Recently, I checked out Rapid7’s AppSpider Web Application Testing software. It is a Windows-based application, and the demo version is available for anyone to play with.
I found 2 vulnerabilities in AppSpider – DLL Pre-loading & Buffer Overflow – which I then reported privately to the R7 team. The folks at Rapid7 confirmed my reports and released the new versions shortly after.
The Release Announcement is available here – https://community.rapid7.com/docs/DOC-3631
- Updated nginx.exe to utilize Microsoft Security Advisory on remote code execution. Windows 7, Windows Server 2008 R2, Windows Vista and Windows Server 2008: KB2533623 must be installed on the target platform. Resolves – CVE-2017-5236
- Resolved buffer overflow crash in the AppSpider command line tool for inputs. Resolves – CVE-2017-5240
Rapid7 thanks Karn Ganeshen for privately reporting the CVE issues. – w00t w00t!
A. Rapid 7 AppSpider Insecure Library Load (DLL Hijacking) Vulnerability – CVE-2017-5236
During installation:
- Start the listener.
- Create an evil DLL named SureWareHook.dll.
- Place the evil DLL in any directory defined in the Windows system PATH variable.
- Start the AppSpider installer.
- Select the Nginx Web Server component in the installation options.
- Continue with the setup.
- Shell received. Win!
- The shell does not disconnect after setup completes.
During uninstallation:
- Start the listener.
- The evil DLL is loaded again when AppSpider is uninstalled.
- Shell once more!
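The pre-loading above depends on a PATH directory that a low-privileged user can write to, and Rapid7’s fix relies on KB2533623 being present. The PowerShell below is an added defensive check, not part of the original post or of AppSpider: it reports whether KB2533623 is installed and which machine-wide PATH directories carry write permissions for broad groups. It assumes a Windows host and an elevated console.

```powershell
# Added example (not from the original post): defender-side checks for the two
# preconditions of PATH-based DLL pre-loading described above.
# 1) Is KB2533623 installed? (Only meaningful on Win7/2008 R2/Vista/2008; later
#    Windows versions ship the safe DLL search APIs built in.)
$kb = Get-HotFix -Id 'KB2533623' -ErrorAction SilentlyContinue
if ($kb) {
    Write-Output "KB2533623 installed on $($kb.InstalledOn)"
} else {
    Write-Output "KB2533623 NOT found (required on Win7/2008 R2 per the Rapid7 release note)"
}

# 2) Which directories on the machine-wide PATH are writable by broad groups?
#    Any such directory lets a standard user drop SureWareHook.dll where the
#    installer's DLL search will find it.
$broadIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Write covers WriteData/AppendData/WriteAttributes/WriteExtendedAttributes;
# Modify and FullControl are supersets, so a bitwise AND with Write catches them too.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write

$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$dirs = $machinePath -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

foreach ($dir in $dirs) {
    $acl = Get-Acl -LiteralPath $dir
    foreach ($ace in $acl.Access) {
        # Note: ACEs expressed with generic rights (large raw numbers) are not decoded here.
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadIdentities -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            Write-Output "WRITABLE by $($ace.IdentityReference.Value): $dir [$($ace.FileSystemRights)]"
        }
    }
}
```

Any directory reported as WRITABLE should be removed from the system PATH or have its ACL tightened; per-user PATH entries are not covered because installers typically run elevated.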
B. Rapid7 AppSpider Stack Buffer Overflow Vulnerability – CVE-2017-5240
PoC input: “A”*4040 + “B”*4 + “C”*5956
Result: EIP control (the 4 “B” bytes after the 4040-byte offset land in EIP).
C:\Program Files\Rapid7\AppSpider6\ScanEngine> FLAnalyzer.exe <payload>